From 25bdad762b4605dee11889f41e9e23997ab0edf9 Mon Sep 17 00:00:00 2001
From: Matthew Wong
Date: Thu, 30 Mar 2017 01:49:32 -0400
Subject: [PATCH] Create subPaths and set their permissions like we do mountPaths
---
 pkg/kubelet/kubelet_pods.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/pkg/kubelet/kubelet_pods.go b/pkg/kubelet/kubelet_pods.go
index 3aa8509f039..0fb29ccda27 100644
--- a/pkg/kubelet/kubelet_pods.go
+++ b/pkg/kubelet/kubelet_pods.go
@@ -135,7 +135,28 @@ func makeMounts(pod *v1.Pod, podDir string, container *v1.Container, hostName, h
 return nil, err
 }
 if mount.SubPath != "" {
+ fileinfo, err := os.Lstat(hostPath)
+ if err != nil {
+ return nil, err
+ }
+ perm := fileinfo.Mode()
+
 hostPath = filepath.Join(hostPath, mount.SubPath)
+
+ // Create the sub path now because if it's auto-created later when referenced, it may have an
+ // incorrect ownership and mode. For example, the sub path directory must have at least g+rwx
+ // when the pod specifies an fsGroup, and if the directory is not created here, Docker will
+ // later auto-create it with the incorrect mode 0750
+ if err := os.MkdirAll(hostPath, perm); err != nil {
+ glog.Errorf("failed to mkdir:%s", hostPath)
+ return nil, err
+ }
+
+ // chmod the sub path because umask may have prevented us from making the sub path with the same
+ // permissions as the mounter path
+ if err := os.Chmod(hostPath, perm); err != nil {
+ return nil, err
+ }
 }

 // Docker Volume Mounts fail on Windows if it is not of the form C:/
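Review bot: The new `os.MkdirAll(hostPath, perm)` and `os.Chmod(hostPath, perm)` act with the kubelet's privileges on the result of `filepath.Join(hostPath, mount.SubPath)`, and nothing in this hunk confines that result to the volume directory. `mount.SubPath` comes from the pod spec, `Join` collapses `..` components, and both calls follow symlinks, so unless subPath is fully validated elsewhere a directory could be created or have its mode changed outside the volume. I would keep the volume root in its own variable, resolve the joined path before touching it, and return an error when `filepath.Rel(volumePath, resolved)` begins with `..`; a check-then-use test like this is still racy against a writer on the volume, so treat it as a minimum. The mkdir/chmod should also be skipped when `os.Lstat` shows the sub path already exists, because an existing file makes `MkdirAll` fail and an existing directory would silently lose the mode its owner chose. The body of makeMounts starts and ends outside the hunk, so upstream validation may exist that is not visible here.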