-
Notifications
You must be signed in to change notification settings - Fork 2k
/
fs_linux.go
92 lines (77 loc) · 2.17 KB
/
fs_linux.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package allocdir
import (
"fmt"
"os"
"path/filepath"
"syscall"
"golang.org/x/sys/unix"
)
const (
// secretDirTmpfsSize is the size of the tmpfs per task in MBs
secretDirTmpfsSize = 1
// secretMarker is the filename of the marker created so Nomad doesn't
// try to mount the secrets tmpfs more than once
secretMarker = ".nomad-mount"
)
// linkDir bind mounts src to dst as Linux doesn't support hardlinking
// directories.
func linkDir(src, dst string) error {
if err := os.MkdirAll(dst, 0777); err != nil {
return err
}
return syscall.Mount(src, dst, "", syscall.MS_BIND, "")
}
// unlinkDir unmounts a bind mounted directory as Linux doesn't support
// hardlinking directories. If the dir is already unmounted no error is
// returned.
func unlinkDir(dir string) error {
if err := syscall.Unmount(dir, 0); err != nil {
if err != syscall.EINVAL {
return err
}
}
return nil
}
// createSecretDir creates the secrets dir folder at the given path using a
// tmpfs
func createSecretDir(dir string) error {
// Only mount the tmpfs if we are root
if unix.Geteuid() == 0 {
if err := os.MkdirAll(dir, 0777); err != nil {
return err
}
// Check for marker file and skip mounting if it exists
marker := filepath.Join(dir, secretMarker)
if _, err := os.Stat(marker); err == nil {
return nil
}
flags := uintptr(syscall.MS_NOEXEC)
options := fmt.Sprintf("size=%dm", secretDirTmpfsSize)
if err := syscall.Mount("tmpfs", dir, "tmpfs", flags, options); err != nil {
return os.NewSyscallError("mount", err)
}
// Create the marker file so we don't try to mount more than once
f, err := os.OpenFile(marker, os.O_RDWR|os.O_CREATE, 0666)
if err != nil {
// Hard fail since if this fails something is really wrong
return err
}
f.Close()
return nil
}
return os.MkdirAll(dir, 0777)
}
// createSecretDir removes the secrets dir folder
func removeSecretDir(dir string) error {
if unix.Geteuid() == 0 {
if err := unlinkDir(dir); err != nil {
// Ignore invalid path errors
if err != syscall.ENOENT {
return os.NewSyscallError("unmount", err)
}
}
}
return os.RemoveAll(dir)
}