rootless: fix open /etc/docker/plugins: permission denied#47559
rootless: fix open /etc/docker/plugins: permission denied#47559thaJeztah merged 1 commit intomoby:masterfrom
open /etc/docker/plugins: permission denied#47559Conversation
pkg/plugins/discovery.go
Outdated
| if err != nil && !os.IsNotExist(err) { | ||
| if errors.Is(err, fs.ErrPermission) && userns.RunningInUserNS() { | ||
| continue | ||
| } | ||
| return nil, errors.Wrap(err, "error reading dir entries") | ||
| } |
There was a problem hiding this comment.
Perhaps we should put the os.IsNotExist(err) inside the if branch here as well; at least I think it might be slightly more readable; wdyt?
if err != nil {
if os.IsNotExist(err) {
continue
}
if errors.Is(err, fs.ErrPermission) && userns.RunningInUserNS() {
continue
}
return nil, errors.Wrap(err, "error reading dir entries")
}I guess the errors.Is(err, fs.ErrPermission) could be os.IsPermission(err) as well, to stick with the same as we do for the os.IsNotExist() (although I think either is probably fine);
if err != nil {
if os.IsNotExist(err) {
continue
}
if os.IsPermission(err) && userns.RunningInUserNS() {
continue
}
return nil, errors.Wrap(err, "error reading dir entries")
}There was a problem hiding this comment.
Thanks! Do you know why we have this permissions issue in the first place? Are we hiding the underlying issue here, and should the directory have been created with different permissions?
If that's the case, should we add a Warn or Debug log here?
There was a problem hiding this comment.
Updated to use os.IsPermission, although I feel os.Is... functions have been substantially soft-deprecated.
Also added a debug log.
There was a problem hiding this comment.
FYI,errors.Is(err, os.IsPermission) should be preferred over os.IsPermission(err) (this also applies to other fs errors):
This function predates errors.Is. It only supports errors returned by the os package. New code should use errors.Is(err, fs.ErrPermission).
~ https://pkg.go.dev/os#IsPermission
There was a problem hiding this comment.
Yeah, ISTR the os.IsXXX ones did some extra checks related to syscall errors, but for this case, probably either is fine.
Note that os.XXX errors are on their own an alias for fs.XXX errors, so the "fully correct" thing is to also import fs (which is a bit of a nuisance)
Fix issue 47436 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
- What I did
Fixed #47436
- How I did it
Skipped the
specsPathsloop onErrPermission.- How to verify it
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)
🐧