moby/daemon/create_unix.go
Brian Goff 8e5bb8fdd3 Do not parse config.Volumes for named volumes
Fixes an issue where `VOLUME some_name:/foo` would be parsed as a named
volume, allowing access from the builder to any volume on the host.

This makes sure that named volumes must always be passed in as a bind.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2015-09-29 10:01:57 -04:00


// +build !windows
package daemon
import (
"os"
"path/filepath"
derr "github.com/docker/docker/errors"
"github.com/docker/docker/image"
"github.com/docker/docker/pkg/stringid"
"github.com/docker/docker/runconfig"
"github.com/docker/docker/volume"
"github.com/opencontainers/runc/libcontainer/label"
)
// createContainerPlatformSpecificSettings performs platform specific container create functionality.
//
// Each key of config.Volumes is treated purely as a container destination
// path: a fresh anonymous volume name is generated for it, so a spec of the
// form "name:/path" can never resolve to an existing named volume on the
// host (named volumes have to be passed in as binds via hostConfig).
// Destinations that already carry a mount point (e.g. from --volumes-from)
// are skipped.
//
// Returns derr.ErrorCodeMountOverFile when the destination resolves to an
// existing non-directory inside the container's rootfs, otherwise the first
// error from path resolution, volume creation, relabeling or content copy.
func createContainerPlatformSpecificSettings(container *Container, config *runconfig.Config, hostConfig *runconfig.HostConfig, img *image.Image) error {
	for spec := range config.Volumes {
		volName := stringid.GenerateNonCryptoID()
		dest := filepath.Clean(spec)

		// Something is already mounted at this destination (--volumes-from);
		// leave it alone.
		if container.isDestinationMounted(dest) {
			continue
		}

		resolved, err := container.GetResourcePath(dest)
		if err != nil {
			return err
		}
		// Refuse to mount over an existing regular file. A path that does not
		// exist yet (or cannot be stat'ed) is allowed through.
		if fi, statErr := os.Stat(resolved); statErr == nil && !fi.IsDir() {
			return derr.ErrorCodeMountOverFile.WithArgs(resolved)
		}

		driver := hostConfig.VolumeDriver
		// A volume declared by the image, for which no bind has been
		// registered on the container, falls back to the local driver.
		if img != nil && dest != "" {
			_, declaredByImage := img.ContainerConfig.Volumes[dest]
			_, bindPresent := container.MountPoints[dest]
			if declaredByImage && !bindPresent {
				driver = volume.DefaultDriverName
			}
		}

		v, err := container.daemon.createVolume(volName, driver, nil)
		if err != nil {
			return err
		}
		if err = label.Relabel(v.Path(), container.MountLabel, true); err != nil {
			return err
		}
		// Image content is only seeded into local volumes; never copy
		// container FS data into a shared (non-local driver) volume.
		if v.DriverName() == volume.DefaultDriverName {
			if err = container.copyImagePathContent(v, dest); err != nil {
				return err
			}
		}
		container.addMountPointWithVolume(dest, v, true)
	}
	return nil
}