Ensure /run/containerd is created with correct perms

There are a couple directories that get created under the default state directory ("/run/containerd") even when containerd is configured to use a different location for its state directory. Create the default state directory even if containerd is configured to use a different state directory location. This ensure pkg/shim and pkg/fifo won't create the default state directory with incorrect permissions when calling os.MkdirAll for their respective subdirectories. Signed-off-by: Erikson Tung <[email protected]>
austinvazquez · Jul 31, 2024 · 551ac06 · 551ac06
1 parent 2ddd3db
commit 551ac06
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/cmd/containerd/server/server.go b/cmd/containerd/server/server.go
@@ -88,6 +88,15 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
 	if err := sys.MkdirAllWithACL(config.State, 0o711); err != nil {
 		return err
 	}
+	if config.State != defaults.DefaultStateDir {
+		// XXX: socketRoot in pkg/shim is hard-coded to the default state directory.
+		// See https://github.com/containerd/containerd/issues/10502#issuecomment-2249268582 for why it's set up that way.
+		// The default fifo directory in pkg/cio is also configured separately and defaults to the default state directory instead of the configured state directory.
+		// Make sure the default state directory is created with the correct permissions.
+		if err := sys.MkdirAllWithACL(defaults.DefaultStateDir, 0o711); err != nil {
+			return err
+		}
+	}
 
 	if config.TempDir != "" {
 		if err := sys.MkdirAllWithACL(config.TempDir, 0o711); err != nil {