From 551ac0600ae9c892061c034cc2990d19e3d579d5 Mon Sep 17 00:00:00 2001 From: Erikson Tung Date: Tue, 30 Jul 2024 14:18:33 -0700 Subject: [PATCH] Ensure /run/containerd is created with correct perms There are a couple directories that get created under the default state directory ("/run/containerd") even when containerd is configured to use a different location for its state directory. Create the default state directory even if containerd is configured to use a different state directory location. This ensure pkg/shim and pkg/fifo won't create the default state directory with incorrect permissions when calling os.MkdirAll for their respective subdirectories. Signed-off-by: Erikson Tung
---
 cmd/containerd/server/server.go | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/cmd/containerd/server/server.go b/cmd/containerd/server/server.go
index d5f281dd533e..b3d5b7575c92 100644
--- a/cmd/containerd/server/server.go
+++ b/cmd/containerd/server/server.go
@@ -88,6 +88,15 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
 if err := sys.MkdirAllWithACL(config.State, 0o711); err != nil {
 return err
 }
+ if config.State != defaults.DefaultStateDir {
+ // XXX: socketRoot in pkg/shim is hard-coded to the default state directory.
+ // See https://github.com/containerd/containerd/issues/10502#issuecomment-2249268582 for why it's set up that way.
+ // The default fifo directory in pkg/cio is also configured separately and defaults to the default state directory instead of the configured state directory.
+ // Make sure the default state directory is created with the correct permissions.
+ if err := sys.MkdirAllWithACL(defaults.DefaultStateDir, 0o711); err != nil {
+ return err
+ }
+ }

 if config.TempDir != "" {
 if err := sys.MkdirAllWithACL(config.TempDir, 0o711); err != nil {
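Review bot: The added `sys.MkdirAllWithACL(defaults.DefaultStateDir, 0o711)` call only sets the mode when it creates the directory. Assuming it follows `os.MkdirAll` semantics on Unix, a default state directory that already exists (for example one left behind by an earlier run in which pkg/shim or pkg/fifo created it with the wrong mode) is accepted unchanged and the call returns nil. If the intent is to guarantee the permissions rather than only to be first to create the directory, follow the call with an explicit reset such as `if err := os.Chmod(defaults.DefaultStateDir, 0o711); err != nil { return err }` (assuming `os` is imported in this file), or at least state the limitation in the XXX comment. Returning the error also makes startup fail when a custom state directory was configured because the process cannot write under the default location, so the comment should say whether that is intended. The body of CreateTopLevelDirectories starts and ends outside the hunk.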