

Merge pull request #1956 from umohnani8/fips
Add disableFips option to secrets pkg
rhatdan authored Oct 31, 2019
2 parents 141b5a1 + 54ef007 commit 20e92ff
Showing 2 changed files with 8 additions and 4 deletions.
10 changes: 7 additions & 3 deletions pkg/secrets/secrets.go
Expand Up @@ -148,12 +148,12 @@ func getMountsMap(path string) (string, string, error) {
}

// SecretMounts copies, adds, and mounts the secrets to the container root filesystem
func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless bool) []rspec.Mount {
return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless)
func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount {
return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips)
}

// SecretMountsWithUIDGID specifies the uid/gid of the owner
func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless bool) []rspec.Mount {
func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
var (
secretMounts []rspec.Mount
mountFiles []string
Expand All @@ -180,6 +180,10 @@ func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPre
}
}

// Only add FIPS secret mount if disableFips=false
if disableFips {
return secretMounts
}
// Add FIPS mode secret if /etc/system-fips exists on the host
_, err := os.Stat("/etc/system-fips")
if err == nil {
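Review bot: The early `return secretMounts` added at lines 38-40 leaves SecretMountsWithUIDGID before everything that follows the FIPS stanza, not only before the FIPS mount; if the function's tail (past the end of this hunk) assembles any further mounts, a caller passing disableFips=true silently loses them as well. Guarding just the FIPS block with `if !disableFips { ... }` around the `os.Stat("/etc/system-fips")` branch keeps the flag's effect limited to what its name promises. The doc comment on SecretMountsWithUIDGID still describes only the uid/gid parameters; it should state what the new flag does, e.g. `// disableFips, when true, skips the FIPS-mode secret mount even if /etc/system-fips exists on the host, so host FIPS mode is not propagated into the container.` Both exported signatures also change shape, which breaks any out-of-tree importer of pkg/secrets at compile time; a new entry point or an options struct would keep the existing functions source-compatible. The enclosing function continues beyond the hunk.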
2 changes: 1 addition & 1 deletion run_linux.go
Expand Up @@ -460,7 +460,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st
}

// Get the list of secrets mounts.
secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless())
secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless(), false)

// Add temporary copies of the contents of volume locations at the
// volume locations, unless we already have something there.
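Review bot: The bare `false` appended to the SecretMountsWithUIDGID call on the new line is an unexplained boolean argument; a reader has to open pkg/secrets to learn it means "keep the FIPS secret mount", and this call site is where buildah's own behavior is decided. Name it where it is passed, e.g. `const disableFips = false // this call site keeps propagating host FIPS mode into the container` just above the call, or at least a trailing `/* disableFips */` on the argument. setupMounts begins and ends outside the hunk.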

0 comments on commit 20e92ff
