Merge pull request #308 from giuseppe/docker-bind-mount-prefix-1.13.1-rhel

volume: allow a prefix for all bind mounts

Author: runcom

contrib/completion/bash/docker

@@ -1865,6 +1865,7 @@ _docker_daemon() {
 		--add-runtime
 		--api-cors-header
 		--authorization-plugin
+                --bind-mount-prefix
 		--bip
 		--block-registry
 		--bridge -b

daemon/config_unix.go

@@ -38,6 +38,7 @@ type Config struct {
 	SeccompProfile       string                   `json:"seccomp-profile,omitempty"`
 	SigCheck             bool                     `json:"signature-verification"`
 	EnableSecrets        bool                     `json:"enable-secrets"`
+	BindMountPrefix      string                   `json:"bind-mount-prefix"`
 }
 
 // bridgeConfig stores all the bridge driver specific
@@ -93,6 +94,7 @@ func (config *Config) InstallFlags(flags *pflag.FlagSet) {
 	flags.StringVar(&config.SeccompProfile, "seccomp-profile", "", "Path to seccomp profile")
 	flags.BoolVar(&config.SigCheck, "signature-verification", true, "Check image's signatures on pull")
 	flags.BoolVar(&config.EnableSecrets, "enable-secrets", true, "Enable Secrets")
+	flags.StringVar(&config.BindMountPrefix, "bind-mount-prefix", "", "Specify a prefix to prepend to the source of a bind mount")
 
 	config.attachExperimentalFlags(flags)
 }

daemon/volumes_unix.go

@@ -43,7 +43,7 @@ func (daemon *Daemon) setupMounts(c *container.Container) ([]container.Mount, er
 			return nil, err
 		}
 		rootUID, rootGID := daemon.GetRemappedUIDGID()
-		path, err := m.Setup(c.MountLabel, rootUID, rootGID)
+		path, err := m.Setup(daemon.configStore.BindMountPrefix, c.MountLabel, rootUID, rootGID)
 		if err != nil {
 			return nil, err
 		}

docs/reference/commandline/dockerd.md

@@ -25,6 +25,7 @@ Options:
       --add-runtime value                     Register an additional OCI compatible runtime (default [])
       --api-cors-header string                Set CORS headers in the Engine API
       --authorization-plugin value            Authorization plugins to load (default [])
+      --bind-mount-prefix                     Specify a prefix to prepend to the source of a bind mount
       --bip string                            Specify network bridge IP
   -b, --bridge string                         Attach containers to a network bridge
       --cgroup-parent string                  Set parent cgroup for all containers

man/dockerd.8.md

@@ -11,6 +11,7 @@ dockerd - Enable daemon mode
 [**--api-cors-header**=[=*API-CORS-HEADER*]]
 [**--authorization-plugin**[=*[]*]]
 [**-b**|**--bridge**[=*BRIDGE*]]
+[**--bind-mount-prefix[=*PREFIX*]]
 [**--bip**[=*BIP*]]
 [**--block-registry**[=*[]*]]
 [**--cgroup-parent**[=*[]*]]
@@ -133,6 +134,9 @@ $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-ru
   Attach containers to a pre\-existing network bridge; use 'none' to disable
   container networking
 
+**--bind-mount-prefix**=""
+  Specify a prefix to use for the source of the bind mounts.
+
 **--bip**=""
   Use the provided CIDR notation address for the dynamically created bridge
   (docker0); Mutually exclusive of \-b

volume/volume.go

@@ -9,6 +9,7 @@ import (
 
 	mounttypes "github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/symlink"
 	"github.com/docker/docker/pkg/stringid"
 	"github.com/opencontainers/runc/libcontainer/label"
 	"github.com/pkg/errors"
@@ -124,23 +125,28 @@ type MountPoint struct {
 
 // Setup sets up a mount point by either mounting the volume if it is
 // configured, or creating the source directory if supplied.
-func (m *MountPoint) Setup(mountLabel string, rootUID, rootGID int) (path string, err error) {
+func (m *MountPoint) Setup(prefix, mountLabel string, rootUID, rootGID int) (path string, err error) {
+	symlinkRoot := prefix
+	if symlinkRoot == "" {
+		symlinkRoot = "/"
+	}
+	sourcePath, err := symlink.FollowSymlinkInScope(filepath.Join(prefix, m.Source), symlinkRoot)
+	if err != nil {
+		path = ""
+		err = errors.Wrapf(err, "error evaluating symlink from mount source '%s'", m.Source)
+		return
+	}
+
 	defer func() {
 		if err == nil {
 			if label.RelabelNeeded(m.Mode) {
-				sourcePath, err := filepath.EvalSymlinks(m.Source)
-				if err != nil {
-					path = ""
-					err = errors.Wrapf(err, "error evaluating symlink from mount source '%s'", m.Source)
-					return
-				}
 				err = label.Relabel(sourcePath, mountLabel, label.IsShared(m.Mode))
 				if err == syscall.ENOTSUP {
 					err = nil
 				}
 				if err != nil {
 					path = ""
-					err = errors.Wrapf(err, "error setting label on mount source '%s'", m.Source)
+					err = errors.Wrapf(err, "error setting label on mount source '%s'", sourcePath)
 					return
 				}
 			}
@@ -162,19 +168,19 @@ func (m *MountPoint) Setup(mountLabel string, rootUID, rootGID int) (path string
 	if len(m.Source) == 0 {
 		return "", fmt.Errorf("Unable to setup mount point, neither source nor volume defined")
 	}
-	// system.MkdirAll() produces an error if m.Source exists and is a file (not a directory),
+	// system.MkdirAll() produces an error if source exists and is a file (not a directory),
 	if m.Type == mounttypes.TypeBind {
-		// idtools.MkdirAllNewAs() produces an error if m.Source exists and is a file (not a directory)
+		// idtools.MkdirAllNewAs() produces an error if source exists and is a file (not a directory)
 		// also, makes sure that if the directory is created, the correct remapped rootUID/rootGID will own it
-		if err := idtools.MkdirAllNewAs(m.Source, 0755, rootUID, rootGID); err != nil {
+		if err := idtools.MkdirAllNewAs(sourcePath, 0755, rootUID, rootGID); err != nil {
 			if perr, ok := err.(*os.PathError); ok {
 				if perr.Err != syscall.ENOTDIR {
-					return "", errors.Wrapf(err, "error while creating mount source path '%s'", m.Source)
+					return "", errors.Wrapf(err, "error while creating mount source path '%s'", sourcePath)
 				}
 			}
 		}
 	}
-	return m.Source, nil
+	return sourcePath, nil
 }
 
 // Path returns the path of a volume in a mount point.