From b36b415526ce6674d6cded84d964def17d600627 Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Sun, 29 Jan 2023 07:29:35 +0900
Subject: [PATCH] cri: mkdir /etc/cni with 0755, not 0700
/etc/cni has to be readable for non-root users (0755), because /etc/cni/tuning/allowlist.conf is used for rootless mode too.
This file was introduced in CNI plugins 1.2.0 (containernetworking/plugins PR 693), and its path is hard-coded.
Signed-off-by: Akihiro Suda
---
pkg/cri/sbserver/cni_conf_syncer.go | 8 ++++++++
pkg/cri/server/cni_conf_syncer.go | 8 ++++++++
2 files changed, 16 insertions(+)
diff --git a/pkg/cri/sbserver/cni_conf_syncer.go b/pkg/cri/sbserver/cni_conf_syncer.go
index 66acd79b3..551e0b924 100644
--- a/pkg/cri/sbserver/cni_conf_syncer.go
+++ b/pkg/cri/sbserver/cni_conf_syncer.go
@@ -19,6 +19,7 @@ package sbserver
import (
"fmt"
"os"
+ "path/filepath"
"sync"
"github.com/containerd/go-cni"
@@ -46,6 +47,13 @@ func newCNINetConfSyncer(confDir string, netPlugin cni.CNI, loadOpts []cni.Opt)
return nil, fmt.Errorf("failed to create fsnotify watcher: %w", err)
}
+ // /etc/cni has to be readable for non-root users (0755), because /etc/cni/tuning/allowlist.conf is used for rootless mode too.
+ // This file was introduced in CNI plugins 1.2.0 (https://github.com/containernetworking/plugins/pull/693), and its path is hard-coded.
+ confDirParent := filepath.Dir(confDir)
+ if err := os.MkdirAll(confDirParent, 0755); err != nil {
+ return nil, fmt.Errorf("failed to create the parent of the cni conf dir=%s: %w", confDirParent, err)
+ }
+
if err := os.MkdirAll(confDir, 0700); err != nil {
return nil, fmt.Errorf("failed to create cni conf dir=%s for watch: %w", confDir, err)
}
diff --git a/pkg/cri/server/cni_conf_syncer.go b/pkg/cri/server/cni_conf_syncer.go
index 87036edd8..9e2a459ec 100644
--- a/pkg/cri/server/cni_conf_syncer.go
+++ b/pkg/cri/server/cni_conf_syncer.go
@@ -19,6 +19,7 @@ package server
import (
"fmt"
"os"
+ "path/filepath"
"sync"
cni "github.com/containerd/go-cni"
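Review bot: `filepath.Dir(confDir)` returns confDir itself when the configured path carries a trailing slash (filepath.Dir("/etc/cni/net.d/") is "/etc/cni/net.d"), so the 0755 MkdirAll added here would then create the conf dir itself world-readable and the following 0700 MkdirAll becomes a no-op; normalizing first, `confDirParent := filepath.Dir(filepath.Clean(confDir))`, keeps the parent at /etc/cni however the path was written. os.MkdirAll also never changes the mode of a directory that already exists, so on hosts where the pre-existing `os.MkdirAll(confDir, 0700)` call has already created /etc/cni as 0700 this change has no effect, and the 0755 is still subject to the process umask; the new comment should say so, e.g. `// Note: MkdirAll leaves an existing directory's mode untouched and the umask still applies; a pre-existing 0700 /etc/cni must be fixed out of band.` The same applies to the identical hunk in pkg/cri/server/cni_conf_syncer.go. newCNINetConfSyncer continues outside the hunk.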
@@ -46,6 +47,13 @@ func newCNINetConfSyncer(confDir string, netPlugin cni.CNI, loadOpts []cni.Opt)
return nil, fmt.Errorf("failed to create fsnotify watcher: %w", err)
}
+ // /etc/cni has to be readable for non-root users (0755), because /etc/cni/tuning/allowlist.conf is used for rootless mode too.
+ // This file was introduced in CNI plugins 1.2.0 (https://github.com/containernetworking/plugins/pull/693), and its path is hard-coded.
+ confDirParent := filepath.Dir(confDir)
+ if err := os.MkdirAll(confDirParent, 0755); err != nil {
+ return nil, fmt.Errorf("failed to create the parent of the cni conf dir=%s: %w", confDirParent, err)
+ }
+
if err := os.MkdirAll(confDir, 0700); err != nil {
return nil, fmt.Errorf("failed to create cni conf dir=%s for watch: %w", confDir, err)
}