From 06d42781cbfc3d9baa7155b480e22b9f4164ab91 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Tue, 12 Dec 2023 20:24:57 +0800
Subject: [PATCH 52/64] modify the default value of ISULAD_TMPDIR to
 /var/lib/isulad

Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
 src/cmd/isulad/main.c                               | 13 +++++++------
 src/common/constants.h                              |  2 ++
 src/contrib/config/iSulad.sysconfig                 |  4 ++--
 .../modules/container/leftover_cleanup/cleanup.c    |  6 +++---
 src/daemon/modules/image/oci/utils_images.c         |  2 +-
 src/utils/cutils/utils_verify.c                     |  5 +++++
 src/utils/cutils/utils_verify.h                     |  2 ++
 src/utils/tar/util_archive.c                        |  9 +++++----
 8 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c
index 95454e2a..d33e4004 100644
--- a/src/cmd/isulad/main.c
+++ b/src/cmd/isulad/main.c
@@ -1295,8 +1295,8 @@ static int ensure_isulad_tmpdir_security()
     char *isulad_tmp_dir = NULL;
 
     isulad_tmp_dir = getenv("ISULAD_TMPDIR");
-    if (!util_valid_str(isulad_tmp_dir)) {
-        isulad_tmp_dir = "/tmp";
+    if (!util_valid_isulad_tmpdir(isulad_tmp_dir)) {
+        isulad_tmp_dir = DEFAULT_ISULAD_TMPDIR;
     }
 
     if (do_ensure_isulad_tmpdir_security(isulad_tmp_dir) != 0) {
@@ -1304,14 +1304,15 @@ static int ensure_isulad_tmpdir_security()
         return -1;
     }
 
-    if (strcmp(isulad_tmp_dir, "/tmp") == 0) {
+    if (strcmp(isulad_tmp_dir, DEFAULT_ISULAD_TMPDIR) == 0) {
         return 0;
     }
 
     // No matter whether ISULAD_TMPDIR is set or not,
-    // ensure the "/tmp" directory is a safe directory
-    if (do_ensure_isulad_tmpdir_security("/tmp") != 0) {
-        WARN("Failed to ensure the /tmp directory is a safe directory");
+    // ensure the DEFAULT_ISULAD_TMPDIR directory is a safe directory
+    // TODO: if isula is no longer tarred in the future, we can delete it.
+    if (do_ensure_isulad_tmpdir_security(DEFAULT_ISULAD_TMPDIR) != 0) {
+        WARN("Failed to ensure the default ISULAD_TMPDIR : %s directory is a safe directory", DEFAULT_ISULAD_TMPDIR);
     }
 
     return 0;
diff --git a/src/common/constants.h b/src/common/constants.h
index 5f12ae25..27d4956e 100644
--- a/src/common/constants.h
+++ b/src/common/constants.h
@@ -129,6 +129,8 @@ extern "C" {
 
 #define OCI_IMAGE_GRAPH_ROOTPATH_NAME "storage"
 
+#define DEFAULT_ISULAD_TMPDIR "/var/lib/isulad"
+
 #ifdef ENABLE_GRPC_REMOTE_CONNECT
 #define DEFAULT_TCP_HOST "tcp://localhost:2375"
 #define DEFAULT_TLS_HOST "tcp://localhost:2376"
diff --git a/src/contrib/config/iSulad.sysconfig b/src/contrib/config/iSulad.sysconfig
index 43ba7cbd..25099480 100644
--- a/src/contrib/config/iSulad.sysconfig
+++ b/src/contrib/config/iSulad.sysconfig
@@ -22,5 +22,5 @@
 #SYSMONITOR_OPTIONS='-H tcp://127.0.0.1:2375 --tlsverify --tlscacert=/root/.iSulad/ca.pem --tlscert=/root/.iSulad/cert.pem --tlskey=/root/.iSulad/key.pem'
 
 # Location used for temporary files, such as those created by isula load and pull operations.
-# Default is /var/tmp. Can be overridden by setting the following env variable.
-# ISULAD_TMPDIR=/var/tmp
+# Default is /var/lib/isulad. Can be overridden by setting the following env variable.
+# ISULAD_TMPDIR=/var/lib/isulad
diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c
index 9a38ffc2..af5f0eee 100644
--- a/src/daemon/modules/container/leftover_cleanup/cleanup.c
+++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c
@@ -203,12 +203,12 @@ void do_isulad_tmpdir_cleaner(void)
     char *isula_tmp_dir = NULL;
 
     isula_tmp_dir = getenv("ISULAD_TMPDIR");
-    if (util_valid_str(isula_tmp_dir)) {
+    if (util_valid_isulad_tmpdir(isula_tmp_dir)) {
         cleanup_path(isula_tmp_dir);
     }
     // No matter whether ISULAD_TMPDIR is set or not,
-    // clean up the "/tmp" directory to prevent the mount point from remaining
-    cleanup_path("/tmp");
+    // clean up the DEFAULT_ISULAD_TMPDIR directory to prevent the mount point from remaining
+    cleanup_path(DEFAULT_ISULAD_TMPDIR);
 
     return;
 }
diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c
index f92ee59a..d94388bd 100644
--- a/src/daemon/modules/image/oci/utils_images.c
+++ b/src/daemon/modules/image/oci/utils_images.c
@@ -595,7 +595,7 @@ char *oci_get_isulad_tmpdir(const char *root_dir)
     }
 
     env_dir = getenv("ISULAD_TMPDIR");
-    if (util_valid_str(env_dir)) {
+    if (util_valid_isulad_tmpdir(env_dir)) {
         isulad_tmpdir = util_path_join(env_dir, "isulad_tmpdir");
     } else {
         isulad_tmpdir = util_path_join(root_dir, "isulad_tmpdir");
diff --git a/src/utils/cutils/utils_verify.c b/src/utils/cutils/utils_verify.c
index f4ce3199..7f2db48b 100644
--- a/src/utils/cutils/utils_verify.c
+++ b/src/utils/cutils/utils_verify.c
@@ -744,6 +744,11 @@ bool util_valid_volume_name(const char *name)
     return util_reg_match(patten, name) == 0;
 }
 
+bool util_valid_isulad_tmpdir(const char *dir)
+{
+    return util_valid_str(dir) && strcmp(dir, "/tmp") != 0;
+}
+
 #ifdef ENABLE_IMAGE_SEARCH
 bool util_valid_search_name(const char *name)
 {
diff --git a/src/utils/cutils/utils_verify.h b/src/utils/cutils/utils_verify.h
index 54d1ce71..bafd2a82 100644
--- a/src/utils/cutils/utils_verify.h
+++ b/src/utils/cutils/utils_verify.h
@@ -124,6 +124,8 @@ bool util_valid_sysctl(const char *sysctl_key);
 
 bool util_valid_volume_name(const char *name);
 
+bool util_valid_isulad_tmpdir(const char *dir);
+
 #ifdef ENABLE_IMAGE_SEARCH
 bool util_valid_search_name(const char *name);
 #endif
diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c
index 82e940a5..e8fad391 100644
--- a/src/utils/tar/util_archive.c
+++ b/src/utils/tar/util_archive.c
@@ -134,7 +134,7 @@ static void do_disable_unneccessary_caps()
 // Add flock when bind mount and make it private.
 // Because bind mount usually makes safedir shared mount point,
 // and sometimes it will cause "mount point explosion".
-// E.g. concurrently execute isula cp /tmp/<XXX-File> <CONTAINER-ID>:<CONTAINER-PAT>
+// E.g. concurrently execute isula cp DEFAULT_ISULAD_TMPDIR/<XXX-File> <CONTAINER-ID>:<CONTAINER-PAT>
 static int bind_mount_with_flock(const char *flock_path, const char *dstdir, const char *tmp_dir)
 {
     __isula_auto_close int fd = -1;
@@ -192,9 +192,10 @@ static int make_safedir_is_noexec(const char *flock_path, const char *dstdir, ch
     int nret;
 
     isulad_tmpdir_env = getenv("ISULAD_TMPDIR");
-    if (!util_valid_str(isulad_tmpdir_env)) {
-        // if not setted isulad tmpdir, just use /tmp
-        isulad_tmpdir_env = "/tmp";
+    if (!util_valid_isulad_tmpdir(isulad_tmpdir_env)) {
+        INFO("if not setted isulad tmpdir or setted unvalid dir, use DEFAULT_ISULAD_TMPDIR");
+        // if not setted isulad tmpdir, just use DEFAULT_ISULAD_TMPDIR
+        isulad_tmpdir_env = DEFAULT_ISULAD_TMPDIR;
     }
 
     nret = snprintf(isula_tmpdir, PATH_MAX, "%s/isulad_tmpdir", isulad_tmpdir_env);
-- 
2.42.0