
--cidfile fails if file exists even if empty #5954

@hydrargyrum

Description

The best practice when creating a temporary file is not only to generate a filename of a file that does not already exist, but also to create/open the file with O_EXCL, to avoid TOCTOU; typically that's what mkstemp(3) does.
Unfortunately, docker-run's --cidfile prevents passing it a safe temporary file, because docker-run will fail if the given file merely exists.

Reproduce

t=$(mktemp)
docker run --rm --cidfile=$t debian

Expected behavior

docker-run should fail only if the file given as --cidfile contains a PID (even better, check if the PID is alive by using kill(the_pid, 0), which is designed for that).

docker version

Client:
 Version:           20.10.24+dfsg1
 API version:       1.41
 Go version:        go1.19.8
 Git commit:        297e128
 Built:             Sat Oct 12 15:19:49 2024
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          20.10.5+dfsg1
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.15.15
  Git commit:       363e9a8
  Built:            Mon May 30 18:34:49 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.20~ds1
  GitCommit:        1.6.20~ds1-1+deb12u1
 runc:
  Version:          1.1.5+ds1
  GitCommit:        1.1.5+ds1-1+deb12u1
 docker-init:
  Version:          0.19.0
  GitCommit:

docker info

too much identifying info

Additional Info

No response
