a82e25af0e
The --mount-string argument defaults to `/Users` on darwin, and
homedir.Homedir() on other platforms (e.g. $HOME on unix).
This is wrong in many ways:
- `/Users` is not HOME on darwin (the right path is `/Users/$USER`).
Using the default mount we cannot access anything inside the guest in
the user home directory. We can access the special `/Users/Shared`
directory, but this should not be a default mount.
- Mounting the user home directory inside the guest in read-write mode
is a horrible default. This exposes the users private keys in .ssh/ to
the guest, any sensitive files in the user home directory, and allows
the guest to change any file on the host.
- Using the `--mount` option mount the default mount directory silently.
This is unexpected, surprising, and not documented in the minikube
handbook[1].
Example access to user private key from the guest with the default
mount:
$ minikube start --mount
$ minikube ssh cat /minikube-host/.ssh/id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
Fixed by removing the default mount directory and changing mount logic
to check for non-empty mount-string instead of the mount flag.
The mount flag is kept for backward compatibility, but its value is
ignored. In the next release we want to use this flag for supporting
multiple mounts.
Example usage before:
minikube start --mount --mount-string ~/models:/mnt/models
Example usage after:
minikube start --mount-string ~/models:/mnt/models
Breaking changes:
User depending the default mount will have to replace the command:
minikube start --mount
With:
minikube start --mount-string $HOME:/minikube-host
[1] https://minikube.sigs.k8s.io/docs/handbook/mount/
|
||
|---|---|---|
| .. | ||
| auto-pause | ||
| drivers | ||
| extract | ||
| gvisor | ||
| minikube | ||
| performance | ||
| storage-provisioner | ||