kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity
moby--moby/integration/container/mounts_linux_test.go

394 lines
12 KiB
Go
Raw Normal View History

Add canonical import comment Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-02-05 16:05:59 -05:00
package container // import "github.com/docker/docker/integration/container"
Make container resource mounts unbindable It's a common scenario for admins and/or monitoring applications to mount in the daemon root dir into a container. When doing so all mounts get coppied into the container, often with private references. This can prevent removal of a container due to the various mounts that must be configured before a container is started (for example, for shared /dev/shm, or secrets) being leaked into another namespace, usually with private references. This is particularly problematic on older kernels (e.g. RHEL < 7.4) where a mount may be active in another namespace and attempting to remove a mountpoint which is active in another namespace fails. This change moves all container resource mounts into a common directory so that the directory can be made unbindable. What this does is prevents sub-mounts of this new directory from leaking into other namespaces when mounted with `rbind`... which is how all binds are handled for containers. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-12-18 16:02:23 -05:00
import (
"context"
"fmt"
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
"path/filepath"
Make container resource mounts unbindable It's a common scenario for admins and/or monitoring applications to mount in the daemon root dir into a container. When doing so all mounts get coppied into the container, often with private references. This can prevent removal of a container due to the various mounts that must be configured before a container is started (for example, for shared /dev/shm, or secrets) being leaked into another namespace, usually with private references. This is particularly problematic on older kernels (e.g. RHEL < 7.4) where a mount may be active in another namespace and attempting to remove a mountpoint which is active in another namespace fails. This change moves all container resource mounts into a common directory so that the directory can be made unbindable. What this does is prevents sub-mounts of this new directory from leaking into other namespaces when mounted with `rbind`... which is how all binds are handled for containers. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-12-18 16:02:23 -05:00
"testing"
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
"time"
Make container resource mounts unbindable It's a common scenario for admins and/or monitoring applications to mount in the daemon root dir into a container. When doing so all mounts get coppied into the container, often with private references. This can prevent removal of a container due to the various mounts that must be configured before a container is started (for example, for shared /dev/shm, or secrets) being leaked into another namespace, usually with private references. This is particularly problematic on older kernels (e.g. RHEL < 7.4) where a mount may be active in another namespace and attempting to remove a mountpoint which is active in another namespace fails. This change moves all container resource mounts into a common directory so that the directory can be made unbindable. What this does is prevents sub-mounts of this new directory from leaking into other namespaces when mounted with `rbind`... which is how all binds are handled for containers. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-12-18 16:02:23 -05:00
"github.com/docker/docker/api/types"
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
containertypes "github.com/docker/docker/api/types/container"
mounttypes "github.com/docker/docker/api/types/mount"
Migrates TestContainersAPINetworkMountsNoChown to api tests This fix migrates TestContainersAPINetworkMountsNoChown from integration-cli to api tests in integration. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-02-04 12:38:04 -05:00
"github.com/docker/docker/api/types/network"
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
"github.com/docker/docker/api/types/versions"
Migrates TestContainersAPINetworkMountsNoChown to api tests This fix migrates TestContainersAPINetworkMountsNoChown from integration-cli to api tests in integration. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-02-04 12:38:04 -05:00
"github.com/docker/docker/client"
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
"github.com/docker/docker/integration/internal/container"
Migrates TestContainersAPINetworkMountsNoChown to api tests This fix migrates TestContainersAPINetworkMountsNoChown from integration-cli to api tests in integration. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-02-04 12:38:04 -05:00
"github.com/docker/docker/pkg/system"
Really switch to moby/sys/mount* Switch to moby/sys/mount and mountinfo. Keep the pkg/mount for potential outside users. This commit was generated by the following bash script: ``` set -e -u -o pipefail for file in $(git grep -l 'docker/docker/pkg/mount"' | grep -v ^pkg/mount); do sed -i -e 's#/docker/docker/pkg/mount"#/moby/sys/mount"#' \ -e 's#mount\.\(GetMounts\|Mounted\|Info\|[A-Za-z]*Filter\)#mountinfo.\1#g' \ $file goimports -w $file done ``` Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-03-13 19:38:24 -04:00
"github.com/moby/sys/mount"
Rewrite VolumesMountedAsShared/Slave as Integration tests This moves the two tests from integration-CLI to integration. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-11-07 02:06:44 -05:00
"github.com/moby/sys/mountinfo"
bump gotest.tools v3.0.1 for compatibility with Go 1.14 full diff: https://github.com/gotestyourself/gotest.tools/compare/v2.3.0...v3.0.1 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-07 08:39:24 -05:00
"gotest.tools/v3/assert"
is "gotest.tools/v3/assert/cmp"
"gotest.tools/v3/fs"
"gotest.tools/v3/poll"
"gotest.tools/v3/skip"
Make container resource mounts unbindable It's a common scenario for admins and/or monitoring applications to mount in the daemon root dir into a container. When doing so all mounts get coppied into the container, often with private references. This can prevent removal of a container due to the various mounts that must be configured before a container is started (for example, for shared /dev/shm, or secrets) being leaked into another namespace, usually with private references. This is particularly problematic on older kernels (e.g. RHEL < 7.4) where a mount may be active in another namespace and attempting to remove a mountpoint which is active in another namespace fails. This change moves all container resource mounts into a common directory so that the directory can be made unbindable. What this does is prevents sub-mounts of this new directory from leaking into other namespaces when mounted with `rbind`... which is how all binds are handled for containers. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-12-18 16:02:23 -05:00
)
Migrates TestContainersAPINetworkMountsNoChown to api tests This fix migrates TestContainersAPINetworkMountsNoChown from integration-cli to api tests in integration. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-02-04 12:38:04 -05:00
func TestContainerNetworkMountsNoChown(t *testing.T) {
// chown only applies to Linux bind mounted volumes; must be same host to verify
Simplify skip checks These tests are run on a local Linux daemon only, so no need to do a platform-check. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-03 06:32:05 -05:00
skip.If(t, testEnv.IsRemoteDaemon)
Migrates TestContainersAPINetworkMountsNoChown to api tests This fix migrates TestContainersAPINetworkMountsNoChown from integration-cli to api tests in integration. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-02-04 12:38:04 -05:00
defer setupTest(t)()
ctx := context.Background()
tmpDir := fs.NewDir(t, "network-file-mounts", fs.WithMode(0755), fs.WithFile("nwfile", "network file bind mount", fs.WithMode(0644)))
defer tmpDir.Remove()
tmpNWFileMount := tmpDir.Join("nwfile")
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
config := containertypes.Config{
Migrates TestContainersAPINetworkMountsNoChown to api tests This fix migrates TestContainersAPINetworkMountsNoChown from integration-cli to api tests in integration. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-02-04 12:38:04 -05:00
Image: "busybox",
}
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
hostConfig := containertypes.HostConfig{
Mounts: []mounttypes.Mount{
Migrates TestContainersAPINetworkMountsNoChown to api tests This fix migrates TestContainersAPINetworkMountsNoChown from integration-cli to api tests in integration. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-02-04 12:38:04 -05:00
{
Type: "bind",
Source: tmpNWFileMount,
Target: "/etc/resolv.conf",
},
{
Type: "bind",
Source: tmpNWFileMount,
Target: "/etc/hostname",
},
{
Type: "bind",
Source: tmpNWFileMount,
Target: "/etc/hosts",
},
},
}
Remove use of deprecated client.NewEnvClient() Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-03 16:49:00 -05:00
cli, err := client.NewClientWithOpts(client.FromEnv)
Automated migration using gty-migrate-from-testify --ignore-build-tags Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-13 15:28:34 -04:00
assert.NilError(t, err)
Migrates TestContainersAPINetworkMountsNoChown to api tests This fix migrates TestContainersAPINetworkMountsNoChown from integration-cli to api tests in integration. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-02-04 12:38:04 -05:00
defer cli.Close()
Accept platform spec on container create This enables image lookup when creating a container to fail when the reference exists but it is for the wrong platform. This prevents trying to run an image for the wrong platform, as can be the case with, for example binfmt_misc+qemu. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2020-03-19 16:54:48 -04:00
ctrCreate, err := cli.ContainerCreate(ctx, &config, &hostConfig, &network.NetworkingConfig{}, nil, "")
Automated migration using gty-migrate-from-testify --ignore-build-tags Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-13 15:28:34 -04:00
assert.NilError(t, err)
Migrates TestContainersAPINetworkMountsNoChown to api tests This fix migrates TestContainersAPINetworkMountsNoChown from integration-cli to api tests in integration. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-02-04 12:38:04 -05:00
// container will exit immediately because of no tty, but we only need the start sequence to test the condition
err = cli.ContainerStart(ctx, ctrCreate.ID, types.ContainerStartOptions{})
Automated migration using gty-migrate-from-testify --ignore-build-tags Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-13 15:28:34 -04:00
assert.NilError(t, err)
Migrates TestContainersAPINetworkMountsNoChown to api tests This fix migrates TestContainersAPINetworkMountsNoChown from integration-cli to api tests in integration. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-02-04 12:38:04 -05:00
Add description to TestContainerNetworkMountsNoChown This fix is a follow up to 36198 by adding description to TestContainerNetworkMountsNoChown so that it is clear about the purpose of the test for ownership. This fix is related to comment in 36198. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-02-06 19:19:38 -05:00
// Check that host-located bind mount network file did not change ownership when the container was started
// Note: If the user specifies a mountpath from the host, we should not be
// attempting to chown files outside the daemon's metadata directory
// (represented by `daemon.repository` at init time).
// This forces users who want to use user namespaces to handle the
// ownership needs of any external files mounted as network files
// (/etc/resolv.conf, /etc/hosts, /etc/hostname) separately from the
// daemon. In all other volume/bind mount situations we have taken this
// same line--we don't chown host file content.
// See GitHub PR 34224 for details.
Migrates TestContainersAPINetworkMountsNoChown to api tests This fix migrates TestContainersAPINetworkMountsNoChown from integration-cli to api tests in integration. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-02-04 12:38:04 -05:00
statT, err := system.Stat(tmpNWFileMount)
Automated migration using gty-migrate-from-testify --ignore-build-tags Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-13 15:28:34 -04:00
assert.NilError(t, err)
assert.Check(t, is.Equal(uint32(0), statT.UID()), "bind mounted network file should not change ownership from root")
Migrates TestContainersAPINetworkMountsNoChown to api tests This fix migrates TestContainersAPINetworkMountsNoChown from integration-cli to api tests in integration. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-02-04 12:38:04 -05:00
}
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
func TestMountDaemonRoot(t *testing.T) {
Simplify skip checks These tests are run on a local Linux daemon only, so no need to do a platform-check. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-03 06:32:05 -05:00
skip.If(t, testEnv.IsRemoteDaemon)
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
Integration: use testenv.APIClient() A client is already created in testenv.New(), so we can just as well use that one, instead of creating a new client. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-02 08:16:25 -05:00
defer setupTest(t)()
client := testEnv.APIClient()
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
ctx := context.Background()
info, err := client.Info(ctx)
if err != nil {
t.Fatal(err)
}
for _, test := range []struct {
desc string
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
propagation mounttypes.Propagation
expected mounttypes.Propagation
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
}{
{
desc: "default",
propagation: "",
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
expected: mounttypes.PropagationRSlave,
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
},
{
desc: "private",
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
propagation: mounttypes.PropagationPrivate,
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
},
{
desc: "rprivate",
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
propagation: mounttypes.PropagationRPrivate,
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
},
{
desc: "slave",
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
propagation: mounttypes.PropagationSlave,
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
},
{
desc: "rslave",
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
propagation: mounttypes.PropagationRSlave,
expected: mounttypes.PropagationRSlave,
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
},
{
desc: "shared",
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
propagation: mounttypes.PropagationShared,
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
},
{
desc: "rshared",
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
propagation: mounttypes.PropagationRShared,
expected: mounttypes.PropagationRShared,
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
},
} {
t.Run(test.desc, func(t *testing.T) {
test := test
t.Parallel()
propagationSpec := fmt.Sprintf(":%s", test.propagation)
if test.propagation == "" {
propagationSpec = ""
}
bindSpecRoot := info.DockerRootDir + ":" + "/foo" + propagationSpec
bindSpecSub := filepath.Join(info.DockerRootDir, "containers") + ":/foo" + propagationSpec
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
for name, hc := range map[string]*containertypes.HostConfig{
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
"bind root": {Binds: []string{bindSpecRoot}},
"bind subpath": {Binds: []string{bindSpecSub}},
"mount root": {
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
Mounts: []mounttypes.Mount{
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
{
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
Type: mounttypes.TypeBind,
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
Source: info.DockerRootDir,
Target: "/foo",
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
BindOptions: &mounttypes.BindOptions{Propagation: test.propagation},
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
},
},
},
"mount subpath": {
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
Mounts: []mounttypes.Mount{
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
{
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
Type: mounttypes.TypeBind,
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
Source: filepath.Join(info.DockerRootDir, "containers"),
Target: "/foo",
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
BindOptions: &mounttypes.BindOptions{Propagation: test.propagation},
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
},
},
},
} {
t.Run(name, func(t *testing.T) {
hc := hc
t.Parallel()
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
c, err := client.ContainerCreate(ctx, &containertypes.Config{
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
Image: "busybox",
Cmd: []string{"true"},
Accept platform spec on container create This enables image lookup when creating a container to fail when the reference exists but it is for the wrong platform. This prevents trying to run an image for the wrong platform, as can be the case with, for example binfmt_misc+qemu. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2020-03-19 16:54:48 -04:00
}, hc, nil, nil, "")
Use rslave propagation for mounts from daemon root By default, if a user requests a bind mount it uses private propagation. When the source path is a path within the daemon root this, along with some other propagation values that the user can use, causes issues when the daemon tries to remove a mountpoint because a container will then have a private reference to that mount which prevents removal. Unmouting with MNT_DETATCH can help this scenario on newer kernels, but ultimately this is just covering up the problem and doesn't actually free up the underlying resources until all references are destroyed. This change does essentially 2 things: 1. Change the default propagation when unspecified to `rslave` when the source path is within the daemon root path or a parent of the daemon root (because everything is using rbinds). 2. Creates a validation error on create when the user tries to specify an unacceptable propagation mode for these paths... basically the only two acceptable modes are `rslave` and `rshared`. In cases where we have used the new default propagation but the underlying filesystem is not setup to handle it (fs must hvae at least rshared propagation) instead of erroring out like we normally would, this falls back to the old default mode of `private`, which preserves backwards compatibility. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-18 16:55:27 -05:00
if err != nil {
if test.expected != "" {
t.Fatal(err)
}
// expected an error, so this is ok and should not continue
return
}
if test.expected == "" {
t.Fatal("expected create to fail")
}
defer func() {
if err := client.ContainerRemove(ctx, c.ID, types.ContainerRemoveOptions{Force: true}); err != nil {
panic(err)
}
}()
inspect, err := client.ContainerInspect(ctx, c.ID)
if err != nil {
t.Fatal(err)
}
if len(inspect.Mounts) != 1 {
t.Fatalf("unexpected number of mounts: %+v", inspect.Mounts)
}
m := inspect.Mounts[0]
if m.Propagation != test.expected {
t.Fatalf("got unexpected propagation mode, expected %q, got: %v", test.expected, m.Propagation)
}
})
}
})
}
}
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
func TestContainerBindMountNonRecursive(t *testing.T) {
Simplify skip checks These tests are run on a local Linux daemon only, so no need to do a platform-check. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-03 06:32:05 -05:00
skip.If(t, testEnv.IsRemoteDaemon)
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.40"), "BindOptions.NonRecursive requires API v1.40")
hack: support $DOCKER_ROOTLESS for testing rootless ``` $ DOCKER_EXPERIMENTAL=1 DOCKER_ROOTLESS=1 TEST_SKIP_INTEGRATION_CLI=1 \ make test-integration ``` test-integration-cli is unsupported currently. Also, tests that spawn custom daemon (testutil/daemon) are skipped. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-02-18 04:43:56 -05:00
skip.If(t, testEnv.IsRootless, "cannot be tested because RootlessKit executes the daemon in private mount namespace (https://github.com/rootless-containers/rootlesskit/issues/97)")
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
defer setupTest(t)()
tmpDir1 := fs.NewDir(t, "tmpdir1", fs.WithMode(0755),
fs.WithDir("mnt", fs.WithMode(0755)))
defer tmpDir1.Remove()
tmpDir1Mnt := filepath.Join(tmpDir1.Path(), "mnt")
tmpDir2 := fs.NewDir(t, "tmpdir2", fs.WithMode(0755),
fs.WithFile("file", "should not be visible when NonRecursive", fs.WithMode(0644)))
defer tmpDir2.Remove()
err := mount.Mount(tmpDir2.Path(), tmpDir1Mnt, "none", "bind,ro")
if err != nil {
t.Fatal(err)
}
defer func() {
if err := mount.Unmount(tmpDir1Mnt); err != nil {
t.Fatal(err)
}
}()
// implicit is recursive (NonRecursive: false)
implicit := mounttypes.Mount{
Type: "bind",
Source: tmpDir1.Path(),
Target: "/foo",
ReadOnly: true,
}
recursive := implicit
recursive.BindOptions = &mounttypes.BindOptions{
NonRecursive: false,
}
recursiveVerifier := []string{"test", "-f", "/foo/mnt/file"}
nonRecursive := implicit
nonRecursive.BindOptions = &mounttypes.BindOptions{
NonRecursive: true,
}
nonRecursiveVerifier := []string{"test", "!", "-f", "/foo/mnt/file"}
ctx := context.Background()
Integration: use testenv.APIClient() A client is already created in testenv.New(), so we can just as well use that one, instead of creating a new client. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-02 08:16:25 -05:00
client := testEnv.APIClient()
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
containers := []string{
integration: change container.Run signature to fix linting Line 59: warning: context.Context should be the first parameter of a function (golint) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-06-06 07:15:31 -04:00
container.Run(ctx, t, client, container.WithMount(implicit), container.WithCmd(recursiveVerifier...)),
container.Run(ctx, t, client, container.WithMount(recursive), container.WithCmd(recursiveVerifier...)),
container.Run(ctx, t, client, container.WithMount(nonRecursive), container.WithCmd(nonRecursiveVerifier...)),
mount: add BindOptions.NonRecursive (API v1.40) This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind". Swarm-mode will be supported in a separate PR because of mutual vendoring. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-10-10 06:20:13 -04:00
}
for _, c := range containers {
poll.WaitOn(t, container.IsSuccessful(ctx, client, c), poll.WithDelay(100*time.Millisecond))
}
}
Rewrite VolumesMountedAsShared/Slave as Integration tests This moves the two tests from integration-CLI to integration. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-11-07 02:06:44 -05:00
func TestContainerVolumesMountedAsShared(t *testing.T) {
// Volume propagation is linux only. Also it creates directories for
// bind mounting, so needs to be same host.
skip.If(t, testEnv.IsRemoteDaemon)
skip.If(t, testEnv.IsUserNamespace)
skip.If(t, testEnv.IsRootless, "cannot be tested because RootlessKit executes the daemon in private mount namespace (https://github.com/rootless-containers/rootlesskit/issues/97)")
defer setupTest(t)()
// Prepare a source directory to bind mount
tmpDir1 := fs.NewDir(t, "volume-source", fs.WithMode(0755),
fs.WithDir("mnt1", fs.WithMode(0755)))
defer tmpDir1.Remove()
tmpDir1Mnt := filepath.Join(tmpDir1.Path(), "mnt1")
// Convert this directory into a shared mount point so that we do
// not rely on propagation properties of parent mount.
Use specific APIs for shared mount-point behaviour Thanks to @cpuguy83 for pointing these APIs out in #41638. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-11-10 04:00:48 -05:00
if err := mount.MakePrivate(tmpDir1.Path()); err != nil {
Rewrite VolumesMountedAsShared/Slave as Integration tests This moves the two tests from integration-CLI to integration. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-11-07 02:06:44 -05:00
t.Fatal(err)
}
defer func() {
if err := mount.Unmount(tmpDir1.Path()); err != nil {
t.Fatal(err)
}
}()
Use specific APIs for shared mount-point behaviour Thanks to @cpuguy83 for pointing these APIs out in #41638. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-11-10 04:00:48 -05:00
if err := mount.MakeShared(tmpDir1.Path()); err != nil {
Rewrite VolumesMountedAsShared/Slave as Integration tests This moves the two tests from integration-CLI to integration. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-11-07 02:06:44 -05:00
t.Fatal(err)
}
sharedMount := mounttypes.Mount{
Type: mounttypes.TypeBind,
Source: tmpDir1.Path(),
Target: "/volume-dest",
BindOptions: &mounttypes.BindOptions{
Propagation: mounttypes.PropagationShared,
},
}
bindMountCmd := []string{"mount", "--bind", "/volume-dest/mnt1", "/volume-dest/mnt1"}
ctx := context.Background()
client := testEnv.APIClient()
containerID := container.Run(ctx, t, client, container.WithPrivileged(true), container.WithMount(sharedMount), container.WithCmd(bindMountCmd...))
poll.WaitOn(t, container.IsSuccessful(ctx, client, containerID), poll.WithDelay(100*time.Millisecond))
// Make sure a bind mount under a shared volume propagated to host.
if mounted, _ := mountinfo.Mounted(tmpDir1Mnt); !mounted {
t.Fatalf("Bind mount under shared volume did not propagate to host")
}
mount.Unmount(tmpDir1Mnt)
}
func TestContainerVolumesMountedAsSlave(t *testing.T) {
// Volume propagation is linux only. Also it creates directories for
// bind mounting, so needs to be same host.
skip.If(t, testEnv.IsRemoteDaemon)
skip.If(t, testEnv.IsUserNamespace)
skip.If(t, testEnv.IsRootless, "cannot be tested because RootlessKit executes the daemon in private mount namespace (https://github.com/rootless-containers/rootlesskit/issues/97)")
// Prepare a source directory to bind mount
tmpDir1 := fs.NewDir(t, "volume-source", fs.WithMode(0755),
fs.WithDir("mnt1", fs.WithMode(0755)))
defer tmpDir1.Remove()
tmpDir1Mnt := filepath.Join(tmpDir1.Path(), "mnt1")
// Prepare a source directory with file in it. We will bind mount this
// directory and see if file shows up.
tmpDir2 := fs.NewDir(t, "volume-source2", fs.WithMode(0755),
fs.WithFile("slave-testfile", "Test", fs.WithMode(0644)))
defer tmpDir2.Remove()
// Convert this directory into a shared mount point so that we do
// not rely on propagation properties of parent mount.
Use specific APIs for shared mount-point behaviour Thanks to @cpuguy83 for pointing these APIs out in #41638. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-11-10 04:00:48 -05:00
if err := mount.MakePrivate(tmpDir1.Path()); err != nil {
Rewrite VolumesMountedAsShared/Slave as Integration tests This moves the two tests from integration-CLI to integration. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-11-07 02:06:44 -05:00
t.Fatal(err)
}
defer func() {
if err := mount.Unmount(tmpDir1.Path()); err != nil {
t.Fatal(err)
}
}()
Use specific APIs for shared mount-point behaviour Thanks to @cpuguy83 for pointing these APIs out in #41638. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-11-10 04:00:48 -05:00
if err := mount.MakeShared(tmpDir1.Path()); err != nil {
Rewrite VolumesMountedAsShared/Slave as Integration tests This moves the two tests from integration-CLI to integration. Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-11-07 02:06:44 -05:00
t.Fatal(err)
}
slaveMount := mounttypes.Mount{
Type: mounttypes.TypeBind,
Source: tmpDir1.Path(),
Target: "/volume-dest",
BindOptions: &mounttypes.BindOptions{
Propagation: mounttypes.PropagationSlave,
},
}
topCmd := []string{"top"}
ctx := context.Background()
client := testEnv.APIClient()
containerID := container.Run(ctx, t, client, container.WithTty(true), container.WithMount(slaveMount), container.WithCmd(topCmd...))
// Bind mount tmpDir2/ onto tmpDir1/mnt1. If mount propagates inside
// container then contents of tmpDir2/slave-testfile should become
// visible at "/volume-dest/mnt1/slave-testfile"
if err := mount.Mount(tmpDir2.Path(), tmpDir1Mnt, "none", "bind"); err != nil {
t.Fatal(err)
}
defer func() {
if err := mount.Unmount(tmpDir1Mnt); err != nil {
t.Fatal(err)
}
}()
mountCmd := []string{"cat", "/volume-dest/mnt1/slave-testfile"}
if result, err := container.Exec(ctx, client, containerID, mountCmd); err == nil {
if result.Stdout() != "Test" {
t.Fatalf("Bind mount under slave volume did not propagate to container")
}
} else {
t.Fatal(err)
}
}
Copy permalink