2018-02-05 16:05:59 -05:00
|
|
|
package container // import "github.com/docker/docker/integration/container"
|
2017-12-18 16:02:23 -05:00
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"context"
|
|
|
|
"fmt"
|
2018-01-18 16:55:27 -05:00
|
|
|
"path/filepath"
|
2017-12-18 16:02:23 -05:00
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/docker/docker/api/types"
|
|
|
|
"github.com/docker/docker/api/types/container"
|
|
|
|
"github.com/docker/docker/api/types/mount"
|
2018-02-04 12:38:04 -05:00
|
|
|
"github.com/docker/docker/api/types/network"
|
|
|
|
"github.com/docker/docker/client"
|
2017-12-18 16:02:23 -05:00
|
|
|
"github.com/docker/docker/integration-cli/daemon"
|
2018-01-18 16:55:27 -05:00
|
|
|
"github.com/docker/docker/integration/util/request"
|
2017-12-18 16:02:23 -05:00
|
|
|
"github.com/docker/docker/pkg/stdcopy"
|
2018-02-04 12:38:04 -05:00
|
|
|
"github.com/docker/docker/pkg/system"
|
|
|
|
"github.com/gotestyourself/gotestyourself/fs"
|
|
|
|
"github.com/gotestyourself/gotestyourself/skip"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
"github.com/stretchr/testify/require"
|
2017-12-18 16:02:23 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestContainerShmNoLeak(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
d := daemon.New(t, "docker", "dockerd", daemon.Config{})
|
|
|
|
client, err := d.NewClient()
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
d.StartWithBusybox(t)
|
|
|
|
defer d.Stop(t)
|
|
|
|
|
|
|
|
ctx := context.Background()
|
|
|
|
cfg := container.Config{
|
|
|
|
Image: "busybox",
|
|
|
|
Cmd: []string{"top"},
|
|
|
|
}
|
|
|
|
|
|
|
|
ctr, err := client.ContainerCreate(ctx, &cfg, nil, nil, "")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
defer client.ContainerRemove(ctx, ctr.ID, types.ContainerRemoveOptions{Force: true})
|
|
|
|
|
|
|
|
if err := client.ContainerStart(ctx, ctr.ID, types.ContainerStartOptions{}); err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// this should recursively bind mount everything in the test daemons root
|
|
|
|
// except of course we are hoping that the previous containers /dev/shm mount did not leak into this new container
|
|
|
|
hc := container.HostConfig{
|
|
|
|
Mounts: []mount.Mount{
|
|
|
|
{
|
2018-01-18 16:55:27 -05:00
|
|
|
Type: mount.TypeBind,
|
|
|
|
Source: d.Root,
|
|
|
|
Target: "/testdaemonroot",
|
|
|
|
},
|
2017-12-18 16:02:23 -05:00
|
|
|
},
|
|
|
|
}
|
|
|
|
cfg.Cmd = []string{"/bin/sh", "-c", fmt.Sprintf("mount | grep testdaemonroot | grep containers | grep %s", ctr.ID)}
|
|
|
|
cfg.AttachStdout = true
|
|
|
|
cfg.AttachStderr = true
|
|
|
|
ctrLeak, err := client.ContainerCreate(ctx, &cfg, &hc, nil, "")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
attach, err := client.ContainerAttach(ctx, ctrLeak.ID, types.ContainerAttachOptions{
|
|
|
|
Stream: true,
|
|
|
|
Stdout: true,
|
|
|
|
Stderr: true,
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := client.ContainerStart(ctx, ctrLeak.ID, types.ContainerStartOptions{}); err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
buf := bytes.NewBuffer(nil)
|
|
|
|
|
|
|
|
if _, err := stdcopy.StdCopy(buf, buf, attach.Reader); err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
out := bytes.TrimSpace(buf.Bytes())
|
|
|
|
if !bytes.Equal(out, []byte{}) {
|
|
|
|
t.Fatalf("mount leaked: %s", string(out))
|
|
|
|
}
|
|
|
|
}
|
2018-02-04 12:38:04 -05:00
|
|
|
|
|
|
|
func TestContainerNetworkMountsNoChown(t *testing.T) {
|
|
|
|
// chown only applies to Linux bind mounted volumes; must be same host to verify
|
|
|
|
skip.If(t, testEnv.DaemonInfo.OSType != "linux" || !testEnv.IsLocalDaemon())
|
|
|
|
|
|
|
|
defer setupTest(t)()
|
|
|
|
|
|
|
|
ctx := context.Background()
|
|
|
|
|
|
|
|
tmpDir := fs.NewDir(t, "network-file-mounts", fs.WithMode(0755), fs.WithFile("nwfile", "network file bind mount", fs.WithMode(0644)))
|
|
|
|
defer tmpDir.Remove()
|
|
|
|
|
|
|
|
tmpNWFileMount := tmpDir.Join("nwfile")
|
|
|
|
|
|
|
|
config := container.Config{
|
|
|
|
Image: "busybox",
|
|
|
|
}
|
|
|
|
hostConfig := container.HostConfig{
|
|
|
|
Mounts: []mount.Mount{
|
|
|
|
{
|
|
|
|
Type: "bind",
|
|
|
|
Source: tmpNWFileMount,
|
|
|
|
Target: "/etc/resolv.conf",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: "bind",
|
|
|
|
Source: tmpNWFileMount,
|
|
|
|
Target: "/etc/hostname",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: "bind",
|
|
|
|
Source: tmpNWFileMount,
|
|
|
|
Target: "/etc/hosts",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
cli, err := client.NewEnvClient()
|
|
|
|
require.NoError(t, err)
|
|
|
|
defer cli.Close()
|
|
|
|
|
|
|
|
ctrCreate, err := cli.ContainerCreate(ctx, &config, &hostConfig, &network.NetworkingConfig{}, "")
|
|
|
|
require.NoError(t, err)
|
|
|
|
// container will exit immediately because of no tty, but we only need the start sequence to test the condition
|
|
|
|
err = cli.ContainerStart(ctx, ctrCreate.ID, types.ContainerStartOptions{})
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
2018-02-06 19:19:38 -05:00
|
|
|
// Check that host-located bind mount network file did not change ownership when the container was started
|
|
|
|
// Note: If the user specifies a mountpath from the host, we should not be
|
|
|
|
// attempting to chown files outside the daemon's metadata directory
|
|
|
|
// (represented by `daemon.repository` at init time).
|
|
|
|
// This forces users who want to use user namespaces to handle the
|
|
|
|
// ownership needs of any external files mounted as network files
|
|
|
|
// (/etc/resolv.conf, /etc/hosts, /etc/hostname) separately from the
|
|
|
|
// daemon. In all other volume/bind mount situations we have taken this
|
|
|
|
// same line--we don't chown host file content.
|
|
|
|
// See GitHub PR 34224 for details.
|
2018-02-04 12:38:04 -05:00
|
|
|
statT, err := system.Stat(tmpNWFileMount)
|
|
|
|
require.NoError(t, err)
|
|
|
|
assert.Equal(t, uint32(0), statT.UID(), "bind mounted network file should not change ownership from root")
|
|
|
|
}
|
2018-01-18 16:55:27 -05:00
|
|
|
|
|
|
|
func TestMountDaemonRoot(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
client := request.NewAPIClient(t)
|
|
|
|
ctx := context.Background()
|
|
|
|
info, err := client.Info(ctx)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, test := range []struct {
|
|
|
|
desc string
|
|
|
|
propagation mount.Propagation
|
|
|
|
expected mount.Propagation
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
desc: "default",
|
|
|
|
propagation: "",
|
|
|
|
expected: mount.PropagationRSlave,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "private",
|
|
|
|
propagation: mount.PropagationPrivate,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "rprivate",
|
|
|
|
propagation: mount.PropagationRPrivate,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "slave",
|
|
|
|
propagation: mount.PropagationSlave,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "rslave",
|
|
|
|
propagation: mount.PropagationRSlave,
|
|
|
|
expected: mount.PropagationRSlave,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "shared",
|
|
|
|
propagation: mount.PropagationShared,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "rshared",
|
|
|
|
propagation: mount.PropagationRShared,
|
|
|
|
expected: mount.PropagationRShared,
|
|
|
|
},
|
|
|
|
} {
|
|
|
|
t.Run(test.desc, func(t *testing.T) {
|
|
|
|
test := test
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
propagationSpec := fmt.Sprintf(":%s", test.propagation)
|
|
|
|
if test.propagation == "" {
|
|
|
|
propagationSpec = ""
|
|
|
|
}
|
|
|
|
bindSpecRoot := info.DockerRootDir + ":" + "/foo" + propagationSpec
|
|
|
|
bindSpecSub := filepath.Join(info.DockerRootDir, "containers") + ":/foo" + propagationSpec
|
|
|
|
|
|
|
|
for name, hc := range map[string]*container.HostConfig{
|
|
|
|
"bind root": {Binds: []string{bindSpecRoot}},
|
|
|
|
"bind subpath": {Binds: []string{bindSpecSub}},
|
|
|
|
"mount root": {
|
|
|
|
Mounts: []mount.Mount{
|
|
|
|
{
|
|
|
|
Type: mount.TypeBind,
|
|
|
|
Source: info.DockerRootDir,
|
|
|
|
Target: "/foo",
|
|
|
|
BindOptions: &mount.BindOptions{Propagation: test.propagation},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"mount subpath": {
|
|
|
|
Mounts: []mount.Mount{
|
|
|
|
{
|
|
|
|
Type: mount.TypeBind,
|
|
|
|
Source: filepath.Join(info.DockerRootDir, "containers"),
|
|
|
|
Target: "/foo",
|
|
|
|
BindOptions: &mount.BindOptions{Propagation: test.propagation},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
} {
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
hc := hc
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
c, err := client.ContainerCreate(ctx, &container.Config{
|
|
|
|
Image: "busybox",
|
|
|
|
Cmd: []string{"true"},
|
|
|
|
}, hc, nil, "")
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
if test.expected != "" {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
// expected an error, so this is ok and should not continue
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if test.expected == "" {
|
|
|
|
t.Fatal("expected create to fail")
|
|
|
|
}
|
|
|
|
|
|
|
|
defer func() {
|
|
|
|
if err := client.ContainerRemove(ctx, c.ID, types.ContainerRemoveOptions{Force: true}); err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
|
|
|
|
inspect, err := client.ContainerInspect(ctx, c.ID)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
if len(inspect.Mounts) != 1 {
|
|
|
|
t.Fatalf("unexpected number of mounts: %+v", inspect.Mounts)
|
|
|
|
}
|
|
|
|
|
|
|
|
m := inspect.Mounts[0]
|
|
|
|
if m.Propagation != test.expected {
|
|
|
|
t.Fatalf("got unexpected propagation mode, expected %q, got: %v", test.expected, m.Propagation)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|