2014-11-20 00:19:16 -05:00
// +build !windows
package main
import (
2015-04-10 23:16:42 -04:00
"bufio"
2017-09-01 15:14:59 -04:00
"context"
2016-03-29 08:24:28 -04:00
"encoding/json"
2014-11-20 00:19:16 -05:00
"fmt"
"io/ioutil"
"os"
"os/exec"
"path/filepath"
2015-11-26 07:14:09 -05:00
"regexp"
2015-09-08 14:40:55 -04:00
"strconv"
2014-11-20 00:19:16 -05:00
"strings"
2016-03-24 15:01:12 -04:00
"syscall"
2014-11-20 00:19:16 -05:00
"time"
2017-09-01 15:14:59 -04:00
"github.com/docker/docker/client"
2016-12-30 12:23:00 -05:00
"github.com/docker/docker/integration-cli/checker"
2017-03-27 11:12:48 -04:00
"github.com/docker/docker/integration-cli/cli"
2017-03-23 13:35:22 -04:00
"github.com/docker/docker/integration-cli/cli/build"
2016-01-03 17:03:39 -05:00
"github.com/docker/docker/pkg/homedir"
2014-11-20 00:19:16 -05:00
"github.com/docker/docker/pkg/mount"
2015-09-08 14:40:55 -04:00
"github.com/docker/docker/pkg/parsers"
"github.com/docker/docker/pkg/sysinfo"
2015-04-18 12:46:47 -04:00
"github.com/go-check/check"
2017-08-23 17:01:29 -04:00
"github.com/gotestyourself/gotestyourself/icmd"
2014-11-20 00:19:16 -05:00
"github.com/kr/pty"
)
// #6509
2015-04-18 12:46:47 -04:00
func ( s * DockerSuite ) TestRunRedirectStdout ( c * check . C ) {
2014-11-20 00:19:16 -05:00
checkRedirect := func ( command string ) {
_ , tty , err := pty . Open ( )
2015-11-06 16:49:16 -05:00
c . Assert ( err , checker . IsNil , check . Commentf ( "Could not open pty" ) )
2014-11-20 00:19:16 -05:00
cmd := exec . Command ( "sh" , "-c" , command )
cmd . Stdin = tty
cmd . Stdout = tty
cmd . Stderr = tty
2015-11-06 16:49:16 -05:00
c . Assert ( cmd . Start ( ) , checker . IsNil )
2015-04-27 13:29:48 -04:00
ch := make ( chan error )
2014-11-20 00:19:16 -05:00
go func ( ) {
2015-04-27 13:29:48 -04:00
ch <- cmd . Wait ( )
2014-11-20 00:19:16 -05:00
close ( ch )
} ( )
select {
case <- time . After ( 10 * time . Second ) :
2015-04-18 12:46:47 -04:00
c . Fatal ( "command timeout" )
2015-04-27 13:29:48 -04:00
case err := <- ch :
2015-11-06 16:49:16 -05:00
c . Assert ( err , checker . IsNil , check . Commentf ( "wait err" ) )
2014-11-20 00:19:16 -05:00
}
}
checkRedirect ( dockerBinary + " run -i busybox cat /etc/passwd | grep -q root" )
checkRedirect ( dockerBinary + " run busybox cat /etc/passwd | grep -q root" )
}
// Test recursive bind mount works by default
2015-04-18 12:46:47 -04:00
func ( s * DockerSuite ) TestRunWithVolumesIsRecursive ( c * check . C ) {
2015-09-18 13:41:12 -04:00
// /tmp gets permission denied
2016-02-10 22:27:02 -05:00
testRequires ( c , NotUserNamespace , SameHostDaemon )
2014-11-20 00:19:16 -05:00
tmpDir , err := ioutil . TempDir ( "" , "docker_recursive_mount_test" )
2015-11-06 16:49:16 -05:00
c . Assert ( err , checker . IsNil )
2014-11-20 00:19:16 -05:00
defer os . RemoveAll ( tmpDir )
// Create a temporary tmpfs mount.
tmpfsDir := filepath . Join ( tmpDir , "tmpfs" )
2015-11-06 16:49:16 -05:00
c . Assert ( os . MkdirAll ( tmpfsDir , 0777 ) , checker . IsNil , check . Commentf ( "failed to mkdir at %s" , tmpfsDir ) )
c . Assert ( mount . Mount ( "tmpfs" , tmpfsDir , "tmpfs" , "" ) , checker . IsNil , check . Commentf ( "failed to create a tmpfs mount at %s" , tmpfsDir ) )
2014-11-20 00:19:16 -05:00
f , err := ioutil . TempFile ( tmpfsDir , "touch-me" )
2015-11-06 16:49:16 -05:00
c . Assert ( err , checker . IsNil )
2014-11-20 00:19:16 -05:00
defer f . Close ( )
2016-12-13 15:21:51 -05:00
out , _ := dockerCmd ( c , "run" , "--name" , "test-data" , "--volume" , fmt . Sprintf ( "%s:/tmp:ro" , tmpDir ) , "busybox:latest" , "ls" , "/tmp/tmpfs" )
2015-11-06 16:49:16 -05:00
c . Assert ( out , checker . Contains , filepath . Base ( f . Name ( ) ) , check . Commentf ( "Recursive bind mount test failed. Expected file not found" ) )
2014-11-20 00:19:16 -05:00
}
2015-02-11 14:21:38 -05:00
2015-04-18 12:46:47 -04:00
func ( s * DockerSuite ) TestRunDeviceDirectory ( c * check . C ) {
2015-11-25 18:38:33 -05:00
testRequires ( c , DaemonIsLinux , NotUserNamespace , NotArm )
2015-09-16 14:43:30 -04:00
if _ , err := os . Stat ( "/dev/snd" ) ; err != nil {
c . Skip ( "Host does not have /dev/snd" )
}
2015-02-12 13:51:51 -05:00
2015-07-14 16:15:00 -04:00
out , _ := dockerCmd ( c , "run" , "--device" , "/dev/snd:/dev/snd" , "busybox" , "sh" , "-c" , "ls /dev/snd/" )
2015-11-06 16:49:16 -05:00
c . Assert ( strings . Trim ( out , "\r\n" ) , checker . Contains , "timer" , check . Commentf ( "expected output /dev/snd/timer" ) )
2015-02-12 13:51:51 -05:00
2015-07-14 16:15:00 -04:00
out , _ = dockerCmd ( c , "run" , "--device" , "/dev/snd:/dev/othersnd" , "busybox" , "sh" , "-c" , "ls /dev/othersnd/" )
2015-11-06 16:49:16 -05:00
c . Assert ( strings . Trim ( out , "\r\n" ) , checker . Contains , "seq" , check . Commentf ( "expected output /dev/othersnd/seq" ) )
2015-02-12 13:51:51 -05:00
}
2015-04-10 23:16:42 -04:00
2017-02-22 03:13:45 -05:00
// TestRunAttachDetach checks attaching and detaching with the default escape sequence.
2015-04-18 12:46:47 -04:00
func ( s * DockerSuite ) TestRunAttachDetach ( c * check . C ) {
2015-04-10 23:16:42 -04:00
name := "attach-detach"
2016-01-03 17:03:39 -05:00
dockerCmd ( c , "run" , "--name" , name , "-itd" , "busybox" , "cat" )
cmd := exec . Command ( dockerBinary , "attach" , name )
2015-04-10 23:16:42 -04:00
stdout , err := cmd . StdoutPipe ( )
2015-11-06 16:49:16 -05:00
c . Assert ( err , checker . IsNil )
2015-04-10 23:16:42 -04:00
cpty , tty , err := pty . Open ( )
2015-11-06 16:49:16 -05:00
c . Assert ( err , checker . IsNil )
2015-04-10 23:16:42 -04:00
defer cpty . Close ( )
cmd . Stdin = tty
2015-11-06 16:49:16 -05:00
c . Assert ( cmd . Start ( ) , checker . IsNil )
2015-08-11 03:41:11 -04:00
c . Assert ( waitRun ( name ) , check . IsNil )
2015-04-10 23:16:42 -04:00
2015-11-06 16:49:16 -05:00
_ , err = cpty . Write ( [ ] byte ( "hello\n" ) )
c . Assert ( err , checker . IsNil )
2015-04-10 23:16:42 -04:00
out , err := bufio . NewReader ( stdout ) . ReadString ( '\n' )
2015-11-06 16:49:16 -05:00
c . Assert ( err , checker . IsNil )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "hello" )
2015-04-10 23:16:42 -04:00
// escape sequence
2015-11-06 16:49:16 -05:00
_ , err = cpty . Write ( [ ] byte { 16 } )
c . Assert ( err , checker . IsNil )
2015-04-10 23:16:42 -04:00
time . Sleep ( 100 * time . Millisecond )
2015-11-06 16:49:16 -05:00
_ , err = cpty . Write ( [ ] byte { 17 } )
c . Assert ( err , checker . IsNil )
2015-04-10 23:16:42 -04:00
ch := make ( chan struct { } )
go func ( ) {
cmd . Wait ( )
ch <- struct { } { }
} ( )
2016-01-03 17:03:39 -05:00
select {
case <- ch :
case <- time . After ( 10 * time . Second ) :
c . Fatal ( "timed out waiting for container to exit" )
}
2016-01-28 09:19:25 -05:00
running := inspectField ( c , name , "State.Running" )
2016-01-03 17:03:39 -05:00
c . Assert ( running , checker . Equals , "true" , check . Commentf ( "expected container to still be running" ) )
2016-05-22 10:04:39 -04:00
out , _ = dockerCmd ( c , "events" , "--since=0" , "--until" , daemonUnixTime ( c ) , "-f" , "container=" + name )
// attach and detach event should be monitored
c . Assert ( out , checker . Contains , "attach" )
c . Assert ( out , checker . Contains , "detach" )
2016-01-03 17:03:39 -05:00
}
2017-02-22 03:13:45 -05:00
// TestRunAttachDetachFromFlag checks attaching and detaching with the escape sequence specified via flags.
2016-01-03 17:03:39 -05:00
func ( s * DockerSuite ) TestRunAttachDetachFromFlag ( c * check . C ) {
name := "attach-detach"
keyCtrlA := [ ] byte { 1 }
keyA := [ ] byte { 97 }
dockerCmd ( c , "run" , "--name" , name , "-itd" , "busybox" , "cat" )
2016-06-05 12:17:39 -04:00
cmd := exec . Command ( dockerBinary , "attach" , "--detach-keys=ctrl-a,a" , name )
2016-01-03 17:03:39 -05:00
stdout , err := cmd . StdoutPipe ( )
if err != nil {
c . Fatal ( err )
}
cpty , tty , err := pty . Open ( )
if err != nil {
c . Fatal ( err )
}
defer cpty . Close ( )
cmd . Stdin = tty
if err := cmd . Start ( ) ; err != nil {
c . Fatal ( err )
}
c . Assert ( waitRun ( name ) , check . IsNil )
if _ , err := cpty . Write ( [ ] byte ( "hello\n" ) ) ; err != nil {
c . Fatal ( err )
}
out , err := bufio . NewReader ( stdout ) . ReadString ( '\n' )
if err != nil {
c . Fatal ( err )
}
if strings . TrimSpace ( out ) != "hello" {
c . Fatalf ( "expected 'hello', got %q" , out )
}
// escape sequence
if _ , err := cpty . Write ( keyCtrlA ) ; err != nil {
c . Fatal ( err )
}
time . Sleep ( 100 * time . Millisecond )
if _ , err := cpty . Write ( keyA ) ; err != nil {
c . Fatal ( err )
}
ch := make ( chan struct { } )
go func ( ) {
cmd . Wait ( )
ch <- struct { } { }
} ( )
select {
case <- ch :
case <- time . After ( 10 * time . Second ) :
c . Fatal ( "timed out waiting for container to exit" )
}
2016-01-28 09:19:25 -05:00
running := inspectField ( c , name , "State.Running" )
2016-01-03 17:03:39 -05:00
c . Assert ( running , checker . Equals , "true" , check . Commentf ( "expected container to still be running" ) )
}
2017-02-22 03:13:45 -05:00
// TestRunAttachDetachFromInvalidFlag checks attaching and detaching with the escape sequence specified via flags.
2016-03-23 07:34:47 -04:00
func ( s * DockerSuite ) TestRunAttachDetachFromInvalidFlag ( c * check . C ) {
name := "attach-detach"
dockerCmd ( c , "run" , "--name" , name , "-itd" , "busybox" , "top" )
c . Assert ( waitRun ( name ) , check . IsNil )
// specify an invalid detach key, container will ignore it and use default
2016-06-05 12:17:39 -04:00
cmd := exec . Command ( dockerBinary , "attach" , "--detach-keys=ctrl-A,a" , name )
2016-03-23 07:34:47 -04:00
stdout , err := cmd . StdoutPipe ( )
if err != nil {
c . Fatal ( err )
}
cpty , tty , err := pty . Open ( )
if err != nil {
c . Fatal ( err )
}
defer cpty . Close ( )
cmd . Stdin = tty
if err := cmd . Start ( ) ; err != nil {
c . Fatal ( err )
}
2017-09-07 13:11:25 -04:00
go cmd . Wait ( )
2016-03-23 07:34:47 -04:00
bufReader := bufio . NewReader ( stdout )
out , err := bufReader . ReadString ( '\n' )
if err != nil {
c . Fatal ( err )
}
// it should print a warning to indicate the detach key flag is invalid
2017-02-21 04:41:45 -05:00
errStr := "Invalid detach keys (ctrl-A,a) provided"
2016-03-23 07:34:47 -04:00
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , errStr )
}
2017-02-22 03:13:45 -05:00
// TestRunAttachDetachFromConfig checks attaching and detaching with the escape sequence specified via config file.
2016-01-03 17:03:39 -05:00
func ( s * DockerSuite ) TestRunAttachDetachFromConfig ( c * check . C ) {
keyCtrlA := [ ] byte { 1 }
keyA := [ ] byte { 97 }
// Setup config
homeKey := homedir . Key ( )
homeVal := homedir . Get ( )
tmpDir , err := ioutil . TempDir ( "" , "fake-home" )
c . Assert ( err , checker . IsNil )
defer os . RemoveAll ( tmpDir )
dotDocker := filepath . Join ( tmpDir , ".docker" )
os . Mkdir ( dotDocker , 0600 )
tmpCfg := filepath . Join ( dotDocker , "config.json" )
defer func ( ) { os . Setenv ( homeKey , homeVal ) } ( )
os . Setenv ( homeKey , tmpDir )
data := ` {
"detachKeys" : "ctrl-a,a"
} `
err = ioutil . WriteFile ( tmpCfg , [ ] byte ( data ) , 0600 )
c . Assert ( err , checker . IsNil )
// Then do the work
name := "attach-detach"
dockerCmd ( c , "run" , "--name" , name , "-itd" , "busybox" , "cat" )
cmd := exec . Command ( dockerBinary , "attach" , name )
stdout , err := cmd . StdoutPipe ( )
if err != nil {
c . Fatal ( err )
}
cpty , tty , err := pty . Open ( )
if err != nil {
c . Fatal ( err )
}
defer cpty . Close ( )
cmd . Stdin = tty
if err := cmd . Start ( ) ; err != nil {
c . Fatal ( err )
}
c . Assert ( waitRun ( name ) , check . IsNil )
if _ , err := cpty . Write ( [ ] byte ( "hello\n" ) ) ; err != nil {
c . Fatal ( err )
}
out , err := bufio . NewReader ( stdout ) . ReadString ( '\n' )
if err != nil {
c . Fatal ( err )
}
if strings . TrimSpace ( out ) != "hello" {
c . Fatalf ( "expected 'hello', got %q" , out )
}
// escape sequence
if _ , err := cpty . Write ( keyCtrlA ) ; err != nil {
c . Fatal ( err )
}
time . Sleep ( 100 * time . Millisecond )
if _ , err := cpty . Write ( keyA ) ; err != nil {
c . Fatal ( err )
}
ch := make ( chan struct { } )
go func ( ) {
cmd . Wait ( )
ch <- struct { } { }
} ( )
select {
case <- ch :
case <- time . After ( 10 * time . Second ) :
c . Fatal ( "timed out waiting for container to exit" )
}
2016-01-28 09:19:25 -05:00
running := inspectField ( c , name , "State.Running" )
2015-11-06 16:49:16 -05:00
c . Assert ( running , checker . Equals , "true" , check . Commentf ( "expected container to still be running" ) )
2016-01-03 17:03:39 -05:00
}
2017-02-22 03:13:45 -05:00
// TestRunAttachDetachKeysOverrideConfig checks attaching and detaching with the detach flags, making sure it overrides config file
2016-01-03 17:03:39 -05:00
func ( s * DockerSuite ) TestRunAttachDetachKeysOverrideConfig ( c * check . C ) {
keyCtrlA := [ ] byte { 1 }
keyA := [ ] byte { 97 }
// Setup config
homeKey := homedir . Key ( )
homeVal := homedir . Get ( )
tmpDir , err := ioutil . TempDir ( "" , "fake-home" )
c . Assert ( err , checker . IsNil )
defer os . RemoveAll ( tmpDir )
dotDocker := filepath . Join ( tmpDir , ".docker" )
os . Mkdir ( dotDocker , 0600 )
tmpCfg := filepath . Join ( dotDocker , "config.json" )
2015-04-10 23:16:42 -04:00
2016-01-03 17:03:39 -05:00
defer func ( ) { os . Setenv ( homeKey , homeVal ) } ( )
os . Setenv ( homeKey , tmpDir )
data := ` {
"detachKeys" : "ctrl-e,e"
} `
err = ioutil . WriteFile ( tmpCfg , [ ] byte ( data ) , 0600 )
c . Assert ( err , checker . IsNil )
// Then do the work
name := "attach-detach"
dockerCmd ( c , "run" , "--name" , name , "-itd" , "busybox" , "cat" )
2016-06-05 12:17:39 -04:00
cmd := exec . Command ( dockerBinary , "attach" , "--detach-keys=ctrl-a,a" , name )
2016-01-03 17:03:39 -05:00
stdout , err := cmd . StdoutPipe ( )
if err != nil {
c . Fatal ( err )
}
cpty , tty , err := pty . Open ( )
if err != nil {
c . Fatal ( err )
}
defer cpty . Close ( )
cmd . Stdin = tty
if err := cmd . Start ( ) ; err != nil {
c . Fatal ( err )
}
c . Assert ( waitRun ( name ) , check . IsNil )
if _ , err := cpty . Write ( [ ] byte ( "hello\n" ) ) ; err != nil {
c . Fatal ( err )
}
out , err := bufio . NewReader ( stdout ) . ReadString ( '\n' )
if err != nil {
c . Fatal ( err )
}
if strings . TrimSpace ( out ) != "hello" {
c . Fatalf ( "expected 'hello', got %q" , out )
}
// escape sequence
if _ , err := cpty . Write ( keyCtrlA ) ; err != nil {
c . Fatal ( err )
}
time . Sleep ( 100 * time . Millisecond )
if _ , err := cpty . Write ( keyA ) ; err != nil {
c . Fatal ( err )
}
ch := make ( chan struct { } )
2015-04-10 23:16:42 -04:00
go func ( ) {
2016-01-03 17:03:39 -05:00
cmd . Wait ( )
ch <- struct { } { }
2015-04-10 23:16:42 -04:00
} ( )
select {
case <- ch :
2016-01-03 17:03:39 -05:00
case <- time . After ( 10 * time . Second ) :
2015-04-18 12:46:47 -04:00
c . Fatal ( "timed out waiting for container to exit" )
2015-04-10 23:16:42 -04:00
}
2016-01-03 17:03:39 -05:00
2016-01-28 09:19:25 -05:00
running := inspectField ( c , name , "State.Running" )
2016-01-03 17:03:39 -05:00
c . Assert ( running , checker . Equals , "true" , check . Commentf ( "expected container to still be running" ) )
2015-04-10 23:16:42 -04:00
}
2015-05-29 14:22:21 -04:00
2016-05-24 11:14:48 -04:00
func ( s * DockerSuite ) TestRunAttachInvalidDetachKeySequencePreserved ( c * check . C ) {
name := "attach-detach"
keyA := [ ] byte { 97 }
keyB := [ ] byte { 98 }
dockerCmd ( c , "run" , "--name" , name , "-itd" , "busybox" , "cat" )
2016-06-05 12:17:39 -04:00
cmd := exec . Command ( dockerBinary , "attach" , "--detach-keys=a,b,c" , name )
2016-05-24 11:14:48 -04:00
stdout , err := cmd . StdoutPipe ( )
if err != nil {
c . Fatal ( err )
}
cpty , tty , err := pty . Open ( )
if err != nil {
c . Fatal ( err )
}
defer cpty . Close ( )
cmd . Stdin = tty
if err := cmd . Start ( ) ; err != nil {
c . Fatal ( err )
}
2017-09-07 13:11:25 -04:00
go cmd . Wait ( )
2016-05-24 11:14:48 -04:00
c . Assert ( waitRun ( name ) , check . IsNil )
// Invalid escape sequence aba, should print aba in output
if _ , err := cpty . Write ( keyA ) ; err != nil {
c . Fatal ( err )
}
time . Sleep ( 100 * time . Millisecond )
if _ , err := cpty . Write ( keyB ) ; err != nil {
c . Fatal ( err )
}
time . Sleep ( 100 * time . Millisecond )
if _ , err := cpty . Write ( keyA ) ; err != nil {
c . Fatal ( err )
}
time . Sleep ( 100 * time . Millisecond )
if _ , err := cpty . Write ( [ ] byte ( "\n" ) ) ; err != nil {
c . Fatal ( err )
}
out , err := bufio . NewReader ( stdout ) . ReadString ( '\n' )
if err != nil {
c . Fatal ( err )
}
if strings . TrimSpace ( out ) != "aba" {
c . Fatalf ( "expected 'aba', got %q" , out )
}
}
2016-01-03 17:03:39 -05:00
// "test" should be printed
2015-11-29 19:40:47 -05:00
func ( s * DockerSuite ) TestRunWithCPUQuota ( c * check . C ) {
2015-07-22 08:59:24 -04:00
testRequires ( c , cpuCfsQuota )
2015-07-14 16:15:00 -04:00
2015-11-29 19:40:47 -05:00
file := "/sys/fs/cgroup/cpu/cpu.cfs_quota_us"
out , _ := dockerCmd ( c , "run" , "--cpu-quota" , "8000" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "8000" )
2015-05-29 14:22:21 -04:00
2016-01-28 09:19:25 -05:00
out = inspectField ( c , "test" , "HostConfig.CpuQuota" )
2015-11-06 16:49:16 -05:00
c . Assert ( out , checker . Equals , "8000" , check . Commentf ( "setting the CPU CFS quota failed" ) )
2015-05-29 14:22:21 -04:00
}
func ( s * DockerSuite ) TestRunWithCpuPeriod ( c * check . C ) {
2015-07-22 08:59:24 -04:00
testRequires ( c , cpuCfsPeriod )
2015-07-14 16:15:00 -04:00
2015-11-29 19:40:47 -05:00
file := "/sys/fs/cgroup/cpu/cpu.cfs_period_us"
out , _ := dockerCmd ( c , "run" , "--cpu-period" , "50000" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "50000" )
2015-05-29 14:22:21 -04:00
2016-04-21 02:50:25 -04:00
out , _ = dockerCmd ( c , "run" , "--cpu-period" , "0" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "100000" )
2016-01-28 09:19:25 -05:00
out = inspectField ( c , "test" , "HostConfig.CpuPeriod" )
2015-11-06 16:49:16 -05:00
c . Assert ( out , checker . Equals , "50000" , check . Commentf ( "setting the CPU CFS period failed" ) )
2015-05-29 14:22:21 -04:00
}
2015-07-08 16:30:03 -04:00
2016-04-21 02:50:25 -04:00
func ( s * DockerSuite ) TestRunWithInvalidCpuPeriod ( c * check . C ) {
testRequires ( c , cpuCfsPeriod )
out , _ , err := dockerCmdWithError ( "run" , "--cpu-period" , "900" , "busybox" , "true" )
c . Assert ( err , check . NotNil )
expected := "CPU cfs period can not be less than 1ms (i.e. 1000) or larger than 1s (i.e. 1000000)"
c . Assert ( out , checker . Contains , expected )
out , _ , err = dockerCmdWithError ( "run" , "--cpu-period" , "2000000" , "busybox" , "true" )
c . Assert ( err , check . NotNil )
c . Assert ( out , checker . Contains , expected )
out , _ , err = dockerCmdWithError ( "run" , "--cpu-period" , "-3" , "busybox" , "true" )
c . Assert ( err , check . NotNil )
c . Assert ( out , checker . Contains , expected )
}
2015-08-19 11:56:55 -04:00
func ( s * DockerSuite ) TestRunWithKernelMemory ( c * check . C ) {
testRequires ( c , kernelMemorySupport )
2015-11-27 20:47:25 -05:00
file := "/sys/fs/cgroup/memory/memory.kmem.limit_in_bytes"
2017-03-27 11:12:48 -04:00
cli . DockerCmd ( c , "run" , "--kernel-memory" , "50M" , "--name" , "test1" , "busybox" , "cat" , file ) . Assert ( c , icmd . Expected {
Out : "52428800" ,
} )
2015-08-19 11:56:55 -04:00
2017-03-27 11:12:48 -04:00
cli . InspectCmd ( c , "test1" , cli . Format ( ".HostConfig.KernelMemory" ) ) . Assert ( c , icmd . Expected {
Out : "52428800" ,
} )
2015-12-09 01:26:41 -05:00
}
func ( s * DockerSuite ) TestRunWithInvalidKernelMemory ( c * check . C ) {
testRequires ( c , kernelMemorySupport )
out , _ , err := dockerCmdWithError ( "run" , "--kernel-memory" , "2M" , "busybox" , "true" )
c . Assert ( err , check . NotNil )
expected := "Minimum kernel memory limit allowed is 4MB"
c . Assert ( out , checker . Contains , expected )
2015-09-23 20:41:35 -04:00
out , _ , err = dockerCmdWithError ( "run" , "--kernel-memory" , "-16m" , "--name" , "test2" , "busybox" , "echo" , "test" )
c . Assert ( err , check . NotNil )
2015-12-09 01:26:41 -05:00
expected = "invalid size"
2015-09-23 20:41:35 -04:00
c . Assert ( out , checker . Contains , expected )
2015-08-19 11:56:55 -04:00
}
2015-11-29 19:40:47 -05:00
func ( s * DockerSuite ) TestRunWithCPUShares ( c * check . C ) {
2015-08-23 23:37:11 -04:00
testRequires ( c , cpuShare )
2015-11-29 19:40:47 -05:00
file := "/sys/fs/cgroup/cpu/cpu.shares"
out , _ := dockerCmd ( c , "run" , "--cpu-shares" , "1000" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "1000" )
2016-01-28 09:19:25 -05:00
out = inspectField ( c , "test" , "HostConfig.CPUShares" )
2015-11-29 19:40:47 -05:00
c . Assert ( out , check . Equals , "1000" )
2015-08-23 23:37:11 -04:00
}
// "test" should be printed
func ( s * DockerSuite ) TestRunEchoStdoutWithCPUSharesAndMemoryLimit ( c * check . C ) {
testRequires ( c , cpuShare )
testRequires ( c , memoryLimitSupport )
2017-03-27 11:12:48 -04:00
cli . DockerCmd ( c , "run" , "--cpu-shares" , "1000" , "-m" , "32m" , "busybox" , "echo" , "test" ) . Assert ( c , icmd . Expected {
Out : "test\n" ,
} )
2015-08-23 23:37:11 -04:00
}
func ( s * DockerSuite ) TestRunWithCpusetCpus ( c * check . C ) {
testRequires ( c , cgroupCpuset )
2015-11-29 19:40:47 -05:00
file := "/sys/fs/cgroup/cpuset/cpuset.cpus"
out , _ := dockerCmd ( c , "run" , "--cpuset-cpus" , "0" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "0" )
2016-01-28 09:19:25 -05:00
out = inspectField ( c , "test" , "HostConfig.CpusetCpus" )
2015-11-29 19:40:47 -05:00
c . Assert ( out , check . Equals , "0" )
2015-08-23 23:37:11 -04:00
}
func ( s * DockerSuite ) TestRunWithCpusetMems ( c * check . C ) {
testRequires ( c , cgroupCpuset )
2015-11-29 19:40:47 -05:00
file := "/sys/fs/cgroup/cpuset/cpuset.mems"
out , _ := dockerCmd ( c , "run" , "--cpuset-mems" , "0" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "0" )
2016-01-28 09:19:25 -05:00
out = inspectField ( c , "test" , "HostConfig.CpusetMems" )
2015-11-29 19:40:47 -05:00
c . Assert ( out , check . Equals , "0" )
2015-08-23 23:37:11 -04:00
}
func ( s * DockerSuite ) TestRunWithBlkioWeight ( c * check . C ) {
testRequires ( c , blkioWeight )
2015-11-29 19:40:47 -05:00
file := "/sys/fs/cgroup/blkio/blkio.weight"
out , _ := dockerCmd ( c , "run" , "--blkio-weight" , "300" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "300" )
2016-01-28 09:19:25 -05:00
out = inspectField ( c , "test" , "HostConfig.BlkioWeight" )
2015-11-29 19:40:47 -05:00
c . Assert ( out , check . Equals , "300" )
2015-08-23 23:37:11 -04:00
}
2015-12-18 00:34:25 -05:00
func ( s * DockerSuite ) TestRunWithInvalidBlkioWeight ( c * check . C ) {
2015-08-23 23:37:11 -04:00
testRequires ( c , blkioWeight )
2015-10-14 04:20:52 -04:00
out , _ , err := dockerCmdWithError ( "run" , "--blkio-weight" , "5" , "busybox" , "true" )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
expected := "Range of blkio weight is from 10 to 1000"
c . Assert ( out , checker . Contains , expected )
2015-08-23 23:37:11 -04:00
}
2015-12-18 00:34:25 -05:00
func ( s * DockerSuite ) TestRunWithInvalidPathforBlkioWeightDevice ( c * check . C ) {
2015-06-11 20:34:20 -04:00
testRequires ( c , blkioWeight )
2015-12-18 00:34:25 -05:00
out , _ , err := dockerCmdWithError ( "run" , "--blkio-weight-device" , "/dev/sdX:100" , "busybox" , "true" )
2015-06-11 20:34:20 -04:00
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
}
2015-12-18 00:34:25 -05:00
func ( s * DockerSuite ) TestRunWithInvalidPathforBlkioDeviceReadBps ( c * check . C ) {
2015-07-08 07:06:48 -04:00
testRequires ( c , blkioWeight )
2015-12-16 11:58:31 -05:00
out , _ , err := dockerCmdWithError ( "run" , "--device-read-bps" , "/dev/sdX:500" , "busybox" , "true" )
2015-07-08 07:06:48 -04:00
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
}
2015-12-18 00:34:25 -05:00
func ( s * DockerSuite ) TestRunWithInvalidPathforBlkioDeviceWriteBps ( c * check . C ) {
2015-07-08 07:06:48 -04:00
testRequires ( c , blkioWeight )
2015-12-16 11:58:31 -05:00
out , _ , err := dockerCmdWithError ( "run" , "--device-write-bps" , "/dev/sdX:500" , "busybox" , "true" )
2015-07-08 07:06:48 -04:00
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
}
2015-12-18 00:34:25 -05:00
func ( s * DockerSuite ) TestRunWithInvalidPathforBlkioDeviceReadIOps ( c * check . C ) {
2015-07-08 07:06:48 -04:00
testRequires ( c , blkioWeight )
out , _ , err := dockerCmdWithError ( "run" , "--device-read-iops" , "/dev/sdX:500" , "busybox" , "true" )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
}
2015-12-18 00:34:25 -05:00
func ( s * DockerSuite ) TestRunWithInvalidPathforBlkioDeviceWriteIOps ( c * check . C ) {
2015-07-08 07:06:48 -04:00
testRequires ( c , blkioWeight )
out , _ , err := dockerCmdWithError ( "run" , "--device-write-iops" , "/dev/sdX:500" , "busybox" , "true" )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
}
2015-07-08 16:30:03 -04:00
func ( s * DockerSuite ) TestRunOOMExitCode ( c * check . C ) {
2018-03-08 17:57:23 -05:00
testRequires ( c , memoryLimitSupport , swapMemorySupport , NotPpc64le )
2015-07-08 16:30:03 -04:00
errChan := make ( chan error )
go func ( ) {
defer close ( errChan )
2016-08-24 06:09:35 -04:00
out , exitCode , _ := dockerCmdWithError ( "run" , "-m" , "4MB" , "busybox" , "sh" , "-c" , "x=a; while true; do x=$x$x$x$x; done" )
2015-07-08 16:30:03 -04:00
if expected := 137 ; exitCode != expected {
errChan <- fmt . Errorf ( "wrong exit code for OOM container: expected %d, got %d (output: %q)" , expected , exitCode , out )
}
} ( )
select {
case err := <- errChan :
c . Assert ( err , check . IsNil )
2015-02-24 13:33:18 -05:00
case <- time . After ( 600 * time . Second ) :
2015-07-08 16:30:03 -04:00
c . Fatal ( "Timeout waiting for container to die on OOM" )
}
}
2015-11-29 19:40:47 -05:00
func ( s * DockerSuite ) TestRunWithMemoryLimit ( c * check . C ) {
2015-08-23 23:37:11 -04:00
testRequires ( c , memoryLimitSupport )
2015-11-29 19:40:47 -05:00
file := "/sys/fs/cgroup/memory/memory.limit_in_bytes"
2017-03-27 11:12:48 -04:00
cli . DockerCmd ( c , "run" , "-m" , "32M" , "--name" , "test" , "busybox" , "cat" , file ) . Assert ( c , icmd . Expected {
Out : "33554432" ,
} )
cli . InspectCmd ( c , "test" , cli . Format ( ".HostConfig.Memory" ) ) . Assert ( c , icmd . Expected {
Out : "33554432" ,
} )
2015-08-23 23:37:11 -04:00
}
2015-09-17 20:28:36 -04:00
// TestRunWithoutMemoryswapLimit sets memory limit and disables swap
// memory limit, this means the processes in the container can use
// 16M memory and as much swap memory as they need (if the host
// supports swap memory).
2015-08-23 23:37:11 -04:00
func ( s * DockerSuite ) TestRunWithoutMemoryswapLimit ( c * check . C ) {
2015-11-04 19:40:58 -05:00
testRequires ( c , DaemonIsLinux )
2015-08-23 23:37:11 -04:00
testRequires ( c , memoryLimitSupport )
testRequires ( c , swapMemorySupport )
2015-02-24 13:33:18 -05:00
dockerCmd ( c , "run" , "-m" , "32m" , "--memory-swap" , "-1" , "busybox" , "true" )
2015-08-23 23:37:11 -04:00
}
func ( s * DockerSuite ) TestRunWithSwappiness ( c * check . C ) {
testRequires ( c , memorySwappinessSupport )
2015-11-29 19:40:47 -05:00
file := "/sys/fs/cgroup/memory/memory.swappiness"
out , _ := dockerCmd ( c , "run" , "--memory-swappiness" , "0" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "0" )
2016-01-28 09:19:25 -05:00
out = inspectField ( c , "test" , "HostConfig.MemorySwappiness" )
2015-11-29 19:40:47 -05:00
c . Assert ( out , check . Equals , "0" )
2015-08-23 23:37:11 -04:00
}
func ( s * DockerSuite ) TestRunWithSwappinessInvalid ( c * check . C ) {
testRequires ( c , memorySwappinessSupport )
out , _ , err := dockerCmdWithError ( "run" , "--memory-swappiness" , "101" , "busybox" , "true" )
2015-09-28 06:13:21 -04:00
c . Assert ( err , check . NotNil )
expected := "Valid memory swappiness range is 0-100"
c . Assert ( out , checker . Contains , expected , check . Commentf ( "Expected output to contain %q, not %q" , out , expected ) )
out , _ , err = dockerCmdWithError ( "run" , "--memory-swappiness" , "-10" , "busybox" , "true" )
c . Assert ( err , check . NotNil )
c . Assert ( out , checker . Contains , expected , check . Commentf ( "Expected output to contain %q, not %q" , out , expected ) )
2015-08-23 23:37:11 -04:00
}
2015-08-04 16:51:48 -04:00
2015-09-23 02:02:45 -04:00
func ( s * DockerSuite ) TestRunWithMemoryReservation ( c * check . C ) {
2017-09-11 10:23:59 -04:00
testRequires ( c , SameHostDaemon , memoryReservationSupport )
2015-11-29 19:40:47 -05:00
file := "/sys/fs/cgroup/memory/memory.soft_limit_in_bytes"
out , _ := dockerCmd ( c , "run" , "--memory-reservation" , "200M" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "209715200" )
2016-01-28 09:19:25 -05:00
out = inspectField ( c , "test" , "HostConfig.MemoryReservation" )
2015-11-29 19:40:47 -05:00
c . Assert ( out , check . Equals , "209715200" )
2015-09-23 02:02:45 -04:00
}
func ( s * DockerSuite ) TestRunWithMemoryReservationInvalid ( c * check . C ) {
testRequires ( c , memoryLimitSupport )
2017-09-11 10:23:59 -04:00
testRequires ( c , SameHostDaemon , memoryReservationSupport )
2015-09-23 02:02:45 -04:00
out , _ , err := dockerCmdWithError ( "run" , "-m" , "500M" , "--memory-reservation" , "800M" , "busybox" , "true" )
c . Assert ( err , check . NotNil )
2016-07-11 06:29:17 -04:00
expected := "Minimum memory limit can not be less than memory reservation limit"
2015-11-06 16:49:16 -05:00
c . Assert ( strings . TrimSpace ( out ) , checker . Contains , expected , check . Commentf ( "run container should fail with invalid memory reservation" ) )
2016-04-05 21:37:51 -04:00
out , _ , err = dockerCmdWithError ( "run" , "--memory-reservation" , "1k" , "busybox" , "true" )
c . Assert ( err , check . NotNil )
expected = "Minimum memory reservation allowed is 4MB"
c . Assert ( strings . TrimSpace ( out ) , checker . Contains , expected , check . Commentf ( "run container should fail with invalid memory reservation" ) )
2015-09-23 02:02:45 -04:00
}
2015-08-04 16:51:48 -04:00
func ( s * DockerSuite ) TestStopContainerSignal ( c * check . C ) {
out , _ := dockerCmd ( c , "run" , "--stop-signal" , "SIGUSR1" , "-d" , "busybox" , "/bin/sh" , "-c" , ` trap 'echo "exit trapped"; exit 0' USR1; while true; do sleep 1; done ` )
containerID := strings . TrimSpace ( out )
2015-11-06 16:49:16 -05:00
c . Assert ( waitRun ( containerID ) , checker . IsNil )
2015-08-04 16:51:48 -04:00
dockerCmd ( c , "stop" , containerID )
out , _ = dockerCmd ( c , "logs" , containerID )
2015-11-06 16:49:16 -05:00
c . Assert ( out , checker . Contains , "exit trapped" , check . Commentf ( "Expected `exit trapped` in the log" ) )
2015-08-04 16:51:48 -04:00
}
2015-09-21 10:12:19 -04:00
func ( s * DockerSuite ) TestRunSwapLessThanMemoryLimit ( c * check . C ) {
testRequires ( c , memoryLimitSupport )
testRequires ( c , swapMemorySupport )
out , _ , err := dockerCmdWithError ( "run" , "-m" , "16m" , "--memory-swap" , "15m" , "busybox" , "echo" , "test" )
expected := "Minimum memoryswap limit should be larger than memory limit"
c . Assert ( err , check . NotNil )
2015-11-06 16:49:16 -05:00
c . Assert ( out , checker . Contains , expected )
2015-09-21 10:12:19 -04:00
}
2015-09-08 14:40:55 -04:00
func ( s * DockerSuite ) TestRunInvalidCpusetCpusFlagValue ( c * check . C ) {
2016-02-10 22:27:02 -05:00
testRequires ( c , cgroupCpuset , SameHostDaemon )
2015-09-08 14:40:55 -04:00
sysInfo := sysinfo . New ( true )
cpus , err := parsers . ParseUintList ( sysInfo . Cpus )
c . Assert ( err , check . IsNil )
var invalid int
for i := 0 ; i <= len ( cpus ) + 1 ; i ++ {
if ! cpus [ i ] {
invalid = i
break
}
}
out , _ , err := dockerCmdWithError ( "run" , "--cpuset-cpus" , strconv . Itoa ( invalid ) , "busybox" , "true" )
c . Assert ( err , check . NotNil )
2015-07-29 08:21:16 -04:00
expected := fmt . Sprintf ( "Error response from daemon: Requested CPUs are not available - requested %s, available: %s" , strconv . Itoa ( invalid ) , sysInfo . Cpus )
2015-11-06 16:49:16 -05:00
c . Assert ( out , checker . Contains , expected )
2015-09-08 14:40:55 -04:00
}
func ( s * DockerSuite ) TestRunInvalidCpusetMemsFlagValue ( c * check . C ) {
testRequires ( c , cgroupCpuset )
sysInfo := sysinfo . New ( true )
mems , err := parsers . ParseUintList ( sysInfo . Mems )
c . Assert ( err , check . IsNil )
var invalid int
for i := 0 ; i <= len ( mems ) + 1 ; i ++ {
if ! mems [ i ] {
invalid = i
break
}
}
out , _ , err := dockerCmdWithError ( "run" , "--cpuset-mems" , strconv . Itoa ( invalid ) , "busybox" , "true" )
c . Assert ( err , check . NotNil )
2015-07-29 08:21:16 -04:00
expected := fmt . Sprintf ( "Error response from daemon: Requested memory nodes are not available - requested %s, available: %s" , strconv . Itoa ( invalid ) , sysInfo . Mems )
2015-11-06 16:49:16 -05:00
c . Assert ( out , checker . Contains , expected )
2015-09-08 14:40:55 -04:00
}
2015-10-07 22:04:51 -04:00
func ( s * DockerSuite ) TestRunInvalidCPUShares ( c * check . C ) {
2015-11-04 19:40:58 -05:00
testRequires ( c , cpuShare , DaemonIsLinux )
2015-10-07 22:04:51 -04:00
out , _ , err := dockerCmdWithError ( "run" , "--cpu-shares" , "1" , "busybox" , "echo" , "test" )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
expected := "The minimum allowed cpu-shares is 2"
c . Assert ( out , checker . Contains , expected )
out , _ , err = dockerCmdWithError ( "run" , "--cpu-shares" , "-1" , "busybox" , "echo" , "test" )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
expected = "shares: invalid argument"
c . Assert ( out , checker . Contains , expected )
out , _ , err = dockerCmdWithError ( "run" , "--cpu-shares" , "99999999" , "busybox" , "echo" , "test" )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
expected = "The maximum allowed cpu-shares is"
c . Assert ( out , checker . Contains , expected )
}
2015-11-26 07:14:09 -05:00
func ( s * DockerSuite ) TestRunWithDefaultShmSize ( c * check . C ) {
testRequires ( c , DaemonIsLinux )
name := "shm-default"
out , _ := dockerCmd ( c , "run" , "--name" , name , "busybox" , "mount" )
shmRegex := regexp . MustCompile ( ` shm on /dev/shm type tmpfs(.*)size=65536k ` )
if ! shmRegex . MatchString ( out ) {
c . Fatalf ( "Expected shm of 64MB in mount command, got %v" , out )
}
2016-01-28 09:19:25 -05:00
shmSize := inspectField ( c , name , "HostConfig.ShmSize" )
2015-11-26 07:14:09 -05:00
c . Assert ( shmSize , check . Equals , "67108864" )
}
func ( s * DockerSuite ) TestRunWithShmSize ( c * check . C ) {
testRequires ( c , DaemonIsLinux )
name := "shm"
out , _ := dockerCmd ( c , "run" , "--name" , name , "--shm-size=1G" , "busybox" , "mount" )
shmRegex := regexp . MustCompile ( ` shm on /dev/shm type tmpfs(.*)size=1048576k ` )
if ! shmRegex . MatchString ( out ) {
c . Fatalf ( "Expected shm of 1GB in mount command, got %v" , out )
}
2016-01-28 09:19:25 -05:00
shmSize := inspectField ( c , name , "HostConfig.ShmSize" )
2015-11-26 07:14:09 -05:00
c . Assert ( shmSize , check . Equals , "1073741824" )
}
2015-12-01 13:39:34 -05:00
2016-04-26 04:20:17 -04:00
func ( s * DockerSuite ) TestRunTmpfsMountsEnsureOrdered ( c * check . C ) {
tmpFile , err := ioutil . TempFile ( "" , "test" )
c . Assert ( err , check . IsNil )
defer tmpFile . Close ( )
out , _ := dockerCmd ( c , "run" , "--tmpfs" , "/run" , "-v" , tmpFile . Name ( ) + ":/run/test" , "busybox" , "ls" , "/run" )
c . Assert ( out , checker . Contains , "test" )
}
2015-12-01 13:39:34 -05:00
func ( s * DockerSuite ) TestRunTmpfsMounts ( c * check . C ) {
2016-04-06 17:01:12 -04:00
// TODO Windows (Post TP5): This test cannot run on a Windows daemon as
2015-12-01 13:39:34 -05:00
// Windows does not support tmpfs mounts.
testRequires ( c , DaemonIsLinux )
if out , _ , err := dockerCmdWithError ( "run" , "--tmpfs" , "/run" , "busybox" , "touch" , "/run/somefile" ) ; err != nil {
c . Fatalf ( "/run directory not mounted on tmpfs %q %s" , err , out )
}
2015-12-22 13:59:28 -05:00
if out , _ , err := dockerCmdWithError ( "run" , "--tmpfs" , "/run:noexec" , "busybox" , "touch" , "/run/somefile" ) ; err != nil {
c . Fatalf ( "/run directory not mounted on tmpfs %q %s" , err , out )
}
2015-12-01 13:39:34 -05:00
if out , _ , err := dockerCmdWithError ( "run" , "--tmpfs" , "/run:noexec,nosuid,rw,size=5k,mode=700" , "busybox" , "touch" , "/run/somefile" ) ; err != nil {
c . Fatalf ( "/run failed to mount on tmpfs with valid options %q %s" , err , out )
}
if _ , _ , err := dockerCmdWithError ( "run" , "--tmpfs" , "/run:foobar" , "busybox" , "touch" , "/run/somefile" ) ; err == nil {
c . Fatalf ( "/run mounted on tmpfs when it should have vailed within invalid mount option" )
}
if _ , _ , err := dockerCmdWithError ( "run" , "--tmpfs" , "/run" , "-v" , "/run:/run" , "busybox" , "touch" , "/run/somefile" ) ; err == nil {
c . Fatalf ( "Should have generated an error saying Duplicate mount points" )
}
}
2015-12-07 20:14:52 -05:00
2016-06-06 05:57:11 -04:00
func ( s * DockerSuite ) TestRunTmpfsMountsOverrideImageVolumes ( c * check . C ) {
name := "img-with-volumes"
2017-03-23 13:35:22 -04:00
buildImageSuccessfully ( c , name , build . WithDockerfile ( `
2016-06-06 05:57:11 -04:00
FROM busybox
VOLUME / run
RUN touch / run / stuff
2017-01-16 05:30:14 -05:00
` ) )
2016-06-06 05:57:11 -04:00
out , _ := dockerCmd ( c , "run" , "--tmpfs" , "/run" , name , "ls" , "/run" )
c . Assert ( out , checker . Not ( checker . Contains ) , "stuff" )
}
Inconsistent --tmpfs behavior
This fix tries to address the issue raised in #22420. When
`--tmpfs` is specified with `/tmp`, the default value is
`rw,nosuid,nodev,noexec,relatime,size=65536k`. When `--tmpfs`
is specified with `/tmp:rw`, then the value changed to
`rw,nosuid,nodev,noexec,relatime`.
The reason for such an inconsistency is because docker tries
to add `size=65536k` option only when user provides no option.
This fix tries to address this issue by always pre-progating
`size=65536k` along with `rw,nosuid,nodev,noexec,relatime`.
If user provides a different value (e.g., `size=8192k`), it
will override the `size=65536k` anyway since the combined
options will be parsed and merged to remove any duplicates.
Additional test cases have been added to cover the changes
in this fix.
This fix fixes #22420.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-04-30 22:42:19 -04:00
// Test case for #22420
func ( s * DockerSuite ) TestRunTmpfsMountsWithOptions ( c * check . C ) {
testRequires ( c , DaemonIsLinux )
2016-06-09 03:12:34 -04:00
expectedOptions := [ ] string { "rw" , "nosuid" , "nodev" , "noexec" , "relatime" }
Inconsistent --tmpfs behavior
This fix tries to address the issue raised in #22420. When
`--tmpfs` is specified with `/tmp`, the default value is
`rw,nosuid,nodev,noexec,relatime,size=65536k`. When `--tmpfs`
is specified with `/tmp:rw`, then the value changed to
`rw,nosuid,nodev,noexec,relatime`.
The reason for such an inconsistency is because docker tries
to add `size=65536k` option only when user provides no option.
This fix tries to address this issue by always pre-progating
`size=65536k` along with `rw,nosuid,nodev,noexec,relatime`.
If user provides a different value (e.g., `size=8192k`), it
will override the `size=65536k` anyway since the combined
options will be parsed and merged to remove any duplicates.
Additional test cases have been added to cover the changes
in this fix.
This fix fixes #22420.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-04-30 22:42:19 -04:00
out , _ := dockerCmd ( c , "run" , "--tmpfs" , "/tmp" , "busybox" , "sh" , "-c" , "mount | grep 'tmpfs on /tmp'" )
for _ , option := range expectedOptions {
c . Assert ( out , checker . Contains , option )
}
2016-06-09 03:12:34 -04:00
c . Assert ( out , checker . Not ( checker . Contains ) , "size=" )
Inconsistent --tmpfs behavior
This fix tries to address the issue raised in #22420. When
`--tmpfs` is specified with `/tmp`, the default value is
`rw,nosuid,nodev,noexec,relatime,size=65536k`. When `--tmpfs`
is specified with `/tmp:rw`, then the value changed to
`rw,nosuid,nodev,noexec,relatime`.
The reason for such an inconsistency is because docker tries
to add `size=65536k` option only when user provides no option.
This fix tries to address this issue by always pre-progating
`size=65536k` along with `rw,nosuid,nodev,noexec,relatime`.
If user provides a different value (e.g., `size=8192k`), it
will override the `size=65536k` anyway since the combined
options will be parsed and merged to remove any duplicates.
Additional test cases have been added to cover the changes
in this fix.
This fix fixes #22420.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-04-30 22:42:19 -04:00
2016-06-09 03:12:34 -04:00
expectedOptions = [ ] string { "rw" , "nosuid" , "nodev" , "noexec" , "relatime" }
Inconsistent --tmpfs behavior
This fix tries to address the issue raised in #22420. When
`--tmpfs` is specified with `/tmp`, the default value is
`rw,nosuid,nodev,noexec,relatime,size=65536k`. When `--tmpfs`
is specified with `/tmp:rw`, then the value changed to
`rw,nosuid,nodev,noexec,relatime`.
The reason for such an inconsistency is because docker tries
to add `size=65536k` option only when user provides no option.
This fix tries to address this issue by always pre-progating
`size=65536k` along with `rw,nosuid,nodev,noexec,relatime`.
If user provides a different value (e.g., `size=8192k`), it
will override the `size=65536k` anyway since the combined
options will be parsed and merged to remove any duplicates.
Additional test cases have been added to cover the changes
in this fix.
This fix fixes #22420.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-04-30 22:42:19 -04:00
out , _ = dockerCmd ( c , "run" , "--tmpfs" , "/tmp:rw" , "busybox" , "sh" , "-c" , "mount | grep 'tmpfs on /tmp'" )
for _ , option := range expectedOptions {
c . Assert ( out , checker . Contains , option )
}
2016-06-09 03:12:34 -04:00
c . Assert ( out , checker . Not ( checker . Contains ) , "size=" )
Inconsistent --tmpfs behavior
This fix tries to address the issue raised in #22420. When
`--tmpfs` is specified with `/tmp`, the default value is
`rw,nosuid,nodev,noexec,relatime,size=65536k`. When `--tmpfs`
is specified with `/tmp:rw`, then the value changed to
`rw,nosuid,nodev,noexec,relatime`.
The reason for such an inconsistency is because docker tries
to add `size=65536k` option only when user provides no option.
This fix tries to address this issue by always pre-progating
`size=65536k` along with `rw,nosuid,nodev,noexec,relatime`.
If user provides a different value (e.g., `size=8192k`), it
will override the `size=65536k` anyway since the combined
options will be parsed and merged to remove any duplicates.
Additional test cases have been added to cover the changes
in this fix.
This fix fixes #22420.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-04-30 22:42:19 -04:00
expectedOptions = [ ] string { "rw" , "nosuid" , "nodev" , "relatime" , "size=8192k" }
out , _ = dockerCmd ( c , "run" , "--tmpfs" , "/tmp:rw,exec,size=8192k" , "busybox" , "sh" , "-c" , "mount | grep 'tmpfs on /tmp'" )
for _ , option := range expectedOptions {
c . Assert ( out , checker . Contains , option )
}
expectedOptions = [ ] string { "rw" , "nosuid" , "nodev" , "noexec" , "relatime" , "size=4096k" }
out , _ = dockerCmd ( c , "run" , "--tmpfs" , "/tmp:rw,size=8192k,exec,size=4096k,noexec" , "busybox" , "sh" , "-c" , "mount | grep 'tmpfs on /tmp'" )
for _ , option := range expectedOptions {
c . Assert ( out , checker . Contains , option )
}
// We use debian:jessie as there is no findmnt in busybox. Also the output will be in the format of
// TARGET PROPAGATION
// /tmp shared
// so we only capture `shared` here.
expectedOptions = [ ] string { "shared" }
out , _ = dockerCmd ( c , "run" , "--tmpfs" , "/tmp:shared" , "debian:jessie" , "findmnt" , "-o" , "TARGET,PROPAGATION" , "/tmp" )
for _ , option := range expectedOptions {
c . Assert ( out , checker . Contains , option )
}
}
2016-03-29 08:24:28 -04:00
func ( s * DockerSuite ) TestRunSysctls ( c * check . C ) {
testRequires ( c , DaemonIsLinux )
var err error
out , _ := dockerCmd ( c , "run" , "--sysctl" , "net.ipv4.ip_forward=1" , "--name" , "test" , "busybox" , "cat" , "/proc/sys/net/ipv4/ip_forward" )
c . Assert ( strings . TrimSpace ( out ) , check . Equals , "1" )
out = inspectFieldJSON ( c , "test" , "HostConfig.Sysctls" )
sysctls := make ( map [ string ] string )
err = json . Unmarshal ( [ ] byte ( out ) , & sysctls )
c . Assert ( err , check . IsNil )
c . Assert ( sysctls [ "net.ipv4.ip_forward" ] , check . Equals , "1" )
out , _ = dockerCmd ( c , "run" , "--sysctl" , "net.ipv4.ip_forward=0" , "--name" , "test1" , "busybox" , "cat" , "/proc/sys/net/ipv4/ip_forward" )
c . Assert ( strings . TrimSpace ( out ) , check . Equals , "0" )
out = inspectFieldJSON ( c , "test1" , "HostConfig.Sysctls" )
err = json . Unmarshal ( [ ] byte ( out ) , & sysctls )
c . Assert ( err , check . IsNil )
c . Assert ( sysctls [ "net.ipv4.ip_forward" ] , check . Equals , "0" )
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--sysctl" , "kernel.foobar=1" , "--name" , "test2" ,
"busybox" , "cat" , "/proc/sys/kernel/foobar" ) . Assert ( c , icmd . Expected {
2017-01-05 13:08:24 -05:00
ExitCode : 125 ,
2017-01-05 06:38:34 -05:00
Err : "invalid argument" ,
} )
2016-03-29 08:24:28 -04:00
}
2016-03-15 18:34:29 -04:00
// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp=/tmp/profile.json debian:jessie unshare' exits with operation not permitted.
2015-12-07 20:14:52 -05:00
func ( s * DockerSuite ) TestRunSeccompProfileDenyUnshare ( c * check . C ) {
2016-01-26 05:57:14 -05:00
testRequires ( c , SameHostDaemon , seccompEnabled , NotArm , Apparmor )
2015-12-07 20:14:52 -05:00
jsonData := ` {
"defaultAction" : "SCMP_ACT_ALLOW" ,
"syscalls" : [
{
"name" : "unshare" ,
"action" : "SCMP_ACT_ERRNO"
}
]
} `
tmpFile , err := ioutil . TempFile ( "" , "profile.json" )
if err != nil {
c . Fatal ( err )
}
2016-10-13 19:07:08 -04:00
defer tmpFile . Close ( )
2015-12-07 20:14:52 -05:00
if _ , err := tmpFile . Write ( [ ] byte ( jsonData ) ) ; err != nil {
c . Fatal ( err )
}
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--security-opt" , "apparmor=unconfined" ,
"--security-opt" , "seccomp=" + tmpFile . Name ( ) ,
"debian:jessie" , "unshare" , "-p" , "-m" , "-f" , "-r" , "mount" , "-t" , "proc" , "none" , "/proc" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2015-12-07 20:14:52 -05:00
}
2016-03-15 18:34:29 -04:00
// TestRunSeccompProfileDenyChmod checks that 'docker run --security-opt seccomp=/tmp/profile.json busybox chmod 400 /etc/hostname' exits with operation not permitted.
2015-12-07 20:14:52 -05:00
func ( s * DockerSuite ) TestRunSeccompProfileDenyChmod ( c * check . C ) {
testRequires ( c , SameHostDaemon , seccompEnabled )
jsonData := ` {
"defaultAction" : "SCMP_ACT_ALLOW" ,
"syscalls" : [
{
"name" : "chmod" ,
"action" : "SCMP_ACT_ERRNO"
2016-07-04 07:00:35 -04:00
} ,
{
"name" : "fchmod" ,
"action" : "SCMP_ACT_ERRNO"
} ,
{
"name" : "fchmodat" ,
"action" : "SCMP_ACT_ERRNO"
2015-12-07 20:14:52 -05:00
}
]
} `
tmpFile , err := ioutil . TempFile ( "" , "profile.json" )
2016-04-26 04:20:17 -04:00
c . Assert ( err , check . IsNil )
2015-12-07 20:14:52 -05:00
defer tmpFile . Close ( )
if _ , err := tmpFile . Write ( [ ] byte ( jsonData ) ) ; err != nil {
c . Fatal ( err )
}
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--security-opt" , "seccomp=" + tmpFile . Name ( ) ,
"busybox" , "chmod" , "400" , "/etc/hostname" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2015-12-07 20:14:52 -05:00
}
2015-12-18 13:01:58 -05:00
2015-12-30 12:49:10 -05:00
// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run debian:jessie unshare --map-root-user --user sh -c whoami' with a specific profile to
2016-12-02 11:41:26 -05:00
// deny unshare of a userns exits with operation not permitted.
2015-12-21 17:42:58 -05:00
func ( s * DockerSuite ) TestRunSeccompProfileDenyUnshareUserns ( c * check . C ) {
2016-01-26 05:57:14 -05:00
testRequires ( c , SameHostDaemon , seccompEnabled , NotArm , Apparmor )
2015-12-18 13:01:58 -05:00
// from sched.h
jsonData := fmt . Sprintf ( ` {
"defaultAction" : "SCMP_ACT_ALLOW" ,
"syscalls" : [
{
"name" : "unshare" ,
"action" : "SCMP_ACT_ERRNO" ,
"args" : [
{
"index" : 0 ,
"value" : % d ,
"op" : "SCMP_CMP_EQ"
}
]
}
]
} ` , uint64 ( 0x10000000 ) )
tmpFile , err := ioutil . TempFile ( "" , "profile.json" )
if err != nil {
c . Fatal ( err )
}
2016-10-13 19:07:08 -04:00
defer tmpFile . Close ( )
2015-12-18 13:01:58 -05:00
if _ , err := tmpFile . Write ( [ ] byte ( jsonData ) ) ; err != nil {
c . Fatal ( err )
}
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" ,
"--security-opt" , "apparmor=unconfined" , "--security-opt" , "seccomp=" + tmpFile . Name ( ) ,
"debian:jessie" , "unshare" , "--map-root-user" , "--user" , "sh" , "-c" , "whoami" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2015-12-18 13:01:58 -05:00
}
2015-12-21 17:42:58 -05:00
2015-12-30 14:20:23 -05:00
// TestRunSeccompProfileDenyCloneUserns checks that 'docker run syscall-test'
2015-12-21 17:42:58 -05:00
// with a the default seccomp profile exits with operation not permitted.
func ( s * DockerSuite ) TestRunSeccompProfileDenyCloneUserns ( c * check . C ) {
testRequires ( c , SameHostDaemon , seccompEnabled )
2016-08-31 15:31:06 -04:00
ensureSyscallTest ( c )
2015-12-21 17:42:58 -05:00
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "syscall-test" , "userns-test" , "id" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "clone failed: Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2015-12-21 17:42:58 -05:00
}
2015-12-21 22:32:12 -05:00
// TestRunSeccompUnconfinedCloneUserns checks that
2016-03-15 18:34:29 -04:00
// 'docker run --security-opt seccomp=unconfined syscall-test' allows creating a userns.
2015-12-21 22:32:12 -05:00
func ( s * DockerSuite ) TestRunSeccompUnconfinedCloneUserns ( c * check . C ) {
2016-07-29 09:11:07 -04:00
testRequires ( c , SameHostDaemon , seccompEnabled , UserNamespaceInKernel , NotUserNamespace , unprivilegedUsernsClone )
2016-08-31 15:31:06 -04:00
ensureSyscallTest ( c )
2015-12-21 22:32:12 -05:00
// make sure running w privileged is ok
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--security-opt" , "seccomp=unconfined" ,
"syscall-test" , "userns-test" , "id" ) . Assert ( c , icmd . Expected {
Out : "nobody" ,
} )
2015-12-21 22:32:12 -05:00
}
2015-12-30 14:20:23 -05:00
// TestRunSeccompAllowPrivCloneUserns checks that 'docker run --privileged syscall-test'
2015-12-21 22:32:12 -05:00
// allows creating a userns.
2015-12-21 17:42:58 -05:00
func ( s * DockerSuite ) TestRunSeccompAllowPrivCloneUserns ( c * check . C ) {
2016-03-02 19:58:49 -05:00
testRequires ( c , SameHostDaemon , seccompEnabled , UserNamespaceInKernel , NotUserNamespace )
2016-08-31 15:31:06 -04:00
ensureSyscallTest ( c )
2015-12-21 17:42:58 -05:00
// make sure running w privileged is ok
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--privileged" , "syscall-test" , "userns-test" , "id" ) . Assert ( c , icmd . Expected {
Out : "nobody" ,
} )
2015-12-21 17:42:58 -05:00
}
2016-07-27 13:42:34 -04:00
// TestRunSeccompProfileAllow32Bit checks that 32 bit code can run on x86_64
// with the default seccomp profile.
func ( s * DockerSuite ) TestRunSeccompProfileAllow32Bit ( c * check . C ) {
testRequires ( c , SameHostDaemon , seccompEnabled , IsAmd64 )
2016-08-31 15:31:06 -04:00
ensureSyscallTest ( c )
2016-07-27 13:42:34 -04:00
TestRunSeccompProfileAllow32Bit: fix
Since the update to Debian Stretch, this test fails. The reason is dynamic
binary, which requires i386 ld.so for loading (and apparently it is no longer
installed by default):
> root@09d4b173c3dc:/go/src/github.com/docker/docker# file exit32-test
> exit32-test: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=a0d3d6cb59788453b983f65f8dc6ac52920147b6, stripped
> root@09d4b173c3dc:/go/src/github.com/docker/docker# ls -l /lib/ld-linux.so.2
> ls: cannot access '/lib/ld-linux.so.2': No such file or directory
To fix, just add -static.
Interestingly, ldd can'f figure it out.
> root@a324f8edfcaa:/go/src/github.com/docker/docker# ldd exit32-test
> not a dynamic executable
Other tools (e.g. objdump) also show it's a dynamic binary.
While at it, remove the extra "id" argument (a copy-paste error I
guess).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2017-08-21 10:52:43 -04:00
icmd . RunCommand ( dockerBinary , "run" , "syscall-test" , "exit32-test" ) . Assert ( c , icmd . Success )
2016-07-27 13:42:34 -04:00
}
2016-02-11 19:28:00 -05:00
// TestRunSeccompAllowSetrlimit checks that 'docker run debian:jessie ulimit -v 1048510' succeeds.
func ( s * DockerSuite ) TestRunSeccompAllowSetrlimit ( c * check . C ) {
testRequires ( c , SameHostDaemon , seccompEnabled )
2015-12-21 17:42:58 -05:00
2016-02-11 19:28:00 -05:00
// ulimit uses setrlimit, so we want to make sure we don't break it
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "debian:jessie" , "bash" , "-c" , "ulimit -v 1048510" ) . Assert ( c , icmd . Success )
2015-12-21 17:42:58 -05:00
}
2015-12-30 14:20:23 -05:00
2016-05-27 18:38:29 -04:00
func ( s * DockerSuite ) TestRunSeccompDefaultProfileAcct ( c * check . C ) {
2015-12-30 14:20:23 -05:00
testRequires ( c , SameHostDaemon , seccompEnabled , NotUserNamespace )
2016-08-31 15:31:06 -04:00
ensureSyscallTest ( c )
2015-12-30 14:20:23 -05:00
2016-08-17 13:26:09 -04:00
out , _ , err := dockerCmdWithError ( "run" , "syscall-test" , "acct-test" )
if err == nil || ! strings . Contains ( out , "Operation not permitted" ) {
c . Fatalf ( "test 0: expected Operation not permitted, got: %s" , out )
}
2016-05-06 10:17:41 -04:00
2016-08-17 13:26:09 -04:00
out , _ , err = dockerCmdWithError ( "run" , "--cap-add" , "sys_admin" , "syscall-test" , "acct-test" )
if err == nil || ! strings . Contains ( out , "Operation not permitted" ) {
c . Fatalf ( "test 1: expected Operation not permitted, got: %s" , out )
}
2016-05-06 10:17:41 -04:00
2016-08-17 13:26:09 -04:00
out , _ , err = dockerCmdWithError ( "run" , "--cap-add" , "sys_pacct" , "syscall-test" , "acct-test" )
if err == nil || ! strings . Contains ( out , "No such file or directory" ) {
c . Fatalf ( "test 2: expected No such file or directory, got: %s" , out )
}
2016-05-06 10:17:41 -04:00
2016-08-17 13:26:09 -04:00
out , _ , err = dockerCmdWithError ( "run" , "--cap-add" , "ALL" , "syscall-test" , "acct-test" )
if err == nil || ! strings . Contains ( out , "No such file or directory" ) {
c . Fatalf ( "test 3: expected No such file or directory, got: %s" , out )
}
2016-05-27 18:38:29 -04:00
2016-08-17 13:26:09 -04:00
out , _ , err = dockerCmdWithError ( "run" , "--cap-drop" , "ALL" , "--cap-add" , "sys_pacct" , "syscall-test" , "acct-test" )
if err == nil || ! strings . Contains ( out , "No such file or directory" ) {
c . Fatalf ( "test 4: expected No such file or directory, got: %s" , out )
2016-05-27 18:38:29 -04:00
}
}
func ( s * DockerSuite ) TestRunSeccompDefaultProfileNS ( c * check . C ) {
testRequires ( c , SameHostDaemon , seccompEnabled , NotUserNamespace )
2016-08-31 15:31:06 -04:00
ensureSyscallTest ( c )
2016-05-27 18:38:29 -04:00
2016-08-17 13:26:09 -04:00
out , _ , err := dockerCmdWithError ( "run" , "syscall-test" , "ns-test" , "echo" , "hello0" )
if err == nil || ! strings . Contains ( out , "Operation not permitted" ) {
c . Fatalf ( "test 0: expected Operation not permitted, got: %s" , out )
}
2016-05-06 10:17:41 -04:00
2016-08-17 13:26:09 -04:00
out , _ , err = dockerCmdWithError ( "run" , "--cap-add" , "sys_admin" , "syscall-test" , "ns-test" , "echo" , "hello1" )
if err != nil || ! strings . Contains ( out , "hello1" ) {
c . Fatalf ( "test 1: expected hello1, got: %s, %v" , out , err )
}
2016-05-06 10:17:41 -04:00
2016-08-17 13:26:09 -04:00
out , _ , err = dockerCmdWithError ( "run" , "--cap-drop" , "all" , "--cap-add" , "sys_admin" , "syscall-test" , "ns-test" , "echo" , "hello2" )
if err != nil || ! strings . Contains ( out , "hello2" ) {
c . Fatalf ( "test 2: expected hello2, got: %s, %v" , out , err )
}
2016-01-26 11:05:44 -05:00
2016-08-17 13:26:09 -04:00
out , _ , err = dockerCmdWithError ( "run" , "--cap-add" , "ALL" , "syscall-test" , "ns-test" , "echo" , "hello3" )
if err != nil || ! strings . Contains ( out , "hello3" ) {
c . Fatalf ( "test 3: expected hello3, got: %s, %v" , out , err )
}
2016-01-26 11:05:44 -05:00
2016-08-17 13:26:09 -04:00
out , _ , err = dockerCmdWithError ( "run" , "--cap-add" , "ALL" , "--security-opt" , "seccomp=unconfined" , "syscall-test" , "acct-test" )
if err == nil || ! strings . Contains ( out , "No such file or directory" ) {
c . Fatalf ( "test 4: expected No such file or directory, got: %s" , out )
}
2015-12-30 14:20:23 -05:00
2016-08-17 13:26:09 -04:00
out , _ , err = dockerCmdWithError ( "run" , "--cap-add" , "ALL" , "--security-opt" , "seccomp=unconfined" , "syscall-test" , "ns-test" , "echo" , "hello4" )
if err != nil || ! strings . Contains ( out , "hello4" ) {
c . Fatalf ( "test 5: expected hello4, got: %s, %v" , out , err )
2015-12-30 14:20:23 -05:00
}
}
2016-01-04 19:23:36 -05:00
2017-01-08 20:22:05 -05:00
// TestRunNoNewPrivSetuid checks that --security-opt='no-new-privileges=true' prevents
2016-02-22 00:31:21 -05:00
// effective uid transtions on executing setuid binaries.
func ( s * DockerSuite ) TestRunNoNewPrivSetuid ( c * check . C ) {
testRequires ( c , DaemonIsLinux , NotUserNamespace , SameHostDaemon )
2016-08-31 15:31:06 -04:00
ensureNNPTest ( c )
2016-02-22 00:31:21 -05:00
2017-01-08 20:22:05 -05:00
// test that running a setuid binary results in no effective uid transition
icmd . RunCommand ( dockerBinary , "run" , "--security-opt" , "no-new-privileges=true" , "--user" , "1000" ,
"nnp-test" , "/usr/bin/nnp-test" ) . Assert ( c , icmd . Expected {
Out : "EUID=1000" ,
} )
}
// TestLegacyRunNoNewPrivSetuid checks that --security-opt=no-new-privileges prevents
// effective uid transtions on executing setuid binaries.
func ( s * DockerSuite ) TestLegacyRunNoNewPrivSetuid ( c * check . C ) {
testRequires ( c , DaemonIsLinux , NotUserNamespace , SameHostDaemon )
ensureNNPTest ( c )
2016-02-22 00:31:21 -05:00
// test that running a setuid binary results in no effective uid transition
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--security-opt" , "no-new-privileges" , "--user" , "1000" ,
"nnp-test" , "/usr/bin/nnp-test" ) . Assert ( c , icmd . Expected {
Out : "EUID=1000" ,
} )
2016-02-22 00:31:21 -05:00
}
2016-10-21 08:34:37 -04:00
func ( s * DockerSuite ) TestUserNoEffectiveCapabilitiesChown ( c * check . C ) {
testRequires ( c , DaemonIsLinux )
ensureSyscallTest ( c )
// test that a root user has default capability CAP_CHOWN
2017-01-05 13:08:24 -05:00
dockerCmd ( c , "run" , "busybox" , "chown" , "100" , "/tmp" )
2016-10-21 08:34:37 -04:00
// test that non root user does not have default capability CAP_CHOWN
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--user" , "1000:1000" , "busybox" , "chown" , "100" , "/tmp" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2016-10-21 08:34:37 -04:00
// test that root user can drop default capability CAP_CHOWN
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--cap-drop" , "chown" , "busybox" , "chown" , "100" , "/tmp" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2016-10-21 08:34:37 -04:00
}
func ( s * DockerSuite ) TestUserNoEffectiveCapabilitiesDacOverride ( c * check . C ) {
testRequires ( c , DaemonIsLinux )
ensureSyscallTest ( c )
// test that a root user has default capability CAP_DAC_OVERRIDE
2017-01-05 13:08:24 -05:00
dockerCmd ( c , "run" , "busybox" , "sh" , "-c" , "echo test > /etc/passwd" )
2016-10-21 08:34:37 -04:00
// test that non root user does not have default capability CAP_DAC_OVERRIDE
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--user" , "1000:1000" , "busybox" , "sh" , "-c" , "echo test > /etc/passwd" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Permission denied" ,
2017-01-05 06:38:34 -05:00
} )
2016-10-21 08:34:37 -04:00
}
func ( s * DockerSuite ) TestUserNoEffectiveCapabilitiesFowner ( c * check . C ) {
testRequires ( c , DaemonIsLinux )
ensureSyscallTest ( c )
2016-09-28 08:46:11 -04:00
2016-10-21 08:34:37 -04:00
// test that a root user has default capability CAP_FOWNER
2017-01-05 13:08:24 -05:00
dockerCmd ( c , "run" , "busybox" , "chmod" , "777" , "/etc/passwd" )
2016-10-21 08:34:37 -04:00
// test that non root user does not have default capability CAP_FOWNER
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--user" , "1000:1000" , "busybox" , "chmod" , "777" , "/etc/passwd" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2016-10-21 08:34:37 -04:00
// TODO test that root user can drop default capability CAP_FOWNER
}
// TODO CAP_KILL
func ( s * DockerSuite ) TestUserNoEffectiveCapabilitiesSetuid ( c * check . C ) {
testRequires ( c , DaemonIsLinux )
ensureSyscallTest ( c )
// test that a root user has default capability CAP_SETUID
2017-01-05 13:08:24 -05:00
dockerCmd ( c , "run" , "syscall-test" , "setuid-test" )
2016-10-21 08:34:37 -04:00
// test that non root user does not have default capability CAP_SETUID
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--user" , "1000:1000" , "syscall-test" , "setuid-test" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2016-10-21 08:34:37 -04:00
// test that root user can drop default capability CAP_SETUID
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--cap-drop" , "setuid" , "syscall-test" , "setuid-test" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2016-09-28 08:46:11 -04:00
}
2016-10-21 08:34:37 -04:00
func ( s * DockerSuite ) TestUserNoEffectiveCapabilitiesSetgid ( c * check . C ) {
testRequires ( c , DaemonIsLinux )
ensureSyscallTest ( c )
// test that a root user has default capability CAP_SETGID
2017-01-05 13:08:24 -05:00
dockerCmd ( c , "run" , "syscall-test" , "setgid-test" )
2016-10-21 08:34:37 -04:00
// test that non root user does not have default capability CAP_SETGID
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--user" , "1000:1000" , "syscall-test" , "setgid-test" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2016-10-21 08:34:37 -04:00
// test that root user can drop default capability CAP_SETGID
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--cap-drop" , "setgid" , "syscall-test" , "setgid-test" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2016-10-21 08:34:37 -04:00
}
// TODO CAP_SETPCAP
func ( s * DockerSuite ) TestUserNoEffectiveCapabilitiesNetBindService ( c * check . C ) {
testRequires ( c , DaemonIsLinux )
ensureSyscallTest ( c )
// test that a root user has default capability CAP_NET_BIND_SERVICE
2017-01-05 13:08:24 -05:00
dockerCmd ( c , "run" , "syscall-test" , "socket-test" )
2016-10-21 08:34:37 -04:00
// test that non root user does not have default capability CAP_NET_BIND_SERVICE
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--user" , "1000:1000" , "syscall-test" , "socket-test" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Permission denied" ,
2017-01-05 06:38:34 -05:00
} )
2016-10-21 08:34:37 -04:00
// test that root user can drop default capability CAP_NET_BIND_SERVICE
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--cap-drop" , "net_bind_service" , "syscall-test" , "socket-test" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Permission denied" ,
2017-01-05 06:38:34 -05:00
} )
2016-10-21 08:34:37 -04:00
}
func ( s * DockerSuite ) TestUserNoEffectiveCapabilitiesNetRaw ( c * check . C ) {
testRequires ( c , DaemonIsLinux )
ensureSyscallTest ( c )
// test that a root user has default capability CAP_NET_RAW
2017-01-05 13:08:24 -05:00
dockerCmd ( c , "run" , "syscall-test" , "raw-test" )
2016-10-21 08:34:37 -04:00
// test that non root user does not have default capability CAP_NET_RAW
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--user" , "1000:1000" , "syscall-test" , "raw-test" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2016-10-21 08:34:37 -04:00
// test that root user can drop default capability CAP_NET_RAW
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--cap-drop" , "net_raw" , "syscall-test" , "raw-test" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2016-10-21 08:34:37 -04:00
}
func ( s * DockerSuite ) TestUserNoEffectiveCapabilitiesChroot ( c * check . C ) {
testRequires ( c , DaemonIsLinux )
ensureSyscallTest ( c )
// test that a root user has default capability CAP_SYS_CHROOT
2017-01-05 13:08:24 -05:00
dockerCmd ( c , "run" , "busybox" , "chroot" , "/" , "/bin/true" )
2016-10-21 08:34:37 -04:00
// test that non root user does not have default capability CAP_SYS_CHROOT
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--user" , "1000:1000" , "busybox" , "chroot" , "/" , "/bin/true" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2016-10-21 08:34:37 -04:00
// test that root user can drop default capability CAP_SYS_CHROOT
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--cap-drop" , "sys_chroot" , "busybox" , "chroot" , "/" , "/bin/true" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2016-10-21 08:34:37 -04:00
}
func ( s * DockerSuite ) TestUserNoEffectiveCapabilitiesMknod ( c * check . C ) {
2016-11-23 08:03:53 -05:00
testRequires ( c , DaemonIsLinux , NotUserNamespace )
2016-10-21 08:34:37 -04:00
ensureSyscallTest ( c )
// test that a root user has default capability CAP_MKNOD
2017-01-05 13:08:24 -05:00
dockerCmd ( c , "run" , "busybox" , "mknod" , "/tmp/node" , "b" , "1" , "2" )
2016-10-21 08:34:37 -04:00
// test that non root user does not have default capability CAP_MKNOD
2017-01-05 06:38:34 -05:00
// test that root user can drop default capability CAP_SYS_CHROOT
icmd . RunCommand ( dockerBinary , "run" , "--user" , "1000:1000" , "busybox" , "mknod" , "/tmp/node" , "b" , "1" , "2" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2016-10-21 08:34:37 -04:00
// test that root user can drop default capability CAP_MKNOD
2017-01-05 06:38:34 -05:00
icmd . RunCommand ( dockerBinary , "run" , "--cap-drop" , "mknod" , "busybox" , "mknod" , "/tmp/node" , "b" , "1" , "2" ) . Assert ( c , icmd . Expected {
ExitCode : 1 ,
2017-01-05 13:08:24 -05:00
Err : "Operation not permitted" ,
2017-01-05 06:38:34 -05:00
} )
2016-10-21 08:34:37 -04:00
}
// TODO CAP_AUDIT_WRITE
// TODO CAP_SETFCAP
2016-01-04 19:23:36 -05:00
func ( s * DockerSuite ) TestRunApparmorProcDirectory ( c * check . C ) {
testRequires ( c , SameHostDaemon , Apparmor )
// running w seccomp unconfined tests the apparmor profile
2017-01-05 06:38:34 -05:00
result := icmd . RunCommand ( dockerBinary , "run" , "--security-opt" , "seccomp=unconfined" , "busybox" , "chmod" , "777" , "/proc/1/cgroup" )
result . Assert ( c , icmd . Expected { ExitCode : 1 } )
if ! ( strings . Contains ( result . Combined ( ) , "Permission denied" ) || strings . Contains ( result . Combined ( ) , "Operation not permitted" ) ) {
2017-01-05 13:08:24 -05:00
c . Fatalf ( "expected chmod 777 /proc/1/cgroup to fail, got %s: %v" , result . Combined ( ) , result . Error )
2016-01-04 19:23:36 -05:00
}
2017-01-05 06:38:34 -05:00
result = icmd . RunCommand ( dockerBinary , "run" , "--security-opt" , "seccomp=unconfined" , "busybox" , "chmod" , "777" , "/proc/1/attr/current" )
result . Assert ( c , icmd . Expected { ExitCode : 1 } )
if ! ( strings . Contains ( result . Combined ( ) , "Permission denied" ) || strings . Contains ( result . Combined ( ) , "Operation not permitted" ) ) {
2017-01-05 13:08:24 -05:00
c . Fatalf ( "expected chmod 777 /proc/1/attr/current to fail, got %s: %v" , result . Combined ( ) , result . Error )
2016-01-04 19:23:36 -05:00
}
}
2016-02-19 03:22:36 -05:00
// make sure the default profile can be successfully parsed (using unshare as it is
// something which we know is blocked in the default profile)
func ( s * DockerSuite ) TestRunSeccompWithDefaultProfile ( c * check . C ) {
2016-07-13 09:41:30 -04:00
testRequires ( c , SameHostDaemon , seccompEnabled )
2016-02-19 03:22:36 -05:00
2016-03-15 18:34:29 -04:00
out , _ , err := dockerCmdWithError ( "run" , "--security-opt" , "seccomp=../profiles/seccomp/default.json" , "debian:jessie" , "unshare" , "--map-root-user" , "--user" , "sh" , "-c" , "whoami" )
2016-02-19 03:22:36 -05:00
c . Assert ( err , checker . NotNil , check . Commentf ( out ) )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "unshare: unshare failed: Operation not permitted" )
}
2016-02-24 20:50:39 -05:00
2016-04-23 11:00:57 -04:00
// TestRunDeviceSymlink checks run with device that follows symlink (#13840 and #22271)
2016-02-24 20:50:39 -05:00
func ( s * DockerSuite ) TestRunDeviceSymlink ( c * check . C ) {
testRequires ( c , DaemonIsLinux , NotUserNamespace , NotArm , SameHostDaemon )
if _ , err := os . Stat ( "/dev/zero" ) ; err != nil {
c . Skip ( "Host does not have /dev/zero" )
}
// Create a temporary directory to create symlink
tmpDir , err := ioutil . TempDir ( "" , "docker_device_follow_symlink_tests" )
c . Assert ( err , checker . IsNil )
defer os . RemoveAll ( tmpDir )
// Create a symbolic link to /dev/zero
symZero := filepath . Join ( tmpDir , "zero" )
err = os . Symlink ( "/dev/zero" , symZero )
c . Assert ( err , checker . IsNil )
// Create a temporary file "temp" inside tmpDir, write some data to "tmpDir/temp",
// then create a symlink "tmpDir/file" to the temporary file "tmpDir/temp".
tmpFile := filepath . Join ( tmpDir , "temp" )
err = ioutil . WriteFile ( tmpFile , [ ] byte ( "temp" ) , 0666 )
c . Assert ( err , checker . IsNil )
symFile := filepath . Join ( tmpDir , "file" )
err = os . Symlink ( tmpFile , symFile )
c . Assert ( err , checker . IsNil )
2016-04-23 11:00:57 -04:00
// Create a symbolic link to /dev/zero, this time with a relative path (#22271)
err = os . Symlink ( "zero" , "/dev/symzero" )
if err != nil {
c . Fatal ( "/dev/symzero creation failed" )
}
// We need to remove this symbolic link here as it is created in /dev/, not temporary directory as above
defer os . Remove ( "/dev/symzero" )
2016-02-24 20:50:39 -05:00
// md5sum of 'dd if=/dev/zero bs=4K count=8' is bb7df04e1b0a2570657527a7e108ae23
out , _ := dockerCmd ( c , "run" , "--device" , symZero + ":/dev/symzero" , "busybox" , "sh" , "-c" , "dd if=/dev/symzero bs=4K count=8 | md5sum" )
c . Assert ( strings . Trim ( out , "\r\n" ) , checker . Contains , "bb7df04e1b0a2570657527a7e108ae23" , check . Commentf ( "expected output bb7df04e1b0a2570657527a7e108ae23" ) )
// symlink "tmpDir/file" to a file "tmpDir/temp" will result in an error as it is not a device.
out , _ , err = dockerCmdWithError ( "run" , "--device" , symFile + ":/dev/symzero" , "busybox" , "sh" , "-c" , "dd if=/dev/symzero bs=4K count=8 | md5sum" )
c . Assert ( err , check . NotNil )
c . Assert ( strings . Trim ( out , "\r\n" ) , checker . Contains , "not a device node" , check . Commentf ( "expected output 'not a device node'" ) )
2016-04-23 11:00:57 -04:00
// md5sum of 'dd if=/dev/zero bs=4K count=8' is bb7df04e1b0a2570657527a7e108ae23 (this time check with relative path backed, see #22271)
out , _ = dockerCmd ( c , "run" , "--device" , "/dev/symzero:/dev/symzero" , "busybox" , "sh" , "-c" , "dd if=/dev/symzero bs=4K count=8 | md5sum" )
c . Assert ( strings . Trim ( out , "\r\n" ) , checker . Contains , "bb7df04e1b0a2570657527a7e108ae23" , check . Commentf ( "expected output bb7df04e1b0a2570657527a7e108ae23" ) )
2016-02-24 20:50:39 -05:00
}
2015-12-15 14:15:43 -05:00
[nit] integration-cli: obey Go's naming convention
No substantial code change.
- Api --> API
- Cli --> CLI
- Http, Https --> HTTP, HTTPS
- Id --> ID
- Uid,Gid,Pid --> UID,PID,PID
- Ipam --> IPAM
- Tls --> TLS (TestDaemonNoTlsCliTlsVerifyWithEnv --> TestDaemonTLSVerifyIssue13964)
Didn't touch in this commit:
- Git: because it is officially "Git": https://git-scm.com/
- Tar: because it is officially "Tar": https://www.gnu.org/software/tar/
- Cpu, Nat, Mac, Ipc, Shm: for keeping a consistency with existing production code (not changable, for compatibility)
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2016-09-27 21:50:12 -04:00
// TestRunPIDsLimit makes sure the pids cgroup is set with --pids-limit
func ( s * DockerSuite ) TestRunPIDsLimit ( c * check . C ) {
2017-09-11 10:23:59 -04:00
testRequires ( c , SameHostDaemon , pidsLimit )
2015-12-15 14:15:43 -05:00
file := "/sys/fs/cgroup/pids/pids.max"
2016-06-27 17:38:47 -04:00
out , _ := dockerCmd ( c , "run" , "--name" , "skittles" , "--pids-limit" , "4" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "4" )
2015-12-15 14:15:43 -05:00
out = inspectField ( c , "skittles" , "HostConfig.PidsLimit" )
2016-06-27 17:38:47 -04:00
c . Assert ( out , checker . Equals , "4" , check . Commentf ( "setting the pids limit failed" ) )
2015-12-15 14:15:43 -05:00
}
2016-03-24 15:01:12 -04:00
func ( s * DockerSuite ) TestRunPrivilegedAllowedDevices ( c * check . C ) {
2016-03-25 12:31:36 -04:00
testRequires ( c , DaemonIsLinux , NotUserNamespace )
2016-03-24 15:01:12 -04:00
file := "/sys/fs/cgroup/devices/devices.list"
out , _ := dockerCmd ( c , "run" , "--privileged" , "busybox" , "cat" , file )
c . Logf ( "out: %q" , out )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "a *:* rwm" )
}
func ( s * DockerSuite ) TestRunUserDeviceAllowed ( c * check . C ) {
testRequires ( c , DaemonIsLinux )
fi , err := os . Stat ( "/dev/snd/timer" )
if err != nil {
c . Skip ( "Host does not have /dev/snd/timer" )
}
stat , ok := fi . Sys ( ) . ( * syscall . Stat_t )
if ! ok {
c . Skip ( "Could not stat /dev/snd/timer" )
}
file := "/sys/fs/cgroup/devices/devices.list"
out , _ := dockerCmd ( c , "run" , "--device" , "/dev/snd/timer:w" , "busybox" , "cat" , file )
c . Assert ( out , checker . Contains , fmt . Sprintf ( "c %d:%d w" , stat . Rdev / 256 , stat . Rdev % 256 ) )
}
2016-07-13 09:41:30 -04:00
func ( s * DockerDaemonSuite ) TestRunSeccompJSONNewFormat ( c * check . C ) {
testRequires ( c , SameHostDaemon , seccompEnabled )
2016-12-09 17:20:14 -05:00
s . d . StartWithBusybox ( c )
2016-07-13 09:41:30 -04:00
jsonData := ` {
"defaultAction" : "SCMP_ACT_ALLOW" ,
"syscalls" : [
{
"names" : [ "chmod" , "fchmod" , "fchmodat" ] ,
"action" : "SCMP_ACT_ERRNO"
}
]
} `
tmpFile , err := ioutil . TempFile ( "" , "profile.json" )
c . Assert ( err , check . IsNil )
defer tmpFile . Close ( )
_ , err = tmpFile . Write ( [ ] byte ( jsonData ) )
c . Assert ( err , check . IsNil )
out , err := s . d . Cmd ( "run" , "--security-opt" , "seccomp=" + tmpFile . Name ( ) , "busybox" , "chmod" , "777" , "." )
c . Assert ( err , check . NotNil )
c . Assert ( out , checker . Contains , "Operation not permitted" )
}
func ( s * DockerDaemonSuite ) TestRunSeccompJSONNoNameAndNames ( c * check . C ) {
testRequires ( c , SameHostDaemon , seccompEnabled )
2016-12-09 17:20:14 -05:00
s . d . StartWithBusybox ( c )
2016-07-13 09:41:30 -04:00
jsonData := ` {
"defaultAction" : "SCMP_ACT_ALLOW" ,
"syscalls" : [
{
"name" : "chmod" ,
"names" : [ "fchmod" , "fchmodat" ] ,
"action" : "SCMP_ACT_ERRNO"
}
]
} `
tmpFile , err := ioutil . TempFile ( "" , "profile.json" )
c . Assert ( err , check . IsNil )
defer tmpFile . Close ( )
_ , err = tmpFile . Write ( [ ] byte ( jsonData ) )
c . Assert ( err , check . IsNil )
out , err := s . d . Cmd ( "run" , "--security-opt" , "seccomp=" + tmpFile . Name ( ) , "busybox" , "chmod" , "777" , "." )
c . Assert ( err , check . NotNil )
c . Assert ( out , checker . Contains , "'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'" )
}
func ( s * DockerDaemonSuite ) TestRunSeccompJSONNoArchAndArchMap ( c * check . C ) {
testRequires ( c , SameHostDaemon , seccompEnabled )
2016-12-09 17:20:14 -05:00
s . d . StartWithBusybox ( c )
2016-07-13 09:41:30 -04:00
jsonData := ` {
"archMap" : [
{
"architecture" : "SCMP_ARCH_X86_64" ,
"subArchitectures" : [
"SCMP_ARCH_X86" ,
"SCMP_ARCH_X32"
]
}
] ,
"architectures" : [
"SCMP_ARCH_X32"
] ,
"defaultAction" : "SCMP_ACT_ALLOW" ,
"syscalls" : [
{
"names" : [ "chmod" , "fchmod" , "fchmodat" ] ,
"action" : "SCMP_ACT_ERRNO"
}
]
} `
tmpFile , err := ioutil . TempFile ( "" , "profile.json" )
c . Assert ( err , check . IsNil )
defer tmpFile . Close ( )
_ , err = tmpFile . Write ( [ ] byte ( jsonData ) )
c . Assert ( err , check . IsNil )
out , err := s . d . Cmd ( "run" , "--security-opt" , "seccomp=" + tmpFile . Name ( ) , "busybox" , "chmod" , "777" , "." )
c . Assert ( err , check . NotNil )
c . Assert ( out , checker . Contains , "'architectures' and 'archMap' were specified in the seccomp profile, use either 'architectures' or 'archMap'" )
}
2016-09-02 09:20:54 -04:00
func ( s * DockerDaemonSuite ) TestRunWithDaemonDefaultSeccompProfile ( c * check . C ) {
testRequires ( c , SameHostDaemon , seccompEnabled )
2016-12-09 17:20:14 -05:00
s . d . StartWithBusybox ( c )
2016-09-02 09:20:54 -04:00
// 1) verify I can run containers with the Docker default shipped profile which allows chmod
2016-12-09 17:20:14 -05:00
_ , err := s . d . Cmd ( "run" , "busybox" , "chmod" , "777" , "." )
2016-09-02 09:20:54 -04:00
c . Assert ( err , check . IsNil )
jsonData := ` {
"defaultAction" : "SCMP_ACT_ALLOW" ,
"syscalls" : [
{
"name" : "chmod" ,
"action" : "SCMP_ACT_ERRNO"
}
]
} `
tmpFile , err := ioutil . TempFile ( "" , "profile.json" )
c . Assert ( err , check . IsNil )
defer tmpFile . Close ( )
_ , err = tmpFile . Write ( [ ] byte ( jsonData ) )
c . Assert ( err , check . IsNil )
// 2) restart the daemon and add a custom seccomp profile in which we deny chmod
2016-12-09 17:20:14 -05:00
s . d . Restart ( c , "--seccomp-profile=" + tmpFile . Name ( ) )
2016-09-02 09:20:54 -04:00
out , err := s . d . Cmd ( "run" , "busybox" , "chmod" , "777" , "." )
c . Assert ( err , check . NotNil )
c . Assert ( out , checker . Contains , "Operation not permitted" )
}
2016-11-01 13:12:29 -04:00
func ( s * DockerSuite ) TestRunWithNanoCPUs ( c * check . C ) {
testRequires ( c , cpuCfsQuota , cpuCfsPeriod )
file1 := "/sys/fs/cgroup/cpu/cpu.cfs_quota_us"
file2 := "/sys/fs/cgroup/cpu/cpu.cfs_period_us"
out , _ := dockerCmd ( c , "run" , "--cpus" , "0.5" , "--name" , "test" , "busybox" , "sh" , "-c" , fmt . Sprintf ( "cat %s && cat %s" , file1 , file2 ) )
2016-11-17 19:39:47 -05:00
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "50000\n100000" )
2016-11-01 13:12:29 -04:00
2017-09-01 15:14:59 -04:00
clt , err := client . NewEnvClient ( )
c . Assert ( err , checker . IsNil )
inspect , err := clt . ContainerInspect ( context . Background ( ) , "test" )
c . Assert ( err , checker . IsNil )
c . Assert ( inspect . HostConfig . NanoCPUs , checker . Equals , int64 ( 500000000 ) )
2016-11-01 13:12:29 -04:00
out = inspectField ( c , "test" , "HostConfig.CpuQuota" )
c . Assert ( out , checker . Equals , "0" , check . Commentf ( "CPU CFS quota should be 0" ) )
out = inspectField ( c , "test" , "HostConfig.CpuPeriod" )
c . Assert ( out , checker . Equals , "0" , check . Commentf ( "CPU CFS period should be 0" ) )
2017-09-01 15:14:59 -04:00
out , _ , err = dockerCmdWithError ( "run" , "--cpus" , "0.5" , "--cpu-quota" , "50000" , "--cpu-period" , "100000" , "busybox" , "sh" )
2016-11-01 13:12:29 -04:00
c . Assert ( err , check . NotNil )
c . Assert ( out , checker . Contains , "Conflicting options: Nano CPUs and CPU Period cannot both be set" )
}