2018-02-05 16:05:59 -05:00
|
|
|
package daemon // import "github.com/docker/docker/daemon"
|
2017-11-10 18:43:57 -05:00
|
|
|
|
|
|
|
import (
|
2018-11-30 01:31:44 -05:00
|
|
|
"io/ioutil"
|
2018-05-10 15:01:50 -04:00
|
|
|
"os"
|
2018-11-30 01:31:44 -05:00
|
|
|
"path/filepath"
|
2017-11-10 18:43:57 -05:00
|
|
|
"testing"
|
|
|
|
|
|
|
|
containertypes "github.com/docker/docker/api/types/container"
|
|
|
|
"github.com/docker/docker/container"
|
|
|
|
"github.com/docker/docker/daemon/config"
|
2018-11-30 01:31:44 -05:00
|
|
|
"github.com/docker/docker/daemon/network"
|
|
|
|
"github.com/docker/docker/pkg/containerfs"
|
2017-11-10 18:43:57 -05:00
|
|
|
"github.com/docker/docker/pkg/idtools"
|
2018-11-30 01:31:44 -05:00
|
|
|
"github.com/docker/libnetwork"
|
2020-02-07 08:39:24 -05:00
|
|
|
"gotest.tools/v3/assert"
|
|
|
|
is "gotest.tools/v3/assert/cmp"
|
2020-11-26 04:18:50 -05:00
|
|
|
"gotest.tools/v3/skip"
|
2017-11-10 18:43:57 -05:00
|
|
|
)
|
|
|
|
|
2018-11-30 01:31:44 -05:00
|
|
|
func setupFakeDaemon(t *testing.T, c *container.Container) *Daemon {
|
|
|
|
root, err := ioutil.TempDir("", "oci_linux_test-root")
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
|
|
rootfs := filepath.Join(root, "rootfs")
|
|
|
|
err = os.MkdirAll(rootfs, 0755)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
|
|
netController, err := libnetwork.New()
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
|
|
d := &Daemon{
|
|
|
|
// some empty structs to avoid getting a panic
|
|
|
|
// caused by a null pointer dereference
|
|
|
|
idMapping: &idtools.IdentityMapping{},
|
|
|
|
configStore: &config.Config{},
|
|
|
|
linkIndex: newLinkIndex(),
|
|
|
|
netController: netController,
|
|
|
|
}
|
|
|
|
|
|
|
|
c.Root = root
|
|
|
|
c.BaseFS = containerfs.NewLocalContainerFS(rootfs)
|
|
|
|
|
|
|
|
if c.Config == nil {
|
|
|
|
c.Config = new(containertypes.Config)
|
|
|
|
}
|
|
|
|
if c.HostConfig == nil {
|
|
|
|
c.HostConfig = new(containertypes.HostConfig)
|
|
|
|
}
|
|
|
|
if c.NetworkSettings == nil {
|
|
|
|
c.NetworkSettings = &network.Settings{Networks: make(map[string]*network.EndpointSettings)}
|
|
|
|
}
|
|
|
|
|
|
|
|
return d
|
|
|
|
}
|
|
|
|
|
|
|
|
func cleanupFakeContainer(c *container.Container) {
|
2019-08-09 06:30:18 -04:00
|
|
|
_ = os.RemoveAll(c.Root)
|
2018-11-30 01:31:44 -05:00
|
|
|
}
|
|
|
|
|
2017-11-10 18:43:57 -05:00
|
|
|
// TestTmpfsDevShmNoDupMount checks that a user-specified /dev/shm tmpfs
|
|
|
|
// mount (as in "docker run --tmpfs /dev/shm:rw,size=NNN") does not result
|
|
|
|
// in "Duplicate mount point" error from the engine.
|
|
|
|
// https://github.com/moby/moby/issues/35455
|
|
|
|
func TestTmpfsDevShmNoDupMount(t *testing.T) {
|
2020-11-26 04:18:50 -05:00
|
|
|
skip.If(t, os.Getuid() != 0, "skipping test that requires root")
|
2017-11-10 18:43:57 -05:00
|
|
|
c := &container.Container{
|
|
|
|
ShmPath: "foobar", // non-empty, for c.IpcMounts() to work
|
|
|
|
HostConfig: &containertypes.HostConfig{
|
|
|
|
IpcMode: containertypes.IpcMode("shareable"), // default mode
|
|
|
|
// --tmpfs /dev/shm:rw,exec,size=NNN
|
|
|
|
Tmpfs: map[string]string{
|
|
|
|
"/dev/shm": "rw,exec,size=1g",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
2018-11-30 01:31:44 -05:00
|
|
|
d := setupFakeDaemon(t, c)
|
|
|
|
defer cleanupFakeContainer(c)
|
2017-11-10 18:43:57 -05:00
|
|
|
|
2018-11-30 01:31:44 -05:00
|
|
|
_, err := d.createSpec(c)
|
2018-03-13 15:28:34 -04:00
|
|
|
assert.Check(t, err)
|
2017-11-10 18:43:57 -05:00
|
|
|
}
|
2018-03-08 15:24:39 -05:00
|
|
|
|
|
|
|
// TestIpcPrivateVsReadonly checks that in case of IpcMode: private
|
|
|
|
// and ReadonlyRootfs: true (as in "docker run --ipc private --read-only")
|
|
|
|
// the resulting /dev/shm mount is NOT made read-only.
|
|
|
|
// https://github.com/moby/moby/issues/36503
|
|
|
|
func TestIpcPrivateVsReadonly(t *testing.T) {
|
2020-11-26 04:18:50 -05:00
|
|
|
skip.If(t, os.Getuid() != 0, "skipping test that requires root")
|
2018-03-08 15:24:39 -05:00
|
|
|
c := &container.Container{
|
|
|
|
HostConfig: &containertypes.HostConfig{
|
|
|
|
IpcMode: containertypes.IpcMode("private"),
|
|
|
|
ReadonlyRootfs: true,
|
|
|
|
},
|
|
|
|
}
|
2018-11-30 01:31:44 -05:00
|
|
|
d := setupFakeDaemon(t, c)
|
|
|
|
defer cleanupFakeContainer(c)
|
2018-03-08 15:24:39 -05:00
|
|
|
|
2018-11-30 01:31:44 -05:00
|
|
|
s, err := d.createSpec(c)
|
2018-03-13 15:28:34 -04:00
|
|
|
assert.Check(t, err)
|
2018-03-08 15:24:39 -05:00
|
|
|
|
|
|
|
// Find the /dev/shm mount in ms, check it does not have ro
|
|
|
|
for _, m := range s.Mounts {
|
|
|
|
if m.Destination != "/dev/shm" {
|
|
|
|
continue
|
|
|
|
}
|
2018-03-13 15:28:34 -04:00
|
|
|
assert.Check(t, is.Equal(false, inSlice(m.Options, "ro")))
|
2018-03-08 15:24:39 -05:00
|
|
|
}
|
|
|
|
}
|
2018-05-10 15:01:50 -04:00
|
|
|
|
2018-11-30 01:31:44 -05:00
|
|
|
// TestSysctlOverride ensures that any implicit sysctls (such as
|
|
|
|
// Config.Domainname) are overridden by an explicit sysctl in the HostConfig.
|
|
|
|
func TestSysctlOverride(t *testing.T) {
|
2020-11-26 04:18:50 -05:00
|
|
|
skip.If(t, os.Getuid() != 0, "skipping test that requires root")
|
2018-11-30 01:31:44 -05:00
|
|
|
c := &container.Container{
|
|
|
|
Config: &containertypes.Config{
|
|
|
|
Hostname: "foobar",
|
|
|
|
Domainname: "baz.cyphar.com",
|
|
|
|
},
|
|
|
|
HostConfig: &containertypes.HostConfig{
|
2020-05-26 10:58:24 -04:00
|
|
|
NetworkMode: "bridge",
|
|
|
|
Sysctls: map[string]string{},
|
2018-11-30 01:31:44 -05:00
|
|
|
},
|
|
|
|
}
|
|
|
|
d := setupFakeDaemon(t, c)
|
|
|
|
defer cleanupFakeContainer(c)
|
|
|
|
|
|
|
|
// Ensure that the implicit sysctl is set correctly.
|
|
|
|
s, err := d.createSpec(c)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
assert.Equal(t, s.Hostname, "foobar")
|
|
|
|
assert.Equal(t, s.Linux.Sysctl["kernel.domainname"], c.Config.Domainname)
|
2020-05-26 10:58:24 -04:00
|
|
|
if sysctlExists("net.ipv4.ip_unprivileged_port_start") {
|
|
|
|
assert.Equal(t, s.Linux.Sysctl["net.ipv4.ip_unprivileged_port_start"], "0")
|
|
|
|
}
|
|
|
|
if sysctlExists("net.ipv4.ping_group_range") {
|
|
|
|
assert.Equal(t, s.Linux.Sysctl["net.ipv4.ping_group_range"], "0 2147483647")
|
|
|
|
}
|
2018-11-30 01:31:44 -05:00
|
|
|
|
|
|
|
// Set an explicit sysctl.
|
|
|
|
c.HostConfig.Sysctls["kernel.domainname"] = "foobar.net"
|
|
|
|
assert.Assert(t, c.HostConfig.Sysctls["kernel.domainname"] != c.Config.Domainname)
|
2020-05-26 10:58:24 -04:00
|
|
|
c.HostConfig.Sysctls["net.ipv4.ip_unprivileged_port_start"] = "1024"
|
2018-11-30 01:31:44 -05:00
|
|
|
|
|
|
|
s, err = d.createSpec(c)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
assert.Equal(t, s.Hostname, "foobar")
|
|
|
|
assert.Equal(t, s.Linux.Sysctl["kernel.domainname"], c.HostConfig.Sysctls["kernel.domainname"])
|
2020-05-26 10:58:24 -04:00
|
|
|
assert.Equal(t, s.Linux.Sysctl["net.ipv4.ip_unprivileged_port_start"], c.HostConfig.Sysctls["net.ipv4.ip_unprivileged_port_start"])
|
2021-08-11 14:43:30 -04:00
|
|
|
|
|
|
|
// Ensure the ping_group_range is not set on a daemon with user-namespaces enabled
|
|
|
|
d.configStore.RemappedRoot = "dummy:dummy"
|
|
|
|
s, err = d.createSpec(c)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
_, ok := s.Linux.Sysctl["net.ipv4.ping_group_range"]
|
|
|
|
assert.Assert(t, !ok)
|
|
|
|
|
|
|
|
// Ensure the ping_group_range is set on a container in "host" userns mode
|
|
|
|
// on a daemon with user-namespaces enabled
|
|
|
|
c.HostConfig.UsernsMode = "host"
|
|
|
|
s, err = d.createSpec(c)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
assert.Equal(t, s.Linux.Sysctl["net.ipv4.ping_group_range"], "0 2147483647")
|
2020-05-26 10:58:24 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// TestSysctlOverrideHost ensures that any implicit network sysctls are not set
|
|
|
|
// with host networking
|
|
|
|
func TestSysctlOverrideHost(t *testing.T) {
|
2020-11-26 04:18:50 -05:00
|
|
|
skip.If(t, os.Getuid() != 0, "skipping test that requires root")
|
2020-05-26 10:58:24 -04:00
|
|
|
c := &container.Container{
|
|
|
|
Config: &containertypes.Config{},
|
|
|
|
HostConfig: &containertypes.HostConfig{
|
|
|
|
NetworkMode: "host",
|
|
|
|
Sysctls: map[string]string{},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
d := setupFakeDaemon(t, c)
|
|
|
|
defer cleanupFakeContainer(c)
|
|
|
|
|
|
|
|
// Ensure that the implicit sysctl is not set
|
|
|
|
s, err := d.createSpec(c)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
assert.Equal(t, s.Linux.Sysctl["net.ipv4.ip_unprivileged_port_start"], "")
|
|
|
|
assert.Equal(t, s.Linux.Sysctl["net.ipv4.ping_group_range"], "")
|
|
|
|
|
|
|
|
// Set an explicit sysctl.
|
|
|
|
c.HostConfig.Sysctls["net.ipv4.ip_unprivileged_port_start"] = "1024"
|
|
|
|
|
|
|
|
s, err = d.createSpec(c)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
assert.Equal(t, s.Linux.Sysctl["net.ipv4.ip_unprivileged_port_start"], c.HostConfig.Sysctls["net.ipv4.ip_unprivileged_port_start"])
|
2018-11-30 01:31:44 -05:00
|
|
|
}
|
|
|
|
|
2018-05-10 15:01:50 -04:00
|
|
|
func TestGetSourceMount(t *testing.T) {
|
|
|
|
// must be able to find source mount for /
|
|
|
|
mnt, _, err := getSourceMount("/")
|
|
|
|
assert.NilError(t, err)
|
|
|
|
assert.Equal(t, mnt, "/")
|
|
|
|
|
|
|
|
// must be able to find source mount for current directory
|
|
|
|
cwd, err := os.Getwd()
|
|
|
|
assert.NilError(t, err)
|
|
|
|
_, _, err = getSourceMount(cwd)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
}
|