From f7d4abdc00d521509995da1070215c808fe0fd9c Mon Sep 17 00:00:00 2001 From: Kenfe-Mickael Laventure Date: Mon, 8 Feb 2016 16:51:45 -0800 Subject: [PATCH 1/2] Prevent mqueue from implicitely becoming a bind mount with --ipc=host Currently, when running a container with --ipc=host, if /dev/mqueue is a standard directory on the hos the daemon will bind mount it allowing the container to create/modify files on the host. This commit forces /dev/mqueue to always be of type mqueue except when the user explicitely requested something to be bind mounted to /dev/mqueue. Signed-off-by: Kenfe-Mickael Laventure --- container/container_unix.go | 10 ---------- daemon/container_operations_unix.go | 4 ---- integration-cli/docker_cli_run_test.go | 23 +++++++++++++++++++++-- 3 files changed, 21 insertions(+), 16 deletions(-) diff --git a/container/container_unix.go b/container/container_unix.go index d784a4f137..dadb357c14 100644 --- a/container/container_unix.go +++ b/container/container_unix.go @@ -44,7 +44,6 @@ type Container struct { HostnamePath string HostsPath string ShmPath string - MqueuePath string ResolvConfPath string SeccompProfile string } @@ -577,15 +576,6 @@ func (container *Container) IpcMounts() []execdriver.Mount { Propagation: volume.DefaultPropagationMode, }) } - if !container.HasMountFor("/dev/mqueue") && - container.MqueuePath != "" { - mounts = append(mounts, execdriver.Mount{ - Source: container.MqueuePath, - Destination: "/dev/mqueue", - Writable: true, - Propagation: volume.DefaultPropagationMode, - }) - } return mounts } diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go index 27fdd30a84..4db5b4d62f 100644 --- a/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go 
@@ -106,11 +106,7 @@ func (daemon *Daemon) populateCommand(c *container.Container, env []string) erro if _, err := os.Stat("/dev/shm"); err != nil { return fmt.Errorf("/dev/shm is not mounted, but must be for --ipc=host") } - if _, err := os.Stat("/dev/mqueue"); err != nil { - return fmt.Errorf("/dev/mqueue is not mounted, but must be for --ipc=host") - } c.ShmPath = "/dev/shm" - c.MqueuePath = "/dev/mqueue" } } diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go index 5c145729b1..f99f4745d5 100644 --- a/integration-cli/docker_cli_run_test.go +++ b/integration-cli/docker_cli_run_test.go @@ -2371,7 +2371,7 @@ func (s *DockerSuite) TestRunModeIpcContainer(c *check.C) { // Not applicable on Windows as uses Unix-specific capabilities testRequires(c, SameHostDaemon, DaemonIsLinux, NotUserNamespace) - out, _ := dockerCmd(c, "run", "-d", "busybox", "sh", "-c", "echo -n test > /dev/shm/test && top") + out, _ := dockerCmd(c, "run", "-d", "busybox", "sh", "-c", "echo -n test > /dev/shm/test && touch /dev/mqueue/toto && top") id := strings.TrimSpace(out) state := inspectField(c, id, "State.Running") 
@@ -2395,6 +2395,18 @@ func (s *DockerSuite) TestRunModeIpcContainer(c *check.C) { if catOutput != "test" { c.Fatalf("Output of /dev/shm/test expected test but found: %s", catOutput) } + + // check that /dev/mqueue is actually of mqueue type + grepOutput, _ := dockerCmd(c, "run", fmt.Sprintf("--ipc=container:%s", id), "busybox", "grep", "/dev/mqueue", "/proc/mounts") + if !strings.HasPrefix(grepOutput, "mqueue /dev/mqueue mqueue rw") { + c.Fatalf("Output of 'grep /proc/mounts' expected 'mqueue /dev/mqueue mqueue rw' but found: %s", grepOutput) + } + + lsOutput, _ := dockerCmd(c, "run", fmt.Sprintf("--ipc=container:%s", id), "busybox", "ls", "/dev/mqueue") + lsOutput = strings.Trim(lsOutput, "\n") + if lsOutput != "toto" { + c.Fatalf("Output of 'ls /dev/mqueue' expected 'toto' but found: %s", lsOutput) + } } func (s *DockerSuite) TestRunModeIpcContainerNotExists(c *check.C) { @@ -2423,7 +2435,9 @@ func (s *DockerSuite) TestRunMountShmMqueueFromHost(c *check.C) { // Not applicable on Windows as uses Unix-specific capabilities testRequires(c, SameHostDaemon, DaemonIsLinux) - dockerCmd(c, "run", "-d", "--name", "shmfromhost", "-v", "/dev/shm:/dev/shm", "busybox", "sh", "-c", "echo -n test > /dev/shm/test && top") + dockerCmd(c, "run", "-d", "--name", "shmfromhost", "-v", "/dev/shm:/dev/shm", "-v", "/dev/mqueue:/dev/mqueue", "busybox", "sh", "-c", "echo -n test > /dev/shm/test && touch /dev/mqueue/toto && top") + defer os.Remove("/dev/mqueue/toto") + defer os.Remove("/dev/shm/test") volPath, err := inspectMountSourceField("shmfromhost", "/dev/shm") c.Assert(err, checker.IsNil) if volPath != "/dev/shm" { 
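Review bot: The grep and ls checks added to TestRunModeIpcContainer observe the mqueue mount only through `--ipc=container:<id>`; nothing in the series asserts the `--ipc=host` case the commit message describes, so the regression being fixed has no direct test. A check mirroring the grep added here, run with `--ipc=host` (and, going by patch 2, under NotUserNamespace), would pin it: `out, _ := dockerCmd(c, "run", "--ipc=host", "busybox", "grep", "/dev/mqueue", "/proc/mounts")` followed by the same `strings.HasPrefix(out, "mqueue /dev/mqueue mqueue rw")` assertion. Minor: `lsOutput = strings.Trim(lsOutput, "\n")` could be `strings.TrimSpace(lsOutput)`, matching how `id` is trimmed earlier in this test. TestRunModeIpcContainer starts before this hunk and its closing brace is inside it; the one-line hunk above and the host-side os.Stat hunk below share the same coverage gap.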
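Review bot: The new `-v /dev/mqueue:/dev/mqueue` bind in TestRunMountShmMqueueFromHost makes the test assume a writable mqueue is mounted at /dev/mqueue on the host; where it is absent the failure now surfaces inside the container's `touch` rather than as a clear precondition. A guard before the run, e.g. `if _, err := os.Stat("/dev/mqueue"); err != nil { c.Skip("/dev/mqueue not available on host") }`, would make that explicit. The two `defer os.Remove(...)` calls discard their errors, which is fine for cleanup but deserves a short comment such as `// best-effort cleanup of host-side artifacts`. The enclosing function begins at the hunk header and continues past the hunk.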
@@ -2434,6 +2448,11 @@ func (s *DockerSuite) TestRunMountShmMqueueFromHost(c *check.C) { if out != "test" { c.Fatalf("Output of /dev/shm/test expected test but found: %s", out) } + + // Check that the mq was created + if _, err := os.Stat("/dev/mqueue/toto"); err != nil { + c.Fatalf("Failed to confirm '/dev/mqueue/toto' presence on host: %s", err.Error()) + } } func (s *DockerSuite) TestContainerNetworkMode(c *check.C) { From dba5a7f243e6c251176585571419b595172e9402 Mon Sep 17 00:00:00 2001 From: Kenfe-Mickael Laventure Date: Tue, 9 Feb 2016 11:19:19 -0800 Subject: [PATCH 2/2] Disable TestRunMountshmmqueuefromhost when using userns Since we now automatically mount the mqueue device inside the container (instead of bind mounting the one from the host), when trying to start a container with --ipc=host, the mount will fail with EPERM. Signed-off-by: Kenfe-Mickael Laventure --- integration-cli/docker_cli_run_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go index f99f4745d5..d797d0450f 100644 --- a/integration-cli/docker_cli_run_test.go +++ b/integration-cli/docker_cli_run_test.go @@ -2433,7 +2433,7 @@ func (s *DockerSuite) TestRunModeIpcContainerNotRunning(c *check.C) { func (s *DockerSuite) TestRunMountShmMqueueFromHost(c *check.C) { // Not applicable on Windows as uses Unix-specific capabilities - testRequires(c, SameHostDaemon, DaemonIsLinux) + testRequires(c, SameHostDaemon, DaemonIsLinux, NotUserNamespace) dockerCmd(c, "run", "-d", "--name", "shmfromhost", "-v", "/dev/shm:/dev/shm", "-v", "/dev/mqueue:/dev/mqueue", "busybox", "sh", "-c", "echo -n test > /dev/shm/test && touch /dev/mqueue/toto && top") defer os.Remove("/dev/mqueue/toto")
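Review bot: In the new host-side check, `c.Fatalf("...: %s", err.Error())` can simply be `c.Fatalf("Failed to confirm '/dev/mqueue/toto' presence on host: %v", err)`; `%v` formats the error directly and does not dereference it. This assertion covers only the explicit bind-mount path, where host visibility is the intended outcome. TestRunMountShmMqueueFromHost starts before this hunk; its closing brace is inside it.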