kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Merge pull request #14965 from stefanberger/nohidevols2

Browse source 
Have network files mounted read-only when -v parameter has 'ro' passed
This commit is contained in:
David Calavera 2015-08-07 19:10:59 -07:00
commit 196aa6d62d
3 changed files with 75 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
daemon/container_unix.go
View file

@ -1128,28 +1128,40 @@ func (container *Container) networkMounts() []execdriver.Mount {
} }
if container.ResolvConfPath != "" { if container.ResolvConfPath != "" {
label.Relabel(container.ResolvConfPath, container.MountLabel, mode) label.Relabel(container.ResolvConfPath, container.MountLabel, mode)
writable := !container.hostConfig.ReadonlyRootfs
if m, exists := container.MountPoints["/etc/resolv.conf"]; exists {
writable = m.RW
}
mounts = append(mounts, execdriver.Mount{ mounts = append(mounts, execdriver.Mount{
Source: container.ResolvConfPath, Source: container.ResolvConfPath,
Destination: "/etc/resolv.conf", Destination: "/etc/resolv.conf",
Writable: !container.hostConfig.ReadonlyRootfs, Writable: writable,
Private: true, Private: true,
}) })
} }
if container.HostnamePath != "" { if container.HostnamePath != "" {
label.Relabel(container.HostnamePath, container.MountLabel, mode) label.Relabel(container.HostnamePath, container.MountLabel, mode)
writable := !container.hostConfig.ReadonlyRootfs
if m, exists := container.MountPoints["/etc/hostname"]; exists {
writable = m.RW
}
mounts = append(mounts, execdriver.Mount{ mounts = append(mounts, execdriver.Mount{
Source: container.HostnamePath, Source: container.HostnamePath,
Destination: "/etc/hostname", Destination: "/etc/hostname",
Writable: !container.hostConfig.ReadonlyRootfs, Writable: writable,
Private: true, Private: true,
}) })
} }
if container.HostsPath != "" { if container.HostsPath != "" {
label.Relabel(container.HostsPath, container.MountLabel, mode) label.Relabel(container.HostsPath, container.MountLabel, mode)
writable := !container.hostConfig.ReadonlyRootfs
if m, exists := container.MountPoints["/etc/hosts"]; exists {
writable = m.RW
}
mounts = append(mounts, execdriver.Mount{ mounts = append(mounts, execdriver.Mount{
Source: container.HostsPath, Source: container.HostsPath,
Destination: "/etc/hosts", Destination: "/etc/hosts",
Writable: !container.hostConfig.ReadonlyRootfs, Writable: writable,
Private: true, Private: true,
}) })
} }

61
integration-cli/docker_cli_run_test.go
View file

@ -2561,23 +2561,58 @@ func (s *DockerSuite) TestRunWriteFilteredProc(c *check.C) {
func (s *DockerSuite) TestRunNetworkFilesBindMount(c *check.C) { func (s *DockerSuite) TestRunNetworkFilesBindMount(c *check.C) {
testRequires(c, SameHostDaemon) testRequires(c, SameHostDaemon)
name := "test-nwfiles-mount"
f, err := ioutil.TempFile("", name)
c.Assert(err, check.IsNil)
filename := f.Name()
defer os.Remove(filename)
expected := "test123" expected := "test123"
err = ioutil.WriteFile(filename, []byte(expected), 0644) filename := createTmpFile(c, expected)
c.Assert(err, check.IsNil) defer os.Remove(filename)
var actual string nwfiles := []string{"/etc/resolv.conf", "/etc/hosts", "/etc/hostname"}
actual, _ = dockerCmd(c, "run", "-v", filename+":/etc/resolv.conf", "busybox", "cat", "/etc/resolv.conf")
if actual != expected { for i := range nwfiles {
c.Fatalf("expected resolv.conf be: %q, but was: %q", expected, actual) actual, _ := dockerCmd(c, "run", "-v", filename+":"+nwfiles[i], "busybox", "cat", nwfiles[i])
if actual != expected {
c.Fatalf("expected %s be: %q, but was: %q", nwfiles[i], expected, actual)
}
}
}
func (s *DockerSuite) TestRunNetworkFilesBindMountRO(c *check.C) {
testRequires(c, SameHostDaemon)
filename := createTmpFile(c, "test123")
defer os.Remove(filename)
nwfiles := []string{"/etc/resolv.conf", "/etc/hosts", "/etc/hostname"}
for i := range nwfiles {
_, exitCode, err := dockerCmdWithError("run", "-v", filename+":"+nwfiles[i]+":ro", "busybox", "touch", nwfiles[i])
if err == nil || exitCode == 0 {
c.Fatalf("run should fail because bind mount of %s is ro: exit code %d", nwfiles[i], exitCode)
}
}
}
func (s *DockerSuite) TestRunNetworkFilesBindMountROFilesystem(c *check.C) {
testRequires(c, SameHostDaemon)
filename := createTmpFile(c, "test123")
defer os.Remove(filename)
nwfiles := []string{"/etc/resolv.conf", "/etc/hosts", "/etc/hostname"}
for i := range nwfiles {
_, exitCode := dockerCmd(c, "run", "-v", filename+":"+nwfiles[i], "--read-only", "busybox", "touch", nwfiles[i])
if exitCode != 0 {
c.Fatalf("run should not fail because %s is mounted writable on read-only root filesystem: exit code %d", nwfiles[i], exitCode)
}
}
for i := range nwfiles {
_, exitCode, err := dockerCmdWithError("run", "-v", filename+":"+nwfiles[i]+":ro", "--read-only", "busybox", "touch", nwfiles[i])
if err == nil || exitCode == 0 {
c.Fatalf("run should fail because %s is mounted read-only on read-only root filesystem: exit code %d", nwfiles[i], exitCode)
}
} }
} }

12
integration-cli/docker_utils.go
View file

@ -1341,3 +1341,15 @@ func appendBaseEnv(env []string) []string {
} }
return env return env
} }
func createTmpFile(c *check.C, content string) string {
f, err := ioutil.TempFile("", "testfile")
c.Assert(err, check.IsNil)
filename := f.Name()
err = ioutil.WriteFile(filename, []byte(content), 0644)
c.Assert(err, check.IsNil)
return filename
}