Fix network connectivity problem for non-root users
If a container was started with a non-root user the container may not be able to resolve DNS names because of too restrictive permissions on the /etc/resolv.conf container file. This problem is in how this file gets created in libnetwork and this PR attempts to fix the issue by vendoring in the libnetwork code with the fix. Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
This commit is contained in:
parent
c6d9c904af
commit
afd901e408
4 changed files with 42 additions and 1 deletions
|
@ -55,7 +55,7 @@ clone hg code.google.com/p/go.net 84a4013f96e0
|
|||
clone hg code.google.com/p/gosqlite 74691fb6f837
|
||||
|
||||
#get libnetwork packages
|
||||
clone git github.com/docker/libnetwork v0.2
|
||||
clone git github.com/docker/libnetwork b39597744b0978fe4aeb9f3a099ba42f7b6c4a1f
|
||||
clone git github.com/vishvananda/netns 008d17ae001344769b031375bdb38a86219154c6
|
||||
clone git github.com/vishvananda/netlink 8eb64238879fed52fd51c5b30ad20b928fb4c36c
|
||||
|
||||
|
|
|
@ -1455,6 +1455,32 @@ func (s *DockerSuite) TestRunDnsOptionsBasedOnHostResolvConf(c *check.C) {
|
|||
}
|
||||
}
|
||||
|
||||
// Test to see if a non-root user can resolve a DNS name and reach out to it. Also
|
||||
// check if the container resolv.conf file has atleast 0644 perm.
|
||||
func (s *DockerSuite) TestRunNonRootUserResolvName(c *check.C) {
|
||||
testRequires(c, SameHostDaemon)
|
||||
|
||||
cmd := exec.Command(dockerBinary, "run", "--name=testperm", "--user=default", "busybox", "ping", "-c", "1", "www.docker.io")
|
||||
if out, err := runCommand(cmd); err != nil {
|
||||
c.Fatal(err, out)
|
||||
}
|
||||
|
||||
cID, err := getIDByName("testperm")
|
||||
if err != nil {
|
||||
c.Fatal(err)
|
||||
}
|
||||
|
||||
fmode := (os.FileMode)(0644)
|
||||
finfo, err := os.Stat(containerStorageFile(cID, "resolv.conf"))
|
||||
if err != nil {
|
||||
c.Fatal(err)
|
||||
}
|
||||
|
||||
if (finfo.Mode() & fmode) != fmode {
|
||||
c.Fatalf("Expected container resolv.conf mode to be atleast %s, instead got %s", fmode.String(), finfo.Mode().String())
|
||||
}
|
||||
}
|
||||
|
||||
// Test if container resolv.conf gets updated the next time it restarts
|
||||
// if host /etc/resolv.conf has changed. This only applies if the container
|
||||
// uses the host's /etc/resolv.conf and does not have any dns options provided.
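Review bot: The mode check `if (finfo.Mode() & fmode) != fmode {` in TestRunNonRootUserResolvName only asserts that the 0644 bits are present, so a world-writable resolv.conf (0666 or 0777) would still pass even though the fix's intent is read access for non-root users, not write access. A non-root process inside the container that can rewrite resolv.conf can redirect the container's DNS, so the test should also reject group/other write bits: `if perm := finfo.Mode().Perm(); perm&fmode != fmode || perm&0022 != 0 {` with the message changed to `c.Fatalf("Expected container resolv.conf mode to be 0644 (readable by all, writable only by owner), got %s", perm)`. The test also depends on ICMP egress to www.docker.io from the test host via `ping`, which will fail in sandboxed or offline CI; a plain name lookup (presumably busybox's `nslookup`) would exercise the same resolv.conf path without needing outbound ping. The doc comment's `atleast` should read `at least`.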
|
||||
|
|
|
@ -548,6 +548,11 @@ func (ep *endpoint) updateDNS(resolvConf []byte) error {
|
|||
return err
|
||||
}
|
||||
|
||||
// Change the perms to 0644 since ioutil.TempFile creates it by default as 0600
|
||||
if err := os.Chmod(tmpResolvFile.Name(), 0644); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// write the updates to the temp files
|
||||
if err = ioutil.WriteFile(tmpHashFile.Name(), []byte(newHash), 0644); err != nil {
|
||||
return err
|
||||
|
|
|
@ -1137,6 +1137,16 @@ func TestResolvConf(t *testing.T) {
|
|||
}
|
||||
}()
|
||||
|
||||
finfo, err := os.Stat(resolvConfPath)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
fmode := (os.FileMode)(0644)
|
||||
if finfo.Mode() != fmode {
|
||||
t.Fatalf("Expected file mode %s, got %s", fmode.String(), finfo.Mode().String())
|
||||
}
|
||||
|
||||
content, err := ioutil.ReadFile(resolvConfPath)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
|
|