1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Fix network connectivity problem for non-root users

If a container was started with a non-root user the container
may not be able to resolve DNS names because of too restrictive
permission in the /etc/resolv.conf container file. This problem
is in how this file gets created in libnetwork and ths PR
attempts to fix the issue by vendoring in the libnetwork code
with the fix.

Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
This commit is contained in:
Jana Radhakrishnan 2015-05-20 06:06:44 +00:00
parent c6d9c904af
commit afd901e408
4 changed files with 42 additions and 1 deletions

View file

@ -55,7 +55,7 @@ clone hg code.google.com/p/go.net 84a4013f96e0
clone hg code.google.com/p/gosqlite 74691fb6f837
#get libnetwork packages
clone git github.com/docker/libnetwork v0.2
clone git github.com/docker/libnetwork b39597744b0978fe4aeb9f3a099ba42f7b6c4a1f
clone git github.com/vishvananda/netns 008d17ae001344769b031375bdb38a86219154c6
clone git github.com/vishvananda/netlink 8eb64238879fed52fd51c5b30ad20b928fb4c36c

View file

@ -1455,6 +1455,32 @@ func (s *DockerSuite) TestRunDnsOptionsBasedOnHostResolvConf(c *check.C) {
}
}
// Test to see if a non-root user can resolve a DNS name and reach out to it. Also
// check if the container resolv.conf file has atleast 0644 perm.
func (s *DockerSuite) TestRunNonRootUserResolvName(c *check.C) {
testRequires(c, SameHostDaemon)
cmd := exec.Command(dockerBinary, "run", "--name=testperm", "--user=default", "busybox", "ping", "-c", "1", "www.docker.io")
if out, err := runCommand(cmd); err != nil {
c.Fatal(err, out)
}
cID, err := getIDByName("testperm")
if err != nil {
c.Fatal(err)
}
fmode := (os.FileMode)(0644)
finfo, err := os.Stat(containerStorageFile(cID, "resolv.conf"))
if err != nil {
c.Fatal(err)
}
if (finfo.Mode() & fmode) != fmode {
c.Fatalf("Expected container resolv.conf mode to be atleast %s, instead got %s", fmode.String(), finfo.Mode().String())
}
}
// Test if container resolv.conf gets updated the next time it restarts
// if host /etc/resolv.conf has changed. This only applies if the container
// uses the host's /etc/resolv.conf and does not have any dns options provided.

View file

@ -548,6 +548,11 @@ func (ep *endpoint) updateDNS(resolvConf []byte) error {
return err
}
// Change the perms to 0644 since ioutil.TempFile creates it by default as 0600
if err := os.Chmod(tmpResolvFile.Name(), 0644); err != nil {
return err
}
// write the updates to the temp files
if err = ioutil.WriteFile(tmpHashFile.Name(), []byte(newHash), 0644); err != nil {
return err

View file

@ -1137,6 +1137,16 @@ func TestResolvConf(t *testing.T) {
}
}()
finfo, err := os.Stat(resolvConfPath)
if err != nil {
t.Fatal(err)
}
fmode := (os.FileMode)(0644)
if finfo.Mode() != fmode {
t.Fatalf("Expected file mode %s, got %s", fmode.String(), finfo.Mode().String())
}
content, err := ioutil.ReadFile(resolvConfPath)
if err != nil {
t.Fatal(err)