From c028da3557cc0e9f80aee9b08118e9947e1fa57a Mon Sep 17 00:00:00 2001
From: Yong Tang
Date: Sun, 4 Feb 2018 17:38:04 +0000
Subject: [PATCH] Migrates TestContainersAPINetworkMountsNoChown to api tests

This fix migrates TestContainersAPINetworkMountsNoChown from integration-cli to api tests in integration.

Signed-off-by: Yong Tang
---
 .../docker_api_containers_unix_test.go | 77 -------------------
 integration/container/mounts_linux_test.go | 59 ++++++++++++++
 2 files changed, 59 insertions(+), 77 deletions(-)
 delete mode 100644 integration-cli/docker_api_containers_unix_test.go

diff --git a/integration-cli/docker_api_containers_unix_test.go b/integration-cli/docker_api_containers_unix_test.go
deleted file mode 100644
index 4964f52644..0000000000
--- a/integration-cli/docker_api_containers_unix_test.go
+++ /dev/null
@@ -1,77 +0,0 @@
-// +build !windows
-
-package main
-
-import (
- "io/ioutil"
- "os"
- "path/filepath"
-
- "github.com/docker/docker/api/types"
- containertypes "github.com/docker/docker/api/types/container"
- mounttypes "github.com/docker/docker/api/types/mount"
- networktypes "github.com/docker/docker/api/types/network"
- "github.com/docker/docker/client"
- "github.com/docker/docker/integration-cli/checker"
- "github.com/docker/docker/pkg/ioutils"
- "github.com/docker/docker/pkg/system"
- "github.com/go-check/check"
- "github.com/stretchr/testify/assert"
- "golang.org/x/net/context"
-)
-
-func (s *DockerSuite) TestContainersAPINetworkMountsNoChown(c *check.C) {
- // chown only applies to Linux bind mounted volumes; must be same host to verify
- testRequires(c, DaemonIsLinux, SameHostDaemon)
-
- tmpDir, err := ioutils.TempDir("", "test-network-mounts")
- c.Assert(err, checker.IsNil)
- defer os.RemoveAll(tmpDir)
-
- // make tmp dir readable by anyone to allow userns process to mount from
- err = os.Chmod(tmpDir, 0755)
- c.Assert(err, checker.IsNil)
- // create temp files to use as network mounts
- tmpNWFileMount := filepath.Join(tmpDir, "nwfile")
-
- err = ioutil.WriteFile(tmpNWFileMount, []byte("network file bind mount"), 0644)
- c.Assert(err, checker.IsNil)
-
- config := containertypes.Config{
- Image: "busybox",
- }
- hostConfig := containertypes.HostConfig{
- Mounts: []mounttypes.Mount{
- {
- Type: "bind",
- Source: tmpNWFileMount,
- Target: "/etc/resolv.conf",
- },
- {
- Type: "bind",
- Source: tmpNWFileMount,
- Target: "/etc/hostname",
- },
- {
- Type: "bind",
- Source: tmpNWFileMount,
- Target: "/etc/hosts",
- },
- },
- }
-
- cli, err := client.NewEnvClient()
- c.Assert(err, checker.IsNil)
- defer cli.Close()
-
- ctrCreate, err := cli.ContainerCreate(context.Background(), &config, &hostConfig, &networktypes.NetworkingConfig{}, "")
- c.Assert(err, checker.IsNil)
- // container will exit immediately because of no tty, but we only need the start sequence to test the condition
- err = cli.ContainerStart(context.Background(), ctrCreate.ID, types.ContainerStartOptions{})
- c.Assert(err, checker.IsNil)
-
- // check that host-located bind mount network file did not change ownership when the container was started
- statT, err := system.Stat(tmpNWFileMount)
- c.Assert(err, checker.IsNil)
- assert.Equal(c, uint32(0), statT.UID(), "bind mounted network file should not change ownership from root")
-}
diff --git a/integration/container/mounts_linux_test.go b/integration/container/mounts_linux_test.go
index 8c13258c30..eab0fd5d74 100644
--- a/integration/container/mounts_linux_test.go
+++ b/integration/container/mounts_linux_test.go
@@ -9,8 +9,15 @@ import (
 "github.com/docker/docker/api/types"
 "github.com/docker/docker/api/types/container"
 "github.com/docker/docker/api/types/mount"
+ "github.com/docker/docker/api/types/network"
+ "github.com/docker/docker/client"
 "github.com/docker/docker/integration-cli/daemon"
 "github.com/docker/docker/pkg/stdcopy"
+ "github.com/docker/docker/pkg/system"
+ "github.com/gotestyourself/gotestyourself/fs"
+ "github.com/gotestyourself/gotestyourself/skip"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
 )
 
 func TestContainerShmNoLeak(t *testing.T) {
@@ -82,3 +89,55 @@ func TestContainerShmNoLeak(t *testing.T) {
 t.Fatalf("mount leaked: %s", string(out))
 }
 }
+
+func TestContainerNetworkMountsNoChown(t *testing.T) {
+ // chown only applies to Linux bind mounted volumes; must be same host to verify
+ skip.If(t, testEnv.DaemonInfo.OSType != "linux" || !testEnv.IsLocalDaemon())
+
+ defer setupTest(t)()
+
+ ctx := context.Background()
+
+ tmpDir := fs.NewDir(t, "network-file-mounts", fs.WithMode(0755), fs.WithFile("nwfile", "network file bind mount", fs.WithMode(0644)))
+ defer tmpDir.Remove()
+
+ tmpNWFileMount := tmpDir.Join("nwfile")
+
+ config := container.Config{
+ Image: "busybox",
+ }
+ hostConfig := container.HostConfig{
+ Mounts: []mount.Mount{
+ {
+ Type: "bind",
+ Source: tmpNWFileMount,
+ Target: "/etc/resolv.conf",
+ },
+ {
+ Type: "bind",
+ Source: tmpNWFileMount,
+ Target: "/etc/hostname",
+ },
+ {
+ Type: "bind",
+ Source: tmpNWFileMount,
+ Target: "/etc/hosts",
+ },
+ },
+ }
+
+ cli, err := client.NewEnvClient()
+ require.NoError(t, err)
+ defer cli.Close()
+
+ ctrCreate, err := cli.ContainerCreate(ctx, &config, &hostConfig, &network.NetworkingConfig{}, "")
+ require.NoError(t, err)
+ // container will exit immediately because of no tty, but we only need the start sequence to test the condition
+ err = cli.ContainerStart(ctx, ctrCreate.ID, types.ContainerStartOptions{})
+ require.NoError(t, err)
+
+ // check that host-located bind mount network file did not change ownership when the container was started
+ statT, err := system.Stat(tmpNWFileMount)
+ require.NoError(t, err)
+ assert.Equal(t, uint32(0), statT.UID(), "bind mounted network file should not change ownership from root")
+}
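Review bot: The final assertion in TestContainerNetworkMountsNoChown checks only `statT.UID()`, so a daemon that changed just the group of the bind-mounted host file on container start would still pass; add `assert.Equal(t, uint32(0), statT.GID(), "bind mounted network file should not change group ownership from root")` next to it. Both checks compare against a literal 0, which presumably relies on the test process creating `nwfile` as root; stat-ing the file once before `ContainerCreate` and comparing against those values would remove that assumption. The migration also drops the old comment that explained the 0755 directory mode (`// make tmp dir readable by anyone to allow userns process to mount from`); it is worth keeping above the `fs.NewDir` call, since the mode otherwise looks arbitrary.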