mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
eaa5192856
It's a common scenario for admins and/or monitoring applications to mount in the daemon root dir into a container. When doing so all mounts get coppied into the container, often with private references. This can prevent removal of a container due to the various mounts that must be configured before a container is started (for example, for shared /dev/shm, or secrets) being leaked into another namespace, usually with private references. This is particularly problematic on older kernels (e.g. RHEL < 7.4) where a mount may be active in another namespace and attempting to remove a mountpoint which is active in another namespace fails. This change moves all container resource mounts into a common directory so that the directory can be made unbindable. What this does is prevents sub-mounts of this new directory from leaking into other namespaces when mounted with `rbind`... which is how all binds are handled for containers. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
84 lines
2.1 KiB
Go
84 lines
2.1 KiB
Go
package container
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"fmt"
|
|
"testing"
|
|
|
|
"github.com/docker/docker/api/types"
|
|
"github.com/docker/docker/api/types/container"
|
|
"github.com/docker/docker/api/types/mount"
|
|
"github.com/docker/docker/integration-cli/daemon"
|
|
"github.com/docker/docker/pkg/stdcopy"
|
|
)
|
|
|
|
func TestContainerShmNoLeak(t *testing.T) {
|
|
t.Parallel()
|
|
d := daemon.New(t, "docker", "dockerd", daemon.Config{})
|
|
client, err := d.NewClient()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
d.StartWithBusybox(t)
|
|
defer d.Stop(t)
|
|
|
|
ctx := context.Background()
|
|
cfg := container.Config{
|
|
Image: "busybox",
|
|
Cmd: []string{"top"},
|
|
}
|
|
|
|
ctr, err := client.ContainerCreate(ctx, &cfg, nil, nil, "")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
defer client.ContainerRemove(ctx, ctr.ID, types.ContainerRemoveOptions{Force: true})
|
|
|
|
if err := client.ContainerStart(ctx, ctr.ID, types.ContainerStartOptions{}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// this should recursively bind mount everything in the test daemons root
|
|
// except of course we are hoping that the previous containers /dev/shm mount did not leak into this new container
|
|
hc := container.HostConfig{
|
|
Mounts: []mount.Mount{
|
|
{
|
|
Type: mount.TypeBind,
|
|
Source: d.Root,
|
|
Target: "/testdaemonroot",
|
|
BindOptions: &mount.BindOptions{Propagation: mount.PropagationRPrivate}},
|
|
},
|
|
}
|
|
cfg.Cmd = []string{"/bin/sh", "-c", fmt.Sprintf("mount | grep testdaemonroot | grep containers | grep %s", ctr.ID)}
|
|
cfg.AttachStdout = true
|
|
cfg.AttachStderr = true
|
|
ctrLeak, err := client.ContainerCreate(ctx, &cfg, &hc, nil, "")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
attach, err := client.ContainerAttach(ctx, ctrLeak.ID, types.ContainerAttachOptions{
|
|
Stream: true,
|
|
Stdout: true,
|
|
Stderr: true,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if err := client.ContainerStart(ctx, ctrLeak.ID, types.ContainerStartOptions{}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
buf := bytes.NewBuffer(nil)
|
|
|
|
if _, err := stdcopy.StdCopy(buf, buf, attach.Reader); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
out := bytes.TrimSpace(buf.Bytes())
|
|
if !bytes.Equal(out, []byte{}) {
|
|
t.Fatalf("mount leaked: %s", string(out))
|
|
}
|
|
}
|