We use cookies to ensure you get the best experience on our website
首頁 探索 說明
註冊 登入
0ct0pu5
/
moby
1
0
複刻 0
Files 問題管理 0 合併請求 0 Wiki
瀏覽代碼

Prevent connecting to host and prevent disconnecting from host

Container has private network namespace can not to connect to host
and container with host network can not be disconnected from host.

Signed-off-by: Lei Jitang <leijitang@huawei.com>
Lei Jitang 9 年之前
父節點
1eafc7264c
當前提交
a2d8c93fc6
共有 3 個文件被更改,包括 28 次插入0 次删除
統一視圖 顯示文件統計
  1. 8 0
      daemon/container_unix.go
  2. 18 0
      integration-cli/docker_cli_network_unix_test.go
  3. 2 0
      runconfig/parse.go

+ 8 - 0
daemon/container_unix.go
查看文件 

@@ -720,6 +720,10 @@ func (daemon *Daemon) updateNetworkSettings(container *Container, n libnetwork.N
 
 		container.NetworkSettings = &network.Settings{Networks: make(map[string]*network.EndpointSettings)}
 
 		container.NetworkSettings = &network.Settings{Networks: make(map[string]*network.EndpointSettings)}
 
 	}
 
 	}
 
 
 
+	if !container.hostConfig.NetworkMode.IsHost() && runconfig.NetworkMode(n.Type()).IsHost() {
 
+		return runconfig.ErrConflictHostNetwork
 
+	}
 
+
 
 	for s := range container.NetworkSettings.Networks {
 
 	for s := range container.NetworkSettings.Networks {
 
 		sn, err := daemon.FindNetwork(s)
 
 		sn, err := daemon.FindNetwork(s)
 
 		if err != nil {
 
 		if err != nil {
 
@@ -1174,6 +1178,10 @@ func (container *Container) DisconnectFromNetwork(n libnetwork.Network) error {
 
 		return derr.ErrorCodeNotRunning.WithArgs(container.ID)
 
 		return derr.ErrorCodeNotRunning.WithArgs(container.ID)
 
 	}
 
 	}
 
 
 
+	if container.hostConfig.NetworkMode.IsHost() && runconfig.NetworkMode(n.Type()).IsHost() {
 
+		return runconfig.ErrConflictHostNetwork
 
+	}
 
+
 
 	if err := container.disconnectFromNetwork(n); err != nil {
 
 	if err := container.disconnectFromNetwork(n); err != nil {
 
 		return err
 
 		return err
 
 	}
 
 	}

+ 18 - 0
integration-cli/docker_cli_network_unix_test.go
查看文件 

@@ -15,6 +15,7 @@ import (
 
 	"github.com/docker/docker/api/types"
 
 	"github.com/docker/docker/api/types"
 
 	"github.com/docker/docker/api/types/versions/v1p20"
 
 	"github.com/docker/docker/api/types/versions/v1p20"
 
 	"github.com/docker/docker/pkg/integration/checker"
 
 	"github.com/docker/docker/pkg/integration/checker"
 
+	"github.com/docker/docker/runconfig"
 
 	"github.com/docker/libnetwork/driverapi"
 
 	"github.com/docker/libnetwork/driverapi"
 
 	remoteapi "github.com/docker/libnetwork/drivers/remote/api"
 
 	remoteapi "github.com/docker/libnetwork/drivers/remote/api"
 
 	"github.com/docker/libnetwork/ipamapi"
 
 	"github.com/docker/libnetwork/ipamapi"
 
@@ -764,3 +765,20 @@ func (s *DockerNetworkSuite) TestDockerNetworkHostModeUngracefulDaemonRestart(c
 
 		c.Assert(strings.TrimSpace(runningOut), checker.Equals, "true")
 
 		c.Assert(strings.TrimSpace(runningOut), checker.Equals, "true")
 
 	}
 
 	}
 
 }
 
 }
 
+
 
+func (s *DockerNetworkSuite) TestDockerNetworkConnectToHostFromOtherNetwork(c *check.C) {
 
+	dockerCmd(c, "run", "-d", "--name", "container1", "busybox", "top")
 
+	c.Assert(waitRun("container1"), check.IsNil)
 
+	dockerCmd(c, "network", "disconnect", "bridge", "container1")
 
+	out, _, err := dockerCmdWithError("network", "connect", "host", "container1")
 
+	c.Assert(err, checker.NotNil, check.Commentf(out))
 
+	c.Assert(out, checker.Contains, runconfig.ErrConflictHostNetwork.Error())
 
+}
 
+
 
+func (s *DockerNetworkSuite) TestDockerNetworkDisconnectFromHost(c *check.C) {
 
+	dockerCmd(c, "run", "-d", "--name", "container1", "--net=host", "busybox", "top")
 
+	c.Assert(waitRun("container1"), check.IsNil)
 
+	out, _, err := dockerCmdWithError("network", "disconnect", "host", "container1")
 
+	c.Assert(err, checker.NotNil, check.Commentf("Should err out disconnect from host"))
 
+	c.Assert(out, checker.Contains, runconfig.ErrConflictHostNetwork.Error())
 
+}

+ 2 - 0
runconfig/parse.go
查看文件 

@@ -22,6 +22,8 @@ var (
 
 	ErrConflictUserDefinedNetworkAndLinks = fmt.Errorf("Conflicting options: --net=<NETWORK> can't be used with links. This would result in undefined behavior")
 
 	ErrConflictUserDefinedNetworkAndLinks = fmt.Errorf("Conflicting options: --net=<NETWORK> can't be used with links. This would result in undefined behavior")
 
 	// ErrConflictSharedNetwork conflict between private and other networks
 
 	// ErrConflictSharedNetwork conflict between private and other networks
 
 	ErrConflictSharedNetwork = fmt.Errorf("Container sharing network namespace with another container or host cannot be connected to any other network")
 
 	ErrConflictSharedNetwork = fmt.Errorf("Container sharing network namespace with another container or host cannot be connected to any other network")
 
+	// ErrConflictHostNetwork conflict from being disconnected from host network or connected to host network.
 
+	ErrConflictHostNetwork = fmt.Errorf("Container cannot be disconnected from host network or connected to host network")
 
 	// ErrConflictNoNetwork conflict between private and other networks
 
 	// ErrConflictNoNetwork conflict between private and other networks
 
 	ErrConflictNoNetwork = fmt.Errorf("Container cannot be connected to multiple networks with one of the networks in --none mode")
 
 	ErrConflictNoNetwork = fmt.Errorf("Container cannot be connected to multiple networks with one of the networks in --none mode")
 
 	// ErrConflictNetworkAndDNS conflict between --dns and the network mode
 
 	// ErrConflictNetworkAndDNS conflict between --dns and the network mode

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5