Selaa lähdekoodia

Merge pull request #13346 from mrjana/cnm_integ

Fix network connectivity problem for non-root users
Alexander Morozov 10 vuotta sitten
vanhempi
commit
dec13cef2a

+ 1 - 1
hack/vendor.sh

@@ -55,7 +55,7 @@ clone hg code.google.com/p/go.net 84a4013f96e0
 clone hg code.google.com/p/gosqlite 74691fb6f837
 clone hg code.google.com/p/gosqlite 74691fb6f837
 
 
 #get libnetwork packages
 #get libnetwork packages
-clone git github.com/docker/libnetwork v0.2
+clone git github.com/docker/libnetwork b39597744b0978fe4aeb9f3a099ba42f7b6c4a1f
 clone git github.com/vishvananda/netns 008d17ae001344769b031375bdb38a86219154c6
 clone git github.com/vishvananda/netns 008d17ae001344769b031375bdb38a86219154c6
 clone git github.com/vishvananda/netlink 8eb64238879fed52fd51c5b30ad20b928fb4c36c
 clone git github.com/vishvananda/netlink 8eb64238879fed52fd51c5b30ad20b928fb4c36c
 
 

+ 26 - 0
integration-cli/docker_cli_run_test.go

@@ -1455,6 +1455,32 @@ func (s *DockerSuite) TestRunDnsOptionsBasedOnHostResolvConf(c *check.C) {
 	}
 	}
 }
 }
 
 
+// Test to see if a non-root user can resolve a DNS name and reach out to it. Also
+// check if the container resolv.conf file has atleast 0644 perm.
+func (s *DockerSuite) TestRunNonRootUserResolvName(c *check.C) {
+	testRequires(c, SameHostDaemon)
+
+	cmd := exec.Command(dockerBinary, "run", "--name=testperm", "--user=default", "busybox", "ping", "-c", "1", "www.docker.io")
+	if out, err := runCommand(cmd); err != nil {
+		c.Fatal(err, out)
+	}
+
+	cID, err := getIDByName("testperm")
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	fmode := (os.FileMode)(0644)
+	finfo, err := os.Stat(containerStorageFile(cID, "resolv.conf"))
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	if (finfo.Mode() & fmode) != fmode {
+		c.Fatalf("Expected container resolv.conf mode to be atleast %s, instead got %s", fmode.String(), finfo.Mode().String())
+	}
+}
+
 // Test if container resolv.conf gets updated the next time it restarts
 // Test if container resolv.conf gets updated the next time it restarts
 // if host /etc/resolv.conf has changed. This only applies if the container
 // if host /etc/resolv.conf has changed. This only applies if the container
 // uses the host's /etc/resolv.conf and does not have any dns options provided.
 // uses the host's /etc/resolv.conf and does not have any dns options provided.

+ 5 - 0
vendor/src/github.com/docker/libnetwork/endpoint.go

@@ -548,6 +548,11 @@ func (ep *endpoint) updateDNS(resolvConf []byte) error {
 		return err
 		return err
 	}
 	}
 
 
+	// Change the perms to 0644 since ioutil.TempFile creates it by default as 0600
+	if err := os.Chmod(tmpResolvFile.Name(), 0644); err != nil {
+		return err
+	}
+
 	// write the updates to the temp files
 	// write the updates to the temp files
 	if err = ioutil.WriteFile(tmpHashFile.Name(), []byte(newHash), 0644); err != nil {
 	if err = ioutil.WriteFile(tmpHashFile.Name(), []byte(newHash), 0644); err != nil {
 		return err
 		return err

+ 10 - 0
vendor/src/github.com/docker/libnetwork/libnetwork_test.go

@@ -1137,6 +1137,16 @@ func TestResolvConf(t *testing.T) {
 		}
 		}
 	}()
 	}()
 
 
+	finfo, err := os.Stat(resolvConfPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	fmode := (os.FileMode)(0644)
+	if finfo.Mode() != fmode {
+		t.Fatalf("Expected file mode %s, got %s", fmode.String(), finfo.Mode().String())
+	}
+
 	content, err := ioutil.ReadFile(resolvConfPath)
 	content, err := ioutil.ReadFile(resolvConfPath)
 	if err != nil {
 	if err != nil {
 		t.Fatal(err)
 		t.Fatal(err)