mounts_linux_test.go 7.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281
  1. package container // import "github.com/docker/docker/integration/container"
  2. import (
  3. "bytes"
  4. "context"
  5. "fmt"
  6. "path/filepath"
  7. "testing"
  8. "github.com/docker/docker/api/types"
  9. "github.com/docker/docker/api/types/container"
  10. "github.com/docker/docker/api/types/mount"
  11. "github.com/docker/docker/api/types/network"
  12. "github.com/docker/docker/client"
  13. "github.com/docker/docker/integration-cli/daemon"
  14. "github.com/docker/docker/integration/internal/request"
  15. "github.com/docker/docker/pkg/stdcopy"
  16. "github.com/docker/docker/pkg/system"
  17. "github.com/gotestyourself/gotestyourself/fs"
  18. "github.com/gotestyourself/gotestyourself/skip"
  19. "github.com/stretchr/testify/assert"
  20. "github.com/stretchr/testify/require"
  21. )
  22. func TestContainerShmNoLeak(t *testing.T) {
  23. skip.If(t, testEnv.IsRemoteDaemon(), "cannot start daemon on remote test run")
  24. t.Parallel()
  25. d := daemon.New(t, "docker", "dockerd", daemon.Config{})
  26. client, err := d.NewClient()
  27. if err != nil {
  28. t.Fatal(err)
  29. }
  30. d.StartWithBusybox(t)
  31. defer d.Stop(t)
  32. ctx := context.Background()
  33. cfg := container.Config{
  34. Image: "busybox",
  35. Cmd: []string{"top"},
  36. }
  37. ctr, err := client.ContainerCreate(ctx, &cfg, nil, nil, "")
  38. if err != nil {
  39. t.Fatal(err)
  40. }
  41. defer client.ContainerRemove(ctx, ctr.ID, types.ContainerRemoveOptions{Force: true})
  42. if err := client.ContainerStart(ctx, ctr.ID, types.ContainerStartOptions{}); err != nil {
  43. t.Fatal(err)
  44. }
  45. // this should recursively bind mount everything in the test daemons root
  46. // except of course we are hoping that the previous containers /dev/shm mount did not leak into this new container
  47. hc := container.HostConfig{
  48. Mounts: []mount.Mount{
  49. {
  50. Type: mount.TypeBind,
  51. Source: d.Root,
  52. Target: "/testdaemonroot",
  53. },
  54. },
  55. }
  56. cfg.Cmd = []string{"/bin/sh", "-c", fmt.Sprintf("mount | grep testdaemonroot | grep containers | grep %s", ctr.ID)}
  57. cfg.AttachStdout = true
  58. cfg.AttachStderr = true
  59. ctrLeak, err := client.ContainerCreate(ctx, &cfg, &hc, nil, "")
  60. if err != nil {
  61. t.Fatal(err)
  62. }
  63. attach, err := client.ContainerAttach(ctx, ctrLeak.ID, types.ContainerAttachOptions{
  64. Stream: true,
  65. Stdout: true,
  66. Stderr: true,
  67. })
  68. if err != nil {
  69. t.Fatal(err)
  70. }
  71. if err := client.ContainerStart(ctx, ctrLeak.ID, types.ContainerStartOptions{}); err != nil {
  72. t.Fatal(err)
  73. }
  74. buf := bytes.NewBuffer(nil)
  75. if _, err := stdcopy.StdCopy(buf, buf, attach.Reader); err != nil {
  76. t.Fatal(err)
  77. }
  78. out := bytes.TrimSpace(buf.Bytes())
  79. if !bytes.Equal(out, []byte{}) {
  80. t.Fatalf("mount leaked: %s", string(out))
  81. }
  82. }
  83. func TestContainerNetworkMountsNoChown(t *testing.T) {
  84. // chown only applies to Linux bind mounted volumes; must be same host to verify
  85. skip.If(t, testEnv.DaemonInfo.OSType != "linux" || testEnv.IsRemoteDaemon())
  86. defer setupTest(t)()
  87. ctx := context.Background()
  88. tmpDir := fs.NewDir(t, "network-file-mounts", fs.WithMode(0755), fs.WithFile("nwfile", "network file bind mount", fs.WithMode(0644)))
  89. defer tmpDir.Remove()
  90. tmpNWFileMount := tmpDir.Join("nwfile")
  91. config := container.Config{
  92. Image: "busybox",
  93. }
  94. hostConfig := container.HostConfig{
  95. Mounts: []mount.Mount{
  96. {
  97. Type: "bind",
  98. Source: tmpNWFileMount,
  99. Target: "/etc/resolv.conf",
  100. },
  101. {
  102. Type: "bind",
  103. Source: tmpNWFileMount,
  104. Target: "/etc/hostname",
  105. },
  106. {
  107. Type: "bind",
  108. Source: tmpNWFileMount,
  109. Target: "/etc/hosts",
  110. },
  111. },
  112. }
  113. cli, err := client.NewEnvClient()
  114. require.NoError(t, err)
  115. defer cli.Close()
  116. ctrCreate, err := cli.ContainerCreate(ctx, &config, &hostConfig, &network.NetworkingConfig{}, "")
  117. require.NoError(t, err)
  118. // container will exit immediately because of no tty, but we only need the start sequence to test the condition
  119. err = cli.ContainerStart(ctx, ctrCreate.ID, types.ContainerStartOptions{})
  120. require.NoError(t, err)
  121. // Check that host-located bind mount network file did not change ownership when the container was started
  122. // Note: If the user specifies a mountpath from the host, we should not be
  123. // attempting to chown files outside the daemon's metadata directory
  124. // (represented by `daemon.repository` at init time).
  125. // This forces users who want to use user namespaces to handle the
  126. // ownership needs of any external files mounted as network files
  127. // (/etc/resolv.conf, /etc/hosts, /etc/hostname) separately from the
  128. // daemon. In all other volume/bind mount situations we have taken this
  129. // same line--we don't chown host file content.
  130. // See GitHub PR 34224 for details.
  131. statT, err := system.Stat(tmpNWFileMount)
  132. require.NoError(t, err)
  133. assert.Equal(t, uint32(0), statT.UID(), "bind mounted network file should not change ownership from root")
  134. }
  135. func TestMountDaemonRoot(t *testing.T) {
  136. t.Parallel()
  137. client := request.NewAPIClient(t)
  138. ctx := context.Background()
  139. info, err := client.Info(ctx)
  140. if err != nil {
  141. t.Fatal(err)
  142. }
  143. for _, test := range []struct {
  144. desc string
  145. propagation mount.Propagation
  146. expected mount.Propagation
  147. }{
  148. {
  149. desc: "default",
  150. propagation: "",
  151. expected: mount.PropagationRSlave,
  152. },
  153. {
  154. desc: "private",
  155. propagation: mount.PropagationPrivate,
  156. },
  157. {
  158. desc: "rprivate",
  159. propagation: mount.PropagationRPrivate,
  160. },
  161. {
  162. desc: "slave",
  163. propagation: mount.PropagationSlave,
  164. },
  165. {
  166. desc: "rslave",
  167. propagation: mount.PropagationRSlave,
  168. expected: mount.PropagationRSlave,
  169. },
  170. {
  171. desc: "shared",
  172. propagation: mount.PropagationShared,
  173. },
  174. {
  175. desc: "rshared",
  176. propagation: mount.PropagationRShared,
  177. expected: mount.PropagationRShared,
  178. },
  179. } {
  180. t.Run(test.desc, func(t *testing.T) {
  181. test := test
  182. t.Parallel()
  183. propagationSpec := fmt.Sprintf(":%s", test.propagation)
  184. if test.propagation == "" {
  185. propagationSpec = ""
  186. }
  187. bindSpecRoot := info.DockerRootDir + ":" + "/foo" + propagationSpec
  188. bindSpecSub := filepath.Join(info.DockerRootDir, "containers") + ":/foo" + propagationSpec
  189. for name, hc := range map[string]*container.HostConfig{
  190. "bind root": {Binds: []string{bindSpecRoot}},
  191. "bind subpath": {Binds: []string{bindSpecSub}},
  192. "mount root": {
  193. Mounts: []mount.Mount{
  194. {
  195. Type: mount.TypeBind,
  196. Source: info.DockerRootDir,
  197. Target: "/foo",
  198. BindOptions: &mount.BindOptions{Propagation: test.propagation},
  199. },
  200. },
  201. },
  202. "mount subpath": {
  203. Mounts: []mount.Mount{
  204. {
  205. Type: mount.TypeBind,
  206. Source: filepath.Join(info.DockerRootDir, "containers"),
  207. Target: "/foo",
  208. BindOptions: &mount.BindOptions{Propagation: test.propagation},
  209. },
  210. },
  211. },
  212. } {
  213. t.Run(name, func(t *testing.T) {
  214. hc := hc
  215. t.Parallel()
  216. c, err := client.ContainerCreate(ctx, &container.Config{
  217. Image: "busybox",
  218. Cmd: []string{"true"},
  219. }, hc, nil, "")
  220. if err != nil {
  221. if test.expected != "" {
  222. t.Fatal(err)
  223. }
  224. // expected an error, so this is ok and should not continue
  225. return
  226. }
  227. if test.expected == "" {
  228. t.Fatal("expected create to fail")
  229. }
  230. defer func() {
  231. if err := client.ContainerRemove(ctx, c.ID, types.ContainerRemoveOptions{Force: true}); err != nil {
  232. panic(err)
  233. }
  234. }()
  235. inspect, err := client.ContainerInspect(ctx, c.ID)
  236. if err != nil {
  237. t.Fatal(err)
  238. }
  239. if len(inspect.Mounts) != 1 {
  240. t.Fatalf("unexpected number of mounts: %+v", inspect.Mounts)
  241. }
  242. m := inspect.Mounts[0]
  243. if m.Propagation != test.expected {
  244. t.Fatalf("got unexpected propagation mode, expected %q, got: %v", test.expected, m.Propagation)
  245. }
  246. })
  247. }
  248. })
  249. }
  250. }