We use cookies to ensure you get the best experience on our website
Trang chủ Khám phá Trợ giúp
Đăng ký Đăng nhập
0ct0pu5
/
moby
1
0
Fork 0
Các tập tin Các vấn đề 0 Yêu cầu kéo về 0 Wiki
Tree: acdbaaa3ed
Branches Tags
moby
/
integration
/
container
/
run_cgroupns_linux_test.go

run_cgroupns_linux_test.go 6.2 KB
Lịch sử Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152 
  1. package container // import "github.com/docker/docker/integration/container"
    2. 

  2. 

  3. import (
    4. 

  4. 	"context"
    5. 

  5. 	"strings"
    6. 

  6. 	"testing"
    7. 

  7. 	"time"
    8. 

  8. 

  9. 	"github.com/docker/docker/client"
    10. 

  10. 	"github.com/docker/docker/integration/internal/container"
    11. 

  11. 	"github.com/docker/docker/integration/internal/requirement"
    12. 

  12. 	"github.com/docker/docker/internal/test/daemon"
    13. 

  13. 	"gotest.tools/assert"
    14. 

  14. 	is "gotest.tools/assert/cmp"
    15. 

  15. 	"gotest.tools/poll"
    16. 

  16. 	"gotest.tools/skip"
    17. 

  17. )
    18. 

  18. 

  19. // Gets the value of the cgroup namespace for pid 1 of a container
    20. 

  20. func containerCgroupNamespace(ctx context.Context, t *testing.T, client *client.Client, cID string) string {
    21. 

  21. 	res, err := container.Exec(ctx, client, cID, []string{"readlink", "/proc/1/ns/cgroup"})
    22. 

  22. 	assert.NilError(t, err)
    23. 

  23. 	assert.Assert(t, is.Len(res.Stderr(), 0))
    24. 

  24. 	assert.Equal(t, 0, res.ExitCode)
    25. 

  25. 	return strings.TrimSpace(res.Stdout())
    26. 

  26. }
    27. 

  27. 

  28. // Bring up a daemon with the specified default cgroup namespace mode, and then create a container with the container options
    29. 

  29. func testRunWithCgroupNs(t *testing.T, daemonNsMode string, containerOpts ...func(*container.TestContainerConfig)) (string, string) {
    30. 

  30. 	d := daemon.New(t, daemon.WithDefaultCgroupNamespaceMode(daemonNsMode))
    31. 

  31. 	client := d.NewClientT(t)
    32. 

  32. 	ctx := context.Background()
    33. 

  33. 

  34. 	d.StartWithBusybox(t)
    35. 

  35. 	defer d.Stop(t)
    36. 

  36. 

  37. 	cID := container.Run(t, ctx, client, containerOpts...)
    38. 

  38. 	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
    39. 

  39. 

  40. 	daemonCgroup := d.CgroupNamespace(t)
    41. 

  41. 	containerCgroup := containerCgroupNamespace(ctx, t, client, cID)
    42. 

  42. 	return containerCgroup, daemonCgroup
    43. 

  43. }
    44. 

  44. 

  45. // Bring up a daemon with the specified default cgroup namespace mode. Create a container with the container options,
    46. 

  46. // expecting an error with the specified string
    47. 

  47. func testCreateFailureWithCgroupNs(t *testing.T, daemonNsMode string, errStr string, containerOpts ...func(*container.TestContainerConfig)) {
    48. 

  48. 	d := daemon.New(t, daemon.WithDefaultCgroupNamespaceMode(daemonNsMode))
    49. 

  49. 	client := d.NewClientT(t)
    50. 

  50. 	ctx := context.Background()
    51. 

  51. 

  52. 	d.StartWithBusybox(t)
    53. 

  53. 	defer d.Stop(t)
    54. 

  54. 	container.CreateExpectingErr(t, ctx, client, errStr, containerOpts...)
    55. 

  55. }
    56. 

  56. 

  57. func TestCgroupNamespacesRun(t *testing.T) {
    58. 

  58. 	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
    59. 

  59. 	skip.If(t, testEnv.IsRemoteDaemon())
    60. 

  60. 	skip.If(t, !requirement.CgroupNamespacesEnabled())
    61. 

  61. 

  62. 	// When the daemon defaults to private cgroup namespaces, containers launched
    63. 

  63. 	// should be in their own private cgroup namespace by default
    64. 

  64. 	containerCgroup, daemonCgroup := testRunWithCgroupNs(t, "private")
    65. 

  65. 	assert.Assert(t, daemonCgroup != containerCgroup)
    66. 

  66. }
    67. 

  67. 

  68. func TestCgroupNamespacesRunPrivileged(t *testing.T) {
    69. 

  69. 	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
    70. 

  70. 	skip.If(t, testEnv.IsRemoteDaemon())
    71. 

  71. 	skip.If(t, requirement.CgroupNamespacesEnabled())
    72. 

  72. 

  73. 	// When the daemon defaults to private cgroup namespaces, privileged containers
    74. 

  74. 	// launched should not be inside their own cgroup namespaces
    75. 

  75. 	containerCgroup, daemonCgroup := testRunWithCgroupNs(t, "private", container.WithPrivileged(true))
    76. 

  76. 	assert.Assert(t, daemonCgroup == containerCgroup)
    77. 

  77. }
    78. 

  78. 

  79. func TestCgroupNamespacesRunDaemonHostMode(t *testing.T) {
    80. 

  80. 	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
    81. 

  81. 	skip.If(t, testEnv.IsRemoteDaemon())
    82. 

  82. 	skip.If(t, !requirement.CgroupNamespacesEnabled())
    83. 

  83. 

  84. 	// When the daemon defaults to host cgroup namespaces, containers
    85. 

  85. 	// launched should not be inside their own cgroup namespaces
    86. 

  86. 	containerCgroup, daemonCgroup := testRunWithCgroupNs(t, "host")
    87. 

  87. 	assert.Assert(t, daemonCgroup == containerCgroup)
    88. 

  88. }
    89. 

  89. 

  90. func TestCgroupNamespacesRunHostMode(t *testing.T) {
    91. 

  91. 	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
    92. 

  92. 	skip.If(t, testEnv.IsRemoteDaemon())
    93. 

  93. 	skip.If(t, !requirement.CgroupNamespacesEnabled())
    94. 

  94. 

  95. 	// When the daemon defaults to private cgroup namespaces, containers launched
    96. 

  96. 	// with a cgroup ns mode of "host" should not be inside their own cgroup namespaces
    97. 

  97. 	containerCgroup, daemonCgroup := testRunWithCgroupNs(t, "private", container.WithCgroupnsMode("host"))
    98. 

  98. 	assert.Assert(t, daemonCgroup == containerCgroup)
    99. 

  99. }
    100. 

  100. 

  101. func TestCgroupNamespacesRunPrivateMode(t *testing.T) {
    102. 

  102. 	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
    103. 

  103. 	skip.If(t, testEnv.IsRemoteDaemon())
    104. 

  104. 	skip.If(t, !requirement.CgroupNamespacesEnabled())
    105. 

  105. 

  106. 	// When the daemon defaults to private cgroup namespaces, containers launched
    107. 

  107. 	// with a cgroup ns mode of "private" should be inside their own cgroup namespaces
    108. 

  108. 	containerCgroup, daemonCgroup := testRunWithCgroupNs(t, "private", container.WithCgroupnsMode("private"))
    109. 

  109. 	assert.Assert(t, daemonCgroup != containerCgroup)
    110. 

  110. }
    111. 

  111. 

  112. func TestCgroupNamespacesRunPrivilegedAndPrivate(t *testing.T) {
    113. 

  113. 	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
    114. 

  114. 	skip.If(t, testEnv.IsRemoteDaemon())
    115. 

  115. 	skip.If(t, !requirement.CgroupNamespacesEnabled())
    116. 

  116. 

  117. 	// Running with both privileged and cgroupns=private is not allowed
    118. 

  118. 	errStr := "privileged mode is incompatible with private cgroup namespaces.  You must run the container in the host cgroup namespace when running privileged mode"
    119. 

  119. 	testCreateFailureWithCgroupNs(t, "private", errStr, container.WithPrivileged(true), container.WithCgroupnsMode("private"))
    120. 

  120. }
    121. 

  121. 

  122. func TestCgroupNamespacesRunInvalidMode(t *testing.T) {
    123. 

  123. 	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
    124. 

  124. 	skip.If(t, testEnv.IsRemoteDaemon())
    125. 

  125. 	skip.If(t, !requirement.CgroupNamespacesEnabled())
    126. 

  126. 

  127. 	// An invalid cgroup namespace mode should return an error on container creation
    128. 

  128. 	errStr := "invalid cgroup namespace mode: invalid"
    129. 

  129. 	testCreateFailureWithCgroupNs(t, "private", errStr, container.WithCgroupnsMode("invalid"))
    130. 

  130. }
    131. 

  131. 

  132. // Clients before 1.40 expect containers to be created in the host cgroup namespace,
    133. 

  133. // regardless of the default setting of the daemon
    134. 

  134. func TestCgroupNamespacesRunOlderClient(t *testing.T) {
    135. 

  135. 	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
    136. 

  136. 	skip.If(t, testEnv.IsRemoteDaemon())
    137. 

  137. 	skip.If(t, !requirement.CgroupNamespacesEnabled())
    138. 

  138. 

  139. 	d := daemon.New(t, daemon.WithDefaultCgroupNamespaceMode("private"))
    140. 

  140. 	client := d.NewClientT(t, client.WithVersion("1.39"))
    141. 

  141. 

  142. 	ctx := context.Background()
    143. 

  143. 	d.StartWithBusybox(t)
    144. 

  144. 	defer d.Stop(t)
    145. 

  145. 

  146. 	cID := container.Run(t, ctx, client)
    147. 

  147. 	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
    148. 

  148. 

  149. 	daemonCgroup := d.CgroupNamespace(t)
    150. 

  150. 	containerCgroup := containerCgroupNamespace(ctx, t, client, cID)
    151. 

  151. 	assert.Assert(t, daemonCgroup == containerCgroup)
    152. 

  152. }
    153.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5