beenull/moby
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
moby/daemon/daemon_unix_test.go

360 lines
11 KiB
Go
Raw Permalink Normal View History

Update to Go 1.17.0, and gofmt with Go 1.17 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-23 13:14:53 +00:00
//go:build !windows
Adjust disallowed CpuShares in /containers/create Previous versions of libcontainer allowed CpuShares that were greater than the maximum or less than the minimum supported by the kernel, and relied on the kernel to do the right thing. Newer libcontainer fails after creating the container if the requested CpuShares is different from what was actually created by the kernel, which breaks compatibility with earlier Docker Remote API versions. This change explicitly adjusts the requested CpuShares in API versions < 1.20. Signed-off-by: Samuel Karp <skarp@amazon.com>
2015-06-03 19:01:53 +00:00
Add canonical import comment Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-02-05 21:05:59 +00:00
package daemon // import "github.com/docker/docker/daemon"
Adjust disallowed CpuShares in /containers/create Previous versions of libcontainer allowed CpuShares that were greater than the maximum or less than the minimum supported by the kernel, and relied on the kernel to do the right thing. Newer libcontainer fails after creating the container if the requested CpuShares is different from what was actually created by the kernel, which breaks compatibility with earlier Docker Remote API versions. This change explicitly adjusts the requested CpuShares in API versions < 1.20. Signed-off-by: Samuel Karp <skarp@amazon.com>
2015-06-03 19:01:53 +00:00
import (
Use ID rather than Name to identify a container when sharing namespace Fix: https://github.com/moby/moby/issues/34307 Signed-off-by: Chen Min <chenmin46@huawei.com>
2017-08-01 19:04:37 +00:00
"errors"
Cleanup: Merge adjustCPUShares to adoptContainerSettings Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-08-06 00:15:14 +00:00
"os"
bugfix: fetch the right device number which great than 255 Signed-off-by: frankyang <yyb196@gmail.com>
2019-05-14 07:21:55 +00:00
"path/filepath"
Adjust disallowed CpuShares in /containers/create Previous versions of libcontainer allowed CpuShares that were greater than the maximum or less than the minimum supported by the kernel, and relied on the kernel to do the right thing. Newer libcontainer fails after creating the container if the requested CpuShares is different from what was actually created by the kernel, which breaks compatibility with earlier Docker Remote API versions. This change explicitly adjusts the requested CpuShares in API versions < 1.20. Signed-off-by: Samuel Karp <skarp@amazon.com>
2015-06-03 19:01:53 +00:00
"testing"
bugfix: fetch the right device number which great than 255 Signed-off-by: frankyang <yyb196@gmail.com>
2019-05-14 07:21:55 +00:00
"github.com/docker/docker/api/types/blkiodev"
Add engine-api types to docker This moves the types for the `engine-api` repo to the existing types package. Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-09-06 18:18:12 +00:00
containertypes "github.com/docker/docker/api/types/container"
Windows CI: Fix test-unit for daemon Signed-off-by: John Howard <jhoward@microsoft.com>
2016-02-02 02:26:47 +00:00
"github.com/docker/docker/container"
Extract daemon configuration and discovery to their own package This also moves some cli specific in `cmd/dockerd` as it does not really belong to the `daemon/config` package. Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-01-23 11:23:07 +00:00
"github.com/docker/docker/daemon/config"
Move "OOM Kill disable" warning to the daemon Disabling the oom-killer for a container without setting a memory limit is dangerous, as it can result in the container consuming unlimited memory, without the kernel being able to kill it. A check for this situation is curently done in the CLI, but other consumers of the API won't receive this warning. This patch adds a check for this situation to the daemon, so that all consumers of the API will receive this warning. This patch will have one side-effect; docker cli's that also perform this check client-side will print the warning twice; this can be addressed by disabling the cli-side check for newer API versions, but will generate a bit of extra noise when using an older CLI. With this patch applied (and a cli that does not take the new warning into account); ``` docker create --oom-kill-disable busybox WARNING: OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources. 669933b9b237fa27da699483b5cf15355a9027050825146587a0e5be0d848adf docker run --rm --oom-kill-disable busybox WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous. WARNING: OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources. ``` Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-17 10:23:41 +00:00
"github.com/docker/docker/pkg/sysinfo"
container: split security options to a SecurityOptions struct - Split these options to a separate struct, so that we can handle them in isolation. - Change some tests to use subtests, and improve coverage Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-14 07:27:20 +00:00
"github.com/opencontainers/selinux/go-selinux"
bugfix: fetch the right device number which great than 255 Signed-off-by: frankyang <yyb196@gmail.com>
2019-05-14 07:21:55 +00:00
"golang.org/x/sys/unix"
bump gotest.tools v3.0.1 for compatibility with Go 1.14 full diff: https://github.com/gotestyourself/gotest.tools/compare/v2.3.0...v3.0.1 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-07 13:39:24 +00:00
"gotest.tools/v3/assert"
is "gotest.tools/v3/assert/cmp"
Adjust disallowed CpuShares in /containers/create Previous versions of libcontainer allowed CpuShares that were greater than the maximum or less than the minimum supported by the kernel, and relied on the kernel to do the right thing. Newer libcontainer fails after creating the container if the requested CpuShares is different from what was actually created by the kernel, which breaks compatibility with earlier Docker Remote API versions. This change explicitly adjusts the requested CpuShares in API versions < 1.20. Signed-off-by: Samuel Karp <skarp@amazon.com>
2015-06-03 19:01:53 +00:00
)
Use ID rather than Name to identify a container when sharing namespace Fix: https://github.com/moby/moby/issues/34307 Signed-off-by: Chen Min <chenmin46@huawei.com>
2017-08-01 19:04:37 +00:00
type fakeContainerGetter struct {
containers map[string]*container.Container
}
func (f *fakeContainerGetter) GetContainer(cid string) (*container.Container, error) {
daemon: rename variables that collide with imported package names Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-08-09 12:10:07 +00:00
ctr, ok := f.containers[cid]
Use ID rather than Name to identify a container when sharing namespace Fix: https://github.com/moby/moby/issues/34307 Signed-off-by: Chen Min <chenmin46@huawei.com>
2017-08-01 19:04:37 +00:00
if !ok {
return nil, errors.New("container not found")
}
daemon: rename variables that collide with imported package names Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-08-09 12:10:07 +00:00
return ctr, nil
Use ID rather than Name to identify a container when sharing namespace Fix: https://github.com/moby/moby/issues/34307 Signed-off-by: Chen Min <chenmin46@huawei.com>
2017-08-01 19:04:37 +00:00
}
// Unix test as uses settings which are not available on Windows
func TestAdjustSharedNamespaceContainerName(t *testing.T) {
fakeID := "abcdef1234567890"
hostConfig := &containertypes.HostConfig{
IpcMode: containertypes.IpcMode("container:base"),
PidMode: containertypes.PidMode("container:base"),
NetworkMode: containertypes.NetworkMode("container:base"),
}
containerStore := &fakeContainerGetter{}
containerStore.containers = make(map[string]*container.Container)
containerStore.containers["base"] = &container.Container{
ID: fakeID,
}
adaptSharedNamespaceContainer(containerStore, hostConfig)
if hostConfig.IpcMode != containertypes.IpcMode("container:"+fakeID) {
t.Errorf("Expected IpcMode to be container:%s", fakeID)
}
if hostConfig.PidMode != containertypes.PidMode("container:"+fakeID) {
t.Errorf("Expected PidMode to be container:%s", fakeID)
}
if hostConfig.NetworkMode != containertypes.NetworkMode("container:"+fakeID) {
t.Errorf("Expected NetworkMode to be container:%s", fakeID)
}
}
Windows CI: Fix test-unit for daemon Signed-off-by: John Howard <jhoward@microsoft.com>
2016-02-02 02:26:47 +00:00
// Unix test as uses settings which are not available on Windows
Consolidate security options to use `=` as separator. All other options we have use `=` as separator, labels, log configurations, graph configurations and so on. We should be consistent and use `=` for the security options too. Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-03-15 22:34:29 +00:00
func TestParseSecurityOptWithDeprecatedColon(t *testing.T) {
container: split security options to a SecurityOptions struct - Split these options to a separate struct, so that we can handle them in isolation. - Change some tests to use subtests, and improve coverage Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-14 07:27:20 +00:00
opts := &container.SecurityOptions{}
daemon: rename variables that collide with imported package names Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-08-09 12:10:07 +00:00
cfg := &containertypes.HostConfig{}
Windows CI: Fix test-unit for daemon Signed-off-by: John Howard <jhoward@microsoft.com>
2016-02-02 02:26:47 +00:00
// test apparmor
daemon: rename variables that collide with imported package names Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-08-09 12:10:07 +00:00
cfg.SecurityOpt = []string{"apparmor=test_profile"}
container: split security options to a SecurityOptions struct - Split these options to a separate struct, so that we can handle them in isolation. - Change some tests to use subtests, and improve coverage Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-14 07:27:20 +00:00
if err := parseSecurityOpt(opts, cfg); err != nil {
Windows CI: Fix test-unit for daemon Signed-off-by: John Howard <jhoward@microsoft.com>
2016-02-02 02:26:47 +00:00
t.Fatalf("Unexpected parseSecurityOpt error: %v", err)
}
container: split security options to a SecurityOptions struct - Split these options to a separate struct, so that we can handle them in isolation. - Change some tests to use subtests, and improve coverage Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-14 07:27:20 +00:00
if opts.AppArmorProfile != "test_profile" {
daemon: use string-literals for easier grep'ing Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-05 10:13:09 +00:00
t.Fatalf(`Unexpected AppArmorProfile, expected: "test_profile", got %q`, opts.AppArmorProfile)
Windows CI: Fix test-unit for daemon Signed-off-by: John Howard <jhoward@microsoft.com>
2016-02-02 02:26:47 +00:00
}
// test seccomp
sp := "/path/to/seccomp_test.json"
daemon: rename variables that collide with imported package names Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-08-09 12:10:07 +00:00
cfg.SecurityOpt = []string{"seccomp=" + sp}
container: split security options to a SecurityOptions struct - Split these options to a separate struct, so that we can handle them in isolation. - Change some tests to use subtests, and improve coverage Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-14 07:27:20 +00:00
if err := parseSecurityOpt(opts, cfg); err != nil {
Windows CI: Fix test-unit for daemon Signed-off-by: John Howard <jhoward@microsoft.com>
2016-02-02 02:26:47 +00:00
t.Fatalf("Unexpected parseSecurityOpt error: %v", err)
}
container: split security options to a SecurityOptions struct - Split these options to a separate struct, so that we can handle them in isolation. - Change some tests to use subtests, and improve coverage Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-14 07:27:20 +00:00
if opts.SeccompProfile != sp {
t.Fatalf("Unexpected AppArmorProfile, expected: %q, got %q", sp, opts.SeccompProfile)
Windows CI: Fix test-unit for daemon Signed-off-by: John Howard <jhoward@microsoft.com>
2016-02-02 02:26:47 +00:00
}
// test valid label
daemon: rename variables that collide with imported package names Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-08-09 12:10:07 +00:00
cfg.SecurityOpt = []string{"label=user:USER"}
container: split security options to a SecurityOptions struct - Split these options to a separate struct, so that we can handle them in isolation. - Change some tests to use subtests, and improve coverage Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-14 07:27:20 +00:00
if err := parseSecurityOpt(opts, cfg); err != nil {
Consolidate security options to use `=` as separator. All other options we have use `=` as separator, labels, log configurations, graph configurations and so on. We should be consistent and use `=` for the security options too. Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-03-15 22:34:29 +00:00
t.Fatalf("Unexpected parseSecurityOpt error: %v", err)
}
// test invalid label
daemon: rename variables that collide with imported package names Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-08-09 12:10:07 +00:00
cfg.SecurityOpt = []string{"label"}
container: split security options to a SecurityOptions struct - Split these options to a separate struct, so that we can handle them in isolation. - Change some tests to use subtests, and improve coverage Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-14 07:27:20 +00:00
if err := parseSecurityOpt(opts, cfg); err == nil {
Consolidate security options to use `=` as separator. All other options we have use `=` as separator, labels, log configurations, graph configurations and so on. We should be consistent and use `=` for the security options too. Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-03-15 22:34:29 +00:00
t.Fatal("Expected parseSecurityOpt error, got nil")
}
// test invalid opt
daemon: rename variables that collide with imported package names Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-08-09 12:10:07 +00:00
cfg.SecurityOpt = []string{"test"}
container: split security options to a SecurityOptions struct - Split these options to a separate struct, so that we can handle them in isolation. - Change some tests to use subtests, and improve coverage Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-14 07:27:20 +00:00
if err := parseSecurityOpt(opts, cfg); err == nil {
Consolidate security options to use `=` as separator. All other options we have use `=` as separator, labels, log configurations, graph configurations and so on. We should be consistent and use `=` for the security options too. Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-03-15 22:34:29 +00:00
t.Fatal("Expected parseSecurityOpt error, got nil")
}
}
func TestParseSecurityOpt(t *testing.T) {
container: split security options to a SecurityOptions struct - Split these options to a separate struct, so that we can handle them in isolation. - Change some tests to use subtests, and improve coverage Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-14 07:27:20 +00:00
t.Run("apparmor", func(t *testing.T) {
secOpts := &container.SecurityOptions{}
err := parseSecurityOpt(secOpts, &containertypes.HostConfig{
SecurityOpt: []string{"apparmor=test_profile"},
})
assert.Check(t, err)
assert.Equal(t, secOpts.AppArmorProfile, "test_profile")
})
t.Run("apparmor using legacy separator", func(t *testing.T) {
secOpts := &container.SecurityOptions{}
err := parseSecurityOpt(secOpts, &containertypes.HostConfig{
SecurityOpt: []string{"apparmor:test_profile"},
})
assert.Check(t, err)
assert.Equal(t, secOpts.AppArmorProfile, "test_profile")
})
t.Run("seccomp", func(t *testing.T) {
secOpts := &container.SecurityOptions{}
err := parseSecurityOpt(secOpts, &containertypes.HostConfig{
SecurityOpt: []string{"seccomp=/path/to/seccomp_test.json"},
})
assert.Check(t, err)
assert.Equal(t, secOpts.SeccompProfile, "/path/to/seccomp_test.json")
})
t.Run("valid label", func(t *testing.T) {
secOpts := &container.SecurityOptions{}
err := parseSecurityOpt(secOpts, &containertypes.HostConfig{
SecurityOpt: []string{"label=user:USER"},
})
assert.Check(t, err)
if selinux.GetEnabled() {
// TODO(thaJeztah): set expected labels here (or "partial" if depends on host)
// assert.Check(t, is.Equal(secOpts.MountLabel, ""))
// assert.Check(t, is.Equal(secOpts.ProcessLabel, ""))
} else {
assert.Check(t, is.Equal(secOpts.MountLabel, ""))
assert.Check(t, is.Equal(secOpts.ProcessLabel, ""))
}
})
t.Run("invalid label", func(t *testing.T) {
secOpts := &container.SecurityOptions{}
err := parseSecurityOpt(secOpts, &containertypes.HostConfig{
SecurityOpt: []string{"label"},
})
assert.Error(t, err, `invalid --security-opt 1: "label"`)
})
t.Run("invalid option (no value)", func(t *testing.T) {
secOpts := &container.SecurityOptions{}
err := parseSecurityOpt(secOpts, &containertypes.HostConfig{
SecurityOpt: []string{"unknown"},
})
assert.Error(t, err, `invalid --security-opt 1: "unknown"`)
})
t.Run("unknown option", func(t *testing.T) {
secOpts := &container.SecurityOptions{}
err := parseSecurityOpt(secOpts, &containertypes.HostConfig{
SecurityOpt: []string{"unknown=something"},
})
assert.Error(t, err, `invalid --security-opt 2: "unknown=something"`)
})
Windows CI: Fix test-unit for daemon Signed-off-by: John Howard <jhoward@microsoft.com>
2016-02-02 02:26:47 +00:00
}
Add daemon flag to set no_new_priv as default for unprivileged containers. Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
2017-01-09 01:22:05 +00:00
func TestParseNNPSecurityOptions(t *testing.T) {
daemon: reload runtimes w/o breaking containers The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-31 20:12:30 +00:00
daemonCfg := &configStore{Config: config.Config{NoNewPrivileges: true}}
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
daemon := &Daemon{}
daemon.configStore.Store(daemonCfg)
container: split security options to a SecurityOptions struct - Split these options to a separate struct, so that we can handle them in isolation. - Change some tests to use subtests, and improve coverage Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-14 07:27:20 +00:00
opts := &container.SecurityOptions{}
daemon: rename variables that collide with imported package names Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-08-09 12:10:07 +00:00
cfg := &containertypes.HostConfig{}
Add daemon flag to set no_new_priv as default for unprivileged containers. Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
2017-01-09 01:22:05 +00:00
// test NNP when "daemon:true" and "no-new-privileges=false""
daemon: rename variables that collide with imported package names Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-08-09 12:10:07 +00:00
cfg.SecurityOpt = []string{"no-new-privileges=false"}
Add daemon flag to set no_new_priv as default for unprivileged containers. Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
2017-01-09 01:22:05 +00:00
daemon: reload runtimes w/o breaking containers The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-31 20:12:30 +00:00
if err := daemon.parseSecurityOpt(&daemonCfg.Config, opts, cfg); err != nil {
Add daemon flag to set no_new_priv as default for unprivileged containers. Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
2017-01-09 01:22:05 +00:00
t.Fatalf("Unexpected daemon.parseSecurityOpt error: %v", err)
}
container: split security options to a SecurityOptions struct - Split these options to a separate struct, so that we can handle them in isolation. - Change some tests to use subtests, and improve coverage Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-14 07:27:20 +00:00
if opts.NoNewPrivileges {
t.Fatalf("container.NoNewPrivileges should be FALSE: %v", opts.NoNewPrivileges)
Add daemon flag to set no_new_priv as default for unprivileged containers. Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
2017-01-09 01:22:05 +00:00
}
// test NNP when "daemon:false" and "no-new-privileges=true""
daemon: read-copy-update the daemon config Ensure data-race-free access to the daemon configuration without locking by mutating a deep copy of the config and atomically storing a pointer to the copy into the daemon-wide configStore value. Any operations which need to read from the daemon config must capture the configStore value only once and pass it around to guarantee a consistent view of the config. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-17 21:13:49 +00:00
daemonCfg.NoNewPrivileges = false
daemon: rename variables that collide with imported package names Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-08-09 12:10:07 +00:00
cfg.SecurityOpt = []string{"no-new-privileges=true"}
Add daemon flag to set no_new_priv as default for unprivileged containers. Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
2017-01-09 01:22:05 +00:00
daemon: reload runtimes w/o breaking containers The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-31 20:12:30 +00:00
if err := daemon.parseSecurityOpt(&daemonCfg.Config, opts, cfg); err != nil {
Add daemon flag to set no_new_priv as default for unprivileged containers. Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
2017-01-09 01:22:05 +00:00
t.Fatalf("Unexpected daemon.parseSecurityOpt error: %v", err)
}
container: split security options to a SecurityOptions struct - Split these options to a separate struct, so that we can handle them in isolation. - Change some tests to use subtests, and improve coverage Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-14 07:27:20 +00:00
if !opts.NoNewPrivileges {
t.Fatalf("container.NoNewPrivileges should be TRUE: %v", opts.NoNewPrivileges)
Add daemon flag to set no_new_priv as default for unprivileged containers. Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
2017-01-09 01:22:05 +00:00
}
}
Rename verifyContainerResources to verifyPlatformContainerResources This validation function is platform-specific; rename it to be more explicit. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-18 22:41:52 +00:00
func TestVerifyPlatformContainerResources(t *testing.T) {
Move "OOM Kill disable" warning to the daemon Disabling the oom-killer for a container without setting a memory limit is dangerous, as it can result in the container consuming unlimited memory, without the kernel being able to kill it. A check for this situation is curently done in the CLI, but other consumers of the API won't receive this warning. This patch adds a check for this situation to the daemon, so that all consumers of the API will receive this warning. This patch will have one side-effect; docker cli's that also perform this check client-side will print the warning twice; this can be addressed by disabling the cli-side check for newer API versions, but will generate a bit of extra noise when using an older CLI. With this patch applied (and a cli that does not take the new warning into account); ``` docker create --oom-kill-disable busybox WARNING: OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources. 669933b9b237fa27da699483b5cf15355a9027050825146587a0e5be0d848adf docker run --rm --oom-kill-disable busybox WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous. WARNING: OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources. ``` Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-17 10:23:41 +00:00
t.Parallel()
var (
no = false
yes = true
)
withMemoryLimit := func(si *sysinfo.SysInfo) {
si.MemoryLimit = true
}
withSwapLimit := func(si *sysinfo.SysInfo) {
si.SwapLimit = true
}
withOomKillDisable := func(si *sysinfo.SysInfo) {
si.OomKillDisable = true
}
tests := []struct {
name string
resources containertypes.Resources
sysInfo sysinfo.SysInfo
update bool
expectedWarnings []string
}{
{
name: "no-oom-kill-disable",
resources: containertypes.Resources{},
sysInfo: sysInfo(t, withMemoryLimit),
expectedWarnings: []string{},
},
{
name: "oom-kill-disable-disabled",
resources: containertypes.Resources{
OomKillDisable: &no,
},
sysInfo: sysInfo(t, withMemoryLimit),
expectedWarnings: []string{},
},
{
name: "oom-kill-disable-not-supported",
resources: containertypes.Resources{
OomKillDisable: &yes,
},
sysInfo: sysInfo(t, withMemoryLimit),
expectedWarnings: []string{
"Your kernel does not support OomKillDisable. OomKillDisable discarded.",
},
},
{
name: "oom-kill-disable-without-memory-constraints",
resources: containertypes.Resources{
OomKillDisable: &yes,
Memory: 0,
},
sysInfo: sysInfo(t, withMemoryLimit, withOomKillDisable, withSwapLimit),
expectedWarnings: []string{
"OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources.",
},
},
{
name: "oom-kill-disable-with-memory-constraints-but-no-memory-limit-support",
resources: containertypes.Resources{
OomKillDisable: &yes,
Memory: linuxMinMemory,
},
sysInfo: sysInfo(t, withOomKillDisable),
expectedWarnings: []string{
"Your kernel does not support memory limit capabilities or the cgroup is not mounted. Limitation discarded.",
"OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources.",
},
},
{
name: "oom-kill-disable-with-memory-constraints",
resources: containertypes.Resources{
OomKillDisable: &yes,
Memory: linuxMinMemory,
},
sysInfo: sysInfo(t, withMemoryLimit, withOomKillDisable, withSwapLimit),
expectedWarnings: []string{},
},
}
for _, tc := range tests {
daemon: fix TestVerifyPlatformContainerResources not capturing variable This test runs with t.Parallel() _and_ uses subtests, but didn't capture the `tc` variable, which potentialy (likely) makes it test the same testcase multiple times. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-09-22 15:12:45 +00:00
tc := tc
Move "OOM Kill disable" warning to the daemon Disabling the oom-killer for a container without setting a memory limit is dangerous, as it can result in the container consuming unlimited memory, without the kernel being able to kill it. A check for this situation is curently done in the CLI, but other consumers of the API won't receive this warning. This patch adds a check for this situation to the daemon, so that all consumers of the API will receive this warning. This patch will have one side-effect; docker cli's that also perform this check client-side will print the warning twice; this can be addressed by disabling the cli-side check for newer API versions, but will generate a bit of extra noise when using an older CLI. With this patch applied (and a cli that does not take the new warning into account); ``` docker create --oom-kill-disable busybox WARNING: OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources. 669933b9b237fa27da699483b5cf15355a9027050825146587a0e5be0d848adf docker run --rm --oom-kill-disable busybox WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous. WARNING: OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources. ``` Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-17 10:23:41 +00:00
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
Rename verifyContainerResources to verifyPlatformContainerResources This validation function is platform-specific; rename it to be more explicit. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-18 22:41:52 +00:00
warnings, err := verifyPlatformContainerResources(&tc.resources, &tc.sysInfo, tc.update)
Move "OOM Kill disable" warning to the daemon Disabling the oom-killer for a container without setting a memory limit is dangerous, as it can result in the container consuming unlimited memory, without the kernel being able to kill it. A check for this situation is curently done in the CLI, but other consumers of the API won't receive this warning. This patch adds a check for this situation to the daemon, so that all consumers of the API will receive this warning. This patch will have one side-effect; docker cli's that also perform this check client-side will print the warning twice; this can be addressed by disabling the cli-side check for newer API versions, but will generate a bit of extra noise when using an older CLI. With this patch applied (and a cli that does not take the new warning into account); ``` docker create --oom-kill-disable busybox WARNING: OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources. 669933b9b237fa27da699483b5cf15355a9027050825146587a0e5be0d848adf docker run --rm --oom-kill-disable busybox WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous. WARNING: OOM killer is disabled for the container, but no memory limit is set, this can result in the system running out of resources. ``` Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-17 10:23:41 +00:00
assert.NilError(t, err)
for _, w := range tc.expectedWarnings {
assert.Assert(t, is.Contains(warnings, w))
}
})
}
}
func sysInfo(t *testing.T, opts ...func(*sysinfo.SysInfo)) sysinfo.SysInfo {
t.Helper()
si := sysinfo.SysInfo{}
for _, opt := range opts {
opt(&si)
}
if si.OomKillDisable {
t.Log(t.Name(), "OOM disable supported")
}
return si
}
bugfix: fetch the right device number which great than 255 Signed-off-by: frankyang <yyb196@gmail.com>
2019-05-14 07:21:55 +00:00
const (
// prepare major 0x1FD(509 in decimal) and minor 0x130(304)
DEVNO = 0x11FD30
MAJOR = 509
MINOR = 304
WEIGHT = 1024
)
func deviceTypeMock(t *testing.T, testAndCheck func(string)) {
if os.Getuid() != 0 {
t.Skip("root required") // for mknod
}
t.Parallel()
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated in Go 1.16. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-08-24 10:10:50 +00:00
tempDir, err := os.MkdirTemp("", "tempDevDir"+t.Name())
bugfix: fetch the right device number which great than 255 Signed-off-by: frankyang <yyb196@gmail.com>
2019-05-14 07:21:55 +00:00
assert.NilError(t, err, "create temp file")
tempFile := filepath.Join(tempDir, "dev")
defer os.RemoveAll(tempDir)
if err = unix.Mknod(tempFile, unix.S_IFCHR, DEVNO); err != nil {
t.Fatalf("mknod error %s(%x): %v", tempFile, DEVNO, err)
}
testAndCheck(tempFile)
}
func TestGetBlkioWeightDevices(t *testing.T) {
deviceTypeMock(t, func(tempFile string) {
mockResource := containertypes.Resources{
BlkioWeightDevice: []*blkiodev.WeightDevice{{Path: tempFile, Weight: WEIGHT}},
}
weightDevs, err := getBlkioWeightDevices(mockResource)
assert.NilError(t, err, "getBlkioWeightDevices")
assert.Check(t, is.Len(weightDevs, 1), "getBlkioWeightDevices")
assert.Check(t, weightDevs[0].Major == MAJOR, "get major device type")
assert.Check(t, weightDevs[0].Minor == MINOR, "get minor device type")
assert.Check(t, *weightDevs[0].Weight == WEIGHT, "get device weight")
})
}
func TestGetBlkioThrottleDevices(t *testing.T) {
deviceTypeMock(t, func(tempFile string) {
mockDevs := []*blkiodev.ThrottleDevice{{Path: tempFile, Rate: WEIGHT}}
retDevs, err := getBlkioThrottleDevices(mockDevs)
assert.NilError(t, err, "getBlkioThrottleDevices")
assert.Check(t, is.Len(retDevs, 1), "getBlkioThrottleDevices")
assert.Check(t, retDevs[0].Major == MAJOR, "get major device type")
assert.Check(t, retDevs[0].Minor == MINOR, "get minor device type")
assert.Check(t, retDevs[0].Rate == WEIGHT, "get device rate")
})
}
Reference in a new issue Copy permalink