moby/integration/container/mounts_linux_test.go

package container

import (
	"bytes"
	"context"
	"fmt"
	"testing"

	"github.com/docker/docker/api/types"
	"github.com/docker/docker/api/types/container"
	"github.com/docker/docker/api/types/mount"
	"github.com/docker/docker/integration-cli/daemon"
	"github.com/docker/docker/pkg/stdcopy"
)

func TestContainerShmNoLeak(t *testing.T) {
	t.Parallel()
	d := daemon.New(t, "docker", "dockerd", daemon.Config{})
	client, err := d.NewClient()
	if err != nil {
		t.Fatal(err)
	}
	d.StartWithBusybox(t)
	defer d.Stop(t)

	ctx := context.Background()
	cfg := container.Config{
		Image: "busybox",
		Cmd:   []string{"top"},
	}

	ctr, err := client.ContainerCreate(ctx, &cfg, nil, nil, "")
	if err != nil {
		t.Fatal(err)
	}
	defer client.ContainerRemove(ctx, ctr.ID, types.ContainerRemoveOptions{Force: true})

	if err := client.ContainerStart(ctx, ctr.ID, types.ContainerStartOptions{}); err != nil {
		t.Fatal(err)
	}

	// this should recursively bind mount everything in the test daemons root
	// except of course we are hoping that the previous containers /dev/shm mount did not leak into this new container
	hc := container.HostConfig{
		Mounts: []mount.Mount{
			{
				Type:        mount.TypeBind,
				Source:      d.Root,
				Target:      "/testdaemonroot",
				BindOptions: &mount.BindOptions{Propagation: mount.PropagationRPrivate}},
		},
	}
	cfg.Cmd = []string{"/bin/sh", "-c", fmt.Sprintf("mount | grep testdaemonroot | grep containers | grep %s", ctr.ID)}
	cfg.AttachStdout = true
	cfg.AttachStderr = true
	ctrLeak, err := client.ContainerCreate(ctx, &cfg, &hc, nil, "")
	if err != nil {
		t.Fatal(err)
	}

	attach, err := client.ContainerAttach(ctx, ctrLeak.ID, types.ContainerAttachOptions{
		Stream: true,
		Stdout: true,
		Stderr: true,
	})
	if err != nil {
		t.Fatal(err)
	}

	if err := client.ContainerStart(ctx, ctrLeak.ID, types.ContainerStartOptions{}); err != nil {
		t.Fatal(err)
	}

	buf := bytes.NewBuffer(nil)

	if _, err := stdcopy.StdCopy(buf, buf, attach.Reader); err != nil {
		t.Fatal(err)
	}

	out := bytes.TrimSpace(buf.Bytes())
	if !bytes.Equal(out, []byte{}) {
		t.Fatalf("mount leaked: %s", string(out))
	}
}
Make container resource mounts unbindable It's a common scenario for admins and/or monitoring applications to mount in the daemon root dir into a container. When doing so all mounts get coppied into the container, often with private references. This can prevent removal of a container due to the various mounts that must be configured before a container is started (for example, for shared /dev/shm, or secrets) being leaked into another namespace, usually with private references. This is particularly problematic on older kernels (e.g. RHEL < 7.4) where a mount may be active in another namespace and attempting to remove a mountpoint which is active in another namespace fails. This change moves all container resource mounts into a common directory so that the directory can be made unbindable. What this does is prevents sub-mounts of this new directory from leaking into other namespaces when mounted with `rbind`... which is how all binds are handled for containers. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2017-12-18 21:02:23 +00:00			`package container`

			`import (`
			`"bytes"`
			`"context"`
			`"fmt"`
			`"testing"`

			`"github.com/docker/docker/api/types"`
			`"github.com/docker/docker/api/types/container"`
			`"github.com/docker/docker/api/types/mount"`
			`"github.com/docker/docker/integration-cli/daemon"`
			`"github.com/docker/docker/pkg/stdcopy"`
			`)`

			`func TestContainerShmNoLeak(t *testing.T) {`
			`t.Parallel()`
			`d := daemon.New(t, "docker", "dockerd", daemon.Config{})`
			`client, err := d.NewClient()`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`d.StartWithBusybox(t)`
			`defer d.Stop(t)`

			`ctx := context.Background()`
			`cfg := container.Config{`
			`Image: "busybox",`
			`Cmd: []string{"top"},`
			`}`

			`ctr, err := client.ContainerCreate(ctx, &cfg, nil, nil, "")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`defer client.ContainerRemove(ctx, ctr.ID, types.ContainerRemoveOptions{Force: true})`

			`if err := client.ContainerStart(ctx, ctr.ID, types.ContainerStartOptions{}); err != nil {`
			`t.Fatal(err)`
			`}`

			`// this should recursively bind mount everything in the test daemons root`
			`// except of course we are hoping that the previous containers /dev/shm mount did not leak into this new container`
			`hc := container.HostConfig{`
			`Mounts: []mount.Mount{`
			`{`
			`Type: mount.TypeBind,`
			`Source: d.Root,`
			`Target: "/testdaemonroot",`
			`BindOptions: &mount.BindOptions{Propagation: mount.PropagationRPrivate}},`
			`},`
			`}`
			`cfg.Cmd = []string{"/bin/sh", "-c", fmt.Sprintf("mount \| grep testdaemonroot \| grep containers \| grep %s", ctr.ID)}`
			`cfg.AttachStdout = true`
			`cfg.AttachStderr = true`
			`ctrLeak, err := client.ContainerCreate(ctx, &cfg, &hc, nil, "")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`attach, err := client.ContainerAttach(ctx, ctrLeak.ID, types.ContainerAttachOptions{`
			`Stream: true,`
			`Stdout: true,`
			`Stderr: true,`
			`})`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`if err := client.ContainerStart(ctx, ctrLeak.ID, types.ContainerStartOptions{}); err != nil {`
			`t.Fatal(err)`
			`}`

			`buf := bytes.NewBuffer(nil)`

			`if _, err := stdcopy.StdCopy(buf, buf, attach.Reader); err != nil {`
			`t.Fatal(err)`
			`}`

			`out := bytes.TrimSpace(buf.Bytes())`
			`if !bytes.Equal(out, []byte{}) {`
			`t.Fatalf("mount leaked: %s", string(out))`
			`}`
			`}`