2014-11-20 05:19:16 +00:00
// +build !windows
package main
import (
2015-04-11 03:16:42 +00:00
"bufio"
2014-11-20 05:19:16 +00:00
"fmt"
"io/ioutil"
"os"
"os/exec"
"path/filepath"
2015-11-26 12:14:09 +00:00
"regexp"
2015-09-08 18:40:55 +00:00
"strconv"
2014-11-20 05:19:16 +00:00
"strings"
2016-01-26 16:05:44 +00:00
"sync"
2016-03-24 19:01:12 +00:00
"syscall"
2014-11-20 05:19:16 +00:00
"time"
2016-01-03 22:03:39 +00:00
"github.com/docker/docker/pkg/homedir"
2015-09-24 00:41:35 +00:00
"github.com/docker/docker/pkg/integration/checker"
2014-11-20 05:19:16 +00:00
"github.com/docker/docker/pkg/mount"
2015-09-08 18:40:55 +00:00
"github.com/docker/docker/pkg/parsers"
"github.com/docker/docker/pkg/sysinfo"
2015-04-18 16:46:47 +00:00
"github.com/go-check/check"
2014-11-20 05:19:16 +00:00
"github.com/kr/pty"
)
// #6509
2015-04-18 16:46:47 +00:00
func ( s * DockerSuite ) TestRunRedirectStdout ( c * check . C ) {
2014-11-20 05:19:16 +00:00
checkRedirect := func ( command string ) {
_ , tty , err := pty . Open ( )
2015-11-06 21:49:16 +00:00
c . Assert ( err , checker . IsNil , check . Commentf ( "Could not open pty" ) )
2014-11-20 05:19:16 +00:00
cmd := exec . Command ( "sh" , "-c" , command )
cmd . Stdin = tty
cmd . Stdout = tty
cmd . Stderr = tty
2015-11-06 21:49:16 +00:00
c . Assert ( cmd . Start ( ) , checker . IsNil )
2015-04-27 17:29:48 +00:00
ch := make ( chan error )
2014-11-20 05:19:16 +00:00
go func ( ) {
2015-04-27 17:29:48 +00:00
ch <- cmd . Wait ( )
2014-11-20 05:19:16 +00:00
close ( ch )
} ( )
select {
case <- time . After ( 10 * time . Second ) :
2015-04-18 16:46:47 +00:00
c . Fatal ( "command timeout" )
2015-04-27 17:29:48 +00:00
case err := <- ch :
2015-11-06 21:49:16 +00:00
c . Assert ( err , checker . IsNil , check . Commentf ( "wait err" ) )
2014-11-20 05:19:16 +00:00
}
}
checkRedirect ( dockerBinary + " run -i busybox cat /etc/passwd | grep -q root" )
checkRedirect ( dockerBinary + " run busybox cat /etc/passwd | grep -q root" )
}
// Test recursive bind mount works by default
2015-04-18 16:46:47 +00:00
func ( s * DockerSuite ) TestRunWithVolumesIsRecursive ( c * check . C ) {
2015-09-18 17:41:12 +00:00
// /tmp gets permission denied
2016-02-11 03:27:02 +00:00
testRequires ( c , NotUserNamespace , SameHostDaemon )
2014-11-20 05:19:16 +00:00
tmpDir , err := ioutil . TempDir ( "" , "docker_recursive_mount_test" )
2015-11-06 21:49:16 +00:00
c . Assert ( err , checker . IsNil )
2014-11-20 05:19:16 +00:00
defer os . RemoveAll ( tmpDir )
// Create a temporary tmpfs mount.
tmpfsDir := filepath . Join ( tmpDir , "tmpfs" )
2015-11-06 21:49:16 +00:00
c . Assert ( os . MkdirAll ( tmpfsDir , 0777 ) , checker . IsNil , check . Commentf ( "failed to mkdir at %s" , tmpfsDir ) )
c . Assert ( mount . Mount ( "tmpfs" , tmpfsDir , "tmpfs" , "" ) , checker . IsNil , check . Commentf ( "failed to create a tmpfs mount at %s" , tmpfsDir ) )
2014-11-20 05:19:16 +00:00
f , err := ioutil . TempFile ( tmpfsDir , "touch-me" )
2015-11-06 21:49:16 +00:00
c . Assert ( err , checker . IsNil )
2014-11-20 05:19:16 +00:00
defer f . Close ( )
runCmd := exec . Command ( dockerBinary , "run" , "--name" , "test-data" , "--volume" , fmt . Sprintf ( "%s:/tmp:ro" , tmpDir ) , "busybox:latest" , "ls" , "/tmp/tmpfs" )
2015-11-06 21:49:16 +00:00
out , _ , _ , err := runCommandWithStdoutStderr ( runCmd )
c . Assert ( err , checker . IsNil )
c . Assert ( out , checker . Contains , filepath . Base ( f . Name ( ) ) , check . Commentf ( "Recursive bind mount test failed. Expected file not found" ) )
2014-11-20 05:19:16 +00:00
}
2015-02-11 19:21:38 +00:00
2015-04-18 16:46:47 +00:00
func ( s * DockerSuite ) TestRunDeviceDirectory ( c * check . C ) {
2015-11-25 23:38:33 +00:00
testRequires ( c , DaemonIsLinux , NotUserNamespace , NotArm )
2015-09-16 18:43:30 +00:00
if _ , err := os . Stat ( "/dev/snd" ) ; err != nil {
c . Skip ( "Host does not have /dev/snd" )
}
2015-02-12 18:51:51 +00:00
2015-07-14 20:15:00 +00:00
out , _ := dockerCmd ( c , "run" , "--device" , "/dev/snd:/dev/snd" , "busybox" , "sh" , "-c" , "ls /dev/snd/" )
2015-11-06 21:49:16 +00:00
c . Assert ( strings . Trim ( out , "\r\n" ) , checker . Contains , "timer" , check . Commentf ( "expected output /dev/snd/timer" ) )
2015-02-12 18:51:51 +00:00
2015-07-14 20:15:00 +00:00
out , _ = dockerCmd ( c , "run" , "--device" , "/dev/snd:/dev/othersnd" , "busybox" , "sh" , "-c" , "ls /dev/othersnd/" )
2015-11-06 21:49:16 +00:00
c . Assert ( strings . Trim ( out , "\r\n" ) , checker . Contains , "seq" , check . Commentf ( "expected output /dev/othersnd/seq" ) )
2015-02-12 18:51:51 +00:00
}
2015-04-11 03:16:42 +00:00
2016-01-03 22:03:39 +00:00
// TestRunDetach checks attaching and detaching with the default escape sequence.
2015-04-18 16:46:47 +00:00
func ( s * DockerSuite ) TestRunAttachDetach ( c * check . C ) {
2015-04-11 03:16:42 +00:00
name := "attach-detach"
2016-01-03 22:03:39 +00:00
dockerCmd ( c , "run" , "--name" , name , "-itd" , "busybox" , "cat" )
cmd := exec . Command ( dockerBinary , "attach" , name )
2015-04-11 03:16:42 +00:00
stdout , err := cmd . StdoutPipe ( )
2015-11-06 21:49:16 +00:00
c . Assert ( err , checker . IsNil )
2015-04-11 03:16:42 +00:00
cpty , tty , err := pty . Open ( )
2015-11-06 21:49:16 +00:00
c . Assert ( err , checker . IsNil )
2015-04-11 03:16:42 +00:00
defer cpty . Close ( )
cmd . Stdin = tty
2015-11-06 21:49:16 +00:00
c . Assert ( cmd . Start ( ) , checker . IsNil )
2015-08-11 07:41:11 +00:00
c . Assert ( waitRun ( name ) , check . IsNil )
2015-04-11 03:16:42 +00:00
2015-11-06 21:49:16 +00:00
_ , err = cpty . Write ( [ ] byte ( "hello\n" ) )
c . Assert ( err , checker . IsNil )
2015-04-11 03:16:42 +00:00
out , err := bufio . NewReader ( stdout ) . ReadString ( '\n' )
2015-11-06 21:49:16 +00:00
c . Assert ( err , checker . IsNil )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "hello" )
2015-04-11 03:16:42 +00:00
// escape sequence
2015-11-06 21:49:16 +00:00
_ , err = cpty . Write ( [ ] byte { 16 } )
c . Assert ( err , checker . IsNil )
2015-04-11 03:16:42 +00:00
time . Sleep ( 100 * time . Millisecond )
2015-11-06 21:49:16 +00:00
_ , err = cpty . Write ( [ ] byte { 17 } )
c . Assert ( err , checker . IsNil )
2015-04-11 03:16:42 +00:00
ch := make ( chan struct { } )
go func ( ) {
cmd . Wait ( )
ch <- struct { } { }
} ( )
2016-01-03 22:03:39 +00:00
select {
case <- ch :
case <- time . After ( 10 * time . Second ) :
c . Fatal ( "timed out waiting for container to exit" )
}
2016-01-28 14:19:25 +00:00
running := inspectField ( c , name , "State.Running" )
2016-01-03 22:03:39 +00:00
c . Assert ( running , checker . Equals , "true" , check . Commentf ( "expected container to still be running" ) )
}
// TestRunDetach checks attaching and detaching with the escape sequence specified via flags.
func ( s * DockerSuite ) TestRunAttachDetachFromFlag ( c * check . C ) {
name := "attach-detach"
keyCtrlA := [ ] byte { 1 }
keyA := [ ] byte { 97 }
dockerCmd ( c , "run" , "--name" , name , "-itd" , "busybox" , "cat" )
cmd := exec . Command ( dockerBinary , "attach" , "--detach-keys='ctrl-a,a'" , name )
stdout , err := cmd . StdoutPipe ( )
if err != nil {
c . Fatal ( err )
}
cpty , tty , err := pty . Open ( )
if err != nil {
c . Fatal ( err )
}
defer cpty . Close ( )
cmd . Stdin = tty
if err := cmd . Start ( ) ; err != nil {
c . Fatal ( err )
}
c . Assert ( waitRun ( name ) , check . IsNil )
if _ , err := cpty . Write ( [ ] byte ( "hello\n" ) ) ; err != nil {
c . Fatal ( err )
}
out , err := bufio . NewReader ( stdout ) . ReadString ( '\n' )
if err != nil {
c . Fatal ( err )
}
if strings . TrimSpace ( out ) != "hello" {
c . Fatalf ( "expected 'hello', got %q" , out )
}
// escape sequence
if _ , err := cpty . Write ( keyCtrlA ) ; err != nil {
c . Fatal ( err )
}
time . Sleep ( 100 * time . Millisecond )
if _ , err := cpty . Write ( keyA ) ; err != nil {
c . Fatal ( err )
}
ch := make ( chan struct { } )
go func ( ) {
cmd . Wait ( )
ch <- struct { } { }
} ( )
select {
case <- ch :
case <- time . After ( 10 * time . Second ) :
c . Fatal ( "timed out waiting for container to exit" )
}
2016-01-28 14:19:25 +00:00
running := inspectField ( c , name , "State.Running" )
2016-01-03 22:03:39 +00:00
c . Assert ( running , checker . Equals , "true" , check . Commentf ( "expected container to still be running" ) )
}
2016-03-23 11:34:47 +00:00
// TestRunDetach checks attaching and detaching with the escape sequence specified via flags.
func ( s * DockerSuite ) TestRunAttachDetachFromInvalidFlag ( c * check . C ) {
name := "attach-detach"
dockerCmd ( c , "run" , "--name" , name , "-itd" , "busybox" , "top" )
c . Assert ( waitRun ( name ) , check . IsNil )
// specify an invalid detach key, container will ignore it and use default
cmd := exec . Command ( dockerBinary , "attach" , "--detach-keys='ctrl-A,a'" , name )
stdout , err := cmd . StdoutPipe ( )
if err != nil {
c . Fatal ( err )
}
cpty , tty , err := pty . Open ( )
if err != nil {
c . Fatal ( err )
}
defer cpty . Close ( )
cmd . Stdin = tty
if err := cmd . Start ( ) ; err != nil {
c . Fatal ( err )
}
bufReader := bufio . NewReader ( stdout )
out , err := bufReader . ReadString ( '\n' )
if err != nil {
c . Fatal ( err )
}
// it should print a warning to indicate the detach key flag is invalid
errStr := "Invalid escape keys (ctrl-A,a) provided"
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , errStr )
}
2016-01-03 22:03:39 +00:00
// TestRunDetach checks attaching and detaching with the escape sequence specified via config file.
func ( s * DockerSuite ) TestRunAttachDetachFromConfig ( c * check . C ) {
keyCtrlA := [ ] byte { 1 }
keyA := [ ] byte { 97 }
// Setup config
homeKey := homedir . Key ( )
homeVal := homedir . Get ( )
tmpDir , err := ioutil . TempDir ( "" , "fake-home" )
c . Assert ( err , checker . IsNil )
defer os . RemoveAll ( tmpDir )
dotDocker := filepath . Join ( tmpDir , ".docker" )
os . Mkdir ( dotDocker , 0600 )
tmpCfg := filepath . Join ( dotDocker , "config.json" )
defer func ( ) { os . Setenv ( homeKey , homeVal ) } ( )
os . Setenv ( homeKey , tmpDir )
data := ` {
"detachKeys" : "ctrl-a,a"
} `
err = ioutil . WriteFile ( tmpCfg , [ ] byte ( data ) , 0600 )
c . Assert ( err , checker . IsNil )
// Then do the work
name := "attach-detach"
dockerCmd ( c , "run" , "--name" , name , "-itd" , "busybox" , "cat" )
cmd := exec . Command ( dockerBinary , "attach" , name )
stdout , err := cmd . StdoutPipe ( )
if err != nil {
c . Fatal ( err )
}
cpty , tty , err := pty . Open ( )
if err != nil {
c . Fatal ( err )
}
defer cpty . Close ( )
cmd . Stdin = tty
if err := cmd . Start ( ) ; err != nil {
c . Fatal ( err )
}
c . Assert ( waitRun ( name ) , check . IsNil )
if _ , err := cpty . Write ( [ ] byte ( "hello\n" ) ) ; err != nil {
c . Fatal ( err )
}
out , err := bufio . NewReader ( stdout ) . ReadString ( '\n' )
if err != nil {
c . Fatal ( err )
}
if strings . TrimSpace ( out ) != "hello" {
c . Fatalf ( "expected 'hello', got %q" , out )
}
// escape sequence
if _ , err := cpty . Write ( keyCtrlA ) ; err != nil {
c . Fatal ( err )
}
time . Sleep ( 100 * time . Millisecond )
if _ , err := cpty . Write ( keyA ) ; err != nil {
c . Fatal ( err )
}
ch := make ( chan struct { } )
go func ( ) {
cmd . Wait ( )
ch <- struct { } { }
} ( )
select {
case <- ch :
case <- time . After ( 10 * time . Second ) :
c . Fatal ( "timed out waiting for container to exit" )
}
2016-01-28 14:19:25 +00:00
running := inspectField ( c , name , "State.Running" )
2015-11-06 21:49:16 +00:00
c . Assert ( running , checker . Equals , "true" , check . Commentf ( "expected container to still be running" ) )
2016-01-03 22:03:39 +00:00
}
// TestRunDetach checks attaching and detaching with the detach flags, making sure it overrides config file
func ( s * DockerSuite ) TestRunAttachDetachKeysOverrideConfig ( c * check . C ) {
keyCtrlA := [ ] byte { 1 }
keyA := [ ] byte { 97 }
// Setup config
homeKey := homedir . Key ( )
homeVal := homedir . Get ( )
tmpDir , err := ioutil . TempDir ( "" , "fake-home" )
c . Assert ( err , checker . IsNil )
defer os . RemoveAll ( tmpDir )
dotDocker := filepath . Join ( tmpDir , ".docker" )
os . Mkdir ( dotDocker , 0600 )
tmpCfg := filepath . Join ( dotDocker , "config.json" )
2015-04-11 03:16:42 +00:00
2016-01-03 22:03:39 +00:00
defer func ( ) { os . Setenv ( homeKey , homeVal ) } ( )
os . Setenv ( homeKey , tmpDir )
data := ` {
"detachKeys" : "ctrl-e,e"
} `
err = ioutil . WriteFile ( tmpCfg , [ ] byte ( data ) , 0600 )
c . Assert ( err , checker . IsNil )
// Then do the work
name := "attach-detach"
dockerCmd ( c , "run" , "--name" , name , "-itd" , "busybox" , "cat" )
cmd := exec . Command ( dockerBinary , "attach" , "--detach-keys='ctrl-a,a'" , name )
stdout , err := cmd . StdoutPipe ( )
if err != nil {
c . Fatal ( err )
}
cpty , tty , err := pty . Open ( )
if err != nil {
c . Fatal ( err )
}
defer cpty . Close ( )
cmd . Stdin = tty
if err := cmd . Start ( ) ; err != nil {
c . Fatal ( err )
}
c . Assert ( waitRun ( name ) , check . IsNil )
if _ , err := cpty . Write ( [ ] byte ( "hello\n" ) ) ; err != nil {
c . Fatal ( err )
}
out , err := bufio . NewReader ( stdout ) . ReadString ( '\n' )
if err != nil {
c . Fatal ( err )
}
if strings . TrimSpace ( out ) != "hello" {
c . Fatalf ( "expected 'hello', got %q" , out )
}
// escape sequence
if _ , err := cpty . Write ( keyCtrlA ) ; err != nil {
c . Fatal ( err )
}
time . Sleep ( 100 * time . Millisecond )
if _ , err := cpty . Write ( keyA ) ; err != nil {
c . Fatal ( err )
}
ch := make ( chan struct { } )
2015-04-11 03:16:42 +00:00
go func ( ) {
2016-01-03 22:03:39 +00:00
cmd . Wait ( )
ch <- struct { } { }
2015-04-11 03:16:42 +00:00
} ( )
select {
case <- ch :
2016-01-03 22:03:39 +00:00
case <- time . After ( 10 * time . Second ) :
2015-04-18 16:46:47 +00:00
c . Fatal ( "timed out waiting for container to exit" )
2015-04-11 03:16:42 +00:00
}
2016-01-03 22:03:39 +00:00
2016-01-28 14:19:25 +00:00
running := inspectField ( c , name , "State.Running" )
2016-01-03 22:03:39 +00:00
c . Assert ( running , checker . Equals , "true" , check . Commentf ( "expected container to still be running" ) )
2015-04-11 03:16:42 +00:00
}
2015-05-29 18:22:21 +00:00
2016-01-03 22:03:39 +00:00
// "test" should be printed
2015-11-30 00:40:47 +00:00
func ( s * DockerSuite ) TestRunWithCPUQuota ( c * check . C ) {
2015-07-22 12:59:24 +00:00
testRequires ( c , cpuCfsQuota )
2015-07-14 20:15:00 +00:00
2015-11-30 00:40:47 +00:00
file := "/sys/fs/cgroup/cpu/cpu.cfs_quota_us"
out , _ := dockerCmd ( c , "run" , "--cpu-quota" , "8000" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "8000" )
2015-05-29 18:22:21 +00:00
2016-01-28 14:19:25 +00:00
out = inspectField ( c , "test" , "HostConfig.CpuQuota" )
2015-11-06 21:49:16 +00:00
c . Assert ( out , checker . Equals , "8000" , check . Commentf ( "setting the CPU CFS quota failed" ) )
2015-05-29 18:22:21 +00:00
}
func ( s * DockerSuite ) TestRunWithCpuPeriod ( c * check . C ) {
2015-07-22 12:59:24 +00:00
testRequires ( c , cpuCfsPeriod )
2015-07-14 20:15:00 +00:00
2015-11-30 00:40:47 +00:00
file := "/sys/fs/cgroup/cpu/cpu.cfs_period_us"
out , _ := dockerCmd ( c , "run" , "--cpu-period" , "50000" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "50000" )
2015-05-29 18:22:21 +00:00
2016-01-28 14:19:25 +00:00
out = inspectField ( c , "test" , "HostConfig.CpuPeriod" )
2015-11-06 21:49:16 +00:00
c . Assert ( out , checker . Equals , "50000" , check . Commentf ( "setting the CPU CFS period failed" ) )
2015-05-29 18:22:21 +00:00
}
2015-07-08 20:30:03 +00:00
2015-08-19 15:56:55 +00:00
func ( s * DockerSuite ) TestRunWithKernelMemory ( c * check . C ) {
testRequires ( c , kernelMemorySupport )
2015-11-28 01:47:25 +00:00
file := "/sys/fs/cgroup/memory/memory.kmem.limit_in_bytes"
2015-11-30 00:40:47 +00:00
stdout , _ , _ := dockerCmdWithStdoutStderr ( c , "run" , "--kernel-memory" , "50M" , "--name" , "test1" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( stdout ) , checker . Equals , "52428800" )
2015-08-19 15:56:55 +00:00
2016-01-28 14:19:25 +00:00
out := inspectField ( c , "test1" , "HostConfig.KernelMemory" )
2015-09-24 00:41:35 +00:00
c . Assert ( out , check . Equals , "52428800" )
2015-12-09 06:26:41 +00:00
}
func ( s * DockerSuite ) TestRunWithInvalidKernelMemory ( c * check . C ) {
testRequires ( c , kernelMemorySupport )
out , _ , err := dockerCmdWithError ( "run" , "--kernel-memory" , "2M" , "busybox" , "true" )
c . Assert ( err , check . NotNil )
expected := "Minimum kernel memory limit allowed is 4MB"
c . Assert ( out , checker . Contains , expected )
2015-09-24 00:41:35 +00:00
out , _ , err = dockerCmdWithError ( "run" , "--kernel-memory" , "-16m" , "--name" , "test2" , "busybox" , "echo" , "test" )
c . Assert ( err , check . NotNil )
2015-12-09 06:26:41 +00:00
expected = "invalid size"
2015-09-24 00:41:35 +00:00
c . Assert ( out , checker . Contains , expected )
2015-08-19 15:56:55 +00:00
}
2015-11-30 00:40:47 +00:00
func ( s * DockerSuite ) TestRunWithCPUShares ( c * check . C ) {
2015-08-24 03:37:11 +00:00
testRequires ( c , cpuShare )
2015-11-30 00:40:47 +00:00
file := "/sys/fs/cgroup/cpu/cpu.shares"
out , _ := dockerCmd ( c , "run" , "--cpu-shares" , "1000" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "1000" )
2016-01-28 14:19:25 +00:00
out = inspectField ( c , "test" , "HostConfig.CPUShares" )
2015-11-30 00:40:47 +00:00
c . Assert ( out , check . Equals , "1000" )
2015-08-24 03:37:11 +00:00
}
// "test" should be printed
func ( s * DockerSuite ) TestRunEchoStdoutWithCPUSharesAndMemoryLimit ( c * check . C ) {
testRequires ( c , cpuShare )
testRequires ( c , memoryLimitSupport )
2015-10-26 15:46:49 +00:00
out , _ , _ := dockerCmdWithStdoutStderr ( c , "run" , "--cpu-shares" , "1000" , "-m" , "32m" , "busybox" , "echo" , "test" )
2015-11-06 21:49:16 +00:00
c . Assert ( out , checker . Equals , "test\n" , check . Commentf ( "container should've printed 'test'" ) )
2015-08-24 03:37:11 +00:00
}
func ( s * DockerSuite ) TestRunWithCpusetCpus ( c * check . C ) {
testRequires ( c , cgroupCpuset )
2015-11-30 00:40:47 +00:00
file := "/sys/fs/cgroup/cpuset/cpuset.cpus"
out , _ := dockerCmd ( c , "run" , "--cpuset-cpus" , "0" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "0" )
2016-01-28 14:19:25 +00:00
out = inspectField ( c , "test" , "HostConfig.CpusetCpus" )
2015-11-30 00:40:47 +00:00
c . Assert ( out , check . Equals , "0" )
2015-08-24 03:37:11 +00:00
}
func ( s * DockerSuite ) TestRunWithCpusetMems ( c * check . C ) {
testRequires ( c , cgroupCpuset )
2015-11-30 00:40:47 +00:00
file := "/sys/fs/cgroup/cpuset/cpuset.mems"
out , _ := dockerCmd ( c , "run" , "--cpuset-mems" , "0" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "0" )
2016-01-28 14:19:25 +00:00
out = inspectField ( c , "test" , "HostConfig.CpusetMems" )
2015-11-30 00:40:47 +00:00
c . Assert ( out , check . Equals , "0" )
2015-08-24 03:37:11 +00:00
}
func ( s * DockerSuite ) TestRunWithBlkioWeight ( c * check . C ) {
testRequires ( c , blkioWeight )
2015-11-30 00:40:47 +00:00
file := "/sys/fs/cgroup/blkio/blkio.weight"
out , _ := dockerCmd ( c , "run" , "--blkio-weight" , "300" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "300" )
2016-01-28 14:19:25 +00:00
out = inspectField ( c , "test" , "HostConfig.BlkioWeight" )
2015-11-30 00:40:47 +00:00
c . Assert ( out , check . Equals , "300" )
2015-08-24 03:37:11 +00:00
}
2015-12-18 05:34:25 +00:00
func ( s * DockerSuite ) TestRunWithInvalidBlkioWeight ( c * check . C ) {
2015-08-24 03:37:11 +00:00
testRequires ( c , blkioWeight )
2015-10-14 08:20:52 +00:00
out , _ , err := dockerCmdWithError ( "run" , "--blkio-weight" , "5" , "busybox" , "true" )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
expected := "Range of blkio weight is from 10 to 1000"
c . Assert ( out , checker . Contains , expected )
2015-08-24 03:37:11 +00:00
}
2015-12-18 05:34:25 +00:00
func ( s * DockerSuite ) TestRunWithInvalidPathforBlkioWeightDevice ( c * check . C ) {
2015-06-12 00:34:20 +00:00
testRequires ( c , blkioWeight )
2015-12-18 05:34:25 +00:00
out , _ , err := dockerCmdWithError ( "run" , "--blkio-weight-device" , "/dev/sdX:100" , "busybox" , "true" )
2015-06-12 00:34:20 +00:00
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
}
2015-12-18 05:34:25 +00:00
func ( s * DockerSuite ) TestRunWithInvalidPathforBlkioDeviceReadBps ( c * check . C ) {
2015-07-08 11:06:48 +00:00
testRequires ( c , blkioWeight )
2015-12-16 16:58:31 +00:00
out , _ , err := dockerCmdWithError ( "run" , "--device-read-bps" , "/dev/sdX:500" , "busybox" , "true" )
2015-07-08 11:06:48 +00:00
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
}
2015-12-18 05:34:25 +00:00
func ( s * DockerSuite ) TestRunWithInvalidPathforBlkioDeviceWriteBps ( c * check . C ) {
2015-07-08 11:06:48 +00:00
testRequires ( c , blkioWeight )
2015-12-16 16:58:31 +00:00
out , _ , err := dockerCmdWithError ( "run" , "--device-write-bps" , "/dev/sdX:500" , "busybox" , "true" )
2015-07-08 11:06:48 +00:00
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
}
2015-12-18 05:34:25 +00:00
func ( s * DockerSuite ) TestRunWithInvalidPathforBlkioDeviceReadIOps ( c * check . C ) {
2015-07-08 11:06:48 +00:00
testRequires ( c , blkioWeight )
out , _ , err := dockerCmdWithError ( "run" , "--device-read-iops" , "/dev/sdX:500" , "busybox" , "true" )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
}
2015-12-18 05:34:25 +00:00
func ( s * DockerSuite ) TestRunWithInvalidPathforBlkioDeviceWriteIOps ( c * check . C ) {
2015-07-08 11:06:48 +00:00
testRequires ( c , blkioWeight )
out , _ , err := dockerCmdWithError ( "run" , "--device-write-iops" , "/dev/sdX:500" , "busybox" , "true" )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
}
2015-07-08 20:30:03 +00:00
func ( s * DockerSuite ) TestRunOOMExitCode ( c * check . C ) {
2015-07-22 12:59:24 +00:00
testRequires ( c , oomControl )
2015-07-08 20:30:03 +00:00
errChan := make ( chan error )
go func ( ) {
defer close ( errChan )
2015-08-17 09:20:45 +00:00
//changing memory to 40MB from 4MB due to an issue with GCCGO that test fails to start the container.
out , exitCode , _ := dockerCmdWithError ( "run" , "-m" , "40MB" , "busybox" , "sh" , "-c" , "x=a; while true; do x=$x$x$x$x; done" )
2015-07-08 20:30:03 +00:00
if expected := 137 ; exitCode != expected {
errChan <- fmt . Errorf ( "wrong exit code for OOM container: expected %d, got %d (output: %q)" , expected , exitCode , out )
}
} ( )
select {
case err := <- errChan :
c . Assert ( err , check . IsNil )
2015-02-24 18:33:18 +00:00
case <- time . After ( 600 * time . Second ) :
2015-07-08 20:30:03 +00:00
c . Fatal ( "Timeout waiting for container to die on OOM" )
}
}
2015-11-30 00:40:47 +00:00
func ( s * DockerSuite ) TestRunWithMemoryLimit ( c * check . C ) {
2015-08-24 03:37:11 +00:00
testRequires ( c , memoryLimitSupport )
2015-11-30 00:40:47 +00:00
file := "/sys/fs/cgroup/memory/memory.limit_in_bytes"
stdout , _ , _ := dockerCmdWithStdoutStderr ( c , "run" , "-m" , "32M" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( stdout ) , checker . Equals , "33554432" )
2016-01-28 14:19:25 +00:00
out := inspectField ( c , "test" , "HostConfig.Memory" )
2015-11-30 00:40:47 +00:00
c . Assert ( out , check . Equals , "33554432" )
2015-08-24 03:37:11 +00:00
}
2015-09-18 00:28:36 +00:00
// TestRunWithoutMemoryswapLimit sets memory limit and disables swap
// memory limit, this means the processes in the container can use
// 16M memory and as much swap memory as they need (if the host
// supports swap memory).
2015-08-24 03:37:11 +00:00
func ( s * DockerSuite ) TestRunWithoutMemoryswapLimit ( c * check . C ) {
2015-11-05 00:40:58 +00:00
testRequires ( c , DaemonIsLinux )
2015-08-24 03:37:11 +00:00
testRequires ( c , memoryLimitSupport )
testRequires ( c , swapMemorySupport )
2015-02-24 18:33:18 +00:00
dockerCmd ( c , "run" , "-m" , "32m" , "--memory-swap" , "-1" , "busybox" , "true" )
2015-08-24 03:37:11 +00:00
}
func ( s * DockerSuite ) TestRunWithSwappiness ( c * check . C ) {
testRequires ( c , memorySwappinessSupport )
2015-11-30 00:40:47 +00:00
file := "/sys/fs/cgroup/memory/memory.swappiness"
out , _ := dockerCmd ( c , "run" , "--memory-swappiness" , "0" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "0" )
2016-01-28 14:19:25 +00:00
out = inspectField ( c , "test" , "HostConfig.MemorySwappiness" )
2015-11-30 00:40:47 +00:00
c . Assert ( out , check . Equals , "0" )
2015-08-24 03:37:11 +00:00
}
func ( s * DockerSuite ) TestRunWithSwappinessInvalid ( c * check . C ) {
testRequires ( c , memorySwappinessSupport )
out , _ , err := dockerCmdWithError ( "run" , "--memory-swappiness" , "101" , "busybox" , "true" )
2015-09-28 10:13:21 +00:00
c . Assert ( err , check . NotNil )
expected := "Valid memory swappiness range is 0-100"
c . Assert ( out , checker . Contains , expected , check . Commentf ( "Expected output to contain %q, not %q" , out , expected ) )
out , _ , err = dockerCmdWithError ( "run" , "--memory-swappiness" , "-10" , "busybox" , "true" )
c . Assert ( err , check . NotNil )
c . Assert ( out , checker . Contains , expected , check . Commentf ( "Expected output to contain %q, not %q" , out , expected ) )
2015-08-24 03:37:11 +00:00
}
2015-08-04 20:51:48 +00:00
2015-09-23 06:02:45 +00:00
func ( s * DockerSuite ) TestRunWithMemoryReservation ( c * check . C ) {
testRequires ( c , memoryReservationSupport )
2015-11-30 00:40:47 +00:00
file := "/sys/fs/cgroup/memory/memory.soft_limit_in_bytes"
out , _ := dockerCmd ( c , "run" , "--memory-reservation" , "200M" , "--name" , "test" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "209715200" )
2016-01-28 14:19:25 +00:00
out = inspectField ( c , "test" , "HostConfig.MemoryReservation" )
2015-11-30 00:40:47 +00:00
c . Assert ( out , check . Equals , "209715200" )
2015-09-23 06:02:45 +00:00
}
func ( s * DockerSuite ) TestRunWithMemoryReservationInvalid ( c * check . C ) {
testRequires ( c , memoryLimitSupport )
testRequires ( c , memoryReservationSupport )
out , _ , err := dockerCmdWithError ( "run" , "-m" , "500M" , "--memory-reservation" , "800M" , "busybox" , "true" )
c . Assert ( err , check . NotNil )
expected := "Minimum memory limit should be larger than memory reservation limit"
2015-11-06 21:49:16 +00:00
c . Assert ( strings . TrimSpace ( out ) , checker . Contains , expected , check . Commentf ( "run container should fail with invalid memory reservation" ) )
2016-04-06 01:37:51 +00:00
out , _ , err = dockerCmdWithError ( "run" , "--memory-reservation" , "1k" , "busybox" , "true" )
c . Assert ( err , check . NotNil )
expected = "Minimum memory reservation allowed is 4MB"
c . Assert ( strings . TrimSpace ( out ) , checker . Contains , expected , check . Commentf ( "run container should fail with invalid memory reservation" ) )
2015-09-23 06:02:45 +00:00
}
2015-08-04 20:51:48 +00:00
func ( s * DockerSuite ) TestStopContainerSignal ( c * check . C ) {
out , _ := dockerCmd ( c , "run" , "--stop-signal" , "SIGUSR1" , "-d" , "busybox" , "/bin/sh" , "-c" , ` trap 'echo "exit trapped"; exit 0' USR1; while true; do sleep 1; done ` )
containerID := strings . TrimSpace ( out )
2015-11-06 21:49:16 +00:00
c . Assert ( waitRun ( containerID ) , checker . IsNil )
2015-08-04 20:51:48 +00:00
dockerCmd ( c , "stop" , containerID )
out , _ = dockerCmd ( c , "logs" , containerID )
2015-11-06 21:49:16 +00:00
c . Assert ( out , checker . Contains , "exit trapped" , check . Commentf ( "Expected `exit trapped` in the log" ) )
2015-08-04 20:51:48 +00:00
}
2015-09-21 14:12:19 +00:00
func ( s * DockerSuite ) TestRunSwapLessThanMemoryLimit ( c * check . C ) {
testRequires ( c , memoryLimitSupport )
testRequires ( c , swapMemorySupport )
out , _ , err := dockerCmdWithError ( "run" , "-m" , "16m" , "--memory-swap" , "15m" , "busybox" , "echo" , "test" )
expected := "Minimum memoryswap limit should be larger than memory limit"
c . Assert ( err , check . NotNil )
2015-11-06 21:49:16 +00:00
c . Assert ( out , checker . Contains , expected )
2015-09-21 14:12:19 +00:00
}
2015-09-08 18:40:55 +00:00
func ( s * DockerSuite ) TestRunInvalidCpusetCpusFlagValue ( c * check . C ) {
2016-02-11 03:27:02 +00:00
testRequires ( c , cgroupCpuset , SameHostDaemon )
2015-09-08 18:40:55 +00:00
sysInfo := sysinfo . New ( true )
cpus , err := parsers . ParseUintList ( sysInfo . Cpus )
c . Assert ( err , check . IsNil )
var invalid int
for i := 0 ; i <= len ( cpus ) + 1 ; i ++ {
if ! cpus [ i ] {
invalid = i
break
}
}
out , _ , err := dockerCmdWithError ( "run" , "--cpuset-cpus" , strconv . Itoa ( invalid ) , "busybox" , "true" )
c . Assert ( err , check . NotNil )
2015-07-29 12:21:16 +00:00
expected := fmt . Sprintf ( "Error response from daemon: Requested CPUs are not available - requested %s, available: %s" , strconv . Itoa ( invalid ) , sysInfo . Cpus )
2015-11-06 21:49:16 +00:00
c . Assert ( out , checker . Contains , expected )
2015-09-08 18:40:55 +00:00
}
func ( s * DockerSuite ) TestRunInvalidCpusetMemsFlagValue ( c * check . C ) {
testRequires ( c , cgroupCpuset )
sysInfo := sysinfo . New ( true )
mems , err := parsers . ParseUintList ( sysInfo . Mems )
c . Assert ( err , check . IsNil )
var invalid int
for i := 0 ; i <= len ( mems ) + 1 ; i ++ {
if ! mems [ i ] {
invalid = i
break
}
}
out , _ , err := dockerCmdWithError ( "run" , "--cpuset-mems" , strconv . Itoa ( invalid ) , "busybox" , "true" )
c . Assert ( err , check . NotNil )
2015-07-29 12:21:16 +00:00
expected := fmt . Sprintf ( "Error response from daemon: Requested memory nodes are not available - requested %s, available: %s" , strconv . Itoa ( invalid ) , sysInfo . Mems )
2015-11-06 21:49:16 +00:00
c . Assert ( out , checker . Contains , expected )
2015-09-08 18:40:55 +00:00
}
2015-10-08 02:04:51 +00:00
func ( s * DockerSuite ) TestRunInvalidCPUShares ( c * check . C ) {
2015-11-05 00:40:58 +00:00
testRequires ( c , cpuShare , DaemonIsLinux )
2015-10-08 02:04:51 +00:00
out , _ , err := dockerCmdWithError ( "run" , "--cpu-shares" , "1" , "busybox" , "echo" , "test" )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
expected := "The minimum allowed cpu-shares is 2"
c . Assert ( out , checker . Contains , expected )
out , _ , err = dockerCmdWithError ( "run" , "--cpu-shares" , "-1" , "busybox" , "echo" , "test" )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
expected = "shares: invalid argument"
c . Assert ( out , checker . Contains , expected )
out , _ , err = dockerCmdWithError ( "run" , "--cpu-shares" , "99999999" , "busybox" , "echo" , "test" )
c . Assert ( err , check . NotNil , check . Commentf ( out ) )
expected = "The maximum allowed cpu-shares is"
c . Assert ( out , checker . Contains , expected )
}
2015-11-26 12:14:09 +00:00
func ( s * DockerSuite ) TestRunWithDefaultShmSize ( c * check . C ) {
testRequires ( c , DaemonIsLinux )
name := "shm-default"
out , _ := dockerCmd ( c , "run" , "--name" , name , "busybox" , "mount" )
shmRegex := regexp . MustCompile ( ` shm on /dev/shm type tmpfs(.*)size=65536k ` )
if ! shmRegex . MatchString ( out ) {
c . Fatalf ( "Expected shm of 64MB in mount command, got %v" , out )
}
2016-01-28 14:19:25 +00:00
shmSize := inspectField ( c , name , "HostConfig.ShmSize" )
2015-11-26 12:14:09 +00:00
c . Assert ( shmSize , check . Equals , "67108864" )
}
func ( s * DockerSuite ) TestRunWithShmSize ( c * check . C ) {
testRequires ( c , DaemonIsLinux )
name := "shm"
out , _ := dockerCmd ( c , "run" , "--name" , name , "--shm-size=1G" , "busybox" , "mount" )
shmRegex := regexp . MustCompile ( ` shm on /dev/shm type tmpfs(.*)size=1048576k ` )
if ! shmRegex . MatchString ( out ) {
c . Fatalf ( "Expected shm of 1GB in mount command, got %v" , out )
}
2016-01-28 14:19:25 +00:00
shmSize := inspectField ( c , name , "HostConfig.ShmSize" )
2015-11-26 12:14:09 +00:00
c . Assert ( shmSize , check . Equals , "1073741824" )
}
2015-12-01 18:39:34 +00:00
func ( s * DockerSuite ) TestRunTmpfsMounts ( c * check . C ) {
2016-04-06 21:01:12 +00:00
// TODO Windows (Post TP5): This test cannot run on a Windows daemon as
2015-12-01 18:39:34 +00:00
// Windows does not support tmpfs mounts.
testRequires ( c , DaemonIsLinux )
if out , _ , err := dockerCmdWithError ( "run" , "--tmpfs" , "/run" , "busybox" , "touch" , "/run/somefile" ) ; err != nil {
c . Fatalf ( "/run directory not mounted on tmpfs %q %s" , err , out )
}
2015-12-22 18:59:28 +00:00
if out , _ , err := dockerCmdWithError ( "run" , "--tmpfs" , "/run:noexec" , "busybox" , "touch" , "/run/somefile" ) ; err != nil {
c . Fatalf ( "/run directory not mounted on tmpfs %q %s" , err , out )
}
2015-12-01 18:39:34 +00:00
if out , _ , err := dockerCmdWithError ( "run" , "--tmpfs" , "/run:noexec,nosuid,rw,size=5k,mode=700" , "busybox" , "touch" , "/run/somefile" ) ; err != nil {
c . Fatalf ( "/run failed to mount on tmpfs with valid options %q %s" , err , out )
}
if _ , _ , err := dockerCmdWithError ( "run" , "--tmpfs" , "/run:foobar" , "busybox" , "touch" , "/run/somefile" ) ; err == nil {
c . Fatalf ( "/run mounted on tmpfs when it should have vailed within invalid mount option" )
}
if _ , _ , err := dockerCmdWithError ( "run" , "--tmpfs" , "/run" , "-v" , "/run:/run" , "busybox" , "touch" , "/run/somefile" ) ; err == nil {
c . Fatalf ( "Should have generated an error saying Duplicate mount points" )
}
}
2015-12-08 01:14:52 +00:00
2016-03-15 22:34:29 +00:00
// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp=/tmp/profile.json debian:jessie unshare' exits with operation not permitted.
2015-12-08 01:14:52 +00:00
func ( s * DockerSuite ) TestRunSeccompProfileDenyUnshare ( c * check . C ) {
2016-01-26 10:57:14 +00:00
testRequires ( c , SameHostDaemon , seccompEnabled , NotArm , Apparmor )
2015-12-08 01:14:52 +00:00
jsonData := ` {
"defaultAction" : "SCMP_ACT_ALLOW" ,
"syscalls" : [
{
"name" : "unshare" ,
"action" : "SCMP_ACT_ERRNO"
}
]
} `
tmpFile , err := ioutil . TempFile ( "" , "profile.json" )
defer tmpFile . Close ( )
if err != nil {
c . Fatal ( err )
}
if _ , err := tmpFile . Write ( [ ] byte ( jsonData ) ) ; err != nil {
c . Fatal ( err )
}
2016-03-15 22:34:29 +00:00
runCmd := exec . Command ( dockerBinary , "run" , "--security-opt" , "apparmor=unconfined" , "--security-opt" , "seccomp=" + tmpFile . Name ( ) , "debian:jessie" , "unshare" , "-p" , "-m" , "-f" , "-r" , "mount" , "-t" , "proc" , "none" , "/proc" )
2015-12-08 01:14:52 +00:00
out , _ , _ := runCommandWithOutput ( runCmd )
if ! strings . Contains ( out , "Operation not permitted" ) {
c . Fatalf ( "expected unshare with seccomp profile denied to fail, got %s" , out )
}
}
2016-03-15 22:34:29 +00:00
// TestRunSeccompProfileDenyChmod checks that 'docker run --security-opt seccomp=/tmp/profile.json busybox chmod 400 /etc/hostname' exits with operation not permitted.
2015-12-08 01:14:52 +00:00
func ( s * DockerSuite ) TestRunSeccompProfileDenyChmod ( c * check . C ) {
testRequires ( c , SameHostDaemon , seccompEnabled )
jsonData := ` {
"defaultAction" : "SCMP_ACT_ALLOW" ,
"syscalls" : [
{
"name" : "chmod" ,
"action" : "SCMP_ACT_ERRNO"
}
]
} `
tmpFile , err := ioutil . TempFile ( "" , "profile.json" )
defer tmpFile . Close ( )
if err != nil {
c . Fatal ( err )
}
if _ , err := tmpFile . Write ( [ ] byte ( jsonData ) ) ; err != nil {
c . Fatal ( err )
}
2016-03-15 22:34:29 +00:00
runCmd := exec . Command ( dockerBinary , "run" , "--security-opt" , "seccomp=" + tmpFile . Name ( ) , "busybox" , "chmod" , "400" , "/etc/hostname" )
2015-12-08 01:14:52 +00:00
out , _ , _ := runCommandWithOutput ( runCmd )
if ! strings . Contains ( out , "Operation not permitted" ) {
c . Fatalf ( "expected chmod with seccomp profile denied to fail, got %s" , out )
}
}
2015-12-18 18:01:58 +00:00
2015-12-30 17:49:10 +00:00
// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run debian:jessie unshare --map-root-user --user sh -c whoami' with a specific profile to
2015-12-21 22:42:58 +00:00
// deny unhare of a userns exits with operation not permitted.
func ( s * DockerSuite ) TestRunSeccompProfileDenyUnshareUserns ( c * check . C ) {
2016-01-26 10:57:14 +00:00
testRequires ( c , SameHostDaemon , seccompEnabled , NotArm , Apparmor )
2015-12-18 18:01:58 +00:00
// from sched.h
jsonData := fmt . Sprintf ( ` {
"defaultAction" : "SCMP_ACT_ALLOW" ,
"syscalls" : [
{
"name" : "unshare" ,
"action" : "SCMP_ACT_ERRNO" ,
"args" : [
{
"index" : 0 ,
"value" : % d ,
"op" : "SCMP_CMP_EQ"
}
]
}
]
} ` , uint64 ( 0x10000000 ) )
tmpFile , err := ioutil . TempFile ( "" , "profile.json" )
defer tmpFile . Close ( )
if err != nil {
c . Fatal ( err )
}
if _ , err := tmpFile . Write ( [ ] byte ( jsonData ) ) ; err != nil {
c . Fatal ( err )
}
2016-03-15 22:34:29 +00:00
runCmd := exec . Command ( dockerBinary , "run" , "--security-opt" , "apparmor=unconfined" , "--security-opt" , "seccomp=" + tmpFile . Name ( ) , "debian:jessie" , "unshare" , "--map-root-user" , "--user" , "sh" , "-c" , "whoami" )
2015-12-18 18:01:58 +00:00
out , _ , _ := runCommandWithOutput ( runCmd )
if ! strings . Contains ( out , "Operation not permitted" ) {
c . Fatalf ( "expected unshare userns with seccomp profile denied to fail, got %s" , out )
}
}
2015-12-21 22:42:58 +00:00
2015-12-30 19:20:23 +00:00
// TestRunSeccompProfileDenyCloneUserns checks that 'docker run syscall-test'
2015-12-21 22:42:58 +00:00
// with a the default seccomp profile exits with operation not permitted.
func ( s * DockerSuite ) TestRunSeccompProfileDenyCloneUserns ( c * check . C ) {
testRequires ( c , SameHostDaemon , seccompEnabled )
2015-12-30 19:20:23 +00:00
runCmd := exec . Command ( dockerBinary , "run" , "syscall-test" , "userns-test" , "id" )
2015-12-21 22:42:58 +00:00
out , _ , err := runCommandWithOutput ( runCmd )
if err == nil || ! strings . Contains ( out , "clone failed: Operation not permitted" ) {
c . Fatalf ( "expected clone userns with default seccomp profile denied to fail, got %s: %v" , out , err )
}
}
2015-12-22 03:32:12 +00:00
// TestRunSeccompUnconfinedCloneUserns checks that
2016-03-15 22:34:29 +00:00
// 'docker run --security-opt seccomp=unconfined syscall-test' allows creating a userns.
2015-12-22 03:32:12 +00:00
func ( s * DockerSuite ) TestRunSeccompUnconfinedCloneUserns ( c * check . C ) {
2016-03-03 00:58:49 +00:00
testRequires ( c , SameHostDaemon , seccompEnabled , UserNamespaceInKernel , NotUserNamespace )
2015-12-22 03:32:12 +00:00
// make sure running w privileged is ok
2016-03-15 22:34:29 +00:00
runCmd := exec . Command ( dockerBinary , "run" , "--security-opt" , "seccomp=unconfined" , "syscall-test" , "userns-test" , "id" )
2015-12-22 03:32:12 +00:00
if out , _ , err := runCommandWithOutput ( runCmd ) ; err != nil || ! strings . Contains ( out , "nobody" ) {
2016-03-15 22:34:29 +00:00
c . Fatalf ( "expected clone userns with --security-opt seccomp=unconfined to succeed, got %s: %v" , out , err )
2015-12-22 03:32:12 +00:00
}
}
2015-12-30 19:20:23 +00:00
// TestRunSeccompAllowPrivCloneUserns checks that 'docker run --privileged syscall-test'
2015-12-22 03:32:12 +00:00
// allows creating a userns.
2015-12-21 22:42:58 +00:00
func ( s * DockerSuite ) TestRunSeccompAllowPrivCloneUserns ( c * check . C ) {
2016-03-03 00:58:49 +00:00
testRequires ( c , SameHostDaemon , seccompEnabled , UserNamespaceInKernel , NotUserNamespace )
2015-12-21 22:42:58 +00:00
// make sure running w privileged is ok
2015-12-30 19:20:23 +00:00
runCmd := exec . Command ( dockerBinary , "run" , "--privileged" , "syscall-test" , "userns-test" , "id" )
2015-12-21 22:42:58 +00:00
if out , _ , err := runCommandWithOutput ( runCmd ) ; err != nil || ! strings . Contains ( out , "nobody" ) {
c . Fatalf ( "expected clone userns with --privileged to succeed, got %s: %v" , out , err )
}
}
2016-02-12 00:28:00 +00:00
// TestRunSeccompAllowSetrlimit checks that 'docker run debian:jessie ulimit -v 1048510' succeeds.
func ( s * DockerSuite ) TestRunSeccompAllowSetrlimit ( c * check . C ) {
testRequires ( c , SameHostDaemon , seccompEnabled )
2015-12-21 22:42:58 +00:00
2016-02-12 00:28:00 +00:00
// ulimit uses setrlimit, so we want to make sure we don't break it
runCmd := exec . Command ( dockerBinary , "run" , "debian:jessie" , "bash" , "-c" , "ulimit -v 1048510" )
2015-12-21 22:42:58 +00:00
if out , _ , err := runCommandWithOutput ( runCmd ) ; err != nil {
2016-02-12 00:28:00 +00:00
c . Fatalf ( "expected ulimit with seccomp to succeed, got %s: %v" , out , err )
2015-12-21 22:42:58 +00:00
}
}
2015-12-30 19:20:23 +00:00
func ( s * DockerSuite ) TestRunSeccompDefaultProfile ( c * check . C ) {
testRequires ( c , SameHostDaemon , seccompEnabled , NotUserNamespace )
2016-01-26 16:05:44 +00:00
var group sync . WaitGroup
group . Add ( 4 )
errChan := make ( chan error , 4 )
go func ( ) {
out , _ , err := dockerCmdWithError ( "run" , "--cap-add" , "ALL" , "syscall-test" , "acct-test" )
if err == nil || ! strings . Contains ( out , "Operation not permitted" ) {
errChan <- fmt . Errorf ( "expected Operation not permitted, got: %s" , out )
}
group . Done ( )
} ( )
2015-12-30 19:20:23 +00:00
2016-01-26 16:05:44 +00:00
go func ( ) {
out , _ , err := dockerCmdWithError ( "run" , "--cap-add" , "ALL" , "syscall-test" , "ns-test" , "echo" , "hello" )
if err == nil || ! strings . Contains ( out , "Operation not permitted" ) {
errChan <- fmt . Errorf ( "expected Operation not permitted, got: %s" , out )
}
group . Done ( )
} ( )
2015-12-30 19:20:23 +00:00
2016-01-26 16:05:44 +00:00
go func ( ) {
2016-03-15 22:34:29 +00:00
out , _ , err := dockerCmdWithError ( "run" , "--cap-add" , "ALL" , "--security-opt" , "seccomp=unconfined" , "syscall-test" , "acct-test" )
2016-01-26 16:05:44 +00:00
if err == nil || ! strings . Contains ( out , "No such file or directory" ) {
errChan <- fmt . Errorf ( "expected No such file or directory, got: %s" , out )
}
group . Done ( )
} ( )
go func ( ) {
2016-03-15 22:34:29 +00:00
out , _ , err := dockerCmdWithError ( "run" , "--cap-add" , "ALL" , "--security-opt" , "seccomp=unconfined" , "syscall-test" , "ns-test" , "echo" , "hello" )
2016-01-26 16:05:44 +00:00
if err != nil || ! strings . Contains ( out , "hello" ) {
errChan <- fmt . Errorf ( "expected hello, got: %s, %v" , out , err )
}
group . Done ( )
} ( )
group . Wait ( )
close ( errChan )
2015-12-30 19:20:23 +00:00
2016-01-26 16:05:44 +00:00
for err := range errChan {
c . Assert ( err , checker . IsNil )
2015-12-30 19:20:23 +00:00
}
}
2016-01-05 00:23:36 +00:00
2016-02-22 05:31:21 +00:00
// TestRunNoNewPrivSetuid checks that --security-opt=no-new-privileges prevents
// effective uid transtions on executing setuid binaries.
func ( s * DockerSuite ) TestRunNoNewPrivSetuid ( c * check . C ) {
testRequires ( c , DaemonIsLinux , NotUserNamespace , SameHostDaemon )
// test that running a setuid binary results in no effective uid transition
runCmd := exec . Command ( dockerBinary , "run" , "--security-opt" , "no-new-privileges" , "--user" , "1000" , "nnp-test" , "/usr/bin/nnp-test" )
if out , _ , err := runCommandWithOutput ( runCmd ) ; err != nil || ! strings . Contains ( out , "EUID=1000" ) {
c . Fatalf ( "expected output to contain EUID=1000, got %s: %v" , out , err )
}
}
2016-01-05 00:23:36 +00:00
func ( s * DockerSuite ) TestRunApparmorProcDirectory ( c * check . C ) {
testRequires ( c , SameHostDaemon , Apparmor )
// running w seccomp unconfined tests the apparmor profile
2016-03-15 22:34:29 +00:00
runCmd := exec . Command ( dockerBinary , "run" , "--security-opt" , "seccomp=unconfined" , "busybox" , "chmod" , "777" , "/proc/1/cgroup" )
2016-01-05 00:23:36 +00:00
if out , _ , err := runCommandWithOutput ( runCmd ) ; err == nil || ! ( strings . Contains ( out , "Permission denied" ) || strings . Contains ( out , "Operation not permitted" ) ) {
c . Fatalf ( "expected chmod 777 /proc/1/cgroup to fail, got %s: %v" , out , err )
}
2016-03-15 22:34:29 +00:00
runCmd = exec . Command ( dockerBinary , "run" , "--security-opt" , "seccomp=unconfined" , "busybox" , "chmod" , "777" , "/proc/1/attr/current" )
2016-01-05 00:23:36 +00:00
if out , _ , err := runCommandWithOutput ( runCmd ) ; err == nil || ! ( strings . Contains ( out , "Permission denied" ) || strings . Contains ( out , "Operation not permitted" ) ) {
c . Fatalf ( "expected chmod 777 /proc/1/attr/current to fail, got %s: %v" , out , err )
}
}
2016-02-19 08:22:36 +00:00
// make sure the default profile can be successfully parsed (using unshare as it is
// something which we know is blocked in the default profile)
func ( s * DockerSuite ) TestRunSeccompWithDefaultProfile ( c * check . C ) {
testRequires ( c , SameHostDaemon , seccompEnabled )
2016-03-15 22:34:29 +00:00
out , _ , err := dockerCmdWithError ( "run" , "--security-opt" , "seccomp=../profiles/seccomp/default.json" , "debian:jessie" , "unshare" , "--map-root-user" , "--user" , "sh" , "-c" , "whoami" )
2016-02-19 08:22:36 +00:00
c . Assert ( err , checker . NotNil , check . Commentf ( out ) )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "unshare: unshare failed: Operation not permitted" )
}
2016-02-25 01:50:39 +00:00
// TestRunDeviceSymlink checks run with device that follows symlink (#13840)
func ( s * DockerSuite ) TestRunDeviceSymlink ( c * check . C ) {
testRequires ( c , DaemonIsLinux , NotUserNamespace , NotArm , SameHostDaemon )
if _ , err := os . Stat ( "/dev/zero" ) ; err != nil {
c . Skip ( "Host does not have /dev/zero" )
}
// Create a temporary directory to create symlink
tmpDir , err := ioutil . TempDir ( "" , "docker_device_follow_symlink_tests" )
c . Assert ( err , checker . IsNil )
defer os . RemoveAll ( tmpDir )
// Create a symbolic link to /dev/zero
symZero := filepath . Join ( tmpDir , "zero" )
err = os . Symlink ( "/dev/zero" , symZero )
c . Assert ( err , checker . IsNil )
// Create a temporary file "temp" inside tmpDir, write some data to "tmpDir/temp",
// then create a symlink "tmpDir/file" to the temporary file "tmpDir/temp".
tmpFile := filepath . Join ( tmpDir , "temp" )
err = ioutil . WriteFile ( tmpFile , [ ] byte ( "temp" ) , 0666 )
c . Assert ( err , checker . IsNil )
symFile := filepath . Join ( tmpDir , "file" )
err = os . Symlink ( tmpFile , symFile )
c . Assert ( err , checker . IsNil )
// md5sum of 'dd if=/dev/zero bs=4K count=8' is bb7df04e1b0a2570657527a7e108ae23
out , _ := dockerCmd ( c , "run" , "--device" , symZero + ":/dev/symzero" , "busybox" , "sh" , "-c" , "dd if=/dev/symzero bs=4K count=8 | md5sum" )
c . Assert ( strings . Trim ( out , "\r\n" ) , checker . Contains , "bb7df04e1b0a2570657527a7e108ae23" , check . Commentf ( "expected output bb7df04e1b0a2570657527a7e108ae23" ) )
// symlink "tmpDir/file" to a file "tmpDir/temp" will result in an error as it is not a device.
out , _ , err = dockerCmdWithError ( "run" , "--device" , symFile + ":/dev/symzero" , "busybox" , "sh" , "-c" , "dd if=/dev/symzero bs=4K count=8 | md5sum" )
c . Assert ( err , check . NotNil )
c . Assert ( strings . Trim ( out , "\r\n" ) , checker . Contains , "not a device node" , check . Commentf ( "expected output 'not a device node'" ) )
}
2015-12-15 19:15:43 +00:00
// TestRunPidsLimit makes sure the pids cgroup is set with --pids-limit
func ( s * DockerSuite ) TestRunPidsLimit ( c * check . C ) {
testRequires ( c , pidsLimit )
file := "/sys/fs/cgroup/pids/pids.max"
out , _ := dockerCmd ( c , "run" , "--name" , "skittles" , "--pids-limit" , "2" , "busybox" , "cat" , file )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "2" )
out = inspectField ( c , "skittles" , "HostConfig.PidsLimit" )
c . Assert ( out , checker . Equals , "2" , check . Commentf ( "setting the pids limit failed" ) )
}
2016-03-24 19:01:12 +00:00
func ( s * DockerSuite ) TestRunPrivilegedAllowedDevices ( c * check . C ) {
2016-03-25 16:31:36 +00:00
testRequires ( c , DaemonIsLinux , NotUserNamespace )
2016-03-24 19:01:12 +00:00
file := "/sys/fs/cgroup/devices/devices.list"
out , _ := dockerCmd ( c , "run" , "--privileged" , "busybox" , "cat" , file )
c . Logf ( "out: %q" , out )
c . Assert ( strings . TrimSpace ( out ) , checker . Equals , "a *:* rwm" )
}
func ( s * DockerSuite ) TestRunUserDeviceAllowed ( c * check . C ) {
testRequires ( c , DaemonIsLinux )
fi , err := os . Stat ( "/dev/snd/timer" )
if err != nil {
c . Skip ( "Host does not have /dev/snd/timer" )
}
stat , ok := fi . Sys ( ) . ( * syscall . Stat_t )
if ! ok {
c . Skip ( "Could not stat /dev/snd/timer" )
}
file := "/sys/fs/cgroup/devices/devices.list"
out , _ := dockerCmd ( c , "run" , "--device" , "/dev/snd/timer:w" , "busybox" , "cat" , file )
c . Assert ( out , checker . Contains , fmt . Sprintf ( "c %d:%d w" , stat . Rdev / 256 , stat . Rdev % 256 ) )
}