beenull/moby
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #31740 from Microsoft/jjh/privcheck

Browse source 
Windows: Balk on --privileged
This commit is contained in:
Justin Cormack 2017-03-13 20:35:45 +00:00 committed by GitHub
commit 72f1425ff2
7 changed files with 78 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
runconfig/config.go
View file

@ -55,24 +55,30 @@ func DecodeContainerConfig(src io.Reader) (*container.Config, *container.HostCon
// Certain parameters need daemon-side validation that cannot be done
// on the client, as only the daemon knows what is valid for the platform.
if err := ValidateNetMode(w.Config, hc); err != nil {
if err := validateNetMode(w.Config, hc); err != nil {
return nil, nil, nil, err
}
// Validate isolation
if err := ValidateIsolation(hc); err != nil {
if err := validateIsolation(hc); err != nil {
return nil, nil, nil, err
}
// Validate QoS
if err := ValidateQoS(hc); err != nil {
if err := validateQoS(hc); err != nil {
return nil, nil, nil, err
}
// Validate Resources
if err := ValidateResources(hc, sysinfo.New(true)); err != nil {
if err := validateResources(hc, sysinfo.New(true)); err != nil {
return nil, nil, nil, err
}
// Validate Privileged
if err := validatePrivileged(hc); err != nil {
return nil, nil, nil, err
}
return w.Config, hc, w.NetworkingConfig, nil
}

4
runconfig/hostconfig.go
View file

@ -35,9 +35,9 @@ func SetDefaultNetModeIfBlank(hc *container.HostConfig) {
}
}
// ValidateNetContainerMode ensures that the various combinations of requested
// validateNetContainerMode ensures that the various combinations of requested
// network settings wrt container mode are valid.
func ValidateNetContainerMode(c *container.Config, hc *container.HostConfig) error {
func validateNetContainerMode(c *container.Config, hc *container.HostConfig) error {
// We may not be passed a host config, such as in the case of docker commit
if hc == nil {
return nil

21
runconfig/hostconfig_solaris.go
View file

@ -16,26 +16,31 @@ func IsPreDefinedNetwork(network string) bool {
return false
}
// ValidateNetMode ensures that the various combinations of requested
// validateNetMode ensures that the various combinations of requested
// network settings are valid.
func ValidateNetMode(c *container.Config, hc *container.HostConfig) error {
func validateNetMode(c *container.Config, hc *container.HostConfig) error {
// We may not be passed a host config, such as in the case of docker commit
return nil
}
// ValidateIsolation performs platform specific validation of the
// validateIsolation performs platform specific validation of the
// isolation level in the hostconfig structure.
// This setting is currently discarded for Solaris so this is a no-op.
func ValidateIsolation(hc *container.HostConfig) error {
func validateIsolation(hc *container.HostConfig) error {
return nil
}
// ValidateQoS performs platform specific validation of the QoS settings
func ValidateQoS(hc *container.HostConfig) error {
// validateQoS performs platform specific validation of the QoS settings
func validateQoS(hc *container.HostConfig) error {
return nil
}
// ValidateResources performs platform specific validation of the resource settings
func ValidateResources(hc *container.HostConfig, si *sysinfo.SysInfo) error {
// validateResources performs platform specific validation of the resource settings
func validateResources(hc *container.HostConfig, si *sysinfo.SysInfo) error {
return nil
}
// validatePrivileged performs platform specific validation of the Privileged setting
func validatePrivileged(hc *container.HostConfig) error {
return nil
}

2
runconfig/hostconfig_test.go
View file

@ -276,7 +276,7 @@ func TestValidateResources(t *testing.T) {
si.CPURealtimePeriod = rt.SysInfoCPURealtimePeriod
si.CPURealtimeRuntime = rt.SysInfoCPURealtimeRuntime
if err := ValidateResources(&hc, &si); (err != nil) != rt.ErrorExpected {
if err := validateResources(&hc, &si); (err != nil) != rt.ErrorExpected {
t.Fatal(rt.FailureMsg, err)
}
}

23
runconfig/hostconfig_unix.go
View file

@ -22,15 +22,15 @@ func IsPreDefinedNetwork(network string) bool {
return n.IsBridge() || n.IsHost() || n.IsNone() || n.IsDefault() || network == "ingress"
}
// ValidateNetMode ensures that the various combinations of requested
// validateNetMode ensures that the various combinations of requested
// network settings are valid.
func ValidateNetMode(c *container.Config, hc *container.HostConfig) error {
func validateNetMode(c *container.Config, hc *container.HostConfig) error {
// We may not be passed a host config, such as in the case of docker commit
if hc == nil {
return nil
}
err := ValidateNetContainerMode(c, hc)
err := validateNetContainerMode(c, hc)
if err != nil {
return err
}
@ -46,10 +46,10 @@ func ValidateNetMode(c *container.Config, hc *container.HostConfig) error {
return nil
}
// ValidateIsolation performs platform specific validation of
// validateIsolation performs platform specific validation of
// isolation in the hostconfig structure. Linux only supports "default"
// which is LXC container isolation
func ValidateIsolation(hc *container.HostConfig) error {
func validateIsolation(hc *container.HostConfig) error {
// We may not be passed a host config, such as in the case of docker commit
if hc == nil {
return nil
@ -60,8 +60,8 @@ func ValidateIsolation(hc *container.HostConfig) error {
return nil
}
// ValidateQoS performs platform specific validation of the QoS settings
func ValidateQoS(hc *container.HostConfig) error {
// validateQoS performs platform specific validation of the QoS settings
func validateQoS(hc *container.HostConfig) error {
// We may not be passed a host config, such as in the case of docker commit
if hc == nil {
return nil
@ -77,9 +77,9 @@ func ValidateQoS(hc *container.HostConfig) error {
return nil
}
// ValidateResources performs platform specific validation of the resource settings
// validateResources performs platform specific validation of the resource settings
// cpu-rt-runtime and cpu-rt-period can not be greater than their parent, cpu-rt-runtime requires sys_nice
func ValidateResources(hc *container.HostConfig, si *sysinfo.SysInfo) error {
func validateResources(hc *container.HostConfig, si *sysinfo.SysInfo) error {
// We may not be passed a host config, such as in the case of docker commit
if hc == nil {
return nil
@ -98,3 +98,8 @@ func ValidateResources(hc *container.HostConfig, si *sysinfo.SysInfo) error {
}
return nil
}
// validatePrivileged performs platform specific validation of the Privileged setting
func validatePrivileged(hc *container.HostConfig) error {
return nil
}

31
runconfig/hostconfig_windows.go
View file

@ -18,14 +18,14 @@ func IsPreDefinedNetwork(network string) bool {
return !container.NetworkMode(network).IsUserDefined()
}
// ValidateNetMode ensures that the various combinations of requested
// validateNetMode ensures that the various combinations of requested
// network settings are valid.
func ValidateNetMode(c *container.Config, hc *container.HostConfig) error {
func validateNetMode(c *container.Config, hc *container.HostConfig) error {
if hc == nil {
return nil
}
err := ValidateNetContainerMode(c, hc)
err := validateNetContainerMode(c, hc)
if err != nil {
return err
}
@ -37,10 +37,10 @@ func ValidateNetMode(c *container.Config, hc *container.HostConfig) error {
return nil
}
// ValidateIsolation performs platform specific validation of the
// validateIsolation performs platform specific validation of the
// isolation in the hostconfig structure. Windows supports 'default' (or
// blank), 'process', or 'hyperv'.
func ValidateIsolation(hc *container.HostConfig) error {
func validateIsolation(hc *container.HostConfig) error {
// We may not be passed a host config, such as in the case of docker commit
if hc == nil {
return nil
@ -51,18 +51,17 @@ func ValidateIsolation(hc *container.HostConfig) error {
return nil
}
// ValidateQoS performs platform specific validation of the Qos settings
func ValidateQoS(hc *container.HostConfig) error {
// validateQoS performs platform specific validation of the Qos settings
func validateQoS(hc *container.HostConfig) error {
return nil
}
// ValidateResources performs platform specific validation of the resource settings
func ValidateResources(hc *container.HostConfig, si *sysinfo.SysInfo) error {
// validateResources performs platform specific validation of the resource settings
func validateResources(hc *container.HostConfig, si *sysinfo.SysInfo) error {
// We may not be passed a host config, such as in the case of docker commit
if hc == nil {
return nil
}
if hc.Resources.CPURealtimePeriod != 0 {
return fmt.Errorf("invalid --cpu-rt-period: Windows does not support this feature")
}
@ -71,3 +70,15 @@ func ValidateResources(hc *container.HostConfig, si *sysinfo.SysInfo) error {
}
return nil
}
// validatePrivileged performs platform specific validation of the Privileged setting
func validatePrivileged(hc *container.HostConfig) error {
// We may not be passed a host config, such as in the case of docker commit
if hc == nil {
return nil
}
if hc.Privileged {
return fmt.Errorf("invalid --privileged: Windows does not support this feature")
}
return nil
}

17
runconfig/hostconfig_windows_test.go Normal file
View file

@ -0,0 +1,17 @@
// +build windows
package runconfig
import (
"testing"
"github.com/docker/docker/api/types/container"
)
func TestValidatePrivileged(t *testing.T) {
expected := "invalid --privileged: Windows does not support this feature"
err := validatePrivileged(&container.HostConfig{Privileged: true})
if err == nil || err.Error() != expected {
t.Fatalf("Expected %s", expected)
}
}