beenull/moby
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #42638 from eliaskoromilas/host-devices

Browse source 
Mount (accessible) host devices in `--privileged` rootless containers
This commit is contained in:
Sebastiaan van Stijn 2022-03-24 11:19:57 +01:00 committed by GitHub
commit d967ffbee0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 56 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
daemon/oci_linux.go
View file

@ -862,7 +862,7 @@ func WithDevices(daemon *Daemon, c *container.Container) coci.SpecOpts {
var devs []specs.LinuxDevice var devs []specs.LinuxDevice
devPermissions := s.Linux.Resources.Devices devPermissions := s.Linux.Resources.Devices
if c.HostConfig.Privileged && !userns.RunningInUserNS() { if c.HostConfig.Privileged {
hostDevices, err := coci.HostDevices() hostDevices, err := coci.HostDevices()
if err != nil { if err != nil {
return err return err

55
integration/container/run_linux_test.go
View file

@ -2,6 +2,8 @@ package container // import "github.com/docker/docker/integration/container"
import ( import (
"context" "context"
"os"
"path/filepath"
"strings" "strings"
"testing" "testing"
"time" "time"
@ -10,6 +12,8 @@ import (
"github.com/docker/docker/api/types/versions" "github.com/docker/docker/api/types/versions"
"github.com/docker/docker/integration/internal/container" "github.com/docker/docker/integration/internal/container"
net "github.com/docker/docker/integration/internal/network" net "github.com/docker/docker/integration/internal/network"
"github.com/docker/docker/pkg/system"
"golang.org/x/sys/unix"
"gotest.tools/v3/assert" "gotest.tools/v3/assert"
is "gotest.tools/v3/assert/cmp" is "gotest.tools/v3/assert/cmp"
"gotest.tools/v3/poll" "gotest.tools/v3/poll"
@ -128,3 +132,54 @@ func TestUnprivilegedPortsAndPing(t *testing.T) {
assert.Equal(t, 0, res.ExitCode) assert.Equal(t, 0, res.ExitCode)
assert.Equal(t, "0", strings.TrimSpace(res.Stdout())) assert.Equal(t, "0", strings.TrimSpace(res.Stdout()))
} }
func TestPrivilegedHostDevices(t *testing.T) {
// Host devices are linux only. Also it creates host devices,
// so needs to be same host.
skip.If(t, testEnv.IsRemoteDaemon)
skip.If(t, testEnv.DaemonInfo.OSType != "linux")
defer setupTest(t)()
client := testEnv.APIClient()
ctx := context.Background()
const (
devTest = "/dev/test"
devRootOnlyTest = "/dev/root-only/test"
)
// Create Null devices.
if err := system.Mknod(devTest, unix.S_IFCHR|0600, int(system.Mkdev(1, 3))); err != nil {
t.Fatal(err)
}
defer os.Remove(devTest)
if err := os.Mkdir(filepath.Dir(devRootOnlyTest), 0700); err != nil {
t.Fatal(err)
}
defer os.RemoveAll(filepath.Dir(devRootOnlyTest))
if err := system.Mknod(devRootOnlyTest, unix.S_IFCHR|0600, int(system.Mkdev(1, 3))); err != nil {
t.Fatal(err)
}
defer os.Remove(devRootOnlyTest)
cID := container.Run(ctx, t, client, container.WithPrivileged(true))
poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
// Check test device.
res, err := container.Exec(ctx, client, cID, []string{"ls", devTest})
assert.NilError(t, err)
assert.Equal(t, 0, res.ExitCode)
assert.Check(t, is.Equal(strings.TrimSpace(res.Stdout()), devTest))
// Check root-only test device.
res, err = container.Exec(ctx, client, cID, []string{"ls", devRootOnlyTest})
assert.NilError(t, err)
if testEnv.IsRootless() {
assert.Equal(t, 1, res.ExitCode)
assert.Check(t, is.Contains(res.Stderr(), "No such file or directory"))
} else {
assert.Equal(t, 0, res.ExitCode)
assert.Check(t, is.Equal(strings.TrimSpace(res.Stdout()), devRootOnlyTest))
}
}