Commit graph

139 commits

Author SHA1 Message Date
Sebastiaan van Stijn
1235b56fbc Merge pull request #29076 from justincormack/seccomp-socket-to-them
Block obsolete and unusual socket families in the default seccomp profile
(cherry picked from commit 48184351c9)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-02-23 00:27:29 +01:00
Vincent Demeester
833f3b3cf0 Fixes some integration-cli on userns
Mainly adding requirements on Network or NotUserNamespace to make it pass.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit eb5fe064cf)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
2016-11-23 12:27:16 -08:00
Michael Crosby
cac13fc131 Merge pull request #27737 from justincormack/no-ambient-1.13
Revert ambient capabilities for 1.13
2016-11-04 12:52:21 -07:00
Justin Cormack
c5251f7116 Use runc version built without ambient capabilities
Until we can support existing behaviour with `sudo` disable
ambient capabilities in runc build.

Add tests that non root user cannot use default capabilities,
and that capabilities are working as expected.

Test for #27590

Update runc.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-11-04 17:25:28 +00:00
Yong Tang
846baf1fd3 Add --cpus flag to control cpu resources
This fix tries to address the proposal raised in 27921 and add
`--cpus` flag for `docker run/create`.

Basically, `--cpus` will allow user to specify a number (possibly partial)
about how many CPUs the container will use. For example, on a 2-CPU system
`--cpus 1.5` means the container will take 75% (1.5/2) of the CPU share.

This fix adds a `NanoCPUs` field to `HostConfig` since swarmkit alreay
have a concept of NanoCPUs for tasks. The `--cpus` flag will translate
the number into reused `NanoCPUs` to be consistent.

This fix adds integration tests to cover the changes.

Related docs (`docker run` and Remote APIs) have been updated.

This fix fixes 27921.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-11-04 09:43:10 -07:00
Antonio Murdaca
b237189e6c
daemon: add a flag to override the default seccomp profile
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-02 21:41:29 +01:00
Elena Morozova
2b9786a9b3 integration-cli: move Close() after error check
Signed-off-by: Elena Morozova <lelenanam@gmail.com>
2016-10-13 16:07:08 -07:00
Justin Cormack
199e19548e Add support for ambient capabilities
Linux kernel 4.3 and later supports "ambient capabilities" which are the
only way to pass capabilities to containers running as a non root uid.

Previously there was no way to allow containers not running as root
capabilities in a useful way.

Fix #8460

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-10-10 19:29:02 +01:00
Akihiro Suda
7fb7a477d7 [nit] integration-cli: obey Go's naming convention
No substantial code change.

 - Api         --> API
 - Cli         --> CLI
 - Http, Https --> HTTP, HTTPS
 - Id          --> ID
 - Uid,Gid,Pid --> UID,PID,PID
 - Ipam        --> IPAM
 - Tls         --> TLS (TestDaemonNoTlsCliTlsVerifyWithEnv --> TestDaemonTLSVerifyIssue13964)

Didn't touch in this commit:
 - Git: because it is officially "Git": https://git-scm.com/
 - Tar: because it is officially "Tar": https://www.gnu.org/software/tar/
 - Cpu, Nat, Mac, Ipc, Shm: for keeping a consistency with existing production code (not changable, for compatibility)

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2016-09-30 01:21:05 +00:00
Michael Crosby
ee3ac3aa66 Add init process for zombie fighting
This adds a small C binary for fighting zombies.  It is mounted under
`/dev/init` and is prepended to the args specified by the user.  You
enable it via a daemon flag, `dockerd --init`, as it is disable by
default for backwards compat.

You can also override the daemon option or specify this on a per
container basis with `docker run --init=true|false`.

You can test this by running a process like this as the pid 1 in a
container and see the extra zombie that appears in the container as it
is running.

```c

int main(int argc, char ** argv) {
	pid_t pid = fork();
	if (pid == 0) {
		pid = fork();
		if (pid == 0) {
			exit(0);
		}
		sleep(3);
		exit(0);
	}
	printf("got pid %d and exited\n", pid);
	sleep(20);
}
```

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-09-19 17:33:50 -07:00
Brian Goff
ff91276d1f Move some test fixtures to go
moves ensure-frozen-images to go
moves ensure-syscall-test to go
moves ensure-nnp-test to go
moves ensure-httpserver to go

Also makes some of the fixtures load only for the required tests.
This makes sure that fixtures that won't be needed for a test run such as
`make TESTFLAGS='-check.f Swarm' test-integration-cli` (for example)
aren't loaded... like the syscall tests.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2016-09-07 17:30:35 -04:00
Antonio Murdaca
5ff21add06
New seccomp format
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-01 11:53:07 +02:00
Justin Cormack
eda90f6344 Remove gccgo support
Since Go 1.7, s390x uses upstream Go, so we have no reason to
support gccgo any more.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-08-24 11:09:35 +01:00
Justin Cormack
84ec04306c Run seccomp tests in series not parallel
Fix #24803 as this had been failing sometimes.

As the parallel tests are probably genuine failures, and
had already been cut down, I will re-create these specifically
as a parallel execution test with no seccomp to make the
cause clearer.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-08-17 18:48:06 +01:00
Michael Holzheu
87e4e3af68 TestRunSeccompUnconfinedCloneUserns: Check for unprivileged_userns_clone
On Ubuntu and Debian there is a sysctl which allows to block
clone(CLONE_NEWUSER) via "sysctl kernel.unprivileged_userns_clone=0"
for unprivileged users that do not have CAP_SYS_ADMIN.

See: https://lists.ubuntu.com/archives/kernel-team/2016-January/067926.html

The DockerSuite.TestRunSeccompUnconfinedCloneUserns testcase fails if
"kernel.unprivileged_userns_clone" is set to 0:

 docker_cli_run_unix_test.go:1040:
    c.Fatalf("expected clone userns with --security-opt seccomp=unconfined
              to succeed, got %s: %v", out, err)
 ... Error: expected clone userns with --security-opt seccomp=unconfined
              to succeed, got clone failed: Operation not permitted
 : exit status 1

So add a check and skip the testcase if kernel.unprivileged_userns_clone is 0.

Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
2016-07-29 12:16:03 -04:00
Alexander Morozov
ca43efb40e Merge pull request #24502 from allencloud/change-comparison-log-in-container-config
update comparison log in container config
2016-07-28 16:51:11 -07:00
Justin Cormack
93bbc76ee5 Add a test that the default seccomp profile allows execution of 32 bit binaries
While testing #24510 I noticed that 32 bit syscalls were incorrectly being
blocked and we did not have a test for this, so adding one.

This is only tested on amd64 as it is the only architecture that
reliably supports 32 bit code execution, others only do sometimes.

There is no 32 bit libc in the buildpack-deps so we cannot build
32 bit C code easily so use the simplest assembly program which
just calls the exit syscall.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-07-27 18:42:34 +01:00
allencloud
e5bed17574 update comparison log in container config
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-07-16 11:26:19 +08:00
Lei Jitang
8c179348c3 Add fchmod and fchmodat to TestRunSeccompProfileDenyChmod
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2016-07-04 11:06:48 +00:00
Antonio Murdaca
756f6cef4a daemon: allow tmpfs to trump over VOLUME(s)
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-06-15 16:01:51 +02:00
Jess Frazelle
982c5f199f
fix default tmpfs size to prevent breakage
Signed-off-by: Jess Frazelle <me@jessfraz.com>
2016-06-09 00:58:06 -07:00
Sebastiaan van Stijn
eb6b5a6448 Merge pull request #23172 from michael-holzheu/PR-s390x-seccomp
Enable seccomp for s390x and ppc: s390x part
2016-06-07 12:04:13 +02:00
Zhang Wei
eceb8625a9 Move attach command to cobra.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2016-06-06 22:28:57 +08:00
Michael Holzheu
bf2a577c13 Enable seccomp for s390x
To implement seccomp for s390x the following changes are required:

1) seccomp_default: Add s390 compat mode

   On s390x (64 bit) we can run s390 (32 bit) programs in 32 bit
   compat mode. Therefore add this information to arches().

2) seccomp_default: Use correct flags parameter for sys_clone on s390x

   On s390x the second parameter for the clone system call is the flags
   parameter. On all other architectures it is the first one.

   See kernel code kernel/fork.c:

   #elif defined(CONFIG_CLONE_BACKWARDS2)
   SYSCALL_DEFINE5(clone, unsigned long, newsp, unsigned long, clone_flags,
                   int __user *, parent_tidptr,

   So fix the docker default seccomp rule and check for the second
   parameter on s390/s390x.

3) seccomp_default: Add s390 specific syscalls

  For s390 we currently have three additional system calls that should
  be added to the seccomp whitelist:

  - Other architectures can read/write unprivileged from/to PCI MMIO memory.
    On s390 the instructions are privileged and therefore we need system
    calls for that purpose:

    * s390_pci_mmio_write()
    * s390_pci_mmio_read()

  - Runtime instrumentation:

    * s390_runtime_instr()

4) test_integration: Do not run seccomp default profile test on s390x

   The generated profile that we check in is for amd64 and i386
   architectures and does not work correctly on s390x.

   See also: 75385dc216 ("Do not run the seccomp tests that use
   default.json on non x86 architectures")

5) Dockerfile.s390x: Add "seccomp" to DOCKER_BUILDTAGS

Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
2016-06-06 08:13:22 -04:00
Daniel Nephin
5ab2434225 Convert 'docker create' to use cobra and pflag
Return the correct status code on flag parsins errors.

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2016-06-04 13:57:30 +02:00
Zhang Wei
83ad006d47 Add detach event
If we attach to a running container and stream is closed afterwards, we
can never be sure if the container is stopped or detached. Adding a new
type of `detach` event can explicitly notify client that container is
detached, so client will know that there's no need to wait for its exit
code and it can move forward to next step now.

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2016-06-03 11:59:11 +08:00
Shijiang Wei
f80bfdf85c make the error message in TestRunSeccompDefaultProfile more precise
Signed-off-by: Shijiang Wei <mountkin@gmail.com>
2016-05-28 09:06:25 +08:00
Justin Cormack
cfca3255a8 Split the Seccomp tests into two
The Seccomp tests ran 11 tests in parallel and this appears to be
hitting some sort of bug on CI. Splitting into two tests means that
I can no longer repeoduce the failure on the slow laptop where I could
reproduce the failures before.

Obviously this does not fix the underlying issue, which I will
continue to investigate, but not having the tests failing a lot
before the freeze for 1.12 would be rather helpful.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-27 15:38:29 -07:00
Yong Tang
397a6fefad Inconsistent --tmpfs behavior
This fix tries to address the issue raised in #22420. When
`--tmpfs` is specified with `/tmp`, the default value is
`rw,nosuid,nodev,noexec,relatime,size=65536k`. When `--tmpfs`
is specified with `/tmp:rw`, then the value changed to
`rw,nosuid,nodev,noexec,relatime`.

The reason for such an inconsistency is because docker tries
to add `size=65536k` option only when user provides no option.

This fix tries to address this issue by always pre-progating
`size=65536k` along with `rw,nosuid,nodev,noexec,relatime`.
If user provides a different value (e.g., `size=8192k`), it
will override the `size=65536k` anyway since the combined
options will be parsed and merged to remove any duplicates.

Additional test cases have been added to cover the changes
in this fix.

This fix fixes #22420.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-05-26 19:28:18 -07:00
David Calavera
60abc96acf Merge pull request #22943 from vdemeester/21769-fix-detach-keys
Fix escape-keys by preserving input if invalid
2016-05-25 09:53:53 -07:00
Justin Cormack
75385dc216 Do not run the seccomp tests that use default.json on non x86 architectures
The generated profile that we check in is for amd64 and i386 architectures
and does not work correctly on arm as it is missing required syscalls,
and also specifies the architectures that are supported. It works on
ppc64le at the moment but better to skip the test as it is likely to
break in future.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-24 17:47:30 -07:00
Vincent Demeester
0fb6190243
Fix escape-keys by preserving input if invalid
Currently, using a custom detach key with an invalid sequence, eats a
part of the sequence, making it weird and difficult to enter some key
sequence.

This fixes by keeping the input read when trying to see if it's the key
sequence or not, and "writing" then is the key sequence is not the right
one, preserving the initial input.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-05-24 17:14:48 +02:00
Justin Cormack
3598f2e331 Fix error channel size in seccomp test
This was not changed when the additional tests were added.
It may be the reason for occasional test failures.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-23 18:14:55 -07:00
Sebastiaan van Stijn
0e9009bae3 Merge pull request #22554 from justincormack/seccap
Align default seccomp profile with selected capabilities
2016-05-20 12:58:28 +02:00
Justin Cormack
a01c4dc8f8 Align default seccomp profile with selected capabilities
Currently the default seccomp profile is fixed. This changes it
so that it varies depending on the Linux capabilities selected with
the --cap-add and --cap-drop options. Without this, if a user adds
privileges, eg to allow ptrace with --cap-add sys_ptrace then still
cannot actually use ptrace as it is still blocked by seccomp, so
they will probably disable seccomp or use --privileged. With this
change the syscalls that are needed for the capability are also
allowed by the seccomp profile based on the selected capabilities.

While this patch makes it easier to do things with for example
cap_sys_admin enabled, as it will now allow creating new namespaces
and use of mount, it still allows less than --cap-add cap_sys_admin
--security-opt seccomp:unconfined would have previously. It is not
recommended that users run containers with cap_sys_admin as this does
give full access to the host machine.

It also cleans up some architecture specific system calls to be
only selected when needed.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-11 09:30:23 +01:00
Sean Christopherson
adabb51311 Add the swapMemorySupport requirement to OOM tests
Add the swapMemorySupport requirement to all tests related to the OOM killer.  The --memory option has the subtle side effect of defaulting --memory-swap to double the value of --memory.  The OOM killer doesn't kick in until the container exhausts memory+swap, and so without the memory swap cgroup the tests will timeout due to swap being effectively unlimited.

Document the default behavior of --memory-swap in the docker run man page.

Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
2016-05-10 11:28:00 -07:00
Antonio Murdaca
6a8ea46c67 daemon: reorder mounts before setting them
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-04-26 11:03:25 +02:00
Yong Tang
632b314b23 Relative symlinks don't work with --device argument
This fix tries to address the issue raised in #22271 where
relative symlinks don't work with --device argument.

Previously, the symlinks in --device was implemneted (#20684)
with `os.Readlink()` which does not resolve if the linked
target is a relative path. In this fix, `filepath.EvalSymlinks()`
has been used which will reolve correctly with relative
paths.

An additional test case has been added to the existing
`TestRunDeviceSymlink` to cover changes in this fix.

This fix is related to #13840 and #20684, #22271.
This fix fixes #22271.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-04-25 07:22:56 -07:00
Kai Qiang Wu(Kennan)
62cb06a6c1 Make cpu validation correct
There was an error in validation logic before, should use period
instead of quota, and also add check for negative
number here, if not with that, it would had cpu.cfs_period_us: invalid argument
which is not good for users.

Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
2016-04-22 01:18:03 +00:00
Dan Walsh
9caf7aeefd Add support for setting sysctls
This patch will allow users to specify namespace specific "kernel parameters"
for running inside of a container.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-04-12 13:37:31 -04:00
Vincent Demeester
a0e7e13766 Merge pull request #21818 from Microsoft/jjh/tp4fortests
Windows: Remove TP4 support from test code
2016-04-12 10:07:12 +02:00
John Howard
b0e24c7393 Windows: Remove TP4 support from test code
Signed-off-by: John Howard <jhoward@microsoft.com>
2016-04-11 15:36:31 -07:00
David Calavera
e626011bfb Merge pull request #21760 from hqhq/hq_minimum_reservation
Add minimum limit for memory reservation
2016-04-08 07:58:28 -07:00
Qiang Huang
50a6181005 Add minimum limit for memory reservation
Kernel has no limit for memory reservation, but in different
kernel versions, the default behavior is different.

On kernel 3.13,
docker run --rm --memory-reservation 1k busybox cat /sys/fs/cgroup/memory/memory.soft_limit_in_bytes
the output would be 4096, but on kernel 4.1, the output is 0.

Since we have minimum limit for memory and kernel memory, we
can have this limit for memory reservation as well, to make
the behavior consistent.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-06 09:37:51 +08:00
Zhang Wei
91e5bb9541 Let client print error when speicify wrong detach keys
Fix #21064

Let client print error message explicitly when user specifies wrong
detach keys.

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2016-04-04 15:35:55 +08:00
Tonis Tiigi
f01e1c865f Disable privileged test from in user namespace
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-03-25 09:31:36 -07:00
Tonis Tiigi
ee61235880 Fix setting cgroup permission to user/privileged devices
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-03-24 14:16:33 -07:00
David Calavera
cb9aeb0413 Consolidate security options to use = as separator.
All other options we have use `=` as separator, labels,
log configurations, graph configurations and so on.
We should be consistent and use `=` for the security
options too.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-03-17 13:34:42 -04:00
Shijiang Wei
7369ddd89f speed up DockerSuite.TestRunApparmorProcDirectory
Signed-off-by: Shijiang Wei <mountkin@gmail.com>
2016-03-12 18:58:29 +08:00
David Calavera
dd32445ecc Merge pull request #18697 from jfrazelle/pids-cgroup
Add PIDs cgroup support to Docker
2016-03-08 14:03:36 -08:00