Commit graph

150 commits

Author SHA1 Message Date
lixiaobing10051267
660ec32e8f invalide detach keys provided
Signed-off-by: lixiaobing10051267 <li.xiaobing1@zte.com.cn>
2017-02-22 09:48:18 +08:00
Daniel Zhang
d7fda019bb Add daemon flag to set no_new_priv as default for unprivileged containers.
Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
2017-02-16 19:05:14 +08:00
Sebastiaan van Stijn
e1c5e72902 Merge pull request #30185 from vdemeester/integration-build-cmd-cleanup-take2
[test-integration] Clean more build utils
2017-01-18 15:12:03 +01:00
Justin Cormack
7e3a596a63 Block obsolete socket families in the default seccomp profile
Linux supports many obsolete address families, which are usually available in
common distro kernels, but they are less likely to be properly audited and
may have security issues

This blocks all socket families in the socket (and socketcall where applicable) syscall
except
- AF_UNIX - Unix domain sockets
- AF_INET - IPv4
- AF_INET6 - IPv6
- AF_NETLINK - Netlink sockets for communicating with the ekrnel
- AF_PACKET - raw sockets, which are only allowed with CAP_NET_RAW

All other socket families are blocked, including Appletalk (native, not
over IP), IPX (remember that!), VSOCK and HVSOCK, which should not generally
be used in containers, etc.

Note that users can of course provide a profile per container or in the daemon
config if they have unusual use cases that require these.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-01-17 17:50:44 +00:00
Vincent Demeester
c10f6ef43f
Clean more build utils in integration cli
- Remove deprecated buildImage* functions
- Rename buildImageNew to buildImage
- Use *check.C in fakeContext* setup and in getIdByName

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-01-17 15:42:38 +01:00
Vincent Demeester
303b1d200a
Update trustedCmd to be compatible with testutil/cmd
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-01-09 11:07:05 +01:00
Vincent Demeester
87e3fcfe1e
Clean some runCommandWithOutput accross integration-cli code
There is still ways to go

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-01-05 17:44:31 +01:00
Vincent Demeester
33968e6c7d
Remove pkg/integration and move it to testutil or integration-cli
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-12-30 18:26:34 +01:00
Vincent Demeester
def13fa23c
Clean integration-cli/utils.go from most of its content
Most of the code is now on pkg/integration.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-12-28 19:05:48 +01:00
Vincent Demeester
c502fb49dc Use *check.C in StartWithBusybox, Start, Stop and Restart…
… to make sure it doesn't fail. It also introduce StartWithError,
StopWithError and RestartWithError in case we care about the
error (and want the error to happen).

This removes the need to check for error and make the intent more
clear : I want a deamon with busybox loaded on it — if an error occur
it should fail the test, but it's not the test code that has the
responsability to check that.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-12-12 09:46:47 +01:00
Vincent Demeester
eb5fe064cf
Fixes some integration-cli on userns
Mainly adding requirements on Network or NotUserNamespace to make it pass.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-11-23 14:03:53 +01:00
Michael Crosby
aff99136b4 Fix cfs period calculation
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-11-18 00:47:43 -08:00
Yong Tang
d22ac2f3a0 Fix error messages for --cpus from daemon
This fix fixes error messages for `--cpus` from daemon.

When `docker run` takes `--cpus`, it will translate into NanoCPUs
and pass the value to daemon. The `NanoCPU` is not visible to the user.
The error message generated from daemon used 'NanoCPU' which may cause
some confusion to the user.

This fix fixes this issue by returning the error in CPUs instead.

This fix fixes 28456.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-11-15 17:16:09 -08:00
Michael Crosby
cac13fc131 Merge pull request #27737 from justincormack/no-ambient-1.13
Revert ambient capabilities for 1.13
2016-11-04 12:52:21 -07:00
Justin Cormack
c5251f7116 Use runc version built without ambient capabilities
Until we can support existing behaviour with `sudo` disable
ambient capabilities in runc build.

Add tests that non root user cannot use default capabilities,
and that capabilities are working as expected.

Test for #27590

Update runc.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-11-04 17:25:28 +00:00
Yong Tang
846baf1fd3 Add --cpus flag to control cpu resources
This fix tries to address the proposal raised in 27921 and add
`--cpus` flag for `docker run/create`.

Basically, `--cpus` will allow user to specify a number (possibly partial)
about how many CPUs the container will use. For example, on a 2-CPU system
`--cpus 1.5` means the container will take 75% (1.5/2) of the CPU share.

This fix adds a `NanoCPUs` field to `HostConfig` since swarmkit alreay
have a concept of NanoCPUs for tasks. The `--cpus` flag will translate
the number into reused `NanoCPUs` to be consistent.

This fix adds integration tests to cover the changes.

Related docs (`docker run` and Remote APIs) have been updated.

This fix fixes 27921.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-11-04 09:43:10 -07:00
Antonio Murdaca
b237189e6c
daemon: add a flag to override the default seccomp profile
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-02 21:41:29 +01:00
Elena Morozova
2b9786a9b3 integration-cli: move Close() after error check
Signed-off-by: Elena Morozova <lelenanam@gmail.com>
2016-10-13 16:07:08 -07:00
Justin Cormack
199e19548e Add support for ambient capabilities
Linux kernel 4.3 and later supports "ambient capabilities" which are the
only way to pass capabilities to containers running as a non root uid.

Previously there was no way to allow containers not running as root
capabilities in a useful way.

Fix #8460

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-10-10 19:29:02 +01:00
Akihiro Suda
7fb7a477d7 [nit] integration-cli: obey Go's naming convention
No substantial code change.

 - Api         --> API
 - Cli         --> CLI
 - Http, Https --> HTTP, HTTPS
 - Id          --> ID
 - Uid,Gid,Pid --> UID,PID,PID
 - Ipam        --> IPAM
 - Tls         --> TLS (TestDaemonNoTlsCliTlsVerifyWithEnv --> TestDaemonTLSVerifyIssue13964)

Didn't touch in this commit:
 - Git: because it is officially "Git": https://git-scm.com/
 - Tar: because it is officially "Tar": https://www.gnu.org/software/tar/
 - Cpu, Nat, Mac, Ipc, Shm: for keeping a consistency with existing production code (not changable, for compatibility)

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2016-09-30 01:21:05 +00:00
Michael Crosby
ee3ac3aa66 Add init process for zombie fighting
This adds a small C binary for fighting zombies.  It is mounted under
`/dev/init` and is prepended to the args specified by the user.  You
enable it via a daemon flag, `dockerd --init`, as it is disable by
default for backwards compat.

You can also override the daemon option or specify this on a per
container basis with `docker run --init=true|false`.

You can test this by running a process like this as the pid 1 in a
container and see the extra zombie that appears in the container as it
is running.

```c

int main(int argc, char ** argv) {
	pid_t pid = fork();
	if (pid == 0) {
		pid = fork();
		if (pid == 0) {
			exit(0);
		}
		sleep(3);
		exit(0);
	}
	printf("got pid %d and exited\n", pid);
	sleep(20);
}
```

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-09-19 17:33:50 -07:00
Brian Goff
ff91276d1f Move some test fixtures to go
moves ensure-frozen-images to go
moves ensure-syscall-test to go
moves ensure-nnp-test to go
moves ensure-httpserver to go

Also makes some of the fixtures load only for the required tests.
This makes sure that fixtures that won't be needed for a test run such as
`make TESTFLAGS='-check.f Swarm' test-integration-cli` (for example)
aren't loaded... like the syscall tests.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2016-09-07 17:30:35 -04:00
Antonio Murdaca
5ff21add06
New seccomp format
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-09-01 11:53:07 +02:00
Justin Cormack
eda90f6344 Remove gccgo support
Since Go 1.7, s390x uses upstream Go, so we have no reason to
support gccgo any more.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-08-24 11:09:35 +01:00
Justin Cormack
84ec04306c Run seccomp tests in series not parallel
Fix #24803 as this had been failing sometimes.

As the parallel tests are probably genuine failures, and
had already been cut down, I will re-create these specifically
as a parallel execution test with no seccomp to make the
cause clearer.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-08-17 18:48:06 +01:00
Michael Holzheu
87e4e3af68 TestRunSeccompUnconfinedCloneUserns: Check for unprivileged_userns_clone
On Ubuntu and Debian there is a sysctl which allows to block
clone(CLONE_NEWUSER) via "sysctl kernel.unprivileged_userns_clone=0"
for unprivileged users that do not have CAP_SYS_ADMIN.

See: https://lists.ubuntu.com/archives/kernel-team/2016-January/067926.html

The DockerSuite.TestRunSeccompUnconfinedCloneUserns testcase fails if
"kernel.unprivileged_userns_clone" is set to 0:

 docker_cli_run_unix_test.go:1040:
    c.Fatalf("expected clone userns with --security-opt seccomp=unconfined
              to succeed, got %s: %v", out, err)
 ... Error: expected clone userns with --security-opt seccomp=unconfined
              to succeed, got clone failed: Operation not permitted
 : exit status 1

So add a check and skip the testcase if kernel.unprivileged_userns_clone is 0.

Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
2016-07-29 12:16:03 -04:00
Alexander Morozov
ca43efb40e Merge pull request #24502 from allencloud/change-comparison-log-in-container-config
update comparison log in container config
2016-07-28 16:51:11 -07:00
Justin Cormack
93bbc76ee5 Add a test that the default seccomp profile allows execution of 32 bit binaries
While testing #24510 I noticed that 32 bit syscalls were incorrectly being
blocked and we did not have a test for this, so adding one.

This is only tested on amd64 as it is the only architecture that
reliably supports 32 bit code execution, others only do sometimes.

There is no 32 bit libc in the buildpack-deps so we cannot build
32 bit C code easily so use the simplest assembly program which
just calls the exit syscall.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-07-27 18:42:34 +01:00
allencloud
e5bed17574 update comparison log in container config
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-07-16 11:26:19 +08:00
Lei Jitang
8c179348c3 Add fchmod and fchmodat to TestRunSeccompProfileDenyChmod
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2016-07-04 11:06:48 +00:00
Antonio Murdaca
756f6cef4a daemon: allow tmpfs to trump over VOLUME(s)
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-06-15 16:01:51 +02:00
Jess Frazelle
982c5f199f
fix default tmpfs size to prevent breakage
Signed-off-by: Jess Frazelle <me@jessfraz.com>
2016-06-09 00:58:06 -07:00
Sebastiaan van Stijn
eb6b5a6448 Merge pull request #23172 from michael-holzheu/PR-s390x-seccomp
Enable seccomp for s390x and ppc: s390x part
2016-06-07 12:04:13 +02:00
Zhang Wei
eceb8625a9 Move attach command to cobra.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2016-06-06 22:28:57 +08:00
Michael Holzheu
bf2a577c13 Enable seccomp for s390x
To implement seccomp for s390x the following changes are required:

1) seccomp_default: Add s390 compat mode

   On s390x (64 bit) we can run s390 (32 bit) programs in 32 bit
   compat mode. Therefore add this information to arches().

2) seccomp_default: Use correct flags parameter for sys_clone on s390x

   On s390x the second parameter for the clone system call is the flags
   parameter. On all other architectures it is the first one.

   See kernel code kernel/fork.c:

   #elif defined(CONFIG_CLONE_BACKWARDS2)
   SYSCALL_DEFINE5(clone, unsigned long, newsp, unsigned long, clone_flags,
                   int __user *, parent_tidptr,

   So fix the docker default seccomp rule and check for the second
   parameter on s390/s390x.

3) seccomp_default: Add s390 specific syscalls

  For s390 we currently have three additional system calls that should
  be added to the seccomp whitelist:

  - Other architectures can read/write unprivileged from/to PCI MMIO memory.
    On s390 the instructions are privileged and therefore we need system
    calls for that purpose:

    * s390_pci_mmio_write()
    * s390_pci_mmio_read()

  - Runtime instrumentation:

    * s390_runtime_instr()

4) test_integration: Do not run seccomp default profile test on s390x

   The generated profile that we check in is for amd64 and i386
   architectures and does not work correctly on s390x.

   See also: 75385dc216 ("Do not run the seccomp tests that use
   default.json on non x86 architectures")

5) Dockerfile.s390x: Add "seccomp" to DOCKER_BUILDTAGS

Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
2016-06-06 08:13:22 -04:00
Daniel Nephin
5ab2434225 Convert 'docker create' to use cobra and pflag
Return the correct status code on flag parsins errors.

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2016-06-04 13:57:30 +02:00
Zhang Wei
83ad006d47 Add detach event
If we attach to a running container and stream is closed afterwards, we
can never be sure if the container is stopped or detached. Adding a new
type of `detach` event can explicitly notify client that container is
detached, so client will know that there's no need to wait for its exit
code and it can move forward to next step now.

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2016-06-03 11:59:11 +08:00
Shijiang Wei
f80bfdf85c make the error message in TestRunSeccompDefaultProfile more precise
Signed-off-by: Shijiang Wei <mountkin@gmail.com>
2016-05-28 09:06:25 +08:00
Justin Cormack
cfca3255a8 Split the Seccomp tests into two
The Seccomp tests ran 11 tests in parallel and this appears to be
hitting some sort of bug on CI. Splitting into two tests means that
I can no longer repeoduce the failure on the slow laptop where I could
reproduce the failures before.

Obviously this does not fix the underlying issue, which I will
continue to investigate, but not having the tests failing a lot
before the freeze for 1.12 would be rather helpful.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-27 15:38:29 -07:00
Yong Tang
397a6fefad Inconsistent --tmpfs behavior
This fix tries to address the issue raised in #22420. When
`--tmpfs` is specified with `/tmp`, the default value is
`rw,nosuid,nodev,noexec,relatime,size=65536k`. When `--tmpfs`
is specified with `/tmp:rw`, then the value changed to
`rw,nosuid,nodev,noexec,relatime`.

The reason for such an inconsistency is because docker tries
to add `size=65536k` option only when user provides no option.

This fix tries to address this issue by always pre-progating
`size=65536k` along with `rw,nosuid,nodev,noexec,relatime`.
If user provides a different value (e.g., `size=8192k`), it
will override the `size=65536k` anyway since the combined
options will be parsed and merged to remove any duplicates.

Additional test cases have been added to cover the changes
in this fix.

This fix fixes #22420.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-05-26 19:28:18 -07:00
David Calavera
60abc96acf Merge pull request #22943 from vdemeester/21769-fix-detach-keys
Fix escape-keys by preserving input if invalid
2016-05-25 09:53:53 -07:00
Justin Cormack
75385dc216 Do not run the seccomp tests that use default.json on non x86 architectures
The generated profile that we check in is for amd64 and i386 architectures
and does not work correctly on arm as it is missing required syscalls,
and also specifies the architectures that are supported. It works on
ppc64le at the moment but better to skip the test as it is likely to
break in future.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-24 17:47:30 -07:00
Vincent Demeester
0fb6190243
Fix escape-keys by preserving input if invalid
Currently, using a custom detach key with an invalid sequence, eats a
part of the sequence, making it weird and difficult to enter some key
sequence.

This fixes by keeping the input read when trying to see if it's the key
sequence or not, and "writing" then is the key sequence is not the right
one, preserving the initial input.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-05-24 17:14:48 +02:00
Justin Cormack
3598f2e331 Fix error channel size in seccomp test
This was not changed when the additional tests were added.
It may be the reason for occasional test failures.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-23 18:14:55 -07:00
Sebastiaan van Stijn
0e9009bae3 Merge pull request #22554 from justincormack/seccap
Align default seccomp profile with selected capabilities
2016-05-20 12:58:28 +02:00
Justin Cormack
a01c4dc8f8 Align default seccomp profile with selected capabilities
Currently the default seccomp profile is fixed. This changes it
so that it varies depending on the Linux capabilities selected with
the --cap-add and --cap-drop options. Without this, if a user adds
privileges, eg to allow ptrace with --cap-add sys_ptrace then still
cannot actually use ptrace as it is still blocked by seccomp, so
they will probably disable seccomp or use --privileged. With this
change the syscalls that are needed for the capability are also
allowed by the seccomp profile based on the selected capabilities.

While this patch makes it easier to do things with for example
cap_sys_admin enabled, as it will now allow creating new namespaces
and use of mount, it still allows less than --cap-add cap_sys_admin
--security-opt seccomp:unconfined would have previously. It is not
recommended that users run containers with cap_sys_admin as this does
give full access to the host machine.

It also cleans up some architecture specific system calls to be
only selected when needed.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-05-11 09:30:23 +01:00
Sean Christopherson
adabb51311 Add the swapMemorySupport requirement to OOM tests
Add the swapMemorySupport requirement to all tests related to the OOM killer.  The --memory option has the subtle side effect of defaulting --memory-swap to double the value of --memory.  The OOM killer doesn't kick in until the container exhausts memory+swap, and so without the memory swap cgroup the tests will timeout due to swap being effectively unlimited.

Document the default behavior of --memory-swap in the docker run man page.

Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
2016-05-10 11:28:00 -07:00
Antonio Murdaca
6a8ea46c67 daemon: reorder mounts before setting them
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-04-26 11:03:25 +02:00
Yong Tang
632b314b23 Relative symlinks don't work with --device argument
This fix tries to address the issue raised in #22271 where
relative symlinks don't work with --device argument.

Previously, the symlinks in --device was implemneted (#20684)
with `os.Readlink()` which does not resolve if the linked
target is a relative path. In this fix, `filepath.EvalSymlinks()`
has been used which will reolve correctly with relative
paths.

An additional test case has been added to the existing
`TestRunDeviceSymlink` to cover changes in this fix.

This fix is related to #13840 and #20684, #22271.
This fix fixes #22271.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-04-25 07:22:56 -07:00
Kai Qiang Wu(Kennan)
62cb06a6c1 Make cpu validation correct
There was an error in validation logic before, should use period
instead of quota, and also add check for negative
number here, if not with that, it would had cpu.cfs_period_us: invalid argument
which is not good for users.

Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
2016-04-22 01:18:03 +00:00