moby/integration-cli/docker_cli_daemon_test.go
Sebastiaan van Stijn 4f9db655ed
portmapper: move userland-proxy lookup to daemon config
When mapping a port with the userland-proxy enabled, the daemon would
perform an "exec.LookPath" for every mapped port (which, in case of
a range of ports, would be for every port in the range).

This was both inefficient (looking up the binary for each port), inconsistent
(when running in rootless-mode, the binary was looked-up once), as well as
inconvenient, because a missing binary, or a mis-configureed userland-proxy-path
would not be detected daeemon startup, and not produce an error until starting
the container;

    docker run -d -P nginx:alpine
    4f7b6589a1680f883d98d03db12203973387f9061e7a963331776170e4414194
    docker: Error response from daemon: driver failed programming external connectivity on endpoint romantic_wiles (7cfdc361821f75cbc665564cf49856cf216a5b09046d3c22d5b9988836ee088d): fork/exec docker-proxy: no such file or directory.

However, the container would still be created (but invalid);

    docker ps -a
    CONTAINER ID   IMAGE          COMMAND                  CREATED          STATUS    PORTS     NAMES
    869f41d7e94f   nginx:alpine   "/docker-entrypoint.…"   10 seconds ago   Created             romantic_wiles

This patch changes how the userland-proxy is configured;

- The path of the userland-proxy is now looked up / configured at daemon
  startup; this is similar to how the proxy is configured in rootless-mode.
- A warning is logged when failing to lookup the binary.
- If the daemon is configured with "userland-proxy" enabled, an error is
  produced, and the daemon will refuse to start.
- The "proxyPath" argument for newProxyCommand() (in libnetwork/portmapper)
  is now required to be set. It no longer looks up the executable, and
  produces an error if no path was provided. While this change was not
  required, it makes the daemon config the canonical source of truth, instead
  of logic spread accross multiplee locations.

Some of this logic is a change of behavior, but these changes were made with
the assumption that we don't want to support;

- installing the userland proxy _after_ the daemon was started
- moving the userland proxy (or installing a proxy with a higher
  preference in PATH)

With this patch:

Validating the config produces an error if the binary is not found:

    dockerd --validate
    WARN[2023-12-29T11:36:39.748699591Z] failed to lookup default userland-proxy binary       error="exec: \"docker-proxy\": executable file not found in $PATH"
    userland-proxy is enabled, but userland-proxy-path is not set

Disabling userland-proxy prints a warning, but validates as "OK":

    dockerd --userland-proxy=false --validate
    WARN[2023-12-29T11:38:30.752523879Z] ffailed to lookup default userland-proxy binary       error="exec: \"docker-proxy\": executable file not found in $PATH"
    configuration OK

Speficying a non-absolute path produces an error:

    dockerd --userland-proxy-path=docker-proxy --validate
    invalid userland-proxy-path: must be an absolute path: docker-proxy

Befor this patch, we would not validate this path, which would allow the daemon
to start, but fail to map a port;

    docker run -d -P nginx:alpine
    4f7b6589a1680f883d98d03db12203973387f9061e7a963331776170e4414194
    docker: Error response from daemon: driver failed programming external connectivity on endpoint romantic_wiles (7cfdc361821f75cbc665564cf49856cf216a5b09046d3c22d5b9988836ee088d): fork/exec docker-proxy: no such file or directory.

Specifying an invalid userland-proxy-path produces an error as well:

    dockerd --userland-proxy-path=/usr/local/bin/no-such-binary --validate
    userland-proxy-path is invalid: stat /usr/local/bin/no-such-binary: no such file or directory

    mkdir -p /usr/local/bin/not-a-file
    dockerd --userland-proxy-path=/usr/local/bin/not-a-file --validate
    userland-proxy-path is invalid: exec: "/usr/local/bin/not-a-file": is a directory

    touch /usr/local/bin/not-an-executable
    dockerd --userland-proxy-path=/usr/local/bin/not-an-executable --validate
    userland-proxy-path is invalid: exec: "/usr/local/bin/not-an-executable": permission denied

Same when using the daemon.json config-file;

    echo '{"userland-proxy-path":"no-such-binary"}' > /etc/docker/daemon.json
    dockerd --validate
    unable to configure the Docker daemon with file /etc/docker/daemon.json: merged configuration validation from file and command line flags failed: invalid userland-proxy-path: must be an absolute path: no-such-binary

    dockerd --userland-proxy-path=hello --validate
    unable to configure the Docker daemon with file /etc/docker/daemon.json: the following directives are specified both as a flag and in the configuration file: userland-proxy-path: (from flag: hello, from file: /usr/local/bin/docker-proxy)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-29 16:23:18 +01:00

2837 lines
95 KiB
Go

//go:build linux
package main
import (
"bufio"
"bytes"
"context"
"crypto/tls"
"crypto/x509"
"encoding/json"
"fmt"
"io"
"net"
"os"
"os/exec"
"path"
"path/filepath"
"regexp"
"strconv"
"strings"
"sync"
"testing"
"time"
"github.com/cloudflare/cfssl/helpers"
"github.com/creack/pty"
"github.com/docker/docker/api/types"
"github.com/docker/docker/integration-cli/checker"
"github.com/docker/docker/integration-cli/cli"
"github.com/docker/docker/integration-cli/cli/build"
"github.com/docker/docker/integration-cli/daemon"
"github.com/docker/docker/libnetwork/iptables"
"github.com/docker/docker/opts"
"github.com/docker/docker/testutil"
testdaemon "github.com/docker/docker/testutil/daemon"
"github.com/moby/sys/mount"
"golang.org/x/sys/unix"
"gotest.tools/v3/assert"
is "gotest.tools/v3/assert/cmp"
"gotest.tools/v3/icmd"
"gotest.tools/v3/poll"
"gotest.tools/v3/skip"
)
const containerdSocket = "/var/run/docker/containerd/containerd.sock"
// TestLegacyDaemonCommand test starting docker daemon using "deprecated" docker daemon
// command. Remove this test when we remove this.
func (s *DockerDaemonSuite) TestLegacyDaemonCommand(c *testing.T) {
cmd := exec.Command(dockerBinary, "daemon", "--storage-driver=vfs", "--debug")
err := cmd.Start()
go cmd.Wait()
assert.NilError(c, err, "could not start daemon using 'docker daemon'")
assert.NilError(c, cmd.Process.Kill())
}
func (s *DockerDaemonSuite) TestDaemonRestartWithRunningContainersPorts(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
cli.Docker(
cli.Args("run", "-d", "--name", "top1", "-p", "1234:80", "--restart", "always", "busybox:latest", "top"),
cli.Daemon(s.d),
).Assert(c, icmd.Success)
cli.Docker(
cli.Args("run", "-d", "--name", "top2", "-p", "80", "busybox:latest", "top"),
cli.Daemon(s.d),
).Assert(c, icmd.Success)
testRun := func(m map[string]bool, prefix string) {
var format string
for cont, shouldRun := range m {
out := cli.Docker(cli.Args("ps"), cli.Daemon(s.d)).Assert(c, icmd.Success).Combined()
if shouldRun {
format = "%scontainer %q is not running"
} else {
format = "%scontainer %q is running"
}
if shouldRun != strings.Contains(out, cont) {
c.Fatalf(format, prefix, cont)
}
}
}
testRun(map[string]bool{"top1": true, "top2": true}, "")
s.d.Restart(c)
testRun(map[string]bool{"top1": true, "top2": false}, "After daemon restart: ")
}
func (s *DockerDaemonSuite) TestDaemonRestartWithVolumesRefs(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
if out, err := s.d.Cmd("run", "--name", "volrestarttest1", "-v", "/foo", "busybox"); err != nil {
c.Fatal(err, out)
}
s.d.Restart(c)
if out, err := s.d.Cmd("run", "-d", "--volumes-from", "volrestarttest1", "--name", "volrestarttest2", "busybox", "top"); err != nil {
c.Fatal(err, out)
}
if out, err := s.d.Cmd("rm", "-fv", "volrestarttest2"); err != nil {
c.Fatal(err, out)
}
out, err := s.d.Cmd("inspect", "-f", `{{range .Mounts}}{{.Destination}}{{"\n"}}{{end}}`, "volrestarttest1")
assert.Check(c, err)
assert.Check(c, is.Contains(strings.Split(out, "\n"), "/foo"))
}
// #11008
func (s *DockerDaemonSuite) TestDaemonRestartUnlessStopped(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
out, err := s.d.Cmd("run", "-d", "--name", "top1", "--restart", "always", "busybox:latest", "top")
assert.NilError(c, err, "run top1: %v", out)
out, err = s.d.Cmd("run", "-d", "--name", "top2", "--restart", "unless-stopped", "busybox:latest", "top")
assert.NilError(c, err, "run top2: %v", out)
out, err = s.d.Cmd("run", "-d", "--name", "exit", "--restart", "unless-stopped", "busybox:latest", "false")
assert.NilError(c, err, "run exit: %v", out)
testRun := func(m map[string]bool, prefix string) {
var format string
for name, shouldRun := range m {
out, err := s.d.Cmd("ps")
assert.Assert(c, err == nil, "run ps: %v", out)
if shouldRun {
format = "%scontainer %q is not running"
} else {
format = "%scontainer %q is running"
}
assert.Equal(c, strings.Contains(out, name), shouldRun, fmt.Sprintf(format, prefix, name))
}
}
// both running
testRun(map[string]bool{"top1": true, "top2": true, "exit": true}, "")
out, err = s.d.Cmd("stop", "exit")
assert.NilError(c, err, out)
out, err = s.d.Cmd("stop", "top1")
assert.NilError(c, err, out)
out, err = s.d.Cmd("stop", "top2")
assert.NilError(c, err, out)
// both stopped
testRun(map[string]bool{"top1": false, "top2": false, "exit": false}, "")
s.d.Restart(c)
// restart=always running
testRun(map[string]bool{"top1": true, "top2": false, "exit": false}, "After daemon restart: ")
out, err = s.d.Cmd("start", "top2")
assert.NilError(c, err, "start top2: %v", out)
out, err = s.d.Cmd("start", "exit")
assert.NilError(c, err, "start exit: %v", out)
s.d.Restart(c)
// both running
testRun(map[string]bool{"top1": true, "top2": true, "exit": true}, "After second daemon restart: ")
}
func (s *DockerDaemonSuite) TestDaemonRestartOnFailure(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
out, err := s.d.Cmd("run", "-d", "--name", "test1", "--restart", "on-failure:3", "busybox:latest", "false")
assert.NilError(c, err, "run top1: %v", out)
// wait test1 to stop
hostArgs := []string{"--host", s.d.Sock()}
err = daemon.WaitInspectWithArgs(dockerBinary, "test1", "{{.State.Running}} {{.State.Restarting}}", "false false", 10*time.Second, hostArgs...)
assert.NilError(c, err, "test1 should exit but not")
// record last start time
out, err = s.d.Cmd("inspect", "-f={{.State.StartedAt}}", "test1")
assert.NilError(c, err, "out: %v", out)
lastStartTime := out
s.d.Restart(c)
// test1 shouldn't restart at all
err = daemon.WaitInspectWithArgs(dockerBinary, "test1", "{{.State.Running}} {{.State.Restarting}}", "false false", 0, hostArgs...)
assert.NilError(c, err, "test1 should exit but not")
// make sure test1 isn't restarted when daemon restart
// if "StartAt" time updates, means test1 was once restarted.
out, err = s.d.Cmd("inspect", "-f={{.State.StartedAt}}", "test1")
assert.NilError(c, err, "out: %v", out)
assert.Equal(c, out, lastStartTime, "test1 shouldn't start after daemon restarts")
}
func (s *DockerDaemonSuite) TestDaemonStartIptablesFalse(c *testing.T) {
s.d.Start(c, "--iptables=false")
}
// Issue #8444: If docker0 bridge is modified (intentionally or unintentionally) and
// no longer has an IP associated, we should gracefully handle that case and associate
// an IP with it rather than fail daemon start
func (s *DockerDaemonSuite) TestDaemonStartBridgeWithoutIPAssociation(c *testing.T) {
// rather than depending on brctl commands to verify docker0 is created and up
// let's start the daemon and stop it, and then make a modification to run the
// actual test
s.d.Start(c)
s.d.Stop(c)
// now we will remove the ip from docker0 and then try starting the daemon
icmd.RunCommand("ip", "addr", "flush", "dev", "docker0").Assert(c, icmd.Success)
if err := s.d.StartWithError(); err != nil {
warning := "**WARNING: Docker bridge network in bad state--delete docker0 bridge interface to fix"
c.Fatalf("Could not start daemon when docker0 has no IP address: %v\n%s", err, warning)
}
}
func (s *DockerDaemonSuite) TestDaemonIptablesClean(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
if out, err := s.d.Cmd("run", "-d", "--name", "top", "-p", "80", "busybox:latest", "top"); err != nil {
c.Fatalf("Could not run top: %s, %v", out, err)
}
ipTablesSearchString := "tcp dpt:80"
// get output from iptables with container running
verifyIPTablesContains(c, ipTablesSearchString)
s.d.Stop(c)
// get output from iptables after restart
verifyIPTablesDoesNotContains(c, ipTablesSearchString)
}
func (s *DockerDaemonSuite) TestDaemonIptablesCreate(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
if out, err := s.d.Cmd("run", "-d", "--name", "top", "--restart=always", "-p", "80", "busybox:latest", "top"); err != nil {
c.Fatalf("Could not run top: %s, %v", out, err)
}
// get output from iptables with container running
ipTablesSearchString := "tcp dpt:80"
verifyIPTablesContains(c, ipTablesSearchString)
s.d.Restart(c)
// make sure the container is not running
runningOut, err := s.d.Cmd("inspect", "--format={{.State.Running}}", "top")
if err != nil {
c.Fatalf("Could not inspect on container: %s, %v", runningOut, err)
}
if strings.TrimSpace(runningOut) != "true" {
c.Fatalf("Container should have been restarted after daemon restart. Status running should have been true but was: %q", strings.TrimSpace(runningOut))
}
// get output from iptables after restart
verifyIPTablesContains(c, ipTablesSearchString)
}
func verifyIPTablesContains(c *testing.T, ipTablesSearchString string) {
result := icmd.RunCommand("iptables", "-nvL")
result.Assert(c, icmd.Success)
if !strings.Contains(result.Combined(), ipTablesSearchString) {
c.Fatalf("iptables output should have contained %q, but was %q", ipTablesSearchString, result.Combined())
}
}
func verifyIPTablesDoesNotContains(c *testing.T, ipTablesSearchString string) {
result := icmd.RunCommand("iptables", "-nvL")
result.Assert(c, icmd.Success)
if strings.Contains(result.Combined(), ipTablesSearchString) {
c.Fatalf("iptables output should not have contained %q, but was %q", ipTablesSearchString, result.Combined())
}
}
// TestDaemonIPv6Enabled checks that when the daemon is started with --ipv6=true that the docker0 bridge
// has the fe80::1 address and that a container is assigned a link-local address
func (s *DockerDaemonSuite) TestDaemonIPv6Enabled(c *testing.T) {
testRequires(c, IPv6)
setupV6(c)
defer teardownV6(c)
s.d.StartWithBusybox(testutil.GetContext(c), c, "--ipv6")
iface, err := net.InterfaceByName("docker0")
if err != nil {
c.Fatalf("Error getting docker0 interface: %v", err)
}
addrs, err := iface.Addrs()
if err != nil {
c.Fatalf("Error getting addresses for docker0 interface: %v", err)
}
var found bool
expected := "fe80::1/64"
for i := range addrs {
if addrs[i].String() == expected {
found = true
break
}
}
if !found {
c.Fatalf("Bridge does not have an IPv6 Address")
}
if out, err := s.d.Cmd("run", "-itd", "--name=ipv6test", "busybox:latest"); err != nil {
c.Fatalf("Could not run container: %s, %v", out, err)
}
out, err := s.d.Cmd("inspect", "--format", "'{{.NetworkSettings.Networks.bridge.LinkLocalIPv6Address}}'", "ipv6test")
if err != nil {
c.Fatalf("Error inspecting container: %s, %v", out, err)
}
out = strings.Trim(out, " \r\n'")
if ip := net.ParseIP(out); ip == nil {
c.Fatalf("Container should have a link-local IPv6 address")
}
out, err = s.d.Cmd("inspect", "--format", "'{{.NetworkSettings.Networks.bridge.GlobalIPv6Address}}'", "ipv6test")
if err != nil {
c.Fatalf("Error inspecting container: %s, %v", out, err)
}
out = strings.Trim(out, " \r\n'")
if ip := net.ParseIP(out); ip != nil {
c.Fatalf("Container should not have a global IPv6 address: %v", out)
}
}
// TestDaemonIPv6FixedCIDR checks that when the daemon is started with --ipv6=true and a fixed CIDR
// that running containers are given a link-local and global IPv6 address
func (s *DockerDaemonSuite) TestDaemonIPv6FixedCIDR(c *testing.T) {
// IPv6 setup is messing with local bridge address.
testRequires(c, testEnv.IsLocalDaemon)
// Delete the docker0 bridge if its left around from previous daemon. It has to be recreated with
// ipv6 enabled
deleteInterface(c, "docker0")
s.d.StartWithBusybox(testutil.GetContext(c), c, "--ipv6", "--fixed-cidr-v6=2001:db8:2::/64", "--default-gateway-v6=2001:db8:2::100")
out, err := s.d.Cmd("run", "-d", "--name=ipv6test", "busybox:latest", "top")
assert.NilError(c, err, "Could not run container: %s, %v", out, err)
out, err = s.d.Cmd("inspect", "--format", "{{.NetworkSettings.Networks.bridge.GlobalIPv6Address}}", "ipv6test")
assert.NilError(c, err, out)
out = strings.Trim(out, " \r\n'")
ip := net.ParseIP(out)
assert.Assert(c, ip != nil, "Container should have a global IPv6 address")
out, err = s.d.Cmd("inspect", "--format", "{{.NetworkSettings.Networks.bridge.IPv6Gateway}}", "ipv6test")
assert.NilError(c, err, out)
assert.Equal(c, strings.Trim(out, " \r\n'"), "2001:db8:2::100", "Container should have a global IPv6 gateway")
}
// TestDaemonIPv6FixedCIDRAndMac checks that when the daemon is started with ipv6 fixed CIDR
// the running containers are given an IPv6 address derived from the MAC address and the ipv6 fixed CIDR
func (s *DockerDaemonSuite) TestDaemonIPv6FixedCIDRAndMac(c *testing.T) {
// IPv6 setup is messing with local bridge address.
testRequires(c, testEnv.IsLocalDaemon)
// Delete the docker0 bridge if its left around from previous daemon. It has to be recreated with
// ipv6 enabled
deleteInterface(c, "docker0")
s.d.StartWithBusybox(testutil.GetContext(c), c, "--ipv6", "--fixed-cidr-v6=2001:db8:1::/64")
out, err := s.d.Cmd("run", "-d", "--name=ipv6test", "--mac-address", "AA:BB:CC:DD:EE:FF", "busybox", "top")
assert.NilError(c, err, out)
out, err = s.d.Cmd("inspect", "--format", "{{.NetworkSettings.Networks.bridge.GlobalIPv6Address}}", "ipv6test")
assert.NilError(c, err, out)
assert.Equal(c, strings.Trim(out, " \r\n'"), "2001:db8:1::aabb:ccdd:eeff")
}
// TestDaemonIPv6HostMode checks that when the running a container with
// network=host the host ipv6 addresses are not removed
func (s *DockerDaemonSuite) TestDaemonIPv6HostMode(c *testing.T) {
testRequires(c, testEnv.IsLocalDaemon)
deleteInterface(c, "docker0")
s.d.StartWithBusybox(testutil.GetContext(c), c, "--ipv6", "--fixed-cidr-v6=2001:db8:2::/64")
out, err := s.d.Cmd("run", "-d", "--name=hostcnt", "--network=host", "busybox:latest", "top")
assert.NilError(c, err, "Could not run container: %s, %v", out, err)
out, err = s.d.Cmd("exec", "hostcnt", "ip", "-6", "addr", "show", "docker0")
assert.NilError(c, err, out)
assert.Assert(c, strings.Contains(strings.Trim(out, " \r\n'"), "2001:db8:2::1"))
}
func (s *DockerDaemonSuite) TestDaemonLogLevelWrong(c *testing.T) {
assert.Assert(c, s.d.StartWithError("--log-level=bogus") != nil, "Daemon shouldn't start with wrong log level")
}
func (s *DockerDaemonSuite) TestDaemonLogLevelDebug(c *testing.T) {
s.d.Start(c, "--log-level=debug")
content, err := s.d.ReadLogFile()
assert.NilError(c, err)
if !strings.Contains(string(content), `level=debug`) {
c.Fatalf(`Missing level="debug" in log file:\n%s`, string(content))
}
}
func (s *DockerDaemonSuite) TestDaemonLogLevelFatal(c *testing.T) {
// we creating new daemons to create new logFile
s.d.Start(c, "--log-level=fatal")
content, err := s.d.ReadLogFile()
assert.NilError(c, err)
if strings.Contains(string(content), `level=debug`) {
c.Fatalf(`Should not have level="debug" in log file:\n%s`, string(content))
}
}
func (s *DockerDaemonSuite) TestDaemonFlagD(c *testing.T) {
s.d.Start(c, "-D")
content, err := s.d.ReadLogFile()
assert.NilError(c, err)
if !strings.Contains(string(content), `level=debug`) {
c.Fatalf(`Should have level="debug" in log file using -D:\n%s`, string(content))
}
}
func (s *DockerDaemonSuite) TestDaemonFlagDebug(c *testing.T) {
s.d.Start(c, "--debug")
content, err := s.d.ReadLogFile()
assert.NilError(c, err)
if !strings.Contains(string(content), `level=debug`) {
c.Fatalf(`Should have level="debug" in log file using --debug:\n%s`, string(content))
}
}
func (s *DockerDaemonSuite) TestDaemonFlagDebugLogLevelFatal(c *testing.T) {
s.d.Start(c, "--debug", "--log-level=fatal")
content, err := s.d.ReadLogFile()
assert.NilError(c, err)
if !strings.Contains(string(content), `level=debug`) {
c.Fatalf(`Should have level="debug" in log file when using both --debug and --log-level=fatal:\n%s`, string(content))
}
}
func (s *DockerDaemonSuite) TestDaemonAllocatesListeningPort(c *testing.T) {
type listener struct {
daemon string
client string
port string
}
listeningPorts := []listener{
{"0.0.0.0", "0.0.0.0", "5678"},
{"127.0.0.1", "127.0.0.1", "1234"},
{"localhost", "127.0.0.1", "1235"},
}
cmdArgs := make([]string, 0, len(listeningPorts)*2)
for _, l := range listeningPorts {
cmdArgs = append(cmdArgs, "--tls=false", "--host", "tcp://"+net.JoinHostPort(l.daemon, l.port))
}
s.d.StartWithBusybox(testutil.GetContext(c), c, cmdArgs...)
for _, l := range listeningPorts {
output, err := s.d.Cmd("run", "-p", fmt.Sprintf("%s:%s:80", l.client, l.port), "busybox", "true")
if err == nil {
c.Fatalf("Container should not start, expected port already allocated error: %q", output)
} else if !strings.Contains(output, "port is already allocated") {
c.Fatalf("Expected port is already allocated error: %q", output)
}
}
}
// GH#11320 - verify that the daemon exits on failure properly
// Note that this explicitly tests the conflict of {-b,--bridge} and {--bip} options as the means
// to get a daemon init failure; no other tests for -b/--bip conflict are therefore required
func (s *DockerDaemonSuite) TestDaemonExitOnFailure(c *testing.T) {
// attempt to start daemon with incorrect flags (we know -b and --bip conflict)
if err := s.d.StartWithError("--bridge", "nosuchbridge", "--bip", "1.1.1.1"); err != nil {
// verify we got the right error
if !strings.Contains(err.Error(), "daemon exited") {
c.Fatalf("Expected daemon not to start, got %v", err)
}
// look in the log and make sure we got the message that daemon is shutting down
icmd.RunCommand("grep", "failed to start daemon", s.d.LogFileName()).Assert(c, icmd.Success)
} else {
// if we didn't get an error and the daemon is running, this is a failure
c.Fatal("Conflicting options should cause the daemon to error out with a failure")
}
}
func (s *DockerDaemonSuite) TestDaemonBridgeExternal(c *testing.T) {
d := s.d
err := d.StartWithError("--bridge", "nosuchbridge")
assert.ErrorContains(c, err, "", `--bridge option with an invalid bridge should cause the daemon to fail`)
defer d.Restart(c)
// make sure the default docker0 bridge doesn't interfere with the test,
// which may happen if it was created with the same IP range.
deleteInterface(c, "docker0")
bridgeName := "ext-bridge1"
bridgeIP := "192.169.1.1/24"
_, bridgeIPNet, _ := net.ParseCIDR(bridgeIP)
createInterface(c, "bridge", bridgeName, bridgeIP)
defer deleteInterface(c, bridgeName)
d.StartWithBusybox(testutil.GetContext(c), c, "--bridge", bridgeName)
ipTablesSearchString := bridgeIPNet.String()
icmd.RunCommand("iptables", "-t", "nat", "-nvL").Assert(c, icmd.Expected{
Out: ipTablesSearchString,
})
out, err := d.Cmd("run", "-d", "--name", "ExtContainer", "busybox", "top")
assert.NilError(c, err, out)
containerIP := d.FindContainerIP(c, "ExtContainer")
ip := net.ParseIP(containerIP)
assert.Assert(c, bridgeIPNet.Contains(ip), "Container IP-Address must be in the same subnet range : %s", containerIP)
}
func (s *DockerDaemonSuite) TestDaemonBridgeNone(c *testing.T) {
// start with bridge none
d := s.d
d.StartWithBusybox(testutil.GetContext(c), c, "--bridge", "none")
defer d.Restart(c)
// verify docker0 iface is not there
icmd.RunCommand("ifconfig", "docker0").Assert(c, icmd.Expected{
ExitCode: 1,
Error: "exit status 1",
Err: "Device not found",
})
// verify default "bridge" network is not there
out, err := d.Cmd("network", "inspect", "bridge")
assert.ErrorContains(c, err, "", `"bridge" network should not be present if daemon started with --bridge=none`)
assert.Assert(c, strings.Contains(out, "No such network"))
}
func createInterface(c *testing.T, ifType string, ifName string, ipNet string) {
icmd.RunCommand("ip", "link", "add", "name", ifName, "type", ifType).Assert(c, icmd.Success)
icmd.RunCommand("ifconfig", ifName, ipNet, "up").Assert(c, icmd.Success)
}
func deleteInterface(c *testing.T, ifName string) {
icmd.RunCommand("ip", "link", "delete", ifName).Assert(c, icmd.Success)
icmd.RunCommand("iptables", "-t", "nat", "--flush").Assert(c, icmd.Success)
icmd.RunCommand("iptables", "--flush").Assert(c, icmd.Success)
}
func (s *DockerDaemonSuite) TestDaemonBridgeIP(c *testing.T) {
// TestDaemonBridgeIP Steps
// 1. Delete the existing docker0 Bridge
// 2. Set --bip daemon configuration and start the new Docker Daemon
// 3. Check if the bip config has taken effect using ifconfig and iptables commands
// 4. Launch a Container and make sure the IP-Address is in the expected subnet
// 5. Delete the docker0 Bridge
// 6. Restart the Docker Daemon (via deferred action)
// This Restart takes care of bringing docker0 interface back to auto-assigned IP
defaultNetworkBridge := "docker0"
deleteInterface(c, defaultNetworkBridge)
d := s.d
bridgeIP := "192.169.1.1/24"
ip, bridgeIPNet, _ := net.ParseCIDR(bridgeIP)
d.StartWithBusybox(testutil.GetContext(c), c, "--bip", bridgeIP)
defer d.Restart(c)
ifconfigSearchString := ip.String()
icmd.RunCommand("ifconfig", defaultNetworkBridge).Assert(c, icmd.Expected{
Out: ifconfigSearchString,
})
ipTablesSearchString := bridgeIPNet.String()
icmd.RunCommand("iptables", "-t", "nat", "-nvL").Assert(c, icmd.Expected{
Out: ipTablesSearchString,
})
out, err := d.Cmd("run", "-d", "--name", "test", "busybox", "top")
assert.NilError(c, err, out)
containerIP := d.FindContainerIP(c, "test")
ip = net.ParseIP(containerIP)
assert.Equal(c, bridgeIPNet.Contains(ip), true, fmt.Sprintf("Container IP-Address must be in the same subnet range : %s", containerIP))
deleteInterface(c, defaultNetworkBridge)
}
func (s *DockerDaemonSuite) TestDaemonRestartWithBridgeIPChange(c *testing.T) {
s.d.Start(c)
defer s.d.Restart(c)
s.d.Stop(c)
// now we will change the docker0's IP and then try starting the daemon
bridgeIP := "192.169.100.1/24"
_, bridgeIPNet, _ := net.ParseCIDR(bridgeIP)
icmd.RunCommand("ifconfig", "docker0", bridgeIP).Assert(c, icmd.Success)
s.d.Start(c, "--bip", bridgeIP)
// check if the iptables contains new bridgeIP MASQUERADE rule
ipTablesSearchString := bridgeIPNet.String()
icmd.RunCommand("iptables", "-t", "nat", "-nvL").Assert(c, icmd.Expected{
Out: ipTablesSearchString,
})
}
func (s *DockerDaemonSuite) TestDaemonBridgeFixedCidr(c *testing.T) {
d := s.d
// make sure the default docker0 bridge doesn't interfere with the test,
// which may happen if it was created with the same IP range.
deleteInterface(c, "docker0")
bridgeName := "ext-bridge2"
bridgeIP := "192.169.1.1/24"
createInterface(c, "bridge", bridgeName, bridgeIP)
defer deleteInterface(c, bridgeName)
args := []string{"--bridge", bridgeName, "--fixed-cidr", "192.169.1.0/30"}
d.StartWithBusybox(testutil.GetContext(c), c, args...)
defer d.Restart(c)
for i := 0; i < 4; i++ {
cName := "Container" + strconv.Itoa(i)
out, err := d.Cmd("run", "-d", "--name", cName, "busybox", "top")
if err != nil {
assert.Assert(c, strings.Contains(out, "no available IPv4 addresses"), "Could not run a Container : %s %s", err.Error(), out)
}
}
}
func (s *DockerDaemonSuite) TestDaemonBridgeFixedCidr2(c *testing.T) {
d := s.d
// make sure the default docker0 bridge doesn't interfere with the test,
// which may happen if it was created with the same IP range.
deleteInterface(c, "docker0")
bridgeName := "ext-bridge3"
bridgeIP := "10.2.2.1/16"
createInterface(c, "bridge", bridgeName, bridgeIP)
defer deleteInterface(c, bridgeName)
d.StartWithBusybox(testutil.GetContext(c), c, "--bip", bridgeIP, "--fixed-cidr", "10.2.2.0/24")
defer s.d.Restart(c)
out, err := d.Cmd("run", "-d", "--name", "bb", "busybox", "top")
assert.NilError(c, err, out)
defer d.Cmd("stop", "bb")
out, err = d.Cmd("exec", "bb", "/bin/sh", "-c", "ifconfig eth0 | awk '/inet addr/{print substr($2,6)}'")
assert.NilError(c, err)
assert.Equal(c, out, "10.2.2.0\n")
out, err = d.Cmd("run", "--rm", "busybox", "/bin/sh", "-c", "ifconfig eth0 | awk '/inet addr/{print substr($2,6)}'")
assert.NilError(c, err, out)
assert.Equal(c, out, "10.2.2.2\n")
}
func (s *DockerDaemonSuite) TestDaemonBridgeFixedCIDREqualBridgeNetwork(c *testing.T) {
d := s.d
// make sure the default docker0 bridge doesn't interfere with the test,
// which may happen if it was created with the same IP range.
deleteInterface(c, "docker0")
bridgeName := "ext-bridge4"
bridgeIP := "172.27.42.1/16"
createInterface(c, "bridge", bridgeName, bridgeIP)
defer deleteInterface(c, bridgeName)
d.StartWithBusybox(testutil.GetContext(c), c, "--bridge", bridgeName, "--fixed-cidr", bridgeIP)
defer s.d.Restart(c)
out, err := d.Cmd("run", "-d", "busybox", "top")
assert.NilError(c, err, out)
cid1 := strings.TrimSpace(out)
defer d.Cmd("stop", cid1)
}
func (s *DockerDaemonSuite) TestDaemonDefaultGatewayIPv4Implicit(c *testing.T) {
defaultNetworkBridge := "docker0"
deleteInterface(c, defaultNetworkBridge)
d := s.d
bridgeIP := "192.169.1.1"
bridgeIPNet := fmt.Sprintf("%s/24", bridgeIP)
d.StartWithBusybox(testutil.GetContext(c), c, "--bip", bridgeIPNet)
defer d.Restart(c)
expectedMessage := fmt.Sprintf("default via %s dev", bridgeIP)
out, err := d.Cmd("run", "busybox", "ip", "-4", "route", "list", "0/0")
assert.NilError(c, err, out)
assert.Equal(c, strings.Contains(out, expectedMessage), true, fmt.Sprintf("Implicit default gateway should be bridge IP %s, but default route was '%s'", bridgeIP, strings.TrimSpace(out)))
deleteInterface(c, defaultNetworkBridge)
}
func (s *DockerDaemonSuite) TestDaemonDefaultGatewayIPv4Explicit(c *testing.T) {
defaultNetworkBridge := "docker0"
deleteInterface(c, defaultNetworkBridge)
d := s.d
bridgeIP := "192.169.1.1"
bridgeIPNet := fmt.Sprintf("%s/24", bridgeIP)
gatewayIP := "192.169.1.254"
d.StartWithBusybox(testutil.GetContext(c), c, "--bip", bridgeIPNet, "--default-gateway", gatewayIP)
defer d.Restart(c)
expectedMessage := fmt.Sprintf("default via %s dev", gatewayIP)
out, err := d.Cmd("run", "busybox", "ip", "-4", "route", "list", "0/0")
assert.NilError(c, err, out)
assert.Equal(c, strings.Contains(out, expectedMessage), true, fmt.Sprintf("Explicit default gateway should be %s, but default route was '%s'", gatewayIP, strings.TrimSpace(out)))
deleteInterface(c, defaultNetworkBridge)
}
func (s *DockerDaemonSuite) TestDaemonDefaultGatewayIPv4ExplicitOutsideContainerSubnet(c *testing.T) {
defaultNetworkBridge := "docker0"
deleteInterface(c, defaultNetworkBridge)
// Program a custom default gateway outside of the container subnet, daemon should accept it and start
s.d.StartWithBusybox(testutil.GetContext(c), c, "--bip", "172.16.0.10/16", "--fixed-cidr", "172.16.1.0/24", "--default-gateway", "172.16.0.254")
deleteInterface(c, defaultNetworkBridge)
s.d.Restart(c)
}
func (s *DockerDaemonSuite) TestDaemonIP(c *testing.T) {
d := s.d
// make sure the default docker0 bridge doesn't interfere with the test,
// which may happen if it was created with the same IP range.
deleteInterface(c, "docker0")
ipStr := "192.170.1.1/24"
ip, _, _ := net.ParseCIDR(ipStr)
args := []string{"--ip", ip.String()}
d.StartWithBusybox(testutil.GetContext(c), c, args...)
defer d.Restart(c)
out, err := d.Cmd("run", "-d", "-p", "8000:8000", "busybox", "top")
assert.Assert(c, err != nil, "Running a container must fail with an invalid --ip option")
assert.Equal(c, strings.Contains(out, "Error starting userland proxy"), true)
ifName := "dummy"
createInterface(c, "dummy", ifName, ipStr)
defer deleteInterface(c, ifName)
_, err = d.Cmd("run", "-d", "-p", "8000:8000", "busybox", "top")
assert.NilError(c, err, out)
result := icmd.RunCommand("iptables", "-t", "nat", "-nvL")
result.Assert(c, icmd.Success)
regex := fmt.Sprintf("DNAT.*%s.*dpt:8000", ip.String())
matched, _ := regexp.MatchString(regex, result.Combined())
assert.Equal(c, matched, true, fmt.Sprintf("iptables output should have contained %q, but was %q", regex, result.Combined()))
}
func (s *DockerDaemonSuite) TestDaemonICCPing(c *testing.T) {
testRequires(c, bridgeNfIptables)
d := s.d
// make sure the default docker0 bridge doesn't interfere with the test,
// which may happen if it was created with the same IP range.
deleteInterface(c, "docker0")
const bridgeName = "ext-bridge5"
const bridgeIP = "192.169.1.1/24"
createInterface(c, "bridge", bridgeName, bridgeIP)
defer deleteInterface(c, bridgeName)
d.StartWithBusybox(testutil.GetContext(c), c, "--bridge", bridgeName, "--icc=false")
defer d.Restart(c)
result := icmd.RunCommand("sh", "-c", "iptables -vL FORWARD | grep DROP")
result.Assert(c, icmd.Success)
// strip whitespace and newlines to verify we only found a single DROP
out := strings.TrimSpace(result.Stdout())
assert.Assert(c, is.Equal(strings.Count(out, "\n"), 0), "only expected a single DROP rules")
// Column headers are stripped because of grep-ing, but should be:
//
// pkts bytes target prot opt in out source destination
// 0 0 DROP all -- ext-bridge5 ext-bridge5 anywhere anywhere
cols := strings.Fields(out)
expected := []string{"0", "0", "DROP", "all", "--", bridgeName, bridgeName, "anywhere", "anywhere"}
assert.DeepEqual(c, cols, expected)
// Pinging another container must fail with --icc=false
pingContainers(c, d, true)
const cidr = "192.171.1.1/24"
ip, _, _ := net.ParseCIDR(cidr)
const ifName = "icc-dummy"
createInterface(c, "dummy", ifName, cidr)
defer deleteInterface(c, ifName)
// But, Pinging external or a Host interface must succeed
pingCmd := fmt.Sprintf("ping -c 1 %s -W 1", ip.String())
runArgs := []string{"run", "--rm", "busybox", "sh", "-c", pingCmd}
out, err := d.Cmd(runArgs...)
assert.NilError(c, err, out)
}
func (s *DockerDaemonSuite) TestDaemonICCLinkExpose(c *testing.T) {
d := s.d
// make sure the default docker0 bridge doesn't interfere with the test,
// which may happen if it was created with the same IP range.
deleteInterface(c, "docker0")
const bridgeName = "ext-bridge6"
const bridgeIP = "192.169.1.1/24"
createInterface(c, "bridge", bridgeName, bridgeIP)
defer deleteInterface(c, bridgeName)
d.StartWithBusybox(testutil.GetContext(c), c, "--bridge", bridgeName, "--icc=false")
defer d.Restart(c)
result := icmd.RunCommand("sh", "-c", "iptables -vL FORWARD | grep DROP")
result.Assert(c, icmd.Success)
// strip whitespace and newlines to verify we only found a single DROP
out := strings.TrimSpace(result.Stdout())
assert.Assert(c, is.Equal(strings.Count(out, "\n"), 0), "only expected a single DROP rules")
// Column headers are stripped because of grep-ing, but should be:
//
// pkts bytes target prot opt in out source destination
// 0 0 DROP all -- ext-bridge6 ext-bridge6 anywhere anywhere
cols := strings.Fields(out)
expected := []string{"0", "0", "DROP", "all", "--", bridgeName, bridgeName, "anywhere", "anywhere"}
assert.DeepEqual(c, cols, expected)
out, err := d.Cmd("run", "-d", "--expose", "4567", "--name", "icc1", "busybox", "nc", "-l", "-p", "4567")
assert.NilError(c, err, out)
out, err = d.Cmd("run", "--link", "icc1:icc1", "busybox", "nc", "icc1", "4567")
assert.NilError(c, err, out)
}
func (s *DockerDaemonSuite) TestDaemonLinksIpTablesRulesWhenLinkAndUnlink(c *testing.T) {
// make sure the default docker0 bridge doesn't interfere with the test,
// which may happen if it was created with the same IP range.
deleteInterface(c, "docker0")
bridgeName := "ext-bridge7"
bridgeIP := "192.169.1.1/24"
createInterface(c, "bridge", bridgeName, bridgeIP)
defer deleteInterface(c, bridgeName)
s.d.StartWithBusybox(testutil.GetContext(c), c, "--bridge", bridgeName, "--icc=false")
defer s.d.Restart(c)
out, err := s.d.Cmd("run", "-d", "--name", "child", "--publish", "8080:80", "busybox", "top")
assert.NilError(c, err, out)
out, err = s.d.Cmd("run", "-d", "--name", "parent", "--link", "child:http", "busybox", "top")
assert.NilError(c, err, out)
childIP := s.d.FindContainerIP(c, "child")
parentIP := s.d.FindContainerIP(c, "parent")
sourceRule := []string{"-i", bridgeName, "-o", bridgeName, "-p", "tcp", "-s", childIP, "--sport", "80", "-d", parentIP, "-j", "ACCEPT"}
destinationRule := []string{"-i", bridgeName, "-o", bridgeName, "-p", "tcp", "-s", parentIP, "--dport", "80", "-d", childIP, "-j", "ACCEPT"}
iptable := iptables.GetIptable(iptables.IPv4)
if !iptable.Exists("filter", "DOCKER", sourceRule...) || !iptable.Exists("filter", "DOCKER", destinationRule...) {
c.Fatal("Iptables rules not found")
}
s.d.Cmd("rm", "--link", "parent/http")
if iptable.Exists("filter", "DOCKER", sourceRule...) || iptable.Exists("filter", "DOCKER", destinationRule...) {
c.Fatal("Iptables rules should be removed when unlink")
}
s.d.Cmd("kill", "child")
s.d.Cmd("kill", "parent")
}
func (s *DockerDaemonSuite) TestDaemonUlimitDefaults(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c, "--default-ulimit", "nofile=42:42", "--default-ulimit", "nproc=1024:1024")
out, err := s.d.Cmd("run", "--ulimit", "nproc=2048", "--name=test", "busybox", "/bin/sh", "-c", "echo $(ulimit -n); echo $(ulimit -u)")
if err != nil {
c.Fatal(err, out)
}
outArr := strings.Split(out, "\n")
if len(outArr) < 2 {
c.Fatalf("got unexpected output: %s", out)
}
nofile := strings.TrimSpace(outArr[0])
nproc := strings.TrimSpace(outArr[1])
if nofile != "42" {
c.Fatalf("expected `ulimit -n` to be `42`, got: %s", nofile)
}
if nproc != "2048" {
c.Fatalf("expected `ulimit -u` to be 2048, got: %s", nproc)
}
// Now restart daemon with a new default
s.d.Restart(c, "--default-ulimit", "nofile=43")
out, err = s.d.Cmd("start", "-a", "test")
if err != nil {
c.Fatal(err, out)
}
outArr = strings.Split(out, "\n")
if len(outArr) < 2 {
c.Fatalf("got unexpected output: %s", out)
}
nofile = strings.TrimSpace(outArr[0])
nproc = strings.TrimSpace(outArr[1])
if nofile != "43" {
c.Fatalf("expected `ulimit -n` to be `43`, got: %s", nofile)
}
if nproc != "2048" {
c.Fatalf("expected `ulimit -u` to be 2048, got: %s", nproc)
}
}
// #11315
func (s *DockerDaemonSuite) TestDaemonRestartRenameContainer(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
if out, err := s.d.Cmd("run", "--name=test", "busybox"); err != nil {
c.Fatal(err, out)
}
if out, err := s.d.Cmd("rename", "test", "test2"); err != nil {
c.Fatal(err, out)
}
s.d.Restart(c)
if out, err := s.d.Cmd("start", "test2"); err != nil {
c.Fatal(err, out)
}
}
func (s *DockerDaemonSuite) TestDaemonLoggingDriverDefault(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
out, err := s.d.Cmd("run", "--name=test", "busybox", "echo", "testline")
assert.NilError(c, err, out)
id, err := s.d.GetIDByName("test")
assert.NilError(c, err)
logPath := filepath.Join(s.d.Root, "containers", id, id+"-json.log")
if _, err := os.Stat(logPath); err != nil {
c.Fatal(err)
}
f, err := os.Open(logPath)
if err != nil {
c.Fatal(err)
}
defer f.Close()
var res struct {
Log string `json:"log"`
Stream string `json:"stream"`
Time time.Time `json:"time"`
}
if err := json.NewDecoder(f).Decode(&res); err != nil {
c.Fatal(err)
}
if res.Log != "testline\n" {
c.Fatalf("Unexpected log line: %q, expected: %q", res.Log, "testline\n")
}
if res.Stream != "stdout" {
c.Fatalf("Unexpected stream: %q, expected: %q", res.Stream, "stdout")
}
if !time.Now().After(res.Time) {
c.Fatalf("Log time %v in future", res.Time)
}
}
func (s *DockerDaemonSuite) TestDaemonLoggingDriverDefaultOverride(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
out, err := s.d.Cmd("run", "--name=test", "--log-driver=none", "busybox", "echo", "testline")
if err != nil {
c.Fatal(out, err)
}
id, err := s.d.GetIDByName("test")
assert.NilError(c, err)
logPath := filepath.Join(s.d.Root, "containers", id, id+"-json.log")
if _, err := os.Stat(logPath); err == nil || !os.IsNotExist(err) {
c.Fatalf("%s shouldn't exits, error on Stat: %s", logPath, err)
}
}
func (s *DockerDaemonSuite) TestDaemonLoggingDriverNone(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c, "--log-driver=none")
out, err := s.d.Cmd("run", "--name=test", "busybox", "echo", "testline")
if err != nil {
c.Fatal(out, err)
}
id, err := s.d.GetIDByName("test")
assert.NilError(c, err)
logPath := filepath.Join(s.d.Root, "containers", id, id+"-json.log")
if _, err := os.Stat(logPath); err == nil || !os.IsNotExist(err) {
c.Fatalf("%s shouldn't exits, error on Stat: %s", logPath, err)
}
}
func (s *DockerDaemonSuite) TestDaemonLoggingDriverNoneOverride(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c, "--log-driver=none")
out, err := s.d.Cmd("run", "--name=test", "--log-driver=json-file", "busybox", "echo", "testline")
if err != nil {
c.Fatal(out, err)
}
id, err := s.d.GetIDByName("test")
assert.NilError(c, err)
logPath := filepath.Join(s.d.Root, "containers", id, id+"-json.log")
if _, err := os.Stat(logPath); err != nil {
c.Fatal(err)
}
f, err := os.Open(logPath)
if err != nil {
c.Fatal(err)
}
defer f.Close()
var res struct {
Log string `json:"log"`
Stream string `json:"stream"`
Time time.Time `json:"time"`
}
if err := json.NewDecoder(f).Decode(&res); err != nil {
c.Fatal(err)
}
if res.Log != "testline\n" {
c.Fatalf("Unexpected log line: %q, expected: %q", res.Log, "testline\n")
}
if res.Stream != "stdout" {
c.Fatalf("Unexpected stream: %q, expected: %q", res.Stream, "stdout")
}
if !time.Now().After(res.Time) {
c.Fatalf("Log time %v in future", res.Time)
}
}
func (s *DockerDaemonSuite) TestDaemonLoggingDriverNoneLogsError(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c, "--log-driver=none")
out, err := s.d.Cmd("run", "--name=test", "busybox", "echo", "testline")
assert.NilError(c, err, out)
out, err = s.d.Cmd("logs", "test")
assert.Assert(c, err != nil, "Logs should fail with 'none' driver")
expected := `configured logging driver does not support reading`
assert.Assert(c, strings.Contains(out, expected))
}
func (s *DockerDaemonSuite) TestDaemonLoggingDriverShouldBeIgnoredForBuild(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c, "--log-driver=splunk")
result := cli.BuildCmd(c, "busyboxs", cli.Daemon(s.d),
build.WithDockerfile(`
FROM busybox
RUN echo foo`),
build.WithoutCache,
)
comment := fmt.Sprintf("Failed to build image. output %s, exitCode %d, err %v", result.Combined(), result.ExitCode, result.Error)
assert.Assert(c, result.Error == nil, comment)
assert.Equal(c, result.ExitCode, 0, comment)
assert.Assert(c, strings.Contains(result.Combined(), "foo"), comment)
}
func (s *DockerDaemonSuite) TestDaemonUnixSockCleanedUp(c *testing.T) {
dir, err := os.MkdirTemp("", "socket-cleanup-test")
if err != nil {
c.Fatal(err)
}
defer os.RemoveAll(dir)
sockPath := filepath.Join(dir, "docker.sock")
s.d.Start(c, "--host", "unix://"+sockPath)
if _, err := os.Stat(sockPath); err != nil {
c.Fatal("socket does not exist")
}
s.d.Stop(c)
if _, err := os.Stat(sockPath); err == nil || !os.IsNotExist(err) {
c.Fatal("unix socket is not cleaned up")
}
}
func (s *DockerDaemonSuite) TestDaemonRestartKillWait(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
out, err := s.d.Cmd("run", "-id", "busybox", "/bin/cat")
if err != nil {
c.Fatalf("Could not run /bin/cat: err=%v\n%s", err, out)
}
containerID := strings.TrimSpace(out)
if out, err := s.d.Cmd("kill", containerID); err != nil {
c.Fatalf("Could not kill %s: err=%v\n%s", containerID, err, out)
}
s.d.Restart(c)
errchan := make(chan error, 1)
go func() {
if out, err := s.d.Cmd("wait", containerID); err != nil {
errchan <- fmt.Errorf("%v:\n%s", err, out)
}
close(errchan)
}()
select {
case <-time.After(5 * time.Second):
c.Fatal("Waiting on a stopped (killed) container timed out")
case err := <-errchan:
if err != nil {
c.Fatal(err)
}
}
}
// TestHTTPSInfo connects via two-way authenticated HTTPS to the info endpoint
func (s *DockerDaemonSuite) TestHTTPSInfo(c *testing.T) {
const (
testDaemonHTTPSAddr = "tcp://localhost:4271"
)
s.d.Start(c,
"--tlsverify",
"--tlscacert", "fixtures/https/ca.pem",
"--tlscert", "fixtures/https/server-cert.pem",
"--tlskey", "fixtures/https/server-key.pem",
"-H", testDaemonHTTPSAddr)
args := []string{
"--host", testDaemonHTTPSAddr,
"--tlsverify",
"--tlscacert", "fixtures/https/ca.pem",
"--tlscert", "fixtures/https/client-cert.pem",
"--tlskey", "fixtures/https/client-key.pem",
"info",
}
out, err := s.d.Cmd(args...)
if err != nil {
c.Fatalf("Error Occurred: %s and output: %s", err, out)
}
}
// TestHTTPSRun connects via two-way authenticated HTTPS to the create, attach, start, and wait endpoints.
// https://github.com/docker/docker/issues/19280
func (s *DockerDaemonSuite) TestHTTPSRun(c *testing.T) {
const (
testDaemonHTTPSAddr = "tcp://localhost:4271"
)
s.d.StartWithBusybox(testutil.GetContext(c), c, "--tlsverify", "--tlscacert", "fixtures/https/ca.pem", "--tlscert", "fixtures/https/server-cert.pem",
"--tlskey", "fixtures/https/server-key.pem", "-H", testDaemonHTTPSAddr)
args := []string{
"--host", testDaemonHTTPSAddr,
"--tlsverify", "--tlscacert", "fixtures/https/ca.pem",
"--tlscert", "fixtures/https/client-cert.pem",
"--tlskey", "fixtures/https/client-key.pem",
"run", "busybox", "echo", "TLS response",
}
out, err := s.d.Cmd(args...)
if err != nil {
c.Fatalf("Error Occurred: %s and output: %s", err, out)
}
if !strings.Contains(out, "TLS response") {
c.Fatalf("expected output to include `TLS response`, got %v", out)
}
}
// TestTLSVerify verifies that --tlsverify=false turns on tls
func (s *DockerDaemonSuite) TestTLSVerify(c *testing.T) {
out, err := exec.Command(dockerdBinary, "--tlsverify=false").CombinedOutput()
if err == nil || !strings.Contains(string(out), "could not load X509 key pair") {
c.Fatalf("Daemon should not have started due to missing certs: %v\n%s", err, string(out))
}
}
// TestHTTPSInfoRogueCert connects via two-way authenticated HTTPS to the info endpoint
// by using a rogue client certificate and checks that it fails with the expected error.
func (s *DockerDaemonSuite) TestHTTPSInfoRogueCert(c *testing.T) {
const (
errBadCertificate = "bad certificate"
testDaemonHTTPSAddr = "tcp://localhost:4271"
)
s.d.Start(c,
"--tlsverify",
"--tlscacert", "fixtures/https/ca.pem",
"--tlscert", "fixtures/https/server-cert.pem",
"--tlskey", "fixtures/https/server-key.pem",
"-H", testDaemonHTTPSAddr)
args := []string{
"--host", testDaemonHTTPSAddr,
"--tlsverify",
"--tlscacert", "fixtures/https/ca.pem",
"--tlscert", "fixtures/https/client-rogue-cert.pem",
"--tlskey", "fixtures/https/client-rogue-key.pem",
"info",
}
out, err := s.d.Cmd(args...)
if err == nil || !strings.Contains(out, errBadCertificate) {
c.Fatalf("Expected err: %s, got instead: %s and output: %s", errBadCertificate, err, out)
}
}
// TestHTTPSInfoRogueServerCert connects via two-way authenticated HTTPS to the info endpoint
// which provides a rogue server certificate and checks that it fails with the expected error
func (s *DockerDaemonSuite) TestHTTPSInfoRogueServerCert(c *testing.T) {
const (
errCaUnknown = "x509: certificate signed by unknown authority"
testDaemonRogueHTTPSAddr = "tcp://localhost:4272"
)
s.d.Start(c,
"--tlsverify",
"--tlscacert", "fixtures/https/ca.pem",
"--tlscert", "fixtures/https/server-rogue-cert.pem",
"--tlskey", "fixtures/https/server-rogue-key.pem",
"-H", testDaemonRogueHTTPSAddr)
args := []string{
"--host", testDaemonRogueHTTPSAddr,
"--tlsverify",
"--tlscacert", "fixtures/https/ca.pem",
"--tlscert", "fixtures/https/client-rogue-cert.pem",
"--tlskey", "fixtures/https/client-rogue-key.pem",
"info",
}
out, err := s.d.Cmd(args...)
if err == nil || !strings.Contains(out, errCaUnknown) {
c.Fatalf("Expected err: %s, got instead: %s and output: %s", errCaUnknown, err, out)
}
}
func pingContainers(c *testing.T, d *daemon.Daemon, expectFailure bool) {
var dargs []string
if d != nil {
dargs = []string{"--host", d.Sock()}
}
args := append(dargs, "run", "-d", "--name", "container1", "busybox", "top")
cli.DockerCmd(c, args...)
args = append(dargs, "run", "--rm", "--link", "container1:alias1", "busybox", "sh", "-c")
pingCmd := "ping -c 1 %s -W 1"
args = append(args, fmt.Sprintf(pingCmd, "alias1"))
_, _, err := dockerCmdWithError(args...)
if expectFailure {
assert.ErrorContains(c, err, "")
} else {
assert.NilError(c, err)
}
args = append(dargs, "rm", "-f", "container1")
cli.DockerCmd(c, args...)
}
func (s *DockerDaemonSuite) TestDaemonRestartWithSocketAsVolume(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
socket := filepath.Join(s.d.Folder, "docker.sock")
out, err := s.d.Cmd("run", "--restart=always", "-v", socket+":/sock", "busybox")
assert.NilError(c, err, "Output: %s", out)
s.d.Restart(c)
}
// os.Kill should kill daemon ungracefully, leaving behind container mounts.
// A subsequent daemon restart should clean up said mounts.
func (s *DockerDaemonSuite) TestCleanupMountsAfterDaemonAndContainerKill(c *testing.T) {
d := daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
d.StartWithBusybox(testutil.GetContext(c), c)
out, err := d.Cmd("run", "-d", "busybox", "top")
assert.NilError(c, err, "Output: %s", out)
id := strings.TrimSpace(out)
// If there are no mounts with container id visible from the host
// (as those are in container's own mount ns), there is nothing
// to check here and the test should be skipped.
mountOut, err := os.ReadFile("/proc/self/mountinfo")
assert.NilError(c, err, "Output: %s", mountOut)
if !strings.Contains(string(mountOut), id) {
d.Stop(c)
c.Skip("no container mounts visible in host ns")
}
// kill the daemon
assert.NilError(c, d.Kill())
// kill the container
icmd.RunCommand(ctrBinary, "--address", containerdSocket,
"--namespace", d.ContainersNamespace(), "tasks", "kill", id).Assert(c, icmd.Success)
// restart daemon.
d.Restart(c)
// Now, container mounts should be gone.
mountOut, err = os.ReadFile("/proc/self/mountinfo")
assert.NilError(c, err, "Output: %s", mountOut)
assert.Assert(c, !strings.Contains(string(mountOut), id), "%s is still mounted from older daemon start:\nDaemon root repository %s\n%s", id, d.Root, mountOut)
d.Stop(c)
}
// os.Interrupt should perform a graceful daemon shutdown and hence cleanup mounts.
func (s *DockerDaemonSuite) TestCleanupMountsAfterGracefulShutdown(c *testing.T) {
d := daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
d.StartWithBusybox(testutil.GetContext(c), c)
out, err := d.Cmd("run", "-d", "busybox", "top")
assert.NilError(c, err, "Output: %s", out)
id := strings.TrimSpace(out)
// Send SIGINT and daemon should clean up
assert.NilError(c, d.Signal(os.Interrupt))
// Wait for the daemon to stop.
assert.NilError(c, <-d.Wait)
mountOut, err := os.ReadFile("/proc/self/mountinfo")
assert.NilError(c, err, "Output: %s", mountOut)
assert.Assert(c, !strings.Contains(string(mountOut), id), "%s is still mounted from older daemon start:\nDaemon root repository %s\n%s", id, d.Root, mountOut)
}
func (s *DockerDaemonSuite) TestDaemonRestartWithContainerRunning(t *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(t), t)
if out, err := s.d.Cmd("run", "-d", "--name", "test", "busybox", "top"); err != nil {
t.Fatal(out, err)
}
s.d.Restart(t)
// Container 'test' should be removed without error
if out, err := s.d.Cmd("rm", "test"); err != nil {
t.Fatal(out, err)
}
}
func (s *DockerDaemonSuite) TestDaemonRestartCleanupNetns(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
out, err := s.d.Cmd("run", "--name", "netns", "-d", "busybox", "top")
if err != nil {
c.Fatal(out, err)
}
// Get sandbox key via inspect
out, err = s.d.Cmd("inspect", "--format", "'{{.NetworkSettings.SandboxKey}}'", "netns")
if err != nil {
c.Fatalf("Error inspecting container: %s, %v", out, err)
}
fileName := strings.Trim(out, " \r\n'")
if out, err := s.d.Cmd("stop", "netns"); err != nil {
c.Fatal(out, err)
}
// Test if the file still exists
icmd.RunCommand("stat", "-c", "%n", fileName).Assert(c, icmd.Expected{
Out: fileName,
})
// Remove the container and restart the daemon
if out, err := s.d.Cmd("rm", "netns"); err != nil {
c.Fatal(out, err)
}
s.d.Restart(c)
// Test again and see now the netns file does not exist
icmd.RunCommand("stat", "-c", "%n", fileName).Assert(c, icmd.Expected{
Err: "No such file or directory",
ExitCode: 1,
})
}
// tests regression detailed in #13964 where DOCKER_TLS_VERIFY env is ignored
func (s *DockerDaemonSuite) TestDaemonTLSVerifyIssue13964(c *testing.T) {
host := "tcp://localhost:4271"
s.d.Start(c, "-H", host)
icmd.RunCmd(icmd.Cmd{
Command: []string{dockerBinary, "-H", host, "info"},
Env: []string{"DOCKER_TLS_VERIFY=1", "DOCKER_CERT_PATH=fixtures/https"},
}).Assert(c, icmd.Expected{
ExitCode: 1,
Err: "error during connect",
})
}
func setupV6(c *testing.T) {
// Hack to get the right IPv6 address on docker0, which has already been created
result := icmd.RunCommand("ip", "addr", "add", "fe80::1/64", "dev", "docker0")
result.Assert(c, icmd.Success)
}
func teardownV6(c *testing.T) {
result := icmd.RunCommand("ip", "addr", "del", "fe80::1/64", "dev", "docker0")
result.Assert(c, icmd.Success)
}
func (s *DockerDaemonSuite) TestDaemonRestartWithContainerWithRestartPolicyAlways(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
out, err := s.d.Cmd("run", "-d", "--restart", "always", "busybox", "top")
assert.NilError(c, err, out)
id := strings.TrimSpace(out)
out, err = s.d.Cmd("stop", id)
assert.NilError(c, err, out)
out, err = s.d.Cmd("wait", id)
assert.NilError(c, err, out)
out, err = s.d.Cmd("ps", "-q")
assert.NilError(c, err, out)
assert.Equal(c, out, "")
s.d.Restart(c)
out, err = s.d.Cmd("ps", "-q")
assert.NilError(c, err, out)
assert.Equal(c, strings.TrimSpace(out), id[:12])
}
func (s *DockerDaemonSuite) TestDaemonWideLogConfig(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c, "--log-opt=max-size=1k")
name := "logtest"
out, err := s.d.Cmd("run", "-d", "--log-opt=max-file=5", "--name", name, "busybox", "top")
assert.NilError(c, err, "Output: %s, err: %v", out, err)
out, err = s.d.Cmd("inspect", "-f", "{{ .HostConfig.LogConfig.Config }}", name)
assert.NilError(c, err, "Output: %s", out)
assert.Assert(c, strings.Contains(out, "max-size:1k"))
assert.Assert(c, strings.Contains(out, "max-file:5"))
out, err = s.d.Cmd("inspect", "-f", "{{ .HostConfig.LogConfig.Type }}", name)
assert.NilError(c, err, "Output: %s", out)
assert.Equal(c, strings.TrimSpace(out), "json-file")
}
func (s *DockerDaemonSuite) TestDaemonRestartWithPausedContainer(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
if out, err := s.d.Cmd("run", "-i", "-d", "--name", "test", "busybox", "top"); err != nil {
c.Fatal(err, out)
}
if out, err := s.d.Cmd("pause", "test"); err != nil {
c.Fatal(err, out)
}
s.d.Restart(c)
errchan := make(chan error, 1)
go func() {
out, err := s.d.Cmd("start", "test")
if err != nil {
errchan <- fmt.Errorf("%v:\n%s", err, out)
return
}
name := strings.TrimSpace(out)
if name != "test" {
errchan <- fmt.Errorf("Paused container start error on docker daemon restart, expected 'test' but got '%s'", name)
return
}
close(errchan)
}()
select {
case <-time.After(5 * time.Second):
c.Fatal("Waiting on start a container timed out")
case err := <-errchan:
if err != nil {
c.Fatal(err)
}
}
}
func (s *DockerDaemonSuite) TestDaemonRestartRmVolumeInUse(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
out, err := s.d.Cmd("create", "-v", "test:/foo", "busybox")
assert.NilError(c, err, out)
s.d.Restart(c)
out, err = s.d.Cmd("volume", "rm", "test")
assert.Assert(c, err != nil, "should not be able to remove in use volume after daemon restart")
assert.Assert(c, strings.Contains(out, "in use"))
}
func (s *DockerDaemonSuite) TestDaemonRestartLocalVolumes(c *testing.T) {
s.d.Start(c)
out, err := s.d.Cmd("volume", "create", "test")
assert.NilError(c, err, out)
s.d.Restart(c)
out, err = s.d.Cmd("volume", "inspect", "test")
assert.NilError(c, err, out)
}
// FIXME(vdemeester) Use a new daemon instance instead of the Suite one
func (s *DockerDaemonSuite) TestDaemonStartWithoutHost(c *testing.T) {
s.d.UseDefaultHost = true
defer func() {
s.d.UseDefaultHost = false
}()
s.d.Start(c)
}
// FIXME(vdemeester) Use a new daemon instance instead of the Suite one
func (s *DockerDaemonSuite) TestDaemonStartWithDefaultTLSHost(c *testing.T) {
s.d.UseDefaultTLSHost = true
defer func() {
s.d.UseDefaultTLSHost = false
}()
s.d.Start(c,
"--tlsverify",
"--tlscacert", "fixtures/https/ca.pem",
"--tlscert", "fixtures/https/server-cert.pem",
"--tlskey", "fixtures/https/server-key.pem")
// The client with --tlsverify should also use default host localhost:2376
c.Setenv("DOCKER_HOST", "")
out := cli.DockerCmd(c,
"--tlsverify",
"--tlscacert", "fixtures/https/ca.pem",
"--tlscert", "fixtures/https/client-cert.pem",
"--tlskey", "fixtures/https/client-key.pem",
"version",
).Stdout()
if !strings.Contains(out, "Server") {
c.Fatalf("docker version should return information of server side")
}
// ensure when connecting to the server that only a single acceptable CA is requested
contents, err := os.ReadFile("fixtures/https/ca.pem")
assert.NilError(c, err)
rootCert, err := helpers.ParseCertificatePEM(contents)
assert.NilError(c, err)
rootPool := x509.NewCertPool()
rootPool.AddCert(rootCert)
var certRequestInfo *tls.CertificateRequestInfo
conn, err := tls.Dial("tcp", fmt.Sprintf("%s:%d", opts.DefaultHTTPHost, opts.DefaultTLSHTTPPort), &tls.Config{
RootCAs: rootPool,
GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
certRequestInfo = cri
cert, err := tls.LoadX509KeyPair("fixtures/https/client-cert.pem", "fixtures/https/client-key.pem")
if err != nil {
return nil, err
}
return &cert, nil
},
})
assert.NilError(c, err)
conn.Close()
assert.Assert(c, certRequestInfo != nil)
assert.Equal(c, len(certRequestInfo.AcceptableCAs), 1)
assert.DeepEqual(c, certRequestInfo.AcceptableCAs[0], rootCert.RawSubject)
}
func (s *DockerDaemonSuite) TestBridgeIPIsExcludedFromAllocatorPool(c *testing.T) {
defaultNetworkBridge := "docker0"
deleteInterface(c, defaultNetworkBridge)
bridgeIP := "192.169.1.1"
bridgeRange := bridgeIP + "/30"
s.d.StartWithBusybox(testutil.GetContext(c), c, "--bip", bridgeRange)
defer s.d.Restart(c)
var cont int
for {
contName := fmt.Sprintf("container%d", cont)
_, err := s.d.Cmd("run", "--name", contName, "-d", "busybox", "/bin/sleep", "2")
if err != nil {
// pool exhausted
break
}
ip, err := s.d.Cmd("inspect", "--format", "'{{.NetworkSettings.IPAddress}}'", contName)
assert.Assert(c, err == nil, ip)
assert.Assert(c, ip != bridgeIP)
cont++
}
}
// Test daemon for no space left on device error
func (s *DockerDaemonSuite) TestDaemonNoSpaceLeftOnDeviceError(c *testing.T) {
testRequires(c, testEnv.IsLocalDaemon, DaemonIsLinux, Network)
testDir, err := os.MkdirTemp("", "no-space-left-on-device-test")
assert.NilError(c, err)
defer os.RemoveAll(testDir)
assert.Assert(c, mount.MakeRShared(testDir) == nil)
defer mount.Unmount(testDir)
// create a 3MiB image (with a 2MiB ext4 fs) and mount it as storage root
storageFS := filepath.Join(testDir, "testfs.img")
icmd.RunCommand("dd", "of="+storageFS, "bs=1M", "seek=3", "count=0").Assert(c, icmd.Success)
icmd.RunCommand("mkfs.ext4", "-F", storageFS).Assert(c, icmd.Success)
testMount, err := os.MkdirTemp(testDir, "test-mount")
assert.NilError(c, err)
icmd.RunCommand("mount", "-n", "-t", "ext4", storageFS, testMount).Assert(c, icmd.Success)
defer mount.Unmount(testMount)
driver := "vfs"
if testEnv.UsingSnapshotter() {
driver = "native"
}
s.d.Start(c,
"--data-root", testMount,
"--storage-driver", driver,
// Pass empty containerd socket to force daemon to create a new
// supervised containerd daemon, otherwise the global containerd daemon
// will be used and its data won't be stored in the specified data-root.
"--containerd", "",
)
defer s.d.Stop(c)
// pull a repository large enough to overfill the mounted filesystem
pullOut, err := s.d.Cmd("pull", "debian:bookworm-slim")
assert.Check(c, err != nil)
assert.Check(c, is.Contains(pullOut, "no space left on device"))
}
// Test daemon restart with container links + auto restart
func (s *DockerDaemonSuite) TestDaemonRestartContainerLinksRestart(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
var parent1Args []string
var parent2Args []string
wg := sync.WaitGroup{}
maxChildren := 10
chErr := make(chan error, maxChildren)
for i := 0; i < maxChildren; i++ {
wg.Add(1)
name := fmt.Sprintf("test%d", i)
if i < maxChildren/2 {
parent1Args = append(parent1Args, []string{"--link", name}...)
} else {
parent2Args = append(parent2Args, []string{"--link", name}...)
}
go func() {
_, err := s.d.Cmd("run", "-d", "--name", name, "--restart=always", "busybox", "top")
chErr <- err
wg.Done()
}()
}
wg.Wait()
close(chErr)
for err := range chErr {
assert.NilError(c, err)
}
parent1Args = append([]string{"run", "-d"}, parent1Args...)
parent1Args = append(parent1Args, []string{"--name=parent1", "--restart=always", "busybox", "top"}...)
parent2Args = append([]string{"run", "-d"}, parent2Args...)
parent2Args = append(parent2Args, []string{"--name=parent2", "--restart=always", "busybox", "top"}...)
_, err := s.d.Cmd(parent1Args...)
assert.NilError(c, err)
_, err = s.d.Cmd(parent2Args...)
assert.NilError(c, err)
s.d.Stop(c)
// clear the log file -- we don't need any of it but may for the next part
// can ignore the error here, this is just a cleanup
os.Truncate(s.d.LogFileName(), 0)
s.d.Start(c)
for _, num := range []string{"1", "2"} {
out, err := s.d.Cmd("inspect", "-f", "{{ .State.Running }}", "parent"+num)
assert.NilError(c, err)
if strings.TrimSpace(out) != "true" {
log, _ := os.ReadFile(s.d.LogFileName())
c.Fatalf("parent container is not running\n%s", string(log))
}
}
}
func (s *DockerDaemonSuite) TestDaemonCgroupParent(c *testing.T) {
testRequires(c, DaemonIsLinux)
cgroupParent := "test"
name := "cgroup-test"
s.d.StartWithBusybox(testutil.GetContext(c), c, "--cgroup-parent", cgroupParent)
defer s.d.Restart(c)
out, err := s.d.Cmd("run", "--name", name, "busybox", "cat", "/proc/self/cgroup")
assert.NilError(c, err)
cgroupPaths := ParseCgroupPaths(out)
assert.Assert(c, len(cgroupPaths) != 0, "unexpected output - %q", out)
out, err = s.d.Cmd("inspect", "-f", "{{.Id}}", name)
assert.NilError(c, err)
id := strings.TrimSpace(out)
expectedCgroup := path.Join(cgroupParent, id)
found := false
for _, p := range cgroupPaths {
if strings.HasSuffix(p, expectedCgroup) {
found = true
break
}
}
assert.Assert(c, found, "Cgroup path for container (%s) doesn't found in cgroups file: %s", expectedCgroup, cgroupPaths)
}
func (s *DockerDaemonSuite) TestDaemonRestartWithLinks(c *testing.T) {
testRequires(c, DaemonIsLinux) // Windows does not support links
s.d.StartWithBusybox(testutil.GetContext(c), c)
out, err := s.d.Cmd("run", "-d", "--name=test", "busybox", "top")
assert.NilError(c, err, out)
out, err = s.d.Cmd("run", "--name=test2", "--link", "test:abc", "busybox", "sh", "-c", "ping -c 1 -w 1 abc")
assert.NilError(c, err, out)
s.d.Restart(c)
// should fail since test is not running yet
out, err = s.d.Cmd("start", "test2")
assert.ErrorContains(c, err, "", out)
out, err = s.d.Cmd("start", "test")
assert.NilError(c, err, out)
out, err = s.d.Cmd("start", "-a", "test2")
assert.NilError(c, err, out)
assert.Equal(c, strings.Contains(out, "1 packets transmitted, 1 packets received"), true, out)
}
func (s *DockerDaemonSuite) TestDaemonRestartWithNames(c *testing.T) {
testRequires(c, DaemonIsLinux) // Windows does not support links
s.d.StartWithBusybox(testutil.GetContext(c), c)
out, err := s.d.Cmd("create", "--name=test", "busybox")
assert.NilError(c, err, out)
out, err = s.d.Cmd("run", "-d", "--name=test2", "busybox", "top")
assert.NilError(c, err, out)
test2ID := strings.TrimSpace(out)
out, err = s.d.Cmd("run", "-d", "--name=test3", "--link", "test2:abc", "busybox", "top")
assert.NilError(c, err)
test3ID := strings.TrimSpace(out)
s.d.Restart(c)
_, err = s.d.Cmd("create", "--name=test", "busybox")
assert.ErrorContains(c, err, "", "expected error trying to create container with duplicate name")
// this one is no longer needed, removing simplifies the remainder of the test
out, err = s.d.Cmd("rm", "-f", "test")
assert.NilError(c, err, out)
out, err = s.d.Cmd("ps", "-a", "--no-trunc")
assert.NilError(c, err, out)
lines := strings.Split(strings.TrimSpace(out), "\n")[1:]
test2validated := false
test3validated := false
for _, line := range lines {
fields := strings.Fields(line)
names := fields[len(fields)-1]
switch fields[0] {
case test2ID:
assert.Equal(c, names, "test2,test3/abc")
test2validated = true
case test3ID:
assert.Equal(c, names, "test3")
test3validated = true
}
}
assert.Assert(c, test2validated)
assert.Assert(c, test3validated)
}
// TestDaemonRestartWithKilledRunningContainer requires live restore of running containers
func (s *DockerDaemonSuite) TestDaemonRestartWithKilledRunningContainer(t *testing.T) {
testRequires(t, DaemonIsLinux)
s.d.StartWithBusybox(testutil.GetContext(t), t)
cid, err := s.d.Cmd("run", "-d", "--name", "test", "busybox", "top")
defer s.d.Stop(t)
if err != nil {
t.Fatal(cid, err)
}
cid = strings.TrimSpace(cid)
pid, err := s.d.Cmd("inspect", "-f", "{{.State.Pid}}", cid)
assert.NilError(t, err)
pid = strings.TrimSpace(pid)
// Kill the daemon
if err := s.d.Kill(); err != nil {
t.Fatal(err)
}
// kill the container
icmd.RunCommand(ctrBinary, "--address", containerdSocket,
"--namespace", s.d.ContainersNamespace(), "tasks", "kill", cid).Assert(t, icmd.Success)
// Give time to containerd to process the command if we don't
// the exit event might be received after we do the inspect
result := icmd.RunCommand("kill", "-0", pid)
for result.ExitCode == 0 {
time.Sleep(1 * time.Second)
// FIXME(vdemeester) should we check it doesn't error out ?
result = icmd.RunCommand("kill", "-0", pid)
}
// restart the daemon
s.d.Start(t)
// Check that we've got the correct exit code
out, err := s.d.Cmd("inspect", "-f", "{{.State.ExitCode}}", cid)
assert.NilError(t, err)
out = strings.TrimSpace(out)
if out != "143" {
t.Fatalf("Expected exit code '%s' got '%s' for container '%s'\n", "143", out, cid)
}
}
// os.Kill should kill daemon ungracefully, leaving behind live containers.
// The live containers should be known to the restarted daemon. Stopping
// them now, should remove the mounts.
func (s *DockerDaemonSuite) TestCleanupMountsAfterDaemonCrash(c *testing.T) {
testRequires(c, DaemonIsLinux)
s.d.StartWithBusybox(testutil.GetContext(c), c, "--live-restore")
out, err := s.d.Cmd("run", "-d", "busybox", "top")
assert.NilError(c, err, "Output: %s", out)
id := strings.TrimSpace(out)
// kill the daemon
assert.Assert(c, s.d.Kill() == nil)
// Check if there are mounts with container id visible from the host.
// If not, those mounts exist in container's own mount ns, and so
// the following check for mounts being cleared is pointless.
skipMountCheck := false
mountOut, err := os.ReadFile("/proc/self/mountinfo")
assert.Assert(c, err == nil, "Output: %s", mountOut)
if !strings.Contains(string(mountOut), id) {
skipMountCheck = true
}
// restart daemon.
s.d.Start(c, "--live-restore")
// container should be running.
out, err = s.d.Cmd("inspect", "--format={{.State.Running}}", id)
assert.NilError(c, err, "Output: %s", out)
out = strings.TrimSpace(out)
if out != "true" {
c.Fatalf("Container %s expected to stay alive after daemon restart", id)
}
// 'docker stop' should work.
out, err = s.d.Cmd("stop", id)
assert.NilError(c, err, "Output: %s", out)
if skipMountCheck {
return
}
// Now, container mounts should be gone.
mountOut, err = os.ReadFile("/proc/self/mountinfo")
assert.Assert(c, err == nil, "Output: %s", mountOut)
comment := fmt.Sprintf("%s is still mounted from older daemon start:\nDaemon root repository %s\n%s", id, s.d.Root, mountOut)
assert.Equal(c, strings.Contains(string(mountOut), id), false, comment)
}
// TestDaemonRestartWithUnpausedRunningContainer requires live restore of running containers.
func (s *DockerDaemonSuite) TestDaemonRestartWithUnpausedRunningContainer(t *testing.T) {
testRequires(t, DaemonIsLinux)
s.d.StartWithBusybox(testutil.GetContext(t), t, "--live-restore")
cid, err := s.d.Cmd("run", "-d", "--name", "test", "busybox", "top")
defer s.d.Stop(t)
if err != nil {
t.Fatal(cid, err)
}
cid = strings.TrimSpace(cid)
pid, err := s.d.Cmd("inspect", "-f", "{{.State.Pid}}", cid)
assert.NilError(t, err)
// pause the container
if _, err := s.d.Cmd("pause", cid); err != nil {
t.Fatal(cid, err)
}
// Kill the daemon
if err := s.d.Kill(); err != nil {
t.Fatal(err)
}
// resume the container
result := icmd.RunCommand(
ctrBinary,
"--address", containerdSocket,
"--namespace", s.d.ContainersNamespace(),
"tasks", "resume", cid)
result.Assert(t, icmd.Success)
// Give time to containerd to process the command if we don't
// the resume event might be received after we do the inspect
poll.WaitOn(t, pollCheck(t, func(*testing.T) (interface{}, string) {
result := icmd.RunCommand("kill", "-0", strings.TrimSpace(pid))
return result.ExitCode, ""
}, checker.Equals(0)), poll.WithTimeout(defaultReconciliationTimeout))
// restart the daemon
s.d.Start(t, "--live-restore")
// Check that we've got the correct status
out, err := s.d.Cmd("inspect", "-f", "{{.State.Status}}", cid)
assert.NilError(t, err)
out = strings.TrimSpace(out)
if out != "running" {
t.Fatalf("Expected exit code '%s' got '%s' for container '%s'\n", "running", out, cid)
}
if _, err := s.d.Cmd("kill", cid); err != nil {
t.Fatal(err)
}
}
// TestRunLinksChanged checks that creating a new container with the same name does not update links
// this ensures that the old, pre gh#16032 functionality continues on
func (s *DockerDaemonSuite) TestRunLinksChanged(c *testing.T) {
testRequires(c, DaemonIsLinux) // Windows does not support links
s.d.StartWithBusybox(testutil.GetContext(c), c)
out, err := s.d.Cmd("run", "-d", "--name=test", "busybox", "top")
assert.NilError(c, err, out)
out, err = s.d.Cmd("run", "--name=test2", "--link=test:abc", "busybox", "sh", "-c", "ping -c 1 abc")
assert.NilError(c, err, out)
assert.Assert(c, strings.Contains(out, "1 packets transmitted, 1 packets received"))
out, err = s.d.Cmd("rm", "-f", "test")
assert.NilError(c, err, out)
out, err = s.d.Cmd("run", "-d", "--name=test", "busybox", "top")
assert.NilError(c, err, out)
out, err = s.d.Cmd("start", "-a", "test2")
assert.ErrorContains(c, err, "", out)
assert.Assert(c, !strings.Contains(out, "1 packets transmitted, 1 packets received"))
s.d.Restart(c)
out, err = s.d.Cmd("start", "-a", "test2")
assert.ErrorContains(c, err, "", out)
assert.Assert(c, !strings.Contains(out, "1 packets transmitted, 1 packets received"))
}
func (s *DockerDaemonSuite) TestDaemonStartWithoutColors(c *testing.T) {
testRequires(c, DaemonIsLinux)
infoLog := "\x1b[36mINFO\x1b"
b := bytes.NewBuffer(nil)
done := make(chan bool)
p, tty, err := pty.Open()
assert.NilError(c, err)
defer func() {
tty.Close()
p.Close()
}()
go func() {
io.Copy(b, p)
done <- true
}()
// Enable coloring explicitly
s.d.StartWithLogFile(tty, "--raw-logs=false")
s.d.Stop(c)
// Wait for io.Copy() before checking output
<-done
assert.Assert(c, strings.Contains(b.String(), infoLog))
b.Reset()
// "tty" is already closed in prev s.d.Stop(),
// we have to close the other side "p" and open another pair of
// pty for the next test.
p.Close()
p, tty, err = pty.Open()
assert.NilError(c, err)
go func() {
io.Copy(b, p)
done <- true
}()
// Disable coloring explicitly
s.d.StartWithLogFile(tty, "--raw-logs=true")
s.d.Stop(c)
// Wait for io.Copy() before checking output
<-done
assert.Assert(c, b.String() != "")
assert.Assert(c, !strings.Contains(b.String(), infoLog))
}
func (s *DockerDaemonSuite) TestDaemonDebugLog(c *testing.T) {
testRequires(c, DaemonIsLinux)
debugLog := "\x1b[37mDEBU\x1b"
p, tty, err := pty.Open()
assert.NilError(c, err)
defer func() {
tty.Close()
p.Close()
}()
b := bytes.NewBuffer(nil)
go io.Copy(b, p)
s.d.StartWithLogFile(tty, "--debug")
s.d.Stop(c)
assert.Assert(c, strings.Contains(b.String(), debugLog))
}
// Test for #21956
func (s *DockerDaemonSuite) TestDaemonLogOptions(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c, "--log-driver=syslog", "--log-opt=syslog-address=udp://127.0.0.1:514")
out, err := s.d.Cmd("run", "-d", "--log-driver=json-file", "busybox", "top")
assert.NilError(c, err, out)
id := strings.TrimSpace(out)
out, err = s.d.Cmd("inspect", "--format='{{.HostConfig.LogConfig}}'", id)
assert.NilError(c, err, out)
assert.Assert(c, strings.Contains(out, "{json-file map[]}"))
}
// Test case for #20936, #22443
func (s *DockerDaemonSuite) TestDaemonMaxConcurrency(c *testing.T) {
skip.If(c, testEnv.UsingSnapshotter, "max concurrency is not implemented (yet) with containerd snapshotters https://github.com/moby/moby/issues/46610")
s.d.Start(c, "--max-concurrent-uploads=6", "--max-concurrent-downloads=8")
expectedMaxConcurrentUploads := `level=debug msg="Max Concurrent Uploads: 6"`
expectedMaxConcurrentDownloads := `level=debug msg="Max Concurrent Downloads: 8"`
content, err := s.d.ReadLogFile()
assert.NilError(c, err)
assert.Assert(c, strings.Contains(string(content), expectedMaxConcurrentUploads))
assert.Assert(c, strings.Contains(string(content), expectedMaxConcurrentDownloads))
}
// Test case for #20936, #22443
func (s *DockerDaemonSuite) TestDaemonMaxConcurrencyWithConfigFile(c *testing.T) {
skip.If(c, testEnv.UsingSnapshotter, "max concurrency is not implemented (yet) with containerd snapshotters https://github.com/moby/moby/issues/46610")
testRequires(c, testEnv.IsLocalDaemon, DaemonIsLinux)
// daemon config file
configFilePath := "test.json"
configFile, err := os.Create(configFilePath)
assert.NilError(c, err)
defer os.Remove(configFilePath)
daemonConfig := `{ "max-concurrent-downloads" : 8 }`
fmt.Fprintf(configFile, "%s", daemonConfig)
configFile.Close()
s.d.Start(c, fmt.Sprintf("--config-file=%s", configFilePath))
expectedMaxConcurrentUploads := `level=debug msg="Max Concurrent Uploads: 5"`
expectedMaxConcurrentDownloads := `level=debug msg="Max Concurrent Downloads: 8"`
content, err := s.d.ReadLogFile()
assert.NilError(c, err)
assert.Assert(c, strings.Contains(string(content), expectedMaxConcurrentUploads))
assert.Assert(c, strings.Contains(string(content), expectedMaxConcurrentDownloads))
configFile, err = os.Create(configFilePath)
assert.NilError(c, err)
daemonConfig = `{ "max-concurrent-uploads" : 7, "max-concurrent-downloads" : 9 }`
fmt.Fprintf(configFile, "%s", daemonConfig)
configFile.Close()
assert.Assert(c, s.d.Signal(unix.SIGHUP) == nil)
// unix.Kill(s.d.cmd.Process.Pid, unix.SIGHUP)
time.Sleep(3 * time.Second)
expectedMaxConcurrentUploads = `level=debug msg="Reset Max Concurrent Uploads: 7"`
expectedMaxConcurrentDownloads = `level=debug msg="Reset Max Concurrent Downloads: 9"`
content, err = s.d.ReadLogFile()
assert.NilError(c, err)
assert.Assert(c, strings.Contains(string(content), expectedMaxConcurrentUploads))
assert.Assert(c, strings.Contains(string(content), expectedMaxConcurrentDownloads))
}
// Test case for #20936, #22443
func (s *DockerDaemonSuite) TestDaemonMaxConcurrencyWithConfigFileReload(c *testing.T) {
skip.If(c, testEnv.UsingSnapshotter, "max concurrency is not implemented (yet) with containerd snapshotters https://github.com/moby/moby/issues/46610")
testRequires(c, testEnv.IsLocalDaemon, DaemonIsLinux)
// daemon config file
configFilePath := "test.json"
configFile, err := os.Create(configFilePath)
assert.NilError(c, err)
defer os.Remove(configFilePath)
daemonConfig := `{ "max-concurrent-uploads" : null }`
fmt.Fprintf(configFile, "%s", daemonConfig)
configFile.Close()
s.d.Start(c, fmt.Sprintf("--config-file=%s", configFilePath))
expectedMaxConcurrentUploads := `level=debug msg="Max Concurrent Uploads: 5"`
expectedMaxConcurrentDownloads := `level=debug msg="Max Concurrent Downloads: 3"`
content, err := s.d.ReadLogFile()
assert.NilError(c, err)
assert.Assert(c, strings.Contains(string(content), expectedMaxConcurrentUploads))
assert.Assert(c, strings.Contains(string(content), expectedMaxConcurrentDownloads))
configFile, err = os.Create(configFilePath)
assert.NilError(c, err)
daemonConfig = `{ "max-concurrent-uploads" : 1, "max-concurrent-downloads" : null }`
fmt.Fprintf(configFile, "%s", daemonConfig)
configFile.Close()
assert.Assert(c, s.d.Signal(unix.SIGHUP) == nil)
// unix.Kill(s.d.cmd.Process.Pid, unix.SIGHUP)
time.Sleep(3 * time.Second)
expectedMaxConcurrentUploads = `level=debug msg="Reset Max Concurrent Uploads: 1"`
expectedMaxConcurrentDownloads = `level=debug msg="Reset Max Concurrent Downloads: 3"`
content, err = s.d.ReadLogFile()
assert.NilError(c, err)
assert.Assert(c, strings.Contains(string(content), expectedMaxConcurrentUploads))
assert.Assert(c, strings.Contains(string(content), expectedMaxConcurrentDownloads))
configFile, err = os.Create(configFilePath)
assert.NilError(c, err)
daemonConfig = `{ "labels":["foo=bar"] }`
fmt.Fprintf(configFile, "%s", daemonConfig)
configFile.Close()
assert.Assert(c, s.d.Signal(unix.SIGHUP) == nil)
time.Sleep(3 * time.Second)
expectedMaxConcurrentUploads = `level=debug msg="Reset Max Concurrent Uploads: 5"`
expectedMaxConcurrentDownloads = `level=debug msg="Reset Max Concurrent Downloads: 3"`
content, err = s.d.ReadLogFile()
assert.NilError(c, err)
assert.Assert(c, strings.Contains(string(content), expectedMaxConcurrentUploads))
assert.Assert(c, strings.Contains(string(content), expectedMaxConcurrentDownloads))
}
func (s *DockerDaemonSuite) TestBuildOnDisabledBridgeNetworkDaemon(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c, "-b=none", "--iptables=false")
result := cli.BuildCmd(c, "busyboxs", cli.Daemon(s.d),
build.WithDockerfile(`
FROM busybox
RUN cat /etc/hosts`),
build.WithoutCache,
)
comment := fmt.Sprintf("Failed to build image. output %s, exitCode %d, err %v", result.Combined(), result.ExitCode, result.Error)
assert.Assert(c, result.Error == nil, comment)
assert.Equal(c, result.ExitCode, 0, comment)
}
// Test case for #21976
func (s *DockerDaemonSuite) TestDaemonDNSFlagsInHostMode(c *testing.T) {
testRequires(c, testEnv.IsLocalDaemon, DaemonIsLinux)
s.d.StartWithBusybox(testutil.GetContext(c), c, "--dns", "1.2.3.4", "--dns-search", "example.com", "--dns-opt", "timeout:3")
expectedOutput := "nameserver 1.2.3.4"
out, _ := s.d.Cmd("run", "--net=host", "busybox", "cat", "/etc/resolv.conf")
assert.Assert(c, strings.Contains(out, expectedOutput), "Expected '%s', but got %q", expectedOutput, out)
expectedOutput = "search example.com"
assert.Assert(c, strings.Contains(out, expectedOutput), "Expected '%s', but got %q", expectedOutput, out)
expectedOutput = "options timeout:3"
assert.Assert(c, strings.Contains(out, expectedOutput), "Expected '%s', but got %q", expectedOutput, out)
}
func (s *DockerDaemonSuite) TestRunWithRuntimeFromConfigFile(c *testing.T) {
conf, err := os.CreateTemp("", "config-file-")
assert.NilError(c, err)
configName := conf.Name()
conf.Close()
defer os.Remove(configName)
config := `
{
"runtimes": {
"oci": {
"path": "runc"
},
"vm": {
"path": "/usr/local/bin/vm-manager",
"runtimeArgs": [
"--debug"
]
}
}
}
`
os.WriteFile(configName, []byte(config), 0o644)
s.d.StartWithBusybox(testutil.GetContext(c), c, "--config-file", configName)
// Run with default runtime
out, err := s.d.Cmd("run", "--rm", "busybox", "ls")
assert.NilError(c, err, out)
// Run with default runtime explicitly
out, err = s.d.Cmd("run", "--rm", "--runtime=runc", "busybox", "ls")
assert.NilError(c, err, out)
// Run with oci (same path as default) but keep it around
out, err = s.d.Cmd("run", "--name", "oci-runtime-ls", "--runtime=oci", "busybox", "ls")
assert.NilError(c, err, out)
// Run with "vm"
out, err = s.d.Cmd("run", "--rm", "--runtime=vm", "busybox", "ls")
assert.ErrorContains(c, err, "", out)
assert.Assert(c, is.Contains(out, "/usr/local/bin/vm-manager: no such file or directory"))
// Reset config to only have the default
config = `
{
"runtimes": {
}
}
`
os.WriteFile(configName, []byte(config), 0o644)
assert.Assert(c, s.d.Signal(unix.SIGHUP) == nil)
// Give daemon time to reload config
<-time.After(1 * time.Second)
// Run with default runtime
out, err = s.d.Cmd("run", "--rm", "--runtime=runc", "busybox", "ls")
assert.NilError(c, err, out)
// Run with "oci"
out, err = s.d.Cmd("run", "--rm", "--runtime=oci", "busybox", "ls")
assert.ErrorContains(c, err, "", out)
assert.Assert(c, is.Contains(out, "unknown or invalid runtime name: oci"))
// Start previously created container with oci
out, err = s.d.Cmd("start", "oci-runtime-ls")
assert.ErrorContains(c, err, "", out)
assert.Assert(c, is.Contains(out, "unknown or invalid runtime name: oci"))
// Check that we can't override the default runtime
config = `
{
"runtimes": {
"runc": {
"path": "my-runc"
}
}
}
`
os.WriteFile(configName, []byte(config), 0o644)
assert.Assert(c, s.d.Signal(unix.SIGHUP) == nil)
// Give daemon time to reload config
<-time.After(1 * time.Second)
content, err := s.d.ReadLogFile()
assert.NilError(c, err)
assert.Assert(c, is.Contains(string(content), `runtime name 'runc' is reserved`))
// Check that we can select a default runtime
config = `
{
"default-runtime": "vm",
"runtimes": {
"oci": {
"path": "runc"
},
"vm": {
"path": "/usr/local/bin/vm-manager",
"runtimeArgs": [
"--debug"
]
}
}
}
`
os.WriteFile(configName, []byte(config), 0o644)
assert.Assert(c, s.d.Signal(unix.SIGHUP) == nil)
// Give daemon time to reload config
<-time.After(1 * time.Second)
out, err = s.d.Cmd("run", "--rm", "busybox", "ls")
assert.ErrorContains(c, err, "", out)
assert.Assert(c, is.Contains(out, "/usr/local/bin/vm-manager: no such file or directory"))
// Run with default runtime explicitly
out, err = s.d.Cmd("run", "--rm", "--runtime=runc", "busybox", "ls")
assert.NilError(c, err, out)
}
func (s *DockerDaemonSuite) TestRunWithRuntimeFromCommandLine(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c, "--add-runtime", "oci=runc", "--add-runtime", "vm=/usr/local/bin/vm-manager")
// Run with default runtime
out, err := s.d.Cmd("run", "--rm", "busybox", "ls")
assert.NilError(c, err, out)
// Run with default runtime explicitly
out, err = s.d.Cmd("run", "--rm", "--runtime=runc", "busybox", "ls")
assert.NilError(c, err, out)
// Run with oci (same path as default) but keep it around
out, err = s.d.Cmd("run", "--name", "oci-runtime-ls", "--runtime=oci", "busybox", "ls")
assert.NilError(c, err, out)
// Run with "vm"
out, err = s.d.Cmd("run", "--rm", "--runtime=vm", "busybox", "ls")
assert.ErrorContains(c, err, "", out)
assert.Assert(c, is.Contains(out, "/usr/local/bin/vm-manager: no such file or directory"))
// Start a daemon without any extra runtimes
s.d.Stop(c)
s.d.StartWithBusybox(testutil.GetContext(c), c)
// Run with default runtime
out, err = s.d.Cmd("run", "--rm", "--runtime=runc", "busybox", "ls")
assert.NilError(c, err, out)
// Run with "oci"
out, err = s.d.Cmd("run", "--rm", "--runtime=oci", "busybox", "ls")
assert.ErrorContains(c, err, "", out)
assert.Assert(c, is.Contains(out, "unknown or invalid runtime name: oci"))
// Start previously created container with oci
out, err = s.d.Cmd("start", "oci-runtime-ls")
assert.ErrorContains(c, err, "", out)
assert.Assert(c, is.Contains(out, "unknown or invalid runtime name: oci"))
// Check that we can't override the default runtime
s.d.Stop(c)
assert.Assert(c, s.d.StartWithError("--add-runtime", "runc=my-runc") != nil)
content, err := s.d.ReadLogFile()
assert.NilError(c, err)
assert.Assert(c, is.Contains(string(content), `runtime name 'runc' is reserved`))
// Check that we can select a default runtime
s.d.Stop(c)
s.d.StartWithBusybox(testutil.GetContext(c), c, "--default-runtime=vm", "--add-runtime", "oci=runc", "--add-runtime", "vm=/usr/local/bin/vm-manager")
out, err = s.d.Cmd("run", "--rm", "busybox", "ls")
assert.ErrorContains(c, err, "", out)
assert.Assert(c, is.Contains(out, "/usr/local/bin/vm-manager: no such file or directory"))
// Run with default runtime explicitly
out, err = s.d.Cmd("run", "--rm", "--runtime=runc", "busybox", "ls")
assert.NilError(c, err, out)
}
func (s *DockerDaemonSuite) TestDaemonRestartWithAutoRemoveContainer(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
// top1 will exist after daemon restarts
out, err := s.d.Cmd("run", "-d", "--name", "top1", "busybox:latest", "top")
assert.Assert(c, err == nil, "run top1: %v", out)
// top2 will be removed after daemon restarts
out, err = s.d.Cmd("run", "-d", "--rm", "--name", "top2", "busybox:latest", "top")
assert.Assert(c, err == nil, "run top2: %v", out)
out, err = s.d.Cmd("ps")
assert.NilError(c, err)
assert.Assert(c, strings.Contains(out, "top1"), "top1 should be running")
assert.Assert(c, strings.Contains(out, "top2"), "top2 should be running")
// now restart daemon gracefully
s.d.Restart(c)
out, err = s.d.Cmd("ps", "-a")
assert.NilError(c, err, "out: %v", out)
assert.Assert(c, strings.Contains(out, "top1"), "top1 should exist after daemon restarts")
assert.Assert(c, !strings.Contains(out, "top2"), "top2 should be removed after daemon restarts")
}
func (s *DockerDaemonSuite) TestDaemonRestartSaveContainerExitCode(c *testing.T) {
s.d.StartWithBusybox(testutil.GetContext(c), c)
containerName := "error-values"
// Make a container with both a non 0 exit code and an error message
// We explicitly disable `--init` for this test, because `--init` is enabled by default
// on "experimental". Enabling `--init` results in a different behavior; because the "init"
// process itself is PID1, the container does not fail on _startup_ (i.e., `docker-init` starting),
// but directly after. The exit code of the container is still 127, but the Error Message is not
// captured, so `.State.Error` is empty.
// See the discussion on https://github.com/docker/docker/pull/30227#issuecomment-274161426,
// and https://github.com/docker/docker/pull/26061#r78054578 for more information.
_, err := s.d.Cmd("run", "--name", containerName, "--init=false", "busybox", "toto")
assert.ErrorContains(c, err, "")
// Check that those values were saved on disk
out, err := s.d.Cmd("inspect", "-f", "{{.State.ExitCode}}", containerName)
out = strings.TrimSpace(out)
assert.NilError(c, err)
assert.Equal(c, out, "127")
errMsg1, err := s.d.Cmd("inspect", "-f", "{{.State.Error}}", containerName)
errMsg1 = strings.TrimSpace(errMsg1)
assert.NilError(c, err)
assert.Assert(c, strings.Contains(errMsg1, "executable file not found"))
// now restart daemon
s.d.Restart(c)
// Check that those values are still around
out, err = s.d.Cmd("inspect", "-f", "{{.State.ExitCode}}", containerName)
out = strings.TrimSpace(out)
assert.NilError(c, err)
assert.Equal(c, out, "127")
out, err = s.d.Cmd("inspect", "-f", "{{.State.Error}}", containerName)
out = strings.TrimSpace(out)
assert.NilError(c, err)
assert.Equal(c, out, errMsg1)
}
func (s *DockerDaemonSuite) TestDaemonWithUserlandProxyPath(c *testing.T) {
testRequires(c, testEnv.IsLocalDaemon, DaemonIsLinux)
ctx := context.TODO()
dockerProxyPath, err := exec.LookPath("docker-proxy")
assert.NilError(c, err)
tmpDir, err := os.MkdirTemp("", "test-docker-proxy")
assert.NilError(c, err)
newProxyPath := filepath.Join(tmpDir, "docker-proxy")
cmd := exec.Command("cp", dockerProxyPath, newProxyPath)
assert.NilError(c, cmd.Run())
// custom one
s.d.StartWithBusybox(testutil.GetContext(c), c, "--userland-proxy-path", newProxyPath)
out, err := s.d.Cmd("run", "-p", "5000:5000", "busybox:latest", "true")
assert.NilError(c, err, out)
// try with the original one
s.d.Restart(c, "--userland-proxy-path", dockerProxyPath)
out, err = s.d.Cmd("run", "-p", "5000:5000", "busybox:latest", "true")
assert.NilError(c, err, out)
// not exist
s.d.Stop(c)
err = s.d.StartWithError("--userland-proxy-path", "/does/not/exist")
assert.ErrorContains(c, err, "", "daemon should fail to start")
expected := "invalid userland-proxy-path"
ok, _ := s.d.ScanLogsT(ctx, c, testdaemon.ScanLogsMatchString(expected))
assert.Assert(c, ok, "logs did not contain: %s", expected)
// not an absolute path
s.d.Stop(c)
err = s.d.StartWithError("--userland-proxy-path", "docker-proxy")
assert.ErrorContains(c, err, "", "daemon should fail to start")
expected = "invalid userland-proxy-path: must be an absolute path: docker-proxy"
ok, _ = s.d.ScanLogsT(ctx, c, testdaemon.ScanLogsMatchString(expected))
assert.Assert(c, ok, "logs did not contain: %s", expected)
}
// Test case for #22471
func (s *DockerDaemonSuite) TestDaemonShutdownTimeout(c *testing.T) {
testRequires(c, testEnv.IsLocalDaemon)
s.d.StartWithBusybox(testutil.GetContext(c), c, "--shutdown-timeout=3")
_, err := s.d.Cmd("run", "-d", "busybox", "top")
assert.NilError(c, err)
assert.Assert(c, s.d.Signal(unix.SIGINT) == nil)
select {
case <-s.d.Wait:
case <-time.After(5 * time.Second):
}
expectedMessage := `level=debug msg="daemon configured with a 3 seconds minimum shutdown timeout"`
content, err := s.d.ReadLogFile()
assert.NilError(c, err)
assert.Assert(c, strings.Contains(string(content), expectedMessage))
}
// Test case for #22471
func (s *DockerDaemonSuite) TestDaemonShutdownTimeoutWithConfigFile(c *testing.T) {
testRequires(c, testEnv.IsLocalDaemon)
// daemon config file
configFilePath := "test.json"
configFile, err := os.Create(configFilePath)
assert.NilError(c, err)
defer os.Remove(configFilePath)
daemonConfig := `{ "shutdown-timeout" : 8 }`
fmt.Fprintf(configFile, "%s", daemonConfig)
configFile.Close()
s.d.Start(c, fmt.Sprintf("--config-file=%s", configFilePath))
configFile, err = os.Create(configFilePath)
assert.NilError(c, err)
daemonConfig = `{ "shutdown-timeout" : 5 }`
fmt.Fprintf(configFile, "%s", daemonConfig)
configFile.Close()
assert.Assert(c, s.d.Signal(unix.SIGHUP) == nil)
select {
case <-s.d.Wait:
case <-time.After(3 * time.Second):
}
expectedMessage := `level=debug msg="Reset Shutdown Timeout: 5"`
content, err := s.d.ReadLogFile()
assert.NilError(c, err)
assert.Assert(c, strings.Contains(string(content), expectedMessage))
}
// Test case for 29342
func (s *DockerDaemonSuite) TestExecWithUserAfterLiveRestore(c *testing.T) {
testRequires(c, DaemonIsLinux)
s.d.StartWithBusybox(testutil.GetContext(c), c, "--live-restore")
out, err := s.d.Cmd("run", "--init", "-d", "--name=top", "busybox", "sh", "-c", "addgroup -S test && adduser -S -G test test -D -s /bin/sh && touch /adduser_end && exec top")
assert.NilError(c, err, "Output: %s", out)
s.d.WaitRun("top")
// Wait for shell command to be completed
_, err = s.d.Cmd("exec", "top", "sh", "-c", `for i in $(seq 1 5); do if [ -e /adduser_end ]; then rm -f /adduser_end && break; else sleep 1 && false; fi; done`)
assert.Assert(c, err == nil, "Timeout waiting for shell command to be completed")
out1, err := s.d.Cmd("exec", "-u", "test", "top", "id")
// uid=100(test) gid=101(test) groups=101(test)
assert.Assert(c, err == nil, "Output: %s", out1)
// restart daemon.
s.d.Restart(c, "--live-restore")
out2, err := s.d.Cmd("exec", "-u", "test", "top", "id")
assert.Assert(c, err == nil, "Output: %s", out2)
assert.Equal(c, out2, out1, fmt.Sprintf("Output: before restart '%s', after restart '%s'", out1, out2))
out, err = s.d.Cmd("stop", "top")
assert.NilError(c, err, "Output: %s", out)
}
func (s *DockerDaemonSuite) TestRemoveContainerAfterLiveRestore(c *testing.T) {
testRequires(c, DaemonIsLinux, testEnv.IsLocalDaemon)
s.d.StartWithBusybox(testutil.GetContext(c), c, "--live-restore")
out, err := s.d.Cmd("run", "-d", "--name=top", "busybox", "top")
assert.NilError(c, err, "Output: %s", out)
s.d.WaitRun("top")
// restart daemon.
s.d.Restart(c, "--live-restore")
out, err = s.d.Cmd("stop", "top")
assert.NilError(c, err, "Output: %s", out)
// test if the rootfs mountpoint still exist
mountpoint, err := s.d.InspectField("top", ".GraphDriver.Data.MergedDir")
assert.NilError(c, err)
f, err := os.Open("/proc/self/mountinfo")
assert.NilError(c, err)
defer f.Close()
sc := bufio.NewScanner(f)
for sc.Scan() {
line := sc.Text()
if strings.Contains(line, mountpoint) {
c.Fatalf("mountinfo should not include the mountpoint of stop container")
}
}
out, err = s.d.Cmd("rm", "top")
assert.NilError(c, err, "Output: %s", out)
}
// #29598
func (s *DockerDaemonSuite) TestRestartPolicyWithLiveRestore(c *testing.T) {
testRequires(c, DaemonIsLinux, testEnv.IsLocalDaemon)
s.d.StartWithBusybox(testutil.GetContext(c), c, "--live-restore")
out, err := s.d.Cmd("run", "-d", "--restart", "always", "busybox", "top")
assert.NilError(c, err, "Output: %s", out)
id := strings.TrimSpace(out)
type state struct {
Running bool
StartedAt time.Time
}
out, err = s.d.Cmd("inspect", "-f", "{{json .State}}", id)
assert.Assert(c, err == nil, "output: %s", out)
var origState state
err = json.Unmarshal([]byte(strings.TrimSpace(out)), &origState)
assert.NilError(c, err)
s.d.Restart(c, "--live-restore")
pid, err := s.d.Cmd("inspect", "-f", "{{.State.Pid}}", id)
assert.NilError(c, err)
pidint, err := strconv.Atoi(strings.TrimSpace(pid))
assert.NilError(c, err)
assert.Assert(c, pidint > 0)
assert.NilError(c, unix.Kill(pidint, unix.SIGKILL))
ticker := time.NewTicker(50 * time.Millisecond)
timeout := time.After(10 * time.Second)
for range ticker.C {
select {
case <-timeout:
c.Fatal("timeout waiting for container restart")
default:
}
out, err := s.d.Cmd("inspect", "-f", "{{json .State}}", id)
assert.Assert(c, err == nil, "output: %s", out)
var newState state
err = json.Unmarshal([]byte(strings.TrimSpace(out)), &newState)
assert.NilError(c, err)
if !newState.Running {
continue
}
if newState.StartedAt.After(origState.StartedAt) {
break
}
}
out, err = s.d.Cmd("stop", id)
assert.NilError(c, err, "Output: %s", out)
}
func (s *DockerDaemonSuite) TestShmSize(c *testing.T) {
testRequires(c, DaemonIsLinux)
size := 67108864 * 2
pattern := regexp.MustCompile(fmt.Sprintf("shm on /dev/shm type tmpfs(.*)size=%dk", size/1024))
s.d.StartWithBusybox(testutil.GetContext(c), c, "--default-shm-size", fmt.Sprintf("%v", size))
name := "shm1"
out, err := s.d.Cmd("run", "--name", name, "busybox", "mount")
assert.NilError(c, err, "Output: %s", out)
assert.Assert(c, pattern.MatchString(out))
out, err = s.d.Cmd("inspect", "--format", "{{.HostConfig.ShmSize}}", name)
assert.NilError(c, err, "Output: %s", out)
assert.Equal(c, strings.TrimSpace(out), fmt.Sprintf("%v", size))
}
func (s *DockerDaemonSuite) TestShmSizeReload(c *testing.T) {
testRequires(c, DaemonIsLinux)
configPath, err := os.MkdirTemp("", "test-daemon-shm-size-reload-config")
assert.Assert(c, err == nil, "could not create temp file for config reload")
defer os.RemoveAll(configPath) // clean up
configFile := filepath.Join(configPath, "config.json")
size := 67108864 * 2
configData := []byte(fmt.Sprintf(`{"default-shm-size": "%dM"}`, size/1024/1024))
assert.Assert(c, os.WriteFile(configFile, configData, 0o666) == nil, "could not write temp file for config reload")
pattern := regexp.MustCompile(fmt.Sprintf("shm on /dev/shm type tmpfs(.*)size=%dk", size/1024))
s.d.StartWithBusybox(testutil.GetContext(c), c, "--config-file", configFile)
name := "shm1"
out, err := s.d.Cmd("run", "--name", name, "busybox", "mount")
assert.NilError(c, err, "Output: %s", out)
assert.Assert(c, pattern.MatchString(out))
out, err = s.d.Cmd("inspect", "--format", "{{.HostConfig.ShmSize}}", name)
assert.NilError(c, err, "Output: %s", out)
assert.Equal(c, strings.TrimSpace(out), fmt.Sprintf("%v", size))
size = 67108864 * 3
configData = []byte(fmt.Sprintf(`{"default-shm-size": "%dM"}`, size/1024/1024))
assert.Assert(c, os.WriteFile(configFile, configData, 0o666) == nil, "could not write temp file for config reload")
pattern = regexp.MustCompile(fmt.Sprintf("shm on /dev/shm type tmpfs(.*)size=%dk", size/1024))
err = s.d.ReloadConfig()
assert.Assert(c, err == nil, "error reloading daemon config")
name = "shm2"
out, err = s.d.Cmd("run", "--name", name, "busybox", "mount")
assert.NilError(c, err, "Output: %s", out)
assert.Assert(c, pattern.MatchString(out))
out, err = s.d.Cmd("inspect", "--format", "{{.HostConfig.ShmSize}}", name)
assert.NilError(c, err, "Output: %s", out)
assert.Equal(c, strings.TrimSpace(out), fmt.Sprintf("%v", size))
}
func testDaemonStartIpcMode(c *testing.T, from, mode string, valid bool) {
d := daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
c.Logf("Checking IpcMode %s set from %s\n", mode, from)
var serr error
switch from {
case "config":
f, err := os.CreateTemp("", "test-daemon-ipc-config")
assert.NilError(c, err)
defer os.Remove(f.Name())
config := `{"default-ipc-mode": "` + mode + `"}`
_, err = f.WriteString(config)
assert.NilError(c, f.Close())
assert.NilError(c, err)
serr = d.StartWithError("--config-file", f.Name())
case "cli":
serr = d.StartWithError("--default-ipc-mode", mode)
default:
c.Fatalf("testDaemonStartIpcMode: invalid 'from' argument")
}
if serr == nil {
d.Stop(c)
}
if valid {
assert.NilError(c, serr)
} else {
assert.ErrorContains(c, serr, "")
icmd.RunCommand("grep", "-E", "IPC .* is (invalid|not supported)", d.LogFileName()).Assert(c, icmd.Success)
}
}
// TestDaemonStartWithIpcModes checks that daemon starts fine given correct
// arguments for default IPC mode, and bails out with incorrect ones.
// Both CLI option (--default-ipc-mode) and config parameter are tested.
func (s *DockerDaemonSuite) TestDaemonStartWithIpcModes(c *testing.T) {
testRequires(c, DaemonIsLinux, testEnv.IsLocalDaemon)
ipcModes := []struct {
mode string
valid bool
}{
{"private", true},
{"shareable", true},
{"host", false},
{"container:123", false},
{"nosuchmode", false},
}
for _, from := range []string{"config", "cli"} {
for _, m := range ipcModes {
testDaemonStartIpcMode(c, from, m.mode, m.valid)
}
}
}
// TestFailedPluginRemove makes sure that a failed plugin remove does not block
// the daemon from starting
func (s *DockerDaemonSuite) TestFailedPluginRemove(c *testing.T) {
testRequires(c, DaemonIsLinux, IsAmd64, testEnv.IsLocalDaemon)
d := daemon.New(c, dockerBinary, dockerdBinary)
d.Start(c)
apiClient := d.NewClientT(c)
ctx, cancel := context.WithTimeout(testutil.GetContext(c), 300*time.Second)
defer cancel()
name := "test-plugin-rm-fail"
out, err := apiClient.PluginInstall(ctx, name, types.PluginInstallOptions{
Disabled: true,
AcceptAllPermissions: true,
RemoteRef: "cpuguy83/docker-logdriver-test",
})
assert.NilError(c, err)
defer out.Close()
io.Copy(io.Discard, out)
ctx, cancel = context.WithTimeout(testutil.GetContext(c), 30*time.Second)
defer cancel()
p, _, err := apiClient.PluginInspectWithRaw(ctx, name)
assert.NilError(c, err)
// simulate a bad/partial removal by removing the plugin config.
configPath := filepath.Join(d.Root, "plugins", p.ID, "config.json")
assert.NilError(c, os.Remove(configPath))
d.Restart(c)
ctx, cancel = context.WithTimeout(testutil.GetContext(c), 30*time.Second)
defer cancel()
_, err = apiClient.Ping(ctx)
assert.NilError(c, err)
_, _, err = apiClient.PluginInspectWithRaw(ctx, name)
// plugin should be gone since the config.json is gone
assert.ErrorContains(c, err, "")
}