763d839261
This implements chown support on Windows. Built-in accounts as well as accounts included in the SAM database of the container are supported. NOTE: IDPair is now named Identity and IDMappings is now named IdentityMapping. The following are valid examples: ADD --chown=Guest . <some directory> COPY --chown=Administrator . <some directory> COPY --chown=Guests . <some directory> COPY --chown=ContainerUser . <some directory> On Windows an owner is only granted the permission to read the security descriptor and read/write the discretionary access control list. This fix also grants read/write and execute permissions to the owner. Signed-off-by: Salahuddin Khan <salah@docker.com>
102 lines
2.9 KiB
Go
102 lines
2.9 KiB
Go
package daemon // import "github.com/docker/docker/daemon"
|
|
|
|
import (
|
|
"os"
|
|
"testing"
|
|
|
|
containertypes "github.com/docker/docker/api/types/container"
|
|
"github.com/docker/docker/container"
|
|
"github.com/docker/docker/daemon/config"
|
|
"github.com/docker/docker/oci"
|
|
"github.com/docker/docker/pkg/idtools"
|
|
"gotest.tools/assert"
|
|
is "gotest.tools/assert/cmp"
|
|
)
|
|
|
|
// TestTmpfsDevShmNoDupMount checks that a user-specified /dev/shm tmpfs
|
|
// mount (as in "docker run --tmpfs /dev/shm:rw,size=NNN") does not result
|
|
// in "Duplicate mount point" error from the engine.
|
|
// https://github.com/moby/moby/issues/35455
|
|
func TestTmpfsDevShmNoDupMount(t *testing.T) {
|
|
d := Daemon{
|
|
// some empty structs to avoid getting a panic
|
|
// caused by a null pointer dereference
|
|
idMapping: &idtools.IdentityMapping{},
|
|
configStore: &config.Config{},
|
|
}
|
|
c := &container.Container{
|
|
ShmPath: "foobar", // non-empty, for c.IpcMounts() to work
|
|
HostConfig: &containertypes.HostConfig{
|
|
IpcMode: containertypes.IpcMode("shareable"), // default mode
|
|
// --tmpfs /dev/shm:rw,exec,size=NNN
|
|
Tmpfs: map[string]string{
|
|
"/dev/shm": "rw,exec,size=1g",
|
|
},
|
|
},
|
|
}
|
|
|
|
// Mimick the code flow of daemon.createSpec(), enough to reproduce the issue
|
|
ms, err := d.setupMounts(c)
|
|
assert.Check(t, err)
|
|
|
|
ms = append(ms, c.IpcMounts()...)
|
|
|
|
tmpfsMounts, err := c.TmpfsMounts()
|
|
assert.Check(t, err)
|
|
ms = append(ms, tmpfsMounts...)
|
|
|
|
s := oci.DefaultSpec()
|
|
err = setMounts(&d, &s, c, ms)
|
|
assert.Check(t, err)
|
|
}
|
|
|
|
// TestIpcPrivateVsReadonly checks that in case of IpcMode: private
|
|
// and ReadonlyRootfs: true (as in "docker run --ipc private --read-only")
|
|
// the resulting /dev/shm mount is NOT made read-only.
|
|
// https://github.com/moby/moby/issues/36503
|
|
func TestIpcPrivateVsReadonly(t *testing.T) {
|
|
d := Daemon{
|
|
// some empty structs to avoid getting a panic
|
|
// caused by a null pointer dereference
|
|
idMapping: &idtools.IdentityMapping{},
|
|
configStore: &config.Config{},
|
|
}
|
|
c := &container.Container{
|
|
HostConfig: &containertypes.HostConfig{
|
|
IpcMode: containertypes.IpcMode("private"),
|
|
ReadonlyRootfs: true,
|
|
},
|
|
}
|
|
|
|
// We can't call createSpec() so mimick the minimal part
|
|
// of its code flow, just enough to reproduce the issue.
|
|
ms, err := d.setupMounts(c)
|
|
assert.Check(t, err)
|
|
|
|
s := oci.DefaultSpec()
|
|
s.Root.Readonly = c.HostConfig.ReadonlyRootfs
|
|
|
|
err = setMounts(&d, &s, c, ms)
|
|
assert.Check(t, err)
|
|
|
|
// Find the /dev/shm mount in ms, check it does not have ro
|
|
for _, m := range s.Mounts {
|
|
if m.Destination != "/dev/shm" {
|
|
continue
|
|
}
|
|
assert.Check(t, is.Equal(false, inSlice(m.Options, "ro")))
|
|
}
|
|
}
|
|
|
|
func TestGetSourceMount(t *testing.T) {
|
|
// must be able to find source mount for /
|
|
mnt, _, err := getSourceMount("/")
|
|
assert.NilError(t, err)
|
|
assert.Equal(t, mnt, "/")
|
|
|
|
// must be able to find source mount for current directory
|
|
cwd, err := os.Getwd()
|
|
assert.NilError(t, err)
|
|
_, _, err = getSourceMount(cwd)
|
|
assert.NilError(t, err)
|
|
}
|