d222bf097c
The existing runtimes reload logic went to great lengths to replace the directory containing runtime wrapper scripts as atomically as possible within the limitations of the Linux filesystem ABI. Trouble is, atomically swapping the wrapper scripts directory solves the wrong problem! The runtime configuration is "locked in" when a container is started, including the path to the runC binary. If a container is started with a runtime which requires a daemon-managed wrapper script and then the daemon is reloaded with a config which no longer requires the wrapper script (i.e. some args -> no args, or the runtime is dropped from the config), that container would become unmanageable. Any attempts to stop, exec or otherwise perform lifecycle management operations on the container are likely to fail due to the wrapper script no longer existing at its original path. Atomically swapping the wrapper scripts is also incompatible with the read-copy-update paradigm for reloading configuration. A handler in the daemon could retain a reference to the pre-reload configuration for an indeterminate amount of time after the daemon configuration has been reloaded and updated. It is possible for the daemon to attempt to start a container using a deleted wrapper script if a request to run a container races a reload. Solve the problem of deleting referenced wrapper scripts by ensuring that all wrapper scripts are *immutable* for the lifetime of the daemon process. Any given runtime wrapper script must always exist with the same contents, no matter how many times the daemon config is reloaded, or what changes are made to the config. This is accomplished by using everyone's favourite design pattern: content-addressable storage. Each wrapper script file name is suffixed with the SHA-256 digest of its contents to (probabilistically) guarantee immutability without needing any concurrency control. Stale runtime wrapper scripts are only cleaned up on the next daemon restart. Split the derived runtimes configuration from the user-supplied configuration to have a place to store derived state without mutating the user-supplied configuration or exposing daemon internals in API struct types. Hold the derived state and the user-supplied configuration in a single struct value so that they can be updated as an atomic unit. Signed-off-by: Cory Snider <csnider@mirantis.com>
91 lines
2.7 KiB
Go
91 lines
2.7 KiB
Go
//go:build linux
|
|
|
|
package daemon
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"github.com/containerd/containerd/pkg/apparmor"
|
|
containertypes "github.com/docker/docker/api/types/container"
|
|
"github.com/docker/docker/container"
|
|
specs "github.com/opencontainers/runtime-spec/specs-go"
|
|
"gotest.tools/v3/assert"
|
|
)
|
|
|
|
func TestExecSetPlatformOptAppArmor(t *testing.T) {
|
|
appArmorEnabled := apparmor.HostSupports()
|
|
|
|
tests := []struct {
|
|
doc string
|
|
privileged bool
|
|
appArmorProfile string
|
|
expectedProfile string
|
|
}{
|
|
{
|
|
doc: "default options",
|
|
expectedProfile: defaultAppArmorProfile,
|
|
},
|
|
{
|
|
doc: "custom profile",
|
|
appArmorProfile: "my-custom-profile",
|
|
expectedProfile: "my-custom-profile",
|
|
},
|
|
{
|
|
doc: "privileged container",
|
|
privileged: true,
|
|
expectedProfile: unconfinedAppArmorProfile,
|
|
},
|
|
{
|
|
doc: "privileged container, custom profile",
|
|
privileged: true,
|
|
appArmorProfile: "my-custom-profile",
|
|
expectedProfile: "my-custom-profile",
|
|
// FIXME: execSetPlatformOpts prefers custom profiles over "privileged",
|
|
// which looks like a bug (--privileged on the container should
|
|
// disable apparmor, seccomp, and selinux); see the code at:
|
|
// https://github.com/moby/moby/blob/46cdcd206c56172b95ba5c77b827a722dab426c5/daemon/exec_linux.go#L32-L40
|
|
// expectedProfile: unconfinedAppArmorProfile,
|
|
},
|
|
}
|
|
|
|
cfg := &configStore{}
|
|
d := &Daemon{}
|
|
d.configStore.Store(cfg)
|
|
|
|
// Currently, `docker exec --privileged` inherits the Privileged configuration
|
|
// of the container, and does not disable AppArmor.
|
|
// See https://github.com/moby/moby/pull/31773#discussion_r105586900
|
|
//
|
|
// This behavior may change in future, but to verify the current behavior,
|
|
// we run the test both with "exec" and "exec --privileged", which should
|
|
// both give the same result.
|
|
for _, execPrivileged := range []bool{false, true} {
|
|
for _, tc := range tests {
|
|
tc := tc
|
|
doc := tc.doc
|
|
if !appArmorEnabled {
|
|
// no profile should be set if the host does not support AppArmor
|
|
doc += " (apparmor disabled)"
|
|
tc.expectedProfile = ""
|
|
}
|
|
if execPrivileged {
|
|
doc += " (exec privileged)"
|
|
}
|
|
t.Run(doc, func(t *testing.T) {
|
|
c := &container.Container{
|
|
SecurityOptions: container.SecurityOptions{AppArmorProfile: tc.appArmorProfile},
|
|
HostConfig: &containertypes.HostConfig{
|
|
Privileged: tc.privileged,
|
|
},
|
|
}
|
|
ec := &container.ExecConfig{Container: c, Privileged: execPrivileged}
|
|
p := &specs.Process{}
|
|
|
|
err := d.execSetPlatformOpt(context.Background(), &cfg.Config, ec, p)
|
|
assert.NilError(t, err)
|
|
assert.Equal(t, p.ApparmorProfile, tc.expectedProfile)
|
|
})
|
|
}
|
|
}
|
|
}
|