toolshed/docker-cli
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Prevent mqueue from implicitely becoming a bind mount with --ipc=host

Browse Source 
Currently, when running a container with --ipc=host, if /dev/mqueue is
a standard directory on the hos the daemon will bind mount it allowing
the container to create/modify files on the host.

This commit forces /dev/mqueue to always be of type mqueue except when
the user explicitely requested something to be bind mounted to
/dev/mqueue.

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Upstream-commit: f7d4abdc00d521509995da1070215c808fe0fd9c
Component: engine
This commit is contained in:
Kenfe-Mickael Laventure
2016-02-08 16:51:45 -08:00
parent 6ae6421b5c
commit 24558a48dd
3 changed files with 21 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
components/engine/integration-cli/docker_cli_run_test.go
View File

@ -2371,7 +2371,7 @@ func (s *DockerSuite) TestRunModeIpcContainer(c *check.C) {
// Not applicable on Windows as uses Unix-specific capabilities
testRequires(c, SameHostDaemon, DaemonIsLinux, NotUserNamespace)
out, _ := dockerCmd(c, "run", "-d", "busybox", "sh", "-c", "echo -n test > /dev/shm/test && top")
out, _ := dockerCmd(c, "run", "-d", "busybox", "sh", "-c", "echo -n test > /dev/shm/test && touch /dev/mqueue/toto && top")
id := strings.TrimSpace(out)
state := inspectField(c, id, "State.Running")
@ -2395,6 +2395,18 @@ func (s *DockerSuite) TestRunModeIpcContainer(c *check.C) {
if catOutput != "test" {
c.Fatalf("Output of /dev/shm/test expected test but found: %s", catOutput)
}
// check that /dev/mqueue is actually of mqueue type
grepOutput, _ := dockerCmd(c, "run", fmt.Sprintf("--ipc=container:%s", id), "busybox", "grep", "/dev/mqueue", "/proc/mounts")
if !strings.HasPrefix(grepOutput, "mqueue /dev/mqueue mqueue rw") {
c.Fatalf("Output of 'grep /proc/mounts' expected 'mqueue /dev/mqueue mqueue rw' but found: %s", grepOutput)
}
lsOutput, _ := dockerCmd(c, "run", fmt.Sprintf("--ipc=container:%s", id), "busybox", "ls", "/dev/mqueue")
lsOutput = strings.Trim(lsOutput, "\n")
if lsOutput != "toto" {
c.Fatalf("Output of 'ls /dev/mqueue' expected 'toto' but found: %s", lsOutput)
}
}
func (s *DockerSuite) TestRunModeIpcContainerNotExists(c *check.C) {
@ -2423,7 +2435,9 @@ func (s *DockerSuite) TestRunMountShmMqueueFromHost(c *check.C) {
// Not applicable on Windows as uses Unix-specific capabilities
testRequires(c, SameHostDaemon, DaemonIsLinux)
dockerCmd(c, "run", "-d", "--name", "shmfromhost", "-v", "/dev/shm:/dev/shm", "busybox", "sh", "-c", "echo -n test > /dev/shm/test && top")
dockerCmd(c, "run", "-d", "--name", "shmfromhost", "-v", "/dev/shm:/dev/shm", "-v", "/dev/mqueue:/dev/mqueue", "busybox", "sh", "-c", "echo -n test > /dev/shm/test && touch /dev/mqueue/toto && top")
defer os.Remove("/dev/mqueue/toto")
defer os.Remove("/dev/shm/test")
volPath, err := inspectMountSourceField("shmfromhost", "/dev/shm")
c.Assert(err, checker.IsNil)
if volPath != "/dev/shm" {
@ -2434,6 +2448,11 @@ func (s *DockerSuite) TestRunMountShmMqueueFromHost(c *check.C) {
if out != "test" {
c.Fatalf("Output of /dev/shm/test expected test but found: %s", out)
}
// Check that the mq was created
if _, err := os.Stat("/dev/mqueue/toto"); err != nil {
c.Fatalf("Failed to confirm '/dev/mqueue/toto' presence on host: %s", err.Error())
}
}
func (s *DockerSuite) TestContainerNetworkMode(c *check.C) {