Skip to content
This repository was archived by the owner on Oct 13, 2023. It is now read-only.

Commit 67fe100

Browse files
jessfrazjessfraz
committed
api: add configurable MaskedPaths and ReadOnlyPaths to the API
This adds MaskedPaths and ReadOnlyPaths options to HostConfig for containers so that a user can override the default values. When the value sent through the API is nil the default is used. Otherwise the default is overridden. Adds integration tests for MaskedPaths and ReadonlyPaths. Signed-off-by: Jess Frazelle <[email protected]> Upstream-commit: 3694c1e34e40fa2e255a97b5541645cec9c8d1d5 Component: engine
1 parent 2452577 commit 67fe100

File tree

5 files changed

+199
-0
lines changed

5 files changed

+199
-0
lines changed

components/engine/api/swagger.yaml

+10
Original file line numberDiff line numberDiff line change
@@ -772,6 +772,16 @@ definitions:
772772
- "default"
773773
- "process"
774774
- "hyperv"
775+
MaskedPaths:
776+
type: "array"
777+
description: "The list of paths to be masked inside the container (this overrides the default set of paths)"
778+
items:
779+
type: "string"
780+
ReadonlyPaths:
781+
type: "array"
782+
description: "The list of paths to be set as read-only inside the container (this overrides the default set of paths)"
783+
items:
784+
type: "string"
775785

776786
ContainerConfig:
777787
description: "Configuration for a container that is portable between hosts"

components/engine/api/types/container/host_config.go

+6
Original file line numberDiff line numberDiff line change
@@ -401,6 +401,12 @@ type HostConfig struct {
401401
// Mounts specs used by the container
402402
Mounts []mount.Mount `json:",omitempty"`
403403

404+
// MaskedPaths is the list of paths to be masked inside the container (this overrides the default set of paths)
405+
MaskedPaths []string
406+
407+
// ReadonlyPaths is the list of paths to be set as read-only inside the container (this overrides the default set of paths)
408+
ReadonlyPaths []string
409+
404410
// Run a custom init inside the container, if null, use the daemon's configured settings
405411
Init *bool `json:",omitempty"`
406412
}

components/engine/daemon/create_unix.go

+11
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@ import (
1111
containertypes "github.com/docker/docker/api/types/container"
1212
mounttypes "github.com/docker/docker/api/types/mount"
1313
"github.com/docker/docker/container"
14+
"github.com/docker/docker/oci"
1415
"github.com/docker/docker/pkg/stringid"
1516
volumeopts "github.com/docker/docker/volume/service/opts"
1617
"github.com/opencontainers/selinux/go-selinux/label"
@@ -29,6 +30,16 @@ func (daemon *Daemon) createContainerOSSpecificSettings(container *container.Con
2930
return err
3031
}
3132

33+
// Set the default masked and readonly paths with regard to the host config options if they are not set.
34+
if hostConfig.MaskedPaths == nil && !hostConfig.Privileged {
35+
hostConfig.MaskedPaths = oci.DefaultSpec().Linux.MaskedPaths // Set it to the default if nil
36+
container.HostConfig.MaskedPaths = hostConfig.MaskedPaths
37+
}
38+
if hostConfig.ReadonlyPaths == nil && !hostConfig.Privileged {
39+
hostConfig.ReadonlyPaths = oci.DefaultSpec().Linux.ReadonlyPaths // Set it to the default if nil
40+
container.HostConfig.ReadonlyPaths = hostConfig.ReadonlyPaths
41+
}
42+
3243
for spec := range config.Volumes {
3344
name := stringid.GenerateNonCryptoID()
3445
destination := filepath.Clean(spec)

components/engine/daemon/oci_linux.go

+8
Original file line numberDiff line numberDiff line change
@@ -903,6 +903,14 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
903903
s.Process.OOMScoreAdj = &c.HostConfig.OomScoreAdj
904904
s.Linux.MountLabel = c.MountLabel
905905

906+
// Set the masked and readonly paths with regard to the host config options if they are set.
907+
if c.HostConfig.MaskedPaths != nil {
908+
s.Linux.MaskedPaths = c.HostConfig.MaskedPaths
909+
}
910+
if c.HostConfig.ReadonlyPaths != nil {
911+
s.Linux.ReadonlyPaths = c.HostConfig.ReadonlyPaths
912+
}
913+
906914
return &s, nil
907915
}
908916

components/engine/integration/container/create_test.go

+164
Original file line numberDiff line numberDiff line change
@@ -2,14 +2,21 @@ package container // import "github.com/docker/docker/integration/container"
22

33
import (
44
"context"
5+
"encoding/json"
6+
"fmt"
57
"strconv"
68
"testing"
9+
"time"
710

11+
"github.com/docker/docker/api/types"
812
"github.com/docker/docker/api/types/container"
913
"github.com/docker/docker/api/types/network"
14+
ctr "github.com/docker/docker/integration/internal/container"
1015
"github.com/docker/docker/internal/test/request"
16+
"github.com/docker/docker/oci"
1117
"github.com/gotestyourself/gotestyourself/assert"
1218
is "github.com/gotestyourself/gotestyourself/assert/cmp"
19+
"github.com/gotestyourself/gotestyourself/poll"
1320
"github.com/gotestyourself/gotestyourself/skip"
1421
)
1522

@@ -137,3 +144,160 @@ func TestCreateTmpfsMountsTarget(t *testing.T) {
137144
assert.Check(t, is.ErrorContains(err, tc.expectedError))
138145
}
139146
}
147+
func TestCreateWithCustomMaskedPaths(t *testing.T) {
148+
skip.If(t, testEnv.DaemonInfo.OSType != "linux")
149+
150+
defer setupTest(t)()
151+
client := request.NewAPIClient(t)
152+
ctx := context.Background()
153+
154+
testCases := []struct {
155+
maskedPaths []string
156+
expected []string
157+
}{
158+
{
159+
maskedPaths: []string{},
160+
expected: []string{},
161+
},
162+
{
163+
maskedPaths: nil,
164+
expected: oci.DefaultSpec().Linux.MaskedPaths,
165+
},
166+
{
167+
maskedPaths: []string{"/proc/kcore", "/proc/keys"},
168+
expected: []string{"/proc/kcore", "/proc/keys"},
169+
},
170+
}
171+
172+
checkInspect := func(t *testing.T, ctx context.Context, name string, expected []string) {
173+
_, b, err := client.ContainerInspectWithRaw(ctx, name, false)
174+
assert.NilError(t, err)
175+
176+
var inspectJSON map[string]interface{}
177+
err = json.Unmarshal(b, &inspectJSON)
178+
assert.NilError(t, err)
179+
180+
cfg, ok := inspectJSON["HostConfig"].(map[string]interface{})
181+
assert.Check(t, is.Equal(true, ok), name)
182+
183+
maskedPaths, ok := cfg["MaskedPaths"].([]interface{})
184+
assert.Check(t, is.Equal(true, ok), name)
185+
186+
mps := []string{}
187+
for _, mp := range maskedPaths {
188+
mps = append(mps, mp.(string))
189+
}
190+
191+
assert.DeepEqual(t, expected, mps)
192+
}
193+
194+
for i, tc := range testCases {
195+
name := fmt.Sprintf("create-masked-paths-%d", i)
196+
config := container.Config{
197+
Image: "busybox",
198+
Cmd: []string{"true"},
199+
}
200+
hc := container.HostConfig{}
201+
if tc.maskedPaths != nil {
202+
hc.MaskedPaths = tc.maskedPaths
203+
}
204+
205+
// Create the container.
206+
c, err := client.ContainerCreate(context.Background(),
207+
&config,
208+
&hc,
209+
&network.NetworkingConfig{},
210+
name,
211+
)
212+
assert.NilError(t, err)
213+
214+
checkInspect(t, ctx, name, tc.expected)
215+
216+
// Start the container.
217+
err = client.ContainerStart(ctx, c.ID, types.ContainerStartOptions{})
218+
assert.NilError(t, err)
219+
220+
poll.WaitOn(t, ctr.IsInState(ctx, client, c.ID, "exited"), poll.WithDelay(100*time.Millisecond))
221+
222+
checkInspect(t, ctx, name, tc.expected)
223+
}
224+
}
225+
226+
func TestCreateWithCustomReadonlyPaths(t *testing.T) {
227+
skip.If(t, testEnv.DaemonInfo.OSType != "linux")
228+
229+
defer setupTest(t)()
230+
client := request.NewAPIClient(t)
231+
ctx := context.Background()
232+
233+
testCases := []struct {
234+
doc string
235+
readonlyPaths []string
236+
expected []string
237+
}{
238+
{
239+
readonlyPaths: []string{},
240+
expected: []string{},
241+
},
242+
{
243+
readonlyPaths: nil,
244+
expected: oci.DefaultSpec().Linux.ReadonlyPaths,
245+
},
246+
{
247+
readonlyPaths: []string{"/proc/asound", "/proc/bus"},
248+
expected: []string{"/proc/asound", "/proc/bus"},
249+
},
250+
}
251+
252+
checkInspect := func(t *testing.T, ctx context.Context, name string, expected []string) {
253+
_, b, err := client.ContainerInspectWithRaw(ctx, name, false)
254+
assert.NilError(t, err)
255+
256+
var inspectJSON map[string]interface{}
257+
err = json.Unmarshal(b, &inspectJSON)
258+
assert.NilError(t, err)
259+
260+
cfg, ok := inspectJSON["HostConfig"].(map[string]interface{})
261+
assert.Check(t, is.Equal(true, ok), name)
262+
263+
readonlyPaths, ok := cfg["ReadonlyPaths"].([]interface{})
264+
assert.Check(t, is.Equal(true, ok), name)
265+
266+
rops := []string{}
267+
for _, rop := range readonlyPaths {
268+
rops = append(rops, rop.(string))
269+
}
270+
assert.DeepEqual(t, expected, rops)
271+
}
272+
273+
for i, tc := range testCases {
274+
name := fmt.Sprintf("create-readonly-paths-%d", i)
275+
config := container.Config{
276+
Image: "busybox",
277+
Cmd: []string{"true"},
278+
}
279+
hc := container.HostConfig{}
280+
if tc.readonlyPaths != nil {
281+
hc.ReadonlyPaths = tc.readonlyPaths
282+
}
283+
284+
// Create the container.
285+
c, err := client.ContainerCreate(context.Background(),
286+
&config,
287+
&hc,
288+
&network.NetworkingConfig{},
289+
name,
290+
)
291+
assert.NilError(t, err)
292+
293+
checkInspect(t, ctx, name, tc.expected)
294+
295+
// Start the container.
296+
err = client.ContainerStart(ctx, c.ID, types.ContainerStartOptions{})
297+
assert.NilError(t, err)
298+
299+
poll.WaitOn(t, ctr.IsInState(ctx, client, c.ID, "exited"), poll.WithDelay(100*time.Millisecond))
300+
301+
checkInspect(t, ctx, name, tc.expected)
302+
}
303+
}

0 commit comments

Comments
 (0)