
     1  package container // import "github.com/Prakhar-Agarwal-byte/moby/integration/container"
     2  
     3  import (
     4  	"context"
     5  	"testing"
     6  
     7  	"github.com/Prakhar-Agarwal-byte/moby/client"
     8  	"github.com/Prakhar-Agarwal-byte/moby/integration/internal/container"
     9  	"github.com/Prakhar-Agarwal-byte/moby/integration/internal/requirement"
    10  	"github.com/Prakhar-Agarwal-byte/moby/testutil"
    11  	"github.com/Prakhar-Agarwal-byte/moby/testutil/daemon"
    12  	"gotest.tools/v3/assert"
    13  	"gotest.tools/v3/skip"
    14  )
    15  
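// testRunWithCgroupNs starts a throwaway daemon whose default cgroup
// namespace mode is daemonNsMode, runs a single container built from
// containerOpts on it, and returns the cgroup namespace of that container
// followed by the cgroup namespace of the daemon itself. Callers compare
// the two values to decide whether the container was placed in its own
// cgroup namespace or left in the daemon's.
//
// The daemon is stopped when the function returns; both namespace values
// are read while it is still running.
func testRunWithCgroupNs(ctx context.Context, t *testing.T, daemonNsMode string, containerOpts ...func(*container.TestContainerConfig)) (string, string) {
	// Attribute assertion failures raised inside the shared daemon/container
	// plumbing to the calling test instead of to this helper's lines.
	t.Helper()

	d := daemon.New(t, daemon.WithDefaultCgroupNamespaceMode(daemonNsMode))
	apiClient := d.NewClientT(t)

	d.StartWithBusybox(ctx, t)
	defer d.Stop(t)

	cID := container.Run(ctx, t, apiClient, containerOpts...)

	daemonCgroup := d.CgroupNamespace(t)
	containerCgroup := container.GetContainerNS(ctx, t, apiClient, cID, "cgroup")
	return containerCgroup, daemonCgroup
}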
    30  
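// testCreateFailureWithCgroupNs starts a throwaway daemon whose default
// cgroup namespace mode is daemonNsMode, attempts to create (not start) a
// container from containerOpts, and asserts that creation fails with an
// error whose text contains errStr.
//
// Only the create call is exercised; nothing is run. The daemon is stopped
// when the function returns.
func testCreateFailureWithCgroupNs(ctx context.Context, t *testing.T, daemonNsMode string, errStr string, containerOpts ...func(*container.TestContainerConfig)) {
	// Report a mismatched or missing error at the caller's line, not here.
	t.Helper()

	d := daemon.New(t, daemon.WithDefaultCgroupNamespaceMode(daemonNsMode))
	apiClient := d.NewClientT(t)

	d.StartWithBusybox(ctx, t)
	defer d.Stop(t)
	_, err := container.CreateFromConfig(ctx, apiClient, container.NewTestConfig(containerOpts...))
	assert.ErrorContains(t, err, errStr)
}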
    42  
// TestCgroupNamespacesRun covers the daemon-wide default: with the daemon
// configured for "private" cgroup namespaces, a container started with no
// explicit cgroupns setting must end up in a cgroup namespace distinct
// from the daemon's own.
func TestCgroupNamespacesRun(t *testing.T) {
	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
	skip.If(t, testEnv.IsRemoteDaemon())
	skip.If(t, !requirement.CgroupNamespacesEnabled())

	ctx := testutil.StartSpan(baseContext, t)

	// No per-container cgroupns option: the daemon default decides.
	ctrNS, daemonNS := testRunWithCgroupNs(ctx, t, "private")
	isolated := ctrNS != daemonNS
	assert.Assert(t, isolated)
}
    55  
// TestCgroupNamespacesRunPrivileged checks the cgroup v1 behaviour for
// privileged containers: even though the daemon defaults to "private",
// a container started with --privileged and no explicit cgroupns setting
// shares the daemon's cgroup namespace instead of getting its own.
//
// The test is skipped on cgroup v2, where privileged containers are given
// a private cgroup namespace (see the skip message).
func TestCgroupNamespacesRunPrivileged(t *testing.T) {
	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
	skip.If(t, testEnv.IsRemoteDaemon())
	skip.If(t, !requirement.CgroupNamespacesEnabled())
	skip.If(t, testEnv.DaemonInfo.CgroupVersion == "2", "on cgroup v2, privileged containers use private cgroupns")

	ctx := testutil.StartSpan(baseContext, t)

	ctrNS, daemonNS := testRunWithCgroupNs(ctx, t, "private", container.WithPrivileged(true))
	sharesDaemonNS := ctrNS == daemonNS
	assert.Assert(t, sharesDaemonNS)
}
    69  
// TestCgroupNamespacesRunDaemonHostMode checks the other daemon-wide
// default: with the daemon configured for "host" cgroup namespaces, a
// container started with no explicit cgroupns setting stays in the
// daemon's cgroup namespace rather than getting one of its own.
func TestCgroupNamespacesRunDaemonHostMode(t *testing.T) {
	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
	skip.If(t, testEnv.IsRemoteDaemon())
	skip.If(t, !requirement.CgroupNamespacesEnabled())

	ctx := testutil.StartSpan(baseContext, t)

	// Daemon default is "host"; the container inherits it.
	ctrNS, daemonNS := testRunWithCgroupNs(ctx, t, "host")
	sharesDaemonNS := ctrNS == daemonNS
	assert.Assert(t, sharesDaemonNS)
}
    82  
// TestCgroupNamespacesRunHostMode checks that a per-container setting
// overrides the daemon default: with the daemon configured for "private"
// cgroup namespaces, a container explicitly requesting cgroupns mode
// "host" is left in the daemon's cgroup namespace.
func TestCgroupNamespacesRunHostMode(t *testing.T) {
	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
	skip.If(t, testEnv.IsRemoteDaemon())
	skip.If(t, !requirement.CgroupNamespacesEnabled())

	ctx := testutil.StartSpan(baseContext, t)

	// Explicit "host" on the container wins over the daemon's "private" default.
	ctrNS, daemonNS := testRunWithCgroupNs(ctx, t, "private", container.WithCgroupnsMode("host"))
	sharesDaemonNS := ctrNS == daemonNS
	assert.Assert(t, sharesDaemonNS)
}
    95  
// TestCgroupNamespacesRunPrivateMode checks that explicitly requesting
// cgroupns mode "private" on a container gives it its own cgroup
// namespace, separate from the daemon's, when the daemon default is also
// "private".
func TestCgroupNamespacesRunPrivateMode(t *testing.T) {
	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
	skip.If(t, testEnv.IsRemoteDaemon())
	skip.If(t, !requirement.CgroupNamespacesEnabled())

	ctx := testutil.StartSpan(baseContext, t)

	// Explicit "private" on the container, matching the daemon default.
	ctrNS, daemonNS := testRunWithCgroupNs(ctx, t, "private", container.WithCgroupnsMode("private"))
	isolated := ctrNS != daemonNS
	assert.Assert(t, isolated)
}
   108  
// TestCgroupNamespacesRunPrivilegedAndPrivate checks that an explicit
// cgroupns mode of "private" is honoured for a privileged container: the
// container must end up in its own cgroup namespace rather than the
// daemon's, even though --privileged is set.
func TestCgroupNamespacesRunPrivilegedAndPrivate(t *testing.T) {
	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
	skip.If(t, testEnv.IsRemoteDaemon())
	skip.If(t, !requirement.CgroupNamespacesEnabled())

	ctx := testutil.StartSpan(baseContext, t)

	// Both options together: privileged, but with cgroupns pinned to "private".
	ctrNS, daemonNS := testRunWithCgroupNs(ctx, t, "private",
		container.WithPrivileged(true),
		container.WithCgroupnsMode("private"),
	)
	isolated := ctrNS != daemonNS
	assert.Assert(t, isolated)
}
   119  
// TestCgroupNamespacesRunInvalidMode checks that an unrecognised cgroupns
// mode is rejected at container creation time, with an error naming the
// offending value, rather than being silently mapped to a default.
func TestCgroupNamespacesRunInvalidMode(t *testing.T) {
	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
	skip.If(t, testEnv.IsRemoteDaemon())
	skip.If(t, !requirement.CgroupNamespacesEnabled())

	ctx := testutil.StartSpan(baseContext, t)

	// The error text must echo the rejected mode so the cause is visible to the caller.
	testCreateFailureWithCgroupNs(ctx, t, "private",
		"invalid cgroup namespace mode: invalid",
		container.WithCgroupnsMode("invalid"),
	)
}
   131  
// TestCgroupNamespacesRunOlderClient checks API-version compatibility for
// the cgroup namespace default. A client negotiating API version 1.39
// (older than 1.40) expects its containers to be created in the host
// cgroup namespace regardless of the daemon's default, so on cgroup v1 the
// container must share the daemon's cgroup namespace even though the
// daemon is configured for "private". On cgroup v2 that compatibility rule
// does not apply and the container gets its own cgroup namespace.
//
// This test drives the daemon directly instead of through
// testRunWithCgroupNs because it needs a client pinned to a specific API
// version.
func TestCgroupNamespacesRunOlderClient(t *testing.T) {
	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
	skip.If(t, testEnv.IsRemoteDaemon())
	skip.If(t, !requirement.CgroupNamespacesEnabled())

	ctx := testutil.StartSpan(baseContext, t)

	d := daemon.New(t, daemon.WithDefaultCgroupNamespaceMode("private"))
	// Pin the client below 1.40 to trigger the legacy host-cgroupns behaviour.
	apiClient := d.NewClientT(t, client.WithVersion("1.39"))

	d.StartWithBusybox(ctx, t)
	defer d.Stop(t)

	cID := container.Run(ctx, t, apiClient)

	daemonNS := d.CgroupNamespace(t)
	ctrNS := container.GetContainerNS(ctx, t, apiClient, cID, "cgroup")
	sharesDaemonNS := daemonNS == ctrNS

	switch testEnv.DaemonInfo.CgroupVersion {
	case "2":
		// cgroup v2: the old-client rule is not applied; expect isolation.
		assert.Assert(t, !sharesDaemonNS)
	default:
		// cgroup v1: old clients keep the host cgroup namespace.
		assert.Assert(t, sharesDaemonNS)
	}
}