github.com/lazyboychen7/engine@v17.12.1-ce-rc2+incompatible/daemon/volumes_linux.go (about) 1 package daemon 2 3 import ( 4 "strings" 5 6 "github.com/docker/docker/api/types/mount" 7 "github.com/pkg/errors" 8 ) 9 10 // validateBindDaemonRoot ensures that if a given mountpoint's source is within 11 // the daemon root path, that the propagation is setup to prevent a container 12 // from holding private refereneces to a mount within the daemon root, which 13 // can cause issues when the daemon attempts to remove the mountpoint. 14 func (daemon *Daemon) validateBindDaemonRoot(m mount.Mount) (bool, error) { 15 if m.Type != mount.TypeBind { 16 return false, nil 17 } 18 19 // check if the source is within the daemon root, or if the daemon root is within the source 20 if !strings.HasPrefix(m.Source, daemon.root) && !strings.HasPrefix(daemon.root, m.Source) { 21 return false, nil 22 } 23 24 if m.BindOptions == nil { 25 return true, nil 26 } 27 28 switch m.BindOptions.Propagation { 29 case mount.PropagationRSlave, mount.PropagationRShared, "": 30 return m.BindOptions.Propagation == "", nil 31 default: 32 } 33 34 return false, validationError{errors.Errorf(`invalid mount config: must use either propagation mode "rslave" or "rshared" when mount source is within the daemon root, daemon root: %q, bind mount source: %q, propagation: %q`, daemon.root, m.Source, m.BindOptions.Propagation)} 35 }