github.com/moby/docker@v26.1.3+incompatible/integration-cli/docker_cli_userns_test.go (about) 1 //go:build !windows 2 3 package main 4 5 import ( 6 "fmt" 7 "os" 8 "os/exec" 9 "path" 10 "path/filepath" 11 "strconv" 12 "strings" 13 "syscall" 14 "testing" 15 16 "github.com/docker/docker/pkg/stringid" 17 "github.com/docker/docker/testutil" 18 "gotest.tools/v3/assert" 19 is "gotest.tools/v3/assert/cmp" 20 ) 21 22 // user namespaces test: run daemon with remapped root setting 23 // 1. validate uid/gid maps are set properly 24 // 2. verify that files created are owned by remapped root 25 func (s *DockerDaemonSuite) TestDaemonUserNamespaceRootSetting(c *testing.T) { 26 testRequires(c, UserNamespaceInKernel) 27 28 ctx := testutil.GetContext(c) 29 s.d.StartWithBusybox(ctx, c, "--userns-remap", "default") 30 31 out, err := s.d.Cmd("run", "busybox", "stat", "-c", "%u:%g", "/bin/cat") 32 assert.Check(c, err) 33 assert.Assert(c, is.Equal(strings.TrimSpace(out), "0:0")) 34 35 tmpDir, err := os.MkdirTemp("", "userns") 36 assert.NilError(c, err) 37 38 defer os.RemoveAll(tmpDir) 39 40 // Set a non-existent path 41 tmpDirNotExists := path.Join(os.TempDir(), "userns"+stringid.GenerateRandomID()) 42 defer os.RemoveAll(tmpDirNotExists) 43 44 // we need to find the uid and gid of the remapped root from the daemon's root dir info 45 uidgid := strings.Split(filepath.Base(s.d.Root), ".") 46 assert.Equal(c, len(uidgid), 2, fmt.Sprintf("Should have gotten uid/gid strings from root dirname: %s", filepath.Base(s.d.Root))) 47 uid, err := strconv.Atoi(uidgid[0]) 48 assert.NilError(c, err, "Can't parse uid") 49 gid, err := strconv.Atoi(uidgid[1]) 50 assert.NilError(c, err, "Can't parse gid") 51 52 // writable by the remapped root UID/GID pair 53 assert.NilError(c, os.Chown(tmpDir, uid, gid)) 54 55 out, err = s.d.Cmd("run", "-d", "--name", "userns", "-v", tmpDir+":/goofy", "-v", tmpDirNotExists+":/donald", "busybox", "sh", "-c", "touch /goofy/testfile; exec top") 56 assert.NilError(c, err, "Output: %s", out) 57 58 user := s.findUser(c, "userns") 59 assert.Equal(c, uidgid[0], user) 60 61 // check that the created directory is owned by remapped uid:gid 62 statNotExists, err := os.Stat(tmpDirNotExists) 63 assert.NilError(c, err) 64 fi := statNotExists.Sys().(*syscall.Stat_t) 65 assert.Equal(c, fi.Uid, uint32(uid), "Created directory not owned by remapped root UID") 66 assert.Equal(c, fi.Gid, uint32(gid), "Created directory not owned by remapped root GID") 67 68 pid, err := s.d.Cmd("inspect", "--format={{.State.Pid}}", "userns") 69 assert.Assert(c, err == nil, "Could not inspect running container: out: %q", pid) 70 // check the uid and gid maps for the PID to ensure root is remapped 71 // (cmd = cat /proc/<pid>/uid_map | grep -E '0\s+9999\s+1') 72 _, err = RunCommandPipelineWithOutput( 73 exec.Command("cat", "/proc/"+strings.TrimSpace(pid)+"/uid_map"), 74 exec.Command("grep", "-E", fmt.Sprintf("0[[:space:]]+%d[[:space:]]+", uid))) 75 assert.NilError(c, err) 76 77 _, err = RunCommandPipelineWithOutput( 78 exec.Command("cat", "/proc/"+strings.TrimSpace(pid)+"/gid_map"), 79 exec.Command("grep", "-E", fmt.Sprintf("0[[:space:]]+%d[[:space:]]+", gid))) 80 assert.NilError(c, err) 81 82 // check that the touched file is owned by remapped uid:gid 83 stat, err := os.Stat(filepath.Join(tmpDir, "testfile")) 84 assert.NilError(c, err) 85 fi = stat.Sys().(*syscall.Stat_t) 86 assert.Equal(c, fi.Uid, uint32(uid), "Touched file not owned by remapped root UID") 87 assert.Equal(c, fi.Gid, uint32(gid), "Touched file not owned by remapped root GID") 88 89 // use host usernamespace 90 out, err = s.d.Cmd("run", "-d", "--name", "userns_skip", "--userns", "host", "busybox", "sh", "-c", "touch /goofy/testfile; exec top") 91 assert.Assert(c, err == nil, "Output: %s", out) 92 user = s.findUser(c, "userns_skip") 93 // userns are skipped, user is root 94 assert.Equal(c, user, "root") 95 } 96 97 // findUser finds the uid or name of the user of the first process that runs in a container 98 func (s *DockerDaemonSuite) findUser(c *testing.T, container string) string { 99 out, err := s.d.Cmd("top", container) 100 assert.Assert(c, err == nil, "Output: %s", out) 101 rows := strings.Split(out, "\n") 102 if len(rows) < 2 { 103 // No process rows founds 104 c.FailNow() 105 } 106 return strings.Fields(rows[1])[0] 107 }