github.com/rumpl/bof@v23.0.0-rc.2+incompatible/integration/container/run_cgroupns_linux_test.go

github.com/rumpl/bof@v23.0.0-rc.2+incompatible/integration/container/run_cgroupns_linux_test.go (about)

     1  package container // import "github.com/docker/docker/integration/container"
     2  
     3  import (
     4  	"context"
     5  	"testing"
     6  	"time"
     7  
     8  	"github.com/docker/docker/client"
     9  	"github.com/docker/docker/integration/internal/container"
    10  	"github.com/docker/docker/integration/internal/requirement"
    11  	"github.com/docker/docker/testutil/daemon"
    12  	"gotest.tools/v3/assert"
    13  	"gotest.tools/v3/poll"
    14  	"gotest.tools/v3/skip"
    15  )
    16  
    17  // Bring up a daemon with the specified default cgroup namespace mode, and then create a container with the container options
    18  func testRunWithCgroupNs(t *testing.T, daemonNsMode string, containerOpts ...func(*container.TestContainerConfig)) (string, string) {
    19  	d := daemon.New(t, daemon.WithDefaultCgroupNamespaceMode(daemonNsMode))
    20  	client := d.NewClientT(t)
    21  	ctx := context.Background()
    22  
    23  	d.StartWithBusybox(t)
    24  	defer d.Stop(t)
    25  
    26  	cID := container.Run(ctx, t, client, containerOpts...)
    27  	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
    28  
    29  	daemonCgroup := d.CgroupNamespace(t)
    30  	containerCgroup := container.GetContainerNS(ctx, t, client, cID, "cgroup")
    31  	return containerCgroup, daemonCgroup
    32  }
    33  
    34  // Bring up a daemon with the specified default cgroup namespace mode. Create a container with the container options,
    35  // expecting an error with the specified string
    36  func testCreateFailureWithCgroupNs(t *testing.T, daemonNsMode string, errStr string, containerOpts ...func(*container.TestContainerConfig)) {
    37  	d := daemon.New(t, daemon.WithDefaultCgroupNamespaceMode(daemonNsMode))
    38  	client := d.NewClientT(t)
    39  	ctx := context.Background()
    40  
    41  	d.StartWithBusybox(t)
    42  	defer d.Stop(t)
    43  	container.CreateExpectingErr(ctx, t, client, errStr, containerOpts...)
    44  }
    45  
    46  func TestCgroupNamespacesRun(t *testing.T) {
    47  	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
    48  	skip.If(t, testEnv.IsRemoteDaemon())
    49  	skip.If(t, !requirement.CgroupNamespacesEnabled())
    50  
    51  	// When the daemon defaults to private cgroup namespaces, containers launched
    52  	// should be in their own private cgroup namespace by default
    53  	containerCgroup, daemonCgroup := testRunWithCgroupNs(t, "private")
    54  	assert.Assert(t, daemonCgroup != containerCgroup)
    55  }
    56  
    57  func TestCgroupNamespacesRunPrivileged(t *testing.T) {
    58  	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
    59  	skip.If(t, testEnv.IsRemoteDaemon())
    60  	skip.If(t, !requirement.CgroupNamespacesEnabled())
    61  	skip.If(t, testEnv.DaemonInfo.CgroupVersion == "2", "on cgroup v2, privileged containers use private cgroupns")
    62  
    63  	// When the daemon defaults to private cgroup namespaces, privileged containers
    64  	// launched should not be inside their own cgroup namespaces
    65  	containerCgroup, daemonCgroup := testRunWithCgroupNs(t, "private", container.WithPrivileged(true))
    66  	assert.Assert(t, daemonCgroup == containerCgroup)
    67  }
    68  
    69  func TestCgroupNamespacesRunDaemonHostMode(t *testing.T) {
    70  	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
    71  	skip.If(t, testEnv.IsRemoteDaemon())
    72  	skip.If(t, !requirement.CgroupNamespacesEnabled())
    73  
    74  	// When the daemon defaults to host cgroup namespaces, containers
    75  	// launched should not be inside their own cgroup namespaces
    76  	containerCgroup, daemonCgroup := testRunWithCgroupNs(t, "host")
    77  	assert.Assert(t, daemonCgroup == containerCgroup)
    78  }
    79  
    80  func TestCgroupNamespacesRunHostMode(t *testing.T) {
    81  	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
    82  	skip.If(t, testEnv.IsRemoteDaemon())
    83  	skip.If(t, !requirement.CgroupNamespacesEnabled())
    84  
    85  	// When the daemon defaults to private cgroup namespaces, containers launched
    86  	// with a cgroup ns mode of "host" should not be inside their own cgroup namespaces
    87  	containerCgroup, daemonCgroup := testRunWithCgroupNs(t, "private", container.WithCgroupnsMode("host"))
    88  	assert.Assert(t, daemonCgroup == containerCgroup)
    89  }
    90  
    91  func TestCgroupNamespacesRunPrivateMode(t *testing.T) {
    92  	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
    93  	skip.If(t, testEnv.IsRemoteDaemon())
    94  	skip.If(t, !requirement.CgroupNamespacesEnabled())
    95  
    96  	// When the daemon defaults to private cgroup namespaces, containers launched
    97  	// with a cgroup ns mode of "private" should be inside their own cgroup namespaces
    98  	containerCgroup, daemonCgroup := testRunWithCgroupNs(t, "private", container.WithCgroupnsMode("private"))
    99  	assert.Assert(t, daemonCgroup != containerCgroup)
   100  }
   101  
   102  func TestCgroupNamespacesRunPrivilegedAndPrivate(t *testing.T) {
   103  	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
   104  	skip.If(t, testEnv.IsRemoteDaemon())
   105  	skip.If(t, !requirement.CgroupNamespacesEnabled())
   106  
   107  	containerCgroup, daemonCgroup := testRunWithCgroupNs(t, "private", container.WithPrivileged(true), container.WithCgroupnsMode("private"))
   108  	assert.Assert(t, daemonCgroup != containerCgroup)
   109  }
   110  
   111  func TestCgroupNamespacesRunInvalidMode(t *testing.T) {
   112  	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
   113  	skip.If(t, testEnv.IsRemoteDaemon())
   114  	skip.If(t, !requirement.CgroupNamespacesEnabled())
   115  
   116  	// An invalid cgroup namespace mode should return an error on container creation
   117  	errStr := "invalid cgroup namespace mode: invalid"
   118  	testCreateFailureWithCgroupNs(t, "private", errStr, container.WithCgroupnsMode("invalid"))
   119  }
   120  
   121  // Clients before 1.40 expect containers to be created in the host cgroup namespace,
   122  // regardless of the default setting of the daemon, unless running with cgroup v2
   123  func TestCgroupNamespacesRunOlderClient(t *testing.T) {
   124  	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
   125  	skip.If(t, testEnv.IsRemoteDaemon())
   126  	skip.If(t, !requirement.CgroupNamespacesEnabled())
   127  
   128  	d := daemon.New(t, daemon.WithDefaultCgroupNamespaceMode("private"))
   129  	client := d.NewClientT(t, client.WithVersion("1.39"))
   130  
   131  	ctx := context.Background()
   132  	d.StartWithBusybox(t)
   133  	defer d.Stop(t)
   134  
   135  	cID := container.Run(ctx, t, client)
   136  	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
   137  
   138  	daemonCgroup := d.CgroupNamespace(t)
   139  	containerCgroup := container.GetContainerNS(ctx, t, client, cID, "cgroup")
   140  	if testEnv.DaemonInfo.CgroupVersion != "2" {
   141  		assert.Assert(t, daemonCgroup == containerCgroup)
   142  	} else {
   143  		assert.Assert(t, daemonCgroup != containerCgroup)
   144  	}
   145  }