authorRob Gulewich <rgulewich@netflix.com>2019-03-14 20:44:18 -0700
committerRob Gulewich <rgulewich@netflix.com>2019-05-07 10:22:16 -0700
commit072400fc4b8d6a38a2007d41072b765666a4c288 (patch)
tree6251892ed427acbdeffceaf19690bb861d11c9a3 /integration/internal
parent256eb04d6989d50cd622c5db65ef0a283e94365c (diff)
Make cgroup namespaces configurable
This adds both a daemon-wide flag and a container creation property:
- Set the `CgroupnsMode: "host|private"` HostConfig property at container creation time to control what cgroup namespace the container is created in
- Set the `--default-cgroupns-mode=host|private` daemon flag to control what cgroup namespace containers are created in by default
- Set the default if the daemon flag is unset to "host", for backward compatibility
- Default to CgroupnsMode: "host" for client versions < 1.40

Signed-off-by: Rob Gulewich <rgulewich@netflix.com>
Diffstat (limited to 'integration/internal')
-rw-r--r--integration/internal/container/container.go17
-rw-r--r--integration/internal/container/ops.go20
-rw-r--r--integration/internal/requirement/requirement_linux.go10
3 files changed, 44 insertions, 3 deletions
diff --git a/integration/internal/container/container.go b/integration/internal/container/container.go
index 20ad774242..280f64897d 100644
--- a/integration/internal/container/container.go
+++ b/integration/internal/container/container.go
@@ -20,9 +20,9 @@ type TestContainerConfig struct {
NetworkingConfig *network.NetworkingConfig
}
-// Create creates a container with the specified options
+// create creates a container with the specified options
// nolint: golint
-func Create(t *testing.T, ctx context.Context, client client.APIClient, ops ...func(*TestContainerConfig)) string { // nolint: golint
+func create(t *testing.T, ctx context.Context, client client.APIClient, ops ...func(*TestContainerConfig)) (container.ContainerCreateCreatedBody, error) { // nolint: golint
t.Helper()
config := &TestContainerConfig{
Config: &container.Config{
@@ -37,12 +37,23 @@ func Create(t *testing.T, ctx context.Context, client client.APIClient, ops ...f
op(config)
}
- c, err := client.ContainerCreate(ctx, config.Config, config.HostConfig, config.NetworkingConfig, config.Name)
+ return client.ContainerCreate(ctx, config.Config, config.HostConfig, config.NetworkingConfig, config.Name)
+}
+
+// Create creates a container with the specified options, asserting that there was no error
+func Create(t *testing.T, ctx context.Context, client client.APIClient, ops ...func(*TestContainerConfig)) string { // nolint: golint
+ c, err := create(t, ctx, client, ops...)
assert.NilError(t, err)
return c.ID
}
+// CreateExpectingErr creates a container, expecting an error with the specified message
+func CreateExpectingErr(t *testing.T, ctx context.Context, client client.APIClient, errMsg string, ops ...func(*TestContainerConfig)) { // nolint: golint
+ _, err := create(t, ctx, client, ops...)
+ assert.ErrorContains(t, err, errMsg)
+}
+
// Run creates and start a container with the specified options
// nolint: golint
func Run(t *testing.T, ctx context.Context, client client.APIClient, ops ...func(*TestContainerConfig)) string { // nolint: golint
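Review bot: `Create` and the new `CreateExpectingErr` never call `t.Helper()`, so a failing `assert.NilError` or `assert.ErrorContains` is reported against container.go rather than against the integration test that called the helper; the only `t.Helper()` left is in `create`, which no longer asserts anything. Adding `t.Helper()` as the first statement of both wrappers would restore useful failure locations. Separately, `CreateExpectingErr` discards the create response, so if the daemon wrongly accepts the configuration the container is left behind on the test daemon. An empty `errMsg` also makes the substring match accept any non-nil error, which weakens negative tests meant to prove that an invalid setting is rejected for the right reason.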
diff --git a/integration/internal/container/ops.go b/integration/internal/container/ops.go
index 10fc064702..b9ba8c4e85 100644
--- a/integration/internal/container/ops.go
+++ b/integration/internal/container/ops.go
@@ -160,3 +160,23 @@ func WithUser(user string) func(c *TestContainerConfig) {
c.Config.User = user
}
}
+
+// WithPrivileged sets privileged mode for the container
+func WithPrivileged(privileged bool) func(*TestContainerConfig) {
+ return func(c *TestContainerConfig) {
+ if c.HostConfig == nil {
+ c.HostConfig = &containertypes.HostConfig{}
+ }
+ c.HostConfig.Privileged = privileged
+ }
+}
+
+// WithCgroupnsMode sets the cgroup namespace mode for the container
+func WithCgroupnsMode(mode string) func(*TestContainerConfig) {
+ return func(c *TestContainerConfig) {
+ if c.HostConfig == nil {
+ c.HostConfig = &containertypes.HostConfig{}
+ }
+ c.HostConfig.CgroupnsMode = containertypes.CgroupnsMode(mode)
+ }
+}
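Review bot: The doc comment on `WithCgroupnsMode` should say that `mode` is converted with `containertypes.CgroupnsMode(mode)` without validation, so an arbitrary string reaches the daemon; that suits negative tests, but a typo in a positive test only surfaces as a daemon-side error. Suggested comment: `// WithCgroupnsMode sets HostConfig.CgroupnsMode to mode ("host" or "private"); the value is not validated here.` `WithPrivileged` would benefit from a line noting that privileged mode removes most container isolation, so it belongs only in tests that need it. Both options repeat the `c.HostConfig == nil` initialisation; whether ops.go already has a shared helper for that is not visible in this hunk.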
diff --git a/integration/internal/requirement/requirement_linux.go b/integration/internal/requirement/requirement_linux.go
index 10a36b0fd9..1197e407ed 100644
--- a/integration/internal/requirement/requirement_linux.go
+++ b/integration/internal/requirement/requirement_linux.go
@@ -1,12 +1,22 @@
package requirement // import "github.com/docker/docker/integration/internal/requirement"
import (
+ "os"
"strings"
"github.com/docker/docker/pkg/parsers/kernel"
"gotest.tools/icmd"
)
+// CgroupNamespacesEnabled checks if cgroup namespaces are enabled on this host
+func CgroupNamespacesEnabled() bool {
+ if _, err := os.Stat("/proc/self/ns/cgroup"); os.IsNotExist(err) {
+ return false
+ }
+
+ return true
+}
+
func overlayFSSupported() bool {
result := icmd.RunCommand("/bin/sh", "-c", "cat /proc/filesystems")
if result.Error != nil {
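Review bot: `CgroupNamespacesEnabled` returns true for every `os.Stat` failure other than not-exist (for example a permission error under /proc), so tests gated on it would run on hosts where the check could not actually be made. Treating any error as "not available" is stricter: `_, err := os.Stat("/proc/self/ns/cgroup"); return err == nil`. The file's presence also only shows that the kernel exposes a cgroup namespace entry for this process; the doc comment could say `reports whether /proc/self/ns/cgroup exists` rather than `enabled`, since it says nothing about the daemon's configured default mode.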