daemon/oci_linux_test: add TestIpcPrivateVsReadonly
The test case checks that in case of IpcMode: private and
ReadonlyRootfs: true (as in "docker run --ipc private --read-only")
the resulting /dev/shm mount is NOT made read-only.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 33dd562e3acff71ee18a2543d14fcbecf9bf0e62)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
diff --git a/daemon/oci_linux_test.go b/daemon/oci_linux_test.go
index 4af0ba9..f6bda79 100644
--- a/daemon/oci_linux_test.go
+++ b/daemon/oci_linux_test.go
@@ -48,3 +48,41 @@
err = setMounts(&d, &s, c, ms)
assert.NoError(t, err)
}
+
+// TestIpcPrivateVsReadonly checks that in case of IpcMode: private
+// and ReadonlyRootfs: true (as in "docker run --ipc private --read-only")
+// the resulting /dev/shm mount is NOT made read-only.
+// https://github.com/moby/moby/issues/36503
+func TestIpcPrivateVsReadonly(t *testing.T) {
+ d := Daemon{
+ // some empty structs to avoid getting a panic
+ // caused by a null pointer dereference
+ idMappings: &idtools.IDMappings{},
+ configStore: &config.Config{},
+ }
+ c := &container.Container{
+ HostConfig: &containertypes.HostConfig{
+ IpcMode: containertypes.IpcMode("private"),
+ ReadonlyRootfs: true,
+ },
+ }
+
+ // We can't call createSpec() so mimick the minimal part
+ // of its code flow, just enough to reproduce the issue.
+ ms, err := d.setupMounts(c)
+ assert.NoError(t, err)
+
+ s := oci.DefaultSpec()
+ s.Root.Readonly = c.HostConfig.ReadonlyRootfs
+
+ err = setMounts(&d, &s, c, ms)
+ assert.NoError(t, err)
+
+ // Find the /dev/shm mount in ms, check it does not have ro
+ for _, m := range s.Mounts {
+ if m.Destination != "/dev/shm" {
+ continue
+ }
+ assert.Equal(t, false, inSlice(m.Options, "ro"))
+ }
+}
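Review bot: The final loop in TestIpcPrivateVsReadonly passes vacuously when `s.Mounts` contains no `/dev/shm` entry, because the only assertion sits behind the `continue`. A regression that drops or renames the mount would therefore still leave the test green. Record that the mount was seen and assert on it after the loop: `found := false` before the loop, `found = true` next to the existing `assert.Equal`, and `assert.True(t, found, "no /dev/shm mount in spec")` after it. The comment above the loop says the mount is looked up "in ms" while the code ranges over `s.Mounts`; it should read `// Find the /dev/shm mount in s.Mounts, check it does not have ro`. Separately, `assert.NoError` does not stop the test, so a failure in `setupMounts` or `setMounts` still falls through to the loop, and returning early on error would make the failure output less ambiguous.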