Merge pull request #13312 from hqhq/hq_enable_cgroupfs

Add cgroup bind mount by default
2015-07-10 10:45:05 -07:00 · 2015-07-10 10:45:05 -07:00 · 1dd2fda394
parent c4b85baf3d f18fb5b3ef
commit 1dd2fda394
2 changed files with 21 additions and 0 deletions
--- a/daemon/execdriver/native/template/default_template.go
+++ b/daemon/execdriver/native/template/default_template.go
@ -80,6 +80,12 @@ func New() *configs.Config {
 				Device:      "sysfs",
 				Flags:       defaultMountFlags | syscall.MS_RDONLY,
 			},
+			{
+				Source:      "cgroup",
+				Destination: "/sys/fs/cgroup",
+				Device:      "cgroup",
+				Flags:       defaultMountFlags | syscall.MS_RDONLY,
+			},
 		},
 		MaskPaths: []string{
 			"/proc/kcore",
--- a/integration-cli/docker_cli_run_unix_test.go
+++ b/integration-cli/docker_cli_run_unix_test.go
@ -159,6 +159,21 @@ func (s *DockerSuite) TestRunContainerWithCgroupParentAbsPath(c *check.C) {
 	}
 }

+func (s *DockerSuite) TestRunContainerWithCgroupMountRO(c *check.C) {
+	testRequires(c, NativeExecDriver)
+
+	filename := "/sys/fs/cgroup/devices/test123"
+	cmd := exec.Command(dockerBinary, "run", "busybox", "touch", filename)
+	out, _, err := runCommandWithOutput(cmd)
+	if err == nil {
+		c.Fatal("expected cgroup mount point to be read-only, touch file should fail")
+	}
+	expected := "Read-only file system"
+	if !strings.Contains(out, expected) {
+		c.Fatalf("expected output from failure to contain %s but contains %s", expected, out)
+	}
+}
+
 func (s *DockerSuite) TestRunDeviceDirectory(c *check.C) {
 	testRequires(c, NativeExecDriver)
 	cmd := exec.Command(dockerBinary, "run", "--device", "/dev/snd:/dev/snd", "busybox", "sh", "-c", "ls /dev/snd/")