From afd901e408d8d4ed00707c545ae985bc637a1979 Mon Sep 17 00:00:00 2001
From: Jana Radhakrishnan
Date: Wed, 20 May 2015 06:06:44 +0000
Subject: [PATCH] Fix network connectivity problem for non-root users

If a container was started with a non-root user the container may not be able to resolve DNS names because of too restrictive permission in the /etc/resolv.conf container file. This problem is in how this file gets created in libnetwork and ths PR attempts to fix the issue by vendoring in the libnetwork code with the fix.

Signed-off-by: Jana Radhakrishnan
---
 hack/vendor.sh | 2 +-
 integration-cli/docker_cli_run_test.go | 26 +++++++++++++++++++
 .../github.com/docker/libnetwork/endpoint.go | 5 ++++
 .../docker/libnetwork/libnetwork_test.go | 10 +++++++
 4 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/hack/vendor.sh b/hack/vendor.sh
index 5288b6634d..a98e3bcfe9 100755
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -55,7 +55,7 @@ clone hg code.google.com/p/go.net 84a4013f96e0
 clone hg code.google.com/p/gosqlite 74691fb6f837
 #get libnetwork packages
-clone git github.com/docker/libnetwork v0.2
+clone git github.com/docker/libnetwork b39597744b0978fe4aeb9f3a099ba42f7b6c4a1f
 clone git github.com/vishvananda/netns 008d17ae001344769b031375bdb38a86219154c6
 clone git github.com/vishvananda/netlink 8eb64238879fed52fd51c5b30ad20b928fb4c36c
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index e7b9f2d71d..0b067b9785 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -1455,6 +1455,32 @@ func (s *DockerSuite) TestRunDnsOptionsBasedOnHostResolvConf(c *check.C) {
 }
 }
+// Test to see if a non-root user can resolve a DNS name and reach out to it. Also
+// check if the container resolv.conf file has atleast 0644 perm.
+func (s *DockerSuite) TestRunNonRootUserResolvName(c *check.C) {
+ testRequires(c, SameHostDaemon)
+
+ cmd := exec.Command(dockerBinary, "run", "--name=testperm", "--user=default", "busybox", "ping", "-c", "1", "www.docker.io")
+ if out, err := runCommand(cmd); err != nil {
+ c.Fatal(err, out)
+ }
+
+ cID, err := getIDByName("testperm")
+ if err != nil {
+ c.Fatal(err)
+ }
+
+ fmode := (os.FileMode)(0644)
+ finfo, err := os.Stat(containerStorageFile(cID, "resolv.conf"))
+ if err != nil {
+ c.Fatal(err)
+ }
+
+ if (finfo.Mode() & fmode) != fmode {
+ c.Fatalf("Expected container resolv.conf mode to be atleast %s, instead got %s", fmode.String(), finfo.Mode().String())
+ }
+}
+
 // Test if container resolv.conf gets updated the next time it restarts
 // if host /etc/resolv.conf has changed. This only applies if the container
 // uses the host's /etc/resolv.conf and does not have any dns options provided.
diff --git a/vendor/src/github.com/docker/libnetwork/endpoint.go b/vendor/src/github.com/docker/libnetwork/endpoint.go
index 3ddec80ec9..f6f18a9360 100644
--- a/vendor/src/github.com/docker/libnetwork/endpoint.go
+++ b/vendor/src/github.com/docker/libnetwork/endpoint.go
@@ -548,6 +548,11 @@ func (ep *endpoint) updateDNS(resolvConf []byte) error {
 return err
 }
+ // Change the perms to 0644 since ioutil.TempFile creates it by default as 0600
+ if err := os.Chmod(tmpResolvFile.Name(), 0644); err != nil {
+ return err
+ }
+
 // write the updates to the temp files
 if err = ioutil.WriteFile(tmpHashFile.Name(), []byte(newHash), 0644); err != nil {
 return err
diff --git a/vendor/src/github.com/docker/libnetwork/libnetwork_test.go b/vendor/src/github.com/docker/libnetwork/libnetwork_test.go
index b628190657..879c0f146e 100644
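Review bot: TestRunNonRootUserResolvName makes the permission check depend on outbound reachability of `www.docker.io` via `ping -c 1`, so on an offline or egress-filtered CI host the test fails before the resolv.conf mode is ever inspected, and the failure reads as a DNS regression rather than a missing network. The only requirement declared is `SameHostDaemon`; if the suite has a network-availability requirement it should be added to that `testRequires` call, or the mode check should be moved ahead of the ping so it still reports when the ping cannot run. The doc comment and the Fatalf message both say "atleast"; I would write the comment as `// check that the container's resolv.conf is at least 0644, i.e. readable by any in-container UID.` and the message as `"Expected container resolv.conf mode to be at least %s, instead got %s"`. Since the check is `(finfo.Mode() & fmode) != fmode`, the comment should say it is a lower bound on the permission bits, not an exact mode, which is what the name `fmode` suggests.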
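Review bot: The new chmod in updateDNS operates on the temp file by path, `os.Chmod(tmpResolvFile.Name(), 0644)`, even though `tmpResolvFile` is an open handle; if the handle is still open at this point (the hunk does not show where it is closed), `tmpResolvFile.Chmod(0644)` applies the same mode through the descriptor and cannot be redirected by anything that swaps the path in the temp directory between create and chmod. The comment states what the call does but not why it is safe to widen the mode; I would replace it with `// resolv.conf is read by whatever UID the container runs as, so widen it from the 0600 that ioutil.TempFile creates; it holds no secrets.` so the next reader does not tighten it back. updateDNS starts before the hunk and continues after it, so whether the file is renamed into place after this point is not visible here.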
--- a/vendor/src/github.com/docker/libnetwork/libnetwork_test.go
+++ b/vendor/src/github.com/docker/libnetwork/libnetwork_test.go
@@ -1137,6 +1137,16 @@ func TestResolvConf(t *testing.T) {
 }
 }()
+ finfo, err := os.Stat(resolvConfPath)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ fmode := (os.FileMode)(0644)
+ if finfo.Mode() != fmode {
+ t.Fatalf("Expected file mode %s, got %s", fmode.String(), finfo.Mode().String())
+ }
+
 content, err := ioutil.ReadFile(resolvConfPath)
 if err != nil {
 t.Fatal(err)
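Review bot: The unit test in TestResolvConf asserts an exact mode with `finfo.Mode() != fmode`, while the integration test added in the same commit checks only that the 0644 bits are present; the two should agree on which contract the file has, and the exact form is the stricter and better one since `os.Chmod` sets the bits precisely. Comparing against `finfo.Mode().Perm()` makes that intent explicit and keeps the assertion correct even if a future change stats something with type bits set, e.g. `if finfo.Mode().Perm() != fmode {`. TestResolvConf starts before the hunk and continues after it.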