bugfix: container can not write cgroup with privileged

clear ro in mount option when container get privileged, make cgroup writable, add test for it. Signed-off-by: Ace-Tang <aceapril@126.com>
AliyunContainerService · Dec 13, 2018 · fe8bd4a · fe8bd4a
1 parent a103371
commit fe8bd4a
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 5 deletions.
diff --git a/daemon/mgr/spec_mount.go b/daemon/mgr/spec_mount.go
@@ -129,12 +129,15 @@ func setupMounts(ctx context.Context, c *Container, s *specs.Spec) error {
 	s.Mounts = sortMounts(mounts)
 
 	if c.HostConfig.Privileged {
-		if !s.Root.Readonly {
+		for i := range s.Mounts {
 			// Clear readonly for /sys.
-			for i := range s.Mounts {
-				if s.Mounts[i].Destination == "/sys" {
-					clearReadonly(&s.Mounts[i])
-				}
+			if s.Mounts[i].Destination == "/sys" && !s.Root.Readonly {
+				clearReadonly(&s.Mounts[i])
+			}
+
+			// Clear readonly for cgroup
+			if s.Mounts[i].Type == "cgroup" {
+				clearReadonly(&s.Mounts[i])
 			}
 		}
 	}

diff --git a/test/cli_run_with_privileged_test.go b/test/cli_run_with_privileged_test.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/alibaba/pouch/test/command"
 	"github.com/alibaba/pouch/test/environment"
+	"github.com/alibaba/pouch/test/util"
 
 	"github.com/go-check/check"
 	"github.com/gotestyourself/gotestyourself/icmd"
@@ -86,3 +87,21 @@ func (suite *PouchRunPrivilegedSuite) TestRunCheckSysWritableWithAndWithoutPrivi
 		c.Errorf("expected %s, but got %s", expected, out)
 	}
 }
+
+// TestCgroupWritableWithAndWithoutPrivileged tests cgroup can be writable with privileged,
+// can not be writable without privileged
+func (suite *PouchRunPrivilegedSuite) TestCgroupWritableWithAndWithoutPrivileged(c *check.C) {
+	name := "TestRunCheckCgroupWritable"
+	command.PouchRun("run", "--name", name, "--privileged", busyboxImage, "sh", "-c", "mkdir /sys/fs/cgroup/cpu/test").Assert(c, icmd.Success)
+	defer DelContainerForceMultyTime(c, name)
+
+	name1 := "TestRunCheckCgroupCannotWritable"
+	res := command.PouchRun("run", "--name", name1, busyboxImage, "sh", "-c", "mkdir /sys/fs/cgroup/cpu/test")
+	defer DelContainerForceMultyTime(c, name1)
+
+	if res.ExitCode == 0 {
+		c.Errorf("non-privileged container executes mkdir /sys/fs/cgroup/cpu/test should failed, but succeeded: %v", res.Combined())
+	}
+
+	c.Assert(util.PartialEqual(res.Combined(), "Read-only file system"), check.IsNil)
+}