A container with a private network namespace cannot be connected to the host network,
and a container using the host network cannot be disconnected from it.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
| ... | ... |
@@ -720,6 +720,10 @@ func (daemon *Daemon) updateNetworkSettings(container *Container, n libnetwork.N |
| 720 | 720 |
container.NetworkSettings = &network.Settings{Networks: make(map[string]*network.EndpointSettings)}
|
| 721 | 721 |
} |
| 722 | 722 |
|
| 723 |
+ if !container.hostConfig.NetworkMode.IsHost() && runconfig.NetworkMode(n.Type()).IsHost() {
|
|
| 724 |
+ return runconfig.ErrConflictHostNetwork |
|
| 725 |
+ } |
|
| 726 |
+ |
|
| 723 | 727 |
for s := range container.NetworkSettings.Networks {
|
| 724 | 728 |
sn, err := daemon.FindNetwork(s) |
| 725 | 729 |
if err != nil {
|
| ... | ... |
@@ -1174,6 +1178,10 @@ func (container *Container) DisconnectFromNetwork(n libnetwork.Network) error {
|
| 1174 | 1174 |
return derr.ErrorCodeNotRunning.WithArgs(container.ID) |
| 1175 | 1175 |
} |
| 1176 | 1176 |
|
| 1177 |
+ if container.hostConfig.NetworkMode.IsHost() && runconfig.NetworkMode(n.Type()).IsHost() {
|
|
| 1178 |
+ return runconfig.ErrConflictHostNetwork |
|
| 1179 |
+ } |
|
| 1180 |
+ |
|
| 1177 | 1181 |
if err := container.disconnectFromNetwork(n); err != nil {
|
| 1178 | 1182 |
return err |
| 1179 | 1183 |
} |
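Review bot: In the updateNetworkSettings hunk the new host-network check comes after the `container.NetworkSettings = &network.Settings{...}` initialisation, so a refused connect appears to leave a freshly allocated settings struct on the container; placing the check ahead of that block would keep the refusal free of side effects. This guard and the one added to DisconnectFromNetwork would also benefit from a one-line comment stating the invariant they protect, for example `// The host network shares the host's network namespace, so it may only be chosen at container creation and never joined or left later.` Both functions begin and end outside their hunks, so earlier checks and callers are not visible here.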
| ... | ... |
@@ -15,6 +15,7 @@ import ( |
| 15 | 15 |
"github.com/docker/docker/api/types" |
| 16 | 16 |
"github.com/docker/docker/api/types/versions/v1p20" |
| 17 | 17 |
"github.com/docker/docker/pkg/integration/checker" |
| 18 |
+ "github.com/docker/docker/runconfig" |
|
| 18 | 19 |
"github.com/docker/libnetwork/driverapi" |
| 19 | 20 |
remoteapi "github.com/docker/libnetwork/drivers/remote/api" |
| 20 | 21 |
"github.com/docker/libnetwork/ipamapi" |
| ... | ... |
@@ -764,3 +765,20 @@ func (s *DockerNetworkSuite) TestDockerNetworkHostModeUngracefulDaemonRestart(c |
| 764 | 764 |
c.Assert(strings.TrimSpace(runningOut), checker.Equals, "true") |
| 765 | 765 |
} |
| 766 | 766 |
} |
| 767 |
+ |
|
| 768 |
+func (s *DockerNetworkSuite) TestDockerNetworkConnectToHostFromOtherNetwork(c *check.C) {
|
|
| 769 |
+ dockerCmd(c, "run", "-d", "--name", "container1", "busybox", "top") |
|
| 770 |
+ c.Assert(waitRun("container1"), check.IsNil)
|
|
| 771 |
+ dockerCmd(c, "network", "disconnect", "bridge", "container1") |
|
| 772 |
+ out, _, err := dockerCmdWithError("network", "connect", "host", "container1")
|
|
| 773 |
+ c.Assert(err, checker.NotNil, check.Commentf(out)) |
|
| 774 |
+ c.Assert(out, checker.Contains, runconfig.ErrConflictHostNetwork.Error()) |
|
| 775 |
+} |
|
| 776 |
+ |
|
| 777 |
+func (s *DockerNetworkSuite) TestDockerNetworkDisconnectFromHost(c *check.C) {
|
|
| 778 |
+ dockerCmd(c, "run", "-d", "--name", "container1", "--net=host", "busybox", "top") |
|
| 779 |
+ c.Assert(waitRun("container1"), check.IsNil)
|
|
| 780 |
+ out, _, err := dockerCmdWithError("network", "disconnect", "host", "container1")
|
|
| 781 |
+ c.Assert(err, checker.NotNil, check.Commentf("Should err out disconnect from host"))
|
|
| 782 |
+ c.Assert(out, checker.Contains, runconfig.ErrConflictHostNetwork.Error()) |
|
| 783 |
+} |
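Review bot: TestDockerNetworkConnectToHostFromOtherNetwork detaches container1 from bridge before attempting the connect, so it only covers a container with no network left, and neither new test checks the container's state after the refusal. Since the guard is what keeps a privately namespaced container out of the host's network namespace, I would also attempt `dockerCmdWithError("network", "connect", "host", "container1")` while bridge is still attached. After each refusal the test should assert that the container is still running and that its network list is unchanged.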
| ... | ... |
@@ -22,6 +22,8 @@ var ( |
| 22 | 22 |
ErrConflictUserDefinedNetworkAndLinks = fmt.Errorf("Conflicting options: --net=<NETWORK> can't be used with links. This would result in undefined behavior")
|
| 23 | 23 |
// ErrConflictSharedNetwork conflict between private and other networks |
| 24 | 24 |
ErrConflictSharedNetwork = fmt.Errorf("Container sharing network namespace with another container or host cannot be connected to any other network")
|
| 25 |
+ // ErrConflictHostNetwork conflict from being disconnected from host network or connected to host network. |
|
| 26 |
+ ErrConflictHostNetwork = fmt.Errorf("Container cannot be disconnected from host network or connected to host network")
|
|
| 25 | 27 |
// ErrConflictNoNetwork conflict between private and other networks |
| 26 | 28 |
ErrConflictNoNetwork = fmt.Errorf("Container cannot be connected to multiple networks with one of the networks in --none mode")
|
| 27 | 29 |
// ErrConflictNetworkAndDNS conflict between --dns and the network mode |
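Review bot: ErrConflictHostNetwork carries one message for two opposite failures, so a user whose `network connect host` is refused is also told about disconnecting, and logs cannot show which rule fired. Two values with separate messages, e.g. `"Container cannot be connected to host network"` and `"Container cannot be disconnected from host network"`, would make each refusal unambiguous. The integration tests compare against `.Error()`, so they would follow whichever value each call site returns. The doc comment could then state which operation each value rejects.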