From e4d3ca7263291b43cdc49c7553c62608be062cd9 Mon Sep 17 00:00:00 2001
From: Fabricio Voznika
Date: Wed, 16 Jan 2019 12:47:21 -0800
Subject: Prevent internal tmpfs mount to override files in /tmp

Runsc wants to mount /tmp using internal tmpfs implementation for performance. However, it risks hiding files that may exist under /tmp in case it's present in the container.

Now, it only mounts over /tmp iff:
- /tmp was not explicitly asked to be mounted
- /tmp is empty

If any of this is not true, then /tmp maps to the container's image /tmp.

Note: checkpoint doesn't have sentry FS mounted to check if /tmp is empty. It simply looks for explicit mounts right now.

PiperOrigin-RevId: 229607856
Change-Id: I10b6dae7ac157ef578efc4dfceb089f3b94cde06
---
 runsc/container/multi_container_test.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'runsc/container/multi_container_test.go')

diff --git a/runsc/container/multi_container_test.go b/runsc/container/multi_container_test.go
index 6b3c41a9b..8490999ea 100644
--- a/runsc/container/multi_container_test.go
+++ b/runsc/container/multi_container_test.go
@@ -739,6 +739,11 @@ func TestMultiContainerGoferStop(t *testing.T) {
 		t.Fatal("error finding test_app:", err)
 	}
 
+	dir, err := ioutil.TempDir(testutil.TmpDir(), "gofer-stop-test")
+	if err != nil {
+		t.Fatal("ioutil.TempDir failed:", err)
+	}
+
 	// Setup containers. Root container just reaps children, while the others
 	// perform some IOs. Children are executed in 3 batches of 10. Within the
 	// batch there is overlap between containers starting and being destroyed. In
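Review bot: The directory created by `dir, err := ioutil.TempDir(testutil.TmpDir(), "gofer-stop-test")` is never removed, so every run of TestMultiContainerGoferStop leaves a gofer-stop-test directory, plus whatever the 30 containers copy into it, behind under testutil.TmpDir(); add `defer os.RemoveAll(dir)` directly after the `if err != nil` check. The containers resolve `dir` inside their own root filesystem, so this presumably relies on testutil.TmpDir() being mounted into the sandbox by createSpecs — worth confirming, since the point of this commit is that /tmp is no longer unconditionally the internal tmpfs. The enclosing function starts before the hunk and continues after it.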
@@ -746,7 +751,8 @@ func TestMultiContainerGoferStop(t *testing.T) {
 	cmds := [][]string{{app, "reaper"}}
 	const batchSize = 10
 	for i := 0; i < 3*batchSize; i++ {
-		cmds = append(cmds, []string{"sh", "-c", "find /bin -type f | head | xargs -I SRC cp SRC /tmp/output"})
+		cmd := "find /bin -type f | head | xargs -I SRC cp SRC " + dir
+		cmds = append(cmds, []string{"sh", "-c", cmd})
 	}
 
 	allSpecs, allIDs := createSpecs(cmds...)
--
cgit v1.2.3
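Review bot: `cmd := "find /bin -type f | head | xargs -I SRC cp SRC " + dir` does not depend on the loop variable, so the same string is rebuilt 3*batchSize times; declare it once above the `for` and keep only the `cmds = append(...)` line inside the loop. `dir` is also spliced into the shell command unquoted, which is acceptable for a path coming from ioutil.TempDir but would break on a TmpDir containing spaces. A one-line comment on why the output moved off `/tmp`, along the lines of `// Write to a host temp dir: /tmp is presumably no longer guaranteed to be the internal tmpfs (see commit message).`, would spare the next reader a trip to the commit message. The enclosing function starts before the hunk and continues after it.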