Merge pull request #478 from zappy-shu/non-root

Don't run invocation image as root

Author: ijc

Dockerfile.invocation-image

@@ -15,7 +15,8 @@ RUN make EXPERIMENTAL=${EXPERIMENTAL} bin/cnab-run
 
  # local cnab invocation image
 FROM alpine:${ALPINE_VERSION} as invocation
-RUN apk add --no-cache ca-certificates
+RUN apk add --no-cache ca-certificates && adduser -S cnab
+USER cnab
 COPY --from=build /go/src/github.com/docker/app/bin/cnab-run /cnab/app/run
 WORKDIR /cnab/app
 CMD /cnab/app/run

Gopkg.lock

@@ -277,10 +277,20 @@ func TestBundle(t *testing.T) {
 }
 
 func TestDockerAppLifecycle(t *testing.T) {
+	t.Run("withBindMounts", func(t *testing.T) {
+		testDockerAppLifecycle(t, true)
+	})
+	t.Run("withoutBindMounts", func(t *testing.T) {
+		testDockerAppLifecycle(t, false)
+	})
+}
+
+func testDockerAppLifecycle(t *testing.T, useBindMount bool) {
 	cmd, cleanup := dockerCli.createTestCmd()
 	defer cleanup()
+	appName := strings.Replace(t.Name(), "/", "_", 1)
 
-	tmpDir := fs.NewDir(t, t.Name())
+	tmpDir := fs.NewDir(t, appName)
 	defer tmpDir.Remove()
 
 	cmd.Env = append(cmd.Env, "DUFFLE_HOME="+tmpDir.Path())
@@ -306,7 +316,12 @@ func TestDockerAppLifecycle(t *testing.T) {
 	// The workaround is to create a context with an empty host.
 	// This host will default to the unix socket inside the
 	// invocation image
-	cmd.Command = dockerCli.Command("context", "create", "swarm-target-context", "--docker", "host=", "--default-stack-orchestrator", "swarm")
+	host := "host="
+	if !useBindMount {
+		host += fmt.Sprintf("tcp://%s", swarm.GetPrivateAddress(t))
+	}
+
+	cmd.Command = dockerCli.Command("context", "create", "swarm-target-context", "--docker", host, "--default-stack-orchestrator", "swarm")
 	icmd.RunCmd(cmd).Assert(t, icmd.Success)
 
 	// Initialize the swarm
@@ -319,47 +334,47 @@ func TestDockerAppLifecycle(t *testing.T) {
 	icmd.RunCmd(cmd).Assert(t, icmd.Success)
 
 	// Install a Docker Application Package
-	cmd.Command = dockerCli.Command("app", "install", "testdata/simple/simple.dockerapp", "--name", t.Name())
+	cmd.Command = dockerCli.Command("app", "install", "testdata/simple/simple.dockerapp", "--name", appName)
 	checkContains(t, icmd.RunCmd(cmd).Assert(t, icmd.Success).Combined(),
 		[]string{
-			fmt.Sprintf("Creating network %s_back", t.Name()),
-			fmt.Sprintf("Creating network %s_front", t.Name()),
-			fmt.Sprintf("Creating service %s_db", t.Name()),
-			fmt.Sprintf("Creating service %s_api", t.Name()),
-			fmt.Sprintf("Creating service %s_web", t.Name()),
+			fmt.Sprintf("Creating network %s_back", appName),
+			fmt.Sprintf("Creating network %s_front", appName),
+			fmt.Sprintf("Creating service %s_db", appName),
+			fmt.Sprintf("Creating service %s_api", appName),
+			fmt.Sprintf("Creating service %s_web", appName),
 		})
 
 	// Query the application status
-	cmd.Command = dockerCli.Command("app", "status", t.Name())
+	cmd.Command = dockerCli.Command("app", "status", appName)
 	checkContains(t, icmd.RunCmd(cmd).Assert(t, icmd.Success).Combined(),
 		[]string{
-			fmt.Sprintf("[[:alnum:]]+        %s_db    replicated          [0-1]/1                 postgres:9.3", t.Name()),
-			fmt.Sprintf(`[[:alnum:]]+        %s_web   replicated          [0-1]/1                 nginx:latest        \*:8082->80/tcp`, t.Name()),
-			fmt.Sprintf("[[:alnum:]]+        %s_api   replicated          [0-1]/1                 python:3.6", t.Name()),
+			fmt.Sprintf("[[:alnum:]]+        %s_db    replicated          [0-1]/1                 postgres:9.3", appName),
+			fmt.Sprintf(`[[:alnum:]]+        %s_web   replicated          [0-1]/1                 nginx:latest        \*:8082->80/tcp`, appName),
+			fmt.Sprintf("[[:alnum:]]+        %s_api   replicated          [0-1]/1                 python:3.6", appName),
 		})
 
 	// Upgrade the application, changing the port
-	cmd.Command = dockerCli.Command("app", "upgrade", t.Name(), "--set", "web_port=8081")
+	cmd.Command = dockerCli.Command("app", "upgrade", appName, "--set", "web_port=8081")
 	checkContains(t, icmd.RunCmd(cmd).Assert(t, icmd.Success).Combined(),
 		[]string{
-			fmt.Sprintf("Updating service %s_db", t.Name()),
-			fmt.Sprintf("Updating service %s_api", t.Name()),
-			fmt.Sprintf("Updating service %s_web", t.Name()),
+			fmt.Sprintf("Updating service %s_db", appName),
+			fmt.Sprintf("Updating service %s_api", appName),
+			fmt.Sprintf("Updating service %s_web", appName),
 		})
 
 	// Query the application status again, the port should have change
-	cmd.Command = dockerCli.Command("app", "status", t.Name())
+	cmd.Command = dockerCli.Command("app", "status", appName)
 	icmd.RunCmd(cmd).Assert(t, icmd.Expected{ExitCode: 0, Out: "8081"})
 
 	// Uninstall the application
-	cmd.Command = dockerCli.Command("app", "uninstall", t.Name())
+	cmd.Command = dockerCli.Command("app", "uninstall", appName)
 	checkContains(t, icmd.RunCmd(cmd).Assert(t, icmd.Success).Combined(),
 		[]string{
-			fmt.Sprintf("Removing service %s_api", t.Name()),
-			fmt.Sprintf("Removing service %s_db", t.Name()),
-			fmt.Sprintf("Removing service %s_web", t.Name()),
-			fmt.Sprintf("Removing network %s_front", t.Name()),
-			fmt.Sprintf("Removing network %s_back", t.Name()),
+			fmt.Sprintf("Removing service %s_api", appName),
+			fmt.Sprintf("Removing service %s_db", appName),
+			fmt.Sprintf("Removing service %s_web", appName),
+			fmt.Sprintf("Removing network %s_front", appName),
+			fmt.Sprintf("Removing network %s_back", appName),
 		})
 }
 

e2e/commands_test.go

@@ -97,3 +97,13 @@ func (c *Container) GetAddress(t *testing.T) string {
 	c.address = fmt.Sprintf("127.0.0.1:%v", strings.Trim(strings.Split(result.Stdout(), ":")[1], " \r\n"))
 	return c.address
 }
+
+// GetPrivateAddress returns the host:port this container listens on
+func (c *Container) GetPrivateAddress(t *testing.T) string {
+	container := c.parentContainer
+	if container == "" {
+		container = c.container
+	}
+	result := icmd.RunCommand(dockerCli.path, "inspect", container, "-f", "{{.NetworkSettings.IPAddress}}").Assert(t, icmd.Success)
+	return fmt.Sprintf("%s:%d", strings.TrimSpace(result.Stdout()), c.privatePort)
+}

e2e/helper_test.go

@@ -17,35 +17,39 @@
 	"invocationImages": [
 		{
 			"imageType": "docker",
-			"image": "simple:1.1.0-beta1-invoc"
+			"image": "simple:1.1.0-beta1-invoc",
+			"platform": {}
 		}
 	],
 	"images": {
 		"api": {
 			"imageType": "docker",
 			"image": "python:3.6",
+			"platform": {},
 			"description": "python:3.6",
 			"refs": null
 		},
 		"db": {
 			"imageType": "docker",
 			"image": "postgres:9.3",
+			"platform": {},
 			"description": "postgres:9.3",
 			"refs": null
 		},
 		"web": {
 			"imageType": "docker",
 			"image": "nginx:latest",
+			"platform": {},
 			"description": "nginx:latest",
 			"refs": null
 		}
 	},
 	"actions": {
 		"com.docker.app.inspect": {
-			"Modifies": false
+			"modifies": false
 		},
 		"com.docker.app.status": {
-			"Modifies": false
+			"modifies": false
 		}
 	},
 	"parameters": {

e2e/testdata/simple-bundle.json.golden

@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/deislabs/duffle/pkg/bundle"
+	"github.com/deislabs/duffle/pkg/claim"
 	"github.com/deislabs/duffle/pkg/credentials"
 	"github.com/deislabs/duffle/pkg/driver"
 	"github.com/deislabs/duffle/pkg/duffle/home"
@@ -16,11 +17,21 @@ import (
 	"github.com/docker/app/internal/packager"
 	bundlestore "github.com/docker/app/internal/store"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/context/docker"
 	"github.com/docker/cli/cli/context/store"
 	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/mount"
 	"github.com/pkg/errors"
 )
 
+type bindMount struct {
+	required bool
+	endpoint string
+}
+
+const defaultSocketPath string = "/var/run/docker.sock"
+
 func prepareCredentialSet(contextName string, contextStore store.Store, b *bundle.Bundle, namedCredentialsets []string) (map[string]string, error) {
 	creds := map[string]string{}
 	for _, file := range namedCredentialsets {
@@ -76,13 +87,27 @@ func duffleHome() home.Home {
 }
 
 // prepareDriver prepares a driver per the user's request.
-func prepareDriver(dockerCli command.Cli) (driver.Driver, error) {
+func prepareDriver(dockerCli command.Cli, bindMount bindMount) (driver.Driver, error) {
 	driverImpl, err := driver.Lookup("docker")
 	if err != nil {
 		return driverImpl, err
 	}
 	if d, ok := driverImpl.(*driver.DockerDriver); ok {
 		d.SetDockerCli(dockerCli)
+		if bindMount.required {
+			d.AddConfigurationOptions(func(config *container.Config, hostConfig *container.HostConfig) error {
+				config.User = "0:0"
+				mounts := []mount.Mount{
+					{
+						Type:   mount.TypeBind,
+						Source: bindMount.endpoint,
+						Target: bindMount.endpoint,
+					},
+				}
+				hostConfig.Mounts = mounts
+				return nil
+			})
+		}
 	}
 
 	// Load any driver-specific config out of the environment.
@@ -161,3 +186,54 @@ func resolveBundle(dockerCli command.Cli, name string, pullRef bool, insecureReg
 	}
 	return nil, fmt.Errorf("could not resolve bundle %q", name)
 }
+
+func requiredClaimBindMount(c claim.Claim, targetContextName string, dockerCli command.Cli) (bindMount, error) {
+	var specifiedOrchestrator string
+	if rawOrchestrator, ok := c.Parameters["docker.orchestrator"]; ok {
+		specifiedOrchestrator = rawOrchestrator.(string)
+	}
+
+	return requiredBindMount(targetContextName, specifiedOrchestrator, dockerCli)
+}
+
+func requiredBindMount(targetContextName string, targetOrchestrator string, dockerCli command.Cli) (bindMount, error) {
+	if targetOrchestrator == "kubernetes" {
+		return bindMount{}, nil
+	}
+
+	// TODO:smarter handling of default context required
+	if targetContextName == "" {
+		return bindMount{true, defaultSocketPath}, nil
+	}
+
+	ctxMeta, err := dockerCli.ContextStore().GetContextMetadata(targetContextName)
+	if err != nil {
+		return bindMount{}, err
+	}
+	dockerCtx, err := command.GetDockerContext(ctxMeta)
+	if err != nil {
+		return bindMount{}, err
+	}
+	if dockerCtx.StackOrchestrator == command.OrchestratorKubernetes {
+		return bindMount{}, nil
+	}
+	dockerEndpoint, err := docker.EndpointFromContext(ctxMeta)
+	if err != nil {
+		return bindMount{}, err
+	}
+
+	host := dockerEndpoint.Host
+	return bindMount{isDockerHostLocal(host), socketPath(host)}, nil
+}
+
+func socketPath(host string) string {
+	if strings.HasPrefix(host, "unix://") {
+		return strings.TrimPrefix(host, "unix://")
+	}
+
+	return defaultSocketPath
+}
+
+func isDockerHostLocal(host string) bool {
+	return host == "" || strings.HasPrefix(host, "unix://") || strings.HasPrefix(host, "npipe://")
+}