Test 1_1 fails when user namespaces are enabled

[dginther]

When user namespaces are enabled as per test 2_8, this causes test 1_1 to fail because the Docker Root Dir is set to for example: /var/lib/docker/808080:808080.

This adds a test to see if userns is enabled and uses the dirname utility to get the parent directory, which should be the mount point.

[GordonTheTurtle]

Please sign your commits following these rules:
https://github.com/moby/moby/blob/master/CONTRIBUTING.md#sign-your-work
The easiest way to do this is to amend the last commit:

$ git clone -b "master" [email protected]:dginther/docker-bench-security.git somewhere
$ cd somewhere
$ git commit --amend -s --no-edit
$ git push -f

Amending updates the existing PR. You DO NOT need to open a new one.

[konstruktoid]

Hi @dginther, there's a discussion going on at #332 (comment) and is kind of related to this.
Maybe we should add a similiar test for overlay etc, but that could get messy fast.

[dginther]

I noticed that conversation, and I saw there were similar issues, figured I'd take a stab at a solution.

perhaps it would be better to find a solution that determines whether the Docker Root Dir is on the same filesystem as the root filesystem, and PASS if it is not?

[dginther]

@konstruktoid Thought about this a lot today and came up with a different approach. Take a look and see if this might be a better way to do things? You're already using the util-linux package for mountpoint, so findmnt is available.

This PR gets the filesystem UUID that the docker home directory is on, checks the parents of that directory to see if the UUID matches, and fails if it does.

The idea here is that the UUID for the filesystem that the docker directory is on should definitely NOT match the UUID of the filesystems of its parent directories, if it's on its own volume.

[konstruktoid]

Thanks, but could you run a shellcheck and try to make it a bit more POSIX?

$ shellcheck -x --format gcc tests/1_host_configuration.sh
tests/1_host_configuration.sh:22:30: note: Double quote to prevent globbing and word splitting. [SC2086]
tests/1_host_configuration.sh:23:36: note: Double quote to prevent globbing and word splitting. [SC2086]
tests/1_host_configuration.sh:24:17: note: Double quote to prevent globbing and word splitting. [SC2086]
tests/1_host_configuration.sh:25:14: warning: In POSIX sh, arrays are undefined. [SC2039]
tests/1_host_configuration.sh:27:3: warning: In POSIX sh, arithmetic for loops are undefined. [SC2039]
tests/1_host_configuration.sh:27:11: note: $/${} is unnecessary on arithmetic variables. [SC2004]
tests/1_host_configuration.sh:27:25: warning: In POSIX sh, -- is undefined. [SC2039]
tests/1_host_configuration.sh:29:44: note: Double quote to prevent globbing and word splitting. [SC2086]
tests/1_host_configuration.sh:32:13: warning: In POSIX sh, array references are undefined. [SC2039]
tests/1_host_configuration.sh:33:22: warning: In POSIX sh, == in place of = is undefined. [SC2039]
tests/1_host_configuration.sh:40:6: warning: In POSIX sh, [[ ]] is undefined. [SC2039]

[dginther]

the more I look at this code the less I feel like I am barking up the right tree with this test.

I'm not sure there is a good way to determine this programmatically, without checking to see if the homedir is set the way it is because of user namespaces or overlay.

Edge cases abound. I see originally it looked to see if $DOCKER_HOME was in fstab, but even that doesn't really give a good way of making this work.