moby--moby/integration/daemon/daemon_test.go

package daemon // import "github.com/docker/docker/integration/daemon"

import (
	"os"
	"os/exec"
	"path/filepath"
	"runtime"
	"testing"

	"github.com/docker/docker/daemon/config"
	"github.com/docker/docker/testutil/daemon"
	"gotest.tools/v3/assert"
	is "gotest.tools/v3/assert/cmp"
	"gotest.tools/v3/skip"
)

func TestConfigDaemonLibtrustID(t *testing.T) {
	skip.If(t, runtime.GOOS != "linux")

	d := daemon.New(t)
	defer d.Stop(t)

	trustKey := filepath.Join(d.RootDir(), "key.json")
	err := os.WriteFile(trustKey, []byte(`{"crv":"P-256","d":"dm28PH4Z4EbyUN8L0bPonAciAQa1QJmmyYd876mnypY","kid":"WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB","kty":"EC","x":"Mh5-JINSjaa_EZdXDttri255Z5fbCEOTQIZjAcScFTk","y":"eUyuAjfxevb07hCCpvi4Zi334Dy4GDWQvEToGEX4exQ"}`), 0644)
	assert.NilError(t, err)

	config := filepath.Join(d.RootDir(), "daemon.json")
	err = os.WriteFile(config, []byte(`{"deprecated-key-path": "`+trustKey+`"}`), 0644)
	assert.NilError(t, err)

	d.Start(t, "--config-file", config)
	info := d.Info(t)
	assert.Equal(t, info.ID, "WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB")
}

func TestDaemonConfigValidation(t *testing.T) {
	skip.If(t, runtime.GOOS != "linux")

	d := daemon.New(t)
	dockerBinary, err := d.BinaryPath()
	assert.NilError(t, err)
	params := []string{"--validate", "--config-file"}

	dest := os.Getenv("DOCKER_INTEGRATION_DAEMON_DEST")
	if dest == "" {
		dest = os.Getenv("DEST")
	}
	testdata := filepath.Join(dest, "..", "..", "integration", "daemon", "testdata")

	const (
		validOut  = "configuration OK"
		failedOut = "unable to configure the Docker daemon with file"
	)

	tests := []struct {
		name        string
		args        []string
		expectedOut string
	}{
		{
			name:        "config with no content",
			args:        append(params, filepath.Join(testdata, "empty-config-1.json")),
			expectedOut: validOut,
		},
		{
			name:        "config with {}",
			args:        append(params, filepath.Join(testdata, "empty-config-2.json")),
			expectedOut: validOut,
		},
		{
			name:        "invalid config",
			args:        append(params, filepath.Join(testdata, "invalid-config-1.json")),
			expectedOut: failedOut,
		},
		{
			name:        "malformed config",
			args:        append(params, filepath.Join(testdata, "malformed-config.json")),
			expectedOut: failedOut,
		},
		{
			name:        "valid config",
			args:        append(params, filepath.Join(testdata, "valid-config-1.json")),
			expectedOut: validOut,
		},
	}
	for _, tc := range tests {
		tc := tc
		t.Run(tc.name, func(t *testing.T) {
			t.Parallel()
			cmd := exec.Command(dockerBinary, tc.args...)
			out, err := cmd.CombinedOutput()
			assert.Check(t, is.Contains(string(out), tc.expectedOut))
			if tc.expectedOut == failedOut {
				assert.ErrorContains(t, err, "", "expected an error, but got none")
			} else {
				assert.NilError(t, err)
			}
		})
	}
}

func TestConfigDaemonSeccompProfiles(t *testing.T) {
	skip.If(t, runtime.GOOS != "linux")

	d := daemon.New(t)
	defer d.Stop(t)

	tests := []struct {
		doc             string
		profile         string
		expectedProfile string
	}{
		{
			doc:             "empty profile set",
			profile:         "",
			expectedProfile: config.SeccompProfileDefault,
		},
		{
			doc:             "default profile",
			profile:         config.SeccompProfileDefault,
			expectedProfile: config.SeccompProfileDefault,
		},
		{
			doc:             "unconfined profile",
			profile:         config.SeccompProfileUnconfined,
			expectedProfile: config.SeccompProfileUnconfined,
		},
	}

	for _, tc := range tests {
		tc := tc
		t.Run(tc.doc, func(t *testing.T) {
			d.Start(t, "--seccomp-profile="+tc.profile)
			info := d.Info(t)
			assert.Assert(t, is.Contains(info.SecurityOptions, "name=seccomp,profile="+tc.expectedProfile))
			d.Stop(t)

			cfg := filepath.Join(d.RootDir(), "daemon.json")
			err := os.WriteFile(cfg, []byte(`{"seccomp-profile": "`+tc.profile+`"}`), 0644)
			assert.NilError(t, err)

			d.Start(t, "--config-file", cfg)
			info = d.Info(t)
			assert.Assert(t, is.Contains(info.SecurityOptions, "name=seccomp,profile="+tc.expectedProfile))
			d.Stop(t)
		})
	}
}
Add configuration validation option and tests. Fixes #36911 If config file is invalid we'll exit anyhow, so this just prevents the daemon from starting if the configuration is fine. Mainly useful for making config changes and restarting the daemon iff the config is valid. Signed-off-by: Rich Horwood <rjhorwood@apple.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Anca Iordache <anca.iordache@docker.com> 2018-11-04 19:52:26 -05:00			`package daemon // import "github.com/docker/docker/integration/daemon"`

			`import (`
			`"os"`
			`"os/exec"`
			`"path/filepath"`
			`"runtime"`
			`"testing"`

Fix daemon.json and daemon --seccomp-profile not accepting "unconfined" Commit b237189e6c8a4f97be59f08c63cdcb1f2f4680a8 implemented an option to set the default seccomp profile in the daemon configuration. When that PR was reviewed, it was discussed to have the option accept the path to a custom profile JSON file; https://github.com/moby/moby/pull/26276#issuecomment-253546966 However, in the implementation, the special "unconfined" value was not taken into account. The "unconfined" value is meant to disable seccomp (more factually: run with an empty profile). While it's likely possible to achieve this by creating a file with an an empty (`{}`) profile, and passing the path to that file, it's inconsistent with the `--security-opt seccomp=unconfined` option on `docker run` and `docker create`, which is both confusing, and makes it harder to use (especially on Docker Desktop, where there's no direct access to the VM's filesystem). This patch adds the missing check for the special "unconfined" value. Co-authored-by: Tianon Gravi <admwiggin@gmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-06-07 07:50:00 -04:00			`"github.com/docker/docker/daemon/config"`
Add configuration validation option and tests. Fixes #36911 If config file is invalid we'll exit anyhow, so this just prevents the daemon from starting if the configuration is fine. Mainly useful for making config changes and restarting the daemon iff the config is valid. Signed-off-by: Rich Horwood <rjhorwood@apple.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Anca Iordache <anca.iordache@docker.com> 2018-11-04 19:52:26 -05:00			`"github.com/docker/docker/testutil/daemon"`
			`"gotest.tools/v3/assert"`
			`is "gotest.tools/v3/assert/cmp"`
Fix daemon.json and daemon --seccomp-profile not accepting "unconfined" Commit b237189e6c8a4f97be59f08c63cdcb1f2f4680a8 implemented an option to set the default seccomp profile in the daemon configuration. When that PR was reviewed, it was discussed to have the option accept the path to a custom profile JSON file; https://github.com/moby/moby/pull/26276#issuecomment-253546966 However, in the implementation, the special "unconfined" value was not taken into account. The "unconfined" value is meant to disable seccomp (more factually: run with an empty profile). While it's likely possible to achieve this by creating a file with an an empty (`{}`) profile, and passing the path to that file, it's inconsistent with the `--security-opt seccomp=unconfined` option on `docker run` and `docker create`, which is both confusing, and makes it harder to use (especially on Docker Desktop, where there's no direct access to the VM's filesystem). This patch adds the missing check for the special "unconfined" value. Co-authored-by: Tianon Gravi <admwiggin@gmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-06-07 07:50:00 -04:00			`"gotest.tools/v3/skip"`
Add configuration validation option and tests. Fixes #36911 If config file is invalid we'll exit anyhow, so this just prevents the daemon from starting if the configuration is fine. Mainly useful for making config changes and restarting the daemon iff the config is valid. Signed-off-by: Rich Horwood <rjhorwood@apple.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Anca Iordache <anca.iordache@docker.com> 2018-11-04 19:52:26 -05:00			`)`

			`func TestConfigDaemonLibtrustID(t *testing.T) {`
			`skip.If(t, runtime.GOOS != "linux")`

			`d := daemon.New(t)`
			`defer d.Stop(t)`

			`trustKey := filepath.Join(d.RootDir(), "key.json")`
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated in Go 1.16. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> 2021-08-24 06:10:50 -04:00			err := os.WriteFile(trustKey, []byte(`{"crv":"P-256","d":"dm28PH4Z4EbyUN8L0bPonAciAQa1QJmmyYd876mnypY","kid":"WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB","kty":"EC","x":"Mh5-JINSjaa_EZdXDttri255Z5fbCEOTQIZjAcScFTk","y":"eUyuAjfxevb07hCCpvi4Zi334Dy4GDWQvEToGEX4exQ"}`), 0644)
Add configuration validation option and tests. Fixes #36911 If config file is invalid we'll exit anyhow, so this just prevents the daemon from starting if the configuration is fine. Mainly useful for making config changes and restarting the daemon iff the config is valid. Signed-off-by: Rich Horwood <rjhorwood@apple.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Anca Iordache <anca.iordache@docker.com> 2018-11-04 19:52:26 -05:00			`assert.NilError(t, err)`

			`config := filepath.Join(d.RootDir(), "daemon.json")`
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated in Go 1.16. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> 2021-08-24 06:10:50 -04:00			err = os.WriteFile(config, []byte(`{"deprecated-key-path": "`+trustKey+`"}`), 0644)
Add configuration validation option and tests. Fixes #36911 If config file is invalid we'll exit anyhow, so this just prevents the daemon from starting if the configuration is fine. Mainly useful for making config changes and restarting the daemon iff the config is valid. Signed-off-by: Rich Horwood <rjhorwood@apple.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Anca Iordache <anca.iordache@docker.com> 2018-11-04 19:52:26 -05:00			`assert.NilError(t, err)`

			`d.Start(t, "--config-file", config)`
			`info := d.Info(t)`
			`assert.Equal(t, info.ID, "WTJ3:YSIP:CE2E:G6KJ:PSBD:YX2Y:WEYD:M64G:NU2V:XPZV:H2CR:VLUB")`
			`}`

			`func TestDaemonConfigValidation(t *testing.T) {`
			`skip.If(t, runtime.GOOS != "linux")`

			`d := daemon.New(t)`
			`dockerBinary, err := d.BinaryPath()`
			`assert.NilError(t, err)`
			`params := []string{"--validate", "--config-file"}`

			`dest := os.Getenv("DOCKER_INTEGRATION_DAEMON_DEST")`
			`if dest == "" {`
			`dest = os.Getenv("DEST")`
			`}`
			`testdata := filepath.Join(dest, "..", "..", "integration", "daemon", "testdata")`

			`const (`
			`validOut = "configuration OK"`
			`failedOut = "unable to configure the Docker daemon with file"`
			`)`

			`tests := []struct {`
			`name string`
			`args []string`
			`expectedOut string`
			`}{`
			`{`
			`name: "config with no content",`
			`args: append(params, filepath.Join(testdata, "empty-config-1.json")),`
			`expectedOut: validOut,`
			`},`
			`{`
			`name: "config with {}",`
			`args: append(params, filepath.Join(testdata, "empty-config-2.json")),`
			`expectedOut: validOut,`
			`},`
			`{`
			`name: "invalid config",`
			`args: append(params, filepath.Join(testdata, "invalid-config-1.json")),`
			`expectedOut: failedOut,`
			`},`
			`{`
			`name: "malformed config",`
			`args: append(params, filepath.Join(testdata, "malformed-config.json")),`
			`expectedOut: failedOut,`
			`},`
			`{`
			`name: "valid config",`
			`args: append(params, filepath.Join(testdata, "valid-config-1.json")),`
			`expectedOut: validOut,`
			`},`
			`}`
			`for _, tc := range tests {`
			`tc := tc`
			`t.Run(tc.name, func(t *testing.T) {`
			`t.Parallel()`
			`cmd := exec.Command(dockerBinary, tc.args...)`
			`out, err := cmd.CombinedOutput()`
			`assert.Check(t, is.Contains(string(out), tc.expectedOut))`
			`if tc.expectedOut == failedOut {`
			`assert.ErrorContains(t, err, "", "expected an error, but got none")`
			`} else {`
			`assert.NilError(t, err)`
			`}`
			`})`
			`}`
			`}`
Fix daemon.json and daemon --seccomp-profile not accepting "unconfined" Commit b237189e6c8a4f97be59f08c63cdcb1f2f4680a8 implemented an option to set the default seccomp profile in the daemon configuration. When that PR was reviewed, it was discussed to have the option accept the path to a custom profile JSON file; https://github.com/moby/moby/pull/26276#issuecomment-253546966 However, in the implementation, the special "unconfined" value was not taken into account. The "unconfined" value is meant to disable seccomp (more factually: run with an empty profile). While it's likely possible to achieve this by creating a file with an an empty (`{}`) profile, and passing the path to that file, it's inconsistent with the `--security-opt seccomp=unconfined` option on `docker run` and `docker create`, which is both confusing, and makes it harder to use (especially on Docker Desktop, where there's no direct access to the VM's filesystem). This patch adds the missing check for the special "unconfined" value. Co-authored-by: Tianon Gravi <admwiggin@gmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-06-07 07:50:00 -04:00
			`func TestConfigDaemonSeccompProfiles(t *testing.T) {`
			`skip.If(t, runtime.GOOS != "linux")`

			`d := daemon.New(t)`
			`defer d.Stop(t)`

			`tests := []struct {`
			`doc string`
			`profile string`
			`expectedProfile string`
			`}{`
			`{`
			`doc: "empty profile set",`
			`profile: "",`
			`expectedProfile: config.SeccompProfileDefault,`
			`},`
daemon: allow "builtin" as valid value for seccomp profiles This allows containers to use the embedded default profile if a different default is set (e.g. "unconfined") in the daemon configuration. Without this option, users would have to copy the default profile to a file in order to use the default. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-06-07 08:25:52 -04:00			`{`
			`doc: "default profile",`
			`profile: config.SeccompProfileDefault,`
			`expectedProfile: config.SeccompProfileDefault,`
			`},`
Fix daemon.json and daemon --seccomp-profile not accepting "unconfined" Commit b237189e6c8a4f97be59f08c63cdcb1f2f4680a8 implemented an option to set the default seccomp profile in the daemon configuration. When that PR was reviewed, it was discussed to have the option accept the path to a custom profile JSON file; https://github.com/moby/moby/pull/26276#issuecomment-253546966 However, in the implementation, the special "unconfined" value was not taken into account. The "unconfined" value is meant to disable seccomp (more factually: run with an empty profile). While it's likely possible to achieve this by creating a file with an an empty (`{}`) profile, and passing the path to that file, it's inconsistent with the `--security-opt seccomp=unconfined` option on `docker run` and `docker create`, which is both confusing, and makes it harder to use (especially on Docker Desktop, where there's no direct access to the VM's filesystem). This patch adds the missing check for the special "unconfined" value. Co-authored-by: Tianon Gravi <admwiggin@gmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-06-07 07:50:00 -04:00			`{`
			`doc: "unconfined profile",`
			`profile: config.SeccompProfileUnconfined,`
			`expectedProfile: config.SeccompProfileUnconfined,`
			`},`
			`}`

			`for _, tc := range tests {`
			`tc := tc`
			`t.Run(tc.doc, func(t *testing.T) {`
			`d.Start(t, "--seccomp-profile="+tc.profile)`
			`info := d.Info(t)`
			`assert.Assert(t, is.Contains(info.SecurityOptions, "name=seccomp,profile="+tc.expectedProfile))`
			`d.Stop(t)`

			`cfg := filepath.Join(d.RootDir(), "daemon.json")`
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated in Go 1.16. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> 2021-08-24 06:10:50 -04:00			err := os.WriteFile(cfg, []byte(`{"seccomp-profile": "`+tc.profile+`"}`), 0644)
Fix daemon.json and daemon --seccomp-profile not accepting "unconfined" Commit b237189e6c8a4f97be59f08c63cdcb1f2f4680a8 implemented an option to set the default seccomp profile in the daemon configuration. When that PR was reviewed, it was discussed to have the option accept the path to a custom profile JSON file; https://github.com/moby/moby/pull/26276#issuecomment-253546966 However, in the implementation, the special "unconfined" value was not taken into account. The "unconfined" value is meant to disable seccomp (more factually: run with an empty profile). While it's likely possible to achieve this by creating a file with an an empty (`{}`) profile, and passing the path to that file, it's inconsistent with the `--security-opt seccomp=unconfined` option on `docker run` and `docker create`, which is both confusing, and makes it harder to use (especially on Docker Desktop, where there's no direct access to the VM's filesystem). This patch adds the missing check for the special "unconfined" value. Co-authored-by: Tianon Gravi <admwiggin@gmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-06-07 07:50:00 -04:00			`assert.NilError(t, err)`

			`d.Start(t, "--config-file", cfg)`
			`info = d.Info(t)`
			`assert.Assert(t, is.Contains(info.SecurityOptions, "name=seccomp,profile="+tc.expectedProfile))`
			`d.Stop(t)`
			`})`
			`}`
			`}`