moby--moby/daemon/execdriver/native/configuration/parse_test.go

package configuration

import (
	"testing"

	"github.com/docker/docker/daemon/execdriver/native/template"
	"github.com/docker/libcontainer/security/capabilities"
)

// Checks whether the expected capability is specified in the capabilities.
func hasCapability(expected string, capabilities []string) bool {
	for _, capability := range capabilities {
		if capability == expected {
			return true
		}
	}
	return false
}

func TestSetReadonlyRootFs(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"fs.readonly=true",
		}
	)

	if container.MountConfig.ReadonlyFs {
		t.Fatal("container should not have a readonly rootfs by default")
	}
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if !container.MountConfig.ReadonlyFs {
		t.Fatal("container should have a readonly rootfs")
	}
}

func TestConfigurationsDoNotConflict(t *testing.T) {
	var (
		container1 = template.New()
		container2 = template.New()
		opts       = []string{
			"cap.add=NET_ADMIN",
		}
	)

	if err := ParseConfiguration(container1, nil, opts); err != nil {
		t.Fatal(err)
	}

	if !hasCapability("NET_ADMIN", container1.Capabilities) {
		t.Fatal("container one should have NET_ADMIN enabled")
	}
	if hasCapability("NET_ADMIN", container2.Capabilities) {
		t.Fatal("container two should not have NET_ADMIN enabled")
	}
}

func TestCpusetCpus(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"cgroups.cpuset.cpus=1,2",
		}
	)
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if expected := "1,2"; container.Cgroups.CpusetCpus != expected {
		t.Fatalf("expected %s got %s for cpuset.cpus", expected, container.Cgroups.CpusetCpus)
	}
}

func TestAppArmorProfile(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"apparmor_profile=koye-the-protector",
		}
	)
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if expected := "koye-the-protector"; container.AppArmorProfile != expected {
		t.Fatalf("expected profile %s got %s", expected, container.AppArmorProfile)
	}
}

func TestCpuShares(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"cgroups.cpu_shares=1048",
		}
	)
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if expected := int64(1048); container.Cgroups.CpuShares != expected {
		t.Fatalf("expected cpu shares %d got %d", expected, container.Cgroups.CpuShares)
	}
}

func TestMemory(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"cgroups.memory=500m",
		}
	)
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if expected := int64(500 * 1024 * 1024); container.Cgroups.Memory != expected {
		t.Fatalf("expected memory %d got %d", expected, container.Cgroups.Memory)
	}
}

func TestMemoryReservation(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"cgroups.memory_reservation=500m",
		}
	)
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if expected := int64(500 * 1024 * 1024); container.Cgroups.MemoryReservation != expected {
		t.Fatalf("expected memory reservation %d got %d", expected, container.Cgroups.MemoryReservation)
	}
}

func TestAddCap(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"cap.add=MKNOD",
			"cap.add=SYS_ADMIN",
		}
	)
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if !hasCapability("MKNOD", container.Capabilities) {
		t.Fatal("container should have MKNOD enabled")
	}
	if !hasCapability("SYS_ADMIN", container.Capabilities) {
		t.Fatal("container should have SYS_ADMIN enabled")
	}
}

func TestDropCap(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"cap.drop=MKNOD",
		}
	)
	// enabled all caps like in privileged mode
	container.Capabilities = capabilities.GetAllCapabilities()
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if hasCapability("MKNOD", container.Capabilities) {
		t.Fatal("container should not have MKNOD enabled")
	}
}

func TestDropNamespace(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"ns.drop=NEWNET",
		}
	)
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if container.Namespaces["NEWNET"] {
		t.Fatal("container should not have NEWNET enabled")
	}
}
Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-03-24 03:16:40 -04:00			`package configuration`

			`import (`
			`"testing"`
Improve libcontainer namespace and cap format Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-05-05 15:34:21 -04:00
update go import path and libcontainer Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-24 18:19:50 -04:00			`"github.com/docker/docker/daemon/execdriver/native/template"`
gofmt -s -w Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-24 18:25:29 -04:00			`"github.com/docker/libcontainer/security/capabilities"`
Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-03-24 03:16:40 -04:00			`)`

Make libcontainer's CapabilitiesMask into a []string (Capabilities). Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol) 2014-05-16 20:44:10 -04:00			`// Checks whether the expected capability is specified in the capabilities.`
			`func hasCapability(expected string, capabilities []string) bool {`
			`for _, capability := range capabilities {`
			`if capability == expected {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-03-24 03:16:40 -04:00			`func TestSetReadonlyRootFs(t *testing.T) {`
			`var (`
			`container = template.New()`
			`opts = []string{`
			`"fs.readonly=true",`
			`}`
			`)`

Update libcontainer references Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael) 2014-06-23 19:43:43 -04:00			`if container.MountConfig.ReadonlyFs {`
Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-03-24 03:16:40 -04:00			`t.Fatal("container should not have a readonly rootfs by default")`
			`}`
			`if err := ParseConfiguration(container, nil, opts); err != nil {`
			`t.Fatal(err)`
			`}`

Update libcontainer references Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael) 2014-06-23 19:43:43 -04:00			`if !container.MountConfig.ReadonlyFs {`
Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-03-24 03:16:40 -04:00			`t.Fatal("container should have a readonly rootfs")`
			`}`
			`}`

			`func TestConfigurationsDoNotConflict(t *testing.T) {`
			`var (`
			`container1 = template.New()`
			`container2 = template.New()`
			`opts = []string{`
			`"cap.add=NET_ADMIN",`
			`}`
			`)`

			`if err := ParseConfiguration(container1, nil, opts); err != nil {`
			`t.Fatal(err)`
			`}`

Make libcontainer's CapabilitiesMask into a []string (Capabilities). Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol) 2014-05-16 20:44:10 -04:00			`if !hasCapability("NET_ADMIN", container1.Capabilities) {`
Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-03-24 03:16:40 -04:00			`t.Fatal("container one should have NET_ADMIN enabled")`
			`}`
Make libcontainer's CapabilitiesMask into a []string (Capabilities). Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol) 2014-05-16 20:44:10 -04:00			`if hasCapability("NET_ADMIN", container2.Capabilities) {`
Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-03-24 03:16:40 -04:00			`t.Fatal("container two should not have NET_ADMIN enabled")`
			`}`
			`}`

			`func TestCpusetCpus(t *testing.T) {`
			`var (`
			`container = template.New()`
			`opts = []string{`
			`"cgroups.cpuset.cpus=1,2",`
			`}`
			`)`
			`if err := ParseConfiguration(container, nil, opts); err != nil {`
			`t.Fatal(err)`
			`}`

			`if expected := "1,2"; container.Cgroups.CpusetCpus != expected {`
			`t.Fatalf("expected %s got %s for cpuset.cpus", expected, container.Cgroups.CpusetCpus)`
			`}`
			`}`

			`func TestAppArmorProfile(t *testing.T) {`
			`var (`
			`container = template.New()`
			`opts = []string{`
			`"apparmor_profile=koye-the-protector",`
			`}`
			`)`
			`if err := ParseConfiguration(container, nil, opts); err != nil {`
			`t.Fatal(err)`
			`}`
Update libcontainer Context changes Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael) 2014-06-26 15:23:53 -04:00
			`if expected := "koye-the-protector"; container.AppArmorProfile != expected {`
			`t.Fatalf("expected profile %s got %s", expected, container.AppArmorProfile)`
Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-03-24 03:16:40 -04:00			`}`
			`}`

			`func TestCpuShares(t *testing.T) {`
			`var (`
			`container = template.New()`
			`opts = []string{`
			`"cgroups.cpu_shares=1048",`
			`}`
			`)`
			`if err := ParseConfiguration(container, nil, opts); err != nil {`
			`t.Fatal(err)`
			`}`

			`if expected := int64(1048); container.Cgroups.CpuShares != expected {`
			`t.Fatalf("expected cpu shares %d got %d", expected, container.Cgroups.CpuShares)`
			`}`
			`}`

Separating cgroup Memory and MemoryReservation. This will allow for these to be set independently. Keep the current Docker behavior where Memory and MemoryReservation are set to the value of Memory. Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol) 2014-04-24 01:11:43 -04:00			`func TestMemory(t *testing.T) {`
Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-03-24 03:16:40 -04:00			`var (`
			`container = template.New()`
			`opts = []string{`
			`"cgroups.memory=500m",`
			`}`
			`)`
			`if err := ParseConfiguration(container, nil, opts); err != nil {`
			`t.Fatal(err)`
			`}`

			`if expected := int64(500 * 1024 * 1024); container.Cgroups.Memory != expected {`
			`t.Fatalf("expected memory %d got %d", expected, container.Cgroups.Memory)`
			`}`
			`}`

Separating cgroup Memory and MemoryReservation. This will allow for these to be set independently. Keep the current Docker behavior where Memory and MemoryReservation are set to the value of Memory. Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol) 2014-04-24 01:11:43 -04:00			`func TestMemoryReservation(t *testing.T) {`
			`var (`
			`container = template.New()`
			`opts = []string{`
			`"cgroups.memory_reservation=500m",`
			`}`
			`)`
			`if err := ParseConfiguration(container, nil, opts); err != nil {`
			`t.Fatal(err)`
			`}`

			`if expected := int64(500 * 1024 * 1024); container.Cgroups.MemoryReservation != expected {`
			`t.Fatalf("expected memory reservation %d got %d", expected, container.Cgroups.MemoryReservation)`
			`}`
			`}`

Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-03-24 03:16:40 -04:00			`func TestAddCap(t *testing.T) {`
			`var (`
			`container = template.New()`
			`opts = []string{`
			`"cap.add=MKNOD",`
			`"cap.add=SYS_ADMIN",`
			`}`
			`)`
			`if err := ParseConfiguration(container, nil, opts); err != nil {`
			`t.Fatal(err)`
			`}`

Make libcontainer's CapabilitiesMask into a []string (Capabilities). Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol) 2014-05-16 20:44:10 -04:00			`if !hasCapability("MKNOD", container.Capabilities) {`
Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-03-24 03:16:40 -04:00			`t.Fatal("container should have MKNOD enabled")`
			`}`
Make libcontainer's CapabilitiesMask into a []string (Capabilities). Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol) 2014-05-16 20:44:10 -04:00			`if !hasCapability("SYS_ADMIN", container.Capabilities) {`
Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-03-24 03:16:40 -04:00			`t.Fatal("container should have SYS_ADMIN enabled")`
			`}`
			`}`

			`func TestDropCap(t *testing.T) {`
			`var (`
			`container = template.New()`
			`opts = []string{`
			`"cap.drop=MKNOD",`
			`}`
			`)`
			`// enabled all caps like in privileged mode`
Update libcontainer references Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael) 2014-06-23 19:43:43 -04:00			`container.Capabilities = capabilities.GetAllCapabilities()`
Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-03-24 03:16:40 -04:00			`if err := ParseConfiguration(container, nil, opts); err != nil {`
			`t.Fatal(err)`
			`}`

Make libcontainer's CapabilitiesMask into a []string (Capabilities). Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol) 2014-05-16 20:44:10 -04:00			`if hasCapability("MKNOD", container.Capabilities) {`
Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-03-24 03:16:40 -04:00			`t.Fatal("container should not have MKNOD enabled")`
			`}`
			`}`

			`func TestDropNamespace(t *testing.T) {`
			`var (`
			`container = template.New()`
			`opts = []string{`
			`"ns.drop=NEWNET",`
			`}`
			`)`
			`if err := ParseConfiguration(container, nil, opts); err != nil {`
			`t.Fatal(err)`
			`}`

Improve libcontainer namespace and cap format Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-05-05 15:34:21 -04:00			`if container.Namespaces["NEWNET"] {`
Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) 2014-03-24 03:16:40 -04:00			`t.Fatal("container should not have NEWNET enabled")`
			`}`
			`}`