kotovalexarian-likes-github
/
moby--moby
mirror of https://github.com/moby/moby.git
1
0
Fork 0
Code Releases Activity

Move use of debian:buster frozen image to debian:bullseye 

Signed-off-by: Eric Mountain <eric.mountain@datadoghq.com>
This commit is contained in:
Eric Mountain 2020-12-16 14:53:49 +01:00
parent 7ba1af38b8
commit 1c5806cf57
No known key found for this signature in database
GPG Key ID: 84C692CFB25B4031
8 changed files with 20 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Dockerfile
View File

@ -96,7 +96,6 @@ RUN /download-frozen-image-v2.sh /build \
buildpack-deps:buster@sha256:d0abb4b1e5c664828b93e8b6ac84d10bce45ee469999bef88304be04a2709491 \
busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
debian:buster@sha256:46d659005ca1151087efa997f1039ae45a7bf7a2cbbe2d17d3dcbda632a3ee9a \
debian:bullseye@sha256:7190e972ab16aefea4d758ebe42a293f4e5c5be63595f4d03a5b9bf6839a4344 \
hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1

4
Dockerfile.e2e
View File

@ -21,9 +21,9 @@ RUN /download-frozen-image-v2.sh /build \
buildpack-deps:buster@sha256:d0abb4b1e5c664828b93e8b6ac84d10bce45ee469999bef88304be04a2709491 \
busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
debian:buster@sha256:46d659005ca1151087efa997f1039ae45a7bf7a2cbbe2d17d3dcbda632a3ee9a \
debian:bullseye@sha256:7190e972ab16aefea4d758ebe42a293f4e5c5be63595f4d03a5b9bf6839a4344 \
hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9
# See also ensureFrozenImagesLinux() in "integration-cli/fixtures_linux_daemon_test.go" (which needs to be updated when adding images to this list)
# See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list)
FROM base AS dockercli
ENV INSTALL_BINARY_NAME=dockercli

4
integration-cli/docker_cli_daemon_test.go
View File

@ -1776,7 +1776,7 @@ func (s *DockerDaemonSuite) TestDaemonNoSpaceLeftOnDeviceError(c *testing.T) {
defer mount.Unmount(testDir)
// create a 3MiB image (with a 2MiB ext4 fs) and mount it as graph root
// Why in a container? Because `mount` sometimes behaves weirdly and often fails outright on this test in debian:buster (which is what the test suite runs under if run from the Makefile)
// Why in a container? Because `mount` sometimes behaves weirdly and often fails outright on this test in debian:bullseye (which is what the test suite runs under if run from the Makefile)
dockerCmd(c, "run", "--rm", "-v", testDir+":/test", "busybox", "sh", "-c", "dd of=/test/testfs.img bs=1M seek=3 count=0")
icmd.RunCommand("mkfs.ext4", "-F", filepath.Join(testDir, "testfs.img")).Assert(c, icmd.Success)
@ -1787,7 +1787,7 @@ func (s *DockerDaemonSuite) TestDaemonNoSpaceLeftOnDeviceError(c *testing.T) {
defer s.d.Stop(c)
// pull a repository large enough to overfill the mounted filesystem
pullOut, err := s.d.Cmd("pull", "debian:buster")
pullOut, err := s.d.Cmd("pull", "debian:bullseye")
assert.Assert(c, err != nil, pullOut)
assert.Assert(c, strings.Contains(pullOut, "no space left on device"))
}

2
integration-cli/docker_cli_network_unix_test.go
View File

@ -1574,7 +1574,7 @@ func (s *DockerSuite) TestEmbeddedDNSInvalidInput(c *testing.T) {
dockerCmd(c, "network", "create", "-d", "bridge", "nw1")
// Sending garbage to embedded DNS shouldn't crash the daemon
dockerCmd(c, "run", "-i", "--net=nw1", "--name=c1", "debian:buster", "bash", "-c", "echo InvalidQuery > /dev/udp/127.0.0.11/53")
dockerCmd(c, "run", "-i", "--net=nw1", "--name=c1", "debian:bullseye", "bash", "-c", "echo InvalidQuery > /dev/udp/127.0.0.11/53")
}
func (s *DockerSuite) TestDockerNetworkConnectFailsNoInspectChange(c *testing.T) {

6
integration-cli/docker_cli_run_test.go
View File

@ -2927,7 +2927,7 @@ func (s *DockerSuite) TestRunUnshareProc(c *testing.T) {
go func() {
name := "acidburn"
out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp=unconfined", "debian:buster", "unshare", "-p", "-m", "-f", "-r", "--mount-proc=/proc", "mount")
out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp=unconfined", "debian:bullseye", "unshare", "-p", "-m", "-f", "-r", "--mount-proc=/proc", "mount")
if err == nil ||
!(strings.Contains(strings.ToLower(out), "permission denied") ||
strings.Contains(strings.ToLower(out), "operation not permitted")) {
@ -2939,7 +2939,7 @@ func (s *DockerSuite) TestRunUnshareProc(c *testing.T) {
go func() {
name := "cereal"
out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp=unconfined", "debian:buster", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp=unconfined", "debian:bullseye", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
if err == nil ||
!(strings.Contains(strings.ToLower(out), "mount: cannot mount none") ||
strings.Contains(strings.ToLower(out), "permission denied") ||
@ -2953,7 +2953,7 @@ func (s *DockerSuite) TestRunUnshareProc(c *testing.T) {
/* Ensure still fails if running privileged with the default policy */
go func() {
name := "crashoverride"
out, _, err := dockerCmdWithError("run", "--privileged", "--security-opt", "seccomp=unconfined", "--security-opt", "apparmor=docker-default", "--name", name, "debian:buster", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
out, _, err := dockerCmdWithError("run", "--privileged", "--security-opt", "seccomp=unconfined", "--security-opt", "apparmor=docker-default", "--name", name, "debian:bullseye", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
if err == nil ||
!(strings.Contains(strings.ToLower(out), "mount: cannot mount none") ||
strings.Contains(strings.ToLower(out), "permission denied") ||

18
integration-cli/docker_cli_run_unix_test.go
View File

@ -873,12 +873,12 @@ func (s *DockerSuite) TestRunTmpfsMountsWithOptions(c *testing.T) {
assert.Assert(c, strings.Contains(out, option))
}
// We use debian:buster as there is no findmnt in busybox. Also the output will be in the format of
// We use debian:bullseye as there is no findmnt in busybox. Also the output will be in the format of
// TARGET PROPAGATION
// /tmp shared
// so we only capture `shared` here.
expectedOptions = []string{"shared"}
out, _ = dockerCmd(c, "run", "--tmpfs", "/tmp:shared", "debian:buster", "findmnt", "-o", "TARGET,PROPAGATION", "/tmp")
out, _ = dockerCmd(c, "run", "--tmpfs", "/tmp:shared", "debian:bullseye", "findmnt", "-o", "TARGET,PROPAGATION", "/tmp")
for _, option := range expectedOptions {
assert.Assert(c, strings.Contains(out, option))
}
@ -914,7 +914,7 @@ func (s *DockerSuite) TestRunSysctls(c *testing.T) {
})
}
// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp=/tmp/profile.json debian:buster unshare' exits with operation not permitted.
// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp=/tmp/profile.json debian:bullseye unshare' exits with operation not permitted.
func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *testing.T) {
testRequires(c, testEnv.IsLocalDaemon, seccompEnabled, NotArm, Apparmor)
jsonData := `{
@ -937,7 +937,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *testing.T) {
}
icmd.RunCommand(dockerBinary, "run", "--security-opt", "apparmor=unconfined",
"--security-opt", "seccomp="+tmpFile.Name(),
"debian:buster", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc").Assert(c, icmd.Expected{
"debian:bullseye", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc").Assert(c, icmd.Expected{
ExitCode: 1,
Err: "Operation not permitted",
})
@ -977,7 +977,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *testing.T) {
})
}
// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run debian:buster unshare --map-root-user --user sh -c whoami' with a specific profile to
// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run debian:bullseye unshare --map-root-user --user sh -c whoami' with a specific profile to
// deny unshare of a userns exits with operation not permitted.
func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *testing.T) {
testRequires(c, testEnv.IsLocalDaemon, seccompEnabled, NotArm, Apparmor)
@ -1009,7 +1009,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *testing.T) {
}
icmd.RunCommand(dockerBinary, "run",
"--security-opt", "apparmor=unconfined", "--security-opt", "seccomp="+tmpFile.Name(),
"debian:buster", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami").Assert(c, icmd.Expected{
"debian:bullseye", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami").Assert(c, icmd.Expected{
ExitCode: 1,
Err: "Operation not permitted",
})
@ -1061,12 +1061,12 @@ func (s *DockerSuite) TestRunSeccompProfileAllow32Bit(c *testing.T) {
icmd.RunCommand(dockerBinary, "run", "syscall-test", "exit32-test").Assert(c, icmd.Success)
}
// TestRunSeccompAllowSetrlimit checks that 'docker run debian:buster ulimit -v 1048510' succeeds.
// TestRunSeccompAllowSetrlimit checks that 'docker run debian:bullseye ulimit -v 1048510' succeeds.
func (s *DockerSuite) TestRunSeccompAllowSetrlimit(c *testing.T) {
testRequires(c, testEnv.IsLocalDaemon, seccompEnabled)
// ulimit uses setrlimit, so we want to make sure we don't break it
icmd.RunCommand(dockerBinary, "run", "debian:buster", "bash", "-c", "ulimit -v 1048510").Assert(c, icmd.Success)
icmd.RunCommand(dockerBinary, "run", "debian:bullseye", "bash", "-c", "ulimit -v 1048510").Assert(c, icmd.Success)
}
func (s *DockerSuite) TestRunSeccompDefaultProfileAcct(c *testing.T) {
@ -1362,7 +1362,7 @@ func (s *DockerSuite) TestRunApparmorProcDirectory(c *testing.T) {
func (s *DockerSuite) TestRunSeccompWithDefaultProfile(c *testing.T) {
testRequires(c, testEnv.IsLocalDaemon, seccompEnabled)
out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp=../profiles/seccomp/default.json", "debian:buster", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")
out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp=../profiles/seccomp/default.json", "debian:bullseye", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")
assert.ErrorContains(c, err, "", out)
assert.Equal(c, strings.TrimSpace(out), "unshare: unshare failed: Operation not permitted")
}

4
integration-cli/fixtures_linux_daemon_test.go
View File

@ -49,7 +49,7 @@ func ensureSyscallTest(c *testing.T) {
dockerFile := filepath.Join(tmp, "Dockerfile")
content := []byte(`
FROM debian:buster
FROM debian:bullseye
COPY . /usr/bin/
`)
err = ioutil.WriteFile(dockerFile, content, 0600)
@ -103,7 +103,7 @@ func ensureNNPTest(c *testing.T) {
dockerfile := filepath.Join(tmp, "Dockerfile")
content := `
FROM debian:buster
FROM debian:bullseye
COPY . /usr/bin
RUN chmod +s /usr/bin/nnp-test
`

2
testutil/environment/protect.go
View File

@ -10,7 +10,7 @@ import (
"gotest.tools/v3/assert"
)
var frozenImages = []string{"busybox:latest", "busybox:glibc", "hello-world:frozen", "debian:buster", "debian:bullseye"}
var frozenImages = []string{"busybox:latest", "busybox:glibc", "hello-world:frozen", "debian:bullseye"}
type protectedElements struct {
containers map[string]struct{}