From 296fcf331f2886d2aba3cfb929887dfbb603643d Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Fri, 18 Apr 2014 03:20:17 +0000
Subject: [PATCH] Port privileged tests

Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael)
---
 integration-cli/docker_cli_run_test.go | 62 +++++++++++++++++++++
 integration/container_test.go | 75 --------------------------
 2 files changed, 62 insertions(+), 75 deletions(-)

diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index d50adeafcf..d356f5f4de 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -603,3 +603,65 @@ func TestLoopbackOnlyExistsWhenNetworkingDisabled(t *testing.T) {

 logDone("run - test loopback only exists when networking disabled")
 }
+
+func TestPrivilegedCanMknod(t *testing.T) {
+ cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
+ out, _, err := runCommandWithOutput(cmd)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if actual := strings.Trim(out, "\r\n"); actual != "ok" {
+ t.Fatalf("expected output ok received %s", actual)
+ }
+ deleteAllContainers()
+
+ logDone("run - test privileged can mknod")
+}
+
+func TestUnPrivilegedCanMknod(t *testing.T) {
+ cmd := exec.Command(dockerBinary, "run", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
+ out, _, err := runCommandWithOutput(cmd)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if actual := strings.Trim(out, "\r\n"); actual != "ok" {
+ t.Fatalf("expected output ok received %s", actual)
+ }
+ deleteAllContainers()
+
+ logDone("run - test un-privileged can mknod")
+}
+
+func TestPrivilegedCanMount(t *testing.T) {
+ cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok")
+
+ out, _, err := runCommandWithOutput(cmd)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if actual := strings.Trim(out, "\r\n"); actual != "ok" {
+ t.Fatalf("expected output ok received %s", actual)
+ }
+ deleteAllContainers()
+
+ logDone("run - test privileged can mount")
+}
+
+func TestUnPrivilegedCannotMount(t *testing.T) {
+ cmd := exec.Command(dockerBinary, "run", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok")
+
+ out, _, err := runCommandWithOutput(cmd)
+ if err == nil {
+ t.Fatal(err, out)
+ }
+
+ if actual := strings.Trim(out, "\r\n"); actual == "ok" {
+ t.Fatalf("expected output not ok received %s", actual)
+ }
+ deleteAllContainers()
+
+ logDone("run - test un-privileged cannot mount")
+}
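Review bot: TestUnPrivilegedCannotMount passes on any failure of `docker run`, not only on a refused mount: with `mount ... && echo ok` and `if err == nil { t.Fatal(err, out) }`, any other cause of a non-nil err with output other than `ok` (presumably a missing image or a daemon error) satisfies both checks, so the test guarding the unprivileged mount restriction can pass without exercising it. The version removed from integration/container_test.go ran `mount -t tmpfs none /tmp || echo ok` and required the output `ok`, which shows that the container actually started and the mount itself was denied. Keeping that form here (`"mount -t tmpfs none /tmp || echo ok"`, `if err != nil { t.Fatal(err, out) }`, `actual != "ok"`) restores the positive signal. In all four added tests `deleteAllContainers()` runs only on the success path, so a `t.Fatal` leaves the container behind for later tests; `defer deleteAllContainers()` as the first statement would cover both paths.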
diff --git a/integration/container_test.go b/integration/container_test.go
index bce3a9628f..67b2783ce9 100644
--- a/integration/container_test.go
+++ b/integration/container_test.go
@@ -1,56 +1,17 @@
 package docker

 import (
- "bufio"
 "fmt"
 "github.com/dotcloud/docker/runconfig"
- "github.com/dotcloud/docker/utils"
 "io"
 "io/ioutil"
 "os"
 "path"
- "regexp"
- "sort"
 "strings"
 "testing"
 "time"
 )

-func TestCpuShares(t *testing.T) {
- _, err1 := os.Stat("/sys/fs/cgroup/cpuacct,cpu")
- _, err2 := os.Stat("/sys/fs/cgroup/cpu,cpuacct")
- if err1 == nil || err2 == nil {
- t.Skip("Fixme. Setting cpu cgroup shares doesn't work in dind on a Fedora host. The lxc utils are confused by the cpu,cpuacct mount.")
- }
- daemon := mkDaemon(t)
- defer nuke(daemon)
- container, _, _ := mkContainer(daemon, []string{"-m", "33554432", "-c", "1000", "-i", "_", "/bin/cat"}, t)
- defer daemon.Destroy(container)
-
- cStdin, err := container.StdinPipe()
- if err != nil {
- t.Fatal(err)
- }
-
- if err := container.Start(); err != nil {
- t.Fatal(err)
- }
-
- // Give some time to the process to start
- container.WaitTimeout(500 * time.Millisecond)
-
- if !container.State.IsRunning() {
- t.Errorf("Container should be running")
- }
- if err := container.Start(); err != nil {
- t.Fatalf("A running container should be able to be started")
- }
-
- // Try to avoid the timeout in destroy. Best effort, don't check error
- cStdin.Close()
- container.WaitTimeout(2 * time.Second)
-}
-
 func TestKillDifferentUser(t *testing.T) {
 daemon := mkDaemon(t)
 defer nuke(daemon)
@@ -582,39 +543,3 @@ func TestRestartWithVolumes(t *testing.T) {
 t.Fatalf("Expected volume path: %s Actual path: %s", expected, actual)
 }
 }
-
-func TestPrivilegedCanMknod(t *testing.T) {
- eng := NewTestEngine(t)
- daemon := mkDaemonFromEngine(eng, t)
- defer daemon.Nuke()
- if output, err := runContainer(eng, daemon, []string{"--privileged", "_", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok"}, t); output != "ok\n" {
- t.Fatalf("Could not mknod into privileged container %s %v", output, err)
- }
-}
-
-func TestPrivilegedCanMount(t *testing.T) {
- eng := NewTestEngine(t)
- daemon := mkDaemonFromEngine(eng, t)
- defer daemon.Nuke()
- if output, _ := runContainer(eng, daemon, []string{"--privileged", "_", "sh", "-c", "mount -t tmpfs none /tmp && echo ok"}, t); output != "ok\n" {
- t.Fatal("Could not mount into privileged container")
- }
-}
-
-func TestUnprivilegedCanMknod(t *testing.T) {
- eng := NewTestEngine(t)
- daemon := mkDaemonFromEngine(eng, t)
- defer daemon.Nuke()
- if output, _ := runContainer(eng, daemon, []string{"_", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok"}, t); output != "ok\n" {
- t.Fatal("Couldn't mknod into secure container")
- }
-}
-
-func TestUnprivilegedCannotMount(t *testing.T) {
- eng := NewTestEngine(t)
- daemon := mkDaemonFromEngine(eng, t)
- defer daemon.Nuke()
- if output, _ := runContainer(eng, daemon, []string{"_", "sh", "-c", "mount -t tmpfs none /tmp || echo ok"}, t); output != "ok\n" {
- t.Fatal("Could mount into secure container")
- }
-}