kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Port privileged tests

Browse source 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
This commit is contained in:
Michael Crosby 2014-04-18 03:20:17 +00:00
parent caad45d0ed
commit 296fcf331f
2 changed files with 62 additions and 75 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

62
integration-cli/docker_cli_run_test.go
View file

@ -603,3 +603,65 @@ func TestLoopbackOnlyExistsWhenNetworkingDisabled(t *testing.T) {
logDone("run - test loopback only exists when networking disabled") logDone("run - test loopback only exists when networking disabled")
} }
func TestPrivilegedCanMknod(t *testing.T) {
cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
out, _, err := runCommandWithOutput(cmd)
if err != nil {
t.Fatal(err)
}
if actual := strings.Trim(out, "\r\n"); actual != "ok" {
t.Fatalf("expected output ok received %s", actual)
}
deleteAllContainers()
logDone("run - test privileged can mknod")
}
func TestUnPrivilegedCanMknod(t *testing.T) {
cmd := exec.Command(dockerBinary, "run", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
out, _, err := runCommandWithOutput(cmd)
if err != nil {
t.Fatal(err)
}
if actual := strings.Trim(out, "\r\n"); actual != "ok" {
t.Fatalf("expected output ok received %s", actual)
}
deleteAllContainers()
logDone("run - test un-privileged can mknod")
}
func TestPrivilegedCanMount(t *testing.T) {
cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok")
out, _, err := runCommandWithOutput(cmd)
if err != nil {
t.Fatal(err)
}
if actual := strings.Trim(out, "\r\n"); actual != "ok" {
t.Fatalf("expected output ok received %s", actual)
}
deleteAllContainers()
logDone("run - test privileged can mount")
}
func TestUnPrivilegedCannotMount(t *testing.T) {
cmd := exec.Command(dockerBinary, "run", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok")
out, _, err := runCommandWithOutput(cmd)
if err == nil {
t.Fatal(err, out)
}
if actual := strings.Trim(out, "\r\n"); actual == "ok" {
t.Fatalf("expected output not ok received %s", actual)
}
deleteAllContainers()
logDone("run - test un-privileged cannot mount")
}

75
integration/container_test.go
View file

@ -1,56 +1,17 @@
package docker package docker
import ( import (
"bufio"
"fmt" "fmt"
"github.com/dotcloud/docker/runconfig" "github.com/dotcloud/docker/runconfig"
"github.com/dotcloud/docker/utils"
"io" "io"
"io/ioutil" "io/ioutil"
"os" "os"
"path" "path"
"regexp"
"sort"
"strings" "strings"
"testing" "testing"
"time" "time"
) )
func TestCpuShares(t *testing.T) {
_, err1 := os.Stat("/sys/fs/cgroup/cpuacct,cpu")
_, err2 := os.Stat("/sys/fs/cgroup/cpu,cpuacct")
if err1 == nil || err2 == nil {
t.Skip("Fixme. Setting cpu cgroup shares doesn't work in dind on a Fedora host. The lxc utils are confused by the cpu,cpuacct mount.")
}
daemon := mkDaemon(t)
defer nuke(daemon)
container, _, _ := mkContainer(daemon, []string{"-m", "33554432", "-c", "1000", "-i", "_", "/bin/cat"}, t)
defer daemon.Destroy(container)
cStdin, err := container.StdinPipe()
if err != nil {
t.Fatal(err)
}
if err := container.Start(); err != nil {
t.Fatal(err)
}
// Give some time to the process to start
container.WaitTimeout(500 * time.Millisecond)
if !container.State.IsRunning() {
t.Errorf("Container should be running")
}
if err := container.Start(); err != nil {
t.Fatalf("A running container should be able to be started")
}
// Try to avoid the timeout in destroy. Best effort, don't check error
cStdin.Close()
container.WaitTimeout(2 * time.Second)
}
func TestKillDifferentUser(t *testing.T) { func TestKillDifferentUser(t *testing.T) {
daemon := mkDaemon(t) daemon := mkDaemon(t)
defer nuke(daemon) defer nuke(daemon)
@ -582,39 +543,3 @@ func TestRestartWithVolumes(t *testing.T) {
t.Fatalf("Expected volume path: %s Actual path: %s", expected, actual) t.Fatalf("Expected volume path: %s Actual path: %s", expected, actual)
} }
} }
func TestPrivilegedCanMknod(t *testing.T) {
eng := NewTestEngine(t)
daemon := mkDaemonFromEngine(eng, t)
defer daemon.Nuke()
if output, err := runContainer(eng, daemon, []string{"--privileged", "_", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok"}, t); output != "ok\n" {
t.Fatalf("Could not mknod into privileged container %s %v", output, err)
}
}
func TestPrivilegedCanMount(t *testing.T) {
eng := NewTestEngine(t)
daemon := mkDaemonFromEngine(eng, t)
defer daemon.Nuke()
if output, _ := runContainer(eng, daemon, []string{"--privileged", "_", "sh", "-c", "mount -t tmpfs none /tmp && echo ok"}, t); output != "ok\n" {
t.Fatal("Could not mount into privileged container")
}
}
func TestUnprivilegedCanMknod(t *testing.T) {
eng := NewTestEngine(t)
daemon := mkDaemonFromEngine(eng, t)
defer daemon.Nuke()
if output, _ := runContainer(eng, daemon, []string{"_", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok"}, t); output != "ok\n" {
t.Fatal("Couldn't mknod into secure container")
}
}
func TestUnprivilegedCannotMount(t *testing.T) {
eng := NewTestEngine(t)
daemon := mkDaemonFromEngine(eng, t)
defer daemon.Nuke()
if output, _ := runContainer(eng, daemon, []string{"_", "sh", "-c", "mount -t tmpfs none /tmp || echo ok"}, t); output != "ok\n" {
t.Fatal("Could mount into secure container")
}
}