mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Port privileged tests
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
This commit is contained in:
Michael Crosby
parent
caad45d0ed
commit
296fcf331f
2 changed files with 62 additions and 75 deletions
|
|
@ -603,3 +603,65 @@ func TestLoopbackOnlyExistsWhenNetworkingDisabled(t *testing.T) {
|
|||
|
||||
logDone("run - test loopback only exists when networking disabled")
|
||||
}
|
||||
|
||||
func TestPrivilegedCanMknod(t *testing.T) {
|
||||
cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
|
||||
out, _, err := runCommandWithOutput(cmd)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
if actual := strings.Trim(out, "\r\n"); actual != "ok" {
|
||||
t.Fatalf("expected output ok received %s", actual)
|
||||
}
|
||||
deleteAllContainers()
|
||||
|
||||
logDone("run - test privileged can mknod")
|
||||
}
|
||||
|
||||
func TestUnPrivilegedCanMknod(t *testing.T) {
|
||||
cmd := exec.Command(dockerBinary, "run", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
|
||||
out, _, err := runCommandWithOutput(cmd)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
if actual := strings.Trim(out, "\r\n"); actual != "ok" {
|
||||
t.Fatalf("expected output ok received %s", actual)
|
||||
}
|
||||
deleteAllContainers()
|
||||
|
||||
logDone("run - test un-privileged can mknod")
|
||||
}
|
||||
|
||||
func TestPrivilegedCanMount(t *testing.T) {
|
||||
cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok")
|
||||
|
||||
out, _, err := runCommandWithOutput(cmd)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
if actual := strings.Trim(out, "\r\n"); actual != "ok" {
|
||||
t.Fatalf("expected output ok received %s", actual)
|
||||
}
|
||||
deleteAllContainers()
|
||||
|
||||
logDone("run - test privileged can mount")
|
||||
}
|
||||
|
||||
func TestUnPrivilegedCannotMount(t *testing.T) {
|
||||
cmd := exec.Command(dockerBinary, "run", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok")
|
||||
|
||||
out, _, err := runCommandWithOutput(cmd)
|
||||
if err == nil {
|
||||
t.Fatal(err, out)
|
||||
}
|
||||
|
||||
if actual := strings.Trim(out, "\r\n"); actual == "ok" {
|
||||
t.Fatalf("expected output not ok received %s", actual)
|
||||
}
|
||||
deleteAllContainers()
|
||||
|
||||
logDone("run - test un-privileged cannot mount")
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,56 +1,17 @@
|
|||
package docker
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"fmt"
|
||||
"github.com/dotcloud/docker/runconfig"
|
||||
"github.com/dotcloud/docker/utils"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"path"
|
||||
"regexp"
|
||||
"sort"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
)
|
||||
|
||||
func TestCpuShares(t *testing.T) {
|
||||
_, err1 := os.Stat("/sys/fs/cgroup/cpuacct,cpu")
|
||||
_, err2 := os.Stat("/sys/fs/cgroup/cpu,cpuacct")
|
||||
if err1 == nil || err2 == nil {
|
||||
t.Skip("Fixme. Setting cpu cgroup shares doesn't work in dind on a Fedora host. The lxc utils are confused by the cpu,cpuacct mount.")
|
||||
}
|
||||
daemon := mkDaemon(t)
|
||||
defer nuke(daemon)
|
||||
container, _, _ := mkContainer(daemon, []string{"-m", "33554432", "-c", "1000", "-i", "_", "/bin/cat"}, t)
|
||||
defer daemon.Destroy(container)
|
||||
|
||||
cStdin, err := container.StdinPipe()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
if err := container.Start(); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Give some time to the process to start
|
||||
container.WaitTimeout(500 * time.Millisecond)
|
||||
|
||||
if !container.State.IsRunning() {
|
||||
t.Errorf("Container should be running")
|
||||
}
|
||||
if err := container.Start(); err != nil {
|
||||
t.Fatalf("A running container should be able to be started")
|
||||
}
|
||||
|
||||
// Try to avoid the timeout in destroy. Best effort, don't check error
|
||||
cStdin.Close()
|
||||
container.WaitTimeout(2 * time.Second)
|
||||
}
|
||||
|
||||
func TestKillDifferentUser(t *testing.T) {
|
||||
daemon := mkDaemon(t)
|
||||
defer nuke(daemon)
|
||||
|
|
@ -582,39 +543,3 @@ func TestRestartWithVolumes(t *testing.T) {
|
|||
t.Fatalf("Expected volume path: %s Actual path: %s", expected, actual)
|
||||
}
|
||||
}
|
||||
|
||||
func TestPrivilegedCanMknod(t *testing.T) {
|
||||
eng := NewTestEngine(t)
|
||||
daemon := mkDaemonFromEngine(eng, t)
|
||||
defer daemon.Nuke()
|
||||
if output, err := runContainer(eng, daemon, []string{"--privileged", "_", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok"}, t); output != "ok\n" {
|
||||
t.Fatalf("Could not mknod into privileged container %s %v", output, err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestPrivilegedCanMount(t *testing.T) {
|
||||
eng := NewTestEngine(t)
|
||||
daemon := mkDaemonFromEngine(eng, t)
|
||||
defer daemon.Nuke()
|
||||
if output, _ := runContainer(eng, daemon, []string{"--privileged", "_", "sh", "-c", "mount -t tmpfs none /tmp && echo ok"}, t); output != "ok\n" {
|
||||
t.Fatal("Could not mount into privileged container")
|
||||
}
|
||||
}
|
||||
|
||||
func TestUnprivilegedCanMknod(t *testing.T) {
|
||||
eng := NewTestEngine(t)
|
||||
daemon := mkDaemonFromEngine(eng, t)
|
||||
defer daemon.Nuke()
|
||||
if output, _ := runContainer(eng, daemon, []string{"_", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok"}, t); output != "ok\n" {
|
||||
t.Fatal("Couldn't mknod into secure container")
|
||||
}
|
||||
}
|
||||
|
||||
func TestUnprivilegedCannotMount(t *testing.T) {
|
||||
eng := NewTestEngine(t)
|
||||
daemon := mkDaemonFromEngine(eng, t)
|
||||
defer daemon.Nuke()
|
||||
if output, _ := runContainer(eng, daemon, []string{"_", "sh", "-c", "mount -t tmpfs none /tmp || echo ok"}, t); output != "ok\n" {
|
||||
t.Fatal("Could mount into secure container")
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue