1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
moby--moby/integration-cli/requirements.go
Michael Holzheu bf2a577c13 Enable seccomp for s390x
To implement seccomp for s390x the following changes are required:

1) seccomp_default: Add s390 compat mode

   On s390x (64 bit) we can run s390 (32 bit) programs in 32 bit
   compat mode. Therefore add this information to arches().

2) seccomp_default: Use correct flags parameter for sys_clone on s390x

   On s390x the second parameter for the clone system call is the flags
   parameter. On all other architectures it is the first one.

   See kernel code kernel/fork.c:

   #elif defined(CONFIG_CLONE_BACKWARDS2)
   SYSCALL_DEFINE5(clone, unsigned long, newsp, unsigned long, clone_flags,
                   int __user *, parent_tidptr,

   So fix the docker default seccomp rule and check for the second
   parameter on s390/s390x.

3) seccomp_default: Add s390 specific syscalls

  For s390 we currently have three additional system calls that should
  be added to the seccomp whitelist:

  - Other architectures can read/write unprivileged from/to PCI MMIO memory.
    On s390 the instructions are privileged and therefore we need system
    calls for that purpose:

    * s390_pci_mmio_write()
    * s390_pci_mmio_read()

  - Runtime instrumentation:

    * s390_runtime_instr()

4) test_integration: Do not run seccomp default profile test on s390x

   The generated profile that we check in is for amd64 and i386
   architectures and does not work correctly on s390x.

   See also: 75385dc216 ("Do not run the seccomp tests that use
   default.json on non x86 architectures")

5) Dockerfile.s390x: Add "seccomp" to DOCKER_BUILDTAGS

Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
2016-06-06 08:13:22 -04:00

198 lines
5.4 KiB
Go

package main
import (
"fmt"
"io/ioutil"
"net/http"
"os"
"os/exec"
"strings"
"time"
"github.com/docker/docker/utils"
"github.com/go-check/check"
)
type testCondition func() bool
type testRequirement struct {
Condition testCondition
SkipMessage string
}
// List test requirements
var (
DaemonIsWindows = testRequirement{
func() bool { return daemonPlatform == "windows" },
"Test requires a Windows daemon",
}
DaemonIsLinux = testRequirement{
func() bool { return daemonPlatform == "linux" },
"Test requires a Linux daemon",
}
NotExperimentalDaemon = testRequirement{
func() bool { return !utils.ExperimentalBuild() },
"Test requires a non experimental daemon",
}
NotArm = testRequirement{
func() bool { return os.Getenv("DOCKER_ENGINE_GOARCH") != "arm" },
"Test requires a daemon not running on ARM",
}
NotPpc64le = testRequirement{
func() bool { return os.Getenv("DOCKER_ENGINE_GOARCH") != "ppc64le" },
"Test requires a daemon not running on ppc64le",
}
NotS390X = testRequirement{
func() bool { return os.Getenv("DOCKER_ENGINE_GOARCH") != "s390x" },
"Test requires a daemon not running on s390x",
}
SameHostDaemon = testRequirement{
func() bool { return isLocalDaemon },
"Test requires docker daemon to run on the same machine as CLI",
}
UnixCli = testRequirement{
func() bool { return isUnixCli },
"Test requires posix utilities or functionality to run.",
}
ExecSupport = testRequirement{
func() bool { return supportsExec },
"Test requires 'docker exec' capabilities on the tested daemon.",
}
Network = testRequirement{
func() bool {
// Set a timeout on the GET at 15s
var timeout = time.Duration(15 * time.Second)
var url = "https://hub.docker.com"
client := http.Client{
Timeout: timeout,
}
resp, err := client.Get(url)
if err != nil && strings.Contains(err.Error(), "use of closed network connection") {
panic(fmt.Sprintf("Timeout for GET request on %s", url))
}
if resp != nil {
resp.Body.Close()
}
return err == nil
},
"Test requires network availability, environment variable set to none to run in a non-network enabled mode.",
}
Apparmor = testRequirement{
func() bool {
buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
return err == nil && len(buf) > 1 && buf[0] == 'Y'
},
"Test requires apparmor is enabled.",
}
RegistryHosting = testRequirement{
func() bool {
// for now registry binary is built only if we're running inside
// container through `make test`. Figure that out by testing if
// registry binary is in PATH.
_, err := exec.LookPath(v2binary)
return err == nil
},
fmt.Sprintf("Test requires an environment that can host %s in the same host", v2binary),
}
NotaryHosting = testRequirement{
func() bool {
// for now notary binary is built only if we're running inside
// container through `make test`. Figure that out by testing if
// notary-server binary is in PATH.
_, err := exec.LookPath(notaryServerBinary)
return err == nil
},
fmt.Sprintf("Test requires an environment that can host %s in the same host", notaryServerBinary),
}
NotaryServerHosting = testRequirement{
func() bool {
// for now notary-server binary is built only if we're running inside
// container through `make test`. Figure that out by testing if
// notary-server binary is in PATH.
_, err := exec.LookPath(notaryServerBinary)
return err == nil
},
fmt.Sprintf("Test requires an environment that can host %s in the same host", notaryServerBinary),
}
NotOverlay = testRequirement{
func() bool {
return !strings.HasPrefix(daemonStorageDriver, "overlay")
},
"Test requires underlying root filesystem not be backed by overlay.",
}
Devicemapper = testRequirement{
func() bool {
return strings.HasPrefix(daemonStorageDriver, "devicemapper")
},
"Test requires underlying root filesystem to be backed by devicemapper.",
}
IPv6 = testRequirement{
func() bool {
cmd := exec.Command("test", "-f", "/proc/net/if_inet6")
if err := cmd.Run(); err != nil {
return true
}
return false
},
"Test requires support for IPv6",
}
NotGCCGO = testRequirement{
func() bool {
out, err := exec.Command("go", "version").Output()
if err == nil && strings.Contains(string(out), "gccgo") {
return false
}
return true
},
"Test requires native Golang compiler instead of GCCGO",
}
UserNamespaceInKernel = testRequirement{
func() bool {
if _, err := os.Stat("/proc/self/uid_map"); os.IsNotExist(err) {
/*
* This kernel-provided file only exists if user namespaces are
* supported
*/
return false
}
// We need extra check on redhat based distributions
if f, err := os.Open("/sys/module/user_namespace/parameters/enable"); err == nil {
b := make([]byte, 1)
_, _ = f.Read(b)
if string(b) == "N" {
return false
}
return true
}
return true
},
"Kernel must have user namespaces configured and enabled.",
}
NotUserNamespace = testRequirement{
func() bool {
root := os.Getenv("DOCKER_REMAP_ROOT")
if root != "" {
return false
}
return true
},
"Test cannot be run when remapping root",
}
)
// testRequires checks if the environment satisfies the requirements
// for the test to run or skips the tests.
func testRequires(c *check.C, requirements ...testRequirement) {
for _, r := range requirements {
if !r.Condition() {
c.Skip(r.SkipMessage)
}
}
}