From df636ef45addcb6ff2555e3da2bc61fc25cc5603 Mon Sep 17 00:00:00 2001 From: Liron Levin Date: Mon, 8 Feb 2016 22:07:04 +0200 Subject: [PATCH] Move userns cli test to a separate file, remove experimental flag Signed-off-by: Liron Levin --- .../docker_cli_experimental_test.go | 57 +--------------- integration-cli/docker_cli_userns_test.go | 65 +++++++++++++++++++ 2 files changed, 66 insertions(+), 56 deletions(-) create mode 100644 integration-cli/docker_cli_userns_test.go diff --git a/integration-cli/docker_cli_experimental_test.go b/integration-cli/docker_cli_experimental_test.go index 4c2384912a..8795078f64 100644 --- a/integration-cli/docker_cli_experimental_test.go +++ b/integration-cli/docker_cli_experimental_test.go @@ -3,17 +3,9 @@ package main import ( - "fmt" - "io/ioutil" - "os" - "os/exec" - "path/filepath" - "strconv" - "strings" - "github.com/docker/docker/pkg/integration/checker" - "github.com/docker/docker/pkg/system" "github.com/go-check/check" + "strings" ) func (s *DockerSuite) TestExperimentalVersion(c *check.C) { @@ -27,50 +19,3 @@ func (s *DockerSuite) TestExperimentalVersion(c *check.C) { out, _ = dockerCmd(c, "-v") c.Assert(out, checker.Contains, ", experimental", check.Commentf("docker version did not contain experimental")) } - -// user namespaces test: run daemon with remapped root setting -// 1. validate uid/gid maps are set properly -// 2. verify that files created are owned by remapped root -func (s *DockerDaemonSuite) TestDaemonUserNamespaceRootSetting(c *check.C) { - testRequires(c, DaemonIsLinux, SameHostDaemon) - - c.Assert(s.d.StartWithBusybox("--userns-remap", "default"), checker.IsNil) - - tmpDir, err := ioutil.TempDir("", "userns") - c.Assert(err, checker.IsNil) - defer os.RemoveAll(tmpDir) - - // we need to find the uid and gid of the remapped root from the daemon's root dir info - uidgid := strings.Split(filepath.Base(s.d.root), ".") - c.Assert(uidgid, checker.HasLen, 2, check.Commentf("Should have gotten uid/gid strings from root dirname: %s", filepath.Base(s.d.root))) - uid, err := strconv.Atoi(uidgid[0]) - c.Assert(err, checker.IsNil, check.Commentf("Can't parse uid")) - gid, err := strconv.Atoi(uidgid[1]) - c.Assert(err, checker.IsNil, check.Commentf("Can't parse gid")) - - //writeable by the remapped root UID/GID pair - c.Assert(os.Chown(tmpDir, uid, gid), checker.IsNil) - - out, err := s.d.Cmd("run", "-d", "--name", "userns", "-v", tmpDir+":/goofy", "busybox", "sh", "-c", "touch /goofy/testfile; top") - c.Assert(err, checker.IsNil, check.Commentf("Output: %s", out)) - - pid, err := s.d.Cmd("inspect", "--format='{{.State.Pid}}'", "userns") - c.Assert(err, checker.IsNil, check.Commentf("Could not inspect running container: out: %q", pid)) - // check the uid and gid maps for the PID to ensure root is remapped - // (cmd = cat /proc//uid_map | grep -E '0\s+9999\s+1') - out, rc1, err := runCommandPipelineWithOutput( - exec.Command("cat", "/proc/"+strings.TrimSpace(pid)+"/uid_map"), - exec.Command("grep", "-E", fmt.Sprintf("0[[:space:]]+%d[[:space:]]+", uid))) - c.Assert(rc1, checker.Equals, 0, check.Commentf("Didn't match uid_map: output: %s", out)) - - out, rc2, err := runCommandPipelineWithOutput( - exec.Command("cat", "/proc/"+strings.TrimSpace(pid)+"/gid_map"), - exec.Command("grep", "-E", fmt.Sprintf("0[[:space:]]+%d[[:space:]]+", gid))) - c.Assert(rc2, checker.Equals, 0, check.Commentf("Didn't match gid_map: output: %s", out)) - - // check that the touched file is owned by remapped uid:gid - stat, err := system.Stat(filepath.Join(tmpDir, "testfile")) - c.Assert(err, checker.IsNil) - c.Assert(stat.UID(), checker.Equals, uint32(uid), check.Commentf("Touched file not owned by remapped root UID")) - c.Assert(stat.GID(), checker.Equals, uint32(gid), check.Commentf("Touched file not owned by remapped root GID")) -} diff --git a/integration-cli/docker_cli_userns_test.go b/integration-cli/docker_cli_userns_test.go new file mode 100644 index 0000000000..ab503b4038 --- /dev/null +++ b/integration-cli/docker_cli_userns_test.go @@ -0,0 +1,65 @@ +// +build !windows + +package main + +import ( + "fmt" + "io/ioutil" + "os" + "os/exec" + "path/filepath" + "strconv" + "strings" + + "github.com/docker/docker/pkg/integration/checker" + "github.com/docker/docker/pkg/system" + "github.com/go-check/check" +) + +// user namespaces test: run daemon with remapped root setting +// 1. validate uid/gid maps are set properly +// 2. verify that files created are owned by remapped root +func (s *DockerDaemonSuite) TestDaemonUserNamespaceRootSetting(c *check.C) { + testRequires(c, DaemonIsLinux, SameHostDaemon) + + c.Assert(s.d.StartWithBusybox("--userns-remap", "default"), checker.IsNil) + + tmpDir, err := ioutil.TempDir("", "userns") + c.Assert(err, checker.IsNil) + + defer os.RemoveAll(tmpDir) + + // we need to find the uid and gid of the remapped root from the daemon's root dir info + uidgid := strings.Split(filepath.Base(s.d.root), ".") + c.Assert(uidgid, checker.HasLen, 2, check.Commentf("Should have gotten uid/gid strings from root dirname: %s", filepath.Base(s.d.root))) + uid, err := strconv.Atoi(uidgid[0]) + c.Assert(err, checker.IsNil, check.Commentf("Can't parse uid")) + gid, err := strconv.Atoi(uidgid[1]) + c.Assert(err, checker.IsNil, check.Commentf("Can't parse gid")) + + //writeable by the remapped root UID/GID pair + c.Assert(os.Chown(tmpDir, uid, gid), checker.IsNil) + + out, err := s.d.Cmd("run", "-d", "--name", "userns", "-v", tmpDir+":/goofy", "busybox", "sh", "-c", "touch /goofy/testfile; top") + c.Assert(err, checker.IsNil, check.Commentf("Output: %s", out)) + + pid, err := s.d.Cmd("inspect", "--format='{{.State.Pid}}'", "userns") + c.Assert(err, checker.IsNil, check.Commentf("Could not inspect running container: out: %q", pid)) + // check the uid and gid maps for the PID to ensure root is remapped + // (cmd = cat /proc//uid_map | grep -E '0\s+9999\s+1') + out, rc1, err := runCommandPipelineWithOutput( + exec.Command("cat", "/proc/"+strings.TrimSpace(pid)+"/uid_map"), + exec.Command("grep", "-E", fmt.Sprintf("0[[:space:]]+%d[[:space:]]+", uid))) + c.Assert(rc1, checker.Equals, 0, check.Commentf("Didn't match uid_map: output: %s", out)) + + out, rc2, err := runCommandPipelineWithOutput( + exec.Command("cat", "/proc/"+strings.TrimSpace(pid)+"/gid_map"), + exec.Command("grep", "-E", fmt.Sprintf("0[[:space:]]+%d[[:space:]]+", gid))) + c.Assert(rc2, checker.Equals, 0, check.Commentf("Didn't match gid_map: output: %s", out)) + + // check that the touched file is owned by remapped uid:gid + stat, err := system.Stat(filepath.Join(tmpDir, "testfile")) + c.Assert(err, checker.IsNil) + c.Assert(stat.UID(), checker.Equals, uint32(uid), check.Commentf("Touched file not owned by remapped root UID")) + c.Assert(stat.GID(), checker.Equals, uint32(gid), check.Commentf("Touched file not owned by remapped root GID")) +}