package main
import (
"context"
"fmt"
"os"
"os/exec"
"path/filepath"
"runtime"
"strings"
"testing"
"github.com/docker/docker/integration-cli/cli"
"github.com/docker/docker/testutil/fixtures/load"
"gotest.tools/v3/assert"
)
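// ensureSyscallTest makes sure the "syscall-test:latest" image exists on the
// daemon under test. testEnv.ProtectImage is deferred, so it runs on every
// return path.
//
// If the image is already present nothing is built. When the daemon's OS
// differs from the OS running the tests, the build is delegated to
// ensureSyscallTestBuild. Otherwise the helper programs under
// ../contrib/syscall-test are compiled with the host gcc into a temporary
// directory, which then serves as the `docker build` context.
func ensureSyscallTest(ctx context.Context, c *testing.T) {
	defer testEnv.ProtectImage(c, "syscall-test:latest")

	// If the image already exists, there's nothing left to do.
	if testEnv.HasExistingImage(c, "syscall-test:latest") {
		return
	}

	// if no match, must build in docker, which is significantly slower
	// (slower mostly because of the vfs graphdriver)
	if testEnv.DaemonInfo.OSType != runtime.GOOS {
		ensureSyscallTestBuild(ctx, c)
		return
	}

	tmp, err := os.MkdirTemp("", "syscall-test-build")
	assert.NilError(c, err, "couldn't create temp dir")
	// Best-effort cleanup of the compiled helpers and the generated Dockerfile.
	defer os.RemoveAll(tmp)

	gcc, err := exec.LookPath("gcc")
	assert.NilError(c, err, "could not find gcc")

	tests := []string{"userns", "ns", "acct", "setuid", "setgid", "socket", "raw"}
	for _, test := range tests {
		src := fmt.Sprintf("../contrib/syscall-test/%s.c", test)
		bin := filepath.Join(tmp, test+"-test")
		out, err := exec.Command(gcc, "-g", "-Wall", "-static", src, "-o", bin).CombinedOutput()
		assert.NilError(c, err, string(out))
	}

	if runtime.GOOS == "linux" && runtime.GOARCH == "amd64" {
		// -static is required here: a dynamically linked 32-bit binary needs
		// the i386 loader (/lib/ld-linux.so.2), which was no longer installed
		// by default after the update to Debian Stretch, so the test binary
		// could not be loaded.
		out, err := exec.Command(gcc, "-s", "-m32", "-nostdlib", "-static", "../contrib/syscall-test/exit32.s", "-o", filepath.Join(tmp, "exit32-test")).CombinedOutput()
		assert.NilError(c, err, string(out))
	}

	dockerFile := filepath.Join(tmp, "Dockerfile")
	content := []byte(`
FROM debian:bookworm-slim
COPY . /usr/bin/
`)
	err = os.WriteFile(dockerFile, content, 0o600)
	assert.NilError(c, err)

	// DOCKER_BUILD_ARGS is split on whitespace and handed to `docker build`
	// as separate argv entries; no shell is involved. strings.Fields is used
	// so that repeated, leading or trailing blanks do not turn into empty
	// arguments. Whoever sets this variable chooses the build flags, so it
	// should only ever be set by the trusted test harness.
	buildArgs := []string{"build"}
	buildArgs = append(buildArgs, strings.Fields(os.Getenv("DOCKER_BUILD_ARGS"))...)
	buildArgs = append(buildArgs, "-q", "-t", "syscall-test", tmp)
	cli.DockerCmd(c, buildArgs...)
}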
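// ensureSyscallTestBuild builds the "syscall-test" image inside docker from
// the ../contrib/syscall-test build context, after loading the
// debian:bookworm-slim frozen image through the test environment's API client.
func ensureSyscallTestBuild(ctx context.Context, c *testing.T) {
	err := load.FrozenImagesLinux(ctx, testEnv.APIClient(), "debian:bookworm-slim")
	assert.NilError(c, err)

	// DOCKER_BUILD_ARGS is split on whitespace and handed to `docker build`
	// as separate argv entries; no shell is involved. strings.Fields is used
	// so that repeated, leading or trailing blanks do not turn into empty
	// arguments. Whoever sets this variable chooses the build flags, so it
	// should only ever be set by the trusted test harness.
	buildArgs := []string{"build"}
	buildArgs = append(buildArgs, strings.Fields(os.Getenv("DOCKER_BUILD_ARGS"))...)
	buildArgs = append(buildArgs, "-q", "-t", "syscall-test", "../contrib/syscall-test")
	cli.DockerCmd(c, buildArgs...)
}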
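// ensureNNPTest makes sure the "nnp-test:latest" image exists on the daemon
// under test. testEnv.ProtectImage is deferred, so it runs on every return
// path.
//
// If the image is already present nothing is built. When the daemon's OS
// differs from the OS running the tests, the build is delegated to
// ensureNNPTestBuild. Otherwise ../contrib/nnp-test/nnp-test.c is compiled
// with the host gcc into a temporary directory, which then serves as the
// `docker build` context.
func ensureNNPTest(ctx context.Context, c *testing.T) {
	defer testEnv.ProtectImage(c, "nnp-test:latest")

	// If the image already exists, there's nothing left to do.
	if testEnv.HasExistingImage(c, "nnp-test:latest") {
		return
	}

	// if no match, must build in docker, which is significantly slower
	// (slower mostly because of the vfs graphdriver)
	if testEnv.DaemonInfo.OSType != runtime.GOOS {
		ensureNNPTestBuild(ctx, c)
		return
	}

	tmp, err := os.MkdirTemp("", "docker-nnp-test")
	assert.NilError(c, err)
	// Remove the build context when done, as ensureSyscallTest does; without
	// this the compiled binary and Dockerfile stay behind in the temp dir.
	defer os.RemoveAll(tmp)

	gcc, err := exec.LookPath("gcc")
	assert.NilError(c, err, "could not find gcc")

	out, err := exec.Command(gcc, "-g", "-Wall", "-static", "../contrib/nnp-test/nnp-test.c", "-o", filepath.Join(tmp, "nnp-test")).CombinedOutput()
	assert.NilError(c, err, string(out))

	dockerfile := filepath.Join(tmp, "Dockerfile")
	// The setuid/setgid bits are applied inside the image only; the copy in
	// the host temp dir keeps its normal mode.
	// NOTE(review): presumably the setuid bit is what the no-new-privileges
	// tests rely on — confirm against the tests that run this image.
	content := `
FROM debian:bookworm-slim
COPY . /usr/bin
RUN chmod +s /usr/bin/nnp-test
`
	err = os.WriteFile(dockerfile, []byte(content), 0o600)
	assert.NilError(c, err, "could not write Dockerfile for nnp-test image")

	// DOCKER_BUILD_ARGS is split on whitespace and handed to `docker build`
	// as separate argv entries; no shell is involved. strings.Fields is used
	// so that repeated, leading or trailing blanks do not turn into empty
	// arguments. Whoever sets this variable chooses the build flags, so it
	// should only ever be set by the trusted test harness.
	buildArgs := []string{"build"}
	buildArgs = append(buildArgs, strings.Fields(os.Getenv("DOCKER_BUILD_ARGS"))...)
	buildArgs = append(buildArgs, "-q", "-t", "nnp-test", tmp)
	cli.DockerCmd(c, buildArgs...)
}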
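// ensureNNPTestBuild builds the "nnp-test" image inside docker from the
// ../contrib/nnp-test build context, after loading the debian:bookworm-slim
// frozen image through the test environment's API client.
func ensureNNPTestBuild(ctx context.Context, c *testing.T) {
	err := load.FrozenImagesLinux(ctx, testEnv.APIClient(), "debian:bookworm-slim")
	assert.NilError(c, err)

	// DOCKER_BUILD_ARGS is split on whitespace and handed to `docker build`
	// as separate argv entries; no shell is involved. strings.Fields is used
	// so that repeated, leading or trailing blanks do not turn into empty
	// arguments. Whoever sets this variable chooses the build flags, so it
	// should only ever be set by the trusted test harness.
	buildArgs := []string{"build"}
	buildArgs = append(buildArgs, strings.Fields(os.Getenv("DOCKER_BUILD_ARGS"))...)
	// The tag has to be "nnp-test": ensureNNPTest checks for and protects
	// "nnp-test:latest", so the previous "npp-test" spelling produced an image
	// under a name nothing else in this file looks up.
	buildArgs = append(buildArgs, "-q", "-t", "nnp-test", "../contrib/nnp-test")
	cli.DockerCmd(c, buildArgs...)
}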