Commit graph

5197 commits

Author SHA1 Message Date
Sebastiaan van Stijn
6345208b9b
Replace some checkers and assertions with gotest.tools
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-04-05 16:45:37 +02:00
Sebastiaan van Stijn
86f2ac4a6b
Remove some checkers to discourage usage
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-04-05 15:22:10 +02:00
Vincent Demeester
da823cf3a5
Merge pull request #38853 from cyphar/integration-cli-ensureImage
integration-cli: don't build -test images if they already exist
2019-03-27 07:32:23 +01:00
Yong Tang
269cba2428 Small gofmt fix
This PR is a small gofmt fix of https://goreportcard.com/report/github.com/moby/moby#gofmt
```
gofmt99%
Gofmt formats Go programs. We run gofmt -s on your code, where -s is for the "simplify" command
moby/integration-cli/docker_cli_run_test.go
Line 1: warning: file is not gofmted with -s (gofmt)
```

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2019-03-26 01:54:31 +00:00
Sebastiaan van Stijn
6dfd5bd74f
Merge pull request #38908 from Microsoft/jjh/testrunbindmounts
Windows (pre RS5) disableTestRunBindMounts
2019-03-20 08:31:53 +01:00
John Howard
a3eda72f71
Merge pull request #38541 from Microsoft/jjh/containerd
Windows: Experimental: ContainerD runtime
2019-03-19 21:09:19 -07:00
John Howard
9d2e97ac6e Windows (pre RS5) disableTestRunBindMounts
Signed-off-by: John Howard <jhoward@microsoft.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-03-20 01:43:38 +00:00
John Howard
80fce6d747 Windows:Fix TestRunUserDefaults
Signed-off-by: John Howard <jhoward@microsoft.com>
2019-03-19 13:06:27 -07:00
Sebastiaan van Stijn
2925eb7a2a
Merge pull request #38777 from wk8/wk8/raw_cred_specs
Making it possible to pass Windows credential specs directly to the engine
2019-03-16 16:42:39 +01:00
Jean Rouge
7fdac7eb0f Making it possible to pass Windows credential specs directly to the engine
Instead of having to go through files or registry values as is currently the
case.

While adding GMSA support to Kubernetes (https://github.com/kubernetes/kubernetes/pull/73726)
I stumbled upon the fact that Docker currently only allows passing Windows
credential specs through files or registry values, forcing the Kubelet
to perform a rather awkward dance of writing-then-deleting to either the
disk or the registry to be able to create a Windows container with cred
specs.

This patch solves this problem by making it possible to directly pass
whole base64-encoded cred specs to the engine's API. I took the opportunity
to slightly refactor the method responsible for Windows cred spec as it
seemed hard to read to me.

Added some unit tests on Windows credential specs handling, as there were
previously none.

Added/amended the relevant integration tests.

I have also tested it manually: given a Windows container using a cred spec
that you would normally start with e.g.
```powershell
docker run --rm --security-opt "credentialspec=file://win.json" mcr.microsoft.com/windows/servercore:ltsc2019 nltest /parentdomain
# output:
# my.ad.domain.com. (1)
# The command completed successfully
```
can now equivalently be started with
```powershell
$rawCredSpec = & cat 'C:\ProgramData\docker\credentialspecs\win.json'
$escaped = $rawCredSpec.Replace('"', '\"')
docker run --rm --security-opt "credentialspec=raw://$escaped" mcr.microsoft.com/windows/servercore:ltsc2019 nltest /parentdomain
# same output!
```

I'll do another PR on Swarmkit after this is merged to allow services to use
the same option.

(It's worth noting that @dperny faced the same problem adding GMSA support
to Swarmkit, to which he came up with an interesting solution - see
https://github.com/moby/moby/pull/38632 - but alas these tricks are not
available to the Kubelet.)

Signed-off-by: Jean Rouge <rougej+github@gmail.com>
2019-03-15 19:20:19 -07:00
John Howard
20833b06a0 Windows: (WCOW) Generate OCI spec that remote runtime can escape
Signed-off-by: John Howard <jhoward@microsoft.com>

Also fixes https://github.com/moby/moby/issues/22874

This commit is a pre-requisite to moving moby/moby on Windows to using
Containerd for its runtime.

The reason for this is that the interface between moby and containerd
for the runtime is an OCI spec which must be unambigious.

It is the responsibility of the runtime (runhcs in the case of
containerd on Windows) to ensure that arguments are escaped prior
to calling into HCS and onwards to the Win32 CreateProcess call.

Previously, the builder was always escaping arguments which has
led to several bugs in moby. Because the local runtime in
libcontainerd had context of whether or not arguments were escaped,
it was possible to hack around in daemon/oci_windows.go with
knowledge of the context of the call (from builder or not).

With a remote runtime, this is not possible as there's rightly
no context of the caller passed across in the OCI spec. Put another
way, as I put above, the OCI spec must be unambigious.

The other previous limitation (which leads to various subtle bugs)
is that moby is coded entirely from a Linux-centric point of view.

Unfortunately, Windows != Linux. Windows CreateProcess uses a
command line, not an array of arguments. And it has very specific
rules about how to escape a command line. Some interesting reading
links about this are:

https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
https://stackoverflow.com/questions/31838469/how-do-i-convert-argv-to-lpcommandline-parameter-of-createprocess
https://docs.microsoft.com/en-us/cpp/cpp/parsing-cpp-command-line-arguments?view=vs-2017

For this reason, the OCI spec has recently been updated to cater
for more natural syntax by including a CommandLine option in
Process.

What does this commit do?

Primary objective is to ensure that the built OCI spec is unambigious.

It changes the builder so that `ArgsEscaped` as commited in a
layer is only controlled by the use of CMD or ENTRYPOINT.

Subsequently, when calling in to create a container from the builder,
if follows a different path to both `docker run` and `docker create`
using the added `ContainerCreateIgnoreImagesArgsEscaped`. This allows
a RUN from the builder to control how to escape in the OCI spec.

It changes the builder so that when shell form is used for RUN,
CMD or ENTRYPOINT, it builds (for WCOW) a more natural command line
using the original as put by the user in the dockerfile, not
the parsed version as a set of args which loses fidelity.
This command line is put into args[0] and `ArgsEscaped` is set
to true for CMD or ENTRYPOINT. A RUN statement does not commit
`ArgsEscaped` to the commited layer regardless or whether shell
or exec form were used.
2019-03-12 18:41:55 -07:00
Aleksa Sarai
175b1d7830
integration-cli: don't build -test images if they already exist
There's no need to try to re-build the test images if they already
exist. This change makes basically no difference to the upstream
integration test-suite running, but for users who want to run the
integration-cli suite on a host machine (such as distributions doing
tests) this change allows images to be pre-loaded such that compilers
aren't needed on the test machine.

However, this does remove the accidental re-compilation of nnp-test, as
well as handling errors far more cleanly (previously if an error
occurred during a test build, further tests won't attempt to rebuild
it).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-03-13 11:48:40 +11:00
Kir Kolyshkin
9fd765f07c TestDaemonRestartIpcMode: modernize
Move the test case from integration-cli to integration.

The test logic itself has not changed, except these
two things:

* the new test sets default-ipc-mode via command line
  rather than via daemon.json (less code);
* the new test uses current API version.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2019-03-08 10:04:43 -08:00
Brian Goff
13b7d11be1 Remove Schema1 integration test suite
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2019-03-02 10:46:37 -08:00
Justin Cormack
98fc09128b Remove the rest of v1 manifest support
As people are using the UUID in `docker info` that was based on the v1 manifest signing key, replace
with a UUID instead.

Remove deprecated `--disable-legacy-registry` option that was scheduled to be removed in 18.03.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2019-03-02 10:46:37 -08:00
John Howard
faaffd5d6d Windows:Disable 2 restart test when Hyper-V
Signed-off-by: John Howard <jhoward@microsoft.com>
2019-02-22 11:15:51 -08:00
Brian Goff
e063099f91 Completely remove d.NewClient from testing tools
Favor `d.NewClientT` instead.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2019-02-07 16:07:02 -08:00
Deng Guangxing
8e293be4ba fix unless-stopped unexpected behavior
fix https://github.com/moby/moby/issues/35304.

Signed-off-by: dengguangxing <dengguangxing@huawei.com>
2019-02-01 15:03:17 -08:00
Sebastiaan van Stijn
3a4bb96ab7
Remove use of deprecated client.NewClient()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-28 17:08:54 +01:00
Sebastiaan van Stijn
5801c04345
Merge pull request #38380 from olljanat/capabilities-support
Add support for exact list of capabilities + capAdd / capDrop refactor
2019-01-28 16:36:03 +01:00
Olli Janatuinen
80d7bfd54d Capabilities refactor
- Add support for exact list of capabilities, support only OCI model
- Support OCI model on CapAdd and CapDrop but remain backward compatibility
- Create variable locally instead of declaring it at the top
- Use const for magic "ALL" value
- Rename `cap` variable as it overlaps with `cap()` built-in
- Normalize and validate capabilities before use
- Move validation for conflicting options to validateHostConfig()
- TweakCapabilities: simplify logic to calculate capabilities

Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-22 21:50:41 +02:00
Sebastiaan van Stijn
3105ca26dc
integration-cli: remove deprecated daemonHost() utility
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-21 12:07:36 +01:00
Brian Goff
64fd09bd29
Merge pull request #38553 from thaJeztah/faster_api_node_drain_pause
Slightly speed up TestAPISwarmNodeDrainPause
2019-01-15 13:49:28 -08:00
Brian Goff
0dc531243d
Merge pull request #38554 from thaJeztah/check_for_errors
Add missing error-check in TestAPISwarmManagerRestore
2019-01-15 09:25:44 -08:00
Vincent Demeester
a827f17306
Merge pull request #38552 from thaJeztah/improve_test_events_filter_labels
Make TestEventsFilterLabels less flaky
2019-01-15 09:01:38 +01:00
Sebastiaan van Stijn
0e15c02465
Make TestEventsFilterLabels less flaky
This test sometimes failed because the number of events received did not
match the expected number:

    FAIL: docker_cli_events_test.go:316: DockerSuite.TestEventsFilterLabels

    docker_cli_events_test.go:334:
        c.Assert(len(events), checker.Equals, 3)
    ... obtained int = 2
    ... expected int = 3

This patch makes the test more stable, by:

- use a wider range between `--since` and `--until`. These options were set
  so that the client detaches after events were received, but the actual
  range should not matter. Changing the range will cause more events to be
  returned, but we're specifically looking for the container ID's, so this
  should not make a difference for the actual test.
- use `docker create` instead of `docker run` for the containers. the
  containers don't have to be running to trigger an event; using `create`
  speeds up the test.
- check the exit code of the `docker create` to verify the containers were
  succesfully created.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-14 00:29:13 +01:00
Sebastiaan van Stijn
2e326eba70
Add missing error-check in TestAPISwarmManagerRestore
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-13 21:11:50 +01:00
Sebastiaan van Stijn
ebdc9a3afc
Slightly speed up TestAPISwarmNodeDrainPause
Looks like we don't need that many replicas, to test the
behavior, so let's start a few less.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-13 21:08:20 +01:00
Sebastiaan van Stijn
973ca00d60
reduce flakiness of TestSwarmLockUnlockCluster and TestSwarmJoinPromoteLocked
I noticed that this test failed, because the node was in status "pending".

The test checks for the node's status immediately after it was restarted, so
possibly it needs some time to unlock.

    14:07:10 FAIL: docker_cli_swarm_test.go:1128: DockerSwarmSuite.TestSwarmLockUnlockCluster
    ...
    14:07:10 docker_cli_swarm_test.go:1168:
    14:07:10     checkSwarmLockedToUnlocked(c, d)
    14:07:10 docker_cli_swarm_test.go:1017:
    14:07:10     c.Assert(getNodeStatus(c, d), checker.Equals, swarm.LocalNodeStateActive)
    14:07:10 ... obtained swarm.LocalNodeState = "pending"
    14:07:10 ... expected swarm.LocalNodeState = "active"

This patch adds a `waitAndAssert` for the node's status, with a 1 second timeout.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-12 20:42:18 +01:00
Sebastiaan van Stijn
55b5b8de79
Merge pull request #38486 from thaJeztah/dont_use_deprecated_envclient
Remove use of deprecated client.NewEnvClient()
2019-01-05 11:23:19 +01:00
Sebastiaan van Stijn
926edd68a5
Merge pull request #38493 from thaJeztah/skip_kmem_tests_on_rhel
Skip kernel-memory tests on RHEL/CentOS daemons
2019-01-05 09:51:53 +01:00
Yong Tang
b958b430aa
Merge pull request #38417 from thaJeztah/replace_newclient
Test: Replace NewClient() with NewClientT()
2019-01-04 23:37:00 -08:00
Sebastiaan van Stijn
1e1156cf67
Skip kernel-memory tests on RHEL/CentOS daemons
RHEL/CentOS 3.10 kernels report that kernel-memory accounting is supported,
but it actually does not work.

Runc (when compiled for those kernels) will be compiled without kernel-memory
support, so even though the daemon may be reporting that it's supported,
it actually is not.

This cause tests to fail when testing against a daemon that's using a runc
version without kmem support.

For now, skip these tests based on the kernel version reported by the daemon.

This should fix failures such as:

```
FAIL: /go/src/github.com/docker/docker/integration-cli/docker_cli_run_unix_test.go:499: DockerSuite.TestRunWithKernelMemory

assertion failed:
Command:  /usr/bin/docker run --kernel-memory 50M --name test1 busybox cat /sys/fs/cgroup/memory/memory.kmem.limit_in_bytes
ExitCode: 0
Error:    <nil>
Stdout:   9223372036854771712

Stderr:   WARNING: You specified a kernel memory limit on a kernel older than 4.0. Kernel memory limits are experimental on older kernels, it won't work as expected and can cause your system to be unstable.

Failures:
Expected stdout to contain "52428800"

FAIL: /go/src/github.com/docker/docker/integration-cli/docker_cli_update_unix_test.go:125: DockerSuite.TestUpdateKernelMemory

/go/src/github.com/docker/docker/integration-cli/docker_cli_update_unix_test.go:136:
    ...open /go/src/github.com/docker/docker/integration-cli/docker_cli_update_unix_test.go: no such file or directory
... obtained string = "9223372036854771712"
... expected string = "104857600"

----------------------------------------------------------------------
FAIL: /go/src/github.com/docker/docker/integration-cli/docker_cli_update_unix_test.go:139: DockerSuite.TestUpdateKernelMemoryUninitialized

/go/src/github.com/docker/docker/integration-cli/docker_cli_update_unix_test.go:149:
    ...open /go/src/github.com/docker/docker/integration-cli/docker_cli_update_unix_test.go: no such file or directory
... value = nil
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-04 13:27:46 +01:00
Vincent Demeester
74ad4f2d2c
Merge pull request #38423 from olljanat/disable-integration-tests-on-z-and-powerpc
Disabled Flaky tests on powerpc and z
2019-01-04 09:35:56 +01:00
Sebastiaan van Stijn
c8ff5ecc09
Remove use of deprecated client.NewEnvClient()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-03 22:49:00 +01:00
Akihiro Suda
27234ffe3e
Merge pull request #37564 from adshmh/migrate-docker_cli_service_update_test-to-integration-service-fixed-flake
migrate service update integration tests from integration-cli to integration/service package
2019-01-01 04:12:10 +09:00
Akihiro Suda
5ddb1d410a
Merge pull request #38426 from thaJeztah/remove_unused_experimental_check
Remove old ExperimentalDaemon, NotS390X, NotPausable, SameHostDaemon checks
2018-12-25 18:30:23 +09:00
Arash Deshmeh
be151a73f0
migrated service integration tests from integration-cli/docker_cli_service_update_test.go to integration/service
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-24 20:28:00 +01:00
Sebastiaan van Stijn
43b15e924f
Remove SameHostDaemon, use testEnv.IsLocalDaemon instead
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-24 13:25:53 +01:00
Sebastiaan van Stijn
362f737e1c
Remove unused ExperimentalDaemon, NotS390X, NotPausable requirement checks
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-24 13:16:05 +01:00
Olli Janatuinen
02157c638b Disabled these tests on s390x and ppc64le:
- TestAPISwarmLeaderElection
- TestAPISwarmRaftQuorum
- TestSwarmClusterRotateUnlockKey

because they are known to be flaky.

Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2018-12-24 13:51:09 +02:00
Sebastiaan van Stijn
11b88be247
Remove validationError type, and use errdefs.InvalidParameter
Using `errors.Errorf()` passes the error with the stack trace for
debugging purposes.

Also using `errdefs.InvalidParameter` for Windows, so that the API
will return a 4xx status, instead of a 5xx, and added tests for
both validations.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-22 16:04:52 +01:00
Vincent Demeester
d5b271c155
add check for local volume option
Description:
When using local volume option such as size=10G, type=tmpfs, if we provide wrong options, we could create volume successfully.
But when we are ready to use it, it will fail to start container by failing to mount the local volume(invalid option).

We should check the options at when we create it.

Signed-off-by: Wentao Zhang <zhangwentao234@huawei.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-22 16:02:50 +01:00
Sebastiaan van Stijn
2cb7b73a1b
Test: Replace NewClient() with NewClientT()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-22 15:53:02 +01:00
Kir Kolyshkin
7e7ff2a033 integration-cli/build: don't panic
A lack of check in the test code can lead to a panic due to
`len(ids)` being `0`.

Avoid the panic by adding appropriate checks. Note `Assert()` should be
used rather than `Check()` as if it fails we should not proceed with the
test.

Originally found in https://github.com/moby/moby/pull/38404.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-12-20 18:51:57 -08:00
Sebastiaan van Stijn
a8d2b29e8d
Use errors.Wrap() in daemon/config
using `errors.Wrap()` preserves the original error

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-11-30 01:27:47 +01:00
John Howard
561e0f6b7f Windows: Bump busybox to v1.1
Signed-off-by: John Howard <jhoward@microsoft.com>

This is a follow-on from https://github.com/moby/moby/pull/38277
but had to be done in a couple of stages to ensure that CI didn't
break. v1.1 of the busybox image is now based on a CMD of "sh"
rather than using an entrypoint. And it also uses the bin directory
rather than `c:\busybox`. This makes it look a lot closer to the
Linux busybox image, and means that a couple of Windows-isms in
CI tests can be reverted back to be identical to their Linux
equivalents.
2018-11-26 14:50:47 -08:00
Kir Kolyshkin
2ed512c7fa integration-cli/Test*Swarm*: use same args on restart
When starting docker daemons for swarm testing, we disable iptables
and use lo for communication (in order to avoid network conflicts).

The problem is, these options are lost on restart, that can lead
to any sorts of network conflicts and thus connectivity issues
between swarm nodes.

Fix this. This does not fix issues with swarm test failures, but
it seems they appear are less often after this one.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-11-01 13:25:12 -07:00
Kir Kolyshkin
06afc2d1e6 TestAPISwarmLeaderElection: add some debug
......

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-11-01 13:24:39 -07:00
Kir Kolyshkin
24cbb98971 docker_cli_swarm_test: factor out common code
This is repeated 6 times in different tests, with slight
minor variations. Let's factor it out, for clarity.

While at it, simplify the code: instead of more complex
parsing of "docker swarm init|update --autolock" output (1)
and checking if the key is also present in
"docker swarm unlock-key" output (2), get the key
from (2) and check it is present in (1).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-11-01 13:23:47 -07:00