tyler.durden
/
compose
mirror of https://github.com/docker/compose.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

test: fix e2e test for privileged builds (#10873) 

We cannot guarantee the exact value of `CapEff` across
environments, and this test has started failing some places,
e.g. Docker Desktop, and now GitHub Actions (likely due to
a kernel upgrade on the runners or similar).

By setting `privileged: true` on the build, we're asking for
the `security.insecure` entitlement on the build. A safe
assumption is that will include `CAP_SYS_ADMIN`, which won't
be present otherwise, so mask the `CapEff` value and check
for that.

It's worth noting that realistically, the build won't even
be able to complete without the correct entitlement, since the
`Dockerfile` uses `RUN --security=insecure`, so this is really
an additional sanity check.

Signed-off-by: Milas Bowman <milas.bowman@docker.com>
This commit is contained in:
Milas Bowman 2023-08-03 12:23:24 -04:00 committed by GitHub
parent e7ed070690
commit f94cb49062
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
pkg/e2e/build_test.go
View File

@ -19,7 +19,9 @@ package e2e
import (
"fmt"
"net/http"
"regexp"
"runtime"
"strconv"
"strings"
"testing"
"time"
@ -366,10 +368,21 @@ func TestBuildPrivileged(t *testing.T) {
})
t.Run("use build privileged mode to run insecure build command", func(t *testing.T) {
res := c.RunDockerComposeCmdNoCheck(t, "--project-directory", "fixtures/build-test/privileged", "build")
assert.NilError(t, res.Error, res.Stderr())
res.Assert(t, icmd.Expected{Out: "CapEff:\t0000003fffffffff"})
res := c.RunDockerComposeCmd(t, "--project-directory", "fixtures/build-test/privileged", "build")
capEffRe := regexp.MustCompile("CapEff:\t([0-9a-f]+)")
matches := capEffRe.FindStringSubmatch(res.Stdout())
assert.Equal(t, 2, len(matches), "Did not match CapEff in output, matches: %v", matches)
capEff, err := strconv.ParseUint(matches[1], 16, 64)
assert.NilError(t, err, "Parsing CapEff: %s", matches[1])
// NOTE: can't use constant from x/sys/unix or tests won't compile on macOS/Windows
// #define CAP_SYS_ADMIN 21
// https://github.com/torvalds/linux/blob/v6.1/include/uapi/linux/capability.h#L278
const capSysAdmin = 0x15
if capEff&capSysAdmin != capSysAdmin {
t.Fatalf("CapEff %s is missing CAP_SYS_ADMIN", matches[1])
}
})
}