Dishonoured capabilities test#41740
Conversation
|
@AkihiroSuda , @thaJeztah here is an integration test for #41724. |
15dfcf5 to
778bb9b
Compare
|
Back to the drawing board. I hadn't realised integration-cli was deprecated. |
1274be6 to
8d78fcf
Compare
07bfc82 to
141d54c
Compare
|
@AkihiroSuda , @thaJeztah here is an integration test for #41724... implemented in the right |
| debian:buster@sha256:46d659005ca1151087efa997f1039ae45a7bf7a2cbbe2d17d3dcbda632a3ee9a \ | ||
| debian:bullseye@sha256:7190e972ab16aefea4d758ebe42a293f4e5c5be63595f4d03a5b9bf6839a4344 \ |
There was a problem hiding this comment.
Wondering if we should replace the :buster variant (and switch the buildpack-deps image accordingly as well)
@tianon wdyt?
There was a problem hiding this comment.
Depends on how we use this image -- if we install packages, Bullseye is still a pretty heavily moving target (whereas Buster is "stable"), so using Bullseye will be more likely to introduce unrelated failures.
There was a problem hiding this comment.
Looks like we don't typically invoke apt-get, so it'd probably be fine to update to bullseye for both, since if the image upstream built successfully there's a high chance it'll work for what's used here (which will be pinned by digest anyhow).
There was a problem hiding this comment.
I added a commit to replace use of debian:buster with debian:bullseye.
|
|
||
| ### Writing new integration tests | ||
|
|
||
| Note the `integration-cli` tests are deprecated; new tests will be rejected by |
| } | ||
|
|
||
| // IsUserNamespaceInKernel returns whether the kernel supports user namespaces | ||
| func (e *Execution) IsUserNamespaceInKernel() bool { |
There was a problem hiding this comment.
Wondering; was IsUserNamespace() not working for this case?
There was a problem hiding this comment.
IIUC IsUserNamespace() checks if we are running with a user-namespaced daemon right now. Whereas for the test I've written I'm interested in knowing if it's possible to run a user-namespaced daemon in the current test environment.
There was a problem hiding this comment.
Ah, right.
Was also wondering if there wasn't an existing utility for this, but looks indeed that the existing ones check if it's enabled (not if it's supported); looks like the daemon does not actually check for that;
Lines 1167 to 1170 in cf31b96
For reference; this was copied from the equivalent utility in integration-cli;
moby/integration-cli/requirements_test.go
Lines 136 to 139 in 46cdcd2
( we should look at moving those remaining tests to integration as well)
tianon
left a comment
There was a problem hiding this comment.
LGTM 👍
(I think we should probably also update from buildpack-deps:buster to buildpack-deps:bullseye for consistency, but IMO that's orthogonal to this - the debian:buster -> debian:bullseye change was related. 😅)
362a669 to
d9aa70e
Compare
Signed-off-by: Eric Mountain <eric.mountain@datadoghq.com>
Signed-off-by: Eric Mountain <eric.mountain@datadoghq.com>
Capabilities are serialised in VFS_CAP_REVISION_3 when an image is built in a user-namespaced daemon, instead of VFS_CAP_REVISION_2. This adds a test for this, though it's currently wired to fail if the capabilities are serialised in VFS_CAP_REVISION_2 instead in this situation, since this is unexpected. Signed-off-by: Eric Mountain <eric.mountain@datadoghq.com>
Signed-off-by: Eric Mountain <eric.mountain@datadoghq.com>
Signed-off-by: Eric Mountain <eric.mountain@datadoghq.com>
d9aa70e to
d5f09c7
Compare
Signed-off-by: Eric Mountain <eric.mountain@datadoghq.com>
d5f09c7 to
1c5806c
Compare
Thanks!
Actually considered including that, however indeed seemed too orthogonal to this PR. |
thaJeztah
left a comment
There was a problem hiding this comment.
LGTM, thanks!
Looks like we don't typically invoke apt-get, so it'd probably be fine to update to bullseye for both, since if the image upstream built successfully there's a high chance it'll work for what's used here (which will be pinned by digest anyhow).
Actually considered including that, however indeed seemed too orthogonal to this PR.
Yes, we can do that in a follow-up; would probably be good to do, so that we can share the image-layers between the two (slightly faster building of the Dockerfile)
| } | ||
|
|
||
| // IsUserNamespaceInKernel returns whether the kernel supports user namespaces | ||
| func (e *Execution) IsUserNamespaceInKernel() bool { |
There was a problem hiding this comment.
Ah, right.
Was also wondering if there wasn't an existing utility for this, but looks indeed that the existing ones check if it's enabled (not if it's supported); looks like the daemon does not actually check for that;
Lines 1167 to 1170 in cf31b96
For reference; this was copied from the equivalent utility in integration-cli;
moby/integration-cli/requirements_test.go
Lines 136 to 139 in 46cdcd2
( we should look at moving those remaining tests to integration as well)
- What I did
Tests #41723 so that the fix in #41724 can be verified.
- How I did it
Adds debian:bullseye as a frozen image: debian:buster doesn't support the
-noption togetcap.The test would be much harder to write otherwise, and much uglier.
As it stands:
Since the fix isn't yet merged, the test is inverted to fail if the capabilities are found to be in V2 format (which is what we expect of the fix), and allow V3 (the current situation).
- How to verify it
- Description for the changelog
Tests #41723 - verifies capability format version for builds under a user-namespaced daemon.