#71 Run without the default seccomp profile
Closed 6 years ago by astepano. Opened 6 years ago by astepano.
astepano/standard-test-roles security-opt  into  master

@@ -88,6 +88,7 @@ 

      cmd = [

          "/usr/bin/docker", "run", "--detach", "--cidfile={0}".format(cidfile),

      ] + extra_arg_list + [

+         "--security-opt=seccomp:unconfined",

          "--entrypoint=/bin/sh", image, "-c", "sleep 1000000"

      ]

      try:
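Review bot: `--security-opt=seccomp:unconfined` is added unconditionally, so every container this role starts loses the default seccomp profile, including tests that never touch ptrace, and nothing in the hunk lets a test opt out. `extra_arg_list` is already spliced into the command two lines above, so the flag belongs there, supplied per test (or from the inventory) rather than hard-coded, so that only tests running strace/ltrace pay for it; if it has to stay hard-coded, the commit message should say plainly that the whole filter is dropped, not only the ptrace rules.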

Many tests use the strace/ltrace programs to perform various tests.

By default docker runs containers in confined mode. As a result, tests for
containers fail with:

rlRun "ltrace -o ltrace.out ./test" 0 "Run the program with ltrace"

$ ltrace test
PTRACE_TRACEME: Operation not permitted
failed to initialize process 5727: No such file or directory
couldn't open program '/usr/bin/test': No such file or directory

This commit runs containers without the default seccomp profile:

https://docs.docker.com/engine/security/seccomp

Signed-off-by: Andrei Stepanov astepano@redhat.com

Will this hide other real bugs by fundamentally changing the mode that the container is run in?

Why do these tests use strace or ltrace?

Will this hide other real bugs by fundamentally changing the mode that the container is run in?

Maybe it is not the best solution. It was the first thing that came to my mind. We discussed it with @rasibley and came to the idea of introducing 'docker_extra_args' for tests.yml. This will help to get rid of such hacks as: https://upstreamfirst.fedorainfracloud.org/fipscheck/blob/master/f/inventory

Why do these tests use strace or ltrace?
strace/ltrace are tools to check system/library calls. That is why they are commonly used.
Specifically for this case:

rlRun "grep FascistCheck ltrace.out" 0 "Check if it actually uses the library function"

This checks if the tool really uses some library function.

ok, after a talk with @merlinm I was pointed to:
https://pagure.io/standard-test-roles/blob/master/f/scripts/README.md
and:

# export ANSIBLE_INVENTORY=$(test -e inventory && echo inventory || echo /usr/share/ansible/inventory)

Therefore, the best way is to set the following in the inventory file:

TEST_DOCKER_EXTRA_ARGS='--security-opt seccomp:unconfined'
exec merge-standard-inventory "$@"

This PR could be closed as it is useless.
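The comment above replaces a hard-coded seccomp flag with an extra-arguments string from the inventory. The following is an added example, not code from standard-test-roles or from this PR: it mirrors the `docker run` argv shape of the hunk, takes the extra arguments from a string in the form the inventory sets (`TEST_DOCKER_EXTRA_ARGS`, split like a shell line), and reports which seccomp profile a finished command line actually ends up with. The function names, the assumption that the role splits the variable with shell word rules, and the image and cidfile values are all illustrative.

```python
import shlex

# Assumption: these helpers are illustrative and are not the
# standard-test-roles implementation. They reproduce the argv layout of
# the hunk, with the extra arguments taken from a string like
# TEST_DOCKER_EXTRA_ARGS instead of a hard-coded seccomp flag.


def build_docker_cmd(image, cidfile, extra_args=""):
    """Build the `docker run` argv; extra_args is split like a shell line,
    so a value such as "--security-opt seccomp:unconfined" becomes two
    argv entries, exactly as the inventory wrapper would pass them."""
    extra_arg_list = shlex.split(extra_args)
    return [
        "/usr/bin/docker", "run", "--detach", "--cidfile={0}".format(cidfile),
    ] + extra_arg_list + [
        "--entrypoint=/bin/sh", image, "-c", "sleep 1000000",
    ]


def security_opts(cmd):
    """Return every --security-opt value from an argv, accepting both the
    '--security-opt=VALUE' spelling (used in the PR hunk) and the
    '--security-opt VALUE' spelling (used in the inventory snippet)."""
    opts = []
    i = 0
    while i < len(cmd):
        arg = cmd[i]
        if arg == "--security-opt" and i + 1 < len(cmd):
            opts.append(cmd[i + 1])
            i += 2
            continue
        if arg.startswith("--security-opt="):
            opts.append(arg[len("--security-opt="):])
        i += 1
    return opts


def seccomp_profile(cmd):
    """'default' when Docker's default profile applies, 'unconfined' when
    the filter is disabled, otherwise the path of a custom profile.
    Docker accepts both 'seccomp=...' and the older 'seccomp:...' form;
    when the option is repeated, the last occurrence wins."""
    profile = "default"
    for opt in security_opts(cmd):
        if opt.startswith("seccomp="):
            profile = opt[len("seccomp="):]
        elif opt.startswith("seccomp:"):
            profile = opt[len("seccomp:"):]
    return profile


if __name__ == "__main__":
    # Constructed sample values; the image name and cidfile are not from the page.
    plain = build_docker_cmd("fedora:latest", "/tmp/cid")
    print(" ".join(plain), "->", seccomp_profile(plain))
    traced = build_docker_cmd("fedora:latest", "/tmp/cid",
                              "--security-opt seccomp:unconfined")
    print(" ".join(traced), "->", seccomp_profile(traced))
```

With the extra arguments left empty the command keeps Docker's default profile, and only a test whose inventory sets `TEST_DOCKER_EXTRA_ARGS` to the unconfined option gets the filter dropped, which is the opt-in behaviour the inventory approach buys over the hard-coded flag in the hunk. `seccomp_profile` is the check to run on the assembled argv in CI if you want to flag which tests disable the filter.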

Pull-Request has been closed by astepano

6 years ago