(cherry picked from commit c1173a2aecf4075f1e550b131359989fb260604b)
Matt Clay authored on 2018/08/31 03:36:57... | ... |
@@ -1,11 +1,11 @@ |
1 | 1 |
default name=ansible/ansible:default@sha256:b651e5964e192c12ef574646a9c724e72fd94615d37d47ffad986408b2097a07 |
2 |
-centos6 name=quay.io/ansible/centos6-test-container:1.4.0 |
|
3 |
-centos7 name=quay.io/ansible/centos7-test-container:1.4.0 |
|
4 |
-fedora24 name=quay.io/ansible/fedora24-test-container:1.4.0 |
|
5 |
-fedora25 name=quay.io/ansible/fedora25-test-container:1.4.0 |
|
2 |
+centos6 name=quay.io/ansible/centos6-test-container:1.4.0 seccomp=unconfined |
|
3 |
+centos7 name=quay.io/ansible/centos7-test-container:1.4.0 seccomp=unconfined |
|
4 |
+fedora24 name=quay.io/ansible/fedora24-test-container:1.4.0 seccomp=unconfined |
|
5 |
+fedora25 name=quay.io/ansible/fedora25-test-container:1.4.0 seccomp=unconfined |
|
6 | 6 |
fedora26py3 name=quay.io/ansible/fedora26py3-test-container:1.4.0 |
7 | 7 |
fedora27py3 name=quay.io/ansible/fedora27py3-test-container:1.4.0 |
8 |
-opensuse42.3 name=quay.io/ansible/opensuse42.3-test-container:1.4.0 |
|
9 |
-ubuntu1404 name=quay.io/ansible/ubuntu1404-test-container:1.4.0 |
|
10 |
-ubuntu1604 name=quay.io/ansible/ubuntu1604-test-container:1.4.0 |
|
11 |
-ubuntu1604py3 name=quay.io/ansible/ubuntu1604py3-test-container:1.4.0 |
|
8 |
+opensuse42.3 name=quay.io/ansible/opensuse42.3-test-container:1.4.0 seccomp=unconfined |
|
9 |
+ubuntu1404 name=quay.io/ansible/ubuntu1404-test-container:1.4.0 seccomp=unconfined |
|
10 |
+ubuntu1604 name=quay.io/ansible/ubuntu1604-test-container:1.4.0 seccomp=unconfined |
|
11 |
+ubuntu1604py3 name=quay.io/ansible/ubuntu1604py3-test-container:1.4.0 seccomp=unconfined |
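Review bot: Nine of the eleven images now carry `seccomp=unconfined`, which drops Docker's default syscall filter for those test containers, but nothing in the hunk records why the older images need it or why fedora26py3, fedora27py3 and the sha256-pinned `default` image are left confined. If this file's parser tolerates comments, a one-line `# seccomp=unconfined: <reason, and which syscall is blocked>` at the top would capture it; if it does not, the reason belongs in the commit message or the ansible-test docs. Because this file feeds `get_docker_completion()` in the config change below, the relaxation is applied silently to anyone selecting these images unless they pass `--docker-seccomp default` explicitly, so the rationale should be findable.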
... | ... |
@@ -11,6 +11,7 @@ from lib.util import ( |
11 | 11 |
docker_qualify_image, |
12 | 12 |
find_python, |
13 | 13 |
generate_pip_command, |
14 |
+ get_docker_completion, |
|
14 | 15 |
) |
15 | 16 |
|
16 | 17 |
from lib.metadata import ( |
... | ... |
@@ -46,8 +47,12 @@ class EnvironmentConfig(CommonConfig): |
46 | 46 |
self.docker_privileged = args.docker_privileged if 'docker_privileged' in args else False # type: bool |
47 | 47 |
self.docker_pull = args.docker_pull if 'docker_pull' in args else False # type: bool |
48 | 48 |
self.docker_keep_git = args.docker_keep_git if 'docker_keep_git' in args else False # type: bool |
49 |
+ self.docker_seccomp = args.docker_seccomp if 'docker_seccomp' in args else None # type: str |
|
49 | 50 |
self.docker_memory = args.docker_memory if 'docker_memory' in args else None |
50 | 51 |
|
52 |
+ if self.docker_seccomp is None: |
|
53 |
+ self.docker_seccomp = get_docker_completion().get(self.docker_raw, {}).get('seccomp', 'default') |
|
54 |
+ |
|
51 | 55 |
self.tox_sitepackages = args.tox_sitepackages # type: bool |
52 | 56 |
|
53 | 57 |
self.remote_stage = args.remote_stage # type: str |
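Review bot: The value read on the `get_docker_completion()` line is never checked against the closed set the CLI enforces (`choices=('default', 'unconfined')` in the argument definition added by this commit), so a typo or a profile path in the completion file would flow straight into `--security-opt seccomp=...` in delegate_docker. Validating once after the fallback keeps both sources to the same contract: `if self.docker_seccomp not in ('default', 'unconfined'): raise ValueError('unsupported docker seccomp setting: %s' % self.docker_seccomp)` (or the project's own error type if it is in scope in this file). The `# type: str` on the first added line is only true once the fallback below has run; annotating it as optional, or resolving the value in a single expression, would be accurate. `self.docker_raw` is assigned outside the hunk, so I cannot confirm from here that it is set before this point; the `__init__` continues past the hunk.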
... | ... |
@@ -238,6 +238,9 @@ def delegate_docker(args, exclude, require, integration_targets): |
238 | 238 |
|
239 | 239 |
docker_socket = '/var/run/docker.sock' |
240 | 240 |
|
241 |
+ if args.docker_seccomp != 'default': |
|
242 |
+ test_options += ['--security-opt', 'seccomp=%s' % args.docker_seccomp] |
|
243 |
+ |
|
241 | 244 |
if os.path.exists(docker_socket): |
242 | 245 |
test_options += ['--volume', '%s:%s' % (docker_socket, docker_socket)] |
243 | 246 |
|
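Review bot: The new guard forwards `args.docker_seccomp` into `--security-opt` with no why-comment, and `!= 'default'` relies on the value having been validated upstream while leaving the reader to guess why `default` is skipped instead of passed through. I would add above the `if`: `# 'default' keeps the daemon's own profile; docker expects either 'unconfined' or a profile path here` (my recollection of the docker CLI — confirm). The same comment is a good place to record that the docker socket bind-mount a few lines down already hands the container control of the host daemon, so an unconfined profile adds little to what the test container can already do, which is the argument that makes the relaxation tolerable. If `--docker-privileged` is also set Docker already disables seccomp for the container as far as I recall, so the two options overlap. delegate_docker starts before the hunk and continues after it.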
... | ... |
@@ -651,6 +651,12 @@ def add_extra_docker_options(parser, integration=True): |
651 | 651 |
action='store_true', |
652 | 652 |
help='transfer git related files into the docker container') |
653 | 653 |
|
654 |
+ docker.add_argument('--docker-seccomp', |
|
655 |
+ metavar='SC', |
|
656 |
+ choices=('default', 'unconfined'), |
|
657 |
+ default=None, |
|
658 |
+ help='set seccomp confinement for the test container: %(choices)s') |
|
659 |
+ |
|
654 | 660 |
if not integration: |
655 | 661 |
return |
656 | 662 |
|
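Review bot: The help text for the new `--docker-seccomp` argument does not say what happens when it is omitted, and because `default=None` is resolved later from the per-image completion file, `--help` gives no hint that several images run unconfined unless `--docker-seccomp default` is passed. I would make that visible: `help='set seccomp confinement for the test container: %(choices)s (default: the image\'s completion-file setting, else default)'`. Note that this `choices` tuple is the only place the accepted values are enforced; a value coming from the completion file bypasses it. add_extra_docker_options continues outside the hunk.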