@@ -30,6 +30,10 @@ const (

 	containerListAPI    = "/containers/json"

 )

+var (

+	alwaysAllowed = []string{"/_ping", "/info"}

+)

+

 func init() {

 	check.Suite(&DockerAuthzSuite{

 		ds: &DockerSuite{},

@@ -74,12 +78,6 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {

 	})

 	mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) {

-		if s.ctrl.reqRes.Err != "" {

-			w.WriteHeader(http.StatusInternalServerError)

-		}

-		b, err := json.Marshal(s.ctrl.reqRes)

-		c.Assert(err, check.IsNil)

-		w.Write(b)

 		defer r.Body.Close()

 		body, err := ioutil.ReadAll(r.Body)

 		c.Assert(err, check.IsNil)

@@ -96,16 +94,20 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {

 		}

 		s.ctrl.requestsURIs = append(s.ctrl.requestsURIs, authReq.RequestURI)

-	})

-	mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {

-		if s.ctrl.resRes.Err != "" {

+		reqRes := s.ctrl.reqRes

+		if isAllowed(authReq.RequestURI) {

+			reqRes = authorization.Response{Allow: true}

+		}

+		if reqRes.Err != "" {

 			w.WriteHeader(http.StatusInternalServerError)

 		}

-		b, err := json.Marshal(s.ctrl.resRes)

+		b, err := json.Marshal(reqRes)

 		c.Assert(err, check.IsNil)

 		w.Write(b)

+	})

+	mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {

 		defer r.Body.Close()

 		body, err := ioutil.ReadAll(r.Body)

 		c.Assert(err, check.IsNil)

@@ -120,6 +122,16 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {

 		if strings.HasSuffix(authReq.RequestURI, containerListAPI) {

 			s.ctrl.psResponseCnt++

 		}

+		resRes := s.ctrl.resRes

+		if isAllowed(authReq.RequestURI) {

+			resRes = authorization.Response{Allow: true}

+		}

+		if resRes.Err != "" {

+			w.WriteHeader(http.StatusInternalServerError)

+		}

+		b, err := json.Marshal(resRes)

+		c.Assert(err, check.IsNil)

+		w.Write(b)

 	})

 	err := os.MkdirAll("/etc/docker/plugins", 0755)

@@ -130,6 +142,16 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {

 	c.Assert(err, checker.IsNil)

 }

+// check for always allowed endpoints to not inhibit test framework functions

+func isAllowed(reqURI string) bool {

+	for _, endpoint := range alwaysAllowed {

+		if strings.HasSuffix(reqURI, endpoint) {

+			return true

+		}

+	}

+	return false

+}

+

 // assertAuthHeaders validates authentication headers are removed

 func assertAuthHeaders(c *check.C, headers map[string]string) error {

 	for k := range headers {

@@ -171,13 +193,10 @@ func (s *DockerAuthzSuite) TearDownSuite(c *check.C) {

 func (s *DockerAuthzSuite) TestAuthZPluginAllowRequest(c *check.C) {

 	// start the daemon and load busybox, --net=none build fails otherwise

 	// cause it needs to pull busybox

-	c.Assert(s.d.StartWithBusybox(), check.IsNil)

-	// restart the daemon and enable the plugin, otherwise busybox loading

-	// is blocked by the plugin itself

-	c.Assert(s.d.Restart("--authorization-plugin="+testAuthZPlugin), check.IsNil)

-

+	c.Assert(s.d.Start("--authorization-plugin="+testAuthZPlugin), check.IsNil)

 	s.ctrl.reqRes.Allow = true

 	s.ctrl.resRes.Allow = true

+	c.Assert(s.d.LoadBusybox(), check.IsNil)

 	// Ensure command successful

 	out, err := s.d.Cmd("run", "-d", "busybox", "top")

@@ -234,12 +253,10 @@ func (s *DockerAuthzSuite) TestAuthZPluginAllowEventStream(c *check.C) {

 	testRequires(c, DaemonIsLinux)

 	// start the daemon and load busybox to avoid pulling busybox from Docker Hub

-	c.Assert(s.d.StartWithBusybox(), check.IsNil)

-	// restart the daemon and enable the authorization plugin, otherwise busybox loading

-	// is blocked by the plugin itself

-	c.Assert(s.d.Restart("--authorization-plugin="+testAuthZPlugin), check.IsNil)

+	c.Assert(s.d.Start("--authorization-plugin="+testAuthZPlugin), check.IsNil)

 	s.ctrl.reqRes.Allow = true

 	s.ctrl.resRes.Allow = true

+	c.Assert(s.d.LoadBusybox(), check.IsNil)

 	startTime := strconv.FormatInt(daemonTime(c).Unix(), 10)

 	// Add another command to to enable event pipelining

@@ -321,24 +321,7 @@ func (d *Daemon) StartWithBusybox(arg ...string) error {

 	if err := d.Start(arg...); err != nil {

 		return err

 	}

-	bb := filepath.Join(d.folder, "busybox.tar")

-	if _, err := os.Stat(bb); err != nil {

-		if !os.IsNotExist(err) {

-			return fmt.Errorf("unexpected error on busybox.tar stat: %v", err)

-		}

-		// saving busybox image from main daemon

-		if err := exec.Command(dockerBinary, "save", "--output", bb, "busybox:latest").Run(); err != nil {

-			return fmt.Errorf("could not save busybox image: %v", err)

-		}

-	}

-	// loading busybox image to this daemon

-	if out, err := d.Cmd("load", "--input", bb); err != nil {

-		return fmt.Errorf("could not load busybox image: %s", out)

-	}

-	if err := os.Remove(bb); err != nil {

-		d.c.Logf("could not remove %s: %v", bb, err)

-	}

-	return nil

+	return d.LoadBusybox()

 }

 // Stop will send a SIGINT every second and wait for the daemon to stop.

@@ -413,6 +396,28 @@ func (d *Daemon) Restart(arg ...string) error {

 	return d.Start(arg...)

 }

+// LoadBusybox will load the stored busybox into a newly started daemon

+func (d *Daemon) LoadBusybox() error {

+	bb := filepath.Join(d.folder, "busybox.tar")

+	if _, err := os.Stat(bb); err != nil {

+		if !os.IsNotExist(err) {

+			return fmt.Errorf("unexpected error on busybox.tar stat: %v", err)

+		}

+		// saving busybox image from main daemon

+		if err := exec.Command(dockerBinary, "save", "--output", bb, "busybox:latest").Run(); err != nil {

+			return fmt.Errorf("could not save busybox image: %v", err)

+		}

+	}

+	// loading busybox image to this daemon

+	if out, err := d.Cmd("load", "--input", bb); err != nil {

+		return fmt.Errorf("could not load busybox image: %s", out)

+	}

+	if err := os.Remove(bb); err != nil {

+		d.c.Logf("could not remove %s: %v", bb, err)

+	}

+	return nil

+}

+

 func (d *Daemon) queryRootDir() (string, error) {

 	// update daemon root by asking /info endpoint (to support user

 	// namespaced daemon with root remapped uid.gid directory)