Browse code
Move use of debian:buster frozen image to debian:bullseye
Signed-off-by: Eric Mountain <eric.mountain@datadoghq.com>
Eric Mountain authored on 2020/12/16 22:53:49Showing 8 changed files
- Dockerfile
- Dockerfile.e2e
- integration-cli/docker_cli_daemon_test.go
- integration-cli/docker_cli_network_unix_test.go
- integration-cli/docker_cli_run_test.go
- integration-cli/docker_cli_run_unix_test.go
- integration-cli/fixtures_linux_daemon_test.go
- testutil/environment/protect.go
| ... | ... |
@@ -96,7 +96,6 @@ RUN /download-frozen-image-v2.sh /build \ |
| 96 | 96 |
buildpack-deps:buster@sha256:d0abb4b1e5c664828b93e8b6ac84d10bce45ee469999bef88304be04a2709491 \ |
| 97 | 97 |
busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \ |
| 98 | 98 |
busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \ |
| 99 |
- debian:buster@sha256:46d659005ca1151087efa997f1039ae45a7bf7a2cbbe2d17d3dcbda632a3ee9a \ |
|
| 100 | 99 |
debian:bullseye@sha256:7190e972ab16aefea4d758ebe42a293f4e5c5be63595f4d03a5b9bf6839a4344 \ |
| 101 | 100 |
hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \ |
| 102 | 101 |
arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1 |
| ... | ... |
@@ -21,9 +21,9 @@ RUN /download-frozen-image-v2.sh /build \ |
| 21 | 21 |
buildpack-deps:buster@sha256:d0abb4b1e5c664828b93e8b6ac84d10bce45ee469999bef88304be04a2709491 \ |
| 22 | 22 |
busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \ |
| 23 | 23 |
busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \ |
| 24 |
- debian:buster@sha256:46d659005ca1151087efa997f1039ae45a7bf7a2cbbe2d17d3dcbda632a3ee9a \ |
|
| 24 |
+ debian:bullseye@sha256:7190e972ab16aefea4d758ebe42a293f4e5c5be63595f4d03a5b9bf6839a4344 \ |
|
| 25 | 25 |
hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 |
| 26 |
-# See also ensureFrozenImagesLinux() in "integration-cli/fixtures_linux_daemon_test.go" (which needs to be updated when adding images to this list) |
|
| 26 |
+# See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list) |
|
| 27 | 27 |
|
| 28 | 28 |
FROM base AS dockercli |
| 29 | 29 |
ENV INSTALL_BINARY_NAME=dockercli |
| ... | ... |
@@ -1776,7 +1776,7 @@ func (s *DockerDaemonSuite) TestDaemonNoSpaceLeftOnDeviceError(c *testing.T) {
|
| 1776 | 1776 |
defer mount.Unmount(testDir) |
| 1777 | 1777 |
|
| 1778 | 1778 |
// create a 3MiB image (with a 2MiB ext4 fs) and mount it as graph root |
| 1779 |
- // Why in a container? Because `mount` sometimes behaves weirdly and often fails outright on this test in debian:buster (which is what the test suite runs under if run from the Makefile) |
|
| 1779 |
+ // Why in a container? Because `mount` sometimes behaves weirdly and often fails outright on this test in debian:bullseye (which is what the test suite runs under if run from the Makefile) |
|
| 1780 | 1780 |
dockerCmd(c, "run", "--rm", "-v", testDir+":/test", "busybox", "sh", "-c", "dd of=/test/testfs.img bs=1M seek=3 count=0") |
| 1781 | 1781 |
icmd.RunCommand("mkfs.ext4", "-F", filepath.Join(testDir, "testfs.img")).Assert(c, icmd.Success)
|
| 1782 | 1782 |
|
| ... | ... |
@@ -1787,7 +1787,7 @@ func (s *DockerDaemonSuite) TestDaemonNoSpaceLeftOnDeviceError(c *testing.T) {
|
| 1787 | 1787 |
defer s.d.Stop(c) |
| 1788 | 1788 |
|
| 1789 | 1789 |
// pull a repository large enough to overfill the mounted filesystem |
| 1790 |
- pullOut, err := s.d.Cmd("pull", "debian:buster")
|
|
| 1790 |
+ pullOut, err := s.d.Cmd("pull", "debian:bullseye")
|
|
| 1791 | 1791 |
assert.Assert(c, err != nil, pullOut) |
| 1792 | 1792 |
assert.Assert(c, strings.Contains(pullOut, "no space left on device")) |
| 1793 | 1793 |
} |
| ... | ... |
@@ -1574,7 +1574,7 @@ func (s *DockerSuite) TestEmbeddedDNSInvalidInput(c *testing.T) {
|
| 1574 | 1574 |
dockerCmd(c, "network", "create", "-d", "bridge", "nw1") |
| 1575 | 1575 |
|
| 1576 | 1576 |
// Sending garbage to embedded DNS shouldn't crash the daemon |
| 1577 |
- dockerCmd(c, "run", "-i", "--net=nw1", "--name=c1", "debian:buster", "bash", "-c", "echo InvalidQuery > /dev/udp/127.0.0.11/53") |
|
| 1577 |
+ dockerCmd(c, "run", "-i", "--net=nw1", "--name=c1", "debian:bullseye", "bash", "-c", "echo InvalidQuery > /dev/udp/127.0.0.11/53") |
|
| 1578 | 1578 |
} |
| 1579 | 1579 |
|
| 1580 | 1580 |
func (s *DockerSuite) TestDockerNetworkConnectFailsNoInspectChange(c *testing.T) {
|
| ... | ... |
@@ -2927,7 +2927,7 @@ func (s *DockerSuite) TestRunUnshareProc(c *testing.T) {
|
| 2927 | 2927 |
|
| 2928 | 2928 |
go func() {
|
| 2929 | 2929 |
name := "acidburn" |
| 2930 |
- out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp=unconfined", "debian:buster", "unshare", "-p", "-m", "-f", "-r", "--mount-proc=/proc", "mount")
|
|
| 2930 |
+ out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp=unconfined", "debian:bullseye", "unshare", "-p", "-m", "-f", "-r", "--mount-proc=/proc", "mount")
|
|
| 2931 | 2931 |
if err == nil || |
| 2932 | 2932 |
!(strings.Contains(strings.ToLower(out), "permission denied") || |
| 2933 | 2933 |
strings.Contains(strings.ToLower(out), "operation not permitted")) {
|
| ... | ... |
@@ -2939,7 +2939,7 @@ func (s *DockerSuite) TestRunUnshareProc(c *testing.T) {
|
| 2939 | 2939 |
|
| 2940 | 2940 |
go func() {
|
| 2941 | 2941 |
name := "cereal" |
| 2942 |
- out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp=unconfined", "debian:buster", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
|
|
| 2942 |
+ out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp=unconfined", "debian:bullseye", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
|
|
| 2943 | 2943 |
if err == nil || |
| 2944 | 2944 |
!(strings.Contains(strings.ToLower(out), "mount: cannot mount none") || |
| 2945 | 2945 |
strings.Contains(strings.ToLower(out), "permission denied") || |
| ... | ... |
@@ -2953,7 +2953,7 @@ func (s *DockerSuite) TestRunUnshareProc(c *testing.T) {
|
| 2953 | 2953 |
/* Ensure still fails if running privileged with the default policy */ |
| 2954 | 2954 |
go func() {
|
| 2955 | 2955 |
name := "crashoverride" |
| 2956 |
- out, _, err := dockerCmdWithError("run", "--privileged", "--security-opt", "seccomp=unconfined", "--security-opt", "apparmor=docker-default", "--name", name, "debian:buster", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
|
|
| 2956 |
+ out, _, err := dockerCmdWithError("run", "--privileged", "--security-opt", "seccomp=unconfined", "--security-opt", "apparmor=docker-default", "--name", name, "debian:bullseye", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
|
|
| 2957 | 2957 |
if err == nil || |
| 2958 | 2958 |
!(strings.Contains(strings.ToLower(out), "mount: cannot mount none") || |
| 2959 | 2959 |
strings.Contains(strings.ToLower(out), "permission denied") || |
| ... | ... |
@@ -873,12 +873,12 @@ func (s *DockerSuite) TestRunTmpfsMountsWithOptions(c *testing.T) {
|
| 873 | 873 |
assert.Assert(c, strings.Contains(out, option)) |
| 874 | 874 |
} |
| 875 | 875 |
|
| 876 |
- // We use debian:buster as there is no findmnt in busybox. Also the output will be in the format of |
|
| 876 |
+ // We use debian:bullseye as there is no findmnt in busybox. Also the output will be in the format of |
|
| 877 | 877 |
// TARGET PROPAGATION |
| 878 | 878 |
// /tmp shared |
| 879 | 879 |
// so we only capture `shared` here. |
| 880 | 880 |
expectedOptions = []string{"shared"}
|
| 881 |
- out, _ = dockerCmd(c, "run", "--tmpfs", "/tmp:shared", "debian:buster", "findmnt", "-o", "TARGET,PROPAGATION", "/tmp") |
|
| 881 |
+ out, _ = dockerCmd(c, "run", "--tmpfs", "/tmp:shared", "debian:bullseye", "findmnt", "-o", "TARGET,PROPAGATION", "/tmp") |
|
| 882 | 882 |
for _, option := range expectedOptions {
|
| 883 | 883 |
assert.Assert(c, strings.Contains(out, option)) |
| 884 | 884 |
} |
| ... | ... |
@@ -914,7 +914,7 @@ func (s *DockerSuite) TestRunSysctls(c *testing.T) {
|
| 914 | 914 |
}) |
| 915 | 915 |
} |
| 916 | 916 |
|
| 917 |
-// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp=/tmp/profile.json debian:buster unshare' exits with operation not permitted. |
|
| 917 |
+// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp=/tmp/profile.json debian:bullseye unshare' exits with operation not permitted. |
|
| 918 | 918 |
func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *testing.T) {
|
| 919 | 919 |
testRequires(c, testEnv.IsLocalDaemon, seccompEnabled, NotArm, Apparmor) |
| 920 | 920 |
jsonData := `{
|
| ... | ... |
@@ -937,7 +937,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *testing.T) {
|
| 937 | 937 |
} |
| 938 | 938 |
icmd.RunCommand(dockerBinary, "run", "--security-opt", "apparmor=unconfined", |
| 939 | 939 |
"--security-opt", "seccomp="+tmpFile.Name(), |
| 940 |
- "debian:buster", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc").Assert(c, icmd.Expected{
|
|
| 940 |
+ "debian:bullseye", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc").Assert(c, icmd.Expected{
|
|
| 941 | 941 |
ExitCode: 1, |
| 942 | 942 |
Err: "Operation not permitted", |
| 943 | 943 |
}) |
| ... | ... |
@@ -977,7 +977,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *testing.T) {
|
| 977 | 977 |
}) |
| 978 | 978 |
} |
| 979 | 979 |
|
| 980 |
-// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run debian:buster unshare --map-root-user --user sh -c whoami' with a specific profile to |
|
| 980 |
+// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run debian:bullseye unshare --map-root-user --user sh -c whoami' with a specific profile to |
|
| 981 | 981 |
// deny unshare of a userns exits with operation not permitted. |
| 982 | 982 |
func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *testing.T) {
|
| 983 | 983 |
testRequires(c, testEnv.IsLocalDaemon, seccompEnabled, NotArm, Apparmor) |
| ... | ... |
@@ -1009,7 +1009,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *testing.T) {
|
| 1009 | 1009 |
} |
| 1010 | 1010 |
icmd.RunCommand(dockerBinary, "run", |
| 1011 | 1011 |
"--security-opt", "apparmor=unconfined", "--security-opt", "seccomp="+tmpFile.Name(), |
| 1012 |
- "debian:buster", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami").Assert(c, icmd.Expected{
|
|
| 1012 |
+ "debian:bullseye", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami").Assert(c, icmd.Expected{
|
|
| 1013 | 1013 |
ExitCode: 1, |
| 1014 | 1014 |
Err: "Operation not permitted", |
| 1015 | 1015 |
}) |
| ... | ... |
@@ -1061,12 +1061,12 @@ func (s *DockerSuite) TestRunSeccompProfileAllow32Bit(c *testing.T) {
|
| 1061 | 1061 |
icmd.RunCommand(dockerBinary, "run", "syscall-test", "exit32-test").Assert(c, icmd.Success) |
| 1062 | 1062 |
} |
| 1063 | 1063 |
|
| 1064 |
-// TestRunSeccompAllowSetrlimit checks that 'docker run debian:buster ulimit -v 1048510' succeeds. |
|
| 1064 |
+// TestRunSeccompAllowSetrlimit checks that 'docker run debian:bullseye ulimit -v 1048510' succeeds. |
|
| 1065 | 1065 |
func (s *DockerSuite) TestRunSeccompAllowSetrlimit(c *testing.T) {
|
| 1066 | 1066 |
testRequires(c, testEnv.IsLocalDaemon, seccompEnabled) |
| 1067 | 1067 |
|
| 1068 | 1068 |
// ulimit uses setrlimit, so we want to make sure we don't break it |
| 1069 |
- icmd.RunCommand(dockerBinary, "run", "debian:buster", "bash", "-c", "ulimit -v 1048510").Assert(c, icmd.Success) |
|
| 1069 |
+ icmd.RunCommand(dockerBinary, "run", "debian:bullseye", "bash", "-c", "ulimit -v 1048510").Assert(c, icmd.Success) |
|
| 1070 | 1070 |
} |
| 1071 | 1071 |
|
| 1072 | 1072 |
func (s *DockerSuite) TestRunSeccompDefaultProfileAcct(c *testing.T) {
|
| ... | ... |
@@ -1362,7 +1362,7 @@ func (s *DockerSuite) TestRunApparmorProcDirectory(c *testing.T) {
|
| 1362 | 1362 |
func (s *DockerSuite) TestRunSeccompWithDefaultProfile(c *testing.T) {
|
| 1363 | 1363 |
testRequires(c, testEnv.IsLocalDaemon, seccompEnabled) |
| 1364 | 1364 |
|
| 1365 |
- out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp=../profiles/seccomp/default.json", "debian:buster", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")
|
|
| 1365 |
+ out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp=../profiles/seccomp/default.json", "debian:bullseye", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")
|
|
| 1366 | 1366 |
assert.ErrorContains(c, err, "", out) |
| 1367 | 1367 |
assert.Equal(c, strings.TrimSpace(out), "unshare: unshare failed: Operation not permitted") |
| 1368 | 1368 |
} |
| ... | ... |
@@ -49,7 +49,7 @@ func ensureSyscallTest(c *testing.T) {
|
| 49 | 49 |
|
| 50 | 50 |
dockerFile := filepath.Join(tmp, "Dockerfile") |
| 51 | 51 |
content := []byte(` |
| 52 |
- FROM debian:buster |
|
| 52 |
+ FROM debian:bullseye |
|
| 53 | 53 |
COPY . /usr/bin/ |
| 54 | 54 |
`) |
| 55 | 55 |
err = ioutil.WriteFile(dockerFile, content, 0600) |
| ... | ... |
@@ -103,7 +103,7 @@ func ensureNNPTest(c *testing.T) {
|
| 103 | 103 |
|
| 104 | 104 |
dockerfile := filepath.Join(tmp, "Dockerfile") |
| 105 | 105 |
content := ` |
| 106 |
- FROM debian:buster |
|
| 106 |
+ FROM debian:bullseye |
|
| 107 | 107 |
COPY . /usr/bin |
| 108 | 108 |
RUN chmod +s /usr/bin/nnp-test |
| 109 | 109 |
` |
| ... | ... |
@@ -10,7 +10,7 @@ import ( |
| 10 | 10 |
"gotest.tools/v3/assert" |
| 11 | 11 |
) |
| 12 | 12 |
|
| 13 |
-var frozenImages = []string{"busybox:latest", "busybox:glibc", "hello-world:frozen", "debian:buster", "debian:bullseye"}
|
|
| 13 |
+var frozenImages = []string{"busybox:latest", "busybox:glibc", "hello-world:frozen", "debian:bullseye"}
|
|
| 14 | 14 |
|
| 15 | 15 |
type protectedElements struct {
|
| 16 | 16 |
containers map[string]struct{}
|