Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Vincent Demeester authored on 2017/01/06 03:08:24... | ... |
@@ -5433,7 +5433,7 @@ func (s *DockerTrustSuite) TestTrustedBuild(c *check.C) { |
5433 | 5433 |
name := "testtrustedbuild" |
5434 | 5434 |
|
5435 | 5435 |
buildCmd := buildImageCmd(name, dockerFile, true) |
5436 |
- s.trustedCmd(buildCmd) |
|
5436 |
+ trustedExecCmd(buildCmd) |
|
5437 | 5437 |
out, _, err := runCommandWithOutput(buildCmd) |
5438 | 5438 |
if err != nil { |
5439 | 5439 |
c.Fatalf("Error running trusted build: %s\n%s", err, out) |
... | ... |
@@ -5464,7 +5464,7 @@ func (s *DockerTrustSuite) TestTrustedBuildUntrustedTag(c *check.C) { |
5464 | 5464 |
name := "testtrustedbuilduntrustedtag" |
5465 | 5465 |
|
5466 | 5466 |
buildCmd := buildImageCmd(name, dockerFile, true) |
5467 |
- s.trustedCmd(buildCmd) |
|
5467 |
+ trustedExecCmd(buildCmd) |
|
5468 | 5468 |
out, _, err := runCommandWithOutput(buildCmd) |
5469 | 5469 |
if err == nil { |
5470 | 5470 |
c.Fatalf("Expected error on trusted build with untrusted tag: %s\n%s", err, out) |
... | ... |
@@ -5527,10 +5527,7 @@ func (s *DockerTrustSuite) TestTrustedBuildTagFromReleasesRole(c *check.C) { |
5527 | 5527 |
otherTag := fmt.Sprintf("%s:other", repoName) |
5528 | 5528 |
dockerCmd(c, "tag", "busybox", otherTag) |
5529 | 5529 |
|
5530 |
- pushCmd := exec.Command(dockerBinary, "push", otherTag) |
|
5531 |
- s.trustedCmd(pushCmd) |
|
5532 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
5533 |
- c.Assert(err, check.IsNil, check.Commentf("Trusted push failed: %s", out)) |
|
5530 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", otherTag), trustedCmd).Assert(c, icmd.Success) |
|
5534 | 5531 |
s.assertTargetInRoles(c, repoName, "other", "targets/releases") |
5535 | 5532 |
s.assertTargetNotInRoles(c, repoName, "other", "targets") |
5536 | 5533 |
|
... | ... |
@@ -5545,8 +5542,8 @@ func (s *DockerTrustSuite) TestTrustedBuildTagFromReleasesRole(c *check.C) { |
5545 | 5545 |
name := "testtrustedbuildreleasesrole" |
5546 | 5546 |
|
5547 | 5547 |
buildCmd := buildImageCmd(name, dockerFile, true) |
5548 |
- s.trustedCmd(buildCmd) |
|
5549 |
- out, _, err = runCommandWithOutput(buildCmd) |
|
5548 |
+ trustedExecCmd(buildCmd) |
|
5549 |
+ out, _, err := runCommandWithOutput(buildCmd) |
|
5550 | 5550 |
c.Assert(err, check.IsNil, check.Commentf("Trusted build failed: %s", out)) |
5551 | 5551 |
c.Assert(out, checker.Contains, fmt.Sprintf("FROM %s@sha", repoName)) |
5552 | 5552 |
} |
... | ... |
@@ -5566,10 +5563,7 @@ func (s *DockerTrustSuite) TestTrustedBuildTagIgnoresOtherDelegationRoles(c *che |
5566 | 5566 |
otherTag := fmt.Sprintf("%s:other", repoName) |
5567 | 5567 |
dockerCmd(c, "tag", "busybox", otherTag) |
5568 | 5568 |
|
5569 |
- pushCmd := exec.Command(dockerBinary, "push", otherTag) |
|
5570 |
- s.trustedCmd(pushCmd) |
|
5571 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
5572 |
- c.Assert(err, check.IsNil, check.Commentf("Trusted push failed: %s", out)) |
|
5569 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", otherTag), trustedCmd).Assert(c, icmd.Success) |
|
5573 | 5570 |
s.assertTargetInRoles(c, repoName, "other", "targets/other") |
5574 | 5571 |
s.assertTargetNotInRoles(c, repoName, "other", "targets") |
5575 | 5572 |
|
... | ... |
@@ -5584,8 +5578,8 @@ func (s *DockerTrustSuite) TestTrustedBuildTagIgnoresOtherDelegationRoles(c *che |
5584 | 5584 |
name := "testtrustedbuildotherrole" |
5585 | 5585 |
|
5586 | 5586 |
buildCmd := buildImageCmd(name, dockerFile, true) |
5587 |
- s.trustedCmd(buildCmd) |
|
5588 |
- out, _, err = runCommandWithOutput(buildCmd) |
|
5587 |
+ trustedExecCmd(buildCmd) |
|
5588 |
+ out, _, err := runCommandWithOutput(buildCmd) |
|
5589 | 5589 |
c.Assert(err, check.NotNil, check.Commentf("Trusted build expected to fail: %s", out)) |
5590 | 5590 |
} |
5591 | 5591 |
|
... | ... |
@@ -103,7 +103,7 @@ func (s *DockerSuite) TestBuildAddChangeOwnership(c *check.C) { |
103 | 103 |
|
104 | 104 |
icmd.RunCmd(icmd.Cmd{ |
105 | 105 |
Command: []string{"chown", "daemon:daemon", "foo"}, |
106 |
- Dir: tmpDir, |
|
106 |
+ Dir: tmpDir, |
|
107 | 107 |
}).Assert(c, icmd.Success) |
108 | 108 |
|
109 | 109 |
if err := ioutil.WriteFile(filepath.Join(tmpDir, "Dockerfile"), []byte(dockerfile), 0644); err != nil { |
... | ... |
@@ -5,15 +5,14 @@ import ( |
5 | 5 |
"net/http" |
6 | 6 |
"net/http/httptest" |
7 | 7 |
"os" |
8 |
- "os/exec" |
|
9 | 8 |
"path/filepath" |
10 | 9 |
"runtime" |
11 | 10 |
|
12 | 11 |
"github.com/docker/docker/api" |
13 | 12 |
"github.com/docker/docker/dockerversion" |
14 | 13 |
"github.com/docker/docker/integration-cli/checker" |
15 |
- icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
16 | 14 |
"github.com/docker/docker/pkg/homedir" |
15 |
+ icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
17 | 16 |
"github.com/go-check/check" |
18 | 17 |
) |
19 | 18 |
|
... | ... |
@@ -53,7 +52,10 @@ func (s *DockerSuite) TestConfigHTTPHeader(c *check.C) { |
53 | 53 |
c.Assert(err, checker.IsNil) |
54 | 54 |
|
55 | 55 |
result := icmd.RunCommand(dockerBinary, "-H="+server.URL[7:], "ps") |
56 |
- result.Assert(c, icmd.Success) |
|
56 |
+ result.Assert(c, icmd.Expected{ |
|
57 |
+ ExitCode: 1, |
|
58 |
+ Error: "exit status 1", |
|
59 |
+ }) |
|
57 | 60 |
|
58 | 61 |
c.Assert(headers["User-Agent"], checker.NotNil, check.Commentf("Missing User-Agent")) |
59 | 62 |
|
... | ... |
@@ -73,9 +75,9 @@ func (s *DockerSuite) TestConfigDir(c *check.C) { |
73 | 73 |
dockerCmd(c, "--config", cDir, "ps") |
74 | 74 |
|
75 | 75 |
// Test with env var too |
76 |
- icmd.RunCmd(icm.Cmd{ |
|
76 |
+ icmd.RunCmd(icmd.Cmd{ |
|
77 | 77 |
Command: []string{dockerBinary, "ps"}, |
78 |
- Env: appendBaseEnv(true, "DOCKER_CONFIG="+cDir), |
|
78 |
+ Env: appendBaseEnv(true, "DOCKER_CONFIG="+cDir), |
|
79 | 79 |
}).Assert(c, icmd.Success) |
80 | 80 |
|
81 | 81 |
// Start a server so we can check to see if the config file was |
... | ... |
@@ -100,36 +102,37 @@ func (s *DockerSuite) TestConfigDir(c *check.C) { |
100 | 100 |
env := appendBaseEnv(false) |
101 | 101 |
|
102 | 102 |
icmd.RunCmd(icmd.Cmd{ |
103 |
- Command: []string{dockerBinary, "--config", cDir, "-H="+server.URL[7:], "ps"}, |
|
104 |
- Env: env, |
|
105 |
- }).Assert(c, icmd.Exepected{ |
|
106 |
- Error: "exit status 1", |
|
103 |
+ Command: []string{dockerBinary, "--config", cDir, "-H=" + server.URL[7:], "ps"}, |
|
104 |
+ Env: env, |
|
105 |
+ }).Assert(c, icmd.Expected{ |
|
106 |
+ ExitCode: 1, |
|
107 |
+ Error: "exit status 1", |
|
107 | 108 |
}) |
108 | 109 |
c.Assert(headers["Myheader"], checker.NotNil) |
109 |
- c.Assert(headers["Myheader"][0], checker.Equals, "MyValue", check.Commentf("ps3 - Missing header,out:%v", out)) |
|
110 |
+ c.Assert(headers["Myheader"][0], checker.Equals, "MyValue", check.Commentf("ps3 - Missing header")) |
|
110 | 111 |
|
111 | 112 |
// Reset headers and try again using env var this time |
112 | 113 |
headers = map[string][]string{} |
113 | 114 |
icmd.RunCmd(icmd.Cmd{ |
114 |
- Command: []string{dockerBinary, "--config", cDir, "-H="+server.URL[7:], "ps"}, |
|
115 |
- Env: append(env, "DOCKER_CONFIG="+cDir), |
|
116 |
- }).Assert(c, icmd.Exepected{ |
|
117 |
- Error: "exit status 1", |
|
115 |
+ Command: []string{dockerBinary, "--config", cDir, "-H=" + server.URL[7:], "ps"}, |
|
116 |
+ Env: append(env, "DOCKER_CONFIG="+cDir), |
|
117 |
+ }).Assert(c, icmd.Expected{ |
|
118 |
+ ExitCode: 1, |
|
118 | 119 |
}) |
119 | 120 |
c.Assert(headers["Myheader"], checker.NotNil) |
120 |
- c.Assert(headers["Myheader"][0], checker.Equals, "MyValue", check.Commentf("ps4 - Missing header,out:%v", out)) |
|
121 |
+ c.Assert(headers["Myheader"][0], checker.Equals, "MyValue", check.Commentf("ps4 - Missing header")) |
|
121 | 122 |
|
122 | 123 |
// FIXME(vdemeester) should be a unit test |
123 | 124 |
// Reset headers and make sure flag overrides the env var |
124 | 125 |
headers = map[string][]string{} |
125 | 126 |
icmd.RunCmd(icmd.Cmd{ |
126 |
- Command: []string{dockerBinary, "--config", cDir, "-H="+server.URL[7:], "ps"}, |
|
127 |
- Env: append(env, "DOCKER_CONFIG=MissingDir"), |
|
128 |
- }).Assert(c, icmd.Exepected{ |
|
129 |
- Error: "exit status 1", |
|
127 |
+ Command: []string{dockerBinary, "--config", cDir, "-H=" + server.URL[7:], "ps"}, |
|
128 |
+ Env: append(env, "DOCKER_CONFIG=MissingDir"), |
|
129 |
+ }).Assert(c, icmd.Expected{ |
|
130 |
+ ExitCode: 1, |
|
130 | 131 |
}) |
131 | 132 |
c.Assert(headers["Myheader"], checker.NotNil) |
132 |
- c.Assert(headers["Myheader"][0], checker.Equals, "MyValue", check.Commentf("ps5 - Missing header,out:%v", out)) |
|
133 |
+ c.Assert(headers["Myheader"][0], checker.Equals, "MyValue", check.Commentf("ps5 - Missing header")) |
|
133 | 134 |
|
134 | 135 |
// FIXME(vdemeester) should be a unit test |
135 | 136 |
// Reset headers and make sure flag overrides the env var. |
... | ... |
@@ -137,11 +140,12 @@ func (s *DockerSuite) TestConfigDir(c *check.C) { |
137 | 137 |
// ignore - we don't want to default back to the env var. |
138 | 138 |
headers = map[string][]string{} |
139 | 139 |
icmd.RunCmd(icmd.Cmd{ |
140 |
- Command: []string{dockerBinary, "--config", "MissingDir", "-H="+server.URL[7:], "ps"}, |
|
141 |
- Env: append(env, "DOCKER_CONFIG="+cDir), |
|
142 |
- }).Assert(c, icmd.Exepected{ |
|
143 |
- Error: "exit status 1", |
|
140 |
+ Command: []string{dockerBinary, "--config", "MissingDir", "-H=" + server.URL[7:], "ps"}, |
|
141 |
+ Env: append(env, "DOCKER_CONFIG="+cDir), |
|
142 |
+ }).Assert(c, icmd.Expected{ |
|
143 |
+ ExitCode: 1, |
|
144 |
+ Error: "exit status 1", |
|
144 | 145 |
}) |
145 | 146 |
|
146 |
- c.Assert(headers["Myheader"], checker.IsNil, check.Commentf("ps6 - Headers shouldn't be the expected value,out:%v", out)) |
|
147 |
+ c.Assert(headers["Myheader"], checker.IsNil, check.Commentf("ps6 - Headers shouldn't be the expected value")) |
|
147 | 148 |
} |
... | ... |
@@ -3,18 +3,16 @@ package main |
3 | 3 |
import ( |
4 | 4 |
"encoding/json" |
5 | 5 |
"fmt" |
6 |
+ "io/ioutil" |
|
6 | 7 |
"os" |
7 | 8 |
"reflect" |
8 | 9 |
"strings" |
9 | 10 |
"time" |
10 | 11 |
|
11 |
- "os/exec" |
|
12 |
- |
|
13 |
- "io/ioutil" |
|
14 |
- |
|
15 | 12 |
"github.com/docker/docker/integration-cli/checker" |
16 | 13 |
"github.com/docker/docker/pkg/stringid" |
17 | 14 |
"github.com/docker/docker/pkg/testutil" |
15 |
+ icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
18 | 16 |
"github.com/docker/go-connections/nat" |
19 | 17 |
"github.com/go-check/check" |
20 | 18 |
) |
... | ... |
@@ -302,21 +300,12 @@ func (s *DockerTrustSuite) TestTrustedCreate(c *check.C) { |
302 | 302 |
repoName := s.setupTrustedImage(c, "trusted-create") |
303 | 303 |
|
304 | 304 |
// Try create |
305 |
- createCmd := exec.Command(dockerBinary, "create", repoName) |
|
306 |
- s.trustedCmd(createCmd) |
|
307 |
- out, _, err := runCommandWithOutput(createCmd) |
|
308 |
- c.Assert(err, check.IsNil) |
|
309 |
- c.Assert(string(out), checker.Contains, "Tagging", check.Commentf("Missing expected output on trusted push:\n%s", out)) |
|
305 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "create", repoName), trustedCmd).Assert(c, SuccessTagging) |
|
310 | 306 |
|
311 | 307 |
dockerCmd(c, "rmi", repoName) |
312 | 308 |
|
313 | 309 |
// Try untrusted create to ensure we pushed the tag to the registry |
314 |
- createCmd = exec.Command(dockerBinary, "create", "--disable-content-trust=true", repoName) |
|
315 |
- s.trustedCmd(createCmd) |
|
316 |
- out, _, err = runCommandWithOutput(createCmd) |
|
317 |
- c.Assert(err, check.IsNil) |
|
318 |
- c.Assert(string(out), checker.Contains, "Status: Downloaded", check.Commentf("Missing expected output on trusted create with --disable-content-trust:\n%s", out)) |
|
319 |
- |
|
310 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "create", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloadedOnStderr) |
|
320 | 311 |
} |
321 | 312 |
|
322 | 313 |
func (s *DockerTrustSuite) TestUntrustedCreate(c *check.C) { |
... | ... |
@@ -328,23 +317,17 @@ func (s *DockerTrustSuite) TestUntrustedCreate(c *check.C) { |
328 | 328 |
dockerCmd(c, "rmi", withTagName) |
329 | 329 |
|
330 | 330 |
// Try trusted create on untrusted tag |
331 |
- createCmd := exec.Command(dockerBinary, "create", withTagName) |
|
332 |
- s.trustedCmd(createCmd) |
|
333 |
- out, _, err := runCommandWithOutput(createCmd) |
|
334 |
- c.Assert(err, check.Not(check.IsNil)) |
|
335 |
- c.Assert(string(out), checker.Contains, fmt.Sprintf("does not have trust data for %s", repoName), check.Commentf("Missing expected output on trusted create:\n%s", out)) |
|
336 |
- |
|
331 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "create", withTagName), trustedCmd).Assert(c, icmd.Expected{ |
|
332 |
+ ExitCode: 1, |
|
333 |
+ Err: fmt.Sprintf("does not have trust data for %s", repoName), |
|
334 |
+ }) |
|
337 | 335 |
} |
338 | 336 |
|
339 | 337 |
func (s *DockerTrustSuite) TestTrustedIsolatedCreate(c *check.C) { |
340 | 338 |
repoName := s.setupTrustedImage(c, "trusted-isolated-create") |
341 | 339 |
|
342 | 340 |
// Try create |
343 |
- createCmd := exec.Command(dockerBinary, "--config", "/tmp/docker-isolated-create", "create", repoName) |
|
344 |
- s.trustedCmd(createCmd) |
|
345 |
- out, _, err := runCommandWithOutput(createCmd) |
|
346 |
- c.Assert(err, check.IsNil) |
|
347 |
- c.Assert(string(out), checker.Contains, "Tagging", check.Commentf("Missing expected output on trusted push:\n%s", out)) |
|
341 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "--config", "/tmp/docker-isolated-create", "create", repoName), trustedCmd).Assert(c, SuccessTagging) |
|
348 | 342 |
|
349 | 343 |
dockerCmd(c, "rmi", repoName) |
350 | 344 |
} |
... | ... |
@@ -358,20 +341,19 @@ func (s *DockerTrustSuite) TestCreateWhenCertExpired(c *check.C) { |
358 | 358 |
|
359 | 359 |
testutil.RunAtDifferentDate(elevenYearsFromNow, func() { |
360 | 360 |
// Try create |
361 |
- createCmd := exec.Command(dockerBinary, "create", repoName) |
|
362 |
- s.trustedCmd(createCmd) |
|
363 |
- out, _, err := runCommandWithOutput(createCmd) |
|
364 |
- c.Assert(err, check.Not(check.IsNil)) |
|
365 |
- c.Assert(string(out), checker.Contains, "could not validate the path to a trusted root", check.Commentf("Missing expected output on trusted create in the distant future:\n%s", out)) |
|
361 |
+ icmd.RunCmd(icmd.Cmd{ |
|
362 |
+ Command: []string{dockerBinary, "create", repoName}, |
|
363 |
+ }, trustedCmd).Assert(c, icmd.Expected{ |
|
364 |
+ ExitCode: 1, |
|
365 |
+ Err: "could not validate the path to a trusted root", |
|
366 |
+ }) |
|
366 | 367 |
}) |
367 | 368 |
|
368 | 369 |
testutil.RunAtDifferentDate(elevenYearsFromNow, func() { |
369 | 370 |
// Try create |
370 |
- createCmd := exec.Command(dockerBinary, "create", "--disable-content-trust", repoName) |
|
371 |
- s.trustedCmd(createCmd) |
|
372 |
- out, _, err := runCommandWithOutput(createCmd) |
|
373 |
- c.Assert(err, check.Not(check.IsNil)) |
|
374 |
- c.Assert(string(out), checker.Contains, "Status: Downloaded", check.Commentf("Missing expected output on trusted create in the distant future:\n%s", out)) |
|
371 |
+ result := icmd.RunCmd(icmd.Command(dockerBinary, "create", "--disable-content-trust", repoName), trustedCmd) |
|
372 |
+ c.Assert(result.Error, check.Not(check.IsNil)) |
|
373 |
+ c.Assert(string(result.Combined()), checker.Contains, "Status: Downloaded", check.Commentf("Missing expected output on trusted create in the distant future:\n%s", result.Combined())) |
|
375 | 374 |
|
376 | 375 |
}) |
377 | 376 |
} |
... | ... |
@@ -384,20 +366,12 @@ func (s *DockerTrustSuite) TestTrustedCreateFromBadTrustServer(c *check.C) { |
384 | 384 |
// tag the image and upload it to the private registry |
385 | 385 |
dockerCmd(c, "tag", "busybox", repoName) |
386 | 386 |
|
387 |
- pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
388 |
- s.trustedCmd(pushCmd) |
|
389 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
390 |
- c.Assert(err, check.IsNil) |
|
391 |
- c.Assert(string(out), checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push:\n%s", out)) |
|
387 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
392 | 388 |
|
393 | 389 |
dockerCmd(c, "rmi", repoName) |
394 | 390 |
|
395 | 391 |
// Try create |
396 |
- createCmd := exec.Command(dockerBinary, "create", repoName) |
|
397 |
- s.trustedCmd(createCmd) |
|
398 |
- out, _, err = runCommandWithOutput(createCmd) |
|
399 |
- c.Assert(err, check.IsNil) |
|
400 |
- c.Assert(string(out), checker.Contains, "Tagging", check.Commentf("Missing expected output on trusted push:\n%s", out)) |
|
392 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "create", repoName), trustedCmd).Assert(c, SuccessTagging) |
|
401 | 393 |
|
402 | 394 |
dockerCmd(c, "rmi", repoName) |
403 | 395 |
|
... | ... |
@@ -411,23 +385,13 @@ func (s *DockerTrustSuite) TestTrustedCreateFromBadTrustServer(c *check.C) { |
411 | 411 |
dockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName) |
412 | 412 |
|
413 | 413 |
// Push up to the new server |
414 |
- pushCmd = exec.Command(dockerBinary, "--config", evilLocalConfigDir, "push", repoName) |
|
415 |
- s.trustedCmd(pushCmd) |
|
416 |
- out, _, err = runCommandWithOutput(pushCmd) |
|
417 |
- c.Assert(err, check.IsNil) |
|
418 |
- c.Assert(string(out), checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push:\n%s", out)) |
|
414 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
419 | 415 |
|
420 | 416 |
// Now, try creating with the original client from this new trust server. This should fail because the new root is invalid. |
421 |
- createCmd = exec.Command(dockerBinary, "create", repoName) |
|
422 |
- s.trustedCmd(createCmd) |
|
423 |
- out, _, err = runCommandWithOutput(createCmd) |
|
424 |
- if err == nil { |
|
425 |
- c.Fatalf("Continuing with cached data even though it's an invalid root rotation: %s\n%s", err, out) |
|
426 |
- } |
|
427 |
- if !strings.Contains(out, "could not rotate trust to a new trusted root") { |
|
428 |
- c.Fatalf("Missing expected output on trusted create:\n%s", out) |
|
429 |
- } |
|
430 |
- |
|
417 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "create", repoName), trustedCmd).Assert(c, icmd.Expected{ |
|
418 |
+ ExitCode: 1, |
|
419 |
+ Err: "could not rotate trust to a new trusted root", |
|
420 |
+ }) |
|
431 | 421 |
} |
432 | 422 |
|
433 | 423 |
func (s *DockerSuite) TestCreateStopSignal(c *check.C) { |
... | ... |
@@ -4,14 +4,13 @@ package main |
4 | 4 |
|
5 | 5 |
import ( |
6 | 6 |
"os" |
7 |
- "os/exec" |
|
8 | 7 |
"path/filepath" |
9 | 8 |
"strings" |
10 | 9 |
"syscall" |
11 | 10 |
|
12 |
- icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
13 | 11 |
"github.com/docker/docker/integration-cli/checker" |
14 | 12 |
"github.com/docker/docker/pkg/mount" |
13 |
+ icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
15 | 14 |
"github.com/go-check/check" |
16 | 15 |
) |
17 | 16 |
|
... | ... |
@@ -153,7 +152,7 @@ func (s *DockerDaemonSuite) TestDaemonShutdownWithPlugins(c *check.C) { |
153 | 153 |
|
154 | 154 |
icmd.RunCommand("pgrep", "-f", pluginProcessName).Assert(c, icmd.Expected{ |
155 | 155 |
ExitCode: 1, |
156 |
- Error: "exit status 1", |
|
156 |
+ Error: "exit status 1", |
|
157 | 157 |
}) |
158 | 158 |
|
159 | 159 |
s.d.Start(c, "--live-restore") |
... | ... |
@@ -1945,7 +1945,7 @@ func (s *DockerDaemonSuite) TestDaemonRestartWithKilledRunningContainer(t *check |
1945 | 1945 |
} |
1946 | 1946 |
|
1947 | 1947 |
// kill the container |
1948 |
- icmd.RunCommand(ctrBinary, "--address", "unix:///var/run/docker/libcontainerd/docker-containerd.sock", "containers", "kill", cid).Assert(c, icmd.Success) |
|
1948 |
+ icmd.RunCommand(ctrBinary, "--address", "unix:///var/run/docker/libcontainerd/docker-containerd.sock", "containers", "kill", cid).Assert(t, icmd.Success) |
|
1949 | 1949 |
|
1950 | 1950 |
// Give time to containerd to process the command if we don't |
1951 | 1951 |
// the exit event might be received after we do the inspect |
... | ... |
@@ -19,8 +19,8 @@ func (s *DockerSuite) TestExportContainerAndImportImage(c *check.C) { |
19 | 19 |
out, _ := dockerCmd(c, "export", containerID) |
20 | 20 |
|
21 | 21 |
result := icmd.RunCmd(icmd.Cmd{ |
22 |
- Command: dockerBinary, "import", "-", "repo/testexp:v1", |
|
23 |
- Stdin: strings.NewReader(out), |
|
22 |
+ Command: []string{dockerBinary, "import", "-", "repo/testexp:v1"}, |
|
23 |
+ Stdin: strings.NewReader(out), |
|
24 | 24 |
}) |
25 | 25 |
result.Assert(c, icmd.Success) |
26 | 26 |
|
... | ... |
@@ -41,8 +41,8 @@ func (s *DockerSuite) TestExportContainerWithOutputAndImportImage(c *check.C) { |
41 | 41 |
resultCat.Assert(c, icmd.Success) |
42 | 42 |
|
43 | 43 |
result := icmd.RunCmd(icmd.Cmd{ |
44 |
- Command: dockerBinary, "import", "-", "repo/testexp:v1", |
|
45 |
- Stdin: strings.NewReader(resultCat.Combined()), |
|
44 |
+ Command: []string{dockerBinary, "import", "-", "repo/testexp:v1"}, |
|
45 |
+ Stdin: strings.NewReader(resultCat.Combined()), |
|
46 | 46 |
}) |
47 | 47 |
result.Assert(c, icmd.Success) |
48 | 48 |
|
... | ... |
@@ -2,7 +2,6 @@ package main |
2 | 2 |
|
3 | 3 |
import ( |
4 | 4 |
"fmt" |
5 |
- "os/exec" |
|
6 | 5 |
"runtime" |
7 | 6 |
"strings" |
8 | 7 |
"unicode" |
... | ... |
@@ -54,8 +53,8 @@ func (s *DockerSuite) TestHelpTextVerify(c *check.C) { |
54 | 54 |
|
55 | 55 |
// Check main help text to make sure its not over 80 chars |
56 | 56 |
result := icmd.RunCmd(icmd.Cmd{ |
57 |
- Command: []stirng{dockerBinary, "help"}, |
|
58 |
- Env: newEnvs, |
|
57 |
+ Command: []string{dockerBinary, "help"}, |
|
58 |
+ Env: newEnvs, |
|
59 | 59 |
}) |
60 | 60 |
result.Assert(c, icmd.Success) |
61 | 61 |
lines := strings.Split(result.Combined(), "\n") |
... | ... |
@@ -8,10 +8,10 @@ import ( |
8 | 8 |
"strings" |
9 | 9 |
"time" |
10 | 10 |
|
11 |
- icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
12 | 11 |
"github.com/docker/docker/integration-cli/checker" |
13 | 12 |
"github.com/docker/docker/pkg/jsonlog" |
14 | 13 |
"github.com/docker/docker/pkg/testutil" |
14 |
+ icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
15 | 15 |
"github.com/go-check/check" |
16 | 16 |
) |
17 | 17 |
|
... | ... |
@@ -190,10 +190,10 @@ func (s *DockerSuite) TestLogsSince(c *check.C) { |
190 | 190 |
// Test with default value specified and parameter omitted |
191 | 191 |
expected := []string{"log1", "log2", "log3"} |
192 | 192 |
for _, cmd := range [][]string{ |
193 |
- []string{dockerBinary, "logs", "-t", name}, |
|
194 |
- []string{dockerBinary, "logs", "-t", "--since=0", name}, |
|
193 |
+ {"logs", "-t", name}, |
|
194 |
+ {"logs", "-t", "--since=0", name}, |
|
195 | 195 |
} { |
196 |
- result := icmd.RunCommand(cmd...) |
|
196 |
+ result := icmd.RunCommand(dockerBinary, cmd...) |
|
197 | 197 |
result.Assert(c, icmd.Success) |
198 | 198 |
for _, v := range expected { |
199 | 199 |
c.Assert(result.Combined(), checker.Contains, v) |
... | ... |
@@ -2,15 +2,14 @@ package main |
2 | 2 |
|
3 | 3 |
import ( |
4 | 4 |
"fmt" |
5 |
- "os/exec" |
|
6 |
- |
|
7 |
- "github.com/docker/docker/integration-cli/checker" |
|
8 |
- "github.com/go-check/check" |
|
9 |
- |
|
10 | 5 |
"io/ioutil" |
11 | 6 |
"os" |
12 | 7 |
"path/filepath" |
13 | 8 |
"strings" |
9 |
+ |
|
10 |
+ "github.com/docker/docker/integration-cli/checker" |
|
11 |
+ icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
12 |
+ "github.com/go-check/check" |
|
14 | 13 |
) |
15 | 14 |
|
16 | 15 |
var ( |
... | ... |
@@ -305,15 +304,11 @@ func (s *DockerTrustSuite) TestPluginTrustedInstall(c *check.C) { |
305 | 305 |
|
306 | 306 |
trustedName := s.setupTrustedplugin(c, pNameWithTag, "trusted-plugin-install") |
307 | 307 |
|
308 |
- installCmd := exec.Command(dockerBinary, "plugin", "install", "--grant-all-permissions", trustedName) |
|
309 |
- s.trustedCmd(installCmd) |
|
310 |
- out, _, err := runCommandWithOutput(installCmd) |
|
308 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "plugin", "install", "--grant-all-permissions", trustedName), trustedCmd).Assert(c, icmd.Expected{ |
|
309 |
+ Out: trustedName, |
|
310 |
+ }) |
|
311 | 311 |
|
312 |
- c.Assert(strings.TrimSpace(out), checker.Contains, trustedName) |
|
313 |
- c.Assert(err, checker.IsNil) |
|
314 |
- c.Assert(strings.TrimSpace(out), checker.Contains, trustedName) |
|
315 |
- |
|
316 |
- out, _, err = dockerCmdWithError("plugin", "ls") |
|
312 |
+ out, _, err := dockerCmdWithError("plugin", "ls") |
|
317 | 313 |
c.Assert(err, checker.IsNil) |
318 | 314 |
c.Assert(out, checker.Contains, "true") |
319 | 315 |
|
... | ... |
@@ -330,11 +325,7 @@ func (s *DockerTrustSuite) TestPluginTrustedInstall(c *check.C) { |
330 | 330 |
c.Assert(strings.TrimSpace(out), checker.Contains, trustedName) |
331 | 331 |
|
332 | 332 |
// Try untrusted pull to ensure we pushed the tag to the registry |
333 |
- installCmd = exec.Command(dockerBinary, "plugin", "install", "--disable-content-trust=true", "--grant-all-permissions", trustedName) |
|
334 |
- s.trustedCmd(installCmd) |
|
335 |
- out, _, err = runCommandWithOutput(installCmd) |
|
336 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
337 |
- c.Assert(string(out), checker.Contains, "Status: Downloaded", check.Commentf(out)) |
|
333 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "plugin", "install", "--disable-content-trust=true", "--grant-all-permissions", trustedName), trustedCmd).Assert(c, SuccessDownloaded) |
|
338 | 334 |
|
339 | 335 |
out, _, err = dockerCmdWithError("plugin", "ls") |
340 | 336 |
c.Assert(err, checker.IsNil) |
... | ... |
@@ -352,12 +343,10 @@ func (s *DockerTrustSuite) TestPluginUntrustedInstall(c *check.C) { |
352 | 352 |
dockerCmd(c, "plugin", "rm", "-f", pluginName) |
353 | 353 |
|
354 | 354 |
// Try trusted install on untrusted plugin |
355 |
- installCmd := exec.Command(dockerBinary, "plugin", "install", "--grant-all-permissions", pluginName) |
|
356 |
- s.trustedCmd(installCmd) |
|
357 |
- out, _, err := runCommandWithOutput(installCmd) |
|
358 |
- |
|
359 |
- c.Assert(err, check.NotNil, check.Commentf(out)) |
|
360 |
- c.Assert(string(out), checker.Contains, "Error: remote trust data does not exist", check.Commentf(out)) |
|
355 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "plugin", "install", "--grant-all-permissions", pluginName), trustedCmd).Assert(c, icmd.Expected{ |
|
356 |
+ ExitCode: 1, |
|
357 |
+ Err: "Error: remote trust data does not exist", |
|
358 |
+ }) |
|
361 | 359 |
} |
362 | 360 |
|
363 | 361 |
func (s *DockerSuite) TestPluginIDPrefix(c *check.C) { |
... | ... |
@@ -2,20 +2,19 @@ package main |
2 | 2 |
|
3 | 3 |
import ( |
4 | 4 |
"net" |
5 |
- "os/exec" |
|
6 | 5 |
"strings" |
7 | 6 |
|
8 |
- icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
9 | 7 |
"github.com/docker/docker/integration-cli/checker" |
8 |
+ icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
10 | 9 |
"github.com/go-check/check" |
11 | 10 |
) |
12 | 11 |
|
13 | 12 |
func (s *DockerSuite) TestCLIProxyDisableProxyUnixSock(c *check.C) { |
14 | 13 |
testRequires(c, DaemonIsLinux, SameHostDaemon) |
15 | 14 |
|
16 |
- icmd.RunCmd(icm.Cmd{ |
|
15 |
+ icmd.RunCmd(icmd.Cmd{ |
|
17 | 16 |
Command: []string{dockerBinary, "info"}, |
18 |
- Env: appendBaseEnv(false, "HTTP_PROXY=http://127.0.0.1:9999"), |
|
17 |
+ Env: appendBaseEnv(false, "HTTP_PROXY=http://127.0.0.1:9999"), |
|
19 | 18 |
}).Assert(c, icmd.Success) |
20 | 19 |
} |
21 | 20 |
|
... | ... |
@@ -42,11 +41,11 @@ func (s *DockerDaemonSuite) TestCLIProxyProxyTCPSock(c *check.C) { |
42 | 42 |
|
43 | 43 |
icmd.RunCmd(icmd.Cmd{ |
44 | 44 |
Command: []string{dockerBinary, "info"}, |
45 |
- Env: []string{"DOCKER_HOST=tcp://" + ip + ":2375", "HTTP_PROXY=127.0.0.1:9999"}, |
|
46 |
- }).Assert(c, icmd.Expected{Error:"exit status 1", ExitCode: 1}) |
|
45 |
+ Env: []string{"DOCKER_HOST=tcp://" + ip + ":2375", "HTTP_PROXY=127.0.0.1:9999"}, |
|
46 |
+ }).Assert(c, icmd.Expected{Error: "exit status 1", ExitCode: 1}) |
|
47 | 47 |
// Test with no_proxy |
48 |
- icmd.RunCommand(icmd.Cmd{ |
|
48 |
+ icmd.RunCmd(icmd.Cmd{ |
|
49 | 49 |
Command: []string{dockerBinary, "info"}, |
50 |
- Env: []string{"DOCKER_HOST=tcp://" + ip + ":2375", "HTTP_PROXY=127.0.0.1:9999", "NO_PROXY="+ip}, |
|
50 |
+ Env: []string{"DOCKER_HOST=tcp://" + ip + ":2375", "HTTP_PROXY=127.0.0.1:9999", "NO_PROXY=" + ip}, |
|
51 | 51 |
}).Assert(c, icmd.Success) |
52 | 52 |
} |
... | ... |
@@ -5,18 +5,17 @@ import ( |
5 | 5 |
"fmt" |
6 | 6 |
"io/ioutil" |
7 | 7 |
"os" |
8 |
- "os/exec" |
|
9 | 8 |
"path/filepath" |
10 | 9 |
"runtime" |
11 | 10 |
"strings" |
12 | 11 |
|
13 | 12 |
"github.com/docker/distribution" |
14 | 13 |
"github.com/docker/distribution/digest" |
15 |
- icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
16 | 14 |
"github.com/docker/distribution/manifest" |
17 | 15 |
"github.com/docker/distribution/manifest/manifestlist" |
18 | 16 |
"github.com/docker/distribution/manifest/schema2" |
19 | 17 |
"github.com/docker/docker/integration-cli/checker" |
18 |
+ icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
20 | 19 |
"github.com/go-check/check" |
21 | 20 |
) |
22 | 21 |
|
... | ... |
@@ -3,12 +3,11 @@ package main |
3 | 3 |
import ( |
4 | 4 |
"fmt" |
5 | 5 |
"io/ioutil" |
6 |
- "os/exec" |
|
7 |
- "strings" |
|
8 | 6 |
"time" |
9 | 7 |
|
10 | 8 |
"github.com/docker/docker/integration-cli/checker" |
11 | 9 |
"github.com/docker/docker/pkg/testutil" |
10 |
+ icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
12 | 11 |
"github.com/go-check/check" |
13 | 12 |
) |
14 | 13 |
|
... | ... |
@@ -16,33 +15,18 @@ func (s *DockerTrustSuite) TestTrustedPull(c *check.C) { |
16 | 16 |
repoName := s.setupTrustedImage(c, "trusted-pull") |
17 | 17 |
|
18 | 18 |
// Try pull |
19 |
- pullCmd := exec.Command(dockerBinary, "pull", repoName) |
|
20 |
- s.trustedCmd(pullCmd) |
|
21 |
- out, _, err := runCommandWithOutput(pullCmd) |
|
22 |
- |
|
23 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
24 |
- c.Assert(string(out), checker.Contains, "Tagging", check.Commentf(out)) |
|
19 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, SuccessTagging) |
|
25 | 20 |
|
26 | 21 |
dockerCmd(c, "rmi", repoName) |
27 | 22 |
// Try untrusted pull to ensure we pushed the tag to the registry |
28 |
- pullCmd = exec.Command(dockerBinary, "pull", "--disable-content-trust=true", repoName) |
|
29 |
- s.trustedCmd(pullCmd) |
|
30 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
31 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
32 |
- c.Assert(string(out), checker.Contains, "Status: Downloaded", check.Commentf(out)) |
|
33 |
- |
|
23 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "pull", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloaded) |
|
34 | 24 |
} |
35 | 25 |
|
36 | 26 |
func (s *DockerTrustSuite) TestTrustedIsolatedPull(c *check.C) { |
37 | 27 |
repoName := s.setupTrustedImage(c, "trusted-isolated-pull") |
38 | 28 |
|
39 | 29 |
// Try pull (run from isolated directory without trust information) |
40 |
- pullCmd := exec.Command(dockerBinary, "--config", "/tmp/docker-isolated", "pull", repoName) |
|
41 |
- s.trustedCmd(pullCmd) |
|
42 |
- out, _, err := runCommandWithOutput(pullCmd) |
|
43 |
- |
|
44 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
45 |
- c.Assert(string(out), checker.Contains, "Tagging", check.Commentf(string(out))) |
|
30 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "--config", "/tmp/docker-isolated", "pull", repoName), trustedCmd).Assert(c, SuccessTagging) |
|
46 | 31 |
|
47 | 32 |
dockerCmd(c, "rmi", repoName) |
48 | 33 |
} |
... | ... |
@@ -55,12 +39,10 @@ func (s *DockerTrustSuite) TestUntrustedPull(c *check.C) { |
55 | 55 |
dockerCmd(c, "rmi", repoName) |
56 | 56 |
|
57 | 57 |
// Try trusted pull on untrusted tag |
58 |
- pullCmd := exec.Command(dockerBinary, "pull", repoName) |
|
59 |
- s.trustedCmd(pullCmd) |
|
60 |
- out, _, err := runCommandWithOutput(pullCmd) |
|
61 |
- |
|
62 |
- c.Assert(err, check.NotNil, check.Commentf(out)) |
|
63 |
- c.Assert(string(out), checker.Contains, "Error: remote trust data does not exist", check.Commentf(out)) |
|
58 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{ |
|
59 |
+ ExitCode: 1, |
|
60 |
+ Err: "Error: remote trust data does not exist", |
|
61 |
+ }) |
|
64 | 62 |
} |
65 | 63 |
|
66 | 64 |
func (s *DockerTrustSuite) TestPullWhenCertExpired(c *check.C) { |
... | ... |
@@ -72,22 +54,19 @@ func (s *DockerTrustSuite) TestPullWhenCertExpired(c *check.C) { |
72 | 72 |
|
73 | 73 |
testutil.RunAtDifferentDate(elevenYearsFromNow, func() { |
74 | 74 |
// Try pull |
75 |
- pullCmd := exec.Command(dockerBinary, "pull", repoName) |
|
76 |
- s.trustedCmd(pullCmd) |
|
77 |
- out, _, err := runCommandWithOutput(pullCmd) |
|
78 |
- |
|
79 |
- c.Assert(err, check.NotNil, check.Commentf(out)) |
|
80 |
- c.Assert(string(out), checker.Contains, "could not validate the path to a trusted root", check.Commentf(out)) |
|
75 |
+ icmd.RunCmd(icmd.Cmd{ |
|
76 |
+ Command: []string{dockerBinary, "pull", repoName}, |
|
77 |
+ }, trustedCmd).Assert(c, icmd.Expected{ |
|
78 |
+ ExitCode: 1, |
|
79 |
+ Err: "could not validate the path to a trusted root", |
|
80 |
+ }) |
|
81 | 81 |
}) |
82 | 82 |
|
83 | 83 |
testutil.RunAtDifferentDate(elevenYearsFromNow, func() { |
84 | 84 |
// Try pull |
85 |
- pullCmd := exec.Command(dockerBinary, "pull", "--disable-content-trust", repoName) |
|
86 |
- s.trustedCmd(pullCmd) |
|
87 |
- out, _, err := runCommandWithOutput(pullCmd) |
|
88 |
- |
|
89 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
90 |
- c.Assert(string(out), checker.Contains, "Status: Downloaded", check.Commentf(out)) |
|
85 |
+ icmd.RunCmd(icmd.Cmd{ |
|
86 |
+ Command: []string{dockerBinary, "pull", "--disable-content-trust", repoName}, |
|
87 |
+ }, trustedCmd).Assert(c, SuccessDownloaded) |
|
91 | 88 |
}) |
92 | 89 |
} |
93 | 90 |
|
... | ... |
@@ -101,21 +80,11 @@ func (s *DockerTrustSuite) TestTrustedPullFromBadTrustServer(c *check.C) { |
101 | 101 |
// tag the image and upload it to the private registry |
102 | 102 |
dockerCmd(c, "tag", "busybox", repoName) |
103 | 103 |
|
104 |
- pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
105 |
- s.trustedCmd(pushCmd) |
|
106 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
107 |
- |
|
108 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
109 |
- c.Assert(string(out), checker.Contains, "Signing and pushing trust metadata", check.Commentf(out)) |
|
104 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
110 | 105 |
dockerCmd(c, "rmi", repoName) |
111 | 106 |
|
112 | 107 |
// Try pull |
113 |
- pullCmd := exec.Command(dockerBinary, "pull", repoName) |
|
114 |
- s.trustedCmd(pullCmd) |
|
115 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
116 |
- |
|
117 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
118 |
- c.Assert(string(out), checker.Contains, "Tagging", check.Commentf(out)) |
|
108 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, SuccessTagging) |
|
119 | 109 |
dockerCmd(c, "rmi", repoName) |
120 | 110 |
|
121 | 111 |
// Kill the notary server, start a new "evil" one. |
... | ... |
@@ -129,23 +98,13 @@ func (s *DockerTrustSuite) TestTrustedPullFromBadTrustServer(c *check.C) { |
129 | 129 |
dockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName) |
130 | 130 |
|
131 | 131 |
// Push up to the new server |
132 |
- pushCmd = exec.Command(dockerBinary, "--config", evilLocalConfigDir, "push", repoName) |
|
133 |
- s.trustedCmd(pushCmd) |
|
134 |
- out, _, err = runCommandWithOutput(pushCmd) |
|
135 |
- |
|
136 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
137 |
- c.Assert(string(out), checker.Contains, "Signing and pushing trust metadata", check.Commentf(out)) |
|
132 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
138 | 133 |
|
139 | 134 |
// Now, try pulling with the original client from this new trust server. This should fail because the new root is invalid. |
140 |
- pullCmd = exec.Command(dockerBinary, "pull", repoName) |
|
141 |
- s.trustedCmd(pullCmd) |
|
142 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
143 |
- if err == nil { |
|
144 |
- c.Fatalf("Continuing with cached data even though it's an invalid root rotation: %s\n%s", err, out) |
|
145 |
- } |
|
146 |
- if !strings.Contains(out, "could not rotate trust to a new trusted root") { |
|
147 |
- c.Fatalf("Missing expected output on trusted pull:\n%s", out) |
|
148 |
- } |
|
135 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{ |
|
136 |
+ ExitCode: 1, |
|
137 |
+ Err: "could not rotate trust to a new trusted root", |
|
138 |
+ }) |
|
149 | 139 |
} |
150 | 140 |
|
151 | 141 |
func (s *DockerTrustSuite) TestTrustedPullWithExpiredSnapshot(c *check.C) { |
... | ... |
@@ -155,13 +114,7 @@ func (s *DockerTrustSuite) TestTrustedPullWithExpiredSnapshot(c *check.C) { |
155 | 155 |
dockerCmd(c, "tag", "busybox", repoName) |
156 | 156 |
|
157 | 157 |
// Push with default passphrases |
158 |
- pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
159 |
- s.trustedCmd(pushCmd) |
|
160 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
161 |
- |
|
162 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
163 |
- c.Assert(string(out), checker.Contains, "Signing and pushing trust metadata", check.Commentf(out)) |
|
164 |
- |
|
158 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
165 | 159 |
dockerCmd(c, "rmi", repoName) |
166 | 160 |
|
167 | 161 |
// Snapshots last for three years. This should be expired |
... | ... |
@@ -169,41 +122,28 @@ func (s *DockerTrustSuite) TestTrustedPullWithExpiredSnapshot(c *check.C) { |
169 | 169 |
|
170 | 170 |
testutil.RunAtDifferentDate(fourYearsLater, func() { |
171 | 171 |
// Try pull |
172 |
- pullCmd := exec.Command(dockerBinary, "pull", repoName) |
|
173 |
- s.trustedCmd(pullCmd) |
|
174 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
175 |
- |
|
176 |
- c.Assert(err, check.NotNil, check.Commentf("Missing expected error running trusted pull with expired snapshots")) |
|
177 |
- c.Assert(string(out), checker.Contains, "repository out-of-date", check.Commentf(out)) |
|
172 |
+ icmd.RunCmd(icmd.Cmd{ |
|
173 |
+ Command: []string{dockerBinary, "pull", repoName}, |
|
174 |
+ }, trustedCmd).Assert(c, icmd.Expected{ |
|
175 |
+ ExitCode: 1, |
|
176 |
+ Err: "repository out-of-date", |
|
177 |
+ }) |
|
178 | 178 |
}) |
179 | 179 |
} |
180 | 180 |
|
181 | 181 |
func (s *DockerTrustSuite) TestTrustedOfflinePull(c *check.C) { |
182 | 182 |
repoName := s.setupTrustedImage(c, "trusted-offline-pull") |
183 | 183 |
|
184 |
- pullCmd := exec.Command(dockerBinary, "pull", repoName) |
|
185 |
- s.trustedCmdWithServer(pullCmd, "https://invalidnotaryserver") |
|
186 |
- out, _, err := runCommandWithOutput(pullCmd) |
|
187 |
- |
|
188 |
- c.Assert(err, check.NotNil, check.Commentf(out)) |
|
189 |
- c.Assert(string(out), checker.Contains, "error contacting notary server", check.Commentf(out)) |
|
184 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmdWithServer("https://invalidnotaryserver")).Assert(c, icmd.Expected{ |
|
185 |
+ ExitCode: 1, |
|
186 |
+ Err: "error contacting notary server", |
|
187 |
+ }) |
|
190 | 188 |
// Do valid trusted pull to warm cache |
191 |
- pullCmd = exec.Command(dockerBinary, "pull", repoName) |
|
192 |
- s.trustedCmd(pullCmd) |
|
193 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
194 |
- |
|
195 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
196 |
- c.Assert(string(out), checker.Contains, "Tagging", check.Commentf(out)) |
|
197 |
- |
|
189 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, SuccessTagging) |
|
198 | 190 |
dockerCmd(c, "rmi", repoName) |
199 | 191 |
|
200 | 192 |
// Try pull again with invalid notary server, should use cache |
201 |
- pullCmd = exec.Command(dockerBinary, "pull", repoName) |
|
202 |
- s.trustedCmdWithServer(pullCmd, "https://invalidnotaryserver") |
|
203 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
204 |
- |
|
205 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
206 |
- c.Assert(string(out), checker.Contains, "Tagging", check.Commentf(out)) |
|
193 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmdWithServer("https://invalidnotaryserver")).Assert(c, SuccessTagging) |
|
207 | 194 |
} |
208 | 195 |
|
209 | 196 |
func (s *DockerTrustSuite) TestTrustedPullDelete(c *check.C) { |
... | ... |
@@ -214,29 +154,16 @@ func (s *DockerTrustSuite) TestTrustedPullDelete(c *check.C) { |
214 | 214 |
CMD echo trustedpulldelete |
215 | 215 |
`, true) |
216 | 216 |
|
217 |
- pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
218 |
- s.trustedCmd(pushCmd) |
|
219 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
220 |
- if err != nil { |
|
221 |
- c.Fatalf("Error running trusted push: %s\n%s", err, out) |
|
222 |
- } |
|
223 |
- if !strings.Contains(string(out), "Signing and pushing trust metadata") { |
|
224 |
- c.Fatalf("Missing expected output on trusted push:\n%s", out) |
|
225 |
- } |
|
217 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
226 | 218 |
|
227 |
- if out, status := dockerCmd(c, "rmi", repoName); status != 0 { |
|
228 |
- c.Fatalf("Error removing image %q\n%s", repoName, out) |
|
229 |
- } |
|
219 |
+ dockerCmd(c, "rmi", repoName) |
|
230 | 220 |
|
231 | 221 |
// Try pull |
232 |
- pullCmd := exec.Command(dockerBinary, "pull", repoName) |
|
233 |
- s.trustedCmd(pullCmd) |
|
234 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
222 |
+ result := icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd) |
|
223 |
+ result.Assert(c, icmd.Success) |
|
235 | 224 |
|
236 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
237 |
- |
|
238 |
- matches := digestRegex.FindStringSubmatch(out) |
|
239 |
- c.Assert(matches, checker.HasLen, 2, check.Commentf("unable to parse digest from pull output: %s", out)) |
|
225 |
+ matches := digestRegex.FindStringSubmatch(result.Combined()) |
|
226 |
+ c.Assert(matches, checker.HasLen, 2, check.Commentf("unable to parse digest from pull output: %s", result.Combined())) |
|
240 | 227 |
pullDigest := matches[1] |
241 | 228 |
|
242 | 229 |
imageID := inspectField(c, repoName, "Id") |
... | ... |
@@ -263,18 +190,13 @@ func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) { |
263 | 263 |
|
264 | 264 |
// Push with targets first, initializing the repo |
265 | 265 |
dockerCmd(c, "tag", "busybox", targetName) |
266 |
- pushCmd := exec.Command(dockerBinary, "push", targetName) |
|
267 |
- s.trustedCmd(pushCmd) |
|
268 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
269 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
266 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Success) |
|
270 | 267 |
s.assertTargetInRoles(c, repoName, "latest", "targets") |
271 | 268 |
|
272 | 269 |
// Try pull, check we retrieve from targets role |
273 |
- pullCmd := exec.Command(dockerBinary, "-D", "pull", repoName) |
|
274 |
- s.trustedCmd(pullCmd) |
|
275 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
276 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
277 |
- c.Assert(out, checker.Contains, "retrieving target for targets role") |
|
270 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{ |
|
271 |
+ Err: "retrieving target for targets role", |
|
272 |
+ }) |
|
278 | 273 |
|
279 | 274 |
// Now we'll create the releases role, and try pushing and pulling |
280 | 275 |
s.notaryCreateDelegation(c, repoName, "targets/releases", s.not.keys[0].Public) |
... | ... |
@@ -283,31 +205,23 @@ func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) { |
283 | 283 |
|
284 | 284 |
// try a pull, check that we can still pull because we can still read the |
285 | 285 |
// old tag in the targets role |
286 |
- pullCmd = exec.Command(dockerBinary, "-D", "pull", repoName) |
|
287 |
- s.trustedCmd(pullCmd) |
|
288 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
289 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
290 |
- c.Assert(out, checker.Contains, "retrieving target for targets role") |
|
286 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{ |
|
287 |
+ Err: "retrieving target for targets role", |
|
288 |
+ }) |
|
291 | 289 |
|
292 | 290 |
// try a pull -a, check that it succeeds because we can still pull from the |
293 | 291 |
// targets role |
294 |
- pullCmd = exec.Command(dockerBinary, "-D", "pull", "-a", repoName) |
|
295 |
- s.trustedCmd(pullCmd) |
|
296 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
297 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
292 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", "-a", repoName), trustedCmd).Assert(c, icmd.Success) |
|
298 | 293 |
|
299 | 294 |
// Push, should sign with targets/releases |
300 | 295 |
dockerCmd(c, "tag", "busybox", targetName) |
301 |
- pushCmd = exec.Command(dockerBinary, "push", targetName) |
|
302 |
- s.trustedCmd(pushCmd) |
|
303 |
- out, _, err = runCommandWithOutput(pushCmd) |
|
296 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Success) |
|
304 | 297 |
s.assertTargetInRoles(c, repoName, "latest", "targets", "targets/releases") |
305 | 298 |
|
306 | 299 |
// Try pull, check we retrieve from targets/releases role |
307 |
- pullCmd = exec.Command(dockerBinary, "-D", "pull", repoName) |
|
308 |
- s.trustedCmd(pullCmd) |
|
309 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
310 |
- c.Assert(out, checker.Contains, "retrieving target for targets/releases role") |
|
300 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{ |
|
301 |
+ Err: "retrieving target for targets/releases role", |
|
302 |
+ }) |
|
311 | 303 |
|
312 | 304 |
// Create another delegation that we'll sign with |
313 | 305 |
s.notaryCreateDelegation(c, repoName, "targets/other", s.not.keys[1].Public) |
... | ... |
@@ -315,16 +229,13 @@ func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) { |
315 | 315 |
s.notaryPublish(c, repoName) |
316 | 316 |
|
317 | 317 |
dockerCmd(c, "tag", "busybox", targetName) |
318 |
- pushCmd = exec.Command(dockerBinary, "push", targetName) |
|
319 |
- s.trustedCmd(pushCmd) |
|
320 |
- out, _, err = runCommandWithOutput(pushCmd) |
|
318 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Success) |
|
321 | 319 |
s.assertTargetInRoles(c, repoName, "latest", "targets", "targets/releases", "targets/other") |
322 | 320 |
|
323 | 321 |
// Try pull, check we retrieve from targets/releases role |
324 |
- pullCmd = exec.Command(dockerBinary, "-D", "pull", repoName) |
|
325 |
- s.trustedCmd(pullCmd) |
|
326 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
327 |
- c.Assert(out, checker.Contains, "retrieving target for targets/releases role") |
|
322 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{ |
|
323 |
+ Err: "retrieving target for targets/releases role", |
|
324 |
+ }) |
|
328 | 325 |
} |
329 | 326 |
|
330 | 327 |
func (s *DockerTrustSuite) TestTrustedPullIgnoresOtherDelegationRoles(c *check.C) { |
... | ... |
@@ -341,26 +252,22 @@ func (s *DockerTrustSuite) TestTrustedPullIgnoresOtherDelegationRoles(c *check.C |
341 | 341 |
|
342 | 342 |
// Push should write to the delegation role, not targets |
343 | 343 |
dockerCmd(c, "tag", "busybox", targetName) |
344 |
- pushCmd := exec.Command(dockerBinary, "push", targetName) |
|
345 |
- s.trustedCmd(pushCmd) |
|
346 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
347 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
344 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Success) |
|
348 | 345 |
s.assertTargetInRoles(c, repoName, "latest", "targets/other") |
349 | 346 |
s.assertTargetNotInRoles(c, repoName, "latest", "targets") |
350 | 347 |
|
351 | 348 |
// Try pull - we should fail, since pull will only pull from the targets/releases |
352 | 349 |
// role or the targets role |
353 |
- pullCmd := exec.Command(dockerBinary, "-D", "pull", repoName) |
|
354 |
- s.trustedCmd(pullCmd) |
|
355 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
356 |
- c.Assert(err, check.NotNil, check.Commentf(out)) |
|
357 |
- c.Assert(out, checker.Contains, "No trust data for") |
|
350 |
+ dockerCmd(c, "tag", "busybox", targetName) |
|
351 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", repoName), trustedCmd).Assert(c, icmd.Expected{ |
|
352 |
+ ExitCode: 1, |
|
353 |
+ Err: "No trust data for", |
|
354 |
+ }) |
|
358 | 355 |
|
359 | 356 |
// try a pull -a: we should fail since pull will only pull from the targets/releases |
360 | 357 |
// role or the targets role |
361 |
- pullCmd = exec.Command(dockerBinary, "-D", "pull", "-a", repoName) |
|
362 |
- s.trustedCmd(pullCmd) |
|
363 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
364 |
- c.Assert(err, check.NotNil, check.Commentf(out)) |
|
365 |
- c.Assert(out, checker.Contains, "No trusted tags for") |
|
358 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "-D", "pull", "-a", repoName), trustedCmd).Assert(c, icmd.Expected{ |
|
359 |
+ ExitCode: 1, |
|
360 |
+ Err: "No trusted tags for", |
|
361 |
+ }) |
|
366 | 362 |
} |
... | ... |
@@ -7,17 +7,16 @@ import ( |
7 | 7 |
"net/http" |
8 | 8 |
"net/http/httptest" |
9 | 9 |
"os" |
10 |
- "os/exec" |
|
11 | 10 |
"path/filepath" |
12 | 11 |
"strings" |
13 | 12 |
"sync" |
14 | 13 |
"time" |
15 | 14 |
|
16 | 15 |
"github.com/docker/distribution/reference" |
17 |
- icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
18 | 16 |
cliconfig "github.com/docker/docker/cli/config" |
19 | 17 |
"github.com/docker/docker/integration-cli/checker" |
20 | 18 |
"github.com/docker/docker/pkg/testutil" |
19 |
+ icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
21 | 20 |
"github.com/go-check/check" |
22 | 21 |
) |
23 | 22 |
|
... | ... |
@@ -138,11 +137,11 @@ func testPushEmptyLayer(c *check.C) { |
138 | 138 |
|
139 | 139 |
icmd.RunCmd(icmd.Cmd{ |
140 | 140 |
Command: []string{dockerBinary, "import", "-", repoName}, |
141 |
- Stdin: freader, |
|
141 |
+ Stdin: freader, |
|
142 | 142 |
}).Assert(c, icmd.Success) |
143 | 143 |
|
144 | 144 |
// Now verify we can push it |
145 |
- out, _, err = dockerCmdWithError("push", repoName) |
|
145 |
+ out, _, err := dockerCmdWithError("push", repoName) |
|
146 | 146 |
c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out)) |
147 | 147 |
} |
148 | 148 |
|
... | ... |
@@ -288,18 +287,12 @@ func (s *DockerTrustSuite) TestTrustedPush(c *check.C) { |
288 | 288 |
// tag the image and upload it to the private registry |
289 | 289 |
dockerCmd(c, "tag", "busybox", repoName) |
290 | 290 |
|
291 |
- pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
292 |
- s.trustedCmd(pushCmd) |
|
293 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
294 |
- c.Assert(err, check.IsNil, check.Commentf("Error running trusted push: %s\n%s", err, out)) |
|
295 |
- c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push")) |
|
291 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
296 | 292 |
|
297 | 293 |
// Try pull after push |
298 |
- pullCmd := exec.Command(dockerBinary, "pull", repoName) |
|
299 |
- s.trustedCmd(pullCmd) |
|
300 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
301 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
302 |
- c.Assert(string(out), checker.Contains, "Status: Image is up to date", check.Commentf(out)) |
|
294 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{ |
|
295 |
+ Out: "Status: Image is up to date", |
|
296 |
+ }) |
|
303 | 297 |
|
304 | 298 |
// Assert that we rotated the snapshot key to the server by checking our local keystore |
305 | 299 |
contents, err := ioutil.ReadDir(filepath.Join(cliconfig.Dir(), "trust/private/tuf_keys", privateRegistryURL, "dockerclitrusted/pushtest")) |
... | ... |
@@ -313,18 +306,12 @@ func (s *DockerTrustSuite) TestTrustedPushWithEnvPasswords(c *check.C) { |
313 | 313 |
// tag the image and upload it to the private registry |
314 | 314 |
dockerCmd(c, "tag", "busybox", repoName) |
315 | 315 |
|
316 |
- pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
317 |
- s.trustedCmdWithPassphrases(pushCmd, "12345678", "12345678") |
|
318 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
319 |
- c.Assert(err, check.IsNil, check.Commentf("Error running trusted push: %s\n%s", err, out)) |
|
320 |
- c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push")) |
|
316 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmdWithPassphrases("12345678", "12345678")).Assert(c, SuccessSigningAndPushing) |
|
321 | 317 |
|
322 | 318 |
// Try pull after push |
323 |
- pullCmd := exec.Command(dockerBinary, "pull", repoName) |
|
324 |
- s.trustedCmd(pullCmd) |
|
325 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
326 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
327 |
- c.Assert(string(out), checker.Contains, "Status: Image is up to date", check.Commentf(out)) |
|
319 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{ |
|
320 |
+ Out: "Status: Image is up to date", |
|
321 |
+ }) |
|
328 | 322 |
} |
329 | 323 |
|
330 | 324 |
func (s *DockerTrustSuite) TestTrustedPushWithFailingServer(c *check.C) { |
... | ... |
@@ -332,12 +319,11 @@ func (s *DockerTrustSuite) TestTrustedPushWithFailingServer(c *check.C) { |
332 | 332 |
// tag the image and upload it to the private registry |
333 | 333 |
dockerCmd(c, "tag", "busybox", repoName) |
334 | 334 |
|
335 |
- pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
336 | 335 |
// Using a name that doesn't resolve to an address makes this test faster |
337 |
- s.trustedCmdWithServer(pushCmd, "https://server.invalid:81/") |
|
338 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
339 |
- c.Assert(err, check.NotNil, check.Commentf("Missing error while running trusted push w/ no server")) |
|
340 |
- c.Assert(out, checker.Contains, "error contacting notary server", check.Commentf("Missing expected output on trusted push")) |
|
336 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmdWithServer("https://server.invalid:81/")).Assert(c, icmd.Expected{ |
|
337 |
+ ExitCode: 1, |
|
338 |
+ Err: "error contacting notary server", |
|
339 |
+ }) |
|
341 | 340 |
} |
342 | 341 |
|
343 | 342 |
func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C) { |
... | ... |
@@ -345,12 +331,9 @@ func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C) |
345 | 345 |
// tag the image and upload it to the private registry |
346 | 346 |
dockerCmd(c, "tag", "busybox", repoName) |
347 | 347 |
|
348 |
- pushCmd := exec.Command(dockerBinary, "push", "--disable-content-trust", repoName) |
|
349 |
- // Using a name that doesn't resolve to an address makes this test faster |
|
350 |
- s.trustedCmdWithServer(pushCmd, "https://server.invalid") |
|
351 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
352 |
- c.Assert(err, check.IsNil, check.Commentf("trusted push with no server and --disable-content-trust failed: %s\n%s", err, out)) |
|
353 |
- c.Assert(out, check.Not(checker.Contains), "Error establishing connection to notary repository", check.Commentf("Missing expected output on trusted push with --disable-content-trust:")) |
|
348 |
+ result := icmd.RunCmd(icmd.Command(dockerBinary, "push", "--disable-content-trust", repoName), trustedCmdWithServer("https://server.invalid:81/")) |
|
349 |
+ result.Assert(c, icmd.Success) |
|
350 |
+ c.Assert(result.Combined(), check.Not(checker.Contains), "Error establishing connection to notary repository", check.Commentf("Missing expected output on trusted push with --disable-content-trust:")) |
|
354 | 351 |
} |
355 | 352 |
|
356 | 353 |
func (s *DockerTrustSuite) TestTrustedPushWithExistingTag(c *check.C) { |
... | ... |
@@ -359,18 +342,12 @@ func (s *DockerTrustSuite) TestTrustedPushWithExistingTag(c *check.C) { |
359 | 359 |
dockerCmd(c, "tag", "busybox", repoName) |
360 | 360 |
dockerCmd(c, "push", repoName) |
361 | 361 |
|
362 |
- pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
363 |
- s.trustedCmd(pushCmd) |
|
364 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
365 |
- c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out)) |
|
366 |
- c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with existing tag")) |
|
362 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
367 | 363 |
|
368 | 364 |
// Try pull after push |
369 |
- pullCmd := exec.Command(dockerBinary, "pull", repoName) |
|
370 |
- s.trustedCmd(pullCmd) |
|
371 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
372 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
373 |
- c.Assert(string(out), checker.Contains, "Status: Image is up to date", check.Commentf(out)) |
|
365 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, icmd.Expected{ |
|
366 |
+ Out: "Status: Image is up to date", |
|
367 |
+ }) |
|
374 | 368 |
} |
375 | 369 |
|
376 | 370 |
func (s *DockerTrustSuite) TestTrustedPushWithExistingSignedTag(c *check.C) { |
... | ... |
@@ -379,28 +356,14 @@ func (s *DockerTrustSuite) TestTrustedPushWithExistingSignedTag(c *check.C) { |
379 | 379 |
dockerCmd(c, "tag", "busybox", repoName) |
380 | 380 |
|
381 | 381 |
// Do a trusted push |
382 |
- pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
383 |
- s.trustedCmd(pushCmd) |
|
384 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
385 |
- c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out)) |
|
386 |
- c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with existing tag")) |
|
382 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
387 | 383 |
|
388 | 384 |
// Do another trusted push |
389 |
- pushCmd = exec.Command(dockerBinary, "push", repoName) |
|
390 |
- s.trustedCmd(pushCmd) |
|
391 |
- out, _, err = runCommandWithOutput(pushCmd) |
|
392 |
- c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out)) |
|
393 |
- c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with existing tag")) |
|
394 |
- |
|
385 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
395 | 386 |
dockerCmd(c, "rmi", repoName) |
396 | 387 |
|
397 | 388 |
// Try pull to ensure the double push did not break our ability to pull |
398 |
- pullCmd := exec.Command(dockerBinary, "pull", repoName) |
|
399 |
- s.trustedCmd(pullCmd) |
|
400 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
401 |
- c.Assert(err, check.IsNil, check.Commentf("Error running trusted pull: %s\n%s", err, out)) |
|
402 |
- c.Assert(out, checker.Contains, "Status: Downloaded", check.Commentf("Missing expected output on trusted pull with --disable-content-trust")) |
|
403 |
- |
|
389 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "pull", repoName), trustedCmd).Assert(c, SuccessDownloaded) |
|
404 | 390 |
} |
405 | 391 |
|
406 | 392 |
func (s *DockerTrustSuite) TestTrustedPushWithIncorrectPassphraseForNonRoot(c *check.C) { |
... | ... |
@@ -409,18 +372,13 @@ func (s *DockerTrustSuite) TestTrustedPushWithIncorrectPassphraseForNonRoot(c *c |
409 | 409 |
dockerCmd(c, "tag", "busybox", repoName) |
410 | 410 |
|
411 | 411 |
// Push with default passphrases |
412 |
- pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
413 |
- s.trustedCmd(pushCmd) |
|
414 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
415 |
- c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out)) |
|
416 |
- c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push:\n%s", out)) |
|
412 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
417 | 413 |
|
418 | 414 |
// Push with wrong passphrases |
419 |
- pushCmd = exec.Command(dockerBinary, "push", repoName) |
|
420 |
- s.trustedCmdWithPassphrases(pushCmd, "12345678", "87654321") |
|
421 |
- out, _, err = runCommandWithOutput(pushCmd) |
|
422 |
- c.Assert(err, check.NotNil, check.Commentf("Error missing from trusted push with short targets passphrase: \n%s", out)) |
|
423 |
- c.Assert(out, checker.Contains, "could not find necessary signing keys", check.Commentf("Missing expected output on trusted push with short targets/snapsnot passphrase")) |
|
415 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmdWithPassphrases("12345678", "87654321")).Assert(c, icmd.Expected{ |
|
416 |
+ ExitCode: 1, |
|
417 |
+ Err: "could not find necessary signing keys", |
|
418 |
+ }) |
|
424 | 419 |
} |
425 | 420 |
|
426 | 421 |
func (s *DockerTrustSuite) TestTrustedPushWithExpiredSnapshot(c *check.C) { |
... | ... |
@@ -430,22 +388,19 @@ func (s *DockerTrustSuite) TestTrustedPushWithExpiredSnapshot(c *check.C) { |
430 | 430 |
dockerCmd(c, "tag", "busybox", repoName) |
431 | 431 |
|
432 | 432 |
// Push with default passphrases |
433 |
- pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
434 |
- s.trustedCmd(pushCmd) |
|
435 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
436 |
- c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out)) |
|
437 |
- c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push")) |
|
433 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
438 | 434 |
|
439 | 435 |
// Snapshots last for three years. This should be expired |
440 | 436 |
fourYearsLater := time.Now().Add(time.Hour * 24 * 365 * 4) |
441 | 437 |
|
442 | 438 |
testutil.RunAtDifferentDate(fourYearsLater, func() { |
443 | 439 |
// Push with wrong passphrases |
444 |
- pushCmd = exec.Command(dockerBinary, "push", repoName) |
|
445 |
- s.trustedCmd(pushCmd) |
|
446 |
- out, _, err = runCommandWithOutput(pushCmd) |
|
447 |
- c.Assert(err, check.NotNil, check.Commentf("Error missing from trusted push with expired snapshot: \n%s", out)) |
|
448 |
- c.Assert(out, checker.Contains, "repository out-of-date", check.Commentf("Missing expected output on trusted push with expired snapshot")) |
|
440 |
+ icmd.RunCmd(icmd.Cmd{ |
|
441 |
+ Command: []string{dockerBinary, "push", repoName}, |
|
442 |
+ }, trustedCmd).Assert(c, icmd.Expected{ |
|
443 |
+ ExitCode: 1, |
|
444 |
+ Err: "repository out-of-date", |
|
445 |
+ }) |
|
449 | 446 |
}) |
450 | 447 |
} |
451 | 448 |
|
... | ... |
@@ -456,22 +411,15 @@ func (s *DockerTrustSuite) TestTrustedPushWithExpiredTimestamp(c *check.C) { |
456 | 456 |
dockerCmd(c, "tag", "busybox", repoName) |
457 | 457 |
|
458 | 458 |
// Push with default passphrases |
459 |
- pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
460 |
- s.trustedCmd(pushCmd) |
|
461 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
462 |
- c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out)) |
|
463 |
- c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push")) |
|
459 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
464 | 460 |
|
465 | 461 |
// The timestamps expire in two weeks. Lets check three |
466 | 462 |
threeWeeksLater := time.Now().Add(time.Hour * 24 * 21) |
467 | 463 |
|
468 | 464 |
// Should succeed because the server transparently re-signs one |
469 | 465 |
testutil.RunAtDifferentDate(threeWeeksLater, func() { |
470 |
- pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
471 |
- s.trustedCmd(pushCmd) |
|
472 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
473 |
- c.Assert(err, check.IsNil, check.Commentf("Error running trusted push: %s\n%s", err, out)) |
|
474 |
- c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with expired timestamp")) |
|
466 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), |
|
467 |
+ trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
475 | 468 |
}) |
476 | 469 |
} |
477 | 470 |
|
... | ... |
@@ -488,11 +436,7 @@ func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegationOnly(c *check.C) |
488 | 488 |
// tag the image and upload it to the private registry |
489 | 489 |
dockerCmd(c, "tag", "busybox", targetName) |
490 | 490 |
|
491 |
- pushCmd := exec.Command(dockerBinary, "push", targetName) |
|
492 |
- s.trustedCmd(pushCmd) |
|
493 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
494 |
- c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out)) |
|
495 |
- c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with existing tag")) |
|
491 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
496 | 492 |
// check to make sure that the target has been added to targets/releases and not targets |
497 | 493 |
s.assertTargetInRoles(c, repoName, "latest", "targets/releases") |
498 | 494 |
s.assertTargetNotInRoles(c, repoName, "latest", "targets") |
... | ... |
@@ -500,11 +444,9 @@ func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegationOnly(c *check.C) |
500 | 500 |
// Try pull after push |
501 | 501 |
os.RemoveAll(filepath.Join(cliconfig.Dir(), "trust")) |
502 | 502 |
|
503 |
- pullCmd := exec.Command(dockerBinary, "pull", targetName) |
|
504 |
- s.trustedCmd(pullCmd) |
|
505 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
506 |
- c.Assert(err, check.IsNil, check.Commentf(out)) |
|
507 |
- c.Assert(string(out), checker.Contains, "Status: Image is up to date", check.Commentf(out)) |
|
503 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "pull", targetName), trustedCmd).Assert(c, icmd.Expected{ |
|
504 |
+ Out: "Status: Image is up to date", |
|
505 |
+ }) |
|
508 | 506 |
} |
509 | 507 |
|
510 | 508 |
func (s *DockerTrustSuite) TestTrustedPushSignsAllFirstLevelRolesWeHaveKeysFor(c *check.C) { |
... | ... |
@@ -528,11 +470,7 @@ func (s *DockerTrustSuite) TestTrustedPushSignsAllFirstLevelRolesWeHaveKeysFor(c |
528 | 528 |
// tag the image and upload it to the private registry |
529 | 529 |
dockerCmd(c, "tag", "busybox", targetName) |
530 | 530 |
|
531 |
- pushCmd := exec.Command(dockerBinary, "push", targetName) |
|
532 |
- s.trustedCmd(pushCmd) |
|
533 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
534 |
- c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out)) |
|
535 |
- c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with existing tag")) |
|
531 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
536 | 532 |
|
537 | 533 |
// check to make sure that the target has been added to targets/role1 and targets/role2, and |
538 | 534 |
// not targets (because there are delegations) or targets/role3 (due to missing key) or |
... | ... |
@@ -544,10 +482,9 @@ func (s *DockerTrustSuite) TestTrustedPushSignsAllFirstLevelRolesWeHaveKeysFor(c |
544 | 544 |
os.RemoveAll(filepath.Join(cliconfig.Dir(), "trust")) |
545 | 545 |
|
546 | 546 |
// pull should fail because none of these are the releases role |
547 |
- pullCmd := exec.Command(dockerBinary, "pull", targetName) |
|
548 |
- s.trustedCmd(pullCmd) |
|
549 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
550 |
- c.Assert(err, check.NotNil, check.Commentf(out)) |
|
547 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "pull", targetName), trustedCmd).Assert(c, icmd.Expected{ |
|
548 |
+ ExitCode: 1, |
|
549 |
+ }) |
|
551 | 550 |
} |
552 | 551 |
|
553 | 552 |
func (s *DockerTrustSuite) TestTrustedPushSignsForRolesWithKeysAndValidPaths(c *check.C) { |
... | ... |
@@ -569,11 +506,7 @@ func (s *DockerTrustSuite) TestTrustedPushSignsForRolesWithKeysAndValidPaths(c * |
569 | 569 |
// tag the image and upload it to the private registry |
570 | 570 |
dockerCmd(c, "tag", "busybox", targetName) |
571 | 571 |
|
572 |
- pushCmd := exec.Command(dockerBinary, "push", targetName) |
|
573 |
- s.trustedCmd(pushCmd) |
|
574 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
575 |
- c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out)) |
|
576 |
- c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with existing tag")) |
|
572 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
577 | 573 |
|
578 | 574 |
// check to make sure that the target has been added to targets/role1 and targets/role4, and |
579 | 575 |
// not targets (because there are delegations) or targets/role2 (due to path restrictions) or |
... | ... |
@@ -585,10 +518,9 @@ func (s *DockerTrustSuite) TestTrustedPushSignsForRolesWithKeysAndValidPaths(c * |
585 | 585 |
os.RemoveAll(filepath.Join(cliconfig.Dir(), "trust")) |
586 | 586 |
|
587 | 587 |
// pull should fail because none of these are the releases role |
588 |
- pullCmd := exec.Command(dockerBinary, "pull", targetName) |
|
589 |
- s.trustedCmd(pullCmd) |
|
590 |
- out, _, err = runCommandWithOutput(pullCmd) |
|
591 |
- c.Assert(err, check.NotNil, check.Commentf(out)) |
|
588 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "pull", targetName), trustedCmd).Assert(c, icmd.Expected{ |
|
589 |
+ ExitCode: 1, |
|
590 |
+ }) |
|
592 | 591 |
} |
593 | 592 |
|
594 | 593 |
func (s *DockerTrustSuite) TestTrustedPushDoesntSignTargetsIfDelegationsExist(c *check.C) { |
... | ... |
@@ -604,13 +536,10 @@ func (s *DockerTrustSuite) TestTrustedPushDoesntSignTargetsIfDelegationsExist(c |
604 | 604 |
// tag the image and upload it to the private registry |
605 | 605 |
dockerCmd(c, "tag", "busybox", targetName) |
606 | 606 |
|
607 |
- pushCmd := exec.Command(dockerBinary, "push", targetName) |
|
608 |
- s.trustedCmd(pushCmd) |
|
609 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
610 |
- c.Assert(err, check.NotNil, check.Commentf("trusted push succeeded but should have failed:\n%s", out)) |
|
611 |
- c.Assert(out, checker.Contains, "no valid signing keys", |
|
612 |
- check.Commentf("Missing expected output on trusted push without keys")) |
|
613 |
- |
|
607 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", targetName), trustedCmd).Assert(c, icmd.Expected{ |
|
608 |
+ ExitCode: 1, |
|
609 |
+ Err: "no valid signing keys", |
|
610 |
+ }) |
|
614 | 611 |
s.assertTargetNotInRoles(c, repoName, "latest", "targets", "targets/role1") |
615 | 612 |
} |
616 | 613 |
|
... | ... |
@@ -2,13 +2,12 @@ package main |
2 | 2 |
|
3 | 3 |
import ( |
4 | 4 |
"fmt" |
5 |
- "os/exec" |
|
6 | 5 |
"strings" |
7 | 6 |
"time" |
8 | 7 |
|
9 |
- icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
10 | 8 |
"github.com/docker/docker/integration-cli/checker" |
11 | 9 |
"github.com/docker/docker/pkg/stringid" |
10 |
+ icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
12 | 11 |
"github.com/go-check/check" |
13 | 12 |
) |
14 | 13 |
|
... | ... |
@@ -179,7 +178,7 @@ func (s *DockerSuite) TestRmiForceWithExistingContainers(c *check.C) { |
179 | 179 |
icmd.RunCmd(icmd.Cmd{ |
180 | 180 |
Command: []string{dockerBinary, "build", "--no-cache", "-t", image, "-"}, |
181 | 181 |
Stdin: strings.NewReader(`FROM busybox |
182 |
-MAINTAINER foo`) |
|
182 |
+MAINTAINER foo`), |
|
183 | 183 |
}).Assert(c, icmd.Success) |
184 | 184 |
|
185 | 185 |
dockerCmd(c, "run", "--name", "test-force-rmi", image, "/bin/true") |
... | ... |
@@ -865,7 +865,7 @@ func (s *DockerSuite) TestRunEnvironmentErase(c *check.C) { |
865 | 865 |
|
866 | 866 |
result := icmd.RunCmd(icmd.Cmd{ |
867 | 867 |
Command: []string{dockerBinary, "run", "-e", "FOO", "-e", "HOSTNAME", "busybox", "env"}, |
868 |
- Env: appendBaseEnd(true), |
|
868 |
+ Env: appendBaseEnv(true), |
|
869 | 869 |
}) |
870 | 870 |
result.Assert(c, icmd.Success) |
871 | 871 |
|
... | ... |
@@ -897,7 +897,7 @@ func (s *DockerSuite) TestRunEnvironmentOverride(c *check.C) { |
897 | 897 |
|
898 | 898 |
result := icmd.RunCmd(icmd.Cmd{ |
899 | 899 |
Command: []string{dockerBinary, "run", "-e", "HOSTNAME", "-e", "HOME=/root2", "busybox", "env"}, |
900 |
- Env: appendBaseEnv(true, "HOSTNAME=bar"), |
|
900 |
+ Env: appendBaseEnv(true, "HOSTNAME=bar"), |
|
901 | 901 |
}) |
902 | 902 |
result.Assert(c, icmd.Success) |
903 | 903 |
|
... | ... |
@@ -3262,30 +3262,11 @@ func (s *DockerTrustSuite) TestTrustedRun(c *check.C) { |
3262 | 3262 |
repoName := s.setupTrustedImage(c, "trusted-run") |
3263 | 3263 |
|
3264 | 3264 |
// Try run |
3265 |
- runCmd := exec.Command(dockerBinary, "run", repoName) |
|
3266 |
- s.trustedCmd(runCmd) |
|
3267 |
- out, _, err := runCommandWithOutput(runCmd) |
|
3268 |
- if err != nil { |
|
3269 |
- c.Fatalf("Error running trusted run: %s\n%s\n", err, out) |
|
3270 |
- } |
|
3271 |
- |
|
3272 |
- if !strings.Contains(string(out), "Tagging") { |
|
3273 |
- c.Fatalf("Missing expected output on trusted push:\n%s", out) |
|
3274 |
- } |
|
3275 |
- |
|
3265 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "run", repoName), trustedCmd).Assert(c, SuccessTagging) |
|
3276 | 3266 |
dockerCmd(c, "rmi", repoName) |
3277 | 3267 |
|
3278 | 3268 |
// Try untrusted run to ensure we pushed the tag to the registry |
3279 |
- runCmd = exec.Command(dockerBinary, "run", "--disable-content-trust=true", repoName) |
|
3280 |
- s.trustedCmd(runCmd) |
|
3281 |
- out, _, err = runCommandWithOutput(runCmd) |
|
3282 |
- if err != nil { |
|
3283 |
- c.Fatalf("Error running trusted run: %s\n%s", err, out) |
|
3284 |
- } |
|
3285 |
- |
|
3286 |
- if !strings.Contains(string(out), "Status: Downloaded") { |
|
3287 |
- c.Fatalf("Missing expected output on trusted run with --disable-content-trust:\n%s", out) |
|
3288 |
- } |
|
3269 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "run", "--disable-content-trust=true", repoName), trustedCmd).Assert(c, SuccessDownloadedOnStderr) |
|
3289 | 3270 |
} |
3290 | 3271 |
|
3291 | 3272 |
func (s *DockerTrustSuite) TestUntrustedRun(c *check.C) { |
... | ... |
@@ -3298,16 +3279,10 @@ func (s *DockerTrustSuite) TestUntrustedRun(c *check.C) { |
3298 | 3298 |
dockerCmd(c, "rmi", repoName) |
3299 | 3299 |
|
3300 | 3300 |
// Try trusted run on untrusted tag |
3301 |
- runCmd := exec.Command(dockerBinary, "run", repoName) |
|
3302 |
- s.trustedCmd(runCmd) |
|
3303 |
- out, _, err := runCommandWithOutput(runCmd) |
|
3304 |
- if err == nil { |
|
3305 |
- c.Fatalf("Error expected when running trusted run with:\n%s", out) |
|
3306 |
- } |
|
3307 |
- |
|
3308 |
- if !strings.Contains(string(out), "does not have trust data for") { |
|
3309 |
- c.Fatalf("Missing expected output on trusted run:\n%s", out) |
|
3310 |
- } |
|
3301 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "run", repoName), trustedCmd).Assert(c, icmd.Expected{ |
|
3302 |
+ ExitCode: 125, |
|
3303 |
+ Err: "does not have trust data for", |
|
3304 |
+ }) |
|
3311 | 3305 |
} |
3312 | 3306 |
|
3313 | 3307 |
func (s *DockerTrustSuite) TestRunWhenCertExpired(c *check.C) { |
... | ... |
@@ -3321,30 +3296,19 @@ func (s *DockerTrustSuite) TestRunWhenCertExpired(c *check.C) { |
3321 | 3321 |
|
3322 | 3322 |
testutil.RunAtDifferentDate(elevenYearsFromNow, func() { |
3323 | 3323 |
// Try run |
3324 |
- runCmd := exec.Command(dockerBinary, "run", repoName) |
|
3325 |
- s.trustedCmd(runCmd) |
|
3326 |
- out, _, err := runCommandWithOutput(runCmd) |
|
3327 |
- if err == nil { |
|
3328 |
- c.Fatalf("Error running trusted run in the distant future: %s\n%s", err, out) |
|
3329 |
- } |
|
3330 |
- |
|
3331 |
- if !strings.Contains(string(out), "could not validate the path to a trusted root") { |
|
3332 |
- c.Fatalf("Missing expected output on trusted run in the distant future:\n%s", out) |
|
3333 |
- } |
|
3324 |
+ icmd.RunCmd(icmd.Cmd{ |
|
3325 |
+ Command: []string{dockerBinary, "run", repoName}, |
|
3326 |
+ }, trustedCmd).Assert(c, icmd.Expected{ |
|
3327 |
+ ExitCode: 1, |
|
3328 |
+ Err: "could not validate the path to a trusted root", |
|
3329 |
+ }) |
|
3334 | 3330 |
}) |
3335 | 3331 |
|
3336 | 3332 |
testutil.RunAtDifferentDate(elevenYearsFromNow, func() { |
3337 | 3333 |
// Try run |
3338 |
- runCmd := exec.Command(dockerBinary, "run", "--disable-content-trust", repoName) |
|
3339 |
- s.trustedCmd(runCmd) |
|
3340 |
- out, _, err := runCommandWithOutput(runCmd) |
|
3341 |
- if err != nil { |
|
3342 |
- c.Fatalf("Error running untrusted run in the distant future: %s\n%s", err, out) |
|
3343 |
- } |
|
3344 |
- |
|
3345 |
- if !strings.Contains(string(out), "Status: Downloaded") { |
|
3346 |
- c.Fatalf("Missing expected output on untrusted run in the distant future:\n%s", out) |
|
3347 |
- } |
|
3334 |
+ icmd.RunCmd(icmd.Cmd{ |
|
3335 |
+ Command: []string{dockerBinary, "run", "--disable-content-trust", repoName}, |
|
3336 |
+ }, trustedCmd).Assert(c, SuccessDownloaded) |
|
3348 | 3337 |
}) |
3349 | 3338 |
} |
3350 | 3339 |
|
... | ... |
@@ -3360,30 +3324,11 @@ func (s *DockerTrustSuite) TestTrustedRunFromBadTrustServer(c *check.C) { |
3360 | 3360 |
// tag the image and upload it to the private registry |
3361 | 3361 |
dockerCmd(c, "tag", "busybox", repoName) |
3362 | 3362 |
|
3363 |
- pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
3364 |
- s.trustedCmd(pushCmd) |
|
3365 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
3366 |
- if err != nil { |
|
3367 |
- c.Fatalf("Error running trusted push: %s\n%s", err, out) |
|
3368 |
- } |
|
3369 |
- if !strings.Contains(string(out), "Signing and pushing trust metadata") { |
|
3370 |
- c.Fatalf("Missing expected output on trusted push:\n%s", out) |
|
3371 |
- } |
|
3372 |
- |
|
3363 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
3373 | 3364 |
dockerCmd(c, "rmi", repoName) |
3374 | 3365 |
|
3375 | 3366 |
// Try run |
3376 |
- runCmd := exec.Command(dockerBinary, "run", repoName) |
|
3377 |
- s.trustedCmd(runCmd) |
|
3378 |
- out, _, err = runCommandWithOutput(runCmd) |
|
3379 |
- if err != nil { |
|
3380 |
- c.Fatalf("Error running trusted run: %s\n%s", err, out) |
|
3381 |
- } |
|
3382 |
- |
|
3383 |
- if !strings.Contains(string(out), "Tagging") { |
|
3384 |
- c.Fatalf("Missing expected output on trusted push:\n%s", out) |
|
3385 |
- } |
|
3386 |
- |
|
3367 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "run", repoName), trustedCmd).Assert(c, SuccessTagging) |
|
3387 | 3368 |
dockerCmd(c, "rmi", repoName) |
3388 | 3369 |
|
3389 | 3370 |
// Kill the notary server, start a new "evil" one. |
... | ... |
@@ -3398,27 +3343,13 @@ func (s *DockerTrustSuite) TestTrustedRunFromBadTrustServer(c *check.C) { |
3398 | 3398 |
dockerCmd(c, "--config", evilLocalConfigDir, "tag", "busybox", repoName) |
3399 | 3399 |
|
3400 | 3400 |
// Push up to the new server |
3401 |
- pushCmd = exec.Command(dockerBinary, "--config", evilLocalConfigDir, "push", repoName) |
|
3402 |
- s.trustedCmd(pushCmd) |
|
3403 |
- out, _, err = runCommandWithOutput(pushCmd) |
|
3404 |
- if err != nil { |
|
3405 |
- c.Fatalf("Error running trusted push: %s\n%s", err, out) |
|
3406 |
- } |
|
3407 |
- if !strings.Contains(string(out), "Signing and pushing trust metadata") { |
|
3408 |
- c.Fatalf("Missing expected output on trusted push:\n%s", out) |
|
3409 |
- } |
|
3401 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "--config", evilLocalConfigDir, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
3410 | 3402 |
|
3411 | 3403 |
// Now, try running with the original client from this new trust server. This should fail because the new root is invalid. |
3412 |
- runCmd = exec.Command(dockerBinary, "run", repoName) |
|
3413 |
- s.trustedCmd(runCmd) |
|
3414 |
- out, _, err = runCommandWithOutput(runCmd) |
|
3415 |
- |
|
3416 |
- if err == nil { |
|
3417 |
- c.Fatalf("Continuing with cached data even though it's an invalid root rotation: %s\n%s", err, out) |
|
3418 |
- } |
|
3419 |
- if !strings.Contains(out, "could not rotate trust to a new trusted root") { |
|
3420 |
- c.Fatalf("Missing expected output on trusted run:\n%s", out) |
|
3421 |
- } |
|
3404 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "run", repoName), trustedCmd).Assert(c, icmd.Expected{ |
|
3405 |
+ ExitCode: 125, |
|
3406 |
+ Err: "could not rotate trust to a new trusted root", |
|
3407 |
+ }) |
|
3422 | 3408 |
} |
3423 | 3409 |
|
3424 | 3410 |
func (s *DockerSuite) TestPtraceContainerProcsFromHost(c *check.C) { |
... | ... |
@@ -4007,7 +3938,7 @@ func (s *DockerSuite) TestRunNonExecutableCmd(c *check.C) { |
4007 | 4007 |
name := "testNonExecutableCmd" |
4008 | 4008 |
icmd.RunCommand(dockerBinary, "run", "--name", name, "busybox", "foo").Assert(c, icmd.Expected{ |
4009 | 4009 |
ExitCode: 127, |
4010 |
- Error: "exit status 127", |
|
4010 |
+ Error: "exit status 127", |
|
4011 | 4011 |
}) |
4012 | 4012 |
} |
4013 | 4013 |
|
... | ... |
@@ -4016,7 +3947,7 @@ func (s *DockerSuite) TestRunNonExistingCmd(c *check.C) { |
4016 | 4016 |
name := "testNonExistingCmd" |
4017 | 4017 |
icmd.RunCommand(dockerBinary, "run", "--name", name, "busybox", "/bin/foo").Assert(c, icmd.Expected{ |
4018 | 4018 |
ExitCode: 127, |
4019 |
- Error: "exit status 127", |
|
4019 |
+ Error: "exit status 127", |
|
4020 | 4020 |
}) |
4021 | 4021 |
} |
4022 | 4022 |
|
... | ... |
@@ -4031,7 +3962,7 @@ func (s *DockerSuite) TestCmdCannotBeInvoked(c *check.C) { |
4031 | 4031 |
name := "testCmdCannotBeInvoked" |
4032 | 4032 |
icmd.RunCommand(dockerBinary, "run", "--name", name, "busybox", "/etc").Assert(c, icmd.Expected{ |
4033 | 4033 |
ExitCode: expected, |
4034 |
- Error: fmt.Sprintf("exit status %d", expected), |
|
4034 |
+ Error: fmt.Sprintf("exit status %d", expected), |
|
4035 | 4035 |
}) |
4036 | 4036 |
} |
4037 | 4037 |
|
... | ... |
@@ -4040,7 +3971,7 @@ func (s *DockerSuite) TestCmdCannotBeInvoked(c *check.C) { |
4040 | 4040 |
func (s *DockerSuite) TestRunNonExistingImage(c *check.C) { |
4041 | 4041 |
icmd.RunCommand(dockerBinary, "run", "foo").Assert(c, icmd.Expected{ |
4042 | 4042 |
ExitCode: 125, |
4043 |
- Err: "Unable to find image", |
|
4043 |
+ Err: "Unable to find image", |
|
4044 | 4044 |
}) |
4045 | 4045 |
} |
4046 | 4046 |
|
... | ... |
@@ -4049,7 +3980,7 @@ func (s *DockerSuite) TestRunNonExistingImage(c *check.C) { |
4049 | 4049 |
func (s *DockerSuite) TestDockerFails(c *check.C) { |
4050 | 4050 |
icmd.RunCommand(dockerBinary, "run", "-foo", "busybox").Assert(c, icmd.Expected{ |
4051 | 4051 |
ExitCode: 125, |
4052 |
- Error: "exit status 125", |
|
4052 |
+ Error: "exit status 125", |
|
4053 | 4053 |
}) |
4054 | 4054 |
} |
4055 | 4055 |
|
... | ... |
@@ -909,7 +909,7 @@ func (s *DockerSuite) TestRunSysctls(c *check.C) { |
909 | 909 |
|
910 | 910 |
icmd.RunCommand(dockerBinary, "run", "--sysctl", "kernel.foobar=1", "--name", "test2", |
911 | 911 |
"busybox", "cat", "/proc/sys/kernel/foobar").Assert(c, icmd.Expected{ |
912 |
- ExitCode: 1, |
|
912 |
+ ExitCode: 125, |
|
913 | 913 |
Err: "invalid argument", |
914 | 914 |
}) |
915 | 915 |
} |
... | ... |
@@ -939,7 +939,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *check.C) { |
939 | 939 |
"--security-opt", "seccomp="+tmpFile.Name(), |
940 | 940 |
"debian:jessie", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc").Assert(c, icmd.Expected{ |
941 | 941 |
ExitCode: 1, |
942 |
- Err: "Operation not permitted", |
|
942 |
+ Err: "Operation not permitted", |
|
943 | 943 |
}) |
944 | 944 |
} |
945 | 945 |
|
... | ... |
@@ -973,7 +973,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *check.C) { |
973 | 973 |
icmd.RunCommand(dockerBinary, "run", "--security-opt", "seccomp="+tmpFile.Name(), |
974 | 974 |
"busybox", "chmod", "400", "/etc/hostname").Assert(c, icmd.Expected{ |
975 | 975 |
ExitCode: 1, |
976 |
- Err: "Operation not permitted", |
|
976 |
+ Err: "Operation not permitted", |
|
977 | 977 |
}) |
978 | 978 |
} |
979 | 979 |
|
... | ... |
@@ -1011,7 +1011,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *check.C) { |
1011 | 1011 |
"--security-opt", "apparmor=unconfined", "--security-opt", "seccomp="+tmpFile.Name(), |
1012 | 1012 |
"debian:jessie", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami").Assert(c, icmd.Expected{ |
1013 | 1013 |
ExitCode: 1, |
1014 |
- Err: "Operation not permitted", |
|
1014 |
+ Err: "Operation not permitted", |
|
1015 | 1015 |
}) |
1016 | 1016 |
} |
1017 | 1017 |
|
... | ... |
@@ -1023,7 +1023,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyCloneUserns(c *check.C) { |
1023 | 1023 |
|
1024 | 1024 |
icmd.RunCommand(dockerBinary, "run", "syscall-test", "userns-test", "id").Assert(c, icmd.Expected{ |
1025 | 1025 |
ExitCode: 1, |
1026 |
- Err: "clone failed: Operation not permitted", |
|
1026 |
+ Err: "clone failed: Operation not permitted", |
|
1027 | 1027 |
}) |
1028 | 1028 |
} |
1029 | 1029 |
|
... | ... |
@@ -1152,16 +1152,16 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesChown(c *check.C) { |
1152 | 1152 |
ensureSyscallTest(c) |
1153 | 1153 |
|
1154 | 1154 |
// test that a root user has default capability CAP_CHOWN |
1155 |
- dockerCmd("run", "busybox", "chown", "100", "/tmp") |
|
1155 |
+ dockerCmd(c, "run", "busybox", "chown", "100", "/tmp") |
|
1156 | 1156 |
// test that non root user does not have default capability CAP_CHOWN |
1157 | 1157 |
icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "busybox", "chown", "100", "/tmp").Assert(c, icmd.Expected{ |
1158 | 1158 |
ExitCode: 1, |
1159 |
- Err: "Operation not permitted", |
|
1159 |
+ Err: "Operation not permitted", |
|
1160 | 1160 |
}) |
1161 | 1161 |
// test that root user can drop default capability CAP_CHOWN |
1162 | 1162 |
icmd.RunCommand(dockerBinary, "run", "--cap-drop", "chown", "busybox", "chown", "100", "/tmp").Assert(c, icmd.Expected{ |
1163 | 1163 |
ExitCode: 1, |
1164 |
- Err: "Operation not permitted", |
|
1164 |
+ Err: "Operation not permitted", |
|
1165 | 1165 |
}) |
1166 | 1166 |
} |
1167 | 1167 |
|
... | ... |
@@ -1170,11 +1170,11 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesDacOverride(c *check.C) { |
1170 | 1170 |
ensureSyscallTest(c) |
1171 | 1171 |
|
1172 | 1172 |
// test that a root user has default capability CAP_DAC_OVERRIDE |
1173 |
- dockerCmd("run", "busybox", "sh", "-c", "echo test > /etc/passwd") |
|
1173 |
+ dockerCmd(c, "run", "busybox", "sh", "-c", "echo test > /etc/passwd") |
|
1174 | 1174 |
// test that non root user does not have default capability CAP_DAC_OVERRIDE |
1175 | 1175 |
icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "busybox", "sh", "-c", "echo test > /etc/passwd").Assert(c, icmd.Expected{ |
1176 | 1176 |
ExitCode: 1, |
1177 |
- Err: "Permission denied", |
|
1177 |
+ Err: "Permission denied", |
|
1178 | 1178 |
}) |
1179 | 1179 |
} |
1180 | 1180 |
|
... | ... |
@@ -1183,11 +1183,11 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesFowner(c *check.C) { |
1183 | 1183 |
ensureSyscallTest(c) |
1184 | 1184 |
|
1185 | 1185 |
// test that a root user has default capability CAP_FOWNER |
1186 |
- dockerCmd("run", "busybox", "chmod", "777", "/etc/passwd") |
|
1186 |
+ dockerCmd(c, "run", "busybox", "chmod", "777", "/etc/passwd") |
|
1187 | 1187 |
// test that non root user does not have default capability CAP_FOWNER |
1188 | 1188 |
icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "busybox", "chmod", "777", "/etc/passwd").Assert(c, icmd.Expected{ |
1189 | 1189 |
ExitCode: 1, |
1190 |
- Err: "Operation not permitted", |
|
1190 |
+ Err: "Operation not permitted", |
|
1191 | 1191 |
}) |
1192 | 1192 |
// TODO test that root user can drop default capability CAP_FOWNER |
1193 | 1193 |
} |
... | ... |
@@ -1199,16 +1199,16 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesSetuid(c *check.C) { |
1199 | 1199 |
ensureSyscallTest(c) |
1200 | 1200 |
|
1201 | 1201 |
// test that a root user has default capability CAP_SETUID |
1202 |
- dockerCmd("run", "syscall-test", "setuid-test") |
|
1202 |
+ dockerCmd(c, "run", "syscall-test", "setuid-test") |
|
1203 | 1203 |
// test that non root user does not have default capability CAP_SETUID |
1204 | 1204 |
icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "setuid-test").Assert(c, icmd.Expected{ |
1205 | 1205 |
ExitCode: 1, |
1206 |
- Err: "Operation not permitted", |
|
1206 |
+ Err: "Operation not permitted", |
|
1207 | 1207 |
}) |
1208 | 1208 |
// test that root user can drop default capability CAP_SETUID |
1209 | 1209 |
icmd.RunCommand(dockerBinary, "run", "--cap-drop", "setuid", "syscall-test", "setuid-test").Assert(c, icmd.Expected{ |
1210 | 1210 |
ExitCode: 1, |
1211 |
- Err: "Operation not permitted", |
|
1211 |
+ Err: "Operation not permitted", |
|
1212 | 1212 |
}) |
1213 | 1213 |
} |
1214 | 1214 |
|
... | ... |
@@ -1217,16 +1217,16 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesSetgid(c *check.C) { |
1217 | 1217 |
ensureSyscallTest(c) |
1218 | 1218 |
|
1219 | 1219 |
// test that a root user has default capability CAP_SETGID |
1220 |
- dockerCmd("run", "syscall-test", "setgid-test") |
|
1220 |
+ dockerCmd(c, "run", "syscall-test", "setgid-test") |
|
1221 | 1221 |
// test that non root user does not have default capability CAP_SETGID |
1222 | 1222 |
icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "setgid-test").Assert(c, icmd.Expected{ |
1223 | 1223 |
ExitCode: 1, |
1224 |
- Err: "Operation not permitted", |
|
1224 |
+ Err: "Operation not permitted", |
|
1225 | 1225 |
}) |
1226 | 1226 |
// test that root user can drop default capability CAP_SETGID |
1227 | 1227 |
icmd.RunCommand(dockerBinary, "run", "--cap-drop", "setgid", "syscall-test", "setgid-test").Assert(c, icmd.Expected{ |
1228 | 1228 |
ExitCode: 1, |
1229 |
- Err: "Operation not permitted", |
|
1229 |
+ Err: "Operation not permitted", |
|
1230 | 1230 |
}) |
1231 | 1231 |
} |
1232 | 1232 |
|
... | ... |
@@ -1237,16 +1237,16 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesNetBindService(c *check.C) |
1237 | 1237 |
ensureSyscallTest(c) |
1238 | 1238 |
|
1239 | 1239 |
// test that a root user has default capability CAP_NET_BIND_SERVICE |
1240 |
- dockerCmd("run", "syscall-test", "socket-test") |
|
1240 |
+ dockerCmd(c, "run", "syscall-test", "socket-test") |
|
1241 | 1241 |
// test that non root user does not have default capability CAP_NET_BIND_SERVICE |
1242 | 1242 |
icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "socket-test").Assert(c, icmd.Expected{ |
1243 | 1243 |
ExitCode: 1, |
1244 |
- Err: "Permission denied", |
|
1244 |
+ Err: "Permission denied", |
|
1245 | 1245 |
}) |
1246 | 1246 |
// test that root user can drop default capability CAP_NET_BIND_SERVICE |
1247 | 1247 |
icmd.RunCommand(dockerBinary, "run", "--cap-drop", "net_bind_service", "syscall-test", "socket-test").Assert(c, icmd.Expected{ |
1248 | 1248 |
ExitCode: 1, |
1249 |
- Err: "Permission denied", |
|
1249 |
+ Err: "Permission denied", |
|
1250 | 1250 |
}) |
1251 | 1251 |
} |
1252 | 1252 |
|
... | ... |
@@ -1255,16 +1255,16 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesNetRaw(c *check.C) { |
1255 | 1255 |
ensureSyscallTest(c) |
1256 | 1256 |
|
1257 | 1257 |
// test that a root user has default capability CAP_NET_RAW |
1258 |
- dockerCmd("run", "syscall-test", "raw-test") |
|
1258 |
+ dockerCmd(c, "run", "syscall-test", "raw-test") |
|
1259 | 1259 |
// test that non root user does not have default capability CAP_NET_RAW |
1260 | 1260 |
icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "raw-test").Assert(c, icmd.Expected{ |
1261 | 1261 |
ExitCode: 1, |
1262 |
- Err: "Operation not permitted", |
|
1262 |
+ Err: "Operation not permitted", |
|
1263 | 1263 |
}) |
1264 | 1264 |
// test that root user can drop default capability CAP_NET_RAW |
1265 | 1265 |
icmd.RunCommand(dockerBinary, "run", "--cap-drop", "net_raw", "syscall-test", "raw-test").Assert(c, icmd.Expected{ |
1266 | 1266 |
ExitCode: 1, |
1267 |
- Err: "Operation not permitted", |
|
1267 |
+ Err: "Operation not permitted", |
|
1268 | 1268 |
}) |
1269 | 1269 |
} |
1270 | 1270 |
|
... | ... |
@@ -1273,16 +1273,16 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesChroot(c *check.C) { |
1273 | 1273 |
ensureSyscallTest(c) |
1274 | 1274 |
|
1275 | 1275 |
// test that a root user has default capability CAP_SYS_CHROOT |
1276 |
- dockerCmd("run", "busybox", "chroot", "/", "/bin/true") |
|
1276 |
+ dockerCmd(c, "run", "busybox", "chroot", "/", "/bin/true") |
|
1277 | 1277 |
// test that non root user does not have default capability CAP_SYS_CHROOT |
1278 | 1278 |
icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "busybox", "chroot", "/", "/bin/true").Assert(c, icmd.Expected{ |
1279 | 1279 |
ExitCode: 1, |
1280 |
- Err: "Operation not permitted", |
|
1280 |
+ Err: "Operation not permitted", |
|
1281 | 1281 |
}) |
1282 | 1282 |
// test that root user can drop default capability CAP_SYS_CHROOT |
1283 | 1283 |
icmd.RunCommand(dockerBinary, "run", "--cap-drop", "sys_chroot", "busybox", "chroot", "/", "/bin/true").Assert(c, icmd.Expected{ |
1284 | 1284 |
ExitCode: 1, |
1285 |
- Err: "Operation not permitted", |
|
1285 |
+ Err: "Operation not permitted", |
|
1286 | 1286 |
}) |
1287 | 1287 |
} |
1288 | 1288 |
|
... | ... |
@@ -1291,17 +1291,17 @@ func (s *DockerSuite) TestUserNoEffectiveCapabilitiesMknod(c *check.C) { |
1291 | 1291 |
ensureSyscallTest(c) |
1292 | 1292 |
|
1293 | 1293 |
// test that a root user has default capability CAP_MKNOD |
1294 |
- dockerCmd("run", "busybox", "mknod", "/tmp/node", "b", "1", "2") |
|
1294 |
+ dockerCmd(c, "run", "busybox", "mknod", "/tmp/node", "b", "1", "2") |
|
1295 | 1295 |
// test that non root user does not have default capability CAP_MKNOD |
1296 | 1296 |
// test that root user can drop default capability CAP_SYS_CHROOT |
1297 | 1297 |
icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "busybox", "mknod", "/tmp/node", "b", "1", "2").Assert(c, icmd.Expected{ |
1298 | 1298 |
ExitCode: 1, |
1299 |
- Err: "Operation not permitted", |
|
1299 |
+ Err: "Operation not permitted", |
|
1300 | 1300 |
}) |
1301 | 1301 |
// test that root user can drop default capability CAP_MKNOD |
1302 | 1302 |
icmd.RunCommand(dockerBinary, "run", "--cap-drop", "mknod", "busybox", "mknod", "/tmp/node", "b", "1", "2").Assert(c, icmd.Expected{ |
1303 | 1303 |
ExitCode: 1, |
1304 |
- Err: "Operation not permitted", |
|
1304 |
+ Err: "Operation not permitted", |
|
1305 | 1305 |
}) |
1306 | 1306 |
} |
1307 | 1307 |
|
... | ... |
@@ -1315,13 +1315,13 @@ func (s *DockerSuite) TestRunApparmorProcDirectory(c *check.C) { |
1315 | 1315 |
result := icmd.RunCommand(dockerBinary, "run", "--security-opt", "seccomp=unconfined", "busybox", "chmod", "777", "/proc/1/cgroup") |
1316 | 1316 |
result.Assert(c, icmd.Expected{ExitCode: 1}) |
1317 | 1317 |
if !(strings.Contains(result.Combined(), "Permission denied") || strings.Contains(result.Combined(), "Operation not permitted")) { |
1318 |
- c.Fatalf("expected chmod 777 /proc/1/cgroup to fail, got %s: %v", result.Combined(), err) |
|
1318 |
+ c.Fatalf("expected chmod 777 /proc/1/cgroup to fail, got %s: %v", result.Combined(), result.Error) |
|
1319 | 1319 |
} |
1320 | 1320 |
|
1321 | 1321 |
result = icmd.RunCommand(dockerBinary, "run", "--security-opt", "seccomp=unconfined", "busybox", "chmod", "777", "/proc/1/attr/current") |
1322 | 1322 |
result.Assert(c, icmd.Expected{ExitCode: 1}) |
1323 | 1323 |
if !(strings.Contains(result.Combined(), "Permission denied") || strings.Contains(result.Combined(), "Operation not permitted")) { |
1324 |
- c.Fatalf("expected chmod 777 /proc/1/attr/current to fail, got %s: %v", result.Combined(), err) |
|
1324 |
+ c.Fatalf("expected chmod 777 /proc/1/attr/current to fail, got %s: %v", result.Combined(), result.Error) |
|
1325 | 1325 |
} |
1326 | 1326 |
} |
1327 | 1327 |
|
... | ... |
@@ -1439,7 +1439,7 @@ func (s *DockerTrustedSwarmSuite) TestTrustedServiceCreate(c *check.C) { |
1439 | 1439 |
|
1440 | 1440 |
name := "trusted" |
1441 | 1441 |
serviceCmd := d.Command("-D", "service", "create", "--name", name, repoName, "top") |
1442 |
- s.trustSuite.trustedCmd(serviceCmd) |
|
1442 |
+ trustedExecCmd(serviceCmd) |
|
1443 | 1443 |
out, _, err := runCommandWithOutput(serviceCmd) |
1444 | 1444 |
c.Assert(err, checker.IsNil, check.Commentf(out)) |
1445 | 1445 |
c.Assert(out, checker.Contains, "resolved image tag to", check.Commentf(out)) |
... | ... |
@@ -1458,7 +1458,7 @@ func (s *DockerTrustedSwarmSuite) TestTrustedServiceCreate(c *check.C) { |
1458 | 1458 |
|
1459 | 1459 |
name = "untrusted" |
1460 | 1460 |
serviceCmd = d.Command("service", "create", "--name", name, repoName, "top") |
1461 |
- s.trustSuite.trustedCmd(serviceCmd) |
|
1461 |
+ trustedExecCmd(serviceCmd) |
|
1462 | 1462 |
out, _, err = runCommandWithOutput(serviceCmd) |
1463 | 1463 |
|
1464 | 1464 |
c.Assert(err, check.NotNil, check.Commentf(out)) |
... | ... |
@@ -1487,7 +1487,7 @@ func (s *DockerTrustedSwarmSuite) TestTrustedServiceUpdate(c *check.C) { |
1487 | 1487 |
c.Assert(out, check.Not(checker.Contains), repoName+"@", check.Commentf(out)) |
1488 | 1488 |
|
1489 | 1489 |
serviceCmd := d.Command("-D", "service", "update", "--image", repoName, name) |
1490 |
- s.trustSuite.trustedCmd(serviceCmd) |
|
1490 |
+ trustedExecCmd(serviceCmd) |
|
1491 | 1491 |
out, _, err = runCommandWithOutput(serviceCmd) |
1492 | 1492 |
c.Assert(err, checker.IsNil, check.Commentf(out)) |
1493 | 1493 |
c.Assert(out, checker.Contains, "resolved image tag to", check.Commentf(out)) |
... | ... |
@@ -1505,7 +1505,7 @@ func (s *DockerTrustedSwarmSuite) TestTrustedServiceUpdate(c *check.C) { |
1505 | 1505 |
dockerCmd(c, "rmi", repoName) |
1506 | 1506 |
|
1507 | 1507 |
serviceCmd = d.Command("service", "update", "--image", repoName, name) |
1508 |
- s.trustSuite.trustedCmd(serviceCmd) |
|
1508 |
+ trustedExecCmd(serviceCmd) |
|
1509 | 1509 |
out, _, err = runCommandWithOutput(serviceCmd) |
1510 | 1510 |
|
1511 | 1511 |
c.Assert(err, check.NotNil, check.Commentf(out)) |
... | ... |
@@ -229,7 +229,7 @@ func (s *DockerSuite) TestVolumeCLIRm(c *check.C) { |
229 | 229 |
|
230 | 230 |
icmd.RunCommand(dockerBinary, "volume", "rm", "testing").Assert(c, icmd.Expected{ |
231 | 231 |
ExitCode: 1, |
232 |
- Error: "exit status 1", |
|
232 |
+ Error: "exit status 1", |
|
233 | 233 |
}) |
234 | 234 |
|
235 | 235 |
out, _ = dockerCmd(c, "run", "--volumes-from=test", "--name=test2", "busybox", "sh", "-c", "cat /foo/bar") |
... | ... |
@@ -13,6 +13,7 @@ import ( |
13 | 13 |
|
14 | 14 |
cliconfig "github.com/docker/docker/cli/config" |
15 | 15 |
"github.com/docker/docker/integration-cli/checker" |
16 |
+ icmd "github.com/docker/docker/pkg/testutil/cmd" |
|
16 | 17 |
"github.com/docker/go-connections/tlsconfig" |
17 | 18 |
"github.com/go-check/check" |
18 | 19 |
) |
... | ... |
@@ -34,6 +35,30 @@ type testNotary struct { |
34 | 34 |
const notaryHost = "localhost:4443" |
35 | 35 |
const notaryURL = "https://" + notaryHost |
36 | 36 |
|
37 |
+var SuccessTagging = icmd.Expected{ |
|
38 |
+ Out: "Tagging", |
|
39 |
+} |
|
40 |
+ |
|
41 |
+var SuccessSigningAndPushing = icmd.Expected{ |
|
42 |
+ Out: "Signing and pushing trust metadata", |
|
43 |
+} |
|
44 |
+ |
|
45 |
+var SuccessDownloaded = icmd.Expected{ |
|
46 |
+ Out: "Status: Downloaded", |
|
47 |
+} |
|
48 |
+ |
|
49 |
+var SuccessTaggingOnStderr = icmd.Expected{ |
|
50 |
+ Err: "Tagging", |
|
51 |
+} |
|
52 |
+ |
|
53 |
+var SuccessSigningAndPushingOnStderr = icmd.Expected{ |
|
54 |
+ Err: "Signing and pushing trust metadata", |
|
55 |
+} |
|
56 |
+ |
|
57 |
+var SuccessDownloadedOnStderr = icmd.Expected{ |
|
58 |
+ Err: "Status: Downloaded", |
|
59 |
+} |
|
60 |
+ |
|
37 | 61 |
func newTestNotary(c *check.C) (*testNotary, error) { |
38 | 62 |
// generate server config |
39 | 63 |
template := `{ |
... | ... |
@@ -164,28 +189,38 @@ func (t *testNotary) Close() { |
164 | 164 |
os.RemoveAll(t.dir) |
165 | 165 |
} |
166 | 166 |
|
167 |
-func (s *DockerTrustSuite) trustedCmd(cmd *exec.Cmd) { |
|
167 |
+// Deprecated: used trustedCmd instead |
|
168 |
+func trustedExecCmd(cmd *exec.Cmd) { |
|
168 | 169 |
pwd := "12345678" |
169 |
- trustCmdEnv(cmd, notaryURL, pwd, pwd) |
|
170 |
+ cmd.Env = append(cmd.Env, trustEnv(notaryURL, pwd, pwd)...) |
|
170 | 171 |
} |
171 | 172 |
|
172 |
-func (s *DockerTrustSuite) trustedCmdWithServer(cmd *exec.Cmd, server string) { |
|
173 |
+func trustedCmd(cmd *icmd.Cmd) { |
|
173 | 174 |
pwd := "12345678" |
174 |
- trustCmdEnv(cmd, server, pwd, pwd) |
|
175 |
+ cmd.Env = append(cmd.Env, trustEnv(notaryURL, pwd, pwd)...) |
|
175 | 176 |
} |
176 | 177 |
|
177 |
-func (s *DockerTrustSuite) trustedCmdWithPassphrases(cmd *exec.Cmd, rootPwd, repositoryPwd string) { |
|
178 |
- trustCmdEnv(cmd, notaryURL, rootPwd, repositoryPwd) |
|
178 |
+func trustedCmdWithServer(server string) func(*icmd.Cmd) { |
|
179 |
+ return func(cmd *icmd.Cmd) { |
|
180 |
+ pwd := "12345678" |
|
181 |
+ cmd.Env = append(cmd.Env, trustEnv(server, pwd, pwd)...) |
|
182 |
+ } |
|
179 | 183 |
} |
180 | 184 |
|
181 |
-func trustCmdEnv(cmd *exec.Cmd, server, rootPwd, repositoryPwd string) { |
|
182 |
- env := []string{ |
|
185 |
+func trustedCmdWithPassphrases(rootPwd, repositoryPwd string) func(*icmd.Cmd) { |
|
186 |
+ return func(cmd *icmd.Cmd) { |
|
187 |
+ cmd.Env = append(cmd.Env, trustEnv(notaryURL, rootPwd, repositoryPwd)...) |
|
188 |
+ } |
|
189 |
+} |
|
190 |
+ |
|
191 |
+func trustEnv(server, rootPwd, repositoryPwd string) []string { |
|
192 |
+ env := append(os.Environ(), []string{ |
|
183 | 193 |
"DOCKER_CONTENT_TRUST=1", |
184 | 194 |
fmt.Sprintf("DOCKER_CONTENT_TRUST_SERVER=%s", server), |
185 | 195 |
fmt.Sprintf("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE=%s", rootPwd), |
186 | 196 |
fmt.Sprintf("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=%s", repositoryPwd), |
187 |
- } |
|
188 |
- cmd.Env = append(os.Environ(), env...) |
|
197 |
+ }...) |
|
198 |
+ return env |
|
189 | 199 |
} |
190 | 200 |
|
191 | 201 |
func (s *DockerTrustSuite) setupTrustedImage(c *check.C, name string) string { |
... | ... |
@@ -193,16 +228,7 @@ func (s *DockerTrustSuite) setupTrustedImage(c *check.C, name string) string { |
193 | 193 |
// tag the image and upload it to the private registry |
194 | 194 |
dockerCmd(c, "tag", "busybox", repoName) |
195 | 195 |
|
196 |
- pushCmd := exec.Command(dockerBinary, "push", repoName) |
|
197 |
- s.trustedCmd(pushCmd) |
|
198 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
199 |
- |
|
200 |
- if err != nil { |
|
201 |
- c.Fatalf("Error running trusted push: %s\n%s", err, out) |
|
202 |
- } |
|
203 |
- if !strings.Contains(string(out), "Signing and pushing trust metadata") { |
|
204 |
- c.Fatalf("Missing expected output on trusted push:\n%s", out) |
|
205 |
- } |
|
196 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
206 | 197 |
|
207 | 198 |
if out, status := dockerCmd(c, "rmi", repoName); status != 0 { |
208 | 199 |
c.Fatalf("Error removing image %q\n%s", repoName, out) |
... | ... |
@@ -216,16 +242,7 @@ func (s *DockerTrustSuite) setupTrustedplugin(c *check.C, source, name string) s |
216 | 216 |
// tag the image and upload it to the private registry |
217 | 217 |
dockerCmd(c, "plugin", "install", "--grant-all-permissions", "--alias", repoName, source) |
218 | 218 |
|
219 |
- pushCmd := exec.Command(dockerBinary, "plugin", "push", repoName) |
|
220 |
- s.trustedCmd(pushCmd) |
|
221 |
- out, _, err := runCommandWithOutput(pushCmd) |
|
222 |
- |
|
223 |
- if err != nil { |
|
224 |
- c.Fatalf("Error running trusted plugin push: %s\n%s", err, out) |
|
225 |
- } |
|
226 |
- if !strings.Contains(string(out), "Signing and pushing trust metadata") { |
|
227 |
- c.Fatalf("Missing expected output on trusted push:\n%s", out) |
|
228 |
- } |
|
219 |
+ icmd.RunCmd(icmd.Command(dockerBinary, "plugin", "push", repoName), trustedCmd).Assert(c, SuccessSigningAndPushing) |
|
229 | 220 |
|
230 | 221 |
if out, status := dockerCmd(c, "plugin", "rm", "-f", repoName); status != 0 { |
231 | 222 |
c.Fatalf("Error removing plugin %q\n%s", repoName, out) |
... | ... |
@@ -13,6 +13,7 @@ func getPrefixAndSlashFromDaemonPlatform() (prefix, slash string) { |
13 | 13 |
} |
14 | 14 |
|
15 | 15 |
// TODO: update code to call cmd.RunCmd directly, and remove this function |
16 |
+// Deprecated: use pkg/testutil/cmd instead |
|
16 | 17 |
func runCommandWithOutput(execCmd *exec.Cmd) (string, int, error) { |
17 | 18 |
result := cmd.RunCmd(transformCmd(execCmd)) |
18 | 19 |
return result.Combined(), result.ExitCode, result.Error |
... | ... |
@@ -215,8 +215,16 @@ type Cmd struct { |
215 | 215 |
Env []string |
216 | 216 |
} |
217 | 217 |
|
218 |
+// Command create a simple Cmd with the specified command and arguments |
|
219 |
+func Command(command string, args ...string) Cmd { |
|
220 |
+ return Cmd{Command: append([]string{command}, args...)} |
|
221 |
+} |
|
222 |
+ |
|
218 | 223 |
// RunCmd runs a command and returns a Result |
219 |
-func RunCmd(cmd Cmd) *Result { |
|
224 |
+func RunCmd(cmd Cmd, cmdOperators ...func(*Cmd)) *Result { |
|
225 |
+ for _, op := range cmdOperators { |
|
226 |
+ op(&cmd) |
|
227 |
+ } |
|
220 | 228 |
result := StartCmd(cmd) |
221 | 229 |
if result.Error != nil { |
222 | 230 |
return result |
... | ... |
@@ -226,7 +234,7 @@ func RunCmd(cmd Cmd) *Result { |
226 | 226 |
|
227 | 227 |
// RunCommand parses a command line and runs it, returning a result |
228 | 228 |
func RunCommand(command string, args ...string) *Result { |
229 |
- return RunCmd(Cmd{Command: append([]string{command}, args...)}) |
|
229 |
+ return RunCmd(Command(command, args...)) |
|
230 | 230 |
} |
231 | 231 |
|
232 | 232 |
// StartCmd starts a command, but doesn't wait for it to finish |