GitList

Browse code

cleanup jess/unshare image

Signed-off-by: Jessica Frazelle <acidburn@docker.com>

Jessica Frazelle authored on 2015/12/31 02:49:10
Showing 4 changed files

Dockerfile index 9710ebf..ff46194 100644
hack/make/.ensure-frozen-images index 4977b79..98acdc8 100644
integration-cli/docker_cli_run_test.go index f2eabf2..edc331d 100644
integration-cli/docker_cli_run_unix_test.go index 053da76..7df88c5 100644

@@ -198,8 +198,7 @@ COPY contrib/download-frozen-image-v2.sh /go/src/github.com/docker/docker/contri
                      RUN ./contrib/download-frozen-image-v2.sh /docker-frozen-images \
                      	busybox:latest@sha256:eb3c0d4680f9213ee5f348ea6d39489a1f85a318a2ae09e012c426f78252a6d2 \
                      	debian:jessie@sha256:24a900d1671b269d6640b4224e7b63801880d8e3cb2bcbfaa10a5dddcf4469ed \
                     -	hello-world:latest@sha256:8be990ef2aeb16dbcb9271ddfe2610fa6658d13f6dfb8bc72074cc1ca36966a7 \
                     -	jess/unshare:latest@sha256:2e3a8c0591c4690b82d4eba7e5ef8f49f2ddfe9f867f3e865198db9bd1436c5b
                     +	hello-world:latest@sha256:8be990ef2aeb16dbcb9271ddfe2610fa6658d13f6dfb8bc72074cc1ca36966a7
                      # see also "hack/make/.ensure-frozen-images" (which needs to be updated any time this list is)
                      # Download man page generator

hack/make/.ensure-frozen-images

History View file @ 626c933

@@ -29,7 +29,6 @@ case "$DOCKER_ENGINE_OSARCH" in
                      			busybox:latest
                      			debian:jessie
                      			hello-world:latest
                     -			jess/unshare:latest
+                     		)
                      		;;
                      esac

integration-cli/docker_cli_run_test.go

History View file @ 626c933

@@ -2858,26 +2858,28 @@ func (s *DockerSuite) TestRunUnshareProc(c *check.C) {
                      	testRequires(c, Apparmor, DaemonIsLinux, NotUserNamespace)
                      	name := "acidburn"
                     -	out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp:unconfined", "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "--mount-proc=/proc", "mount")
                     +	out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp:unconfined", "debian:jessie", "unshare", "-p", "-m", "-f", "-r", "--mount-proc=/proc", "mount")
                      	if err == nil ||
                      		!(strings.Contains(strings.ToLower(out), "permission denied") ||
                      			strings.Contains(strings.ToLower(out), "operation not permitted")) {
                     -		c.Fatalf("unshare with --mount-proc should have failed with permission denied, got: %s, %v", out, err)
                     +		c.Fatalf("unshare with --mount-proc should have failed with 'permission denied' or 'operation not permitted', got: %s, %v", out, err)
+                     	}
                      	name = "cereal"
                     -	out, _, err = dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp:unconfined", "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
                     +	out, _, err = dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp:unconfined", "debian:jessie", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
                      	if err == nil ||
                     -		!(strings.Contains(strings.ToLower(out), "permission denied") ||
                     -			strings.Contains(strings.ToLower(out), "operation not permitted")) {
                     -		c.Fatalf("unshare and mount of /proc should have failed with permission denied, got: %s, %v", out, err)
                     +		!(strings.Contains(strings.ToLower(out), "mount: cannot mount none") ||
                     +			strings.Contains(strings.ToLower(out), "permission denied")) {
                     +		c.Fatalf("unshare and mount of /proc should have failed with 'mount: cannot mount none' or 'permission denied', got: %s, %v", out, err)
+                     	}
                      	/* Ensure still fails if running privileged with the default policy */
                      	name = "crashoverride"
                     -	out, _, err = dockerCmdWithError("run", "--privileged", "--security-opt", "seccomp:unconfined", "--security-opt", "apparmor:docker-default", "--name", name, "jess/unshare", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
                     -	if err == nil || !(strings.Contains(strings.ToLower(out), "permission denied") || strings.Contains(strings.ToLower(out), "operation not permitted")) {
                     -		c.Fatalf("privileged unshare with apparmor should have failed with permission denied, got: %s, %v", out, err)
                     +	out, _, err = dockerCmdWithError("run", "--privileged", "--security-opt", "seccomp:unconfined", "--security-opt", "apparmor:docker-default", "--name", name, "debian:jessie", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
                     +	if err == nil ||
                     +		!(strings.Contains(strings.ToLower(out), "mount: cannot mount none") ||
                     +			strings.Contains(strings.ToLower(out), "permission denied")) {
                     +		c.Fatalf("privileged unshare with apparmor should have failed with 'mount: cannot mount none' or 'permission denied', got: %s, %v", out, err)
+                     	}
+                     }

integration-cli/docker_cli_run_unix_test.go

History View file @ 626c933

@@ -493,7 +493,7 @@ func (s *DockerSuite) TestRunTmpfsMounts(c *check.C) {
 	}
 }
 
-// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp:/tmp/profile.json jess/unshare unshare' exits with operation not permitted.
+// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp:/tmp/profile.json debian:jessie unshare' exits with operation not permitted.
 func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *check.C) {
 	testRequires(c, SameHostDaemon, seccompEnabled)
 	jsonData := `{
@@ -549,7 +549,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *check.C) {
 	}
 }
 
-// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run jess/unshare unshare --map-root-user --user sh -c whoami' with a specific profile to
+// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run debian:jessie unshare --map-root-user --user sh -c whoami' with a specific profile to
 // deny unhare of a userns exits with operation not permitted.
 func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *check.C) {
 	testRequires(c, SameHostDaemon, seccompEnabled)

...	...	@@ -493,7 +493,7 @@ func (s DockerSuite) TestRunTmpfsMounts(c check.C) {
493	493	}
494	494	}
495	495
496		-// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp:/tmp/profile.json jess/unshare unshare' exits with operation not permitted.
	496	+// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp:/tmp/profile.json debian:jessie unshare' exits with operation not permitted.
497	497	func (s DockerSuite) TestRunSeccompProfileDenyUnshare(c check.C) {
498	498	testRequires(c, SameHostDaemon, seccompEnabled)
499	499	jsonData := `{
...	...	@@ -549,7 +549,7 @@ func (s DockerSuite) TestRunSeccompProfileDenyChmod(c check.C) {
549	549	}
550	550	}
551	551
552		-// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run jess/unshare unshare --map-root-user --user sh -c whoami' with a specific profile to
	552	+// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run debian:jessie unshare --map-root-user --user sh -c whoami' with a specific profile to
553	553	// deny unhare of a userns exits with operation not permitted.
554	554	func (s DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c check.C) {
555	555	testRequires(c, SameHostDaemon, seccompEnabled)