We now use the fully qualified image name (if not provided)
when dealing with atomic info and verify. This is because
skopeo requires a fq image name to do remote inspection. As
an upside, it also makes atomic a little more user friendly
as well.
tests/integration/test_info.sh
Temporarly disabled a test due to an issue with skopeo
This addresses one of the two issues raised by bugzilla
1248038 where atomic is using shell=True on its subprocess
calls which exposes a security concern.
Two new functions were added to accomplish this. The
first is a util.chk_call which is similar to util.subp
but it uses the python function check call instead of
Popen.
The second function is atomic.sub_env_strings. Previously,
there was env variable substitution occuring with cmd_env and
the subprocess call. That was one upside of the shell=True
usage. Now, prior to calling util.chk_call, we pass the
intended command to sub_env_strings and use cmd_env to
perform the variable substitution.
We will address part 2 of the security concerns, which
is the handling of LABELS as strings, in a different
PR.
This patch does two things:
1. Add a validation step after migration to make sure that the
containers and images were indeed migrated.
2. Don't actually change the docker configuration to use overlayfs,
which currently causes issues on e.g. Fedora kernels. This has
been the source of the instability of the PR tester. It can be
reproduced locally by running:
# while true; do dd if=/dev/vda of=/dev/null; done &
# make test TEST_INTEGRATION=migrate
We can uncomment out that block once the workaround for it has
made it to the stable kernels. See the comment block for more
details.
Laymen users who are told to run a image may not understand
the docker run switches that have security implications. We
now look for the following switches:
* --privileged
* --cap-add
* --security-opt label:disable
* --net=host
* --pid=host
* --ipc=host
and output an appropriate security message.
Also, moved def run() from Atomic/atomic.py to Atomic/run.py
to reduce the size and the number of definitions in
Atomic/atomic.py.
Images or containers can now have an associated
man-like help page to help users understand more
about the image. Typical information included
are things like a longer description, if the image
needs to be installed, security implications, steps
to upgrade, etc.
The default behavior is for atomic to display
a file called help.1 (in man format) located in
the / of the docker object. This default
can be overriden with the HELP LABEL. The
HELP LABEL needs to be a fully qualified
command to work correctly.
Basic tests for atomic diff and top which should catch
basic code regressions.
In top.py, added -n for number of iterations. And added
tty detection so that tests can pass in a jenkins environment
where there is no tty.
Make the cleanup() function more wary of failures. Otherwise, because we
have `set -e` turned on, on the first failure, it will jump ship and not
finish cleanup.
Also make the test use a local directory instead of
/var/lib/atomic/migrate).
Now that PR #217 is merged, running `atomic install` on images without
INSTALL labels become noops. Test 5 of test_display.sh reflects this new
behaviour.
This patch makes test_display.sh pass. They are mostly tweaks to account
for the following:
- Account for commit 7858957, which removes {CONF,LOG,DATA}DIR from the
target environment.
- Account for commit ae931d0, which removes those default bind mounts.
- Fix a few mismatches between the labels in the Dockerfile vs the
expected output in the test script.
And with that, all tests (should) pass!
Fix test failures that have crept into the atomic master.
tests/integration/test_display.sh
Fix failure related to defined UID/GID's in the test itself. I now
use sed to remove the --user UID:GID to make the comparison equal
and remove potential for dynamic failures.
I also had to add a conditional if the labels (in python) are of
type None to prevent a traceback.
tests/integration/test_info.sh
There seemed to be two related failures in the test case that relate to
running 'atomic info --remote'. If that command is run with a docker
daemon that is not capable of --remote, the test will failure. I added
a variable based on the return of that command and put it under the
set +e section.
I then added a conditional for that test (based on the return of above),
to only run the test if the docker daemon is capable of the --remote
function.
Use --display to view run or install commands without
executing the commands. This is useful when working with custom images
with LABEL methods defined.
Signed-off-by: Sally O'Malley <somalley@redhat.com>
