This changes the test TestBuildWithInaccessibleFilesInContext to not
add the user 'unprivilegeduser' and add it via the Dockerfile instead.
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
Upstream-commit: 599cb12bb8aa13aa2f1be940dd8de4c9d3a06959
Component: engine
Rearrange docker version output so that server output matches client
output
Docker-DCO-1.1-Signed-off-by: Jonathan McCrohan <jmccrohan@gmail.com> (github: jmccrohan)
Upstream-commit: 82712ed67ef9c189ccc8837ef8469272c91f6fcf
Component: engine
This improves the TestBuildSixtySteps test by switching from busybox to
scratch and simply adding a file.
This lowers the execution time of that test from 20 seconds to 5
seconds.
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
Upstream-commit: 58c11ee0a8be74562b0e6f88ee000afdf9ddf025
Component: engine
Setting dockerBinary to the full path of the Docker binary is a good
idea and this is now done in the test code.
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
Upstream-commit: 46578a2359714e32d61af4efaeea86b7ff770359
Component: engine
This patch adds integration tests for the copying of resources
from a container, to ensure that regressions in the security of
resource copying can be easily discovered.
Docker-DCO-1.1-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
Upstream-commit: 79ca77f3e80d983cf72aa131c1b59c77c60270b0
Component: engine
The tests weren't ... tested when last edited, this patch fixes
them so that they run and pass correctly.
Docker-DCO-1.1-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
Upstream-commit: 924979259ec4c9ef6beab0468325f1cb04deaacb
Component: engine
It has been pointed out that some files in /proc and /sys can be used
to break out of containers. However, if those filesystems are mounted
read-only, most of the known exploits are mitigated, since they rely
on writing some file in those filesystems.
This does not replace security modules (like SELinux or AppArmor), it
is just another layer of security. Likewise, it doesn't mean that the
other mitigations (shadowing parts of /proc or /sys with bind mounts)
are useless. Those measures are still useful. As such, the shadowing
of /proc/kcore is still enabled with both LXC and native drivers.
Special care has to be taken with /proc/1/attr, which still needs to
be mounted read-write in order to enable the AppArmor profile. It is
bind-mounted from a private read-write mount of procfs.
All that enforcement is done in dockerinit. The code doing the real
work is in libcontainer. The init function for the LXC driver calls
the function from libcontainer to avoid code duplication.
Docker-DCO-1.1-Signed-off-by: Jérôme Petazzoni <jerome@docker.com> (github: jpetazzo)
Upstream-commit: 1c4202a6142d238d41f10deff1f0548f7591350b
Component: engine
Without this patch, containers inherit the open file descriptors of the daemon, so my "exec 42>&2" allows us to "echo >&42 some nasty error with some bad advice" directly into the daemon log. :)
Also, "hack/dind" was already doing this due to issues caused by the inheritance, so I'm removing that hack too since this patch obsoletes it by generalizing it for all containers.
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
Upstream-commit: d5d62ff95574a48816890d8d6e0785a79f559c3c
Component: engine
This also migrates the volumes from integration tests into the new cli
integration test framework.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
Upstream-commit: af9746412b6070063f105ae97eba1f8fbd56bd22
Component: engine
This makes container and image removal in the tests run synchronously.
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
Upstream-commit: e09274476f889c08416a819dfb28f2c425868c6b
Component: engine
