- Add build tags
- Fixes a bug because of my negligence
- Improve the test case of selinux
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
test
Since sandboxes which use the host network have no network namespace path this
would result in an invalid invocation of nsenter.
Rework the fetching of the sandbox to take this into account and also avoid
trying to get an IP when the network plugin is not yet ready.
Fixes #245.
Signed-off-by: Ian Campbell <ijc@docker.com>
This pulls in and uses github.com/docker/docker/pkg/chrootarchive for the
actual copy up which is some battle hardened code to unpack avoiding things
like symlink traversal security issues.
However it does pull in a pretty huge pile of vendoring, including
github.com/docker/docker/pkg/reexec which we must then call at startup. It's
not immediately clear that this tradeoff is the correct one.
Signed-off-by: Ian Campbell <ijc@docker.com>
Mount with `rshared`, the host path should be shared.
Mount with `rslave`, the host path should be shared or slave.
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
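The `rshared`/`rslave` rule in the commit message above can be checked against the optional fields of `/proc/self/mountinfo`. The sketch below is an added example, not the project's own code; the function names `propagationOf` and `checkPropagation` are hypothetical and the mountinfo sample is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed /proc/self/mountinfo sample, not captured from a real host.
const sampleMountinfo = `22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 8:2 / /data rw,relatime master:1 - ext4 /dev/sda2 rw
41 22 8:3 / /private rw,relatime - ext4 /dev/sda3 rw`

// propagationOf (hypothetical helper) returns the optional fields, such as
// shared:N or master:N, of the longest mount point that contains hostPath.
func propagationOf(mountinfo, hostPath string) []string {
	best, opts := "", []string(nil)
	for _, line := range strings.Split(mountinfo, "\n") {
		f := strings.Fields(line)
		if len(f) < 7 {
			continue
		}
		mp := f[4]
		inside := mp == "/" || hostPath == mp || strings.HasPrefix(hostPath, mp+"/")
		if !inside || len(mp) < len(best) {
			continue
		}
		end := 6 // optional fields run from index 6 up to the "-" separator
		for end < len(f) && f[end] != "-" {
			end++
		}
		best, opts = mp, f[6:end]
	}
	return opts
}

// checkPropagation (hypothetical) applies the rule from the commit message.
func checkPropagation(mountinfo, hostPath, mode string) error {
	joined := " " + strings.Join(propagationOf(mountinfo, hostPath), " ")
	shared := strings.Contains(joined, " shared:")
	slave := strings.Contains(joined, " master:")
	if mode == "rshared" && !shared {
		return fmt.Errorf("%s: host mount is not shared", hostPath)
	}
	if mode == "rslave" && !shared && !slave {
		return fmt.Errorf("%s: host mount is neither shared nor slave", hostPath)
	}
	return nil
}

func main() { fmt.Println(checkPropagation(sampleMountinfo, "/data/vol", "rshared")) }
```

The prefix match compares whole path components, so `/database` resolves to the `/` mount rather than `/data`.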
This is needed by runc to mount volume for containers that expect
bidirectional file updates or host to container updates.
Signed-off-by: Abhinandan Prativadi <abhi@docker.com>
This is achieved by switching `assert.NoError` to `require.NoError` in several
places.
Otherwise the test code will continue and dereference a nil spec, leading to a
panic which obscures the real failure.
Signed-off-by: Ian Campbell <ijc@docker.com>
This will be made readonly by runc based on spec.Root.Readonly (which we
already set correctly) but deferring until then gives runc the chance to make
any missing mount points as it processes the spec.Mount array.
This is necessary because many container images lack mount points for things
like the /etc/hosts which we want to overbind. This is not noticed with e.g.
Docker because it automatically creates an additional layer containing those.
This is something we may want to do here as well eventually but for now using a
writeable snapshot is both necessary and sufficient.
The same does not apply to the sandbox since we never modify its rootfs or want
to mount anything in it etc, add a comment to clarify.
Fixes #220.
Signed-off-by: Ian Campbell <ijc@docker.com>
This avoids errors such as:
spec: invalid environment variable "JAVA_OPTS=-Djava.security.egd=file:/dev/urandom"
Use SplitN(2) to get the envvar name and value while allowing the value to
contain `=`.
Add some variables to the test data which have one or more `=` in the value.
Since this makes the resulting list of variables to check rather long split the
check in two and check the container config and image config derived values
independently.
Signed-off-by: Ian Campbell <ijc@docker.com>