add container arguments to specify SELinux contexts for mounts #334
Changes from 2 commits
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
package org.testcontainers.containers; | ||
|
||
import com.github.dockerjava.api.model.SELContext; | ||
|
||
/** | ||
* Possible contexts for use with SELinux | ||
*/ | ||
public enum SelinuxContext { | ||
SHARED(SELContext.shared), SINGLE(SELContext.single), NONE(SELContext.none); | ||
|
||
public final SELContext selContext; | ||
Review comment: FYI since we use Lombok, you can remove "public final" and the constructor and just add a single
Review comment: oh. my. word. Where has Lombok been all my life? This is amazing. Although
Review comment: how about private modifier and
Review comment: ping
Review comment: @cainj13 ping :) |
||
|
||
SelinuxContext(final SELContext selContext) { | ||
this.selContext = selContext; | ||
} | ||
} |
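Review bot: The Javadoc on SelinuxContext ("Possible contexts for use with SELinux") does not say what SHARED, SINGLE and NONE each do to the mounted path, so a caller cannot tell from this file which constant corresponds to the :Z option discussed in the comments on this PR; add a one-line Javadoc per constant. The public selContext field also exposes the docker-java SELContext type as part of this enum's API; a private field with a getter would keep that dependency easier to change.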
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -25,6 +25,8 @@ | |
|
||
import static org.rnorth.visibleassertions.VisibleAssertions.*; | ||
import static org.testcontainers.containers.BindMode.READ_ONLY; | ||
import static org.testcontainers.containers.BindMode.READ_WRITE; | ||
import static org.testcontainers.containers.SelinuxContext.SHARED; | ||
|
||
/** | ||
* Tests for GenericContainerRules | ||
|
@@ -101,6 +103,15 @@ public static void setupContent() throws FileNotFoundException { | |
.withClasspathResourceMapping("mappable-resource/test-resource.txt", "/content.txt", READ_ONLY) | ||
.withCommand("/bin/sh", "-c", "while true; do cat /content.txt | nc -l -p 80; done"); | ||
|
||
/** | ||
* Map a file on the classpath to a file in the container, and then expose the content for testing. | ||
*/ | ||
@ClassRule | ||
public static GenericContainer alpineClasspathResourceSelinx = new GenericContainer("alpine:3.2") | ||
Review comment: typo. |
||
.withExposedPorts(80) | ||
.withClasspathResourceMapping("mappable-resource/test-resource.txt", "/content.txt", READ_WRITE, SHARED) | ||
.withCommand("/bin/sh", "-c", "while true; do cat /content.txt | nc -l -p 80; done"); | ||
Review comment: Would be helpful to test SELinux mode. Right now these new tests will pass even if we drop selinuxContext passing.
Review comment: True story. Not sure how I'd actually go about doing that other than inspecting the assigned SELinux type in the running container or on the host machine. Any suggestions as to how I might inspect that? I'm assuming we don't want our test to call 'inspect'... |
||
|
||
/** | ||
* Create a container with an extra host entry and expose the content of /etc/hosts for testing. | ||
*/ | ||
|
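Review bot: In alpineClasspathResourceSelinx the mapping differs from the fixture directly above in two ways at once, READ_ONLY becomes READ_WRITE and SHARED is added, so a failure in the new test cannot be attributed to the SELinux argument alone. Keep READ_ONLY here (or add a separate READ_WRITE fixture) so that SHARED is the only variable, and update the copied Javadoc to say that this rule exercises the SELinux context argument.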
@@ -203,6 +214,15 @@ public void customClasspathResourceMappingTest() throws IOException { | |
assertEquals("Resource on the classpath can be mapped using calls to withClasspathResourceMapping", "FOOBAR", line); | ||
} | ||
|
||
@Test | ||
public void customClasspathResourceMappingWithSelinuxTest() throws IOException { | ||
Review comment: I'm not an SELinux expert, but maybe this might help?
Review comment: Sure, we can get the labeled context on the container (provided we use a beefier image with SELinux utils installed), but I thought the :Z option used some host configs to label it as the correct type. Wouldn't this also require knowledge of some SELinux context on the host to make sure they match? Thought we'd want to avoid having to interrogate/put dependencies on the host. |
||
// Note: This functionality doesn't work if you are running your build inside a Docker container; | ||
Review comment: I think this comment is outdated and should not be used here |
||
// in that case this test will fail. | ||
String line = getReaderForContainerPort80(alpineClasspathResourceSelinx).readLine(); | ||
|
||
assertEquals("Resource on the classpath can be mapped using calls to withClasspathResourceMappingSelinux", "FOOBAR", line); | ||
} | ||
|
||
@Test | ||
public void exceptionThrownWhenMappedPortNotFound() throws IOException { | ||
assertThrows("When the requested port is not mapped, getMappedPort() throws an exception", | ||
|
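Review bot: The assertion message in customClasspathResourceMappingWithSelinuxTest names withClasspathResourceMappingSelinux, but the fixture added in this patch calls withClasspathResourceMapping with an extra SHARED argument; the message should name the method actually under test. The check itself, assertEquals(..., "FOOBAR", line), is the same content check as customClasspathResourceMappingTest above, so it does not distinguish a mount made with SHARED from one made without it.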
Review comment: Could you please add a new line after every entry?