diff options
author | Matt Clay <matt@mystile.com> | 2018-08-30 11:36:57 -0700 |
---|---|---|
committer | Matt Clay <matt@mystile.com> | 2018-09-05 19:21:48 -0700 |
commit | fb153e4da79a5fff0517013a4a192b138e49ea30 (patch) | |
tree | 1de2f6ef9fc3a4ca94d2a67ed2c16ace4b755b9c | |
parent | 339d064584f08aa5ec9ea04137de2ae641fe5ee6 (diff) | |
download | ansible-fb153e4da79a5fff0517013a4a192b138e49ea30.tar.gz |
Add seccomp support to ansible-test.
(cherry picked from commit c1173a2aecf4075f1e550b131359989fb260604b)
-rw-r--r-- | test/runner/completion/docker.txt | 16 | ||||
-rw-r--r-- | test/runner/lib/config.py | 5 | ||||
-rw-r--r-- | test/runner/lib/delegation.py | 3 | ||||
-rwxr-xr-x | test/runner/test.py | 6 |
4 files changed, 22 insertions, 8 deletions
diff --git a/test/runner/completion/docker.txt b/test/runner/completion/docker.txt index dc673cd27d..d85ba96f99 100644 --- a/test/runner/completion/docker.txt +++ b/test/runner/completion/docker.txt @@ -1,11 +1,11 @@ default name=ansible/ansible:default@sha256:b651e5964e192c12ef574646a9c724e72fd94615d37d47ffad986408b2097a07 -centos6 name=quay.io/ansible/centos6-test-container:1.4.0 -centos7 name=quay.io/ansible/centos7-test-container:1.4.0 -fedora24 name=quay.io/ansible/fedora24-test-container:1.4.0 -fedora25 name=quay.io/ansible/fedora25-test-container:1.4.0 +centos6 name=quay.io/ansible/centos6-test-container:1.4.0 seccomp=unconfined +centos7 name=quay.io/ansible/centos7-test-container:1.4.0 seccomp=unconfined +fedora24 name=quay.io/ansible/fedora24-test-container:1.4.0 seccomp=unconfined +fedora25 name=quay.io/ansible/fedora25-test-container:1.4.0 seccomp=unconfined fedora26py3 name=quay.io/ansible/fedora26py3-test-container:1.4.0 fedora27py3 name=quay.io/ansible/fedora27py3-test-container:1.4.0 -opensuse42.3 name=quay.io/ansible/opensuse42.3-test-container:1.4.0 -ubuntu1404 name=quay.io/ansible/ubuntu1404-test-container:1.4.0 -ubuntu1604 name=quay.io/ansible/ubuntu1604-test-container:1.4.0 -ubuntu1604py3 name=quay.io/ansible/ubuntu1604py3-test-container:1.4.0 +opensuse42.3 name=quay.io/ansible/opensuse42.3-test-container:1.4.0 seccomp=unconfined +ubuntu1404 name=quay.io/ansible/ubuntu1404-test-container:1.4.0 seccomp=unconfined +ubuntu1604 name=quay.io/ansible/ubuntu1604-test-container:1.4.0 seccomp=unconfined +ubuntu1604py3 name=quay.io/ansible/ubuntu1604py3-test-container:1.4.0 seccomp=unconfined diff --git a/test/runner/lib/config.py b/test/runner/lib/config.py index 6e2356cd25..0cc34f21d3 100644 --- a/test/runner/lib/config.py +++ b/test/runner/lib/config.py @@ -11,6 +11,7 @@ from lib.util import ( docker_qualify_image, find_python, generate_pip_command, + get_docker_completion, ) from lib.metadata import ( @@ -46,8 +47,12 @@ class EnvironmentConfig(CommonConfig): self.docker_privileged = args.docker_privileged if 'docker_privileged' in args else False # type: bool self.docker_pull = args.docker_pull if 'docker_pull' in args else False # type: bool self.docker_keep_git = args.docker_keep_git if 'docker_keep_git' in args else False # type: bool + self.docker_seccomp = args.docker_seccomp if 'docker_seccomp' in args else None # type: str self.docker_memory = args.docker_memory if 'docker_memory' in args else None + if self.docker_seccomp is None: + self.docker_seccomp = get_docker_completion().get(self.docker_raw, {}).get('seccomp', 'default') + self.tox_sitepackages = args.tox_sitepackages # type: bool self.remote_stage = args.remote_stage # type: str diff --git a/test/runner/lib/delegation.py b/test/runner/lib/delegation.py index 8bde6ab270..31ca253dec 100644 --- a/test/runner/lib/delegation.py +++ b/test/runner/lib/delegation.py @@ -238,6 +238,9 @@ def delegate_docker(args, exclude, require, integration_targets): docker_socket = '/var/run/docker.sock' + if args.docker_seccomp != 'default': + test_options += ['--security-opt', 'seccomp=%s' % args.docker_seccomp] + if os.path.exists(docker_socket): test_options += ['--volume', '%s:%s' % (docker_socket, docker_socket)] diff --git a/test/runner/test.py b/test/runner/test.py index 95bb33f3a1..1546c7900c 100755 --- a/test/runner/test.py +++ b/test/runner/test.py @@ -651,6 +651,12 @@ def add_extra_docker_options(parser, integration=True): action='store_true', help='transfer git related files into the docker container') + docker.add_argument('--docker-seccomp', + metavar='SC', + choices=('default', 'unconfined'), + default=None, + help='set seccomp confinement for the test container: %(choices)s') + if not integration: return |