github.com/pwn-term/docker@v0.0.0-20210616085119-6e977cce2565/cli/e2e/container/run_test.go (about)

     1  package container
     2  
     3  import (
     4  	"fmt"
     5  	"testing"
     6  
     7  	"github.com/docker/cli/e2e/internal/fixtures"
     8  	"github.com/docker/cli/internal/test/environment"
     9  	"gotest.tools/v3/assert"
    10  	is "gotest.tools/v3/assert/cmp"
    11  	"gotest.tools/v3/golden"
    12  	"gotest.tools/v3/icmd"
    13  	"gotest.tools/v3/skip"
    14  )
    15  
// registryPrefix is the host:port that image names in this file are prefixed
// with, so that they refer to the registry the tests tag and push to.
const registryPrefix = "registry:5000"
    17  
// TestRunAttachedFromRemoteImageAndRemove runs a container with --rm from the
// image returned by createRemoteImage. It requires the command to succeed,
// checks the container's stdout exactly, and compares the CLI's stderr with a
// golden file. The test is skipped when the daemon is remote.
func TestRunAttachedFromRemoteImageAndRemove(t *testing.T) {
	skip.If(t, environment.RemoteDaemon())

	remoteImage := createRemoteImage(t)
	const wantStdout = "this is output\n"

	res := icmd.RunCommand("docker", "run", "--rm", remoteImage, "echo", "this", "is", "output")
	res.Assert(t, icmd.Success)

	assert.Check(t, is.Equal(wantStdout, res.Stdout()))
	golden.Assert(t, res.Stderr(), "run-attached-from-remote-and-remove.golden")
}
    30  
// TestRunWithContentTrust runs an image created by
// fixtures.CreateMaskedTrustedRemoteImage with the trust and notary options
// applied to the docker command, and expects stderr to contain a message of
// the form "Tagging <name>@sha" (presumably the digest the tag resolved to).
// The test is skipped when the daemon is remote.
func TestRunWithContentTrust(t *testing.T) {
	skip.If(t, environment.RemoteDaemon())

	configDir := fixtures.SetupConfigFile(t)
	defer configDir.Remove()

	image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-run", "latest")
	defer func() {
		// Remove the local image again once the test is done.
		icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
	}()

	runCmd := icmd.Command("docker", "run", image)
	res := icmd.RunCmd(runCmd,
		fixtures.WithConfig(configDir.Path()),
		fixtures.WithTrust,
		fixtures.WithNotary,
	)

	// The expected message names the image without its last seven characters.
	// NOTE(review): seven is the length of ":latest", so this presumably strips
	// the tag passed to the fixture above; confirm against the fixture.
	const tagSuffixLen = 7
	nameWithoutTag := image[:len(image)-tagSuffixLen]
	res.Assert(t, icmd.Expected{
		Err: fmt.Sprintf("Tagging %s@sha", nameWithoutTag),
	})
}
    52  
// TestUntrustedRun checks that "docker run" with the trust options applied
// refuses a tag that has no trust data: the command must exit with status 125
// and report "does not have trust data for" on stderr.
func TestUntrustedRun(t *testing.T) {
	configDir := fixtures.SetupConfigFile(t)
	defer configDir.Remove()

	untrusted := registryPrefix + "/alpine:untrusted"

	// Give the Alpine fixture image the registry-qualified tag. Only a local
	// tag is created here; nothing in this test pushes or signs it.
	icmd.RunCommand("docker", "tag", fixtures.AlpineImage, untrusted).Assert(t, icmd.Success)
	defer func() {
		icmd.RunCommand("docker", "image", "rm", untrusted).Assert(t, icmd.Success)
	}()

	// Run with trust enabled against the unsigned tag; this must be rejected.
	refused := icmd.Expected{
		ExitCode: 125,
		Err:      "does not have trust data for",
	}
	runCmd := icmd.Command("docker", "run", untrusted)
	icmd.RunCmd(runCmd,
		fixtures.WithConfig(configDir.Path()),
		fixtures.WithTrust,
		fixtures.WithNotary,
	).Assert(t, refused)
}
    75  
// TestTrustedRunFromBadTrustServer checks that a client which has already run
// an image with trust enabled refuses the same image name once its trust data
// is served by a different notary server (fixtures.EvilNotaryURL): the final
// run must exit with status 125 and report "could not rotate trust to a new
// trusted root".
func TestTrustedRunFromBadTrustServer(t *testing.T) {
	evilImageName := registryPrefix + "/evil-alpine:latest"
	dir := fixtures.SetupConfigFile(t)
	defer dir.Remove()

	// Steps that recur below: tag the Alpine fixture as evilImageName using a
	// given config directory, and remove the local image.
	tagWithConfig := func(configPath string) {
		icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName),
			fixtures.WithConfig(configPath),
		).Assert(t, icmd.Success)
	}
	removeLocalImage := func() {
		icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success)
	}

	// Phase 1: tag the image and push it, signed, with the original client.
	tagWithConfig(dir.Path())
	signedPush := icmd.Command("docker", "image", "push", evilImageName)
	icmd.RunCmd(signedPush,
		fixtures.WithConfig(dir.Path()),
		fixtures.WithPassphrase("root_password", "repo_password"),
		fixtures.WithTrust,
		fixtures.WithNotary,
	).Assert(t, icmd.Success)
	removeLocalImage()

	// Phase 2: a trusted run with the original client must succeed.
	firstRun := icmd.Command("docker", "run", evilImageName)
	icmd.RunCmd(firstRun,
		fixtures.WithConfig(dir.Path()),
		fixtures.WithTrust,
		fixtures.WithNotary,
	).Assert(t, icmd.Success)
	removeLocalImage()

	// Phase 3: set up a second client with its own trust directory that
	// points at the evil notary server.
	evilNotaryDir := fixtures.SetupConfigWithNotaryURL(t, "evil-test", fixtures.EvilNotaryURL)
	defer evilNotaryDir.Remove()

	// Tag the same image again and push it under the same name, this time
	// signed through the evil notary server.
	tagWithConfig(evilNotaryDir.Path())
	evilPush := icmd.Command("docker", "image", "push", evilImageName)
	icmd.RunCmd(evilPush,
		fixtures.WithConfig(evilNotaryDir.Path()),
		fixtures.WithPassphrase("root_password", "repo_password"),
		fixtures.WithTrust,
		fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
	).Assert(t, icmd.Success)
	removeLocalImage()

	// Phase 4: run with the original client's config against the evil notary
	// server. This should fail because the new root is invalid.
	rejected := icmd.Expected{
		ExitCode: 125,
		Err:      "could not rotate trust to a new trusted root",
	}
	secondRun := icmd.Command("docker", "run", evilImageName)
	icmd.RunCmd(secondRun,
		fixtures.WithConfig(dir.Path()),
		fixtures.WithTrust,
		fixtures.WithNotaryServer(fixtures.EvilNotaryURL),
	).Assert(t, rejected)
}
   128  
// createRemoteImage pulls the Alpine fixture image, tags it under
// registryPrefix as alpine:test-run-pulls, pushes that tag, removes the local
// tag again, and returns the tag. Every docker command must succeed.
//
// TODO: create this with registry API instead of engine API
func createRemoteImage(t *testing.T) string {
	remote := registryPrefix + "/alpine:test-run-pulls"

	// The docker subcommands, in the order they have to run.
	steps := [][]string{
		{"pull", fixtures.AlpineImage},
		{"tag", fixtures.AlpineImage, remote},
		{"push", remote},
		{"rmi", remote},
	}
	for _, args := range steps {
		icmd.RunCommand("docker", args...).Assert(t, icmd.Success)
	}
	return remote
}
   138  
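// TestRunWithCgroupNamespace runs a container with --cgroupns=private and
// checks, from inside the container, that /proc/1/cgroup has a line ending in
// ":memory:/". The test is skipped when the daemon is not Linux or does not
// support cgroup namespaces.
func TestRunWithCgroupNamespace(t *testing.T) {
	environment.SkipIfDaemonNotLinux(t)
	environment.SkipIfCgroupNamespacesNotSupported(t)

	// The pattern reaches grep as a plain argv element: no shell is involved
	// between icmd.RunCommand and the container process, so quote characters
	// placed inside the Go string would become part of the regular expression
	// and the pattern could never match a cgroup line.
	// NOTE(review): a ":memory:" line is the cgroup v1 layout; confirm what the
	// hosts running this test expose.
	result := icmd.RunCommand("docker", "run", "--cgroupns=private", "--rm", fixtures.AlpineImage,
		"/bin/grep", "-q", ":memory:/$", "/proc/1/cgroup")
	result.Assert(t, icmd.Success)
}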