github.com/pwn-term/docker@v0.0.0-20210616085119-6e977cce2565/cli/e2e/container/run_test.go (about) 1 package container 2 3 import ( 4 "fmt" 5 "testing" 6 7 "github.com/docker/cli/e2e/internal/fixtures" 8 "github.com/docker/cli/internal/test/environment" 9 "gotest.tools/v3/assert" 10 is "gotest.tools/v3/assert/cmp" 11 "gotest.tools/v3/golden" 12 "gotest.tools/v3/icmd" 13 "gotest.tools/v3/skip" 14 ) 15 16 const registryPrefix = "registry:5000" 17 18 func TestRunAttachedFromRemoteImageAndRemove(t *testing.T) { 19 skip.If(t, environment.RemoteDaemon()) 20 21 image := createRemoteImage(t) 22 23 result := icmd.RunCommand("docker", "run", "--rm", image, 24 "echo", "this", "is", "output") 25 26 result.Assert(t, icmd.Success) 27 assert.Check(t, is.Equal("this is output\n", result.Stdout())) 28 golden.Assert(t, result.Stderr(), "run-attached-from-remote-and-remove.golden") 29 } 30 31 func TestRunWithContentTrust(t *testing.T) { 32 skip.If(t, environment.RemoteDaemon()) 33 34 dir := fixtures.SetupConfigFile(t) 35 defer dir.Remove() 36 image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-run", "latest") 37 38 defer func() { 39 icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success) 40 }() 41 42 result := icmd.RunCmd( 43 icmd.Command("docker", "run", image), 44 fixtures.WithConfig(dir.Path()), 45 fixtures.WithTrust, 46 fixtures.WithNotary, 47 ) 48 result.Assert(t, icmd.Expected{ 49 Err: fmt.Sprintf("Tagging %s@sha", image[:len(image)-7]), 50 }) 51 } 52 53 func TestUntrustedRun(t *testing.T) { 54 dir := fixtures.SetupConfigFile(t) 55 defer dir.Remove() 56 image := registryPrefix + "/alpine:untrusted" 57 // tag the image and upload it to the private registry 58 icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success) 59 defer func() { 60 icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success) 61 }() 62 63 // try trusted run on untrusted tag 64 result := icmd.RunCmd( 65 icmd.Command("docker", "run", image), 66 fixtures.WithConfig(dir.Path()), 67 fixtures.WithTrust, 68 fixtures.WithNotary, 69 ) 70 result.Assert(t, icmd.Expected{ 71 ExitCode: 125, 72 Err: "does not have trust data for", 73 }) 74 } 75 76 func TestTrustedRunFromBadTrustServer(t *testing.T) { 77 evilImageName := registryPrefix + "/evil-alpine:latest" 78 dir := fixtures.SetupConfigFile(t) 79 defer dir.Remove() 80 81 // tag the image and upload it to the private registry 82 icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName), 83 fixtures.WithConfig(dir.Path()), 84 ).Assert(t, icmd.Success) 85 icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName), 86 fixtures.WithConfig(dir.Path()), 87 fixtures.WithPassphrase("root_password", "repo_password"), 88 fixtures.WithTrust, 89 fixtures.WithNotary, 90 ).Assert(t, icmd.Success) 91 icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success) 92 93 // try run 94 icmd.RunCmd(icmd.Command("docker", "run", evilImageName), 95 fixtures.WithConfig(dir.Path()), 96 fixtures.WithTrust, 97 fixtures.WithNotary, 98 ).Assert(t, icmd.Success) 99 icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success) 100 101 // init a client with the evil-server and a new trust dir 102 evilNotaryDir := fixtures.SetupConfigWithNotaryURL(t, "evil-test", fixtures.EvilNotaryURL) 103 defer evilNotaryDir.Remove() 104 105 // tag the same image and upload it to the private registry but signed with evil notary server 106 icmd.RunCmd(icmd.Command("docker", "tag", fixtures.AlpineImage, evilImageName), 107 fixtures.WithConfig(evilNotaryDir.Path()), 108 ).Assert(t, icmd.Success) 109 icmd.RunCmd(icmd.Command("docker", "image", "push", evilImageName), 110 fixtures.WithConfig(evilNotaryDir.Path()), 111 fixtures.WithPassphrase("root_password", "repo_password"), 112 fixtures.WithTrust, 113 fixtures.WithNotaryServer(fixtures.EvilNotaryURL), 114 ).Assert(t, icmd.Success) 115 icmd.RunCmd(icmd.Command("docker", "image", "rm", evilImageName)).Assert(t, icmd.Success) 116 117 // try running with the original client from the evil notary server. This should failed 118 // because the new root is invalid 119 icmd.RunCmd(icmd.Command("docker", "run", evilImageName), 120 fixtures.WithConfig(dir.Path()), 121 fixtures.WithTrust, 122 fixtures.WithNotaryServer(fixtures.EvilNotaryURL), 123 ).Assert(t, icmd.Expected{ 124 ExitCode: 125, 125 Err: "could not rotate trust to a new trusted root", 126 }) 127 } 128 129 // TODO: create this with registry API instead of engine API 130 func createRemoteImage(t *testing.T) string { 131 image := registryPrefix + "/alpine:test-run-pulls" 132 icmd.RunCommand("docker", "pull", fixtures.AlpineImage).Assert(t, icmd.Success) 133 icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success) 134 icmd.RunCommand("docker", "push", image).Assert(t, icmd.Success) 135 icmd.RunCommand("docker", "rmi", image).Assert(t, icmd.Success) 136 return image 137 } 138 139 func TestRunWithCgroupNamespace(t *testing.T) { 140 environment.SkipIfDaemonNotLinux(t) 141 environment.SkipIfCgroupNamespacesNotSupported(t) 142 143 result := icmd.RunCommand("docker", "run", "--cgroupns=private", "--rm", fixtures.AlpineImage, 144 "/bin/grep", "-q", "':memory:/$'", "/proc/1/cgroup") 145 result.Assert(t, icmd.Success) 146 }