Add tests to ensure docker is configured correctly when optionals are…

… enabled
Netflix · Aug 16, 2018 · 1b8631c · 1b8631c
1 parent b8fb1c0
commit 1b8631c
Show file tree

Hide file tree

Showing 2 changed files with 83 additions and 2 deletions.
diff --git a/executor/runtime/docker/capabilities_test.go b/executor/runtime/docker/capabilities_test.go
@@ -0,0 +1,80 @@
+package docker
+
+import (
+	"testing"
+
+	"github.com/Netflix/titus-executor/api/netflix/titus"
+	runtimeTypes "github.com/Netflix/titus-executor/executor/runtime/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/gogo/protobuf/proto"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDefaultProfile(t *testing.T) {
+	c := runtimeTypes.Container{
+		TitusInfo: &titus.ContainerInfo{},
+	}
+	hostConfig := container.HostConfig{}
+
+	assert.NoError(t, setupAdditionalCapabilities(&c, &hostConfig))
+
+	assert.Len(t, hostConfig.CapAdd, 0)
+	assert.Len(t, hostConfig.CapDrop, 0)
+	assert.Len(t, hostConfig.SecurityOpt, 1)
+}
+
+func TestFuseProfile(t *testing.T) {
+	c := runtimeTypes.Container{
+		TitusInfo: &titus.ContainerInfo{
+			PassthroughAttributes: map[string]string{
+				runtimeTypes.FuseEnabledParam: "true",
+			},
+		},
+	}
+	hostConfig := container.HostConfig{}
+
+	assert.NoError(t, setupAdditionalCapabilities(&c, &hostConfig))
+
+	assert.Contains(t, hostConfig.CapAdd, "SYS_ADMIN")
+	assert.Len(t, hostConfig.CapDrop, 0)
+	assert.Len(t, hostConfig.SecurityOpt, 2)
+	assert.Contains(t, hostConfig.SecurityOpt, "apparmor:docker-fuse")
+}
+
+func TestNestedContainerProfile(t *testing.T) {
+	c := runtimeTypes.Container{
+		Env: map[string]string{},
+		TitusInfo: &titus.ContainerInfo{
+			AllowNestedContainers: proto.Bool(true),
+		},
+	}
+	hostConfig := container.HostConfig{}
+
+	assert.NoError(t, setupAdditionalCapabilities(&c, &hostConfig))
+
+	assert.Contains(t, hostConfig.CapAdd, "SYS_ADMIN")
+	assert.Len(t, hostConfig.CapDrop, 0)
+	assert.Len(t, hostConfig.SecurityOpt, 2)
+	assert.Contains(t, hostConfig.SecurityOpt, "apparmor:docker-nested")
+
+}
+
+func TestFuseAndNestedContainerProfileProfile(t *testing.T) {
+	c := runtimeTypes.Container{
+		Env: map[string]string{},
+		TitusInfo: &titus.ContainerInfo{
+			AllowNestedContainers: proto.Bool(true),
+			PassthroughAttributes: map[string]string{
+				runtimeTypes.FuseEnabledParam: "true",
+			},
+		},
+	}
+	hostConfig := container.HostConfig{}
+
+	assert.NoError(t, setupAdditionalCapabilities(&c, &hostConfig))
+
+	assert.Contains(t, hostConfig.CapAdd, "SYS_ADMIN")
+	assert.Len(t, hostConfig.CapDrop, 0)
+	assert.Len(t, hostConfig.SecurityOpt, 2)
+	assert.Contains(t, hostConfig.SecurityOpt, "apparmor:docker-nested")
+}
diff --git a/executor/runtime/types/types.go b/executor/runtime/types/types.go
@@ -23,7 +23,8 @@ import (
 
 const (
 	hostnameStyleParam = "titusParameter.agent.hostnameStyle"
-	fuseEnabledParam   = "titusParameter.agent.fuseEnabled"
+	// FuseEnabledParam is a container atttribute set to enable FUSE
+	FuseEnabledParam = "titusParameter.agent.fuseEnabled"
 )
 
 // ErrMissingIAMRole indicates that the Titus job was submitted without an IAM role
@@ -250,7 +251,7 @@ func (c *Container) ComputeHostname() (string, error) {
 
 // GetFuseEnabled determines whether the container has FUSE devices exposed to it
 func (c *Container) GetFuseEnabled() (bool, error) {
-	fuseEnabledStr, ok := c.TitusInfo.GetPassthroughAttributes()[fuseEnabledParam]
+	fuseEnabledStr, ok := c.TitusInfo.GetPassthroughAttributes()[FuseEnabledParam]
 	if !ok {
 		return false, nil
 	}