Running Moby Tests as Unprivileged User #46387
-
I work at a Linux distribution in software packaging and I've recently undertaken to package docker-24.0.5. In brief, we build moby and docker/cli from source using the golang provided from our own package repositories. We then execute the test suite from both moby and docker to validate that the build was successful. However, there are a large number of moby tests which expect to be run with root privileges. I've fixed this by using a patch to inject I'd like some guidance on what, if anything, the project would like to see in these patches. I can think of three ways to accomplish this, though presumably there are more.
Let me know what you think! |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments
-
I expect most developers will run the test-suites docker-in-docker, in which case the tests run as Given that the full test-suite takes a long time to run, I expect most people working on the code to only be running unit-tests, or (if integration tests are needed to verify changes) to run a limited set of integration tests, using the make BIND_DIR=. DOCKER_GRAPHDRIVER=vfs TEST_FILTER=TestInfoAPI test-integration w.r.t. the Skips themselves; because of all of the above, it's not unlikely that there are Unfortunately there are many of such (contributions in that area are very much appreciated as well, but I realize those can be a bit of a chore to do ❤️)
Contributions are always welcome! If they are generic patches, and benefit the project as a whole, we would definitely accept them.
Perhaps you can enlighten me a bit on this part. Is there a specific reason why To give a bit of context: we do have environment variables in various places to control things. Honestly, we have "too many" of them. Many environment variables were added in the past, and either are no longer really relevant, or we lost track "why" they were, and as a result it's easy to continue "preserving them" (they must be there for a reason... right?), which can result in things becoming more complicated than they need to be (lots of bash.. lots of bash to set up things). So where possible we want to (try to) make these tests "just work", and detect whether they should be skipped (or not) using test-utilities, instead of having to be run with "magic" environment variables. That's not to say we don't allow new environment-variables to be introduced, but just that we need to check the alternatives to decide what makes most sense (which will differ for each case). If (with the above in mind) there's still reasons why an environment variable would be beneficial, then we could The most basic (if we expected "privileged" to be the default, could be to check for non-empty values (any value set to be considered func IsUnprivileged() bool {
if val := os.GetEnv("UNPRIVILEGED"); val != "" {
return true
}
return os.GetUID() != 0
} If we need for func IsUnprivileged(t testing.T) bool {
t.Helper()
if val := os.GetEnv("UNPRIVILEGED"); val != "" {
ok, err := strconv.ParseBool(val)
if err != nil {
t.Log("failed to parse $UNPRIVILEGED (%s): %v", val, err)
}
return ok
}
return os.GetUID() != 0
} If course, the reverse could also be true (assume "unprivileged"), I guess that part is to be discussed 😅 |
Beta Was this translation helpful? Give feedback.
-
Thanks for your time in response! It's good to hear that contributions are welcome! I find it helpful to talk about what I want to do first, before submitting a PR, since it can shape the contribution to something the project is happy with. There isn't anything incorrect about using I don't expect anybody to audit their tests to make sure they don't require privileges to run. As package maintainers take new versions of moby we can add those conditional skips in our vendor patches, and contribute them back upstream as they're found. |
Beta Was this translation helpful? Give feedback.
I expect most developers will run the test-suites docker-in-docker, in which case the tests run as
root
inside the container (which could be either "actual"root
, or a "remapped"root
(with user-namespaces enabled)). Some users may be running tests directly on "bare-metal" (not docker-in-docker), so for those, the skips may be relevant.Given that the full test-suite takes a long time to run, I expect most people working on the code to only be running unit-tests, or (if inte…