SEND CAPABILITY IDS TO LXC #10152

ashahab-altiscale · 2015-01-17T02:35:12Z

Sending capability ids instead of capability names ot LXC for --cap-add and --cap-drop.
Also fixed tests.

Docker-DCO-1.1-Signed-off-by: Abin Shahab ashahab@altiscale.com (github: ashahab-altiscale)

Sending capability ids instead of capability names ot LXC for --cap-add and --cap-drop. Also fixed tests. Docker-DCO-1.1-Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)

ashahab-altiscale · 2015-01-17T05:49:39Z

@jfrazelle @crosbymichael @unclejack @dineshs-altiscale

jessfraz · 2015-01-17T22:25:58Z

@ashahab-altiscale Thanks so much for the continual effort of fixing the tests :)

Do you think there is a way to check the output differently for these so that it works for lxc as well, because it looks like they should be passing:

--- FAIL: TestRunCapDropCannotMknod (0.87s)
    docker_cli_run_test.go:962: <nil> ok

--- FAIL: TestRunCapDropCannotMknodLowerCase (1.11s)
    docker_cli_run_test.go:977: <nil> ok

--- FAIL: TestRunCapDropALLCannotMknod (1.14s)
    docker_cli_run_test.go:992: <nil> ok

--- FAIL: TestRunCapAddALLDropNetAdminCanDownInterface (1.13s)
    docker_cli_run_test.go:1064: <nil> ok

--- FAIL: TestRunUnPrivilegedCannotMount (1.10s)
    docker_cli_run_test.go:1096: <nil> ok

ashahab-altiscale · 2015-01-17T22:46:51Z

Odd, they all passed for me. I will have to check how its failing in
Jenkins. Can you send me a link?
On Jan 17, 2015 2:26 PM, "Jessie Frazelle" notifications@github.com wrote:

@ashahab-altiscale https://github.com/ashahab-altiscale Thanks so much
for the continual effort of fixing the tests :)

Do you think there is a way to check the output differently for these so
that it works for lxc as well, because it looks like they should be passing:

--- FAIL: TestRunCapDropCannotMknod (0.87s)
docker_cli_run_test.go:962: ok

--- FAIL: TestRunCapDropCannotMknodLowerCase (1.11s)
docker_cli_run_test.go:977: ok

--- FAIL: TestRunCapDropALLCannotMknod (1.14s)
docker_cli_run_test.go:992: ok

--- FAIL: TestRunCapAddALLDropNetAdminCanDownInterface (1.13s)
docker_cli_run_test.go:1064: ok

--- FAIL: TestRunUnPrivilegedCannotMount (1.10s)
docker_cli_run_test.go:1096: ok

—
Reply to this email directly or view it on GitHub
#10152 (comment).

jessfraz · 2015-01-17T22:48:55Z

Oh I tested locally not on Jenkins. I am on Debian with Btrfs, but idk if
that could have anything to do with it.

On Sat, Jan 17, 2015 at 2:47 PM, Abin Shahab notifications@github.com
wrote:

Odd, they all passed for me. I will have to check how its failing in
Jenkins. Can you send me a link?
On Jan 17, 2015 2:26 PM, "Jessie Frazelle" notifications@github.com
wrote:

@ashahab-altiscale https://github.com/ashahab-altiscale Thanks so
much
for the continual effort of fixing the tests :)

Do you think there is a way to check the output differently for these so
that it works for lxc as well, because it looks like they should be
passing:

--- FAIL: TestRunCapDropCannotMknod (0.87s)
docker_cli_run_test.go:962: ok

--- FAIL: TestRunCapDropCannotMknodLowerCase (1.11s)
docker_cli_run_test.go:977: ok

--- FAIL: TestRunCapDropALLCannotMknod (1.14s)
docker_cli_run_test.go:992: ok

--- FAIL: TestRunCapAddALLDropNetAdminCanDownInterface (1.13s)
docker_cli_run_test.go:1064: ok

--- FAIL: TestRunUnPrivilegedCannotMount (1.10s)
docker_cli_run_test.go:1096: ok

—
Reply to this email directly or view it on GitHub
#10152 (comment).

—
Reply to this email directly or view it on GitHub
#10152 (comment).

ashahab-altiscale · 2015-01-17T23:18:41Z

Its not an issue with output. Its just not working. If you want to dig more
into this, you can tell lxc where to log and the log level(in
lxc/driver.go). I am thinking if I should create a patch with that feature,
which would be enabled only in debug mode.
On Jan 17, 2015 2:49 PM, "Jessie Frazelle" notifications@github.com wrote:

Oh I tested locally not on Jenkins. I am on Debian with Btrfs, but idk if
that could have anything to do with it.

On Sat, Jan 17, 2015 at 2:47 PM, Abin Shahab notifications@github.com
wrote:

Odd, they all passed for me. I will have to check how its failing in
Jenkins. Can you send me a link?
On Jan 17, 2015 2:26 PM, "Jessie Frazelle" notifications@github.com
wrote:

@ashahab-altiscale https://github.com/ashahab-altiscale Thanks so
much
for the continual effort of fixing the tests :)

Do you think there is a way to check the output differently for these
so
that it works for lxc as well, because it looks like they should be
passing:

--- FAIL: TestRunCapDropCannotMknod (0.87s)
docker_cli_run_test.go:962: ok

--- FAIL: TestRunCapDropCannotMknodLowerCase (1.11s)
docker_cli_run_test.go:977: ok

--- FAIL: TestRunCapDropALLCannotMknod (1.14s)
docker_cli_run_test.go:992: ok

--- FAIL: TestRunCapAddALLDropNetAdminCanDownInterface (1.13s)
docker_cli_run_test.go:1064: ok

--- FAIL: TestRunUnPrivilegedCannotMount (1.10s)
docker_cli_run_test.go:1096: ok

—
Reply to this email directly or view it on GitHub
#10152 (comment).

—
Reply to this email directly or view it on GitHub
#10152 (comment).

—
Reply to this email directly or view it on GitHub
#10152 (comment).

jessfraz · 2015-01-17T23:24:17Z

I'll try again thanks

On Saturday, January 17, 2015, Abin Shahab notifications@github.com wrote:

Its not an issue with output. Its just not working. If you want to dig
more
into this, you can tell lxc where to log and the log level(in
lxc/driver.go). I am thinking if I should create a patch with that
feature,
which would be enabled only in debug mode.
On Jan 17, 2015 2:49 PM, "Jessie Frazelle" <notifications@github.com
javascript:_e(%7B%7D,'cvml','notifications@github.com');> wrote:

Oh I tested locally not on Jenkins. I am on Debian with Btrfs, but idk
if
that could have anything to do with it.

On Sat, Jan 17, 2015 at 2:47 PM, Abin Shahab <notifications@github.com
javascript:_e(%7B%7D,'cvml','notifications@github.com');>
wrote:

Odd, they all passed for me. I will have to check how its failing in
Jenkins. Can you send me a link?
On Jan 17, 2015 2:26 PM, "Jessie Frazelle" <notifications@github.com
javascript:_e(%7B%7D,'cvml','notifications@github.com');>
wrote:

@ashahab-altiscale https://github.com/ashahab-altiscale Thanks so
much
for the continual effort of fixing the tests :)

Do you think there is a way to check the output differently for
these
so
that it works for lxc as well, because it looks like they should be
passing:

--- FAIL: TestRunCapDropCannotMknod (0.87s)
docker_cli_run_test.go:962: ok

--- FAIL: TestRunCapDropCannotMknodLowerCase (1.11s)
docker_cli_run_test.go:977: ok

--- FAIL: TestRunCapDropALLCannotMknod (1.14s)
docker_cli_run_test.go:992: ok

--- FAIL: TestRunCapAddALLDropNetAdminCanDownInterface (1.13s)
docker_cli_run_test.go:1064: ok

--- FAIL: TestRunUnPrivilegedCannotMount (1.10s)
docker_cli_run_test.go:1096: ok

—
Reply to this email directly or view it on GitHub
#10152 (comment).

—
Reply to this email directly or view it on GitHub
#10152 (comment).

—
Reply to this email directly or view it on GitHub
#10152 (comment).

—
Reply to this email directly or view it on GitHub
#10152 (comment).

ashahab-altiscale · 2015-01-18T04:40:05Z

Jessie,
What do you see if you try this: docker run --cap-add=ALL
--cap-drop=NET_ADMIN busybox sh -c 'ip link set eth0 down && echo ok'
(replace the docker binary with one created from "make binary" in my
branch)?

Abin

On Sat, Jan 17, 2015 at 3:25 PM, Jessie Frazelle notifications@github.com
wrote:

I'll try again thanks

On Saturday, January 17, 2015, Abin Shahab notifications@github.com
wrote:

Its not an issue with output. Its just not working. If you want to dig
more
into this, you can tell lxc where to log and the log level(in
lxc/driver.go). I am thinking if I should create a patch with that
feature,
which would be enabled only in debug mode.
On Jan 17, 2015 2:49 PM, "Jessie Frazelle" <notifications@github.com
javascript:_e(%7B%7D,'cvml','notifications@github.com');> wrote:

Oh I tested locally not on Jenkins. I am on Debian with Btrfs, but idk
if
that could have anything to do with it.

On Sat, Jan 17, 2015 at 2:47 PM, Abin Shahab <notifications@github.com
javascript:_e(%7B%7D,'cvml','notifications@github.com');>
wrote:

Odd, they all passed for me. I will have to check how its failing in
Jenkins. Can you send me a link?
On Jan 17, 2015 2:26 PM, "Jessie Frazelle" <notifications@github.com
javascript:_e(%7B%7D,'cvml','notifications@github.com');>
wrote:

@ashahab-altiscale https://github.com/ashahab-altiscale Thanks
so
much
for the continual effort of fixing the tests :)

Do you think there is a way to check the output differently for
these
so
that it works for lxc as well, because it looks like they should
be
passing:

--- FAIL: TestRunCapDropCannotMknod (0.87s)
docker_cli_run_test.go:962: ok

--- FAIL: TestRunCapDropCannotMknodLowerCase (1.11s)
docker_cli_run_test.go:977: ok

--- FAIL: TestRunCapDropALLCannotMknod (1.14s)
docker_cli_run_test.go:992: ok

--- FAIL: TestRunCapAddALLDropNetAdminCanDownInterface (1.13s)
docker_cli_run_test.go:1064: ok

--- FAIL: TestRunUnPrivilegedCannotMount (1.10s)
docker_cli_run_test.go:1096: ok

—
Reply to this email directly or view it on GitHub
#10152 (comment).

—
Reply to this email directly or view it on GitHub
#10152 (comment).

—
Reply to this email directly or view it on GitHub
#10152 (comment).

—
Reply to this email directly or view it on GitHub
#10152 (comment).

—
Reply to this email directly or view it on GitHub
#10152 (comment).

ashahab-altiscale · 2015-01-18T07:12:34Z

Actually, please also make sure there are no old docker images lurking
around. I got the same errors, but once I cleared the old images,
everything was fine. Ideally this tests should run in a machine with only
busybox.
Abin

On Sat, Jan 17, 2015 at 8:39 PM, Abin Shahab ashahab@altiscale.com wrote:

Jessie,
What do you see if you try this: docker run --cap-add=ALL
--cap-drop=NET_ADMIN busybox sh -c 'ip link set eth0 down && echo ok'
(replace the docker binary with one created from "make binary" in my
branch)?

Abin

On Sat, Jan 17, 2015 at 3:25 PM, Jessie Frazelle <notifications@github.com

wrote:

I'll try again thanks

On Saturday, January 17, 2015, Abin Shahab notifications@github.com
wrote:

Its not an issue with output. Its just not working. If you want to dig
more
into this, you can tell lxc where to log and the log level(in
lxc/driver.go). I am thinking if I should create a patch with that
feature,
which would be enabled only in debug mode.
On Jan 17, 2015 2:49 PM, "Jessie Frazelle" <notifications@github.com
javascript:_e(%7B%7D,'cvml','notifications@github.com');> wrote:

Oh I tested locally not on Jenkins. I am on Debian with Btrfs, but
idk
if
that could have anything to do with it.

On Sat, Jan 17, 2015 at 2:47 PM, Abin Shahab <
notifications@github.com
javascript:_e(%7B%7D,'cvml','notifications@github.com');>
wrote:

Odd, they all passed for me. I will have to check how its failing
in
Jenkins. Can you send me a link?
On Jan 17, 2015 2:26 PM, "Jessie Frazelle" <
notifications@github.com
javascript:_e(%7B%7D,'cvml','notifications@github.com');>
wrote:

@ashahab-altiscale https://github.com/ashahab-altiscale Thanks
so
much
for the continual effort of fixing the tests :)

Do you think there is a way to check the output differently for
these
so
that it works for lxc as well, because it looks like they should
be
passing:

--- FAIL: TestRunCapDropCannotMknod (0.87s)
docker_cli_run_test.go:962: ok

--- FAIL: TestRunCapDropCannotMknodLowerCase (1.11s)
docker_cli_run_test.go:977: ok

--- FAIL: TestRunCapDropALLCannotMknod (1.14s)
docker_cli_run_test.go:992: ok

--- FAIL: TestRunCapAddALLDropNetAdminCanDownInterface (1.13s)
docker_cli_run_test.go:1064: ok

--- FAIL: TestRunUnPrivilegedCannotMount (1.10s)
docker_cli_run_test.go:1096: ok

—
Reply to this email directly or view it on GitHub
<
https://github.com/docker/docker/pull/10152#issuecomment-70387204>.

—
Reply to this email directly or view it on GitHub
#10152 (comment).

—
Reply to this email directly or view it on GitHub
#10152 (comment).

—
Reply to this email directly or view it on GitHub
#10152 (comment).

—
Reply to this email directly or view it on GitHub
#10152 (comment).

ashahab-altiscale · 2015-01-19T17:07:07Z

@jfrazelle Any feedback on this?

jessfraz · 2015-01-19T17:18:13Z

so sorry, going back through it all now

jessfraz · 2015-01-19T17:44:00Z

I am running them again here so it is easier to show you the output I am seeing https://jenkins.dockerproject.com/job/LXC%20PR%20Test/label=ubuntu-aufs-lxc/1/console

jessfraz · 2015-01-19T17:52:45Z

welp the tests work there so great :)

jessfraz · 2015-01-19T17:52:48Z

LGTM

dineshs-altiscale · 2015-01-19T18:01:16Z

integration-cli/docker_cli_run_test.go

@@ -986,7 +986,7 @@ func TestRunCapDropCannotMknodLowerCase(t *testing.T) {
 }

 func TestRunCapDropALLCannotMknod(t *testing.T) {
-	cmd := exec.Command(dockerBinary, "run", "--cap-drop=ALL", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
+	cmd := exec.Command(dockerBinary, "run", "--cap-drop=ALL", "--cap-add=SETGID", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")


This may need a little explanation as to why we are special casing setgid in this test.

LXC cap-drop=ALL means it won't allow docker do any preliminary setup work, without SETGID.

dineshs-altiscale · 2015-01-19T18:01:30Z

LGTM

ashahab-altiscale · 2015-01-19T18:05:04Z

Thanks @jfrazelle. So is https://jenkins.dockerproject.com/job/LXC%20PR%20Test a permanent set of jobs that I can check for my pull requests? The drone.io console logs are always from a native driver build I think.

jessfraz · 2015-01-19T18:15:16Z

Not permanent, but I will probably trigger it if you open more PRs :)

On Mon, Jan 19, 2015 at 10:05 AM, Abin Shahab notifications@github.com
wrote:

Thanks @jfrazelle https://github.com/jfrazelle. So is
https://jenkins.dockerproject.com/job/LXC%20PR%20Test a permanent set of
jobs that I can check for my pull requests? The drone.io console logs are
always from a native driver build I think.

—
Reply to this email directly or view it on GitHub
#10152 (comment).

jessfraz · 2015-01-19T18:16:51Z

But yes, the tests it runs are a better representation than drone, which
uses the native graph driver, eventually we hope, once all tests pass
across lxc is to run these on every PR so we can be sure no additions to
the code base break the lxc execdriver as well.

On Mon, Jan 19, 2015 at 10:15 AM, Jessica Frazelle jess@docker.com wrote:

Not permanent, but I will probably trigger it if you open more PRs :)

On Mon, Jan 19, 2015 at 10:05 AM, Abin Shahab notifications@github.com
wrote:

Thanks @jfrazelle https://github.com/jfrazelle. So is
https://jenkins.dockerproject.com/job/LXC%20PR%20Test a permanent set of
jobs that I can check for my pull requests? The drone.io console logs
are always from a native driver build I think.

—
Reply to this email directly or view it on GitHub
#10152 (comment).

crosbymichael · 2015-01-19T18:42:46Z

@ashahab-altiscale is this good to be merged?

ashahab-altiscale · 2015-01-19T18:44:32Z

@crosbymichael yes it is ready to merge.

crosbymichael · 2015-01-19T18:46:20Z

OK, thanks!

LGTM

SEND CAPABILITY IDS TO LXC

SEND CAPABILITY IDS TO LXC

bff3509

Sending capability ids instead of capability names ot LXC for --cap-add and --cap-drop. Also fixed tests. Docker-DCO-1.1-Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)

ashahab-altiscale mentioned this pull request Jan 17, 2015

Running integration tests with lxc fail #9875

Closed

ashahab-altiscale force-pushed the 9875-cap-add-all branch from 57a4c2c to bff3509 Compare January 17, 2015 05:56

dineshs-altiscale reviewed Jan 19, 2015
View reviewed changes

crosbymichael added a commit that referenced this pull request Jan 19, 2015

Merge pull request #10152 from ashahab-altiscale/9875-cap-add-all

979a4cd

SEND CAPABILITY IDS TO LXC

crosbymichael merged commit 979a4cd into moby:master Jan 19, 2015

SvenDowideit mentioned this pull request Jan 27, 2015

Post 1.4.1 docs update 2 #9739

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SEND CAPABILITY IDS TO LXC #10152

SEND CAPABILITY IDS TO LXC #10152

ashahab-altiscale commented Jan 17, 2015

ashahab-altiscale commented Jan 17, 2015

jessfraz commented Jan 17, 2015

ashahab-altiscale commented Jan 17, 2015

jessfraz commented Jan 17, 2015

ashahab-altiscale commented Jan 17, 2015

jessfraz commented Jan 17, 2015

ashahab-altiscale commented Jan 18, 2015

ashahab-altiscale commented Jan 18, 2015

ashahab-altiscale commented Jan 19, 2015

jessfraz commented Jan 19, 2015

jessfraz commented Jan 19, 2015

jessfraz commented Jan 19, 2015

jessfraz commented Jan 19, 2015

dineshs-altiscale Jan 19, 2015

ashahab-altiscale Jan 19, 2015

dineshs-altiscale commented Jan 19, 2015

ashahab-altiscale commented Jan 19, 2015

jessfraz commented Jan 19, 2015

jessfraz commented Jan 19, 2015

crosbymichael commented Jan 19, 2015

ashahab-altiscale commented Jan 19, 2015

crosbymichael commented Jan 19, 2015

SEND CAPABILITY IDS TO LXC #10152

SEND CAPABILITY IDS TO LXC #10152

Conversation

ashahab-altiscale commented Jan 17, 2015

ashahab-altiscale commented Jan 17, 2015

jessfraz commented Jan 17, 2015

ashahab-altiscale commented Jan 17, 2015

jessfraz commented Jan 17, 2015

ashahab-altiscale commented Jan 17, 2015

jessfraz commented Jan 17, 2015

ashahab-altiscale commented Jan 18, 2015

ashahab-altiscale commented Jan 18, 2015

ashahab-altiscale commented Jan 19, 2015

jessfraz commented Jan 19, 2015

jessfraz commented Jan 19, 2015

jessfraz commented Jan 19, 2015

jessfraz commented Jan 19, 2015

dineshs-altiscale Jan 19, 2015

Choose a reason for hiding this comment

ashahab-altiscale Jan 19, 2015

Choose a reason for hiding this comment

dineshs-altiscale commented Jan 19, 2015

ashahab-altiscale commented Jan 19, 2015

jessfraz commented Jan 19, 2015

jessfraz commented Jan 19, 2015

crosbymichael commented Jan 19, 2015

ashahab-altiscale commented Jan 19, 2015

crosbymichael commented Jan 19, 2015