openstack
/
paunch
Code Issues Proposed changes

Merge "Implement cap_add, cap_drop"

This commit is contained in:
Zuul 2018-09-29 16:27:22 +00:00 committed by Gerrit Code Review
parent 8cd1813d84 274cca0040
commit 78dfebcbee
5 changed files with 22 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
paunch/builder/compose1.py
View File

@ -73,8 +73,10 @@ class ComposeV1Builder(base.BaseBuilder):
'stop_grace_period', '--stop-timeout',
self.duration)
self.list_arg(cconfig, cmd, 'cap_add', '--cap-add')
self.list_arg(cconfig, cmd, 'cap_drop', '--cap-drop')
# TODO(sbaker): add missing compose v1 properties:
# cap_add, cap_drop
# cgroup_parent
# devices
# dns, dns_search

3
paunch/builder/podman.py
View File

@ -62,5 +62,8 @@ class PodmanBuilder(base.BaseBuilder):
'stop_grace_period', '--stop-timeout',
self.duration)
self.list_arg(cconfig, cmd, 'cap_add', '--cap-add')
self.list_arg(cconfig, cmd, 'cap_drop', '--cap-drop')
cmd.append(cconfig.get('image', ''))
cmd.extend(self.command_argument(cconfig.get('command')))

5
paunch/tests/test_builder_base.py
View File

@ -457,7 +457,9 @@ three-12345678 three''', '', 0),
'ulimit': ['nofile=1024', 'nproc=1024'],
'volumes': ['/foo:/foo:rw', '/bar:/bar:ro'],
'volumes_from': ['two', 'three'],
'group_add': ['docker', 'zuul']
'group_add': ['docker', 'zuul'],
'cap_add': ['SYS_ADMIN', 'SETUID'],
'cap_drop': ['NET_RAW']
}
}
builder = compose1.ComposeV1Builder('foo', config, None)
@ -473,6 +475,7 @@ three-12345678 three''', '', 0),
'--group-add=docker', '--group-add=zuul',
'--volume=/foo:/foo:rw', '--volume=/bar:/bar:ro',
'--volumes-from=two', '--volumes-from=three',
'--cap-add=SYS_ADMIN', '--cap-add=SETUID', '--cap-drop=NET_RAW',
'centos:7', 'ls', '-l', '/foo'],
cmd
)

8
paunch/tests/test_builder_compose1.py
View File

@ -37,7 +37,9 @@ class TestComposeV1Builder(tbb.TestBaseBuilder):
'env_file': '/tmp/foo.env',
'log_tag': '{{.ImageName}}/{{.Name}}/{{.ID}}',
'cpu_shares': 600,
'security_opt': 'label:disable'
'security_opt': 'label:disable',
'cap_add': ['SYS_ADMIN', 'SETUID'],
'cap_drop': ['NET_RAW']
}
}
builder = compose1.ComposeV1Builder('foo', config, None)
@ -53,6 +55,8 @@ class TestComposeV1Builder(tbb.TestBaseBuilder):
'--privileged=true', '--restart=always', '--user=bar',
'--log-opt=tag={{.ImageName}}/{{.Name}}/{{.ID}}',
'--cpu-shares=600',
'--security-opt=label:disable', 'centos:7'],
'--security-opt=label:disable',
'--cap-add=SYS_ADMIN', '--cap-add=SETUID', '--cap-drop=NET_RAW',
'centos:7'],
cmd
)

8
paunch/tests/test_builder_podman.py
View File

@ -31,7 +31,9 @@ class TestPodmanBuilder(base.TestBaseBuilder):
'env_file': '/tmp/foo.env',
'log_tag': '{{.ImageName}}/{{.Name}}/{{.ID}}',
'cpu_shares': 600,
'security_opt': 'label:disable'
'security_opt': 'label:disable',
'cap_add': ['SYS_ADMIN', 'SETUID'],
'cap_drop': ['NET_RAW']
}
}
builder = podman.PodmanBuilder('foo', config, None)
@ -45,6 +47,8 @@ class TestPodmanBuilder(base.TestBaseBuilder):
'--uts=host', '--privileged=true', '--user=bar',
'--log-opt=tag={{.ImageName}}/{{.Name}}/{{.ID}}',
'--cpu-shares=600',
'--security-opt=label:disable', 'centos:7'],
'--security-opt=label:disable',
'--cap-add=SYS_ADMIN', '--cap-add=SETUID', '--cap-drop=NET_RAW',
'centos:7'],
cmd
)