-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add cli integration for unconfined systempaths #1808
add cli integration for unconfined systempaths #1808
Conversation
Codecov Report
@@ Coverage Diff @@
## master #1808 +/- ##
==========================================
- Coverage 56.31% 56.31% -0.01%
==========================================
Files 308 308
Lines 21391 21408 +17
==========================================
+ Hits 12047 12055 +8
- Misses 8465 8472 +7
- Partials 879 881 +2 |
Codecov Report
@@ Coverage Diff @@
## master #1808 +/- ##
==========================================
+ Coverage 56.31% 56.34% +0.02%
==========================================
Files 308 308
Lines 21391 21403 +12
==========================================
+ Hits 12047 12059 +12
Misses 8465 8465
Partials 879 879 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for working on this! I left some comments and suggestions inline.
cli/command/container/opts.go
Outdated
@@ -825,6 +832,23 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) { | |||
return securityOpts, nil | |||
} | |||
|
|||
func parseSystemPaths(securityOpts []string) ([]string, []string, []string, error) { | |||
var maskedPaths []string | |||
var readonlyPaths []string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: could be;
var readonlyPaths []string | |
var maskedPaths , readonlyPaths []string |
cli/command/container/opts.go
Outdated
filtered := securityOpts[:0] | ||
for _, opt := range securityOpts { | ||
con := strings.SplitN(opt, "=", 2) | ||
if con[0] == "systempaths" && con[1] == "unconfined" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like we don't need the split (and don't strip whitespace etc) at this point, so this could be simplified to
if con[0] == "systempaths" && con[1] == "unconfined" { | |
if opt == "systempaths=unconfined" { |
cli/command/container/opts.go
Outdated
@@ -485,6 +485,11 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con | |||
return nil, err | |||
} | |||
|
|||
securityOpts, maskedPaths, readonlyPaths, err := parseSystemPaths(securityOpts) | |||
if err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see we never return an error; although it's good practice to keep this signature, this function is not exported, so I think it's ok to drop the error
return for now, and remove this error-handling
cli/command/container/opts.go
Outdated
@@ -825,6 +832,23 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) { | |||
return securityOpts, nil | |||
} | |||
|
|||
func parseSystemPaths(securityOpts []string) ([]string, []string, []string, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I realise this function is not exported, but it might be important to document what it does (especially because it filters the securityOpts
; perhaps add a short GoDoc; something along the line of:
func parseSystemPaths(securityOpts []string) ([]string, []string, []string, error) { | |
// parseSystemPaths checks if `systempaths=unconfined` security option is set, | |
// and returns the `MaskedPaths` and `ReadonlyPaths` accordingly. An updated | |
// list of security options is returned with this option removed, because the | |
// `unconfined` option is handled client-side, and should not be sent to the | |
// daemon. | |
func parseSystemPaths(securityOpts []string) ([]string, []string, []string, error) { |
(suggestions for better wording welcome! 😂)
Although I'm generally not a fan of named return variables, I'm a bit on the fence if we should use them here (for readability), as three []string
returns might be difficult to read/grasp;
func parseSystemPaths(securityOpts []string) ([]string, []string, []string, error) { | |
func parseSystemPaths(securityOpts []string) (filtered, maskedPaths, readonlyPaths []string) { |
I'd love to get feedback from others in that as well though 😅
cli/command/container/opts_test.go
Outdated
@@ -800,3 +800,37 @@ func TestValidateDevice(t *testing.T) { | |||
} | |||
} | |||
} | |||
|
|||
func TestParseSystemPaths(t *testing.T) { | |||
valids := []string{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would be good to test other combinations (i.e., make sure if doesn't touch other values if not set, and that invalid/unknown options are ignored; quick write-up for that;
func TestParseSystemPaths(t *testing.T) {
tests := []struct {
doc string
in, out, masked, readonly []string
}{
{
doc: "not set",
in: []string{},
out: []string{},
},
{
doc: "not set, preserve other options",
in: []string{
"seccomp=unconfined",
"apparmor=unconfined",
"label=user:USER",
"foo=bar",
},
out: []string{
"seccomp=unconfined",
"apparmor=unconfined",
"label=user:USER",
"foo=bar",
},
},
{
doc: "unconfined",
in: []string{"systempaths=unconfined"},
out: []string{},
masked: []string{},
readonly: []string{},
},
{
doc: "unconfined and other options",
in: []string{"foo=bar", "systempaths=unconfined", "bar=baz"},
out: []string{"foo=bar", "bar=baz"},
masked: []string{},
readonly: []string{},
},
{
doc: "unknown option",
in: []string{"foo=bar", "systempaths=unkown", "bar=baz"},
out: []string{"foo=bar", "systempaths=unkown", "bar=baz"},
},
}
for _, tc := range tests {
securityOpts, maskedPaths, readonlyPaths, err := parseSystemPaths(tc.in)
assert.NilError(t, err)
assert.DeepEqual(t, securityOpts, tc.out)
assert.DeepEqual(t, maskedPaths, tc.masked)
assert.DeepEqual(t, readonlyPaths, tc.readonly)
}
}
ping @tiborvass @jessfraz PTAL 🤗 |
I've implemented your suggested changes. I will change unkown to unknown, linting failed on that. |
Oh! The linter detected my typo 😂 |
Oh! when you're updating, could you fix your sign-off to use your real name (instead of your github handle)?
Guessing it's
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks! LGTM after the sign-off is updated 😅
…ent suggested changes Signed-off-by: Mårten Cassel <[email protected]>
Updated commit sign-off. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
After this, we'll have to update the (reference) docs to mention the new option, and check if the compose-file format needs changes to accommodate (swarm services not yet support this option, so for docker-compose standalone)
ping @tiborvass @jessfraz |
It seems the documentation / https://docs.docker.com/reference/cli/docker/container/run/#security-opt was forgotten to be updated and this option remains undocumented. Could this be added to the docs? |
- What I did
I've implemented the proposed changes in #1347 (comment).
- Description for the changelog
Added --security-opt systempaths=unconfined support.