(t *testing.T)
| 242 | } |
| 243 | |
| 244 | func TestCreateWithCustomMaskedPaths(t *testing.T) { |
| 245 | skip.If(t, testEnv.DaemonInfo.OSType != "linux") |
| 246 | |
| 247 | ctx := setupTest(t) |
| 248 | apiClient := testEnv.APIClient() |
| 249 | |
| 250 | testCases := []struct { |
| 251 | doc string |
| 252 | privileged bool |
| 253 | maskedPaths []string |
| 254 | expected []string |
| 255 | }{ |
| 256 | { |
| 257 | doc: "default masked paths", |
| 258 | maskedPaths: nil, |
| 259 | expected: oci.DefaultSpec().Linux.MaskedPaths, |
| 260 | }, |
| 261 | { |
| 262 | doc: "no masked paths", |
| 263 | maskedPaths: []string{}, |
| 264 | expected: []string{}, |
| 265 | }, |
| 266 | { |
| 267 | doc: "custom masked paths", |
| 268 | maskedPaths: []string{"/proc/kcore", "/proc/keys"}, |
| 269 | expected: []string{"/proc/kcore", "/proc/keys"}, |
| 270 | }, |
| 271 | { |
| 272 | // privileged containers should have no masked paths by default |
| 273 | doc: "privileged", |
| 274 | privileged: true, |
| 275 | maskedPaths: nil, |
| 276 | expected: nil, |
| 277 | }, |
| 278 | } |
| 279 | |
| 280 | for i, tc := range testCases { |
| 281 | t.Run(tc.doc, func(t *testing.T) { |
| 282 | t.Parallel() |
| 283 | |
| 284 | // Create the container. |
| 285 | ctr, err := apiClient.ContainerCreate(ctx, client.ContainerCreateOptions{ |
| 286 | Config: &container.Config{ |
| 287 | Image: "busybox", |
| 288 | Cmd: []string{"true"}, |
| 289 | }, |
| 290 | HostConfig: &container.HostConfig{ |
| 291 | Privileged: tc.privileged, |
| 292 | MaskedPaths: tc.maskedPaths, |
| 293 | }, |
| 294 | Name: fmt.Sprintf("create-masked-paths-%d", i), |
| 295 | }) |
| 296 | assert.NilError(t, err) |
| 297 | |
| 298 | inspect, err := apiClient.ContainerInspect(ctx, ctr.ID, client.ContainerInspectOptions{}) |
| 299 | assert.NilError(t, err) |
| 300 | assert.DeepEqual(t, inspect.Container.HostConfig.MaskedPaths, tc.expected) |
| 301 |