(t *testing.T)
| 315 | } |
| 316 | |
| 317 | func TestCreateWithCustomReadonlyPaths(t *testing.T) { |
| 318 | skip.If(t, testEnv.DaemonInfo.OSType != "linux") |
| 319 | |
| 320 | ctx := setupTest(t) |
| 321 | apiClient := testEnv.APIClient() |
| 322 | |
| 323 | testCases := []struct { |
| 324 | doc string |
| 325 | privileged bool |
| 326 | readonlyPaths []string |
| 327 | expected []string |
| 328 | }{ |
| 329 | { |
| 330 | doc: "default readonly paths", |
| 331 | readonlyPaths: nil, |
| 332 | expected: oci.DefaultSpec().Linux.ReadonlyPaths, |
| 333 | }, |
| 334 | { |
| 335 | doc: "empty readonly paths", |
| 336 | readonlyPaths: []string{}, |
| 337 | expected: []string{}, |
| 338 | }, |
| 339 | { |
| 340 | doc: "custom readonly paths", |
| 341 | readonlyPaths: []string{"/proc/asound", "/proc/bus"}, |
| 342 | expected: []string{"/proc/asound", "/proc/bus"}, |
| 343 | }, |
| 344 | { |
| 345 | // privileged containers should have no readonly paths by default |
| 346 | doc: "privileged", |
| 347 | privileged: true, |
| 348 | readonlyPaths: nil, |
| 349 | expected: nil, |
| 350 | }, |
| 351 | } |
| 352 | |
| 353 | for i, tc := range testCases { |
| 354 | t.Run(tc.doc, func(t *testing.T) { |
| 355 | t.Parallel() |
| 356 | ctr, err := apiClient.ContainerCreate(ctx, client.ContainerCreateOptions{ |
| 357 | Config: &container.Config{ |
| 358 | Image: "busybox", |
| 359 | Cmd: []string{"true"}, |
| 360 | }, |
| 361 | HostConfig: &container.HostConfig{ |
| 362 | Privileged: tc.privileged, |
| 363 | ReadonlyPaths: tc.readonlyPaths, |
| 364 | }, |
| 365 | Name: fmt.Sprintf("create-readonly-paths-%d", i), |
| 366 | }) |
| 367 | assert.NilError(t, err) |
| 368 | |
| 369 | ctrInspect, err := apiClient.ContainerInspect(ctx, ctr.ID, client.ContainerInspectOptions{}) |
| 370 | assert.NilError(t, err) |
| 371 | assert.DeepEqual(t, ctrInspect.Container.HostConfig.ReadonlyPaths, tc.expected) |
| 372 | |
| 373 | // Start the container. |
| 374 | _, err = apiClient.ContainerStart(ctx, ctr.ID, client.ContainerStartOptions{}) |