apple/foundationdb
1
0
Fork 0
mirror of https://github.com/apple/foundationdb.git synced 2025-05-15 02:18:39 +08:00
Code Issues Packages Projects Releases Wiki Activity

Try using less privileges in for running systemd

Browse Source
This commit is contained in:
Andrew Noyes 2021-08-24 17:40:44 +00:00
parent 97568645a1
commit cbd0c33e13
1 changed files with 11 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
contrib/pkg_tester/test_fdb_pkgs.py
View File

@ -50,18 +50,18 @@ class Container:
assert isinstance(image, str) assert isinstance(image, str)
image_name = image image_name = image
# minimal privilege required to run systemd # minimal extra args required to run systemd
# https://github.com/docker/for-linux/issues/106#issuecomment-330518243 # https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container#the_quest
extra_privilege = [] extra_initd_args = []
if initd: if initd:
extra_privilege = "--cap-add=SYS_ADMIN -e container=docker -v /sys/fs/cgroup:/sys/fs/cgroup".split() extra_initd_args = "--tmpfs /tmp --tmpfs /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro".split()
self.uid = str(uuid.uuid4()) self.uid = str(uuid.uuid4())
run( run(
["docker", "run"] ["docker", "run"]
+ ["-t", "-d", "--name", self.uid] + ["-t", "-d", "--name", self.uid]
+ extra_privilege + extra_initd_args
+ [image_name] + [image_name]
+ ["/usr/sbin/init" for _ in range(1) if initd] + ["/usr/sbin/init" for _ in range(1) if initd]
).rstrip() ).rstrip()
@ -102,9 +102,9 @@ def ubuntu_image_with_fdb_helper(versioned: bool) -> Iterator[Optional[Image]]:
try: try:
container = Container("ubuntu") container = Container("ubuntu")
for deb in debs: for deb in debs:
container.copy_to(deb, "/tmp") container.copy_to(deb, "/opt")
container.run(["bash", "-c", "dpkg -i /tmp/*.deb"]) container.run(["bash", "-c", "dpkg -i /opt/*.deb"])
container.run(["bash", "-c", "rm /tmp/*.deb"]) container.run(["bash", "-c", "rm /opt/*.deb"])
image = container.commit() image = container.commit()
yield image yield image
finally: finally:
@ -145,9 +145,9 @@ def centos_image_with_fdb_helper(versioned: bool) -> Iterator[Optional[Image]]:
try: try:
container = Container("centos", initd=True) container = Container("centos", initd=True)
for rpm in rpms: for rpm in rpms:
container.copy_to(rpm, "/tmp") container.copy_to(rpm, "/opt")
container.run(["bash", "-c", "yum install -y /tmp/*.rpm"]) container.run(["bash", "-c", "yum install -y /opt/*.rpm"])
container.run(["bash", "-c", "rm /tmp/*.rpm"]) container.run(["bash", "-c", "rm /opt/*.rpm"])
image = container.commit() image = container.commit()
yield image yield image
finally: finally: