Posted to commits@mesos.apache.org by ji...@apache.org on 2017/07/01 00:23:30 UTC

[4/7] mesos git commit: Add more linux/capabilities isolator test cases.

Add more linux/capabilities isolator test cases.

Add a case to verify that the effective framework capabilities
must be within the bounding framework capabilities.

Check that setting the framework capabilities to something that
is insufficient to execute ping overrides the operator flags and
fails.

Check that setting the framework bounding capabilities to allow
ping overrides the operator flags and succeeds.

Check that setting the framework effective and bounding
capabilities to allow ping overrides the operator flags and
succeeds.

Review: https://reviews.apache.org/r/60412/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/dd2374bd
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/dd2374bd
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/dd2374bd

Branch: refs/heads/master
Commit: dd2374bdb16965ec789553b0f3b47f9a55c72571
Parents: 508f73e
Author: James Peach <jp...@apache.org>
Authored: Fri Jun 30 17:12:31 2017 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Jun 30 17:12:31 2017 -0700

----------------------------------------------------------------------
 .../linux_capabilities_isolator_tests.cpp       | 101 +++++++++++++++++++
 1 file changed, 101 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/dd2374bd/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/containerizer/linux_capabilities_isolator_tests.cpp b/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
index 4a21c9a..a0b8b4b 100644
--- a/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
+++ b/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
@@ -367,6 +367,37 @@ INSTANTIATE_TEST_CASE_P(
             TestParam::WITH_IMAGE,
             TestParam::FAILURE),
 
+        // The framework effective set is outside the bounding set
+        // so the task will be failed by the isolator.
+        TestParam(
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            set<Capability>(),
+            None(),
+            None(),
+            TestParam::WITH_IMAGE,
+            TestParam::FAILURE),
+        TestParam(
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            set<Capability>(),
+            None(),
+            None(),
+            TestParam::WITHOUT_IMAGE,
+            TestParam::FAILURE),
+        TestParam(
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            set<Capability>({CHOWN}),
+            None(),
+            None(),
+            TestParam::WITH_IMAGE,
+            TestParam::FAILURE),
+        TestParam(
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            set<Capability>({CHOWN}),
+            None(),
+            None(),
+            TestParam::WITHOUT_IMAGE,
+            TestParam::FAILURE),
+
         // Effective capabilities do not contain that ping needs, thus
         // ping will fail.
         TestParam(
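Review bot: All four added FAILURE cases pair the effective set {NET_RAW, NET_ADMIN, DAC_READ_SEARCH} with a bounding set that shares nothing with it (empty or `{CHOWN}`), so a check that only rejects disjoint sets would pass them just as a true subset check would. A partially overlapping case would pin the subset rule: a `TestParam` with the same effective set and a second argument of `set<Capability>({NET_RAW, NET_ADMIN})`, still expecting `TestParam::FAILURE`. The argument order (effective, then bounding) is inferred from the added comment. The INSTANTIATE_TEST_CASE_P list begins and ends outside the hunk.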
@@ -397,6 +428,34 @@ INSTANTIATE_TEST_CASE_P(
             set<Capability>({CHOWN, DAC_READ_SEARCH}),
             TestParam::WITHOUT_IMAGE,
             TestParam::FAILURE),
+        TestParam(
+            set<Capability>({CHOWN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            None(),
+            TestParam::WITHOUT_IMAGE,
+            TestParam::FAILURE),
+        TestParam(
+            set<Capability>({CHOWN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            None(),
+            TestParam::WITH_IMAGE,
+            TestParam::FAILURE),
+        TestParam(
+            set<Capability>({CHOWN, DAC_READ_SEARCH}),
+            set<Capability>({CHOWN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            TestParam::WITH_IMAGE,
+            TestParam::FAILURE),
+        TestParam(
+            set<Capability>({CHOWN, DAC_READ_SEARCH}),
+            set<Capability>({CHOWN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            TestParam::WITHOUT_IMAGE,
+            TestParam::FAILURE),
 
         // Framework effective capabilities are not allowed, task will fail.
         TestParam(
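Review bot: The four cases added after the `{CHOWN, DAC_READ_SEARCH}` context entry carry no comment, and the first two leave the second argument `None()` while still expecting FAILURE. A later hunk expects SUCCESS for an empty first set when the second set contains NET_RAW, so the outcome here appears to depend on what an unset bounding set falls back to. That is worth stating, for instance `// No NET_RAW in the framework effective set, and the bounding set is unset or equally narrow, so ping fails.` The two pairs also list WITHOUT_IMAGE and WITH_IMAGE in opposite orders, which makes the table harder to scan. The heading comment for this group lies above the hunk.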
@@ -417,6 +476,20 @@ INSTANTIATE_TEST_CASE_P(
         // Dropped all capabilities but those that ping needs, thus
         // ping will finish normally.
         TestParam(
+            set<Capability>({DAC_READ_SEARCH}),
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            TestParam::WITHOUT_IMAGE,
+            TestParam::SUCCESS),
+        TestParam(
+            set<Capability>(),
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            TestParam::WITH_IMAGE,
+            TestParam::SUCCESS),
+        TestParam(
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             None(),
             None(),
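Review bot: The two new SUCCESS cases sit under the existing comment "Dropped all capabilities but those that ping needs", yet their first argument is `{DAC_READ_SEARCH}` or an empty set, neither of which contains NET_RAW. What they establish is that a narrow effective set does not stop ping while the bounding set still allows NET_RAW and NET_ADMIN, presumably because ping regains them at exec time. That property matters to anyone relying on these sets for confinement and deserves its own comment, e.g. `// Effective set lacks NET_RAW but the bounding set allows it, so ping still succeeds.` The WITHOUT_IMAGE case also uses `{DAC_READ_SEARCH}` where the WITH_IMAGE case uses an empty set, and the reason for that difference is not stated.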
@@ -431,6 +504,20 @@ INSTANTIATE_TEST_CASE_P(
             TestParam::WITH_IMAGE,
             TestParam::SUCCESS),
         TestParam(
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            TestParam::WITHOUT_IMAGE,
+            TestParam::SUCCESS),
+        TestParam(
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            TestParam::WITH_IMAGE,
+            TestParam::SUCCESS),
+        TestParam(
             None(),
             None(),
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
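Review bot: Both added cases leave the third and fourth arguments `None()`, which look like the operator-side sets, so nothing here pits a framework bounding set against a narrower operator one. The commit message says the framework setting "overrides the operator flags", but that is only exercised against unset operator values in the visible cases. A case with a non-`None()` fourth argument, such as `set<Capability>({CHOWN})`, would show whether a framework can widen the bounding set beyond what the operator configured and would document the intended policy. The same gap applies to the cases added in the preceding hunk and in the following one. The parameter list continues outside the hunk.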
@@ -459,6 +546,20 @@ INSTANTIATE_TEST_CASE_P(
             TestParam::WITH_IMAGE,
             TestParam::SUCCESS),
         TestParam(
+            None(),
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            TestParam::WITHOUT_IMAGE,
+            TestParam::SUCCESS),
+        TestParam(
+            None(),
+            set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
+            None(),
+            None(),
+            TestParam::WITH_IMAGE,
+            TestParam::SUCCESS),
+        TestParam(
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             None(),
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),