test: add test case for setcap in Dockerfile #2082
Conversation
zhouhaibing089
force-pushed
the
add-setcap-test
branch
3 times, most recently
from
9efdff0
to
ce042f0
Compare
integration/integration_test.go
Outdated
| @@ -893,7 +902,7 @@ func meetsRequirements() bool { | |||
| func containerDiff(t *testing.T, image1, image2 string, flags ...string) []byte { | |||
| flags = append([]string{"diff"}, flags...) | |||
| flags = append(flags, image1, image2, | |||
| "-q", "--type=file", "--type=metadata", "--json") | |||
| "-q", "--type=file", "--type=metadata", "--history", "--json") | |||
There was a problem hiding this comment.
I guess neither of --type=file and --type=metadata will capture the setcap situation. --history should be able to because the number of image layers should be different if setcap change is discarded.
This is a followup of GoogleContainerTools#1994. This test runs a Dockerfile where setcap is executed. Without the fix in GoogleContainerTools#1994, the last command won't generate any diff and thus is discarded by kaniko and thus should fail this test.
zhouhaibing089
force-pushed
the
add-setcap-test
branch
from
ce042f0
to
f12fab4
Compare
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| FROM wildwildangel/setcap-static:sha-a5c7425 |
There was a problem hiding this comment.
Is there another more standard image that we can use to set capabilities in this way? Running this in our tests means we'll depend on wildwildangel not to remove or change this image in ways that may break the test, or worse, inject vulnerabilities into our pipeline.
There was a problem hiding this comment.
The one above is the closest one I can find.. Other common images would require things like apt-get install libcap2-bin(in debian) - I can update this to debian and add this command, is that a better approach to go?
There was a problem hiding this comment.
I agree here with @imjasonh. There is a TestsLayers test in integration_test https://github.com/GoogleContainerTools/kaniko/blob/main/integration/integration_test.go#L495 which should capture the difference in layer count. Shouldn't that be enough?
This test runs all docker files in integration/dockerfiles.
Yeah, that is what I expect. When kaniko doesn't detect extended attributes like |
Description
This is a followup of #1994. This test runs a Dockerfile where setcap is
executed. Without the fix in #1994, the last command won't generate any
diff and thus is discarded by kaniko, and thus should fail this test.
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide for more details.
Reviewer Notes
Release Notes