From 99cac99cbc3b49ad9fb39950d881e0f266775320 Mon Sep 17 00:00:00 2001 From: Matt Clay Date: Tue, 18 Sep 2018 16:48:59 -0700 Subject: [PATCH] Block network access for unit tests in docker. --- test/runner/lib/delegation.py | 8 ++++++++ test/runner/lib/docker_util.py | 20 ++++++++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/test/runner/lib/delegation.py b/test/runner/lib/delegation.py index 2c7900ce9a..e94557884d 100644 --- a/test/runner/lib/delegation.py +++ b/test/runner/lib/delegation.py @@ -52,6 +52,8 @@ from lib.docker_util import ( docker_rm, docker_run, docker_available, + docker_network_disconnect, + get_docker_networks, ) from lib.cloud import ( @@ -276,6 +278,7 @@ def delegate_docker(args, exclude, require, integration_targets): cmd += ['--python', 'default'] # run unit tests unprivileged to prevent stray writes to the source tree + # also disconnect from the network once requirements have been installed if isinstance(args, UnitsConfig): writable_dirs = [ '/root/ansible/.pytest_cache', @@ -293,6 +296,11 @@ def delegate_docker(args, exclude, require, integration_targets): docker_exec(args, test_id, cmd + ['--requirements-mode', 'only'], options=cmd_options) + networks = get_docker_networks(args, test_id) + + for network in networks: + docker_network_disconnect(args, test_id, network) + cmd += ['--requirements-mode', 'skip'] cmd_options += ['--user', 'pytest'] diff --git a/test/runner/lib/docker_util.py b/test/runner/lib/docker_util.py index 691d73d45c..afa81d93b7 100644 --- a/test/runner/lib/docker_util.py +++ b/test/runner/lib/docker_util.py @@ -67,6 +67,17 @@ def get_docker_container_ip(args, container_id): return ipaddress +def get_docker_networks(args, container_id): + """ + :param args: EnvironmentConfig + :param container_id: str + :rtype: list[str] + """ + results = docker_inspect(args, container_id) + networks = sorted(results[0]['NetworkSettings']['Networks']) + return networks + + def docker_pull(args, image): """ :type args: EnvironmentConfig @@ -165,6 +176,15 @@ def docker_inspect(args, container_id): raise ex # pylint: disable=locally-disabled, raising-bad-type +def docker_network_disconnect(args, container_id, network): + """ + :param args: EnvironmentConfig + :param container_id: str + :param network: str + """ + docker_command(args, ['network', 'disconnect', network, container_id], capture=True) + + def docker_network_inspect(args, network): """ :type args: EnvironmentConfig