Skip to content
This repository was archived by the owner on Apr 28, 2026. It is now read-only.

Commit 41a80d3

Browse files
milaskylos101
milas
authored and
kylos101
committed
test: fix e2e test for privileged builds (docker#10873)
We cannot guarantee the exact value of `CapEff` across environments, and this test has started failing some places, e.g. Docker Desktop, and now GitHub Actions (likely due to a kernel upgrade on the runners or similar). By setting `privileged: true` on the build, we're asking for the `security.insecure` entitlement on the build. A safe assumption is that will include `CAP_SYS_ADMIN`, which won't be present otherwise, so mask the `CapEff` value and check for that. It's worth noting that realistically, the build won't even be able to complete without the correct entitlement, since the `Dockerfile` uses `RUN --security=insecure`, so this is really an additional sanity check. Signed-off-by: Milas Bowman <milas.bowman@docker.com>
1 parent 7371bd8 commit 41a80d3

1 file changed

Lines changed: 17 additions & 4 deletions

File tree

pkg/e2e/build_test.go

Lines changed: 17 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,9 @@ package e2e
1919
import (
2020
"fmt"
2121
"net/http"
22+
"regexp"
2223
"runtime"
24+
"strconv"
2325
"strings"
2426
"testing"
2527
"time"
@@ -366,10 +368,21 @@ func TestBuildPrivileged(t *testing.T) {
366368
})
367369

368370
t.Run("use build privileged mode to run insecure build command", func(t *testing.T) {
369-
res := c.RunDockerComposeCmdNoCheck(t, "--project-directory", "fixtures/build-test/privileged", "build")
370-
assert.NilError(t, res.Error, res.Stderr())
371-
res.Assert(t, icmd.Expected{Out: "CapEff:\t0000003fffffffff"})
372-
371+
res := c.RunDockerComposeCmd(t, "--project-directory", "fixtures/build-test/privileged", "build")
372+
capEffRe := regexp.MustCompile("CapEff:\t([0-9a-f]+)")
373+
matches := capEffRe.FindStringSubmatch(res.Stdout())
374+
assert.Equal(t, 2, len(matches), "Did not match CapEff in output, matches: %v", matches)
375+
376+
capEff, err := strconv.ParseUint(matches[1], 16, 64)
377+
assert.NilError(t, err, "Parsing CapEff: %s", matches[1])
378+
379+
// NOTE: can't use constant from x/sys/unix or tests won't compile on macOS/Windows
380+
// #define CAP_SYS_ADMIN 21
381+
// https://github.com/torvalds/linux/blob/v6.1/include/uapi/linux/capability.h#L278
382+
const capSysAdmin = 0x15
383+
if capEff&capSysAdmin != capSysAdmin {
384+
t.Fatalf("CapEff %s is missing CAP_SYS_ADMIN", matches[1])
385+
}
373386
})
374387
}
375388

0 commit comments

Comments
 (0)