kitchen-docker 1.7.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 507d10dff893beb14c3bb0fad337d70522808d9f
-  data.tar.gz: 91b27b11aa5c5dc2dadc39eac8efd6de617cf7d8
+  metadata.gz: 4275b28c2034adf26c10d78d0d670e78d602357c
+  data.tar.gz: 16a5f7a158bb28ae81097d2a1140b50727744276
 SHA512:
-  metadata.gz: 27d9e0fe3756df4553b62ade589bca1b09d03dd9af15c54f3f1da1f89e880b3ff641c65dae273dc9d2625e510b1477f9cbf63c71f28c59abee0dbd2cf34617a9
-  data.tar.gz: 662d6a17f9f8ecb2b9bb819d24ef1e1682efbb5038d416124b4963231d1ee7b47ca1c8d1e796eb3a2cfda376cafce747c984e178077046f021e8948e026744fe
+  metadata.gz: 1aaa823ac17498cd65d78c657219409cc631a20e5e6c0a7bc2d2aeba5c386b85b76cb7c70d07fe0bccb26f9f72fc8b01c5979b68a0c5ec862a4d47bd3260d550
+  data.tar.gz: 2402c346e1780c3e8b1e859d9153ceaaeddf6b388a04e1cc57fab52277f9f65ba07fb10ac0341a2e40f72ea7343886332dd0f581c00c10d1a076848e1538127b

data/.kitchen.yml

@@ -36,7 +36,17 @@ platforms:
       image: ubuntu:14.04
       platform: ubuntu
       links: "db:db"
-
 suites:
   - name: default
   - name: concurrency
+  - name: capabilities
+    excludes: [arch,unknown,centos-7,centos-6.4,dockerfile]
+    driver:
+      provision_command:  
+      - curl -L http://www.chef.io/chef/install.sh | bash
+      - apt-get install -y net-tools 
+      username: kitchen
+      password: kitchen 
+      cap_drop:
+      - NET_ADMIN 
+     

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+## 2.0.0
+
+* Use Docker `top` and `port` instead of `inspect`
+
+* Don't create the kitchen user if it already exists
+
+* Docker container capabilities options: cap_add, cap_drop
+
+* Docker security profile option (SELinux/AppArmor): security_opt
+
+* wait_for_sshd option (boolean)
+
+* Create `/etc/sudoers.d` if missing
+
+* Fixed option deprecation warnings, require Docker >= 1.2
+
 ## 1.7.0
 
 * Ensure a container id is set before attempting to inspect a container

data/README.md

@@ -4,7 +4,7 @@ A Test Kitchen Driver for Docker.
 
 ## Requirements
 
-* [Docker][docker_getting_started]
+* [Docker][docker_installation] **(>= 1.2)**
 
 ## Installation and Setup
 
@@ -188,7 +188,7 @@ destroyed.
 
 The default value is `false`.
 
-### run_command
+### run\_command
 
 Sets the command used to run the suite container.
 
@@ -226,7 +226,7 @@ Examples:
   - /srv
 ```
 
-### volumes_from
+### volumes\_from
 
 Mount volumes managed by other containers.
 
@@ -317,7 +317,44 @@ Examples:
   privileged: true
 ```
 
-## dockerfile
+### cap\_add
+
+Adds a capability to the running container.
+
+Examples:
+
+````
+cap_add:
+- SYS_PTRACE
+
+````
+
+### cap\_drop
+
+Drops a capability from the running container.
+
+Examples:
+
+````
+cap_drop:
+- CHOWN
+
+````
+
+### security\_opt
+
+Apply a security profile to the Docker container. Allowing finer granularity of
+access control than privileged mode, through leveraging SELinux/AppArmor
+profiles to grant access to specific resources.
+
+Examples:
+
+```
+security_opt:
+  - apparmor:my_profile
+```
+
+### dockerfile
 
 Use a custom Dockerfile, instead of having Kitchen-Docker build one for you.
 
@@ -327,7 +364,7 @@ Examples:
   dockerfile: test/Dockerfile
 ```
 
-### instance_name
+### instance\_name
 
 Set the name of container to link to other container(s).
 
@@ -355,7 +392,7 @@ Examples:
   - kvs:kvs
 ```
 
-### publish_all
+### publish\_all
 
 Publish all exposed ports to the host interfaces.
 This option used to communicate between some containers.
@@ -396,7 +433,7 @@ Apache 2.0 (see [LICENSE][license])
 [issues]:                 https://github.com/portertech/kitchen-docker/issues
 [license]:                https://github.com/portertech/kitchen-docker/blob/master/LICENSE
 [repo]:                   https://github.com/portertech/kitchen-docker
-[docker_getting_started]: http://www.docker.io/gettingstarted/
+[docker_installation]:    https://docs.docker.com/installation/#installation
 [docker_upstart_issue]:   https://github.com/dotcloud/docker/issues/223
 [docker_index]:           https://index.docker.io/
 [docker_default_image]:   https://index.docker.io/_/base/

data/lib/kitchen/driver/docker.rb

@@ -31,6 +31,9 @@ module Kitchen
       default_config :binary,        'docker'
       default_config :socket,        ENV['DOCKER_HOST'] || 'unix:///var/run/docker.sock'
       default_config :privileged,    false
+      default_config :cap_add,       nil
+      default_config :cap_drop,      nil
+      default_config :security_opt,  nil
       default_config :use_cache,     true
       default_config :remove_images, false
       default_config :run_command,   '/usr/sbin/sshd -D -o UseDNS=no -o UsePAM=no -o PasswordAuthentication=yes ' +
@@ -43,6 +46,7 @@ module Kitchen
       default_config :tls_cert,      nil
       default_config :tls_key,       nil
       default_config :publish_all,   false
+      default_config :wait_for_sshd, true
 
       default_config :use_sudo do |driver|
         !driver.remote_socket?
@@ -82,7 +86,7 @@ module Kitchen
         state[:container_id] = run_container(state) unless state[:container_id]
         state[:hostname] = remote_socket? ? socket_uri.host : 'localhost'
         state[:port] = container_ssh_port(state)
-        wait_for_sshd(state[:hostname], nil, :port => state[:port])
+        wait_for_sshd(state[:hostname], nil, :port => state[:port]) if config[:wait_for_sshd]
       end
 
       def destroy(state)
@@ -162,10 +166,12 @@ module Kitchen
         username = config[:username]
         password = config[:password]
         base = <<-eos
-          RUN useradd -d /home/#{username} -m -s /bin/bash #{username}
+          RUN if ! getent passwd #{username}; then useradd -d /home/#{username} -m -s /bin/bash #{username}; fi
           RUN echo #{username}:#{password} | chpasswd
           RUN echo '#{username} ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+          RUN mkdir -p /etc/sudoers.d
           RUN echo '#{username} ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers.d/#{username}
+          RUN chmod 0440 /etc/sudoers.d/#{username}
         eos
         custom = ''
         Array(config[:provision_command]).each do |cmd|
@@ -213,7 +219,8 @@ module Kitchen
       def build_run_command(image_id)
         cmd = "run -d -p 22"
         Array(config[:forward]).each {|port| cmd << " -p #{port}"}
-        Array(config[:dns]).each {|dns| cmd << " -dns #{dns}"}
+        Array(config[:dns]).each {|dns| cmd << " --dns #{dns}"}
+        Array(config[:add_host]).each {|host, ip| cmd << " --add-host=#{host}:#{ip}"}
         Array(config[:volume]).each {|volume| cmd << " -v #{volume}"}
         Array(config[:volumes_from]).each {|container| cmd << " --volumes-from #{container}"}
         Array(config[:links]).each {|link| cmd << " --link #{link}"}
@@ -222,9 +229,12 @@ module Kitchen
         cmd << " -h #{config[:hostname]}" if config[:hostname]
         cmd << " -m #{config[:memory]}" if config[:memory]
         cmd << " -c #{config[:cpu]}" if config[:cpu]
-        cmd << " -privileged" if config[:privileged]
         cmd << " -e http_proxy=#{config[:http_proxy]}" if config[:http_proxy]
         cmd << " -e https_proxy=#{config[:https_proxy]}" if config[:https_proxy]
+        cmd << " --privileged" if config[:privileged]
+        Array(config[:cap_add]).each {|cap| cmd << " --cap-add=#{cap}"} if config[:cap_add]
+        Array(config[:cap_drop]).each {|cap| cmd << " --cap-drop=#{cap}"} if config[:cap_drop]
+        Array(config[:security_opt]).each {|opt| cmd << " --security-opt=#{opt}"} if config[:security_opt]
         cmd << " #{image_id} #{config[:run_command]}"
         cmd
       end
@@ -235,30 +245,28 @@ module Kitchen
         parse_container_id(output)
       end
 
-      def inspect_container(state)
-        container_id = state[:container_id]
-        docker_command("inspect #{container_id}")
-      end
-
       def container_exists?(state)
-        state[:container_id] && !!inspect_container(state) rescue false
+        state[:container_id] && !!docker_command("top #{state[:container_id]}") rescue false
       end
 
       def parse_container_ssh_port(output)
         begin
-          info = Array(::JSON.parse(output)).first
-          ports = info['NetworkSettings']['Ports'] || info['HostConfig']['PortBindings']
-          ssh_port = ports['22/tcp'].detect {|port| port['HostIp'] == '0.0.0.0'}
-          ssh_port['HostPort'].to_i
+          host, port = output.split(':')
+          port.to_i
         rescue
           raise ActionFailed,
-          'Could not parse Docker inspect output for container SSH port'
+          'Could not parse Docker port output for container SSH port'
         end
       end
 
       def container_ssh_port(state)
-        output = inspect_container(state)
-        parse_container_ssh_port(output)
+        begin
+          output = docker_command("port #{state[:container_id]} 22/tcp")
+          parse_container_ssh_port(output)
+        rescue
+          raise ActionFailed,
+          'Docker reports container has no ssh port mapped'
+        end
       end
 
       def rm_container(state)

data/lib/kitchen/driver/docker_version.rb

@@ -19,6 +19,6 @@ module Kitchen
   module Driver
 
     # Version string for Docker Kitchen driver
-    DOCKER_VERSION = "1.7.0"
+    DOCKER_VERSION = "2.0.0"
   end
 end

data/test/integration/capabilities/serverspec/capabilities_drop_spec.rb

@@ -0,0 +1,8 @@
+require 'serverspec' 
+
+set :backend, :exec
+
+describe command('sudo /sbin/ifconfig eth0 multicast') do
+  its(:exit_status) { should_not eq 0 }
+  its(:stdout) { should match /Operation not permitted/ }
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kitchen-docker
 version: !ruby/object:Gem::Version
-  version: 1.7.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Sean Porter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-05 00:00:00.000000000 Z
+date: 2015-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-kitchen
@@ -116,6 +116,7 @@ files:
 - lib/kitchen/driver/docker/erb.rb
 - lib/kitchen/driver/docker_version.rb
 - test/Dockerfile
+- test/integration/capabilities/serverspec/capabilities_drop_spec.rb
 - test/integration/default/serverspec/default_spec.rb
 homepage: https://github.com/portertech/kitchen-docker
 licenses:
@@ -143,4 +144,5 @@ specification_version: 4
 summary: A Docker Driver for Test Kitchen
 test_files:
 - test/Dockerfile
+- test/integration/capabilities/serverspec/capabilities_drop_spec.rb
 - test/integration/default/serverspec/default_spec.rb