Repository: mesos
Updated Branches:
  refs/heads/master 1aa85e0cb -> b0d4439d6


Made sure required capabilities are not dropped in capabilities test.

The capabilities isolator test suite runs tests as root where the
files executed might not reside in directories accessible even to root
after dropping all capabilities. We already ensured that the test
agent would always permit `DAC_READ_SEARCH` so that we could move this
one into the permitted set, but missed to ensure it was always present
when tasks set capabilities. This could lead to situations where
e.g., `mesos-executor` could not be executed by the test.

This commit adds `DAC_READ_SEARCH` to the requested set for all
situations where we drop all capabilities required for tests.

Review: https://reviews.apache.org/r/52881/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/b0d4439d
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/b0d4439d
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/b0d4439d

Branch: refs/heads/master
Commit: b0d4439d675629b4425ef40d9082ec4497225f8a
Parents: 1aa85e0
Author: Benjamin Bannier <benjamin.bann...@mesosphere.io>
Authored: Fri Oct 14 10:55:53 2016 -0700
Committer: Jie Yu <yujie....@gmail.com>
Committed: Fri Oct 14 10:55:53 2016 -0700

----------------------------------------------------------------------
 .../linux_capabilities_isolator_tests.cpp             | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/b0d4439d/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/containerizer/linux_capabilities_isolator_tests.cpp 
b/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
index f040c20..edb4665 100644
--- a/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
+++ b/src/tests/containerizer/linux_capabilities_isolator_tests.cpp
@@ -260,26 +260,26 @@ INSTANTIATE_TEST_CASE_P(
     TestParam,
     LinuxCapabilitiesIsolatorTest,
     ::testing::Values(
-        // Dropped all capabilities, thus ping will fail.
-        TestParam(set<Capability>(), None(), false, false),
-        TestParam(set<Capability>(), None(), true, false),
+        // Dropped all relevant capabilities, thus ping will fail.
+        TestParam(set<Capability>({DAC_READ_SEARCH}), None(), false, false),
+        TestParam(set<Capability>({DAC_READ_SEARCH}), None(), true, false),
         TestParam(
-            set<Capability>(),
+            set<Capability>({DAC_READ_SEARCH}),
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             false,
             false),
         TestParam(
-            set<Capability>(),
+            set<Capability>({DAC_READ_SEARCH}),
             set<Capability>({NET_RAW, NET_ADMIN, DAC_READ_SEARCH}),
             true,
             false),
         TestParam(
-            set<Capability>(),
+            set<Capability>({DAC_READ_SEARCH}),
             set<Capability>({CHOWN, DAC_READ_SEARCH}),
             false,
             false),
         TestParam(
-            set<Capability>(),
+            set<Capability>({DAC_READ_SEARCH}),
             set<Capability>({CHOWN, DAC_READ_SEARCH}),
             true,
             false),
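
Review bot: The updated comment at the top of the hunk, `// Dropped all relevant capabilities, thus ping will fail.`, does not say what "relevant" means or why `DAC_READ_SEARCH` is now kept in every requested set. Someone reading only the test will not learn that it is there so the test, running as root, can still reach the files it executes, as the commit message explains. Suggest stating that reason in the comment, and hoisting the six repeated `set<Capability>({DAC_READ_SEARCH})` literals into one named constant so that a later test case cannot reintroduce an empty requested set by accident.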
