Out with the old, in with the new Moby

- remove remainder of editions code - add a new check container to run tests without Docker - switch over `make test` to use new command to build tests Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2025-09-02 07:26:13 +00:00 · 2017-03-06 21:25:11 +00:00
parent ab6575c089
commit 159202416c
143 changed files with 280 additions and 10651 deletions
--- a/tools/check/Dockerfile
+++ b/tools/check/Dockerfile
@@ -0,0 +1,5 @@
+FROM alpine:3.5
+RUN apk update && apk upgrade && apk add --no-cache bash
+ADD https://raw.githubusercontent.com/docker/docker/master/contrib/check-config.sh /check-config.sh
+ADD . ./
+ENTRYPOINT ["/bin/sh", "/check.sh"]
--- a/tools/check/Makefile
+++ b/tools/check/Makefile
@@ -0,0 +1,29 @@
+.PHONY: tag push
+
+BASE=alpine:3.5
+IMAGE=check
+
+default: push
+
+hash: Dockerfile check.sh check-kernel-config.sh
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
+	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
+	docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c "cat $^ /lib/apk/db/installed | sha1sum" | sed 's/ .*//' > hash
+
+push: hash
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
+		 docker push mobylinux/$(IMAGE):$(shell cat hash))
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+tag: hash
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+clean:
+	rm -f hash
+
+.DELETE_ON_ERROR:
--- a/tools/check/check-kernel-config.sh
+++ b/tools/check/check-kernel-config.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+set -e
+
+echo "starting kernel config sanity test with /proc/config.gz"
+
+# decompress /proc/config.gz from the Moby host
+zcat /proc/config.gz > unzipped_config
+
+kernelVersion="$(uname -r)"
+kernelMajor="${kernelVersion%%.*}"
+kernelMinor="${kernelVersion#$kernelMajor.}"
+kernelMinor="${kernelMinor%%.*}"
+
+# Most tests against https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
+# Positive cases
+cat unzipped_config | grep CONFIG_BUG=y
+cat unzipped_config | grep CONFIG_DEBUG_KERNEL=y
+cat unzipped_config | grep CONFIG_DEBUG_RODATA=y
+cat unzipped_config | grep CONFIG_CC_STACKPROTECTOR=y
+cat unzipped_config | grep CONFIG_CC_STACKPROTECTOR_STRONG=y
+cat unzipped_config | grep CONFIG_STRICT_DEVMEM=y
+cat unzipped_config | grep CONFIG_SYN_COOKIES=y
+cat unzipped_config | grep CONFIG_DEBUG_CREDENTIALS=y
+cat unzipped_config | grep CONFIG_DEBUG_NOTIFIERS=y
+cat unzipped_config | grep CONFIG_DEBUG_LIST=y
+cat unzipped_config | grep CONFIG_SECCOMP=y
+cat unzipped_config | grep CONFIG_SECCOMP_FILTER=y
+cat unzipped_config | grep CONFIG_SECURITY=y
+cat unzipped_config | grep CONFIG_SECURITY_YAMA=y
+cat unzipped_config | grep CONFIG_PANIC_ON_OOPS=y
+cat unzipped_config | grep CONFIG_DEBUG_SET_MODULE_RONX=y
+cat unzipped_config | grep CONFIG_SYN_COOKIES=y
+cat unzipped_config | grep CONFIG_LEGACY_VSYSCALL_NONE=y
+cat unzipped_config | grep CONFIG_RANDOMIZE_BASE=y
+
+# Conditional on kernel version
+if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 5 ]; then
+  cat unzipped_config | grep CONFIG_IO_STRICT_DEVMEM=y
+  cat unzipped_config | grep CONFIG_UBSAN=y
+fi
+if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 7 ]; then
+  cat unzipped_config | grep CONFIG_SLAB_FREELIST_RANDOM=y
+fi
+if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 8 ]; then
+  cat unzipped_config | grep CONFIG_HARDENED_USERCOPY=y
+  cat unzipped_config | grep CONFIG_RANDOMIZE_MEMORY=y
+fi
+
+# poisoning cannot be enabled in 4.4
+if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 9 ]; then
+  cat unzipped_config | grep CONFIG_PAGE_POISONING=y
+  cat unzipped_config | grep CONFIG_PAGE_POISONING_NO_SANITY=y
+  cat unzipped_config | grep CONFIG_PAGE_POISONING_ZERO=y
+fi
+
+if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 10 ]; then
+  cat unzipped_config | grep CONFIG_BUG_ON_DATA_CORRUPTION=y
+fi
+
+# Negative cases
+cat unzipped_config | grep 'CONFIG_ACPI_CUSTOM_METHOD is not set'
+cat unzipped_config | grep 'CONFIG_COMPAT_BRK is not set'
+cat unzipped_config | grep 'CONFIG_DEVKMEM is not set'
+cat unzipped_config | grep 'CONFIG_COMPAT_VDSO is not set'
+cat unzipped_config | grep 'CONFIG_KEXEC is not set'
+cat unzipped_config | grep 'CONFIG_HIBERNATION is not set'
+cat unzipped_config | grep 'CONFIG_LEGACY_PTYS is not set'
+cat unzipped_config | grep 'CONFIG_X86_X32 is not set'
+cat unzipped_config | grep 'CONFIG_MODIFY_LDT_SYSCALL is not set'
--- a/tools/check/check.sh
+++ b/tools/check/check.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+function failed {
+	printf "Moby test suite FAILED\n"
+	/sbin/poweroff -f
+}
+
+/check-kernel-config.sh || failed
+bash /check-config.sh || failed
+
+printf "Moby test suite PASSED\n"
+/sbin/poweroff -f
--- a/tools/go-compile/Dockerfile
+++ b/tools/go-compile/Dockerfile
@@ -1,8 +1,8 @@
-FROM golang:1.8-alpine
-RUN apk update && apk add --no-cache build-base git
-
+FROM alpine:3.5
+RUN apk update && apk add --no-cache build-base git go
+ENV GOPATH=/go PATH=$PATH:/go/bin
 RUN go get -u github.com/golang/lint/golint

-COPY compile.sh /usr/bin/
+COPY . ./

-ENTRYPOINT ["/usr/bin/compile.sh"]
+ENTRYPOINT ["/compile.sh"]
--- a/tools/go-compile/Makefile
+++ b/tools/go-compile/Makefile
@@ -1,6 +1,6 @@
 .PHONY: tag push

-BASE=golang:1.8-alpine
+BASE=alpine:3.5
 IMAGE=go-compile

 default: push
@@ -8,7 +8,7 @@ default: push
 hash: Dockerfile compile.sh
 	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
-	docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c 'cat /usr/local/go/bin/go /lib/apk/db/installed /go/bin/golint /usr/bin/compile.sh | sha1sum' | sed 's/ .*//' > hash
+	docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c "cat $^ /lib/apk/db/installed /go/bin/golint | sha1sum" | sed 's/ .*//' > hash

 push: hash
 	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
--- a/tools/go-compile/compile.sh
+++ b/tools/go-compile/compile.sh
@@ -3,7 +3,6 @@
 # This is designed to compile a single package to a single binary
 # so it makes some assumptions about things to simplify config
 # to output a single binary (in a tarball) just use -o file
-# use --docker to output a tarball for input to docker build -

 set -e

@@ -23,6 +22,10 @@ do
 		mkdir -p "$(dirname $2)"
 		shift
 	;;
+	--package)
+		package="$2"
+		shift
+	;;
 	*)
 		echo "Unknown option $1"
 		exit 1
@@ -33,7 +36,7 @@ done
 [ $# -gt 0 ] && usage
 [ -z "$out" ] && usage

-package=$(basename "$out")
+[ -z "$package" ] && package=$(basename "$out")

 dir="$GOPATH/src/$package"

@@ -46,16 +49,21 @@ cd $dir

 # lint before building
 >&2 echo "gofmt..."
-test -z $(gofmt -s -l .| grep -v .pb. | grep -v */vendor/ | tee /dev/stderr)
+test -z $(gofmt -s -l .| grep -v .pb. | grep -v vendor/ | tee /dev/stderr)

 >&2 echo "govet..."
-test -z $(go tool vet -printf=false . 2>&1 | grep -v */vendor/ | tee /dev/stderr)
+test -z $(GOOS=linux go tool vet -printf=false . 2>&1 | grep -v vendor/ | tee /dev/stderr)

 >&2 echo "golint..."
 test -z $(find . -type f -name "*.go" -not -path "*/vendor/*" -not -name "*.pb.*" -exec golint {} \; | tee /dev/stderr)

 >&2 echo "go build..."

-go build -o $out -buildmode pie --ldflags '-extldflags "-static"' "$package"
+if [ "$GOOS" = "darwin" ]
+then
+	go build -o $out "$package"
+else
+	go build -o $out -buildmode pie --ldflags '-extldflags "-static"' "$package"
+fi

 tar cf - $out
--- a/tools/qemu/Dockerfile
+++ b/tools/qemu/Dockerfile
@@ -0,0 +1,13 @@
+FROM alpine:3.5
+
+RUN \
+  apk update && apk upgrade && \
+  apk add --no-cache \
+  libarchive-tools \
+  qemu-img \
+  qemu-system-arm \
+  qemu-system-x86_64 \
+  && true
+
+COPY . .
+ENTRYPOINT ["/qemu.sh"]
--- a/tools/qemu/Makefile
+++ b/tools/qemu/Makefile
@@ -0,0 +1,29 @@
+.PHONY: tag push
+
+BASE=alpine:3.5
+IMAGE=qemu
+
+default: push
+
+hash: Dockerfile qemu.sh
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
+	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
+	docker run --rm --entrypoint /bin/sh $(IMAGE):build -c 'cat Dockerfile qemu.sh /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > $@
+
+push: hash
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
+		 docker push mobylinux/$(IMAGE):$(shell cat hash))
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+tag: hash
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+clean:
+	rm -f hash
+
+.DELETE_ON_ERROR:
--- a/tools/qemu/qemu.sh
+++ b/tools/qemu/qemu.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+set -e
+
+cd /tmp
+
+# extract. BSD tar auto recognises compression, unlike GNU tar
+# only if stdin is a tty, if so need files volume mounted...
+[ -t 0 ] || bsdtar xzf -
+
+TGZ="$(find . -name '*.tgz' -or -name '*.tar.gz')"
+[ -n "$TGZ" ] && bsdtar xzf "$TGZ"
+
+ISO="$(find . -name '*.iso')"
+RAW="$(find . -name '*.raw')"
+INITRD="$(find . -name '*.img')"
+KERNEL="$(find . -name vmlinuz64 -or -name '*bzImage')"
+
+if [ -n "$ISO" ]
+then
+	ARGS="-cdrom $ISO -drive file=systemdisk.img,format=raw"
+elif [ -n "$RAW" ]
+then
+	# should test with more drives
+	ARGS="-drive file=$RAW,format=raw"
+elif [ -n "KERNEL" ]
+then
+	ARGS="-kernel $KERNEL"
+	if [ -n "$INITRD" ]
+	then
+		ARGS="$ARGS -initrd $INITRD"
+	fi
+	ARGS="$ARGS -append console=ttyS0 -drive file=systemdisk.img,format=raw"
+else
+	echo "no recognised boot media" >2
+	exit 1
+fi
+
+echo "$ARGS" | grep -q systemdisk && qemu-img create -f raw systemdisk.img 256M
+
+qemu-system-x86_64 -device virtio-rng-pci -serial stdio -vnc none -m 1024 $ARGS $*