diff --git a/alpine/test/.gitignore b/alpine/test/.gitignore
index fa2165899..efa4bddde 100644
--- a/alpine/test/.gitignore
+++ b/alpine/test/.gitignore
@@ -1,3 +1,4 @@
 ca-certificates.crt
 mksh
 rootfs
+config.json
diff --git a/alpine/test/Makefile b/alpine/test/Makefile
index 773c35555..2d017f325 100644
--- a/alpine/test/Makefile
+++ b/alpine/test/Makefile
@@ -8,7 +8,7 @@ CACERT_IMAGE=mobylinux/ca-certificates@sha256:6ca2dca9cfb8534a55f3a17f8797943527
 CACERT_FILE=ca-certificates.crt
 CACERT_PATH=/etc/ssl/certs
 
-default: rootfs
+default: config.json
 
 $(MKSH_FILE):
 	docker run --rm --net=none $(MKSH_IMAGE) tar cf - -C $(MKSH_PATH) $(MKSH_FILE) | tar xf -
@@ -16,8 +16,8 @@ $(MKSH_FILE):
 $(CACERT_FILE):
 	docker run --rm --net=none $(CACERT_IMAGE) tar cf - -C $(CACERT_PATH) $(CACERT_FILE) | tar xf -
 
-rootfs: Dockerfile test.sh $(MKSH_FILE) $(CACERT_FILE)
-	mkdir -p $@
+config.json: Dockerfile test.sh $(MKSH_FILE) $(CACERT_FILE)
+	mkdir -p rootfs
 	BUILD=$$( tar cf - $^ | docker build -q - ) && \
 	[ -n "$$BUILD" ] && \
 	echo "Built $$BUILD" && \
@@ -25,11 +25,11 @@ rootfs: Dockerfile test.sh $(MKSH_FILE) $(CACERT_FILE)
 	[ -n "$$IMAGE" ] && \
 	echo "Built $$IMAGE" && \
 	CONTAINER=$$( docker create $$IMAGE /dev/null ) && \
-	docker export $$CONTAINER | tar -xf - -C $@ && \
+	docker export $$CONTAINER | tar -xf - -C rootfs $(EXCLUDE) && \
 	docker rm $$CONTAINER && \
-	( cd $@ && rm -rf .dockerenv Dockerfile dev/* etc/hostname etc/hosts etc/mtab etc/resolv.conf )
+	../containers/riddler.sh --cap-drop all --cap-add SYS_ADMIN -e HOME=/tmp -u 0:0 -v /var/tmp:/tmp -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/bin/docker:/usr/bin/docker:ro -v /etc/resolv.conf:/etc/resolv.conf:ro --net host --read-only $$IMAGE /bin/test.sh >$@
 
 clean:
-	rm -rf rootfs $(MKSH_FILE) $(CACERT_FILE)
+	rm -rf rootfs config.json $(MKSH_FILE) $(CACERT_FILE)
 
 .DELETE_ON_ERROR:
diff --git a/alpine/test/config.json b/alpine/test/config.json
deleted file mode 100644
index d8f24413a..000000000
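Review bot: The `config.json` rule in the hunk at `@@ -16,8 +16,8` now creates and fills `rootfs` as a side effect, but nothing empties it first: `mkdir -p rootfs` keeps whatever an earlier run left, `tar -xf - -C rootfs` in the next hunk extracts the new export over it, and on failure `.DELETE_ON_ERROR` removes only `config.json`, so a stale or half-extracted rootfs is silently reused by the next build. The removed rule at least deleted `.dockerenv Dockerfile dev/* etc/hostname etc/hosts etc/mtab etc/resolv.conf` afterwards; that cleanup is gone and appears to be delegated to `$(EXCLUDE)`, which is not defined in any visible hunk, so if it is unset those files end up in the rootfs that riddler then runs. Changing the first recipe line to `rm -rf rootfs && mkdir -p rootfs` makes every build start from the image export alone; the same recipe continues in the hunk at `@@ -25,11 +25,11`, and its middle lines lie between the two hunks, outside the diff. The riddler invocation there also deserves a comment: with `-u 0:0 --cap-add SYS_ADMIN` and the Docker socket bind-mounted, the `:ro` on `/var/run/docker.sock` only makes the mount read-only and does not stop the test from connecting to and driving the daemon, so the generated config.json effectively grants test.sh host Docker access; a line such as `# test.sh drives the host daemon through docker.sock; the :ro mount does not restrict socket API access` above it would make that trust boundary explicit. Splitting that single long line with `\` continuations, one per option group, would also make the capabilities and mounts reviewable in future diffs.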
--- a/alpine/test/config.json
+++ /dev/null
@@ -1,197 +0,0 @@
-{
- "ociVersion": "1.0.0-rc2-dev",
- "platform": {
- "os": "linux",
- "arch": "amd64"
- },
- "process": {
- "terminal": false,
- "user": {
- "uid": 0,
- "gid": 0
- },
- "args": [
- "/bin/sh",
- "-c",
- "/bin/test.sh"
- ],
- "env": [
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
- "HOME=/tmp"
- ],
- "cwd": "/",
- "capabilities": [],
- "rlimits": [
- {
- "type": "RLIMIT_NOFILE",
- "hard": 1024,
- "soft": 1024
- }
- ],
- "noNewPrivileges": true
- },
- "root": {
- "path": "rootfs",
- "readonly": true
- },
- "hostname": "elegant_albattani",
- "mounts": [
- {
- "destination": "/usr/bin/docker",
- "type": "bind",
- "source": "/usr/bin/docker",
- "options": [
- "ro",
- "rbind",
- "rprivate"
- ]
- },
- {
- "destination": "/tmp",
- "type": "tmpfs",
- "source": "tmpfs",
- "options": [
- "nosuid",
- "noexec",
- "nodev",
- "strictatime",
- "mode=1755",
- "size=65536k"
- ]
- },
- {
- "destination": "/var/run/docker.sock",
- "type": "bind",
- "source": "/var/run/docker.sock",
- "options": [
- "ro",
- "rbind",
- "rprivate"
- ]
- },
- {
- "destination": "/etc/resolv.conf",
- "type": "bind",
- "source": "/etc/resolv.conf",
- "options": [
- "ro",
- "rbind",
- "rprivate"
- ]
- },
- {
- "destination": "/proc",
- "type": "proc",
- "source": "proc"
- },
- {
- "destination": "/dev",
- "type": "tmpfs",
- "source": "tmpfs",
- "options": [
- "nosuid",
- "strictatime",
- "mode=755",
- "size=65536k"
- ]
- },
- {
- "destination": "/dev/pts",
- "type": "devpts",
- "source": "devpts",
- "options": [
- "nosuid",
- "noexec",
- "newinstance",
- "ptmxmode=0666",
- "mode=0620",
- "gid=5"
- ]
- },
- {
- "destination": "/dev/shm",
- "type": "tmpfs",
- "source": "shm",
- "options": [
- "nosuid",
- "noexec",
- "nodev",
- "mode=1777",
- "size=65536k"
- ]
- },
- {
- "destination": "/dev/mqueue",
- "type": "mqueue",
- "source": "mqueue",
- "options": [
- "nosuid",
- "noexec",
- "nodev"
- ]
- },
- {
- "destination": "/sys",
- "type": "sysfs",
- "source": "sysfs",
- "options": [
- "nosuid",
- "noexec",
- "nodev"
- ]
- },
- {
- "destination": "/sys/fs/cgroup",
- "type": "cgroup",
- "source": "cgroup",
- "options": [
- "nosuid",
- "noexec",
- "nodev",
- "relatime",
- "ro"
- ]
- }
- ],
- "hooks": {},
- "linux": {
- "resources": {
- "devices": [
- {
- "allow": false,
- "access": "rwm"
- }
- ]
- },
- "namespaces": [
- {
- "type": "pid"
- },
- {
- "type": "ipc"
- },
- {
- "type": "uts"
- },
- {
- "type": "mount"
- }
- ],
- "maskedPaths": [
- "/proc/kcore",
- "/proc/latency_stats",
- "/proc/timer_list",
- "/proc/timer_stats",
- "/proc/sched_debug",
- "/sys/firmware"
- ],
- "readonlyPaths": [
- "/proc/asound",
- "/proc/bus",
- "/proc/fs",
- "/proc/irq",
- "/proc/sys",
- "/proc/sysrq-trigger"
- ]
- }
-}