verify volume restrictions are enforced

This commit is contained in:
Earl Warren 2023-07-08 15:18:26 +02:00
parent df44f56dd9
commit d986bc3b3d
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
5 changed files with 53 additions and 1 deletions


@ -21,13 +21,21 @@ jobs:
./forgejo-runner.sh setup
export FORGEJO_RUNNER_LOGS=forgejo-runner.log
for example in $TESTS ; do
if test $example = service ; then
> /srv/example-service-volume-valid
> /srv/example-service-volume-invalid
fi
config=$(pwd)/testdata/example-$example/runner-config.yaml
if test -f $config ; then
FORGEJO_RUNNER_CONFIG=$config ./forgejo-runner.sh reload
fi
echo "============================ BEGIN example-$example ==================="
./forgejo-test-helper.sh run_workflow testdata/example-$example http://root:admin1234@$(cat forgejo-ip):3000 root example-$example setup-forgejo $(cat forgejo-token)
echo "============================ END example-$example ==================="
if test -f $config ; then
./forgejo-runner.sh reload
fi
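Review bot: The host-side half of the check is missing: the new branch under `if test $example = service ; then` creates `/srv/example-service-volume-valid` and `/srv/example-service-volume-invalid` on the runner host before the run, but nothing after the `run_workflow` line looks at them again, so the test only ever observes the mounts from inside the job. For the service example, adding `test "$(cat /srv/example-service-volume-valid)" = SUCCESS` and `test ! -s /srv/example-service-volume-invalid` after `run_workflow` would confirm that the SUCCESS written by the service through the allow-listed mount really landed on the host and that the non-allow-listed file stayed untouched (this assumes the runner executes on this same host, which the `> /srv/...` setup already presupposes). Quoting the loop variable, `if test "$example" = service ; then`, avoids a syntax error should `TESTS` ever contain an empty entry. A comment above the two redirections, such as `# create empty marker files so the workflow's checks cannot pass on stale content`, would explain why they are truncated on every iteration. The `for example in $TESTS` loop this hunk edits continues past the hunk.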

6
testdata/README.txt vendored Normal file

@ -0,0 +1,6 @@
Run the tests from source for debugging purposes with:
#
# runner-config.yaml will be ignored if it does not exist and the default configuration will be used
#
forgejo-runner exec --config testdata/example-$service/runner-config.yaml --workflows testdata/example-$service/.forgejo/workflows


@ -0,0 +1,38 @@
on: [push]
jobs:
#
# A --volume option will expose the volume from the docker host to the job
#
volume-on-step:
runs-on: docker
container:
image: debian:bookworm
options: "--volume /srv/example-service-volume-valid:/srv/example-service-volume-valid --volume /srv/example-service-volume-invalid:/srv/example-service-volume-invalid"
steps:
- run: |
test -f /srv/example-service-volume-valid
! test -f /srv/example-service-volume-invalid
#
# A --volume option will expose the volume from the docker host to the service
#
volume-on-service:
runs-on: docker
container:
image: debian:bookworm
options: "--volume /srv/example-service-volume-valid:/srv/example-service-volume-valid"
services:
myservice:
image: debian:bookworm
options: "--volume /srv/example-service-volume-valid:/srv/example-service-volume-valid"
cmd: ["bash", "-c", "echo -n SUCCESS > /srv/example-service-volume-valid ; sleep infinity"]
steps:
- run: |
set -x
f=/srv/example-service-volume-valid
test -f $f
test $(cat $f) = SUCCESS
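Review bot: `volume-on-service` covers only the positive case: unlike `volume-on-step`, whose step asserts `! test -f /srv/example-service-volume-invalid`, no service in this workflow requests `/srv/example-service-volume-invalid`, so the commit does not demonstrate that the `valid_volumes` allow-list is applied to service containers at all. Because the step cannot look inside the service container, a negative service case would need a second service that requests the invalid volume and writes into that path from its `cmd`, with the assertion made on the host after the run (`/srv/example-service-volume-invalid` should remain empty); that host-side check belongs in the CI script rather than in this workflow. Separately, the last step's `test $(cat $f) = SUCCESS` expands to `test = SUCCESS` when the file is empty (for example if the service has not written yet), which fails with a `test` usage error rather than a clear comparison; quote it as `test "$(cat $f)" = SUCCESS`. A short comment on the `cmd` line, such as `# the service writes through the bind mount; the step reads it back from the same host path`, would make the intent of the SUCCESS handshake explicit.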


@ -23,7 +23,7 @@ container:
privileged: false
options:
workdir_parent:
valid_volumes: []
valid_volumes: ["/srv/example-service-volume-valid"]
docker_host: ""
host:
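Review bot: The allow-list entry on `valid_volumes: ["/srv/example-service-volume-valid"]` carries no comment, although the test only makes sense together with the path it deliberately leaves out. A comment above it such as `# allow-list of host paths a job may bind-mount; /srv/example-service-volume-invalid is intentionally absent so the workflow can assert that mount is refused` records that the omission is the point of the test rather than an oversight. Whether entries are matched exactly or as patterns is not visible in this hunk; if the runner accepts wildcards, the comment should also say the entry is meant as an exact path. The `container:` mapping this hunk edits starts above the hunk.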