Block network access for unit tests in docker.

2018-09-18 16:48:59 -07:00 · 2018-09-18 16:48:59 -07:00 · 99cac99cbc
commit 99cac99cbc
parent af40d8c2a5
2 changed files with 28 additions and 0 deletions
--- a/test/runner/lib/delegation.py
+++ b/test/runner/lib/delegation.py
@ -52,6 +52,8 @@ from lib.docker_util import (
    docker_rm,
    docker_run,
    docker_available,
+    docker_network_disconnect,
+    get_docker_networks,
 )

 from lib.cloud import (
@ -276,6 +278,7 @@ def delegate_docker(args, exclude, require, integration_targets):
                cmd += ['--python', 'default']

            # run unit tests unprivileged to prevent stray writes to the source tree
+            # also disconnect from the network once requirements have been installed
            if isinstance(args, UnitsConfig):
                writable_dirs = [
                    '/root/ansible/.pytest_cache',
@ -293,6 +296,11 @@ def delegate_docker(args, exclude, require, integration_targets):

                docker_exec(args, test_id, cmd + ['--requirements-mode', 'only'], options=cmd_options)

+                networks = get_docker_networks(args, test_id)
+
+                for network in networks:
+                    docker_network_disconnect(args, test_id, network)
+
                cmd += ['--requirements-mode', 'skip']

                cmd_options += ['--user', 'pytest']
--- a/test/runner/lib/docker_util.py
+++ b/test/runner/lib/docker_util.py
@ -67,6 +67,17 @@ def get_docker_container_ip(args, container_id):
    return ipaddress


+def get_docker_networks(args, container_id):
+    """
+    :param args: EnvironmentConfig
+    :param container_id: str
+    :rtype: list[str]
+    """
+    results = docker_inspect(args, container_id)
+    networks = sorted(results[0]['NetworkSettings']['Networks'])
+    return networks
+
+
 def docker_pull(args, image):
    """
    :type args: EnvironmentConfig
@ -165,6 +176,15 @@ def docker_inspect(args, container_id):
            raise ex  # pylint: disable=locally-disabled, raising-bad-type


+def docker_network_disconnect(args, container_id, network):
+    """
+    :param args: EnvironmentConfig
+    :param container_id: str
+    :param network: str
+    """
+    docker_command(args, ['network', 'disconnect', network, container_id], capture=True)
+
+
 def docker_network_inspect(args, network):
    """
    :type args: EnvironmentConfig