don't use privileged docker containers

2025-10-29 04:57:48 +01:00 · 2024-06-23 21:54:46 +02:00
parent 3e145b18cb
commit 8ffaa80252
2 changed files with 7 additions and 10 deletions
--- a/server/src/test/java/com/usatiuk/dhfs/integration/DhfsFuseIT.java
+++ b/server/src/test/java/com/usatiuk/dhfs/integration/DhfsFuseIT.java
@@ -1,5 +1,6 @@
 package com.usatiuk.dhfs.integration;

+import com.github.dockerjava.api.model.Capability;
 import com.github.dockerjava.api.model.Device;
 import io.quarkus.logging.Log;
 import org.apache.commons.lang3.tuple.Pair;
@@ -46,12 +47,10 @@ public class DhfsFuseIT {
                                .build())
                .withFileFromPath("/app", Paths.get(buildPath, "quarkus-app"));
        container1 = new GenericContainer<>(image)
-                .withPrivilegedMode(true)
-                .withCreateContainerCmdModifier(cmd -> Objects.requireNonNull(cmd.getHostConfig()).withDevices(Device.parse("/dev/fuse")))
+                .withCreateContainerCmdModifier(cmd -> Objects.requireNonNull(cmd.getHostConfig()).withDevices(Device.parse("/dev/fuse")).withCapAdd(Capability.SYS_ADMIN))
                .waitingFor(Wait.forLogMessage(".*Listening.*", 1).withStartupTimeout(Duration.ofSeconds(60))).withNetwork(network);
        container2 = new GenericContainer<>(image)
-                .withPrivilegedMode(true)
-                .withCreateContainerCmdModifier(cmd -> Objects.requireNonNull(cmd.getHostConfig()).withDevices(Device.parse("/dev/fuse")))
+                .withCreateContainerCmdModifier(cmd -> Objects.requireNonNull(cmd.getHostConfig()).withDevices(Device.parse("/dev/fuse")).withCapAdd(Capability.SYS_ADMIN))
                .waitingFor(Wait.forLogMessage(".*Listening.*", 1).withStartupTimeout(Duration.ofSeconds(60))).withNetwork(network);

        Stream.of(container1, container2).parallel().forEach(GenericContainer::start);
--- a/server/src/test/java/com/usatiuk/dhfs/integration/DhfsFusex3IT.java
+++ b/server/src/test/java/com/usatiuk/dhfs/integration/DhfsFusex3IT.java
@@ -1,5 +1,6 @@
 package com.usatiuk.dhfs.integration;

+import com.github.dockerjava.api.model.Capability;
 import com.github.dockerjava.api.model.Device;
 import io.quarkus.logging.Log;
 import org.apache.commons.lang3.tuple.Pair;
@@ -50,16 +51,13 @@ public class DhfsFusex3IT {
                                .build())
                .withFileFromPath("/app", Paths.get(buildPath, "quarkus-app"));
        container1 = new GenericContainer<>(image)
-                .withPrivilegedMode(true)
-                .withCreateContainerCmdModifier(cmd -> Objects.requireNonNull(cmd.getHostConfig()).withDevices(Device.parse("/dev/fuse")))
+                .withCreateContainerCmdModifier(cmd -> Objects.requireNonNull(cmd.getHostConfig()).withDevices(Device.parse("/dev/fuse")).withCapAdd(Capability.SYS_ADMIN))
                .waitingFor(Wait.forLogMessage(".*Listening.*", 1).withStartupTimeout(Duration.ofSeconds(60))).withNetwork(network);
        container2 = new GenericContainer<>(image)
-                .withPrivilegedMode(true)
-                .withCreateContainerCmdModifier(cmd -> Objects.requireNonNull(cmd.getHostConfig()).withDevices(Device.parse("/dev/fuse")))
+                .withCreateContainerCmdModifier(cmd -> Objects.requireNonNull(cmd.getHostConfig()).withDevices(Device.parse("/dev/fuse")).withCapAdd(Capability.SYS_ADMIN))
                .waitingFor(Wait.forLogMessage(".*Listening.*", 1).withStartupTimeout(Duration.ofSeconds(60))).withNetwork(network);
        container3 = new GenericContainer<>(image)
-                .withPrivilegedMode(true)
-                .withCreateContainerCmdModifier(cmd -> Objects.requireNonNull(cmd.getHostConfig()).withDevices(Device.parse("/dev/fuse")))
+                .withCreateContainerCmdModifier(cmd -> Objects.requireNonNull(cmd.getHostConfig()).withDevices(Device.parse("/dev/fuse")).withCapAdd(Capability.SYS_ADMIN))
                .waitingFor(Wait.forLogMessage(".*Listening.*", 1).withStartupTimeout(Duration.ofSeconds(60))).withNetwork(network);