@@ -3,6 +3,7 @@ package parse //nolint:revive,nolintlint
33import (
44 "fmt"
55 "os"
6+ "path/filepath"
67 "runtime"
78 "testing"
89
@@ -11,6 +12,7 @@ import (
1112 "github.com/stretchr/testify/assert"
1213 "github.com/stretchr/testify/require"
1314 "go.podman.io/buildah/define"
15+ "go.podman.io/common/pkg/config"
1416 "go.podman.io/image/v5/types"
1517)
1618
@@ -29,6 +31,70 @@ func TestCommonBuildOptionsFromFlagSet(t *testing.T) {
2931 assert .Equal (t , cbo .Memory , int64 (2147483648 ))
3032}
3133
34+ func TestCommonBuildOptionsSeccompFromConfig (t * testing.T ) {
35+ configPath := filepath .Join (t .TempDir (), "containers.conf" )
36+ t .Setenv ("CONTAINERS_CONF" , configPath )
37+ t .Cleanup (func () {
38+ _ , err := config .Reload ()
39+ assert .NoError (t , err )
40+ })
41+
42+ defaultOptions := new (define.CommonBuildOptions )
43+ require .NoError (t , parseSecurityOpts (nil , defaultOptions ))
44+
45+ tests := []struct {
46+ name string
47+ containersConf string
48+ securityOpts []string
49+ expectedProfile string
50+ }{
51+ {
52+ name : "configured unconfined" ,
53+ containersConf : "[containers]\n seccomp_profile = \" unconfined\" \n " ,
54+ expectedProfile : "unconfined" ,
55+ },
56+ {
57+ name : "command line overrides config" ,
58+ containersConf : "[containers]\n seccomp_profile = \" unconfined\" \n " ,
59+ securityOpts : []string {"seccomp=/tmp/custom-seccomp.json" },
60+ expectedProfile : "/tmp/custom-seccomp.json" ,
61+ },
62+ {
63+ name : "no configured profile" ,
64+ containersConf : "[containers]\n " ,
65+ expectedProfile : defaultOptions .SeccompProfilePath ,
66+ },
67+ }
68+
69+ for _ , test := range tests {
70+ t .Run (test .name , func (t * testing.T ) {
71+ require .NoError (t , os .WriteFile (configPath , []byte (test .containersConf ), 0o600 ))
72+ _ , err := config .Reload ()
73+ require .NoError (t , err )
74+
75+ fs := newCommonBuildOptionsFlagSet (t , test .securityOpts )
76+ commonOpts , err := CommonBuildOptionsFromFlagSet (fs , fs .Lookup )
77+ require .NoError (t , err )
78+ assert .Equal (t , test .expectedProfile , commonOpts .SeccompProfilePath )
79+ })
80+ }
81+ }
82+
83+ func newCommonBuildOptionsFlagSet (t * testing.T , securityOpts []string ) * pflag.FlagSet {
84+ t .Helper ()
85+
86+ fs := pflag .NewFlagSet ("common-build-options" , pflag .ContinueOnError )
87+ fs .String ("cpuset-cpus" , "" , "" )
88+ fs .String ("cpuset-mems" , "" , "" )
89+ fs .String ("cgroup-parent" , "" , "" )
90+ fs .String ("shm-size" , "65536k" , "" )
91+ fs .StringArray ("security-opt" , nil , "" )
92+ for _ , securityOpt := range securityOpts {
93+ require .NoError (t , fs .Set ("security-opt" , securityOpt ))
94+ }
95+ return fs
96+ }
97+
3298// TestDeviceParser verifies the given device strings is parsed correctly
3399func TestDeviceParser (t * testing.T ) {
34100 t .Parallel ()
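Review bot: The `t.Cleanup` in TestCommonBuildOptionsSeccompFromConfig is registered after `t.Setenv`, and cleanups run last-added-first, so its `config.Reload()` executes while `CONTAINERS_CONF` still points at the temporary file. The process-wide config is therefore left loaded from the last subtest's fixture instead of being restored from the original environment. Moving the `t.Cleanup(func() { _, err := config.Reload(); assert.NoError(t, err) })` block above `t.Setenv("CONTAINERS_CONF", configPath)` makes the reload run after the variable has been put back. This matters because tests that call `t.Parallel()`, such as TestDeviceParser at the end of the hunk, resume only after the serial tests finish and would presumably see whatever config this test left behind. The table also has no case where containers.conf names a profile path and `--security-opt seccomp=unconfined` is passed, which would pin the override in the direction that relaxes confinement.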