[container hardening] include multiasic scenario, add lldp and teamd containers to testcase (sonic-net#10070)

## Description of PR

Summary: Include multiasic scenario, add lldp and teamd containers to testcase
Fixes # (issue)

### Type of change

- [ ] Bug fix
- [ ] Testbed and Framework(new/improvement)
- [X] Test case(new/improvement)


## Approach
#### What is the motivation for this PR?
Handle both multiasic and single asic scenarios in container hardening testcase
Add lldp and teamd containers to testcase
#### How did you do it?
For teamd, the pattern of `df -h` is different, so we cannot use `df -h | grep /etc/hosts | awk '{print $1}'` to grep the device.

`/dev/vda3        16G  2.1G   14G  14% /var/warmboot`
#### How did you verify/test it?
Manual test
maipbui committed Oct 5, 2023
1 parent a12bed8 commit ae6b234
Showing 1 changed file with 10 additions and 4 deletions.
14 changes: 10 additions & 4 deletions tests/container_hardening/test_container_hardening.py
Expand Up @@ -10,18 +10,24 @@

NO_PRIVILEGED_CONTAINERS = [
'bgp',
'lldp',
'teamd'
]


def test_container_privileged(duthost):
def test_container_privileged(duthosts, enum_rand_one_per_hwsku_hostname, enum_rand_one_asic_index):
"""
Test container without --privileged flag has no access to /dev/vda* or /dev/sda*
"""
for container_name in NO_PRIVILEGED_CONTAINERS:
for container in NO_PRIVILEGED_CONTAINERS:
duthost = duthosts[enum_rand_one_per_hwsku_hostname]
asic = duthost.asic_instance(enum_rand_one_asic_index)
container_name = asic.get_docker_name(container)
docker_exec_cmd = 'docker exec {} bash -c '.format(container_name)
cmd = duthost.shell(docker_exec_cmd + "'df -h | grep /etc/hosts' | awk '{print $1}'")
cmd = duthost.shell(docker_exec_cmd + "'mount | grep /etc/hosts' | awk '{print $1}'")
rc, device = cmd['rc'], cmd['stdout']
output = duthost.shell(docker_exec_cmd + "'ls {}'".format(device), module_ignore_errors=True)['stdout']

pytest_assert(rc == 0, 'Failed to get the device name.')
pytest_assert(device.startswith('/dev/'), 'Invalid device {}.'.format(device))
output = duthost.shell(docker_exec_cmd + "'ls {}'".format(device), module_ignore_errors=True)['stdout']
pytest_assert(not output, 'The partition {} exists.'.format(device))
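
Review bot: In the new `mount | grep /etc/hosts` command line, the single-quoted `bash -c` string closes before `| awk '{print $1}'`, so awk runs on the DUT host and `cmd['rc']` is the exit status of that host-side pipeline, not of `docker exec` or of `grep` inside the container. The `rc == 0` assertion therefore cannot detect a container that is not running or a missing `/etc/hosts` mount; only the `device.startswith('/dev/')` check catches that, with a message that does not say which container failed. Consider running the `docker exec` part on its own so its return code is what gets asserted, and include `container_name` in both assertion messages. Two smaller points: `duthost = duthosts[enum_rand_one_per_hwsku_hostname]` and `asic = duthost.asic_instance(enum_rand_one_asic_index)` do not depend on `container` and can move above the `for` loop, and the final `not output` check looks only at `stdout` with `module_ignore_errors=True`, so it would be clearer to also assert that the `ls` return code is non-zero.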
