From ae6b23450e84ecc620ece7839216eac43843e337 Mon Sep 17 00:00:00 2001
From: Mai Bui
Date: Thu, 5 Oct 2023 16:18:34 -0400
Subject: [PATCH] [container hardening] include multiasic scenario, add lldp and teamd containers to testcase (#10070)
## Description of PR Summary: Include multiasic scenario, add lldp and teamd containers to testcase Fixes # (issue) ### Type of change - [ ] Bug fix - [ ] Testbed and Framework(new/improvement) - [X] Test case(new/improvement) ## Approach #### What is the motivation for this PR? Handle both multiasic and single asic scenarios in container hardening testcase Add lldp and teamd containers to testcase #### How did you do it? For teamd, the pattern `df -h` is different so cannot use `df -h | grep /etc/hosts | awk '{print $1}'` to grep device. `/dev/vda3 16G 2.1G 14G 14% /var/warmboot` #### How did you verify/test it? Manual test
---
.../test_container_hardening.py | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/tests/container_hardening/test_container_hardening.py b/tests/container_hardening/test_container_hardening.py
index 6150f77f72f..3c032efc7a6 100644
--- a/tests/container_hardening/test_container_hardening.py
+++ b/tests/container_hardening/test_container_hardening.py
@@ -10,18 +10,24 @@ NO_PRIVILEGED_CONTAINERS = [ 'bgp', + 'lldp', + 'teamd' ] -def test_container_privileged(duthost): +def test_container_privileged(duthosts, enum_rand_one_per_hwsku_hostname, enum_rand_one_asic_index): """ Test container without --privileged flag has no access to /dev/vda* or /dev/sda* """ - for container_name in NO_PRIVILEGED_CONTAINERS: + for container in NO_PRIVILEGED_CONTAINERS: + duthost = duthosts[enum_rand_one_per_hwsku_hostname] + asic = duthost.asic_instance(enum_rand_one_asic_index) + container_name = asic.get_docker_name(container) docker_exec_cmd = 'docker exec {} bash -c '.format(container_name) - cmd = duthost.shell(docker_exec_cmd + "'df -h | grep /etc/hosts' | awk '{print $1}'") + cmd = duthost.shell(docker_exec_cmd + "'mount | grep /etc/hosts' | awk '{print $1}'") rc, device = cmd['rc'], cmd['stdout'] + output = duthost.shell(docker_exec_cmd + "'ls {}'".format(device), module_ignore_errors=True)['stdout'] + pytest_assert(rc == 0, 'Failed to get the device name.') pytest_assert(device.startswith('/dev/'), 'Invalid device {}.'.format(device)) - output = duthost.shell(docker_exec_cmd + "'ls {}'".format(device), module_ignore_errors=True)['stdout'] pytest_assert(not output, 'The partition {} exists.'.format(device))
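Review bot: The `ls` probe now runs before `device` has been validated: the `output = duthost.shell(docker_exec_cmd + "'ls {}'".format(device), ...)` line was moved above the two `pytest_assert` checks, so an empty or multi-line result from `mount | grep /etc/hosts` is interpolated into a shell command inside the container before `device.startswith('/dev/')` can reject it. Keep the `output = ...` line after `pytest_assert(device.startswith('/dev/'), ...)`, where the previous version had it. The `rc == 0` check also looks vacuous, because the closing quote ends the `bash -c` string before `| awk '{print $1}'`, so `rc` is presumably awk's exit status on the host rather than that of `docker exec`; moving awk inside the quoted command, or relying on the `device` assertion alone, would make the failure message accurate. `duthost` and `asic` do not depend on the loop variable and can be assigned once above the `for`.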