container-structure-test Passing arguments to the docker run command

trafficstars

When we're using the docker driver, is there anyway to currently pass arguments to the docker run command? for example if i have a container that needs extra capabilites, or you want to add a volume mount to test a command with some custom config?

Feb 26 '18 15:02 mogthesprog

I'm actually happy to have a go at this, but wanted to check if you'd thought about how you might do this?

Use case for us is we have an auditd container that contains some audisp plugins we'd like to test, which needs some extra privileges in order to run successfully.

I'm wondering whether we could add a dockerRunOpts top-level field to test yaml? that might allow you to set global docker run options. Something the below. We wouldn't need to support all the options really, since some of them are constructued by the driver at runtime.

type dockerRunOpts struct {
  Mounts []docker.Mount
  // by default drop all capabilites
  Capabilites []string
  Privileged bool
}

and the yaml might look like:

dockerRunOpts:
  mounts:
    -  source: /tmp/beans
        destination /tmp/cheese
        readWrite: false
  privileged: false
  capabilities:
    - SYS_ADMIN

We'd then need to pass the capabilities to the docker.HostConfig and the mounts to the docker.Config.

Feb 26 '18 18:02 mogthesprog

Hey @mogthesprog, thanks for filing. I think I'm ok with with the general design here, seems like there's enough desire for run options here to warrant taking a stab at it. The one change I think we'll have to make to the UX is probably embedding the driver flag into the yaml, so that it's a little more explicit when you specify a dockerRunOpts field that it'll be used with the docker driver, or that it will be ignored if you specify a different driver.

As far as fields in the dockerRunOpts, I'd say the 3 you have in there right now are fine, we might want to consider adding support for networking options as well.

Feb 26 '18 19:02 nkubala

so maybe something like this? also means if we end up supporting a different container driver then it's a little more generic.

containerRunOpts:
  driver: docker
  mounts:
    - source: /tmp/beans
      destination: /tmp/cheese
      readWrite: false
  privileged: false
  capabilities:
    - SYS_ADMIN

Feb 26 '18 20:02 mogthesprog

I think the driver should be outside the containerRunOpts field. if the user wants to specify the tar driver for example, there won't be any run options. other than that, seems fine

Feb 26 '18 23:02 nkubala

ah great. That's the bit i was missing. I've had a quick stab this evening, i'll hopefully have something put together over the next few days, will keep you posted.

Feb 26 '18 23:02 mogthesprog

+1 for this feature.

I'm currently using docker-py to make sure we have the correct libraries installed after mounting a volume containing scripts. This seems like a more robust solution.

Nov 17 '18 19:11 alysivji

+1 for this feature

Jul 25 '19 12:07 helmut-hoffer-von-ankershoffen

Okay. There's community interested in this one and an old PR.

I'm going to file this 'help wanted' and put it in the Icebox, but if any of you want to pick up where the previous author left off, let me know and I'll put it 'In Progress'