
Merge pull request #8074 from infosiftr/numa

Replace NUMA-related seccomp hackery with --cap-add SYS_NICE
yosifkit 5 년 전
부모
커밋
1e2fc94f46
1개의 변경된 파일3개의 추가작업 그리고 54개의 파일을 삭제
  1. 3 54
      test/tests/mongo-basics/run.sh

+ 3 - 54
test/tests/mongo-basics/run.sh

@@ -3,59 +3,8 @@ set -e
 
 image="$1"
 
-haveSeccomp=
-if docker info --format '{{ join .SecurityOptions "\n" }}' 2>/dev/null |tac|tac| grep -q seccomp; then
-	haveSeccomp=1
-
-	# get docker default seccomp profile
-	seccomp="$(wget -q -O - 'https://raw.githubusercontent.com/docker/docker/v17.03.1-ce/profiles/seccomp/default.json')"
-
-	# make container with jq since it is not guaranteed on the host
-	jqImage='librarytest/mongo-basics-jq:alpine'
-	docker build -t "$jqImage" - > /dev/null <<-'EOF'
-		FROM alpine:3.11
-
-		RUN apk add --no-cache jq
-
-		ENTRYPOINT ["jq"]
-	EOF
-
-	# need set_mempolicy syscall to be able to do numactl for mongodb
-	# if "set_mempolicy" is not in the always allowed list, add it
-	extraSeccomp="$(
-		docker run -i --rm "$jqImage" --tab '
-			.syscalls[] |= if (
-				.action == "SCMP_ACT_ALLOW"
-				and .args == []
-				and .comment == ""
-				and .includes == {}
-				and .excludes == {}
-			) then (
-				if ( .names | index("set_mempolicy") ) > 0 then
-					.
-				else (
-					.names |= . + ["set_mempolicy"]
-				) end
-			)
-			else
-				.
-			end
-		' <<<"$seccomp"
-	)"
-else
-	echo >&2 'warning: the current Docker daemon does not appear to support seccomp'
-fi
-
-docker_run_seccomp() {
-	if [ "$haveSeccomp" ]; then
-		docker run --security-opt seccomp=<(cat <<<"$extraSeccomp") "$@"
-	else
-		docker run "$@"
-	fi
-}
-
 cname="mongo-container-$RANDOM-$RANDOM"
-mongodRunArgs=( -d --name "$cname" )
+mongodRunArgs=( -d --name "$cname" --cap-add SYS_NICE ) # SYS_NICE is for NUMA (needed for MongoDB 3.6 on NUMA-enabled hosts)
 mongodCmdArgs=()
 mongoArgs=( --host mongo )
 
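Review bot: The trailing comment on the new `mongodRunArgs` line says why SYS_NICE is added but not that it grants more than the code it replaces. The removed jq filter allowed only the `set_mempolicy` syscall, whereas CAP_SYS_NICE also lets processes in the container raise scheduling priority and set real-time policies and CPU affinity. That is reasonable for a test harness, but the comment should say so, so the flag is not copied into production run commands as the minimal NUMA fix. I would put this on the line above the assignment: `# SYS_NICE: lets numactl call set_mempolicy under the default seccomp profile (MongoDB 3.6 on NUMA hosts); broader than that one syscall, so test-only`. The same literal flag is repeated in the `mongo()` hunk below.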
@@ -127,11 +76,11 @@ if [[ "$testName" == *tls* ]]; then
 	fi
 fi
 
-cid="$(docker_run_seccomp "${mongodRunArgs[@]}" "$image" "${mongodCmdArgs[@]}")"
+cid="$(docker run "${mongodRunArgs[@]}" "$image" "${mongodCmdArgs[@]}")"
 trap "docker rm -vf $cid > /dev/null" EXIT
 
 mongo() {
-	docker_run_seccomp --rm -i \
+	docker run --rm -i --cap-add SYS_NICE \
 		--link "$cname":mongo \
 		--entrypoint mongo \
 		"$image" \
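Review bot: The client container started in `mongo()` also gets `--cap-add SYS_NICE`, but it overrides the entrypoint with `--entrypoint mongo`, so nothing in this hunk shows that it runs numactl or calls `set_mempolicy`. The old code wrapped both runs in `docker_run_seccomp`, so this looks like parity rather than a demonstrated need. If only the mongod container needs the capability, drop it here so the client runs with the default capability set: `docker run --rm -i \`. If it is needed, add a comment saying why, and reuse one variable for the flag instead of repeating the literal. The body of `mongo()` continues past the end of the hunk.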