From fb027748140856aea9355cdedfdeb1e42bf4f1b5 Mon Sep 17 00:00:00 2001 From: Adam Outler Date: Sun, 26 Oct 2025 00:14:03 +0000 Subject: [PATCH] Fix errors for tests --- .devcontainer/Dockerfile | 3 ++ .vscode/tasks.json | 2 +- Dockerfile | 3 ++ install/production-filesystem/entrypoint.sh | 4 +- ...storage.sh => check-persistent-storage.sh} | 48 ++++++++++++++++--- .../test_container_environment.py | 1 + 6 files changed, 52 insertions(+), 9 deletions(-) rename install/production-filesystem/services/scripts/{check-persistent_storage.sh => check-persistent-storage.sh} (58%) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 4d7fbde0..35c4a40d 100755 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -185,6 +185,9 @@ RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \ find ${READ_WRITE_FOLDERS} -type d -exec chmod 700 {} + && \ chown ${READ_ONLY_USER}:${READ_ONLY_GROUP} /entrypoint.sh /opt /opt/venv && \ chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh /app /opt /opt/venv && \ + for dir in ${READ_WRITE_FOLDERS}; do \ + install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 "$dir"; \ + done && \ apk del apk-tools && \ rm -Rf /var /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \ /lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \ diff --git a/.vscode/tasks.json b/.vscode/tasks.json index 815123bc..f8a55bcb 100755 --- a/.vscode/tasks.json +++ b/.vscode/tasks.json @@ -164,7 +164,7 @@ { "label": "[Any] Build Unit Test Docker image", "type": "shell", - "command": "docker build -t netalertx-test .", + "command": "docker build -t netalertx-test .; echo '🧪 Unit Test Docker image built: netalertx-test'", "presentation": { "echo": true, "reveal": "always", diff --git a/Dockerfile b/Dockerfile index a395236a..154068c1 100755 --- a/Dockerfile +++ b/Dockerfile @@ -182,6 +182,9 @@ RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \ find ${READ_WRITE_FOLDERS} -type d -exec chmod 700 {} + && \ chown ${READ_ONLY_USER}:${READ_ONLY_GROUP} /entrypoint.sh /opt /opt/venv && \ chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh /app /opt /opt/venv && \ + for dir in ${READ_WRITE_FOLDERS}; do \ + install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 "$dir"; \ + done && \ apk del apk-tools && \ rm -Rf /var /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \ /lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \ diff --git a/install/production-filesystem/entrypoint.sh b/install/production-filesystem/entrypoint.sh index 00e14ff1..807657da 100755 --- a/install/production-filesystem/entrypoint.sh +++ b/install/production-filesystem/entrypoint.sh @@ -70,7 +70,9 @@ if [ "${NETALERTX_DEBUG:-0}" != "1" ]; then if [ ${NETALERTX_DOCKER_ERROR_CHECK} -ne 0 ]; then echo exit code ${NETALERTX_DOCKER_ERROR_CHECK} from ${script} - exit ${NETALERTX_DOCKER_ERROR_CHECK} + if [ ${NETALERTX_DOCKER_ERROR_CHECK} -ne 0 ]; then + NETALERTX_CHECK_ONLY=${NETALERTX_DOCKER_ERROR_CHECK} + fi fi done fi diff --git a/install/production-filesystem/services/scripts/check-persistent_storage.sh b/install/production-filesystem/services/scripts/check-persistent-storage.sh similarity index 58% rename from install/production-filesystem/services/scripts/check-persistent_storage.sh rename to install/production-filesystem/services/scripts/check-persistent-storage.sh index e795651d..a7065dc3 100644 --- a/install/production-filesystem/services/scripts/check-persistent_storage.sh +++ b/install/production-filesystem/services/scripts/check-persistent-storage.sh @@ -1,14 +1,48 @@ #!/bin/sh # check-storage.sh - Verify critical paths are persistent mounts. -warn_if_not_persistent_mount() { - path="$1" - # Check if the path is a mount point by looking for it in /proc/self/mountinfo - # We are looking for an exact match in the mount point column (field 5) - if awk -v target="${path}" '$5 == target {found=1} END {exit found ? 0 : 1}' /proc/self/mountinfo; then +# Get the Device ID of the root filesystem (overlayfs/tmpfs) +# The default, non-persistent container root will have a unique Device ID. +# Persistent mounts will have a different Device ID (unless it's a bind mount +# from the host's root, which is a rare and unusual setup for a single volume check). +ROOT_DEV_ID=$(stat -c '%d' /) + +is_persistent_mount() { + target_path="$1" + + # Stat the path and get its Device ID + current_dev_id=$(stat -c '%d' "${target_path}") + + # If the Device ID of the target is *different* from the root's Device ID, + # it means it resides on a separate filesystem, implying a mount. + if [ "${current_dev_id}" != "${ROOT_DEV_ID}" ]; then + return 0 # Persistent (different filesystem/device ID) + fi + + # Fallback to check if it's the root directory itself (which is always mounted) + if [ "${target_path}" = "/" ]; then return 0 fi + # Check parent directory recursively + parent_dir=$(dirname "${target_path}") + if [ "${parent_dir}" != "${target_path}" ]; then + is_persistent_mount "${parent_dir}" + return $? + fi + + return 1 # Not persistent +} + +warn_if_not_persistent_mount() { + path="$1" + + if is_persistent_mount "${path}"; then + return 0 + fi + + # ... (Your existing warning message block remains unchanged) ... + failures=1 YELLOW=$(printf '\033[1;33m') RESET=$(printf '\033[0m') @@ -36,7 +70,7 @@ EOF # If NETALERTX_DEBUG=1 then we will exit if [ "${NETALERTX_DEBUG}" = "1" ]; then - exit 0 + exit 0 fi failures=0 @@ -49,4 +83,4 @@ if [ "${failures}" -ne 0 ]; then # We only warn, not exit, as this is not a critical failure # but the user should be aware of the potential data loss. sleep 5 # Give user time to read the message -fi +fi \ No newline at end of file diff --git a/test/docker_tests/test_container_environment.py b/test/docker_tests/test_container_environment.py index 0fd04c75..5a7b891c 100644 --- a/test/docker_tests/test_container_environment.py +++ b/test/docker_tests/test_container_environment.py @@ -169,6 +169,7 @@ def _run_container( extra_args: list[str] | None = None, volume_specs: list[str] | None = None, sleep_seconds: float = GRACE_SECONDS, + userns: str | None = "host", ) -> subprocess.CompletedProcess[str]: name = f"netalertx-test-{label}-{uuid.uuid4().hex[:8]}".lower() cmd: list[str] = ["docker", "run", "--rm", "--name", name]