Closed zappy-shu closed 5 years ago
Merging #478 into master will decrease coverage by <.01%. The diff coverage is 73.43%.
@@ Coverage Diff @@
## master #478 +/- ##
==========================================
- Coverage 69.53% 69.52% -0.01%
==========================================
Files 51 50 -1
Lines 2629 2553 -76
==========================================
- Hits 1828 1775 -53
+ Misses 569 543 -26
- Partials 232 235 +3
Impacted Files | Coverage Δ | |
---|---|---|
internal/commands/inspect.go | 78.37% <100%> (ø) | :arrow_up: |
internal/commands/uninstall.go | 65.78% <50%> (-2.79%) | :arrow_down: |
internal/commands/status.go | 71.42% <50%> (-3.58%) | :arrow_down: |
internal/commands/install.go | 63.63% <50%> (-1.45%) | :arrow_down: |
internal/commands/upgrade.go | 63.46% <70%> (-1.85%) | :arrow_down: |
internal/commands/cnab.go | 68.99% <80.48%> (-10.21%) | :arrow_down: |
internal/store/store.go | 71.42% <0%> (-0.58%) | :arrow_down: |
internal/commands/dockerdesktop.go | | |
Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 622f5d9...aecbf56.
Note: in order to fix the vendoring, this PR also contains the changes in #482.
- What I did
Made the invocation image run as a non-root account except where root permissions are required.
Root permissions are required when running through a Unix socket/named pipe rather than TCP. In this case the Unix socket is mounted and the container is run as root.
- How I did it
Updated the invocation image's Dockerfile to create a "cnab" system user and run as that by default.
On commands, check whether the target context/orchestrator requires the socket binding by checking the stack orchestrator and context metadata's endpoint. If the orchestrator is not Kubernetes and the endpoint is empty, the Unix socket, or Windows named pipe, then the socket needs to be bound.
When preparing the driver, mount /var/run/docker.sock and override the cnab user with "0:0" if binding the local socket is required.
- How to verify it
E2E tests have been updated to test the docker app lifecycle with and without the bind mount.
- Notes
Because of issues with the handling of the default context, the bind mount/root permissions are assumed to be required when on the default context.
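
The decision described in this PR, sketched as an added Go example that is not the project's own code: it stays on the non-root user unless the local socket has to be bound. The function names, the `RunSettings` type, the `unix://`/`npipe://` prefixes used to recognise socket and pipe endpoints, and letting the default context override the other checks are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// RunSettings is a hypothetical type: how the invocation image container is started.
type RunSettings struct {
	User   string   // "" keeps the image's default non-root "cnab" user
	Mounts []string // bind mounts, "source:target"
}

// requiresSocketBind reports whether the local engine socket must be mounted.
// Rule from the PR description: not Kubernetes, and the endpoint is empty,
// a Unix socket, or a Windows named pipe. The default context is assumed to
// need the bind; checking it first is this example's assumption.
func requiresSocketBind(orchestrator, endpoint string, defaultContext bool) bool {
	if defaultContext {
		return true
	}
	if strings.EqualFold(orchestrator, "kubernetes") {
		return false
	}
	return endpoint == "" ||
		strings.HasPrefix(endpoint, "unix://") ||
		strings.HasPrefix(endpoint, "npipe://")
}

// settingsFor escalates to root only when the socket bind is required.
func settingsFor(orchestrator, endpoint string, defaultContext bool) RunSettings {
	if !requiresSocketBind(orchestrator, endpoint, defaultContext) {
		return RunSettings{} // stay non-root, no host socket exposed
	}
	return RunSettings{
		User:   "0:0",
		Mounts: []string{"/var/run/docker.sock:/var/run/docker.sock"},
	}
}

func main() {
	// Constructed sample endpoints.
	for _, ep := range []string{"", "unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"} {
		fmt.Printf("swarm %q -> %+v\n", ep, settingsFor("swarm", ep, false))
	}
	fmt.Printf("kubernetes -> %+v\n", settingsFor("kubernetes", "", false))
}
```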