GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2024-11-01 08:31:44 +01:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #539 from konstruktoid/issue538

Browse source 
check if restart policy is 5 or less
This commit is contained in:
Thomas Sjögren 2024-02-11 11:25:09 +01:00 committed by GitHub
commit 820abe98c3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 9 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
tests/5_container_runtime.sh
View file

@ -617,27 +617,29 @@ check_5_15() {
for s in $(docker service ls --format '{{.Name}}'); do for s in $(docker service ls --format '{{.Name}}'); do
if echo $container_name | grep -q "$s"; then if echo $container_name | grep -q "$s"; then
task_id=$(docker inspect "$c" --format '{{.Name}}' | awk -F '.' '{print $NF}') task_id=$(docker inspect "$c" --format '{{.Name}}' | awk -F '.' '{print $NF}')
# a container name could arbitrary include a service one: it belongs to a service (created by Docker # a container name could arbitrary include a service one: it belongs to a service (created by Docker
# as part of the service), if the container task ID matches one of the task IDs of the service. # as part of the service), if the container task ID matches one of the task IDs of the service.
if docker service ps --no-trunc "$s" --format '{{.ID}}' | grep -q "$task_id"; then if docker service ps --no-trunc "$s" --format '{{.ID}}' | grep -q "$task_id"; then
spolicy=$(docker inspect --format MaxAttempts='{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s") restart_policy=$(docker inspect --format '{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
break break
fi fi
fi fi
done done
fi fi
cpolicy=$(docker inspect --format MaximumRetryCount='{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c") if docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c" &>/dev/null; then
restart_policy=$(docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
fi
if [ "$cpolicy" != "MaximumRetryCount=5" ] && [ "$spolicy" != "MaxAttempts=5" ]; then if [ "$restart_policy" -gt "5" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn -s "$check" warn -s "$check"
warn " * MaximumRetryCount is not set to 5: $c" warn " * MaximumRetryCount is not set to 5 or less: $c"
maxretry_unset_containers="$maxretry_unset_containers $c" maxretry_unset_containers="$maxretry_unset_containers $c"
fail=1 fail=1
continue continue
fi fi
warn " * MaximumRetryCount is not set to 5: $c" warn " * MaximumRetryCount is not set to 5 or less: $c"
maxretry_unset_containers="$maxretry_unset_containers $c" maxretry_unset_containers="$maxretry_unset_containers $c"
fi fi
done done
@ -647,7 +649,7 @@ check_5_15() {
logcheckresult "PASS" logcheckresult "PASS"
return return
fi fi
logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers" logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5 or less" "$maxretry_unset_containers"
} }
check_5_16() { check_5_16() {