Don't use setuid on chkmq*

Also add new tests for chkmqhealthy and privileges

test/docker/docker_api_test.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2019
+© Copyright IBM Corporation 2017, 2020
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -1434,3 +1434,44 @@ func TestTraceStrmqm(t *testing.T) {
 		t.Fatalf("No trace files found in trace directory /var/mqm/trace. RC=%d.", rc)
 	}
 }
+
+// utilTestHealthCheck is used by TestHealthCheck* to run a container with
+// privileges enabled or disabled.  Otherwise the same as the golden path tests.
+func utilTestHealthCheck(t *testing.T, nonewpriv bool) {
+	t.Parallel()
+	cli, err := client.NewEnvClient()
+	if err != nil {
+		t.Fatal(err)
+	}
+	containerConfig := container.Config{
+		Env: []string{"LICENSE=accept", "MQ_QMGR_NAME=qm1"},
+	}
+	hostConfig := getDefaultHostConfig(t, cli)
+	hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("no-new-privileges:%v", nonewpriv))
+	id := runContainerWithHostConfig(t, cli, &containerConfig, hostConfig)
+	defer cleanContainer(t, cli, id)
+	waitForReady(t, cli, id)
+	rc, out := execContainer(t, cli, id, "", []string{"chkmqhealthy"})
+	t.Log(out)
+	if rc != 0 {
+		t.Errorf("Expected chkmqhealthy to return with exit code 0; got \"%v\"", rc)
+		t.Logf("Output from chkmqhealthy:\n%v", out)
+	}
+	// Stop the container cleanly
+	stopContainer(t, cli, id)
+}
+
+// TestHealthCheckWithNoNewPrivileges tests golden path start/stop plus
+// chkmqhealthy, when running in a container where no new privileges are
+// allowed (i.e. setuid is disabled)
+func TestHealthCheckWithNoNewPrivileges(t *testing.T) {
+	utilTestHealthCheck(t, true)
+}
+
+// TestHealthCheckWithNoNewPrivileges tests golden path start/stop plus
+// chkmqhealthy when running in a container where new privileges are
+// allowed (i.e. setuid is allowed)
+// See https://github.com/ibm-messaging/mq-container/issues/428
+func TestHealthCheckWithNewPrivileges(t *testing.T) {
+	utilTestHealthCheck(t, false)
+}

test/docker/docker_api_test_util.go

@@ -267,20 +267,8 @@ func generateRandomUID() string {
 	return fmt.Sprint(rand.Intn(max-min) + min)
 }
 
-// runContainerWithPorts creates and starts a container, exposing the specified ports on the host.
-// If no image is specified in the container config, then the image name is retrieved from the TEST_IMAGE
-// environment variable.
-func runContainerWithPorts(t *testing.T, cli *client.Client, containerConfig *container.Config, ports []int) string {
-	if containerConfig.Image == "" {
-		containerConfig.Image = imageName()
-	}
-	// Always run as a random user, unless the test has specified otherwise
-	if containerConfig.User == "" {
-		containerConfig.User = generateRandomUID()
-	}
-	// if coverage
-	containerConfig.Env = append(containerConfig.Env, "COVERAGE_FILE="+t.Name()+".cov")
-	containerConfig.Env = append(containerConfig.Env, "EXIT_CODE_FILE="+getExitCodeFilename(t))
+// getDefaultHostConfig creates a HostConfig and populates it with the defaults used in testing
+func getDefaultHostConfig(t *testing.T, cli *client.Client) *container.HostConfig {
 	hostConfig := container.HostConfig{
 		Binds: []string{
 			coverageBind(t),
@@ -299,6 +287,37 @@ func runContainerWithPorts(t *testing.T, cli *client.Client, containerConfig *co
 	} else {
 		t.Logf("Detected MQ Advanced image - dropping all capabilities")
 	}
+	return &hostConfig
+}
+
+// runContainerWithHostConfig creates and starts a container, using the supplied HostConfig.
+// Note that a default HostConfig can be created using getDefaultHostConfig.
+func runContainerWithHostConfig(t *testing.T, cli *client.Client, containerConfig *container.Config, hostConfig *container.HostConfig) string {
+	if containerConfig.Image == "" {
+		containerConfig.Image = imageName()
+	}
+	// Always run as a random user, unless the test has specified otherwise
+	if containerConfig.User == "" {
+		containerConfig.User = generateRandomUID()
+	}
+	// if coverage
+	containerConfig.Env = append(containerConfig.Env, "COVERAGE_FILE="+t.Name()+".cov")
+	containerConfig.Env = append(containerConfig.Env, "EXIT_CODE_FILE="+getExitCodeFilename(t))
+	networkingConfig := network.NetworkingConfig{}
+	t.Logf("Running container (%s)", containerConfig.Image)
+	ctr, err := cli.ContainerCreate(context.Background(), containerConfig, hostConfig, &networkingConfig, t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	startContainer(t, cli, ctr.ID)
+	return ctr.ID
+}
+
+// runContainerWithPorts creates and starts a container, exposing the specified ports on the host.
+// If no image is specified in the container config, then the image name is retrieved from the TEST_IMAGE
+// environment variable.
+func runContainerWithPorts(t *testing.T, cli *client.Client, containerConfig *container.Config, ports []int) string {
+	hostConfig := getDefaultHostConfig(t, cli)
 	for _, p := range ports {
 		port := nat.Port(fmt.Sprintf("%v/tcp", p))
 		hostConfig.PortBindings[port] = []nat.PortBinding{
@@ -307,14 +326,7 @@ func runContainerWithPorts(t *testing.T, cli *client.Client, containerConfig *co
 			},
 		}
 	}
-	networkingConfig := network.NetworkingConfig{}
-	t.Logf("Running container (%s)", containerConfig.Image)
-	ctr, err := cli.ContainerCreate(context.Background(), containerConfig, &hostConfig, &networkingConfig, t.Name())
-	if err != nil {
-		t.Fatal(err)
-	}
-	startContainer(t, cli, ctr.ID)
-	return ctr.ID
+	return runContainerWithHostConfig(t, cli, containerConfig, hostConfig)
 }
 
 // runContainer creates and starts a container.  If no image is specified in
@@ -526,6 +538,7 @@ func waitForContainer(t *testing.T, cli *client.Client, ID string, timeout time.
 
 // execContainer runs a command in a running container, and returns the exit code and output
 func execContainer(t *testing.T, cli *client.Client, ID string, user string, cmd []string) (int, string) {
+	t.Logf("Running command: %v", cmd)
 	config := types.ExecConfig{
 		User:        user,
 		Privileged:  false,