add dockerfile #26

Workflow file for this run

.github/workflows/cpp-tests.yml at 41519a7

	name: C++ Integration Tests

	on:
	push:
	branches:
	- "**"
	pull_request:

	jobs:
	test-filesystem-isolation:
	name: "Security: Filesystem Isolation (File Privacy)"
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod

	- name: Install native dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y gcc g++ libc6-dev

	- name: Run filesystem isolation subtest
	env:
	ENABLE_QUEUE: "false"
	run: sudo -E go test -v -run '^TestContainerizationAPISecurityIntegrationCpp$/^file privacy across request IDs$' ./...

	test-disk-cleanup:
	name: "Security: Disk Cleanup (Storage Exhaustion)"
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod

	- name: Install native dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y gcc g++ libc6-dev

	- name: Run disk cleanup subtest
	env:
	ENABLE_QUEUE: "false"
	run: sudo -E go test -v -run '^TestContainerizationAPISecurityIntegrationCpp$/^disk spammer is terminated and data is reclaimed$' ./...

	test-fork-bomb:
	name: "Resource: Fork Bomb Containment"
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod

	- name: Install native dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y gcc g++ libc6-dev

	- name: Run fork bomb subtest
	env:
	ENABLE_QUEUE: "false"
	run: sudo -E go test -v -run '^TestContainerizationAPISecurityIntegrationCpp$/^fork bomb does not poison subsequent requests$' ./...

	test-network-isolation:
	name: "Security: Network Namespace (Localhost Bridge)"
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod

	- name: Install native dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y gcc g++ libc6-dev

	- name: Run network isolation subtest
	env:
	ENABLE_QUEUE: "false"
	run: sudo -E go test -v -run '^TestContainerizationAPISecurityIntegrationCpp$/^network namespace blocks localhost bridge$' ./...

	test-memory-oom:
	name: "Security: Memory Limit (Hard OOM)"
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod

	- name: Install native dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y gcc g++ libc6-dev

	- name: Run memory OOM subtest
	env:
	ENABLE_QUEUE: "false"
	run: sudo -E go test -v -run '^TestContainerizationAPISecurityIntegrationCpp$/^memory hard limit triggers oom kill$' ./...

	test-io-flood:
	name: "Resilience: I/O Flood (Bounded Stderr)"
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod

	- name: Install native dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y gcc g++ libc6-dev

	- name: Run I/O flood resilience subtest
	env:
	ENABLE_QUEUE: "false"
	run: sudo -E go test -v -run '^TestContainerizationAPISecurityIntegrationCpp$/^io flood is bounded and returns before timeout$' ./...

	test-signal-trap:
	name: "Resilience: Signal Trap Uses SIGKILL Timeout"
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod

	- name: Install native dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y gcc g++ libc6-dev

	- name: Run signal trap resilience subtest
	env:
	ENABLE_QUEUE: "false"
	run: sudo -E go test -v -run '^TestContainerizationAPISecurityIntegrationCpp$/^signal trap cannot survive forced timeout$' ./...

	test-orphan-reaping:
	name: "Resilience: Orphan Grandchild Reaping"
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod

	- name: Install native dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y gcc g++ libc6-dev

	- name: Run orphan reaping resilience subtest
	env:
	ENABLE_QUEUE: "false"
	run: sudo -E go test -v -run '^TestContainerizationAPISecurityIntegrationCpp$/^orphan grandchild is reaped after request exits$' ./...

	test-inode-exhaustion:
	name: "Resilience: Inode Exhaustion Safety"
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod

	- name: Install native dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y gcc g++ libc6-dev

	- name: Run inode exhaustion resilience subtest
	env:
	ENABLE_QUEUE: "false"
	run: sudo -E go test -v -run '^TestContainerizationAPISecurityIntegrationCpp$/^inode bomb does not poison host temp filesystem$' ./...

	test-privileged-syscall:
	name: "Resilience: Privileged Syscall Denial"
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod

	- name: Install native dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y gcc g++ libc6-dev

	- name: Run privileged syscall denial subtest
	env:
	ENABLE_QUEUE: "false"
	run: sudo -E go test -v -run '^TestContainerizationAPISecurityIntegrationCpp$/^privileged reboot syscall is denied$' ./...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add dockerfile #26

Workflow file

add dockerfile #26

Uh oh!

Workflow file for this run