os-autoinst · ricardobranco777 · Oct 18, 2025 · Oct 18, 2025 · Oct 18, 2025 · Oct 18, 2025
@@ -150,16 +150,19 @@ docker-py:
   # https://github.com/docker/docker-py/pull/3290 - tests/exec: expect 127 exit code for missing executable
   # https://github.com/docker/docker-py/pull/3354 - tests: Fix deprecation warning for utcfromtimestamp()
   # https://github.com/docker/docker-py/pull/3366 - test: Skip from_env_unix tests if DOCKER_HOST is network socket
+  # https://github.com/docker/docker-py/pull/3367 - tests/integration: Make the tests runnable on SELinux enabled daemon
   opensuse-Tumbleweed:
     GITHUB_PATCHES:
     - 3290
     - 3354
     - 3366
+    - 3367
   sle-16.0:
     GITHUB_PATCHES:
     - 3290
     - 3354
     - 3366
+    - 3367
   sle-15-SP7:
     GITHUB_PATCHES:
     - 3199

@@ -0,0 +1,94 @@
+From 0fa4c10ee454ec478b7029f7a0d4dce81e88e4ec Mon Sep 17 00:00:00 2001
+From: Ricardo Branco <[email protected]>
+Date: Sat, 18 Oct 2025 21:04:04 +0200
+Subject: [PATCH] tests/integration: Make the tests runnable on SELinux enabled
+ daemon
+
+Signed-off-by: Ricardo Branco <[email protected]>
+---
+ tests/integration/api_container_test.py     | 21 ++++++++++++++++-----
+ tests/integration/models_containers_test.py |  4 ++--
+ 2 files changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/tests/integration/api_container_test.py b/tests/integration/api_container_test.py
+index 21c2f35797..e780a3f3d4 100644
+--- a/tests/integration/api_container_test.py
++++ b/tests/integration/api_container_test.py
+@@ -570,7 +570,10 @@ def test_create_with_mounts(self):
+         mount = docker.types.Mount(
+             type="bind", source=self.mount_origin, target=self.mount_dest
+         )
+-        host_config = self.client.create_host_config(mounts=[mount])
++        host_config = self.client.create_host_config(
++            mounts=[mount],
++            security_opt=["label=disable"],
++        )
+         container = self.run_container(
+             TEST_IMG, ['ls', self.mount_dest],
+             host_config=host_config
+@@ -587,7 +590,10 @@ def test_create_with_mounts_ro(self):
+             type="bind", source=self.mount_origin, target=self.mount_dest,
+             read_only=True
+         )
+-        host_config = self.client.create_host_config(mounts=[mount])
++        host_config = self.client.create_host_config(
++            mounts=[mount],
++            security_opt=["label=disable"],
++        )
+         container = self.run_container(
+             TEST_IMG, ['ls', self.mount_dest],
+             host_config=host_config
+@@ -604,7 +610,10 @@ def test_create_with_volume_mount(self):
+             type="volume", source=helpers.random_name(),
+             target=self.mount_dest, labels={'com.dockerpy.test': 'true'}
+         )
+-        host_config = self.client.create_host_config(mounts=[mount])
++        host_config = self.client.create_host_config(
++            mounts=[mount],
++            security_opt=["label=disable"],
++        )
+         container = self.client.create_container(
+             TEST_IMG, ['true'], host_config=host_config,
+         )
+@@ -693,7 +702,8 @@ def run_with_volume(self, ro, *args, **kwargs):
+                         'ro': ro,
+                     },
+                 },
+-                network_mode='none'
++                network_mode='none',
++                security_opt=["label=disable"],
+             ),
+             **kwargs
+         )
+@@ -710,7 +720,8 @@ def run_with_volume_propagation(self, ro, propagation, *args, **kwargs):
+                         'propagation': propagation
+                     },
+                 },
+-                network_mode='none'
++                network_mode='none',
++                security_opt=["label=disable"],
+             ),
+             **kwargs
+         )
+diff --git a/tests/integration/models_containers_test.py b/tests/integration/models_containers_test.py
+index 8727455932..0dc5a43828 100644
+--- a/tests/integration/models_containers_test.py
++++ b/tests/integration/models_containers_test.py
+@@ -48,7 +48,7 @@ def test_run_with_volume(self):
+
+         container = client.containers.run(
+             "alpine", "sh -c 'echo \"hello\" > /insidecontainer/test'",
+-            volumes=[f"{path}:/insidecontainer"],
++            volumes=[f"{path}:/insidecontainer:z"],
+             detach=True
+         )
+         self.tmp_containers.append(container.id)
+@@ -57,7 +57,7 @@ def test_run_with_volume(self):
+         name = "container_volume_test"
+         out = client.containers.run(
+             "alpine", "cat /insidecontainer/test",
+-            volumes=[f"{path}:/insidecontainer"],
++            volumes=[f"{path}:/insidecontainer:z"],
+             name=name
+         )
+         self.tmp_containers.append(name)
@@ -68,8 +68,10 @@ sub run_command {
 }
 
 sub configure_docker {
-    my $docker_opts = "-H unix:///var/run/docker.sock --insecure-registry localhost:5000";
+    my $docker_opts = "-H unix:///var/run/docker.sock --insecure-registry localhost:5000 --log-level warn";
     $docker_opts .= " --experimental" if get_var("DOCKER_EXPERIMENTAL");
+    # SELinux is not enabled by default due to https://bugzilla.opensuse.org/show_bug.cgi?id=1252290
+    $docker_opts .= " --selinux-enabled" if get_var("DOCKER_SELINUX");
     my $port = 2375;
     if (get_var("DOCKER_TLS")) {
         $port++;
@@ -98,14 +100,15 @@ sub configure_docker {
         run_command "cp /etc/docker/ca.pem /etc/pki/trust/anchors/";
         run_command "update-ca-certificates";
     }
-    $docker_opts .= " -H 0.0.0.0:$port";
+    $docker_opts .= " -H tcp://0.0.0.0:$port";
     run_command "mv /etc/sysconfig/docker{,.bak}";
     run_command "mv /etc/docker/daemon.json{,.bak}";
     run_command qq(echo 'DOCKER_OPTS="$docker_opts"' > /etc/sysconfig/docker);
     run_command "systemctl restart docker";
     run_command "export DOCKER_HOST=tcp://localhost:$port";
     run_command "export DOCKER_TLS_VERIFY=1" if get_var("DOCKER_TLS");
-    record_info "docker info", script_output("docker info");
+    record_info "docker version", script_output("docker version -f json | jq -Mr");
+    record_info "docker info", script_output("docker info -f json | jq -Mr");
 }
 
 sub cleanup_docker {

@@ -20,6 +20,7 @@ The tests rely on some variables:
 | variable | description |
 | --- | --- |
 | `DOCKER_EXPERIMENTAL` | Enable experimental features in Docker |
+| `DOCKER_SELINUX` | Enable SELinux in Docker daemon |
 | `DOCKER_TLS` | Enable TLS in Docker as documented [here](https://docs.docker.com/engine/security/protect-access/) |
 | `GITHUB_PATCHES` | List of github PR id's containing upstream test patches |
 | `OCI_RUNTIME` | OCI runtime to use: `runc` or `crun` |