.github/dependabot.yml

@@ -6,3 +6,9 @@ updates:
       interval: "monthly"
     labels:
       - "dependencies"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    labels:
+      - "dependencies"

.github/workflows/ci.yaml

@@ -32,7 +32,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Set up Rust toolchain
         uses: dtolnay/rust-toolchain@stable
       - name: Set up Rust caching
@@ -43,3 +43,6 @@ jobs:
       - name: Run clippy
         run: |
           cargo clippy -- -D warnings
+      - name: Run tests
+        run: |
+          cargo test

.github/workflows/release.yaml

@@ -15,19 +15,25 @@ jobs:
     steps:
       - name: Create release
         id: create-release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
   build:
     name: Build release binaries
     runs-on: ${{ matrix.runner-os }}
     needs: create-release
     strategy:
       matrix:
         include:
-          - runner-os: ubuntu-20.04
+          - runner-os: ubuntu-22.04
             rustc-target: "x86_64-unknown-linux-gnu"
+          - runner-os: ubuntu-22.04
+            rustc-target: "aarch64-unknown-linux-gnu"
+          - runner-os: macos-latest
+            rustc-target: "x86_64-apple-darwin"
+          - runner-os: macos-latest
+            rustc-target: "aarch64-apple-darwin"
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Set up Rust toolchain
         uses: dtolnay/rust-toolchain@stable
         with:
@@ -44,6 +50,6 @@ jobs:
         env:
           suffix: ${{ matrix.rustc-target }}
       - name: Upload tarball
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           files: out/*.tar.gz

CHANGELOG.md

@@ -1,10 +1,27 @@
 # Changelog
 
-## 0.1.1
+## v1.1.0
 
-- Fixes volume removal.
-- Dependency updates.
+- Linux binaries are now built on Ubuntu 22.04 runners (rather than 24.04) for compability with a wider range of glibc versions.
 
-## 0.1.0
+## v1.0.0
+
+- Added integration tests.
+- Updated dependencies.
+
+## v0.1.3
+
+- Updated dependencies.
+
+## v0.1.2
+
+- Updated dependencies.
+
+## v0.1.1
+
+- Fixed volume removal.
+- Updated dependencies.
+
+## v0.1.0
 
 Initial release. Supports removal of matching containers, networks, and volumes based on creation time and Docker filter syntax.

Cargo.toml

@@ -1,23 +1,30 @@
 [package]
-authors = ["Dustin Martin <dustin@dmartin.io>", "picoCTF Team <opensource@picoctf.org>"]
+authors = ["picoCTF Team <opensource@picoctf.org>"]
 description = "Command line tool for removing expired Docker resources"
-edition = "2021"
+edition = "2024"
 license = "MIT OR Apache-2.0"
 name = "docker-reaper"
 repository = "https://github.com/picoCTF/docker-reaper"
-version = "0.1.0"
+version = "1.1.0"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-anyhow = "1.0.72"
-bollard = {version = "0.14.0", features = ["ssl"]}
-chrono = {version = "0.4.26", default-features = false, features = ["std", "clock"]}
-clap = {version = "4.3.19", features = ["derive"]}
-futures = "0.3.28"
+anyhow = "1.0.98"
+bollard = { version = "0.18.1", features = ["ssl"] }
+chrono = { version = "0.4.41", default-features = false, features = [
+    "std",
+    "clock",
+] }
+clap = { version = "4.5.37", features = ["derive"] }
+futures = "0.3.31"
 go-parse-duration = "0.1.1"
-tabled = "0.14.0"
-thiserror = "1.0.44"
-tokio = {version = "1.29.1", features = ["full"]}
-tracing = "0.1.37"
-tracing-subscriber = "0.3.17"
+tabled = "0.19.0"
+thiserror = "2.0.12"
+tokio = { version = "1.44.2", features = ["full"] }
+tracing = "0.1.41"
+tracing-subscriber = "0.3.19"
+
+[dev-dependencies]
+serial_test = { version = "3.2.0" }
+tokio-stream = "0.1.17"

RELEASING.md

@@ -0,0 +1,12 @@
+# Releasing
+
+1. Ensure that [`CHANGELOG.md`](./CHANGELOG.md) is up-to-date with all relevant changes. Additionally, make sure that the version specified in [Cargo.toml](./Cargo.toml) matches the to-be-released version.
+
+1. Create and push a new Git tag for the version with a `v` prefix, e.g.:
+    ```shell
+    git tag vX.Y.Z
+    git push --tags
+    ```
+    This will automatically run the "Publish release" GitHub Actions workflow, which will create a GitHub release, build a release tarball, and attach the tarball to the release.
+
+1. Edit the newly created GitHub release, setting the relevant section of `CHANGELOG.md` as the description.

src/lib.rs

@@ -1,9 +1,9 @@
+#[doc(no_inline)]
+pub use bollard::Docker;
 use bollard::container::{ListContainersOptions, RemoveContainerOptions};
 use bollard::network::ListNetworksOptions;
 use bollard::service::VolumeListResponse;
 use bollard::volume::ListVolumesOptions;
-#[doc(no_inline)]
-pub use bollard::Docker;
 use std::collections::{HashMap, HashSet};
 use std::fmt;
 use std::time::{SystemTime, UNIX_EPOCH};
@@ -51,7 +51,7 @@ pub struct ReapVolumesConfig<'a> {
 }
 
 #[derive(Debug)]
-enum RemovalStatus {
+pub enum RemovalStatus {
     /// Used in dry-run mode to indicate that a resource is eligible for removal.
     Eligible,
     /// Resource was successfully removed.
@@ -108,10 +108,9 @@ impl Filter {
 }
 
 #[derive(Debug, PartialEq, Eq)]
-enum ResourceType {
+pub enum ResourceType {
     Container,
     Network,
-    #[allow(dead_code)]
     Volume,
 }
 
@@ -135,12 +134,17 @@ impl fmt::Display for ResourceType {
 #[tabled(rename_all = "PascalCase")]
 pub struct Resource {
     #[tabled(rename = "Resource Type")]
-    resource_type: ResourceType,
+    pub resource_type: ResourceType,
     #[tabled(skip)]
-    #[allow(dead_code)]
-    id: String,
-    name: String,
-    status: RemovalStatus,
+    pub id: String,
+    pub name: String,
+    pub status: RemovalStatus,
+}
+
+impl PartialEq for Resource {
+    fn eq(&self, other: &Self) -> bool {
+        self.resource_type == other.resource_type && self.id == other.id
+    }
 }
 
 impl Resource {
@@ -265,7 +269,7 @@ pub async fn reap_containers(
             // reason, the returned creation time is missing or negative, skip the container.
             let Some(creation_secs) = container.created else {
                 warn!("Skipped container {}: missing creation timestamp", id);
-                return false
+                return false;
             };
             let creation_secs: u64 = match creation_secs.try_into() {
                 Ok(secs) => secs,
@@ -275,8 +279,11 @@ pub async fn reap_containers(
                 }
             };
             let Some(age) = now.checked_sub(Duration::from_secs(creation_secs)) else {
-                warn!("Skipped container {}: creation timestamp after system time", id);
-                return false
+                warn!(
+                    "Skipped container {}: creation timestamp after system time",
+                    id
+                );
+                return false;
             };
             let within_age_range = age > config.min_age.unwrap_or(Duration::ZERO)
                 && age < config.max_age.unwrap_or(Duration::MAX);
@@ -292,7 +299,7 @@ pub async fn reap_containers(
     for container in eligible_containers {
         let Some(id) = container.id else {
             warn!("Skipped container (unknown ID): missing ID value");
-            continue
+            continue;
         };
         eligible_resources.push(Resource {
             resource_type: ResourceType::Container,
@@ -368,19 +375,25 @@ pub async fn reap_networks(
         eligible_networks.retain(|network| {
             let Some(ref name) = network.name else {
                 warn!("Skipped network (unknown name): missing name value");
-                return false
+                return false;
             };
             let Some(ref creation_timestamp) = network.created else {
                 warn!("Skipped network {}: missing creation timestamp", name);
-                return false
+                return false;
             };
             let Ok(creation_time) = chrono::DateTime::parse_from_rfc3339(creation_timestamp) else {
-                warn!("Skipped network {}: failed to parse creation timestamp as RFC3339", name);
-                return false
+                warn!(
+                    "Skipped network {}: failed to parse creation timestamp as RFC3339",
+                    name
+                );
+                return false;
             };
             let Ok(age) = now.signed_duration_since(creation_time).to_std() else {
-                warn!("Skipped network {}: creation timestamp after system time", name);
-                return false
+                warn!(
+                    "Skipped network {}: creation timestamp after system time",
+                    name
+                );
+                return false;
             };
             let within_age_range = age > config.min_age.unwrap_or(Duration::ZERO)
                 && age < config.max_age.unwrap_or(Duration::MAX);
@@ -394,9 +407,9 @@ pub async fn reap_networks(
         .into_iter()
         .filter_map(|network| {
             let Some(name) = network.name else {
-            warn!("Skipped network (unknown name): missing name value");
-            return None
-        };
+                warn!("Skipped network (unknown name): missing name value");
+                return None;
+            };
             Some(Resource {
                 resource_type: ResourceType::Network,
                 id: name.clone(),
@@ -447,20 +460,29 @@ pub async fn reap_volumes(
         eligible_volumes.retain(|volume| {
             let Some(ref creation_timestamp) = volume.created_at else {
                 warn!("Skipped volume {}: missing creation timestamp", volume.name);
-                return false
+                return false;
             };
             let Ok(creation_time) = chrono::DateTime::parse_from_rfc3339(creation_timestamp) else {
-                warn!("Skipped volume {}: failed to parse creation timestamp as RFC3339", volume.name);
-                return false
+                warn!(
+                    "Skipped volume {}: failed to parse creation timestamp as RFC3339",
+                    volume.name
+                );
+                return false;
             };
             let Ok(age) = now.signed_duration_since(creation_time).to_std() else {
-                warn!("Skipped volume {}: creation timestamp after system time", volume.name);
-                return false
+                warn!(
+                    "Skipped volume {}: creation timestamp after system time",
+                    volume.name
+                );
+                return false;
             };
             let within_age_range = age > config.min_age.unwrap_or(Duration::ZERO)
                 && age < config.max_age.unwrap_or(Duration::MAX);
             if !within_age_range {
-                debug!("Skipped volume {}: age outside of specified range", volume.name);
+                debug!(
+                    "Skipped volume {}: age outside of specified range",
+                    volume.name
+                );
             }
             within_age_range
         })

src/main.rs

@@ -4,10 +4,10 @@ use tracing::{debug, error, info, warn};
 use anyhow::Context;
 use clap::{Args, Parser, Subcommand};
 use docker_reaper::{
-    reap_containers, reap_networks, reap_volumes, Docker, Filter, ReapContainersConfig,
-    ReapNetworksConfig, ReapVolumesConfig,
+    Docker, Filter, ReapContainersConfig, ReapNetworksConfig, ReapVolumesConfig, reap_containers,
+    reap_networks, reap_volumes,
 };
-use tokio::time::{sleep, Duration};
+use tokio::time::{Duration, sleep};
 
 #[derive(Debug, Parser)]
 #[command(
@@ -131,7 +131,9 @@ async fn main() -> Result<(), anyhow::Error> {
             debug!("Environment variable DOCKER_CERT_PATH set. Connecting via TLS");
             Docker::connect_with_ssl_defaults()?
         } else if env::var("DOCKER_HOST").is_ok() {
-            debug!("Environment variable DOCKER_HOST set, but not DOCKER_CERT_PATH. Connecting via HTTP");
+            debug!(
+                "Environment variable DOCKER_HOST set, but not DOCKER_CERT_PATH. Connecting via HTTP"
+            );
             Docker::connect_with_http_defaults()?
         } else {
             debug!("Environment variable DOCKER_HOST not set, connecting to local machine");
@@ -185,15 +187,15 @@ async fn main() -> Result<(), anyhow::Error> {
                 info!("Found {} matching resources", removed_resources.len());
                 if !removed_resources.is_empty() {
                     use tabled::{
-                        settings::{object::Columns, Modify, Style, Width},
                         Table,
+                        settings::{Style, Width, object::Columns},
                     };
                     let mut table = Table::new(removed_resources);
                     info!(
                         "\n{}",
                         table
                             .with(Style::sharp())
-                            .with(Modify::new(Columns::last()).with(Width::wrap(80)))
+                            .modify(Columns::last(), Width::wrap(80))
                             .to_string()
                     );
                 }

tests/common.rs

@@ -0,0 +1,232 @@
+//! Common utility functions for integration tests.
+#![allow(dead_code)]
+
+use bollard::Docker;
+use bollard::container::{Config, NetworkingConfig};
+use bollard::image::CreateImageOptions;
+use bollard::network::CreateNetworkOptions;
+use bollard::secret::{ContainerCreateResponse, EndpointSettings};
+use bollard::volume::CreateVolumeOptions;
+use chrono::Utc;
+use docker_reaper::{
+    Filter, ReapContainersConfig, ReapNetworksConfig, ReapVolumesConfig, reap_containers,
+    reap_networks, reap_volumes,
+};
+use std::collections::HashMap;
+use std::sync::OnceLock;
+use tokio_stream::StreamExt;
+
+/// A label set on all test-created Docker resources.
+pub(crate) const TEST_LABEL: &str = "docker-reaper-test";
+
+/// Obtain a client for the local Docker daemon.
+pub(crate) fn docker_client() -> &'static Docker {
+    static CLIENT: OnceLock<Docker> = OnceLock::new();
+    CLIENT.get_or_init(|| {
+        Docker::connect_with_local_defaults().expect("failed to connect to Docker daemon")
+    })
+}
+
+/// Return type for [run_container] calls.
+/// A network will not be created unless the `with_network` argument was `true`.
+pub(crate) struct RunContainerResult {
+    pub(crate) container_id: String,
+    pub(crate) network_id: Option<String>,
+}
+
+/// Run a container on the local Docker daemon.
+/// The label [TEST_LABEL] will always be set. Additional labels may also be specified.
+pub(crate) async fn run_container(
+    with_network: bool,
+    extra_labels: Option<HashMap<String, String>>,
+) -> RunContainerResult {
+    static TEST_IMAGE: &'static str = "busybox:latest";
+
+    let client = docker_client();
+    let mut labels = HashMap::from([(TEST_LABEL.to_string(), "true".to_string())]);
+    if let Some(ref extra_labels) = extra_labels {
+        labels.extend(extra_labels.clone().into_iter())
+    }
+    let mut network_id = None;
+
+    // Ensure test image is present on host
+    if client.inspect_image(&TEST_IMAGE).await.is_err() {
+        let mut pull_results_stream = client.create_image(
+            Some(CreateImageOptions {
+                from_image: TEST_IMAGE,
+                ..Default::default()
+            }),
+            None,
+            None,
+        );
+        while let Some(result) = pull_results_stream.next().await {
+            result.expect("failed to pull test image");
+        }
+    }
+
+    let ContainerCreateResponse {
+        id: container_id, ..
+    } = client
+        .create_container::<String, String>(
+            None,
+            Config {
+                tty: Some(true),
+                cmd: None,
+                image: Some(TEST_IMAGE.to_string()),
+                labels: Some(labels),
+                networking_config: {
+                    if with_network {
+                        network_id = Some(create_network(extra_labels.clone()).await);
+                        Some(NetworkingConfig {
+                            endpoints_config: HashMap::from([(
+                                "docker-reaper-test-network".to_string(),
+                                EndpointSettings {
+                                    network_id: network_id.clone(),
+                                    ..Default::default()
+                                },
+                            )]),
+                        })
+                    } else {
+                        None
+                    }
+                },
+                ..Default::default()
+            },
+        )
+        .await
+        .expect("failed to create container");
+    client
+        .start_container::<&str>(&container_id, None)
+        .await
+        .expect(&format!("failed to start container {container_id}"));
+    RunContainerResult {
+        container_id,
+        network_id,
+    }
+}
+
+/// Create a network on the local Docker daemon. Returns the name of the created network.
+/// The label [TEST_LABEL] will always be set. Additional labels may also be specified.
+pub(crate) async fn create_network(extra_labels: Option<HashMap<String, String>>) -> String {
+    let client = docker_client();
+    let mut labels = HashMap::from([(TEST_LABEL.to_string(), "true".to_string())]);
+    if let Some(extra_labels) = extra_labels {
+        labels.extend(extra_labels.into_iter())
+    }
+    let name = Utc::now().timestamp_millis().to_string(); // network names must be unique
+    client
+        .create_network(CreateNetworkOptions {
+            name: name.clone(),
+            labels,
+            ..Default::default()
+        })
+        .await
+        .expect("failed to create network");
+    // We use names rather than actual IDs to uniquely identify networks in docker-reaper
+    // because they are more meaningful in the user-facing output. Docker's handling of network
+    // names vs. IDs is strange - they can effectively be used interchangably.
+    name
+}
+
+/// Create a volume on the local Docker daemon. Returns the name of the created volume.
+/// The label [TEST_LABEL] will always be set. Additional labels may also be specified.
+pub(crate) async fn create_volume(extra_labels: Option<HashMap<String, String>>) -> String {
+    let client = docker_client();
+    let mut labels = HashMap::from([(TEST_LABEL.to_string(), "true".to_string())]);
+    if let Some(extra_labels) = extra_labels {
+        labels.extend(extra_labels.into_iter())
+    }
+    let name = Utc::now().timestamp_millis().to_string(); // volume names must be unique
+    client
+        .create_volume(CreateVolumeOptions {
+            name: name.clone(),
+            labels,
+            ..Default::default()
+        })
+        .await
+        .expect("failed to create volume");
+    name
+}
+
+/// Check whether a container with the given ID exists.
+pub(crate) async fn container_exists(id: &str) -> bool {
+    let client = docker_client();
+    match client.inspect_container(id, None).await {
+        Ok(_) => return true,
+        Err(err) => match err {
+            bollard::errors::Error::DockerResponseServerError {
+                status_code: 404, ..
+            } => return false,
+            _ => panic!("unexpected error: {err}"),
+        },
+    }
+}
+
+/// Check whether a network with the given name exists.
+pub(crate) async fn network_exists(name: &str) -> bool {
+    let client = docker_client();
+    match client.inspect_network::<&str>(name, None).await {
+        Ok(_) => return true,
+        Err(err) => match err {
+            bollard::errors::Error::DockerResponseServerError {
+                status_code: 404, ..
+            } => return false,
+            _ => panic!("unexpected error: {err}"),
+        },
+    }
+}
+
+/// Check whether a volume with the given name exists.
+pub(crate) async fn volume_exists(name: &str) -> bool {
+    let client = docker_client();
+    match client.inspect_volume(name).await {
+        Ok(_) => return true,
+        Err(err) => match err {
+            bollard::errors::Error::DockerResponseServerError {
+                status_code: 404, ..
+            } => return false,
+            _ => panic!("unexpected error: {err}"),
+        },
+    }
+}
+
+/// Clean up all remaining test resources.
+pub(crate) async fn cleanup() {
+    let client = docker_client();
+    reap_containers(
+        client,
+        &ReapContainersConfig {
+            dry_run: false,
+            min_age: None,
+            max_age: None,
+            filters: &vec![Filter::new("label", TEST_LABEL)],
+            reap_networks: true,
+        },
+    )
+    .await
+    .expect("failed to clean up containers");
+
+    reap_networks(
+        client,
+        &ReapNetworksConfig {
+            dry_run: false,
+            min_age: None,
+            max_age: None,
+            filters: &vec![Filter::new("label", TEST_LABEL)],
+        },
+    )
+    .await
+    .expect("failed to clean up networks");
+
+    reap_volumes(
+        client,
+        &ReapVolumesConfig {
+            dry_run: false,
+            min_age: None,
+            max_age: None,
+            filters: &vec![Filter::new("label", TEST_LABEL)],
+        },
+    )
+    .await
+    .expect("failed to clean up volumes");
+}

tests/containers.rs

@@ -0,0 +1,185 @@
+//! Container reaping tests.
+//!
+//! These are run serially because all test-related resources are cleaned up after each test.
+
+mod common;
+
+use std::collections::HashMap;
+
+use common::{
+    RunContainerResult, TEST_LABEL, cleanup, container_exists, docker_client, network_exists,
+    run_container,
+};
+use docker_reaper::{
+    Filter, ReapContainersConfig, RemovalStatus, Resource, ResourceType, reap_containers,
+};
+use serial_test::serial;
+use tokio::time::{Duration, sleep};
+
+/// Test that only containers older than the `min_age` threshold are reaped.
+#[tokio::test]
+#[serial]
+async fn min_age() {
+    let RunContainerResult {
+        container_id: ref old_container_id,
+        ..
+    } = run_container(false, None).await;
+    sleep(Duration::from_secs(2)).await;
+    let RunContainerResult {
+        container_id: ref new_container_id,
+        ..
+    } = run_container(false, None).await;
+    reap_containers(
+        docker_client(),
+        &ReapContainersConfig {
+            dry_run: false,
+            min_age: Some(Duration::from_secs(2)),
+            max_age: None,
+            filters: &vec![Filter::new("label", TEST_LABEL)],
+            reap_networks: false,
+        },
+    )
+    .await
+    .expect("failed to reap containers");
+    assert_eq!(container_exists(old_container_id).await, false);
+    assert_eq!(container_exists(new_container_id).await, true);
+    cleanup().await;
+}
+
+/// Test that only containers younger than the `max_age` threshold are reaped.
+#[tokio::test]
+#[serial]
+async fn max_age() {
+    let RunContainerResult {
+        container_id: ref old_container_id,
+        ..
+    } = run_container(false, None).await;
+    sleep(Duration::from_secs(2)).await;
+    let RunContainerResult {
+        container_id: ref new_container_id,
+        ..
+    } = run_container(false, None).await;
+    reap_containers(
+        docker_client(),
+        &ReapContainersConfig {
+            dry_run: false,
+            min_age: None,
+            max_age: Some(Duration::from_secs(2)),
+            filters: &vec![Filter::new("label", TEST_LABEL)],
+            reap_networks: false,
+        },
+    )
+    .await
+    .expect("failed to reap containers");
+    assert_eq!(container_exists(old_container_id).await, true);
+    assert_eq!(container_exists(new_container_id).await, false);
+    cleanup().await;
+}
+
+/// Test that only containers matching the specified filters are reaped.
+#[tokio::test]
+#[serial]
+async fn filters() {
+    let RunContainerResult {
+        container_id: ref purple_container_id,
+        ..
+    } = run_container(
+        false,
+        Some(HashMap::from([("color".to_string(), "purple".to_string())])),
+    )
+    .await;
+    let RunContainerResult {
+        container_id: ref orange_container_id,
+        ..
+    } = run_container(
+        false,
+        Some(HashMap::from([("color".to_string(), "orange".to_string())])),
+    )
+    .await;
+    reap_containers(
+        docker_client(),
+        &ReapContainersConfig {
+            dry_run: false,
+            min_age: None,
+            max_age: None,
+            filters: &vec![
+                Filter::new("label", TEST_LABEL),
+                Filter::new("label", "color=orange"),
+            ],
+            reap_networks: false,
+        },
+    )
+    .await
+    .expect("failed to reap containers");
+    assert_eq!(container_exists(purple_container_id).await, true);
+    assert_eq!(container_exists(orange_container_id).await, false);
+    cleanup().await;
+}
+
+/// Test that container-associated networks are also removed if `reap_networks` is set.
+#[tokio::test]
+#[serial]
+async fn reap_networks() {
+    let RunContainerResult {
+        container_id,
+        network_id,
+    } = run_container(true, None).await;
+    reap_containers(
+        docker_client(),
+        &ReapContainersConfig {
+            dry_run: false,
+            min_age: None,
+            max_age: None,
+            filters: &vec![Filter::new("label", TEST_LABEL)],
+            reap_networks: true,
+        },
+    )
+    .await
+    .expect("failed to reap containers");
+    assert_eq!(
+        network_exists(&network_id.expect("network ID not present")).await,
+        false
+    );
+    assert_eq!(container_exists(&container_id).await, false);
+    cleanup().await;
+}
+
+/// Test that resources are identified but not removed if `dry_run` is set.
+#[tokio::test]
+#[serial]
+async fn dry_run() {
+    let RunContainerResult {
+        container_id,
+        network_id,
+    } = run_container(true, None).await;
+    let result = reap_containers(
+        docker_client(),
+        &ReapContainersConfig {
+            dry_run: true,
+            min_age: None,
+            max_age: None,
+            filters: &vec![Filter::new("label", TEST_LABEL)],
+            reap_networks: true,
+        },
+    )
+    .await
+    .expect("failed to reap containers");
+    assert!(result.contains(&Resource {
+        resource_type: ResourceType::Container,
+        id: container_id.clone(),
+        name: String::new(),
+        status: RemovalStatus::Eligible,
+    }));
+    assert!(result.contains(&Resource {
+        resource_type: ResourceType::Network,
+        id: network_id.clone().expect("network ID not present"),
+        name: String::new(),
+        status: RemovalStatus::Eligible,
+    }));
+    assert_eq!(
+        network_exists(&network_id.expect("network ID not present")).await,
+        true
+    );
+    assert_eq!(container_exists(&container_id).await, true);
+    cleanup().await;
+}

tests/networks.rs

@@ -0,0 +1,119 @@
+//! Network reaping tests.
+//!
+//! These are run serially because all test-related resources are cleaned up after each test.
+
+mod common;
+
+use std::collections::HashMap;
+
+use common::{TEST_LABEL, cleanup, create_network, docker_client, network_exists};
+use docker_reaper::{
+    Filter, ReapNetworksConfig, RemovalStatus, Resource, ResourceType, reap_networks,
+};
+use serial_test::serial;
+use tokio::time::{Duration, sleep};
+
+/// Test that only networks older than the `min_age` threshold are reaped.
+#[tokio::test]
+#[serial]
+async fn min_age() {
+    let old_network_id = create_network(None).await;
+    sleep(Duration::from_secs(2)).await;
+    let new_network_id = create_network(None).await;
+    reap_networks(
+        docker_client(),
+        &ReapNetworksConfig {
+            dry_run: false,
+            min_age: Some(Duration::from_secs(2)),
+            max_age: None,
+            filters: &vec![Filter::new("label", TEST_LABEL)],
+        },
+    )
+    .await
+    .expect("failed to reap networks");
+    assert_eq!(network_exists(&old_network_id).await, false);
+    assert_eq!(network_exists(&new_network_id).await, true);
+    cleanup().await;
+}
+
+/// Test that only networks younger than the `max_age` threshold are reaped.
+#[tokio::test]
+#[serial]
+async fn max_age() {
+    let old_network_id = create_network(None).await;
+    sleep(Duration::from_secs(2)).await;
+    let new_network_id = create_network(None).await;
+    reap_networks(
+        docker_client(),
+        &ReapNetworksConfig {
+            dry_run: false,
+            min_age: None,
+            max_age: Some(Duration::from_secs(2)),
+            filters: &vec![Filter::new("label", TEST_LABEL)],
+        },
+    )
+    .await
+    .expect("failed to reap networks");
+    assert_eq!(network_exists(&old_network_id).await, true);
+    assert_eq!(network_exists(&new_network_id).await, false);
+    cleanup().await;
+}
+
+/// Test that only networks matching the specified filters are reaped.
+#[tokio::test]
+#[serial]
+async fn filters() {
+    let purple_network_id = create_network(Some(HashMap::from([(
+        "color".to_string(),
+        "purple".to_string(),
+    )])))
+    .await;
+    let orange_network_id = create_network(Some(HashMap::from([(
+        "color".to_string(),
+        "orange".to_string(),
+    )])))
+    .await;
+    reap_networks(
+        docker_client(),
+        &ReapNetworksConfig {
+            dry_run: false,
+            min_age: None,
+            max_age: None,
+            filters: &vec![
+                Filter::new("label", TEST_LABEL),
+                Filter::new("label", "color=orange"),
+            ],
+        },
+    )
+    .await
+    .expect("failed to reap networks");
+    assert_eq!(network_exists(&purple_network_id).await, true);
+    assert_eq!(network_exists(&orange_network_id).await, false);
+    cleanup().await;
+}
+
+/// Test that resources are identified but not removed if `dry_run` is set.
+#[tokio::test]
+#[serial]
+async fn dry_run() {
+    let network_id = create_network(None).await;
+    let result = reap_networks(
+        docker_client(),
+        &ReapNetworksConfig {
+            dry_run: true,
+            min_age: None,
+            max_age: None,
+            filters: &vec![Filter::new("label", TEST_LABEL)],
+        },
+    )
+    .await
+    .expect("failed to reap networks");
+    assert!(result.contains(&Resource {
+        resource_type: ResourceType::Network,
+        id: network_id.clone(),
+        name: String::new(),
+        status: RemovalStatus::Eligible
+    }));
+    assert_eq!(network_exists(&network_id).await, true);
+    cleanup().await;
+}

tests/volumes.rs

@@ -0,0 +1,119 @@
+//! Volume reaping tests.
+//!
+//! These are run serially because all test-related resources are cleaned up after each test.
+
+mod common;
+
+use std::collections::HashMap;
+
+use common::{TEST_LABEL, cleanup, create_volume, docker_client, volume_exists};
+use docker_reaper::{
+    Filter, ReapVolumesConfig, RemovalStatus, Resource, ResourceType, reap_volumes,
+};
+use serial_test::serial;
+use tokio::time::{Duration, sleep};
+
+/// Test that only volumes older than the `min_age` threshold are reaped.
+#[tokio::test]
+#[serial]
+async fn min_age() {
+    let old_volume_id = create_volume(None).await;
+    sleep(Duration::from_secs(2)).await;
+    let new_volume_id = create_volume(None).await;
+    reap_volumes(
+        docker_client(),
+        &ReapVolumesConfig {
+            dry_run: false,
+            min_age: Some(Duration::from_secs(2)),
+            max_age: None,
+            filters: &vec![Filter::new("label", TEST_LABEL)],
+        },
+    )
+    .await
+    .expect("failed to reap volumes");
+    assert_eq!(volume_exists(&old_volume_id).await, false);
+    assert_eq!(volume_exists(&new_volume_id).await, true);
+    cleanup().await;
+}
+
+/// Test that only volumes younger than the `max_age` threshold are reaped.
+#[tokio::test]
+#[serial]
+async fn max_age() {
+    let old_volume_id = create_volume(None).await;
+    sleep(Duration::from_secs(2)).await;
+    let new_volume_id = create_volume(None).await;
+    reap_volumes(
+        docker_client(),
+        &ReapVolumesConfig {
+            dry_run: false,
+            min_age: None,
+            max_age: Some(Duration::from_secs(2)),
+            filters: &vec![Filter::new("label", TEST_LABEL)],
+        },
+    )
+    .await
+    .expect("failed to reap volumes");
+    assert_eq!(volume_exists(&old_volume_id).await, true);
+    assert_eq!(volume_exists(&new_volume_id).await, false);
+    cleanup().await;
+}
+
+/// Test that only volumes matching the specified filters are reaped.
+#[tokio::test]
+#[serial]
+async fn filters() {
+    let purple_volume_id = create_volume(Some(HashMap::from([(
+        "color".to_string(),
+        "purple".to_string(),
+    )])))
+    .await;
+    let orange_volume_id = create_volume(Some(HashMap::from([(
+        "color".to_string(),
+        "orange".to_string(),
+    )])))
+    .await;
+    reap_volumes(
+        docker_client(),
+        &ReapVolumesConfig {
+            dry_run: false,
+            min_age: None,
+            max_age: None,
+            filters: &vec![
+                Filter::new("label", TEST_LABEL),
+                Filter::new("label", "color=orange"),
+            ],
+        },
+    )
+    .await
+    .expect("failed to reap volumes");
+    assert_eq!(volume_exists(&purple_volume_id).await, true);
+    assert_eq!(volume_exists(&orange_volume_id).await, false);
+    cleanup().await;
+}
+
+/// Test that resources are identified but not removed if `dry_run` is set.
+#[tokio::test]
+#[serial]
+async fn dry_run() {
+    let volume_id = create_volume(None).await;
+    let result = reap_volumes(
+        docker_client(),
+        &ReapVolumesConfig {
+            dry_run: true,
+            min_age: None,
+            max_age: None,
+            filters: &vec![Filter::new("label", TEST_LABEL)],
+        },
+    )
+    .await
+    .expect("failed to reap volumes");
+    assert!(result.contains(&Resource {
+        resource_type: ResourceType::Volume,
+        id: volume_id.clone(),
+        name: String::new(),
+        status: RemovalStatus::Eligible
+    }));
+    assert_eq!(volume_exists(&volume_id).await, true);
+    cleanup().await;
+}