本文介绍了有没有办法用pytest沙箱测试执行,尤其是文件系统访问?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧! 问题描述 我有兴趣在类似docker的沙箱中使用pytest执行可能不受信任的测试,类似于持续集成服务所做的工作。I'm interested in executing potentially untrusted tests with pytest in some kind of sandbox, like docker, similarly to what continuous integration services do.我知道正确地将您需要操作系统级别隔离的python进程沙箱化,就像在一次性chroot /容器中运行测试一样,但是在我的用例中,我不需要针对故意的恶意代码进行保护,而不必担心配对随机功能的危险行为与参数。因此,不太严格的沙箱可能仍然可以接受。但是我没有找到能启用任何形式沙箱的插件。I understand that to properly sandbox a python process you need OS-level isolation, like running the tests in a disposable chroot/container, but in my use case I don't need to protect against intentionally malicious code, only from dangerous behaviour of pairing "randomly" functions with arguments. So lesser strict sandboxing may still be acceptable. But I didn't find any plugin that enables any form of sandboxing.在pytest中执行沙箱测试的最佳方法是什么?What is the best way to sandbox tests execution in pytest? 更新:此问题与,而我无法更改使用 exec 的执行方式 ast 或其他。不幸的是,根据 PyPy功能页,使用pypy-sandbox也不是一种选择, a>。Update: This question is not about python sandboxing in general as the tests' code is run by pytest and I can't change the way it is executed to use exec or ast or whatever. Also using pypy-sandbox is not an option unfortunately as it is "a prototype only" as per the PyPy feature page. 更新2 :pytest-dev邮件列表建议通过pytest-xdist使用专用测试用户进行用户级隔离:Update 2: Hoger Krekel on the pytest-dev mailing list suggests using a dedicated testuser via pytest-xdist for user-level isolation:py.test --tx ssh=OTHERUSER@localhost --dist=each 帮了我意识到对于类似CI的用例:which made me realise that for my CI-like use case:所以testuser + xdist接近解决方案,但还不完全解决。So the testuser+xdist is close to a solution, but not quite there.仅出于上下文考虑,我需要隔离才能运行 pytest-nodev 。Just for context I need isolation to run pytest-nodev.推荐答案经过大量研究,我没有找到任何现成的方法让pytest在操作系统级别的隔离中和可抛弃的环境中运行项目测试。许多方法都是可行的,并且各有利弊,但是大多数方法都有更多让我感到满意的活动部分。After quite a bit of research I didn't find any ready-made way for pytest to run a project tests with OS-level isolation and in a disposable environment. Many approaches are possible and have advantages and disadvantages, but most of them have more moving parts that I would feel comfortable with.我设计的绝对最小(但自以为是)的方法如下:The absolute minimal (but opinionated) approach I devised is the following: 使用以下命令构建python docker镜像: 专用的非root用户: pytest requirements.txt 以开发模式安装的项目 要实现该方法,请将以下 Dockerfile 添加到要测试的项目的顶部文件夹中, requirements.txt 和 setup.py 文件:To implement the approach add the following Dockerfile to the top folder of the project you want to test next to the requirements.txt and setup.py files:FROM python:3# setup pytest userRUN adduser --disabled-password --gecos "" --uid 7357 pytestCOPY ./ /home/pytestWORKDIR /home/pytest# setup the python and pytest environmentsRUN pip install --upgrade pip setuptools pytestRUN pip install --upgrade -r requirements.txtRUN python setup.py develop# setup entry pointUSER pytestENTRYPOINT ["py.test"]使用以下方式构建图像一次:Build the image once with:docker build -t pytest .在容器中运行py.test,将项目文件夹作为卷安装在/ home / pytest上,使用:Run py.test inside the container mounting the project folder as volume on /home/pytest with:docker run --rm -it -v `pwd`:/home/pytest pytest [USUAL_PYTEST_OPTIONS]请注意, -v 将卷安装为uid 1000,因此主机文件是pytest用户无法使用uid强制将其写入7357。Note that -v mounts the volume as uid 1000 so host files are not writable by the pytest user with uid forced to 7357.现在,您应该可以使用操作系统级隔离来开发和测试项目了。Now you should be able to develop and test your project with OS-level isolation. 更新::如果您还在主机上运行测试,则可能需要删除容器内不可写的python和pytest缓存。在主机上运行:Update: If you also run the test on the host you may need to remove the python and pytest caches that are not writable inside the container. On the host run:rm -rf .cache/ && find . -name __pycache__ | xargs rm -rf 这篇关于有没有办法用pytest沙箱测试执行,尤其是文件系统访问?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!
10-19 06:50