Merge pull request #10199 from edsantiago/system_tests_with_runc_override

System tests: honor $OCI_RUNTIME (for CI)

6 files changed, 58 insertions, 21 deletions

diff --git a/test/system/005-info.bats b/test/system/005-info.bats
index ed341dd17..83d79221a 100644
--- a/test/system/005-info.bats
+++ b/test/system/005-info.bats
@@ -67,8 +67,7 @@ store.imageStore.number   | 1
 
         # RHEL or CentOS 8.
         # FIXME: what does 'CentOS 8' even mean? What is $VERSION_ID in CentOS?
-        run_podman info --format '{{.Host.OCIRuntime.Name}}'
-        is "$output" "runc" "$osname only supports OCI Runtime = runc"
+        is "$(podman_runtime)" "runc" "$osname only supports OCI Runtime = runc"
     else
         skip "only applicable on RHEL, this is $osname"
     fi
diff --git a/test/system/160-volumes.bats b/test/system/160-volumes.bats
index 98992f973..9a852db89 100644
--- a/test/system/160-volumes.bats
+++ b/test/system/160-volumes.bats
@@ -123,8 +123,7 @@ EOF
     # ARGH. Unfortunately, runc (used for cgroups v1) produces a different error
     local expect_rc=126
     local expect_msg='.* OCI permission denied.*'
-    run_podman info --format '{{ .Host.OCIRuntime.Path }}'
-    if expr "$output" : ".*/runc"; then
+    if [[ $(podman_runtime) = "runc" ]]; then
         expect_rc=1
         expect_msg='.* exec user process caused.*permission denied'
     fi
diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats
index 2dc5b078f..eb6c4e259 100644
--- a/test/system/170-run-userns.bats
+++ b/test/system/170-run-userns.bats
@@ -6,22 +6,31 @@
 
 load helpers
 
+function _require_crun() {
+    runtime=$(podman_runtime)
+    if [[ $runtime != "crun" ]]; then
+        skip "runtime is $runtime; keep-groups requires crun"
+    fi
+}
+
 @test "podman --group-add keep-groups while in a userns" {
-    skip_if_rootless "choot is not allowed in rootless mode"
+    skip_if_rootless "chroot is not allowed in rootless mode"
     skip_if_remote "--group-add keep-groups not supported in remote mode"
+    _require_crun
     run chroot --groups 1234 / ${PODMAN} run --uidmap 0:200000:5000 --group-add keep-groups $IMAGE id
     is "$output" ".*65534(nobody)" "Check group leaked into user namespace"
 }
 
 @test "podman --group-add keep-groups while not in a userns" {
-    skip_if_rootless "choot is not allowed in rootless mode"
+    skip_if_rootless "chroot is not allowed in rootless mode"
     skip_if_remote "--group-add keep-groups not supported in remote mode"
+    _require_crun
     run chroot --groups 1234,5678 / ${PODMAN} run --group-add keep-groups $IMAGE id
     is "$output" ".*1234" "Check group leaked into container"
 }
 
 @test "podman --group-add without keep-groups while in a userns" {
-    skip_if_rootless "choot is not allowed in rootless mode"
+    skip_if_rootless "chroot is not allowed in rootless mode"
     skip_if_remote "--group-add keep-groups not supported in remote mode"
     run chroot --groups 1234,5678 / ${PODMAN} run --uidmap 0:200000:5000 --group-add 457 $IMAGE id
     is "$output" ".*457" "Check group leaked into container"
diff --git a/test/system/260-sdnotify.bats b/test/system/260-sdnotify.bats
index 8bf49eb1d..acb30de47 100644
--- a/test/system/260-sdnotify.bats
+++ b/test/system/260-sdnotify.bats
@@ -17,9 +17,9 @@ function setup() {
 
     # sdnotify fails with runc 1.0.0-3-dev2 on Ubuntu. Let's just
     # assume that we work only with crun, nothing else.
-    run_podman info --format '{{ .Host.OCIRuntime.Name }}'
-    if [[ "$output" != "crun" ]]; then
-        skip "this test only works with crun, not '$output'"
+    runtime=$(podman_runtime)
+    if [[ "$runtime" != "crun" ]]; then
+        skip "this test only works with crun, not $runtime"
     fi
 
     basic_setup
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index 8a690fb48..95233c1e6 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -51,18 +51,13 @@ function check_label() {
 }
 
 @test "podman selinux: pid=host" {
-    # FIXME FIXME FIXME: Remove these lines once all VMs have >= 2.146.0
-    # (this is ugly, but better than an unconditional skip)
-    skip_if_no_selinux
+    # FIXME this test fails when run rootless with runc:
+    #   Error: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: readonly path /proc/asound: operation not permitted: OCI permission denied
     if is_rootless; then
-        if [ -x /usr/bin/rpm ]; then
-            cs_version=$(rpm -q --qf '%{version}' container-selinux)
-        else
-            # SELinux not enabled on Ubuntu, so we should never get here
-            die "WHOA! SELinux enabled, but no /usr/bin/rpm!"
-        fi
+        runtime=$(podman_runtime)
+        test "$runtime" == "crun" \
+            || skip "runtime is $runtime; this test requires crun"
     fi
-    # FIXME FIXME FIXME: delete up to here, leaving just check_label
 
     check_label "--pid=host" "spc_t"
 }
@@ -185,10 +180,18 @@ function check_label() {
 @test "podman with nonexistent labels" {
     skip_if_no_selinux
 
+    # runc and crun emit different diagnostics
+    runtime=$(podman_runtime)
+    case "$runtime" in
+        crun) expect="\`/proc/thread-self/attr/exec\`: OCI runtime error: unable to assign security attribute" ;;
+        runc) expect="OCI runtime error: .*: failed to set /proc/self/attr/keycreate on procfs" ;;
+        *)    skip "Unknown runtime '$runtime'";;
+    esac
+
     # The '.*' in the error below is for dealing with podman-remote, which
     # includes "error preparing container <sha> for attach" in output.
     run_podman 126 run --security-opt label=type:foo.bar $IMAGE true
-    is "$output" "Error.*: \`/proc/thread-self/attr/exec\`: OCI runtime error: unable to assign security attribute" "useful diagnostic"
+    is "$output" "Error.*: $expect" "podman emits useful diagnostic on failure"
 }
 
 @test "podman selinux: check relabel" {
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index 1de7ddfd9..e0c208f57 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -35,6 +35,23 @@ fi
 # That way individual tests can override with their own setup/teardown,
 # while retaining the ability to include these if they so desire.
 
+# Some CI systems set this to runc, overriding the default crun.
+# Although it would be more elegant to override options in run_podman(),
+# we instead override $PODMAN itself because some tests (170-run-userns)
+# have to invoke $PODMAN directly.
+if [[ -n $OCI_RUNTIME ]]; then
+    if [[ -z $CONTAINERS_CONF ]]; then
+        # FIXME: BATS provides no mechanism for end-of-run cleanup[1]; how
+        # can we avoid leaving this file behind when we finish?
+        #   [1] https://github.com/bats-core/bats-core/issues/39
+        export CONTAINERS_CONF=$(mktemp --tmpdir=${BATS_TMPDIR:-/tmp} podman-bats-XXXXXXX.containers.conf)
+        cat >$CONTAINERS_CONF <<EOF
+[engine]
+runtime="$OCI_RUNTIME"
+EOF
+    fi
+fi
+
 # Setup helper: establish a test environment with exactly the images needed
 function basic_setup() {
     # Clean up all containers
@@ -284,6 +301,16 @@ function is_cgroupsv2() {
     test "$cgroup_type" = "cgroup2fs"
 }
 
+# Returns the OCI runtime *basename* (typically crun or runc). Much as we'd
+# love to cache this result, we probably shouldn't.
+function podman_runtime() {
+    # This function is intended to be used as '$(podman_runtime)', i.e.
+    # our caller wants our output. run_podman() messes with output because
+    # it emits the command invocation to stdout, hence the redirection.
+    run_podman info --format '{{ .Host.OCIRuntime.Name }}' >/dev/null
+    basename "${output:-[null]}"
+}
+
 # rhbz#1895105: rootless journald is unavailable except to users in
 # certain magic groups; which our testuser account does not belong to
 # (intentional: that is the RHEL default, so that's the setup we test).