authorbaude <bbaude@redhat.com>2018-01-31 14:21:47 -0600
committerAtomic Bot <atomic-devel@projectatomic.io>2018-02-06 01:17:54 +0000
commitbf00c976dd7509b7d84d1fa5254f1ac26fc494e5 (patch)
tree168e559fbfcdbc0e0f07cd5cbce03f982677ef58
parent3609b82fe6f5fe268cdbe9f8aba43140c4e81f90 (diff)
sysfs should be mounted rw for privileged
sysfs should be mounted rw for a privileged container. Signed-off-by: baude <bbaude@redhat.com> Closes: #279 Approved by: rhatdan
-rw-r--r--cmd/podman/spec.go14
-rw-r--r--test/e2e/privileged_test.go39
-rw-r--r--test/e2e/rm_test.go2
3 files changed, 53 insertions, 2 deletions
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index d21d8b6da..56e8c8d05 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -156,12 +156,24 @@ func addDevice(g *generate.Generator, device string) error {
// Parses information needed to create a container into an OCI runtime spec
func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
+ cgroupPerm := "ro"
g := generate.New()
+ if config.Privileged {
+ cgroupPerm = "rw"
+ g.RemoveMount("/sys")
+ sysMnt := spec.Mount{
+ Destination: "/sys",
+ Type: "sysfs",
+ Source: "sysfs",
+ Options: []string{"nosuid", "noexec", "nodev", "rw"},
+ }
+ g.AddMount(sysMnt)
+ }
cgroupMnt := spec.Mount{
Destination: "/sys/fs/cgroup",
Type: "cgroup",
Source: "cgroup",
- Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
+ Options: []string{"nosuid", "noexec", "nodev", "relatime", cgroupPerm},
}
g.AddMount(cgroupMnt)
g.SetProcessCwd(config.WorkDir)
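Review bot: The privileged branch widens two mounts, not one — it replaces `/sys` with a writable sysfs and also flips the `/sys/fs/cgroup` mount from `ro` to `rw` via `cgroupPerm` — but neither the commit title nor the code says why the cgroup hierarchy is included, so a later reader may take the cgroup change as accidental. A short comment on the `if config.Privileged` line would pin the intent, e.g. `// Privileged containers get a writable /sys and cgroup hierarchy (matching runc/docker --privileged); nosuid/noexec/nodev are kept so only write access is relaxed.` It is also worth noting in that comment that `g.RemoveMount("/sys")` drops whatever default sysfs entry the generator produced and that the cgroup mount is appended after the new `/sys` entry, so the mount order stays parent-before-child; whether the generator's default spec already carries its own `/sys/fs/cgroup` entry is not visible here and should be confirmed, since this code adds `cgroupMnt` unconditionally without removing one. The body of createConfigToOCISpec continues past the hunk.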
diff --git a/test/e2e/privileged_test.go b/test/e2e/privileged_test.go
new file mode 100644
index 000000000..1da9ed07e
--- /dev/null
+++ b/test/e2e/privileged_test.go
@@ -0,0 +1,39 @@
+package integration
+
+import (
+ "os"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+var _ = Describe("Podman privileged container tests", func() {
+ var (
+ tempdir string
+ err error
+ podmanTest PodmanTest
+ )
+
+ BeforeEach(func() {
+ tempdir, err = CreateTempDirInTempDir()
+ if err != nil {
+ os.Exit(1)
+ }
+ podmanTest = PodmanCreate(tempdir)
+ podmanTest.RestoreAllArtifacts()
+ })
+
+ AfterEach(func() {
+ podmanTest.Cleanup()
+
+ })
+
+ It("podman privileged make sure sys is mounted rw", func() {
+ session := podmanTest.Podman([]string{"run", "--privileged", "busybox", "mount"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ ok, lines := session.GrepString("sysfs")
+ Expect(ok).To(BeTrue())
+ Expect(lines[0]).To(ContainSubstring("sysfs (rw,"))
+ })
+})
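Review bot: The `BeforeEach` block exits the whole test process with `os.Exit(1)` when `CreateTempDirInTempDir` fails, which discards the error and reports no failure through Ginkgo; replacing the three-line `if err != nil { os.Exit(1) }` with `Expect(err).NotTo(HaveOccurred())` keeps the error visible in the test output (and the `os` import then becomes unused and should go). In the `It` block, `lines[0]` is indexed right after `Expect(ok).To(BeTrue())`, which is safe only if `GrepString` guarantees at least one line whenever it returns true — that looks likely but is not visible here. The assertion would also be more specific if it named the mount it is checking, e.g. `Expect(lines[0]).To(ContainSubstring("on /sys type sysfs (rw,"))`, assuming busybox's `mount` prints entries in the `src on dst type fs (opts)` form; otherwise any other sysfs-type mount that happens to sort first would satisfy the check.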
diff --git a/test/e2e/rm_test.go b/test/e2e/rm_test.go
index a59b2ee01..ed0221dfd 100644
--- a/test/e2e/rm_test.go
+++ b/test/e2e/rm_test.go
@@ -45,7 +45,7 @@ var _ = Describe("Podman rm", func() {
result := podmanTest.Podman([]string{"rm", cid})
result.WaitWithDefaultTimeout()
- Expect(result.ExitCode()).To(Not(Equal(0)))
+ Expect(result.ExitCode()).To(Equal(125))
})
It("podman rm created container", func() {