authorbaude <bbaude@redhat.com>2018-02-15 08:17:35 -0600
committerAtomic Bot <atomic-devel@projectatomic.io>2018-02-16 18:35:54 +0000
commit586bb86a2ac58056b0d0d23274fb98ec599b0908 (patch)
tree831019f054727e219c2bd11a083b0b10a90cd974
parentbc1d25bb19c1664b5669c13d6ff2811571284d27 (diff)
Run podman inside a podman container
We should be able to run nested podman containers, in particular for our testing environment, i.e. eat our own dog food. Some privileges had to be corrected in order for this to work correctly. Added a third papr target that runs the podman tests inside podman. I marked the test as not required for now, until we become more confident in the results. Signed-off-by: baude <bbaude@redhat.com> Closes: #340 Approved by: rhatdan
-rw-r--r--.papr.yml23
-rw-r--r--.papr_prepare.sh5
-rw-r--r--Makefile2
-rw-r--r--cmd/podman/spec.go19
-rw-r--r--test/e2e/libpod_suite_test.go20
-rw-r--r--test/e2e/run_privileged_test.go7
6 files changed, 57 insertions, 19 deletions
diff --git a/.papr.yml b/.papr.yml
index e803a4357..88bee2924 100644
--- a/.papr.yml
+++ b/.papr.yml
@@ -15,6 +15,7 @@ timeout: 45m
tests:
- sh .papr_prepare.sh
+context: "FAH27"
---
inherit: true
@@ -31,4 +32,24 @@ extra-repos:
baseurl: https://cbs.centos.org/repos/virt7-container-common-candidate/$basearch/os
gpgcheck: 0
-context: centos/7/atomic/smoketested
+context: "CAH smoketested"
+
+---
+
+inherit: true
+host:
+ distro: fedora/27/cloud
+ specs:
+ ram: 8192
+ cpus: 4
+extra-repos:
+ - name: crio_copr
+ baseurl: https://copr-be.cloud.fedoraproject.org/results/baude/Upstream_CRIO_Family/fedora-27-x86_64/
+ gpgcheck: 0
+packages:
+ - podman
+ - buildah
+tests:
+ - CONTAINER_RUNTIME="podman" sh .papr_prepare.sh
+required: false
+context: "Fedora fedora/27/cloud Podman"
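Review bot: The new `crio_copr` repo is added with `gpgcheck: 0`, so the podman and buildah packages it supplies are installed on the CI host with no signature verification, and a hijacked or tampered repo would run unsigned code in every test run. This mirrors the existing virt7 entry above, but COPR signs its builds, so `gpgcheck: 1` plus a `gpgkey:` entry should be feasible if papr's extra-repos schema accepts one; if it does not, a comment on the entry stating that packages from it are unverified would at least keep the trade-off visible. `required: false` already keeps a failure of this target from blocking merges, as the description says.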
diff --git a/.papr_prepare.sh b/.papr_prepare.sh
index b30abfc66..6fa8eb84d 100644
--- a/.papr_prepare.sh
+++ b/.papr_prepare.sh
@@ -2,6 +2,7 @@
set -xeuo pipefail
DIST=${DIST:=Fedora}
+CONTAINER_RUNTIME=${CONTAINER_RUNTIME:=docker}
IMAGE=fedorapodmanbuild
PYTHON=python3
if [[ ${DIST} != "Fedora" ]]; then
@@ -10,7 +11,7 @@ if [[ ${DIST} != "Fedora" ]]; then
fi
# Build the test image
-docker build -t ${IMAGE} -f Dockerfile.${DIST} .
+${CONTAINER_RUNTIME} build -t ${IMAGE} -f Dockerfile.${DIST} .
# Run the tests
-docker run --rm --privileged -v $PWD:/go/src/github.com/projectatomic/libpod --workdir /go/src/github.com/projectatomic/libpod -e PYTHON=$PYTHON -e STORAGE_OPTIONS="--storage-driver=vfs" -e CRIO_ROOT="/go/src/github.com/projectatomic/libpod" -e PODMAN_BINARY="/usr/bin/podman" -e CONMON_BINARY="/usr/libexec/crio/conmon" -e DIST=$DIST $IMAGE sh .papr.sh
+${CONTAINER_RUNTIME} run --rm --privileged --net=host -v $PWD:/go/src/github.com/projectatomic/libpod --workdir /go/src/github.com/projectatomic/libpod -e PYTHON=$PYTHON -e STORAGE_OPTIONS="--storage-driver=vfs" -e CRIO_ROOT="/go/src/github.com/projectatomic/libpod" -e PODMAN_BINARY="/usr/bin/podman" -e CONMON_BINARY="/usr/libexec/crio/conmon" -e DIST=$DIST $IMAGE sh .papr.sh
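Review bot: `--net=host` is added to the already `--privileged` test container on the last line without a comment saying why; together the two flags mean the suite runs with full privileges in the host's own network namespace, so whatever it does is effectively done on the CI host itself. Add a line above the run such as `# --net=host: needed for podman-in-podman (CONTAINER_RUNTIME=podman); the container is already privileged, so it has host-level access either way` — the reason is inferred from the commit title, so confirm it. The same reasoning applies to the `docker` default, which was already privileged before this change.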
diff --git a/Makefile b/Makefile
index a1f495aad..a4ff16978 100644
--- a/Makefile
+++ b/Makefile
@@ -120,7 +120,7 @@ ginkgo:
ginkgo -v test/e2e/
localintegration: test-binaries
- ginkgo -v -cover -flakeAttempts 3 -progress -trace test/e2e/.
+ ginkgo -v -cover -flakeAttempts 3 -progress -trace -noColor test/e2e/.
vagrant-check:
BOX=$(BOX) sh ./vagrant.sh
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index c5ed2c0d4..e78118b2f 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -124,13 +124,9 @@ func addRlimits(config *createConfig, g *generate.Generator) error {
func setupCapabilities(config *createConfig, configSpec *spec.Spec) error {
var err error
var caplist []string
- if config.Privileged {
- caplist = caps.GetAllCapabilities()
- } else {
- caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop)
- if err != nil {
- return err
- }
+ caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop)
+ if err != nil {
+ return err
}
configSpec.Process.Capabilities.Bounding = caplist
@@ -163,6 +159,7 @@ func addDevice(g *generate.Generator, device string) error {
func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
cgroupPerm := "ro"
g := generate.New()
+ g.HostSpecific = true
if config.Privileged {
cgroupPerm = "rw"
g.RemoveMount("/sys")
@@ -319,8 +316,12 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
// HANDLE CAPABILITIES
// NOTE: Must happen before SECCOMP
- if err := setupCapabilities(config, configSpec); err != nil {
- return nil, err
+ if !config.Privileged {
+ if err := setupCapabilities(config, configSpec); err != nil {
+ return nil, err
+ }
+ } else {
+ g.SetupPrivileged(true)
}
// HANDLE SECCOMP
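Review bot: The privileged branch at `g.SetupPrivileged(true)` has no comment saying that `config.CapAdd`/`config.CapDrop` are never consulted for a privileged container (setupCapabilities is the only place that reads them, and it is now skipped), nor that the branch depends on `g.HostSpecific = true` from the earlier hunk — as I read runtime-tools, HostSpecific is what limits the granted set to capabilities the running kernel supports, which is presumably what makes this work inside a container. I would add `// Privileged: grant every capability the host kernel knows (see g.HostSpecific above); --cap-add/--cap-drop are ignored here.` above the `else`, and a matching one-line comment at the `g.HostSpecific = true` assignment. SetupPrivileged in runtime-tools also resets the seccomp, SELinux and AppArmor fields of the spec, I believe, so the "Must happen before SECCOMP" note above still holds but for a different reason than before; worth confirming against the vendored version. createConfigToOCISpec continues outside the hunk.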
diff --git a/test/e2e/libpod_suite_test.go b/test/e2e/libpod_suite_test.go
index afe91134e..c479a6cef 100644
--- a/test/e2e/libpod_suite_test.go
+++ b/test/e2e/libpod_suite_test.go
@@ -460,3 +460,23 @@ func (p *PodmanTest) BuildImage(dockerfile, imageName string) {
session.Wait(120)
Expect(session.ExitCode()).To(Equal(0))
}
+
+//GetHostDistribution returns the dist in string format. If the
+//distribution cannot be determined, an empty string will be returned.
+func (p *PodmanTest) GetHostDistribution() string {
+ content, err := ioutil.ReadFile("/etc/os-release")
+ if err != nil {
+ return ""
+ }
+ for _, line := range content {
+ if strings.HasPrefix(fmt.Sprintf("%s", line), "ID") {
+ fields := strings.Split(fmt.Sprintf("%s", line), "=")
+ if len(fields) < 2 {
+ return ""
+ }
+ return strings.Trim(fields[1], "\"")
+
+ }
+ }
+ return ""
+}
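Review bot: `for _, line := range content` iterates the bytes of the `[]byte` returned by ioutil.ReadFile, so `line` is a single uint8 and `fmt.Sprintf("%s", line)` yields `%!s(uint8=…)`; the `ID` prefix can never match and GetHostDistribution always returns "". Split the content into lines first, and match `ID=` rather than `ID` so an `ID_LIKE=` line appearing earlier in the file does not win; with that prefix check the `len(fields) < 2` branch is no longer needed. The doc comment should also read `// GetHostDistribution ...` with a space after the slashes, matching Go comment style.
```go
	// … unchanged: ReadFile("/etc/os-release") and its error check …
	for _, line := range strings.Split(string(content), "\n") {
		// Match only the ID= key; ID_LIKE= and similar also start with "ID".
		if strings.HasPrefix(line, "ID=") {
			return strings.Trim(strings.TrimPrefix(line, "ID="), "\"")
		}
	}
	return ""
```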
diff --git a/test/e2e/run_privileged_test.go b/test/e2e/run_privileged_test.go
index b53be15f0..430698ba1 100644
--- a/test/e2e/run_privileged_test.go
+++ b/test/e2e/run_privileged_test.go
@@ -61,16 +61,11 @@ var _ = Describe("Podman privileged container tests", func() {
})
It("podman cap-drop CapEff", func() {
- cap := podmanTest.SystemExec("grep", []string{"CapAmb", "/proc/self/status"})
- cap.WaitWithDefaultTimeout()
- Expect(cap.ExitCode()).To(Equal(0))
session := podmanTest.Podman([]string{"run", "--cap-drop", "all", "busybox", "grep", "CapEff", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
-
- capAmp := strings.Split(cap.OutputToString(), " ")
capEff := strings.Split(session.OutputToString(), " ")
- Expect(capAmp[1]).To(Equal(capEff[1]))
+ Expect("0000000000000000").To(Equal(capEff[1]))
})
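Review bot: `Expect("0000000000000000").To(Equal(capEff[1]))` has the expected and actual values swapped, so a failure reports the literal as what was observed; write `Expect(capEff[1]).To(Equal("0000000000000000"))`. `capEff[1]` is also indexed without checking the length, so unexpected grep output panics the test instead of failing it with a message — `Expect(capEff).To(HaveLen(2))` before the comparison covers that. The Describe block this belongs to starts and ends outside the hunk.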
It("podman non-privileged should have very few devices", func() {