author | Ed Santiago <santiago@redhat.com> | 2021-01-25 13:27:15 -0700 |
---|---|---|
committer | Ed Santiago <santiago@redhat.com> | 2021-01-25 13:34:26 -0700 |
commit | 33179c281e83ebd397e0aca046a3655580aee8f7 (patch) | |
tree | e726e866048f5ca502e3812c02b9c646363140a1 | |
parent | 23b879d72f9e2cf2b2d3924399605e0edebaa977 (diff) | |
System tests: cover gaps from the last month
- stop: test --all and --ignore (#9051)
- build: test /run/secrets (#8679, but see below)
- sensitive mount points: deal with 'stat' failures
- selinux: confirm useful diagnostics on unknown labels (#8946)
The 'build' test is intended as a fix for #8679, in which
'podman build' does not mount secrets from mounts.conf.
Unfortunately, as of this writing, 'podman build' does
not pass the --default-mounts-file option to buildah,
so there's no reasonable way to test this path. Still,
we can at least confirm /run/secrets on 'podman run'.
The /sys thing is related to #8949: RHEL8, rootless, cgroups v1.
It's just a workaround to get gating tests to pass on RHEL.
Signed-off-by: Ed Santiago <santiago@redhat.com>
-rw-r--r-- | test/system/050-stop.bats | 43 | ||||
-rw-r--r-- | test/system/070-build.bats | 33 | ||||
-rw-r--r-- | test/system/400-unprivileged-access.bats | 11 | ||||
-rw-r--r-- | test/system/410-selinux.bats | 11 |
4 files changed, 95 insertions, 3 deletions
diff --git a/test/system/050-stop.bats b/test/system/050-stop.bats
index 548fd56ee..7d9f1fcb3 100644
--- a/test/system/050-stop.bats
+++ b/test/system/050-stop.bats
@@ -30,6 +30,49 @@ load helpers
 run_podman rm $cid
 }
+# #9051 : podman stop --all was not working with podman-remote
+@test "podman stop --all" {
+ # Start three containers, create (without running) a fourth
+ run_podman run -d --name c1 $IMAGE sleep 20
+ run_podman run -d --name c2 $IMAGE sleep 40
+ run_podman run -d --name c3 $IMAGE sleep 60
+ run_podman create --name c4 $IMAGE sleep 80
+
+ # podman ps (without -a) should show the three running containers
+ run_podman ps --sort names --format '{{.Names}}--{{.Status}}'
+ is "${#lines[*]}" "3" "podman ps shows exactly three containers"
+ is "${lines[0]}" "c1--Up.*" "podman ps shows running container (1)"
+ is "${lines[1]}" "c2--Up.*" "podman ps shows running container (2)"
+ is "${lines[2]}" "c3--Up.*" "podman ps shows running container (3)"
+
+ # Stop -a
+ run_podman stop -a -t 1
+
+ # Now podman ps (without -a) should show nothing.
+ run_podman ps --format '{{.Names}}'
+ is "$output" "" "podman ps, after stop -a, shows no running containers"
+
+ # ...but with -a, containers are shown
+ run_podman ps -a --sort names --format '{{.Names}}--{{.Status}}'
+ is "${#lines[*]}" "4" "podman ps -a shows exactly four containers"
+ is "${lines[0]}" "c1--Exited.*" "ps -a, first stopped container"
+ is "${lines[1]}" "c2--Exited.*" "ps -a, second stopped container"
+ is "${lines[2]}" "c3--Exited.*" "ps -a, third stopped container"
+ is "${lines[3]}" "c4--Created.*" "ps -a, created container (unaffected)"
+}
+
+# #9051 : podman stop --ignore was not working with podman-remote
+@test "podman stop --ignore" {
+ name=thiscontainerdoesnotexist
+ run_podman 125 stop $name
+ is "$output" \
+ "Error: no container with name or ID $name found: no such container" \
+ "podman stop nonexistent container"
+
+ run_podman stop --ignore $name
+ is "$output" "" "podman stop nonexistent container, with --ignore"
+}
+
 # Test fallback
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index 0e83a184b..9e5e3ee1d 100644
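Review bot: The new "podman stop --all" test ends right after its last `is` assertion and never removes c1–c4, whereas the test just above it in the same hunk's context cleans up with `run_podman rm $cid`; unless the suite's teardown already prunes leftover containers, the next test that counts `podman ps -a` output (as this one does with `"${#lines[*]}" "4"`) would see stale entries. Add `run_podman rm -a` before the closing brace of that test, which also covers c4, the container that was only created and never started. The "podman stop --ignore" test creates nothing and needs no cleanup. The same exact-count assertions also assume no other test leaked containers, which is worth a one-line comment at the top of the test.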
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
@@ -126,6 +126,23 @@ EOF
 label_name=l$(random_string 8)
 label_value=$(random_string 12)
+ # #8679: Create a secrets directory, and mount it in the container
+ # (can only test locally; podman-remote has no --default-mounts-file opt)
+ MOUNTS_CONF=
+ secret_contents="ceci nest pas un secret"
+ CAT_SECRET="echo $secret_contents"
+ if ! is_remote; then
+ mkdir $tmpdir/secrets
+ echo $tmpdir/secrets:/run/secrets > $tmpdir/mounts.conf
+
+ secret_filename=secretfile-$(random_string 20)
+ secret_contents=shhh-$(random_string 30)-shhh
+ echo $secret_contents >$tmpdir/secrets/$secret_filename
+
+ MOUNTS_CONF=--default-mounts-file=$tmpdir/mounts.conf
+ CAT_SECRET="cat /run/secrets/$secret_filename"
+ fi
+
 # Command to run on container startup with no args
 cat >$tmpdir/mycmd <<EOF
 #!/bin/sh
@@ -133,6 +150,7 @@ PATH=/usr/bin:/bin
 pwd
 echo "\$1"
 printenv | grep MYENV | sort | sed -e 's/^MYENV.=//'
+$CAT_SECRET
 EOF
 # For overriding with --env-file; using multiple files confirms that
@@ -169,14 +187,22 @@ ENV ftp_proxy ftp-proxy-in-image
 ADD mycmd /bin/mydefaultcmd
 RUN chmod 755 /bin/mydefaultcmd
 RUN chown 2:3 /bin/mydefaultcmd
+
+#FIXME FIXME FIXME: enable if/when 'podman build' passes mounts.conf to buildah
+#RUN $CAT_SECRET
+
 CMD ["/bin/mydefaultcmd","$s_echo"]
 EOF
 # cd to the dir, so we test relative paths (important for podman-remote)
 cd $PODMAN_TMPDIR
- run_podman build -t build_test -f build-test/Containerfile build-test
+ run_podman ${MOUNTS_CONF} build \
+ -t build_test -f build-test/Containerfile build-test
 local iid="${lines[-1]}"
+ # Make sure 'podman build' had the secret mounted
+ #FIXME FIXME: enable if/when 'podman build' passes mounts.conf to buildah
+ #is "$output" ".*$secret_contents.*" "podman build has /run/secrets mounted"
 if is_remote; then
 ENVHOST=""
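Review bot: In the remote branch of the first hunk, `CAT_SECRET="echo $secret_contents"` bakes the expected string into the container's startup script, so the later `is "${lines[6]}" "$secret_contents"` assertion (in the @@ -207 hunk) is tautological under podman-remote: it verifies that `echo` works, not that anything was mounted at /run/secrets. That is presumably intended as a placeholder, but a reader of the assertion alone cannot tell; a comment next to `MOUNTS_CONF=` such as `# remote: no mount is possible, so the later /run/secrets check only sees this echo placeholder` would make the coverage gap explicit. Note also that `secret_contents` is reassigned inside `if ! is_remote` after `CAT_SECRET` was already derived from its first value; the order happens to be correct because `CAT_SECRET` is overwritten in the same branch, but a short comment saying so would prevent a future reorder from silently breaking the check. The enclosing @test begins before this hunk and ends after the last one.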
@@ -187,7 +213,7 @@ EOF
 # Run without args - should run the above script. Verify its output.
 export MYENV2="$s_env2"
 export MYENV3="env-file-should-override-env-host!"
- run_podman run --rm \
+ run_podman ${MOUNTS_CONF} run --rm \
 --env-file=$PODMAN_TMPDIR/env-file1 \
 --env-file=$PODMAN_TMPDIR/env-file2 \
 ${ENVHOST} \
@@ -207,6 +233,9 @@ EOF
 is "${lines[4]}" "$s_env3" "container default command: env3 (from envfile)"
 is "${lines[5]}" "$s_env4" "container default command: env4 (from cmdline)"
+ is "${lines[6]}" "$secret_contents" \
+ "Contents of /run/secrets/$secret_filename in container"
+
 # Proxies - environment should override container, but not env-file
 http_proxy=http-proxy-from-env ftp_proxy=ftp-proxy-from-env \
 run_podman run --rm \
diff --git a/test/system/400-unprivileged-access.bats b/test/system/400-unprivileged-access.bats
index 6a89247e6..f26c97d1e 100644
--- a/test/system/400-unprivileged-access.bats
+++ b/test/system/400-unprivileged-access.bats
@@ -132,7 +132,11 @@ EOF
 # Run 'stat' on all the files, plus /dev/null. Get path, file type,
 # number of links, major, and minor (see below for why). Do it all
 # in one go, to avoid multiple podman-runs
- run_podman run --rm $IMAGE stat -c'%n:%F:%h:%T:%t' /dev/null ${subset[@]}
+ run_podman '?' run --rm $IMAGE stat -c'%n:%F:%h:%T:%t' /dev/null ${subset[@]}
+ if [[ $status -gt 1 ]]; then
+ die "Unexpected exit status $status: expected 0 or 1"
+ fi
+
 local devnull=
 for result in "${lines[@]}"; do
 # e.g. /proc/acpi:character special file:1:3:1
@@ -161,6 +165,11 @@ EOF
 # If you can think of a better way to do this check,
 # please feel free to fix it.
 is "$nlinks" "2" "$path: directory link count"
+ elif [[ $result =~ stat:.*No.such.file.or.directory ]]; then
+ # No matter what the path is, this is OK. It has to do with #8949
+ # and RHEL8 and rootless and cgroups v1. Bottom line, what we care
+ # about is that the path not be available inside the container.
+ :
 else
 die "$path: Unknown file type '$type'"
 fi
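Review bot: The new `elif [[ $result =~ stat:.*No.such.file.or.directory ]]` branch in the last hunk of 400-unprivileged-access.bats accepts a missing path with a bare `:`, so a sensitive path that is tolerated this way leaves no trace in the test log; since the point of this file is that these paths are unreachable from an unprivileged container, that is acceptable, but the tolerance should be visible. Replace the `:` with a diagnostic on the bats reporting fd, `echo "# tolerated missing path in container: $result" >&3`, so an unexpected spread of the #8949 workaround to other paths is noticeable. Note also that the `$status -gt 1` gate in the first hunk lets any single stat failure through, and it is only this regex that narrows it to "No such file or directory"; a stat line reporting a different error (permission denied, for example) would fall to the existing `die "$path: Unknown file type '$type'"`, whose `$path` and `$type` were parsed from an error message rather than a stat record, which makes that failure hard to read — including `$result` in that die message would help. The for-loop body this branch belongs to starts outside the hunk.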
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index 1e44fe06c..7482d3e55 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -171,4 +171,15 @@ function check_label() {
 run_podman pod rm myselinuxpod
 }
+# #8946 - better diagnostics for nonexistent attributes
+@test "podman with nonexistent labels" {
+ skip_if_no_selinux
+
+ # The '.*' in the error below is for dealing with podman-remote, which
+ # includes "error preparing container <sha> for attach" in output.
+ run_podman 126 run --security-opt label=type:foo.bar $IMAGE true
+ is "$output" "Error.*: \`/proc/thread-self/attr/exec\`: OCI runtime error: unable to assign security attribute" "useful diagnostic"
+}
+
+
 # vim: filetype=sh |
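Review bot: The expected string in the `is "$output" ...` line pins the exact wording and the `/proc/thread-self/attr/exec` path emitted by one OCI runtime, so if this suite is also run with a different runtime the test would fail on message wording rather than on the diagnostic regression that #8946 is about. If that is a real configuration, match only the part the test cares about, `is "$output" ".*unable to assign security attribute.*" "useful diagnostic"`, or document in the comment above the run that the assertion is specific to the runtime used in gating. The existing comment already explains the leading `.*`; extending it with one sentence on the trailing part would be enough. Separately, the hunk adds two blank lines before the `# vim: filetype=sh` modeline where the surrounding file uses one; dropping the second `+` line keeps the file consistent.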