path: root/libpod/container_graph.go
author: Ed Santiago <santiago@redhat.com> 2022-08-17 11:50:41 -0600
committer: Ed Santiago <santiago@redhat.com> 2022-08-18 09:43:55 -0600
commit: 09ef6fc66cac44dec94c29cd7a1a53f70831446d (patch)
tree: 6a682164e4a8da0a5a6e0cdd72b9246a0d27f2d3 /libpod/container_graph.go
parent: 1f0c3d52628e7c5b22ee500194155bdd20ad271f (diff)
download: podman-09ef6fc66cac44dec94c29cd7a1a53f70831446d.tar.gz, podman-09ef6fc66cac44dec94c29cd7a1a53f70831446d.tar.bz2, podman-09ef6fc66cac44dec94c29cd7a1a53f70831446d.zip
podman generate kube - add actual tests
This exposed a nasty bug in our system-test setup: Ubuntu (runc) was writing a scratch containers.conf file, and setting CONTAINERS_CONF to point to it. This was well-intentionedly introduced in #10199 as part of our long sad history of not testing runc.

What I did not understand at that time is that CONTAINERS_CONF is **dangerous**: it does not mean "I will read standard containers.conf and then override", it means "I will **IGNORE** standard containers.conf and use only the settings in this file"! So on Ubuntu we were losing all the default settings: capabilities, sysctls, all.

Yes, this is documented in containers.conf(5) but it is such a huge violation of POLA that I need to repeat it.

In #14972, as yet another attempt to fix our runc crisis, I introduced a new runc-override mechanism: create a custom /etc/containers/containers.conf when OCI_RUNTIME=runc. Unlike the CONTAINERS_CONF envariable, the /etc file actually means what you think it means: "read the default file first, then override with the /etc file contents". I.e., we get the desired defaults. But I didn't remember this helpers.bash workaround, so our runc testing has actually been flawed: we have not been testing with the system containers.conf.

This commit removes the no-longer-needed and never-actually-wanted workaround, and by virtue of testing the cap-drops in kube generate, we add a regression test to make sure this never happens again.

It's a little scary that we haven't been testing capabilities.

Also scary: this PR requires python, for converting yaml to json. I think that should be safe: python3 'import yaml' and 'json' works fine on a RHEL8.7 VM from 1minutetip.

Signed-off-by: Ed Santiago <santiago@redhat.com>
Diffstat (limited to 'libpod/container_graph.go')
0 files changed, 0 insertions, 0 deletions