| author | Ed Santiago <santiago@redhat.com> | 2022-08-17 11:50:41 -0600 |
|---|---|---|
| committer | Ed Santiago <santiago@redhat.com> | 2022-08-18 09:43:55 -0600 |
| commit | 09ef6fc66cac44dec94c29cd7a1a53f70831446d | |
| tree | 6a682164e4a8da0a5a6e0cdd72b9246a0d27f2d3 /libpod/container_graph.go | |
| parent | 1f0c3d52628e7c5b22ee500194155bdd20ad271f | |
podman generate kube - add actual tests
This exposed a nasty bug in our system-test setup: Ubuntu (runc)
was writing a scratch containers.conf file, and setting CONTAINERS_CONF
to point to it. This was well-intentionedly introduced in #10199 as
part of our long sad history of not testing runc. What I did not
understand at that time is that CONTAINERS_CONF is **dangerous**:
it does not mean "I will read standard containers.conf and then
override", it means "I will **IGNORE** standard containers.conf
and use only the settings in this file"! So on Ubuntu we were
losing all the default settings: capabilities, sysctls, all.
Yes, this is documented in containers.conf(5) but it is such
a huge violation of POLA that I need to repeat it.

In #14972, as yet another attempt to fix our runc crisis, I
introduced a new runc-override mechanism: create a custom
/etc/containers/containers.conf when OCI_RUNTIME=runc.
Unlike the CONTAINERS_CONF envariable, the /etc file
actually means what you think it means: "read the default
file first, then override with the /etc file contents".
I.e., we get the desired defaults. But I didn't remember
this helpers.bash workaround, so our runc testing has
actually been flawed: we have not been testing with
the system containers.conf. This commit removes the
no-longer-needed and never-actually-wanted workaround,
and by virtue of testing the cap-drops in kube generate,
we add a regression test to make sure this never happens
again.

It's a little scary that we haven't been testing capabilities.

Also scary: this PR requires python, for converting yaml to json.
I think that should be safe: python3 'import yaml' and 'json'
works fine on a RHEL8.7 VM from 1minutetip.

Signed-off-by: Ed Santiago <santiago@redhat.com>
Diffstat (limited to 'libpod/container_graph.go')
0 files changed, 0 insertions, 0 deletions