authorbaude <bbaude@redhat.com>2018-02-14 12:51:06 -0600
committerAtomic Bot <atomic-devel@projectatomic.io>2018-02-15 00:20:47 +0000
commitbe9ed1cfacc19d1ad3c09e10481da445615b8b8e (patch)
tree1c0c01daf5b43c6139e37408be601475c1dcea41 /test/e2e/run_privileged_test.go
parentd051dc38d81920c94c37b20ceba0d33b35299bca (diff)
Privileged containers should inherit host devices
When running a privileged container, it should inherit the same devices the host has. Signed-off-by: baude <bbaude@redhat.com> Closes: #330 Approved by: mheon
Diffstat (limited to 'test/e2e/run_privileged_test.go')
-rw-r--r--test/e2e/run_privileged_test.go89
1 files changed, 89 insertions, 0 deletions
diff --git a/test/e2e/run_privileged_test.go b/test/e2e/run_privileged_test.go
new file mode 100644
index 000000000..b53be15f0
--- /dev/null
+++ b/test/e2e/run_privileged_test.go
@@ -0,0 +1,89 @@
+package integration
+
+import (
+ "os"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+ "strings"
+)
+
+var _ = Describe("Podman privileged container tests", func() {
+ var (
+ tempdir string
+ err error
+ podmanTest PodmanTest
+ )
+
+ BeforeEach(func() {
+ tempdir, err = CreateTempDirInTempDir()
+ if err != nil {
+ os.Exit(1)
+ }
+ podmanTest = PodmanCreate(tempdir)
+ podmanTest.RestoreAllArtifacts()
+ })
+
+ AfterEach(func() {
+ podmanTest.Cleanup()
+
+ })
+
+ It("podman privileged make sure sys is mounted rw", func() {
+ session := podmanTest.Podman([]string{"run", "--privileged", "busybox", "mount"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ ok, lines := session.GrepString("sysfs")
+ Expect(ok).To(BeTrue())
+ Expect(lines[0]).To(ContainSubstring("sysfs (rw,"))
+ })
+
+ It("podman privileged CapEff", func() {
+ cap := podmanTest.SystemExec("grep", []string{"CapEff", "/proc/self/status"})
+ cap.WaitWithDefaultTimeout()
+ Expect(cap.ExitCode()).To(Equal(0))
+
+ session := podmanTest.Podman([]string{"run", "--privileged", "busybox", "grep", "CapEff", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(Equal(cap.OutputToString()))
+ })
+
+ It("podman cap-add CapEff", func() {
+ cap := podmanTest.SystemExec("grep", []string{"CapEff", "/proc/self/status"})
+ cap.WaitWithDefaultTimeout()
+ Expect(cap.ExitCode()).To(Equal(0))
+
+ session := podmanTest.Podman([]string{"run", "--cap-add", "all", "busybox", "grep", "CapEff", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(Equal(cap.OutputToString()))
+ })
+
+ It("podman cap-drop CapEff", func() {
+ cap := podmanTest.SystemExec("grep", []string{"CapAmb", "/proc/self/status"})
+ cap.WaitWithDefaultTimeout()
+ Expect(cap.ExitCode()).To(Equal(0))
+ session := podmanTest.Podman([]string{"run", "--cap-drop", "all", "busybox", "grep", "CapEff", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ capAmp := strings.Split(cap.OutputToString(), " ")
+ capEff := strings.Split(session.OutputToString(), " ")
+ Expect(capAmp[1]).To(Equal(capEff[1]))
+ })
+
+ It("podman non-privileged should have very few devices", func() {
+ session := podmanTest.Podman([]string{"run", "busybox", "ls", "-l", "/dev"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(len(session.OutputToStringArray())).To(Equal(18))
+ })
+
+ It("podman privileged should inherit host devices", func() {
+ session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "ls", "-l", "/dev"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(len(session.OutputToStringArray())).To(BeNumerically(">", 20))
+ })
+})
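Review bot: In the "podman cap-drop CapEff" case, the expected value for the container's CapEff comes from the host test process's CapAmb line, so the test only proves an empty effective set when the runner's ambient set happens to be zero. That is an assumption about the test environment, not a property of `--cap-drop all`. The `capAmp[1]` and `capEff[1]` indexing also panics instead of failing cleanly if either output has no space-separated second field. Asserting the mask directly avoids both problems, for example `Expect(session.OutputToString()).To(MatchRegexp("^CapEff:\\s+0+$"))`, assuming OutputToString returns the single grep line.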