summaryrefslogtreecommitdiff
path: root/test/e2e
diff options
context:
space:
mode:
authorJakub Guzik <jakubmguzik@gmail.com>2021-02-28 13:14:11 +0100
committerJakub Guzik <jakubmguzik@gmail.com>2021-02-28 15:59:43 +0100
commitd9cb135b6423da5cb16bca82e9c2b5d322dec8a9 (patch)
tree2d7c5e7acd9e4706431ffeeb8a77db883cde0b2b /test/e2e
parent397aae32b9ae219eda190cde65b18e4361427932 (diff)
downloadpodman-d9cb135b6423da5cb16bca82e9c2b5d322dec8a9.tar.gz
podman-d9cb135b6423da5cb16bca82e9c2b5d322dec8a9.tar.bz2
podman-d9cb135b6423da5cb16bca82e9c2b5d322dec8a9.zip
Enable cgroupsv2 rw mount via security-opt unmask
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
Diffstat (limited to 'test/e2e')
-rw-r--r--test/e2e/run_test.go36
1 files changed, 36 insertions, 0 deletions
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index f0ba9d1d9..490d05699 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -304,6 +304,42 @@ var _ = Describe("Podman run", func() {
})
+ It("podman run security-opt unmask on /sys/fs/cgroup", func() {
+
+ SkipIfCgroupV1("podman umask on /sys/fs/cgroup will fail with cgroups V1")
+ SkipIfRootless("/sys/fs/cgroup rw access is needed")
+ rwOnCGroups := "/sys/fs/cgroup cgroup2 rw"
+ session := podmanTest.Podman([]string{"run", "--security-opt", "unmask=ALL", "--security-opt", "mask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups))
+
+ session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups))
+
+ session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup///", ALPINE, "cat", "/proc/mounts"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups))
+
+ session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=ALL", ALPINE, "cat", "/proc/mounts"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups))
+
+ session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup", "--security-opt", "mask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups))
+
+ session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup", ALPINE, "ls", "/sys/fs/cgroup"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).ToNot(BeEmpty())
+ })
+
It("podman run seccomp test", func() {
session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
session.WaitWithDefaultTimeout()