diff options
| author | Ed Santiago <santiago@redhat.com> | 2020-07-13 09:42:47 -0600 |
|---|---|---|
| committer | Ed Santiago <santiago@redhat.com> | 2020-07-14 14:19:22 -0600 |
| commit | fea3eea68bf483e33bae56d77071d5cb8ded91db (patch) | |
| tree | 3c80909e3199be6b1ad0f39df2e0e7e7f59bde40 /test/system/030-run.bats | |
| parent | 50cd21e1811f4fe508a74dc316c81a047de4e8d9 (diff) | |
| download | podman-fea3eea68bf483e33bae56d77071d5cb8ded91db.tar.gz podman-fea3eea68bf483e33bae56d77071d5cb8ded91db.tar.bz2 podman-fea3eea68bf483e33bae56d77071d5cb8ded91db.zip | |
system tests: new tests for run, exec
- Issue #6735 : problem with multiple namespaces; confirms
combinations of --userns=keep-id, --privileged, --user=XX
- Issue #6829 : --userns=keep-id will add a /etc/passwd entry
- Issue #6593 : podman exec, with --userns=keep-id, errors
(test is currently skipped because issue remains live)
...and, addendum: add new helper function, remove_same_dev_warning.
Some CI systems issue a warning on podman run --privileged:
WARNING: The same type, major and minor should not be used for multiple devices.
We already had special-case code to ignore than in the SELinux
test, but now we're seeing it in the new run tests I added, so
I've refactored the "ignore this warning" code and written
tests for the removal code.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Diffstat (limited to 'test/system/030-run.bats')
| -rw-r--r-- | test/system/030-run.bats | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/test/system/030-run.bats b/test/system/030-run.bats index bc6347012..13fec20ad 100644 --- a/test/system/030-run.bats +++ b/test/system/030-run.bats @@ -242,4 +242,46 @@ echo $rand | 0 | $rand run_podman rmi myi } +# #6735 : complex interactions with multiple user namespaces +# The initial report has to do with bind mounts, but that particular +# symptom only manifests on a fedora container image -- we have no +# reproducer on alpine. Checking directory ownership is good enough. +@test "podman run : user namespace preserved root ownership" { + for priv in "" "--privileged"; do + for user in "--user=0" "--user=100"; do + for keepid in "" "--userns=keep-id"; do + opts="$priv $user $keepid" + + for dir in /etc /usr;do + run_podman run --rm $opts $IMAGE stat -c '%u:%g:%n' $dir + remove_same_dev_warning # grumble + is "$output" "0:0:$dir" "run $opts ($dir)" + done + done + done + done +} + +# #6829 : add username to /etc/passwd inside container if --userns=keep-id +@test "podman run : add username to /etc/passwd if --userns=keep-id" { + # Default: always run as root + run_podman run --rm $IMAGE id -un + is "$output" "root" "id -un on regular container" + + # This would always work on root, but is new behavior on rootless: #6829 + # adds a user entry to /etc/passwd + run_podman run --rm --userns=keep-id $IMAGE id -un + is "$output" "$(id -un)" "username on container with keep-id" + + # --privileged should make no difference + run_podman run --rm --privileged --userns=keep-id $IMAGE id -un + remove_same_dev_warning # grumble + is "$output" "$(id -un)" "username on container with keep-id" + + # ...but explicitly setting --user should override keep-id + run_podman run --rm --privileged --userns=keep-id --user=0 $IMAGE id -un + remove_same_dev_warning # grumble + is "$output" "root" "--user=0 overrides keep-id" +} + # vim: filetype=sh |