authorEd Santiago <santiago@redhat.com>2021-01-25 13:27:15 -0700
committerEd Santiago <santiago@redhat.com>2021-01-25 13:34:26 -0700
commit33179c281e83ebd397e0aca046a3655580aee8f7 (patch)
treee726e866048f5ca502e3812c02b9c646363140a1 /test/system/070-build.bats
parent23b879d72f9e2cf2b2d3924399605e0edebaa977 (diff)
System tests: cover gaps from the last month
- stop: test --all and --ignore (#9051) - build: test /run/secrets (#8679, but see below) - sensitive mount points: deal with 'stat' failures - selinux: confirm useful diagnostics on unknown labels (#8946) The 'build' test is intended as a fix for #8679, in which 'podman build' does not mount secrets from mounts.conf. Unfortunately, as of this writing, 'podman build' does not pass the --default-mounts-file option to buildah, so there's no reasonable way to test this path. Still, we can at least confirm /run/secrets on 'podman run'. The /sys thing is related to #8949: RHEL8, rootless, cgroups v1. It's just a workaround to get gating tests to pass on RHEL. Signed-off-by: Ed Santiago <santiago@redhat.com>
Diffstat (limited to 'test/system/070-build.bats')
-rw-r--r--test/system/070-build.bats33
1 files changed, 31 insertions, 2 deletions
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index 0e83a184b..9e5e3ee1d 100644
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
@@ -126,6 +126,23 @@ EOF
label_name=l$(random_string 8)
label_value=$(random_string 12)
+ # #8679: Create a secrets directory, and mount it in the container
+ # (can only test locally; podman-remote has no --default-mounts-file opt)
+ MOUNTS_CONF=
+ secret_contents="ceci nest pas un secret"
+ CAT_SECRET="echo $secret_contents"
+ if ! is_remote; then
+ mkdir $tmpdir/secrets
+ echo $tmpdir/secrets:/run/secrets > $tmpdir/mounts.conf
+
+ secret_filename=secretfile-$(random_string 20)
+ secret_contents=shhh-$(random_string 30)-shhh
+ echo $secret_contents >$tmpdir/secrets/$secret_filename
+
+ MOUNTS_CONF=--default-mounts-file=$tmpdir/mounts.conf
+ CAT_SECRET="cat /run/secrets/$secret_filename"
+ fi
+
# Command to run on container startup with no args
cat >$tmpdir/mycmd <<EOF
#!/bin/sh
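Review bot: The defaults `secret_contents="ceci nest pas un secret"` and `CAT_SECRET="echo $secret_contents"` need a comment, because nothing here says they exist so that the generated `mycmd` script still prints a seventh output line when `is_remote` skips the mounts.conf setup. `$CAT_SECRET` is pasted into the unquoted `<<EOF` heredoc as raw shell text (next hunk), so its value must stay free of quotes and metacharacters; that is presumably why the phrase has no apostrophe, and it also relies on `random_string` returning shell-safe characters, which is not visible here. I would add `# Remote: no mounts.conf; echo a fixed string so the output line count matches. Pasted unquoted into mycmd, keep it shell-safe.` above `MOUNTS_CONF=`. The `$tmpdir` expansions in `mkdir` and in both `echo` redirections are also unquoted. The enclosing test starts and ends outside the hunk.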
@@ -133,6 +150,7 @@ PATH=/usr/bin:/bin
pwd
echo "\$1"
printenv | grep MYENV | sort | sed -e 's/^MYENV.=//'
+$CAT_SECRET
EOF
# For overriding with --env-file; using multiple files confirms that
@@ -169,14 +187,22 @@ ENV ftp_proxy ftp-proxy-in-image
ADD mycmd /bin/mydefaultcmd
RUN chmod 755 /bin/mydefaultcmd
RUN chown 2:3 /bin/mydefaultcmd
+
+#FIXME FIXME FIXME: enable if/when 'podman build' passes mounts.conf to buildah
+#RUN $CAT_SECRET
+
CMD ["/bin/mydefaultcmd","$s_echo"]
EOF
# cd to the dir, so we test relative paths (important for podman-remote)
cd $PODMAN_TMPDIR
- run_podman build -t build_test -f build-test/Containerfile build-test
+ run_podman ${MOUNTS_CONF} build \
+ -t build_test -f build-test/Containerfile build-test
local iid="${lines[-1]}"
+ # Make sure 'podman build' had the secret mounted
+ #FIXME FIXME: enable if/when 'podman build' passes mounts.conf to buildah
+ #is "$output" ".*$secret_contents.*" "podman build has /run/secrets mounted"
if is_remote; then
ENVHOST=""
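Review bot: `${MOUNTS_CONF}` is expanded unquoted in `run_podman ${MOUNTS_CONF} build` (and again in the `run --rm` call in the next hunk) so that the empty remote value disappears, but that also leaves the option open to word-splitting and globbing if `$tmpdir` ever contains whitespace or pattern characters. An array keeps the "vanishes when empty" behaviour without the splitting: `local -a mounts_opt=()`, then `mounts_opt=(--default-mounts-file="$tmpdir/mounts.conf")` in the local branch and `run_podman "${mounts_opt[@]}" build \` here. The two FIXME comments would be easier to track with the issue number in them, e.g. `# FIXME(#8679): enable once 'podman build' passes mounts.conf to buildah`. The `if is_remote` block at the end of the hunk continues outside it.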
@@ -187,7 +213,7 @@ EOF
# Run without args - should run the above script. Verify its output.
export MYENV2="$s_env2"
export MYENV3="env-file-should-override-env-host!"
- run_podman run --rm \
+ run_podman ${MOUNTS_CONF} run --rm \
--env-file=$PODMAN_TMPDIR/env-file1 \
--env-file=$PODMAN_TMPDIR/env-file2 \
${ENVHOST} \
@@ -207,6 +233,9 @@ EOF
is "${lines[4]}" "$s_env3" "container default command: env3 (from envfile)"
is "${lines[5]}" "$s_env4" "container default command: env4 (from cmdline)"
+ is "${lines[6]}" "$secret_contents" \
+ "Contents of /run/secrets/$secret_filename in container"
+
# Proxies - environment should override container, but not env-file
http_proxy=http-proxy-from-env ftp_proxy=ftp-proxy-from-env \
run_podman run --rm \
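Review bot: The new `is "${lines[6]}" "$secret_contents"` check says nothing about `/run/secrets` under podman-remote, because in that mode the script only echoes the fixed fallback string. Unless `secret_filename` is set somewhere outside this diff, it is also empty there, so the description would read `Contents of /run/secrets/ in container`. A description that holds in both modes would avoid a misleading pass, for example `"container default command: secret line (mounted file when local, fixed echo when remote)"`, or the check could be wrapped in `if ! is_remote; then`. The surrounding test body starts and ends outside the hunk.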