authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-08-11 15:00:57 -0400
committerGitHub <noreply@github.com>2020-08-11 15:00:57 -0400
commit1deb4d1d70efb6d62f4fe5e735c94523f930b6d7 (patch)
tree394020b1a48f76cd283e450d6952cf08a4f53dde /test/system
parent9a9ad853cb6781460829cb139cecbf9aff37896d (diff)
parent3f2cab86433859a1facf1996ad68dac23c9899b9 (diff)
downloadpodman-1deb4d1d70efb6d62f4fe5e735c94523f930b6d7.tar.gz
podman-1deb4d1d70efb6d62f4fe5e735c94523f930b6d7.tar.bz2
podman-1deb4d1d70efb6d62f4fe5e735c94523f930b6d7.zip
Merge pull request #7289 from vrothberg/v2-backports
V2 backports
Diffstat (limited to 'test/system')
-rw-r--r--test/system/030-run.bats66
-rw-r--r--test/system/035-logs.bats2
-rw-r--r--test/system/050-stop.bats7
-rw-r--r--test/system/055-rm.bats2
-rw-r--r--test/system/070-build.bats153
-rw-r--r--test/system/075-exec.bats31
-rw-r--r--test/system/110-history.bats2
-rw-r--r--test/system/120-load.bats4
-rw-r--r--test/system/130-kill.bats2
-rw-r--r--test/system/140-diff.bats13
-rw-r--r--test/system/160-volumes.bats2
-rw-r--r--test/system/200-pod.bats14
-rw-r--r--test/system/220-healthcheck.bats1
-rw-r--r--test/system/400-unprivileged-access.bats68
-rw-r--r--test/system/410-selinux.bats9
-rw-r--r--test/system/helpers.bash62
-rwxr-xr-xtest/system/helpers.t70
17 files changed, 476 insertions, 32 deletions
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index c7a9bf191..12c82bc4c 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -190,6 +190,8 @@ echo $rand | 0 | $rand
}
@test "podman run docker-archive" {
+ skip_if_remote "FIXME: pending #7116"
+
# Create an image that, when run, outputs a random magic string
expect=$(random_string 20)
run_podman run --name myc --entrypoint="[\"/bin/echo\",\"$expect\"]" $IMAGE
@@ -230,4 +232,68 @@ echo $rand | 0 | $rand
run_podman rmi myi
}
+# #6735 : complex interactions with multiple user namespaces
+# The initial report has to do with bind mounts, but that particular
+# symptom only manifests on a fedora container image -- we have no
+# reproducer on alpine. Checking directory ownership is good enough.
+@test "podman run : user namespace preserved root ownership" {
+ skip_if_remote "FIXME: pending #7195"
+
+ for priv in "" "--privileged"; do
+ for user in "--user=0" "--user=100"; do
+ for keepid in "" "--userns=keep-id"; do
+ opts="$priv $user $keepid"
+
+ for dir in /etc /usr;do
+ run_podman run --rm $opts $IMAGE stat -c '%u:%g:%n' $dir
+ remove_same_dev_warning # grumble
+ is "$output" "0:0:$dir" "run $opts ($dir)"
+ done
+ done
+ done
+ done
+}
+
+# #6829 : add username to /etc/passwd inside container if --userns=keep-id
+@test "podman run : add username to /etc/passwd if --userns=keep-id" {
+ skip_if_remote "FIXME: pending #7195"
+
+ # Default: always run as root
+ run_podman run --rm $IMAGE id -un
+ is "$output" "root" "id -un on regular container"
+
+ # This would always work on root, but is new behavior on rootless: #6829
+ # adds a user entry to /etc/passwd
+ run_podman run --rm --userns=keep-id $IMAGE id -un
+ is "$output" "$(id -un)" "username on container with keep-id"
+
+ # --privileged should make no difference
+ run_podman run --rm --privileged --userns=keep-id $IMAGE id -un
+ remove_same_dev_warning # grumble
+ is "$output" "$(id -un)" "username on container with keep-id"
+
+ # ...but explicitly setting --user should override keep-id
+ run_podman run --rm --privileged --userns=keep-id --user=0 $IMAGE id -un
+ remove_same_dev_warning # grumble
+ is "$output" "root" "--user=0 overrides keep-id"
+}
+
+# #6991 : /etc/passwd is modifiable
+@test "podman run : --userns=keep-id: passwd file is modifiable" {
+ skip_if_remote "FIXME: pending #7195"
+
+ run_podman run -d --userns=keep-id $IMAGE sh -c 'while ! test -e /stop; do sleep 0.1; done'
+ cid="$output"
+
+ gecos="$(random_string 6) $(random_string 8)"
+ run_podman exec --user root $cid adduser -D -g "$gecos" -s /bin/sh newuser3
+ is "$output" "" "output from adduser"
+ run_podman exec $cid tail -1 /etc/passwd
+ is "$output" "newuser3:x:1000:1000:$gecos:/home/newuser3:/bin/sh" \
+ "newuser3 added to /etc/passwd in container"
+
+ run_podman exec $cid touch /stop
+ run_podman wait $cid
+}
+
# vim: filetype=sh
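Review bot: The expected line `newuser3:x:1000:1000:...` in the "passwd file is modifiable" test hard-codes the UID/GID that adduser will pick, which presumably depends on what is already in the container's /etc/passwd, including the entry that keep-id adds for the invoking user. If that user's UID happens to be 1000, the new account would likely get a different id and the test would fail for a reason unrelated to #6991. Matching only the fields that matter, e.g. `"newuser3:x:[0-9]\+:[0-9]\+:$gecos:/home/newuser3:/bin/sh"`, keeps the check on writability. The detached container is also only told to stop on the last two lines, so a failed assertion leaves it looping until whatever teardown does; a short comment saying that teardown is relied on would help.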
diff --git a/test/system/035-logs.bats b/test/system/035-logs.bats
index 055865c8d..cbb2091e5 100644
--- a/test/system/035-logs.bats
+++ b/test/system/035-logs.bats
@@ -25,6 +25,8 @@ load helpers
}
@test "podman logs - multi" {
+ skip_if_remote "logs does not support multiple containers when run remotely"
+
# Simple helper to make the container starts, below, easier to read
local -a cid
doit() {
diff --git a/test/system/050-stop.bats b/test/system/050-stop.bats
index 093606ece..f604ea2e2 100644
--- a/test/system/050-stop.bats
+++ b/test/system/050-stop.bats
@@ -12,9 +12,12 @@ load helpers
run_podman stop $cid
t1=$SECONDS
- # Confirm that container is stopped
+ # Confirm that container is stopped. Podman-remote unfortunately
+ # cannot tell the difference between "stopped" and "exited", and
+ # spits them out interchangeably, so we need to recognize either.
run_podman inspect --format '{{.State.Status}} {{.State.ExitCode}}' $cid
- is "$output" "exited \+137" "Status and exit code of stopped container"
+ is "$output" "\\(stopped\|exited\\) \+137" \
+ "Status and exit code of stopped container"
# The initial SIGTERM is ignored, so this operation should take
# exactly 10 seconds. Give it some leeway.
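Review bot: The new pattern on the `is` line mixes two escaping styles inside double quotes: `\\(` and `\\)` use doubled backslashes, while `\|` and `\+` rely on the shell leaving a single backslash alone. The resulting regex is the same, but single quotes state it directly and remove the guesswork: `is "$output" '\(stopped\|exited\) \+137' \`. The test body starts and ends outside the hunk.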
diff --git a/test/system/055-rm.bats b/test/system/055-rm.bats
index 8ef8a119e..5ff19282e 100644
--- a/test/system/055-rm.bats
+++ b/test/system/055-rm.bats
@@ -32,6 +32,8 @@ load helpers
#
# See https://github.com/containers/libpod/issues/3795
@test "podman rm -f" {
+ skip_if_remote "FIXME: pending #7117"
+
rand=$(random_string 30)
( sleep 3; run_podman rm -f $rand ) &
run_podman 137 run --name $rand $IMAGE sleep 30
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index 7d6660270..bdc05a172 100644
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
@@ -6,9 +6,7 @@
load helpers
@test "podman build - basic test" {
- if is_remote && is_rootless; then
- skip "unreliable with podman-remote and rootless; #2972"
- fi
+ skip_if_remote "FIXME: pending #7136"
rand_filename=$(random_string 20)
rand_content=$(random_string 50)
@@ -34,6 +32,7 @@ EOF
# Regression from v1.5.0. This test passes fine in v1.5.0, fails in 1.6
@test "podman build - cache (#3920)" {
+ skip_if_remote "FIXME: pending #7136"
if is_remote && is_rootless; then
skip "unreliable with podman-remote and rootless; #2972"
fi
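Review bot: The added `skip_if_remote "FIXME: pending #7136"` makes the `if is_remote && is_rootless; then skip ...; fi` block directly below it unreachable, since every remote run now skips before reaching it. The "basic test" hunk above removed the same block when it gained its skip; doing the same here keeps the two tests consistent. If the narrower skip should return once #7136 is fixed, a one-line comment such as `# TODO: restore rootless-remote skip (#2972) once #7136 is resolved` records that better than dead code. The test body continues outside the hunk.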
@@ -81,6 +80,8 @@ EOF
}
@test "podman build - URLs" {
+ skip_if_remote "FIXME: pending #7137"
+
tmpdir=$PODMAN_TMPDIR/build-test
mkdir -p $tmpdir
@@ -98,20 +99,156 @@ EOF
is "$output" ".*error building at STEP .*: source can't be a URL for COPY"
}
-@test "podman build - stdin test" {
- if is_remote && is_rootless; then
- skip "unreliable with podman-remote and rootless; #2972"
- fi
+@test "podman build - workdir, cmd, env, label" {
+ skip_if_remote "FIXME: pending #7137"
+
+ tmpdir=$PODMAN_TMPDIR/build-test
+ mkdir -p $tmpdir
# Random workdir, and multiple random strings to verify command & env
workdir=/$(random_string 10)
+ s_echo=$(random_string 15)
+ s_env1=$(random_string 20)
+ s_env2=$(random_string 25)
+ s_env3=$(random_string 30)
+ s_env4=$(random_string 40)
+
+ # Label name: make sure it begins with a letter! jq barfs if you
+ # try to ask it for '.foo.<N>xyz', i.e. any string beginning with digit
+ label_name=l$(random_string 8)
+ label_value=$(random_string 12)
+
+ # Command to run on container startup with no args
+ cat >$tmpdir/mycmd <<EOF
+#!/bin/sh
+PATH=/usr/bin:/bin
+pwd
+echo "\$1"
+printenv | grep MYENV | sort | sed -e 's/^MYENV.=//'
+EOF
+
+ # For overridding with --env-file
+ cat >$PODMAN_TMPDIR/env-file <<EOF
+MYENV3=$s_env3
+http_proxy=http-proxy-in-env-file
+https_proxy=https-proxy-in-env-file
+EOF
+
+ cat >$tmpdir/Containerfile <<EOF
+FROM $IMAGE
+LABEL $label_name=$label_value
+RUN mkdir $workdir
+WORKDIR $workdir
+
+# Test for #7094 - chowning of invalid symlinks
+RUN mkdir -p /a/b/c
+RUN ln -s /no/such/nonesuch /a/b/c/badsymlink
+RUN ln -s /bin/mydefaultcmd /a/b/c/goodsymlink
+RUN touch /a/b/c/myfile
+RUN chown -h 1:2 /a/b/c/badsymlink /a/b/c/goodsymlink && chown -h 4:5 /a/b/c/myfile
+VOLUME /a/b/c
+
+# Test for environment passing and override
+ENV MYENV1=$s_env1
+ENV MYENV2 this-should-be-overridden-by-env-host
+ENV MYENV3 this-should-be-overridden-by-env-file
+ENV MYENV4 this-should-be-overridden-by-cmdline
+ENV http_proxy http-proxy-in-image
+ENV ftp_proxy ftp-proxy-in-image
+ADD mycmd /bin/mydefaultcmd
+RUN chmod 755 /bin/mydefaultcmd
+RUN chown 2:3 /bin/mydefaultcmd
+CMD ["/bin/mydefaultcmd","$s_echo"]
+EOF
+
+ # cd to the dir, so we test relative paths (important for podman-remote)
+ cd $PODMAN_TMPDIR
+ run_podman build -t build_test -f build-test/Containerfile build-test
+
+ # Run without args - should run the above script. Verify its output.
+ export MYENV2="$s_env2"
+ export MYENV3="env-file-should-override-env-host!"
+ run_podman run --rm \
+ --env-file=$PODMAN_TMPDIR/env-file \
+ --env-host \
+ -e MYENV4="$s_env4" \
+ build_test
+ is "${lines[0]}" "$workdir" "container default command: pwd"
+ is "${lines[1]}" "$s_echo" "container default command: output from echo"
+ is "${lines[2]}" "$s_env1" "container default command: env1"
+ is "${lines[3]}" "$s_env2" "container default command: env2"
+ is "${lines[4]}" "$s_env3" "container default command: env3 (from envfile)"
+ is "${lines[5]}" "$s_env4" "container default command: env4 (from cmdline)"
+
+ # Proxies - environment should override container, but not env-file
+ http_proxy=http-proxy-from-env ftp_proxy=ftp-proxy-from-env \
+ run_podman run --rm --env-file=$PODMAN_TMPDIR/env-file \
+ build_test \
+ printenv http_proxy https_proxy ftp_proxy
+ is "${lines[0]}" "http-proxy-in-env-file" "env-file overrides env"
+ is "${lines[1]}" "https-proxy-in-env-file" "env-file sets proxy var"
+ is "${lines[2]}" "ftp-proxy-from-env" "ftp-proxy is passed through"
+
+ # test that workdir is set for command-line commands also
+ run_podman run --rm build_test pwd
+ is "$output" "$workdir" "pwd command in container"
+
+ # Confirm that 'podman inspect' shows the expected values
+ # FIXME: can we rely on .Env[0] being PATH, and the rest being in order??
+ run_podman image inspect build_test
+ tests="
+Env[1] | MYENV1=$s_env1
+Env[2] | MYENV2=this-should-be-overridden-by-env-host
+Env[3] | MYENV3=this-should-be-overridden-by-env-file
+Env[4] | MYENV4=this-should-be-overridden-by-cmdline
+Cmd[0] | /bin/mydefaultcmd
+Cmd[1] | $s_echo
+WorkingDir | $workdir
+Labels.$label_name | $label_value
+"
+
+ parse_table "$tests" | while read field expect; do
+ actual=$(jq -r ".[0].Config.$field" <<<"$output")
+ dprint "# actual=<$actual> expect=<$expect}>"
+ is "$actual" "$expect" "jq .Config.$field"
+ done
+
+ # Bad symlink in volume. Prior to #7094, well, we wouldn't actually
+ # get here because any 'podman run' on a volume that had symlinks,
+ # be they dangling or valid, would barf with
+ # Error: chown <mountpath>/_data/symlink: ENOENT
+ run_podman run --rm build_test stat -c'%u:%g:%N' /a/b/c/badsymlink
+ is "$output" "1:2:'/a/b/c/badsymlink' -> '/no/such/nonesuch'" \
+ "bad symlink to nonexistent file is chowned and preserved"
+
+ run_podman run --rm build_test stat -c'%u:%g:%N' /a/b/c/goodsymlink
+ is "$output" "1:2:'/a/b/c/goodsymlink' -> '/bin/mydefaultcmd'" \
+ "good symlink to existing file is chowned and preserved"
+
+ run_podman run --rm build_test stat -c'%u:%g' /bin/mydefaultcmd
+ is "$output" "2:3" "target of symlink is not chowned"
+
+ run_podman run --rm build_test stat -c'%u:%g:%N' /a/b/c/myfile
+ is "$output" "4:5:/a/b/c/myfile" "file in volume is chowned"
+
+ # Clean up
+ run_podman rmi -f build_test
+}
+
+@test "podman build - stdin test" {
+ skip_if_remote "FIXME: pending #7136"
+
+ # Random workdir, and random string to verify build output
+ workdir=/$(random_string 10)
+ random_echo=$(random_string 15)
PODMAN_TIMEOUT=240 run_podman build -t build_test - << EOF
FROM $IMAGE
RUN mkdir $workdir
WORKDIR $workdir
-RUN /bin/echo 'Test'
+RUN /bin/echo $random_echo
EOF
is "$output" ".*STEP 5: COMMIT" "COMMIT seen in log"
+ is "$output" ".*STEP .: RUN /bin/echo $random_echo"
run_podman run --rm build_test pwd
is "$output" "$workdir" "pwd command in container"
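Review bot: The `dprint` line in the inspect loop has a stray brace, `expect=<$expect}>`, so debug output will show a literal `}` after every expected value; it should read `dprint "# actual=<$actual> expect=<$expect>"`. The same loop is fed by `parse_table "$tests" | while read field expect`, which runs the `is` assertions in a pipeline subshell and reads without `-r`; helpers.t feeds its loop with `done < <(parse_table "$table")`, and that form with `read -r` would keep the assertions in the test's own shell. In the stdin test, `is "$output" ".*STEP .: RUN /bin/echo $random_echo"` has no description argument, unlike the check before it. The stdin test body continues past the end of the hunk.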
diff --git a/test/system/075-exec.bats b/test/system/075-exec.bats
index f8c7f2766..f53a22a3f 100644
--- a/test/system/075-exec.bats
+++ b/test/system/075-exec.bats
@@ -6,8 +6,6 @@
load helpers
@test "podman exec - basic test" {
- skip_if_remote
-
rand_filename=$(random_string 20)
rand_content=$(random_string 50)
@@ -21,6 +19,15 @@ load helpers
run_podman exec $cid sh -c "cat /$rand_filename"
is "$output" "$rand_content" "Can exec and see file in running container"
+
+ # Specially defined situations: exec a dir, or no such command.
+ # We don't check the full error message because runc & crun differ.
+ run_podman 126 exec $cid /etc
+ is "$output" ".*permission denied" "podman exec /etc"
+ run_podman 127 exec $cid /no/such/command
+ is "$output" ".*such file or dir" "podman exec /no/such/command"
+
+ # Done
run_podman exec $cid rm -f /$rand_filename
run_podman wait $cid
@@ -80,4 +87,24 @@ load helpers
run_podman rm $cid
}
+# #6829 : add username to /etc/passwd inside container if --userns=keep-id
+# #6593 : doesn't actually work with podman exec
+@test "podman exec - with keep-id" {
+ skip "Please enable once #6593 is fixed"
+
+ run_podman run -d --userns=keep-id $IMAGE sh -c \
+ "echo READY;while [ ! -f /stop ]; do sleep 1; done"
+ cid="$output"
+ wait_for_ready $cid
+
+ run_podman exec $cid id -un
+ is "$output" "$(id -un)" "container is running as current user"
+
+ # Until #6593 gets fixed, this just hangs. The server process barfs with:
+ # unable to find user <username>: no matching entries in passwd file
+ run_podman exec --user=$(id -un) $cid touch /stop
+ run_podman wait $cid
+ run_podman rm $cid
+}
+
# vim: filetype=sh
diff --git a/test/system/110-history.bats b/test/system/110-history.bats
index 5dc221d61..b83e90fe4 100644
--- a/test/system/110-history.bats
+++ b/test/system/110-history.bats
@@ -3,6 +3,8 @@
load helpers
@test "podman history - basic tests" {
+ skip_if_remote "FIXME: pending #7122"
+
tests="
| .*[0-9a-f]\\\{12\\\} .* CMD .* LABEL
--format '{{.ID}} {{.Created}}' | .*[0-9a-f]\\\{12\\\} .* ago
diff --git a/test/system/120-load.bats b/test/system/120-load.bats
index f290c1888..611799f8d 100644
--- a/test/system/120-load.bats
+++ b/test/system/120-load.bats
@@ -28,6 +28,8 @@ verify_iid_and_name() {
@test "podman load - by image ID" {
+ skip_if_remote "FIXME: pending #7123"
+
# FIXME: how to build a simple archive instead?
get_iid_and_name
@@ -74,7 +76,7 @@ verify_iid_and_name() {
verify_iid_and_name $img_name
}
-@test "podman load - NAME and NAME:TAG arguments work (requires: #2674)" {
+@test "podman load - NAME and NAME:TAG arguments work" {
get_iid_and_name
run_podman save $iid -o $archive
run_podman rmi $iid
diff --git a/test/system/130-kill.bats b/test/system/130-kill.bats
index 7c2b9bed8..1bab089fe 100644
--- a/test/system/130-kill.bats
+++ b/test/system/130-kill.bats
@@ -6,6 +6,8 @@
load helpers
@test "podman kill - test signal handling in containers" {
+ skip_if_remote "FIXME: pending #7135"
+
# podman-remote and crun interact poorly in f31: crun seems to gobble up
# some signals.
# Workaround: run 'env --default-signal sh' instead of just 'sh' in
diff --git a/test/system/140-diff.bats b/test/system/140-diff.bats
index 9f4a2c0de..01ec5430e 100644
--- a/test/system/140-diff.bats
+++ b/test/system/140-diff.bats
@@ -6,9 +6,16 @@
load helpers
@test "podman diff" {
+ n=$(random_string 10) # container name
rand_file=$(random_string 10)
- run_podman run $IMAGE sh -c "touch /$rand_file;rm /etc/services"
- run_podman diff --format json -l
+ run_podman run --name $n $IMAGE sh -c "touch /$rand_file;rm /etc/services"
+
+ # If running local, test `-l` (latest) option. This can't work with remote.
+ if ! is_remote; then
+ n=-l
+ fi
+
+ run_podman diff --format json $n
# Expected results for each type of diff
declare -A expect=(
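Review bot: Reassigning `n=-l` in the `if ! is_remote` branch makes one variable hold either a container name or an option flag, and the cleanup in the next hunk (`run_podman rm $n`) then removes "the latest container" rather than the one this test created by name. On a host where anything else creates a container in between, `-l` can resolve to a different container than intended. Keeping the name and using a separate variable for the diff target is clearer and makes cleanup deterministic: `target=$n; is_remote || target=-l`, then `run_podman diff --format json $target` and `run_podman rm $n`.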
@@ -22,7 +29,7 @@ load helpers
is "$result" "${expect[$field]}" "$field"
done
- run_podman rm -l
+ run_podman rm $n
}
# vim: filetype=sh
diff --git a/test/system/160-volumes.bats b/test/system/160-volumes.bats
index 3233e6f04..3f50bd3c4 100644
--- a/test/system/160-volumes.bats
+++ b/test/system/160-volumes.bats
@@ -140,7 +140,6 @@ EOF
# Anonymous temporary volumes, and persistent autocreated named ones
@test "podman volume, implicit creation with run" {
-
# No hostdir arg: create anonymous container with random name
rand=$(random_string)
run_podman run -v /myvol $IMAGE sh -c "echo $rand >/myvol/myfile"
@@ -187,6 +186,7 @@ EOF
# Confirm that container sees the correct id
@test "podman volume with --userns=keep-id" {
is_rootless || skip "only meaningful when run rootless"
+ skip_if_remote "FIXME: pending #7195"
myvoldir=${PODMAN_TMPDIR}/volume_$(random_string)
mkdir $myvoldir
diff --git a/test/system/200-pod.bats b/test/system/200-pod.bats
index 478ff06bb..93a7d7b5e 100644
--- a/test/system/200-pod.bats
+++ b/test/system/200-pod.bats
@@ -18,7 +18,9 @@ function teardown() {
@test "podman pod top - containers in different PID namespaces" {
- skip_if_remote "podman-pod does not work with podman-remote"
+ if is_remote && is_rootless; then
+ skip "FIXME: pending #7139"
+ fi
# With infra=false, we don't get a /pause container (we also
# don't pull k8s.gcr.io/pause )
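Review bot: The three new `if is_remote && is_rootless; then skip "FIXME: pending #7139"; fi` blocks (here, in "communicating between pods" and in "hashtag AllTheOptions") call `skip` directly, so their messages do not get the `[remote]`/`[rootless]` label that this same commit adds to `skip_if_remote` and `skip_if_rootless` in helpers.bash. Skip reports will then show a bare "FIXME: pending #7139" with no hint of which configuration triggered it. Either spell it out in the message, `skip "[remote, rootless] FIXME: pending #7139"`, or factor the repeated condition into one helper. The test body continues outside the hunk.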
@@ -53,7 +55,9 @@ function teardown() {
@test "podman pod - communicating between pods" {
- skip_if_remote "podman-pod does not work with podman-remote"
+ if is_remote && is_rootless; then
+ skip "FIXME: pending #7139"
+ fi
podname=pod$(random_string)
run_podman 1 pod exists $podname
@@ -77,7 +81,7 @@ function teardown() {
run_podman ps --format '{{.Pod}}'
newline="
"
- is "$output" "${podid:0:12}${newline}${podid:0:12}" "sdfdsf"
+ is "$output" "${podid:0:12}${newline}${podid:0:12}" "ps shows 2 pod IDs"
# Talker: send the message via common port on localhost
message=$(random_string 15)
@@ -135,6 +139,10 @@ function random_ip() {
}
@test "podman pod create - hashtag AllTheOptions" {
+ if is_remote && is_rootless; then
+ skip "FIXME: pending #7139"
+ fi
+
mac=$(random_mac)
add_host_ip=$(random_ip)
add_host_n=$(random_string | tr A-Z a-z).$(random_string | tr A-Z a-z).xyz
diff --git a/test/system/220-healthcheck.bats b/test/system/220-healthcheck.bats
index e649ad3d2..3405029c1 100644
--- a/test/system/220-healthcheck.bats
+++ b/test/system/220-healthcheck.bats
@@ -25,6 +25,7 @@ function _check_health {
@test "podman healthcheck" {
+ skip_if_remote "FIXME: pending #7137"
# Create an image with a healthcheck script; said script will
# pass until the file /uh-oh gets created (by us, via exec)
diff --git a/test/system/400-unprivileged-access.bats b/test/system/400-unprivileged-access.bats
index 98f8b8211..acf0f0ba2 100644
--- a/test/system/400-unprivileged-access.bats
+++ b/test/system/400-unprivileged-access.bats
@@ -97,4 +97,72 @@ EOF
run_podman rm c_uidmap c_uidmap_v
}
+# #6957 - mask out /proc/acpi, /sys/dev, and other sensitive system files
+@test "sensitive mount points are masked without --privileged" {
+ # Weird error, maybe a flake?
+ # can only attach to created or running containers: container state improper
+ # https://github.com/containers/podman/pull/7111#issuecomment-666858715
+ skip_if_remote "FIXME: Weird flake"
+
+ # FIXME: this should match the list in pkg/specgen/generate/config_linux.go
+ local -a mps=(
+ /proc/acpi
+ /proc/kcore
+ /proc/keys
+ /proc/latency_stats
+ /proc/timer_list
+ /proc/timer_stats
+ /proc/sched_debug
+ /proc/scsi
+ /sys/firmware
+ /sys/fs/selinux
+ /sys/dev
+ )
+
+ # Some of the above may not exist on our host. Find only the ones that do.
+ local -a subset=()
+ for mp in ${mps[@]}; do
+ if [ -e $mp ]; then
+ subset+=($mp)
+ fi
+ done
+
+ # Run 'stat' on all the files, plus /dev/null. Get path, file type,
+ # number of links, major, and minor (see below for why). Do it all
+ # in one go, to avoid multiple podman-runs
+ run_podman run --rm $IMAGE stat -c'%n:%F:%h:%T:%t' /dev/null ${subset[@]}
+ local devnull=
+ for result in "${lines[@]}"; do
+ # e.g. /proc/acpi:character special file:1:3:1
+ local IFS=:
+ read path type nlinks major minor <<<"$result"
+
+ if [[ $path = "/dev/null" ]]; then
+ # /dev/null is our reference point: masked *files* (not directories)
+ # will be created as /dev/null clones.
+ # This depends on 'stat' returning results in argv order,
+ # so /dev/null is first, so we have a reference for others.
+ # If that ever breaks, this test will have to be done in two passes.
+ devnull="$major:$minor"
+ elif [[ $type = "character special file" ]]; then
+ # Container file is a character device: it must match /dev/null
+ is "$major:$minor" "$devnull" "$path: major/minor matches /dev/null"
+ elif [[ $type = "directory" ]]; then
+ # Directories: must be empty (only two links).
+ # FIXME: this is a horrible almost-worthless test! It does not
+ # actually check for files in the directory (expect: zero),
+ # merely for the nonexistence of any subdirectories! It relies
+ # on the observed (by Ed) fact that all the masked directories
+ # contain further subdirectories on the host. If there's ever
+ # a new masked directory that contains only files, this test
+ # will silently pass without any indication of error.
+ # If you can think of a better way to do this check,
+ # please feel free to fix it.
+ is "$nlinks" "2" "$path: directory link count"
+ else
+ die "$path: Unknown file type '$type'"
+ fi
+ done
+}
+
# vim: filetype=sh
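Review bot: The masking test can pass without checking a single masked path: entries of `mps` that do not exist on the host are dropped silently, and if `subset` ends up empty only /dev/null is stat'ed. Since this is the regression test for #6957, make that visible, e.g. `[ ${#subset[@]} -gt 0 ] || skip "none of the masked paths exist on this host"`. Separately, `local IFS=:` inside the loop stays in effect for the rest of the function, including the `is` and `die` calls; `IFS=: read -r path type nlinks major minor <<<"$result"` scopes it to the read. The names `major` and `minor` are also swapped relative to the format, since in `%T:%t` the minor number comes first (the sample comment shows `3:1` for /dev/null). The comparison still works because both sides are built the same way, but the names mislead.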
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index 8a0477eff..3dca59641 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -19,15 +19,8 @@ function check_label() {
# FIXME: on some CI systems, 'run --privileged' emits a spurious
# warning line about dup devices. Ignore it.
+ remove_same_dev_warning
local context="$output"
- if [ ${#lines[@]} -gt 1 ]; then
- if expr "${lines[0]}" : "WARNING: .* type, major" >/dev/null; then
- echo "# ${lines[0]} [ignored]" >&3
- context="${lines[1]}"
- else
- die "FAILED: too much output, expected one single line"
- fi
- fi
is "$context" ".*_u:system_r:.*" "SELinux role should always be system_r"
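Review bot: Calling `remove_same_dev_warning` in place of the inline block drops the old `die "FAILED: too much output, expected one single line"` guard, so any unexpected extra output lines now flow into `context` and are matched by the loose `.*_u:system_r:.*` pattern. If a single line is still the expectation, keep that assertion after the filter, e.g. `[ ${#lines[@]} -eq 1 ] || die "FAILED: too much output, expected one single line"`. The FIXME comment above the call now describes behaviour that lives in the helper and could be shortened to point there. check_label's body starts and ends outside the hunk.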
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index 7ec2105d1..0975effe7 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -16,6 +16,12 @@ IMAGE=$PODMAN_TEST_IMAGE_FQN
# Default timeout for a podman command.
PODMAN_TIMEOUT=${PODMAN_TIMEOUT:-60}
+# Prompt to display when logging podman commands; distinguish root/rootless
+_LOG_PROMPT='$'
+if [ $(id -u) -eq 0 ]; then
+ _LOG_PROMPT='#'
+fi
+
###############################################################################
# BEGIN setup/teardown tools
@@ -132,7 +138,7 @@ function run_podman() {
esac
# stdout is only emitted upon error; this echo is to help a debugger
- echo "\$ $PODMAN $*"
+ echo "$_LOG_PROMPT $PODMAN $*"
# BATS hangs if a subprocess remains and keeps FD 3 open; this happens
# if podman crashes unexpectedly without cleaning up subprocesses.
run timeout --foreground -v --kill=10 $PODMAN_TIMEOUT $PODMAN "$@" 3>/dev/null
@@ -234,12 +240,29 @@ function is_remote() {
[[ "$PODMAN" =~ -remote ]]
}
+###########################
+# _add_label_if_missing # make sure skip messages include rootless/remote
+###########################
+function _add_label_if_missing() {
+ local msg="$1"
+ local want="$2"
+
+ if [ -z "$msg" ]; then
+ echo
+ elif expr "$msg" : ".*$want" &>/dev/null; then
+ echo "$msg"
+ else
+ echo "[$want] $msg"
+ fi
+}
+
######################
# skip_if_rootless # ...with an optional message
######################
function skip_if_rootless() {
if is_rootless; then
- skip "${1:-not applicable under rootless podman}"
+ local msg=$(_add_label_if_missing "$1" "rootless")
+ skip "${msg:-not applicable under rootless podman}"
fi
}
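Review bot: `_add_label_if_missing` matches with `expr "$msg" : ".*$want"`, which treats `$want` as a regex and passes `$msg` to expr as an operand, so a message that begins with `-` or looks like an expr keyword can be misparsed. A builtin substring test avoids both problems: `elif [[ "$msg" == *"$want"* ]]; then`. In `skip_if_rootless` (and `skip_if_remote` in the next hunk) `local msg=$(...)` hides the helper's exit status; declaring first, `local msg; msg=$(_add_label_if_missing "$1" "rootless")`, is the usual form. The banner comment could also state the two arguments (message, label) and that the result is written to stdout.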
@@ -248,7 +271,8 @@ function skip_if_rootless() {
####################
function skip_if_remote() {
if is_remote; then
- skip "${1:-test does not work with podman-remote}"
+ local msg=$(_add_label_if_missing "$1" "remote")
+ skip "${msg:-test does not work with podman-remote}"
fi
}
@@ -386,5 +410,37 @@ function find_exec_pid_files() {
find $storage_path -type f -iname 'exec_pid_*'
fi
}
+
+
+#############################
+# remove_same_dev_warning # Filter out useless warning from output
+#############################
+#
+# On some CI systems, 'podman run --privileged' emits a useless warning:
+#
+# WARNING: The same type, major and minor should not be used for multiple devices.
+#
+# This obviously screws us up when we look at output results.
+#
+# This function removes the warning from $output and $lines
+#
+function remove_same_dev_warning() {
+ # No input arguments. We operate in-place on $output and $lines
+
+ local i=0
+ local -a new_lines=()
+ while [[ $i -lt ${#lines[@]} ]]; do
+ if expr "${lines[$i]}" : 'WARNING: .* same type, major.* multiple' >/dev/null; then
+ :
+ else
+ new_lines+=("${lines[$i]}")
+ fi
+ i=$(( i + 1 ))
+ done
+
+ lines=("${new_lines[@]}")
+ output=$(printf '%s\n' "${lines[@]}")
+}
+
# END miscellaneous tools
###############################################################################
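Review bot: `remove_same_dev_warning` rebuilds `$output` from `$lines` on every call, even when no warning line was found, so `$output` afterwards is only as faithful as `$lines`. If bats omits empty lines from `$lines` (as I believe it does), blank lines in the original output are lost for every caller. The header comment should say so, or the function should rewrite `$output` only when a line was actually dropped; the helpers.t cases would then need to set `$output` as well. The match itself can use the builtin instead of spawning expr per line: `local re='^WARNING: .* same type, major.* multiple'` and `[[ "${lines[$i]}" =~ $re ]]`.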
diff --git a/test/system/helpers.t b/test/system/helpers.t
index 7b4e48a84..a022f11c4 100755
--- a/test/system/helpers.t
+++ b/test/system/helpers.t
@@ -23,7 +23,8 @@ rc=0
function check_result {
testnum=$(expr $testnum + 1)
if [ "$1" = "$2" ]; then
- echo "ok $testnum $3 = $1"
+ # Multi-level echo flattens newlines, makes success messages readable
+ echo $(echo "ok $testnum $3 = $1")
else
echo "not ok $testnum $3"
echo "# expected: $2"
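Review bot: `echo $(echo "ok $testnum $3 = $1")` flattens newlines through unquoted word splitting, which also exposes the text to pathname expansion and collapses runs of whitespace. A value containing `*` or `?` could therefore be replaced by matching file names in the success line. Replacing only the newlines keeps the rest intact: `echo "ok $testnum $3 = ${1//$'\n'/ }"`. check_result continues outside the hunk.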
@@ -141,5 +142,72 @@ done < <(parse_table "$table")
# END dprint
###############################################################################
+# BEGIN remove_same_dev_warning
+
+# Test-helper function: runs remove_same_dev_warning, compares resulting
+# value of $lines and $output to expected values given on command line
+function check_same_dev() {
+ local testname="$1"; shift
+ local -a expect_lines=("$@")
+ local nl="
+"
+
+ remove_same_dev_warning
+
+ # After processing, check the expected number of lines
+ check_result "${#lines[@]}" "${#@}" "$testname: expected # of lines"
+
+ # ...and each expected line
+ local expect_output=""
+ local i=0
+ while [ $i -lt ${#expect_lines[@]} ]; do
+ check_result "${lines[$i]}" "${expect_lines[$i]}" "$testname: line $i"
+ expect_output+="${expect_lines[$i]}$nl"
+ i=$(( i + 1 ))
+ done
+
+ # ...and the possibly-multi-line $output
+ check_result "$output" "${expect_output%%$nl}" "$testname: output"
+}
+
+# Simplest case: nothing removed.
+declare -a lines=("a b c" "d" "e f")
+check_same_dev "abc" "a b c" "d" "e f"
+
+# Confirm that the warning message is removed from the beginning
+declare -a lines=(
+ "WARNING: The same type, major and minor should not be used for multiple devices."
+ "a"
+ "b"
+ "c"
+)
+check_same_dev "warning is removed" a b c
+
+# ...and from the middle (we do not expect to see this)
+declare -a lines=(
+ "WARNING: The same type, major and minor should not be used for multiple devices."
+ "a"
+ "b"
+ "WARNING: The same type, major and minor should not be used for multiple devices."
+ "c"
+)
+check_same_dev "multiple warnings removed" a b c
+
+# Corner case: two lines of output, only one of which we care about
+declare -a lines=(
+ "WARNING: The same type, major and minor should not be used for multiple devices."
+ "this is the only line we care about"
+)
+check_same_dev "one-line output" "this is the only line we care about"
+
+# Corner case: one line of output, but we expect zero.
+declare -a lines=(
+ "WARNING: The same type, major and minor should not be used for multiple devices."
+)
+check_same_dev "zero-line output"
+
+
+# END remove_same_dev_warning
+###############################################################################
exit $rc