summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2020-12-01 16:23:40 -0500
committerUrvashi Mohnani <umohnani@redhat.com>2021-08-09 15:17:22 -0400
commit221b1add74e17ded10e8f2f832a53065578aa264 (patch)
tree499c89b26092c92026f3e7532b6bd633d920652f /test
parent431707c72044154b956944d00b1ba40b303decb2 (diff)
downloadpodman-221b1add74e17ded10e8f2f832a53065578aa264.tar.gz
podman-221b1add74e17ded10e8f2f832a53065578aa264.tar.bz2
podman-221b1add74e17ded10e8f2f832a53065578aa264.zip
Add support for pod inside of user namespace.
Add the --userns flag to podman pod create and keep track of the userns setting that pod was created with so that all containers created within the pod will inherit that userns setting. Specifically we need to be able to launch a pod with --userns=keep-id Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Diffstat (limited to 'test')
-rw-r--r--test/e2e/play_kube_test.go2
-rw-r--r--test/e2e/pod_create_test.go220
2 files changed, 221 insertions, 1 deletions
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index 66bfdefe7..e3096d932 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -1114,7 +1114,7 @@ var _ = Describe("Podman play kube", func() {
})
It("podman play kube should share ipc,net,uts when shareProcessNamespace is set", func() {
- SkipIfRootless("Requires root priviledges for sharing few namespaces")
+ SkipIfRootless("Requires root privileges for sharing few namespaces")
err := writeYaml(sharedNamespacePodYaml, kubeYaml)
Expect(err).To(BeNil())
diff --git a/test/e2e/pod_create_test.go b/test/e2e/pod_create_test.go
index 4c6788b9d..f6f532ce9 100644
--- a/test/e2e/pod_create_test.go
+++ b/test/e2e/pod_create_test.go
@@ -4,6 +4,7 @@ import (
"fmt"
"io/ioutil"
"os"
+ "os/user"
"path/filepath"
"strconv"
"strings"
@@ -621,4 +622,223 @@ ENTRYPOINT ["sleep","99999"]
Expect(podCreate).Should(ExitWithError())
})
+
+ It("podman pod create with --userns=keep-id", func() {
+ if os.Geteuid() == 0 {
+ Skip("Test only runs without root")
+ }
+
+ podName := "testPod"
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--userns", "keep-id", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ session := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "id", "-u"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ uid := fmt.Sprintf("%d", os.Geteuid())
+ ok, _ := session.GrepString(uid)
+ Expect(ok).To(BeTrue())
+
+ // Check passwd
+ session = podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "id", "-un"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ u, err := user.Current()
+ Expect(err).To(BeNil())
+ ok, _ = session.GrepString(u.Name)
+ Expect(ok).To(BeTrue())
+
+ // root owns /usr
+ session = podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "stat", "-c%u", "/usr"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ Expect(session.OutputToString()).To(Equal("0"))
+
+ // fail if --pod and --userns set together
+ session = podmanTest.Podman([]string{"run", "--pod", podName, "--userns", "keep-id", ALPINE, "id", "-u"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(125))
+ })
+
+ It("podman pod create with --userns=keep-id can add users", func() {
+ if os.Geteuid() == 0 {
+ Skip("Test only runs without root")
+ }
+
+ podName := "testPod"
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--userns", "keep-id", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ ctrName := "ctr-name"
+ session := podmanTest.Podman([]string{"run", "--pod", podName, "-d", "--stop-signal", "9", "--name", ctrName, fedoraMinimal, "sleep", "600"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+
+ // container inside pod inherits user form infra container if --user is not set
+ // etc/passwd entry will look like 1000:*:1000:1000:container user:/:/bin/sh
+ exec1 := podmanTest.Podman([]string{"exec", ctrName, "cat", "/etc/passwd"})
+ exec1.WaitWithDefaultTimeout()
+ Expect(exec1).Should(Exit(0))
+ Expect(exec1.OutputToString()).To(ContainSubstring("container"))
+
+ exec2 := podmanTest.Podman([]string{"exec", ctrName, "useradd", "testuser"})
+ exec2.WaitWithDefaultTimeout()
+ Expect(exec2).Should(Exit(0))
+
+ exec3 := podmanTest.Podman([]string{"exec", ctrName, "cat", "/etc/passwd"})
+ exec3.WaitWithDefaultTimeout()
+ Expect(exec3).Should(Exit(0))
+ Expect(exec3.OutputToString()).To(ContainSubstring("testuser"))
+ })
+
+ It("podman pod create with --userns=auto", func() {
+ u, err := user.Current()
+ Expect(err).To(BeNil())
+ name := u.Name
+ if name == "root" {
+ name = "containers"
+ }
+
+ content, err := ioutil.ReadFile("/etc/subuid")
+ if err != nil {
+ Skip("cannot read /etc/subuid")
+ }
+ if !strings.Contains(string(content), name) {
+ Skip("cannot find mappings for the current user")
+ }
+
+ m := make(map[string]string)
+ for i := 0; i < 5; i++ {
+ podName := "testPod" + strconv.Itoa(i)
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--userns=auto", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ session := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/uid_map"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ l := session.OutputToString()
+ Expect(strings.Contains(l, "1024")).To(BeTrue())
+ m[l] = l
+ }
+ // check for no duplicates
+ Expect(len(m)).To(Equal(5))
+ })
+
+ It("podman pod create --userns=auto:size=%d", func() {
+ u, err := user.Current()
+ Expect(err).To(BeNil())
+
+ name := u.Name
+ if name == "root" {
+ name = "containers"
+ }
+
+ content, err := ioutil.ReadFile("/etc/subuid")
+ if err != nil {
+ Skip("cannot read /etc/subuid")
+ }
+ if !strings.Contains(string(content), name) {
+ Skip("cannot find mappings for the current user")
+ }
+
+ podName := "testPod"
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--userns=auto:size=500", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+ session := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/uid_map"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ ok, _ := session.GrepString("500")
+
+ podName = "testPod-1"
+ podCreate = podmanTest.Podman([]string{"pod", "create", "--userns=auto:size=3000", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+ session = podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/uid_map"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ ok, _ = session.GrepString("3000")
+
+ Expect(ok).To(BeTrue())
+ })
+
+ It("podman pod create --userns=auto:uidmapping=", func() {
+ u, err := user.Current()
+ Expect(err).To(BeNil())
+
+ name := u.Name
+ if name == "root" {
+ name = "containers"
+ }
+
+ content, err := ioutil.ReadFile("/etc/subuid")
+ if err != nil {
+ Skip("cannot read /etc/subuid")
+ }
+ if !strings.Contains(string(content), name) {
+ Skip("cannot find mappings for the current user")
+ }
+
+ podName := "testPod"
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--userns=auto:uidmapping=0:0:1", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+ session := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/uid_map"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ output := session.OutputToString()
+ Expect(output).To(MatchRegexp("\\s0\\s0\\s1"))
+
+ podName = "testPod-1"
+ podCreate = podmanTest.Podman([]string{"pod", "create", "--userns=auto:size=8192,uidmapping=0:0:1", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+ session = podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/uid_map"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ ok, _ := session.GrepString("8191")
+ Expect(ok).To(BeTrue())
+ })
+
+ It("podman pod create --userns=auto:gidmapping=", func() {
+ u, err := user.Current()
+ Expect(err).To(BeNil())
+
+ name := u.Name
+ if name == "root" {
+ name = "containers"
+ }
+
+ content, err := ioutil.ReadFile("/etc/subuid")
+ if err != nil {
+ Skip("cannot read /etc/subuid")
+ }
+ if !strings.Contains(string(content), name) {
+ Skip("cannot find mappings for the current user")
+ }
+
+ podName := "testPod"
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--userns=auto:gidmapping=0:0:1", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+ session := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/gid_map"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ output := session.OutputToString()
+ Expect(output).To(MatchRegexp("\\s0\\s0\\s1"))
+
+ podName = "testPod-1"
+ podCreate = podmanTest.Podman([]string{"pod", "create", "--userns=auto:size=8192,gidmapping=0:0:1", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+ session = podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/gid_map"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ ok, _ := session.GrepString("8191")
+ Expect(ok).To(BeTrue())
+ })
+
})