authoropenshift-ci[bot] <75433959+openshift-ci[bot]@users.noreply.github.com>2021-08-10 12:55:52 +0000
committerGitHub <noreply@github.com>2021-08-10 12:55:52 +0000
commite136ad485c626e09e361c37bbd529bb599448ac0 (patch)
treee3b1c0a96222831481de1358e13dbb086185a9d3 /test
parent6f61e229911e399d92f8fbe0574654f308f73b39 (diff)
parent221b1add74e17ded10e8f2f832a53065578aa264 (diff)
Merge pull request #10589 from umohnani8/pod-userns
Add support for pod inside of user namespace.
Diffstat (limited to 'test')
-rw-r--r--test/e2e/play_kube_test.go2
-rw-r--r--test/e2e/pod_create_test.go220
2 files changed, 221 insertions, 1 deletions
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index 66bfdefe7..e3096d932 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -1114,7 +1114,7 @@ var _ = Describe("Podman play kube", func() {
})
It("podman play kube should share ipc,net,uts when shareProcessNamespace is set", func() {
- SkipIfRootless("Requires root priviledges for sharing few namespaces")
+ SkipIfRootless("Requires root privileges for sharing few namespaces")
err := writeYaml(sharedNamespacePodYaml, kubeYaml)
Expect(err).To(BeNil())
diff --git a/test/e2e/pod_create_test.go b/test/e2e/pod_create_test.go
index 4c6788b9d..f6f532ce9 100644
--- a/test/e2e/pod_create_test.go
+++ b/test/e2e/pod_create_test.go
@@ -4,6 +4,7 @@ import (
"fmt"
"io/ioutil"
"os"
+ "os/user"
"path/filepath"
"strconv"
"strings"
@@ -621,4 +622,223 @@ ENTRYPOINT ["sleep","99999"]
Expect(podCreate).Should(ExitWithError())
})
+
+ It("podman pod create with --userns=keep-id", func() {
+ if os.Geteuid() == 0 {
+ Skip("Test only runs without root")
+ }
+
+ podName := "testPod"
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--userns", "keep-id", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ session := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "id", "-u"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ uid := fmt.Sprintf("%d", os.Geteuid())
+ ok, _ := session.GrepString(uid)
+ Expect(ok).To(BeTrue())
+
+ // Check passwd
+ session = podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "id", "-un"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ u, err := user.Current()
+ Expect(err).To(BeNil())
+ ok, _ = session.GrepString(u.Name)
+ Expect(ok).To(BeTrue())
+
+ // root owns /usr
+ session = podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "stat", "-c%u", "/usr"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ Expect(session.OutputToString()).To(Equal("0"))
+
+ // fail if --pod and --userns set together
+ session = podmanTest.Podman([]string{"run", "--pod", podName, "--userns", "keep-id", ALPINE, "id", "-u"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(125))
+ })
+
+ It("podman pod create with --userns=keep-id can add users", func() {
+ if os.Geteuid() == 0 {
+ Skip("Test only runs without root")
+ }
+
+ podName := "testPod"
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--userns", "keep-id", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ ctrName := "ctr-name"
+ session := podmanTest.Podman([]string{"run", "--pod", podName, "-d", "--stop-signal", "9", "--name", ctrName, fedoraMinimal, "sleep", "600"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+
+ // container inside pod inherits user form infra container if --user is not set
+ // etc/passwd entry will look like 1000:*:1000:1000:container user:/:/bin/sh
+ exec1 := podmanTest.Podman([]string{"exec", ctrName, "cat", "/etc/passwd"})
+ exec1.WaitWithDefaultTimeout()
+ Expect(exec1).Should(Exit(0))
+ Expect(exec1.OutputToString()).To(ContainSubstring("container"))
+
+ exec2 := podmanTest.Podman([]string{"exec", ctrName, "useradd", "testuser"})
+ exec2.WaitWithDefaultTimeout()
+ Expect(exec2).Should(Exit(0))
+
+ exec3 := podmanTest.Podman([]string{"exec", ctrName, "cat", "/etc/passwd"})
+ exec3.WaitWithDefaultTimeout()
+ Expect(exec3).Should(Exit(0))
+ Expect(exec3.OutputToString()).To(ContainSubstring("testuser"))
+ })
+
+ It("podman pod create with --userns=auto", func() {
+ u, err := user.Current()
+ Expect(err).To(BeNil())
+ name := u.Name
+ if name == "root" {
+ name = "containers"
+ }
+
+ content, err := ioutil.ReadFile("/etc/subuid")
+ if err != nil {
+ Skip("cannot read /etc/subuid")
+ }
+ if !strings.Contains(string(content), name) {
+ Skip("cannot find mappings for the current user")
+ }
+
+ m := make(map[string]string)
+ for i := 0; i < 5; i++ {
+ podName := "testPod" + strconv.Itoa(i)
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--userns=auto", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+
+ session := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/uid_map"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ l := session.OutputToString()
+ Expect(strings.Contains(l, "1024")).To(BeTrue())
+ m[l] = l
+ }
+ // check for no duplicates
+ Expect(len(m)).To(Equal(5))
+ })
+
+ It("podman pod create --userns=auto:size=%d", func() {
+ u, err := user.Current()
+ Expect(err).To(BeNil())
+
+ name := u.Name
+ if name == "root" {
+ name = "containers"
+ }
+
+ content, err := ioutil.ReadFile("/etc/subuid")
+ if err != nil {
+ Skip("cannot read /etc/subuid")
+ }
+ if !strings.Contains(string(content), name) {
+ Skip("cannot find mappings for the current user")
+ }
+
+ podName := "testPod"
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--userns=auto:size=500", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+ session := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/uid_map"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ ok, _ := session.GrepString("500")
+
+ podName = "testPod-1"
+ podCreate = podmanTest.Podman([]string{"pod", "create", "--userns=auto:size=3000", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+ session = podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/uid_map"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ ok, _ = session.GrepString("3000")
+
+ Expect(ok).To(BeTrue())
+ })
+
+ It("podman pod create --userns=auto:uidmapping=", func() {
+ u, err := user.Current()
+ Expect(err).To(BeNil())
+
+ name := u.Name
+ if name == "root" {
+ name = "containers"
+ }
+
+ content, err := ioutil.ReadFile("/etc/subuid")
+ if err != nil {
+ Skip("cannot read /etc/subuid")
+ }
+ if !strings.Contains(string(content), name) {
+ Skip("cannot find mappings for the current user")
+ }
+
+ podName := "testPod"
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--userns=auto:uidmapping=0:0:1", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+ session := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/uid_map"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ output := session.OutputToString()
+ Expect(output).To(MatchRegexp("\\s0\\s0\\s1"))
+
+ podName = "testPod-1"
+ podCreate = podmanTest.Podman([]string{"pod", "create", "--userns=auto:size=8192,uidmapping=0:0:1", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+ session = podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/uid_map"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ ok, _ := session.GrepString("8191")
+ Expect(ok).To(BeTrue())
+ })
+
+ It("podman pod create --userns=auto:gidmapping=", func() {
+ u, err := user.Current()
+ Expect(err).To(BeNil())
+
+ name := u.Name
+ if name == "root" {
+ name = "containers"
+ }
+
+ content, err := ioutil.ReadFile("/etc/subuid")
+ if err != nil {
+ Skip("cannot read /etc/subuid")
+ }
+ if !strings.Contains(string(content), name) {
+ Skip("cannot find mappings for the current user")
+ }
+
+ podName := "testPod"
+ podCreate := podmanTest.Podman([]string{"pod", "create", "--userns=auto:gidmapping=0:0:1", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+ session := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/gid_map"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ output := session.OutputToString()
+ Expect(output).To(MatchRegexp("\\s0\\s0\\s1"))
+
+ podName = "testPod-1"
+ podCreate = podmanTest.Podman([]string{"pod", "create", "--userns=auto:size=8192,gidmapping=0:0:1", "--name", podName})
+ podCreate.WaitWithDefaultTimeout()
+ Expect(podCreate).Should(Exit(0))
+ session = podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/gid_map"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ ok, _ := session.GrepString("8191")
+ Expect(ok).To(BeTrue())
+ })
+
})
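Review bot: In the `--userns=auto:size=%d` test the result of `session.GrepString("500")` is overwritten by the later `GrepString("3000")` call before anything reads it, so the size=500 pod's mapping is never asserted; add `Expect(ok).To(BeTrue())` directly after the first `GrepString`. Both checks are also plain substring matches on the whole `uid_map` output, which digits in the host-ID column could satisfy, so a wrongly sized user namespace might still pass; matching the length field with `MatchRegexp`, as the uidmapping test in this hunk already does for `0 0 1`, would make the size check meaningful. Separately, the keep-id and /etc/subuid checks use `u.Name`, which in `os/user` is the display name rather than the login name; `u.Username` is what `id -un` prints and what /etc/subuid entries are keyed by, and an empty `Name` makes `strings.Contains(string(content), name)` trivially true.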