Merge pull request #10589 from umohnani8/pod-userns

Add support for pod inside of user namespace.
author: openshift-ci[bot] <75433959+openshift-ci[bot]@users.noreply.github.com> 2021-08-10 12:55:52 +0000
committer: GitHub <noreply@github.com> 2021-08-10 12:55:52 +0000
commit: e136ad485c626e09e361c37bbd529bb599448ac0 (patch)
tree: e3b1c0a96222831481de1358e13dbb086185a9d3 /test
parent: 6f61e229911e399d92f8fbe0574654f308f73b39 (diff)
parent: 221b1add74e17ded10e8f2f832a53065578aa264 (diff)
download: podman-e136ad485c626e09e361c37bbd529bb599448ac0.tar.gz
podman-e136ad485c626e09e361c37bbd529bb599448ac0.tar.bz2
podman-e136ad485c626e09e361c37bbd529bb599448ac0.zip
2 files changed, 221 insertions, 1 deletions
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index 66bfdefe7..e3096d932 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -1114,7 +1114,7 @@ var _ = Describe("Podman play kube", func() {
 	})
 
 	It("podman play kube should share ipc,net,uts when shareProcessNamespace is set", func() {
-		SkipIfRootless("Requires root priviledges for sharing few namespaces")
+		SkipIfRootless("Requires root privileges for sharing few namespaces")
 		err := writeYaml(sharedNamespacePodYaml, kubeYaml)
 		Expect(err).To(BeNil())
 
diff --git a/test/e2e/pod_create_test.go b/test/e2e/pod_create_test.go
index 4c6788b9d..f6f532ce9 100644
--- a/test/e2e/pod_create_test.go
+++ b/test/e2e/pod_create_test.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"os/user"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -621,4 +622,223 @@ ENTRYPOINT ["sleep","99999"]
 		Expect(podCreate).Should(ExitWithError())
 
 	})
+
+	It("podman pod create with --userns=keep-id", func() {
+		if os.Geteuid() == 0 {
+			Skip("Test only runs without root")
+		}
+
+		podName := "testPod"
+		podCreate := podmanTest.Podman([]string{"pod", "create", "--userns", "keep-id", "--name", podName})
+		podCreate.WaitWithDefaultTimeout()
+		Expect(podCreate).Should(Exit(0))
+
+		session := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "id", "-u"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		uid := fmt.Sprintf("%d", os.Geteuid())
+		ok, _ := session.GrepString(uid)
+		Expect(ok).To(BeTrue())
+
+		// Check passwd
+		session = podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "id", "-un"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		u, err := user.Current()
+		Expect(err).To(BeNil())
+		ok, _ = session.GrepString(u.Name)
+		Expect(ok).To(BeTrue())
+
+		// root owns /usr
+		session = podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "stat", "-c%u", "/usr"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		Expect(session.OutputToString()).To(Equal("0"))
+
+		// fail if --pod and --userns set together
+		session = podmanTest.Podman([]string{"run", "--pod", podName, "--userns", "keep-id", ALPINE, "id", "-u"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(125))
+	})
+
+	It("podman pod create with --userns=keep-id can add users", func() {
+		if os.Geteuid() == 0 {
+			Skip("Test only runs without root")
+		}
+
+		podName := "testPod"
+		podCreate := podmanTest.Podman([]string{"pod", "create", "--userns", "keep-id", "--name", podName})
+		podCreate.WaitWithDefaultTimeout()
+		Expect(podCreate).Should(Exit(0))
+
+		ctrName := "ctr-name"
+		session := podmanTest.Podman([]string{"run", "--pod", podName, "-d", "--stop-signal", "9", "--name", ctrName, fedoraMinimal, "sleep", "600"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+
+		// container inside pod inherits user form infra container if --user is not set
+		// etc/passwd entry will look like 1000:*:1000:1000:container user:/:/bin/sh
+		exec1 := podmanTest.Podman([]string{"exec", ctrName, "cat", "/etc/passwd"})
+		exec1.WaitWithDefaultTimeout()
+		Expect(exec1).Should(Exit(0))
+		Expect(exec1.OutputToString()).To(ContainSubstring("container"))
+
+		exec2 := podmanTest.Podman([]string{"exec", ctrName, "useradd", "testuser"})
+		exec2.WaitWithDefaultTimeout()
+		Expect(exec2).Should(Exit(0))
+
+		exec3 := podmanTest.Podman([]string{"exec", ctrName, "cat", "/etc/passwd"})
+		exec3.WaitWithDefaultTimeout()
+		Expect(exec3).Should(Exit(0))
+		Expect(exec3.OutputToString()).To(ContainSubstring("testuser"))
+	})
+
+	It("podman pod create with --userns=auto", func() {
+		u, err := user.Current()
+		Expect(err).To(BeNil())
+		name := u.Name
+		if name == "root" {
+			name = "containers"
+		}
+
+		content, err := ioutil.ReadFile("/etc/subuid")
+		if err != nil {
+			Skip("cannot read /etc/subuid")
+		}
+		if !strings.Contains(string(content), name) {
+			Skip("cannot find mappings for the current user")
+		}
+
+		m := make(map[string]string)
+		for i := 0; i < 5; i++ {
+			podName := "testPod" + strconv.Itoa(i)
+			podCreate := podmanTest.Podman([]string{"pod", "create", "--userns=auto", "--name", podName})
+			podCreate.WaitWithDefaultTimeout()
+			Expect(podCreate).Should(Exit(0))
+
+			session := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/uid_map"})
+			session.WaitWithDefaultTimeout()
+			Expect(session).Should(Exit(0))
+			l := session.OutputToString()
+			Expect(strings.Contains(l, "1024")).To(BeTrue())
+			m[l] = l
+		}
+		// check for no duplicates
+		Expect(len(m)).To(Equal(5))
+	})
+
+	It("podman pod create --userns=auto:size=%d", func() {
+		u, err := user.Current()
+		Expect(err).To(BeNil())
+
+		name := u.Name
+		if name == "root" {
+			name = "containers"
+		}
+
+		content, err := ioutil.ReadFile("/etc/subuid")
+		if err != nil {
+			Skip("cannot read /etc/subuid")
+		}
+		if !strings.Contains(string(content), name) {
+			Skip("cannot find mappings for the current user")
+		}
+
+		podName := "testPod"
+		podCreate := podmanTest.Podman([]string{"pod", "create", "--userns=auto:size=500", "--name", podName})
+		podCreate.WaitWithDefaultTimeout()
+		Expect(podCreate).Should(Exit(0))
+		session := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/uid_map"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		ok, _ := session.GrepString("500")
+
+		podName = "testPod-1"
+		podCreate = podmanTest.Podman([]string{"pod", "create", "--userns=auto:size=3000", "--name", podName})
+		podCreate.WaitWithDefaultTimeout()
+		Expect(podCreate).Should(Exit(0))
+		session = podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/uid_map"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		ok, _ = session.GrepString("3000")
+
+		Expect(ok).To(BeTrue())
+	})
+
+	It("podman pod create --userns=auto:uidmapping=", func() {
+		u, err := user.Current()
+		Expect(err).To(BeNil())
+
+		name := u.Name
+		if name == "root" {
+			name = "containers"
+		}
+
+		content, err := ioutil.ReadFile("/etc/subuid")
+		if err != nil {
+			Skip("cannot read /etc/subuid")
+		}
+		if !strings.Contains(string(content), name) {
+			Skip("cannot find mappings for the current user")
+		}
+
+		podName := "testPod"
+		podCreate := podmanTest.Podman([]string{"pod", "create", "--userns=auto:uidmapping=0:0:1", "--name", podName})
+		podCreate.WaitWithDefaultTimeout()
+		Expect(podCreate).Should(Exit(0))
+		session := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/uid_map"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		output := session.OutputToString()
+		Expect(output).To(MatchRegexp("\\s0\\s0\\s1"))
+
+		podName = "testPod-1"
+		podCreate = podmanTest.Podman([]string{"pod", "create", "--userns=auto:size=8192,uidmapping=0:0:1", "--name", podName})
+		podCreate.WaitWithDefaultTimeout()
+		Expect(podCreate).Should(Exit(0))
+		session = podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/uid_map"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		ok, _ := session.GrepString("8191")
+		Expect(ok).To(BeTrue())
+	})
+
+	It("podman pod create --userns=auto:gidmapping=", func() {
+		u, err := user.Current()
+		Expect(err).To(BeNil())
+
+		name := u.Name
+		if name == "root" {
+			name = "containers"
+		}
+
+		content, err := ioutil.ReadFile("/etc/subuid")
+		if err != nil {
+			Skip("cannot read /etc/subuid")
+		}
+		if !strings.Contains(string(content), name) {
+			Skip("cannot find mappings for the current user")
+		}
+
+		podName := "testPod"
+		podCreate := podmanTest.Podman([]string{"pod", "create", "--userns=auto:gidmapping=0:0:1", "--name", podName})
+		podCreate.WaitWithDefaultTimeout()
+		Expect(podCreate).Should(Exit(0))
+		session := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/gid_map"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		output := session.OutputToString()
+		Expect(output).To(MatchRegexp("\\s0\\s0\\s1"))
+
+		podName = "testPod-1"
+		podCreate = podmanTest.Podman([]string{"pod", "create", "--userns=auto:size=8192,gidmapping=0:0:1", "--name", podName})
+		podCreate.WaitWithDefaultTimeout()
+		Expect(podCreate).Should(Exit(0))
+		session = podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/proc/self/gid_map"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		ok, _ := session.GrepString("8191")
+		Expect(ok).To(BeTrue())
+	})
+
 })
author	openshift-ci[bot] <75433959+openshift-ci[bot]@users.noreply.github.com>	2021-08-10 12:55:52 +0000
committer	GitHub <noreply@github.com>	2021-08-10 12:55:52 +0000
commit	e136ad485c626e09e361c37bbd529bb599448ac0 (patch)
tree	e3b1c0a96222831481de1358e13dbb086185a9d3 /test
parent	6f61e229911e399d92f8fbe0574654f308f73b39 (diff)
parent	221b1add74e17ded10e8f2f832a53065578aa264 (diff)
download	podman-e136ad485c626e09e361c37bbd529bb599448ac0.tar.gz podman-e136ad485c626e09e361c37bbd529bb599448ac0.tar.bz2 podman-e136ad485c626e09e361c37bbd529bb599448ac0.zip