aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--CONTRIBUTING.md6
-rw-r--r--docs/source/markdown/podman-system-service.1.md4
-rw-r--r--test/system/070-build.bats2
-rw-r--r--test/system/250-systemd.bats33
-rw-r--r--test/system/410-selinux.bats6
5 files changed, 36 insertions, 15 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 271c130c9..6b63c7b5a 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -93,7 +93,7 @@ You need install some dependencies before building a binary.
#### Fedora
```shell
- $ sudo dnf install gpgme-devel libseccomp-devel.x86_64 libseccomp-devel.x86_64 systemd-devel
+ $ sudo dnf install gpgme-devel libseccomp-devel.x86_64 systemd-devel
$ export PKG_CONFIG_PATH="/usr/lib/pkgconfig"
```
@@ -103,8 +103,8 @@ To test your changes do `make binaries` to generate your binaries.
Your binaries are created inside the `bin/` directory and you can test your changes:
```shell
-$ bin/podman -h
-bin/podman -h
+$ bin/podman --help
+bin/podman --help
NAME:
podman - manage pods and images
diff --git a/docs/source/markdown/podman-system-service.1.md b/docs/source/markdown/podman-system-service.1.md
index 176d73eda..99fde8ce4 100644
--- a/docs/source/markdown/podman-system-service.1.md
+++ b/docs/source/markdown/podman-system-service.1.md
@@ -21,6 +21,10 @@ The REST API provided by **podman system service** is split into two parts: a co
Documentation for the latter is available at *https://docs.podman.io/en/latest/_static/api.html*.
Both APIs are versioned, but the server will not reject requests with an unsupported version set.
+Please note that the API grants full access to Podman's capabilities, and as such should be treated as allowing arbitrary code execution as the user running the API.
+As such, we strongly recommend against making the API socket available via the network.
+The default configuration (a Unix socket with permissions set to only allow the user running Podman) is the most secure way of running the API.
+
Note: The default systemd unit files (system and user) change the log-level option to *info* from *error*. This change provides additional information on each API call.
## OPTIONS
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index ac41dd84d..9fddbaa21 100644
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
@@ -762,7 +762,7 @@ EOF
is "$output" "[no instance of 'Using cache']" "no cache used"
fi
- run_podman rmi -a --force
+ run_podman rmi -f build_test
}
# Caveat lector: this test was mostly copy-pasted from buildah in #9275.
diff --git a/test/system/250-systemd.bats b/test/system/250-systemd.bats
index cf57d2589..e251e8a6d 100644
--- a/test/system/250-systemd.bats
+++ b/test/system/250-systemd.bats
@@ -27,7 +27,6 @@ function teardown() {
rm -f "$UNIT_FILE"
systemctl daemon-reload
fi
- run_podman rmi -a
basic_teardown
}
@@ -53,10 +52,17 @@ function service_setup() {
# Helper to stop a systemd service running a container
function service_cleanup() {
- local status=$1
run systemctl stop "$SERVICE_NAME"
assert $status -eq 0 "Error stopping systemd unit $SERVICE_NAME: $output"
+ # Regression test for #11304: confirm that unit stops into correct state
+ local expected_state="$1"
+ if [[ -n "$expected_state" ]]; then
+ run systemctl show --property=ActiveState "$SERVICE_NAME"
+ assert "$output" = "ActiveState=$expected_state" \
+ "state of service after systemctl stop"
+ fi
+
run systemctl disable "$SERVICE_NAME"
assert $status -eq 0 "Error disabling systemd unit $SERVICE_NAME: $output"
@@ -88,26 +94,28 @@ function service_cleanup() {
@test "podman autoupdate local" {
# Note that the entrypoint may be a JSON string which requires preserving the quotes (see #12477)
cname=$(random_string)
- run_podman create --name $cname --label "io.containers.autoupdate=local" --entrypoint '["top"]' $IMAGE
+
+ # Create a scratch image (copy of our regular one)
+ image_copy=base$(random_string | tr A-Z a-z)
+ run_podman tag $IMAGE $image_copy
+
+ # Create a container based on that
+ run_podman create --name $cname --label "io.containers.autoupdate=local" --entrypoint '["top"]' $image_copy
# Start systemd service to run this container
service_setup
# Give container time to start; make sure output looks top-like
- sleep 2
- run_podman logs $cname
- is "$output" ".*Load average:.*" "running container 'top'-like output"
-
- # Save the container id before updating
- run_podman ps --format '{{.ID}}'
+ wait_for_output 'Load average' $cname
# Run auto-update and check that it restarted the container
- run_podman commit --change "CMD=/bin/bash" $cname $IMAGE
+ run_podman commit --change "CMD=/bin/bash" $cname $image_copy
run_podman auto-update
is "$output" ".*$SERVICE_NAME.*" "autoupdate local restarted container"
# All good. Stop service, clean up.
service_cleanup
+ run_podman rmi $image_copy
}
# These tests can fail in dev. environment because of SELinux.
@@ -235,6 +243,7 @@ LISTEN_FDNAMES=listen_fdnames" | sort)
run_podman rm -f $cname
run_podman pod rm -f $podname
+ run_podman rmi $(pause_image)
}
@test "podman generate - systemd template only used on --new" {
@@ -295,6 +304,8 @@ LISTEN_FDNAMES=listen_fdnames" | sort)
unit_file="contrib/systemd/system/${unit_name}"
if [[ -e ${unit_file}.in ]]; then
echo "# [Building & using $unit_name from source]" >&3
+ # Force regenerating unit file (existing one may have /usr/bin path)
+ rm -f $unit_file
BINDIR=$(dirname $PODMAN) make $unit_file
cp $unit_file $UNIT_DIR/$unit_name
fi
@@ -360,6 +371,8 @@ EOF
systemctl stop $service_name
run_podman 1 container exists $service_container
run_podman 1 pod exists test_pod
+ run_podman rmi $(pause_image)
+ rm -f $UNIT_DIR/$unit_name
}
@test "podman-system-service containers survive service stop" {
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index 21ac4cb8f..d437465a4 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -205,7 +205,11 @@ function check_label() {
# from /proc/thread-self/attr/exec`: .* unable to assign
# to /proc/self/attr/keycreate`: .* unable to process
crun) expect="\`/proc/.*\`: OCI runtime error: unable to \(assign\|process\) security attribute" ;;
- runc) expect="OCI runtime error: .*: failed to set /proc/self/attr/keycreate on procfs" ;;
+ # runc 1.1 changed the error message because of new selinux pkg that uses standard os.PathError, see
+ # https://github.com/opencontainers/selinux/pull/148/commits/a5dc47f74c56922d58ead05d1fdcc5f7f52d5f4e
+ # from failed to set /proc/self/attr/keycreate on procfs
+ # to write /proc/self/attr/keycreate: invalid argument
+ runc) expect="OCI runtime error: .*: \(failed to set|write\) /proc/self/attr/keycreate" ;;
*) skip "Unknown runtime '$runtime'";;
esac