aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.papr.yml23
-rw-r--r--.papr_prepare.sh5
-rw-r--r--Makefile2
-rw-r--r--cmd/podman/spec.go19
-rw-r--r--test/e2e/libpod_suite_test.go20
-rw-r--r--test/e2e/run_privileged_test.go7
6 files changed, 57 insertions, 19 deletions
diff --git a/.papr.yml b/.papr.yml
index e803a4357..88bee2924 100644
--- a/.papr.yml
+++ b/.papr.yml
@@ -15,6 +15,7 @@ timeout: 45m
tests:
- sh .papr_prepare.sh
+context: "FAH27"
---
inherit: true
@@ -31,4 +32,24 @@ extra-repos:
baseurl: https://cbs.centos.org/repos/virt7-container-common-candidate/$basearch/os
gpgcheck: 0
-context: centos/7/atomic/smoketested
+context: "CAH smoketested"
+
+---
+
+inherit: true
+host:
+ distro: fedora/27/cloud
+ specs:
+ ram: 8192
+ cpus: 4
+extra-repos:
+ - name: crio_copr
+ baseurl: https://copr-be.cloud.fedoraproject.org/results/baude/Upstream_CRIO_Family/fedora-27-x86_64/
+ gpgcheck: 0
+packages:
+ - podman
+ - buildah
+tests:
+ - CONTAINER_RUNTIME="podman" sh .papr_prepare.sh
+required: false
+context: "Fedora fedora/27/cloud Podman"
diff --git a/.papr_prepare.sh b/.papr_prepare.sh
index b30abfc66..6fa8eb84d 100644
--- a/.papr_prepare.sh
+++ b/.papr_prepare.sh
@@ -2,6 +2,7 @@
set -xeuo pipefail
DIST=${DIST:=Fedora}
+CONTAINER_RUNTIME=${CONTAINER_RUNTIME:=docker}
IMAGE=fedorapodmanbuild
PYTHON=python3
if [[ ${DIST} != "Fedora" ]]; then
@@ -10,7 +11,7 @@ if [[ ${DIST} != "Fedora" ]]; then
fi
# Build the test image
-docker build -t ${IMAGE} -f Dockerfile.${DIST} .
+${CONTAINER_RUNTIME} build -t ${IMAGE} -f Dockerfile.${DIST} .
# Run the tests
-docker run --rm --privileged -v $PWD:/go/src/github.com/projectatomic/libpod --workdir /go/src/github.com/projectatomic/libpod -e PYTHON=$PYTHON -e STORAGE_OPTIONS="--storage-driver=vfs" -e CRIO_ROOT="/go/src/github.com/projectatomic/libpod" -e PODMAN_BINARY="/usr/bin/podman" -e CONMON_BINARY="/usr/libexec/crio/conmon" -e DIST=$DIST $IMAGE sh .papr.sh
+${CONTAINER_RUNTIME} run --rm --privileged --net=host -v $PWD:/go/src/github.com/projectatomic/libpod --workdir /go/src/github.com/projectatomic/libpod -e PYTHON=$PYTHON -e STORAGE_OPTIONS="--storage-driver=vfs" -e CRIO_ROOT="/go/src/github.com/projectatomic/libpod" -e PODMAN_BINARY="/usr/bin/podman" -e CONMON_BINARY="/usr/libexec/crio/conmon" -e DIST=$DIST $IMAGE sh .papr.sh
diff --git a/Makefile b/Makefile
index a1f495aad..a4ff16978 100644
--- a/Makefile
+++ b/Makefile
@@ -120,7 +120,7 @@ ginkgo:
ginkgo -v test/e2e/
localintegration: test-binaries
- ginkgo -v -cover -flakeAttempts 3 -progress -trace test/e2e/.
+ ginkgo -v -cover -flakeAttempts 3 -progress -trace -noColor test/e2e/.
vagrant-check:
BOX=$(BOX) sh ./vagrant.sh
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index c5ed2c0d4..e78118b2f 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -124,13 +124,9 @@ func addRlimits(config *createConfig, g *generate.Generator) error {
func setupCapabilities(config *createConfig, configSpec *spec.Spec) error {
var err error
var caplist []string
- if config.Privileged {
- caplist = caps.GetAllCapabilities()
- } else {
- caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop)
- if err != nil {
- return err
- }
+ caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop)
+ if err != nil {
+ return err
}
configSpec.Process.Capabilities.Bounding = caplist
@@ -163,6 +159,7 @@ func addDevice(g *generate.Generator, device string) error {
func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
cgroupPerm := "ro"
g := generate.New()
+ g.HostSpecific = true
if config.Privileged {
cgroupPerm = "rw"
g.RemoveMount("/sys")
@@ -319,8 +316,12 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
// HANDLE CAPABILITIES
// NOTE: Must happen before SECCOMP
- if err := setupCapabilities(config, configSpec); err != nil {
- return nil, err
+ if !config.Privileged {
+ if err := setupCapabilities(config, configSpec); err != nil {
+ return nil, err
+ }
+ } else {
+ g.SetupPrivileged(true)
}
// HANDLE SECCOMP
diff --git a/test/e2e/libpod_suite_test.go b/test/e2e/libpod_suite_test.go
index afe91134e..c479a6cef 100644
--- a/test/e2e/libpod_suite_test.go
+++ b/test/e2e/libpod_suite_test.go
@@ -460,3 +460,23 @@ func (p *PodmanTest) BuildImage(dockerfile, imageName string) {
session.Wait(120)
Expect(session.ExitCode()).To(Equal(0))
}
+
+//GetHostDistribution returns the dist in string format. If the
+//distribution cannot be determined, an empty string will be returned.
+func (p *PodmanTest) GetHostDistribution() string {
+ content, err := ioutil.ReadFile("/etc/os-release")
+ if err != nil {
+ return ""
+ }
+ for _, line := range content {
+ if strings.HasPrefix(fmt.Sprintf("%s", line), "ID") {
+ fields := strings.Split(fmt.Sprintf("%s", line), "=")
+ if len(fields) < 2 {
+ return ""
+ }
+ return strings.Trim(fields[1], "\"")
+
+ }
+ }
+ return ""
+}
diff --git a/test/e2e/run_privileged_test.go b/test/e2e/run_privileged_test.go
index b53be15f0..430698ba1 100644
--- a/test/e2e/run_privileged_test.go
+++ b/test/e2e/run_privileged_test.go
@@ -61,16 +61,11 @@ var _ = Describe("Podman privileged container tests", func() {
})
It("podman cap-drop CapEff", func() {
- cap := podmanTest.SystemExec("grep", []string{"CapAmb", "/proc/self/status"})
- cap.WaitWithDefaultTimeout()
- Expect(cap.ExitCode()).To(Equal(0))
session := podmanTest.Podman([]string{"run", "--cap-drop", "all", "busybox", "grep", "CapEff", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
-
- capAmp := strings.Split(cap.OutputToString(), " ")
capEff := strings.Split(session.OutputToString(), " ")
- Expect(capAmp[1]).To(Equal(capEff[1]))
+ Expect("0000000000000000").To(Equal(capEff[1]))
})
It("podman non-privileged should have very few devices", func() {