-rw-r--r-- | .papr.yml | 23 | ||||
-rw-r--r-- | .papr_prepare.sh | 5 | ||||
-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | cmd/podman/spec.go | 19 | ||||
-rw-r--r-- | test/e2e/libpod_suite_test.go | 20 | ||||
-rw-r--r-- | test/e2e/run_privileged_test.go | 7 |
6 files changed, 57 insertions, 19 deletions
@@ -15,6 +15,7 @@ timeout: 45m
 tests:
 - sh .papr_prepare.sh
+context: "FAH27"
 ---
 inherit: true
@@ -31,4 +32,24 @@ extra-repos:
 baseurl: https://cbs.centos.org/repos/virt7-container-common-candidate/$basearch/os
 gpgcheck: 0
-context: centos/7/atomic/smoketested
+context: "CAH smoketested"
+
+---
+
+inherit: true
+host:
+ distro: fedora/27/cloud
+ specs:
+ ram: 8192
+ cpus: 4
+extra-repos:
+ - name: crio_copr
+ baseurl: https://copr-be.cloud.fedoraproject.org/results/baude/Upstream_CRIO_Family/fedora-27-x86_64/
+ gpgcheck: 0
+packages:
+ - podman
+ - buildah
+tests:
+ - CONTAINER_RUNTIME="podman" sh .papr_prepare.sh
+required: false
+context: "Fedora fedora/27/cloud Podman"
diff --git a/.papr_prepare.sh b/.papr_prepare.sh
index b30abfc66..6fa8eb84d 100644
--- a/.papr_prepare.sh
+++ b/.papr_prepare.sh
@@ -2,6 +2,7 @@
 set -xeuo pipefail
 DIST=${DIST:=Fedora}
+CONTAINER_RUNTIME=${CONTAINER_RUNTIME:=docker}
 IMAGE=fedorapodmanbuild
 PYTHON=python3
 if [[ ${DIST} != "Fedora" ]]; then
@@ -10,7 +11,7 @@ if [[ ${DIST} != "Fedora" ]]; then
 fi
 # Build the test image
-docker build -t ${IMAGE} -f Dockerfile.${DIST} .
+${CONTAINER_RUNTIME} build -t ${IMAGE} -f Dockerfile.${DIST} .
 # Run the tests
-docker run --rm --privileged -v $PWD:/go/src/github.com/projectatomic/libpod --workdir /go/src/github.com/projectatomic/libpod -e PYTHON=$PYTHON -e STORAGE_OPTIONS="--storage-driver=vfs" -e CRIO_ROOT="/go/src/github.com/projectatomic/libpod" -e PODMAN_BINARY="/usr/bin/podman" -e CONMON_BINARY="/usr/libexec/crio/conmon" -e DIST=$DIST $IMAGE sh .papr.sh
+${CONTAINER_RUNTIME} run --rm --privileged --net=host -v $PWD:/go/src/github.com/projectatomic/libpod --workdir /go/src/github.com/projectatomic/libpod -e PYTHON=$PYTHON -e STORAGE_OPTIONS="--storage-driver=vfs" -e CRIO_ROOT="/go/src/github.com/projectatomic/libpod" -e PODMAN_BINARY="/usr/bin/podman" -e CONMON_BINARY="/usr/libexec/crio/conmon" -e DIST=$DIST $IMAGE sh .papr.sh
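Review bot: The Fedora 27 job added in the second `.papr.yml` hunk installs `podman` and `buildah` from the `crio_copr` repository with `gpgcheck: 0`, so the binaries that this job then uses as its container runtime are never signature-checked. The baseurl is HTTPS, which protects the transfer but not against a replaced or tampered build in what appears to be a per-user COPR project. If the repository publishes a signing key, prefer `gpgcheck: 1` with that key configured; otherwise record the exception next to the setting, for example `# unsigned COPR build, used for CI only`.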
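Review bot: `--net=host` is added to a run that is already `--privileged` and bind-mounts `$PWD`, which places the test container in the host's network namespace, and nothing in the hunk records which tests need it. A comment above the run line stating the reason, for example `# --net=host: <reason the e2e tests need host networking>`, would let a later reader decide whether it can be dropped. `${CONTAINER_RUNTIME}` also comes straight from the environment and is expanded unquoted as the command word in both the build and run lines; since only two values are intended, a guard such as `case "${CONTAINER_RUNTIME}" in docker|podman) ;; *) echo "unsupported CONTAINER_RUNTIME" >&2; exit 1 ;; esac` after the default assignment keeps the script from executing an arbitrary string.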
@@ -120,7 +120,7 @@ ginkgo:
 ginkgo -v test/e2e/
 localintegration: test-binaries
- ginkgo -v -cover -flakeAttempts 3 -progress -trace test/e2e/.
+ ginkgo -v -cover -flakeAttempts 3 -progress -trace -noColor test/e2e/.
 vagrant-check:
 BOX=$(BOX) sh ./vagrant.sh
diff --git a/cmd/podman/spec.go b/cmd/podman/spec.go
index c5ed2c0d4..e78118b2f 100644
--- a/cmd/podman/spec.go
+++ b/cmd/podman/spec.go
@@ -124,13 +124,9 @@ func addRlimits(config *createConfig, g *generate.Generator) error {
 func setupCapabilities(config *createConfig, configSpec *spec.Spec) error {
 var err error
 var caplist []string
- if config.Privileged {
- caplist = caps.GetAllCapabilities()
- } else {
- caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop)
- if err != nil {
- return err
- }
+ caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop)
+ if err != nil {
+ return err
 }
 configSpec.Process.Capabilities.Bounding = caplist
@@ -163,6 +159,7 @@ func addDevice(g *generate.Generator, device string) error {
 func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 cgroupPerm := "ro"
 g := generate.New()
+ g.HostSpecific = true
 if config.Privileged {
 cgroupPerm = "rw"
 g.RemoveMount("/sys")
@@ -319,8 +316,12 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 // HANDLE CAPABILITIES
 // NOTE: Must happen before SECCOMP
- if err := setupCapabilities(config, configSpec); err != nil {
- return nil, err
+ if !config.Privileged {
+ if err := setupCapabilities(config, configSpec); err != nil {
+ return nil, err
+ }
+ } else {
+ g.SetupPrivileged(true)
 }
 // HANDLE SECCOMP
diff --git a/test/e2e/libpod_suite_test.go b/test/e2e/libpod_suite_test.go
index afe91134e..c479a6cef 100644
--- a/test/e2e/libpod_suite_test.go
+++ b/test/e2e/libpod_suite_test.go
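Review bot: `setupCapabilities` no longer looks at `config.Privileged`, so it is only correct for privileged containers if every caller skips it, as the hunk at line 316 does. A later caller that forgets the guard would hand a privileged container the tweaked default bounding set without any error. A doc comment would record that contract, for example `// setupCapabilities applies config.CapAdd and config.CapDrop to the spec's capability list; callers must not use it for privileged containers.` With the branch gone, the two `var` declarations can also collapse into `caplist, err := caps.TweakCapabilities(...)`. The function body continues past the end of the hunk.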
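Review bot: In the new `else` branch of the hunk at line 316, `config.CapAdd` and `config.CapDrop` are never consulted, so a request that combines privileged mode with a capability drop is accepted and the drop is silently ignored. The removed code behaved the same way, but this branch is now the natural place to either reject the combination or state that it is intentional. As far as I know, `g.SetupPrivileged(true)` in runtime-tools also clears the seccomp profile and the SELinux and AppArmor labels on the spec in addition to granting all capabilities, so it is worth confirming that the SECCOMP handling just below the hunk and any label set earlier still behave as intended for privileged containers. A comment such as `// privileged: all host-supported capabilities and no seccomp/LSM confinement; relies on g.HostSpecific` would also explain the otherwise unexplained `g.HostSpecific = true` in the hunk at line 159. `createConfigToOCISpec` starts and ends outside the hunk.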
@@ -460,3 +460,23 @@ func (p *PodmanTest) BuildImage(dockerfile, imageName string) {
 session.Wait(120)
 Expect(session.ExitCode()).To(Equal(0))
 }
+
+//GetHostDistribution returns the dist in string format. If the
+//distribution cannot be determined, an empty string will be returned.
+func (p *PodmanTest) GetHostDistribution() string {
+ content, err := ioutil.ReadFile("/etc/os-release")
+ if err != nil {
+ return ""
+ }
+ for _, line := range content {
+ if strings.HasPrefix(fmt.Sprintf("%s", line), "ID") {
+ fields := strings.Split(fmt.Sprintf("%s", line), "=")
+ if len(fields) < 2 {
+ return ""
+ }
+ return strings.Trim(fields[1], "\"")
+
+ }
+ }
+ return ""
+}
diff --git a/test/e2e/run_privileged_test.go b/test/e2e/run_privileged_test.go
index b53be15f0..430698ba1 100644
--- a/test/e2e/run_privileged_test.go
+++ b/test/e2e/run_privileged_test.go
@@ -61,16 +61,11 @@ var _ = Describe("Podman privileged container tests", func() {
 })
 It("podman cap-drop CapEff", func() {
- cap := podmanTest.SystemExec("grep", []string{"CapAmb", "/proc/self/status"})
- cap.WaitWithDefaultTimeout()
- Expect(cap.ExitCode()).To(Equal(0))
 session := podmanTest.Podman([]string{"run", "--cap-drop", "all", "busybox", "grep", "CapEff", "/proc/self/status"})
 session.WaitWithDefaultTimeout()
 Expect(session.ExitCode()).To(Equal(0))
-
- capAmp := strings.Split(cap.OutputToString(), " ")
 capEff := strings.Split(session.OutputToString(), " ")
- Expect(capAmp[1]).To(Equal(capEff[1]))
+ Expect("0000000000000000").To(Equal(capEff[1]))
 })
 It("podman non-privileged should have very few devices", func() { |
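Review bot: `GetHostDistribution` always returns the empty string, because `ioutil.ReadFile` returns a `[]byte` and `for _, line := range content` therefore walks single bytes, not lines. `fmt.Sprintf("%s", line)` on a byte yields a `%!s(uint8=…)` string that never starts with `ID`, so any test that branches on the distribution will quietly take the "unknown" path. The bare `"ID"` prefix would also match `ID_LIKE=` once real lines are compared. The loop should split the content on newlines and match `ID=` exactly, as in the sketch below.

```go
func (p *PodmanTest) GetHostDistribution() string {
	// … unchanged: read /etc/os-release into content, return "" on error …
	for _, line := range strings.Split(string(content), "\n") {
		if strings.HasPrefix(line, "ID=") {
			// os-release values may be unquoted, single- or double-quoted.
			return strings.Trim(strings.TrimPrefix(line, "ID="), "\"'")
		}
	}
	return ""
}
```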
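Review bot: `Expect("0000000000000000").To(Equal(capEff[1]))` passes the constant as the actual value and the container's output as the expectation, so a failure report for this capability-drop check will read backwards. The Gomega convention is `Expect(capEff[1]).To(Equal("0000000000000000"))`. `capEff[1]` is also indexed without checking that the split produced two fields, so unexpected output from the container panics the spec instead of failing the assertion; `Expect(capEff).To(HaveLen(2))` on the line before would turn that into a readable failure. The enclosing `Describe` closure starts and ends outside the hunk.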