summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/tutorials/rootless_tutorial.md2
-rw-r--r--test/e2e/run_security_labels.go4
-rw-r--r--test/e2e/run_test.go6
3 files changed, 8 insertions, 4 deletions
diff --git a/docs/tutorials/rootless_tutorial.md b/docs/tutorials/rootless_tutorial.md
index 6b83f18d9..3b9cbd2d0 100644
--- a/docs/tutorials/rootless_tutorial.md
+++ b/docs/tutorials/rootless_tutorial.md
@@ -95,7 +95,7 @@ If this is required, the administrator must verify that the UID of the user is p
To change its value the administrator can use a call similar to: `sysctl -w "net.ipv4.ping_group_range=0 2000000"`.
-To make the change persistent, the administrator will need to add a file in `/etc/sysctl.d` that contains `net.ipv4.ping_group_range=0 $MAX_UID`.
+To make the change persist, the administrator will need to add a file with the `.conf` file extension in `/etc/sysctl.d` that contains `net.ipv4.ping_group_range=0 $MAX_GID`, where `$MAX_GID` is the highest assignable GID of the user running the container.
## User Actions
diff --git a/test/e2e/run_security_labels.go b/test/e2e/run_security_labels.go
index 7c8597866..2a0b0467d 100644
--- a/test/e2e/run_security_labels.go
+++ b/test/e2e/run_security_labels.go
@@ -130,7 +130,7 @@ var _ = Describe("Podman generate kube", func() {
SkipIfRemote("runlabel not supported on podman-remote")
PodmanDockerfile := `
FROM alpine:latest
-LABEL io.containers.capabilities=chown,mknod`
+LABEL io.containers.capabilities=chown,kill`
image := "podman-caps:podman"
podmanTest.BuildImage(PodmanDockerfile, image, "false")
@@ -145,7 +145,7 @@ LABEL io.containers.capabilities=chown,mknod`
ctr := inspect.InspectContainerToJSON()
caps := strings.Join(ctr[0].EffectiveCaps, ",")
- Expect(caps).To(Equal("CAP_CHOWN,CAP_MKNOD"))
+ Expect(caps).To(Equal("CAP_CHOWN,CAP_KILL"))
})
})
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 2d4f3a42d..292df529c 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -261,6 +261,8 @@ var _ = Describe("Podman run", func() {
})
It("podman run user capabilities test", func() {
+ // We need to ignore the containers.conf on the test distribution for this test
+ os.Setenv("CONTAINERS_CONF", "/dev/null")
session := podmanTest.Podman([]string{"run", "--rm", "--user", "bin", ALPINE, "grep", "CapBnd", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
@@ -293,6 +295,8 @@ var _ = Describe("Podman run", func() {
})
It("podman run user capabilities test with image", func() {
+ // We need to ignore the containers.conf on the test distribution for this test
+ os.Setenv("CONTAINERS_CONF", "/dev/null")
SkipIfRemote("FIXME This should work on podman-remote")
dockerfile := `FROM busybox
USER bin`
@@ -1134,7 +1138,7 @@ USER mail`
It("podman run --device-cgroup-rule", func() {
SkipIfRootless("rootless users are not allowed to mknod")
deviceCgroupRule := "c 42:* rwm"
- session := podmanTest.Podman([]string{"run", "--name", "test", "-d", "--device-cgroup-rule", deviceCgroupRule, ALPINE, "top"})
+ session := podmanTest.Podman([]string{"run", "--cap-add", "mknod", "--name", "test", "-d", "--device-cgroup-rule", deviceCgroupRule, ALPINE, "top"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
session = podmanTest.Podman([]string{"exec", "test", "mknod", "newDev", "c", "42", "1"})