summaryrefslogtreecommitdiff
path: root/test/system
diff options
context:
space:
mode:
Diffstat (limited to 'test/system')
-rw-r--r--test/system/001-basic.bats7
-rw-r--r--test/system/005-info.bats9
-rw-r--r--test/system/070-build.bats40
-rw-r--r--test/system/270-socket-activation.bats103
-rw-r--r--test/system/410-selinux.bats28
-rw-r--r--test/system/500-networking.bats7
6 files changed, 187 insertions, 7 deletions
diff --git a/test/system/001-basic.bats b/test/system/001-basic.bats
index d276cfda1..081bb1171 100644
--- a/test/system/001-basic.bats
+++ b/test/system/001-basic.bats
@@ -10,6 +10,13 @@ function setup() {
:
}
+@test "podman --context emits reasonable output" {
+ run_podman 125 --context=swarm version
+ is "$output" "Error: Podman does not support swarm, the only --context value allowed is \"default\"" "--context=default or fail"
+
+ run_podman --context=default version
+}
+
@test "podman version emits reasonable output" {
run_podman version
diff --git a/test/system/005-info.bats b/test/system/005-info.bats
index 7452c1901..c0af2e937 100644
--- a/test/system/005-info.bats
+++ b/test/system/005-info.bats
@@ -53,4 +53,13 @@ store.imageStore.number | 1
}
+@test "podman info --storage-opt='' " {
+ skip_if_remote "--storage-opt flag is not supported for remote"
+ skip_if_rootless "storage opts are required for rootless running"
+ run_podman --storage-opt='' info
+ # Note this will not work in rootless mode, unless you specify
+ # storage-driver=vfs, until we have kernels that support rootless overlay
+ # mounts.
+ is "$output" ".*graphOptions: {}" "output includes graphOptions: {}"
+}
# vim: filetype=sh
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index e5b68a0d8..2e97c93e0 100644
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
@@ -712,6 +712,46 @@ EOF
run_podman rmi -f build_test
}
+@test "podman build check_label" {
+ skip_if_no_selinux
+ tmpdir=$PODMAN_TMPDIR/build-test
+ mkdir -p $tmpdir
+ tmpbuilddir=$tmpdir/build
+ mkdir -p $tmpbuilddir
+ dockerfile=$tmpbuilddir/Dockerfile
+ cat >$dockerfile <<EOF
+FROM $IMAGE
+RUN cat /proc/self/attr/current
+EOF
+
+ run_podman build -t build_test --security-opt label=level:s0:c3,c4 --format=docker $tmpbuilddir
+ is "$output" ".*s0:c3,c4STEP 3: COMMIT" "label setting level"
+
+ run_podman rmi -f build_test
+}
+
+@test "podman build check_seccomp_ulimits" {
+ tmpdir=$PODMAN_TMPDIR/build-test
+ mkdir -p $tmpdir
+ tmpbuilddir=$tmpdir/build
+ mkdir -p $tmpbuilddir
+ dockerfile=$tmpbuilddir/Dockerfile
+ cat >$dockerfile <<EOF
+FROM $IMAGE
+RUN grep Seccomp: /proc/self/status |awk '{ print \$1\$2 }'
+RUN grep "Max open files" /proc/self/limits |awk '{ print \$4":"\$5 }'
+EOF
+
+ run_podman build --ulimit nofile=101:102 -t build_test $tmpbuilddir
+ is "$output" ".*Seccomp:2" "setting seccomp"
+ is "$output" ".*101:102" "setting ulimits"
+ run_podman rmi -f build_test
+
+ run_podman build -t build_test --security-opt seccomp=unconfined $tmpbuilddir
+ is "$output" ".*Seccomp:0" "setting seccomp"
+ run_podman rmi -f build_test
+}
+
function teardown() {
# A timeout or other error in 'build' can leave behind stale images
# that podman can't even see and which will cascade into subsequent
diff --git a/test/system/270-socket-activation.bats b/test/system/270-socket-activation.bats
new file mode 100644
index 000000000..25206c6a7
--- /dev/null
+++ b/test/system/270-socket-activation.bats
@@ -0,0 +1,103 @@
+#!/usr/bin/env bats -*- bats -*-
+#
+# Tests podman system service under systemd socket activation
+#
+
+load helpers
+
+SERVICE_NAME="podman_test_$(random_string)"
+
+SYSTEMCTL="systemctl"
+UNIT_DIR="/usr/lib/systemd/system"
+SERVICE_SOCK_ADDR="/run/podman/podman.sock"
+
+if is_rootless; then
+ UNIT_DIR="$HOME/.config/systemd/user"
+ mkdir -p $UNIT_DIR
+
+ SYSTEMCTL="$SYSTEMCTL --user"
+ if [ -z "$XDG_RUNTIME_DIR" ]; then
+ export XDG_RUNTIME_DIR=/run/user/$(id -u)
+ fi
+ SERVICE_SOCK_ADDR="$XDG_RUNTIME_DIR/podman/podman.sock"
+fi
+
+SERVICE_FILE="$UNIT_DIR/$SERVICE_NAME.service"
+SOCKET_FILE="$UNIT_DIR/$SERVICE_NAME.socket"
+
+
+function setup() {
+ skip_if_remote "systemd tests are meaningless over remote"
+
+ basic_setup
+
+ cat > $SERVICE_FILE <<EOF
+[Unit]
+Description=Podman API Service
+Requires=podman.socket
+After=podman.socket
+Documentation=man:podman-system-service(1)
+StartLimitIntervalSec=0
+
+[Service]
+Type=exec
+KillMode=process
+Environment=LOGGING="--log-level=info"
+ExecStart=$PODMAN $LOGGING system service -t 2
+EOF
+ cat > $SOCKET_FILE <<EOF
+[Unit]
+Description=Podman API Socket
+Documentation=man:podman-system-service(1)
+
+[Socket]
+ListenStream=%t/podman/podman.sock
+SocketMode=0660
+
+[Install]
+WantedBy=sockets.target
+EOF
+
+ # ensure pause die before each test runs
+ if is_rootless; then
+ local pause_pid="$XDG_RUNTIME_DIR/libpod/tmp/pause.pid"
+ if [ -f $pause_pid ]; then
+ kill -9 $(cat $pause_pid) 2> /dev/null
+ rm -f $pause_pid
+ fi
+ fi
+ $SYSTEMCTL start "$SERVICE_NAME.socket"
+}
+
+function teardown() {
+ $SYSTEMCTL stop "$SERVICE_NAME.socket"
+ rm -f "$SERVICE_FILE" "$SOCKET_FILE"
+ $SYSTEMCTL daemon-reload
+ basic_teardown
+}
+
+@test "podman system service - socket activation - no container" {
+ run curl -s --max-time 3 --unix-socket $SERVICE_SOCK_ADDR http://podman/libpod/_ping
+ is "$output" "OK" "podman service responses normally"
+}
+
+@test "podman system service - socket activation - exist container " {
+ run_podman run $IMAGE sleep 90
+ run curl -s --max-time 3 --unix-socket $SERVICE_SOCK_ADDR http://podman/libpod/_ping
+ is "$output" "OK" "podman service responses normally"
+}
+
+@test "podman system service - socket activation - kill rootless pause " {
+ if ! is_rootless; then
+ skip "root podman no need pause process"
+ fi
+ run_podman run $IMAGE sleep 90
+ local pause_pid="$XDG_RUNTIME_DIR/libpod/tmp/pause.pid"
+ if [ -f $pause_pid ]; then
+ kill -9 $(cat $pause_pid) 2> /dev/null
+ fi
+ run curl -s --max-time 3 --unix-socket $SERVICE_SOCK_ADDR http://podman/libpod/_ping
+ is "$output" "OK" "podman service responses normally"
+}
+
+# vim: filetype=sh
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index 4a2c7b7a4..8a690fb48 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -191,5 +191,33 @@ function check_label() {
is "$output" "Error.*: \`/proc/thread-self/attr/exec\`: OCI runtime error: unable to assign security attribute" "useful diagnostic"
}
+@test "podman selinux: check relabel" {
+ skip_if_no_selinux
+
+ LABEL="system_u:object_r:tmp_t:s0"
+ tmpdir=$PODMAN_TMPDIR/vol
+ touch $tmpdir
+ chcon -vR ${LABEL} $tmpdir
+ ls -Z $tmpdir
+
+ run_podman run -v $tmpdir:/test $IMAGE cat /proc/self/attr/current
+ level=$(secon -l $output)
+ run ls -dZ ${tmpdir}
+ is "$output" ${LABEL} "No Relabel Correctly"
+
+ run_podman run -v $tmpdir:/test:Z --security-opt label=disable $IMAGE cat /proc/self/attr/current
+ level=$(secon -l $output)
+ run ls -dZ $tmpdir
+ is "$output" ${LABEL} "No Privileged Relabel Correctly"
+
+ run_podman run -v $tmpdir:/test:Z $IMAGE cat /proc/self/attr/current
+ level=$(secon -l $output)
+ run ls -dZ $tmpdir
+ is "$output" "system_u:object_r:container_file_t:$level" "Confined Relabel Correctly"
+
+ run_podman run -v $tmpdir:/test:z $IMAGE cat /proc/self/attr/current
+ run ls -dZ $tmpdir
+ is "$output" "system_u:object_r:container_file_t:s0" "Shared Relabel Correctly"
+}
# vim: filetype=sh
diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats
index 4868ad6a0..804dd46b1 100644
--- a/test/system/500-networking.bats
+++ b/test/system/500-networking.bats
@@ -143,13 +143,6 @@ load helpers
run_podman network rm $mynetname
run_podman 1 network rm $mynetname
-
- # rootless CNI leaves behind an image pulled by SHA, hence with no tag.
- # Remove it if present; we can only remove it by ID.
- run_podman images --format '{{.Id}}' rootless-cni-infra
- if [ -n "$output" ]; then
- run_podman rmi $output
- fi
}
@test "podman network reload" {