Diffstat (limited to 'test/system')
-rw-r--r-- | test/system/070-build.bats | 40 | ||||
-rw-r--r-- | test/system/270-socket-activation.bats | 103 | ||||
-rw-r--r-- | test/system/500-networking.bats | 7 |
3 files changed, 143 insertions, 7 deletions
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index e5b68a0d8..2e97c93e0 100644
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
@@ -712,6 +712,46 @@ EOF
 run_podman rmi -f build_test
 }
+@test "podman build check_label" {
+ skip_if_no_selinux
+ tmpdir=$PODMAN_TMPDIR/build-test
+ mkdir -p $tmpdir
+ tmpbuilddir=$tmpdir/build
+ mkdir -p $tmpbuilddir
+ dockerfile=$tmpbuilddir/Dockerfile
+ cat >$dockerfile <<EOF
+FROM $IMAGE
+RUN cat /proc/self/attr/current
+EOF
+
+ run_podman build -t build_test --security-opt label=level:s0:c3,c4 --format=docker $tmpbuilddir
+ is "$output" ".*s0:c3,c4STEP 3: COMMIT" "label setting level"
+
+ run_podman rmi -f build_test
+}
+
+@test "podman build check_seccomp_ulimits" {
+ tmpdir=$PODMAN_TMPDIR/build-test
+ mkdir -p $tmpdir
+ tmpbuilddir=$tmpdir/build
+ mkdir -p $tmpbuilddir
+ dockerfile=$tmpbuilddir/Dockerfile
+ cat >$dockerfile <<EOF
+FROM $IMAGE
+RUN grep Seccomp: /proc/self/status |awk '{ print \$1\$2 }'
+RUN grep "Max open files" /proc/self/limits |awk '{ print \$4":"\$5 }'
+EOF
+
+ run_podman build --ulimit nofile=101:102 -t build_test $tmpbuilddir
+ is "$output" ".*Seccomp:2" "setting seccomp"
+ is "$output" ".*101:102" "setting ulimits"
+ run_podman rmi -f build_test
+
+ run_podman build -t build_test --security-opt seccomp=unconfined $tmpbuilddir
+ is "$output" ".*Seccomp:0" "setting seccomp"
+ run_podman rmi -f build_test
+}
+
 function teardown() {
 # A timeout or other error in 'build' can leave behind stale images
 # that podman can't even see and which will cascade into subsequent
diff --git a/test/system/270-socket-activation.bats b/test/system/270-socket-activation.bats
new file mode 100644
index 000000000..25206c6a7
--- /dev/null
+++ b/test/system/270-socket-activation.bats
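Review bot: The two seccomp assertions in `check_seccomp_ulimits` share the description "setting seccomp", so a failure does not say whether the default profile or the `seccomp=unconfined` case regressed; distinct texts such as `"default build runs with seccomp filter"` and `"seccomp=unconfined disables seccomp"` would help. A short comment before the Dockerfile heredoc, `# Seccomp: in /proc/self/status is 0 (disabled), 1 (strict) or 2 (filter)`, would explain the expected values. The second build reuses the same context and Dockerfile, so it seems to rely on the preceding `rmi -f` having dropped every cached layer; adding `--no-cache` to that `run_podman build` would make the re-execution of the `RUN` steps explicit. In both new tests `$tmpdir`, `$tmpbuilddir` and `$dockerfile` are expanded unquoted.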
@@ -0,0 +1,103 @@
+#!/usr/bin/env bats -*- bats -*-
+#
+# Tests podman system service under systemd socket activation
+#
+
+load helpers
+
+SERVICE_NAME="podman_test_$(random_string)"
+
+SYSTEMCTL="systemctl"
+UNIT_DIR="/usr/lib/systemd/system"
+SERVICE_SOCK_ADDR="/run/podman/podman.sock"
+
+if is_rootless; then
+ UNIT_DIR="$HOME/.config/systemd/user"
+ mkdir -p $UNIT_DIR
+
+ SYSTEMCTL="$SYSTEMCTL --user"
+ if [ -z "$XDG_RUNTIME_DIR" ]; then
+ export XDG_RUNTIME_DIR=/run/user/$(id -u)
+ fi
+ SERVICE_SOCK_ADDR="$XDG_RUNTIME_DIR/podman/podman.sock"
+fi
+
+SERVICE_FILE="$UNIT_DIR/$SERVICE_NAME.service"
+SOCKET_FILE="$UNIT_DIR/$SERVICE_NAME.socket"
+
+
+function setup() {
+ skip_if_remote "systemd tests are meaningless over remote"
+
+ basic_setup
+
+ cat > $SERVICE_FILE <<EOF
+[Unit]
+Description=Podman API Service
+Requires=podman.socket
+After=podman.socket
+Documentation=man:podman-system-service(1)
+StartLimitIntervalSec=0
+
+[Service]
+Type=exec
+KillMode=process
+Environment=LOGGING="--log-level=info"
+ExecStart=$PODMAN $LOGGING system service -t 2
+EOF
+ cat > $SOCKET_FILE <<EOF
+[Unit]
+Description=Podman API Socket
+Documentation=man:podman-system-service(1)
+
+[Socket]
+ListenStream=%t/podman/podman.sock
+SocketMode=0660
+
+[Install]
+WantedBy=sockets.target
+EOF
+
+ # ensure pause die before each test runs
+ if is_rootless; then
+ local pause_pid="$XDG_RUNTIME_DIR/libpod/tmp/pause.pid"
+ if [ -f $pause_pid ]; then
+ kill -9 $(cat $pause_pid) 2> /dev/null
+ rm -f $pause_pid
+ fi
+ fi
+ $SYSTEMCTL start "$SERVICE_NAME.socket"
+}
+
+function teardown() {
+ $SYSTEMCTL stop "$SERVICE_NAME.socket"
+ rm -f "$SERVICE_FILE" "$SOCKET_FILE"
+ $SYSTEMCTL daemon-reload
+ basic_teardown
+}
+
+@test "podman system service - socket activation - no container" {
+ run curl -s --max-time 3 --unix-socket $SERVICE_SOCK_ADDR http://podman/libpod/_ping
+ is "$output" "OK" "podman service responses normally"
+}
+
+@test "podman system service - socket activation - exist container 
" {
+ run_podman run $IMAGE sleep 90
+ run curl -s --max-time 3 --unix-socket $SERVICE_SOCK_ADDR http://podman/libpod/_ping
+ is "$output" "OK" "podman service responses normally"
+}
+
+@test "podman system service - socket activation - kill rootless pause " {
+ if ! is_rootless; then
+ skip "root podman no need pause process"
+ fi
+ run_podman run $IMAGE sleep 90
+ local pause_pid="$XDG_RUNTIME_DIR/libpod/tmp/pause.pid"
+ if [ -f $pause_pid ]; then
+ kill -9 $(cat $pause_pid) 2> /dev/null
+ fi
+ run curl -s --max-time 3 --unix-socket $SERVICE_SOCK_ADDR http://podman/libpod/_ping
+ is "$output" "OK" "podman service responses normally"
+}
+
+# vim: filetype=sh
diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats
index 4868ad6a0..804dd46b1 100644
--- a/test/system/500-networking.bats
+++ b/test/system/500-networking.bats
@@ -143,13 +143,6 @@ load helpers
 run_podman network rm $mynetname
 run_podman 1 network rm $mynetname
-
- # rootless CNI leaves behind an image pulled by SHA, hence with no tag.
- # Remove it if present; we can only remove it by ID.
- run_podman images --format '{{.Id}}' rootless-cni-infra
- if [ -n "$output" ]; then
- run_podman rmi $output
- fi
 }
 @test "podman network reload" { |
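Review bot: The generated units are wired to the host's real Podman socket rather than to the randomly named pair created here: the service declares `Requires=podman.socket`/`After=podman.socket` and the socket unit listens on `%t/podman/podman.sock`, so on a machine where podman.socket is installed or active the `_ping` may be answered by the host service (or the start may collide with it) instead of the `$PODMAN` under test. Deriving the dependency, the listen path and `SERVICE_SOCK_ADDR` from `$SERVICE_NAME`, as in the fence below, keeps the test self-contained and off the production socket path. In the same heredoc `$LOGGING` is expanded by the shell when the file is written, because the `EOF` delimiter is unquoted, so the `Environment=LOGGING=` line has no effect unless the reference is escaped as `\$LOGGING`. Two smaller things: as root the units are written into `/usr/lib/systemd/system`, the packaged-unit directory, where `/run/systemd/system` would be the transient location, and `run_podman run $IMAGE sleep 90` has no `-d`, so it appears to block for the whole sleep and leave no running container by the time curl runs.

```shell
SERVICE_SOCK_ADDR="/run/podman/$SERVICE_NAME.sock"
# … unchanged: rootless UNIT_DIR, SYSTEMCTL and XDG_RUNTIME_DIR setup …
    SERVICE_SOCK_ADDR="$XDG_RUNTIME_DIR/podman/$SERVICE_NAME.sock"
# … unchanged: SERVICE_FILE / SOCKET_FILE, start of setup() and the service [Unit] header …
Requires=$SERVICE_NAME.socket
After=$SERVICE_NAME.socket
# … unchanged: Documentation, StartLimitIntervalSec and the [Service] settings …
ExecStart=$PODMAN \$LOGGING system service -t 2
# … unchanged: socket unit [Unit] section …
ListenStream=%t/podman/$SERVICE_NAME.sock
```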