summaryrefslogtreecommitdiff
path: root/test/system
diff options
context:
space:
mode:
Diffstat (limited to 'test/system')
-rw-r--r--test/system/001-basic.bats19
-rw-r--r--test/system/015-help.bats6
-rw-r--r--test/system/030-run.bats5
-rw-r--r--test/system/035-logs.bats28
-rw-r--r--test/system/045-start.bats4
-rw-r--r--test/system/070-build.bats29
-rw-r--r--test/system/130-kill.bats15
-rw-r--r--test/system/160-volumes.bats38
-rw-r--r--test/system/200-pod.bats30
-rw-r--r--test/system/250-systemd.bats2
-rw-r--r--test/system/270-socket-activation.bats51
-rw-r--r--test/system/272-system-connection.bats156
-rw-r--r--test/system/410-selinux.bats70
-rw-r--r--test/system/500-networking.bats8
14 files changed, 398 insertions, 63 deletions
diff --git a/test/system/001-basic.bats b/test/system/001-basic.bats
index ccc05bb15..03f07d602 100644
--- a/test/system/001-basic.bats
+++ b/test/system/001-basic.bats
@@ -93,6 +93,25 @@ function setup() {
is "$output" "Error: unknown flag: --remote" "podman version --remote"
}
+@test "podman-remote: defaults" {
+ skip_if_remote "only applicable on a local run"
+
+ # By default, podman should include '--remote' in its help output
+ run_podman --help
+ is "$output" ".* --remote " "podman --help includes the --remote option"
+
+ # When it detects CONTAINER_HOST or _CONNECTION, --remote is not an option
+ CONTAINER_HOST=foobar run_podman --help
+ if grep -- " --remote " <<<"$output"; then
+ die "podman --help, with CONTAINER_HOST set, is showing --remote"
+ fi
+
+ CONTAINER_CONNECTION=foobar run_podman --help
+ if grep -- " --remote " <<<"$output"; then
+ die "podman --help, with CONTAINER_CONNECTION set, is showing --remote"
+ fi
+}
+
# Check that just calling "podman-remote" prints the usage message even
# without a running endpoint. Use "podman --remote" for this as this works the same.
@test "podman-remote: check for command usage message without a running endpoint" {
diff --git a/test/system/015-help.bats b/test/system/015-help.bats
index b2c6e2575..a87081687 100644
--- a/test/system/015-help.bats
+++ b/test/system/015-help.bats
@@ -86,6 +86,12 @@ function check_help() {
run_podman 125 "$@" $cmd -l nonexistent-container
is "$output" "Error: .*--latest and \(containers\|pods\|arguments\) cannot be used together" \
"'$command_string' with both -l and container"
+
+ # Combine -l and -a, too (but spell it as --all, because "-a"
+ # means "attach" in podman container start)
+ run_podman 125 "$@" $cmd --all --latest
+ is "$output" "Error: \(--all and --latest cannot be used together\|--all, --latest and containers cannot be used together\|--all, --latest and arguments cannot be used together\|unknown flag\)" \
+ "'$command_string' with both --all and --latest"
fi
fi
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 44c2ee509..2c8d08b99 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -67,6 +67,11 @@ echo $rand | 0 | $rand
is "$output" ".*invalidflag" "failed when passing undefined flags to the runtime"
}
+@test "podman run --memory=0 runtime option" {
+ run_podman run --memory=0 --rm $IMAGE echo hello
+ is "$output" "hello" "failed to run when --memory is set to 0"
+}
+
# 'run --preserve-fds' passes a number of additional file descriptors into the container
@test "podman run --preserve-fds" {
skip_if_remote "preserve-fds is meaningless over remote"
diff --git a/test/system/035-logs.bats b/test/system/035-logs.bats
index 44b66676e..7fb3e62e4 100644
--- a/test/system/035-logs.bats
+++ b/test/system/035-logs.bats
@@ -30,6 +30,17 @@ load helpers
run_podman rm $cid
}
+function _additional_events_backend() {
+ local driver=$1
+ # Since PR#10431, 'logs -f' with journald driver is only supported with journald events backend.
+ if [[ $driver = "journald" ]]; then
+ run_podman info --format '{{.Host.EventLogger}}' >/dev/null
+ if [[ $output != "journald" ]]; then
+ echo "--events-backend journald"
+ fi
+ fi
+}
+
function _log_test_multi() {
local driver=$1
@@ -42,10 +53,12 @@ function _log_test_multi() {
etc='.*'
fi
+ local events_backend=$(_additional_events_backend $driver)
+
# Simple helper to make the container starts, below, easier to read
local -a cid
doit() {
- run_podman run --log-driver=$driver --rm -d --name "$1" $IMAGE sh -c "$2";
+ run_podman ${events_backend} run --log-driver=$driver --rm -d --name "$1" $IMAGE sh -c "$2";
cid+=($(echo "${output:0:12}"))
}
@@ -57,7 +70,7 @@ function _log_test_multi() {
doit c1 "echo a;sleep 10;echo d;sleep 3"
doit c2 "sleep 1;echo b;sleep 2;echo c;sleep 3"
- run_podman logs -f c1 c2
+ run_podman ${events_backend} logs -f c1 c2
is "$output" \
"${cid[0]} a$etc
${cid[1]} b$etc
@@ -187,15 +200,20 @@ function _log_test_follow() {
contentA=$(random_string)
contentB=$(random_string)
contentC=$(random_string)
+ local events_backend=$(_additional_events_backend $driver)
+
+ if [[ -n "${events_backend}" ]]; then
+ skip_if_remote "remote does not support --events-backend"
+ fi
# Note: it seems we need at least three log lines to hit #11461.
- run_podman run --log-driver=$driver --name $cname $IMAGE sh -c "echo $contentA; echo $contentB; echo $contentC"
- run_podman logs -f $cname
+ run_podman ${events_backend} run --log-driver=$driver --name $cname $IMAGE sh -c "echo $contentA; echo $contentB; echo $contentC"
+ run_podman ${events_backend} logs -f $cname
is "$output" "$contentA
$contentB
$contentC" "logs -f on exitted container works"
- run_podman rm -t 0 -f $cname
+ run_podman ${events_backend} rm -t 0 -f $cname
}
@test "podman logs - --follow k8s-file" {
diff --git a/test/system/045-start.bats b/test/system/045-start.bats
index 7e4bbde8d..2ea057cd3 100644
--- a/test/system/045-start.bats
+++ b/test/system/045-start.bats
@@ -36,10 +36,6 @@ load helpers
expected="Error: either start all containers or the container(s) provided in the arguments"
run_podman 125 start --all 12333
is "$output" "$expected" "start --all, with args, throws error"
- if ! is_remote; then
- run_podman 125 start --all --latest
- is "$output" "$expected" "podman start --all --latest"
- fi
}
@test "podman start --filter - start only containers that match the filter" {
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index d3dc14d81..3c47b1f5b 100644
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
@@ -39,6 +39,8 @@ EOF
cat >$dockerfile <<EOF
FROM $IMAGE
RUN echo $rand_content > /$rand_filename
+VOLUME /a/b/c
+VOLUME ['/etc/foo', '/etc/bar']
EOF
run_podman buildx build --load -t build_test --format=docker $tmpdir
@@ -47,6 +49,33 @@ EOF
run_podman run --rm build_test cat /$rand_filename
is "$output" "$rand_content" "reading generated file in image"
+ # Make sure the volumes are created at surprising yet Docker-compatible
+ # destinations (see bugzilla.redhat.com/show_bug.cgi?id=2014149).
+ run_podman run --rm build_test find /[ /etc/bar\] -print
+ is "$output" "/\[
+/\[/etc
+/\[/etc/foo,
+/etc/bar]" "weird VOLUME gets converted to directories with brackets and comma"
+
+ # Now confirm that each volume got a unique device ID
+ run_podman run --rm build_test stat -c '%D' / /a /a/b /a/b/c /\[ /\[/etc /\[/etc/foo, /etc /etc/bar\]
+ # First, the non-volumes should all be the same...
+ is "${lines[0]}" "${lines[1]}" "devnum( / ) = devnum( /a )"
+ is "${lines[0]}" "${lines[2]}" "devnum( / ) = devnum( /a/b )"
+ is "${lines[0]}" "${lines[4]}" "devnum( / ) = devnum( /[ )"
+ is "${lines[0]}" "${lines[5]}" "devnum( / ) = devnum( /[etc )"
+ is "${lines[0]}" "${lines[7]}" "devnum( / ) = devnum( /etc )"
+ is "${lines[6]}" "${lines[8]}" "devnum( /[etc/foo, ) = devnum( /etc/bar] )"
+ # ...then, each volume should be different
+ if [[ "${lines[0]}" = "${lines[3]}" ]]; then
+ die "devnum( / ) (${lines[0]}) = devnum( volume0 ) (${lines[3]}) -- they should differ"
+ fi
+ if [[ "${lines[0]}" = "${lines[6]}" ]]; then
+ die "devnum( / ) (${lines[0]}) = devnum( volume1 ) (${lines[6]}) -- they should differ"
+ fi
+ # FIXME: is this expected? I thought /a/b/c and /[etc/foo, would differ
+ is "${lines[3]}" "${lines[6]}" "devnum( volume0 ) = devnum( volume1 )"
+
run_podman rmi -f build_test
}
diff --git a/test/system/130-kill.bats b/test/system/130-kill.bats
index d85f0a6a9..1ff3a7b61 100644
--- a/test/system/130-kill.bats
+++ b/test/system/130-kill.bats
@@ -6,9 +6,22 @@
load helpers
@test "podman kill - test signal handling in containers" {
+
+ # Prepare for 'logs -f'
+ run_podman info --format '{{.Host.LogDriver}}'
+ log_driver=$output
+ run_podman info --format '{{.Host.EventLogger}}'
+ event_logger=$output
+ opt_log_driver=
+ if [ $log_driver = "journald" ] && [ $event_logger != "journald" ]; then
+ # Since PR#10431, 'logs -f' with journald driver is only supported with journald events backend.
+ # Set '--log driver' temporally because remote doesn't support '--events-backend'.
+ opt_log_driver="--log-driver k8s-file"
+ fi
+
# Start a container that will handle all signals by emitting 'got: N'
local -a signals=(1 2 3 4 5 6 8 10 12 13 14 15 16 20 21 22 23 24 25 26 64)
- run_podman run -d $IMAGE sh -c \
+ run_podman run -d ${opt_log_driver} $IMAGE sh -c \
"for i in ${signals[*]}; do trap \"echo got: \$i\" \$i; done;
echo READY;
while ! test -e /stop; do sleep 0.05; done;
diff --git a/test/system/160-volumes.bats b/test/system/160-volumes.bats
index 490d635e5..43462de36 100644
--- a/test/system/160-volumes.bats
+++ b/test/system/160-volumes.bats
@@ -97,6 +97,14 @@ Labels.l | $mylabel
run_podman volume rm $myvolume
}
+# Removing volumes with --force
+@test "podman volume rm --force" {
+ run_podman run -d --volume myvol:/myvol $IMAGE top
+ cid=$output
+ run_podman 2 volume rm myvol
+ is "$output" "Error: volume myvol is being used by the following container(s): $cid: volume is being used" "should error since container is running"
+ run_podman volume rm myvol --force
+}
# Running scripts (executables) from a volume
@test "podman volume: exec/noexec" {
@@ -202,6 +210,36 @@ EOF
run_podman volume rm my_vol2
}
+# Podman volume user test
+@test "podman volume user test" {
+ is_rootless || skip "only meaningful when run rootless"
+ user="1000:2000"
+ newuser="100:200"
+ tmpdir=${PODMAN_TMPDIR}/volume_$(random_string)
+ mkdir $tmpdir
+ touch $tmpdir/test1
+
+ run_podman run --name user --user $user -v $tmpdir:/data:U $IMAGE stat -c "%u:%g" /data
+ is "$output" "$user" "user should be changed"
+
+ # Now chown the source directory and make sure recursive chown happens
+ run_podman unshare chown -R $newuser $tmpdir
+ run_podman start --attach user
+ is "$output" "$user" "user should be the same"
+
+ # Now chown the file in source directory and make sure recursive chown
+ # doesn't happen
+ run_podman unshare chown -R $newuser $tmpdir/test1
+ run_podman start --attach user
+ is "$output" "$user" "user should be the same"
+ # test1 should still be chowned to $newuser
+ run_podman unshare stat -c "%u:%g" $tmpdir/test1
+ is "$output" "$newuser" "user should not be changed"
+
+ run_podman unshare rm $tmpdir/test1
+ run_podman rm user
+}
+
# Confirm that container sees the correct id
@test "podman volume with --userns=keep-id" {
diff --git a/test/system/200-pod.bats b/test/system/200-pod.bats
index 86f3610ab..09a419914 100644
--- a/test/system/200-pod.bats
+++ b/test/system/200-pod.bats
@@ -60,6 +60,10 @@ function teardown() {
run_podman pod rm -f -t 0 $podid
}
+function rm_podman_pause_image() {
+ run_podman version --format "{{.Server.Version}}-{{.Server.Built}}"
+ run_podman rmi -f "localhost/podman-pause:$output"
+}
@test "podman pod - communicating between pods" {
podname=pod$(random_string)
@@ -100,19 +104,14 @@ function teardown() {
# Clean up. First the nc -l container...
run_podman rm $cid1
- # ...then, from pause container, find the image ID of the pause image...
- run_podman pod inspect --format '{{(index .Containers 0).ID}}' $podname
- pause_cid="$output"
- run_podman container inspect --format '{{.Image}}' $pause_cid
- pause_iid="$output"
-
# ...then rm the pod, then rmi the pause image so we don't leave strays.
run_podman pod rm $podname
- run_podman rmi $pause_iid
# Pod no longer exists
run_podman 1 pod exists $podid
run_podman 1 pod exists $podname
+
+ rm_podman_pause_image
}
@test "podman pod - communicating via /dev/shm " {
@@ -133,6 +132,10 @@ function teardown() {
# Pod no longer exists
run_podman 1 pod exists $podid
run_podman 1 pod exists $podname
+
+ # Pause image hasn't been pulled
+ run_podman 1 image exists k8s.gcr.io/pause:3.5
+ rm_podman_pause_image
}
# Random byte
@@ -303,16 +306,25 @@ EOF
run_podman rm $cid
run_podman pod rm -t 0 -f mypod
run_podman rmi $infra_image
-
}
@test "podman pod create should fail when infra-name is already in use" {
local infra_name="infra_container_$(random_string 10 | tr A-Z a-z)"
- run_podman pod create --infra-name "$infra_name"
+ local pod_name="$(random_string 10 | tr A-Z a-z)"
+
+ # Note that the internal pause image is built even when --infra-image is
+ # set to the K8s one.
+ run_podman pod create --name $pod_name --infra-name "$infra_name" --infra-image "k8s.gcr.io/pause:3.5"
run_podman '?' pod create --infra-name "$infra_name"
if [ $status -eq 0 ]; then
die "Podman should fail when user try to create two pods with the same infra-name value"
fi
+ run_podman pod rm -f $pod_name
+ run_podman images -a
+
+ # Pause image hasn't been pulled
+ run_podman 1 image exists k8s.gcr.io/pause:3.5
+ rm_podman_pause_image
}
# vim: filetype=sh
diff --git a/test/system/250-systemd.bats b/test/system/250-systemd.bats
index 3607c1028..98241c309 100644
--- a/test/system/250-systemd.bats
+++ b/test/system/250-systemd.bats
@@ -153,7 +153,7 @@ function service_cleanup() {
cname3=$(random_string)
run_podman create --restart=on-failure:42 --name $cname3 $IMAGE
run_podman generate systemd --new $cname3
- is "$output" ".*Restart=on-failure.*" "on-failure:xx is parsed correclty"
+ is "$output" ".*Restart=on-failure.*" "on-failure:xx is parsed correctly"
is "$output" ".*StartLimitBurst=42.*" "on-failure:xx is parsed correctly"
run_podman rm -t 0 -f $cname $cname2 $cname3
diff --git a/test/system/270-socket-activation.bats b/test/system/270-socket-activation.bats
index dd439d3ae..6d582be18 100644
--- a/test/system/270-socket-activation.bats
+++ b/test/system/270-socket-activation.bats
@@ -8,14 +8,16 @@ load helpers.systemd
SERVICE_NAME="podman_test_$(random_string)"
-SERVICE_SOCK_ADDR="/run/podman/podman.sock"
+SERVICE_SOCK_ADDR="/run/podman/$SERVICE_NAME.sock"
if is_rootless; then
- SERVICE_SOCK_ADDR="$XDG_RUNTIME_DIR/podman/podman.sock"
+ SERVICE_SOCK_ADDR="$XDG_RUNTIME_DIR/podman/$SERVICE_NAME.sock"
fi
SERVICE_FILE="$UNIT_DIR/$SERVICE_NAME.service"
SOCKET_FILE="$UNIT_DIR/$SERVICE_NAME.socket"
+# URL to use for ping
+_PING=http://placeholder-hostname/libpod/_ping
function setup() {
skip_if_remote "systemd tests are meaningless over remote"
@@ -25,8 +27,8 @@ function setup() {
cat > $SERVICE_FILE <<EOF
[Unit]
Description=Podman API Service
-Requires=podman.socket
-After=podman.socket
+Requires=$SERVICE_NAME.socket
+After=$SERVICE_NAME.socket
Documentation=man:podman-system-service(1)
StartLimitIntervalSec=0
@@ -42,7 +44,7 @@ Description=Podman API Socket
Documentation=man:podman-system-service(1)
[Socket]
-ListenStream=%t/podman/podman.sock
+ListenStream=%t/podman/$SERVICE_NAME.sock
SocketMode=0660
[Install]
@@ -51,10 +53,10 @@ EOF
# ensure pause die before each test runs
if is_rootless; then
- local pause_pid="$XDG_RUNTIME_DIR/libpod/tmp/pause.pid"
- if [ -f $pause_pid ]; then
- kill -9 $(cat $pause_pid) 2> /dev/null
- rm -f $pause_pid
+ local pause_pid_file="$XDG_RUNTIME_DIR/libpod/tmp/pause.pid"
+ if [ -f $pause_pid_file ]; then
+ kill -9 $(< $pause_pid_file) 2> /dev/null
+ rm -f $pause_pid_file
fi
fi
systemctl start "$SERVICE_NAME.socket"
@@ -68,7 +70,9 @@ function teardown() {
}
@test "podman system service - socket activation - no container" {
- run curl -s --max-time 3 --unix-socket $SERVICE_SOCK_ADDR http://podman/libpod/_ping
+ run curl -s --max-time 3 --unix-socket $SERVICE_SOCK_ADDR $_PING
+ echo "curl output: $output"
+ is "$status" "0" "curl exit status"
is "$output" "OK" "podman service responds normally"
}
@@ -76,29 +80,36 @@ function teardown() {
run_podman run -d $IMAGE sleep 90
cid="$output"
- run curl -s --max-time 3 --unix-socket $SERVICE_SOCK_ADDR http://podman/libpod/_ping
+ run curl -s --max-time 3 --unix-socket $SERVICE_SOCK_ADDR $_PING
+ echo "curl output: $output"
+ is "$status" "0" "curl exit status"
is "$output" "OK" "podman service responds normally"
- run_podman stop -t 0 $cid
- run_podman rm -f $cid
+ run_podman rm -f -t 0 $cid
}
@test "podman system service - socket activation - kill rootless pause" {
if ! is_rootless; then
- skip "root podman no need pause process"
+ skip "there is no pause process when running rootful"
fi
run_podman run -d $IMAGE sleep 90
cid="$output"
- local pause_pid="$XDG_RUNTIME_DIR/libpod/tmp/pause.pid"
- if [ -f $pause_pid ]; then
- kill -9 $(cat $pause_pid) 2> /dev/null
+ local pause_pid_file="$XDG_RUNTIME_DIR/libpod/tmp/pause.pid"
+ if [ ! -f $pause_pid_file ]; then
+ # This seems unlikely, but not impossible
+ die "Pause pid file does not exist: $pause_pid_file"
fi
- run curl -s --max-time 3 --unix-socket $SERVICE_SOCK_ADDR http://podman/libpod/_ping
+
+ echo "kill -9 $(< pause_pid_file)"
+ kill -9 $(< $pause_pid_file)
+
+ run curl -s --max-time 3 --unix-socket $SERVICE_SOCK_ADDR $_PING
+ echo "curl output: $output"
+ is "$status" "0" "curl exit status"
is "$output" "OK" "podman service responds normally"
- run_podman stop -t 0 $cid
- run_podman rm -f $cid
+ run_podman rm -f -t 0 $cid
}
# vim: filetype=sh
diff --git a/test/system/272-system-connection.bats b/test/system/272-system-connection.bats
new file mode 100644
index 000000000..14c4f6664
--- /dev/null
+++ b/test/system/272-system-connection.bats
@@ -0,0 +1,156 @@
+#!/usr/bin/env bats -*- bats -*-
+#
+# tests for podman system connection
+#
+
+load helpers
+
+# This will be set if we start a local service
+_SERVICE_PID=
+
+function setup() {
+ if ! is_remote; then
+ skip "only applicable when running remote"
+ fi
+
+ basic_setup
+}
+
+function teardown() {
+ if ! is_remote; then
+ return
+ fi
+
+ # In case test function failed to clean up
+ if [[ -n $_SERVICE_PID ]]; then
+ run kill $_SERVICE_PID
+ fi
+
+ # Aaaaargh! When running as root, 'system service' creates a tmpfs
+ # mount on $root/overlay. This in turn causes cleanup to fail.
+ mount \
+ | grep $PODMAN_TMPDIR \
+ | awk '{print $3}' \
+ | xargs -l1 --no-run-if-empty umount
+
+ # Remove all system connections
+ run_podman system connection rm --all
+
+ basic_teardown
+}
+
+# Helper function: invokes $PODMAN (which is podman-remote) _without_ --url opt
+#
+# Needed because, in CI, PODMAN="/path/to/podman-remote --url /path/to/socket"
+# which of course overrides podman's detection and use of a connection.
+function _run_podman_remote() {
+ PODMAN=${PODMAN%%--url*} run_podman "$@"
+}
+
+# Very basic test, does not actually connect at any time
+@test "podman system connection - basic add / ls / remove" {
+ run_podman system connection ls
+ is "$output" "" "system connection ls: no connections"
+
+ c1="c1_$(random_string 15)"
+ c2="c2_$(random_string 15)"
+
+ run_podman system connection add $c1 tcp://localhost:12345
+ run_podman system connection add --default $c2 tcp://localhost:54321
+ run_podman system connection ls
+ is "$output" \
+ ".*$c1[ ]\+tcp://localhost:12345[ ]\+false
+$c2[ ]\+tcp://localhost:54321[ ]\+true" \
+ "system connection ls"
+
+ # Remove default connection; the remaining one should still not be default
+ run_podman system connection rm $c2
+ run_podman system connection ls
+ is "$output" ".*$c1[ ]\+tcp://localhost:12345[ ]\+false" \
+ "system connection ls (after removing default connection)"
+
+ run_podman system connection rm $c1
+}
+
+# Test tcp socket; requires starting a local server
+@test "podman system connection - tcp" {
+ # Start server
+ _SERVICE_PORT=$(random_free_port 63000-64999)
+
+ # Add the connection, and run podman info *before* starting the service.
+ # This should fail.
+ run_podman system connection add myconnect tcp://localhost:$_SERVICE_PORT
+ # IMPORTANT NOTE: in CI, podman-remote is tested by setting PODMAN
+ # to "podman-remote --url sdfsdf". This of course overrides the default
+ # podman-remote action. Our solution: strip off the "--url xyz" part
+ # when invoking podman.
+ _run_podman_remote 125 info
+ is "$output" \
+ "Cannot connect to Podman. Please verify.*dial tcp.*connection refused" \
+ "podman info, without active service"
+
+ # Start service. Now podman info should work fine. The %%-remote*
+ # converts "podman-remote --opts" to just "podman", which is what
+ # we need for the server.
+ ${PODMAN%%-remote*} --root ${PODMAN_TMPDIR}/root \
+ --runroot ${PODMAN_TMPDIR}/runroot \
+ system service -t 99 tcp:localhost:$_SERVICE_PORT &
+ _SERVICE_PID=$!
+ wait_for_port localhost $_SERVICE_PORT
+
+ # FIXME: #12023, RemoteSocket is always /run/something
+# run_podman info --format '{{.Host.RemoteSocket.Path}}'
+# is "$output" "tcp:localhost:$_SERVICE_PORT" \
+# "podman info works, and talks to the correct server"
+
+ _run_podman_remote info --format '{{.Store.GraphRoot}}'
+ is "$output" "${PODMAN_TMPDIR}/root" \
+ "podman info, talks to the right service"
+
+ # Add another connection; make sure it does not get set as default
+ _run_podman_remote system connection add fakeconnect tcp://localhost:$(( _SERVICE_PORT + 1))
+ _run_podman_remote info --format '{{.Store.GraphRoot}}'
+ # (Don't bother checking output; we just care about exit status)
+
+ # Stop server. Use 'run' to avoid failing on nonzero exit status
+ run kill $_SERVICE_PID
+ run wait $_SERVICE_PID
+ _SERVICE_PID=
+
+ run_podman system connection rm fakeconnect
+ run_podman system connection rm myconnect
+}
+
+# If we have ssh access to localhost (unlikely in CI), test that.
+@test "podman system connection - ssh" {
+ rand=$(random_string 20)
+ echo $rand >$PODMAN_TMPDIR/testfile
+
+ # Can we actually ssh to localhost?
+ run ssh -q -o BatchMode=yes \
+ -o UserKnownHostsFile=/dev/null \
+ -o StrictHostKeyChecking=no \
+ -o CheckHostIP=no \
+ localhost \
+ cat $PODMAN_TMPDIR/testfile
+ test "$status" -eq 0 || skip "cannot ssh to localhost"
+ is "$output" "$rand" "weird! ssh worked, but could not cat local file"
+
+ # OK, ssh works.
+ # Create a new connection, over ssh, but using existing socket file
+ # (Remember, we're already podman-remote, there's a service running)
+ run_podman info --format '{{.Host.RemoteSocket.Path}}'
+ local socketpath="$output"
+ run_podman system connection add --socket-path "$socketpath" \
+ mysshcon ssh://localhost
+ is "$output" "" "output from system connection add"
+
+ # debug logs will confirm that we use ssh connection
+ _run_podman_remote --log-level=debug info --format '{{.Host.RemoteSocket.Path}}'
+ is "$output" ".*msg=\"SSH Agent Key .*" "we are truly using ssh"
+
+ # Clean up
+ run_podman system connection rm mysshconn
+}
+
+# vim: filetype=sh
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index ed9e73a3e..dbdfd4b9d 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -27,9 +27,9 @@ function check_label() {
is "$type" "$1" "SELinux type"
if [ -n "$2" ]; then
- # e.g. from the above example -> "s0:c45,c745"
- range=$(cut -d: -f4,5 <<<"$context")
- is "$range" "$2^@" "SELinux range"
+ # e.g. from the above example -> "s0:c45,c745"
+ range=$(cut -d: -f4,5 <<<"$context")
+ is "$range" "$2^@" "SELinux range"
fi
}
@@ -66,9 +66,9 @@ function check_label() {
# FIXME this test fails when run rootless with runc:
# Error: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: readonly path /proc/asound: operation not permitted: OCI permission denied
if is_rootless; then
- runtime=$(podman_runtime)
- test "$runtime" == "crun" \
- || skip "runtime is $runtime; this test requires crun"
+ runtime=$(podman_runtime)
+ test "$runtime" == "crun" \
+ || skip "runtime is $runtime; this test requires crun"
fi
check_label "--pid=host" "spc_t"
@@ -96,10 +96,10 @@ function check_label() {
skip_if_no_selinux
run_podman run -d --name myc \
- --security-opt seccomp=unconfined \
- --security-opt label=type:spc_t \
- --security-opt label=level:s0 \
- $IMAGE sh -c 'while test ! -e /stop; do sleep 0.1; done'
+ --security-opt seccomp=unconfined \
+ --security-opt label=type:spc_t \
+ --security-opt label=level:s0 \
+ $IMAGE sh -c 'while test ! -e /stop; do sleep 0.1; done'
run_podman inspect --format='{{ .HostConfig.SecurityOpt }}' myc
is "$output" "[label=type:spc_t,label=level:s0 seccomp=unconfined]" \
"'podman inspect' preserves all --security-opts"
@@ -118,7 +118,7 @@ function check_label() {
skip_if_rootless_cgroupsv1
if [[ $(podman_runtime) == "runc" ]]; then
- skip "some sort of runc bug, not worth fixing (#11784)"
+ skip "some sort of runc bug, not worth fixing (#11784)"
fi
run_podman run -d --name myctr $IMAGE top
@@ -136,7 +136,7 @@ function check_label() {
# net NS: do not share context
run_podman run --rm --net container:myctr $IMAGE cat -v /proc/self/attr/current
if [[ "$output" = "$context_c1" ]]; then
- die "run --net : context ($output) is same as running container (it should not be)"
+ die "run --net : context ($output) is same as running container (it should not be)"
fi
# The 'myctr2' above was not run with --rm, so it still exists, and
@@ -158,8 +158,8 @@ function check_label() {
# We don't need a fullblown pause container; avoid pulling the k8s one
run_podman pod create --name myselinuxpod \
- --infra-image $IMAGE \
- --infra-command /home/podman/pause
+ --infra-image $IMAGE \
+ --infra-command /home/podman/pause
# Get baseline
run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current
@@ -190,7 +190,7 @@ function check_label() {
# Even after #7902, labels (':c123,c456') should be different
run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current
if [[ "$output" = "$context_c1" ]]; then
- die "context ($output) is the same on two separate containers, it should have been different"
+ die "context ($output) is the same on two separate containers, it should have been different"
fi
run_podman pod rm myselinuxpod
@@ -203,12 +203,12 @@ function check_label() {
# runc and crun emit different diagnostics
runtime=$(podman_runtime)
case "$runtime" in
- # crun 0.20.1 changes the error message
- # from /proc/thread-self/attr/exec`: .* unable to assign
- # to /proc/self/attr/keycreate`: .* unable to process
- crun) expect="\`/proc/.*\`: OCI runtime error: unable to \(assign\|process\) security attribute" ;;
- runc) expect="OCI runtime error: .*: failed to set /proc/self/attr/keycreate on procfs" ;;
- *) skip "Unknown runtime '$runtime'";;
+ # crun 0.20.1 changes the error message
+ # from /proc/thread-self/attr/exec`: .* unable to assign
+ # to /proc/self/attr/keycreate`: .* unable to process
+ crun) expect="\`/proc/.*\`: OCI runtime error: unable to \(assign\|process\) security attribute" ;;
+ runc) expect="OCI runtime error: .*: failed to set /proc/self/attr/keycreate on procfs" ;;
+ *) skip "Unknown runtime '$runtime'";;
esac
# The '.*' in the error below is for dealing with podman-remote, which
@@ -223,7 +223,7 @@ function check_label() {
LABEL="system_u:object_r:tmp_t:s0"
RELABEL="system_u:object_r:container_file_t:s0"
tmpdir=$PODMAN_TMPDIR/vol
- touch $tmpdir
+ mkdir -p $tmpdir
chcon -vR ${LABEL} $tmpdir
ls -Z $tmpdir
@@ -239,12 +239,36 @@ function check_label() {
run ls -dZ $tmpdir
is "$output" "${RELABEL} $tmpdir" "Privileged Relabel Correctly"
- run_podman run -v $tmpdir:/test:Z $IMAGE cat /proc/self/attr/current
+ run_podman run --name label -v $tmpdir:/test:Z $IMAGE cat /proc/self/attr/current
level=$(secon -l $output)
run ls -dZ $tmpdir
is "$output" "system_u:object_r:container_file_t:$level $tmpdir" \
"Confined Relabel Correctly"
+ if is_rootless; then
+ run_podman unshare touch $tmpdir/test1
+ # Relabel entire directory
+ run_podman unshare chcon system_u:object_r:usr_t:s0 $tmpdir
+ run_podman start --attach label
+ newlevel=$(secon -l $output)
+ is "$level" "$newlevel" "start should relabel with same SELinux labels"
+ run ls -dZ $tmpdir
+ is "$output" "system_u:object_r:container_file_t:$level $tmpdir" \
+ "Confined Relabel Correctly"
+ run ls -dZ $tmpdir/test1
+ is "$output" "system_u:object_r:container_file_t:$level $tmpdir/test1" \
+ "Start did not Relabel"
+
+ # Relabel only file in subdir
+ run_podman unshare chcon system_u:object_r:usr_t:s0 $tmpdir/test1
+ run_podman start --attach label
+ newlevel=$(secon -l $output)
+ is "$level" "$newlevel" "start should use same SELinux labels"
+
+ run ls -dZ $tmpdir/test1
+ is "$output" "system_u:object_r:usr_t:s0 $tmpdir/test1" \
+ "Start did not Relabel"
+ fi
run_podman run -v $tmpdir:/test:z $IMAGE cat /proc/self/attr/current
run ls -dZ $tmpdir
is "$output" "${RELABEL} $tmpdir" "Shared Relabel Correctly"
diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats
index cb73cf24d..b3471b425 100644
--- a/test/system/500-networking.bats
+++ b/test/system/500-networking.bats
@@ -444,6 +444,14 @@ load helpers
die "MAC address did not change after podman network disconnect/connect"
fi
+ # FIXME FIXME FIXME: #11825: bodhi tests are failing, remote+rootless only,
+ # with "dnsmasq: failed to create inotify". This error has never occurred
+ # in CI, and Ed has been unable to reproduce it on 1minutetip. This next
+ # line is a suggestion from Paul Holzinger for trying to shed light on
+ # the system context before the failure. This output will be invisible
+ # if the test passes.
+ for foo in /proc/\*/fd/*; do readlink -f $foo; done |grep '^/proc/.*inotify' |cut -d/ -f3 | xargs -I '{}' -- ps --no-headers -o '%p %U %a' -p '{}' |uniq -c |sort -n
+
# connect a second network
run_podman network connect $netname2 $cid