Diffstat (limited to 'test/system')
-rw-r--r--test/system/040-ps.bats5
-rw-r--r--test/system/050-stop.bats2
-rw-r--r--test/system/070-build.bats2
-rw-r--r--test/system/160-volumes.bats3
-rw-r--r--test/system/170-run-userns.bats45
-rw-r--r--test/system/200-pod.bats11
-rw-r--r--test/system/330-corrupt-images.bats134
-rw-r--r--test/system/500-networking.bats33
8 files changed, 221 insertions, 14 deletions
diff --git a/test/system/040-ps.bats b/test/system/040-ps.bats
index ae27c479f..182d75547 100644
--- a/test/system/040-ps.bats
+++ b/test/system/040-ps.bats
@@ -5,6 +5,9 @@ load helpers
@test "podman ps - basic tests" {
rand_name=$(random_string 30)
+ run_podman ps --noheading
+ is "$output" "" "baseline: empty results from ps --noheading"
+
run_podman run -d --name $rand_name $IMAGE sleep 5
cid=$output
is "$cid" "[0-9a-f]\{64\}$"
@@ -30,8 +33,6 @@ load helpers
"${cid:0:12} \+$IMAGE *sleep .* Exited .* $rand_name" \
"podman ps -a"
-
-
run_podman rm $cid
}
diff --git a/test/system/050-stop.bats b/test/system/050-stop.bats
index a9495e350..2ed791429 100644
--- a/test/system/050-stop.bats
+++ b/test/system/050-stop.bats
@@ -114,7 +114,7 @@ load helpers
@test "podman stop - unlock while waiting for timeout" {
# Test that the container state transitions to "stopping" and that other
# commands can get the container's lock. To do that, run a container that
- # ingores SIGTERM such that the Podman would wait 20 seconds for the stop
+ # ignores SIGTERM such that the Podman would wait 20 seconds for the stop
# to finish. This gives us enough time to try some commands and inspect
# the container's status.
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index d4017ae01..6ae78de2e 100644
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
@@ -354,7 +354,7 @@ Cmd[1] | $s_echo
WorkingDir | $workdir
Labels.$label_name | $label_value
"
- # FIXME: 2021-02-24: Fixed in buildah #3036; reenable this once podman
+ # FIXME: 2021-02-24: Fixed in buildah #3036; re-enable this once podman
# vendors in a newer buildah!
# Labels.\"io.buildah.version\" | $buildah_version
diff --git a/test/system/160-volumes.bats b/test/system/160-volumes.bats
index 4952eafc2..98992f973 100644
--- a/test/system/160-volumes.bats
+++ b/test/system/160-volumes.bats
@@ -23,6 +23,9 @@ function teardown() {
@test "podman run --volumes : basic" {
skip_if_remote "volumes cannot be shared across hosts"
+ run_podman volume list --noheading
+ is "$output" "" "baseline: empty results from list --noheading"
+
# Create three temporary directories
vol1=${PODMAN_TMPDIR}/v1_$(random_string)
vol2=${PODMAN_TMPDIR}/v2_$(random_string)
diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats
new file mode 100644
index 000000000..2dc5b078f
--- /dev/null
+++ b/test/system/170-run-userns.bats
@@ -0,0 +1,45 @@
+#!/usr/bin/env bats -*- bats -*-
+# shellcheck disable=SC2096
+#
+# Tests for podman build
+#
+
+load helpers
+
+@test "podman --group-add keep-groups while in a userns" {
+ skip_if_rootless "choot is not allowed in rootless mode"
+ skip_if_remote "--group-add keep-groups not supported in remote mode"
+ run chroot --groups 1234 / ${PODMAN} run --uidmap 0:200000:5000 --group-add keep-groups $IMAGE id
+ is "$output" ".*65534(nobody)" "Check group leaked into user namespace"
+}
+
+@test "podman --group-add keep-groups while not in a userns" {
+ skip_if_rootless "choot is not allowed in rootless mode"
+ skip_if_remote "--group-add keep-groups not supported in remote mode"
+ run chroot --groups 1234,5678 / ${PODMAN} run --group-add keep-groups $IMAGE id
+ is "$output" ".*1234" "Check group leaked into container"
+}
+
+@test "podman --group-add without keep-groups while in a userns" {
+ skip_if_rootless "choot is not allowed in rootless mode"
+ skip_if_remote "--group-add keep-groups not supported in remote mode"
+ run chroot --groups 1234,5678 / ${PODMAN} run --uidmap 0:200000:5000 --group-add 457 $IMAGE id
+ is "$output" ".*457" "Check group leaked into container"
+}
+
+@test "podman --remote --group-add keep-groups " {
+ if is_remote; then
+ run_podman 125 run --group-add keep-groups $IMAGE id
+ is "$output" ".*not supported in remote mode" "Remote check --group-add keep-groups"
+ fi
+}
+
+@test "podman --group-add without keep-groups " {
+ run_podman run --group-add 457 $IMAGE id
+ is "$output" ".*457" "Check group leaked into container"
+}
+
+@test "podman --group-add keep-groups plus added groups " {
+ run_podman 125 run --group-add keep-groups --group-add 457 $IMAGE id
+ is "$output" ".*the '--group-add keep-groups' option is not allowed with any other --group-add options" "Check group leaked into container"
+}
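Review bot: The test "podman --group-add without keep-groups while in a userns" only asserts that 457 appears in the `id` output; it never asserts that the host groups passed via `chroot --groups 1234,5678` are absent, which is the isolation property the test name implies. A negative check such as `[[ "$output" != *1234* ]] || die "host group 1234 leaked into container: $output"` would cover it (likewise for 5678; presumably an unmapped host group would appear as 65534 inside the userns, so that may need checking too). The three chroot tests also call bare `run`, so the exit status is never verified; `[ "$status" -eq 0 ] || die "podman run failed: $output"` after each would catch a failure whose error text happens to match the loose `.*457` / `.*1234` patterns. Separately, the header comment still reads `# Tests for podman build` and the skip messages say `choot`; `# Tests for podman run --group-add, with and without a user namespace` would match the content.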
diff --git a/test/system/200-pod.bats b/test/system/200-pod.bats
index c65449212..054eda908 100644
--- a/test/system/200-pod.bats
+++ b/test/system/200-pod.bats
@@ -17,6 +17,17 @@ function teardown() {
}
+@test "podman pod - basic tests" {
+ run_podman pod list --noheading
+ is "$output" "" "baseline: empty results from list --noheading"
+
+ run_podman pod ls --noheading
+ is "$output" "" "baseline: empty results from ls --noheading"
+
+ run_podman pod ps --noheading
+ is "$output" "" "baseline: empty results from ps --noheading"
+}
+
@test "podman pod top - containers in different PID namespaces" {
# With infra=false, we don't get a /pause container (we also
# don't pull k8s.gcr.io/pause )
diff --git a/test/system/330-corrupt-images.bats b/test/system/330-corrupt-images.bats
new file mode 100644
index 000000000..c51cc8d46
--- /dev/null
+++ b/test/system/330-corrupt-images.bats
@@ -0,0 +1,134 @@
+#!/usr/bin/env bats -*- bats -*-
+#
+# All tests in here perform nasty manipulations on image storage.
+#
+
+load helpers
+
+###############################################################################
+# BEGIN setup/teardown
+
+# Create a scratch directory; this is what we'll use for image store and cache
+if [ -z "${PODMAN_CORRUPT_TEST_WORKDIR}" ]; then
+ export PODMAN_CORRUPT_TEST_WORKDIR=$(mktemp -d --tmpdir=${BATS_TMPDIR:-${TMPDIR:-/tmp}} podman_corrupt_test.XXXXXX)
+fi
+
+PODMAN_CORRUPT_TEST_IMAGE_FQIN=quay.io/libpod/alpine@sha256:634a8f35b5f16dcf4aaa0822adc0b1964bb786fca12f6831de8ddc45e5986a00
+PODMAN_CORRUPT_TEST_IMAGE_ID=961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4
+
+# All tests in this file (and ONLY in this file) run with a custom rootdir
+function setup() {
+ skip_if_remote "none of these tests run under podman-remote"
+ _PODMAN_TEST_OPTS="--root ${PODMAN_CORRUPT_TEST_WORKDIR}/root"
+}
+
+function teardown() {
+ # No other tests should ever run with this custom rootdir
+ unset _PODMAN_TEST_OPTS
+
+ is_remote && return
+
+ # Clean up
+ umount ${PODMAN_CORRUPT_TEST_WORKDIR}/root/overlay || true
+ if is_rootless; then
+ run_podman unshare rm -rf ${PODMAN_CORRUPT_TEST_WORKDIR}/root
+ else
+ rm -rf ${PODMAN_CORRUPT_TEST_WORKDIR}/root
+ fi
+}
+
+# END setup/teardown
+###############################################################################
+# BEGIN primary test helper
+
+# This is our main action, invoked by every actual test. It:
+# - creates a new empty rootdir
+# - populates it with our crafted test image
+# - removes [ manifest, blob ]
+# - confirms that "podman images" throws an error
+# - runs the specified command (rmi -a -f, prune, reset, etc)
+# - confirms that it succeeds, and also emits expected warnings
+function _corrupt_image_test() {
+ # Run this test twice: once removing manifest, once removing blob
+ for what_to_rm in manifest blob; do
+ # I have no idea, but this sometimes remains mounted
+ umount ${PODMAN_CORRUPT_TEST_WORKDIR}/root/overlay || true
+ # Start with a fresh storage root, load prefetched image into it.
+ /bin/rm -rf ${PODMAN_CORRUPT_TEST_WORKDIR}/root
+ mkdir -p ${PODMAN_CORRUPT_TEST_WORKDIR}/root
+ run_podman load -i ${PODMAN_CORRUPT_TEST_WORKDIR}/img.tar
+ # "podman load" restores it without a tag, which (a) causes rmi-by-name
+ # to fail, and (b) causes "podman images" to exit 0 instead of 125
+ run_podman tag ${PODMAN_CORRUPT_TEST_IMAGE_ID} ${PODMAN_CORRUPT_TEST_IMAGE_FQIN}
+
+ # shortcut variable name
+ local id=${PODMAN_CORRUPT_TEST_IMAGE_ID}
+
+ case "$what_to_rm" in
+ manifest) rm_path=manifest ;;
+ blob) rm_path="=$(echo -n "sha256:$id" | base64 -w0)" ;;
+ *) die "Internal error: unknown action '$what_to_rm'" ;;
+ esac
+
+ # Corruptify, and confirm that 'podman images' throws an error
+ rm -v ${PODMAN_CORRUPT_TEST_WORKDIR}/root/*-images/$id/${rm_path}
+ run_podman 125 images
+ is "$output" "Error: error retrieving label for image \"$id\": you may need to remove the image to resolve the error"
+
+ # Run the requested command. Confirm it succeeds, with suitable warnings
+ run_podman $*
+ is "$output" ".*error determining parent of image.*ignoring the error" \
+ "$* with missing $what_to_rm"
+
+ run_podman images -a --noheading
+ is "$output" "" "podman images -a, after $*, is empty"
+ done
+}
+
+# END primary test helper
+###############################################################################
+# BEGIN first "test" does a one-time pull of our desired image
+
+@test "podman corrupt images - initialize" {
+ # Pull once, save cached copy.
+ run_podman pull $PODMAN_CORRUPT_TEST_IMAGE_FQIN
+ run_podman save -o ${PODMAN_CORRUPT_TEST_WORKDIR}/img.tar \
+ $PODMAN_CORRUPT_TEST_IMAGE_FQIN
+}
+
+# END first "test" does a one-time pull of our desired image
+###############################################################################
+# BEGIN actual tests
+
+@test "podman corrupt images - rmi -f <image-id>" {
+ _corrupt_image_test "rmi -f ${PODMAN_CORRUPT_TEST_IMAGE_ID}"
+}
+
+@test "podman corrupt images - rmi -f <image-name>" {
+ _corrupt_image_test "rmi -f ${PODMAN_CORRUPT_TEST_IMAGE_FQIN}"
+}
+
+@test "podman corrupt images - rmi -f -a" {
+ _corrupt_image_test "rmi -f -a"
+}
+
+@test "podman corrupt images - image prune" {
+ _corrupt_image_test "image prune -a -f"
+}
+
+@test "podman corrupt images - system reset" {
+ _corrupt_image_test "system reset -f"
+}
+
+# END actual tests
+###############################################################################
+# BEGIN final cleanup
+
+@test "podman corrupt images - cleanup" {
+ rm -rf ${PODMAN_CORRUPT_TEST_WORKDIR}
+}
+
+# END final cleanup
+###############################################################################
+
+# vim: filetype=sh
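Review bot: Every `rm -rf` and `umount` in this file expands `${PODMAN_CORRUPT_TEST_WORKDIR}` unquoted and unguarded, and the result of the `mktemp -d` at the top is never checked. If mktemp fails the variable is empty, and `/bin/rm -rf ${PODMAN_CORRUPT_TEST_WORKDIR}/root` in `_corrupt_image_test` (and the same path in `teardown`) becomes `rm -rf /root`, which matters on the non-rootless branch where the suite runs as root. Writing each use as `"${PODMAN_CORRUPT_TEST_WORKDIR:?}/root"` makes the shell abort instead of deleting an unintended path. Because a value already present in the environment is honoured, a comment next to the assignment such as `# NOTE: if preset by the caller, this directory is deleted by the cleanup test` would also help. `rm_path` in the helper could be declared `local` alongside `id`.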
diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats
index cda054b15..8da864798 100644
--- a/test/system/500-networking.bats
+++ b/test/system/500-networking.bats
@@ -5,6 +5,19 @@
load helpers
+@test "podman network - basic tests" {
+ heading="*NETWORK*ID*NAME*VERSION*PLUGINS*"
+ run_podman network ls
+ if [[ ${output} != ${heading} ]]; then
+ die "network ls expected heading is not available"
+ fi
+
+ run_podman network ls --noheading
+ if [[ ${output} = ${heading} ]]; then
+ die "network ls --noheading did not remove heading: $output"
+ fi
+}
+
# Copied from tsweeney's https://github.com/containers/podman/issues/4827
@test "podman networking: port on localhost" {
skip_if_remote "FIXME: reevaluate this one after #7360 is fixed"
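Review bot: Both `[[ ${output} != ${heading} ]]` and `[[ ${output} = ${heading} ]]` in the new "podman network - basic tests" only work because the right-hand side is unquoted, so `$heading` is matched as a glob pattern; a later quoting cleanup would silently turn them into literal comparisons. A comment above the first check, e.g. `# $heading is a glob pattern: the right-hand side must stay unquoted`, would document that. The first `die` could also report what was actually printed, as the second one does: `die "network ls expected heading is not available: $output"`.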
@@ -20,9 +33,9 @@ load helpers
# Bind-mount this file with a different name to a container running httpd
run_podman run -d --name myweb -p "$HOST_PORT:80" \
- -v $INDEX1:/var/www/index.txt \
- -w /var/www \
- $IMAGE /bin/busybox-extras httpd -f -p 80
+ -v $INDEX1:/var/www/index.txt \
+ -w /var/www \
+ $IMAGE /bin/busybox-extras httpd -f -p 80
cid=$output
# In that container, create a second file, using exec and redirection
@@ -71,7 +84,7 @@ load helpers
# We could get more parseable output by using $NCAT_REMOTE_ADDR,
# but busybox nc doesn't support that.
run_podman run -d --userns=keep-id -p 127.0.0.1:$myport:$myport \
- $IMAGE nc -l -n -v -p $myport
+ $IMAGE nc -l -n -v -p $myport
cid="$output"
# emit random string, and check it
@@ -108,7 +121,7 @@ load helpers
# (Assert that output is formatted, not a one-line blob: #8011)
run_podman network inspect $mynetname
if [[ "${#lines[*]}" -lt 5 ]]; then
- die "Output from 'pod inspect' is only ${#lines[*]} lines; see #8011"
+ die "Output from 'pod inspect' is only ${#lines[*]} lines; see #8011"
fi
run_podman run --rm --network $mynetname $IMAGE ip a
@@ -116,7 +129,7 @@ load helpers
"sdfsdf"
run_podman run --rm -d --network $mynetname -p 127.0.0.1:$myport:$myport \
- $IMAGE nc -l -n -v -p $myport
+ $IMAGE nc -l -n -v -p $myport
cid="$output"
# emit random string, and check it
@@ -159,9 +172,9 @@ load helpers
# Bind-mount this file with a different name to a container running httpd
run_podman run -d --name myweb -p "$HOST_PORT:80" \
- -v $INDEX1:/var/www/index.txt \
- -w /var/www \
- $IMAGE /bin/busybox-extras httpd -f -p 80
+ -v $INDEX1:/var/www/index.txt \
+ -w /var/www \
+ $IMAGE /bin/busybox-extras httpd -f -p 80
cid=$output
run_podman inspect $cid --format "{{.NetworkSettings.IPAddress}}"
@@ -179,7 +192,7 @@ load helpers
# check that we cannot curl (timeout after 5 sec)
run timeout 5 curl -s $SERVER/index.txt
if [ "$status" -ne 124 ]; then
- die "curl did not timeout, status code: $status"
+ die "curl did not timeout, status code: $status"
fi
# reload the network to recreate the iptables rules