Diffstat (limited to 'test/system')
-rw-r--r-- | test/system/040-ps.bats | 5 | ||||
-rw-r--r-- | test/system/050-stop.bats | 2 | ||||
-rw-r--r-- | test/system/070-build.bats | 2 | ||||
-rw-r--r-- | test/system/160-volumes.bats | 3 | ||||
-rw-r--r-- | test/system/170-run-userns.bats | 45 | ||||
-rw-r--r-- | test/system/200-pod.bats | 11 | ||||
-rw-r--r-- | test/system/330-corrupt-images.bats | 134 | ||||
-rw-r--r-- | test/system/500-networking.bats | 33 |
8 files changed, 221 insertions, 14 deletions
diff --git a/test/system/040-ps.bats b/test/system/040-ps.bats index ae27c479f..182d75547 100644 --- a/test/system/040-ps.bats +++ b/test/system/040-ps.bats @@ -5,6 +5,9 @@ load helpers @test "podman ps - basic tests" { rand_name=$(random_string 30) + run_podman ps --noheading + is "$output" "" "baseline: empty results from ps --noheading" + run_podman run -d --name $rand_name $IMAGE sleep 5 cid=$output is "$cid" "[0-9a-f]\{64\}$" @@ -30,8 +33,6 @@ load helpers "${cid:0:12} \+$IMAGE *sleep .* Exited .* $rand_name" \ "podman ps -a" - - run_podman rm $cid } diff --git a/test/system/050-stop.bats b/test/system/050-stop.bats index a9495e350..2ed791429 100644 --- a/test/system/050-stop.bats +++ b/test/system/050-stop.bats @@ -114,7 +114,7 @@ load helpers @test "podman stop - unlock while waiting for timeout" { # Test that the container state transitions to "stopping" and that other # commands can get the container's lock. To do that, run a container that - # ingores SIGTERM such that the Podman would wait 20 seconds for the stop + # ignores SIGTERM such that the Podman would wait 20 seconds for the stop # to finish. This gives us enough time to try some commands and inspect # the container's status. diff --git a/test/system/070-build.bats b/test/system/070-build.bats index d4017ae01..6ae78de2e 100644 --- a/test/system/070-build.bats +++ b/test/system/070-build.bats @@ -354,7 +354,7 @@ Cmd[1] | $s_echo WorkingDir | $workdir Labels.$label_name | $label_value " - # FIXME: 2021-02-24: Fixed in buildah #3036; reenable this once podman + # FIXME: 2021-02-24: Fixed in buildah #3036; re-enable this once podman # vendors in a newer buildah! # Labels.\"io.buildah.version\" | $buildah_version diff --git a/test/system/160-volumes.bats b/test/system/160-volumes.bats index 4952eafc2..98992f973 100644 --- a/test/system/160-volumes.bats +++ b/test/system/160-volumes.bats 
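Review bot: The baseline added at the top of "podman ps - basic tests" in 040-ps.bats runs `ps --noheading` without `-a`, so it only proves that no container is running and would not notice an exited container left behind by an earlier test. The second hunk of the same file also drops the explicit `run_podman rm $cid`, so the container this test creates is now removed only by whatever teardown the helpers provide, which is not visible here. Consider `run_podman ps -a --noheading` for the baseline, plus a short comment such as `# baseline: relies on the shared setup/teardown leaving no containers behind`. The same empty-baseline assertion is added in 160-volumes.bats (`volume list --noheading`) and 200-pod.bats (`pod list`, `pod ls`, `pod ps`), and all of them assume a store with no pre-existing objects, which is worth stating next to each check.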
@@ -23,6 +23,9 @@ function teardown() { @test "podman run --volumes : basic" { skip_if_remote "volumes cannot be shared across hosts" + run_podman volume list --noheading + is "$output" "" "baseline: empty results from list --noheading" + # Create three temporary directories vol1=${PODMAN_TMPDIR}/v1_$(random_string) vol2=${PODMAN_TMPDIR}/v2_$(random_string) diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats new file mode 100644 index 000000000..2dc5b078f --- /dev/null +++ b/test/system/170-run-userns.bats 
@@ -0,0 +1,45 @@ +#!/usr/bin/env bats -*- bats -*- +# shellcheck disable=SC2096 +# +# Tests for podman build +# + +load helpers + +@test "podman --group-add keep-groups while in a userns" { + skip_if_rootless "choot is not allowed in rootless mode" + skip_if_remote "--group-add keep-groups not supported in remote mode" + run chroot --groups 1234 / ${PODMAN} run --uidmap 0:200000:5000 --group-add keep-groups $IMAGE id + is "$output" ".*65534(nobody)" "Check group leaked into user namespace" +} + +@test "podman --group-add keep-groups while not in a userns" { + skip_if_rootless "choot is not allowed in rootless mode" + skip_if_remote "--group-add keep-groups not supported in remote mode" + run chroot --groups 1234,5678 / ${PODMAN} run --group-add keep-groups $IMAGE id + is "$output" ".*1234" "Check group leaked into container" +} + +@test "podman --group-add without keep-groups while in a userns" { + skip_if_rootless "choot is not allowed in rootless mode" + skip_if_remote "--group-add keep-groups not supported in remote mode" + run chroot --groups 1234,5678 / ${PODMAN} run --uidmap 0:200000:5000 --group-add 457 $IMAGE id + is "$output" ".*457" "Check group leaked into container" +} + +@test "podman --remote --group-add keep-groups " { + if is_remote; then + run_podman 125 run --group-add keep-groups $IMAGE id + is "$output" ".*not supported in remote mode" "Remote check --group-add keep-groups" + fi +} + +@test "podman --group-add without keep-groups " { + run_podman run --group-add 457 $IMAGE id + is "$output" ".*457" "Check group leaked into container" +} + +@test "podman --group-add keep-groups plus added groups " { + run_podman 125 run --group-add keep-groups --group-add 457 $IMAGE id + is "$output" ".*the '--group-add keep-groups' option is not allowed with any other --group-add options" "Check group leaked into container" +} diff --git a/test/system/200-pod.bats b/test/system/200-pod.bats index c65449212..054eda908 100644 --- a/test/system/200-pod.bats 
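Review bot: The test "podman --group-add without keep-groups while in a userns" starts podman under `chroot --groups 1234,5678` but only asserts that 457 appears, so it would still pass if the caller's supplementary groups were inherited by the container. The isolation property here is that host groups stay out unless keep-groups is requested, so add a negative check after the existing `is`, e.g. `[[ "$output" != *1234* && "$output" != *5678* ]] || die "host groups leaked into container without keep-groups: $output"`. The three chroot-based tests also use bare `run` and never look at `$status`, and the loose `.*1234` / `.*457` patterns could match an unrelated number or an error string; anchoring on the `groups=` field that `id` normally prints would be tighter. Smaller points: the header comment still says "Tests for podman build", the skip message spells chroot as "choot", the failure text "Check group leaked into container" is reused on the test that expects an error message, and the `--remote` test passes without checking anything when `is_remote` is false.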
+++ b/test/system/200-pod.bats @@ -17,6 +17,17 @@ function teardown() { } +@test "podman pod - basic tests" { + run_podman pod list --noheading + is "$output" "" "baseline: empty results from list --noheading" + + run_podman pod ls --noheading + is "$output" "" "baseline: empty results from ls --noheading" + + run_podman pod ps --noheading + is "$output" "" "baseline: empty results from ps --noheading" +} + @test "podman pod top - containers in different PID namespaces" { # With infra=false, we don't get a /pause container (we also # don't pull k8s.gcr.io/pause ) diff --git a/test/system/330-corrupt-images.bats b/test/system/330-corrupt-images.bats new file mode 100644 index 000000000..c51cc8d46 --- /dev/null +++ b/test/system/330-corrupt-images.bats 
@@ -0,0 +1,134 @@ +#!/usr/bin/env bats -*- bats -*- +# +# All tests in here perform nasty manipulations on image storage. +# + +load helpers + +############################################################################### +# BEGIN setup/teardown + +# Create a scratch directory; this is what we'll use for image store and cache +if [ -z "${PODMAN_CORRUPT_TEST_WORKDIR}" ]; then + export PODMAN_CORRUPT_TEST_WORKDIR=$(mktemp -d --tmpdir=${BATS_TMPDIR:-${TMPDIR:-/tmp}} podman_corrupt_test.XXXXXX) +fi + +PODMAN_CORRUPT_TEST_IMAGE_FQIN=quay.io/libpod/alpine@sha256:634a8f35b5f16dcf4aaa0822adc0b1964bb786fca12f6831de8ddc45e5986a00 +PODMAN_CORRUPT_TEST_IMAGE_ID=961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4 + +# All tests in this file (and ONLY in this file) run with a custom rootdir +function setup() { + skip_if_remote "none of these tests run under podman-remote" + _PODMAN_TEST_OPTS="--root ${PODMAN_CORRUPT_TEST_WORKDIR}/root" +} + +function teardown() { + # No other tests should ever run with this custom rootdir + unset _PODMAN_TEST_OPTS + + is_remote && return + + # Clean up + umount ${PODMAN_CORRUPT_TEST_WORKDIR}/root/overlay || true + if is_rootless; then + run_podman unshare rm -rf ${PODMAN_CORRUPT_TEST_WORKDIR}/root + else + rm -rf ${PODMAN_CORRUPT_TEST_WORKDIR}/root + fi +} + +# END setup/teardown +############################################################################### +# BEGIN primary test helper + +# This is our main action, invoked by every actual test. 
It: +# - creates a new empty rootdir +# - populates it with our crafted test image +# - removes [ manifest, blob ] +# - confirms that "podman images" throws an error +# - runs the specified command (rmi -a -f, prune, reset, etc) +# - confirms that it succeeds, and also emits expected warnings +function _corrupt_image_test() { + # Run this test twice: once removing manifest, once removing blob + for what_to_rm in manifest blob; do + # I have no idea, but this sometimes remains mounted + umount ${PODMAN_CORRUPT_TEST_WORKDIR}/root/overlay || true + # Start with a fresh storage root, load prefetched image into it. + /bin/rm -rf ${PODMAN_CORRUPT_TEST_WORKDIR}/root + mkdir -p ${PODMAN_CORRUPT_TEST_WORKDIR}/root + run_podman load -i ${PODMAN_CORRUPT_TEST_WORKDIR}/img.tar + # "podman load" restores it without a tag, which (a) causes rmi-by-name + # to fail, and (b) causes "podman images" to exit 0 instead of 125 + run_podman tag ${PODMAN_CORRUPT_TEST_IMAGE_ID} ${PODMAN_CORRUPT_TEST_IMAGE_FQIN} + + # shortcut variable name + local id=${PODMAN_CORRUPT_TEST_IMAGE_ID} + + case "$what_to_rm" in + manifest) rm_path=manifest ;; + blob) rm_path="=$(echo -n "sha256:$id" | base64 -w0)" ;; + *) die "Internal error: unknown action '$what_to_rm'" ;; + esac + + # Corruptify, and confirm that 'podman images' throws an error + rm -v ${PODMAN_CORRUPT_TEST_WORKDIR}/root/*-images/$id/${rm_path} + run_podman 125 images + is "$output" "Error: error retrieving label for image \"$id\": you may need to remove the image to resolve the error" + + # Run the requested command. 
Confirm it succeeds, with suitable warnings + run_podman $* + is "$output" ".*error determining parent of image.*ignoring the error" \ + "$* with missing $what_to_rm" + + run_podman images -a --noheading + is "$output" "" "podman images -a, after $*, is empty" + done +} + +# END primary test helper +############################################################################### +# BEGIN first "test" does a one-time pull of our desired image + +@test "podman corrupt images - initialize" { + # Pull once, save cached copy. + run_podman pull $PODMAN_CORRUPT_TEST_IMAGE_FQIN + run_podman save -o ${PODMAN_CORRUPT_TEST_WORKDIR}/img.tar \ + $PODMAN_CORRUPT_TEST_IMAGE_FQIN +} + +# END first "test" does a one-time pull of our desired image +############################################################################### +# BEGIN actual tests + +@test "podman corrupt images - rmi -f <image-id>" { + _corrupt_image_test "rmi -f ${PODMAN_CORRUPT_TEST_IMAGE_ID}" +} + +@test "podman corrupt images - rmi -f <image-name>" { + _corrupt_image_test "rmi -f ${PODMAN_CORRUPT_TEST_IMAGE_FQIN}" +} + +@test "podman corrupt images - rmi -f -a" { + _corrupt_image_test "rmi -f -a" +} + +@test "podman corrupt images - image prune" { + _corrupt_image_test "image prune -a -f" +} + +@test "podman corrupt images - system reset" { + _corrupt_image_test "system reset -f" +} + +# END actual tests +############################################################################### +# BEGIN final cleanup + +@test "podman corrupt images - cleanup" { + rm -rf ${PODMAN_CORRUPT_TEST_WORKDIR} +} + +# END final cleanup +############################################################################### + +# vim: filetype=sh diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats index cda054b15..8da864798 100644 --- a/test/system/500-networking.bats +++ b/test/system/500-networking.bats 
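Review bot: Every cleanup path in this new file expands `${PODMAN_CORRUPT_TEST_WORKDIR}` unquoted and unguarded, so an empty value turns `/bin/rm -rf ${PODMAN_CORRUPT_TEST_WORKDIR}/root` in `_corrupt_image_test`, and the `umount` and `rm -rf` in `teardown`, into operations on `/root`; the non-rootless branch of `teardown` shows these can run as root. The value can be empty when `mktemp` fails, because `export VAR=$(mktemp …)` hides the exit status, and a value inherited from the environment is used without any check that it is a scratch directory. I would assign first, test the result, then export, and write the destructive lines as `/bin/rm -rf "${PODMAN_CORRUPT_TEST_WORKDIR:?}/root"` so the shell aborts instead of deleting outside the work directory. Separately, `what_to_rm` and `rm_path` are not declared `local` in the helper, unlike `id`, and `run_podman $*` relies on word splitting of the single string argument, which deserves a one-line comment.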
@@ -5,6 +5,19 @@ load helpers +@test "podman network - basic tests" { + heading="*NETWORK*ID*NAME*VERSION*PLUGINS*" + run_podman network ls + if [[ ${output} != ${heading} ]]; then + die "network ls expected heading is not available" + fi + + run_podman network ls --noheading + if [[ ${output} = ${heading} ]]; then + die "network ls --noheading did not remove heading: $output" + fi +} + # Copied from tsweeney's https://github.com/containers/podman/issues/4827 @test "podman networking: port on localhost" { skip_if_remote "FIXME: reevaluate this one after #7360 is fixed" @@ -20,9 +33,9 @@ load helpers # Bind-mount this file with a different name to a container running httpd run_podman run -d --name myweb -p "$HOST_PORT:80" \ - -v $INDEX1:/var/www/index.txt \ - -w /var/www \ - $IMAGE /bin/busybox-extras httpd -f -p 80 + -v $INDEX1:/var/www/index.txt \ + -w /var/www \ + $IMAGE /bin/busybox-extras httpd -f -p 80 cid=$output # In that container, create a second file, using exec and redirection @@ -71,7 +84,7 @@ load helpers # We could get more parseable output by using $NCAT_REMOTE_ADDR, # but busybox nc doesn't support that. run_podman run -d --userns=keep-id -p 127.0.0.1:$myport:$myport \ - $IMAGE nc -l -n -v -p $myport + $IMAGE nc -l -n -v -p $myport cid="$output" # emit random string, and check it @@ -108,7 +121,7 @@ load helpers # (Assert that output is formatted, not a one-line blob: #8011) run_podman network inspect $mynetname if [[ "${#lines[*]}" -lt 5 ]]; then - die "Output from 'pod inspect' is only ${#lines[*]} lines; see #8011" + die "Output from 'pod inspect' is only ${#lines[*]} lines; see #8011" fi run_podman run --rm --network $mynetname $IMAGE ip a @@ -116,7 +129,7 @@ load helpers "sdfsdf" run_podman run --rm -d --network $mynetname -p 127.0.0.1:$myport:$myport \ - $IMAGE nc -l -n -v -p $myport + $IMAGE nc -l -n -v -p $myport cid="$output" # emit random string, and check it 
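Review bot: In the new "podman network - basic tests", the first `die` does not print what `network ls` returned, unlike the second one, so a heading mismatch in CI gives no hint about the actual output; `die "network ls expected heading is not available: $output"` would fix that. The unquoted right-hand sides in `[[ ${output} != ${heading} ]]` are glob matches on purpose, which is easy to "fix" by mistake later, so a comment such as `# unquoted on purpose: $heading is a glob pattern` would help. The remaining hunks in this file only re-indent continuation lines.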
@@ -159,9 +172,9 @@ load helpers # Bind-mount this file with a different name to a container running httpd run_podman run -d --name myweb -p "$HOST_PORT:80" \ - -v $INDEX1:/var/www/index.txt \ - -w /var/www \ - $IMAGE /bin/busybox-extras httpd -f -p 80 + -v $INDEX1:/var/www/index.txt \ + -w /var/www \ + $IMAGE /bin/busybox-extras httpd -f -p 80 cid=$output run_podman inspect $cid --format "{{.NetworkSettings.IPAddress}}" @@ -179,7 +192,7 @@ load helpers # check that we cannot curl (timeout after 5 sec) run timeout 5 curl -s $SERVER/index.txt if [ "$status" -ne 124 ]; then - die "curl did not timeout, status code: $status" + die "curl did not timeout, status code: $status" fi # reload the network to recreate the iptables rules |