diff options
Diffstat (limited to 'test')
49 files changed, 1433 insertions, 307 deletions
diff --git a/test/apiv2/01-basic.at b/test/apiv2/01-basic.at index 1ddf49c6f..1357e0ca6 100644 --- a/test/apiv2/01-basic.at +++ b/test/apiv2/01-basic.at @@ -18,7 +18,7 @@ t HEAD libpod/_ping 200 for i in /version version; do t GET $i 200 \ .Components[0].Name="Podman Engine" \ - .Components[0].Details.APIVersion=3.0.0 \ + .Components[0].Details.APIVersion=3.1.0-dev \ .Components[0].Details.MinAPIVersion=3.0.0 \ .Components[0].Details.Os=linux \ .ApiVersion=1.40 \ diff --git a/test/apiv2/10-images.at b/test/apiv2/10-images.at index a650cf958..f866422e2 100644 --- a/test/apiv2/10-images.at +++ b/test/apiv2/10-images.at @@ -41,7 +41,7 @@ t GET images/$iid/json 200 \ .Id=sha256:$iid \ .RepoTags[0]=$IMAGE -t POST "images/create?fromImage=alpine" '' 200 .error=null .status~".*Download complete.*" +t POST "images/create?fromImage=alpine" '' 200 .error~null .status~".*Download complete.*" t POST "images/create?fromImage=alpine&tag=latest" '' 200 @@ -49,7 +49,7 @@ t POST "images/create?fromImage=alpine&tag=latest" '' 200 old_iid=$(podman image inspect --format "{{.ID}}" docker.io/library/alpine:latest) podman rmi -f docker.io/library/alpine:latest podman tag $IMAGE docker.io/library/alpine:latest -t POST "images/create?fromImage=alpine" '' 200 .error=null .status~".*$old_iid.*" +t POST "images/create?fromImage=alpine" '' 200 .error~null .status~".*$old_iid.*" podman untag $IMAGE docker.io/library/alpine:latest t POST "images/create?fromImage=quay.io/libpod/alpine&tag=sha256:fa93b01658e3a5a1686dc3ae55f170d8de487006fb53a28efcd12ab0710a2e5f" '' 200 diff --git a/test/apiv2/12-imagesMore.at b/test/apiv2/12-imagesMore.at index 4f3ddf925..ce3049106 100644 --- a/test/apiv2/12-imagesMore.at +++ b/test/apiv2/12-imagesMore.at @@ -46,6 +46,10 @@ t POST "images/localhost:5000/myrepo/push?tlsVerify=false&tag=mytag" '' 200 # Untag the image t POST "libpod/images/$iid/untag?repo=localhost:5000/myrepo&tag=mytag" '' 201 +# Try to push non-existing image +t POST "images/localhost:5000/idonotexist/push?tlsVerify=false" '' 200 +jq -re 'select(.errorDetail)' <<<"$output" &>/dev/null || echo -e "${red}not ok: error message not found in output${nc}" 1>&2 + t GET libpod/images/$IMAGE/json 200 \ .RepoTags[-1]=$IMAGE diff --git a/test/apiv2/20-containers.at b/test/apiv2/20-containers.at index a99e9a184..383d92ef3 100644 --- a/test/apiv2/20-containers.at +++ b/test/apiv2/20-containers.at @@ -31,6 +31,13 @@ t GET libpod/containers/json?all=true 200 \ .[0].ExitCode=0 \ .[0].IsInfra=false +# Test compat API for Network Settings +t GET /containers/json?all=true 200 \ + length=1 \ + .[0].Id~[0-9a-f]\\{64\\} \ + .[0].Image=$IMAGE \ + .[0].NetworkSettings.Networks.podman.NetworkID=podman + # Make sure `limit` works. t GET libpod/containers/json?limit=1 200 \ length=1 \ @@ -155,6 +162,7 @@ t DELETE images/localhost/newrepo:v1?force=true 200 t DELETE images/localhost/newrepo:v2?force=true 200 t DELETE libpod/containers/$cid 204 t DELETE libpod/containers/myctr 204 +t DELETE libpod/containers/bogus 404 # test apiv2 create container with correct entrypoint and cmd @@ -206,9 +214,9 @@ t GET 'containers/json?limit=0&all=1' 200 \ t GET containers/json?limit=2 200 length=2 # Filter with two ids should return both container -t GET "containers/json?filters=%7B%22id%22%3A%5B%22${cid}%22%2C%22${cid_top}%22%5D%7D&all=1" 200 length=2 +t GET containers/json?filters='{"id":["'${cid}'","'${cid_top}'"]}&all=1' 200 length=2 # Filter with two ids and status running should return only 1 container -t GET "containers/json?filters=%7B%22id%22%3A%5B%22${cid}%22%2C%22${cid_top}%22%5D%2C%22status%22%3A%5B%22running%22%5D%7D&all=1" 200 \ +t GET containers/json?filters='{"id":["'${cid}'","'${cid_top}'"],"status":["running"]}&all=1' 200 \ length=1 \ .[0].Id=${cid_top} @@ -246,3 +254,22 @@ t GET containers/$cid/json 200 \ .Mounts[0].Destination="/test" t DELETE containers/$cid?v=true 204 + +# test port mapping +podman run -d --rm --name bar -p 8080:9090 $IMAGE top + +t GET containers/json 200 \ + .[0].Ports[0].PrivatePort=9090 \ + .[0].Ports[0].PublicPort=8080 \ + .[0].Ports[0].Type="tcp" + +podman stop bar + +# Test CPU limit (NanoCPUs) +t POST containers/create '"Image":"'$IMAGE'","HostConfig":{"NanoCpus":500000}' 201 \ + .Id~[0-9a-f]\\{64\\} +cid=$(jq -r '.Id' <<<"$output") +t GET containers/$cid/json 200 \ + .HostConfig.NanoCpus=500000 + +t DELETE containers/$cid?v=true 204 diff --git a/test/apiv2/30-volumes.at b/test/apiv2/30-volumes.at index b38810039..cf4b3d3ea 100644 --- a/test/apiv2/30-volumes.at +++ b/test/apiv2/30-volumes.at @@ -45,18 +45,17 @@ t GET libpod/volumes/json 200 \ .[0].Name~.* \ .[0].Mountpoint~.* \ .[0].CreatedAt~[0-9]\\{4\\}-[0-9]\\{2\\}-[0-9]\\{2\\}.* -# -G --data-urlencode 'filters={"name":["foo1"]}' -t GET libpod/volumes/json?filters=%7B%22name%22%3A%5B%22foo1%22%5D%7D 200 length=1 .[0].Name=foo1 -# -G --data-urlencode 'filters={"name":["foo1","foo2"]}' -t GET libpod/volumes/json?filters=%7B%22name%22%3A%20%5B%22foo1%22%2C%20%22foo2%22%5D%7D 200 length=2 .[0].Name=foo1 .[1].Name=foo2 -# -G --data-urlencode 'filters={"name":["nonexistent"]}' -t GET libpod/volumes/json?filters=%7B%22name%22%3A%5B%22nonexistent%22%5D%7D 200 length=0 -# -G --data-urlencode 'filters={"label":["testlabel"]}' -t GET libpod/volumes/json?filters=%7B%22label%22:%5B%22testlabel%22%5D%7D 200 length=2 -# -G --data-urlencode 'filters={"label":["testlabel=testonly"]}' -t GET libpod/volumes/json?filters=%7B%22label%22:%5B%22testlabel=testonly%22%5D%7D 200 length=1 -# -G --data-urlencode 'filters={"label":["testlabel1=testonly"]}' -t GET libpod/volumes/json?filters=%7B%22label%22:%5B%22testlabel1=testonly%22%5D%7D 200 length=1 +t GET libpod/volumes/json?filters='{"name":["foo1"]}' 200 \ + length=1 \ + .[0].Name=foo1 +t GET libpod/volumes/json?filters='{"name":%20["foo1",%20"foo2"]}' 200 \ + length=2 \ + .[0].Name=foo1 \ + .[1].Name=foo2 +t GET libpod/volumes/json?filters='{"name":["nonexistent"]}' 200 length=0 +t GET libpod/volumes/json?filters='{"label":["testlabel"]}' 200 length=2 +t GET libpod/volumes/json?filters='{"label":["testlabel=testonly"]}' 200 length=1 +t GET libpod/volumes/json?filters='{"label":["testlabel1=testonly"]}' 200 length=1 ## inspect volume t GET libpod/volumes/foo1/json 200 \ @@ -79,16 +78,12 @@ t DELETE libpod/volumes/foo1 404 \ .response=404 ## Prune volumes with label matching 'testlabel1=testonly' -# -G --data-urlencode 'filters={"label":["testlabel1=testonly"]}' -t POST libpod/volumes/prune?filters=%7B%22label%22:%5B%22testlabel1=testonly%22%5D%7D "" 200 -# -G --data-urlencode 'filters={"label":["testlabel1=testonly"]}' -t GET libpod/volumes/json?filters=%7B%22label%22:%5B%22testlabel1=testonly%22%5D%7D 200 length=0 +t POST libpod/volumes/prune?filters='{"label":["testlabel1=testonly"]}' "" 200 +t GET libpod/volumes/json?filters='{"label":["testlabel1=testonly"]}' 200 length=0 ## Prune volumes with label matching 'testlabel' -# -G --data-urlencode 'filters={"label":["testlabel"]}' -t POST libpod/volumes/prune?filters=%7B%22label%22:%5B%22testlabel%22%5D%7D "" 200 -# -G --data-urlencode 'filters={"label":["testlabel"]}' -t GET libpod/volumes/json?filters=%7B%22label%22:%5B%22testlabel%22%5D%7D 200 length=0 +t POST libpod/volumes/prune?filters='{"label":["testlabel"]}' "" 200 +t GET libpod/volumes/json?filters='{"label":["testlabel"]}' 200 length=0 ## Prune volumes t POST libpod/volumes/prune "" 200 diff --git a/test/apiv2/35-networks.at b/test/apiv2/35-networks.at index 7ce109913..d3bbaf32b 100644 --- a/test/apiv2/35-networks.at +++ b/test/apiv2/35-networks.at @@ -7,54 +7,52 @@ t GET networks/non-existing-network 404 \ .cause='network not found' t POST libpod/networks/create?name=network1 '' 200 \ -.Filename~.*/network1\\.conflist + .Filename~.*/network1\\.conflist # --data '{"Subnet":{"IP":"10.10.254.0","Mask":[255,255,255,0]},"Labels":{"abc":"val"}}' t POST libpod/networks/create?name=network2 '"Subnet":{"IP":"10.10.254.0","Mask":[255,255,255,0]},"Labels":{"abc":"val"}' 200 \ -.Filename~.*/network2\\.conflist + .Filename~.*/network2\\.conflist # test for empty mask t POST libpod/networks/create '"Subnet":{"IP":"10.10.1.0","Mask":[]}' 500 \ -.cause~'.*cannot be empty' + .cause~'.*cannot be empty' # test for invalid mask t POST libpod/networks/create '"Subnet":{"IP":"10.10.1.0","Mask":[0,255,255,0]}' 500 \ -.cause~'.*mask is invalid' + .cause~'.*mask is invalid' # network list t GET libpod/networks/json 200 -# filters={"name":["network1"]} -t GET libpod/networks/json?filters=%7B%22name%22%3A%5B%22network1%22%5D%7D 200 \ -length=1 \ -.[0].Name=network1 +t GET libpod/networks/json?filters='{"name":["network1"]}' 200 \ + length=1 \ + .[0].Name=network1 t GET networks 200 #network list docker endpoint -#filters={"name":["network1","network2"]} -t GET networks?filters=%7B%22name%22%3A%5B%22network1%22%2C%22network2%22%5D%7D 200 \ -length=2 -#filters={"name":["network"]} -t GET networks?filters=%7B%22name%22%3A%5B%22network%22%5D%7D 200 \ -length=2 -# filters={"label":["abc"]} -t GET networks?filters=%7B%22label%22%3A%5B%22abc%22%5D%7D 200 \ -length=1 -# id filter filters={"id":["a7662f44d65029fd4635c91feea3d720a57cef52e2a9fcc7772b69072cc1ccd1"]} -t GET networks?filters=%7B%22id%22%3A%5B%22a7662f44d65029fd4635c91feea3d720a57cef52e2a9fcc7772b69072cc1ccd1%22%5D%7D 200 \ -length=1 \ -.[0].Name=network1 \ -.[0].Id=a7662f44d65029fd4635c91feea3d720a57cef52e2a9fcc7772b69072cc1ccd1 -# invalid filter filters={"dangling":["1"]} -t GET networks?filters=%7B%22dangling%22%3A%5B%221%22%5D%7D 500 \ -.cause='invalid filter "dangling"' +t GET networks?filters='{"name":["network1","network2"]}' 200 \ + length=2 +t GET networks?filters='{"name":["network"]}' 200 \ + length=2 +t GET networks?filters='{"label":["abc"]}' 200 \ + length=1 +# old docker filter type see #9526 +t GET networks?filters='{"label":{"abc":true}}' 200 \ + length=1 +t GET networks?filters='{"id":["a7662f44d65029fd4635c91feea3d720a57cef52e2a9fcc7772b69072cc1ccd1"]}' 200 \ + length=1 \ + .[0].Name=network1 \ + .[0].Id=a7662f44d65029fd4635c91feea3d720a57cef52e2a9fcc7772b69072cc1ccd1 +# invalid filter +t GET networks?filters='{"dangling":["1"]}' 500 \ + .cause='invalid filter "dangling"' # (#9293 with no networks the endpoint should return empty array instead of null) -t GET networks?filters=%7B%22name%22%3A%5B%22doesnotexists%22%5D%7D 200 \ -"[]" +t GET networks?filters='{"name":["doesnotexists"]}' 200 \ + "[]" # network inspect docker t GET networks/a7662f44d65029fd4635c91feea3d720a57cef52e2a9fcc7772b69072cc1ccd1 200 \ -.Name=network1 \ -.Id=a7662f44d65029fd4635c91feea3d720a57cef52e2a9fcc7772b69072cc1ccd1 \ -.Scope=local + .Name=network1 \ + .Id=a7662f44d65029fd4635c91feea3d720a57cef52e2a9fcc7772b69072cc1ccd1 \ + .Scope=local # network create docker t POST networks/create '"Name":"net3","IPAM":{"Config":[]}' 201 @@ -63,11 +61,11 @@ t DELETE networks/net3 204 # clean the network t DELETE libpod/networks/network1 200 \ -.[0].Name~network1 \ -.[0].Err=null + .[0].Name~network1 \ + .[0].Err=null t DELETE libpod/networks/network2 200 \ -.[0].Name~network2 \ -.[0].Err=null + .[0].Name~network2 \ + .[0].Err=null # vim: filetype=sh diff --git a/test/apiv2/44-mounts.at b/test/apiv2/44-mounts.at new file mode 100644 index 000000000..5dc560852 --- /dev/null +++ b/test/apiv2/44-mounts.at @@ -0,0 +1,21 @@ +# -*- sh -*- + +podman pull $IMAGE &>/dev/null + +# Test various HostConfig options +tmpfs_name="/mytmpfs" +t POST containers/create?name=hostconfig_test '"Image":"'$IMAGE'","Cmd":["df"],"HostConfig":{"Binds":["/tmp/doesnotexist:/test1"],"TmpFs":{"'$tmpfs_name'":"rw"}}' 201 \ + .Id~[0-9a-f]\\{64\\} +cid=$(jq -r '.Id' <<<"$output") + +# Prior to #9512, the tmpfs would be called '/mytmpfs=rw', with the '=rw' +t GET containers/${cid}/json 200 \ + .HostConfig.Tmpfs[\"${tmpfs_name}\"]~rw, + +# Run the container, verify output +t POST containers/${cid}/start '' 204 +t POST containers/${cid}/wait '' 200 +t GET containers/${cid}/logs?stdout=true 200 + +like "$(<$WORKDIR/curl.result.out)" ".* ${tmpfs_name}" \ + "'df' output includes tmpfs name" diff --git a/test/apiv2/45-system.at b/test/apiv2/45-system.at index 985d86e56..ad4bdf4f7 100644 --- a/test/apiv2/45-system.at +++ b/test/apiv2/45-system.at @@ -49,18 +49,16 @@ t GET libpod/system/df 200 '.Volumes | length=3' # Prune volumes -# -G --data-urlencode 'volumes=true&filters={"label":["testlabel1=idontmatch"]}' -t POST 'libpod/system/prune?volumes=true&filters=%7B%22label%22:%5B%22testlabel1=idontmatch%22%5D%7D' params='' 200 +t POST 'libpod/system/prune?volumes=true&filters={"label":["testlabel1=idontmatch"]}' params='' 200 # nothing should have been pruned t GET system/df 200 '.Volumes | length=3' t GET libpod/system/df 200 '.Volumes | length=3' -# -G --data-urlencode 'volumes=true&filters={"label":["testlabel1=testonly"]}' # only foo3 should be pruned because of filter -t POST 'libpod/system/prune?volumes=true&filters=%7B%22label%22:%5B%22testlabel1=testonly%22%5D%7D' params='' 200 .VolumePruneReports[0].Id=foo3 +t POST 'libpod/system/prune?volumes=true&filters={"label":["testlabel1=testonly"]}' params='' 200 .VolumePruneReports[0].Id=foo3 # only foo2 should be pruned because of filter -t POST 'libpod/system/prune?volumes=true&filters=%7B%22label%22:%5B%22testlabel1%22%5D%7D' params='' 200 .VolumePruneReports[0].Id=foo2 +t POST 'libpod/system/prune?volumes=true&filters={"label":["testlabel1"]}' params='' 200 .VolumePruneReports[0].Id=foo2 # foo1, the last remaining volume should be pruned without any filters applied t POST 'libpod/system/prune?volumes=true' params='' 200 .VolumePruneReports[0].Id=foo1 diff --git a/test/apiv2/50-secrets.at b/test/apiv2/50-secrets.at index 1ef43381a..c4ffb5883 100644 --- a/test/apiv2/50-secrets.at +++ b/test/apiv2/50-secrets.at @@ -14,18 +14,21 @@ t POST secrets/create '"Name":"mysecret","Data":"c2VjcmV0","Labels":{"fail":"fai t POST secrets/create '"Name":"mysecret","Data":"c2VjcmV0"' 409 # secret inspect -t GET secrets/mysecret 200\ - .Spec.Name=mysecret +t GET secrets/mysecret 200 \ + .Spec.Name=mysecret \ + .Version.Index=1 # secret inspect non-existent secret t GET secrets/bogus 404 # secret list -t GET secrets 200\ - length=1 +t GET secrets 200 \ + length=1 \ + .[0].Spec.Name=mysecret \ + .[0].Version.Index=1 # secret list unsupported filters -t GET secrets?filters=%7B%22name%22%3A%5B%22foo1%22%5D%7D 400 +t GET secrets?filters='{"name":["foo1"]}' 400 # secret rm t DELETE secrets/mysecret 204 diff --git a/test/apiv2/60-auth.at b/test/apiv2/60-auth.at new file mode 100644 index 000000000..378955cd7 --- /dev/null +++ b/test/apiv2/60-auth.at @@ -0,0 +1,29 @@ +# -*- sh -*- +# +# registry-related tests +# + +start_registry + +# FIXME FIXME FIXME: remove the 'if false' for use with PR 9589 +if false; then + +# FIXME FIXME: please forgive the horrible POST params format; I have an +# upcoming PR which should fix that. + +# Test with wrong password. Confirm bad status and appropriate error message +t POST /v1.40/auth "\"username\":\"${REGISTRY_USERNAME}\",\"password\":\"WrOnGPassWord\",\"serveraddress\":\"localhost:$REGISTRY_PORT/\"" \ + 400 \ + .Status~'.* invalid username/password' + +# Test with the right password. Confirm status message and reasonable token +t POST /v1.40/auth "\"username\":\"${REGISTRY_USERNAME}\",\"password\":\"${REGISTRY_PASSWORD}\",\"serveraddress\":\"localhost:$REGISTRY_PORT/\"" \ + 200 \ + .Status="Login Succeeded" \ + .IdentityToken~[a-zA-Z0-9] + +# FIXME: now what? Try something-something using that token? +token=$(jq -r .IdentityToken <<<"$output") +# ... + +fi # FIXME FIXME FIXME: remove when working diff --git a/test/apiv2/rest_api/__init__.py b/test/apiv2/rest_api/__init__.py index db0257f03..b7b8a7649 100644 --- a/test/apiv2/rest_api/__init__.py +++ b/test/apiv2/rest_api/__init__.py @@ -27,7 +27,7 @@ class Podman(object): self.cmd.append("--root=" + os.path.join(self.anchor_directory, "crio")) self.cmd.append("--runroot=" + os.path.join(self.anchor_directory, "crio-run")) - os.environ["REGISTRIES_CONFIG_PATH"] = os.path.join(self.anchor_directory, "registry.conf") + os.environ["CONTAINERS_REGISTRIES_CONF"] = os.path.join(self.anchor_directory, "registry.conf") p = configparser.ConfigParser() p.read_dict( { @@ -36,7 +36,7 @@ class Podman(object): "registries.block": {"registries": "[]"}, } ) - with open(os.environ["REGISTRIES_CONFIG_PATH"], "w") as w: + with open(os.environ["CONTAINERS_REGISTRIES_CONF"], "w") as w: p.write(w) os.environ["CNI_CONFIG_PATH"] = os.path.join(self.anchor_directory, "cni", "net.d") diff --git a/test/apiv2/rest_api/test_rest_v2_0_0.py b/test/apiv2/rest_api/test_rest_v2_0_0.py index 05c24f2ea..8a78f5185 100644 --- a/test/apiv2/rest_api/test_rest_v2_0_0.py +++ b/test/apiv2/rest_api/test_rest_v2_0_0.py @@ -64,7 +64,9 @@ class TestApi(unittest.TestCase): super().setUpClass() TestApi.podman = Podman() - TestApi.service = TestApi.podman.open("system", "service", "tcp:localhost:8080", "--time=0") + TestApi.service = TestApi.podman.open( + "system", "service", "tcp:localhost:8080", "--time=0" + ) # give the service some time to be ready... time.sleep(2) @@ -241,7 +243,9 @@ class TestApi(unittest.TestCase): def test_post_create_compat(self): """Create network and connect container during create""" - net = requests.post(PODMAN_URL + "/v1.40/networks/create", json={"Name": "TestNetwork"}) + net = requests.post( + PODMAN_URL + "/v1.40/networks/create", json={"Name": "TestNetwork"} + ) self.assertEqual(net.status_code, 201, net.text) create = requests.post( @@ -450,11 +454,15 @@ class TestApi(unittest.TestCase): self.assertIn(k, o) def test_network_compat(self): - name = "Network_" + "".join(random.choice(string.ascii_letters) for i in range(10)) + name = "Network_" + "".join( + random.choice(string.ascii_letters) for i in range(10) + ) # Cannot test for 0 existing networks because default "podman" network always exists - create = requests.post(PODMAN_URL + "/v1.40/networks/create", json={"Name": name}) + create = requests.post( + PODMAN_URL + "/v1.40/networks/create", json={"Name": name} + ) self.assertEqual(create.status_code, 201, create.content) obj = json.loads(create.content) self.assertIn(type(obj), (dict,)) @@ -484,8 +492,12 @@ class TestApi(unittest.TestCase): self.assertEqual(inspect.status_code, 404, inspect.content) # network prune - prune_name = "Network_" + "".join(random.choice(string.ascii_letters) for i in range(10)) - prune_create = requests.post(PODMAN_URL + "/v1.40/networks/create", json={"Name": prune_name}) + prune_name = "Network_" + "".join( + random.choice(string.ascii_letters) for i in range(10) + ) + prune_create = requests.post( + PODMAN_URL + "/v1.40/networks/create", json={"Name": prune_name} + ) self.assertEqual(create.status_code, 201, prune_create.content) prune = requests.post(PODMAN_URL + "/v1.40/networks/prune") @@ -493,9 +505,10 @@ class TestApi(unittest.TestCase): obj = json.loads(prune.content) self.assertTrue(prune_name in obj["NetworksDeleted"]) - def test_volumes_compat(self): - name = "Volume_" + "".join(random.choice(string.ascii_letters) for i in range(10)) + name = "Volume_" + "".join( + random.choice(string.ascii_letters) for i in range(10) + ) ls = requests.get(PODMAN_URL + "/v1.40/volumes") self.assertEqual(ls.status_code, 200, ls.content) @@ -511,7 +524,9 @@ class TestApi(unittest.TestCase): for k in required_keys: self.assertIn(k, obj) - create = requests.post(PODMAN_URL + "/v1.40/volumes/create", json={"Name": name}) + create = requests.post( + PODMAN_URL + "/v1.40/volumes/create", json={"Name": name} + ) self.assertEqual(create.status_code, 201, create.content) # See https://docs.docker.com/engine/api/v1.40/#operation/VolumeCreate @@ -688,15 +703,21 @@ class TestApi(unittest.TestCase): """Verify issue #8865""" pod_name = list() - pod_name.append("Pod_" + "".join(random.choice(string.ascii_letters) for i in range(10))) - pod_name.append("Pod_" + "".join(random.choice(string.ascii_letters) for i in range(10))) + pod_name.append( + "Pod_" + "".join(random.choice(string.ascii_letters) for i in range(10)) + ) + pod_name.append( + "Pod_" + "".join(random.choice(string.ascii_letters) for i in range(10)) + ) r = requests.post( _url("/pods/create"), json={ "name": pod_name[0], "no_infra": False, - "portmappings": [{"host_ip": "127.0.0.1", "host_port": 8889, "container_port": 89}], + "portmappings": [ + {"host_ip": "127.0.0.1", "host_port": 8889, "container_port": 89} + ], }, ) self.assertEqual(r.status_code, 201, r.text) @@ -715,7 +736,9 @@ class TestApi(unittest.TestCase): json={ "name": pod_name[1], "no_infra": False, - "portmappings": [{"host_ip": "127.0.0.1", "host_port": 8889, "container_port": 89}], + "portmappings": [ + {"host_ip": "127.0.0.1", "host_port": 8889, "container_port": 89} + ], }, ) self.assertEqual(r.status_code, 201, r.text) diff --git a/test/apiv2/test-apiv2 b/test/apiv2/test-apiv2 index 5b1e2ef80..e32d6bc62 100755 --- a/test/apiv2/test-apiv2 +++ b/test/apiv2/test-apiv2 @@ -17,6 +17,8 @@ PODMAN_TEST_IMAGE_FQN="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODM IMAGE=$PODMAN_TEST_IMAGE_FQN +REGISTRY_IMAGE="${PODMAN_TEST_IMAGE_REGISTRY}/${PODMAN_TEST_IMAGE_USER}/registry:2.7" + # END stuff you can but probably shouldn't customize ############################################################################### # BEGIN setup @@ -188,6 +190,13 @@ function t() { # entrypoint path can include a descriptive comment; strip it off path=${path%% *} + # path may include JSONish params that curl will barf on; url-encode them + path="${path//'['/%5B}" + path="${path//']'/%5D}" + path="${path//'{'/%7B}" + path="${path//'}'/%7D}" + path="${path//':'/%3A}" + # curl -X HEAD but without --head seems to wait for output anyway if [[ $method == "HEAD" ]]; then curl_args="--head" @@ -306,13 +315,115 @@ function start_service() { die "Cannot start service on non-localhost ($HOST)" fi - $PODMAN_BIN --root $WORKDIR system service --time 15 tcp:127.0.0.1:$PORT \ + $PODMAN_BIN --root $WORKDIR/server_root system service \ + --time 15 \ + tcp:127.0.0.1:$PORT \ &> $WORKDIR/server.log & service_pid=$! wait_for_port $HOST $PORT } +function stop_service() { + # Stop the server + if [[ -n $service_pid ]]; then + kill $service_pid + wait $service_pid + fi +} + +#################### +# start_registry # Run a local registry +#################### +REGISTRY_PORT= +REGISTRY_USERNAME= +REGISTRY_PASSWORD= +function start_registry() { + # We can be invoked multiple times, e.g. from different subtests, but + # let's assume that once started we only kill it at the end of tests. + if [[ -n "$REGISTRY_PORT" ]]; then + return + fi + + REGISTRY_PORT=$(random_port) + REGISTRY_USERNAME=u$(random_string 7) + REGISTRY_PASSWORD=p$(random_string 7) + + local REGDIR=$WORKDIR/registry + local AUTHDIR=$REGDIR/auth + mkdir -p $AUTHDIR + + mkdir -p ${REGDIR}/{root,runroot} + local PODMAN_REGISTRY_ARGS="--root ${REGDIR}/root --runroot ${REGDIR}/runroot" + + # Give it three tries, to compensate for network flakes + podman ${PODMAN_REGISTRY_ARGS} pull $REGISTRY_IMAGE || + podman ${PODMAN_REGISTRY_ARGS} pull $REGISTRY_IMAGE || + podman ${PODMAN_REGISTRY_ARGS} pull $REGISTRY_IMAGE + + # Create a local cert and credentials + # FIXME: is there a hidden "--quiet" flag? This is too noisy. + openssl req -newkey rsa:4096 -nodes -sha256 \ + -keyout $AUTHDIR/domain.key -x509 -days 2 \ + -out $AUTHDIR/domain.crt \ + -subj "/C=US/ST=Foo/L=Bar/O=Red Hat, Inc./CN=registry host certificate" \ + -addext subjectAltName=DNS:localhost + htpasswd -Bbn ${REGISTRY_USERNAME} ${REGISTRY_PASSWORD} \ + > $AUTHDIR/htpasswd + + # Run the registry, and wait for it to come up + podman ${PODMAN_REGISTRY_ARGS} run -d \ + -p ${REGISTRY_PORT}:5000 \ + --name registry \ + -v $AUTHDIR:/auth:Z \ + -e "REGISTRY_AUTH=htpasswd" \ + -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ + -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ + -e REGISTRY_HTTP_TLS_CERTIFICATE=/auth/domain.crt \ + -e REGISTRY_HTTP_TLS_KEY=/auth/domain.key \ + ${REGISTRY_IMAGE} + + wait_for_port localhost $REGISTRY_PORT +} + +function stop_registry() { + local REGDIR=${WORKDIR}/registry + if [[ -d $REGDIR ]]; then + local OPTS="--root ${REGDIR}/root --runroot ${REGDIR}/runroot" + podman $OPTS stop -f -t 0 -a + + # rm/rmi are important when running rootless: without them we + # get EPERMS in tmpdir cleanup because files are owned by subuids. + podman $OPTS rm -f -a + podman $OPTS rmi -f -a + fi +} + +################# +# random_port # Random open port; arg is range (min-max), default 5000-5999 +################# +function random_port() { + local range=${1:-5000-5999} + + local port + for port in $(shuf -i ${range}); do + if ! { exec 5<> /dev/tcp/127.0.0.1/$port; } &>/dev/null; then + echo $port + return + fi + done + + die "Could not find open port in range $range" +} + +################### +# random_string # Pseudorandom alphanumeric string of given length +################### +function random_string() { + local length=${1:-10} + head /dev/urandom | tr -dc a-zA-Z0-9 | head -c$length +} + ################### # wait_for_port # Returns once port is available on host ################### @@ -334,8 +445,8 @@ function wait_for_port() { # podman # Needed by some test scripts to invoke the actual podman binary ############ function podman() { - echo "\$ $PODMAN_BIN $*" >>$WORKDIR/output.log - $PODMAN_BIN --root $WORKDIR "$@" >>$WORKDIR/output.log 2>&1 + echo "\$ $PODMAN_BIN $*" >>$WORKDIR/output.log + $PODMAN_BIN --root $WORKDIR/server_root "$@" >>$WORKDIR/output.log 2>&1 } #################### @@ -405,9 +516,8 @@ if [ -n "$service_pid" ]; then podman rm -a podman rmi -af - # Stop the server - kill $service_pid - wait $service_pid + stop_registry + stop_service fi test_count=$(<$testcounter_file) diff --git a/test/e2e/build_test.go b/test/e2e/build_test.go index c733db61c..4839d66ec 100644 --- a/test/e2e/build_test.go +++ b/test/e2e/build_test.go @@ -532,4 +532,20 @@ RUN grep CapEff /proc/self/status` // Then Expect(session.ExitCode()).To(Equal(125)) }) + + It("podman build --timestamp flag", func() { + containerfile := `FROM quay.io/libpod/alpine:latest +RUN echo hello` + + containerfilePath := filepath.Join(podmanTest.TempDir, "Containerfile") + err := ioutil.WriteFile(containerfilePath, []byte(containerfile), 0755) + Expect(err).To(BeNil()) + session := podmanTest.Podman([]string{"build", "-t", "test", "--timestamp", "0", "--file", containerfilePath, podmanTest.TempDir}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + inspect := podmanTest.Podman([]string{"image", "inspect", "--format", "{{ .Created }}", "test"}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.OutputToString()).To(Equal("1970-01-01 00:00:00 +0000 UTC")) + }) }) diff --git a/test/e2e/config/containers.conf b/test/e2e/config/containers.conf index fdf679664..bbd712254 100644 --- a/test/e2e/config/containers.conf +++ b/test/e2e/config/containers.conf @@ -55,6 +55,7 @@ umask = "0002" annotations=["run.oci.keep_original_groups=1",] +no_hosts=true [engine] network_cmd_options=["allow_host_loopback=true"] diff --git a/test/e2e/containers_conf_test.go b/test/e2e/containers_conf_test.go index 9c2260c5f..6b1a0d16e 100644 --- a/test/e2e/containers_conf_test.go +++ b/test/e2e/containers_conf_test.go @@ -331,4 +331,26 @@ var _ = Describe("Podman run", func() { Expect(inspect.OutputToString()).To(ContainSubstring("run.oci.keep_original_groups:1")) }) + It("podman run with --add-host and no-hosts=true fails", func() { + session := podmanTest.Podman([]string{"run", "-dt", "--add-host", "test1:127.0.0.1", ALPINE, "top"}) + session.WaitWithDefaultTimeout() + Expect(session).To(ExitWithError()) + Expect(session.ErrorToString()).To(ContainSubstring("--no-hosts and --add-host cannot be set together")) + + session = podmanTest.Podman([]string{"run", "-dt", "--add-host", "test1:127.0.0.1", "--no-hosts=false", ALPINE, "top"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + }) + + It("podman run with no-hosts=true /etc/hosts does not include hostname", func() { + session := podmanTest.Podman([]string{"run", "--rm", "--name", "test", ALPINE, "cat", "/etc/hosts"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(Not(ContainSubstring("test"))) + + session = podmanTest.Podman([]string{"run", "--rm", "--name", "test", "--no-hosts=false", ALPINE, "cat", "/etc/hosts"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("test")) + }) }) diff --git a/test/e2e/generate_kube_test.go b/test/e2e/generate_kube_test.go index d7c697f28..21e006c20 100644 --- a/test/e2e/generate_kube_test.go +++ b/test/e2e/generate_kube_test.go @@ -734,4 +734,36 @@ ENTRYPOINT /bin/sleep` kube.WaitWithDefaultTimeout() Expect(kube.ExitCode()).To(Equal(0)) }) + + It("podman generate kube based on user in container", func() { + // Build an image with an entrypoint. + containerfile := `FROM quay.io/libpod/alpine:latest +RUN adduser -u 10001 -S test1 +USER test1` + + targetPath, err := CreateTempDirInTempDir() + Expect(err).To(BeNil()) + containerfilePath := filepath.Join(targetPath, "Containerfile") + err = ioutil.WriteFile(containerfilePath, []byte(containerfile), 0644) + Expect(err).To(BeNil()) + + image := "generatekube:test" + session := podmanTest.Podman([]string{"build", "-f", containerfilePath, "-t", image}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"create", "--pod", "new:testpod", image, "test1"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + kube := podmanTest.Podman([]string{"generate", "kube", "testpod"}) + kube.WaitWithDefaultTimeout() + Expect(kube.ExitCode()).To(Equal(0)) + + pod := new(v1.Pod) + err = yaml.Unmarshal(kube.Out.Contents(), pod) + Expect(err).To(BeNil()) + Expect(*pod.Spec.Containers[0].SecurityContext.RunAsUser).To(Equal(int64(10001))) + }) + }) diff --git a/test/e2e/libpod_suite_remote_test.go b/test/e2e/libpod_suite_remote_test.go index a26765ee9..3115c246f 100644 --- a/test/e2e/libpod_suite_remote_test.go +++ b/test/e2e/libpod_suite_remote_test.go @@ -48,17 +48,17 @@ func (p *PodmanTestIntegration) PodmanExtraFiles(args []string, extraFiles []*os func (p *PodmanTestIntegration) setDefaultRegistriesConfigEnv() { defaultFile := filepath.Join(INTEGRATION_ROOT, "test/registries.conf") - os.Setenv("REGISTRIES_CONFIG_PATH", defaultFile) + os.Setenv("CONTAINERS_REGISTRIES_CONF", defaultFile) } func (p *PodmanTestIntegration) setRegistriesConfigEnv(b []byte) { outfile := filepath.Join(p.TempDir, "registries.conf") - os.Setenv("REGISTRIES_CONFIG_PATH", outfile) + os.Setenv("CONTAINERS_REGISTRIES_CONF", outfile) ioutil.WriteFile(outfile, b, 0644) } func resetRegistriesConfigEnv() { - os.Setenv("REGISTRIES_CONFIG_PATH", "") + os.Setenv("CONTAINERS_REGISTRIES_CONF", "") } func PodmanTestCreate(tempDir string) *PodmanTestIntegration { pti := PodmanTestCreateUtil(tempDir, true) diff --git a/test/e2e/libpod_suite_test.go b/test/e2e/libpod_suite_test.go index 0ae30ca10..cc03ccc96 100644 --- a/test/e2e/libpod_suite_test.go +++ b/test/e2e/libpod_suite_test.go @@ -31,17 +31,17 @@ func (p *PodmanTestIntegration) PodmanExtraFiles(args []string, extraFiles []*os func (p *PodmanTestIntegration) setDefaultRegistriesConfigEnv() { defaultFile := filepath.Join(INTEGRATION_ROOT, "test/registries.conf") - os.Setenv("REGISTRIES_CONFIG_PATH", defaultFile) + os.Setenv("CONTAINERS_REGISTRIES_CONF", defaultFile) } func (p *PodmanTestIntegration) setRegistriesConfigEnv(b []byte) { outfile := filepath.Join(p.TempDir, "registries.conf") - os.Setenv("REGISTRIES_CONFIG_PATH", outfile) + os.Setenv("CONTAINERS_REGISTRIES_CONF", outfile) ioutil.WriteFile(outfile, b, 0644) } func resetRegistriesConfigEnv() { - os.Setenv("REGISTRIES_CONFIG_PATH", "") + os.Setenv("CONTAINERS_REGISTRIES_CONF", "") } func PodmanTestCreate(tempDir string) *PodmanTestIntegration { diff --git a/test/e2e/login_logout_test.go b/test/e2e/login_logout_test.go index 99876de29..6269bb92b 100644 --- a/test/e2e/login_logout_test.go +++ b/test/e2e/login_logout_test.go @@ -125,15 +125,15 @@ var _ = Describe("Podman login and logout", func() { // Environment is per-process, so this looks very unsafe; actually it seems fine because tests are not // run in parallel unless they opt in by calling t.Parallel(). So don’t do that. - oldRCP, hasRCP := os.LookupEnv("REGISTRIES_CONFIG_PATH") + oldRCP, hasRCP := os.LookupEnv("CONTAINERS_REGISTRIES_CONF") defer func() { if hasRCP { - os.Setenv("REGISTRIES_CONFIG_PATH", oldRCP) + os.Setenv("CONTAINERS_REGISTRIES_CONF", oldRCP) } else { - os.Unsetenv("REGISTRIES_CONFIG_PATH") + os.Unsetenv("CONTAINERS_REGISTRIES_CONF") } }() - os.Setenv("REGISTRIES_CONFIG_PATH", registriesConf.Name()) + os.Setenv("CONTAINERS_REGISTRIES_CONF", registriesConf.Name()) session := podmanTest.Podman([]string{"login", "-u", "podmantest", "-p", "test"}) session.WaitWithDefaultTimeout() diff --git a/test/e2e/logs_test.go b/test/e2e/logs_test.go index 8f695279a..3051031a5 100644 --- a/test/e2e/logs_test.go +++ b/test/e2e/logs_test.go @@ -37,16 +37,18 @@ var _ = Describe("Podman logs", func() { }) for _, log := range []string{"k8s-file", "journald", "json-file"} { + It("all lines: "+log, func() { logc := podmanTest.Podman([]string{"run", "--log-driver", log, "-dt", ALPINE, "sh", "-c", "echo podman; echo podman; echo podman"}) logc.WaitWithDefaultTimeout() Expect(logc).To(Exit(0)) - cid := logc.OutputToString() + results := podmanTest.Podman([]string{"logs", cid}) results.WaitWithDefaultTimeout() Expect(results).To(Exit(0)) Expect(len(results.OutputToStringArray())).To(Equal(3)) + Expect(results.OutputToString()).To(Equal("podman podman podman")) }) It("tail two lines: "+log, func() { @@ -73,6 +75,18 @@ var _ = Describe("Podman logs", func() { Expect(len(results.OutputToStringArray())).To(Equal(0)) }) + It("tail 99 lines: "+log, func() { + logc := podmanTest.Podman([]string{"run", "--log-driver", log, "-dt", ALPINE, "sh", "-c", "echo podman; echo podman; echo podman"}) + logc.WaitWithDefaultTimeout() + Expect(logc).To(Exit(0)) + cid := logc.OutputToString() + + results := podmanTest.Podman([]string{"logs", "--tail", "99", cid}) + results.WaitWithDefaultTimeout() + Expect(results).To(Exit(0)) + Expect(len(results.OutputToStringArray())).To(Equal(3)) + }) + It("tail 800 lines: "+log, func() { logc := podmanTest.Podman([]string{"run", "--log-driver", log, "-dt", ALPINE, "sh", "-c", "i=1; while [ \"$i\" -ne 1000 ]; do echo \"line $i\"; i=$((i + 1)); done"}) logc.WaitWithDefaultTimeout() @@ -158,78 +172,6 @@ var _ = Describe("Podman logs", func() { Expect(results).To(Exit(0)) }) - It("for container: "+log, func() { - logc := podmanTest.Podman([]string{"run", "--log-driver", log, "-dt", ALPINE, "sh", "-c", "echo podman; echo podman; echo podman"}) - logc.WaitWithDefaultTimeout() - Expect(logc).To(Exit(0)) - cid := logc.OutputToString() - - results := podmanTest.Podman([]string{"logs", cid}) - results.WaitWithDefaultTimeout() - Expect(results).To(Exit(0)) - Expect(len(results.OutputToStringArray())).To(Equal(3)) - Expect(results.OutputToString()).To(Equal("podman podman podman")) - }) - - It("tail two lines: "+log, func() { - logc := podmanTest.Podman([]string{"run", "--log-driver", log, "-dt", ALPINE, "sh", "-c", "echo podman; echo podman; echo podman"}) - logc.WaitWithDefaultTimeout() - Expect(logc).To(Exit(0)) - cid := logc.OutputToString() - results := podmanTest.Podman([]string{"logs", "--tail", "2", cid}) - results.WaitWithDefaultTimeout() - Expect(results).To(Exit(0)) - Expect(len(results.OutputToStringArray())).To(Equal(2)) - }) - - It("tail 99 lines: "+log, func() { - logc := podmanTest.Podman([]string{"run", "--log-driver", log, "-dt", ALPINE, "sh", "-c", "echo podman; echo podman; echo podman"}) - logc.WaitWithDefaultTimeout() - Expect(logc).To(Exit(0)) - cid := logc.OutputToString() - - results := podmanTest.Podman([]string{"logs", "--tail", "99", cid}) - results.WaitWithDefaultTimeout() - Expect(results).To(Exit(0)) - Expect(len(results.OutputToStringArray())).To(Equal(3)) - }) - - It("tail 2 lines with timestamps: "+log, func() { - logc := podmanTest.Podman([]string{"run", "--log-driver", log, "-dt", ALPINE, "sh", "-c", "echo podman; echo podman; echo podman"}) - logc.WaitWithDefaultTimeout() - Expect(logc).To(Exit(0)) - cid := logc.OutputToString() - - results := podmanTest.Podman([]string{"logs", "--tail", "2", "-t", cid}) - results.WaitWithDefaultTimeout() - Expect(results).To(Exit(0)) - Expect(len(results.OutputToStringArray())).To(Equal(2)) - }) - - It("since time 2017-08-07: "+log, func() { - logc := podmanTest.Podman([]string{"run", "--log-driver", log, "-dt", ALPINE, "sh", "-c", "echo podman; echo podman; echo podman"}) - logc.WaitWithDefaultTimeout() - Expect(logc).To(Exit(0)) - cid := logc.OutputToString() - - results := podmanTest.Podman([]string{"logs", "--since", "2017-08-07T10:10:09.056611202-04:00", cid}) - results.WaitWithDefaultTimeout() - Expect(results).To(Exit(0)) - Expect(len(results.OutputToStringArray())).To(Equal(3)) - }) - - It("with duration 10m: "+log, func() { - logc := podmanTest.Podman([]string{"run", "--log-driver", log, "-dt", ALPINE, "sh", "-c", "echo podman; echo podman; echo podman"}) - logc.WaitWithDefaultTimeout() - Expect(logc).To(Exit(0)) - cid := logc.OutputToString() - - results := podmanTest.Podman([]string{"logs", "--since", "10m", cid}) - results.WaitWithDefaultTimeout() - Expect(results).To(Exit(0)) - Expect(len(results.OutputToStringArray())).To(Equal(3)) - }) - It("streaming output: "+log, func() { containerName := "logs-f-rm" @@ -259,17 +201,6 @@ var _ = Describe("Podman logs", func() { } }) - It("podman logs with log-driver=none errors: "+log, func() { - ctrName := "logsctr" - logc := podmanTest.Podman([]string{"run", "--log-driver", log, "--name", ctrName, "-d", "--log-driver", "none", ALPINE, "top"}) - logc.WaitWithDefaultTimeout() - Expect(logc).To(Exit(0)) - - logs := podmanTest.Podman([]string{"logs", "-f", ctrName}) - logs.WaitWithDefaultTimeout() - Expect(logs).To(Not(Exit(0))) - }) - It("follow output stopped container: "+log, func() { containerName := "logs-f" @@ -373,4 +304,15 @@ var _ = Describe("Podman logs", func() { Expect(err).To(BeNil()) Expect(string(out)).To(ContainSubstring(containerName)) }) + + It("podman logs with log-driver=none errors", func() { + ctrName := "logsctr" + logc := podmanTest.Podman([]string{"run", "--name", ctrName, "-d", "--log-driver", "none", ALPINE, "top"}) + logc.WaitWithDefaultTimeout() + Expect(logc).To(Exit(0)) + + logs := podmanTest.Podman([]string{"logs", "-f", ctrName}) + logs.WaitWithDefaultTimeout() + Expect(logs).To(Not(Exit(0))) + }) }) diff --git a/test/e2e/network_connect_disconnect_test.go b/test/e2e/network_connect_disconnect_test.go index eb8ad7181..e9a7b421f 100644 --- a/test/e2e/network_connect_disconnect_test.go +++ b/test/e2e/network_connect_disconnect_test.go @@ -193,6 +193,13 @@ var _ = Describe("Podman network connect and disconnect", func() { exec = podmanTest.Podman([]string{"exec", "-it", "test", "ip", "addr", "show", "eth1"}) exec.WaitWithDefaultTimeout() Expect(exec.ExitCode()).To(BeZero()) + + // make sure no logrus errors are shown https://github.com/containers/podman/issues/9602 + rm := podmanTest.Podman([]string{"rm", "-f", "test"}) + rm.WaitWithDefaultTimeout() + Expect(rm.ExitCode()).To(BeZero()) + Expect(rm.ErrorToString()).To(Equal("")) + }) It("podman network connect when not running", func() { diff --git a/test/e2e/network_test.go b/test/e2e/network_test.go index 53521cdc4..ff2e1eb66 100644 --- a/test/e2e/network_test.go +++ b/test/e2e/network_test.go @@ -352,6 +352,29 @@ var _ = Describe("Podman network", func() { Expect(rmAll.ExitCode()).To(BeZero()) }) + It("podman network remove after disconnect when container initially created with the network", func() { + SkipIfRootless("disconnect works only in non rootless container") + + container := "test" + network := "foo" + + session := podmanTest.Podman([]string{"network", "create", network}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"run", "--name", container, "--network", network, "-d", ALPINE, "top"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"network", "disconnect", network, container}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"network", "rm", network}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + }) + It("podman network remove bogus", func() { session := podmanTest.Podman([]string{"network", "rm", "bogus"}) session.WaitWithDefaultTimeout() diff --git a/test/e2e/rename_test.go b/test/e2e/rename_test.go index f19413221..14696c0f6 100644 --- a/test/e2e/rename_test.go +++ b/test/e2e/rename_test.go @@ -89,4 +89,25 @@ var _ = Describe("podman rename", func() { Expect(ps.ExitCode()).To(Equal(0)) Expect(ps.OutputToString()).To(ContainSubstring(newName)) }) + + It("Rename a running container with exec sessions", func() { + ctrName := "testCtr" + ctr := podmanTest.Podman([]string{"run", "-d", "--name", ctrName, ALPINE, "top"}) + ctr.WaitWithDefaultTimeout() + Expect(ctr.ExitCode()).To(Equal(0)) + + exec := podmanTest.Podman([]string{"exec", "-d", ctrName, "top"}) + exec.WaitWithDefaultTimeout() + Expect(exec.ExitCode()).To(Equal(0)) + + newName := "aNewName" + rename := podmanTest.Podman([]string{"rename", ctrName, newName}) + rename.WaitWithDefaultTimeout() + Expect(rename.ExitCode()).To(Equal(0)) + + ps := podmanTest.Podman([]string{"ps", "-aq", "--filter", fmt.Sprintf("name=%s", newName), "--format", "{{ .Names }}"}) + ps.WaitWithDefaultTimeout() + Expect(ps.ExitCode()).To(Equal(0)) + Expect(ps.OutputToString()).To(ContainSubstring(newName)) + }) }) diff --git a/test/e2e/run_selinux_test.go b/test/e2e/run_selinux_test.go index 8c712b1be..6abe152a9 100644 --- a/test/e2e/run_selinux_test.go +++ b/test/e2e/run_selinux_test.go @@ -2,6 +2,7 @@ package integration import ( "os" + "path/filepath" . "github.com/containers/podman/v3/test/utils" . "github.com/onsi/ginkgo" @@ -294,4 +295,52 @@ var _ = Describe("Podman run", func() { Expect(session.ExitCode()).To(Equal(0)) Expect(session.OutputToString()).To(ContainSubstring("container_t")) }) + + It("podman test --ipc=net", func() { + session := podmanTest.Podman([]string{"run", "--net=host", ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("container_t")) + }) + + It("podman test --ipc=net", func() { + session := podmanTest.Podman([]string{"run", "--net=host", ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("container_t")) + }) + + It("podman test --runtime=/PATHTO/kata-runtime", func() { + runtime := podmanTest.OCIRuntime + podmanTest.OCIRuntime = filepath.Join(podmanTest.TempDir, "kata-runtime") + err := os.Symlink("/bin/true", podmanTest.OCIRuntime) + Expect(err).To(BeNil()) + if IsRemote() { + podmanTest.StopRemoteService() + podmanTest.StartRemoteService() + } + session := podmanTest.Podman([]string{"create", ALPINE}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + cid := session.OutputToString() + session = podmanTest.Podman([]string{"inspect", "--format", "{{ .ProcessLabel }}", cid}) + session.WaitWithDefaultTimeout() + Expect(session.OutputToString()).To(ContainSubstring("container_kvm_t")) + + podmanTest.OCIRuntime = runtime + if IsRemote() { + podmanTest.StopRemoteService() + podmanTest.StartRemoteService() + } + }) + + It("podman test init labels", func() { + session := podmanTest.Podman([]string{"create", ubi_init, "/sbin/init"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + cid := session.OutputToString() + session = podmanTest.Podman([]string{"inspect", "--format", "{{ .ProcessLabel }}", cid}) + session.WaitWithDefaultTimeout() + Expect(session.OutputToString()).To(ContainSubstring("container_init_t")) + }) }) diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index f0ba9d1d9..490d05699 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -304,6 +304,42 @@ var _ = Describe("Podman run", func() { }) + It("podman run security-opt unmask on /sys/fs/cgroup", func() { + + SkipIfCgroupV1("podman umask on /sys/fs/cgroup will fail with cgroups V1") + SkipIfRootless("/sys/fs/cgroup rw access is needed") + rwOnCGroups := "/sys/fs/cgroup cgroup2 rw" + session := podmanTest.Podman([]string{"run", "--security-opt", "unmask=ALL", "--security-opt", "mask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + + session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + + session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup///", ALPINE, "cat", "/proc/mounts"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + + session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=ALL", ALPINE, "cat", "/proc/mounts"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + + session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup", "--security-opt", "mask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + + session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup", ALPINE, "ls", "/sys/fs/cgroup"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).ToNot(BeEmpty()) + }) + It("podman run seccomp test", func() { session := podmanTest.Podman([]string{"run", "-it", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"}) session.WaitWithDefaultTimeout() diff --git a/test/e2e/stop_test.go b/test/e2e/stop_test.go index dd264eb0d..d6d58c94c 100644 --- a/test/e2e/stop_test.go +++ b/test/e2e/stop_test.go @@ -150,7 +150,7 @@ var _ = Describe("Podman stop", func() { session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) - session = podmanTest.Podman([]string{"stop", "--time", "1", "test4"}) + session = podmanTest.Podman([]string{"stop", "--time", "0", "test4"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) output := session.OutputToString() @@ -166,7 +166,7 @@ var _ = Describe("Podman stop", func() { session := podmanTest.Podman([]string{"run", "-d", "--name", "test5", ALPINE, "sleep", "100"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) - session = podmanTest.Podman([]string{"stop", "--timeout", "1", "test5"}) + session = podmanTest.Podman([]string{"stop", "--timeout", "0", "test5"}) // Without timeout container stops in 10 seconds // If not stopped in 5 seconds, then --timeout did not work session.Wait(5) diff --git a/test/python/__init__.py b/test/python/__init__.py new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/test/python/__init__.py diff --git a/test/python/docker/__init__.py b/test/python/docker/__init__.py index 351834316..59b7987f4 100644 --- a/test/python/docker/__init__.py +++ b/test/python/docker/__init__.py @@ -8,7 +8,7 @@ import tempfile from docker import DockerClient -from test.python.docker import constant +from .compat import constant class Podman(object): @@ -39,7 +39,9 @@ class Podman(object): self.cmd.append("--root=" + os.path.join(self.anchor_directory, "crio")) self.cmd.append("--runroot=" + os.path.join(self.anchor_directory, "crio-run")) - os.environ["REGISTRIES_CONFIG_PATH"] = os.path.join(self.anchor_directory, "registry.conf") + os.environ["CONTAINERS_REGISTRIES_CONF"] = os.path.join( + self.anchor_directory, "registry.conf" + ) p = configparser.ConfigParser() p.read_dict( { @@ -48,13 +50,17 @@ class Podman(object): "registries.block": {"registries": "[]"}, } ) - with open(os.environ["REGISTRIES_CONFIG_PATH"], "w") as w: + with open(os.environ["CONTAINERS_REGISTRIES_CONF"], "w") as w: p.write(w) - os.environ["CNI_CONFIG_PATH"] = os.path.join(self.anchor_directory, "cni", "net.d") + os.environ["CNI_CONFIG_PATH"] = os.path.join( + self.anchor_directory, "cni", "net.d" + ) os.makedirs(os.environ["CNI_CONFIG_PATH"], exist_ok=True) self.cmd.append("--cni-config-dir=" + os.environ["CNI_CONFIG_PATH"]) - cni_cfg = os.path.join(os.environ["CNI_CONFIG_PATH"], "87-podman-bridge.conflist") + cni_cfg = os.path.join( + os.environ["CNI_CONFIG_PATH"], "87-podman-bridge.conflist" + ) # json decoded and encoded to ensure legal json buf = json.loads( """ diff --git a/test/python/docker/build_labels/Dockerfile b/test/python/docker/build_labels/Dockerfile new file mode 100644 index 000000000..f6e07066c --- /dev/null +++ b/test/python/docker/build_labels/Dockerfile @@ -0,0 +1 @@ +FROM quay.io/libpod/alpine:latest diff --git a/test/python/docker/README.md b/test/python/docker/compat/README.md index c10fd636d..50796d66b 100644 --- a/test/python/docker/README.md +++ b/test/python/docker/compat/README.md @@ -13,26 +13,26 @@ To run the tests locally in your sandbox (Fedora 32,33): ### Run the entire test suite +All commands are run from the root of the repository. + ```shell -# python3 -m unittest discover test/python/docker +# python3 -m unittest discover -s test/python/docker ``` Passing the -v option to your test script will instruct unittest.main() to enable a higher level of verbosity, and produce detailed output: ```shell -# python3 -m unittest -v discover test/python/docker +# python3 -m unittest -v discover -s test/python/docker ``` ### Run a specific test class ```shell -# cd test/python/docker -# python3 -m unittest -v tests.test_images +# python3 -m unittest -v test.python.docker.compat.test_images.TestImages ``` ### Run a specific test within the test class ```shell -# cd test/python/docker -# python3 -m unittest tests.test_images.TestImages.test_import_image +# python3 -m unittest test.python.docker.compat.test_images.TestImages.test_tag_valid_image ``` diff --git a/test/python/docker/compat/__init__.py b/test/python/docker/compat/__init__.py new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/test/python/docker/compat/__init__.py diff --git a/test/python/docker/common.py b/test/python/docker/compat/common.py index 11f512495..bdc67c287 100644 --- a/test/python/docker/common.py +++ b/test/python/docker/compat/common.py @@ -1,10 +1,12 @@ from docker import DockerClient -from test.python.docker import constant +from test.python.docker.compat import constant def run_top_container(client: DockerClient): - c = client.containers.create(constant.ALPINE, command="top", detach=True, tty=True, name="top") + c = client.containers.create( + constant.ALPINE, command="top", detach=True, tty=True, name="top" + ) c.start() return c.id diff --git a/test/python/docker/constant.py b/test/python/docker/compat/constant.py index 892293c97..892293c97 100644 --- a/test/python/docker/constant.py +++ b/test/python/docker/compat/constant.py diff --git a/test/python/docker/test_containers.py b/test/python/docker/compat/test_containers.py index 337cacd5c..be70efa67 100644 --- a/test/python/docker/test_containers.py +++ b/test/python/docker/compat/test_containers.py @@ -5,7 +5,8 @@ import unittest from docker import DockerClient, errors -from test.python.docker import Podman, common, constant +from test.python.docker import Podman +from test.python.docker.compat import common, constant class TestContainers(unittest.TestCase): @@ -87,9 +88,11 @@ class TestContainers(unittest.TestCase): self.assertEqual(len(containers), 2) def test_start_container_with_random_port_bind(self): - container = self.client.containers.create(image=constant.ALPINE, - name="containerWithRandomBind", - ports={'1234/tcp': None}) + container = self.client.containers.create( + image=constant.ALPINE, + name="containerWithRandomBind", + ports={"1234/tcp": None}, + ) containers = self.client.containers.list(all=True) self.assertTrue(container in containers) diff --git a/test/python/docker/test_images.py b/test/python/docker/compat/test_images.py index f2b6a5190..4a90069a9 100644 --- a/test/python/docker/test_images.py +++ b/test/python/docker/compat/test_images.py @@ -7,7 +7,8 @@ import unittest from docker import DockerClient, errors -from test.python.docker import Podman, common, constant +from test.python.docker import Podman +from test.python.docker.compat import common, constant class TestImages(unittest.TestCase): @@ -78,7 +79,9 @@ class TestImages(unittest.TestCase): self.assertEqual(len(self.client.images.list()), 2) # List images with filter - self.assertEqual(len(self.client.images.list(filters={"reference": "alpine"})), 1) + self.assertEqual( + len(self.client.images.list(filters={"reference": "alpine"})), 1 + ) def test_search_image(self): """Search for image""" @@ -91,7 +94,7 @@ class TestImages(unittest.TestCase): r = self.client.images.search("bogus/bogus") except: return - self.assertTrue(len(r)==0) + self.assertTrue(len(r) == 0) def test_remove_image(self): """Remove image""" @@ -146,6 +149,14 @@ class TestImages(unittest.TestCase): self.assertEqual(len(self.client.images.list()), 2) + def test_build_image(self): + labels = {"apple": "red", "grape": "green"} + _ = self.client.images.build(path="test/python/docker/build_labels", labels=labels, tag="labels") + image = self.client.images.get("labels") + self.assertEqual(image.labels["apple"], labels["apple"]) + self.assertEqual(image.labels["grape"], labels["grape"]) + + if __name__ == "__main__": # Setup temporary space diff --git a/test/python/docker/test_system.py b/test/python/docker/compat/test_system.py index 46b90e5f6..131b18991 100644 --- a/test/python/docker/test_system.py +++ b/test/python/docker/compat/test_system.py @@ -5,7 +5,8 @@ import unittest from docker import DockerClient -from test.python.docker import Podman, common, constant +from test.python.docker import Podman, constant +from test.python.docker.compat import common class TestSystem(unittest.TestCase): diff --git a/test/python/requirements.txt b/test/python/requirements.txt new file mode 100644 index 000000000..ee85bf1d1 --- /dev/null +++ b/test/python/requirements.txt @@ -0,0 +1,6 @@ +docker~=4.4.3 + +requests~=2.20.0 +setuptools~=50.3.2 +python-dateutil~=2.8.1 +PyYAML~=5.4.1 diff --git a/test/system/030-run.bats b/test/system/030-run.bats index 93449ece9..b2999a9e7 100644 --- a/test/system/030-run.bats +++ b/test/system/030-run.bats @@ -139,7 +139,7 @@ echo $rand | 0 | $rand is "$output" "" "--pull=never [present]: no output" # Now test with a remote image which we don't have present (the 00 tag) - NONLOCAL_IMAGE="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:00000000" + NONLOCAL_IMAGE="$PODMAN_NONLOCAL_IMAGE_FQN" run_podman 125 run --pull=never $NONLOCAL_IMAGE true is "$output" "Error: unable to find a name and tag match for $NONLOCAL_IMAGE in repotags: no such image" "--pull=never [with image not present]: error" @@ -175,7 +175,7 @@ echo $rand | 0 | $rand # 'run --rmi' deletes the image in the end unless it's used by another container @test "podman run --rmi" { # Name of a nonlocal image. It should be pulled in by the first 'run' - NONLOCAL_IMAGE="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:00000000" + NONLOCAL_IMAGE="$PODMAN_NONLOCAL_IMAGE_FQN" run_podman 1 image exists $NONLOCAL_IMAGE # Run a container, without --rm; this should block subsequent --rmi diff --git a/test/system/050-stop.bats b/test/system/050-stop.bats index 7d9f1fcb3..0652a97e4 100644 --- a/test/system/050-stop.bats +++ b/test/system/050-stop.bats @@ -66,7 +66,7 @@ load helpers name=thiscontainerdoesnotexist run_podman 125 stop $name is "$output" \ - "Error: no container with name or ID $name found: no such container" \ + "Error: no container with name or ID \"$name\" found: no such container" \ "podman stop nonexistent container" run_podman stop --ignore $name diff --git a/test/system/065-cp.bats b/test/system/065-cp.bats index 312106b36..73e807843 100644 --- a/test/system/065-cp.bats +++ b/test/system/065-cp.bats @@ -15,6 +15,7 @@ load helpers random-1-$(random_string 15) random-2-$(random_string 20) ) + echo "${randomcontent[0]}" > $srcdir/hostfile0 echo "${randomcontent[1]}" > $srcdir/hostfile1 echo "${randomcontent[2]}" > $srcdir/hostfile2 @@ -24,6 +25,10 @@ load helpers run_podman run -d --name cpcontainer --workdir=/srv $IMAGE sleep infinity run_podman exec cpcontainer mkdir /srv/subdir + # Commit the image for testing non-running containers + run_podman commit -q cpcontainer + cpimage="$output" + # format is: <id> | <destination arg to cp> | <full dest path> | <test name> # where: # id is 0-2, one of the random strings/files @@ -44,8 +49,7 @@ load helpers 0 | subdir | /srv/subdir/hostfile0 | copy to workdir/subdir " - # Copy one of the files into container, exec+cat, confirm the file - # is there and matches what we expect + # RUNNING container while read id dest dest_fullname description; do run_podman cp $srcdir/hostfile$id cpcontainer:$dest run_podman exec cpcontainer cat $dest_fullname @@ -67,6 +71,61 @@ load helpers is "$output" 'Error: "/IdoNotExist/" could not be found on container cpcontainer: No such file or directory' \ "copy into nonexistent path in container" + run_podman kill cpcontainer + run_podman rm -f cpcontainer + + # CREATED container + while read id dest dest_fullname description; do + run_podman create --name cpcontainer --workdir=/srv $cpimage sleep infinity + run_podman cp $srcdir/hostfile$id cpcontainer:$dest + run_podman start cpcontainer + run_podman exec cpcontainer cat $dest_fullname + is "$output" "${randomcontent[$id]}" "$description (cp -> ctr:$dest)" + run_podman kill cpcontainer + run_podman rm -f cpcontainer + done < <(parse_table "$tests") + + run_podman rmi -f $cpimage +} + + +@test "podman cp file from host to container tmpfs mount" { + srcdir=$PODMAN_TMPDIR/cp-test-file-host-to-ctr + mkdir -p $srcdir + content=tmpfile-content$(random_string 20) + echo $content > $srcdir/file + + # RUNNING container + run_podman run -d --mount type=tmpfs,dst=/tmp --name cpcontainer $IMAGE sleep infinity + run_podman cp $srcdir/file cpcontainer:/tmp + run_podman exec cpcontainer cat /tmp/file + is "$output" "${content}" "cp to running container's tmpfs" + run_podman kill cpcontainer + run_podman rm -f cpcontainer + + # CREATED container (with copy up) + run_podman create --mount type=tmpfs,dst=/tmp --name cpcontainer $IMAGE sleep infinity + run_podman cp $srcdir/file cpcontainer:/tmp + run_podman start cpcontainer + run_podman exec cpcontainer cat /tmp/file + is "$output" "${content}" "cp to created container's tmpfs" + run_podman kill cpcontainer + run_podman rm -f cpcontainer +} + + +@test "podman cp file from host to container and check ownership" { + srcdir=$PODMAN_TMPDIR/cp-test-file-host-to-ctr + mkdir -p $srcdir + content=cp-user-test-$(random_string 10) + echo "content" > $srcdir/hostfile + userid=$(id -u) + + run_podman run --user=$userid --userns=keep-id -d --name cpcontainer $IMAGE sleep infinity + run_podman cp $srcdir/hostfile cpcontainer:/tmp/hostfile + run_podman exec cpcontainer stat -c "%u" /tmp/hostfile + is "$output" "$userid" "copied file is chowned to the container user" + run_podman kill cpcontainer run_podman rm -f cpcontainer } @@ -87,6 +146,10 @@ load helpers run_podman exec cpcontainer sh -c "echo ${randomcontent[1]} > /srv/containerfile1" run_podman exec cpcontainer sh -c "mkdir /srv/subdir; echo ${randomcontent[2]} > /srv/subdir/containerfile2" + # Commit the image for testing non-running containers + run_podman commit -q cpcontainer + cpimage="$output" + # format is: <id> | <source arg to cp> | <destination arg (appended to $srcdir) to cp> | <full dest path (appended to $srcdir)> | <test name> tests=" 0 | /tmp/containerfile | | /containerfile | copy to srcdir/ @@ -98,109 +161,214 @@ load helpers 2 | subdir/containerfile2 | / | /containerfile2 | copy from workdir/subdir (rel path) to srcdir " - # Copy one of the files to the host, cat, confirm the file - # is there and matches what we expect + # RUNNING container while read id src dest dest_fullname description; do # dest may be "''" for empty table cells if [[ $dest == "''" ]];then unset dest fi run_podman cp cpcontainer:$src "$srcdir$dest" - run cat $srcdir$dest_fullname - is "$output" "${randomcontent[$id]}" "$description (cp ctr:$src to \$srcdir$dest)" - rm $srcdir/$dest_fullname + is "$(< $srcdir$dest_fullname)" "${randomcontent[$id]}" "$description (cp ctr:$src to \$srcdir$dest)" + rm $srcdir$dest_fullname done < <(parse_table "$tests") + run_podman kill cpcontainer + run_podman rm -f cpcontainer + # Created container + run_podman create --name cpcontainer --workdir=/srv $cpimage + while read id src dest dest_fullname description; do + # dest may be "''" for empty table cells + if [[ $dest == "''" ]];then + unset dest + fi + run_podman cp cpcontainer:$src "$srcdir$dest" + is "$(< $srcdir$dest_fullname)" "${randomcontent[$id]}" "$description (cp ctr:$src to \$srcdir$dest)" + rm $srcdir$dest_fullname + done < <(parse_table "$tests") run_podman rm -f cpcontainer + + run_podman rmi -f $cpimage } @test "podman cp dir from host to container" { - dirname=dir-test - srcdir=$PODMAN_TMPDIR/$dirname - mkdir -p $srcdir + srcdir=$PODMAN_TMPDIR + mkdir -p $srcdir/dir/sub local -a randomcontent=( random-0-$(random_string 10) random-1-$(random_string 15) ) - echo "${randomcontent[0]}" > $srcdir/hostfile0 - echo "${randomcontent[1]}" > $srcdir/hostfile1 + echo "${randomcontent[0]}" > $srcdir/dir/sub/hostfile0 + echo "${randomcontent[1]}" > $srcdir/dir/sub/hostfile1 # "." and "dir/." will copy the contents, so make sure that a dir ending # with dot is treated correctly. - mkdir -p $srcdir. - cp $srcdir/* $srcdir./ + mkdir -p $srcdir/dir. + cp -r $srcdir/dir/* $srcdir/dir. run_podman run -d --name cpcontainer --workdir=/srv $IMAGE sleep infinity run_podman exec cpcontainer mkdir /srv/subdir + # Commit the image for testing non-running containers + run_podman commit -q cpcontainer + cpimage="$output" + # format is: <source arg to cp (appended to srcdir)> | <destination arg to cp> | <full dest path> | <test name> tests=" - | / | /dir-test | copy to root - . | / | /dir-test. | copy dotdir to root - / | /tmp | /tmp/dir-test | copy to tmp - /. | /usr/ | /usr/ | copy contents of dir to usr/ - | . | /srv/dir-test | copy to workdir (rel path) - | subdir/. | /srv/subdir/dir-test | copy to workdir subdir (rel path) + dir | / | /dir/sub | copy dir to root + dir. | / | /dir./sub | copy dir. to root + dir/ | /tmp | /tmp/dir/sub | copy dir/ to tmp + dir/. | /usr/ | /usr/sub | copy dir/. usr/ + dir/sub | . | /srv/sub | copy dir/sub to workdir (rel path) + dir/sub/. | subdir/. | /srv/subdir | copy dir/sub/. to workdir subdir (rel path) + dir | /newdir1 | /newdir1/sub | copy dir to newdir1 + dir/ | /newdir2 | /newdir2/sub | copy dir/ to newdir2 + dir/. | /newdir3 | /newdir3/sub | copy dir/. to newdir3 " + # RUNNING container while read src dest dest_fullname description; do # src may be "''" for empty table cells if [[ $src == "''" ]];then unset src fi - run_podman cp $srcdir$src cpcontainer:$dest - run_podman exec cpcontainer ls $dest_fullname - run_podman exec cpcontainer cat $dest_fullname/hostfile0 - is "$output" "${randomcontent[0]}" "$description (cp -> ctr:$dest)" - run_podman exec cpcontainer cat $dest_fullname/hostfile1 - is "$output" "${randomcontent[1]}" "$description (cp -> ctr:$dest)" + run_podman cp $srcdir/$src cpcontainer:$dest + run_podman exec cpcontainer cat $dest_fullname/hostfile0 $dest_fullname/hostfile1 + is "${lines[0]}" "${randomcontent[0]}" "$description (cp -> ctr:$dest)" + is "${lines[1]}" "${randomcontent[1]}" "$description (cp -> ctr:$dest)" done < <(parse_table "$tests") - + run_podman kill cpcontainer run_podman rm -f cpcontainer + + # CREATED container + while read src dest dest_fullname description; do + # src may be "''" for empty table cells + if [[ $src == "''" ]];then + unset src + fi + run_podman create --name cpcontainer --workdir=/srv $cpimage sleep infinity + run_podman cp $srcdir/$src cpcontainer:$dest + run_podman start cpcontainer + run_podman exec cpcontainer cat $dest_fullname/hostfile0 $dest_fullname/hostfile1 + is "${lines[0]}" "${randomcontent[0]}" "$description (cp -> ctr:$dest)" + is "${lines[1]}" "${randomcontent[1]}" "$description (cp -> ctr:$dest)" + run_podman kill cpcontainer + run_podman rm -f cpcontainer + done < <(parse_table "$tests") + + run_podman rmi -f $cpimage } @test "podman cp dir from container to host" { - srcdir=$PODMAN_TMPDIR/dir-test - mkdir -p $srcdir + destdir=$PODMAN_TMPDIR/cp-test-dir-ctr-to-host + mkdir -p $destdir + # Create 2 files with random content in the container. + local -a randomcontent=( + random-0-$(random_string 10) + random-1-$(random_string 15) + ) run_podman run -d --name cpcontainer --workdir=/srv $IMAGE sleep infinity - run_podman exec cpcontainer sh -c 'mkdir /srv/subdir; echo "This first file is on the container" > /srv/subdir/containerfile1' - run_podman exec cpcontainer sh -c 'echo "This second file is on the container as well" > /srv/subdir/containerfile2' + run_podman exec cpcontainer sh -c "mkdir /srv/subdir; echo ${randomcontent[0]} > /srv/subdir/containerfile0" + run_podman exec cpcontainer sh -c "echo ${randomcontent[1]} > /srv/subdir/containerfile1" # "." and "dir/." will copy the contents, so make sure that a dir ending # with dot is treated correctly. run_podman exec cpcontainer sh -c 'mkdir /tmp/subdir.; cp /srv/subdir/* /tmp/subdir./' - run_podman cp cpcontainer:/srv $srcdir - run cat $srcdir/srv/subdir/containerfile1 - is "$output" "This first file is on the container" - run cat $srcdir/srv/subdir/containerfile2 - is "$output" "This second file is on the container as well" - rm -rf $srcdir/srv/subdir - - run_podman cp cpcontainer:/srv/. $srcdir - run ls $srcdir/subdir - run cat $srcdir/subdir/containerfile1 - is "$output" "This first file is on the container" - run cat $srcdir/subdir/containerfile2 - is "$output" "This second file is on the container as well" - rm -rf $srcdir/subdir - - run_podman cp cpcontainer:/srv/subdir/. $srcdir - run cat $srcdir/containerfile1 - is "$output" "This first file is on the container" - run cat $srcdir/containerfile2 - is "$output" "This second file is on the container as well" - rm -rf $srcdir/subdir - - run_podman cp cpcontainer:/tmp/subdir. $srcdir - run cat $srcdir/subdir./containerfile1 - is "$output" "This first file is on the container" - run cat $srcdir/subdir./containerfile2 - is "$output" "This second file is on the container as well" - rm -rf $srcdir/subdir. + # Commit the image for testing non-running containers + run_podman commit -q cpcontainer + cpimage="$output" + + # format is: <source arg to cp (appended to /srv)> | <dest> | <full dest path> | <test name> + tests=" +/srv | | /srv/subdir | copy /srv +/srv | /newdir | /newdir/subdir | copy /srv to /newdir +/srv/ | | /srv/subdir | copy /srv/ +/srv/. | | /subdir | copy /srv/. +/srv/. | /newdir | /newdir/subdir | copy /srv/. to /newdir +/srv/subdir/. | | | copy /srv/subdir/. +/tmp/subdir. | | /subdir. | copy /tmp/subdir. +" + + # RUNNING container + while read src dest dest_fullname description; do + if [[ $src == "''" ]];then + unset src + fi + if [[ $dest == "''" ]];then + unset dest + fi + if [[ $dest_fullname == "''" ]];then + unset dest_fullname + fi + run_podman cp cpcontainer:$src $destdir$dest + is "$(< $destdir$dest_fullname/containerfile0)" "${randomcontent[0]}" "$description" + is "$(< $destdir$dest_fullname/containerfile1)" "${randomcontent[1]}" "$description" + rm -rf $destdir/* + done < <(parse_table "$tests") + run_podman kill cpcontainer + run_podman rm -f cpcontainer + + # CREATED container + run_podman create --name cpcontainer --workdir=/srv $cpimage + while read src dest dest_fullname description; do + if [[ $src == "''" ]];then + unset src + fi + if [[ $dest == "''" ]];then + unset dest + fi + if [[ $dest_fullname == "''" ]];then + unset dest_fullname + fi + run_podman cp cpcontainer:$src $destdir$dest + is "$(< $destdir$dest_fullname/containerfile0)" "${randomcontent[0]}" "$description" + is "$(< $destdir$dest_fullname/containerfile1)" "${randomcontent[1]}" "$description" + rm -rf $destdir/* + done < <(parse_table "$tests") + run_podman rm -f cpcontainer + + run_podman rmi -f $cpimage +} + + +@test "podman cp symlinked directory from container" { + destdir=$PODMAN_TMPDIR/cp-weird-symlink + mkdir -p $destdir + + # Create 3 files with random content in the container. + local -a randomcontent=( + random-0-$(random_string 10) + random-1-$(random_string 15) + ) + run_podman run -d --name cpcontainer $IMAGE sleep infinity + run_podman exec cpcontainer sh -c "echo ${randomcontent[0]} > /tmp/containerfile0" + run_podman exec cpcontainer sh -c "echo ${randomcontent[1]} > /tmp/containerfile1" + run_podman exec cpcontainer sh -c "mkdir /tmp/sub && cd /tmp/sub && ln -s .. weirdlink" + + # Commit the image for testing non-running containers + run_podman commit -q cpcontainer + cpimage="$output" + + # RUNNING container + # NOTE: /dest does not exist yet but is expected to be created during copy + run_podman cp cpcontainer:/tmp/sub/weirdlink $destdir/dest + run cat $destdir/dest/containerfile0 $destdir/dest/containerfile1 + is "${lines[0]}" "${randomcontent[0]}" "eval symlink - running container" + is "${lines[1]}" "${randomcontent[1]}" "eval symlink - running container" + + run_podman kill cpcontainer + run_podman rm -f cpcontainer + run rm -rf $srcdir/dest + + # CREATED container + run_podman create --name cpcontainer $cpimage + run_podman cp cpcontainer:/tmp/sub/weirdlink $destdir/dest + run cat $destdir/dest/containerfile0 $destdir/dest/containerfile1 + is "${lines[0]}" "${randomcontent[0]}" "eval symlink - created container" + is "${lines[1]}" "${randomcontent[1]}" "eval symlink - created container" run_podman rm -f cpcontainer } @@ -228,9 +396,7 @@ load helpers run_podman create --name cpcontainer -v $volume1:/tmp/volume -v $volume2:/tmp/volume/sub-volume $IMAGE run_podman cp $srcdir/hostfile cpcontainer:/tmp/volume/sub-volume - - run cat $volume2_mount/hostfile - is "$output" "This file should be in volume2" + is "$(< $volume2_mount/hostfile)" "This file should be in volume2" # Volume 1 must be empty. run ls $volume1_mount @@ -254,9 +420,7 @@ load helpers run_podman create --name cpcontainer -v $volume:/tmp/volume -v $mountdir:/tmp/volume/mount $IMAGE run_podman cp $srcdir/hostfile cpcontainer:/tmp/volume/mount - - run cat $mountdir/hostfile - is "$output" "This file should be in the mount" + is "$(< $mountdir/hostfile)" "This file should be in the mount" run_podman rm -f cpcontainer run_podman volume rm $volume @@ -284,7 +448,7 @@ load helpers # cp no longer supports wildcarding run_podman 125 cp 'cpcontainer:/tmp/*' $dstdir - run_podman rm cpcontainer + run_podman rm -f cpcontainer } @@ -308,7 +472,7 @@ load helpers # make sure there are no files in dstdir is "$(/bin/ls -1 $dstdir)" "" "incorrectly copied symlink from host" - run_podman rm cpcontainer + run_podman rm -f cpcontainer } @@ -332,7 +496,7 @@ load helpers # make sure there are no files in dstdir is "$(/bin/ls -1 $dstdir)" "" "incorrectly copied symlink from host" - run_podman rm cpcontainer + run_podman rm -f cpcontainer } @@ -352,7 +516,7 @@ load helpers # dstdir must be empty is "$(/bin/ls -1 $dstdir)" "" "incorrectly copied symlink from host" - run_podman rm cpcontainer + run_podman rm -f cpcontainer } @@ -409,6 +573,7 @@ load helpers run_podman exec cpcontainer cat /tmp/d3/x is "$output" "$rand_content3" "cp creates file named x" + run_podman kill cpcontainer run_podman rm -f cpcontainer } @@ -446,6 +611,7 @@ load helpers run_podman exec cpcontainer cat $graphroot/$rand_filename is "$output" "$rand_content" "Contents of file copied into container" + run_podman kill cpcontainer run_podman rm -f cpcontainer } @@ -494,6 +660,7 @@ load helpers run_podman 125 cp - cpcontainer:/tmp/IdoNotExist < $tar_file is "$output" 'Error: destination must be a directory when copying from stdin' + run_podman kill cpcontainer run_podman rm -f cpcontainer } @@ -527,8 +694,7 @@ load helpers fi tar xvf $srcdir/stdout.tar -C $srcdir - run cat $srcdir/file.txt - is "$output" "$rand_content" + is "$(< $srcdir/file.txt)" "$rand_content" run 1 ls $srcdir/empty.txt rm -f $srcdir/* @@ -539,11 +705,10 @@ load helpers fi tar xvf $srcdir/stdout.tar -C $srcdir - run cat $srcdir/tmp/file.txt - is "$output" "$rand_content" - run cat $srcdir/tmp/empty.txt - is "$output" "" + is "$(< $srcdir/tmp/file.txt)" "$rand_content" + is "$(< $srcdir/tmp/empty.txt)" "" + run_podman kill cpcontainer run_podman rm -f cpcontainer } diff --git a/test/system/070-build.bats b/test/system/070-build.bats index 89f3f5c64..d413b0c10 100644 --- a/test/system/070-build.bats +++ b/test/system/070-build.bats @@ -168,6 +168,9 @@ EOF CAT_SECRET="cat /run/secrets/$secret_filename" fi + # For --dns-search: a domain that is unlikely to exist + local nosuchdomain=nx$(random_string 10).net + # Command to run on container startup with no args cat >$tmpdir/mycmd <<EOF #!/bin/sh @@ -188,11 +191,17 @@ EOF https_proxy=https-proxy-in-env-file EOF + # Build args: one explicit (foo=bar), one implicit (foo) + local arg_implicit_value=implicit_$(random_string 15) + local arg_explicit_value=explicit_$(random_string 15) + # NOTE: it's important to not create the workdir. # Podman will make sure to create a missing workdir # if needed. See #9040. cat >$tmpdir/Containerfile <<EOF FROM $IMAGE +ARG arg_explicit +ARG arg_implicit LABEL $label_name=$label_value WORKDIR $workdir @@ -217,18 +226,47 @@ RUN chown 2:3 /bin/mydefaultcmd RUN $CAT_SECRET +RUN echo explicit-build-arg=\$arg_explicit +RUN echo implicit-build-arg=\$arg_implicit + CMD ["/bin/mydefaultcmd","$s_echo"] +RUN cat /etc/resolv.conf EOF + # The goal is to test that a missing value will be inherited from + # environment - but that can't work with remote, so for simplicity + # just make it explicit in that case too. + local build_arg_implicit="--build-arg arg_implicit" + if is_remote; then + build_arg_implicit+="=$arg_implicit_value" + fi + # cd to the dir, so we test relative paths (important for podman-remote) cd $PODMAN_TMPDIR + export arg_explicit="THIS SHOULD BE OVERRIDDEN BY COMMAND LINE!" + export arg_implicit=${arg_implicit_value} run_podman ${MOUNTS_CONF} build \ + --build-arg arg_explicit=${arg_explicit_value} \ + $build_arg_implicit \ + --dns-search $nosuchdomain \ -t build_test -f build-test/Containerfile build-test local iid="${lines[-1]}" + if [[ $output =~ missing.*build.argument ]]; then + die "podman did not see the given --build-arg(s)" + fi + # Make sure 'podman build' had the secret mounted is "$output" ".*$secret_contents.*" "podman build has /run/secrets mounted" + # --build-arg should be set, both via 'foo=bar' and via just 'foo' ($foo) + is "$output" ".*explicit-build-arg=${arg_explicit_value}" \ + "--build-arg arg_explicit=explicit-value works" + is "$output" ".*implicit-build-arg=${arg_implicit_value}" \ + "--build-arg arg_implicit works (inheriting from environment)" + is "$output" ".*search $nosuchdomain" \ + "--dns-search added to /etc/resolv.conf" + if is_remote; then ENVHOST="" else @@ -305,8 +343,10 @@ Cmd[0] | /bin/mydefaultcmd Cmd[1] | $s_echo WorkingDir | $workdir Labels.$label_name | $label_value -Labels.\"io.buildah.version\" | $buildah_version " + # FIXME: 2021-02-24: Fixed in buildah #3036; reenable this once podman + # vendors in a newer buildah! + # Labels.\"io.buildah.version\" | $buildah_version parse_table "$tests" | while read field expect; do actual=$(jq -r ".[0].Config.$field" <<<"$output") @@ -360,6 +400,82 @@ Labels.\"io.buildah.version\" | $buildah_version run_podman rmi -f build_test } +@test "podman build - COPY with ignore" { + local tmpdir=$PODMAN_TMPDIR/build-test-$(random_string 10) + mkdir -p $tmpdir/subdir + + # Create a bunch of files. Declare this as an array to avoid duplication + # because we iterate over that list below, checking for each file. + # A leading "-" indicates that the file SHOULD NOT exist in the built image + local -a files=( + -test1 -test1.txt + test2 test2.txt + subdir/sub1 subdir/sub1.txt + -subdir/sub2 -subdir/sub2.txt + this-file-does-not-match-anything-in-ignore-file + comment + ) + for f in ${files[@]}; do + # The magic '##-' strips off the '-' prefix + echo "$f" > $tmpdir/${f##-} + done + + # Directory that doesn't exist in the image; COPY should create it + local newdir=/newdir-$(random_string 12) + cat >$tmpdir/Containerfile <<EOF +FROM $IMAGE +COPY ./ $newdir/ +EOF + + # Run twice: first with a custom --ignorefile, then with a default one. + # This ordering is deliberate: if we were to run with .dockerignore + # first, and forget to rm it, and then run with --ignorefile, _and_ + # there was a bug in podman where --ignorefile was a NOP (eg #9570), + # the test might pass because of the existence of .dockerfile. + for ignorefile in ignoreme-$(random_string 5) .dockerignore; do + # Patterns to ignore. Mostly copied from buildah/tests/bud/dockerignore + cat >$tmpdir/$ignorefile <<EOF +# comment +test* +!test2* +subdir +!*/sub1* +EOF + + # Build an image. For .dockerignore + local -a ignoreflag + unset ignoreflag + if [[ $ignorefile != ".dockerignore" ]]; then + ignoreflag="--ignorefile $tmpdir/$ignorefile" + fi + run_podman build -t build_test ${ignoreflag} $tmpdir + + # Delete the ignore file! Otherwise, in the next iteration of the loop, + # we could end up with an existing .dockerignore that invisibly + # takes precedence over --ignorefile + rm -f $tmpdir/$ignorefile + + # It would be much more readable, and probably safer, to iterate + # over each file, running 'podman run ... ls -l $f'. But each podman run + # takes a second or so, and we are mindful of each second. + run_podman run --rm build_test find $newdir -type f + for f in ${files[@]}; do + if [[ $f =~ ^- ]]; then + f=${f##-} + if [[ $output =~ $f ]]; then + die "File '$f' found in image; it should have been ignored via $ignorefile" + fi + else + is "$output" ".*$newdir/$f" \ + "File '$f' should exist in container (no match in $ignorefile)" + fi + done + + # Clean up + run_podman rmi -f build_test + done +} + @test "podman build - stdin test" { # Random workdir, and random string to verify build output workdir=/$(random_string 10) diff --git a/test/system/120-load.bats b/test/system/120-load.bats index 902cd9f5e..936449bdb 100644 --- a/test/system/120-load.bats +++ b/test/system/120-load.bats @@ -26,6 +26,13 @@ verify_iid_and_name() { is "$new_img_name" "$1" "Name & tag of restored image" } +@test "podman load invalid file" { + # Regression test for #9672 to make sure invalid input yields errors. + invalid=$PODMAN_TMPDIR/invalid + echo "I am an invalid file and should cause a podman-load error" > $invalid + run_podman 125 load -i $invalid +} + @test "podman save to pipe and load" { # Generate a random name and tag (must be lower-case) local random_name=x0$(random_string 12 | tr A-Z a-z) diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats index 7482d3e55..49743ff33 100644 --- a/test/system/410-selinux.bats +++ b/test/system/410-selinux.bats @@ -39,17 +39,17 @@ function check_label() { } @test "podman selinux: container with label=disable" { - skip_if_rootless - check_label "--security-opt label=disable" "spc_t" } @test "podman selinux: privileged container" { - skip_if_rootless - check_label "--privileged --userns=host" "spc_t" } +@test "podman selinux: init container" { + check_label "--systemd=always" "container_init_t" +} + @test "podman selinux: pid=host" { # FIXME FIXME FIXME: Remove these lines once all VMs have >= 2.146.0 # (this is ugly, but better than an unconditional skip) @@ -74,6 +74,19 @@ function check_label() { check_label "--security-opt label=level:s0:c1,c2" "container_t" "s0:c1,c2" } +@test "podman selinux: inspect kvm labels" { + skip_if_no_selinux + skip_if_remote "runtime flag is not passed over remote" + + tmpdir=$PODMAN_TMPDIR/kata-test + mkdir -p $tmpdir + KATA=${tmpdir}/kata-runtime + ln -s /bin/true ${KATA} + run_podman create --runtime=${KATA} --name myc $IMAGE + run_podman inspect --format='{{ .ProcessLabel }}' myc + is "$output" ".*container_kvm_t" +} + # pr #6752 @test "podman selinux: inspect multiple labels" { skip_if_no_selinux diff --git a/test/system/build-testimage b/test/system/build-testimage index 53ade57f0..aac08e307 100755 --- a/test/system/build-testimage +++ b/test/system/build-testimage @@ -12,6 +12,9 @@ # still need a fedora image for that. # +# Buildah binary +BUILDAH=${BUILDAH:-buildah} + # Tag for this new image YMD=$(date +%Y%m%d) @@ -58,7 +61,8 @@ chmod 755 pause # - check for updates @ https://hub.docker.com/_/alpine # busybox-extras provides httpd needed in 500-networking.bats cat >Containerfile <<EOF -FROM docker.io/library/alpine:3.12.0 +ARG ARCH=please-override-arch +FROM docker.io/\${ARCH}/alpine:3.12.0 RUN apk add busybox-extras ADD testimage-id pause /home/podman/ LABEL created_by=$create_script @@ -69,26 +73,44 @@ EOF # --squash-all : needed by 'tree' test in 070-build.bats podman rmi -f testimage &> /dev/null || true -podman build --squash-all -t testimage . + +# We need to use buildah because (as of 2021-02-23) only buildah has --manifest +# and because Dan says arch emulation is not currently working on podman +# (no further details). +# Arch emulation on Fedora requires the qemu-user-static package. +for arch in amd64 ppc64le s390x;do + ${BUILDAH} bud \ + --arch=$arch \ + --build-arg ARCH=$arch \ + --manifest=testimage \ + --squash \ + . +done # Clean up cd /tmp rm -rf $tmpdir -# Tag and push to quay. -podman tag testimage quay.io/libpod/testimage:$YMD -podman push quay.io/libpod/testimage:$YMD +# Tag image and push (all arches) to quay. +remote_tag=quay.io/libpod/testimage:$YMD +podman tag testimage ${remote_tag} +${BUILDAH} manifest push --all ${remote_tag} docker://${remote_tag} -# Side note: there should always be a testimage tagged ':00000000' -# (eight zeroes) in the same location; this is used by tests which -# need to pull a non-locally-cached image. This image will rarely -# if ever need to change, nor in fact does it even have to be a -# copy of this testimage since all we use it for is 'true'. +# Side note: there should always be a testimage tagged ':0000000<X>' +# (eight digits, zero-padded sequence ID) in the same location; this is +# used by tests which need to pull a non-locally-cached image. This +# image will rarely if ever need to change, nor in fact does it even +# have to be a copy of this testimage since all we use it for is 'true'. +# However, it does need to be multiarch :-( # -# As of 2020-09-02 it is simply busybox, because it is super small: +# As of 2021-02-24 it is simply busybox, because it is super small, +# but it's complicated because of multiarch: # -# podman pull docker.io/library/busybox:1.32.0 -# podman tag docker.io/library/busybox:1.32.0 \ -# quay.io/libpod/testimage:00000000 -# podman push quay.io/libpod/testimage:00000000 +# img=quay.io/libpod/testimage:00000001 +# buildah manifest create $img +# for arch in amd64 ppc64le s390x;do +# buildah pull --arch $arch docker.io/$arch/busybox:1.32.0 +# buildah manifest add $img docker.io/$arch/busybox:1.32.0 +# done +# buildah manifest push --all $img docker://$img # diff --git a/test/system/helpers.bash b/test/system/helpers.bash index 0572c6866..38e317709 100644 --- a/test/system/helpers.bash +++ b/test/system/helpers.bash @@ -7,9 +7,14 @@ PODMAN=${PODMAN:-podman} PODMAN_TEST_IMAGE_REGISTRY=${PODMAN_TEST_IMAGE_REGISTRY:-"quay.io"} PODMAN_TEST_IMAGE_USER=${PODMAN_TEST_IMAGE_USER:-"libpod"} PODMAN_TEST_IMAGE_NAME=${PODMAN_TEST_IMAGE_NAME:-"testimage"} -PODMAN_TEST_IMAGE_TAG=${PODMAN_TEST_IMAGE_TAG:-"20200929"} +PODMAN_TEST_IMAGE_TAG=${PODMAN_TEST_IMAGE_TAG:-"20210223"} PODMAN_TEST_IMAGE_FQN="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:$PODMAN_TEST_IMAGE_TAG" +# Remote image that we *DO NOT* fetch or keep by default; used for testing pull +# This changed from 0 to 1 on 2021-02-24 due to multiarch considerations; it +# should change only very rarely. +PODMAN_NONLOCAL_IMAGE_FQN="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:00000001" + # Because who wants to spell that out each time? IMAGE=$PODMAN_TEST_IMAGE_FQN @@ -149,7 +154,7 @@ function run_podman() { echo "$_LOG_PROMPT $PODMAN $*" # BATS hangs if a subprocess remains and keeps FD 3 open; this happens # if podman crashes unexpectedly without cleaning up subprocesses. - run timeout --foreground -v --kill=10 $PODMAN_TIMEOUT $PODMAN "$@" 3>/dev/null + run timeout --foreground -v --kill=10 $PODMAN_TIMEOUT $PODMAN $_PODMAN_TEST_OPTS "$@" 3>/dev/null # without "quotes", multiple lines are glommed together into one if [ -n "$output" ]; then echo "$output" diff --git a/test/upgrade/README.md b/test/upgrade/README.md new file mode 100644 index 000000000..2979a66d7 --- /dev/null +++ b/test/upgrade/README.md @@ -0,0 +1,87 @@ +Background +========== + +For years we've been needing a way to test podman upgrades; this +became much more critical on December 7, 2020, when Matt disclosed +a bug he had found over the weekend +([#8613](https://github.com/containers/podman/issues/8613)) +in which reuse of a previously-defined field name would +result in fatal JSON decode failures if current-podman were +to try reading containers created with podman <= 1.8 (FIXME: confirm) + +Upgrade testing is a daunting problem; but in the December 12 +Cabal meeting Dan suggested using podman-in-podman. This PR +is the result of fleshing out that idea. + +Overview +======== + +The BATS script in this directory fetches and runs an old-podman +container image from quay.io/podman, uses it to create and run +a number of containers, then uses new-podman to interact with +those containers. + +As of 2021-02-23 the available old-podman versions are: + +```console +$ ./bin/podman search --list-tags quay.io/podman/stable | awk '$2 ~ /^v/ { print $2}' | sort | column -c 75 +v1.4.2 v1.5.0 v1.6 v1.9.0 v2.0.2 v2.1.1 +v1.4.4 v1.5.1 v1.6.2 v1.9.1 v2.0.6 v2.2.1 +``` + +Test invocation is: +```console +$ sudo env PODMAN=bin/podman PODMAN_UPGRADE_FROM=v1.9.0 PODMAN_UPGRADE_TEST_DEBUG= bats test/upgrade +``` +(Path assumes you're cd'ed to top-level podman repo). `PODMAN_UPGRADE_FROM` +can be any of the versions above. `PODMAN_UPGRADE_TEST_DEBUG` is empty +here, but listed so you can set it `=1` and leave the podman_parent +container running. Interacting with this container is left as an +exercise for the reader. + +The script will pull the given podman image, invoke it with a scratch +root directory, and have it do a small set of podman stuff (pull an +image, create/run some containers). This podman process stays running +because if it exits, it kills containers running inside the container. + +We then invoke the current (host-installed) podman, using the same +scratch root directory, and perform operations on those images and +containers. Most of those operations are done in individual @tests. + +The goal is to have this upgrade test run in CI, iterating over a +loop of known old versions. This list would need to be hand-maintained +and updated on new releases. There might also need to be extra +configuration defined, such as per-version commands (see below). + +Findings +======== + +Well, first, `v1.6.2` won't work on default f32/f33: the image +does not include `crun`, so it can't work at all: + + ERRO[0000] oci runtime "runc" does not support CGroups V2: use system migrate to mitigate + +I realize that it's kind of stupid not to test 1.6, since that's +precisely the test that would've caught #8613 early, but I just +don't think it's worth the hassle of setting up cgroupsv1 VMs. + +For posterity, in an earlier incantation of this script I tried +booting f32 into cgroupsv1 and ran into the following warnings +when running new-podman on old-containers: +``` +ERRO[0000] error joining network namespace for container 322b66d94640e31b2e6921565445cf0dade4ec13cabc16ee5f29292bdc038341: error retrieving network namespace at /var/run/netns/cni-577e2289-2c05-2e28-3c3d-002a5596e7da: failed to Statfs "/var/run/netns/cni-577e2289 +``` + +Where To Go From Here +===================== + +* Tests are still (2021-02-23) incomplete, with several failing outright. + See FIXMEs in the code. + +* Figuring out how/if to run rootless. I think this is possible, perhaps + even necessary, but will be tricky to get right because of home-directory + mounting. + +* Figuring out how/if to run variations with different config files + (e.g. running OLD-PODMAN that creates a user libpod.conf, tweaking + that in the test, then running NEW-PODMAN upgrate tests) diff --git a/test/upgrade/helpers.bash b/test/upgrade/helpers.bash new file mode 100644 index 000000000..41d9279e6 --- /dev/null +++ b/test/upgrade/helpers.bash @@ -0,0 +1,11 @@ +# -*- bash -*- + +load "../system/helpers" + +setup() { + : +} + +teardown() { + : +} diff --git a/test/upgrade/test-upgrade.bats b/test/upgrade/test-upgrade.bats new file mode 100644 index 000000000..dd827b398 --- /dev/null +++ b/test/upgrade/test-upgrade.bats @@ -0,0 +1,313 @@ +# -*- bats -*- + +load helpers + +# Create a var-lib-containers dir for this podman. We need to bind-mount +# this into the container, and use --root and --runroot and --tmpdir +# options both in the container podman and out here: that's the only +# way to share image and container storage. +if [ -z "${PODMAN_UPGRADE_WORKDIR}" ]; then + # Much as I'd love a descriptive name like "podman-upgrade-tests.XXXXX", + # keep it short ("pu") because of the 100-character path length limit + # for UNIX sockets (needed by conmon) + export PODMAN_UPGRADE_WORKDIR=$(mktemp -d --tmpdir=${BATS_TMPDIR:-${TMPDIR:-/tmp}} pu.XXXXXX) + + touch $PODMAN_UPGRADE_WORKDIR/status +fi + +# Generate a set of random strings used for content verification +if [ -z "${RANDOM_STRING_1}" ]; then + export RANDOM_STRING_1=$(random_string 15) + export LABEL_CREATED=$(random_string 16) + export LABEL_FAILED=$(random_string 17) + export LABEL_RUNNING=$(random_string 18) + + # FIXME: randomize this + HOST_PORT=34567 +fi + +# Version string of the podman we're actually testing, e.g. '3.0.0-dev-d1a26013' +PODMAN_VERSION=$($PODMAN version |awk '/^Version:/ { V=$2 } /^Git Commit:/ { G=$3 } END { print V "-" substr(G,0,8) }') + +setup() { + skip_if_rootless + + # The podman-in-podman image (old podman) + if [[ -z "$PODMAN_UPGRADE_FROM" ]]; then + echo "# \$PODMAN_UPGRADE_FROM is undefined (should be e.g. v1.9.0)" >&3 + false + fi + + if [ "$(< $PODMAN_UPGRADE_WORKDIR/status)" = "failed" ]; then + # FIXME: exit instead? + echo "*** setup failed - no point in running tests" + false + fi + + export _PODMAN_TEST_OPTS="--root=$PODMAN_UPGRADE_WORKDIR/root --runroot=$PODMAN_UPGRADE_WORKDIR/runroot --tmpdir=$PODMAN_UPGRADE_WORKDIR/tmp" +} + +############################################################################### +# BEGIN setup + +@test "initial setup: start $PODMAN_UPGRADE_FROM containers" { + echo failed >| $PODMAN_UPGRADE_WORKDIR/status + + OLD_PODMAN=quay.io/podman/stable:$PODMAN_UPGRADE_FROM + $PODMAN pull $OLD_PODMAN + + # Shortcut name, because we're referencing it a lot + pmroot=$PODMAN_UPGRADE_WORKDIR + + # WWW content to share + mkdir -p $pmroot/var/www + echo $RANDOM_STRING_1 >$pmroot/var/www/index.txt + + # podman tmpdir + mkdir -p $pmroot/tmp + + # + # Script to run >>OLD<< podman commands. + # + # These commands will be run inside a podman container. The "podman" + # command in this script will be the desired old-podman version. + # + pmscript=$pmroot/setup + cat >| $pmscript <<EOF +#!/bin/bash + +# cgroup-manager=systemd does not work inside a container +opts="--cgroup-manager=cgroupfs --events-backend=file $_PODMAN_TEST_OPTS" + +set -ex + +# Try try again, because network flakiness makes this a point of failure +podman \$opts pull $IMAGE \ + || (sleep 10; podman \$opts pull $IMAGE) \ + || (sleep 30; podman \$opts pull $IMAGE) + + +podman \$opts create --name mycreatedcontainer --label mylabel=$LABEL_CREATED \ + $IMAGE false + +podman \$opts run --name mydonecontainer $IMAGE echo ++$RANDOM_STRING_1++ + +podman \$opts run --name myfailedcontainer --label mylabel=$LABEL_FAILED \ + $IMAGE sh -c 'exit 17' || true + +# FIXME: add "-p $HOST_PORT:80" +# ...I tried and tried, and could not get this to work. I could never +# connect to the port from the host, nor even from the podman_parent +# container; I could never see the port listed in 'ps' nor 'inspect'. +# And, finally, I ended up in a state where the container wouldn't +# even start, and via complicated 'podman logs' found out: +# httpd: bind: Address in use +# So I just give up for now. +# +podman \$opts run -d --name myrunningcontainer --label mylabel=$LABEL_RUNNING \ + -v $pmroot/var/www:/var/www \ + -w /var/www \ + $IMAGE /bin/busybox-extras httpd -f -p 80 + +echo READY +while :;do + if [ -e /stop ]; then + echo STOPPING + podman \$opts stop -t 0 myrunningcontainer || true + podman \$opts rm -f myrunningcontainer || true + exit 0 + fi + sleep 0.5 +done +EOF + chmod 555 $pmscript + + # Clean up vestiges of previous run + $PODMAN rm -f podman_parent || true + + # Not entirely a NOP! This is just so we get /run/crun created on a CI VM + $PODMAN run --rm $OLD_PODMAN true + + # + # Use new-podman to run the above script under old-podman. + # + # DO NOT USE run_podman HERE! That would use $_PODMAN_TEST_OPTS + # and would write into our shared test dir, which would then + # pollute it for use by old-podman. We must keep that pristine + # so old-podman is the first to write to it. + # + $PODMAN run -d --name podman_parent --pid=host \ + --privileged \ + --net=host \ + --cgroupns=host \ + -v /dev/fuse:/dev/fuse \ + -v /run/crun:/run/crun \ + -v $pmroot:$pmroot \ + $OLD_PODMAN $pmroot/setup + + _PODMAN_TEST_OPTS= wait_for_ready podman_parent + + echo OK >| $PODMAN_UPGRADE_WORKDIR/status +} + +# END setup +############################################################################### +# BEGIN actual tests + +# This is a NOP; used only so the version string will show up in logs +@test "upgrade: $PODMAN_UPGRADE_FROM -> $PODMAN_VERSION" { + : +} + +@test "images" { + run_podman images -a --format '{{.Names}}' + is "$output" "\[$IMAGE\]" "podman images" +} + +@test "ps : one container running" { + run_podman ps --format '{{.Image}}--{{.Names}}' + is "$output" "$IMAGE--myrunningcontainer" "ps: one container running" +} + +@test "ps -a : shows all containers" { + # IMPORTANT: we can't use --sort=created, because that requires #8427 + # on the *creating* podman end. + run_podman ps -a \ + --format '{{.Names}}--{{.Status}}--{{.Ports}}--{{.Labels.mylabel}}' \ + --sort=names + is "${lines[0]}" "mycreatedcontainer--Created----$LABEL_CREATED" "created" + is "${lines[1]}" "mydonecontainer--Exited (0).*----<no value>" "done" + is "${lines[2]}" "myfailedcontainer--Exited (17) .*----$LABEL_FAILED" "fail" + is "${lines[3]}" "myrunningcontainer--Up .*----$LABEL_RUNNING" "running" + + # For debugging: dump containers and IDs + if [[ -n "$PODMAN_UPGRADE_TEST_DEBUG" ]]; then + run_podman ps -a + for l in "${lines[@]}"; do + echo "# $l" >&3 + done + fi +} + + +@test "inspect - all container status" { + tests=" +running | running | 0 +created | configured | 0 +done | exited | 0 +failed | exited | 17 +" + while read cname state exitstatus; do + run_podman inspect --format '{{.State.Status}}--{{.State.ExitCode}}' my${cname}container + is "$output" "$state--$exitstatus" "status of my${cname}container" + done < <(parse_table "$tests") +} + +@test "logs" { + run_podman logs mydonecontainer + is "$output" "++$RANDOM_STRING_1++" "podman logs on stopped container" + +# run_podman logs myrunningcontainer +# is "$output" "READY" "podman logs on running container" +} + +@test "exec" { + run_podman exec myrunningcontainer cat /var/www/index.txt + is "$output" "$RANDOM_STRING_1" "exec into myrunningcontainer" +} + +@test "load" { + # FIXME, is this really necessary? + skip "TBI. Not sure if there's any point to this." +} + +@test "mount" { + skip "TBI" +} + +@test "pods" { + skip "TBI" +} + +# FIXME: commit? kill? network? pause? restart? top? volumes? What else? + + +@test "start" { + skip "FIXME: this leaves a mount behind: root/overlay/sha/merged" + run_podman --cgroup-manager=cgroupfs start -a mydonecontainer + is "$output" "++$RANDOM_STRING_1++" "start on already-run container" +} + +@test "rm a stopped container" { + # FIXME FIXME FIXME! + # + # I have no idea what's going on here. For most of my testing in this + # section, the code here was simply 'podman rm myfailedcontainer', and + # it would succeed, but then way down, in 'cleanup' below, the 'rm -f' + # step would fail: + # + # # podman rm -f podman_parent + # error freeing lock for container <sha>: no such file or directory + # ...where <sha> is the ID of the podman_parent container. + # + # I started playing with this section, by adding 'rm mydonecontainer', + # and now it always fails, the same way, but with the container we're + # removing right here: + # + # error freeing lock for container <sha>: no such file or directory + # ...where <sha> is the ID of mydonecontainer. + # + # I don't know. I give up for now, and am skip'ing the whole thing. + # If you want to play with it, try commenting out the 'myfailed' lines, + # or just the 'mydone' ones, or, I don't know. + skip "FIXME: error freeing lock for container <sha>: no such file or dir" + + # For debugging, so we can see what 'error freeing lock' refers to + run_podman ps -a + + run_podman rm myfailedcontainer + is "$output" "[0-9a-f]\\{64\\}" "podman rm myfailedcontainer" + + run_podman rm mydonecontainer + is "$output" "[0-9a-f]\\{64\\}" "podman rm mydonecontainer" +} + + +@test "stop and rm" { + # About a ten-second pause, then: + # Error: timed out waiting for file /tmp/pu.nf747w/tmp/exits/<sha>: internal libpod error + # It doesn't seem to be a socket-length issue: the paths are ~80-88 chars. + # Leaving podman_parent running, and exec'ing into it, it doesn't look + # like the file is being written to the wrong place. + skip "FIXME: this doesn't work: timed out waiting for file tmpdir/exits/sha" + run_podman stop myrunningcontainer + run_podman rm myrunningcontainer +} + +@test "clean up parent" { + if [[ -n "$PODMAN_UPGRADE_TEST_DEBUG" ]]; then + skip "workdir is $PODMAN_UPGRADE_WORKDIR" + fi + + # We're done with shared environment. By clearing this, we can now + # use run_podman for actions on the podman_parent container + unset _PODMAN_TEST_OPTS + + # (Useful for debugging the 'rm -f' step below, which, when it fails, only + # gives a container ID. This 'ps' confirms that the CID is podman_parent) + run_podman ps -a + + # Stop the container gracefully + run_podman exec podman_parent touch /stop + run_podman wait podman_parent + + run_podman logs podman_parent + run_podman rm -f podman_parent + + # FIXME: why does this remain mounted? + umount $PODMAN_UPGRADE_WORKDIR/root/overlay || true + + rm -rf $PODMAN_UPGRADE_WORKDIR +} + +# FIXME: now clean up |