summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
Diffstat (limited to 'test')
-rw-r--r--test/apiv2/12-imagesMore.at44
-rw-r--r--test/apiv2/20-containers.at2
-rw-r--r--test/e2e/network_test.go39
-rw-r--r--test/e2e/play_kube_test.go2
-rw-r--r--test/e2e/pod_ps_test.go3
-rw-r--r--test/e2e/pod_stats_test.go5
-rw-r--r--test/e2e/ps_test.go12
-rw-r--r--test/e2e/rm_test.go1
-rw-r--r--test/e2e/run_test.go2
-rw-r--r--test/e2e/search_test.go20
-rw-r--r--test/e2e/volume_ls_test.go7
-rw-r--r--test/system/010-images.bats52
-rw-r--r--test/system/055-rm.bats15
-rw-r--r--test/system/060-mount.bats13
-rw-r--r--test/system/130-kill.bats20
-rw-r--r--test/system/410-selinux.bats108
-rw-r--r--test/system/helpers.bash11
17 files changed, 314 insertions, 42 deletions
diff --git a/test/apiv2/12-imagesMore.at b/test/apiv2/12-imagesMore.at
new file mode 100644
index 000000000..30ccf0cfc
--- /dev/null
+++ b/test/apiv2/12-imagesMore.at
@@ -0,0 +1,44 @@
+# -*- sh -*-
+#
+# Tests for more image-related endpoints
+#
+
+podman pull -q $IMAGE
+
+t GET libpod/images/json 200 \
+ .[0].Id~[0-9a-f]\\{64\\}
+iid=$(jq -r '.[0].Id' <<<"$output")
+
+# Retrieve the image tree
+t GET libpod/images/$IMAGE/tree 200 \
+ .Tree~^Image
+
+# Tag nonesuch image
+t POST "libpod/images/nonesuch/tag?repo=myrepo&tag=mytag" '' 404
+
+# Tag the image
+t POST "libpod/images/$IMAGE/tag?repo=localhost:5000/myrepo&tag=mytag" '' 201
+
+t GET libpod/images/$IMAGE/json 200 \
+ .RepoTags[1]=localhost:5000/myrepo:mytag
+
+# Run registry container
+podman run -d --name registry -p 5000:5000 docker.io/library/registry:2.6 /entrypoint.sh /etc/docker/registry/config.yml
+
+# Push to local registry
+t POST libpod/images/localhost:5000/myrepo:mytag/push\?tlsVerify\=false '' 200
+
+# Untag the image
+t POST "libpod/images/$iid/untag?repo=localhost:5000/myrepo&tag=mytag" '' 201
+
+t GET libpod/images/$IMAGE/json 200 \
+ .RepoTags[-1]=$IMAGE
+
+# Remove the registry container
+t DELETE libpod/containers/registry?force=true 204
+
+# Remove images
+t DELETE libpod/images/$IMAGE 200 \
+ .ExitCode=0
+t DELETE libpod/images/docker.io/library/registry:2.6 200 \
+ .ExitCode=0
diff --git a/test/apiv2/20-containers.at b/test/apiv2/20-containers.at
index 28289955a..d7e5bfee8 100644
--- a/test/apiv2/20-containers.at
+++ b/test/apiv2/20-containers.at
@@ -206,7 +206,7 @@ t POST containers/${cid_top}/stop "" 204
t DELETE containers/$cid 204
t DELETE containers/$cid_top 204
-# test the apiv2 create, should't ignore the ENV and WORKDIR from the image
+# test the apiv2 create, shouldn't ignore the ENV and WORKDIR from the image
t POST containers/create '"Image":"'$ENV_WORKDIR_IMG'","Env":["testKey1"]' 201 \
.Id~[0-9a-f]\\{64\\}
cid=$(jq -r '.Id' <<<"$output")
diff --git a/test/e2e/network_test.go b/test/e2e/network_test.go
index a15359ea3..9bd16c008 100644
--- a/test/e2e/network_test.go
+++ b/test/e2e/network_test.go
@@ -28,7 +28,7 @@ func removeConf(confPath string) {
// generateNetworkConfig generates a cni config with a random name
// it returns the network name and the filepath
func generateNetworkConfig(p *PodmanTestIntegration) (string, string) {
- // generate a random name to preven conflicts with other tests
+ // generate a random name to prevent conflicts with other tests
name := "net" + stringid.GenerateNonCryptoID()
path := filepath.Join(p.CNIConfigDir, fmt.Sprintf("%s.conflist", name))
conf := fmt.Sprintf(`{
@@ -211,6 +211,43 @@ var _ = Describe("Podman network", func() {
Expect(rmAll.ExitCode()).To(BeZero())
})
+ It("podman inspect container two CNI networks (container not running)", func() {
+ netName1 := "testNetThreeCNI1"
+ network1 := podmanTest.Podman([]string{"network", "create", netName1})
+ network1.WaitWithDefaultTimeout()
+ Expect(network1.ExitCode()).To(BeZero())
+ defer podmanTest.removeCNINetwork(netName1)
+
+ netName2 := "testNetThreeCNI2"
+ network2 := podmanTest.Podman([]string{"network", "create", netName2})
+ network2.WaitWithDefaultTimeout()
+ Expect(network2.ExitCode()).To(BeZero())
+ defer podmanTest.removeCNINetwork(netName2)
+
+ ctrName := "testCtr"
+ container := podmanTest.Podman([]string{"create", "--network", fmt.Sprintf("%s,%s", netName1, netName2), "--name", ctrName, ALPINE, "top"})
+ container.WaitWithDefaultTimeout()
+ Expect(container.ExitCode()).To(BeZero())
+
+ inspect := podmanTest.Podman([]string{"inspect", ctrName})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.ExitCode()).To(BeZero())
+ conData := inspect.InspectContainerToJSON()
+ Expect(len(conData)).To(Equal(1))
+ Expect(len(conData[0].NetworkSettings.Networks)).To(Equal(2))
+ net1, ok := conData[0].NetworkSettings.Networks[netName1]
+ Expect(ok).To(BeTrue())
+ Expect(net1.NetworkID).To(Equal(netName1))
+ net2, ok := conData[0].NetworkSettings.Networks[netName2]
+ Expect(ok).To(BeTrue())
+ Expect(net2.NetworkID).To(Equal(netName2))
+
+ // Necessary to ensure the CNI network is removed cleanly
+ rmAll := podmanTest.Podman([]string{"rm", "-f", ctrName})
+ rmAll.WaitWithDefaultTimeout()
+ Expect(rmAll.ExitCode()).To(BeZero())
+ })
+
It("podman inspect container two CNI networks", func() {
netName1 := "testNetTwoCNI1"
network1 := podmanTest.Podman([]string{"network", "create", "--subnet", "10.50.51.0/25", netName1})
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index b0831c823..b6a390950 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -769,7 +769,7 @@ var _ = Describe("Podman generate kube", func() {
It("podman play kube test restartPolicy", func() {
// podName, set, expect
testSli := [][]string{
- {"testPod1", "", "always"}, // Default eqaul to always
+ {"testPod1", "", "always"}, // Default equal to always
{"testPod2", "Always", "always"},
{"testPod3", "OnFailure", "on-failure"},
{"testPod4", "Never", "no"},
diff --git a/test/e2e/pod_ps_test.go b/test/e2e/pod_ps_test.go
index 17ed6a9c0..a299d3cf2 100644
--- a/test/e2e/pod_ps_test.go
+++ b/test/e2e/pod_ps_test.go
@@ -8,6 +8,7 @@ import (
. "github.com/containers/podman/v2/test/utils"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
+ . "github.com/onsi/gomega/gexec"
)
var _ = Describe("Podman ps", func() {
@@ -63,7 +64,7 @@ var _ = Describe("Podman ps", func() {
result := podmanTest.Podman([]string{"pod", "ps", "-q"})
result.WaitWithDefaultTimeout()
- Expect(result.ExitCode()).To(Equal(0))
+ Expect(result).To(Exit(0))
Expect(len(result.OutputToStringArray())).Should(BeNumerically(">", 0))
Expect(podid).To(ContainSubstring(result.OutputToStringArray()[0]))
})
diff --git a/test/e2e/pod_stats_test.go b/test/e2e/pod_stats_test.go
index 1ffbe282b..41fc59267 100644
--- a/test/e2e/pod_stats_test.go
+++ b/test/e2e/pod_stats_test.go
@@ -6,6 +6,7 @@ import (
. "github.com/containers/podman/v2/test/utils"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
+ . "github.com/onsi/gomega/gexec"
)
var _ = Describe("Podman pod stats", func() {
@@ -156,9 +157,9 @@ var _ = Describe("Podman pod stats", func() {
session := podmanTest.RunTopContainerInPod("", podid)
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
- stats := podmanTest.Podman([]string{"pod", "stats", "-a", "--no-reset", "--no-stream", "--format", "\"table {{.CID}} {{.Pod}} {{.Mem}} {{.MemUsage}} {{.CPU}} {{.NetIO}} {{.BlockIO}} {{.PIDS}} {{.Pod}}\""})
+ stats := podmanTest.Podman([]string{"pod", "stats", "-a", "--no-reset", "--no-stream", "--format", "table {{.CID}} {{.Pod}} {{.Mem}} {{.MemUsage}} {{.CPU}} {{.NetIO}} {{.BlockIO}} {{.PIDS}} {{.Pod}}"})
stats.WaitWithDefaultTimeout()
- Expect(stats.ExitCode()).To(Equal(0))
+ Expect(stats).To(Exit(0))
})
It("podman stats with invalid GO template", func() {
diff --git a/test/e2e/ps_test.go b/test/e2e/ps_test.go
index 0f2ce2d46..48ef566ce 100644
--- a/test/e2e/ps_test.go
+++ b/test/e2e/ps_test.go
@@ -11,6 +11,7 @@ import (
"github.com/docker/go-units"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
+ . "github.com/onsi/gomega/gexec"
)
var _ = Describe("Podman ps", func() {
@@ -218,17 +219,16 @@ var _ = Describe("Podman ps", func() {
})
It("podman ps namespace flag with go template format", func() {
- Skip("FIXME: table still not supported in podman ps command")
_, ec, _ := podmanTest.RunLsContainer("test1")
Expect(ec).To(Equal(0))
result := podmanTest.Podman([]string{"ps", "-a", "--format", "table {{.ID}} {{.Image}} {{.ImageID}} {{.Labels}}"})
result.WaitWithDefaultTimeout()
- Expect(strings.Contains(result.OutputToStringArray()[0], "table")).To(BeFalse())
- Expect(strings.Contains(result.OutputToStringArray()[0], "ID")).To(BeTrue())
- Expect(strings.Contains(result.OutputToStringArray()[0], "ImageID")).To(BeTrue())
- Expect(strings.Contains(result.OutputToStringArray()[1], "alpine:latest")).To(BeTrue())
- Expect(result.ExitCode()).To(Equal(0))
+
+ Expect(result.OutputToStringArray()[0]).ToNot(ContainSubstring("table"))
+ Expect(result.OutputToStringArray()[0]).ToNot(ContainSubstring("ImageID"))
+ Expect(result.OutputToStringArray()[0]).To(ContainSubstring("alpine:latest"))
+ Expect(result).Should(Exit(0))
})
It("podman ps ancestor filter flag", func() {
diff --git a/test/e2e/rm_test.go b/test/e2e/rm_test.go
index 7eff8c6ed..524c07cc6 100644
--- a/test/e2e/rm_test.go
+++ b/test/e2e/rm_test.go
@@ -236,7 +236,6 @@ var _ = Describe("Podman rm", func() {
})
It("podman rm --ignore bogus container and a running container", func() {
-
session := podmanTest.RunTopContainer("test1")
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index cd32e5a77..e6bba9f67 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -394,7 +394,7 @@ USER bin`
})
It("podman run sysctl test", func() {
- SkipIfRootless("Network sysctls are not avalable root rootless")
+ SkipIfRootless("Network sysctls are not available root rootless")
session := podmanTest.Podman([]string{"run", "--rm", "--sysctl", "net.core.somaxconn=65535", ALPINE, "sysctl", "net.core.somaxconn"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
diff --git a/test/e2e/search_test.go b/test/e2e/search_test.go
index 043da9059..0cf005529 100644
--- a/test/e2e/search_test.go
+++ b/test/e2e/search_test.go
@@ -423,4 +423,24 @@ registries = ['{{.Host}}:{{.Port}}']`
Expect(search.ExitCode()).To(Equal(0))
Expect(len(search.OutputToStringArray()) > 1).To(BeTrue())
})
+
+ It("podman search repository tags", func() {
+ search := podmanTest.Podman([]string{"search", "--list-tags", "--limit", "30", "docker.io/library/alpine"})
+ search.WaitWithDefaultTimeout()
+ Expect(search.ExitCode()).To(Equal(0))
+ Expect(len(search.OutputToStringArray())).To(Equal(31))
+
+ search = podmanTest.Podman([]string{"search", "--list-tags", "docker.io/library/alpine"})
+ search.WaitWithDefaultTimeout()
+ Expect(search.ExitCode()).To(Equal(0))
+ Expect(len(search.OutputToStringArray()) > 2).To(BeTrue())
+
+ search = podmanTest.Podman([]string{"search", "--filter=is-official", "--list-tags", "docker.io/library/alpine"})
+ search.WaitWithDefaultTimeout()
+ Expect(search.ExitCode()).To(Not(Equal(0)))
+
+ search = podmanTest.Podman([]string{"search", "--list-tags", "docker.io/library/"})
+ search.WaitWithDefaultTimeout()
+ Expect(len(search.OutputToStringArray()) == 0).To(BeTrue())
+ })
})
diff --git a/test/e2e/volume_ls_test.go b/test/e2e/volume_ls_test.go
index 4a2c2d324..1cb6440aa 100644
--- a/test/e2e/volume_ls_test.go
+++ b/test/e2e/volume_ls_test.go
@@ -7,6 +7,7 @@ import (
. "github.com/containers/podman/v2/test/utils"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
+ . "github.com/onsi/gomega/gexec"
)
var _ = Describe("Podman volume ls", func() {
@@ -56,15 +57,15 @@ var _ = Describe("Podman volume ls", func() {
})
It("podman ls volume with Go template", func() {
- Skip("FIXME: table still not supported in podman volume command")
session := podmanTest.Podman([]string{"volume", "create", "myvol"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
session = podmanTest.Podman([]string{"volume", "ls", "--format", "table {{.Name}} {{.Driver}} {{.Scope}}"})
session.WaitWithDefaultTimeout()
- Expect(session.ExitCode()).To(Equal(0))
- Expect(len(session.OutputToStringArray())).To(Equal(2))
+
+ Expect(session).Should(Exit(0))
+ Expect(len(session.OutputToStringArray())).To(Equal(1), session.OutputToString())
})
It("podman ls volume with --filter flag", func() {
diff --git a/test/system/010-images.bats b/test/system/010-images.bats
index ac65e54d9..900a24368 100644
--- a/test/system/010-images.bats
+++ b/test/system/010-images.bats
@@ -159,4 +159,56 @@ Labels.created_at | 20[0-9-]\\\+T[0-9:]\\\+Z
is "$output" "$images_baseline" "after podman rmi @sha, still the same"
}
+# Tests #7199 (Restore "table" --format from V1)
+#
+# Tag our image with different-length strings; confirm table alignment
+@test "podman images - table format" {
+ # Craft two tags such that they will bracket $IMAGE on either side (above
+ # and below). This assumes that $IMAGE is quay.io or foo.com or simply
+ # not something insane that will sort before 'aaa' or after 'zzz'.
+ local aaa_name=a.b/c
+ local aaa_tag=d
+ local zzz_name=zzzzzzzzzz.yyyyyyyyy/xxxxxxxxx
+ local zzz_tag=$(random_string 15)
+
+ # Helper function to check one line of tabular output; all this does is
+ # generate a line with the given repo/tag, formatted to the width of the
+ # widest image, which is the zzz one. Fields are separated by TWO spaces.
+ function _check_line() {
+ local lineno=$1
+ local name=$2
+ local tag=$3
+
+ is "${lines[$lineno]}" \
+ "$(printf '%-*s %-*s %s' ${#zzz_name} ${name} ${#zzz_tag} ${tag} $iid)" \
+ "podman images, $testname, line $lineno"
+ }
+
+ function _run_format_test() {
+ local testname=$1
+ local format=$2
+
+ run_podman images --sort repository --format "$format"
+ _check_line 0 ${aaa_name} ${aaa_tag}
+ _check_line 1 "${PODMAN_TEST_IMAGE_REGISTRY}/${PODMAN_TEST_IMAGE_USER}/${PODMAN_TEST_IMAGE_NAME}" "${PODMAN_TEST_IMAGE_TAG}"
+ _check_line 2 ${zzz_name} ${zzz_tag}
+ }
+
+ # Begin the test: tag $IMAGE with both the given names
+ run_podman tag $IMAGE ${aaa_name}:${aaa_tag}
+ run_podman tag $IMAGE ${zzz_name}:${zzz_tag}
+
+ # Get the image ID, used to verify output below (all images share same IID)
+ run_podman inspect --format '{{.ID}}' $IMAGE
+ iid=${output:0:12}
+
+ # Run the test: this will output three column-aligned rows. Test them.
+ # Tab character (\t) should have the same effect as the 'table' directive
+ _run_format_test 'table' 'table {{.Repository}} {{.Tag}} {{.ID}}'
+ _run_format_test 'tabs' '{{.Repository}}\t{{.Tag}}\t{{.ID}}'
+
+ # Clean up.
+ run_podman rmi ${aaa_name}:${aaa_tag} ${zzz_name}:${zzz_tag}
+}
+
# vim: filetype=sh
diff --git a/test/system/055-rm.bats b/test/system/055-rm.bats
index c8475c3e9..7176ae4b8 100644
--- a/test/system/055-rm.bats
+++ b/test/system/055-rm.bats
@@ -33,6 +33,21 @@ load helpers
run_podman rm -f $cid
}
+@test "podman rm container from storage" {
+ if is_remote; then
+ skip "only applicable for local podman"
+ fi
+ rand=$(random_string 30)
+ run_podman create --name $rand $IMAGE /bin/true
+
+ # Create a container that podman does not know about
+ run buildah from $IMAGE
+ cid="$output"
+
+ # rm should succeed
+ run_podman rm $rand $cid
+}
+
# I'm sorry! This test takes 13 seconds. There's not much I can do about it,
# please know that I think it's justified: podman 1.5.0 had a strange bug
# in with exit status was not preserved on some code paths with 'rm -f'
diff --git a/test/system/060-mount.bats b/test/system/060-mount.bats
index f11aff773..ece87acf6 100644
--- a/test/system/060-mount.bats
+++ b/test/system/060-mount.bats
@@ -43,6 +43,11 @@ load helpers
# Start with clean slate
run_podman image umount -a
+ # Get full image ID, to verify umount
+ run_podman image inspect --format '{{.ID}}' $IMAGE
+ iid="$output"
+
+ # Mount, and make sure the mount point exists
run_podman image mount $IMAGE
mount_path="$output"
@@ -60,6 +65,14 @@ load helpers
# Clean up
run_podman image umount $IMAGE
+ is "$output" "$iid" "podman image umount: image ID of what was umounted"
+
+ run_podman image umount $IMAGE
+ is "$output" "" "podman image umount: does not re-umount"
+
+ run_podman 125 image umount no-such-container
+ is "$output" "Error: unable to find a name and tag match for no-such-container in repotags: no such image" \
+ "error message from image umount no-such-container"
run_podman image mount
is "$output" "" "podman image mount, no args, after umount"
diff --git a/test/system/130-kill.bats b/test/system/130-kill.bats
index c16e64c58..3770eac27 100644
--- a/test/system/130-kill.bats
+++ b/test/system/130-kill.bats
@@ -6,23 +6,9 @@
load helpers
@test "podman kill - test signal handling in containers" {
- # podman-remote and crun interact poorly in f31: crun seems to gobble up
- # some signals.
- # Workaround: run 'env --default-signal sh' instead of just 'sh' in
- # the container. Since env on our regular alpine image doesn't support
- # that flag, we need to pull fedora-minimal. See:
- # https://github.com/containers/podman/issues/5004
- # FIXME: remove this kludge once we get rid of podman-remote
- local _image=$IMAGE
- local _sh_cmd="sh"
- if is_remote; then
- _image=quay.io/libpod/fedora-minimal:latest
- _sh_cmd="env --default-signal sh"
- fi
-
# Start a container that will handle all signals by emitting 'got: N'
local -a signals=(1 2 3 4 5 6 8 10 12 13 14 15 16 20 21 22 23 24 25 26 64)
- run_podman run -d $_image $_sh_cmd -c \
+ run_podman run -d $IMAGE sh -c \
"for i in ${signals[*]}; do trap \"echo got: \$i\" \$i; done;
echo READY;
while ! test -e /stop; do sleep 0.05; done;
@@ -81,10 +67,6 @@ load helpers
run_podman wait $cid
run_podman rm $cid
wait $podman_log_pid
-
- if [[ $_image != $IMAGE ]]; then
- run_podman rmi $_image
- fi
}
@test "podman kill - rejects invalid args" {
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index 497e29b3e..1e44fe06c 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -7,9 +7,7 @@ load helpers
function check_label() {
- if [ ! -e /usr/sbin/selinuxenabled ] || ! /usr/sbin/selinuxenabled; then
- skip "selinux disabled or not available"
- fi
+ skip_if_no_selinux
local args="$1"; shift # command-line args for run
@@ -52,15 +50,33 @@ function check_label() {
check_label "--privileged --userns=host" "spc_t"
}
+@test "podman selinux: pid=host" {
+ # FIXME FIXME FIXME: Remove these lines once all VMs have >= 2.146.0
+ # (this is ugly, but better than an unconditional skip)
+ skip_if_no_selinux
+ if is_rootless; then
+ if [ -x /usr/bin/rpm ]; then
+ cs_version=$(rpm -q --qf '%{version}' container-selinux)
+ else
+ # SELinux not enabled on Ubuntu, so we should never get here
+ die "WHOA! SELinux enabled, but no /usr/bin/rpm!"
+ fi
+ if [[ "$cs_version" < "2.146" ]]; then
+ skip "FIXME: #7939: requires container-selinux-2.146.0 (currently installed: $cs_version)"
+ fi
+ fi
+ # FIXME FIXME FIXME: delete up to here, leaving just check_label
+
+ check_label "--pid=host" "spc_t"
+}
+
@test "podman selinux: container with overridden range" {
check_label "--security-opt label=level:s0:c1,c2" "container_t" "s0:c1,c2"
}
# pr #6752
@test "podman selinux: inspect multiple labels" {
- if [ ! -e /usr/sbin/selinuxenabled ] || ! /usr/sbin/selinuxenabled; then
- skip "selinux disabled or not available"
- fi
+ skip_if_no_selinux
run_podman run -d --name myc \
--security-opt seccomp=unconfined \
@@ -75,4 +91,84 @@ function check_label() {
run_podman rm -f myc
}
+# Sharing context between two containers not in a pod
+# These tests were piggybacked in with #7902, but are not actually related
+@test "podman selinux: shared context in (some) namespaces" {
+ skip_if_no_selinux
+
+ run_podman run -d --name myctr $IMAGE top
+ run_podman exec myctr cat -v /proc/self/attr/current
+ context_c1="$output"
+
+ # --ipc container
+ run_podman run --name myctr2 --ipc container:myctr $IMAGE cat -v /proc/self/attr/current
+ is "$output" "$context_c1" "new container, run with ipc of existing one "
+
+ # --pid container
+ run_podman run --rm --pid container:myctr $IMAGE cat -v /proc/self/attr/current
+ is "$output" "$context_c1" "new container, run with --pid of existing one "
+
+ # net NS: do not share context
+ run_podman run --rm --net container:myctr $IMAGE cat -v /proc/self/attr/current
+ if [[ "$output" = "$context_c1" ]]; then
+ die "run --net : context ($output) is same as running container (it should not be)"
+ fi
+
+ # The 'myctr2' above was not run with --rm, so it still exists, and
+ # we can't remove the original container until this one is gone.
+ run_podman stop -t 0 myctr
+ run_podman 125 rm myctr
+ is "$output" "Error: container .* has dependent containers"
+
+ # We have to do this in two steps: even if ordered as 'myctr2 myctr',
+ # podman will try the removes in random order, which fails if it
+ # tries myctr first.
+ run_podman rm myctr2
+ run_podman rm myctr
+}
+
+# pr #7902 - containers in pods should all run under same context
+@test "podman selinux: containers in pods share full context" {
+ skip_if_no_selinux
+
+ # We don't need a fullblown pause container; avoid pulling the k8s one
+ run_podman pod create --name myselinuxpod \
+ --infra-image $IMAGE \
+ --infra-command /home/podman/pause
+
+ # Get baseline
+ run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current
+ context_c1="$output"
+
+ # Prior to #7902, the labels (':c123,c456') would be different
+ run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current
+ is "$output" "$context_c1" "SELinux context of 2nd container matches 1st"
+
+ # What the heck. Try a third time just for extra confidence
+ run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current
+ is "$output" "$context_c1" "SELinux context of 3rd container matches 1st"
+
+ run_podman pod rm myselinuxpod
+}
+
+# more pr #7902
+@test "podman selinux: containers in --no-infra pods do not share context" {
+ skip_if_no_selinux
+
+ # We don't need a fullblown pause container; avoid pulling the k8s one
+ run_podman pod create --name myselinuxpod --infra=false
+
+ # Get baseline
+ run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current
+ context_c1="$output"
+
+ # Even after #7902, labels (':c123,c456') should be different
+ run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current
+ if [[ "$output" = "$context_c1" ]]; then
+ die "context ($output) is the same on two separate containers, it should have been different"
+ fi
+
+ run_podman pod rm myselinuxpod
+}
+
# vim: filetype=sh
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index 998db5283..c6c2c12df 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -286,6 +286,17 @@ function skip_if_remote() {
fi
}
+########################
+# skip_if_no_selinux #
+########################
+function skip_if_no_selinux() {
+ if [ ! -e /usr/sbin/selinuxenabled ]; then
+ skip "selinux not available"
+ elif ! /usr/sbin/selinuxenabled; then
+ skip "selinux disabled"
+ fi
+}
+
#########
# die # Abort with helpful message
#########