diff options
Diffstat (limited to 'test')
| -rw-r--r-- | test/e2e/commit_test.go | 24 | ||||
| -rw-r--r-- | test/e2e/common_test.go | 7 | ||||
| -rw-r--r-- | test/e2e/play_kube_test.go | 3 | ||||
| -rw-r--r-- | test/e2e/run_test.go | 100 | ||||
| -rw-r--r-- | test/e2e/secret_test.go | 23 | ||||
| -rw-r--r-- | test/system/001-basic.bats | 25 | ||||
| -rw-r--r-- | test/system/410-selinux.bats | 13 |
7 files changed, 175 insertions, 20 deletions
diff --git a/test/e2e/commit_test.go b/test/e2e/commit_test.go index 0d3f2bed7..70a66124a 100644 --- a/test/e2e/commit_test.go +++ b/test/e2e/commit_test.go @@ -304,4 +304,28 @@ var _ = Describe("Podman commit", func() { Expect(session.ExitCode()).To(Not(Equal(0))) }) + + It("podman commit should not commit env secret", func() { + secretsString := "somesecretdata" + secretFilePath := filepath.Join(podmanTest.TempDir, "secret") + err := ioutil.WriteFile(secretFilePath, []byte(secretsString), 0755) + Expect(err).To(BeNil()) + + session := podmanTest.Podman([]string{"secret", "create", "mysecret", secretFilePath}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"run", "--secret", "source=mysecret,type=env", "--name", "secr", ALPINE, "printenv", "mysecret"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(Equal(secretsString)) + + session = podmanTest.Podman([]string{"commit", "secr", "foobar.com/test1-image:latest"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"run", "foobar.com/test1-image:latest", "printenv", "mysecret"}) + session.WaitWithDefaultTimeout() + Expect(session.OutputToString()).To(Not(ContainSubstring(secretsString))) + }) }) diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go index 8530d3dd3..359345096 100644 --- a/test/e2e/common_test.go +++ b/test/e2e/common_test.go @@ -605,13 +605,6 @@ func SkipIfRootlessCgroupsV1(reason string) { } } -func SkipIfUnprivilegedCPULimits() { - info := GetHostDistributionInfo() - if isRootless() && info.Distribution == "fedora" { - ginkgo.Skip("Rootless Fedora doesn't have permission to set CPU limits") - } -} - func SkipIfRootless(reason string) { checkReason(reason) if os.Geteuid() != 0 { diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go index d5861e7ba..3908d4075 100644 --- a/test/e2e/play_kube_test.go +++ b/test/e2e/play_kube_test.go @@ -2005,8 +2005,7 @@ VOLUME %s`, ALPINE, hostPathDir+"/") It("podman play kube allows setting resource limits", func() { SkipIfContainerized("Resource limits require a running systemd") - SkipIfRootlessCgroupsV1("Limits require root or cgroups v2") - SkipIfUnprivilegedCPULimits() + SkipIfRootless("CPU limits require root") podmanTest.CgroupManager = "systemd" var ( diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index d8d7dab07..59220cf01 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -921,6 +921,17 @@ USER mail`, BB) Expect(session.OutputToString()).To(ContainSubstring("mail root")) }) + It("podman run with incorect VOLUME", func() { + dockerfile := fmt.Sprintf(`FROM %s +VOLUME ['/etc/foo'] +WORKDIR /etc/foo`, BB) + podmanTest.BuildImage(dockerfile, "test", "false") + session := podmanTest.Podman([]string{"run", "--rm", "test", "echo", "test"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("test")) + }) + It("podman run --volumes-from flag", func() { vol := filepath.Join(podmanTest.TempDir, "vol-test") err := os.MkdirAll(vol, 0755) @@ -1600,6 +1611,95 @@ WORKDIR /madethis`, BB) }) + It("podman run --secret source=mysecret,type=mount", func() { + secretsString := "somesecretdata" + secretFilePath := filepath.Join(podmanTest.TempDir, "secret") + err := ioutil.WriteFile(secretFilePath, []byte(secretsString), 0755) + Expect(err).To(BeNil()) + + session := podmanTest.Podman([]string{"secret", "create", "mysecret", secretFilePath}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"run", "--secret", "source=mysecret,type=mount", "--name", "secr", ALPINE, "cat", "/run/secrets/mysecret"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(Equal(secretsString)) + + session = podmanTest.Podman([]string{"inspect", "secr", "--format", " {{(index .Config.Secrets 0).Name}}"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("mysecret")) + + }) + + It("podman run --secret source=mysecret,type=env", func() { + secretsString := "somesecretdata" + secretFilePath := filepath.Join(podmanTest.TempDir, "secret") + err := ioutil.WriteFile(secretFilePath, []byte(secretsString), 0755) + Expect(err).To(BeNil()) + + session := podmanTest.Podman([]string{"secret", "create", "mysecret", secretFilePath}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"run", "--secret", "source=mysecret,type=env", "--name", "secr", ALPINE, "printenv", "mysecret"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(Equal(secretsString)) + }) + + It("podman run --secret target option", func() { + secretsString := "somesecretdata" + secretFilePath := filepath.Join(podmanTest.TempDir, "secret") + err := ioutil.WriteFile(secretFilePath, []byte(secretsString), 0755) + Expect(err).To(BeNil()) + + session := podmanTest.Podman([]string{"secret", "create", "mysecret", secretFilePath}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + // target with mount type should fail + session = podmanTest.Podman([]string{"run", "--secret", "source=mysecret,type=mount,target=anotherplace", "--name", "secr", ALPINE, "cat", "/run/secrets/mysecret"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Not(Equal(0))) + + session = podmanTest.Podman([]string{"run", "--secret", "source=mysecret,type=env,target=anotherplace", "--name", "secr", ALPINE, "printenv", "anotherplace"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(Equal(secretsString)) + }) + + It("podman run invalid secret option", func() { + secretsString := "somesecretdata" + secretFilePath := filepath.Join(podmanTest.TempDir, "secret") + err := ioutil.WriteFile(secretFilePath, []byte(secretsString), 0755) + Expect(err).To(BeNil()) + + session := podmanTest.Podman([]string{"secret", "create", "mysecret", secretFilePath}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + // Invalid type + session = podmanTest.Podman([]string{"run", "--secret", "source=mysecret,type=other", "--name", "secr", ALPINE, "printenv", "mysecret"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Not(Equal(0))) + + // Invalid option + session = podmanTest.Podman([]string{"run", "--secret", "source=mysecret,invalid=invalid", "--name", "secr", ALPINE, "printenv", "mysecret"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Not(Equal(0))) + + // Option syntax not valid + session = podmanTest.Podman([]string{"run", "--secret", "source=mysecret,type", "--name", "secr", ALPINE, "printenv", "mysecret"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Not(Equal(0))) + + // No source given + session = podmanTest.Podman([]string{"run", "--secret", "type=env", "--name", "secr", ALPINE, "printenv", "mysecret"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Not(Equal(0))) + }) + It("podman run --requires", func() { depName := "ctr1" depContainer := podmanTest.Podman([]string{"create", "--name", depName, ALPINE, "top"}) diff --git a/test/e2e/secret_test.go b/test/e2e/secret_test.go index fbee18442..b54b959bf 100644 --- a/test/e2e/secret_test.go +++ b/test/e2e/secret_test.go @@ -199,4 +199,27 @@ var _ = Describe("Podman secret", func() { Expect(len(session.OutputToStringArray())).To(Equal(1)) }) + It("podman secret creates from environment variable", func() { + // no env variable set, should fail + session := podmanTest.Podman([]string{"secret", "create", "--env", "a", "MYENVVAR"}) + session.WaitWithDefaultTimeout() + secrID := session.OutputToString() + Expect(session.ExitCode()).To(Not(Equal(0))) + + os.Setenv("MYENVVAR", "somedata") + if IsRemote() { + podmanTest.RestartRemoteService() + } + + session = podmanTest.Podman([]string{"secret", "create", "--env", "a", "MYENVVAR"}) + session.WaitWithDefaultTimeout() + secrID = session.OutputToString() + Expect(session.ExitCode()).To(Equal(0)) + + inspect := podmanTest.Podman([]string{"secret", "inspect", "--format", "{{.ID}}", secrID}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.ExitCode()).To(Equal(0)) + Expect(inspect.OutputToString()).To(Equal(secrID)) + }) + }) diff --git a/test/system/001-basic.bats b/test/system/001-basic.bats index 35107f0a0..5d44c373f 100644 --- a/test/system/001-basic.bats +++ b/test/system/001-basic.bats @@ -10,16 +10,18 @@ function setup() { : } -@test "podman --context emits reasonable output" { - run_podman 125 --context=swarm version - is "$output" "Error: Podman does not support swarm, the only --context value allowed is \"default\"" "--context=default or fail" - - run_podman --context=default version -} +#### DO NOT ADD ANY TESTS HERE! ADD NEW TESTS AT BOTTOM! @test "podman version emits reasonable output" { run_podman version + # FIXME FIXME FIXME: #10248: nasty message on Ubuntu cgroups v1, rootless + if [[ "$output" =~ "overlay test mount with multiple lowers failed" ]]; then + if is_rootless; then + lines=("${lines[@]:1}") + fi + fi + # First line of podman-remote is "Client:<blank>". # Just delete it (i.e. remove the first entry from the 'lines' array) if is_remote; then @@ -41,6 +43,17 @@ function setup() { } +@test "podman --context emits reasonable output" { + # All we care about here is that the command passes + run_podman --context=default version + + # This one must fail + run_podman 125 --context=swarm version + is "$output" \ + "Error: Podman does not support swarm, the only --context value allowed is \"default\"" \ + "--context=default or fail" +} + @test "podman can pull an image" { run_podman pull $IMAGE } diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats index 95233c1e6..f8cee0e59 100644 --- a/test/system/410-selinux.bats +++ b/test/system/410-selinux.bats @@ -198,20 +198,23 @@ function check_label() { skip_if_no_selinux LABEL="system_u:object_r:tmp_t:s0" + RELABEL="system_u:object_r:container_file_t:s0" tmpdir=$PODMAN_TMPDIR/vol touch $tmpdir chcon -vR ${LABEL} $tmpdir ls -Z $tmpdir run_podman run -v $tmpdir:/test $IMAGE cat /proc/self/attr/current - level=$(secon -l $output) run ls -dZ ${tmpdir} is "$output" ${LABEL} "No Relabel Correctly" - run_podman run -v $tmpdir:/test:Z --security-opt label=disable $IMAGE cat /proc/self/attr/current - level=$(secon -l $output) + run_podman run -v $tmpdir:/test:z --security-opt label=disable $IMAGE cat /proc/self/attr/current + run ls -dZ $tmpdir + is "$output" ${RELABEL} "Privileged Relabel Correctly" + + run_podman run -v $tmpdir:/test:z --privileged $IMAGE cat /proc/self/attr/current run ls -dZ $tmpdir - is "$output" ${LABEL} "No Privileged Relabel Correctly" + is "$output" ${RELABEL} "Privileged Relabel Correctly" run_podman run -v $tmpdir:/test:Z $IMAGE cat /proc/self/attr/current level=$(secon -l $output) @@ -220,7 +223,7 @@ function check_label() { run_podman run -v $tmpdir:/test:z $IMAGE cat /proc/self/attr/current run ls -dZ $tmpdir - is "$output" "system_u:object_r:container_file_t:s0" "Shared Relabel Correctly" + is "$output" ${RELABEL} "Shared Relabel Correctly" } # vim: filetype=sh |