diff options
Diffstat (limited to 'test')
| -rw-r--r-- | test/e2e/play_kube_test.go | 44 | ||||
| -rw-r--r-- | test/e2e/run_networking_test.go | 10 | ||||
| -rw-r--r-- | test/e2e/run_passwd_test.go | 54 | ||||
| -rw-r--r-- | test/system/030-run.bats | 18 | ||||
| -rw-r--r-- | test/system/120-load.bats | 34 |
5 files changed, 139 insertions, 21 deletions
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go index 121cea017..5e01971cb 100644 --- a/test/e2e/play_kube_test.go +++ b/test/e2e/play_kube_test.go @@ -99,6 +99,12 @@ spec: hostPort: {{ .Port }} protocol: TCP workingDir: / + volumeMounts: + {{ if .VolumeMount }} + - name: {{.VolumeName}} + mountPath: {{ .VolumeMountPath }} + readonly: {{.VolumeReadOnly}} + {{ end }} {{ end }} {{ end }} {{ end }} @@ -383,12 +389,16 @@ type Ctr struct { PullPolicy string HostIP string Port string + VolumeMount bool + VolumeMountPath string + VolumeName string + VolumeReadOnly bool } // getCtr takes a list of ctrOptions and returns a Ctr with sane defaults // and the configured options func getCtr(options ...ctrOption) *Ctr { - c := Ctr{defaultCtrName, defaultCtrImage, defaultCtrCmd, defaultCtrArg, true, false, nil, nil, "", "", ""} + c := Ctr{defaultCtrName, defaultCtrImage, defaultCtrCmd, defaultCtrArg, true, false, nil, nil, "", "", "", false, "", "", false} for _, option := range options { option(&c) } @@ -448,6 +458,15 @@ func withHostIP(ip string, port string) ctrOption { } } +func withVolumeMount(mountPath string, readonly bool) ctrOption { + return func(c *Ctr) { + c.VolumeMountPath = mountPath + c.VolumeName = defaultVolName + c.VolumeReadOnly = readonly + c.VolumeMount = true + } +} + func getCtrNameInPod(pod *Pod) string { return fmt.Sprintf("%s-%s", pod.Name, defaultCtrName) } @@ -1035,4 +1054,27 @@ spec: kube.WaitWithDefaultTimeout() Expect(kube.ExitCode()).NotTo(Equal(0)) }) + + It("podman play kube test with read only volume", func() { + hostPathLocation := filepath.Join(tempdir, "file") + f, err := os.Create(hostPathLocation) + Expect(err).To(BeNil()) + f.Close() + + ctr := getCtr(withVolumeMount(hostPathLocation, true), withImage(BB)) + pod := getPod(withVolume(getVolume("File", hostPathLocation)), withCtr(ctr)) + err = generatePodKubeYaml(pod, kubeYaml) + Expect(err).To(BeNil()) + + kube := podmanTest.Podman([]string{"play", "kube", kubeYaml}) + kube.WaitWithDefaultTimeout() + Expect(kube.ExitCode()).To(Equal(0)) + + inspect := podmanTest.Podman([]string{"inspect", getCtrNameInPod(pod), "--format", "'{{.HostConfig.Binds}}'"}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.ExitCode()).To(Equal(0)) + + correct := fmt.Sprintf("%s:%s:%s", hostPathLocation, hostPathLocation, "ro") + Expect(inspect.OutputToString()).To(ContainSubstring(correct)) + }) }) diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go index a48f7c83e..c20bfe631 100644 --- a/test/e2e/run_networking_test.go +++ b/test/e2e/run_networking_test.go @@ -535,15 +535,12 @@ var _ = Describe("Podman run networking", func() { create := podmanTest.Podman([]string{"network", "create", "--subnet", "10.25.30.0/24", netName}) create.WaitWithDefaultTimeout() Expect(create.ExitCode()).To(BeZero()) + defer podmanTest.removeCNINetwork(netName) run := podmanTest.Podman([]string{"run", "-t", "-i", "--rm", "--net", netName, "--ip", ipAddr, ALPINE, "ip", "addr"}) run.WaitWithDefaultTimeout() Expect(run.ExitCode()).To(BeZero()) Expect(run.OutputToString()).To(ContainSubstring(ipAddr)) - - netrm := podmanTest.Podman([]string{"network", "rm", netName}) - netrm.WaitWithDefaultTimeout() - Expect(netrm.ExitCode()).To(BeZero()) }) It("podman run with new:pod and static-ip", func() { @@ -555,6 +552,7 @@ var _ = Describe("Podman run networking", func() { create := podmanTest.Podman([]string{"network", "create", "--subnet", "10.25.40.0/24", netName}) create.WaitWithDefaultTimeout() Expect(create.ExitCode()).To(BeZero()) + defer podmanTest.removeCNINetwork(netName) run := podmanTest.Podman([]string{"run", "-t", "-i", "--rm", "--pod", "new:" + podname, "--net", netName, "--ip", ipAddr, ALPINE, "ip", "addr"}) run.WaitWithDefaultTimeout() @@ -564,9 +562,5 @@ var _ = Describe("Podman run networking", func() { podrm := podmanTest.Podman([]string{"pod", "rm", "-f", podname}) podrm.WaitWithDefaultTimeout() Expect(podrm.ExitCode()).To(BeZero()) - - netrm := podmanTest.Podman([]string{"network", "rm", netName}) - netrm.WaitWithDefaultTimeout() - Expect(netrm.ExitCode()).To(BeZero()) }) }) diff --git a/test/e2e/run_passwd_test.go b/test/e2e/run_passwd_test.go index c48876dee..dfb8c72a1 100644 --- a/test/e2e/run_passwd_test.go +++ b/test/e2e/run_passwd_test.go @@ -71,4 +71,58 @@ USER 1000` Expect(session.ExitCode()).To(Equal(0)) Expect(session.OutputToString()).To(Not(ContainSubstring("passwd"))) }) + + It("podman run with no user specified does not change --group specified", func() { + session := podmanTest.Podman([]string{"run", "--read-only", BB, "mount"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.LineInOutputContains("/etc/group")).To(BeFalse()) + }) + + It("podman run group specified in container", func() { + session := podmanTest.Podman([]string{"run", "--read-only", "-u", "root:bin", BB, "mount"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.LineInOutputContains("/etc/group")).To(BeFalse()) + }) + + It("podman run non-numeric group not specified in container", func() { + session := podmanTest.Podman([]string{"run", "--read-only", "-u", "root:doesnotexist", BB, "mount"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Not(Equal(0))) + }) + + It("podman run numeric group specified in container", func() { + session := podmanTest.Podman([]string{"run", "--read-only", "-u", "root:11", BB, "mount"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.LineInOutputContains("/etc/group")).To(BeFalse()) + }) + + It("podman run numeric group not specified in container", func() { + session := podmanTest.Podman([]string{"run", "--read-only", "-u", "20001:20001", BB, "mount"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.LineInOutputContains("/etc/group")).To(BeTrue()) + }) + + It("podman run numeric user not specified in container modifies group", func() { + session := podmanTest.Podman([]string{"run", "--read-only", "-u", "20001", BB, "mount"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.LineInOutputContains("/etc/group")).To(BeTrue()) + }) + + It("podman run numeric group from image and no group file", func() { + SkipIfRemote() + dockerfile := `FROM alpine +RUN rm -f /etc/passwd /etc/shadow /etc/group +USER 1000` + imgName := "testimg" + podmanTest.BuildImage(dockerfile, imgName, "false") + session := podmanTest.Podman([]string{"run", "--rm", imgName, "ls", "/etc/"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(Not(ContainSubstring("/etc/group"))) + }) }) diff --git a/test/system/030-run.bats b/test/system/030-run.bats index 0b92554b8..4e518c571 100644 --- a/test/system/030-run.bats +++ b/test/system/030-run.bats @@ -189,9 +189,19 @@ echo $rand | 0 | $rand is "$(< $cidfile)" "$cid" "contents of cidfile == container ID" - conmon_pid=$(< $pidfile) - is "$(readlink /proc/$conmon_pid/exe)" ".*/conmon" \ - "conmon pidfile (= PID $conmon_pid) points to conmon process" + # Cross-check --conmon-pidfile against 'podman inspect' + local conmon_pid_from_file=$(< $pidfile) + run_podman inspect --format '{{.State.ConmonPid}}' $cid + local conmon_pid_from_inspect="$output" + is "$conmon_pid_from_file" "$conmon_pid_from_inspect" \ + "Conmon pid in pidfile matches what 'podman inspect' claims" + + # /proc/PID/exe should be a symlink to a conmon executable + # FIXME: 'echo' and 'ls' are to help debug #7580, a CI flake + echo "conmon pid = $conmon_pid_from_file" + ls -l /proc/$conmon_pid_from_file + is "$(readlink /proc/$conmon_pid_from_file/exe)" ".*/conmon" \ + "conmon pidfile (= PID $conmon_pid_from_file) points to conmon process" # All OK. Kill container. run_podman rm -f $cid @@ -204,7 +214,7 @@ echo $rand | 0 | $rand } @test "podman run docker-archive" { - skip_if_remote "FIXME: pending #7116" + skip_if_remote "podman-remote does not support docker-archive (#7116)" # Create an image that, when run, outputs a random magic string expect=$(random_string 20) diff --git a/test/system/120-load.bats b/test/system/120-load.bats index 86b396c4a..d7aa16d95 100644 --- a/test/system/120-load.bats +++ b/test/system/120-load.bats @@ -27,25 +27,43 @@ verify_iid_and_name() { } @test "podman save to pipe and load" { - get_iid_and_name + # Generate a random name and tag (must be lower-case) + local random_name=x$(random_string 12 | tr A-Z a-z) + local random_tag=t$(random_string 7 | tr A-Z a-z) + local fqin=localhost/$random_name:$random_tag + run_podman tag $IMAGE $fqin + + archive=$PODMAN_TMPDIR/myimage-$(random_string 8).tar # We can't use run_podman because that uses the BATS 'run' function # which redirects stdout and stderr. Here we need to guarantee # that podman's stdout is a pipe, not any other form of redirection - $PODMAN save --format oci-archive $IMAGE | cat >$archive + $PODMAN save --format oci-archive $fqin | cat >$archive if [ "$status" -ne 0 ]; then die "Command failed: podman save ... | cat" fi # Make sure we can reload it - # FIXME: when/if 7337 gets fixed, add a random tag instead of rmi'ing - # FIXME: when/if 7371 gets fixed, use verify_iid_and_name() - run_podman rmi $iid + run_podman rmi $fqin run_podman load -i $archive - # FIXME: cannot compare IID, see #7371 - run_podman images -a --format '{{.Repository}}:{{.Tag}}' - is "$output" "$IMAGE" "image preserves name across save/load" + # FIXME: cannot compare IID, see #7371, so we check only the tag + run_podman images $fqin --format '{{.Repository}}:{{.Tag}}' + is "$output" "$fqin" "image preserves name across save/load" + + # FIXME: when/if 7337 gets fixed, load with a new tag + if false; then + local new_name=x$(random_string 14 | tr A-Z a-z) + local new_tag=t$(random_string 6 | tr A-Z a-z) + run_podman rmi $fqin + fqin=localhost/$new_name:$new_tag + run_podman load -i $archive $fqin + run_podman images $fqin --format '{{.Repository}}:{{.Tag}}' + is "$output" "$fqin" "image can be loaded with new name:tag" + fi + + # Clean up + run_podman rmi $fqin } |