summaryrefslogtreecommitdiff
path: root/test/e2e/run_test.go
Commit message (Collapse)AuthorAge
* Validate passed in timezone from tz optionTomSweeneyRedHat2021-03-21
| | | | | | | | | | | | | | | | | | | | | | | | Erik Sjolund reported an issue where a badly formated file could be passed into the `--tz` option and then the date in the container would be badly messed up: ``` erik@laptop:~$ echo Hello > file.txt erik@laptop:~$ podman run --tz=../../../home/erik/file.txt --rm -ti docker.io/library/alpine cat /etc/localtime Hello erik@laptop:~$ podman --version podman version 3.0.0-rc1 erik@laptop:~$ ``` This fix checks to make sure the TZ passed in is a valid value and then proceeds with the rest of the processing. This was first reported as a potential security issue, but it was thought not to be. However, I thought closing the hole sooner rather than later would be good. Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* test: check for io.stat existence on cgroup v2Giuseppe Scrivano2021-03-17
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* test: fix test for last crun/runcGiuseppe Scrivano2021-03-17
| | | | | | | | | there was a documentation issue for the kernel that reported the range to be different than on cgroup v1. The issue has been fixed in crun/runc. Adapt the test. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* test: simplify cgroup pathGiuseppe Scrivano2021-03-17
| | | | | | with cgroup v2, the cgroupns is enabled by default. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Latest crun/runc should handle blkio-weight testDaniel J Walsh2021-03-17
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Enable cgroupsv2 rw mount via security-opt unmaskJakub Guzik2021-02-28
| | | | Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* test: ignore named hierarchies for cgroups=splitGiuseppe Scrivano2021-02-23
| | | | | | | | | ignore named hierarchies for the --cgroups=split test as crun does not set it. Closes: https://github.com/containers/podman/pull/9302#issuecomment-784157272 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* bump go module to v3Valentin Rothberg2021-02-22
| | | | | | | | | We missed bumping the go module, so let's do it now :) * Automated go code with github.com/sirkon/go-imports-rename * Manually via `vgrep podman/v2` the rest Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Do not reset storage when running inside of a containerDaniel J Walsh2021-02-16
| | | | | | | | | | | | | | | | | | | | | | | | Currently if the host shares container storage with a container running podman, the podman inside of the container resets the storage on the host. This can cause issues on the host, as well as causes the podman command running the container, to fail to unmount /dev/shm. podman run -ti --rm --privileged -v /var/lib/containers:/var/lib/containers quay.io/podman/stable podman run alpine echo hello * unlinkat /var/lib/containers/storage/overlay-containers/a7f3c9deb0656f8de1d107e7ddff2d3c3c279c11c1635f233a0bffb16051fb2c/userdata/shm: device or resource busy * unlinkat /var/lib/containers/storage/overlay-containers/a7f3c9deb0656f8de1d107e7ddff2d3c3c279c11c1635f233a0bffb16051fb2c/userdata/shm: device or resource busy Since podman is volume mounting in the graphroot, it will add a flag to /run/.containerenv to tell podman inside of container whether to reset storage or not. Since the inner podman is running inside of the container, no reason to assume this is a fresh reboot, so if "container" environment variable is set then skip reset of storage. Also added tests to make sure /run/.containerenv is runnig correctly. Fixes: https://github.com/containers/podman/issues/9191 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* utils: takes the longest path on cgroup v1Giuseppe Scrivano2021-02-11
| | | | | | | | | | | | | | | | | | | | | | now getCgroupProcess takes the longest path on cgroup v1, instead of complaining if the paths are different. This should help when --cgroups=split is used on cgroup v1 and the process cgroups look like: $ cat /proc/self/cgroup 11:pids:/user.slice/user-0.slice/session-4.scope 10:blkio:/ 9:cpuset:/ 8:devices:/user.slice 7:freezer:/ 6:memory:/user.slice/user-0.slice/session-4.scope 5:net_cls,net_prio:/ 4:hugetlb:/ 3:cpu,cpuacct:/ 2:perf_event:/ Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Restart service when CONTAINERS_CONF changesDaniel J Walsh2021-02-09
| | | | | | | | | | Service needs to be restarted in order to read the CONTAINERS_CONF file. Not resetting this can lead to lots of flakes, since the test will use whatever the host system has to be set in it's containers.conf. Fixes: https://github.com/containers/podman/issues/9286 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Implement SecretsAshley Cui2021-02-09
| | | | | | | | | | | Implement podman secret create, inspect, ls, rm Implement podman run/create --secret Secrets are blobs of data that are sensitive. Currently, the only secret driver supported is filedriver, which means creating a secret stores it in base64 unencrypted in a file. After creating a secret, a user can use the --secret flag to expose the secret inside the container at /run/secrets/[secretname] This secret will not be commited to an image on a podman commit Signed-off-by: Ashley Cui <acui@redhat.com>
* Pass DefaultMountsFile to podman buildDaniel J Walsh2021-01-25
| | | | | | | The --default-mounts-file path was not being handled in podman build. This will enable it to use for testing. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Containers should not get inheritable caps by defaultDaniel J Walsh2021-01-07
| | | | | | | | | | | | When I launch a container with --userns=keep-id the rootless processes should have no caps by default even if I launch the container with --privileged. It should only get the caps if I specify by hand the caps I want leaked to the process. Currently we turn off capeff and capamb, but not capinh. This patch treats capinh the same way as capeff and capamb. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Ensure that user-specified HOSTNAME is honoredMatthew Heon2021-01-06
| | | | | | | | | | | When adding the HOSTNAME environment variable, only do so if it is not already present in the spec. If it is already present, it was likely added by the user, and we should honor their requested value. Fixes #8886 Signed-off-by: Matthew Heon <mheon@redhat.com>
* SpellingJosh Soref2020-12-22
| | | | Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* Disable blkio.weight test on UbuntuChris Evich2020-12-15
| | | | | | | | | | | | | | These tests fail with `Error: opening file `io.bfq.weight` for writing: Permission denied: OCI permission denied`. Upon examination of the VMs, it was found the kernel and OS lacks support for the `BFQ` scheduler (which supplies the `weight` option). The only available schedulers are `none` and `mq-deadline`. Note: Recently updated F32 (prior-fedora) and Ubuntu 20.04 (prior-ubuntu) VMs always use CGroupsV1 with runc. F33 and Ubuntu 20.10 were updated to always use CGroupsV2 with crun. Signed-off-by: Chris Evich <cevich@redhat.com>
* security: honor systempaths=unconfined for ro pathsGiuseppe Scrivano2020-12-09
| | | | | | | | | we must honor systempaths=unconfined also for read-only paths, as Docker does: proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #8630 from umohnani8/sec-optOpenShift Merge Robot2020-12-08
|\ | | | | Add systempaths=unconfined option
| * Add systempaths=unconfined optionUrvashi Mohnani2020-12-08
| | | | | | | | | | | | | | | | | | Add the systempaths=unconfined option to --security-opt to match the docker options for unmasking all the paths that are masked by default. Add the mask and unmask options to the podman create doc. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* | Merge pull request #8561 from mheon/fix_gatingOpenShift Merge Robot2020-12-07
|\ \ | |/ |/| Do not mount sysfs as rootless in more cases
| * Do not mount sysfs as rootless in more casesMatthew Heon2020-12-04
| | | | | | | | | | | | | | | | | | | | | | | | We can't mount sysfs as rootless unless we manage the network namespace. Problem: slirp4netns is now creating and managing a network namespace separate from the OCI runtime, so we can't mount sysfs in many circumstances. The `crun` OCI runtime will automatically handle this by falling back to a bind mount, but `runc` will not, so we didn't notice until RHEL gating tests ran on the new branch. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Add mask and unmask option to --security-optUrvashi Mohnani2020-12-02
|/ | | | | | | | | Add the mask and unmask option to the --security-opt flag to allow users to specify paths to mask and unmask in the container. If unmask=ALL, this will unmask all the paths we mask by default. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* Allow containers to --restart on-failure with --rmDaniel J Walsh2020-11-20
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* use lookaside storage for remote testsbaude2020-11-16
| | | | | | | | | | in an effort to speed up the remote testing, we should be using lookaside storage to avoid pull images as well as importing multiple images into the RW store. one test was removed and added into system test by Ed in #8325 Signed-off-by: baude <bbaude@redhat.com>
* specgen: keep capabilities with --userns=keep-idGiuseppe Scrivano2020-11-02
| | | | | | | | if --userns=keep-id is specified and not --user is specified, take the unprivileged capabilities code path so that ambient capabilities are honored in the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* specgen: fix check for root userGiuseppe Scrivano2020-11-02
| | | | | | | if the username is specified in the USER:GROUP form, make sure we only check for USER. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* specgen: add support for ambient capabilitiesGiuseppe Scrivano2020-11-02
| | | | | | | | | | if the kernel supports ambient capabilities (Linux 4.3+), also set them when running with euid != 0. This is different that what Moby does, as ambient capabilities are never set. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* This PR allows users to remove external containers directlyDaniel J Walsh2020-10-09
| | | | | | | | | | | | | | | | | | | | | | | Currenly if a user specifies the name or ID of an external storage container, we report an error to them. buildah from scratch working-container-2 podman rm working-container-2 Error: no container with name or ID working-container-2 found: no such container Since the user specified the correct name and the container is in storage we force them to specify --storage to remove it. This is a bad experience for the user. This change will just remove the container from storage. If the container is known by libpod, it will remove the container from libpod as well. The podman rm --storage option has been deprecated, and removed from docs. Also cleaned documented options that are not available to podman-remote. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Attempt to turn on some more remote testsDaniel J Walsh2020-10-07
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* --rm option shold conflicts with --restartzhangguanzhang2020-10-02
| | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* misc fixes for f33 integration testsbaude2020-09-30
| | | | | | some small fixes for testing on fedora 33 (non-btrfs) Signed-off-by: baude <bbaude@redhat.com>
* Make all Skips specify a reasonDaniel J Walsh2020-09-29
| | | | | | Always use CGROUPV2 rather then reading from system all the time. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Ignore containers.conf sysctl when namespaces set to hostDaniel J Walsh2020-09-28
| | | | | | | | | | | If user sets namespace to host, then default sysctls need to be ignored that are specific to that namespace. --net=host ignore sysctls that begin with net. --ipc=host ignore fs.mqueue --uts=host ignore kernel.domainname and kernel.hostname Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Properly handle podman run --pull commandDaniel J Walsh2020-09-27
| | | | | | | | | | | | | | | | | | Currently the --pull missing|always|never is ignored This PR implements this for local API. For remote we need to default to pullpolicy specified in the containers.conf file. Also fixed an issue when images were matching other images names based on prefix, causing images to always be pulled. I had named an image myfedora and when ever I pulled fedora, the system thought that it there were two images named fedora since it was checking for the name fedora as well as the prefix fedora. I changed it to check for fedora and the prefix /fedora, to prefent failures like I had. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Remove some SkipIfRootess flags from testsDaniel J Walsh2020-09-25
| | | | | | | We need to get more tests running in rootless mode. Since cgroupsV2 allows management of cgroups in rootless environments a lot of more tests can be run. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* e2e tests: SkipIfRemote(): add a reasonEd Santiago2020-09-23
| | | | | | | | | | | | | | | | | Now that Dan has added helpful comments to each SkipIfRemote, let's take the next step and include those messages in the Skip() output so someone viewing test results can easily see if a remote test is skipped for a real reason or for a FIXME. This commit is the result of a simple: perl -pi -e 's;(SkipIfRemote)\(\)(\s+//\s+(.*))?;$1("$3");' *.go in the test/e2e directory, with a few minor (manual) changes in wording. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Examine all SkipIfRemote functionsDaniel J Walsh2020-09-22
| | | | | | | | Remove ones that are not needed. Document those that should be there. Document those that should be fixed. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix incorrect parsing of create/run --volumes-fromPaul Holzinger2020-09-20
| | | | | | | | | Add a bunch of tests to ensure that --volumes-from works as expected. Also align the podman create and run man page. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Supports import&run--signature-policyQi Wang2020-09-15
| | | | | | Enables podman create, pull, run, import to use --signature-policy option. Set it as hidden flag to be consistent with other commands. Signed-off-by: Qi Wang <qiwan@redhat.com>
* Make oom-score-adj actually workDaniel J Walsh2020-09-09
| | | | | | | | | | | During the redesign of podman 2.0, we dropped the support for --oom-score-adj. Test for this flag was bogus and thus passing when it was broken. Basically just need to set the value in the spec. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1877187 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* We should not be mounting /run as noexec when run with --systemdDaniel J Walsh2020-09-02
| | | | | | | The system defaults /run to "exec" mode, and we default --read-only mounts on /run to "exec", so --systemd should follow suit. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix log level case regressionSascha Grunert2020-08-28
| | | | | | | | | | With previous versions of Podman (like v1.9.2) it was always possible to specify the log level in any case, for example `INFO`. This behavior has silently changed, where the `--log-level` flag only accepts lower case levels. This commit re-enables the old behavior and adds an e2e test for it. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* fix pod creation with "new:" syntax followup + allow hostnamePaul Holzinger2020-08-20
| | | | | | | | | | | | | | | | | | | | | Fixes: 4c75fe3f70ed ("fix pod creation with "new:" syntax") Commit 4c75fe3f70ed passes all net options to the pod but forgot to unset the options for the container creation. This leads to erros when using flags like `--ip` since we tried setting the ip on the pod and container which obviously fails. I didn't notice the bug because we don't throw an error when specifing port bindings on a container which joins the pods network namespace. (#7373) Also allow the use of `--hostname` and pass that option to the pod and unset it for the container. The container has to use the pods hostname anyway. This would error otherwise. Added tests to prevent regression. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* run, create: add new security-opt proc-optsGiuseppe Scrivano2020-08-12
| | | | | | | it allows to customize the options passed down to the OCI runtime for setting up the /proc mount. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #7269 from openSUSE/seccompOpenShift Merge Robot2020-08-11
|\ | | | | Allow specifying seccomp profiles for privileged containers
| * Allow specifying seccomp profiles for privileged containersSascha Grunert2020-08-11
| | | | | | | | | | | | | | To sync the behavior between AppArmor and seccomp it is now possible to also specify seccomp profiles for privileged containers. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* | Do not use image CMD if user gave ENTRYPOINTMatthew Heon2020-08-10
|/ | | | | | | | | | | | | | | | This matches Docker behavior, and seems to make sense - the CMD may have been specific to the original entrypoint and probably does not make sense if it was changed. While we're in here, greatly simplify the logic for populating the SpecGen's Command. We create the full command when making the OCI spec, so the client should not be doing any more than setting it to the Command the user passed in, and completely ignoring ENTRYPOINT. Fixes #7115 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #7176 from mheon/make_entrypointOpenShift Merge Robot2020-08-05
|\ | | | | Ensure WORKDIR from images is created
| * HACK HACK try debugging buildMatthew Heon2020-08-04
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>