summaryrefslogtreecommitdiff
path: root/test/system/410-selinux.bats
Commit message (Collapse)AuthorAge
* system tests: fix broken runc testEd Santiago2022-08-16
| | | | | | | | | | | | | Followup to #14613, which was never actually tested until this week in RHEL8 gating tests (see issue #15337). * add missing backslash in '|' expression * allow extra text after error (e.g., "invalid argument") No way to test this until it makes its way into RHEL8, so, fingers crossed. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Cirrus: enable Fedora 36 aarch64 tasks on EC2Lokesh Mandvekar2022-07-27
| | | | | | | | | | | new file: test/e2e/config_arm64.go Tests that fail on aarch64 have been skipped with `skip_if_aarch64`. Co-authored-by: Chris Evich <cevich@redhat.com> Co-authored-by: Ed Santiago <santiago@redhat.com> Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
* test/system/410-selinux: fix for newer runcKir Kolyshkin2022-06-15
| | | | | | | | | | | | | | | | With runc 1.1, we have the following failure: # #| FAIL: podman emits useful diagnostic on failure # #| expected: 'Error.*: OCI runtime error: .*: failed to set /proc/self/attr/keycreate on procfs' (using expr) # #| actual: 'Error: OCI runtime error: runc: runc create failed: unable to start container process: error during container init: write /proc/self/attr/keycreate: invalid argument' which is caused by the fact that runc 1.1 uses newer opencontainers/selinux package, which changes custom errors to standard os.PathError instances (so that they can be unwrapped if needed). Fix the test case accordingly. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
* system tests: add assert(), and start using itEd Santiago2022-04-20
| | | | | | | | | | | | | | | | | | | | | Problem: the system test 'is()' checker was poorly thought out. For example, there is no way to check for inequality or for absence of a substring. Solution, step 1: introduce new assert(), copied almost verbatim from buildah, where it has been successful in addressing the gaps in is(). The logical next step is to search the tests for 'die' and for 'run', looking for negative assertions which we can replace with assert(). There were a lot, and in the process I found a number of ugly bugs in the tests themselves. I've taken the liberty of fixing these. Important note: at this time we have both assert() and is(). Replacing all instances of is() would be impossible to review. Signed-off-by: Ed Santiago <santiago@redhat.com>
* CI: enable rootless-remote system testsEd Santiago2022-01-24
| | | | | | | | | | | | Minimal: only test Fedora.Latest. Reason: podman 4.0.0-0.2.rc2 broke bodhi gating tests: https://github.com/containers/podman/issues/12989 Requires skipping two recently-added tests that use 'podman unshare', which doesn't work on remote. Signed-off-by: Ed Santiago <santiago@redhat.com>
* We should only be relabeling when on first runDaniel J Walsh2021-10-15
| | | | | | | | | On the second runs, the labels should be the same so no need to relabel. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2013548 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add --time out for podman * rm -f commandsDaniel J Walsh2021-10-04
| | | | | | | | | Add --time flag to podman container rm Add --time flag to podman pod rm Add --time flag to podman volume rm Add --time flag to podman network rm Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* System tests: tighten 'is' operatorEd Santiago2021-09-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix day-one sloppiness: when I first wrote this framework it compared strings using 'expr', not '=', to be more forgiving of extra cruft in output. This was a bad decision. It means that warnings or additional text are ignored: is "all is ok, NOT!" "all is ok" <-- this would pass Solution: tighten up the 'is' check. Use '=' (direct compare) first. If it fails, look for wild cards ('*') or character classes ('[') in the expect string. If so, and only then, use 'expr'. And, thanks to a clever suggestion from Luap99, include '(using expr)' in the error message when we do so; this could make it easier for a developer to understand a string mismatch. This change exposes a lot of instances in which we weren't doing proper comparisons. Fix those. Thankfully, there weren't as many as I'd feared. Also, and completely unrelated, add '-T' flag to bats helper, for showing timing results. (I will open this as a separate PR if requested. I too find it offensive to jumble together unrelated commits.) Signed-off-by: Ed Santiago <santiago@redhat.com>
* test: skip test on rootless cgroupsv1Giuseppe Scrivano2021-09-30
| | | | | | | | | | | | | | | skip the test "podman selinux: shared context in (some) namespaces" on cgroupsv1 when running as rootless since the tests requires --pid=container:. If the container runtime cannot use cgroupsv1 and the container has no pid namespace. then it is not possible to correctly terminate the container. Without a cgroup or a pid namespace, the runtime has no control on what processes are in the container. Closes: https://github.com/containers/podman/issues/11785 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Fix handling of user specified container labelsDaniel J Walsh2021-08-02
| | | | | | | | | | | Currently we override the SELinux labels specified by the user if the container is runing a kata container or systemd container. This PR fixes to use the label specified by the user. Fixes: https://github.com/containers/podman/issues/11100 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* System tests: deal with crun 0.20.1Ed Santiago2021-06-09
| | | | | | | | | | crun 0.20.1 changed an error message that we relied on. Deal with it by accepting the old and new message. Also (unrelated): sneak in some doc fixes to get rid of nasty go-md2man warnings that have crept into man pages. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Revert Patch to relabel if selinux not enabledDaniel J Walsh2021-05-06
| | | | | | | | | | Revert : https://github.com/containers/podman/pull/9895 Turns out that if Docker is in --selinux-enabeled, it still relabels if the user tells the system to, even if running a --privileged container or if the selinux separation is disabled --security-opt label=disable. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* System tests: honor $OCI_RUNTIME (for CI)Ed Santiago2021-05-03
| | | | | | | | | | | | | | | | | | | | | | | Some CI systems set $OCI_RUNTIME as a way to override the default crun. Integration (e2e) tests honor this, but system tests were not aware of the convention; this means we haven't been testing system tests with runc, which means RHEL gating tests are now failing. The proper solution would be to edit containers.conf on CI systems. Sorry, that would involve too much CI-VM work. Instead, this PR detects $OCI_RUNTIME and creates a dummy containers.conf file using that runtime. Add: various skips for tests that don't work with runc. Refactor: add a helper function so we don't need to do the complicated 'podman info blah blah .OCIRuntime.blah' thing in many places. BUG: we leave a tmp file behind on exit. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Don't relabel volumes if running in a privileged containerDaniel J Walsh2021-04-05
| | | | | | | | | Docker does not relabel this content, and openstack is running containers in this manner. There is a penalty for doing this on each container, that is not worth taking on a disable SELinux container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* System tests: reenable a bunch of skipped testsEd Santiago2021-03-20
| | | | | | | | Checking for 'skip.*[0-9]{4,5}', and checking status on said issues, finds several that have been closed. Let's see if they're really fixed. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Add tests for selinux kvm/init labelsDaniel J Walsh2021-03-04
| | | | | | spc_t tests should be able to run rootless as well. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Check for supportsKVM based on basename of the runtimeDaniel J Walsh2021-03-03
| | | | | | | | | | | Fixes: https://github.com/containers/podman/issues/9582 This PR also adds tests to make sure SELinux labels match the runtime, or if init is specified works with the correct label. Add tests for selinux kvm/init labels Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* System tests: cover gaps from the last monthEd Santiago2021-01-25
| | | | | | | | | | | | | | | | | | | - stop: test --all and --ignore (#9051) - build: test /run/secrets (#8679, but see below) - sensitive mount points: deal with 'stat' failures - selinux: confirm useful diagnostics on unknown labels (#8946) The 'build' test is intended as a fix for #8679, in which 'podman build' does not mount secrets from mounts.conf. Unfortunately, as of this writing, 'podman build' does not pass the --default-mounts-file option to buildah, so there's no reasonable way to test this path. Still, we can at least confirm /run/secrets on 'podman run'. The /sys thing is related to #8949: RHEL8, rootless, cgroups v1. It's just a workaround to get gating tests to pass on RHEL. Signed-off-by: Ed Santiago <santiago@redhat.com>
* system tests: cleanup, and add more testsEd Santiago2020-10-07
| | | | | | | | | | | | | | | | | | | | - images test: add test for 'table' and '\t' formatting - image mount test: check output from 'umount', test repeat umount (NOP), and test invalid-umount - kill test: remove kludgy workaround for crun signal bug ref: #5004 -- code is no longer needed (fingers crossed), and the workaround involved pulling an expensive image. - selinux test: add new tests for shared context in: * pods , w/ and w/o infra container (ref: #7902) * containers with namespace sharing: --ipc, --pid, --net - selinux test: new test for --pid=host (disabled pending propagation of container-selinux-2.146, ref: #7939) Signed-off-by: Ed Santiago <santiago@redhat.com>
* Handle podman-remote run --rmDaniel J Walsh2020-08-04
| | | | | | | | We need to remove the container after it has exited for podman-remote run --rm commands. If we don't remove this container at this step, we open ourselves up to race conditions. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Reenable remote system testsEd Santiago2020-08-03
| | | | | | | | | | | | | | | | | | | podman-remote is in better shape now. Let's see what needs to be done to reenable remote system tests. - logs test: skip multilog, it doesn't work remote - diff test: use -l only when local, not with remote - many other tests: skip_if_remote, with 'FIXME: pending #xxxx' where xxxx is a filed issue. Unrelated: added new helper to skip_if_remote and _if_rootless, where we check if the source message includes "remote"/"rootless" and insert it if missing. This is a minor usability enhancement to make it easier to understand at-a-glance why a skip triggers. Signed-off-by: Ed Santiago <santiago@redhat.com>
* system tests: new tests for run, execEd Santiago2020-07-14
| | | | | | | | | | | | | | | | | | | | | | - Issue #6735 : problem with multiple namespaces; confirms combinations of --userns=keep-id, --privileged, --user=XX - Issue #6829 : --userns=keep-id will add a /etc/passwd entry - Issue #6593 : podman exec, with --userns=keep-id, errors (test is currently skipped because issue remains live) ...and, addendum: add new helper function, remove_same_dev_warning. Some CI systems issue a warning on podman run --privileged: WARNING: The same type, major and minor should not be used for multiple devices. We already had special-case code to ignore than in the SELinux test, but now we're seeing it in the new run tests I added, so I've refactored the "ignore this warning" code and written tests for the removal code. Signed-off-by: Ed Santiago <santiago@redhat.com>
* system tests: add pod, inspect testingEd Santiago2020-06-26
| | | | | | | | | | | | | | | | Followup to #6761: confirm that 'podman ps' shows the ports on a running container in a pod created with -p (not to be confused with the container itself running with -p, tested in 500-networking.bats). While we're at it, test that the port handling itself works, by sending random text to the container and making sure the container receives it. Followup to #6752: 'podman inspect' should show multiple security opts Signed-off-by: Ed Santiago <santiago@redhat.com>
* more BATS testsEd Santiago2020-01-13
- run: --name (includes 'podman container exists' tests) - run: --pull (always, never, missing) - build: new test for ADD URL (#4420) - exec: new test for issue #4785 (pipe getting lost) - diff: new test - selinux (mostly copied from docker-autotest) Plus a bug fix: the wait_for_output() helper would continue checking, eventually timing out, even if the container had already exited (probably because of an error). Fix: as part of the loop, run 'podman inspect' and bail out if container is not running. Include exit code and logs. Signed-off-by: Ed Santiago <santiago@redhat.com>