From 1814bac92e98bf24c8f757dcd42fc0ae9fb9f9b0 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 13 Oct 2020 17:43:26 -0400
Subject: Setup HOME environment when using --userns=keep-id
Currently the HOME environment is set to /root if the user does not override it. Also walk the parent directories of users homedir to see if it is volume mounted into the container, if yes, then set it correctly.
Signed-off-by: Daniel J Walsh
---
 libpod/container_internal_linux.go | 30 +++++++++++++++++++++++++++---
 test/e2e/toolbox_test.go | 12 ++++++++++++
 2 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 3a71c6601..105623810 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -1717,11 +1717,35 @@ func (c *Container) generateCurrentUserPasswdEntry() (string, int, int, error) {
 // If the user's actual home directory exists, or was mounted in - use
 // that.
 homeDir := c.WorkingDir()
- if MountExists(c.config.Spec.Mounts, u.HomeDir) {
- homeDir = u.HomeDir
+ hDir := u.HomeDir
+ for hDir != "/" {
+ if MountExists(c.config.Spec.Mounts, hDir) {
+ homeDir = u.HomeDir
+ break
+ }
+ hDir = filepath.Dir(hDir)
+ }
+ if homeDir != u.HomeDir {
+ for _, hDir := range c.UserVolumes() {
+ if hDir == u.HomeDir {
+ homeDir = u.HomeDir
+ break
+ }
+ }
+ }
+ // Set HOME environment if not already set
+ hasHomeSet := false
+ for _, s := range c.config.Spec.Process.Env {
+ if strings.HasPrefix(s, "HOME=") {
+ hasHomeSet = true
+ break
+ }
+ }
+ if !hasHomeSet {
+ c.config.Spec.Process.Env = append(c.config.Spec.Process.Env, fmt.Sprintf("HOME=%s", homeDir))
 }
- return fmt.Sprintf("%s:*:%s:%s:%s:%s:/bin/sh\n", u.Username, u.Uid, u.Gid, u.Username, homeDir), uid, rootless.GetRootlessGID(), nil
+ return fmt.Sprintf("%s:*:%s:%s:%s:%s:/bin/sh\n", u.Username, u.Uid, u.Gid, u.Name, homeDir), uid, rootless.GetRootlessGID(), nil
 }
 // generateUserPasswdEntry generates an /etc/passwd entry for the container user
diff --git a/test/e2e/toolbox_test.go b/test/e2e/toolbox_test.go
index 6122cee19..4f4113bd4 100644
--- a/test/e2e/toolbox_test.go
+++ b/test/e2e/toolbox_test.go
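Review bot: The parent walk `for hDir != "/" {` never terminates when `u.HomeDir` is empty or relative, because `filepath.Dir("")` and `filepath.Dir(".")` both return `"."`, so `hDir` can never reach `"/"`; an account whose passwd home field is empty (os/user passes that value through as-is, as far as I know) would spin forever at container creation. Guarding on absoluteness fixes it and loses nothing, since a relative or empty home can never equal an absolute mount destination: `for filepath.IsAbs(hDir) && hDir != "/" {`. The opening of generateCurrentUserPasswdEntry, including where `u` is looked up, sits above the hunk, so the origin of `u.HomeDir` is inferred here. The new block also mutates `c.config.Spec.Process.Env` from a function whose name promises only a passwd entry; its doc comment (outside the hunk) should state that it appends `HOME=` when the spec has none, so callers are not surprised by the side effect.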
@@ -365,4 +365,16 @@ var _ = Describe("Toolbox-specific testing", func() {
 Expect(session.ExitCode()).To(Equal(0))
 Expect(session.OutputToString()).To(ContainSubstring("READY"))
 })
+
+ It("podman run --userns=keep-id check $HOME", func() {
+ var session *PodmanSessionIntegration
+
+ currentUser, err := user.Current()
+ Expect(err).To(BeNil())
+ session = podmanTest.Podman([]string{"run", "-v", fmt.Sprintf("%s:%s", currentUser.HomeDir, currentUser.HomeDir), "--userns=keep-id", fedoraToolbox, "sh", "-c", "echo $HOME"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring(currentUser.HomeDir))
+ })
+
 })
-- cgit v1.2.3-54-g00ecf
From 1646da834c06d55e7bf56b272f2666659117e6fa Mon Sep 17 00:00:00 2001
From: Ed Santiago
Date: Wed, 14 Oct 2020 06:24:17 -0600
Subject: System test additions
- run --userns=keep-id: confirm that $HOME gets set (#8013) - inspect: confirm that JSON output is a sane number of lines (10 or more), not an unreadable one-liner (#8011 and #8021). Do so with image, pod, network, volume because the code paths might be different. - cgroups: confirm that 'run' preserves cgroup manager (#7970) - sdnotify: reenable tests, and hope CI doesn't hang. This test was disabled on August 18 because CI jobs were hanging and timing out. My suspicion was that it was #7316, which in turn seems to have hinged on conmon #182. The latter was merged on Sep 16, so let's cross our fingers and see what happens. Also: remove inaccurate warning from a networking test. And, wow, fix is_cgroupsv2(), it has never actually worked.
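Review bot: The final `ContainSubstring(currentUser.HomeDir)` is looser than the property being tested: it also passes if `$HOME` came out as some longer path that merely contains the home directory, or if stray output preceded it. The container prints exactly one path, so `Expect(session.OutputToString()).To(Equal(currentUser.HomeDir))` pins the behaviour this commit adds (assuming OutputToString returns the trimmed output, which I cannot confirm from this hunk). The `var session *PodmanSessionIntegration` declaration followed by a plain assignment could also collapse to `session := podmanTest.Podman(...)`, which removes one line and the nil window between them.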
Signed-off-by: Ed Santiago
---
 test/system/030-run.bats | 30 +++++++++++++++++++++++++++++-
 test/system/070-build.bats | 6 ++++++
 test/system/160-volumes.bats | 6 ++++++
 test/system/200-pod.bats | 6 ++++++
 test/system/260-sdnotify.bats | 2 --
 test/system/420-cgroups.bats | 34 ++++++++++++++++++++++++++++++++++
 test/system/500-networking.bats | 7 ++++++-
 test/system/helpers.bash | 2 +-
 8 files changed, 88 insertions(+), 5 deletions(-)
 create mode 100644 test/system/420-cgroups.bats
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 766948ecc..28dc7c7a7 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -303,8 +303,36 @@ echo $rand | 0 | $rand
 # This would always work on root, but is new behavior on rootless: #6829
 # adds a user entry to /etc/passwd
+ whoami=$(id -un)
 run_podman run --rm --userns=keep-id $IMAGE id -un
- is "$output" "$(id -un)" "username on container with keep-id"
+ is "$output" "$whoami" "username on container with keep-id"
+
+ # Setting user should also set $HOME (#8013).
+ # Test setup below runs three cases: one with an existing home dir
+ # and two without (one without any volume mounts, one with a misspelled
+ # username). In every case, initial cwd should be /home/podman because
+ # that's the container-defined WORKDIR. In the case of an existing
+ # home dir, $HOME and ~ (passwd entry) will be /home/user; otherwise
+ # they should be /home/podman.
+ if is_rootless; then
+ tests="
+ | /home/podman /home/podman /home/podman | no vol mount
+/home/x$whoami | /home/podman /home/podman /home/podman | bad vol mount
+/home/$whoami | /home/podman /home/$whoami /home/$whoami | vol mount
+"
+ while read vol expect name; do
+ opts=
+ if [[ "$vol" != "''" ]]; then
+ opts="-v $vol"
+ fi
+ run_podman run --rm $opts --userns=keep-id \
+ $IMAGE sh -c 'echo $(pwd;printenv HOME;echo ~)'
+ is "$output" "$expect" "run with --userns=keep-id and $name sets \$HOME"
+ done < <(parse_table "$tests")
+
+ # Clean up volumes
+ run_podman volume rm -a
+ fi
 # --privileged should make no difference
 run_podman run --rm --privileged --userns=keep-id $IMAGE id -un
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index 287323bbf..0741357ed 100644
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
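Review bot: `run_podman volume rm -a` in the cleanup step deletes every volume the podman instance knows about, not just the two anonymous volumes the `-v /home/x$whoami` and `-v /home/$whoami` rows create, so anything left by an earlier test, or by a developer running the suite against their own storage, is removed silently. Naming the volumes in the table, e.g. `vol_bad:/home/x$whoami` and `vol_good:/home/$whoami`, and finishing with `run_podman volume rm vol_bad vol_good` confines the cleanup to what this test made, provided a named volume reaches the same code path in the product as an anonymous one (not verifiable from this hunk). The `[[ "$vol" != "''" ]]` test also relies on parse_table rendering an empty cell as a literal `''`; a short comment on that line, `# parse_table emits '' for an empty cell`, would spare the next reader a trip to helpers.bash.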
@@ -224,6 +224,12 @@ EOF
 # Confirm that 'podman inspect' shows the expected values
 # FIXME: can we rely on .Env[0] being PATH, and the rest being in order??
 run_podman image inspect build_test
+
+ # (Assert that output is formatted, not a one-line blob: #8011)
+ if [[ "${#lines[*]}" -lt 10 ]]; then
+ die "Output from 'image inspect' is only ${#lines[*]} lines; see #8011"
+ fi
+
 tests="
 Env[1] | MYENV1=$s_env1
 Env[2] | MYENV2=this-should-be-overridden-by-env-host
diff --git a/test/system/160-volumes.bats b/test/system/160-volumes.bats
index 1c1e0f4ae..9f4bb76a2 100644
--- a/test/system/160-volumes.bats
+++ b/test/system/160-volumes.bats
@@ -213,6 +213,12 @@ EOF
 run_podman volume create $vol
 done
+ # (Assert that output is formatted, not a one-line blob: #8011)
+ run_podman volume inspect ${v[1]}
+ if [[ "${#lines[*]}" -lt 10 ]]; then
+ die "Output from 'volume inspect' is only ${#lines[*]} lines; see #8011"
+ fi
+
 # Run two containers: one mounting v1, one mounting v2 & v3
 run_podman run --name c1 --volume ${v[1]}:/vol1 $IMAGE date
 run_podman run --name c2 --volume ${v[2]}:/vol2 -v ${v[3]}:/vol3 \
diff --git a/test/system/200-pod.bats b/test/system/200-pod.bats
index 2ae038dfe..1d17c8cad 100644
--- a/test/system/200-pod.bats
+++ b/test/system/200-pod.bats
@@ -66,6 +66,12 @@ function teardown() {
 run_podman pod exists $podname
 run_podman pod exists $podid
+ # (Assert that output is formatted, not a one-line blob: #8021)
+ run_podman pod inspect $podname
+ if [[ "${#lines[*]}" -lt 10 ]]; then
+ die "Output from 'pod inspect' is only ${#lines[*]} lines; see #8011"
+ fi
+
 # Randomly-assigned port in the 5xxx range
 for port in $(shuf -i 5000-5999);do
 if ! { exec 3<> /dev/tcp/127.0.0.1/$port; } &>/dev/null; then
diff --git a/test/system/260-sdnotify.bats b/test/system/260-sdnotify.bats
index 06aa3bba7..2ddeda96a 100644
--- a/test/system/260-sdnotify.bats
+++ b/test/system/260-sdnotify.bats
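Review bot: In the 200-pod.bats hunk the `die` message cites #8011 while the comment two lines above it cites #8021, and the same copy-paste reached 500-networking.bats, whose message says `'pod inspect'` for what is a `network inspect` check; a failing run would point the reader at the wrong command and issue. The lines would read `die "Output from 'pod inspect' is only ${#lines[*]} lines; see #8021"` here and `die "Output from 'network inspect' is only ${#lines[*]} lines; see #8011"` in 500-networking.bats. The identical "at least N lines" block now exists in four files (070-build, 160-volumes, 200-pod, 500-networking); a helper in helpers.bash taking the command name and the minimum line count would keep the wording consistent and make the threshold, 10 in three places and 5 in the networking test, an explicit argument rather than a number that has to be read out of each copy.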
@@ -12,8 +12,6 @@ _SOCAT_LOG=
 function setup() {
 skip_if_remote "systemd tests are meaningless over remote"
- skip "FIXME FIXME FIXME, is this what's causing the CI hang???"
- # Skip if systemd is not running
 systemctl list-units &>/dev/null || skip "systemd not available"
diff --git a/test/system/420-cgroups.bats b/test/system/420-cgroups.bats
new file mode 100644
index 000000000..615e43e6c
--- /dev/null
+++ b/test/system/420-cgroups.bats
@@ -0,0 +1,34 @@
+#!/usr/bin/env bats -*- bats -*-
+#
+# cgroups-related tests
+#
+
+load helpers
+
+@test "podman run, preserves initial --cgroup-manager" {
+ skip_if_remote "podman-remote does not support --cgroup-manager"
+
+ if is_rootless && is_cgroupsv1; then
+ skip "not supported as rootless under cgroups v1"
+ fi
+
+ # Find out our default cgroup manager, and from that, get the non-default
+ run_podman info --format '{{.Host.CgroupManager}}'
+ case "$output" in
+ systemd) other="cgroupfs" ;;
+ cgroupfs) other="systemd" ;;
+ *) die "Unknown CgroupManager '$output'" ;;
+ esac
+
+ run_podman --cgroup-manager=$other run --name myc $IMAGE true
+ run_podman container inspect --format '{{.HostConfig.CgroupManager}}' myc
+ is "$output" "$other" "podman preserved .HostConfig.CgroupManager"
+
+ # Restart the container, without --cgroup-manager option (ie use default)
+ # Prior to #7970, this would fail with an OCI runtime error
+ run_podman start myc
+
+ run_podman rm myc
+}
+
+# vim: filetype=sh
diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats
index a923402ac..44cc731cf 100644
--- a/test/system/500-networking.bats
+++ b/test/system/500-networking.bats
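Review bot: In the new 420-cgroups.bats test, `run_podman start myc` only proves the restart did not error; the property the comment describes (#7970, the manager recorded at creation survives a restart without `--cgroup-manager`) is not re-checked afterwards. Two lines after the start would pin it: `run_podman container inspect --format '{{.HostConfig.CgroupManager}}' myc` and `is "$output" "$other" "cgroup manager preserved across start"`. Separately, `run_podman rm myc` runs only if every earlier assertion passed, so a failed `is` leaves `myc` behind and a rerun would trip over the fixed `--name myc` unless the suite's teardown removes stray containers (helpers.bash is not in view, so that is an assumption); a per-test unique container name would make the test self-contained either way.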
@@ -90,7 +90,12 @@ load helpers
 run_podman network create --subnet "${mysubnet}.0/24" $mynetname
 is "$output" ".*/cni/net.d/$mynetname.conflist" "output of 'network create'"
- # WARNING: this pulls a ~100MB image from quay.io, hence is slow/flaky
+ # (Assert that output is formatted, not a one-line blob: #8011)
+ run_podman network inspect $mynetname
+ if [[ "${#lines[*]}" -lt 5 ]]; then
+ die "Output from 'pod inspect' is only ${#lines[*]} lines; see #8011"
+ fi
+
 run_podman run --rm --network $mynetname $IMAGE ip a
 is "$output" ".* inet ${mysubnet}\.2/24 brd ${mysubnet}\.255 " \
 "sdfsdf"
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index c6c2c12df..4591c9015 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -247,7 +247,7 @@ function is_cgroupsv1() {
 function is_cgroupsv2() {
 cgroup_type=$(stat -f -c %T /sys/fs/cgroup)
- test "$cgroup_type" = "cgroupfs"
+ test "$cgroup_type" = "cgroup2fs"
 }
 ###########################
-- cgit v1.2.3-54-g00ecf
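Review bot: In the helpers.bash hunk, `cgroup_type=$(stat -f -c %T /sys/fs/cgroup)` in is_cgroupsv2 assigns a global because it has no `local`, so every caller leaks `cgroup_type` into the test's namespace; since the function now gates 420-cgroups.bats, `local cgroup_type=$(stat -f -c %T /sys/fs/cgroup)` is worth adding while the line is being touched. is_cgroupsv1, whose body sits just above the hunk, presumably classifies the same `stat` output with a different expected value; given that the old v2 check compared against a string it could never match, confirming that the v1 function returns the right answer on a v2 host seems prudent, because the new test skips only on rootless+v1 and would run under a wrong classification.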