From 4352d585490f6c1eb7234ef4f92e0157083d69b3 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 27 Mar 2020 10:13:51 -0400
Subject: Add support for containers.conf vendor in c/common config pkg for containers.conf
Signed-off-by: Qi Wang qiwan@redhat.com
Signed-off-by: Daniel J Walsh
---
 test/e2e/config/containers-caps.conf | 17 +++
 test/e2e/config/containers-ns.conf | 24 ++++
 test/e2e/config/containers.conf | 50 ++++++++
 test/e2e/containers_conf_test.go | 214 +++++++++++++++++++++++++++++++++++
 4 files changed, 305 insertions(+)
 create mode 100644 test/e2e/config/containers-caps.conf
 create mode 100644 test/e2e/config/containers-ns.conf
 create mode 100644 test/e2e/config/containers.conf
 create mode 100644 test/e2e/containers_conf_test.go
(limited to 'test')
diff --git a/test/e2e/config/containers-caps.conf b/test/e2e/config/containers-caps.conf
new file mode 100644
index 000000000..7b964e4a7
--- /dev/null
+++ b/test/e2e/config/containers-caps.conf
@@ -0,0 +1,17 @@
+[containers]
+
+# List of default capabilities for containers. If it is empty or commented out,
+# the default capabilities defined in the container engine will be added.
+#
+default_capabilities = [
+ "CHOWN",
+ "DAC_OVERRIDE",
+ "FOWNER",
+ "FSETID",
+ "KILL",
+ "MKNOD",
+ "NET_BIND_SERVICE",
+ "SETGID",
+ "SETPCAP",
+ "SETUID",
+]
diff --git a/test/e2e/config/containers-ns.conf b/test/e2e/config/containers-ns.conf
new file mode 100644
index 000000000..d2cf5b03f
--- /dev/null
+++ b/test/e2e/config/containers-ns.conf
@@ -0,0 +1,24 @@
+[containers]
+
+pidns = "host"
+netns = "host"
+ipcns = "host"
+utsns = "host"
+userns = "host"
+cgroupns = "host"
+
+# List of default capabilities for containers. If it is empty or commented out,
+# the default capabilities defined in the container engine will be added.
+#
+default_capabilities = [
+ "CHOWN",
+ "DAC_OVERRIDE",
+ "FOWNER",
+ "FSETID",
+ "KILL",
+ "MKNOD",
+ "NET_BIND_SERVICE",
+ "SETGID",
+ "SETPCAP",
+ "SETUID",
+]
diff --git a/test/e2e/config/containers.conf b/test/e2e/config/containers.conf
new file mode 100644
index 000000000..55d18f5e8
--- /dev/null
+++ b/test/e2e/config/containers.conf
@@ -0,0 +1,50 @@
+[containers]
+
+# A list of ulimits to be set in containers by default, specified as
+# "=:", for example:
+# "nofile=1024:2048"
+# See setrlimit(2) for a list of resource names.
+# Any limit not specified here will be inherited from the process launching the
+# container engine.
+# Ulimits has limits for non privileged container engines.
+#
+default_ulimits = [
+ "nofile=500:500",
+]
+
+# Environment variable list for the conmon process; used for passing necessary
+# environment variables to conmon or the runtime.
+#
+env = [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "foo=bar",
+]
+
+# container engines use container separation using MAC(SELinux) labeling.
+# Flag is ignored on label disabled systems.
+#
+label = true
+
+# Size of /dev/shm. Specified as .
+# Unit is optional, values:
+# b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
+# If the unit is omitted, the system uses bytes.
+#
+shm_size = "201k"
+
+# List of devices. Specified as
+# "::", for example:
+# "/dev/sdc:/dev/xvdc:rwm".
+# If it is empty or commented out, only the default devices will be used
+#
+devices = [
+ "/dev/zero:/dev/notone,rwm",
+]
+
+default_sysctls = [
+ "net.ipv4.ping_group_range=0 1000",
+]
+
+dns_searches=[ "foobar.com", ]
+dns_servers=[ "1.2.3.4", ]
+dns_options=[ "debug", ]
diff --git a/test/e2e/containers_conf_test.go b/test/e2e/containers_conf_test.go
new file mode 100644
index 000000000..a2ef7eb4a
--- /dev/null
+++ b/test/e2e/containers_conf_test.go
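Review bot: The `devices` entry `"/dev/zero:/dev/notone,rwm"` separates the permission string with a comma, while the comment directly above it documents colon-separated host:container:permissions fields and gives `"/dev/sdc:/dev/xvdc:rwm"` as the example (the placeholder brackets in that comment appear to have been lost in rendering). If the device parser splits on `:` only, the container path becomes `/dev/notone,rwm` and the `rwm` permissions are never applied; the test `podman run with additional devices` in the Go hunk only checks that `notone` appears in `ls /dev`, so it would not notice. Either use `"/dev/zero:/dev/notone:rwm"` to match the documented format, or add a comment above the entry stating that the comma form is deliberate and what it is meant to exercise.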
@@ -0,0 +1,214 @@
+// +build !remoteclient
+
+package integration
+
+import (
+ "fmt"
+ "io/ioutil"
+ "os"
+ "os/exec"
+ "path/filepath"
+ "strings"
+
+ . "github.com/containers/libpod/test/utils"
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+var _ = Describe("Podman run", func() {
+ var (
+ tempdir string
+ err error
+ podmanTest *PodmanTestIntegration
+ )
+
+ BeforeEach(func() {
+ tempdir, err = CreateTempDirInTempDir()
+ if err != nil {
+ os.Exit(1)
+ }
+ podmanTest = PodmanTestCreate(tempdir)
+ podmanTest.Setup()
+ podmanTest.SeedImages()
+ os.Setenv("CONTAINERS_CONF", "config/containers.conf")
+ })
+
+ AfterEach(func() {
+ podmanTest.Cleanup()
+ f := CurrentGinkgoTestDescription()
+ processTestResult(f)
+ os.Unsetenv("CONTAINERS_CONF")
+ })
+
+ It("podman run limits test", func() {
+ SkipIfRootless()
+ //containers.conf is set to "nofile=500:500"
+ session := podmanTest.Podman([]string{"run", "--rm", fedoraMinimal, "ulimit", "-n"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("500"))
+
+ session = podmanTest.Podman([]string{"run", "--rm", "--ulimit", "nofile=2048:2048", fedoraMinimal, "ulimit", "-n"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("2048"))
+ })
+
+ It("podman run with containers.conf having additional env", func() {
+ //containers.conf default env includes foo
+ session := podmanTest.Podman([]string{"run", ALPINE, "printenv"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("foo=bar"))
+ })
+
+ It("podman run with additional devices", func() {
+ //containers.conf devices includes notone
+ session := podmanTest.Podman([]string{"run", "--device", "/dev/null:/dev/bar", ALPINE, "ls", "/dev"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("bar"))
+ Expect(session.OutputToString()).To(ContainSubstring("notone"))
+ })
+
+ It("podman run shm-size", func() {
+ //containers.conf default sets shm-size=201k, which ends up as 200k
+ session := podmanTest.Podman([]string{"run", ALPINE, "grep", "shm", "/proc/self/mounts"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("size=200k"))
+ })
+
+ It("podman Capabilities in containers.conf", func() {
+ SkipIfRootless()
+ os.Setenv("CONTAINERS_CONF", "config/containers.conf")
+ cap := podmanTest.Podman([]string{"run", ALPINE, "grep", "CapEff", "/proc/self/status"})
+ cap.WaitWithDefaultTimeout()
+ Expect(cap.ExitCode()).To(Equal(0))
+
+ os.Setenv("CONTAINERS_CONF", "config/containers-ns.conf")
+ session := podmanTest.Podman([]string{"run", "busybox", "grep", "CapEff", "/proc/self/status"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).ToNot(Equal(cap.OutputToString()))
+ })
+
+ It("podman Regular capabilties", func() {
+ SkipIfRootless()
+ os.Setenv("CONTAINERS_CONF", "config/containers.conf")
+ setup := podmanTest.RunTopContainer("test1")
+ setup.WaitWithDefaultTimeout()
+ result := podmanTest.Podman([]string{"top", "test1", "capeff"})
+ result.WaitWithDefaultTimeout()
+ Expect(result.ExitCode()).To(Equal(0))
+ Expect(result.OutputToString()).To(ContainSubstring("SYS_CHROOT"))
+ Expect(result.OutputToString()).To(ContainSubstring("NET_RAW"))
+ })
+
+ It("podman drop capabilties", func() {
+ os.Setenv("CONTAINERS_CONF", "config/containers-caps.conf")
+ setup := podmanTest.RunTopContainer("test1")
+ setup.WaitWithDefaultTimeout()
+ result := podmanTest.Podman([]string{"container", "top", "test1", "capeff"})
+ result.WaitWithDefaultTimeout()
+ Expect(result.ExitCode()).To(Equal(0))
+ Expect(result.OutputToString()).ToNot(ContainSubstring("SYS_CHROOT"))
+ Expect(result.OutputToString()).ToNot(ContainSubstring("NET_RAW"))
+ })
+
+ verifyNSHandling := func(nspath, option string) {
+ os.Setenv("CONTAINERS_CONF", "config/containers-ns.conf")
+ //containers.conf default ipcns to default to host
+ session := podmanTest.Podman([]string{"run", ALPINE, "ls", "-l", nspath})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ fields := strings.Split(session.OutputToString(), " ")
+ ctrNS := strings.TrimSuffix(fields[len(fields)-1], "\n")
+
+ cmd := exec.Command("ls", "-l", nspath)
+ res, err := cmd.Output()
+ Expect(err).To(BeNil())
+ fields = strings.Split(string(res), " ")
+ hostNS := strings.TrimSuffix(fields[len(fields)-1], "\n")
+ Expect(hostNS).To(Equal(ctrNS))
+
+ session = podmanTest.Podman([]string{"run", option, "private", ALPINE, "ls", "-l", nspath})
+ fields = strings.Split(session.OutputToString(), " ")
+ ctrNS = fields[len(fields)-1]
+ Expect(hostNS).ToNot(Equal(ctrNS))
+ }
+
+ It("podman compare netns", func() {
+ verifyNSHandling("/proc/self/ns/net", "--network")
+ })
+
+ It("podman compare ipcns", func() {
+ verifyNSHandling("/proc/self/ns/ipc", "--ipc")
+ })
+
+ It("podman compare utsns", func() {
+ verifyNSHandling("/proc/self/ns/uts", "--uts")
+ })
+
+ It("podman compare pidns", func() {
+ verifyNSHandling("/proc/self/ns/pid", "--pid")
+ })
+
+ It("podman compare cgroupns", func() {
+ verifyNSHandling("/proc/self/ns/cgroup", "--cgroupns")
+ })
+
+ It("podman containers.conf additionalvolumes", func() {
+ conffile := filepath.Join(podmanTest.TempDir, "container.conf")
+ tempdir, err = CreateTempDirInTempDir()
+ if err != nil {
+ os.Exit(1)
+ }
+ err := ioutil.WriteFile(conffile, []byte(fmt.Sprintf("[containers]\nvolumes=[\"%s:%s:Z\",]\n", tempdir, tempdir)), 0755)
+ if err != nil {
+ os.Exit(1)
+ }
+
+ os.Setenv("CONTAINERS_CONF", conffile)
+ result := podmanTest.Podman([]string{"run", ALPINE, "ls", tempdir})
+ result.WaitWithDefaultTimeout()
+ Expect(result.ExitCode()).To(Equal(0))
+ })
+
+ It("podman run containers.conf sysctl test", func() {
+ SkipIfRootless()
+ //containers.conf is set to "net.ipv4.ping_group_range=0 1000"
+ session := podmanTest.Podman([]string{"run", "--rm", fedoraMinimal, "cat", "/proc/sys/net/ipv4/ping_group_range"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("1000"))
+ })
+
+ It("podman run containers.conf search domain", func() {
+ session := podmanTest.Podman([]string{"run", ALPINE, "cat", "/etc/resolv.conf"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ session.LineInOuputStartsWith("search foobar.com")
+ })
+
+ It("podman run add dns server", func() {
+ session := podmanTest.Podman([]string{"run", ALPINE, "cat", "/etc/resolv.conf"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ session.LineInOuputStartsWith("server 1.2.3.4")
+ })
+
+ It("podman run add dns option", func() {
+ session := podmanTest.Podman([]string{"run", ALPINE, "cat", "/etc/resolv.conf"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ session.LineInOuputStartsWith("options debug")
+ })
+
+ It("podman run containers.conf remove all search domain", func() {
+ session := podmanTest.Podman([]string{"run", "--dns-search=.", ALPINE, "cat", "/etc/resolv.conf"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.LineInOuputStartsWith("search")).To(BeFalse())
+ })
+})
-- cgit v1.2.3-54-g00ecf
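Review bot: The three resolv.conf tests near the end of the hunk (`podman run containers.conf search domain`, `podman run add dns server`, `podman run add dns option`) call `session.LineInOuputStartsWith(...)` and discard the returned bool, so none of them can fail; wrap each call the way the last test in the file already does, e.g. `Expect(session.LineInOuputStartsWith("search foobar.com")).To(BeTrue())`. Once asserted, `"server 1.2.3.4"` will likely need to become `"nameserver 1.2.3.4"`, since that is the resolv.conf keyword. In `verifyNSHandling`, the second `podmanTest.Podman` run with `option, "private"` has its output read via `OutputToString()` with no preceding `WaitWithDefaultTimeout()` or exit-code check, so `ctrNS` can be taken from incomplete output and `Expect(hostNS).ToNot(Equal(ctrNS))` passes on an empty string; add `session.WaitWithDefaultTimeout()` and `Expect(session.ExitCode()).To(Equal(0))` before the split. In the additionalvolumes test the generated config file is written with mode `0755`, which sets an execute bit a config file does not need (`0644` is the usual choice), and the second `CreateTempDirInTempDir()` result overwrites the `tempdir` that `podmanTest` was created from, so that directory is not tracked for cleanup.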