From 7a5342804944472246ed0b977e9088e0b01be87b Mon Sep 17 00:00:00 2001 From: cdoern Date: Mon, 21 Mar 2022 22:52:50 -0400 Subject: fix pod volume passing and alter infra inheritance the infra Inherit function was not properly passing pod volume information to new containers alter the inherit function and struct to use the new `ConfigToSpec` function used in clone pick and choose the proper entities from a temp spec and validate them on the spegen side rather than passing directly to a config resolves #13548 Signed-off-by: cdoern Signed-off-by: cdoern Signed-off-by: cdoern --- test/e2e/pod_create_test.go | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'test') diff --git a/test/e2e/pod_create_test.go b/test/e2e/pod_create_test.go index 04e8cfd07..8def80213 100644 --- a/test/e2e/pod_create_test.go +++ b/test/e2e/pod_create_test.go @@ -874,6 +874,10 @@ ENTRYPOINT ["sleep","99999"] ctr3 := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "cat", "/tmp1/test"}) ctr3.WaitWithDefaultTimeout() Expect(ctr3.OutputToString()).To(ContainSubstring("hello")) + + ctr4 := podmanTest.Podman([]string{"run", "--pod", podName, ALPINE, "touch", "/tmp1/testing.txt"}) + ctr4.WaitWithDefaultTimeout() + Expect(ctr4).Should(Exit(0)) }) It("podman pod create --device", func() { -- cgit v1.2.3-54-g00ecf From 2a882b7703574dc890dd8e3a07be5ca9decd68ac Mon Sep 17 00:00:00 2001 From: Ed Santiago Date: Tue, 29 Mar 2022 10:18:02 -0600 Subject: Upgrade tests: reexamine cross-testing matrix - removed: v1.9.0, v2.0.6 + added: v3.4.0 (Cannot add v4 because there's no such image on quay. As soon as one appears, we should add it.) Add a workaround for a UTS namespace conflict new in v3.4 Signed-off-by: Ed Santiago --- .cirrus.yml | 6 ++---- test/upgrade/test-upgrade.bats | 10 ++++++++++ 2 files changed, 12 insertions(+), 4 deletions(-) (limited to 'test') diff --git a/.cirrus.yml b/.cirrus.yml index ae5463427..4001704c4 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -721,14 +721,12 @@ upgrade_test_task: depends_on: - local_system_test matrix: - - env: - PODMAN_UPGRADE_FROM: v1.9.0 - - env: - PODMAN_UPGRADE_FROM: v2.0.6 - env: PODMAN_UPGRADE_FROM: v2.1.1 - env: PODMAN_UPGRADE_FROM: v3.1.2 + - env: + PODMAN_UPGRADE_FROM: v3.4.4 gce_instance: *standardvm env: TEST_FLAVOR: upgrade_test diff --git a/test/upgrade/test-upgrade.bats b/test/upgrade/test-upgrade.bats index 063f4d624..198d8a169 100644 --- a/test/upgrade/test-upgrade.bats +++ b/test/upgrade/test-upgrade.bats @@ -75,6 +75,16 @@ setup() { cat >| $pmscript <= 3.4 something something namespace something, fails with +# Error: invalid config provided: cannot set hostname when running in the host UTS namespace: invalid configuration +# +# https://github.com/containers/podman/issues/11969#issuecomment-943386484 +# +if grep -q utsns /etc/containers/containers.conf; then + sed -i -e '/^\utsns=/d' /etc/containers/containers.conf +fi + # events-backend=journald does not work inside a container opts="--events-backend=file $_PODMAN_TEST_OPTS" -- cgit v1.2.3-54-g00ecf From daeea48df5061d1d7a7207995fa166c2106ba3ae Mon Sep 17 00:00:00 2001 From: Aditya R Date: Thu, 31 Mar 2022 14:46:50 +0530 Subject: kube: configmap volume should be reused if already exists `podman play kube` creates a new volume for configmap, if same configmap is applied again volume can be re-used, there is no need to remove and re-create the volume again Signed-off-by: Aditya R --- pkg/domain/infra/abi/play.go | 11 ++++++++++- test/e2e/play_kube_test.go | 26 ++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) (limited to 'test') diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go index 1423ab06e..c3f6bb17d 100644 --- a/pkg/domain/infra/abi/play.go +++ b/pkg/domain/infra/abi/play.go @@ -290,7 +290,16 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY if v.Type == kube.KubeVolumeTypeConfigMap && !v.Optional { vol, err := ic.Libpod.NewVolume(ctx, libpod.WithVolumeName(v.Source)) if err != nil { - return nil, errors.Wrapf(err, "cannot create a local volume for volume from configmap %q", v.Source) + if errors.Is(err, define.ErrVolumeExists) { + // Volume for this configmap already exists do not + // error out instead reuse the current volume. + vol, err = ic.Libpod.GetVolume(v.Source) + if err != nil { + return nil, errors.Wrapf(err, "cannot re-use local volume for volume from configmap %q", v.Source) + } + } else { + return nil, errors.Wrapf(err, "cannot create a local volume for volume from configmap %q", v.Source) + } } mountPoint, err := vol.MountPoint() if err != nil || mountPoint == "" { diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go index 6a4083565..f16180854 100644 --- a/test/e2e/play_kube_test.go +++ b/test/e2e/play_kube_test.go @@ -1679,6 +1679,32 @@ var _ = Describe("Podman play kube", func() { Expect(inspect.OutputToString()).To(ContainSubstring(`FOO=foo`)) }) + It("podman play kube test env value from configmap and --replace should reuse the configmap volume", func() { + SkipIfRemote("configmap list is not supported as a param") + cmYamlPathname := filepath.Join(podmanTest.TempDir, "foo-cm.yaml") + cm := getConfigMap(withConfigMapName("foo"), withConfigMapData("FOO", "foo")) + err := generateKubeYaml("configmap", cm, cmYamlPathname) + Expect(err).To(BeNil()) + + pod := getPod(withCtr(getCtr(withEnv("FOO", "", "configmap", "foo", "FOO", false)))) + err = generateKubeYaml("pod", pod, kubeYaml) + Expect(err).To(BeNil()) + + kube := podmanTest.Podman([]string{"play", "kube", kubeYaml, "--configmap", cmYamlPathname}) + kube.WaitWithDefaultTimeout() + Expect(kube).Should(Exit(0)) + + // create pod again with --replace + kube = podmanTest.Podman([]string{"play", "kube", "--replace", kubeYaml, "--configmap", cmYamlPathname}) + kube.WaitWithDefaultTimeout() + Expect(kube).Should(Exit(0)) + + inspect := podmanTest.Podman([]string{"inspect", getCtrNameInPod(pod), "--format", "'{{ .Config.Env }}'"}) + inspect.WaitWithDefaultTimeout() + Expect(inspect).Should(Exit(0)) + Expect(inspect.OutputToString()).To(ContainSubstring(`FOO=foo`)) + }) + It("podman play kube test required env value from configmap with missing key", func() { SkipIfRemote("configmap list is not supported as a param") cmYamlPathname := filepath.Join(podmanTest.TempDir, "foo-cm.yaml") -- cgit v1.2.3-54-g00ecf From e5745139a71bd5b894d5fb6a80c04c39fd71540a Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Thu, 31 Mar 2022 15:54:32 +0200 Subject: cli commands: better error for unsupported commands When you run podman-remote unsahre for example you currently get: Error: unrecognized command `podman-remote unshare` This is because we do not add the command to the cobra tree when we run in remote mode. However this is a bad user experience since it is not clear that the command is only supported for local podman. Users are left wondering why this does not work and could think the documentation is wrong. To fix it we add a clear error message: Error: cannot use command "podman-remote unshare" with the remote podman client Signed-off-by: Paul Holzinger --- cmd/podman/main.go | 64 +++++++++++++++++++++++++++++++++++------------- test/e2e/unshare_test.go | 14 +++++++++-- 2 files changed, 59 insertions(+), 19 deletions(-) (limited to 'test') diff --git a/cmd/podman/main.go b/cmd/podman/main.go index 4f8131653..8f580601e 100644 --- a/cmd/podman/main.go +++ b/cmd/podman/main.go @@ -3,7 +3,6 @@ package main import ( "fmt" "os" - "strings" _ "github.com/containers/podman/v4/cmd/podman/completion" _ "github.com/containers/podman/v4/cmd/podman/containers" @@ -20,6 +19,7 @@ import ( _ "github.com/containers/podman/v4/cmd/podman/system" _ "github.com/containers/podman/v4/cmd/podman/system/connection" _ "github.com/containers/podman/v4/cmd/podman/volumes" + "github.com/containers/podman/v4/pkg/domain/entities" "github.com/containers/podman/v4/pkg/rootless" "github.com/containers/podman/v4/pkg/terminal" "github.com/containers/storage/pkg/reexec" @@ -44,7 +44,29 @@ func parseCommands() *cobra.Command { cfg := registry.PodmanConfig() for _, c := range registry.Commands { if supported, found := c.Command.Annotations[registry.EngineMode]; found { - if !strings.Contains(cfg.EngineMode.String(), supported) { + if cfg.EngineMode.String() != supported { + var client string + switch cfg.EngineMode { + case entities.TunnelMode: + client = "remote" + case entities.ABIMode: + client = "local" + } + + // add error message to the command so the user knows that this command is not supported with local/remote + c.Command.RunE = func(cmd *cobra.Command, args []string) error { + return fmt.Errorf("cannot use command %q with the %s podman client", cmd.CommandPath(), client) + } + // turn of flag parsing to make we do not get flag errors + c.Command.DisableFlagParsing = true + + // mark command as hidden so it is not shown in --help + c.Command.Hidden = true + + // overwrite persistent pre/post function to skip setup + c.Command.PersistentPostRunE = noop + c.Command.PersistentPreRunE = noop + addCommand(c) continue } } @@ -65,22 +87,9 @@ func parseCommands() *cobra.Command { } } } - - parent := rootCmd - if c.Parent != nil { - parent = c.Parent - } - parent.AddCommand(c.Command) - - c.Command.SetFlagErrorFunc(flagErrorFuncfunc) - - // - templates need to be set here, as PersistentPreRunE() is - // not called when --help is used. - // - rootCmd uses cobra default template not ours - c.Command.SetHelpTemplate(helpTemplate) - c.Command.SetUsageTemplate(usageTemplate) - c.Command.DisableFlagsInUseLine = true + addCommand(c) } + if err := terminal.SetConsole(); err != nil { logrus.Error(err) os.Exit(1) @@ -94,3 +103,24 @@ func flagErrorFuncfunc(c *cobra.Command, e error) error { e = fmt.Errorf("%w\nSee '%s --help'", e, c.CommandPath()) return e } + +func addCommand(c registry.CliCommand) { + parent := rootCmd + if c.Parent != nil { + parent = c.Parent + } + parent.AddCommand(c.Command) + + c.Command.SetFlagErrorFunc(flagErrorFuncfunc) + + // - templates need to be set here, as PersistentPreRunE() is + // not called when --help is used. + // - rootCmd uses cobra default template not ours + c.Command.SetHelpTemplate(helpTemplate) + c.Command.SetUsageTemplate(usageTemplate) + c.Command.DisableFlagsInUseLine = true +} + +func noop(cmd *cobra.Command, args []string) error { + return nil +} diff --git a/test/e2e/unshare_test.go b/test/e2e/unshare_test.go index ac4fa46bf..8b06dd4f5 100644 --- a/test/e2e/unshare_test.go +++ b/test/e2e/unshare_test.go @@ -16,7 +16,6 @@ var _ = Describe("Podman unshare", func() { podmanTest *PodmanTestIntegration ) BeforeEach(func() { - SkipIfRemote("podman-remote unshare is not supported") if _, err := os.Stat("/proc/self/uid_map"); err != nil { Skip("User namespaces not supported.") } @@ -43,6 +42,7 @@ var _ = Describe("Podman unshare", func() { }) It("podman unshare", func() { + SkipIfRemote("podman-remote unshare is not supported") userNS, _ := os.Readlink("/proc/self/ns/user") session := podmanTest.Podman([]string{"unshare", "readlink", "/proc/self/ns/user"}) session.WaitWithDefaultTimeout() @@ -50,7 +50,8 @@ var _ = Describe("Podman unshare", func() { Expect(session.OutputToString()).ToNot(ContainSubstring(userNS)) }) - It("podman unshare --rootles-cni", func() { + It("podman unshare --rootless-cni", func() { + SkipIfRemote("podman-remote unshare is not supported") session := podmanTest.Podman([]string{"unshare", "--rootless-netns", "ip", "addr"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) @@ -58,6 +59,7 @@ var _ = Describe("Podman unshare", func() { }) It("podman unshare exit codes", func() { + SkipIfRemote("podman-remote unshare is not supported") session := podmanTest.Podman([]string{"unshare", "false"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(1)) @@ -88,4 +90,12 @@ var _ = Describe("Podman unshare", func() { Expect(session.OutputToString()).Should(Equal("")) Expect(session.ErrorToString()).Should(ContainSubstring("unknown flag: --bogus")) }) + + It("podman unshare check remote error", func() { + SkipIfNotRemote("check for podman-remote unshare error") + session := podmanTest.Podman([]string{"unshare"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + Expect(session.OutputToString()).To(Equal(`Error: cannot use command "podman-remote unshare" with the remote podman client`)) + }) }) -- cgit v1.2.3-54-g00ecf From f8c2df87cbb48e2e57710d8bc7d024b615235dbf Mon Sep 17 00:00:00 2001 From: Jhon Honce Date: Fri, 25 Mar 2022 15:19:10 -0700 Subject: Add build test for .containerignore tar file Ensure a directory added to .containerignore on client is not included in tar sent to remote podman API service * Clean up podman invocations to not include duplicate --remote and --url flags * Use pkill vs. pgrep when cleaning up podman API service in tests * Add exit code when logging error when testing Closes #13535 Signed-off-by: Jhon Honce --- pkg/bindings/images/build.go | 9 +++-- test/e2e/build_test.go | 66 ++++++++++++++++++++++++++++---- test/e2e/common_test.go | 15 ++++---- test/e2e/libpod_suite_remote_test.go | 73 +++++++++++++----------------------- test/utils/utils.go | 4 +- 5 files changed, 100 insertions(+), 67 deletions(-) (limited to 'test') diff --git a/pkg/bindings/images/build.go b/pkg/bindings/images/build.go index f6739b7ca..ab562377f 100644 --- a/pkg/bindings/images/build.go +++ b/pkg/bindings/images/build.go @@ -367,20 +367,20 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO return nil, err } - // Check if Containerfile is in the context directory, if so truncate the contextdirectory off path + // Check if Containerfile is in the context directory, if so truncate the context directory off path // Do NOT add to tarfile if strings.HasPrefix(containerfile, contextDir+string(filepath.Separator)) { containerfile = strings.TrimPrefix(containerfile, contextDir+string(filepath.Separator)) dontexcludes = append(dontexcludes, "!"+containerfile) } else { - // If Containerfile does not exists assume it is in context directory, do Not add to tarfile + // If Containerfile does not exist, assume it is in context directory and do Not add to tarfile if _, err := os.Lstat(containerfile); err != nil { if !os.IsNotExist(err) { return nil, err } containerfile = c } else { - // If Containerfile does exists but is not in context directory add it to the tarfile + // If Containerfile does exist and not in the context directory, add it to the tarfile tarContent = append(tarContent, containerfile) } } @@ -586,6 +586,9 @@ func nTar(excludes []string, sources ...string) (io.ReadCloser, error) { return errors.Wrapf(err, "error checking if %q is excluded", name) } if excluded { + // Note: filepath.SkipDir is not possible to use given .dockerignore semantics. + // An exception to exclusions may include an excluded directory, therefore we + // are required to visit all files. :( return nil } diff --git a/test/e2e/build_test.go b/test/e2e/build_test.go index 096c98727..0c665687d 100644 --- a/test/e2e/build_test.go +++ b/test/e2e/build_test.go @@ -1,9 +1,11 @@ package integration import ( + "bytes" "fmt" "io/ioutil" "os" + "os/exec" "path/filepath" "runtime" "strings" @@ -493,14 +495,64 @@ subdir**` Expect(output).NotTo(ContainSubstring("/testfilter/subdir")) }) + // See https://github.com/containers/podman/issues/13535 + It("Remote build .containerignore filtering embedded directory (#13535)", func() { + SkipIfNotRemote("Testing remote .containerignore file filtering") + podmanTest.RestartRemoteService() + + // Switch to temp dir and restore it afterwards + cwd, err := os.Getwd() + Expect(err).ToNot(HaveOccurred()) + + podmanTest.AddImageToRWStore(ALPINE) + + contents := bytes.Buffer{} + contents.WriteString("FROM " + ALPINE + "\n") + contents.WriteString("ADD . /testfilter/\n") + contents.WriteString("RUN find /testfilter/ -print\n") + + containerfile := filepath.Join(tempdir, "Containerfile") + Expect(ioutil.WriteFile(containerfile, contents.Bytes(), 0644)).ToNot(HaveOccurred()) + + contextDir, err := CreateTempDirInTempDir() + Expect(err).ToNot(HaveOccurred()) + defer os.RemoveAll(contextDir) + + Expect(ioutil.WriteFile(filepath.Join(contextDir, "expected"), contents.Bytes(), 0644)). + ToNot(HaveOccurred()) + + subdirPath := filepath.Join(contextDir, "subdir") + Expect(os.MkdirAll(subdirPath, 0755)).ToNot(HaveOccurred()) + Expect(ioutil.WriteFile(filepath.Join(subdirPath, "extra"), contents.Bytes(), 0644)). + ToNot(HaveOccurred()) + randomFile := filepath.Join(subdirPath, "randomFile") + dd := exec.Command("dd", "if=/dev/random", "of="+randomFile, "bs=1G", "count=1") + ddSession, err := Start(dd, GinkgoWriter, GinkgoWriter) + Expect(err).ToNot(HaveOccurred()) + Eventually(ddSession).Should(Exit(0)) + + // make cwd as context root path + Expect(os.Chdir(contextDir)).ToNot(HaveOccurred()) + defer os.Chdir(cwd) + + By("Test .containerignore filtering subdirectory") + err = ioutil.WriteFile(filepath.Join(contextDir, ".containerignore"), []byte(`subdir/`), 0644) + Expect(err).ToNot(HaveOccurred()) + + session := podmanTest.Podman([]string{"build", "-f", containerfile, contextDir}) + session.WaitWithDefaultTimeout() + Expect(session).To(Exit(0)) + + output := session.OutputToString() + Expect(output).To(ContainSubstring("Containerfile")) + Expect(output).To(ContainSubstring("/testfilter/expected")) + Expect(output).NotTo(ContainSubstring("subdir")) + }) + It("podman remote test context dir contains empty dirs and symlinks", func() { - if IsRemote() { - podmanTest.StopRemoteService() - podmanTest.StartRemoteService() - } else { - Skip("Only valid at remote test") - } - // Given + SkipIfNotRemote("Testing remote contextDir empty") + podmanTest.RestartRemoteService() + // Switch to temp dir and restore it afterwards cwd, err := os.Getwd() Expect(err).To(BeNil()) diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go index cb6574f23..620494b34 100644 --- a/test/e2e/common_test.go +++ b/test/e2e/common_test.go @@ -20,6 +20,7 @@ import ( "github.com/containers/podman/v4/libpod/define" "github.com/containers/podman/v4/pkg/inspect" "github.com/containers/podman/v4/pkg/rootless" + "github.com/containers/podman/v4/pkg/util" . "github.com/containers/podman/v4/test/utils" "github.com/containers/storage" "github.com/containers/storage/pkg/reexec" @@ -500,14 +501,12 @@ func (p *PodmanTestIntegration) BuildImageWithLabel(dockerfile, imageName string // PodmanPID execs podman and returns its PID func (p *PodmanTestIntegration) PodmanPID(args []string) (*PodmanSessionIntegration, int) { podmanOptions := p.MakeOptions(args, false, false) - if p.RemoteTest { - podmanOptions = append([]string{"--remote", "--url", p.RemoteSocket}, podmanOptions...) - } fmt.Printf("Running: %s %s\n", p.PodmanBinary, strings.Join(podmanOptions, " ")) + command := exec.Command(p.PodmanBinary, podmanOptions...) session, err := Start(command, GinkgoWriter, GinkgoWriter) if err != nil { - Fail(fmt.Sprintf("unable to run podman command: %s", strings.Join(podmanOptions, " "))) + Fail("unable to run podman command: " + strings.Join(podmanOptions, " ")) } podmanSession := &PodmanSession{Session: session} return &PodmanSessionIntegration{podmanSession}, command.Process.Pid @@ -843,11 +842,13 @@ func (p *PodmanTestIntegration) PodmanNoEvents(args []string) *PodmanSessionInte // MakeOptions assembles all the podman main options func (p *PodmanTestIntegration) makeOptions(args []string, noEvents, noCache bool) []string { if p.RemoteTest { + if !util.StringInSlice("--remote", args) { + return append([]string{"--remote", "--url", p.RemoteSocket}, args...) + } return args } - var ( - debug string - ) + + var debug string if _, ok := os.LookupEnv("DEBUG"); ok { debug = "--log-level=debug --syslog=true " } diff --git a/test/e2e/libpod_suite_remote_test.go b/test/e2e/libpod_suite_remote_test.go index b4a59c54d..dddcf5c14 100644 --- a/test/e2e/libpod_suite_remote_test.go +++ b/test/e2e/libpod_suite_remote_test.go @@ -4,7 +4,6 @@ package integration import ( - "bytes" "errors" "fmt" "io/ioutil" @@ -25,31 +24,28 @@ func IsRemote() bool { // Podman is the exec call to podman on the filesystem func (p *PodmanTestIntegration) Podman(args []string) *PodmanSessionIntegration { - var remoteArgs = []string{"--remote", "--url", p.RemoteSocket} - remoteArgs = append(remoteArgs, args...) - podmanSession := p.PodmanBase(remoteArgs, false, false) + args = p.makeOptions(args, false, false) + podmanSession := p.PodmanBase(args, false, false) return &PodmanSessionIntegration{podmanSession} } // PodmanSystemdScope runs the podman command in a new systemd scope func (p *PodmanTestIntegration) PodmanSystemdScope(args []string) *PodmanSessionIntegration { - var remoteArgs = []string{"--remote", "--url", p.RemoteSocket} - remoteArgs = append(remoteArgs, args...) + args = p.makeOptions(args, false, false) wrapper := []string{"systemd-run", "--scope"} if rootless.IsRootless() { wrapper = []string{"systemd-run", "--scope", "--user"} } - podmanSession := p.PodmanAsUserBase(remoteArgs, 0, 0, "", nil, false, false, wrapper, nil) + podmanSession := p.PodmanAsUserBase(args, 0, 0, "", nil, false, false, wrapper, nil) return &PodmanSessionIntegration{podmanSession} } // PodmanExtraFiles is the exec call to podman on the filesystem and passes down extra files func (p *PodmanTestIntegration) PodmanExtraFiles(args []string, extraFiles []*os.File) *PodmanSessionIntegration { - var remoteArgs = []string{"--remote", "--url", p.RemoteSocket} - remoteArgs = append(remoteArgs, args...) - podmanSession := p.PodmanAsUserBase(remoteArgs, 0, 0, "", nil, false, false, nil, extraFiles) + args = p.makeOptions(args, false, false) + podmanSession := p.PodmanAsUserBase(args, 0, 0, "", nil, false, false, nil, extraFiles) return &PodmanSessionIntegration{podmanSession} } @@ -96,57 +92,39 @@ func (p *PodmanTestIntegration) StartRemoteService() { command.SysProcAttr = &syscall.SysProcAttr{Setpgid: true} p.RemoteCommand = command p.RemoteSession = command.Process - err := p.DelayForService() - p.RemoteStartErr = err + p.RemoteStartErr = p.DelayForService() } func (p *PodmanTestIntegration) StopRemoteService() { - var out bytes.Buffer - var pids []int - remoteSession := p.RemoteSession - if !rootless.IsRootless() { - if err := remoteSession.Kill(); err != nil { + if err := p.RemoteSession.Kill(); err != nil { fmt.Fprintf(os.Stderr, "error on remote stop-kill %q", err) } - if _, err := remoteSession.Wait(); err != nil { + if _, err := p.RemoteSession.Wait(); err != nil { fmt.Fprintf(os.Stderr, "error on remote stop-wait %q", err) } } else { - parentPid := fmt.Sprintf("%d", p.RemoteSession.Pid) - pgrep := exec.Command("pgrep", "-P", parentPid) - fmt.Printf("running: pgrep %s\n", parentPid) - pgrep.Stdout = &out - err := pgrep.Run() - if err != nil { - fmt.Fprint(os.Stderr, "unable to find remote pid") - } - - for _, s := range strings.Split(out.String(), "\n") { - if len(s) == 0 { - continue - } - p, err := strconv.Atoi(s) - if err != nil { - fmt.Fprintf(os.Stderr, "unable to convert %s to int", s) - } - if p != 0 { - pids = append(pids, p) + // Stop any children of `podman system service` + pkill := exec.Command("pkill", "-P", strconv.Itoa(p.RemoteSession.Pid), "-15") + if err := pkill.Run(); err != nil { + exitErr := err.(*exec.ExitError) + if exitErr.ExitCode() != 1 { + fmt.Fprintf(os.Stderr, "pkill unable to clean up service %d children, exit code %d\n", + p.RemoteSession.Pid, exitErr.ExitCode()) } } - - pids = append(pids, p.RemoteSession.Pid) - for _, pid := range pids { - syscall.Kill(pid, syscall.SIGKILL) + if err := p.RemoteSession.Kill(); err != nil { + fmt.Fprintf(os.Stderr, "unable to clean up service %d, %v\n", p.RemoteSession.Pid, err) } } + socket := strings.Split(p.RemoteSocket, ":")[1] - if err := os.Remove(socket); err != nil { - fmt.Println(err) + if err := os.Remove(socket); err != nil && !errors.Is(err, os.ErrNotExist) { + fmt.Fprintf(os.Stderr, "%v\n", err) } if p.RemoteSocketLock != "" { - if err := os.Remove(p.RemoteSocketLock); err != nil { - fmt.Println(err) + if err := os.Remove(p.RemoteSocketLock); err != nil && !errors.Is(err, os.ErrNotExist) { + fmt.Fprintf(os.Stderr, "%v\n", err) } } } @@ -185,8 +163,9 @@ func (p *PodmanTestIntegration) RestoreArtifact(image string) error { } func (p *PodmanTestIntegration) DelayForService() error { + var session *PodmanSessionIntegration for i := 0; i < 5; i++ { - session := p.Podman([]string{"info"}) + session = p.Podman([]string{"info"}) session.WaitWithDefaultTimeout() if session.ExitCode() == 0 { return nil @@ -195,5 +174,5 @@ func (p *PodmanTestIntegration) DelayForService() error { } time.Sleep(2 * time.Second) } - return errors.New("Service not detected") + return fmt.Errorf("service not detected, exit code(%d)", session.ExitCode()) } diff --git a/test/utils/utils.go b/test/utils/utils.go index a6295cd19..57f002130 100644 --- a/test/utils/utils.go +++ b/test/utils/utils.go @@ -100,9 +100,7 @@ func (p *PodmanTest) PodmanAsUserBase(args []string, uid, gid uint32, cwd string if p.NetworkBackend == Netavark { runCmd = append(runCmd, []string{"--network-backend", "netavark"}...) } - if p.RemoteTest { - podmanOptions = append([]string{"--remote", "--url", p.RemoteSocket}, podmanOptions...) - } + if env == nil { fmt.Printf("Running: %s %s\n", strings.Join(runCmd, " "), strings.Join(podmanOptions, " ")) } else { -- cgit v1.2.3-54-g00ecf From 1cd529b22d40205c1f3246ed49f07e3615cf8292 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Fri, 1 Apr 2022 10:15:08 +0200 Subject: specgen: permit --privileged and --cap-add --cap-add is useful when running a privileged container with UID != 0, so that individual capabilities can be added to the container process. Closes: https://github.com/containers/podman/issues/13449 Signed-off-by: Giuseppe Scrivano --- pkg/specgen/container_validate.go | 4 ---- test/e2e/run_test.go | 5 +++++ 2 files changed, 5 insertions(+), 4 deletions(-) (limited to 'test') diff --git a/pkg/specgen/container_validate.go b/pkg/specgen/container_validate.go index e71eafb75..42b70e334 100644 --- a/pkg/specgen/container_validate.go +++ b/pkg/specgen/container_validate.go @@ -83,10 +83,6 @@ func (s *SpecGenerator) Validate() error { // // ContainerSecurityConfig // - // capadd and privileged are exclusive - if len(s.CapAdd) > 0 && s.Privileged { - return exclusiveOptions("CapAdd", "privileged") - } // userns and idmappings conflict if s.UserNS.IsPrivate() && s.IDMappings == nil { return errors.Wrap(ErrInvalidSpecConfig, "IDMappings are required when not creating a User namespace") diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 1a93296b7..a1d04ddee 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -535,6 +535,11 @@ var _ = Describe("Podman run", func() { Expect(session).Should(Exit(0)) Expect(session.OutputToString()).To(ContainSubstring("0000000000000000")) + session = podmanTest.Podman([]string{"run", "--user=1:1", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapEff", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + Expect(session.OutputToString()).To(ContainSubstring("0000000000000002")) + if os.Geteuid() > 0 { if os.Getenv("SKIP_USERNS") != "" { Skip("Skip userns tests.") -- cgit v1.2.3-54-g00ecf