1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
|
#!/usr/bin/env bats
load helpers
@test "podman run - basic tests" {
rand=$(random_string 30)
# 2019-09 Fedora 31 and rawhide (32) are switching from runc to crun
# because of cgroups v2; crun emits different error messages.
# Default to runc:
err_no_such_cmd="Error: .*: starting container process caused.*exec:.*stat /no/such/command: no such file or directory"
err_no_exec_dir="Error: .*: starting container process caused.*exec:.* permission denied"
# ...but check the configured runtime engine, and switch to crun as needed
run_podman info --format '{{ .Host.OCIRuntime.Path }}'
if expr "$output" : ".*/crun"; then
err_no_such_cmd="Error: executable file not found in \$PATH: No such file or directory: OCI runtime command not found error"
err_no_exec_dir="Error: open executable: Operation not permitted: OCI runtime permission denied error"
fi
tests="
true | 0 |
false | 1 |
sh -c 'exit 32' | 32 |
echo $rand | 0 | $rand
/no/such/command | 127 | $err_no_such_cmd
/etc | 126 | $err_no_exec_dir
"
tests_run=0
while read cmd expected_rc expected_output; do
if [ "$expected_output" = "''" ]; then expected_output=""; fi
# THIS IS TRICKY: this is what lets us handle a quoted command.
# Without this incantation (and the "$@" below), the cmd string
# gets passed on as individual tokens: eg "sh" "-c" "'exit" "32'"
# (note unmatched opening and closing single-quotes in the last 2).
# That results in a bizarre and hard-to-understand failure
# in the BATS 'run' invocation.
# This should really be done inside parse_table; I can't find
# a way to do so.
eval set "$cmd"
# FIXME: The </dev/null is a hack, necessary because as of 2019-09
# podman-remote has a bug in which it silently slurps up stdin,
# including the output of parse_table (i.e. tests to be run).
run_podman $expected_rc run $IMAGE "$@" </dev/null
# FIXME: remove conditional once podman-remote issue #4096 is fixed
if ! is_remote; then
is "$output" "$expected_output" "podman run $cmd - output"
fi
tests_run=$(expr $tests_run + 1)
done < <(parse_table "$tests")
# Make sure we ran the expected number of tests! Until 2019-09-24
# podman-remote was only running one test (the "true" one); all
# the rest were being silently ignored because of podman-remote
# bug #4095, in which it slurps up stdin.
is "$tests_run" "$(grep . <<<$tests | wc -l)" "Ran the full set of tests"
}
# 'run --preserve-fds' passes a number of additional file descriptors into the container
@test "podman run --preserve-fds" {
skip_if_remote "preserve-fds is meaningless over remote"
content=$(random_string 20)
echo "$content" > $PODMAN_TMPDIR/tempfile
run_podman run --rm -i --preserve-fds=2 $IMAGE sh -c "cat <&4" 4<$PODMAN_TMPDIR/tempfile
is "$output" "$content" "container read input from fd 4"
}
@test "podman run - uidmapping has no /sys/kernel mounts" {
skip_if_rootless "cannot umount as rootless"
skip_if_remote "TODO Fix this for remote case"
run_podman run --rm --uidmap 0:100:10000 $IMAGE mount
run grep /sys/kernel <(echo "$output")
is "$output" "" "unwanted /sys/kernel in 'mount' output"
run_podman run --rm --net host --uidmap 0:100:10000 $IMAGE mount
run grep /sys/kernel <(echo "$output")
is "$output" "" "unwanted /sys/kernel in 'mount' output (with --net=host)"
}
# 'run --rm' goes through different code paths and may lose exit status.
# See https://github.com/containers/podman/issues/3795
@test "podman run --rm" {
run_podman 0 run --rm $IMAGE /bin/true
run_podman 1 run --rm $IMAGE /bin/false
# Believe it or not, 'sh -c' resulted in different behavior
run_podman 0 run --rm $IMAGE sh -c /bin/true
run_podman 1 run --rm $IMAGE sh -c /bin/false
}
@test "podman run --name" {
randomname=$(random_string 30)
# Assume that 4 seconds gives us enough time for 3 quick tests (or at
# least for the 'ps'; the 'container exists' should pass even in the
# unlikely case that the container exits before we get to them)
run_podman run -d --name $randomname $IMAGE sleep 4
cid=$output
run_podman ps --format '{{.Names}}--{{.ID}}'
is "$output" "$randomname--${cid:0:12}"
run_podman container exists $randomname
run_podman container exists $cid
# Done with live-container tests; now let's test after container finishes
run_podman wait $cid
# Container still exists even after stopping:
run_podman container exists $randomname
run_podman container exists $cid
# ...but not after being removed:
run_podman rm $cid
run_podman 1 container exists $randomname
run_podman 1 container exists $cid
}
@test "podman run --pull" {
skip_if_remote "podman-remote does not emit 'Trying to pull' msgs"
run_podman run --pull=missing $IMAGE true
is "$output" "" "--pull=missing [present]: no output"
run_podman run --pull=never $IMAGE true
is "$output" "" "--pull=never [present]: no output"
# Now test with a remote image which we don't have present (the 00 tag)
NONLOCAL_IMAGE="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:00000000"
run_podman 125 run --pull=never $NONLOCAL_IMAGE true
is "$output" "Error: unable to find a name and tag match for $NONLOCAL_IMAGE in repotags: no such image" "--pull=never [with image not present]: error"
run_podman run --pull=missing $NONLOCAL_IMAGE true
is "$output" "Trying to pull .*" "--pull=missing [with image NOT PRESENT]: fetches"
run_podman run --pull=missing $NONLOCAL_IMAGE true
is "$output" "" "--pull=missing [with image PRESENT]: does not re-fetch"
run_podman run --pull=always $NONLOCAL_IMAGE true
is "$output" "Trying to pull .*" "--pull=always [with image PRESENT]: re-fetches"
run_podman rm -a
run_podman rmi $NONLOCAL_IMAGE
}
# 'run --rmi' deletes the image in the end unless it's used by another container
@test "podman run --rmi" {
# Name of a nonlocal image. It should be pulled in by the first 'run'
NONLOCAL_IMAGE="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:00000000"
run_podman 1 image exists $NONLOCAL_IMAGE
# Run a container, without --rm; this should block subsequent --rmi
run_podman run --name keepme $NONLOCAL_IMAGE /bin/true
run_podman image exists $NONLOCAL_IMAGE
# Now try running with --rmi : it should succeed, but not remove the image
run_podman run --rmi --rm $NONLOCAL_IMAGE /bin/true
run_podman image exists $NONLOCAL_IMAGE
# Remove the stray container, and run one more time with --rmi.
run_podman rm keepme
run_podman run --rmi --rm $NONLOCAL_IMAGE /bin/true
run_podman 1 image exists $NONLOCAL_IMAGE
}
# 'run --conmon-pidfile --cid-file' makes sure we don't regress on these flags.
# Both are critical for systemd units.
@test "podman run --conmon-pidfile --cidfile" {
pidfile=${PODMAN_TMPDIR}/pidfile
cidfile=${PODMAN_TMPDIR}/cidfile
cname=$(random_string)
run_podman run --name $cname \
--conmon-pidfile=$pidfile \
--cidfile=$cidfile \
--detach \
$IMAGE sleep infinity
cid="$output"
is "$(< $cidfile)" "$cid" "contents of cidfile == container ID"
# Cross-check --conmon-pidfile against 'podman inspect'
local conmon_pid_from_file=$(< $pidfile)
run_podman inspect --format '{{.State.ConmonPid}}' $cid
local conmon_pid_from_inspect="$output"
is "$conmon_pid_from_file" "$conmon_pid_from_inspect" \
"Conmon pid in pidfile matches what 'podman inspect' claims"
# /proc/PID/exe should be a symlink to a conmon executable
# FIXME: 'echo' and 'ls' are to help debug #7580, a CI flake
echo "conmon pid = $conmon_pid_from_file"
ls -l /proc/$conmon_pid_from_file
is "$(readlink /proc/$conmon_pid_from_file/exe)" ".*/conmon" \
"conmon pidfile (= PID $conmon_pid_from_file) points to conmon process"
# All OK. Kill container.
run_podman rm -f $cid
# Podman must not overwrite existing cid file.
# (overwriting conmon-pidfile is OK, so don't test that)
run_podman 125 run --cidfile=$cidfile $IMAGE true
is "$output" "Error: container id file exists. .* delete $cidfile" \
"podman will not overwrite existing cidfile"
}
@test "podman run docker-archive" {
skip_if_remote "podman-remote does not support docker-archive (#7116)"
# Create an image that, when run, outputs a random magic string
expect=$(random_string 20)
run_podman run --name myc --entrypoint="[\"/bin/echo\",\"$expect\"]" $IMAGE
is "$output" "$expect" "podman run --entrypoint echo-randomstring"
# Save it as a tar archive
run_podman commit myc myi
archive=$PODMAN_TMPDIR/archive.tar
run_podman save myi -o $archive
is "$output" "" "podman save"
# Clean up image and container from container storage...
run_podman rmi myi
run_podman rm myc
# ... then confirm we can run from archive. This re-imports the image
# and runs it, producing our random string as the last line.
run_podman run docker-archive:$archive
is "${lines[0]}" "Getting image source signatures" "podman run docker-archive, first line of output"
is "$output" ".*Copying blob" "podman run docker-archive"
is "$output" ".*Copying config" "podman run docker-archive"
is "$output" ".*Writing manifest" "podman run docker-archive"
is "${lines[-1]}" "$expect" "podman run docker-archive: expected random string output"
# Clean up container as well as re-imported image
run_podman rm -a
run_podman rmi myi
# Repeat the above, with podman-create and podman-start.
run_podman create docker-archive:$archive
cid=${lines[-1]}
run_podman start --attach $cid
is "$output" "$expect" "'podman run' of 'podman-create docker-archive'"
# Clean up.
run_podman rm $cid
run_podman rmi myi
}
# #6735 : complex interactions with multiple user namespaces
# The initial report has to do with bind mounts, but that particular
# symptom only manifests on a fedora container image -- we have no
# reproducer on alpine. Checking directory ownership is good enough.
@test "podman run : user namespace preserved root ownership" {
skip_if_remote "FIXME: pending #7195"
for priv in "" "--privileged"; do
for user in "--user=0" "--user=100"; do
for keepid in "" "--userns=keep-id"; do
opts="$priv $user $keepid"
for dir in /etc /usr;do
run_podman run --rm $opts $IMAGE stat -c '%u:%g:%n' $dir
remove_same_dev_warning # grumble
is "$output" "0:0:$dir" "run $opts ($dir)"
done
done
done
done
}
# #6829 : add username to /etc/passwd inside container if --userns=keep-id
@test "podman run : add username to /etc/passwd if --userns=keep-id" {
skip_if_remote "FIXME: pending #7195"
# Default: always run as root
run_podman run --rm $IMAGE id -un
is "$output" "root" "id -un on regular container"
# This would always work on root, but is new behavior on rootless: #6829
# adds a user entry to /etc/passwd
run_podman run --rm --userns=keep-id $IMAGE id -un
is "$output" "$(id -un)" "username on container with keep-id"
# --privileged should make no difference
run_podman run --rm --privileged --userns=keep-id $IMAGE id -un
remove_same_dev_warning # grumble
is "$output" "$(id -un)" "username on container with keep-id"
# ...but explicitly setting --user should override keep-id
run_podman run --rm --privileged --userns=keep-id --user=0 $IMAGE id -un
remove_same_dev_warning # grumble
is "$output" "root" "--user=0 overrides keep-id"
}
# #6991 : /etc/passwd is modifiable
@test "podman run : --userns=keep-id: passwd file is modifiable" {
skip_if_remote "FIXME: pending #7195"
run_podman run -d --userns=keep-id $IMAGE sh -c 'while ! test -e /stop; do sleep 0.1; done'
cid="$output"
# Assign a UID that is (a) not in our image /etc/passwd and (b) not
# the same as that of the user running the test script; this guarantees
# that the added passwd entry will be what we expect.
#
# For GID, we have to use one that already exists in the container. And
# unfortunately, 'adduser' requires a string name. We use 999:ping
local uid=4242
if [[ $uid == $(id -u) ]]; then
uid=4343
fi
gecos="$(random_string 6) $(random_string 8)"
run_podman exec --user root $cid adduser -u $uid -G ping -D -g "$gecos" -s /bin/sh newuser3
is "$output" "" "output from adduser"
run_podman exec $cid tail -1 /etc/passwd
is "$output" "newuser3:x:$uid:999:$gecos:/home/newuser3:/bin/sh" \
"newuser3 added to /etc/passwd in container"
run_podman exec $cid touch /stop
run_podman wait $cid
}
# vim: filetype=sh
|
