Merge pull request #21618 from edsantiago/vms-with-netavark-10-3

Bump CI VMs to ones with netavark 1.10.3
2025-07-01 00:01:02 +08:00 · 2024-02-13 02:42:56 +00:00
parent 66e292ebb9 5eb801a562
commit 007ccee9e2
4 changed files with 31 additions and 24 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -33,7 +33,7 @@ env:
    DEBIAN_NAME: "debian-13"

    # Image identifiers
-    IMAGE_SUFFIX: "c20240201t143038z-f39f38d13"
+    IMAGE_SUFFIX: "c20240212t122113z-f39f38d13"


    # EC2 images
@ -1010,8 +1010,8 @@ upgrade_test_task:
        - build
        - local_system_test
    matrix:
-        - env:
-              PODMAN_UPGRADE_FROM: v4.1.0
+#        - env:
+#              PODMAN_UPGRADE_FROM: v4.1.0
        - env:
              PODMAN_UPGRADE_FROM: v4.8.0
    gce_instance: *standardvm
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@ -1248,7 +1248,7 @@ var (
 	defaultConfigMapName  = "testConfigMap"
 	defaultSecretName     = "testSecret"
 	defaultPVCName        = "testPVC"
-	seccompPwdEPERM       = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
+	seccompLinkEPERM      = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"link","action":"SCMP_ACT_ERRNO"}]}`)
 	// CPU Period in ms
 	defaultCPUPeriod = 100
 	// Default secret in JSON. Note that the values ("foo" and "bar") are base64 encoded.
@ -3016,14 +3016,14 @@ var _ = Describe("Podman kube play", func() {
 	It("seccomp container level", func() {
 		SkipIfRemote("podman-remote does not support --seccomp-profile-root flag")
 		// expect kube play is expected to set a seccomp label if it's applied as an annotation
-		jsonFile, err := podmanTest.CreateSeccompJSON(seccompPwdEPERM)
+		jsonFile, err := podmanTest.CreateSeccompJSON(seccompLinkEPERM)
 		if err != nil {
 			GinkgoWriter.Println(err)
 			Skip("Failed to prepare seccomp.json for test.")
 		}

 		ctrAnnotation := "container.seccomp.security.alpha.kubernetes.io/" + defaultCtrName
-		ctr := getCtr(withCmd([]string{"pwd"}), withArg(nil))
+		ctr := getCtr(withCmd([]string{"ln"}), withArg([]string{"/etc/motd", "/noneShallPass"}))

 		pod := getPod(withCtr(ctr), withAnnotation(ctrAnnotation, "localhost/"+filepath.Base(jsonFile)))
 		err = generateKubeYaml("pod", pod, kubeYaml)
@ -3042,20 +3042,20 @@ var _ = Describe("Podman kube play", func() {
 		logs := podmanTest.Podman([]string{"logs", ctrName})
 		logs.WaitWithDefaultTimeout()
 		Expect(logs).Should(Exit(0), "podman logs %s", ctrName)
-		Expect(logs.ErrorToString()).To(ContainSubstring("getcwd: Operation not permitted"))
+		Expect(logs.ErrorToString()).To(ContainSubstring("ln: /noneShallPass: Operation not permitted"))
 	})

 	It("seccomp pod level", func() {
 		SkipIfRemote("podman-remote does not support --seccomp-profile-root flag")
 		// expect kube play is expected to set a seccomp label if it's applied as an annotation
-		jsonFile, err := podmanTest.CreateSeccompJSON(seccompPwdEPERM)
+		jsonFile, err := podmanTest.CreateSeccompJSON(seccompLinkEPERM)
 		if err != nil {
 			GinkgoWriter.Println(err)
 			Skip("Failed to prepare seccomp.json for test.")
 		}
 		defer os.Remove(jsonFile)

-		ctr := getCtr(withCmd([]string{"pwd"}), withArg(nil))
+		ctr := getCtr(withCmd([]string{"ln"}), withArg([]string{"/etc/motd", "/noPodsShallPass"}))

 		pod := getPod(withCtr(ctr), withAnnotation("seccomp.security.alpha.kubernetes.io/pod", "localhost/"+filepath.Base(jsonFile)))
 		err = generateKubeYaml("pod", pod, kubeYaml)
@ -3074,7 +3074,7 @@ var _ = Describe("Podman kube play", func() {
 		logs := podmanTest.Podman([]string{"logs", podName})
 		logs.WaitWithDefaultTimeout()
 		Expect(logs).Should(Exit(0))
-		Expect(logs.ErrorToString()).To(ContainSubstring("Operation not permitted"))
+		Expect(logs.ErrorToString()).To(ContainSubstring("ln: /noPodsShallPass: Operation not permitted"))
 	})

 	It("with pull policy of never should be 125", func() {
--- a/test/e2e/run_networking_test.go
+++ b/test/e2e/run_networking_test.go
@ -24,7 +24,6 @@ var _ = Describe("Podman run networking", func() {
 	hostname, _ := os.Hostname()

 	It("podman verify network scoped DNS server and also verify updating network dns server", func() {
-		Skip("FIXME: needs netavark > 1.10.2, available >= 2024-02-02")
 		// Following test is only functional with netavark and aardvark
 		SkipIfCNI(podmanTest)
 		net := createNetworkName("IntTest")
@ -72,8 +71,6 @@ var _ = Describe("Podman run networking", func() {
 	})

 	It("podman network dns multiple servers", func() {
-		Skip("FIXME: needs netavark > 1.10.2, available >= 2024-02-02")
-
 		// Following test is only functional with netavark and aardvark
 		SkipIfCNI(podmanTest)
 		net := createNetworkName("IntTest")
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@ -361,8 +361,8 @@ var _ = Describe("Podman run", func() {
 		Expect(conData[0].Config.Annotations).To(Not(HaveKey("io.podman.annotations.init")))
 	})

-	forbidGetCWDSeccompProfile := func() string {
-		in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
+	forbidLinkSeccompProfile := func() string {
+		in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"link","action":"SCMP_ACT_ERRNO"}]}`)
 		jsonFile, err := podmanTest.CreateSeccompJSON(in)
 		if err != nil {
 			GinkgoWriter.Println(err)
@ -517,17 +517,27 @@ var _ = Describe("Podman run", func() {
 	})

 	It("podman run seccomp test", func() {
-		session := podmanTest.Podman([]string{"run", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
-		session.WaitWithDefaultTimeout()
-		Expect(session).To(ExitWithError())
-		Expect(session.ErrorToString()).To(ContainSubstring("Operation not permitted"))
-	})
+		secOpts := []string{"--security-opt", strings.Join([]string{"seccomp=", forbidLinkSeccompProfile()}, "")}
+		cmd := []string{ALPINE, "ln", "/etc/motd", "/linkNotAllowed"}

-	It("podman run seccomp test --privileged", func() {
-		session := podmanTest.Podman([]string{"run", "--privileged", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
+		// Without seccomp, this should succeed
+		session := podmanTest.Podman(append([]string{"run"}, cmd...))
 		session.WaitWithDefaultTimeout()
-		Expect(session).To(ExitWithError())
-		Expect(session.ErrorToString()).To(ContainSubstring("Operation not permitted"))
+		Expect(session).To(ExitCleanly())
+
+		// With link syscall blocked, should fail
+		cmd = append(secOpts, cmd...)
+		session = podmanTest.Podman(append([]string{"run"}, cmd...))
+		session.WaitWithDefaultTimeout()
+		Expect(session).To(Exit(1))
+		Expect(session.ErrorToString()).To(ContainSubstring("ln: /linkNotAllowed: Operation not permitted"))
+
+		// ...even with --privileged
+		cmd = append([]string{"--privileged"}, cmd...)
+		session = podmanTest.Podman(append([]string{"run"}, cmd...))
+		session.WaitWithDefaultTimeout()
+		Expect(session).To(Exit(1))
+		Expect(session.ErrorToString()).To(ContainSubstring("ln: /linkNotAllowed: Operation not permitted"))
 	})

 	It("podman run seccomp test --privileged no profile should be unconfined", func() {