opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-07-01 16:17:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #21618 from edsantiago/vms-with-netavark-10-3

Browse Source 
Bump CI VMs to ones with netavark 1.10.3
This commit is contained in:
openshift-merge-bot[bot]
2024-02-13 02:42:56 +00:00
committed by GitHub
parent 66e292ebb9 5eb801a562
commit 007ccee9e2
4 changed files with 31 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.cirrus.yml
View File

@ -33,7 +33,7 @@ env:
DEBIAN_NAME: "debian-13" DEBIAN_NAME: "debian-13"
# Image identifiers # Image identifiers
IMAGE_SUFFIX: "c20240201t143038z-f39f38d13" IMAGE_SUFFIX: "c20240212t122113z-f39f38d13"
# EC2 images # EC2 images
@ -1010,8 +1010,8 @@ upgrade_test_task:
- build - build
- local_system_test - local_system_test
matrix: matrix:
- env: # - env:
PODMAN_UPGRADE_FROM: v4.1.0 # PODMAN_UPGRADE_FROM: v4.1.0
- env: - env:
PODMAN_UPGRADE_FROM: v4.8.0 PODMAN_UPGRADE_FROM: v4.8.0
gce_instance: *standardvm gce_instance: *standardvm

14
test/e2e/play_kube_test.go
View File

@ -1248,7 +1248,7 @@ var (
defaultConfigMapName = "testConfigMap" defaultConfigMapName = "testConfigMap"
defaultSecretName = "testSecret" defaultSecretName = "testSecret"
defaultPVCName = "testPVC" defaultPVCName = "testPVC"
seccompPwdEPERM = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`) seccompLinkEPERM = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"link","action":"SCMP_ACT_ERRNO"}]}`)
// CPU Period in ms // CPU Period in ms
defaultCPUPeriod = 100 defaultCPUPeriod = 100
// Default secret in JSON. Note that the values ("foo" and "bar") are base64 encoded. // Default secret in JSON. Note that the values ("foo" and "bar") are base64 encoded.
@ -3016,14 +3016,14 @@ var _ = Describe("Podman kube play", func() {
It("seccomp container level", func() { It("seccomp container level", func() {
SkipIfRemote("podman-remote does not support --seccomp-profile-root flag") SkipIfRemote("podman-remote does not support --seccomp-profile-root flag")
// expect kube play is expected to set a seccomp label if it's applied as an annotation // expect kube play is expected to set a seccomp label if it's applied as an annotation
jsonFile, err := podmanTest.CreateSeccompJSON(seccompPwdEPERM) jsonFile, err := podmanTest.CreateSeccompJSON(seccompLinkEPERM)
if err != nil { if err != nil {
GinkgoWriter.Println(err) GinkgoWriter.Println(err)
Skip("Failed to prepare seccomp.json for test.") Skip("Failed to prepare seccomp.json for test.")
} }
ctrAnnotation := "container.seccomp.security.alpha.kubernetes.io/" + defaultCtrName ctrAnnotation := "container.seccomp.security.alpha.kubernetes.io/" + defaultCtrName
ctr := getCtr(withCmd([]string{"pwd"}), withArg(nil)) ctr := getCtr(withCmd([]string{"ln"}), withArg([]string{"/etc/motd", "/noneShallPass"}))
pod := getPod(withCtr(ctr), withAnnotation(ctrAnnotation, "localhost/"+filepath.Base(jsonFile))) pod := getPod(withCtr(ctr), withAnnotation(ctrAnnotation, "localhost/"+filepath.Base(jsonFile)))
err = generateKubeYaml("pod", pod, kubeYaml) err = generateKubeYaml("pod", pod, kubeYaml)
@ -3042,20 +3042,20 @@ var _ = Describe("Podman kube play", func() {
logs := podmanTest.Podman([]string{"logs", ctrName}) logs := podmanTest.Podman([]string{"logs", ctrName})
logs.WaitWithDefaultTimeout() logs.WaitWithDefaultTimeout()
Expect(logs).Should(Exit(0), "podman logs %s", ctrName) Expect(logs).Should(Exit(0), "podman logs %s", ctrName)
Expect(logs.ErrorToString()).To(ContainSubstring("getcwd: Operation not permitted")) Expect(logs.ErrorToString()).To(ContainSubstring("ln: /noneShallPass: Operation not permitted"))
}) })
It("seccomp pod level", func() { It("seccomp pod level", func() {
SkipIfRemote("podman-remote does not support --seccomp-profile-root flag") SkipIfRemote("podman-remote does not support --seccomp-profile-root flag")
// expect kube play is expected to set a seccomp label if it's applied as an annotation // expect kube play is expected to set a seccomp label if it's applied as an annotation
jsonFile, err := podmanTest.CreateSeccompJSON(seccompPwdEPERM) jsonFile, err := podmanTest.CreateSeccompJSON(seccompLinkEPERM)
if err != nil { if err != nil {
GinkgoWriter.Println(err) GinkgoWriter.Println(err)
Skip("Failed to prepare seccomp.json for test.") Skip("Failed to prepare seccomp.json for test.")
} }
defer os.Remove(jsonFile) defer os.Remove(jsonFile)
ctr := getCtr(withCmd([]string{"pwd"}), withArg(nil)) ctr := getCtr(withCmd([]string{"ln"}), withArg([]string{"/etc/motd", "/noPodsShallPass"}))
pod := getPod(withCtr(ctr), withAnnotation("seccomp.security.alpha.kubernetes.io/pod", "localhost/"+filepath.Base(jsonFile))) pod := getPod(withCtr(ctr), withAnnotation("seccomp.security.alpha.kubernetes.io/pod", "localhost/"+filepath.Base(jsonFile)))
err = generateKubeYaml("pod", pod, kubeYaml) err = generateKubeYaml("pod", pod, kubeYaml)
@ -3074,7 +3074,7 @@ var _ = Describe("Podman kube play", func() {
logs := podmanTest.Podman([]string{"logs", podName}) logs := podmanTest.Podman([]string{"logs", podName})
logs.WaitWithDefaultTimeout() logs.WaitWithDefaultTimeout()
Expect(logs).Should(Exit(0)) Expect(logs).Should(Exit(0))
Expect(logs.ErrorToString()).To(ContainSubstring("Operation not permitted")) Expect(logs.ErrorToString()).To(ContainSubstring("ln: /noPodsShallPass: Operation not permitted"))
}) })
It("with pull policy of never should be 125", func() { It("with pull policy of never should be 125", func() {

3
test/e2e/run_networking_test.go
View File

@ -24,7 +24,6 @@ var _ = Describe("Podman run networking", func() {
hostname, _ := os.Hostname() hostname, _ := os.Hostname()
It("podman verify network scoped DNS server and also verify updating network dns server", func() { It("podman verify network scoped DNS server and also verify updating network dns server", func() {
Skip("FIXME: needs netavark > 1.10.2, available >= 2024-02-02")
// Following test is only functional with netavark and aardvark // Following test is only functional with netavark and aardvark
SkipIfCNI(podmanTest) SkipIfCNI(podmanTest)
net := createNetworkName("IntTest") net := createNetworkName("IntTest")
@ -72,8 +71,6 @@ var _ = Describe("Podman run networking", func() {
}) })
It("podman network dns multiple servers", func() { It("podman network dns multiple servers", func() {
Skip("FIXME: needs netavark > 1.10.2, available >= 2024-02-02")
// Following test is only functional with netavark and aardvark // Following test is only functional with netavark and aardvark
SkipIfCNI(podmanTest) SkipIfCNI(podmanTest)
net := createNetworkName("IntTest") net := createNetworkName("IntTest")

32
test/e2e/run_test.go
View File

@ -361,8 +361,8 @@ var _ = Describe("Podman run", func() {
Expect(conData[0].Config.Annotations).To(Not(HaveKey("io.podman.annotations.init"))) Expect(conData[0].Config.Annotations).To(Not(HaveKey("io.podman.annotations.init")))
}) })
forbidGetCWDSeccompProfile := func() string { forbidLinkSeccompProfile := func() string {
in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`) in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"link","action":"SCMP_ACT_ERRNO"}]}`)
jsonFile, err := podmanTest.CreateSeccompJSON(in) jsonFile, err := podmanTest.CreateSeccompJSON(in)
if err != nil { if err != nil {
GinkgoWriter.Println(err) GinkgoWriter.Println(err)
@ -517,17 +517,27 @@ var _ = Describe("Podman run", func() {
}) })
It("podman run seccomp test", func() { It("podman run seccomp test", func() {
session := podmanTest.Podman([]string{"run", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"}) secOpts := []string{"--security-opt", strings.Join([]string{"seccomp=", forbidLinkSeccompProfile()}, "")}
session.WaitWithDefaultTimeout() cmd := []string{ALPINE, "ln", "/etc/motd", "/linkNotAllowed"}
Expect(session).To(ExitWithError())
Expect(session.ErrorToString()).To(ContainSubstring("Operation not permitted"))
})
It("podman run seccomp test --privileged", func() { // Without seccomp, this should succeed
session := podmanTest.Podman([]string{"run", "--privileged", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"}) session := podmanTest.Podman(append([]string{"run"}, cmd...))
session.WaitWithDefaultTimeout() session.WaitWithDefaultTimeout()
Expect(session).To(ExitWithError()) Expect(session).To(ExitCleanly())
Expect(session.ErrorToString()).To(ContainSubstring("Operation not permitted"))
// With link syscall blocked, should fail
cmd = append(secOpts, cmd...)
session = podmanTest.Podman(append([]string{"run"}, cmd...))
session.WaitWithDefaultTimeout()
Expect(session).To(Exit(1))
Expect(session.ErrorToString()).To(ContainSubstring("ln: /linkNotAllowed: Operation not permitted"))
// ...even with --privileged
cmd = append([]string{"--privileged"}, cmd...)
session = podmanTest.Podman(append([]string{"run"}, cmd...))
session.WaitWithDefaultTimeout()
Expect(session).To(Exit(1))
Expect(session.ErrorToString()).To(ContainSubstring("ln: /linkNotAllowed: Operation not permitted"))
}) })
It("podman run seccomp test --privileged no profile should be unconfined", func() { It("podman run seccomp test --privileged no profile should be unconfined", func() {