opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-08-06 19:44:14 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12797 from edsantiago/test_image_scp_sudo

Browse Source 
Tests for podman image scp (the sudo form)
This commit is contained in:
OpenShift Merge Robot
2022-01-18 10:30:08 -05:00
committed by GitHub
parent 55ad6188b0 471a4356bf
commit 0bbf8fa140
5 changed files with 121 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
contrib/cirrus/lib.sh
View File

@ -138,7 +138,9 @@ passthrough_envars(){
} }
setup_rootless() { setup_rootless() {
req_env_vars ROOTLESS_USER GOPATH GOSRC SECRET_ENV_RE req_env_vars GOPATH GOSRC SECRET_ENV_RE
ROOTLESS_USER="${ROOTLESS_USER:-some${RANDOM}dude}"
local rootless_uid local rootless_uid
local rootless_gid local rootless_gid
@ -150,9 +152,11 @@ setup_rootless() {
# shellcheck disable=SC2154 # shellcheck disable=SC2154
if passwd --status $ROOTLESS_USER if passwd --status $ROOTLESS_USER
then then
msg "Updating $ROOTLESS_USER user permissions on possibly changed libpod code" if [[ $PRIV_NAME = "rootless" ]]; then
chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC" msg "Updating $ROOTLESS_USER user permissions on possibly changed libpod code"
return 0 chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC"
return 0
fi
fi fi
msg "************************************************************" msg "************************************************************"
msg "Setting up rootless user '$ROOTLESS_USER'" msg "Setting up rootless user '$ROOTLESS_USER'"
@ -164,7 +168,11 @@ setup_rootless() {
msg "creating $rootless_uid:$rootless_gid $ROOTLESS_USER user" msg "creating $rootless_uid:$rootless_gid $ROOTLESS_USER user"
groupadd -g $rootless_gid $ROOTLESS_USER groupadd -g $rootless_gid $ROOTLESS_USER
useradd -g $rootless_gid -u $rootless_uid --no-user-group --create-home $ROOTLESS_USER useradd -g $rootless_gid -u $rootless_uid --no-user-group --create-home $ROOTLESS_USER
chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC"
# We also set up rootless user for image-scp tests (running as root)
if [[ $PRIV_NAME = "rootless" ]]; then
chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC"
fi
echo "$ROOTLESS_USER ALL=(root) NOPASSWD: ALL" > /etc/sudoers.d/ci-rootless echo "$ROOTLESS_USER ALL=(root) NOPASSWD: ALL" > /etc/sudoers.d/ci-rootless
mkdir -p "$HOME/.ssh" "/home/$ROOTLESS_USER/.ssh" mkdir -p "$HOME/.ssh" "/home/$ROOTLESS_USER/.ssh"

15
contrib/cirrus/setup_environment.sh
View File

@ -177,19 +177,26 @@ esac
# Required to be defined by caller: Are we testing as root or a regular user # Required to be defined by caller: Are we testing as root or a regular user
case "$PRIV_NAME" in case "$PRIV_NAME" in
root) ;; root)
if [[ "$TEST_FLAVOR" = "sys" ]]; then
# Used in local image-scp testing
setup_rootless
echo "PODMAN_ROOTLESS_USER=$ROOTLESS_USER" >> /etc/ci_environment
fi
;;
rootless) rootless)
# load kernel modules since the rootless user has no permission to do so # load kernel modules since the rootless user has no permission to do so
modprobe ip6_tables || : modprobe ip6_tables || :
modprobe ip6table_nat || : modprobe ip6table_nat || :
# Needs to exist for setup_rootless()
ROOTLESS_USER="${ROOTLESS_USER:-some${RANDOM}dude}"
echo "ROOTLESS_USER=$ROOTLESS_USER" >> /etc/ci_environment
setup_rootless setup_rootless
;; ;;
*) die_unknown PRIV_NAME *) die_unknown PRIV_NAME
esac esac
if [[ -n "$ROOTLESS_USER" ]]; then
echo "ROOTLESS_USER=$ROOTLESS_USER" >> /etc/ci_environment
fi
# Required to be defined by caller: Are we testing podman or podman-remote client # Required to be defined by caller: Are we testing podman or podman-remote client
# shellcheck disable=SC2154 # shellcheck disable=SC2154
case "$PODBIN_NAME" in case "$PODBIN_NAME" in

4
hack/bats
View File

@ -98,6 +98,9 @@ if [[ -z "$CONTAINERS_HELPER_BINARY_DIR" ]]; then
export CONTAINERS_HELPER_BINARY_DIR=$(pwd)/bin export CONTAINERS_HELPER_BINARY_DIR=$(pwd)/bin
fi fi
# Used in 120-load test to identify rootless destination for podman image scp
export PODMAN_ROOTLESS_USER=$(id -un)
# Root # Root
if [ -z "$ROOTLESS_ONLY" ]; then if [ -z "$ROOTLESS_ONLY" ]; then
echo "# bats ${bats_filter[@]} $TESTS" echo "# bats ${bats_filter[@]} $TESTS"
@ -105,6 +108,7 @@ if [ -z "$ROOTLESS_ONLY" ]; then
--preserve-env=PODMAN_TEST_DEBUG \ --preserve-env=PODMAN_TEST_DEBUG \
--preserve-env=OCI_RUNTIME \ --preserve-env=OCI_RUNTIME \
--preserve-env=CONTAINERS_HELPER_BINARY_DIR \ --preserve-env=CONTAINERS_HELPER_BINARY_DIR \
--preserve-env=PODMAN_ROOTLESS_USER \
bats "${bats_opts[@]}" "${bats_filter[@]}" $TESTS bats "${bats_opts[@]}" "${bats_filter[@]}" $TESTS
rc=$? rc=$?
fi fi

106
test/system/120-load.bats
View File

@ -80,26 +80,94 @@ verify_iid_and_name() {
@test "podman image scp transfer" { @test "podman image scp transfer" {
skip_if_remote "only applicable under local podman" skip_if_remote "only applicable under local podman"
if is_ubuntu; then
skip "FIXME FIXME FIXME: this needs a big rewrite" skip "I don't have time to deal with this"
get_iid_and_name
if is_rootless; then
whoami=$(id -un)
# FIXME: first, test that we can sudo. If we can't, skip.
# FIXME: test 'scp $IMAGE root@localhost::'
# FIXME: then test the rest
# FIXME: check output
run_podman image scp $whoami@localhost::$iid root@localhost::
is "$output" "Loaded image.*: $iid" "...."
# FIXME: "-q" is a NOP
run_podman image scp -q $whoami@localhost::$iid root@localhost::
else
# root
# FIXME: identify a rootless user. DO NOT CREATE ONE.
run_podman image scp root@localhost::$iid 1000:1000@localhost::
fi fi
# The testing is the same whether we're root or rootless; all that
# differs is the destination (not-me) username.
if is_rootless; then
# Simple: push to root.
whoami=$(id -un)
notme=root
_sudo() { command sudo -n "$@"; }
else
# Harder: our CI infrastructure needs to define this & set up the acct
whoami=root
notme=${PODMAN_ROOTLESS_USER}
if [[ -z "$notme" ]]; then
skip "To run this test, set PODMAN_ROOTLESS_USER to a safe username"
fi
_sudo() { command sudo -n -u "$notme" "$@"; }
fi
# If we can't sudo, we can't test.
_sudo true || skip "cannot sudo to $notme"
# FIXME FIXME FIXME: it'd be reeeeeeally nice if we could pass --root
# to the non-self user, hence avoid vandalizing
# their storage.
# Preserve digest of original image; we will compare against it later
run_podman image inspect --format '{{.Digest}}' $IMAGE
src_digest=$output
# image name that is not likely to exist in the destination
newname=foo.bar/nonesuch/c_$(random_string 10 | tr A-Z a-z):mytag
run_podman tag $IMAGE $newname
# Copy it there.
# FIXME: the first '.*' in the expect string below is unfortunate; it's
# a workaround for Ubuntu which gripes:
# "warning.*defaulting to su since machinectl is not available"
# Reexamine this once #12829 is fixed
run_podman image scp $newname ${notme}@localhost::
is "$output" ".*Copying blob .*Copying config.*Writing manifest.*Storing signatures"
# confirm that image was copied. FIXME: also try $PODMAN image inspect?
_sudo $PODMAN image exists $newname
# Copy it back, this time using -q
run_podman untag $IMAGE $newname
run_podman image scp -q ${notme}@localhost::$newname
expect="Loaded image(s): $newname"
# FIXME FIXME FIXME: ubuntu has no machinectl, emits useless warning message instead
if ! is_rootless; then
# FIXME: root on fedora uses machinectl, which emits useless \n and \r (#12829)
NL=$'\n'
CR=$'\r'
expect="$NL$expect$CR"
fi
is "$output" "$expect" "-q silences output"
# Confirm that we have it, and that its digest matches our original
run_podman image inspect --format '{{.Digest}}' $newname
is "$output" "$src_digest" "Digest of re-fetched image matches original"
# Clean up
_sudo $PODMAN image rm $newname
run_podman untag $IMAGE $newname
# Negative test for nonexistent image.
# FIXME FIXME: cannot test on root, because it uses machinectl (#12829)
if is_rootless; then
# FIXME: error message is 2 lines, the 2nd being "exit status 125".
# FIXME: is that fixable, or do we have to live with it?
nope="nope.nope/nonesuch:notag"
run_podman 125 image scp ${notme}@localhost::$nope
is "$output" "Error: $nope: image not known.*" "Pulling nonexistent image"
run_podman 125 image scp $nope ${notme}@localhost::
is "$output" "Error: $nope: image not known.*" "Pushing nonexistent image"
fi
# Negative test for copying to a different name
run_podman 125 image scp $IMAGE ${notme}@localhost::newname:newtag
is "$output" "Error: cannot specify an image rename: invalid argument" \
"Pushing with a different name: not allowed"
# FIXME: any point in copying by image ID? What else should we test?
} }

8
test/system/272-system-connection.bats
View File

@ -124,10 +124,14 @@ $c2[ ]\+tcp://localhost:54321[ ]\+true" \
# If we have ssh access to localhost (unlikely in CI), test that. # If we have ssh access to localhost (unlikely in CI), test that.
@test "podman system connection - ssh" { @test "podman system connection - ssh" {
rand=$(random_string 20) # system connection only really works if we have an agent
echo $rand >$PODMAN_TMPDIR/testfile run ssh-add -l
test "$status" -eq 0 || skip "Not running under ssh-agent"
test "${#lines[@]}" -ge 1 || skip "ssh agent has no identities"
# Can we actually ssh to localhost? # Can we actually ssh to localhost?
rand=$(random_string 20)
echo $rand >$PODMAN_TMPDIR/testfile
run ssh -q -o BatchMode=yes \ run ssh -q -o BatchMode=yes \
-o UserKnownHostsFile=/dev/null \ -o UserKnownHostsFile=/dev/null \
-o StrictHostKeyChecking=no \ -o StrictHostKeyChecking=no \