Vendor in latest containers/common with default capabilities

Also update vendor of containers/storage and image

Clean up display of added/dropped capabilities as well

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2022-12-06 19:49:31 -05:00
parent 1cc22631f6
commit 3718ac8e96
141 changed files with 2344 additions and 1555 deletions


@@ -6,12 +6,10 @@
default_capabilities = [
"CHOWN",
"DAC_OVERRIDE",
"FOWNER",
"FSETID",
"KILL",
"MKNOD",
"NET_BIND_SERVICE",
"SETGID",
"SETPCAP",
"SETUID",
]
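Review bot: The list as shown still contains "MKNOD" while the bounding-set mask the run tests now assert, `00000000800005fb`, decodes to CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE and SETFCAP with bit 27 (CAP_MKNOD) clear and bit 31 (CAP_SETFCAP) set, so this file and the built-in default of containers/common differ in two entries. Presumably this is the test-suite's own containers.conf and is only loaded by the "containers.conf usage" tests rather than by the CapBnd tests, but that is not stated anywhere. A comment above the list such as `# Intentionally differs from the containers/common built-in default (keeps MKNOD, omits SETFCAP) so the containers.conf tests can tell the two apart` would save the next reader from reconciling the masks by hand. Which two entries the hunk removed (12 -> 10 lines) is not recoverable from this rendered page.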


@@ -113,8 +113,8 @@ var _ = Describe("Verify podman containers.conf usage", func() {
Expect(result).Should(Exit(0))
Expect(result.Out.Contents()).To(
And(
ContainSubstring("SYS_CHROOT"),
ContainSubstring("NET_RAW"),
ContainSubstring("FOWNER"),
ContainSubstring("SETFCAP"),
))
})
@@ -130,8 +130,8 @@ var _ = Describe("Verify podman containers.conf usage", func() {
Expect(result).Should(Exit(0))
Expect(result.Out.Contents()).ToNot(
And(
ContainSubstring("SYS_CHROOT"),
ContainSubstring("NET_RAW"),
ContainSubstring("SETUID"),
ContainSubstring("FOWNER"),
))
})
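Review bot: The negative assertion in the second hunk is `ToNot(And(...))`, which only fails when every listed capability is present, so it passes as soon as a single one is absent and does not prove that the dropped capabilities are gone. To assert that none of them appears, either use `Expect(result.Out.Contents()).ToNot(Or(ContainSubstring("SYS_CHROOT"), ...))` or emit one `Expect(...).ToNot(ContainSubstring(...))` per capability. Which of the four strings survive on the new side cannot be recovered from this rendered page, but the `ToNot(`/`And(` structure is context on both sides. The enclosing Describe block starts and ends outside both hunks.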


@@ -69,6 +69,7 @@ var _ = Describe("Podman generate kube", func() {
Expect(pod.Spec.SecurityContext).To(BeNil())
Expect(pod.Spec.DNSConfig).To(BeNil())
Expect(pod.Spec.Containers[0]).To(HaveField("WorkingDir", ""))
Expect(pod.Spec.Containers[0].SecurityContext).To(BeNil())
Expect(pod.Spec.Containers[0].Env).To(BeNil())
Expect(pod).To(HaveField("Name", "top-pod"))


@@ -514,7 +514,7 @@ var _ = Describe("Podman inspect", func() {
It("Dropped capabilities are sorted", func() {
ctrName := "testCtr"
session := podmanTest.Podman([]string{"run", "-d", "--cap-drop", "CAP_AUDIT_WRITE", "--cap-drop", "CAP_MKNOD", "--cap-drop", "CAP_NET_RAW", "--name", ctrName, ALPINE, "top"})
session := podmanTest.Podman([]string{"run", "-d", "--cap-drop", "SETUID", "--cap-drop", "SETGID", "--cap-drop", "CAP_NET_BIND_SERVICE", "--name", ctrName, ALPINE, "top"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
@@ -525,9 +525,26 @@ var _ = Describe("Podman inspect", func() {
data := inspect.InspectContainerToJSON()
Expect(data).To(HaveLen(1))
Expect(data[0].HostConfig.CapDrop).To(HaveLen(3))
Expect(data[0].HostConfig.CapDrop[0]).To(Equal("CAP_AUDIT_WRITE"))
Expect(data[0].HostConfig.CapDrop[1]).To(Equal("CAP_MKNOD"))
Expect(data[0].HostConfig.CapDrop[2]).To(Equal("CAP_NET_RAW"))
Expect(data[0].HostConfig.CapDrop[0]).To(Equal("CAP_NET_BIND_SERVICE"))
Expect(data[0].HostConfig.CapDrop[1]).To(Equal("CAP_SETGID"))
Expect(data[0].HostConfig.CapDrop[2]).To(Equal("CAP_SETUID"))
})
It("Add capabilities are sorted", func() {
ctrName := "testCtr"
session := podmanTest.Podman([]string{"run", "-d", "--cap-add", "SYS_ADMIN", "--cap-add", "CAP_NET_ADMIN", "--name", ctrName, ALPINE, "top"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
inspect := podmanTest.Podman([]string{"inspect", ctrName})
inspect.WaitWithDefaultTimeout()
Expect(inspect).Should(Exit(0))
data := inspect.InspectContainerToJSON()
Expect(data).To(HaveLen(1))
Expect(data[0].HostConfig.CapAdd).To(HaveLen(2))
Expect(data[0].HostConfig.CapAdd[0]).To(Equal("CAP_NET_ADMIN"))
Expect(data[0].HostConfig.CapAdd[1]).To(Equal("CAP_SYS_ADMIN"))
})
It("podman inspect container with GO format for PidFile", func() {
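Review bot: Both capability tests now only use capabilities that are inside the new default set (SETUID, SETGID, NET_BIND_SERVICE on the drop side), so nothing pins the "cleanup display" behaviour the commit message describes for a `--cap-drop` of a capability that is no longer a default, which is exactly the case the old test exercised with CAP_NET_RAW and CAP_AUDIT_WRITE. Add one case that drops a non-default capability, e.g. `"--cap-drop", "CAP_NET_RAW"`, and asserts whether it is present in `HostConfig.CapDrop`, so a future change to the default list cannot silently alter what inspect reports. Mixing the bare `SYS_ADMIN` and prefixed `CAP_NET_ADMIN` forms in the add test is a good normalization check; a short comment saying that is the intent, `// bare and CAP_-prefixed forms must normalize to the same sorted output`, would stop someone from "tidying" it. The enclosing Describe block continues outside the hunk.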


@@ -62,11 +62,6 @@ spec:
resources: {}
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- CAP_MKNOD
- CAP_NET_RAW
- CAP_AUDIT_WRITE
privileged: false
readOnlyRootFilesystem: false
seLinuxOptions: {}


@@ -423,11 +423,6 @@ spec:
name: test
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- CAP_MKNOD
- CAP_NET_RAW
- CAP_AUDIT_WRITE
privileged: false
readOnlyRootFilesystem: false
seLinuxOptions:
@@ -4463,12 +4458,6 @@ spec:
- "1000"
image: non-existing-image
name: vol-test-3
securityContext:
capabilities:
drop:
- CAP_MKNOD
- CAP_NET_RAW
- CAP_AUDIT_WRITE
`
// the image is incorrect so the kube play will fail, but it will clean up the pod that was created for it before the failure happened


@@ -411,7 +411,7 @@ var _ = Describe("Podman pod create", func() {
Expect(session.ErrorToString()).To(ContainSubstring("extra host entries must be specified on the pod: network cannot be configured when it is shared with a pod"))
// verify we can see the pods hosts
session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "ping", "-c", "1", "host1"})
session = podmanTest.Podman([]string{"run", "--cap-add", "net_raw", "--pod", podID, ALPINE, "ping", "-c", "1", "host1"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
})


@@ -434,7 +434,7 @@ EXPOSE 2004-2005/tcp`, ALPINE)
})
It("podman run slirp4netns network with host loopback", func() {
session := podmanTest.Podman([]string{"run", "--network", "slirp4netns:allow_host_loopback=true", ALPINE, "ping", "-c1", "10.0.2.2"})
session := podmanTest.Podman([]string{"run", "--cap-add", "net_raw", "--network", "slirp4netns:allow_host_loopback=true", ALPINE, "ping", "-c1", "10.0.2.2"})
session.Wait(30)
Expect(session).Should(Exit(0))
})
@@ -451,7 +451,7 @@ EXPOSE 2004-2005/tcp`, ALPINE)
Expect(slirp4netnsHelp).Should(Exit(0))
networkConfiguration := "slirp4netns:cidr=192.168.0.0/24,allow_host_loopback=true"
session := podmanTest.Podman([]string{"run", "--network", networkConfiguration, ALPINE, "ping", "-c1", "192.168.0.2"})
session := podmanTest.Podman([]string{"run", "--cap-add", "net_raw", "--network", networkConfiguration, ALPINE, "ping", "-c1", "192.168.0.2"})
session.Wait(30)
if strings.Contains(slirp4netnsHelp.OutputToString(), "cidr") {
@@ -988,11 +988,11 @@ EXPOSE 2004-2005/tcp`, ALPINE)
pingTest := func(netns string) {
hostname := "testctr"
run := podmanTest.Podman([]string{"run", netns, "--hostname", hostname, ALPINE, "ping", "-c", "1", hostname})
run := podmanTest.Podman([]string{"run", netns, "--cap-add", "net_raw", "--hostname", hostname, ALPINE, "ping", "-c", "1", hostname})
run.WaitWithDefaultTimeout()
Expect(run).Should(Exit(0))
run = podmanTest.Podman([]string{"run", netns, "--hostname", hostname, "--name", "test", ALPINE, "ping", "-c", "1", "test"})
run = podmanTest.Podman([]string{"run", netns, "--cap-add", "net_raw", "--hostname", hostname, "--name", "test", ALPINE, "ping", "-c", "1", "test"})
run.WaitWithDefaultTimeout()
Expect(run).Should(Exit(0))
}
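Review bot: The reason for the new `--cap-add net_raw` on every ping invocation is not recorded anywhere in this file, and it is the kind of argument a later cleanup is likely to remove; add a one-line comment where `pingTest` and the slirp4netns tests build their argument lists, e.g. `// NET_RAW is no longer in the default capability set; busybox ping needs it for its raw ICMP socket`. The lowercase `net_raw` also differs from the `CAP_NET_BIND_SERVICE`/`CAP_NET_RAW` spelling used by the inspect tests in this commit; either form works, but picking one per test tree makes grepping for capability-dependent tests reliable. The enclosing Describe and the `pingTest` closure start outside the hunks.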


@@ -94,7 +94,7 @@ var _ = Describe("Podman generate kube", func() {
test1.WaitWithDefaultTimeout()
Expect(test1).Should(Exit(0))
commit := podmanTest.Podman([]string{"commit", "-c", "label=io.containers.capabilities=sys_chroot,setuid", "test1", "image1"})
commit := podmanTest.Podman([]string{"commit", "-c", "label=io.containers.capabilities=setgid,setuid", "test1", "image1"})
commit.WaitWithDefaultTimeout()
Expect(commit).Should(Exit(0))
@@ -108,7 +108,7 @@ var _ = Describe("Podman generate kube", func() {
ctr := inspect.InspectContainerToJSON()
caps := strings.Join(ctr[0].EffectiveCaps, ",")
Expect(caps).To(Equal("CAP_SETUID,CAP_SYS_CHROOT"))
Expect(caps).To(Equal("CAP_SETGID,CAP_SETUID"))
})
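Review bot: The `io.containers.capabilities` label test only uses capabilities that are already in the default set, and the change from `sys_chroot` to `setgid` suggests the label can only select from the defaults rather than add to them; that restriction is the security-relevant property here and nothing pins it. Add a case that commits with a label naming a capability outside the new defaults, e.g. `label=io.containers.capabilities=sys_chroot,setuid`, and asserts `EffectiveCaps` comes back as `CAP_SETUID` alone, so an image label can never be used to widen a container's capabilities. Whether the label is filtered against the defaults or rejected is not visible on this page and should be confirmed against the implementation before writing the expected value. The enclosing It block starts outside the hunks.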


@@ -495,7 +495,7 @@ var _ = Describe("Podman run", func() {
session := podmanTest.Podman([]string{"run", "--rm", "--user", "bin", ALPINE, "grep", "CapBnd", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb"))
session = podmanTest.Podman([]string{"run", "--rm", "--user", "bin", ALPINE, "grep", "CapEff", "/proc/self/status"})
session.WaitWithDefaultTimeout()
@@ -510,12 +510,12 @@ var _ = Describe("Podman run", func() {
session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapBnd", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb"))
session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapEff", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb"))
session = podmanTest.Podman([]string{"run", "--rm", "--user", "root", ALPINE, "grep", "CapInh", "/proc/self/status"})
session.WaitWithDefaultTimeout()
@@ -525,12 +525,12 @@ var _ = Describe("Podman run", func() {
session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapBnd", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb"))
session = podmanTest.Podman([]string{"run", "--rm", ALPINE, "grep", "CapEff", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb"))
session = podmanTest.Podman([]string{"run", "--user=1000:1000", "--cap-add=DAC_OVERRIDE", "--rm", ALPINE, "grep", "CapAmb", "/proc/self/status"})
session.WaitWithDefaultTimeout()
@@ -598,7 +598,7 @@ USER bin`, BB)
session := podmanTest.Podman([]string{"run", "--rm", "--user", "bin", "test", "grep", "CapBnd", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
Expect(session.OutputToString()).To(ContainSubstring("00000000a80425fb"))
Expect(session.OutputToString()).To(ContainSubstring("00000000800005fb"))
session = podmanTest.Podman([]string{"run", "--rm", "--user", "bin", "test", "grep", "CapEff", "/proc/self/status"})
session.WaitWithDefaultTimeout()
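Review bot: The new expected mask `00000000800005fb` is a magic number repeated seven times, and the next change to the default capability list will have to be re-derived by hand; add a decoding comment at the first occurrence, `// 0x800005fb = CHOWN|DAC_OVERRIDE|FOWNER|FSETID|KILL|SETGID|SETUID|SETPCAP|NET_BIND_SERVICE|SETFCAP (bits 0,1,3-8,10,31)`, ideally as a named constant used by every assertion. The old value differed exactly by NET_RAW (bit 13), SYS_CHROOT (bit 18), MKNOD (bit 27) and AUDIT_WRITE (bit 29), which is worth stating in the same comment so the review of this commit is reconstructible from the test. The It blocks these hunks cut through start and end outside them.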


@@ -262,10 +262,10 @@ EOF
t0=$(date --iso-8601=seconds)
CONTAINERS_CONF=$containersConf run_podman create --name=$cname $IMAGE
run_podman container inspect --size=true $cname
CONTAINERS_CONF=$containersConf run_podman container inspect --size=true $cname
inspect_json=$(jq -r --tab . <<< "$output")
run_podman --events-backend=$1 events \
CONTAINERS_CONF=$containersConf run_podman --events-backend=$1 events \
--since="$t0" \
--filter=status=$cname \
--filter=status=create \
@@ -276,7 +276,7 @@ EOF
# Make sure that the inspect data doesn't show by default in
# podman-events.
run_podman --events-backend=$1 events \
CONTAINERS_CONF=$containersConf run_podman --events-backend=$1 events \
--since="$t0" \
--filter=status=$cname \
--filter=status=create \
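Review bot: Prefixing `CONTAINERS_CONF=$containersConf` onto the inspect and both events calls is necessary but the reason is not stated; a comment before the first of them, `# inspect and events must load the same containers.conf as create, otherwise the default capability set (and hence the inspect payload being compared) differs`, would keep someone from dropping the prefix as redundant. Presumably the comparison between `$inspect_json` and the events output is what breaks without it; if any further `run_podman` call in this test outside the hunk also renders container config, it needs the same prefix. The test function starts and ends outside the hunks.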


@@ -5,8 +5,8 @@
load helpers
# standard capability drop list
capabilities='{"drop":["CAP_MKNOD","CAP_NET_RAW","CAP_AUDIT_WRITE"]}'
# capability drop list
capabilities='{"drop":["CAP_FOWNER","CAP_SETFCAP"]}'
# Warning that is emitted once on containers, multiple times on pods
kubernetes_63='Truncation Annotation: .* Kubernetes only allows 63 characters'
@@ -31,7 +31,7 @@ json.dump(yaml.safe_load(sys.stdin), sys.stdout)'
@test "podman kube generate - container" {
cname=c$(random_string 15)
run_podman container create --name $cname $IMAGE top
run_podman container create --cap-drop fowner --cap-drop setfcap --name $cname $IMAGE top
run_podman kube generate $cname
# Convert yaml to json, and dump to stdout (to help in case of errors)
@@ -95,7 +95,7 @@ status | = | null
run_podman 125 kube generate $pname
assert "$output" =~ "Error: .* only has an infra container"
run_podman container create --name $cname1 --pod $pname $IMAGE top
run_podman container create --cap-drop fowner --cap-drop setfcap --name $cname1 --pod $pname $IMAGE top
run_podman container create --name $cname2 --pod $pname $IMAGE bottom
run_podman kube generate $pname
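Review bot: The expected JSON `{"drop":["CAP_FOWNER","CAP_SETFCAP"]}` and the `--cap-drop fowner --cap-drop setfcap` flags on both `container create` lines encode the same two capabilities in three places with nothing tying them together, so the next edit to one will silently desynchronize the others. Either derive both from one variable, or at least annotate the definition: `# capability drop list; must match the --cap-drop flags passed to container create below`. The existing comment `# capability drop list` lost the word "standard", which is correct now that the list is test-chosen rather than podman's default, but it should say so.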