From 7848291d89c8d00836afa1e8fb3b972f0f395ba9 Mon Sep 17 00:00:00 2001 From: Toshiki Sonoda Date: Thu, 2 Feb 2023 18:18:28 +0900 Subject: [PATCH 1/4] system tests: fix volume exec/noexec test The return code is "126" in the current version of runc. Signed-off-by: Toshiki Sonoda --- test/system/160-volumes.bats | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/test/system/160-volumes.bats b/test/system/160-volumes.bats index dfc1a84137..df0f10c123 100644 --- a/test/system/160-volumes.bats +++ b/test/system/160-volumes.bats @@ -149,16 +149,11 @@ EOF # By default, volumes are mounted exec, but we have manually added the # noexec option. This should fail. - # ARGH. Unfortunately, runc (used for cgroups v1) produces a different error - local expect_rc=126 - local expect_msg='.* OCI permission denied.*' - if [[ $(podman_runtime) = "runc" ]]; then - expect_rc=1 - expect_msg='.* exec user process caused.*permission denied' - fi + run_podman 126 run --rm --volume $myvolume:/vol:noexec,z $IMAGE /vol/myscript - run_podman ${expect_rc} run --rm --volume $myvolume:/vol:noexec,z $IMAGE /vol/myscript - is "$output" "$expect_msg" "run on volume, noexec" + # crun and runc emit different messages, and even runc is inconsistent + # with itself (output changed some time in 2022?). Deal with all. + assert "$output" =~ 'permission denied' "run on volume, noexec" # With the default, it should pass run_podman run --rm -v $myvolume:/vol:z $IMAGE /vol/myscript From 0b309439f3f05799e0275b4483255fd60214a687 Mon Sep 17 00:00:00 2001 
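Review bot: The literal `126` on the new `run_podman 126 run --rm --volume $myvolume:/vol:noexec,z ...` line has no explanation, and the removed branch shows that runc used to exit 1 here. On an older runc this noexec enforcement check will therefore fail in a way that looks like a regression rather than a runtime-version difference. A comment above it such as `# 126 = found but not executable; older runc exited 1 here` would make that diagnosable. The looser `'permission denied'` match is only safe because the exit status and the exec-enabled control run that follows still tie the denial to the noexec option; I would say so in the new comment, since the substring alone would also match an unrelated permission error. The enclosing test starts and ends outside the hunk.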
From: Ed Santiago Date: Wed, 12 Oct 2022 06:25:57 -0600 Subject: [PATCH 2/4] system tests: health-on-failure: fix broken logic Basically, in the timeout loop where we checked for new CID on the restarted container, we were running 'podman inspect' (not 'inspect --format ID'), and comparing full hundred-line output against single-line CID string. While I'm in here, add 'c_' prefix to container to make it easier for my old eyes to recognize "oh, that's a container name" vs "is that a name? a SHA? a woozle?" Signed-off-by: Ed Santiago --- test/system/250-systemd.bats | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/test/system/250-systemd.bats b/test/system/250-systemd.bats index 1bf2472c58..56a3a19010 100644 --- a/test/system/250-systemd.bats +++ b/test/system/250-systemd.bats @@ -299,7 +299,7 @@ LISTEN_FDNAMES=listen_fdnames" | sort) img="healthcheck_i" _build_health_check_image $img - cname=$(random_string) + cname=c_$(random_string) run_podman create --name $cname \ --health-cmd /healthcheck \ --health-on-failure=kill \ @@ -330,7 +330,11 @@ LISTEN_FDNAMES=listen_fdnames" | sort) # Wait at most 10 seconds for the service to be restarted local timeout=10 while [[ $timeout -gt 1 ]]; do - run_podman '?' container inspect $cname + # Possible outcomes: + # - status 0, old container is still terminating: sleep and retry + # - status 0, new CID: yay, break + # - status 1, container not found: sleep and retry + run_podman '?' container inspect $cname --format '{{.ID}}' if [[ $status == 0 ]]; then if [[ "$output" != "$oldID" ]]; then break From 11edb39d63d0d646a05538904d8e1c5a26e7724e Mon Sep 17 00:00:00 2001 From: Toshiki Sonoda Date: Fri, 3 Feb 2023 14:41:06 +0900 Subject: [PATCH 3/4] system tests: fix noexistent labels test in the remote In the remote environment, this test will be failed, because an error message is different from the local environment. 
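Review bot: The new outcome comment in the `while [[ $timeout -gt 1 ]]` loop lists only status 0 and status 1, but `run_podman '?'` accepts every exit status. An unexpected failure of `container inspect $cname --format '{{.ID}}'` is thus treated like "container not found" and retried until the timeout. I would add a fourth bullet, `# - any other status: unexpected, fail immediately`, and fail the test when `$status` is neither 0 nor 1 so a broken inspect is not reported as a slow restart. Whether the test asserts that a new CID was actually seen once the loop expires is not visible, because the loop and the rest of the test continue outside the hunk.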
Signed-off-by: Toshiki Sonoda --- test/system/410-selinux.bats | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats index d437465a4f..71e253476a 100644 --- a/test/system/410-selinux.bats +++ b/test/system/410-selinux.bats @@ -209,7 +209,7 @@ function check_label() { # https://github.com/opencontainers/selinux/pull/148/commits/a5dc47f74c56922d58ead05d1fdcc5f7f52d5f4e # from failed to set /proc/self/attr/keycreate on procfs # to write /proc/self/attr/keycreate: invalid argument - runc) expect="OCI runtime error: .*: \(failed to set|write\) /proc/self/attr/keycreate" ;; + runc) expect=".*: \(failed to set\|write\) /proc/self/attr/keycreate.*" ;; *) skip "Unknown runtime '$runtime'";; esac From a1be9a4c0d85cf56bfe5b4e95409e646f4c5311b Mon Sep 17 00:00:00 2001 From: Ed Santiago Date: Mon, 8 Apr 2024 10:06:32 -0600 Subject: [PATCH 4/4] RHEL gating tests: skip some tests under runc Manual cherrypick of (portions of) #14972, for tests that don't work under runc. Signed-off-by: Ed Santiago --- test/system/200-pod.bats | 5 ++--- test/system/251-system-service.bats | 4 ++++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/test/system/200-pod.bats b/test/system/200-pod.bats index 8d884f6af7..d4148bcce4 100644 --- a/test/system/200-pod.bats +++ b/test/system/200-pod.bats @@ -474,9 +474,8 @@ spec: @test "pod resource limits" { skip_if_remote "resource limits only implemented on non-remote" - if is_rootless; then - skip "only meaningful for rootful" - fi + skip_if_rootless "resource limits only work with root" + skip_if_cgroupsv1 "resource limits only meaningful on cgroups V2" local name1="resources1" run_podman --cgroup-manager=systemd pod create --name=$name1 --cpus=5 --memory=10m diff --git a/test/system/251-system-service.bats b/test/system/251-system-service.bats index edee4a28c4..197d1cb18e 100644 --- a/test/system/251-system-service.bats +++ b/test/system/251-system-service.bats 
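Review bot: The rewritten `runc)` pattern changes two things, but the commit message explains only one. It drops the `OCI runtime error: ` prefix for the remote case, and it also turns the previously unescaped `|` into `\|`, which changes how the alternation is interpreted. The comment block above the line still describes only the keycreate wording change, so I would add `# remote reports a different prefix than "OCI runtime error:", so match only from the colon onward`. The leading `.*:` now accepts any prefix, so the check is tied only to the keycreate text. `\|` is a GNU extension in basic regular expressions, which matters if `expect` is matched as a basic regex further down. The `case` statement and the code that consumes `expect` are outside the hunk.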
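Review bot: `skip_if_cgroupsv1` keys the new skip on the cgroup version, while the commit title describes these as tests that do not work under runc. The two conditions are not the same, and nothing in the hunk records which one makes the pod `--cpus`/`--memory` limits untestable. A one-line comment above the skip, for example `# limits are only verifiable on cgroups v2; v1 hosts are skipped`, would state the reason; adjust the wording to what the test body, which is outside the hunk, actually checks. Resource limits are a containment control, so it is worth being explicit about which configurations no longer exercise this test.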
@@ -17,6 +17,10 @@ function teardown() { @test "podman-system-service containers survive service stop" { skip_if_remote "podman system service unavailable over remote" + local runtime=$(podman_runtime) + if [[ "$runtime" != "crun" ]]; then + skip "survival code only implemented in crun; you're using $runtime" + fi port=$(random_free_port) URL=tcp://127.0.0.1:$port
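Review bot: `local runtime=$(podman_runtime)` masks the exit status of `podman_runtime`, because `local` itself succeeds. If the helper fails, `runtime` is empty and the test is skipped with "you're using " instead of failing, which silently removes coverage. Declare and assign separately: `local runtime` followed by `runtime=$(podman_runtime)`. The test body continues outside the hunk.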