From 5eb801a5621ab2e37dd2ae6bb72f169f12d47b79 Mon Sep 17 00:00:00 2001 From: Ed Santiago Date: Mon, 12 Feb 2024 06:50:35 -0700 Subject: [PATCH] Bump CI VMs to ones with netavark 1.10.3 And, runc-1.12 broke our seccomp e2e tests (runc now calls getcwd(), which is the dummy syscall blocked for testing seccomp). Switch to blocking link() instead. Also, disable v4.1.0 upgrade tests. They're hanging, and I have no idea why, and have wasted most of a day debugging. Fixes: #21546 Signed-off-by: Ed Santiago --- .cirrus.yml | 6 +++--- test/e2e/play_kube_test.go | 14 +++++++------- test/e2e/run_networking_test.go | 3 --- test/e2e/run_test.go | 32 +++++++++++++++++++++----------- 4 files changed, 31 insertions(+), 24 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index db5ceffc5d..b26568939a 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -33,7 +33,7 @@ env: DEBIAN_NAME: "debian-13" # Image identifiers - IMAGE_SUFFIX: "c20240201t143038z-f39f38d13" + IMAGE_SUFFIX: "c20240212t122113z-f39f38d13" # EC2 images @@ -1010,8 +1010,8 @@ upgrade_test_task: - build - local_system_test matrix: - - env: - PODMAN_UPGRADE_FROM: v4.1.0 +# - env: +# PODMAN_UPGRADE_FROM: v4.1.0 - env: PODMAN_UPGRADE_FROM: v4.8.0 gce_instance: *standardvm diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go index efa61a9794..35f12a3b42 100644 --- a/test/e2e/play_kube_test.go +++ b/test/e2e/play_kube_test.go @@ -1248,7 +1248,7 @@ var ( defaultConfigMapName = "testConfigMap" defaultSecretName = "testSecret" defaultPVCName = "testPVC" - seccompPwdEPERM = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`) + seccompLinkEPERM = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"link","action":"SCMP_ACT_ERRNO"}]}`) // CPU Period in ms defaultCPUPeriod = 100 // Default secret in JSON. Note that the values ("foo" and "bar") are base64 encoded. 
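Review bot: The commented-out `PODMAN_UPGRADE_FROM: v4.1.0` matrix entry in the `upgrade_test_task` hunk carries no hint in the file itself of why it is disabled or what would allow it back; the rationale lives only in the commit message, where it is stated as not understood. A marker line directly above the two commented lines, `# FIXME: v4.1.0 upgrade test hangs; re-enable once <tracking issue> is resolved`, keeps the reason next to the config, and the tracking issue should replace the placeholder as soon as one exists. Without it the entry reads as dead configuration and is likely to be deleted rather than re-enabled.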
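Review bot: The new `seccompLinkEPERM` profile denies only the `link` syscall, but whether `ln` in the ALPINE image ever issues it depends on libc and architecture: musl's `link()` is built on `linkat` on kernels whose syscall table has no `link` entry (arm64 is one), so on such a host the hard link would succeed and the `Operation not permitted` assertions would fail for a reason unrelated to seccomp. Denying both keeps the test meaningful everywhere: `seccompLinkEPERM = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"link","action":"SCMP_ACT_ERRNO"},{"name":"linkat","action":"SCMP_ACT_ERRNO"}]}`)`. The identical profile literal is duplicated in `forbidLinkSeccompProfile` in the test/e2e/run_test.go hunk at -361,8 and needs the same change; if the two files are in the same test package, having that closure reuse this variable would stop them drifting. The enclosing `var (` block begins and ends outside this hunk.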
@@ -3016,14 +3016,14 @@ var _ = Describe("Podman kube play", func() {
 It("seccomp container level", func() {
 SkipIfRemote("podman-remote does not support --seccomp-profile-root flag")
 // expect kube play is expected to set a seccomp label if it's applied as an annotation
- jsonFile, err := podmanTest.CreateSeccompJSON(seccompPwdEPERM)
+ jsonFile, err := podmanTest.CreateSeccompJSON(seccompLinkEPERM)
 if err != nil {
 GinkgoWriter.Println(err)
 Skip("Failed to prepare seccomp.json for test.")
 }
 ctrAnnotation := "container.seccomp.security.alpha.kubernetes.io/" + defaultCtrName
- ctr := getCtr(withCmd([]string{"pwd"}), withArg(nil))
+ ctr := getCtr(withCmd([]string{"ln"}), withArg([]string{"/etc/motd", "/noneShallPass"}))
 pod := getPod(withCtr(ctr), withAnnotation(ctrAnnotation, "localhost/"+filepath.Base(jsonFile)))
 err = generateKubeYaml("pod", pod, kubeYaml)
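Review bot: The link target `/noneShallPass` passed to `withArg` here is spelled out again in the `ContainSubstring` assertion of the following hunk, so a rename in one place silently weakens the other. A single local such as `const lnTarget = "/noneShallPass"` used for both `withArg([]string{"/etc/motd", lnTarget})` and the expected `"ln: " + lnTarget + ": Operation not permitted"` keeps the command and the expectation in step; the pod-level test has the same pair with `/noPodsShallPass`. The `It("seccomp container level", ...)` body continues past the end of this hunk.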
@@ -3042,20 +3042,20 @@ var _ = Describe("Podman kube play", func() {
 logs := podmanTest.Podman([]string{"logs", ctrName})
 logs.WaitWithDefaultTimeout()
 Expect(logs).Should(Exit(0), "podman logs %s", ctrName)
- Expect(logs.ErrorToString()).To(ContainSubstring("getcwd: Operation not permitted"))
+ Expect(logs.ErrorToString()).To(ContainSubstring("ln: /noneShallPass: Operation not permitted"))
 })
 It("seccomp pod level", func() {
 SkipIfRemote("podman-remote does not support --seccomp-profile-root flag")
 // expect kube play is expected to set a seccomp label if it's applied as an annotation
- jsonFile, err := podmanTest.CreateSeccompJSON(seccompPwdEPERM)
+ jsonFile, err := podmanTest.CreateSeccompJSON(seccompLinkEPERM)
 if err != nil {
 GinkgoWriter.Println(err)
 Skip("Failed to prepare seccomp.json for test.")
 }
 defer os.Remove(jsonFile)
- ctr := getCtr(withCmd([]string{"pwd"}), withArg(nil))
+ ctr := getCtr(withCmd([]string{"ln"}), withArg([]string{"/etc/motd", "/noPodsShallPass"}))
 pod := getPod(withCtr(ctr), withAnnotation("seccomp.security.alpha.kubernetes.io/pod", "localhost/"+filepath.Base(jsonFile)))
 err = generateKubeYaml("pod", pod, kubeYaml)
@@ -3074,7 +3074,7 @@ var _ = Describe("Podman kube play", func() {
 logs := podmanTest.Podman([]string{"logs", podName})
 logs.WaitWithDefaultTimeout()
 Expect(logs).Should(Exit(0))
- Expect(logs.ErrorToString()).To(ContainSubstring("Operation not permitted"))
+ Expect(logs.ErrorToString()).To(ContainSubstring("ln: /noPodsShallPass: Operation not permitted"))
 })
 It("with pull policy of never should be 125", func() {
diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go
index 42b25e80b2..b854e76010 100644
--- a/test/e2e/run_networking_test.go
+++ b/test/e2e/run_networking_test.go
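Review bot: The tightened expectation `ln: /noneShallPass: Operation not permitted` pins busybox's exact error wording; GNU coreutils' `ln` phrases the same EPERM failure differently (roughly `failed to create hard link '…' => '…': Operation not permitted`), so a change of test image would fail this assertion for a reason unrelated to seccomp. If that matters, two checks — `Expect(logs.ErrorToString()).To(ContainSubstring("/noneShallPass"))` and `Expect(logs.ErrorToString()).To(ContainSubstring("Operation not permitted"))` — express the same intent independently of the formatter. The same applies to the -3074,7 hunk below and to the two assertions in the run_test.go hunk at -517,17. The `It("seccomp pod level", ...)` body opened in this hunk continues beyond it.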
@@ -24,7 +24,6 @@ var _ = Describe("Podman run networking", func() { hostname, _ := os.Hostname() It("podman verify network scoped DNS server and also verify updating network dns server", func() { - Skip("FIXME: needs netavark > 1.10.2, available >= 2024-02-02") // Following test is only functional with netavark and aardvark SkipIfCNI(podmanTest) net := createNetworkName("IntTest") @@ -72,8 +71,6 @@ var _ = Describe("Podman run networking", func() { }) It("podman network dns multiple servers", func() { - Skip("FIXME: needs netavark > 1.10.2, available >= 2024-02-02") - // Following test is only functional with netavark and aardvark SkipIfCNI(podmanTest) net := createNetworkName("IntTest") diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 2ca307c0b6..ef7fc1bd8b 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -361,8 +361,8 @@ var _ = Describe("Podman run", func() { Expect(conData[0].Config.Annotations).To(Not(HaveKey("io.podman.annotations.init"))) }) - forbidGetCWDSeccompProfile := func() string { - in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`) + forbidLinkSeccompProfile := func() string { + in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"link","action":"SCMP_ACT_ERRNO"}]}`) jsonFile, err := podmanTest.CreateSeccompJSON(in) if err != nil { GinkgoWriter.Println(err) 
@@ -517,17 +517,27 @@ var _ = Describe("Podman run", func() {
 })
 It("podman run seccomp test", func() {
- session := podmanTest.Podman([]string{"run", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
- session.WaitWithDefaultTimeout()
- Expect(session).To(ExitWithError())
- Expect(session.ErrorToString()).To(ContainSubstring("Operation not permitted"))
- })
+ secOpts := []string{"--security-opt", strings.Join([]string{"seccomp=", forbidLinkSeccompProfile()}, "")}
+ cmd := []string{ALPINE, "ln", "/etc/motd", "/linkNotAllowed"}
- It("podman run seccomp test --privileged", func() {
- session := podmanTest.Podman([]string{"run", "--privileged", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
+ // Without seccomp, this should succeed
+ session := podmanTest.Podman(append([]string{"run"}, cmd...))
 session.WaitWithDefaultTimeout()
- Expect(session).To(ExitWithError())
- Expect(session.ErrorToString()).To(ContainSubstring("Operation not permitted"))
+ Expect(session).To(ExitCleanly())
+
+ // With link syscall blocked, should fail
+ cmd = append(secOpts, cmd...)
+ session = podmanTest.Podman(append([]string{"run"}, cmd...))
+ session.WaitWithDefaultTimeout()
+ Expect(session).To(Exit(1))
+ Expect(session.ErrorToString()).To(ContainSubstring("ln: /linkNotAllowed: Operation not permitted"))
+
+ // ...even with --privileged
+ cmd = append([]string{"--privileged"}, cmd...)
+ session = podmanTest.Podman(append([]string{"run"}, cmd...))
+ session.WaitWithDefaultTimeout()
+ Expect(session).To(Exit(1))
+ Expect(session.ErrorToString()).To(ContainSubstring("ln: /linkNotAllowed: Operation not permitted"))
 })
 It("podman run seccomp test --privileged no profile should be unconfined", func() {
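Review bot: `strings.Join([]string{"seccomp=", forbidLinkSeccompProfile()}, "")` in the new `secOpts` line is plain concatenation written the long way; `secOpts := []string{"--security-opt", "seccomp=" + forbidLinkSeccompProfile()}` says what it does. The expected message `ln: /linkNotAllowed: Operation not permitted` is also spelled out twice and the target path a third time in `cmd`; a local `lnTarget := "/linkNotAllowed"` used to build both the command and the expectation keeps the three from drifting. The hard-coded `Exit(1)` is busybox's exit status for a failed `ln`, which is worth a short comment since the old code accepted any non-zero exit via `ExitWithError()`.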