runlabel: run any command

As discussed [1], the runlabel command should execute any command specified in a label. The reasoning behind is that we cannot restrict which options are passed to Podman which thereby has full access to the host (runlabels must be used with care). With the updated semantics, runlabel will substitute the commands with a basepath equal to "docker" or "podman" with "/proc/self/exe", and otherwise leave the command unchanged to execute any other command on the host. [1] https://github.com/containers/libpod/pull/1607#issuecomment-428321382 Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
2025-06-05 22:31:06 +08:00 · 2018-10-12 13:18:36 +02:00
parent cde41c0b84
commit 606a5cec8f
4 changed files with 190 additions and 11 deletions
--- a/test/e2e/runlabel_test.go
+++ b/test/e2e/runlabel_test.go
@ -0,0 +1,68 @@
+package integration
+
+import (
+	"fmt"
+	"os"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var PodmanDockerfile = `
+FROM  alpine:latest
+LABEL RUN podman --version`
+
+var LsDockerfile = `
+FROM  alpine:latest
+LABEL RUN ls -la`
+
+var _ = Describe("podman container runlabel", func() {
+	var (
+		tempdir    string
+		err        error
+		podmanTest PodmanTest
+	)
+
+	BeforeEach(func() {
+		tempdir, err = CreateTempDirInTempDir()
+		if err != nil {
+			os.Exit(1)
+		}
+		podmanTest = PodmanCreate(tempdir)
+		podmanTest.RestoreAllArtifacts()
+	})
+
+	AfterEach(func() {
+		podmanTest.Cleanup()
+		f := CurrentGinkgoTestDescription()
+		timedResult := fmt.Sprintf("Test: %s completed in %f seconds", f.TestText, f.Duration.Seconds())
+		GinkgoWriter.Write([]byte(timedResult))
+
+	})
+
+	It("podman container runlabel (podman --version)", func() {
+		image := "podman-runlabel-test:podman"
+		podmanTest.BuildImage(PodmanDockerfile, image, "false")
+
+		result := podmanTest.Podman([]string{"container", "runlabel", "RUN", image})
+		result.WaitWithDefaultTimeout()
+		Expect(result.ExitCode()).To(Equal(0))
+
+		result = podmanTest.Podman([]string{"rmi", image})
+		result.WaitWithDefaultTimeout()
+		Expect(result.ExitCode()).To(Equal(0))
+	})
+
+	It("podman container runlabel (ls -la)", func() {
+		image := "podman-runlabel-test:ls"
+		podmanTest.BuildImage(LsDockerfile, image, "false")
+
+		result := podmanTest.Podman([]string{"container", "runlabel", "RUN", image})
+		result.WaitWithDefaultTimeout()
+		Expect(result.ExitCode()).To(Equal(0))
+
+		result = podmanTest.Podman([]string{"rmi", image})
+		result.WaitWithDefaultTimeout()
+		Expect(result.ExitCode()).To(Equal(0))
+	})
+})