Merge pull request #16237 from alexlarsson/quadlet-updates

Various quadlet updates
2025-12-07 22:32:46 +08:00 · 2022-10-26 04:05:40 -04:00
parent 02fc9eb78e bac907abf8
commit ac8b401c48
16 changed files with 157 additions and 41 deletions
--- a/test/e2e/quadlet/basepodman.container
+++ b/test/e2e/quadlet/basepodman.container
@@ -1,10 +1,10 @@
-## assert-podman-final-args run --name=systemd-%N --cidfile=%t/%N.cid --replace --rm -d --log-driver journald --pull=never --runtime /usr/bin/crun --cgroups=split --sdnotify=conmon imagename
+## assert-podman-final-args run --name=systemd-%N --cidfile=%t/%N.cid --replace --rm -d --log-driver passthrough --pull=never --runtime /usr/bin/crun --cgroups=split --sdnotify=conmon imagename

 [Container]
 Image=imagename

 # Disable all default features to get as empty podman run command as we can
-RemapUsers=no
+ReadOnly=no
 NoNewPrivileges=no
 DropCapability=
 RunInit=no
--- a/test/e2e/quadlet/basic.container
+++ b/test/e2e/quadlet/basic.container
@@ -4,7 +4,7 @@
 ## assert-podman-args "--rm"
 ## assert-podman-args "--replace"
 ## assert-podman-args "-d"
-## assert-podman-args "--log-driver" "journald"
+## assert-podman-args "--log-driver" "passthrough"
 ## assert-podman-args "--pull=never"
 ## assert-podman-args "--init"
 ## assert-podman-args "--runtime" "/usr/bin/crun"
@@ -12,7 +12,8 @@
 ## assert-podman-args "--sdnotify=conmon"
 ## assert-podman-args "--security-opt=no-new-privileges"
 ## assert-podman-args "--cap-drop=all"
-## assert-podman-args "--tmpfs" "/tmp:rw,size=512M,mode=1777"
+## assert-podman-args "--read-only"
+## !assert-podman-args "--read-only-tmpfs=false"
 ## assert-key-is "Unit" "RequiresMountsFor" "%t/containers"
 ## assert-key-is "Service" "KillMode" "mixed"
 ## assert-key-is "Service" "Delegate" "yes"
--- a/test/e2e/quadlet/capabilities.container
+++ b/test/e2e/quadlet/capabilities.container
@@ -1,8 +1,11 @@
-## assert-podman-args "--cap-drop=all"
+## !assert-podman-args "--cap-drop=all"
 ## assert-podman-args "--cap-add=cap_dac_override"
+## assert-podman-args "--cap-add=cap_audit_write"
 ## assert-podman-args "--cap-add=cap_ipc_owner"

 [Container]
 Image=imagename
-AddCapability=CAP_DAC_OVERRIDE
+# Verify that we can reset to the default cap set
+DropCapability=
+AddCapability=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
 AddCapability=CAP_IPC_OWNER
--- a/test/e2e/quadlet/capabilities2.container
+++ b/test/e2e/quadlet/capabilities2.container
@@ -0,0 +1,9 @@
+## !assert-podman-args "--cap-drop=all"
+## assert-podman-args "--cap-drop=cap_dac_override"
+## assert-podman-args "--cap-drop=cap_audit_write"
+## assert-podman-args "--cap-drop=cap_ipc_owner"
+
+[Container]
+Image=localhost/imagename
+DropCapability=CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+DropCapability=CAP_IPC_OWNER
--- a/test/e2e/quadlet/devices.container
+++ b/test/e2e/quadlet/devices.container
@@ -0,0 +1,7 @@
+## assert-podman-args --device=/dev/fuse
+## assert-podman-args --device=/dev/loop0:r
+
+[Container]
+Image=localhost/imagename
+AddDevice=/dev/fuse
+AddDevice=/dev/loop0:r
--- a/test/e2e/quadlet/network.container
+++ b/test/e2e/quadlet/network.container
@@ -0,0 +1,5 @@
+## assert-podman-args "--network=host"
+
+[Container]
+Image=localhost/imagename
+Network=host
--- a/test/e2e/quadlet/noimage.container
+++ b/test/e2e/quadlet/noimage.container
@@ -1,4 +1,4 @@
 ## assert-failed
-## assert-stderr-contains "No Image key specified"
+## assert-stderr-contains "no Image key specified"

 [Container]
--- a/test/e2e/quadlet/readonly-notmpfs.container
+++ b/test/e2e/quadlet/readonly-notmpfs.container
@@ -0,0 +1,6 @@
+## assert-podman-args "--read-only-tmpfs=false"
+## assert-podman-args "--read-only"
+
+[Container]
+Image=localhost/imagename
+VolatileTmp=no
--- a/test/e2e/quadlet/readwrite-notmpfs.container
+++ b/test/e2e/quadlet/readwrite-notmpfs.container
@@ -0,0 +1,7 @@
+## !assert-podman-args "--read-only"
+## !assert-podman-args "--tmpfs" "/tmp:rw,size=512M,mode=1777"
+
+[Container]
+Image=localhost/imagename
+VolatileTmp=no
+ReadOnly=no
--- a/test/e2e/quadlet/readwrite.container
+++ b/test/e2e/quadlet/readwrite.container
@@ -0,0 +1,6 @@
+## !assert-podman-args "--read-only"
+## assert-podman-args "--tmpfs" "/tmp:rw,size=512M,mode=1777"
+
+[Container]
+Image=localhost/imagename
+ReadOnly=no
--- a/test/e2e/quadlet/seccomp.container
+++ b/test/e2e/quadlet/seccomp.container
@@ -0,0 +1,5 @@
+## assert-podman-args --security-opt seccomp=unconfined
+
+[Container]
+Image=localhost/imagename
+SeccompProfile=unconfined
--- a/test/e2e/quadlet_test.go
+++ b/test/e2e/quadlet_test.go
@@ -80,7 +80,7 @@ func findSublist(full []string, sublist []string) int {
 }

 func (t *quadletTestcase) assertStdErrContains(args []string, session *PodmanSessionIntegration) bool {
-	return strings.Contains(session.OutputToString(), args[0])
+	return strings.Contains(session.ErrorToString(), args[0])
 }

 func (t *quadletTestcase) assertKeyIs(args []string, unit *parser.UnitFile) bool {
@@ -174,7 +174,10 @@ func (t *quadletTestcase) doAssert(check []string, unit *parser.UnitFile, sessio
 	}

 	if !ok {
-		s, _ := unit.ToString()
+		s := "(nil)"
+		if unit != nil {
+			s, _ = unit.ToString()
+		}
 		return fmt.Errorf("Failed assertion for %s: %s\n\n%s", t.serviceName, strings.Join(check, " "), s)
 	}
 	return nil
@@ -189,12 +192,18 @@ func (t *quadletTestcase) check(generateDir string, session *PodmanSessionIntegr
 	}

 	file := filepath.Join(generateDir, t.serviceName)
-	if _, err := os.Stat(file); os.IsNotExist(err) && expectFail {
-		return // Successful fail
+	_, err := os.Stat(file)
+	if expectFail {
+		Expect(err).To(MatchError(os.ErrNotExist))
+	} else {
+		Expect(err).ToNot(HaveOccurred())
 	}

-	unit, err := parser.ParseUnitFile(file)
-	Expect(err).To(BeNil())
+	var unit *parser.UnitFile
+	if !expectFail {
+		unit, err = parser.ParseUnitFile(file)
+		Expect(err).To(BeNil())
+	}

 	for _, check := range t.checks {
 		err := t.doAssert(check, unit, session)
@@ -244,7 +253,7 @@ var _ = Describe("quadlet system generator", func() {
 			Expect(err).To(BeNil())

 			// Run quadlet to convert the file
-			session := podmanTest.Quadlet([]string{generatedDir}, quadletDir)
+			session := podmanTest.Quadlet([]string{"-no-kmsg-log", generatedDir}, quadletDir)
 			session.WaitWithDefaultTimeout()
 			Expect(session).Should(Exit(0))

@@ -260,6 +269,8 @@ var _ = Describe("quadlet system generator", func() {
 		Entry("annotation.container", "annotation.container"),
 		Entry("basepodman.container", "basepodman.container"),
 		Entry("capabilities.container", "capabilities.container"),
+		Entry("capabilities2.container", "capabilities2.container"),
+		Entry("devices.container", "devices.container"),
 		Entry("env.container", "env.container"),
 		Entry("escapes.container", "escapes.container"),
 		Entry("exec.container", "exec.container"),
@@ -267,6 +278,7 @@ var _ = Describe("quadlet system generator", func() {
 		Entry("install.container", "install.container"),
 		Entry("label.container", "label.container"),
 		Entry("name.container", "name.container"),
+		Entry("network.container", "network.container"),
 		Entry("noimage.container", "noimage.container"),
 		Entry("noremapuser2.container", "noremapuser2.container"),
 		Entry("noremapuser.container", "noremapuser.container"),
@@ -275,7 +287,10 @@ var _ = Describe("quadlet system generator", func() {
 		Entry("podmanargs.container", "podmanargs.container"),
 		Entry("ports.container", "ports.container"),
 		Entry("ports_ipv6.container", "ports_ipv6.container"),
-		Entry("socketactivated.container", "socketactivated.container"),
+		Entry("readonly-notmpfs.container", "readonly-notmpfs.container"),
+		Entry("readwrite.container", "readwrite.container"),
+		Entry("readwrite-notmpfs.container", "readwrite-notmpfs.container"),
+		Entry("seccomp.container", "seccomp.container"),
 		Entry("timezone.container", "timezone.container"),
 		Entry("user.container", "user.container"),
 		Entry("user-host.container", "user-host.container"),