Files
podman/test/system/170-run-userns.bats
Paul Holzinger 247a80db45 test/system: remove distro-integration bats tag
The distro-integration tag was added for fedora openQA to only run a
subset of tests. However since it was added only a few new tests have
been labelled like that and in general a normal contributor or even
maintianer has no idea when to add this tag.

We also have been seeing several regressions getting into fedora that
these tests would have caught. As such I worked with Adam to enable all
tests for fedora openQA so we actually have proper coverage. This has
been working for a few weeks so I think we can dop these tags so
upstream does not need to bother with them at all.

https://pagure.io/fedora-qa/os-autoinst-distri-fedora/issue/373

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-09-02 12:10:08 +02:00

182 lines
6.9 KiB
Bash

#!/usr/bin/env bats -*- bats -*-
# shellcheck disable=SC2096
#
# Tests for podman build
#
load helpers
function _require_crun() {
runtime=$(podman_runtime)
if [[ $runtime != "crun" ]]; then
skip "runtime is $runtime; keep-groups requires crun"
fi
}
# bats test_tags=ci:parallel
@test "podman --group-add keep-groups while in a userns" {
skip_if_rootless "chroot is not allowed in rootless mode"
skip_if_remote "--group-add keep-groups not supported in remote mode"
_require_crun
run chroot --groups 1234 / ${PODMAN} run --rm --uidmap 0:200000:5000 --group-add keep-groups $IMAGE id
is "$output" ".*65534(nobody)" "Check group leaked into user namespace"
}
# bats test_tags=ci:parallel
@test "podman --group-add keep-groups while not in a userns" {
skip_if_rootless "chroot is not allowed in rootless mode"
skip_if_remote "--group-add keep-groups not supported in remote mode"
_require_crun
run chroot --groups 1234,5678 / ${PODMAN} run --rm --group-add keep-groups $IMAGE id
is "$output" ".*1234" "Check group leaked into container"
}
# bats test_tags=ci:parallel
@test "podman --group-add without keep-groups while in a userns" {
skip_if_cgroupsv1 "run --uidmap fails on cgroups v1 (issue 15025, wontfix)"
skip_if_rootless "chroot is not allowed in rootless mode"
skip_if_remote "--group-add keep-groups not supported in remote mode"
run chroot --groups 1234,5678 / ${PODMAN} run --rm --uidmap 0:200000:5000 --group-add 457 $IMAGE id
is "$output" ".*457" "Check group leaked into container"
}
# bats test_tags=ci:parallel
@test "rootful pod with custom ID mapping" {
skip_if_cgroupsv1 "run --uidmap fails on cgroups v1 (issue 15025, wontfix)"
skip_if_rootless "does not work rootless - rootful feature"
random_pod_name=p_$(safename)
run_podman pod create --uidmap 0:200000:5000 --name=$random_pod_name
run_podman pod start $random_pod_name
run_podman pod inspect --format '{{.InfraContainerID}}' $random_pod_name
run_podman inspect --format '{{.HostConfig.IDMappings.UIDMap}}' $output
is "$output" ".*0:200000:5000" "UID Map Successful"
# Clean up
run_podman pod rm $random_pod_name
}
# bats test_tags=ci:parallel
@test "podman --remote --group-add keep-groups " {
if ! is_remote; then
skip "this test only meaningful under podman-remote"
fi
run_podman 125 run --rm --group-add keep-groups $IMAGE id
is "$output" ".*not supported in remote mode" "Remote check --group-add keep-groups"
}
# bats test_tags=ci:parallel
@test "podman --group-add without keep-groups " {
run_podman run --rm --group-add 457 $IMAGE id
is "$output" ".*457" "Check group leaked into container"
}
# bats test_tags=ci:parallel
@test "podman --group-add keep-groups plus added groups " {
run_podman 125 run --rm --group-add keep-groups --group-add 457 $IMAGE id
is "$output" ".*the '--group-add keep-groups' option is not allowed with any other --group-add options" "Check group leaked into container"
}
# CANNOT BE PARALLELIZED: userns=auto, rootless, => not enough unused IDs in user namespace
@test "podman userns=auto in config file" {
skip_if_remote "userns=auto is set on the server"
if is_rootless; then
grep -E -q "^$(id -un):" /etc/subuid || skip "no IDs allocated for current user"
else
grep -E -q "^containers:" /etc/subuid || skip "no IDs allocated for user 'containers'"
fi
cat > $PODMAN_TMPDIR/userns_auto.conf <<EOF
[containers]
userns="auto"
EOF
# First make sure a user namespace is created
CONTAINERS_CONF_OVERRIDE=$PODMAN_TMPDIR/userns_auto.conf run_podman run -d $IMAGE sleep infinity
cid=$output
run_podman inspect --format '{{.HostConfig.UsernsMode}}' $cid
is "$output" "private" "Check that a user namespace was created for the container"
run_podman rm -t 0 -f $cid
# Then check that the main user is not mapped into the user namespace
CONTAINERS_CONF_OVERRIDE=$PODMAN_TMPDIR/userns_auto.conf run_podman 0 run --rm $IMAGE awk '{if($2 == "0"){exit 1}}' /proc/self/uid_map /proc/self/gid_map
}
# CANNOT BE PARALLELIZED: userns=auto, rootless, => not enough unused IDs in user namespace
@test "podman userns=auto and secrets" {
ns_user="containers"
if is_rootless; then
ns_user=$(id -un)
fi
grep -E -q "${ns_user}:" /etc/subuid || skip "no IDs allocated for user ${ns_user}"
test_name="test_$(random_string 12)"
secret_file=$PODMAN_TMPDIR/secret$(random_string 12)
secret_content=$(random_string)
echo ${secret_content} > ${secret_file}
run_podman secret create ${test_name} ${secret_file}
run_podman run --rm --secret=${test_name} --userns=auto:size=1000 $IMAGE cat /run/secrets/${test_name}
is "$output" "$secret_content" "Secrets should work with user namespace"
run_podman secret rm ${test_name}
}
# bats test_tags=ci:parallel
@test "podman userns=nomap" {
if is_rootless; then
ns_user=$(id -un)
baseuid=$(grep -E "${ns_user}:" /etc/subuid | cut -f2 -d:)
test ! -z ${baseuid} || skip "no IDs allocated for user ${ns_user}"
test_name="test_$(random_string 12)"
run_podman run -d --userns=nomap $IMAGE sleep 100
cid=${output}
run_podman top ${cid} huser
is "${output}" "HUSER.*${baseuid}" "Container should start with baseuid from /etc/subuid not user UID"
run_podman rm -t 0 --force ${cid}
else
run_podman 125 run -d --userns=nomap $IMAGE sleep 100
is "${output}" "Error: nomap is only supported in rootless mode" "Container should fail to start since nomap is not supported in rootful mode"
fi
}
# bats test_tags=ci:parallel
@test "podman userns=keep-id" {
user=$(id -u)
run_podman run --rm --userns=keep-id $IMAGE id -u
is "${output}" "$user" "Container should run as the current user"
}
# bats test_tags=ci:parallel
@test "podman userns=keep-id in a pod" {
user=$(id -u)
run_podman pod create --name p_$(safename) --userns keep-id
pid=$output
run_podman run --rm --pod $pid $IMAGE id -u
is "${output}" "$user" "Container should run as the current user"
run_podman pod rm $pid
}
# CANNOT BE PARALLELIZED: userns=auto, rootless, => not enough unused IDs in user namespace
@test "podman userns=auto with id mapping" {
skip_if_not_rootless
skip_if_remote
run_podman unshare awk '{if(NR == 2){print $2}}' /proc/self/uid_map
first_id=$output
mapping=1:@$first_id:1
run_podman run --rm --userns=auto:uidmapping=$mapping $IMAGE awk '{if($1 == 1){print $2}}' /proc/self/uid_map
assert "$output" == 1
}
# bats test_tags=ci:parallel
@test "podman current user not mapped in the userns" {
# both uid and gid not mapped
run_podman run --rm --uidmap 0:1:1000 $IMAGE true
# uid not mapped
run_podman run --rm --uidmap 0:1:1000 --gidmap 0:0:1000 $IMAGE true
# gid not mapped
run_podman run --rm --uidmap 0:0:1000 --gidmap 0:1:1000 $IMAGE true
}