Currently the `--pull missing|always|never` option is ignored. This PR implements it for the local API. For the remote API we need to default to the pull policy specified in the containers.conf file. Also fixed an issue where images were matching other image names based on prefix, causing images to always be pulled. I had named an image myfedora, and whenever I pulled fedora the system thought there were two images named fedora, since it was checking for the name fedora as well as the prefix fedora. I changed it to check for fedora and the prefix /fedora, to prevent failures like the one I hit. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
		
			
				
	
	
		
| // +build !remote
 | |
| 
 | |
| package integration
 | |
| 
 | |
| import (
 | |
| 	"fmt"
 | |
| 	"io/ioutil"
 | |
| 	"os"
 | |
| 	"path/filepath"
 | |
| 
 | |
| 	"github.com/containers/common/pkg/apparmor"
 | |
| 	. "github.com/containers/podman/v2/test/utils"
 | |
| 	. "github.com/onsi/ginkgo"
 | |
| 	. "github.com/onsi/gomega"
 | |
| )
 | |
| 
 | |
| func skipIfAppArmorEnabled() {
 | |
| 	if apparmor.IsEnabled() {
 | |
| 		Skip("Apparmor is enabled")
 | |
| 	}
 | |
| }
 | |
| func skipIfAppArmorDisabled() {
 | |
| 	if !apparmor.IsEnabled() {
 | |
| 		Skip("Apparmor is not enabled")
 | |
| 	}
 | |
| }
 | |
| 
 | |
| var _ = Describe("Podman run", func() {
 | |
| 	var (
 | |
| 		tempdir    string
 | |
| 		err        error
 | |
| 		podmanTest *PodmanTestIntegration
 | |
| 	)
 | |
| 
 | |
| 	BeforeEach(func() {
 | |
| 		tempdir, err = CreateTempDirInTempDir()
 | |
| 		if err != nil {
 | |
| 			os.Exit(1)
 | |
| 		}
 | |
| 		podmanTest = PodmanTestCreate(tempdir)
 | |
| 		podmanTest.Setup()
 | |
| 		podmanTest.SeedImages()
 | |
| 	})
 | |
| 
 | |
| 	AfterEach(func() {
 | |
| 		podmanTest.Cleanup()
 | |
| 		f := CurrentGinkgoTestDescription()
 | |
| 		processTestResult(f)
 | |
| 
 | |
| 	})
 | |
| 
 | |
| 	It("podman run apparmor default", func() {
 | |
| 		skipIfAppArmorDisabled()
 | |
| 		session := podmanTest.Podman([]string{"create", ALPINE, "ls"})
 | |
| 		session.WaitWithDefaultTimeout()
 | |
| 		Expect(session.ExitCode()).To(Equal(0))
 | |
| 
 | |
| 		cid := session.OutputToString()
 | |
| 		// Verify that apparmor.Profile is being set
 | |
| 		inspect := podmanTest.InspectContainer(cid)
 | |
| 		Expect(inspect[0].AppArmorProfile).To(Equal(apparmor.Profile))
 | |
| 	})
 | |
| 
 | |
| 	It("podman run no apparmor --privileged", func() {
 | |
| 		skipIfAppArmorDisabled()
 | |
| 		session := podmanTest.Podman([]string{"create", "--privileged", ALPINE, "ls"})
 | |
| 		session.WaitWithDefaultTimeout()
 | |
| 		Expect(session.ExitCode()).To(Equal(0))
 | |
| 
 | |
| 		cid := session.OutputToString()
 | |
| 		// Verify that apparmor.Profile is being set
 | |
| 		inspect := podmanTest.InspectContainer(cid)
 | |
| 		Expect(inspect[0].AppArmorProfile).To(Equal(""))
 | |
| 	})
 | |
| 
 | |
| 	It("podman run no apparmor --security-opt=apparmor.Profile --privileged", func() {
 | |
| 		skipIfAppArmorDisabled()
 | |
| 		session := podmanTest.Podman([]string{"create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile), "--privileged", ALPINE, "ls"})
 | |
| 		session.WaitWithDefaultTimeout()
 | |
| 		Expect(session.ExitCode()).To(Equal(0))
 | |
| 
 | |
| 		cid := session.OutputToString()
 | |
| 		// Verify that apparmor.Profile is being set
 | |
| 		inspect := podmanTest.InspectContainer(cid)
 | |
| 		Expect(inspect[0].AppArmorProfile).To(Equal(apparmor.Profile))
 | |
| 	})
 | |
| 
 | |
| 	It("podman run apparmor aa-test-profile", func() {
 | |
| 		skipIfAppArmorDisabled()
 | |
| 		aaProfile := `
 | |
| #include <tunables/global>
 | |
| profile aa-test-profile flags=(attach_disconnected,mediate_deleted) {
 | |
|   #include <abstractions/base>
 | |
|   deny mount,
 | |
|   deny /sys/[^f]*/** wklx,
 | |
|   deny /sys/f[^s]*/** wklx,
 | |
|   deny /sys/fs/[^c]*/** wklx,
 | |
|   deny /sys/fs/c[^g]*/** wklx,
 | |
|   deny /sys/fs/cg[^r]*/** wklx,
 | |
|   deny /sys/firmware/efi/efivars/** rwklx,
 | |
|   deny /sys/kernel/security/** rwklx,
 | |
| }
 | |
| `
 | |
| 		aaFile := filepath.Join(os.TempDir(), "aaFile")
 | |
| 		Expect(ioutil.WriteFile(aaFile, []byte(aaProfile), 0755)).To(BeNil())
 | |
| 		parse := SystemExec("apparmor_parser", []string{"-Kr", aaFile})
 | |
| 		Expect(parse.ExitCode()).To(Equal(0))
 | |
| 
 | |
| 		session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=aa-test-profile", ALPINE, "ls"})
 | |
| 		session.WaitWithDefaultTimeout()
 | |
| 		Expect(session.ExitCode()).To(Equal(0))
 | |
| 
 | |
| 		cid := session.OutputToString()
 | |
| 		// Verify that apparmor.Profile is being set
 | |
| 		inspect := podmanTest.InspectContainer(cid)
 | |
| 		Expect(inspect[0].AppArmorProfile).To(Equal("aa-test-profile"))
 | |
| 	})
 | |
| 
 | |
| 	It("podman run apparmor invalid", func() {
 | |
| 		skipIfAppArmorDisabled()
 | |
| 		session := podmanTest.Podman([]string{"run", "--security-opt", "apparmor=invalid", ALPINE, "ls"})
 | |
| 		session.WaitWithDefaultTimeout()
 | |
| 		Expect(session.ExitCode()).ToNot(Equal(0))
 | |
| 	})
 | |
| 
 | |
| 	It("podman run apparmor unconfined", func() {
 | |
| 		skipIfAppArmorDisabled()
 | |
| 		session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=unconfined", ALPINE, "ls"})
 | |
| 		session.WaitWithDefaultTimeout()
 | |
| 		Expect(session.ExitCode()).To(Equal(0))
 | |
| 
 | |
| 		cid := session.OutputToString()
 | |
| 		// Verify that apparmor.Profile is being set
 | |
| 		inspect := podmanTest.InspectContainer(cid)
 | |
| 		Expect(inspect[0].AppArmorProfile).To(Equal("unconfined"))
 | |
| 	})
 | |
| 
 | |
| 	It("podman run apparmor disabled --security-opt apparmor fails", func() {
 | |
| 		skipIfAppArmorEnabled()
 | |
| 		// Should fail if user specifies apparmor on disabled system
 | |
| 		session := podmanTest.Podman([]string{"create", "--security-opt", fmt.Sprintf("apparmor=%s", apparmor.Profile), ALPINE, "ls"})
 | |
| 		session.WaitWithDefaultTimeout()
 | |
| 		Expect(session.ExitCode()).ToNot(Equal(0))
 | |
| 	})
 | |
| 
 | |
| 	It("podman run apparmor disabled no default", func() {
 | |
| 		skipIfAppArmorEnabled()
 | |
| 		// Should succeed if user specifies apparmor on disabled system
 | |
| 		session := podmanTest.Podman([]string{"create", ALPINE, "ls"})
 | |
| 		session.WaitWithDefaultTimeout()
 | |
| 		Expect(session.ExitCode()).To(Equal(0))
 | |
| 
 | |
| 		cid := session.OutputToString()
 | |
| 		// Verify that apparmor.Profile is being set
 | |
| 		inspect := podmanTest.InspectContainer(cid)
 | |
| 		Expect(inspect[0].AppArmorProfile).To(Equal(""))
 | |
| 	})
 | |
| 
 | |
| 	It("podman run apparmor disabled unconfined", func() {
 | |
| 		skipIfAppArmorEnabled()
 | |
| 
 | |
| 		session := podmanTest.Podman([]string{"create", "--security-opt", "apparmor=unconfined", ALPINE, "ls"})
 | |
| 		session.WaitWithDefaultTimeout()
 | |
| 		Expect(session.ExitCode()).To(Equal(0))
 | |
| 
 | |
| 		cid := session.OutputToString()
 | |
| 		// Verify that apparmor.Profile is being set
 | |
| 		inspect := podmanTest.InspectContainer(cid)
 | |
| 		Expect(inspect[0].AppArmorProfile).To(Equal(""))
 | |
| 	})
 | |
| })