mirror of
https://github.com/containers/podman.git
synced 2025-09-09 21:52:21 +08:00
547fff2703
e2e test failures are rife with messages like:
Expected 1 to equal 0
These make me cry. They're anti-helpful, requiring the reader
to dive into the source code to figure out what those numbers
mean.
Solution: Go tests have a '.Should(Exit(NNN))' mechanism. I
don't know if it spits out a better diagnostic (I have no way
to run e2e tests on my laptop), but I have to fantasize that
it will, and given the state of our flakes I assume that at
least one test will fail and give me the opportunity to see
what the error message looks like.
THIS IS NOT REVIEWABLE CODE. There is no way for a human
to review it. Don't bother. Maybe look at a few random
ones for sanity. If you want to really review, here is
a reproducer of what I did:
cd test/e2e
! positive assertions. The second is the same as the first,
! with the addition of (unnecessary) parentheses because
! some invocations were written that way. The third is BeZero().
perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.To\(Equal\((\d+)\)\)/Expect($1).Should(Exit($2))/' *_test.go
perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.To\(\(Equal\((\d+)\)\)\)/Expect($1).Should(Exit($2))/' *_test.go
perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.To\(BeZero\(\)\)/Expect($1).Should(Exit(0))/' *_test.go
! Same as above, but handles three non-numeric exit codes
! in run_exit_test.go
perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.To\(Equal\((\S+)\)\)/Expect($1).Should(Exit($2))/' *_test.go
! negative assertions. Difference is the spelling of 'To(Not)',
! 'ToNot', and 'NotTo'. I assume those are all the same.
perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.To\(Not\(Equal\((0)\)\)\)/Expect($1).To(ExitWithError())/' *_test.go
perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.ToNot\(Equal\((0)\)\)/Expect($1).To(ExitWithError())/' *_test.go
perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.NotTo\(Equal\((0)\)\)/Expect($1).To(ExitWithError())/' *_test.go
! negative, old use of BeZero()
perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.ToNot\(BeZero\(\)\)/Expect($1).Should(ExitWithError())/' *_test.go
Run those on a clean copy of main branch (at the same branch
point as my PR, of course), then diff against a checked-out
copy of my PR. There should be no differences. Then all you
have to review is that my replacements above are sane.
UPDATE: nope, that's not enough, you also need to add gomega/gexec
to the files that don't have it:
perl -pi -e '$_ .= "$1/gexec\"\n" if m!^(.*/onsi/gomega)"!' $(grep -L gomega/gexec $(git log -1 --stat | awk '$1 ~ /test\/e2e\// { print $1}'))
UPDATE 2: hand-edit run_volume_test.go
UPDATE 3: sigh, add WaitWithDefaultTimeout() to a couple of places
UPDATE 4: skip a test due to bug #10935 (race condition)
Signed-off-by: Ed Santiago <santiago@redhat.com>
165 lines
5.8 KiB
Go
165 lines
5.8 KiB
Go
package integration
|
|
|
|
import (
|
|
"os"
|
|
"strconv"
|
|
"strings"
|
|
|
|
. "github.com/containers/podman/v3/test/utils"
|
|
. "github.com/onsi/ginkgo"
|
|
. "github.com/onsi/gomega"
|
|
. "github.com/onsi/gomega/gexec"
|
|
"github.com/syndtr/gocapability/capability"
|
|
)
|
|
|
|
// helper function for confirming that container capabilities are equal
|
|
// to those of the host, but only to the extent of caps we (podman)
|
|
// know about at compile time. That is: the kernel may have more caps
|
|
// available than we are aware of, leading to host=FFF... and ctr=3FF...
|
|
// because the latter is all we request. Accept that.
|
|
func containerCapMatchesHost(ctrCap string, hostCap string) {
|
|
if isRootless() {
|
|
return
|
|
}
|
|
ctrCap_n, err := strconv.ParseUint(ctrCap, 16, 64)
|
|
Expect(err).NotTo(HaveOccurred(), "Error parsing %q as hex", ctrCap)
|
|
|
|
hostCap_n, err := strconv.ParseUint(hostCap, 16, 64)
|
|
Expect(err).NotTo(HaveOccurred(), "Error parsing %q as hex", hostCap)
|
|
|
|
// host caps can never be zero (except rootless).
|
|
// and host caps must always be a superset (inclusive) of container
|
|
Expect(hostCap_n).To(BeNumerically(">", 0), "host cap %q should be nonzero", hostCap)
|
|
Expect(hostCap_n).To(BeNumerically(">=", ctrCap_n), "host cap %q should never be less than container cap %q", hostCap, ctrCap)
|
|
hostCap_masked := hostCap_n & (1<<len(capability.List()) - 1)
|
|
Expect(ctrCap_n).To(Equal(hostCap_masked), "container cap %q is not a subset of host cap %q", ctrCap, hostCap)
|
|
}
|
|
|
|
var _ = Describe("Podman privileged container tests", func() {
|
|
var (
|
|
tempdir string
|
|
err error
|
|
podmanTest *PodmanTestIntegration
|
|
)
|
|
|
|
BeforeEach(func() {
|
|
tempdir, err = CreateTempDirInTempDir()
|
|
if err != nil {
|
|
os.Exit(1)
|
|
}
|
|
podmanTest = PodmanTestCreate(tempdir)
|
|
podmanTest.Setup()
|
|
podmanTest.SeedImages()
|
|
})
|
|
|
|
AfterEach(func() {
|
|
podmanTest.Cleanup()
|
|
f := CurrentGinkgoTestDescription()
|
|
processTestResult(f)
|
|
|
|
})
|
|
|
|
It("podman privileged make sure sys is mounted rw", func() {
|
|
session := podmanTest.Podman([]string{"run", "--privileged", BB, "mount"})
|
|
session.WaitWithDefaultTimeout()
|
|
Expect(session).Should(Exit(0))
|
|
ok, lines := session.GrepString("sysfs")
|
|
Expect(ok).To(BeTrue())
|
|
Expect(lines[0]).To(ContainSubstring("sysfs (rw,"))
|
|
})
|
|
|
|
It("podman privileged CapEff", func() {
|
|
hostCap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
|
|
Expect(hostCap).Should(Exit(0))
|
|
|
|
session := podmanTest.Podman([]string{"run", "--privileged", BB, "awk", "/^CapEff/ { print $2 }", "/proc/self/status"})
|
|
session.WaitWithDefaultTimeout()
|
|
Expect(session).Should(Exit(0))
|
|
|
|
containerCapMatchesHost(session.OutputToString(), hostCap.OutputToString())
|
|
})
|
|
|
|
It("podman cap-add CapEff", func() {
|
|
// Get caps of current process
|
|
hostCap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
|
|
Expect(hostCap).Should(Exit(0))
|
|
|
|
session := podmanTest.Podman([]string{"run", "--cap-add", "all", BB, "awk", "/^CapEff/ { print $2 }", "/proc/self/status"})
|
|
session.WaitWithDefaultTimeout()
|
|
Expect(session).Should(Exit(0))
|
|
|
|
containerCapMatchesHost(session.OutputToString(), hostCap.OutputToString())
|
|
})
|
|
|
|
It("podman cap-add CapEff with --user", func() {
|
|
// Get caps of current process
|
|
hostCap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
|
|
Expect(hostCap).Should(Exit(0))
|
|
|
|
session := podmanTest.Podman([]string{"run", "--user=bin", "--cap-add", "all", BB, "awk", "/^CapEff/ { print $2 }", "/proc/self/status"})
|
|
session.WaitWithDefaultTimeout()
|
|
Expect(session).Should(Exit(0))
|
|
|
|
containerCapMatchesHost(session.OutputToString(), hostCap.OutputToString())
|
|
})
|
|
|
|
It("podman cap-drop CapEff", func() {
|
|
session := podmanTest.Podman([]string{"run", "--cap-drop", "all", BB, "grep", "CapEff", "/proc/self/status"})
|
|
session.WaitWithDefaultTimeout()
|
|
Expect(session).Should(Exit(0))
|
|
capEff := strings.Split(session.OutputToString(), " ")
|
|
Expect("0000000000000000").To(Equal(capEff[1]))
|
|
})
|
|
|
|
It("podman privileged should disable seccomp by default", func() {
|
|
hostSeccomp := SystemExec("grep", []string{"-Ei", "^Seccomp:\\s+0$", "/proc/self/status"})
|
|
Expect(hostSeccomp).Should(Exit(0))
|
|
|
|
session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "grep", "-Ei", "^Seccomp:\\s+0$", "/proc/self/status"})
|
|
session.WaitWithDefaultTimeout()
|
|
Expect(session).Should(Exit(0))
|
|
})
|
|
|
|
It("podman non-privileged should have very few devices", func() {
|
|
session := podmanTest.Podman([]string{"run", "-t", BB, "ls", "-l", "/dev"})
|
|
session.WaitWithDefaultTimeout()
|
|
Expect(session).Should(Exit(0))
|
|
Expect(len(session.OutputToStringArray())).To(Equal(17))
|
|
})
|
|
|
|
It("podman privileged should inherit host devices", func() {
|
|
SkipIfRootless("FIXME: This seems to be broken for rootless mode, /dev/ is close to the same")
|
|
session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "ls", "-l", "/dev"})
|
|
session.WaitWithDefaultTimeout()
|
|
Expect(session).Should(Exit(0))
|
|
Expect(len(session.OutputToStringArray())).To(BeNumerically(">", 20))
|
|
})
|
|
|
|
It("run no-new-privileges test", func() {
|
|
// Check if our kernel is new enough
|
|
k, err := IsKernelNewerThan("4.14")
|
|
Expect(err).To(BeNil())
|
|
if !k {
|
|
Skip("Kernel is not new enough to test this feature")
|
|
}
|
|
|
|
cap := SystemExec("grep", []string{"NoNewPrivs", "/proc/self/status"})
|
|
if cap.ExitCode() != 0 {
|
|
Skip("Can't determine NoNewPrivs")
|
|
}
|
|
|
|
session := podmanTest.Podman([]string{"run", BB, "grep", "NoNewPrivs", "/proc/self/status"})
|
|
session.WaitWithDefaultTimeout()
|
|
Expect(session).Should(Exit(0))
|
|
|
|
privs := strings.Split(session.OutputToString(), ":")
|
|
session = podmanTest.Podman([]string{"run", "--security-opt", "no-new-privileges", BB, "grep", "NoNewPrivs", "/proc/self/status"})
|
|
session.WaitWithDefaultTimeout()
|
|
Expect(session).Should(Exit(0))
|
|
|
|
noprivs := strings.Split(session.OutputToString(), ":")
|
|
Expect(privs[1]).To(Not(Equal(noprivs[1])))
|
|
})
|
|
|
|
})
|