91b8bc7f13
Motivation =========== This feature aims to make --uidmap and --gidmap easier to use, especially in rootless podman setups. (I will focus here on the --gidmap option, although the same applies for --uidmap.) In rootless podman, the user namespace mapping happens in two steps, through an intermediate mapping. See https://docs.podman.io/en/latest/markdown/podman-run.1.html#uidmap-container-uid-from-uid-amount for further detail, here is a summary: First the user GID is mapped to 0 (root), and all subordinate GIDs (defined at /etc/subgid, and usually >100000) are mapped starting at 1. One way to customize the mapping is through the `--gidmap` option, that maps that intermediate mapping to the final mapping that will be seen by the container. As an example, let's say we have as main GID the group 1000, and we also belong to the additional GID 2000, that we want to make accessible inside the container. We first ask the sysadmin to subordinate the group to us, by adding "$user:2000:1" to /etc/subgid. Then we need to use --gidmap to specify that we want to map GID 2000 into some GID inside the container. And here is the first trouble: Since the --gidmap option operates on the intermediate mapping, we first need to figure out where has podman placed our GID 2000 in that intermediate mapping using: podman unshare cat /proc/self/gid_map Then, we may see that GID 2000 was mapped to intermediate GID 5. So our --gidmap option should include: --gidmap 20000:5:1 This intermediate mapping may change in the future if further groups are subordinated to us (or we stop having its subordination), so we are forced to verify the mapping with `podman unshare cat /proc/self/gid_map` every time, and parse it if we want to script it. **The first usability improvement** we agreed on #18333 is to be able to use: --gidmap 20000:@2000:1 so podman does this lookup in the parent user namespace for us. But this is only part of the problem. We must specify a **full** gidmap and not only what we want: --gidmap 0:0:5 --gidmap 5:6:15000 --gidmap 20000:5:1 This is becoming complicated. We had to break the gidmap at 5, because the intermediate 5 had to be mapped to another value (20000), and then we had to keep mapping all other subordinate ids... up to close to the maximum number of subordinate ids that we have (or some reasonable value). This is hard to explain to someone who does not understand how the mappings work internally. To simplify this, **the second usability improvement** is to be able to use: --gidmap "+20000:@2000:1" where the plus flag (`+`) states that the given mapping should extend any previous/default mapping, overriding any previous conflicting assignment. Podman will set that mapping and fill the rest of mapped gids with all other subordinated gids, leading to the same (or an equivalent) full gidmap that we were specifying before. One final usability improvement related to this is the following: By default, when podman gets a --gidmap argument but not a --uidmap argument, it copies the mapping. This is convenient in many scenarios, since usually subordinated uids and gids are assigned in chunks simultaneously, and the subordinated IDs in /etc/subuid and /etc/subgid for a given user match. For scenarios with additional subordinated GIDs, this map copying is annoying, since it forces the user to provide a --uidmap, to prevent the copy from being made. This means, that when the user wants: --gidmap 0:0:5 --gidmap 5:6:15000 --gidmap 20000:5:1 The user has to include a uidmap as well: --gidmap 0:0:5 --gidmap 5:6:15000 --gidmap 20000:5:1 --uidmap 0:0:65000 making everything even harder to understand without proper context. For this reason, besides the "+" flag, we introduce the "u" and "g" flags. Those flags applied to a mapping tell podman that the mapping should only apply to users or groups, and ignored otherwise. Therefore we can use: --gidmap "+g20000:@2000:1" So the mapping only applies to groups and is ignored for uidmaps. If no "u" nor "g" flag is assigned podman assumes the mapping applies to both users and groups as before, so we preserve backwards compatibility. Co-authored-by: Tom Sweeney <tsweeney@redhat.com> Signed-off-by: Sergio Oller <sergioller@gmail.com>
Test utils
Test utils provide common functions and structs for testing. It includes two structs:
-
PodmanTest: Handle the podman command and other global resources like temporary directory. It provides basic methods, like checking podman image and pod status. Test suites should create their owner test struct as a composite ofPodmanTest, and their owner PodmanMakeOptions(). -
PodmanSession: Store execution session data and related methods. Such like get command output and so on. It can be used directly in the test suite, only embed it to your owner session struct if you need expend it.
Unittest for test/utils
To ensure neither tests nor utils break, There are unit-tests for each functions and
structs in test/utils. When you adding functions or structs to this package, please
update both unit-tests for it and this documentation.
Run unit test for test/utils
Run unit test for test/utils.
make localunit
Structure of the test utils and test suites
The test utils package is at the same level of test suites. Each test suites also have their
owner common functions and structs stored in libpod_suite_test.go.
Ginkgo test framework
Ginkgo is a BDD testing framework. This allows us to use native Golang to perform our tests and there is a strong affiliation between Ginkgo and the Go test framework.
Installing dependencies
Some external binaries are required to successfully run the tests. The test currently depend on:
- normal podman runtime dependencies
- coreutils
- ncat
- gzip
- xz
- htpasswd
- iproute2
- iptables
- util-linux
- tar
- docker
- systemd/systemctl
Most of these are only required for a few tests so it is not a big issue if not everything is installed. Only a few test should fail then.
Installing ginkgo
Build ginkgo and install it under ./test/tools/build/ginkgo with the following command:
make .install.ginkgo
Integration Tests
Test suite for integration test for podman command line. It has its own structs:
-
PodmanTestIntegration: Integration test struct as a composite ofPodmanTest. It set up the global options for podman command to ignore the environment influence from different test system. -
PodmanSessionIntegration: This struct has it own methods for checking command output with given format JSON by using structs defined in inspect package.
Running the integration tests
You can run the entire suite of integration tests with the following command:
make localintegration
To run the remote tests use:
make remoteintegration
Test variables
Some test only work as rootless while others only work as root. So to test everything you should make sure to run the make command above as normal user and root.
The following environment variables are supported by the test setup:
PODMAN_BINARY: path to the podman binary, defaults tobin/podmanin the repository root.PODMAN_REMOTE_BINARY: path to the podman-remote binary, defaults tobin/podman-remotein the repository root.QUADLET_BINARY: path to the quadlet binary, defaults tobin/quadletin the repository root.CONMON_BINARY: path to th conmon binary, defaults to/usr/libexec/podman/conmon.OCI_RUNTIME: which oci runtime to use, defaults tocrun.NETWORK_BACKEND: the network backend, eithercni(default) ornetavark.PODMAN_DB: the database backendboltdb(default) orsqlite.PODMAN_TEST_IMAGE_CACHE_DIR: path were the container images should be cached, defaults to/tmp.
Running a single file of integration tests
You can run a single file of integration tests using the go test command:
make localintegration FOCUS_FILE=your_test.go
FOCUS_FILE file maps to ginkgo's --focus-file option, see the ginkgo
docs for the accepted syntax.
For remote tests use the remoteintegration Makefile target instead.
Running a single integration test
Before running the test suite, you have to declare which test you want run in the test file itself. Consider the following actual test:
It("podman inspect bogus pod", func() {
session := podmanTest.Podman([]string{"pod", "inspect", "foobar"})
session.WaitWithDefaultTimeout()
Expect(session).To(ExitWithError())
})
To mark this as the test you want run, you simply change the It description to FIt. Please note how
both the F and I are capitalized. Also see the ginkgo docs.
Note: Be sure you remove the F from the tests before committing your changes or you will skip all tests
in that file except the one with the FIt denotation.
Alternatively you can use the FOCUS option which maps to --focus, again see the ginkgo
docs for more info about the syntax.
make localintegration FOCUS="podman inspect bogus pod"
System tests
System tests are used for testing the podman CLI in the context of a complete system. It requires that podman, all dependencies, and configurations are in place. The intention of system testing is to match as closely as possible with real-world user/developer use-cases and environments. The orchestration of the environments and tests is left to external tooling.
System tests use Bash Automated Testing System (bats) as a testing framework.
Install it via your package manager or get latest stable version
directly from the repository, e.g.:
mkdir -p ~/tools/bats
git clone --single-branch --branch v1.1.0 https://github.com/bats-core/bats-core.git ~/tools/bats
Make sure that bats binary (bin/bats in the repository) is in your PATH, if not - add it:
PATH=$PATH:~/tools/bats/bin
System tests also rely on jq, socat, nmap, and other tools. For a
comprehensive list, see the %package tests section in the
fedora specfile.
Running system tests
When bats is installed and is in your PATH, you can run the test suite with following command:
make localsystem
Running the system tests in a more controlled way
If you would like to run a subset of the system tests, or configure the environment (e.g. root vs rootless, local vs remote),
use hack/bats.
For usage run:
hack/bats --help
Contributing to system tests
Please see the TODO list of needed workflows/tests.