opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-12-09 23:27:09 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
ab259987ee4920e549a863ab3b7055877d6f61d7
podman/test/system/030-run.bats
Giuseppe Scrivano b7800889fb userns: prevent /sys/kernel/* paths in the container 
when we run in a user namespace, there are cases where we have not
enough privileges to mount a fresh sysfs on /sys.  To circumvent this
limitation, we rbind /sys from the host.  This carries inside of the
container also some mounts we probably don't want to.  We are also
limited by the kernel to use rbind instead of bind, as allowing a bind
would uncover paths that were not previously visible.

This is a slimmed down version of the intermediate mount namespace
logic we had before, where we only set /sys to slave, so the umounts
done to the storage by the cleanup process are propagated back to the
host.  We also don't setup any new directory, so there is no
additional cleanup to do.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-04-11 15:40:00 +02:00

43 lines
1.5 KiB
Bash
Raw Blame History

#!/usr/bin/env bats
load helpers
@test "podman run - basic tests" {
rand=$(random_string 30)
tests="
true | 0 |
false | 1 |
sh -c 'exit 32' | 32 |
echo $rand | 0 | $rand
/no/such/command | 127 | Error: container create failed:.*exec:.* no such file or dir
/etc | 126 | Error: container create failed:.*exec:.* permission denied
"
while read cmd expected_rc expected_output; do
if [ "$expected_output" = "''" ]; then expected_output=""; fi
# THIS IS TRICKY: this is what lets us handle a quoted command.
# Without this incantation (and the "$@" below), the cmd string
# gets passed on as individual tokens: eg "sh" "-c" "'exit" "32'"
# (note unmatched opening and closing single-quotes in the last 2).
# That results in a bizarre and hard-to-understand failure
# in the BATS 'run' invocation.
# This should really be done inside parse_table; I can't find
# a way to do so.
eval set "$cmd"
run_podman $expected_rc run $IMAGE "$@"
is "$output" "$expected_output" "podman run $cmd - output"
done < <(parse_table "$tests")
}
@test "podman run - uidmapping has no /sys/kernel mounts" {
run_podman $expected_rc run --uidmapping 0:100:10000 $IMAGE mount | grep /sys/kernel
is "$output" "" "podman run $cmd - output"
run_podman $expected_rc run --net host --uidmapping 0:100:10000 $IMAGE mount | grep /sys/kernel
is "$output" "" "podman run $cmd - output"
}
# vim: filetype=sh
Reference in New Issue View Git Blame Copy Permalink