Run podman inside a podman container
We should be able to run nested podman containers, in particular for our testing environment, i.e. eat our own dog food. Some privileges had to be corrected in order for this to work correctly. Added a third papr target that runs the podman tests inside podman. I marked the test as not required for now, until we gain more confidence in the results. Signed-off-by: baude <bbaude@redhat.com> Closes: #340 Approved by: rhatdan
This commit is contained in:
parent
bc1d25bb19
commit
586bb86a2a
23
.papr.yml
23
.papr.yml
|
@ -15,6 +15,7 @@ timeout: 45m
|
|||
tests:
|
||||
- sh .papr_prepare.sh
|
||||
|
||||
context: "FAH27"
|
||||
---
|
||||
|
||||
inherit: true
|
||||
|
@ -31,4 +32,24 @@ extra-repos:
|
|||
baseurl: https://cbs.centos.org/repos/virt7-container-common-candidate/$basearch/os
|
||||
gpgcheck: 0
|
||||
|
||||
context: centos/7/atomic/smoketested
|
||||
context: "CAH smoketested"
|
||||
|
||||
---
|
||||
|
||||
inherit: true
|
||||
host:
|
||||
distro: fedora/27/cloud
|
||||
specs:
|
||||
ram: 8192
|
||||
cpus: 4
|
||||
extra-repos:
|
||||
- name: crio_copr
|
||||
baseurl: https://copr-be.cloud.fedoraproject.org/results/baude/Upstream_CRIO_Family/fedora-27-x86_64/
|
||||
gpgcheck: 0
|
||||
packages:
|
||||
- podman
|
||||
- buildah
|
||||
tests:
|
||||
- CONTAINER_RUNTIME="podman" sh .papr_prepare.sh
|
||||
required: false
|
||||
context: "Fedora fedora/27/cloud Podman"
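Review bot: The new `crio_copr` extra-repo sets `gpgcheck: 0`, so the podman and buildah packages that this target installs and then runs with --privileged are not signature-verified; the existing centos repo above does the same, but adding a new repo is the moment to either enable verification with the repo's key or record why it is off. A one-line comment next to it would do, e.g. `# gpgcheck disabled: CI-only target, packages come from the maintainer's COPR`, so the next reader does not assume it was an oversight. The `required: false` on this target is already explained in the commit message and needs no change.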
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
set -xeuo pipefail
|
||||
|
||||
DIST=${DIST:=Fedora}
|
||||
CONTAINER_RUNTIME=${CONTAINER_RUNTIME:=docker}
|
||||
IMAGE=fedorapodmanbuild
|
||||
PYTHON=python3
|
||||
if [[ ${DIST} != "Fedora" ]]; then
|
||||
|
@ -10,7 +11,7 @@ if [[ ${DIST} != "Fedora" ]]; then
|
|||
fi
|
||||
|
||||
# Build the test image
|
||||
docker build -t ${IMAGE} -f Dockerfile.${DIST} .
|
||||
${CONTAINER_RUNTIME} build -t ${IMAGE} -f Dockerfile.${DIST} .
|
||||
|
||||
# Run the tests
|
||||
docker run --rm --privileged -v $PWD:/go/src/github.com/projectatomic/libpod --workdir /go/src/github.com/projectatomic/libpod -e PYTHON=$PYTHON -e STORAGE_OPTIONS="--storage-driver=vfs" -e CRIO_ROOT="/go/src/github.com/projectatomic/libpod" -e PODMAN_BINARY="/usr/bin/podman" -e CONMON_BINARY="/usr/libexec/crio/conmon" -e DIST=$DIST $IMAGE sh .papr.sh
|
||||
${CONTAINER_RUNTIME} run --rm --privileged --net=host -v $PWD:/go/src/github.com/projectatomic/libpod --workdir /go/src/github.com/projectatomic/libpod -e PYTHON=$PYTHON -e STORAGE_OPTIONS="--storage-driver=vfs" -e CRIO_ROOT="/go/src/github.com/projectatomic/libpod" -e PODMAN_BINARY="/usr/bin/podman" -e CONMON_BINARY="/usr/libexec/crio/conmon" -e DIST=$DIST $IMAGE sh .papr.sh
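Review bot: The new `--net=host` on the run line is not explained anywhere, and combined with the existing `--privileged` it leaves the test container sharing the CI host's network namespace, so anything the nested tests bind or listen on lands directly on the host. A comment above the command recording the reason would help, presumably something like `# --net=host: the nested podman tests need the host network stack (see #340)` — the actual reason should be confirmed by the author. Separately, `$PWD` in the `-v` mount is unquoted; `"$PWD"` costs nothing and keeps the mount intact if the workspace path ever contains spaces.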
|
||||
|
|
2
Makefile
2
Makefile
|
@ -120,7 +120,7 @@ ginkgo:
|
|||
ginkgo -v test/e2e/
|
||||
|
||||
localintegration: test-binaries
|
||||
ginkgo -v -cover -flakeAttempts 3 -progress -trace test/e2e/.
|
||||
ginkgo -v -cover -flakeAttempts 3 -progress -trace -noColor test/e2e/.
|
||||
|
||||
vagrant-check:
|
||||
BOX=$(BOX) sh ./vagrant.sh
|
||||
|
|
|
@ -124,13 +124,9 @@ func addRlimits(config *createConfig, g *generate.Generator) error {
|
|||
func setupCapabilities(config *createConfig, configSpec *spec.Spec) error {
|
||||
var err error
|
||||
var caplist []string
|
||||
if config.Privileged {
|
||||
caplist = caps.GetAllCapabilities()
|
||||
} else {
|
||||
caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
configSpec.Process.Capabilities.Bounding = caplist
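Review bot: After dropping the `config.Privileged` branch, setupCapabilities no longer looks at the privileged flag at all, but nothing in the function says so; a caller that reaches it with a privileged config now silently gets only the CapAdd/CapDrop tweak. A doc comment would make the new contract explicit: `// setupCapabilities applies CapAdd/CapDrop to the spec's bounding set. Privileged containers are handled by the caller (see createConfigToOCISpec) and must not be passed here.`. With the branch gone, the `var err error` / `var caplist []string` pair is also just ceremony: `caplist, err := caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop)` is the idiomatic form. The function's tail is outside the hunk.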
|
||||
|
@ -163,6 +159,7 @@ func addDevice(g *generate.Generator, device string) error {
|
|||
func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
|
||||
cgroupPerm := "ro"
|
||||
g := generate.New()
|
||||
g.HostSpecific = true
|
||||
if config.Privileged {
|
||||
cgroupPerm = "rw"
|
||||
g.RemoveMount("/sys")
|
||||
|
@ -319,8 +316,12 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
|
|||
|
||||
// HANDLE CAPABILITIES
|
||||
// NOTE: Must happen before SECCOMP
|
||||
if err := setupCapabilities(config, configSpec); err != nil {
|
||||
return nil, err
|
||||
if !config.Privileged {
|
||||
if err := setupCapabilities(config, configSpec); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
} else {
|
||||
g.SetupPrivileged(true)
|
||||
}
|
||||
|
||||
// HANDLE SECCOMP
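Review bot: With the privileged path now routed through `g.SetupPrivileged(true)`, the `// NOTE: Must happen before SECCOMP` comment tells only half the story: SetupPrivileged is expected to grant every capability and also clear the seccomp profile and the masked/read-only paths, so the HANDLE SECCOMP block that follows (outside this hunk) must not re-apply a profile to a privileged container or the privileged branch is partly undone. Please confirm that block is gated on `config.Privileged`, and extend the comment so the dependency is visible: `// NOTE: Must happen before SECCOMP. SetupPrivileged(true) also clears seccomp and masked/readonly paths; the seccomp handling below must skip privileged containers.`. createConfigToOCISpec starts and ends outside the hunk.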
|
||||
|
|
|
@ -460,3 +460,23 @@ func (p *PodmanTest) BuildImage(dockerfile, imageName string) {
|
|||
session.Wait(120)
|
||||
Expect(session.ExitCode()).To(Equal(0))
|
||||
}
|
||||
|
||||
//GetHostDistribution returns the dist in string format. If the
|
||||
//distribution cannot be determined, an empty string will be returned.
|
||||
func (p *PodmanTest) GetHostDistribution() string {
|
||||
content, err := ioutil.ReadFile("/etc/os-release")
|
||||
if err != nil {
|
||||
return ""
|
||||
}
|
||||
for _, line := range content {
|
||||
if strings.HasPrefix(fmt.Sprintf("%s", line), "ID") {
|
||||
fields := strings.Split(fmt.Sprintf("%s", line), "=")
|
||||
if len(fields) < 2 {
|
||||
return ""
|
||||
}
|
||||
return strings.Trim(fields[1], "\"")
|
||||
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
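Review bot: GetHostDistribution never returns a distribution: `content` is the `[]byte` from ioutil.ReadFile, so `for _, line := range content` iterates single bytes, and `fmt.Sprintf("%s", line)` on a byte yields the `%!s(uint8=…)` form, which can never have the prefix "ID"; the function always falls through to `return ""`. The fix is to split the file into lines first and match the exact `ID=` key, since a bare `ID` prefix would also match `ID_LIKE=`. A doc comment should also note the function relies on /etc/os-release being present and readable.

```go
func (p *PodmanTest) GetHostDistribution() string {
	content, err := ioutil.ReadFile("/etc/os-release")
	if err != nil {
		return ""
	}
	for _, line := range strings.Split(string(content), "\n") {
		// Match only the ID= key; a bare "ID" prefix would also match ID_LIKE=.
		if !strings.HasPrefix(line, "ID=") {
			continue
		}
		return strings.Trim(strings.TrimPrefix(line, "ID="), "\"")
	}
	return ""
}
```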
|
||||
|
|
|
@ -61,16 +61,11 @@ var _ = Describe("Podman privileged container tests", func() {
|
|||
})
|
||||
|
||||
It("podman cap-drop CapEff", func() {
|
||||
cap := podmanTest.SystemExec("grep", []string{"CapAmb", "/proc/self/status"})
|
||||
cap.WaitWithDefaultTimeout()
|
||||
Expect(cap.ExitCode()).To(Equal(0))
|
||||
session := podmanTest.Podman([]string{"run", "--cap-drop", "all", "busybox", "grep", "CapEff", "/proc/self/status"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session.ExitCode()).To(Equal(0))
|
||||
|
||||
capAmp := strings.Split(cap.OutputToString(), " ")
|
||||
capEff := strings.Split(session.OutputToString(), " ")
|
||||
Expect(capAmp[1]).To(Equal(capEff[1]))
|
||||
Expect("0000000000000000").To(Equal(capEff[1]))
|
||||
})
|
||||
|
||||
It("podman non-privileged should have very few devices", func() {
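Review bot: `capEff[1]` in the new assertion is indexed without checking that the split produced two fields, so an unexpected or empty grep output panics the test run instead of reporting a failure; add `Expect(capEff).To(HaveLen(2))` before it. The literal and the actual value are also swapped relative to gomega's convention, which makes the failure message read backwards: `Expect(capEff[1]).To(Equal("0000000000000000"))`. The `It` block is complete within the hunk; the enclosing Describe continues outside it.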
|
||||
|
|