container/podman
container/podman
1
0
Fork 0
mirror of https://github.com/containers/podman synced 2024-10-19 08:44:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9598 from rhatdan/kvm

Browse source 
Check for supportsKVM based on basename of the runtime
This commit is contained in:
OpenShift Merge Robot 2021-03-04 14:54:53 -05:00 committed by GitHub
parent e65bcc166c 252aec1c9a
commit a26b15265e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 70 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
libpod/oci_conmon_linux.go
View file

@ -113,9 +113,11 @@ func newConmonOCIRuntime(name string, paths []string, conmonPath string, runtime
// TODO: probe OCI runtime for feature and enable automatically if // TODO: probe OCI runtime for feature and enable automatically if
// available. // available.
runtime.supportsJSON = supportsJSON[name]
runtime.supportsNoCgroups = supportsNoCgroups[name] base := filepath.Base(name)
runtime.supportsKVM = supportsKVM[name] runtime.supportsJSON = supportsJSON[base]
runtime.supportsNoCgroups = supportsNoCgroups[base]
runtime.supportsKVM = supportsKVM[base]
foundPath := false foundPath := false
for _, path := range paths { for _, path := range paths {

49
test/e2e/run_selinux_test.go
View file

@ -2,6 +2,7 @@ package integration
import ( import (
"os" "os"
"path/filepath"
. "github.com/containers/podman/v3/test/utils" . "github.com/containers/podman/v3/test/utils"
. "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo"
@ -294,4 +295,52 @@ var _ = Describe("Podman run", func() {
Expect(session.ExitCode()).To(Equal(0)) Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring("container_t")) Expect(session.OutputToString()).To(ContainSubstring("container_t"))
}) })
It("podman test --ipc=net", func() {
session := podmanTest.Podman([]string{"run", "--net=host", ALPINE, "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring("container_t"))
})
It("podman test --ipc=net", func() {
session := podmanTest.Podman([]string{"run", "--net=host", ALPINE, "cat", "/proc/self/attr/current"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
Expect(session.OutputToString()).To(ContainSubstring("container_t"))
})
It("podman test --runtime=/PATHTO/kata-runtime", func() {
runtime := podmanTest.OCIRuntime
podmanTest.OCIRuntime = filepath.Join(podmanTest.TempDir, "kata-runtime")
err := os.Symlink("/bin/true", podmanTest.OCIRuntime)
Expect(err).To(BeNil())
if IsRemote() {
podmanTest.StopRemoteService()
podmanTest.StartRemoteService()
}
session := podmanTest.Podman([]string{"create", ALPINE})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
cid := session.OutputToString()
session = podmanTest.Podman([]string{"inspect", "--format", "{{ .ProcessLabel }}", cid})
session.WaitWithDefaultTimeout()
Expect(session.OutputToString()).To(ContainSubstring("container_kvm_t"))
podmanTest.OCIRuntime = runtime
if IsRemote() {
podmanTest.StopRemoteService()
podmanTest.StartRemoteService()
}
})
It("podman test init labels", func() {
session := podmanTest.Podman([]string{"create", ubi_init, "/sbin/init"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
cid := session.OutputToString()
session = podmanTest.Podman([]string{"inspect", "--format", "{{ .ProcessLabel }}", cid})
session.WaitWithDefaultTimeout()
Expect(session.OutputToString()).To(ContainSubstring("container_init_t"))
})
}) })

20
test/system/410-selinux.bats
View file

@ -39,17 +39,17 @@ function check_label() {
} }
@test "podman selinux: container with label=disable" { @test "podman selinux: container with label=disable" {
skip_if_rootless
check_label "--security-opt label=disable" "spc_t" check_label "--security-opt label=disable" "spc_t"
} }
@test "podman selinux: privileged container" { @test "podman selinux: privileged container" {
skip_if_rootless
check_label "--privileged --userns=host" "spc_t" check_label "--privileged --userns=host" "spc_t"
} }
@test "podman selinux: init container" {
check_label "--systemd=always" "container_init_t"
}
@test "podman selinux: pid=host" { @test "podman selinux: pid=host" {
# FIXME FIXME FIXME: Remove these lines once all VMs have >= 2.146.0 # FIXME FIXME FIXME: Remove these lines once all VMs have >= 2.146.0
# (this is ugly, but better than an unconditional skip) # (this is ugly, but better than an unconditional skip)
@ -74,6 +74,18 @@ function check_label() {
check_label "--security-opt label=level:s0:c1,c2" "container_t" "s0:c1,c2" check_label "--security-opt label=level:s0:c1,c2" "container_t" "s0:c1,c2"
} }
@test "podman selinux: inspect kvm labels" {
skip_if_no_selinux
skip_if_remote "runtime flag is not passed over remote"
if [ ! -e /usr/bin/kata-runtime ]; then
skip "kata-runtime not available"
fi
run_podman create --runtime=kata --name myc $IMAGE
run_podman inspect --format='{{ .ProcessLabel }}' myc
is "$output" ".*container_kvm_t.*"
}
# pr #6752 # pr #6752
@test "podman selinux: inspect multiple labels" { @test "podman selinux: inspect multiple labels" {
skip_if_no_selinux skip_if_no_selinux