mirror of
https://github.com/containers/podman
synced 2024-10-20 17:23:30 +00:00
9fd7ab50f8
Some CI systems set $OCI_RUNTIME as a way to override the default crun. Integration (e2e) tests honor this, but system tests were not aware of the convention; this means we haven't been testing system tests with runc, which means RHEL gating tests are now failing. The proper solution would be to edit containers.conf on CI systems. Sorry, that would involve too much CI-VM work. Instead, this PR detects $OCI_RUNTIME and creates a dummy containers.conf file using that runtime. Add: various skips for tests that don't work with runc. Refactor: add a helper function so we don't need to do the complicated 'podman info blah blah .OCIRuntime.blah' thing in many places. BUG: we leave a tmp file behind on exit. Signed-off-by: Ed Santiago <santiago@redhat.com>
#!/usr/bin/env bats -*- bats -*-
# shellcheck disable=SC2096
#
# Tests for podman run --group-add, including keep-groups
#
load helpers
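# Skip the calling test unless the OCI runtime reported by podman_runtime
# is crun. The skip message records which runtime was found.
# Arguments: none
# Outputs:   nothing directly; delegates to skip when the runtime is not crun
function _require_crun() {
    # Declared local so the runtime name neither leaks into nor clobbers a
    # variable of the same name in the calling test. Declaration and
    # assignment are separate so a podman_runtime failure is not masked.
    local runtime
    runtime=$(podman_runtime)
    if [[ $runtime != "crun" ]]; then
        skip "runtime is $runtime; keep-groups requires crun"
    fi
}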
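# keep-groups combined with a user namespace: podman is started under
# chroot --groups 1234, and the container gets the ID mapping 0:200000:5000.
# The test expects id to print 65534(nobody) for the kept group, which is how
# an ID without a mapping in the namespace is displayed.
@test "podman --group-add keep-groups while in a userns" {
    skip_if_rootless "chroot is not allowed in rootless mode"
    skip_if_remote "--group-add keep-groups not supported in remote mode"
    _require_crun

    # ${PODMAN} stays unquoted as in the original.
    # NOTE(review): presumably it can hold a command plus arguments; confirm
    # in the helpers before quoting it.
    run chroot --groups 1234 / ${PODMAN} run --uidmap 0:200000:5000 \
        --group-add keep-groups "$IMAGE" id
    # 'run' only records the exit status, so check it explicitly: the output
    # match below should come from a successful id, not from an error message.
    is "$status" "0" "exit status of podman run under chroot --groups"
    is "$output" ".*65534(nobody)" "Check group leaked into user namespace"
}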
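# keep-groups without a user namespace: podman is started under
# chroot --groups 1234,5678 and the test expects 1234 to appear in the
# container's id output, i.e. the caller's supplementary group is passed
# through when (and because) keep-groups was requested.
@test "podman --group-add keep-groups while not in a userns" {
    skip_if_rootless "chroot is not allowed in rootless mode"
    skip_if_remote "--group-add keep-groups not supported in remote mode"
    _require_crun

    # ${PODMAN} stays unquoted as in the original.
    # NOTE(review): presumably it can hold a command plus arguments; confirm
    # in the helpers before quoting it.
    run chroot --groups 1234,5678 / ${PODMAN} run --group-add keep-groups "$IMAGE" id
    # 'run' only records the exit status, so check it explicitly before
    # trusting the output match.
    is "$status" "0" "exit status of podman run under chroot --groups"
    # NOTE(review): only 1234 is checked; 5678 is passed to chroot as well
    # but never asserted on.
    is "$output" ".*1234" "Check group leaked into container"
}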
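# Explicit --group-add 457 (no keep-groups) inside a user namespace, with
# podman started under chroot --groups 1234,5678. The test expects 457 in the
# container's id output.
@test "podman --group-add without keep-groups while in a userns" {
    skip_if_rootless "chroot is not allowed in rootless mode"
    # NOTE(review): this test does not use keep-groups, so the skip reason
    # below looks copied from the tests above; confirm the real reason for
    # skipping in remote mode before rewording it.
    skip_if_remote "--group-add keep-groups not supported in remote mode"

    # ${PODMAN} stays unquoted as in the original.
    # NOTE(review): presumably it can hold a command plus arguments; confirm
    # in the helpers before quoting it.
    run chroot --groups 1234,5678 / ${PODMAN} run --uidmap 0:200000:5000 \
        --group-add 457 "$IMAGE" id
    # 'run' only records the exit status, so check it explicitly before
    # trusting the output match.
    is "$status" "0" "exit status of podman run under chroot --groups"
    is "$output" ".*457" "Check group leaked into container"
    # NOTE(review): this is the case where the caller's groups (1234, 5678)
    # should NOT reach the container, yet only the presence of 457 is
    # asserted. A negative check on 1234 and 5678 would make this a real
    # regression guard for the no-keep-groups path; verify the expected id
    # output before adding it.
}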
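# In remote mode, --group-add keep-groups must be rejected: run_podman is
# given 125 ahead of the podman arguments (presumably the expected exit
# status; confirm in the helpers) and the output must contain
# "not supported in remote mode".
@test "podman --remote --group-add keep-groups " {
    # Skip explicitly when not remote. The original wrapped the body in
    # 'if is_remote', so a local run was reported as a pass although nothing
    # had been checked.
    if ! is_remote; then
        skip "only applicable in remote mode"
    fi

    run_podman 125 run --group-add keep-groups "$IMAGE" id
    is "$output" ".*not supported in remote mode" "Remote check --group-add keep-groups"
}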
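# Baseline: an explicitly requested supplementary group (457) must show up
# in the container's id output. No chroot, user namespace or keep-groups here.
@test "podman --group-add without keep-groups " {
    # "$IMAGE" is quoted so the image reference always reaches podman as a
    # single argument.
    run_podman run --group-add 457 "$IMAGE" id
    is "$output" ".*457" "Check group leaked into container"
}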
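# keep-groups is mutually exclusive with any other --group-add value: podman
# must refuse the combination. run_podman is given 125 ahead of the podman
# arguments (presumably the expected exit status; confirm in the helpers).
@test "podman --group-add keep-groups plus added groups " {
    run_podman 125 run --group-add keep-groups --group-add 457 "$IMAGE" id
    # The description now names what is checked: a rejection message, not
    # container output. The original reused "Check group leaked into
    # container", which would mislead whoever reads a failure report.
    is "$output" ".*the '--group-add keep-groups' option is not allowed with any other --group-add options" "keep-groups combined with another --group-add is rejected"
}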