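#!/usr/bin/env bash
# test_podman_baseline.sh
# Listing: github.com/AbhinandanKurakure/podman/v3@v3.4.10/test/test_podman_baseline.sh
#
# A script to be run at the command line with Podman installed.
# This should be run against a new kit to provide base level testing
# on a freshly installed machine with no images or container in
# play.  This currently needs to be run as root.
#
# The script calls "podman rm --all" and "podman rmi --all" several times,
# so every container and image in the invoking user's storage is removed.
# Images are referenced by mutable tags; pin them by digest
# (name@sha256:<digest>) where a reproducible baseline is required.
#
# Please leave the whale-says test as the last test in this script.
# It makes it easier to identify if the script has finished or not.
#
# To run this command:
#
# /bin/bash -v test_podman_baseline.sh -d # Install and then deinstall Docker
# /bin/bash -v test_podman_baseline.sh -n # Do not perform docker test
# /bin/bash -v test_podman_baseline.sh -e # Stop on error
# /bin/bash -v test_podman_baseline.sh    # Continue on error
#

#######
# See if we want to stop on errors and/or install and then remove Docker.
#######
HOST_PORT="${HOST_PORT:-8080}"
showerror=0
installdocker=0
usedocker=1
while getopts "den" opt; do
  case "$opt" in
    d) installdocker=1 ;;
    e) showerror=1 ;;
    n) usedocker=0 ;;
  esac
done

# The second operand must be the variable: the literal word "usedocker" is
# not an integer, so the test errored out and the message was never printed.
if [ "$installdocker" -eq 1 ] && [ "$usedocker" -ne 0 ]; then
  echo "Script will install and then deinstall Docker."
fi

if [ "$showerror" -eq 1 ]; then
  echo "Script will stop on unexpected errors."
  set -e
fi

# Prefer dnf, fall back to yum. The trailing "|| true" keeps a host with
# neither tool from aborting here once "set -e" is active.
pkg_manager=$(command -v dnf || command -v yum || true)

echo "Package manager binary: $pkg_manager"

########
# Next two commands should return blanks
########
podman images
podman ps --all

########
# Run ls in redis container, this should work
########
ctrid=$(podman pull docker.io/library/redis:4-alpine3.8)
# Quoted: if the pull printed nothing, an unquoted empty expansion would
# vanish and "ls" would be taken as the image name to resolve and pull.
podman run "$ctrid" ls /

########
# Remove images and containers
########
podman rm --all
podman rmi --all

########
# Create Fedora based image
########
image=$(podman pull registry.fedoraproject.org/fedora:latest)
echo "$image"

########
# Run container and display contents in /etc
########
podman run --rm "$image" ls -alF /etc

########
# Test networking, bind mounting a file, stdin/stdout redirect
########
echo "Testing networking: ..."
port_test_failed=0
txt1="Hello, Podman"
# The script runs as root, so the file that gets bind-mounted is created with
# mktemp instead of a fixed name in the world-writable /tmp directory.
hello_file=$(mktemp /tmp/hello.XXXXXX) || {
  echo "cannot create a temporary file for the networking test" >&2
  exit 1
}
# mktemp creates the file 0600; restore the read bits a plain redirect gave it.
chmod 0644 "$hello_file"
echo "$txt1" > "$hello_file"
# Fully qualified image name, matching the busybox references used by the
# parallel-run tests later in the script.
podman run -d --name myweb -p "$HOST_PORT:80" -w /var/www \
  -v "$hello_file:/var/www/index.txt" \
  docker.io/library/busybox:latest httpd -f -p 80
echo "$txt1" | podman exec -i myweb sh -c "cat > /var/www/index2.txt"

txt2=$(podman exec myweb cat /var/www/index2.txt)
if [ "$txt1" = "$txt2" ]; then
  echo "PASS1"
else
  echo "FAIL1"
  port_test_failed=1
fi

txt2=$(podman run --rm --net host docker.io/library/busybox:latest wget -qO - "http://localhost:$HOST_PORT/index.txt")
if [ "$txt1" = "$txt2" ]; then
  echo "PASS2"
else
  echo "FAIL2"
  port_test_failed=1
fi

txt2=$(podman run --rm --net host docker.io/library/busybox:latest wget -qO - "http://localhost:$HOST_PORT/index2.txt")
if [ "$txt1" = "$txt2" ]; then
  echo "PASS3"
else
  echo "FAIL3"
  port_test_failed=1
fi

# podman run --rm --net container:myweb --add-host myweb:127.0.0.1 busybox wget -qO - http://myweb/index.txt
rm -f -- "$hello_file"
podman stop myweb
podman rm myweb
if [ "$port_test_failed" -eq 1 ] && [ "$showerror" -eq 1 ]; then
  echo "networking test failed"
  # 255 is the status bash reports for the original "exit -1".
  exit 255
fi
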
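
#######################################
# Compare the number of running containers with an expected value.
# "podman ps -q" lists every running container in this user's storage, so
# the check only holds when nothing else is running on the machine.
# Globals:   prun_test_failed (written), showerror (read)
# Arguments: $1 - expected number of running containers
# Outputs:   a PASS or FAIL line on stdout
# Returns:   0; exits 255 on a mismatch when showerror is 1
#######################################
expect_running() {
  local expected=$1
  local count
  count=$(podman ps -q | wc -l)
  if [ "$count" -eq "$expected" ]; then
    echo "PASS"
  else
    echo "FAIL, expecting $expected found $count"
    prun_test_failed=1
  fi
  if [ "$prun_test_failed" -eq 1 ] && [ "${showerror:-0}" -eq 1 ]; then
    echo "was expecting $expected running containers"
    # 255 is the status bash reports for the original "exit -1".
    exit 255
  fi
  return 0
}

########
# pull and run many containers in parallel, test locks ..etc.
########
prun_test_failed=0
# Drop the image first so that the ten parallel runs all race on the pull.
podman rmi docker.io/library/busybox:latest > /dev/null || :
for i in {1..10}; do
  ( podman run -d --name "b$i" docker.io/library/busybox:latest busybox httpd -f -p 80 ) &
done
echo -e "\nwaiting for creation...\n"
wait
echo -e "\ndone\n"
# assert we have 10 running containers
expect_running 10

prun_test_failed=0
for i in {1..10}; do
  ( podman stop -t=1 "b$i"; podman rm "b$i" ) &
done
echo -e "\nwaiting for deletion...\n"
wait
echo -e "\ndone\n"
# assert we have 0 running containers
expect_running 0

########
# run many containers in parallel for an existing image, test locks ..etc.
########
prun_test_failed=0
podman pull docker.io/library/busybox:latest > /dev/null || :
for i in {1..10}; do
  ( podman run -d --name "c$i" docker.io/library/busybox:latest busybox httpd -f -p 80 ) &
done
echo -e "\nwaiting for creation...\n"
wait
echo -e "\ndone\n"
# assert we have 10 running containers
expect_running 10

# Reset the flag before the deletion check, as the first round does.
prun_test_failed=0
for i in {1..10}; do
  ( podman stop -t=1 "c$i"; podman rm "c$i" ) &
done
echo -e "\nwaiting for deletion...\n"
wait
echo -e "\ndone\n"
# assert we have 0 running containers
expect_running 0

########
# Run Java in the container - should ERROR but never stop
########
# Quoted: with an empty $image the unquoted form would make "java" the image
# name, and podman would try to resolve and pull an image called java.
podman run "$image" java 2>&1 || echo "$?"
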
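
########
# Clean out containers
########
podman rm --all

########
# Install java onto the container, commit it, then run it showing java usage
########
podman run --net=host "$image" dnf -y install java
# Exactly one container is expected to exist at this point.
javaimage=$(podman ps --all -q)
podman commit "$javaimage" javaimage
podman run javaimage java -version

########
# Cleanup containers and images
########
podman rm --all
podman rmi --all

########
# Check images and containers, should be blanks
########
podman ps --all
podman images

########
# Create Fedora based container
########
image=$(podman pull registry.fedoraproject.org/fedora:latest)
echo "$image"
podman run "$image" ls /

########
# Create shell script to test on
########
FILE=./runecho.sh
# Quoted delimiter: the body is written out literally, so $i is expanded by
# the generated script and not by this one.
/bin/cat <<'EOM' >"$FILE"
#!/usr/bin/env bash
for i in {1..9};
do
    echo "This is a new container pull ipbabble [" $i "]"
done
EOM
chmod +x "$FILE"

########
# Copy and run file on container
########
ctrid=$(podman ps --all -q)
mnt=$(podman mount "$ctrid")
# Without a mount path the destination would collapse to /tmp/runecho.sh on
# the host, so copy only when podman actually returned one.
if [ -n "$mnt" ]; then
  cp ./runecho.sh "${mnt}/tmp/runecho.sh"
else
  echo "podman mount returned no path; runecho.sh was not copied" >&2
fi
podman umount "$ctrid"
podman commit "$ctrid" runecho
podman run runecho ./tmp/runecho.sh

########
# Inspect the container, verifying above was put into it
########
podman inspect "$ctrid"

########
# Check the images there should be a runecho image
########
podman images

########
# Remove the containers
########
podman rm -a

if [ "$usedocker" -ne 0 ]; then
  if [ "$installdocker" -eq 1 ]; then
    ########
    # Install Docker, but not for long!
    ########
    # The package manager path is stored in pkg_manager near the top of the
    # script. The name used here before, package_manager, is never assigned,
    # which left "-y" as the command word.
    "$pkg_manager" -y install docker
  fi
  systemctl restart docker

  ########
  # Push fedora-bashecho to the Docker daemon
  ########
  podman push runecho docker-daemon:fedora-bashecho:latest

  ########
  # Run fedora-bashecho pull Docker
  ########
  docker run fedora-bashecho ./tmp/runecho.sh

  if [ "$installdocker" -eq 1 ]; then
    ########
    # Time to remove Docker
    ########
    "$pkg_manager" -y remove docker
  fi
fi

########
# Clean up Podman
########
podman rm --all
podman rmi --all

########
# Set up xfs mount for overlay quota
########

# The scratch directory comes from mktemp: this runs as root, and a fixed
# name under /tmp could already exist or be a link owned by another user.
# A separate variable is used so that TMPDIR, which mktemp honours, keeps its
# inherited value.
overlay_dir=$(mktemp -d /tmp/podman_test.XXXXXX) || {
  echo "cannot create a scratch directory for the overlay quota test" >&2
  exit 1
}

# 1.004608 MB is 1,004,608 bytes. The container overhead is 4608 bytes (or 9 512 byte pages), so this allocates 1 MB of usable storage
podman_base=(--storage-driver overlay --storage-opt overlay.size=1.004608M --root "$overlay_dir/crio")
dd if=/dev/zero of="$overlay_dir/virtfs" bs=1024 count=30720
# --show prints the device that was attached, so the free device is found and
# bound in one step instead of two commands with a gap between them.
device=$(losetup -f --show "$overlay_dir/virtfs")
mkfs.xfs "$device"
mount -t xfs -o prjquota "$device" "$overlay_dir"

########
# Expected to succeed
########
# NOTE(review): label=disable turns off SELinux label separation for these
# containers; presumably needed because the storage root lives on the scratch
# filesystem - confirm before copying this option elsewhere.
podman "${podman_base[@]}" run --security-opt label=disable docker.io/library/alpine:latest sh -c 'touch file.txt && dd if=/dev/zero of=file.txt count=1048576 bs=1'
rc=$?
if [ "$rc" -eq 0 ]; then
  echo "Overlay test within limits passed"
else
  echo "Overlay test within limits failed"
fi

########
# Expected to fail
########

# Skipped with -e: the expected failure would stop the script under "set -e".
if [ "$showerror" -ne 1 ]; then
  podman "${podman_base[@]}" run --security-opt label=disable docker.io/library/alpine:latest sh -c 'touch file.txt && dd if=/dev/zero of=file.txt count=1048577 bs=1'
  rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "Overlay test outside limits passed"
  else
    echo "Overlay test outside limits failed"
  fi
fi

########
# Clean up Podman
########
podman rm --all
podman rmi --all
umount -l "$overlay_dir"
losetup -d "$device"
rm -rf -- "${overlay_dir:?}"

########
# Prep for UserNamespace testing
# Thanks @marcov!
########
# NOTE(review): /tmp/voltest is a fixed path in a world-writable directory and
# is chown'ed by root below. It is kept because the clean-up step later in the
# script removes the same literal path.
PODMAN_OPTS_VOLUMES="-v /tmp/voltest/vol-0:/mnt/vol-0 -v /tmp/voltest/vol-1000:/mnt/vol-1000 -v /tmp/voltest/vol-100000:/mnt/vol-100000 -v /tmp/voltest/vol-101000:/mnt/vol-101000"
PODMAN_OPTS="$PODMAN_OPTS_VOLUMES --rm"
PODMAN_ID_MAPS="--uidmap=0:100000:1000000 --gidmap=0:100000:1000000"

########
# Make directories for UserNamespace testing
########
mkdir -p /tmp/voltest/vol-0
mkdir -p /tmp/voltest/vol-1000
mkdir -p /tmp/voltest/vol-100000
mkdir -p /tmp/voltest/vol-101000
# Keeps only the digits of the path, which yields "0".
UIDGID=$(/usr/bin/tr -cd "[:digit:]" <<< /tmp/voltest/vol-0)

# NOTE(review): UIDGID is computed once, so all four directories end up owned
# by 0:0. The directory names suggest each was meant to be owned by the id in
# its name - confirm before relying on the results of this test.
for vol in 0 1000 100000 101000; do
  chown "$UIDGID:$UIDGID" "/tmp/voltest/vol-$vol"
done

########
# Make run test script
########
FILE=./runtest.sh
# Quoted delimiter: with a bare EOM the $(find ...), $i and $? below were
# expanded by this script on the host while the file was being written, so
# the generated script never walked /mnt inside the container.
/bin/cat <<'EOM' >"$FILE"
#!/usr/bin/env bash
ls -n /mnt
for i in $(find /mnt -mindepth 1 -type d); do
    touch "$i/foobar" 2>/dev/null;
    echo "create $i/foobar: $?";
    /bin/rm "$i/foobar" 2>/dev/null;
done;
exit 0
EOM
chmod +x "$FILE"

########
# Make Dockerfile
########
FILE=./Dockerfile
/bin/cat <<'EOM' >"$FILE"
FROM docker.io/library/debian:latest
ADD ./runtest.sh /runtest.sh
EOM
chmod +x "$FILE"

########
# Build container
########
podman build -t usernamespace -f ./Dockerfile .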
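
#######################################
# Print the outcome line of one AppArmor check.
# Arguments: $1 - label printed in front of the verdict
#            $2 - exit status of the command under test
#            $3 - "pass" if status 0 is expected, "fail" if non-zero is
# Outputs:   "<label>passed" or "<label>failed" on stdout
#######################################
aa_report() {
  local label=$1
  local rc=$2
  local want=$3
  local verdict="failed"
  if [ "$want" = "pass" ] && [ "$rc" -eq 0 ]; then
    verdict="passed"
  elif [ "$want" = "fail" ] && [ "$rc" -ne 0 ]; then
    verdict="passed"
  fi
  printf '%s%s\n' "$label" "$verdict"
}

########
# Run the tests for UserNamespaces
########
# PODMAN_OPTS and PODMAN_ID_MAPS each hold several space-separated options
# and are expanded unquoted on purpose, so every option becomes its own word.
# shellcheck disable=SC2086
{
  echo "Run as root with no user NS"
  # Absolute path, as in the three runs below (the Dockerfile adds the script
  # as /runtest.sh).
  podman run $PODMAN_OPTS usernamespace /bin/bash /runtest.sh
  echo ""

  echo "Run as user 1000 with no user NS"
  podman run --user=1000 $PODMAN_OPTS usernamespace /bin/bash /runtest.sh
  echo ""

  echo "Run as root with user NS "
  podman run $PODMAN_ID_MAPS $PODMAN_OPTS usernamespace /bin/bash /runtest.sh
  echo ""

  echo "Run as user 1000 with user NS "
  podman run --user=1000 $PODMAN_ID_MAPS $PODMAN_OPTS usernamespace /bin/bash /runtest.sh
  echo ""
}

########
# Clean up Podman
########
podman rm --all
podman rmi --all
rm -f ./runtest.sh
rm -rf /tmp/voltest
rm -f ./Dockerfile

########
# Build Dockerfiles for OnBuild Test
# (Thanks @clcollins!)
########
FILE=./Dockerfile
/bin/cat <<'EOM' >"$FILE"
FROM docker.io/library/alpine:latest
RUN touch /foo
ONBUILD RUN touch /bar
EOM
chmod +x "$FILE"

FILE=./Dockerfile-2
/bin/cat <<'EOM' >"$FILE"
FROM onbuild-image
RUN touch /baz
EOM
chmod +x "$FILE"

########
# Build with Dockerfiles
########
podman build -f ./Dockerfile --format=docker -t onbuild-image .
podman build -f ./Dockerfile-2 --format=docker -t result-image .

########
# Check for /bar /baz and /foo files
########
podman run --network=host result-image ls -alF /bar /baz /foo

########
# Clean up Podman
########
podman rm --all
podman rmi --all
# Remove only the two files written above; a Dockerfile* glob would also
# delete unrelated files in the current directory.
rm -f -- ./Dockerfile ./Dockerfile-2

########
# Run AppArmor rootless tests
########
if aa-enabled >/dev/null && getent passwd 1000 >/dev/null; then
  # Expected to succeed
  sudo -u "#1000" podman run docker.io/library/alpine:latest echo hello
  rc=$?
  aa_report "rootless with no AppArmor profile " "$rc" pass

  # Expected to succeed
  sudo -u "#1000" podman run --security-opt apparmor=unconfined docker.io/library/alpine:latest echo hello
  rc=$?
  aa_report "rootless with unconfined AppArmor profile " "$rc" pass

  # The profile is loaded into the kernel by root, so it is written to a
  # mktemp file rather than a fixed name in the world-writable /tmp directory.
  aaFile=$(mktemp /tmp/aaProfile.XXXXXX) || {
    echo "cannot create a temporary file for the AppArmor profile" >&2
    exit 1
  }
  aaProfile="aa-demo-profile"
  cat > "$aaFile" <<'EOF'
#include <tunables/global>
profile aa-demo-profile flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  deny mount,
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
}
EOF

  apparmor_parser -Kr "$aaFile"

  # Expected to pass (as root)
  podman run --security-opt "apparmor=$aaProfile" docker.io/library/alpine:latest echo hello
  rc=$?
  aa_report "root with specified AppArmor profile: " "$rc" pass

  # Expected to pass (as root with --privileged).
  # Note that the profile should not be loaded letting the mount succeed.
  podman run --privileged docker.io/library/alpine:latest sh -c "mkdir tmp2; mount --bind tmp tmp2"
  rc=$?
  aa_report "root with specified AppArmor profile but --privileged: " "$rc" pass

  # Expected to fail (as rootless). The status is captured with "||" so that
  # the expected failure does not stop the script when -e is in effect.
  rc=0
  sudo -u "#1000" podman run --security-opt "apparmor=$aaProfile" docker.io/library/alpine:latest echo hello || rc=$?
  aa_report "rootless with specified AppArmor profile: " "$rc" fail

  ########
  # Clean up Podman and $aaFile
  ########
  apparmor_parser -R "$aaFile"
  podman rm --all
  podman rmi --all
  sudo -u "#1000" podman rm --all
  sudo -u "#1000" podman rmi --all
  rm -f -- "$aaFile"
fi

########
# Build Dockerfile for RUN with priv'd command test
########
FILE=./Dockerfile
# Fully qualified base image, as in the OnBuild Dockerfile above, so the name
# does not depend on the host's unqualified-search registry list.
/bin/cat <<'EOM' >"$FILE"
FROM docker.io/library/alpine:latest
RUN apk add nginx
EOM
chmod +x "$FILE"

########
# Build with the Dockerfile
########
podman build -f Dockerfile -t build-priv

########
# Cleanup
########
podman rm -a -f
podman rmi -a -f
rm -f -- ./Dockerfile

########
# Build Dockerfile for WhaleSays test
########
FILE=./Dockerfile
# NOTE(review): the base image below has no registry prefix and floats on
# :latest, so which registry serves it depends on the host configuration and
# its content can change between runs. Qualify it and pin it, e.g.
# <registry>/pharshal/whalesay@sha256:<digest>, once the source is confirmed.
/bin/cat <<'EOM' >"$FILE"
FROM pharshal/whalesay:latest
RUN apt-get -y update && apt-get install -y fortunes
CMD /usr/games/fortune -a | cowsay
EOM
chmod +x "$FILE"

########
# Build with the Dockerfile
########
podman build -f Dockerfile -t whale-says

########
# Run the container to see what the whale says
########
podman run whale-says

########
# NOTE: Please leave the whale-says as the last test
# in this script.
########

########
# Clean up Podman and /tmp
########
podman rm --all
podman rmi --all
rm -f -- ./Dockerfile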