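// Source: github.com/containers/libpod@v1.9.4-0.20220419124438-4284fd425507/test/e2e/run_userns_test.go

// +build !remoteclient

package integration

import (
	"fmt"
	"io/ioutil"
	"os"
	"os/user"
	"strings"

	. "github.com/containers/libpod/test/utils"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// End-to-end checks for podman's user-namespace options (--uidmap, --gidmap,
// --userns=keep-id|auto|container:NAME). Each spec runs a real container and
// inspects either its stdout or /proc/self/{uid,gid}_map from inside it.
var _ = Describe("Podman UserNS support", func() {
	var (
		tempdir    string
		err        error
		podmanTest *PodmanTestIntegration
	)

	// requireSubuidEntry skips the running spec unless /etc/subuid mentions the
	// account the --userns=auto specs look up. root is looked up under the
	// name "containers".
	//
	// NOTE(review): this is a substring match over the whole file, so it is a
	// cheap pre-flight check rather than proof that a usable range exists. The
	// gidmapping spec relies on it as well; /etc/subgid is never inspected.
	requireSubuidEntry := func() {
		u, err := user.Current()
		Expect(err).To(BeNil())

		// /etc/subuid is keyed by login name. user.User.Name is the display
		// (GECOS) name and need not match it, which made these specs skip for
		// accounts whose display name differs from the login.
		name := u.Username
		if name == "root" {
			name = "containers"
		}

		content, err := ioutil.ReadFile("/etc/subuid")
		if err != nil {
			Skip("cannot read /etc/subuid")
		}
		if !strings.Contains(string(content), name) {
			Skip("cannot find mappings for the current user")
		}
	}

	BeforeEach(func() {
		if os.Getenv("SKIP_USERNS") != "" {
			Skip("Skip userns tests.")
		}
		// No uid_map under /proc/self means user namespaces are unavailable here.
		if _, err := os.Stat("/proc/self/uid_map"); err != nil {
			Skip("User namespaces not supported.")
		}
		tempdir, err = CreateTempDirInTempDir()
		if err != nil {
			os.Exit(1)
		}
		podmanTest = PodmanTestCreate(tempdir)
		podmanTest.Setup()
		podmanTest.SeedImages()
	})

	AfterEach(func() {
		podmanTest.Cleanup()
		f := CurrentGinkgoTestDescription()
		processTestResult(f)
	})

	// Explicit maps: container IDs 0..4999 onto host UIDs from 100 and host
	// GIDs from 200. Only successful start-up and output are checked here.
	It("podman uidmapping and gidmapping", func() {
		session := podmanTest.Podman([]string{"run", "--uidmap=0:100:5000", "--gidmap=0:200:5000", "alpine", "echo", "hello"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		ok, _ := session.GrepString("hello")
		Expect(ok).To(BeTrue())
	})

	// It essentially repeats the test above but with the `-it` short option
	// that broke execution at:
	//     https://github.com/containers/libpod/pull/1066#issuecomment-403562116
	// To avoid a potential future regression, use this as a test.
	It("podman uidmapping and gidmapping with short-opts", func() {
		session := podmanTest.Podman([]string{"run", "--uidmap=0:1:5000", "--gidmap=0:200:5000", "-it", "alpine", "echo", "hello"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		ok, _ := session.GrepString("hello")
		Expect(ok).To(BeTrue())
	})

	// Same mapping combined with a named volume mounted with the :Z option.
	It("podman uidmapping and gidmapping with a volume", func() {
		session := podmanTest.Podman([]string{"run", "--uidmap=0:1:500", "--gidmap=0:200:5000", "-v", "my-foo-volume:/foo:Z", "alpine", "echo", "hello"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		ok, _ := session.GrepString("hello")
		Expect(ok).To(BeTrue())
	})

	// A private user namespace together with the host network namespace.
	It("podman uidmapping and gidmapping --net=host", func() {
		session := podmanTest.Podman([]string{"run", "--net=host", "--uidmap=0:1:5000", "--gidmap=0:200:5000", "alpine", "echo", "hello"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		ok, _ := session.GrepString("hello")
		Expect(ok).To(BeTrue())
	})

	// keep-id: `id -u` inside the container must report the invoking user's
	// effective UID.
	It("podman --userns=keep-id", func() {
		session := podmanTest.Podman([]string{"run", "--userns=keep-id", "alpine", "id", "-u"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		uid := fmt.Sprintf("%d", os.Geteuid())
		ok, _ := session.GrepString(uid)
		Expect(ok).To(BeTrue())
	})

	// auto: five containers must each receive a different uid_map. Identical
	// maps would mean two containers share host UIDs, which defeats the
	// isolation that --userns=auto is used for.
	It("podman --userns=auto", func() {
		requireSubuidEntry()

		m := make(map[string]string)
		for i := 0; i < 5; i++ {
			session := podmanTest.Podman([]string{"run", "--userns=auto", "alpine", "cat", "/proc/self/uid_map"})
			session.WaitWithDefaultTimeout()
			Expect(session.ExitCode()).To(Equal(0))
			l := session.OutputToString()
			// presumably 1024 is the default size of an automatic namespace — confirm
			Expect(strings.Contains(l, "1024")).To(BeTrue())
			m[l] = l
		}
		// check for no duplicates
		Expect(len(m)).To(Equal(5))
	})

	// auto with an explicit size, and auto sized implicitly by --user, where
	// the namespace has to cover the larger of the requested UID and GID.
	//
	// Every run is asserted. Previously only the final GrepString result was
	// checked, so a wrong size in the first three runs went unnoticed.
	//
	// NOTE(review): GrepString looks like a plain substring match; a host-ID
	// column that happens to contain the same digits would also satisfy it.
	It("podman --userns=auto:size=%d", func() {
		requireSubuidEntry()

		session := podmanTest.Podman([]string{"run", "--userns=auto:size=500", "alpine", "cat", "/proc/self/uid_map"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		ok, _ := session.GrepString("500")
		Expect(ok).To(BeTrue())

		session = podmanTest.Podman([]string{"run", "--userns=auto:size=3000", "alpine", "cat", "/proc/self/uid_map"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		ok, _ = session.GrepString("3000")
		Expect(ok).To(BeTrue())

		session = podmanTest.Podman([]string{"run", "--userns=auto", "--user=2000:3000", "alpine", "cat", "/proc/self/uid_map"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		ok, _ = session.GrepString("3001")
		Expect(ok).To(BeTrue())

		session = podmanTest.Podman([]string{"run", "--userns=auto", "--user=4000:1000", "alpine", "cat", "/proc/self/uid_map"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		ok, _ = session.GrepString("4001")
		Expect(ok).To(BeTrue())
	})

	// auto with a forced UID mapping: the 0:0:1 entry must appear in uid_map,
	// and with size=8192 the remainder is expected to show as 8191.
	// Mapping container ID 0 straight to ID 0 of the parent namespace gives up
	// the remapping for that one ID; it is used here only to exercise the option.
	It("podman --userns=auto:uidmapping=", func() {
		requireSubuidEntry()

		session := podmanTest.Podman([]string{"run", "--userns=auto:uidmapping=0:0:1", "alpine", "cat", "/proc/self/uid_map"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		output := session.OutputToString()
		Expect(output).To(MatchRegexp("\\s0\\s0\\s1"))

		session = podmanTest.Podman([]string{"run", "--userns=auto:size=8192,uidmapping=0:0:1", "alpine", "cat", "/proc/self/uid_map"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		ok, _ := session.GrepString("8191")
		Expect(ok).To(BeTrue())
	})

	// GID counterpart of the spec above, read back from gid_map.
	It("podman --userns=auto:gidmapping=", func() {
		requireSubuidEntry()

		session := podmanTest.Podman([]string{"run", "--userns=auto:gidmapping=0:0:1", "alpine", "cat", "/proc/self/gid_map"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		output := session.OutputToString()
		Expect(output).To(MatchRegexp("\\s0\\s0\\s1"))

		session = podmanTest.Podman([]string{"run", "--userns=auto:size=8192,gidmapping=0:0:1", "alpine", "cat", "/proc/self/gid_map"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		ok, _ := session.GrepString("8191")
		Expect(ok).To(BeTrue())
	})

	// container:NAME: a second container joins the user namespace of a running
	// one and must see that container's mapping (the 4998-wide range).
	It("podman --userns=container:CTR", func() {
		ctrName := "userns-ctr"
		session := podmanTest.Podman([]string{"run", "-d", "--uidmap=0:0:1", "--uidmap=1:1:4998", "--name", ctrName, "alpine", "top"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))

		// runc has an issue and we also need to join the IPC namespace.
		session = podmanTest.Podman([]string{"run", "--rm", "--userns=container:" + ctrName, "--ipc=container:" + ctrName, "alpine", "cat", "/proc/self/uid_map"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))

		ok, _ := session.GrepString("4998")
		Expect(ok).To(BeTrue())
	})
})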