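#!/usr/bin/env bats -*- bats -*-
# shellcheck disable=SC2096
#
# Tests for podman run / pod create with user namespaces:
# --uidmap, --userns=auto|nomap|keep-id and --group-add keep-groups.
# Several of these are negative tests: host groups and the host root
# UID must NOT leak into a container that runs in its own user namespace.
#
# bats file_tags=distro-integration
#

load helpers

# Skip the current test unless the configured OCI runtime is crun.
# --group-add keep-groups is implemented by crun only.
function _require_crun() {
    local runtime
    runtime=$(podman_runtime)
    if [[ $runtime != "crun" ]]; then
        skip "runtime is $runtime; keep-groups requires crun"
    fi
}

# The podman process is started (via chroot --groups) with supplementary
# group 1234. That host GID is outside the 200000:5000 mapping, so inside
# the user namespace it can only show up as the overflow gid 65534(nobody).
@test "podman --group-add keep-groups while in a userns" {
    skip_if_rootless "chroot is not allowed in rootless mode"
    skip_if_remote "--group-add keep-groups not supported in remote mode"
    _require_crun
    run chroot --groups 1234 / ${PODMAN} run --rm --uidmap 0:200000:5000 --group-add keep-groups $IMAGE id
    is "$output" ".*65534(nobody)" "Check group leaked into user namespace"
}

# Without a user namespace, keep-groups carries the caller's supplementary
# groups into the container unchanged.
@test "podman --group-add keep-groups while not in a userns" {
    skip_if_rootless "chroot is not allowed in rootless mode"
    skip_if_remote "--group-add keep-groups not supported in remote mode"
    _require_crun
    run chroot --groups 1234,5678 / ${PODMAN} run --rm --group-add keep-groups $IMAGE id
    is "$output" ".*1234" "Check group leaked into container"
}

# An explicitly requested group is added inside the userns regardless of
# the caller's own supplementary groups.
@test "podman --group-add without keep-groups while in a userns" {
    skip_if_cgroupsv1 "run --uidmap fails on cgroups v1 (issue 15025, wontfix)"
    skip_if_rootless "chroot is not allowed in rootless mode"
    skip_if_remote "--group-add keep-groups not supported in remote mode"
    run chroot --groups 1234,5678 / ${PODMAN} run --rm --uidmap 0:200000:5000 --group-add 457 $IMAGE id
    is "$output" ".*457" "Check group leaked into container"
}

# A pod-level --uidmap must be reflected in the infra container's ID mappings.
@test "rootful pod with custom ID mapping" {
    skip_if_cgroupsv1 "run --uidmap fails on cgroups v1 (issue 15025, wontfix)"
    skip_if_rootless "does not work rootless - rootful feature"
    random_pod_name=$(random_string 30)
    run_podman pod create --uidmap 0:200000:5000 --name=$random_pod_name
    run_podman pod start $random_pod_name
    run_podman pod inspect --format '{{.InfraContainerID}}' $random_pod_name
    run_podman inspect --format '{{.HostConfig.IDMappings.UIDMap}}' $output
    is "$output" ".*0:200000:5000" "UID Map Successful"

    # Remove the pod and the pause image
    run_podman pod rm $random_pod_name
    run_podman rmi -f $(pause_image)
}

# keep-groups only makes sense for a local podman process; the remote
# client must refuse it rather than silently forwarding the caller's groups.
@test "podman --remote --group-add keep-groups " {
    if ! is_remote; then
        skip "this test only meaningful under podman-remote"
    fi

    run_podman 125 run --rm --group-add keep-groups $IMAGE id
    is "$output" ".*not supported in remote mode" "Remote check --group-add keep-groups"
}

@test "podman --group-add without keep-groups " {
    run_podman run --rm --group-add 457 $IMAGE id
    is "$output" ".*457" "Check group leaked into container"
}

# keep-groups is exclusive: combining it with any other --group-add is an error.
@test "podman --group-add keep-groups plus added groups " {
    run_podman 125 run --rm --group-add keep-groups --group-add 457 $IMAGE id
    is "$output" ".*the '--group-add keep-groups' option is not allowed with any other --group-add options" "keep-groups must be rejected together with other --group-add options"
}

@test "podman userns=auto in config file" {
    skip_if_remote "userns=auto is set on the server"

    # userns=auto needs a subordinate ID range for the user podman runs as:
    # the invoking user when rootless, the 'containers' user when rootful.
    if is_rootless; then
        grep -E -q "^$(id -un):" /etc/subuid || skip "no IDs allocated for current user"
    else
        grep -E -q "^containers:" /etc/subuid || skip "no IDs allocated for user 'containers'"
    fi

    cat > $PODMAN_TMPDIR/userns_auto.conf <<EOF
[containers]
userns="auto"
EOF
    # First make sure a user namespace is created
    CONTAINERS_CONF_OVERRIDE=$PODMAN_TMPDIR/userns_auto.conf run_podman run -d $IMAGE sleep infinity
    cid=$output

    run_podman inspect --format '{{.HostConfig.UsernsMode}}' $cid
    is "$output" "private" "Check that a user namespace was created for the container"

    run_podman rm -t 0 -f $cid

    # Then check that the main user is not mapped into the user namespace:
    # column 2 of uid_map/gid_map is the host ID, so a "0" there would mean
    # host root is reachable from inside the container (awk exits 1 -> test fails).
    CONTAINERS_CONF_OVERRIDE=$PODMAN_TMPDIR/userns_auto.conf run_podman 0 run --rm $IMAGE awk '{if($2 == "0"){exit 1}}' /proc/self/uid_map /proc/self/gid_map
}

@test "podman userns=auto and secrets" {
    ns_user="containers"
    if is_rootless; then
        ns_user=$(id -un)
    fi
    # Anchor the match so e.g. "mycontainers:" does not satisfy the check.
    grep -E -q "^${ns_user}:" /etc/subuid || skip "no IDs allocated for user ${ns_user}"
    test_name="test_$(random_string 12)"
    secret_file=$PODMAN_TMPDIR/secret$(random_string 12)
    secret_content=$(random_string)
    echo ${secret_content} > ${secret_file}
    run_podman secret create ${test_name} ${secret_file}
    # The secret mount must be readable by the (unmapped) container user.
    run_podman run --rm --secret=${test_name} --userns=auto:size=1000 $IMAGE cat /run/secrets/${test_name}
    is "$output" "$secret_content" "Secrets should work with user namespace"
    run_podman secret rm ${test_name}
}

@test "podman userns=nomap" {
    if is_rootless; then
        ns_user=$(id -un)
        # Start of the user's first subordinate UID range. The match is
        # anchored so another user's entry cannot be picked up; only the
        # first range is used (NOTE(review): assumes nomap maps the
        # container user onto the lowest allocated range - confirm).
        baseuid=$(grep -E "^${ns_user}:" /etc/subuid | head -n1 | cut -f2 -d:)
        test -n "${baseuid}" || skip "no IDs allocated for user ${ns_user}"

        run_podman run -d --userns=nomap $IMAGE sleep 100
        cid=${output}
        # With nomap the caller's own UID must not be mapped; the container
        # process runs as the first subordinate UID on the host instead.
        run_podman top ${cid} huser
        is "${output}" "HUSER.*${baseuid}" "Container should start with baseuid from /etc/subuid not user UID"
        run_podman rm -t 0 --force ${cid}
    else
        run_podman 125 run -d --userns=nomap $IMAGE sleep 100
        is "${output}" "Error: nomap is only supported in rootless mode" "Container should fail to start since nomap is not supported in rootful mode"
    fi
}

@test "podman userns=keep-id" {
    user=$(id -u)
    run_podman run --rm --userns=keep-id $IMAGE id -u
    is "${output}" "$user" "Container should run as the current user"
}

@test "podman userns=keep-id in a pod" {
    user=$(id -u)
    run_podman pod create --userns keep-id
    pid=$output
    run_podman run --rm --pod $pid $IMAGE id -u
    is "${output}" "$user" "Container should run as the current user"
    # Remove the pod (and its infra container) before the pause image, as
    # the rootful pod test above does; otherwise the image removal has to
    # force-remove a container that is still using it.
    run_podman pod rm -t 0 -f $pid
    run_podman rmi -f $(pause_image)
}

@test "podman userns=auto with id mapping" {
    skip_if_not_rootless
    skip_if_remote
    # Host ID backing the second line of the rootless uid_map, i.e. the
    # start of the subordinate range.
    run_podman unshare awk '{if(NR == 2){print $2}}' /proc/self/uid_map
    first_id=$output
    # '@' marks an absolute host ID rather than an offset into the auto range.
    mapping=1:@$first_id:1
    run_podman run --rm --userns=auto:uidmapping=$mapping $IMAGE awk '{if($1 == 1){print $2}}' /proc/self/uid_map
    assert "$output" == 1
}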