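#!/usr/bin/env bash
# test_podman_baseline.sh
# A script to be run at the command line with Podman installed.
# This should be run against a new kit to provide base level testing
# on a freshly installed machine with no images or container in
# play.  This currently needs to be run as root.
#
# The script removes every Podman container and image on the host
# (podman rm --all / podman rmi --all) and works in /tmp as root, so it is
# meant for a disposable test machine only.
#
# Please leave the whale-says test as the last test in this script.
# It makes it easier to identify if the script has finished or not.
#
# To run this command:
#
# /bin/bash -v test_podman_baseline.sh -d # Install and then deinstall Docker
# /bin/bash -v test_podman_baseline.sh -n # Do not perform docker test
# /bin/bash -v test_podman_baseline.sh -e # Stop on error
# /bin/bash -v test_podman_baseline.sh    # Continue on error
#

#######
# See if we want to stop on errors and/or install and then remove Docker.
#######
# HOST_PORT may be preset in the environment; it is the host port published
# for the networking test below (default 8080).
HOST_PORT="${HOST_PORT:-8080}"
showerror=0
installdocker=0
usedocker=1
while getopts "den" opt; do
    case "$opt" in
    d) installdocker=1 ;;
    e) showerror=1 ;;
    n) usedocker=0 ;;
    *) ;; # getopts has already reported the unknown option; keep going
    esac
done

# "$usedocker" needs its "$": comparing the bare word "usedocker" with -ne is
# an integer-expression error, so this message could never be printed.
if [ "$installdocker" -eq 1 ] && [ "$usedocker" -ne 0 ]; then
    echo "Script will install and then deinstall Docker."
fi

if [ "$showerror" -eq 1 ]; then
    echo "Script will stop on unexpected errors."
    set -e
fi

# Prefer dnf and fall back to yum.  The lookup is one ||-list so that a
# missing dnf does not abort the script once "set -e" is active; the result
# is empty when neither tool is installed.
pkg_manager=$(command -v dnf || command -v yum || true)

echo "Package manager binary: $pkg_manager"

########
# Next two commands should return blanks
########
podman images
podman ps --all

########
# Run ls in redis container, this should work
########
ctrid=$(podman pull docker.io/library/redis:4-alpine3.8)
# Quoted so that an empty result (failed pull) cannot shift "ls" into the
# image position.
podman run "$ctrid" ls /

########
# Remove images and containers
########
podman rm --all
podman rmi --all

########
# Create Fedora based image
########
image=$(podman pull registry.fedoraproject.org/fedora:latest)
echo "$image"

########
# Run container and display contents in /etc
########
podman run --rm "$image" ls -alF /etc

########
# Test networking, bind mounting a file, stdin/stdout redirect
########
echo "Testing networking: ..."
port_test_failed=0
txt1="Hello, Podman"
# The script runs as root, so the bind-mount source must not be a fixed name
# in the world-writable /tmp.  mktemp creates the file under an unpredictable
# name; chmod gives it the 0644 mode a redirect produces under a 022 umask.
hello_file=$(mktemp /tmp/hello.XXXXXX)
chmod 0644 "$hello_file"
echo "$txt1" > "$hello_file"
podman run -d --name myweb -p "$HOST_PORT:80" -w /var/www -v "$hello_file:/var/www/index.txt" busybox httpd -f -p 80

# 1: stdin redirect into the container, read back through podman exec.
echo "$txt1" | podman exec -i myweb sh -c "cat > /var/www/index2.txt"
txt2=$(podman exec myweb cat /var/www/index2.txt)
if [[ "$txt1" == "$txt2" ]]; then
    echo "PASS1"
else
    echo "FAIL1"
    port_test_failed=1
fi

# 2: the bind-mounted file, fetched through the published host port.
txt2=$(podman run --rm --net host busybox wget -qO - "http://localhost:${HOST_PORT}/index.txt")
if [[ "$txt1" == "$txt2" ]]; then
    echo "PASS2"
else
    echo "FAIL2"
    port_test_failed=1
fi

# 3: the file written over stdin, fetched through the published host port.
txt2=$(podman run --rm --net host busybox wget -qO - "http://localhost:${HOST_PORT}/index2.txt")
if [[ "$txt1" == "$txt2" ]]; then
    echo "PASS3"
else
    echo "FAIL3"
    port_test_failed=1
fi
# podman run --rm --net container:myweb --add-host myweb:127.0.0.1 busybox wget -qO - http://myweb/index.txt
rm -- "$hello_file"
podman stop myweb
podman rm myweb
# A failed check only ends the script in stop-on-error (-e) mode.
if [[ "$port_test_failed" -eq 1 && "$showerror" -eq 1 ]]; then
    echo "networking test failed"
    exit -1
fi
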

########
# pull and run many containers in parallel, test locks ..etc.
########
prun_test_failed=0
# Remove any local busybox image first so the runs below have to pull it;
# "|| :" keeps a missing image from counting as an error.
podman rmi docker.io/library/busybox:latest > /dev/null || :
for i in {1..10}; do
    podman run -d --name "b$i" docker.io/library/busybox:latest busybox httpd -f -p 80 &
done
echo -e "\nwaiting for creation...\n"
wait
echo -e "\ndone\n"
# assert we have 10 running containers
count=$( podman ps -q | wc -l )
if [ "x$count" == "x10" ]; then
    echo "PASS"
else
    echo "FAIL, expecting 10 found $count"
    prun_test_failed=1
fi
# Only stop-on-error (-e) mode turns a failed count into an exit.
if [ "0$prun_test_failed" -eq 1 ] && [ "0$showerror" -eq 1 ]; then
    echo "was expecting 10 running containers"
    exit -1
fi

prun_test_failed=0
# Stop and remove each container in its own background job.
for i in {1..10}; do
    {
        podman stop -t=1 "b$i"
        podman rm "b$i"
    } &
done
echo -e "\nwaiting for deletion...\n"
wait
echo -e "\ndone\n"
# assert we have 0 running containers
count=$( podman ps -q | wc -l )
if [ "x$count" == "x0" ]; then
    echo "PASS"
else
    echo "FAIL, expecting 0 found $count"
    prun_test_failed=1
fi
if [ "0$prun_test_failed" -eq 1 ] && [ "0$showerror" -eq 1 ]; then
    echo "was expecting 0 running containers"
    exit -1
fi



########
# run many containers in parallel for an existing image, test locks ..etc.
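########
prun_test_failed=0
# Make sure the image is present so the runs below start from a local copy;
# "|| :" keeps a failed pull from stopping the script.
podman pull docker.io/library/busybox:latest > /dev/null || :
for i in {1..10}; do
    podman run -d --name "c$i" docker.io/library/busybox:latest busybox httpd -f -p 80 &
done
echo -e "\nwaiting for creation...\n"
wait
echo -e "\ndone\n"
# assert we have 10 running containers
count=$( podman ps -q | wc -l )
if [ "x$count" == "x10" ]; then
    echo "PASS"
else
    echo "FAIL, expecting 10 found $count"
    prun_test_failed=1
fi
# Only stop-on-error (-e) mode turns a failed count into an exit.
if [ "0$prun_test_failed" -eq 1 ] && [ "0$showerror" -eq 1 ]; then
    echo "was expecting 10 running containers"
    exit -1
fi


# Reset the flag before the deletion phase, as the pull-and-run section does,
# so a creation failure is not reported a second time as a deletion failure.
prun_test_failed=0
for i in {1..10}; do
    {
        podman stop -t=1 "c$i"
        podman rm "c$i"
    } &
done
echo -e "\nwaiting for deletion...\n"
wait
echo -e "\ndone\n"
# assert we have 0 running containers
count=$( podman ps -q | wc -l )
if [ "x$count" == "x0" ]; then
    echo "PASS"
else
    echo "FAIL, expecting 0 found $count"
    prun_test_failed=1
fi
if [ "0$prun_test_failed" -eq 1 ] && [ "0$showerror" -eq 1 ]; then
    echo "was expecting 0 running containers"
    exit -1
fi


########
# Run Java in the container - should ERROR but never stop
########
# "$image" is quoted: if the earlier pull failed and left it empty, an
# unquoted expansion would make "java" the image name and run something else.
# The "|| echo $?" prints the status and keeps -e mode from stopping here.
podman run "$image" java 2>&1 || echo $?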
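
########
# Clean out containers
########
podman rm --all

########
# Install java onto the container, commit it, then run it showing java usage
########
podman run --net=host "$image" dnf -y install java
# After the "podman rm --all" above, the container just run is expected to be
# the only one listed, so its ID is what gets committed.
javaimage=$(podman ps --all -q)
podman commit "$javaimage" javaimage
podman run javaimage java -version

########
# Cleanup containers and images
########
podman rm --all
podman rmi --all

########
# Check images and containers, should be blanks
########
podman ps --all
podman images

########
# Create Fedora based container
########
image=$(podman pull registry.fedoraproject.org/fedora:latest)
echo "$image"
podman run "$image" ls /

########
# Create shell script to test on
########
FILE=./runecho.sh
# The heredoc delimiter is unquoted, so "\$i" is escaped to reach the
# generated script as a literal $i.
/bin/cat <<EOM >"$FILE"
#!/usr/bin/env bash
for i in {1..9};
do
    echo "This is a new container pull ipbabble [" \$i "]"
done
EOM
chmod +x "$FILE"

########
# Copy and run file on container
########
ctrid=$(podman ps --all -q)
mnt=$(podman mount "$ctrid")
# Guard the copy: with an empty mount path the destination would be the
# host's own /tmp/runecho.sh, written as root.
if [ -n "$mnt" ]; then
    cp ./runecho.sh "${mnt}/tmp/runecho.sh"
else
    echo "podman mount returned no path; not copying runecho.sh" >&2
fi
podman umount "$ctrid"
podman commit "$ctrid" runecho
podman run runecho ./tmp/runecho.sh

########
# Inspect the container, verifying above was put into it
########
podman inspect "$ctrid"

########
# Check the images there should be a runecho image
########
podman images

########
# Remove the containers
########
podman rm -a

if [ "$usedocker" -ne 0 ]; then
    if [ "$installdocker" -eq 1 ]; then
        ########
        # Install Docker, but not for long!
        ########
        # The package manager path is stored in pkg_manager (set near the top
        # of the script); the previously used name was never assigned, which
        # left "-y" to be run as the command.
        "$pkg_manager" -y install docker
    fi
    systemctl restart docker

    ########
    # Push fedora-bashecho to the Docker daemon
    ########
    podman push runecho docker-daemon:fedora-bashecho:latest

    ########
    # Run fedora-bashecho pull Docker
    ########
    docker run fedora-bashecho ./tmp/runecho.sh

    if [ "$installdocker" -eq 1 ]; then
        ########
        # Time to remove Docker
        ########
        "$pkg_manager" -y remove docker
    fi
fi

########
# Clean up Podman
########
podman rm --all
podman rmi --all

########
# Set up xfs mount for overlay quota
########

# 1.004608 MB is 1,004,608 bytes. The container overhead is 4608 bytes (or 9 512 byte pages), so this allocates 1 MB of usable storage
PODMANBASE="--storage-driver overlay --storage-opt overlay.size=1.004608M --root /tmp/podman_test/crio"
# NOTE(review): /tmp/podman_test is a fixed name in a world-writable
# directory and everything below runs as root.  mkdir (without -p) fails if
# the path already exists, but in continue-on-error mode the script carries
# on and uses whatever is there.  The path is also hard-coded in PODMANBASE
# and in the later cleanup, so all three must change together.
# NOTE(review): TMPDIR is also the conventional temp-directory variable; if
# it is exported in the caller's environment this assignment changes it for
# every child process from here on.
TMPDIR=/tmp/podman_test
mkdir "$TMPDIR"
dd if=/dev/zero of="$TMPDIR/virtfs" bs=1024 count=30720
# Attach and report the loop device in one step.  Looking up a free device
# first and attaching afterwards leaves a window in which another process can
# take it, after which mkfs.xfs would run on a device this script does not own.
device=$(losetup -f --show "$TMPDIR/virtfs")
mkfs.xfs "$device"
mount -t xfs -o prjquota "$device" "$TMPDIR"

########
# Expected to succeed
########
# PODMANBASE is a list of options and is left unquoted on purpose so that it
# splits into separate arguments.
# shellcheck disable=SC2086
podman $PODMANBASE run --security-opt label=disable docker.io/library/alpine:latest sh -c 'touch file.txt && dd if=/dev/zero of=file.txt count=1048576 bs=1'
rc=$?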
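if [[ "$rc" == 0 ]]; then
    echo "Overlay test within limits passed"
else
    echo "Overlay test within limits failed"
fi

# Print the number of lines starting with "#" in the xfs_quota project report
# for $TMPDIR (the messages below treat each such line as a projid).
# grep -c exits non-zero when the count is 0; "|| true" keeps that from
# aborting the script in stop-on-error (-e) mode, the "0" is still printed.
count_projids() {
    xfs_quota -x -c 'report -N -p' "$TMPDIR" | grep -c '^#' || true
}

# PODMANBASE is a list of options and is left unquoted on purpose so that it
# splits into separate arguments.
before=$(count_projids)
# shellcheck disable=SC2086
podman $PODMANBASE volume create -o o=noquota test-no-quota
after=$(count_projids)

if [[ "$before" != "$after" ]]; then
    echo "Test -o=noquota doesn't create a projid failed"
else
    echo "Test -o=noquota doesn't create a projid passed"
fi

before=$(count_projids)
# NOTE(review): -o takes an argument, so "test-no-quota" is read here as the
# option value rather than as the volume name - confirm this is intended.
# shellcheck disable=SC2086
podman $PODMANBASE volume create -o test-no-quota
after=$(count_projids)

if [[ "$before" == "$after" ]]; then
    echo "Test without -o=noquota creates a projid failed"
else
    echo "Test without -o=noquota creates a projid passed"
fi

########
# Expected to fail
########

# Skipped in stop-on-error (-e) mode, where the expected failure would end
# the script.
if [ "$showerror" -ne 1 ]; then
    # shellcheck disable=SC2086
    podman $PODMANBASE run --security-opt label=disable docker.io/library/alpine:latest sh -c 'touch file.txt && dd if=/dev/zero of=file.txt count=1048577 bs=1'
    rc=$?
    if [[ "$rc" != 0 ]]; then
        echo "Overlay test outside limits passed"
    else
        echo "Overlay test outside limits failed"
    fi
fi

########
# Clean up Podman
########
podman rm --all
podman rmi --all
# Lazy unmount, then release the loop device and remove the backing directory.
umount -l "$TMPDIR"
losetup -d "$device"
rm -rf /tmp/podman_test

########
# Prep for UserNamespace testing
# Thanks @marcov!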
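########
# Option strings for the user-namespace runs; they are expanded unquoted at
# the call sites so that each option becomes its own argument.
PODMAN_OPTS_VOLUMES="-v /tmp/voltest/vol-0:/mnt/vol-0 -v /tmp/voltest/vol-1000:/mnt/vol-1000 -v /tmp/voltest/vol-100000:/mnt/vol-100000 -v /tmp/voltest/vol-101000:/mnt/vol-101000"
PODMAN_OPTS="$PODMAN_OPTS_VOLUMES --rm"
PODMAN_ID_MAPS="--uidmap=0:100000:1000000 --gidmap=0:100000:1000000"

########
# Make directories for UserNamespace testing
########
# NOTE(review): /tmp/voltest is a fixed name in a world-writable directory
# and is created and chowned as root; "mkdir -p" accepts a path that already
# exists.  The same path is hard-coded in PODMAN_OPTS_VOLUMES and in the
# later cleanup, so all of them must change together.
mkdir -p /tmp/voltest/vol-0
mkdir -p /tmp/voltest/vol-1000
mkdir -p /tmp/voltest/vol-100000
mkdir -p /tmp/voltest/vol-101000
# Keep only the digits of the path, which yields "0" for vol-0.
# NOTE(review): the value comes from vol-0 alone, so all four directories end
# up owned by 0:0; the directory names suggest a per-directory owner may have
# been intended - confirm before relying on the results.
UIDGID=$(/usr/bin/tr -cd "[:digit:]" <<< /tmp/voltest/vol-0)

chown "$UIDGID:$UIDGID" /tmp/voltest/vol-0
chown "$UIDGID:$UIDGID" /tmp/voltest/vol-1000
chown "$UIDGID:$UIDGID" /tmp/voltest/vol-100000
chown "$UIDGID:$UIDGID" /tmp/voltest/vol-101000

########
# Make run test script
########
FILE=./runtest.sh
# The delimiter is quoted so the body is written out literally.  With an
# unquoted delimiter, $(find ...), $i and $? were expanded on the host while
# the file was being generated, so the script inside the container never
# walked /mnt itself.
/bin/cat <<'EOM' >"$FILE"
#!/usr/bin/env bash
ls -n /mnt
for i in $(find /mnt -mindepth 1 -type d); do
    touch "$i/foobar" 2>/dev/null;
    echo "create $i/foobar: $?";
    /bin/rm "$i/foobar" 2>/dev/null;
done;
exit 0
EOM
chmod +x "$FILE"

########
# Make Dockerfile
########
FILE=./Dockerfile
/bin/cat <<EOM >"$FILE"
FROM docker.io/library/debian:latest
ADD ./runtest.sh /runtest.sh
EOM
chmod +x "$FILE"

########
# Build container
########
podman build -t usernamespace -f ./Dockerfile .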
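
########
# Run the tests for UserNamespaces
########
# PODMAN_OPTS and PODMAN_ID_MAPS are lists of options and are left unquoted
# on purpose so that they split into separate arguments.
echo "Run as root with no user NS"
# shellcheck disable=SC2086
podman run $PODMAN_OPTS usernamespace /bin/bash runtest.sh
echo ""

echo "Run as user 1000 with no user NS"
# shellcheck disable=SC2086
podman run --user=1000 $PODMAN_OPTS usernamespace /bin/bash /runtest.sh
echo ""

echo "Run as root with user NS "
# shellcheck disable=SC2086
podman run $PODMAN_ID_MAPS $PODMAN_OPTS usernamespace /bin/bash /runtest.sh
echo ""

echo "Run as user 1000 with user NS "
# shellcheck disable=SC2086
podman run --user=1000 $PODMAN_ID_MAPS $PODMAN_OPTS usernamespace /bin/bash /runtest.sh
echo ""

########
# Clean up Podman
########
podman rm --all
podman rmi --all
rm -f ./runtest.sh
rm -rf /tmp/voltest
rm -f ./Dockerfile

########
# Build Dockerfiles for OnBuild Test
# (Thanks @clcollins!)
########
FILE=./Dockerfile
/bin/cat <<EOM >"$FILE"
FROM docker.io/library/alpine:latest
RUN touch /foo
ONBUILD RUN touch /bar
EOM
chmod +x "$FILE"

FILE=./Dockerfile-2
/bin/cat <<EOM >"$FILE"
FROM onbuild-image
RUN touch /baz
EOM
chmod +x "$FILE"

########
# Build with Dockerfiles
########
podman build -f ./Dockerfile --format=docker -t onbuild-image .
podman build -f ./Dockerfile-2 --format=docker -t result-image .

########
# Check for /bar /baz and /foo files
########
podman run --network=host result-image ls -alF /bar /baz /foo

########
# Clean up Podman
########
podman rm --all
podman rmi --all
rm ./Dockerfile*

########
# Run AppArmor rootless tests
########
# Runs only where AppArmor is enabled and a user with UID 1000 exists.
if aa-enabled >/dev/null && getent passwd 1000 >/dev/null; then
    # Expected to succeed
    sudo -u "#1000" podman run docker.io/library/alpine:latest echo hello
    rc=$?
    echo -n "rootless with no AppArmor profile "
    if [[ "$rc" == 0 ]]; then
        echo "passed"
    else
        echo "failed"
    fi

    # Expected to succeed
    sudo -u "#1000" podman run --security-opt apparmor=unconfined docker.io/library/alpine:latest echo hello
    rc=$?
    echo -n "rootless with unconfined AppArmor profile "
    if [[ "$rc" == 0 ]]; then
        echo "passed"
    else
        echo "failed"
    fi

    # The profile is written as root and then loaded into the kernel, so it
    # must not live under a fixed name in the world-writable /tmp: mktemp
    # creates it under an unpredictable name, readable by root only.
    aaFile=$(mktemp /tmp/aaProfile.XXXXXX)
    aaProfile="aa-demo-profile"
    # Quoted delimiter: the profile text is written out literally.
    cat > "$aaFile" <<'EOF'
#include <tunables/global>
profile aa-demo-profile flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  deny mount,
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/efi/efivars/** rwklx,
  deny /sys/kernel/security/** rwklx,
}
EOF

    apparmor_parser -Kr "$aaFile"

    #Expected to pass (as root)
    podman run --security-opt apparmor="$aaProfile" docker.io/library/alpine:latest echo hello
    rc=$?
    echo -n "root with specified AppArmor profile: "
    if [[ "$rc" == 0 ]]; then
        echo "passed"
    else
        echo "failed"
    fi

    #Expected to pass (as root with --privileged).
    #Note that the profile should not be loaded letting the mount succeed.
    # NOTE(review): no --security-opt apparmor= is passed on this run although
    # the label printed below says "specified" - confirm which was intended.
    podman run --privileged docker.io/library/alpine:latest sh -c "mkdir tmp2; mount --bind tmp tmp2"
    rc=$?
    echo -n "root with specified AppArmor profile but --privileged: "
    if [[ "$rc" == 0 ]]; then
        echo "passed"
    else
        echo "failed"
    fi
    #Expected to fail (as rootless)
    sudo -u "#1000" podman run --security-opt apparmor="$aaProfile" docker.io/library/alpine:latest echo hello
    rc=$?
    echo -n "rootless with specified AppArmor profile: "
    if [[ "$rc" != 0 ]]; then
        echo "passed"
    else
        echo "failed"
    fi

    ########
    # Clean up Podman and $aaFile
    ########
    # Unload the test profile from the kernel before deleting its source file.
    apparmor_parser -R "$aaFile"
    podman rm --all
    podman rmi --all
    sudo -u "#1000" podman rm --all
    sudo -u "#1000" podman rmi --all
    rm -f -- "$aaFile"
fi

########
# Build Dockerfile for RUN with priv'd command test
########
FILE=./Dockerfile
/bin/cat <<EOM >"$FILE"
FROM alpine
RUN apk add nginx
EOM
chmod +x "$FILE"

########
# Build with the Dockerfile
########
podman build -f Dockerfile -t build-priv

########
# Cleanup
########
podman rm -a -f -t 0
podman rmi -a -f
rm ./Dockerfile

########
# Build Dockerfile for WhaleSays test
########
# NOTE(review): this base image is referenced by an unqualified short name
# and a mutable tag, and packages are installed at build time, all as root on
# the test host.  The earlier tests use fully qualified image names.
FILE=./Dockerfile
/bin/cat <<EOM >"$FILE"
FROM pharshal/whalesay:latest
RUN apt-get -y update && apt-get install -y fortunes
CMD /usr/games/fortune -a | cowsay
EOM
chmod +x "$FILE"

########
# Build with the Dockerfile
########
podman build -f Dockerfile -t whale-says

########
# Run the container to see what the whale says
########
podman run whale-says

########
# NOTE: Please leave the whale-says as the last test
# in this script.
########

########
# Clean up Podman and /tmp
########
podman rm --all
podman rmi --all
rm ./Dockerfile*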