CI: enable root user namespaces
Signed-off-by: Ed Santiago <[email protected]>
(cherry picked from commit 7bb3b83)
edsantiago authored and giuseppe committed Jan 10, 2025
1 parent 941c489 commit 5cf92f9
Showing 4 changed files with 29 additions and 16 deletions.
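--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@@ -285,6 +285,13 @@ case "$PRIV_NAME" in
 *) die_unknown PRIV_NAME
 esac
 
+# Root user namespace
+for which in uid gid;do
+if ! grep -qE '^containers:' /etc/sub$which; then
+echo 'containers:10000000:1048576' >>/etc/sub$which
+fi
+done
+
 # FIXME! experimental workaround for #16973, the "lookup cdn03.quay.io" flake.
 #
 # If you are reading this on or after April 2023: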
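Review bot: The guard `if ! grep -qE '^containers:' /etc/sub$which` only checks that some `containers:` line exists; it never checks that 10000000..11048575 is actually free, so on an image where another user's subordinate range (or a pre-existing `containers` entry with a different span) already covers part of it, two users end up owning the same host UIDs/GIDs and the user-namespace isolation the new tests rely on is silently lost. Failing loudly on overlap before appending costs a few lines and turns that into a CI error instead of a mystery. The one-line `# Root user namespace` comment should also say why the range is there, e.g. `# Root user namespace: give 'containers' a subordinate range so root can use --userns=auto (test/system/030-run.bats skips without it)`. Minor style: `which` as the loop variable shadows the which(1) command name; `idtype` reads better.
```shell
# Root user namespace: give 'containers' a subordinate ID range so root can
# run with --userns=auto. The range must not overlap any other user's
# allocation, otherwise two users share host IDs and userns isolation is lost.
start=10000000
count=1048576
for idtype in uid gid; do
    if ! grep -qE '^containers:' /etc/sub$idtype; then
        while IFS=: read -r owner ostart ocount; do
            if (( ostart < start + count && ostart + ocount > start )); then
                echo "FATAL: /etc/sub$idtype: $owner:$ostart:$ocount overlaps containers:$start:$count" >&2
                exit 1
            fi
        done < <(grep -hE '^[^#:]+:[0-9]+:[0-9]+$' /etc/sub$idtype 2>/dev/null)
        echo "containers:$start:$count" >>/etc/sub$idtype
    fi
done
```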
4 changes: 2 additions & 2 deletions test/e2e/pod_create_test.go
Expand Up @@ -799,7 +799,7 @@ ENTRYPOINT ["sleep","99999"]
session.WaitWithDefaultTimeout()
Expect(session).Should(ExitCleanly())
output := session.OutputToString()
Expect(output).To(MatchRegexp("\\s0\\s0\\s1"))
Expect(output).To(MatchRegexp(`(^|\s)0\s+0\s+1(\s|$)`))

podName = "testPod-1"
podCreate = podmanTest.Podman([]string{"pod", "create", "--userns=auto:size=8192,uidmapping=0:0:1", "--name", podName})
Expand Down Expand Up @@ -836,7 +836,7 @@ ENTRYPOINT ["sleep","99999"]
session.WaitWithDefaultTimeout()
Expect(session).Should(ExitCleanly())
output := session.OutputToString()
Expect(output).To(MatchRegexp("\\s0\\s0\\s1"))
Expect(output).To(MatchRegexp(`(^|\s)0\s+0\s+1(\s|$)`))

podName = "testPod-1"
podCreate = podmanTest.Podman([]string{"pod", "create", "--userns=auto:size=8192,gidmapping=0:0:1", "--name", podName})
4 changes: 2 additions & 2 deletions test/e2e/run_userns_test.go
Expand Up @@ -284,7 +284,7 @@ var _ = Describe("Podman UserNS support", func() {
session.WaitWithDefaultTimeout()
Expect(session).Should(ExitCleanly())
output := session.OutputToString()
Expect(output).To(MatchRegexp("\\s0\\s0\\s1"))
Expect(output).To(MatchRegexp(`(^|\s)0\s+0\s+1(\s|$)`))

session = podmanTest.Podman([]string{"run", "--userns=auto:size=8192,uidmapping=0:0:1", "alpine", "cat", "/proc/self/uid_map"})
session.WaitWithDefaultTimeout()
Expand Down Expand Up @@ -313,7 +313,7 @@ var _ = Describe("Podman UserNS support", func() {
session.WaitWithDefaultTimeout()
Expect(session).Should(ExitCleanly())
output := session.OutputToString()
Expect(output).To(MatchRegexp("\\s0\\s0\\s1"))
Expect(output).To(MatchRegexp(`(^|\s)0\s+0\s+1(\s|$)`))

session = podmanTest.Podman([]string{"run", "--userns=auto:size=8192,gidmapping=0:0:1", "alpine", "cat", "/proc/self/gid_map"})
session.WaitWithDefaultTimeout()
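Review bot: The pattern `(^|\s)0\s+0\s+1(\s|$)` is now spelled out verbatim in four places (twice here, twice in test/e2e/pod_create_test.go); a shared package-level constant such as `const mapZeroZeroOne = `(^|\s)0\s+0\s+1(\s|$)`` would keep the four assertions from drifting and give the intent a name. A short comment on why the anchors matter would also help the next reader, since the old `\s0\s0\s1` silently accepted any count starting with 1: `// whole-token match for "0 0 1" only; the old pattern also matched "0 0 10000"`. The assertion appears to rely on OutputToString() joining uid_map/gid_map lines with whitespace, but that is inferred, not visible in this hunk. The enclosing Describe/It body begins before and ends after this hunk.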
30 changes: 18 additions & 12 deletions test/system/030-run.bats
Expand Up @@ -1260,38 +1260,44 @@ EOF

grep -E -q "^containers:" /etc/subuid || skip "no IDs allocated for user 'containers'"

# check if the underlying file system supports idmapped mounts
check_dir=$PODMAN_TMPDIR/idmap-check
mkdir $check_dir
run_podman '?' run --rm --uidmap=0:1000:10000 --rootfs $check_dir:idmap true
if [[ "$output" == *"failed to create idmapped mount: invalid argument"* ]]; then
skip "idmapped mounts not supported"
fi
# the TMPDIR must be accessible by different users as the following tests use different mappings
chmod 755 $PODMAN_TMPDIR

run_podman image mount $IMAGE
src="$output"

# we cannot use idmap on top of overlay, so we need a copy
romount=$PODMAN_TMPDIR/rootfs
cp -ar "$src" "$romount"
cp -a "$src" "$romount"

run_podman image unmount $IMAGE

run_podman run --rm --uidmap=0:1000:10000 --rootfs $romount:idmap stat -c %u:%g /bin
# check if the underlying file system supports idmapped mounts
run_podman '?' run --security-opt label=disable --rm --uidmap=0:1000:10000 --rootfs $romount:idmap true
if [[ $status -ne 0 ]]; then
if [[ "$output" =~ "failed to create idmapped mount: invalid argument" ]]; then
skip "idmapped mounts not supported"
fi
# Any other error is fatal
die "Cannot create idmap mount: $output"
fi

run_podman run --security-opt label=disable --rm --uidmap=0:1000:10000 --rootfs $romount:idmap stat -c %u:%g /bin
is "$output" "0:0"

run_podman run --uidmap=0:1000:10000 --rm --rootfs "$romount:idmap=uids=0-1001-10000;gids=0-1002-10000" stat -c %u:%g /bin
run_podman run --security-opt label=disable --uidmap=0:1000:10000 --rm --rootfs "$romount:idmap=uids=0-1001-10000;gids=0-1002-10000" stat -c %u:%g /bin
is "$output" "1:2"

touch $romount/testfile
chown 2000:2000 $romount/testfile
run_podman run --uidmap=0:1000:200 --rm --rootfs "$romount:idmap=uids=@2000-1-1;gids=@2000-1-1" stat -c %u:%g /testfile
run_podman run --security-opt label=disable --uidmap=0:1000:200 --rm --rootfs "$romount:idmap=uids=@2000-1-1;gids=@2000-1-1" stat -c %u:%g /testfile
is "$output" "1:1"

myvolume=my-volume-$(safename)
run_podman volume create $myvolume
mkdir $romount/volume
run_podman run --rm --uidmap=0:1000:10000 -v volume:/volume:idmap --rootfs $romount stat -c %u:%g /volume
chown 1000:1000 $romount/volume
run_podman run --security-opt label=disable --rm --uidmap=0:1000:10000 -v $myvolume:/volume:idmap --rootfs $romount stat -c %u:%g /volume
is "$output" "0:0"
run_podman volume rm $myvolume

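Review bot: Every `run_podman run` in this hunk now passes `--security-opt label=disable` without a comment saying why, so a future reader cannot tell whether it is a workaround or a requirement; on an SELinux host it turns off container confinement for these runs, which also means the idmap path is no longer exercised with labeling on. One comment above the first such run (the `'?' run ... true` probe) would carry the reason — presumably the copied rootfs or the idmapped mount cannot be relabeled per container, but that is inferred, not visible here: `# label=disable: the idmapped rootfs copy cannot be relabeled for the container -- TODO confirm the exact reason`. Related, `chmod 755 $PODMAN_TMPDIR` makes the test tmpdir, and the full image rootfs copied into it by `cp -a`, traversable by every local user for the test's lifetime; acceptable on a throwaway CI VM, but the comment should say so rather than only "accessible by different users". The @test body begins before this hunk.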
