From 5cf92f98270fed005e15decb5bbaf016747d9df2 Mon Sep 17 00:00:00 2001
From: Ed Santiago
Date: Wed, 24 Jul 2024 05:51:29 -0600
Subject: [PATCH] CI: enable root user namespaces

Signed-off-by: Ed Santiago
(cherry picked from commit 7bb3b83c17fb9412ad33ad3be3810bebed8c3f03)
---
contrib/cirrus/setup_environment.sh | 7 +++++++
test/e2e/pod_create_test.go | 4 ++--
test/e2e/run_userns_test.go | 4 ++--
test/system/030-run.bats | 30 +++++++++++++++++------------
4 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
index 04442cc2a7..f3d9f8940b 100755
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@@ -285,6 +285,13 @@ case "$PRIV_NAME" in
 *) die_unknown PRIV_NAME
 esac
+# Root user namespace
+for which in uid gid;do
+ if ! grep -qE '^containers:' /etc/sub$which; then
+ echo 'containers:10000000:1048576' >>/etc/sub$which
+ fi
+done
+
 # FIXME! experimental workaround for #16973, the "lookup cdn03.quay.io" flake.
 #
 # If you are reading this on or after April 2023:
diff --git a/test/e2e/pod_create_test.go b/test/e2e/pod_create_test.go
index a84f640b8f..12fc929310 100644
--- a/test/e2e/pod_create_test.go
+++ b/test/e2e/pod_create_test.go
@@ -799,7 +799,7 @@ ENTRYPOINT ["sleep","99999"]
 session.WaitWithDefaultTimeout()
 Expect(session).Should(ExitCleanly())
 output := session.OutputToString()
- Expect(output).To(MatchRegexp("\\s0\\s0\\s1"))
+ Expect(output).To(MatchRegexp(`(^|\s)0\s+0\s+1(\s|$)`))
 podName = "testPod-1"
 podCreate = podmanTest.Podman([]string{"pod", "create", "--userns=auto:size=8192,uidmapping=0:0:1", "--name", podName})
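Review bot: In the setup_environment.sh hunk the guard only checks for an existing `containers:` line, not whether the hard-coded range 10000000..11048575 overlaps a subordinate range already allocated to another user in /etc/subuid or /etc/subgid; two users whose containers map onto the same host IDs lose the isolation the user namespace is supposed to give them. A comment on the `for` line stating why this range is known to be free on the CI images, e.g. `# range chosen above anything the CI images pre-allocate; an overlap with another user's range would alias host IDs`, would make that assumption reviewable, and an overlap check before the `echo` would enforce it. The loop variable `which` shadows the `which` command inside the loop body; `for kind in uid gid; do` reads cleaner. Appending to /etc/sub* with a bare `>>` assumes the script already runs as root, which this hunk does not show.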
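Review bot: The regexp literal `(^|\s)0\s+0\s+1(\s|$)` is now copied four times (this hunk, the @@ -836 hunk of pod_create_test.go, and both hunks of run_userns_test.go); one shared constant, e.g. `const rootMappedOneID = `(^|\s)0\s+0\s+1(\s|$)`` with the comment `// one uid_map/gid_map row: container ID 0 -> host ID 0, length 1`, would stop the copies drifting the next time the pattern is tightened. The tightening itself is an improvement: the old `\\s0\\s0\\s1` also accepted a row such as ` 0 0 10`, and the trailing `(\s|$)` now rejects it. Whether `OutputToString` joins lines with spaces or keeps newlines is not visible here; `\s` matches both, so the anchoring holds either way. The enclosing `It` closure starts and ends outside the hunk.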
@@ -836,7 +836,7 @@ ENTRYPOINT ["sleep","99999"]
 session.WaitWithDefaultTimeout()
 Expect(session).Should(ExitCleanly())
 output := session.OutputToString()
- Expect(output).To(MatchRegexp("\\s0\\s0\\s1"))
+ Expect(output).To(MatchRegexp(`(^|\s)0\s+0\s+1(\s|$)`))
 podName = "testPod-1"
 podCreate = podmanTest.Podman([]string{"pod", "create", "--userns=auto:size=8192,gidmapping=0:0:1", "--name", podName})
diff --git a/test/e2e/run_userns_test.go b/test/e2e/run_userns_test.go
index 2d09ae2aef..29e5323498 100644
--- a/test/e2e/run_userns_test.go
+++ b/test/e2e/run_userns_test.go
@@ -284,7 +284,7 @@ var _ = Describe("Podman UserNS support", func() {
 session.WaitWithDefaultTimeout()
 Expect(session).Should(ExitCleanly())
 output := session.OutputToString()
- Expect(output).To(MatchRegexp("\\s0\\s0\\s1"))
+ Expect(output).To(MatchRegexp(`(^|\s)0\s+0\s+1(\s|$)`))
 session = podmanTest.Podman([]string{"run", "--userns=auto:size=8192,uidmapping=0:0:1", "alpine", "cat", "/proc/self/uid_map"})
 session.WaitWithDefaultTimeout()
@@ -313,7 +313,7 @@ var _ = Describe("Podman UserNS support", func() {
 session.WaitWithDefaultTimeout()
 Expect(session).Should(ExitCleanly())
 output := session.OutputToString()
- Expect(output).To(MatchRegexp("\\s0\\s0\\s1"))
+ Expect(output).To(MatchRegexp(`(^|\s)0\s+0\s+1(\s|$)`))
 session = podmanTest.Podman([]string{"run", "--userns=auto:size=8192,gidmapping=0:0:1", "alpine", "cat", "/proc/self/gid_map"})
 session.WaitWithDefaultTimeout()
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index c48fed05d5..70731b4829 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -1260,38 +1260,44 @@ EOF
 grep -E -q "^containers:" /etc/subuid || skip "no IDs allocated for user 'containers'"
- # check if the underlying file system supports idmapped mounts
- check_dir=$PODMAN_TMPDIR/idmap-check
- mkdir $check_dir
- run_podman '?' run --rm --uidmap=0:1000:10000 --rootfs $check_dir:idmap true
- if [[ "$output" == *"failed to create idmapped mount: invalid argument"* ]]; then
- skip "idmapped mounts not supported"
- fi
+ # the TMPDIR must be accessible by different users as the following tests use different mappings
+ chmod 755 $PODMAN_TMPDIR
 run_podman image mount $IMAGE
 src="$output"
 # we cannot use idmap on top of overlay, so we need a copy
 romount=$PODMAN_TMPDIR/rootfs
- cp -ar "$src" "$romount"
+ cp -a "$src" "$romount"
 run_podman image unmount $IMAGE
- run_podman run --rm --uidmap=0:1000:10000 --rootfs $romount:idmap stat -c %u:%g /bin
+ # check if the underlying file system supports idmapped mounts
+ run_podman '?' run --security-opt label=disable --rm --uidmap=0:1000:10000 --rootfs $romount:idmap true
+ if [[ $status -ne 0 ]]; then
+ if [[ "$output" =~ "failed to create idmapped mount: invalid argument" ]]; then
+ skip "idmapped mounts not supported"
+ fi
+ # Any other error is fatal
+ die "Cannot create idmap mount: $output"
+ fi
+
+ run_podman run --security-opt label=disable --rm --uidmap=0:1000:10000 --rootfs $romount:idmap stat -c %u:%g /bin
 is "$output" "0:0"
- run_podman run --uidmap=0:1000:10000 --rm --rootfs "$romount:idmap=uids=0-1001-10000;gids=0-1002-10000" stat -c %u:%g /bin
+ run_podman run --security-opt label=disable --uidmap=0:1000:10000 --rm --rootfs "$romount:idmap=uids=0-1001-10000;gids=0-1002-10000" stat -c %u:%g /bin
 is "$output" "1:2"
 touch $romount/testfile
 chown 2000:2000 $romount/testfile
- run_podman run --uidmap=0:1000:200 --rm --rootfs "$romount:idmap=uids=@2000-1-1;gids=@2000-1-1" stat -c %u:%g /testfile
+ run_podman run --security-opt label=disable --uidmap=0:1000:200 --rm --rootfs "$romount:idmap=uids=@2000-1-1;gids=@2000-1-1" stat -c %u:%g /testfile
 is "$output" "1:1"
 myvolume=my-volume-$(safename)
 run_podman volume create $myvolume
 mkdir $romount/volume
- run_podman run --rm --uidmap=0:1000:10000 -v volume:/volume:idmap --rootfs $romount stat -c %u:%g /volume
+ chown 1000:1000 $romount/volume
+ run_podman run --security-opt label=disable --rm --uidmap=0:1000:10000 -v $myvolume:/volume:idmap --rootfs $romount stat -c %u:%g /volume
 is "$output" "0:0"
 run_podman volume rm $myvolume