"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "tests/namespaces.bats" between
buildah-1.10.1.tar.gz and buildah-1.11.0.tar.gz

About: Buildah is a tool that facilitates building Open Container Initiative (OCI) container images.

namespaces.bats  (buildah-1.10.1):namespaces.bats  (buildah-1.11.0)
#!/usr/bin/env bats #!/usr/bin/env bats
load helpers load helpers
@test "already-in-userns" {
if test "$BUILDAH_ISOLATION" != "rootless" -o $UID == 0 ; then
skip "BUILDAH_ISOLATION = $BUILDAH_ISOLATION"
fi
run_buildah --log-level=error from --signature-policy ${TESTSDIR}/policy.json
--quiet alpine
[ "$output" != "" ]
ctr="$output"
run_buildah unshare buildah run --isolation=oci "$ctr" echo hello
[ $status -eq 0 ]
[ "$output" == "hello" ]
}
@test "user-and-network-namespace" { @test "user-and-network-namespace" {
if test "$BUILDAH_ISOLATION" = "chroot" -o "$BUILDAH_ISOLATION" = "rootless" ; then if test "$BUILDAH_ISOLATION" = "chroot" -o "$BUILDAH_ISOLATION" = "rootless" ; then
skip "BUILDAH_ISOLATION = $BUILDAH_ISOLATION" skip "BUILDAH_ISOLATION = $BUILDAH_ISOLATION"
fi fi
mkdir -p $TESTDIR/no-cni-configs mkdir -p $TESTDIR/no-cni-configs
RUNOPTS="--cni-config-dir=${TESTDIR}/no-cni-configs ${RUNC_BINARY:+--runtime $ RUNC_BINARY}" RUNOPTS="--cni-config-dir=${TESTDIR}/no-cni-configs ${RUNC_BINARY:+--runtime $ RUNC_BINARY}"
# Check if we're running in an environment that can even test this. # Check if we're running in an environment that can even test this.
run readlink /proc/self/ns/user run readlink /proc/self/ns/user
echo "$output" echo "$output"
[ $status -eq 0 ] || skip "user namespaces not supported" [ $status -eq 0 ] || skip "user namespaces not supported"
skipping to change at line 27 skipping to change at line 41
[ $status -eq 0 ] || skip "network namespaces not supported" [ $status -eq 0 ] || skip "network namespaces not supported"
mynetns="$output" mynetns="$output"
# Generate the mappings to use for using-a-user-namespace cases. # Generate the mappings to use for using-a-user-namespace cases.
uidbase=$((${RANDOM}+1024)) uidbase=$((${RANDOM}+1024))
gidbase=$((${RANDOM}+1024)) gidbase=$((${RANDOM}+1024))
uidsize=$((${RANDOM}+1024)) uidsize=$((${RANDOM}+1024))
gidsize=$((${RANDOM}+1024)) gidsize=$((${RANDOM}+1024))
# Create a container that uses that mapping. # Create a container that uses that mapping.
run_buildah --debug=false from --signature-policy ${TESTSDIR}/policy.json --qu iet --userns-uid-map 0:$uidbase:$uidsize --userns-gid-map 0:$gidbase:$gidsize al pine run_buildah --log-level=error from --signature-policy ${TESTSDIR}/policy.json --quiet --userns-uid-map 0:$uidbase:$uidsize --userns-gid-map 0:$gidbase:$gidsiz e alpine
[ "$output" != "" ] [ "$output" != "" ]
ctr="$output" ctr="$output"
# Check that with settings that require a user namespace, we also get a new ne twork namespace by default. # Check that with settings that require a user namespace, we also get a new ne twork namespace by default.
buildah run $RUNOPTS "$ctr" readlink /proc/self/ns/net buildah run $RUNOPTS "$ctr" readlink /proc/self/ns/net
run_buildah --debug=false run $RUNOPTS "$ctr" readlink /proc/self/ns/net run_buildah --log-level=error run $RUNOPTS "$ctr" readlink /proc/self/ns/net
[ "$output" != "" ] [ "$output" != "" ]
[ "$output" != "$mynetns" ] [ "$output" != "$mynetns" ]
# Check that with settings that require a user namespace, we can still try to use the host's network namespace. # Check that with settings that require a user namespace, we can still try to use the host's network namespace.
buildah run $RUNOPTS --net=host "$ctr" readlink /proc/self/ns/net buildah run $RUNOPTS --net=host "$ctr" readlink /proc/self/ns/net
run_buildah --debug=false run $RUNOPTS --net=host "$ctr" readlink /proc/self/n s/net run_buildah --log-level=error run $RUNOPTS --net=host "$ctr" readlink /proc/se lf/ns/net
[ "$output" != "" ] [ "$output" != "" ]
[ "$output" == "$mynetns" ] [ "$output" == "$mynetns" ]
# Create a container that doesn't use that mapping. # Create a container that doesn't use that mapping.
run_buildah --debug=false from --signature-policy ${TESTSDIR}/policy.json --qu iet alpine run_buildah --log-level=error from --signature-policy ${TESTSDIR}/policy.json --quiet alpine
[ "$output" != "" ] [ "$output" != "" ]
ctr="$output" ctr="$output"
# Check that with settings that don't require a user namespace, we don't get a new network namespace by default. # Check that with settings that don't require a user namespace, we don't get a new network namespace by default.
buildah run $RUNOPTS "$ctr" readlink /proc/self/ns/net buildah run $RUNOPTS "$ctr" readlink /proc/self/ns/net
run_buildah --debug=false run $RUNOPTS "$ctr" readlink /proc/self/ns/net run_buildah --log-level=error run $RUNOPTS "$ctr" readlink /proc/self/ns/net
[ "$output" != "" ] [ "$output" != "" ]
[ "$output" == "$mynetns" ] [ "$output" == "$mynetns" ]
# Check that with settings that don't require a user namespace, we can request to use a per-container network namespace. # Check that with settings that don't require a user namespace, we can request to use a per-container network namespace.
buildah run $RUNOPTS --net=container "$ctr" readlink /proc/self/ns/net buildah run $RUNOPTS --net=container "$ctr" readlink /proc/self/ns/net
run_buildah --debug=false run $RUNOPTS --net=container "$ctr" readlink /proc/s elf/ns/net run_buildah --log-level=error run $RUNOPTS --net=container "$ctr" readlink /pr oc/self/ns/net
[ "$output" != "" ] [ "$output" != "" ]
[ "$output" != "$mynetns" ] [ "$output" != "$mynetns" ]
} }
@test "idmapping" { @test "idmapping" {
mkdir -p $TESTDIR/no-cni-configs mkdir -p $TESTDIR/no-cni-configs
RUNOPTS="--cni-config-dir=${TESTDIR}/no-cni-configs ${RUNC_BINARY:+--runtime $ RUNC_BINARY}" RUNOPTS="--cni-config-dir=${TESTDIR}/no-cni-configs ${RUNC_BINARY:+--runtime $ RUNC_BINARY}"
# Check if we're running in an environment that can even test this. # Check if we're running in an environment that can even test this.
run readlink /proc/self/ns/user run readlink /proc/self/ns/user
skipping to change at line 154 skipping to change at line 168
touch ${TESTDIR}/somefile touch ${TESTDIR}/somefile
mkdir ${TESTDIR}/somedir mkdir ${TESTDIR}/somedir
touch ${TESTDIR}/somedir/someotherfile touch ${TESTDIR}/somedir/someotherfile
chmod 700 ${TESTDIR}/somedir/someotherfile chmod 700 ${TESTDIR}/somedir/someotherfile
chmod u+s ${TESTDIR}/somedir/someotherfile chmod u+s ${TESTDIR}/somedir/someotherfile
for i in $(seq 0 "$((${#maps[*]}-1))") ; do for i in $(seq 0 "$((${#maps[*]}-1))") ; do
# Create a container using these mappings. # Create a container using these mappings.
echo "Building container with --signature-policy ${TESTSDIR}/policy.json --q uiet ${uidmapargs[$i]} ${gidmapargs[$i]} alpine" echo "Building container with --signature-policy ${TESTSDIR}/policy.json --q uiet ${uidmapargs[$i]} ${gidmapargs[$i]} alpine"
run_buildah --debug=false from --signature-policy ${TESTSDIR}/policy.json -- quiet ${uidmapargs[$i]} ${gidmapargs[$i]} alpine run_buildah --log-level=error from --signature-policy ${TESTSDIR}/policy.jso n --quiet ${uidmapargs[$i]} ${gidmapargs[$i]} alpine
[ "$output" != "" ] [ "$output" != "" ]
ctr="$output" ctr="$output"
# If we specified mappings, expect to be in a different namespace by default . # If we specified mappings, expect to be in a different namespace by default .
buildah run $RUNOPTS "$ctr" readlink /proc/self/ns/user buildah run $RUNOPTS "$ctr" readlink /proc/self/ns/user
run_buildah --debug=false run $RUNOPTS "$ctr" readlink /proc/self/ns/user run_buildah --log-level=error run $RUNOPTS "$ctr" readlink /proc/self/ns/use r
[ "$output" != "" ] [ "$output" != "" ]
case x"$map" in case x"$map" in
x) x)
if test "$BUILDAH_ISOLATION" != "chroot" -a "$BUILDAH_ISOLATION" != "rootl ess" ; then if test "$BUILDAH_ISOLATION" != "chroot" -a "$BUILDAH_ISOLATION" != "rootl ess" ; then
[ "$output" == "$mynamespace" ] [ "$output" == "$mynamespace" ]
fi fi
;; ;;
*) *)
[ "$output" != "$mynamespace" ] [ "$output" != "$mynamespace" ]
;; ;;
esac esac
# Check that we got the mappings that we expected. # Check that we got the mappings that we expected.
buildah run $RUNOPTS "$ctr" cat /proc/self/uid_map buildah run $RUNOPTS "$ctr" cat /proc/self/uid_map
run_buildah --debug=false run $RUNOPTS "$ctr" cat /proc/self/uid_map run_buildah --log-level=error run $RUNOPTS "$ctr" cat /proc/self/uid_map
[ "$output" != "" ] [ "$output" != "" ]
uidmap=$(sed -E -e 's, +, ,g' -e 's,^ +,,g' <<< "$output") uidmap=$(sed -E -e 's, +, ,g' -e 's,^ +,,g' <<< "$output")
buildah run $RUNOPTS "$ctr" cat /proc/self/gid_map buildah run $RUNOPTS "$ctr" cat /proc/self/gid_map
run_buildah --debug=false run $RUNOPTS "$ctr" cat /proc/self/gid_map run_buildah --log-level=error run $RUNOPTS "$ctr" cat /proc/self/gid_map
[ "$output" != "" ] [ "$output" != "" ]
gidmap=$(sed -E -e 's, +, ,g' -e 's,^ +,,g' <<< "$output") gidmap=$(sed -E -e 's, +, ,g' -e 's,^ +,,g' <<< "$output")
echo With settings "$map", expected UID map "${uidmaps[$i]}", got UID map "$ {uidmap}", expected GID map "${gidmaps[$i]}", got GID map "${gidmap}". echo With settings "$map", expected UID map "${uidmaps[$i]}", got UID map "$ {uidmap}", expected GID map "${gidmaps[$i]}", got GID map "${gidmap}".
[ "$uidmap" == "${uidmaps[$i]}" ] [ "$uidmap" == "${uidmaps[$i]}" ]
[ "$gidmap" == "${gidmaps[$i]}" ] [ "$gidmap" == "${gidmaps[$i]}" ]
rootuid=$(sed -E -e 's,^([^ ]*) (.*) ([^ ]*),\2,' <<< "$uidmap") rootuid=$(sed -E -e 's,^([^ ]*) (.*) ([^ ]*),\2,' <<< "$uidmap")
rootgid=$(sed -E -e 's,^([^ ]*) (.*) ([^ ]*),\2,' <<< "$gidmap") rootgid=$(sed -E -e 's,^([^ ]*) (.*) ([^ ]*),\2,' <<< "$gidmap")
# Check that if we copy a file into the container, it gets the right permiss ions. # Check that if we copy a file into the container, it gets the right permiss ions.
run_buildah copy --chown 1:1 "$ctr" ${TESTDIR}/somefile / run_buildah copy --chown 1:1 "$ctr" ${TESTDIR}/somefile /
buildah run $RUNOPTS "$ctr" stat -c '%u:%g' /somefile buildah run $RUNOPTS "$ctr" stat -c '%u:%g' /somefile
run_buildah --debug=false run $RUNOPTS "$ctr" stat -c '%u:%g' /somefile run_buildah --log-level=error run $RUNOPTS "$ctr" stat -c '%u:%g' /somefile
expect_output "1:1" expect_output "1:1"
# Check that if we copy a directory into the container, its contents get the right permissions. # Check that if we copy a directory into the container, its contents get the right permissions.
run_buildah copy "$ctr" ${TESTDIR}/somedir /somedir run_buildah copy "$ctr" ${TESTDIR}/somedir /somedir
buildah run $RUNOPTS "$ctr" stat -c '%u:%g' /somedir buildah run $RUNOPTS "$ctr" stat -c '%u:%g' /somedir
run_buildah --debug=false run $RUNOPTS "$ctr" stat -c '%u:%g' /somedir run_buildah --log-level=error run $RUNOPTS "$ctr" stat -c '%u:%g' /somedir
expect_output "0:0" expect_output "0:0"
run_buildah --debug=false mount "$ctr" run_buildah --log-level=error mount "$ctr"
mnt="$output" mnt="$output"
run stat -c '%u:%g %a' "$mnt"/somedir/someotherfile run stat -c '%u:%g %a' "$mnt"/somedir/someotherfile
[ $status -eq 0 ] [ $status -eq 0 ]
expect_output "$rootuid:$rootgid 4700" expect_output "$rootuid:$rootgid 4700"
buildah run $RUNOPTS "$ctr" stat -c '%u:%g %a' /somedir/someotherfile buildah run $RUNOPTS "$ctr" stat -c '%u:%g %a' /somedir/someotherfile
run_buildah --debug=false run $RUNOPTS "$ctr" stat -c '%u:%g %a' /somedir/so meotherfile run_buildah --log-level=error run $RUNOPTS "$ctr" stat -c '%u:%g %a' /somedi r/someotherfile
expect_output "0:0 4700" expect_output "0:0 4700"
done done
} }
general_namespace() { general_namespace() {
mkdir -p $TESTDIR/no-cni-configs mkdir -p $TESTDIR/no-cni-configs
RUNOPTS="--cni-config-dir=${TESTDIR}/no-cni-configs ${RUNC_BINARY:+--runtime $ RUNC_BINARY}" RUNOPTS="--cni-config-dir=${TESTDIR}/no-cni-configs ${RUNC_BINARY:+--runtime $ RUNC_BINARY}"
# The name of the /proc/self/ns/$link. # The name of the /proc/self/ns/$link.
nstype="$1" nstype="$1"
skipping to change at line 232 skipping to change at line 246
mynamespace="$output" mynamespace="$output"
# Settings to test. # Settings to test.
types[0]= types[0]=
types[1]=container types[1]=container
types[2]=host types[2]=host
types[3]=/proc/$$/ns/$nstype types[3]=/proc/$$/ns/$nstype
for namespace in "${types[@]}" ; do for namespace in "${types[@]}" ; do
# Specify the setting for this namespace for this container. # Specify the setting for this namespace for this container.
run_buildah --debug=false from --signature-policy ${TESTSDIR}/policy.json -- quiet --"$nsflag"=$namespace alpine run_buildah --log-level=error from --signature-policy ${TESTSDIR}/policy.jso n --quiet --"$nsflag"=$namespace alpine
[ "$output" != "" ] [ "$output" != "" ]
ctr="$output" ctr="$output"
# Check that, unless we override it, we get that setting in "run". # Check that, unless we override it, we get that setting in "run".
run_buildah --debug=false run $RUNOPTS "$ctr" readlink /proc/self/ns/"$nstyp e" run_buildah --log-level=error run $RUNOPTS "$ctr" readlink /proc/self/ns/"$n stype"
[ "$output" != "" ] [ "$output" != "" ]
case "$namespace" in case "$namespace" in
""|container) ""|container)
[ "$output" != "$mynamespace" ] [ "$output" != "$mynamespace" ]
;; ;;
host) host)
[ "$output" == "$mynamespace" ] [ "$output" == "$mynamespace" ]
;; ;;
/*) /*)
[ "$output" == $(readlink "$namespace") ] [ "$output" == $(readlink "$namespace") ]
;; ;;
esac esac
for different in $types ; do for different in $types ; do
# Check that, if we override it, we get what we specify for "run". # Check that, if we override it, we get what we specify for "run".
run_buildah --debug=false run $RUNOPTS --"$nsflag"=$different "$ctr" readl ink /proc/self/ns/"$nstype" run_buildah --log-level=error run $RUNOPTS --"$nsflag"=$different "$ctr" r eadlink /proc/self/ns/"$nstype"
[ "$output" != "" ] [ "$output" != "" ]
case "$different" in case "$different" in
""|container) ""|container)
[ "$output" != "$mynamespace" ] [ "$output" != "$mynamespace" ]
;; ;;
host) host)
[ "$output" == "$mynamespace" ] [ "$output" == "$mynamespace" ]
;; ;;
/*) /*)
[ "$output" == $(readlink "$namespace") ] [ "$output" == $(readlink "$namespace") ]
skipping to change at line 330 skipping to change at line 344
for pid in host container ; do for pid in host container ; do
for userns in host container ; do for userns in host container ; do
for uts in host container ; do for uts in host container ; do
if test $userns == container -a $pid == host ; then if test $userns == container -a $pid == host ; then
# We can't mount a fresh /proc, and runc won't let us bind mount t he host's. # We can't mount a fresh /proc, and runc won't let us bind mount t he host's.
continue continue
fi fi
echo "buildah from --signature-policy ${TESTSDIR}/policy.json --ipc= $ipc --net=$net --pid=$pid --userns=$userns --uts=$uts alpine" echo "buildah from --signature-policy ${TESTSDIR}/policy.json --ipc= $ipc --net=$net --pid=$pid --userns=$userns --uts=$uts alpine"
run_buildah --debug=false from --signature-policy ${TESTSDIR}/policy .json --quiet --ipc=$ipc --net=$net --pid=$pid --userns=$userns --uts=$uts alpin e run_buildah --log-level=error from --signature-policy ${TESTSDIR}/po licy.json --quiet --ipc=$ipc --net=$net --pid=$pid --userns=$userns --uts=$uts a lpine
[ "$output" != "" ] [ "$output" != "" ]
ctr="$output" ctr="$output"
buildah run $ctr pwd buildah run $ctr pwd
run_buildah --debug=false run $ctr pwd run_buildah --log-level=error run $ctr pwd
[ "$output" != "" ] [ "$output" != "" ]
buildah run --tty=true $ctr pwd buildah run --tty=true $ctr pwd
run_buildah --debug=false run --tty=true $ctr pwd run_buildah --log-level=error run --tty=true $ctr pwd
[ "$output" != "" ] [ "$output" != "" ]
buildah run --tty=false $ctr pwd buildah run --tty=false $ctr pwd
run_buildah --debug=false run --tty=false $ctr pwd run_buildah --log-level=error run --tty=false $ctr pwd
[ "$output" != "" ] [ "$output" != "" ]
done done
done done
done done
done done
done done
} }
@test "idmapping-and-squash" { @test "idmapping-and-squash" {
createrandom ${TESTDIR}/randomfile createrandom ${TESTDIR}/randomfile
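Review bot: In `general_namespace`, the inner loop `for different in $types ; do` never runs: `$types` expands only `${types[0]}`, which is assigned empty, and word splitting then leaves no words. The `run ... --"$nsflag"=$different` override check that this change moves to `--log-level=error` is therefore never executed, and a regression in per-run namespace overrides would pass unnoticed. Iterating with `for different in "${types[@]}" ; do` would exercise it, and the `/*)` arm under `case "$different"` should then compare against `$(readlink "$different")` rather than `$(readlink "$namespace")`. Enabling the loop may surface failures that were hidden until now, so it is probably best done as its own change. The function body continues outside the displayed hunks.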
 End of changes. 22 change blocks. 
21 lines changed or deleted 36 lines changed or added
