Containers: test privileged mode
Test privileged mode in podman and docker. The command
mount -t tmpfs none /mnt
only works in privileged mode because of the read-only protection in
the default mode.

https://progress.opensuse.org/issues/135518
ilausuch committed Sep 21, 2023
1 parent 651e520 commit 15465ff
Showing 2 changed files with 66 additions and 18 deletions.
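--- a/lib/main_containers.pm
+++ b/lib/main_containers.pm
@@ -89,24 +89,25 @@ sub load_host_tests_podman {
 my ($run_args) = @_;
 # podman package is only available as of 15-SP1
 unless (is_sle("<15-sp1")) {
-load_container_engine_test($run_args);
-# In Public Cloud we don't have internal resources
-load_image_test($run_args) unless is_public_cloud || is_alp;
-load_3rd_party_image_test($run_args);
-loadtest 'containers/podman_bci_systemd';
-loadtest 'containers/podman_pods';
-# Default for ALP is Netavark
-loadtest('containers/podman_network_cni') unless (is_alp);
-# Netavark not supported in 15-SP1 and 15-SP2 (due to podman version older than 4.0.0)
-loadtest 'containers/podman_netavark' unless (is_staging || is_sle("<15-sp3") || is_ppc64le);
-# Firewall is not installed in JeOS OpenStack, MicroOS and Public Cloud images
-loadtest 'containers/podman_firewall' unless (is_public_cloud || is_openstack || is_microos || is_alp);
-# Buildah is not available in SLE Micro, MicroOS and staging projects
-loadtest 'containers/buildah' unless (is_sle_micro || is_microos || is_leap_micro || is_alp || is_staging);
-# https://github.com/containers/podman/issues/5732#issuecomment-610222293
-# exclude rootless poman on public cloud because of cgroups2 special settings
-loadtest 'containers/rootless_podman' unless (is_sle('<15-sp2') || is_openstack || is_public_cloud);
-load_volume_tests($run_args);
+# load_container_engine_test($run_args);
+# # In Public Cloud we don't have internal resources
+# load_image_test($run_args) unless is_public_cloud || is_alp;
+# load_3rd_party_image_test($run_args);
+loadtest 'containers/privileged_mode';
+# loadtest 'containers/podman_bci_systemd';
+# loadtest 'containers/podman_pods';
+# # Default for ALP is Netavark
+# loadtest('containers/podman_network_cni') unless (is_alp);
+# # Netavark not supported in 15-SP1 and 15-SP2 (due to podman version older than 4.0.0)
+# loadtest 'containers/podman_netavark' unless (is_staging || is_sle("<15-sp3") || is_ppc64le);
+# # Firewall is not installed in JeOS OpenStack, MicroOS and Public Cloud images
+# loadtest 'containers/podman_firewall' unless (is_public_cloud || is_openstack || is_microos || is_alp);
+# # Buildah is not available in SLE Micro, MicroOS and staging projects
+# loadtest 'containers/buildah' unless (is_sle_micro || is_microos || is_leap_micro || is_alp || is_staging);
+# # https://github.com/containers/podman/issues/5732#issuecomment-610222293
+# # exclude rootless poman on public cloud because of cgroups2 special settings
+# loadtest 'containers/rootless_podman' unless (is_sle('<15-sp2') || is_openstack || is_public_cloud);
+# load_volume_tests($run_args);
 }
 }
 
@@ -116,6 +117,7 @@ sub load_host_tests_docker {
 # In Public Cloud we don't have internal resources
 load_image_test($run_args) unless is_public_cloud || is_alp;
 load_3rd_party_image_test($run_args);
+loadtest 'containers/privileged_mode';
 # Firewall is not installed in Public Cloud, JeOS OpenStack and MicroOS but it is in SLE Micro
 loadtest 'containers/docker_firewall' unless (is_public_cloud || is_openstack || is_microos);
 unless (is_sle("<=15") && is_aarch64) {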
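Review bot: Every other podman test in `load_host_tests_podman` is commented out in the first hunk, so once merged the podman host schedule would run only `containers/privileged_mode` and silently drop the rootless, firewall, network, buildah and volume coverage. This looks like a leftover from a local verification run; the second hunk shows the intended shape, where the new test is added and nothing else changes. Restore the original lines and add only `loadtest 'containers/privileged_mode';` after `load_3rd_party_image_test($run_args);`. The body of `load_host_tests_docker` continues outside the second hunk.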
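--- a/tests/containers/privileged_mode.pm
+++ b/tests/containers/privileged_mode.pm
@@ -0,0 +1,46 @@
+# SUSE's openQA tests
+#
+# Copyright 2023 SUSE LLC
+# SPDX-License-Identifier: FSFAP
+
+# Package: podman
+# Summary: Test podman with systemd
+# Maintainer: [email protected]
+
+use Mojo::Base 'containers::basetest';
+use testapi;
+use serial_terminal 'select_serial_terminal';
+use utils qw(validate_script_output_retry);
+use containers::utils qw(reset_container_network_if_needed);
+
+sub run {
+my ($self, $args) = @_;
+select_serial_terminal;
+
+my $runtime = "podman";
+my $engine = $self->containers_factory($runtime);
+$self->{runtime} = $engine;
+reset_container_network_if_needed($runtime);
+
+my $image = get_var("CONTAINER_IMAGE_TO_TEST", "registry.suse.com/bci/bci-base:latest");
+
+record_info('Test', 'Launch a container with privileged mode');
+assert_script_run("$runtime run -ti --rm --privileged $image mount -t tmpfs none /mnt");
+}
+
+sub cleanup {
+my ($self) = @_;
+$self->{runtime}->cleanup_system_host();
+}
+
+sub post_run_hook {
+my ($self) = @_;
+$self->cleanup();
+}
+
+sub post_fail_hook {
+my ($self) = @_;
+$self->cleanup();
+}
+
+1;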
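Review bot: `my $runtime = "podman";` is hard-coded in `run`, so when this module is scheduled from `load_host_tests_docker` it exercises podman a second time and docker's privileged mode is never tested; `$args` is unpacked but unused. If the scheduler can hand the engine over through run_args (not visible on this page), read it from there, e.g. `my $runtime = $args->{runtime};`, and pass `run_args => $run_args` in the two `loadtest` calls. The test also asserts only that the privileged case succeeds; a negative control that the same `mount -t tmpfs none /mnt` fails without `--privileged` would confirm the default confinement the commit message relies on, and would catch an engine that starts granting the mount by default. The header `# Summary: Test podman with systemd` appears copied from another module and should describe this test.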
