From 15465ffe8fff1b872cfa9ed1e77bef94dd7a0b05 Mon Sep 17 00:00:00 2001
From: Ivan Lausuch
Date: Mon, 18 Sep 2023 13:15:25 +0200
Subject: [PATCH] Containers: test privileged mode

Test privileged mode in podman and docker. The command mount -t tmpfs none /mnt only works in privileged mode because the read-only protection in the default mode https://progress.opensuse.org/issues/135518
---
 lib/main_containers.pm | 38 +++++++++++++-----------
 tests/containers/privileged_mode.pm | 46 +++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 18 deletions(-)
 create mode 100644 tests/containers/privileged_mode.pm

diff --git a/lib/main_containers.pm b/lib/main_containers.pm
index bf052cdc1253..ed77565fe568 100644
--- a/lib/main_containers.pm
+++ b/lib/main_containers.pm
@@ -89,24 +89,25 @@ sub load_host_tests_podman {
 my ($run_args) = @_;
 # podman package is only available as of 15-SP1
 unless (is_sle("<15-sp1")) {
- load_container_engine_test($run_args);
- # In Public Cloud we don't have internal resources
- load_image_test($run_args) unless is_public_cloud || is_alp;
- load_3rd_party_image_test($run_args);
- loadtest 'containers/podman_bci_systemd';
- loadtest 'containers/podman_pods';
- # Default for ALP is Netavark
- loadtest('containers/podman_network_cni') unless (is_alp);
- # Netavark not supported in 15-SP1 and 15-SP2 (due to podman version older than 4.0.0)
- loadtest 'containers/podman_netavark' unless (is_staging || is_sle("<15-sp3") || is_ppc64le);
- # Firewall is not installed in JeOS OpenStack, MicroOS and Public Cloud images
- loadtest 'containers/podman_firewall' unless (is_public_cloud || is_openstack || is_microos || is_alp);
- # Buildah is not available in SLE Micro, MicroOS and staging projects
- loadtest 'containers/buildah' unless (is_sle_micro || is_microos || is_leap_micro || is_alp || is_staging);
- # https://github.com/containers/podman/issues/5732#issuecomment-610222293
- # exclude rootless poman on public cloud because of cgroups2 special settings
- loadtest 'containers/rootless_podman' unless (is_sle('<15-sp2') || is_openstack || is_public_cloud);
- load_volume_tests($run_args);
+ # load_container_engine_test($run_args);
+ # # In Public Cloud we don't have internal resources
+ # load_image_test($run_args) unless is_public_cloud || is_alp;
+ # load_3rd_party_image_test($run_args);
+ loadtest 'containers/privileged_mode';
+ # loadtest 'containers/podman_bci_systemd';
+ # loadtest 'containers/podman_pods';
+ # # Default for ALP is Netavark
+ # loadtest('containers/podman_network_cni') unless (is_alp);
+ # # Netavark not supported in 15-SP1 and 15-SP2 (due to podman version older than 4.0.0)
+ # loadtest 'containers/podman_netavark' unless (is_staging || is_sle("<15-sp3") || is_ppc64le);
+ # # Firewall is not installed in JeOS OpenStack, MicroOS and Public Cloud images
+ # loadtest 'containers/podman_firewall' unless (is_public_cloud || is_openstack || is_microos || is_alp);
+ # # Buildah is not available in SLE Micro, MicroOS and staging projects
+ # loadtest 'containers/buildah' unless (is_sle_micro || is_microos || is_leap_micro || is_alp || is_staging);
+ # # https://github.com/containers/podman/issues/5732#issuecomment-610222293
+ # # exclude rootless poman on public cloud because of cgroups2 special settings
+ # loadtest 'containers/rootless_podman' unless (is_sle('<15-sp2') || is_openstack || is_public_cloud);
+ # load_volume_tests($run_args);
 }
 }
 
@@ -116,6 +117,7 @@ sub load_host_tests_docker {
 # In Public Cloud we don't have internal resources
 load_image_test($run_args) unless is_public_cloud || is_alp;
 load_3rd_party_image_test($run_args);
+ loadtest 'containers/privileged_mode';
 # Firewall is not installed in Public Cloud, JeOS OpenStack and MicroOS but it is in SLE Micro
 loadtest 'containers/docker_firewall' unless (is_public_cloud || is_openstack || is_microos);
 unless (is_sle("<=15") && is_aarch64) {
diff --git a/tests/containers/privileged_mode.pm b/tests/containers/privileged_mode.pm
new file mode 100644
index 000000000000..981a7fec0518
--- /dev/null
+++ b/tests/containers/privileged_mode.pm
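Review bot: Every other podman host test in `load_host_tests_podman` is commented out by this hunk, so a podman job would schedule only `containers/privileged_mode` and lose the engine, image, pods, network, firewall, buildah, rootless and volume checks. This looks like a shortcut left over from a faster verification run and should not be merged in this form. Restore the original list and add only `loadtest 'containers/privileged_mode';` after `load_3rd_party_image_test($run_args);`, as the docker hunk does. The `sub` line itself is visible only in the hunk header.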
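Review bot: `containers/privileged_mode` is scheduled from `load_host_tests_docker` without the loader's `$run_args`, while the module added later in this patch hardcodes `my $runtime = "podman";` and never reads its `$args`. As written, a docker job would run the check against podman again, so docker's privileged mode is not exercised even though the commit message names both engines. Pass the engine through the same way the neighbouring `load_*_test($run_args)` helpers do and take the runtime from it in the module, e.g. `my $runtime = $args->{runtime};`, assuming the run args carry the engine name under that key. `load_host_tests_docker` begins and ends outside the hunk.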
@@ -0,0 +1,46 @@
+# SUSE's openQA tests
+#
+# Copyright 2023 SUSE LLC
+# SPDX-License-Identifier: FSFAP
+
+# Package: podman
+# Summary: Test podman with systemd
+# Maintainer: qa-c@suse.de
+
+use Mojo::Base 'containers::basetest';
+use testapi;
+use serial_terminal 'select_serial_terminal';
+use utils qw(validate_script_output_retry);
+use containers::utils qw(reset_container_network_if_needed);
+
+sub run {
+ my ($self, $args) = @_;
+ select_serial_terminal;
+
+ my $runtime = "podman";
+ my $engine = $self->containers_factory($runtime);
+ $self->{runtime} = $engine;
+ reset_container_network_if_needed($runtime);
+
+ my $image = get_var("CONTAINER_IMAGE_TO_TEST", "registry.suse.com/bci/bci-base:latest");
+
+ record_info('Test', 'Launch a container with privileged mode');
+ assert_script_run("$runtime run -ti --rm --privileged $image mount -t tmpfs none /mnt");
+}
+
+sub cleanup {
+ my ($self) = @_;
+ $self->{runtime}->cleanup_system_host();
+}
+
+sub post_run_hook {
+ my ($self) = @_;
+ $self->cleanup();
+}
+
+sub post_fail_hook {
+ my ($self) = @_;
+ $self->cleanup();
+}
+
+1;
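Review bot: `run` only asserts that the mount succeeds with `--privileged`; nothing checks that the same command is refused in the default mode, which is the confinement boundary the commit message describes. Without that negative control the test would still pass if an unprivileged container could also mount, so a regression in the default restrictions would go unnoticed. Consider adding before the privileged run: `die 'tmpfs mount succeeded without --privileged' if script_run("$runtime run --rm $image mount -t tmpfs none /mnt") == 0;`. The header line `# Summary: Test podman with systemd` also looks copied from another module and should describe the privileged-mode check, and the `validate_script_output_retry` import is unused.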