From 62325f9a49a28d62faca95ef7ad8087a9af785a5 Mon Sep 17 00:00:00 2001 From: Ed Santiago Date: Wed, 10 May 2023 14:10:36 -0600 Subject: [PATCH] system tests: instrument, to try to catch unlinkat-ebusy Several tweaks to see if we can track down #17216, the unlinkat-ebusy flake: - teardown(): if a cleanup command fails, display it and its output to the debug channel. This should never happen, but it can and does (see #18180, dependent containers). We need to know about it. - selinux tests: use unique pod names. This should help when scanning journal logs. - many tests: add "-f -t0" to "pod rm" And, several unrelated changes caught by accident: - images-commit-with-comment test: was leaving a stray image behind. Clean it up, and make a few more readability tweaks - podman-remote-group-add test: add an explicit skip() when not remote. (Otherwise, test passes cleanly on podman local, which is misleading) - lots of container cleanup and/or adding "--rm" to run commands, to avoid leaving stray containers Signed-off-by: Ed Santiago --- test/system/010-images.bats | 18 +++++++++++----- test/system/170-run-userns.bats | 8 ++++--- test/system/410-selinux.bats | 38 +++++++++++++++++++++------------ test/system/500-networking.bats | 2 +- test/system/helpers.bash | 24 +++++++++++++++++---- 5 files changed, 63 insertions(+), 27 deletions(-) diff --git a/test/system/010-images.bats b/test/system/010-images.bats index 70184b6a1a0a..ffcedb9880cd 100644 --- a/test/system/010-images.bats +++ b/test/system/010-images.bats 
@@ -310,15 +310,23 @@ Deleted: $pauseID"
}
@test "podman images - commit docker with comment" {
- run_podman run --name my-container -itd $IMAGE sleep 1d
+ run_podman run --name my-container -d $IMAGE top
run_podman 125 commit -m comment my-container my-test-image
assert "$output" == "Error: messages are only compatible with the docker image format (-f docker)" "podman should fail unless docker format"
- run_podman commit my-container --format docker -m comment my-test-image
- run_podman commit -q my-container --format docker -m comment my-test-image
+
+ # Without -q: verbose output, but only on podman-local, not remote
+ run_podman commit my-container --format docker -m comment my-test-image1
+ if ! is_remote; then
+ assert "$output" =~ "Getting image.*Writing manif.*Storing signatu" \
+ "Without -q, verbose output"
+ fi
+
+ # With -q, both local and remote: only an image ID
+ run_podman commit -q my-container --format docker -m comment my-test-image2
assert "$output" =~ "^[0-9a-f]{64}\$" \
- "Output is a commit ID, no warnings or other output"
+ "With -q, output is a commit ID, no warnings or other output"
- run_podman rmi my-test-image
+ run_podman rmi my-test-image1 my-test-image2
run_podman rm my-container --force -t 0
}
diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats
index bf9ea9b32e3f..9083195d6beb 100644
--- a/test/system/170-run-userns.bats
+++ b/test/system/170-run-userns.bats
@@ -53,10 +53,12 @@ function _require_crun() {
}
@test "podman --remote --group-add keep-groups " {
- if is_remote; then
- run_podman 125 run --rm --group-add keep-groups $IMAGE id
- is "$output" ".*not supported in remote mode" "Remote check --group-add keep-groups"
+ if ! is_remote; then
+ skip "this test only meaningful under podman-remote"
fi
+
+ run_podman 125 run --rm --group-add keep-groups $IMAGE id
+ is "$output" ".*not supported in remote mode" "Remote check --group-add keep-groups"
}
@test "podman --group-add without keep-groups " {
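Review bot: On podman-remote the first commit's output (`run_podman commit my-container --format docker -m comment my-test-image1`) is never checked, because its only assertion sits inside `if ! is_remote`, so a remote regression that prints warnings, or no image ID at all, would pass this test. If `podman commit` without `-q` ends with the image ID on both local and remote (the `-q` assertion shows a bare 64-hex ID is the expected result), an unconditional `assert "${lines[-1]}" =~ "^[0-9a-f]{64}\$" "Without -q, last line is the image ID"` right after that commit would cover both modes; if remote does not print the ID last, a comment saying so would explain why the branch is silent rather than leaving it looking like an oversight. `is_remote`, `assert` and `run_podman` are defined outside this hunk.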
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index 92ce40b05307..8ccbe7535ce7 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -89,6 +89,8 @@ function check_label() {
run_podman create --runtime=${KATA} --name myc $IMAGE
run_podman inspect --format='{{ .ProcessLabel }}' myc
is "$output" ".*container_kvm_t"
+
+ run_podman rm myc
}

# pr #6752
@@ -154,43 +156,49 @@ function check_label() {
@test "podman selinux: containers in pods share full context" {
skip_if_no_selinux
+ # unique pod name helps when tracking down failure in journal
+ local podname=myselinuxpod_do_share
+
# We don't need a fullblown pause container; avoid pulling the k8s one
- run_podman pod create --name myselinuxpod \
+ run_podman pod create --name $podname \
--infra-image $IMAGE \
--infra-command /home/podman/pause # Get baseline
- run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current
+ run_podman run --rm --pod $podname $IMAGE cat -v /proc/self/attr/current
context_c1="$output" # Prior to #7902, the labels (':c123,c456') would be different
- run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current
+ run_podman run --rm --pod $podname $IMAGE cat -v /proc/self/attr/current
is "$output" "$context_c1" "SELinux context of 2nd container matches 1st" # What the heck. Try a third time just for extra confidence
- run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current
+ run_podman run --rm --pod $podname $IMAGE cat -v /proc/self/attr/current
is "$output" "$context_c1" "SELinux context of 3rd container matches 1st"
- run_podman pod rm myselinuxpod
+ run_podman pod rm -f -t0 $podname
} # more pr #7902
@test "podman selinux: containers in --no-infra pods do not share context" {
skip_if_no_selinux
+ # unique pod name helps when tracking down failure in journal
+ local podname=myselinuxpod_dont_share
+
# We don't need a fullblown pause container; avoid pulling the k8s one
- run_podman pod create --name myselinuxpod --infra=false
+ run_podman pod create --name $podname --infra=false
# Get baseline
- run_podman run --rm --pod myselinuxpod $IMAGE cat -v /proc/self/attr/current
+ run_podman run --rm --pod $podname $IMAGE cat -v /proc/self/attr/current
context_c1="$output" # Even after #7902, labels (':c123,c456') should be different
- run_podman run --rm --pod myselinuxpod $IMAGE cat -v 
/proc/self/attr/current
+ run_podman run --rm --pod $podname $IMAGE cat -v /proc/self/attr/current
assert "$output" != "$context_c1" \
"context of two separate containers should be different"
- run_podman pod rm myselinuxpod
+ run_podman pod rm -f -t0 $podname
} # #8946 - better diagnostics for nonexistent attributes
@@ -214,7 +222,7 @@ function check_label() {
# The '.*' in the error below is for dealing with podman-remote, which
# includes "error preparing container for attach" in output.
- run_podman 126 run --security-opt label=type:foo.bar $IMAGE true
+ run_podman 126 run --rm --security-opt label=type:foo.bar $IMAGE true
is "$output" "Error.*: $expect" "podman emits useful diagnostic on failure"
}
@@ -228,15 +236,15 @@ function check_label() {
chcon -vR ${LABEL} $tmpdir
ls -Z $tmpdir
- run_podman run -v $tmpdir:/test $IMAGE cat /proc/self/attr/current
+ run_podman run --rm -v $tmpdir:/test $IMAGE cat /proc/self/attr/current
run ls -dZ ${tmpdir}
is "$output" "${LABEL} ${tmpdir}" "No Relabel Correctly"
- run_podman run -v $tmpdir:/test:z --security-opt label=disable $IMAGE cat /proc/self/attr/current
+ run_podman run --rm -v $tmpdir:/test:z --security-opt label=disable $IMAGE cat /proc/self/attr/current
run ls -dZ $tmpdir
is "$output" "${RELABEL} $tmpdir" "Privileged Relabel Correctly"
- run_podman run -v $tmpdir:/test:z --privileged $IMAGE cat /proc/self/attr/current
+ run_podman run --rm -v $tmpdir:/test:z --privileged $IMAGE cat /proc/self/attr/current
run ls -dZ $tmpdir
is "$output" "${RELABEL} $tmpdir" "Privileged Relabel Correctly"
@@ -271,7 +279,9 @@ function check_label() {
is "$output" "system_u:object_r:usr_t:s0 $tmpdir/test1" \
"Start did not Relabel"
fi
- run_podman run -v $tmpdir:/test:z $IMAGE cat /proc/self/attr/current
+ run_podman rm label
+
+ run_podman run --rm -v $tmpdir:/test:z $IMAGE cat /proc/self/attr/current
run ls -dZ $tmpdir
is "$output" "${RELABEL} $tmpdir" "Shared Relabel Correctly"
}
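Review bot: In the "containers in pods share full context" test the two `is "$output" "$context_c1"` checks are satisfied by any three identical strings, so if the containers came up with no per-container MCS level at all (every run returning the same `container_t:s0` or an unconfined label) the test still passes while the property it names — a shared `:c123,c456` pair, per its own comment — is never demonstrated; `skip_if_no_selinux` guards the host, not whether the containers were actually labeled. Pin the baseline once, directly after `context_c1="$output"`: `assert "$context_c1" =~ ":s0:c[0-9]+,c[0-9]+\$" "baseline has an MCS category pair"` (I have matched only the level, since the type prefix depends on the runtime). The same check in the `--no-infra` test would make its `!=` assertion show two distinct category pairs rather than merely two different strings. Both test bodies are inside the hunk, but `is`/`assert` are defined outside it, so adjust if `assert` does not take `=~` the way the rest of this patch uses it.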
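Review bot: The three `run_podman run --rm ...` lines changed here are followed by assertions whose messages do not distinguish the runs: the `--security-opt label=disable` case and the `--privileged` case both report `"Privileged Relabel Correctly"`, so a failure log from this hunk cannot say which of the two relabeled wrongly. Those `is` lines are unchanged context, but since this commit exists to instrument flaky cleanup it is cheap to rename the first one to `"label=disable Relabel Correctly"` while touching the lines around it. `$LABEL`, `$RELABEL` and the test header are outside the hunk, so I cannot tell whether the two runs are expected to relabel to the same value by design or by coincidence — a one-line comment above the `label=disable` run stating which would help the next reader.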
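Review bot: The added `run_podman rm label` has no `-f -t0`, unlike every other cleanup this patch touches; the `label` container is created and started before this hunk (the `"Start did not Relabel"` assertion refers to it, and the start of the test is outside view), so if it is still running at this point a plain `rm` exits nonzero and run_podman fails the test at the cleanup step, which would show up as a new flake rather than a relabel bug. `run_podman rm -f -t0 label` is consistent with the rest of the patch and does not weaken any assertion in this test. If `label` is known to have exited by then, a short comment such as `# 'label' has exited by now; plain rm is sufficient` would stop the next reader from asking the same question.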
diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats
index b6390f5f3d5a..fd3aa7c74b32 100644
--- a/test/system/500-networking.bats
+++ b/test/system/500-networking.bats
@@ -168,7 +168,7 @@ load helpers.network
is "${lines[0]}" "$pod_name" "hostname is the pod hostname"
is "${lines[1]}" "$pod_name" "/etc/hostname contains correct pod hostname"
- run_podman pod rm $pod_name
+ run_podman pod rm -f -t0 $pod_name
is "$output" "$pid" "Only ID in output (no extra errors)" # Clean up
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index 486b1cbc3d8d..dd9e1e97014b 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -102,10 +102,26 @@ function basic_setup() {
# Basic teardown: remove all pods and containers
function basic_teardown() {
echo "# [teardown]" >&2
- run_podman '?' pod rm -t 0 --all --force --ignore
- run_podman '?' rm -t 0 --all --force --ignore
- run_podman '?' network prune --force
- run_podman '?' volume rm -a -f
+ local actions=(
+ "pod rm -t 0 --all --force --ignore"
+ "rm -t 0 --all --force --ignore"
+ "network prune --force"
+ "volume rm -a -f"
+ )
+ for action in "${actions[@]}"; do
+ run_podman '?' $action
+
+ # The -f commands should never exit nonzero, but if they do we want
+ # to know about it.
+ # FIXME: someday: also test for [[ -n "$output" ]] - can't do this
+ # yet because too many tests don't clean up their containers
+ if [[ $status -ne 0 ]]; then
+ echo "# [teardown] $_LOG_PROMPT podman $action" >&3
+ for line in "${lines[*]}"; do
+ echo "# $line" >&3
+ done
+ fi
+ done
command rm -rf $PODMAN_TMPDIR
}
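Review bot: Switching to `run_podman pod rm -f -t0 $pod_name` changes what the next line, `is "$output" "$pid" "Only ID in output (no extra errors)"`, demonstrates: unforced removal of a pod whose containers have finished was the behaviour being asserted, and `--force` now succeeds even if a container is still running or stuck, so a regression in ordinary `pod rm` is no longer caught here. If the force is purely to avoid leaving a pod behind while chasing the flake (as the commit message says), a comment such as `# -f -t0: cleanup only; unforced pod rm is deliberately not exercised here` keeps the assertion's message honest. `$pid` is assigned outside the hunk, so I am assuming it holds the pod ID.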
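Review bot: `for line in "${lines[*]}"; do` runs the loop exactly once with the whole of `lines` joined into a single word (`[*]` joins on the first IFS character, a space by default), so the new diagnostic emits one long `# …` line instead of one prefixed line per line of output; the fix is `for line in "${lines[@]}"; do`. `$status` and `$lines` are taken to be populated by `run_podman` (defined outside the hunk), as they would be if it wraps bats `run`. `run_podman '?' $action` relies on word-splitting of each fixed string, which is correct for these four entries but would silently break for any future entry containing a quoted or space-containing argument, so a comment such as `# $action is intentionally unquoted: each entry is a fixed argv to be word-split` is worth adding above the loop. Unchanged context below the hunk, `command rm -rf $PODMAN_TMPDIR` would be safer as `command rm -rf -- "${PODMAN_TMPDIR:?}"` so an unset or empty variable aborts instead of reaching `rm -rf` with an unexpected argument list.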