Merge pull request #11878 from b10n1k/87976_rootless_podman

Create test to run podman in rootless mode
os-autoinst · Feb 19, 2021 · f282ffa · f282ffa
2 parents 95f33b5 + 0023382
commit f282ffa
Show file tree

Hide file tree

Showing 6 changed files with 103 additions and 4 deletions.
diff --git a/lib/containers/common.pm b/lib/containers/common.pm
@@ -135,8 +135,8 @@ sub clean_container_host {
         assert_script_run("$runtime rm --all");
         assert_script_run("$runtime rmi --all --force");
     } else {
-        assert_script_run("$runtime stop \$($runtime ps -q)", 180) if script_output("$runtime ps -q | wc -l") != '0';
-        assert_script_run("$runtime system prune -a -f",      180);
+        assert_script_run("$runtime ps -q | xargs -r $runtime stop", 180);
+        assert_script_run("$runtime system prune -a -f",             180);
     }
 }
 
@@ -234,6 +234,7 @@ sub test_container_image {
             upload_logs("$logfile");
             die "Heartbeat test failed for $image";
         }
+        assert_script_run "rm $logfile";
     }
 }
 

diff --git a/lib/containers/container_images.pm b/lib/containers/container_images.pm
@@ -25,7 +25,8 @@ use version;
 use containers::utils;
 
 our @EXPORT = qw(build_container_image build_with_zypper_docker build_with_sle2docker
-  test_opensuse_based_image exec_on_container ensure_container_rpm_updates test_containered_app);
+  test_opensuse_based_image exec_on_container ensure_container_rpm_updates test_containered_app
+  test_zypper_on_container verify_userid_on_container);
 
 # Build any container image using a basic Dockerfile. Not applicable for buildah builds
 sub build_container_image {
@@ -36,7 +37,7 @@ sub build_container_image {
     die 'Argument $image not provided!'   unless $image;
     die 'Argument $runtime not provided!' unless $runtime;
 
-    my $dir = "/root/sle_base_image/docker_build";
+    my $dir = "~/sle_base_image/docker_build";
 
     record_info("Building $image", "Building $image using $runtime");
 
@@ -185,6 +186,33 @@ sub test_opensuse_based_image {
     }
 }
 
+sub verify_userid_on_container {
+    my ($runtime, $image) = @_;
+    record_info "host uid", script_output "echo \$UID";
+
+    record_info "root default user", "rootless mode process runs with the default container user(root)";
+    my $cid = script_output "$runtime run -d --rm --name test1 $image sleep infinity";
+    validate_script_output "$runtime top $cid user huser", sub { /root\s+1000/ };
+    validate_script_output "$runtime top $cid capeff",     sub { /setuid/i };
+
+    record_info "non-root user", "process runs under the range of subuids assigned for regular user";
+    $cid = script_output "$runtime run -d --rm --name test2 --user 1000 $image sleep infinity";
+    validate_script_output "$runtime top $cid user huser", sub { /1000\s+200999/ };
+    validate_script_output "$runtime top $cid capeff",     sub { /none/ };
+
+    record_info "root with keep-id", "the default user(root) starts process with the same uid as host user";
+    $cid = script_output "$runtime run -d --rm --userns keep-id $image sleep infinity";
+    # Remove once the softfail removed. it is just checks the user's mapped uid
+    validate_script_output "$runtime exec -it $cid cat /proc/self/uid_map", sub { /1000/ };
+    if (is_sle) {
+        validate_script_output "$runtime top $cid user huser", sub { /bernhard\s+bernhard/ };
+        validate_script_output "$runtime top $cid capeff",     sub { /setuid/i };
+    }
+    else {
+        record_soft_failure "bsc#1182428 - Issue with nsenter from podman-top";
+    }
+}
+
 sub test_zypper_on_container {
     my ($runtime, $image) = @_;
 
@@ -216,6 +244,7 @@ sub test_zypper_on_container {
         # Verify the image works
         assert_script_run("$runtime run --rm refreshed-image sh -c 'zypper -v ref | grep \"All repositories have been refreshed\"'", 120);
     }
+    record_info "zypper test completed";
 }
 
 sub ensure_container_rpm_updates {

diff --git a/lib/main_common.pm b/lib/main_common.pm
@@ -1722,6 +1722,7 @@ sub load_extra_tests_docker {
     loadtest "containers/docker_compose" unless (is_sle('<15') || is_sle('>=15-sp2'));
     loadtest 'containers/registry';
     loadtest "containers/zypper_docker";
+    loadtest "containers/rootless_podman";
 }
 
 sub load_extra_tests_prepare {

diff --git a/schedule/containers/extra_tests_textmode_containers.yaml b/schedule/containers/extra_tests_textmode_containers.yaml
@@ -29,3 +29,4 @@ schedule:
   - containers/containers_3rd_party
   - containers/registry
   - console/coredump_collect
+  - containers/rootless_podman
diff --git a/schedule/containers/sle_image_on_sle_host.yaml b/schedule/containers/sle_image_on_sle_host.yaml
@@ -20,3 +20,4 @@ schedule:
   - containers/docker_image
   - containers/container_diff
   - '{{validate_btrfs}}'
+  - containers/rootless_podman
diff --git a/tests/containers/rootless_podman.pm b/tests/containers/rootless_podman.pm
@@ -0,0 +1,66 @@
+# SUSE's openQA tests
+#
+# Copyright © 2021 SUSE LLC
+#
+# Copying and distribution of this file, with or without modification,
+# are permitted in any medium without royalty provided the copyright
+# notice and this notice are preserved.  This file is offered as-is,
+# without any warranty.
+
+# Summary: Test rootless mode on podman.
+# - add a user on the /etc/subuid and /etc/subgid to allow automatically allocation subuid and subgid ranges.
+# - check uids allocated to user (inside the container are mapped on the host)
+# - give read access to the SUSE Customer Center credentials to call zypper from in the container
+#   proper way to add Access Control List is via `setfacl` which is not available so we just do
+#   `chmod` instead!! This grants the current user the required access rights
+# - Test rootless container:
+#   * container is launched with default root user
+#   * container is launched with existing user id
+#   * container is launched with keep-id of the user who run the container
+# - Restore /etc/zypp/credentials.d/ credentials
+# Maintainer: qa-c team <qa-c@suse.de>
+
+use Mojo::Base qw(consoletest);
+use testapi;
+use utils;
+use containers::common;
+use containers::container_images;
+use suse_container_urls 'get_suse_container_urls';
+use version_utils qw(get_os_release);
+use version_utils 'is_sle';
+
+sub run {
+    my ($self) = @_;
+    my ($image_names, $stable_names) = get_suse_container_urls();
+    my ($running_version, $sp, $host_distri) = get_os_release;
+    my $runtime = "podman";
+
+    install_podman_when_needed($host_distri);
+    allow_selected_insecure_registries(runtime => $runtime);
+    my $user      = $testapi::username;
+    my $check_msg = 'Checking allocation range of user';
+    script_run "grep $user /etc/subuid || echo /etc/subuid has no uid range for $user", output => $check_msg;
+    script_run "grep $user /etc/subgid || echo /etc/subgid has no gid range for $user", output => $check_msg;
+    assert_script_run "usermod --add-subuids 200000-201000 --add-subgids 200000-201000 $user";
+    assert_script_run "grep $user /etc/subuid", fail_message => "subuid range not assigned for $user";
+    assert_script_run "grep $user /etc/subgid", fail_message => "subgid range not assigned for $user";
+    # Workaround instead of
+    # "setfacl -m u:$user:r /etc/zypp/credentials.d/*"
+    assert_script_run "chmod -R 666 /etc/zypp/credentials.d/*" if is_sle;
+    ensure_serialdev_permissions;
+    select_console "user-console";
+
+    # smoke test
+    assert_script_run "$runtime images -a";
+    for my $iname (@{$image_names}) {
+        test_container_image(image => $iname, runtime => $runtime);
+        build_container_image(image => $iname, runtime => $runtime);
+        test_zypper_on_container($runtime, $iname);
+        verify_userid_on_container($runtime, $iname);
+    }
+    clean_container_host(runtime => $runtime);
+    $self->select_serial_terminal();
+    assert_script_run "chmod -R 600 /etc/zypp/credentials.d/*" if is_sle;
+}
+
+1;