| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203 |
- import infra.basetest
- import json
- import os
- class PodmanBase(infra.basetest.BRTest):
- config = \
- """
- BR2_arm=y
- BR2_cortex_a9=y
- BR2_ARM_ENABLE_VFP=y
- BR2_TOOLCHAIN_EXTERNAL=y
- BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
- BR2_PER_PACKAGE_DIRECTORIES=y
- BR2_SYSTEM_DHCP="eth0"
- BR2_LINUX_KERNEL=y
- BR2_LINUX_KERNEL_CUSTOM_VERSION=y
- BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.10.202"
- BR2_LINUX_KERNEL_DEFCONFIG="vexpress"
- BR2_LINUX_KERNEL_DTS_SUPPORT=y
- BR2_LINUX_KERNEL_INTREE_DTS_NAME="vexpress-v2p-ca9"
- BR2_PACKAGE_PODMAN=y
- BR2_PACKAGE_UTIL_LINUX=y
- BR2_PACKAGE_UTIL_LINUX_MOUNT=y
- BR2_PACKAGE_HOST_GO_BIN=y
- BR2_TARGET_ROOTFS_EXT2=y
- BR2_TARGET_ROOTFS_EXT2_SIZE="256M"
- # BR2_TARGET_ROOTFS_TAR is not set
- """
- def do_test(self):
- class _Emul():
- def __init__(self, orig_emulator):
- self.emulator = orig_emulator
- def run(self, cmd, timeout=-1):
- if timeout < 0:
- timeout = 60
- return self.emulator.run(cmd, timeout)
- def stop(self):
- self.emulator.stop()
- kernel_file = os.path.join(self.builddir, 'images', 'zImage')
- dtb_file = os.path.join(self.builddir, 'images', 'vexpress-v2p-ca9.dtb')
- ext2_file = os.path.join(self.builddir, 'images', 'rootfs.ext2')
- self.emulator.boot(
- arch='armv5',
- kernel=kernel_file,
- kernel_cmdline=[
- 'root=/dev/mmcblk0',
- 'rootwait',
- 'console=ttyAMA0',
- ],
- options=[
- '-M', 'vexpress-a9',
- '-dtb', dtb_file,
- '-drive', f'file={ext2_file},if=sd,format=raw',
- ]
- )
- self.emulator.login()
- # Trick: replace the original emulator with one that always
- # adds a timeout
- self.emulator = _Emul(self.emulator)
- # Do some preparation for rootless use
- self.assertRunOk("mount --make-shared /")
- self.assertRunOk("chmod 666 /dev/net/tun")
- self.assertRunOk("useradd -d /home/foo -m -s /bin/sh -u 1000 foo")
- self.assertRunOk("touch /etc/subuid /etc/subgid")
- self.assertRunOk("usermod --add-subuids 10000-75535 foo")
- self.assertRunOk("usermod --add-subgids 10000-75535 foo")
- # If /etc/resolv.conf is a symlink, it has to point either into /etc
- # (or deep in there), or into /run (or deep in there), as only those
- # would eventually get used by podman/netavark for # rootless containers.
- # This is considered a workaround to the current situation; resolv,conf
- # should ultimately be in /run rather than /tmp.
- self.assertRunOk("mv /tmp/resolv.conf /run/resolv.conf")
- self.assertRunOk("ln -sf /run/resolv.conf /etc/resolv.conf")
- # First, test podman as root (the current user)
- self.do_podman()
- # Now, test podman as non-root. We need a bit of setup
- # We need to use the same prompts for the user as used for root, so that the
- # REPLWrapper still detects the prompts. This means it is going to be a bit
- # difficut to directly see that it was a user that executed a command.
- self.assertRunOk('su -s /usr/bin/env - foo PS1="${PS1}" PS2="${PS2}" /bin/sh')
- output, _ = self.emulator.run("id -u")
- self.assertEqual(output[0], "1000", "Could not switch to non-root")
- self.do_podman()
- def do_podman(self):
- # The podman binary is huge, so it takes time to load...
- # Next calls will be faster, though, as it is going to be cached.
- self.assertRunOk('podman --version')
- # Check for an empty image store
- output, exit_code = self.emulator.run("podman image ls --format '{{ json }}'")
- img_info = json.loads("".join(output))
- self.assertEqual(len(img_info), 0, f"{len(img_info)} image(s) already present")
- # Pull an image; it can take time: network, hash checksums...
- self.assertRunOk('podman image pull busybox:1.37.0')
- output, exit_code = self.emulator.run("podman image ls --format '{{ json }}'")
- img_info = json.loads("".join(output))
- self.assertEqual(len(img_info), 1, f"{len(img_info)} image(s), expecting 1")
- self.assertTrue("Id" in img_info[0], '"Id" not in img_info[0]')
- self.assertTrue("Digest" in img_info[0], '"Digest" not in img_info[0]')
- self.assertEqual(img_info[0]["Names"][0], "docker.io/library/busybox:1.37.0")
- output, _ = self.emulator.run('echo ${br_container}')
- self.assertEqual(output[0], "", "Already in a container")
- # Spawn the container; that can take a bit of time
- # Propagate the prompt so that the REPLWrapper detects it
- self.assertRunOk(
- "podman container run --rm -ti -e PS1 -e br_container=podman busybox:1.37.0",
- )
- # Twist! The command above is still running, but the shell it
- # started exposes the same prompt we expect. This is all what we want.
- output, _ = self.emulator.run('echo ${br_container}')
- self.assertEqual(output[0], "podman", "Not in a podman container")
- # Check that pid1 is the shell
- output, _ = self.emulator.run('readlink /proc/1/exe')
- self.assertEqual(output[0], "/bin/sh", f"PID1 is {output[0]}, should be /bin/sh")
- # Try to get something off the network
- # Using http, not https, as busybox' wget does not do https
- # Using --spider to just check we can reach the remote.
- output, exit_code = self.emulator.run('wget --spider http://google.com/')
- self.assertEqual(exit_code, 0, "wget did not succeed to reach google.com")
- self.assertEqual(output[-1], "remote file exists", "wget did not succeed to reach google.com")
- # Exit the container
- self.assertRunOk("exit 0")
- # Twist, take two! We are now back to the shell in the VM.
- output, _ = self.emulator.run('echo ${br_container}')
- self.assertEqual(output[0], "", "Still in a container")
- # Spawn a container, round two, but with an injected init this time
- self.assertRunOk(
- "podman container run --rm -ti -e PS1 --init -e br_container=podman busybox:1.37.0",
- )
- output, _ = self.emulator.run('echo ${br_container}')
- self.assertEqual(output[0], "podman", "Not in a podman container")
- # Check that pid1 is the init injected by podman
- output, _ = self.emulator.run('readlink /proc/1/exe')
- self.assertEqual(output[0], "/run/podman-init", f"PID1 is {output[0]}, should be /run/podman-init")
- # Exit the container
- self.assertRunOk("exit 0")
- output, _ = self.emulator.run('echo ${br_container}')
- self.assertEqual(output[0], "", "Still in a container")
- # Use an image from another registry, spawn without pulling first
- self.assertRunOk(
- "podman container run --rm -ti -e PS1 -e br_container=podman quay.io/prometheus/busybox:latest",
- )
- output, _ = self.emulator.run('echo ${br_container}')
- self.assertEqual(output[0], "podman", "Not in a podman container")
- self.assertRunOk("exit 0")
- output, _ = self.emulator.run('echo ${br_container}')
- self.assertEqual(output[0], "", "Still in a container")
- # Remove the offical image
- self.assertRunOk('podman image rm busybox:1.37.0')
- output, _ = self.emulator.run("podman image ls --format '{{ json }}'")
- img_info = json.loads("".join(output))
- # There is still one image(the unofficial one from quay.io)
- self.assertEqual(len(img_info), 1, f"{len(img_info)} image(s) still present, expecting 1")
- # Remove all remaining images
- self.assertRunOk('podman image prune -af')
- output, exit_code = self.emulator.run("podman image ls --format '{{ json }}'")
- img_info = json.loads("".join(output))
- self.assertEqual(len(img_info), 0, f"{len(img_info)} image(s) still present, expecting 0")
- class TestPodmanIptables(PodmanBase):
- def test_run(self):
- self.do_test()
- class TestPodmanNftables(PodmanBase):
- config = PodmanBase.config + """
- BR2_PACKAGE_NFTABLES=y
- """
- def test_run(self):
- self.do_test()
- class TestPodmanTini(PodmanBase):
- config = PodmanBase.config + """
- BR2_PACKAGE_PODMAN_INIT_TINI=y
- """
- def test_run(self):
- self.do_test()
|
