e2e/systemd: test with enforcing selinux #2002
Conversation
F28 looks in infra issues
We're waiting on containers/container-selinux#59 to merge before this is ready - WIP will come off once that's good
Changes LGTM, but the tests are not at all happy.
☔ The latest upstream changes (presumably #2481) made this pull request unmergeable. Please resolve the merge conflicts.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: EmilienM, mheon. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
☔ The latest upstream changes (presumably #2704) made this pull request unmergeable. Please resolve the merge conflicts.
what is the status of this PR? @EmilienM are you still working on it?
no I have not been catching up on that one, mostly doing it on my free time. I still see some value having it, please give me a bit of time.
@EmilienM Is this still something you want/need or has it been fixed in the testing?
Just rebased. I'll look at the tests this week if they fail and if I have the time; otherwise close it.
@rhatdan ready for review it seems
LGTM
@EmilienM Not sure what happened here, could you rebase and repush so we can get the CI/CD system running again.
} | ||
|
||
mode := selinux.DefaultEnforceMode() | ||
selinux.SetEnforceMode(1) |
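Review bot: the error returned by `selinux.SetEnforceMode(1)` is discarded, so if the write to the enforce node fails (for instance when the test runs without the privilege to switch modes) the test carries on believing the host is enforcing; check it with `Expect(err).To(BeNil())` and use the named constant `selinux.Enforcing` instead of the literal `1`. Also, `selinux.DefaultEnforceMode()` reports the mode configured in /etc/selinux/config rather than the live mode, so restoring `mode` at the end of the test can leave the host in a mode other than the one it was actually running in; read the live mode with `selinux.EnforceMode()` and only change (and later restore) it when it differs from enforcing.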
could you change it to something like:

```go
mode := selinux.EnforceMode()
if mode != selinux.Enforcing {
    err := selinux.SetEnforceMode(selinux.Enforcing)
    Expect(err).To(BeNil())
    defer selinux.SetEnforceMode(mode)
}
```

then you can also drop the `selinux.SetEnforceMode(mode)` at line 92
Signed-off-by: Matthew Heon <mheon@redhat.com>
Capabilities that were added and dropped were duplicated several times. Fix this. Signed-off-by: Peter Hunt <pehunt@redhat.com>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Take capabilities written in a kube and add them to a container. Adapt the test suite and write cap-add/drop tests. Signed-off-by: Peter Hunt <pehunt@redhat.com>
Close https://bugzilla.redhat.com/show_bug.cgi?id=1732280. From the bug: Podman search returns 25 results even when the limit option `--limit` is larger than 25 (maxQueries). They want Podman to return `--limit` results. This PR fixes the number of output results: if --limit is not set, return MIN(maxQueries, len(res)); if --limit is set, return MIN(option, len(res)). Signed-off-by: Qi Wang <qiwan@redhat.com>
Fedora CI tests are failing on rawhide under kernel 5.3.0-0.rc1.git3.1.fc31 (rhbz#1736758). But there's another insidious failure, a 4-hour hang in the rootless tests on the same CI system. The culprit line is in the podman build test, but it's actually BATS itself that hangs, not the build command -- which suggests that it's the usual FD 3 problem (see BATS README). It would seem that podman is forking a process that inherits fd 3 but that process is not getting cleaned up when podman crashes upon encountering the kernel bug. Today it's podman build, tomorrow it might be something else. Let's just run all podman invocations in run_podman with a non-bats FD 3. Signed-off-by: Ed Santiago <santiago@redhat.com>
If a container is restored multiple times from an exported checkpoint with the help of '--import --name', the restore will fail if during 'podman run' a static container IP was set with '--ip'. The user can tell the restore process to ignore the static IP with '--ignore-static-ip'. Signed-off-by: Adrian Reber <areber@redhat.com>
Enable podman events to format the output as jsonline Signed-off-by: Qi Wang <qiwan@redhat.com>
Add warnings/workarounds about NFS and OverlayFS to the troubleshooting guide and also the main podman page. Verified that these warnings are on the rootless page already. Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
There are two cases where logdriver can be empty: if it wasn't set by libpod, or if the user did --log-driver "". The latter case is an odd one, and the former is very possible and already handled for LogPath. Instead of printing an error for an entirely reasonable codepath, let's suppress the error. Signed-off-by: Peter Hunt <pehunt@redhat.com>
To help with future debugging, we now display the type of event logger being used inside podman info -> host. Signed-off-by: baude <bbaude@redhat.com>
Drop errors to debug when trying to set up the runtimetmpdir. If the tool cannot set up a runtime dir, it will error out with a correct message; no need to put errors on the screen when the tool actually succeeds. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
If the image is unnamed, pass a nil slice to the parse repotags function instead of getting the image name by index. After this patch, unnamed images will be shown as <none>:

```
Images space usage:
REPOSITORY                 TAG      IMAGE ID       CREATED       SIZE     SHARED SIZE   UNIQUE SIZE   CONTAINERS
docker.io/library/ubuntu   bionic   3556258649b2   11 days ago   66.6MB   0B            66.6MB        0
<none>                     <none>   dd8a8db2c79b   11 days ago   986MB    66.6MB        919MB         0
```

Signed-off-by: Qi Wang <qiwan@redhat.com>
We should be looking for the libpod.conf file in /usr/share/containers and not in /usr/local. Packages of podman should drop the default libpod.conf in /usr/share. The override remains /etc/containers/ as well. Fixes: #3702 Signed-off-by: baude <bbaude@redhat.com>
Old versions of conmon have a bug where they create the exit file before closing open file descriptors causing a race condition when restarting containers with open ports since we cannot bind the ports as they're not yet closed by conmon. Killing the old conmon PID is ~okay since it forces the FDs of old conmons to be closed, while it's a NOP for newer versions which should have exited already. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
A container restored from an exported checkpoint did not have its StartedTime set, which resulted in a status like 'Up 292 years ago' after the restore. This just sets the StartedTime to time.Now() if a container is restored from an exported checkpoint. Signed-off-by: Adrian Reber <areber@redhat.com>
I broke the PR by accident, let me fix that
Run the e2e/systemd_test with SElinux in enforcing mode. It'll just enable the mode during the test, and restore previous mode at the end of the test. Also, the test will be skipped if SElinux isn't enabled on the host. Signed-off-by: Emilien Macchi <emilien@redhat.com>
I'm going to create a new PR
e2e/systemd: test with enforcing selinux
Run the e2e/systemd_test with SElinux in enforcing mode.
It'll just enable the mode during the test, and restore previous mode at
the end of the test.
Also, the test will be skipped if SElinux isn't enabled on the host.
e2e/systemd: move userns skip to BeforeEach
Moving the skip that checks if userns is enabled to the BeforeEach
will help to skip the test quicker if not needed and also allow adding
more tests without adding the check every time.
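The save/set/restore pattern that the "test with enforcing selinux" commit describes, and that mheon's review suggestion makes conditional on the host not already enforcing, as an added shell example that is not code from this PR or from podman's test suite. It reads and writes the selinuxfs `enforce` node directly (what getenforce/setenforce use); the `SELINUX_ENFORCE_FILE` override, the `with_enforcing` helper name and the exit status 77 for "skipped" are assumptions for this example.

```shell
# Added example, not code from the PR: run a command with SELinux enforcing,
# restore the previous mode afterwards, and skip when SELinux is not enabled.
# SELINUX_ENFORCE_FILE is an assumed override so the pattern can be exercised
# against a plain file without root or a SELinux host.
ENFORCE_FILE="${SELINUX_ENFORCE_FILE:-/sys/fs/selinux/enforce}"

# Print the live mode: 1 = enforcing, 0 = permissive. Fails (status 1)
# when SELinux is not enabled, i.e. the selinuxfs node does not exist.
selinux_mode() {
    [ -r "$ENFORCE_FILE" ] || return 1
    cat "$ENFORCE_FILE"
}

# Run "$@" with SELinux enforcing, then put the previous mode back even if
# the command fails, and return the command's own exit status. Returns 77
# ("skipped") when SELinux is not enabled, which is the skip the commit
# describes. The mode is only changed, and therefore only restored, when
# the host was not already enforcing (the conditional from the review).
with_enforcing() {
    local prev rc
    prev=$(selinux_mode) || { echo "SELinux not enabled; skipping" >&2; return 77; }
    if [ "$prev" != "1" ]; then
        echo 1 > "$ENFORCE_FILE" || return 1
    fi
    "$@"
    rc=$?
    if [ "$prev" != "1" ]; then
        echo "$prev" > "$ENFORCE_FILE"
    fi
    return "$rc"
}
```

On a real host this needs root (or CAP_SYS_ADMIN with write access to selinuxfs) for the mode switch to succeed, which is why the write's status is checked rather than assumed.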