Skip to content

Commit

Permalink
Fix AVC denials in tests of volume mounts
Browse files Browse the repository at this point in the history
This becomes a problem on hosts with upgraded policies.  Ref:
containers#10522

Also, made a small change to compose-test setup to reduce runtime.

Signed-off-by: Chris Evich <[email protected]>
  • Loading branch information
cevich committed Aug 18, 2021
1 parent 77f6652 commit dc70382
Show file tree
Hide file tree
Showing 4 changed files with 11 additions and 6 deletions.
2 changes: 1 addition & 1 deletion contrib/cirrus/setup_environment.sh
Original file line number Diff line number Diff line change
Expand Up @@ -208,7 +208,7 @@ case "$TEST_FLAVOR" in
unit) ;;
apiv2) ;& # use next item
compose)
dnf install -y $PACKAGE_DOWNLOAD_DIR/podman-docker*
rpm -ivh $PACKAGE_DOWNLOAD_DIR/podman-docker*
;& # continue with next item
int) ;&
sys) ;&
Expand Down
2 changes: 2 additions & 0 deletions test/compose/mount_and_label/docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,5 +6,7 @@ services:
- '5000:5000'
volumes:
- /tmp/data:/data:ro
security_opt:
- label=disable
labels:
- "io.podman=the_best"
11 changes: 7 additions & 4 deletions test/e2e/login_logout_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -79,9 +79,9 @@ var _ = Describe("Podman login and logout", func() {

session = podmanTest.Podman([]string{"run", "-d", "-p", strings.Join([]string{strconv.Itoa(port), strconv.Itoa(port)}, ":"),
"-e", strings.Join([]string{"REGISTRY_HTTP_ADDR=0.0.0.0", strconv.Itoa(port)}, ":"), "--name", "registry", "-v",
strings.Join([]string{authPath, "/auth"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
strings.Join([]string{authPath, "/auth:Z"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
"REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd",
"-v", strings.Join([]string{certPath, "/certs"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
"-v", strings.Join([]string{certPath, "/certs:Z"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
"-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", "registry:2.6"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
Expand Down Expand Up @@ -235,10 +235,13 @@ var _ = Describe("Podman login and logout", func() {
setup.WaitWithDefaultTimeout()
defer os.RemoveAll(certDir)

// N/B: This second registry container shares the same auth and cert dirs
// as the registry started from BeforeEach(). Since this one starts
// second, re-labeling the volumes should keep SELinux happy.
session := podmanTest.Podman([]string{"run", "-d", "-p", "9001:9001", "-e", "REGISTRY_HTTP_ADDR=0.0.0.0:9001", "--name", "registry1", "-v",
strings.Join([]string{authPath, "/auth"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
strings.Join([]string{authPath, "/auth:z"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
"REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd",
"-v", strings.Join([]string{certPath, "/certs"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
"-v", strings.Join([]string{certPath, "/certs:z"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
"-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", "registry:2.6"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
Expand Down
2 changes: 1 addition & 1 deletion test/e2e/run_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -946,7 +946,7 @@ USER mail`, BB)
Expect(err).To(BeNil())
mountpoint := "/myvol/"

session := podmanTest.Podman([]string{"create", "--volume", vol + ":" + mountpoint, ALPINE, "cat", mountpoint + filename})
session := podmanTest.Podman([]string{"create", "--volume", vol + ":" + mountpoint + ":z", ALPINE, "cat", mountpoint + filename})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
ctrID := session.OutputToString()
Expand Down

0 comments on commit dc70382

Please sign in to comment.