system tests: fix volume exec/noexec test

[sstosh]

The return code is "126" in the current version of runc.

Signed-off-by: Toshiki Sonoda [email protected]

---

podman info

# podman info
host:
  arch: amd64
  buildahVersion: 1.27.1
  cgroupControllers:
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - hugetlb
  - pids
  - rdma
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: conmon-2.1.4-1.module+el8.7.0+16772+33343656.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.4, commit: 691ad93a4898a57af5788c41fa22a45fac3beaae'
  cpuUtilization:
    idlePercent: 99.63
    systemPercent: 0.09
    userPercent: 0.28
  cpus: 4
  distribution:
    distribution: '"rhel"'
    version: "8.7"
  eventLogger: file
  hostname: rhel87
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.18.0-425.3.1.el8.x86_64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 2629210112
  memTotal: 3912503296
  networkBackend: cni
  ociRuntime:
    name: runc
    package: runc-1.1.4-1.module+el8.7.0+16772+33343656.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.1.4
      spec: 1.0.2-dev
      go: go1.18.4
      libseccomp: 2.5.2
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-2.module+el8.7.0+16772+33343656.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 4248825856
  swapTotal: 4248825856
  uptime: 2h 9m 42.00s (Approximately 0.08 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 54113640448
  graphRootUsed: 2547527680
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.2.0
  Built: 1664492105
  BuiltTime: Fri Sep 30 07:55:05 2022
  GitCommit: ""
  GoVersion: go1.18.4
  Os: linux
  OsArch: linux/amd64
  Version: 4.2.0

# podman volume create testvol
testvol
# podman volume inspect --format '{{.Mountpoint}}' testvol
/var/lib/containers/storage/volumes/testvol/_data
# cat >/var/lib/containers/storage/volumes/testvol/_data/myscript <<EOF
#!/bin/sh
echo "test message"
EOF

# chmod 755 /var/lib/containers/storage/volumes/testvol/_data/myscript
# podman run --rm --volume testvol:/vol:noexec,z quay.io/libpod/testimage:20220615 /vol/myscript
Error: runc: runc create failed: unable to start container process: exec /vol/myscript: permission denied: OCI permission denied
# echo $?
126

Does this PR introduce a user-facing change?

None

[edsantiago]

I've confirmed that this makes the test pass on RHEL8.8 with runc-1.1.4-1.module+el8.8.0+17695+8a9c0c1b.x86_64.

The word "current" is antihelpful in commit messages, but it probably doesn't matter too much in this case.

/lgtm
/hold

Restarted two flakes, new ones, look like temporary github outage.

[mheon]

LGTM

[edsantiago]

/hold cancel

[edsantiago]

Can someone with cherrypick privs bring this into 4.4?

[mheon]

/cherry-pick v4.4

[openshift-cherrypick-robot]

@mheon: once the present PR merges, I will cherry-pick it on top of v4.4 in a new PR and assign it to you.

In response to this:

/cherry-pick v4.4

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[mheon]

Oops

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mheon, sstosh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mheon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-cherrypick-robot]

@mheon: new pull request created: #17344

In response to this:

/cherry-pick v4.4

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.