test: skip test on rootless cgroupsv1

skip the test "podman selinux: shared context in (some) namespaces" on cgroupsv1 when running as rootless since the tests requires --pid=container:. If the container runtime cannot use cgroupsv1 and the container has no pid namespace. then it is not possible to correctly terminate the container. Without a cgroup or a pid namespace, the runtime has no control on what processes are in the container. Closes: containers#11785 Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe · Sep 30, 2021 · 788106d · 788106d
1 parent cd10304
commit 788106d
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
@@ -113,6 +113,10 @@ function check_label() {
 @test "podman selinux: shared context in (some) namespaces" {
     skip_if_no_selinux
 
+    # rootless users have no usable cgroups with cgroupsv1, so containers
+    # must use a pid namespace and not join an existing one.
+    skip_if_rootless_cgroupsv1
+
     run_podman run -d --name myctr $IMAGE top
     run_podman exec myctr cat -v /proc/self/attr/current
     context_c1="$output"

diff --git a/test/system/helpers.bash b/test/system/helpers.bash
@@ -428,6 +428,18 @@ function skip_if_cgroupsv1() {
     fi
 }
 
+######################
+#  skip_if_rootless_cgroupsv1  #  ...with an optional message
+######################
+function skip_if_rootless_cgroupsv1() {
+    if is_rootless; then
+        if ! is_cgroupsv2; then
+            local msg=$(_add_label_if_missing "$1" "rootless cgroupvs1")
+            skip "${msg:-not supported as rootless under cgroupsv1}"
+        fi
+    fi
+}
+
 ##################################
 #  skip_if_journald_unavailable  #  rhbz#1895105: rootless journald permissions
 ##################################