597ebeb60f
This ended up more complicated then expected. Lets start first with the problem to show why I am doing this: Currently we simply execute ps(1) in the container. This has some drawbacks. First, obviously you need to have ps(1) in the container image. That is no always the case especially in small images. Second, even if you do it will often be only busybox's ps which supports far less options. Now we also have psgo which is used by default but that only supports a small subset of ps(1) options. Implementing all options there is way to much work. Docker on the other hand executes ps(1) directly on the host and tries to filter pids with `-q` an option which is not supported by busybox's ps and conflicts with other ps(1) arguments. That means they fall back to full ps(1) on the host and then filter based on the pid in the output. This is kinda ugly and fails short because users can modify the ps output and it may not even include the pid in the output which causes an error. So every solution has a different drawback, but what if we can combine them somehow?! This commit tries exactly that. We use ps(1) from the host and execute that in the container's pid namespace. There are some security concerns that must be addressed: - mount the executable paths for ps and podman itself readonly to prevent the container from overwriting it via /proc/self/exe. - set NO_NEW_PRIVS, SET_DUMPABLE and PDEATHSIG - close all non std fds to prevent leaking files in that the caller had open - unset all environment variables to not leak any into the contianer Technically this could be a breaking change if somebody does not have ps on the host and only in the container but I find that very unlikely, we still have the exec in container fallback. Because this can be insecure when the contianer has CAP_SYS_PTRACE we still only use the podman exec version in that case. This updates the docs accordingly, note that podman pod top never falls back to executing ps in the container as this makes no sense with multiple containers so I fixed the docs there as well. Fixes #19001 Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2215572 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Test utils
Test utils provide common functions and structs for testing. It includes two structs:
-
PodmanTest: Handle the podman command and other global resources like temporary directory. It provides basic methods, like checking podman image and pod status. Test suites should create their owner test struct as a composite ofPodmanTest, and their owner PodmanMakeOptions(). -
PodmanSession: Store execution session data and related methods. Such like get command output and so on. It can be used directly in the test suite, only embed it to your owner session struct if you need expend it.
Unittest for test/utils
To ensure neither tests nor utils break, There are unit-tests for each functions and
structs in test/utils. When you adding functions or structs to this package, please
update both unit-tests for it and this documentation.
Run unit test for test/utils
Run unit test for test/utils.
make localunit
Structure of the test utils and test suites
The test utils package is at the same level of test suites. Each test suites also have their
owner common functions and structs stored in libpod_suite_test.go.
Ginkgo test framework
Ginkgo is a BDD testing framework. This allows us to use native Golang to perform our tests and there is a strong affiliation between Ginkgo and the Go test framework.
Installing dependencies
Some external binaries are required to successfully run the tests. The test currently depend on:
- normal podman runtime dependencies
- coreutils
- ncat
- gzip
- xz
- htpasswd
- iproute2
- iptables
- util-linux
- tar
- docker
- systemd/systemctl
Most of these are only required for a few tests so it is not a big issue if not everything is installed. Only a few test should fail then.
Installing ginkgo
Build ginkgo and install it under ./test/tools/build/ginkgo with the following command:
make .install.ginkgo
Integration Tests
Test suite for integration test for podman command line. It has its own structs:
-
PodmanTestIntegration: Integration test struct as a composite ofPodmanTest. It set up the global options for podman command to ignore the environment influence from different test system. -
PodmanSessionIntegration: This struct has it own methods for checking command output with given format JSON by using structs defined in inspect package.
Running the integration tests
You can run the entire suite of integration tests with the following command:
make localintegration
To run the remote tests use:
make remoteintegration
Test variables
Some test only work as rootless while others only work as root. So to test everything you should make sure to run the make command above as normal user and root.
The following environment variables are supported by the test setup:
PODMAN_BINARY: path to the podman binary, defaults tobin/podmanin the repository root.PODMAN_REMOTE_BINARY: path to the podman-remote binary, defaults tobin/podman-remotein the repository root.QUADLET_BINARY: path to the quadlet binary, defaults tobin/quadletin the repository root.CONMON_BINARY: path to th conmon binary, defaults to/usr/libexec/podman/conmon.OCI_RUNTIME: which oci runtime to use, defaults tocrun.NETWORK_BACKEND: the network backend, eithercni(default) ornetavark.PODMAN_DB: the database backendboltdb(default) orsqlite.PODMAN_TEST_IMAGE_CACHE_DIR: path were the container images should be cached, defaults to/tmp.
Running a single file of integration tests
You can run a single file of integration tests using the go test command:
make localintegration FOCUS_FILE=your_test.go
FOCUS_FILE file maps to ginkgo's --focus-file option, see the ginkgo
docs for the accepted syntax.
For remote tests use the remoteintegration Makefile target instead.
Running a single integration test
Before running the test suite, you have to declare which test you want run in the test file itself. Consider the following actual test:
It("podman inspect bogus pod", func() {
session := podmanTest.Podman([]string{"pod", "inspect", "foobar"})
session.WaitWithDefaultTimeout()
Expect(session).To(ExitWithError())
})
To mark this as the test you want run, you simply change the It description to FIt. Please note how
both the F and I are capitalized. Also see the ginkgo docs.
Note: Be sure you remove the F from the tests before committing your changes or you will skip all tests
in that file except the one with the FIt denotation.
Alternatively you can use the FOCUS option which maps to --focus, again see the ginkgo
docs for more info about the syntax.
make localintegration FOCUS="podman inspect bogus pod"
System tests
System tests are used for testing the podman CLI in the context of a complete system. It requires that podman, all dependencies, and configurations are in place. The intention of system testing is to match as closely as possible with real-world user/developer use-cases and environments. The orchestration of the environments and tests is left to external tooling.
System tests use Bash Automated Testing System (bats) as a testing framework.
Install it via your package manager or get latest stable version
directly from the repository, e.g.:
mkdir -p ~/tools/bats
git clone --single-branch --branch v1.1.0 https://github.com/bats-core/bats-core.git ~/tools/bats
Make sure that bats binary (bin/bats in the repository) is in your PATH, if not - add it:
PATH=$PATH:~/tools/bats/bin
System tests also rely on jq, socat, nmap, and other tools. For a
comprehensive list, see the %package tests section in the
fedora specfile.
Running system tests
When bats is installed and is in your PATH, you can run the test suite with following command:
make localsystem
Running the system tests in a more controlled way
If you would like to run a subset of the system tests, or configure the environment (e.g. root vs rootless, local vs remote),
use hack/bats.
For usage run:
hack/bats --help
Contributing to system tests
Please see the TODO list of needed workflows/tests.