podman/test/apiv2
Paul Holzinger 597ebeb60f
top: do not depend on ps(1) in container
This ended up more complicated than expected. Let's start first with the
problem to show why I am doing this:

Currently we simply execute ps(1) in the container. This has some
drawbacks. First, obviously you need to have ps(1) in the container
image. That is not always the case, especially in small images. Second,
even if you do it will often be only busybox's ps which supports far
less options.

Now we also have psgo which is used by default but that only supports a
small subset of ps(1) options. Implementing all options there is way too
much work.

Docker on the other hand executes ps(1) directly on the host and tries
to filter pids with `-q` an option which is not supported by busybox's
ps and conflicts with other ps(1) arguments. That means they fall back
to full ps(1) on the host and then filter based on the pid in the
output. This is kinda ugly and falls short because users can modify the
ps output and it may not even include the pid in the output which causes
an error.

So every solution has a different drawback, but what if we can combine
them somehow?! This commit tries exactly that.

We use ps(1) from the host and execute that in the container's pid
namespace.
There are some security concerns that must be addressed:
- mount the executable paths for ps and podman itself readonly to
  prevent the container from overwriting it via /proc/self/exe.
- set NO_NEW_PRIVS, SET_DUMPABLE and PDEATHSIG
- close all non std fds to prevent leaking files in that the caller had
  open
- unset all environment variables to not leak any into the container

Technically this could be a breaking change if somebody does not
have ps on the host and only in the container, but I find that very
unlikely; we still have the exec-in-container fallback.

Because this can be insecure when the container has CAP_SYS_PTRACE, we
still only use the podman exec version in that case.

This updates the docs accordingly, note that podman pod top never falls
back to executing ps in the container as this makes no sense with
multiple containers so I fixed the docs there as well.

Fixes #19001
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2215572

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-07-10 13:32:55 +02:00
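The hardening steps listed in the commit message, shown as an added C example that is not podman's implementation. It assumes the host ps lives at /usr/bin/ps, that it runs as root (setns, unshare and mount need CAP_SYS_ADMIN), and it adds one step the message does not spell out: a private mount namespace with a freshly mounted /proc, because ps reads /proc and a /proc mounted from the host pid namespace would still show host pids. The function names (close_nonstd_fds, harden_self, is_hardened, bind_readonly, run_in_pidns) are this example's own. As the message notes, podman does not take this path for containers with CAP_SYS_PTRACE; the example does not check for that.

```c
/* Added example (not podman's code): run the host's ps(1) inside a target
 * process's pid namespace with the hardening the commit message lists:
 * NO_NEW_PRIVS, non-dumpable, PDEATHSIG, no inherited fds, empty environment,
 * and a read-only bind mount over the ps binary. Assumptions: ps at
 * /usr/bin/ps, root, and a private mount namespace with a fresh /proc.
 * Build: cc -std=gnu11 -o pstop pstop.c ; run: ./pstop <container-init-pid> aux */
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Close every descriptor above stderr so nothing the caller had open leaks
 * into ps. Returns how many descriptors were actually open and got closed. */
int close_nonstd_fds(void) {
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0) max = 1024;
    int closed = 0;
    for (long fd = 3; fd < max; fd++)
        if (close((int)fd) == 0) closed++;
    return closed;
}

/* Process-level hardening applied right before exec: no privilege gain via
 * setuid/file-capability binaries, and non-dumpable so the container cannot
 * ptrace the process or read its /proc/<pid>/ entries.
 * Returns 0 on success, -1 with errno set otherwise. */
int harden_self(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) < 0) return -1;
    return 0;
}

/* 1 if both NO_NEW_PRIVS and non-dumpable are in effect for this process. */
int is_hardened(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 &&
           prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0;
}

/* Bind-mount `path` over itself read-only in the current mount namespace so a
 * container process reaching the binary via /proc/<pid>/exe cannot write it. */
int bind_readonly(const char *path) {
    if (mount(path, path, NULL, MS_BIND, NULL) < 0) return -1;
    return mount(NULL, path, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL);
}

/* Run argv[0] inside the pid namespace of `target`. setns(CLONE_NEWPID) only
 * moves *children* of the caller, hence the fork after it. Returns the exit
 * status of the command, or -1 if it could not be started. */
int run_in_pidns(pid_t target, char *const argv[]) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/pid", (int)target);
    int nsfd = open(path, O_RDONLY | O_CLOEXEC);
    if (nsfd < 0) return -1;
    pid_t mid = fork();
    if (mid < 0) { close(nsfd); return -1; }
    if (mid == 0) {
        /* Both forked levels die with the caller (the "podman" process here). */
        if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) < 0) _exit(126);
        if (setns(nsfd, CLONE_NEWPID) < 0) _exit(126);
        /* Private mount namespace: the fresh /proc and the read-only bind
         * mount below must not propagate back to the host. */
        if (unshare(CLONE_NEWNS) < 0) _exit(126);
        if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) _exit(126);
        pid_t inner = fork();
        if (inner < 0) _exit(126);
        if (inner == 0) {
            /* Now inside the target pid namespace: a /proc mounted here shows
             * the container's pids, which is what ps will read. */
            if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) < 0) _exit(126);
            if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) < 0) _exit(126);
            if (bind_readonly(argv[0]) < 0 || harden_self() < 0) _exit(126);
            close_nonstd_fds();
            char *const envp[] = { NULL };   /* leak no host environment */
            execve(argv[0], argv, envp);
            _exit(127);
        }
        int st;
        if (waitpid(inner, &st, 0) < 0) _exit(126);
        _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 126);
    }
    close(nsfd);
    int st;
    if (waitpid(mid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s TARGET_PID [ps args...]\n", argv[0]); return 2; }
    char *ps_argv[argc + 1];
    ps_argv[0] = "/usr/bin/ps";          /* assumption: host ps location */
    for (int i = 2; i < argc; i++) ps_argv[i - 1] = argv[i];
    ps_argv[argc - 1] = NULL;
    int rc = run_in_pidns((pid_t)atoi(argv[1]), ps_argv);
    if (rc < 0) perror("run_in_pidns");
    return rc < 0 ? 1 : rc;
}
```

Run it as root against a container's init pid, e.g. `./pstop "$(podman inspect -f '{{.State.Pid}}' CTR)" aux`. The read-only bind mount, the private mount namespace and the non-dumpable flag together are what keep a container process from reaching the host binary through the ps process's /proc/<pid>/exe; NO_NEW_PRIVS prevents ps from gaining anything through setuid or file-capability bits even if the container could influence its exec.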
python chore(deps): update dependency setuptools to v68 2023-06-19 18:59:03 +00:00
00-TEMPLATE Tests for API v2 2020-01-17 09:59:22 -07:00
01-basic.at Bump Compat API maximum version to v1.41 2022-05-23 11:31:44 -04:00
10-images.at compat API create/pull: fix error handling 2023-06-21 16:37:27 +02:00
12-imagesMore.at compat API push: fix error handling 2023-06-21 16:35:55 +02:00
15-manifest.at Add support for podman-remote manifest annotate 2022-11-24 14:11:08 +09:00
19-stats.at Fix: display online_cpus in compat REST API 2023-05-31 07:41:30 +03:00
20-containers.at top: do not depend on ps(1) in container 2023-07-10 13:32:55 +02:00
22-stop.at Add podman rm --depend 2022-01-11 14:33:54 -05:00
23-containersArchive.at APIv2 test cleanup, part 2 of 2 2022-08-25 11:07:11 -06:00
25-containersMore.at export: use io.Writer instead of file 2022-12-20 14:38:41 +01:00
26-containersWait.at remote wait: fix "removed" condition 2023-06-16 11:55:53 +02:00
27-containersEvents.at Events for containers in pods now include the pod's ID 2022-09-22 14:18:56 -04:00
30-volumes.at Add until filter to volume ls filters list 2021-07-22 00:01:07 +02:00
35-networks.at compat API: network create return 409 for duplicate 2023-02-21 16:55:27 +01:00
40-pods.at APIv2 test cleanup, part 2 of 2 2022-08-25 11:07:11 -06:00
44-mounts.at System test cleanup 2021-03-15 15:27:06 -06:00
45-system.at Vendor c/image after https://github.com/containers/image/pull/1816 2023-02-08 22:37:38 +01:00
50-secrets.at Add support for secret exists 2023-04-03 15:33:50 +03:00
60-auth.at api: auth: fix nil deref 2023-04-12 11:27:35 +02:00
70-short-names.at compat API push: fix error handling 2023-06-21 16:35:55 +02:00
80-kube.at test/apiv2/80-kube.at 2023-04-04 16:07:02 +02:00
README.md APIv2 test cleanup, part 2 of 2 2022-08-25 11:07:11 -06:00
containers.conf compat API: allow enforcing short-names resolution to Docker Hub 2021-11-30 14:22:52 +01:00
containers.host-netns.conf [docker compat] Don't overwrite the NetworkMode if containers.conf overrides netns. 2023-01-11 17:44:09 +00:00
containers.no_hosts.conf API: use no_hosts from containers.conf 2022-04-11 18:41:19 +02:00
test-apiv2 compat: accept tag in /images/create?fromSrc 2023-05-17 16:12:19 +02:00

README.md

API v2 tests

This directory contains tests for the podman version 2 API (HTTP).

Tests themselves are in files of the form 'NN-NAME.at' where NN is a two-digit number, NAME is a descriptive name, and '.at' is just an extension I picked.

Running Tests

The main test runner is test-apiv2. Usage is:

$ sudo ./test-apiv2 [NAME [...]]

...where NAME is one or more optional test names, e.g. 'image' or 'pod' or both. By default, test-apiv2 will invoke all *.at tests.

test-apiv2 connects to localhost only and via TCP. There is no support here for remote hosts or for UNIX sockets. This is a framework for testing the API, not all possible protocols.

test-apiv2 will start the service if it isn't already running.

Writing Tests

The main test function is t. It runs curl against the server, with POST parameters if present, and compares return status and (optionally) string results from the server:

t GET /_ping 200 OK
  ^^^ ^^^^^^ ^^^ ^^
  |   |      |   +--- expected string result
  |   |      +------- expected return code
  |   +-------------- endpoint to access
  +------------------ method (GET, POST, DELETE, HEAD)


t POST libpod/volumes/create name=foo 201 .ID~[0-9a-f]\\{12\\}
       ^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^ ^^^ ^^^^^^^^^^^^^^^^^^^^
       |                     |        |   JSON '.ID': expect 12-char hex
       |                     |        +-- expected code
       |                     +----------- POST params
       +--------------------------------- note the missing slash

Never, ever, ever, seriously EVER exit from a test. Just don't. That skips cleanup, and leaves the system in a broken state.

Notes:

  • If the endpoint has a leading slash (/_ping), t leaves it unchanged. If there's no leading slash, t prepends /v1.40. This is a convenience so tests don't have to repeat the API version prefix on every line.

  • When method is POST, the argument(s) after the endpoint may be a series of POST parameters in the form 'key=value', separated by spaces:

        t POST myentrypoint 200                                       ! no params
        t POST myentrypoint id=$id 200                                ! just one
        t POST myentrypoint id=$id filter='{"foo":"bar"}' 200         ! two, with json
        t POST myentrypoint name=$name badparam='["foo","bar"]' 500   ! etc...

    t will convert the param list to JSON form for passing to the server. A numeric status code terminates processing of POST parameters.

      • As a special case, when one POST argument is a string ending in .tar, .yaml, or .json, t will invoke curl with --data-binary @PATH and set Content-type as appropriate. This is useful for build endpoints. (To override Content-type, simply pass along an extra string argument matching application/*):

            t POST myentrypoint /mytmpdir/myfile.tar application/foo 400

      • Like above, when using PUT, t passes the file with curl's --upload-file instead of --data-binary.

  • The final arguments are one or more expected string results. If an argument starts with a dot, t will invoke jq on the output to fetch that field, and will compare it to the right-hand side of the argument. If the separator is = (equals), t will require an exact match; if ~ (tilde), t will use expr to do a regular-expression match, i.e. a basic regex anchored at the start of the value, which is what the .ID~[0-9a-f]\\{12\\} example above relies on.

  • If your test expects curl to time out: APIV2_TEST_EXPECT_TIMEOUT=5 t POST /foo 999