Try to inject the parent image in slopslopstrap
This commit is contained in:
Samuel Aubertin
@@ -98,6 +98,10 @@ verify_secret_mounts() {
|
||||
}
|
||||
|
||||
if [[ ${1-} == "image" && ${2-} == "inspect" && ${FAKE_PODMAN_INSPECT_FAIL:-0} == 1 ]]; then
|
||||
if [[ " $* " == *" --format "* ]]; then
|
||||
printf 'fake-image-id\n'
|
||||
exit 0
|
||||
fi
|
||||
echo "FAKE PODMAN (fail): $*" >>"$FAKE_PODMAN_LOG"
|
||||
exit 1
|
||||
fi
|
||||
@@ -510,9 +514,15 @@ EOF
|
||||
if ! grep -q -- "-v ${codex_root}/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
|
||||
record_failure "recursive_slopsloptrap: missing recursive auth bind mount"
|
||||
fi
|
||||
if ! grep -q -- "/capabilities/podman-preload:/codex/capabilities/podman/preload:Z" "$STUB_LOG"; then
|
||||
record_failure "recursive_slopsloptrap: missing recursive preload bind mount"
|
||||
fi
|
||||
if ! grep -q -- "-v ${codex_root}/sloptrap/state/" "$STUB_LOG"; then
|
||||
record_failure "recursive_slopsloptrap: missing recursive state bind mount"
|
||||
fi
|
||||
if ! grep -q -- "SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE=/codex/capabilities/podman/preload/slopsloptrap-sloptrap-image.tar" "$STUB_LOG"; then
|
||||
record_failure "recursive_slopsloptrap: missing recursive preload archive environment"
|
||||
fi
|
||||
if grep -q -- "-v ${codex_root}/.codex/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
|
||||
record_failure "recursive_slopsloptrap: should not fall back to CODEX_HOME/.codex in recursive mode"
|
||||
fi
|
||||
@@ -527,6 +537,9 @@ EOF
|
||||
if [[ -z $first_run || $first_run == *" login" ]]; then
|
||||
record_failure "recursive_slopsloptrap: recursive auth should avoid login target"
|
||||
fi
|
||||
if ! grep -q -- "FAKE PODMAN: save -o " "$STUB_LOG"; then
|
||||
record_failure "recursive_slopsloptrap: should export the parent image for recursive preload"
|
||||
fi
|
||||
if [[ $first_run != *"/bin/bash"* ]]; then
|
||||
record_failure "recursive_slopsloptrap: shell target did not reach child container run"
|
||||
fi
|
||||
@@ -540,6 +553,102 @@ EOF
|
||||
rm -rf "$temp_root"
|
||||
}
|
||||
|
||||
run_recursive_parent_image_fallback() {
|
||||
printf '==> recursive_parent_image_fallback\n'
|
||||
local temp_root helper_bin scenario_dir archive_path tool_log
|
||||
local inner_podman_root inner_podman_runroot inner_runtime_dir
|
||||
temp_root=$(mktemp -d)
|
||||
helper_bin="$temp_root/bin"
|
||||
scenario_dir="$temp_root/fallback-repo"
|
||||
archive_path="$scenario_dir/parent-runtime.tar"
|
||||
tool_log="$temp_root/tool.log"
|
||||
inner_podman_root="$temp_root/podman-storage"
|
||||
inner_podman_runroot="$temp_root/podman-run"
|
||||
inner_runtime_dir="$temp_root/podman-runtime"
|
||||
mkdir -p "$helper_bin" "$scenario_dir" "$inner_podman_root" "$inner_podman_runroot" "$inner_runtime_dir"
|
||||
: >"$tool_log"
|
||||
|
||||
cat >"$scenario_dir/.sloptrap" <<'EOF'
|
||||
name=fallback-repo
|
||||
capabilities=nested-podman
|
||||
EOF
|
||||
printf 'archive\n' >"$archive_path"
|
||||
|
||||
if ! extract_embedded_helper "sloppodman" "$helper_bin/sloppodman"; then
|
||||
record_failure "recursive_parent_image_fallback: failed to extract sloppodman helper"
|
||||
rm -rf "$temp_root"
|
||||
return
|
||||
fi
|
||||
|
||||
cat >"$helper_bin/podman" <<'EOF'
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
printf 'podman %s\n' "$*" >>"$TEST_TOOL_LOG"
|
||||
args=("$@")
|
||||
idx=0
|
||||
loaded_flag="${TEST_TOOL_LOG}.loaded"
|
||||
while (( idx < ${#args[@]} )); do
|
||||
if [[ ${args[$idx]} == "image" ]] && (( idx + 1 < ${#args[@]} )) && [[ ${args[$((idx + 1))]} == "inspect" ]]; then
|
||||
if [[ -f $loaded_flag ]]; then
|
||||
exit 0
|
||||
fi
|
||||
exit 1
|
||||
fi
|
||||
if [[ ${args[$idx]} == "load" ]]; then
|
||||
: >"$loaded_flag"
|
||||
exit 0
|
||||
fi
|
||||
((idx+=1))
|
||||
done
|
||||
exit 0
|
||||
EOF
|
||||
cat >"$helper_bin/setpriv" <<'EOF'
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case "$1" in
|
||||
--reuid|--regid)
|
||||
shift 2
|
||||
;;
|
||||
--clear-groups)
|
||||
shift
|
||||
;;
|
||||
--)
|
||||
shift
|
||||
break
|
||||
;;
|
||||
*)
|
||||
break
|
||||
;;
|
||||
esac
|
||||
done
|
||||
exec "$@"
|
||||
EOF
|
||||
chmod +x "$helper_bin/sloppodman" "$helper_bin/podman" "$helper_bin/setpriv"
|
||||
|
||||
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" HOME="$temp_root/home" CODEX_HOME="$temp_root/home" \
|
||||
SLOPTRAP_CONTAINER_ENGINE="sloppodman" \
|
||||
SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \
|
||||
SLOPTRAP_WORKDIR="$scenario_dir" \
|
||||
SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE="$archive_path" \
|
||||
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
|
||||
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
|
||||
XDG_RUNTIME_DIR="$inner_runtime_dir" \
|
||||
"$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" build-if-missing >/dev/null 2>&1; then
|
||||
record_failure "recursive_parent_image_fallback: build-if-missing exited non-zero"
|
||||
rm -rf "$temp_root"
|
||||
return
|
||||
fi
|
||||
if grep -q -- 'podman --root .* build ' "$tool_log"; then
|
||||
record_failure "recursive_parent_image_fallback: fallback should avoid podman build"
|
||||
fi
|
||||
if ! grep -q -- "podman --root $inner_podman_root --runroot $inner_podman_runroot --storage-driver vfs --cgroup-manager cgroupfs --events-backend file load -i $archive_path" "$tool_log"; then
|
||||
record_failure "recursive_parent_image_fallback: fallback did not load the parent archive into the nested store"
|
||||
fi
|
||||
|
||||
rm -rf "$temp_root"
|
||||
}
|
||||
|
||||
run_project_state_isolation() {
|
||||
local scenario_a scenario_b
|
||||
scenario_a=$(cd "$TEST_ROOT/resume_target" && pwd -P)
|
||||
@@ -885,6 +994,9 @@ run_capability_profiles() {
|
||||
if ! grep -q -- "SLOPTRAP_HOST_GID=$(id -g)" "$STUB_LOG"; then
|
||||
record_failure "capability_profiles: host gid environment missing"
|
||||
fi
|
||||
if ! grep -q -- "SLOPTRAP_HOST_USER=$(id -un)" "$STUB_LOG"; then
|
||||
record_failure "capability_profiles: host user environment missing"
|
||||
fi
|
||||
if ! grep -q -- "SLOPTRAP_INNER_PODMAN_HOST_NETWORK=1" "$STUB_LOG"; then
|
||||
record_failure "capability_profiles: inner podman host-network mirror flag missing"
|
||||
fi
|
||||
@@ -938,11 +1050,11 @@ run_embedded_capability_helpers() {
|
||||
return
|
||||
fi
|
||||
|
||||
cat >"$helper_bin/podman" <<'EOF'
|
||||
cat >"$helper_bin/podman" <<'EOF'
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
printf 'podman-env BUILDAH_ISOLATION=%s CONTAINERS_STORAGE_CONF=%s CONTAINERS_CONF=%s\n' \
|
||||
"${BUILDAH_ISOLATION:-}" "${CONTAINERS_STORAGE_CONF:-}" "${CONTAINERS_CONF:-}" >>"$TEST_TOOL_LOG"
|
||||
printf 'podman-env BUILDAH_ISOLATION=%s _CONTAINERS_USERNS_CONFIGURED=%s CONTAINERS_STORAGE_CONF=%s CONTAINERS_CONF=%s\n' \
|
||||
"${BUILDAH_ISOLATION:-}" "${_CONTAINERS_USERNS_CONFIGURED:-}" "${CONTAINERS_STORAGE_CONF:-}" "${CONTAINERS_CONF:-}" >>"$TEST_TOOL_LOG"
|
||||
printf 'podman %s\n' "$*" >>"$TEST_TOOL_LOG"
|
||||
exit 0
|
||||
EOF
|
||||
@@ -1086,6 +1198,9 @@ EOF
|
||||
if ! grep -q -- 'podman-env BUILDAH_ISOLATION=chroot ' "$tool_log"; then
|
||||
record_failure "embedded_capability_helpers: sloppodman did not set BUILDAH_ISOLATION=chroot"
|
||||
fi
|
||||
if ! grep -q -- '_CONTAINERS_USERNS_CONFIGURED=done ' "$tool_log"; then
|
||||
record_failure "embedded_capability_helpers: sloppodman did not mark nested podman as already userns-configured"
|
||||
fi
|
||||
if [[ ! -f $inner_runtime_dir/config/containers/storage.conf ]] \
|
||||
|| [[ ! -f $inner_runtime_dir/config/containers/containers.conf ]]; then
|
||||
record_failure "embedded_capability_helpers: sloppodman did not materialize its container config files"
|
||||
@@ -1115,7 +1230,32 @@ case "${1-}" in
|
||||
;;
|
||||
esac
|
||||
EOF
|
||||
chmod +x "$helper_bin/id"
|
||||
cat >"$temp_root/entrypoint-helperd" <<'EOF'
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
exit 0
|
||||
EOF
|
||||
chmod +x "$helper_bin/id" "$temp_root/entrypoint-helperd"
|
||||
local entry_subuid entry_subgid
|
||||
entry_subuid="$temp_root/entry-subuid"
|
||||
entry_subgid="$temp_root/entry-subgid"
|
||||
printf 'sloptrap:100000:65536\n' >"$entry_subuid"
|
||||
printf 'sloptrap:100000:65536\n' >"$entry_subgid"
|
||||
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \
|
||||
SLOPTRAP_HOST_UID="1337" SLOPTRAP_HOST_GID="1337" SLOPTRAP_HOST_USER="$caller_user" \
|
||||
SLOPTRAP_PODMAN_SUBUID_FILE="$entry_subuid" SLOPTRAP_PODMAN_SUBGID_FILE="$entry_subgid" \
|
||||
SLOPTRAP_PODMAN_SUBID_START="200000" SLOPTRAP_PODMAN_SUBID_COUNT="65536" \
|
||||
SLOPTRAP_PODMAN_SUBGID_START="200000" SLOPTRAP_PODMAN_SUBGID_COUNT="65536" \
|
||||
SLOPTRAP_HELPERD_BIN="$temp_root/entrypoint-helperd" \
|
||||
"$helper_bin/sloptrap-entrypoint" true >/dev/null 2>&1; then
|
||||
record_failure "embedded_capability_helpers: entrypoint did not synthesize subid files for the host user"
|
||||
fi
|
||||
if [[ -z $(awk -F: -v account="$caller_user" '$1 == account { print $2 ":" $3 }' "$entry_subuid" 2>/dev/null || true) ]]; then
|
||||
record_failure "embedded_capability_helpers: entrypoint did not prefer SLOPTRAP_HOST_USER for subuid synthesis"
|
||||
fi
|
||||
if [[ -z $(awk -F: -v account="$caller_user" '$1 == account { print $2 ":" $3 }' "$entry_subgid" 2>/dev/null || true) ]]; then
|
||||
record_failure "embedded_capability_helpers: entrypoint did not prefer SLOPTRAP_HOST_USER for subgid synthesis"
|
||||
fi
|
||||
local caller_subuid root_subuid caller_subgid root_subgid
|
||||
local helper_subuid_file helper_subgid_file
|
||||
helper_subuid_file="$temp_root/helper-subuid"
|
||||
@@ -1270,6 +1410,7 @@ run_resume_omits_runtime_context
|
||||
run_auth_file_mount
|
||||
run_codex_home_override
|
||||
run_recursive_slopsloptrap
|
||||
run_recursive_parent_image_fallback
|
||||
run_project_state_isolation
|
||||
run_auto_login_empty_auth
|
||||
run_codex_symlink_home
|
||||
|
||||
Reference in New Issue
Block a user