From fb3aca0f7d6c02f423d6070849ab17d7ef1bbe2c Mon Sep 17 00:00:00 2001
From: Samuel Aubertin
Date: Tue, 10 Mar 2026 11:02:44 +0100
Subject: [PATCH] Remove nested-podman
---
 .sloptrap | 2 +-
 AGENTS.md | 23 +-
 README.md | 4 +-
 sloptrap | 890 +-------------------------------
 tests/capability_repo/.sloptrap | 2 +-
 tests/run_tests.sh | 389 +-------------
 6 files changed, 42 insertions(+), 1268 deletions(-)
diff --git a/.sloptrap b/.sloptrap
index e29f161..f7b9140 100644
--- a/.sloptrap
+++ b/.sloptrap
@@ -1,4 +1,4 @@
 name=skz-sloptrap
 packages_extra=bash make shellcheck jq podman iproute2 strace
-capabilities=apt-install nested-podman packet-capture
+capabilities=apt-install packet-capture
 allow_host_network=false
diff --git a/AGENTS.md b/AGENTS.md
index 68466b3..78d8a03 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -3,16 +3,6 @@ This workspace is the source code of `sloptrap`, eg. your own runtime. Your author, 'sk4nz', has ran the command `sloptrap path/to/skz-sloptrap` and you are living in your own reflection. -# Recursive `slopsloptrap` - -sloptrap can recurse. - -If you need to prove it, spawn a child from this repo with sloptrap: - -`./sloptrap /workspace ...` - -This starts a child `slopsloptrap`. Use the child normally, as the end-user would. - # Keep Memory Future sloptrap instances should add short, useful, durable notes they learn during their session to this file. 
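Review bot: The `packages_extra` context line still installs `podman` into the session image even though this commit removes the only capability that drove a podman binary inside the container. If `tests/run_tests.sh` (changed by this commit but outside this view) no longer exercises podman from within the session, dropping the token, e.g. `packages_extra=bash make shellcheck jq iproute2 strace`, shrinks the image and takes an unneeded container engine off the agent's PATH. If the tests do still need it, a line in AGENTS.md saying why would stop the next cleanup from removing it by accident.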
@@ -24,19 +14,8 @@ Do not remove existing instructions unless they are outdated or wrong. --- # Session Memory -- When you make changes that affect how the runtime behaves and cannot test it with recursion, you can ask sk4nz to restart you. -- If recursion is blocked by the current session state and a restart is required, give sk4nz an exact prompt to paste into the next restarted session so it can continue from the current checkpoint. +- When runtime changes need a fresh sloptrap session to validate, ask sk4nz to restart you and give an exact prompt to continue from the current checkpoint. - Useful checks in the skz-sloptrap repo: `shellcheck sloptrap` `bash tests/run_tests.sh` (you can also run them separately) -- Recursive nested-podman inside an already user-namespaced sloptrap needs subuid/subgid ranges derived from `/proc/self/uid_map` and `/proc/self/gid_map`; hardcoding `100000:65536` breaks `newuidmap`. - When running tests from inside sloptrap, inherited `CODEX_HOME=/codex` plus `SLOPTRAP_PREFER_CODEX_HOME=1` can leak into host-style child launches; ignore that preference when `HOME` has been redirected elsewhere and the runtime hints still point into the inherited `/codex` tree. -- For real recursive `./sloptrap` launches, correct `/proc/self/uid_map` alone is not enough: if the current session still has stale read-only `/etc/subuid` and `/etc/subgid` mounts (for example `sk4nz:100000:65536`), the first nested podman launch still fails before child startup. -- Forcing `SLOPTRAP_CONTAINER_ENGINE=sloppodman` inside sloptrap also needs `TMPDIR` under `/workspace`; otherwise its build-context path guard rejects the staged Dockerfile under `/tmp` before you reach the real subuid/subgid problem. 
-- If a restarted session still inherits stale read-only `/etc/subuid` and `/etc/subgid` tmpfs mounts, an unprivileged agent cannot repair them in-place (`umount` says `must be superuser to unmount`); both podman and sloppodman stay blocked until the session starts without those mounts. -- Outer sloptrap launches no longer need `/etc/subuid` or `/etc/subgid` bind mounts: `nested-podman` now disables read-only rootfs and the container entrypoint synthesizes container-local subid files from `/proc/self/{uid,gid}_map` before dropping privileges. -- Even without stale `/etc/subuid` mounts, recursion still fails if the container-local subid files name `sloptrap` instead of the real dropped user (`sk4nz` here): `podman info --debug` warns `no subuid ranges found for user "sk4nz"` and the first inner build dies in `newuidmap ... write to uid_map failed: Operation not permitted`. -- In this Debian 13 / podman 5.4.2 environment, exporting `_CONTAINERS_USERNS_CONFIGURED=done` for nested podman moves the failure past `newuidmap`, but the next blockers are inside Buildah: with `BUILDAH_ISOLATION=chroot`, recursive builds fail `cannot set --network other than host with --isolation chroot`; without chroot, `podman build` can segfault in `network.defaultNetworkBackend`. -- Recursive preload now has a host-side path: the outer launcher saves `$SLOPTRAP_IMAGE_NAME` into capability state and mounts it into the container as `SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE=/codex/capabilities/podman/preload/.tar`, and child `build-if-missing` tries `sloppodman load -i` before any inner build. A pre-existing session must be restarted to test that path because it cannot add the new preload mount/env to itself after startup. -- With stale subid mounts gone, recursive `./sloptrap /workspace` can still fail earlier during the inner image build: `crun` tries to open `/proc/sys/net/ipv4/ping_group_range` and gets `Read-only file system` while creating the build container. 
-- In a fragile nested-podman session, `podman system migrate` can make things worse: a state that still answered `podman info` fell back to repeated `newuidmap ... write to uid_map failed: Operation not permitted` failures afterward. diff --git a/README.md b/README.md index fbe54c1..9f99751 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,7 @@ Supported keys when the manifest is present: | --- | --- | --- | | `name` | project directory name | Must match `^[A-Za-z0-9_.-]+$`. Used for image/container naming. | | `packages_extra` | *empty* | Additional Debian packages installed during `docker/podman build`. Tokens must be alphanumeric plus `+.-`. | -| `capabilities` | *empty* | Optional privileged features. Supported values are `apt-install`, `packet-capture`, and `nested-podman`. | +| `capabilities` | *empty* | Optional privileged features. Supported values are `apt-install` and `packet-capture`. | | `allow_host_network` | `false` | `true` opts into `--network host`; keep `false` unless the project absolutely requires direct access to host-local services. | Values containing `$`, `` ` ``, or newlines are rejected to prevent command injection. Setting illegal keys or malformed values aborts the run before containers start. @@ -131,8 +131,6 @@ When the current manifest's capabilities are trusted and enabled, the container - `slop-apt install ` for session-scoped package installation. - `slopcap capture --interface [--filter ] [--output ] [--stdout]` for packet capture. -- `sloppodman ...` for nested Podman workflows. `build` contexts and Dockerfiles must remain inside `/workspace`, and pushes are not supported. -- When `nested-podman` is enabled, sloptrap makes the container root filesystem writable long enough to synthesize container-local `/etc/subuid` and `/etc/subgid` files from the live namespace maps, so rootless nested Podman does not depend on host subid files. ## Execution Environment diff --git a/sloptrap b/sloptrap index 4fe0c42..ddfb40b 100755 
--- a/sloptrap +++ b/sloptrap @@ -161,7 +161,7 @@ DEFAULT_CODEX_ARGS_DISPLAY=$(printf '%s ' "${DEFAULT_CODEX_ARGS[@]}") DEFAULT_CODEX_ARGS_DISPLAY=${DEFAULT_CODEX_ARGS_DISPLAY% } SLOPTRAP_IMAGE_LABEL_KEY="net.sk4nz.sloptrap.managed" SLOPTRAP_IMAGE_LABEL="${SLOPTRAP_IMAGE_LABEL_KEY}=1" -SLOPTRAP_SUPPORTED_CAPABILITIES=(apt-install packet-capture nested-podman) +SLOPTRAP_SUPPORTED_CAPABILITIES=(apt-install packet-capture) usage() { print_banner @@ -245,7 +245,6 @@ CAPABILITY_TRUST_ROOT_HOST="" CAPABILITY_TRUST_FILE_HOST="" CAPABILITY_BUILD_STAMP_HOST="" CAPABILITY_STATE_HOST="" -CAPABILITY_PRELOAD_DIR_HOST="" IGNORE_STUB_BASE="" IGNORE_HELPER_ROOT="" ALLOW_HOST_NETWORK=false @@ -334,10 +333,8 @@ COPY sloptrap-entrypoint /usr/local/bin/sloptrap-entrypoint COPY sloptrap-helperd /usr/local/bin/sloptrap-helperd COPY slop-apt /usr/local/bin/slop-apt COPY slopcap /usr/local/bin/slopcap -COPY sloppodman /usr/local/bin/sloppodman - RUN chmod 0755 /usr/local/bin/sloptrap-entrypoint /usr/local/bin/sloptrap-helperd \ - /usr/local/bin/slop-apt /usr/local/bin/slopcap /usr/local/bin/sloppodman \ + /usr/local/bin/slop-apt /usr/local/bin/slopcap \ && chown -R sloptrap:sloptrap /home/sloptrap WORKDIR /workspace 
@@ -350,132 +347,14 @@ EOF write_embedded_helper() { local helper=$1 case "$helper" in - sloptrap-entrypoint) - cat <<'EOF' + sloptrap-entrypoint) + cat <<'EOF' #!/usr/bin/env bash set -euo pipefail helper_pid="" helperd_bin=${SLOPTRAP_HELPERD_BIN:-/usr/local/bin/sloptrap-helperd} -has_capability() { - local needle=$1 - local token - for token in ${SLOPTRAP_ACTIVE_CAPABILITIES:-}; do - if [[ $token == "$needle" ]]; then - return 0 - fi - done - return 1 -} - -detect_subid_range_from_map() { - local map_path=$1 - local account_id=$2 - awk -v account_id="$account_id" ' - NF < 3 { next } - { - ns_start = $1 + 0 - ns_count = $3 + 0 - if (ns_count <= 0) { - next - } - if (account_id >= ns_start && account_id < (ns_start + ns_count)) { - next - } - if (ns_count > best_count) { - best_start = ns_start - best_count = ns_count - } - } - END { - if (best_count > 0) { - printf "%s %s", best_start, best_count - exit 0 - } - exit 1 - } - ' "$map_path" -} - -ensure_subid_mapping_file() { - local destination=$1 - local account_name=$2 - local account_id=$3 - local range_start=$4 - local range_count=$5 - local tmp_file="${destination}.tmp" - - if [[ -r $destination ]] && awk -F: -v account_name="$account_name" -v account_id="$account_id" -v range_start="$range_start" -v range_count="$range_count" ' - ($1 == account_name || $1 == account_id) && $2 == range_start && $3 == range_count { found=1; exit } - END { exit(found ? 0 : 1) } - ' "$destination"; then - return 0 - fi - - [[ -e $destination && ! 
-L $destination ]] || : >"$destination" - awk -F: -v account_name="$account_name" -v account_id="$account_id" ' - $1 == account_name || $1 == account_id { next } - { print } - ' "$destination" >"$tmp_file" - if [[ -n $account_name && $account_name != "$account_id" ]]; then - printf '%s:%s:%s\n' "$account_name" "$range_start" "$range_count" >>"$tmp_file" - else - printf '%s:%s:%s\n' "$account_id" "$range_start" "$range_count" >>"$tmp_file" - fi - chmod 0644 "$tmp_file" 2>/dev/null || true - if ! mv "$tmp_file" "$destination" 2>/dev/null; then - cat "$tmp_file" >"$destination" - rm -f "$tmp_file" - fi -} - -lookup_account_name() { - local account_id=$1 - local passwd_entry="" - if passwd_entry=$(getent passwd "$account_id" 2>/dev/null); then - printf '%s\n' "${passwd_entry%%:*}" - return 0 - fi - return 1 -} - -ensure_subid_mappings() { - local account_id account_gid account_name="" - local subuid_file subgid_file - local range_start="" range_count="" gid_start="" gid_count="" - local detected_range="" - - account_id=${SLOPTRAP_HOST_UID:-$(id -u)} - account_gid=${SLOPTRAP_HOST_GID:-$(id -g)} - account_name=${SLOPTRAP_HOST_USER:-} - subuid_file=${SLOPTRAP_PODMAN_SUBUID_FILE:-/etc/subuid} - subgid_file=${SLOPTRAP_PODMAN_SUBGID_FILE:-/etc/subgid} - if [[ -z $account_name ]] && ! 
account_name=$(lookup_account_name "$account_id"); then - account_name="" - fi - - if detected_range=$(detect_subid_range_from_map /proc/self/uid_map "$account_id" 2>/dev/null); then - read -r range_start range_count <<<"$detected_range" - elif [[ -n ${SLOPTRAP_PODMAN_SUBID_START:-} && -n ${SLOPTRAP_PODMAN_SUBID_COUNT:-} ]]; then - range_start=${SLOPTRAP_PODMAN_SUBID_START} - range_count=${SLOPTRAP_PODMAN_SUBID_COUNT} - fi - if detected_range=$(detect_subid_range_from_map /proc/self/gid_map "$account_gid" 2>/dev/null); then - read -r gid_start gid_count <<<"$detected_range" - elif [[ -n ${SLOPTRAP_PODMAN_SUBGID_START:-} && -n ${SLOPTRAP_PODMAN_SUBGID_COUNT:-} ]]; then - gid_start=${SLOPTRAP_PODMAN_SUBGID_START} - gid_count=${SLOPTRAP_PODMAN_SUBGID_COUNT} - fi - - if [[ -n $range_start && -n $range_count ]]; then - ensure_subid_mapping_file "$subuid_file" "$account_name" "$account_id" "$range_start" "$range_count" - fi - if [[ -n $gid_start && -n $gid_count ]]; then - ensure_subid_mapping_file "$subgid_file" "$account_name" "$account_id" "$gid_start" "$gid_count" - fi -} - cleanup() { if [[ -n $helper_pid ]]; then kill "$helper_pid" >/dev/null 2>&1 || true @@ -497,9 +376,6 @@ if [[ $(id -u) -eq 0 ]]; then chmod 1733 "$queue_dir" target_uid=${SLOPTRAP_HOST_UID:-} target_gid=${SLOPTRAP_HOST_GID:-} - if has_capability "nested-podman"; then - ensure_subid_mappings - fi if [[ -n ${SLOPTRAP_ACTIVE_CAPABILITIES:-} ]]; then "$helperd_bin" & helper_pid=$! 
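Review bot: `has_capability` is deleted from the embedded entrypoint together with the subid helpers, but the only call site shown being removed is the `nested-podman` guard in the following `@@ -497` hunk; if any other line of the entrypoint heredoc outside these hunks still calls it, every container would now fail at startup with `has_capability: command not found`, so a grep of the heredoc before merging is worth the minute. Separately, the new side re-indents the `sloptrap-entrypoint)` arm and its `cat <<'EOF'` inside `write_embedded_helper`'s `case`; confirm this matches the indentation of the sibling arms (the `*)` default further down) rather than being a one-off. The entrypoint heredoc continues well past this hunk on both sides.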
@@ -1110,474 +986,6 @@ fi status=$(<"$request_dir/status") exit "$status" -EOF - ;; - sloppodman) - # shellcheck disable=SC2034 - local workspace_root="" podman_root="" podman_runroot="" runtime_dir="" config_home="" - # shellcheck disable=SC2034 - local storage_driver="" storage_conf="" containers_conf="" subcommand="" - cat <<'EOF' -#!/usr/bin/env bash -set -euo pipefail - -caps=${SLOPTRAP_ACTIVE_CAPABILITIES:-} - -has_capability() { - local needle=$1 - local token - for token in $caps; do - if [[ $token == "$needle" ]]; then - return 0 - fi - done - return 1 -} - -if [[ $# -eq 0 ]]; then - printf 'usage: sloppodman ...\n' >&2 - exit 2 -fi - -original_args=("$@") -subcommand=$1 -shift -subcommand_prefix=("$subcommand") - -case "$subcommand" in - pull|build|tag|load|import|run|ps|logs|stop|rm|inspect|rmi) - ;; - image) - [[ $# -gt 0 ]] || { - printf 'sloppodman: image requires a subcommand\n' >&2 - exit 2 - } - case "$1" in - inspect|prune) - subcommand_prefix=(image "$1") - shift - ;; - *) - printf 'sloppodman: unsupported image subcommand %s\n' "$1" >&2 - exit 2 - ;; - esac - ;; - *) - printf 'sloppodman: unsupported subcommand %s\n' "$subcommand" >&2 - exit 2 - ;; -esac - -has_capability "nested-podman" || { - printf 'sloppodman: capability nested-podman is not active\n' >&2 - exit 126 -} - -workspace_root=${SLOPTRAP_WORKDIR:-/workspace} -podman_root=${SLOPTRAP_INNER_PODMAN_ROOT:-/codex/capabilities/podman/storage} -podman_runroot=${SLOPTRAP_INNER_PODMAN_RUNROOT:-/codex/capabilities/podman/run} -runtime_dir=${XDG_RUNTIME_DIR:-/codex/capabilities/podman/runtime} -config_home=${SLOPTRAP_INNER_PODMAN_CONFIG_HOME:-$runtime_dir/config} -containers_conf_dir="$config_home/containers" -storage_driver=${SLOPTRAP_INNER_PODMAN_DRIVER:-vfs} -storage_conf="$containers_conf_dir/storage.conf" -containers_conf="$containers_conf_dir/containers.conf" -subuid_file=${SLOPTRAP_PODMAN_SUBUID_FILE:-/etc/subuid} -subgid_file=${SLOPTRAP_PODMAN_SUBGID_FILE:-/etc/subgid} -mkdir -p 
"$podman_root" "$podman_runroot" "$runtime_dir" "$containers_conf_dir" - -cat >"$storage_conf" <"$containers_conf" <<'CONTAINERS_CONF_EOF' -[engine] -cgroup_manager = "cgroupfs" -events_logger = "file" -CONTAINERS_CONF_EOF - -export CONTAINERS_STORAGE_CONF="$storage_conf" -export CONTAINERS_CONF="$containers_conf" -export BUILDAH_ISOLATION="${BUILDAH_ISOLATION:-chroot}" -export _CONTAINERS_USERNS_CONFIGURED="${_CONTAINERS_USERNS_CONFIGURED:-done}" - -detect_subid_range_from_map() { - local map_path=$1 - local account_id=$2 - awk -v account_id="$account_id" ' - NF < 3 { next } - { - ns_start = $1 + 0 - ns_count = $3 + 0 - if (ns_count <= 0) { - next - } - if (account_id >= ns_start && account_id < (ns_start + ns_count)) { - next - } - if (ns_count > best_count) { - best_start = ns_start - best_count = ns_count - } - } - END { - if (best_count > 0) { - printf "%s %s", best_start, best_count - exit 0 - } - exit 1 - } - ' "$map_path" -} - -ensure_subid_mapping_file() { - local destination=$1 - local account_name=$2 - local account_id=$3 - local range_start=$4 - local range_count=$5 - local tmp_file="${destination}.tmp" - - if [[ -r $destination ]] && awk -F: -v account_name="$account_name" -v account_id="$account_id" -v range_start="$range_start" -v range_count="$range_count" ' - ($1 == account_name || $1 == account_id) && $2 == range_start && $3 == range_count { found=1; exit } - END { exit(found ? 0 : 1) } - ' "$destination"; then - return 0 - fi - - [[ -e $destination && ! -L $destination ]] || : >"$destination" - awk -F: -v account_name="$account_name" -v account_id="$account_id" ' - $1 == account_name || $1 == account_id { next } - { print } - ' "$destination" >"$tmp_file" - if [[ -n $account_name && $account_name != "$account_id" ]]; then - printf '%s:%s:%s\n' "$account_name" "$range_start" "$range_count" >>"$tmp_file" - else - printf '%s:%s:%s\n' "$account_id" "$range_start" "$range_count" >>"$tmp_file" - fi - chmod 0644 "$tmp_file" 2>/dev/null || true - if ! 
mv "$tmp_file" "$destination" 2>/dev/null; then - cat "$tmp_file" >"$destination" - rm -f "$tmp_file" - fi -} - -ensure_subid_mappings() { - local account_id account_name range_start range_count gid_start gid_count detected_range - account_id=${SLOPTRAP_PODMAN_CALLER_UID:-$(id -u)} - account_name=${SLOPTRAP_PODMAN_CALLER_USER:-} - if [[ -z $account_name ]]; then - account_name=$(id -un 2>/dev/null || true) - fi - range_start=${SLOPTRAP_PODMAN_SUBID_START:-100000} - range_count=${SLOPTRAP_PODMAN_SUBID_COUNT:-65536} - gid_start=${SLOPTRAP_PODMAN_SUBGID_START:-$range_start} - gid_count=${SLOPTRAP_PODMAN_SUBGID_COUNT:-$range_count} - if detected_range=$(detect_subid_range_from_map /proc/self/uid_map "$account_id" 2>/dev/null); then - read -r range_start range_count <<<"$detected_range" - fi - if detected_range=$(detect_subid_range_from_map /proc/self/gid_map "${SLOPTRAP_PODMAN_CALLER_GID:-$(id -g)}" 2>/dev/null); then - read -r gid_start gid_count <<<"$detected_range" - fi - [[ -e $subuid_file && ! -L $subuid_file ]] || : >"$subuid_file" - [[ -e $subgid_file && ! -L $subgid_file ]] || : >"$subgid_file" - ensure_subid_mapping_file "$subuid_file" "$account_name" "$account_id" "$range_start" "$range_count" - ensure_subid_mapping_file "$subgid_file" "$account_name" "$account_id" "$gid_start" "$gid_count" - if [[ $(id -u) -eq 0 ]]; then - ensure_subid_mapping_file "$subuid_file" root 0 "$range_start" "$range_count" - ensure_subid_mapping_file "$subgid_file" root 0 "$gid_start" "$gid_count" - fi -} - -exec_podman() { - local -a cmd=( - podman - --root "$podman_root" - --runroot "$podman_runroot" - --storage-driver "$storage_driver" - --cgroup-manager cgroupfs - --events-backend file - "${subcommand_prefix[@]}" "$@" - ) - - if [[ $(id -u) -eq 0 ]]; then - ensure_subid_mappings - exec "${cmd[@]}" - fi - if [[ ${SLOPTRAP_PODMAN_ESCALATED:-0} == 1 ]]; then - exec "${cmd[@]}" - fi - if ! 
command -v setpriv >/dev/null 2>&1; then - printf 'sloppodman: setpriv is required to enter the nested podman capability profile\n' >&2 - exit 1 - fi - chmod 0777 "$podman_root" "$podman_runroot" "$runtime_dir" 2>/dev/null || true - exec setpriv --reuid 0 --regid 0 --clear-groups -- env \ - CONTAINERS_STORAGE_CONF="$CONTAINERS_STORAGE_CONF" \ - CONTAINERS_CONF="$CONTAINERS_CONF" \ - BUILDAH_ISOLATION="$BUILDAH_ISOLATION" \ - _CONTAINERS_USERNS_CONFIGURED="$_CONTAINERS_USERNS_CONFIGURED" \ - XDG_RUNTIME_DIR="$runtime_dir" \ - SLOPTRAP_PODMAN_ESCALATED=1 \ - SLOPTRAP_PODMAN_CALLER_UID="${SLOPTRAP_PODMAN_CALLER_UID:-$(id -u)}" \ - SLOPTRAP_PODMAN_CALLER_GID="${SLOPTRAP_PODMAN_CALLER_GID:-$(id -g)}" \ - SLOPTRAP_PODMAN_CALLER_USER="${SLOPTRAP_PODMAN_CALLER_USER:-$(id -un 2>/dev/null || true)}" \ - "$0" "${original_args[@]}" -} - -resolve_inner_path() { - local raw=$1 - if command -v realpath >/dev/null 2>&1; then - realpath -m "$raw" - return - fi - case "$raw" in - /*) printf '%s\n' "$raw" ;; - *) printf '%s/%s\n' "$(pwd -P)" "$raw" ;; - esac -} - -validate_workspace_path() { - local path=$1 - path=$(resolve_inner_path "$path") - case "$path" in - "$workspace_root"|"${workspace_root}/"*) ;; - *) - printf 'sloppodman: path must stay within %s (%s)\n' "$workspace_root" "$path" >&2 - exit 2 - ;; - esac -} - -validate_archive_path() { - local path=$1 - local resolved allowed_archive="" - resolved=$(resolve_inner_path "$path") - if [[ -n ${SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE:-} ]]; then - allowed_archive=$(resolve_inner_path "$SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE") - if [[ $resolved == "$allowed_archive" ]]; then - return 0 - fi - fi - validate_workspace_path "$path" -} - -reject_flag() { - local flag=$1 - printf 'sloppodman: %s is not permitted\n' "$flag" >&2 - exit 2 -} - -validate_volume_spec() { - local spec=$1 - local source - if [[ $spec != *:* ]]; then - return 0 - fi - source=${spec%%:*} - case "$source" in - "" ) - return 0 - ;; - .|..|/*|./*|../*|*/*) - 
validate_workspace_path "$source" - ;; - * ) - return 0 - ;; - esac -} - -validate_mount_spec() { - local spec=$1 - local type="" - local source="" - local part - IFS=',' read -r -a mount_parts <<< "$spec" - for part in "${mount_parts[@]}"; do - case "$part" in - type=*) - type=${part#type=} - ;; - source=*|src=*) - source=${part#*=} - ;; - esac - done - case "$type" in - volume|tmpfs) - return 0 - ;; - bind) - [[ -n $source ]] || reject_flag "--mount" - validate_workspace_path "$source" - return 0 - ;; - *) - reject_flag "--mount" - ;; - esac -} - -if [[ $subcommand == "build" ]]; then - args=("$@") - context="" - idx=0 - while (( idx < ${#args[@]} )); do - arg=${args[$idx]} - case "$arg" in - -f|--file) - ((idx+=1)) - (( idx < ${#args[@]} )) || { printf 'sloppodman: %s requires a path\n' "$arg" >&2; exit 2; } - validate_workspace_path "${args[$idx]}" - ;; - --file=*) - validate_workspace_path "${arg#*=}" - ;; - --network) - ((idx+=1)) - (( idx < ${#args[@]} )) || { printf 'sloppodman: --network requires a value\n' >&2; exit 2; } - if [[ ${args[$idx]} == "host" && ${SLOPTRAP_INNER_PODMAN_HOST_NETWORK:-0} != 1 ]]; then - printf 'sloppodman: host networking is not available in this session\n' >&2 - exit 2 - fi - ;; - --network=*) - if [[ ${arg#*=} == "host" && ${SLOPTRAP_INNER_PODMAN_HOST_NETWORK:-0} != 1 ]]; then - printf 'sloppodman: host networking is not available in this session\n' >&2 - exit 2 - fi - ;; - -v|--volume|--volume=*|--mount|--mount=*|--security-opt|--security-opt=*|--cap-add|--cap-add=*|--cap-drop|--cap-drop=*|--device|--device=*|--privileged|--privileged=*|--rootfs|--rootfs=*) - reject_flag "${arg%%=*}" - ;; - esac - ((idx+=1)) - done - if [[ ${#args[@]} -gt 0 ]]; then - context=${args[$(( ${#args[@]} - 1 ))]} - validate_workspace_path "$context" - fi -fi - -if [[ $subcommand == "import" ]]; then - args=("$@") - archive_path="" - idx=0 - while (( idx < ${#args[@]} )); do - arg=${args[$idx]} - case "$arg" in - --change|--message) - ((idx+=1)) - (( 
idx < ${#args[@]} )) || { printf 'sloppodman: %s requires a value\n' "$arg" >&2; exit 2; } - ;; - --change=*|--message=*|-q|--quiet) - ;; - -*) - ;; - *) - archive_path=$arg - break - ;; - esac - ((idx+=1)) - done - [[ -n $archive_path ]] || { printf 'sloppodman: import requires an archive path\n' >&2; exit 2; } - validate_archive_path "$archive_path" -fi - -if [[ $subcommand == "load" ]]; then - args=("$@") - archive_path="" - idx=0 - while (( idx < ${#args[@]} )); do - arg=${args[$idx]} - case "$arg" in - -i|--input) - ((idx+=1)) - (( idx < ${#args[@]} )) || { printf 'sloppodman: %s requires a path\n' "$arg" >&2; exit 2; } - archive_path=${args[$idx]} - ;; - --input=*|-i=*) - archive_path=${arg#*=} - ;; - -*) - ;; - *) - archive_path=$arg - break - ;; - esac - ((idx+=1)) - done - [[ -n $archive_path ]] || { printf 'sloppodman: load requires an archive path\n' >&2; exit 2; } - validate_archive_path "$archive_path" -fi - -if [[ $subcommand == "run" ]]; then - args=("$@") - idx=0 - while (( idx < ${#args[@]} )); do - arg=${args[$idx]} - case "$arg" in - --) - break - ;; - --network) - ((idx+=1)) - (( idx < ${#args[@]} )) || { printf 'sloppodman: --network requires a value\n' >&2; exit 2; } - if [[ ${args[$idx]} == "host" && ${SLOPTRAP_INNER_PODMAN_HOST_NETWORK:-0} != 1 ]]; then - printf 'sloppodman: host networking is not available in this session\n' >&2 - exit 2 - fi - ;; - --network=*) - if [[ ${arg#*=} == "host" && ${SLOPTRAP_INNER_PODMAN_HOST_NETWORK:-0} != 1 ]]; then - printf 'sloppodman: host networking is not available in this session\n' >&2 - exit 2 - fi - ;; - -v|--volume) - ((idx+=1)) - (( idx < ${#args[@]} )) || { printf 'sloppodman: %s requires a value\n' "$arg" >&2; exit 2; } - validate_volume_spec "${args[$idx]}" - ;; - --volume=*) - validate_volume_spec "${arg#*=}" - ;; - --mount) - ((idx+=1)) - (( idx < ${#args[@]} )) || { printf 'sloppodman: --mount requires a value\n' >&2; exit 2; } - validate_mount_spec "${args[$idx]}" - ;; - --mount=*) - 
validate_mount_spec "${arg#*=}" - ;; - --privileged|--privileged=*|--cap-add|--cap-add=*|--cap-drop|--cap-drop=*|--device|--device=*|--security-opt|--security-opt=*|--rootfs|--rootfs=*|--pid|--pid=*|--ipc|--ipc=*|--uts|--uts=*|--userns|--userns=*|--cgroupns|--cgroupns=*) - reject_flag "${arg%%=*}" - ;; - -*) - ;; - *) - break - ;; - esac - ((idx+=1)) - done -fi - -exec_podman "$@" EOF ;; *) @@ -1633,7 +1041,7 @@ prepare_build_context() { validate_basename "$SLOPTRAP_CODEX_BIN_NAME" CODEX_BIN_PATH="$SLOPTRAP_BUILD_CONTEXT/$SLOPTRAP_CODEX_BIN_NAME" local helper - for helper in sloptrap-entrypoint sloptrap-helperd slop-apt slopcap sloppodman; do + for helper in sloptrap-entrypoint sloptrap-helperd slop-apt slopcap; do populate_embedded_helper "$helper" "$SLOPTRAP_BUILD_CONTEXT/$helper" done } @@ -1649,8 +1057,6 @@ select_codex_home() { for runtime_hint in \ "${SLOPTRAP_CAPTURE_DIR:-}" \ "${SLOPTRAP_AUDIT_LOG:-}" \ - "${SLOPTRAP_INNER_PODMAN_ROOT:-}" \ - "${SLOPTRAP_INNER_PODMAN_RUNROOT:-}" \ "${XDG_CONFIG_HOME:-}" \ "${XDG_CACHE_HOME:-}" \ "${XDG_STATE_HOME:-}"; do 
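Review bot: The embedded helper list `sloptrap-entrypoint sloptrap-helperd slop-apt slopcap` is now spelled out here in `prepare_build_context` and again in the Dockerfile `COPY` and `chmod` lines of the earlier `@@ -334` hunk, so the next helper added or removed has to be edited in lockstep in two places or one of them drifts silently. Declaring it once near `SLOPTRAP_SUPPORTED_CAPABILITIES`, e.g. `SLOPTRAP_EMBEDDED_HELPERS=(sloptrap-entrypoint sloptrap-helperd slop-apt slopcap)`, and looping `for helper in "${SLOPTRAP_EMBEDDED_HELPERS[@]}"; do` here keeps the bash side in step; whether the Dockerfile heredoc can be generated from the same array depends on whether it is quoted, which this hunk does not show. prepare_build_context's opening lines are above the hunk.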
@@ -1690,59 +1096,6 @@ select_codex_home() { fi } -write_subid_mapping_file() { - local destination=$1 - local existing_path=$2 - local account_name=$3 - local account_id=$4 - local range_start=$5 - local range_count=$6 - - if [[ -r $existing_path ]]; then - awk -F: -v account_name="$account_name" -v account_id="$account_id" ' - $1 == account_name || $1 == account_id { next } - { print } - ' "$existing_path" >"$destination" - else - : >"$destination" - fi - if [[ -n $account_name && $account_name != "$account_id" ]]; then - printf '%s:%s:%s\n' "$account_name" "$range_start" "$range_count" >>"$destination" - else - printf '%s:%s:%s\n' "$account_id" "$range_start" "$range_count" >>"$destination" - fi - chmod 0644 "$destination" -} - -detect_subid_range_from_map() { - local map_path=$1 - local account_id=$2 - awk -v account_id="$account_id" ' - NF < 3 { next } - { - ns_start = $1 + 0 - ns_count = $3 + 0 - if (ns_count <= 0) { - next - } - if (account_id >= ns_start && account_id < (ns_start + ns_count)) { - next - } - if (ns_count > best_count) { - best_start = ns_start - best_count = ns_count - } - } - END { - if (best_count > 0) { - printf "%s %s", best_start, best_count - exit 0 - } - exit 1 - } - ' "$map_path" -} - compute_manifest_digest() { if [[ -f $MANIFEST_PATH ]]; then local digest @@ -1759,7 +1112,6 @@ select_capability_state_paths() { CAPABILITY_TRUST_FILE_HOST="$CAPABILITY_TRUST_ROOT_HOST/$CODEX_STATE_KEY.trust" CAPABILITY_BUILD_STAMP_HOST="$capability_root/builds/$CODEX_STATE_KEY.stamp" CAPABILITY_STATE_HOST="$CODEX_STATE_HOME_HOST/capabilities" - CAPABILITY_PRELOAD_DIR_HOST="$CAPABILITY_STATE_HOST/podman-preload" } ensure_capability_state_paths() { 
@@ -1768,12 +1120,6 @@ ensure_capability_state_paths() { ensure_codex_directory "$CAPABILITY_TRUST_ROOT_HOST" "sloptrap capability trust root" ensure_codex_directory "$(dirname "$CAPABILITY_BUILD_STAMP_HOST")" "sloptrap capability build stamp root" ensure_codex_directory "$CAPABILITY_STATE_HOST" "project capability state" - if capability_list_contains "$REQUESTED_CAPABILITIES" "nested-podman"; then - ensure_codex_directory "$CAPABILITY_STATE_HOST/podman-storage" "nested podman storage state" - ensure_codex_directory "$CAPABILITY_STATE_HOST/podman-run" "nested podman runroot state" - ensure_codex_directory "$CAPABILITY_STATE_HOST/podman-runtime" "nested podman runtime state" - ensure_codex_directory "$CAPABILITY_PRELOAD_DIR_HOST" "nested podman preload state" - fi } capability_trust_matches_current() { @@ -1845,16 +1191,6 @@ capability_build_stamp_matches_current() { [[ $stamp_digest == "$CAPABILITY_MANIFEST_DIGEST" && $stamp_caps == "$REQUESTED_CAPABILITIES" ]] } -run_with_nested_podman_root() { - if capability_list_contains "${SLOPTRAP_ACTIVE_CAPABILITIES:-}" "nested-podman" \ - && [[ $(id -u) -ne 0 ]] \ - && command -v setpriv >/dev/null 2>&1; then - setpriv --reuid 0 --regid 0 --clear-groups -- "$@" - return - fi - "$@" -} - assert_path_within_code_dir() { local candidate=$1 local resolved @@ -2106,6 +1442,9 @@ validate_capability_list() { [[ -z $raw ]] && return 0 local token supported capability for token in $raw; do + if [[ $token == "nested-podman" ]]; then + error "$source: capability 'nested-podman' was removed; delete it from '$key'" + fi supported=false for capability in "${SLOPTRAP_SUPPORTED_CAPABILITIES[@]}"; do if [[ $token == "$capability" ]]; then 
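Review bot: The `nested-podman` literal is hard-coded inside the token loop of `validate_capability_list`, so the next capability retirement will need another ad-hoc branch in the same spot; a file-level `SLOPTRAP_REMOVED_CAPABILITIES=(nested-podman)` next to `SLOPTRAP_SUPPORTED_CAPABILITIES`, iterated as `for removed in "${SLOPTRAP_REMOVED_CAPABILITIES[@]}"; do [[ $token == "$removed" ]] && error "$source: capability '$removed' was removed; delete it from '$key'"; done`, keeps both lists in one place and gives every removed name the same helpful message. The new message also depends on `$source` and `$key`, which are set above the hunk — presumably the function's parameters; worth confirming they are `local` and non-empty on every caller path, since this `error` text is all the user sees. validate_capability_list starts and ends outside the hunk.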
@@ -2664,9 +2003,6 @@ prepare_container_runtime() { if capability_list_contains "$REQUESTED_CAPABILITIES" "packet-capture"; then SLOPTRAP_PACKAGES_CAPABILITY+=" tcpdump" fi - if capability_list_contains "$REQUESTED_CAPABILITIES" "nested-podman"; then - SLOPTRAP_PACKAGES_CAPABILITY+=" podman uidmap fuse-overlayfs slirp4netns" - fi SLOPTRAP_PACKAGES_CAPABILITY=$(normalize_package_list "$SLOPTRAP_PACKAGES_CAPABILITY") local default_codex_archive default_codex_archive=$(detect_codex_archive_name) @@ -2754,14 +2090,7 @@ prepare_container_runtime() { capability_opts+=(--cap-add NET_RAW --cap-add NET_ADMIN) SLOPTRAP_RUN_AS_ROOT=true fi - if capability_list_contains "$ENABLED_CAPABILITIES" "nested-podman"; then - capability_opts+=(--device /dev/fuse --cap-add SYS_CHROOT --cap-add MKNOD) - security_opts+=(--security-opt seccomp=unconfined) - SLOPTRAP_ROOTFS_READONLY=0 - SLOPTRAP_RUN_AS_ROOT=true - else - security_opts+=(--security-opt no-new-privileges) - fi + security_opts+=(--security-opt no-new-privileges) if $SLOPTRAP_RUN_AS_ROOT; then capability_opts+=( --cap-add SETUID @@ -2790,14 +2119,6 @@ prepare_container_runtime() { -v "$CODEX_STATE_HOME_HOST:$SLOPTRAP_CODEX_HOME_CONT$SLOPTRAP_VOLUME_LABEL" -v "$CODEX_AUTH_FILE_HOST:$SLOPTRAP_CODEX_HOME_CONT/auth.json$SLOPTRAP_VOLUME_LABEL" ) - if capability_list_contains "$ENABLED_CAPABILITIES" "nested-podman"; then - volume_opts+=( - -v "$CAPABILITY_STATE_HOST/podman-storage:$SLOPTRAP_CODEX_HOME_CONT/capabilities/podman/storage$SLOPTRAP_VOLUME_LABEL" - -v "$CAPABILITY_STATE_HOST/podman-run:$SLOPTRAP_CODEX_HOME_CONT/capabilities/podman/run$SLOPTRAP_VOLUME_LABEL" - -v "$CAPABILITY_STATE_HOST/podman-runtime:$SLOPTRAP_CODEX_HOME_CONT/capabilities/podman/runtime$SLOPTRAP_VOLUME_LABEL" - -v "$CAPABILITY_PRELOAD_DIR_HOST:$SLOPTRAP_CODEX_HOME_CONT/capabilities/podman/preload$SLOPTRAP_VOLUME_LABEL" - ) - fi local -a env_args=( -e "HOME=$SLOPTRAP_CODEX_HOME_CONT" 
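Review bot: `--security-opt no-new-privileges` is now unconditional, including on the packet-capture path where `SLOPTRAP_RUN_AS_ROOT=true` leads to `--cap-add SETUID` a few lines below; that pairing was already the behaviour whenever nested-podman was off, and it works because no_new_privs blocks gaining privilege through setuid/file capabilities, not a root process dropping to the target user, but the interaction is non-obvious and deserves a comment such as `# no_new_privs is safe with the root->user drop in the entrypoint: it blocks privilege escalation, not CAP_SETUID-based dropping`. This function also no longer assigns `SLOPTRAP_ROOTFS_READONLY`; if the removed branch was its only assignment to 0, confirm the default still yields a read-only rootfs, which the README hunk implies was the non-nested behaviour. prepare_container_runtime starts and ends outside the hunk.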
@@ -2810,20 +2131,8 @@ prepare_container_runtime() { -e "SLOPTRAP_ACTIVE_CAPABILITIES=$ENABLED_CAPABILITIES" -e "SLOPTRAP_CAPTURE_DIR=$SLOPTRAP_CODEX_HOME_CONT/state/captures" -e "SLOPTRAP_AUDIT_LOG=$SLOPTRAP_CODEX_HOME_CONT/state/capabilities.log" - -e "SLOPTRAP_INNER_PODMAN_ROOT=$SLOPTRAP_CODEX_HOME_CONT/capabilities/podman/storage" - -e "SLOPTRAP_INNER_PODMAN_RUNROOT=$SLOPTRAP_CODEX_HOME_CONT/capabilities/podman/run" -e "SLOPTRAP_PREFER_CODEX_HOME=1" - -e "XDG_RUNTIME_DIR=$SLOPTRAP_CODEX_HOME_CONT/capabilities/podman/runtime" ) - if capability_list_contains "$ENABLED_CAPABILITIES" "nested-podman" && [[ $SLOPTRAP_NETWORK_NAME == "host" ]]; then - env_args+=(-e "SLOPTRAP_INNER_PODMAN_HOST_NETWORK=1") - fi - if capability_list_contains "$ENABLED_CAPABILITIES" "nested-podman"; then - env_args+=( - -e "SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE=$(recursive_preload_archive_container_path)" - -e "SLOPTRAP_RECURSIVE_PARENT_IMAGE_NAME=$SLOPTRAP_IMAGE_NAME" - ) - fi local uid gid user uid=$(id -u) 
@@ -2960,169 +2269,6 @@ rebuild_image() { write_capability_build_stamp } -compute_recursive_preload_stamp() { - local launcher_source=${BASH_SOURCE[0]:-$0} - local launcher_digest - launcher_digest=$(sha256sum "$launcher_source") - printf '%s\n%s\n' "${launcher_digest%% *}" "$SLOPTRAP_IMAGE_NAME" -} - -recursive_preload_archive_host_path() { - printf '%s/%s.tar\n' "$CAPABILITY_PRELOAD_DIR_HOST" "$SLOPTRAP_IMAGE_NAME" -} - -recursive_preload_archive_container_path() { - printf '%s/capabilities/podman/preload/%s.tar\n' "$SLOPTRAP_CODEX_HOME_CONT" "$SLOPTRAP_IMAGE_NAME" -} - -prepare_recursive_parent_image_preload() { - capability_list_contains "$ENABLED_CAPABILITIES" "nested-podman" || return 0 - local engine_name=${CONTAINER_ENGINE##*/} - case "$engine_name" in - sloppodman|sloppodman*|.sloppodman*) - return 0 - ;; - esac - - local archive_path stamp_path image_id recorded_id="" - archive_path=$(recursive_preload_archive_host_path) - stamp_path="${archive_path}.stamp" - if ! image_id=$("$CONTAINER_ENGINE" image inspect --format '{{.Id}}' "$SLOPTRAP_IMAGE_NAME" 2>/dev/null); then - return 1 - fi - if [[ -f $archive_path && -f $stamp_path ]]; then - recorded_id=$(sed -n '1p' "$stamp_path" 2>/dev/null || true) - if [[ $recorded_id == "$image_id" ]]; then - return 0 - fi - fi - local tmp_archive="${archive_path}.tmp" - if ! 
"$CONTAINER_ENGINE" save -o "$tmp_archive" "$SLOPTRAP_IMAGE_NAME"; then - rm -f "$tmp_archive" - return 1 - fi - mv "$tmp_archive" "$archive_path" - printf '%s\n%s\n' "$image_id" "$SLOPTRAP_IMAGE_NAME" >"$stamp_path" -} - -load_recursive_parent_image() { - local engine_name=${CONTAINER_ENGINE##*/} - local archive_path=${SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE:-} - local source_image_name=${SLOPTRAP_RECURSIVE_PARENT_IMAGE_NAME:-$SLOPTRAP_IMAGE_NAME} - case "$engine_name" in - sloppodman|sloppodman*|.sloppodman*) - ;; - *) - return 1 - ;; - esac - capability_list_contains "${SLOPTRAP_ACTIVE_CAPABILITIES:-}" "nested-podman" || return 1 - [[ -n $archive_path && -r $archive_path ]] || return 1 - - if ! "$CONTAINER_ENGINE" load -i "$archive_path"; then - return 1 - fi - if ! "$CONTAINER_ENGINE" image inspect "$SLOPTRAP_IMAGE_NAME" >/dev/null 2>&1; then - [[ -n $source_image_name ]] || return 1 - "$CONTAINER_ENGINE" tag "$source_image_name" "$SLOPTRAP_IMAGE_NAME" || return 1 - fi - "$CONTAINER_ENGINE" image inspect "$SLOPTRAP_IMAGE_NAME" >/dev/null 2>&1 || return 1 - write_capability_build_stamp - return 0 -} - -prepare_recursive_parent_image_archive() { - local archive_dir="$CODE_DIR/.sloptrap-preload" - local archive_path="$archive_dir/${SLOPTRAP_IMAGE_NAME}.tar" - local stamp_path="$archive_path.stamp" - local desired_stamp current_stamp="" - desired_stamp=$(compute_recursive_preload_stamp) - if [[ -f $archive_path && -f $stamp_path ]]; then - current_stamp=$(cat "$stamp_path" 2>/dev/null || true) - if [[ $current_stamp == "$desired_stamp" ]]; then - printf '%s\n' "$archive_path" - return 0 - fi - fi - - assert_path_within_code_dir "$archive_dir" - mkdir -p "$archive_dir" - - local overlay_dir - overlay_dir=$(create_temp_dir "recursive-preload") - local helper - for helper in sloptrap-entrypoint sloptrap-helperd slop-apt slopcap sloppodman; do - populate_embedded_helper "$helper" "$overlay_dir/usr/local/bin/$helper" - done - chmod 0755 \ - 
"$overlay_dir/usr/local/bin/sloptrap-entrypoint" \ - "$overlay_dir/usr/local/bin/sloptrap-helperd" \ - "$overlay_dir/usr/local/bin/slop-apt" \ - "$overlay_dir/usr/local/bin/slopcap" \ - "$overlay_dir/usr/local/bin/sloppodman" - - local tmp_archive="$archive_path.tmp" - rm -f "$tmp_archive" - if ! run_with_nested_podman_root tar --numeric-owner --one-file-system \ - --exclude=./proc \ - --exclude=./sys \ - --exclude=./dev \ - --exclude=./run \ - --exclude=./tmp \ - --exclude=./workspace \ - --exclude=./codex \ - --exclude=./usr/local/bin/sloptrap-entrypoint \ - --exclude=./usr/local/bin/sloptrap-helperd \ - --exclude=./usr/local/bin/slop-apt \ - --exclude=./usr/local/bin/slopcap \ - --exclude=./usr/local/bin/sloppodman \ - -cf "$tmp_archive" -C / .; then - rm -f "$tmp_archive" - return 1 - fi - if ! tar --numeric-owner -rf "$tmp_archive" -C "$overlay_dir" .; then - rm -f "$tmp_archive" - return 1 - fi - mv "$tmp_archive" "$archive_path" - printf '%s\n' "$desired_stamp" >"$stamp_path" - printf '%s\n' "$archive_path" -} - -import_recursive_parent_image() { - local engine_name=${CONTAINER_ENGINE##*/} - local archive_path=${SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE:-} - case "$engine_name" in - sloppodman|sloppodman*|.sloppodman*) - ;; - *) - return 1 - ;; - esac - capability_list_contains "${SLOPTRAP_ACTIVE_CAPABILITIES:-}" "nested-podman" || return 1 - - if [[ -n $archive_path ]]; then - [[ -r $archive_path ]] || return 1 - else - if ! archive_path=$(prepare_recursive_parent_image_archive); then - return 1 - fi - fi - - if ! "$CONTAINER_ENGINE" import \ - --change 'ENTRYPOINT ["/usr/local/bin/sloptrap-entrypoint"]' \ - --change 'WORKDIR /workspace' \ - --change 'ENV SHELL=/bin/bash' \ - --change 'ENV HOME=/home/sloptrap' \ - --change "LABEL $SLOPTRAP_IMAGE_LABEL" \ - "$archive_path" \ - "$SLOPTRAP_IMAGE_NAME"; then - return 1 - fi - write_capability_build_stamp - return 0 -} - build_if_missing() { ensure_capability_trust if $DRY_RUN; then 
@@ -3151,12 +2297,6 @@ build_if_missing() { fi return 0 fi - if load_recursive_parent_image; then - return 0 - fi - if import_recursive_parent_image; then - return 0 - fi build_image } @@ -3202,9 +2342,9 @@ prune_sloptrap_images() { run_codex_command() { local -a extra_args=("$@") + local -a source_args=("$SLOPTRAP_IMAGE_NAME") ensure_codex_storage_paths - prepare_recursive_parent_image_preload || true - local -a cmd=("${BASE_CONTAINER_CMD[@]}" "$SLOPTRAP_IMAGE_NAME" "codex") + local -a cmd=("${BASE_CONTAINER_CMD[@]}" "${source_args[@]}" "codex") if [[ ${#CODEX_ARGS_ARRAY[@]} -gt 0 ]]; then cmd+=("${CODEX_ARGS_ARRAY[@]}") fi @@ -3225,21 +2365,21 @@ run_codex() { run_login_target() { ensure_codex_storage_paths - prepare_recursive_parent_image_preload || true + local -a source_args=("$SLOPTRAP_IMAGE_NAME") if ! $DRY_RUN; then status_line "Login %s\n" "$SLOPTRAP_IMAGE_NAME" fi - local -a cmd=("${BASE_CONTAINER_CMD[@]}" "$SLOPTRAP_IMAGE_NAME" "codex" login) + local -a cmd=("${BASE_CONTAINER_CMD[@]}" "${source_args[@]}" "codex" login) run_or_print "${cmd[@]}" } run_shell_target() { ensure_codex_storage_paths - prepare_recursive_parent_image_preload || true + local -a source_args=("$SLOPTRAP_IMAGE_NAME") if ! $DRY_RUN; then status_line "Shell %s\n" "$SLOPTRAP_IMAGE_NAME" fi - local -a cmd=("${BASE_CONTAINER_CMD[@]}" "$SLOPTRAP_IMAGE_NAME" /bin/bash) + local -a cmd=("${BASE_CONTAINER_CMD[@]}" "${source_args[@]}" /bin/bash) run_or_print "${cmd[@]}" } diff --git a/tests/capability_repo/.sloptrap b/tests/capability_repo/.sloptrap index 4d663d3..45d88bc 100644 --- a/tests/capability_repo/.sloptrap +++ b/tests/capability_repo/.sloptrap @@ -1,3 +1,3 @@ name=capability-repo -capabilities=apt-install packet-capture nested-podman +capabilities=apt-install packet-capture allow_host_network=true diff --git a/tests/run_tests.sh b/tests/run_tests.sh index 73f4209..eb8b9b2 100755 --- a/tests/run_tests.sh +++ b/tests/run_tests.sh 
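Review bot: The new `local -a source_args=("$SLOPTRAP_IMAGE_NAME")` in run_codex_command is a one-element array that only ever feeds `"${source_args[@]}"` on the next line, so with the preload hook gone the indirection introduces a name without a purpose; `local -a cmd=("${BASE_CONTAINER_CMD[@]}" "$SLOPTRAP_IMAGE_NAME" "codex")` reads more directly. The same pattern is repeated in run_login_target and run_shell_target in the following hunk. If the array is meant as a seam for future image arguments, a one-line comment saying so would justify keeping it in all three places.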
@@ -383,7 +383,7 @@ run_runtime_context_prompt() {
 record_failure "runtime_context_prompt: startup prompt missing from fresh run"
 fi
 if ! grep -q -- "name=capability-repo" "$STUB_LOG" \
- || ! grep -q -- "enabled_capabilities=apt-install nested-podman packet-capture" "$STUB_LOG" \
+ || ! grep -q -- "enabled_capabilities=apt-install packet-capture" "$STUB_LOG" \
 || ! grep -q -- "network_mode=host" "$STUB_LOG"; then
 record_failure "runtime_context_prompt: runtime summary missing manifest or capability state"
 fi
@@ -483,170 +483,25 @@ run_codex_home_override() { teardown_stub_env } -run_recursive_slopsloptrap() { - local scenario_dir temp_root codex_root - printf '==> recursive_slopsloptrap\n' - setup_stub_env - temp_root=$(mktemp -d) - scenario_dir="$temp_root/slopsloptrap" - codex_root="$temp_root/codex-root" - mkdir -p "$scenario_dir" "$codex_root" +run_removed_nested_podman_manifest() { + local scenario_dir output_log + scenario_dir=$(mktemp -d) + output_log=$(mktemp) + printf '==> removed_nested_podman_manifest\n' cat >"$scenario_dir/.sloptrap" <<'EOF' -name=slopsloptrap -capabilities=nested-podman -allow_host_network=false -EOF - printf '{"access_token":"test"}\n' >"$codex_root/auth.json" - if ! PATH="$STUB_BIN:$PATH" HOME="$codex_root" CODEX_HOME="$codex_root" \ - FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \ - "$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" shell /dev/null 2>&1; then - record_failure "recursive_slopsloptrap: sloptrap exited non-zero" - teardown_stub_env - rm -rf "$temp_root" - return - fi - if ! grep -q -- "slopsloptrap-sloptrap-image" "$STUB_LOG"; then - record_failure "recursive_slopsloptrap: child image name missing" - fi - if ! grep -q -- "slopsloptrap-sloptrap-container" "$STUB_LOG"; then - record_failure "recursive_slopsloptrap: child container name missing" - fi - if ! grep -q -- "-v ${codex_root}/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then - record_failure "recursive_slopsloptrap: missing recursive auth bind mount" - fi - if ! grep -q -- "/capabilities/podman-preload:/codex/capabilities/podman/preload:Z" "$STUB_LOG"; then - record_failure "recursive_slopsloptrap: missing recursive preload bind mount" - fi - if ! grep -q -- "-v ${codex_root}/sloptrap/state/" "$STUB_LOG"; then - record_failure "recursive_slopsloptrap: missing recursive state bind mount" - fi - if ! 
grep -q -- "SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE=/codex/capabilities/podman/preload/slopsloptrap-sloptrap-image.tar" "$STUB_LOG"; then - record_failure "recursive_slopsloptrap: missing recursive preload archive environment" - fi - if grep -q -- "-v ${codex_root}/.codex/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then - record_failure "recursive_slopsloptrap: should not fall back to CODEX_HOME/.codex in recursive mode" - fi - if grep -q -- "/etc/subuid" "$STUB_LOG" || grep -q -- "/etc/subgid" "$STUB_LOG"; then - record_failure "recursive_slopsloptrap: launcher should not mount subid helper files" - fi - if grep -q -- "--read-only" "$STUB_LOG"; then - record_failure "recursive_slopsloptrap: nested podman should disable read-only rootfs" - fi - local first_run - first_run=$(grep "FAKE PODMAN: run " "$STUB_LOG" | head -n 1 || true) - if [[ -z $first_run || $first_run == *" login" ]]; then - record_failure "recursive_slopsloptrap: recursive auth should avoid login target" - fi - if ! grep -q -- "FAKE PODMAN: save -o " "$STUB_LOG"; then - record_failure "recursive_slopsloptrap: should export the parent image for recursive preload" - fi - if [[ $first_run != *"/bin/bash"* ]]; then - record_failure "recursive_slopsloptrap: shell target did not reach child container run" - fi - if [[ $first_run == *"--user "* ]]; then - record_failure "recursive_slopsloptrap: nested podman shell should not force --user" - fi - if [[ $first_run != *"--cap-add SETUID"* || $first_run != *"--cap-add SETGID"* ]]; then - record_failure "recursive_slopsloptrap: nested podman shell missing privilege bootstrap capabilities" - fi - teardown_stub_env - rm -rf "$temp_root" -} - -run_recursive_parent_image_fallback() { - printf '==> recursive_parent_image_fallback\n' - local temp_root helper_bin scenario_dir archive_path tool_log - local inner_podman_root inner_podman_runroot inner_runtime_dir - temp_root=$(mktemp -d) - helper_bin="$temp_root/bin" - scenario_dir="$temp_root/fallback-repo" - 
archive_path="$scenario_dir/parent-runtime.tar" - tool_log="$temp_root/tool.log" - inner_podman_root="$temp_root/podman-storage" - inner_podman_runroot="$temp_root/podman-run" - inner_runtime_dir="$temp_root/podman-runtime" - mkdir -p "$helper_bin" "$scenario_dir" "$inner_podman_root" "$inner_podman_runroot" "$inner_runtime_dir" - : >"$tool_log" - - cat >"$scenario_dir/.sloptrap" <<'EOF' -name=fallback-repo +name=removed-nested-podman capabilities=nested-podman EOF - printf 'archive\n' >"$archive_path" - - if ! extract_embedded_helper "sloppodman" "$helper_bin/sloppodman"; then - record_failure "recursive_parent_image_fallback: failed to extract sloppodman helper" - rm -rf "$temp_root" - return + if "$SLOPTRAP_BIN" --dry-run "$scenario_dir" >/dev/null 2>&1; then + record_failure "removed_nested_podman_manifest: expected nested-podman manifest rejection" fi - - cat >"$helper_bin/podman" <<'EOF' -#!/usr/bin/env bash -set -euo pipefail -printf 'podman %s\n' "$*" >>"$TEST_TOOL_LOG" -args=("$@") -idx=0 -loaded_flag="${TEST_TOOL_LOG}.loaded" -while (( idx < ${#args[@]} )); do - if [[ ${args[$idx]} == "image" ]] && (( idx + 1 < ${#args[@]} )) && [[ ${args[$((idx + 1))]} == "inspect" ]]; then - if [[ -f $loaded_flag ]]; then - exit 0 + if ! "$SLOPTRAP_BIN" --dry-run "$scenario_dir" >"$output_log" 2>&1; then + if ! grep -q -- "capability 'nested-podman' was removed" "$output_log"; then + record_failure "removed_nested_podman_manifest: missing explicit removal error" fi - exit 1 fi - if [[ ${args[$idx]} == "load" ]]; then - : >"$loaded_flag" - exit 0 - fi - ((idx+=1)) -done -exit 0 -EOF - cat >"$helper_bin/setpriv" <<'EOF' -#!/usr/bin/env bash -set -euo pipefail -while [[ $# -gt 0 ]]; do - case "$1" in - --reuid|--regid) - shift 2 - ;; - --clear-groups) - shift - ;; - --) - shift - break - ;; - *) - break - ;; - esac -done -exec "$@" -EOF - chmod +x "$helper_bin/sloppodman" "$helper_bin/podman" "$helper_bin/setpriv" - - if ! 
TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" HOME="$temp_root/home" CODEX_HOME="$temp_root/home" \ - SLOPTRAP_CONTAINER_ENGINE="sloppodman" \ - SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \ - SLOPTRAP_WORKDIR="$scenario_dir" \ - SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE="$archive_path" \ - SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \ - SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \ - XDG_RUNTIME_DIR="$inner_runtime_dir" \ - "$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" build-if-missing >/dev/null 2>&1; then - record_failure "recursive_parent_image_fallback: build-if-missing exited non-zero" - rm -rf "$temp_root" - return - fi - if grep -q -- 'podman --root .* build ' "$tool_log"; then - record_failure "recursive_parent_image_fallback: fallback should avoid podman build" - fi - if ! grep -q -- "podman --root $inner_podman_root --runroot $inner_podman_runroot --storage-driver vfs --cgroup-manager cgroupfs --events-backend file load -i $archive_path" "$tool_log"; then - record_failure "recursive_parent_image_fallback: fallback did not load the parent archive into the nested store" - fi - - rm -rf "$temp_root" + rm -f "$output_log" + rm -rf "$scenario_dir" } run_project_state_isolation() { @@ -934,7 +789,7 @@ run_capability_profiles() { teardown_stub_env return fi - if ! grep -q -- "CAPABILITY_PACKAGES=tcpdump podman uidmap fuse-overlayfs slirp4netns" "$STUB_LOG"; then + if ! grep -q -- "CAPABILITY_PACKAGES=tcpdump" "$STUB_LOG"; then record_failure "capability_profiles: build arg for capability packages missing" fi if ! grep -q -- "FAKE PODMAN: build --quiet -t capability-repo-sloptrap-image -f .* --network host " "$STUB_LOG"; then 
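Review bot: run_removed_nested_podman_manifest in the first hunk invokes `"$SLOPTRAP_BIN" --dry-run "$scenario_dir"` twice for the same scenario; the first call only checks the exit status and the second repeats the run to capture output, so one run with the status captured covers both assertions. The `grep` for `capability 'nested-podman' was removed` is the assertion that carries weight, since a dry-run that fails for an unrelated reason (this test, unlike its neighbours, passes no `--trust-capabilities`) would already satisfy the bare non-zero-exit check; that string has to match the launcher's message, which is not in this chunk. Cleanup of `$scenario_dir` and `$output_log` is fine because the function has no early return.
```shell
  local status=0
  "$SLOPTRAP_BIN" --dry-run "$scenario_dir" >"$output_log" 2>&1 || status=$?
  if (( status == 0 )); then
    record_failure "removed_nested_podman_manifest: expected nested-podman manifest rejection"
  elif ! grep -q -- "capability 'nested-podman' was removed" "$output_log"; then
    record_failure "removed_nested_podman_manifest: missing explicit removal error"
  fi
  # … unchanged: temp file and scenario dir cleanup …
```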
@@ -946,15 +801,6 @@ run_capability_profiles() { if ! grep -q -- "--cap-add NET_ADMIN" "$STUB_LOG"; then record_failure "capability_profiles: NET_ADMIN capability missing" fi - if ! grep -q -- "--device /dev/fuse" "$STUB_LOG"; then - record_failure "capability_profiles: /dev/fuse device missing" - fi - if ! grep -q -- "--cap-add SYS_CHROOT" "$STUB_LOG"; then - record_failure "capability_profiles: SYS_CHROOT capability missing" - fi - if ! grep -q -- "--cap-add MKNOD" "$STUB_LOG"; then - record_failure "capability_profiles: MKNOD capability missing" - fi if ! grep -q -- "--cap-add SETUID" "$STUB_LOG"; then record_failure "capability_profiles: SETUID capability missing" fi @@ -970,11 +816,8 @@ run_capability_profiles() { if ! grep -q -- "--cap-add FOWNER" "$STUB_LOG"; then record_failure "capability_profiles: FOWNER capability missing" fi - if ! grep -q -- "--security-opt seccomp=unconfined" "$STUB_LOG"; then - record_failure "capability_profiles: nested podman seccomp override missing" - fi - if grep -q -- "--security-opt no-new-privileges" "$STUB_LOG"; then - record_failure "capability_profiles: nested podman should not force no-new-privileges" + if ! grep -q -- "--security-opt no-new-privileges" "$STUB_LOG"; then + record_failure "capability_profiles: no-new-privileges missing" fi if grep -q -- "--read-only" "$STUB_LOG"; then record_failure "capability_profiles: apt profile should disable read-only rootfs" @@ -985,7 +828,7 @@ run_capability_profiles() { if ! grep -q -- "--userns=keep-id:uid=$(id -u),gid=$(id -g)" "$STUB_LOG"; then record_failure "capability_profiles: podman keep-id user namespace missing" fi - if ! grep -q -- "SLOPTRAP_ACTIVE_CAPABILITIES=apt-install nested-podman packet-capture" "$STUB_LOG"; then + if ! grep -q -- "SLOPTRAP_ACTIVE_CAPABILITIES=apt-install packet-capture" "$STUB_LOG"; then record_failure "capability_profiles: active capability environment missing" fi if ! grep -q -- "SLOPTRAP_HOST_UID=$(id -u)" "$STUB_LOG"; then 
@@ -997,27 +840,11 @@ run_capability_profiles() { if ! grep -q -- "SLOPTRAP_HOST_USER=$(id -un)" "$STUB_LOG"; then record_failure "capability_profiles: host user environment missing" fi - if ! grep -q -- "SLOPTRAP_INNER_PODMAN_HOST_NETWORK=1" "$STUB_LOG"; then - record_failure "capability_profiles: inner podman host-network mirror flag missing" - fi - if grep -q -- "/etc/subuid" "$STUB_LOG" || grep -q -- "/etc/subgid" "$STUB_LOG"; then - record_failure "capability_profiles: launcher should not mount subid helper files" - fi local state_root capability_dir state_root="$STUB_HOME/.codex/sloptrap/state" capability_dir=$(find "$state_root" -mindepth 2 -maxdepth 2 -type d -name capabilities | head -n 1 || true) if [[ -z $capability_dir ]]; then record_failure "capability_profiles: project capability state directory missing" - else - if [[ ! -d $capability_dir/podman-storage ]]; then - record_failure "capability_profiles: nested podman storage state missing" - fi - if [[ ! -d $capability_dir/podman-run ]]; then - record_failure "capability_profiles: nested podman runroot state missing" - fi - if [[ ! -d $capability_dir/podman-runtime ]]; then - record_failure "capability_profiles: nested podman runtime state missing" - fi fi teardown_stub_env } 
@@ -1025,39 +852,25 @@ run_capability_profiles() { run_embedded_capability_helpers() { printf '==> embedded_capability_helpers\n' local temp_root helper_bin helper_dir workspace_dir capture_dir tool_log helper_pid - local inner_podman_root inner_podman_runroot inner_runtime_dir temp_root=$(mktemp -d) helper_bin="$temp_root/bin" helper_dir="$temp_root/helper" workspace_dir="$temp_root/workspace" capture_dir="$temp_root/captures" tool_log="$temp_root/tool.log" - inner_podman_root="$temp_root/podman-storage" - inner_podman_runroot="$temp_root/podman-run" - inner_runtime_dir="$temp_root/podman-runtime" helper_pid="" - mkdir -p "$helper_bin" "$helper_dir/queue" "$workspace_dir/data" "$capture_dir" \ - "$inner_podman_root" "$inner_podman_runroot" "$inner_runtime_dir" + mkdir -p "$helper_bin" "$helper_dir/queue" "$workspace_dir/data" "$capture_dir" : >"$tool_log" if ! extract_embedded_helper "sloptrap-entrypoint" "$helper_bin/sloptrap-entrypoint" \ || ! extract_embedded_helper "sloptrap-helperd" "$helper_bin/sloptrap-helperd" \ || ! extract_embedded_helper "slop-apt" "$helper_bin/slop-apt" \ - || ! extract_embedded_helper "slopcap" "$helper_bin/slopcap" \ - || ! extract_embedded_helper "sloppodman" "$helper_bin/sloppodman"; then + || ! extract_embedded_helper "slopcap" "$helper_bin/slopcap"; then record_failure "embedded_capability_helpers: failed to extract embedded helper scripts" rm -rf "$temp_root" return fi -cat >"$helper_bin/podman" <<'EOF' -#!/usr/bin/env bash -set -euo pipefail -printf 'podman-env BUILDAH_ISOLATION=%s _CONTAINERS_USERNS_CONFIGURED=%s CONTAINERS_STORAGE_CONF=%s CONTAINERS_CONF=%s\n' \ - "${BUILDAH_ISOLATION:-}" "${_CONTAINERS_USERNS_CONFIGURED:-}" "${CONTAINERS_STORAGE_CONF:-}" "${CONTAINERS_CONF:-}" >>"$TEST_TOOL_LOG" -printf 'podman %s\n' "$*" >>"$TEST_TOOL_LOG" -exit 0 -EOF cat >"$helper_bin/apt-get" <<'EOF' #!/usr/bin/env bash set -euo pipefail 
@@ -1106,7 +919,7 @@ while [[ $# -gt 0 ]]; do done exec "$@" EOF - chmod +x "$helper_bin/podman" "$helper_bin/apt-get" "$helper_bin/tcpdump" "$helper_bin/setpriv" + chmod +x "$helper_bin/apt-get" "$helper_bin/tcpdump" "$helper_bin/setpriv" if ! grep -q "chmod 711 \"\\\$helper_dir\"" "$helper_bin/sloptrap-entrypoint" \ || ! grep -q "chmod 1733 \"\\\$queue_dir\"" "$helper_bin/sloptrap-entrypoint"; then 
@@ -1130,161 +943,6 @@ EOF wait "$(cat "$autostart_helper_dir/helperd.pid")" >/dev/null 2>&1 || true fi - local missing_cap_status=0 - if TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="" \ - SLOPTRAP_WORKDIR="$workspace_dir" \ - SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \ - SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \ - XDG_RUNTIME_DIR="$inner_runtime_dir" \ - "$helper_bin/sloppodman" ps >/dev/null 2>&1; then - record_failure "embedded_capability_helpers: sloppodman should reject runs without nested-podman" - else - missing_cap_status=$? - fi - if [[ $missing_cap_status -ne 126 ]]; then - record_failure "embedded_capability_helpers: sloppodman returned the wrong status when capability was absent" - fi - - if TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \ - SLOPTRAP_WORKDIR="$workspace_dir" \ - SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \ - SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \ - XDG_RUNTIME_DIR="$inner_runtime_dir" \ - "$helper_bin/sloppodman" run --privileged example/image >/dev/null 2>&1; then - record_failure "embedded_capability_helpers: sloppodman allowed --privileged" - fi - - if TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \ - SLOPTRAP_WORKDIR="$workspace_dir" \ - SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \ - SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \ - XDG_RUNTIME_DIR="$inner_runtime_dir" \ - "$helper_bin/sloppodman" run -v /tmp:/host example/image >/dev/null 2>&1; then - record_failure "embedded_capability_helpers: sloppodman allowed an out-of-workspace bind mount" - fi - - if ! 
( - cd "$workspace_dir" && TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" \ - SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" SLOPTRAP_WORKDIR="$workspace_dir" \ - SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \ - SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \ - XDG_RUNTIME_DIR="$inner_runtime_dir" \ - "$helper_bin/sloppodman" run -v ./data:/data example/image true >/dev/null 2>&1 - ); then - record_failure "embedded_capability_helpers: sloppodman rejected a workspace-local bind mount" - fi - if ! grep -q -- 'podman --root ' "$tool_log" || ! grep -q -- '-v ./data:/data' "$tool_log"; then - record_failure "embedded_capability_helpers: sloppodman did not invoke podman with the validated run arguments" - fi - if ! grep -q -- 'setpriv --reuid 0 --regid 0 --clear-groups -- env ' "$tool_log"; then - record_failure "embedded_capability_helpers: sloppodman did not re-enter root before invoking podman" - fi - if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \ - SLOPTRAP_WORKDIR="$workspace_dir" \ - SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \ - SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \ - XDG_RUNTIME_DIR="$inner_runtime_dir" \ - "$helper_bin/sloppodman" image inspect example/image >/dev/null 2>&1; then - record_failure "embedded_capability_helpers: sloppodman rejected image inspect" - fi - if ! grep -q -- 'podman --root .* image inspect example/image' "$tool_log"; then - record_failure "embedded_capability_helpers: sloppodman did not forward image inspect" - fi - if ! grep -q -- '--storage-driver vfs' "$tool_log" \ - || ! grep -q -- '--cgroup-manager cgroupfs' "$tool_log" \ - || ! grep -q -- '--events-backend file' "$tool_log"; then - record_failure "embedded_capability_helpers: sloppodman did not apply the nested podman runtime defaults" - fi - if ! 
grep -q -- 'podman-env BUILDAH_ISOLATION=chroot ' "$tool_log"; then - record_failure "embedded_capability_helpers: sloppodman did not set BUILDAH_ISOLATION=chroot" - fi - if ! grep -q -- '_CONTAINERS_USERNS_CONFIGURED=done ' "$tool_log"; then - record_failure "embedded_capability_helpers: sloppodman did not mark nested podman as already userns-configured" - fi - if [[ ! -f $inner_runtime_dir/config/containers/storage.conf ]] \ - || [[ ! -f $inner_runtime_dir/config/containers/containers.conf ]]; then - record_failure "embedded_capability_helpers: sloppodman did not materialize its container config files" - elif ! grep -q -- 'ignore_chown_errors = "true"' "$inner_runtime_dir/config/containers/storage.conf"; then - record_failure "embedded_capability_helpers: storage.conf did not enable ignore_chown_errors" - fi - - local caller_uid caller_gid caller_user - caller_uid=$(id -u) - caller_gid=$(id -g) - caller_user=$(id -un) - cat >"$helper_bin/id" <<'EOF' -#!/usr/bin/env bash -set -euo pipefail -case "${1-}" in - -u) - printf '0\n' - ;; - -g) - printf '0\n' - ;; - -un) - printf 'root\n' - ;; - *) - printf 'uid=0(root) gid=0(root) groups=0(root)\n' - ;; -esac -EOF - cat >"$temp_root/entrypoint-helperd" <<'EOF' -#!/usr/bin/env bash -set -euo pipefail -exit 0 -EOF - chmod +x "$helper_bin/id" "$temp_root/entrypoint-helperd" - local entry_subuid entry_subgid - entry_subuid="$temp_root/entry-subuid" - entry_subgid="$temp_root/entry-subgid" - printf 'sloptrap:100000:65536\n' >"$entry_subuid" - printf 'sloptrap:100000:65536\n' >"$entry_subgid" - if ! 
TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \ - SLOPTRAP_HOST_UID="1337" SLOPTRAP_HOST_GID="1337" SLOPTRAP_HOST_USER="$caller_user" \ - SLOPTRAP_PODMAN_SUBUID_FILE="$entry_subuid" SLOPTRAP_PODMAN_SUBGID_FILE="$entry_subgid" \ - SLOPTRAP_PODMAN_SUBID_START="200000" SLOPTRAP_PODMAN_SUBID_COUNT="65536" \ - SLOPTRAP_PODMAN_SUBGID_START="200000" SLOPTRAP_PODMAN_SUBGID_COUNT="65536" \ - SLOPTRAP_HELPERD_BIN="$temp_root/entrypoint-helperd" \ - "$helper_bin/sloptrap-entrypoint" true >/dev/null 2>&1; then - record_failure "embedded_capability_helpers: entrypoint did not synthesize subid files for the host user" - fi - if [[ -z $(awk -F: -v account="$caller_user" '$1 == account { print $2 ":" $3 }' "$entry_subuid" 2>/dev/null || true) ]]; then - record_failure "embedded_capability_helpers: entrypoint did not prefer SLOPTRAP_HOST_USER for subuid synthesis" - fi - if [[ -z $(awk -F: -v account="$caller_user" '$1 == account { print $2 ":" $3 }' "$entry_subgid" 2>/dev/null || true) ]]; then - record_failure "embedded_capability_helpers: entrypoint did not prefer SLOPTRAP_HOST_USER for subgid synthesis" - fi - local caller_subuid root_subuid caller_subgid root_subgid - local helper_subuid_file helper_subgid_file - helper_subuid_file="$temp_root/helper-subuid" - helper_subgid_file="$temp_root/helper-subgid" - if ! 
TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \ - SLOPTRAP_WORKDIR="$workspace_dir" \ - SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \ - SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \ - XDG_RUNTIME_DIR="$inner_runtime_dir" \ - SLOPTRAP_PODMAN_ESCALATED=1 \ - SLOPTRAP_PODMAN_CALLER_UID="$caller_uid" \ - SLOPTRAP_PODMAN_CALLER_GID="$caller_gid" \ - SLOPTRAP_PODMAN_CALLER_USER="$caller_user" \ - SLOPTRAP_PODMAN_SUBUID_FILE="$helper_subuid_file" \ - SLOPTRAP_PODMAN_SUBGID_FILE="$helper_subgid_file" \ - "$helper_bin/sloppodman" image inspect example/image >/dev/null 2>&1; then - record_failure "embedded_capability_helpers: sloppodman did not synthesize caller and root subid files" - fi - caller_subuid=$(awk -F: -v account="$caller_user" '$1 == account { print $2 ":" $3 }' "$helper_subuid_file" 2>/dev/null || true) - root_subuid=$(awk -F: '$1 == "root" { print $2 ":" $3 }' "$helper_subuid_file" 2>/dev/null || true) - caller_subgid=$(awk -F: -v account="$caller_user" '$1 == account { print $2 ":" $3 }' "$helper_subgid_file" 2>/dev/null || true) - root_subgid=$(awk -F: '$1 == "root" { print $2 ":" $3 }' "$helper_subgid_file" 2>/dev/null || true) - if [[ -z $caller_subuid || $caller_subuid != "$root_subuid" ]]; then - record_failure "embedded_capability_helpers: sloppodman did not mirror caller subuid data onto root" - fi - if [[ -z $caller_subgid || $caller_subgid != "$root_subgid" ]]; then - record_failure "embedded_capability_helpers: sloppodman did not mirror caller subgid data onto root" - fi - TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$helper_dir" \ SLOPTRAP_ACTIVE_CAPABILITIES="apt-install packet-capture" \ SLOPTRAP_CAPTURE_DIR="$capture_dir" SLOPTRAP_WORKDIR="$workspace_dir" \ 
@@ -1373,7 +1031,7 @@ run_make_install_single_file() { record_failure "make_install_single_file: installed launcher missing" fi local helper - for helper in sloptrap-entrypoint sloptrap-helperd slop-apt slopcap sloppodman; do + for helper in sloptrap-entrypoint sloptrap-helperd slop-apt slopcap; do if [[ -e $install_dir/$helper ]]; then record_failure "make_install_single_file: unexpected helper installed ($helper)" fi @@ -1409,8 +1067,6 @@ run_sh_reexec run_resume_omits_runtime_context run_auth_file_mount run_codex_home_override -run_recursive_slopsloptrap -run_recursive_parent_image_fallback run_project_state_isolation run_auto_login_empty_auth run_codex_symlink_home @@ -1424,6 +1080,7 @@ run_invalid_manifest_sandbox run_invalid_manifest_packages run_invalid_manifest_capabilities run_invalid_allow_host_network +run_removed_nested_podman_manifest run_wizard_create_manifest run_wizard_existing_defaults run_wizard_build_trigger