Remove nested-podman

Samuel Aubertin
2026-03-10 11:02:44 +01:00
parent 438959ca03
commit fb3aca0f7d
6 changed files with 42 additions and 1268 deletions


@@ -1,4 +1,4 @@
name=skz-sloptrap name=skz-sloptrap
packages_extra=bash make shellcheck jq podman iproute2 strace packages_extra=bash make shellcheck jq podman iproute2 strace
capabilities=apt-install nested-podman packet-capture capabilities=apt-install packet-capture
allow_host_network=false allow_host_network=false
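Review bot: `packages_extra` on this line still installs `podman` even though `nested-podman` is dropped from `capabilities` on the next line; if the in-container podman binary has no remaining supported use, remove it from `packages_extra` as well, otherwise the image keeps an unused tool and the intent of this manifest is ambiguous.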


@@ -3,16 +3,6 @@
This workspace is the source code of `sloptrap`, eg. your own runtime. This workspace is the source code of `sloptrap`, eg. your own runtime.
Your author, 'sk4nz', has ran the command `sloptrap path/to/skz-sloptrap` and you are living in your own reflection. Your author, 'sk4nz', has ran the command `sloptrap path/to/skz-sloptrap` and you are living in your own reflection.
# Recursive `slopsloptrap`
sloptrap can recurse.
If you need to prove it, spawn a child from this repo with sloptrap:
`./sloptrap /workspace ...`
This starts a child `slopsloptrap`. Use the child normally, as the end-user would.
# Keep Memory # Keep Memory
Future sloptrap instances should add short, useful, durable notes they learn during their session to this file. Future sloptrap instances should add short, useful, durable notes they learn during their session to this file.
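Review bot: the retained context line `Your author, 'sk4nz', has ran the command ...` carries two small grammar slips that are worth fixing while this file is open: `has ran` should be `has run`, and `eg. your own runtime` on the line above reads as `i.e. your own runtime`. With the `Recursive slopsloptrap` section gone, also check that nothing further down this file still instructs the agent to spawn a child with `./sloptrap /workspace`.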
@@ -24,19 +14,8 @@ Do not remove existing instructions unless they are outdated or wrong.
--- ---
# Session Memory # Session Memory
- When you make changes that affect how the runtime behaves and cannot test it with recursion, you can ask sk4nz to restart you. - When runtime changes need a fresh sloptrap session to validate, ask sk4nz to restart you and give an exact prompt to continue from the current checkpoint.
- If recursion is blocked by the current session state and a restart is required, give sk4nz an exact prompt to paste into the next restarted session so it can continue from the current checkpoint.
- Useful checks in the skz-sloptrap repo: - Useful checks in the skz-sloptrap repo:
`shellcheck sloptrap` `shellcheck sloptrap`
`bash tests/run_tests.sh` (you can also run them separately) `bash tests/run_tests.sh` (you can also run them separately)
- Recursive nested-podman inside an already user-namespaced sloptrap needs subuid/subgid ranges derived from `/proc/self/uid_map` and `/proc/self/gid_map`; hardcoding `100000:65536` breaks `newuidmap`.
- When running tests from inside sloptrap, inherited `CODEX_HOME=/codex` plus `SLOPTRAP_PREFER_CODEX_HOME=1` can leak into host-style child launches; ignore that preference when `HOME` has been redirected elsewhere and the runtime hints still point into the inherited `/codex` tree. - When running tests from inside sloptrap, inherited `CODEX_HOME=/codex` plus `SLOPTRAP_PREFER_CODEX_HOME=1` can leak into host-style child launches; ignore that preference when `HOME` has been redirected elsewhere and the runtime hints still point into the inherited `/codex` tree.
- For real recursive `./sloptrap` launches, correct `/proc/self/uid_map` alone is not enough: if the current session still has stale read-only `/etc/subuid` and `/etc/subgid` mounts (for example `sk4nz:100000:65536`), the first nested podman launch still fails before child startup.
- Forcing `SLOPTRAP_CONTAINER_ENGINE=sloppodman` inside sloptrap also needs `TMPDIR` under `/workspace`; otherwise its build-context path guard rejects the staged Dockerfile under `/tmp` before you reach the real subuid/subgid problem.
- If a restarted session still inherits stale read-only `/etc/subuid` and `/etc/subgid` tmpfs mounts, an unprivileged agent cannot repair them in-place (`umount` says `must be superuser to unmount`); both podman and sloppodman stay blocked until the session starts without those mounts.
- Outer sloptrap launches no longer need `/etc/subuid` or `/etc/subgid` bind mounts: `nested-podman` now disables read-only rootfs and the container entrypoint synthesizes container-local subid files from `/proc/self/{uid,gid}_map` before dropping privileges.
- Even without stale `/etc/subuid` mounts, recursion still fails if the container-local subid files name `sloptrap` instead of the real dropped user (`sk4nz` here): `podman info --debug` warns `no subuid ranges found for user "sk4nz"` and the first inner build dies in `newuidmap ... write to uid_map failed: Operation not permitted`.
- In this Debian 13 / podman 5.4.2 environment, exporting `_CONTAINERS_USERNS_CONFIGURED=done` for nested podman moves the failure past `newuidmap`, but the next blockers are inside Buildah: with `BUILDAH_ISOLATION=chroot`, recursive builds fail `cannot set --network other than host with --isolation chroot`; without chroot, `podman build` can segfault in `network.defaultNetworkBackend`.
- Recursive preload now has a host-side path: the outer launcher saves `$SLOPTRAP_IMAGE_NAME` into capability state and mounts it into the container as `SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE=/codex/capabilities/podman/preload/<image>.tar`, and child `build-if-missing` tries `sloppodman load -i` before any inner build. A pre-existing session must be restarted to test that path because it cannot add the new preload mount/env to itself after startup.
- With stale subid mounts gone, recursive `./sloptrap /workspace` can still fail earlier during the inner image build: `crun` tries to open `/proc/sys/net/ipv4/ping_group_range` and gets `Read-only file system` while creating the build container.
- In a fragile nested-podman session, `podman system migrate` can make things worse: a state that still answered `podman info` fell back to repeated `newuidmap ... write to uid_map failed: Operation not permitted` failures afterward.
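Review bot: the deleted memory items record concrete failure modes (stale read-only `/etc/subuid` tmpfs mounts, `newuidmap ... write to uid_map failed: Operation not permitted`, `crun` hitting a read-only `/proc/sys/net/ipv4/ping_group_range`), and the `Keep Memory` heading asks future instances to preserve durable notes; since the commit message is just `Remove nested-podman`, keep a one-line item here stating that nested podman was removed because rootless recursion could not be made reliable, so the next instance does not re-attempt it.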


@@ -62,7 +62,7 @@ Supported keys when the manifest is present:
| --- | --- | --- | | --- | --- | --- |
| `name` | project directory name | Must match `^[A-Za-z0-9_.-]+$`. Used for image/container naming. | | `name` | project directory name | Must match `^[A-Za-z0-9_.-]+$`. Used for image/container naming. |
| `packages_extra` | *empty* | Additional Debian packages installed during `docker/podman build`. Tokens must be alphanumeric plus `+.-`. | | `packages_extra` | *empty* | Additional Debian packages installed during `docker/podman build`. Tokens must be alphanumeric plus `+.-`. |
| `capabilities` | *empty* | Optional privileged features. Supported values are `apt-install`, `packet-capture`, and `nested-podman`. | | `capabilities` | *empty* | Optional privileged features. Supported values are `apt-install` and `packet-capture`. |
| `allow_host_network` | `false` | `true` opts into `--network host`; keep `false` unless the project absolutely requires direct access to host-local services. | | `allow_host_network` | `false` | `true` opts into `--network host`; keep `false` unless the project absolutely requires direct access to host-local services. |
Values containing `$`, `` ` ``, or newlines are rejected to prevent command injection. Setting illegal keys or malformed values aborts the run before containers start. Values containing `$`, `` ` ``, or newlines are rejected to prevent command injection. Setting illegal keys or malformed values aborts the run before containers start.
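Review bot: the `capabilities` row now lists only `apt-install` and `packet-capture`, but the new test `run_removed_nested_podman_manifest` in this commit expects a dedicated error containing `capability 'nested-podman' was removed`; document here, or in the paragraph about malformed values aborting the run, that `nested-podman` is rejected with an explicit removal message rather than as an unknown value, so maintainers of existing manifests know to delete the token.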
@@ -131,8 +131,6 @@ When the current manifest's capabilities are trusted and enabled, the container
- `slop-apt install <package...>` for session-scoped package installation. - `slop-apt install <package...>` for session-scoped package installation.
- `slopcap capture --interface <iface> [--filter <expr>] [--output <path>] [--stdout]` for packet capture. - `slopcap capture --interface <iface> [--filter <expr>] [--output <path>] [--stdout]` for packet capture.
- `sloppodman <pull|build|tag|run|ps|logs|stop|rm|inspect> ...` for nested Podman workflows. `build` contexts and Dockerfiles must remain inside `/workspace`, and pushes are not supported.
- When `nested-podman` is enabled, sloptrap makes the container root filesystem writable long enough to synthesize container-local `/etc/subuid` and `/etc/subgid` files from the live namespace maps, so rootless nested Podman does not depend on host subid files.
## Execution Environment ## Execution Environment
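Review bot: removing the `nested-podman` bullet also removes the only statement that a capability makes the container root filesystem writable; the test in this same commit still asserts that the `apt profile should disable read-only rootfs`, so state that exception explicitly in the `## Execution Environment` section so the remaining privilege posture is documented in one place.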

sloptrap (890): file diff suppressed because it is too large.


@@ -1,3 +1,3 @@
name=capability-repo name=capability-repo
capabilities=apt-install packet-capture nested-podman capabilities=apt-install packet-capture
allow_host_network=true allow_host_network=true


@@ -383,7 +383,7 @@ run_runtime_context_prompt() {
record_failure "runtime_context_prompt: startup prompt missing from fresh run" record_failure "runtime_context_prompt: startup prompt missing from fresh run"
fi fi
if ! grep -q -- "name=capability-repo" "$STUB_LOG" \ if ! grep -q -- "name=capability-repo" "$STUB_LOG" \
|| ! grep -q -- "enabled_capabilities=apt-install nested-podman packet-capture" "$STUB_LOG" \ || ! grep -q -- "enabled_capabilities=apt-install packet-capture" "$STUB_LOG" \
|| ! grep -q -- "network_mode=host" "$STUB_LOG"; then || ! grep -q -- "network_mode=host" "$STUB_LOG"; then
record_failure "runtime_context_prompt: runtime summary missing manifest or capability state" record_failure "runtime_context_prompt: runtime summary missing manifest or capability state"
fi fi
@@ -483,170 +483,25 @@ run_codex_home_override() {
teardown_stub_env teardown_stub_env
} }
run_recursive_slopsloptrap() { run_removed_nested_podman_manifest() {
local scenario_dir temp_root codex_root local scenario_dir output_log
printf '==> recursive_slopsloptrap\n' scenario_dir=$(mktemp -d)
setup_stub_env output_log=$(mktemp)
temp_root=$(mktemp -d) printf '==> removed_nested_podman_manifest\n'
scenario_dir="$temp_root/slopsloptrap"
codex_root="$temp_root/codex-root"
mkdir -p "$scenario_dir" "$codex_root"
cat >"$scenario_dir/.sloptrap" <<'EOF' cat >"$scenario_dir/.sloptrap" <<'EOF'
name=slopsloptrap name=removed-nested-podman
capabilities=nested-podman
allow_host_network=false
EOF
printf '{"access_token":"test"}\n' >"$codex_root/auth.json"
if ! PATH="$STUB_BIN:$PATH" HOME="$codex_root" CODEX_HOME="$codex_root" \
FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
"$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" shell </dev/null >/dev/null 2>&1; then
record_failure "recursive_slopsloptrap: sloptrap exited non-zero"
teardown_stub_env
rm -rf "$temp_root"
return
fi
if ! grep -q -- "slopsloptrap-sloptrap-image" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: child image name missing"
fi
if ! grep -q -- "slopsloptrap-sloptrap-container" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: child container name missing"
fi
if ! grep -q -- "-v ${codex_root}/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: missing recursive auth bind mount"
fi
if ! grep -q -- "/capabilities/podman-preload:/codex/capabilities/podman/preload:Z" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: missing recursive preload bind mount"
fi
if ! grep -q -- "-v ${codex_root}/sloptrap/state/" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: missing recursive state bind mount"
fi
if ! grep -q -- "SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE=/codex/capabilities/podman/preload/slopsloptrap-sloptrap-image.tar" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: missing recursive preload archive environment"
fi
if grep -q -- "-v ${codex_root}/.codex/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: should not fall back to CODEX_HOME/.codex in recursive mode"
fi
if grep -q -- "/etc/subuid" "$STUB_LOG" || grep -q -- "/etc/subgid" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: launcher should not mount subid helper files"
fi
if grep -q -- "--read-only" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: nested podman should disable read-only rootfs"
fi
local first_run
first_run=$(grep "FAKE PODMAN: run " "$STUB_LOG" | head -n 1 || true)
if [[ -z $first_run || $first_run == *" login" ]]; then
record_failure "recursive_slopsloptrap: recursive auth should avoid login target"
fi
if ! grep -q -- "FAKE PODMAN: save -o " "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: should export the parent image for recursive preload"
fi
if [[ $first_run != *"/bin/bash"* ]]; then
record_failure "recursive_slopsloptrap: shell target did not reach child container run"
fi
if [[ $first_run == *"--user "* ]]; then
record_failure "recursive_slopsloptrap: nested podman shell should not force --user"
fi
if [[ $first_run != *"--cap-add SETUID"* || $first_run != *"--cap-add SETGID"* ]]; then
record_failure "recursive_slopsloptrap: nested podman shell missing privilege bootstrap capabilities"
fi
teardown_stub_env
rm -rf "$temp_root"
}
run_recursive_parent_image_fallback() {
printf '==> recursive_parent_image_fallback\n'
local temp_root helper_bin scenario_dir archive_path tool_log
local inner_podman_root inner_podman_runroot inner_runtime_dir
temp_root=$(mktemp -d)
helper_bin="$temp_root/bin"
scenario_dir="$temp_root/fallback-repo"
archive_path="$scenario_dir/parent-runtime.tar"
tool_log="$temp_root/tool.log"
inner_podman_root="$temp_root/podman-storage"
inner_podman_runroot="$temp_root/podman-run"
inner_runtime_dir="$temp_root/podman-runtime"
mkdir -p "$helper_bin" "$scenario_dir" "$inner_podman_root" "$inner_podman_runroot" "$inner_runtime_dir"
: >"$tool_log"
cat >"$scenario_dir/.sloptrap" <<'EOF'
name=fallback-repo
capabilities=nested-podman capabilities=nested-podman
EOF EOF
printf 'archive\n' >"$archive_path" if "$SLOPTRAP_BIN" --dry-run "$scenario_dir" >/dev/null 2>&1; then
record_failure "removed_nested_podman_manifest: expected nested-podman manifest rejection"
if ! extract_embedded_helper "sloppodman" "$helper_bin/sloppodman"; then
record_failure "recursive_parent_image_fallback: failed to extract sloppodman helper"
rm -rf "$temp_root"
return
fi fi
if ! "$SLOPTRAP_BIN" --dry-run "$scenario_dir" >"$output_log" 2>&1; then
cat >"$helper_bin/podman" <<'EOF' if ! grep -q -- "capability 'nested-podman' was removed" "$output_log"; then
#!/usr/bin/env bash record_failure "removed_nested_podman_manifest: missing explicit removal error"
set -euo pipefail
printf 'podman %s\n' "$*" >>"$TEST_TOOL_LOG"
args=("$@")
idx=0
loaded_flag="${TEST_TOOL_LOG}.loaded"
while (( idx < ${#args[@]} )); do
if [[ ${args[$idx]} == "image" ]] && (( idx + 1 < ${#args[@]} )) && [[ ${args[$((idx + 1))]} == "inspect" ]]; then
if [[ -f $loaded_flag ]]; then
exit 0
fi fi
exit 1
fi fi
if [[ ${args[$idx]} == "load" ]]; then rm -f "$output_log"
: >"$loaded_flag" rm -rf "$scenario_dir"
exit 0
fi
((idx+=1))
done
exit 0
EOF
cat >"$helper_bin/setpriv" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
while [[ $# -gt 0 ]]; do
case "$1" in
--reuid|--regid)
shift 2
;;
--clear-groups)
shift
;;
--)
shift
break
;;
*)
break
;;
esac
done
exec "$@"
EOF
chmod +x "$helper_bin/sloppodman" "$helper_bin/podman" "$helper_bin/setpriv"
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" HOME="$temp_root/home" CODEX_HOME="$temp_root/home" \
SLOPTRAP_CONTAINER_ENGINE="sloppodman" \
SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \
SLOPTRAP_WORKDIR="$scenario_dir" \
SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE="$archive_path" \
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
XDG_RUNTIME_DIR="$inner_runtime_dir" \
"$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" build-if-missing >/dev/null 2>&1; then
record_failure "recursive_parent_image_fallback: build-if-missing exited non-zero"
rm -rf "$temp_root"
return
fi
if grep -q -- 'podman --root .* build ' "$tool_log"; then
record_failure "recursive_parent_image_fallback: fallback should avoid podman build"
fi
if ! grep -q -- "podman --root $inner_podman_root --runroot $inner_podman_runroot --storage-driver vfs --cgroup-manager cgroupfs --events-backend file load -i $archive_path" "$tool_log"; then
record_failure "recursive_parent_image_fallback: fallback did not load the parent archive into the nested store"
fi
rm -rf "$temp_root"
} }
run_project_state_isolation() { run_project_state_isolation() {
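Review bot: `run_removed_nested_podman_manifest` invokes `"$SLOPTRAP_BIN" --dry-run "$scenario_dir"` twice with identical input, once for the exit status and once for the output; run it once into `$output_log`, then check both the non-zero status and the `capability 'nested-podman' was removed` message, which also removes the nested `if ! ...; then if ! grep ...` where the message check is silently skipped whenever the first call unexpectedly succeeds. The removed tests also held the only negative launcher assertions (`launcher should not mount subid helper files`, no `--read-only` for nested podman); since the launcher's own diff is suppressed on this page, consider keeping a check that a `nested-podman` manifest never reaches a `FAKE PODMAN: run` invocation.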
@@ -934,7 +789,7 @@ run_capability_profiles() {
teardown_stub_env teardown_stub_env
return return
fi fi
if ! grep -q -- "CAPABILITY_PACKAGES=tcpdump podman uidmap fuse-overlayfs slirp4netns" "$STUB_LOG"; then if ! grep -q -- "CAPABILITY_PACKAGES=tcpdump" "$STUB_LOG"; then
record_failure "capability_profiles: build arg for capability packages missing" record_failure "capability_profiles: build arg for capability packages missing"
fi fi
if ! grep -q -- "FAKE PODMAN: build --quiet -t capability-repo-sloptrap-image -f .* --network host " "$STUB_LOG"; then if ! grep -q -- "FAKE PODMAN: build --quiet -t capability-repo-sloptrap-image -f .* --network host " "$STUB_LOG"; then
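Review bot: `grep -q -- "CAPABILITY_PACKAGES=tcpdump" "$STUB_LOG"` is a prefix match and would still pass if the build arg were `CAPABILITY_PACKAGES=tcpdump podman uidmap fuse-overlayfs slirp4netns`, so this change does not prove the podman packages were dropped; anchor the match to the end of the value (for example `CAPABILITY_PACKAGES=tcpdump ` with a trailing space, or a regex ending in `$`, depending on how the stub logs the build line) or add a negative `grep` for `uidmap`.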
@@ -946,15 +801,6 @@ run_capability_profiles() {
if ! grep -q -- "--cap-add NET_ADMIN" "$STUB_LOG"; then if ! grep -q -- "--cap-add NET_ADMIN" "$STUB_LOG"; then
record_failure "capability_profiles: NET_ADMIN capability missing" record_failure "capability_profiles: NET_ADMIN capability missing"
fi fi
if ! grep -q -- "--device /dev/fuse" "$STUB_LOG"; then
record_failure "capability_profiles: /dev/fuse device missing"
fi
if ! grep -q -- "--cap-add SYS_CHROOT" "$STUB_LOG"; then
record_failure "capability_profiles: SYS_CHROOT capability missing"
fi
if ! grep -q -- "--cap-add MKNOD" "$STUB_LOG"; then
record_failure "capability_profiles: MKNOD capability missing"
fi
if ! grep -q -- "--cap-add SETUID" "$STUB_LOG"; then if ! grep -q -- "--cap-add SETUID" "$STUB_LOG"; then
record_failure "capability_profiles: SETUID capability missing" record_failure "capability_profiles: SETUID capability missing"
fi fi
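Review bot: deleting the `--device /dev/fuse`, `--cap-add SYS_CHROOT` and `--cap-add MKNOD` assertions leaves no check in either direction; since the purpose of dropping `nested-podman` is to shrink the container's privilege set, invert them instead (`if grep -q -- "--device /dev/fuse" "$STUB_LOG"; then record_failure ...`) so a regression that reintroduces those grants fails the suite.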
@@ -970,11 +816,8 @@ run_capability_profiles() {
if ! grep -q -- "--cap-add FOWNER" "$STUB_LOG"; then if ! grep -q -- "--cap-add FOWNER" "$STUB_LOG"; then
record_failure "capability_profiles: FOWNER capability missing" record_failure "capability_profiles: FOWNER capability missing"
fi fi
if ! grep -q -- "--security-opt seccomp=unconfined" "$STUB_LOG"; then if ! grep -q -- "--security-opt no-new-privileges" "$STUB_LOG"; then
record_failure "capability_profiles: nested podman seccomp override missing" record_failure "capability_profiles: no-new-privileges missing"
fi
if grep -q -- "--security-opt no-new-privileges" "$STUB_LOG"; then
record_failure "capability_profiles: nested podman should not force no-new-privileges"
fi fi
if grep -q -- "--read-only" "$STUB_LOG"; then if grep -q -- "--read-only" "$STUB_LOG"; then
record_failure "capability_profiles: apt profile should disable read-only rootfs" record_failure "capability_profiles: apt profile should disable read-only rootfs"
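Review bot: the new positive check for `--security-opt no-new-privileges` is the right direction, but the former pair also asserted the inverse; add `if grep -q -- "--security-opt seccomp=unconfined" "$STUB_LOG"; then record_failure ...` so a leftover seccomp override cannot coexist with `no-new-privileges` unnoticed.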
@@ -985,7 +828,7 @@ run_capability_profiles() {
if ! grep -q -- "--userns=keep-id:uid=$(id -u),gid=$(id -g)" "$STUB_LOG"; then if ! grep -q -- "--userns=keep-id:uid=$(id -u),gid=$(id -g)" "$STUB_LOG"; then
record_failure "capability_profiles: podman keep-id user namespace missing" record_failure "capability_profiles: podman keep-id user namespace missing"
fi fi
if ! grep -q -- "SLOPTRAP_ACTIVE_CAPABILITIES=apt-install nested-podman packet-capture" "$STUB_LOG"; then if ! grep -q -- "SLOPTRAP_ACTIVE_CAPABILITIES=apt-install packet-capture" "$STUB_LOG"; then
record_failure "capability_profiles: active capability environment missing" record_failure "capability_profiles: active capability environment missing"
fi fi
if ! grep -q -- "SLOPTRAP_HOST_UID=$(id -u)" "$STUB_LOG"; then if ! grep -q -- "SLOPTRAP_HOST_UID=$(id -u)" "$STUB_LOG"; then
@@ -997,27 +840,11 @@ run_capability_profiles() {
if ! grep -q -- "SLOPTRAP_HOST_USER=$(id -un)" "$STUB_LOG"; then if ! grep -q -- "SLOPTRAP_HOST_USER=$(id -un)" "$STUB_LOG"; then
record_failure "capability_profiles: host user environment missing" record_failure "capability_profiles: host user environment missing"
fi fi
if ! grep -q -- "SLOPTRAP_INNER_PODMAN_HOST_NETWORK=1" "$STUB_LOG"; then
record_failure "capability_profiles: inner podman host-network mirror flag missing"
fi
if grep -q -- "/etc/subuid" "$STUB_LOG" || grep -q -- "/etc/subgid" "$STUB_LOG"; then
record_failure "capability_profiles: launcher should not mount subid helper files"
fi
local state_root capability_dir local state_root capability_dir
state_root="$STUB_HOME/.codex/sloptrap/state" state_root="$STUB_HOME/.codex/sloptrap/state"
capability_dir=$(find "$state_root" -mindepth 2 -maxdepth 2 -type d -name capabilities | head -n 1 || true) capability_dir=$(find "$state_root" -mindepth 2 -maxdepth 2 -type d -name capabilities | head -n 1 || true)
if [[ -z $capability_dir ]]; then if [[ -z $capability_dir ]]; then
record_failure "capability_profiles: project capability state directory missing" record_failure "capability_profiles: project capability state directory missing"
else
if [[ ! -d $capability_dir/podman-storage ]]; then
record_failure "capability_profiles: nested podman storage state missing"
fi
if [[ ! -d $capability_dir/podman-run ]]; then
record_failure "capability_profiles: nested podman runroot state missing"
fi
if [[ ! -d $capability_dir/podman-runtime ]]; then
record_failure "capability_profiles: nested podman runtime state missing"
fi
fi fi
teardown_stub_env teardown_stub_env
} }
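Review bot: the deleted `/etc/subuid` / `/etc/subgid` check was a negative assertion (`launcher should not mount subid helper files`) and remains meaningful without `nested-podman`: host subid files should never be bind-mounted into the container regardless of capability, so keep that block. The collapsed `if [[ -z $capability_dir ]]; then ... fi` is fine, but if `podman-storage`, `podman-run` and `podman-runtime` are no longer provisioned, a complementary check that those directories are absent under `$capability_dir` would confirm the launcher has stopped creating nested-podman state.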
@@ -1025,39 +852,25 @@ run_capability_profiles() {
run_embedded_capability_helpers() { run_embedded_capability_helpers() {
printf '==> embedded_capability_helpers\n' printf '==> embedded_capability_helpers\n'
local temp_root helper_bin helper_dir workspace_dir capture_dir tool_log helper_pid local temp_root helper_bin helper_dir workspace_dir capture_dir tool_log helper_pid
local inner_podman_root inner_podman_runroot inner_runtime_dir
temp_root=$(mktemp -d) temp_root=$(mktemp -d)
helper_bin="$temp_root/bin" helper_bin="$temp_root/bin"
helper_dir="$temp_root/helper" helper_dir="$temp_root/helper"
workspace_dir="$temp_root/workspace" workspace_dir="$temp_root/workspace"
capture_dir="$temp_root/captures" capture_dir="$temp_root/captures"
tool_log="$temp_root/tool.log" tool_log="$temp_root/tool.log"
inner_podman_root="$temp_root/podman-storage"
inner_podman_runroot="$temp_root/podman-run"
inner_runtime_dir="$temp_root/podman-runtime"
helper_pid="" helper_pid=""
mkdir -p "$helper_bin" "$helper_dir/queue" "$workspace_dir/data" "$capture_dir" \ mkdir -p "$helper_bin" "$helper_dir/queue" "$workspace_dir/data" "$capture_dir"
"$inner_podman_root" "$inner_podman_runroot" "$inner_runtime_dir"
: >"$tool_log" : >"$tool_log"
if ! extract_embedded_helper "sloptrap-entrypoint" "$helper_bin/sloptrap-entrypoint" \ if ! extract_embedded_helper "sloptrap-entrypoint" "$helper_bin/sloptrap-entrypoint" \
|| ! extract_embedded_helper "sloptrap-helperd" "$helper_bin/sloptrap-helperd" \ || ! extract_embedded_helper "sloptrap-helperd" "$helper_bin/sloptrap-helperd" \
|| ! extract_embedded_helper "slop-apt" "$helper_bin/slop-apt" \ || ! extract_embedded_helper "slop-apt" "$helper_bin/slop-apt" \
|| ! extract_embedded_helper "slopcap" "$helper_bin/slopcap" \ || ! extract_embedded_helper "slopcap" "$helper_bin/slopcap"; then
|| ! extract_embedded_helper "sloppodman" "$helper_bin/sloppodman"; then
record_failure "embedded_capability_helpers: failed to extract embedded helper scripts" record_failure "embedded_capability_helpers: failed to extract embedded helper scripts"
rm -rf "$temp_root" rm -rf "$temp_root"
return return
fi fi
cat >"$helper_bin/podman" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
printf 'podman-env BUILDAH_ISOLATION=%s _CONTAINERS_USERNS_CONFIGURED=%s CONTAINERS_STORAGE_CONF=%s CONTAINERS_CONF=%s\n' \
"${BUILDAH_ISOLATION:-}" "${_CONTAINERS_USERNS_CONFIGURED:-}" "${CONTAINERS_STORAGE_CONF:-}" "${CONTAINERS_CONF:-}" >>"$TEST_TOOL_LOG"
printf 'podman %s\n' "$*" >>"$TEST_TOOL_LOG"
exit 0
EOF
cat >"$helper_bin/apt-get" <<'EOF' cat >"$helper_bin/apt-get" <<'EOF'
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
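Review bot: with the `podman` stub removed from `$helper_bin`, any remaining helper that still shells out to `podman` would resolve to the real binary further down `PATH`; confirm that `sloptrap-entrypoint`, `slop-apt` and `slopcap` no longer reference `podman` (the launcher diff is suppressed on this page, so it cannot be checked here), or keep a stub that logs an unexpected call and fails the test.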
@@ -1106,7 +919,7 @@ while [[ $# -gt 0 ]]; do
done done
exec "$@" exec "$@"
EOF EOF
chmod +x "$helper_bin/podman" "$helper_bin/apt-get" "$helper_bin/tcpdump" "$helper_bin/setpriv" chmod +x "$helper_bin/apt-get" "$helper_bin/tcpdump" "$helper_bin/setpriv"
if ! grep -q "chmod 711 \"\\\$helper_dir\"" "$helper_bin/sloptrap-entrypoint" \ if ! grep -q "chmod 711 \"\\\$helper_dir\"" "$helper_bin/sloptrap-entrypoint" \
|| ! grep -q "chmod 1733 \"\\\$queue_dir\"" "$helper_bin/sloptrap-entrypoint"; then || ! grep -q "chmod 1733 \"\\\$queue_dir\"" "$helper_bin/sloptrap-entrypoint"; then
@@ -1130,161 +943,6 @@ EOF
wait "$(cat "$autostart_helper_dir/helperd.pid")" >/dev/null 2>&1 || true wait "$(cat "$autostart_helper_dir/helperd.pid")" >/dev/null 2>&1 || true
fi fi
local missing_cap_status=0
if TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="" \
SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
XDG_RUNTIME_DIR="$inner_runtime_dir" \
"$helper_bin/sloppodman" ps >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: sloppodman should reject runs without nested-podman"
else
missing_cap_status=$?
fi
if [[ $missing_cap_status -ne 126 ]]; then
record_failure "embedded_capability_helpers: sloppodman returned the wrong status when capability was absent"
fi
if TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \
SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
XDG_RUNTIME_DIR="$inner_runtime_dir" \
"$helper_bin/sloppodman" run --privileged example/image >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: sloppodman allowed --privileged"
fi
if TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \
SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
XDG_RUNTIME_DIR="$inner_runtime_dir" \
"$helper_bin/sloppodman" run -v /tmp:/host example/image >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: sloppodman allowed an out-of-workspace bind mount"
fi
if ! (
cd "$workspace_dir" && TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" \
SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
XDG_RUNTIME_DIR="$inner_runtime_dir" \
"$helper_bin/sloppodman" run -v ./data:/data example/image true >/dev/null 2>&1
); then
record_failure "embedded_capability_helpers: sloppodman rejected a workspace-local bind mount"
fi
if ! grep -q -- 'podman --root ' "$tool_log" || ! grep -q -- '-v ./data:/data' "$tool_log"; then
record_failure "embedded_capability_helpers: sloppodman did not invoke podman with the validated run arguments"
fi
if ! grep -q -- 'setpriv --reuid 0 --regid 0 --clear-groups -- env ' "$tool_log"; then
record_failure "embedded_capability_helpers: sloppodman did not re-enter root before invoking podman"
fi
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \
SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
XDG_RUNTIME_DIR="$inner_runtime_dir" \
"$helper_bin/sloppodman" image inspect example/image >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: sloppodman rejected image inspect"
fi
if ! grep -q -- 'podman --root .* image inspect example/image' "$tool_log"; then
record_failure "embedded_capability_helpers: sloppodman did not forward image inspect"
fi
if ! grep -q -- '--storage-driver vfs' "$tool_log" \
|| ! grep -q -- '--cgroup-manager cgroupfs' "$tool_log" \
|| ! grep -q -- '--events-backend file' "$tool_log"; then
record_failure "embedded_capability_helpers: sloppodman did not apply the nested podman runtime defaults"
fi
if ! grep -q -- 'podman-env BUILDAH_ISOLATION=chroot ' "$tool_log"; then
record_failure "embedded_capability_helpers: sloppodman did not set BUILDAH_ISOLATION=chroot"
fi
if ! grep -q -- '_CONTAINERS_USERNS_CONFIGURED=done ' "$tool_log"; then
record_failure "embedded_capability_helpers: sloppodman did not mark nested podman as already userns-configured"
fi
if [[ ! -f $inner_runtime_dir/config/containers/storage.conf ]] \
|| [[ ! -f $inner_runtime_dir/config/containers/containers.conf ]]; then
record_failure "embedded_capability_helpers: sloppodman did not materialize its container config files"
elif ! grep -q -- 'ignore_chown_errors = "true"' "$inner_runtime_dir/config/containers/storage.conf"; then
record_failure "embedded_capability_helpers: storage.conf did not enable ignore_chown_errors"
fi
local caller_uid caller_gid caller_user
caller_uid=$(id -u)
caller_gid=$(id -g)
caller_user=$(id -un)
cat >"$helper_bin/id" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
case "${1-}" in
-u)
printf '0\n'
;;
-g)
printf '0\n'
;;
-un)
printf 'root\n'
;;
*)
printf 'uid=0(root) gid=0(root) groups=0(root)\n'
;;
esac
EOF
cat >"$temp_root/entrypoint-helperd" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
exit 0
EOF
chmod +x "$helper_bin/id" "$temp_root/entrypoint-helperd"
local entry_subuid entry_subgid
entry_subuid="$temp_root/entry-subuid"
entry_subgid="$temp_root/entry-subgid"
printf 'sloptrap:100000:65536\n' >"$entry_subuid"
printf 'sloptrap:100000:65536\n' >"$entry_subgid"
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \
SLOPTRAP_HOST_UID="1337" SLOPTRAP_HOST_GID="1337" SLOPTRAP_HOST_USER="$caller_user" \
SLOPTRAP_PODMAN_SUBUID_FILE="$entry_subuid" SLOPTRAP_PODMAN_SUBGID_FILE="$entry_subgid" \
SLOPTRAP_PODMAN_SUBID_START="200000" SLOPTRAP_PODMAN_SUBID_COUNT="65536" \
SLOPTRAP_PODMAN_SUBGID_START="200000" SLOPTRAP_PODMAN_SUBGID_COUNT="65536" \
SLOPTRAP_HELPERD_BIN="$temp_root/entrypoint-helperd" \
"$helper_bin/sloptrap-entrypoint" true >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: entrypoint did not synthesize subid files for the host user"
fi
if [[ -z $(awk -F: -v account="$caller_user" '$1 == account { print $2 ":" $3 }' "$entry_subuid" 2>/dev/null || true) ]]; then
record_failure "embedded_capability_helpers: entrypoint did not prefer SLOPTRAP_HOST_USER for subuid synthesis"
fi
if [[ -z $(awk -F: -v account="$caller_user" '$1 == account { print $2 ":" $3 }' "$entry_subgid" 2>/dev/null || true) ]]; then
record_failure "embedded_capability_helpers: entrypoint did not prefer SLOPTRAP_HOST_USER for subgid synthesis"
fi
local caller_subuid root_subuid caller_subgid root_subgid
local helper_subuid_file helper_subgid_file
helper_subuid_file="$temp_root/helper-subuid"
helper_subgid_file="$temp_root/helper-subgid"
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \
SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
XDG_RUNTIME_DIR="$inner_runtime_dir" \
SLOPTRAP_PODMAN_ESCALATED=1 \
SLOPTRAP_PODMAN_CALLER_UID="$caller_uid" \
SLOPTRAP_PODMAN_CALLER_GID="$caller_gid" \
SLOPTRAP_PODMAN_CALLER_USER="$caller_user" \
SLOPTRAP_PODMAN_SUBUID_FILE="$helper_subuid_file" \
SLOPTRAP_PODMAN_SUBGID_FILE="$helper_subgid_file" \
"$helper_bin/sloppodman" image inspect example/image >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: sloppodman did not synthesize caller and root subid files"
fi
caller_subuid=$(awk -F: -v account="$caller_user" '$1 == account { print $2 ":" $3 }' "$helper_subuid_file" 2>/dev/null || true)
root_subuid=$(awk -F: '$1 == "root" { print $2 ":" $3 }' "$helper_subuid_file" 2>/dev/null || true)
caller_subgid=$(awk -F: -v account="$caller_user" '$1 == account { print $2 ":" $3 }' "$helper_subgid_file" 2>/dev/null || true)
root_subgid=$(awk -F: '$1 == "root" { print $2 ":" $3 }' "$helper_subgid_file" 2>/dev/null || true)
if [[ -z $caller_subuid || $caller_subuid != "$root_subuid" ]]; then
record_failure "embedded_capability_helpers: sloppodman did not mirror caller subuid data onto root"
fi
if [[ -z $caller_subgid || $caller_subgid != "$root_subgid" ]]; then
record_failure "embedded_capability_helpers: sloppodman did not mirror caller subgid data onto root"
fi
TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$helper_dir" \ TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$helper_dir" \
SLOPTRAP_ACTIVE_CAPABILITIES="apt-install packet-capture" \ SLOPTRAP_ACTIVE_CAPABILITIES="apt-install packet-capture" \
SLOPTRAP_CAPTURE_DIR="$capture_dir" SLOPTRAP_WORKDIR="$workspace_dir" \ SLOPTRAP_CAPTURE_DIR="$capture_dir" SLOPTRAP_WORKDIR="$workspace_dir" \
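Review bot: this hunk removes the only coverage of the entrypoint's subid synthesis and of the `setpriv --reuid 0 --regid 0 --clear-groups` re-entry path, but nothing now asserts those paths are gone; because the `sloptrap` diff itself is suppressed here, add a test that runs `sloptrap-entrypoint` with `SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman"` and the `SLOPTRAP_PODMAN_SUBUID_FILE` / `SLOPTRAP_PODMAN_SUBGID_FILE` variables set, and checks that those files are left untouched and `$tool_log` records no `setpriv --reuid 0`, so a stale escalation path cannot be reached through a crafted environment.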
@@ -1373,7 +1031,7 @@ run_make_install_single_file() {
record_failure "make_install_single_file: installed launcher missing" record_failure "make_install_single_file: installed launcher missing"
fi fi
local helper local helper
for helper in sloptrap-entrypoint sloptrap-helperd slop-apt slopcap sloppodman; do for helper in sloptrap-entrypoint sloptrap-helperd slop-apt slopcap; do
if [[ -e $install_dir/$helper ]]; then if [[ -e $install_dir/$helper ]]; then
record_failure "make_install_single_file: unexpected helper installed ($helper)" record_failure "make_install_single_file: unexpected helper installed ($helper)"
fi fi
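Review bot: this loop asserts that helpers are not installed (`unexpected helper installed`), so dropping `sloppodman` from the list weakens it: a `sloppodman` left in `$install_dir` by an earlier install, or accidentally re-embedded, would no longer be flagged. Keep `sloppodman` in the list; the check is cheap and only fails if the helper reappears.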
@@ -1409,8 +1067,6 @@ run_sh_reexec
run_resume_omits_runtime_context run_resume_omits_runtime_context
run_auth_file_mount run_auth_file_mount
run_codex_home_override run_codex_home_override
run_recursive_slopsloptrap
run_recursive_parent_image_fallback
run_project_state_isolation run_project_state_isolation
run_auto_login_empty_auth run_auto_login_empty_auth
run_codex_symlink_home run_codex_symlink_home
@@ -1424,6 +1080,7 @@ run_invalid_manifest_sandbox
run_invalid_manifest_packages run_invalid_manifest_packages
run_invalid_manifest_capabilities run_invalid_manifest_capabilities
run_invalid_allow_host_network run_invalid_allow_host_network
run_removed_nested_podman_manifest
run_wizard_create_manifest run_wizard_create_manifest
run_wizard_existing_defaults run_wizard_existing_defaults
run_wizard_build_trigger run_wizard_build_trigger