github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 03:41:45 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #39496 from stevekuznetsov/skuznets/fix-e2e-container-context

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 39493, 39496)

Use privileged containers for host path e2e tests

Test containers need to run as spc_t in order to interact with the host
filesystem under /tmp, as the tests for HostPath are doing. Docker will
transition the container into this domain when running the container as
privileged.

Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>

Currently, this test fails with AVC denials like:
```
time->Thu Jan  5 10:17:51 2017
type=SYSCALL msg=audit(1483629471.846:6623): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=c820010120 a2=80241 a3=1a4 items=0 ppid=4112 pid=4130 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mt" exe="/mt" subj=system_u:system_r:svirt_lxc_net_t:s0:c123,c328 key=(null)
type=AVC msg=audit(1483629471.846:6623): avc:  denied  { write } for  pid=4130 comm="mt" name="sub-path" dev="xvda2" ino=118491348 scontext=system_u:system_r:svirt_lxc_net_t:s0:c123,c328 tcontext=system_u:object_r:container_runtime_tmp_t:s0 tclass=dir
```

```release-note
NONE
```

/cc @ncdc @pmorie
This commit is contained in:
Kubernetes Submit Queue 2017-01-06 08:44:20 -08:00 committed by GitHub
commit 9ce93ed50a
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
test/e2e/common/host_path.go
View File

@ -132,6 +132,7 @@ func mount(source *v1.HostPathVolumeSource) []v1.Volume {
//TODO: To merge this with the emptyDir tests, we can make source a lambda.
func testPodWithHostVol(path string, source *v1.HostPathVolumeSource) *v1.Pod {
podName := "pod-host-path-test"
privileged := true
return &v1.Pod{
TypeMeta: metav1.TypeMeta{
@ -152,6 +153,9 @@ func testPodWithHostVol(path string, source *v1.HostPathVolumeSource) *v1.Pod {
MountPath: path,
},
},
SecurityContext: &v1.SecurityContext{
Privileged: &privileged,
},
},
{
Name: containerName2,
@ -162,6 +166,9 @@ func testPodWithHostVol(path string, source *v1.HostPathVolumeSource) *v1.Pod {
MountPath: path,
},
},
SecurityContext: &v1.SecurityContext{
Privileged: &privileged,
},
},
},
RestartPolicy: v1.RestartPolicyNever,