Need regression tests for podman build and mounts.conf #8679
Comments
A friendly reminder that this issue had no activity for 30 days.
@vrothberg @edsantiago No movement on this issue.
So, this may be a dumb question, but, do we expect this to actually work in podman right now?

```
# mkdir -p /tmp/podmantest/secrets
# echo /tmp/podmantest/secrets:/run/secrets >/tmp/podmantest/mounts.conf
# echo shhhh >/tmp/podmantest/secrets/file
# printf "FROM quay.io/libpod/testimage:20200929\nRUN ls -l /run/secrets\n" | podman --default-mounts-file=/tmp/podman/mounts.conf build -t foo -
STEP 1: FROM quay.io/libpod/testimage:20200929
STEP 2: RUN ls -l /run/secrets
total 0
STEP 3: COMMIT foo
--> 0acf9c0d708
0acf9c0d708255abb9ef5c1984c1558ca5d735b1fcd4619131a9b1c7254e18ed
```

It doesn't work via

```
# podman --default-mounts-file=/tmp/podman/mounts.conf run quay.io/libpod/testimage:20200929 ls -l /run/secrets
total 0
```

Am I misunderstanding the
This worked for me as root.
@rhatdan the

```
# printf "FROM quay.io/libpod/testimage:20200929\nRUN ls -l /run/secrets\n" | podman --default-mounts-file=/tmp/podman/mounts.conf build -t foo -
```

OK it looks like
- stop: test --all and --ignore (containers#9051)
- build: test /run/secrets (containers#8679, but see below)
- sensitive mount points: deal with 'stat' failures
- selinux: confirm useful diagnostics on unknown labels (containers#8946)

The 'build' test is intended as a fix for containers#8679, in which 'podman build' does not mount secrets from mounts.conf. Unfortunately, as of this writing, 'podman build' does not pass the --default-mounts-file option to buildah, so there's no reasonable way to test this path. Still, we can at least confirm /run/secrets on 'podman run'.

The /sys thing is related to containers#8949: RHEL8, rootless, cgroups v1. It's just a workaround to get gating tests to pass on RHEL.

Signed-off-by: Ed Santiago <[email protected]>

Fixed in #9091
I am currently looking at https://bugzilla.redhat.com/show_bug.cgi?id=1895027. We regressed in the 1.6.X series on mounting secrets during builds. It's fairly easy to reproduce with a Dockerfile:
With $MOUNT being the expected mount of the secret. For testing, we could set up a custom `mounts.conf` mounting a file.

Pulling in @edsantiago for input.
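
A preflight that a regression test could run before invoking podman, so that an empty `/run/secrets` (the `total 0` seen in the thread) can be attributed to podman rather than to the test fixture. This is an added example, not code from the podman project or from anyone in this thread; the function names are hypothetical, and it assumes `mounts.conf` lines have the `host_dir:container_dir` form shown on this page.

```bash
#!/usr/bin/env bash
# Added example: fixture preflight for a mounts.conf regression test.
# Function names are hypothetical; they are not part of podman or its test suite.

# check_mounts_conf FILE
# Prints one diagnostic per problem. Returns 2 if FILE is unreadable, 1 if any
# line is malformed or names a missing/empty host directory, 0 otherwise.
check_mounts_conf() {
    local conf=$1 line src dest rc=0
    if [ ! -r "$conf" ]; then
        echo "mounts file not readable: $conf"
        return 2
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        case $line in
            /*:/*) ;;                      # assumed form: /host/dir:/container/dir
            *) echo "unrecognized line: $line"; rc=1; continue ;;
        esac
        src=${line%%:*}
        dest=${line#*:}
        if [ ! -d "$src" ]; then
            echo "host source missing: $src"; rc=1
        elif [ -z "$(ls -A "$src")" ]; then
            # An empty source produces the same 'total 0' as a failed mount.
            echo "host source empty: $src (expected under $dest)"; rc=1
        fi
    done < "$conf"
    return $rc
}

# secret_visible CONF NAME EXPECTED
# Only after the fixture passes the preflight: run the image used on this page
# and compare /run/secrets/NAME with EXPECTED. Returns 2 on fixture problems,
# 1 if podman fails or the content differs, 0 if the secret is visible.
secret_visible() {
    local conf=$1 name=$2 expected=$3 got
    check_mounts_conf "$conf" >&2 || return 2
    got=$(podman --default-mounts-file="$conf" run --rm \
        quay.io/libpod/testimage:20200929 cat "/run/secrets/$name") || return 1
    [ "$got" = "$expected" ]
}
```

A return code of 2 from `secret_visible` means the fixture itself is wrong (for example, the path given to `--default-mounts-file` is not the file that was written), so the test should fail as a setup error rather than report a podman regression.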