rpm-ostree/tests
Colin Walters 90f9fe80e4 scripts: Drop most capabilities
Note this PR requires [bubblewrap 0.2.0](https://github.com/projectatomic/bubblewrap/releases/tag/v0.2.0).

Change our bwrap invocations to drop truly dangerous capabilities like
`cap_sys_admin` and `cap_sys_module` just like Docker does today. Because of the
popularity of Docker, we can be pretty sure that most RPM scripts should have
adapted to this (although a problematic area here is that traditional librpm
doesn't actually error out if scripts fail).

There are two reasons to do this:

 - We want "offline" updates by default; updates shouldn't affect the
   running system.  If we prepare the new root in the background, a
   %post shouldn't restart a service for example.  We already "handle"
   this by making `systemctl` a symlink to `/bin/true`, but this approach
   also shuts off `%post`s that do e.g. `insmod`.
 - Protection against accidental system damage

Closes: #1099
Approved by: jlebon
2017-12-05 02:54:23 +00:00
check Change unpacking to use a single ostree txn 2017-11-29 16:48:19 +00:00
common tests/libtest: Fix logic error in creation test-repo file 2017-12-04 14:24:53 +00:00
compose-tests Introduce experimental "rpm-ostree jigdo" 2017-12-04 14:24:53 +00:00
composedata Introduce experimental "rpm-ostree jigdo" 2017-12-04 14:24:53 +00:00
ex-container-tests core: Don't try to apply non-root uid/gid when run as non-root 2017-11-17 18:59:34 +00:00
gpghome daemon: start with one commit only when resolving versions 2016-12-24 12:28:48 +00:00
manual db: Remove query parameter to diff 2015-04-23 16:30:18 -04:00
utils daemon: Add a sanitycheck(/bin/true) before we deploy a tree 2017-07-27 17:58:58 +00:00
vmcheck scripts: Drop most capabilities 2017-12-05 02:54:23 +00:00
compose tests/compose: Rework caching to cache RPMs 2017-12-01 19:20:40 +00:00
ex-container tests/ex-container: Disable parallelism for now 2017-11-17 18:59:34 +00:00
README.md tests: Add ./tests/compose 2016-12-06 19:05:05 +00:00

Tests are divided into three groups:

  • Tests in the `check` directory are non-destructive and uninstalled. Some of the tests require root privileges. Use `make check` to run these.

  • The `composecheck` tests currently require uid 0 capabilities - the default in Docker, or you can run them via a user namespace. They are non-destructive, but are installed.

    To use them, you might do a `make && sudo make install` inside a Docker container.

    Then invoke `./tests/compose`. Alternatively, of course, you can simply run the tests on a host system or in an existing container, without doing a build.

    Note: This is intentionally not a Makefile target because it doesn't require building and doesn't use uninstalled binaries.

  • Tests in the `vmcheck` directory are oriented around using Vagrant. Use `make vmcheck` to run them. See also `HACKING.md` in the top directory.

The `common` directory contains files used by multiple tests. The `utils` directory contains helper utilities required to run the tests.