System tests: honor $OCI_RUNTIME (for CI)

[edsantiago]

Some CI systems set $OCI_RUNTIME as a way to override the
default crun. Integration (e2e) tests honor this, but system
tests were not aware of the convention; this means we haven't
been testing system tests with runc, which means RHEL gating
tests are now failing.

The proper solution would be to edit containers.conf on CI
systems. Sorry, that would involve too much CI-VM work.
Instead, this PR detects $OCI_RUNTIME and creates a dummy
containers.conf file using that runtime.

Add: various skips for tests that don't work with runc.

Refactor: add a helper function so we don't need to do
the complicated 'podman info blah blah .OCIRuntime.blah'
thing in many places.

BUG: we leave a tmp file behind on exit.

Signed-off-by: Ed Santiago santiago@redhat.com

[rhatdan]

/approve
LGTM

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: edsantiago, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [edsantiago,rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[edsantiago]

[re-pushed with a refinement: the pid=host failure only happens when rootless, not rootful. I updated the skip correspondingly, so it still runs on root tests.]

[edsantiago]

This is a new skip; I realize that the clutter (removing very-old cruft) makes it hard to review. @rhatdan, do you have any idea why this would fail under runc? More importantly: is this an expected failure?

[rhatdan]

I have no memory of this. I guess the best we can do is try it out and see if it fails.

[edsantiago]

It does fail -- see the newly-added comment (lines 54-55, green) (and again, I apologize for the difficulty of review. The removed cruft (red) dates to October 2020, when some CI systems had an old version of container-selinux.)

[rhatdan]

podman --runtime=runc run --pid=host alpine cat /proc/self/attr/current
Error: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: readonly path /proc/asound: operation not permitted: OCI permission denied

Weird
@giuseppe any idea what is going on here?

[edsantiago]

One more data point: on RHEL, IIRC, the failure is in /proc/bus instead of /proc/asound. This makes me suspect that it's just hitting the alphabetically-first entry under /proc. In case that helps.

[rhatdan]

It seems like runc is attempting to write to /proc when --pid=host and SELinux is enabled, and failing.

[rhatdan]

If I build runc from main branch, I get.

podman --runtime=$PWD/runc run --pid=host alpine cat /proc/self/attr/current
unconfined_u:system_r:spc_t:s0

[rhatdan]

rpm -qf /bin/runc
containerd.io-1.4.3-3.2.fc33.x86_64

[edsantiago]

On my f33 system: runc-1.0.0-377.rc93.fc33.x86_64

[edsantiago]

This PR has already been much more complicated than it should've been; and it's getting worse. Ubunto 2010 (which is now old-ubuntu, apparently) is now failing, and it's not a flake:

[+0589s] not ok 135 podman volume: exec/noexec
         # (from function `die' in file test/system/helpers.bash, line 412,
         #  from function `run_podman' in file test/system/helpers.bash, line 220,
         #  in test file test/system/160-volumes.bats, line 131)
         #   `run_podman ${expect_rc} run --rm --volume $myvolume:/vol:noexec,z $IMAGE /vol/myscript' failed
         # # podman rm --all --force
         # # podman ps --all --external --format {{.ID}} {{.Names}}
         # # podman images --all --format {{.Repository}}:{{.Tag}} {{.ID}}
         # quay.io/libpod/testimage:20210223 4abe85964f5c
         # # podman volume rm -a
         # # podman volume create myvol15CCE5Uwiv
         # myvol15CCE5Uwiv
         # # podman volume inspect --format {{.Mountpoint}} myvol15CCE5Uwiv
         # /var/lib/containers/storage/volumes/myvol15CCE5Uwiv/_data
         # # podman run --rm --volume myvol15CCE5Uwiv:/vol:noexec,z quay.io/libpod/testimage:20210223 /vol/myscript
         # standard_init_linux.go:219: exec user process caused: permission denied
         # [ rc=1 (** EXPECTED 126 **) ]
         # #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
         # #| FAIL: exit code is 1; expected 126
         # #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I'll look into it tomorrow. I will also have to deal with OCI_RUNTIME=/path (I had assumed it was just the name). [UPDATE: solved, by making podman_runtime() return just basename of the runtime)

[edsantiago]

Tests green, but I need to go over each and every system-test result to confirm that nothing was skipped inadvertently; I'll do that later this morning.

[edsantiago]

Here we are. All looks good. For some reason I had thought f33 (prior fedora) would use runc; but no, it's only prior_ubuntu that uses runc. So we don't actually get any rootless runc testing. But anyway, PR is working as desired.

	runtime	root	rootless	remote(root)
fedora-33	crun	ok	ok	ok
fedora-34	crun	ok	ok	ok
ubuntu-2010	runc	ok	N/A	ok
ubuntu-2104	crun	ok	N/A	ok

There's only one useful result, but the others, at least I didn't break anything. I also confirmed the skips, that is, that I'm not inadvertently skipping code that should run.

[mheon]

/lgtm