From d1af8f12d4576aaa87b1c2deb69f12892454e786 Mon Sep 17 00:00:00 2001
From: Adam Williamson
Date: Wed, 23 Jul 2025 13:10:09 -0700
Subject: [PATCH] podman: run the http server test rootless
Signed-off-by: Adam Williamson
---
 tests/_podman_client.pm | 2 +-
 tests/podman.pm | 31 +++++++++++++++++++------------
 2 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/tests/_podman_client.pm b/tests/_podman_client.pm
index c63449b5..58f17ceb 100644
--- a/tests/_podman_client.pm
+++ b/tests/_podman_client.pm
@@ -13,7 +13,7 @@ sub run {
 mutex_lock "podman_server_ready";
 mutex_unlock "podman_server_ready";
 # connect to server then tell server we're done
- my $ret = script_run "curl http://172.16.2.114";
+ my $ret = script_run "curl http://172.16.2.114:8080";
 mutex_create "podman_connect_done";
 # sleep a bit to give server time to pick up the mutex
 # server tries every 5 seconds, but an attempt can fail,
diff --git a/tests/podman.pm b/tests/podman.pm
index c8202ed0..94e13351 100644
--- a/tests/podman.pm
+++ b/tests/podman.pm
@@ -9,11 +9,6 @@ use utils;
 sub run {
 my $self = shift;
 $self->root_console(tty => 3);
- # on non-canned flavors, we need to install podman, may as well
- # also install the tests now
-
- # check podman is installed
- my $relnum = get_release_number;
 if (get_var("CANNED")) {
 # check podman is pre-installed
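Review bot: In tests/_podman_client.pm the changed `curl http://172.16.2.114:8080` call exits 0 for any HTTP response, including a 4xx or 5xx, so `$ret` only shows that something answered on the port, not that httpd in the rootless container served the page. Adding `--fail` makes the exit status meaningful: `my $ret = script_run "curl --fail http://172.16.2.114:8080";`. The same applies to the server-side `assert_script_run "curl http://localhost:8080";` in the last hunk of tests/podman.pm. How `$ret` is used is outside this hunk, so this assumes it is later compared against 0 in run().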
@@ -34,6 +29,23 @@ sub run {
 # restore default behaviour
 assert_script_run "set +o pipefail";
 }
+ # Open the firewall, except on CoreOS where it's not installed
+ unless (get_var("SUBVARIANT") eq "CoreOS") {
+ assert_script_run "firewall-cmd --add-port=8080/tcp";
+ }
+ # create a non-root user to check rootless operation
+ assert_script_run "useradd testman";
+ assert_script_run("echo 'testman:weakpassword' | chpasswd");
+ # let it write to the serial port
+ assert_script_run "chmod 666 /dev/${serialdev}";
+ if (script_run "grep testman /etc/subuid") {
+ # workaround https://bugzilla.redhat.com/show_bug.cgi?id=2334165#c2
+ assert_script_run("usermod --add-subuids 100000-165535 testman");
+ assert_script_run("usermod --add-subgids 100000-165535 testman");
+ }
+ # login as the non-root user
+ select_console "tty4-console";
+ console_login(user => "testman", password => "weakpassword");
 # check to see if you can pull an image from the registry
 assert_script_run "podman pull registry.fedoraproject.org/fedora:latest", 300;
 # run hello-world to test
@@ -45,16 +57,11 @@ sub run {
 # Verify the image
 validate_script_output "podman images", sub { m/fedora-httpd/ };
 # Run the container
- assert_script_run "podman run -d -p 80:80 localhost/fedora-httpd";
+ assert_script_run "podman run -d -p 8080:80 localhost/fedora-httpd";
 # Verify the container is running
 validate_script_output "podman container ls", sub { m/fedora-httpd/ };
 # Test apache is working
- assert_script_run "curl http://localhost";
- # Open the firewall, except on CoreOS where it's not installed
- unless (get_var("SUBVARIANT") eq "CoreOS") {
- assert_script_run "firewall-cmd --permanent --zone=internal --add-interface=cni-podman0";
- assert_script_run "firewall-cmd --permanent --zone=internal --add-port=80/tcp";
- }
+ assert_script_run "curl http://localhost:8080";
 # tell client we're ready and wait for it to send the message
 mutex_create("podman_server_ready");
 my $children = get_children();
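Review bot: The guard `script_run "grep testman /etc/subuid"` in the added user-setup block is an unanchored substring match and checks only /etc/subuid, although the workaround also adds a subgid range. A line for another account whose name contains "testman", or a subuid entry with no matching subgid entry, would skip the workaround. Anchoring on the account name and checking both files is tighter: `if (script_run "grep -q '^testman:' /etc/subuid && grep -q '^testman:' /etc/subgid") {`. The fixed range `100000-165535` may coincide with a range already assigned to another local account, so both users' rootless containers would map to the same host IDs; that is presumably fine on a disposable test VM, but a comment such as `# range may overlap another user's; acceptable on a throwaway test VM` would record the decision. The enclosing run() starts and ends outside this hunk.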