-rw-r--r-- | Makefile | 5 | ||||
-rw-r--r-- | contrib/cirrus/container_test.sh | 1 | ||||
-rwxr-xr-x | contrib/cirrus/integration_test.sh | 1 | ||||
-rw-r--r-- | contrib/cirrus/lib.sh | 1 | ||||
-rwxr-xr-x | contrib/cirrus/setup_environment.sh | 6 | ||||
-rw-r--r-- | contrib/spec/podman.spec.in | 4 | ||||
-rw-r--r-- | go.mod | 2 | ||||
-rw-r--r-- | go.sum | 2 | ||||
-rw-r--r-- | libpod.conf | 181 | ||||
-rw-r--r-- | pkg/cgroups/cgroups.go | 4 | ||||
-rw-r--r-- | test/system/160-volumes.bats | 234 | ||||
-rw-r--r-- | vendor/gopkg.in/yaml.v2/apic.go | 1 | ||||
-rw-r--r-- | vendor/modules.txt | 2 |
13 files changed, 243 insertions, 201 deletions
@@ -527,11 +527,6 @@ install.man-nobuild:
 .PHONY: install.man
 install.man: docs install.man-nobuild
-.PHONY: install.config
-install.config:
- install ${SELINUXOPT} -d -m 755 $(DESTDIR)$(SHAREDIR_CONTAINERS)
- install ${SELINUXOPT} -m 644 libpod.conf $(DESTDIR)$(SHAREDIR_CONTAINERS)/libpod.conf
-
 .PHONY: install.seccomp
 install.seccomp:
 # TODO: we should really be using the upstream one from github.com/seccomp
diff --git a/contrib/cirrus/container_test.sh b/contrib/cirrus/container_test.sh
index 4624868f1..bf0a0d3f1 100644
--- a/contrib/cirrus/container_test.sh
+++ b/contrib/cirrus/container_test.sh
@@ -126,7 +126,6 @@ if [ $install -eq 1 ]; then
 make TAGS="${TAGS}" install.bin PREFIX=/usr ETCDIR=/etc
 make TAGS="${TAGS}" install.man PREFIX=/usr ETCDIR=/etc
 make TAGS="${TAGS}" install.cni PREFIX=/usr ETCDIR=/etc
- make TAGS="${TAGS}" install.config PREFIX=/usr ETCDIR=/etc
 make TAGS="${TAGS}" install.systemd PREFIX=/usr ETCDIR=/etc
 fi
diff --git a/contrib/cirrus/integration_test.sh b/contrib/cirrus/integration_test.sh
index 6341bcb4a..0f2b2ab7e 100755
--- a/contrib/cirrus/integration_test.sh
+++ b/contrib/cirrus/integration_test.sh
@@ -50,7 +50,6 @@ case "$SPECIALMODE" in
 none)
 make
 make install PREFIX=/usr ETCDIR=/etc
- make install.config PREFIX=/usr
 make test-binaries
 if [[ "$TEST_REMOTE_CLIENT" == "true" ]]
 then
diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh
index 750aec3b6..c0dd8cfc5 100644
--- a/contrib/cirrus/lib.sh
+++ b/contrib/cirrus/lib.sh
@@ -98,7 +98,6 @@ ROOTLESS_ENV_RE='(CIRRUS_.+)|(ROOTLESS_.+)|(.+_IMAGE.*)|(.+_BASE)|(.*DIRPATH)|(.
 SECRET_ENV_RE='(IRCID)|(ACCOUNT)|(GC[EP]..+)|(SSH)'
 SPECIALMODE="${SPECIALMODE:-none}"
-MOD_LIBPOD_CONF="${MOD_LIBPOD_CONF:false}"
 TEST_REMOTE_CLIENT="${TEST_REMOTE_CLIENT:-false}"
 export CONTAINER_RUNTIME=${CONTAINER_RUNTIME:-podman}
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
index 756240444..945b33909 100755
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@@ -76,12 +76,6 @@ case "$CG_FS_TYPE" in
 X=$(echo "export OCI_RUNTIME=/usr/bin/crun" | \
 tee -a /etc/environment) && eval "$X" && echo "$X"
- if [[ "$MOD_LIBPOD_CONF" == "true" ]]; then
- warn "Updating runtime setting in repo. copy of libpod.conf"
- sed -i -r -e 's/^runtime = "runc"/runtime = "crun"/' $GOSRC/libpod.conf
- git diff $GOSRC/libpod.conf
- fi
-
 if [[ "$OS_RELEASE_ID" == "fedora" ]]; then
 warn "Upgrading to the latest crun"
 # Normally not something to do for stable testing
diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in
index 1dfbdf208..ff948701b 100644
--- a/contrib/spec/podman.spec.in
+++ b/contrib/spec/podman.spec.in
@@ -423,10 +423,6 @@ PODMAN_VERSION=%{version} %{__make} PREFIX=%{buildroot}%{_prefix} ETCDIR=%{build
 mv pkg/hooks/README.md pkg/hooks/README-hooks.md
-# install libpod.conf
-install -dp %{buildroot}%{_datadir}/containers
-install -p -m 644 %{repo}.conf %{buildroot}%{_datadir}/containers
-
 # install conmon
 install -dp %{buildroot}%{_libexecdir}/%{name}
 install -p -m 755 conmon/bin/conmon %{buildroot}%{_libexecdir}/%{name}
@@ -61,7 +61,7 @@ require (
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
 golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f
- gopkg.in/yaml.v2 v2.2.8
+ gopkg.in/yaml.v2 v2.3.0
 k8s.io/api v0.18.2
 k8s.io/apimachinery v0.18.2
 k8s.io/client-go v0.0.0-20190620085101-78d2af792bab
@@ -650,6 +650,8 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
diff --git a/libpod.conf b/libpod.conf
deleted file mode 100644
index 1bc31eb4c..000000000
--- a/libpod.conf
+++ /dev/null
@@ -1,181 +0,0 @@
-# libpod.conf is the default configuration file for all tools using libpod to
-# manage containers
-
-# Default transport method for pulling and pushing for images
-image_default_transport = "docker://"
-
-# Paths to look for the conmon container manager binary.
-# If the paths are empty or no valid path was found, then the `$PATH`
-# environment variable will be used as the fallback.
-conmon_path = [
- "/usr/libexec/podman/conmon",
- "/usr/local/libexec/podman/conmon",
- "/usr/local/lib/podman/conmon",
- "/usr/bin/conmon",
- "/usr/sbin/conmon",
- "/usr/local/bin/conmon",
- "/usr/local/sbin/conmon",
- "/run/current-system/sw/bin/conmon",
-]
-
-# Environment variables to pass into conmon
-conmon_env_vars = [
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-]
-
-# CGroup Manager - valid values are "systemd" and "cgroupfs"
-cgroup_manager = "systemd"
-
-# Container init binary
-#init_path = "/usr/libexec/podman/catatonit"
-
-# Directory for persistent libpod files (database, etc)
-# By default, this will be configured relative to where containers/storage
-# stores containers
-# Uncomment to change location from this default
-#static_dir = "/var/lib/containers/storage/libpod"
-
-# Directory for temporary files. Must be tmpfs (wiped after reboot)
-tmp_dir = "/var/run/libpod"
-
-# Maximum size of log files (in bytes)
-# -1 is unlimited
-max_log_size = -1
-
-# Whether to use chroot instead of pivot_root in the runtime
-no_pivot_root = false
-
-# Directory containing CNI plugin configuration files
-cni_config_dir = "/etc/cni/net.d/"
-
-# Directories where the CNI plugin binaries may be located
-cni_plugin_dir = [
- "/usr/libexec/cni",
- "/usr/lib/cni",
- "/usr/local/lib/cni",
- "/opt/cni/bin"
-]
-
-# Default CNI network for libpod.
-# If multiple CNI network configs are present, libpod will use the network with
-# the name given here for containers unless explicitly overridden.
-# The default here is set to the name we set in the
-# 87-podman-bridge.conflist included in the repository.
-# Not setting this, or setting it to the empty string, will use normal CNI
-# precedence rules for selecting between multiple networks.
-cni_default_network = "podman"
-
-# Default libpod namespace
-# If libpod is joined to a namespace, it will see only containers and pods
-# that were created in the same namespace, and will create new containers and
-# pods in that namespace.
-# The default namespace is "", which corresponds to no namespace. When no
-# namespace is set, all containers and pods are visible.
-#namespace = ""
-
-# Default infra (pause) image name for pod infra containers
-infra_image = "k8s.gcr.io/pause:3.2"
-
-# Default command to run the infra container
-infra_command = "/pause"
-
-# Determines whether libpod will reserve ports on the host when they are
-# forwarded to containers. When enabled, when ports are forwarded to containers,
-# they are held open by conmon as long as the container is running, ensuring that
-# they cannot be reused by other programs on the host. However, this can cause
-# significant memory usage if a container has many ports forwarded to it.
-# Disabling this can save memory.
-#enable_port_reservation = true
-
-# Default libpod support for container labeling
-# label=true
-
-# The locking mechanism to use
-lock_type = "shm"
-
-# Number of locks available for containers and pods.
-# If this is changed, a lock renumber must be performed (e.g. with the
-# 'podman system renumber' command).
-num_locks = 2048
-
-# Directory for libpod named volumes.
-# By default, this will be configured relative to where containers/storage
-# stores containers.
-# Uncomment to change location from this default.
-#volume_path = "/var/lib/containers/storage/volumes"
-
-# Selects which logging mechanism to use for Podman events. Valid values
-# are `journald` or `file`.
-# events_logger = "journald"
-
-# Specify the keys sequence used to detach a container.
-# Format is a single character [a-Z] or a comma separated sequence of
-# `ctrl-<value>`, where `<value>` is one of:
-# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_`
-#
-# detach_keys = "ctrl-p,ctrl-q"
-
-# Default OCI runtime
-runtime = "runc"
-
-# List of the OCI runtimes that support --format=json. When json is supported
-# libpod will use it for reporting nicer errors.
-runtime_supports_json = ["crun", "runc"]
-
-# List of all the OCI runtimes that support --cgroup-manager=disable to disable
-# creation of CGroups for containers.
-runtime_supports_nocgroups = ["crun"]
-
-# Paths to look for a valid OCI runtime (runc, runv, etc)
-# If the paths are empty or no valid path was found, then the `$PATH`
-# environment variable will be used as the fallback.
-[runtimes]
-runc = [
- "/usr/bin/runc",
- "/usr/sbin/runc",
- "/usr/local/bin/runc",
- "/usr/local/sbin/runc",
- "/sbin/runc",
- "/bin/runc",
- "/usr/lib/cri-o-runc/sbin/runc",
- "/run/current-system/sw/bin/runc",
-]
-
-crun = [
- "/usr/bin/crun",
- "/usr/sbin/crun",
- "/usr/local/bin/crun",
- "/usr/local/sbin/crun",
- "/sbin/crun",
- "/bin/crun",
- "/run/current-system/sw/bin/crun",
-]
-
-# Kata Containers is an OCI runtime, where containers are run inside lightweight
-# Virtual Machines (VMs). Kata provides additional isolation towards the host,
-# minimizing the host attack surface and mitigating the consequences of
-# containers breakout.
-# Please notes that Kata does not support rootless podman yet, but we can leave
-# the paths below blank to let them be discovered by the $PATH environment
-# variable.
-
-# Kata Containers with the default configured VMM
-kata-runtime = [
- "/usr/bin/kata-runtime",
-]
-
-# Kata Containers with the QEMU VMM
-kata-qemu = [
- "/usr/bin/kata-qemu",
-]
-
-# Kata Containers with the Firecracker VMM
-kata-fc = [
- "/usr/bin/kata-fc",
-]
-
-# The [runtimes] table MUST be the last thing in this file.
-# (Unless another table is added)
-# TOML does not provide a way to end a table other than a further table being
-# defined, so every key hereafter will be part of [runtimes] and not the main
-# config.
diff --git a/pkg/cgroups/cgroups.go b/pkg/cgroups/cgroups.go
index d51905f4b..3b56f944f 100644
--- a/pkg/cgroups/cgroups.go
+++ b/pkg/cgroups/cgroups.go
@@ -517,6 +517,10 @@ func (c *CgroupControl) AddPid(pid int) error {
 }
 for _, n := range names {
+ // If we aren't using cgroup2, we won't write correctly to unified hierarchy
+ if !c.cgroup2 && n == "unified" {
+ continue
+ }
 p := filepath.Join(c.getCgroupv1Path(n), "tasks")
 if err := ioutil.WriteFile(p, pidString, 0644); err != nil {
 return errors.Wrapf(err, "write %s", p)
diff --git a/test/system/160-volumes.bats b/test/system/160-volumes.bats
new file mode 100644
index 000000000..cd9f3c8ad
--- /dev/null
+++ b/test/system/160-volumes.bats
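Review bot: The new guard in AddPid keys on the bare literal "unified" and its comment only says the write "won't work correctly", so a reader cannot tell from the hunk why that one hierarchy is skipped. I would make the comment state the concrete reason, e.g. `// On a cgroup v1 host the "unified" hierarchy is a cgroup v2 mount that has no "tasks" file, so the WriteFile below would fail; the pid is simply not placed in that hierarchy.` — hedged, since I am inferring the failure mode rather than seeing it here. If the same controller name is matched elsewhere in cgroups.go (presumably where `names` is built), a shared named constant would keep the two in sync. AddPid starts and ends outside the hunk.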
@@ -0,0 +1,234 @@
+#!/usr/bin/env bats -*- bats -*-
+#
+# podman volume-related tests
+#
+
+load helpers
+
+function setup() {
+ basic_setup
+
+ run_podman '?' volume rm -a
+}
+
+function teardown() {
+ run_podman '?' rm -a --volumes
+ run_podman '?' volume rm -a -f
+
+ basic_teardown
+}
+
+
+# Simple volume tests: share files between host and container
+@test "podman run --volumes : basic" {
+ skip_if_remote "volumes cannot be shared across hosts"
+
+ # Create three temporary directories
+ vol1=${PODMAN_TMPDIR}/v1_$(random_string)
+ vol2=${PODMAN_TMPDIR}/v2_$(random_string)
+ vol3=${PODMAN_TMPDIR}/v3_$(random_string)
+ mkdir $vol1 $vol2 $vol3
+
+ # In each directory, write a random string to a file
+ echo $(random_string) >$vol1/file1_in
+ echo $(random_string) >$vol2/file2_in
+ echo $(random_string) >$vol3/file3_in
+
+ # Run 'cat' on each file, and compare against local files. Mix -v / --volume
+ # flags, and specify them out of order just for grins. The shell wildcard
+ # expansion must sort vol1/2/3 lexically regardless.
+ v_opts="-v $vol1:/vol1:z --volume $vol3:/vol3:z -v $vol2:/vol2:z"
+ run_podman run --rm $v_opts $IMAGE sh -c "cat /vol?/file?_in"
+
+ for i in 1 2 3; do
+ eval voldir=\$vol${i}
+ is "${lines[$(($i - 1))]}" "$(< $voldir/file${i}_in)" \
+ "contents of /vol${i}/file${i}_in"
+ done
+
+ # Confirm that container sees vol1 as a mount point
+ run_podman run --rm $v_opts $IMAGE mount
+ is "$output" ".* on /vol1 type .*" "'mount' in container lists vol1"
+
+ # Have the container do write operations, confirm them on host
+ out1=$(random_string)
+ run_podman run --rm $v_opts $IMAGE sh -c "echo $out1 >/vol1/file1_out;
+ cp /vol2/file2_in /vol3/file3_out"
+ is "$(<$vol1/file1_out)" "$out1" "contents of /vol1/file1_out"
+ is "$(<$vol3/file3_out)" "$(<$vol2/file2_in)" "contents of /vol3/file3_out"
+
+ # Writing to read-only volumes: not allowed
+ run_podman 1 run --rm -v $vol1:/vol1ro:z,ro $IMAGE sh -c "touch /vol1ro/abc"
+ is "$output" ".*Read-only file system" "touch on read-only volume"
+}
+
+
+# Named volumes
+@test "podman volume create / run" {
+ myvolume=myvol$(random_string)
+ mylabel=$(random_string)
+
+ # Create a named volume
+ run_podman volume create --label l=$mylabel $myvolume
+ is "$output" "$myvolume" "output from volume create"
+
+ # Confirm that it shows up in 'volume ls', and confirm values
+ run_podman volume ls --format json
+ tests="
+Name | $myvolume
+Driver | local
+Labels.l | $mylabel
+"
+ parse_table "$tests" | while read field expect; do
+ actual=$(jq -r ".[0].$field" <<<"$output")
+ is "$actual" "$expect" "volume ls .$field"
+ done
+
+ # Run a container that writes to a file in that volume
+ mountpoint=$(jq -r '.[0].Mountpoint' <<<"$output")
+ rand=$(random_string)
+ run_podman run --rm --volume $myvolume:/vol $IMAGE sh -c "echo $rand >/vol/myfile"
+
+ # Confirm that the file is visible, with content, outside the container
+ is "$(<$mountpoint/myfile)" "$rand" "we see content created in container"
+
+ # Clean up
+ run_podman volume rm $myvolume
+}
+
+
+# Running scripts (executables) from a volume
+@test "podman volume: exec/noexec" {
+ myvolume=myvol$(random_string)
+
+ run_podman volume create $myvolume
+ is "$output" "$myvolume" "output from volume create"
+
+ run_podman volume inspect --format '{{.Mountpoint}}' $myvolume
+ mountpoint="$output"
+
+ # Create a script, make it runnable
+ rand=$(random_string)
+ cat >$mountpoint/myscript <<EOF
+#!/bin/sh
+echo "got here -$rand-"
+EOF
+ chmod 755 $mountpoint/myscript
+
+ # By default, volumes are mounted noexec. This should fail.
+ run_podman 126 run --rm --volume $myvolume:/vol:z $IMAGE /vol/myscript
+ is "$output" ".* OCI runtime permission denied.*" "run on volume, noexec"
+
+ # With exec, it should pass
+ run_podman run --rm -v $myvolume:/vol:z,exec $IMAGE /vol/myscript
+ is "$output" "got here -$rand-" "script in volume is runnable with exec"
+
+ # Clean up
+ run_podman volume rm $myvolume
+}
+
+
+# Anonymous temporary volumes, and persistent autocreated named ones
+@test "podman volume, implicit creation with run" {
+
+ # No hostdir arg: create anonymous container with random name
+ rand=$(random_string)
+ run_podman run -v /myvol $IMAGE sh -c "echo $rand >/myvol/myfile"
+
+ run_podman volume ls -q
+ tempvolume="$output"
+
+ # We should see the file created in the container
+ run_podman volume inspect --format '{{.Mountpoint}}' $tempvolume
+ mountpoint="$output"
+ test -e "$mountpoint/myfile"
+ is "$(< $mountpoint/myfile)" "$rand" "file contents, anonymous volume"
+
+ # Remove the container, using rm --volumes. Volume should now be gone.
+ run_podman rm -a --volumes
+ run_podman volume ls -q
+ is "$output" "" "anonymous volume is removed after container is rm'ed"
+
+ # Create a *named* container. This one should persist after container ends
+ myvol=myvol$(random_string)
+ rand=$(random_string)
+
+ run_podman run --rm -v $myvol:/myvol:z $IMAGE \
+ sh -c "echo $rand >/myvol/myfile"
+ run_podman volume ls -q
+ is "$output" "$myvol" "autocreated named container persists"
+
+ # ...and should be usable, read/write, by a second container
+ run_podman run --rm -v $myvol:/myvol:z $IMAGE \
+ sh -c "cp /myvol/myfile /myvol/myfile2"
+
+ run_podman volume rm $myvol
+
+ # Autocreated volumes should also work with keep-id
+ # All we do here is check status; podman 1.9.1 would fail with EPERM
+ myvol=myvol$(random_string)
+ run_podman run --rm -v $myvol:/myvol:z --userns=keep-id $IMAGE \
+ touch /myvol/myfile
+
+ run_podman volume rm $myvol
+}
+
+
+# Confirm that container sees the correct id
+@test "podman volume with --userns=keep-id" {
+ is_rootless || skip "only meaningful when run rootless"
+
+ myvoldir=${PODMAN_TMPDIR}/volume_$(random_string)
+ mkdir $myvoldir
+ touch $myvoldir/myfile
+
+ # With keep-id
+ run_podman run --rm -v $myvoldir:/vol:z --userns=keep-id $IMAGE \
+ stat -c "%u:%s" /vol/myfile
+ is "$output" "$(id -u):0" "with keep-id: stat(file in container) == my uid"
+
+ # Without
+ run_podman run --rm -v $myvoldir:/vol:z $IMAGE \
+ stat -c "%u:%s" /vol/myfile
+ is "$output" "0:0" "w/o keep-id: stat(file in container) == root"
+}
+
+
+# 'volume prune' identifies and cleans up unused volumes
+@test "podman volume prune" {
+ # Create four named volumes
+ local -a v=()
+ for i in 1 2 3 4;do
+ vol=myvol${i}$(random_string)
+ v[$i]=$vol
+ run_podman volume create $vol
+ done
+
+ # Run two containers: one mounting v1, one mounting v2 & v3
+ run_podman run --name c1 --volume ${v[1]}:/vol1 $IMAGE date
+ run_podman run --name c2 --volume ${v[2]}:/vol2 -v ${v[3]}:/vol3 \
+ $IMAGE date
+
+ # prune should remove v4
+ run_podman volume prune --force
+ is "$output" "${v[4]}" "volume prune, with 1, 2, 3 in use, deletes only 4"
+
+ # Remove the container using v2 and v3. Prune should now remove those.
+ # The 'echo sort' is to get the output sorted and in one line.
+ run_podman rm c2
+ run_podman volume prune --force
+ is "$(echo $(sort <<<$output))" "${v[2]} ${v[3]}" \
+ "volume prune, after rm c2, deletes volumes 2 and 3"
+
+ # Remove the final container. Prune should now remove v1.
+ run_podman rm c1
+ run_podman volume prune --force
+ is "$output" "${v[1]}" "volume prune, after rm c2 & c1, deletes volume 1"
+
+ # Further prunes are NOPs
+ run_podman volume prune --force
+ is "$output" "" "no more volumes to prune"
+}
+
+
+# vim: filetype=sh
diff --git a/vendor/gopkg.in/yaml.v2/apic.go b/vendor/gopkg.in/yaml.v2/apic.go
index 1f7e87e67..d2c2308f1 100644
--- a/vendor/gopkg.in/yaml.v2/apic.go
+++ b/vendor/gopkg.in/yaml.v2/apic.go
@@ -86,6 +86,7 @@ func yaml_emitter_initialize(emitter *yaml_emitter_t) {
 raw_buffer: make([]byte, 0, output_raw_buffer_size),
 states: make([]yaml_emitter_state_t, 0, initial_stack_size),
 events: make([]yaml_event_t, 0, initial_queue_size),
+ best_width: -1,
 }
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 0bd684c62..765e68108 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -640,7 +640,7 @@ gopkg.in/square/go-jose.v2/cipher
 gopkg.in/square/go-jose.v2/json
 # gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7
 gopkg.in/tomb.v1
-# gopkg.in/yaml.v2 v2.2.8
+# gopkg.in/yaml.v2 v2.3.0
 gopkg.in/yaml.v2
 # k8s.io/api v0.18.2
 k8s.io/api/core/v1 |
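Review bot: In "podman run --volumes : basic" the per-directory lookup goes through `eval voldir=\$vol${i}`, which re-parses a value that embeds $PODMAN_TMPDIR; bash indirect expansion gives the same result without eval, `voldir=vol$i` then `voldir=${!voldir}`. The same test passes $vol1/$vol2/$vol3 and $v_opts unquoted to mkdir and podman, so it silently assumes PODMAN_TMPDIR contains no whitespace or glob characters — fine if helpers guarantees that, but a one-line comment saying so would save the next reader a question. In "podman volume: exec/noexec" the noexec assertion matches the runtime's wording (`.* OCI runtime permission denied.*`), which appears to be specific to the runtime in use; since the 126 exit status is already checked, a looser message pattern would make the check less brittle across runc and crun.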