summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.cirrus.yml10
-rw-r--r--Makefile5
-rwxr-xr-xcontrib/cirrus/setup_environment.sh2
-rw-r--r--pkg/domain/infra/abi/containers.go6
-rw-r--r--test/e2e/run_privileged_test.go42
-rw-r--r--test/system/010-images.bats14
-rw-r--r--test/system/030-run.bats23
-rw-r--r--test/system/110-history.bats3
-rw-r--r--test/system/150-login.bats43
-rw-r--r--test/system/260-sdnotify.bats5
-rw-r--r--test/system/500-networking.bats13
-rwxr-xr-xtest/system/build-testimage59
-rw-r--r--test/system/helpers.bash4
13 files changed, 161 insertions, 68 deletions
diff --git a/.cirrus.yml b/.cirrus.yml
index 367d9e770..67c212c15 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -34,12 +34,12 @@ env:
####
#### Cache-image names to test with (double-quotes around names are critical)
###
- FEDORA_NAME: "fedora-32"
- PRIOR_FEDORA_NAME: "fedora-31"
- UBUNTU_NAME: "ubuntu-20"
- PRIOR_UBUNTU_NAME: "ubuntu-19"
+ FEDORA_NAME: "fedora"
+ PRIOR_FEDORA_NAME: "prior-fedora"
+ UBUNTU_NAME: "ubuntu"
+ PRIOR_UBUNTU_NAME: "prior-ubuntu"
- _BUILT_IMAGE_SUFFIX: "podman-6530021898584064"
+ _BUILT_IMAGE_SUFFIX: "c5809900649447424"
FEDORA_CACHE_IMAGE_NAME: "${FEDORA_NAME}-${_BUILT_IMAGE_SUFFIX}"
PRIOR_FEDORA_CACHE_IMAGE_NAME: "${PRIOR_FEDORA_NAME}-${_BUILT_IMAGE_SUFFIX}"
UBUNTU_CACHE_IMAGE_NAME: "${UBUNTU_NAME}-${_BUILT_IMAGE_SUFFIX}"
diff --git a/Makefile b/Makefile
index 8ce1946ee..07ff21445 100644
--- a/Makefile
+++ b/Makefile
@@ -106,7 +106,10 @@ GOMD2MAN ?= $(shell command -v go-md2man || echo '$(GOBIN)/go-md2man')
CROSS_BUILD_TARGETS := \
bin/podman.cross.linux.amd64 \
bin/podman.cross.linux.ppc64le \
- bin/podman.cross.linux.arm
+ bin/podman.cross.linux.arm \
+ bin/podman.cross.linux.arm64 \
+ bin/podman.cross.linux.386 \
+ bin/podman.cross.linux.s390x
.PHONY: all
all: binaries docs
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
index e22f92a5b..855866477 100755
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@@ -68,7 +68,7 @@ case "$CG_FS_TYPE" in
tmpfs)
warn "Forcing testing with runc instead of crun"
# On ubuntu, the default runc is usually not new enough.
- if ${OS_RELEASE_ID} == "ubuntu"; then
+ if [[ "${OS_RELEASE_ID}" == "ubuntu" ]]; then
X=$(echo "export OCI_RUNTIME=/usr/lib/cri-o-runc/sbin/runc" | \
tee -a /etc/environment) && eval "$X" && echo "$X"
else
diff --git a/pkg/domain/infra/abi/containers.go b/pkg/domain/infra/abi/containers.go
index 3fee5d394..0537942e6 100644
--- a/pkg/domain/infra/abi/containers.go
+++ b/pkg/domain/infra/abi/containers.go
@@ -174,6 +174,12 @@ func (ic *ContainerEngine) ContainerStop(ctx context.Context, namesOrIds []strin
return err
}
}
+ if c.AutoRemove() {
+ // Issue #7384: if the container is configured for
+ // auto-removal, it might already have been removed at
+ // this point.
+ return nil
+ }
return c.Cleanup(ctx)
})
if err != nil {
diff --git a/test/e2e/run_privileged_test.go b/test/e2e/run_privileged_test.go
index ca8da981f..064ba7d2c 100644
--- a/test/e2e/run_privileged_test.go
+++ b/test/e2e/run_privileged_test.go
@@ -2,13 +2,36 @@ package integration
import (
"os"
+ "strconv"
"strings"
. "github.com/containers/podman/v2/test/utils"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
+ "github.com/syndtr/gocapability/capability"
)
+// helper function for confirming that container capabilities are equal
+// to those of the host, but only to the extent of caps we (podman)
+// know about at compile time. That is: the kernel may have more caps
+// available than we are aware of, leading to host=FFF... and ctr=3FF...
+// because the latter is all we request. Accept that.
+func containerCapMatchesHost(ctr_cap string, host_cap string) {
+ ctr_cap_n, err := strconv.ParseUint(ctr_cap, 16, 64)
+ Expect(err).NotTo(HaveOccurred(), "Error parsing %q as hex", ctr_cap)
+
+ host_cap_n, err := strconv.ParseUint(host_cap, 16, 64)
+ Expect(err).NotTo(HaveOccurred(), "Error parsing %q as hex", host_cap)
+
+ // host caps can never be zero (except rootless, which we don't test).
+ // and host caps must always be a superset (inclusive) of container
+ Expect(host_cap_n).To(BeNumerically(">", 0), "host cap %q should be nonzero", host_cap)
+ Expect(host_cap_n).To(BeNumerically(">=", ctr_cap_n), "host cap %q should never be less than container cap %q", host_cap, ctr_cap)
+
+ host_cap_masked := host_cap_n & (1<<len(capability.List()) - 1)
+ Expect(ctr_cap_n).To(Equal(host_cap_masked), "container cap %q is not a subset of host cap %q", ctr_cap, host_cap)
+}
+
var _ = Describe("Podman privileged container tests", func() {
var (
tempdir string
@@ -44,24 +67,27 @@ var _ = Describe("Podman privileged container tests", func() {
It("podman privileged CapEff", func() {
SkipIfRootless()
- cap := SystemExec("grep", []string{"CapEff", "/proc/self/status"})
- Expect(cap.ExitCode()).To(Equal(0))
+ host_cap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
+ Expect(host_cap.ExitCode()).To(Equal(0))
- session := podmanTest.Podman([]string{"run", "--privileged", "busybox", "grep", "CapEff", "/proc/self/status"})
+ session := podmanTest.Podman([]string{"run", "--privileged", "busybox", "awk", "/^CapEff/ { print $2 }", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
- Expect(session.OutputToString()).To(Equal(cap.OutputToString()))
+
+ containerCapMatchesHost(session.OutputToString(), host_cap.OutputToString())
})
It("podman cap-add CapEff", func() {
SkipIfRootless()
- cap := SystemExec("grep", []string{"CapEff", "/proc/self/status"})
- Expect(cap.ExitCode()).To(Equal(0))
+ // Get caps of current process
+ host_cap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
+ Expect(host_cap.ExitCode()).To(Equal(0))
- session := podmanTest.Podman([]string{"run", "--cap-add", "all", "busybox", "grep", "CapEff", "/proc/self/status"})
+ session := podmanTest.Podman([]string{"run", "--cap-add", "all", "busybox", "awk", "/^CapEff/ { print $2 }", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
- Expect(session.OutputToString()).To(Equal(cap.OutputToString()))
+
+ containerCapMatchesHost(session.OutputToString(), host_cap.OutputToString())
})
It("podman cap-drop CapEff", func() {
diff --git a/test/system/010-images.bats b/test/system/010-images.bats
index 7fd731ca0..c0a8936e3 100644
--- a/test/system/010-images.bats
+++ b/test/system/010-images.bats
@@ -14,6 +14,8 @@ load helpers
--format {{.ID}} | [0-9a-f]\\\{12\\\}
--format {{.ID}} --no-trunc | sha256:[0-9a-f]\\\{64\\\}
--format {{.Repository}}:{{.Tag}} | $PODMAN_TEST_IMAGE_FQN
+--format {{.Labels.created_by}} | test/system/build-testimage
+--format {{.Labels.created_at}} | 20[0-9-]\\\+T[0-9:]\\\+Z
"
parse_table "$tests" | while read fmt expect; do
@@ -27,11 +29,13 @@ load helpers
@test "podman images - json" {
# 'created': podman includes fractional seconds, podman-remote does not
tests="
-Names[0] | $PODMAN_TEST_IMAGE_FQN
-Id | [0-9a-f]\\\{64\\\}
-Digest | sha256:[0-9a-f]\\\{64\\\}
-CreatedAt | [0-9-]\\\+T[0-9:.]\\\+Z
-Size | [0-9]\\\+
+Names[0] | $PODMAN_TEST_IMAGE_FQN
+Id | [0-9a-f]\\\{64\\\}
+Digest | sha256:[0-9a-f]\\\{64\\\}
+CreatedAt | [0-9-]\\\+T[0-9:.]\\\+Z
+Size | [0-9]\\\+
+Labels.created_by | test/system/build-testimage
+Labels.created_at | 20[0-9-]\\\+T[0-9:]\\\+Z
"
run_podman images -a --format json
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 198c8881d..0b92554b8 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -134,24 +134,29 @@ echo $rand | 0 | $rand
run_podman run --pull=never $IMAGE true
is "$output" "" "--pull=never [present]: no output"
- # Now test with busybox, which we don't have present
- run_podman 125 run --pull=never busybox true
- is "$output" "Error: unable to find a name and tag match for busybox in repotags: no such image" "--pull=never [busybox/missing]: error"
+ # Now test with a remote image which we don't have present (the 00 tag)
+ NONLOCAL_IMAGE="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:00000000"
- run_podman run --pull=missing busybox true
- is "$output" "Trying to pull .*" "--pull=missing [busybox/missing]: fetches"
+ run_podman 125 run --pull=never $NONLOCAL_IMAGE true
+ is "$output" "Error: unable to find a name and tag match for $NONLOCAL_IMAGE in repotags: no such image" "--pull=never [with image not present]: error"
- run_podman run --pull=always busybox true
- is "$output" "Trying to pull .*" "--pull=always [busybox/present]: fetches"
+ run_podman run --pull=missing $NONLOCAL_IMAGE true
+ is "$output" "Trying to pull .*" "--pull=missing [with image NOT PRESENT]: fetches"
+
+ run_podman run --pull=missing $NONLOCAL_IMAGE true
+ is "$output" "" "--pull=missing [with image PRESENT]: does not re-fetch"
+
+ run_podman run --pull=always $NONLOCAL_IMAGE true
+ is "$output" "Trying to pull .*" "--pull=always [with image PRESENT]: re-fetches"
run_podman rm -a
- run_podman rmi busybox
+ run_podman rmi $NONLOCAL_IMAGE
}
# 'run --rmi' deletes the image in the end unless it's used by another container
@test "podman run --rmi" {
# Name of a nonlocal image. It should be pulled in by the first 'run'
- NONLOCAL_IMAGE=busybox
+ NONLOCAL_IMAGE="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:00000000"
run_podman 1 image exists $NONLOCAL_IMAGE
# Run a container, without --rm; this should block subsequent --rmi
diff --git a/test/system/110-history.bats b/test/system/110-history.bats
index 5dc221d61..75c15b088 100644
--- a/test/system/110-history.bats
+++ b/test/system/110-history.bats
@@ -22,9 +22,10 @@ load helpers
}
@test "podman history - json" {
+ # Sigh. Timestamp in .created can be '...Z' or '...-06:00'
tests="
id | [0-9a-f]\\\{64\\\}
-created | [0-9-]\\\+T[0-9:.]\\\+Z
+created | [0-9-]\\\+T[0-9:.]\\\+[Z0-9:+-]\\\+
size | -\\\?[0-9]\\\+
"
diff --git a/test/system/150-login.bats b/test/system/150-login.bats
index 00c60ca95..5151ab0e1 100644
--- a/test/system/150-login.bats
+++ b/test/system/150-login.bats
@@ -56,14 +56,17 @@ function setup() {
AUTHDIR=${PODMAN_LOGIN_WORKDIR}/auth
mkdir -p $AUTHDIR
+ # Registry image; copy of docker.io, but on our own registry
+ local REGISTRY_IMAGE="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/registry:2.7"
+
# Pull registry image, but into a separate container storage
mkdir -p ${PODMAN_LOGIN_WORKDIR}/root
mkdir -p ${PODMAN_LOGIN_WORKDIR}/runroot
PODMAN_LOGIN_ARGS="--root ${PODMAN_LOGIN_WORKDIR}/root --runroot ${PODMAN_LOGIN_WORKDIR}/runroot"
# Give it three tries, to compensate for flakes
- run_podman ${PODMAN_LOGIN_ARGS} pull registry:2.6 ||
- run_podman ${PODMAN_LOGIN_ARGS} pull registry:2.6 ||
- run_podman ${PODMAN_LOGIN_ARGS} pull registry:2.6
+ run_podman ${PODMAN_LOGIN_ARGS} pull $REGISTRY_IMAGE ||
+ run_podman ${PODMAN_LOGIN_ARGS} pull $REGISTRY_IMAGE ||
+ run_podman ${PODMAN_LOGIN_ARGS} pull $REGISTRY_IMAGE
# Registry image needs a cert. Self-signed is good enough.
CERT=$AUTHDIR/domain.crt
@@ -76,10 +79,8 @@ function setup() {
# Store credentials where container will see them
if [ ! -e $AUTHDIR/htpasswd ]; then
- run_podman ${PODMAN_LOGIN_ARGS} run --rm \
- --entrypoint htpasswd registry:2.6 \
- -Bbn ${PODMAN_LOGIN_USER} ${PODMAN_LOGIN_PASS} \
- > $AUTHDIR/htpasswd
+ htpasswd -Bbn ${PODMAN_LOGIN_USER} ${PODMAN_LOGIN_PASS} \
+ > $AUTHDIR/htpasswd
# In case $PODMAN_TEST_KEEP_LOGIN_REGISTRY is set, for testing later
echo "${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS}" \
@@ -97,7 +98,7 @@ function setup() {
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/auth/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/auth/domain.key \
- registry:2.6
+ $REGISTRY_IMAGE
}
# END first "test" - start a registry for use by other tests
@@ -189,38 +190,26 @@ EOF
}
@test "podman push ok" {
- # ARGH! We can't push $IMAGE (alpine_labels) to this registry; error is:
- #
- # Writing manifest to image destination
- # Error: Error copying image to the remote destination: Error writing manifest: Error uploading manifest latest to localhost:${PODMAN_LOGIN_REGISTRY_PORT}/okpush: received unexpected HTTP status: 500 Internal Server Error
- #
- # Root cause: something to do with v1/v2 s1/s2:
- #
- # https://github.com/containers/skopeo/issues/651
- #
-
- run_podman pull busybox
-
- # Preserve its ID for later comparison against push/pulled image
- run_podman inspect --format '{{.Id}}' busybox
- id_busybox=$output
+ # Preserve image ID for later comparison against push/pulled image
+ run_podman inspect --format '{{.Id}}' $IMAGE
+ iid=$output
destname=ok-$(random_string 10 | tr A-Z a-z)-ok
# Use command-line credentials
run_podman push --tls-verify=false \
--creds ${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS} \
- busybox localhost:${PODMAN_LOGIN_REGISTRY_PORT}/$destname
+ $IMAGE localhost:${PODMAN_LOGIN_REGISTRY_PORT}/$destname
# Yay! Pull it back
run_podman pull --tls-verify=false \
--creds ${PODMAN_LOGIN_USER}:${PODMAN_LOGIN_PASS} \
localhost:${PODMAN_LOGIN_REGISTRY_PORT}/$destname
- # Compare to original busybox
+ # Compare to original image
run_podman inspect --format '{{.Id}}' $destname
- is "$output" "$id_busybox" "Image ID of pulled image == busybox"
+ is "$output" "$iid" "Image ID of pulled image == original IID"
- run_podman rmi busybox $destname
+ run_podman rmi $destname
}
# END primary podman login/push/pull tests
diff --git a/test/system/260-sdnotify.bats b/test/system/260-sdnotify.bats
index 62d3c1497..06aa3bba7 100644
--- a/test/system/260-sdnotify.bats
+++ b/test/system/260-sdnotify.bats
@@ -115,9 +115,10 @@ function _assert_mainpid_is_conmon() {
@test "sdnotify : container" {
# Sigh... we need to pull a humongous image because it has systemd-notify.
+ # (IMPORTANT: fedora:32 and above silently removed systemd-notify; this
+ # caused CI to hang. That's why we explicitly require fedora:31)
# FIXME: is there a smaller image we could use?
- _FEDORA=registry.fedoraproject.org/fedora:31
-
+ local _FEDORA="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/fedora:31"
# Pull that image. Retry in case of flakes.
run_podman pull $_FEDORA || \
run_podman pull $_FEDORA || \
diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats
index 0fae3dcd3..39de8ad54 100644
--- a/test/system/500-networking.bats
+++ b/test/system/500-networking.bats
@@ -12,7 +12,7 @@ load helpers
random_2=$(random_string 30)
HOST_PORT=8080
- SERVER=http://localhost:$HOST_PORT
+ SERVER=http://127.0.0.1:$HOST_PORT
# Create a test file with random content
INDEX1=$PODMAN_TMPDIR/hello.txt
@@ -22,7 +22,7 @@ load helpers
run_podman run -d --name myweb -p "$HOST_PORT:80" \
-v $INDEX1:/var/www/index.txt \
-w /var/www \
- busybox httpd -f -p 80
+ $IMAGE /bin/busybox-extras httpd -f -p 80
cid=$output
# In that container, create a second file, using exec and redirection
@@ -33,14 +33,14 @@ load helpers
# Verify http contents: curl from localhost
run curl -s $SERVER/index.txt
- is "$output" "$random_1" "curl localhost:/index.txt"
+ is "$output" "$random_1" "curl 127.0.0.1:/index.txt"
run curl -s $SERVER/index2.txt
- is "$output" "$random_2" "curl localhost:/index2.txt"
+ is "$output" "$random_2" "curl 127.0.0.1:/index2.txt"
# Verify http contents: wget from a second container
- run_podman run --rm --net=host busybox wget -qO - $SERVER/index.txt
+ run_podman run --rm --net=host $IMAGE wget -qO - $SERVER/index.txt
is "$output" "$random_1" "podman wget /index.txt"
- run_podman run --rm --net=host busybox wget -qO - $SERVER/index2.txt
+ run_podman run --rm --net=host $IMAGE wget -qO - $SERVER/index2.txt
is "$output" "$random_2" "podman wget /index2.txt"
# Tests #4889 - two-argument form of "podman ports" was broken
@@ -57,7 +57,6 @@ load helpers
# Clean up
run_podman stop -t 1 myweb
run_podman rm myweb
- run_podman rmi busybox
}
# Issue #5466 - port-forwarding doesn't work with this option and -d
diff --git a/test/system/build-testimage b/test/system/build-testimage
new file mode 100755
index 000000000..64aa46337
--- /dev/null
+++ b/test/system/build-testimage
@@ -0,0 +1,59 @@
+#!/bin/bash
+#
+# build-testimage - script for producing a test image for podman CI
+#
+# The idea is to have a small multi-purpose image that can be pulled once
+# by system tests and used for as many tests as possible. This image
+# should live on quay.io, should be small in size, and should include
+# as many components as needed by system tests so they don't have to
+# pull other images.
+#
+# Unfortunately, "small" is incompatible with "systemd" so tests
+# still need a fedora image for that.
+#
+
+# Tag for this new image
+YMD=$(date +%Y%m%d)
+
+# git-relative path to this script
+create_script=$(cd $(dirname $0) && git ls-files --full-name $(basename $0))
+if [ -z "$create_script" ]; then
+ create_script=$0
+fi
+
+# Creation timestamp, Zulu time
+create_time_z=$(env TZ=UTC date +'%Y-%m-%dT%H:%M:%SZ')
+
+set -ex
+
+# Please document the reason for all flags, apk's, and anything non-obvious
+#
+# --squash-all : needed by 'tree' test in 070-build.bats
+# busybox-extras : provides httpd needed in 500-networking.bats
+#
+podman rmi -f testimage &> /dev/null || true
+podman build --squash-all -t testimage - <<EOF
+FROM docker.io/library/alpine:3.12.0
+RUN apk add busybox-extras
+LABEL created_by=$create_script
+LABEL created_at=$create_time_z
+CMD ["/bin/echo", "This container is intended for podman CI testing"]
+EOF
+
+# Tag and push to quay.
+podman tag testimage quay.io/edsantiago/testimage:$YMD
+podman push quay.io/edsantiago/testimage:$YMD
+
+# Side note: there should always be a testimage tagged ':00000000'
+# (eight zeroes) in the same location; this is used by tests which
+# need to pull a non-locally-cached image. This image will rarely
+# if ever need to change, nor in fact does it even have to be a
+# copy of this testimage since all we use it for is 'true'.
+#
+# As of 2020-09-02 it is simply busybox, because it is super small:
+#
+# podman pull docker.io/library/busybox:1.32.0
+# podman tag docker.io/library/busybox:1.32.0 \
+# quay.io/edsantiago/testimage:00000000
+# podman push quay.io/edsantiago/testimage:00000000
+#
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index 6c24b24b3..514ba249e 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -6,8 +6,8 @@ PODMAN=${PODMAN:-podman}
# Standard image to use for most tests
PODMAN_TEST_IMAGE_REGISTRY=${PODMAN_TEST_IMAGE_REGISTRY:-"quay.io"}
PODMAN_TEST_IMAGE_USER=${PODMAN_TEST_IMAGE_USER:-"libpod"}
-PODMAN_TEST_IMAGE_NAME=${PODMAN_TEST_IMAGE_NAME:-"alpine_labels"}
-PODMAN_TEST_IMAGE_TAG=${PODMAN_TEST_IMAGE_TAG:-"latest"}
+PODMAN_TEST_IMAGE_NAME=${PODMAN_TEST_IMAGE_NAME:-"testimage"}
+PODMAN_TEST_IMAGE_TAG=${PODMAN_TEST_IMAGE_TAG:-"20200902"}
PODMAN_TEST_IMAGE_FQN="$PODMAN_TEST_IMAGE_REGISTRY/$PODMAN_TEST_IMAGE_USER/$PODMAN_TEST_IMAGE_NAME:$PODMAN_TEST_IMAGE_TAG"
# Because who wants to spell that out each time?