-rw-r--r--cmd/podman/machine/start.go8
-rw-r--r--docs/source/markdown/podman-create.1.md12
-rw-r--r--docs/source/markdown/podman-run.1.md12
-rw-r--r--pkg/auth/auth.go20
-rw-r--r--pkg/auth/auth_test.go66
-rw-r--r--test/upgrade/helpers.bash8
-rw-r--r--test/upgrade/test-upgrade.bats62
7 files changed, 155 insertions, 33 deletions
diff --git a/cmd/podman/machine/start.go b/cmd/podman/machine/start.go
index a5ba74599..4ae31e6de 100644
--- a/cmd/podman/machine/start.go
+++ b/cmd/podman/machine/start.go
@@ -3,6 +3,8 @@
package machine
import (
+ "fmt"
+
"github.com/containers/podman/v3/cmd/podman/registry"
"github.com/containers/podman/v3/pkg/machine"
"github.com/containers/podman/v3/pkg/machine/qemu"
@@ -58,5 +60,9 @@ func start(cmd *cobra.Command, args []string) error {
if err != nil {
return err
}
- return vm.Start(vmName, machine.StartOptions{})
+ if err := vm.Start(vmName, machine.StartOptions{}); err != nil {
+ return err
+ }
+ fmt.Printf("Machine %q started successfully\n", vmName)
+ return nil
}
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index 0e32fb20d..00e94b41d 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -1125,21 +1125,21 @@ Example: `containers:2147483647:2147483648`.
Podman allocates unique ranges of UIDs and GIDs from the `containers` subpordinate user ids. The size of the ranges is based on the number of UIDs required in the image. The number of UIDs and GIDs can be overridden with the `size` option. The `auto` options currently does not work in rootless mode
- Valid `auto`options:
+ Valid `auto` options:
- *gidmapping*=_CONTAINER_GID:HOST_GID:SIZE_: to force a GID mapping to be present in the user namespace.
- *size*=_SIZE_: to specify an explicit size for the automatic user namespace. e.g. `--userns=auto:size=8192`. If `size` is not specified, `auto` will estimate a size for the user namespace.
- *uidmapping*=_CONTAINER_UID:HOST_UID:SIZE_: to force a UID mapping to be present in the user namespace.
-- **container:**_id_: join the user namespace of the specified container.
+**container:**_id_: join the user namespace of the specified container.
-- **host**: run in the user namespace of the caller. The processes running in the container will have the same privileges on the host as any other process launched by the calling user (default).
+**host**: run in the user namespace of the caller. The processes running in the container will have the same privileges on the host as any other process launched by the calling user (default).
-- **keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is ignored for containers created by the root user.
+**keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is ignored for containers created by the root user.
-- **ns:**_namespace_: run the container in the given existing user namespace.
+**ns:**_namespace_: run the container in the given existing user namespace.
-- **private**: create a new namespace for the container.
+**private**: create a new namespace for the container.
This option is incompatible with **--gidmap**, **--uidmap**, **--subuidname** and **--subgidname**.
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index 3bbe41cc2..63224b49d 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -1184,21 +1184,21 @@ Example: `containers:2147483647:2147483648`.
Podman allocates unique ranges of UIDs and GIDs from the `containers` subpordinate user ids. The size of the ranges is based on the number of UIDs required in the image. The number of UIDs and GIDs can be overridden with the `size` option. The `auto` options currently does not work in rootless mode
- Valid `auto`options:
+ Valid `auto` options:
- *gidmapping*=_CONTAINER_GID:HOST_GID:SIZE_: to force a GID mapping to be present in the user namespace.
- *size*=_SIZE_: to specify an explicit size for the automatic user namespace. e.g. `--userns=auto:size=8192`. If `size` is not specified, `auto` will estimate a size for the user namespace.
- *uidmapping*=_CONTAINER_UID:HOST_UID:SIZE_: to force a UID mapping to be present in the user namespace.
-- **container:**_id_: join the user namespace of the specified container.
+**container:**_id_: join the user namespace of the specified container.
-- **host**: run in the user namespace of the caller. The processes running in the container will have the same privileges on the host as any other process launched by the calling user (default).
+**host**: run in the user namespace of the caller. The processes running in the container will have the same privileges on the host as any other process launched by the calling user (default).
-- **keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is ignored for containers created by the root user.
+**keep-id**: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is ignored for containers created by the root user.
-- **ns:**_namespace_: run the container in the given existing user namespace.
+**ns:**_namespace_: run the container in the given existing user namespace.
-- **private**: create a new namespace for the container.
+**private**: create a new namespace for the container.
This option is incompatible with **--gidmap**, **--uidmap**, **--subuidname** and **--subgidname**.
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
index ecfa6651c..6aff880f4 100644
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -259,7 +259,9 @@ func authConfigsToAuthFile(authConfigs map[string]types.DockerAuthConfig) (strin
// tested, and we make sure to use the same code as the image backend.
sys := types.SystemContext{AuthFilePath: authFilePath}
for server, config := range authConfigs {
- // Note that we do not validate the credentials here. Wassume
+ server = normalize(server)
+
+ // Note that we do not validate the credentials here. We assume
// that all credentials are valid. They'll be used on demand
// later.
if err := imageAuth.SetAuthentication(&sys, server, config.Username, config.Password); err != nil {
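Review bot: Two keys of `authConfigs` can now normalize to the same `server`: keys that differ only in scheme (`http://` vs `https://`), or Docker Hub keys that differ only in path. Go map iteration order is unspecified, so which credential ends up in the auth file for that key can change between runs, and a credential supplied for one form of the name is silently used for the other. Consider tracking the normalized names already written and returning an error, or at least logging, when a second entry maps to an existing one. A comment such as `// Keys are normalized first; distinct input keys may collapse to one entry.` above the call would document the behaviour. The loop and the function continue outside this hunk.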
@@ -270,6 +272,22 @@ func authConfigsToAuthFile(authConfigs map[string]types.DockerAuthConfig) (strin
return authFilePath, nil
}
+// normalize takes a server and removes the leading "http[s]://" prefix as well
+// as removes path suffixes from docker registries.
+func normalize(server string) string {
+ stripped := strings.TrimPrefix(server, "http://")
+ stripped = strings.TrimPrefix(stripped, "https://")
+
+ /// Normalize docker registries
+ if strings.HasPrefix(stripped, "index.docker.io/") ||
+ strings.HasPrefix(stripped, "registry-1.docker.io/") ||
+ strings.HasPrefix(stripped, "docker.io/") {
+ stripped = strings.SplitN(stripped, "/", 2)[0]
+ }
+
+ return stripped
+}
+
// dockerAuthToImageAuth converts a docker auth config to one we're using
// internally from c/image. Note that the Docker types look slightly
// different, so we need to convert to be extra sure we're not running into
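Review bot: `normalize` removes the path only for the three Docker Hub hostnames, so a key like `https://my-registry.local/` keeps its trailing slash and is written as `my-registry.local/`. Whether `SetAuthentication` accepts that key, or later matches it, is not visible here, so it deserves either a test case or a `stripped = strings.TrimSuffix(stripped, "/")` before the return. The scheme match is case-sensitive, and the doc comment could state that paths on non-Docker registries are kept on purpose. The inner comment uses `///`; `// Normalize docker registries` would be consistent with the other comments shown.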
diff --git a/pkg/auth/auth_test.go b/pkg/auth/auth_test.go
new file mode 100644
index 000000000..da2d9a5c5
--- /dev/null
+++ b/pkg/auth/auth_test.go
@@ -0,0 +1,66 @@
+package auth
+
+import (
+ "io/ioutil"
+ "testing"
+
+ "github.com/containers/image/v5/types"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestAuthConfigsToAuthFile(t *testing.T) {
+ for _, tc := range []struct {
+ name string
+ server string
+ shouldErr bool
+ expectedContains string
+ }{
+ {
+ name: "empty auth configs",
+ server: "",
+ shouldErr: false,
+ expectedContains: "{}",
+ },
+ {
+ name: "registry with prefix",
+ server: "my-registry.local/username",
+ shouldErr: false,
+ expectedContains: `"my-registry.local/username":`,
+ },
+ {
+ name: "normalize https:// prefix",
+ server: "http://my-registry.local/username",
+ shouldErr: false,
+ expectedContains: `"my-registry.local/username":`,
+ },
+ {
+ name: "normalize docker registry with https prefix",
+ server: "http://index.docker.io/v1/",
+ shouldErr: false,
+ expectedContains: `"index.docker.io":`,
+ },
+ {
+ name: "normalize docker registry without https prefix",
+ server: "docker.io/v2/",
+ shouldErr: false,
+ expectedContains: `"docker.io":`,
+ },
+ } {
+ configs := map[string]types.DockerAuthConfig{}
+ if tc.server != "" {
+ configs[tc.server] = types.DockerAuthConfig{}
+ }
+
+ filePath, err := authConfigsToAuthFile(configs)
+
+ if tc.shouldErr {
+ assert.NotNil(t, err)
+ assert.Empty(t, filePath)
+ } else {
+ assert.Nil(t, err)
+ content, err := ioutil.ReadFile(filePath)
+ assert.Nil(t, err)
+ assert.Contains(t, string(content), tc.expectedContains)
+ }
+ }
+}
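Review bot: The cases named "normalize https:// prefix" and "normalize docker registry with https prefix" both pass an `http://` server, so the `https://` branch of `normalize` is never exercised; add a case with `server: "https://my-registry.local/username"`. The auth file returned by `authConfigsToAuthFile` is never removed, so each run leaves a credentials file in the temp directory; `defer os.Remove(filePath)` inside a `t.Run(tc.name, …)` subtest would clean it up and also put the case name in failures. `assert.Nil(t, err)` lets the test continue into `ioutil.ReadFile` after a failure, whereas `require.NoError(t, err)` stops at the first error.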
diff --git a/test/upgrade/helpers.bash b/test/upgrade/helpers.bash
index 41d9279e6..16fedb053 100644
--- a/test/upgrade/helpers.bash
+++ b/test/upgrade/helpers.bash
@@ -9,3 +9,11 @@ setup() {
teardown() {
:
}
+
+# skip a test when the given version is older than the currently tested one
+skip_if_version_older() {
+ # use ${PODMAN_UPGRADE_FROM##v} to trim the leading "v"
+ if printf '%s\n%s\n' "${PODMAN_UPGRADE_FROM##v}" "$1" | sort --check=quiet --version-sort; then
+ skip "${2-test is only meaningful when upgrading from $1 or later}"
+ fi
+}
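Review bot: `sort --check` treats two equal lines as sorted, so `skip_if_version_older 2.2.0` also skips when `PODMAN_UPGRADE_FROM` is exactly `v2.2.0`, although the skip message says the test is meaningful "when upgrading from $1 or later". Adding `--unique` makes the check strict, so equal versions are no longer skipped: `sort --check=quiet --version-sort --unique`. The header comment is also hard to parse; something like `# skip a test when the version we upgrade from (PODMAN_UPGRADE_FROM) is older than $1; $2 is an optional skip message` states the direction of the comparison. An unset `PODMAN_UPGRADE_FROM` sorts first and therefore skips silently, which may deserve a note too.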
diff --git a/test/upgrade/test-upgrade.bats b/test/upgrade/test-upgrade.bats
index ca478e263..5cb302a85 100644
--- a/test/upgrade/test-upgrade.bats
+++ b/test/upgrade/test-upgrade.bats
@@ -21,9 +21,7 @@ if [ -z "${RANDOM_STRING_1}" ]; then
export LABEL_CREATED=$(random_string 16)
export LABEL_FAILED=$(random_string 17)
export LABEL_RUNNING=$(random_string 18)
-
- # FIXME: randomize this
- HOST_PORT=34567
+ export HOST_PORT=$(random_free_port)
fi
# Version string of the podman we're actually testing, e.g. '3.0.0-dev-d1a26013'
@@ -44,7 +42,8 @@ setup() {
false
fi
- export _PODMAN_TEST_OPTS="--root=$PODMAN_UPGRADE_WORKDIR/root --runroot=$PODMAN_UPGRADE_WORKDIR/runroot --tmpdir=$PODMAN_UPGRADE_WORKDIR/tmp"
+ # cgroup-manager=systemd does not work inside a container
+ export _PODMAN_TEST_OPTS="--cgroup-manager=cgroupfs --root=$PODMAN_UPGRADE_WORKDIR/root --runroot=$PODMAN_UPGRADE_WORKDIR/runroot --tmpdir=$PODMAN_UPGRADE_WORKDIR/tmp"
}
###############################################################################
@@ -76,8 +75,8 @@ setup() {
cat >| $pmscript <<EOF
#!/bin/bash
-# cgroup-manager=systemd does not work inside a container
-opts="--cgroup-manager=cgroupfs --events-backend=file $_PODMAN_TEST_OPTS"
+# events-backend=journald does not work inside a container
+opts="--events-backend=file $_PODMAN_TEST_OPTS"
set -ex
@@ -95,22 +94,17 @@ podman \$opts run --name mydonecontainer $IMAGE echo ++$RANDOM_STRING_1++
podman \$opts run --name myfailedcontainer --label mylabel=$LABEL_FAILED \
$IMAGE sh -c 'exit 17' || true
-# FIXME: add "-p $HOST_PORT:80"
-# ...I tried and tried, and could not get this to work. I could never
-# connect to the port from the host, nor even from the podman_parent
-# container; I could never see the port listed in 'ps' nor 'inspect'.
-# And, finally, I ended up in a state where the container wouldn't
-# even start, and via complicated 'podman logs' found out:
-# httpd: bind: Address in use
-# So I just give up for now.
-#
podman \$opts run -d --name myrunningcontainer --label mylabel=$LABEL_RUNNING \
+ --network bridge \
+ -p $HOST_PORT:80 \
-v $pmroot/var/www:/var/www \
-w /var/www \
$IMAGE /bin/busybox-extras httpd -f -p 80
podman \$opts pod create --name mypod
+podman \$opts network create mynetwork
+
echo READY
while :;do
if [ -e /stop ]; then
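Review bot: `-p $HOST_PORT:80` publishes the test httpd on every host interface (the `ps` expectation later in this commit shows `0.0.0.0:$HOST_PORT->80/tcp`), while the new tests only ever connect to `127.0.0.1`. Binding to loopback with `-p 127.0.0.1:$HOST_PORT:80 \` keeps the container, which serves `$pmroot/var/www`, unreachable from other machines on a shared CI network. The `ps` expectation would need the same address. The generated script continues outside this hunk.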
@@ -140,6 +134,7 @@ EOF
#
# mount /etc/containers/storage.conf to use the same storage settings as on the host
# mount /dev/shm because the container locks are stored there
+ # mount /var/lib/cni and /etc/cni/net.d for cni networking
#
$PODMAN run -d --name podman_parent --pid=host \
--privileged \
@@ -149,6 +144,9 @@ EOF
-v /etc/containers/storage.conf:/etc/containers/storage.conf \
-v /dev/fuse:/dev/fuse \
-v /run/crun:/run/crun \
+ -v /run/netns:/run/netns:rshared \
+ -v /var/lib/cni:/var/lib/cni \
+ -v /etc/cni/net.d:/etc/cni/net.d \
-v /dev/shm:/dev/shm \
-v $pmroot:$pmroot \
$OLD_PODMAN $pmroot/setup
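Review bot: The three added bind mounts give the `--privileged` old-podman container read-write access to the host's `/run/netns`, `/var/lib/cni` and `/etc/cni/net.d`. That means `network create mynetwork` in the setup script writes into the host's CNI configuration, and only the final cleanup test removes it; a run that aborts earlier leaves `mynetwork` on the host. A best-effort `network rm` in a failure path, or a per-run network name, would limit that. The comment block above the command (previous hunk) explains the two CNI mounts but not `/run/netns:rshared`; add a line such as `# mount /run/netns (rshared) so network namespaces are shared with the host`, worded to match the actual reason.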
@@ -187,7 +185,7 @@ EOF
is "${lines[1]}" "mycreatedcontainer--Created----$LABEL_CREATED" "created"
is "${lines[2]}" "mydonecontainer--Exited (0).*----<no value>" "done"
is "${lines[3]}" "myfailedcontainer--Exited (17) .*----$LABEL_FAILED" "fail"
- is "${lines[4]}" "myrunningcontainer--Up .*----$LABEL_RUNNING" "running"
+ is "${lines[4]}" "myrunningcontainer--Up .*--0.0.0.0:$HOST_PORT->80/tcp--$LABEL_RUNNING" "running"
# For debugging: dump containers and IDs
if [[ -n "$PODMAN_UPGRADE_TEST_DEBUG" ]]; then
@@ -212,6 +210,30 @@ failed | exited | 17
done < <(parse_table "$tests")
}
+@test "network - curl" {
+ run curl --max-time 3 -s 127.0.0.1:$HOST_PORT/index.txt
+ is "$output" "$RANDOM_STRING_1" "curl on running container"
+}
+
+# IMPORTANT: connect should happen before restart, we want to check
+# if we can connect on an existing running container
+@test "network - connect" {
+ skip_if_version_older 2.2.0
+ run_podman network connect mynetwork myrunningcontainer
+ run_podman network disconnect podman myrunningcontainer
+ run curl --max-time 3 -s 127.0.0.1:$HOST_PORT/index.txt
+ is "$output" "$RANDOM_STRING_1" "curl on container with second network connected"
+}
+
+@test "network - restart" {
+ # restart the container and check if we can still use the port
+ run_podman stop -t0 myrunningcontainer
+ run_podman start myrunningcontainer
+ run curl --max-time 3 -s 127.0.0.1:$HOST_PORT/index.txt
+ is "$output" "$RANDOM_STRING_1" "curl on restarted container"
+}
+
+
@test "logs" {
run_podman logs mydonecontainer
is "$output" "++$RANDOM_STRING_1++" "podman logs on stopped container"
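Review bot: The three new `run curl --max-time 3 -s …` calls check only `$output`, and `-s` suppresses curl's error text, so a refused connection or timeout shows up as an empty-string mismatch with no cause. Using `-sS` (`--show-error`) keeps the progress meter off but lets the error reach `$output`; asserting `$status` before the `is` would separate "could not connect" from "wrong content". The "network - connect" test disconnects the `podman` network and does not reconnect it, so the later "network - restart" test depends on that state when the connect test is not skipped; a short comment saying so would help.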
@@ -235,7 +257,7 @@ failed | exited | 17
run_podman pod inspect mypod
is "$output" ".*mypod.*"
- run_podman --cgroup-manager=cgroupfs pod start mypod
+ run_podman pod start mypod
is "$output" "[0-9a-f]\\{64\\}" "podman pod start"
run_podman pod ps
@@ -245,7 +267,7 @@ failed | exited | 17
run_podman pod stop mypod
is "$output" "[0-9a-f]\\{64\\}" "podman pod stop"
- run_podman --cgroup-manager=cgroupfs pod rm mypod
+ run_podman pod rm mypod
# FIXME: CI runs show this (non fatal) error:
# Error updating pod <ID> conmon cgroup PID limit: open /sys/fs/cgroup/libpod_parent/<ID>/conmon/pids.max: no such file or directory
# Investigate how to fix this (likely a race condition)
@@ -257,7 +279,7 @@ failed | exited | 17
@test "start" {
- run_podman --cgroup-manager=cgroupfs start -a mydonecontainer
+ run_podman start -a mydonecontainer
is "$output" "++$RANDOM_STRING_1++" "start on already-run container"
}
@@ -295,6 +317,8 @@ failed | exited | 17
run_podman logs podman_parent
run_podman rm -f podman_parent
+ run_podman network rm -f mynetwork
+
umount $PODMAN_UPGRADE_WORKDIR/root/overlay || true
rm -rf $PODMAN_UPGRADE_WORKDIR