diff options
23 files changed, 163 insertions, 36 deletions
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 90c456544..0d9e6dbcd 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -1848,6 +1848,25 @@ $ podman run --name container1 --personaity=LINUX32 fedora bash $ podman run --name container1 --rootfs /path/to/rootfs:O bash ``` +### Handling Timezones in java applications in a container. + +In order to use a timezone other than UTC when running a +Java application within a container, the `TZ` environment variable must be +set within the container. Java applications will ignore the value set with the +`--tz` option. + +``` +# Example run +podman run -ti --rm -e TZ=EST mytzimage +lrwxrwxrwx. 1 root root 29 Nov 3 08:51 /etc/localtime -> ../usr/share/zoneinfo/Etc/UTC +Now with default timezone: +Fri Nov 19 18:10:55 EST 2021 +Java default sees the following timezone: +2021-11-19T18:10:55.651130-05:00 +Forcing UTC: +Fri Nov 19 23:10:55 UTC 2021 +``` + ### Rootless Containers Podman runs as a non root user on most systems. This feature requires that a new enough version of **shadow-utils** @@ -50,7 +50,7 @@ require ( github.com/opencontainers/runc v1.0.2 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 github.com/opencontainers/runtime-tools v0.9.1-0.20211020193359-09d837bf40a7 - github.com/opencontainers/selinux v1.9.1 + github.com/opencontainers/selinux v1.10.0 github.com/pkg/errors v0.9.1 github.com/pmezard/go-difflib v1.0.0 github.com/rootless-containers/rootlesskit v0.14.6 @@ -787,8 +787,9 @@ github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8= github.com/opencontainers/selinux v1.8.4/go.mod h1:HTvjPFoGMbpQsG886e3lQwnsRWtE4TC1OF3OUvG9FAo= github.com/opencontainers/selinux v1.8.5/go.mod h1:HTvjPFoGMbpQsG886e3lQwnsRWtE4TC1OF3OUvG9FAo= -github.com/opencontainers/selinux v1.9.1 h1:b4VPEF3O5JLZgdTDBmGepaaIbAo0GqoF6EBRq5f/g3Y= github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= +github.com/opencontainers/selinux v1.10.0 h1:rAiKF8hTcgLI3w0DHm6i0ylVVcOrlgR1kK99DRLDhyU= +github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= github.com/openshift/imagebuilder v1.2.2-0.20210415181909-87f3e48c2656 h1:WaxyNFpmIDu4i6so9r6LVFIbSaXqsj8oitMitt86ae4= github.com/openshift/imagebuilder v1.2.2-0.20210415181909-87f3e48c2656/go.mod h1:9aJRczxCH0mvT6XQ+5STAQaPWz7OsWcU5/mRkt8IWeo= github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913 h1:TnbXhKzrTOyuvWrjI8W6pcoI9XPbLHFXCdN2dtUw7Rw= diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go index 6152f1c02..7bbc4b99c 100644 --- a/pkg/api/handlers/compat/images_build.go +++ b/pkg/api/handlers/compat/images_build.go @@ -134,6 +134,15 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { return } + // if layers field not set assume its not from a valid podman-client + // could be a docker client, set `layers=true` since that is the default + // expected behviour + if !utils.IsLibpodRequest(r) { + if _, found := r.URL.Query()["layers"]; !found { + query.Layers = true + } + } + // convert addcaps formats var addCaps = []string{} if _, found := r.URL.Query()["addcaps"]; found { diff --git a/pkg/api/server/register_images.go b/pkg/api/server/register_images.go index 38ceea271..bf8eeef40 100644 --- a/pkg/api/server/register_images.go +++ b/pkg/api/server/register_images.go @@ -1523,6 +1523,13 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error { // JSON map of key, value pairs to set as labels on the new image // (As of version 1.xx) // - in: query + // name: layers + // type: boolean + // default: true + // description: | + // Cache intermediate layers during build. + // (As of version 1.xx) + // - in: query // name: networkmode // type: string // default: bridge diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go index 200faae2d..6180343a7 100644 --- a/test/e2e/common_test.go +++ b/test/e2e/common_test.go @@ -320,7 +320,7 @@ func (p *PodmanTestIntegration) createArtifact(image string) { } dest := strings.Split(image, "/") destName := fmt.Sprintf("/tmp/%s.tar", strings.Replace(strings.Join(strings.Split(dest[len(dest)-1], "/"), ""), ":", "-", -1)) - fmt.Printf("Caching %s at %s...", image, destName) + fmt.Printf("Caching %s at %s...\n", image, destName) if _, err := os.Stat(destName); os.IsNotExist(err) { pull := p.PodmanNoCache([]string{"pull", image}) pull.Wait(440) @@ -466,6 +466,9 @@ func (p *PodmanTestIntegration) BuildImageWithLabel(dockerfile, imageName string // PodmanPID execs podman and returns its PID func (p *PodmanTestIntegration) PodmanPID(args []string) (*PodmanSessionIntegration, int) { podmanOptions := p.MakeOptions(args, false, false) + if p.RemoteTest { + podmanOptions = append([]string{"--remote", "--url", p.RemoteSocket}, podmanOptions...) + } fmt.Printf("Running: %s %s\n", p.PodmanBinary, strings.Join(podmanOptions, " ")) command := exec.Command(p.PodmanBinary, podmanOptions...) session, err := Start(command, GinkgoWriter, GinkgoWriter) diff --git a/test/e2e/import_test.go b/test/e2e/import_test.go index 519a7290c..13a0f6f90 100644 --- a/test/e2e/import_test.go +++ b/test/e2e/import_test.go @@ -18,7 +18,6 @@ var _ = Describe("Podman import", func() { ) BeforeEach(func() { - SkipIfRemote("FIXME: These look like it is supposed to work in remote") tempdir, err = CreateTempDirInTempDir() if err != nil { os.Exit(1) @@ -156,6 +155,8 @@ var _ = Describe("Podman import", func() { }) It("podman import with signature", func() { + SkipIfRemote("FIXME: remote ignores --signature-policy, #12357") + outfile := filepath.Join(podmanTest.TempDir, "container.tar") _, ec, cid := podmanTest.RunLsContainer("") Expect(ec).To(Equal(0)) diff --git a/test/e2e/logs_test.go b/test/e2e/logs_test.go index 3beabec4b..d901dde5c 100644 --- a/test/e2e/logs_test.go +++ b/test/e2e/logs_test.go @@ -214,7 +214,7 @@ var _ = Describe("Podman logs", func() { It("two containers showing short container IDs: "+log, func() { skipIfJournaldInContainer() - SkipIfRemote("FIXME: podman-remote logs does not support showing two containers at the same time") + SkipIfRemote("podman-remote logs does not support showing two containers at the same time") log1 := podmanTest.Podman([]string{"run", "--log-driver", log, "-dt", ALPINE, "sh", "-c", "echo podman; echo podman; echo podman"}) log1.WaitWithDefaultTimeout() diff --git a/test/e2e/push_test.go b/test/e2e/push_test.go index 7b35acd35..7038a09e8 100644 --- a/test/e2e/push_test.go +++ b/test/e2e/push_test.go @@ -95,7 +95,7 @@ var _ = Describe("Podman push", func() { }) It("podman push to local registry with authorization", func() { - SkipIfRootless("FIXME: Creating content in certs.d we use directories in homedir") + SkipIfRootless("volume-mounting a certs.d file N/A over remote") if podmanTest.Host.Arch == "ppc64le" { Skip("No registry image for ppc64le") } diff --git a/test/e2e/run_cgroup_parent_test.go b/test/e2e/run_cgroup_parent_test.go index e0e1d4b1d..6bdc6af08 100644 --- a/test/e2e/run_cgroup_parent_test.go +++ b/test/e2e/run_cgroup_parent_test.go @@ -48,21 +48,22 @@ var _ = Describe("Podman run with --cgroup-parent", func() { run := podmanTest.Podman([]string{"run", "--cgroupns=host", "--cgroup-parent", cgroup, fedoraMinimal, "cat", "/proc/self/cgroup"}) run.WaitWithDefaultTimeout() Expect(run).Should(Exit(0)) - ok, _ := run.GrepString(cgroup) - Expect(ok).To(BeTrue()) + Expect(run.OutputToString()).To(ContainSubstring(cgroup)) }) Specify("no --cgroup-parent", func() { - SkipIfRootless("FIXME This seems to be broken in rootless mode") cgroup := "/libpod_parent" if !Containerized() && podmanTest.CgroupManager != "cgroupfs" { - cgroup = "/machine.slice" + if isRootless() { + cgroup = "/user.slice" + } else { + cgroup = "/machine.slice" + } } run := podmanTest.Podman([]string{"run", "--cgroupns=host", fedoraMinimal, "cat", "/proc/self/cgroup"}) run.WaitWithDefaultTimeout() Expect(run).Should(Exit(0)) - ok, _ := run.GrepString(cgroup) - Expect(ok).To(BeTrue()) + Expect(run.OutputToString()).To(ContainSubstring(cgroup)) }) Specify("always honor --cgroup-parent", func() { @@ -114,7 +115,6 @@ var _ = Describe("Podman run with --cgroup-parent", func() { run := podmanTest.Podman([]string{"run", "--cgroupns=host", "--cgroup-parent", cgroup, fedoraMinimal, "cat", "/proc/1/cgroup"}) run.WaitWithDefaultTimeout() Expect(run).Should(Exit(0)) - ok, _ := run.GrepString(cgroup) - Expect(ok).To(BeTrue()) + Expect(run.OutputToString()).To(ContainSubstring(cgroup)) }) }) diff --git a/test/e2e/run_cleanup_test.go b/test/e2e/run_cleanup_test.go index 6753fcf12..cc4e66751 100644 --- a/test/e2e/run_cleanup_test.go +++ b/test/e2e/run_cleanup_test.go @@ -35,7 +35,7 @@ var _ = Describe("Podman run exit", func() { It("podman run -d mount cleanup test", func() { SkipIfRemote("podman-remote does not support mount") - SkipIfRootless("FIXME podman mount requires podman unshare first") + SkipIfRootless("TODO rootless podman mount requires podman unshare first") result := podmanTest.Podman([]string{"run", "-dt", ALPINE, "top"}) result.WaitWithDefaultTimeout() diff --git a/test/e2e/run_privileged_test.go b/test/e2e/run_privileged_test.go index 3e4262cfb..d793a01f8 100644 --- a/test/e2e/run_privileged_test.go +++ b/test/e2e/run_privileged_test.go @@ -128,7 +128,6 @@ var _ = Describe("Podman privileged container tests", func() { }) It("podman privileged should inherit host devices", func() { - SkipIfRootless("FIXME: This seems to be broken for rootless mode, /dev/ is close to the same") session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "ls", "-l", "/dev"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) diff --git a/test/e2e/run_signal_test.go b/test/e2e/run_signal_test.go index e9c073a6c..49f456366 100644 --- a/test/e2e/run_signal_test.go +++ b/test/e2e/run_signal_test.go @@ -45,7 +45,6 @@ var _ = Describe("Podman run with --sig-proxy", func() { }) Specify("signals are forwarded to container using sig-proxy", func() { - SkipIfRemote("FIXME: This looks like it is supposed to work in remote") if podmanTest.Host.Arch == "ppc64le" { Skip("Doesn't work on ppc64le") } @@ -111,7 +110,6 @@ var _ = Describe("Podman run with --sig-proxy", func() { }) Specify("signals are not forwarded to container with sig-proxy false", func() { - SkipIfRemote("FIXME: This looks like it is supposed to work in remote") signal := syscall.SIGFPE if rootless.IsRootless() { podmanTest.RestoreArtifact(fedoraMinimal) diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 05cb986c6..2be2154ff 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -681,7 +681,7 @@ USER bin`, BB) }) It("podman run device-read-bps test", func() { - SkipIfRootless("FIXME: Missing /sys/fs/cgroup/user.slice/user-14467.slice/user@14467.service/cgroup.subtree_control") + SkipIfRootless("FIXME: requested cgroup controller `io` is not available") SkipIfRootlessCgroupsV1("Setting device-read-bps not supported on cgroupv1 for rootless users") var session *PodmanSessionIntegration @@ -700,7 +700,7 @@ USER bin`, BB) }) It("podman run device-write-bps test", func() { - SkipIfRootless("FIXME /sys/fs/cgroup/user.slice/user-14467.slice/user@14467.service/cgroup.subtree_control does not exist") + SkipIfRootless("FIXME: requested cgroup controller `io` is not available") SkipIfRootlessCgroupsV1("Setting device-write-bps not supported on cgroupv1 for rootless users") var session *PodmanSessionIntegration @@ -718,7 +718,7 @@ USER bin`, BB) }) It("podman run device-read-iops test", func() { - SkipIfRootless("FIXME /sys/fs/cgroup/user.slice/user-14467.slice/user@14467.service/cgroup.subtree_control does not exist") + SkipIfRootless("FIXME: requested cgroup controller `io` is not available") SkipIfRootlessCgroupsV1("Setting device-read-iops not supported on cgroupv1 for rootless users") var session *PodmanSessionIntegration @@ -736,7 +736,7 @@ USER bin`, BB) }) It("podman run device-write-iops test", func() { - SkipIfRootless("FIXME /sys/fs/cgroup/user.slice/user-14467.slice/user@14467.service/cgroup.subtree_control does not exist") + SkipIfRootless("FIXME: requested cgroup controller `io` is not available") SkipIfRootlessCgroupsV1("Setting device-write-iops not supported on cgroupv1 for rootless users") var session *PodmanSessionIntegration diff --git a/test/e2e/run_volume_test.go b/test/e2e/run_volume_test.go index 634a498b9..5ce4d9acf 100644 --- a/test/e2e/run_volume_test.go +++ b/test/e2e/run_volume_test.go @@ -282,8 +282,8 @@ var _ = Describe("Podman run with volumes", func() { }) It("podman run with tmpfs named volume mounts and unmounts", func() { - SkipIfRootless("FIXME: rootless podman mount requires you to be in a user namespace") - SkipIfRemote("podman-remote does not support --volumes this test could be simplified to be tested on Remote.") + SkipIfRootless("rootless podman mount requires you to be in a user namespace") + SkipIfRemote("podman-remote does not support --volumes. This test could be simplified to be tested on Remote.") volName := "testvol" mkVolume := podmanTest.Podman([]string{"volume", "create", "--opt", "type=tmpfs", "--opt", "device=tmpfs", "--opt", "o=nodev", "testvol"}) mkVolume.WaitWithDefaultTimeout() diff --git a/test/system/030-run.bats b/test/system/030-run.bats index ba21cd21d..5937d38f8 100644 --- a/test/system/030-run.bats +++ b/test/system/030-run.bats @@ -236,7 +236,7 @@ echo $rand | 0 | $rand } @test "podman run docker-archive" { - skip_if_remote "podman-remote does not support docker-archive (#7116)" + skip_if_remote "podman-remote does not support docker-archive" # Create an image that, when run, outputs a random magic string expect=$(random_string 20) diff --git a/test/system/400-unprivileged-access.bats b/test/system/400-unprivileged-access.bats index f26c97d1e..cf0d0e6bf 100644 --- a/test/system/400-unprivileged-access.bats +++ b/test/system/400-unprivileged-access.bats @@ -101,11 +101,6 @@ EOF # #6957 - mask out /proc/acpi, /sys/dev, and other sensitive system files @test "sensitive mount points are masked without --privileged" { - # Weird error, maybe a flake? - # can only attach to created or running containers: container state improper - # https://github.com/containers/podman/pull/7111#issuecomment-666858715 - skip_if_remote "FIXME: Weird flake" - # FIXME: this should match the list in pkg/specgen/generate/config_linux.go local -a mps=( /proc/acpi diff --git a/test/utils/utils.go b/test/utils/utils.go index 8d1edb23a..4a57d9ce7 100644 --- a/test/utils/utils.go +++ b/test/utils/utils.go @@ -121,6 +121,7 @@ func (p *PodmanTest) WaitForContainer() bool { } time.Sleep(1 * time.Second) } + fmt.Printf("WaitForContainer(): timed out\n") return false } diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go index cad467507..5a59d151f 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go @@ -61,16 +61,30 @@ func ClassIndex(class string) (int, error) { return classIndex(class) } -// SetFileLabel sets the SELinux label for this path or returns an error. +// SetFileLabel sets the SELinux label for this path, following symlinks, +// or returns an error. func SetFileLabel(fpath string, label string) error { return setFileLabel(fpath, label) } -// FileLabel returns the SELinux label for this path or returns an error. +// LsetFileLabel sets the SELinux label for this path, not following symlinks, +// or returns an error. +func LsetFileLabel(fpath string, label string) error { + return lSetFileLabel(fpath, label) +} + +// FileLabel returns the SELinux label for this path, following symlinks, +// or returns an error. func FileLabel(fpath string) (string, error) { return fileLabel(fpath) } +// LfileLabel returns the SELinux label for this path, not following symlinks, +// or returns an error. +func LfileLabel(fpath string) (string, error) { + return lFileLabel(fpath) +} + // SetFSCreateLabel tells the kernel what label to use for all file system objects // created by this task. // Set the label to an empty string to return to the default label. Calls to SetFSCreateLabel diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go index b045843ad..ee602ab96 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go @@ -316,8 +316,9 @@ func classIndex(class string) (int, error) { return index, nil } -// setFileLabel sets the SELinux label for this path or returns an error. -func setFileLabel(fpath string, label string) error { +// lSetFileLabel sets the SELinux label for this path, not following symlinks, +// or returns an error. +func lSetFileLabel(fpath string, label string) error { if fpath == "" { return ErrEmptyPath } @@ -334,12 +335,50 @@ func setFileLabel(fpath string, label string) error { return nil } -// fileLabel returns the SELinux label for this path or returns an error. +// setFileLabel sets the SELinux label for this path, following symlinks, +// or returns an error. +func setFileLabel(fpath string, label string) error { + if fpath == "" { + return ErrEmptyPath + } + for { + err := unix.Setxattr(fpath, xattrNameSelinux, []byte(label), 0) + if err == nil { + break + } + if err != unix.EINTR { //nolint:errorlint // unix errors are bare + return &os.PathError{Op: "setxattr", Path: fpath, Err: err} + } + } + + return nil +} + +// fileLabel returns the SELinux label for this path, following symlinks, +// or returns an error. func fileLabel(fpath string) (string, error) { if fpath == "" { return "", ErrEmptyPath } + label, err := getxattr(fpath, xattrNameSelinux) + if err != nil { + return "", &os.PathError{Op: "getxattr", Path: fpath, Err: err} + } + // Trim the NUL byte at the end of the byte buffer, if present. + if len(label) > 0 && label[len(label)-1] == '\x00' { + label = label[:len(label)-1] + } + return string(label), nil +} + +// lFileLabel returns the SELinux label for this path, not following symlinks, +// or returns an error. +func lFileLabel(fpath string) (string, error) { + if fpath == "" { + return "", ErrEmptyPath + } + label, err := lgetxattr(fpath, xattrNameSelinux) if err != nil { return "", &os.PathError{Op: "lgetxattr", Path: fpath, Err: err} diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go index 42657759c..78743b020 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go @@ -17,10 +17,18 @@ func setFileLabel(fpath string, label string) error { return nil } +func lSetFileLabel(fpath string, label string) error { + return nil +} + func fileLabel(fpath string) (string, error) { return "", nil } +func lFileLabel(fpath string) (string, error) { + return "", nil +} + func setFSCreateLabel(label string) error { return nil } diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go index c6b0a7f26..9e473ca16 100644 --- a/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go +++ b/vendor/github.com/opencontainers/selinux/go-selinux/xattrs_linux.go @@ -36,3 +36,36 @@ func doLgetxattr(path, attr string, dest []byte) (int, error) { } } } + +// getxattr returns a []byte slice containing the value of +// an extended attribute attr set for path. +func getxattr(path, attr string) ([]byte, error) { + // Start with a 128 length byte array + dest := make([]byte, 128) + sz, errno := dogetxattr(path, attr, dest) + for errno == unix.ERANGE { //nolint:errorlint // unix errors are bare + // Buffer too small, use zero-sized buffer to get the actual size + sz, errno = dogetxattr(path, attr, []byte{}) + if errno != nil { + return nil, errno + } + + dest = make([]byte, sz) + sz, errno = dogetxattr(path, attr, dest) + } + if errno != nil { + return nil, errno + } + + return dest[:sz], nil +} + +// dogetxattr is a wrapper that retries on EINTR +func dogetxattr(path, attr string, dest []byte) (int, error) { + for { + sz, err := unix.Getxattr(path, attr, dest) + if err != unix.EINTR { //nolint:errorlint // unix errors are bare + return sz, err + } + } +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 3000d4212..71658bf35 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -569,7 +569,7 @@ github.com/opencontainers/runtime-tools/generate github.com/opencontainers/runtime-tools/generate/seccomp github.com/opencontainers/runtime-tools/specerror github.com/opencontainers/runtime-tools/validate -# github.com/opencontainers/selinux v1.9.1 +# github.com/opencontainers/selinux v1.10.0 ## explicit github.com/opencontainers/selinux/go-selinux github.com/opencontainers/selinux/go-selinux/label |