-rw-r--r--cmd/podman/images/build.go8
-rw-r--r--go.mod2
-rw-r--r--go.sum2
-rw-r--r--libpod/runtime.go14
-rw-r--r--libpod/shutdown/handler.go10
-rw-r--r--pkg/api/server/server.go8
-rw-r--r--test/e2e/run_test.go2
-rw-r--r--test/system/050-stop.bats43
-rw-r--r--test/system/070-build.bats31
-rw-r--r--test/system/400-unprivileged-access.bats11
-rw-r--r--test/system/410-selinux.bats11
-rw-r--r--vendor/github.com/google/uuid/version4.go8
-rw-r--r--vendor/modules.txt2
13 files changed, 131 insertions, 21 deletions
diff --git a/cmd/podman/images/build.go b/cmd/podman/images/build.go
index 1029e03d1..4219e325b 100644
--- a/cmd/podman/images/build.go
+++ b/cmd/podman/images/build.go
@@ -423,10 +423,10 @@ func buildFlagsWrapperToOptions(c *cobra.Command, contextDir string, flags *buil
Ulimit: flags.Ulimit,
Volumes: flags.Volumes,
},
- Compression: compression,
- ConfigureNetwork: networkPolicy,
- ContextDirectory: contextDir,
- // DefaultMountsFilePath: FIXME: this requires global flags to be working!
+ Compression: compression,
+ ConfigureNetwork: networkPolicy,
+ ContextDirectory: contextDir,
+ DefaultMountsFilePath: containerConfig.Containers.DefaultMountsFile,
Devices: flags.Devices,
DropCapabilities: flags.CapDrop,
Err: stderr,
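Review bot: `containerConfig` is not declared in this hunk, so it is not visible whether the value now passed as `DefaultMountsFilePath` already reflects the global `--default-mounts-file` flag that the new system tests in this commit rely on, or only the containers.conf default; worth confirming that the flag has been applied to `containerConfig` by the time `buildFlagsWrapperToOptions` runs. The removed FIXME explained where the value was supposed to come from; a replacement comment on the new line would preserve that, e.g. `// DefaultMountsFilePath is taken from containers.conf (or the global --default-mounts-file flag, if it overrides containerConfig).` buildFlagsWrapperToOptions begins and ends outside this hunk.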
diff --git a/go.mod b/go.mod
index d2bcc3e96..1f8ad9ece 100644
--- a/go.mod
+++ b/go.mod
@@ -29,7 +29,7 @@ require (
github.com/ghodss/yaml v1.0.0
github.com/godbus/dbus/v5 v5.0.3
github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf
- github.com/google/uuid v1.1.5
+ github.com/google/uuid v1.2.0
github.com/gorilla/mux v1.8.0
github.com/gorilla/schema v1.2.0
github.com/hashicorp/go-multierror v1.1.0
diff --git a/go.sum b/go.sum
index 35cb463af..5bbd30ba3 100644
--- a/go.sum
+++ b/go.sum
@@ -263,6 +263,8 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.5 h1:kxhtnfFVi+rYdOALN0B3k9UT86zVJKfBimRaciULW4I=
github.com/google/uuid v1.1.5/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=
+github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
diff --git a/libpod/runtime.go b/libpod/runtime.go
index 34c737a67..0dc220b52 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -180,6 +180,13 @@ func newRuntimeFromConfig(ctx context.Context, conf *config.Config, options ...R
}
}
+ if err := shutdown.Register("libpod", func(sig os.Signal) error {
+ os.Exit(1)
+ return nil
+ }); err != nil && errors.Cause(err) != shutdown.ErrHandlerExists {
+ logrus.Errorf("Error registering shutdown handler for libpod: %v", err)
+ }
+
if err := shutdown.Start(); err != nil {
return nil, errors.Wrapf(err, "error starting shutdown signal handler")
}
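Review bot: The handler registered here calls `os.Exit(1)`, so its `return nil` is unreachable and, because handlers run LIFO according to the doc comment on Register in libpod/shutdown/handler.go, every handler registered after this one runs before the process exits; nothing in the hunk records that this ordering is the reason the registration was moved ahead of `shutdown.Start()` (the matching removal is in the next hunk of this file). A why-comment would keep a later refactor from moving it back, e.g. `// Register before Start: handlers run LIFO, so anything registered later (e.g. the API server's) runs before this one exits the process.` Note that os.Exit skips deferred calls in the signal goroutine, so the locks Start() takes around handler execution in handler.go are never released, which is acceptable only because the process terminates. newRuntimeFromConfig begins outside this hunk.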
@@ -188,13 +195,6 @@ func newRuntimeFromConfig(ctx context.Context, conf *config.Config, options ...R
return nil, err
}
- if err := shutdown.Register("libpod", func(sig os.Signal) error {
- os.Exit(1)
- return nil
- }); err != nil && errors.Cause(err) != shutdown.ErrHandlerExists {
- logrus.Errorf("Error registering shutdown handler for libpod: %v", err)
- }
-
return runtime, nil
}
diff --git a/libpod/shutdown/handler.go b/libpod/shutdown/handler.go
index f0f228b19..ac1d33910 100644
--- a/libpod/shutdown/handler.go
+++ b/libpod/shutdown/handler.go
@@ -18,6 +18,8 @@ var (
stopped bool
sigChan chan os.Signal
cancelChan chan bool
+ // Syncronize accesses to the map
+ handlerLock sync.Mutex
// Definitions of all on-shutdown handlers
handlers map[string]func(os.Signal) error
// Ordering that on-shutdown handlers will be invoked.
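Review bot: The comment on the new `handlerLock` field misspells "Synchronize" and understates what the lock guards: Start() in this file iterates `handlerOrder` while holding it, not only `handlers`. `// Synchronize accesses to handlers and handlerOrder` would describe the actual invariant. The var block begins outside this hunk.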
@@ -50,6 +52,7 @@ func Start() error {
case sig := <-sigChan:
logrus.Infof("Received shutdown signal %v, terminating!", sig)
shutdownInhibit.Lock()
+ handlerLock.Lock()
for _, name := range handlerOrder {
handler, ok := handlers[name]
if !ok {
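Review bot: `handlerLock` is held for the whole loop that invokes the handlers, and `sync.Mutex` is not reentrant, so a handler that calls `Register` or `Unregister` (both now take the same lock in the hunks ending at L132 and L141) will deadlock the shutdown goroutine instead of terminating. Either copy `handlerOrder` and the matching `handlers` entries under the lock, release it, and run the copies, or document the restriction on Register: `// Handlers must not call Register or Unregister; the registry lock is held while they run.` Start() begins and ends outside this hunk.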
@@ -61,6 +64,7 @@ func Start() error {
logrus.Errorf("Error running shutdown handler %s: %v", name, err)
}
}
+ handlerLock.Unlock()
shutdownInhibit.Unlock()
return
}
@@ -97,6 +101,9 @@ func Uninhibit() {
// by a signal. Handlers are invoked LIFO - the last handler registered is the
// first run.
func Register(name string, handler func(os.Signal) error) error {
+ handlerLock.Lock()
+ defer handlerLock.Unlock()
+
if handlers == nil {
handlers = make(map[string]func(os.Signal) error)
}
@@ -113,6 +120,9 @@ func Register(name string, handler func(os.Signal) error) error {
// Unregister un-registers a given shutdown handler.
func Unregister(name string) error {
+ handlerLock.Lock()
+ defer handlerLock.Unlock()
+
if handlers == nil {
return nil
}
diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go
index 046f6561c..d612041f6 100644
--- a/pkg/api/server/server.go
+++ b/pkg/api/server/server.go
@@ -179,15 +179,15 @@ func setupSystemd() {
func (s *APIServer) Serve() error {
setupSystemd()
- // Start the shutdown signal handler.
- if err := shutdown.Start(); err != nil {
- return err
- }
if err := shutdown.Register("server", func(sig os.Signal) error {
return s.Shutdown()
}); err != nil {
return err
}
+ // Start the shutdown signal handler.
+ if err := shutdown.Start(); err != nil {
+ return err
+ }
errChan := make(chan error, 1)
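Review bot: If `shutdown.Start()` fails after `shutdown.Register("server", ...)` has succeeded, Serve returns with the server handler still registered; that is harmless only if Serve is never retried in the same process, so either call `shutdown.Unregister("server")` on that error path or state the single-call assumption in the comment. The reordering itself has no explanation in the hunk even though it is the substance of the change (libpod/runtime.go in this commit makes the same move for its own handler); `// Register before Start so the handler is in place by the time signals are delivered` would record the intent. Serve continues outside this hunk.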
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 19060ecdc..caeaf190e 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -669,7 +669,7 @@ USER bin`
})
It("podman run with secrets", func() {
- SkipIfRemote("--default-mount-file option is not supported in podman-remote")
+ SkipIfRemote("--default-mounts-file option is not supported in podman-remote")
containersDir := filepath.Join(podmanTest.TempDir, "containers")
err := os.MkdirAll(containersDir, 0755)
Expect(err).To(BeNil())
diff --git a/test/system/050-stop.bats b/test/system/050-stop.bats
index 548fd56ee..7d9f1fcb3 100644
--- a/test/system/050-stop.bats
+++ b/test/system/050-stop.bats
@@ -30,6 +30,49 @@ load helpers
run_podman rm $cid
}
+# #9051 : podman stop --all was not working with podman-remote
+@test "podman stop --all" {
+ # Start three containers, create (without running) a fourth
+ run_podman run -d --name c1 $IMAGE sleep 20
+ run_podman run -d --name c2 $IMAGE sleep 40
+ run_podman run -d --name c3 $IMAGE sleep 60
+ run_podman create --name c4 $IMAGE sleep 80
+
+ # podman ps (without -a) should show the three running containers
+ run_podman ps --sort names --format '{{.Names}}--{{.Status}}'
+ is "${#lines[*]}" "3" "podman ps shows exactly three containers"
+ is "${lines[0]}" "c1--Up.*" "podman ps shows running container (1)"
+ is "${lines[1]}" "c2--Up.*" "podman ps shows running container (2)"
+ is "${lines[2]}" "c3--Up.*" "podman ps shows running container (3)"
+
+ # Stop -a
+ run_podman stop -a -t 1
+
+ # Now podman ps (without -a) should show nothing.
+ run_podman ps --format '{{.Names}}'
+ is "$output" "" "podman ps, after stop -a, shows no running containers"
+
+ # ...but with -a, containers are shown
+ run_podman ps -a --sort names --format '{{.Names}}--{{.Status}}'
+ is "${#lines[*]}" "4" "podman ps -a shows exactly four containers"
+ is "${lines[0]}" "c1--Exited.*" "ps -a, first stopped container"
+ is "${lines[1]}" "c2--Exited.*" "ps -a, second stopped container"
+ is "${lines[2]}" "c3--Exited.*" "ps -a, third stopped container"
+ is "${lines[3]}" "c4--Created.*" "ps -a, created container (unaffected)"
+}
+
+# #9051 : podman stop --ignore was not working with podman-remote
+@test "podman stop --ignore" {
+ name=thiscontainerdoesnotexist
+ run_podman 125 stop $name
+ is "$output" \
+ "Error: no container with name or ID $name found: no such container" \
+ "podman stop nonexistent container"
+
+ run_podman stop --ignore $name
+ is "$output" "" "podman stop nonexistent container, with --ignore"
+}
+
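Review bot: The `podman stop --all` test leaves c1 through c4 behind: after the final `ps -a` assertions nothing removes them, unlike the preceding test in this file, which ends with `run_podman rm $cid`. Unless the harness removes leftover containers in teardown, later tests will see the stale names and any ps-based count may include them; add `run_podman rm c1 c2 c3 c4` (or `run_podman rm -a`) before the closing brace. The `--ignore` test creates nothing and needs no cleanup.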
# Test fallback
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index 0e83a184b..05518d8fc 100644
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
@@ -126,6 +126,23 @@ EOF
label_name=l$(random_string 8)
label_value=$(random_string 12)
+ # #8679: Create a secrets directory, and mount it in the container
+ # (can only test locally; podman-remote has no --default-mounts-file opt)
+ MOUNTS_CONF=
+ secret_contents="ceci nest pas un secret"
+ CAT_SECRET="echo $secret_contents"
+ if ! is_remote; then
+ mkdir $tmpdir/secrets
+ echo $tmpdir/secrets:/run/secrets > $tmpdir/mounts.conf
+
+ secret_filename=secretfile-$(random_string 20)
+ secret_contents=shhh-$(random_string 30)-shhh
+ echo $secret_contents >$tmpdir/secrets/$secret_filename
+
+ MOUNTS_CONF=--default-mounts-file=$tmpdir/mounts.conf
+ CAT_SECRET="cat /run/secrets/$secret_filename"
+ fi
+
# Command to run on container startup with no args
cat >$tmpdir/mycmd <<EOF
#!/bin/sh
@@ -133,6 +150,7 @@ PATH=/usr/bin:/bin
pwd
echo "\$1"
printenv | grep MYENV | sort | sed -e 's/^MYENV.=//'
+$CAT_SECRET
EOF
# For overriding with --env-file; using multiple files confirms that
@@ -169,14 +187,20 @@ ENV ftp_proxy ftp-proxy-in-image
ADD mycmd /bin/mydefaultcmd
RUN chmod 755 /bin/mydefaultcmd
RUN chown 2:3 /bin/mydefaultcmd
+
+RUN $CAT_SECRET
+
CMD ["/bin/mydefaultcmd","$s_echo"]
EOF
# cd to the dir, so we test relative paths (important for podman-remote)
cd $PODMAN_TMPDIR
- run_podman build -t build_test -f build-test/Containerfile build-test
+ run_podman ${MOUNTS_CONF} build \
+ -t build_test -f build-test/Containerfile build-test
local iid="${lines[-1]}"
+ # Make sure 'podman build' had the secret mounted
+ is "$output" ".*$secret_contents.*" "podman build has /run/secrets mounted"
if is_remote; then
ENVHOST=""
@@ -187,7 +211,7 @@ EOF
# Run without args - should run the above script. Verify its output.
export MYENV2="$s_env2"
export MYENV3="env-file-should-override-env-host!"
- run_podman run --rm \
+ run_podman ${MOUNTS_CONF} run --rm \
--env-file=$PODMAN_TMPDIR/env-file1 \
--env-file=$PODMAN_TMPDIR/env-file2 \
${ENVHOST} \
@@ -207,6 +231,9 @@ EOF
is "${lines[4]}" "$s_env3" "container default command: env3 (from envfile)"
is "${lines[5]}" "$s_env4" "container default command: env4 (from cmdline)"
+ is "${lines[6]}" "$secret_contents" \
+ "Contents of /run/secrets/$secret_filename in container"
+
# Proxies - environment should override container, but not env-file
http_proxy=http-proxy-from-env ftp_proxy=ftp-proxy-from-env \
run_podman run --rm \
diff --git a/test/system/400-unprivileged-access.bats b/test/system/400-unprivileged-access.bats
index 6a89247e6..f26c97d1e 100644
--- a/test/system/400-unprivileged-access.bats
+++ b/test/system/400-unprivileged-access.bats
@@ -132,7 +132,11 @@ EOF
# Run 'stat' on all the files, plus /dev/null. Get path, file type,
# number of links, major, and minor (see below for why). Do it all
# in one go, to avoid multiple podman-runs
- run_podman run --rm $IMAGE stat -c'%n:%F:%h:%T:%t' /dev/null ${subset[@]}
+ run_podman '?' run --rm $IMAGE stat -c'%n:%F:%h:%T:%t' /dev/null ${subset[@]}
+ if [[ $status -gt 1 ]]; then
+ die "Unexpected exit status $status: expected 0 or 1"
+ fi
+
local devnull=
for result in "${lines[@]}"; do
# e.g. /proc/acpi:character special file:1:3:1
@@ -161,6 +165,11 @@ EOF
# If you can think of a better way to do this check,
# please feel free to fix it.
is "$nlinks" "2" "$path: directory link count"
+ elif [[ $result =~ stat:.*No.such.file.or.directory ]]; then
+ # No matter what the path is, this is OK. It has to do with #8949
+ # and RHEL8 and rootless and cgroups v1. Bottom line, what we care
+ # about is that the path not be available inside the container.
+ :
else
die "$path: Unknown file type '$type'"
fi
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index 1e44fe06c..7482d3e55 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -171,4 +171,15 @@ function check_label() {
run_podman pod rm myselinuxpod
}
+# #8946 - better diagnostics for nonexistent attributes
+@test "podman with nonexistent labels" {
+ skip_if_no_selinux
+
+ # The '.*' in the error below is for dealing with podman-remote, which
+ # includes "error preparing container <sha> for attach" in output.
+ run_podman 126 run --security-opt label=type:foo.bar $IMAGE true
+ is "$output" "Error.*: \`/proc/thread-self/attr/exec\`: OCI runtime error: unable to assign security attribute" "useful diagnostic"
+}
+
+
# vim: filetype=sh
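Review bot: The expected string hard-codes `/proc/thread-self/attr/exec` and `OCI runtime error: unable to assign security attribute`, which is the wording of a particular OCI runtime; if the suite also runs against another runtime the assertion will likely fail there, so either accept the alternatives in the regex or record the assumption in the `# #8946` comment. `run_podman 126 run …` is invoked without `--rm`, so a container record may be left behind when the runtime refuses to start it; a trailing `run_podman rm -a` would keep it from leaking into later tests. The two blank lines before `# vim:` can be reduced to one.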
diff --git a/vendor/github.com/google/uuid/version4.go b/vendor/github.com/google/uuid/version4.go
index c110465db..86160fbd0 100644
--- a/vendor/github.com/google/uuid/version4.go
+++ b/vendor/github.com/google/uuid/version4.go
@@ -14,6 +14,14 @@ func New() UUID {
return Must(NewRandom())
}
+// NewString creates a new random UUID and returns it as a string or panics.
+// NewString is equivalent to the expression
+//
+// uuid.New().String()
+func NewString() string {
+ return Must(NewRandom()).String()
+}
+
// NewRandom returns a Random (Version 4) UUID.
//
// The strength of the UUIDs is based on the strength of the crypto/rand
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 79aca766d..397ab70be 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -319,7 +319,7 @@ github.com/golang/protobuf/ptypes/timestamp
github.com/google/gofuzz
# github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf
github.com/google/shlex
-# github.com/google/uuid v1.1.5
+# github.com/google/uuid v1.2.0
github.com/google/uuid
# github.com/gorilla/mux v1.8.0
github.com/gorilla/mux