summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.github/workflows/multi-arch-build.yaml107
-rw-r--r--Makefile12
-rw-r--r--cmd/podman/common/create.go9
-rw-r--r--cmd/podman/containers/create.go2
-rw-r--r--cmd/podman/root.go8
-rw-r--r--contrib/podmanimage/stable/Dockerfile2
-rw-r--r--contrib/podmanimage/testing/Dockerfile2
-rw-r--r--contrib/podmanimage/upstream/Dockerfile2
-rw-r--r--docs/source/includes.rst2
-rw-r--r--docs/source/markdown/podman-container-runlabel.1.md77
-rw-r--r--docs/source/markdown/podman-container.1.md2
-rw-r--r--go.mod2
-rw-r--r--go.sum4
-rw-r--r--libpod/container_internal.go1
-rw-r--r--libpod/runtime_ctr.go26
-rw-r--r--pkg/api/handlers/compat/images.go35
-rw-r--r--pkg/api/handlers/libpod/containers_create.go1
-rw-r--r--pkg/api/server/docs.go2
-rw-r--r--pkg/specgen/generate/container_create.go10
-rw-r--r--pkg/specgen/generate/kube/kube.go108
-rw-r--r--test/README.md2
-rw-r--r--test/apiv2/10-images.at5
-rwxr-xr-xtest/apiv2/test-apiv24
-rw-r--r--test/e2e/common_test.go2
-rw-r--r--test/e2e/container_create_volume_test.go127
-rw-r--r--test/e2e/play_kube_test.go100
-rw-r--r--test/e2e/pod_create_test.go16
-rw-r--r--test/e2e/run_exit_test.go6
-rw-r--r--test/system/090-events.bats1
-rw-r--r--test/system/250-systemd.bats39
-rw-r--r--test/system/255-auto-update.bats11
-rw-r--r--test/system/270-socket-activation.bats17
-rw-r--r--test/system/500-networking.bats2
-rw-r--r--test/system/helpers.bash18
-rw-r--r--test/system/helpers.systemd.bash30
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/user/user.go92
-rw-r--r--vendor/modules.txt2
37 files changed, 637 insertions, 251 deletions
diff --git a/.github/workflows/multi-arch-build.yaml b/.github/workflows/multi-arch-build.yaml
index 9bd98078b..f364cd6c6 100644
--- a/.github/workflows/multi-arch-build.yaml
+++ b/.github/workflows/multi-arch-build.yaml
@@ -1,6 +1,6 @@
---
-# Please see contrib/podmanimage/README.md for details on the intentions
+# Please see contrib/<reponame>image/README.md for details on the intentions
# of this workflow.
#
# BIG FAT WARNING: This workflow is duplicated across containers/skopeo,
@@ -11,7 +11,7 @@
name: build multi-arch images
on:
- # Upstream podman tends to be very active, with many merges per day.
+ # Upstream tends to be very active, with many merges per day.
# Only run this daily via cron schedule, or manually, not by branch push.
schedule:
- cron: '0 8 * * *'
@@ -20,19 +20,23 @@ on:
jobs:
multi:
- name: multi-arch Podman build
+ name: multi-arch image build
env:
- PODMAN_QUAY_REGISTRY: quay.io/podman
+ REPONAME: podman # No easy way to parse this out of $GITHUB_REPOSITORY
+ # Server/namespace value used to format FQIN
+ REPONAME_QUAY_REGISTRY: quay.io/podman
CONTAINERS_QUAY_REGISTRY: quay.io/containers
# list of architectures for build
PLATFORMS: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64
+ # Command to execute in container to obtain project version number
+ VERSION_CMD: "podman --version"
# build several images (upstream, testing, stable) in parallel
strategy:
# By default, failure of one matrix item cancels all others
fail-fast: false
matrix:
- # Builds are located under contrib/podmanimage/<source> directory
+ # Builds are located under contrib/<reponame>image/<source> directory
source:
- upstream
- testing
@@ -57,14 +61,14 @@ jobs:
driver-opts: network=host
install: true
- - name: Build and locally push Podman
+ - name: Build and locally push image
uses: docker/build-push-action@v2
with:
- context: contrib/podmanimage/${{ matrix.source }}
- file: ./contrib/podmanimage/${{ matrix.source }}/Dockerfile
+ context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
+ file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
platforms: ${{ env.PLATFORMS }}
push: true
- tags: localhost:5000/podman/${{ matrix.source }}
+ tags: localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
# Simple verification that stable images work, and
# also grab version number use in forming the FQIN.
@@ -73,41 +77,41 @@ jobs:
id: sniff_test
run: |
podman pull --tls-verify=false \
- localhost:5000/podman/${{ matrix.source }}
- VERSION_OUTPUT="$(podman run \
- localhost:5000/podman/${{ matrix.source }} \
- podman --storage-driver=vfs version)"
+ localhost:5000/$REPONAME/${{ matrix.source }}
+ VERSION_OUTPUT=$(podman run \
+ localhost:5000/$REPONAME/${{ matrix.source }} \
+ $VERSION_CMD)
echo "$VERSION_OUTPUT"
- VERSION=$(grep -Em1 '^Version: ' <<<"$VERSION_OUTPUT" | awk '{print $2}')
+ VERSION=$(awk -r -e "/^${REPONAME} version /"'{print $3}' <<<"$VERSION_OUTPUT")
test -n "$VERSION"
- echo "::set-output name=version::${VERSION}"
+ echo "::set-output name=version::$VERSION"
- - name: Generate podman reg. image FQIN(s)
- id: podman_reg
+ - name: Generate image FQIN(s) to push
+ id: gen_fqin
run: |
if [[ "${{ matrix.source }}" == 'stable' ]]; then
- # The `podman version` in image just built
+ # The command version in image just built
VERSION='v${{ steps.sniff_test.outputs.version }}'
# workaround vim syntax-highlight bug: '
# Image tags previously pushed to quay
ALLTAGS=$(skopeo list-tags \
- docker://$PODMAN_QUAY_REGISTRY/stable | \
+ docker://$REPONAME_QUAY_REGISTRY/stable | \
jq -r '.Tags[]')
- # New version? Push quay.io/podman/stable:vX.X.X and :latest
+ # New version? Push quay.io/$REPONAME/stable:vX.X.X and :latest
if ! fgrep -qx "$VERSION" <<<"$ALLTAGS"; then
# Assume version-tag is also the most up to date (i.e. "latest")
- FQIN="$PODMAN_QUAY_REGISTRY/stable:$VERSION,$PODMAN_QUAY_REGISTRY/stable:latest"
+ FQIN="$REPONAME_QUAY_REGISTRY/stable:$VERSION,$REPONAME_QUAY_REGISTRY/stable:latest"
else # Not a new version-tagged image
# Assume other contents changed, so this is the "new" latest.
- FQIN="$PODMAN_QUAY_REGISTRY/stable:latest"
+ FQIN="$REPONAME_QUAY_REGISTRY/stable:latest"
fi
elif [[ "${{ matrix.source }}" == 'testing' ]]; then
# Assume some contents changed, always push latest testing.
- FQIN="$PODMAN_QUAY_REGISTRY/testing:latest"
+ FQIN="$REPONAME_QUAY_REGISTRY/testing:latest"
elif [[ "${{ matrix.source }}" == 'upstream' ]]; then
# Assume some contents changed, always push latest upstream.
- FQIN="$PODMAN_QUAY_REGISTRY/upstream:latest"
+ FQIN="$REPONAME_QUAY_REGISTRY/upstream:latest"
else
echo "::error::Unknown matrix item '${{ matrix.source }}'"
exit 1
@@ -126,14 +130,14 @@ jobs:
VERSION='v${{ steps.sniff_test.outputs.version }}'
# workaround vim syntax-highlight bug: '
ALLTAGS=$(skopeo list-tags \
- docker://$CONTAINERS_QUAY_REGISTRY/podman | \
+ docker://$CONTAINERS_QUAY_REGISTRY/$REPONAME | \
jq -r '.Tags[]')
- # New version? Push quay.io/containers/podman:vX.X.X and latest
+ # New version? Push quay.io/containers/$REPONAME:vX.X.X and latest
if ! fgrep -qx "$VERSION" <<<"$ALLTAGS"; then
- FQIN="$CONTAINERS_QUAY_REGISTRY/podman:$VERSION,$CONTAINERS_QUAY_REGISTRY/podman:latest"
+ FQIN="$CONTAINERS_QUAY_REGISTRY/$REPONAME:$VERSION,$CONTAINERS_QUAY_REGISTRY/$REPONAME:latest"
else # Not a new version-tagged image, only update latest.
- FQIN="$CONTAINERS_QUAY_REGISTRY/podman:latest"
+ FQIN="$CONTAINERS_QUAY_REGISTRY/$REPONAME:latest"
fi
echo "::warning::Pushing $FQIN"
echo "::set-output name=fqin::${FQIN}"
@@ -153,40 +157,39 @@ jobs:
DELIMITER
EOF
- # Separate steps to login and push for podman and containers quay
- # repositories are required, because 2 sets of credentials are used and `docker
- # login` as well as `podman login` do not support having 2 different
- # credential sets for 1 registry.
- # At the same time reuse of non-shell steps is not supported by Github Actions
- # via anchors or composite actions
+ # Separate steps to login and push for $REPONAME_QUAY_REGISTRY and
+ # $CONTAINERS_QUAY_REGISTRY are required, because 2 sets of credentials
+ # are used and namespaced within the registry. At the same time, reuse
+ # of non-shell steps is not supported by Github Actions nor are YAML
+ # anchors/aliases, nor composite actions.
- # Push to 'podman' Quay repo for stable, testing. and upstream
- - name: Login to 'podman' Quay registry
+ # Push to $REPONAME_QUAY_REGISTRY for stable, testing. and upstream
+ - name: Login to ${{ env.REPONAME_QUAY_REGISTRY }}
uses: docker/login-action@v1
- if: steps.podman_reg.outputs.push == 'true'
+ if: steps.gen_fqin.outputs.push == 'true'
with:
- registry: ${{ env.PODMAN_QUAY_REGISTRY }}
+ registry: ${{ env.REPONAME_QUAY_REGISTRY }}
# N/B: Secrets are not passed to workflows that are triggered
# by a pull request from a fork
- username: ${{ secrets.PODMAN_QUAY_USERNAME }}
- password: ${{ secrets.PODMAN_QUAY_PASSWORD }}
+ username: ${{ secrets.REPONAME_QUAY_USERNAME }}
+ password: ${{ secrets.REPONAME_QUAY_PASSWORD }}
- - name: Push images to 'podman' Quay
+ - name: Push images to ${{ steps.gen_fqin.outputs.fqin }}
uses: docker/build-push-action@v2
- if: steps.podman_reg.outputs.push == 'true'
+ if: steps.gen_fqin.outputs.push == 'true'
with:
- cache-from: type=registry,ref=localhost:5000/podman/${{ matrix.source }}
+ cache-from: type=registry,ref=localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
cache-to: type=inline
- context: contrib/podmanimage/${{ matrix.source }}
- file: ./contrib/podmanimage/${{ matrix.source }}/Dockerfile
+ context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
+ file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
platforms: ${{ env.PLATFORMS }}
push: true
- tags: ${{ steps.podman_reg.outputs.fqin }}
+ tags: ${{ steps.gen_fqin.outputs.fqin }}
labels: |
${{ env.LABELS }}
- # Push to 'containers' Quay repo only stable podman
- - name: Login to 'containers' Quay registry
+ # Push to $CONTAINERS_QUAY_REGISTRY only stable
+ - name: Login to ${{ env.CONTAINERS_QUAY_REGISTRY }}
if: steps.containers_reg.outputs.push == 'true'
uses: docker/login-action@v1
with:
@@ -194,14 +197,14 @@ jobs:
username: ${{ secrets.CONTAINERS_QUAY_USERNAME }}
password: ${{ secrets.CONTAINERS_QUAY_PASSWORD }}
- - name: Push images to 'containers' Quay
+ - name: Push images to ${{ steps.containers_reg.outputs.fqin }}
if: steps.containers_reg.outputs.push == 'true'
uses: docker/build-push-action@v2
with:
- cache-from: type=registry,ref=localhost:5000/podman/${{ matrix.source }}
+ cache-from: type=registry,ref=localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
cache-to: type=inline
- context: contrib/podmanimage/${{ matrix.source }}
- file: ./contrib/podmanimage/${{ matrix.source }}/Dockerfile
+ context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
+ file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
platforms: ${{ env.PLATFORMS }}
push: true
tags: ${{ steps.containers_reg.outputs.fqin }}
diff --git a/Makefile b/Makefile
index 8e66f629a..832671337 100644
--- a/Makefile
+++ b/Makefile
@@ -261,7 +261,7 @@ codespell:
codespell -S bin,vendor,.git,go.sum,changelog.txt,.cirrus.yml,"RELEASE_NOTES.md,*.xz,*.gz,*.tar,*.tgz,bin2img,*ico,*.png,*.1,*.5,copyimg,*.orig,apidoc.go" -L uint,iff,od,seeked,splitted,marge,ERRO,hist,ether -w
.PHONY: validate
-validate: gofmt lint .gitvalidation validate.completions man-page-check swagger-check tests-included
+validate: gofmt lint .gitvalidation validate.completions man-page-check swagger-check tests-included tests-expect-exit
.PHONY: build-all-new-commits
build-all-new-commits:
@@ -605,6 +605,16 @@ test-binaries: test/checkseccomp/checkseccomp test/goecho/goecho install.cataton
tests-included:
contrib/cirrus/pr-should-include-tests
+.PHONY: tests-expect-exit
+tests-expect-exit:
+ @if egrep 'Expect.*ExitCode' test/e2e/*.go | egrep -v ', ".*"\)'; then \
+ echo "^^^ Unhelpful use of Expect(ExitCode())"; \
+ echo " Please use '.Should(Exit(...))' pattern instead."; \
+ echo " If that's not possible, please add an annotation (description) to your assertion:"; \
+ echo " Expect(...).To(..., \"Friendly explanation of this check\")"; \
+ exit 1; \
+ fi
+
###
### Release/Packaging targets
###
diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go
index 64d1956eb..96414add4 100644
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@@ -655,15 +655,6 @@ func DefineCreateFlags(cmd *cobra.Command, cf *ContainerCLIOpts) {
)
_ = cmd.RegisterFlagCompletionFunc(stopTimeoutFlagName, completion.AutocompleteNone)
- storageOptFlagName := "storage-opt"
- createFlags.StringSliceVar(
- &cf.StorageOpt,
- storageOptFlagName, []string{},
- "Storage driver options per container",
- )
- //FIXME: What should we suggest here? The flag is not in the man page.
- _ = cmd.RegisterFlagCompletionFunc(storageOptFlagName, completion.AutocompleteNone)
-
subgidnameFlagName := "subgidname"
createFlags.StringVar(
&cf.SubUIDName,
diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go
index df0fa6f9d..c63c074f7 100644
--- a/cmd/podman/containers/create.go
+++ b/cmd/podman/containers/create.go
@@ -146,6 +146,8 @@ func replaceContainer(name string) error {
}
func createInit(c *cobra.Command) error {
+ cliVals.StorageOpt = registry.PodmanConfig().StorageOpts
+
if c.Flag("shm-size").Changed {
cliVals.ShmSize = c.Flag("shm-size").Value.String()
}
diff --git a/cmd/podman/root.go b/cmd/podman/root.go
index 9e5d2a236..2633e4040 100644
--- a/cmd/podman/root.go
+++ b/cmd/podman/root.go
@@ -342,10 +342,6 @@ func rootFlags(cmd *cobra.Command, opts *entities.PodmanConfig) {
pFlags.StringVar(&opts.StorageDriver, storageDriverFlagName, "", "Select which storage driver is used to manage storage of images and containers (default is overlay)")
_ = cmd.RegisterFlagCompletionFunc(storageDriverFlagName, completion.AutocompleteNone) //TODO: what can we recommend here?
- storageOptFlagName := "storage-opt"
- pFlags.StringArrayVar(&opts.StorageOpts, storageOptFlagName, []string{}, "Used to pass an option to the storage driver")
- _ = cmd.RegisterFlagCompletionFunc(storageOptFlagName, completion.AutocompleteNone)
-
tmpdirFlagName := "tmpdir"
pFlags.StringVar(&opts.Engine.TmpDir, tmpdirFlagName, "", "Path to the tmp directory for libpod state content.\n\nNote: use the environment variable 'TMPDIR' to change the temporary storage location for container images, '/var/tmp'.\n")
_ = cmd.RegisterFlagCompletionFunc(tmpdirFlagName, completion.AutocompleteDefault)
@@ -365,6 +361,10 @@ func rootFlags(cmd *cobra.Command, opts *entities.PodmanConfig) {
}
}
}
+ storageOptFlagName := "storage-opt"
+ pFlags.StringArrayVar(&opts.StorageOpts, storageOptFlagName, []string{}, "Used to pass an option to the storage driver")
+ _ = cmd.RegisterFlagCompletionFunc(storageOptFlagName, completion.AutocompleteNone)
+
// Override default --help information of `--help` global flag
var dummyHelp bool
pFlags.BoolVar(&dummyHelp, "help", false, "Help for podman")
diff --git a/contrib/podmanimage/stable/Dockerfile b/contrib/podmanimage/stable/Dockerfile
index 2f86dd4ae..a5d485e7f 100644
--- a/contrib/podmanimage/stable/Dockerfile
+++ b/contrib/podmanimage/stable/Dockerfile
@@ -11,7 +11,7 @@ FROM registry.fedoraproject.org/fedora:latest
# Don't include container-selinux and remove
# directories used by yum that are just taking
# up space.
-RUN dnf -y update; yum -y reinstall shadow-utils; \
+RUN dnf -y update; rpm --restore --quiet shadow-utils; \
yum -y install podman fuse-overlayfs --exclude container-selinux; \
rm -rf /var/cache /var/log/dnf* /var/log/yum.*
diff --git a/contrib/podmanimage/testing/Dockerfile b/contrib/podmanimage/testing/Dockerfile
index 63b31252f..1090fed00 100644
--- a/contrib/podmanimage/testing/Dockerfile
+++ b/contrib/podmanimage/testing/Dockerfile
@@ -13,7 +13,7 @@ FROM registry.fedoraproject.org/fedora:latest
# Don't include container-selinux and remove
# directories used by yum that are just taking
# up space.
-RUN yum -y update; yum -y reinstall shadow-utils; yum -y install podman fuse-overlayfs --exclude container-selinux --enablerepo updates-testing; rm -rf /var/cache /var/log/dnf* /var/log/yum.*
+RUN yum -y update; rpm --restore --quiet shadow-utils; yum -y install podman fuse-overlayfs --exclude container-selinux --enablerepo updates-testing; rm -rf /var/cache /var/log/dnf* /var/log/yum.*
RUN useradd podman; \
echo podman:10000:5000 > /etc/subuid; \
diff --git a/contrib/podmanimage/upstream/Dockerfile b/contrib/podmanimage/upstream/Dockerfile
index 922eee748..01666e453 100644
--- a/contrib/podmanimage/upstream/Dockerfile
+++ b/contrib/podmanimage/upstream/Dockerfile
@@ -17,7 +17,7 @@ ENV GOPATH=/root/podman
# to the container.
# Finally remove the podman directory and a few other packages
# that are needed for building but not running Podman
-RUN yum -y update; yum -y reinstall shadow-utils; yum -y install --exclude container-selinux \
+RUN yum -y update; rpm --restore --quiet shadow-utils; yum -y install --exclude container-selinux \
--enablerepo=updates-testing \
btrfs-progs-devel \
containernetworking-cni \
diff --git a/docs/source/includes.rst b/docs/source/includes.rst
index 6e04d77f4..8d5f18e4d 100644
--- a/docs/source/includes.rst
+++ b/docs/source/includes.rst
@@ -16,4 +16,4 @@
.. _podman run: http://docs.podman.io/en/latest/markdown/podman-run.1.html
.. _podman build: http://docs.podman.io/en/latest/markdown/podman-build.1.html
.. _podman push: http://docs.podman.io/en/latest/markdown/podman-push.1.html
-.. image:: https://github.com/containers/podman/blob/main/logo/podman-logo.png?raw=true
+.. image:: https://raw.githubusercontent.com/containers/podman/main/logo/podman-logo.png
diff --git a/docs/source/markdown/podman-container-runlabel.1.md b/docs/source/markdown/podman-container-runlabel.1.md
index e343a12fe..ec67a2687 100644
--- a/docs/source/markdown/podman-container-runlabel.1.md
+++ b/docs/source/markdown/podman-container-runlabel.1.md
@@ -1,76 +1,58 @@
% podman-container-runlabel(1)
## NAME
-podman-container-runlabel - Executes a command as described by a container image label
+podman-container-runlabel - Executes a command as described by a container-image label
## SYNOPSIS
**podman container runlabel** [*options*] *label* *image* [*arg...*]
## DESCRIPTION
-**podman container runlabel** reads the provided `LABEL` field in the container
-IMAGE and executes the provided value for the label as a command. If this field does not
-exist, `podman container runlabel` will just exit.
+**podman container runlabel** reads the specified `label` of the `image` and executes it as command on the host. If the label does not exist, Podman will exit with an error. Additional arguments will be appended to the command.
-If the container image has a LABEL INSTALL instruction like the following:
+Historically, container images describe the contents (e.g., layers) and how a container runtime (e.g., crun(1) or runc(1)) should execute the container. For instance, an image may set the environment and the command in its configuration. However, a container image cannot directly specify how a container engine such as Podman should execute it. For instance, an image configuration does not include information about log drivers, namespaces or which capabilities it needs to run correctly.
-`LABEL INSTALL /usr/bin/podman run -t -i --rm \${OPT1} --privileged -v /:/host --net=host --ipc=host --pid=host -e HOST=/host -e NAME=\${NAME} -e IMAGE=\${IMAGE} -e CONFDIR=/etc/\${NAME} -e LOGDIR=/var/log/\${NAME} -e DATADIR=/var/lib/\${NAME} \${IMAGE} \${OPT2} /bin/install.sh \${OPT3}`
+`podman container runlabel` addresses the limitation of container images in a simple yet efficient way. Podman will read the contents of the label and interpret it as a command that will be executed on the host. This way an image can describe exactly how it should be executed by Podman. For instance, a label with the content `/usr/bin/podman run -d --pid=host --privileged \${IMAGE}` instructs the image to be executed in a detached, privileged container that is using the PID namespace of the host. This lifts the self-description of a container image from "what" to "how".
-`podman container runlabel` will set the following environment variables for use in the command:
+Please note that the `runlabel` command is intended to be run in trusted environments exclusively. Using the command on untrusted images is not recommended.
-If the container image does not have the desired label, an error message will be displayed along with a non-zero
-return code. If the image is not found in local storage, Podman will attempt to pull it first.
+## VARIABLES
-**LABEL**
-The label name specified via the command.
+The contents of a label may refer to the following variables which will be substituted while processing the label.
**IMAGE**
-Image name specified via the command.
+The name of the image. When executing `podman container runlabel label fedora` the `IMAGE` variable will be replaced with `fedora`. Valid formats are `IMAGE`, `$IMAGE`, `${IMAGE}` and `=IMAGE`.
-**SUDO_UID**
-The `SUDO_UID` environment variable. This is useful with the podman
-`-u` option for user space tools. If the environment variable is
-not available, the value of `/proc/self/loginuid` is used.
+**NAME**
+As specified by the `--name` option. The format is identical to the one of the IMAGE attribute.
-**SUDO_GID**
-The `SUDO_GID` environment variable. This is useful with the podman
-`-u` option for user space tools. If the environment variable is
-not available, the default GID of the value for `SUDO_UID` is used.
-If this value is not available, the value of `/proc/self/loginuid`
-is used.
-
-Any additional arguments will be appended to the command.
+**PWD**
+Will be replaced with the current working directory.
## OPTIONS
#### **--authfile**=*path*
-Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`.
-If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+Path of the containers-auth.json(5) file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
-Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
-environment variable. `export REGISTRY_AUTH_FILE=path`
+Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path`
#### **--display**
-Display the label's value of the image having populated its environment variables.
-The runlabel command will not execute if --display is specified.
+Display the label's value of the image having populated its environment variables. The runlabel command will not execute if --display is specified.
#### **--cert-dir**=*path*
-Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry.
-Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client)
+Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client)
#### **--creds**=*[username[:password]]*
-The [username[:password]] to use to authenticate with the registry if required.
-If one or both values are not supplied, a command line prompt will appear and the
-value can be entered. The password is entered without echo.
+The [username[:password]] to use to authenticate with the registry if required. If one or both values are not supplied, a command line prompt will appear and the value can be entered. The password is entered without echo.
#### **--help**, **-h**
Print usage statement
#### **--name**, **-n**=*name*
-Use this name for creating content for the container. NAME will default to the IMAGENAME if it is not specified.
+Use this name for creating content for the container. If not specified, name defaults to the name of the image.
#### **--quiet**, **-q**
@@ -78,34 +60,33 @@ Suppress output information when pulling images
#### **--replace**
-If a container exists of the default or given name, as needed it will be stopped, deleted and a new container will be
-created from this image.
+If a container exists of the default or given name, as needed it will be stopped, deleted and a new container will be created from this image.
#### **--tls-verify**
-Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
-then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified,
-TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.
+Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, TLS verification will be used unless the target registry is listed as an insecure registry in containers-registries.conf(5).
## EXAMPLES
-Execute the run label of an image called foobar.
+Execute the `run` label of an image called foobar.
```
-$ sudo podman container runlabel run foobar
+$ podman container runlabel run foobar
```
-Execute the install label of an image called foobar with additional arguments.
+Execute the `install` label of an image called foobar with additional arguments.
```
-$ sudo podman container runlabel install foobar apples oranges
+$ podman container runlabel install foobar apples oranges
```
-Display the command that would be executed by runlabel.
+Display the contents of the `run` label of image foobar.
```
-$ sudo podman container runlabel --display run foobar
+$ podman container runlabel --display run foobar
```
## SEE ALSO
-podman(1), containers-certs.d(5)
+podman(1), crun(1), runc(1), containers-auth.json(5), containers-certs.d(5), containers-registries.conf(5)
## HISTORY
+August 2021, Refinements by Valentin Rothberg (rothberg at redhat dot com)
+
September 2018, Originally compiled by Brent Baude (bbaude at redhat dot com)
diff --git a/docs/source/markdown/podman-container.1.md b/docs/source/markdown/podman-container.1.md
index e69c5a170..3cc90d9ec 100644
--- a/docs/source/markdown/podman-container.1.md
+++ b/docs/source/markdown/podman-container.1.md
@@ -38,7 +38,7 @@ The container command allows you to manage containers
| restore | [podman-container-restore(1)](podman-container-restore.1.md) | Restores one or more containers from a checkpoint. |
| rm | [podman-rm(1)](podman-rm.1.md) | Remove one or more containers. |
| run | [podman-run(1)](podman-run.1.md) | Run a command in a container. |
-| runlabel | [podman-container-runlabel(1)](podman-container-runlabel.1.md) | Executes a command as described by a container image label. |
+| runlabel | [podman-container-runlabel(1)](podman-container-runlabel.1.md) | Executes a command as described by a container-image label. |
| start | [podman-start(1)](podman-start.1.md) | Starts one or more containers. |
| stats | [podman-stats(1)](podman-stats.1.md) | Display a live stream of one or more container's resource usage statistics. |
| stop | [podman-stop(1)](podman-stop.1.md) | Stop one or more running containers. |
diff --git a/go.mod b/go.mod
index da54d9a3c..156ec6ef1 100644
--- a/go.mod
+++ b/go.mod
@@ -46,7 +46,7 @@ require (
github.com/onsi/gomega v1.14.0
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6
- github.com/opencontainers/runc v1.0.0
+ github.com/opencontainers/runc v1.0.1
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
github.com/opencontainers/runtime-tools v0.9.0
github.com/opencontainers/selinux v1.8.2
diff --git a/go.sum b/go.sum
index 5c932e575..b42ab330b 100644
--- a/go.sum
+++ b/go.sum
@@ -146,6 +146,7 @@ github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX
github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
github.com/cilium/ebpf v0.5.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
github.com/cilium/ebpf v0.6.1/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
+github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -729,8 +730,9 @@ github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rm
github.com/opencontainers/runc v1.0.0-rc91/go.mod h1:3Sm6Dt7OT8z88EbdQqqcRN2oCT54jbi72tT/HqgflT8=
github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0=
github.com/opencontainers/runc v1.0.0-rc95/go.mod h1:z+bZxa/+Tz/FmYVWkhUajJdzFeOqjc5vrqskhVyHGUM=
-github.com/opencontainers/runc v1.0.0 h1:QOhAQAYUlKeofuyeKdR6ITvOnXLPbEAjPMjz9wCUXcU=
github.com/opencontainers/runc v1.0.0/go.mod h1:MU2S3KEB2ZExnhnAQYbwjdYV6HwKtDlNbA2Z2OeNDeA=
+github.com/opencontainers/runc v1.0.1 h1:G18PGckGdAm3yVQRWDVQ1rLSLntiniKJ0cNRT2Tm5gs=
+github.com/opencontainers/runc v1.0.1/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 2555f15ec..e7694227a 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -420,7 +420,6 @@ func (c *Container) setupStorage(ctx context.Context) error {
if c.config.Rootfs == "" && (c.config.RootfsImageID == "" || c.config.RootfsImageName == "") {
return errors.Wrapf(define.ErrInvalidArg, "must provide image ID and image name to use an image")
}
-
options := storage.ContainerOptions{
IDMappingOptions: storage.IDMappingOptions{
HostUIDMapping: true,
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index 6c69d1b72..ce4c5d758 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -47,6 +47,32 @@ func (r *Runtime) NewContainer(ctx context.Context, rSpec *spec.Spec, options ..
return r.newContainer(ctx, rSpec, options...)
}
+func (r *Runtime) PrepareVolumeOnCreateContainer(ctx context.Context, ctr *Container) error {
+ // Copy the content from the underlying image into the newly created
+ // volume if configured to do so.
+ if !r.config.Containers.PrepareVolumeOnCreate {
+ return nil
+ }
+
+ defer func() {
+ if err := ctr.cleanupStorage(); err != nil {
+ logrus.Errorf("error cleaning up container storage %s: %v", ctr.ID(), err)
+ }
+ }()
+
+ mountPoint, err := ctr.mountStorage()
+ if err == nil {
+ // Finish up mountStorage
+ ctr.state.Mounted = true
+ ctr.state.Mountpoint = mountPoint
+ if err = ctr.save(); err != nil {
+ logrus.Errorf("Error saving container %s state: %v", ctr.ID(), err)
+ }
+ }
+
+ return err
+}
+
// RestoreContainer re-creates a container from an imported checkpoint
func (r *Runtime) RestoreContainer(ctx context.Context, rSpec *spec.Spec, config *ContainerConfig) (*Container, error) {
r.lock.Lock()
diff --git a/pkg/api/handlers/compat/images.go b/pkg/api/handlers/compat/images.go
index 7baa1145a..6f8fb21f0 100644
--- a/pkg/api/handlers/compat/images.go
+++ b/pkg/api/handlers/compat/images.go
@@ -266,41 +266,26 @@ func CreateImageFromImage(w http.ResponseWriter, r *http.Request) {
}
defer auth.RemoveAuthfile(authfile)
- platformSpecs := strings.Split(query.Platform, "/") // split query into its parts
-
- addOS := true // default assume true due to structure of if/else below
- addArch := false
- addVariant := false
-
- if len(platformSpecs) > 1 { // if we have two arguments then we have os and arch
- addArch = true
- if len(platformSpecs) > 2 { // if we have 3 arguments then we have os arch and variant
- addVariant = true
- }
- } else if len(platformSpecs) == 0 {
- addOS = false
- }
-
pullOptions := &libimage.PullOptions{}
pullOptions.AuthFilePath = authfile
if authConf != nil {
pullOptions.Username = authConf.Username
pullOptions.Password = authConf.Password
pullOptions.IdentityToken = authConf.IdentityToken
- if addOS { // if the len is not 0
- pullOptions.OS = platformSpecs[0]
- if addArch {
- pullOptions.Architecture = platformSpecs[1]
- }
- if addVariant {
- pullOptions.Variant = platformSpecs[2]
- }
- }
}
pullOptions.Writer = os.Stderr // allows for debugging on the server
- progress := make(chan types.ProgressProperties)
+ // Handle the platform.
+ platformSpecs := strings.Split(query.Platform, "/")
+ pullOptions.OS = platformSpecs[0] // may be empty
+ if len(platformSpecs) > 1 {
+ pullOptions.Architecture = platformSpecs[1]
+ if len(platformSpecs) > 2 {
+ pullOptions.Variant = platformSpecs[2]
+ }
+ }
+ progress := make(chan types.ProgressProperties)
pullOptions.Progress = progress
pullResChan := make(chan pullResult)
diff --git a/pkg/api/handlers/libpod/containers_create.go b/pkg/api/handlers/libpod/containers_create.go
index b92588346..65951861b 100644
--- a/pkg/api/handlers/libpod/containers_create.go
+++ b/pkg/api/handlers/libpod/containers_create.go
@@ -22,6 +22,7 @@ func CreateContainer(w http.ResponseWriter, r *http.Request) {
utils.Error(w, "Something went wrong.", http.StatusInternalServerError, errors.Wrap(err, "Decode()"))
return
}
+
warn, err := generate.CompleteSpec(r.Context(), runtime, &sg)
if err != nil {
utils.InternalServerError(w, err)
diff --git a/pkg/api/server/docs.go b/pkg/api/server/docs.go
index e72b78221..bf15afbf9 100644
--- a/pkg/api/server/docs.go
+++ b/pkg/api/server/docs.go
@@ -42,7 +42,7 @@
//
// InfoExtensions:
// x-logo:
-// - url: https://raw.githubusercontent.com/containers/libpod/master/logo/podman-logo.png
+// - url: https://raw.githubusercontent.com/containers/libpod/main/logo/podman-logo.png
// - altText: "Podman logo"
//
// Produces:
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index b569f8390..4e3a86ae4 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -153,7 +153,15 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener
if err != nil {
return nil, err
}
- return rt.NewContainer(ctx, runtimeSpec, options...)
+
+ ctr, err := rt.NewContainer(ctx, runtimeSpec, options...)
+ if err != nil {
+ return ctr, err
+ }
+
+ // Copy the content from the underlying image into the newly created
+ // volume if configured to do so.
+ return ctr, rt.PrepareVolumeOnCreateContainer(ctx, ctr)
}
func extractCDIDevices(s *specgen.SpecGenerator) []libpod.CtrCreateOption {
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index fb563f935..fb7eb99a2 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -6,10 +6,12 @@ import (
"fmt"
"net"
"strings"
+ "time"
"github.com/containers/common/libimage"
"github.com/containers/common/pkg/parse"
"github.com/containers/common/pkg/secrets"
+ "github.com/containers/image/v5/manifest"
ann "github.com/containers/podman/v3/pkg/annotations"
"github.com/containers/podman/v3/pkg/specgen"
"github.com/containers/podman/v3/pkg/specgen/generate"
@@ -129,6 +131,10 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
}
setupSecurityContext(s, opts.Container)
+ err := setupLivenessProbe(s, opts.Container, opts.RestartPolicy)
+ if err != nil {
+ return nil, errors.Wrap(err, "Failed to configure livenessProbe")
+ }
// Since we prefix the container name with pod name to work-around the uniqueness requirement,
// the seccomp profile should reference the actual container name from the YAML
@@ -270,10 +276,11 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
return nil, err
}
+ volume.MountPath = dest
switch volumeSource.Type {
case KubeVolumeTypeBindMount:
mount := spec.Mount{
- Destination: dest,
+ Destination: volume.MountPath,
Source: volumeSource.Source,
Type: "bind",
Options: options,
@@ -281,7 +288,7 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
s.Mounts = append(s.Mounts, mount)
case KubeVolumeTypeNamed:
namedVolume := specgen.NamedVolume{
- Dest: dest,
+ Dest: volume.MountPath,
Name: volumeSource.Source,
Options: options,
}
@@ -324,12 +331,105 @@ func parseMountPath(mountPath string, readOnly bool) (string, []string, error) {
options = strings.Split(splitVol[1], ",")
}
if err := parse.ValidateVolumeCtrDir(dest); err != nil {
- return "", options, errors.Wrapf(err, "error in parsing MountPath")
+ return "", options, errors.Wrapf(err, "parsing MountPath")
}
if readOnly {
options = append(options, "ro")
}
- return dest, options, nil
+ opts, err := parse.ValidateVolumeOpts(options)
+ if err != nil {
+ return "", opts, errors.Wrapf(err, "parsing MountOptions")
+ }
+ return dest, opts, nil
+}
+
+func setupLivenessProbe(s *specgen.SpecGenerator, containerYAML v1.Container, restartPolicy string) error {
+ var err error
+ if containerYAML.LivenessProbe == nil {
+ return nil
+ }
+ emptyHandler := v1.Handler{}
+ if containerYAML.LivenessProbe.Handler != emptyHandler {
+ var commandString string
+ failureCmd := "exit 1"
+ probe := containerYAML.LivenessProbe
+ probeHandler := probe.Handler
+
+ // append `exit 1` to `cmd` so healthcheck can be marked as `unhealthy`.
+ // append `kill 1` to `cmd` if appropriate restart policy is configured.
+ if restartPolicy == "always" || restartPolicy == "onfailure" {
+ // container will be restarted so we can kill init.
+ failureCmd = "kill 1"
+ }
+
+ // configure healthcheck on the basis of Handler Actions.
+ if probeHandler.Exec != nil {
+ execString := strings.Join(probeHandler.Exec.Command, " ")
+ commandString = fmt.Sprintf("%s || %s", execString, failureCmd)
+ } else if probeHandler.HTTPGet != nil {
+ commandString = fmt.Sprintf("curl %s://%s:%d/%s || %s", probeHandler.HTTPGet.Scheme, probeHandler.HTTPGet.Host, probeHandler.HTTPGet.Port.IntValue(), probeHandler.HTTPGet.Path, failureCmd)
+ } else if probeHandler.TCPSocket != nil {
+ commandString = fmt.Sprintf("nc -z -v %s %d || %s", probeHandler.TCPSocket.Host, probeHandler.TCPSocket.Port.IntValue(), failureCmd)
+ }
+ s.HealthConfig, err = makeHealthCheck(commandString, probe.PeriodSeconds, probe.FailureThreshold, probe.TimeoutSeconds, probe.InitialDelaySeconds)
+ if err != nil {
+ return err
+ }
+ return nil
+ }
+ return nil
+}
+
+func makeHealthCheck(inCmd string, interval int32, retries int32, timeout int32, startPeriod int32) (*manifest.Schema2HealthConfig, error) {
+ // Every healthcheck requires a command
+ if len(inCmd) == 0 {
+ return nil, errors.New("Must define a healthcheck command for all healthchecks")
+ }
+
+ // first try to parse option value as JSON array of strings...
+ cmd := []string{}
+
+ if inCmd == "none" {
+ cmd = []string{"NONE"}
+ } else {
+ err := json.Unmarshal([]byte(inCmd), &cmd)
+ if err != nil {
+ // ...otherwise pass it to "/bin/sh -c" inside the container
+ cmd = []string{"CMD-SHELL"}
+ cmd = append(cmd, strings.Split(inCmd, " ")...)
+ }
+ }
+ hc := manifest.Schema2HealthConfig{
+ Test: cmd,
+ }
+
+ if interval < 1 {
+ //kubernetes interval defaults to 10 sec and cannot be less than 1
+ interval = 10
+ }
+ hc.Interval = (time.Duration(interval) * time.Second)
+ if retries < 1 {
+ //kubernetes retries defaults to 3
+ retries = 3
+ }
+ hc.Retries = int(retries)
+ if timeout < 1 {
+ //kubernetes timeout defaults to 1
+ timeout = 1
+ }
+ timeoutDuration := (time.Duration(timeout) * time.Second)
+ if timeoutDuration < time.Duration(1) {
+ return nil, errors.New("healthcheck-timeout must be at least 1 second")
+ }
+ hc.Timeout = timeoutDuration
+
+ startPeriodDuration := (time.Duration(startPeriod) * time.Second)
+ if startPeriodDuration < time.Duration(0) {
+ return nil, errors.New("healthcheck-start-period must be 0 seconds or greater")
+ }
+ hc.StartPeriod = startPeriodDuration
+
+ return &hc, nil
}
func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container) {
diff --git a/test/README.md b/test/README.md
index d7710cc95..769bdbfd7 100644
--- a/test/README.md
+++ b/test/README.md
@@ -84,7 +84,7 @@ file itself. Consider the following actual test:
It("podman inspect bogus pod", func() {
session := podmanTest.Podman([]string{"pod", "inspect", "foobar"})
session.WaitWithDefaultTimeout()
- Expect(session.ExitCode()).To(Not(Equal(0)))
+ Expect(session).To(ExitWithError())
})
```
diff --git a/test/apiv2/10-images.at b/test/apiv2/10-images.at
index 9e464dbc7..195b11ff0 100644
--- a/test/apiv2/10-images.at
+++ b/test/apiv2/10-images.at
@@ -45,6 +45,11 @@ t POST "images/create?fromImage=alpine" 200 .error~null .status~".*Download comp
t POST "images/create?fromImage=alpine&tag=latest" 200
+# 10977 - handle platform parameter correctly
+t POST "images/create?fromImage=alpine&platform=linux/arm64" 200
+t GET "images/alpine/json" 200 \
+ .Architecture=arm64
+
# Make sure that new images are pulled
old_iid=$(podman image inspect --format "{{.ID}}" docker.io/library/alpine:latest)
podman rmi -f docker.io/library/alpine:latest
diff --git a/test/apiv2/test-apiv2 b/test/apiv2/test-apiv2
index 9f6bf257f..26619ae03 100755
--- a/test/apiv2/test-apiv2
+++ b/test/apiv2/test-apiv2
@@ -442,10 +442,10 @@ function random_string() {
function wait_for_port() {
local host=$1 # Probably "localhost"
local port=$2 # Numeric port
- local timeout=${3:-5} # Optional; default to 5 seconds
+ local _timeout=${3:-5} # Optional; default to 5 seconds
# Wait
- while [ $timeout -gt 0 ]; do
+ while [ $_timeout -gt 0 ]; do
{ exec 3<> /dev/tcp/$host/$port; } &>/dev/null && return
sleep 1
_timeout=$(( $_timeout - 1 ))
diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go
index 5a6cf7ffb..2e48e1763 100644
--- a/test/e2e/common_test.go
+++ b/test/e2e/common_test.go
@@ -811,7 +811,7 @@ func generateNetworkConfig(p *PodmanTestIntegration) (string, string) {
func (p *PodmanTestIntegration) removeCNINetwork(name string) {
session := p.Podman([]string{"network", "rm", "-f", name})
session.WaitWithDefaultTimeout()
- Expect(session.ExitCode()).To(BeNumerically("<=", 1))
+ Expect(session.ExitCode()).To(BeNumerically("<=", 1), "Exit code must be 0 or 1")
}
func (p *PodmanSessionIntegration) jq(jqCommand string) (string, error) {
diff --git a/test/e2e/container_create_volume_test.go b/test/e2e/container_create_volume_test.go
new file mode 100644
index 000000000..001698239
--- /dev/null
+++ b/test/e2e/container_create_volume_test.go
@@ -0,0 +1,127 @@
+package integration
+
+import (
+ "fmt"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+
+ . "github.com/containers/podman/v3/test/utils"
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+ . "github.com/onsi/gomega/gexec"
+)
+
+func buildDataVolumeImage(pTest *PodmanTestIntegration, image, data, dest string) {
+ // Create a dummy file for data volume
+ dummyFile := filepath.Join(pTest.TempDir, data)
+ err := ioutil.WriteFile(dummyFile, []byte(data), 0644)
+ Expect(err).To(BeNil())
+
+ // Create a data volume container image but no CMD binary in it
+ containerFile := fmt.Sprintf(`FROM scratch
+CMD doesnotexist.sh
+ADD %s %s/
+VOLUME %s/`, data, dest, dest)
+ pTest.BuildImage(containerFile, image, "false")
+}
+
+func createContainersConfFile(pTest *PodmanTestIntegration) {
+ configPath := filepath.Join(pTest.TempDir, "containers.conf")
+ containersConf := []byte(fmt.Sprintf("[containers]\nprepare_volume_on_create = true\n"))
+ err := ioutil.WriteFile(configPath, containersConf, os.ModePerm)
+ Expect(err).To(BeNil())
+
+ // Set custom containers.conf file
+ os.Setenv("CONTAINERS_CONF", configPath)
+ if IsRemote() {
+ pTest.RestartRemoteService()
+ }
+}
+
+func checkDataVolumeContainer(pTest *PodmanTestIntegration, image, cont, dest, data string) {
+ create := pTest.Podman([]string{"create", "--name", cont, image})
+ create.WaitWithDefaultTimeout()
+ Expect(create).Should(Exit(0))
+
+ inspect := pTest.InspectContainer(cont)
+ Expect(len(inspect)).To(Equal(1))
+ Expect(len(inspect[0].Mounts)).To(Equal(1))
+ Expect(inspect[0].Mounts[0].Destination).To(Equal(dest))
+
+ mntName, mntSource := inspect[0].Mounts[0].Name, inspect[0].Mounts[0].Source
+
+ volList := pTest.Podman([]string{"volume", "list", "--quiet"})
+ volList.WaitWithDefaultTimeout()
+ Expect(volList).Should(Exit(0))
+ Expect(len(volList.OutputToStringArray())).To(Equal(1))
+ Expect(volList.OutputToStringArray()[0]).To(Equal(mntName))
+
+ // Check the mount source directory
+ files, err := ioutil.ReadDir(mntSource)
+ Expect(err).To(BeNil())
+
+ if data == "" {
+ Expect(len(files)).To(Equal(0))
+ } else {
+ Expect(len(files)).To(Equal(1))
+ Expect(files[0].Name()).To(Equal(data))
+ }
+}
+
+var _ = Describe("Podman create data volume", func() {
+ var (
+ tempdir string
+ err error
+ podmanTest *PodmanTestIntegration
+ )
+
+ BeforeEach(func() {
+ tempdir, err = CreateTempDirInTempDir()
+ if err != nil {
+ os.Exit(1)
+ }
+ podmanTest = PodmanTestCreate(tempdir)
+ podmanTest.Setup()
+ podmanTest.SeedImages()
+ })
+
+ AfterEach(func() {
+ podmanTest.Cleanup()
+ f := CurrentGinkgoTestDescription()
+ processTestResult(f)
+ os.Unsetenv("CONTAINERS_CONF")
+ })
+
+ It("podman create with volume data copy turned off", func() {
+ imgName, volData, volDest := "dataimg", "dummy", "/test"
+
+ buildDataVolumeImage(podmanTest, imgName, volData, volDest)
+
+ // Create a container with the default containers.conf and
+ // check that the volume is not copied from the image.
+ checkDataVolumeContainer(podmanTest, imgName, "ctr-nocopy", volDest, "")
+ })
+
+ It("podman create with volume data copy turned on", func() {
+ imgName, volData, volDest := "dataimg", "dummy", "/test"
+
+ buildDataVolumeImage(podmanTest, imgName, volData, volDest)
+
+ // Create a container with the custom containers.conf and
+ // check that the volume is copied from the image.
+ createContainersConfFile(podmanTest)
+
+ checkDataVolumeContainer(podmanTest, imgName, "ctr-copy", volDest, volData)
+ })
+
+ It("podman run with volume data copy turned on", func() {
+ // Create a container with the custom containers.conf and
+ // check that the container is run successfully
+ createContainersConfFile(podmanTest)
+
+ session := podmanTest.Podman([]string{"run", "--rm", ALPINE, "echo"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ })
+})
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index 42bb0cb64..5e303bf2f 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -9,6 +9,7 @@ import (
"strconv"
"strings"
"text/template"
+ "time"
"github.com/containers/podman/v3/pkg/util"
. "github.com/containers/podman/v3/test/utils"
@@ -67,6 +68,75 @@ spec:
shareProcessNamespace: true
status: {}
`
+var livenessProbePodYaml = `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: liveness-probe
+ labels:
+ app: alpine
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: alpine
+ template:
+ metadata:
+ labels:
+ app: alpine
+ spec:
+ containers:
+ - command:
+ - top
+ - -d
+ - "1.5"
+ name: alpine
+ image: quay.io/libpod/alpine:latest
+ ports:
+ - containerPort: 80
+ livenessProbe:
+ exec:
+ command:
+ - echo
+ - hello
+ initialDelaySeconds: 5
+ periodSeconds: 5
+`
+var livenessProbeUnhealthyPodYaml = `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: liveness-unhealthy-probe
+ labels:
+ app: alpine
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: alpine
+ template:
+ metadata:
+ labels:
+ app: alpine
+ spec:
+ restartPolicy: Never
+ containers:
+ - command:
+ - top
+ - -d
+ - "1.5"
+ name: alpine
+ image: quay.io/libpod/alpine:latest
+ ports:
+ - containerPort: 80
+ livenessProbe:
+ exec:
+ command:
+ - cat
+ - /randomfile
+ initialDelaySeconds: 0
+ periodSeconds: 1
+`
var selinuxLabelPodYaml = `
apiVersion: v1
@@ -1061,6 +1131,36 @@ var _ = Describe("Podman play kube", func() {
Expect(sharednamespaces).To(ContainSubstring("pid"))
})
+ It("podman play kube support container liveness probe", func() {
+ err := writeYaml(livenessProbePodYaml, kubeYaml)
+ Expect(err).To(BeNil())
+
+ kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube).Should(Exit(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", "liveness-probe-pod-0-alpine", "--format", "'{{ .Config.Healthcheck }}'"})
+ inspect.WaitWithDefaultTimeout()
+ healthcheckcmd := inspect.OutputToString()
+ // check if CMD-SHELL based equivalent health check is added to container
+ Expect(healthcheckcmd).To(ContainSubstring("CMD-SHELL"))
+ })
+
+ It("podman play kube liveness probe should fail", func() {
+ err := writeYaml(livenessProbeUnhealthyPodYaml, kubeYaml)
+ Expect(err).To(BeNil())
+
+ kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube).Should(Exit(0))
+
+ time.Sleep(2 * time.Second)
+ hc := podmanTest.Podman([]string{"healthcheck", "run", "liveness-unhealthy-probe-pod-0-alpine"})
+ hc.WaitWithDefaultTimeout()
+ hcoutput := hc.OutputToString()
+ Expect(hcoutput).To(ContainSubstring("unhealthy"))
+ })
+
It("podman play kube fail with nonexistent authfile", func() {
err := generateKubeYaml("pod", getPod(), kubeYaml)
Expect(err).To(BeNil())
diff --git a/test/e2e/pod_create_test.go b/test/e2e/pod_create_test.go
index 63f55fb88..4c6788b9d 100644
--- a/test/e2e/pod_create_test.go
+++ b/test/e2e/pod_create_test.go
@@ -566,11 +566,11 @@ ENTRYPOINT ["sleep","99999"]
ns := "ns:/proc/self/ns/"
podCreate := podmanTest.Podman([]string{"pod", "create", "--pid", ns, "--name", podName, "--share", "pid"})
podCreate.WaitWithDefaultTimeout()
- Expect(podCreate.ExitCode()).To(Equal(0))
+ Expect(podCreate).Should(Exit(0))
podInspect := podmanTest.Podman([]string{"pod", "inspect", podName})
podInspect.WaitWithDefaultTimeout()
- Expect(podInspect.ExitCode()).To(Equal(0))
+ Expect(podInspect).Should(Exit(0))
podJSON := podInspect.InspectPodToJSON()
Expect(podJSON.InfraConfig.PidNS).To(Equal("path"))
@@ -579,11 +579,11 @@ ENTRYPOINT ["sleep","99999"]
podCreate = podmanTest.Podman([]string{"pod", "create", "--pid", ns, "--name", podName, "--share", "pid"})
podCreate.WaitWithDefaultTimeout()
- Expect(podCreate.ExitCode()).To(Equal(0))
+ Expect(podCreate).Should(Exit(0))
podInspect = podmanTest.Podman([]string{"pod", "inspect", podName})
podInspect.WaitWithDefaultTimeout()
- Expect(podInspect.ExitCode()).To(Equal(0))
+ Expect(podInspect).Should(Exit(0))
podJSON = podInspect.InspectPodToJSON()
Expect(podJSON.InfraConfig.PidNS).To(Equal("pod"))
@@ -592,11 +592,11 @@ ENTRYPOINT ["sleep","99999"]
podCreate = podmanTest.Podman([]string{"pod", "create", "--pid", ns, "--name", podName, "--share", "pid"})
podCreate.WaitWithDefaultTimeout()
- Expect(podCreate.ExitCode()).To(Equal(0))
+ Expect(podCreate).Should(Exit(0))
podInspect = podmanTest.Podman([]string{"pod", "inspect", podName})
podInspect.WaitWithDefaultTimeout()
- Expect(podInspect.ExitCode()).To(Equal(0))
+ Expect(podInspect).Should(Exit(0))
podJSON = podInspect.InspectPodToJSON()
Expect(podJSON.InfraConfig.PidNS).To(Equal("host"))
@@ -605,11 +605,11 @@ ENTRYPOINT ["sleep","99999"]
podCreate = podmanTest.Podman([]string{"pod", "create", "--pid", ns, "--name", podName, "--share", "pid"})
podCreate.WaitWithDefaultTimeout()
- Expect(podCreate.ExitCode()).To(Equal(0))
+ Expect(podCreate).Should(Exit(0))
podInspect = podmanTest.Podman([]string{"pod", "inspect", podName})
podInspect.WaitWithDefaultTimeout()
- Expect(podInspect.ExitCode()).To(Equal(0))
+ Expect(podInspect).Should(Exit(0))
podJSON = podInspect.InspectPodToJSON()
Expect(podJSON.InfraConfig.PidNS).To(Equal("private"))
diff --git a/test/e2e/run_exit_test.go b/test/e2e/run_exit_test.go
index 21f1a8650..e86718577 100644
--- a/test/e2e/run_exit_test.go
+++ b/test/e2e/run_exit_test.go
@@ -49,11 +49,7 @@ var _ = Describe("Podman run exit", func() {
It("podman run exit ExecErrorCodeNotFound", func() {
result := podmanTest.Podman([]string{"run", ALPINE, "foobar"})
result.WaitWithDefaultTimeout()
- Expect(result.ExitCode()).To(Not(Equal(define.ExecErrorCodeGeneric)))
- // TODO This is failing we believe because of a race condition
- // Between conmon and podman closing the socket early.
- // Test with the following, once the race condition is solved
- // Expect(result).Should(Exit(define.ExecErrorCodeNotFound))
+ Expect(result).Should(Exit(define.ExecErrorCodeNotFound))
})
It("podman run exit 0", func() {
diff --git a/test/system/090-events.bats b/test/system/090-events.bats
index d889bd7f9..22edaeee9 100644
--- a/test/system/090-events.bats
+++ b/test/system/090-events.bats
@@ -81,6 +81,7 @@ function _events_disjunctive_filters() {
@test "events with disjunctive filters - journald" {
skip_if_remote "remote does not support --events-backend"
+ skip_if_journald_unavailable "system does not support journald events"
_events_disjunctive_filters --events-backend=journald
}
diff --git a/test/system/250-systemd.bats b/test/system/250-systemd.bats
index aafe385c8..ee951ff21 100644
--- a/test/system/250-systemd.bats
+++ b/test/system/250-systemd.bats
@@ -4,17 +4,10 @@
#
load helpers
+load helpers.systemd
SERVICE_NAME="podman_test_$(random_string)"
-SYSTEMCTL="systemctl"
-UNIT_DIR="/usr/lib/systemd/system"
-if is_rootless; then
- UNIT_DIR="$HOME/.config/systemd/user"
- mkdir -p $UNIT_DIR
-
- SYSTEMCTL="$SYSTEMCTL --user"
-fi
UNIT_FILE="$UNIT_DIR/$SERVICE_NAME.service"
function setup() {
@@ -24,38 +17,28 @@ function setup() {
}
function teardown() {
- run '?' $SYSTEMCTL stop "$SERVICE_NAME"
+ run '?' systemctl stop "$SERVICE_NAME"
rm -f "$UNIT_FILE"
- $SYSTEMCTL daemon-reload
+ systemctl daemon-reload
run_podman rmi -a
basic_teardown
}
-# Helper to setup xdg runtime for rootless
-function xdg_rootless() {
- # podman initializes this if unset, but systemctl doesn't
- if is_rootless; then
- if [ -z "$XDG_RUNTIME_DIR" ]; then
- export XDG_RUNTIME_DIR=/run/user/$(id -u)
- fi
- fi
-}
-
# Helper to start a systemd service running a container
function service_setup() {
run_podman generate systemd --new $cname
echo "$output" > "$UNIT_FILE"
run_podman rm $cname
- $SYSTEMCTL daemon-reload
+ systemctl daemon-reload
- run $SYSTEMCTL start "$SERVICE_NAME"
+ run systemctl start "$SERVICE_NAME"
if [ $status -ne 0 ]; then
die "Error starting systemd unit $SERVICE_NAME, output: $output"
fi
- run $SYSTEMCTL status "$SERVICE_NAME"
+ run systemctl status "$SERVICE_NAME"
if [ $status -ne 0 ]; then
die "Non-zero status of systemd unit $SERVICE_NAME, output: $output"
fi
@@ -63,20 +46,18 @@ function service_setup() {
# Helper to stop a systemd service running a container
function service_cleanup() {
- run $SYSTEMCTL stop "$SERVICE_NAME"
+ run systemctl stop "$SERVICE_NAME"
if [ $status -ne 0 ]; then
die "Error stopping systemd unit $SERVICE_NAME, output: $output"
fi
rm -f "$UNIT_FILE"
- $SYSTEMCTL daemon-reload
+ systemctl daemon-reload
}
# These tests can fail in dev. environment because of SELinux.
# quick fix: chcon -t container_runtime_exec_t ./bin/podman
@test "podman generate - systemd - basic" {
- xdg_rootless
-
cname=$(random_string)
# See #7407 for --pull=always.
run_podman create --pull=always --name $cname --label "io.containers.autoupdate=registry" $IMAGE top
@@ -100,8 +81,6 @@ function service_cleanup() {
}
@test "podman autoupdate local" {
- xdg_rootless
-
cname=$(random_string)
run_podman create --name $cname --label "io.containers.autoupdate=local" $IMAGE top
@@ -128,8 +107,6 @@ function service_cleanup() {
# These tests can fail in dev. environment because of SELinux.
# quick fix: chcon -t container_runtime_exec_t ./bin/podman
@test "podman generate systemd - envar" {
- xdg_rootless
-
cname=$(random_string)
FOO=value BAR=%s run_podman create --name $cname --env FOO -e BAR --env MYVAR=myval \
$IMAGE sh -c 'printenv && sleep 100'
diff --git a/test/system/255-auto-update.bats b/test/system/255-auto-update.bats
index a73ed94e8..25eaba45b 100644
--- a/test/system/255-auto-update.bats
+++ b/test/system/255-auto-update.bats
@@ -4,14 +4,12 @@
#
load helpers
+load helpers.systemd
-UNIT_DIR="/usr/lib/systemd/system"
SNAME_FILE=$BATS_TMPDIR/services
function setup() {
skip_if_remote "systemd tests are meaningless over remote"
- skip_if_rootless
-
basic_setup
}
@@ -29,7 +27,7 @@ function teardown() {
rm -f $SNAME_FILE
run_podman ? rmi quay.io/libpod/alpine:latest
- run_podman ? rmi quay.io/libpod/alpine_nginx:latest
+ run_podman ? rmi quay.io/libpod/busybox:latest
run_podman ? rmi quay.io/libpod/localtest:latest
basic_teardown
}
@@ -58,8 +56,7 @@ function generate_service() {
fi
run_podman run -d --name $cname $label $target_img top -d 120
- run_podman generate systemd --new $cname
- echo "$output" > "$UNIT_DIR/container-$cname.service"
+ (cd $UNIT_DIR; run_podman generate systemd --new --files --name $cname)
echo "container-$cname" >> $SNAME_FILE
run_podman rm -f $cname
@@ -185,7 +182,7 @@ function _confirm_update() {
do
local img_base="alpine"
if [[ $auto_update == "registry" ]]; then
- img_base="alpine_nginx"
+ img_base="busybox"
elif [[ $auto_update == "local" ]]; then
img_base="localtest"
fi
diff --git a/test/system/270-socket-activation.bats b/test/system/270-socket-activation.bats
index 25206c6a7..031ba161b 100644
--- a/test/system/270-socket-activation.bats
+++ b/test/system/270-socket-activation.bats
@@ -4,21 +4,12 @@
#
load helpers
+load helpers.systemd
SERVICE_NAME="podman_test_$(random_string)"
-SYSTEMCTL="systemctl"
-UNIT_DIR="/usr/lib/systemd/system"
SERVICE_SOCK_ADDR="/run/podman/podman.sock"
-
if is_rootless; then
- UNIT_DIR="$HOME/.config/systemd/user"
- mkdir -p $UNIT_DIR
-
- SYSTEMCTL="$SYSTEMCTL --user"
- if [ -z "$XDG_RUNTIME_DIR" ]; then
- export XDG_RUNTIME_DIR=/run/user/$(id -u)
- fi
SERVICE_SOCK_ADDR="$XDG_RUNTIME_DIR/podman/podman.sock"
fi
@@ -66,13 +57,13 @@ EOF
rm -f $pause_pid
fi
fi
- $SYSTEMCTL start "$SERVICE_NAME.socket"
+ systemctl start "$SERVICE_NAME.socket"
}
function teardown() {
- $SYSTEMCTL stop "$SERVICE_NAME.socket"
+ systemctl stop "$SERVICE_NAME.socket"
rm -f "$SERVICE_FILE" "$SOCKET_FILE"
- $SYSTEMCTL daemon-reload
+ systemctl daemon-reload
basic_teardown
}
diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats
index 4feb57807..419d325b0 100644
--- a/test/system/500-networking.bats
+++ b/test/system/500-networking.bats
@@ -139,6 +139,8 @@ load helpers
$IMAGE nc -l -n -v -p $myport
cid="$output"
+ wait_for_port 127.0.0.1 $myport
+
# emit random string, and check it
teststring=$(random_string 30)
echo "$teststring" | nc 127.0.0.1 $myport
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index 1859a2168..02fd7252c 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -278,6 +278,24 @@ function wait_for_ready {
wait_for_output 'READY' "$@"
}
+###################
+# wait_for_port # Returns once port is available on host
+###################
+function wait_for_port() {
+ local host=$1 # Probably "localhost"
+ local port=$2 # Numeric port
+ local _timeout=${3:-5} # Optional; default to 5 seconds
+
+ # Wait
+ while [ $_timeout -gt 0 ]; do
+ { exec 3<> /dev/tcp/$host/$port; } &>/dev/null && return
+ sleep 1
+ _timeout=$(( $_timeout - 1 ))
+ done
+
+ die "Timed out waiting for $host:$port"
+}
+
# END podman helpers
###############################################################################
# BEGIN miscellaneous tools
diff --git a/test/system/helpers.systemd.bash b/test/system/helpers.systemd.bash
new file mode 100644
index 000000000..4bde912a4
--- /dev/null
+++ b/test/system/helpers.systemd.bash
@@ -0,0 +1,30 @@
+# -*- bash -*-
+#
+# BATS helpers for systemd-related functionality
+#
+
+# podman initializes this if unset, but systemctl doesn't
+if [ -z "$XDG_RUNTIME_DIR" ]; then
+ if is_rootless; then
+ export XDG_RUNTIME_DIR=/run/user/$(id -u)
+ fi
+fi
+
+# For tests which write systemd unit files
+UNIT_DIR="/run/systemd/system"
+_DASHUSER=
+if is_rootless; then
+ UNIT_DIR="${XDG_RUNTIME_DIR}/systemd/user"
+ # Why isn't systemd smart enough to figure this out on its own?
+ _DASHUSER="--user"
+fi
+
+mkdir -p $UNIT_DIR
+
+systemctl() {
+ command systemctl $_DASHUSER "$@"
+}
+
+journalctl() {
+ command journalctl $_DASHUSER "$@"
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/user.go b/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
index d2c16f7fd..cc7a106be 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
@@ -2,6 +2,7 @@ package user
import (
"bufio"
+ "bytes"
"errors"
"fmt"
"io"
@@ -55,11 +56,11 @@ type IDMap struct {
Count int64
}
-func parseLine(line string, v ...interface{}) {
- parseParts(strings.Split(line, ":"), v...)
+func parseLine(line []byte, v ...interface{}) {
+ parseParts(bytes.Split(line, []byte(":")), v...)
}
-func parseParts(parts []string, v ...interface{}) {
+func parseParts(parts [][]byte, v ...interface{}) {
if len(parts) == 0 {
return
}
@@ -75,16 +76,16 @@ func parseParts(parts []string, v ...interface{}) {
// This is legit.
switch e := v[i].(type) {
case *string:
- *e = p
+ *e = string(p)
case *int:
// "numbers", with conversion errors ignored because of some misbehaving configuration files.
- *e, _ = strconv.Atoi(p)
+ *e, _ = strconv.Atoi(string(p))
case *int64:
- *e, _ = strconv.ParseInt(p, 10, 64)
+ *e, _ = strconv.ParseInt(string(p), 10, 64)
case *[]string:
// Comma-separated lists.
- if p != "" {
- *e = strings.Split(p, ",")
+ if len(p) != 0 {
+ *e = strings.Split(string(p), ",")
} else {
*e = []string{}
}
@@ -128,8 +129,8 @@ func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) {
)
for s.Scan() {
- line := strings.TrimSpace(s.Text())
- if line == "" {
+ line := bytes.TrimSpace(s.Bytes())
+ if len(line) == 0 {
continue
}
@@ -179,15 +180,53 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) {
if r == nil {
return nil, fmt.Errorf("nil source for group-formatted data")
}
+ rd := bufio.NewReader(r)
+ out := []Group{}
- var (
- s = bufio.NewScanner(r)
- out = []Group{}
- )
+ // Read the file line-by-line.
+ for {
+ var (
+ isPrefix bool
+ wholeLine []byte
+ err error
+ )
- for s.Scan() {
- text := s.Text()
- if text == "" {
+ // Read the next line. We do so in chunks (as much as reader's
+ // buffer is able to keep), check if we read enough columns
+ // already on each step and store final result in wholeLine.
+ for {
+ var line []byte
+ line, isPrefix, err = rd.ReadLine()
+
+ if err != nil {
+ // We should return no error if EOF is reached
+ // without a match.
+ if err == io.EOF { //nolint:errorlint // comparison with io.EOF is legit, https://github.com/polyfloyd/go-errorlint/pull/12
+ err = nil
+ }
+ return out, err
+ }
+
+ // Simple common case: line is short enough to fit in a
+ // single reader's buffer.
+ if !isPrefix && len(wholeLine) == 0 {
+ wholeLine = line
+ break
+ }
+
+ wholeLine = append(wholeLine, line...)
+
+ // Check if we read the whole line already.
+ if !isPrefix {
+ break
+ }
+ }
+
+ // There's no spec for /etc/passwd or /etc/group, but we try to follow
+ // the same rules as the glibc parser, which allows comments and blank
+ // space at the beginning of a line.
+ wholeLine = bytes.TrimSpace(wholeLine)
+ if len(wholeLine) == 0 || wholeLine[0] == '#' {
continue
}
@@ -197,17 +236,12 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) {
// root:x:0:root
// adm:x:4:root,adm,daemon
p := Group{}
- parseLine(text, &p.Name, &p.Pass, &p.Gid, &p.List)
+ parseLine(wholeLine, &p.Name, &p.Pass, &p.Gid, &p.List)
if filter == nil || filter(p) {
out = append(out, p)
}
}
- if err := s.Err(); err != nil {
- return nil, err
- }
-
- return out, nil
}
type ExecUser struct {
@@ -278,7 +312,7 @@ func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) (
// Allow for userArg to have either "user" syntax, or optionally "user:group" syntax
var userArg, groupArg string
- parseLine(userSpec, &userArg, &groupArg)
+ parseLine([]byte(userSpec), &userArg, &groupArg)
// Convert userArg and groupArg to be numeric, so we don't have to execute
// Atoi *twice* for each iteration over lines.
@@ -496,8 +530,8 @@ func ParseSubIDFilter(r io.Reader, filter func(SubID) bool) ([]SubID, error) {
)
for s.Scan() {
- line := strings.TrimSpace(s.Text())
- if line == "" {
+ line := bytes.TrimSpace(s.Bytes())
+ if len(line) == 0 {
continue
}
@@ -549,14 +583,14 @@ func ParseIDMapFilter(r io.Reader, filter func(IDMap) bool) ([]IDMap, error) {
)
for s.Scan() {
- line := strings.TrimSpace(s.Text())
- if line == "" {
+ line := bytes.TrimSpace(s.Bytes())
+ if len(line) == 0 {
continue
}
// see: man 7 user_namespaces
p := IDMap{}
- parseParts(strings.Fields(line), &p.ID, &p.ParentID, &p.Count)
+ parseParts(bytes.Fields(line), &p.ID, &p.ParentID, &p.Count)
if filter == nil || filter(p) {
out = append(out, p)
diff --git a/vendor/modules.txt b/vendor/modules.txt
index cdda0641f..337d85442 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -503,7 +503,7 @@ github.com/opencontainers/go-digest
# github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6
github.com/opencontainers/image-spec/specs-go
github.com/opencontainers/image-spec/specs-go/v1
-# github.com/opencontainers/runc v1.0.0
+# github.com/opencontainers/runc v1.0.1
github.com/opencontainers/runc/libcontainer/apparmor
github.com/opencontainers/runc/libcontainer/cgroups
github.com/opencontainers/runc/libcontainer/configs