-rw-r--r--docs/source/markdown/podman-login.1.md12
-rw-r--r--docs/source/markdown/podman-logout.1.md4
-rw-r--r--libpod/kube.go2
-rw-r--r--pkg/domain/infra/abi/play.go6
-rw-r--r--test/e2e/play_kube_test.go44
-rw-r--r--test/system/030-run.bats18
-rw-r--r--test/system/120-load.bats34
7 files changed, 99 insertions, 21 deletions
diff --git a/docs/source/markdown/podman-login.1.md b/docs/source/markdown/podman-login.1.md
index 79c7ff640..efc7f05e2 100644
--- a/docs/source/markdown/podman-login.1.md
+++ b/docs/source/markdown/podman-login.1.md
@@ -12,9 +12,13 @@ and password. If the registry is not specified, the first registry under [regist
from registries.conf will be used. **podman login** reads in the username and password from STDIN.
The username and password can also be set using the **username** and **password** flags.
The path of the authentication file can be specified by the user by setting the **authfile**
-flag. The default path used is **${XDG\_RUNTIME\_DIR}/containers/auth.json**. If there is a valid
-username and password in the **authfile** , Podman will use those existing credentials if the user does not pass in a username.
-If those credentials are not present, Podman will then use any existing credentials found in **$HOME/.docker/config.json**.
+flag. The default path for reading and writing credentials is **${XDG\_RUNTIME\_DIR}/containers/auth.json**.
+Podman will use existing credentials if the user does not pass in a username.
+Podman will first search for the username and password in the **${XDG\_RUNTIME\_DIR}/containers/auth.json**, if they are not valid,
+Podman will then use any existing credentials found in **$HOME/.docker/config.json**.
+If those credentials are not present, Podman will create **${XDG\_RUNTIME\_DIR}/containers/auth.json** (if the file does not exist) and
+will then store the username and password from STDIN as a base64 encoded string in it.
+For more details about format and configurations of the auth,json file, please refer to containers-auth.json(5)
**podman [GLOBAL OPTIONS]**
@@ -104,7 +108,7 @@ Login Succeeded!
```
## SEE ALSO
-podman(1), podman-logout(1)
+podman(1), podman-logout(1), containers-auth.json(5)
## HISTORY
August 2017, Originally compiled by Urvashi Mohnani <umohnani@redhat.com>
diff --git a/docs/source/markdown/podman-logout.1.md b/docs/source/markdown/podman-logout.1.md
index 8b9f75760..0ff954d43 100644
--- a/docs/source/markdown/podman-logout.1.md
+++ b/docs/source/markdown/podman-logout.1.md
@@ -10,7 +10,7 @@ podman\-logout - Logout of a container registry
**podman logout** logs out of a specified registry server by deleting the cached credentials
stored in the **auth.json** file. If the registry is not specified, the first registry under [registries.search]
from registries.conf will be used. The path of the authentication file can be overridden by the user by setting the **authfile** flag.
-The default path used is **${XDG\_RUNTIME\_DIR}/containers/auth.json**.
+The default path used is **${XDG\_RUNTIME\_DIR}/containers/auth.json**. For more details about format and configurations of the auth,json file, please refer to containers-auth.json(5)
All the cached credentials can be removed by setting the **all** flag.
**podman [GLOBAL OPTIONS]**
@@ -54,7 +54,7 @@ Remove login credentials for all registries
```
## SEE ALSO
-podman(1), podman-login(1)
+podman(1), podman-login(1), containers-auth.json(5)
## HISTORY
August 2017, Originally compiled by Urvashi Mohnani <umohnani@redhat.com>
diff --git a/libpod/kube.go b/libpod/kube.go
index 5f2c9e0fd..864bc78c7 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -191,7 +191,7 @@ func addContainersAndVolumesToPodObject(containers []v1.Container, volumes []v1.
labels["app"] = removeUnderscores(podName)
om := v12.ObjectMeta{
// The name of the pod is container_name-libpod
- Name: removeUnderscores(podName),
+ Name: podName,
Labels: labels,
// CreationTimestamp seems to be required, so adding it; in doing so, the timestamp
// will reflect time this is run (not container create time) because the conversion
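Review bot: `Name: podName` now passes the pod name through unchanged while the `app` label just above still uses `removeUnderscores(podName)`, so the two differ for any name containing an underscore. Kubernetes object names are restricted to DNS-style characters and do not allow `_`, so YAML generated from such a pod would likely be rejected by a real cluster even if podman can replay it. If keeping the original name is intended, a comment on the field would record that, e.g. `// Name is kept verbatim so the pod name round-trips; it may not be a valid Kubernetes name`. The function body starts and ends outside this hunk.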
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
index 31ad51672..47d1c48f2 100644
--- a/pkg/domain/infra/abi/play.go
+++ b/pkg/domain/infra/abi/play.go
@@ -556,6 +556,7 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
containerConfig.Env = envs
for _, volume := range containerYAML.VolumeMounts {
+ var readonly string
hostPath, exists := volumes[volume.Name]
if !exists {
return nil, errors.Errorf("Volume mount %s specified for container but not configured in volumes", volume.Name)
@@ -563,7 +564,10 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
if err := parse.ValidateVolumeCtrDir(volume.MountPath); err != nil {
return nil, errors.Wrapf(err, "error in parsing MountPath")
}
- containerConfig.Volumes = append(containerConfig.Volumes, fmt.Sprintf("%s:%s", hostPath, volume.MountPath))
+ if volume.ReadOnly {
+ readonly = ":ro"
+ }
+ containerConfig.Volumes = append(containerConfig.Volumes, fmt.Sprintf("%s:%s%s", hostPath, volume.MountPath, readonly))
}
return &containerConfig, nil
}
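Review bot: The read-only flag is carried as a `:ro` suffix on a colon-delimited string built with `fmt.Sprintf("%s:%s%s", hostPath, volume.MountPath, readonly)`, and in the visible lines only `volume.MountPath` is validated. If `hostPath` can contain a `:`, whatever parses this string later may split it at the wrong field and the `ro` option may not be applied where intended; it is worth confirming that host paths are validated where `volumes` is built, which is outside this hunk. Separately, `readonly` is declared at the top of the loop body in the previous hunk but only used here; `readonly := ""` directly before `if volume.ReadOnly {` would keep it next to its use.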
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index 121cea017..5e01971cb 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -99,6 +99,12 @@ spec:
hostPort: {{ .Port }}
protocol: TCP
workingDir: /
+ volumeMounts:
+ {{ if .VolumeMount }}
+ - name: {{.VolumeName}}
+ mountPath: {{ .VolumeMountPath }}
+ readonly: {{.VolumeReadOnly}}
+ {{ end }}
{{ end }}
{{ end }}
{{ end }}
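Review bot: The `volumeMounts:` key sits outside `{{ if .VolumeMount }}`, so every container rendered without a mount now gets an empty `volumeMounts:` entry; moving the key inside the conditional would leave the YAML of the other tests unchanged. The field is also spelled `readonly:`, whereas the Kubernetes field name is `readOnly`; this probably parses only because the decoder matches keys case-insensitively, so `readOnly: {{ .VolumeReadOnly }}` is the safer spelling in a test of this flag. The template starts and ends outside the hunk.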
@@ -383,12 +389,16 @@ type Ctr struct {
PullPolicy string
HostIP string
Port string
+ VolumeMount bool
+ VolumeMountPath string
+ VolumeName string
+ VolumeReadOnly bool
}
// getCtr takes a list of ctrOptions and returns a Ctr with sane defaults
// and the configured options
func getCtr(options ...ctrOption) *Ctr {
- c := Ctr{defaultCtrName, defaultCtrImage, defaultCtrCmd, defaultCtrArg, true, false, nil, nil, "", "", ""}
+ c := Ctr{defaultCtrName, defaultCtrImage, defaultCtrCmd, defaultCtrArg, true, false, nil, nil, "", "", "", false, "", "", false}
for _, option := range options {
option(&c)
}
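Review bot: The unkeyed literal in `getCtr` now has fifteen positional values, four of them the new `false, "", "", false`, and nothing ties each value to its field; a later reorder of same-typed `Ctr` fields would still compile and silently change the defaults. A keyed literal naming only the non-zero defaults would be easier to review, and the four new fields could then be omitted because they are all zero values. `getCtr` continues past the end of the hunk.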
@@ -448,6 +458,15 @@ func withHostIP(ip string, port string) ctrOption {
}
}
+func withVolumeMount(mountPath string, readonly bool) ctrOption {
+ return func(c *Ctr) {
+ c.VolumeMountPath = mountPath
+ c.VolumeName = defaultVolName
+ c.VolumeReadOnly = readonly
+ c.VolumeMount = true
+ }
+}
+
func getCtrNameInPod(pod *Pod) string {
return fmt.Sprintf("%s-%s", pod.Name, defaultCtrName)
}
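Review bot: `withVolumeMount` has no doc comment and always sets `c.VolumeName = defaultVolName`, so it only matches a pod volume that carries that same name; that coupling is not visible at the call site. A comment such as `// withVolumeMount mounts the volume named defaultVolName at mountPath; readonly sets the mount's read-only flag.` would make it explicit.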
@@ -1035,4 +1054,27 @@ spec:
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).NotTo(Equal(0))
})
+
+ It("podman play kube test with read only volume", func() {
+ hostPathLocation := filepath.Join(tempdir, "file")
+ f, err := os.Create(hostPathLocation)
+ Expect(err).To(BeNil())
+ f.Close()
+
+ ctr := getCtr(withVolumeMount(hostPathLocation, true), withImage(BB))
+ pod := getPod(withVolume(getVolume("File", hostPathLocation)), withCtr(ctr))
+ err = generatePodKubeYaml(pod, kubeYaml)
+ Expect(err).To(BeNil())
+
+ kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", getCtrNameInPod(pod), "--format", "'{{.HostConfig.Binds}}'"})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.ExitCode()).To(Equal(0))
+
+ correct := fmt.Sprintf("%s:%s:%s", hostPathLocation, hostPathLocation, "ro")
+ Expect(inspect.OutputToString()).To(ContainSubstring(correct))
+ })
})
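Review bot: The new test only asserts that `{{.HostConfig.Binds}}` contains the `:ro` string, which shows the option was recorded but not that the mount is actually read-only inside the container. Since users rely on this flag as a restriction, a second assertion that a write to the mounted path fails would cover the behaviour itself, and a companion case with `withVolumeMount(hostPathLocation, false)` would catch `:ro` being appended unconditionally. The return value of `f.Close()` is also dropped; `Expect(f.Close()).To(BeNil())` is the one-line fix.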
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 0b92554b8..4e518c571 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -189,9 +189,19 @@ echo $rand | 0 | $rand
is "$(< $cidfile)" "$cid" "contents of cidfile == container ID"
- conmon_pid=$(< $pidfile)
- is "$(readlink /proc/$conmon_pid/exe)" ".*/conmon" \
- "conmon pidfile (= PID $conmon_pid) points to conmon process"
+ # Cross-check --conmon-pidfile against 'podman inspect'
+ local conmon_pid_from_file=$(< $pidfile)
+ run_podman inspect --format '{{.State.ConmonPid}}' $cid
+ local conmon_pid_from_inspect="$output"
+ is "$conmon_pid_from_file" "$conmon_pid_from_inspect" \
+ "Conmon pid in pidfile matches what 'podman inspect' claims"
+
+ # /proc/PID/exe should be a symlink to a conmon executable
+ # FIXME: 'echo' and 'ls' are to help debug #7580, a CI flake
+ echo "conmon pid = $conmon_pid_from_file"
+ ls -l /proc/$conmon_pid_from_file
+ is "$(readlink /proc/$conmon_pid_from_file/exe)" ".*/conmon" \
+ "conmon pidfile (= PID $conmon_pid_from_file) points to conmon process"
# All OK. Kill container.
run_podman rm -f $cid
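Review bot: The debug `ls -l /proc/$conmon_pid_from_file` runs as a bare command, and Bats fails a test on the first command that returns non-zero, so when the PID directory is missing the test would stop at `ls` rather than at the `is` check with its descriptive message. If the listing is only a debugging aid for #7580, `ls -l /proc/$conmon_pid_from_file || true` keeps it from deciding the result. Note also that `local conmon_pid_from_file=$(< $pidfile)` hides a failed read behind the exit status of `local`; declaring and assigning on separate lines avoids that. The test body starts and ends outside the hunk.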
@@ -204,7 +214,7 @@ echo $rand | 0 | $rand
}
@test "podman run docker-archive" {
- skip_if_remote "FIXME: pending #7116"
+ skip_if_remote "podman-remote does not support docker-archive (#7116)"
# Create an image that, when run, outputs a random magic string
expect=$(random_string 20)
diff --git a/test/system/120-load.bats b/test/system/120-load.bats
index 86b396c4a..d7aa16d95 100644
--- a/test/system/120-load.bats
+++ b/test/system/120-load.bats
@@ -27,25 +27,43 @@ verify_iid_and_name() {
}
@test "podman save to pipe and load" {
- get_iid_and_name
+ # Generate a random name and tag (must be lower-case)
+ local random_name=x$(random_string 12 | tr A-Z a-z)
+ local random_tag=t$(random_string 7 | tr A-Z a-z)
+ local fqin=localhost/$random_name:$random_tag
+ run_podman tag $IMAGE $fqin
+
+ archive=$PODMAN_TMPDIR/myimage-$(random_string 8).tar
# We can't use run_podman because that uses the BATS 'run' function
# which redirects stdout and stderr. Here we need to guarantee
# that podman's stdout is a pipe, not any other form of redirection
- $PODMAN save --format oci-archive $IMAGE | cat >$archive
+ $PODMAN save --format oci-archive $fqin | cat >$archive
if [ "$status" -ne 0 ]; then
die "Command failed: podman save ... | cat"
fi
# Make sure we can reload it
- # FIXME: when/if 7337 gets fixed, add a random tag instead of rmi'ing
- # FIXME: when/if 7371 gets fixed, use verify_iid_and_name()
- run_podman rmi $iid
+ run_podman rmi $fqin
run_podman load -i $archive
- # FIXME: cannot compare IID, see #7371
- run_podman images -a --format '{{.Repository}}:{{.Tag}}'
- is "$output" "$IMAGE" "image preserves name across save/load"
+ # FIXME: cannot compare IID, see #7371, so we check only the tag
+ run_podman images $fqin --format '{{.Repository}}:{{.Tag}}'
+ is "$output" "$fqin" "image preserves name across save/load"
+
+ # FIXME: when/if 7337 gets fixed, load with a new tag
+ if false; then
+ local new_name=x$(random_string 14 | tr A-Z a-z)
+ local new_tag=t$(random_string 6 | tr A-Z a-z)
+ run_podman rmi $fqin
+ fqin=localhost/$new_name:$new_tag
+ run_podman load -i $archive $fqin
+ run_podman images $fqin --format '{{.Repository}}:{{.Tag}}'
+ is "$output" "$fqin" "image can be loaded with new name:tag"
+ fi
+
+ # Clean up
+ run_podman rmi $fqin
}
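Review bot: The `if [ "$status" -ne 0 ]` check after `$PODMAN save --format oci-archive $fqin | cat >$archive` does not test the save: `$status` is set by the Bats `run` function, which the comment above says is deliberately bypassed here, so it still holds the result of the preceding `run_podman tag`. These are unchanged context lines, but the new `run_podman tag $IMAGE $fqin` is now what feeds them. Reading `${PIPESTATUS[0]}` immediately after the pipeline would check podman's own exit code, e.g. `if [ "${PIPESTATUS[0]}" -ne 0 ]; then`. The `if false; then` block is dead code that nothing will exercise until someone remembers to re-enable it; a separate test with an explicit `skip` naming #7337 would stay visible in test output.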