-rw-r--r--docs/source/Introduction.rst4
-rw-r--r--go.mod2
-rw-r--r--go.sum2
-rw-r--r--test/system/050-stop.bats43
-rw-r--r--test/system/070-build.bats33
-rw-r--r--test/system/400-unprivileged-access.bats11
-rw-r--r--test/system/410-selinux.bats11
-rw-r--r--vendor/github.com/google/uuid/version4.go8
-rw-r--r--vendor/modules.txt2
9 files changed, 109 insertions, 7 deletions
diff --git a/docs/source/Introduction.rst b/docs/source/Introduction.rst
index 9dcae8a83..9fdce6962 100644
--- a/docs/source/Introduction.rst
+++ b/docs/source/Introduction.rst
@@ -34,7 +34,7 @@ Sometimes we can find a publicly available container image for the exact workloa
Container Images aren’t actually images, they’re repositories often made up of multiple layers. These layers can easily be added, saved, and shared with others by using a Containerfile (Dockerfile). This single file often contains all the instructions needed to build the new and can easily be shared with others publicly using tools like GitHub.
-Here's an example of how to build an Nginx web server on top of a Debian base image using the Dockerfile maintained by Nginx and published in GitHub::
+Here's an example of how to build a Nginx web server on top of a Debian base image using the Dockerfile maintained by Nginx and published in GitHub::
podman build -t nginx https://git.io/Jf8ol
@@ -62,7 +62,7 @@ Input::
Password: ********
Login Succeeded!
-Nex, tag the image so that we can push it into our user account::
+Next, tag the image so that we can push it into our user account::
podman tag localhost/nginx quay.io/USERNAME/nginx
diff --git a/go.mod b/go.mod
index d2bcc3e96..1f8ad9ece 100644
--- a/go.mod
+++ b/go.mod
@@ -29,7 +29,7 @@ require (
github.com/ghodss/yaml v1.0.0
github.com/godbus/dbus/v5 v5.0.3
github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf
- github.com/google/uuid v1.1.5
+ github.com/google/uuid v1.2.0
github.com/gorilla/mux v1.8.0
github.com/gorilla/schema v1.2.0
github.com/hashicorp/go-multierror v1.1.0
diff --git a/go.sum b/go.sum
index 35cb463af..5bbd30ba3 100644
--- a/go.sum
+++ b/go.sum
@@ -263,6 +263,8 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.5 h1:kxhtnfFVi+rYdOALN0B3k9UT86zVJKfBimRaciULW4I=
github.com/google/uuid v1.1.5/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=
+github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
diff --git a/test/system/050-stop.bats b/test/system/050-stop.bats
index 548fd56ee..7d9f1fcb3 100644
--- a/test/system/050-stop.bats
+++ b/test/system/050-stop.bats
@@ -30,6 +30,49 @@ load helpers
run_podman rm $cid
}
+# #9051 : podman stop --all was not working with podman-remote
+@test "podman stop --all" {
+ # Start three containers, create (without running) a fourth
+ run_podman run -d --name c1 $IMAGE sleep 20
+ run_podman run -d --name c2 $IMAGE sleep 40
+ run_podman run -d --name c3 $IMAGE sleep 60
+ run_podman create --name c4 $IMAGE sleep 80
+
+ # podman ps (without -a) should show the three running containers
+ run_podman ps --sort names --format '{{.Names}}--{{.Status}}'
+ is "${#lines[*]}" "3" "podman ps shows exactly three containers"
+ is "${lines[0]}" "c1--Up.*" "podman ps shows running container (1)"
+ is "${lines[1]}" "c2--Up.*" "podman ps shows running container (2)"
+ is "${lines[2]}" "c3--Up.*" "podman ps shows running container (3)"
+
+ # Stop -a
+ run_podman stop -a -t 1
+
+ # Now podman ps (without -a) should show nothing.
+ run_podman ps --format '{{.Names}}'
+ is "$output" "" "podman ps, after stop -a, shows no running containers"
+
+ # ...but with -a, containers are shown
+ run_podman ps -a --sort names --format '{{.Names}}--{{.Status}}'
+ is "${#lines[*]}" "4" "podman ps -a shows exactly four containers"
+ is "${lines[0]}" "c1--Exited.*" "ps -a, first stopped container"
+ is "${lines[1]}" "c2--Exited.*" "ps -a, second stopped container"
+ is "${lines[2]}" "c3--Exited.*" "ps -a, third stopped container"
+ is "${lines[3]}" "c4--Created.*" "ps -a, created container (unaffected)"
+}
+
+# #9051 : podman stop --ignore was not working with podman-remote
+@test "podman stop --ignore" {
+ name=thiscontainerdoesnotexist
+ run_podman 125 stop $name
+ is "$output" \
+ "Error: no container with name or ID $name found: no such container" \
+ "podman stop nonexistent container"
+
+ run_podman stop --ignore $name
+ is "$output" "" "podman stop nonexistent container, with --ignore"
+}
+
# Test fallback
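Review bot: The first `podman ps` check in "podman stop --all" can race with c1's `sleep 20`: if starting the other containers takes longer than that on a loaded CI host, c1 has already exited and the "exactly three containers" assertion fails for a reason unrelated to #9051. Since `stop -a -t 1` ends the containers anyway, a longer sleep costs nothing, e.g. `run_podman run -d --name c1 $IMAGE sleep 100`. The count assertions also assume that no containers are left over from earlier tests and that c1–c4 are removed afterwards; presumably the teardown loaded from `helpers` handles both, but that is not visible in this hunk.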
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index 0e83a184b..9e5e3ee1d 100644
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
@@ -126,6 +126,23 @@ EOF
label_name=l$(random_string 8)
label_value=$(random_string 12)
+ # #8679: Create a secrets directory, and mount it in the container
+ # (can only test locally; podman-remote has no --default-mounts-file opt)
+ MOUNTS_CONF=
+ secret_contents="ceci nest pas un secret"
+ CAT_SECRET="echo $secret_contents"
+ if ! is_remote; then
+ mkdir $tmpdir/secrets
+ echo $tmpdir/secrets:/run/secrets > $tmpdir/mounts.conf
+
+ secret_filename=secretfile-$(random_string 20)
+ secret_contents=shhh-$(random_string 30)-shhh
+ echo $secret_contents >$tmpdir/secrets/$secret_filename
+
+ MOUNTS_CONF=--default-mounts-file=$tmpdir/mounts.conf
+ CAT_SECRET="cat /run/secrets/$secret_filename"
+ fi
+
# Command to run on container startup with no args
cat >$tmpdir/mycmd <<EOF
#!/bin/sh
@@ -133,6 +150,7 @@ PATH=/usr/bin:/bin
pwd
echo "\$1"
printenv | grep MYENV | sort | sed -e 's/^MYENV.=//'
+$CAT_SECRET
EOF
# For overriding with --env-file; using multiple files confirms that
@@ -169,14 +187,22 @@ ENV ftp_proxy ftp-proxy-in-image
ADD mycmd /bin/mydefaultcmd
RUN chmod 755 /bin/mydefaultcmd
RUN chown 2:3 /bin/mydefaultcmd
+
+#FIXME FIXME FIXME: enable if/when 'podman build' passes mounts.conf to buildah
+#RUN $CAT_SECRET
+
CMD ["/bin/mydefaultcmd","$s_echo"]
EOF
# cd to the dir, so we test relative paths (important for podman-remote)
cd $PODMAN_TMPDIR
- run_podman build -t build_test -f build-test/Containerfile build-test
+ run_podman ${MOUNTS_CONF} build \
+ -t build_test -f build-test/Containerfile build-test
local iid="${lines[-1]}"
+ # Make sure 'podman build' had the secret mounted
+ #FIXME FIXME: enable if/when 'podman build' passes mounts.conf to buildah
+ #is "$output" ".*$secret_contents.*" "podman build has /run/secrets mounted"
if is_remote; then
ENVHOST=""
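Review bot: The two `FIXME` comments leave the build-time half of the #8679 check disabled without naming what it is waiting on, so `${MOUNTS_CONF}` on the `build` line is passed but its effect is never verified. I would reference a tracking issue in both places, e.g. `# FIXME(#ISSUE): enable once 'podman build' passes mounts.conf to buildah`, with `#ISSUE` replaced by the real number. The Containerfile heredoc appears to be unquoted (it already expands `$s_echo`), so `#RUN $CAT_SECRET` is written out with the variable expanded; that is harmless in a comment but worth keeping in mind when the line is enabled. The surrounding test body starts and ends outside this hunk.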
@@ -187,7 +213,7 @@ EOF
# Run without args - should run the above script. Verify its output.
export MYENV2="$s_env2"
export MYENV3="env-file-should-override-env-host!"
- run_podman run --rm \
+ run_podman ${MOUNTS_CONF} run --rm \
--env-file=$PODMAN_TMPDIR/env-file1 \
--env-file=$PODMAN_TMPDIR/env-file2 \
${ENVHOST} \
@@ -207,6 +233,9 @@ EOF
is "${lines[4]}" "$s_env3" "container default command: env3 (from envfile)"
is "${lines[5]}" "$s_env4" "container default command: env4 (from cmdline)"
+ is "${lines[6]}" "$secret_contents" \
+ "Contents of /run/secrets/$secret_filename in container"
+
# Proxies - environment should override container, but not env-file
http_proxy=http-proxy-from-env ftp_proxy=ftp-proxy-from-env \
run_podman run --rm \
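Review bot: Under podman-remote the new `lines[6]` assertion says nothing about mounts. `CAT_SECRET` falls back to `echo $secret_contents` there, so the script prints the fixed string and the comparison always matches. `$secret_filename` is also never set in that case, so the assertion's description reads "Contents of /run/secrets/ in container". Either wrap the assertion in `if ! is_remote; then … fi` or make the description say that the remote case only checks the echoed placeholder. The variables are set up in the first hunk of this file.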
diff --git a/test/system/400-unprivileged-access.bats b/test/system/400-unprivileged-access.bats
index 6a89247e6..f26c97d1e 100644
--- a/test/system/400-unprivileged-access.bats
+++ b/test/system/400-unprivileged-access.bats
@@ -132,7 +132,11 @@ EOF
# Run 'stat' on all the files, plus /dev/null. Get path, file type,
# number of links, major, and minor (see below for why). Do it all
# in one go, to avoid multiple podman-runs
- run_podman run --rm $IMAGE stat -c'%n:%F:%h:%T:%t' /dev/null ${subset[@]}
+ run_podman '?' run --rm $IMAGE stat -c'%n:%F:%h:%T:%t' /dev/null ${subset[@]}
+ if [[ $status -gt 1 ]]; then
+ die "Unexpected exit status $status: expected 0 or 1"
+ fi
+
local devnull=
for result in "${lines[@]}"; do
# e.g. /proc/acpi:character special file:1:3:1
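Review bot: The switch to `run_podman '?'` accepts exit status 1 without saying why at the call site; the explanation appears only in the comment added in the next hunk. A short comment above the call would help, e.g. `# stat exits 1 when a path is absent (#8949); each output line is still checked below`. The new `elif` in the next hunk accepts `No such file or directory` for any path, which would include `/dev/null`. I assume the `devnull` handling after the loop still catches that case, but it lies outside both hunks.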
@@ -161,6 +165,11 @@ EOF
# If you can think of a better way to do this check,
# please feel free to fix it.
is "$nlinks" "2" "$path: directory link count"
+ elif [[ $result =~ stat:.*No.such.file.or.directory ]]; then
+ # No matter what the path is, this is OK. It has to do with #8949
+ # and RHEL8 and rootless and cgroups v1. Bottom line, what we care
+ # about is that the path not be available inside the container.
+ :
else
die "$path: Unknown file type '$type'"
fi
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index 1e44fe06c..7482d3e55 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -171,4 +171,15 @@ function check_label() {
run_podman pod rm myselinuxpod
}
+# #8946 - better diagnostics for nonexistent attributes
+@test "podman with nonexistent labels" {
+ skip_if_no_selinux
+
+ # The '.*' in the error below is for dealing with podman-remote, which
+ # includes "error preparing container <sha> for attach" in output.
+ run_podman 126 run --security-opt label=type:foo.bar $IMAGE true
+ is "$output" "Error.*: \`/proc/thread-self/attr/exec\`: OCI runtime error: unable to assign security attribute" "useful diagnostic"
+}
+
+
# vim: filetype=sh
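Review bot: The expected string in "podman with nonexistent labels" pins both exit status 126 and the exact wording after `OCI runtime error:`, which looks like text produced by the OCI runtime rather than by podman itself. If these system tests are run against more than one runtime, that wording (and possibly the status) may differ, so matching only the part podman controls would be less brittle. The container is also started without `--rm`, so the failed container presumably stays behind until the suite's teardown removes it.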
diff --git a/vendor/github.com/google/uuid/version4.go b/vendor/github.com/google/uuid/version4.go
index c110465db..86160fbd0 100644
--- a/vendor/github.com/google/uuid/version4.go
+++ b/vendor/github.com/google/uuid/version4.go
@@ -14,6 +14,14 @@ func New() UUID {
return Must(NewRandom())
}
+// NewString creates a new random UUID and returns it as a string or panics.
+// NewString is equivalent to the expression
+//
+// uuid.New().String()
+func NewString() string {
+ return Must(NewRandom()).String()
+}
+
// NewRandom returns a Random (Version 4) UUID.
//
// The strength of the UUIDs is based on the strength of the crypto/rand
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 79aca766d..397ab70be 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -319,7 +319,7 @@ github.com/golang/protobuf/ptypes/timestamp
github.com/google/gofuzz
# github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf
github.com/google/shlex
-# github.com/google/uuid v1.1.5
+# github.com/google/uuid v1.2.0
github.com/google/uuid
# github.com/gorilla/mux v1.8.0
github.com/gorilla/mux