-rw-r--r--Makefile5
-rw-r--r--contrib/cirrus/container_test.sh1
-rwxr-xr-xcontrib/cirrus/integration_test.sh1
-rw-r--r--contrib/cirrus/lib.sh1
-rwxr-xr-xcontrib/cirrus/setup_environment.sh6
-rw-r--r--contrib/spec/podman.spec.in4
-rw-r--r--go.mod2
-rw-r--r--go.sum2
-rw-r--r--libpod.conf181
-rw-r--r--test/system/160-volumes.bats234
-rw-r--r--vendor/gopkg.in/yaml.v2/apic.go1
-rw-r--r--vendor/modules.txt2
12 files changed, 239 insertions, 201 deletions
diff --git a/Makefile b/Makefile
index e991d4b35..d4eadbb5e 100644
--- a/Makefile
+++ b/Makefile
@@ -527,11 +527,6 @@ install.man-nobuild:
.PHONY: install.man
install.man: docs install.man-nobuild
-.PHONY: install.config
-install.config:
- install ${SELINUXOPT} -d -m 755 $(DESTDIR)$(SHAREDIR_CONTAINERS)
- install ${SELINUXOPT} -m 644 libpod.conf $(DESTDIR)$(SHAREDIR_CONTAINERS)/libpod.conf
-
.PHONY: install.seccomp
install.seccomp:
# TODO: we should really be using the upstream one from github.com/seccomp
diff --git a/contrib/cirrus/container_test.sh b/contrib/cirrus/container_test.sh
index 4624868f1..bf0a0d3f1 100644
--- a/contrib/cirrus/container_test.sh
+++ b/contrib/cirrus/container_test.sh
@@ -126,7 +126,6 @@ if [ $install -eq 1 ]; then
make TAGS="${TAGS}" install.bin PREFIX=/usr ETCDIR=/etc
make TAGS="${TAGS}" install.man PREFIX=/usr ETCDIR=/etc
make TAGS="${TAGS}" install.cni PREFIX=/usr ETCDIR=/etc
- make TAGS="${TAGS}" install.config PREFIX=/usr ETCDIR=/etc
make TAGS="${TAGS}" install.systemd PREFIX=/usr ETCDIR=/etc
fi
diff --git a/contrib/cirrus/integration_test.sh b/contrib/cirrus/integration_test.sh
index 6341bcb4a..0f2b2ab7e 100755
--- a/contrib/cirrus/integration_test.sh
+++ b/contrib/cirrus/integration_test.sh
@@ -50,7 +50,6 @@ case "$SPECIALMODE" in
none)
make
make install PREFIX=/usr ETCDIR=/etc
- make install.config PREFIX=/usr
make test-binaries
if [[ "$TEST_REMOTE_CLIENT" == "true" ]]
then
diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh
index 750aec3b6..c0dd8cfc5 100644
--- a/contrib/cirrus/lib.sh
+++ b/contrib/cirrus/lib.sh
@@ -98,7 +98,6 @@ ROOTLESS_ENV_RE='(CIRRUS_.+)|(ROOTLESS_.+)|(.+_IMAGE.*)|(.+_BASE)|(.*DIRPATH)|(.
SECRET_ENV_RE='(IRCID)|(ACCOUNT)|(GC[EP]..+)|(SSH)'
SPECIALMODE="${SPECIALMODE:-none}"
-MOD_LIBPOD_CONF="${MOD_LIBPOD_CONF:false}"
TEST_REMOTE_CLIENT="${TEST_REMOTE_CLIENT:-false}"
export CONTAINER_RUNTIME=${CONTAINER_RUNTIME:-podman}
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
index 756240444..945b33909 100755
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@@ -76,12 +76,6 @@ case "$CG_FS_TYPE" in
X=$(echo "export OCI_RUNTIME=/usr/bin/crun" | \
tee -a /etc/environment) && eval "$X" && echo "$X"
- if [[ "$MOD_LIBPOD_CONF" == "true" ]]; then
- warn "Updating runtime setting in repo. copy of libpod.conf"
- sed -i -r -e 's/^runtime = "runc"/runtime = "crun"/' $GOSRC/libpod.conf
- git diff $GOSRC/libpod.conf
- fi
-
if [[ "$OS_RELEASE_ID" == "fedora" ]]; then
warn "Upgrading to the latest crun"
# Normally not something to do for stable testing
diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in
index 1dfbdf208..ff948701b 100644
--- a/contrib/spec/podman.spec.in
+++ b/contrib/spec/podman.spec.in
@@ -423,10 +423,6 @@ PODMAN_VERSION=%{version} %{__make} PREFIX=%{buildroot}%{_prefix} ETCDIR=%{build
mv pkg/hooks/README.md pkg/hooks/README-hooks.md
-# install libpod.conf
-install -dp %{buildroot}%{_datadir}/containers
-install -p -m 644 %{repo}.conf %{buildroot}%{_datadir}/containers
-
# install conmon
install -dp %{buildroot}%{_libexecdir}/%{name}
install -p -m 755 conmon/bin/conmon %{buildroot}%{_libexecdir}/%{name}
diff --git a/go.mod b/go.mod
index ef573a0c6..77c22e195 100644
--- a/go.mod
+++ b/go.mod
@@ -61,7 +61,7 @@ require (
golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e
golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f
- gopkg.in/yaml.v2 v2.2.8
+ gopkg.in/yaml.v2 v2.3.0
k8s.io/api v0.18.2
k8s.io/apimachinery v0.18.2
k8s.io/client-go v0.0.0-20190620085101-78d2af792bab
diff --git a/go.sum b/go.sum
index ce98c506d..588dfef8c 100644
--- a/go.sum
+++ b/go.sum
@@ -650,6 +650,8 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
diff --git a/libpod.conf b/libpod.conf
deleted file mode 100644
index 1bc31eb4c..000000000
--- a/libpod.conf
+++ /dev/null
@@ -1,181 +0,0 @@
-# libpod.conf is the default configuration file for all tools using libpod to
-# manage containers
-
-# Default transport method for pulling and pushing for images
-image_default_transport = "docker://"
-
-# Paths to look for the conmon container manager binary.
-# If the paths are empty or no valid path was found, then the `$PATH`
-# environment variable will be used as the fallback.
-conmon_path = [
- "/usr/libexec/podman/conmon",
- "/usr/local/libexec/podman/conmon",
- "/usr/local/lib/podman/conmon",
- "/usr/bin/conmon",
- "/usr/sbin/conmon",
- "/usr/local/bin/conmon",
- "/usr/local/sbin/conmon",
- "/run/current-system/sw/bin/conmon",
-]
-
-# Environment variables to pass into conmon
-conmon_env_vars = [
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-]
-
-# CGroup Manager - valid values are "systemd" and "cgroupfs"
-cgroup_manager = "systemd"
-
-# Container init binary
-#init_path = "/usr/libexec/podman/catatonit"
-
-# Directory for persistent libpod files (database, etc)
-# By default, this will be configured relative to where containers/storage
-# stores containers
-# Uncomment to change location from this default
-#static_dir = "/var/lib/containers/storage/libpod"
-
-# Directory for temporary files. Must be tmpfs (wiped after reboot)
-tmp_dir = "/var/run/libpod"
-
-# Maximum size of log files (in bytes)
-# -1 is unlimited
-max_log_size = -1
-
-# Whether to use chroot instead of pivot_root in the runtime
-no_pivot_root = false
-
-# Directory containing CNI plugin configuration files
-cni_config_dir = "/etc/cni/net.d/"
-
-# Directories where the CNI plugin binaries may be located
-cni_plugin_dir = [
- "/usr/libexec/cni",
- "/usr/lib/cni",
- "/usr/local/lib/cni",
- "/opt/cni/bin"
-]
-
-# Default CNI network for libpod.
-# If multiple CNI network configs are present, libpod will use the network with
-# the name given here for containers unless explicitly overridden.
-# The default here is set to the name we set in the
-# 87-podman-bridge.conflist included in the repository.
-# Not setting this, or setting it to the empty string, will use normal CNI
-# precedence rules for selecting between multiple networks.
-cni_default_network = "podman"
-
-# Default libpod namespace
-# If libpod is joined to a namespace, it will see only containers and pods
-# that were created in the same namespace, and will create new containers and
-# pods in that namespace.
-# The default namespace is "", which corresponds to no namespace. When no
-# namespace is set, all containers and pods are visible.
-#namespace = ""
-
-# Default infra (pause) image name for pod infra containers
-infra_image = "k8s.gcr.io/pause:3.2"
-
-# Default command to run the infra container
-infra_command = "/pause"
-
-# Determines whether libpod will reserve ports on the host when they are
-# forwarded to containers. When enabled, when ports are forwarded to containers,
-# they are held open by conmon as long as the container is running, ensuring that
-# they cannot be reused by other programs on the host. However, this can cause
-# significant memory usage if a container has many ports forwarded to it.
-# Disabling this can save memory.
-#enable_port_reservation = true
-
-# Default libpod support for container labeling
-# label=true
-
-# The locking mechanism to use
-lock_type = "shm"
-
-# Number of locks available for containers and pods.
-# If this is changed, a lock renumber must be performed (e.g. with the
-# 'podman system renumber' command).
-num_locks = 2048
-
-# Directory for libpod named volumes.
-# By default, this will be configured relative to where containers/storage
-# stores containers.
-# Uncomment to change location from this default.
-#volume_path = "/var/lib/containers/storage/volumes"
-
-# Selects which logging mechanism to use for Podman events. Valid values
-# are `journald` or `file`.
-# events_logger = "journald"
-
-# Specify the keys sequence used to detach a container.
-# Format is a single character [a-Z] or a comma separated sequence of
-# `ctrl-<value>`, where `<value>` is one of:
-# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_`
-#
-# detach_keys = "ctrl-p,ctrl-q"
-
-# Default OCI runtime
-runtime = "runc"
-
-# List of the OCI runtimes that support --format=json. When json is supported
-# libpod will use it for reporting nicer errors.
-runtime_supports_json = ["crun", "runc"]
-
-# List of all the OCI runtimes that support --cgroup-manager=disable to disable
-# creation of CGroups for containers.
-runtime_supports_nocgroups = ["crun"]
-
-# Paths to look for a valid OCI runtime (runc, runv, etc)
-# If the paths are empty or no valid path was found, then the `$PATH`
-# environment variable will be used as the fallback.
-[runtimes]
-runc = [
- "/usr/bin/runc",
- "/usr/sbin/runc",
- "/usr/local/bin/runc",
- "/usr/local/sbin/runc",
- "/sbin/runc",
- "/bin/runc",
- "/usr/lib/cri-o-runc/sbin/runc",
- "/run/current-system/sw/bin/runc",
-]
-
-crun = [
- "/usr/bin/crun",
- "/usr/sbin/crun",
- "/usr/local/bin/crun",
- "/usr/local/sbin/crun",
- "/sbin/crun",
- "/bin/crun",
- "/run/current-system/sw/bin/crun",
-]
-
-# Kata Containers is an OCI runtime, where containers are run inside lightweight
-# Virtual Machines (VMs). Kata provides additional isolation towards the host,
-# minimizing the host attack surface and mitigating the consequences of
-# containers breakout.
-# Please notes that Kata does not support rootless podman yet, but we can leave
-# the paths below blank to let them be discovered by the $PATH environment
-# variable.
-
-# Kata Containers with the default configured VMM
-kata-runtime = [
- "/usr/bin/kata-runtime",
-]
-
-# Kata Containers with the QEMU VMM
-kata-qemu = [
- "/usr/bin/kata-qemu",
-]
-
-# Kata Containers with the Firecracker VMM
-kata-fc = [
- "/usr/bin/kata-fc",
-]
-
-# The [runtimes] table MUST be the last thing in this file.
-# (Unless another table is added)
-# TOML does not provide a way to end a table other than a further table being
-# defined, so every key hereafter will be part of [runtimes] and not the main
-# config.
diff --git a/test/system/160-volumes.bats b/test/system/160-volumes.bats
new file mode 100644
index 000000000..cd9f3c8ad
--- /dev/null
+++ b/test/system/160-volumes.bats
@@ -0,0 +1,234 @@
+#!/usr/bin/env bats -*- bats -*-
+#
+# podman volume-related tests
+#
+
+load helpers
+
+function setup() {
+ basic_setup
+
+ run_podman '?' volume rm -a
+}
+
+function teardown() {
+ run_podman '?' rm -a --volumes
+ run_podman '?' volume rm -a -f
+
+ basic_teardown
+}
+
+
+# Simple volume tests: share files between host and container
+@test "podman run --volumes : basic" {
+ skip_if_remote "volumes cannot be shared across hosts"
+
+ # Create three temporary directories
+ vol1=${PODMAN_TMPDIR}/v1_$(random_string)
+ vol2=${PODMAN_TMPDIR}/v2_$(random_string)
+ vol3=${PODMAN_TMPDIR}/v3_$(random_string)
+ mkdir $vol1 $vol2 $vol3
+
+ # In each directory, write a random string to a file
+ echo $(random_string) >$vol1/file1_in
+ echo $(random_string) >$vol2/file2_in
+ echo $(random_string) >$vol3/file3_in
+
+ # Run 'cat' on each file, and compare against local files. Mix -v / --volume
+ # flags, and specify them out of order just for grins. The shell wildcard
+ # expansion must sort vol1/2/3 lexically regardless.
+ v_opts="-v $vol1:/vol1:z --volume $vol3:/vol3:z -v $vol2:/vol2:z"
+ run_podman run --rm $v_opts $IMAGE sh -c "cat /vol?/file?_in"
+
+ for i in 1 2 3; do
+ eval voldir=\$vol${i}
+ is "${lines[$(($i - 1))]}" "$(< $voldir/file${i}_in)" \
+ "contents of /vol${i}/file${i}_in"
+ done
+
+ # Confirm that container sees vol1 as a mount point
+ run_podman run --rm $v_opts $IMAGE mount
+ is "$output" ".* on /vol1 type .*" "'mount' in container lists vol1"
+
+ # Have the container do write operations, confirm them on host
+ out1=$(random_string)
+ run_podman run --rm $v_opts $IMAGE sh -c "echo $out1 >/vol1/file1_out;
+ cp /vol2/file2_in /vol3/file3_out"
+ is "$(<$vol1/file1_out)" "$out1" "contents of /vol1/file1_out"
+ is "$(<$vol3/file3_out)" "$(<$vol2/file2_in)" "contents of /vol3/file3_out"
+
+ # Writing to read-only volumes: not allowed
+ run_podman 1 run --rm -v $vol1:/vol1ro:z,ro $IMAGE sh -c "touch /vol1ro/abc"
+ is "$output" ".*Read-only file system" "touch on read-only volume"
+}
+
+
+# Named volumes
+@test "podman volume create / run" {
+ myvolume=myvol$(random_string)
+ mylabel=$(random_string)
+
+ # Create a named volume
+ run_podman volume create --label l=$mylabel $myvolume
+ is "$output" "$myvolume" "output from volume create"
+
+ # Confirm that it shows up in 'volume ls', and confirm values
+ run_podman volume ls --format json
+ tests="
+Name | $myvolume
+Driver | local
+Labels.l | $mylabel
+"
+ parse_table "$tests" | while read field expect; do
+ actual=$(jq -r ".[0].$field" <<<"$output")
+ is "$actual" "$expect" "volume ls .$field"
+ done
+
+ # Run a container that writes to a file in that volume
+ mountpoint=$(jq -r '.[0].Mountpoint' <<<"$output")
+ rand=$(random_string)
+ run_podman run --rm --volume $myvolume:/vol $IMAGE sh -c "echo $rand >/vol/myfile"
+
+ # Confirm that the file is visible, with content, outside the container
+ is "$(<$mountpoint/myfile)" "$rand" "we see content created in container"
+
+ # Clean up
+ run_podman volume rm $myvolume
+}
+
+
+# Running scripts (executables) from a volume
+@test "podman volume: exec/noexec" {
+ myvolume=myvol$(random_string)
+
+ run_podman volume create $myvolume
+ is "$output" "$myvolume" "output from volume create"
+
+ run_podman volume inspect --format '{{.Mountpoint}}' $myvolume
+ mountpoint="$output"
+
+ # Create a script, make it runnable
+ rand=$(random_string)
+ cat >$mountpoint/myscript <<EOF
+#!/bin/sh
+echo "got here -$rand-"
+EOF
+ chmod 755 $mountpoint/myscript
+
+ # By default, volumes are mounted noexec. This should fail.
+ run_podman 126 run --rm --volume $myvolume:/vol:z $IMAGE /vol/myscript
+ is "$output" ".* OCI runtime permission denied.*" "run on volume, noexec"
+
+ # With exec, it should pass
+ run_podman run --rm -v $myvolume:/vol:z,exec $IMAGE /vol/myscript
+ is "$output" "got here -$rand-" "script in volume is runnable with exec"
+
+ # Clean up
+ run_podman volume rm $myvolume
+}
+
+
+# Anonymous temporary volumes, and persistent autocreated named ones
+@test "podman volume, implicit creation with run" {
+
+ # No hostdir arg: create anonymous container with random name
+ rand=$(random_string)
+ run_podman run -v /myvol $IMAGE sh -c "echo $rand >/myvol/myfile"
+
+ run_podman volume ls -q
+ tempvolume="$output"
+
+ # We should see the file created in the container
+ run_podman volume inspect --format '{{.Mountpoint}}' $tempvolume
+ mountpoint="$output"
+ test -e "$mountpoint/myfile"
+ is "$(< $mountpoint/myfile)" "$rand" "file contents, anonymous volume"
+
+ # Remove the container, using rm --volumes. Volume should now be gone.
+ run_podman rm -a --volumes
+ run_podman volume ls -q
+ is "$output" "" "anonymous volume is removed after container is rm'ed"
+
+ # Create a *named* container. This one should persist after container ends
+ myvol=myvol$(random_string)
+ rand=$(random_string)
+
+ run_podman run --rm -v $myvol:/myvol:z $IMAGE \
+ sh -c "echo $rand >/myvol/myfile"
+ run_podman volume ls -q
+ is "$output" "$myvol" "autocreated named container persists"
+
+ # ...and should be usable, read/write, by a second container
+ run_podman run --rm -v $myvol:/myvol:z $IMAGE \
+ sh -c "cp /myvol/myfile /myvol/myfile2"
+
+ run_podman volume rm $myvol
+
+ # Autocreated volumes should also work with keep-id
+ # All we do here is check status; podman 1.9.1 would fail with EPERM
+ myvol=myvol$(random_string)
+ run_podman run --rm -v $myvol:/myvol:z --userns=keep-id $IMAGE \
+ touch /myvol/myfile
+
+ run_podman volume rm $myvol
+}
+
+
+# Confirm that container sees the correct id
+@test "podman volume with --userns=keep-id" {
+ is_rootless || skip "only meaningful when run rootless"
+
+ myvoldir=${PODMAN_TMPDIR}/volume_$(random_string)
+ mkdir $myvoldir
+ touch $myvoldir/myfile
+
+ # With keep-id
+ run_podman run --rm -v $myvoldir:/vol:z --userns=keep-id $IMAGE \
+ stat -c "%u:%s" /vol/myfile
+ is "$output" "$(id -u):0" "with keep-id: stat(file in container) == my uid"
+
+ # Without
+ run_podman run --rm -v $myvoldir:/vol:z $IMAGE \
+ stat -c "%u:%s" /vol/myfile
+ is "$output" "0:0" "w/o keep-id: stat(file in container) == root"
+}
+
+
+# 'volume prune' identifies and cleans up unused volumes
+@test "podman volume prune" {
+ # Create four named volumes
+ local -a v=()
+ for i in 1 2 3 4;do
+ vol=myvol${i}$(random_string)
+ v[$i]=$vol
+ run_podman volume create $vol
+ done
+
+ # Run two containers: one mounting v1, one mounting v2 & v3
+ run_podman run --name c1 --volume ${v[1]}:/vol1 $IMAGE date
+ run_podman run --name c2 --volume ${v[2]}:/vol2 -v ${v[3]}:/vol3 \
+ $IMAGE date
+
+ # prune should remove v4
+ run_podman volume prune --force
+ is "$output" "${v[4]}" "volume prune, with 1, 2, 3 in use, deletes only 4"
+
+ # Remove the container using v2 and v3. Prune should now remove those.
+ # The 'echo sort' is to get the output sorted and in one line.
+ run_podman rm c2
+ run_podman volume prune --force
+ is "$(echo $(sort <<<$output))" "${v[2]} ${v[3]}" \
+ "volume prune, after rm c2, deletes volumes 2 and 3"
+
+ # Remove the final container. Prune should now remove v1.
+ run_podman rm c1
+ run_podman volume prune --force
+ is "$output" "${v[1]}" "volume prune, after rm c2 & c1, deletes volume 1"
+
+ # Further prunes are NOPs
+ run_podman volume prune --force
+ is "$output" "" "no more volumes to prune"
+}
+
+
+# vim: filetype=sh
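Review bot: In the `--userns=keep-id` test, `stat -c "%u:%s"` prints the uid and the file *size*, so the `:0` half of both expected values only confirms that `touch` left the file empty, while the assertion messages claim the container sees the right id; if group ownership was the intent, `%g` is the field to use, with the keep-id expectation then presumably the host gid (`"$(id -u):$(id -g)"`) rather than `0`, and if the size check is deliberate a one-line comment saying so would stop the next reader from "fixing" it. Several comments and one message in the implicit-creation test say "container" where a volume is meant: `# No hostdir arg: create anonymous container with random name`, `# Create a *named* container. This one should persist after container ends`, and `"autocreated named container persists"`; renaming those to "volume" avoids misreading what is being asserted. The bare `test -e "$mountpoint/myfile"` just before the `is` check fails the test under errexit with no message, so the `is` line on its own is the more informative check.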
diff --git a/vendor/gopkg.in/yaml.v2/apic.go b/vendor/gopkg.in/yaml.v2/apic.go
index 1f7e87e67..d2c2308f1 100644
--- a/vendor/gopkg.in/yaml.v2/apic.go
+++ b/vendor/gopkg.in/yaml.v2/apic.go
@@ -86,6 +86,7 @@ func yaml_emitter_initialize(emitter *yaml_emitter_t) {
raw_buffer: make([]byte, 0, output_raw_buffer_size),
states: make([]yaml_emitter_state_t, 0, initial_stack_size),
events: make([]yaml_event_t, 0, initial_queue_size),
+ best_width: -1,
}
}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 0bd684c62..765e68108 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -640,7 +640,7 @@ gopkg.in/square/go-jose.v2/cipher
gopkg.in/square/go-jose.v2/json
# gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7
gopkg.in/tomb.v1
-# gopkg.in/yaml.v2 v2.2.8
+# gopkg.in/yaml.v2 v2.3.0
gopkg.in/yaml.v2
# k8s.io/api v0.18.2
k8s.io/api/core/v1