-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | changelog.txt | 159 | ||||
-rw-r--r-- | contrib/spec/podman.spec.in | 2 | ||||
-rw-r--r-- | libpod/container_internal.go | 2 | ||||
-rw-r--r-- | libpod/networking_linux.go | 11 | ||||
-rw-r--r-- | libpod/oci_linux.go | 15 | ||||
-rw-r--r-- | pkg/spec/spec_test.go | 38 | ||||
-rw-r--r-- | test/e2e/exec_test.go | 15 | ||||
-rw-r--r-- | test/e2e/run_cleanup_test.go | 16 | ||||
-rw-r--r-- | version/version.go | 2 |
10 files changed, 228 insertions, 34 deletions
@@ -3,7 +3,7 @@ export GOPROXY=https://proxy.golang.org GO ?= go DESTDIR ?= -EPOCH_TEST_COMMIT ?= b9a176bea94b8e3a97a70dd7cd599f1a057777b0 +EPOCH_TEST_COMMIT ?= 2366fd7ac621ba15abe559832f024d06b3db3c9b HEAD ?= HEAD CHANGELOG_BASE ?= HEAD~ CHANGELOG_TARGET ?= HEAD diff --git a/changelog.txt b/changelog.txt index b0a847aee..c2c2a8ce9 100644 --- a/changelog.txt +++ b/changelog.txt 
@@ -1,3 +1,162 @@ +- Changelog for v1.6.0-rc1 (2019-09-16) + * Fix default to pause in podman cp + * Update release notes for v1.6.0 + * Vendor Bulidah 1.11.2 + * get runtime for podman-remote push earlier + * rootless: report the correct error + * Report errors when trying to pause rootless containers + * Do not support wildcards on cp + * Podman-remote run should wait for exit code + * Use exit code constants + * exec: Register resize func a bit later + * clean up after healthcheck execs + * enhance podman network rm + * Add podman icon to installer + * Test that PTYs created by 'podman exec --tty' have the ONLCR flag + * Prevent podman varlink socket fight + * Touch up some bad grammar in rootless doc + * linux: fix systemd with --cgroupns=private + * rootless: run pause process in its own scope + * rootless: automatically create a systemd scope + * utils: use the user session for systemd + * Support building Windows msi file + * Add cgroup v2 info to rootless tutorial + * fix podman sign signature store for rootless + * podman-remote image trust is broken + * Cirrus: Fix unnecessary setsebool + * Add further fields to StorageContainer + * Volume lookup needs to include state to unmarshal into + * Do not prune images being used by a container + * Add support for launching containers without CGroups + * add lint and manpage check to make validate + * Add `ContainerManager` annotation to created containers + * When first mounting any named volume, copy up + * Add function for looking up volumes by partial name + * hack/man_page_checker - improve diagnostics + * podman network create + * Fixup `util.GetRootlessConfigHomeDir` permission requirements + * Fixup Makefile for BSD systems, e.g. 
macOS + * Replace "podman" with "Podman" + * Add instructions for mounting named volumes from the host for `podman run` + * Add instruction for using fuse-overlayfs as the rootless storage driver + * Fix podman import bash completions + * Turn off journald in podmanimages on quay.io + * build: pass down the cgroup manager to buildah + * mac_client.md + * Ignore ENOENT on umount of SHM + * play kube: fix segfault + * Return information about mount_program (fuse-overlayfs) + * Ensure good defaults on blank c/storage configuration + * Correctly report errors on unmounting SHM + * Add ability for volumes with options to mount/umount + * Fixup README.md to give proper information + * Add volume state + * Change volume driver and options JSON tags + * Update buildah to v1.11.0 + * Set TMPDIR to /var/tmp by default + * cli-flags: use a consistent format for <size><unit> + * Fix unit tests missing comparative for 'Expect' + * System tests: support for crun on f31/rawhide + * libpod: avoid polling container status + * Add test to verify noexec works with volume mounts + * Cirrus: Update e-mail -> IRC Nick table + * handle dns response from cni + * pkg/util: use rootless function to read additional users + * Enable hack/man-page-checker in CI + * rootless: detect user namespace configuration changes + * rootless.md: add systemd unit example + * docs: add note about failing rhel7 systemd on cgroups v2 + * spec: provide custom implementation for getDevices + * spec: do not set devices cgroup when rootless + * rootless: bind mount devices instead of creating them + * Add command aliases to SYNOPSIS section + * Exclude podman-remote + * Cirrus: On success, add IRC nick mention to msg + * Fix table spacing + * Revert the descriptive text for podman-remote + * WIP - ignore man pages for commands besides podman + * podman-remote is not a subcommand + * Fix formatting and enable hack/man-page-checker + * Cirrus: Load base-image names indirectly + * Cirrus: Remove image_prune 
YAML-alias workaround + * Fix links to manpages + * Makefile: use go proxy + * man: events-logger → events-backend + * dont panic when using varlink commit and uppercase image names + * Add a test for the new suid/exec/dev options + * Fix addition of mount options when using RO tmpfs + * Allow :z and :Z with ProcessOptions + * Set base mount options for bind mounts from base system + * Don't double-process tmpfs options + * Add support for 'exec', 'suid', 'dev' mount flags + * Update buildah to current master + * Cirrus: Reimplement release archive + upload + * Readme: Links for automatic binary releases + * Re-add locks to volumes. + * image: remove unused Decompose method + * Temporarily disable systemd test for CGroups V2 + * Add an integration test for systemd in a container + * clean up after remote build + * Cirrus: Block CNI use of google VPCs + * Add snap build test to success and release check + * Run `apt-get update` to avoid missing package while building + * Use snapcraft on Ubuntu 18.04 for libostree-dev + * Test build snap with Cirrus CI + * Update varlink doc and code + * podman cp: big set of system tests + * add iproute to podman in podman image + * Cirrus: Enable VM image housekeeping + * clean up after remote build + * Adjust name of Podman CNI network bridge + * Update cni config instructions + * Fix minor typos in podman-run docs. + * Fix link format in rootless_tutorial.md. 
+ * Need to include command name in error message + * podman-remote: cp crashes + * generate systemd: support pods and geneartig files + * Dockerfile.fedora: install cni plugins package + * Add --digestfile option to push + * generate systemd: drop support for remote clients + * exec: run with user specified on container start + * Dockerfile*: fix build for CNI plugins + * Touchup README with Buildah build usage + * Dockerfile.*: bump CNI plugins commit + * Implement healthcheck for remote client + * networking: use firewall plugin + * Flake fix: build test timeout + * Fix error message on podman stats on cgroups v1 rootless environments + * test: enable all tests for crun + * test: fix return code check for missing workdir + * Fix directory pull image name for OCI images + * .cirrus.yml: use crun from git master + * libpod, pkg: lookup also for crun failures + * libpod.conf: add crun to runtime_supports_json + * containers, create: debug message on failed deletion + * libpod: still attempt to read the oci log file if not output + * Issue template update to include package info + * Allow customizing pod hostname + * add --cert-dir image sign + * Cirrus: Minor: Simplify crun test task + * Create framework for varlink endpoint integration tests + * Cirrus: Confirm networking more + * inclusion of podman network + * do not activate sd_notify support when varlink + * Remove --tmpfs size default + * cirrus: enable cgroups v2 tests with crun + * tests: skip pause tests if freezer is not available + * tests: enable run tests for cgroups v2 + * tests: enable cpu tests for cgroups v2 + * tests: enable memory tests for cgroups v2 + * runtime: honor --runtime flag to build + * test: fix option name + * Add support & documentation to run containers with different file types + * Use GetRuntimeDir to setup auth.json for login + * add --pull flag for podman create&run + * Fix typos + * Update Varlink API documentation for volumes changes + * Swap 'volume inspect' frontend to use 
the new backend + * Implement backend for 'volume inspect' + - Changelog for v1.5.1 (2019-08-15) * Add release notes for v1.5.1 * Set Pod hostname as Pod name diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in index 934f785db..6ac324499 100644 --- a/contrib/spec/podman.spec.in +++ b/contrib/spec/podman.spec.in @@ -39,7 +39,7 @@ %global shortcommit_conmon %(c=%{commit_conmon}; echo ${c:0:7}) Name: podman -Version: 1.5.2 +Version: 1.6.0 Release: #COMMITDATE#.git%{shortcommit0}%{?dist} Summary: Manage Pods, Containers and Container Images License: ASL 2.0 diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 6bf8439da..8b96b3f62 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -1368,7 +1368,7 @@ func (c *Container) cleanupStorage() error { // error // We still want to be able to kick the container out of the // state - if errors.Cause(err) == storage.ErrNotAContainer || errors.Cause(err) == storage.ErrContainerUnknown { + if errors.Cause(err) == storage.ErrNotAContainer || errors.Cause(err) == storage.ErrContainerUnknown || errors.Cause(err) == storage.ErrLayerNotMounted { logrus.Errorf("Storage for container %s has been removed", c.ID()) } else { if cleanupErr != nil { diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go index fd14b2f73..67dd0150b 100644 --- a/libpod/networking_linux.go +++ b/libpod/networking_linux.go 
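Review bot: The log text on the line after the extended condition, `Storage for container %s has been removed`, is no longer accurate for the new `storage.ErrLayerNotMounted` case. A layer that is not mounted is not the same as storage that has been removed, and the Error-level message would mislead anyone reading the logs during triage. Consider a `switch errors.Cause(err)` with its own branch, e.g. `case storage.ErrLayerNotMounted: logrus.Debugf("Storage for container %s is already unmounted", c.ID())`, which also avoids calling `errors.Cause(err)` three times. cleanupStorage starts and ends outside the hunk, so the handling of cleanupErr in the else branch is only partly visible.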
@@ -127,13 +127,13 @@ type slirp4netnsCmd struct { Args slirp4netnsCmdArg `json:"arguments"` } -func checkSlirpFlags(path string) (bool, bool, error) { +func checkSlirpFlags(path string) (bool, bool, bool, error) { cmd := exec.Command(path, "--help") out, err := cmd.CombinedOutput() if err != nil { - return false, false, err + return false, false, false, err } - return strings.Contains(string(out), "--disable-host-loopback"), strings.Contains(string(out), "--mtu"), nil + return strings.Contains(string(out), "--disable-host-loopback"), strings.Contains(string(out), "--mtu"), strings.Contains(string(out), "--enable-sandbox"), nil } // Configure the network namespace for a rootless container @@ -166,7 +166,7 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) { if havePortMapping { cmdArgs = append(cmdArgs, "--api-socket", apiSocket, fmt.Sprintf("%d", ctr.state.PID)) } - dhp, mtu, err := checkSlirpFlags(path) + dhp, mtu, sandbox, err := checkSlirpFlags(path) if err != nil { return errors.Wrapf(err, "error checking slirp4netns binary %s", path) } @@ -176,6 +176,9 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) { if mtu { cmdArgs = append(cmdArgs, "--mtu", "65520") } + if sandbox { + cmdArgs = append(cmdArgs, "--enable-sandbox") + } cmdArgs = append(cmdArgs, "-c", "-e", "3", "-r", "4", fmt.Sprintf("%d", ctr.state.PID), "tap0") cmd := exec.Command(path, cmdArgs...) diff --git a/libpod/oci_linux.go b/libpod/oci_linux.go index 091b6d155..9ec074704 100644 --- a/libpod/oci_linux.go +++ b/libpod/oci_linux.go @@ -8,6 +8,7 @@ import ( "os/exec" "path/filepath" "runtime" + "strconv" "strings" "syscall" "time" 
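Review bot: checkSlirpFlags now returns three positional bools, and the call site in setupRootlessNetNS must unpack them in exactly that order. Swapping two of them compiles cleanly and could silently drop `--enable-sandbox`. Named results would document the order without changing callers: `func checkSlirpFlags(path string) (disableHostLoopback, mtu, sandbox bool, err error)`. A doc comment stating that the function probes the binary's `--help` output for supported flags would help, and `string(out)` could be converted once into a local instead of three times.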
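Review bot: When the installed slirp4netns does not advertise `--enable-sandbox`, the new `if sandbox` block is skipped without any trace. The rootless network helper then runs unsandboxed and nothing in the logs records the downgrade. Since the flag is a hardening measure, an else branch with a debug message would make this visible, e.g. `logrus.Debugf("slirp4netns %s does not support --enable-sandbox, running without it", path)` (this assumes logrus is imported in this file, which the hunk does not show). setupRootlessNetNS starts and ends outside the hunk.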
@@ -199,7 +200,7 @@ func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty args := r.sharedConmonArgs(c, sessionID, c.execBundlePath(sessionID), c.execPidPath(sessionID), c.execLogPath(sessionID), c.execExitFileDir(sessionID), ociLog) if preserveFDs > 0 { - args = append(args, formatRuntimeOpts("--preserve-fds", string(preserveFDs))...) + args = append(args, formatRuntimeOpts("--preserve-fds", strconv.Itoa(preserveFDs))...) } for _, capability := range capAdd { @@ -236,6 +237,12 @@ func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty return -1, nil, err } + if preserveFDs > 0 { + for fd := 3; fd < 3+preserveFDs; fd++ { + execCmd.ExtraFiles = append(execCmd.ExtraFiles, os.NewFile(uintptr(fd), fmt.Sprintf("fd-%d", fd))) + } + } + // we don't want to step on users fds they asked to preserve // Since 0-2 are used for stdio, start the fds we pass in at preserveFDs+3 execCmd.Env = append(r.conmonEnv, fmt.Sprintf("_OCI_SYNCPIPE=%d", preserveFDs+3), fmt.Sprintf("_OCI_STARTPIPE=%d", preserveFDs+4), fmt.Sprintf("_OCI_ATTACHPIPE=%d", preserveFDs+5)) @@ -248,12 +255,6 @@ func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty Setpgid: true, } - if preserveFDs > 0 { - for fd := 3; fd < 3+preserveFDs; fd++ { - execCmd.ExtraFiles = append(execCmd.ExtraFiles, os.NewFile(uintptr(fd), fmt.Sprintf("fd-%d", fd))) - } - } - err = startCommandGivenSelinux(execCmd) // We don't need children pipes on the parent side diff --git a/pkg/spec/spec_test.go b/pkg/spec/spec_test.go index 0abff491b..2f91e1b21 100644 --- a/pkg/spec/spec_test.go +++ b/pkg/spec/spec_test.go @@ -4,6 +4,8 @@ import ( "runtime" "testing" + "github.com/containers/libpod/pkg/cgroups" + "github.com/containers/libpod/pkg/rootless" "github.com/containers/libpod/pkg/sysinfo" "github.com/containers/storage" "github.com/containers/storage/pkg/idtools" 
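Review bot: The relocated loop in execContainer wraps descriptors 3 through 3+preserveFDs-1 of the podman process with `os.NewFile` without checking that each one is open and was actually handed in by the caller. If fewer descriptors were passed than `--preserve-fds` claims, those numbers are either closed, so the failure surfaces only when the command is started, or they may refer to files podman opened for itself, which the exec session in the container would then inherit. A per-descriptor validity probe (an fcntl F_GETFD call, for instance) with a clear error before appending would cover the first case; the second needs confirmation of what can occupy those numbers at this point. The move appears to exist so the preserved descriptors precede the conmon pipes, whose setup is outside the hunk, so a comment would keep that ordering from regressing: `// ExtraFiles[i] becomes fd 3+i in the child, so preserved fds must be appended before the sync/start/attach pipes`.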
@@ -26,14 +28,30 @@ func makeTestCreateConfig() *CreateConfig { return cc } -// TestPIDsLimit verifies the given pid-limit is correctly defined in the spec -func TestPIDsLimit(t *testing.T) { +func doCommonSkipChecks(t *testing.T) { // The default configuration of podman enables seccomp, which is not available on non-Linux systems. // Thus, any tests that use the default seccomp setting would fail. // Skip the tests on non-Linux platforms rather than explicitly disable seccomp in the test and possibly affect the test result. if runtime.GOOS != "linux" { t.Skip("seccomp, which is enabled by default, is only supported on Linux") } + + if rootless.IsRootless() { + isCgroupV2, err := cgroups.IsCgroup2UnifiedMode() + if err != nil { + t.Errorf("unexpected error: %v", err) + } + + if !isCgroupV2 { + t.Skip("cgroups v1 cannot be used when rootless") + } + } +} + +// TestPIDsLimit verifies the given pid-limit is correctly defined in the spec +func TestPIDsLimit(t *testing.T) { + doCommonSkipChecks(t) + if !sysInfo.PidsLimit { t.Skip("running test not supported by the host system") } @@ -50,12 +68,8 @@ func TestPIDsLimit(t *testing.T) { // TestBLKIOWeightDevice verifies the given blkio weight is correctly set in the // spec. func TestBLKIOWeightDevice(t *testing.T) { - // The default configuration of podman enables seccomp, which is not available on non-Linux systems. - // Thus, any tests that use the default seccomp setting would fail. - // Skip the tests on non-Linux platforms rather than explicitly disable seccomp in the test and possibly affect the test result. - if runtime.GOOS != "linux" { - t.Skip("seccomp, which is enabled by default, is only supported on Linux") - } + doCommonSkipChecks(t) + if !sysInfo.BlkioWeightDevice { t.Skip("running test not supported by the host system") } 
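Review bot: In doCommonSkipChecks the error from `cgroups.IsCgroup2UnifiedMode()` is reported with `t.Errorf`, which does not stop the helper. Execution continues with `isCgroupV2` at its zero value and reaches `t.Skip("cgroups v1 cannot be used when rootless")`, so a detection failure is recorded alongside a skip message that names the wrong cause. `t.Fatalf("unexpected error: %v", err)` stops at the real problem. Adding `t.Helper()` as the first statement makes skips and failures point at the calling test, and a one-line doc comment listing the conditions the helper skips on would be useful.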
@@ -75,12 +89,8 @@ func TestBLKIOWeightDevice(t *testing.T) { // TestMemorySwap verifies that the given swap memory limit is correctly set in // the spec. func TestMemorySwap(t *testing.T) { - // The default configuration of podman enables seccomp, which is not available on non-Linux systems. - // Thus, any tests that use the default seccomp setting would fail. - // Skip the tests on non-Linux platforms rather than explicitly disable seccomp in the test and possibly affect the test result. - if runtime.GOOS != "linux" { - t.Skip("seccomp, which is enabled by default, is only supported on Linux") - } + doCommonSkipChecks(t) + if !sysInfo.SwapLimit { t.Skip("running test not supported by the host system") } diff --git a/test/e2e/exec_test.go b/test/e2e/exec_test.go index 670269eab..13fdabb81 100644 --- a/test/e2e/exec_test.go +++ b/test/e2e/exec_test.go @@ -2,6 +2,7 @@ package integration import ( "os" + "strings" . "github.com/containers/libpod/test/utils" . "github.com/onsi/ginkgo" @@ -228,4 +229,18 @@ var _ = Describe("Podman exec", func() { session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(127)) }) + + It("podman exec preserve fds sanity check", func() { + // TODO: add this test once crun adds the --preserve-fds flag for exec + if strings.Contains(podmanTest.OCIRuntime, "crun") { + Skip("Test only works on crun") + } + setup := podmanTest.RunTopContainer("test1") + setup.WaitWithDefaultTimeout() + Expect(setup.ExitCode()).To(Equal(0)) + + session := podmanTest.Podman([]string{"exec", "--preserve-fds", "1", "test1", "ls"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + }) }) diff --git a/test/e2e/run_cleanup_test.go b/test/e2e/run_cleanup_test.go index 86790e726..99d0d55e5 100644 --- a/test/e2e/run_cleanup_test.go +++ b/test/e2e/run_cleanup_test.go @@ -4,7 +4,6 @@ package integration import ( "os" - "strings" . "github.com/containers/libpod/test/utils" . "github.com/onsi/ginkgo" 
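Review bot: The skip message in the new `podman exec preserve fds sanity check` test contradicts its condition: the test is skipped when the runtime name contains `crun`, yet the message reads `Test only works on crun`. Going by the TODO above it, something like `Skip("crun does not yet support --preserve-fds for exec")` is what is meant. The test also runs `exec --preserve-fds 1` without visibly handing podman an extra descriptor and asserts only the exit code, so it does not show that a descriptor reaches the exec session. If the harness allows passing an open file as fd 3, checking for it inside the container (for example by listing `/proc/self/fd`) would cover the feature itself.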
@@ -36,6 +35,8 @@ var _ = Describe("Podman run exit", func() { }) It("podman run -d mount cleanup test", func() { + SkipIfRootless() + result := podmanTest.Podman([]string{"run", "-dt", ALPINE, "top"}) result.WaitWithDefaultTimeout() cid := result.OutputToString() @@ -43,25 +44,30 @@ var _ = Describe("Podman run exit", func() { mount := SystemExec("mount", nil) Expect(mount.ExitCode()).To(Equal(0)) - Expect(strings.Contains(mount.OutputToString(), cid)) + Expect(mount.OutputToString()).To(ContainSubstring(cid)) pmount := podmanTest.Podman([]string{"mount", "--notruncate"}) pmount.WaitWithDefaultTimeout() - Expect(strings.Contains(pmount.OutputToString(), cid)) Expect(pmount.ExitCode()).To(Equal(0)) + Expect(pmount.OutputToString()).To(ContainSubstring(cid)) stop := podmanTest.Podman([]string{"stop", cid}) stop.WaitWithDefaultTimeout() Expect(stop.ExitCode()).To(Equal(0)) + // We have to force cleanup so the unmount happens + podmanCleanupSession := podmanTest.Podman([]string{"container", "cleanup", cid}) + podmanCleanupSession.WaitWithDefaultTimeout() + Expect(podmanCleanupSession.ExitCode()).To(Equal(0)) + mount = SystemExec("mount", nil) Expect(mount.ExitCode()).To(Equal(0)) - Expect(!strings.Contains(mount.OutputToString(), cid)) + Expect(mount.OutputToString()).NotTo(ContainSubstring(cid)) pmount = podmanTest.Podman([]string{"mount", "--notruncate"}) pmount.WaitWithDefaultTimeout() - Expect(!strings.Contains(pmount.OutputToString(), cid)) Expect(pmount.ExitCode()).To(Equal(0)) + Expect(pmount.OutputToString()).NotTo(ContainSubstring(cid)) }) }) diff --git a/version/version.go b/version/version.go index f0823f260..348a69594 100644 --- a/version/version.go +++ b/version/version.go 
@@ -4,7 +4,7 @@ package version // NOTE: remember to bump the version at the top // of the top-level README.md file when this is // bumped. -const Version = "1.5.2-dev" +const Version = "1.6.0-dev" // RemoteAPIVersion is the version for the remote // client API. It is used to determine compatibility |