diff options
| -rw-r--r-- | .cirrus.yml | 24 | ||||
| -rw-r--r-- | cmd/podman/main.go | 8 | ||||
| -rw-r--r-- | cmd/podman/registry/remote.go | 8 | ||||
| -rwxr-xr-x | contrib/cirrus/setup_environment.sh | 3 | ||||
| -rw-r--r-- | docs/source/markdown/podman.1.md | 2 | ||||
| -rw-r--r-- | libpod/oci_conmon_linux.go | 4 | ||||
| -rw-r--r-- | pkg/util/utils.go | 2 | ||||
| -rw-r--r-- | pkg/util/utils_supported.go | 50 | ||||
| -rw-r--r-- | test/system/001-basic.bats | 31 | ||||
| -rw-r--r-- | test/system/300-cli-parsing.bats | 14 | ||||
| -rw-r--r-- | test/system/800-config.bats | 80 | ||||
| -rw-r--r-- | test/system/helpers.bash | 3 | ||||
| -rw-r--r-- | troubleshooting.md | 29 |
13 files changed, 182 insertions, 76 deletions
diff --git a/.cirrus.yml b/.cirrus.yml index 7a306175a..7e523c4ae 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -38,7 +38,7 @@ env: UBUNTU_NAME: "ubuntu-2110" # Google-cloud VM Images - IMAGE_SUFFIX: "c6454758209748992" + IMAGE_SUFFIX: "c5814666029957120" FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}" PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}" UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}" @@ -157,11 +157,11 @@ build_task: CTR_FQIN: ${FEDORA_CONTAINER_FQIN} # ID for re-use of build output _BUILD_CACHE_HANDLE: ${FEDORA_NAME}-build-${CIRRUS_BUILD_ID} - - env: &priorfedora_envvars - DISTRO_NV: ${PRIOR_FEDORA_NAME} - VM_IMAGE_NAME: ${PRIOR_FEDORA_CACHE_IMAGE_NAME} - CTR_FQIN: ${PRIOR_FEDORA_CONTAINER_FQIN} - _BUILD_CACHE_HANDLE: ${PRIOR_FEDORA_NAME}-build-${CIRRUS_BUILD_ID} + #- env: &priorfedora_envvars + # DISTRO_NV: ${PRIOR_FEDORA_NAME} + # VM_IMAGE_NAME: ${PRIOR_FEDORA_CACHE_IMAGE_NAME} + # CTR_FQIN: ${PRIOR_FEDORA_CONTAINER_FQIN} + # _BUILD_CACHE_HANDLE: ${PRIOR_FEDORA_NAME}-build-${CIRRUS_BUILD_ID} - env: &ubuntu_envvars DISTRO_NV: ${UBUNTU_NAME} VM_IMAGE_NAME: ${UBUNTU_CACHE_IMAGE_NAME} @@ -390,7 +390,7 @@ unit_test_task: - validate matrix: - env: *stdenvars - - env: *priorfedora_envvars + #- env: *priorfedora_envvars - env: *ubuntu_envvars # Special-case: Rootless on latest Fedora (standard) VM - name: "Rootless unit on $DISTRO_NV" @@ -504,11 +504,11 @@ container_integration_test_task: _BUILD_CACHE_HANDLE: ${FEDORA_NAME}-build-${CIRRUS_BUILD_ID} VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME} CTR_FQIN: ${FEDORA_CONTAINER_FQIN} - - env: - DISTRO_NV: ${PRIOR_FEDORA_NAME} - _BUILD_CACHE_HANDLE: ${PRIOR_FEDORA_NAME}-build-${CIRRUS_BUILD_ID} - VM_IMAGE_NAME: ${PRIOR_FEDORA_CACHE_IMAGE_NAME} - CTR_FQIN: ${PRIOR_FEDORA_CONTAINER_FQIN} + #- env: + # DISTRO_NV: ${PRIOR_FEDORA_NAME} + # _BUILD_CACHE_HANDLE: ${PRIOR_FEDORA_NAME}-build-${CIRRUS_BUILD_ID} + # VM_IMAGE_NAME: ${PRIOR_FEDORA_CACHE_IMAGE_NAME} + # CTR_FQIN: ${PRIOR_FEDORA_CONTAINER_FQIN} gce_instance: *standardvm timeout_in: 90m env: diff --git a/cmd/podman/main.go b/cmd/podman/main.go index 9850f5d27..4f8131653 100644 --- a/cmd/podman/main.go +++ b/cmd/podman/main.go @@ -72,6 +72,8 @@ func parseCommands() *cobra.Command { } parent.AddCommand(c.Command) + c.Command.SetFlagErrorFunc(flagErrorFuncfunc) + // - templates need to be set here, as PersistentPreRunE() is // not called when --help is used. // - rootCmd uses cobra default template not ours @@ -84,5 +86,11 @@ func parseCommands() *cobra.Command { os.Exit(1) } + rootCmd.SetFlagErrorFunc(flagErrorFuncfunc) return rootCmd } + +func flagErrorFuncfunc(c *cobra.Command, e error) error { + e = fmt.Errorf("%w\nSee '%s --help'", e, c.CommandPath()) + return e +} diff --git a/cmd/podman/registry/remote.go b/cmd/podman/registry/remote.go index f05d8f7b4..181ef6b4a 100644 --- a/cmd/podman/registry/remote.go +++ b/cmd/podman/registry/remote.go @@ -30,6 +30,12 @@ func IsRemote() bool { fs.Usage = func() {} fs.SetInterspersed(false) fs.BoolVarP(&remoteFromCLI.Value, "remote", "r", remote, "") + connectionFlagName := "connection" + ignoredConnection := "" + fs.StringVarP(&ignoredConnection, connectionFlagName, "c", "", "") + urlFlagName := "url" + ignoredURL := "" + fs.StringVar(&ignoredURL, urlFlagName, "", "") // The shell completion logic will call a command called "__complete" or "__completeNoDesc" // This command will always be the second argument @@ -39,6 +45,8 @@ func IsRemote() bool { start = 2 } _ = fs.Parse(os.Args[start:]) + // --connection or --url implies --remote + remoteFromCLI.Value = remoteFromCLI.Value || fs.Changed(connectionFlagName) || fs.Changed(urlFlagName) }) return podmanOptions.EngineMode == entities.TunnelMode || remoteFromCLI.Value } diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh index 829bb651d..93f085983 100755 --- a/contrib/cirrus/setup_environment.sh +++ b/contrib/cirrus/setup_environment.sh @@ -247,6 +247,7 @@ esac case "$TEST_FLAVOR" in ext_svc) ;; validate) + dnf install -y $PACKAGE_DOWNLOAD_DIR/python3*.rpm # For some reason, this is also needed for validation make .install.pre-commit ;; @@ -257,7 +258,7 @@ case "$TEST_FLAVOR" in if [[ "$ALT_NAME" =~ RPM ]]; then bigto dnf install -y glibc-minimal-langpack go-rpm-macros rpkg rpm-build shadow-utils-subid-devel fi - ;& + ;; docker-py) remove_packaged_podman_files make install PREFIX=/usr ETCDIR=/etc diff --git a/docs/source/markdown/podman.1.md b/docs/source/markdown/podman.1.md index b318001e4..4d3e92dd2 100644 --- a/docs/source/markdown/podman.1.md +++ b/docs/source/markdown/podman.1.md @@ -42,6 +42,7 @@ and "$graphroot/networks" as rootless. #### **--connection**, **-c** Connection to use for remote podman, including Mac and Windows (excluding WSL2) machines, (Default connection is configured in `containers.conf`) +Setting this option will switch the **--remote** option to true. Remote connections use local containers.conf for default. #### **--conmon** @@ -108,6 +109,7 @@ environment variable is set, the **--remote** option defaults to true. #### **--url**=*value* URL to access Podman service (default from `containers.conf`, rootless `unix://run/user/$UID/podman/podman.sock` or as root `unix://run/podman/podman.sock`). +Setting this option will switch the **--remote** option to true. - `CONTAINER_HOST` is of the format `<schema>://[<user[:<password>]@]<host>[:<port>][<path>]` diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go index 268a301fb..a328f7621 100644 --- a/libpod/oci_conmon_linux.go +++ b/libpod/oci_conmon_linux.go @@ -1318,6 +1318,10 @@ func (r *ConmonOCIRuntime) configureConmonEnv(ctr *Container, runtimeDir string) env = append(env, e) } } + conf, ok := os.LookupEnv("CONTAINERS_CONF") + if ok { + env = append(env, fmt.Sprintf("CONTAINERS_CONF=%s", conf)) + } env = append(env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir)) env = append(env, fmt.Sprintf("_CONTAINERS_USERNS_CONFIGURED=%s", os.Getenv("_CONTAINERS_USERNS_CONFIGURED"))) env = append(env, fmt.Sprintf("_CONTAINERS_ROOTLESS_UID=%s", os.Getenv("_CONTAINERS_ROOTLESS_UID"))) diff --git a/pkg/util/utils.go b/pkg/util/utils.go index 925ff9830..bdd1e1383 100644 --- a/pkg/util/utils.go +++ b/pkg/util/utils.go @@ -463,8 +463,6 @@ func ParseIDMapping(mode namespaces.UsernsMode, uidMapSlice, gidMapSlice []strin var ( rootlessConfigHomeDirOnce sync.Once rootlessConfigHomeDir string - rootlessRuntimeDirOnce sync.Once - rootlessRuntimeDir string ) type tomlOptionsConfig struct { diff --git a/pkg/util/utils_supported.go b/pkg/util/utils_supported.go index 848b35a45..e9d6bfa31 100644 --- a/pkg/util/utils_supported.go +++ b/pkg/util/utils_supported.go @@ -6,67 +6,21 @@ package util // should work to take darwin from this import ( - "fmt" "os" "path/filepath" "syscall" + cutil "github.com/containers/common/pkg/util" "github.com/containers/podman/v4/pkg/rootless" "github.com/pkg/errors" - "github.com/sirupsen/logrus" ) // GetRuntimeDir returns the runtime directory func GetRuntimeDir() (string, error) { - var rootlessRuntimeDirError error - if !rootless.IsRootless() { return "", nil } - - rootlessRuntimeDirOnce.Do(func() { - runtimeDir := os.Getenv("XDG_RUNTIME_DIR") - uid := fmt.Sprintf("%d", rootless.GetRootlessUID()) - if runtimeDir == "" { - tmpDir := filepath.Join("/run", "user", uid) - if err := os.MkdirAll(tmpDir, 0700); err != nil { - logrus.Debug(err) - } - st, err := os.Stat(tmpDir) - if err == nil && int(st.Sys().(*syscall.Stat_t).Uid) == os.Geteuid() && (st.Mode().Perm()&0700 == 0700) { - runtimeDir = tmpDir - } - } - if runtimeDir == "" { - tmpDir := filepath.Join(os.TempDir(), fmt.Sprintf("podman-run-%s", uid)) - if err := os.MkdirAll(tmpDir, 0700); err != nil { - logrus.Debug(err) - } - st, err := os.Stat(tmpDir) - if err == nil && int(st.Sys().(*syscall.Stat_t).Uid) == os.Geteuid() && (st.Mode().Perm()&0700 == 0700) { - runtimeDir = tmpDir - } - } - if runtimeDir == "" { - home := os.Getenv("HOME") - if home == "" { - rootlessRuntimeDirError = fmt.Errorf("neither XDG_RUNTIME_DIR nor HOME was set non-empty") - return - } - resolvedHome, err := filepath.EvalSymlinks(home) - if err != nil { - rootlessRuntimeDirError = errors.Wrapf(err, "cannot resolve %s", home) - return - } - runtimeDir = filepath.Join(resolvedHome, "rundir") - } - rootlessRuntimeDir = runtimeDir - }) - - if rootlessRuntimeDirError != nil { - return "", rootlessRuntimeDirError - } - return rootlessRuntimeDir, nil + return cutil.GetRuntimeDir() } // GetRootlessConfigHomeDir returns the config home directory when running as non root diff --git a/test/system/001-basic.bats b/test/system/001-basic.bats index 9b0a71285..582efa058 100644 --- a/test/system/001-basic.bats +++ b/test/system/001-basic.bats @@ -33,6 +33,23 @@ function setup() { fi } +@test "podman info" { + # These will be displayed on the test output stream, offering an + # at-a-glance overview of important system configuration details + local -a want=( + 'Arch:{{.Host.Arch}}' + 'OS:{{.Host.Distribution.Distribution}}{{.Host.Distribution.Version}}' + 'Runtime:{{.Host.OCIRuntime.Name}}' + 'Rootless:{{.Host.Security.Rootless}}' + 'Events:{{.Host.EventLogger}}' + 'Logdriver:{{.Host.LogDriver}}' + 'Cgroups:{{.Host.CgroupsVersion}}+{{.Host.CgroupManager}}' + 'Net:{{.Host.NetworkBackend}}' + ) + run_podman info --format "$(IFS='/' echo ${want[@]})" + echo "# $output" >&3 +} + @test "podman --context emits reasonable output" { # All we care about here is that the command passes @@ -88,7 +105,8 @@ function setup() { # ...but no matter what, --remote is never allowed after subcommand PODMAN="${podman_non_remote} ${podman_args[@]}" run_podman 125 version --remote - is "$output" "Error: unknown flag: --remote" "podman version --remote" + is "$output" "Error: unknown flag: --remote +See 'podman version --help'" "podman version --remote" } @test "podman-remote: defaults" { @@ -108,6 +126,17 @@ function setup() { if grep -- " --remote " <<<"$output"; then die "podman --help, with CONTAINER_CONNECTION set, is showing --remote" fi + + # When it detects --url or --connection, --remote is not an option + run_podman --url foobar --help + if grep -- " --remote " <<<"$output"; then + die "podman --help, with --url set, is showing --remote" + fi + + run_podman --connection foobar --help + if grep -- " --remote " <<<"$output"; then + die "podman --help, with --connection set, is showing --remote" + fi } # Check that just calling "podman-remote" prints the usage message even diff --git a/test/system/300-cli-parsing.bats b/test/system/300-cli-parsing.bats index 92c073102..ec493d3d8 100644 --- a/test/system/300-cli-parsing.bats +++ b/test/system/300-cli-parsing.bats @@ -12,4 +12,18 @@ load helpers run_podman run --rm --label 'true="false"' $IMAGE true } +@test "podman flag error" { + local name="podman" + if is_remote; then + name="podman-remote" + fi + run_podman 125 run -h + is "$output" "Error: flag needs an argument: 'h' in -h +See '$name run --help'" "expected error output" + + run_podman 125 bad --invalid + is "$output" "Error: unknown flag: --invalid +See '$name --help'" "expected error output" +} + # vim: filetype=sh diff --git a/test/system/800-config.bats b/test/system/800-config.bats new file mode 100644 index 000000000..f5b4e9570 --- /dev/null +++ b/test/system/800-config.bats @@ -0,0 +1,80 @@ +#!/usr/bin/env bats -*- bats -*- +# +# Test specific configuration options and overrides +# + +load helpers + +@test "podman CONTAINERS_CONF - CONTAINERS_CONF in conmon" { + skip_if_remote "can't check conmon environment over remote" + + # Get the normal runtime for this host + run_podman info --format '{{ .Host.OCIRuntime.Name }}' + runtime="$output" + run_podman info --format "{{ .Host.OCIRuntime.Path }}" + ocipath="$output" + + # Make an innocuous containers.conf in a non-standard location + conf_tmp="$PODMAN_TMPDIR/containers.conf" + cat >$conf_tmp <<EOF +[engine] +runtime="$runtime" +[engine.runtimes] +$runtime = ["$ocipath"] +EOF + CONTAINERS_CONF="$conf_tmp" run_podman run -d $IMAGE sleep infinity + cid="$output" + + CONTAINERS_CONF="$conf_tmp" run_podman inspect "$cid" --format "{{ .State.ConmonPid }}" + conmon="$output" + + output="$(tr '\0' '\n' < /proc/$conmon/environ | grep '^CONTAINERS_CONF=')" + is "$output" "CONTAINERS_CONF=$conf_tmp" + + # Clean up + # Oddly, sleep can't be interrupted with SIGTERM, so we need the + # "-f -t 0" to force a SIGKILL + CONTAINERS_CONF="$conf_tmp" run_podman rm -f -t 0 "$cid" +} + +@test "podman CONTAINERS_CONF - override runtime name" { + skip_if_remote "Can't set CONTAINERS_CONF over remote" + + # Get the path of the normal runtime + run_podman info --format "{{ .Host.OCIRuntime.Path }}" + ocipath="$output" + + export conf_tmp="$PODMAN_TMPDIR/nonstandard_runtime_name.conf" + cat > $conf_tmp <<EOF +[engine] +runtime = "nonstandard_runtime_name" +[engine.runtimes] +nonstandard_runtime_name = ["$ocipath"] +EOF + + CONTAINERS_CONF="$conf_tmp" run_podman run -d --rm $IMAGE true + cid="$output" + + # We need to wait for the container to finish before we can check + # if it was cleaned up properly. But in the common case that the + # container completes fast, and the cleanup *did* happen properly + # the container is now gone. So, we need to ignore "no such + # container" errors from podman wait. + CONTAINERS_CONF="$conf_tmp" run_podman '?' wait "$cid" + if [[ $status != 0 ]]; then + is "$output" "Error:.*no such container" "unexpected error from podman wait" + fi + + # The --rm option means the container should no longer exist. + # However https://github.com/containers/podman/issues/12917 meant + # that the container cleanup triggered by conmon's --exit-cmd + # could fail, leaving the container in place. + # + # We verify that the container is indeed gone, by checking that a + # podman rm *fails* here - and it has the side effect of cleaning + # up in the case this test fails. + CONTAINERS_CONF="$conf_tmp" run_podman 1 rm "$cid" + is "$output" "Error:.*no such container" +} + +# vim: filetype=sh diff --git a/test/system/helpers.bash b/test/system/helpers.bash index c622a5172..ee5f73867 100644 --- a/test/system/helpers.bash +++ b/test/system/helpers.bash @@ -37,9 +37,6 @@ fi # while retaining the ability to include these if they so desire. # Some CI systems set this to runc, overriding the default crun. -# Although it would be more elegant to override options in run_podman(), -# we instead override $PODMAN itself because some tests (170-run-userns) -# have to invoke $PODMAN directly. if [[ -n $OCI_RUNTIME ]]; then if [[ -z $CONTAINERS_CONF ]]; then # FIXME: BATS provides no mechanism for end-of-run cleanup[1]; how diff --git a/troubleshooting.md b/troubleshooting.md index 6f2a96a56..dedcf6bb9 100644 --- a/troubleshooting.md +++ b/troubleshooting.md @@ -87,7 +87,7 @@ error pulling image "fedora": unable to pull fedora: error getting default regis ### 4) http: server gave HTTP response to HTTPS client When doing a Podman command such as `build`, `commit`, `pull`, or `push` to a registry, -tls verification is turned on by default. If authentication is not used with +TLS verification is turned on by default. If encryption is not used with those commands, this error can occur. #### Symptom @@ -100,13 +100,13 @@ Get https://localhost:5000/v2/: http: server gave HTTP response to HTTPS client #### Solution -By default tls verification is turned on when communicating to registries from -Podman. If the registry does not require authentication the Podman commands -such as `build`, `commit`, `pull` and `push` will fail unless tls verification is turned +By default TLS verification is turned on when communicating to registries from +Podman. If the registry does not require encryption the Podman commands +such as `build`, `commit`, `pull` and `push` will fail unless TLS verification is turned off using the `--tls-verify` option. **NOTE:** It is not at all recommended to -communicate with a registry and not use tls verification. +communicate with a registry and not use TLS verification. - * Turn off tls verification by passing false to the tls-verification option. + * Turn off TLS verification by passing false to the tls-verify option. * I.e. `podman push --tls-verify=false alpine docker://localhost:5000/myalpine:latest` --- @@ -259,7 +259,8 @@ You should ensure that each user has a unique range of uids, because overlapping would potentially allow one user to attack another user. In addition, make sure that the range of uids you allocate can cover all uids that the container requires. For example, if the container has a user with uid 10000, ensure you -have at least 10001 subuids. +have at least 10001 subuids, and if the container needs to be run as a user with +uid 1000000, ensure you have at least 1000001 subuids. You could also use the usermod program to assign UIDs to a user. @@ -645,16 +646,26 @@ to mount volumes on them. Run the container once in read/write mode, Podman will generate all of the FDs on the rootfs, and from that point forward you can run with a read-only rootfs. +``` $ podman run --rm --rootfs /path/to/rootfs true +``` The command above will create all the missing directories needed to run the container. After that, it can be used in read only mode, by multiple containers at the same time: +``` $ podman run --read-only --rootfs /path/to/rootfs .... +``` + +Another option is to use an Overlay Rootfs Mount: + +``` +$ podman run --rootfs /path/to/rootfs:O .... +``` -Another option would be to create an overlay file system on the directory as a lower and then -then allow podman to create the files on the upper. +Modifications to the mount point are destroyed when the container +finishes executing, similar to a tmpfs mount point being unmounted. ### 26) Running containers with CPU limits fails with a permissions error |