diff options
53 files changed, 397 insertions, 185 deletions
diff --git a/.cirrus.yml b/.cirrus.yml index c629bcf70..7a488216e 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -843,7 +843,7 @@ meta_task: container: cpu: 2 memory: 2 - image: quay.io/libpod/imgts:$IMAGE_SUFFIX + image: quay.io/libpod/imgts:latest env: # Space-separated list of images used by this repository state # Disabled ${PRIOR_FEDORA_CACHE_IMAGE_NAME} for Fedora 35 diff --git a/cmd/podman/networks/create.go b/cmd/podman/networks/create.go index 2cf7023f3..8b0ebeb2b 100644 --- a/cmd/podman/networks/create.go +++ b/cmd/podman/networks/create.go @@ -17,7 +17,7 @@ import ( ) var ( - networkCreateDescription = `create CNI networks for containers and pods` + networkCreateDescription = `create networks for containers and pods` networkCreateCommand = &cobra.Command{ Use: "create [options] [NAME]", Short: "network create", diff --git a/cmd/podman/networks/inspect.go b/cmd/podman/networks/inspect.go index 1a8444147..14f62cbd1 100644 --- a/cmd/podman/networks/inspect.go +++ b/cmd/podman/networks/inspect.go @@ -13,8 +13,8 @@ var ( networkinspectDescription = `Inspect network` networkinspectCommand = &cobra.Command{ Use: "inspect [options] NETWORK [NETWORK...]", - Short: "Displays the raw CNI network configuration for one or more networks.", - Long: networkinspectDescription, + Long: "Displays the network configuration for one or more networks.", + Short: networkinspectDescription, RunE: networkInspect, Example: `podman network inspect podman`, Args: cobra.MinimumNArgs(1), diff --git a/cmd/podman/pods/create.go b/cmd/podman/pods/create.go index aea8a7229..4f1f66ad6 100644 --- a/cmd/podman/pods/create.go +++ b/cmd/podman/pods/create.go @@ -134,6 +134,12 @@ func create(cmd *cobra.Command, args []string) error { imageName = infraImage } img := imageName + + if !cmd.Flag("infra").Changed && (share == "none" || share == "") { + // we do not want an infra container when not sharing namespaces + createOptions.Infra = false + } + if !createOptions.Infra { if cmd.Flag("no-hosts").Changed { return fmt.Errorf("cannot specify --no-hosts without an infra container") diff --git a/commands-demo.md b/commands-demo.md index c1413dd9e..dac279192 100644 --- a/commands-demo.md +++ b/commands-demo.md @@ -45,13 +45,13 @@ | [podman-logout(1)](https://podman.readthedocs.io/en/latest/markdown/podman-logout.1.html) | Logout of a container registry | | [podman-logs(1)](https://podman.readthedocs.io/en/latest/markdown/podman-logs.1.html) | Display the logs of one or more containers | | [podman-mount(1)](https://podman.readthedocs.io/en/latest/markdown/podman-mount.1.html) | Mount a working container's root filesystem | -| [podman-network(1)](https://podman.readthedocs.io/en/latest/network.html) | Manage Podman CNI networks | -| [podman-network-create(1)](https://podman.readthedocs.io/en/latest/markdown/podman-network-create.1.html) | Create a CNI network | -| [podman-network-connect(1)](https://podman.readthedocs.io/en/latest/markdown/podman-network-connect.1.html) | Connect a container to a CNI network | -| [podman-network-disconnect(1)](https://podman.readthedocs.io/en/latest/markdown/podman-network-disconnect.1.html) | Disconnect a container from a CNI network | -| [podman-network-inspect(1)](https://podman.readthedocs.io/en/latest/markdown/podman-network-inspect.1.html) | Displays the raw CNI network configuration for one or more networks | -| [podman-network-ls(1)](https://podman.readthedocs.io/en/latest/markdown/podman-network-ls.1.html) | Display a summary of CNI networks | -| [podman-network-rm(1)](https://podman.readthedocs.io/en/latest/markdown/podman-network-rm.1.html) | Remove one or more CNI networks | +| [podman-network(1)](https://podman.readthedocs.io/en/latest/network.html) | Manage Podman networks | +| [podman-network-create(1)](https://podman.readthedocs.io/en/latest/markdown/podman-network-create.1.html) | Create a network | +| [podman-network-connect(1)](https://podman.readthedocs.io/en/latest/markdown/podman-network-connect.1.html) | Connect a container to a network | +| [podman-network-disconnect(1)](https://podman.readthedocs.io/en/latest/markdown/podman-network-disconnect.1.html) | Disconnect a container from a network | +| [podman-network-inspect(1)](https://podman.readthedocs.io/en/latest/markdown/podman-network-inspect.1.html) | Displays the network configuration for one or more networks | +| [podman-network-ls(1)](https://podman.readthedocs.io/en/latest/markdown/podman-network-ls.1.html) | Display a summary of networks | +| [podman-network-rm(1)](https://podman.readthedocs.io/en/latest/markdown/podman-network-rm.1.html) | Remove one or more networks | | [podman-pause(1)](https://podman.readthedocs.io/en/latest/markdown/podman-pause.1.html) | Pause one or more running containers | [](https://podman.io/asciinema/podman/pause_unpause/) | [Here](https://github.com/containers/Demos/blob/master/podman_cli/podman_pause_unpause.sh) | | [podman-play(1)](https://podman.readthedocs.io/en/latest/play.html) | Play a pod | | [podman-play-kube(1)](https://podman.readthedocs.io/en/latest/markdown/podman-play-kube.1.html) | Create pods and containers based on Kubernetes YAML | diff --git a/contrib/pkginstaller/.gitignore b/contrib/pkginstaller/.gitignore new file mode 100644 index 000000000..5e597ab07 --- /dev/null +++ b/contrib/pkginstaller/.gitignore @@ -0,0 +1,6 @@ +out +Distribution +welcome.html +tmp-download +.vscode +root diff --git a/contrib/pkginstaller/Distribution.in b/contrib/pkginstaller/Distribution.in new file mode 100644 index 000000000..0e0d3843a --- /dev/null +++ b/contrib/pkginstaller/Distribution.in @@ -0,0 +1,17 @@ +<?xml version="1.0" encoding="utf-8" standalone="no"?> +<installer-script minSpecVersion="1.000000"> + <title>Podman __VERSION__</title> + <background mime-type="image/png" file="banner.png" scaling="proportional"/> + <welcome file="welcome.html" mime-type="text/html" /> + <conclusion file="conclusion.html" mime-type="text/html" /> + <license file="LICENSE.txt"/> + <options customize="never" hostArchitectures="x86_64,arm64" /> + <domains enable_localSystem="true" /> + <choices-outline> + <line choice="podman"/> + </choices-outline> + <choice id="podman" title="podman"> + <pkg-ref id="podman.pkg"/> + </choice> + <pkg-ref id="podman.pkg">podman.pkg</pkg-ref> +</installer-script> diff --git a/contrib/pkginstaller/Makefile b/contrib/pkginstaller/Makefile new file mode 100644 index 000000000..19c9b51aa --- /dev/null +++ b/contrib/pkginstaller/Makefile @@ -0,0 +1,50 @@ +SHELL := bash + +ARCH ?= aarch64 +PODMAN_VERSION ?= 4.1.0 +GVPROXY_VERSION ?= 0.4.0 +QEMU_VERSION ?= 7.0.0-2 +GVPROXY_RELEASE_URL ?= https://github.com/containers/gvisor-tap-vsock/releases/download/v$(GVPROXY_VERSION)/gvproxy-darwin +QEMU_RELEASE_URL ?= https://github.com/containers/podman-machine-qemu/releases/download/v$(QEMU_VERSION)/podman-machine-qemu-$(ARCH)-$(QEMU_VERSION).tar.xz +PACKAGE_DIR ?= out/packaging +TMP_DOWNLOAD ?= tmp-download +PACKAGE_ROOT ?= root + +default: pkginstaller + +get_gvproxy: + mkdir -p $(TMP_DOWNLOAD) + cd $(TMP_DOWNLOAD) && curl -sLo gvproxy $(GVPROXY_RELEASE_URL) + +get_qemu: + mkdir -p $(TMP_DOWNLOAD) + cd $(TMP_DOWNLOAD) && curl -sLO $(QEMU_RELEASE_URL) + +packagedir: package_root Distribution welcome.html + mkdir -p $(PACKAGE_DIR) + cp -r Resources $(PACKAGE_DIR)/ + cp welcome.html $(PACKAGE_DIR)/Resources/ + cp Distribution $(PACKAGE_DIR)/ + cp -r scripts $(PACKAGE_DIR)/ + cp -r $(PACKAGE_ROOT) $(PACKAGE_DIR)/ + cp package.sh $(PACKAGE_DIR)/ + cd $(PACKAGE_DIR) && pkgbuild --analyze --root ./root component.plist + echo -n $(PODMAN_VERSION) > $(PACKAGE_DIR)/VERSION + echo -n $(ARCH) > $(PACKAGE_DIR)/ARCH + cp ../../LICENSE $(PACKAGE_DIR)/Resources/LICENSE.txt + +package_root: get_gvproxy get_qemu + mkdir -p $(PACKAGE_ROOT)/podman/bin $(PACKAGE_ROOT)/podman/qemu + tar -C $(PACKAGE_ROOT)/podman/qemu -xf $(TMP_DOWNLOAD)/podman-machine-qemu-$(ARCH)-$(QEMU_VERSION).tar.xz + cp $(TMP_DOWNLOAD)/gvproxy $(PACKAGE_ROOT)/podman/bin/ + chmod a+x $(PACKAGE_ROOT)/podman/bin/* + +%: %.in + @sed -e 's/__VERSION__/'$(PODMAN_VERSION)'/g' $< >$@ + +pkginstaller: packagedir + cd $(PACKAGE_DIR) && ./package.sh .. + +.PHONY: clean +clean: + rm -rf $(TMP_DOWNLOAD) $(PACKAGE_ROOT) $(PACKAGE_DIR) Distribution welcome.html diff --git a/contrib/pkginstaller/README.md b/contrib/pkginstaller/README.md new file mode 100644 index 000000000..37c59ce04 --- /dev/null +++ b/contrib/pkginstaller/README.md @@ -0,0 +1,22 @@ +## How to build + +```sh +$ make ARCH=<amd64 | aarch64> NO_CODESIGN=1 pkginstaller + +# or to create signed pkg +$ make ARCH=<amd64 | aarch64> CODESIGN_IDENTITY=<ID> PRODUCTSIGN_IDENTITY=<ID> pkginstaller +``` + +The generated pkg will be written to `out/podman-macos-installer-*.pkg`. +Currently the pkg installs `podman`, `qemu`, `gvproxy` and `podman-mac-helper` to `/Applications/podman` + +The `qemu` build it uses is from [containers/podman-machine-qemu](https://github.com/containers/podman-machine-qemu) + +## Uninstalling + +```sh +$ sudo rm -rf /opt/podman +``` + +### Screenshot +<img width="626" alt="screenshot-macOS-pkg-podman" src="https://user-images.githubusercontent.com/8885742/157380992-2e3b1573-34a0-4aa0-bdc1-a85f4792a1d2.png"> diff --git a/contrib/pkginstaller/Resources/banner.png b/contrib/pkginstaller/Resources/banner.png Binary files differnew file mode 100644 index 000000000..7db751341 --- /dev/null +++ b/contrib/pkginstaller/Resources/banner.png diff --git a/contrib/pkginstaller/Resources/conclusion.html b/contrib/pkginstaller/Resources/conclusion.html new file mode 100644 index 000000000..c442e4ebf --- /dev/null +++ b/contrib/pkginstaller/Resources/conclusion.html @@ -0,0 +1,13 @@ +<!DOCTYPE html> +<html lang="en"> +<head> + <meta charset="utf-8"/> +</head> +<body> +<div align="left" style="font-family: Helvetica; padding-left: 10px;"> + <br/> + <p style="color: #020202; font-size: 12px;">Thanks for installing Podman!</p> + <p style="color: #020202; font-size: 12px;">You can now start using the 'podman' command. First run 'podman machine init'</b>.</p> +</div> +</body> +</html> diff --git a/contrib/pkginstaller/package.sh b/contrib/pkginstaller/package.sh new file mode 100755 index 000000000..b7b33954d --- /dev/null +++ b/contrib/pkginstaller/package.sh @@ -0,0 +1,60 @@ +#!/bin/bash + +set -euxo pipefail + +BASEDIR=$(dirname "$0") +OUTPUT=$1 +CODESIGN_IDENTITY=${CODESIGN_IDENTITY:-mock} +PRODUCTSIGN_IDENTITY=${PRODUCTSIGN_IDENTITY:-mock} +NO_CODESIGN=${NO_CODESIGN:-0} +HELPER_BINARIES_DIR="/opt/podman/qemu/bin" + +binDir="${BASEDIR}/root/podman/bin" + +function build_podman() { + pushd "$1" + make podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}" + make podman-mac-helper + cp bin/darwin/podman "contrib/pkginstaller/out/packaging/${binDir}/podman" + cp bin/darwin/podman-mac-helper "contrib/pkginstaller/out/packaging/${binDir}/podman-mac-helper" + popd +} + +function sign() { + if [ "${NO_CODESIGN}" -eq "1" ]; then + return + fi + local opts="" + entitlements="${BASEDIR}/$(basename "$1").entitlements" + if [ -f "${entitlements}" ]; then + opts="--entitlements ${entitlements}" + fi + codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --force --timestamp "${opts}" "$1" +} + +version=$(cat "${BASEDIR}/VERSION") +arch=$(cat "${BASEDIR}/ARCH") + +build_podman "../../../../" +sign "${binDir}/podman" +sign "${binDir}/gvproxy" +sign "${binDir}/podman-mac-helper" + +pkgbuild --identifier com.redhat.podman --version "${version}" \ + --scripts "${BASEDIR}/scripts" \ + --root "${BASEDIR}/root" \ + --install-location /opt \ + --component-plist "${BASEDIR}/component.plist" \ + "${OUTPUT}/podman.pkg" + +productbuild --distribution "${BASEDIR}/Distribution" \ + --resources "${BASEDIR}/Resources" \ + --package-path "${OUTPUT}" \ + "${OUTPUT}/podman-unsigned.pkg" +rm "${OUTPUT}/podman.pkg" + +if [ ! "${NO_CODESIGN}" -eq "1" ]; then + productsign --timestamp --sign "${PRODUCTSIGN_IDENTITY}" "${OUTPUT}/podman-unsigned.pkg" "${OUTPUT}/podman-installer-macos-${arch}.pkg" +else + mv "${OUTPUT}/podman-unsigned.pkg" "${OUTPUT}/podman-installer-macos-${arch}.pkg" +fi diff --git a/contrib/pkginstaller/scripts/postinstall b/contrib/pkginstaller/scripts/postinstall new file mode 100755 index 000000000..db17eede8 --- /dev/null +++ b/contrib/pkginstaller/scripts/postinstall @@ -0,0 +1,27 @@ +#!/bin/bash + +set -e + +BZSH_PODMAN_PATH_EXP='PATH="/opt/podman/bin:$PATH"' +FISH_PODMAN_PATH_EXP='set PATH "/opt/podman/bin $PATH"' +BASHRC_PATH="$HOME/.bash_profile" +ZSHENV_PATH="$HOME/.zshenv" +ZSHRC_PATH="$HOME/.zshrc" +FSHCFG_PATH="$HOME/.config/fish/config.fish" + +# append /Applications/podman/bin to $PATH +if [ -f "$BASHRC_PATH" ]; then + grep -Fxq "$BZSH_PODMAN_PATH_EXP" "$BASHRC_PATH" || echo "$BZSH_PODMAN_PATH_EXP" >> "$BASHRC_PATH" +fi +if [ -f "$ZSHENV_PATH" ]; then + grep -Fxq "$BZSH_PODMAN_PATH_EXP" "$ZSHENV_PATH" || echo "$BZSH_PODMAN_PATH_EXP" >> "$ZSHENV_PATH" +fi +if [ -f "$ZSHRC_PATH" ]; then + grep -Fxq "$BZSH_PODMAN_PATH_EXP" "$ZSHRC_PATH" || echo "$BZSH_PODMAN_PATH_EXP" >> "$ZSHRC_PATH" +fi +if [ -f "$FSHCFG_PATH" ]; then + grep -Fxq "$FISH_PODMAN_PATH_EXP" "$FSHCFG_PATH" || echo "$FISH_PODMAN_PATH_EXP" >> "$FSHCFG_PATH" +fi + +ln -s /opt/podman/bin/podman-mac-helper /opt/podman/qemu/bin/podman-mac-helper +ln -s /opt/podman/bin/gvproxy /opt/podman/qemu/bin/gvproxy diff --git a/contrib/pkginstaller/scripts/preinstall b/contrib/pkginstaller/scripts/preinstall new file mode 100755 index 000000000..a381868fc --- /dev/null +++ b/contrib/pkginstaller/scripts/preinstall @@ -0,0 +1,5 @@ +#!/bin/bash + +set -e + +rm -rf /opt/podman diff --git a/contrib/pkginstaller/welcome.html.in b/contrib/pkginstaller/welcome.html.in new file mode 100644 index 000000000..b06198716 --- /dev/null +++ b/contrib/pkginstaller/welcome.html.in @@ -0,0 +1,16 @@ +<!DOCTYPE html> +<html lang="en"> +<head> + <meta charset="utf-8"/> +</head> +<body> +<div align="left" style="font-family: Helvetica; padding-left: 10px;"> + <br/> + <p style="color: #020202; font-size: 12px;">This will install <span style="color: #46b9d6; font-size: 12px;">Podman __VERSION__</span> + on your computer. You will be guided through the steps necessary to install this software.</p> + <br/> + <p style="color: #abb0b0; font-size: 12px;">Click <span style="color: #626666">“Continue"</span> to continue the + setup</p> +</div> +</body> +</html> diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 67bb573e2..6a951b421 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -738,9 +738,12 @@ Valid _mode_ values are: #### **--network-alias**=*alias* -Add a network-scoped alias for the container, setting the alias for all networks that the container joins. To set a name only for a specific network, use the alias option as described under the **--network** option. -Network aliases work only with the bridge networking mode. This option can be specified multiple times. -NOTE: A container will only have access to aliases on the first network that it joins. This is a limitation that will be removed in a later release. +Add a network-scoped alias for the container, setting the alias for all networks that the container joins. To set a +name only for a specific network, use the alias option as described under the **--network** option. +If the network has DNS enabled (`podman network inspect -f {{.DNSEnabled}} <name>`), +these aliases can be used for name resolution on the given network. This option can be specified multiple times. +NOTE: When using CNI a container will only have access to aliases on the first network that it joins. This limitation does +not exist with netavark/aardvark-dns. #### **--no-healthcheck** diff --git a/docs/source/markdown/podman-generate-systemd.1.md b/docs/source/markdown/podman-generate-systemd.1.md index 50881a509..fc2ce171e 100644 --- a/docs/source/markdown/podman-generate-systemd.1.md +++ b/docs/source/markdown/podman-generate-systemd.1.md @@ -14,6 +14,13 @@ Generating unit files for a pod requires the pod to be created with an infra con _Note: If you use this command with the remote client, including Mac and Windows (excluding WSL2) machines, you would still have to place the generated units on the remote system. Moreover, please make sure that the XDG_RUNTIME_DIR environment variable is set. If unset, you may set it via `export XDG_RUNTIME_DIR=/run/user/$(id -u)`._ +_Note: The generated `podman run` command contains an `--sdnotify` option with the value taken from the container. +If the container does not have any explicitly set value or the value is set to __ignore__, the value __conmon__ is used. +The reason for overriding the default value __container__ is that almost no container workloads send notify messages. +Systemd would wait for a ready message that never comes, if the value __container__ is used for a container +that does not send notify messages. The use of the default value might have been unintentional by the user, +therefore the overridden default value._ + ### Kubernetes Integration A Kubernetes YAML can be executed in systemd via the `podman-kube@.service` systemd template. The template's argument is the path to the YAML file. Given a `workload.yaml` file in the home directory, it can be executed as follows: diff --git a/docs/source/markdown/podman-kube-play.1.md b/docs/source/markdown/podman-kube-play.1.md index f52989623..25248ce99 100644 --- a/docs/source/markdown/podman-kube-play.1.md +++ b/docs/source/markdown/podman-kube-play.1.md @@ -322,7 +322,7 @@ $ podman kube play demo.yml --network net1:ip=10.89.1.5 --network net2:ip=10.89. 52182811df2b1e73f36476003a66ec872101ea59034ac0d4d3a7b40903b955a6 ``` -Please take into account that CNI networks must be created first using podman-network-create(1). +Please take into account that networks must be created first using podman-network-create(1). ## SEE ALSO **[podman(1)](podman.1.md)**, **[podman-kube(1)](podman-kube.1.md)**, **[podman-network-create(1)](podman-network-create.1.md)**, **[podman-generate-kube(1)](podman-generate-kube.1.md)**, **[containers-certs.d(5)](https://github.com/containers/image/blob/main/docs/containers-certs.d.5.md)** diff --git a/docs/source/markdown/podman-network-connect.1.md b/docs/source/markdown/podman-network-connect.1.md index c3eef4038..d1718b812 100644 --- a/docs/source/markdown/podman-network-connect.1.md +++ b/docs/source/markdown/podman-network-connect.1.md @@ -12,10 +12,10 @@ Once connected, the container can communicate with other containers in the same ## OPTIONS #### **--alias**=*name* -Add network-scoped alias for the container. If the network is using the `dnsname` CNI plugin, these aliases -can be used for name resolution on the given network. Multiple *--alias* options may be specified as input. -NOTE: A container will only have access to aliases on the first network that it joins. This is a limitation -that will be removed in a later release. +Add network-scoped alias for the container. If the network has DNS enabled (`podman network inspect -f {{.DNSEnabled}} <NAME>`), +these aliases can be used for name resolution on the given network. Multiple *--alias* options may be specified as input. +NOTE: When using CNI a container will only have access to aliases on the first network that it joins. This limitation does +not exist with netavark/aardvark-dns. #### **--ip**=*address* Set a static ipv4 address for this container on this network. @@ -44,7 +44,7 @@ podman network connect --ip 10.89.1.13 test web ``` ## SEE ALSO -**[podman(1)](podman.1.md)**, **[podman-network(1)](podman-network.1.md)**, **[podman-network-disconnect(1)](podman-network-disconnect.1.md)** +**[podman(1)](podman.1.md)**, **[podman-network(1)](podman-network.1.md)**, **[podman-network-inspect(1)](podman-network-inspect.1.md)**, **[podman-network-disconnect(1)](podman-network-disconnect.1.md)** ## HISTORY November 2020, Originally compiled by Brent Baude <bbaude@redhat.com> diff --git a/docs/source/markdown/podman-network-create.1.md b/docs/source/markdown/podman-network-create.1.md index 0ccc540f8..3836ea05c 100644 --- a/docs/source/markdown/podman-network-create.1.md +++ b/docs/source/markdown/podman-network-create.1.md @@ -7,11 +7,9 @@ podman\-network-create - Create a Podman network **podman network create** [*options*] [*name*] ## DESCRIPTION -Create a CNI-network configuration for use with Podman. By default, Podman creates a bridge connection. +Create a network configuration for use with Podman. By default, Podman creates a bridge connection. A *Macvlan* connection can be created with the *-d macvlan* option. A parent device for macvlan can -be designated with the *-o parent=`<device>`* option. In the case of *Macvlan* connections, the -CNI *dhcp* plugin needs to be activated or the container image must have a DHCP client to interact -with the host network's DHCP server. +be designated with the *-o parent=`<device>`* option. If no options are provided, Podman will assign a free subnet and name for your network. @@ -54,7 +52,7 @@ The argument order of the **--subnet**, **--gateway** and **--ip-range** options Set the ipam driver (IP Address Management Driver) for the network. When unset podman will choose an ipam driver automatically based on the network driver. Valid values are: - `host-local`: IP addresses are assigned locally. - - `dhcp`: IP addresses are assigned from a dhcp server on your network. This driver is not yet supported with netavark. + - `dhcp`: IP addresses are assigned from a dhcp server on your network. This driver is not yet supported with netavark. For CNI the *dhcp* plugin needs to be activated before. - `none`: No ip addresses are assigned to the interfaces. You can see the driver in the **podman network inspect** output under the `ipam_options` field. @@ -94,7 +92,7 @@ This is useful to set a static ipv4 and ipv6 subnet. Create a network with no options. ``` $ podman network create -cni-podman2 +podman2 ``` Create a network named *newnet* that uses *192.5.0.0/16* for its subnet. @@ -118,7 +116,7 @@ newnet Create a network that uses a *192.168.55.0/24** subnet and has an IP address range of *192.168.55.129 - 192.168.55.254*. ``` $ podman network create --subnet 192.168.55.0/24 --ip-range 192.168.55.128/25 -cni-podman5 +podman5 ``` Create a network with a static ipv4 and ipv6 subnet and set a gateway. diff --git a/docs/source/markdown/podman-network-inspect.1.md b/docs/source/markdown/podman-network-inspect.1.md index ba9cc94d5..2ba4a63cb 100644 --- a/docs/source/markdown/podman-network-inspect.1.md +++ b/docs/source/markdown/podman-network-inspect.1.md @@ -1,13 +1,13 @@ % podman-network-inspect(1) ## NAME -podman\-network\-inspect - Displays the raw network configuration for one or more networks +podman\-network\-inspect - Displays the network configuration for one or more networks ## SYNOPSIS **podman network inspect** [*options*] *network* [*network* ...] ## DESCRIPTION -Display the raw (JSON format) network configuration. +Display the (JSON format) network configuration. ## OPTIONS #### **--format**, **-f**=*format* @@ -40,7 +40,7 @@ $ podman network inspect podman "name": "podman", "id": "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9", "driver": "bridge", - "network_interface": "cni-podman0", + "network_interface": "podman0", "created": "2021-06-03T12:04:33.088567413+02:00", "subnets": [ { diff --git a/docs/source/markdown/podman-network-ls.1.md b/docs/source/markdown/podman-network-ls.1.md index 3c696d404..c7ea24b9b 100644 --- a/docs/source/markdown/podman-network-ls.1.md +++ b/docs/source/markdown/podman-network-ls.1.md @@ -77,8 +77,8 @@ Display networks $ podman network ls NETWORK ID NAME DRIVER 88a7120ee19d podman bridge -6dd508dbf8cd cni-podman6 bridge -8e35c2cd3bf6 cni-podman5 macvlan +6dd508dbf8cd podman6 bridge +8e35c2cd3bf6 podman5 macvlan ``` Display only network names @@ -101,7 +101,7 @@ List networks with their subnets ``` $ podman network ls --format "{{.Name}}: {{range .Subnets}}{{.Subnet}} {{end}}" podman: 10.88.0.0/16 -cni-podman3: 10.89.30.0/24 fde4:f86f:4aab:e68f::/64 +podman3: 10.89.30.0/24 fde4:f86f:4aab:e68f::/64 macvlan: ``` diff --git a/docs/source/markdown/podman-network-rm.1.md b/docs/source/markdown/podman-network-rm.1.md index c6e33c571..880f1d0c7 100644 --- a/docs/source/markdown/podman-network-rm.1.md +++ b/docs/source/markdown/podman-network-rm.1.md @@ -21,11 +21,11 @@ Seconds to wait before forcibly stopping the running containers that are using t ## EXAMPLE -Delete the `cni-podman9` network +Delete the `podman9` network ``` -# podman network rm cni-podman9 -Deleted: cni-podman9 +# podman network rm podman9 +Deleted: podman9 ``` Delete the `fred` network and all containers associated with the network. diff --git a/docs/source/markdown/podman-network.1.md b/docs/source/markdown/podman-network.1.md index bc75cce3b..f58bd5d5c 100644 --- a/docs/source/markdown/podman-network.1.md +++ b/docs/source/markdown/podman-network.1.md @@ -27,7 +27,7 @@ so networks have to be created again after a backend change. | create | [podman-network-create(1)](podman-network-create.1.md) | Create a Podman network | | disconnect | [podman-network-disconnect(1)](podman-network-disconnect.1.md) | Disconnect a container from a network | | exists | [podman-network-exists(1)](podman-network-exists.1.md) | Check if the given network exists | -| inspect | [podman-network-inspect(1)](podman-network-inspect.1.md) | Displays the raw network configuration for one or more networks | +| inspect | [podman-network-inspect(1)](podman-network-inspect.1.md) | Displays the network configuration for one or more networks | | ls | [podman-network-ls(1)](podman-network-ls.1.md) | Display a summary of networks | | prune | [podman-network-prune(1)](podman-network-prune.1.md) | Remove all unused networks | | reload | [podman-network-reload(1)](podman-network-reload.1.md) | Reload network configuration for containers | diff --git a/docs/source/markdown/podman-pod-create.1.md b/docs/source/markdown/podman-pod-create.1.md index 660112865..7b63ac51d 100644 --- a/docs/source/markdown/podman-pod-create.1.md +++ b/docs/source/markdown/podman-pod-create.1.md @@ -284,9 +284,12 @@ Valid _mode_ values are: #### **--network-alias**=*alias* -Add a network-scoped alias for the pod, setting the alias for all networks that the pod joins. To set a name only for a specific network, use the alias option as described under the **--network** option. -Network aliases work only with the bridge networking mode. This option can be specified multiple times. -NOTE: A container will only have access to aliases on the first network that it joins. This is a limitation that will be removed in a later release. +Add a network-scoped alias for the pod, setting the alias for all networks that the container joins. To set a +name only for a specific network, use the alias option as described under the **--network** option. +If the network has DNS enabled (`podman network inspect -f {{.DNSEnabled}} <name>`), +these aliases can be used for name resolution on the given network. This option can be specified multiple times. +NOTE: When using CNI a pod will only have access to aliases on the first network that it joins. This limitation does +not exist with netavark/aardvark-dns. #### **--no-hosts** @@ -370,7 +373,7 @@ Note: Labeling can be disabled for all containers by setting label=false in the #### **--share**=*namespace* -A comma-separated list of kernel namespaces to share. If none or "" is specified, no namespaces will be shared. The namespaces to choose from are cgroup, ipc, net, pid, uts. If the option is prefixed with a "+" then the namespace is appended to the default list, otherwise it replaces the default list. Defaults matches Kubernetes default (ipc, net, uts) +A comma-separated list of kernel namespaces to share. If none or "" is specified, no namespaces will be shared and the infra container will not be created unless expiclity specified via **--infra=true**. The namespaces to choose from are cgroup, ipc, net, pid, uts. If the option is prefixed with a "+" then the namespace is appended to the default list, otherwise it replaces the default list. Defaults matches Kubernetes default (ipc, net, uts) #### **--share-parent** diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 4566a73d0..cb19e929e 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -755,9 +755,12 @@ Valid _mode_ values are: #### **--network-alias**=*alias* -Add a network-scoped alias for the container, setting the alias for all networks that the container joins. To set a name only for a specific network, use the alias option as described under the **--network** option. -Network aliases work only with the bridge networking mode. This option can be specified multiple times. -NOTE: A container will only have access to aliases on the first network that it joins. This is a limitation that will be removed in a later release. +Add a network-scoped alias for the container, setting the alias for all networks that the container joins. To set a +name only for a specific network, use the alias option as described under the **--network** option. +If the network has DNS enabled (`podman network inspect -f {{.DNSEnabled}} <name>`), +these aliases can be used for name resolution on the given network. This option can be specified multiple times. +NOTE: When using CNI a container will only have access to aliases on the first network that it joins. This limitation does +not exist with netavark/aardvark-dns. #### **--no-healthcheck** diff --git a/docs/tutorials/basic_networking.md b/docs/tutorials/basic_networking.md index 0a6034e7a..05c3a731e 100644 --- a/docs/tutorials/basic_networking.md +++ b/docs/tutorials/basic_networking.md @@ -32,7 +32,7 @@ port mapping. Depending on the firewall implementation, we have observed firewa ports being opened automatically due to running a container with a port mapping (for example). If container traffic does not seem to work properly, check the firewall and allow traffic on ports the container is using. A common problem is that -reloading the firewall deletes the cni iptables rules resulting in a loss of +reloading the firewall deletes the cni/netavark iptables rules resulting in a loss of network connectivity for rootful containers. Podman v3 provides the podman network reload command to restore this without having to restart the container. @@ -83,7 +83,7 @@ users. But as of Podman version 4.0, rootless users can also use netavark. The user experience of rootless netavark is very akin to a rootful netavark, except that there is no default network configuration provided. You simply need to create a network, and the one will be created as a bridge network. If you would like to switch from -CNI networking to netvaark, you must issue the `podman system reset --force` command. +CNI networking to netavark, you must issue the `podman system reset --force` command. This will delete all of your images, containers, and custom networks. ``` @@ -177,7 +177,7 @@ address, you should continue to use CNI instead of netavark. ``` $ sudo podman network create -d macvlan -o parent=eth0 webnetwork -/etc/cni/net.d/webnetwork.conflist +webnetwork ``` The next step is to ensure that the DHCP CNI plugin is running. This plugin facilitates the DHCP lease from the network. diff --git a/libpod/runtime_pod_linux.go b/libpod/runtime_pod_linux.go index 3bb22ec26..57c0b5c48 100644 --- a/libpod/runtime_pod_linux.go +++ b/libpod/runtime_pod_linux.go @@ -7,7 +7,6 @@ import ( "context" "errors" "fmt" - "os" "path" "path/filepath" "strings" @@ -18,7 +17,6 @@ import ( "github.com/containers/podman/v4/libpod/events" "github.com/containers/podman/v4/pkg/rootless" "github.com/containers/podman/v4/pkg/specgen" - runcconfig "github.com/opencontainers/runc/libcontainer/configs" "github.com/sirupsen/logrus" ) @@ -214,83 +212,37 @@ func (r *Runtime) removePod(ctx context.Context, p *Pod, removeCtrs, force bool, return fmt.Errorf("pod %s contains containers and cannot be removed: %w", p.ID(), define.ErrCtrExists) } - // Go through and lock all containers so we can operate on them all at - // once. - // First loop also checks that we are ready to go ahead and remove. - containersLocked := true + ctrNamedVolumes := make(map[string]*ContainerNamedVolume) + + var removalErr error for _, ctr := range ctrs { - ctrLock := ctr.lock - ctrLock.Lock() - defer func() { - if containersLocked { + err := func() error { + ctrLock := ctr.lock + ctrLock.Lock() + defer func() { ctrLock.Unlock() - } - }() + }() - // If we're force-removing, no need to check status. - if force { - continue - } - - // Sync all containers - if err := ctr.syncContainer(); err != nil { - return err - } - - // Ensure state appropriate for removal - if err := ctr.checkReadyForRemoval(); err != nil { - return fmt.Errorf("pod %s has containers that are not ready to be removed: %w", p.ID(), err) - } - } - - // We're going to be removing containers. - // If we are Cgroupfs cgroup driver, to avoid races, we need to hit - // the pod and conmon Cgroups with a PID limit to prevent them from - // spawning any further processes (particularly cleanup processes) which - // would prevent removing the Cgroups. - if p.runtime.config.Engine.CgroupManager == config.CgroupfsCgroupsManager { - // Get the conmon Cgroup - conmonCgroupPath := filepath.Join(p.state.CgroupPath, "conmon") - conmonCgroup, err := cgroups.Load(conmonCgroupPath) - if err != nil && err != cgroups.ErrCgroupDeleted && err != cgroups.ErrCgroupV1Rootless { - logrus.Errorf("Retrieving pod %s conmon cgroup %s: %v", p.ID(), conmonCgroupPath, err) - } - - // New resource limits - resLimits := new(runcconfig.Resources) - resLimits.PidsLimit = 1 // Inhibit forks with very low pids limit - - // Don't try if we failed to retrieve the cgroup - if err == nil { - if err := conmonCgroup.Update(resLimits); err != nil && !os.IsNotExist(err) { - logrus.Warnf("Error updating pod %s conmon cgroup PID limit: %v", p.ID(), err) + if err := ctr.syncContainer(); err != nil { + return err } - } - } - - var removalErr error - ctrNamedVolumes := make(map[string]*ContainerNamedVolume) + for _, vol := range ctr.config.NamedVolumes { + ctrNamedVolumes[vol.Name] = vol + } - // Second loop - all containers are good, so we should be clear to - // remove. - for _, ctr := range ctrs { - // Remove the container. - // Do NOT remove named volumes. Instead, we're going to build a - // list of them to be removed at the end, once the containers - // have been removed by RemovePodContainers. - for _, vol := range ctr.config.NamedVolumes { - ctrNamedVolumes[vol.Name] = vol - } + return r.removeContainer(ctx, ctr, force, false, true, timeout) + }() - if err := r.removeContainer(ctx, ctr, force, false, true, timeout); err != nil { - if removalErr == nil { - removalErr = err - } else { - logrus.Errorf("Removing container %s from pod %s: %v", ctr.ID(), p.ID(), err) - } + if removalErr == nil { + removalErr = err + } else { + logrus.Errorf("Removing container %s from pod %s: %v", ctr.ID(), p.ID(), err) } } + if removalErr != nil { + return removalErr + } // Clear infra container ID before we remove the infra container. // There is a potential issue if we don't do that, and removal is @@ -326,12 +278,6 @@ func (r *Runtime) removePod(ctx context.Context, p *Pod, removeCtrs, force bool, } } - // let's unlock the containers so if there is any cleanup process, it can terminate its execution - for _, ctr := range ctrs { - ctr.lock.Unlock() - } - containersLocked = false - // Remove pod cgroup, if present if p.state.CgroupPath != "" { logrus.Debugf("Removing pod cgroup %s", p.state.CgroupPath) diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go index a9185c3d3..15cfc824e 100644 --- a/pkg/api/handlers/compat/images_build.go +++ b/pkg/api/handlers/compat/images_build.go @@ -140,6 +140,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { Registry: "docker.io", Rm: true, ShmSize: 64 * 1024 * 1024, + TLSVerify: true, } decoder := r.Context().Value(api.DecoderKey).(*schema.Decoder) diff --git a/pkg/api/handlers/compat/images_search.go b/pkg/api/handlers/compat/images_search.go index a6fd3a3a1..2fc95e84e 100644 --- a/pkg/api/handlers/compat/images_search.go +++ b/pkg/api/handlers/compat/images_search.go @@ -26,6 +26,7 @@ func SearchImages(w http.ResponseWriter, r *http.Request) { ListTags bool `json:"listTags"` }{ // This is where you can override the golang default value for one of fields + TLSVerify: true, } if err := decoder.Decode(&query, r.URL.Query()); err != nil { diff --git a/pkg/api/handlers/libpod/images_push.go b/pkg/api/handlers/libpod/images_push.go index f427dc01b..9ee651f5b 100644 --- a/pkg/api/handlers/libpod/images_push.go +++ b/pkg/api/handlers/libpod/images_push.go @@ -32,6 +32,7 @@ func PushImage(w http.ResponseWriter, r *http.Request) { TLSVerify bool `schema:"tlsVerify"` Quiet bool `schema:"quiet"` }{ + TLSVerify: true, // #14971: older versions did not sent *any* data, so we need // to be quiet by default to remain backwards compatible Quiet: true, diff --git a/pkg/api/handlers/libpod/manifests.go b/pkg/api/handlers/libpod/manifests.go index 3235a2972..43c7139d3 100644 --- a/pkg/api/handlers/libpod/manifests.go +++ b/pkg/api/handlers/libpod/manifests.go @@ -310,6 +310,7 @@ func ManifestPush(w http.ResponseWriter, r *http.Request) { TLSVerify bool `schema:"tlsVerify"` }{ // Add defaults here once needed. + TLSVerify: true, } if err := decoder.Decode(&query, r.URL.Query()); err != nil { utils.Error(w, http.StatusBadRequest, diff --git a/pkg/api/server/register_images.go b/pkg/api/server/register_images.go index 11ab8cae0..1bfedd77e 100644 --- a/pkg/api/server/register_images.go +++ b/pkg/api/server/register_images.go @@ -192,8 +192,8 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error { // - in: query // name: tlsVerify // type: boolean - // default: false - // description: skip TLS verification for registries + // default: true + // description: Require HTTPS and verify signatures when contacting registries. // - in: query // name: listTags // type: boolean @@ -1120,8 +1120,8 @@ func (s *APIServer) registerImagesHandlers(r *mux.Router) error { // - in: query // name: tlsVerify // type: boolean - // default: false - // description: skip TLS verification for registries + // default: true + // description: Require HTTPS and verify signatures when contacting registries. // - in: query // name: listTags // type: boolean diff --git a/pkg/api/server/register_manifest.go b/pkg/api/server/register_manifest.go index 4fadb92fd..19b507047 100644 --- a/pkg/api/server/register_manifest.go +++ b/pkg/api/server/register_manifest.go @@ -69,12 +69,12 @@ func (s *APIServer) registerManifestHandlers(r *mux.Router) error { // name: all // description: push all images // type: boolean - // default: false + // default: true // - in: query // name: tlsVerify // type: boolean - // default: false - // description: skip TLS verification for registries + // default: true + // description: Require HTTPS and verify signatures when contacting registries. // responses: // 200: // schema: @@ -195,8 +195,8 @@ func (s *APIServer) registerManifestHandlers(r *mux.Router) error { // - in: query // name: tlsVerify // type: boolean - // default: false - // description: skip TLS verification for registries + // default: true + // description: Require HTTPS and verify signatures when contacting registries. // - in: body // name: options // description: options for mutating a manifest diff --git a/pkg/bindings/test/images_test.go b/pkg/bindings/test/images_test.go index a005be6ac..8f76ce456 100644 --- a/pkg/bindings/test/images_test.go +++ b/pkg/bindings/test/images_test.go @@ -120,8 +120,6 @@ var _ = Describe("Podman images", func() { // deleting hence image cannot be deleted until the container is deleted. _, errs = images.Remove(bt.conn, []string{alpine.shortName}, nil) code, _ = bindings.CheckResponseCode(errs[0]) - // FIXME FIXME FIXME: #12441: another invalid error - // FIXME FIXME FIXME: this time msg="Image used by SHA: ..." Expect(code).To(BeNumerically("==", -1)) // Removing the image "alpine" where force = true diff --git a/pkg/machine/qemu/machine.go b/pkg/machine/qemu/machine.go index 3b57455c4..7974c261e 100644 --- a/pkg/machine/qemu/machine.go +++ b/pkg/machine/qemu/machine.go @@ -670,11 +670,11 @@ func (v *MachineVM) Start(name string, _ machine.StartOptions) error { // because / is immutable, we have to monkey around with permissions // if we dont mount in /home or /mnt args := []string{"-q", "--"} - if !strings.HasPrefix(mount.Target, "/home") || !strings.HasPrefix(mount.Target, "/mnt") { + if !strings.HasPrefix(mount.Target, "/home") && !strings.HasPrefix(mount.Target, "/mnt") { args = append(args, "sudo", "chattr", "-i", "/", ";") } args = append(args, "sudo", "mkdir", "-p", mount.Target) - if !strings.HasPrefix(mount.Target, "/home") || !strings.HasPrefix(mount.Target, "/mnt") { + if !strings.HasPrefix(mount.Target, "/home") && !strings.HasPrefix(mount.Target, "/mnt") { args = append(args, ";", "sudo", "chattr", "+i", "/", ";") } err = v.SSH(name, machine.SSHOptions{Args: args}) diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go index 9bb7caace..8cfac924b 100644 --- a/pkg/specgen/generate/container.go +++ b/pkg/specgen/generate/container.go @@ -494,10 +494,10 @@ func FinishThrottleDevices(s *specgen.SpecGenerator) error { if s.ResourceLimits == nil { s.ResourceLimits = &spec.LinuxResources{} } - if s.ResourceLimits.BlockIO == nil { - s.ResourceLimits.BlockIO = &spec.LinuxBlockIO{} - } if bps := s.ThrottleReadBpsDevice; len(bps) > 0 { + if s.ResourceLimits.BlockIO == nil { + s.ResourceLimits.BlockIO = &spec.LinuxBlockIO{} + } for k, v := range bps { statT := unix.Stat_t{} if err := unix.Stat(k, &statT); err != nil { @@ -512,6 +512,9 @@ func FinishThrottleDevices(s *specgen.SpecGenerator) error { } } if bps := s.ThrottleWriteBpsDevice; len(bps) > 0 { + if s.ResourceLimits.BlockIO == nil { + s.ResourceLimits.BlockIO = &spec.LinuxBlockIO{} + } for k, v := range bps { statT := unix.Stat_t{} if err := unix.Stat(k, &statT); err != nil { @@ -523,6 +526,9 @@ func FinishThrottleDevices(s *specgen.SpecGenerator) error { } } if iops := s.ThrottleReadIOPSDevice; len(iops) > 0 { + if s.ResourceLimits.BlockIO == nil { + s.ResourceLimits.BlockIO = &spec.LinuxBlockIO{} + } for k, v := range iops { statT := unix.Stat_t{} if err := unix.Stat(k, &statT); err != nil { @@ -534,6 +540,9 @@ func FinishThrottleDevices(s *specgen.SpecGenerator) error { } } if iops := s.ThrottleWriteIOPSDevice; len(iops) > 0 { + if s.ResourceLimits.BlockIO == nil { + s.ResourceLimits.BlockIO = &spec.LinuxBlockIO{} + } for k, v := range iops { statT := unix.Stat_t{} if err := unix.Stat(k, &statT); err != nil { diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go index 389900820..8334d386f 100644 --- a/pkg/specgen/generate/container_create.go +++ b/pkg/specgen/generate/container_create.go @@ -55,6 +55,10 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener } } + if err := FinishThrottleDevices(s); err != nil { + return nil, nil, nil, err + } + // Set defaults for unset namespaces if s.PidNS.IsDefault() { defaultNS, err := GetDefaultNamespaceMode("pid", rtc, pod) diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go index 4ab019b5b..7392e7b44 100644 --- a/pkg/specgenutil/specgen.go +++ b/pkg/specgenutil/specgen.go @@ -77,11 +77,11 @@ func getIOLimits(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions) ( if s.ResourceLimits == nil { s.ResourceLimits = &specs.LinuxResources{} } - if s.ResourceLimits.BlockIO == nil { - s.ResourceLimits.BlockIO = &specs.LinuxBlockIO{} - } hasLimits := false if b := c.BlkIOWeight; len(b) > 0 { + if s.ResourceLimits.BlockIO == nil { + s.ResourceLimits.BlockIO = &specs.LinuxBlockIO{} + } u, err := strconv.ParseUint(b, 10, 16) if err != nil { return nil, fmt.Errorf("invalid value for blkio-weight: %w", err) @@ -103,7 +103,6 @@ func getIOLimits(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions) ( if s.ThrottleReadBpsDevice, err = parseThrottleBPSDevices(bps); err != nil { return nil, err } - hasLimits = true } @@ -131,8 +130,6 @@ func getIOLimits(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions) ( if !hasLimits { return nil, nil } - io = s.ResourceLimits.BlockIO - return io, nil } diff --git a/test/apiv2/12-imagesMore.at b/test/apiv2/12-imagesMore.at index d4b09174f..498d67569 100644 --- a/test/apiv2/12-imagesMore.at +++ b/test/apiv2/12-imagesMore.at @@ -28,7 +28,10 @@ t GET libpod/images/$IMAGE/json 200 \ .RepoTags[1]=localhost:$REGISTRY_PORT/myrepo:mytag # Push to local registry... -t POST "images/localhost:$REGISTRY_PORT/myrepo/push?tlsVerify=false&tag=mytag" 200 +t POST "images/localhost:$REGISTRY_PORT/myrepo/push?tag=mytag" 200 \ + .error~".*x509: certificate signed by unknown authority" +t POST "images/localhost:$REGISTRY_PORT/myrepo/push?tlsVerify=false&tag=mytag" 200 \ + .error~null # ...and check output. We can't use our built-in checks because this output # is a sequence of JSON objects, i.e., individual ones, not in a JSON array. diff --git a/test/apiv2/15-manifest.at b/test/apiv2/15-manifest.at index 970bed5a8..6584ea8e4 100644 --- a/test/apiv2/15-manifest.at +++ b/test/apiv2/15-manifest.at @@ -31,6 +31,8 @@ t POST /v3.4.0/libpod/manifests/$id_abc/add images="[\"containers-storage:$id_ab t PUT /v4.0.0/libpod/manifests/$id_xyz operation='update' images="[\"containers-storage:$id_xyz_image\"]" 200 t POST "/v3.4.0/libpod/manifests/abc:latest/push?destination=localhost:$REGISTRY_PORT%2Fabc:latest&tlsVerify=false&all=true" 200 +t POST "/v4.0.0/libpod/manifests/xyz:latest/registry/localhost:$REGISTRY_PORT%2Fxyz:latest?all=true" 400 \ + .cause='x509: certificate signed by unknown authority' t POST "/v4.0.0/libpod/manifests/xyz:latest/registry/localhost:$REGISTRY_PORT%2Fxyz:latest?tlsVerify=false&all=true" 200 # /v3.x cannot delete a manifest list diff --git a/test/buildah-bud/apply-podman-deltas b/test/buildah-bud/apply-podman-deltas index d6d539fa4..6578afc93 100755 --- a/test/buildah-bud/apply-podman-deltas +++ b/test/buildah-bud/apply-podman-deltas @@ -163,7 +163,7 @@ skip "does not work under podman" \ # which we could and perhaps should fix in the buildah repo via: # - ... ${TESTSDIR}/bud/layers-squash/Dockerfile.hardlinks # + ... -f Dockerfile.hardlinks ${TESTSDIR}/bud/layers-squash -skip "FIXME FIXME FIXME: argument-order incompatible with podman" \ +skip "argument-order incompatible with podman" \ "bud-squash-hardlinks" # Fails with "Error: context must be a directory: /path/to/Dockerfile" @@ -231,7 +231,7 @@ skip_if_remote "FIXME FIXME FIXME: does this test make sense in remote?" \ ############################################################################### # BEGIN tests which are skipped due to actual podman or podman-remote bugs. -skip_if_remote "Podman #12838: different error messages" \ +skip_if_remote "different error messages between podman & podman-remote" \ "bud with .dockerignore #2" # These two tests, new in 2022-01, invoke podman (create, export) in ways diff --git a/test/e2e/benchmarks_test.go b/test/e2e/benchmarks_test.go index fe045b97a..4be048de2 100644 --- a/test/e2e/benchmarks_test.go +++ b/test/e2e/benchmarks_test.go @@ -240,7 +240,7 @@ var _ = Describe("Podman Benchmark Suite", func() { // -------------------------------------------------------------------------- newBenchmark("podman create", func() { - session := podmanTest.Podman([]string{"run", ALPINE, "true"}) + session := podmanTest.Podman([]string{"create", ALPINE, "true"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) }, nil) @@ -262,5 +262,11 @@ var _ = Describe("Podman Benchmark Suite", func() { session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) }, nil) + + newBenchmark("podman run --detach", func() { + session := podmanTest.Podman([]string{"run", "--detach", ALPINE, "true"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + }, nil) }) }) diff --git a/test/e2e/checkpoint_test.go b/test/e2e/checkpoint_test.go index a4646b6d1..d1771f336 100644 --- a/test/e2e/checkpoint_test.go +++ b/test/e2e/checkpoint_test.go @@ -1457,11 +1457,6 @@ var _ = Describe("Podman checkpoint", func() { }) It("podman checkpoint and restore container with --file-locks", func() { - if !strings.Contains(podmanTest.OCIRuntime, "runc") { - // TODO: Enable test for crun when this feature has been released - // https://github.com/containers/crun/pull/783 - Skip("FIXME: requires crun >= 1.4") - } localRunString := getRunString([]string{"--name", "test_name", ALPINE, "flock", "test.lock", "sleep", "100"}) session := podmanTest.Podman(localRunString) session.WaitWithDefaultTimeout() diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go index 43367cf63..2d7c47a7f 100644 --- a/test/e2e/common_test.go +++ b/test/e2e/common_test.go @@ -856,12 +856,8 @@ func (p *PodmanTestIntegration) makeOptions(args []string, noEvents, noCache boo eventsType = "none" } - podmanOptions := strings.Split(fmt.Sprintf("%s--root %s --runroot %s --runtime %s --conmon %s --network-config-dir %s --cgroup-manager %s --tmpdir %s --events-backend %s", - debug, p.Root, p.RunRoot, p.OCIRuntime, p.ConmonBinary, p.NetworkConfigDir, p.CgroupManager, p.TmpDir, eventsType), " ") - - if !p.RemoteTest { - podmanOptions = append(podmanOptions, "--network-backend", p.NetworkBackend.ToString()) - } + podmanOptions := strings.Split(fmt.Sprintf("%s--root %s --runroot %s --runtime %s --conmon %s --network-config-dir %s --network-backend %s --cgroup-manager %s --tmpdir %s --events-backend %s", + debug, p.Root, p.RunRoot, p.OCIRuntime, p.ConmonBinary, p.NetworkConfigDir, p.NetworkBackend.ToString(), p.CgroupManager, p.TmpDir, eventsType), " ") podmanOptions = append(podmanOptions, strings.Split(p.StorageOptions, " ")...) if !noCache { diff --git a/test/e2e/containers_conf_test.go b/test/e2e/containers_conf_test.go index 819efa628..41e78ce0e 100644 --- a/test/e2e/containers_conf_test.go +++ b/test/e2e/containers_conf_test.go @@ -535,7 +535,8 @@ var _ = Describe("Verify podman containers.conf usage", func() { It("podman containers.conf cgroups=disabled", func() { if !strings.Contains(podmanTest.OCIRuntime, "crun") { - Skip("FIXME: requires crun") + // Assume this will never be fixed in runc + Skip("NoCgroups requires crun") } conffile := filepath.Join(podmanTest.TempDir, "container.conf") diff --git a/test/e2e/libpod_suite_remote_test.go b/test/e2e/libpod_suite_remote_test.go index 19affbc6d..86be17eb3 100644 --- a/test/e2e/libpod_suite_remote_test.go +++ b/test/e2e/libpod_suite_remote_test.go @@ -136,11 +136,8 @@ func (p *PodmanTestIntegration) StopRemoteService() { // MakeOptions assembles all the podman main options func getRemoteOptions(p *PodmanTestIntegration, args []string) []string { networkDir := p.NetworkConfigDir - podmanOptions := strings.Split(fmt.Sprintf("--root %s --runroot %s --runtime %s --conmon %s --network-config-dir %s --cgroup-manager %s", - p.Root, p.RunRoot, p.OCIRuntime, p.ConmonBinary, networkDir, p.CgroupManager), " ") - if p.NetworkBackend.ToString() == "netavark" { - podmanOptions = append(podmanOptions, "--network-backend", "netavark") - } + podmanOptions := strings.Split(fmt.Sprintf("--root %s --runroot %s --runtime %s --conmon %s --network-config-dir %s --network-backend %s --cgroup-manager %s", + p.Root, p.RunRoot, p.OCIRuntime, p.ConmonBinary, networkDir, p.NetworkBackend.ToString(), p.CgroupManager), " ") podmanOptions = append(podmanOptions, strings.Split(p.StorageOptions, " ")...) podmanOptions = append(podmanOptions, args...) return podmanOptions diff --git a/test/e2e/manifest_test.go b/test/e2e/manifest_test.go index ecddf2935..1f58419a1 100644 --- a/test/e2e/manifest_test.go +++ b/test/e2e/manifest_test.go @@ -293,9 +293,6 @@ var _ = Describe("Podman manifest", func() { }) It("authenticated push", func() { - if podmanTest.Host.Distribution == "ubuntu" && IsRemote() { - Skip("FIXME: #15017. Registry times out.") - } registryOptions := &podmanRegistry.Options{ Image: "docker-archive:" + imageTarPath(REGISTRY_IMAGE), } diff --git a/test/e2e/pod_infra_container_test.go b/test/e2e/pod_infra_container_test.go index a2e090524..b53630156 100644 --- a/test/e2e/pod_infra_container_test.go +++ b/test/e2e/pod_infra_container_test.go @@ -435,4 +435,20 @@ var _ = Describe("Podman pod create", func() { Expect(session).Should(Exit(0)) Expect(session.OutputToString()).To(ContainSubstring(hostname)) }) + + tests := []string{"", "none"} + for _, test := range tests { + test := test + It("podman pod create --share="+test+" should not create an infra ctr", func() { + session := podmanTest.Podman([]string{"pod", "create", "--share", test}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + + session = podmanTest.Podman([]string{"pod", "inspect", "--format", "{{.NumContainers}}", session.OutputToString()}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) + Expect(session.OutputToString()).Should((Equal("0"))) + }) + } + }) diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 64b70f1ee..c7a0b3f2b 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -715,9 +715,7 @@ USER bin`, BB) }) It("podman run device-read-bps test", func() { - SkipIfCgroupV1("FIXME: #15035 - bps broken") - SkipIfRootless("FIXME: requested cgroup controller `io` is not available") - SkipIfRootlessCgroupsV1("Setting device-read-bps not supported on cgroupv1 for rootless users") + SkipIfRootless("Setting device-read-bps not supported for rootless users") var session *PodmanSessionIntegration @@ -735,9 +733,7 @@ USER bin`, BB) }) It("podman run device-write-bps test", func() { - SkipIfCgroupV1("FIXME: #15035 - bps broken") - SkipIfRootless("FIXME: requested cgroup controller `io` is not available") - SkipIfRootlessCgroupsV1("Setting device-write-bps not supported on cgroupv1 for rootless users") + SkipIfRootless("Setting device-write-bps not supported for rootless users") var session *PodmanSessionIntegration @@ -754,9 +750,7 @@ USER bin`, BB) }) It("podman run device-read-iops test", func() { - SkipIfCgroupV1("FIXME: #15035 - bps broken") - SkipIfRootless("FIXME: requested cgroup controller `io` is not available") - SkipIfRootlessCgroupsV1("Setting device-read-iops not supported on cgroupv1 for rootless users") + SkipIfRootless("Setting device-read-iops not supported for rootless users") var session *PodmanSessionIntegration if CGROUPSV2 { @@ -773,9 +767,7 @@ USER bin`, BB) }) It("podman run device-write-iops test", func() { - SkipIfCgroupV1("FIXME: #15035 - bps broken") - SkipIfRootless("FIXME: requested cgroup controller `io` is not available") - SkipIfRootlessCgroupsV1("Setting device-write-iops not supported on cgroupv1 for rootless users") + SkipIfRootless("Setting device-write-iops not supported for rootless users") var session *PodmanSessionIntegration if CGROUPSV2 { @@ -1243,6 +1235,7 @@ USER mail`, BB) }) It("podman run --mount type=bind,bind-nonrecursive", func() { + // crun: mount `/` to `/host`: Invalid argument SkipIfRootless("FIXME: rootless users are not allowed to mount bind-nonrecursive (Could this be a Kernel bug?") session := podmanTest.Podman([]string{"run", "--mount", "type=bind,bind-nonrecursive,slave,src=/,target=/host", fedoraMinimal, "findmnt", "-nR", "/host"}) session.WaitWithDefaultTimeout() diff --git a/test/system/030-run.bats b/test/system/030-run.bats index e62e7679f..5014ef47b 100644 --- a/test/system/030-run.bats +++ b/test/system/030-run.bats @@ -855,4 +855,19 @@ EOF run_podman rm $output } +@test "podman run --device-read-bps" { + skip_if_rootless "cannot use this flag in rootless mode" + # this test is a triple check on blkio flags since they seem to sneak by the tests + if is_cgroupsv2; then + run_podman run -dt --device-read-bps=/dev/zero:1M $IMAGE top + run_podman exec -it $output cat /sys/fs/cgroup/io.max + is "$output" ".*1:5 rbps=1048576 wbps=max riops=max wiops=max" "throttle devices passed successfully.*" + else + run_podman run -dt --device-read-bps=/dev/zero:1M $IMAGE top + run_podman exec -it $output cat /sys/fs/cgroup/blkio/blkio.throttle.read_bps_device + is "$output" ".*1:5 1048576" "throttle devices passed successfully.*" + fi + run_podman container rm -fa +} + # vim: filetype=sh diff --git a/test/system/520-checkpoint.bats b/test/system/520-checkpoint.bats index 7f60f01b3..7c8fc143a 100644 --- a/test/system/520-checkpoint.bats +++ b/test/system/520-checkpoint.bats @@ -12,7 +12,7 @@ function setup() { # could run to see if it's fixed, but it's way too complicated. Since # integration tests also skip checkpoint tests on Ubuntu, do the same here. if is_ubuntu; then - skip "FIXME: checkpointing broken in Ubuntu 2004, 2104, 2110, ..." + skip "FIXME: checkpointing broken in Ubuntu 2004, 2104, 2110, 2204, ..." fi # None of these tests work rootless.... diff --git a/test/utils/utils.go b/test/utils/utils.go index e84b57cc6..9c2a63c81 100644 --- a/test/utils/utils.go +++ b/test/utils/utils.go @@ -110,9 +110,6 @@ func (p *PodmanTest) PodmanAsUserBase(args []string, uid, gid uint32, cwd string } runCmd := wrapper runCmd = append(runCmd, podmanBinary) - if !p.RemoteTest && p.NetworkBackend == Netavark { - runCmd = append(runCmd, []string{"--network-backend", "netavark"}...) - } if env == nil { fmt.Printf("Running: %s %s\n", strings.Join(runCmd, " "), strings.Join(podmanOptions, " ")) |
