summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* pkginstaller: add makefile target to notarize the built pkgAnjan Nath2022-08-04
| | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Anjan Nath <kaludios@gmail.com>
* pkginstaller: sign qemu-system-* binary for the pkgAnjan Nath2022-08-04
| | | | | | | | | add file hvf.entitlements which has the com.apple.security.hypervisor entitlement needed for qemu [NO NEW TESTS NEEDED] Signed-off-by: Anjan Nath <kaludios@gmail.com>
* Add support for building macOS pkg installerAnjan Nath2022-08-04
| | | | | | | | | | | | | | it installs podman and supporting binaries along with qemu to have a functioning podman install using a pkg podman and podman-mac-helper is compiled from source gvproxy binary is downloaded from its github releases and qemu from github release of containers/podman-machine-qemu [NO NEW TESTS NEEDED] Signed-off-by: Anjan Nath <kaludios@gmail.com>
* Merge pull request #15142 from mtrmac/sigstore-sign-4.2openshift-ci[bot]2022-08-02
|\ | | | | [v4.2] Sigstore sign
| * Add support for creating sigstore signatures, and providing passphrasesMiloslav Trmač2022-08-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Allow creating sigstore signatures via --sign-by-sigstore-private-key . Like existing --sign-by, it does not work remote (in this case because we would have to copy the private key to the server). - Allow passing a passphrase (which is mandatory for sigstore private keys) via --sign-passphrase-file; if it is not provided, prompt interactively. - Also, use that passphrase for --sign-by as well, allowing non-interactive GPG use. (But --sign-passphrase-file can only be used with _one of_ --sign-by and --sign-by-sigstore-private-key.) Note that unlike the existing code, (podman build) does not yet implement sigstore (I'm not sure why it needs to, it seems not to push images?) because Buildah does not expose the feature yet. Also, (podman image sign) was not extended to support sigstore. The test for this follows existing (podman image sign) tests and doesn't work rootless; that could be improved by exposing a registries.d override option. The test for push is getting large; I didn't want to start yet another registry container, but that would be an alternative. In the future, Ginkgo's Ordered/BeforeAll would allow starting a registry once and using it for two tests. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Hide podman manifest push --sign-by on remoteMiloslav Trmač2022-08-02
| | | | | | | | | | | | ... because it is documented to be ignored. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Use signByFlagName instead of copy&pasting the stringMiloslav Trmač2022-08-02
| | | | | | | | Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Remove libpod/commonMiloslav Trmač2022-08-02
| | | | | | | | | | | | AFAICS it is not used anywhere. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Update c/common to an unreleased versionMiloslav Trmač2022-08-02
| | | | | | | | | | | | ... to get https://github.com/containers/common/pull/1106 . Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Update the registry server we test against from 2.6 to 2.8Miloslav Trmač2022-08-02
| | | | | | | | | | | | | | | | | | | | | | | | | | ... primarily so that it can support OCI artifacts. 2.8 already seems to exist in the repo. This requires changing WaitContainerReady to also check stderr (ultimately because docker/distribution was updated to a more recent sirupsen/logrus, which logs by default to stderr instead of stdout). Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Use existing REGISTRY_IMAGE variables in more placesMiloslav Trmač2022-08-02
| | | | | | | | | | | | | | | | | | ... instead of hard-coding a copy of the value. Notably this makes hack/podman_registry actually support the documented -i option. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Use httpasswd from the surrouding OS instead of the registry imageMiloslav Trmač2022-08-02
| | | | | | | | | | | | | | | | | | | | | | htpasswd is no longer included in docker.io/library/distribution after 2.7.0, per https://github.com/docker/distribution-library-image/issues/107 , and we want to upgrade to a recent version. At least system tests currently execute htpasswd from the OS, so it seems that it is likely to be available. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * fix e2e sign testsValentin Rothberg2022-08-02
|/ | | | | | | The key used in the tests has expired. Remove the expiration date to turn CI happy and green. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* Merge pull request #15076 from mheon/bump_420_rc2OpenShift Merge Robot2022-07-27
|\ | | | | Bump to v4.2.0-RC2
| * Final v4.2.0-RC2 release notesMatthew Heon2022-07-27
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Skip one failing test on UbuntuMatthew Heon2022-07-27
| | | | | | | | | | | | | | | | Probably a result of the Ubuntu images being bumped on Main but not in this branch. Not worth chasing down exactly what's going wrong, so let's just disable it. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Fix incorrect release note about regexpMatthew Heon2022-07-26
| | | | | | | | | | | | | | Label matching did not use regular expressions, it used glob matching. Let's fix the release notes to prevent confusion. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Bump to v4.2.0-devMatthew Heon2022-07-26
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Bump to v4.2.0-RC2v4.2.0-rc2Matthew Heon2022-07-26
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Final release notes for v4.2.0-RC2Matthew Heon2022-07-26
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * [CI:DOCS] podman-generate-systemd.1.md: document --sdnotifyErik Sjölund2022-07-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | * Document why the default value for --sdnotify is overridden. Some was included text from https://github.com/containers/podman/issues/15029#issuecomment-1192244755 * Document that --sdnotify=ignore is overridden. Fixes #15029 Co-authored-by: Valentin Rothberg <vrothberg@redhat.com> Co-authored-by: Tom Sweeney <tsweeney@redhat.com> Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
| * pod create --share none should not create infraCharlie Doern2022-07-26
| | | | | | | | | | | | | | | | | | | | | | for podman pod create, when we are not sharing any namespaces there is no point for the infra container. This is especially true since resources have also been decoupled from the container recently. handle this on the cmd level so that we can still create infra if set explicitly resolves #15048 Signed-off-by: Charlie Doern <cdoern@redhat.com>
| * machine: Fix check which is always trueChristophe Fergeau2022-07-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Before making / mutable/immutable, podman-machine checks if the mount is being done in /home or /mnt. However the current check is always going to be true: ``` !strings.HasPrefix(mount.Target, "/home") || !strings.HasPrefix(mount.Target, "/mnt") ``` is false when mount.Target starts with "/home" and mount.Target starts with "/mnt", which cannot happen at the same time. The correct check is: ``` !strings.HasPrefix(mount.Target, "/home") && !strings.HasPrefix(mount.Target, "/mnt") ``` which can also be written as: ``` !(strings.HasPrefix(mount.Target, "/home") || strings.HasPrefix(mount.Target, "/mnt")) ``` The impact is not too bad, it results in extra 'chattr -i' calls which should be unneeded. [NO NEW TESTS NEEDED] Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
| * Set TLSVerify=true by default for API endpointsVladimir Kochnev2022-07-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Option defaults in API must be the same as in CLI. ``` % podman image push --help % podman image pull --help % podman manifest push --help % podman image search --help ``` All of these CLI commands them have --tls-verify=true by default: ``` --tls-verify require HTTPS and verify certificates when accessing the registry (default true) ``` As for `podman image build`, it doesn't have any means to control `tlsVerify` parameter but it must be true by default. Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
| * Semiperiodoc cleanup of obsolete FIXMEsEd Santiago2022-07-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some refer to issues that are closed. Remove them. Some are runc bugs that will never be fixed. Say so, and remove the FIXME. One (bps/iops) should probably be fixed. File an issue for it, and update comment to include the issue# so my find-obsolete-skips script can track it. And one (rootless mount with a "kernel bug?" comment) is still not fixed. Leave the skip, but add a comment documenting the symptom. Signed-off-by: Ed Santiago <santiago@redhat.com>
| * benchmarks: fix create testValentin Rothberg2022-07-26
| | | | | | | | | | | | And a new one for `run --detach`. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
| * integration test: fix network backend option with remotePaul Holzinger2022-07-26
| | | | | | | | | | | | | | | | | | | | | | | | | | I honestly do not understand all this extra option parsing here but there is really no reason to exclude the option for remote, all the other global options are also set there. This fixes a problem with mixed cni/netavark use because the option was unset. Fixes #15017 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * docs: remove CNI word where it is not applicablePaul Holzinger2022-07-26
| | | | | | | | | | | | | | | | | | | | Most network commands/features work with both netavark and CNI. When we added added netavark most docs were not vetted and thus still use CNI network, it should just say network. Fixes #14990 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * libpod: do not lock all containers on pod rmGiuseppe Scrivano2022-07-26
| | | | | | | | | | | | | | | | | | | | | | | | do not attempt to lock all containers on pod rm since it can cause deadlocks when other podman cleanup processes are attempting to lock the same containers in a different order. [NO NEW TESTS NEEDED] Closes: https://github.com/containers/podman/issues/14929 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * container wait: improve error messageValentin Rothberg2022-07-26
| | | | | | | | | | | | | | | | | | | | Improve the error message when looking up the exit code of a container. The state of the container may help us track down #14859 which flakes rarely and is impossible to reproduce on my machine. [NO NEW TESTS NEEDED] Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
| * Makefile: use order-only prereq for podman-remoteEd Santiago2022-07-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman-remote has a dependency on $(SRCBINDIR), because on Mac and Windows that's a special dir that may not exist. But depending on a directory means depending on its mtime, which changes every time a file in it is updated, which means running 'make' twice in a row will rebuild podman-remote for no good reason. Solution: GNU Make has the concept of "order-only" prerequisites, precisely for this situation. Use it. Since it's an obscure feature, document it. UPDATE: This exposed some nasty duplication wrt podman-remote rules. Clean those up, and add comments to some confusing sections. Fixes: #14756 (Also, drive-by edit to remove a stray misdocumented non-option) Signed-off-by: Ed Santiago <santiago@redhat.com>
| * API: libpod/create use correct default umaskPaul Holzinger2022-07-26
| | | | | | | | | | | | | | | | | | Make sure containers created via API have the correct umask from containers.conf set. Fixes #15036 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * compose test: remove cni config copyPaul Holzinger2022-07-26
| | | | | | | | | | | | | | The network backend always has default config in memory so there is no need to copy it. Also netavark cannot use it. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * compat api: always turn on network isolation for networksPaul Holzinger2022-07-26
| | | | | | | | | | | | | | | | | | Fix some network option parsing logic to use constants. Always use the isolate option since this is what docker does. Remove the icc option, this is different from isolate and it is not implemented. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * compat api: allow default bridge name for networksPaul Holzinger2022-07-26
| | | | | | | | | | | | | | | | | | | | Docker uses "bridge" as default network name so some tools expect this to work with network list or inspect. To fix this we change "bridge" to the podman default ("podman") name. Fixes #14983 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * Compat API: unify pull/push and add missing progress infoJakub Guzik2022-07-26
| | | | | | | | | | | | | | | | | | Progress bar in JSONMessage is missing compared to docker output both in pull and push. Additionaly, pull was not using JSONMessage while push was using the type. [NO NEW TESTS NEEDED] Signed-off-by: Jakub Guzik <jguzik@redhat.com>
| * remote push: show copy progressValentin Rothberg2022-07-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `podman-remote push` has shown absolutely no progress at all. Fix that by doing essentially the same as the remote-pull code does. The get-free-out-of-jail-card for backwards compatibility is to let the `quiet` parameter default to true. Since the --quioet flag wasn't working before either, older Podman clients do not set it. Also add regression tests to make sure we won't regress again. Fixes: #11554 Fixes: #14971 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
| * fix broken machine testPaul Holzinger2022-07-26
| | | | | | | | | | | | | | | | | | | | The memory both local and in the CI test is converted to 3822. I don't know why this changed but I want to have this working again. For the future we should look at a more robust solution. Fixes #15012 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * pkg/machine/e2e: do not import from cmd/podmanPaul Holzinger2022-07-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The same problem again as 4374038cc67405e3f5555b1870d5bb7f6570fa5d. Also fix the incorrect --format autocompletion struct. It should be avoided to import cmd/podman/... packages from outside of cmd/podman. This can lead in weird hard to debug import paths but also can have negative consequences when imported in unit tests. In this case it will set XDG_CONFIG_HOME and thus the machine tests this dir over the tmp HOME env variable which is set at a later point. This caused machine files to be leaked into the actual users home dir. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * fix some pkg/machine/e2e test to read stderrPaul Holzinger2022-07-26
| | | | | | | | | | | | Also fix the machine ssh code order to provide a better error message. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * enable linter for pkg/machine/e2ePaul Holzinger2022-07-26
| | | | | | | | | | | | | | | | | | | | | | | | Rename all files to _test.go and rename the package to e2e_test. This makes the linter less strict about things like dot imports. Add some unused nolint directives to silence some warnings, these can be used to find untested options so someone could add tests for them. Fixes #14996 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * [CI:DOCS] Cirrus: Add prominent gitlab warningChris Evich2022-07-26
| | | | | | | | | | | | | | It was not obvious enough in the scripts how much of a snowflake this environment is. Fix that with lots of capitalized words and asterisks. Signed-off-by: Chris Evich <cevich@redhat.com>
| * libpod: create /etc/passwd if missingGiuseppe Scrivano2022-07-26
| | | | | | | | | | | | | | | | | | create the /etc/passwd and /etc/group files if they are missing in the image. Closes: https://github.com/containers/podman/issues/14966 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * e2e: show command and output when a timeout happensPaul Holzinger2022-07-26
| | | | | | | | | | | | | | To make debugging easier we should see the command and its output when a failure happens. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * fix goroutine leaks in events and logs backendPaul Holzinger2022-07-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When running a single podman logs this is not really important since we will exit when we finish reading the logs. However for the system service this is very important. Leaking goroutines will cause an increased memory and CPU ussage over time. Both the the event and log backend have goroutine leaks with both the file and journald drivers. The journald backend has the problem that journal.Wait(IndefiniteWait) will block until we get a new journald event. So when a client closes the connection the goroutine would still wait until there is a new journal entry. To fix this we just wait for a maximum of 5 seconds, after that we can check if the client connection was closed and exit correctly in this case. For the file backend we can fix this by waiting for either the log line or context cancel at the same time. Currently it would block waiting for new log lines and only check afterwards if the client closed the connection and thus hang forever if there are no new log lines. [NO NEW TESTS NEEDED] I am open to ideas how we can test memory leaks in CI. To test manually run a container like this: `podman run --log-driver $driver --name test -d alpine sh -c 'i=1; while [ "$i" -ne 1000 ]; do echo "line $i"; i=$((i + 1)); done; sleep inf'` where `$driver` can be either `journald` or `k8s-file`. Then start the podman system service and use: `curl -m 1 --output - --unix-socket $XDG_RUNTIME_DIR/podman/podman.sock -v 'http://d/containers/test/logs?follow=1&since=0&stderr=1&stdout=1' &>/dev/null` to get the logs from the API and then it closes the connection after 1 second. Now run the curl command several times and check the memory usage of the service. Fixes #14879 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * podman-remote pull: fix duplicate progress outputsValentin Rothberg2022-07-26
| | | | | | | | | | | | | | By vendoring the fixes from containers/image. Also add a test (thanks @edsantiago) to make sure we won't regress in the future again. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
| * Fix potential leak on mid-stream read errorJason T. Greene2022-07-26
| | | | | | | | Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
| * vendor: remove unused depsAditya R2022-07-26
| | | | | | | | | | | | | | | | | | Some deps cleaned by `make vendor` [NO NEW TESTS NEEDED] [NO TESTS NEEDED] Signed-off-by: Aditya R <arajan@redhat.com>
| * Makefile: remove building pages for man5Aditya R2022-07-26
| | | | | | | | | | | | | | [NO NEW TESTS NEEDED] [NO TESTS NEEDED] Signed-off-by: Aditya R <arajan@redhat.com>
| * makefile: remove processing of pkg/docsAditya R2022-07-26
| | | | | | | | | | | | | | | | | | Since no pkg now containers this path [NO NEW TESTS NEEDED] [NO TESTS NEEDED] Signed-off-by: Aditya R <arajan@redhat.com>