summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* Merge pull request #15057 from marshall-lee/tls-verify-default-trueOpenShift Merge Robot2022-07-26
|\ | | | | Set TLSVerify=true by default for API endpoints
| * Set TLSVerify=true by default for API endpointsVladimir Kochnev2022-07-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Option defaults in API must be the same as in CLI. ``` % podman image push --help % podman image pull --help % podman manifest push --help % podman image search --help ``` All of these CLI commands them have --tls-verify=true by default: ``` --tls-verify require HTTPS and verify certificates when accessing the registry (default true) ``` As for `podman image build`, it doesn't have any means to control `tlsVerify` parameter but it must be true by default. Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
* | Merge pull request #15058 from edsantiago/obsolete_skipsOpenShift Merge Robot2022-07-26
|\ \ | |/ |/| Semiperiodoc cleanup of obsolete FIXMEs
| * Semiperiodoc cleanup of obsolete FIXMEsEd Santiago2022-07-25
|/ | | | | | | | | | | | | | | | Some refer to issues that are closed. Remove them. Some are runc bugs that will never be fixed. Say so, and remove the FIXME. One (bps/iops) should probably be fixed. File an issue for it, and update comment to include the issue# so my find-obsolete-skips script can track it. And one (rootless mount with a "kernel bug?" comment) is still not fixed. Leave the skip, but add a comment documenting the symptom. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #15064 from vrothberg/benchmarksOpenShift Merge Robot2022-07-25
|\ | | | | benchmarks: fix create test
| * benchmarks: fix create testValentin Rothberg2022-07-25
|/ | | | | | And a new one for `run --detach`. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* Merge pull request #15035 from cdoern/cgroupOpenShift Merge Robot2022-07-23
|\ | | | | fix container create/run throttle devices
| * fix container create/run throttle devicesCharlie Doern2022-07-22
| | | | | | | | | | | | pod resource limits introduced a regression where `FinishThrottleDevices` was not called for create/run Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | Merge pull request #15042 from Luap99/int-remote-netbackendOpenShift Merge Robot2022-07-22
|\ \ | | | | | | integration test: fix network backend option with remote
| * | integration test: fix network backend option with remotePaul Holzinger2022-07-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I honestly do not understand all this extra option parsing here but there is really no reason to exclude the option for remote, all the other global options are also set there. This fixes a problem with mixed cni/netavark use because the option was unset. Fixes #15017 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #15039 from Luap99/cni-docOpenShift Merge Robot2022-07-22
|\ \ \ | | | | | | | | [CI:DOCS] docs: remove CNI word where it is not applicable
| * | | docs: remove CNI word where it is not applicablePaul Holzinger2022-07-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Most network commands/features work with both netavark and CNI. When we added added netavark most docs were not vetted and thus still use CNI network, it should just say network. Fixes #14990 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | | Merge pull request #14976 from giuseppe/do-not-lock-containers-pod-rmOpenShift Merge Robot2022-07-22
|\ \ \ \ | | | | | | | | | | libpod: do not lock all containers on pod rm
| * | | | libpod: do not lock all containers on pod rmGiuseppe Scrivano2022-07-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | do not attempt to lock all containers on pod rm since it can cause deadlocks when other podman cleanup processes are attempting to lock the same containers in a different order. [NO NEW TESTS NEEDED] Closes: https://github.com/containers/podman/issues/14929 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | Merge pull request #15038 from vrothberg/wait-errorOpenShift Merge Robot2022-07-22
|\ \ \ \ \ | | | | | | | | | | | | container wait: improve error message
| * | | | | container wait: improve error messageValentin Rothberg2022-07-22
| | |/ / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Improve the error message when looking up the exit code of a container. The state of the container may help us track down #14859 which flakes rarely and is impossible to reproduce on my machine. [NO NEW TESTS NEEDED] Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | | | | Merge pull request #14967 from sstosh/pause-optionOpenShift Merge Robot2022-07-22
|\ \ \ \ \ | | | | | | | | | | | | Add pause/unpause --latest, --cidfile, --filter
| * | | | | Add pause/unpause --latest, --cidfile, --filterToshiki Sonoda2022-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | --latest : pause/unpause the latest container. --filter : pause/unpause the filtered container. --cidfile : Read container ID from the specified file and pause/unpause the container. Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
* | | | | | Merge pull request #14957 from edsantiago/dont_remake_remoteOpenShift Merge Robot2022-07-22
|\ \ \ \ \ \ | | | | | | | | | | | | | | Makefile: use order-only prereq for podman-remote
| * | | | | | Makefile: use order-only prereq for podman-remoteEd Santiago2022-07-19
| | |_|/ / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman-remote has a dependency on $(SRCBINDIR), because on Mac and Windows that's a special dir that may not exist. But depending on a directory means depending on its mtime, which changes every time a file in it is updated, which means running 'make' twice in a row will rebuild podman-remote for no good reason. Solution: GNU Make has the concept of "order-only" prerequisites, precisely for this situation. Use it. Since it's an obscure feature, document it. UPDATE: This exposed some nasty duplication wrt podman-remote rules. Clean those up, and add comments to some confusing sections. Fixes: #14756 (Also, drive-by edit to remove a stray misdocumented non-option) Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | | | Merge pull request #15040 from Luap99/api-umaskOpenShift Merge Robot2022-07-22
|\ \ \ \ \ \ | | | | | | | | | | | | | | API: libpod/create use correct default umask
| * | | | | | API: libpod/create use correct default umaskPaul Holzinger2022-07-22
| | |_|_|/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make sure containers created via API have the correct umask from containers.conf set. Fixes #15036 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | | | | Merge pull request #14567 from cdoern/secretsOpenShift Merge Robot2022-07-22
|\ \ \ \ \ \ | |_|_|_|_|/ |/| | | | | Implement kubernetes secret handling for podman play kube
| * | | | | kube secret handling for podman play kubecdoern2022-07-20
| | |_|/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | add support for both creating a secret using yaml and mounting a secret as a volume given a yaml file. Kubernetes secrets have a different structure than podman and therefore have to be handeled differently. In this PR, I have introduced the basic usecases of kube secrets with more implementations like env secrets to come! resolves #12396 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | | | | Merge pull request #15016 from Luap99/compat-netnameOpenShift Merge Robot2022-07-22
|\ \ \ \ \ | |_|/ / / |/| | | | compat api: allow default bridge name for networks
| * | | | compose test: remove cni config copyPaul Holzinger2022-07-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The network backend always has default config in memory so there is no need to copy it. Also netavark cannot use it. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * | | | compat api: always turn on network isolation for networksPaul Holzinger2022-07-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix some network option parsing logic to use constants. Always use the isolate option since this is what docker does. Remove the icc option, this is different from isolate and it is not implemented. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * | | | compat api: allow default bridge name for networksPaul Holzinger2022-07-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Docker uses "bridge" as default network name so some tools expect this to work with network list or inspect. To fix this we change "bridge" to the podman default ("podman") name. Fixes #14983 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | | | Merge pull request #14972 from edsantiago/ubuntu_cgroups_v1OpenShift Merge Robot2022-07-22
|\ \ \ \ \ | |_|_|_|/ |/| | | | Bump VMs, to Ubuntu 2204 with cgroups v1
| * | | | Bump VMs, to Ubuntu 2204 with cgroups v1Ed Santiago2022-07-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ...and enable the at-test-time confirmation, the one that double-checks that if CI requests runc we actually use runc. This exposed a nasty surprise in our setup: there are steps to define $OCI_RUNTIME, but that's actually a total fakeout! OCI_RUNTIME is used only in e2e tests, it has no effect whatsoever on actual podman itself as invoked via command line such as in system tests. Solution: use containers.conf Given how fragile all this runtime stuff is, I've also added new tests (e2e and system) that will check $CI_DESIRED_RUNTIME. Image source: https://github.com/containers/automation_images/pull/146 Since we haven't actually been testing with runc, we need to fix a few tests: - handle an error-message change (make it work in both crun and runc) - skip one system test, "survive service stop", that doesn't work with runc and I don't think we care. ...and skip a bunch, filing issues for each: - #15013 pod create --share-parent - #15014 timeout in dd - #15015 checkpoint tests time out under $CONTAINER - #15017 networking timeout with registry - #15018 restore --pod gripes about missing --pod - #15025 run --uidmap broken - #15027 pod inspect cgrouppath broken - ...and a bunch more ("podman pause") that probably don't even merit filing an issue. Also, use /dev/urandom in one test (was: /dev/random) because the test is timing out and /dev/urandom does not block. (But the test is still timing out anyway, even with this change) Also, as part of the VM switch we are now using go 1.18 (up from 1.17) and this broke the gitlab tests. Thanks to @Luap99 for a quick fix. Also, slight tweak to #15021: include the timeout value, and reword message so command string is at end. Also, fixed a misspelling in a test name. Fixes: #14833 Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | | Merge pull request #14968 from jmguzik/compatOpenShift Merge Robot2022-07-22
|\ \ \ \ \ | | | | | | | | | | | | Compat API: unify pull/push and add missing progress info
| * | | | | Compat API: unify pull/push and add missing progress infoJakub Guzik2022-07-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Progress bar in JSONMessage is missing compared to docker output both in pull and push. Additionaly, pull was not using JSONMessage while push was using the type. [NO NEW TESTS NEEDED] Signed-off-by: Jakub Guzik <jguzik@redhat.com>
* | | | | | Merge pull request #15010 from Luap99/machine-e2eOpenShift Merge Robot2022-07-22
|\ \ \ \ \ \ | | | | | | | | | | | | | | enable linter for pkg/machine/e2e
| * | | | | | fix broken machine testPaul Holzinger2022-07-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The memory both local and in the CI test is converted to 3822. I don't know why this changed but I want to have this working again. For the future we should look at a more robust solution. Fixes #15012 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * | | | | | pkg/machine/e2e: do not import from cmd/podmanPaul Holzinger2022-07-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The same problem again as 4374038cc67405e3f5555b1870d5bb7f6570fa5d. Also fix the incorrect --format autocompletion struct. It should be avoided to import cmd/podman/... packages from outside of cmd/podman. This can lead in weird hard to debug import paths but also can have negative consequences when imported in unit tests. In this case it will set XDG_CONFIG_HOME and thus the machine tests this dir over the tmp HOME env variable which is set at a later point. This caused machine files to be leaked into the actual users home dir. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * | | | | | fix some pkg/machine/e2e test to read stderrPaul Holzinger2022-07-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Also fix the machine ssh code order to provide a better error message. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * | | | | | enable linter for pkg/machine/e2ePaul Holzinger2022-07-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rename all files to _test.go and rename the package to e2e_test. This makes the linter less strict about things like dot imports. Add some unused nolint directives to silence some warnings, these can be used to find untested options so someone could add tests for them. Fixes #14996 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | | | | | Merge pull request #15022 from vrothberg/fix-14971OpenShift Merge Robot2022-07-22
|\ \ \ \ \ \ \ | |_|_|/ / / / |/| | | | | | remote push: show copy progress
| * | | | | | remote push: show copy progressValentin Rothberg2022-07-21
| |/ / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `podman-remote push` has shown absolutely no progress at all. Fix that by doing essentially the same as the remote-pull code does. The get-free-out-of-jail-card for backwards compatibility is to let the `quiet` parameter default to true. Since the --quioet flag wasn't working before either, older Podman clients do not set it. Also add regression tests to make sure we won't regress again. Fixes: #11554 Fixes: #14971 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | | | | | Merge pull request #14876 from cdoern/cgroupOpenShift Merge Robot2022-07-21
|\ \ \ \ \ \ | | | | | | | | | | | | | | resource limits for pods
| * | | | | | resource limits for podsCharlie Doern2022-07-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | added the following flags and handling for podman pod create --memory-swap --cpuset-mems --device-read-bps --device-write-bps --blkio-weight --blkio-weight-device --cpu-shares given the new backend for systemd in c/common, all of these can now be exposed to pod create. most of the heavy lifting (nearly all) is done within c/common. However, some rewiring needed to be done here as well! Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | | | | | | Merge pull request #15030 from cevich/gitlab_commentOpenShift Merge Robot2022-07-21
|\ \ \ \ \ \ \ | |/ / / / / / |/| | | | | | [CI:DOCS] Cirrus: Add prominent gitlab warning
| * | | | | | [CI:DOCS] Cirrus: Add prominent gitlab warningChris Evich2022-07-21
|/ / / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It was not obvious enough in the scripts how much of a snowflake this environment is. Fix that with lots of capitalized words and asterisks. Signed-off-by: Chris Evich <cevich@redhat.com>
* | | | | | Merge pull request #15003 from giuseppe/create-etc-passwdOpenShift Merge Robot2022-07-21
|\ \ \ \ \ \ | |/ / / / / |/| | | | | libpod: create /etc/passwd if missing
| * | | | | libpod: create /etc/passwd if missingGiuseppe Scrivano2022-07-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | create the /etc/passwd and /etc/group files if they are missing in the image. Closes: https://github.com/containers/podman/issues/14966 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | | Merge pull request #15021 from Luap99/e2e-timeout-outputOpenShift Merge Robot2022-07-21
|\ \ \ \ \ \ | | | | | | | | | | | | | | e2e: show command and output when a timeout happens
| * | | | | | e2e: show command and output when a timeout happensPaul Holzinger2022-07-21
| | |_|/ / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To make debugging easier we should see the command and its output when a failure happens. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | | | | Merge pull request #14984 from Luap99/logsOpenShift Merge Robot2022-07-21
|\ \ \ \ \ \ | | | | | | | | | | | | | | fix goroutine leaks in events and logs backend
| * | | | | | fix goroutine leaks in events and logs backendPaul Holzinger2022-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When running a single podman logs this is not really important since we will exit when we finish reading the logs. However for the system service this is very important. Leaking goroutines will cause an increased memory and CPU ussage over time. Both the the event and log backend have goroutine leaks with both the file and journald drivers. The journald backend has the problem that journal.Wait(IndefiniteWait) will block until we get a new journald event. So when a client closes the connection the goroutine would still wait until there is a new journal entry. To fix this we just wait for a maximum of 5 seconds, after that we can check if the client connection was closed and exit correctly in this case. For the file backend we can fix this by waiting for either the log line or context cancel at the same time. Currently it would block waiting for new log lines and only check afterwards if the client closed the connection and thus hang forever if there are no new log lines. [NO NEW TESTS NEEDED] I am open to ideas how we can test memory leaks in CI. To test manually run a container like this: `podman run --log-driver $driver --name test -d alpine sh -c 'i=1; while [ "$i" -ne 1000 ]; do echo "line $i"; i=$((i + 1)); done; sleep inf'` where `$driver` can be either `journald` or `k8s-file`. Then start the podman system service and use: `curl -m 1 --output - --unix-socket $XDG_RUNTIME_DIR/podman/podman.sock -v 'http://d/containers/test/logs?follow=1&since=0&stderr=1&stdout=1' &>/dev/null` to get the logs from the API and then it closes the connection after 1 second. Now run the curl command several times and check the memory usage of the service. Fixes #14879 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | | | | | Merge pull request #15004 from vrothberg/fix-duplicatesOpenShift Merge Robot2022-07-21
|\ \ \ \ \ \ \ | |_|/ / / / / |/| | | | | | podman-remote pull: fix duplicate progress outputs