Commit log (commit message, author, date)
* podman machine start: lookup qemu path again if not found (Paul Holzinger, 2022-03-30)
  We store the full path to qemu in the machine config. When the path changes on the host the machine can no longer be started. To fix it we get the path again when we fail to start the machine due to the missing binary. We want to store and use the full path first because otherwise existing machines can break when the qemu version changed.
  [NO NEW TESTS NEEDED] We still have no machine tests.
  Fixes #13394
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Remove experimental warning from podman-remote rpm (Paul Holzinger, 2022-03-30)
  podman-remote is considered stable and follows the same semver as podman. Fixes a question on the podman mailing list. https://lists.podman.io/archives/list/podman@lists.podman.io/thread/2DVCU5Z54U4PI5ROTBQXHDBLQSAXAHFU/
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* podman machine set: clarify --rootful option (Paul Holzinger, 2022-03-30)
  It is not quite clear what the difference between `podman machine set --rootful` and `podman system connection default` is. Add a small note with the difference; the --rootful option will also affect the socket forwarding.
  Fixes #13515
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* play: kube: use in-memory kubefile and remove tempfile (Christian Stewart, 2022-03-30)
  The PlayKube and PlayKubeDown commands accepted a "path" argument to a YAML file to play. This requires the caller to write the YAML to a file path. The downside of this is apparent in the HTTP handlers which have to use a temporary file on disk to store the YAML file. The file is opened & used as the body of the HTTP request. It's possible to instead pass an io.Reader and use a fully in-memory request body. Add backwards-compatible changes to bindings to allow passing either a filepath or an io.Reader body. Refactor the podman bindings to use an io.Reader instead of a filepath. Simplify the HTTP handlers for PlayKube by removing the now unneeded tempfile.
  [NO NEW TESTS NEEDED]
  Signed-off-by: Christian Stewart <christian@paral.in>
* machine-set: fix example for setting rootful flag (Aditya R, 2022-03-30)
  The flag is actually named `rootful` but was documented as `root`; fix the documented example to use the actual flag. Both `podman machine init` and `podman machine set` use the flag `rootfull`.
  [NO TESTS NEEDED] [NO NEW TESTS NEEDED]
  Signed-off-by: Aditya R <arajan@redhat.com>
* podman stats: calc CPU percentage correctly (Paul Holzinger, 2022-03-30)
  When you run podman stats, the first interval always shows the wrong cpu usage. To calculate the cpu percentage we get the cpu time from the cgroup and compare this against the system time between two stats. Since the first time we do not have previous stats, an empty struct is used instead. Thus we do not use the actual running time of the container but the current unix timestamp (time since Jan 1 1970). To fix this we make sure that the previous stats time is set to the container start time when it is empty.
  [NO NEW TESTS NEEDED] No idea how I could create a test which would have a predictable cpu usage. See the linked bugzilla for a reproducer.
  Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2066145
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* podman stats: improve cpu average calc (Paul Holzinger, 2022-03-30)
  We can just calculate the cpu percent for the time the container is running. There is no need to use datapoints.
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Explicitly use IPv4 to check if podman-machine VM is listening (Burt Holzman, 2022-03-30)
  When starting a VM that has been configured with volume mounts, the podman client attempts to connect via TCP to localhost, which runs gvproxy to proxy an ephemeral port to the VM's ssh port. Previously, gvproxy was listening on all interfaces and IP addresses, but this behavior has changed to listening only on the IPv4 loopback address. Without this change, if a newer build of gvproxy is used, a podman machine configured with volume mounts will hang forever after "podman machine start" with "Waiting for VM ...".
  [NO NEW TESTS NEEDED]
  Signed-off-by: Burt Holzman <burt@fnal.gov>
* Fix a potential race around the exec cleanup process (Matthew Heon, 2022-03-30)
  Every exec session run attached will, on exit, do two things: it will signal the associated `podman exec` that it is finished (to allow Podman to collect the exit code and exit), and spawn a cleanup process to clean up the exec session (in case the `podman exec` process died, we still need to clean up). If an exec session is created that exits almost instantly, but generates a large amount of output (e.g. prints thousands of lines), the cleanup process can potentially execute before `podman exec` has a chance to read the exit code, resulting in errors. Handle this by detecting if the cleanup process has already removed the exec session before handling the error from reading the exec exit code.
  [NO NEW TESTS NEEDED] I have no idea how to test this in CI.
  Fixes #13227
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* docs: Fix links to Containerfile and containerignore (John Kristensen, 2022-03-30)
  The documentation files for `Containerfile` and `containerignore` have been moved from the `buildah` repository to the `common` repository. ref: https://github.com/containers/buildah/commit/488e8654ea
  Signed-off-by: John Kristensen <john@jerrykan.com>
* podman unshare: document that command cannot be used with remote (Paul Holzinger, 2022-03-30)
  Fixes #13596
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* fix compose test error in retry logic (Paul Holzinger, 2022-03-30)
  We cannot use a local var outside of a function. We have to use a global one. Log: https://storage.googleapis.com/cirrus-ci-6707778565701632-fcae48/artifacts/containers/podman/5970023511490560/html/compose_v2-podman-fedora-35-root-host.log.html
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* libpod: drop warning if cgroup doesn't exist (Giuseppe Scrivano, 2022-03-30)
  do not print a warning on cgroup removal if it doesn't exist.
  Closes: https://github.com/containers/podman/issues/13382
  [NO NEW TESTS NEEDED]
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* healthcheck: stop showing wrong status when --no-healthcheck is set (Aditya R, 2022-03-30)
  Containers started with `--no-healthcheck` are configured to contain no healthcheck and have the test configured as `NONE`. Podman shows a wrong status in such use cases. The following commit fixes the faulty behavior of the status field for containers started with `--no-healthcheck`.
  Signed-off-by: Aditya R <arajan@redhat.com>
* Makefile: build podman-remote-static with cgo disabled (Lokesh Mandvekar, 2022-03-30)
  Resolves: #13557
  [NO NEW TESTS NEEDED]
  Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
* libpod: drop warning for Fedora 31 (Giuseppe Scrivano, 2022-03-30)
  drop a warning for runc not supporting cgroup v2 on Fedora 31.
  [NO NEW TESTS NEEDED]
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* podman system df: fix percent calculation (Paul Holzinger, 2022-03-30)
  To calculate the percentage we need floating point numbers. The current code however cast the result of reclaimable/size to an int first. Casting to an int in go will just discard the decimal points, thus the result was either 0 or 1, so if multiplied by 100 it would show up as 0% or 100%. To fix this we have to multiply by 100 first before casting the result to an int. Also add a check for div by zero which results in NaN and use math.Round() to correctly round a number.
  Ref #13516
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* pod system tests: clean up stray image (Ed Santiago, 2022-03-30)
  One of the pod tests was leaving a stray image behind, causing scary red warnings in CI logs. Clean that up. Also, now that #13541 has merged, use 'rmi --ignore' instead of ignoring exit status from rmi.
  Signed-off-by: Ed Santiago <santiago@redhat.com>
* Fix documentation typo (Kuldar Kaasik, 2022-03-30)
  Signed-off-by: Kuldar Kaasik <kaasikkuldar@gmail.com>
* fix compose test flake (Paul Holzinger, 2022-03-30)
  Reading from the nc socket is flaky because docker-compose only starts the containers. We cannot know at this point if the container did already send the message. Give the container 5 seconds to send the message to prevent flakes. This happened rarely with compose v1 but it looks like it will happen a lot more with compose v2. Example failure log: https://storage.googleapis.com/cirrus-ci-6707778565701632-fcae48/artifacts/containers/podman/6567556239589376/html/compose_v2-podman-fedora-35-rootless-host.log.html
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* fix dual stack network e2e flake (Paul Holzinger, 2022-03-30)
  We need to use different ipv6 subnets for the tests since they can collide otherwise when the tests are run in parallel. In the future we should rethink hardcoding subnets for ipv4/ipv6. This will make it impossible to run these tests if the subnet is already used on the host. Example log: https://storage.googleapis.com/cirrus-ci-6707778565701632-fcae48/artifacts/containers/podman/5711403297275904/html/int-podman-fedora-35-root-host-netavark.log.html#t--podman-network-create-with-multiple-subnets-dual-stack-with-gateway-and-range--1
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* podman machine: remove hostip from port (Paul Holzinger, 2022-03-30)
  Inside the podman machine vm we always remove the hostip from the port mapping because this should only be used on the actual host. Otherwise you run into issues when we would bind 127.0.0.1 or try to bind a host address that is not available in the VM. This was already done for cni/netavark ports and slirp4netns but not for the port bindings inside libpod which are only used as root.
  [NO NEW TESTS NEEDED] We still do not have machine tests!
  Fixes #13543
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* podman create: building local pause image: do not read ignore files (Valentin Rothberg, 2022-03-30)
  Make sure to ignore local {container,docker}ignore files when building a local pause image. Otherwise, we may mistakenly not be able to copy catatonit into the build container.
  Fixes: #13529
  Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* Separator is no longer prepended when prefix is empty on podman generate systemd (Nirmal Patel, 2022-03-30)
  When podman generate systemd is invoked, it previously did not check if container-prefix or pod-prefix are empty. When these are empty, the file name starts with the separator, which is hyphen by default. This results in files like '-containername.service'. The code now checks if these prefixes are empty. If they are, the filename no longer adds a separator. Instead, it uses name or ID of the container or pod.
  Closes #13272
  Signed-off-by: Nirmal Patel <npate012@gmail.com>
* [CI:DOCS]: Mention netavark limitations for macvlan/ipvlan drivers (Clayton Craft, 2022-03-30)
  The example is also improved to add the --subnet option, this option is required with netavark, else you get: Error: macvlan driver needs at least one subnet specified, DHCP is not supported with netavark
  Signed-off-by: Clayton Craft <clayton@craftyguy.net>
* fix empty newline in version output (Paul Holzinger, 2022-03-30)
  When podman is built without git commit information it will print an empty newline instead. This is undesirable and a regression introduced in commit 7d22cc88ef38. To test, build podman with `go build -mod=vendor -o bin/podman ./cmd/podman` and check the output of bin/podman version with and without this commit.
  [NO NEW TESTS NEEDED]
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* slirp: fix setup on ipv6 disabled systems (Paul Holzinger, 2022-03-30)
  When enable_ipv6=true is set for slirp4netns (default since podman v4), we will try to set the accept sysctl. This sysctl will not exist on systems that have ipv6 disabled. In this case we should not error and just ignore the extra ipv6 setup. Also the current logic to wait for the slirp4 setup was kinda broken, it did not actually wait until the sysctl was set before starting slirp. This should now be fixed by using two `sync.WaitGroup`s.
  [NO NEW TESTS NEEDED]
  Fixes #13388
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Fixes TTY & resizing on Mac and Windows (Jason T. Greene, 2022-03-30)
  Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
* Fix handling of tmpfs-mode for tmpfs creation in compat mode (Daniel J Walsh, 2022-03-30)
  The permissions on disk were wrong since we were not converting to octal.
  Fixes: https://github.com/containers/podman/issues/13108
  [NO NEW TESTS NEEDED] Since we don't currently test using the docker client
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Skip flaky pprof tests (Ed Santiago, 2022-03-30)
  pprof tests are way too flaky, and are causing problems for community contributors who don't have privs to press Re-run. There has been no activity or interest in fixing the bug, and it's not something I can fix. So, just disable the test.
  Signed-off-by: Ed Santiago <santiago@redhat.com>
* Move secret-verify-leak containerfile into its own Directory (Ashley Cui, 2022-03-30)
  Secret-verify-leak is causing flakes, when running in parallel tests. This is because remote secrets are copied into the context directory to send to the API server, and secret-verify-leak is doing a COPY * and then checking if the temporary secret file ends up in the container or not. Since all the temporary files are prefixed with "podman-build-secret", this test checks if podman-build-secret is in the image. However, when run in parallel with other tests, other temporary podman-build-secrets might be in the context dir. Moving secret-verify-leak into its own directory makes sure that the context dir is used only by this one test. Also renamed Dockerfile -> Containerfile and cleaned up unused Containerfiles.
  Signed-off-by: Ashley Cui <acui@redhat.com>
* Fixes: #13301 ("machine rm removes the mounted socket file on macos") (Thibault Gagnaux, 2022-03-30)
  [NO NEW TESTS NEEDED]
  Signed-off-by: Thibault Gagnaux <tgagnaux@gmail.com>
* Throw an error if kube yaml has duplicate ctr names (Urvashi Mohnani, 2022-03-30)
  Error out if the kube yaml passed to play kube has more than one container or init container with the same name.
  Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* libpod: pods do not use cgroups if --cgroups=disabled (Giuseppe Scrivano, 2022-03-30)
  do not attempt to use cgroups with pods if the cgroups are disabled. A similar check is already in place for containers.
  Closes: https://github.com/containers/podman/issues/13411
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* container: workdir resolution must consider symlink if explicitly configured (Aditya R, 2022-03-30)
  While resolving `workdir` we mostly create a `workdir` when `stat` fails with `ENOENT` or `ErrNotExist`; however, the following cases are not true when the user explicitly specifies a `workdir` while `running` using `--workdir`, which tells `podman` to only use the workdir if it exists on the container. The following configuration is implicitly set with other `run` mechanisms like `podman play kube`. The problem with an explicit `--workdir` or similar implicit config in `podman play kube` is that currently podman ignores the fact that the workdir can also be a `symlink` and the actual `link` could be valid. Hence the following commit ensures that in such scenarios, when a `workdir` is not found and we cannot create a `workdir`, podman must perform a check to ensure that if `workdir` is a `symlink` and the `link` is resolved successfully and the resolved link is present on the container then we return as it is. Docker performs a similar behaviour.
  Signed-off-by: Aditya R <arajan@redhat.com>
* Merge pull request #13694 from giuseppe/v4.0-backport-no-inheritable (OpenShift Merge Robot, 2022-03-30)
  [4.0] do not set the inheritable capabilities
  * test: fix podman run test as rootless (Giuseppe Scrivano, 2022-03-30)
    aafa80918a245edcbdaceb1191d749570f1872d0 introduced the regression.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
    (cherry picked from commit 640c2d53a88f46e997d4e5a594cfc85a57e74d36)
  * do not set the inheritable capabilities (Giuseppe Scrivano, 2022-03-30)
    The kernel never sets the inheritable capabilities for a process, they are only set by userspace. Emulate the same behavior.
    Closes: CVE-2022-27649
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
    (cherry picked from commit aafa80918a245edcbdaceb1191d749570f1872d0)
* Merge pull request #13568 from n1hility/upgrade-v4.0 (OpenShift Merge Robot, 2022-03-25)
  [v4.0] Add Windows installer support for upgrades
  * Add Windows installer support for upgrades (Jason T. Greene, 2022-03-19)
    Fixes duplicate installer entries after multiple installs
    Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
* Merge pull request #13614 from vrothberg/backport (Daniel J Walsh, 2022-03-24)
  [v4.0] vendor c/common@v0.47.5
  * vendor c/common@v0.47.5 (Valentin Rothberg, 2022-03-23)
    Update the login tests to reflect the latest changes to allow http{s} prefixes (again) to address bugzilla.redhat.com/show_bug.cgi?id=2062072. Backport of commit 57cdc21b0057.
    Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* Merge pull request #13630 from flouthoc/backport-race-build-v4.0 (OpenShift Merge Robot, 2022-03-24)
  [v4.0 backport] bump to race-free `c/image` and `c/storage` along with test to verify `concurrent/parallel` builds
  * test: add a test to verify race free concurrent/parallel builds (Aditya R, 2022-03-24)
    Invoking parallel/concurrent builds from podman raced against each other; the following behaviour was fixed in containers/storage#1153 and containers/image#1480. The test verifies whether the following bug is fixed in the new race-free API or not. To read more about this issue, see bz 2055487 for more details. Test manually backported from: containers@63f92d0
    Signed-off-by: Aditya R <arajan@redhat.com>
  * vendor: bump c/image to v5.19.2 (Aditya R, 2022-03-24)
    Bump c/image to upstream v5.19.2 so podman could use new race-free code.
    Signed-off-by: Aditya R <arajan@redhat.com>
  * vendor: bump c/storage to v1.38.3 (Aditya R, 2022-03-24)
    Bump c/storage to v1.38.3 so podman could use the new `race-free` `AddNames` and `RemoveNames` api.
    Signed-off-by: Aditya R <arajan@redhat.com>
* Merge pull request #13645 from lsm5/v4.0-cve-2022-21698 (OpenShift Merge Robot, 2022-03-24)
  Bump github.com/prometheus/client_golang to v1.11.1
  * Bump github.com/prometheus/client_golang to v1.11.1 (Lokesh Mandvekar, 2022-03-24)
    Resolves: CVE-2022-21698
    Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
* Merge pull request #13560 from n1hility/backport-handle-incompatible (OpenShift Merge Robot, 2022-03-19)
  [v4.0] Backport handling of incompatible machines
  * Handle incompatible machines (Jason T. Greene, 2022-03-18)
    Start in a reduced mode for recovery, warn, and provide instructions to recreate them
    Signed-off-by: Jason T. Greene <jason.greene@redhat.com>