summaryrefslogtreecommitdiff
path: root/contrib
Commit message (Collapse)AuthorAge
* Cirrus: Obsolete CI:IMG process & related filesChris Evich2020-09-09
| | | | | | | | | | | All VM-building functionality has been migrated to https://github.com/containers/automation_images Some container-build functions are still maintained here but are on a very-short list to also be migrated to the repository linked above. Signed-off-by: Chris Evich <cevich@redhat.com>
* Merge pull request #7538 from edsantiago/cap_test_robustOpenShift Merge Robot2020-09-08
|\ | | | | Update VM images for new crun; adapt Cap tests to work with new kernel
| * WIP: update VM imagesEd Santiago2020-09-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (This is an adoption of #7533 because Brent is on PTO). Pick up new crun and crio-runc. Also: renames from useful fedora-32 and -31 to less-useful names; presumably this is needed by something-something in the new VM setup. Also: tweak two e2e tests to more properly handle a kernel (5.8.4) with a greater set of capabilities than what we or crun can yet handle. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | [CI:DOCS] Add note on run image fuse problem - try 2TomSweeneyRedHat2020-09-04
|/ | | | | | | | | | | | | | | | | | We've recently had a number of issues reported against our pre-fabricated images on quay.io and a couple of rhel repositories throwing a fuse error when run: ``` fuse: device not found, try 'modprobe fuse' first ``` The tip on modprobe fuse is not always seen by or displayed to the end user. Adding a couple of doc pointers to hopefully help. Arises from this BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1867892 and several others. Replaces: 7453 where I was going crazy with whitespace and merge issues. Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* use crio runc on CICID ubuntuBrent Baude2020-08-31
| | | | | | | when running CICD on Ubuntu where no cgroups v2, we need to use a newer runc for things like seccomp and the default ubuntu runc is not new enough. Signed-off-by: Brent Baude <bbaude@redhat.com>
* Use `bash` binary from env instead of /bin/bash for scriptsSascha Grunert2020-08-17
| | | | | | | | It's not possible to run any of the scripts on distributions which do have `bash` not in `/bin`. This is being fixed by using `/usr/bin/env bash` instead. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Merge pull request #7237 from TomSweeneyRedHat/dev/tsweeney/imagedocOpenShift Merge Robot2020-08-15
|\ | | | | [CI:DOCS] Update podmanimages README.md
| * [CI:DOCS] Update podmanimages README.mdTomSweeneyRedHat2020-08-05
| | | | | | | | | | | | | | | | | | Updates to the README.md for the contrib/podmanimages directory. This completes the changes to answer this Buildah issue: https://github.com/containers/buildah/issues/1693 and then also adds the quay.io/conatiners/podman images to the list of images. Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* | podman.service: use sdnotiyValentin Rothberg2020-08-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 2b6dd3fb4384 set the killmode of the podman.service to the systemd default which ultimately lead to the problem that systemd will kill *all* processes inside the unit's cgroup and hence kill all containers whenever the service is stopped. Fix it by setting the type to sdnotify and the killmode to process. `podman system service` will send the necessary notify messages when the NOTIFY_SOCKET is set and unset it right after to prevent the backend and container runtimes from jumping in between and send messages as well. Fixes: #7294 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #7299 from jobcespedes/patch-1OpenShift Merge Robot2020-08-12
|\ \ | | | | | | add xz as a recommended pkg
| * | add xz as a recommended pkgJob Cespedes2020-08-11
| | | | | | | | | | | | | | | | | | | | | | | | xz package is required by buildah and podman when building a image and ADD a tar.xz file archive is used See https://github.com/containers/buildah/issues/2525 Signed-off-by: Job Cespedes Ortiz <jobcespedes@gmail.com>
* | | podman-remote fixes for msi and clientBrent Baude2020-08-12
|/ / | | | | | | | | | | | | | | correct small typo that sets the path on windows via the msi xml. in the remote client, prompt for SSH password when no identity or alternate means of authentication are provided. Signed-off-by: Brent Baude <bbaude@redhat.com>
* | Merge pull request #7270 from Fodoj/masterOpenShift Merge Robot2020-08-10
|\ \ | | | | | | Allign container image storage configuration with Buildah
| * | Align images with BuildahKirill Shirinkin2020-08-10
| | | | | | | | | | | | Signed-off-by: Kirill Shirinkin <kirill@hey.com>
* | | Remove TEST_REMOTE_CLIENT from RCLIDaniel J Walsh2020-08-10
|/ / | | | | | | | | | | | | | | We know these are TEST_, hoping this makes the display in cirrus easier for users to see true|false, since this is the valuable information is. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7138 from cevich/add_python_packagesOpenShift Merge Robot2020-08-10
|\ \ | |/ |/| Cirrus: Add python packages to images
| * Cirrus: Install golang 1.14 on UbuntuChris Evich2020-07-31
| | | | | | | | | | | | | | This more/less reverts efd142214 + updates to 1.13 on all Ubuntus for all `containers` projects. Signed-off-by: Chris Evich <cevich@redhat.com>
| * Cirrus: Add python packages to imagesChris Evich2020-07-31
| | | | | | | | | | | | | | | | | | They are needed in support of future testing additions. Also reduce unnecessary output by not printing the downloaded package list. The set can be examined using other tooling if/when necessary. Signed-off-by: Chris Evich <cevich@redhat.com>
* | Merge pull request #7193 from vrothberg/fix-7190OpenShift Merge Robot2020-08-03
|\ \ | | | | | | podman.service: drop install section
| * | podman.service: drop install sectionValentin Rothberg2020-08-03
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman.service is socket activated through podman.socket. It should not have its own [Install] section, it does not make sense to systemctl enable podman.service. This leads to podman.service always running on a Debian system, as Debian's policy is to enable/start running services by default. We don't want a daemon :^) Fixes: #7190 Reported-by: @martinpitt Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Install auto-update services for usersValentin Rothberg2020-08-03
| | | | | | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Fix test failure regarding unpackaged files.Peter Oliver2020-08-03
|/ | | | Signed-off-by: Peter Oliver <git@mavit.org.uk>
* System tests: new system-df and passwd testsEd Santiago2020-07-30
| | | | | | | | | | | | | | | | | | | | | | - New test for #6991 - passwd file is writable even when run with --userns=keep-id - Enable another keep-id test, commented out due to #6593 - New test for podman system df Also, independently, removed this line: apt-get -y upgrade conmon ...because it's causing CI failures, probably because of the boothole CVE, probably because the Ubuntu grub update was rushed out. I believe it is safe to remove this, because both Ubuntu 19 and 20 report: conmon is already the newest version (2.0.18~1). Signed-off-by: Ed Santiago <santiago@redhat.com>
* logformatter: more libpod-podman falloutEd Santiago2020-07-29
| | | | | | | | | | | Problem: formatted logs no longer have live links to sources in error-report lines. Cause: script was searching for '/libpod'. Solution: make it more flexible. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Switch all references to github.com/containers/libpod -> podmanDaniel J Walsh2020-07-28
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* CI - various fixesEd Santiago2020-07-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Primary purpose: upgrade crun to 0.14 on f31, in hopes of eliminating the 'cgroups.freeze' flake that is plaguing CI. While I'm at it: - remove a no-longer-needed dnf upgrade that was running in CI itself (not image building, in each actual CI run). The purpose was to upgrade conmon, but that was added a long time ago and the required conmon is now in stable. The effect of this dnf upgrade today was simply to cause flakes when fedora repos were offline. - remove a no-longer-needed check for varlink. - networking.sh : add a timeout! 'openssl s_client' will happily hang forever if a host is unreachable, which means we waste two hours waiting for Cirrus to time out. - timestamp.awk : include date (not just time) in START/END msgs. There are times when I'm looking at a CI log and it is ultra important to know if it is from yesterday or today. - add progress messages in some places where I've previously struggled to understand context in logs; and improve some unlikely error messages to include script name. ...then, after all that, wrote a new README about how to to all this. Hope it helps someone. Signed-off-by: Ed Santiago <santiago@redhat.com>
* CI: fix rootless permission errorEd Santiago2020-07-23
| | | | | | | | | | | | | CI runs are failing in special_testing_rootless: mkdir /var/tmp/go/pkg: permission denied Probable cause: #6822, which universally set GOPATH. Solution: in rootless setup, chown -R GOPATH as well as GOSRC (the latter was already being chowned). Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #7050 from edsantiago/logformat_trim_remoteOpenShift Merge Robot2020-07-22
|\ | | | | logformatter: handle podman-remote
| * logformatter: handle podman-remoteEd Santiago2020-07-22
| | | | | | | | | | | | | | | | | | | | Oops! Logs of podman-remote tests are unreadable, they have multiple (useless) --remote options plus '--url /something/long' that makes it impossible to read the actual command being run. This commit strips off '--remote' entirely, and hides '--url' and its arg in the only-on-mouse-hover '[options]' text. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Cirrus: Add packages that provide htpasswdChris Evich2020-07-22
| | | | | | | | | | | | | | | | | | Mainly needed for buildah testing: the htpasswd command was removed from the upstream registry container image. Making it available on the host-side enables configuring details needed by the registry during it's initial setup. Signed-off-by: Chris Evich <cevich@redhat.com>
* | Cirrus: Ensure GOPATH is properly set during image-buildsChris Evich2020-07-22
|/ | | | Signed-off-by: Chris Evich <cevich@redhat.com>
* Merge pull request #6992 from rhatdan/apparmorOpenShift Merge Robot2020-07-22
|\ | | | | Support default profile for apparmor
| * Support default profile for apparmorDaniel J Walsh2020-07-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently you can not apply an ApparmorProfile if you specify --privileged. This patch will allow both to be specified simultaniosly. By default Apparmor should be disabled if the user specifies --privileged, but if the user specifies --security apparmor:PROFILE, with --privileged, we should do both. Added e2e run_apparmor_test.go Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #6955 from edsantiago/logformatter_fix_bucket_nameOpenShift Merge Robot2020-07-22
|\ \ | |/ |/| logformatter: update MAGIC BLOB string
| * logformatter: update MAGIC BLOB stringEd Santiago2020-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fallout from libpod->podman repo name move: the HTML logs created by logformatter are no longer accessible. They render as: https://storage.googleapis.com/SECRET-5385732420009984-fcae48/artifacts/containers/podman/6313596734930944/html/integration_test.log.html (yes, "SECRET" instead of "cirrus-ci". Possibly because the GCE_SSH_USERNAME key, "cirrus-ci", was overzealously encrypted, making Cirrus censor any instances of the string in output. Let's see if this fixes it. But anyway this is a secondary unrelated bug). Reason: it looks like Cirrus "generated a new magic blob" when we renamed libpod -> podman. Chris was kind enough to locate the new magic blob and to give me a link to where we can discover it ourselves. I added that as a code comment. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | podman.service: set type to simpleValentin Rothberg2020-07-20
| | | | | | | | | | | | | | | | Set the type of the podman.service to simple. This will correctly report the status of the service once it has started. As a oneshot service, it does not transition from the startup state to running. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | podman.service: set doc to podman-system-serviceValentin Rothberg2020-07-20
| | | | | | | | | | | | | | podman-api(1) does not exist, so set the man page to podman-system-service(1). Same for the .socket. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | podman.service: use default registries.confValentin Rothberg2020-07-20
| | | | | | | | | | | | | | | | | | Do not hard-set the registries.conf to `/etc/containers/registries.conf`. Podman (and other c/image users) already default to it. However, ordinary non-root users should still be able to use the configs in their home directories which is now possible. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | podman.service: use default killmodeValentin Rothberg2020-07-20
| | | | | | | | | | | | | | | | | | | | Do not set the killmode to process as it only kills the main process and leaves other processes untouched. Just remove the line and use the default cgroup killmode which will kill all processes in the service's cgroup. Fixes: #7021 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | podman.service: remove stop timeoutValentin Rothberg2020-07-20
| | | | | | | | | | | | | | Remove the stop timeout from the unit. As unit does not specify any stop command, the timeout is effectively 0 and a NOOP. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | systemd: symlink user->systemValentin Rothberg2020-07-20
|/ | | | | | | | | Symlink the user to the system services in `contrib/systemd`. There is no diference between the services, so we can reduce redundancy while not breaking downstream packages which might already be referencing `./contrib/systemd/user`. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* [CI:DOCS]Do not copy policy.json into gating imageBrent Baude2020-07-14
| | | | | | test/policy.json should not need to be copied into the gating image Signed-off-by: Brent Baude <bbaude@redhat.com>
* Fix systemd pid 1 testBrent Baude2020-07-13
| | | | | | | | | | fedora removed the systemd package from its standard container image causing our systemd pid1 test to fail. Replacing usage of fedora to ubi-init. adding ubi images to the cache for local tests. also, remove installation of test/policy.json to the system wide /etc/containers Signed-off-by: Brent Baude <bbaude@redhat.com>
* Add containers.conf default file for windows and MAC InstallsDaniel J Walsh2020-06-24
| | | | | | | We want to add this configuration file so that users can descover how to configure the permanent connection to a remote podman instance. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* system tests: invoke with abs path to podmanEd Santiago2020-06-23
| | | | | | | | | | | | | | | | | | | | | | Reversion of one part of #6679: my handling of 'realpath' would not work when $PODMAN is 'podman-remote --url etc'. Trying to handle that case got unmaintainable; so instead let's just force 'make {local,remote}system' to invoke with a full PODMAN path. This breaks down if someone runs the tests with a manual 'bats' invocation, but I think I'm the only one who ever does that. Since podman path will now be very long in the logs, add code to logformatter to abbreviate it like we do for the ginkgo logs. And, one thing that has bugged me for a long time: in the error logs, show a different prompt ('#' vs '$') to distinguish root vs rootless. This should make it much easier to see at-a-glance whether a log file is root or not. Add tests for it. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Bump master to v2.1.0-dev following release of v2.0Matthew Heon2020-06-19
| | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
* Do not share container log driver for execMatthew Heon2020-06-17
| | | | | | | | | | | | | | | | | | | | | When the container uses journald logging, we don't want to automatically use the same driver for its exec sessions. If we do we will pollute the journal (particularly in the case of healthchecks) with large amounts of undesired logs. Instead, force exec sessions logs to file for now; we can add a log-driver flag later (we'll probably want to add a `podman logs` command that reads exec session logs at the same time). As part of this, add support for the new 'none' logs driver in Conmon. It will be the default log driver for exec sessions, and can be optionally selected for containers. Great thanks to Joe Gooch (mrwizard@dok.org) for adding support to Conmon for a null log driver, and wiring it in here. Fixes #6555 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Revert "Change Varlink systemd unit to use `system service`"Matthew Heon2020-06-16
| | | | | | | | | | | | | | This reverts commit 1bc992bfc3a983b4d9ab53f778a545d83bcde94d. We originally thought `podman varlink` was entirely removed, but that was not true. We originally thought that `podman system service --varlink` worked the same as `podman varlink` but that was also not true. `system service` is broken when used under systemd units, and `podman varlink` still exists and works. Revert the change to `podman system service` to fix socket-activated Varlink under systemd. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #6608 from mheon/fix_varlink_unitOpenShift Merge Robot2020-06-15
|\ | | | | [CI:DOCS] Change Varlink systemd unit to use `system service`
| * Change Varlink systemd unit to use `system service`Matthew Heon2020-06-15
| | | | | | | | | | | | | | | | | | | | | | We completely removed `podman varlink`, which broke the systemd unit file used by the Varlink code. Change that to use the new `podman system service --varlink` command which replaced it. Also needs a slight reorder of args to make things work happily on my system. Signed-off-by: Matthew Heon <mheon@redhat.com>