aboutsummaryrefslogtreecommitdiff
path: root/contrib
Commit message (Collapse)AuthorAge
...
* Merge pull request #6992 from rhatdan/apparmorOpenShift Merge Robot2020-07-22
|\ | | | | Support default profile for apparmor
| * Support default profile for apparmorDaniel J Walsh2020-07-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently you can not apply an ApparmorProfile if you specify --privileged. This patch will allow both to be specified simultaniosly. By default Apparmor should be disabled if the user specifies --privileged, but if the user specifies --security apparmor:PROFILE, with --privileged, we should do both. Added e2e run_apparmor_test.go Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #6955 from edsantiago/logformatter_fix_bucket_nameOpenShift Merge Robot2020-07-22
|\ \ | |/ |/| logformatter: update MAGIC BLOB string
| * logformatter: update MAGIC BLOB stringEd Santiago2020-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fallout from libpod->podman repo name move: the HTML logs created by logformatter are no longer accessible. They render as: https://storage.googleapis.com/SECRET-5385732420009984-fcae48/artifacts/containers/podman/6313596734930944/html/integration_test.log.html (yes, "SECRET" instead of "cirrus-ci". Possibly because the GCE_SSH_USERNAME key, "cirrus-ci", was overzealously encrypted, making Cirrus censor any instances of the string in output. Let's see if this fixes it. But anyway this is a secondary unrelated bug). Reason: it looks like Cirrus "generated a new magic blob" when we renamed libpod -> podman. Chris was kind enough to locate the new magic blob and to give me a link to where we can discover it ourselves. I added that as a code comment. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | podman.service: set type to simpleValentin Rothberg2020-07-20
| | | | | | | | | | | | | | | | Set the type of the podman.service to simple. This will correctly report the status of the service once it has started. As a oneshot service, it does not transition from the startup state to running. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | podman.service: set doc to podman-system-serviceValentin Rothberg2020-07-20
| | | | | | | | | | | | | | podman-api(1) does not exist, so set the man page to podman-system-service(1). Same for the .socket. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | podman.service: use default registries.confValentin Rothberg2020-07-20
| | | | | | | | | | | | | | | | | | Do not hard-set the registries.conf to `/etc/containers/registries.conf`. Podman (and other c/image users) already default to it. However, ordinary non-root users should still be able to use the configs in their home directories which is now possible. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | podman.service: use default killmodeValentin Rothberg2020-07-20
| | | | | | | | | | | | | | | | | | | | Do not set the killmode to process as it only kills the main process and leaves other processes untouched. Just remove the line and use the default cgroup killmode which will kill all processes in the service's cgroup. Fixes: #7021 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | podman.service: remove stop timeoutValentin Rothberg2020-07-20
| | | | | | | | | | | | | | Remove the stop timeout from the unit. As unit does not specify any stop command, the timeout is effectively 0 and a NOOP. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | systemd: symlink user->systemValentin Rothberg2020-07-20
|/ | | | | | | | | Symlink the user to the system services in `contrib/systemd`. There is no diference between the services, so we can reduce redundancy while not breaking downstream packages which might already be referencing `./contrib/systemd/user`. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* [CI:DOCS]Do not copy policy.json into gating imageBrent Baude2020-07-14
| | | | | | test/policy.json should not need to be copied into the gating image Signed-off-by: Brent Baude <bbaude@redhat.com>
* Fix systemd pid 1 testBrent Baude2020-07-13
| | | | | | | | | | fedora removed the systemd package from its standard container image causing our systemd pid1 test to fail. Replacing usage of fedora to ubi-init. adding ubi images to the cache for local tests. also, remove installation of test/policy.json to the system wide /etc/containers Signed-off-by: Brent Baude <bbaude@redhat.com>
* Add containers.conf default file for windows and MAC InstallsDaniel J Walsh2020-06-24
| | | | | | | We want to add this configuration file so that users can descover how to configure the permanent connection to a remote podman instance. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* system tests: invoke with abs path to podmanEd Santiago2020-06-23
| | | | | | | | | | | | | | | | | | | | | | Reversion of one part of #6679: my handling of 'realpath' would not work when $PODMAN is 'podman-remote --url etc'. Trying to handle that case got unmaintainable; so instead let's just force 'make {local,remote}system' to invoke with a full PODMAN path. This breaks down if someone runs the tests with a manual 'bats' invocation, but I think I'm the only one who ever does that. Since podman path will now be very long in the logs, add code to logformatter to abbreviate it like we do for the ginkgo logs. And, one thing that has bugged me for a long time: in the error logs, show a different prompt ('#' vs '$') to distinguish root vs rootless. This should make it much easier to see at-a-glance whether a log file is root or not. Add tests for it. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Bump master to v2.1.0-dev following release of v2.0Matthew Heon2020-06-19
| | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
* Do not share container log driver for execMatthew Heon2020-06-17
| | | | | | | | | | | | | | | | | | | | | When the container uses journald logging, we don't want to automatically use the same driver for its exec sessions. If we do we will pollute the journal (particularly in the case of healthchecks) with large amounts of undesired logs. Instead, force exec sessions logs to file for now; we can add a log-driver flag later (we'll probably want to add a `podman logs` command that reads exec session logs at the same time). As part of this, add support for the new 'none' logs driver in Conmon. It will be the default log driver for exec sessions, and can be optionally selected for containers. Great thanks to Joe Gooch (mrwizard@dok.org) for adding support to Conmon for a null log driver, and wiring it in here. Fixes #6555 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Revert "Change Varlink systemd unit to use `system service`"Matthew Heon2020-06-16
| | | | | | | | | | | | | | This reverts commit 1bc992bfc3a983b4d9ab53f778a545d83bcde94d. We originally thought `podman varlink` was entirely removed, but that was not true. We originally thought that `podman system service --varlink` worked the same as `podman varlink` but that was also not true. `system service` is broken when used under systemd units, and `podman varlink` still exists and works. Revert the change to `podman system service` to fix socket-activated Varlink under systemd. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #6608 from mheon/fix_varlink_unitOpenShift Merge Robot2020-06-15
|\ | | | | [CI:DOCS] Change Varlink systemd unit to use `system service`
| * Change Varlink systemd unit to use `system service`Matthew Heon2020-06-15
| | | | | | | | | | | | | | | | | | | | | | We completely removed `podman varlink`, which broke the systemd unit file used by the Varlink code. Change that to use the new `podman system service --varlink` command which replaced it. Also needs a slight reorder of args to make things work happily on my system. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Fix builds for RDODaniel J Walsh2020-06-11
|/ | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #6530 from edsantiago/test_podman_remoteOpenShift Merge Robot2020-06-10
|\ | | | | Enable, then partially disable, podman-remote testing
| * WIP: Enable (and disable) remote testingEd Santiago2020-06-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman-remote has not been tested. A principal part of the problem was #5387 - the YAML I wrote did not have the intended effect, it did not set TEST_REMOTE_CLIENT=true and because of my multiple iterations I did not catch this during testing. Part 1 of this PR is to fix .cirrus.yml to enable remote tests. Part 2 -- what I had first noticed and tried to fix -- is that rootless_test.sh was never running remote because, of course, envariables are not sent via ssh. I reworked integration_test.sh and rootless_test.sh to use a command-line decision instead. Part 3, sigh, is to disable one failing integration test and *all* system tests, because so many of the latter are failing. Addressing those failures needs to be done in subsequent PRs. Issues #6538, #6539, #6540 are filed for some of the problems I isolated. There will be more. Also, minor, fixed some stale references to varlink. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #6193 from cevich/conmon_ci_packagesOpenShift Merge Robot2020-06-09
|\ \ | |/ |/| Cirrus: Include packages for containers/conmon CI
| * Cirrus: Include packages for containers/conmon CIChris Evich2020-06-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This allows the containers/conmon repository to share the same VM images produced by containers/libpod. Included are several packages which are downloaded only since they might otherwise interfere with testing for some repos. This allows stable versions to be at the ready at testing runtime, avoiding any version updates surprising developers. Also, re-enable running the VM-image check test which was not working due to a logic problem in Cirrus-CI configuration. Update the neglected tests so that they pass on all distros. Signed-off-by: Chris Evich <cevich@redhat.com>
* | Merge pull request #6521 from cevich/update_cors_docsOpenShift Merge Robot2020-06-09
|\ \ | | | | | | [CI:DOCS] Improve swagger+CORS metadata docs
| * | Improve swagger+CORS metadata docsChris Evich2020-06-09
| |/ | | | | | | Signed-off-by: Chris Evich <cevich@redhat.com>
* | force bats version to v1.1.0Valentin Rothberg2020-06-08
| | | | | | | | | | | | | | | | We experienced regression when using the latest `v1.2.0-dev` bats in Ubuntu 20.04 (see github.com/containers/libpod/pull/6418). Using bats v1.1.0 worked in the Ubuntu test VM. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Enable Ubuntu tests in CIBrent Baude2020-06-08
|/ | | | | | Add updates required for ubuntu and run integration tests Signed-off-by: Brent Baude <bbaude@redhat.com>
* Attempt to turn on special_testing_in_podman testsDaniel J Walsh2020-06-04
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Vendor in container/storage v1.20.2Daniel J Walsh2020-06-03
| | | | | | | Also modify gate Dockerfile to take advantage of skipping mounting of the storage directory. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* RHEL8 and Centos8 don't have oci-runtime yetDaniel J Walsh2020-06-03
| | | | | | | For the time being we need to just require runc this should fix rdoproject.org/github-check Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Bump Conmon in COPR specMatthew Heon2020-06-02
| | | | | | We need 2.0.17 for detached remote exec. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Enable detached exec for remoteMatthew Heon2020-06-02
| | | | | | | | | | | | | | | | | | | | | | | The biggest obstacle here was cleanup - we needed a way to remove detached exec sessions after they exited, but there's no way to tell if an exec session will be attached or detached when it's created, and that's when we must add the exit command that would do the removal. The solution was adding a delay to the exit command (5 minutes), which gives sufficient time for attached exec sessions to retrieve the exit code of the session after it exits, but still guarantees that they will be removed, even for detached sessions. This requires Conmon 2.0.17, which has the new `--exit-delay` flag. As part of the exit command rework, we can drop the hack we were using to clean up exec sessions (remove them as part of inspect). This is a lot cleaner, and I'm a lot happier about it. Otherwise, this is just plumbing - we need a bindings call for detached exec, and that needed to be added to the tunnel mode backend for entities. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* default build without `varlink` tagLokesh Mandvekar2020-05-29
| | | | | | | | | | | | | Issue gh#6286 was already fixed in a prior commit but the Makefile still ran some varlink steps by default. This commit makes any varlink build steps dependent on the varlink build tag and also makes the contrib rpm spec file independent of varlink. Endpoint tests will be run only if BUILDTAGS contains varlink. Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
* compat handlers: add X-Registry-Auth header supportValentin Rothberg2020-05-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Support the `X-Registry-Auth` http-request header. * The content of the header is a base64 encoded JSON payload which can either be a single auth config or a map of auth configs (user+pw or token) with the corresponding registries being the keys. Vanilla Docker, projectatomic Docker and the bindings are transparantly supported. * Add a hidden `--registries-conf` flag. Buildah exposes the same flag, mostly for testing purposes. * Do all credential parsing in the client (i.e., `cmd/podman`) pass the username and password in the backend instead of unparsed credentials. * Add a `pkg/auth` which handles most of the heavy lifting. * Go through the authentication-handling code of most commands, bindings and endpoints. Migrate them to the new code and fix issues as seen. A final evaluation and more tests is still required *after* this change. * The manifest-push endpoint is missing certain parameters and should use the ABI function instead. Adding auth-support isn't really possible without these parts working. * The container commands and endpoints (i.e., create and run) have not been changed yet. The APIs don't yet account for the authfile. * Add authentication tests to `pkg/bindings`. Fixes: #6384 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Fix DockerfileDaniel J Walsh2020-05-26
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* [CI:DOCS] Prepare image to turn on podman-commands testDaniel J Walsh2020-05-23
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* [CI:DOCS]add crun to gating imageBrent Baude2020-05-22
| | | | | | the gating tests for commands needs crun to exercise itself Signed-off-by: Brent Baude <bbaude@redhat.com>
* [CI:DOCS]Add conmon to gating imageBrent Baude2020-05-22
| | | | | | the gating image now needs conmon to perform the commands check Signed-off-by: Brent Baude <bbaude@redhat.com>
* Cirrus: Fix image-name hintsChris Evich2020-05-14
| | | | | | | | | This properly prints out image-name hints when executing the hack script without any arguments. It is required due to changes made by Ed for test-name beatification. An identical change was made and reviewed by Ed in the containers/storage repo. Signed-off-by: Chris Evich <cevich@redhat.com>
* Cirrus: Update Ubuntu 18 to 20Chris Evich2020-05-14
| | | | Signed-off-by: Chris Evich <cevich@redhat.com>
* Default podman.spec to use crunDaniel J Walsh2020-05-14
| | | | | | | On systems with cgroupV2 runc will not currently work switch the default in spec file to use crun. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* [CI:DOCS]remove libpod.conf from specBrent Baude2020-05-13
| | | | | | in the contrib rpm.spec.in, we no longer should try to package libpod.conf Signed-off-by: Brent Baude <bbaude@redhat.com>
* Remove libpod.conf from repoMatthew Heon2020-05-12
| | | | | | | | | | | Now that we're shipping containers.conf, we don't want to provide a libpod.conf anymore. This removes libpod.conf from the repo and as many direct uses as I can find. There are a few more mentions in the documentation, but someone more familiar with containers.conf should make those edits. Signed-off-by: Matthew Heon <mheon@redhat.com>
* set binding tests to requiredBrent Baude2020-05-08
| | | | | | | | | | | | | | | | | some small fix ups for binding tests and then make them required. update containers-common V2 bindings tests were failing because of changes introduced in commit a2ad5bb. Fix some typos. Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org> in the case where the specgen attribute for Env and Labels are nil, we should should then make the map IF we have labels and envs that need to be added. Signed-off-by: Brent Baude <bbaude@redhat.com>
* CI:DOCS: Document API docs + CORS maintenanceChris Evich2020-05-06
| | | | Signed-off-by: Chris Evich <cevich@redhat.com>
* [CI:DOC]Use full repo name in podmanimage DockerfilesTomSweeneyRedHat2020-05-01
| | | | | | | | | | | | | | In the Buildah images, we had a problem where the testing image was installed with an older version of Buildah than the stable image. This was apparently due to quay.io using Docker and Dockerhub which has a version of Fedora that did not let testing version of Buildah to be installed as it should have been. This change fully specifies the name of the fedora image to use. This has not been a problem in Podman, but I'm carrying this change here to avoid future problems. Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* Cirrus: Utilize new base imagesChris Evich2020-04-30
| | | | Signed-off-by: Chris Evich <cevich@redhat.com>
* cirrus: Update to Fedora 32 properChris Evich2020-04-30
| | | | | | | | Now that it's officially released, update to it from the beta. Also (and significant), adjust the SELinux context of the GCP metadata service. Add a comment to the code explaining why this is necessary. Signed-off-by: Chris Evich <cevich@redhat.com>
* Merge pull request #6010 from TomSweeneyRedHat/dev/tsweeney/ctrimagefixesOpenShift Merge Robot2020-04-29
|\ | | | | Update podmanimage files to adjust perms on containers.conf for rootless