| Commit message (Collapse) | Author | Age |
|---|
| |\
| |
| | |
Image volumes should not be mounted noexec
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
This matches Docker more closely, but retains the more important
protections of nosuid/nodev.
Fixes #4318
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\ \
| |/
|/| |
Add parsing for UID, GID in volume "o" option
|
| | |
| |
| |
| |
| |
| |
| | |
Everything else is a flag to mount, but "uid" and "gid" are not.
We need to parse them out of "o" and handle them separately.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |/
|
|
|
|
|
|
|
|
| |
Unless specified otherwise by --all, --latest or via arguments, list all
running containers. This matches the behaviour of Docker and is also
illustrated in the man pages where containers and options are marked to
be optional.
Fixes: #4274
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\
| |
| | |
Add support for anonymous volumes to `podman run -v`
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously, when `podman run` encountered a volume mount without
separate source and destination (e.g. `-v /run`) we would assume
that both were the same - a bind mount of `/run` on the host to
`/run` in the container. However, this does not match Docker's
behavior - in Docker, this makes an anonymous named volume that
will be mounted at `/run`.
We already have (more limited) support for these anonymous
volumes in the form of image volumes. Extend this support to
allow it to be used with user-created volumes coming in from the
`-v` flag.
This change also affects how named volumes created by the
container but given names are treated by `podman run --rm` and
`podman rm -v`. Previously, they would be removed with the
container in these cases, but this did not match Docker's
behaviour. Docker only removed anonymous volumes. With this patch
we move to that model as well; `podman run -v testvol:/test` will
not have `testvol` survive the container being removed by `podman
rm -v`.
The sum total of these changes let us turn on volume removal in
`--rm` by default.
Fixes: #4276
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\ \
| | |
| | | |
Show volume options in 'volume inspect'
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
We initialized the map to show them, but didn't actually copy
them in, so they weren't being displayed.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |\ \ \
| |_|/
|/| | |
play kube: refactor test suite
|
| | | |
| | |
| | |
| | |
| | |
| | | |
for berevity
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The play kube test suite has many different cases to cover, and should only grow in coverage over time
The old design was difficult to extend, and there was lots of duplicated code.
The largest pain point was the Container struct needed to be changed often, and doing so caused changes every test case
Instead, adopt the `withOption` idiom. Now, adding a new option for customizing just involves adding a new withOption function, and changing the struct definition and initialization in one place.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | |/
|/|
| |
| |
| |
| |
| | |
Rather than checking for non-zero, we need to check for >0 to
distinguish between timeouts and error exit codes.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The json field is called `Image` while the go field is called `ImageID`,
tricking users into filtering for `Image` which ultimately results in an
error. Hence, rename the field to `Image` to align json and go.
To prevent podman users from regressing, rename `Image` to `ImageID` in
the specified filters. Add tests to prevent us from regressing. Note
that consumers of the go API that are using `ImageID` are regressing;
ultimately we consider it to be a bug fix.
Fixes: #4193
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
similar change to f7d55d64e7040cdad149684234ea150b0a90cf0e
with images --format=json, be sure the output is valid json also when
it is an empty list.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \
| | |
| | | |
tests: enable ps --size tests for rootless
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
rootless podman is using a single user namespace for all the containers
so it can safely access the storage for all of them.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \ \
| |/ /
|/| | |
container: initialize results list
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| | |
it solves:
$ podman ps --format=json
null
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \
| | |
| | | |
systemd: expect full path /usr/sbin/init
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
"init" is a quite common name for the command executed in a container
image and Podman ends up using the systemd mode also when not
required.
Be stricter on enabling the systemd mode and not enable it
automatically when the basename is "init" but expect the full path
"/usr/sbin/init".
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \
| |/
|/| |
Raise start_test polling interval
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
According to the documentation
https://onsi.github.io/gomega/#eventually
> the default value for the polling interval is 10 milliseconds
That is excessively fast given the observed failures in
issue #4021 are always using podman-remote. Lower the interval to
3-seconds, which should be plenty long enough for container removal.
Signed-off-by: Chris Evich <cevich@redhat.com>
|
| |/
|
|
|
|
|
| |
Disallow invalid/confusing names such as '../bar' or 'foo '
Closes #4184
Signed-off-by: Mrigank Krishan <mrigankkrishan@gmail.com>
|
| |\
| |
| | |
podman import syntax fix
|
| | |
| |
| |
| | |
Signed-off-by: Kunal Kushwaha <kunal.kushwaha@gmail.com>
|
| |\ \
| | |
| | | |
Move noCache logic lower in stack
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
One or more tests are not taking advantage of the local image cache.
This has been observed to cause a testing flake in at least one
`--sigproxy` test which uses `PodmanTestIntegration.PodmanPID()`.
It has a rather short timeout of 15-seconds, which isn't always
enough time to pull down a remote image.
Fix this by reloacing the `noCache` logic from
`PodmanTest.PodmanAsUserBase()` down the stack into
`PodmanTestIntegration.makeOptions()`. This also eliminates the need to
also check if a remote-client is being used - since it uses a different
function.
Also reverse the parameter order in `PodmanTest.PodmanBase` so that
everywhere is consistently `noEvents` then `noCache`.
Signed-off-by: Chris Evich <cevich@redhat.com>
|
| |\ \ \
| | | |
| | | | |
Change ginkgo Wait() to Eventually() test
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Changing the test in WaitWithDefaultTimeout() to use Eventually() and
gexec.Exit(). Using ExitCode() before command has really exited returns
a -1, which can cause issues for tests testing for podman to return
non-zero values.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
| |/ /
| |
| |
| |
| |
| |
| | |
A true result from reexec.Init() isn't an error, but it indicates that
main() should exit with a success exit status.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| | |
close #3894
This patch let podman cp return 'no such file or directory' error if DEST_PATH does not exist and ends with / when copying file.
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When a named volume is mounted on any of the tmpfs filesystems
created by read-only tmpfs, it caused a conflict that was not
resolved prior to this.
Fixes BZ1755119
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add two unit tests to determine whether mounts are being listed
correctly. One tests that a created container is not listed
until mounted. The second checks that running containers are
mounted, and then no longer listed as mounted when they stop
running. The final test creates three containers, mounts two,
and checks that mount correctly only lists the two mounted.
Signed-off-by: gabi beyer <gabrielle.n.beyer@intel.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
look if there are bind mounts that can shadow the /etc/passwd and
/etc/group files. In that case, look at the bind mount source.
Closes: https://github.com/containers/libpod/pull/4068#issuecomment-533782941
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If the HOME environment variable is not set, make sure it is set to
the configuration found in the container /etc/passwd file.
It was previously depending on a runc behavior that always set HOME
when it is not set. The OCI runtime specifications do not require
HOME to be set so move the logic to libpod.
Closes: https://github.com/debarshiray/toolbox/issues/266
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| |
| |
| |
| |
| | |
Be less precise on the exit code and lot the exit code to the journal when it fails.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \
| | |
| | | |
exec: fix --preserve-fds
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
There were two problems with preserve fds.
libpod didn't open the fds before passing _OCI*PIPE to conmon. This caused libpod to talk on the preserved fds, rather than the pipes, with conmon talking on the pipes. This caused a hang.
Libpod also didn't convert an int to string correctly, so it would further fail.
Fix these and add a unit test to make sure we don't regress in the future
Note: this test will not pass on crun until crun supports --preserve-fds
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| |\ \ \
| |/ /
|/| | |
fix unit test using strings.Contains
|
| | |/
| |
| |
| |
| |
| |
| |
| | |
The Expect function does not return a result of True or False
depending on the value of the first instance, but instead requires
a comparison using ".To(", so change to use ".To(ContainSubstring("
Signed-off-by: gabi beyer <gabrielle.n.beyer@intel.com>
|
| |\ \
| | |
| | | |
Podman-remote run should wait for exit code
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This change matches what is happening on the podman local side
and should eliminate a race condition.
Also exit commands on the server side should start to return to client.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| | |/
| |
| |
| |
| |
| |
| | |
We have leaked the exit number codess all over the code, this patch
removes the numbers to constants.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| | |
* symlink processing and wildcarding led to unexpected files
being copied
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
| |/
|
|
| |
Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
|
| |\
| |
| | |
Add `ContainerManager` annotation to created containers
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This change adds the following annotation to every container created by
podman:
```json
"Annotations": {
"io.containers.manager": "libpod"
}
```
Target of this annotaions is to indicate which project in the containers
ecosystem is the major manager of a container when applications share
the same storage paths. This way projects can decide if they want to
manipulate the container or not. For example, since CRI-O and podman are
not using the same container library (libpod), CRI-O can skip podman
containers and provide the end user more useful information.
A corresponding end-to-end test has been adapted as well.
Relates to: https://github.com/cri-o/cri-o/pull/2761
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
|
| |\ \
| | |
| | | |
Support running containers without CGroups
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
This is mostly used with Systemd, which really wants to manage
CGroups itself when managing containers via unit file.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
