aboutsummaryrefslogtreecommitdiff
path: root/test/system/030-run.bats
Commit message (Collapse)AuthorAge
* Bump VMs, to Ubuntu 2204 with cgroups v1Ed Santiago2022-07-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ...and enable the at-test-time confirmation, the one that double-checks that if CI requests runc we actually use runc. This exposed a nasty surprise in our setup: there are steps to define $OCI_RUNTIME, but that's actually a total fakeout! OCI_RUNTIME is used only in e2e tests, it has no effect whatsoever on actual podman itself as invoked via command line such as in system tests. Solution: use containers.conf Given how fragile all this runtime stuff is, I've also added new tests (e2e and system) that will check $CI_DESIRED_RUNTIME. Image source: https://github.com/containers/automation_images/pull/146 Since we haven't actually been testing with runc, we need to fix a few tests: - handle an error-message change (make it work in both crun and runc) - skip one system test, "survive service stop", that doesn't work with runc and I don't think we care. ...and skip a bunch, filing issues for each: - #15013 pod create --share-parent - #15014 timeout in dd - #15015 checkpoint tests time out under $CONTAINER - #15017 networking timeout with registry - #15018 restore --pod gripes about missing --pod - #15025 run --uidmap broken - #15027 pod inspect cgrouppath broken - ...and a bunch more ("podman pause") that probably don't even merit filing an issue. Also, use /dev/urandom in one test (was: /dev/random) because the test is timing out and /dev/urandom does not block. (But the test is still timing out anyway, even with this change) Also, as part of the VM switch we are now using go 1.18 (up from 1.17) and this broke the gitlab tests. Thanks to @Luap99 for a quick fix. Also, slight tweak to #15021: include the timeout value, and reword message so command string is at end. Also, fixed a misspelling in a test name. Fixes: #14833 Signed-off-by: Ed Santiago <santiago@redhat.com>
* specgen: fix parsing of cgroup devices ruleGiuseppe Scrivano2022-07-01
| | | | | | | | | Fix the parse for the cgroup devices rule to correctly handle the wildcard syntax for the device major. Also make sure the device major and minor are not negative numbers. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* conmon: silence json-file errorValentin Rothberg2022-06-23
| | | | | | | We should just silently fall through. The log was flooding the system-service logs when running Gitlab runner. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* system test image: bump to 20220615Ed Santiago2022-06-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes: - use --timestamp option to produce 'created' stamps that can be reliably tested in the image-history test - podman now supports manifest & multiarch run, so we no longer need buildah - bump up base alpine & busybox images This turned out to be WAY more complicated than it should've been, because: - alpine 3.14 fixed 'date -Iseconds' to include a colon in the TZ offset ("-07:00", was "-0700"). This is now consistent with GNU date's --iso-8601 format, yay, so we can eliminate a minor workaround. - with --timestamp, all ADDed files are set to that timestamp, including the custom-reference-timestamp file that many tests rely on. So we need to split the build into two steps. But: - ...with a two-step build I need to use --squash-all, not --squash, but: - ... (deep sigh) --squash-all doesn't work with --timestamp (#14536) so we need to alter existing tests to deal with new image layers. - And, long and sordid story relating to --rootfs. TL;DR that option only worked by a miracle relating to something special in one specific test image; it doesn't work with any other images. Fix seems to be complicated, so we're bypassing with a FIXME (#14505). And, unrelated: - remove obsolete skip and workaround in run-basic test (dating back to varlink days) - add a pause-image cleanup to avoid icky red warnings in logs Fixes: #14456 Signed-off-by: Ed Santiago <santiago@redhat.com>
* Podman no-new-privileges formatNiall Crowe2022-05-30
| | | | | | | | | | | | In docker, the format of no-new-privileges is "no-new-privileges:true". However, for Podman all that's required is "no-new-privileges", leading to issues when attempting to use features desgined for docker in podman. Adding support for the ":" format to be used along with the "=" format, depedning on which one is entered by the user. fixes #14133 Signed-off-by: Niall Crowe <nicrowe@redhat.com>
* Merge pull request #13918 from Luap99/hostsOpenShift Merge Robot2022-04-22
|\ | | | | use etchosts package from c/common
| * use etchosts package from c/commonPaul Holzinger2022-04-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use the new logic from c/common to create the hosts file. This will help to better allign the hosts files between buildah and podman. Also this fixes several bugs: - remove host entries when container is stopped and has a netNsCtr - add entries for containers in a pod - do not duplicate entries in the hosts file - use the correct slirp ip when an userns is used Features: - configure host.containers.internal entry in containers.conf - configure base hosts file in containers.conf Fixes #12003 Fixes #13224 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #13881 from rhatdan/usernsOpenShift Merge Robot2022-04-22
|\ \ | |/ |/| Add support for --userns=nomap
| * Add support for --userns=nomapDaniel J Walsh2022-04-21
| | | | | | | | | | | | | | | | | | | | | | From a security point of view, it would be nice to be able to map a rootless usernamespace that does not use your own UID within the container. This would add protection against a hostile process escapping the container and reading content in your homedir. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | system tests: add assert(), and start using itEd Santiago2022-04-20
|/ | | | | | | | | | | | | | | | | | | | | Problem: the system test 'is()' checker was poorly thought out. For example, there is no way to check for inequality or for absence of a substring. Solution, step 1: introduce new assert(), copied almost verbatim from buildah, where it has been successful in addressing the gaps in is(). The logical next step is to search the tests for 'die' and for 'run', looking for negative assertions which we can replace with assert(). There were a lot, and in the process I found a number of ugly bugs in the tests themselves. I've taken the liberty of fixing these. Important note: at this time we have both assert() and is(). Replacing all instances of is() would be impossible to review. Signed-off-by: Ed Santiago <santiago@redhat.com>
* add a regression test for CVE-2022-1227Valentin Rothberg2022-04-14
| | | | | | Will also be included in the upcoming backports. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* specgen: do not set OOMScoreAdj by defaultGiuseppe Scrivano2022-04-04
| | | | | | | | | do not force a value of OOMScoreAdj=0 if it is wasn't specified by the user. Closes: https://github.com/containers/podman/issues/13731 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Make error message matching in 030-run.bats less fragileDavid Gibson2022-01-21
| | | | | | | | | | | | | | | | | | | | Amongst other things 030-run.bats checks for sensible error messages when attempting a "podman run" with a non-existent or inaccessible path. It checks for these messages, which come from the low-level runtime, in a lot of detail, including separate versions for runc and crun. This is fragile in several ways: * It's likely to fail if using a runtime other than crun or runc * It relies on detecting whether the runtime is crun vs. runc using the path, which could fail if the binary has been named something unusual * It will break if crun or runc ever alter their error message (even if it's just changing case) This replaces the checked versions with a much more accepting regex which will work for both the runc and crun messages, while still looking for the essential pieces. This isn't guaranteed to work with other runtimes, but it's much more likely to. Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
* test/system: podman run update /etc/hostsDaniel J Walsh2022-01-14
| | | | | | | This test case is used for covering rhbz#1902979. Signed-off-by: Alex Jia <ajia@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add --noout option to prevent the output of idsDaniel J Walsh2022-01-12
| | | | | | Fixes: https://github.com/containers/podman/issues/11515 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Emergency system-test fixesEd Santiago2022-01-06
| | | | | | | | | | | | | | | Emergency fix to image-scp tests. DO NOT CREATE A USER! These tests are run in all sorts of environments. We do not have the right to vandalize a production system. Also remove some misleading unneeded tests; and refactor a little; and add a bunch of FIXMEs which will need to be addressed later. Also, super-low priority, add 'crun: ' to expected error message in a run test (minor followup to #12758). Signed-off-by: Ed Santiago <santiago@redhat.com>
* add OCI Runtime name to errorsDaniel J Walsh2022-01-06
| | | | | | | | | It would be easier to diagnose OCI runtime errors if the error actually had the name of the OCI runtime that produced the error. [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* test/system: podman run image with filesystem permissionDaniel J Walsh2021-12-31
| | | | | | | | This test case is used for covering rhbz#1854566. Replaces: #12220 Signed-off-by: Alex Jia <ajia@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* test/system: podman run with log-opt optionDaniel J Walsh2021-12-31
| | | | | | | | This test case is used for covering rhbz#1763007. Replaces: #12221 Signed-off-by: Alex Jia <ajia@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Allow users to add host user accounts to /etc/passwdDaniel J Walsh2021-12-23
| | | | | | | | | | | Some containers require certain user account(s) to exist within the container when they are run. This option will allow callers to add a bunch of passwd entries from the host to the container even if the entries are not in the local /etc/passwd file on the host. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1935831 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Warn on use of --kernel-memoryDaniel J Walsh2021-12-22
| | | | | | | | | It has been deprecated and is no longer supported. Fully remove it and only print a warning if a user uses it. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2011695 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* support hosts without /etc/hostsValentin Rothberg2021-12-22
| | | | | Fixes: #12667 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* support advanced network configuration via cliPaul Holzinger2021-12-14
| | | | | | | | | | | | | | | | | | | | | | | | | | Rework the --network parse logic to support multiple networks with specific network configuration settings. --network can now be set multiple times. For bridge network mode the following options have been added: - **alias=name**: Add network-scoped alias for the container. - **ip=IPv4**: Specify a static ipv4 address for this container. - **ip=IPv6**: Specify a static ipv6 address for this container. - **mac=MAC**: Specify a static mac address address for this container. - **interface_name**: Specify a name for the created network interface inside the container. So now you can set --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99 for the default bridge network as well as for network names. This is better than using --ip because we can set the ip per network without any confusion which network the ip address should be assigned to. The --ip, --mac-address and --network-alias options are still supported but --ip or --mac-address can only be set when only one network is set. This limitation already existed previously. The ability to specify a custom network interface name is new Fixes #11534 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Semiperiodic cleanup of obsolete Skip()sEd Santiago2021-11-19
| | | | | | | | | | | | | | Found by my find-obsolete-skips script. Let's see which, if any, of these skipped tests can be reenabled. Some Skips are "this will never work", not "this is expected to work one day". Update the message on those to reflect that. Some were real bugs in the test framework. Fix those. And, joy of joys, some work today. Remove those skips. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Add --unsetenv & --unsetenv-all to remove def environment variablesDaniel J Walsh2021-11-15
| | | | | | | | | | | | | | | | Podman adds a few environment variables by default, and currently there is no way to get rid of them from your container. This option will allow you to specify which defaults you don't want. --unsetenv-all will remove all default environment variables. Default environment variables can come from podman builtin, containers.conf or from the container image. Fixes: https://github.com/containers/podman/issues/11836 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* podman run --memory=0 ... should not set memory limitDaniel J Walsh2021-10-19
| | | | | | | | | On Docker this is ignored, and it should be on Podman as well. This is documented in the man page. Fixes: https://github.com/containers/podman/issues/12002 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* libpod: fix race when closing STDINPaul Holzinger2021-10-06
| | | | | | | | | | | | | | | | There is a race where `conn.Close()` was called before `conn.CloseWrite()`. In this case `CloseWrite` will fail and an useless error is printed. To fix this we move the the `CloseWrite()` call to the same goroutine to remove the race. This ensures that `CloseWrite()` is called before `Close()` and never afterwards. Also fixed podman-remote run where the STDIN was never was closed. This is causing flakes in CI testing. [NO TESTS NEEDED] Fixes #11856 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* System tests: tighten 'is' operatorEd Santiago2021-09-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix day-one sloppiness: when I first wrote this framework it compared strings using 'expr', not '=', to be more forgiving of extra cruft in output. This was a bad decision. It means that warnings or additional text are ignored: is "all is ok, NOT!" "all is ok" <-- this would pass Solution: tighten up the 'is' check. Use '=' (direct compare) first. If it fails, look for wild cards ('*') or character classes ('[') in the expect string. If so, and only then, use 'expr'. And, thanks to a clever suggestion from Luap99, include '(using expr)' in the error message when we do so; this could make it easier for a developer to understand a string mismatch. This change exposes a lot of instances in which we weren't doing proper comparisons. Fix those. Thankfully, there weren't as many as I'd feared. Also, and completely unrelated, add '-T' flag to bats helper, for showing timing results. (I will open this as a separate PR if requested. I too find it offensive to jumble together unrelated commits.) Signed-off-by: Ed Santiago <santiago@redhat.com>
* Support DeviceCgroupRules to actually get added.Daniel J Walsh2021-07-21
| | | | | | Fixes: https://github.com/containers/podman/issues/10302 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* System tests: add :Z to volume mountsEd Santiago2021-06-01
| | | | | | | | | | | | | | | | | | | | | | | selinux-policy-34.9-1.fc34 breaks a behavior we've relied on since (at least) January 2020: - Revert "Add permission open to files_read_inherited_tmp_files() interface" That's probably the correct thing to do, but it breaks our existing tests. Solution: add ':Z' where needed. Tested on Ed's laptop, which has the offending selinux-policy as of 2021-05-31. Tests pass root and rootless. (I mention this because tests will obviously pass in CI, which has a much older selinux-policy). Also: add a 'podman rmi' for cleanup in one test, to avoid noise in test logs. Fixes: #10522 Signed-off-by: Ed Santiago <santiago@redhat.com>
* Improve OCI Runtime errorDaniel J Walsh2021-05-22
| | | | | | | | | | | | | ErrOCIRuntimeNotFound error is misleading. Try to make it more understandable to the user that the OCI Runtime IE crun or runc is not missing, but the command they attempted to run within the container is missing. [NO TESTS NEEDED] Regular tests should handle this. Fixes: https://github.com/containers/podman/issues/10432 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Create the /etc/mtab file if does not existsDaniel J Walsh2021-05-15
| | | | | | | | | | | We should create the /etc/mtab->/proc/mountinfo link so that mount command will work within the container. Docker does this by default. Fixes: https://github.com/containers/podman/issues/10263 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* migrate Podman to containers/common/libimageValentin Rothberg2021-05-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Migrate the Podman code base over to `common/libimage` which replaces `libpod/image` and a lot of glue code entirely. Note that I tried to leave bread crumbs for changed tests. Miscellaneous changes: * Some errors yield different messages which required to alter some tests. * I fixed some pre-existing issues in the code. Others were marked as `//TODO`s to prevent the PR from exploding. * The `NamesHistory` of an image is returned as is from the storage. Previously, we did some filtering which I think is undesirable. Instead we should return the data as stored in the storage. * Touched handlers use the ABI interfaces where possible. * Local image resolution: previously Podman would match "foo" on "myfoo". This behaviour has been changed and Podman will now only match on repository boundaries such that "foo" would match "my/foo" but not "myfoo". I consider the old behaviour to be a bug, at the very least an exotic corner case. * Futhermore, "foo:none" does *not* resolve to a local image "foo" without tag anymore. It's a hill I am (almost) willing to die on. * `image prune` prints the IDs of pruned images. Previously, in some cases, the names were printed instead. The API clearly states ID, so we should stick to it. * Compat endpoint image removal with _force_ deletes the entire not only the specified tag. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #10157 from edsantiago/batsOpenShift Merge Robot2021-04-28
|\ | | | | System tests: fix two race conditions
| * System tests: fix two race conditionsEd Santiago2021-04-27
| | | | | | | | | | | | | | Basically, add 'podman wait' before 'podman rm'. See if this fixes gating tests run on ppc64le (possibly very very slow hosts) Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Add podman run --timeout optionDaniel J Walsh2021-04-23
|/ | | | | | | | | This option allows users to specify the maximum amount of time to run before conmon sends the kill signal to the container. Fixes: https://github.com/containers/podman/issues/6412 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* system tests: new interactive testsEd Santiago2021-03-25
| | | | | | | | socat can create a dummy PTY that we can manipulate. This lets us run a variety of tests that we couldn't before, involving "run -it", and stty, and even "load" with no args. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Check if stdin is a term in --interactive --tty modeDaniel J Walsh2021-03-24
| | | | | | | | | | | | | | | | If you are attempting to run a container in interactive mode, and want a --tty, then there must be a terminal in use. Docker exits right away when a user specifies to use a --interactive and --TTY but the stdin is not a tty. Currently podman will pull the image and then fail much later. Podman will continue to run but will print an warning message. Discussion in : https://github.com/containers/podman/issues/8916 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* system test image: build it multiarchEd Santiago2021-02-24
| | | | | | | | | | | | | | buildah now supports running under emulation[1] as well as creating manifests. Use those features to create a multiarch testimage that can be used to test podman on other arches. [1] on Fedora 33, this requires the qemu-user-static package We also build a new :00000001 image, replacing :00000000, because (sigh) some tests try to run 'true' in the container. Include instructions on building said image. Signed-off-by: Ed Santiago <santiago@redhat.com>
* do not set empty $HOMEValentin Rothberg2021-02-16
| | | | | | | | | | | Make sure to not set an empty $HOME for containers and let it default to "/". https://github.com/containers/crun/pull/599 is required to fully address #9378. Partially-Fixes: #9378 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* fix logic when not creating a workdirValentin Rothberg2021-02-05
| | | | | | | | | | | When resolving the workdir of a container, we may need to create unless the user set it explicitly on the command line. Otherwise, we just do a presence check. Unfortunately, there was a missing return that lead us to fall through into attempting to create and chown the workdir. That caused a regression when running on a read-only root fs. Fixes: #9230 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* System test for #9096 (truncated stdout)Ed Santiago2021-02-02
| | | | | | | | | | | This actually tests conmon, not podman; but that's the whole point of system tests in the first place: if a problem exists, we want to fail loudly, no matter whose fault it is. (I can't get this to fail on my f33 laptop; OP on #9096 claims it only fails on Ubuntu. We'll see what happens in CI). Signed-off-by: Ed Santiago <santiago@redhat.com>
* workdir presence checksValentin Rothberg2021-01-26
| | | | | | | | | | | | | | | | | | A container's workdir can be specified via the CLI via `--workdir` and via an image config with the CLI having precedence. Since images have a tendency to specify workdirs without necessarily shipping the paths with the root FS, make sure that Podman creates the workdir. When specified via the CLI, do not create the path, but check for its existence and return a human-friendly error. NOTE: `crun` is performing a similar check that would yield exit code 127. With this change, however, Podman performs the check and yields exit code 126. Since this is specific to `crun`, I do not consider it to be a breaking change of Podman. Fixes: #9040 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #8730 from rhatdan/logOpenShift Merge Robot2020-12-16
|\ | | | | Add LogSize to container inspect
| * Add LogSize to container inspectDaniel J Walsh2020-12-15
| | | | | | | | | | | | | | Other log options are available so we need to add ability to look up LogSize. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | system tests: the catch-up gameEd Santiago2020-12-14
|/ | | | | | | | | | | | | | | | | | | | | | | | | - run test: minor cleanup to .containerenv test. Basically, make it do only two podman-runs (they're expensive) and tighten up the results checks - ps test: add ps -a --storage. Requires small tweak to run_podman helper, so we can have "timeout" be an expected result - sdnotify test: workaround for #8718 (seeing MAINPID=xxx as last output line instead of READY=1). As found by the newly-added debugging echos, what we are seeing is: MAINPID=103530 READY=1 MAINPID=103530 It's not supposed to be that way; it's supposed to be just the first two. But when faced with reality, we must bend to accommodate it, so let's accept READY=1 anywhere in the output stream, not just as the last line. Signed-off-by: Ed Santiago <santiago@redhat.com>
* RHEL gating tests: more journald exceptionsEd Santiago2020-12-14
| | | | | | | | | | | | | | | | | | | | Followup to #8284, due to my not having noticed #8096. RHEL gating tests are failing again due to rhbz#1895105, the one where we can't run journalctl rootless on RHEL. #8284 fixed this for some RHEL builds of older podman, but I missed #8096 which added yet another logs test. This brings us to three journalctl exceptions, which means it gets complicated because I have to refactor it all. **THIS IS NOT SUSTAINABLE**. We need some way to have a similar setup in CI, with a permission-less rootless login, so we don't add yet another logs test some day and discover, months later, that it doesn't work on RHEL and then have to go into crisis mode. Signed-off-by: Ed Santiago <santiago@redhat.com>
* add comment to #8558 regression testValentin Rothberg2020-12-07
| | | | | | | As suggested by @edsantiago, add a comment to the regression test of #8558 to better document the context. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* container create: do not clear image nameValentin Rothberg2020-12-07
| | | | | | | | When creating a container, do not clear the input-image name before looking up image names. Also add a regression test. Fixes: #8558 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Add containerenv information to /run/.containerenvDaniel J Walsh2020-12-03
| | | | | | | | | | | | | We have been asked to leak some information into the container to indicate: * The name and id of the container * The version of podman used to launch the container * The image name and ID the container is based on. * Whether the container engine is running in rootless mode. Fixes: https://github.com/containers/podman/issues/6192 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>