| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
...and enable the at-test-time confirmation, the one that
double-checks that if CI requests runc we actually use runc.
This exposed a nasty surprise in our setup: there are steps to
define $OCI_RUNTIME, but that's actually a total fakeout!
OCI_RUNTIME is used only in e2e tests, it has no effect
whatsoever on actual podman itself as invoked via command
line such as in system tests. Solution: use containers.conf
Given how fragile all this runtime stuff is, I've also added
new tests (e2e and system) that will check $CI_DESIRED_RUNTIME.
Image source: https://github.com/containers/automation_images/pull/146
Since we haven't actually been testing with runc, we need
to fix a few tests:
- handle an error-message change (make it work in both crun and runc)
- skip one system test, "survive service stop", that doesn't
work with runc and I don't think we care.
...and skip a bunch, filing issues for each:
- #15013 pod create --share-parent
- #15014 timeout in dd
- #15015 checkpoint tests time out under $CONTAINER
- #15017 networking timeout with registry
- #15018 restore --pod gripes about missing --pod
- #15025 run --uidmap broken
- #15027 pod inspect cgrouppath broken
- ...and a bunch more ("podman pause") that probably don't
even merit filing an issue.
Also, use /dev/urandom in one test (was: /dev/random) because
the test is timing out and /dev/urandom does not block. (But
the test is still timing out anyway, even with this change)
Also, as part of the VM switch we are now using go 1.18 (up
from 1.17) and this broke the gitlab tests. Thanks to @Luap99
for a quick fix.
Also, slight tweak to #15021: include the timeout value, and
reword message so command string is at end.
Also, fixed a misspelling in a test name.
Fixes: #14833
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Fix the parse for the cgroup devices rule to correctly handle the
wildcard syntax for the device major.
Also make sure the device major and minor are not negative numbers.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
|
| |
We should just silently fall through. The log was flooding the
system-service logs when running Gitlab runner.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes:
- use --timestamp option to produce 'created' stamps
that can be reliably tested in the image-history test
- podman now supports manifest & multiarch run, so we
no longer need buildah
- bump up base alpine & busybox images
This turned out to be WAY more complicated than it should've been,
because:
- alpine 3.14 fixed 'date -Iseconds' to include a colon in
the TZ offset ("-07:00", was "-0700"). This is now consistent
with GNU date's --iso-8601 format, yay, so we can eliminate
a minor workaround.
- with --timestamp, all ADDed files are set to that timestamp,
including the custom-reference-timestamp file that many tests
rely on. So we need to split the build into two steps. But:
- ...with a two-step build I need to use --squash-all, not --squash, but:
- ... (deep sigh) --squash-all doesn't work with --timestamp (#14536)
so we need to alter existing tests to deal with new image layers.
- And, long and sordid story relating to --rootfs. TL;DR that option
only worked by a miracle relating to something special in one
specific test image; it doesn't work with any other images. Fix
seems to be complicated, so we're bypassing with a FIXME (#14505).
And, unrelated:
- remove obsolete skip and workaround in run-basic test (dating
back to varlink days)
- add a pause-image cleanup to avoid icky red warnings in logs
Fixes: #14456
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In docker, the format of no-new-privileges is
"no-new-privileges:true". However, for Podman
all that's required is "no-new-privileges", leading to issues
when attempting to use features desgined for docker in podman.
Adding support for the ":" format to be used along with the "="
format, depedning on which one is entered by the user.
fixes #14133
Signed-off-by: Niall Crowe <nicrowe@redhat.com>
|
|\
| |
| | |
use etchosts package from c/common
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Use the new logic from c/common to create the hosts file. This will help
to better allign the hosts files between buildah and podman.
Also this fixes several bugs:
- remove host entries when container is stopped and has a netNsCtr
- add entries for containers in a pod
- do not duplicate entries in the hosts file
- use the correct slirp ip when an userns is used
Features:
- configure host.containers.internal entry in containers.conf
- configure base hosts file in containers.conf
Fixes #12003
Fixes #13224
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|\ \
| |/
|/| |
Add support for --userns=nomap
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
From a security point of view, it would be nice to be able to map a
rootless usernamespace that does not use your own UID within the
container.
This would add protection against a hostile process escapping the
container and reading content in your homedir.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem: the system test 'is()' checker was poorly thought out.
For example, there is no way to check for inequality or for
absence of a substring.
Solution, step 1: introduce new assert(), copied almost verbatim
from buildah, where it has been successful in addressing the
gaps in is().
The logical next step is to search the tests for 'die' and
for 'run', looking for negative assertions which we can
replace with assert(). There were a lot, and in the process
I found a number of ugly bugs in the tests themselves. I've
taken the liberty of fixing these.
Important note: at this time we have both assert() and is().
Replacing all instances of is() would be impossible to review.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|
|
|
|
|
| |
Will also be included in the upcoming backports.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
|
|
|
|
|
|
|
|
|
| |
do not force a value of OOMScoreAdj=0 if it is wasn't specified by the
user.
Closes: https://github.com/containers/podman/issues/13731
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Amongst other things 030-run.bats checks for sensible error messages when
attempting a "podman run" with a non-existent or inaccessible path. It
checks for these messages, which come from the low-level runtime, in a lot
of detail, including separate versions for runc and crun. This is fragile
in several ways:
* It's likely to fail if using a runtime other than crun or runc
* It relies on detecting whether the runtime is crun vs. runc using the
path, which could fail if the binary has been named something unusual
* It will break if crun or runc ever alter their error message (even if
it's just changing case)
This replaces the checked versions with a much more accepting regex which
will work for both the runc and crun messages, while still looking for the
essential pieces. This isn't guaranteed to work with other runtimes, but
it's much more likely to.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
|
|
|
|
|
|
|
| |
This test case is used for covering rhbz#1902979.
Signed-off-by: Alex Jia <ajia@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
| |
Fixes: https://github.com/containers/podman/issues/11515
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Emergency fix to image-scp tests. DO NOT CREATE A USER!
These tests are run in all sorts of environments. We
do not have the right to vandalize a production system.
Also remove some misleading unneeded tests; and refactor a
little; and add a bunch of FIXMEs which will need to be
addressed later.
Also, super-low priority, add 'crun: ' to expected error
message in a run test (minor followup to #12758).
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|
|
|
|
|
|
|
|
| |
It would be easier to diagnose OCI runtime errors if the error actually
had the name of the OCI runtime that produced the error.
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
|
| |
This test case is used for covering rhbz#1854566.
Replaces: #12220
Signed-off-by: Alex Jia <ajia@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
|
| |
This test case is used for covering rhbz#1763007.
Replaces: #12221
Signed-off-by: Alex Jia <ajia@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Some containers require certain user account(s) to exist within the
container when they are run. This option will allow callers to add a
bunch of passwd entries from the host to the container even if the
entries are not in the local /etc/passwd file on the host.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1935831
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
|
|
| |
It has been deprecated and is no longer supported. Fully remove it and
only print a warning if a user uses it.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2011695
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
| |
Fixes: #12667
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rework the --network parse logic to support multiple networks with
specific network configuration settings.
--network can now be set multiple times. For bridge network mode the
following options have been added:
- **alias=name**: Add network-scoped alias for the container.
- **ip=IPv4**: Specify a static ipv4 address for this container.
- **ip=IPv6**: Specify a static ipv6 address for this container.
- **mac=MAC**: Specify a static mac address address for this container.
- **interface_name**: Specify a name for the created network interface inside the container.
So now you can set --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99
for the default bridge network as well as for network names.
This is better than using --ip because we can set the ip per network
without any confusion which network the ip address should be assigned
to.
The --ip, --mac-address and --network-alias options are still supported
but --ip or --mac-address can only be set when only one network is set.
This limitation already existed previously.
The ability to specify a custom network interface name is new
Fixes #11534
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Found by my find-obsolete-skips script. Let's see which, if any,
of these skipped tests can be reenabled.
Some Skips are "this will never work", not "this is expected to
work one day". Update the message on those to reflect that.
Some were real bugs in the test framework. Fix those.
And, joy of joys, some work today. Remove those skips.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Podman adds a few environment variables by default, and
currently there is no way to get rid of them from your container.
This option will allow you to specify which defaults you don't
want.
--unsetenv-all will remove all default environment variables.
Default environment variables can come from podman builtin,
containers.conf or from the container image.
Fixes: https://github.com/containers/podman/issues/11836
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
|
|
| |
On Docker this is ignored, and it should be on Podman as
well. This is documented in the man page.
Fixes: https://github.com/containers/podman/issues/12002
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a race where `conn.Close()` was called before `conn.CloseWrite()`.
In this case `CloseWrite` will fail and an useless error is printed. To
fix this we move the the `CloseWrite()` call to the same goroutine to
remove the race. This ensures that `CloseWrite()` is called before
`Close()` and never afterwards.
Also fixed podman-remote run where the STDIN was never was closed.
This is causing flakes in CI testing.
[NO TESTS NEEDED]
Fixes #11856
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix day-one sloppiness: when I first wrote this framework
it compared strings using 'expr', not '=', to be more
forgiving of extra cruft in output. This was a bad decision.
It means that warnings or additional text are ignored:
is "all is ok, NOT!" "all is ok" <-- this would pass
Solution: tighten up the 'is' check. Use '=' (direct
compare) first. If it fails, look for wild cards ('*')
or character classes ('[') in the expect string. If
so, and only then, use 'expr'. And, thanks to a clever
suggestion from Luap99, include '(using expr)' in the
error message when we do so; this could make it easier
for a developer to understand a string mismatch.
This change exposes a lot of instances in which we weren't
doing proper comparisons. Fix those. Thankfully, there
weren't as many as I'd feared.
Also, and completely unrelated, add '-T' flag to bats
helper, for showing timing results. (I will open this
as a separate PR if requested. I too find it offensive
to jumble together unrelated commits.)
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|
|
|
|
|
| |
Fixes: https://github.com/containers/podman/issues/10302
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
selinux-policy-34.9-1.fc34 breaks a behavior we've relied on
since (at least) January 2020:
- Revert "Add permission open to files_read_inherited_tmp_files()
interface"
That's probably the correct thing to do, but it breaks our
existing tests. Solution: add ':Z' where needed.
Tested on Ed's laptop, which has the offending selinux-policy
as of 2021-05-31. Tests pass root and rootless. (I mention
this because tests will obviously pass in CI, which has a
much older selinux-policy).
Also: add a 'podman rmi' for cleanup in one test, to avoid
noise in test logs.
Fixes: #10522
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ErrOCIRuntimeNotFound error is misleading. Try to make it more
understandable to the user that the OCI Runtime IE crun or runc is not
missing, but the command they attempted to run within the container is
missing.
[NO TESTS NEEDED] Regular tests should handle this.
Fixes: https://github.com/containers/podman/issues/10432
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
We should create the /etc/mtab->/proc/mountinfo link
so that mount command will work within the container.
Docker does this by default.
Fixes: https://github.com/containers/podman/issues/10263
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Migrate the Podman code base over to `common/libimage` which replaces
`libpod/image` and a lot of glue code entirely.
Note that I tried to leave bread crumbs for changed tests.
Miscellaneous changes:
* Some errors yield different messages which required to alter some
tests.
* I fixed some pre-existing issues in the code. Others were marked as
`//TODO`s to prevent the PR from exploding.
* The `NamesHistory` of an image is returned as is from the storage.
Previously, we did some filtering which I think is undesirable.
Instead we should return the data as stored in the storage.
* Touched handlers use the ABI interfaces where possible.
* Local image resolution: previously Podman would match "foo" on
"myfoo". This behaviour has been changed and Podman will now
only match on repository boundaries such that "foo" would match
"my/foo" but not "myfoo". I consider the old behaviour to be a
bug, at the very least an exotic corner case.
* Futhermore, "foo:none" does *not* resolve to a local image "foo"
without tag anymore. It's a hill I am (almost) willing to die on.
* `image prune` prints the IDs of pruned images. Previously, in some
cases, the names were printed instead. The API clearly states ID,
so we should stick to it.
* Compat endpoint image removal with _force_ deletes the entire not
only the specified tag.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\
| |
| | |
System tests: fix two race conditions
|
| |
| |
| |
| |
| |
| |
| | |
Basically, add 'podman wait' before 'podman rm'. See if this
fixes gating tests run on ppc64le (possibly very very slow hosts)
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|/
|
|
|
|
|
|
|
| |
This option allows users to specify the maximum amount of time to run
before conmon sends the kill signal to the container.
Fixes: https://github.com/containers/podman/issues/6412
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
|
| |
socat can create a dummy PTY that we can manipulate. This
lets us run a variety of tests that we couldn't before,
involving "run -it", and stty, and even "load" with no args.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If you are attempting to run a container in interactive mode, and want
a --tty, then there must be a terminal in use.
Docker exits right away when a user specifies to use a --interactive and
--TTY but the stdin is not a tty.
Currently podman will pull the image and then fail much later.
Podman will continue to run but will print an warning message.
Discussion in : https://github.com/containers/podman/issues/8916
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
buildah now supports running under emulation[1] as well as
creating manifests. Use those features to create a multiarch
testimage that can be used to test podman on other arches.
[1] on Fedora 33, this requires the qemu-user-static package
We also build a new :00000001 image, replacing :00000000,
because (sigh) some tests try to run 'true' in the container.
Include instructions on building said image.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Make sure to not set an empty $HOME for containers and let it default to
"/".
https://github.com/containers/crun/pull/599 is required to fully
address #9378.
Partially-Fixes: #9378
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
When resolving the workdir of a container, we may need to create unless
the user set it explicitly on the command line. Otherwise, we just do a
presence check. Unfortunately, there was a missing return that lead us
to fall through into attempting to create and chown the workdir. That
caused a regression when running on a read-only root fs.
Fixes: #9230
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This actually tests conmon, not podman; but that's the whole
point of system tests in the first place: if a problem exists,
we want to fail loudly, no matter whose fault it is.
(I can't get this to fail on my f33 laptop; OP on #9096 claims
it only fails on Ubuntu. We'll see what happens in CI).
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A container's workdir can be specified via the CLI via `--workdir` and
via an image config with the CLI having precedence.
Since images have a tendency to specify workdirs without necessarily
shipping the paths with the root FS, make sure that Podman creates the
workdir. When specified via the CLI, do not create the path, but check
for its existence and return a human-friendly error.
NOTE: `crun` is performing a similar check that would yield exit code
127. With this change, however, Podman performs the check and yields
exit code 126. Since this is specific to `crun`, I do not consider it
to be a breaking change of Podman.
Fixes: #9040
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\
| |
| | |
Add LogSize to container inspect
|
| |
| |
| |
| |
| |
| |
| | |
Other log options are available so we need to add ability to look
up LogSize.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- run test: minor cleanup to .containerenv test. Basically,
make it do only two podman-runs (they're expensive) and
tighten up the results checks
- ps test: add ps -a --storage. Requires small tweak to
run_podman helper, so we can have "timeout" be an expected
result
- sdnotify test: workaround for #8718 (seeing MAINPID=xxx as
last output line instead of READY=1). As found by the
newly-added debugging echos, what we are seeing is:
MAINPID=103530
READY=1
MAINPID=103530
It's not supposed to be that way; it's supposed to be just
the first two. But when faced with reality, we must bend
to accommodate it, so let's accept READY=1 anywhere in
the output stream, not just as the last line.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Followup to #8284, due to my not having noticed #8096.
RHEL gating tests are failing again due to rhbz#1895105, the
one where we can't run journalctl rootless on RHEL. #8284 fixed
this for some RHEL builds of older podman, but I missed #8096
which added yet another logs test.
This brings us to three journalctl exceptions, which means
it gets complicated because I have to refactor it all.
**THIS IS NOT SUSTAINABLE**. We need some way to have a similar
setup in CI, with a permission-less rootless login, so we don't
add yet another logs test some day and discover, months later,
that it doesn't work on RHEL and then have to go into crisis
mode.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|
|
|
|
|
|
| |
As suggested by @edsantiago, add a comment to the regression test
of #8558 to better document the context.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|
|
|
|
|
|
|
| |
When creating a container, do not clear the input-image name before
looking up image names. Also add a regression test.
Fixes: #8558
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have been asked to leak some information into the container
to indicate:
* The name and id of the container
* The version of podman used to launch the container
* The image name and ID the container is based on.
* Whether the container engine is running in rootless mode.
Fixes: https://github.com/containers/podman/issues/6192
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|