| Commit message (Collapse) | Author | Age |
|---|
| |\
| |
| | |
Add support for --userns=nomap
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
From a security point of view, it would be nice to be able to map a
rootless usernamespace that does not use your own UID within the
container.
This would add protection against a hostile process escapping the
container and reading content in your homedir.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem: the system test 'is()' checker was poorly thought out.
For example, there is no way to check for inequality or for
absence of a substring.
Solution, step 1: introduce new assert(), copied almost verbatim
from buildah, where it has been successful in addressing the
gaps in is().
The logical next step is to search the tests for 'die' and
for 'run', looking for negative assertions which we can
replace with assert(). There were a lot, and in the process
I found a number of ugly bugs in the tests themselves. I've
taken the liberty of fixing these.
Important note: at this time we have both assert() and is().
Replacing all instances of is() would be impossible to review.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
| |
|
|
|
|
| |
Fixes: https://github.com/containers/podman/issues/12768
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Minimal: only test Fedora.Latest.
Reason: podman 4.0.0-0.2.rc2 broke bodhi gating tests:
https://github.com/containers/podman/issues/12989
Requires skipping two recently-added tests that use 'podman unshare',
which doesn't work on remote.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
| |
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently Docker copies up the first volume on a mountpoint with
data.
Fixes: https://github.com/containers/podman/issues/12714
Also added NeedsCopyUP, NeedsChown and MountCount to the podman volume
inspect code.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fix handling of "bind" and "tmpfs" olumes to actually work.
Allow bind, tmpfs local volumes to work in rootless mode.
Also removed the string "error" from all error messages that begine with it.
All Podman commands are printed with Error:, so this causes an ugly
stutter.
Fixes: https://github.com/containers/podman/issues/12013
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
On the second runs, the labels should be the same so no
need to relabel.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2013548
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
| |
Currently we are not passing the force flag down to the removal of
the running container. If the container is running, and we set
--force when removing the volume, the container should be stopped.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Add --time flag to podman container rm
Add --time flag to podman pod rm
Add --time flag to podman volume rm
Add --time flag to podman network rm
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
| |
...in volume test. Looks like Bodhi gating tests run from a
nonwritable directory. I feel really stupid for not realizing
this when I first tried to fix this bug two weeks ago.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix day-one sloppiness: when I first wrote this framework
it compared strings using 'expr', not '=', to be more
forgiving of extra cruft in output. This was a bad decision.
It means that warnings or additional text are ignored:
is "all is ok, NOT!" "all is ok" <-- this would pass
Solution: tighten up the 'is' check. Use '=' (direct
compare) first. If it fails, look for wild cards ('*')
or character classes ('[') in the expect string. If
so, and only then, use 'expr'. And, thanks to a clever
suggestion from Luap99, include '(using expr)' in the
error message when we do so; this could make it easier
for a developer to understand a string mismatch.
This change exposes a lot of instances in which we weren't
doing proper comparisons. Fix those. Thankfully, there
weren't as many as I'd feared.
Also, and completely unrelated, add '-T' flag to bats
helper, for showing timing results. (I will open this
as a separate PR if requested. I too find it offensive
to jumble together unrelated commits.)
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* 070-build:
- remove workaround for #9567, which is closed.
- add many more cases to the ignorefile test,
to test complicated special cases of Buildah PR 3486.
* 160-volumes:
- remove a skip_if_remote, volumes now work on remote
- use a random name for tarball, and clean up when
done using it. This fixes a gating-test failure
(test runs as root, then rootless, and rootless
can't clobber root's file).
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
| |
|
|
|
|
|
| |
Following feature makes sure that users can load contents of external
tarball into the podman volumes.
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some CI systems set $OCI_RUNTIME as a way to override the
default crun. Integration (e2e) tests honor this, but system
tests were not aware of the convention; this means we haven't
been testing system tests with runc, which means RHEL gating
tests are now failing.
The proper solution would be to edit containers.conf on CI
systems. Sorry, that would involve too much CI-VM work.
Instead, this PR detects $OCI_RUNTIME and creates a dummy
containers.conf file using that runtime.
Add: various skips for tests that don't work with runc.
Refactor: add a helper function so we don't need to do
the complicated 'podman info blah blah .OCIRuntime.blah'
thing in many places.
BUG: we leave a tmp file behind on exit.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Currently we have only podman images list --noheading.
This PR Adds this option to volumes, containers, pods, networks,
machines, and secrets.
Fixes: https://github.com/containers/podman/issues/10065
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
| |
Signed-off-by: Achilleas Tzenetopoulos <atzenetopoulos@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- images: confirm that 'podman images' emits headings
even if there are no images present. Intended to
replace e2e test which is difficult to get working
under podman-remote.
- build: add test for #8092, podman-build gobbling stdin.
Workaround needed for issues #8342 and #8343, in which
podman-remote output differs from podman local.
- volumes: add test for #8307, double-lock on same volume.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the OCI Runtime tries to set certain settings in cgroups
it can get the error "no such file or directory", the wrapper
ends up reporting a bogus error like:
```
Request Failed(Internal Server Error): open io.max: No such file or directory: OCI runtime command not found error
{"cause":"OCI runtime command not found error","message":"open io.max: No such file or directory: OCI runtime command not found error","response":500}
```
On first reading of this, you would think the OCI Runtime (crun or runc) were not found. But the error is actually reporting
message":"open io.max: No such file or directory
Which is what we want the user to concentrate on.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- run --userns=keep-id: confirm that $HOME gets set (#8013)
- inspect: confirm that JSON output is a sane number of
lines (10 or more), not an unreadable one-liner (#8011
and #8021). Do so with image, pod, network, volume
because the code paths might be different.
- cgroups: confirm that 'run' preserves cgroup manager (#7970)
- sdnotify: reenable tests, and hope CI doesn't hang. This
test was disabled on August 18 because CI jobs were hanging
and timing out. My suspicion was that it was #7316, which
in turn seems to have hinged on conmon #182. The latter
was merged on Sep 16, so let's cross our fingers and see
what happens.
Also: remove inaccurate warning from a networking test.
And, wow, fix is_cgroupsv2(), it has never actually worked.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- pause test: enable when rootless + cgroups v2
(was previously disabled for all rootless)
- run --pull: now works with podman-remote
(in #7647, thank you @jwhonce)
- various other run/volumes tests: try reenabling
It looks like #7195 was fixed (by #7451? I'm not
sure if I'm reading the conversation correctly).
Anyway, remove all the skip()s on 7195. Only time
will tell if it's really fixed)
Also:
- new test for podman image tree --whatrequires
(because TIL). Doesn't work with podman-remote.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
| |
|
|
|
|
|
|
| |
We need to remove the container after it has exited for
podman-remote run --rm commands. If we don't remove this
container at this step, we open ourselves up to race conditions.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
| |
the go binding for remove container was using 'vols' for a key to remove volumes associated to the container. the correct key should be "v" and is documented as such.
Fixes: #7128
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
podman-remote is in better shape now. Let's see what needs
to be done to reenable remote system tests.
- logs test: skip multilog, it doesn't work remote
- diff test: use -l only when local, not with remote
- many other tests: skip_if_remote, with 'FIXME: pending #xxxx'
where xxxx is a filed issue.
Unrelated: added new helper to skip_if_remote and _if_rootless,
where we check if the source message includes "remote"/"rootless"
and insert it if missing. This is a minor usability enhancement
to make it easier to understand at-a-glance why a skip triggers.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
We previously enforced this for security reasons, but as Dan has
explained on several occasions, it's not very valuable there
(it's trivially easy to bypass) and it does seriously annoy folks
trying to use named volumes. Flip the default from 'on' to 'off'.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Three small fixes for breaking tests on rawhide:
1) run test: looks like runc changed the format of
an error message, adding a colon in one place.
runc is used on rawhide when booted in cgroups v1
2) volumes test: difference in exit status and error
message between runc and crun.
3) systemd test: define XDG_RUNTIME_DIR if unset.
podman helpfully sets this to a reasonable default,
but the 'systemctl' commands used in this test do not.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|
|
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
