path: root/test/system
Commit message (Author, Age)
* pass LISTEN_* environment into container (Valentin Rothberg, 2021-08-31)
  Make sure that Podman passes the LISTEN_* environment into containers. Similar to runc, LISTEN_PID is set to 1. Also remove conditionally passing the LISTEN_FDS as extra files. The condition was wrong (inverted) and was introduced to fix #3572, which related to running under varlink, which has been dropped entirely with Podman 3.0. Note that the NOTIFY_SOCKET and LISTEN_* variables are cleared when running `system service`.
  Fixes: #10443
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* auto-update: fix authfile label (Valentin Rothberg, 2021-08-30)
  Make sure that the container's authfile label is used when pulling down a new image.
  [NO TESTS NEEDED] since it would require some larger rewrite of the auto-update system tests that I currently have no time for. I added a reminder to have some breadcrumbs when there is more time.
  Fixes: #11171
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* volumes: Add volume import to allow importing contents on tar into volume (flouthoc, 2021-08-26)
  Following feature makes sure that users can load contents of external tarball into the podman volumes.
  Signed-off-by: flouthoc <flouthoc.git@gmail.com>
* Merge pull request #11263 from nalind/journal-read (OpenShift Merge Robot, 2021-08-24)
  libpod/Container.readFromJournal(): don't skip the first entry
* 130-kill.bats: increase timeouts from 10s to 60s (Nalin Dahyabhai, 2021-08-23)
  Increase the amount of time we're willing to wait for a log message that a container should be printing to show up in the output of `logs -f`, since on at least one CI configuration we're seeing a turnaround as high as 46s, but it's not something we can directly control, so that's not a hard maximum.
  Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* 330-corrupt-images: don't try to tag with a canonical name (Nalin Dahyabhai, 2021-08-23)
  In these tests, don't try to tag an image using a canonical ("with digest") image name.
  Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* generate systemd: use --cidfile again (Valentin Rothberg, 2021-08-24)
  Commit 9ac5267 changed the type of the generated systemd units from `forking` to `notify`. It further stopped using `--cidfile` and instead intended systemd to take care of stopping the container, which turned out to be a bad idea. Systemd will send the stop/kill signals to conmon which in turn may exit non-zero, depending on the signal, and ultimately breaking container cleanup. Hence, we need to use --cidfile again and let podman stop and remove the container to make sure that everything's in order.
  Fixes: #11304
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Revert "generate systemd: custom stop signal" (Valentin Rothberg, 2021-08-24)
  This reverts commit 70801b3d714b067d64744697433c5841926dad4d.
  It turns out that letting systemd handle stopping the container is not working as I thought it would. Conmon is receiving the stop/kill signals and may exit non-zero, which in turn lets the systemd service transition into the `failed` state. We need to get back to letting Podman stop the containers and do a partial revert of commit 9ac5267 which removed using --cidfile. Happening in a following commit.
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* generate systemd: custom stop signal (Valentin Rothberg, 2021-08-24)
  Commit 9ac5267598c3 changed the type of the generated systemd units from forking to notify. Part of these changes was also removing the need to pass any information via the file system (e.g., PIDFILE, container ID). That in turn implies that systemd takes care of stopping the container. By default, systemd first sends a SIGTERM and after a certain timeout, it'll send a SIGKILL. That's pretty much what Podman is doing, unless the container was created with a custom stop signal, which is the case when the --stop-signal flag was used or systemd is mounted. Account for that by using systemd's KillSignal option which allows for changing SIGTERM to another signal.
  Also make sure that we're using the correct timeout for units generated with --new.
  Fixes: #11304
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Implement SD-NOTIFY proxy in conmon (Daniel J Walsh, 2021-08-20)
  This leverages conmon's ability to proxy the SD-NOTIFY socket. This prevents locking caused by OCI runtime blocking, waiting for SD-NOTIFY messages, and instead passes the messages directly up to the host.
  NOTE: Also re-enable the auto-update tests which have been disabled due to flakiness. With this change, Podman properly integrates into systemd.
  Fixes: #7316
  Signed-off-by: Joseph Gooch <mrwizard@dok.org>
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Fix rootless cni dns without systemd stub resolver (Paul Holzinger, 2021-08-16)
  When a host uses systemd-resolved but not the resolved stub resolver, the following symlinks are created: `/etc/resolv.conf` -> `/run/systemd/resolve/stub-resolv.conf` -> `/run/systemd/resolve/resolv.conf`. Because the code uses filepath.EvalSymlinks we put the new resolv.conf to `/run/systemd/resolve/resolv.conf` but the `/run/systemd/resolve/stub-resolv.conf` link does not exist in the mount ns. To fix this we will walk the symlinks manually until we reach the first one under `/run` and use this for the resolv.conf file destination.
  This fixes a regression which was introduced in e73d4829900c.
  Fixes #11222
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Run codespell to fix spelling (Daniel J Walsh, 2021-08-11)
  [NO TESTS NEEDED] Just fixing spelling.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* skip flaking auto-update test (Paul Holzinger, 2021-08-10)
  This test flakes on almost every PR, so skip it for now until someone can fix it, see #11175.
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #11134 from rhatdan/buildx (openshift-ci[bot], 2021-08-09)
  Alias build to buildx, so it won't fail
* Alias build to buildx, so it won't fail (Daniel J Walsh, 2021-08-09)
  Add hidden --load and --progress flag as well.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* podman info show correct slirp4netns path (Paul Holzinger, 2021-08-09)
  The slirp4netns path can be set in the config file or with --network-cmd-path. Podman info should read the version information correctly and not use PATH in this case. Also show the slirp4netns version information to root users.
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* auto-update: simple rollback (Valentin Rothberg, 2021-08-05)
  Add support for simple rollbacks during `podman auto-update`. Rollbacks are enabled by default. If a systemd unit cannot be restarted after an update, the previous image will be retagged and the unit will be restarted a second time.
  Add system tests for rollbacks.
  Also fix a bug in the restart sequence; we have to use the channel to actually know whether the restart was successful or not.
  NOTE: To make rollbacks really useful, users must run their containers with `--sdnotify=container` such that the containers send the ready message over the (mounted) socket. This way, restarting the systemd units during auto update will block until the message has been received (or a timeout kicked in).
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Fix podman unpause,pause,kill --all to work like podman stop --all (Daniel J Walsh, 2021-08-04)
  Currently if you execute podman unpause --all, podman pause --all, Podman shows attempts to unpause containers that are not paused and prints an error. This PR catches this error and only prints errors if a paused container was not able to be unpaused.
  Currently if you execute podman pause --all or podman kill --all, Podman shows attempts to pause or kill containers that are not running and prints an error. This PR catches this error and only prints errors if a running container was not able to be paused or killed.
  Also change printing of multiple errors to go to stderr and to prefix "Error: " in front to match the output of the last error.
  Fixes: https://github.com/containers/podman/issues/11098
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* podman info: try qfile before equery (Ed Santiago, 2021-08-03)
  podman info takes >20s on Gentoo, because equery is s..l..o..w. qfile is much faster and, I suspect, present in most Gentoo installations, so let's try it first.
  And, because packageVersion() was scarily unmaintainable, refactor it. Define a simple (string) list of packaging tools to query (rpm, dpkg, ...) and iterate until we find one that works.
  IMPORTANT NOTE: the Debian (and, presumably, Ubuntu) query does not include version number! There is no standard way on Debian to get a package version from a file path, you can only do it via pipes of chained commands, and I have no desire to implement that.
  Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #11091 from Luap99/connect-disconnect (openshift-ci[bot], 2021-08-03)
  fix rootless port forwarding with network dis-/connect
* fix rootless port forwarding with network dis-/connect (Paul Holzinger, 2021-08-03)
  The rootlessport forwarder requires a child IP to be set. This must be a valid ip in the container network namespace. The problem is that after a network disconnect and connect the eth0 ip changed. Therefore the packages are dropped since the source ip no longer exists in the netns. One solution is to set the child IP to 127.0.0.1, however this is a security problem. [1]
  To fix this we have to recreate the ports after network connect and disconnect. To make this work the rootlessport process exposes a socket where podman network connect/disconnect connect to and send the new child IP to rootlessport. The rootlessport process will remove all ports and recreate them with the new correct child IP.
  Also bump rootlesskit to v0.14.3 to fix a race with RemovePort().
  Fixes #10052
  [1] https://nvd.nist.gov/vuln/detail/CVE-2021-20199
  Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Fix handling of user specified container labels (Daniel J Walsh, 2021-08-02)
  Currently we override the SELinux labels specified by the user if the container is running a kata container or systemd container. This PR fixes to use the label specified by the user.
  Fixes: https://github.com/containers/podman/issues/11100
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix auto-update system test for older systemd (Hironori Shiina, 2021-07-30)
  If the systemd version is older than v245, systemd uses 'Started' when a oneshot service finishes. In systemd, the change was done at: https://github.com/systemd/systemd/pull/14851 commit-id: eda0cbf07186d16a160bd1d810613586fdbdf587
  Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
* system tests: fix race in stop test (Ed Santiago, 2021-07-29)
  In the unlock/timeout test, on slow systems, 'podman ps' could catch the container before the just-backgrounded 'podman stop' sends the signal. Wait for signal ack from container before we inspect it.
  Also: If I understand the test correctly, it wasn't actually checking that 'ps' could grab the lock while the container was exiting. Add a check.
  Signed-off-by: Ed Santiago <santiago@redhat.com>
* remote build: fix streaming and error handling (Valentin Rothberg, 2021-07-28)
  Address a number of issues in the streaming logic in remote build, most importantly an error in using buffered channels on the server side. The pattern below does not guarantee that the channel is entirely read before the context fires.
  ```go
  for {
      select {
      case <-bufferedChannel:
          ...
      case <-ctx.Done():
          ...
      }
  }
  ```
  Fixes: #10154
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* cp system tests: reduce number of exec's (Valentin Rothberg, 2021-07-27)
  Reduce the amount of `podman exec`s in the cp system tests. Exec is expensive and a number of them could easily be combined into the container command. This cuts down the costs of running the tests by around 25 percent on my local machine.
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* support container to container copy (Mehul Arora, 2021-07-27)
  Implement container to container copy. Previously data could only be copied from/to the host.
  Fixes: #7370
  Co-authored-by: Mehul Arora <aroram18@mcmaster.ca>
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #11019 from boaz0/test_cors (OpenShift Merge Robot, 2021-07-26)
  Add tests to verify CORS is enabled
* Add tests to verify CORS is enabled (Boaz Shuster, 2021-07-25)
  Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
* Merge pull request #10895 from rhatdan/devices (OpenShift Merge Robot, 2021-07-24)
  Support DeviceCgroupRules to actually get added.
* Support DeviceCgroupRules to actually get added. (Daniel J Walsh, 2021-07-21)
  Fixes: https://github.com/containers/podman/issues/10302
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #10996 from cdoern/untilLog (OpenShift Merge Robot, 2021-07-24)
  Implemented --until flag for Libpod's Container Logs
* Implemented --until flag for libpod's container logs (cdoern, 2021-07-22)
  compat containers/logs was missing actual usage of until query param. This led me to implement the until param for libpod's container logs as well. Added e2e tests.
  Signed-off-by: cdoern <cdoern@redhat.com>
* Merge pull request #11018 from vrothberg/fix-10994 (OpenShift Merge Robot, 2021-07-24)
  import: write stdin to tmp file
* import: write stdin to tmp file (Valentin Rothberg, 2021-07-23)
  If importing an archive via stdin write it to a temporary file such that the temporary file can be opened multiple times later on. Otherwise, we may end up with an empty image.
  Also fix a bug in the URL parsing code; we need to check whether there's actually a scheme.
  Add system tests for `podman import` exercising the basics.
  Fixes: #10994
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Networking test: fix silent breakage (Ed Santiago, 2021-07-22)
  Wow did I screw up. #10982 introduced (at my suggestion) a new wait_for_port() helper, with the goal of eliminating a race condition. It didn't work.
  First: wait_for_port() tests by connecting to the port, which is a Bad Idea when you have a one-shot server that exits upon the first connection closing. We should've caught that, but:
  Second: I wrote wait_for_port() for a non-BATS test framework, and used the conventional file descriptor 3. BATS uses fd3 for internal control. Overriding that made the test silently just disappear, no "not ok" message, no warnings, nothing except vanishing into the ether.
  Third: this was caught by my log-colorizer script, which loudly yelled "WARNING: expected 234" (tests) at the bottom of the log. Unfortunately, since this wasn't my PR, I didn't actually look at the test logs.
  Solution: we can't use wait_for_port() in the network port test. Use wait_for_output() instead, triggering on the 'listening' message emitted by netcat in the container.
  Also: fix wait_for_port() to use fd5 instead of 3. Although no code currently uses wait_for_port() as of this PR, it's a useful helper that we may want to keep.
  Signed-off-by: Ed Santiago <santiago@redhat.com>
* Ensure journald events tests only run where supported (Matthew Heon, 2021-07-21)
  We don't support the journald events backend on RHEL8, for example. So we can't unconditionally run these tests.
  Partial fix for RHBZ1955166
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* system tests: cleaner, safer use of systemd (Ed Santiago, 2021-07-20)
  First and foremost: use ephemeral (/run, $XDG) directories for systemd unit files, so as not to vandalize a working system.
  Second, refactor common systemd-related functionality into a new helper file, loaded by the systemd-related tests. Shared functionality includes:
  * setting $XDG_RUNTIME_DIR if unset and rootless
  * setting $UNIT_DIR for use by tests
  * new systemctl() and journalctl() functions, which include "--user" when rootless (why can't systemd figure this out on its own?)
  Signed-off-by: Ed Santiago <santiago@redhat.com>
* system test: auto-update: multiarch fixes (Ed Santiago, 2021-07-20)
  auto-update test is failing on non-x86_64 arch: https://gitlab.com/cki-project/kernel-tests/-/issues/614#note_630010734
  Reason: test was relying on alpine_nginx image; this is a custom libpod image that only has a x86_64 version.
  Solution: use busybox instead. Busybox was copied from docker.io using skopeo copy --all, so it has all arches.
  Signed-off-by: Ed Santiago <santiago@redhat.com>
* system test: auto-update: allow running as rootless (Ed Santiago, 2021-07-20)
  They were being skipped for no clear reason.
  Also: use --files and --name option in generate-systemd. Before, output went to stdout, resulting in completely unreadable logs on test failure.
  Also: use volatile systemd directories (/run, $XDG_RUNTIME_DIR) instead of permanent ones. Thanks to @Luap99 for the reference.
  Signed-off-by: Ed Santiago <santiago@redhat.com>
* Flake Fix: Wait before connecting container port (Chris Evich, 2021-07-19)
  It was observed during periodic testing, this test can fail due to the container process being not fully running and listening on the expected port:
  ```
  [+1069s] not ok 220 podman networking: port with --userns=keep-id
  [+1069s] # (in test file test/system/500-networking.bats, line 144)
  [+1069s] #   `echo "$teststring" | nc 127.0.0.1 $myport' failed
  [+1069s] # # /var/tmp/go/src/github.com/containers/podman/bin/podman rm --all --force
  [+1069s] # # /var/tmp/go/src/github.com/containers/podman/bin/podman ps --all --external --format {{.ID}} {{.Names}}
  [+1069s] # # /var/tmp/go/src/github.com/containers/podman/bin/podman images --all --format {{.Repository}}:{{.Tag}} {{.ID}}
  [+1069s] # quay.io/libpod/testimage:20210610 9f9ec7f2fdef
  [+1069s] # # /var/tmp/go/src/github.com/containers/podman/bin/podman run -d --userns=keep-id -p 127.0.0.1:54322:54322 quay.io/libpod/testimage:20210610 nc -l -n -v -p 54322
  [+1069s] # 252c562c9a3c96892d867d1d72fb52b2efdfe62855ebedbccd2d281c472c2988
  [+1069s] # Ncat: No route to host.
  ```
  Fix this by using a new `wait_for_port()` function (thanks @edsantiago) before attempting to communicate with the service.
  Signed-off-by: Chris Evich <cevich@redhat.com>
* systemd: require network*-online*.target (Valentin Rothberg, 2021-07-16)
  Require the network to be online in all (generated) systemd units to make sure that containers and Podman run only after the network has been fully configured.
  Fixes: #10655
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #10820 from jvanz/indfra-container-name-issue-10794 (OpenShift Merge Robot, 2021-07-16)
  --infra-name command line argument
* --infra-name command line argument (José Guilherme Vanz, 2021-07-15)
  Adds the new --infra-name command line argument allowing users to define the name of the infra container
  Issue #10794
  Signed-off-by: José Guilherme Vanz <jvanz@jvanz.com>
* System tests: fix a multiarch problem (Ed Santiago, 2021-07-15)
  The multi-image load test was failing on non-x86_64 arch, because the images used by the test (:00000000, :20200902) did not have manifests for the given arch.
  Solution: all we need are two nonlocal images. Use the predefined NONLOCAL_IMAGE for one, and a new :multiimage tag (manually created, currently == :20210610) for the other. Document, so if/when RHEL adds new supported arches, the test will fail but a maintainer will have a clue what to do.
  Also, as long as I'm in here: add 'image prune -f' to teardown in build.bats, to avoid seeing lots of red "stray image" warnings in test logs.
  Also: skip a broken/flaky python test
  Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #10937 from vrothberg/auto-update (OpenShift Merge Robot, 2021-07-15)
  auto-update: add --dry-run
* auto-update: add --dry-run (Valentin Rothberg, 2021-07-15)
  Add a --dry-run flag to `podman auto-update` which will look for new images but won't perform any pull or restart any service or container. The "UPDATED" column will now indicate the availability of a newer image via "pending".
  ```
  $ podman auto-update --dry-run
  UNIT                    CONTAINER            IMAGE                   POLICY    UPDATED
  container-test.service  08fd34e533fd (test)  localhost:5000/busybox  registry  false
  ```
  Fixes: #9949
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* podman-remote build use .containerignore over .dockerignore (Daniel J Walsh, 2021-07-14)
  ```
  $ mkdir zzz;cd zzz
  $ printf "FROM quay.io/libpod/testimage:20210610\nCOPY ./ ./\nCOPY subdir ./\n" >Dockerfile
  $ printf "*\nsubdir\n\!*/sub1*\n" >.dockerignore
  $ mkdir subdir; touch subdir/sub1.txt
  $ ../bin/podman-remote build .
  ```
  Should fail, but succeeds because we are not sending over the .dockerignore file to the server side. This PR will send the .dockerignore to the server side and use it.
  Fixes: #10907
  Also if both .containerignore and .dockerignore are in the context directory, podman-remote should prefer .containerignore and not use .dockerignore.
  Fixes: #10908
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #10880 from vrothberg/auto-update (OpenShift Merge Robot, 2021-07-14)
  auto-update: make output more user friendly
* auto-update: make output more user friendly (Valentin Rothberg, 2021-07-14)
  The rather raw and scarce output of `podman auto-update` has been a thorn in my eyes for a longer while. So far, Podman would only print updated systemd units, one per line, without further formatting. Motivated by issue #9949 which is asking for some more useful information in combination with a dry-run feature, I sat down and reflected which information may come in handy. Running `podman auto-update` will now look as follows:
  ```
  $ podman auto-update
  Trying to pull [...]
  UNIT                    CONTAINER            IMAGE                   POLICY    UPDATED
  container-test.service  08fd34e533fd (test)  localhost:5000/busybox  registry  false
  ```
  Also refactor the spaghetti code in the backend a bit to make it easier to digest and maintain.
  For easier testing and for the sake of consistency with other commands listing output, add a `--format` flag.
  The man page will get an overhaul in a follow up commit.
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>