summaryrefslogtreecommitdiff
path: root/test
Commit message (Collapse)AuthorAge
* Allow specifying seccomp profiles for privileged containersSascha Grunert2020-08-20
| | | | | | | To sync the behavior between AppArmor and seccomp it is now possible to also specify seccomp profiles for privileged containers. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Replace deepcopy on history resultsBrent Baude2020-08-20
| | | | | | | | the deepcopy in the remote history code path was throwing an uncaught error on a type mismatch. we now manually do the conversion and fix the type mismatch on the fly. Fixes: #7122 Signed-off-by: Brent Baude <bbaude@redhat.com>
* Add parameter verification for api creation networkzhangguanzhang2020-08-20
| | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* podman save use named pipeQi Wang2020-08-20
| | | | | | | | | | | podman save uses named pipe as output path, not directly using /dev/stdout. fix #7017 Signed-off-by: Qi Wang <qiwan@redhat.com> <MH: Corrected imports during cherry-pick> Signed-off-by: Matt Heon <matthew.heon@pm.me>
* podman support for IPv6 networksAntonio Ojea2020-08-20
| | | | | | | | | | | podman containers using IPv6 were missing the default route, breaking deployments trying to use them. The problem is that the default route was hardcoded to IPv4, this takes into consideration the podman subnet IP family to generate the corresponding default route. Signed-off-by: Antonio Ojea <aojea@redhat.com>
* system tests: invoke with abs path to podmanEd Santiago2020-08-11
| | | | | | | | | | | | | | | | | | | | | | Reversion of one part of #6679: my handling of 'realpath' would not work when $PODMAN is 'podman-remote --url etc'. Trying to handle that case got unmaintainable; so instead let's just force 'make {local,remote}system' to invoke with a full PODMAN path. This breaks down if someone runs the tests with a manual 'bats' invocation, but I think I'm the only one who ever does that. Since podman path will now be very long in the logs, add code to logformatter to abbreviate it like we do for the ginkgo logs. And, one thing that has bugged me for a long time: in the error logs, show a different prompt ('#' vs '$') to distinguish root vs rootless. This should make it much easier to see at-a-glance whether a log file is root or not. Add tests for it. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Make changes to /etc/passwd on disk for non-read onlyMatthew Heon2020-08-11
| | | | | | | | | | | | | | | | | | | | Bind-mounting /etc/passwd into the container is problematic becuase of how system utilities like `useradd` work. They want to make a copy and then rename to try to prevent breakage; this is, unfortunately, impossible when the file they want to rename is a bind mount. The current behavior is fine for read-only containers, though, because we expect useradd to fail in those cases. Instead of bind-mounting, we can edit /etc/passwd in the container's rootfs. This is kind of gross, because the change will show up in `podman diff` and similar tools, and will be included in images made by `podman commit`. However, it's a lot better than breaking important system tools. Fixes #6953 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add username to /etc/passwd inside of container if --userns keep-idDaniel J Walsh2020-08-11
| | | | | | | | | | If I enter a continer with --userns keep-id, my UID will be present inside of the container, but most likely my user will not be defined. This patch will take information about the user and stick it into the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* fix pod creation with "new:" syntaxPaul Holzinger2020-08-11
| | | | | | | | | | | When you execute podman create/run with the --pod new:<name> syntax the pod was created but the namespaces where not shared and therefore containers could not communicate over localhost. Add the default namespaces and pass the network options to the pod create options. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Add versioned _ping endpointJhon Honce2020-08-11
| | | | | | Fixes #7008 Signed-off-by: Jhon Honce <jhonce@redhat.com>
* API returns 500 in case network is not found instead of 404zhangguanzhang2020-08-11
| | | | | Backported-by: Valentin Rothberg <rothberg@redhat.com> Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* Handle podman-remote run --rmDaniel J Walsh2020-08-11
| | | | | | | | We need to remove the container after it has exited for podman-remote run --rm commands. If we don't remove this container at this step, we open ourselves up to race conditions. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* correct go-binding key for volumesBrent Baude2020-08-11
| | | | | | | | the go binding for remove container was using 'vols' for a key to remove volumes associated to the container. the correct key should be "v" and is documented as such. Fixes: #7128 Signed-off-by: Brent Baude <bbaude@redhat.com>
* cherry-pick: Reenable remote system testsEd Santiago2020-08-11
| | | | | | | | | | | | | | | | | | | | | | | | NOTE: the remote tests are not reenabled but the changes are applied. Future commits depend on some of the changes and having the commit applied will likely facilitate future backports as well. podman-remote is in better shape now. Let's see what needs to be done to reenable remote system tests. - logs test: skip multilog, it doesn't work remote - diff test: use -l only when local, not with remote - many other tests: skip_if_remote, with 'FIXME: pending #xxxx' where xxxx is a filed issue. Unrelated: added new helper to skip_if_remote and _if_rootless, where we check if the source message includes "remote"/"rootless" and insert it if missing. This is a minor usability enhancement to make it easier to understand at-a-glance why a skip triggers. Backported-by: Valentin Rothberg <rothberg@redhat.com> Signed-off-by: Ed Santiago <santiago@redhat.com>
* system tests: new tests for run, execEd Santiago2020-08-11
| | | | | | | | | | | | | | | | | | | | | | - Issue #6735 : problem with multiple namespaces; confirms combinations of --userns=keep-id, --privileged, --user=XX - Issue #6829 : --userns=keep-id will add a /etc/passwd entry - Issue #6593 : podman exec, with --userns=keep-id, errors (test is currently skipped because issue remains live) ...and, addendum: add new helper function, remove_same_dev_warning. Some CI systems issue a warning on podman run --privileged: WARNING: The same type, major and minor should not be used for multiple devices. We already had special-case code to ignore than in the SELinux test, but now we're seeing it in the new run tests I added, so I've refactored the "ignore this warning" code and written tests for the removal code. Signed-off-by: Ed Santiago <santiago@redhat.com>
* implement the exitcode when start a container with attachzhangguanzhang2020-08-11
| | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* Do not set host IP on ports when 0.0.0.0 requestedMatthew Heon2020-08-11
| | | | | | | | | | | | | | | | Docker and CNI have very different ideas of what 0.0.0.0 means. Docker takes it to be 0.0.0.0/0 - that is, bind to every IPv4 address on the host. CNI (and, thus, root Podman) take it to mean the literal IP 0.0.0.0. Instead, CNI interprets the empty string ("") as "bind to all IPs". We could ask CNI to change, but given this is established behavior, that's unlikely. Instead, let's just catch 0.0.0.0 and turn it into "" when we parse ports. Fixes #7014 Signed-off-by: Matthew Heon <mheon@redhat.com>
* fix bug podman sign storage pathQi Wang2020-08-11
| | | | | | | | | | - fix the bud podman not using specified --directory as signature storage. - use manifest and image referce to set repo@digest. close #6994 close #6993 Backported-by: Valentin Rothberg <rothberg@redhat.com> Signed-off-by: Qi Wang <qiwan@redhat.com>
* podman-remote send name and tagBrent Baude2020-08-11
| | | | | | | | | when loading an image with podman-remote load, we need to send a name and a tag to the endpoint Fixes: #7124 Backported-by: Valentin Rothberg <rothberg@redhat.com> Signed-off-by: Brent Baude <bbaude@redhat.com>
* Ensure that exec errors write exit codes to the DBMatthew Heon2020-08-11
| | | | | | | | | | | | | | | | | | | In local Podman, the frontend interprets the error and exit code given by the Exec API to determine the appropriate exit code to set for Podman itself; special cases like a missing executable receive special exit codes. Exec for the remote API, however, has to do this inside Libpod itself, as Libpod will be directly queried (via the Inspect API for exec sessions) to get the exit code. This was done correctly when the exec session started properly, but we did not properly handle cases where the OCI runtime fails before the exec session can properly start. Making two error returns that would otherwise not set exit code actually do so should resolve the issue. Fixes #6893 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* fix podman logs --tail when log is bigger than pagesizePaul Holzinger2020-08-11
| | | | Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* generate systemd: fix error handlingValentin Rothberg2020-08-11
| | | | | | | | | Fix a bug in the error handling which returned nil instead of an error and ultimately lead to nil dereferences in the client. To prevent future regressions, add a test and check for the error message. Fixes: #7271 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Publish IP from YAML (podman play kube)Ashley Cui2020-08-04
| | | | | | podman play kube didn't set host ip correctly from YAML Signed-off-by: Ashley Cui <acui@redhat.com>
* Disable a nonfunctional build testMatthew Heon2020-07-31
| | | | | | | The amount of drift in the system tests on v2.0 is starting to become difficult to deal with. 2.1.0 can't come soon enough. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* volumes: do not recurse when chowningGiuseppe Scrivano2020-07-31
| | | | | | | | | | | | | keep the file ownership when chowning and honor the user namespace mappings. Closes: https://github.com/containers/podman/issues/7130 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> <MH: Fixed conflicts from cherry pick> Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* add {{.RunningFor}} placeholder in ps --formatAshley Cui2020-07-31
| | | | | | For docker compatibility Signed-off-by: Ashley Cui <acui@redhat.com>
* Binding the same container port to >1 host port is OKMatthew Heon2020-07-31
| | | | | | | | | | | The initial version of the new port code mistakenly restricted this, so un-restrict it. We still need to maintain the map of container ports, unfortunately (need to verify if the port in question is a duplicate, for example). Fixes #7062 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Specifying --ipc=host --pid=host is brokenDaniel J Walsh2020-07-31
| | | | | | | | For some reason we were overwriting memory when handling both --pid=host and --ipc=host. Simplified the code to handle this correctly, and add test to make sure it does not happen again. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix building from http or '-' optionsDaniel J Walsh2020-07-31
| | | | | | | | | | | | | | When copying from a URL, podman will download and create a context directory in a temporary file. The problem was that this directory was being removed as soon as the function that created it was returned. Later the build code would look for content in the temporary directory and fail to find it, blowing up the build. By pulling the extraction code back into the build function, we keep the temporary directory around until the build completes. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* test/apiv2: add a simple events testValentin Rothberg2020-07-27
| | | | | | | Add a simple test to exercise the events API without the "filters" parameter. Prevents regressing on #7078. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Drop a nonfunctional test in test/apiv2Matthew Heon2020-07-22
| | | | | | | | | I'm somewhat reluctant to do this, but the file has diverged majorly from master, and the amount of stuff we've backported (versus not backported) makes me very hesitant to try cherry picking more from master in the hope that it will start working. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Fix handling of entrypointDaniel J Walsh2020-07-22
| | | | | | | If a user specifies an entrypoint of "" then we should not use the images entrypoint. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* fix API: Create container with an invalid configurationzhangguanzhang2020-07-22
| | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* version/info: format: allow more json variantsValentin Rothberg2020-07-22
| | | | | | | | | Allow more variants to yield json output for `podman version` and `podman info`. Instead of comparing strings, use a regex and add unit and e2e tests. Fixes: #6927 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Correctly print STDOUT on non-terminal remote execMatthew Heon2020-07-22
| | | | | | | | | | | | | | I confused STDIN and STDOUT's file descriptors (it's 0 and 1, I thought they were 1 and 0). As such, we were looking at whether we wanted to print STDIN when we looked to print STDOUT. This bool was set when `-i` was set in at the `podman exec` command line, which masked the problem when it was set. Fixes #6890 Fixes #6891 Fixes #6892 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add SystemdMode to inspect for containersMatthew Heon2020-07-22
| | | | | | | | | | | | | This allows us to determine if the container auto-detected that systemd was in use, and correctly activated systemd integration. Use this to wire up some integration tests to verify that systemd integration is working properly. Signed-off-by: Matthew Heon <matthew.heon@pm.me> <MH: Fixed Compile after cherry-pick> Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Fix lintMatthew Heon2020-07-22
| | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
* Include infra container information in `pod inspect`Matthew Heon2020-07-22
| | | | | | | | | | We had a field for this in the inspect data, but it was never being populated. Because of this, `podman pod inspect` stopped showing port bindings (and other infra container settings). Add code to populate the infra container inspect data, and add a test to ensure we don't regress again. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Fix "Error: unrecognized protocol \"TCP\" in port mapping"Akihiro Suda2020-07-22
| | | | | | | | "TCP" in upper characters was not recognized as a valid protocol name. Fix #6948 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* Error on rootless mac and ip addressesBrent Baude2020-07-22
| | | | | | | | | | | | When creating a pod or container where a static MAC or IP address is provided, we should return a proper error and exit as 125. Fixes: #6972 Signed-off-by: Brent Baude <bbaude@redhat.com> <MH: Fixed build after cherry-pick> Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* fix: system df error when an image has no namePaul Holzinger2020-07-22
| | | | | | | | | | | | | When an image has no name/tag system df will error because it tries to parse an empty name. This commit makes sure we only parse non empty names and set the repository and tag to "<none>" otherwise. Closes #7015 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* fix play kube doesn't override dockerfile ENTRYPOINTzhangguanzhang2020-07-22
| | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* Support default profile for apparmorDaniel J Walsh2020-07-22
| | | | | | | | | | | | | | Currently you can not apply an ApparmorProfile if you specify --privileged. This patch will allow both to be specified simultaniosly. By default Apparmor should be disabled if the user specifies --privileged, but if the user specifies --security apparmor:PROFILE, with --privileged, we should do both. Added e2e run_apparmor_test.go Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* events endpoint: fix panic and race conditionValentin Rothberg2020-07-21
| | | | | | | | | | | | | | | | | | | | | Fix a potential panic in the events endpoint when parsing the filters parameter. Values of the filters map might be empty, so we need to account for that instead of uncondtitionally accessing the first item. Also apply a similar for race conditions as done in commit f4a2d25c0fca: Fix a race that could cause read errors to be masked. Masking such errors is likely to report red herrings since users don't see that reading failed for some reasons but that a given event could not be found. Another race was the handler closing event channel, which could lead to two kinds of panics: double close, send to close channel. The backend takes care of that. However, make sure that the backend stops working in case the context has been cancelled. Fixes: #6899 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Fix a bug where --pids-limit was parsed incorrectlyMatthew Heon2020-07-15
| | | | | | | | | | | | | | The --pids-limit flag was using strconv.ParseInt with bad arguments, resulting in it being unable to parse standard integers (1024, for example, would produce an 'out of range' error). Change the arguments to make sense (base 10, max 32-bit) and add a test to ensure we don't regress again. Fixes #6908 Signed-off-by: Matthew Heon <mheon@redhat.com>
* search: allow wildcardsValentin Rothberg2020-07-15
| | | | | | | | | | | | | | | | | | | Allow wildcards in the search term. Note that not all registries support wildcards and it may only work with v1 registries. Note that searching implies figuring out if the specified search term includes a registry. If there's not registry detected, the search term will be used against all configured "unqualified-serach-registries" in the registries.conf. The parsing logic considers a registry to be the substring before the first slash `/`. With these changes we now not only support wildcards but arbitrary input; ultimately it's up to the registries to decide whether they support given input or not. Fixes: bugzilla.redhat.com/show_bug.cgi?id=1846629 Cherry-pick-of: commit b05888a97dbb Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Fix systemd pid 1 testBrent Baude2020-07-15
| | | | | | | | | | fedora removed the systemd package from its standard container image causing our systemd pid1 test to fail. Replacing usage of fedora to ubi-init. adding ubi images to the cache for local tests. also, remove installation of test/policy.json to the system wide /etc/containers Signed-off-by: Brent Baude <bbaude@redhat.com>
* Fix bug where `podman mount` didn't error as rootlessMatthew Heon2020-07-06
| | | | | | | | | | | | | | | | | | We require that rootless `podman mount` be run inside a shell spawned by `podman unshare` (which gives us a mount namespace which actually lets other commands use the mounted filesystem). The fix is simple - we need to mark the command as requiring the rootless user namespace not be configured, so we can test for it later as part of the mount code and error if we needed to make one. Disable rootless tests as part of this - they were never expected to work. Fixes #6856 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Allow empty host port in --publish flagMatthew Heon2020-07-06
| | | | | | | | | | | | | | | | | I didn't believe that this was actually legal, but it looks like it is. And, unlike our previous understanding (host port being empty means just use container port), empty host port actually carries the same meaning as `--expose` + `--publish-all` (that is, assign a random host port to the given container port). This requires a significant rework of our port handling code to handle this new case. I don't foresee this being commonly used, so I optimized having a fixed port number as fast path, which this random assignment code running after the main port handling code only if necessary. Fixes #6806 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* test: add tests for --user and volumesValentin Rothberg2020-07-06
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>