path: root/test
Commit message (Author, Age)
* System tests: new system-df and passwd tests (Ed Santiago, 2020-07-30)
| - New test for #6991 - passwd file is writable even when run with --userns=keep-id
| - Enable another keep-id test, commented out due to #6593
| - New test for podman system df
| Also, independently, removed this line:
|     apt-get -y upgrade conmon
| ...because it's causing CI failures, probably because of the boothole CVE, probably because the Ubuntu grub update was rushed out. I believe it is safe to remove this, because both Ubuntu 19 and 20 report:
|     conmon is already the newest version (2.0.18~1).
| Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #7074 from mheon/multi_ctrport_ok (OpenShift Merge Robot, 2020-07-29)
|\
| | Binding the same container port to >1 host port is OK
| * Binding the same container port to >1 host port is OK (Matthew Heon, 2020-07-29)
| | The initial version of the new port code mistakenly restricted this, so un-restrict it. We still need to maintain the map of container ports, unfortunately (need to verify if the port in question is a duplicate, for example).
| | Fixes #7062
| | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #6991 from mheon/change_passwd_ondisk (OpenShift Merge Robot, 2020-07-29)
|\ \
| | | Make changes to /etc/passwd on disk for non-read only
| * | Make changes to /etc/passwd on disk for non-read only (Matthew Heon, 2020-07-23)
| | | Bind-mounting /etc/passwd into the container is problematic because of how system utilities like `useradd` work. They want to make a copy and then rename to try to prevent breakage; this is, unfortunately, impossible when the file they want to rename is a bind mount. The current behavior is fine for read-only containers, though, because we expect useradd to fail in those cases. Instead of bind-mounting, we can edit /etc/passwd in the container's rootfs. This is kind of gross, because the change will show up in `podman diff` and similar tools, and will be included in images made by `podman commit`. However, it's a lot better than breaking important system tools.
| | | Fixes #6953
| | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #7121 from rhatdan/build (OpenShift Merge Robot, 2020-07-29)
|\ \ \
| | | | Fix building from http or '-' options
| * | | Fix building from http or '-' options (Daniel J Walsh, 2020-07-28)
| | |/
| |/|
| | | When copying from a URL, podman will download and create a context directory in a temporary file. The problem was that this directory was being removed as soon as the function that created it was returned. Later the build code would look for content in the temporary directory and fail to find it, blowing up the build. By pulling the extraction code back into the build function, we keep the temporary directory around until the build completes.
| | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #6851 from rhatdan/mount (OpenShift Merge Robot, 2020-07-29)
|\ \ \
| | | | Add podman image mount
| * | | Add podman image mount (Daniel J Walsh, 2020-07-28)
| |/ /
| | | There are many use cases where you want to just mount an image without creating a container on it. For example you might want to just examine the content in an image after you pull it for security analysis. Or you might want to just use the executables on the image without running it in a container. The image is mounted readonly since we do not want people changing images.
| | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #7109 from rhatdan/ipc (OpenShift Merge Robot, 2020-07-28)
|\ \ \
| | | | Specifying --ipc=host --pid=host is broken
| * | | Specifying --ipc=host --pid=host is broken (Daniel J Walsh, 2020-07-28)
| |/ /
| | | For some reason we were overwriting memory when handling both --pid=host and --ipc=host. Simplified the code to handle this correctly, and add test to make sure it does not happen again.
| | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / / System tests: add environment, volume tests (Ed Santiago, 2020-07-28)
|/ /
| | Tests for #7094, in which symlinks in a volume would cause chown errors and nonrunnable containers.
| | Tests for environment variable precedence, now include --env-host and proxy settings
| | Fix a bug caught by covscan in helpers.t ('source' path would fail if path included spaces).
| | Fix podman-run man page: it was incorrect in stating precedence between in-image environment and --env-host.
| | Fixes: #7099
| | Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Switch all references to github.com/containers/libpod -> podman (Daniel J Walsh, 2020-07-28)
| | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Cleanup handling of podman mount/unmount (Daniel J Walsh, 2020-07-27)
| | We should default to the user name unmount rather than the internal name of umount. Also User namespace was not being handled correctly. We want to inform the user that if they do a mount when in rootless mode that they have to be first in the podman unshare state.
| | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | test/apiv2: add a simple events test (Valentin Rothberg, 2020-07-27)
| | Add a simple test to exercise the events API without the "filters" parameter. Prevents regressing on #7078.
| | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | [WIP] Refactor podman system connection (Jhon Honce, 2020-07-22)
| | * Add support to manage multiple connections
| | * Add connection
| | * Remove connection
| | * Rename connection
| | * Set connection as default
| | * Add markdown/man pages
| | * Fix recursion in hack/xref-helpmsgs-manpages
| | Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | Merge pull request #7053 from ashley-cui/kubeip (OpenShift Merge Robot, 2020-07-22)
|\ \
| | | Publish IP from YAML (podman play kube)
| * | Publish IP from YAML (podman play kube) (Ashley Cui, 2020-07-22)
| | | podman play kube didn't set host ip correctly from YAML
| | | Signed-off-by: Ashley Cui <acui@redhat.com>
* | | Merge pull request #7048 from rhatdan/remotetest (OpenShift Merge Robot, 2020-07-22)
|\ \ \
| | | | Turn on a bunch more remote tests
| * | | Turn on a bunch more remote tests (Daniel J Walsh, 2020-07-22)
| |/ /
| | | We need to be more specific about the remote tests we turn off.
| | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #7047 from edsantiago/ci_login_flake_fix (OpenShift Merge Robot, 2020-07-22)
|\ \ \
| |/ /
|/| | CI: attempt to fix flake in login test
| * | CI: attempt to fix flake in login test (Ed Santiago, 2020-07-22)
| | | Fixes: #5212 ...or at least I hope it does. The symptom seems to be that INTEGRATION_ROOT is not being defined in some code flows. This PR blindly implements a suggestion from Miloslav, setting INTEGRATION_ROOT in one more place. We won't actually know for a long time if this works or not, because the test failure is a flake.
| | | Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | Merge pull request #6992 from rhatdan/apparmor (OpenShift Merge Robot, 2020-07-22)
|\ \ \
| |/ /
|/| | Support default profile for apparmor
| * | Support default profile for apparmor (Daniel J Walsh, 2020-07-22)
| | | Currently you can not apply an ApparmorProfile if you specify --privileged. This patch will allow both to be specified simultaneously. By default Apparmor should be disabled if the user specifies --privileged, but if the user specifies --security apparmor:PROFILE, with --privileged, we should do both.
| | | Added e2e run_apparmor_test.go
| | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #7044 from rhatdan/remotetest (OpenShift Merge Robot, 2020-07-22)
|\ \ \
| |/ /
|/| | Enable a bunch of remote tests
| * | Enable a bunch of remote tests (Daniel J Walsh, 2020-07-21)
| | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #7006 from ashley-cui/umask (OpenShift Merge Robot, 2020-07-22)
|\ \ \
| | | | Add --umask flag for create, run
| * | | Add --umask flag for create, run (Ashley Cui, 2020-07-21)
| | | | --umask sets the umask inside the container
| | | | Defaults to 0022
| | | | Co-authored-by: Daniel J Walsh <dwalsh@redhat.com>
| | | | Signed-off-by: Ashley Cui <acui@redhat.com>
* | | | fix play kube doesn't override dockerfile ENTRYPOINT (zhangguanzhang, 2020-07-22)
| |/ /
|/| |
| | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | Merge pull request #7037 from edsantiago/bats (OpenShift Merge Robot, 2020-07-21)
|\ \ \
| | | | BATS help-message test: improve diagnostics
| * | | BATS help-message test: improve diagnostics (Ed Santiago, 2020-07-21)
| |/ /
| | | The error messages from the 'podman xxx --help' cross-check test are unhelpful, and cause much wasted time when they trigger. Solution: instead of using the built-in exit-status check in run_podman, do an explicit check outside of run_podman. This lets us die() with a custom, hopefully useful, message.
| | | Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | Merge pull request #6902 from vrothberg/events-endpoint (OpenShift Merge Robot, 2020-07-21)
|\ \ \
| |/ /
|/| | events endpoint: fix panic and race condition
| * | events endpoint: fix panic and race condition (Valentin Rothberg, 2020-07-20)
| | | Fix a potential panic in the events endpoint when parsing the filters parameter. Values of the filters map might be empty, so we need to account for that instead of unconditionally accessing the first item. Also apply a similar for race conditions as done in commit f4a2d25c0fca: Fix a race that could cause read errors to be masked. Masking such errors is likely to report red herrings since users don't see that reading failed for some reasons but that a given event could not be found. Another race was the handler closing event channel, which could lead to two kinds of panics: double close, send to close channel. The backend takes care of that. However, make sure that the backend stops working in case the context has been cancelled.
| | | Fixes: #6899
| | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #7026 from edsantiago/bats_majorminor_warning_fix (OpenShift Merge Robot, 2020-07-21)
|\ \ \
| | | | BATS tests: more resilient remove_same_dev_warning
| * | | BATS tests: more resilient remove_same_dev_warning (Ed Santiago, 2020-07-20)
| | | | Some CI tests are flaking in the SELinux test, possibly because there's a new variation of the "multiple devices" warning I hadn't seen before:
| | | |     WARNING: Creating device "/dev/null" with same type, major and minor as existing "/dev/foodevdir/null".
| | | | Solution: in remove_same_dev_warning(), remove "multiple" from the match string. Also: fix a Go test that wasn't cleaning up after itself. And add an actual test to it, not just check-exit-status.
| | | | Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | Merge pull request #6895 from QiWang19/pr-3457 (OpenShift Merge Robot, 2020-07-20)
|\ \ \ \
| | | | | Add support for overlay volume mounts in podman.
| * | | | Add support for overlay volume mounts in podman. (Qi Wang, 2020-07-20)
| |/ / /
| | | | Add support -v for overlay volume mounts in podman.
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* / / / Re-enable a generate kube test that failed on Ubuntu (Matthew Heon, 2020-07-20)
|/ / /
| | | The fix was a new runc version, which we may have sucked in.
| | | Fixes #6506
| | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* / / fix: system df error when an image has no name (Paul Holzinger, 2020-07-19)
|/ /
| | When an image has no name/tag system df will error because it tries to parse an empty name. This commit makes sure we only parse non empty names and set the repository and tag to "<none>" otherwise.
| | Closes #7015
| | Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #6965 from giuseppe/followup-pr6324 (OpenShift Merge Robot, 2020-07-17)
|\ \
| | | allow switching of port-forward approaches in rootless/using slirp4netns
| * | network, slirp4netns: add option to allow host loopback (Giuseppe Scrivano, 2020-07-16)
| | | Closes: https://github.com/containers/podman/issues/6912
| | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | libpod: pass down network options (Giuseppe Scrivano, 2020-07-16)
| | | do not pass network specific options through the network namespace.
| | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #6975 from baude/rootlessIPMAC (OpenShift Merge Robot, 2020-07-15)
|\ \ \
| |_|/
|/| | Error on rootless mac and ip addresses
| * | Error on rootless mac and ip addresses (Brent Baude, 2020-07-15)
| | | When creating a pod or container where a static MAC or IP address is provided, we should return a proper error and exit as 125.
| | | Fixes: #6972
| | | Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | Merge pull request #6979 from edsantiago/bats_masked_dirs (OpenShift Merge Robot, 2020-07-15)
|\ \ \
| | | | system tests: check for masked-device leaks
| * | | system tests: check for masked-device leaks (Ed Santiago, 2020-07-14)
| | |/
| |/|
| | | PR #6957 added a new path (/sys/devs) to an existing list of masked mount points which an unprivileged container should not be able to access. Here we add a test for those: run 'stat' on those devices in the container, and make sure that they are dummies. This is kind of kludgy, and relies on heuristics that may not be 100% accurate. It also adds duplication, a list that must be kept in sync with the original list in pkg/specgen/generate/config_linux.go. I'd love to hear suggestions on how to do it better.
| | | Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | Merge pull request #6958 from edsantiago/bats (OpenShift Merge Robot, 2020-07-15)
|\ \ \
| |_|/
|/| | system tests: new tests for run, exec
| * | system tests: new tests for run, exec (Ed Santiago, 2020-07-14)
| |/
| | - Issue #6735 : problem with multiple namespaces; confirms combinations of --userns=keep-id, --privileged, --user=XX
| | - Issue #6829 : --userns=keep-id will add a /etc/passwd entry
| | - Issue #6593 : podman exec, with --userns=keep-id, errors (test is currently skipped because issue remains live)
| | ...and, addendum: add new helper function, remove_same_dev_warning. Some CI systems issue a warning on podman run --privileged:
| |     WARNING: The same type, major and minor should not be used for multiple devices.
| | We already had special-case code to ignore that in the SELinux test, but now we're seeing it in the new run tests I added, so I've refactored the "ignore this warning" code and written tests for the removal code.
| | Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #6949 from AkihiroSuda/fix-6948 (OpenShift Merge Robot, 2020-07-15)
|\ \
| | | Fix "Error: unrecognized protocol \"TCP\" in port mapping"
| * | Fix "Error: unrecognized protocol \"TCP\" in port mapping" (Akihiro Suda, 2020-07-15)
| |/
| | "TCP" in upper characters was not recognized as a valid protocol name.
| | Fix #6948
| | Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>