path: root/test
Commit message  Author  Age
* podman unshare: add --rootless-cni to join the ns  Paul Holzinger  2021-04-07
    Add a new --rootless-cni option to podman unshare to also join the rootless-cni network namespace. This is useful if you want to connect to a rootless container via IP address. This is only possible from the rootless-cni namespace and not from the host namespace. This option also helps to debug problems in the rootless-cni namespace.
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #9955 from edsantiago/bats  OpenShift Merge Robot  2021-04-07
    System tests: special case for RHEL: require runc
| * System tests: special case for RHEL: require runc  Ed Santiago  2021-04-06
    As discussed in watercooler 2021-04-06: make sure that RHEL8 and CentOS are using runc. Using crun is probably a packaging error that should be caught early.
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Fix flaking rootless compose test  Paul Holzinger  2021-04-07
    The compose port test is flaking with an empty curl result. The curl retry does not work properly. Given the tests never expect an empty result, let's just wait one second and retry again. Unfortunately there is no way for me to actually verify if this will fix the flake.
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | rootless cni add /usr/sbin to PATH if not present  Paul Holzinger  2021-04-06
    The CNI plugins need access to iptables in $PATH. On debian /usr/sbin is not added to $PATH for rootless users. This will break rootless cni completely. To prevent breaking existing users add /usr/sbin to $PATH in podman if needed.
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #9754 from mheon/add_dep  OpenShift Merge Robot  2021-04-06
    Add --requires flag to podman run/create
| * Add --requires flag to podman run/create  Matthew Heon  2021-04-06
    Podman has, for a long time, had an internal concept of dependency management, used mainly to ensure that pod infra containers are started before any other container in the pod. We also have the ability to recursively start these dependencies, which we use to ensure that `podman start` on a container in a pod will not fail because the infra container is stopped. We have not, however, exposed these via the command line until now. Add a `--requires` flag to `podman run` and `podman create` to allow users to manually specify dependency containers. These containers must be running before the container will start. Also, make recursive starting with `podman start` default so we can start these containers and their dependencies easily.
    Fixes #9250
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #9942 from mheon/fix_9919  OpenShift Merge Robot  2021-04-06
    Ensure that `--userns=keep-id` sets user in config
| * | Ensure that `--userns=keep-id` sets user in config  Matthew Heon  2021-04-06
    One of the side-effects of the `--userns=keep-id` command is switching the default user of the container to the UID of the user running Podman (though this can still be overridden by the `--user` flag). However, it did this by setting the UID and GID in the OCI spec, and not by informing Libpod of its intention to switch users via the `WithUser()` option. Because of this, a lot of the code that should have triggered when the container ran with a non-root user was not triggering. In the case of the issue that this fixed, the code to remove capabilities from non-root users was not triggering. Adjust the keep-id code to properly inform Libpod of our intention to use a non-root user to fix this. Also, fix an annoying race around short-running exec sessions where Podman would always print a warning that the exec session had already stopped.
    Fixes #9919
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #9933 from jmguzik/network-prune-with-until-tests  OpenShift Merge Robot  2021-04-05
    Http api tests for network prune with until filter
| * | | Http api tests for network prune with until filter  Jakub Guzik  2021-04-04
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | | | Merge pull request #9940 from rhatdan/auth  OpenShift Merge Robot  2021-04-05
    Verify existence of auth file if specified
| * | | | Verify existence of auth file if specified  Daniel J Walsh  2021-04-05
    Fixes: https://github.com/containers/podman/issues/9572
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | Merge pull request #9911 from rhatdan/storage  OpenShift Merge Robot  2021-04-05
    Allow users to override default storage opts with --storage-opt
| * | | | | Allow users to override default storage opts with --storage-opt  Daniel J Walsh  2021-04-05
    We define in the man page that this overrides the default storage options, but the code was appending to the existing options. This PR also makes a change to allow users to specify --storage-opt="". This will turn off all storage options.
    https://github.com/containers/podman/issues/9852
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | Merge pull request #9907 from rhatdan/options  OpenShift Merge Robot  2021-04-05
    Add support for podman --context default
| * | | | | Add support for podman --context default  Daniel J Walsh  2021-04-05
    This is a noop but helps with scripting and docker-compose.
    Fixes: https://github.com/containers/podman/issues/9806
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / / / / Don't relabel volumes if running in a privileged container  Daniel J Walsh  2021-04-05
    Docker does not relabel this content, and openstack is running containers in this manner. There is a penalty for doing this on each container, that is not worth taking on a disabled SELinux container.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #9423 from Luap99/rootless-cni-no-infra  OpenShift Merge Robot  2021-04-05
    rootless cni without infra container
| * | | Add new docker-compose test for two networks  Paul Holzinger  2021-04-01
    Also fix the tests so we can use the podman function with the output.
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * | | Make the docker-compose test work rootless  Paul Holzinger  2021-04-01
    Make sure the DOCKER_SOCK location is accessible by the user when run rootless. Also set the DOCKER_HOST env var to ensure docker-compose will use the non default location. Cleanup steps such as `rm` or `umount` must be run inside podman unshare otherwise they can fail due to missing privileges. Change the curl test to use --retry-all-errors otherwise the tests will flake. The web server inside the container will return http code 500 sometimes, most likely because it is not fully ready to accept connections. With --retry-all-errors curl will retry instead of failing and thus the test will work.
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * | | Fix dnsname test  Paul Holzinger  2021-04-01
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * | | Enable rootless network connect/disconnect  Paul Holzinger  2021-04-01
    With the new rootless cni supporting network connect/disconnect is easy. Combine common steps into extra functions to prevent code duplication.
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * | | Add rootless support for cni and --uidmap  Paul Holzinger  2021-04-01
    This is supported with the new rootless cni logic.
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * | | rootless cni without infra container  Paul Holzinger  2021-04-01
    Instead of creating an extra container create a network and mount namespace inside the podman user namespace. This ns is used for rootless cni operations. This helps to align the rootless and rootful network code path. If we run as rootless we just have to set up an extra net ns and initialize slirp4netns in it. The ocicni lib will be called in that net ns. This design allows easier maintenance, no extra container with pause processes, support for rootless cni with --uidmap and possibly more. The biggest problem is backwards compatibility. I don't think live migration can be possible. If the user reboots or restarts all cni containers everything should work as expected again. The user is left with the rootless-cni-infra container and image but this can safely be removed. To make the existing cni configs work we need to execute the cni plugins in an extra mount namespace. This ensures that we can safely mount over /run and /var which have to be writeable for the cni plugins without removing access to these files by the main podman process. One caveat is that we need to keep the netns files at `XDG_RUNTIME_DIR/netns` accessible. `XDG_RUNTIME_DIR/rootless-cni/{run,var}` will be mounted to `/{run,var}`. To ensure that we keep the netns directory we bind mount this relative to the new root location, e.g. XDG_RUNTIME_DIR/rootless-cni/run/user/1000/netns before we mount the run directory. The run directory is mounted recursive, this makes the netns directory at the same path accessible as before. This also allows iptables-legacy to work because /run/xtables.lock is now writeable.
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #9928 from pendulm/fix_rootless_socket_activation  OpenShift Merge Robot  2021-04-05
    Fix rootless socket activation
| * | | Move socket activation check into init() and set global condition.  pendulm  2021-04-05
    So rootless setup could use this condition in parent and child, child podman should adjust LISTEN_PID to its self PID. Add system test for systemd socket activation
    Signed-off-by: pendulm <lonependulm@gmail.com>
* / / Fix missing podman-remote build options  Daniel J Walsh  2021-04-02
    Fix handling of SecurityOpts LabelOpts SeccompProfilePath ApparmorProfile
    Fix Ulimits
    Fixes: https://github.com/containers/podman/issues/9869
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Fix handling of remove --log-rusage param  Daniel J Walsh  2021-03-31
    Fixes: https://github.com/containers/podman/issues/9889
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #9892 from jwhonce/wip/top  OpenShift Merge Robot  2021-03-30
    Trim white space from /top endpoint results
| * | Trim white space from /top endpoint results  Jhon Honce  2021-03-30
    Versions of the ps command have additional spaces between fields, this manifests as the container asking to run "top" and API reporting "top " as a process. Endpoint and tests updated to check that "top" is reported. There is no libpod specialized endpoint to update.
    Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | Merge pull request #9863 from jmguzik/fix-prune-filter-funcs  OpenShift Merge Robot  2021-03-30
    Containers prune endpoint should use only prune filters
| * Containers prune endpoint should use only prune filters  Jakub Guzik  2021-03-30
    Containers endpoints for HTTP compat and libpod APIs allowed usage of list HTTP endpoint filter funcs. Documentation in case of libpod and compat API does not allow that. This commit aligns code with the documentation.
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | APIv2 basic test: relax APIVersion check  Ed Santiago  2021-03-29
    It is tedious and error-prone to update the 'APIVersion=<exact>' test every time there's a minor bump. Change the test so it confirms only the major version.
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #9795 from mheon/bump_320_dev  OpenShift Merge Robot  2021-03-29
    Bump to v3.2.0-dev
| * | Bump to v3.2.0-dev  Matthew Heon  2021-03-29
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #9842 from AlbanBedel/play-kube-env-from-secrets  OpenShift Merge Robot  2021-03-29
    Add support for env from secrets in play kube
| * | | play kube: add support for env vars defined from secrets  Alban Bedel  2021-03-28
    Add support for secretRef and secretKeyRef to allow env vars to be set from a secret. As K8S secrets are dictionaries the secret value must be a JSON dictionary compatible with the data field of a K8S secret object. The keys must consist of alphanumeric characters, '-', '_' or '.', and the values must be base64 encoded strings.
    Signed-off-by: Alban Bedel <albeu@free.fr>
| * | | play kube: support optional/mandatory env var from config map  Alban Bedel  2021-03-28
    In K8S the pod creation fails if an env var references a non-existing config map key. It can be marked as optional, but per default it is mandatory. Podman on the other hand always treats such references as optional. Rework envVarsFrom() and envVarValue() to additionally return an error and add support for the optional attribute in configMapRef and configMapKeyRef.
    Signed-off-by: Alban Bedel <albeu@free.fr>
* | | | Merge pull request #9862 from edsantiago/bud_reenable_pull_never  OpenShift Merge Robot  2021-03-29
    buildah-bud tests: reenable pull-never test
| * | | buildah-bud tests: reenable pull-never test  Ed Santiago  2021-03-29
    Issue #9573 (podman build --pull-never is a NOP) is fixed. Remove the 'skip' in the buildah-bud pull-never test.
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | Merge pull request #9857 from edsantiago/bats  OpenShift Merge Robot  2021-03-29
    system tests: friendlier messages for 2-arg is()
| * | | system tests: friendlier messages for 2-arg is()  Ed Santiago  2021-03-29
    The 'is' check was intended to be called with three arguments, the last one being a nice helpful test name. There's a fallback for two-argument calls, but it was a horrible FIXME. New fallback: the most recently run podman command. We keep track of it in each run_podman() invocation. This is not ideal, because it's theoretically possible to invoke 'is' on something other than the output of run_podman, but this at least fixes the by-far-most-common case.
    [NO TESTS NEEDED]
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | Merge pull request #9631 from rhatdan/pull  OpenShift Merge Robot  2021-03-29
    Fix podman build --pull-never
| * | | Fix podman build --pull-never  Daniel J Walsh  2021-03-27
    Currently pull policy is set incorrectly when users set --pull-never. Also pull-policy is not being translated correctly when using podman-remote.
    Fixes: #9573
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #9838 from xordspar0/kubeVolumeErrors  OpenShift Merge Robot  2021-03-28
    Add problematic volume name to kube play error messages
| * | | Add problematic volume name to kube play error messages  Jordan Christiansen  2021-03-27
    When kube play fails to create a volume, it should say which volume had the problem so the user doesn't have to guess. For the following pod spec:
        apiVersion: v1
        kind: Pod
        metadata:
          name: mypod
        spec:
          containers:
            - name: myfrontend
              image: nginx
              volumeMounts:
                - mountPath: "/var/www/html"
                  name: mypd
          volumes:
            - name: mypd
              hostPath:
                path: /var/blah
    podman will now report:
        Error: failed to create volume "mypd": error in parsing HostPath in YAML: error checking path "/var/blah": stat /var/blah: no such file or directory
    Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
* | | Merge pull request #9822 from jmguzik/fix-pods-list-filters-http-api  OpenShift Merge Robot  2021-03-27
    Fix list pods filter handling in libpod api
| * | Fix list pods filter handling in libpod api  Jakub Guzik  2021-03-26
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | | Merge pull request #9833 from rhatdan/resize  OpenShift Merge Robot  2021-03-27
    Remove resize race condition