path: root/test
Commit message (Author, Age)
* Ensure that `--userns=keep-id` sets user in config  (Matthew Heon, 2021-04-06)
    One of the side-effects of the `--userns=keep-id` command is switching the default user of the container to the UID of the user running Podman (though this can still be overridden by the `--user` flag). However, it did this by setting the UID and GID in the OCI spec, and not by informing Libpod of its intention to switch users via the `WithUser()` option. Because of this, a lot of the code that should have triggered when the container ran with a non-root user was not triggering. In the case of the issue that this fixed, the code to remove capabilities from non-root users was not triggering. Adjust the keep-id code to properly inform Libpod of our intention to use a non-root user to fix this.
    Also, fix an annoying race around short-running exec sessions where Podman would always print a warning that the exec session had already stopped.
    Fixes #9919
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #9423 from Luap99/rootless-cni-no-infra  (OpenShift Merge Robot, 2021-04-05)
    rootless cni without infra container
| * Add new docker-compose test for two networks  (Paul Holzinger, 2021-04-01)
    Also fix the tests so we can use the podman function with the output.
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * Make the docker-compose test work rootless  (Paul Holzinger, 2021-04-01)
    Make sure the DOCKER_SOCK location is accessible by the user when run rootless. Also set the DOCKER_HOST env var to ensure docker-compose will use the non default location.
    Cleanup steps such as `rm` or `umount` must be run inside podman unshare otherwise they can fail due to missing privileges.
    Change the curl test to use --retry-all-errors otherwise the tests will flake. The web server inside the container will return http code 500 sometimes, most likely because it is not fully ready to accept connections. With --retry-all-errors curl will retry instead of failing and thus the test will work.
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * Fix dnsname test  (Paul Holzinger, 2021-04-01)
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * Enable rootless network connect/disconnect  (Paul Holzinger, 2021-04-01)
    With the new rootless cni supporting network connect/disconnect is easy. Combine common steps into extra functions to prevent code duplication.
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * Add rootless support for cni and --uidmap  (Paul Holzinger, 2021-04-01)
    This is supported with the new rootless cni logic.
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * rootless cni without infra container  (Paul Holzinger, 2021-04-01)
    Instead of creating an extra container create a network and mount namespace inside the podman user namespace. This ns is used for rootless cni operations. This helps to align the rootless and rootful network code path. If we run as rootless we just have to set up an extra net ns and initialize slirp4netns in it. The ocicni lib will be called in that net ns. This design allows easier maintenance, no extra container with pause processes, support for rootless cni with --uidmap and possibly more.
    The biggest problem is backwards compatibility. I don't think live migration can be possible. If the user reboots or restarts all cni containers everything should work as expected again. The user is left with the rootless-cni-infra container and image but this can safely be removed.
    To make the existing cni configs work we need to execute the cni plugins in an extra mount namespace. This ensures that we can safely mount over /run and /var which have to be writeable for the cni plugins without removing access to these files by the main podman process. One caveat is that we need to keep the netns files at `XDG_RUNTIME_DIR/netns` accessible. `XDG_RUNTIME_DIR/rootless-cni/{run,var}` will be mounted to `/{run,var}`. To ensure that we keep the netns directory we bind mount this relative to the new root location, e.g. XDG_RUNTIME_DIR/rootless-cni/run/user/1000/netns before we mount the run directory. The run directory is mounted recursive, this makes the netns directory at the same path accessible as before. This also allows iptables-legacy to work because /run/xtables.lock is now writeable.
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #9928 from pendulm/fix_rootless_socket_activation  (OpenShift Merge Robot, 2021-04-05)
    Fix rootless socket activation
| * | Move socket activation check into init() and set global condition.  (pendulm, 2021-04-05)
    So rootless setup could use this condition in parent and child, child podman should adjust LISTEN_PID to its own PID.
    Add system test for systemd socket activation
    Signed-off-by: pendulm <lonependulm@gmail.com>
* / Fix missing podman-remote build options  (Daniel J Walsh, 2021-04-02)
    Fix handling of SecurityOpts
      LabelOpts
      SeccompProfilePath
      ApparmorProfile
    Fix Ulimits
    Fixes: https://github.com/containers/podman/issues/9869
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix handling of remove --log-rusage param  (Daniel J Walsh, 2021-03-31)
    Fixes: https://github.com/containers/podman/issues/9889
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9892 from jwhonce/wip/top  (OpenShift Merge Robot, 2021-03-30)
    Trim white space from /top endpoint results
| * Trim white space from /top endpoint results  (Jhon Honce, 2021-03-30)
    Versions of the ps command have additional spaces between fields, this manifests as the container asking to run "top" and API reporting "top " as a process.
    Endpoint and tests updated to check that "top" is reported. There is no libpod specialized endpoint to update.
    Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | Merge pull request #9863 from jmguzik/fix-prune-filter-funcs  (OpenShift Merge Robot, 2021-03-30)
    Containers prune endpoint should use only prune filters
| * Containers prune endpoint should use only prune filters  (Jakub Guzik, 2021-03-30)
    Containers endpoints for HTTP compat and libpod APIs allowed usage of list HTTP endpoint filter funcs. Documentation in case of libpod and compat API does not allow that. This commit aligns code with the documentation.
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | APIv2 basic test: relax APIVersion check  (Ed Santiago, 2021-03-29)
    It is tedious and error-prone to update the 'APIVersion=<exact>' test every time there's a minor bump. Change the test so it confirms only the major version.
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #9795 from mheon/bump_320_dev  (OpenShift Merge Robot, 2021-03-29)
    Bump to v3.2.0-dev
| * | Bump to v3.2.0-dev  (Matthew Heon, 2021-03-29)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #9842 from AlbanBedel/play-kube-env-from-secrets  (OpenShift Merge Robot, 2021-03-29)
    Add support for env from secrets in play kube
| * | | play kube: add support for env vars defined from secrets  (Alban Bedel, 2021-03-28)
    Add support for secretRef and secretKeyRef to allow env vars to be set from a secret. As K8S secrets are dictionaries the secret value must be a JSON dictionary compatible with the data field of a K8S secret object. The keys must consist of alphanumeric characters, '-', '_' or '.', and the values must be base64 encoded strings.
    Signed-off-by: Alban Bedel <albeu@free.fr>
| * | | play kube: support optional/mandatory env var from config map  (Alban Bedel, 2021-03-28)
    In K8S the pod creation fails if an env var references a non-existing config map key. It can be marked as optional, but per default it is mandatory. Podman on the other hand always treats such references as optional.
    Rework envVarsFrom() and envVarValue() to additionally return an error and add support for the optional attribute in configMapRef and configMapKeyRef.
    Signed-off-by: Alban Bedel <albeu@free.fr>
* | | | Merge pull request #9862 from edsantiago/bud_reenable_pull_never  (OpenShift Merge Robot, 2021-03-29)
    buildah-bud tests: reenable pull-never test
| * | | buildah-bud tests: reenable pull-never test  (Ed Santiago, 2021-03-29)
    Issue #9573 (podman build --pull-never is a NOP) is fixed. Remove the 'skip' in the buildah-bud pull-never test.
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | Merge pull request #9857 from edsantiago/bats  (OpenShift Merge Robot, 2021-03-29)
    system tests: friendlier messages for 2-arg is()
| * | | system tests: friendlier messages for 2-arg is()  (Ed Santiago, 2021-03-29)
    The 'is' check was intended to be called with three arguments, the last one being a nice helpful test name. There's a fallback for two-argument calls, but it was a horrible FIXME.
    New fallback: the most recently run podman command. We keep track of it in each run_podman() invocation. This is not ideal, because it's theoretically possible to invoke 'is' on something other than the output of run_podman, but this at least fixes the by-far-most-common case.
    [NO TESTS NEEDED]
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | Merge pull request #9631 from rhatdan/pull  (OpenShift Merge Robot, 2021-03-29)
    Fix podman build --pull-never
| * | | Fix podman build --pull-never  (Daniel J Walsh, 2021-03-27)
    Currently pull policy is set incorrectly when users set --pull-never. Also pull-policy is not being translated correctly when using podman-remote.
    Fixes: #9573
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #9838 from xordspar0/kubeVolumeErrors  (OpenShift Merge Robot, 2021-03-28)
    Add problematic volume name to kube play error messages
| * | | Add problematic volume name to kube play error messages  (Jordan Christiansen, 2021-03-27)
    When kube play fails to create a volume, it should say which volume had the problem so the user doesn't have to guess. For the following pod spec:

        apiVersion: v1
        kind: Pod
        metadata:
          name: mypod
        spec:
          containers:
          - name: myfrontend
            image: nginx
            volumeMounts:
            - mountPath: "/var/www/html"
              name: mypd
          volumes:
          - name: mypd
            hostPath:
              path: /var/blah

    podman will now report:

        Error: failed to create volume "mypd": error in parsing HostPath in YAML: error checking path "/var/blah": stat /var/blah: no such file or directory

    Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
* | | Merge pull request #9822 from jmguzik/fix-pods-list-filters-http-api  (OpenShift Merge Robot, 2021-03-27)
    Fix list pods filter handling in libpod api
| * | Fix list pods filter handling in libpod api  (Jakub Guzik, 2021-03-26)
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | | Merge pull request #9833 from rhatdan/resize  (OpenShift Merge Robot, 2021-03-27)
    Remove resize race condition
| * | | Remove resize race condition  (Daniel J Walsh, 2021-03-26)
    Since podman-remote resize requests can come in at random times, this generates a real potential for race conditions. We should only be attempting to resize TTY on running containers, but the containers can go from running to stopped at any time, and returning an error to the caller is just causing noise.
    This change will basically ignore requests to resize terminals if the container is not running and return the caller to success. All other callers will still return failure.
    Fixes: https://github.com/containers/podman/issues/9831
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | [NO TESTS NEEDED] Vendor in containers/buildah v1.20.0  (Daniel J Walsh, 2021-03-26)
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Fix swapped dimensions from terminal.GetSize  (Anders F Björklund, 2021-03-26)
    Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* | | Merge pull request #9810 from jmguzik/fix-impages-filter-http-api  (OpenShift Merge Robot, 2021-03-25)
    Fix filters list/prune in image http compat/libpod api endpoints
| * | | Fix filters in image http compat/libpod api endpoints  (Jakub Guzik, 2021-03-25)
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | | | Merge pull request #9818 from edsantiago/bats  (OpenShift Merge Robot, 2021-03-25)
    system tests: new interactive tests
| * | | system tests: new interactive tests  (Ed Santiago, 2021-03-25)
    socat can create a dummy PTY that we can manipulate. This lets us run a variety of tests that we couldn't before, involving "run -it", and stty, and even "load" with no args.
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | Support multi doc yaml for generate/play kube  (Eduardo Vega, 2021-03-25)
    Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
* | | Merge pull request #9768 from mheon/fix_9608  (OpenShift Merge Robot, 2021-03-25)
    Ensure manually-created volumes have correct ownership
| * | Ensure manually-created volumes have correct ownership  (Matthew Heon, 2021-03-24)
    As part of a fix for an earlier bug (#5698) we added the ability for Podman to chown volumes to correctly match the user running in the container, even in adverse circumstances (where we don't know the right UID/GID until very late in the process). However, we only did this for volumes created automatically by a `podman run` or `podman create`. Volumes made by `podman volume create` do not get this chown, so their permissions may not be correct.
    I've looked, and I don't think there's a good reason not to do this chown for all volumes the first time the container is started. I would prefer to do this as part of volume copy-up, but I don't think that's really possible (copy-up happens earlier in the process and we don't have a spec). There is a small chance, as things stand, that a copy-up happens for one container and then a chown for a second, unrelated container, but the odds of this are astronomically small (we'd need a very close race between two starting containers).
    Fixes #9608
    Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Check if stdin is a term in --interactive --tty mode  (Daniel J Walsh, 2021-03-24)
    If you are attempting to run a container in interactive mode, and want a --tty, then there must be a terminal in use. Docker exits right away when a user specifies to use a --interactive and --TTY but the stdin is not a tty. Currently podman will pull the image and then fail much later.
    Podman will continue to run but will print a warning message.
    Discussion in: https://github.com/containers/podman/issues/8916
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #9790 from matejvasek/fix-isolation-serde  (OpenShift Merge Robot, 2021-03-24)
    fix: build endpoint for compat API
| * | fix: build endpoint for compat API  (Matej Vasek, 2021-03-23)
    Signed-off-by: Matej Vasek <mvasek@redhat.com>
* | | Merge pull request #9749 from jwillikers/generate-kube-persistent-volume-claim  (OpenShift Merge Robot, 2021-03-23)
    Generate Kubernetes PersistentVolumeClaims from named volumes
| * | | Generate Kubernetes PersistentVolumeClaims from named volumes  (Jordan Williams, 2021-03-19)
    Fixes #5788
    This commit adds support for named volumes in podman-generate-kube. Named volumes are output in the YAML as PersistentVolumeClaims. To avoid naming conflicts, the volume name is suffixed with "-pvc". This commit adds a corresponding suffix for host path mounts. Host path volumes are suffixed with "-host".
    Signed-off-by: Jordan Williams <jordan@jwillikers.com>
* | | Merge pull request #9537 from TomSweeneyRedHat/dev/tsweeney/tz_check  (OpenShift Merge Robot, 2021-03-23)
    Validate passed in timezone from tz option
| * | Validate passed in timezone from tz option  (TomSweeneyRedHat, 2021-03-21)
    Erik Sjolund reported an issue where a badly formatted file could be passed into the `--tz` option and then the date in the container would be badly messed up:

    ```
    erik@laptop:~$ echo Hello > file.txt
    erik@laptop:~$ podman run --tz=../../../home/erik/file.txt --rm -ti docker.io/library/alpine cat /etc/localtime
    Hello
    erik@laptop:~$ podman --version
    podman version 3.0.0-rc1
    erik@laptop:~$
    ```

    This fix checks to make sure the TZ passed in is a valid value and then proceeds with the rest of the processing. This was first reported as a potential security issue, but it was thought not to be. However, I thought closing the hole sooner rather than later would be good.
    Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>