summaryrefslogtreecommitdiff
path: root/test
Commit message (Collapse)AuthorAge
* seccomp policy: expect profile in config labelValentin Rothberg2020-01-23
| | | | | | | | Move the seccomp profile from a manifest annotation to a config label. This way, we can support it for Docker images as well and provide an easy way to add that data via Dockerfiles. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #4887 from vrothberg/fix-4886OpenShift Merge Robot2020-01-16
|\ | | | | e2e/run_signal_test.go: make it more robust
| * e2e/run_signal_test.go: make it more robustValentin Rothberg2020-01-16
| | | | | | | | | | | | | | | | | | | | Make the signal test more robust by just checking that the container's exit code is non-zero. There are two possible exit codes (i.e., 130 and 137) depending on how the container is being killed, which is likely responsible for CI flakes. Fixes: #4886 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | systemdgen: add --ignore flag to generic servicesValentin Rothberg2020-01-16
|/ | | | | | | | | | | | | | | | | The --ignore flag lets Podman ignore errors when a specified container does not exist (anymore). That's a nice addition to generic services generated via the --new flag. Those services create new containers and can hence allows user to manually remove a container; may it only be by accident. The important part of using the --ignore flag is that Podman will exit 0 which plays nicer with most restart policies; a non-zero exit may yield systemd to restart the entire service which is arguably wrong if the user manually deletes the container. If desired, users can still alter the generated files. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #4807 from ssbarnea/fix/pre-commitOpenShift Merge Robot2020-01-15
|\ | | | | Enable pre-commit linting
| * Enable pre-commit tool lintingSorin Sbarnea2020-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This should help use keep the codebase more consistent, and avoid sevel whitespace related issues, or bad file permissions. pre-commit allows us to easily introduce other linters in follow-ups, like bashate. Note: pre-commit tool does *not* install any git-hooks. Making commits will will call the tool unless you deliverately tell it to install the hooks. Signed-off-by: Sorin Sbarnea <ssbarnea@redhat.com>
* | Merge pull request #4824 from edsantiago/batsOpenShift Merge Robot2020-01-15
|\ \ | | | | | | more BATS tests
| * | more BATS testsEd Santiago2020-01-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - run: --name (includes 'podman container exists' tests) - run: --pull (always, never, missing) - build: new test for ADD URL (#4420) - exec: new test for issue #4785 (pipe getting lost) - diff: new test - selinux (mostly copied from docker-autotest) Plus a bug fix: the wait_for_output() helper would continue checking, eventually timing out, even if the container had already exited (probably because of an error). Fix: as part of the loop, run 'podman inspect' and bail out if container is not running. Include exit code and logs. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | Merge pull request #4806 from vrothberg/seccompOpenShift Merge Robot2020-01-15
|\ \ \ | |_|/ |/| | policy for seccomp-profile selection
| * | policy for seccomp-profile selectionValentin Rothberg2020-01-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Implement a policy for selecting a seccomp profile. In addition to the default behaviour (default profile unless --security-opt seccomp is set) add a second policy doing a lookup in the image annotation. If the image has the "io.containers.seccomp.profile" set its value will be interpreted as a seccomp profile. The policy can be selected via the new --seccomp-policy CLI flag. Once the containers.conf support is merged into libpod, we can add an option there as well. Note that this feature is marked as experimental and may change in the future. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #4817 from rhatdan/codespellOpenShift Merge Robot2020-01-13
|\ \ \ | |_|/ |/| | Add codespell to validate spelling mistakes in code.
| * | Add codespell to validate spelling mistakes in code.Daniel J Walsh2020-01-11
| | | | | | | | | | | | | | | | | | Fix all errors found by codespell Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #4823 from vrothberg/gen-systemdOpenShift Merge Robot2020-01-12
|\ \ \ | |/ / |/| | podman-generate-systemd --new
| * | podman-generate-systemd --newValentin Rothberg2020-01-09
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a --new flag to podman-generate-systemd to create a new container via podman-run instead of starting an existing container. Creating a new container presents the challenge to find a reverse mapping from a container to the CLI flags it can be created with. We are doing this via `(Container).Config.CreateCommand` field, which includes a copy of the process' command from procFS at creating time. This field may not be useful when the container was not created via the Podman CLI (e.g., via a Python script). Hence, we do not guarantee the correctness of the generated files. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | test: fix error messageGiuseppe Scrivano2020-01-10
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | log: support --log-opt tag=Giuseppe Scrivano2020-01-10
|/ | | | | | | | | | support a custom tag to add to each log for the container. It is currently supported only by the journald backend. Closes: https://github.com/containers/libpod/issues/3653 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4802 from rhatdan/varlinkOpenShift Merge Robot2020-01-09
|\ | | | | Fix podman-remote info to show registry data
| * Fix podman-remote info to show registry dataDaniel J Walsh2020-01-07
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Add `untag` sub-commandSascha Grunert2020-01-08
|/ | | | | | | | Podman now supports untagging images via the `untag` sub-command for the root and `image` commands. Testing and documentation has been added as well. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Merge pull request #4781 from haircommander/seccomp-profile-rootOpenShift Merge Robot2020-01-07
|\ | | | | play kube: make seccomp handling better conform to k8s
| * play kube: make seccomp handling better conform to k8sPeter Hunt2020-01-03
| | | | | | | | | | | | | | Add flag --seccomp-profile-root in play kube to allow users to specify where to look for seccomp profiles update tests Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | fix bug copy from container directoryQi Wang2020-01-02
|/ | | | | | Keep the original input source path with "/." so podman can copy the content of the directory when copying from container to host. Signed-off-by: Qi Wang <qiwan@redhat.com>
* Merge pull request #4748 from NevilleC/nc-podnameOpenShift Merge Robot2019-12-29
|\ | | | | [Issue #4703] Add the pod name when we use `podman ps -p`
| * Add the pod name when we use `podman ps -p`Neville Cain2019-12-28
| | | | | | | | | | | | | | | | | | | | | | | | The pod name does not appear when doing `podman ps -p`. It is missing as the documentation says: -p, --pod Print the ID and name of the pod the containers are associated with The pod name is added in the ps output and checked in unit tests. Closes #4703 Signed-off-by: NevilleC <neville.cain@qonto.eu>
* | Fix race condition in kill test leading to hangEd Santiago2019-12-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When you open a FIFO for reading, but there's no writer, you hang. This is just one of those obscure UNIXisms we all know but just forget all too often. My last PR was guilty of introducing such a condition; I caught it by accident while testing other stuff. In short, the signal container was doing 'echo DONE' as its last step, and we (BATS) were reading the FIFO to check for it; but if the container exited before we opened the FIFO for read, the open would hang. This is not a hang that we can catch in the test: it would hang the entire job forever. CI would presumably time out eventually, but with no useful indication of the cause of the error. Solution: use 'exec' to open the FIFO early and keep it open, and use 'read -u FD' instead of 'read <$fifo': the former reads from an open FD, the latter forces a new open() each time. There is a shorter, more maintainable solution -- see #4755 -- but that suffers from the same hanging problem in the (unlikely) case where the signal-handling container exits, e.g. if signal handling is broken in podman. The test would hang, with no helpful indicator. Although this PR is a little more advanced scripting, I have commented the relevant code well and believe the maintenance cost is worth the risk of undebuggable hangs. There is still a hang risk: if 'podman logs -f' fails and exits immediately, the 'exec' will hang. I can't think of a non-racy way to prevent that, and choose to live with that risk. Tested by temporarily including 9 (SIGKILL) in the signals list. The read timeout triggers, and the end user has a fair chance of tracking down the root cause. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #4753 from NevilleC/nc-missingsizeOpenShift Merge Robot2019-12-28
|\ \ | | | | | | Ensure SizeRw is shown when a user does 'inspect --size -t container'.
| * | Ensure SizeRw is shown when a user does 'inspect --size -t container'.Neville Cain2019-12-27
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, if a user requests the size on a container (inspect --size -t container), the SizeRw does not show up if the value is 0. It's because InspectContainerData is defined as int64 and there is an omit when empty. We do want to display it even if the value is empty. I have changed the type of SizeRw to be a pointer to an int64 instead of an int64. It will allow us todistinguish the empty value to the missing value. I updated the test "podman inspect container with size" to ensure we check thatSizeRw is displayed correctly. Closes #4744 Signed-off-by: NevilleC <neville.cain@qonto.eu>
* | Merge pull request #4749 from edsantiago/parse_and_validate_signalOpenShift Merge Robot2019-12-27
|\ \ | | | | | | signal parsing - better input validation
| * | signal parsing - better input validationEd Santiago2019-12-26
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The helper function we use for signal name mapping does not check for negative numbers nor invalid (too-high) ones. This can yield unexpected error messages: # podman kill -s -1 foo ERRO[0000] unknown signal "18446744073709551615" This PR introduces a small wrapper for it that: 1) Strips off a leading dash, allowing '-1' or '-HUP' as valid inputs; and 2) Rejects numbers <1 or >64 (SIGRTMAX) Also adds a test suite checking signal handling as well as ensuring that invalid signals are rejected by the command line. Fixes: #4746 Signed-off-by: Ed Santiago <santiago@redhat.com>
* / The --quiet flag does not conflict with templates in psMatthew Heon2019-12-26
|/ | | | | | | | To match Docker behavior, make `--quiet` and `--format` with a Go template not conflict. Instead, just turn off `--quiet` in such cases, as we'll be using Go template output instead. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* build(deps): bump github.com/containers/image/v5 from 5.0.0 to 5.1.0Daniel J Walsh2019-12-20
| | | | | | | | | Bumps [github.com/containers/image/v5](https://github.com/containers/image) from 5.0.0 to 5.1.0. - [Release notes](https://github.com/containers/image/releases) - [Commits](https://github.com/containers/image/compare/v5.0.0...v5.1.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #4684 from vrothberg/systemd-improvementsOpenShift Merge Robot2019-12-19
|\ | | | | container config: add CreateCommand
| * container config: add CreateCommandValentin Rothberg2019-12-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Store the full command plus arguments of the process the container has been created with. Expose this data as a `Config.CreateCommand` field in the container-inspect data as well. This information can be useful for debugging, as we can find out which command has created the container, and, if being created via the Podman CLI, we know exactly with which flags the container has been created with. The immediate motivation for this change is to use this information for `podman-generate-systemd` to generate systemd-service files that allow for creating new containers (in contrast to only starting existing ones). Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #4689 from edsantiago/batsOpenShift Merge Robot2019-12-19
|\ \ | | | | | | podman images history test - clean up
| * | podman images history test - clean upEd Santiago2019-12-12
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | As initially written the test does not work other than in a CI environment because it relies on an empty tag history. Rewrite so we can guarantee that, by creating a new image. Also add slightly more helpful tests: the initial tests would just show "expected 0, got 1" which is unhelpful. Tweak so we test on actual history contents, which will show more informative messages on failure. And, finally, clean up after ourselves. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #4643 from adrianreber/masterOpenShift Merge Robot2019-12-17
|\ \ | | | | | | Correctly export the root file-system changes
| * | Correctly export the root file-system changesAdrian Reber2019-12-09
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When doing a checkpoint with --export the root file-system diff was not working as expected. Instead of getting the changes from the running container to the highest storage layer it got the changes from the highest layer to that parent's layer. For a one layer container this could mean that the complete root file-system is part of the checkpoint. With this commit this changes to use the same functionality as 'podman diff'. This actually enables to correctly diff the root file-system including tracking deleted files. This also removes the non-working helper functions from libpod/diff.go. Signed-off-by: Adrian Reber <areber@redhat.com>
* / Remove coverprofile from the repositorySascha Grunert2019-12-16
|/ | | | | | | The profile should not be part of the repo and is already in the gitignore. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Merge pull request #4440 from edsantiago/batsOpenShift Merge Robot2019-12-06
|\ | | | | test for #3920 (improper caching of tarballs in build)
| * test for #3920 (improper caching of tarballs in build)Ed Santiago2019-12-05
| | | | | | | | | | | | | | | | | | See https://github.com/containers/buildah/pull/1955 I've confirmed that this test fails under podman-1.6.2-2.fc30 and passes under current master. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #4563 from mheon/fix_change_parsingOpenShift Merge Robot2019-12-06
|\ \ | | | | | | Fix parsing for arrays of values in image changes
| * | Completely rework --change parsingMatthew Heon2019-12-04
| |/ | | | | | | | | | | | | | | | | | | | | | | The way we were trying to parse was very broken. I originally attempted to use Buildah's Dockerfile parser here, but dealing with it (and convincing it to accept only a limited subset, and only one instruction at a time) was challenging, so I rewrote a subset of Dockerfile parsing. This should handle most common cases well, though there are definitely unhandled edge cases for ENV and LABEL. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* / rootless: enable stats test on cgroup v2Giuseppe Scrivano2019-12-04
|/ | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4596 from kunalkushwaha/container-pruneOpenShift Merge Robot2019-12-02
|\ | | | | container prune command fixed as per docker prune command
| * filter added to container prune commandKunal Kushwaha2019-11-29
| | | | | | | | | | | | | | filter flag helps to filter the containers based on labels, until(time), name, etc for prune command. Signed-off-by: Kunal Kushwaha <kunal.kushwaha@gmail.com>
* | Fix podman-remote version to print client and serverDaniel J Walsh2019-12-02
| | | | | | | | | | | | | | | | | | | | | | If the user specifies .Server.* on a non podman-remote, substitute .Client for .Server and return the value. This is for compatability with Docker. Since prior versions documented --format {{ .Version }}, we have to continue to support that. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Add podman system reset commandDaniel J Walsh2019-11-29
| | | | | | | | | | | | | | This command will destroy all data created via podman. It will remove containers, images, volumes, pods. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Disable checkpointing of containers started with --rmAdrian Reber2019-11-28
|/ | | | | | | | | | | | | Trying to checkpoint a container started with --rm works, but it makes no sense as the container, including the checkpoint, will be deleted after writing the checkpoint. This commit inhibits checkpointing containers started with '--rm' unless '--export' is used. If the checkpoint is exported it can easily be restored from the exported checkpoint, even if '--rm' is used. To restore a container from a checkpoint it is even necessary to manually run 'podman rm' if the container is not started with '--rm'. Signed-off-by: Adrian Reber <areber@redhat.com>
* Merge pull request #4568 from openSUSE/historyOpenShift Merge Robot2019-11-27
|\ | | | | Add support for image name history
| * Add support for image name historySascha Grunert2019-11-27
| | | | | | | | | | | | | | | | We leverage the containers/storage image history tracking feature to show the previously used image names when running: `podman images --history` Signed-off-by: Sascha Grunert <sgrunert@suse.com>