| Commit message (Collapse) | Author | Age |
|---|
| |\
| |
| | |
fix rootless port forwarding with network dis-/connect
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The rootlessport forwarder requires a child IP to be set. This must be a
valid ip in the container network namespace. The problem is that after a
network disconnect and connect the eth0 ip changed. Therefore the
packages are dropped since the source ip does no longer exists in the
netns.
One solution is to set the child IP to 127.0.0.1, however this is a
security problem. [1]
To fix this we have to recreate the ports after network connect and
disconnect. To make this work the rootlessport process exposes a socket
where podman network connect/disconnect connect to and send to new child
IP to rootlessport. The rootlessport process will remove all ports and
recreate them with the new correct child IP.
Also bump rootlesskit to v0.14.3 to fix a race with RemovePort().
Fixes #10052
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-20199
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |\ \
| | |
| | | |
test: move container process to a sub-cgroup
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
move the container to a sub-cgroup before creating a sibling
hierarchy.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently we override the SELinux labels specified by the user
if the container is runing a kata container or systemd container.
This PR fixes to use the label specified by the user.
Fixes: https://github.com/containers/podman/issues/11100
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \
| | |
| | | |
Bump to v4.0.0-dev
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\ \ \
| |/ /
|/| | |
Created image scp feature
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
added functionality for image secure copying from local to remote.
Also moved system connection add code around a bit so functions within that file
can be used by scp.
Signed-off-by: cdoern <cdoern@redhat.com>
|
| |\ \ \
| | | |
| | | | |
Add `--accept-repositories` integration tests
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This adds the integration tests for the repository or namespaced
registry feature introduced in c/common.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
If the systemd version is older than v245, the systemd uses 'Started'
when a oneshot service finishes.
In systemd, the change was done at:
https://github.com/systemd/systemd/pull/14851
commit-id: eda0cbf07186d16a160bd1d810613586fdbdf587
Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
|
| |\ \ \ \
| | | | |
| | | | | |
ps: support the `container...` notation for `ps --filter network=...`
|
| | | | | |
| | | | |
| | | | |
| | | | | |
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
|
| |/ / / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
In the unlock/timeout test, on slow systems, 'podman ps' could
catch the container before the just-backgrounded 'podman stop'
sends the signal. Wait for signal ack from container before
we inspect it.
Also: If I understand the test correctly, it wasn't actually
checking that 'ps' could grab the lock while the container
was exiting. Add a check.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
| |\ \ \ \
| | | | |
| | | | | |
`ci-fix`: healthcheck tests should use `.Should()` instead of `.To()`.
|
| | | | | |
| | | | |
| | | | |
| | | | | |
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
|
| |\ \ \ \ \
| |/ / / /
|/| | | | |
buildah bud tests under podman-remote
|
| | | |_|/
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
New functionality -- mostly in the diffs we apply to
buildah's helpers.bash -- to enable running buildah-bud
tests under podman-remote. The gist of it is, we start
a 'podman system service' before each test, and clean
it up on test exit.
Design decision: the diff file for helpers.bash is no
longer trailing-whitespace-clean: that ended up producing
diffs that git wouldn't apply, because in some cases
the whitespace is actually important. In order to pass CI,
we need to exclude this file from some checks.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
| |\ \ \ \
| |/ / /
|/| | | |
Fixed Healthcheck formatting, string to []string
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Compat healthcheck tests are of the format []string but podman's were of
the format string. Converted podman's to []string at the specgen level since it has the same effect
and removed the incorrect parsing of compat healthchecks.
fixes #10617
Signed-off-by: cdoern <cdoern@redhat.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Compat healthcheck tests are of the format []string but podman's were of
the format string. Converted podman's to []string at the specgen level since it has the same effect
and removed the incorrect parsing of compat healthchecks.
fixes #10617
Signed-off-by: cdoern <cdoern@redhat.com>
|
| |\ \ \ \
| | | | |
| | | | | |
remote build: fix streaming and error handling
|
| | | |/ /
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Address a number of issues in the streaming logic in remote build, most
importantly an error in using buffered channels on the server side.
The pattern below does not guarantee that the channel is entirely read
before the context fires.
for {
select {
case <- bufferedChannel:
...
case <- ctx.Done():
...
}
}
Fixes: #10154
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \ \ \
| |/ / /
|/| | |
| | | |
| | | | |
adrianreber/2021-07-12-checkpoint-restore-into-pod
Add support for checkpoint/restore into and out of pods
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Adrian Reber <areber@redhat.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The upcoming commit to support checkpointing out of Pods requires CRIU
3.16. This changes the CRIU version check to support checking for
different versions.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Reduce the amount of `podman exec`s in the cp system tests.
Exec is expensive and a number of them could easily be combined
into the container command.
This cuts down the costs of running the tests by around 25 percent
on my local machine.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Implement container to container copy. Previously data could only be
copied from/to the host.
Fixes: #7370
Co-authored-by: Mehul Arora <aroram18@mcmaster.ca>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \ \
| | | |
| | | |
| | | |
| | | | |
containers/dependabot/go_modules/github.com/containers/image/v5-5.14.0
Bump github.com/containers/image/v5 from 5.13.2 to 5.14.0
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Bumps [github.com/containers/image/v5](https://github.com/containers/image) from 5.13.2 to 5.14.0.
- [Release notes](https://github.com/containers/image/releases)
- [Commits](https://github.com/containers/image/compare/v5.13.2...v5.14.0)
---
updated-dependencies:
- dependency-name: github.com/containers/image/v5
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
|
| |\ \ \ \
| | | | |
| | | | | |
Add prune until filter test for podman volume cli
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This commit follows work started in #10756. Changes made in #11015
enabled cli support for volume prune --filter until. Adding e2e test
closes #10579.
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
|
| |\ \ \ \ \
| |/ / / /
|/| | | | |
refine dangling checks
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
By proxy by vendoring containers/common. Previously, a "dangling" image
was an untagged image; just a described in the Docker docs. The
definition of dangling has now been refined to an untagged image without
children to be compatible with Docker.
Further update a redundant image-prune test.
Fixes: #10998
Fixes: #10832
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \ \ \
| | | | |
| | | | | |
dual-stack network: fix duplicated subnet assignment
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Make sure podman network create reads all subnets from existing cni configs
and not only the first one.
Fixes #11032
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |\ \ \ \ \
| |/ / / /
|/| | | | |
Add tests to verify CORs is enabled
|
| | | | | |
| | | | |
| | | | |
| | | | | |
Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
|
| | |/ / /
|/| | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Pull policies in K8s yaml may be capitalized, so lower them before
parsing.
Fixes: bugzilla.redhat.com/show_bug.cgi?id=1985905
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \ \ \
| | | | |
| | | | | |
Support DeviceCgroupRules to actually get added.
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Fixes: https://github.com/containers/podman/issues/10302
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \ \ \
| | | | | |
| | | | | | |
Implemented --until flag for Libpod's Container Logs
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
compat containers/logs was missing actual usage of until query param.
This led me to implement the until param for libpod's container logs as well. Added e2e tests.
Signed-off-by: cdoern <cdoern@redhat.com>
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
import: write stdin to tmp file
|
| | | |/ / / /
| |/| | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
If importing an archive via stdin write it to a temporary file such that
the temporary file can be opened multiple times later on. Otherwise, we
may end up with an empty image.
Also fix a bug in the URL parsing code; we need to check whether there's
actually a scheme.
Add system tests for `podman import` exercising the basics.
Fixes: #10994
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Wow did I screw up. #10982 introduced (at my suggestion) a
new wait_for_port() helper, with the goal of eliminating a
race condition. It didn't work.
First: wait_for_port() tests by connecting to the port, which
is a Bad Idea when you have a one-shot server that exits upon
the first connection closing. We should've caught that, but:
Second: I wrote wait_for_port() for a non-BATS test framework,
and used the conventional file descriptor 3. BATS uses fd3
for internal control. Overriding that made the test silently
just disappear, no "not ok" message, no warnings, nothing
except vanishing into the ether.
Third: this was caught by my log-colorizer script, which
loudly yelled "WARNING: expected 234" (tests) at the
bottom of the log. Unfortunately, since this wasn't
my PR, I didn't actually look at the test logs.
Solution: we can't use wait_for_port() in the network port
test. Use wait_for_output() instead, triggering on the
'listening' message emitted by netcat in the container.
Also: fix wait_for_port() to use fd5 instead of 3. Although
no code currently uses wait_for_port() as of this PR, it's
a useful helper that we may want to keep.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
| |\ \ \ \ \ \
| |/ / / / /
|/| | | | | |
Add until filter to volume ls filters list
|
| | | |_|_|/
| |/| | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
As a conclusion of a discussion in #10861, until filter is added
by this commit to volume ls filters.
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
We don't support the journald events backend on RHEL8, for
example. So we can't unconditionally run these tests.
Partial fix for RHBZ1955166
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
