aboutsummaryrefslogtreecommitdiff
path: root/test
Commit message (Collapse)AuthorAge
* Merge pull request #7694 from mheon/fix_exec_supplemental_groupsOpenShift Merge Robot2020-09-19
|\ | | | | Preserve groups in exec sessions in ctrs with --user
| * Preserve groups in exec sessions in ctrs with --userMatthew Heon2020-09-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman wants to guarantee that exec sessions retain the groups of the container they are started in, unless explicitly overridden by the user. This guarantee was broken for containers where the `--user` flag was specified; this patch resolves that. Somewhere in the Exec rewrite for APIv2, I changed the location where the container's User is passed into the exec session (similar to groups, we also want to preserve user unless overridden). The lower-level Exec APIs already handled setting user and group appropriately if not specified when the exec session was created, but I added duplicate code to handle this higher in the stack - and that code only handled setting user, not supplemental groups, breaking support in that specific case. Two things conspired to make this one hard to track down: first, things were only broken if the container explicitly set a user; otherwise, the container user would still appear to be unset to the lower-level code, which would properly set supplemental groups (this tricked our existing test into passing). Also, the `crun` OCI runtime will add the groups without prompting, which further masked the problem there. I debated making `runc` do the same, but in the end it's better to fix this in Podman - it's better to be explicit about what we want done so we will work with all OCI runtimes. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #7679 from baude/remoteiidfileOpenShift Merge Robot2020-09-18
|\ \ | | | | | | enable --iidfile for podman-remote build
| * | enable --iidfile for podman-remote buildbaude2020-09-17
| | | | | | | | | | | | | | | | | | for podman-remote build operations, the iidfile, when used, needs to write the file to the client's local filesystem. Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #7671 from zhangguanzhang/play-kube-handle-restartPolicyOpenShift Merge Robot2020-09-18
|\ \ \ | | | | | | | | handle the restartPolicy for play kube and generate kube
| * | | handle the play kube and generate kube for with restartPolicyzhangguanzhang2020-09-18
| | | | | | | | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | | fix the .Path and .Args when use the infra-commandzhangguanzhang2020-09-18
|/ / / | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* / / Fix play_kube_test deployment templateJordan Christiansen2020-09-17
|/ / | | | | | | | | | | | | Annotations were at the wrong indentation, making them a part of the labels map. Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
* | Merge pull request #7654 from vrothberg/fix-7651OpenShift Merge Robot2020-09-17
|\ \ | | | | | | image list: return all associated names
| * | image list: return all associated namesValentin Rothberg2020-09-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Always return all associated names / repo tags of an image and fix a bug with malformed repo tags. Previously, Podman returned all names only with `--all` but this flag only instructs to list intermediate images and should not alter associated names. With `--all` Podman queried the repo tags of an image which splits all *tagged* names into repository and tag which is then reassembled to eventually be parsed again in the frontend. Lot's of redundant CPU heat and buggy as the reassembly didn't consider digests which ultimately broke parsing in the frontend. Fixes: #7651 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Add labels to a pod created via play kubeJordan Christiansen2020-09-16
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When using `podman play kube` with a YAML file that has pod labels, apply those labels to the pods that podman makes. For example, this Deployment spec has labels on a pod: apiVersion: apps/v1 kind: Deployment metadata: name: myapp labels: app: myapp spec: selector: matchLabels: app: myapp template: metadata: labels: app: myapp spec: containers: - name: web image: nginx ports: - containerPort: 80 The pods that podman creates will have the label "app" set to "myapp" so that these pods can be found with `podman pods ps --filter label=app`. Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
* | Fix podman pod create --infra-command and --infra-imageDaniel J Walsh2020-09-16
| | | | | | | | | | | | | | | | Currently infr-command and --infra-image commands are ignored from the user. This PR instruments them and adds tests for each combination. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7624 from QiWang19/policy-optionOpenShift Merge Robot2020-09-16
|\ \ | | | | | | Supports import&run--signature-policy
| * | Supports import&run--signature-policyQi Wang2020-09-15
| | | | | | | | | | | | | | | | | | Enables podman create, pull, run, import to use --signature-policy option. Set it as hidden flag to be consistent with other commands. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | Merge pull request #7636 from vrothberg/fix-7407OpenShift Merge Robot2020-09-16
|\ \ \ | | | | | | | | run/create: record raw image
| * | | run/create: record raw imageValentin Rothberg2020-09-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Record the user-specified "raw" image name in the SpecGenerator, so we can pass it along to the config when creating a container. We need a separate field as the image name in the generator may be set to the ID of the previously pulled image - ultimately the cause of #7404. Reverting the image name from the ID to the user input would not work since "alpine" for pulling iterates over the search registries in the registries.conf but looking up "alpine" normalizes to "localhost/alpine". Recording the raw-image name directly in the generator was the best of the options I considered as no hidden magic from search registries or normalizations (that may or may not change in the future) can interfere. The auto-update backend enforces that the raw-image name is a fully-qualified reference, so we need to worry about that in the front end. Fixes: #7407 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Merge pull request #7642 from jwhonce/issues/7327-2OpenShift Merge Robot2020-09-16
|\ \ \ \ | | | | | | | | | | Refactor API version values
| * | | | Refactor API version valuesJhon Honce2020-09-15
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * API-Version header now Major.Minor to support tools parsing this header * Libpod Version updated to 2.0.0 to reflect changes in API field values * API-Version and Libpod-API-Version headers are now included in all results Fixes #7327 * Header support tested against goland 2020.2 and https://www.jetbrains.com/help/idea/docker.html plugin Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | | Merge pull request #7633 from edsantiago/minus_l_with_other_argsOpenShift Merge Robot2020-09-15
|\ \ \ \ | |/ / / |/| | | Usability: prevent "-l" with arguments
| * | | Usability: prevent "-l" with argumentsEd Santiago2020-09-14
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | Add new system check confirming that "podman foo -l arg" throws an error; and fix lots of instances where code was not doing this check. I'll probably need to add something similar for --all but that can wait. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | Merge pull request #7452 from jwhonce/issues/7136OpenShift Merge Robot2020-09-15
|\ \ \ | |_|/ |/| | Refactor API build endpoint to be more compliant
| * | Refactor API build endpoint to be more compliantJhon Honce2020-09-14
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Refactor/Rename channel.WriteCloser() to encapsulate the channel * Refactor build endpoint to "live" stream buildah output channels over API rather then buffering output * Refactor bindings/tunnel build because endpoint changes * building tar file now in bindings rather then depending on caller * Cleanup initiating extra image engine * Remove setting fields to zero values (less noise in code) * Update tests to support remote builds Fixes #7136 Fixes #7137 Signed-off-by: Jhon Honce <jhonce@redhat.com>
* / podman wait accept args > 1Paul Holzinger2020-09-15
|/ | | | Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #7600 from rhatdan/codespellOpenShift Merge Robot2020-09-11
|\ | | | | Fix up errors found by codespell
| * Fix up errors found by codespellDaniel J Walsh2020-09-11
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7403 from QiWang19/runtime-flagOpenShift Merge Robot2020-09-11
|\ \ | |/ |/| Add global options --runtime-flags
| * Add global options --runtime-flagsQi Wang2020-09-04
| | | | | | | | | | | | Add global options --runtime-flags for setting options to container runtime. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Merge pull request #7591 from haircommander/play-kube-process-namespaceOpenShift Merge Robot2020-09-11
|\ \ | | | | | | play/generate: support shareProcessNamespace
| * | play/generate: support shareProcessNamespacePeter Hunt2020-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | this is an option that allows a user to specify whether to share PID namespace in the pod for play kube and generate kube associated test added Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | Merge pull request #7593 from edsantiago/network_test_cleanupOpenShift Merge Robot2020-09-11
|\ \ \ | | | | | | | | run_networking e2e test: add cleanup to some tests
| * | | run_networking e2e test: add cleanup to some testsEd Santiago2020-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Problem: if either of the two "podman network create" tests fail, all subsequent retries will also fail because the created network has not been cleaned up (so "network create" will fail with EEXIST). Solution: run "podman network rm" as deferred cleanup instead of in each test. This is NOT a fix for #7583 - it is just a way to allow ginkgo to retry a failing test. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | Merge pull request #7586 from ashley-cui/rokubeOpenShift Merge Robot2020-09-11
|\ \ \ \ | | | | | | | | | | Add read-only volume mount to play kube
| * | | | Add read-only mount to play kubeAshley Cui2020-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | add support for read-only volume mounts in podman play kube Signed-off-by: Ashley Cui <acui@redhat.com>
* | | | | Merge pull request #7590 from edsantiago/batsOpenShift Merge Robot2020-09-10
|\ \ \ \ \ | |_|/ / / |/| | | | system tests: cleanup
| * | | | system tests: cleanupEd Santiago2020-09-10
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - run tests: better "skip" message for docker-archive test; remove FIXME, document that podman-remote doesn't support it - run tests: instrument the --conmon-pidfile test in hopes of tracking down flake #7580: cross-check pidfile against output of 'podman inspect', and add some debug messages that will only be seen on test failure. - load tests: the pipe test: save and load a temporary tag, not $IMAGE. Primary reason is because of #7371, in which 'podman load' assigns a new image ID (instead of preserving the saved one). This messes with our image management, and it turns out to be nonfixable. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | Merge pull request #7541 from mheon/modify_groupOpenShift Merge Robot2020-09-10
|\ \ \ \ | |/ / / |/| | | Make an entry in /etc/group when we modify /etc/passwd
| * | | Make an entry in /etc/group when we modify /etc/passwdMatthew Heon2020-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To ensure that the user running in the container ahs a valid entry in /etc/passwd so lookup functions for the current user will not error, Podman previously began adding entries to the passwd file. We did not, however, add entries to the group file, and this created problems - our passwd entries included the group the user is in, but said group might not exist. The solution is to mirror our logic for /etc/passwd modifications to also edit /etc/group in the container. Unfortunately, this is not a catch-all solution. Our logic here is only advanced enough to *add* to the group file - so if the group already exists but we add a user not a part of it, we will not modify that existing entry, and things remain inconsistent. We can look into adding this later if we absolutely need to, but it would involve adding significant complexity to this already massively complicated function. While we're here, address an edge case where Podman could add a user or group whose UID overlapped with an existing user or group. Also, let's make users able to log into users we added. Instead of generating user entries with an 'x' in the password field, indicating they have an entry in /etc/shadow, generate a '*' indicating the user has no password but can be logged into by other means e.g. ssh key, su. Fixes #7503 Fixes #7389 Fixes #7499 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #7577 from rhatdan/runlabel1OpenShift Merge Robot2020-09-10
|\ \ \ \ | | | | | | | | | | podman container runlabel should pull the image if it does not exist
| * | | | podman container runlabel should pull the image if it does not existDaniel J Walsh2020-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since --pull is deprecated, remove it from help and hide if from --help Also set it to true by default. Share image pull code betweern podman image pull and podman container runlabel. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1877181 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | Merge pull request #7578 from giuseppe/join-userns-reuse-mappingsOpenShift Merge Robot2020-09-10
|\ \ \ \ \ | | | | | | | | | | | | libpod: read mappings when joining a container userns
| * | | | | libpod: read mappings when joining a container usernsGiuseppe Scrivano2020-09-10
| |/ / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when joining an existing container user namespace, read the existing mappings so the storage can be created with the correct ownership. Closes: https://github.com/containers/podman/issues/7547 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* | | | | Merge pull request #7460 from AkihiroSuda/allow-rootless-cniOpenShift Merge Robot2020-09-10
|\ \ \ \ \ | | | | | | | | | | | | rootless: support `podman network create` (CNI-in-slirp4netns)
| * | | | | rootless: support `podman network create` (CNI-in-slirp4netns)Akihiro Suda2020-09-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Usage: ``` $ podman network create foo $ podman run -d --name web --hostname web --network foo nginx:alpine $ podman run --rm --network foo alpine wget -O - http://web.dns.podman Connecting to web.dns.podman (10.88.4.6:80) ... <h1>Welcome to nginx!</h1> ... ``` See contrib/rootless-cni-infra for the design. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* | | | | | Merge pull request #7574 from vrothberg/fix-7117OpenShift Merge Robot2020-09-10
|\ \ \ \ \ \ | | | | | | | | | | | | | | remote run: consult events for exit code
| * | | | | | remote run: consult events for exit codeValentin Rothberg2020-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After attaching to a container, we wait for the container to finish and return its exit code. Waiting for the container may not always succeed, for instance, when the container has been force removed by another process. In such case, we have to look at the *last* container-exit event. Also refactor the `ContainerRun` method a bit to return early on errors and de-spaghetti the code. Enable the remote-disabled system test. Fixes: #7117 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | | | Merge pull request #7536 from Luap99/api-network-filterOpenShift Merge Robot2020-09-10
|\ \ \ \ \ \ \ | |_|_|/ / / / |/| | | | | | APIv2 Add network list filtering
| * | | | | | APIv2 Add network list filteringPaul Holzinger2020-09-07
| | |_|/ / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add the filter option to the libpod endpoint. Add support for the name filter on the docker endpoint. Add apiv2 tests for the network list endpoints. Enable podman network integration tests for remote. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | | | | Merge pull request #7575 from rhatdan/runlabelOpenShift Merge Robot2020-09-09
|\ \ \ \ \ \ | | | | | | | | | | | | | | Fix podman container runlabel --display
| * | | | | | Fix podman container runlabel --displayDaniel J Walsh2020-09-09
| | |/ / / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Current podman container runlabel --display is being ignored. This is just supposed to display the command that would be run, and then exit, but instead is actually running the command. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1877186 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | | Merge pull request #7573 from rhatdan/oomOpenShift Merge Robot2020-09-09
|\ \ \ \ \ \ | | | | | | | | | | | | | | Make oom-score-adj actually work