From 6a47afa79c04ddc6153e451df9de86317713fdfb Mon Sep 17 00:00:00 2001 From: zhangguanzhang Date: Wed, 14 Apr 2021 12:55:45 +0800 Subject: Fixes invalid expression in save command Signed-off-by: zhangguanzhang --- test/e2e/save_test.go | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'test') diff --git a/test/e2e/save_test.go b/test/e2e/save_test.go index 5ddd5efc8..42ee7440b 100644 --- a/test/e2e/save_test.go +++ b/test/e2e/save_test.go @@ -111,6 +111,24 @@ var _ = Describe("Podman save", func() { Expect(save.ExitCode()).To(Equal(0)) }) + It("podman save to directory with --compress but not use docker-dir and oci-dir", func() { + if rootless.IsRootless() && podmanTest.RemoteTest { + Skip("Requires a fix in containers image for chown/lchown") + } + outdir := filepath.Join(podmanTest.TempDir, "save") + + save := podmanTest.Podman([]string{"save", "--compress", "--format", "docker-archive", "-o", outdir, ALPINE}) + save.WaitWithDefaultTimeout() + // should not be 0 + Expect(save.ExitCode()).ToNot(Equal(0)) + + save = podmanTest.Podman([]string{"save", "--compress", "--format", "oci-archive", "-o", outdir, ALPINE}) + save.WaitWithDefaultTimeout() + // should not be 0 + Expect(save.ExitCode()).ToNot(Equal(0)) + + }) + It("podman save bad filename", func() { outdir := filepath.Join(podmanTest.TempDir, "save:colon") -- cgit v1.2.3-54-g00ecf From 4d4babac7615ac832edaa8d405b507e5264a2122 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 5 Apr 2021 18:12:50 -0400 Subject: Fix handling of $NAME and $IMAGE in runlabel Fixes: https://github.com/containers/podman/issues/9405 Add system runlabel tests. Signed-off-by: Daniel J Walsh --- .../source/markdown/podman-container-runlabel.1.md | 2 +- pkg/domain/infra/abi/containers_runlabel.go | 25 ++++++++--------- test/system/037-runlabel.bats | 32 ++++++++++++++++++++++ 3 files changed, 45 insertions(+), 14 deletions(-) create mode 100644 test/system/037-runlabel.bats (limited to 'test') diff --git a/docs/source/markdown/podman-container-runlabel.1.md b/docs/source/markdown/podman-container-runlabel.1.md index 84d283cf8..9557303b6 100644 --- a/docs/source/markdown/podman-container-runlabel.1.md +++ b/docs/source/markdown/podman-container-runlabel.1.md @@ -13,7 +13,7 @@ exist, `podman container runlabel` will just exit. If the container image has a LABEL INSTALL instruction like the following: -`LABEL INSTALL /usr/bin/podman run -t -i --rm \${OPT1} --privileged -v /:/host --net=host --ipc=host --pid=host -e HOST=/host -e NAME=\${NAME} -e IMAGE=\${IMAGE} -e CONFDIR=\/etc/${NAME} -e LOGDIR=/var/log/\${NAME} -e DATADIR=/var/lib/\${NAME} \${IMAGE} \${OPT2} /bin/install.sh \${OPT3}` +`LABEL INSTALL /usr/bin/podman run -t -i --rm \${OPT1} --privileged -v /:/host --net=host --ipc=host --pid=host -e HOST=/host -e NAME=\${NAME} -e IMAGE=\${IMAGE} -e CONFDIR=/etc/\${NAME} -e LOGDIR=/var/log/\${NAME} -e DATADIR=/var/lib/\${NAME} \${IMAGE} \${OPT2} /bin/install.sh \${OPT3}` `podman container runlabel` will set the following environment variables for use in the command: diff --git a/pkg/domain/infra/abi/containers_runlabel.go b/pkg/domain/infra/abi/containers_runlabel.go index 8de383926..2cabab988 100644 --- a/pkg/domain/infra/abi/containers_runlabel.go +++ b/pkg/domain/infra/abi/containers_runlabel.go @@ -177,6 +177,16 @@ func generateRunlabelCommand(runlabel string, img *image.Image, args []string, o return cmd, env, nil } +func replaceName(arg, name string) string { + newarg := strings.ReplaceAll(arg, "$NAME", name) + return strings.ReplaceAll(newarg, "${NAME}", name) +} + +func replaceImage(arg, image string) string { + newarg := strings.ReplaceAll(arg, "$IMAGE", image) + return strings.ReplaceAll(newarg, "${IMAGE}", image) +} + // generateCommand takes a label (string) and converts it to an executable command func generateCommand(command, imageName, name, globalOpts string) ([]string, error) { if name == "" { @@ -196,26 +206,15 @@ func generateCommand(command, imageName, name, globalOpts string) ([]string, err for _, arg := range cmd[1:] { var newArg string switch arg { - case "IMAGE": - newArg = imageName - case "$IMAGE": - newArg = imageName case "IMAGE=IMAGE": newArg = fmt.Sprintf("IMAGE=%s", imageName) - case "IMAGE=$IMAGE": - newArg = fmt.Sprintf("IMAGE=%s", imageName) - case "NAME": - newArg = name case "NAME=NAME": newArg = fmt.Sprintf("NAME=%s", name) - case "NAME=$NAME": - newArg = fmt.Sprintf("NAME=%s", name) - case "$NAME": - newArg = name case "$GLOBAL_OPTS": newArg = globalOpts default: - newArg = arg + newArg = replaceName(arg, name) + newArg = replaceImage(newArg, imageName) } newCommand = append(newCommand, newArg) } diff --git a/test/system/037-runlabel.bats b/test/system/037-runlabel.bats new file mode 100644 index 000000000..8e18f40d3 --- /dev/null +++ b/test/system/037-runlabel.bats @@ -0,0 +1,32 @@ +#!/usr/bin/env bats + +load helpers + +@test "podman container runlabel test" { + skip_if_remote "container runlabel is not supported for remote" + tmpdir=$PODMAN_TMPDIR/runlabel-test + mkdir -p $tmpdir + containerfile=$tmpdir/Containerfile + rand1=$(random_string 30) + rand2=$(random_string 30) + rand3=$(random_string 30) + cat >$containerfile < Date: Wed, 14 Apr 2021 14:15:13 -0400 Subject: Test that we don't error out on advertised --log-level values Signed-off-by: Nalin Dahyabhai --- test/system/001-basic.bats | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'test') diff --git a/test/system/001-basic.bats b/test/system/001-basic.bats index d276cfda1..f2e85ef6b 100644 --- a/test/system/001-basic.bats +++ b/test/system/001-basic.bats @@ -104,4 +104,17 @@ function setup() { is "$output" "you found me" "sample invocation of 'jq'" } +@test "podman --log-level recognizes log levels" { + run_podman 1 --log-level=telepathic info + is "$output" 'Log Level "telepathic" is not supported.*' + run_podman --log-level=trace info + run_podman --log-level=debug info + run_podman --log-level=info info + run_podman --log-level=warn info + run_podman --log-level=warning info + run_podman --log-level=error info + run_podman --log-level=fatal info + run_podman --log-level=panic info +} + # vim: filetype=sh -- cgit v1.2.3-54-g00ecf From 386300443b4b7acecba25809e4af3129d640aee5 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 12 Apr 2021 16:52:42 +0200 Subject: cgroup: do not set cgroup parent when rootless and cgroupfs do not set the cgroup parent when running as rootless with cgroupfs, even if cgroup v2 is used. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1947999 Signed-off-by: Giuseppe Scrivano --- libpod/container_internal_linux.go | 2 +- test/system/420-cgroups.bats | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) (limited to 'test') diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index a136fb72d..0669f4db5 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -2214,7 +2214,7 @@ func (c *Container) getOCICgroupPath() (string, error) { } cgroupManager := c.CgroupManager() switch { - case (rootless.IsRootless() && !unified) || c.config.NoCgroups: + case (rootless.IsRootless() && (cgroupManager == config.CgroupfsCgroupsManager || !unified)) || c.config.NoCgroups: return "", nil case c.config.CgroupsMode == cgroupSplit: if c.config.CgroupParent != "" { diff --git a/test/system/420-cgroups.bats b/test/system/420-cgroups.bats index 615e43e6c..89c81a742 100644 --- a/test/system/420-cgroups.bats +++ b/test/system/420-cgroups.bats @@ -24,6 +24,11 @@ load helpers run_podman container inspect --format '{{.HostConfig.CgroupManager}}' myc is "$output" "$other" "podman preserved .HostConfig.CgroupManager" + if is_rootless && test $other = cgroupfs ; then + run_podman container inspect --format '{{.HostConfig.CgroupParent}}' myc + is "$output" "" "podman didn't set .HostConfig.CgroupParent for cgroupfs and rootless" + fi + # Restart the container, without --cgroup-manager option (ie use default) # Prior to #7970, this would fail with an OCI runtime error run_podman start myc -- cgit v1.2.3-54-g00ecf From f218d8849dd27d13a990bf998e64a40169e8674c Mon Sep 17 00:00:00 2001 From: Jhon Honce Date: Mon, 12 Apr 2021 09:33:51 -0700 Subject: [CI:DOCS] Correct status code for /pods/create Swagger documentation reported that the API endpoint /pods/create returned 200 while the as-built code returned 201. 201 is more correct so documentation updated. Tests already checked for 201 so no updated needed. Signed-off-by: Jhon Honce --- pkg/api/server/register_pods.go | 2 +- test/apiv2/rest_api/test_rest_v2_0_0.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'test') diff --git a/pkg/api/server/register_pods.go b/pkg/api/server/register_pods.go index c66cc48ff..d0887aada 100644 --- a/pkg/api/server/register_pods.go +++ b/pkg/api/server/register_pods.go @@ -38,7 +38,7 @@ func (s *APIServer) registerPodsHandlers(r *mux.Router) error { // schema: // $ref: "#/definitions/PodSpecGenerator" // responses: - // 200: + // 201: // schema: // $ref: "#/definitions/IdResponse" // 400: diff --git a/test/apiv2/rest_api/test_rest_v2_0_0.py b/test/apiv2/rest_api/test_rest_v2_0_0.py index d7910f555..9924bd65e 100644 --- a/test/apiv2/rest_api/test_rest_v2_0_0.py +++ b/test/apiv2/rest_api/test_rest_v2_0_0.py @@ -728,5 +728,6 @@ class TestApi(unittest.TestCase): self.assertGreater(len(start["Errs"]), 0, r.text) + if __name__ == "__main__": unittest.main() -- cgit v1.2.3-54-g00ecf From 7ccccd22cd8413e3319c24be6b074385d760d341 Mon Sep 17 00:00:00 2001 From: Jhon Honce Date: Wed, 7 Apr 2021 13:55:03 -0700 Subject: Add missing return libpod df handler missing a return after writing error to client. This caused a null to be appended to JSON and crashed python decoder. Signed-off-by: Jhon Honce --- pkg/api/handlers/libpod/system.go | 1 + test/apiv2/rest_api/test_rest_v2_0_0.py | 4 ++++ 2 files changed, 5 insertions(+) (limited to 'test') diff --git a/pkg/api/handlers/libpod/system.go b/pkg/api/handlers/libpod/system.go index 02457eb8f..2b4cef1bb 100644 --- a/pkg/api/handlers/libpod/system.go +++ b/pkg/api/handlers/libpod/system.go @@ -72,6 +72,7 @@ func DiskUsage(w http.ResponseWriter, r *http.Request) { response, err := ic.SystemDf(r.Context(), options) if err != nil { utils.InternalServerError(w, err) + return } utils.WriteResponse(w, http.StatusOK, response) } diff --git a/test/apiv2/rest_api/test_rest_v2_0_0.py b/test/apiv2/rest_api/test_rest_v2_0_0.py index 9924bd65e..75e07ad3c 100644 --- a/test/apiv2/rest_api/test_rest_v2_0_0.py +++ b/test/apiv2/rest_api/test_rest_v2_0_0.py @@ -727,6 +727,10 @@ class TestApi(unittest.TestCase): start = json.loads(r.text) self.assertGreater(len(start["Errs"]), 0, r.text) + def test_df(self): + r = requests.get(_url("/system/df")) + self.assertEqual(r.status_code, 200, r.text) + if __name__ == "__main__": -- cgit v1.2.3-54-g00ecf From 3338901c4fe0c185a3980b799d2f687d0731b327 Mon Sep 17 00:00:00 2001 From: Jakub Guzik Date: Wed, 7 Apr 2021 00:02:12 +0200 Subject: Volumes prune endpoint should use only prune filters Volumes endpoints for HTTP compat and libpod APIs allowed usage of list HTTP endpoint filter funcs. Documentation in case of compat API does not allow that. This commit aligns code with the documentation and also ligns libpod with compat API. Signed-off-by: Jakub Guzik --- pkg/api/handlers/compat/volumes.go | 2 +- pkg/api/handlers/libpod/volumes.go | 2 +- pkg/domain/filters/volumes.go | 20 +++++++++++++++++++- test/apiv2/30-volumes.at | 16 ++++++++++++++++ 4 files changed, 37 insertions(+), 3 deletions(-) (limited to 'test') diff --git a/pkg/api/handlers/compat/volumes.go b/pkg/api/handlers/compat/volumes.go index 42ece643b..d86fc1e19 100644 --- a/pkg/api/handlers/compat/volumes.go +++ b/pkg/api/handlers/compat/volumes.go @@ -266,7 +266,7 @@ func PruneVolumes(w http.ResponseWriter, r *http.Request) { } f := (url.Values)(*filterMap) - filterFuncs, err := filters.GenerateVolumeFilters(f) + filterFuncs, err := filters.GeneratePruneVolumeFilters(f) if err != nil { utils.Error(w, "Something when wrong.", http.StatusInternalServerError, errors.Wrapf(err, "failed to parse filters for %s", f.Encode())) return diff --git a/pkg/api/handlers/libpod/volumes.go b/pkg/api/handlers/libpod/volumes.go index 442b53d1e..68aec30d5 100644 --- a/pkg/api/handlers/libpod/volumes.go +++ b/pkg/api/handlers/libpod/volumes.go @@ -150,7 +150,7 @@ func pruneVolumesHelper(r *http.Request) ([]*reports.PruneReport, error) { } f := (url.Values)(*filterMap) - filterFuncs, err := filters.GenerateVolumeFilters(f) + filterFuncs, err := filters.GeneratePruneVolumeFilters(f) if err != nil { return nil, err } diff --git a/pkg/domain/filters/volumes.go b/pkg/domain/filters/volumes.go index 9b2fc5280..9a08adf82 100644 --- a/pkg/domain/filters/volumes.go +++ b/pkg/domain/filters/volumes.go @@ -75,7 +75,25 @@ func GenerateVolumeFilters(filters url.Values) ([]libpod.VolumeFilter, error) { return dangling }) default: - return nil, errors.Errorf("%q is in an invalid volume filter", filter) + return nil, errors.Errorf("%q is an invalid volume filter", filter) + } + } + } + return vf, nil +} + +func GeneratePruneVolumeFilters(filters url.Values) ([]libpod.VolumeFilter, error) { + var vf []libpod.VolumeFilter + for filter, v := range filters { + for _, val := range v { + switch filter { + case "label": + filter := val + vf = append(vf, func(v *libpod.Volume) bool { + return util.MatchLabelFilters([]string{filter}, v.Labels()) + }) + default: + return nil, errors.Errorf("%q is an invalid volume filter", filter) } } } diff --git a/test/apiv2/30-volumes.at b/test/apiv2/30-volumes.at index 18ff31100..623e691e3 100644 --- a/test/apiv2/30-volumes.at +++ b/test/apiv2/30-volumes.at @@ -123,4 +123,20 @@ t POST libpod/volumes/prune 200 #After prune volumes, there should be no volume existing t GET libpod/volumes/json 200 length=0 +# libpod api: do not use list filters for prune +t POST libpod/volumes/prune?filters='{"name":["anyname"]}' 500 \ + .cause="\"name\" is an invalid volume filter" +t POST libpod/volumes/prune?filters='{"driver":["anydriver"]}' 500 \ + .cause="\"driver\" is an invalid volume filter" +t POST libpod/volumes/prune?filters='{"scope":["anyscope"]}' 500 \ + .cause="\"scope\" is an invalid volume filter" + +# compat api: do not use list filters for prune +t POST volumes/prune?filters='{"name":["anyname"]}' 500 \ + .cause="\"name\" is an invalid volume filter" +t POST volumes/prune?filters='{"driver":["anydriver"]}' 500 \ + .cause="\"driver\" is an invalid volume filter" +t POST volumes/prune?filters='{"scope":["anyscope"]}' 500 \ + .cause="\"scope\" is an invalid volume filter" + # vim: filetype=sh -- cgit v1.2.3-54-g00ecf From 0cbd3225909d982a7dbd5fbc8c593dc1315abb8b Mon Sep 17 00:00:00 2001 From: Matthew Heon Date: Mon, 5 Apr 2021 15:49:35 -0400 Subject: Ensure that `--userns=keep-id` sets user in config One of the side-effects of the `--userns=keep-id` command is switching the default user of the container to the UID of the user running Podman (though this can still be overridden by the `--user` flag). However, it did this by setting the UID and GID in the OCI spec, and not by informing Libpod of its intention to switch users via the `WithUser()` option. Because of this, a lot of the code that should have triggered when the container ran with a non-root user was not triggering. In the case of the issue that this fixed, the code to remove capabilities from non-root users was not triggering. Adjust the keep-id code to properly inform Libpod of our intention to use a non-root user to fix this. Also, fix an annoying race around short-running exec sessions where Podman would always print a warning that the exec session had already stopped. Fixes #9919 Signed-off-by: Matthew Heon --- libpod/container_exec.go | 27 +++++++- libpod/container_validate.go | 6 ++ libpod/oci_conmon_exec_linux.go | 124 +++++++++++++++++++++++++++++++++++++ libpod/oci_conmon_linux.go | 120 ----------------------------------- pkg/specgen/generate/namespaces.go | 10 +++ test/e2e/exec_test.go | 14 ++++- 6 files changed, 178 insertions(+), 123 deletions(-) (limited to 'test') diff --git a/libpod/container_exec.go b/libpod/container_exec.go index bb43287d9..8d8ed14aa 100644 --- a/libpod/container_exec.go +++ b/libpod/container_exec.go @@ -696,6 +696,24 @@ func (c *Container) ExecResize(sessionID string, newSize define.TerminalSize) er return errors.Wrapf(define.ErrExecSessionStateInvalid, "cannot resize container %s exec session %s as it is not running", c.ID(), session.ID()) } + // The exec session may have exited since we last updated. + // Needed to prevent race conditions around short-running exec sessions. + running, err := c.ociRuntime.ExecUpdateStatus(c, session.ID()) + if err != nil { + return err + } + if !running { + session.State = define.ExecStateStopped + + if err := c.save(); err != nil { + logrus.Errorf("Error saving state of container %s: %v", c.ID(), err) + } + + return errors.Wrapf(define.ErrExecSessionStateInvalid, "cannot resize container %s exec session %s as it has stopped", c.ID(), session.ID()) + } + + // Make sure the exec session is still running. + return c.ociRuntime.ExecAttachResize(c, sessionID, newSize) } @@ -720,8 +738,13 @@ func (c *Container) Exec(config *ExecConfig, streams *define.AttachStreams, resi logrus.Debugf("Sending resize events to exec session %s", sessionID) for resizeRequest := range resize { if err := c.ExecResize(sessionID, resizeRequest); err != nil { - // Assume the exec session went down. - logrus.Warnf("Error resizing exec session %s: %v", sessionID, err) + if errors.Cause(err) == define.ErrExecSessionStateInvalid { + // The exec session stopped + // before we could resize. + logrus.Infof("Missed resize on exec session %s, already stopped", sessionID) + } else { + logrus.Warnf("Error resizing exec session %s: %v", sessionID, err) + } return } } diff --git a/libpod/container_validate.go b/libpod/container_validate.go index 245121a91..aae96ae85 100644 --- a/libpod/container_validate.go +++ b/libpod/container_validate.go @@ -126,5 +126,11 @@ func (c *Container) validate() error { } } + // If User in the OCI spec is set, require that c.config.User is set for + // security reasons (a lot of our code relies on c.config.User). + if c.config.User == "" && (c.config.Spec.Process.User.UID != 0 || c.config.Spec.Process.User.GID != 0) { + return errors.Wrapf(define.ErrInvalidArg, "please set User explicitly via WithUser() instead of in OCI spec directly") + } + return nil } diff --git a/libpod/oci_conmon_exec_linux.go b/libpod/oci_conmon_exec_linux.go index 173edba2b..b43316951 100644 --- a/libpod/oci_conmon_exec_linux.go +++ b/libpod/oci_conmon_exec_linux.go @@ -2,18 +2,23 @@ package libpod import ( "fmt" + "io/ioutil" "net/http" "os" "os/exec" "path/filepath" + "strings" "syscall" "time" + "github.com/containers/common/pkg/capabilities" "github.com/containers/common/pkg/config" "github.com/containers/podman/v3/libpod/define" "github.com/containers/podman/v3/pkg/errorhandling" + "github.com/containers/podman/v3/pkg/lookup" "github.com/containers/podman/v3/pkg/util" "github.com/containers/podman/v3/utils" + spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/pkg/errors" "github.com/sirupsen/logrus" "golang.org/x/sys/unix" @@ -654,3 +659,122 @@ func attachExecHTTP(c *Container, sessionID string, r *http.Request, w http.Resp } } } + +// prepareProcessExec returns the path of the process.json used in runc exec -p +// caller is responsible to close the returned *os.File if needed. +func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessionID string) (*os.File, error) { + f, err := ioutil.TempFile(c.execBundlePath(sessionID), "exec-process-") + if err != nil { + return nil, err + } + pspec := new(spec.Process) + if err := JSONDeepCopy(c.config.Spec.Process, pspec); err != nil { + return nil, err + } + pspec.SelinuxLabel = c.config.ProcessLabel + pspec.Args = options.Cmd + + // We need to default this to false else it will inherit terminal as true + // from the container. + pspec.Terminal = false + if options.Terminal { + pspec.Terminal = true + } + if len(env) > 0 { + pspec.Env = append(pspec.Env, env...) + } + + if options.Cwd != "" { + pspec.Cwd = options.Cwd + } + + var addGroups []string + var sgids []uint32 + + // if the user is empty, we should inherit the user that the container is currently running with + user := options.User + if user == "" { + logrus.Debugf("Set user to %s", c.config.User) + user = c.config.User + addGroups = c.config.Groups + } + + overrides := c.getUserOverrides() + execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, overrides) + if err != nil { + return nil, err + } + + if len(addGroups) > 0 { + sgids, err = lookup.GetContainerGroups(addGroups, c.state.Mountpoint, overrides) + if err != nil { + return nil, errors.Wrapf(err, "error looking up supplemental groups for container %s exec session %s", c.ID(), sessionID) + } + } + + // If user was set, look it up in the container to get a UID to use on + // the host + if user != "" || len(sgids) > 0 { + if user != "" { + for _, sgid := range execUser.Sgids { + sgids = append(sgids, uint32(sgid)) + } + } + processUser := spec.User{ + UID: uint32(execUser.Uid), + GID: uint32(execUser.Gid), + AdditionalGids: sgids, + } + + pspec.User = processUser + } + + ctrSpec, err := c.specFromState() + if err != nil { + return nil, err + } + + allCaps, err := capabilities.BoundingSet() + if err != nil { + return nil, err + } + if options.Privileged { + pspec.Capabilities.Bounding = allCaps + } else { + pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding + } + if execUser.Uid == 0 { + pspec.Capabilities.Effective = pspec.Capabilities.Bounding + pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding + pspec.Capabilities.Permitted = pspec.Capabilities.Bounding + pspec.Capabilities.Ambient = pspec.Capabilities.Bounding + } else { + if user == c.config.User { + pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective + pspec.Capabilities.Inheritable = ctrSpec.Process.Capabilities.Effective + pspec.Capabilities.Permitted = ctrSpec.Process.Capabilities.Effective + pspec.Capabilities.Ambient = ctrSpec.Process.Capabilities.Effective + } + } + + hasHomeSet := false + for _, s := range pspec.Env { + if strings.HasPrefix(s, "HOME=") { + hasHomeSet = true + break + } + } + if !hasHomeSet { + pspec.Env = append(pspec.Env, fmt.Sprintf("HOME=%s", execUser.Home)) + } + + processJSON, err := json.Marshal(pspec) + if err != nil { + return nil, err + } + + if err := ioutil.WriteFile(f.Name(), processJSON, 0644); err != nil { + return nil, err + } + return f, nil +} diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go index 643a626fc..5e8ed12e7 100644 --- a/libpod/oci_conmon_linux.go +++ b/libpod/oci_conmon_linux.go @@ -22,7 +22,6 @@ import ( "text/template" "time" - "github.com/containers/common/pkg/capabilities" "github.com/containers/common/pkg/config" conmonConfig "github.com/containers/conmon/runner/config" "github.com/containers/podman/v3/libpod/define" @@ -30,7 +29,6 @@ import ( "github.com/containers/podman/v3/pkg/cgroups" "github.com/containers/podman/v3/pkg/checkpoint/crutils" "github.com/containers/podman/v3/pkg/errorhandling" - "github.com/containers/podman/v3/pkg/lookup" "github.com/containers/podman/v3/pkg/rootless" "github.com/containers/podman/v3/pkg/util" "github.com/containers/podman/v3/utils" @@ -1195,124 +1193,6 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co return nil } -// prepareProcessExec returns the path of the process.json used in runc exec -p -// caller is responsible to close the returned *os.File if needed. -func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessionID string) (*os.File, error) { - f, err := ioutil.TempFile(c.execBundlePath(sessionID), "exec-process-") - if err != nil { - return nil, err - } - pspec := new(spec.Process) - if err := JSONDeepCopy(c.config.Spec.Process, pspec); err != nil { - return nil, err - } - pspec.SelinuxLabel = c.config.ProcessLabel - pspec.Args = options.Cmd - - // We need to default this to false else it will inherit terminal as true - // from the container. - pspec.Terminal = false - if options.Terminal { - pspec.Terminal = true - } - if len(env) > 0 { - pspec.Env = append(pspec.Env, env...) - } - - if options.Cwd != "" { - pspec.Cwd = options.Cwd - } - - var addGroups []string - var sgids []uint32 - - // if the user is empty, we should inherit the user that the container is currently running with - user := options.User - if user == "" { - user = c.config.User - addGroups = c.config.Groups - } - - overrides := c.getUserOverrides() - execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, overrides) - if err != nil { - return nil, err - } - - if len(addGroups) > 0 { - sgids, err = lookup.GetContainerGroups(addGroups, c.state.Mountpoint, overrides) - if err != nil { - return nil, errors.Wrapf(err, "error looking up supplemental groups for container %s exec session %s", c.ID(), sessionID) - } - } - - // If user was set, look it up in the container to get a UID to use on - // the host - if user != "" || len(sgids) > 0 { - if user != "" { - for _, sgid := range execUser.Sgids { - sgids = append(sgids, uint32(sgid)) - } - } - processUser := spec.User{ - UID: uint32(execUser.Uid), - GID: uint32(execUser.Gid), - AdditionalGids: sgids, - } - - pspec.User = processUser - } - - ctrSpec, err := c.specFromState() - if err != nil { - return nil, err - } - - allCaps, err := capabilities.BoundingSet() - if err != nil { - return nil, err - } - if options.Privileged { - pspec.Capabilities.Bounding = allCaps - } else { - pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding - } - if execUser.Uid == 0 { - pspec.Capabilities.Effective = pspec.Capabilities.Bounding - pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding - pspec.Capabilities.Permitted = pspec.Capabilities.Bounding - pspec.Capabilities.Ambient = pspec.Capabilities.Bounding - } else { - if user == c.config.User { - pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective - pspec.Capabilities.Inheritable = ctrSpec.Process.Capabilities.Effective - pspec.Capabilities.Permitted = ctrSpec.Process.Capabilities.Effective - pspec.Capabilities.Ambient = ctrSpec.Process.Capabilities.Effective - } - } - - hasHomeSet := false - for _, s := range pspec.Env { - if strings.HasPrefix(s, "HOME=") { - hasHomeSet = true - break - } - } - if !hasHomeSet { - pspec.Env = append(pspec.Env, fmt.Sprintf("HOME=%s", execUser.Home)) - } - - processJSON, err := json.Marshal(pspec) - if err != nil { - return nil, err - } - - if err := ioutil.WriteFile(f.Name(), processJSON, 0644); err != nil { - return nil, err - } - return f, nil -} - // configureConmonEnv gets the environment values to add to conmon's exec struct // TODO this may want to be less hardcoded/more configurable in the future func (r *ConmonOCIRuntime) configureConmonEnv(ctr *Container, runtimeDir string) ([]string, []*os.File) { diff --git a/pkg/specgen/generate/namespaces.go b/pkg/specgen/generate/namespaces.go index b87375a92..214f6c1bc 100644 --- a/pkg/specgen/generate/namespaces.go +++ b/pkg/specgen/generate/namespaces.go @@ -157,6 +157,16 @@ func namespaceOptions(ctx context.Context, s *specgen.SpecGenerator, rt *libpod. case specgen.KeepID: if rootless.IsRootless() { toReturn = append(toReturn, libpod.WithAddCurrentUserPasswdEntry()) + + // If user is not overridden, set user in the container + // to user running Podman. + if s.User == "" { + _, uid, gid, err := util.GetKeepIDMapping() + if err != nil { + return nil, err + } + toReturn = append(toReturn, libpod.WithUser(fmt.Sprintf("%d:%d", uid, gid))) + } } else { // keep-id as root doesn't need a user namespace s.UserNS.NSMode = specgen.Host diff --git a/test/e2e/exec_test.go b/test/e2e/exec_test.go index df86eab15..e6f63a391 100644 --- a/test/e2e/exec_test.go +++ b/test/e2e/exec_test.go @@ -119,6 +119,19 @@ var _ = Describe("Podman exec", func() { Expect(session.ExitCode()).To(Equal(100)) }) + It("podman exec in keep-id container drops privileges", func() { + SkipIfNotRootless("This function is not enabled for rootful podman") + ctrName := "testctr1" + testCtr := podmanTest.Podman([]string{"run", "-d", "--name", ctrName, "--userns=keep-id", ALPINE, "top"}) + testCtr.WaitWithDefaultTimeout() + Expect(testCtr.ExitCode()).To(Equal(0)) + + session := podmanTest.Podman([]string{"exec", ctrName, "grep", "CapEff", "/proc/self/status"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("0000000000000000")) + }) + It("podman exec --privileged", func() { session := podmanTest.Podman([]string{"run", "--privileged", "--rm", ALPINE, "sh", "-c", "grep ^CapBnd /proc/self/status | cut -f 2"}) session.WaitWithDefaultTimeout() @@ -143,7 +156,6 @@ var _ = Describe("Podman exec", func() { session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) Expect(session.OutputToString()).To(ContainSubstring(bndPerms)) - }) It("podman exec --privileged", func() { -- cgit v1.2.3-54-g00ecf From b3ef9e4dd8f91326b1f5e85360679ec5ffd213f9 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 31 Mar 2021 16:45:35 -0400 Subject: Allow users to override default storage opts with --storage-opt We define in the man page that this overrides the default storage options, but the code was appending to the existing options. This PR also makes a change to allow users to specify --storage-opt="". This will turn off all storage options. https://github.com/containers/podman/issues/9852 Signed-off-by: Daniel J Walsh --- docs/source/markdown/podman.1.md | 2 +- libpod/options.go | 3 +-- pkg/domain/infra/runtime_libpod.go | 6 +++++- test/system/005-info.bats | 9 +++++++++ 4 files changed, 16 insertions(+), 4 deletions(-) (limited to 'test') diff --git a/docs/source/markdown/podman.1.md b/docs/source/markdown/podman.1.md index 87e3c4eab..c25ff17fa 100644 --- a/docs/source/markdown/podman.1.md +++ b/docs/source/markdown/podman.1.md @@ -148,7 +148,7 @@ specify additional options via the `--storage-opt` flag. #### **\-\-storage-opt**=*value* -Storage driver option, Default storage driver options are configured in /etc/containers/storage.conf (`$HOME/.config/containers/storage.conf` in rootless mode). The `STORAGE_OPTS` environment variable overrides the default. The --storage-opt specified options overrides all. +Storage driver option, Default storage driver options are configured in /etc/containers/storage.conf (`$HOME/.config/containers/storage.conf` in rootless mode). The `STORAGE_OPTS` environment variable overrides the default. The --storage-opt specified options overrides all. If you specify --storage-opt="", no storage options will be used. #### **\-\-syslog**=*true|false* diff --git a/libpod/options.go b/libpod/options.go index 24e9d74f4..333a7c4a5 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -77,8 +77,7 @@ func WithStorageConfig(config storage.StoreOptions) RuntimeOption { rt.storageConfig.GraphDriverOptions = make([]string, len(config.GraphDriverOptions)) copy(rt.storageConfig.GraphDriverOptions, config.GraphDriverOptions) } else { - // append new options after what is specified in the config files - rt.storageConfig.GraphDriverOptions = append(rt.storageConfig.GraphDriverOptions, config.GraphDriverOptions...) + rt.storageConfig.GraphDriverOptions = config.GraphDriverOptions } setField = true } diff --git a/pkg/domain/infra/runtime_libpod.go b/pkg/domain/infra/runtime_libpod.go index 8b6581c7b..889a81acc 100644 --- a/pkg/domain/infra/runtime_libpod.go +++ b/pkg/domain/infra/runtime_libpod.go @@ -146,7 +146,11 @@ func getRuntime(ctx context.Context, fs *flag.FlagSet, opts *engineOpts) (*libpo // This should always be checked after storage-driver is checked if len(cfg.StorageOpts) > 0 { storageSet = true - storageOpts.GraphDriverOptions = cfg.StorageOpts + if len(cfg.StorageOpts) == 1 && cfg.StorageOpts[0] == "" { + storageOpts.GraphDriverOptions = []string{} + } else { + storageOpts.GraphDriverOptions = cfg.StorageOpts + } } if opts.migrate { options = append(options, libpod.WithMigrate()) diff --git a/test/system/005-info.bats b/test/system/005-info.bats index 7452c1901..c0af2e937 100644 --- a/test/system/005-info.bats +++ b/test/system/005-info.bats @@ -53,4 +53,13 @@ store.imageStore.number | 1 } +@test "podman info --storage-opt='' " { + skip_if_remote "--storage-opt flag is not supported for remote" + skip_if_rootless "storage opts are required for rootless running" + run_podman --storage-opt='' info + # Note this will not work in rootless mode, unless you specify + # storage-driver=vfs, until we have kernels that support rootless overlay + # mounts. + is "$output" ".*graphOptions: {}" "output includes graphOptions: {}" +} # vim: filetype=sh -- cgit v1.2.3-54-g00ecf From 179f02621554e08005df005c162eba482f808c60 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 30 Mar 2021 16:46:52 -0400 Subject: Don't relabel volumes if running in a privileged container Docker does not relabel this content, and openstack is running containers in this manner. There is a penalty for doing this on each container, that is not worth taking on a disable SELinux container. Signed-off-by: Daniel J Walsh --- libpod/container_internal_linux.go | 10 ++++++++-- test/system/410-selinux.bats | 28 ++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 2 deletions(-) (limited to 'test') diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index 0669f4db5..1990ac776 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -380,8 +380,14 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { case "z": fallthrough case "Z": - if err := label.Relabel(m.Source, c.MountLabel(), label.IsShared(o)); err != nil { - return nil, err + if c.MountLabel() != "" { + if c.ProcessLabel() != "" { + if err := label.Relabel(m.Source, c.MountLabel(), label.IsShared(o)); err != nil { + return nil, err + } + } else { + logrus.Infof("Not relabeling volume %q in container %s as SELinux is disabled", m.Source, c.ID()) + } } default: diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats index 4a2c7b7a4..8a690fb48 100644 --- a/test/system/410-selinux.bats +++ b/test/system/410-selinux.bats @@ -191,5 +191,33 @@ function check_label() { is "$output" "Error.*: \`/proc/thread-self/attr/exec\`: OCI runtime error: unable to assign security attribute" "useful diagnostic" } +@test "podman selinux: check relabel" { + skip_if_no_selinux + + LABEL="system_u:object_r:tmp_t:s0" + tmpdir=$PODMAN_TMPDIR/vol + touch $tmpdir + chcon -vR ${LABEL} $tmpdir + ls -Z $tmpdir + + run_podman run -v $tmpdir:/test $IMAGE cat /proc/self/attr/current + level=$(secon -l $output) + run ls -dZ ${tmpdir} + is "$output" ${LABEL} "No Relabel Correctly" + + run_podman run -v $tmpdir:/test:Z --security-opt label=disable $IMAGE cat /proc/self/attr/current + level=$(secon -l $output) + run ls -dZ $tmpdir + is "$output" ${LABEL} "No Privileged Relabel Correctly" + + run_podman run -v $tmpdir:/test:Z $IMAGE cat /proc/self/attr/current + level=$(secon -l $output) + run ls -dZ $tmpdir + is "$output" "system_u:object_r:container_file_t:$level" "Confined Relabel Correctly" + + run_podman run -v $tmpdir:/test:z $IMAGE cat /proc/self/attr/current + run ls -dZ $tmpdir + is "$output" "system_u:object_r:container_file_t:s0" "Shared Relabel Correctly" +} # vim: filetype=sh -- cgit v1.2.3-54-g00ecf From 10bc6233bb621bdc4971ae1da234208b1936d4cc Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 31 Mar 2021 07:37:36 -0400 Subject: Fix handling of remove --log-rusage param Fixes: https://github.com/containers/podman/issues/9889 Signed-off-by: Daniel J Walsh --- pkg/api/handlers/compat/images_build.go | 1 + test/e2e/build_test.go | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) (limited to 'test') diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go index 5b8741e89..52012cde8 100644 --- a/pkg/api/handlers/compat/images_build.go +++ b/pkg/api/handlers/compat/images_build.go @@ -350,6 +350,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { Jobs: &jobs, Labels: labels, Layers: query.Layers, + LogRusage: query.LogRusage, Manifest: query.Manifest, MaxPullPushRetries: 3, NamespaceOptions: nsoptions, diff --git a/test/e2e/build_test.go b/test/e2e/build_test.go index 95ed23313..4f337116e 100644 --- a/test/e2e/build_test.go +++ b/test/e2e/build_test.go @@ -549,4 +549,21 @@ RUN echo hello`, ALPINE) inspect.WaitWithDefaultTimeout() Expect(inspect.OutputToString()).To(Equal("1970-01-01 00:00:00 +0000 UTC")) }) + + It("podman build --log-rusage", func() { + targetPath, err := CreateTempDirInTempDir() + Expect(err).To(BeNil()) + + containerFile := filepath.Join(targetPath, "Containerfile") + content := `FROM scratch` + + Expect(ioutil.WriteFile(containerFile, []byte(content), 0755)).To(BeNil()) + + session := podmanTest.Podman([]string{"build", "--log-rusage", "--pull-never", targetPath}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(ContainSubstring("(system)")) + Expect(session.OutputToString()).To(ContainSubstring("(user)")) + Expect(session.OutputToString()).To(ContainSubstring("(elapsed)")) + }) }) -- cgit v1.2.3-54-g00ecf From 10a58c976bf716e8f91b80759d3043f5986f5c9e Mon Sep 17 00:00:00 2001 From: Jhon Honce Date: Tue, 30 Mar 2021 10:42:06 -0700 Subject: Trim white space from /top endpoint results Versions of the ps command have additional spaces between fields, this manifests as the container asking to run "top" and API reporting "top " as a process. Endpoint and tests updated to check that "top" is reported. There is no libpod specialized endpoint to update. Signed-off-by: Jhon Honce --- pkg/api/handlers/compat/containers_top.go | 10 +++++++++- test/apiv2/25-containersMore.at | 3 ++- 2 files changed, 11 insertions(+), 2 deletions(-) (limited to 'test') diff --git a/pkg/api/handlers/compat/containers_top.go b/pkg/api/handlers/compat/containers_top.go index ab9f613af..cae044a89 100644 --- a/pkg/api/handlers/compat/containers_top.go +++ b/pkg/api/handlers/compat/containers_top.go @@ -46,8 +46,16 @@ func TopContainer(w http.ResponseWriter, r *http.Request) { var body = handlers.ContainerTopOKBody{} if len(output) > 0 { body.Titles = strings.Split(output[0], "\t") + for i := range body.Titles { + body.Titles[i] = strings.TrimSpace(body.Titles[i]) + } + for _, line := range output[1:] { - body.Processes = append(body.Processes, strings.Split(line, "\t")) + process := strings.Split(line, "\t") + for i := range process { + process[i] = strings.TrimSpace(process[i]) + } + body.Processes = append(body.Processes, process) } } utils.WriteJSON(w, http.StatusOK, body) diff --git a/test/apiv2/25-containersMore.at b/test/apiv2/25-containersMore.at index 39bfa2e32..0a049d869 100644 --- a/test/apiv2/25-containersMore.at +++ b/test/apiv2/25-containersMore.at @@ -38,7 +38,8 @@ t GET libpod/containers/foo/json 200 \ # List processes of the container t GET libpod/containers/foo/top 200 \ - length=2 + length=2 \ + .Processes[0][7]="top" # List processes of none such t GET libpod/containers/nonesuch/top 404 -- cgit v1.2.3-54-g00ecf From f5a25c59e3928233da84989da2cbeff73e97c02d Mon Sep 17 00:00:00 2001 From: Jakub Guzik Date: Tue, 30 Mar 2021 10:19:22 +0200 Subject: Containers prune endpoint should use only prune filters Containers endpoints for HTTP compad and libpod APIs allowed usage of list HTTP endpoint filter funcs. Documentation in case of libpod and compat API does not allow that. This commit aligns code with the documentation. Signed-off-by: Jakub Guzik --- pkg/api/handlers/compat/containers_prune.go | 2 +- pkg/bindings/test/containers_test.go | 15 ++++++++---- pkg/domain/filters/containers.go | 37 +++++++++++++++++++++-------- pkg/domain/infra/abi/containers.go | 2 +- test/apiv2/20-containers.at | 18 +++++++++++++- 5 files changed, 57 insertions(+), 17 deletions(-) (limited to 'test') diff --git a/pkg/api/handlers/compat/containers_prune.go b/pkg/api/handlers/compat/containers_prune.go index e37929d27..61ea7a89e 100644 --- a/pkg/api/handlers/compat/containers_prune.go +++ b/pkg/api/handlers/compat/containers_prune.go @@ -23,7 +23,7 @@ func PruneContainers(w http.ResponseWriter, r *http.Request) { filterFuncs := make([]libpod.ContainerFilter, 0, len(*filtersMap)) for k, v := range *filtersMap { - generatedFunc, err := filters.GenerateContainerFilterFuncs(k, v, runtime) + generatedFunc, err := filters.GeneratePruneContainerFilterFuncs(k, v, runtime) if err != nil { utils.InternalServerError(w, err) return diff --git a/pkg/bindings/test/containers_test.go b/pkg/bindings/test/containers_test.go index b0ddc7862..cb9e0721b 100644 --- a/pkg/bindings/test/containers_test.go +++ b/pkg/bindings/test/containers_test.go @@ -550,21 +550,28 @@ var _ = Describe("Podman containers ", func() { filtersIncorrect := map[string][]string{ "status": {"dummy"}, } - pruneResponse, err := containers.Prune(bt.conn, new(containers.PruneOptions).WithFilters(filtersIncorrect)) + _, err = containers.Prune(bt.conn, new(containers.PruneOptions).WithFilters(filtersIncorrect)) + Expect(err).ToNot(BeNil()) + + // List filter params should not work with prune. + filtersIncorrect = map[string][]string{ + "name": {"top"}, + } + _, err = containers.Prune(bt.conn, new(containers.PruneOptions).WithFilters(filtersIncorrect)) Expect(err).ToNot(BeNil()) // Mismatched filter params no container should be pruned. filtersIncorrect = map[string][]string{ - "name": {"r"}, + "label": {"xyz"}, } - pruneResponse, err = containers.Prune(bt.conn, new(containers.PruneOptions).WithFilters(filtersIncorrect)) + pruneResponse, err := containers.Prune(bt.conn, new(containers.PruneOptions).WithFilters(filtersIncorrect)) Expect(err).To(BeNil()) Expect(len(reports.PruneReportsIds(pruneResponse))).To(Equal(0)) Expect(len(reports.PruneReportsErrs(pruneResponse))).To(Equal(0)) // Valid filter params container should be pruned now. filters := map[string][]string{ - "name": {"top"}, + "until": {"0s"}, } pruneResponse, err = containers.Prune(bt.conn, new(containers.PruneOptions).WithFilters(filters)) Expect(err).To(BeNil()) diff --git a/pkg/domain/filters/containers.go b/pkg/domain/filters/containers.go index 84cf03764..19d704da1 100644 --- a/pkg/domain/filters/containers.go +++ b/pkg/domain/filters/containers.go @@ -165,16 +165,7 @@ func GenerateContainerFilterFuncs(filter string, filterValues []string, r *libpo return false }, nil case "until": - until, err := util.ComputeUntilTimestamp(filterValues) - if err != nil { - return nil, err - } - return func(c *libpod.Container) bool { - if !until.IsZero() && c.CreatedTime().After((until)) { - return true - } - return false - }, nil + return prepareUntilFilterFunc(filterValues) case "pod": var pods []*libpod.Pod for _, podNameOrID := range filterValues { @@ -226,3 +217,29 @@ func GenerateContainerFilterFuncs(filter string, filterValues []string, r *libpo } return nil, errors.Errorf("%s is an invalid filter", filter) } + +// GeneratePruneContainerFilterFuncs return ContainerFilter functions based of filter for prune operation +func GeneratePruneContainerFilterFuncs(filter string, filterValues []string, r *libpod.Runtime) (func(container *libpod.Container) bool, error) { + switch filter { + case "label": + return func(c *libpod.Container) bool { + return util.MatchLabelFilters(filterValues, c.Labels()) + }, nil + case "until": + return prepareUntilFilterFunc(filterValues) + } + return nil, errors.Errorf("%s is an invalid filter", filter) +} + +func prepareUntilFilterFunc(filterValues []string) (func(container *libpod.Container) bool, error) { + until, err := util.ComputeUntilTimestamp(filterValues) + if err != nil { + return nil, err + } + return func(c *libpod.Container) bool { + if !until.IsZero() && c.CreatedTime().After((until)) { + return true + } + return false + }, nil +} diff --git a/pkg/domain/infra/abi/containers.go b/pkg/domain/infra/abi/containers.go index 637531ee9..24261e5ed 100644 --- a/pkg/domain/infra/abi/containers.go +++ b/pkg/domain/infra/abi/containers.go @@ -194,7 +194,7 @@ func (ic *ContainerEngine) ContainerStop(ctx context.Context, namesOrIds []strin func (ic *ContainerEngine) ContainerPrune(ctx context.Context, options entities.ContainerPruneOptions) ([]*reports.PruneReport, error) { filterFuncs := make([]libpod.ContainerFilter, 0, len(options.Filters)) for k, v := range options.Filters { - generatedFunc, err := dfilters.GenerateContainerFilterFuncs(k, v, ic.Libpod) + generatedFunc, err := dfilters.GeneratePruneContainerFilterFuncs(k, v, ic.Libpod) if err != nil { return nil, err } diff --git a/test/apiv2/20-containers.at b/test/apiv2/20-containers.at index 9030f0095..58b2dff0a 100644 --- a/test/apiv2/20-containers.at +++ b/test/apiv2/20-containers.at @@ -298,7 +298,7 @@ t POST containers/prune?filters='garb1age}' 500 \ t POST libpod/containers/prune?filters='garb1age}' 500 \ .cause="invalid character 'g' looking for beginning of value" -## Prune containers with illformed label +# Prune containers with illformed label t POST containers/prune?filters='{"label":["tes' 500 \ .cause="unexpected end of JSON input" t POST libpod/containers/prune?filters='{"label":["tes' 500 \ @@ -306,6 +306,22 @@ t POST libpod/containers/prune?filters='{"label":["tes' 500 \ t GET libpod/containers/json?filters='{"label":["testlabel"]}' 200 length=0 +# libpod api: do not use list filters for prune +t POST libpod/containers/prune?filters='{"name":["anyname"]}' 500 \ + .cause="name is an invalid filter" +t POST libpod/containers/prune?filters='{"id":["anyid"]}' 500 \ + .cause="id is an invalid filter" +t POST libpod/containers/prune?filters='{"network":["anynetwork"]}' 500 \ + .cause="network is an invalid filter" + +# compat api: do not use list filters for prune +t POST containers/prune?filters='{"name":["anyname"]}' 500 \ + .cause="name is an invalid filter" +t POST containers/prune?filters='{"id":["anyid"]}' 500 \ + .cause="id is an invalid filter" +t POST containers/prune?filters='{"network":["anynetwork"]}' 500 \ + .cause="network is an invalid filter" + # Test CPU limit (NanoCPUs) t POST containers/create Image=$IMAGE HostConfig='{"NanoCpus":500000}' 201 \ .Id~[0-9a-f]\\{64\\} -- cgit v1.2.3-54-g00ecf From dda91e3454a7154ccf2c3d87a918ae931e54c738 Mon Sep 17 00:00:00 2001 From: Ed Santiago Date: Tue, 6 Apr 2021 11:33:03 -0600 Subject: System tests: special case for RHEL: require runc As discussed in watercooler 2021-04-06: make sure that RHEL8 and CentOS are using runc. Using crun is probably a packaging error that should be caught early. Signed-off-by: Ed Santiago --- test/system/005-info.bats | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'test') diff --git a/test/system/005-info.bats b/test/system/005-info.bats index c0af2e937..ed341dd17 100644 --- a/test/system/005-info.bats +++ b/test/system/005-info.bats @@ -53,6 +53,27 @@ store.imageStore.number | 1 } +# 2021-04-06 discussed in watercooler: RHEL must never use crun, even if +# using cgroups v2. +@test "podman info - RHEL8 must use runc" { + local osrelease=/etc/os-release + test -e $osrelease || skip "Not a RHEL system (no $osrelease)" + + local osname=$(source $osrelease; echo $NAME) + if [[ $osname =~ Red.Hat || $osname =~ CentOS ]]; then + # Version can include minor; strip off first dot an all beyond it + local osver=$(source $osrelease; echo $VERSION_ID) + test ${osver%%.*} -le 8 || skip "$osname $osver > RHEL8" + + # RHEL or CentOS 8. + # FIXME: what does 'CentOS 8' even mean? What is $VERSION_ID in CentOS? + run_podman info --format '{{.Host.OCIRuntime.Name}}' + is "$output" "runc" "$osname only supports OCI Runtime = runc" + else + skip "only applicable on RHEL, this is $osname" + fi +} + @test "podman info --storage-opt='' " { skip_if_remote "--storage-opt flag is not supported for remote" skip_if_rootless "storage opts are required for rootless running" -- cgit v1.2.3-54-g00ecf From c8130be174e0f5209661ab454bee37a3765d1b04 Mon Sep 17 00:00:00 2001 From: pendulm Date: Fri, 2 Apr 2021 19:33:05 +0800 Subject: Move socket activation check into init() and set global condition. So rootless setup could use this condition in parent and child, child podman should adjust LISTEN_PID to its self PID. Add system test for systemd socket activation Signed-off-by: pendulm --- pkg/rootless/rootless_linux.c | 58 +++++++++++++++---- test/system/270-socket-activation.bats | 103 +++++++++++++++++++++++++++++++++ 2 files changed, 149 insertions(+), 12 deletions(-) create mode 100644 test/system/270-socket-activation.bats (limited to 'test') diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c index 7a2bf0377..918b9a7e6 100644 --- a/pkg/rootless/rootless_linux.c +++ b/pkg/rootless/rootless_linux.c @@ -61,6 +61,10 @@ static int open_files_max_fd; static fd_set *open_files_set; static uid_t rootless_uid_init; static gid_t rootless_gid_init; +static bool do_socket_activation = false; +static char *saved_systemd_listen_fds; +static char *saved_systemd_listen_pid; +static char *saved_systemd_listen_fdnames; static int syscall_setresuid (uid_t ruid, uid_t euid, uid_t suid) @@ -242,6 +246,10 @@ static void __attribute__((constructor)) init() { const char *xdg_runtime_dir; const char *pause; + const char *listen_pid; + const char *listen_fds; + const char *listen_fdnames; + DIR *d; pause = getenv ("_PODMAN_PAUSE"); @@ -293,6 +301,26 @@ static void __attribute__((constructor)) init() closedir (d); } + listen_pid = getenv("LISTEN_PID"); + listen_fds = getenv("LISTEN_FDS"); + listen_fdnames = getenv("LISTEN_FDNAMES"); + + if (listen_pid != NULL && listen_fds != NULL && strtol(listen_pid, NULL, 10) == getpid()) + { + // save systemd socket environment for rootless child + do_socket_activation = true; + saved_systemd_listen_pid = strdup(listen_pid); + saved_systemd_listen_fds = strdup(listen_fds); + saved_systemd_listen_fdnames = strdup(listen_fdnames); + if (saved_systemd_listen_pid == NULL + || saved_systemd_listen_fds == NULL + || saved_systemd_listen_fdnames == NULL) + { + fprintf (stderr, "save socket listen environments error: %s\n", strerror (errno)); + _exit (EXIT_FAILURE); + } + } + /* Shortcut. If we are able to join the pause pid file, do it now so we don't need to re-exec. */ xdg_runtime_dir = getenv ("XDG_RUNTIME_DIR"); @@ -635,6 +663,12 @@ reexec_userns_join (int pid_to_join, char *pause_pid_file_path) for (f = 3; f <= open_files_max_fd; f++) if (is_fd_inherited (f)) close (f); + if (do_socket_activation) + { + unsetenv ("LISTEN_PID"); + unsetenv ("LISTEN_FDS"); + unsetenv ("LISTEN_FDNAMES"); + } return pid; } @@ -660,6 +694,15 @@ reexec_userns_join (int pid_to_join, char *pause_pid_file_path) _exit (EXIT_FAILURE); } + if (do_socket_activation) + { + char s[32]; + sprintf (s, "%d", getpid()); + setenv ("LISTEN_PID", s, true); + setenv ("LISTEN_FDS", saved_systemd_listen_fds, true); + setenv ("LISTEN_FDNAMES", saved_systemd_listen_fdnames, true); + } + setenv ("_CONTAINERS_USERNS_CONFIGURED", "init", 1); setenv ("_CONTAINERS_ROOTLESS_UID", uid, 1); setenv ("_CONTAINERS_ROOTLESS_GID", gid, 1); @@ -777,9 +820,6 @@ reexec_in_user_namespace (int ready, char *pause_pid_file_path, char *file_to_re char **argv; char uid[16]; char gid[16]; - char *listen_fds = NULL; - char *listen_pid = NULL; - bool do_socket_activation = false; char *cwd = getcwd (NULL, 0); sigset_t sigset, oldsigset; @@ -789,14 +829,6 @@ reexec_in_user_namespace (int ready, char *pause_pid_file_path, char *file_to_re _exit (EXIT_FAILURE); } - listen_pid = getenv("LISTEN_PID"); - listen_fds = getenv("LISTEN_FDS"); - - if (listen_pid != NULL && listen_fds != NULL) - { - if (strtol(listen_pid, NULL, 10) == getpid()) - do_socket_activation = true; - } sprintf (uid, "%d", geteuid ()); sprintf (gid, "%d", getegid ()); @@ -814,7 +846,7 @@ reexec_in_user_namespace (int ready, char *pause_pid_file_path, char *file_to_re { long num_fds; - num_fds = strtol (listen_fds, NULL, 10); + num_fds = strtol (saved_systemd_listen_fds, NULL, 10); if (num_fds != LONG_MIN && num_fds != LONG_MAX) { int f; @@ -863,6 +895,8 @@ reexec_in_user_namespace (int ready, char *pause_pid_file_path, char *file_to_re char s[32]; sprintf (s, "%d", getpid()); setenv ("LISTEN_PID", s, true); + setenv ("LISTEN_FDS", saved_systemd_listen_fds, true); + setenv ("LISTEN_FDNAMES", saved_systemd_listen_fdnames, true); } setenv ("_CONTAINERS_USERNS_CONFIGURED", "init", 1); diff --git a/test/system/270-socket-activation.bats b/test/system/270-socket-activation.bats new file mode 100644 index 000000000..25206c6a7 --- /dev/null +++ b/test/system/270-socket-activation.bats @@ -0,0 +1,103 @@ +#!/usr/bin/env bats -*- bats -*- +# +# Tests podman system service under systemd socket activation +# + +load helpers + +SERVICE_NAME="podman_test_$(random_string)" + +SYSTEMCTL="systemctl" +UNIT_DIR="/usr/lib/systemd/system" +SERVICE_SOCK_ADDR="/run/podman/podman.sock" + +if is_rootless; then + UNIT_DIR="$HOME/.config/systemd/user" + mkdir -p $UNIT_DIR + + SYSTEMCTL="$SYSTEMCTL --user" + if [ -z "$XDG_RUNTIME_DIR" ]; then + export XDG_RUNTIME_DIR=/run/user/$(id -u) + fi + SERVICE_SOCK_ADDR="$XDG_RUNTIME_DIR/podman/podman.sock" +fi + +SERVICE_FILE="$UNIT_DIR/$SERVICE_NAME.service" +SOCKET_FILE="$UNIT_DIR/$SERVICE_NAME.socket" + + +function setup() { + skip_if_remote "systemd tests are meaningless over remote" + + basic_setup + + cat > $SERVICE_FILE < $SOCKET_FILE < /dev/null + rm -f $pause_pid + fi + fi + $SYSTEMCTL start "$SERVICE_NAME.socket" +} + +function teardown() { + $SYSTEMCTL stop "$SERVICE_NAME.socket" + rm -f "$SERVICE_FILE" "$SOCKET_FILE" + $SYSTEMCTL daemon-reload + basic_teardown +} + +@test "podman system service - socket activation - no container" { + run curl -s --max-time 3 --unix-socket $SERVICE_SOCK_ADDR http://podman/libpod/_ping + is "$output" "OK" "podman service responses normally" +} + +@test "podman system service - socket activation - exist container " { + run_podman run $IMAGE sleep 90 + run curl -s --max-time 3 --unix-socket $SERVICE_SOCK_ADDR http://podman/libpod/_ping + is "$output" "OK" "podman service responses normally" +} + +@test "podman system service - socket activation - kill rootless pause " { + if ! is_rootless; then + skip "root podman no need pause process" + fi + run_podman run $IMAGE sleep 90 + local pause_pid="$XDG_RUNTIME_DIR/libpod/tmp/pause.pid" + if [ -f $pause_pid ]; then + kill -9 $(cat $pause_pid) 2> /dev/null + fi + run curl -s --max-time 3 --unix-socket $SERVICE_SOCK_ADDR http://podman/libpod/_ping + is "$output" "OK" "podman service responses normally" +} + +# vim: filetype=sh -- cgit v1.2.3-54-g00ecf From af5dba34b2a27313dcec57c2223b0e8f83799743 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 30 Mar 2021 06:39:49 -0400 Subject: Fix missing podman-remote build options Fix handling of SecurityOpts LabelOpts SeccompProfilePath ApparmorProfile Fix Ulimits Fixes: https://github.com/containers/podman/issues/9869 Signed-off-by: Daniel J Walsh --- pkg/api/handlers/compat/images_build.go | 202 ++++++++++++++++++++++---------- pkg/bindings/images/build.go | 32 +++++ test/system/070-build.bats | 40 +++++++ 3 files changed, 210 insertions(+), 64 deletions(-) (limited to 'test') diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go index 8cd993b8b..6f21ecf3d 100644 --- a/pkg/api/handlers/compat/images_build.go +++ b/pkg/api/handlers/compat/images_build.go @@ -10,6 +10,7 @@ import ( "os" "path/filepath" "strconv" + "strings" "time" "github.com/containers/buildah" @@ -63,52 +64,55 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { }() query := struct { - AddHosts string `schema:"extrahosts"` - AdditionalCapabilities string `schema:"addcaps"` - Annotations string `schema:"annotations"` - BuildArgs string `schema:"buildargs"` - CacheFrom string `schema:"cachefrom"` - Compression uint64 `schema:"compression"` - ConfigureNetwork string `schema:"networkmode"` - CpuPeriod uint64 `schema:"cpuperiod"` // nolint - CpuQuota int64 `schema:"cpuquota"` // nolint - CpuSetCpus string `schema:"cpusetcpus"` // nolint - CpuShares uint64 `schema:"cpushares"` // nolint - Devices string `schema:"devices"` - Dockerfile string `schema:"dockerfile"` - DropCapabilities string `schema:"dropcaps"` - DNSServers string `schema:"dnsservers"` - DNSOptions string `schema:"dnsoptions"` - DNSSearch string `schema:"dnssearch"` - Excludes string `schema:"excludes"` - ForceRm bool `schema:"forcerm"` - From string `schema:"from"` - HTTPProxy bool `schema:"httpproxy"` - Isolation string `schema:"isolation"` - Ignore bool `schema:"ignore"` - Jobs int `schema:"jobs"` // nolint - Labels string `schema:"labels"` - Layers bool `schema:"layers"` - LogRusage bool `schema:"rusage"` - Manifest string `schema:"manifest"` - MemSwap int64 `schema:"memswap"` - Memory int64 `schema:"memory"` - NamespaceOptions string `schema:"nsoptions"` - NoCache bool `schema:"nocache"` - OutputFormat string `schema:"outputformat"` - Platform string `schema:"platform"` - Pull bool `schema:"pull"` - PullPolicy string `schema:"pullpolicy"` - Quiet bool `schema:"q"` - Registry string `schema:"registry"` - Rm bool `schema:"rm"` - //FIXME SecurityOpt in remote API is not handled - SecurityOpt string `schema:"securityopt"` - ShmSize int `schema:"shmsize"` - Squash bool `schema:"squash"` - Tag []string `schema:"t"` - Target string `schema:"target"` - Timestamp int64 `schema:"timestamp"` + AddHosts string `schema:"extrahosts"` + AdditionalCapabilities string `schema:"addcaps"` + Annotations string `schema:"annotations"` + AppArmor string `schema:"apparmor"` + BuildArgs string `schema:"buildargs"` + CacheFrom string `schema:"cachefrom"` + Compression uint64 `schema:"compression"` + ConfigureNetwork string `schema:"networkmode"` + CpuPeriod uint64 `schema:"cpuperiod"` // nolint + CpuQuota int64 `schema:"cpuquota"` // nolint + CpuSetCpus string `schema:"cpusetcpus"` // nolint + CpuShares uint64 `schema:"cpushares"` // nolint + DNSOptions string `schema:"dnsoptions"` + DNSSearch string `schema:"dnssearch"` + DNSServers string `schema:"dnsservers"` + Devices string `schema:"devices"` + Dockerfile string `schema:"dockerfile"` + DropCapabilities string `schema:"dropcaps"` + Excludes string `schema:"excludes"` + ForceRm bool `schema:"forcerm"` + From string `schema:"from"` + HTTPProxy bool `schema:"httpproxy"` + Ignore bool `schema:"ignore"` + Isolation string `schema:"isolation"` + Jobs int `schema:"jobs"` // nolint + LabelOpts string `schema:"labelopts"` + Labels string `schema:"labels"` + Layers bool `schema:"layers"` + LogRusage bool `schema:"rusage"` + Manifest string `schema:"manifest"` + MemSwap int64 `schema:"memswap"` + Memory int64 `schema:"memory"` + NamespaceOptions string `schema:"nsoptions"` + NoCache bool `schema:"nocache"` + OutputFormat string `schema:"outputformat"` + Platform string `schema:"platform"` + Pull bool `schema:"pull"` + PullPolicy string `schema:"pullpolicy"` + Quiet bool `schema:"q"` + Registry string `schema:"registry"` + Rm bool `schema:"rm"` + Seccomp string `schema:"seccomp"` + SecurityOpt string `schema:"securityopt"` + ShmSize int `schema:"shmsize"` + Squash bool `schema:"squash"` + Tag []string `schema:"t"` + Target string `schema:"target"` + Timestamp int64 `schema:"timestamp"` + Ulimits string `schema:"ulimits"` }{ Dockerfile: "Dockerfile", Registry: "docker.io", @@ -123,7 +127,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { return } - // convert label formats + // convert addcaps formats var addCaps = []string{} if _, found := r.URL.Query()["addcaps"]; found { var m = []string{} @@ -133,6 +137,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { } addCaps = m } + addhosts := []string{} if _, found := r.URL.Query()["extrahosts"]; found { if err := json.Unmarshal([]byte(query.AddHosts), &addhosts); err != nil { @@ -142,7 +147,8 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { } compression := archive.Compression(query.Compression) - // convert label formats + + // convert dropcaps formats var dropCaps = []string{} if _, found := r.URL.Query()["dropcaps"]; found { var m = []string{} @@ -153,7 +159,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { dropCaps = m } - // convert label formats + // convert devices formats var devices = []string{} if _, found := r.URL.Query()["devices"]; found { var m = []string{} @@ -233,7 +239,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { } } - // convert label formats + // convert annotations formats var annotations = []string{} if _, found := r.URL.Query()["annotations"]; found { if err := json.Unmarshal([]byte(query.Annotations), &annotations); err != nil { @@ -242,7 +248,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { } } - // convert label formats + // convert nsoptions formats nsoptions := buildah.NamespaceOptions{} if _, found := r.URL.Query()["nsoptions"]; found { if err := json.Unmarshal([]byte(query.NamespaceOptions), &nsoptions); err != nil { @@ -271,11 +277,75 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { } } } + jobs := 1 if _, found := r.URL.Query()["jobs"]; found { jobs = query.Jobs } + var ( + labelOpts = []string{} + seccomp string + apparmor string + ) + + if utils.IsLibpodRequest(r) { + seccomp = query.Seccomp + apparmor = query.AppArmor + // convert labelopts formats + if _, found := r.URL.Query()["labelopts"]; found { + var m = []string{} + if err := json.Unmarshal([]byte(query.LabelOpts), &m); err != nil { + utils.BadRequest(w, "labelopts", query.LabelOpts, err) + return + } + labelOpts = m + } + } else { + // handle security-opt + if _, found := r.URL.Query()["securityopt"]; found { + var securityOpts = []string{} + if err := json.Unmarshal([]byte(query.SecurityOpt), &securityOpts); err != nil { + utils.BadRequest(w, "securityopt", query.SecurityOpt, err) + return + } + for _, opt := range securityOpts { + if opt == "no-new-privileges" { + utils.BadRequest(w, "securityopt", query.SecurityOpt, errors.New("no-new-privileges is not supported")) + return + } + con := strings.SplitN(opt, "=", 2) + if len(con) != 2 { + utils.BadRequest(w, "securityopt", query.SecurityOpt, errors.Errorf("Invalid --security-opt name=value pair: %q", opt)) + return + } + + switch con[0] { + case "label": + labelOpts = append(labelOpts, con[1]) + case "apparmor": + apparmor = con[1] + case "seccomp": + seccomp = con[1] + default: + utils.BadRequest(w, "securityopt", query.SecurityOpt, errors.Errorf("Invalid --security-opt 2: %q", opt)) + return + } + } + } + } + + // convert ulimits formats + var ulimits = []string{} + if _, found := r.URL.Query()["ulimits"]; found { + var m = []string{} + if err := json.Unmarshal([]byte(query.Ulimits), &m); err != nil { + utils.BadRequest(w, "ulimits", query.Ulimits, err) + return + } + ulimits = m + } + pullPolicy := buildahDefine.PullIfMissing if utils.IsLibpodRequest(r) { pullPolicy = buildahDefine.PolicyMap[query.PullPolicy] @@ -320,18 +390,22 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { Annotations: annotations, Args: buildArgs, CommonBuildOpts: &buildah.CommonBuildOptions{ - AddHost: addhosts, - CPUPeriod: query.CpuPeriod, - CPUQuota: query.CpuQuota, - CPUShares: query.CpuShares, - CPUSetCPUs: query.CpuSetCpus, - DNSServers: dnsservers, - DNSOptions: dnsoptions, - DNSSearch: dnssearch, - HTTPProxy: query.HTTPProxy, - Memory: query.Memory, - MemorySwap: query.MemSwap, - ShmSize: strconv.Itoa(query.ShmSize), + AddHost: addhosts, + ApparmorProfile: apparmor, + CPUPeriod: query.CpuPeriod, + CPUQuota: query.CpuQuota, + CPUSetCPUs: query.CpuSetCpus, + CPUShares: query.CpuShares, + DNSOptions: dnsoptions, + DNSSearch: dnssearch, + DNSServers: dnsservers, + HTTPProxy: query.HTTPProxy, + LabelOpts: labelOpts, + Memory: query.Memory, + MemorySwap: query.MemSwap, + SeccompProfilePath: seccomp, + ShmSize: strconv.Itoa(query.ShmSize), + Ulimit: ulimits, }, CNIConfigDir: rtc.Network.CNIPluginDirs[0], CNIPluginPath: util.DefaultCNIPluginPath, @@ -364,11 +438,11 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { RemoveIntermediateCtrs: query.Rm, ReportWriter: reporter, Squash: query.Squash, + Target: query.Target, SystemContext: &types.SystemContext{ AuthFilePath: authfile, DockerAuthConfig: creds, }, - Target: query.Target, } if _, found := r.URL.Query()["timestamp"]; found { diff --git a/pkg/bindings/images/build.go b/pkg/bindings/images/build.go index df4b150c4..51f902780 100644 --- a/pkg/bindings/images/build.go +++ b/pkg/bindings/images/build.go @@ -120,6 +120,9 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO if options.ForceRmIntermediateCtrs { params.Set("forcerm", "1") } + if options.RemoveIntermediateCtrs { + params.Set("rm", "1") + } if len(options.From) > 0 { params.Set("from", options.From) } @@ -140,6 +143,23 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO } params.Set("labels", l) } + + if opt := options.CommonBuildOpts.LabelOpts; len(opt) > 0 { + o, err := jsoniter.MarshalToString(opt) + if err != nil { + return nil, err + } + params.Set("labelopts", o) + } + + if len(options.CommonBuildOpts.SeccompProfilePath) > 0 { + params.Set("seccomp", options.CommonBuildOpts.SeccompProfilePath) + } + + if len(options.CommonBuildOpts.ApparmorProfile) > 0 { + params.Set("apparmor", options.CommonBuildOpts.ApparmorProfile) + } + if options.Layers { params.Set("layers", "1") } @@ -174,6 +194,7 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO if len(platform) > 0 { params.Set("platform", platform) } + params.Set("pullpolicy", options.PullPolicy.String()) if options.Quiet { @@ -182,6 +203,10 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO if options.RemoveIntermediateCtrs { params.Set("rm", "1") } + if len(options.Target) > 0 { + params.Set("target", options.Target) + } + if hosts := options.CommonBuildOpts.AddHost; len(hosts) > 0 { h, err := jsoniter.MarshalToString(hosts) if err != nil { @@ -212,6 +237,13 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO params.Set("timestamp", strconv.FormatInt(t.Unix(), 10)) } + if len(options.CommonBuildOpts.Ulimit) > 0 { + ulimitsJSON, err := json.Marshal(options.CommonBuildOpts.Ulimit) + if err != nil { + return nil, err + } + params.Set("ulimits", string(ulimitsJSON)) + } var ( headers map[string]string err error diff --git a/test/system/070-build.bats b/test/system/070-build.bats index e5b68a0d8..2e97c93e0 100644 --- a/test/system/070-build.bats +++ b/test/system/070-build.bats @@ -712,6 +712,46 @@ EOF run_podman rmi -f build_test } +@test "podman build check_label" { + skip_if_no_selinux + tmpdir=$PODMAN_TMPDIR/build-test + mkdir -p $tmpdir + tmpbuilddir=$tmpdir/build + mkdir -p $tmpbuilddir + dockerfile=$tmpbuilddir/Dockerfile + cat >$dockerfile <$dockerfile < Date: Thu, 15 Apr 2021 18:24:22 +0200 Subject: podman play kube apply correct log driver The --log-driver flag was silently ignored by podman play kube. This regression got introduced during the play kube rework. Unfortunately the test for this was skipped for no good reason. Fixes #10015 Signed-off-by: Paul Holzinger Signed-off-by: Matthew Heon --- pkg/domain/infra/abi/play.go | 21 +++++++++++---------- pkg/specgen/generate/kube/kube.go | 6 ++++++ test/e2e/play_kube_test.go | 1 - 3 files changed, 17 insertions(+), 11 deletions(-) (limited to 'test') diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go index 7d87fc83a..6e705ddd2 100644 --- a/pkg/domain/infra/abi/play.go +++ b/pkg/domain/infra/abi/play.go @@ -261,16 +261,17 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY } specgenOpts := kube.CtrSpecGenOptions{ - Container: container, - Image: newImage, - Volumes: volumes, - PodID: pod.ID(), - PodName: podName, - PodInfraID: podInfraID, - ConfigMaps: configMaps, - SeccompPaths: seccompPaths, - RestartPolicy: ctrRestartPolicy, - NetNSIsHost: p.NetNS.IsHost(), + Container: container, + Image: newImage, + Volumes: volumes, + PodID: pod.ID(), + PodName: podName, + PodInfraID: podInfraID, + ConfigMaps: configMaps, + SeccompPaths: seccompPaths, + RestartPolicy: ctrRestartPolicy, + NetNSIsHost: p.NetNS.IsHost(), + LogDriver: options.LogDriver, } specGen, err := kube.ToSpecGen(ctx, &specgenOpts) if err != nil { diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go index d61c8bd19..45cb7c3f6 100644 --- a/pkg/specgen/generate/kube/kube.go +++ b/pkg/specgen/generate/kube/kube.go @@ -94,6 +94,8 @@ type CtrSpecGenOptions struct { RestartPolicy string // NetNSIsHost tells the container to use the host netns NetNSIsHost bool + // LogDriver which should be used for the container + LogDriver string } func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGenerator, error) { @@ -111,6 +113,10 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener s.Pod = opts.PodID + s.LogConfiguration = &specgen.LogConfig{ + Driver: opts.LogDriver, + } + setupSecurityContext(s, opts.Container) // Since we prefix the container name with pod name to work-around the uniqueness requirement, diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go index a4c738f17..2a1ba86e5 100644 --- a/test/e2e/play_kube_test.go +++ b/test/e2e/play_kube_test.go @@ -1674,7 +1674,6 @@ MemoryReservation: {{ .HostConfig.MemoryReservation }}`}) }) It("podman play kube applies log driver to containers", func() { - Skip("need to verify images have correct packages for journald") pod := getPod() err := generateKubeYaml("pod", pod, kubeYaml) Expect(err).To(BeNil()) -- cgit v1.2.3-54-g00ecf