Do not use Default() in unit tests, that caches the config in a global
var so it conflicts with other tests also calling it.
Now only the Reload test should test that. The Default() call got broken
by commit c2dee68766 because now the test only unsets the env after the
last Reload() call which should already use the actual default.
Fixes: c2dee68766 ("*_test.go: use t.TempDir, t.Setenv")
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Instead of using os.MkdirTemp in tests, use t.TempDir.
In a few places where the parent directory is already created by t.TempDir,
replace os.MkdirTemp with os.Mkdir.
While at it, make sure to not leak an opened file descriptor returned by
os.CreateTemp.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Using os.Setenv in tests is problematic, because the change is
process-wide and other tests running in parallel might be affected.
Also, a somewhat complicated cleanup is needed.
Both issues are solved by using t.Setenv.
This commit also uses t.TempDir, t.Cleanup, and t.Helper when it makes
sense.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This fixes 'podman build' and 'buildah build' on non-linux platforms
where (*Config).Capabilities started throwing errors after the
pkg/capabilities package started using github.com/moby/sys/capability to
validate the capability lists.
Signed-off-by: Doug Rabson <dfr@rabson.org>
* Added ContainerHostname to NetworkOptions. Podman will set this
and Netavark will read it.
* Added the `container_name_as_hostname` option to the
CONTAINERS table in containers.conf. Currently, if you don't
explicitly set a hostname when creating a container, podman will
set it to the short ID. If this option set to `true` and a
hostname isn't explicitly set, podman will use the container's
name, with characters not in the set `[0-9a-zA-Z.-]` removed,
as the hostname instead of the short ID. Set to false by default
to preserve existing behavior.
Signed-off-by: George Joseph <g.devel@wxy78.net>
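The hostname rule in the commit above, re-implemented as an added Go illustration (this is not podman's or containers/common's code): an explicit hostname always wins, otherwise the `container_name_as_hostname` option chooses between the short ID and the filtered container name. Two details are assumptions not stated in the commit: the short ID is taken as the first 12 characters of the full ID, and a name that is empty after filtering falls back to the short ID.

```go
package main

import (
	"fmt"
	"strings"
)

// containerHostname re-implements the hostname rule from the commit message
// as an illustration; it is not podman's or containers/common's code. An
// explicitly set hostname always wins. Otherwise, when nameAsHostname (the
// container_name_as_hostname option) is false, the short ID is used; when it
// is true, the container name with every character outside [0-9a-zA-Z.-]
// removed is used.
//
// Assumptions not stated in the commit message: the short ID is the first
// 12 characters of the full ID, and a name that is left empty after
// filtering (e.g. "___") falls back to the short ID rather than producing
// an empty hostname.
func containerHostname(nameAsHostname bool, explicit, name, id string) string {
	if explicit != "" {
		return explicit
	}
	shortID := id
	if len(shortID) > 12 {
		shortID = shortID[:12]
	}
	if !nameAsHostname {
		return shortID
	}
	cleaned := sanitizeHostname(name)
	if cleaned == "" {
		return shortID // assumption: never hand the kernel an empty hostname
	}
	return cleaned
}

// sanitizeHostname drops every rune outside [0-9a-zA-Z.-]. Using strings.Map
// with an explicit allow-list (rather than deleting a deny-list of known-bad
// characters) means anything unexpected, including non-ASCII, is removed.
func sanitizeHostname(name string) string {
	return strings.Map(func(r rune) rune {
		switch {
		case r >= '0' && r <= '9',
			r >= 'a' && r <= 'z',
			r >= 'A' && r <= 'Z',
			r == '.', r == '-':
			return r
		}
		return -1 // strings.Map removes the rune when -1 is returned
	}, name)
}

func main() {
	// Constructed sample values, not real container IDs.
	id := "0123456789abcdef0123456789abcdef"
	fmt.Println(containerHostname(false, "", "my_web-app.v2", id)) // 0123456789ab
	fmt.Println(containerHostname(true, "", "my_web-app.v2", id))  // myweb-app.v2
	fmt.Println(containerHostname(true, "db01", "my_web-app", id)) // db01
}
```

The allow-list form matters because a hostname ends up in DNS records and in `/etc/hosts` inside the container; filtering down to the permitted set rather than stripping a few known-bad characters is what keeps an odd container name from leaking unexpected bytes into those places.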
Adds a new configuration section `podmansh` to configure the shell,
container and the timeout for podmansh.
Signed-off-by: phoenix <felix.niederwanger@suse.com>
Some users wish to turn off healthcheck events in Podman so add a config
option to allow that. The actual logic must live in Podman.
Link: https://issues.redhat.com/browse/RHEL-18987
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This linter creates better assertions in ginkgo tests.
Fixes were made with `ginkgolinter -fix ./...`.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
podman systemd connection and farm currently both write containers.conf
to store their settings. Each write removes comments from the user
config file and thus makes it not great to use.
The new approach is to have a separate file connections.conf (json
format) to store both connections and farms for podman. We continue to
read containers.conf for the connections and farms as well and podman
can read both. This means we have a read only store in containers.conf
(manually added by users), they cannot be removed by the podman cli.
This is a breaking change and will require many changes in podman to
migrate to the new APIs added in this commit.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The current code has a small race: it first stats the file and if it
exists it tries to read the file. Between these it is possible that the
file was removed, thus causing a fatal error when reading the config.
The better way is to simply read the file and ignore the ENOENT error
instead where we want this behavior. This avoids the need for the extra
stat syscalls. For CONTAINERS_CONF and modules we still need the hard
error if the file does not exist so we have to keep it there.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
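The stat-then-read race described above and the read-and-classify replacement, as an added Go illustration (not the containers/common code itself). `readOptionalConfig` does a single `os.ReadFile` and treats only `fs.ErrNotExist` as "absent"; `readRequiredConfig` keeps a missing file as a hard error for the CONTAINERS_CONF and modules case; `racyRead` is the replaced pattern, kept for contrast. The function names and the sample file contents are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// readOptionalConfig reads a config file that is allowed to be absent.
// It does a single os.ReadFile and classifies the error afterwards: a
// missing file yields (nil, false, nil); every other failure (permission
// denied, a directory at that path, an I/O error) is reported. With no
// separate stat there is no window in which the file can vanish between
// "it exists" and "read it". This is an added illustration of the approach
// described in the commit message, not the containers/common code itself.
func readOptionalConfig(path string) (data []byte, found bool, err error) {
	data, err = os.ReadFile(path)
	if err != nil {
		// errors.Is unwraps the *fs.PathError and matches ENOENT portably,
		// so no comparison against syscall.ENOENT is needed.
		if errors.Is(err, fs.ErrNotExist) {
			return nil, false, nil
		}
		return nil, false, fmt.Errorf("reading %s: %w", path, err)
	}
	return data, true, nil
}

// readRequiredConfig is for paths such as CONTAINERS_CONF and modules, where
// the commit message keeps a missing file as a hard error: the error from
// os.ReadFile is wrapped with %w so errors.Is(err, fs.ErrNotExist) still
// works for the caller.
func readRequiredConfig(path string) ([]byte, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("reading required config %s: %w", path, err)
	}
	return data, nil
}

// racyRead is the pattern the commit replaced, kept here for contrast: stat
// first, then read. If the file is removed between the two calls, the read
// fails with an error the caller did not expect, because the stat already
// said the file existed.
func racyRead(path string) ([]byte, error) {
	if _, err := os.Stat(path); err != nil {
		if errors.Is(err, fs.ErrNotExist) {
			return nil, nil
		}
		return nil, err
	}
	return os.ReadFile(path) // may now fail with ENOENT
}

func main() {
	// Constructed example: a scratch directory with one optional file present
	// and one absent.
	dir, err := os.MkdirTemp("", "cfg-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	present := filepath.Join(dir, "containers.conf")
	if err := os.WriteFile(present, []byte("[containers]\n"), 0o600); err != nil {
		panic(err)
	}
	for _, p := range []string{present, filepath.Join(dir, "missing.conf")} {
		data, found, err := readOptionalConfig(p)
		fmt.Printf("%s: found=%v err=%v bytes=%d\n", filepath.Base(p), found, err, len(data))
	}
	_, err = readRequiredConfig(filepath.Join(dir, "missing.conf"))
	fmt.Println("required missing file is an error:", errors.Is(err, fs.ErrNotExist))
}
```

The point of classifying after the read rather than checking before it is that only the ENOENT case is swallowed: a permission error or a directory sitting at the config path still surfaces, which a stat-based existence check would not distinguish.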
Add a new containers.conf attribute to define how to set interface name inside containers.
Relates to: containers/podman#21313
Signed-off-by: Vikas Goel <vikas.goel@gmail.com>
We have not supported type=bind image volumes since pre-1.0
Podman - we phased them out when we added support for actual
volumes. Also, our image volume valid modes checker did not even
allow the actual default (anonymous). This is technically a
breaking change, so it will go into Podman 5.0 - but I strongly
doubt anyone is actually using this field if no one has noticed
this issue before now.
Signed-off-by: Matt Heon <mheon@redhat.com>
The tests are messy and should be turned into table-driven tests but I
do not have time at the moment.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Commit 395ba05c44 implemented a POC to allow for changing the behavior
when loading multiple container.conf files in sequence. By default, the
TOML encoder will override existing data/fields with the one specified
in the loaded file. The POC has demonstrated how this behavior can be
changed to append string slices instead of overriding/replacing them
entirely.
This change is the first step of integrating these appendable string
arrays into containers.conf and starts with enabling the `Env`,
`Mounts`, and `Volumes` fields in the `[Containers]` table.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Podman should default to sqlite for new installs, however to not break
upgrades we should detect if a boltdb database exists and use that in
such case. Now in order to distinguish between an explicitly set
"sqlite" and "boltdb" and nothing set we use an empty default.
With that podman can know if we really should use the default or if it
was configured for a db explicitly. The actual detection logic must be
implemented in podman as we only know the file locations there.
This commit also drops the unused StateType as this was not used at all.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
As requested in containers/podman/issues/20000, add a `privileged` field
to the containers table in containers.conf. I was hesitant to add such
a field at first (for security reasons) but I understand that such a
field can come in handy when using modules - certain workloads require a
privileged container.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The method ActiveDestination was being used only by Podman and there seemed to be code complications as the code is split in multiple parts. Hence, moved the code to Podman to make it more readable and efficient.
Signed-off-by: Chetan Giradkar <cgiradka@redhat.com>
It's wasteful and `sut` was not a name I would now understand. Change
the tests that need a default config. The diff also shows that the
tests would benefit a lot from a rewrite into a table-driven form but I
do not want to shave the entire Yak.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
It has no external user and should not be exported to avoid any API
misuse; built-in defaults are an implementation detail.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
A new --farm flag is being added to podman system connection
add so that when a new connection is added it can be added to a new
or existing farm. Update the code here to be able to do that.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Add two new fields Farms and DefaultFarm to the Config
to be used by the new podman buildfarm command.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
We want to allow HPC Customers and others to specify mounts
inside of containers.conf, so that they can have a default
list of mounts into all of their containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This fixes a regression in
https://github.com/containers/podman/pull/19241 which quite reasonably
assumed that the default image volume mode from pkg/config was correct.
Signed-off-by: Doug Rabson <dfr@rabson.org>
The original SELinux support in Docker and Podman does not follow the
default SELinux rules for how label transitions are supposed to be
handled. Containers always switch their user and role to
system_u:system_r, rather than maintain the caller's user and role.
For example
unconfined_u:unconfined_r:container_t:s0:c1,c2
Advanced SELinux administrators want to confine users but still allow
them to create containers from their role, but not allow them to launch
a privileged container like spc_t.
This means if a user running as
container_user_u:container_user_r:container_user_t:s0
ran a container they would get
container_user_u:container_user_r:container_t:s0:c1,c2
If they run a privileged container they would run it with:
container_user_u:container_user_r:container_user_t:s0
If they want to force the label they would get an error
podman run --security-opt label=type:spc_t ...
should fail, because the container_user_r can not run with the spc_t.
SELinux rules would also prevent the user from forcing the system_u user and
the system_r role.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>