run test: run positive test before negative; and actually
implement real negative tests. Also, add confirmation tests for
cidfile/pidfile, not just 'exit status is good'.
systemd test: enable rootless, and again add actual content
testing.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Remove the annotation from the umount command to make mount tests pass
and let podman-umount run as a non-root user.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
also make sure that the limits we set for rootless are not higher than
what we'd set for root containers.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
it appears that the pod stats flake can be attributed to the fact that the container being run is not fully running when the stats call is made. because the stats call is in format of json, it fails when nil
Signed-off-by: Brent Baude <bbaude@redhat.com>
The systemd unit test never ran in CI and was broken for various
reasons. Fix the test to execute Podman in systemd units and to also
run generated units files.
Note: more tests will be added in the future. The simple check for now
will prevent regressions.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The --conmon-pidfile was not set in the spec leading to failing systemd
units. Also add a system test to prevent future regressions.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
There are three different priorities for applying env variables:
1) environment/config file environment variables
2) image's config
3) user overrides (--env)
The third kind are known to the client, while the default config and image's
config is handled by the backend.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add the `podman generate kube` and `podman play kube` command. The code
has largely been copied from Podman v1 but restructured to not leak the
K8s core API into the (remote) client.
Both commands are added in the same commit to allow for enabling the
tests at the same time.
Move some exports from `cmd/podman/common` to the appropriate places in
the backend to avoid circular dependencies.
Move definitions of label annotations to `libpod/define` and set the
security-opt labels in the frontend to make kube tests pass.
Implement rest endpoints, bindings and the tunnel interface.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
To try and identify differences between Podman v1.9 and master,
I ran a series of `podman run` commands with various flags
through each, then inspecting the resulting containers and diffed
the inspect JSON between each. This identified a number of issues
which are fixed in this PR.
In order of discovery:
- Podman v2 gave short names for images, where Podman v1 gave the
fully-qualified name. Simple enough fix (get image tags and use
the first one if they're available)
- The --restart flag was not being parsed correctly when a number
of retries was specified. Parsing has been corrected.
- The -m flag was not setting the swap limit (simple fix to set
swap in that case if it's not explicitly set by the user)
- The --cpus flag was completely nonfunctional (wired in its
logic)
Tests have been added for all of these to catch future
regressions.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
add system df, info, load, renumber, and migrate
Refactor for specialized libpod engines
add the ability to prune images, volumes, containers, and pods
Signed-off-by: baude <bbaude@redhat.com>
Now that we've agreed that usage messages should match
what the user typed, confirm it. IOW 'podman foo --help'
should not issue a usage message for 'podman container foo'.
Fix one broken instance, 'unpause'.
Signed-off-by: Ed Santiago <santiago@redhat.com>
As part of this, make a major change to the type we use to
represent port mappings in SpecGen (from using existing OCICNI
structs to using our own custom one). This struct has the
advantage of supporting ranges, massively reducing traffic over
the wire for Podman commands using them (for example, the
`podman run -p 5000-6000` command will now send only one struct
instead of 1000). This struct also allows us to easily validate
which ports are in use, and which are not, which is necessary for
--expose.
Once we have parsed the ports from the new struct, we can produce
an accurate map including all currently requested ports, and use
that to determine what ports need to be exposed (some requested
exposed ports may already be included in a mapping from --publish
and will be ignored) and what open ports on the host we can map
them to.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Adds podman system prune for v2.
Refactoring for code reuse from pods containers images and volume prune.
Adds and enables testcases to support the added feature.
Signed-off-by: Sujil02 <sushah@redhat.com>
in cases where commands require input and we dont provide it, we often would segv. This can be attributed in many cases to the subcommand not picked up the cobra Args attribute or neither had them.
Signed-off-by: baude <bbaude@redhat.com>
If a usage message is of the form '... [flags] ARGNAME',
where ARGNAME is all-caps and not in brackets, it must
be a required argument. Try running podman subcommand
without ARGNAME, and make sure that podman bails out
with an informative message. (Since this message is
freeform in each subcommand, not Cobra-generated,
we have a lot of possible variations to check for).
Fix podman login/logout Use messages to indicate that
REGISTRY is now optional (as of #5233).
This test has actually been in place for over a year but
due to a typo on my part -- a missing space -- it was
not being run. "For want of a space, much testing was lost".
Signed-off-by: Ed Santiago <santiago@redhat.com>
Fixes container prune to prune created and configured containers.
Disables couple of system prune test as not yet in with v2.
Signed-off-by: Sujil02 <sushah@redhat.com>
and fix them to use a distinct directory. I've seen a test failing as
it was using the same directory as another test, that is not related
to v2 itself.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
skopeo pr #829 adds REGISTRY_AUTH_FILE support; this lets us
enable the following test:
podman login - shares credentials with skopeo - via envariable
(I seriously doubt that the CI VMs have been updated with the
new skopeo, but I can leave this PR in limbo until that happens.
Otherwise I'll forget to enable the test).
Signed-off-by: Ed Santiago <santiago@redhat.com>
A surprisingly big change. A core problem was that `podman inspect`
allows for passing containers AND images with the default `--type=all`.
This only worked partially as the data was processed in isolation which
caused various issues (e.g., two separate outputs instead of one) but it
also caused issues regarding error handling.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When using varlink we want to make sure that user specified environment variables
take precedence over http-proxy environment.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Adds check to parse normalized name and create docker archive dst reference
for tagged untagged image. Relevant test case added.
Signed-off-by: Sujil02 <sushah@redhat.com>
One test is still being skipped as container creation doesn't yet set
certain data from the image (e.g., PATH).
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
enabled integration tests for volumes. there are two exceptions that still need work because of something not yet implemented.
also, add code to deal with the fact that containers conf appears to set a local volume driver where it used to be simply blank.
Signed-off-by: Brent Baude <bbaude@redhat.com>
This should complete Podmanv2's support for volume-related flags.
Most code was sourced from the old pkg/spec implementation with
modifications to account for the split between frontend flags
(volume, mount, tmpfs) and the backend flags implemented here.
Also enables tests for podman run with volumes
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Implement pod stats for the local and remote client. Both code paths end
up in infra/abi to allow for code share.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
There is no freezer controller in the cgroup root, use the current
cgroup to look it up.
The test was never running on cgroup v2.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Enable pod inspect integration test
Get rid of libpod pod inspect references
Remove libpod PodInspect struct.
Signed-off-by: Sujil02 <sushah@redhat.com>
Enable integration tests for pod ps.
In addition, fixed bug where output was still using slice go template routines and would fail when no infra container was present. Added integration test to prevent future regressions.
Signed-off-by: Brent Baude <bbaude@redhat.com>
* Introduced define.ErrImageInUse to assist in determining the exit code
without resorting string searches.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Currently podman -v does not work but the other version checks all pass.
enabling tests to that we can get more tests running in CI.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
test rootless_storage_path from strorage.conf. If user configured rootless_storage_path in storage.conf, podman info should suggest the change.
Signed-off-by: Qi Wang <qiwan@redhat.com>
If you attempt to remove a running container is it supposed to exit with
2
If you attempt to remove a non existing container is is supposed to exit with
1
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This will change the default of UserNS to false
Also turn on tests for create_staticip_test.go
run_device_test.go, run_selinux_test.go
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add the ability to prune pods for api v2,
Includes the addition of force flag, for client side prompt.
Update test suite to support this use case.
Signed-off-by: Sujil02 <sushah@redhat.com>
test case added for skipping cache images and
fixed condition in test case for prune dangling image
Signed-off-by: Kunal Kushwaha <kunal.kushwaha@gmail.com>
reverting name changes to the listcontainer structure because it negatively impacted the direct consumption of the restful API. instead we now use a local structure in the CLI to modify the output as needed.
Signed-off-by: Brent Baude <bbaude@redhat.com>
it specifies a fd is passed down but we are not really doing it, and
it triggers the wrong fd to be closed by Podman after the OCI runtime
invocation.
Closes: https://github.com/containers/libpod/issues/5769
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
apiv2 tests emit TAP-compliant output; recognize it and
highlight it the same way we do BATS tests.
Add anchor links to TAP output, so other tools (e.g.
cirrus-flake-summarize) can link to particular lines
And, remove a "-f" from "wait" in test-apiv2; looks
like there's some version of bash used in some CI VM
that doesn't grok it.
Signed-off-by: Ed Santiago <santiago@redhat.com>
in order to get the go templating to work for custom input, we now use structure methods instead of template map funcs. this requires some manipulation of fields so that the funcs can have the proper names.
Signed-off-by: Brent Baude <bbaude@redhat.com>
* Added support for system service
* Enabled linting on the varlinkapi source, needed to support V2
service command
* Added support for PODMAN_SOCKET
Skip linting deprecated code
Rather than introduce bugs by correcting deprecated code, linting the
code is being skipped. Code that is being ported into V2 is being
checked.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
fix rootless login/logout tests. Since c/image can support peruser certs directory, this path uses $HOME dir as certs.d to avoid permission deny failures.
Signed-off-by: Qi Wang <qiwan@redhat.com>
the current implementation of info, while typed, is very loosely done so. we need stronger types for our apiv2 implmentation and bindings.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Podman was checking if the runtime support checkpointing by running
'runtime checkpoint -h'. That works for runc.
crun, however, does not use '-h, --help' for help output but, '-?,
--help'.
This commit switches both checkpoint support detection from
'runtime checkpoint -h'
to
'runtime checkpoint --help'.
Podman can now correctly detect if 'crun' also support checkpointing.
Signed-off-by: Adrian Reber <areber@redhat.com>
For volume and bind mount tests, use the in-container mount point path
that has no common ancestor with any host path (except for root).
This might help to uncover bugs like [1]. Even if not, it seems
lile a good cleanup regardless.
[1] https://github.com/containers/libpod/pull/5676
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Move declaration of a dockerfile closer to its use.
Since it is used only once, there's no sense in having it declared
globally.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Remove repeated mountPath directory creation.
* For the first two hunks it is the same dir ("secrets") that was
already created before.
* For the last hunk ("scratchpad") it is not used at all.
Add an empty line after Mkdir for cases where dir is used more than once.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
if the control path file is deleted, libpod hangs waiting for a reader
to open it. Attempt to open it as non blocking until it returns an
error different than EINTR or EAGAIN.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
We need to consistently use --time rather then --timeout throughout the code.
Fix locations where timeout defaults are not set correctly as well.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Allow for descriptive comment in 't' invocations, making it
easier to distinguish similar requests
* Include test file basename (eg 40-pods) in 'ok/not ok' line
* Always symlink $TMPDIR/test-apiv2.log to latest YYMMDDetc file
* Include test result ('ok', 'not ok') in said log
* When curl results are JSON, filter them through jq into log
Signed-off-by: Ed Santiago <santiago@redhat.com>
using the factory approach similar to container, we now create pods based on a pod spec generator. wired up the podmanv2 pod create command, podcreatewithspec binding, simple binding test, and apiv2 endpoint.
also included some code refactoring as it introduced as easy circular import.
Signed-off-by: Brent Baude <bbaude@redhat.com>
The `pause:3.1` has wrong configs for non-amd64 images as they all claim
to be for amd64. The issue has now been fixed in the latest
`pause:3.2`.
[1] https://github.com/kubernetes/kubernetes/issues/87325
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Update the podman pod ps command to support filtering by labels.
This brings the command in line with the documentation as well as
the functionality by the containers equivalent podman ps.
Signed-off-by: Stefano Pogliani <stefano@spogliani.net>
when removing networks in integration tests, we should should force; otherwise if the network has containers associated with it, it will fail to remove.
Signed-off-by: Brent Baude <bbaude@redhat.com>
* Add second go routine for when a Timer is not needed.
* goimports updated some project files
Fixes#5531
Signed-off-by: Jhon Honce <jhonce@redhat.com>
when building images, we can now add the os and arch of the image using overrides from the commandline. the commandline options set sane defaults so we use those as well.
Fixes: #5503
Signed-off-by: Brent Baude <bbaude@redhat.com>
the podman generated systemd service file has `Type=forking` service,
so the command after `ExecStart=` should not run in front.
if someone created a container and has the detach(`-d`) param missing
like this
```
podman create --name ngxdemo -P nginxdemos/hello
```
and generate the file with `--new` param:
```
podman generate systemd --name --new ngxdemo
```
because `podman run xxx` has no `-d` param,
so the container is not run in background and nerver exit.
and systemd will fail to start the service:
```
sudo systemctl start container-ngxdemo.service
Job for container-ngxdemo.service failed because a timeout was exceeded.
See "systemctl status container-ngxdemo.service" and "journalctl -xe" for details.
```
Signed-off-by: 荒野無燈 <ttys3@outlook.com>
The recently-added 'run --rmi' test was not actually doing
what it thinks it was doing: for one, 'run_podman | grep'
is never going to work; also, the test was leaving behind
stray images.
Rework to do what I believe the intention was; and, combine
into one test (down from two) for readability.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Remove leading slashes from the run-dir paths. It was meant to make it
explicit that we're dealing with an absolute path but user feedback has
shown that most are aware. It also cleans up the path in the systemctl
status output.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The --rmi flag will delete the container image after its execution
unless that image is already been used by another container(s).
This is useful when one wants to execute a container once and remove
any resources attached to it.
Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
This introduces a new cirrus helper script, logformatter.
Usage is:
[commands...] | logformatter TEST-NAME
It reformats its input into a readable, highlighed, linkable
form. Some features:
- boring stuff (timestamps, standard podman options) is
deemphasized
- important stuff (warnings, errors) is emphasized
- in-page links to the actual failures
- active links to source files
- jumps to bottom of page on load, because that's where
the errors are. (All errors are linked)
Add it to select test commands (integration, system) and
add a new artifacts_html, run in the 'always' block, which
uploads generated *.log.html into Cirrus; from there we
generate a live URL that can be viewed in browser.
Unfortunately, due to security concerns in Cirrus, it is
not currently possible to make the link a live one.
Kludge: add a line of dashes after Restoring images; without this,
the first test ("systemd PID 1") has no dashes before it, so
logformatter doesn't see it.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This patch allows users to specify the list of capabilities required
to run their container image.
Setting a image/container label "io.containers.capabilities=setuid,setgid"
tells podman that the contained image should work fine with just these two
capabilties, instead of running with the default capabilities, podman will
launch the container with just these capabilties.
If the user or image specified capabilities that are not in the default set,
the container will print an error message and will continue to run with the
default capabilities.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
API v2 has been quiet for a few days, and the test script is
actually passing. Let's take advantage of this opportunity
to get them running in CI.
Requires adding a check for cgroupsv2
Signed-off-by: Ed Santiago <santiago@redhat.com>
This corrects a regression from Podman 1.4.x where container exec
sessions inherited supplemental groups from the container, iff
the exec session did not specify a user.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
9f69c4eca (part of the f31 pr, #3091) semi-broke the kill test,
there's now an ugly warning:
setup(): removing stray images quay.io/libpod/fedora-minimal:latest 7bb5a60e8a78
The comments also didn't actually explain the problem
being addressed, and included a misleading reference
to busybox.
Here we switch to using fedora-minimal only with podman-remote,
clean it up (rmi) when finished, and include an explanation in
the comments about why this is needed; making it clear that
this workaround can be removed once we get rid of podman-remote.
We also reformat back to 80 columns.
Signed-off-by: Ed Santiago <santiago@redhat.com>
instead of searching the fedora registry which is error prone, we instead search a local registry for the empty set search.
when running two containers with the same IP, i suspect the first container has not fully gotten its ip information back from cni when the second container fires. rework this test such that we use nginx to make sure the container is up and running before continues which should pace the subsequent test.
Signed-off-by: Brent Baude <bbaude@redhat.com>
When inspecting containers, info on CNI networks added to the
container by name (e.g. --net=name1) should be displayed
separately from the configuration of the default network, in a
separate map called Networks.
This patch adds this separation, improving our Docker
compatibility and also adding the ability to see if a container
has more than one IPv4 and IPv6 address and more than one MAC
address.
Fixes#4907
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
It's possible/likely the container image for the test will need to be
pulled as part of the `run` command. Due to the way BATS handles
output, messages regarding image-pull could be misinterpreted as the
container's CID. Force the CID to be obtained by only the last line of
output.
Signed-off-by: Chris Evich <cevich@redhat.com>
Sometime between 10th and 23rd of Feb. 2020, the behavior of crun
changed. Upon consulting with Giuseppe, the podman run tests for
`device-read-*` and `device-write-*` do not depend on the container
output for success, only the exit code. Add a comment and conditional
regarding this in case of cgroupsv2. Also noted that these tests
will likely require future refactoring/simplification.
Signed-off-by: Chris Evich <cevich@redhat.com>
Looks like /libpod/pods/create has been fixed to return an
actual pod ID. Extend those tests.
Also, update timeout in the server command: it's now seconds,
not milliseconds.
Also, update FIXME comments in /pods/prune . Still doesn't
work, but clarify what we're seeing.
Also, add a new test that runs ten /info requests and
barfs if it takes more than 5 seconds.
Signed-off-by: Ed Santiago <santiago@redhat.com>
1) Help message for podman port was missing [PORT]
2) Add test for 'podman port'. And, actually, an entire
networking test that I'd written some weeks ago but
apparently didn't 'git add'.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Brent Baude <bbaude@redhat.com>
Now support --no-healthcheck option to disable defined healthchecks in a container image. --health-cmd=none remains supported as well.
Fixes: #5299
Signed-off-by: Brent Baude <bbaude@redhat.com>
The "create two containers with the same IP" test failed:
https://api.cirrus-ci.com/v1/task/5992323062431744/logs/integration_test.log#t--Podman-create-two-containers-with-the-same-IP
...
(basically, expected error exit code, got 0)
Analysis: the sequence is 'start test1, start test2'. Perhaps it's
possible that 'podman start' exits before the test1 container has
an IP address assigned? There are no checks in the test, so it's
impossible to know what happened.
Solution: add a wait-loop invoking 'podman inspect', waiting
for a nonempty IP address on test 1; then assert that it's
what we expect it to be.
Signed-off-by: Ed Santiago <santiago@redhat.com>
...to try to compensate for flaky host.
registry.fedoraproject.org is just not reliable. It's flaking
with 503 errors, causing massive amounts of wasted CI time
and developer effort.
There is exactly one instance of that registry in these tests.
We can't replace it with quay.io, because "search quay.io/"
(trailing slash) fails with some sort of authentication error.
So let's just try a sleep/retry cycle instead.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Great timing: this new test collided against #5268, which added
a warning about using command-line --password. CI is now going
to fail all over.
Fix: rework test to use --password-stdin. Am doing so only
in the places where output string is checked; other instances
can keep using '--password xxx' because it's simpler.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Looks like a bit of a misunderstanding from early on.
Docker implements --filter=since=IMAGE. Podman implements 'after'
instead of 'since'. Add an equivalent case statement to handle
both, keeping 'after' because we have no way of knowing if it
is used in the field.
Update documentation ... and fix what looks like a complete
misinterpretation of what the code actually does: the man page
claimed that these were time fields, but I don't see any
possible incantation in which a time value works or could
work. Updated docs to reflect IMAGE usage. Also changed
nonworking '==' to single '='.
Added tests. [UPDATE: skip with broken podman-remote]
Fixes: #5040
Signed-off-by: Ed Santiago <santiago@redhat.com>
Test podman login/logout, login with wrong credentials,
auth file contents, auth file path override, push/pull,
and, if skopeo is installed, credentials sharing
Fixes: #4283
Signed-off-by: Ed Santiago <santiago@redhat.com>
Enables most of the network-related functionality from
`podman run` in `podman pod create`. Custom CNI networks can be
specified, host networking is supported, DNS options can be
configured.
Also enables host networking in `podman play kube`.
Fixes#2808Fixes#3837Fixes#4432Fixes#4718Fixes#4770
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
fix#5146
Insted of using a registry as mandatory parameter, this path allows podman to use the first registry from registries.conf.
Signed-off-by: Qi Wang <qiwan@redhat.com>
We use filepath.Clean() to remove trailing slashes to ensure that
when we supercede image mounts with mounts from --volume and
--mount, paths are consistent when we compare. Unfortunately,
while we used the cleaned path for the destination in the mount,
it was accidentally not used to index the maps that we use to
identify what to supercede, so our comparisons might be thrown
off by trailing slashes and similar.
Fixes#5219
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We attempted to share all logic for parsing labels and
environment variables, which on the surface makes lots of sense
(both are formatted key=value so parsing logic should be
identical) but has begun to fall apart now that we have added
additional logic to environment variable handling. Environment
variables that are unset, for example, are looked up against
environment variables set for the process. We don't want this for
labels, so we have to split parsing logic.
Fixes#3854
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Add pkg/signal to deal with parts of signal processing and translating
signals from string to numeric representations. The code has been
copied from docker/docker (and attributed with the copyright) but been
reduced to only what libpod needs (on Linux).
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Ed Santiago
Giuseppe Scrivano
OpenShift Merge Robot
Valentin Rothberg
Brent Baude
Qi Wang
Sujil02
Matthew Heon
Matthew Heon
Daniel J Walsh
Jhon Honce
Kunal Kushwaha
Adrian Reber
Kir Kolyshkin
Stefano Pogliani
荒野無燈
Boaz Shuster
Chris Evich