So rootless setup could use this condition in parent and child, child
podman should adjust LISTEN_PID to its self PID.
Add system test for systemd socket activation
Signed-off-by: pendulm <lonependulm@gmail.com>
Make sure the DOCKER_SOCK location is accessible by the user when run
rootless. Alos set the DOCKER_HOST env var to ensure docker-compose will
use the non default location. Cleanup steps such as `rm` or `umount`
must be run inside podman unshare otherwise they can fail due missing
privileges.
Change the curl test to use --retry-all-errors otherwise the tests will
flake. The web server inside the container will return http code 500
sometimes, most likely because it is not fully ready to accept
connections. With --retry-all-errors curl will retry instead of failing
and thus the test will work.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
With the new rootless cni supporting network connect/disconnect is easy.
Combine common setps into extra functions to prevent code duplication.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Instead of creating an extra container create a network and mount
namespace inside the podman user namespace. This ns is used to
for rootless cni operations.
This helps to align the rootless and rootful network code path.
If we run as rootless we just have to set up a extra net ns and
initialize slirp4netns in it. The ocicni lib will be called in
that net ns.
This design allows allows easier maintenance, no extra container
with pause processes, support for rootless cni with --uidmap
and possibly more.
The biggest problem is backwards compatibility. I don't think
live migration can be possible. If the user reboots or restart
all cni containers everything should work as expected again.
The user is left with the rootless-cni-infa container and image
but this can safely be removed.
To make the existing cni configs work we need execute the cni plugins
in a extra mount namespace. This ensures that we can safely mount over
/run and /var which have to be writeable for the cni plugins without
removing access to these files by the main podman process. One caveat
is that we need to keep the netns files at `XDG_RUNTIME_DIR/netns`
accessible.
`XDG_RUNTIME_DIR/rootless-cni/{run,var}` will be mounted to `/{run,var}`.
To ensure that we keep the netns directory we bind mount this relative
to the new root location, e.g. XDG_RUNTIME_DIR/rootless-cni/run/user/1000/netns
before we mount the run directory. The run directory is mounted recursive,
this makes the netns directory at the same path accessible as before.
This also allows iptables-legacy to work because /run/xtables.lock is
now writeable.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Versions of the ps command have additional spaces between fields, this
manifests as the container asking to run "top" and API reporting "top "
as a process.
Endpoint and tests updated to check that "top" is reported.
There is no libpod specialized endpoint to update.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Containers endpoints for HTTP compad and libpod APIs allowed usage of list HTTP
endpoint filter funcs. Documentation in case of libpod and compat API does not allow that.
This commit aligns code with the documentation.
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
It is tedious and error-prone to update the 'APIVersion=<exact>'
test every time there's a minor bump. Change the test so it
confirms only the major version.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Issue #9573 (podman build --pull-never is a NOP) is fixed.
Remove the 'skip' in the buildah-bud pull-never test.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The 'is' check was intended to be called with three arguments,
the last one being a nice helpful test name. There's a fallback
for two-argument calls, but it was a horrible FIXME.
New fallback: the most recently run podman command. We keep
track of it in each run_podman() invocation.
This is not ideal, because it's theoretically possible to
invoke 'is' on something other than the output of run_podman,
but this at least fixes the by-far-most-common case.
[NO TESTS NEEDED]
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add support for secretRef and secretKeyRef to allow env vars to be set
from a secret. As K8S secrets are dictionaries the secret value must
be a JSON dictionary compatible with the data field of a K8S secret
object. The keys must consist of alphanumeric characters, '-', '_'
or '.', and the values must be base64 encoded strings.
Signed-off-by: Alban Bedel <albeu@free.fr>
In K8S the pod creation fails if an env var reference a non existing
config map key. It can be marked as optional, but per default it is
mandatory. Podman on the other hand always treat such references as
optional.
Rework envVarsFrom() and envVarValue() to additionaly return an error
and add support for the optional attribute in configMapRef and
configMapKeyRef.
Signed-off-by: Alban Bedel <albeu@free.fr>
When kube play fails to create a volume, it should say which volume had
the problem so the user doesn't have to guess. For the following pod
spec:
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: myfrontend
image: nginx
volumeMounts:
- mountPath: "/var/www/html"
name: mypd
volumes:
- name: mypd
hostPath:
path: /var/blah
podman will now report:
Error: failed to create volume "mypd": error in parsing HostPath
in YAML: error checking path "/var/blah": stat /var/blah: no such
file or directory
Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
Currently pull policy is set incorrectly when users set --pull-never.
Also pull-policy is not being translated correctly when using
podman-remote.
Fixes: #9573
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Since podman-remote resize requests can come in at random times, this
generates a real potential for race conditions. We should only be
attempting to resize TTY on running containers, but the containers can
go from running to stopped at any time, and returning an error to the
caller is just causing noice.
This change will basically ignore requests to resize terminals if the
container is not running and return the caller to success. All other
callers will still return failure.
Fixes: https://github.com/containers/podman/issues/9831
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
socat can create a dummy PTY that we can manipulate. This
lets us run a variety of tests that we couldn't before,
involving "run -it", and stty, and even "load" with no args.
Signed-off-by: Ed Santiago <santiago@redhat.com>
If you are attempting to run a container in interactive mode, and want
a --tty, then there must be a terminal in use.
Docker exits right away when a user specifies to use a --interactive and
--TTY but the stdin is not a tty.
Currently podman will pull the image and then fail much later.
Podman will continue to run but will print an warning message.
Discussion in : https://github.com/containers/podman/issues/8916
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
As part of a fix for an earlier bug (#5698) we added the ability
for Podman to chown volumes to correctly match the user running
in the container, even in adverse circumstances (where we don't
know the right UID/GID until very late in the process). However,
we only did this for volumes created automatically by a
`podman run` or `podman create`. Volumes made by
`podman volume create` do not get this chown, so their
permissions may not be correct. I've looked, and I don't think
there's a good reason not to do this chwon for all volumes the
first time the container is started.
I would prefer to do this as part of volume copy-up, but I don't
think that's really possible (copy-up happens earlier in the
process and we don't have a spec). There is a small chance, as
things stand, that a copy-up happens for one container and then
a chown for a second, unrelated container, but the odds of this
are astronomically small (we'd need a very close race between two
starting containers).
Fixes#9608
Signed-off-by: Matthew Heon <mheon@redhat.com>
Erik Sjolund reported an issue where a badly formated file
could be passed into the `--tz` option and then the date in the container
would be badly messed up:
```
erik@laptop:~$ echo Hello > file.txt
erik@laptop:~$ podman run --tz=../../../home/erik/file.txt --rm -ti
docker.io/library/alpine cat /etc/localtime
Hello
erik@laptop:~$ podman --version
podman version 3.0.0-rc1
erik@laptop:~$
```
This fix checks to make sure the TZ passed in is a valid
value and then proceeds with the rest of the processing.
This was first reported as a potential security issue, but it
was thought not to be. However, I thought closing the hole
sooner rather than later would be good.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Set of scripts to run buildah's bud.bats test using
podman build in podman CI.
podman build is not 100% compatible with buildah bud.
In particular:
* podman defaults to --layers=true; buildah to false
* podman defaults to --force-rm=true; buildah to false
* podman error exit status is 125; buildah is 2
* differences in error messages, command-line arguments
Some of the above can be dealt with programmatically,
by tweaking the buildah helpers.bash (BATS helpers).
Some need to be tweaked by patching bud.bats itself.
This PR includes a patch that will, I fear, need to
be periodically maintained over time.
There will likely be failures when vendoring in a
new buildah, possibly because new tests were added
for new features that don't exist in podman, possibly
(I hope unlikely) if existing tests are changed in
ways that make the patch file fail to apply. I've
tried to write good instructions and to write the run
script in such a way that it will offer helpful hints
on failure. My instructions and code will be imperfect;
I hope they will be good enough to merit continued use
of this test (possibly with improvements to the instructions
as we learn more about real-world failures).
Signed-off-by: Ed Santiago <santiago@redhat.com>
The problem described in #9711 and followed by #9758 affects
containers as well. When user provides wrong filter input, error
message should occur, not fallback to full list/prune command.
This change fixes the issue. Additionally, there are error message
fixes for docker http api compat.
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
Checking for 'skip.*[0-9]{4,5}', and checking status on said
issues, finds several that have been closed. Let's see if
they're really fixed.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Fixes#5788
This commit adds support for named volumes in podman-generate-kube.
Named volumes are output in the YAML as PersistentVolumeClaims.
To avoid naming conflicts, the volume name is suffixed with "-pvc".
This commit adds a corresponding suffix for host path mounts.
Host path volumes are suffixed with "-host".
Signed-off-by: Jordan Williams <jordan@jwillikers.com>
* Remove orphaned code
* Add meaningful error from LoadImageFromSingleImageArchive() when
heuristic fails to determine payload format
* Correct swagger to output correct types and headers
Signed-off-by: Jhon Honce <jhonce@redhat.com>
This is the continuation work started in #9711. It turns out
that list/prune commands for volumes in libpod/compat api have
very dangerous error handling when broken filter input is supplied.
Problem also affects network list/prune in libpod. This commit
unifies filter handling across libpod/compat api and adds sanity
apiv2 testcases.
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
there was a documentation issue for the kernel that reported the range
to be different than on cgroup v1.
The issue has been fixed in crun/runc. Adapt the test.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
- cp test: clean up stray image
- build test: add workaround for #9567 (ultra-slow ubuntu).
We're seeing CI flakes (timeouts) due to ubuntu 2004 being
absurdly slow. Workaround: double our timeout on one specific
test when ubuntu + remote.
- build test: clean up new copy-from test (from #9275).
The test was copy-pasted from buildah system tests, without
really adapting for podman environment (e.g. it was using
images that we don't use here, and would cause pulls, which
will cause flakes). Rewrite test so it references only $IMAGE,
remove some confusing/unnecessary stuff, selectively run
parts of it even when rootless or remote, and add a
test to confirm that copy-from succeeded.
- load test: add error-message test to new load-invalid (#9672).
Basically, make sure the command fails for the right reason.
- play test (kube): use $IMAGE, not alpine; and add pause-image
cleanup to teardown()
- apiv2 mounts test: add a maintainability comment in a tricky
section of code; and tighten up the mount point test.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The New York timezone changes between summer and winter time.
Make sure the test allows both timezones.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
podman gating tests are hanging in the new Fedora CI setup;
long and tedious investigation suggests that 'socat' processes
are being left unkilled, which then causes BATS to hang when
it (presumably) runs a final 'wait' in its end cleanup.
The two principal changes are to exec socat in a subshell
with fd3 closed, and to pkill its child processes before
killing the process itself. I don't know if both are needed.
The pkill definitely is; the exec may just be superstition.
Since I've wasted more than a day of PTO time on this, I'm
okay with a little superstition. What I do know is that with
these two changes, my reproducer fails to reproduce in over
one hour of trying (normally it fails within 5 minutes).
AND, update: only rawhide (f35) leaves stray socat processes
behind. f33 and ubuntu do not, so 'pkill -P' fails.
I really have no idea what's going on.
Signed-off-by: Ed Santiago <santiago@redhat.com>
When I originally wrote this code I had no idea what POST
would look like so I did a sloppy job, deferring making it
usable. Now that we have some real-world examples in place,
I have a better understanding of what params look like and
how to make tests more readable/maintainable. (Deferring isn't
always bad: one of my early ideas was to separate params using
commas; that would've been a disaster because some JSON values,
such as arrays, include commas).
This commit implements a better way of dealing with POST:
* The main concept is still 'key=value'
* When value is a JSON object (dictionary, array), it
can be quoted.
* Multiple params are simply separated by spaces.
The 3-digit HTTP code is a prominent, readable separator
between POST params and expected results. The parsing
code is a little uglier, but test developers need
never see that. The important thing is that writing
tests is now easier.
* POST params can be empty (this removes the need for a
useless '')
I snuck in one unrelated change: one of the newly-added
tests, .NetworkSettings, was failing when run rootless
(which is how I test on my setup). I made it conditional.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Currently we were overwrapping error returned from removal
of a non existing container.
$ podman rm bogus -f
Error: failed to evict container: "": failed to find container "bogus" in state: no container with name or ID bogus found: no such container
Removal of wraps gets us to.
./bin/podman rm bogus -f
Error: no container with name or ID "bogus" found: no such container
Finally also added quotes around container name to help make it standout
when you get an error, currently it gets lost in the error.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When copying from a container, make sure to evaluate the symlinks
correctly. Add tests copying a symlinked directory from a running and
a non-running container to execute both path-resolution paths.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Copy is full of perils. Some of them are the nuances when copying
directories. Who would have thought that
* cp dir foo
* cp dir/ foo
* cp dir/. foo
are all supposed to yield the same result when foo does not exist.
`podman cp` now supports all three notations, which required to massage
the front-end code in `cmd/podman` a bit. The tests have been extended
and partially rewritten to test container->host and host->container
copy operations.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Make sure the files are chowned to the host/container user, depending on
where things are being copied to.
Fixes: #9626
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Ignore permission errors when copying from a rootless container.
TTY devices inside rootless containers are owned by the host's
root user which is "nobody" inside the container's user namespace
rendering us unable to even read them.
Enable the integration test which was temporarily disabled for rootless
users.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
...and a rudimentary set of /auth tests for PR#9589 (disabled).
This simply adds a new start_registry() helper function that
allocates a random unused port, pulls a registry image, creates
a local certificate + random username + random password, and
fires everything up. Since none of this is (yet) used in CI,
this is very low risk.
The only infinitessimally-risky change is using a dedicated
subdirectory of $WORKDIR (instead of $WORKDIR itself) as
the podman root. This fixes a dumb oversight on my part:
the workdir has grown to be used for much more than just
podman root; this change removes clutter and makes it
easier for humans to debug in cases of problems.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Currently if you attempt to create a kube.yaml file off of a non running
container where the container runs as a specific User, the creation
fails because the storage container is not mounted. Podman is supposed to
read the /etc/passwd entry inside of the container but since the
container is not mounted, the c.State.Mountpoint == "". Podman
incorrectly attempts to read /etc/passwd on the host, and fails if the
specified user is not in the hosts /etc/passwd.
This PR mounts the storage container, if it was not mounted so the read
succeeds.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This patch will allow users to pass in the time 0.
Currently the timeout will take 10 seconds if user passes
in the 0 flag.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The NanoCpus field in HostConfig was not wired up. It conflicts
with CPU period and quota (it hard-codes period to a specific
value and then sets the user-specified value as Quota).
Fixes#9523
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Traditionally, the path resolution for containers has been resolved on
the *host*; relative to the container's mount point or relative to
specified bind mounts or volumes.
While this works nicely for non-running containers, it poses a problem
for running ones. In that case, certain kinds of mounts (e.g., tmpfs)
will not resolve correctly. A tmpfs is held in memory and hence cannot
be resolved relatively to the container's mount point. A copy operation
will succeed but the data will not show up inside the container.
To support these kinds of mounts, we need to join the *running*
container's mount namespace (and PID namespace) when copying.
Note that this change implies moving the copy and stat logic into
`libpod` since we need to keep the container locked to avoid race
conditions. The immediate benefit is that all logic is now inside
`libpod`; the code isn't scattered anymore.
Further note that Docker does not support copying to tmpfs mounts.
Tests have been extended to cover *both* path resolutions for running
and created containers. New tests have been added to exercise the
tmpfs-mount case.
For the record: Some tests could be improved by using `start -a` instead
of a start-exec sequence. Unfortunately, `start -a` is flaky in the CI
which forced me to use the more expensive start-exec option.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Make sure to pass the cni interface descriptions to cni teardowns.
Otherwise cni cannot find the correct cache files because the
interface name might not match the networks. This can only happen
when network disconnect was used.
Fixes#9602
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Server, bindings, and CLI all now pull version information from version
package.
* Current /libpod API version slaved to podman/libpod Version
* Bindings validate against libpod API Minimal version
* Remove pkg/bindings/bindings.go and updated tests
Fixes: #9207
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Fixes: https://github.com/containers/podman/issues/9582
This PR also adds tests to make sure SELinux labels match the runtime,
or if init is specified works with the correct label.
Add tests for selinux kvm/init labels
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
It took a lot to figure out exactly how this should work, but I
think I finally have it. My initial versions of this created the
directory with the same owner as the user the container was run
with, which was rather complicated - but after review against
Docker, I have determined that is incorrect, and it's always made
as root:root 0755 (Ubuntu's Docker, which I was using to try and
test, is a snap - and as such it was sandboxed, and not actually
placing directories it made in a place I could find?). This makes
things much easier, since I just need to parse out source
directories for binds and ensure they exist.
Fixes#9510
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
The compatibility endpoint for listing containers should have the
summarized network configuration with it.
Fixes: #9529
Signed-off-by: baude <bbaude@redhat.com>
Docker api expects secrets endpoint to have a version field. So, the
version field is added into the compat endpoint only. The version field
is always 1, since Docker uses the version to keep track of updates to
the secret, and currently we cannot update a secret.
Signed-off-by: Ashley Cui <acui@redhat.com>
Some log tests were duplicated, and some didn't need to be repeated for
every driver. Also, added some comments
Signed-off-by: Ashley Cui <acui@redhat.com>
Currently podman is ignoreing the build --timestamp flag.
This PR fixes this for local and remote clients.
Fixes: https://github.com/containers/podman/issues/9569
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Move the core of renaming logic into the DB. This guarantees a
lot more atomicity than we have right now (our current solution,
removing the container from the DB and re-creating it, is *VERY*
not atomic and prone to leaving a corrupted state behind if
things go wrong. Moving things into the DB allows us to remove
most, but not all, of this - there's still a potential scenario
where the c/storage rename fails but the Podman rename succeeds,
and we end up with a mismatched state.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
The compatibility endpoint for build labels should be of type dict (not
list). For backwards compatibility, we support both.
Fixes: #9517
Signed-off-by: baude <bbaude@redhat.com>
* Introduce sub-package compat to meet packaging and import requirements
* Update documenation for running tests
* Add requirements.txt to improve IDE support
Signed-off-by: Jhon Honce <jhonce@redhat.com>
While I wasn't looking, some completely unreadable cruft
crept in here, and it's totally my fault: I never knew
you could pass JSON to a GET query. Everyone who DID
know that, did so, but had to URL-escape it into a
completely gobbledygook mess to make curl happy.
Solution: trivial, do the URL-escaping in 't' itself. I
just never realized that was needed.
I'm so sorry. I hope this helps.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Docker allows both the old `map[string]map[string]bool`
and the newer `map[string][]string` for the filter param
so we should too.
Fixes#9526
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Since we have no good way to enable this on the server side, we will
just allow it to be set on the client side. This should solve almost all
cases.
Partially fixes: https://github.com/containers/podman/issues/9500
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Create is not formatted as `key=value` but rather `key:value`
(technically `path:option1,option2`). As such we can't use the
stringMapToArray function, and instead need to generate it
manually.
Fixes#9511
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
buildah now supports running under emulation[1] as well as
creating manifests. Use those features to create a multiarch
testimage that can be used to test podman on other arches.
[1] on Fedora 33, this requires the qemu-user-static package
We also build a new :00000001 image, replacing :00000000,
because (sigh) some tests try to run 'true' in the container.
Include instructions on building said image.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Added ID to default
removed outdated imports
slight refactor
Test Network Headers added to network_test.go
Signed-off-by: Parker Van Roy <pvanroy@redhat.com>
Only the the network mode bridge supports cni networks.
Other network modes cannot use network connect/disconnect
so we should throw a error.
Fixes#9496
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
The order of CapAdd when inspecting containers is deterministic.
However, the order of CapDrop is not (for unclear reasons). Add a
quick sort on the final array to guarantee a consistent order.
Fixes#9490
Signed-off-by: Matthew Heon <mheon@redhat.com>
Initial validation of using podman-in-podman to create an
old-podman root, then use new-podman to play with the
containers created therein.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Since commit d54478d8ea, a container's lock is released before
attempting to stop it via the OCI runtime. This opened the window
for various kinds of race conditions. One of them led to #9479 where
the removal+cleanup sequences of a `run --rm` session overlapped with
`rm -af`. Make both execution paths more robust by handling the case of
an already removed container.
Fixes: #9479
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
/dev/stdin should not be treated as "-" to remain compatible with Docker
and to have a more consistent and idiomatic interface.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
/dev/stdout should not be treated as "-" to remain compatible with
Docker and to have a more consistent and idiomatic interface.
Fixes: #9362
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The libpod network logic knows about networks IDs but OCICNI
does not. We cannot pass the network ID to OCICNI. Instead we
need to make sure we only use network names internally. This
is also important for libpod since we also only store the
network names in the state. If we would add a ID there the
same networks could accidentally be added twice.
Fixes#9451
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
We missed bumping the go module, so let's do it now :)
* Automated go code with github.com/sirkon/go-imports-rename
* Manually via `vgrep podman/v2` the rest
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Make sure to treat "." and "/." correctly. Both cases imply to copy the
contents of a directory in contrast to the directory. This implies to
unset the KeepDirectoryNames options of the copiah package.
Previously, the code was performing a simple string suffix check which
is not enough since it would match files and directories ending with
".".
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Instead of using the container's mountpoint as the base of the
chroot and indexing from there by the volume directory, instead
use the full path of what we want to copy as the base of the
chroot and copy everything in it. This resolves the bug, ends up
being a bit simpler code-wise (no string concatenation, as we
already have the full path calculated for other checks), and
seems more understandable than trying to resolve things on the
destination side of the copy-up.
Fixes#9354
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Podman -s crashes when the user specifies the '{{ .Size }}` format
on the podman ps command, without specifying the --size option.
This PR will stop the crash and print out a logrus.Error stating that
the caller should add the --size option.
Fixes: https://github.com/containers/podman/issues/9408
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We recieved an issue with an image that was built with
entrypoint=[""]
This blows up on Podman, but works on Docker.
When we setup the OCI Runtime, we should drop
entrypoint if it is == [""]
https://github.com/containers/podman/issues/9377
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently if the host shares container storage with a container
running podman, the podman inside of the container resets the
storage on the host. This can cause issues on the host, as
well as causes the podman command running the container, to
fail to unmount /dev/shm.
podman run -ti --rm --privileged -v /var/lib/containers:/var/lib/containers quay.io/podman/stable podman run alpine echo hello
* unlinkat /var/lib/containers/storage/overlay-containers/a7f3c9deb0656f8de1d107e7ddff2d3c3c279c11c1635f233a0bffb16051fb2c/userdata/shm: device or resource busy
* unlinkat /var/lib/containers/storage/overlay-containers/a7f3c9deb0656f8de1d107e7ddff2d3c3c279c11c1635f233a0bffb16051fb2c/userdata/shm: device or resource busy
Since podman is volume mounting in the graphroot, it will add a flag to
/run/.containerenv to tell podman inside of container whether to reset storage or not.
Since the inner podman is running inside of the container, no reason to assume this is a fresh reboot, so if "container" environment variable is set then skip
reset of storage.
Also added tests to make sure /run/.containerenv is runnig correctly.
Fixes: https://github.com/containers/podman/issues/9191
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This one is rather bizarre because it triggers only on some
systems. I've included a CI test, for example, but I'm 99% sure
we use images in CI that have volumes over empty directories, and
the earlier patch to change copy-up implementation passed CI
without complaint.
I can reproduce this on a stock F33 VM, but that's the only place
I have been able to see it.
Regardless, the issue: under certain as-yet-unidentified
environmental conditions, the copier.Get method will return an
ENOENT attempting to stream a directory that is empty. Work
around this by avoiding the copy altogether in this case.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Make sure to not set an empty $HOME for containers and let it default to
"/".
https://github.com/containers/crun/pull/599 is required to fully
address #9378.
Partially-Fixes: #9378
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The `images/create` endpoint should always attempt to pull a newer
image. Previously, the local images was used which is not compatible
with Docker and caused issues in the Gitlab CI.
Fixes: #9232
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
when creating a pod with --infra-image and using a untagged image for
the infra-image (none/none), the lookup for the image's name was
creating a panic.
Fixes: #9374
Signed-off-by: baude <bbaude@redhat.com>
Make sure that Podman's default OCI runtime is passed to Buildah in
`podman build`. In theory, Podman and Buildah should use the same
defaults but the projects move at different speeds and it turns out
we caused a regression in v3.0.
Fixes: #9365
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Fixes: https://github.com/containers/podman/issues/9290
Currently we still have hard coded --isolation=chroot for podman-remote build.
Implement missing arguments for podman build
Implements
--jobs, --disable-compression, --excludes
Fixes:
MaxPullPushRetries
RetryDuration
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When we stop a container we are printing the full id,
this does not match Docker behaviour or the start behavior.
We should be printing the users rawInput when we successfully
stop the container.
Fixes: https://github.com/containers/podman/issues/9386
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently podman is always chowning the WORKDIR to root:root
This PR will return if the WORKDIR already exists.
Fixes: https://github.com/containers/podman/issues/9387
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The logic in the e2e test for multiple network aliases is indicating the
test should wait for the containerized nginx to be ready. As this may
take some time, the test does an exponential backoff starting at 2050ms.
Fix the logic by removing the `Expect(...)` call during the exponential
backoff. Otherwise, the test errors immediately.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The timestamps of some images must have changed changing the number of
expected filtered images. The test conditions seem fragile but for now
it's more important to get CI back.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
now getCgroupProcess takes the longest path on cgroup v1, instead of
complaining if the paths are different.
This should help when --cgroups=split is used on cgroup v1 and the
process cgroups look like:
$ cat /proc/self/cgroup
11:pids:/user.slice/user-0.slice/session-4.scope
10:blkio:/
9:cpuset:/
8:devices:/user.slice
7:freezer:/
6:memory:/user.slice/user-0.slice/session-4.scope
5:net_cls,net_prio:/
4:hugetlb:/
3:cpu,cpuacct:/
2:perf_event:/
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
when printing out json format, we mistakenly changed the Created field
output to be a time.time in a different commit. This allows for
override of the Created field to be a unix ts as type int64.
Fixes: #9315
Signed-off-by: baude <bbaude@redhat.com>
Correcting the structure of the compat network prune response. They
should follow {"NetworksDeleted": [<network_name>",...]}
Fixes: #9310
Signed-off-by: baude <bbaude@redhat.com>
When doing a container inspect on a container with unlimited ulimits,
the value should be -1. But because the OCI spec requires the ulimit
value to be uint64, we were displaying the inspect values as a uint64 as
well. Simple change to display as an int64.
Fixes: #9303
Signed-off-by: baude <bbaude@redhat.com>
When docker-java calls images/create?fromImage=x, it expects two things
for a successful response: that both "error" and "errorDetail" are not
set, and that the "progress" message contains one of five hard-coded
strings ("Download complete" being one of them).
Signed-off-by: Igor Korolev <missterr@gmail.com>
The old copy-up implementation was very unhappy with symlinks,
which could cause containers to fail to start for unclear reasons
when a directory we wanted to copy-up contained one. Rewrite to
use the Buildah Copier, which is more recent and should be both
safer and less likely to blow up over links.
At the same time, fix a deadlock in copy-up for volumes requiring
mounting - the Mountpoint() function tried to take the
already-acquired volume lock.
Fixes#6003
Signed-off-by: Matthew Heon <mheon@redhat.com>
Add the SECRET keyword to the shell completion test. Also update the
use line for podman secret create to use `NAME` instead of `SECRET`.
This matches the other commands such as network/volume create.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
The networks list compat api endpoint must return `[]`
and not `null` if no networks are found.
Fixes#9293
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Service needs to be restarted in order to read the CONTAINERS_CONF file.
Not resetting this can lead to lots of flakes, since the test will use
whatever the host system has to be set in it's containers.conf.
Fixes: https://github.com/containers/podman/issues/9286
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
It's been a while since I last looked at these; some cruft
has crept in, generating noise and hence unreadable test
results. Clean it up:
* remove pushd/popd in one subtest, replace with 'tar -C'.
(Also remove confusing quotation marks). This removes
spurious directory names from output.
* in like(), show only first line of actual output.
Some commands ('tree', 'generate kube') produce
voluminous multi-line output, which is super useless
and distracting when reading a test run.
* Recognize that some queries will not generate output,
e.g. HEAD requests and some POSTs. Deal with that.
This fixes "curl.result.out: no such file" and "parse
error" warnings.
* In cleanup, 'podman rm -a' and 'rmi -af'; this gets
rid of errors when deleting $WORKDIR. (EBUSY error
when root, EPERM when rootless).
And, the original reason for poking in here: refactor the
wait-for-port part of start_server() into its own helper
function, so we can use it when starting a local registry
in 12-imagesMore. (Ref: #9270)
Signed-off-by: Ed Santiago <santiago@redhat.com>
Docker doesn't have the destination parameter as libpod does,
the "image name" path parameter is supposed to be the destination.
Signed-off-by: Matej Vasek <mvasek@redhat.com>
Do not play with capabilities for privileged containers where all
capabilities will be set implicitly.
Also, avoid the device check when running privileged since all of /dev/*
will be mounted in any case.
Fixes: #8897
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Implement podman secret create, inspect, ls, rm
Implement podman run/create --secret
Secrets are blobs of data that are sensitive.
Currently, the only secret driver supported is filedriver, which means creating a secret stores it in base64 unencrypted in a file.
After creating a secret, a user can use the --secret flag to expose the secret inside the container at /run/secrets/[secretname]
This secret will not be commited to an image on a podman commit
Signed-off-by: Ashley Cui <acui@redhat.com>
The c/storage library is subject to TOCTOUs as the central container and
image storage may be shared by many instances of many tools. As shown
in #6510, it's fairly easy to have multiple instances of Podman running
in parallel and yield image-lookup errors when removing them.
The underlying issue is the TOCTOU of removal being split into multiple
stages of first reading the local images and then removing them. Some
images may already have been removed in between the two stages. To make
image removal more robust, handle errors at stage two when a given image
is not present (anymore) in the storage.
Fixes: #6510
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Buildah bud passes a bunch more flags then podman build.
We need to implement hook up all of these flags to get full functionality.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
add the ability to prune unused cni networks. filters are not implemented
but included both compat and podman api endpoints.
Fixes :#8673
Signed-off-by: baude <bbaude@redhat.com>
When resolving the workdir of a container, we may need to create unless
the user set it explicitly on the command line. Otherwise, we just do a
presence check. Unfortunately, there was a missing return that lead us
to fall through into attempting to create and chown the workdir. That
caused a regression when running on a read-only root fs.
Fixes: #9230
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The allocated `tmpNetworkStatus` must be allocated with the length 0.
Otherwise append would add new elements to the end of the slice and
not at the beginning of the allocated memory.
This caused inspect to fail since the number of networks did not
matched the number of network statuses.
Fixes#9234
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
The spec of a Kube Container has a `Command` and `Args`. While both are
slices, the `Command` is the counterpart of the entrypoint of a libpod
container. Kube is also happily accepting the arguments to as following
items in the slice but it's cleaner to move those to `Args`.
Fixes: #9211
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When using the compatability tests on kill, the kill
function goes into an infinite wait loop taking all of the CPU.
This change will use the correct wait function and exit properly.
Fixes: https://github.com/containers/podman/issues/9206
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This actually tests conmon, not podman; but that's the whole
point of system tests in the first place: if a problem exists,
we want to fail loudly, no matter whose fault it is.
(I can't get this to fail on my f33 laptop; OP on #9096 claims
it only fails on Ubuntu. We'll see what happens in CI).
Signed-off-by: Ed Santiago <santiago@redhat.com>
- When one or more containers in the Pod reports an error on an operation
report StatusConflict and report the error(s)
- jsoniter type encoding used to marshal error as string using error.Error()
- Update test framework to allow setting any flag when creating pods
- Fix test_resize() result check
Fixes#8865
Signed-off-by: Jhon Honce <jhonce@redhat.com>
when creating a macvlan network, we should honor gateway, subnet, and
mtu as provided by the user.
Fixes: #9167
Signed-off-by: baude <bbaude@redhat.com>
The mtu default value is currently forced to 65520.
This let the user control it using the config key network_cmd_options,
i.e.: network_cmd_options=["mtu=9000"]
Signed-off-by: bitstrings <pino.silvaggio@gmail.com>
We need an extra field in the pod infra container config. We may
want to reevaluate that struct at some point, as storing network
modes as bools will rapidly become unsustainable, but that's a
discussion for another time. Otherwise, straightforward plumbing.
Fixes#9165
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
instead of using the --macvlan to indicate that you want to make a
macvlan network, podman network create now honors the driver name of
*macvlan*. Any options to macvlan, like the parent device, should be
specified as a -o option. For example, -o parent=eth0.
the --macvlan option was marked as deprecated in the man page but is
still supported for the duration of 3.0.
Signed-off-by: baude <bbaude@redhat.com>
Eclipse and Intellij Docker plugin determines the state of the
container via the Status field, returned from /containers/json call.
Podman always returns empty string, and because of that, both IDEs
show the wrong state of the container.
Signed-off-by: Milivoje Legenovic <m.legenovic@gmail.com>
The `--network` flag is parsed differently for `podman pod create`.
This causes confusion and problems for users. The extra parsing
logic ignored unsupported network options such as `none`,
`container:...` and `ns:...` and instead interpreted them as cni
network names.
Tests are added to ensure the correct errors are shown.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1915332
```
According to the Docker docs, the consistency option should be ignored on Linux.
the possible values are 'cached', 'delegated', and 'consistent', but they should be ignored equally.
This is a widely used option in scripts run by developer machines, as this makes file I/O less horribly slow on MacOS.
```
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Change API Handlers to use the same functions that the
local podman uses.
At the same time:
implement remote API for --all and --ignore flags for podman stop
implement remote API for --all flags for podman stop
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
when creating kubernetes yaml from containers and pods, we should honor
any custom dns settings the user provided. in the case of generate kube,
these would be provided by --dns, --dns-search, and --dns-opt. if
multiple containers are involved in the generate, the options will be
cumulative and unique with the exception of dns-opt.
when replaying a kube file that has kubernetes dns information, we now
also add that information to the pod creation.
the options for dnspolicy is not enabled as there seemed to be no direct
correlation between kubernetes and podman.
Fixes: #9132
Signed-off-by: baude <bbaude@redhat.com>
Fix man page to document podman push --format fully.
Also found that push was not handling the tlsverify so fixed this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This reverts commit 15caebfe56.
The previous behaviour of `--pull` to *always* attempt to pull the image
and error out if the pull failed aligns with Docker. Since Podman aims
at feature parity with Docker, the `--pull` behaviour must match.
Fixes: #9134
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Remove bindings that are not handled over the API.
Leaving this one to not use image pull, since this would
break progress handling. We should revisit this in the
future.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Make sure we pass the network aliases as capability args to the
cnitool in the rootless-cni-infra container. Also update the
dnsname plugin in the cni-infra container.
Fixes#8567
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Make sure we pass the ip and mac address as CNI_ARGS to
the cnitool which is executed in the rootless-cni-infra
container.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
The `--pull` flag should be using the "pull if newer" pull policy rather
than "pull always". This aligns with what the help message states, what
Buildah does and, according to #9111, what was done before,
Also add a test to prevent future regressions.
Fixes: #9111
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Change API Handlers to use the same functions that the
local podman uses.
At the same time:
Cleanup and pass proper bindings. Remove cli options from
podman-remote push. Cleanup manifest push.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Use a mutex to synchronize the slice for storing tests results.
Running the e2e tests in parallel is otherwise subject to race
conditions surfacing in lost entries.
Fixes: #8358
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Fixup the bindings and the handling of the --external --por and --sort
flags.
The --storage option was renamed --external, make sure we use
external up and down the stack.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Make sure to write error from conmon on the hijacked http connection.
This fixes issues where errors were not reported on the client side,
for instance, when specified command was not found on the container.
To future generations: I am sorry. The code is complex, and there are
many interdependencies among the concurrent goroutines. I added more
complexity on top but I don't have a good idea of how to reduce
complexity in the available time.
Fixes: #8281
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
when inspecting a container that is only connected to the default
network, we should populate the default network in the container inspect
information.
Fixes: #6618
Signed-off-by: baude <bbaude@redhat.com>
MH: Small fixes, added another test
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Docker has, for unclear reasons, three separate fields in their
Create Container struct in which volumes can be placed. Right now
we support two of those - Binds and Mounts, which (roughly)
correspond to `-v` and `--mount` respectively. Unfortunately, we
did not support the third, `Volumes`, which is used for anonymous
named volumes created by `-v` (e.g. `-v /test`). It seems that
volumes listed here are *not* included in the remaining two from
my investigation, so it should be safe to just append them into
our handling of the `Binds` (`-v`) field.
Fixes#8649
Signed-off-by: Matthew Heon <mheon@redhat.com>
A container's workdir can be specified via the CLI via `--workdir` and
via an image config with the CLI having precedence.
Since images have a tendency to specify workdirs without necessarily
shipping the paths with the root FS, make sure that Podman creates the
workdir. When specified via the CLI, do not create the path, but check
for its existence and return a human-friendly error.
NOTE: `crun` is performing a similar check that would yield exit code
127. With this change, however, Podman performs the check and yields
exit code 126. Since this is specific to `crun`, I do not consider it
to be a breaking change of Podman.
Fixes: #9040
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
podman-remote search had some FIXMEs in tests that were failing.
So I reworked the search handler to use the local abi. This
means the podman search and podman-remote search will use the
same functions.
While doing this, I noticed we were just outputing errors via
logrus.Error rather then returning them, which works ok for
podman but the messages get lost on podman-remote. Changed
the code to actually return the error messages to the caller.
This allows us to turn on the remaining podman-remote FIXME
tests.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The --default-mounts-file path was not being handled in
podman build. This will enable it to use for testing.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
- stop: test --all and --ignore (#9051)
- build: test /run/secrets (#8679, but see below)
- sensitive mount points: deal with 'stat' failures
- selinux: confirm useful diagnostics on unknown labels (#8946)
The 'build' test is intended as a fix for #8679, in which
'podman build' does not mount secrets from mounts.conf.
Unfortunately, as of this writing, 'podman build' does
not pass the --default-mounts-file option to buildah,
so there's no reasonable way to test this path. Still,
we can at least confirm /run/secrets on 'podman run'.
The /sys thing is related to #8949: RHEL8, rootless, cgroups v1.
It's just a workaround to get gating tests to pass on RHEL.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Currently podman implements --override-arch and --overide-os
But Podman has made these aliases for --arch and --os. No
reason to have to specify --override, since it is clear what
the user intends.
Currently if the user specifies an --override-arch field but the
image was previously pulled for a different Arch, podman run uses
the different arch. This PR also fixes this issue.
Fixes: https://github.com/containers/podman/issues/8001
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
when doing a network creation, the dnsname plugin should be disabled
when the --internal bool is set. a warning is displayed if this
happens and docs are updated.
Signed-off-by: baude <bbaude@redhat.com>
if a CNI network is added to the container, use the IP address in that
network instead of hard-coding the slirp4netns default.
commit 5e65f0ba30 introduced this
regression.
Closes: https://github.com/containers/podman/issues/9065
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
docker-client is a library written in Java and used in Eclipse to
speak with Docker API. When endpoint /images/search is called,
HTTP header attribute X-Registry-Auth has value "null". This is for
sure wrong but Docker tolerates this value, and call works. With this
patch call works also with Podman. #7857
Signed-off-by: Milivoje Legenovic <m.legenovic@gmail.com>
Just running through the tests that have SkipIfRemote("FIXME")
and attempting to not skip. Found these tests now work.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
set the source IP to the slirp4netns address instead of 127.0.0.1 when
using rootlesskit.
Closes: https://github.com/containers/podman/issues/5138
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Unlike the container storage all e2e test are using the same cni
config directory. This causes problems if the network name already
exists. Using random names will make the second run pass even if the
first failed. This is only done to prevent full CI failures.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
If the container create command contains an argument with double
curly braces the golang template parsing can fail since it tries
to interpret the value as variable. To fix this change the default
delimiter for the internal template to `{{{{`.
Fixes#9034
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
I found several problems with container remove
podman-remote rm --all
Was not handled
podman-remote rm --ignore
Was not handled
Return better errors when attempting to remove an --external container.
Currently we return the container does not exists, as opposed to container
is an external container that is being used.
This patch also consolidates the tunnel code to use the same code for
removing the container, as the local API, removing duplication of code
and potential problems.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When doing a podman images, manifests lists look just like images, so
it is logical that users would assume that they can just podman push them
to a registry. The problem is we throw out weird errors when this happens
and users need to somehow figure out this is a manifest list rather then
an image, and frankly the user will not understand the difference.
This PR will make podman push just do the right thing, by failing over and
attempting to push the manifest if it fails to push the image.
Fix up handling of manifest push
Protocol should bring back a digest string, which can either be
printed or stored in a file.
We should not reimplement the manifest push setup code in the tunnel
code but take advantage of the api path, to make sure remote and local
work the same way.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
partially revert 95c45773d7
restrict the cases where /sys is bind mounted from the host.
The heuristic doesn't detect all the cases where the bind mount is not
necessary, but it is an improvement on the previous version where /sys
was always bind mounted for rootless containers unless --net none was
specified.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Basic theory: We remove the container, but *only from the DB*.
We leave it in c/storage, we leave the lock allocated, we leave
it running (if it is). Then we create an identical container with
an altered name, and add that back to the database. Theoretically
we now have a renamed container.
The advantage of this approach is that it doesn't just apply to
rename - we can use this to make *any* configuration change to a
container that does not alter its container ID.
Potential problems are numerous. This process is *THOROUGHLY*
non-atomic at present - if you `kill -9` Podman mid-rename things
will be in a bad place, for example. Also, we can't rename
containers that can't be removed normally - IE, containers with
dependencies (pod infra containers, for example).
The largest potential improvement will be to move the majority of
the work into the DB, with a `RecreateContainer()` method - that
will add atomicity, and let us remove the container without
worrying about depencies and similar issues.
Potential problems: long-running processes that edit the DB and
may have an older version of the configuration around. Most
notable example is `podman run --rm` - the removal command needed
to be manually edited to avoid this one. This begins to get at
the heart of me not wanting to do this in the first place...
This provides CLI and API implementations for frontend, but no
tunnel implementation. It will be added in a future release (just
held back for time now - we need this in 3.0 and are running low
on time).
This is honestly kind of horrifying, but I think it will work.
Signed-off-by: Matthew Heon <mheon@redhat.com>
This involves a new test binary (a basic implementation of the
volume plugin protocol) and a new image on quay.io (Containerfile
to produce it and all sources located in this commit). The image
is used to run a containerized plugin we can test against.
Signed-off-by: Matthew Heon <mheon@redhat.com>
This implements support for mounting and unmounting volumes
backed by volume plugins. Support for actually retrieving
plugins requires a pull request to land in containers.conf and
then that to be vendored, and as such is not yet ready. Given
this, this code is only compile tested. However, the code for
everything past retrieving the plugin has been written - there is
support for creating, removing, mounting, and unmounting volumes,
which should allow full functionality once the c/common PR is
merged.
A major change is the signature of the MountPoint function for
volumes, which now, by necessity, returns an error. Named volumes
managed by a plugin do not have a mountpoint we control; instead,
it is managed entirely by the plugin. As such, we need to cache
the path in the DB, and calls to retrieve it now need to access
the DB (and may fail as such).
Notably absent is support for SELinux relabelling and chowning
these volumes. Given that we don't manage the mountpoint for
these volumes, I am extremely reluctant to try and modify it - we
could easily break the plugin trying to chown or relabel it.
Also, we had no less than *5* separate implementations of
inspecting a volume floating around in pkg/infra/abi and
pkg/api/handlers/libpod. And none of them used volume.Inspect(),
the only correct way of inspecting volumes. Remove them all and
consolidate to using the correct way. Compat API is likely still
doing things the wrong way, but that is an issue for another day.
Fixes#4304
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Podman defers stopping the container to the runtime, which can take some
time. Keeping the lock while waiting for the runtime to complete the
stop procedure, prevents other commands from acquiring the lock as shown
in #8501.
To improve the user experience, release the lock before invoking the
runtime, and re-acquire the lock when the runtime is finished. Also
introduce an intermediate "stopping" to properly distinguish from
"stopped" containers etc.
Fixes: #8501
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
We now set Entrypoint when interpeting the image Entrypoint (or yaml.Command)
and Command when interpreting image Cmd (or yaml.Args)
This change is kind of breaking because now checking Config.Cmd won't return
the full command, but only the {cmd,args}.
Adapt the tests to this change as well
Signed-off-by: Peter Hunt <pehunt@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Docker does not support this, and it is confusing what to do if
the image has more then one tag. We are dropping support for this
in podman 3.0
Fixes: https://github.com/containers/podman/issues/7387
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Adding another check in the `podman search --list-tags --format json` test case.
Replacing an anonymous struct by \`listEntryTag\` struct.
Signed-off-by: Alexandre Fourcat <afourcat@gmail.com>
`podman ps --format {{.Networks}}` will show all connected networks for
this container. For `pod ps` it will show the infra container networks.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Allow to filter on the network name or full id.
For pod ps it will filter on the infra container networks.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Restore correct API endpoint payloads including reclaimed space numbers
* Include tests for API prune endpoints
* Clean up function signatures with unused parameters
* Update swagger for /networks/prune
Fixes#8891
Signed-off-by: Jhon Honce <jhonce@redhat.com>
When I launch a container with --userns=keep-id the rootless processes
should have no caps by default even if I launch the container with
--privileged. It should only get the caps if I specify by hand the
caps I want leaked to the process.
Currently we turn off capeff and capamb, but not capinh. This patch
treats capinh the same way as capeff and capamb.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
First, use the pflag library to parse the flags. With this we can
handle all corner cases such as -td or --detach=false.
Second, preserve the root args with --new. They are used for all podman
commands in the unit file. (e.g. podman --root /tmp run alpine)
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Systemd is now complaining or mentioning /var/run as a legacy directory.
It has been many years where /var/run is a symlink to /run on all
most distributions, make the change to the default.
Partial fix for https://github.com/containers/podman/issues/8369
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When adding the HOSTNAME environment variable, only do so if it
is not already present in the spec. If it is already present, it
was likely added by the user, and we should honor their requested
value.
Fixes#8886
Signed-off-by: Matthew Heon <mheon@redhat.com>
`KillMode=none` has been deprecated in systemd and is now throwing big
warnings when being used. Users have reported the issues upstream
(see #8615) and on the mailing list.
This deprecation was mainly motivated by an abusive use of third-party
vendors causing all kinds of undesired side-effects. For instance, busy
mounts that delay reboot.
After talking to the systemd team, we came up with the following plan:
**Short term**: we can use TimeoutStopSec and remove KillMode=none which
will default to cgroup.
**Long term**: we want to change the type to sdnotify. The plumbing for
Podman is done but we need it for conmon. Once sdnotify is working, we
can get rid of the pidfile handling etc. and let Podman handle it.
Michal Seklatar came up with a nice idea that Podman increase the time
out on demand. That's a much cleaner way than hard-coding the time out
in the unit as suggest in the short-term solution.
This change is executing the short-term plan and sets a minimum timeout
of 60 seconds. User-specified timeouts are added to that.
Fixes: #8615
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
so that the PIDFile can be accessed also without being in the rootless
user namespace.
Closes: https://github.com/containers/podman/issues/8506
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
1.) podman cannot send proper dockerfile when it is not inside root
folder.
2.) support for sending symlinks and folders inside context dir
3.) when sending context dir as tar to remote, prevent sending items
inside .dockerignore
Signed-off-by: Kazım SARIKAYA <kazimsarikaya@sanaldiyar.com>
When running a privileged container and `SeccompProfilePath` is empty no seccomp profile should be applied.
(Previously this was the case only if `SeccompProfilePath` was set to a non-empty default path.)
Closes#8849
Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
This change adds code to report the reclaimed space after a prune.
Reclaimed space from volumes, images, and containers is recorded
during the prune call in a PruneReport struct. These structs are
collected into a slice during a system prune and processed afterwards
to calculate the total reclaimed space.
Closes#8658
Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
when HostNetwork is true in the pod spec.
Also propagate whether host network namespace should be used for containers.
Add test for HostNetwork setting in kubeYaml.
The infra configuration should reflect the setting.
Signed-off-by: Benedikt Ziemons <ben@rs485.network>
A opened file object of a logfile gets lost because the variable
`logfile` is redefined in a `if` block. This fix stops redefining
the variable.
Signed-off-by: Hironori Shiina <Hironori.Shiina@fujitsu.com>
when neither yaml.Args nor yaml.Command are specified, we should use the entrypoint and cmd from the image.
update the tests to cover this and another case (both args and command are specified).
use the registry image instead of redis, as it has both an entrypoint and command specified.
update the documentation around this handling to hopefully prevent regressions and confusion.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
With additional stores there is a risk that you could have
multiple images with the same name. IE An older image in a
read/only store versus a newer version in the read/write store.
This patch will ignore multiple images with the same name iff
one is read/write and all of the others are read/only.
Fixes: https://github.com/containers/podman/issues/8176
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
adds the ability to filter containers based on the filter "pod". the
value can be a pod name or its full or partial id.
Fixes: #8512
Signed-off-by: baude <bbaude@redhat.com>
This change was missed in pull/8689. Now that volume pruneing supports
filters system pruneing can pass its filters down to the volume
pruneing. Additionally this change adds tests for the following components
* podman system prune subcommand with `--volumes` & `--filter` options
* apiv2 api tests for `/system/` and `/libpod/system` endpoints
Relates to #8453, #8672
Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
The new Ubuntu 20.04 VMs seem very slow and fail reproducibly in a build
test (i.e, "wordir, cmd, env, label"). Bumping up the time out to 120
seconds will help get the CI green.
See github.com/containers/podman/pull/8747.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Implement `podman-remote cp` and break out the logic from the previously
added `pkg/copy` into it's basic building blocks and move them up into
the `ContainerEngine` interface and `cmd/podman`.
The `--pause` and `--extract` flags are now deprecated and turned into
nops.
Note that this commit is vendoring a non-release version of Buildah to
pull in updates to the copier package.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
`podman network create` should always add a gateway to the cni config.
If no gateway is given use the first ip in the subnet. CNI does not require
the gateway field but we need it because of network inspect.
This worked with previous version but was dropped in Commit(e7a72d72fd).
Fixes#8748
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Tracking down a CI failure earlier today, I was slightly
delayed by the absence of context information in a test
failure. This PR adds full command context to each
subtest, making it much easier for the developer to
narrow down the cause of a failure.
Signed-off-by: Ed Santiago <santiago@redhat.com>
These tests simply will not work under these conditions.
Note: Recently updated F32 (prior-fedora) and Ubuntu 20.04
(prior-ubuntu) VMs always use CGroupsV1 with runc. F33 and
Ubuntu 20.10 were updated to always use CGroupsV2 with crun.
Signed-off-by: Chris Evich <cevich@redhat.com>
When running as rootless, on a CgroupV1 host these tests all report:
`Error: pod stats is not supported in rootless mode without cgroups v2`
Note: Recently updated F32 (prior-fedora) and Ubuntu 20.04
(prior-ubuntu) VMs always use CGroupsV1 with runc. F33 and
Ubuntu 20.10 were updated to always use CGroupsV2 with crun.
Signed-off-by: Chris Evich <cevich@redhat.com>
This should be addressed by PR
https://github.com/containers/podman/pull/8685
Note: Recently updated F32 (prior-fedora) and Ubuntu 20.04
(prior-ubuntu) VMs always use CGroupsV1 with runc. F33 and
Ubuntu 20.10 were updated to always use CGroupsV2 with crun.
Signed-off-by: Chris Evich <cevich@redhat.com>
Nearly/all of the 'podman stats' tests fail on Fedora when
executing testing inside a container, and CGroupsV1 is used on the
host. The typical failure message is of the form `Error: unable to
load cgroup at /machine.slice/.../: cgroup deleted`.
Note: Recently updated F32 (prior-fedora) and Ubuntu 20.04
(prior-ubuntu) VMs always use CGroupsV1 with runc. F33 and
Ubuntu 20.10 were updated to always use CGroupsV2 with crun.
Signed-off-by: Chris Evich <cevich@redhat.com>
These tests fail with `Error: opening file `io.bfq.weight` for writing:
Permission denied: OCI permission denied`. Upon examination of the
VMs, it was found the kernel and OS lacks support for the `BFQ`
scheduler (which supplies the `weight` option). The only available
schedulers are `none` and `mq-deadline`.
Note: Recently updated F32 (prior-fedora) and Ubuntu 20.04
(prior-ubuntu) VMs always use CGroupsV1 with runc. F33 and
Ubuntu 20.10 were updated to always use CGroupsV2 with crun.
Signed-off-by: Chris Evich <cevich@redhat.com>
- run test: minor cleanup to .containerenv test. Basically,
make it do only two podman-runs (they're expensive) and
tighten up the results checks
- ps test: add ps -a --storage. Requires small tweak to
run_podman helper, so we can have "timeout" be an expected
result
- sdnotify test: workaround for #8718 (seeing MAINPID=xxx as
last output line instead of READY=1). As found by the
newly-added debugging echos, what we are seeing is:
MAINPID=103530
READY=1
MAINPID=103530
It's not supposed to be that way; it's supposed to be just
the first two. But when faced with reality, we must bend
to accommodate it, so let's accept READY=1 anywhere in
the output stream, not just as the last line.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Followup to #8284, due to my not having noticed #8096.
RHEL gating tests are failing again due to rhbz#1895105, the
one where we can't run journalctl rootless on RHEL. #8284 fixed
this for some RHEL builds of older podman, but I missed #8096
which added yet another logs test.
This brings us to three journalctl exceptions, which means
it gets complicated because I have to refactor it all.
**THIS IS NOT SUSTAINABLE**. We need some way to have a similar
setup in CI, with a permission-less rootless login, so we don't
add yet another logs test some day and discover, months later,
that it doesn't work on RHEL and then have to go into crisis
mode.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This change adds support for the `--filter` / `?filters` arguments on
the `podman volume prune` subcommand.
* Adds ParseFilterArgumentsIntoFilters helper for consistent
Filter string slice handling
* Adds `--filter` support to podman volume prune cli
* Adds `?filters...` support to podman volume prune api
* Updates apiv2 / e2e tests
Closes#8672
Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
The podman events aren't read until the given timestamp if the
timestamp is in the future. It just reads all events until now
and exits afterwards.
This does not make sense and does not match docker. The correct
behavior is to read all events until the given time is reached.
This fixes a bug where the wrong event log file path was used
when running first time with a new storage location.
Fixes#8694
This also fixes the events api endpoint which only exited when
an error occurred. Otherwise it just hung after reading all events.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
podman image sign handles muti-arch images.
--all option to create signature for each manifest from the image manifest list.
Signed-off-by: Qi Wang <qiwan@redhat.com>
git-fetch a set of docker-compose examples
Add a mechanism for 'curl'ing to verify that service is up.
For each docker-compose directory:
1) test that it comes up
2) use 'curl' to confirm that the service is up
3) bring it back down
Signed-off-by: Ed Santiago <santiago@redhat.com>
Network create could panic when used with a json body like this:
`{"Name":"net","IPAM":{"Config":[]}}`
The network scope for list and inspect should not be empty. It can
be swarm, global or local. We only support local networks so
hardcode this field to local.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Make the ContainerLogsOptions support two io.Writers,
one for stdout and the other for stderr. The logline already
includes the information to which Writer it has to be written.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
The libpod images exists endpoint panics when called with
a non existing image and therefore returns 500 as status
code instead of the expected 404.
A test is added to ensure it is working.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Handle the ALL Flag when running with an account as a user.
Currently we throw an error when the user specifies
podman run --user bin --cap-add all fedora echo hello
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
we must honor systempaths=unconfined also for read-only paths, as
Docker does:
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
There exists a unit test to ensure that shell completion functions are
defined. However there was no check about the quality of the provided
shell completions. Lets change that.
The idea is to create a general test that makes sure we are suggesting
containers,pods,images... for the correct commands. This works by
reading the command use line and checking for each arg if we provide
the correct suggestions for this arg.
It includes the following tests:
- flag suggestions if [options] is set
- container, pod, image, network, volume, registry completion
- path completion for the appropriate arg KEYWORDS (`PATH`,`CONTEXT`,etc.)
- no completion if there are no args
- completion for more than one arg if it ends with `...]`
The test does not cover completion values for flags and not every arg KEYWORD
is supported. This is still a huge improvement and covers most use cases.
This test spotted several inconsistencies between the completion and the
command use line. All of them have been adjusted to make the test pass.
The biggest advantage is that the completions always match the latest
command changes. So if someone changes the arguments for a command this
ensures that the completions must be adjusted.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Currently the --layers flag set by the user is ignored, and only the BUILDAH_LAYERS
environment variable being set is observed.
Fixes: https://github.com/containers/podman/issues/8643
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The existing logic (Range > 0) always triggered, because range is
guaranteed to be at least 1 (a single port has a range of 1, a
two port range (e.g. 80-81) has a range of 2, and so on). As such
this could cause ports that had a host port assigned to them by
the user to randomly assign one instead.
Fixes#8650Fixes#8651
Signed-off-by: Matthew Heon <mheon@redhat.com>
Just checking for `rootless.IsRootless()` does not catch all the
cases where slirp4netns is in use - we actually allow it to be
used as root as well. Fortify the conditional here so we don't
fail in the root + slirp case.
Fixes#7883
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Add the systempaths=unconfined option to --security-opt
to match the docker options for unmasking all the paths
that are masked by default.
Add the mask and unmask options to the podman create doc.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
This adds a new command, 'podman network reload', to reload the
networks of existing containers, forcing recreation of firewall
rules after e.g. `firewall-cmd --reload` wipes them out.
Under the hood, this works by calling CNI to tear down the
existing network, then recreate it using identical settings. We
request that CNI preserve the old IP and MAC address in most
cases (where the container only had 1 IP/MAC), but there will be
some downtime inherent to the teardown/bring-up approach. The
architecture of CNI doesn't really make doing this without
downtime easy (or maybe even possible...).
At present, this only works for root Podman, and only locally.
I don't think there is much of a point to adding remote support
(this is very much a local debugging command), but I think adding
rootless support (to kill/recreate slirp4netns) could be
valuable.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
add the ability to add multiple containers into a single k8s pod
instead of just one.
also fixed some bugs in the resulting yaml where an empty service
description was being added on error causing the k8s validation to fail.
Signed-off-by: baude <bbaude@redhat.com>
As suggested by @edsantiago, add a comment to the regression test
of #8558 to better document the context.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When creating a container, do not clear the input-image name before
looking up image names. Also add a regression test.
Fixes: #8558
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Update tests to reflect system endpoints
* First implementation of compat /system/df, only fields that are
populated by libpod are set
Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Add network API tests
* Update network create endpoint to return ID not Name
Audit:
- GET /networks ListNetworks
- GET /networks/{id} InspectNetwork
- DELETE /networks/{id} RemoveNetwork
- POST /networks/create CreateNetwork
- POST /networks/prune 405 not implemented
Signed-off-by: Jhon Honce <jhonce@redhat.com>
We can't mount sysfs as rootless unless we manage the network
namespace. Problem: slirp4netns is now creating and managing a
network namespace separate from the OCI runtime, so we can't
mount sysfs in many circumstances. The `crun` OCI runtime will
automatically handle this by falling back to a bind mount, but
`runc` will not, so we didn't notice until RHEL gating tests ran
on the new branch.
Signed-off-by: Matthew Heon <mheon@redhat.com>
* Add a new `pkg/copy` to centralize all container-copy related code.
* The new code is based on Buildah's `copier` package.
* The compat `/archive` endpoints use the new `copy` package.
* Update docs and an several new tests.
* Includes many fixes, most notably, the look-up of volumes and mounts.
Breaking changes:
* Podman is now expecting that container-destination paths exist.
Before, Podman created the paths if needed. Docker does not do
that and I believe Podman should not either as it's a recipe for
masking errors. These errors may be user induced (e.g., a path
typo), or internal typos (e.g., when the destination may be a
mistakenly unmounted volume). Let's keep the magic low for such
a security sensitive feature.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Audit and add tests for required fields.
* Added issue for /images/load implementation
Audit:
- GET /images/json GetImages
- POST /build BuildImage
- POST /build/prune 404 not found
- POST /images/create CreateImageFromImage/CreateImageFromSrc
- GET /images/{name}/json GetImage
- GET /images/{name}/history HistoryImage
- POST /images/{name}/push PushImage
- POST /images/{name}/tag TagImage
- DELETE /images/{name} RemoveImage
- POST /images/prune PruneImages
- POST /commit CommitContainer
- GET /images/{name}/get ExportImage
- GET /images/get ExportImages
- POST /images/load LoadImages See https://github.com/containers/podman/issues/8586
Signed-off-by: Jhon Honce <jhonce@redhat.com>
We have been asked to leak some information into the container
to indicate:
* The name and id of the container
* The version of podman used to launch the container
* The image name and ID the container is based on.
* Whether the container engine is running in rootless mode.
Fixes: https://github.com/containers/podman/issues/6192
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Docker defines an option of "default" which means to
use the default network. We should support this with
the same code path as --network="".
This is important for compatibility with the Docker API.
Fixes: https://github.com/containers/podman/issues/8544
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Looks like #7337 was fixed (by #8112). Reenable a disabled
test for it; and make it actually work. Confirmed that
newly-added test fails on d45676549 (the commit before #8112).
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add the mask and unmask option to the --security-opt flag
to allow users to specify paths to mask and unmask in the
container. If unmask=ALL, this will unmask all the paths we
mask by default.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
The network ID is not stored. It is just the sha256 hash from
the network name. There is a risk of a potential hash collision.
However it's very unlikely and even if we hit this it will
complain that more than network with this ID exists.
The main benefit is that the compat api can have proper
network ID support. Also this adds the support for
`podman network ls --format "{{.ID}}"` and `--filter id=<ID>`.
It also ensures that we can do network rm <ID> and network
inspect <ID>.
Since we use a hash this commit is backwards compatible even for
already existing networks.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
OpenShift Merge Robot
pendulm
Jakub Guzik
Daniel J Walsh
Paul Holzinger
Jhon Honce
Ed Santiago
Matthew Heon
Alban Bedel
Jordan Christiansen
Anders F Björklund
Eduardo Vega
Matthew Heon
Matej Vasek
TomSweeneyRedHat
Jordan Williams
Giuseppe Scrivano
troyready
Valentin Rothberg
Milivoje Legenovic
baude
Ashley Cui
Parker Van Roy
Nikolay Edigaryev
Igor Korolev
Steven Taylor
bitstrings
Achilleas Tzenetopoulos
zhangguanzhang
Alexandre Fourcat
unknown
Radostin Stoyanov
Kazım SARIKAYA
Max Goltzsche
Baron Lenardson
Hironori Shiina
Benedikt Ziemons
Josh Soref
Peter Hunt
Chris Evich
Qi Wang
Urvashi Mohnani
Edward Shen
Chih-Hsuan Yen