selinux-policy-34.9-1.fc34 breaks a behavior we've relied on
since (at least) January 2020:
- Revert "Add permission open to files_read_inherited_tmp_files()
interface"
That's probably the correct thing to do, but it breaks our
existing tests. Solution: add ':Z' where needed.
Tested on Ed's laptop, which has the offending selinux-policy
as of 2021-05-31. Tests pass root and rootless. (I mention
this because tests will obviously pass in CI, which has a
much older selinux-policy).
Also: add a 'podman rmi' for cleanup in one test, to avoid
noise in test logs.
Fixes: #10522
Signed-off-by: Ed Santiago <santiago@redhat.com>
Vendor in the latest HEAd of containers/common to implicitly support the
tag@digest notation for images. To remain compatible with Docker, the
tag will be stripped off the image reference and is entirely ignored.
Fixes: #6721
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Currently if a user runs an image with a user specified or
exposed ports with podman play kube, the fields are ignored.
Fixed: https://github.com/containers/podman/issues/9609
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When the containers.conf field "NetNS" is set to "Bridge" and the
"RootlessNetworking" field is set to "cni", Podman will now
handle rootless in the same way it does root - all containers
will be joined to a default CNI network, instead of exclusively
using slirp4netns.
If no CNI default network config is present for the user, one
will be auto-generated (this also works for root, but it won't be
nearly as common there since the package should already ship a
config).
I eventually hope to remove the "NetNS=Bridge" bit from
containers.conf, but let's get something in for Brent to work
with.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Fix a race in journald driver. Following the logs implies streaming
until the container is dead. Streaming happened in one goroutine,
waiting for the container to exit/die and signaling that event happened
in another goroutine.
The nature of having two goroutines running simultaneously is pretty
much the core of the race condition. When the streaming goroutines
received the signal that the container has exitted, the routine may not
have read and written all of the container's logs.
Fix this race by reading both, the logs and the events, of the container
and stop streaming when the died/exited event has been read. The died
event is guaranteed to be after all logs in the journal which guarantees
not only consistencty but also a deterministic behavior.
Note that the journald log driver now requires the journald event
backend to be set.
Fixes: #10323
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Make sure all containers exit after start
There is a race condition in that container could still be running when
we attempt to remove them.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
All of the tests has an assumption that RunLsContainer and RunLsContainerInPod completes
the container before returning. But since the container is running
in back ground mode, the container could be still running before tools
attempt to remove it. Removing the "-d" from the command fixes the
container to match the assumption.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
ErrOCIRuntimeNotFound error is misleading. Try to make it more
understandable to the user that the OCI Runtime IE crun or runc is not
missing, but the command they attempted to run within the container is
missing.
[NO TESTS NEEDED] Regular tests should handle this.
Fixes: https://github.com/containers/podman/issues/10432
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Remove all Types no longer referenced, they were never used
A future API breaking version of Podman API, may restore these Types
and push formatting into presentation layer vs. server.
Fixes#9578
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Creating a macvlan network with the subnet or ipRange option should set
the ipam plugin type to `host-local`. We also have to insert the default
route.
Fixes#10283
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Update containers common to the latest HEAD. Some bug fixes in libimage
forced us to have a clearer separation between ordinary images and
manifest lists. Hence, when looking up manifest lists without recursing
into any of their instances, we need to use `LookupManifestList()`.
Also account for some other changes in c/common (e.g., the changed order
in the security labels).
Further vendor the latest HEAD from Buildah which is required to get the
bud tests to pass.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Fixes: https://github.com/containers/podman/issues/10393
Currently if a user specifies a --root flag to override the location of
the container storage, we still enforce the storage-opts from
storage.conf. This causes issues with people trying to intereact with
the additional stores feature, and then forces them to use the obscure
--storage-opt="" option. I belive this should be the default and we
already do this when the user specifies the --storage-driver option.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When attempting to copy files into and out of running containers
within the host pidnamespace, the code was attempting to join the
host pidns again, and getting an error. This was causing the podman
cp command to fail. Since we are already in the host pid namespace,
we should not be attempting to join. This PR adds a check to see if
the container is in NOT host pid namespace, and only then attempts to
join.
Fixes: https://github.com/containers/podman/issues/9985
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The `Error` part of response must be nil (or omitted) if no error occurred.
Before this commit a zero value for the struct was returned.
Signed-off-by: Matej Vasek <mvasek@redhat.com>
* Tests broken up into areas of concern
* Introduced fixtures to reduce duplicated code
* Introduced new assert methods with APITestCase
* General cleanup of code while visiting
* Tests now targeting quay.io
Known issues:
* is-official against quay.io not working
Fixes: #9238
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Support UID, GID, Mode options for mount type secrets. Also, change
default secret permissions to 444 so all users can read secret.
Signed-off-by: Ashley Cui <acui@redhat.com>
This change adds the entry `host.containers.internal` to the `/etc/hosts`
file within a new containers filesystem. The ip address is determined by
the containers networking configuration and points to the gateway address
for the containers networking namespace.
Closes#5651
Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
Docker allows relabeling of any volume passed in via -v, even
including named volumes. This normally isn't an issue at all,
given named volumes get the right label for container access
automatically, but this becomes an issue when volume plugins are
involved - these aren't managed by Podman, and may well be
unaware of SELinux labelling. We could automatically relabel
these volumes on creation, but I'm still reluctant to do that
(feels like it could break things). Instead, let's allow :z and
:Z to be used with named volumes, so users can explicitly request
relabel of a volume plugin-backed volume.
We also get :U at the same time. I don't see any real need for it
but it also doesn't seem to hurt, so I didn't bother disabling
it.
Fixes#10273
Signed-off-by: Matthew Heon <mheon@redhat.com>
Fix a regression in `podman image prune` where unused images were
accidentally removed even when `--all=false`. Extend and partially
rewrite the e2e tests to make sure we're not regressing again in the
future.
Fixing the aforementioned issue revealed another issue in the default
prune filter. While prune should remove all "dangling" images (i.e.,
those without tag), it removed only "intermediate" ones; dangling images
without children. Remove the mistaken comment from the libimage
migration.
Also clarify the help message and man page.
Fixes: #10350
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Allow podman network reload to be run as rootless user. While it is
unlikely that the iptable rules are flushed inside the rootless cni
namespace, it could still happen. Also fix podman network reload --all
to ignore errors when a container does not have the bridge network mode,
e.g. slirp4netns.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Allow users to specify options on the volume mount path.
This will trigger relabels of user specifies :z,:Z
Also will handle User Relabels if the user specifies :U
Fixes: https://github.com/containers/podman/issues/9371
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We should create the /etc/mtab->/proc/mountinfo link
so that mount command will work within the container.
Docker does this by default.
Fixes: https://github.com/containers/podman/issues/10263
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The initial version of libimage changed the order of layers which has
now been restored to remain backwards compatible.
Further changes:
* Fix a bug in the journald logging which requires to strip trailing
new lines from the message. The system tests did not pass due to
empty new lines. Triggered by changing the default logger to
journald in containers/common.
* Fix another bug in the journald logging which embedded the container
ID inside the message rather than the specifid field. That surfaced
in a preceeding whitespace of each log line which broke the system
tests.
* Alter the system tests to make sure that the k8s-file and the
journald logging drivers are executed.
* A number of e2e tests have been changed to force the k8s-file driver
to make them pass when running inside a root container.
* Increase the timeout in a kill test which seems to take longer now.
Reasons are unknown. Tests passed earlier and no signal-related
changes happend. It may be CI VM flake since some system tests but
other flaked.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The added test in 30544f225e is flaking. Podman inspect is always
working so we have to check the pid instead.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
When a container is automatically restarted due its restart policy and
the container used the slirp4netns netmode, the slirp4netns process
died. This caused the container to lose network connectivity.
To fix this we have to start a new slirp4netns process.
Fixes#8047
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Developers asked for a deterministic field to verify if podman is
running via API or linked directly to libpod library.
$ podman info --format '{{.Host.ServiceIsRemote}}'
false
$ podman-remote info --format '{{.Host.ServiceIsRemote}}'
true
$ podman --remote info --format '{{.Host.ServiceIsRemote}}'
true
* docs/conf.py formatted via black
Signed-off-by: Jhon Honce <jhonce@redhat.com>
The following bugs seem to be fixed:
* #6510 (e2e tests) - podman rmi gives "layer not known"
* #9915 (buildah-bud tests) - podman build --arch
* #10248 - spurious warning from first-ever invocation
of rootless podman
Signed-off-by: Ed Santiago <santiago@redhat.com>
Using event API to detect changes to container instead of polling.
Polling was unreliable, sometime change of a state might have been
missed.
Signed-off-by: Matej Vasek <mvasek@redhat.com>
The with --new generated systemd unit loses the environment variables
when the create command only contains the key without the value. Since
podman tries to lookup those values from the environment the unit can
fail.
This commits ensures that we will add the environment variables to the
unit file when this is the case. The container environment variables are
looked up in the container spec.
Fixes#10101
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
In the case of generate kube the auto-update labels will be converted into kube annotations and for play kube they will be converted back to labels since that's what podman understands
Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
Revert : https://github.com/containers/podman/pull/9895
Turns out that if Docker is in --selinux-enabeled, it still relabels if
the user tells the system to, even if running a --privileged container
or if the selinux separation is disabled --security-opt label=disable.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Env var secrets are env vars that are set inside the container but not
commited to and image. Also support reading from env var when creating a
secret.
Signed-off-by: Ashley Cui <acui@redhat.com>
filepath.Dir in some cases returns `.` symbol and calling this function
again returns same result. In such cases this function
never returns and causes some operations to stuck forever.
Closes#10216
Signed-off-by: Slava Bacherikov <slava@bacher09.org>
Reason: to catch errors before they surface in RHEL.
One of the Ubuntus is specially crafted to run with cgroups v1
and runc. Although this isn't quite the same as RHEL, it's as
close as we can come in our CI environment, and I suspect it
would have caught #10234 (a regression).
Sorry, team.
Also: play kube limits test: skip on all rootless, not just
rootless+fedora. There was a complicated and unnecessary
check in there for Fedora.
Also: workaround for bug #10248, a spurious error message on
the first invocation of rootless podman on Ubuntu.Old
Signed-off-by: Ed Santiago <santiago@redhat.com>
Migrate the Podman code base over to `common/libimage` which replaces
`libpod/image` and a lot of glue code entirely.
Note that I tried to leave bread crumbs for changed tests.
Miscellaneous changes:
* Some errors yield different messages which required to alter some
tests.
* I fixed some pre-existing issues in the code. Others were marked as
`//TODO`s to prevent the PR from exploding.
* The `NamesHistory` of an image is returned as is from the storage.
Previously, we did some filtering which I think is undesirable.
Instead we should return the data as stored in the storage.
* Touched handlers use the ABI interfaces where possible.
* Local image resolution: previously Podman would match "foo" on
"myfoo". This behaviour has been changed and Podman will now
only match on repository boundaries such that "foo" would match
"my/foo" but not "myfoo". I consider the old behaviour to be a
bug, at the very least an exotic corner case.
* Futhermore, "foo:none" does *not* resolve to a local image "foo"
without tag anymore. It's a hill I am (almost) willing to die on.
* `image prune` prints the IDs of pruned images. Previously, in some
cases, the names were printed instead. The API clearly states ID,
so we should stick to it.
* Compat endpoint image removal with _force_ deletes the entire not
only the specified tag.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Want to allow users to specify --security-opt unmask=/proc/*.
This allows us to run podman within podman more securely, then
specifing umask=all, also gives the user more flexibilty.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add a new --mac-address flag to podman play kube. This is used to specify
a static MAC address which should be used for the pod. This option can be
specified several times because play kube can create more than one pod.
Fixes#9731
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
The compat endpoint for container inspect must return {} instead of null
for NetworkSettings.Networks.
Fixes#9837
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Some CI systems set $OCI_RUNTIME as a way to override the
default crun. Integration (e2e) tests honor this, but system
tests were not aware of the convention; this means we haven't
been testing system tests with runc, which means RHEL gating
tests are now failing.
The proper solution would be to edit containers.conf on CI
systems. Sorry, that would involve too much CI-VM work.
Instead, this PR detects $OCI_RUNTIME and creates a dummy
containers.conf file using that runtime.
Add: various skips for tests that don't work with runc.
Refactor: add a helper function so we don't need to do
the complicated 'podman info blah blah .OCIRuntime.blah'
thing in many places.
BUG: we leave a tmp file behind on exit.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The RHEL multi-arch team informed me that we were missing
aarch64; add it, using the new name (arm64v8).
(This is from last week, so the image date tag does not
match today's date. I was waiting for confirmation that
things were working).
Signed-off-by: Ed Santiago <santiago@redhat.com>
if --cgroup-parent is specified, always honor it without doing any
detection whether cgroups are supported or not.
Closes: https://github.com/containers/podman/issues/10173
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
changed struct to policyMapper
change "image" to "registry" in multiple locations
Updated documentation with registry alias & autoupdate local
Added relevant test
Signed-off-by: Parker Van Roy <pvanroy@redhat.com>
Basically, add 'podman wait' before 'podman rm'. See if this
fixes gating tests run on ppc64le (possibly very very slow hosts)
Signed-off-by: Ed Santiago <santiago@redhat.com>
Namely the Ubuntu 21.04 Kernel does not support BFQ. Regardless of the
distro. skip this test if the required cgroup node doesn't exist.
Signed-off-by: Chris Evich <cevich@redhat.com>
This commits fixes until filter. It is now checking if the created
timestamp is before until filter value as expected in the docs.
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
This option allows users to specify the maximum amount of time to run
before conmon sends the kill signal to the container.
Fixes: https://github.com/containers/podman/issues/6412
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Parse the slirp4netns network options when called via compat api. The
options must be extracted from the NetworkMode string.
Fixes#10110
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
The source ip for the rootlesskit port forwarder was hardcoded to the
standard slirp4netns ip. This is incorrect since users can change the
subnet used by slirp4netns with `--network slirp4netns:cidr=10.5.0.0/24`.
The container interface ip is always the .100 in the subnet. Only when
the rootlesskit port forwarder child ip matches the container interface
ip the port forwarding will work.
Fixes#9828
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Currently we have rootless users who want to leak their groups access
into containers, but this group access is only able to be pushed in by
a hard to find OCI Runtime annotation. This PR makes this option a lot
more visable and hides the complexity within the podman client.
This option is only really needed for local rootless users. It makes
no sense for remote clients, and probably makes little sense for
rootfull containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Followup to #10033: actually implement the system reset test.
And, just out of paranoia, extend the warning-message check.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Currently we have only podman images list --noheading.
This PR Adds this option to volumes, containers, pods, networks,
machines, and secrets.
Fixes: https://github.com/containers/podman/issues/10065
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
In libpod/image.Image.Remove(), if the attempt to find the image's
parent fails for any reason, log a warning and proceed as though it
didn't have one instead of failing, which would leave us unable to
remove the image without resetting everything.
In libpod/Runtime.RemoveImage(), if we can't determine if an image has
children, log a warning, and assume that it doesn't have any instead of
failing, which would leave us unable to remove the image without
resetting everything.
In pkg/domain/infra/abi.ImageEngine.Remove(), when attempting to remove
all images, if we encounter an error checking if a given image has
children, log a warning, and assume that it doesn't have any instead of
failing, which would leave us unable to remove the image without
resetting everything.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
- Persist CDIDevices in container config
- Add e2e test
- Log HasDevice error and add additional condition for safety
Signed-off-by: Sebastian Jug <seb@stianj.ug>
Add a new --ip flag to podman play kube. This is used to specify a
static IP address which should be used for the pod. This option can be
specified several times because play kube can create more than one pod.
Fixes#8442
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
This test continues to flake on podman-remote (especially Ubuntu)
even after #10030 and #10034. I give up. Stop checking the error
message in podman-remote tests.
Signed-off-by: Ed Santiago <santiago@redhat.com>
From the debug output we know that rootlesskit does not bind the port
correctly. The rootlesskit port forwarder has a quite a few debug
statements so lets see the debug log when the test fails. Also check
if it binded the port inside the rootless cni namespace.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
The --log-driver flag was silently ignored by podman play kube. This
regression got introduced during the play kube rework.
Unfortunately the test for this was skipped for no good reason.
Fixes#10015
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Yay, we got a failure with the new code (#10017). It shows
one ECONNRESET followed by a lot of ECONNREFUSED over an 8-second
period (actually 15s because of the second curl retry).
My hunch: the container itself is dying. No amount of retrying
will get anything to work. So, instead of the curl retry, if
curl fails, run 'docker-compose logs', 'podman ps', and 'ss -tulpn'
and hope that one/more of those tells us something useful when
the test flakes again.
Also: DUH! Bitten by one of the most common bash pitfalls.
Checking exit status after 'local' will always be zero.
Split the declaration and the action into separate lines.
Also: if curl fails, return immediately. There's no point in
running the string output comparison.
Also: in _show_ok(), don't emit "actual/expect" messages
if both strings are empty.
Signed-off-by: Ed Santiago <santiago@redhat.com>
docker-compose test continues to flake even after #9961.
Let's try to get some useful data from the failures, by:
* adding -S (--show-error) to curl. With just -s (--silent),
curl is completely quiet. With -S, it displays errors.
(Not in TAP form, but I'm OK with that)
* oops, adding safety checks to the fix from #9961 (it
was inadvertently clobbering the curl exit status)
And, as long as I'm in this code: logformatter was not
highlighting these results, because the '1..N' TAP line
needs to be spit out at the end. Have test-compose emit
a 'TAP' header <http://testanything.org/> and make
logformatter recognize it.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Fix a corner case in basic_setup(), where we rmi stray images.
If a test tags $IMAGE and fails to rmi by tag name, cleanup
could rmi both tag name and IID, wiping out the desired image:
podman tag $IMAGE foo
...
cleanup: rmi foo $FOO_IID [this removes $IMAGE!]
Solution: rmi by name, but only rmi by IID if != $IMAGE.
TOTH to ypu for bringing this to my attention.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Swagger documentation reported that the API endpoint /pods/create
returned 200 while the as-built code returned 201. 201 is more
correct so documentation updated.
Tests already checked for 201 so no updated needed.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
do not set the cgroup parent when running as rootless with cgroupfs,
even if cgroup v2 is used.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1947999
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add validation for manifest name
* Always return an array for manifests even if empty
* Add missing return in df handler when returning error. Caused an
additional null to be written to client crashing python decoder.
When c/image is refactored to include manifests, manifest endpoints should
be revisited.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Experience this week has shown that managing .diff files
is too difficult for humans, and too fragile. Opportunities
for errors abound. So, let's try to minimize the diffs.
We can't eliminate the diffs to helpers.bash: those are
true code changes that are absolutely required for running
tests using podman instead of buildah. We need to carry
those ourselves: they are not appropriate for the buildah
repo itself.
What we can do is simplify the patching of bud.bats. That
is fragile, because bud.bats changes often, and context-
sensitive git patch files can easily get confused.
Recognizing that the changes to bud.bats fall under two types:
- tests that are skipped
- tests in which podman error messages differ from buildah's
...we now have a new script, apply-podman-deltas, which
is (I hope) much user-friendlier. It understands two directives:
errmsg - alter the expected error message
skip - skip a test
Both operate based on a bats test name. The test name must
match exactly. These directives use 'sed' to update bud.bats.
If any directive fails, the script will keep going (so you
get as many errors as possible in a run), then exits failure.
Instructions (README.md) now explain the process for dealing
with all expected test failures.
(Sneak checkin: add '--filter=NAME' option to test runner,
allowing for targeted and much shorter test runs).
Signed-off-by: Ed Santiago <santiago@redhat.com>
libpod df handler missing a return after writing error to client. This
caused a null to be appended to JSON and crashed python decoder.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Volumes endpoints for HTTP compat and libpod APIs allowed
usage of list HTTP endpoint filter funcs. Documentation in
case of compat API does not allow that. This commit aligns
code with the documentation and also ligns libpod with compat API.
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
Add a new --rootless-cni option to podman unshare to also join the
rootless-cni network namespace. This is useful if you want to connect
to a rootless container via IP address. This is only possible from the
rootless-cni namespace and not from the host namespace. This option also
helps to debug problems in the rootless-cni namespace.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Handle go pseudoversions, e.g. a custom non-released buildah
used during testing of a PR. This will be something like:
v1.20.1-0.20210402144408-36a37402d0c8
...and it makes it impossible (AFAIK) to do a shallow checkout;
we need to do a full clone of buildah, then git-checkout the
SHA (last element of the long string above).
FIXME: this is great for testing, but we almost certainly
want some way to block this PR from merging, don't we?
And, while testing this, found and fixed three bugs:
- quote "$failhint" when echoing it on failure; otherwise
we lose original whitespace.
- invoke git-am with --reject! This makes it SO MUCH EASIER
to identify the failing part of our patch!
- sigh: generate the make-new-buildah-diffs helper *BEFORE*
we try git-am! Otherwise, duh, if git-am fails we have no
way to help the developer create a new diff file.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The compose port test is flaking with an empty curl result. The curl retry
does not work properly. Given the the tests never expect an empty result
lets just wait one second and retry again.
Unfortunately there is no way for me to actually verify if this will fix
the flake.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
The CNI plugins need access to iptables in $PATH. On debian /usr/sbin
is not added to $PATH for rootless users. This will break rootless
cni completely. To prevent breaking existing users add /usr/sbin to
$PATH in podman if needed.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
As discussed in watercooler 2021-04-06: make sure that RHEL8
and CentOS are using runc. Using crun is probably a packaging
error that should be caught early.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Podman has, for a long time, had an internal concept of
dependency management, used mainly to ensure that pod infra
containers are started before any other container in the pod. We
also have the ability to recursively start these dependencies,
which we use to ensure that `podman start` on a container in a
pod will not fail because the infra container is stopped. We have
not, however, exposed these via the command line until now.
Add a `--requires` flag to `podman run` and `podman create` to
allow users to manually specify dependency containers. These
containers must be running before the container will start. Also,
make recursive starting with `podman start` default so we can
start these containers and their dependencies easily.
Fixes#9250
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
One of the side-effects of the `--userns=keep-id` command is
switching the default user of the container to the UID of the
user running Podman (though this can still be overridden by the
`--user` flag). However, it did this by setting the UID and GID
in the OCI spec, and not by informing Libpod of its intention to
switch users via the `WithUser()` option. Because of this, a lot
of the code that should have triggered when the container ran
with a non-root user was not triggering. In the case of the issue
that this fixed, the code to remove capabilities from non-root
users was not triggering. Adjust the keep-id code to properly
inform Libpod of our intention to use a non-root user to fix
this.
Also, fix an annoying race around short-running exec sessions
where Podman would always print a warning that the exec session
had already stopped.
Fixes#9919
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Docker does not relabel this content, and openstack is running
containers in this manner. There is a penalty for doing this
on each container, that is not worth taking on a disable SELinux
container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We define in the man page that this overrides the default storage
options, but the code was appending to the existing options.
This PR also makes a change to allow users to specify --storage-opt="".
This will turn off all storage options.
https://github.com/containers/podman/issues/9852
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
So rootless setup could use this condition in parent and child, child
podman should adjust LISTEN_PID to its self PID.
Add system test for systemd socket activation
Signed-off-by: pendulm <lonependulm@gmail.com>
Make sure the DOCKER_SOCK location is accessible by the user when run
rootless. Alos set the DOCKER_HOST env var to ensure docker-compose will
use the non default location. Cleanup steps such as `rm` or `umount`
must be run inside podman unshare otherwise they can fail due missing
privileges.
Change the curl test to use --retry-all-errors otherwise the tests will
flake. The web server inside the container will return http code 500
sometimes, most likely because it is not fully ready to accept
connections. With --retry-all-errors curl will retry instead of failing
and thus the test will work.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
With the new rootless cni supporting network connect/disconnect is easy.
Combine common setps into extra functions to prevent code duplication.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Instead of creating an extra container create a network and mount
namespace inside the podman user namespace. This ns is used to
for rootless cni operations.
This helps to align the rootless and rootful network code path.
If we run as rootless we just have to set up a extra net ns and
initialize slirp4netns in it. The ocicni lib will be called in
that net ns.
This design allows allows easier maintenance, no extra container
with pause processes, support for rootless cni with --uidmap
and possibly more.
The biggest problem is backwards compatibility. I don't think
live migration can be possible. If the user reboots or restart
all cni containers everything should work as expected again.
The user is left with the rootless-cni-infa container and image
but this can safely be removed.
To make the existing cni configs work we need execute the cni plugins
in a extra mount namespace. This ensures that we can safely mount over
/run and /var which have to be writeable for the cni plugins without
removing access to these files by the main podman process. One caveat
is that we need to keep the netns files at `XDG_RUNTIME_DIR/netns`
accessible.
`XDG_RUNTIME_DIR/rootless-cni/{run,var}` will be mounted to `/{run,var}`.
To ensure that we keep the netns directory we bind mount this relative
to the new root location, e.g. XDG_RUNTIME_DIR/rootless-cni/run/user/1000/netns
before we mount the run directory. The run directory is mounted recursive,
this makes the netns directory at the same path accessible as before.
This also allows iptables-legacy to work because /run/xtables.lock is
now writeable.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Versions of the ps command have additional spaces between fields, this
manifests as the container asking to run "top" and API reporting "top "
as a process.
Endpoint and tests updated to check that "top" is reported.
There is no libpod specialized endpoint to update.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Containers endpoints for HTTP compad and libpod APIs allowed usage of list HTTP
endpoint filter funcs. Documentation in case of libpod and compat API does not allow that.
This commit aligns code with the documentation.
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
It is tedious and error-prone to update the 'APIVersion=<exact>'
test every time there's a minor bump. Change the test so it
confirms only the major version.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Issue #9573 (podman build --pull-never is a NOP) is fixed.
Remove the 'skip' in the buildah-bud pull-never test.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The 'is' check was intended to be called with three arguments,
the last one being a nice helpful test name. There's a fallback
for two-argument calls, but it was a horrible FIXME.
New fallback: the most recently run podman command. We keep
track of it in each run_podman() invocation.
This is not ideal, because it's theoretically possible to
invoke 'is' on something other than the output of run_podman,
but this at least fixes the by-far-most-common case.
[NO TESTS NEEDED]
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add support for secretRef and secretKeyRef to allow env vars to be set
from a secret. As K8S secrets are dictionaries the secret value must
be a JSON dictionary compatible with the data field of a K8S secret
object. The keys must consist of alphanumeric characters, '-', '_'
or '.', and the values must be base64 encoded strings.
Signed-off-by: Alban Bedel <albeu@free.fr>
In K8S the pod creation fails if an env var reference a non existing
config map key. It can be marked as optional, but per default it is
mandatory. Podman on the other hand always treat such references as
optional.
Rework envVarsFrom() and envVarValue() to additionaly return an error
and add support for the optional attribute in configMapRef and
configMapKeyRef.
Signed-off-by: Alban Bedel <albeu@free.fr>
When kube play fails to create a volume, it should say which volume had
the problem so the user doesn't have to guess. For the following pod
spec:
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: myfrontend
image: nginx
volumeMounts:
- mountPath: "/var/www/html"
name: mypd
volumes:
- name: mypd
hostPath:
path: /var/blah
podman will now report:
Error: failed to create volume "mypd": error in parsing HostPath
in YAML: error checking path "/var/blah": stat /var/blah: no such
file or directory
Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
Currently pull policy is set incorrectly when users set --pull-never.
Also pull-policy is not being translated correctly when using
podman-remote.
Fixes: #9573
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Since podman-remote resize requests can come in at random times, this
generates a real potential for race conditions. We should only be
attempting to resize TTY on running containers, but the containers can
go from running to stopped at any time, and returning an error to the
caller is just causing noice.
This change will basically ignore requests to resize terminals if the
container is not running and return the caller to success. All other
callers will still return failure.
Fixes: https://github.com/containers/podman/issues/9831
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
socat can create a dummy PTY that we can manipulate. This
lets us run a variety of tests that we couldn't before,
involving "run -it", and stty, and even "load" with no args.
Signed-off-by: Ed Santiago <santiago@redhat.com>
If you are attempting to run a container in interactive mode, and want
a --tty, then there must be a terminal in use.
Docker exits right away when a user specifies to use a --interactive and
--TTY but the stdin is not a tty.
Currently podman will pull the image and then fail much later.
Podman will continue to run but will print an warning message.
Discussion in : https://github.com/containers/podman/issues/8916
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
As part of a fix for an earlier bug (#5698) we added the ability
for Podman to chown volumes to correctly match the user running
in the container, even in adverse circumstances (where we don't
know the right UID/GID until very late in the process). However,
we only did this for volumes created automatically by a
`podman run` or `podman create`. Volumes made by
`podman volume create` do not get this chown, so their
permissions may not be correct. I've looked, and I don't think
there's a good reason not to do this chwon for all volumes the
first time the container is started.
I would prefer to do this as part of volume copy-up, but I don't
think that's really possible (copy-up happens earlier in the
process and we don't have a spec). There is a small chance, as
things stand, that a copy-up happens for one container and then
a chown for a second, unrelated container, but the odds of this
are astronomically small (we'd need a very close race between two
starting containers).
Fixes#9608
Signed-off-by: Matthew Heon <mheon@redhat.com>
Erik Sjolund reported an issue where a badly formated file
could be passed into the `--tz` option and then the date in the container
would be badly messed up:
```
erik@laptop:~$ echo Hello > file.txt
erik@laptop:~$ podman run --tz=../../../home/erik/file.txt --rm -ti
docker.io/library/alpine cat /etc/localtime
Hello
erik@laptop:~$ podman --version
podman version 3.0.0-rc1
erik@laptop:~$
```
This fix checks to make sure the TZ passed in is a valid
value and then proceeds with the rest of the processing.
This was first reported as a potential security issue, but it
was thought not to be. However, I thought closing the hole
sooner rather than later would be good.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Set of scripts to run buildah's bud.bats test using
podman build in podman CI.
podman build is not 100% compatible with buildah bud.
In particular:
* podman defaults to --layers=true; buildah to false
* podman defaults to --force-rm=true; buildah to false
* podman error exit status is 125; buildah is 2
* differences in error messages, command-line arguments
Some of the above can be dealt with programmatically,
by tweaking the buildah helpers.bash (BATS helpers).
Some need to be tweaked by patching bud.bats itself.
This PR includes a patch that will, I fear, need to
be periodically maintained over time.
There will likely be failures when vendoring in a
new buildah, possibly because new tests were added
for new features that don't exist in podman, possibly
(I hope unlikely) if existing tests are changed in
ways that make the patch file fail to apply. I've
tried to write good instructions and to write the run
script in such a way that it will offer helpful hints
on failure. My instructions and code will be imperfect;
I hope they will be good enough to merit continued use
of this test (possibly with improvements to the instructions
as we learn more about real-world failures).
Signed-off-by: Ed Santiago <santiago@redhat.com>
The problem described in #9711 and followed by #9758 affects
containers as well. When user provides wrong filter input, error
message should occur, not fallback to full list/prune command.
This change fixes the issue. Additionally, there are error message
fixes for docker http api compat.
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
Checking for 'skip.*[0-9]{4,5}', and checking status on said
issues, finds several that have been closed. Let's see if
they're really fixed.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Fixes#5788
This commit adds support for named volumes in podman-generate-kube.
Named volumes are output in the YAML as PersistentVolumeClaims.
To avoid naming conflicts, the volume name is suffixed with "-pvc".
This commit adds a corresponding suffix for host path mounts.
Host path volumes are suffixed with "-host".
Signed-off-by: Jordan Williams <jordan@jwillikers.com>
* Remove orphaned code
* Add meaningful error from LoadImageFromSingleImageArchive() when
heuristic fails to determine payload format
* Correct swagger to output correct types and headers
Signed-off-by: Jhon Honce <jhonce@redhat.com>
This is the continuation work started in #9711. It turns out
that list/prune commands for volumes in libpod/compat api have
very dangerous error handling when broken filter input is supplied.
Problem also affects network list/prune in libpod. This commit
unifies filter handling across libpod/compat api and adds sanity
apiv2 testcases.
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
there was a documentation issue for the kernel that reported the range
to be different than on cgroup v1.
The issue has been fixed in crun/runc. Adapt the test.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
- cp test: clean up stray image
- build test: add workaround for #9567 (ultra-slow ubuntu).
We're seeing CI flakes (timeouts) due to ubuntu 2004 being
absurdly slow. Workaround: double our timeout on one specific
test when ubuntu + remote.
- build test: clean up new copy-from test (from #9275).
The test was copy-pasted from buildah system tests, without
really adapting for podman environment (e.g. it was using
images that we don't use here, and would cause pulls, which
will cause flakes). Rewrite test so it references only $IMAGE,
remove some confusing/unnecessary stuff, selectively run
parts of it even when rootless or remote, and add a
test to confirm that copy-from succeeded.
- load test: add error-message test to new load-invalid (#9672).
Basically, make sure the command fails for the right reason.
- play test (kube): use $IMAGE, not alpine; and add pause-image
cleanup to teardown()
- apiv2 mounts test: add a maintainability comment in a tricky
section of code; and tighten up the mount point test.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The New York timezone changes between summer and winter time.
Make sure the test allows both timezones.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
podman gating tests are hanging in the new Fedora CI setup;
long and tedious investigation suggests that 'socat' processes
are being left unkilled, which then causes BATS to hang when
it (presumably) runs a final 'wait' in its end cleanup.
The two principal changes are to exec socat in a subshell
with fd3 closed, and to pkill its child processes before
killing the process itself. I don't know if both are needed.
The pkill definitely is; the exec may just be superstition.
Since I've wasted more than a day of PTO time on this, I'm
okay with a little superstition. What I do know is that with
these two changes, my reproducer fails to reproduce in over
one hour of trying (normally it fails within 5 minutes).
AND, update: only rawhide (f35) leaves stray socat processes
behind. f33 and ubuntu do not, so 'pkill -P' fails.
I really have no idea what's going on.
Signed-off-by: Ed Santiago <santiago@redhat.com>
When I originally wrote this code I had no idea what POST
would look like so I did a sloppy job, deferring making it
usable. Now that we have some real-world examples in place,
I have a better understanding of what params look like and
how to make tests more readable/maintainable. (Deferring isn't
always bad: one of my early ideas was to separate params using
commas; that would've been a disaster because some JSON values,
such as arrays, include commas).
This commit implements a better way of dealing with POST:
* The main concept is still 'key=value'
* When value is a JSON object (dictionary, array), it
can be quoted.
* Multiple params are simply separated by spaces.
The 3-digit HTTP code is a prominent, readable separator
between POST params and expected results. The parsing
code is a little uglier, but test developers need
never see that. The important thing is that writing
tests is now easier.
* POST params can be empty (this removes the need for a
useless '')
I snuck in one unrelated change: one of the newly-added
tests, .NetworkSettings, was failing when run rootless
(which is how I test on my setup). I made it conditional.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Currently we were overwrapping error returned from removal
of a non existing container.
$ podman rm bogus -f
Error: failed to evict container: "": failed to find container "bogus" in state: no container with name or ID bogus found: no such container
Removal of wraps gets us to.
./bin/podman rm bogus -f
Error: no container with name or ID "bogus" found: no such container
Finally also added quotes around container name to help make it standout
when you get an error, currently it gets lost in the error.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When copying from a container, make sure to evaluate the symlinks
correctly. Add tests copying a symlinked directory from a running and
a non-running container to execute both path-resolution paths.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Copy is full of perils. Some of them are the nuances when copying
directories. Who would have thought that
* cp dir foo
* cp dir/ foo
* cp dir/. foo
are all supposed to yield the same result when foo does not exist.
`podman cp` now supports all three notations, which required to massage
the front-end code in `cmd/podman` a bit. The tests have been extended
and partially rewritten to test container->host and host->container
copy operations.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Make sure the files are chowned to the host/container user, depending on
where things are being copied to.
Fixes: #9626
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Ignore permission errors when copying from a rootless container.
TTY devices inside rootless containers are owned by the host's
root user which is "nobody" inside the container's user namespace
rendering us unable to even read them.
Enable the integration test which was temporarily disabled for rootless
users.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
...and a rudimentary set of /auth tests for PR#9589 (disabled).
This simply adds a new start_registry() helper function that
allocates a random unused port, pulls a registry image, creates
a local certificate + random username + random password, and
fires everything up. Since none of this is (yet) used in CI,
this is very low risk.
The only infinitessimally-risky change is using a dedicated
subdirectory of $WORKDIR (instead of $WORKDIR itself) as
the podman root. This fixes a dumb oversight on my part:
the workdir has grown to be used for much more than just
podman root; this change removes clutter and makes it
easier for humans to debug in cases of problems.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Currently if you attempt to create a kube.yaml file off of a non running
container where the container runs as a specific User, the creation
fails because the storage container is not mounted. Podman is supposed to
read the /etc/passwd entry inside of the container but since the
container is not mounted, the c.State.Mountpoint == "". Podman
incorrectly attempts to read /etc/passwd on the host, and fails if the
specified user is not in the hosts /etc/passwd.
This PR mounts the storage container, if it was not mounted so the read
succeeds.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
OpenShift Merge Robot
Ed Santiago
cdoern
Valentin Rothberg
Daniel J Walsh
Matthew Heon
Sebastian Jug
flouthoc
Jhon Honce
Paul Holzinger
Matej Vasek
Ashley Cui
Baron Lenardson
Jakub Guzik
Eduardo Vega
Slava Bacherikov
Boaz Shuster
zhangguanzhang
Giuseppe Scrivano
Parker Van Roy
Pablo Correa Gómez
Chris Evich
Nalin Dahyabhai
chenkang
Peter Hunt
baude
Matthew Heon
pendulm
Alban Bedel
Jordan Christiansen
Anders F Björklund
TomSweeneyRedHat
Jordan Williams
troyready
Milivoje Legenovic