We bind ports to ensure there are no conflicts and we leak them into
conmon to keep them open. However we bound the ports after the network
was set up so it was possible for a second network setup to overwrite
the firewall configs of a previous container as it failed only later
when binding the port. As such we must ensure we bind before the network
is set up.
This is not so simple because we still have to take care of
PostConfigureNetNS bool in which case the network set up happens after
we launch conmon. Thus we end up with two different conditions.
Also it is possible that we "leak" the ports that are set on the
container until the garbage collector will close them. This is not
perfect but the alternative is adding special error handling on each
function exit after prepare until we start conmon which is a lot of work
to do correctly.
Fixes https://issues.redhat.com/browse/RHEL-50746
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Fixes: e62c928642 ("Make podman-compose refer to podman-compose(1) when using an external provider")
- test: add coverage for PODMAN_COMPOSE_WARNING_LOGS
Signed-off-by: Petter Mikkelsen <43xhyr9m@anonaddy.me>
I broke the kube external storage test in the course of my
safename PR: _write_test_yaml() with no command generated
a pod that did not trigger the conditions required for
this test.
Solution: run a container (top). Add new checks to prevent
this gap from happening again.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The value of the pointer might be changed while creating the container
causing unexpected side effects.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
when a --rootfs is specified with idmap, always use the specified
rootfs since we need a new mount on top of the original directory.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
These test steps check the automount feature with multi images for
following item:
1. multi images can be auotmounted with yaml file.
2. if there are same path exist in the images, the last one
should trumps.
3. the volume is mounted readonly in the container.
4. the volumes are only mounted in the specific container, but
not the whole pods.
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
RHEL10 defaults to nftables and doesn't need
/usr/lib/modules-load.d/podman-iptables.conf so this should be Fedora
only.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
validate that a "podman generate" and "podman play" cycle restores the
specified user namespace.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
layers restored from a tarball won't be converted to composefs so
disable the cache when using composefs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
the condition is based on the fact that podman save|podman load
doesn't recreate the same digest, thus it would fail if the image in
the additional store was pulled with a simple "podman pull".
The same sequence of commands would fail using podman manually after a
"podman pull alpine".
Ignore the cache and use only the images that were pulled in the main
store.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This contains a fix for a gvproxy crash on macos on fast connections
with heavy network load.
This should fix https://github.com/containers/podman/issues/23114
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
The tests didn't check anything actually because default_ifname requires
an ip version argument to work. Thus pasta_iface was empty, add new
checks to prevent this kind of error again.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The test assumes that if more than 1 ip on the host we should be able to
set host.containers.internal. This however is not how the logic works in
the code. What it actually does is to check all ips in the
rootless-netns and then it knows that it cannot use any of these ips.
This includes any podman bridge ips.
You can reproduce the error when you have only one ipv4 on the host then
run a container as root in the background and run the test:
hack/bats --rootless 505:host.containers.internal
So the failure here was that there was already a podman container
running as root on the default bridge thus the test saw 2 ips but then
the rootless run also uses the same subnet for its bridge and the code
knew that ip would not work either. I could have made another special
condition in test but the better way to work around it is to create a
new network. A new network will make sure there are no conflicting
subnets assigned so the test will pass.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
currently there is no way to specify the mappings, so at least treat a
private user namespace as "auto".
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Paul Holzinger