The current code did something like this:
lock()
getState()
unlock()
if state != running
lock()
getState() == running -> error
unlock()
This of course is wrong because between the first unlock() and second
lock() call another process could have modified the state. This meant
that sometimes you would get a weird error on start because the internal
setup errored as the container was already running.
In general any state check without holding the lock is incorrect and
will result in race conditions. As such refactor the code to combine
both StartAndAttach and Attach() into one function that can handle both.
With that we can move the running check into the locked code.
Also use typed error for this specific error case then the callers can
check and ignore the specific error when needed. This also allows us to
fix races in the compat API that did a similar racy state check.
This commit changes slightly how we output the result, previously a
start on already running container would never print the id/name of the
container which is confusing and sort of breaks idempotence. Now it will
include the output except when --all is used. Then it only reports the
ids that were actually started.
Fixes#23246
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When the path does not exist, filepath.EvalSymlinks returns an
empty string - so we can't just ignore ENOENT, we have to discard
the result if an ENOENT is returned.
Should fix Jira issue RHEL-37948
Signed-off-by: Matt Heon <mheon@redhat.com>
Old netavark version only supported iptables, however a new version on
th ehost might use nftables. This breaks the networking tests here as
they are not compatible and you would need to reboot to fix that.
Because this is not possible for our tests make sure we force the
iptables driver always to keep the test working.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
netavark can use iptables or nftables as firewall driver, thus if we try
to flush rules make sure we try both to keep the test working when we
switch the default to nftables.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Stop using iptables to check anything, it does not work rootless and
will no longer work with nftables which will be used in the future.
Also fix up the test that say podman run to actually use podman run and
then just check via inspect that the ports are set correctly.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
New tool, get-local-registry-script, intended for developers
to get a local registry running in their environment. This is
not necessary for any tests, but may be desirable for performance
reasons and/or to recreate the CI environment.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This commit gets tests working under the new local-registry system:
* amend a few image names, mostly just sticking to a consistent
list of those images in our registry cache. Mostly minor
tag updates.
* trickier: pull_test: change some error messages, and remove
a test that's now a NOP. Basically, with a local (unprotected)
registry we always get "404 manifest unknown"; with a real
registry we'll get "403 I can't tell you".
* trickiest: seccomp_test: build our own images at run time,
with our desired labels. Until now we've been pulling
prebuilt images, but those will not copy to the local
cache registry. Something about v1? Anyhow, I gave up
trying to cache them, and the workaround is straightforward.
Also took the liberty of strengthening a few error-message checks
Signed-off-by: Ed Santiago <santiago@redhat.com>
As of https://github.com/containers/automation_images/pull/357
our CI VMs include a local registry preloaded with all(*)
images used in tests.
* where "all" means "most".
This commit installs a new registries.conf that redirects docker
and quay to the new local registry. The hope is that this will
reduce CI flakes.
Since tests change over time, and new tests may require new
images, this commit also adds a mechanism for pulling in
remote images at test run time. Obviously this negates
the purpose of the cache, since it introduces a flake
pain point. The idea is: DO NOT DO THIS UNLESS ABSOLUTELY
NECESSARY, and then, if we have to do this, hurry up and
spin new CI VMs that include the new image(s).
Signed-off-by: Ed Santiago <santiago@redhat.com>
Run root e2e & system tests using composefs on rawhide.
Write magic settings to storage.conf. That part is easy.
e2e tests, however, ignore storage.conf. They require everything
to be specified on the command line. And "everything", in the
case of composefs, includes a long complicated --pull-options
string which in turn requires containers-storage PR 1966
which, as of this writing, is finally vendored into podman.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This test flakes frequently and its status is completely ignored in CI.
At the time of this commit, nobody has stepped up to debug or fix it.
Drop the test.
Signed-off-by: Chris Evich <cevich@redhat.com>
When we check if source code was changed also include header files.
There is only one header file currently but that can change and it may
be possible that changes in this file can break things so make sure it
is considered source code so that all tests are triggered.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It seems that if some background tasks are queued in libpod's Runtime before the worker's channel is set up (eg. in the refresh phase), they are not executed later on, but the workerGroup's counter is still ticked up. This leads podman to hang when the imageEngine is shutdown, since it waits for the workerGroup to be done.
fixescontainers/podman#22984
Signed-off-by: Farya Maerten <me@ltow.me>
When a system has one ipv4 and one ipv6 address hostname -I will show
both causing a failure in the case where this is only one address.
To fix this stop using hostname -I and use ip -4 to only list v4
addresses and the use jq to filter the output accordingly.
Fixes#23227
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Building the MSI hook on Windows
(`contrib/win-installer/podman-msihooks/check.c`)
currently requires MinGW. This commit updates the build
script so that, when MinGW is absent but the C compiler
included in Visual Studio BuildTools is installed, the
latter is used to build the MSI hook.
Other than that, `winmake.ps1` has a new `installertest`
target to run the Windows installer tests that are
currently verified by Cirrus CI.
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
We should never try to reexxec when we are already root with
CAP_SYS_ADMIN. The code contained a bug when --cgroups=disabled is used
as it tried to perfom a reexec even when it was not needed.
Fixes: 900e29549a ("libpod: do not move podman with --cgroups=disabled")
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The code currently tried to avoid joining the userns from conmon
directly and rather joined to only read the pid file and then send this
back to use so we could join the userns. From the comment this was done
because we could not read the pid file. However this is no longer true
as of commit 49eb5af301 and file is no always owned by the real user.
This means we can just remove this special logic and join the namespace
directly there. A test has been added to check the rejoin logic with a
custom uidmapping.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This directory contains important tools such as ginkgo as such updates
there should run through all testing and not skip anything.
Technically we do not need to run system tests as it doesn't use any
tool from there but that
a) might change in the future and
b) would make the only_if rules much more complicated if we try to
exclude it and
c) updates in test/tools are rare and/or automated so it does not cause
inconveniences to run all anyway
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Paul Holzinger
openshift-merge-bot[bot]
renovate[bot]
Matt Heon
Ed Santiago
Wanqi Li
Colin Walters
Chris Evich
Brent Baude
Farya L. Maerten
Mario Loriedo