Make Podman more tolerant when parsing image volumes during container
creation and further fix an infinite loop when checking them.
Consider `VOLUME ['/etc/foo', '/etc/bar']` in a Containerfile. While
it looks correct to the human eye, the single quotes are wrong and yield
the two volumes to be `[/etc/foo,` and `/etc/bar]` in Podman and Docker.
When running the container, it'll create a directory `bar]` in `/etc`
and a directory `[` in `/` with two subdirectories `etc/foo,`. This
behavior is surprising to me but how Docker behaves. We may improve on
that in the future. Note that the correct way to syntax for volumes in
a Containerfile is `VOLUME /A /B /C` or `VOLUME ["/A", "/B", "/C"]`;
single quotes are not supported.
This change restores this behavior without breaking container creation
or ending up in an infinite loop.
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2014149
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
otherwise passing a formatter string as an option causes a weird
error message:
$ podman run --mount type=devpts,destination=/dev/pts,%sfoo ...
Error: %!s(MISSING)foo: invalid mount option
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
commit 6b3b0a17c6 introduced a check for
the PID file before attempting to move the PID to a new scope.
This is still vulnerable to TOCTOU race condition though, since the
PID file or the PID can be removed/killed after the check was
successful but before it was used.
Closes: https://github.com/containers/podman/issues/12065
[NO NEW TESTS NEEDED] it fixes a CI flake
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
we are having a hard time figuring out a failure in the CI:
https://github.com/containers/podman/issues/11191
Rename the sub-cgroup created here, so we can be certain the error is
caused by this part.
[NO NEW TESTS NEEDED] we need this for the CI.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
A restored container still had the state set to 'Checkpointed: true'
which seems wrong if it running again.
[NO NEW TESTS NEEDED]
Signed-off-by: Adrian Reber <areber@redhat.com>
Make sure that the value is only set if specified on the CLI. c/image
already defaults to true but if set in the system context, we'd skip
settings in the registries.conf.
Fixes: #11933
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Previously this test used an ad-hoc timeout mechanism to synchronize
with output of the container ID. However, depending on runtime
conditions this may not correctly correspond with complete startup
of the systemd process. Consequently this test fails under some
conditions with an error like:
`System has not been booted with systemd as init system (PID 1). Can't
operate. Failed to connect to bus: Host is down`
Fix this by using the more appropriate `WaitContainerReady()`
against output from system startup, close to finalization. In this way,
the test status command cannot run until systemd is fully operational.
Signed-off-by: Chris Evich <cevich@redhat.com>
do not start up a dbus daemon if it is not already running.
[NO NEW TESTS NEEDED] the fix is in a dependency.
Closes: https://github.com/containers/podman/issues/9727
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Duplicate Address Detection slows the ipv6 setup down for 1-2 seconds.
Since slirp4netns is run it is own namespace and not directly routed
we can skip this to make the ipv6 address immediately available.
We change the default to make sure the slirp tap interface gets the
correct value assigned so DAD is disabled for it.
Also make sure to change this value back to the original after slirp4netns
is ready in case users rely on this sysctl.
Fixes#11062
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The following problems regarding `logs --tail` with the journald log
driver are fixed:
- One more line than a specified value is displayed.
- '--tail 0' displays all lines while the other log drivers displays
nothing.
- Partial lines are not considered.
- If the journald events backend is used and a container has exited,
nothing is displayed.
Integration tests that should have detected the bugs are also fixed. The
tests are executed with json-file log driver three times without this
fix.
Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
Trying to restore a container that was started with '--ipc host' fails
with:
Error: error creating container storage: ProcessLabel and Mountlabel must either not be specified or both specified
We already fixed this exact same error message for containers started
with '--privileged'. The previous fix was to check if the to be restored
container is a privileged container (c.config.Privileged). Unfortunately
this does not work for containers started with '--ipc host'.
This commit changes the check for a privileged container to check if
both the ProcessLabel and the MountLabel is actually set and only then
re-uses those labels.
Signed-off-by: Adrian Reber <areber@redhat.com>
So far, the infra containers of pods required pulling down an image
rendering pods not usable in disconnected environments. Instead, build
an image locally which uses local pause binary.
Fixes: #10354
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add the k8s pause binary to `pause/pause.c` and do the plumbing in the
Makefile to install it in $libexec/podman/pause/pause. It is intended to
replace the k8s pause image and hence the need for network connectivity
when creating pods.
[NO NEW TESTS NEEDED] since it will be tested in a following commit.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Mount a directory from /var/tmp to /tmp to make sure that /tmp is not on
an overlay mount. This should make overlay mounts possible in the
containerized tests which we're currently skipping.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Make sure to create the mounts for containers with an overlay root FS in
the runtime dir (e.g., /run/user/1000/...) to guarantee that we can
actually overlay mount on the specific path which is not the case for
the graph root.
[NO NEW TESTS NEEDED] since it is not a user-facing change.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This will change mount of /dev within container to noexec, making
containers slightly more secure.
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We should only use the Containerfiles/Dockerfiles found in the context
directory.
Fixes: https://github.com/containers/podman/issues/12054
[NO NEW TESTS NEEDED] It is difficult to setup a test for this in the
CI/CD system, but build tests should find if this PR broke anything.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
OpenShift Merge Robot
Giacomo Sanchietti
Jhon Honce
Valentin Rothberg
Giuseppe Scrivano
dependabot[bot]
Adrian Reber
Chris Evich
Anders F Björklund
Paul Holzinger
Hironori Shiina
Daniel J Walsh