This change is the first step of integrating appendable string arrays
into containers.conf and starts with enabling the `Env`, `Mounts`, and
`Volumes` fields in the `[Containers]` table.
Both, Buildah and Podman, read (and sometimes write) the fields of the
`Config` struct at various places, so I decided to migrate the fields
step-by-step. The ones in this change are most critical ones for
customers. Once all string slices/arrays are migrated, the docs of
containers.conf will be updated. The current changes are entirely
transparent to users.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
We only care about the version so just import the define package for it,
the main buildah package causes big transitive imports which fail to
build with the remote tag (i.e. libimage)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Tag now does a prepend internally instead of append with the names. Thus
the order changed which needs some test changes.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
commit 7ade972102 introduced the change
that caused an issue in crun since it forces the root user session
instead of the system one when DBUS_SESSION_BUS_ADDRESS is set.
I am addressing it in crun, but for the time being, let's also not
pass the variable down to conmon since the assumption is that when
running as root the containers must be created on the system bus.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
When the hostNetwork option is set to true in the k8s yaml,
set the pod's hostname to the name of the machine/node as is
done in k8s. Also set the utsns to host.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Followup to #20394. For years (since BATS 1.5) we've been
seeing and ignoring nasty red warnings at the end of every
system test run. Thanks for fixing it, @giuseppe! But it
broke down in the '?' case when $expected_rc is empty:
test/system/helpers.bash: line 345: [: -eq: unary operator expected
Simple fix.
Signed-off-by: Ed Santiago <santiago@redhat.com>
always cleanup the exec session when the command specified to the
"exec" is not found.
Closes: https://github.com/containers/podman/issues/20392
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
cp tests flake constantly under VFS (discovered in #20161),
and the way these tests were written makes it very, very hard
to understand failures.
This is a (sorry) hard-to-review cleanup:
- use distinctive container names, not just "cpcontainer"
- add distinctive test names (e.g. RUNNING vs CREATED)
- remove unnecessary code
- remove --pause=false (option is deprecated and, IIUC, a NOP)
- clean up some confusing slashes in paths
- "dot notation" tests:
- add a comment linking to issue, because that's a weird one
that makes no sense whatsoever
- fix tests, because they were actually not testing
This cleanup has been tested repeatedly in 20161, I'm just bringing
it into main because 20161's future is uncertain.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Updated the error message to suggest user to use --replace option to instruct Podman to replace the existsing external container with a newly created one.
closes#16759
Signed-off-by: Chetan Giradkar <cgiradka@redhat.com>
* rootful: NanoCpus needs to set more than 10000000 on cgroups v1.
* rootless: Resource limits that include NanoCPUs are not supported and ignored.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
libimage did not walk thte layers correctly which was probably
inherited by old Podman code. Fix that by vendoring in the
corresponding changes in c/common.
Fixes: #20375
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When trying to connect a container to a network and the connection
already exists, an error should only be raised if the container is
already running (or is in the `ContainerStateCreated` transition)
to mimic the behavior of Docker as described here:
https://github.com/containers/podman/pull/15516#issuecomment-1229265942
For running and connected containers 403 is returned which fixes#20365
Signed-off-by: Philipp Fruck <dev@p-fruck.de>
When a userns and netns is used we need to let the runtime create the
netns otherwise the netns is not owned by the right userns and thus
the capabilities would not be correct.
The current restart logic tries to reuse the netns which is fine if no
userns is used but when one is used we setup a new netns (which is
correct) but forgot to cleanup the old netns. This resulted in leaked
network namespaces and because no teardown was ever called leaked ipam
assignments, thus a quickly restarting container will run out of ip
space very fast.
Fixes#18615
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Allow users to specify
podman-remote top $cid -eo "pid comm"
or
podman-remote top $cid -eo pid,comm
Fixes: https://github.com/containers/podman/issues/19176
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
didid# new file: test/system/085-top.bats
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
(buildah PR 5084). Should actually have been added as a bud.bats
test in that PR, but I didn't catch it in time.
Also, remove an obsolete bud-tests skip
Signed-off-by: Ed Santiago <santiago@redhat.com>
When people report issues, we often ask for the result of `podman info`.
However, if the problem is the remote connection, it will error out with
no information at all. This PR at least will report client information
before disclosing the connection error. For example on Windows:
> .\bin\windows\podman.exe info
client:
OS: windows/amd64
provider: hyperv
version: 4.8.0-dev
host: null
Satisfies: RUN-1720
Signed-off-by: Brent Baude <bbaude@redhat.com>
This fixes a regression caused by commit 7e6e267329, unfortunately this
was not caught during review as for some reason this works fine rootless
and only fails as root.
Because we set the systemd log level to notice in order to hide the unit
started/stopped messages to prevent spamming the journal the issue is
that this now also causes systemd to ignore the events we write to
journald as we also send them as info level.
To fix this we simply send health_status events now on notice level. I
decided against sending all events on notice as I think info is fine for
them. Whenever the notice level is right is of course debatable but
given it may contain the unhealthy message I think having this a notice
should be ok.
The main reason this made it through testing is because we do not rely
on the systemd unit to fire healthchecks in the tests as this is flaky.
There is one test were we rely on it though and I added a check there
to make sure events are displayed correctly when trigger via systemd.
Fixes#20342
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add a new `compatMode` parameter to libpod's pull endpoint. If set, the
streamed JSON payload is identical to the one of the Docker compat
endpoint and allows for a smooth integration into existing tooling such
as podman-py and Podman Desktop, some of which already have code for
rendering the compat progress data.
We may add a libpod-specific parameter in the future which will stream
differnt progress data.
Fixes: issues.redhat.com/browse/RUN-1936?
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Use sqlite as default but for upgrades it will still use boltdb to avoid
breaking anyone. This is done by checking if the boltdb file already
exists and if it does then we have to use it.
I added a e2e test to check the new logic and removed the system test
for it, the problem with the system test is that we share the storage
dir there so all following commands without --db-backend would try to
use boltdb as a single --db-backend boltdb command will create the file
and then all folllwing commands will use it because of the backwards
compat. In e2e tests each test uses their own --root so it is not an
issue there.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The libpod containers create endpoint wasn't checking whether
the image existed before creating the container. If the image
doesn't exist, it should return a 404 status code but it was
failing and returning a 500 status code.
This fix matches the behavior of the compat endpoint.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Add support for adding podman level arguments before subcommand
Add specific key for Containers Conf Modules
Global arguments are added for both start and stop commands
Adjust testing environment
Add tests
Add to man page
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
As requested in containers/podman/issues/20000, add a `privileged` field
to the containers table in containers.conf. I was hesitant to add such
a field at first (for security reasons) but I understand that such a
field can come in handy when using modules - certain workloads require a
privileged container.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Podman server logs are mostly full of healthcheck output, making them hard to navigate. Hence, made healthcheck service to run with LogLevelMax=notice, this would remove the normal output, inclusive the started/stopped messages from systemd itself.
Fixes#17856
Signed-off-by: Chetan Giradkar <cgiradka@redhat.com>
Add support for DefaultMode for configMaps and secrets.
This allows users to set the file permissions for files
created with their volume mounts. Adheres to k8s defaults.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
The id, digest, and intermediate filters were broken
for podman images. Fix to match on substrings instead of
the whole string for id and digest. Add the intermediate value
correctly when set.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
print only the new container ID when using --replace instead of the
terminated container ID if it was stopped.
Closes: https://github.com/containers/podman/issues/20185
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
...from f38 + f37.
Requires one minor e2e test change, to handle an error logging
change in conmon 2.1.8.
Also, this is important, requires crun-1.9.1 because of a kernel
symlink change; see https://github.com/containers/crun/pull/1309
The VM images here were carefully built to include that. By the
time the next VM images get built, it should be default.
Since we've bumped crun, remove two obsolete skips
And, skip a flaky pasta test, #20170
Signed-off-by: Ed Santiago <santiago@redhat.com>
Commit 2 of 2: individual special-case handling of tests
which did not pass under ExitCleanly(), one or more of:
- add "-q" to commit & push commands
- add ErrorToString() checks
- remove unnecessary ErrorToString() checks
Signed-off-by: Ed Santiago <santiago@redhat.com>
Final push on RUN-1907. Commit 1 of 2.
This is the final set of test/e2e/*_test.go files to be
converted from Exit(0) to ExitCleanly().
This commit is a mix of automated string-replace with
manual revert-back: tests that did not pass with ExitCleanly()
are reverted back to Exit(0), so they will not show up as
diffs in this commit. When possible, I address those in
my next commit.
My goal was to make this commit a don't-bother-reviewing one
that will also pass tests (so as not to break git-bisect).
The next commit is the important one to review.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Some keys, e.g. ro do not have values.
The current implementation crashed looking for the = sign
Externalize findMountType in a new package
Parse mount command using FindMountType
Rebuild parameter string using csv
Add test case and adjust the test framework
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
When you run e2e tests locally they use CNI unless the NETWORK_BACKEND
env was set to netavark. Because our main focus is on netavark we should
test it by default.
For local tests this should help to prevent CNI/netavark conflicts as I
assume most systems where people run tests on are on netavark by now.
For CI testing we hardcode NETWORK_BACKEND there to test both netavark
(on current fedora) and CNI (prior fedora). MAke sure to switch the
logic in the CI setup to reflect that.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Pass the _entire_ environment to conmon instead of selectively enabling
only specific variables. The main reasoning is to make sure that conmon
and the podman-cleanup callback process operate in the exact same
environment than the initial podman process. Some configuration files
may be passed via environment variables. Podman not passing those down
to conmon has led to subtle and hard to debug issues in the past, so
passing all down will avoid such kinds of issues in the future.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Commit 2 of 2: fixes to get tests passing
Mostly reverting back to Exit(0) on tests that produce stderr,
adding stderr checks when those are missing.
One pretty big exception: "run check dns" test was completely
broken in many respects. It should never have worked under CNI,
but was passing because nslookup in that alpine image was
checking /etc/hosts. This has been fixed in subsequent alpine
images, which we're now using in this test (CITEST_IMAGE).
Signed-off-by: Ed Santiago <santiago@redhat.com>
PR #20082 bumped fedora-minimal, from f34 to f39. This worked
fine for a few days, then all of a sudden CI started breaking
because the f39 minimal image got rebuilt and repushed without
adduser. #20127 was an emergency fix; this is a stabler fix.
We keep using not-under-our-control container images, and we
keep getting burned when those get updated in nasty ways. Here
we switch to using a tagged & versioned fedora-minimal image
that is under our control.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The processing and setting of the static and volume directories was
scattered across the code base (including c/common) leading to subtle
errors that surfaced in #19938.
There were multiple issues that I try to summarize below:
- c/common loaded the graphroot from c/storage to set the defaults for
static and volume dir. That ignored Podman's --root flag and
surfaced in #19938 and other bugs. c/common does not set the
defaults anymore which gives Podman the ability to detect when the
user/admin configured a custom directory (not empty value).
- When parsing the CLI, Podman (ab)uses containers.conf structures to
set the defaults but also to override them in case the user specified
a flag. The --root flag overrode the static dir which is wrong and
broke a couple of use cases. Now there is a dedicated field for in
the "PodmanConfig" which also includes a containers.conf struct.
- The defaults for static and volume dir and now being set correctly
and adhere to --root.
- The CONTAINERS_CONF_OVERRIDE env variable has not been passed to the
cleanup process. I believe that _all_ env variables should be passed
to conmon to avoid such subtle bugs.
Overall I find that the code and logic is scattered and hard to
understand and follow. I refrained from larger refactorings as I really
just want to get #19938 fixed and then go back to other priorities.
https://github.com/containers/common/pull/1659 broke three pkg/machine
tests. Those have been commented out until getting fixed.
Fixes: #19938
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The fedora minimal 39 image has been updated on the fedora registry and
removed the `useradd` binary. Since we were pulling by tag and not by
digest, updates to images outside of our control always entail a certain
risk - and now it bit us.
To fix it, try to move as many users of `useradd` to _our_ CITEST_IMAGE
and migrate the code where necessary to this Alpine-based tooling.
However, the Alpine-based `adduser` binary (not useradd!) doesn't work
well when being executed as a non-root user and will just error out.
Hence, move the fedora minimal image back to version 34 which is still
including the `useradd` binary.
Ultimately, all images on public registries should be pulled via digest
to make sure we pin them down. I refrain from doing this now to make
sure we can cherry-pick this PR to older branches and get things back
into a working state ASAP.
Fixes: #20119
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Container ports defined with containerPort were exposed by default
even though kubernetes interprets them as mostly informative.
Closes#17028
Signed-off-by: Peter Werner <wpw.peter@gmail.com>
Fix farm update to verify a connection exists before
removing or adding it.
Also verify that the farm we want to update exists.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
This is not really an error, if the anonymous volume is still used then
this likely means it was transferred to another container with
--volumes-from. This is what the user wants and it is not like the user
can act on the logged error anyway. Once the last user of the volume is
removed it will be removed correctly.
see https://github.com/containers/podman/pull/19637
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Commit 2 of 2: steps to make tests work under ExitCleanly()
Mostly adding "-q" to push/pull, but also:
- revert ExitCleanly(), and add error-message checks
if absent;
- fix a test that was completely nonfunctional from
Day One: test was getting skipped because registry
couldn't start, because of missing ":z"s in mount option.
Fixed, and removed the bypass;
- use built-in skopeo, not pulled-container skopeo. Skopeo
is already a requirement for system tests.
Signed-off-by: Ed Santiago <santiago@redhat.com>
the test works only when the user owns the outer mount namespace,
which is likely not the case when running in rootless mode.
Closes: https://github.com/containers/podman/issues/20076
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
commit cf364703fc changed the way
/sys/fs/cgroup is mounted when there is not a netns and it now honors
the ro flag. The mount was created using a bind mount that is a
problem when using a cgroup namespace, fix that by mounting a fresh
cgroup file system.
Closes: https://github.com/containers/podman/issues/20073
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
If you are running a quadlet with anonymous volumes, then the volume
will leak ever time you restart the service. This change will
cause the volume to be removed.
Fixes: https://github.com/containers/podman/issues/20070
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Commit 3 of 3: make tests pass.
This is the tricky one requiring manual effort. For the most part,
all I did was replace ALPINE/"alpine" with CITEST_IMAGE so we
don't get "Pulling..." messages. Also added warning-message checks
to two truncation tests
Signed-off-by: Ed Santiago <santiago@redhat.com>
Commit 2 of 3:
- rewrite all but one commands, from "generate kube" to "kube g".
- remove "podman generate kube" from all It()s.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Commit 3 of 3, and this one's a doozy. Sorry.
The main problem was that "kube play" re-pulled images.
To solve that, I changed PullPolicy to "missing" and,
where possible, replaced alpine/busybox with CITEST_IMAGE
because that one seems to be cached better? I couldn't
figure out why, but even without the PullPolicy change
everything worked better with CITEST_IMAGE. And it's
a better image to use anyway.
Other lesser changes (like adding "-q") as needed.
Also:
- in four tests that use "replica", we can't use ExitCleanly()
because of a run-time warning. Add a check for that warning.
- remove a workaround for a long-closed issue (c/storage 1232)
Signed-off-by: Ed Santiago <santiago@redhat.com>
Commit 2 of 3:
- rewrite all commands but one, from "play kube" to "kube play".
Considered renaming the file but no, maybe later.
- remove "podman play kube" from all It()s. "Podman kube play" is
already in the Description; unnecessary redundancy is unnecessary.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The --syslog flag has not been passed to the cleanup process (i.e.,
conmon's exit args) complicating debugging quite a bit.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The test started to fail in gating and on workstations. It turned out
that pushing the test image to the registry recompresses it which in
turn may change the digest. The digest now started to change; computing
it depends on the toolchain so the test passed before by pure luck it
seems.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
cli flags couldn't override the active-destination when env variables were set. As a remedy, the precedence of cli flags has been changed.
Signed-off-by: Chetan Giradkar <cgiradka@redhat.com>
Commit 1 of 2.
More easy ones: test files that either work with ExitCleanly()
or require very, very simple tweaks.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Part of RUN-1906.
Followup to #19878 (check stderr in system tests): allow_warnings()
and require_warning() functions to make sure no unexpected messages
fall through the cracks.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Commit 2 of 2: manual tweaks to get tests passing. Very trivial,
the vast majority of these test files worked with no changes.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Continuing work on RUN-1907: huge set of files, but not
as intimidating as it looks.
Commit 1 of 2: mindless replace of Exit(0) with ExitCleanly()
Signed-off-by: Ed Santiago <santiago@redhat.com>
Followup to #20016:
- remove obsolete (misleading) comment
- prune dangling <none>:<none> image
Also, in kube test, rmi pause_image to avoid nasty red warnings
Also, ouch, fix a stupid that I introduced in #19878: the PODMAN
command path got dropped from log messages.
Signed-off-by: Ed Santiago <santiago@redhat.com>
main
----
Use order number to order the units processing
Process .image file
Usage of .image file should not log Ambiguous Name warning
Use AmbiguousName for .volume and .image units
Quadlet
-------
Convert .image files
Add driver and Image keys to .volume files
Handle usage of .image as Image
Man Page
--------
Add comments for new keys in .volume file
Add comment about using .image files as images
Add section about .image units
Tests
-----
Add integration tests
Add system test
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Co-authored-by: Tom Sweeney <tsweeney@redhat.com>
As found while working on #20000, the `--env-host` flag should use the
default from containers.conf. Add a new "supported fields" test to the
system tests to make sure we have a goto test for catching such
regressions. I suspect more flags to not use the defaults from
containers.conf.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The --module can only be parsed on the root level. It cannot work on
the command level, because it must be "manually" parsed on init() to
make sure the specified configuration files/modules are loaded prior to
parsing the flags via Cobra.
Hence move --module from the "persistent" to the "local" flags which
will yield an error instead of doing nothing when being specified on the
command level:
```
$ ./bin/podman run --module=foo.conf --rm alpine
Error: unknown flag: --module
See 'podman run --help'
```
Reported in #20000.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Commit 2 of 2: manual fixes to get tests to pass
Mostly adding "-q" to pull & push. In a few places that's
not possible, so revert to Exit(0) with stderr checks.
We do a *LOT* of image pulling! In a desperate attempt
to fix that, change some instances of ALPINE to CITEST_IMAGE.
Signed-off-by: Ed Santiago <santiago@redhat.com>
QM needs to be able to specify the maximum number of open files within the QM
environment to ensure FFI.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
QM needs to be able to specify the maximum number of PIDs within the QM
environment to ensure FFI.
Picking a total of 10,000 Pids might be a rasonable constraint on the
QM.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Commit 2 of 2: manual fixes to get tests to pass.
Mostly adding "-q", but in some cases reverting back to Exit(0)
with progress-message checks.
Plus, fix a typo in an error message
Signed-off-by: Ed Santiago <santiago@redhat.com>
Ongoing steps toward RUN-1907: replace Exit(0) with ExitCleanly()
Commit 1 of 2: simple automated string-replace, plus fixes
to includes.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Ongoing steps toward RUN-1907: replace Exit(0) with ExitCleanly()
Several manual fixes for tests that broke:
1. (the usual case): add "-q" to podman-create or -pull; or
2. Revert back to Expect(Exit(0)), and add stderr checks for
progress messages
Signed-off-by: Ed Santiago <santiago@redhat.com>
Ongoing steps toward RUN-1907: replace Exit(0) with ExitCleanly()
One manual fix: adding -q to podman commit, to avoid progress messages
Signed-off-by: Ed Santiago <santiago@redhat.com>
Ongoing steps toward RUN-1907: replace Exit(0) with ExitCleanly()
A handful of test files with trivial command-line replacement,
and no manual muckery (aside from includes).
Signed-off-by: Ed Santiago <santiago@redhat.com>
It is perfectly valid to have only scheme and path (no "authority"),
but unfortunately it doesn't work with external clients like Docker.
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
commit 8b4a79a744 introduced
oom_score_adj clamping when the container oom_score_adj value is lower
than the current one in a rootless environment. Move the check to
init() time so it is performed every time the container starts and not
only when it is created. It is more robust if the oom_score_adj value
is changed for the current user session.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Ongoing steps toward RUN-1907: replace Exit(0) with ExitCleanly()
Clean command-line replace, but required adding "-q" (quiet)
to all commit commands. Except one, on which I added tests
for the expected progress messages.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Ongoing steps toward RUN-1907: replace Exit(0) with ExitCleanly()
Clean command-line replace, with manual tweaks to two tests:
* clone to a pod: revert to just Exit(0), because podman issues
a namespace warning
* --destroy --force : run "top" in container, not default (shell),
to avoid the 10-second SIGKILL fallback warning
Signed-off-by: Ed Santiago <santiago@redhat.com>
Ongoing steps toward RUN-1907: replace Exit(0) with ExitCleanly()
Clean command-line replace.
Also, fix up the Containerized and Debian exceptions in matcher.
I was in a huge rush Thursday night when I added the Debian
exception. This, I hope, makes it slightly easier to understand
the cases where we don't check stderr.
Signed-off-by: Ed Santiago <santiago@redhat.com>
HC events were firing as part of the `exec` call, before it had
even been decided whether the HC succeeded or failed. As such,
the status was not going to be correct any time there was a
change (e.g. the first event after a container went healthy to
unhealthy would still read healthy). Move the event into the
actual Healthcheck function and throw it in a defer to make sure
it happens at the very end, after logs are written.
Ignores several conditions that did not log previously (container
in question does not have a healthcheck, or an internal failure
that should not really happen).
Still not a perfect solution. This relies on the HC log being
written, when instead we could just get the status straight from
the function writing the event - so if we fail to write the log,
we can still report a bad status. But if the log wasn't written,
we're in bad shape regardless - `podman ps` would disagree with
the event written, for example.
Fixes#19237
Signed-off-by: Matt Heon <mheon@redhat.com>
Shortcuts like unix:path and unix:/path do not work everywhere,
so make sure to use unix://path when quoting the url (or address)
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
Add support to kube play to support the TerminationGracePeriodSeconds
fiels by sending the value of that to podman's stopTimeout.
Add support to kube generate to generate TerminationGracePeriodSeconds
if stopTimeout is set for a container (will ignore podman's default).
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
If some volumes are specified in containers.conf, they are currently
added twice to the containers spec causing the container to fail:
$ head -n2 ~/.config/containers/containers.conf
[containers]
volumes = ["/tmp:/tmp"]
$ podman pod create --name foo
7ac7f97f9b74a596332483e4a13e58cb9c8d997e9c5baae46804ae0acc26cbc6
$ podman run --pod=foo alpine true
Error: "/tmp": duplicate mount destination
The fix is to ignore the setting from containers.conf when setting the
pod default configuration.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This test checks that the pod cgroups are created and that the limits
set for a pod cgroup are enforced also after a reboot.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Ongoing steps toward RUN-1907: replace Exit(0) with ExitCleanly()
Clean command-line replace, with one manual reversion (commented)
And -- duh! -- skip the stderr check on Debian!
Signed-off-by: Ed Santiago <santiago@redhat.com>
When the "rmi" part of "run --rmi" fails due to image being in use
by another container (or for any reason, actually), issue a warning
message, not an error.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Under some circumstances podman tries to kill a container
using signal 37, for which unix.SignalName() returns "".
Not helpful. So, when that happens, show "(signal number)".
Signed-off-by: Ed Santiago <santiago@redhat.com>
PR #19878 (checking for warnings in system tests) broke upgrade tests.
Reason: my long-ago "optimization" in which, if a PR touches only
tests in X, do not run tests in Y. Unfortunately, upgrade tests
rely on code in the system-test directory. I don't know if this
is fixable; nor if it's an acceptable tradeoff. Please discuss.
Sorry, everyone.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Also add a new `StoppedByUser` field to the container-inspect state
which can be useful during debugging and is now also used in the
regression test. Note that I moved the `false` check one test above
such that we can compare the previous Podman version which should just
be stuck in the `wait $ctr` command since it will continue restarting.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The logic here makes little sense, basically the /tmp and /var/tmp are
always set noexec, while /run is not. I don't see a reason to set any
of the three noexec by default.
Fixes: https://github.com/containers/podman/issues/19886
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
With few exceptions, commands that exit 0 should not emit any
messages with level=warning or =error. Let's start enforcing
that in run_podman.
Allow one-off exceptions, typically when we're testing an
actual warning condition (usual case: "podman stop" where it
times out to SIGKILL). Exceptions are specified via:
run_podman 0+w subcommand...
^^^---- or, rarely, 0+e
"0" stands for "expect exit status 0", which is the default
so it's implicit anyway. The +w / +e (or even +we) is the
new part. I have added it to tests where necessary.
And, because life is what it is, add two global exceptions:
- Debian. Because runc has too many flakes.
- kube. Ditto. Kube commands emit lots of nasty error
messages (yes, level=error) that don't seem to affect
results.
Similar to #18442
Signed-off-by: Ed Santiago <santiago@redhat.com>
Small steps toward RUN-1907: replace Exit(0) with ExitCleanly()
in ginkgo tests in two test files. Also, when practical,
replace ALPINE with CITEST_IMAGE.
There are still many thousands of instances left to fix. I will
be submitting in reviewable chunks.
Signed-off-by: Ed Santiago <santiago@redhat.com>
allow the image to specify an empty list of capabilities, currently
podman chokes when the io.containers.capabilities specified in an
image does not contain at least one capability.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Fixes infrequent but annoying flake in which system tests
call random_free_port(), get a nice-looking port, then
fail with "bind: address already in use".
Signed-off-by: Ed Santiago <santiago@redhat.com>
Primarily, build test images FROM scratch, not alpine, to
avoid image pulls and network flakes and potential pull-
the-rug-out errors if the base alpine image changes.
This was much more complicated than it should've been,
because creating unique arch-specific FROM-scratch images
triggered a weird manifest bug, filed as #19860.
Also:
- add a teardown() to clean up manifests
- remove test for skopeo (skopeo is required for sys tests)
- remove unnecessary intermediate tmpdir
- deduplicate, by looping over amd+arm
- fix indentation
- and, finally, clean up dangling images (this was the initial
reason behind my diving in here. Such a simple thing, I thought.)
Signed-off-by: Ed Santiago <santiago@redhat.com>
when running rootless, if the specified oom_score_adj for the
container process is lower than the current value, clamp it to the
current value and print a warning.
Closes: https://github.com/containers/podman/issues/19829
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Fix unquoted string vars. Something like this:
is $output "what we expect"
...will fail with a misleading error message if $output is "".
Also fix typos in a diagnostic; this was causing unhelpful message
on failure
Signed-off-by: Ed Santiago <santiago@redhat.com>
A nearly-trivial first effort to use the new ExitCleanly().
Requires using the new CITEST_IMAGE (see prior commit)
because nginx causes the tests to fail:
[FAILED] Unexpected warnings seen on stderr: \
level=warning \
msg="HEALTHCHECK is not supported for OCI image format ...
Oh, I also took the liberty of rewriting "play kube" -> "kube play".
Signed-off-by: Ed Santiago <santiago@redhat.com>
Combined test for (exitcode == 0) && (nothing on stderr).
Returns more useful diagnostic messages than the default:
old: Expected N to equal 0
new: Command failed with exit status N
new: Unexpected warnings seen on stderr: "...."
Signed-off-by: Ed Santiago <santiago@redhat.com>
Finally, after so many years, let's start using testimage:YYYYMMDD.
Use it in place of LABELS_IMAGE, which nothing/nowhere was using.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Use the `newer` pull policy only for the "latest" tag and default to
using `missing` otherwise. This speeds up `kube play` as it'll skip
reaching out to the registry and also fixes other side-effects described
in #19801.
Fixes: #19801
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When pulling from an OCI source, make sure to preseve the optional name.
For instance, a podman pull oci:/tmp/foo:quay.io/foo/bar:latest should
pull the image and name it quay.io/foo/bar:latest.
While at it, also fix a bug when pulling an OCI without the optional
name. Previously, we used the path to name the image which will error in
most cases due to invalid characters (e.g., capital ones). Hence, apply
the same trick as for the dir transport and generate a sha.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Use `add_compression` field from `containers.conf` if found instead and
`CLI` field `--add-compression` is not set.
Signed-off-by: Aditya R <arajan@redhat.com>
... by updating for a c/common API change.
[NO NEW TESTS NEEDED]: Only moves unchanged code,
should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Motivation
===========
This feature aims to make --uidmap and --gidmap easier to use, especially in rootless podman setups.
(I will focus here on the --gidmap option, although the same applies for --uidmap.)
In rootless podman, the user namespace mapping happens in two steps, through an intermediate mapping.
See https://docs.podman.io/en/latest/markdown/podman-run.1.html#uidmap-container-uid-from-uid-amount
for further detail, here is a summary:
First the user GID is mapped to 0 (root), and all subordinate GIDs (defined at /etc/subgid, and
usually >100000) are mapped starting at 1.
One way to customize the mapping is through the `--gidmap` option, that maps that intermediate mapping
to the final mapping that will be seen by the container.
As an example, let's say we have as main GID the group 1000, and we also belong to the additional GID 2000,
that we want to make accessible inside the container.
We first ask the sysadmin to subordinate the group to us, by adding "$user:2000:1" to /etc/subgid.
Then we need to use --gidmap to specify that we want to map GID 2000 into some GID inside the container.
And here is the first trouble:
Since the --gidmap option operates on the intermediate mapping, we first need to figure out where has
podman placed our GID 2000 in that intermediate mapping using:
podman unshare cat /proc/self/gid_map
Then, we may see that GID 2000 was mapped to intermediate GID 5. So our --gidmap option should include:
--gidmap 20000:5:1
This intermediate mapping may change in the future if further groups are subordinated to us (or we stop
having its subordination), so we are forced to verify the mapping with
`podman unshare cat /proc/self/gid_map` every time, and parse it if we want to script it.
**The first usability improvement** we agreed on #18333 is to be able to use:
--gidmap 20000:@2000:1
so podman does this lookup in the parent user namespace for us.
But this is only part of the problem. We must specify a **full** gidmap and not only what we want:
--gidmap 0:0:5 --gidmap 5:6:15000 --gidmap 20000:5:1
This is becoming complicated. We had to break the gidmap at 5, because the intermediate 5 had to
be mapped to another value (20000), and then we had to keep mapping all other subordinate ids... up to
close to the maximum number of subordinate ids that we have (or some reasonable value). This is hard
to explain to someone who does not understand how the mappings work internally.
To simplify this, **the second usability improvement** is to be able to use:
--gidmap "+20000:@2000:1"
where the plus flag (`+`) states that the given mapping should extend any previous/default mapping,
overriding any previous conflicting assignment.
Podman will set that mapping and fill the rest of mapped gids with all other subordinated gids, leading
to the same (or an equivalent) full gidmap that we were specifying before.
One final usability improvement related to this is the following:
By default, when podman gets a --gidmap argument but not a --uidmap argument, it copies the mapping.
This is convenient in many scenarios, since usually subordinated uids and gids are assigned in chunks
simultaneously, and the subordinated IDs in /etc/subuid and /etc/subgid for a given user match.
For scenarios with additional subordinated GIDs, this map copying is annoying, since it forces the user
to provide a --uidmap, to prevent the copy from being made. This means, that when the user wants:
--gidmap 0:0:5 --gidmap 5:6:15000 --gidmap 20000:5:1
The user has to include a uidmap as well:
--gidmap 0:0:5 --gidmap 5:6:15000 --gidmap 20000:5:1 --uidmap 0:0:65000
making everything even harder to understand without proper context.
For this reason, besides the "+" flag, we introduce the "u" and "g" flags. Those flags applied to a
mapping tell podman that the mapping should only apply to users or groups, and ignored otherwise.
Therefore we can use:
--gidmap "+g20000:@2000:1"
So the mapping only applies to groups and is ignored for uidmaps. If no "u" nor "g" flag is assigned
podman assumes the mapping applies to both users and groups as before, so we preserve backwards compatibility.
Co-authored-by: Tom Sweeney <tsweeney@redhat.com>
Signed-off-by: Sergio Oller <sergioller@gmail.com>
The docker client expects to read the OSType header from the `/_ping` response in order to determine the OS type of the server, for example, when running `docker run --device=/dev/fuse ...`
https://github.com/moby/moby/blob/master/client/ping.go#L57
Signed-off-by: chnrxn <cohawk@yahoo.com>
The usual bug that we always seem to forget about: "kube play"
needs "podman wait" before we can "podman logs". (And, reminder,
"kube play --wait" is worthless because it destroys containers).
Reference: #18074, the original PR that fixed a bunch of these flakes.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Make sure that `kube down` and `kube play --replace` do not error out
when an object does not exist (or has already been removed). Such kind
of teardown should not be treated as an ordinary `rm` but as an
`rm --ignore`. It's purpose it to make sure that all objects in a YAML
are removed; even if they existed only partially.
Fixes: #19711
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Value of `--force-compression` should be already `true` is
`--compression-format` is selected otherwise let users decide.
Signed-off-by: Aditya R <arajan@redhat.com>
Ygal Blum
Urvashi Mohnani
Valentin Rothberg
openshift-ci[bot]
Paul Holzinger
Toshiki Sonoda
Ed Santiago
Daniel J Walsh
renovate[bot]
Giuseppe Scrivano
Chetan Giradkar
Philipp Fruck
Aditya R
Gabriel Pozo
Brent Baude
Aleksei Kosyrev
OpenShift Merge Robot
Wolfgang Pross
Peter Werner
xtex
ryanhockstad
Ryan Hockstad
Anders F Björklund
Radostin Stoyanov
danishprakash
Matt Heon
Miloslav Trmač
Sergio Oller
chnrxn