add a function to securely mount a subpath inside a volume. We cannot
trust that the subpath is safe since it is beneath a volume that could
be controlled by a separate container. To avoid TOCTOU races between
when we check the subpath and when the OCI runtime mounts it, we open
the subpath, validate it, bind mount to a temporary directory and use
it instead of the original path.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
If the kube yaml volumes has secret.items set, then use
the values from that to set up the paths inside the container
similar to what we do for configMap.
Add tests for this as well.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
the exec hooks already print the error message, so there is no need to
print another one.
[NO NEW TESTS NEEDED]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Fix the example for RemapGid from keep-id to keep-groups
Reflect the chnages to the support for keep-id in Containers as well
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
As found in #17828, image listing does not scale well with a growing
number of local images. Make use of recent improvements in libimage
that allow for computing the dangling and parent data with _one_ layer
tree. Prior, the layer tree had to be recomputed _twice_ for each
image.
[NO NEW TESTS NEEDED] as it's a non-functional performance change.
Fixes: #17828
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
By default go will not keep the stdout/err attach when executing
commands via exec.Command(). It is required to explicitly pass the
current stdout/err fds down to the child so we can see the error output
in the logs to debug #17966.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It turns out the restart is _not_ a stop+start but keeps certain
resources open and is subject to some timeouts that may differ across
distributions' default settings.
[NO NEW TESTS NEEDED] as I have absolutely no idea how to reliably cause
the failure/flake/race.
Also ignore ENOENTS of the CID file when removing a container which has
been identified of actually fixing #17607.
Fixes: #17607
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add a debug line to the wait to test to see which container
is being left behind after the cleaup where the race is happening.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
When a userns is set we setup the network after the bind mounts, at the
point where resolv.conf is generated we do not yet know the subnet.
Just like the other dns servers for bridge networks we need to add the
ip later in completeNetworkSetup()
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2182052
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Some key are available only for user scope while there are no keys that
are supported only for system. So, better to run in user scope
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
`Ping()` requires the DB lock, so we had to move it into a transaction
to fix#17859. Since we try to access the DB directly afterwards, I
prefer to let that fail instead of paying the cost of a transaction
which would lock the DB for _all_ processes.
[NO NEW TESTS NEEDED] as it's a hard to reproduce race.
Fixes: #17859
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
If a path (Yaml, ConfigMap, EnvFile) starts with a systemd path
specifier, treat the path as absolute
Add tests - unit, e2e and bats
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
...not CONTAINERS_CONF. At least for most tests.
Nearly every system test currently using CONTAINERS_CONF=tmpfile
should be using CONTAINERS_CONF_OVERRIDE.
Simple reason: runtime (crun/runc), database_backend (bolt/sqlite),
logger, and other important settings from /etc/c.conf are not
usually written into the tmpfile. Those tests, therefore, are
not running podman as configured on the system.
Much more discussion: #15413
This PR is a prerequisite for enabling sqlite system tests. For
the sake of simplicity and sanity, I choose to submit the sqlite
switch as a separate PR once this passes and merges.
Signed-off-by: Ed Santiago <santiago@redhat.com>
It flakes once or twice a day:
VERSION=1.51.1 ./hack/install_golangci.sh
Installing golangci-lint v1.51.1 into ./bin/golangci-lint
golangci/golangci-lint info checking GitHub for tag 'v1.51.1'
golangci/golangci-lint crit unable to find 'v1.51.1' - use 'latest'
or see https://github.com/golangci/golangci-lint/releases for details
No visibility into why, and no special reason to believe that
retrying five seconds later will work, but it seems worth a try.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Race introduced in #16709, which changed 'top' to 'true', so
there was only a narrow window in which '.State.ConmonPod'
would be valid. Remove the race.
Fixes: #17882
Signed-off-by: Ed Santiago <santiago@redhat.com>
Alexis Couvreur
OpenShift Merge Robot
Giuseppe Scrivano
Urvashi Mohnani
Ygal Blum
Valentin Rothberg
Arthur Sengileyev
Paul Holzinger
Daniel J Walsh
Ed Santiago
Brent Baude
tomsweeneyredhat