- ImageCacheDir is hard-coded as "/tmp/podman/imagecachedir".
To avoid this hard-coding, I changed it to "os.TempDir()/imagecachedir".
- Change ImageCacheDir permissions from 0777 to 0700.
This directory should be used by per-user.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
A number of standard image names were lower-case, leading to
confusion in code such as:
registry := podman(... , "-n", "registry", registry, ...)
^--- variable ^---- constant
Fix a number of those to be capitalized and with _IMAGE suffix:
registry := podman(..., REGISTRY_IMAGE
Signed-off-by: Ed Santiago <santiago@redhat.com>
Libpod requires that all volumes are stored in the libpod db. Because
volume plugins can be created outside of podman, it will not show all
available plugins. This podman volume reload command allows users to
sync the libpod db with their external volume plugins. All new volumes
from the plugin are also created in the libpod db and when a volume from
the db no longer exists it will be removed if possible.
There are some problems:
- naming conflicts, in this case we only use the first volume we found.
This is not deterministic.
- race conditions, we have no control over the volume plugins. It is
possible that the volumes changed while we run this command.
Fixes#14207
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Our fedora-minimal image on Quay bases on fedora-minimal:latest which
starting with F35 removed a number of binaries that our CI depends on.
Fix that by pulling `fedora-minimal:34` from the Fedora registry
directly.
Once the build bot on Quay has been disabled, we move the image over
there to make sure that it will not change over time.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This involves a new test binary (a basic implementation of the
volume plugin protocol) and a new image on quay.io (Containerfile
to produce it and all sources located in this commit). The image
is used to run a containerized plugin we can test against.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Followon to #7965 (mirror registry). mirror.gcr.io doesn't
cache all the images we need, and I can't find a way to
add to its cache, so let's just use quay.io for those
images that it can't serve.
Tools used:
skopeo copy --all docker://docker.io/library/alpine:3.10.2 \
docker://quay.io/libpod/alpine:3.10.2
...and also:
docker.io/library/alpine:3.2
docker.io/library/busybox:latest
docker.io/library/busybox:glibc
docker.io/library/busybox:1.30.1
docker.io/library/redis:alpine
docker.io/libpod/alpine-with-bogus-seccomp:label
docker.io/libpod/alpine-with-seccomp:label
docker.io/libpod/alpine_healthcheck:latest
docker.io/libpod/badhealthcheck:latest
Since most of those were new quay.io/libpod images, they required
going in through the quay.io GUI, image, settings, Make Public.
Signed-off-by: Ed Santiago <santiago@redhat.com>
In the past, Toolbox[0] has been affected by several of Podman's
bugs/changes of behaviour. This is one of the steps to assure that as
Podman progresses, Podman itself and subsequently Toolbox do not regress.
One of the other steps is including Toolbox's system tests in Podman's
gating systems (which and to what extent is yet to be decided on).
The tests are trying to stress parts of Podman that Toolbox needs for
its functionality: permission to handle some system files, correct
values/permissions/limits in certain parts, management of users and
groups, mounting of paths,.. The list is most likely longer and
therefore more commits will be needed to control every aspect of the
Toolbox/Podman relationship :).
Some test cases in test/e2e/toolbox_test.go rely on some tools being
present in the base image[1]. That is not the case with the common
ALPINE image or the basic Fedora image.
Some tests might be duplicates of already existing tests. I'm more in
favour of having those duplicates. Thanks to that it will be clear what
functionality/behaviour Toolbox requires.
[0] https://github.com/containers/toolbox
[1] https://github.com/containers/toolbox/#image-requirements
Signed-off-by: Ondřej Míchal <harrymichal@seznam.cz>
Most have been fixed, others I replaced with SkipIfRemote
Fix ContainerStart on tunnel, it needs to wait for the exit status
before returning.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The `pause:3.1` has wrong configs for non-amd64 images as they all claim
to be for amd64. The issue has now been fixed in the latest
`pause:3.2`.
[1] https://github.com/kubernetes/kubernetes/issues/87325
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Move the seccomp profile from a manifest annotation to a config label.
This way, we can support it for Docker images as well and provide an
easy way to add that data via Dockerfiles.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Implement a policy for selecting a seccomp profile. In addition to the
default behaviour (default profile unless --security-opt seccomp is set)
add a second policy doing a lookup in the image annotation.
If the image has the "io.containers.seccomp.profile" set its value will be
interpreted as a seccomp profile. The policy can be selected via the
new --seccomp-policy CLI flag.
Once the containers.conf support is merged into libpod, we can add an
option there as well.
Note that this feature is marked as experimental and may change in the
future.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Test that when we pull using tag or digest references from locations
that are manifest lists, that we can inspect using the references that
we used for pulling, that the tags show up in the RepoTag list when we
inspect an image that was pulled using a tag, and that the list and
instance digests always both show up in the RepoDigest list.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
when doing localized tests (not varlink), we can use secondary image
stores as read-only image caches. this cuts down on test time
significantly because each test does not need to restore the images from
a tarball anymore.
Signed-off-by: baude <bbaude@redhat.com>
Add the ability to manually run a container's healthcheck command.
This is only the first phase of implementing the healthcheck.
Subsequent pull requests will deal with the exposing the results and
history of healthchecks as well as the scheduling.
Signed-off-by: baude <bbaude@redhat.com>
this pr allows the libpod integration suite to pass on the
ppc64le architecture. in some cases, I had to skip tests.
eventually, these tests need to be fixed so that they properly pass. of
note for this PR is:
* changed the ppc64le default container os to be overlay (over vfs) as vfs seems non-performant on ppc64le
* still run vfs for rootless operations
* some images names for ppc64le had to change because they don't exist.
* this should help getting our CI to run on the platform
Signed-off-by: baude <bbaude@redhat.com>
Toshiki Sonoda
Ed Santiago
Paul Holzinger
Giuseppe Scrivano
Valentin Rothberg
Matthew Heon
Ondřej Míchal
Daniel J Walsh
Brent Baude
Nalin Dahyabhai