when joining an existing container user namespace, read the existing
mappings so the storage can be created with the correct ownership.
Closes: https://github.com/containers/podman/issues/7547
Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
Current podman container runlabel --display is being ignored.
This is just supposed to display the command that would be run, and
then exit, but instead is actually running the command.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1877186
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
During the redesign of podman 2.0, we dropped the support for --oom-score-adj.
Test for this flag was bogus and thus passing when it was broken.
Basically just need to set the value in the spec.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1877187
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Invert the branch logic to match the comment. Docker seems to wait for
the container while Podman does not.
Enable the remote-disabled system test as well.
Fixes: #7135
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The systemd generator looks for certain flags in the containers' create
commands to determine which flags need to be added. In case of named
containers, the generator adds the `--replace` flag to prevent name
conflicts at container creation. Fix the generator to not only cover
the `--name foo` syntax but also the `--name=foo` one.
Fixes: #7157
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Currently this command blows up because it closes the file descriptor before
doing the build.
Add tests to make sure we don't regress.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1877188
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
There is no need to setup the image and container engine when calling
a command with subcommands since we only print a usage message.
e.g `podman`,`podman container`
This also allows the remote client to show the usage message on
these commands without a running endpoint. I added a test for this.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
CI and system tests currently pull some images from docker.io.
Eliminate that, by:
- building a custom image containing much of what we need
for testing; and
- copying other needed images to quay.io
(Reason: effective 2020-11-01 docker.io will limit the
number of image pulls).
The principal change is to create a new quay.io/libpod/testimage,
using the new test/system/build-testimage script, instead of
relying on quay.io/libpod/alpine_labels. We also switch to
using a hardcoded :YYYYMMDD tag, instead of :latest, in an
attempt to futureproof our CI. This image includes 'httpd'
from busybox-extras, which we use in our networking test
(previously we had to pull and run busybox from docker.io).
The testimage can and should be extended as needed for future
tests, e.g. adding test file content or other useful tools.
For the '--pull' tests which require actually pulling from
the registry, I've created an image with the same name but
tagged :00000000 so it will never be pulled by default.
Since this image is only used minimally, it's just busybox.
Unfortunately there remain two cases we cannot solve in
this tiny alpine-based image:
1) docker registry
2) systemd
For those, I've (manually) run:
podman pull [ docker.io/library/registry:2.7 | registry.fedoraproject.org/fedora:31 ]
podman tag !$ quay.io/...
podman push !$
...and amended the calling tests accordingly.
I've tried to make the the smallest reasonable diff, not the
smallest possible one. I hope it's a reasonable tradeoff.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Support loading and saving tarballs with more than one image.
Add a new `/libpod/images/export` endpoint to the rest API to
allow for exporting/saving multiple images into an archive.
Note that a non-release version of containers/image is vendored.
A release version must be vendored before cutting a new Podman
release. We force the containers/image version via a replace in
the go.mod file; this way go won't try to match the versions.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
If we select "unconfined" as AppArmor profile, then we should not error
even if the host does not support it at all. This behavior has been
fixed and a corresponding e2e test has been added as well.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
(This is an adoption of #7533 because Brent is on PTO).
Pick up new crun and crio-runc.
Also: renames from useful fedora-32 and -31 to less-useful
names; presumably this is needed by something-something in
the new VM setup.
Also: tweak two e2e tests to more properly handle a kernel
(5.8.4) with a greater set of capabilities than what we
or crun can yet handle.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add support for generating systemd units
via the api and podman-remote.
Change the GenerateSystemdReport type to return the
units as map[string]string with the unit name as key.
Add `--format` flag to `podman generate systemd`
to allow the output to be formatted as json.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
The system defaults /run to "exec" mode, and we default --read-only
mounts on /run to "exec", so --systemd should follow suit.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We want to modify /etc/passwd to add an entry for the user in
question, but at the same time we don't want to require the
container provide a /etc/passwd (a container with a single,
statically linked binary and nothing else is perfectly fine and
should be allowed, for example). We could create the passwd file
if it does not exist, but if the container doesn't provide one,
it's probably better not to make one at all. Gate changes to
/etc/passwd behind a stat() of the file in the container
returning cleanly.
Fixes#7515
Signed-off-by: Matthew Heon <mheon@redhat.com>
With previous versions of Podman (like v1.9.2) it was always possible to
specify the log level in any case, for example `INFO`. This behavior has
silently changed, where the `--log-level` flag only accepts lower case
levels. This commit re-enables the old behavior and adds an e2e test for
it.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
The test that does 'adduser' in a keep-id container had a
really dumb bug: if the user running the test has UID 1000,
then podman itself (via keep-id) will add the "1000" passwd
entry, and the in-container "adduser" will allocate 1001,
making our test fail. This triggered in f31/f32 podman gating
tests, but (?!?) never in rawhide gating tests.
Solution: explicitly feed a UID to adduser. Make sure that
it's not the same as the UID of the current user.
Also (unrelated): fix a ridiculous "run mkdir || die". At
the time I wrote that I probably had no idea how BATS works.
Signed-off-by: Ed Santiago <santiago@redhat.com>
because a pod's network information is dictated by the infra container at creation, a container cannot be created with network attributes. this has been difficult for users to understand. we now return an error when a container is being created inside a pod and passes any of the following attributes:
* static IP (v4 and v6)
* static mac
* ports -p (i.e. -p 8080:80)
* exposed ports (i.e. 222-225)
* publish ports from image -P
Signed-off-by: Brent Baude <bbaude@redhat.com>
Fixes: 4c75fe3f70 ("fix pod creation with "new:" syntax")
Commit 4c75fe3f70 passes all net options to the pod but forgot
to unset the options for the container creation. This leads to
erros when using flags like `--ip` since we tried setting
the ip on the pod and container which obviously fails.
I didn't notice the bug because we don't throw an error when
specifing port bindings on a container which joins the pods
network namespace. (#7373)
Also allow the use of `--hostname` and pass that option to the
pod and unset it for the container. The container has to use
the pods hostname anyway. This would error otherwise.
Added tests to prevent regression.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
info, images, run, networking tests: remove some skip_if_remote()s
that were added in the varlink days. All of these tests now seem
to work with APIv2.
help test: check that first output line from 'podman --help'
is the program description (regression check for #7273).
load test: clean up stray images, rewrite test to make it conform
to existing convention. In the process, discover and file #7337
exec test (and networking): file #7360, and add FIXME comment
to skip()s suggesting evaluating those tests once that is fixed.
pod test: now that #6328 is fixed, use 'podman pod inspect --format'
instead of relying on jq
Various other tests: add an explanation of why test is disabled
so we can more easily distinguish "this will never be meaningful
under remote" vs "hey, doesn't work for now, but maybe someday".
Signed-off-by: Ed Santiago <santiago@redhat.com>
Giuseppe Scrivano
OpenShift Merge Robot
Daniel J Walsh
Valentin Rothberg
zhangguanzhang
Paul Holzinger
Ed Santiago
Sascha Grunert
Edward Shen
Matthew Heon
Peter Hunt
Brent Baude