This will require a 'podman system renumber' after being applied
to get lock numbers for existing volumes.
Add the DB backend code for rewriting volume configs and use it
for updating lock numbers as part of 'system renumber'.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
podman cp has had some unexpected bugs, and still has
some surprising behavior. It looks like this part of
the code is fragile. Add tests to try to prevent
future breakages.
Note that two of the new tests are disabled (skipped)
until #3829 gets fixed.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Update the CNI configuration instructions to line up with
the changes introduced in #3868. Also do a bit less documentation
of the configuration and point to the GitHub project so we won't
get out of sync in the future.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Support generating systemd unit files for a pod. Podman generates one
unit file for the pod including the PID file for the infra container's
conmon process and one unit file for each container (excluding the infra
container).
Note that this change implies refactorings in the `pkg/systemdgen` API.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add the digestfile option to the push command so the digest can
be stored away in a file when requested by the user. Also have added
a debug statement to show the completion of the push.
Emulates Buildah's https://github.com/containers/buildah/pull/1799/files
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Before, if the container was run with a specified user that wasn't root, exec would fail because it always set to root unless respecified by user.
instead, inherit the user from the container start.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
The priv test added to the build test in June runs an 'apk'
command which, unavoidably, has to fetch stuff from the net.
This is slow and unreliable, and periodically leads to
timeout failures. Worse, when this happens, some sort of
invisible buildah-only container gets left behind that leads
to failures in subsequent tests when trying to reset to
known state.
Imperfect workaround: try a 240-second timeout (up from 60)
when running apk. As backup, add a custom teardown() which
attempts to force-remove all containers and any new images.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This is a breaking change and modifies the resulting image name when
pulling from an directory via `oci:...`.
Without this patch, the image names pulled via a local directory got
processed incorrectly, like this:
```
> podman pull oci:alpine
> podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/oci alpine 4fa153a82426 5 weeks ago 5.85 MB
```
We now use the same approach as in the corresponding [buildah fix][1] to
adapt the behavior for correct `localhost/` prefixing.
[1]: https://github.com/containers/buildah/pull/1800
After applying the patch the same OCI image pull looks like this:
```
> ./bin/podman pull oci:alpine
> podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/alpine latest 4fa153a82426 5 weeks ago 5.85 MB
```
End-to-end tests have been adapted as well to cover the added scenario.
Relates to: https://github.com/containers/buildah/issues/1797
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
adding podman network and the subcommands inspect, list, and rm. the
inspect subcommand displays the raw cni network configuration. the list
subcommand displays a summary of the cni networks ala ps. and the rm
subcommand removes a cni network.
Signed-off-by: baude <bbaude@redhat.com>
...and on a container killed by 'podman rm -f'. See #3795
Disable when testing podman-remote; see #3808
Signed-off-by: Ed Santiago <santiago@redhat.com>
Udica is adding new features to allow users to define container process
and file types. This would allow us to setup trusted communications channels
between multiple security domains. ContainerA -> ContainerB -> ContainerC
Add tests to make sure users can change file types
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Requirement from https://github.com/containers/libpod/issues/3575#issuecomment-512238393
Added --pull for podman create and pull to match the newly added flag in docker CLI.
`missing`: default value, podman will pull the image if it does not exist in the local.
`always`: podman will always pull the image.
`never`: podman will never pull the image.
Signed-off-by: Qi Wang <qiwan@redhat.com>
In the restore from external checkpoint archive test, the second restore
using a new name and ID is now done first to ensure that nothing in the
restored container depends on the original container.
Test has been adapted to catch errors like the one fixed with the
previous commit to adapt ConmonPidFile for restored containers.
Signed-off-by: Adrian Reber <areber@redhat.com>
Add flag `--authfile` to create and run so Podman can read authfile path from not only environemnt variable REGISTRY_AUTH_FILE but also CLI
Signed-off-by: Qi Wang <qiwan@redhat.com>
podman-remote rm now works; that's the only thing we were
waiting for to enable podman-remote (varlink) system tests.
Add a (too-complicated, sorry) Makefile target that will
define a random socket path, start the podman varlink server,
and run the test suite using podman-remote.
Also: add two convenience functions, is_rootless and is_remote,
and use those in skip_if_rootless/if_remote and elsewhere
Also: workarounds for broken tests:
- basic version test: podman-remote emits an empty 'Client'
line. Just ignore it.
- looks like 'podman-remote pod' doesn't work; skip test.
Also: minor documentation update
Signed-off-by: Ed Santiago <santiago@redhat.com>
when listing multiple ports on a container with podman port, an early
return was limiting results.
Fixes: #3747
Signed-off-by: baude <bbaude@redhat.com>
The 'podman run --mount' flag previously allowed the 'ro' option
to be specified, but was missing the ability to set it to a bool
(as is allowed by docker). Add that. While we're at it, allow
setting 'rw' explicitly as well.
Fixes#2980
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
It looks like #2780 is fixed: an overnight run yielded no
instances of 'pod top' returning incomplete output.
Signed-off-by: Ed Santiago <santiago@redhat.com>
If a container is restored multiple times from an exported checkpoint
with the help of '--import --name', the restore will fail if during
'podman run' a static container IP was set with '--ip'. The user can
tell the restore process to ignore the static IP with
'--ignore-static-ip'.
Signed-off-by: Adrian Reber <areber@redhat.com>
Fedora CI tests are failing on rawhide under kernel
5.3.0-0.rc1.git3.1.fc31 (rhbz#1736758). But there's
another insidious failure, a 4-hour hang in the
rootless tests on the same CI system. The culprit
line is in the podman build test, but it's actually
BATS itself that hangs, not the build command -- which
suggests that it's the usual FD 3 problem (see BATS README).
It would seem that podman is forking a process that
inherits fd 3 but that process is not getting cleaned
up when podman crashes upon encountering the kernel bug.
Today it's podman build, tomorrow it might be something
else. Let's just run all podman invocations in run_podman
with a non-bats FD 3.
Signed-off-by: Ed Santiago <santiago@redhat.com>
close https://bugzilla.redhat.com/show_bug.cgi?id=1732280
From the bug Podman search returns 25 results even when limit option `--limit` is larger than 25(maxQueries). They want Podman to return `--limit` results.
This PR fixes the number of output result.
if --limit not set, return MIN(maxQueries, len(res))
if --limit is set, return MIN(option, len(res))
Signed-off-by: Qi Wang <qiwan@redhat.com>
This enables programs and scripts wrapping the podman command to handle
'podman rm' and 'podman rmi' failures caused by paused or running
containers or due to images having other child images or dependent
containers. These errors are common enough that it makes sense to have
a more machine readable way of detecting them than parsing the standard
error output.
Signed-off-by: Ondrej Zoder <ozoder@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Podman-in-podman (and possibly ubuntu) have "issues" with
journald. Let's just use file instead to be safe.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Check the exit codes of pull, save and inspect to avoid masking those
errors. We've hit a case where a corrupted/broken image has been pulled
which then surfaced for some tests later.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
close#3648
podman create and podman run do not set --env variable if the environment is not present with a value
Signed-off-by: Qi Wang <qiwan@redhat.com>
The regular expression used in the `info` test does not allow for
usernames that have a dash, such as `test-user`. This patch adjusts
the regex to allow for a dash.
Fixes#3666.
Signed-off-by: Major Hayden <major@redhat.com>
The function to generate random IP addresses during ginkgo tests in
the checkpoint test code is moved to common and all tests using
hardcoded IP addresses have been changed to use random IP addresses to
reduce test errors when running the tests in parallel.
Signed-off-by: Adrian Reber <areber@redhat.com>
It seems like our VM images now support systemd CGroups with the
Ubuntu LTS images. No reason to keep testing CGroupfs as such,
systemd is much less racy (and CGroupfs on systemd-enabled
systems can be iffy).
Signed-off-by: Matthew Heon <mheon@redhat.com>
including changing -l to the container id
and separating a case of setting the env that remote can't handle
Signed-off-by: Peter Hunt <pehunt@redhat.com>
This includes:
Implement exec -i and fix some typos in description of -i docs
pass failed runtime status to caller
Add resize handling for a terminal connection
Customize exec systemd-cgroup slice
fix healthcheck
fix top
add --detach-keys
Implement podman-remote exec (jhonce)
* Cleanup some orphaned code (jhonce)
adapt remote exec for conmon exec (pehunt)
Fix healthcheck and exec to match docs
Introduce two new OCIRuntime errors to more comprehensively describe situations in which the runtime can error
Use these different errors in branching for exit code in healthcheck and exec
Set conmon to use new api version
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Signed-off-by: Peter Hunt <pehunt@redhat.com>
When removing --all images prune images only attempt to remove read/write images,
ignore read/only images
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Close#3553
This PR makes --dns, --dns-option, --dns-search, and --network not set to host flag mutually exclusive for podman build and create. Returns conflict error if both flags are set.
Signed-off-by: Qi Wang <qiwan@redhat.com>
allow a container to run in a new cgroup namespace.
When running in a new cgroup namespace, the current cgroup appears to
be the root, so that there is no way for the container to access
cgroups outside of its own subtree.
By default it uses --cgroup=host to keep the previous behavior.
To create a new namespace, --cgroup=private must be provided.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
When we first began writing Podman, we ran into a major issue
when implementing Inspect. Libpod deliberately does not tie its
internal data structures to Docker, and stores most information
about containers encoded within the OCI spec. However, Podman
must present a CLI compatible with Docker, which means it must
expose all the information in 'docker inspect' - most of which is
not contained in the OCI spec or libpod's Config struct.
Our solution at the time was the create artifact. We JSON'd the
complete CreateConfig (a parsed form of the CLI arguments to
'podman run') and stored it with the container, restoring it when
we needed to run commands that required the extra info.
Over the past month, I've been looking more at Inspect, and
refactored large portions of it into Libpod - generating them
from what we know about the OCI config and libpod's (now much
expanded, versus previously) container configuration. This path
comes close to completing the process, moving the last part of
inspect into libpod and removing the need for the create
artifact.
This improves libpod's compatability with non-Podman containers.
We no longer require an arbitrarily-formatted JSON blob to be
present to run inspect.
Fixes: #3500
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Before, play kube wasn't properly setting the command. Fix this
Also, begin a dedicated test suite for play kube to catch regressions like this in the future
Signed-off-by: Peter Hunt <pehunt@redhat.com>
Docker CLI calls the healthcheck flags "--health-*", instead of
"--healthcheck-*".
Introduce the former, in order to keep compatibility, and alias
the later, in order to avoid breaking current usage.
Change "--healthcheck-*" to "--health-*" in the docs and tests.
Signed-off-by: Hunor Csomortáni <csomh@redhat.com>
Fix Docker CLI compatibility issue: the "--healthcheck-command" option
value should not be split but instead be passed as single string to
"CMD-SHELL", i.e. "/bin/sh -c <opt>".
On the other hand implement the same extension as is already available
for "--entrypoint", i.e. allow the option value to be a JSON array of
strings. This will make life easier for tools like podman-compose.
Updated "--healthcheck-command" option values in tests accordingly.
Continuation of #3455 & #3507
Signed-off-by: Stefan Becker <chemobejk@gmail.com>
This flag passes the host environment into the container. The basic idea is to
leak all environment variables from the host into the container.
Environment variables from the image, and passed in via --env and --env-file
will override the host environment.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
be sure to load all the existing handlers, so that they can also be
freed in addition to the handlers we treat differently.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This adds three tests for the --ignore-rootfs option to verify that it
works in all combination.
1. Not used at all
2. Only used during restore
3. Only used during checkpoint
Signed-off-by: Adrian Reber <areber@redhat.com>
This tries to reduce CI errors which might happen due to parallel CI
runs which all are using the same IP addresses. Using random addresses
should reduce the possibility of parallel tests using the same IP address.
Signed-off-by: Adrian Reber <areber@redhat.com>
when running integrations tests as rootless, several tests still
unnecessarily pull images which is costly in terms of time.
Signed-off-by: baude <bbaude@redhat.com>
add a simple way to copy ulimit values from the host.
if --ulimit host is used then the current ulimits in place are copied
to the container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
There is no meaning of performing setup/teardown for these tests
when we even can not work with systemd.
Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
Systemd manager drops non-existent directories from the units search
path during initialization, thus, creation of UNIT_DIR, if it did not
exist before, requres reloading the daemon.
Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
By default, podman points PIDFile in generated unit file to non-existent
location. As a result, the unit file, generated by podman, is broken:
an attempt to start this unit without prior modification results in a crash,
because systemd can not find the pidfile of service's main process.
Fix the value of "PIDFile" and add a system test for this case.
Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
When we're waiting for a container to come up with healthchecks,
and it's not even running, there's no point to waiting further.
Instead, let's restart the container and continue waiting.
This may fix some flakes we're seeing with 'podman port' tests.
Then again, all the tests there seem to fail, not just a single
test flaking - so I bet there's some other underlying cause.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Podman 1.4.1 had problems with builds with a
RUN command that tried to to a privliged command.
This adds a gating test for that situation.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Conmon has moved out of cri-o and into it's own dedicated repository.
This commit updates configuration and definitions which referenced
the old cri-o based paths.
Signed-off-by: Chris Evich <cevich@redhat.com>
A container restored from a checkpoint archive used to have the root
file-system mounted with a wrong (new) SELinux label. This made it, for
example, impossible to use 'podman exec' on a restored container.
This test tests exactly this. 'podman exec' after 'podman container restore'.
Unfortunately this test does not fail, even without the patch that fixes
it as the test seems to run in an environment where the SELinux label of
the container root file-system is not relevant. Somehow.
Signed-off-by: Adrian Reber <areber@redhat.com>
OutputToString() was mangling newlines, which made YAML parsers
very, very angry. But not angry enough to actually error, that
would be too easy. Just angry enough to silently not decode
anything.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We need to verify that valid YAML was produced - Marshal will
just pack the generated YAML even further.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
This provides backwards compatability with 1.4.0-1.4.2 releases
which name .Source and .Destination as .Src and .Dst - useful for
not breaking toolbox.
Also add a test.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We weren't properly populating the container's OCI Runtime in
Batch(), causing segfaults on attempting to access it. Add a test
to make sure we actually catch cases like this in the future.
Fixes#3411
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
The man page of 'podman diff' claims that the diff sub-command knows
about --latest, -l. This adds support, as described in the man-page, to
the diff sub-command for --latest, -l.
Signed-off-by: Adrian Reber <areber@redhat.com>
Four of the healthcheck tests were completely broken. They
were written with the option '--healthcheck-cmd' which is
not an option (it should be '--healthcheck-command', with
'command' as a full word). The tests were merely checking
exit code, not error message, so of course they failed.
I have fixed the command line and added checks for the
expected diagnostic.
(Side note: do not write tests that check exit code but
nothing else. This should not need to be said).
One of the four tests was invalid: --healthcheck-interval 0.5s.
Per Brent:
initially i was going to restrict sub one-second intervals
That test has been removed. It would probably be a good idea
for a future PR to add some validation such as preventing
negative values, but that's left as an exercise for later.
Also: grammar fix in an error message.
Caught by my ginkgo log greasemonkey script, which
highlights 'Error' messages and grabbed my attention.
Signed-off-by: Ed Santiago <santiago@redhat.com>
many of the port tests use our nginx container image. in some cases, we have timing
issues between when the nginx and the container are running and when the port -l
command is run causing test flakes. we now use the container image's built in
healthcheck to ensure that nginx is running (and subsequently the container
itself) before running the port command.
Fixes: #3309
Signed-off-by: Brent Baude <bbaude@redhat.com>
Signed-off-by: baude <bbaude@redhat.com>
I'm running the BATS tests manually once in a while, and
catching several problems each week that make it past
the rest of CI. Since the BATS tests run at RPM gating
time, we need to catch problems earlier. Try running
the tests from Cirrus.
Tests will be skipped on Ubuntu due to a too-ancient
version of coreutils (8.28; the 'timeout -v' we use
requires 8.29).
Tests are run *after* integration tests, even though
these take three minutes and would be nice to have
fail quickly, because running before causes bizarre
CI failures. Shrug.
UPDATE: also fix run test, broken by #3311.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This is failing 100% on CI. No time to debug why properly before
we need to cut a release, but is probably related to the change
from a slice to an array.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Remove disused `build_cache_images` task, and
update relevant dockerfiles for F30.
Fix problem of cloud-init failing to expand root-device on boot
(/var/lib/cloud/instance left in improper state).
Fix problem of cloud-init racing with google-network-daemon.service on
boot (looking for cloudconfig metadata too early). Causing
root-device to _sometimes_ fail to expand.
Fix problem of hack/get_ci_vm.sh argument passing.
Signed-off-by: Chris Evich <cevich@redhat.com>
This allows writing output directly to a file, instead of STDOUT.
Makes things easier for some scripting tasks. Like the unit tests
for 'play kube'.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Various small fixes to get BATS tests working again.
Split from #2947 because that one keeps getting stalled,
and I'm hoping these separate changes get approved.
I consider these changes urgent because RHEL8 gating
tests are failing, and will fail even more if/when #2272
gets picked up and packaged for RHEL8, and I consider
it important to have clean passing tests for RHEL8.
* info test: 'insecure registries' is gone. A recent
commit (d1a7378aa) changed the format of 'podman info',
removing the 'insecure registries' key. Deal with it.
* info test: remove check for .host.{Conmon,OCIRuntime}.package;
the value on f28 and f29 is 'Unknown' (instead of an NVR).
We can live without this check.
* 'load' test: skip when running in CI, because stdin
is not a tty.
* container restore: fix arg processing. #2272 broke argument
processing: 'podman container restore', with no args, should
exit with 'argument required' error. Root cause is that the
new --import option takes the place of an argument, so the
checkAllAndLatest() call had to be changed to not exit on error.
Workaround is (sigh) to copy/paste the skipped checkAllAndLatest()
code, with minor tweaks to accommodate --import.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The option to restore a container from an external checkpoint archive
(podman container restore -i /tmp/checkpoint.tar.gz) restores a
container with the same name and same ID as id had before checkpointing.
This commit adds the option '--name,-n' to 'podman container restore'.
With this option the restored container gets the name specified after
'--name,-n' and a new ID. This way it is possible to restore one
container multiple times.
If a container is restored with a new name Podman will not try to
request the same IP address for the container as it had during
checkpointing. This implicitly assumes that if a container is restored
from a checkpoint archive with a different name, that it will be
restored multiple times and restoring a container multiple times with
the same IP address will fail as each IP address can only be used once.
Signed-off-by: Adrian Reber <areber@redhat.com>
The difference between container checkpoint/restore and container
migration is that for migration the container which was checkpointed
must not exist during restore. To simulate migration the container
is remove ('podman rm -fa') before being restored. The migration test
does following steps:
* podman run
* podman container checkpoint -l -e /tmp/checkpoint.tar.gz
* podman rm -fa
* podman container restore -i /tmp/checkpoint.tar.gz
Signed-off-by: Adrian Reber <areber@redhat.com>
Let's put inspect structs where they're actually being used. We
originally made pkg/inspect to solve circular import issues.
There are no more circular import issues.
Image structs remain for now, I'm focusing on container inspect.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
some integration tests are inherently problematic due to timing issues.
one such case is running a valid health check on container that runs
nginx. while the container may be running, nginx may not have finished
executing itself and therefore the healthcheck fails.
Signed-off-by: baude <bbaude@redhat.com>
when doing localized tests (not varlink), we can use secondary image
stores as read-only image caches. this cuts down on test time
significantly because each test does not need to restore the images from
a tarball anymore.
Signed-off-by: baude <bbaude@redhat.com>
Add a journald reader that translates the journald entry to a k8s-file formatted line, to be added as a log line
Note: --follow with journald hasn't been implemented. It's going to be a larger undertaking that can wait.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
when podman cp tar without --extract flag, if the destination already exists, or ends with path seprator, cp the tar under the directory, otherwise copy the tar named with the destination
Signed-off-by: Qi Wang <qiwan@redhat.com>
it creates a namespace where the current UID:GID on the host is mapped
to the same UID:GID in the container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
https://github.com/containers/libpod/issues/3112 has revealed a
regression in apparmor when running privileged containers where the
profile must not be set or loaded. Add a simple test to avoid potential
future regressions.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Instead of using the working directory, use a subdirectory of the
temporary directory created for the individual test, to prevent a
potential EEXIST for shared working directory.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
As logout test request login to the registry, we plan to test them
together. There are five test cases added:
1. Podman login and logout with default value
3. Podman login and logout with --authfile
2. Podman login and logout with --tls-verify
4. Podman login and logout with --cert-dir
5. Podman login and logout with multi registry
All above test cases are using docker rgistry v2
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
`string.Split()` splits into slice of size greater than 2
which may result in loss of environment variables
fixes#3132
Signed-off-by: Divyansh Kamboj <kambojdivyansh2000@gmail.com>
OpenShift Merge Robot
Matthew Heon
Matthew Heon
Ed Santiago
TomSweeneyRedHat
Valentin Rothberg
Peter Hunt
Ashley Cui
Giuseppe Scrivano
Sascha Grunert
Chen Zhiwei
baude
Daniel J Walsh
Qi Wang
Adrian Reber
Major Hayden
Hunor Csomortáni
Stefan Becker
Danila Kiver
Chris Evich
Nalin Dahyabhai
Yiqiao Pu
Divyansh Kamboj