The 'docker commit' will never include a container's volumes when
committing, without an explicit request through '--change'.
Podman, however, defaulted to including user volumes as image
volumes.
Make this behavior depend on a new flag, '--include-volumes',
and make the default behavior match Docker.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
when we run in a user namespace, there are cases where we have not
enough privileges to mount a fresh sysfs on /sys. To circumvent this
limitation, we rbind /sys from the host. This carries inside of the
container also some mounts we probably don't want to. We are also
limited by the kernel to use rbind instead of bind, as allowing a bind
would uncover paths that were not previously visible.
This is a slimmed down version of the intermediate mount namespace
logic we had before, where we only set /sys to slave, so the umounts
done to the storage by the cleanup process are propagated back to the
host. We also don't setup any new directory, so there is no
additional cleanup to do.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
podman-remote now supports rm! That's what we needed to start
running BATS tests.
Although most tests don't actually work, some do, and maybe
the rest will start working over time. For now, disable them.
The only significant difference found is that podman-remote
strips fractional seconds from timestamps in JSON output.
Probably not something worth caring about.
Signed-off-by: Ed Santiago <santiago@redhat.com>
* refactor command output to use one function
* Add new worker pool parallel operations
* Implement podman-remote umount
* Refactored podman wait to use printCmdOutput()
Signed-off-by: Jhon Honce <jhonce@redhat.com>
`podman cp` used to copy the contents under the source directory to the destination. But according to the specification in podman-cp.md. it should copy the whole directory to the destination if the destination directory already exists.
- src dir ends with /., copy the contents to dest dir
- src dir does not end with /.
- dest dir /home does not exist, copy the contents
- dest dir /home exists, copy the directory
```
$ sudo podman cp /home/qiwan/Documents/empty 7c47:/home
$ sudo podman exec -it 7c47 ls /home
$
$ sudo podman cp /home/qiwan/Documents/empty 7c47:/home
$ sudo podman exec -it 7c47 ls /home
empty
```
Signed-off-by: Qi Wang <qiwan@redhat.com>
The Commit test is blatantly wrong and testing buggy behavior. We
should be commiting the destination, if anything - and more
likely nothing at all.
When force-removing volumes, don't remove the volumes of
containers we need to remove. This can lead to a chicken and the
egg problem where the container removes the volume before we can.
When we re-add volume locks this could lead to deadlocks. I don't
really want to deal with this, and this doesn't seem a
particularly harmful quirk, so we'll let this slide until we get
a bug report.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
The flag should be substantially more durable, and no longer
relies on the create artifact.
This should allow it to properly handle our new named volume
implementation.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
When running as a user, the order of removal is database ID dependent.
This results in this test randomly failing. This condition was
very difficult to debug and the test was missing two critical checks.
One to confirm an expected error message was produced, and another
to verify the expected running container, remains running.
Fix the container and missing error-message checks, and vastly improve
the debug-ability of this test. Fixing the random-failures requires
intensive fixes in other areas, so that task will be left up to future
work.
Signed-off-by: Chris Evich <cevich@redhat.com>
on the remote client, if a user wants to know the rootfs size of a
container, a -s should be passed. this corrects a behavior where size
was shown by default.
Fixes#2765
Signed-off-by: baude <bbaude@redhat.com>
Add following test cases for podman attach test:
1. podman attach to a running container
2. podman attach to the latest container
3. podman attach to a container with --sig-proxy set to false
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
podman will not start a transient service and timer for healthchecks.
this handles the tracking of the timing for health checks.
added the 'started' status which represents the time that a container is
in its start-period.
the systemd timing can be disabled with an env variable of
DISABLE_HC_SYSTEMD="true".
added filter for ps where --filter health=[starting, healthy, unhealthy]
can now be used.
Signed-off-by: baude <bbaude@redhat.com>
when --uidmap is used, the user won't be able to access
/var/lib/containers/storage/volumes. Use the intermediate mount
namespace, that is accessible to root in the container, for mounting
the volumes inside the container.
Closes: https://github.com/containers/libpod/issues/2713
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Former `domain.crt` was created with a one-year life and expired causing
all testing to fail. Create a replacement, along with configuration and
documentation on how to make a new certificate if ever required.
Signed-off-by: Chris Evich <cevich@redhat.com>
New:
- podman exec
- podman load (requires #2674)
- CLI parsing (regression test for #2574)
Improved:
- help: test "podman NoSuchCommand", and subcommands
- help: test "podman cmd" without required args
- pod: start with --infra=false; this allows running rootless
- log: also run 'logs' after container is run
- log: test -f with two containers
Also, use helpful descriptions for skip_if_rootless
Tested on f29, root and rootless. As soon as podman-remote
supports rm, I'll start testing that too.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This can help scripts provide a more meaningful message when coming
across issues [1] which require the container to be re-created.
[1] eg., https://github.com/containers/libpod/issues/2673
Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
when running podman logs on a created container (which has no logs),
podman should return gracefully (like docker) with a 0 return code. if
multiple containers are provided and one is only in the created state
(and no follow is used), we still display the logs for the other ids.
fixes issue #2677
Signed-off-by: baude <bbaude@redhat.com>
add the ability for users to specify more than one container at a time
while using podman logs. If more than one container is being displayed,
podman will also prepend a shortened container id of the container on
the log line.
also, enabled the podman-remote logs command during the refactoring of
the above ability.
fixes issue #2219
Signed-off-by: baude <bbaude@redhat.com>
Getting a list of containers, and then deleting them are two separate
fallible steps that can run into different sets of errors. eg., in the
case of a bogus missing container and a container that's running or
paused, the first step will only trigger libpod.ErrNoSuchCtr. At this
point it might appear that the exit code ought to be 1. However, when
attempting the deletion, it will fail once more due to the status of
the running or paused container. Since libpod.ErrNoSuchCtr is no longer
the only error encountered, the exit code should be reset to 125.
This problem is currently masked for rootless usage due to commit
35432ecaae ("rootless: fix rm when uid in the container != 0").
Fixes: 85db895012 ("rm: set exit code to 1 if a specified ...")
e41279b902 ("Change exit code to 1 on podman rm ...")
Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
Make the usage messages (and options) different between
podman inspect, podman image inspect, and podman container inspect.
Disable inapplicable options (-l, -s) for podman image inspect
Disable -t (type) when the type is implicit through the subcommand.
Update man page to reflect differences in usage.
Fix broken test.
Uglier than desirable due to Go and Cobra limitations
Signed-off-by: Ed Santiago <santiago@redhat.com>
integration of healthcheck into create and run as well as inspect.
healthcheck enhancements are as follows:
* add the following options to create|run so that non-docker images can
define healthchecks at the container level.
* --healthcheck-command
* --healthcheck-retries
* --healthcheck-interval
* --healthcheck-start-period
* podman create|run --healthcheck-command=none disables healthcheck as
described by an image.
* the healthcheck itself and the healthcheck "history" can now be
observed in podman inspect
* added the wiring for healthcheck history which logs the health history
of the container, the current failed streak attempts, and log entries
for the last five attempts which themselves have start and stop times,
result, and a 500 character truncated (if needed) log of stderr/stdout.
The timings themselves are not implemented in this PR but will be in
future enablement (i.e. next).
Signed-off-by: baude <bbaude@redhat.com>
In lipod, we now log major events that occurr. These events
can be displayed using the `podman events` command. Each
event contains:
* Type (container, image, volume, pod...)
* Status (create, rm, stop, kill, ....)
* Timestamp in RFC3339Nano format
* Name (if applicable)
* Image (if applicable)
The format of the event and the varlink endpoint are to not
be considered stable until cockpit has done its enablement.
Signed-off-by: baude <bbaude@redhat.com>
we were playing safe and not allowed any container to have less than
65536 mappings. There are a couple of reasons to change it:
- it blocked libpod to work in an environment where
newuidmap/newgidmap are not available, or not configured.
- not allowed to use different partitions of subuids, where each user
has less than 65536 ids available.
Hopefully this change in containers/storage:
https://github.com/containers/storage/pull/303
will make error clearers if there are not enough IDs for the image
that is being used.
Closes: https://github.com/containers/libpod/issues/1651
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
If the pod infra container is overriden, we want to run the entry point of the image, instead of the default infra command. This allows users to override the infra-image with greater ease.
Also use process environment variables from image
Signed-off-by: Peter Hunt <pehunt@redhat.com>
a series of improvements to our ginkgo test framework so we can
get better ideas of whats going on when run in CI
Signed-off-by: baude <bbaude@redhat.com>
- document a recommended convention for fail-fast tests
- document the requirement for jq. (And, add a fail-fast
test for its presence; remove the duplicated checks
in subtests)
- add further sanity checks to 'help' test. Add missing
documentation. Remove a no-longer-needed workaround for
usage-message bug fixed in #2486
- add a documented TEMPLATE
- and, since we're at 1.1, enable 'Remote API' check in
version test
- better diagnostics in setup/teardown; add vim filetype hint;
better formatting of actual-vs-expect errors
- new pod-top, logs, build tests
- improve error messages
- add $IMAGE alias for ridiculous $PODMAN_TEST_IMAGE_FQN
- final cleanup, in prep for merge
Signed-off-by: Ed Santiago <santiago@redhat.com>
Initial attempt at writing a framework for podman system tests.
The idea is to define a useful set of primitives that will
make it easy to write actual tests and to interpret results
of failing ones.
This is a proof-of-concept right now; only a small number of
tests, by no means comprehensive. I am requesting review in
order to find showstopper problems: reasons why this approach
cannot work. Should there be none, we can work toward running
these as gating tests for Fedora and RHEL8.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add the ability to manually run a container's healthcheck command.
This is only the first phase of implementing the healthcheck.
Subsequent pull requests will deal with the exposing the results and
history of healthchecks as well as the scheduling.
Signed-off-by: baude <bbaude@redhat.com>
Before, any container with a netNS dependency simply used its dependency container's hosts file, and didn't abide its configuration (mainly --add-host). Fix this by always appending to the dependency container's hosts file, creating one if necessary.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
The current aliased commands
podman container list
and
podman image list
podman image rm
Do not work properly. The global storage options are broken.
This patch fixes this issue.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We have little to no testing to make sure we don't break podman image and
podman container commands that wrap traditional commands.
This PR adds tests for each of the commands.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Some callers assume when SystemExec returns, the command has completed.
Other callers explicitly wait for completion (as required). However,
forgetting to do that is an incredibly easy mistake to make. Fix this
by adding an explicit parameter to the function. This requires
every caller to deliberately state whether or not a completion-check
is required.
Also address **many** resource naming / cleanup completion-races.
Signed-off-by: Chris Evich <cevich@redhat.com>
To be able to use OCI runtimes which do not implement checkpoint/restore
this adds a check to the checkpoint code path and the checkpoint/restore
tests to see if it knows about the checkpoint subcommand. If the used
OCI runtime does not implement checkpoint/restore the tests are skipped
and the actual 'podman container checkpoint' returns an error.
Signed-off-by: Adrian Reber <areber@redhat.com>
pr #2480 fixed the missing 'podman image list/rm' commands;
it broke their usage messages. This corrects both usage
messages and also their examples.
Also: add an e2e test for 'podman image rm' (untested)
Signed-off-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Changes the short option `-s` to the fully specified `--storage-driver`.
The short version is no longer supported.
There is currently still one SELinux related checkpoint/restore problem:
https://github.com/containers/libpod/issues/2334
To avoid unnecessary CI failures the checkpoint/restore tests are
temporarily disabled on Fedora.
It is not necessary to disable the tests on Ubuntu as it is running
without SELinux and it is also not necessary to disable the RHEL 7 tests
as RHEL's CRIU is too old to run the checkpoint/restore tests at all.
Signed-off-by: Adrian Reber <areber@redhat.com>
Make it easy for scripts to determine if an image removal
failure. If only errors were no such image exit with 1
versus 125.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Make it easy for scripts to determine if a container removal
fails versus the container did not exist.
If only errors were no such container exit with 1 versus 125.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
If user specifies network namespace and the /etc/netns/XXX/resolv.conf
exists, we should use this rather then /etc/resolv.conf
Also fail cleaner if the user specifies an invalid Network Namespace.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Prior, a pod would have to be started immediately when created, leading to confusion about what a pod state should be immediately after creation. The problem was podman run --pod ... would error out if the infra container wasn't started (as it is a dependency). Fix this by allowing for recursive start, where each of the container's dependencies are started prior to the new container. This is only applied to the case where a new container is attached to a pod.
Also rework container_api Start, StartAndAttach, and Init functions, as there was some duplicated code, which made addressing the problem easier to fix.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
allow users to remotely prune volumes.
this is the last volume command for remote enablement. as such,
the volume commands are being folded back into main because they
are supported for both local and remote clients.
also, enable all volume tests that do not use containers
as containers are not enabled for the remote client yet.
Signed-off-by: baude <bbaude@redhat.com>
We have a consistent CI failure with the notify_socket test that
I can't reproduce locally. There's no reason for the test to have
--rm, so try removing it.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Previously, 'podman create --rm' did not work - it wouldn't error
but it did nothing.
It is now fixed, but unfortunately the unit tests used it a lot,
in ways that just do not work when it actually functions.
Begin the process of fixing now-failing tests.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
This is the final cleanup to remove urfave/sli from libpod. Removed
old, disabled tests that have not been run in over a year.
Signed-off-by: baude <bbaude@redhat.com>
Go templates were not being processed or printed correctly for podman
pod stats. Added the ability to do templates as well as honor the
table identifier.
Fixes#2258
Signed-off-by: baude <bbaude@redhat.com>
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Add --all-tags for the `podman pull` command so all tags
of an image will be pulled, not just ':latest'. Emulates
the change in Buildah https://github.com/containers/buildah/pull/1263
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Add e2e/test/common_test.go to the single integration test
instructions. Without it the documented process fails.
We intend to migrate to the cobra cli from urfave/cli because the
project is more well maintained. There are also some technical reasons
as well which extend into our remote client work.
Signed-off-by: baude <bbaude@redhat.com>
This registry responds differently depending on the the platform
accessing it. It also occasionally goes down or returns 404s. Improve
the reliability of the e2e tests by using the registry/image used
for gating pull-requests.
This way, if there's a registry/networking problem, the gating test
will fail and prevent anything else from running. This is a better
failure to have early, rather than wait and need to re-run all the
e2e tests again later.
Signed-off-by: Chris Evich <cevich@redhat.com>
* Make sure that all vendored dependencies are in sync with the code and
the vendor.conf by running `make vendor` with a follow-up status check
of the git tree.
* Vendor ginkgo and gomega to include the test dependencies.
Signed-off-by: Chris Evic <cevich@redhat.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The sig-proxy test creates a FIFO, runs podman with actions
that write to it, then tries reading from the FIFO.
Opening a FIFO for read or write blocks until the other end is
opened for the corresponding write/read. If our podman process
fails for any reason, the test's FIFO open will hang forever.
Solution: open with O_NONBLOCK.
Signed-off-by: Ed Santiago <santiago@redhat.com>
We are missing the equivalence of the docker system commands
This patch set adds `podman system prune`
and `podman system info`
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
addition of import and export for the podman-remote client. This includes
the ability to send and receive files between the remote-client and the
"podman" host using an upgraded varlink connection.
Signed-off-by: baude <bbaude@redhat.com>
For whatever reason, this specific test frequently fails on Ubuntu with
an error similar to:
```
Timed out after 1.000s.
Expected process to exit. It did not.
/var/tmp/go/src/github.com/containers/libpod/test/e2e/info_test.go:38
```
Ths changes alters the test behavior to use the `defaultWaitTimeout`
value (so 90 vs former 60 seconds) only for this test.
Signed-off-by: Chris Evich <cevich@redhat.com>
The toolbox project would benefit from a few changes to more closely
resembe the original atomic cli project. Changes made are:
* only pull image for container runlabel if the label exists in the image
* if a container image does not have the desired label, exit with non-zero
Signed-off-by: baude <bbaude@redhat.com>
we now, by default, only prune dangling images. if --all is passed, we
prune dangling images AND images that do not have an associated containers.
also went ahead and enabled the podman-remote image prune side of things.
Fixes: #2192
Signed-off-by: baude <bbaude@redhat.com>
initial enablement of podman-remote version. includes add a APIVersion const
that will allow us to check compatibility between host/client when connections
are made.
also added client related information to podman info.
Signed-off-by: baude <bbaude@redhat.com>
Masking main level, image, and container commands that are not yet
implemented for the remote client. As each command is completed, be
sure to unmask it.
Also, masking podman command line switches that are not applicable
to the remote client.
Signed-off-by: baude <bbaude@redhat.com>
When using --pid=host don't try to cover /proc paths, as they are
coming from the /proc bind mounted from the host.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Add the ability to run the integration (ginkgo) suite using
the remote client.
Only the images_test.go file is run right now; all the rest are
isolated with a // +build !remotelinux. As more content is
developed for the remote client, we can unblock the files and
just block single tests as needed.
Signed-off-by: baude <bbaude@redhat.com>
Restoring a container from a checkpoint should give the container the
same IP as before checkpointing. This adds a test to make sure the IP
stays the same.
Signed-off-by: Adrian Reber <areber@redhat.com>
Add support for executing an init binary as PID 1 in a container to
forward signals and reap processes. When the `--init` flag is set for
podman-create or podman-run, the init binary is bind-mounted to
`/dev/init` in the container and "/dev/init --" is prepended to the
container's command.
The default base path of the container-init binary is `/usr/libexec/podman`
while the default binary is catatonit [1]. This default can be changed
permanently via the `init_path` field in the `libpod.conf` configuration
file (which is recommended for packaging) or temporarily via the
`--init-path` flag of podman-create and podman-run.
[1] https://github.com/openSUSE/catatonitFixes: #1670
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Now that the correct distribution CRIU packages are installed the
checkpoint/restore tests should no longer fail. This re-enables the
disabled tests on Fedora.
Signed-off-by: Adrian Reber <areber@redhat.com>
We had two problems with /dev/shm, first, you mount the
container read/only then /dev/shm was mounted read/only.
This is a bug a tmpfs directory should be read/write within
a read-only container.
The second problem is we were ignoring users mounted /dev/shm
from the host.
If user specified
podman run -d -v /dev/shm:/dev/shm ...
We were dropping this mount and still using the internal mount.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
when testing rootless containers, it is more reliable to stop
a container with a zero timeout than kill a container. We made
this change in non-rootless tests as well. When IO or CPU are
taxed, it avoids a situation where the kill signal is sent but the
container has not been able to update its status when a subsequent
action occurs.
Signed-off-by: baude <bbaude@redhat.com>
Display the trust policy of the host system. The trust policy is stored in the /etc/containers/policy.json file and defines a scope of registries or repositories.
Signed-off-by: Qi Wang <qiwan@redhat.com>
Since the most recent TWO versions of Fedora are officially supported
upstream, both need to be tested. Implement the concept of a 'prior'
Fedora release in both base-image and cache-image production. Utilize
the produced cache-image to test libpod. Remove F28 testing from PAPR.
Much thanks to @baude @giuseppe for help with this.
Signed-off-by: Chris Evich <cevich@redhat.com>
Add functional tests to start a container from systemd.
This patch will:
- create a systemd unit file to start redis container
- create the container with `podman create`
- enable the service
- start the container with systemd
- check that the service is actually running
Signed-off-by: Emilien Macchi <emilien@redhat.com>
when starting or running a container that has --rm, if the starting
container fails (like due to an invalid command), the container should
get removed.
Resolves: #1985
Signed-off-by: baude <bbaude@redhat.com>
With rootless containers we cannot really restart an existing container
as we would need to join the mount namespace as well to be able to reuse
the storage, so ensure the container is stopped first.
Closes: https://github.com/containers/libpod/issues/1965
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Allow user to prune unused/unnamed images, the layer images from building,
via podman rmi --prune.
Allow user to prune stopped/exiuted containers via podman rm --prune.
This should resolve#1910
Signed-off-by: baude <bbaude@redhat.com>
when a user specifies --pod to podman create|run, we should create that pod
automatically. the port bindings from the container are then inherited by
the infra container. this signicantly improves the workflow of running
containers inside pods with podman. the user is still encouraged to use
podman pod create to have more granular control of the pod create options.
Signed-off-by: baude <bbaude@redhat.com>
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
like containers and images, users would benefit from being able to check
if a pod exists in local storage. if the pod exists, the return code is 0.
if the pod does not exists, the return code is 1. Any other return code
indicates a real errors, such as permissions or runtime.
Signed-off-by: baude <bbaude@redhat.com>
We regressed on this at some point. Adding a new test should help
ensure that doesn't happen again.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
The conmon exit command is running inside of a namespace where the
process is running with uid=0. When it launches again podman for the
cleanup, podman is not running in rootless mode as the uid=0.
Export some more env variables to tell podman we are in rootless
mode.
Closes: https://github.com/containers/libpod/issues/1859
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This adds checkpoint/restore test cases for the newly added options
* --leave-running
* --tcp-established
* --all
* --latest
Signed-off-by: Adrian Reber <areber@redhat.com>
In some test env, mount with shared options is not included relatime
in the mountinfo file. So remove this from the test case.
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
Add an exists subcommand to podman container and podman image that allows
users to verify the existence of a container or image by ID or name. The return
code can be 0 (success), 1 (failed to find), or 125 (failed to work with runtime).
Issue #1845
Signed-off-by: baude <bbaude@redhat.com>
Set the root propagation based on the properties of volumes and default
mounts. To remain compatibility, follow the semantics of Docker. If a
volume is shared, keep the root propagation shared which works for slave
and private volumes too. For slave volumes, it can either be shared or
rshared. Do not change the root propagation for private volumes and
stick with the default.
Fixes: #1834
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
we need to allow users to expose ports to the host for the purposes
of networking, like a webserver. the port exposure must be done at
the time the pod is created.
strictly speaking, the port exposure occurs on the infra container.
Signed-off-by: baude <bbaude@redhat.com>
The tests can be filter by --focus and --skip to fit different test
target. Also be able to set global options and cmd options by export
it to ENV to fit different test matrix.
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
We now can remove a paused container by sending it a kill signal while it
is paused. We then unpause the container and it is immediately killed.
Also, reworked how the parallelWorker results are handled to provide a
more consistent approach to how each subcommand implements it. It also
fixes a bug where if one container errors, the error message is duplicated
when printed out.
Signed-off-by: baude <bbaude@redhat.com>
When running integration tests in our CI, we observe a problem where paused containers
are not able to be stopped; and therefore cannot be cleaned up. This leaves dangling mounts
and sometimes zombied conmon processes.
Signed-off-by: baude <bbaude@redhat.com>
Operations like kill, pause, and unpause -- which can operation on one or
more containers -- can greatly benefit from parallizing its main job (eq kill).
In the case of pauseand unpause, an --all option as was added. pause --all will
pause all **running** containers. And unpause --all will unpause all **paused**
containers.
Signed-off-by: baude <bbaude@redhat.com>
When attempting to restart many containers, we can benefit from making
the restarts parallel. For convenience, two new options are added:
--all attempts to restart all containers
--run-only when used with --all will attempt to restart only running containers
Signed-off-by: baude <bbaude@redhat.com>
this pr allows the libpod integration suite to pass on the
ppc64le architecture. in some cases, I had to skip tests.
eventually, these tests need to be fixed so that they properly pass. of
note for this PR is:
* changed the ppc64le default container os to be overlay (over vfs) as vfs seems non-performant on ppc64le
* still run vfs for rootless operations
* some images names for ppc64le had to change because they don't exist.
* this should help getting our CI to run on the platform
Signed-off-by: baude <bbaude@redhat.com>
As discussed [1], the runlabel command should execute any command
specified in a label. The reasoning behind is that we cannot restrict
which options are passed to Podman which thereby has full access to the
host (runlabels must be used with care).
With the updated semantics, runlabel will substitute the commands with a
basepath equal to "docker" or "podman" with "/proc/self/exe", and
otherwise leave the command unchanged to execute any other command on
the host.
[1] https://github.com/containers/libpod/pull/1607#issuecomment-428321382
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
when doing stats -a|--all, if you have non-running containers, we should
not error on not being able to get information like PID, etc on them.
Signed-off-by: baude <bbaude@redhat.com>
If someone runs podman as a user (uid) that is not defined in the container
we want generate a passwd file so that getpwuid() will work inside of container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
unfortunately the papr CI system cannot test ubuntu as a VM; therefore,
this PR still keeps travis. but it does include fixes that will be required
for running on modern versions of ubuntu.
Signed-off-by: baude <bbaude@redhat.com>
Execute the command as described by a container image. The value of the label is processed
into a command by:
1. Ensuring the first argument of the command is podman.
2. Substituting any variables with those defined by the environment or otherwise.
If no label exists in the container image, nothing is done.
podman container runlabel LABEL IMAGE extra_args
Signed-off-by: baude <bbaude@redhat.com>
In cases where the image name is more complex like:
quay/baude/alpine_nginx:latest and is not from the docker
registry, we need to be able to run the image by its shortname
such as baude/alpine_nginx. The same goes when the image is
not from a registry but instead has the localhost repository.
This resolves buildah issue #1034
Signed-off-by: baude <bbaude@redhat.com>
This PR makes several key changes to our CI testing. Firstly, we now test
podman on fedora 28, fedora 29, and centos VMS (rather than containers). Any
of these that having failing tests are not marked as required yet. We
still preserve the podman in podman and podman in docker tests as well and
they are marked as required.
The lint and validate work is now done on a openshift container. We also
removed the rpm verification on papr and perform this test under the "images"
test on the openshift ci.
This PR exposes integration test fails on some of our OSs. My expectation is we
will fix those in additional PRs and as they are fixed, we should be flipping
the boolean bit to required.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1492
Approved by: mheon
We seem to be having a few flakes on namespace sharing.
Adding this test to make sure sharing with the host is working correctly.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1485
Approved by: mheon
Adds functionality to search registries implementing the v2
endpoint with an empty query, that is the results will be
all the available images on the registries.
If this is tried with a v1 registry an error will occur.
To search a whole registry, there needs to be a trailing slash
at the end, i.e `podman search registry.fedoraproject.org/`.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Closes: #1444
Approved by: rhatdan
when running podman's integration tests, we need to be able to understand
our environment because the podman command will differ as will the results.
there is no 100% way to know if we are in a container, but using a combination
of container= and checking /proc seemed reasonable for our test suite. non of this
code is run in podman proper.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1441
Approved by: mheon
This is an incomplete fix, as it would be best for the libpod library to be in charge of coordinating the container's dependencies on the infra container. A TODO was left as such. UTS is a special case, because the docker library that namespace handling is based off of doesn't recognize a UTS based on another container as valid, despite the library being able to handle it correctly. Thus, it is left in the old way.
Signed-off-by: haircommander <pehunt@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1347
Approved by: mheon
We should be sharing cgroups namespace by default in pods
uts namespace sharing was broken in pods.
Create a new libpod/pkg/namespaces for handling of namespace fields
in containers
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1418
Approved by: mheon
This bash script is meant to compliment the podman baseline
test script. It primarily focuses on exercising the common
actions of pods.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1421
Approved by: rhatdan
This tests fails a lot, I think because of a race condition. Changing to
just make sure the inode of the /dev/shm on the host is the same as inside
the container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1420
Approved by: mheon
Small amount of clean up on the baseline script to handle failing
on error. I also added an option to not use docker at all for platoforms
where docker cannot be installed.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1411
Approved by: rhatdan
When running podman rm -a on a storage where no images exist,
the exit code should NOT be non-zero.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1402
Approved by: rhatdan
change the tests to use chroot to set a numeric UID/GID.
Go syscall.Credential doesn't change the effective UID/GID of the
process.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1372
Approved by: mheon
also refactor the rootless_test.go to facilitate running a test in a
rootless context.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1372
Approved by: mheon
join the user namespace used to create the container so that psgo can
work in the same way as with root containers.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1371
Approved by: rhatdan
Docker expects multiple filters to be passed with multiple uses
of the --filter flag (e.g. --filter=label=a=b --filter=label=c=d)
and not a single comma-separated list of filters as we expected.
Convert to the Docker format, and make some small cleanups to our
handling of filters along the way.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1345
Approved by: umohnani8
The OCI runtime might use the cgroups to see what PIDs
are inside the container, but that doesn't work with rootless
containers.
Closes: https://github.com/containers/libpod/issues/1337
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1331
Approved by: rhatdan
Manage the case where the main process of the container creates and
joins a new user namespace.
In this case we want to join only the first child in the new
hierarchy, which is the user namespace that was used to create the
container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1331
Approved by: rhatdan
We cannot re-exec into a new user namespace to gain privileges and
access an existing as the new namespace is not the owner of the
existing container.
"unshare" is used to join the user namespace of the target container.
The current implementation assumes that the main process of the
container didn't create a new user namespace.
Since in the setup phase we are not running with euid=0, we must skip
the setup for containers/storage.
Closes: https://github.com/containers/libpod/issues/1329
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1331
Approved by: rhatdan
When in rootless mode it's not possible to load profiles or
check which profiles are loaded.
Added a few baseline tests to check all possible cases.
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Closes: #1250
Approved by: mheon
Also it fix the issue of exposing both tc/udp port even if
only one proto specified.
Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
Closes: #1325
Approved by: mheon
As well as small style corrections, update pod_top_test to use CreatePod, and move handling of adding a container to the pod's namespace from container_internal_linux to libpod/option.
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1187
Approved by: mheon
A pause container is added to the pod if the user opts in. The default pause image and command can be overridden. Pause containers are ignored in ps unless the -a option is present. Pod inspect and pod ps show shared namespaces and pause container. A pause container can't be removed with podman rm, and a pod can be removed if it only has a pause container.
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1187
Approved by: mheon
Using the vendored changes from psgo, incorporate JoinNamespaceAndProcessInfoByPids to get process information for each pid namespace of running containers in the pod. Also added a man page, and tests.
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1298
Approved by: mheon
We need a useradd binary in the container for this test, so swap
from Alpine to fedora-minimal.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1315
Approved by: vrothberg
Devices are supposed to be able to be passed in via the form of
--device /dev/foo
--device /dev/foo:/dev/bar
--device /dev/foo:rwm
--device /dev/foo:/dev/bar:rwm
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1299
Approved by: umohnani8
Do not set any hostname value in the OCI configuration when --uts=host
is used and the user didn't specify any value. This prevents an error
from the OCI runtime as it cannot set the hostname without a new UTS
namespace.
Differently, the HOSTNAME environment variable is always set. When
--uts=host is used, HOSTNAME gets the value from the host.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1280
Approved by: baude
Need to get some small changes into libpod to pull back into buildah
to complete buildah transition.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1270
Approved by: mheon
Hostname should be set to the hosts hostname when network is none.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1274
Approved by: giuseppe
...and some naming decisions.
This change ensures podman save doesn't incorrectly prepend localhost when saving an image.
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1140
Approved by: rhatdan
This adds support for Dockerfile.in and fixes some limits
issues on docker build
Also adds support for podman build to read Dockerfile from stdin.
cat Dockerfile | podman build -f - .
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1209
Approved by: mheon
We should not be using the test systems registries.conf file for integration
tests. We should always use a constructed file created specifically for the
integration tests or we stand to have unpredictable results. The beforeTest
function now sets an environment variable pointing to a registries.conf file
in the test's tempdir. That file will container docker.io as a default.
The afterTest function then clears the environment variable.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1197
Approved by: rhatdan
This is the second round of performance improvements for out
integration tests.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1190
Approved by: rhatdan
due to how cstorage is designed, we were spewing thousands of fds when
we restored cached images causing unwieldy rlimits. we now use podman
load to restore the images thereby not tripping the issue.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1188
Approved by: baude
The auto decompression functionality was already vendored in
with containers/image. Adding a test for it.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #1137
Approved by: rhatdan
Stop all containers with a zero timeout prior to trying to rm -fa. This results
in quicker teardown times by not waiting for timeouts.
Also, with wait tests, no need to wait the full 10 second sleep. 1 will do.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1181
Approved by: rhatdan
Because our tests are getting so long, we want to be able to audit which tests are taking
the longest to complete. This may indicate a bad test, bad CI, bad code, etc and therefore
should be auditable.
Also, make speed improvements to tests by making sure we only unpack caches images that
actually get used.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1178
Approved by: mheon
If an image is created from another and it is deleted,
only delete the actual image and not the parent images
if the parent images have names/references.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #1174
Approved by: mheon
Added Pause() and Unpause() to libpod/pod.go
Added man pages, tests and completions
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1126
Approved by: rhatdan
(make localunit) complains about the unbuildable subpackage; silence that.
Actually, I can't find any user of checkseccomp in this repo; maybe
it is entirely unused?
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Closes: #1115
Approved by: rhatdan
If more than one volume was mounted using the --volume flag in
podman run, the second and onwards volumes were picking up options
of the previous volume mounts defined. Found out that the options were
not be cleared out after every volume was parsed.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #1142
Approved by: mheon
As well as added tests, man pages, and completions.
Also reformatted and refactored a couple of other small things in the other pod commands.
Signed-off-by: haircommander <pehunt@redhat.com>
Use github.com/containers/psgo instead of execing `ps (1)`. The psgo
library enables a much more flexible interface with respect to which
data to be printed (e.g., capabilities, seccomp mode, PID, PCPU, etc.)
while the output can be parsed reliably. The library does not use
ps (1) but parses /proc and /dev instead. To list the processes of a
given container, psgo will join the mount namespace of the given
container and extract all data from there.
Notice that this commit breaks compatibility with docker-top.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1113
Approved by: rhatdan
Bind all the specified TCP and UDP ports so that another process
cannot reuse them. The fd of the listener is then leaked into conmon
so that the socket is kept busy until the container exits.
Closes: https://github.com/projectatomic/libpod/issues/210
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1100
Approved by: mheon
Most images won't work without multiple ids/gids. Error out
immediately if there are no multiple ids available.
The error code when the user is not present in /etc/sub{g,u}id looks
like:
$ bin/podman run --rm -ti alpine echo hello
ERRO[0000] No subuid ranges found for user "gscrivano"
Closes: https://github.com/projectatomic/libpod/issues/1087
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1097
Approved by: rhatdan
I don't know how the previous test was succeeding, as we never
actually fetched the sizes to sort with. The test now does.
Signed-off-by: Matthew Heon <mheon@redhat.com>
when pulling an image that includes a sha such as:
centos/nginx-112-centos7@sha256:42330f7f29ba1ad67819f4ff3ae2472f62de13a827a74736a5098728462212e7
the final image name in libpod should not contain portions of the sha itself nor the sha
identifier. and like docker, we provide a 'none' tag as well.
this should fix#877
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1085
Approved by: mheon
podman rmi was deleting an image even if it was a parent of
another image. This fix just untags the image instead.
This also fixes podman rmi to remove intermediate images of
an image when the image is removed.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #1055
Approved by: mheon
Add the actual argument, not the one we're looking for when searching
the to-be-translated short-opt string. Otherwise, we're likely to hit
an infinite loop.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1066
Approved by: rhatdan
podman now supports --volumes-from flag, which allows users
to add all the volumes an existing container has to a new one.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #931
Approved by: mheon
Building our own image to test built-in volume and user
instead of using the mariadb one.
Solves timeout issue in travis tests.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #1044
Approved by: mheon
Vendor an updated version of urfave/cli to fix the parsing of short
options. Until the fix is merged upstream, vendor the code from
github.com/vrothberg/cli containing both, the latest urfave/cli and
the bug fix.
Fixes: #714
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1046
Approved by: rhatdan
The destination path of the built-in volume was not being created
but a relabel was being attempted on it, this was causing issues
with all images that have built-in volumes.
This patch fixes that and ensures the destination volume path
is created.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #1026
Approved by: mheon
When we run containers in detach mode, nothing cleans up the network stack or
the mount points. This patch will tell conmon to execute the cleanup code when
the container exits.
It can also be called to attempt to cleanup previously running containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #942
Approved by: mheon
Instead of setting the --registry flag to search a single registry,
prefix the registry before the image name in the input, an example is
`podman search registry.fedoraproject.org/fedora` and this will search for
the fedora image in only registry.fedoraproject.org.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #1011
Approved by: rhatdan
Also podman ps now allows user to only output size of root FS, changed language of images and ps --sort to be by "created" as opposed to "time", and refactored the way templates are created (converted from psJSONParams type).
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #948
Approved by: rhatdan
podman images will not show intermediate images by default.
To view all images, including intermediate images created during
a build, use the --all flag.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #947
Approved by: rhatdan
Make the output of top tabular to be compatible with Docker. Please
note, that any user-input for `GetContainerPidInformation(...)` will be
ignored until we have found a way to generically and reliably parse ps-1
output or until there is a go-lib to extract all the data from /proc in
a ps-1 compatible fashion.
Fixes: #458
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #939
Approved by: rhatdan
podman run command screws up we should get 125
podman run command succeeds but command in container fails to exec 126
podman run command succeeds but command exits with non 0 exit code
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #921
Approved by: TomSweeneyRedHat
Add following test cases for security-opt:
- Check default selinux value
- Disable security options in container
- Setup selinux type in security-opt
- Disable seccomp protection
- Configure custom seccomp.json
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
Closes: #837
Approved by: rhatdan
Use function in opencontainers/selinux/go-selinux to check the
selinux status in our test.
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
Closes: #837
Approved by: rhatdan
Also add annotations from the image the container was created
from.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #886
Approved by: rhatdan
Currently we are giving all caps to users when running with podman run --user,
They should get none by default. If the command line includes --cap-add, then
we need to run with those capabilties. Similarly we need to drop caps from
bounding set, if user specifies --cap-drop
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #851
Approved by: mheon
The docker-archive tar files can have multiple tags for the same
image stored in it. Load pulls all the tags found in the archive
when loading a tar file. Save can oush multiple tags of the same
image to a tar archive.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #819
Approved by: rhatdan
When we're given a numeric --user value, default to GID 0 if the numeric
ID doesn't correspond to a user entry in /etc/passwd that can provide us
with the user's primary group ID.
Make sure that GetAdditionalGroupsForUser() returns wrapped errors.
Also test various user:group forms.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #728
Approved by: mheon
If the user uses the image ID when saving to either docker-archive
or oci-archive, then do not save a reference in the manifest/index.json.
If the user chooses to push without an image reference, i.e <transport>:<path>
it should be valid and succeed.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #782
Approved by: rhatdan
Until we get Systemd cgroup manager working, this will
cause a validation error.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #507
Approved by: baude
If the user does not provide a host port when adding -p to create/run, podman should inject an available random port.
podman run -p 80 .... podman should assign a random port to the host and expose the container port 80 to it
Signed-off-by: baude <bbaude@redhat.com>
Closes: #703
Approved by: rhatdan
when performing a container commit, we should not add the default list of volumes
for a container to the resulting image. it will cause the resulting image to crash
when run subsequently.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #699
Approved by: mheon
file names for podman load, save, export, and import cannot
contain ":" in them. It is a reserved character for parsing
filenames.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #694
Approved by: rhatdan
Vendor in buildah and use as much of commit and bug as possible for podman
build and commit.
Resolves#586
Signed-off-by: baude <bbaude@redhat.com>
Closes: #681
Approved by: mheon
- Allow unittest's to run as normal user
- Refactor tests to use unittest features
- Refactor tests to use fixtures to track resources
- Update test runner script to clean up on failure
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Closes: #683
Approved by: rhatdan
The hidden flag is used to override the path of the default mounts file
for testing purposes.
Also modified the secrets pkg to allow for this override to happen.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #678
Approved by: mheon
If an integer is passed into the --user flag, i.e --user=1234
don't look up the user in /etc/passwd, just assign the integer as the uid.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #652
Approved by: mheon
Add --no-trunc to the command line and add output check for the
lines not include "..." with this flag.
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
Closes: #662
Approved by: rhatdan
If the host is in FIPS mode and /etc/system-fips exists
/run/secrets/system-fips is created in the container so that
the container can run in FIPS mode as well.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Test the --timeout flag with a container which can not be stopped with
SIGSTOP. This means the container should can not be stopped and will be
killed then restart with timeout value. Test steps:
Start a container with STOPSIGNAL=SIGKILL
Restart it with --timeout set to 2s
Check the restart command will finished more than 2s and less than
10s(the default timeout)
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
Remove the --latest from the restart running container test, and
add a separated case with following steps:
start two container in order: test1, test2
restart container with --latest
check the start time for test1 and test2
And the results should be test1 is not restarted and test2 is restarted.
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
been meaning to do this for a while. add an environment variable that
disables the caching and restoring of images before integration tests
are run. this is useful for developers only ... when testing specific
integration tests where caching and restoring the images is not worth
the benefit.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #650
Approved by: rhatdan
When STDOUT and STDERR are not attached, we now print a container
ID. Make the tests aware of this.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #638
Approved by: rhatdan
The test steps are:
1. Start a container and touch a file under /tmp
2. Use diff to check the container
3. commit the change into a new image
4. Use diff to check the image
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
Closes: #643
Approved by: mheon
Made necessary changes to functions to include contex.Context wherever needed
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #640
Approved by: baude
Sometime podman push local registry still failed caused by the
docker registry is not start yet after sleep 5s in the test.
So add this function to check the container status by its output
and skip the test when the docker registry can not start normally
instead of failed the case.
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
Add five tests for podman push tests:
- push to docker with authorization
- push to docker-archive
- push to docker-daemon
- push to oci-archive
- push to ostree
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
We used to not allow the use of -a/-i on containers that were not
started with -i or a tty. Given the improvements in our terminal
handling, this should work now.
This also fixes a systemic problem with the autotests.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #617
Approved by: baude
The secrets code was just tarring and copying the contents of the secrets directory on host as is.
This meant it was not accounting for any symlinks inside the directory, leading up to the contents
not being copied over.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #611
Approved by: mheon
We leak open files when creating new c/storage stores (locks do
not close themselves, so the open FDs in the test suite increase
every time we use c/storage to load cached images for the tests).
Fix this temporarily by increasing rlimits on open files until we
can create a permanent fix next release.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #615
Approved by: baude
--group-add
--blkio-weight-device
--device-read-bps
--device-write-bps
--device-read-iops
--device-write-iops
--group-add now supports group names as well as the gid associated with them.
All the --device flags work now with moderate changes to the code to support both
bps and iops.
Added tests for all the flags.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #590
Approved by: mheon
In our ezrly development, we always allocated a tty when not -d. Now we should only allocated when the user asks for it.
Resolves: #573
Signed-off-by: baude <bbaude@redhat.com>
Closes: #574
Approved by: rhatdan
Some more features.
docker-archive generates docker legacy compatible images
Do not create $DiffID subdirectories for layers with no configs
Ensure the layer IDs in legacy docker/tarfile metadata are unique
docker-archive: repeated layers are symlinked in the tar file
sysregistries: remove all trailing slashes
Improve docker/* error messages
Fix failure to make auth directory
Create a new slice in Schema1.UpdateLayerInfos
Drop unused storageImageDestination.{image,systemContext}
Load a *storage.Image only once in storageImageSource
Support gzip for docker-archive files
Remove .tar extension from blob and config file names
ostree, src: support copy of compressed layers
ostree: re-pull layer if it misses uncompressed_digest|uncompressed_size
image: fix docker schema v1 -> OCI conversion
Add /etc/containers/certs.d as default certs directory
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #569
Approved by: mheon
Use a socket to coordinate between the test suite and the container and its
script.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #567
Approved by: rhatdan
We should allow users to pass in image ids with the sha256: prefix
for local images.
Resolves: #493
Signed-off-by: baude <bbaude@redhat.com>
Closes: #560
Approved by: baude
Adds support for mounting secrets especially on RHEL where the container
can use the host subsription to run yum
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #544
Approved by: rhatdan
If the user does not specify foo=bar, then the exec code should
look for the foo environment variable in its environment and pass it
in. This is the way podman run works.
Also added tests to make sure this all works.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #552
Approved by: mheon
An image name is really just a tag. When an image has multiple tags, we should be
able to "delete" the one of its tags without harm. In this case, the "delete' is
really a form of Untag (removing the tag from the image).
If an image has multiple tags and the user tries to delete by ID without force, this
should be denied because when you delete by ID there is no distinguishing it like
image tags.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #528
Approved by: mheon
Migrate the podman create and commit subcommandis to leverage the images library. I also had
to migrate the cmd/ portions of run and rmi.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #498
Approved by: mheon
As Matt pointed out, when running sleep in a container, the clean up was taking a
full ten seconds to stop container because sleep does not catch SIGTERM which is
the default podman stop signal and it had to wait for SIGKILL. Changing sleep to
top should result in better test times.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #492
Approved by: rhatdan
As podman-images(1) had some issues correctly reporting all RepoTags of
an image (in the default format), extend the e2e tests to avoid running
into similar in the future.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #477
Approved by: rhatdan
Some of the paths in the e2e tests are hard-coded, which complicates
testing a bit on systems with different paths for runc, conmon, etc.
Add a make shell target to the Makefile, which will build and run the
libpod containers, giving a shell to the user in which podman can be
built, run, tested etc.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #481
Approved by: rhatdan
Due to the way ps arguments work, it was possible to display pids
that dont below to the container in top output. We now filter pids
that dont belong to the container out of the output. This also means
the pid column must be present in the output or we throw an error.
This resolves issue #391
Signed-off-by: baude <bbaude@redhat.com>
Closes: #400
Approved by: rhatdan
When trying to tag an alias (tag) of an image using only the shortname
and no tag, we were unable to find the image in storage. This corrects
that issue and adds an integration test to protect against regression. I
also updated the man page per the filed issue.
While writing the integration test, I discovered that inspect could also
not find a tagged image without its :tag.
Resolves Issue #385
Resolves Issue #384
Signed-off-by: baude <bbaude@redhat.com>
Closes: #398
Approved by: mheon
When creating container storage by name, if that name is a tagged image then the storage
could not be found. We now use the image id which seems more reliable. Also added an
integration test to protect against regression.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #393
Approved by: mheon
The exit codes for 126 and 127 were reversed. For the record, the exit
codes used are as follows:
* 125 if ‘chroot’ itself fails
* 126 if COMMAND is found but cannot be invoked
* 127 if COMMAND cannot be found
This resolves issue #367
Signed-off-by: baude <bbaude@redhat.com>
Closes: #378
Approved by: baude
Inspect should be able to inspect one or more containers depending
on the user input. Therefore, inspect output should be in array
format so the consumer could potentially iterate it. This PR allows
users to specify one more or containers|images|or a mix for
inspection. The output, as stated, is therefore in array form. This
holds true even for a singular image.
In the case that the user enters an invalid container|image "name", we
handle that gracefully. Podman will output json for the valid names
until it reaches the invalid one. For example:
In this case, podman will out the json for alpine and then print an
error about 123 being invalid. It will not continute onto busybox.
This behavior imatates docker.
This addresses issue #360
Signed-off-by: baude <bbaude@redhat.com>
Closes: #371
Approved by: baude
Previous code was using slow routines to collect some of the information
needed to output images. Specifically size was being calculated instead
of using the cached, already known size already available. Also, straight-
lined several of the code paths. Overall assessment is that these
improvements cut the time for images in half.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #365
Approved by: mheon
We should be able to run nested podman containers in particular
for our testing environment. i.e. eat our own dog food.
Some privileges had to be corrected in order for this to work
correctly.
Added a third papr target that runs podman tests inside podman. I
marked the test as not required right now as we get more confident
in the results
Signed-off-by: baude <bbaude@redhat.com>
Closes: #340
Approved by: rhatdan
When using podman to pull an image, print the image id after
the image is pulled.
Resolves issue #329
Signed-off-by: baude <bbaude@redhat.com>
Closes: #342
Approved by: rhatdan
When an image does not have an ENTRYPOINT nor a CMD and the
user does not provide a command in the CLI, we should fail
gracefully.
This resolves issue #328
Signed-off-by: baude <bbaude@redhat.com>
Closes: #333
Approved by: mheon
When running a privileged container, it should inherit the same
devices the host has.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #330
Approved by: mheon
Changing these fields caused the output of podman inspect to more
closely match docker inspect.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #306
Approved by: mheon
When an image has an ENTRYPOINT defined, we should be honoring it. The
problem is described in issue #321.
Also, added buildah binary to test runtimes for testing entrypoint and
will also allow us to test podman build as well.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #322
Approved by: rhatdan
Rework port code for generalized clean up and to address
issue #269 where additional portbindings between host
and containers we being introduced by error.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #308
Approved by: mheon
Matthew Heon
Giuseppe Scrivano
Ed Santiago
Matthew Heon
Jhon Honce
OpenShift Merge Robot
Brent Baude
Daniel J Walsh
Qi Wang
Sascha Grunert
Chris Evich
Yiqiao Pu
Debarshi Ray
Kunal Kushwaha
Peter Hunt
alsadi
Adrian Reber
TomSweeneyRedHat
Valentin Rothberg
Harshal Patil
Emilien Macchi
Miloslav Trmač
Urvashi Mohnani
W. Trevor King
Matthew Heon
Valentin Rothberg
Marco Vedovati
Nalin Dahyabhai
Nathan Williams
Valentin Rothberg