Currently Podman prevents SELinux container separation,
when running within a container. This PR adds a new
--security-opt label=nested
When setting this option, Podman unmasks and mountsi
/sys/fs/selinux into the containers making /sys/fs/selinux
fully exposed. Secondly Podman sets the attribute
run.oci.mount_context_type=rootcontext
This attribute tells crun to mount volumes with rootcontext=MOUNTLABEL
as opposed to context=MOUNTLABEL.
With these two settings Podman inside the container is allowed to set
its own SELinux labels on tmpfs file systems mounted into its parents
container, while still being confined by SELinux. Thus you can have
nested SELinux labeling inside of a container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Another followup to #17608. Nightly tests were hanging,
because /run/podman/podman.sock was hardcoded (bad idea
for rootless). Poor testing on my part.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Use `auth.Login` as `podman login` does which parses and normalizes the
input addresses correctly, especially for docker.io.
[NO NEW TESTS NEEDED] as we do not have means to test logging into
docker.io in CI.
Fixes: #17571
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This case is fixed by passt commit bad252687271 ("conf, udp: Allow
any loopback address to be used as resolver") and the fix is now
available in packages included by the CI images.
Note that, depending on the resolver on the host, we might get
1.0.0.127.in-addr.arpa resolved to localhost, or simply NXDOMAIN for
it: accept a failure on the nslookup command, as long as we have a
response for 1.0.0.127.in-addr.arpa in the output. If we have any
response, that means we could talk to the resolver.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
They include Fedora package passt-0^20230227.gc538ee8-1.fc37 and
passt-0.0~git20230227.c538ee8-1 for Debian, so that we can re-enable
the "Local Forwarder, IPv4" test for pasta(1).
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Given that flakes inevitably occur as testing grows wider, position the
system tests in parallel with the integration tests as much as possible.
The thinking here is, flaking sooner is better than later. This is
because it provides an earlier opportunity for developers to re-run
tasks.
Signed-off-by: Chris Evich <cevich@redhat.com>
On FreeBSD, c.config.Spec.Linux is not populated - in this case, we can
assume that the container is not using a pid namespace.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2139191
We have a timing issue when doing a build or pull of an image and
a second process is removing them at the same time. This is not
a window we're going to close now, so I'm adding a note to the
troubleshooting guide to document it.
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
there are no commands that are not supported by rootless mode, but
some commands require to run in the user namespace.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
As suggested by @edsantiago, the complex script and direct-link in the
docs are adding little value while increasing the CI maintenance burden.
Simply retire the script and strip the direct (versioned) links from the
docs.
Signed-off-by: Chris Evich <cevich@redhat.com>
Add a hidden flag to set the database backend and plumb it into
podman-info. Further add a system test to make sure the flag and the
info output are working properly.
Note that the test may need to be changed once we settled on how
to test the sqlite backend in CI.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
OpenShift Merge Robot
Daniel J Walsh
Ed Santiago
dependabot[bot]
Valentin Rothberg
Heniker
Giuseppe Scrivano
Lokesh Mandvekar
Stefano Brivio
Chris Evich
Adrian Reber
restitux
Doug Rabson
tomsweeneyredhat
Jason T. Greene
vyasgun