--cap-add is useful when running a privileged container with UID != 0,
so that individual capabilities can be added to the container process.
Closes: https://github.com/containers/podman/issues/13449
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
When podman gets an error it prints out "Error: " before
printing the error string. If the error message starts with
error, we end up with
Error: error ...
This PR Removes all of these stutters.
logrus.Error() also prints out that this is an error, so no need for the
error stutter.
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The kernel never sets the inheritable capabilities for a process, they
are only set by userspace. Emulate the same behavior.
Closes: CVE-2022-27649
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
these mount flags are already used for the /dev/shm mount on the host,
but they are not set for the bind mount itself.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Commit e1443fe05d added a test case that ran "date +%N" inside
a Fedora container (without actually using its output).
Commit ccc5bc167f changed that test case to use Alpine. Problem
is, %N is not supported by date in Alpine (it only prints a newline).
To eliminate the ambiguity, replace date with touch.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
sed -i -e 's/Expect(\(.*\)\[\(\".*\"\)\])\.To(Equal(/Expect(\1).To(HaveKeyWithValue(\2, /' test/e2e/*_test.go
...with two manual tweaks, because this converted:
Expect(foo["bar"]).To(Equal(""))
-> Expect(foo).To(HaveKeyWithValue("bar",""))
It looks like the intention of the test was, instead:
...To(Not(HaveKey("bar")))
Signed-off-by: Ed Santiago <santiago@redhat.com>
Many ginkgo tests have been written to use this evil form:
GrepString("foo")
Expect(that to BeTrue())
...which yields horrible useless messages on failure:
false is not true
Identify those (automatically, via script) and convert to:
Expect(output to ContainSubstring("foo"))
...which yields:
"this output" does not contain substring "foo"
There are still many BeTrue()s left. This is just a start.
This is commit 1 of 2. It includes the script I used, and
all changes to *.go are those computed by the script.
Commit 2 will apply some manual fixes.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Found by my find-obsolete-skips script. Let's see which, if any,
of these skipped tests can be reenabled.
Some Skips are "this will never work", not "this is expected to
work one day". Update the message on those to reflect that.
Some were real bugs in the test framework. Fix those.
And, joy of joys, some work today. Remove those skips.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Our fedora-minimal image on Quay bases on fedora-minimal:latest which
starting with F35 removed a number of binaries that our CI depends on.
Fix that by pulling `fedora-minimal:34` from the Fedora registry
directly.
Once the build bot on Quay has been disabled, we move the image over
there to make sure that it will not change over time.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Honor custom `target` if specified while running or creating containers
with secret `type=mount`.
Example:
`podman run -it --secret token,type=mount,target=TOKEN ubi8/ubi:latest
bash`
Signed-off-by: Aditya Rajan <arajan@redhat.com>
the --cgroups=split test changes the current cgroup as it creates a
sub-cgroup. This can cause a race condition in tests that are reading
the current cgroup.
Closes: https://github.com/containers/podman/issues/11191
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Make sure that the value is only set if specified on the CLI. c/image
already defaults to true but if set in the system context, we'd skip
settings in the registries.conf.
Fixes: #11933
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Allow chainging ownership of mountpoint created on top external overlay
rootfs to support use-cases when custom --uidmap and --gidmap are
specified.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
Following commit ensures not dandling mounts are left behind when we are
creating an overlay on top of external rootfs.
Co-authored-by: Valentin Rothberg <rothberg@redhat.com>
Signed-off-by: Aditya Rajan <arajan@redhat.com>
(Sorry, couldn't resist).
CI flakes have been coming down - thank you to everyone who has
been making them a priority.
This leaves a noisy subset that I've just been ignoring for months:
Running: podman ... -p 8080:something
...cannot listen on the TCP port: listen tcp4 :8080: bind: address already in use
Sometimes these are one-time errors resolved on 2nd try; sometimes
they fail three times, forcing CI user to hit Rerun. In all cases
they make noise in my flake logs, which costs me time.
My assumption is that this has to do with ginkgo running random
tests in parallel. Since many e2e tests simplemindedly use 8080,
collisions are inevitable.
Solution: simplemindedly replace 8080 with other (also arbitrarily
picked) numbers. This is imperfect -- it requires human developers
to pick a number NNNN and 'grep NNNN test/e2e/*' before adding
new tests, which I am 100% confident ain't gonna happen -- but
it's better than what we have now.
Side note: I considered writing and using a RandomAvailablePort()
helper, but that would still be racy. Plus, it would be a pain
to interpolate strings into so many places. Finally, with this
hand-tooled approach, if/when we _do_ get conflicts on port NNNN,
it should be very easy to grep for NNNN, find the offending tests
that reuse that port, and fix one of them.
Signed-off-by: Ed Santiago <santiago@redhat.com>
* Add response.Body.Close() where needed to release HTTP
connections to API server.
* Add tests to ensure no general leaks occur. 100% coverage would be
required to ensure no leaks on any call.
* Update code comments to be godoc correct
Signed-off-by: Jhon Honce <jhonce@redhat.com>
This becomes a problem on hosts with upgraded policies. Ref:
https://github.com/containers/podman/issues/10522
Also, made a small change to compose-test setup to reduce runtime.
Signed-off-by: Chris Evich <cevich@redhat.com>
Execution domains tell Linux how to map signal numbers into signal actions.
The execution domain system allows Linux to provide limited support for binaries
compiled under other UNIX-like operating systems.
Reference: https://man7.org/linux/man-pages/man2/personality.2.html
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
Compat healthcheck tests are of the format []string but podman's were of
the format string. Converted podman's to []string at the specgen level since it has the same effect
and removed the incorrect parsing of compat healthchecks.
fixes#10617
Signed-off-by: cdoern <cdoern@redhat.com>
Compat healthcheck tests are of the format []string but podman's were of
the format string. Converted podman's to []string at the specgen level since it has the same effect
and removed the incorrect parsing of compat healthchecks.
fixes#10617
Signed-off-by: cdoern <cdoern@redhat.com>
e2e test failures are rife with messages like:
Expected 1 to equal 0
These make me cry. They're anti-helpful, requiring the reader
to dive into the source code to figure out what those numbers
mean.
Solution: Go tests have a '.Should(Exit(NNN))' mechanism. I
don't know if it spits out a better diagnostic (I have no way
to run e2e tests on my laptop), but I have to fantasize that
it will, and given the state of our flakes I assume that at
least one test will fail and give me the opportunity to see
what the error message looks like.
THIS IS NOT REVIEWABLE CODE. There is no way for a human
to review it. Don't bother. Maybe look at a few random
ones for sanity. If you want to really review, here is
a reproducer of what I did:
cd test/e2e
! positive assertions. The second is the same as the first,
! with the addition of (unnecessary) parentheses because
! some invocations were written that way. The third is BeZero().
perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.To\(Equal\((\d+)\)\)/Expect($1).Should(Exit($2))/' *_test.go
perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.To\(\(Equal\((\d+)\)\)\)/Expect($1).Should(Exit($2))/' *_test.go
perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.To\(BeZero\(\)\)/Expect($1).Should(Exit(0))/' *_test.go
! Same as above, but handles three non-numeric exit codes
! in run_exit_test.go
perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.To\(Equal\((\S+)\)\)/Expect($1).Should(Exit($2))/' *_test.go
! negative assertions. Difference is the spelling of 'To(Not)',
! 'ToNot', and 'NotTo'. I assume those are all the same.
perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.To\(Not\(Equal\((0)\)\)\)/Expect($1).To(ExitWithError())/' *_test.go
perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.ToNot\(Equal\((0)\)\)/Expect($1).To(ExitWithError())/' *_test.go
perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.NotTo\(Equal\((0)\)\)/Expect($1).To(ExitWithError())/' *_test.go
! negative, old use of BeZero()
perl -pi -e 's/Expect\((\S+)\.ExitCode\(\)\)\.ToNot\(BeZero\(\)\)/Expect($1).Should(ExitWithError())/' *_test.go
Run those on a clean copy of main branch (at the same branch
point as my PR, of course), then diff against a checked-out
copy of my PR. There should be no differences. Then all you
have to review is that my replacements above are sane.
UPDATE: nope, that's not enough, you also need to add gomega/gexec
to the files that don't have it:
perl -pi -e '$_ .= "$1/gexec\"\n" if m!^(.*/onsi/gomega)"!' $(grep -L gomega/gexec $(git log -1 --stat | awk '$1 ~ /test\/e2e\// { print $1}'))
UPDATE 2: hand-edit run_volume_test.go
UPDATE 3: sigh, add WaitWithDefaultTimeout() to a couple of places
UPDATE 4: skip a test due to bug #10935 (race condition)
Signed-off-by: Ed Santiago <santiago@redhat.com>
runc-1.0-rc95 refuses destination paths that are not absolute.
The test was causing a mount with a destination "[/etc/foo]" causing
the OCI runtime to fail.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Support UID, GID, Mode options for mount type secrets. Also, change
default secret permissions to 444 so all users can read secret.
Signed-off-by: Ashley Cui <acui@redhat.com>
The initial version of libimage changed the order of layers which has
now been restored to remain backwards compatible.
Further changes:
* Fix a bug in the journald logging which requires to strip trailing
new lines from the message. The system tests did not pass due to
empty new lines. Triggered by changing the default logger to
journald in containers/common.
* Fix another bug in the journald logging which embedded the container
ID inside the message rather than the specifid field. That surfaced
in a preceeding whitespace of each log line which broke the system
tests.
* Alter the system tests to make sure that the k8s-file and the
journald logging drivers are executed.
* A number of e2e tests have been changed to force the k8s-file driver
to make them pass when running inside a root container.
* Increase the timeout in a kill test which seems to take longer now.
Reasons are unknown. Tests passed earlier and no signal-related
changes happend. It may be CI VM flake since some system tests but
other flaked.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Env var secrets are env vars that are set inside the container but not
commited to and image. Also support reading from env var when creating a
secret.
Signed-off-by: Ashley Cui <acui@redhat.com>
filepath.Dir in some cases returns `.` symbol and calling this function
again returns same result. In such cases this function
never returns and causes some operations to stuck forever.
Closes#10216
Signed-off-by: Slava Bacherikov <slava@bacher09.org>
Want to allow users to specify --security-opt unmask=/proc/*.
This allows us to run podman within podman more securely, then
specifing umask=all, also gives the user more flexibilty.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
OpenShift Merge Robot
Giuseppe Scrivano
Daniel J Walsh
Valentin Rothberg
Kir Kolyshkin
Ed Santiago
Aditya Rajan
Jhon Honce
Shivkumar13
Chris Evich
flouthoc
cdoern
Ashley Cui
Slava Bacherikov