The default_ulimits field is currently ignored in podman run commands.
This PR fixes this.
Fixes: https://github.com/containers/podman/issues/17396
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Just like we do with RUNTIME and NETWORK. Skipped for now in
system tests because there's no way yet to actually set the
database backend.
Also, in system test oneliner (first test), include DB
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add debug logs from systemctl and journalctl in hope to get more data on
the Debian flakes tracked in #17796.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This reverts commit 1c08f2edac3f9ecf128cf8da91276e963e6ad14c: the
original failure reported in #17287 persists:
[+1306s] not ok 453 podman networking with pasta(1) - TCP translated port range forwarding, IPv4, loopback
...
[+1306s] # 2023/03/15 14:33:33 socat[119870] E connect(8, AF=2 127.0.0.1:5127, 16): Interrupted system call
[+1306s] # xx
[+1306s] # #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
[+1306s] # #| FAIL: Mismatch between data sent and received
[+1306s] # #| expected: = xxx
[+1306s] # #| actual: xx
[+1306s] # #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
so keep two connections instead of three as long as I'm too dumb to
figure this out.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Transient mode means the DB should not persist, so instead of
using the GraphRoot we should use the RunRoot instead.
Signed-off-by: Matt Heon <mheon@redhat.com>
Two main changes:
- The transient state tests relied on BoltDB paths, change to
make them agnostic
- The volume code in SQLite wasn't retrieving and setting the
volume plugin for volumes that used one.
Signed-off-by: Matt Heon <mheon@redhat.com>
When streaming events, prevent returning duplicates after a log rotation
by marking a beginning and an end for rotated events. Before starting to
stream, get a timestamp while holding the event lock. The timestamp
allows for detecting whether a rotation event happened while reading the
log file and to skip all events between the begin and end rotation
event.
In an ideal scenario, we could detect rotated events by enforcing a
chronological order when reading and skip those detected to not be more
recent than the last read event. However, events are not always
_written_ in chronological order. While this can be changed, existing
event files could not be read correctly anymore.
Fixes: #17665
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When we searching any image at a container registry,
--cert-dir and --creds could be required
as well as push, pull, etc.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
When the service is running with trace log level it wraps the
`http.ResponseWriter` to log extra information. The problem is that the
new type does not keep all the functions from the embedded type.
Instead we have to implement them ourselves, however only Write() was
implemented. Thus `Hijack()`could not be called on the writer. To
prevent these issues we would implement all the interfaces that the
inner type supports (Header, WriteHeader, Flush, Hijack).
Fixes#17749
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The goal of the wait_for_port() function is to return when the port is
bound. This is to make sure we wait for application startup time.
This can be seen in some comments of the callers.
Commit 7e3d04fb caused this regression while reworking the logic to read
ports from /proc. I doesn't seem to cause problems in CI, properly
because the function returns before the port is bound.
I have not seen any flakes related to this but I only see the ones on
PRs where I rerun tests so it is best to wait for Ed to take a look.
Also fixes the broken ipv4_to_procfs() which only passes one argument to
__ipv4_to_procfs(), this results in the ipv4 not beeing inverted.
Therefore all bind checks against a direct ipv4 did not work.
This function accepts only an ipv4 but one caller passes localhost
which is invalid.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
On cgroup v1 we need to mount only the systemd named hierarchy as
writeable, so we configure the OCI runtime to mount /sys/fs/cgroup as
read-only and on top of that bind mount /sys/fs/cgroup/systemd.
But when we use a private cgroupns, we cannot do that since we don't
know the final cgroup path.
Also, do not override the mount if there is already one for
/sys/fs/cgroup/systemd.
Closes: https://github.com/containers/podman/issues/17727
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Wait for all generated services to be ready to be sure we can iron out
race conditions. Also disable rollbacks to make sure we can analyze
the error if restarting a service fails. This information may be
crucial to understand the flakes on Debian as tracked in #17607.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
To help debug #17607, turn off rollbacks for tests that do not require
rollbacks. Error when restarting the systemd units are then not
suppressed but returned which should give us more information about what
is going on the Debian systems.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This reverts commit e33f4e0bc7, going
back to three connections (not two) for each range in TCP tests. I'm
not sure yet what caused the original issue, but it might be fixed
now. If it does, this fixes#17287.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Currently Podman prevents SELinux container separation,
when running within a container. This PR adds a new
--security-opt label=nested
When setting this option, Podman unmasks and mountsi
/sys/fs/selinux into the containers making /sys/fs/selinux
fully exposed. Secondly Podman sets the attribute
run.oci.mount_context_type=rootcontext
This attribute tells crun to mount volumes with rootcontext=MOUNTLABEL
as opposed to context=MOUNTLABEL.
With these two settings Podman inside the container is allowed to set
its own SELinux labels on tmpfs file systems mounted into its parents
container, while still being confined by SELinux. Thus you can have
nested SELinux labeling inside of a container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Another followup to #17608. Nightly tests were hanging,
because /run/podman/podman.sock was hardcoded (bad idea
for rootless). Poor testing on my part.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This case is fixed by passt commit bad252687271 ("conf, udp: Allow
any loopback address to be used as resolver") and the fix is now
available in packages included by the CI images.
Note that, depending on the resolver on the host, we might get
1.0.0.127.in-addr.arpa resolved to localhost, or simply NXDOMAIN for
it: accept a failure on the nslookup command, as long as we have a
response for 1.0.0.127.in-addr.arpa in the output. If we have any
response, that means we could talk to the resolver.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Add a hidden flag to set the database backend and plumb it into
podman-info. Further add a system test to make sure the flag and the
info output are working properly.
Note that the test may need to be changed once we settled on how
to test the sqlite backend in CI.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The symptoms in #17607 point to some race since it does not always flake
on Debian (and Debian only). Hence, wait for the service to be ready
before building the image to make sure that the service is started with
the old image and that everything's in order.
Fixes: #17607
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add a way to keep play kube running in the foreground and terminating all pods
after receiving a a SIGINT or SIGTERM signal. The pods will also be
cleaned up after the containers in it have exited.
If an error occurrs during kube play, any resources created till the
error point will be cleane up also.
Add tests for the various scenarios.
Fixes#14522
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
The buildah bud tests run rootless, so attempting to bypass the
ident-check with a `git config --system` fails with a permission denied
error (as it should). Update the command to use `--global` instead,
which writes to `~/.gitconfig` and so works for regular users.
Also setup a fake identity for the CI-user and enable shell-debugging
for the commands to inform humans of what is happening in the script.
Signed-off-by: Chris Evich <cevich@redhat.com>
Handle the Mount key
Reuse code from the handling of the Volume key
Add E2E Test
E2E Test - Add checker for KeyValue string
Update man page
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
The test should make sure the logs --follow call will log entries that
are created in the future when --since is used and doe not include the
container start event. However it seems the timing is to tight. I think
it was possible that CI logged the line before the logs call was made,
thus it is missing because --since excluded it.
I cannot reproduce so I am not 100% on this but we can reopen the issue
if it still happens.
Fixes#17616
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This reverts commit 81f116c59c291793742e10ea84b77511902a0338: the
passt package for Fedora 37 images is now fixed in the
c20230223t153813z-f37f36d12 image.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
For some weeks or longer, the buildah bud tests have been failing under
cirrus-cron with the message:
```
+ git am --reject
Committer identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
fatal: empty ident name (for
<some30462dude@cirrus-task-5479994827210752.c.libpod-218412.internal>)
not allowed
```
Fix this by marking the clone directory "safe" when the script is
running under CI.
Signed-off-by: Chris Evich <cevich@redhat.com>
Do not set the runtime when processing a .container file
Let Podman choose the runtime based on its configuration
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
A horrible timeout-flake exists in the version presently in CI VM images
`c20230221t162829z-f37f36d12`. Since the PR for adding the 2023-02-21
images is more urgently needed (#17305) than a pasta fix, skip all pasta
tests while waiting for a fix.
Signed-off-by: Chris Evich <cevich@redhat.com>
Test emits nasty warning message:
`Resource limits are not supported and ignored on cgroups V1 rootless
systems`
Ref: issue #17582
Signed-off-by: Chris Evich <cevich@redhat.com>
...in hopes of fixing a flake with podman-remote. It's still
possible that there's a real problem with logs under remote,
and this will just sweep that under the rug.
Also, fix a nasty-red test warning (add cleanup), refactor
uses of $(pause_image), and improve a few test assertions.
Closes: #17286
Signed-off-by: Ed Santiago <santiago@redhat.com>
If the name already exists and CheckDuplicate is set we need to return
409, if CheckDuplicate is not set we return the network without error.
Fixes#17585
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
always use the direct mapping when writing the mappings for an
idmapped mount. crun was previously using the reverse mapping, which
is not correct and it is being addressed here:
https://github.com/containers/crun/pull/1147
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Since commit 06241077cc we use the aardvark per container dns
functionality. This means we should only have the aardvark ip in
resolv.conf otherwise the client resolver could skip aardvark, thus
ignoring the special dns option for this container.
Fixes#17499
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When run with --cgroups=split mode (e.g. quadlet) we do not use the a
separate cgroup for the container and just run in the unit cgroup.
When we filter logs we thus must match the unit name.
Added a small test to the quadlet test to make sure it will work.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It makes little sense to create a log line string from the entry just to
parse it again into a LogLine. We have the typed fields so we can
assemble the logLine direclty, this makes things simpler and more
efficient.
Also entries from the passthrough driver do not use the CONTAINER_ID_FULL
field, instead we can just access c.ID() directly.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The passthrough driver is designed for use in systemd units. By default
we can expect systemd to log the output on journald unless the unit sets
differen StandardOutput/StandardError settings.
At the moment podman logs just errors out when the passthrough driver is
used. With this change we will read the journald for the unit messages.
The logic is actually very similar to the existing one, we just need to
change the filter. We now filter by SYSTEMD_UNIT wich equals to the
contianer cgroup, this allows us the actually filter on a per contianer
basis even when multiple contianers are started in the same unit, i.e.
via podman-kube@.service.
The only difference a user will see is that journald will merge
stdout/err into one stream so we loose the separation there.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Only enforce the passthrough log driver for Quadlet. Commit 68fbebf
introduced a regression on the `podman-kube@` template as `podman logs`
stopped working and settings from containers.conf were ignored.
Fixes: #17482
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Support auto updating containers running inside pods. Similar to
containers, the systemd units need to be generated via
`podman-generate-systemd --new $POD` to generate the pod's units.
Note that auto updating a container inside a pod will restart the entire
pod. Updates of multiple containers inside a pod are batched, such that
a pod is restarted at most once. That is effectively the same mechanism
for auto updating containers in a K8s YAML via the `podman-kube@`
template or via Quadlet.
Updating a single container unit without restarting the entire pod is
not possible. The reasoning behind is that pods are created with
--exit-policy=stop which will render the pod to be stopped when auto
updating the only container inside the pod. The (reverse) dependencies
between the pod and its containers unit have been carefully selected for
robustness. Changes may entail undesired side effects or backward
incompatibilities that I am not comfortable with.
Fixes: #17181
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
...safer, too: the big change is using 'mapfile' to split
multiline strings; this preserves empty lines, making it
easy to see spurious (or missing) blank lines in output.
Another change is to indent the expected-output string
consistently, for readability.
Then, to handle \r (CR) and other control characters, use
bash %q to format special chars. But %q makes\ it\ hard\ to
read\ lines\ with\ spaces, so strip off those backslashes.
This makes assert() much larger and uglier, but this is
code that shouldn't be touched often.
Finally, because these are big changes to critical code,
write a complicated regression test suite for assert().
Signed-off-by: Ed Santiago <santiago@redhat.com>
Tests constantly fail with zero indication of why. Fix that.
- add correct default for $QUADLET path
- add check to make sure it exists
- log quadlet commands and their output
Signed-off-by: Ed Santiago <santiago@redhat.com>
Replace existing tab indentations with spaces, and add
a test to CI to prevent new ones from sneaking in.
Signed-off-by: Ed Santiago <santiago@redhat.com>
When generating a kube yaml with kube generate, do not
set the hostPort in the pod spec if the service flag is
set and we are generating a service kind too.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* add tests
* add documentation for --shm-size-systemd
* add support for both pod and standalone run
Signed-off-by: danishprakash <danish.prakash@suse.com>
Add a podman ulimit annotation to kube generate and play.
If a container has a container with ulimits set, kube gen
will add those as an annotation to the generated yaml.
If kube play encounters the ulimit annotation, it will set
ulimits for the container being played.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Remove the container in ExecStop to make sure that Quadlet's adheres to
Podman's customizable stop signal/timeout. Certain programs ignore
SIGTERM which renders the services generated by Quadlet less user
friendly compared to the ones from podman-generate-systemd.
Previously, `systemctl stop` would just hang until systemd's stop
timeout is hit. Since `podman rm` also removes the CID file, the
additional `rm` can be removed. Note that `podman rm` will return
immediately if the specified CID file isn't present.
I am working on a short tutorial on Quadlet and hit the issue with a
simple container running `sleep`. `sleep` ignores SIGTERM and stopping
the service would take forever even with `PodmanArgs=--stop-timeout=0`.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Install the signal proxy before attaching to/starting the container to
make sure there's no race-condition as revealed in the failing start/run
tests in #16901. The tests had the valid expectation that signal
forwarding works once the container is running.
Further update the tests to account for the attach test where the
expectation is that signal forwarding works once Podman has attached to
container (or even before).
Fixes: #16901
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Signed-off-by: Ed Santiago <santiago@redhat.com>
Commit 4fa307f149 fixed a number of issues in the sdnotify proxies.
Whenever a container runs with a custom sdnotify policy, the proxies
need to keep running which in turn required Podman to run and wait for
the service container to stop. Improve on that behavior and set the
service container as the main PID (instead of Podman) when no container
needs sdnotify.
Fixes: #17345
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Primarily, add skip_if_journald_unavailable because RHEL.
Secondarily, reverse a flipped actual/expect assertion
that made it difficult to understand the RHEL failure.
Signed-off-by: Ed Santiago <santiago@redhat.com>
We currently name the container being created during kube play
as ctrName-podName, but this is not how it is done in k8s.
Since we can't change this at the CLI level as it will be a breaking
change (it will be planned for podman 5.0), add only ctrName as an alias
to the network of the pod.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Also includes unreleased https://github.com/openshift/imagebuilder/pull/246 to work
with the updated docker/docker dependency.
And updates some references to newly deprecated docker/docker symbols.
[NO NEW TESTS NEEDED]
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
- podman-remote unshare returns an error message
with the exit code '125'.
- Need to run RestartRemoteService() to apply
changes to the TMPDIR.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
Commit 2f29639bd3 added a UX improvement to cleanup/teardown when
running the specified YAML has failed. However, the teardown happens
unconditionally such that rerunning the same YAML file will teardown the
previously created workload instead of just failing with a name-conflict
error (e.g., "pod already exists"). The regression popped up testing
the Ansible system role with Podman v4.4.0.
For now, do not teardown at all on error to quickly fix this regression
for the upcoming Podman v4.4.1 release. The UX improvement is still
desired but must be conditional and only happen on newly created
resources, which probably requires moving it down to the backend.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The new version contains the ginkgolinter, which makes sure the
assertions are more helpful.
Also replace the deprecated os.SEEK_END with io.SeekEnd.
There is also a new `musttag` linter which checks if struct that are
un/marshalled all have json tags. This results in many warnings so I
disabled the check for now. We can reenable it if we think it is worth
it but for now it way to much work to fix all report problems.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Quadlet should not exit with failure if no files to process have been
found. Otherwise, even simple operations such as reloading systemd
will fail as it retriggers generators.
Fixes: #17374
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Similarly to the ICMP test for IPv4, I broke the command line on a
rebase of the initial test import.
Note that, unless we pass an IPv6 resolver directly to pasta, Podman
won't add one to /etc/resolv.conf in the container. We could pass
that explicitly, but then end up hitting the same issue as the one
described in the "Local forwarder, IPv6" case. Skip this test for
the moment being.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Parameter substitution in the command line went lost on some rebase
of the initial test import. Add it back and actually test that we can
ping the resolver.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
For some reason I couldn't figure out yet, on CI systems running
Fedora 37, tests for TCP port forwarding with ranges fail on the
third connection, as connect() from the socat client gets
interrupted -- and socat doesn't handle this.
Mitigate this by connecting twice, to two different ports, instead of
using three ports.
Reported-by: Ed Santiago <santiago@redhat.com>
Link: https://github.com/containers/podman/issues/17287
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Add support for disabeling SELinux process separation in the container.
Add support for setting the process type of the container.
Add support for setting the process MCS level of the container.
Add support for setting the file type of the container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
copy the current mapping into a new user namespace, and run into a
separate user namespace.
Closes: https://github.com/containers/podman/issues/17337
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Just like buildkit buildah must allow cleaning the buildcache and cache generated on host by --mount=type=cache just like buildkit's prune command.
See: https://github.com/moby/buildkit#cache
Signed-off-by: Aditya R <arajan@redhat.com>
In the remote environment, this test will be failed,
because an error message is different from the local environment.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
quadlet tests were using 'systemctl show -P', a shortcut
that doesn't exist on RHEL8. Translate to old-systemd
language.
And, minor tweaks to make future test diagnosing easier.
This is a frontport of #17311; bringing from release branch
to main. Except that was an emergency, so it was a one-line
fix. This is a better long-term fix, not as trivial to review.
Signed-off-by: Ed Santiago <santiago@redhat.com>
http.Get() could not recognize no_proxy with "ginkgo -nodes <any>".
Therefore, we set http.Client not to use a proxy instead of os.Setenv().
Fixes#17135
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
Ha ha. This was supposed to be a trivial little followup to #17174:
https://github.com/containers/podman/pull/17174#discussion_r1085963780
(safer username check when --userns=keep-id)
It got complicated. TL;DR we need to use User.Username, not User.Name.
The latter is GECOS! Tests were working because, on Fedora, GECOS
for root is "root". Found and fixed all 'u.Name' instances, but
if there are any references with a variable other than 'u', they
still need looking into.
Signed-off-by: Ed Santiago <santiago@redhat.com>
- ImageCacheDir is hard-coded as "/tmp/podman/imagecachedir".
To avoid this hard-coding, I changed it to "os.TempDir()/imagecachedir".
- Change ImageCacheDir permissions from 0777 to 0700.
This directory should be used by per-user.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
Add test to verify that updates without a pids-limit specified no longer
overwrite the previous value.
Also fixes erroneous warning generated by remote clients:
"Resource limits are not supported and ignored on cgroups V1 rootless
systems"
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
(podman push) and (podman manifest push) now support --sign-by-sigstore=param-file,
using the containers-sigstore-signing-params.yaml(5) file format.
That notably adds support for Fulcio and Rekor signing.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
If rootless, os.RemoveAll() is failed due to permission denied.
Therefore, we use "podman unshare rm" instead of os.RemoveAll().
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
We had a number of references, mostly in docs, to the word master that
can now be changed to main. This PR does that and makes the project a
bit more inclusive.
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
containers/podman/pull/17186 and containers/podman/pull/17201 have been
merged at roughly the same time. Both work fine in isolation but the
new kube test breaks in combination.
Fix the IPC kube test to make CI healthy.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
- Use filepath.Join(podmanTest.TempDir, "any") instead of "/tmp/any"
- Add generatePolicyFile() to avoid the hardcording of "keyPath": "tmp/key.gpg"
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
The Device, Type, Copy and Options keys are now supported in
quadlet .volume files. This allows users to create filesystem
based volumes with quadlets .volume files.
Signed-off-by: Ingo Becker <ingo@orgizm.net>
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Drop support for remote use-cases when `.containerignore` or
`.dockerignore` is a symlink pointing to arbitrary location on host.
Signed-off-by: Aditya R <arajan@redhat.com>
The test was added in commit 1424f0958f, it can flake because the
attach test needs the message in the log. On slow CI systems this can
take longer. Add a retry logic which checks the container log every
second for up to 5 seconds. That should be plenty of time.
Fixes#17204
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If the image being used has a user set that is a positive
integer greater than 0, then set the securityContext.runAsNonRoot
to true for the container in the generated kube yaml.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
After https://github.com/containers/netavark/pull/452 `netavark` is
incharge of deciding `custom_dns_servers` if any so lets honor that and
libpod should not set these manually.
This also ensures docker parity
Podman populates container's `/etc/resolv.conf` with custom DNS servers ( specified via `--dns` or `dns_server` in containers.conf )
even when container is connected to a network where `dns_enabled` is `true`.
Current behavior does not matches with docker, hence following commit ensures that podman only populates custom DNS server when container is not connected to any network where DNS is enabled and for the cases where `dns_enabled` is `true`
the resolution for custom DNS server will happen via ( `aardvark-dns` or `dnsname` ).
Reference: https://docs.docker.com/config/containers/container-networking/#dns-services
Closes: containers#16172
Signed-off-by: Aditya R <arajan@redhat.com>
`default` is already used as network mode, i.e. podman run --network
default will choose the default mode not a network named `default`.
We already block names from other network modes, default was forgotten.
Fixes#17169
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Output from podman system service, on system tests, is
being saved... it just hasn't been collected as an artifact.
Start collecting it. And, remove obsolete-unused-misleading
code that made me think it _was_ being collected.
Also: log system-service output for bud tests, and set
log-level to info per suggestion from @Luap99
Signed-off-by: Ed Santiago <santiago@redhat.com>
July 2022: test was flaking on new VM images. We needed new
images, so I filed #15014 and skipped the test.
January 2023: no attention from anyone, so I'll try bumping up
a dd timeout from 10s to 30s. But in the interim, the test
has broken: it used to expect "Containerfile" in output (this
was deliberately added in #13655)... but #16810 changed that
so Containerfile no longer appears. @flouthoc argues that
this too is deliberate (#17059). Okay, so let's change the
test then. All I care about is not adding more regressions.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Reserved annotations are used internally by Podman and would effect
nothing when run with Kubernetes so we should not be generating these
annotations.
Fixes: https://github.com/containers/podman/issues/17105
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
OpenShift Merge Robot
Ygal Blum
Daniel J Walsh
Ed Santiago
Valentin Rothberg
Stefano Brivio
Matt Heon
dependabot[bot]
Toshiki Sonoda
Paul Holzinger
Giuseppe Scrivano
restitux
Urvashi Mohnani
Chris Evich
danishprakash
T K Chandra Hasan
vyasgun
Erik Sjölund
Miloslav Trmač
Alex Jia
Aditya R
Jason T. Greene
tomsweeneyredhat
Daniel Lublin
Ingo Becker
danishprakash