Unify the functions used to detect rootless to "isRootless()".
This function can detect to join the user namespace by mistake.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
...and instrument with 'podman ps'es for debugging failures.
Test flakes pretty regularly in Fedora gating. If the increased
timeout doesn't help, at least we should be able to see if the
container is stopping or failed or something.
Signed-off-by: Ed Santiago <santiago@redhat.com>
to not give a false sense of security since these are not a security
mechanism but a hook to run arbitrary code before executing a
command.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Until Podman v4.3, privileged rootfull containers would expose all the
host devices to the container while rootless ones would exclude
`/dev/ptmx` and `/dev/tty*`.
When 5a2405ae1b ("Don't mount /dev/tty* inside privileged containers
running systemd") landed, rootfull containers started excluding all the
`/dev/tty*` devices when the container would be running in systemd
mode, reducing the disparity between rootless and rootfull containers
when running in this mode.
However, this commit regressed some legitimate use cases: exposing
non-virtual-terminal tty devices (modems, arduinos, serial
consoles, ...) to the container, and the regression was addressed in
f4c81b0aa5 ("Only prevent VTs to be mounted inside privileged
systemd containers").
This now calls into question why all tty devices were historically
prevented from being shared to the rootless non-privileged containers.
A look at the podman git history reveals that the code was introduced
as part of ba430bfe5e ("podman v2 remove bloat v2"), and obviously
was copy-pasted from some other code I couldn't find.
In any case, we can easily guess that this check was put for the same
reason 5a2405ae1b was introduced: to prevent breaking the host
environment's consoles. This also means that excluding *all* tty
devices is overbearing, and should instead be limited to just virtual
terminals like we do on the rootfull path.
This is what this commit does, thus making the rootless codepath behave
like the rootfull one when in systemd mode.
This leaves `/dev/ptmx` as the main difference between the two
codepath. Based on the blog post from the then-runC maintainer[1] and
this Red Hat bug[2], I believe that this is intentional and a needed
difference for the rootless path.
Closes: #16925
Suggested-by: Fabian Holler <mail@fholler.de>
Signed-off-by: Martin Roukala (né Peres) <martin.roukala@mupuf.org>
[1]: https://www.cyphar.com/blog/post/20160627-rootless-containers-with-runc
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=501718
Increase the loop range from 5 to 20 to make sure we give the service
enough time to transition to inactive. Other tests have the same range
with 0.5 seconds sleeps, so I expect the new value to be sufficient and
consistent.
Fixes: #17093
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Make sure that the specs of containers generated by `kube play` are
correctly completed. They have not before which surfaced in default
environment variables not being set.
Fixes: #17016
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The StoppedByUser variable indicates that the container was
requested to stop by a user. It's used to prevent restart policy
from firing (so that a restart=always container won't restart if
the user does a `podman stop`. The problem is we were setting it
*very* late in the stop() function. Originally, this was fine,
but after the changes to add the new Stopping state, the logic
that triggered restart policy was firing before StoppedByUser was
even set - so the container would still restart.
Setting it earlier shouldn't hurt anything and guarantees that
checks will see that the container was stopped manually.
Fixes#17069
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
The kube-play test file was a rat's nest of long complicated
yaml strings all differing only slightly. Clean it up, by
adding a helper function with optional parameters. The
helper is ugly, but the actual test code (the important
stuff) is cleaner.
Signed-off-by: Ed Santiago <santiago@redhat.com>
While manually playing with --service-container, I encountered a number
of too verbose logs. For instance, there's no need to error-log when
the service-container has already been stopped.
For testing, add a new kube test with a multi-pod YAML which will
implicitly show that #17024 is now working.
Fixes: #17024
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Move the handling of Publish key to a method
use --publish instead of -p
Use the new method for both .container and .kube files
Adjust .container tests
Add .kube tests
Update the man page
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
- When SELinux is enabled, a storage root directory
should be labeled with a specific value.
- `stop podman.service` test changes a storage root directory,
therefore we need to cleanup a container with --root option.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
While mounting virtual console devices in a systemd container is a
recipe for disaster (I experienced it first hand), mounting serial
console devices, modems, and others should still be done by default
for privileged systemd-based containers.
v2, addressing the review from @fho:
- use backticks in the regular expression to remove backslashes
- pre-compile the regex at the package level
- drop IsVirtualTerminalDevice (not needed for a one-liner)
v3, addressing the review from @fho and @rhatdan:
- re-introduce a private function for matching the device names
- use path.Match rather than a regex not to slow down startup time
Closes#16925.
Fixes: 5a2405ae1b ("Don't mount /dev/tty* inside privileged...")
Signed-off-by: Martin Roukala (né Peres) <martin.roukala@mupuf.org>
When SELinux is enabled, e2e test could be failed
due to run a ls command in a running container.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
Much as we'd love to eat our dogfood, podman.io is not hosted
on reliable infrastructure; redhat.com is. Let's see if this
gets rid of CI flakes.
Closes: #17044
Signed-off-by: Ed Santiago <santiago@redhat.com>
If the run errors, cobra does not execute post runs. It is a somehow
known issue (https://github.com/spf13/cobra/issues/914) but problematic
for Podmand as the runtime is shutdown during post run.
Since some commands overwrite the post run and a general lack in cobra
of post runs on errors, move the shutting down the engines directly into
Execute. Fixing the issue may fix a number of flakes.
Note that the shutdowns are NOPs for the remote client.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
follow-up to 6886e80b45
when "podman -rm -f" is used on a container in "stopping" state, also
make sure it is terminated before removing it from the local storage.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
if /sys is bind mounted from the host then also add an explicit mount
for /sys/fs/cgroup so that 'ro' is honored.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Do not allow for removing the service container unless all associated
pods have been removed. Previously, the service container could be
removed when all pods have exited which can lead to a number of issues.
Now, the service container is treated like an infra container and can
only be removed along with the pods.
Also make sure that a pod is unlinked from the service container once
it's being removed.
Fixes: #16964
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add a new flag --publish
Remote - Pass PublishPorts as a string array
ABI - translate the string array to Ports and merge with the ports in the spec
Add e2e tests
Add option to man doc
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Red Hat registry is too unreliable. (As of this writing
in January 2023, quay.io is not much better, but this is
a new flake. Ubi has been flaking for a year or more).
Instead of UBI, use the new systemd-image added to system tests
in #16814. Since this reduces the number of cached images,
a few unrelated tests (image count) need to be tweaked.
And, sigh, Fedora systemd colorizes boot messages by default,
causing a failure where we don't see an expected Reached Target
message. I don't want to rely on ASCII formatting codes, so
I've updated the build-systemd-image script so it disables
systemd colors, and have built a new systemd-image:20230106.
Made a few small usability improvements to the script as well.
Closes: #16695
Signed-off-by: Ed Santiago <santiago@redhat.com>
When you use podman logs with --until and --follow it should exit after
the requested until time and not keep hanging forever.
This fixes the behavior for the k8s-file backend.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When you use podman logs with --until and --follow it should exit after
the requested until time and not keep hanging forever.
To make this work I reworked the code to use the better journald event
reading code for logs as well. this correctly uses the sd_journal API
without having to compare the cursors to find the EOF.
The same problems exists for the k8s-file driver, I will fix this in the
next commit.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The `containerCouldBeLogging` bool should not be false by default, when
--since is used we seek in the journal and can miss the start event so
that bool would stay false forever. This means that a running container
is not followed even when it should.
To fix this we can just set the `containerCouldBeLogging` bool based on
the current contianer state.
Fixes#16950
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
do not allow removing containers that are in the stopping state,
otherwise it can lead to a race condition where a "podman rm" removes
the container from the storage while another process is stopping the
same container.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2155828
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
When SELinux is running in enforcing mode,
this test needs to add an suffix :Z to the volume mount.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
This change aims to store an error message to the ContainerState struct
with the last known error from the Start, StartAndAttach, and Stop OCI
Runtime functions.
The goal was to act in accordance with Docker's behavior.
Fixes: #13729
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
Add the new keys to the supported keys list for the Container group
Pass the list of EnvironmentFile values while maintaining the order
Quadlet e2e test framework: Add support for checking regex in Podman args
Add relevant tests
Update man
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Reasoning
---------
When the log-driver is passthrough, the journal socket is passed to the containers as-is which has two advantages:
1. journald can see who the actual sender of the log event is,
rather than thinking everything comes from the conmon process
2. conmon will not have to copy all the log data
Code Changes
------------
If log-driver was not set by the user and service-container is set use
passthrough as the default log-driver
Update the system tests
- explicitly set logdriver in sdnotify and play tests
- podman-kube template test: Verify the default log driver for service-container
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
New tests got added since I've been on PTO. Some of those tests
weren't doing cleanup, resulting in nasty red logs. Fix.
Signed-off-by: Ed Santiago <santiago@redhat.com>
In 'run_podman ? ...', the question mark will _usually_ be
interpreted as a literal question mark, meaning "ignore
exit status". But if there are one or more single-character
filenames in the working directory, such as droppings from
a command such as 'my-test-command > a', Very Bad Things
will happen: the test will fail with an incomprehensible
error message. Prevent that.
Signed-off-by: Ed Santiago <santiago@redhat.com>
...based on f37, not f31. And make it fedora-minimal so it's
smaller. And clean up dnf so it's even smaller. And tag it
with our proper YMD tag, and commit the script that builds it.
This broke the system-df tests. In the process of resolving
that, I found those tests a little lacking. So, improve their
coverage a little bit.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Make sure the Container unit correctly references the volume
Start the Container service and not the Volume one
Remove the volume
Print the name of the service when status does not match
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
The test was only waiting for the port to be ready but that doesn't
imply the server being ready to serve requests. Hence, add a loop
waiting for the `info` call to succeed.
Fixes: #16916
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Added the functionality for a user to update the PIDs limit for a
container.
Fixes: #16543
Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
podman-remote converts and sends absolute path as context when its an
emptydir by adding additional seperator however it should correctly trim
the path and not add additional seperator for such use cases.
Closes: BZ#2145054
Signed-off-by: Aditya R <arajan@redhat.com>
If you are running temporary containers within podman play kube
we should really be running these in read-only mode. For automotive
they plan on running all of their containers in read-only temporal
mode. Adding this option guarantees that the container image is not
being modified during the running of the container.
The containers can only write to tmpfs mounted directories.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The function grew into a big hairy ball over time and I personally
refrained from touching it as it seemed fragile. Hence, refactor
the function into something more comprehensible and maintainable.
There is still potential for improvement but I want to tackle one
thing at a time.
[NO NEW TESTS NEEDED] as it shouldn't change behavior.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
These just run once and are considered successful at exist. Not much is
needed to support it, but we have to avoid overwriting the type
with Type=notify.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
...make sure podman rejects being called with incompatible options
Replaces: https://github.com/containers/podman/pull/16813
Which is stuck in CI and Ed is on break.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
podman play kube now supports and has tests for the subpath field when using a hostPath volume type and a configMap volume type.
The hostpath works similarly to the named volume, allowing a user to specify a whole directory but also a specific file or subdir within that mount. Config Maps operate the same way but specifically allow users to mount specific data in a subpath alongside the existing data
resolves#16828
Signed-off-by: Charlie Doern <cbddoern@gmail.com>
This allows use to use STDOUT directly without having to call open
again, also this makes the export API endpoint much more performant
since it no longer needs to copy to a temp file.
I noticed that there was no export API test so I added one.
And lastly opening /dev/stdout will not work on windows.
Fixes#16870
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The ReadOnly and the RunInit keys affect options that have a variable
default (configurable in containers.conf). This means we need to
handle them a bit differently in quadlet to allow overriding the
default. For example, we can't assume ReadOnly=false doesn't need to
add any argument because no argument may mean readonly=true if the default
is changed.
We now don't add any argument (leaving the default) if the key is not specified,
or we always add an argument (--foo or --foo=false) if the key is specified (overriding whatever the default is).
Signed-off-by: Alexander Larsson <alexl@redhat.com>
False is the assumed value, and inspect and podman generate kube are
being cluttered with a ton of annotations that indicate nothing.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Support .network file to create a systemd service that runs podman network create
Support networks with .network suffix in Container and Kube to link with Quadlet created networks
Add E2E Tests
Add man doc
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Override the signature policy to always allow pushing images from local
storage, even if the default policy is set up to always disallow reading
images from any location.
Pay attention to the --signature-policy option in `podman push`, so that
we can test this properly.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This adds basic container and volume system tests for quadlet. These
install and run actual systemd units and ensure they work.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
When we read logs there can be full or partial lines, when it is full we
need to append a newline, thus the message length must be incremented by
one.
Fixes#16856
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
In the recent past, I met the frequent need to wait for a container to
exist that, at the same time, may get removed (e.g., system tests in [1]).
Add an `--ignore` option to podman-wait which will ignore errors when a
specified container is missing and mark its exit code as -1. Also
remove ID fields from the WaitReport. It is actually not used by
callers and removing it makes the code simpler and faster.
Once merged, we can go over the tests and simplify them.
[1] github.com/containers/podman/pull/16852
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This changes the podman binary name embedded in the generated files.
This is primarily needed for testing podman.
This also adds a -X config for BINDIR so that we pick up the right
install target. This required tweaking some tests to handle the default
bindir not being /usr/bin.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
Also update vendor of containers/storage and image
Cleanup display of added/dropped capabilties as well
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
whenever the podman process is launched, it runs any file found in
these directories:
- /etc/containers/auth-scripts
- /usr/libexec/podman/auth-scripts
The current podman command line is passed as arguments to the
process.
If any of the processes fail, the error is immediately reported back
from podman that exits with the same error code.
[NO NEW TESTS NEEDED] requires a system-wide configuration.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Also fix a number of duplicate words. Yet disable the new `dupword`
linter as it displays too many false positives.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add --ignore flag to the command line
Add a new parameter to the NetworkCreate interface in pkg/domain for CreateOptions
Add a new API Network CreateWithOptions in pkg/bindings
Remote API - Add a query parameter to set the ignore flag
Kube - use the IgnoreIfExists flag when creating the default network instead of handling the failure
Add e2e tests
Update man page for podman-network-create
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
Init containers are removed once they exit, but podman
reports and error that the container does not exist, when
it was previously removed. Stop reporting missing containers
when removing.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
With the 4.0 network rewrite I introduced a regression in 094e1d70de.
It only covered the case where a checkpoint is restored via --import.
The normal restore path was not covered since the static ip/mac are now
part in an extra db bucket. This commit fixes that by changing the config
in the db.
Note that there were no test for --ignore-static-ip/mac so I added a big
system test which should cover all cases (even the ones that already
work). This is not exactly pretty but I don't have to enough time to
come up with something better at the moment.
Fixes#16666
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
subpath allows for only a subdirecty of a volumes data to be mounted in the container
add support for the named volume type sub path with others to follow.
resolves#12929
Signed-off-by: Charlie Doern <cbddoern@gmail.com>
* podman kube play support startup probe
* make probe use json string array instead of CMD-SHELL
Signed-off-by: Liang Chu-Xuan <karta0807913@gmail.com>
Just like podman-remote run users should still be able to set volumes,
of course the source must be on the server machine but this is already
the case for podman machine for example.
Fixes#16694
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The remote client should be allowed to specify if the container should
be run with the proxy env vars. It will still use the proxy vars from
the server process and not the client. This makes podman-remote more
consistent with the local version and easier to use in environments
where a proxy is required.
Fixes#16520
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If an error happening while playing a kube yaml,
clean up any pods, containers, and volumes that might
have been created before the error was hit.
This improves the user experience for when they go to
re-run the same yaml with their fixes and podman doesn't
complain about any existing workloads from the previously
failed run.
Suppress the clean up output when clean up happens after an
error as the user doesn't need to see or know about that.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Fixes e2e tests, remove '\n' from base64 encoded data.
Correct test to check that data in secret mounted file is decoded.
Closes#16269Closes#16625
Signed-off-by: Andrei Natanael Cosma <andrei@intersect.ro>
As outlined in #16076, a subsequent BARRIER *may* follow the READY
message sent by a container. To correctly imitate the behavior of
systemd's NOTIFY_SOCKET, the notify proxies span up by `kube play` must
hence process messages for the entirety of the workload.
We know that the workload is done and that all containers and pods have
exited when the service container exits. Hence, all proxies are closed
at that time.
The above changes imply that Podman runs for the entirety of the
workload and will henceforth act as the MAINPID when running inside of
systemd. Prior to this change, the service container acted as the
MAINPID which is now not possible anymore; Podman would be killed
immediately on exit of the service container and could not clean up.
The kube template now correctly transitions to in-active instead of
failed in systemd.
Fixes: #16076Fixes: #16515
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
- podman generate kube inheritents the proxy environment valiable by default.
Therefore, Env field is not empty if it is set.
- systemd-socket-acrivate needs to pass an proxy environment variable.
- busybox wget with an proxy doesn't work.
Network tests should use not wget but curl.
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10446
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
Move the handling of userns keys from ConvertContainer to a separate method
Adjust the method according to the different supported values
Use the new method in both ConvertContainer and ConvertKube
Pass isUser to ConvertKube as well
Add tests
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
This just calls GC on the local storage, which will remove any leftover
directories from previous containers that are not in the podman db anymore.
This is useful primarily for transient store mode, but can also help in
the case of an unclean shutdown.
Also adds some e2e test to ensure prune --external works.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
docker-compose sets the mac address in the container config and not the
network endpoint config. This is ugly when you have more than one
network, in this case docker just chooses the first network.
Fixes#16411
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The flake in #16076 is likely related to the notify message not being
delivered/read correctly. Move sending the message into an exec session
such that flakes will reveal an error message.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Since https://github.com/containers/podman/pull/16394 was merged
we now always delete the cid file if --replace=true was specified,
so we can avoid this extra command being launched.
[NO NEW TESTS NEEDED] Already tested in above PR.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
The containers should be able to write to tmpfs mounted directories.
Also cleanup output of podman kube generate to not show default values.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
These tests were unintentionally removed in commit
b47b48f (Revert "Add checkpoint image tests"). They
verify the functionality of the `--create-image` option for
`podman container checkpoint`.
Signed-off-by: Radostin Stoyanov <radostin@redhat.com>
Fix an overriding logic in Inhearit function.
Alos, ToSpecGen function doesn't load the cgroup/image volume config from containers.conf.
Signed-off-by: karta0807913 <karta0807913@gmail.com>
When the new `events_container_create_inspect_data` option is enabled in
containers.conf set the `ContainersInspectData` event field for each
container-create event.
The data was requested for the purpose of auditing (e.g., intrusion
detection).
Jira: https://issues.redhat.com/browse/RUN-1702
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Startup healthchecks are similar to K8S startup probes, in that
they are a separate check from the regular healthcheck that runs
before it. If the startup healthcheck fails repeatedly, the
associated container is restarted.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
If the secret exists, set optional in the KubeVolume to false to always use it
If the secret does not exist, if optional, set the same in the KubeVolume to skip it, otherwise fail
Add e2e tests
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
I found the ginkgolinter[1] by accident, this looks for not optimal
matching and suggest how to do it better.
Overall these fixes seem to be all correct and they will give much
better error messages when something fails.
Check out the repo to see what the linter reports.
[1] https://github.com/nunnatsa/ginkgolinter
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
- move the ginkgo deps into test/tools which is more consitent with the
other tools there, listing in dependencies always causes errors with
linters
- do not install it globally on the system, instead we use it in a
subdir of this project
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When restarting a container, clean up the healthcheck state by removing
the old log on disk. Carrying over the old state can lead to various
issues, for instance, in a wrong failing streak and hence wrong
behaviour after the restart.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2144754
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
honor eventual options set in the containers.userns setting in the
containers.conf file, e.g.:
[containers]
userns = "auto:size=8192"
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Quadlet was doing some custom handling of uid/gid remapping, originating
from pre --userns=auto support, including its own user for getting subuids
which kinda conflicts with the "container" user used for that.
This drops all the old support for id remapping in favour of a new set
of keys that more directly map to the podman run options.
We have essentially 3 modes now:
```
RemapUsers=manual
RemapUid=0:10000:10
RemapUid=10:20000:10
RemapGid=0:10000:10
RemapGid=10:20000:10
```
This maps to --uidmap and --gidmap options.
```
RemapUsers=auto
```
This maps to --userns=auto. But you can additionally specify RemapUid,
RemapGid and RemapUidSize which gets applied as options to the
--userns podman option.
```
RemapUsers=keep-id
```
This maps to --userns=keep-id and only works for user units.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
The 900-ssh test is not an actual test, and I'm unable to
figure out how to make it one. Skip it for now, but add a
bunch of FIXMEs some someone can come in later and actually
implement it.
Also removed lots of dead code and misleading comments.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The current test uses registry.redhat.io which does not support unauthenticated access
Replace the registry with registry.access.redhat.com which does
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
It's so easy to forget that "podman start" is nonblocking.
So podman create, start, restart has a race where "restart"
can run before the container actually starts.
Solution: start --attach. Thanks to @vrothberg for noticing that.
There are still a handful of other suspicious-looking restarts
in this test, but all involve "top" which of course has to be
detached. Since those don't have any flakes that I know of, I
choose to ignore them.
Fixes: #16505
Signed-off-by: Ed Santiago <santiago@redhat.com>
Podman --noout was not suppressing output from commands that do not
create the podman engine. Now, podman --noout properly suppresses output
from every command.
Fixes: https://github.com/containers/podman/issues/16201
Signed-off-by: Ashley Cui <acui@redhat.com>
No issue filed, because I thought these were related to 16132.
They're not: they're actual test bugs, running "play kube"
without actually waiting for the container to run. Fix that.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Weird one-off flake seen:
# ... healthcheck run <containername>
Error: container SHA is not running
The only way I can see this happening is if the healthcheck
auto-timer triggered, which seems impossible because that
should be 30s and the log timestamps show this test taking
18s. But, shrug, let's see if disabling the timer works. I
don't have high hopes that this will fix anything, but it's
probably a good idea regardless.
Also, since this test loops over different policies, include
policy name in error messages as a courtesy. (It's obtainable
anyway by scrolling up)
Signed-off-by: Ed Santiago <santiago@redhat.com>
Docker's newer clients popuates `cacheFrom` and `cacheTo` parameter
by default as empty array for all commands but buildah's design of
distributed cache expects this to be a repo not image hence parse
only the first populated repo and igore if empty array.
Signed-off-by: Aditya R <arajan@redhat.com>
Fix a bug for special-casing "." where Podman has mistakenly been
looking for a "." suffix instead of interpreting it as a path.
Add regression tests for the host-to-container, container-to-host and
container-to-container use cases. Have separate tests for each to
verify that previous Podman versions fail each case.
Fixes: #16421
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
--connection was failing due to the servicedestinations array being empty on runtime.
Fix by making sure the cached config is used
resolves#16282
Signed-off-by: Charlie Doern <cdoern@redhat.com>
Attempts to fix#16419
podman generate systemd --restart-sec pod
^now generates RestartSec= both in pod service file and in container service file.
podman generate systemd --restart-sec container
^now generates RestartSec= in container service file.
Signed-off-by: Veronika Fuxova <vfuxova@redhat.com>
`--format json` should not be the same as `--format {{json .}}`, the
later should actually run through the go template and thus create one
json object per entry instead of an json array.
Includes a vendor of c/common@main since it requires a fix from there as
well.
This matches docker compat.
Fixes#16436
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
`podman-remote` does not support `--events-backend`, which overrides a
log driver. When `--events-backend` is necessary in a test for
`podman-remote`, the test should be skipped.
We don't need to fix the other cases with
`_additional_events_backend()` because `_log_test_follow()` already has
the same skipping logic and `_log_test_multi()` always skips a test when
testing `podman-remote`.
Signed-off-by: Hironori Shiina <shiina.hironori@fujitsu.com>
Up - do not fail if volume already exists, use the existing one
Down - allow the user to remove the volume by passing --force
Add tests
Update the documentation
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
When we are using a proxy, 'podman build - basic test'
will be failed on remote.
This test needs to add the '--http-proxy' option.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
_test_skopeo_credential_sharing() used port_is_free() to check if a
port has no active listeners. With the new implementation, this is
not equivalent anymore: a port might be in TIME_WAIT, so it's not
free, but the listener might be long gone.
Add tcp_port_probe() to check if there's an active listener on a
given port, and use it in _test_skopeo_credential_sharing().
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
These tests should cover all the basic networking functionality with
pasta(1). Namely, they check:
- IPv4 and IPv6 addressing and routing settings
- TCP and UDP port forwarding over IPv4 and IPv6
- data transfers and ICMP/ICMPv6 echo requests
- the (exceedingly simple) lifecycle handling
These tests need some new helpers, to obtain IPv4 and IPv4 addresses
and routes, as well as MTU and interface names. Those use jq(1) for
parsing.
Some availability checks are implemented as well, to skip tests if
pasta(1) is not available, or if IPv4 and IPv6 are not usable.
To get consistent outcomes across distributions, and to enable
uncomplicated termination for UDP tests based on zero-sized packets,
use socat(1), which, unlike netcat, doesn't suffer from option
inconsistencies depending on flavours (traditional, BSD, NMAP) and
versions.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
The main helpers.bash file is rather bloated and it's difficult to
find stuff there. Move networking functions to their own helper
file.
While at it, apply a consistent style, and rearrange logically
related functions into sections.
Suggested-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Using bash /dev/tcp/ pseudo-device files to probe for bound ports has
indeed the advantage of simplicity, but comes with a few drawbacks:
- it will actually send data to unsuspecting services that might be
running in the same network namespace as the tests, possibly
causing unwanted interactions
- it doesn't allow for UDP probing
- it makes it impossible to clearly distinguish between different
address bindings
Replace that approach with a new helper, port_is_bound(), that uses
procfs entries at /proc/net to detect bound ports, without the need
for active probing.
We can now implement optional parameters in callers, to check if a
port if free for binding to a given address, including any IPv4
(0.0.0.0) or any IPv6 (::0) address, and for a given protocol, TCP
or UDP.
Extend random_free_port() and random_free_port_range() to support
that.
The implementation of one function in the file
test/system/helpers.bash, namely ipv6_to_procfs(), and the
implementation of the corresponding own test, delimited by the
markers "# BEGIN ipv6_to_procfs" and "# END ipv6_to_procfs" in the
file test/system/helpers.c was provided, on the public forum at:
https://github.com/containers/podman/pull/16141
by Ed Santiago <santiago@redhat.com>, who expressly invited me to
include them in this code submission.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Currently, wait_for_port() duplicates the check logic implemented by
port_is_free().
Add an optional argument to port_is_free(), representing the bound
address to check, and call it, dropping the direct check in
wait_for_port().
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
It looks like #16132 was my fault: a missing 'wait' for a container
to exit. Let's see if this fixes the flake.
And, while poking through flake logs, I found another missing wait.
And... in wait_for_output(), address a potential race.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This one has been a thorn in my side: it's a podman-log issue,
but not remote, so I _almost_ retitled #16132 (removing "remote").
Nope, it's a bug in the tests themselves. One solution would be to
podman-wait, but I see no reason for logs to be involved, so I
went with podman start -a instead. This removes the k8s-log stuff
which is no longer necessary. Cleanup all around.
Signed-off-by: Ed Santiago <santiago@redhat.com>
As far as I can tell there is no reason to use apk in these tests. They
just build an image and check for it and never use the installed binary.
Network calls are always unstable and therefore should be avoided when
possible, this ensures no/less flakes.
Fixes#16391
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Remove the container/pod ID file along with the container/pod. It's
primarily used in the context of systemd and are not useful nor needed
once a container/pod has ceased to exist.
Fixes: #16387
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
--insecure and --verbose flags for docker compatibility
--tls-verify for syntax compatibility and allow users to inspect
manifests at remote Container Registiries without requiring tls.
Helps fix: https://github.com/containers/podman/issues/14917
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
there is already the same check when using cgroupfs, but not when
using the systemd cgroup backend. The check is needed to avoid a
confusing error from the OCI runtime.
Closes: https://github.com/containers/podman/issues/16376
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
We have CI tests running in netavark mode when CNI is desired.
Add a new .cirrus.yml envariable, CI_DESIRED_NETWORK, which
we then force-check in e2e and system tests. Simple copy/paste
of #14912 (the RUNTIME check) with manual s/RUNTIME/NETWORK/
and other minor changes.
Signed-off-by: Ed Santiago <santiago@redhat.com>
When I first enabled buildah-bud tests under podman-remote (#9887),
I got one aspect all wrong: I added a podman-remote() helper function
to match the podman() one. Turns out it's never actually called,
even when $PODMAN_BINARY=podman-remote, because functions/aliases
don't work that way.
The way it works is, those few cases in which bud.bats runs
podman are not magically remapped to podman-remote, they use
the podman() function. That's where we need to check if
we're using podman-remote, and that's where we need to
remove the registry-and-rootdir options.
With this fix, we can reenable two previously-skipped bud tests.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add the abilitiy to deploy the generated kube yaml to a
kubernetes cluster with the podman kube apply command.
Add support to directly apply containers, pods, or volumes
by passing in their names or ids to the command.
Use the kubernetes API endpoints and http requests to connect
to the cluster and deploy the various kubernetes object kinds.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Basically, acknowledge the need for dependencies and link
to Fedora specfile which is the only sane place to find
such a list.
Closes: #16365
Signed-off-by: Ed Santiago <santiago@redhat.com>
Only want to report if user created local customized storage in
/etc/containers/storage.conf or in
$HOME/.config/containers/storage.conf, when resetting storage.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When there is a podman pause process running the local podman ginkgo
tests will join the usernamespace. This because pkg/rootless will
automatically join the ns on startup when possible. To fix this we
need to use the remote build tag which disables that behavior.
However since the remote tag is also used in the e2e test itself we
would always run remote tests which is wrong, this is fixed by using a
new `remote_testing` tag for the test.
see discussion here: https://github.com/containers/podman/pull/16309#discussion_r1006166930
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We've had some oopsies in system tests:
podman foo bar
run podman foo bar
...all of which should be run_podman with underscore. Those
have been passing because /usr/bin/podman is the fallback
from $PATH. In those (few) cases, we haven't actually been
testing the podman we should be testing.
Solution: nuke /usr/bin/podman and podman-remote before
invoking system and unit tests. As an extra level of
paranoia, check for other podmans in $PATH - if any
exist, bail out with a fatal error.
Also: in a few cases where runner.sh invokes podman for
containerized something-something, run bin/podman instead
of podman from $PATH.
Also: fix existing dependencies on /usr/bin/podman
Signed-off-by: Ed Santiago <santiago@redhat.com>
idmap is documented as supported for volumes, but it was not added to
the getNamedVolume() function.
Fixes: e83d36665 ("volumes: add new option idmap")
Signed-off-by: Kristian Klausen <kristian@klausen.dk>
Emergency import of https://github.com/containers/buildah/pull/4377
required because the ubi8 image changed behind our backs.
On podman main, this commit will be reverted by Ed's
treadmill as soon as a new buildah is vendored into podman.
On side branches, the human doing the vendoring will need to
perform manual surgery. I hope the instructions are good enough.
Signed-off-by: Ed Santiago <santiago@redhat.com>
One of the system tests was creating a volume and not cleaning up
after itself. Fix that: do cleanup in the test itself. And, add
a 'volume rm -af' to global teardown() to leave things clean for
the next tests.
Also, OOPS! Correct some instances of 'podman' in two system
tests to 'run_podman'. And remove an unused (misleading) variable.
And, one more: in auto-update test, unit file, use $PODMAN,
not /usr/bin/podman
UGH! Yet one more: found/fixed a 'run<space>podman'
Signed-off-by: Ed Santiago <santiago@redhat.com>
I have no idea what this usage means, but the test fails
on a system with no /usr/bin/podman ... and that suggests
to me that the test is broken, in that it's been using
/usr/bin/podman instead of the $PODMAN we're testing.
Solution: 'podman', not '/usr/bin/podman'. Per @Luap99,
podman will replace the string 'podman' with /proc/self/exe
Signed-off-by: Ed Santiago <santiago@redhat.com>
One test was using a hardcoded fixed port, with a comment
referring to #10806. That issue seems fixed, so let's
try switching to a pseudorandom open port.
Does not actually fix#16289 but I'm going to close that
anyway, will reopen if it recurs.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Bump the timeout waiting for the container to process the signal.
The comparatively short timeout is most likely responsible for
flakes in gating tests.
Fixes: #16091
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add a new annotation to allow the user to point to a local tar file
If the annotation is present, import the file's content into the volume
Add a flag to PlayKubeOptions to note remote requests
Fail when trying to import volume content in remote requests
Add the annotation to the documentation
Add an E2E test to the new annotation
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
It was a bit unclear what setting it to empty means.
Also, add to the tests verification that this works.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This is much better for the systemd case becase we pass the journal
socket fds directly to the container. This means less copying of the
logs, but it also means the journal will correctly get the peer
process id when it tries to extract things like the name of what
is logging something.
With this we correctly name the logging process rather than claim
everything comes from conmon.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This makees much more sense for typical service loads, and can
easily be reverted by `ReadOnly=no`.
Also updates and adds various tests for this.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
Truncate the container and pod ID files instead of throwing an error.
The main motivation is to prevent redundant work when starting systemd
units. Throwing an error when the file already exists is not preventing
races or file corruptions, so let's leave that to the user which in
almost all cases are generated (and tested) systemd units.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This way we don't have to use the `ExecCondition=podman volume exist`,
which saves one process start.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This ignores the create request if the named volume already exists.
It is very useful when scripting stuff.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
There's no guarantee that the searched image will be returned, so only
make sure that "alpine" is mentioned somewhere.
Fixes: #16248
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Fixed the issue of `--format` and `--verbose` flags being allowed in
combination with one another.
Implemented functionality for `--format json` or `--format '{{ json }}' `.
Implemented command-completion help for `--format`.
Fixes: #16204
Signed-off-by: Jake Correnti <jcorrenti13@gmail.com>
Reduce the number of top-level packages in ./pkg by moving quadlet
packages under ./pkg/systemd.
[NO NEW TESTS NEEDED] - no functional change.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Fix two bugs in `system df`:
1. The total size was calculated incorrectly as it was creating the sum
of all image sizes but did not consider that a) the same image may
be listed more than once (i.e., for each repo-tag pair), and that
b) images share layers.
The total size is now calculated directly in `libimage` by taking
multi-layer use into account.
2. The reclaimable size was calculated incorrectly. This number
indicates which data we can actually remove which means the total
size minus what containers use (i.e., the "unique" size of the image
in use by containers).
NOTE: The c/storage version is pinned back to the previous commit as it
is buggy. c/common already requires the buggy version, so use a
`replace` to force/pin.
Fixes: #16135
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
PR #16141 introduces a new network type, "pasta". Its tests
rely on running 'ip -j' and socat in the container. Add them.
Also: bump to alpine 3.16.2 (from 3.16.0)
Also: clean up apk cache, this saves us 2MB+ in the image
Also (unrelated): clean up two broken uses of '$(< ...)' that
are causing tests to blow up under bats 1.8 on my laptop
New testimage is 20221018 and, sigh, is 12.7MB (up 4MB).
Signed-off-by: Ed Santiago <santiago@redhat.com>
Based on the initial port in https://github.com/containers/quadlet/pull/41
This contains the unit tests and the testcases from the C code as well
as modification to the podman spec file based on what the quadlet
spec file looks like, producing a podman-quadlet subpackage.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
Also create one constant for ErrDuplicateDest, rather then have the same
value set three times.
Fixes: https://github.com/containers/podman/issues/4217
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Make sure to wait for the container to exit after kill. While the
cleanup process will take care eventually of transitioning the state, we
need to give a guarantee to the user to leave the container in the
expected state once the (kill) command has finished.
The issue could be observed in a flaking test (#16142) where
`podman rm -f -t0` failed because the preceding `podman kill`
left the container in "running" state which ultimately confused
the "stop" backend.
Note that we should only wait for the container to exit when SIGKILL is
being used. Other signals have different semantics.
[NO NEW TESTS NEEDED] as I do not know how to reliably reproduce the
issue. If #16142 stops flaking, we are good.
Fixes: #16142
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The new cobra update fixed a bug which caused some options to not be
included in --help when there was already a option with the same name
on a parent command.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Basically, in the timeout loop where we checked for new CID
on the restarted container, we were running 'podman inspect'
(not 'inspect --format ID'), and comparing full hundred-line
output against single-line CID string.
While I'm in here, add 'c_' prefix to container to make it
easier for my old eyes to recognize "oh, that's a container name"
vs "is that a name? a SHA? a woozle?"
Signed-off-by: Ed Santiago <santiago@redhat.com>
Fix the "stop" on-failure action by not removing the transient systemd
timer and service during container stop. Removing the service will
in turn cause systemd to terminate the Podman process attempting to
stop the container and hence leave it in the "stopping" state.
Instead move the removal into the restart sequence.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Make sure that the on-failure actions only kick in once the health check
has passed its retries. Also fix race conditions on reading/writing the
log.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
In order to allow pods to reach other pods (as in Kubernetes) they all
need to be added to the same network. A network is created (if it
doesn't exist) and pods created by play-kube are added to that network.
When network options are passed to kube command the pods are not
attached to the default kube network.
Signed-off-by: Andrei Natanael Cosma <andrei@intersect.ro>
Include the digest of the image in `podman container inspect`. The image
digest is a key information for auditing as it defines the identify of
an image. This way, it can be determined whether a container used an
image with a given CVE etc.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
I see no reason to block --network host with kube play and force users
to have to set it in the yaml file.
This is just confusing when compared to the other podman create/run
--network options, see discussion in #15945.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Fixed issue where executing the command `podman pod logs -l` would panic
because it was indexing into an empty arguments array.
Signed-off-by: Jake Correnti <jcorrenti13@gmail.com>
Since by default the network config dir is shared in the e2e tests any
other parallel running test could remove a network and cause this test to
fail.
Fixes#15990
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The `podman run` command has been extended with support for checkpoint
images. A checkpoint image contains image files generated by criu that
allow to restore the runtime state of containerized applications. This
patch adds a test case for this functionality.
Signed-off-by: Radostin Stoyanov <radostin@redhat.com>
This reverts commit 32f54a81ed.
`pkg/bindings` is supported outside of podman and we have to keep it
stable.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
I was testing --log-level by --storage-opt=mount_program=/bin/false
Stop doing that. It's just constantly breaking everything (#15698
and #15977).
I am violently of the opinion that a command-line option must
not destroy a user's system (except for --set-something, --config,
something that makes it very very clear that it is a lasting
change). I seem to be in the minority on this opinion. So, I
give up.
Signed-off-by: Ed Santiago <santiago@redhat.com>
If user does not specify hostPort in a kube.yml file but does specify
a containerPort, then the hostPort should default to the containerPort.
Fixes: https://github.com/containers/podman/issues/15942
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Followup to #15895:
- add a normal-case test, to ensure that --privileged without
systemd continues to pass through /dev/ttyN devices
- explain why we die() if host has no ttyN devices
- I find grep -vx slightly easier to read than sed backslash-slash
- run cleanup with '-t 0', to shave ten seconds from CI run
Signed-off-by: Ed Santiago <santiago@redhat.com>
Auto updates using the "registry" policy require container to be created
with a fully-qualified image reference. Short names are not supported
due the ambiguity of their source registry. Initially, container
creation errored out for non FQN images but it seems that Podman has
regressed.
Fixes: #15879
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
We force the isolate option on new newtworks because that is the docker
behavior. However when we inspect them they should not be displayed to
the caller since they have no idea about it and docker-compose throws an
error because of that.
Fixes#15580
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Changes since 2022-09-09:
- man page: add --skip-unused-stages (buildah 4249)
- man page: bring in new Note for --cache-ttl (4248)
- system tests: de-stutter (4205)
- (internal): in skip() applier: escape asterisk, otherwise
the "bud with --dns* flags" sed expression never applies.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
restore endpoint was totally ignoring --pod, it was missing from the schema and from query handling
on the api handlers side. add support for it here.
resolves#15018
Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
This allows tools like Cockpit to know that the pod in question
has also been updated, so they can refresh the list of containers
in the pod.
Fixes#15408
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We added the concept of image volumes in 2.2.0, to support
inspecting an image from within a container. However, this is a
strictly read-only mount, with no modification allowed.
By contrast, the new `image` volume driver creates a c/storage
container as its underlying storage, so we have a read/write
layer. This, in and of itself, is not especially interesting, but
what it will enable in the future is. If we add a new command to
allow these image volumes to be committed, we can now distribute
volumes - and changes to them - via a standard OCI image registry
(which is rather new and quite exciting).
Future work in this area:
- Add support for `podman volume push` (commit volume changes and
push resulting image to OCI registry).
- Add support for `podman volume pull` (currently, we require
that the image a volume is created from be already pulled; it
would be simpler if we had a dedicated command that did the
pull and made a volume from it)
- Add support for scratch images (make an empty image on demand
to use as the base of the volume)
- Add UOR support to `podman volume push` and
`podman volume pull` to enable both with non-image volume
drivers
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
According to https://systemd.io/CONTAINER_INTERFACE/, systemd will try take
control over /dev/ttyN if exported, which can cause conflicts with the host's tty
in privileged containers. Thus we will not expose these to privileged containers
in systemd mode, as this is a bad idea according to systemd's maintainers.
Additionally, this commit adds a bats regression test to check that no /dev/ttyN
are present in a privileged container in systemd mode
This fixes https://github.com/containers/podman/issues/15878
Signed-off-by: Dan Čermák <dcermak@suse.com>
Toshiki Sonoda
Ed Santiago
OpenShift Merge Robot
Giuseppe Scrivano
Martin Roukala (né Peres)
Valentin Rothberg
Ygal Blum
Dan Čermák
Matthew Heon
Aditya R
Romain Geissler
Daniel J Walsh
Paul Holzinger
dependabot[bot]
Ashley Cui
Jake Correnti
SamirPS
Leonardo Rossetti
Alexander Larsson
Charlie Doern
Liang Chu-Xuan
Nalin Dahyabhai
Jakob Ahrer
Matej Vasek
Urvashi Mohnani
Andrei Natanael Cosma
Radostin Stoyanov
Miloslav Trmač
Evan Lezar
gupttaru
Erik Sjölund
Charlie Doern
Chris Evich
Veronika Fuxova
Hironori Shiina
Stefano Brivio
Jake Torrance
Björn Mosler
Prajwal S N
Kristian Klausen
Jake Correnti
Piotr Resztak
Mikhail Khachayants
Boaz Shuster
cdoern