Extend the systemd auto-update service to prune images after an update
has run. As reported by a user [1], auto updates can over time cause
the disk to run out of space. With Edge being a target use case, we
need to make sure that systems can run without much supervision, so
let's make sure to run `podman image prune` to clean up dangling images.
[1] https://twitter.com/r_isc_y/status/1388981737011793921Fixes: #10190
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Commit 7f2c27d43f added an invalid value for the log_driver in the
containers.conf file inside the podman image.
Fixes#10312
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Update the order of image documentation to be from most to least stable.
Similarly, avoid depending on execution of upstream podman, when
building/pushing. It's easily possible for this build to function but
execution to fail due to some partially implemented feature.
Also, ensure images tagged `latest` are pushed for every matrix
item. For 'upstream' and 'testing', this replaces use of the
'master' tag.
Lastly, update workflow comments and split the 'podman' and 'containers'
FQIN steps and outputs to improve readability.
Signed-off-by: Chris Evich <cevich@redhat.com>
Also simplify `lib.sh` after supporting changes incorporated
into automation library 2.x+ (present in all VM and container images).
* No need to force-load `/etc/profile` and handle it's expectation
to **not** being in `errexit` mode.
* Slightly re-arrange loading of automation library files for
clarity.
* Update comments.
Signed-off-by: Chris Evich <cevich@redhat.com>
Distro builds on Fedora and Kubic projects use GO111MODULE=off
by default which are currently failing. This commit fixes it and
going forward, podman CI will also indicate failures in rpm builds.
The additional LDFLAGS have been removed from the spec file
which is not ideal. But, currently we only use the spec file
to check if the rpm builds fine. We can fix the LDFLAGS in a
later commit when we're working on packit integration.
conmon build has also been removed from podman.spec.in because the COPR
for which it was provided has been discontinued.
[NO TESTS NEEDED]
Fixes: #10009
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
docker-compose test continues to flake even after #9961.
Let's try to get some useful data from the failures, by:
* adding -S (--show-error) to curl. With just -s (--silent),
curl is completely quiet. With -S, it displays errors.
(Not in TAP form, but I'm OK with that)
* oops, adding safety checks to the fix from #9961 (it
was inadvertently clobbering the curl exit status)
And, as long as I'm in this code: logformatter was not
highlighting these results, because the '1..N' TAP line
needs to be spit out at the end. Have test-compose emit
a 'TAP' header <http://testanything.org/> and make
logformatter recognize it.
Signed-off-by: Ed Santiago <santiago@redhat.com>
* Incorporate changes from abandoned #9918: Use dedicated `bin`
sub-directories for `windows` and `darwin` when building
`podman-remote`. The linux flavor remains under `bin` as before.
* Fix MacOS Documentation-generation for release-packaging.
The `install-podman-remote-%-docs` target requires local execution
of `podman-remote`, but it was assuming GOOS=linux. Fix this
by dynamically discovering the local OS/architecture type while
still permitting cross-building of MacOS binaries under Linux.
* Unify temporary directory/file behavior to use a common template.
In case of left-over temporary items left in the repository,
update the `clean` target accordingly to remove them.
* Fix broken podman-remote-static and MacOS release archive targets
mismatching the `podman-remote-%` target. Disambiguate this target
for all platforms by spelling each out in full, instead of using
a wild-card recipe.
* Fix Windows-installer target to properly recognize existing
output files and not constantly rebuild every time.
* Include the podman version number in the Windows-installer target
in case a user downloads multiple releases.
* Include a subdirectory containing the podman version number for
both `tar.gz` and `zip` targets. This prevents users clobbering
existing directories when un-archiving from releases.
Signed-off-by: Chris Evich <cevich@redhat.com>
[NO TEST NEEDED] Can not test this in CI/CD system since it needs to be
merged in order for the Dockerfiles to even work.
Modified the /etc/subuid and /etc/subgid to be able to run in rootless
containers. The Range can not be the same as on the host.
Add /home/podman/.config/containers/containers.conf to automatically
mount /proc on /proc while inside of the container. This prevents
additional permissions being required that are blocked when not in
--privileged mode.
Setup volumes for /var/lib/containers and
/home/podman/.local/share/containwers
This will prevent the errors where people are doing overlay on overlay.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently podman only works with --isolation chroot. This PR
fixes this by allowing the isolation mode to default to OCI and to
also allow users to pass the isolation mode into the containers.
The current tests for --isolation should cause this code to be tested.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Set of scripts to run buildah's bud.bats test using
podman build in podman CI.
podman build is not 100% compatible with buildah bud.
In particular:
* podman defaults to --layers=true; buildah to false
* podman defaults to --force-rm=true; buildah to false
* podman error exit status is 125; buildah is 2
* differences in error messages, command-line arguments
Some of the above can be dealt with programmatically,
by tweaking the buildah helpers.bash (BATS helpers).
Some need to be tweaked by patching bud.bats itself.
This PR includes a patch that will, I fear, need to
be periodically maintained over time.
There will likely be failures when vendoring in a
new buildah, possibly because new tests were added
for new features that don't exist in podman, possibly
(I hope unlikely) if existing tests are changed in
ways that make the patch file fail to apply. I've
tried to write good instructions and to write the run
script in such a way that it will offer helpful hints
on failure. My instructions and code will be imperfect;
I hope they will be good enough to merit continued use
of this test (possibly with improvements to the instructions
as we learn more about real-world failures).
Signed-off-by: Ed Santiago <santiago@redhat.com>
Initial validation of using podman-in-podman to create an
old-podman root, then use new-podman to play with the
containers created therein.
Signed-off-by: Ed Santiago <santiago@redhat.com>
git tries to recognize renamed files. This isn't always
as helpful as intended. Turn it off, so we'll always see
files as 'A'dded.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This commit sets the CGO_CFLAGS variable for hardening the Fedora rpm
binaries.
The flags used are the same as those in the official Fedora rpms.
Setting the flags in upstream spec would provide early warnings for
flag adjustments or other hardening issues.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
This mailing-list was established to allow people to sub/unsub from
automated notifications. Add it to the list of destinations picked up
by the Github Actions workflow
`.github/workflows/check_cirrus_cron.yml`.
Signed-off-by: Chris Evich <cevich@redhat.com>
In rare cases, it's possible for one of the ginkgo processes to "hang".
When this occurs, the main output will contain this message:
``Ginkgo timed out waiting for all parallel nodes to report``
The only way to debug this was to look through concatenated printing
of the ginkgo node logs. This is a tedious and daunting task,
requiring special search knowledge, facing a "wall of text".
Simplify the situation by collecting the node logs separately, as
individual files in a cirrus-artifact. In this way, it's faster to
figure out which test "hung" by examining each log individually. The
log file which does not have a pass/fail summary at the end,
indicates the last test hung (for whatever reason), and includes it's
output (if any).
Signed-off-by: Chris Evich <cevich@redhat.com>
Prior to this commit, the "Static Build" task only produced a
`bin/podman`. Update this to also include a `bin/podman-remote`
binary.
Update the pr-should-include-tests checker to ignore the `nix`
directory, which isn't applicable.
Lastly, restore the static build task to 'required' for CI success.
Leaving the comment inplace in case it needs to be bypassed in the
future on short notice.
Signed-off-by: Chris Evich <cevich@redhat.com>
Make sure we pass the network aliases as capability args to the
cnitool in the rootless-cni-infra container. Also update the
dnsname plugin in the cni-infra container.
Fixes#8567
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Make sure we pass the ip and mac address as CNI_ARGS to
the cnitool which is executed in the rootless-cni-infra
container.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Followup to dbb9943
Despite skipping the `Smoke` check, it was observed on a *new* branch,
the `validate` task (specifically `git-validation`) will fail. This
is because:
* `$CIRRUS_LAST_GREEN_CHANGE` will be empty on a new branch.
* `$CIRRUS_BASE_SHA` is always empty for runs triggered by branch-push
* `$EPOCH_TEST_COMMIT` will be set to `YOU_FOUND_A_BUG`.
Fix this by eliminating the `Smoke` task entirely, simplifying all
the `make validate` operations into the `validate` cirrus task. Ensure
this task does not run when a new branch or tag is pushed.
Also, eliminate the `$CIRRUS_BUILD_ID` value as it's confusing and not
actually used anywhere. It was formerly used for building VM images,
but this has moved to another repo entirely.
Signed-off-by: Chris Evich <cevich@redhat.com>
It looks like we always hit the caching issue in Cirrus CI described
within #8313. A solution around that is to use cachix, which has been
pre-populated from my local machine.
To push all (runtime and build) dependencies, we can leverage a
pre-populated store by:
```
> nix-store -qR --include-outputs $(nix-instantiate nix/default.nix) | cachix push podman
```
The cache can be re-used by everybody to rapidly build static Podman
binaries: https://app.cachix.org/cache/podman
[NO TESTS NEEDED]
Signed-off-by: Sascha Grunert <mail@saschagrunert.de>
The podman documentation site uses javascript to display
API documentation at:
http://docs.podman.io/en/latest/Reference.html
As input, the javascript sources from a CORS-enabled Google Cloud
Storage object. This commit ensures the storage object is present and
updated for every Cirrus-CI execution context: Tags, Branches, and PRs.
As of this commit, the documentation site only utilizes the object
uploaded by the Cirrus-CI run on the `master` branch:
`swagger-master.yaml`. The file produced and uploaded due to a PR is
intended for testing purposes: Confirm it's generation and uploading are
both functional.
Signed-off-by: Chris Evich <cevich@redhat.com>
Make sure that bindings are in sync with the code. The check is similar
to what's already being done with `make vendor`, so integrate the two.
[NO TESTS NEEDED]
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
On each PR (with a few exceptions), check the list of git-touched
files, and abort if no tests are added. Include instructions
on how to bypass the check if tests really aren't needed.
Include a hardcoded exception list for PRs that only touch a
well-known subset of "safe" files: docs, .cirrus.yml, vendor,
version, hack, contrib, or *.md. This list is likely to need
tuning over time.
Add a test suite, but not one recognized by the new script
(because it's a "*.t" file), so: [NO TESTS NEEDED]
Signed-off-by: Ed Santiago <santiago@redhat.com>
Release trigger script failed[1] because the entire script
runs under 'set -e'; so a 'grep -- -dev' that finds no
results will cause a nonzero exit status and hence the
entire script to fail. Work around that.
[1] https://cirrus-ci.com/task/4541290882793472
Signed-off-by: Ed Santiago <santiago@redhat.com>
Since CI doesn't depend heavily on installing packages at runtime
(there is some minor use) there's no need to exhaustively check
repository mirror hosts. Remove them from the list.
Signed-off-by: Chris Evich <cevich@redhat.com>
There's a CI check for the presence of "-dev" in podman-info output
(it should not appear). This test is unlikely to fail, but if it
ever does, the diagnostic output is unhelpful. This makes it helpful.
Tested via:
$ ln -s /bin/echo ~/bin/msg
$ ln -s /bin/echo ~/bin/die
$ TEST_FLAVOR=release ./contrib/cirrus/runner.sh
...
Releases must never contain '-dev' in output of 'podman info' ( buildahVersion: 1.19.0-dev
Version: 3.0.0-dev)
Signed-off-by: Ed Santiago <santiago@redhat.com>
