The biggest obstacle here was cleanup - we needed a way to remove
detached exec sessions after they exited, but there's no way to
tell if an exec session will be attached or detached when it's
created, and that's when we must add the exit command that would
do the removal. The solution was adding a delay to the exit
command (5 minutes), which gives sufficient time for attached
exec sessions to retrieve the exit code of the session after it
exits, but still guarantees that they will be removed, even for
detached sessions. This requires Conmon 2.0.17, which has the new
`--exit-delay` flag.
As part of the exit command rework, we can drop the hack we were
using to clean up exec sessions (remove them as part of inspect).
This is a lot cleaner, and I'm a lot happier about it.
Otherwise, this is just plumbing - we need a bindings call for
detached exec, and that needed to be added to the tunnel mode
backend for entities.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Support the `X-Registry-Auth` http-request header.
* The content of the header is a base64 encoded JSON payload which can
either be a single auth config or a map of auth configs (user+pw or
token) with the corresponding registries being the keys. Vanilla
Docker, projectatomic Docker and the bindings are transparantly
supported.
* Add a hidden `--registries-conf` flag. Buildah exposes the same
flag, mostly for testing purposes.
* Do all credential parsing in the client (i.e., `cmd/podman`) pass
the username and password in the backend instead of unparsed
credentials.
* Add a `pkg/auth` which handles most of the heavy lifting.
* Go through the authentication-handling code of most commands, bindings
and endpoints. Migrate them to the new code and fix issues as seen.
A final evaluation and more tests is still required *after* this
change.
* The manifest-push endpoint is missing certain parameters and should
use the ABI function instead. Adding auth-support isn't really
possible without these parts working.
* The container commands and endpoints (i.e., create and run) have not
been changed yet. The APIs don't yet account for the authfile.
* Add authentication tests to `pkg/bindings`.
Fixes: #6384
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This properly prints out image-name hints when executing the hack script
without any arguments. It is required due to changes made by Ed for
test-name beatification. An identical change was made and reviewed by
Ed in the containers/storage repo.
Signed-off-by: Chris Evich <cevich@redhat.com>
Now that we're shipping containers.conf, we don't want to provide
a libpod.conf anymore. This removes libpod.conf from the repo and
as many direct uses as I can find.
There are a few more mentions in the documentation, but someone
more familiar with containers.conf should make those edits.
Signed-off-by: Matthew Heon <mheon@redhat.com>
some small fix ups for binding tests and then make them required.
update containers-common
V2 bindings tests were failing because of changes introduced in commit
a2ad5bb.
Fix some typos.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
in the case where the specgen attribute for Env and Labels are nil, we should should then make the map IF we have labels and envs that need to be added.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Now that it's officially released, update to it from the beta. Also
(and significant), adjust the SELinux context of the GCP metadata
service. Add a comment to the code explaining why this is necessary.
Signed-off-by: Chris Evich <cevich@redhat.com>
BATS emits a summary line (number of tests passed/failed)...
but only on a tty or when run with --pretty! In our CI
context, with TAP output, it gives no end summary.
Fix that. Keep track of 'ok', 'not ok', and 'skipped',
and display the counts at the end.
Also: add a regression test. You don't need to review
or even read it: it's stark, and I'm not even enabling
it for CI because it almost certainly won't run due to
missing Perl library modules. It's just something I
need on my end.
Signed-off-by: Ed Santiago <santiago@redhat.com>
apiv2 tests emit TAP-compliant output; recognize it and
highlight it the same way we do BATS tests.
Add anchor links to TAP output, so other tools (e.g.
cirrus-flake-summarize) can link to particular lines
And, remove a "-f" from "wait" in test-apiv2; looks
like there's some version of bash used in some CI VM
that doesn't grok it.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Many of the packages required for CI in buildah overlap with libpod.
When building new VM images, attempt to source a package list
from the buildah repository. If found, also install the listed
packages on the VM.
Signed-off-by: Chris Evich <cevich@redhat.com>
this is a temporary fix for the flake that has been troubling us. once conmon is in fedora 30 and 31 stable, we can remove this fix. the images will just need to be rebuilt.
Signed-off-by: Brent Baude <bbaude@redhat.com>
1) 'podman system info' (in logcollector): has been silently
failing in special_testing_rootless, with:
logcollector.sh: line 16: podman: command not found
Use ./bin/podman instead of just podman; this is probably
the right thing to do in the general case anyway
2) logformatter: highlight 'panic:', seen in bindings test:
https://storage.googleapis.com/cirrus-ci-5385732420009984-fcae48/artifacts/containers/libpod/6693715108429824/html/integration_test.log.html
3) logformatter: handle Unicode bullet in front of 'Running',
seen in bindings test.
4) logformatter: turn down contrast on BATS 'ok' results,
for legibility
Signed-off-by: Ed Santiago <santiago@redhat.com>
Detecting when it's time to upload a release inside Cirrus-CI is really
difficult for many automation and human reasons. Disabling it for now
until a more robust solution can be implemented
Signed-off-by: Chris Evich <cevich@redhat.com>
the binding ginkgo tests were using color mode which throws in a bunch of ansi garbage that makes it hard to read the logs
Signed-off-by: Brent Baude <bbaude@redhat.com>
during container creation, if no network is provided, we need to add a default value so the container can be later started.
use apiv2 container creation for RunTopContainer instead of an exec to the system podman. RunTopContainer now also returns the container id and an error.
added a libpod commit endpoint.
also, changed the use of the connections and bindings slightly to make it more convenient to write tests.
Fixes: 5366
Signed-off-by: Brent Baude <bbaude@redhat.com>
This introduces a new cirrus helper script, logformatter.
Usage is:
[commands...] | logformatter TEST-NAME
It reformats its input into a readable, highlighed, linkable
form. Some features:
- boring stuff (timestamps, standard podman options) is
deemphasized
- important stuff (warnings, errors) is emphasized
- in-page links to the actual failures
- active links to source files
- jumps to bottom of page on load, because that's where
the errors are. (All errors are linked)
Add it to select test commands (integration, system) and
add a new artifacts_html, run in the 'always' block, which
uploads generated *.log.html into Cirrus; from there we
generate a live URL that can be viewed in browser.
Unfortunately, due to security concerns in Cirrus, it is
not currently possible to make the link a live one.
Kludge: add a line of dashes after Restoring images; without this,
the first test ("systemd PID 1") has no dashes before it, so
logformatter doesn't see it.
Signed-off-by: Ed Santiago <santiago@redhat.com>
API v2 has been quiet for a few days, and the test script is
actually passing. Let's take advantage of this opportunity
to get them running in CI.
Requires adding a check for cgroupsv2
Signed-off-by: Ed Santiago <santiago@redhat.com>
A number of scripts relating to tooling used and the gate container
image were not exiting upon errors as intended. Coupled with
external service unavailability (i.e. downloading golangci-lint)
was observed to cause difficult to debug failures.
This change corrects the scripts inside/out of the gate container as
well as fixes many golang related path consistency problems vs other CI
jobs. After this change, all jobs use consistent path names reducing
the number of special-case overrides needed.
Lastly, I also made a documentation-pass, updating/correcting as needed,
including documenting a likely local validation-failure mode, related to
`$EPOCH_TEST_COMMIT`. This is dependent on the developers git
environment, so documentation is the only possible "fix".
Signed-off-by: Chris Evich <cevich@redhat.com>
Suspect crun might be sneaking in during VM image build via podman RPM
dependency. Add it to the removal list when building, then also force
use of runc at runtime in F30.
Also quote all true/false vars to force them as strings instead of
booleans (which will become capitalized)
Signed-off-by: Chris Evich <cevich@redhat.com>
There are a number of env. vars set during the setup script. Therefore
displaying them at end of the script is more helpful for debugging.
Signed-off-by: Chris Evich <cevich@redhat.com>
In the package_versions CI step, include Fedora/Ubuntu
version, uname -r, and cgroups version.
Cgroups version is simply the FS type of /sys/fs/cgroup,
which shows 'tmpfs' for v1 and 'cgroup2fs' for v2. I
don't think it's worth the effort to prettify those
into 'v1/v2' - I think our readers are sophisticated
enough to figure it out from context - but am willing
to add that feature if requested.
Signed-off-by: Ed Santiago <santiago@redhat.com>
In some distributions it's possible to have both runc and crun
installed and/or for podman to be confused about which to use. In these
instances, force the decision by adding `OCI_RUNTIME=/usr/bin/crun` into
`/etc/environment`. Also in-place modify libpod.conf to use 'crun'
instead of 'runc'
Signed-off-by: Chris Evich <cevich@redhat.com>
