According to the documentation
https://onsi.github.io/gomega/#eventually
> the default value for the polling interval is 10 milliseconds
That is excessively fast given the observed failures in
issue #4021 are always using podman-remote. Lower the interval to
3-seconds, which should be plenty long enough for container removal.
Signed-off-by: Chris Evich <cevich@redhat.com>
...e.g. cloud-user. 9822f54ac was intended to fix this,
but it doesn't. Simple and standard solution is to
move the dash to the end of the character class.
Signed-off-by: Ed Santiago <santiago@redhat.com>
On Ubuntu, /bin/sh != /bin/bash. Update system-tests to only use
bash for testing consistency across platforms.
Signed-off-by: Chris Evich <cevich@redhat.com>
Issue #3829 (cp symlinks) has been fixed: enable tests for it
And, it looks like podman-remote is now handling exit status
of a force-rm'ed container. Enable that test too.
Signed-off-by: Ed Santiago <santiago@redhat.com>
A true result from reexec.Init() isn't an error, but it indicates that
main() should exit with a success exit status.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Changing the test in WaitWithDefaultTimeout() to use Eventually() and
gexec.Exit(). Using ExitCode() before command has really exited returns
a -1, which can cause issues for tests testing for podman to return
non-zero values.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
One or more tests are not taking advantage of the local image cache.
This has been observed to cause a testing flake in at least one
`--sigproxy` test which uses `PodmanTestIntegration.PodmanPID()`.
It has a rather short timeout of 15-seconds, which isn't always
enough time to pull down a remote image.
Fix this by reloacing the `noCache` logic from
`PodmanTest.PodmanAsUserBase()` down the stack into
`PodmanTestIntegration.makeOptions()`. This also eliminates the need to
also check if a remote-client is being used - since it uses a different
function.
Also reverse the parameter order in `PodmanTest.PodmanBase` so that
everywhere is consistently `noEvents` then `noCache`.
Signed-off-by: Chris Evich <cevich@redhat.com>
close#3894
This patch let podman cp return 'no such file or directory' error if DEST_PATH does not exist and ends with / when copying file.
Signed-off-by: Qi Wang <qiwan@redhat.com>
When a named volume is mounted on any of the tmpfs filesystems
created by read-only tmpfs, it caused a conflict that was not
resolved prior to this.
Fixes BZ1755119
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Test had incorrectly been disabled for all podman; it
should've been disabled only for podman-remote. Fixed
that, and fixed the problem that was causing failures:
podman-remote is gobbling up stdin (#4095), so no
tests were actually being run at all, or only one.
Fixed by redirecting input on the run_podman invocation.
Added, as backup, a confirmation mechanism to ensure
that all expected tests are being run.
Note that test is reenabled, but the output check is
disabled for podman-remote due to #4096; this at least
lets us check exit status.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add two unit tests to determine whether mounts are being listed
correctly. One tests that a created container is not listed
until mounted. The second checks that running containers are
mounted, and then no longer listed as mounted when they stop
running. The final test creates three containers, mounts two,
and checks that mount correctly only lists the two mounted.
Signed-off-by: gabi beyer <gabrielle.n.beyer@intel.com>
If the HOME environment variable is not set, make sure it is set to
the configuration found in the container /etc/passwd file.
It was previously depending on a runc behavior that always set HOME
when it is not set. The OCI runtime specifications do not require
HOME to be set so move the logic to libpod.
Closes: https://github.com/debarshiray/toolbox/issues/266
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
While investigating issue
https://github.com/containers/libpod/issues/4044 there is no sense
subjecting forward progress elsewhere. Skip the test with a note
temporarily, until a resolution to 4044 and any other related issues
is found and fix implemented.
Signed-off-by: Chris Evich <cevich@redhat.com>
There were two problems with preserve fds.
libpod didn't open the fds before passing _OCI*PIPE to conmon. This caused libpod to talk on the preserved fds, rather than the pipes, with conmon talking on the pipes. This caused a hang.
Libpod also didn't convert an int to string correctly, so it would further fail.
Fix these and add a unit test to make sure we don't regress in the future
Note: this test will not pass on crun until crun supports --preserve-fds
Signed-off-by: Peter Hunt <pehunt@redhat.com>
The Expect function does not return a result of True or False
depending on the value of the first instance, but instead requires
a comparison using ".To(", so change to use ".To(ContainSubstring("
Signed-off-by: gabi beyer <gabrielle.n.beyer@intel.com>
This change matches what is happening on the podman local side
and should eliminate a race condition.
Also exit commands on the server side should start to return to client.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We have leaked the exit number codess all over the code, this patch
removes the numbers to constants.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This is mostly used with Systemd, which really wants to manage
CGroups itself when managing containers via unit file.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
This change adds the following annotation to every container created by
podman:
```json
"Annotations": {
"io.containers.manager": "libpod"
}
```
Target of this annotaions is to indicate which project in the containers
ecosystem is the major manager of a container when applications share
the same storage paths. This way projects can decide if they want to
manipulate the container or not. For example, since CRI-O and podman are
not using the same container library (libpod), CRI-O can skip podman
containers and provide the end user more useful information.
A corresponding end-to-end test has been adapted as well.
Relates to: https://github.com/cri-o/cri-o/pull/2761
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Previously, we only did this for volumes created at the same time
as the container. However, this is not correct behavior - Docker
does so for all named volumes, even those made with
'podman volume create' and mounted into a container later.
Fixes#3945
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
This isn't included in Docker, but seems handy enough.
Use the new API for 'volume rm' and 'volume inspect'.
Fixes#3891
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
When volume options and the local volume driver are specified,
the volume is intended to be mounted using the 'mount' command.
Supported options will be used to volume the volume before the
first container using it starts, and unmount the volume after the
last container using it dies.
This should work for any local filesystem, though at present I've
only tested with tmpfs and btrfs.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Add '.To(BeTrue())' to 'Expect(' statements in unit tests that
are missing them. These tests weren't being compared to anything,
thus reporting false positives.
Signed-off-by: gabi beyer <gabrielle.n.beyer@intel.com>
crun emits wildly different error messages than runc in
two cases:
podman run ... /no/such/path (enoent)
podman run ... /etc (trying to exec a directory)
Deal with it by getting the runtime from 'podman info' and,
if crun, changing what we expect.
There may be more tweaks needed to get system tests working
with crun, but right now podman rawhide is too broken to
have any hope of finding them all.
Signed-off-by: Ed Santiago <santiago@redhat.com>
when running in rootless mode, --device creates a bind mount from the
host instead of specifying the device in the OCI configuration. This
is required as an unprivileged user cannot use mknod, even when root
in a user namespace.
Closes: https://github.com/containers/libpod/issues/3905
Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
when using an upper case image name for container commit, we observed
panics due to a channel closing early.
Fixes: #3897
Signed-off-by: baude <bbaude@redhat.com>
This will require a 'podman system renumber' after being applied
to get lock numbers for existing volumes.
Add the DB backend code for rewriting volume configs and use it
for updating lock numbers as part of 'system renumber'.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
podman cp has had some unexpected bugs, and still has
some surprising behavior. It looks like this part of
the code is fragile. Add tests to try to prevent
future breakages.
Note that two of the new tests are disabled (skipped)
until #3829 gets fixed.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Update the CNI configuration instructions to line up with
the changes introduced in #3868. Also do a bit less documentation
of the configuration and point to the GitHub project so we won't
get out of sync in the future.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Support generating systemd unit files for a pod. Podman generates one
unit file for the pod including the PID file for the infra container's
conmon process and one unit file for each container (excluding the infra
container).
Note that this change implies refactorings in the `pkg/systemdgen` API.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add the digestfile option to the push command so the digest can
be stored away in a file when requested by the user. Also have added
a debug statement to show the completion of the push.
Emulates Buildah's https://github.com/containers/buildah/pull/1799/files
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Before, if the container was run with a specified user that wasn't root, exec would fail because it always set to root unless respecified by user.
instead, inherit the user from the container start.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
The priv test added to the build test in June runs an 'apk'
command which, unavoidably, has to fetch stuff from the net.
This is slow and unreliable, and periodically leads to
timeout failures. Worse, when this happens, some sort of
invisible buildah-only container gets left behind that leads
to failures in subsequent tests when trying to reset to
known state.
Imperfect workaround: try a 240-second timeout (up from 60)
when running apk. As backup, add a custom teardown() which
attempts to force-remove all containers and any new images.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This is a breaking change and modifies the resulting image name when
pulling from an directory via `oci:...`.
Without this patch, the image names pulled via a local directory got
processed incorrectly, like this:
```
> podman pull oci:alpine
> podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/oci alpine 4fa153a82426 5 weeks ago 5.85 MB
```
We now use the same approach as in the corresponding [buildah fix][1] to
adapt the behavior for correct `localhost/` prefixing.
[1]: https://github.com/containers/buildah/pull/1800
After applying the patch the same OCI image pull looks like this:
```
> ./bin/podman pull oci:alpine
> podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/alpine latest 4fa153a82426 5 weeks ago 5.85 MB
```
End-to-end tests have been adapted as well to cover the added scenario.
Relates to: https://github.com/containers/buildah/issues/1797
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
adding podman network and the subcommands inspect, list, and rm. the
inspect subcommand displays the raw cni network configuration. the list
subcommand displays a summary of the cni networks ala ps. and the rm
subcommand removes a cni network.
Signed-off-by: baude <bbaude@redhat.com>
...and on a container killed by 'podman rm -f'. See #3795
Disable when testing podman-remote; see #3808
Signed-off-by: Ed Santiago <santiago@redhat.com>
Udica is adding new features to allow users to define container process
and file types. This would allow us to setup trusted communications channels
between multiple security domains. ContainerA -> ContainerB -> ContainerC
Add tests to make sure users can change file types
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Requirement from https://github.com/containers/libpod/issues/3575#issuecomment-512238393
Added --pull for podman create and pull to match the newly added flag in docker CLI.
`missing`: default value, podman will pull the image if it does not exist in the local.
`always`: podman will always pull the image.
`never`: podman will never pull the image.
Signed-off-by: Qi Wang <qiwan@redhat.com>
In the restore from external checkpoint archive test, the second restore
using a new name and ID is now done first to ensure that nothing in the
restored container depends on the original container.
Test has been adapted to catch errors like the one fixed with the
previous commit to adapt ConmonPidFile for restored containers.
Signed-off-by: Adrian Reber <areber@redhat.com>
Add flag `--authfile` to create and run so Podman can read authfile path from not only environemnt variable REGISTRY_AUTH_FILE but also CLI
Signed-off-by: Qi Wang <qiwan@redhat.com>
podman-remote rm now works; that's the only thing we were
waiting for to enable podman-remote (varlink) system tests.
Add a (too-complicated, sorry) Makefile target that will
define a random socket path, start the podman varlink server,
and run the test suite using podman-remote.
Also: add two convenience functions, is_rootless and is_remote,
and use those in skip_if_rootless/if_remote and elsewhere
Also: workarounds for broken tests:
- basic version test: podman-remote emits an empty 'Client'
line. Just ignore it.
- looks like 'podman-remote pod' doesn't work; skip test.
Also: minor documentation update
Signed-off-by: Ed Santiago <santiago@redhat.com>
when listing multiple ports on a container with podman port, an early
return was limiting results.
Fixes: #3747
Signed-off-by: baude <bbaude@redhat.com>
The 'podman run --mount' flag previously allowed the 'ro' option
to be specified, but was missing the ability to set it to a bool
(as is allowed by docker). Add that. While we're at it, allow
setting 'rw' explicitly as well.
Fixes#2980
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
It looks like #2780 is fixed: an overnight run yielded no
instances of 'pod top' returning incomplete output.
Signed-off-by: Ed Santiago <santiago@redhat.com>
If a container is restored multiple times from an exported checkpoint
with the help of '--import --name', the restore will fail if during
'podman run' a static container IP was set with '--ip'. The user can
tell the restore process to ignore the static IP with
'--ignore-static-ip'.
Signed-off-by: Adrian Reber <areber@redhat.com>
Fedora CI tests are failing on rawhide under kernel
5.3.0-0.rc1.git3.1.fc31 (rhbz#1736758). But there's
another insidious failure, a 4-hour hang in the
rootless tests on the same CI system. The culprit
line is in the podman build test, but it's actually
BATS itself that hangs, not the build command -- which
suggests that it's the usual FD 3 problem (see BATS README).
It would seem that podman is forking a process that
inherits fd 3 but that process is not getting cleaned
up when podman crashes upon encountering the kernel bug.
Today it's podman build, tomorrow it might be something
else. Let's just run all podman invocations in run_podman
with a non-bats FD 3.
Signed-off-by: Ed Santiago <santiago@redhat.com>
close https://bugzilla.redhat.com/show_bug.cgi?id=1732280
From the bug Podman search returns 25 results even when limit option `--limit` is larger than 25(maxQueries). They want Podman to return `--limit` results.
This PR fixes the number of output result.
if --limit not set, return MIN(maxQueries, len(res))
if --limit is set, return MIN(option, len(res))
Signed-off-by: Qi Wang <qiwan@redhat.com>
This enables programs and scripts wrapping the podman command to handle
'podman rm' and 'podman rmi' failures caused by paused or running
containers or due to images having other child images or dependent
containers. These errors are common enough that it makes sense to have
a more machine readable way of detecting them than parsing the standard
error output.
Signed-off-by: Ondrej Zoder <ozoder@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Podman-in-podman (and possibly ubuntu) have "issues" with
journald. Let's just use file instead to be safe.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Check the exit codes of pull, save and inspect to avoid masking those
errors. We've hit a case where a corrupted/broken image has been pulled
which then surfaced for some tests later.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
close#3648
podman create and podman run do not set --env variable if the environment is not present with a value
Signed-off-by: Qi Wang <qiwan@redhat.com>
The regular expression used in the `info` test does not allow for
usernames that have a dash, such as `test-user`. This patch adjusts
the regex to allow for a dash.
Fixes#3666.
Signed-off-by: Major Hayden <major@redhat.com>
The function to generate random IP addresses during ginkgo tests in
the checkpoint test code is moved to common and all tests using
hardcoded IP addresses have been changed to use random IP addresses to
reduce test errors when running the tests in parallel.
Signed-off-by: Adrian Reber <areber@redhat.com>
It seems like our VM images now support systemd CGroups with the
Ubuntu LTS images. No reason to keep testing CGroupfs as such,
systemd is much less racy (and CGroupfs on systemd-enabled
systems can be iffy).
Signed-off-by: Matthew Heon <mheon@redhat.com>
including changing -l to the container id
and separating a case of setting the env that remote can't handle
Signed-off-by: Peter Hunt <pehunt@redhat.com>
This includes:
Implement exec -i and fix some typos in description of -i docs
pass failed runtime status to caller
Add resize handling for a terminal connection
Customize exec systemd-cgroup slice
fix healthcheck
fix top
add --detach-keys
Implement podman-remote exec (jhonce)
* Cleanup some orphaned code (jhonce)
adapt remote exec for conmon exec (pehunt)
Fix healthcheck and exec to match docs
Introduce two new OCIRuntime errors to more comprehensively describe situations in which the runtime can error
Use these different errors in branching for exit code in healthcheck and exec
Set conmon to use new api version
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Signed-off-by: Peter Hunt <pehunt@redhat.com>
When removing --all images prune images only attempt to remove read/write images,
ignore read/only images
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Close#3553
This PR makes --dns, --dns-option, --dns-search, and --network not set to host flag mutually exclusive for podman build and create. Returns conflict error if both flags are set.
Signed-off-by: Qi Wang <qiwan@redhat.com>
allow a container to run in a new cgroup namespace.
When running in a new cgroup namespace, the current cgroup appears to
be the root, so that there is no way for the container to access
cgroups outside of its own subtree.
By default it uses --cgroup=host to keep the previous behavior.
To create a new namespace, --cgroup=private must be provided.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
When we first began writing Podman, we ran into a major issue
when implementing Inspect. Libpod deliberately does not tie its
internal data structures to Docker, and stores most information
about containers encoded within the OCI spec. However, Podman
must present a CLI compatible with Docker, which means it must
expose all the information in 'docker inspect' - most of which is
not contained in the OCI spec or libpod's Config struct.
Our solution at the time was the create artifact. We JSON'd the
complete CreateConfig (a parsed form of the CLI arguments to
'podman run') and stored it with the container, restoring it when
we needed to run commands that required the extra info.
Over the past month, I've been looking more at Inspect, and
refactored large portions of it into Libpod - generating them
from what we know about the OCI config and libpod's (now much
expanded, versus previously) container configuration. This path
comes close to completing the process, moving the last part of
inspect into libpod and removing the need for the create
artifact.
This improves libpod's compatability with non-Podman containers.
We no longer require an arbitrarily-formatted JSON blob to be
present to run inspect.
Fixes: #3500
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Before, play kube wasn't properly setting the command. Fix this
Also, begin a dedicated test suite for play kube to catch regressions like this in the future
Signed-off-by: Peter Hunt <pehunt@redhat.com>
Docker CLI calls the healthcheck flags "--health-*", instead of
"--healthcheck-*".
Introduce the former, in order to keep compatibility, and alias
the later, in order to avoid breaking current usage.
Change "--healthcheck-*" to "--health-*" in the docs and tests.
Signed-off-by: Hunor Csomortáni <csomh@redhat.com>
Fix Docker CLI compatibility issue: the "--healthcheck-command" option
value should not be split but instead be passed as single string to
"CMD-SHELL", i.e. "/bin/sh -c <opt>".
On the other hand implement the same extension as is already available
for "--entrypoint", i.e. allow the option value to be a JSON array of
strings. This will make life easier for tools like podman-compose.
Updated "--healthcheck-command" option values in tests accordingly.
Continuation of #3455 & #3507
Signed-off-by: Stefan Becker <chemobejk@gmail.com>
This flag passes the host environment into the container. The basic idea is to
leak all environment variables from the host into the container.
Environment variables from the image, and passed in via --env and --env-file
will override the host environment.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
be sure to load all the existing handlers, so that they can also be
freed in addition to the handlers we treat differently.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This adds three tests for the --ignore-rootfs option to verify that it
works in all combination.
1. Not used at all
2. Only used during restore
3. Only used during checkpoint
Signed-off-by: Adrian Reber <areber@redhat.com>
This tries to reduce CI errors which might happen due to parallel CI
runs which all are using the same IP addresses. Using random addresses
should reduce the possibility of parallel tests using the same IP address.
Signed-off-by: Adrian Reber <areber@redhat.com>
when running integrations tests as rootless, several tests still
unnecessarily pull images which is costly in terms of time.
Signed-off-by: baude <bbaude@redhat.com>
add a simple way to copy ulimit values from the host.
if --ulimit host is used then the current ulimits in place are copied
to the container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
There is no meaning of performing setup/teardown for these tests
when we even can not work with systemd.
Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
Systemd manager drops non-existent directories from the units search
path during initialization, thus, creation of UNIT_DIR, if it did not
exist before, requres reloading the daemon.
Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
By default, podman points PIDFile in generated unit file to non-existent
location. As a result, the unit file, generated by podman, is broken:
an attempt to start this unit without prior modification results in a crash,
because systemd can not find the pidfile of service's main process.
Fix the value of "PIDFile" and add a system test for this case.
Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
When we're waiting for a container to come up with healthchecks,
and it's not even running, there's no point to waiting further.
Instead, let's restart the container and continue waiting.
This may fix some flakes we're seeing with 'podman port' tests.
Then again, all the tests there seem to fail, not just a single
test flaking - so I bet there's some other underlying cause.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Podman 1.4.1 had problems with builds with a
RUN command that tried to to a privliged command.
This adds a gating test for that situation.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Conmon has moved out of cri-o and into it's own dedicated repository.
This commit updates configuration and definitions which referenced
the old cri-o based paths.
Signed-off-by: Chris Evich <cevich@redhat.com>
A container restored from a checkpoint archive used to have the root
file-system mounted with a wrong (new) SELinux label. This made it, for
example, impossible to use 'podman exec' on a restored container.
This test tests exactly this. 'podman exec' after 'podman container restore'.
Unfortunately this test does not fail, even without the patch that fixes
it as the test seems to run in an environment where the SELinux label of
the container root file-system is not relevant. Somehow.
Signed-off-by: Adrian Reber <areber@redhat.com>
OutputToString() was mangling newlines, which made YAML parsers
very, very angry. But not angry enough to actually error, that
would be too easy. Just angry enough to silently not decode
anything.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We need to verify that valid YAML was produced - Marshal will
just pack the generated YAML even further.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
This provides backwards compatability with 1.4.0-1.4.2 releases
which name .Source and .Destination as .Src and .Dst - useful for
not breaking toolbox.
Also add a test.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We weren't properly populating the container's OCI Runtime in
Batch(), causing segfaults on attempting to access it. Add a test
to make sure we actually catch cases like this in the future.
Fixes#3411
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
The man page of 'podman diff' claims that the diff sub-command knows
about --latest, -l. This adds support, as described in the man-page, to
the diff sub-command for --latest, -l.
Signed-off-by: Adrian Reber <areber@redhat.com>
