Oops! Logs of podman-remote tests are unreadable, they have
multiple (useless) --remote options plus '--url /something/long'
that makes it impossible to read the actual command being run.
This commit strips off '--remote' entirely, and hides '--url'
and its arg in the only-on-mouse-hover '[options]' text.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Mainly needed for buildah testing: the htpasswd command was removed from
the upstream registry container image. Making it available on the
host-side enables configuring details needed by the registry during
it's initial setup.
Signed-off-by: Chris Evich <cevich@redhat.com>
Currently you can not apply an ApparmorProfile if you specify
--privileged. This patch will allow both to be specified
simultaniosly.
By default Apparmor should be disabled if the user
specifies --privileged, but if the user specifies --security apparmor:PROFILE,
with --privileged, we should do both.
Added e2e run_apparmor_test.go
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Fallout from libpod->podman repo name move: the HTML logs
created by logformatter are no longer accessible. They
render as:
https://storage.googleapis.com/SECRET-5385732420009984-fcae48/artifacts/containers/podman/6313596734930944/html/integration_test.log.html
(yes, "SECRET" instead of "cirrus-ci". Possibly because
the GCE_SSH_USERNAME key, "cirrus-ci", was overzealously
encrypted, making Cirrus censor any instances of the
string in output. Let's see if this fixes it. But anyway
this is a secondary unrelated bug).
Reason: it looks like Cirrus "generated a new magic blob"
when we renamed libpod -> podman. Chris was kind enough to
locate the new magic blob and to give me a link to where
we can discover it ourselves. I added that as a code comment.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Set the type of the podman.service to simple. This will correctly
report the status of the service once it has started. As a oneshot
service, it does not transition from the startup state to running.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
podman-api(1) does not exist, so set the man page to
podman-system-service(1). Same for the .socket.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Do not hard-set the registries.conf to `/etc/containers/registries.conf`.
Podman (and other c/image users) already default to it. However,
ordinary non-root users should still be able to use the configs in their
home directories which is now possible.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Do not set the killmode to process as it only kills the main process and
leaves other processes untouched. Just remove the line and use the
default cgroup killmode which will kill all processes in the service's
cgroup.
Fixes: #7021
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Remove the stop timeout from the unit. As unit does not specify any
stop command, the timeout is effectively 0 and a NOOP.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Symlink the user to the system services in `contrib/systemd`.
There is no diference between the services, so we can reduce
redundancy while not breaking downstream packages which might
already be referencing `./contrib/systemd/user`.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
fedora removed the systemd package from its standard container image causing our systemd pid1 test to fail. Replacing usage of fedora to ubi-init.
adding ubi images to the cache for local tests.
also, remove installation of test/policy.json to the system wide /etc/containers
Signed-off-by: Brent Baude <bbaude@redhat.com>
We want to add this configuration file so that users can descover
how to configure the permanent connection to a remote podman instance.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Reversion of one part of #6679: my handling of 'realpath'
would not work when $PODMAN is 'podman-remote --url etc'.
Trying to handle that case got unmaintainable; so instead
let's just force 'make {local,remote}system' to invoke
with a full PODMAN path. This breaks down if someone
runs the tests with a manual 'bats' invocation, but I
think I'm the only one who ever does that.
Since podman path will now be very long in the logs,
add code to logformatter to abbreviate it like we do
for the ginkgo logs.
And, one thing that has bugged me for a long time:
in the error logs, show a different prompt ('#' vs '$')
to distinguish root vs rootless. This should make it
much easier to see at-a-glance whether a log file
is root or not. Add tests for it.
Signed-off-by: Ed Santiago <santiago@redhat.com>
When the container uses journald logging, we don't want to
automatically use the same driver for its exec sessions. If we do
we will pollute the journal (particularly in the case of
healthchecks) with large amounts of undesired logs. Instead,
force exec sessions logs to file for now; we can add a log-driver
flag later (we'll probably want to add a `podman logs` command
that reads exec session logs at the same time).
As part of this, add support for the new 'none' logs driver in
Conmon. It will be the default log driver for exec sessions, and
can be optionally selected for containers.
Great thanks to Joe Gooch (mrwizard@dok.org) for adding support
to Conmon for a null log driver, and wiring it in here.
Fixes#6555
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
This reverts commit 1bc992bfc3.
We originally thought `podman varlink` was entirely removed, but
that was not true. We originally thought that
`podman system service --varlink` worked the same as
`podman varlink` but that was also not true. `system service` is
broken when used under systemd units, and `podman varlink` still
exists and works. Revert the change to `podman system service` to
fix socket-activated Varlink under systemd.
Signed-off-by: Matthew Heon <mheon@redhat.com>
We completely removed `podman varlink`, which broke the systemd
unit file used by the Varlink code. Change that to use the new
`podman system service --varlink` command which replaced it.
Also needs a slight reorder of args to make things work happily
on my system.
Signed-off-by: Matthew Heon <mheon@redhat.com>
This allows the containers/conmon repository to share the same VM
images produced by containers/libpod. Included are several packages
which are downloaded only since they might otherwise interfere with
testing for some repos. This allows stable versions to be at the ready
at testing runtime, avoiding any version updates surprising developers.
Also, re-enable running the VM-image check test which was not working
due to a logic problem in Cirrus-CI configuration. Update the neglected
tests so that they pass on all distros.
Signed-off-by: Chris Evich <cevich@redhat.com>
podman-remote has not been tested. A principal part of the
problem was #5387 - the YAML I wrote did not have the
intended effect, it did not set TEST_REMOTE_CLIENT=true
and because of my multiple iterations I did not catch this
during testing.
Part 1 of this PR is to fix .cirrus.yml to enable remote tests.
Part 2 -- what I had first noticed and tried to fix -- is that
rootless_test.sh was never running remote because, of course,
envariables are not sent via ssh. I reworked integration_test.sh
and rootless_test.sh to use a command-line decision instead.
Part 3, sigh, is to disable one failing integration test
and *all* system tests, because so many of the latter are
failing. Addressing those failures needs to be done in
subsequent PRs. Issues #6538, #6539, #6540 are filed for
some of the problems I isolated. There will be more.
Also, minor, fixed some stale references to varlink.
Signed-off-by: Ed Santiago <santiago@redhat.com>
We experienced regression when using the latest `v1.2.0-dev` bats in
Ubuntu 20.04 (see github.com/containers/libpod/pull/6418). Using
bats v1.1.0 worked in the Ubuntu test VM.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The biggest obstacle here was cleanup - we needed a way to remove
detached exec sessions after they exited, but there's no way to
tell if an exec session will be attached or detached when it's
created, and that's when we must add the exit command that would
do the removal. The solution was adding a delay to the exit
command (5 minutes), which gives sufficient time for attached
exec sessions to retrieve the exit code of the session after it
exits, but still guarantees that they will be removed, even for
detached sessions. This requires Conmon 2.0.17, which has the new
`--exit-delay` flag.
As part of the exit command rework, we can drop the hack we were
using to clean up exec sessions (remove them as part of inspect).
This is a lot cleaner, and I'm a lot happier about it.
Otherwise, this is just plumbing - we need a bindings call for
detached exec, and that needed to be added to the tunnel mode
backend for entities.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Issue gh#6286 was already fixed in a prior commit but the Makefile still
ran some varlink steps by default.
This commit makes any varlink build steps dependent on the varlink
build tag and also makes the contrib rpm spec file independent of
varlink.
Endpoint tests will be run only if BUILDTAGS contains varlink.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
* Support the `X-Registry-Auth` http-request header.
* The content of the header is a base64 encoded JSON payload which can
either be a single auth config or a map of auth configs (user+pw or
token) with the corresponding registries being the keys. Vanilla
Docker, projectatomic Docker and the bindings are transparantly
supported.
* Add a hidden `--registries-conf` flag. Buildah exposes the same
flag, mostly for testing purposes.
* Do all credential parsing in the client (i.e., `cmd/podman`) pass
the username and password in the backend instead of unparsed
credentials.
* Add a `pkg/auth` which handles most of the heavy lifting.
* Go through the authentication-handling code of most commands, bindings
and endpoints. Migrate them to the new code and fix issues as seen.
A final evaluation and more tests is still required *after* this
change.
* The manifest-push endpoint is missing certain parameters and should
use the ABI function instead. Adding auth-support isn't really
possible without these parts working.
* The container commands and endpoints (i.e., create and run) have not
been changed yet. The APIs don't yet account for the authfile.
* Add authentication tests to `pkg/bindings`.
Fixes: #6384
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This properly prints out image-name hints when executing the hack script
without any arguments. It is required due to changes made by Ed for
test-name beatification. An identical change was made and reviewed by
Ed in the containers/storage repo.
Signed-off-by: Chris Evich <cevich@redhat.com>
Now that we're shipping containers.conf, we don't want to provide
a libpod.conf anymore. This removes libpod.conf from the repo and
as many direct uses as I can find.
There are a few more mentions in the documentation, but someone
more familiar with containers.conf should make those edits.
Signed-off-by: Matthew Heon <mheon@redhat.com>
some small fix ups for binding tests and then make them required.
update containers-common
V2 bindings tests were failing because of changes introduced in commit
a2ad5bb.
Fix some typos.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
in the case where the specgen attribute for Env and Labels are nil, we should should then make the map IF we have labels and envs that need to be added.
Signed-off-by: Brent Baude <bbaude@redhat.com>
