We are resolving the homedir of the user in many different
places. This patch consolidates them to use the container/storage
version.
This PR also fixes a failure mode when the homedir does not
exist, and the user sets a root path. In this situation
podman should continue to work. Podman does not require a user's
homedir to exist in order to run.
Finally the rootlessConfigHomeDirOnce and rootlessRuntimeDirOnce
were broken, because if an error ever happened, they would not be recorded
the second time, and "" would be returned as the path.
Fixes: https://github.com/containers/podman/issues/8131
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
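The `sync.Once` failure mode this commit message describes, reproduced as an added example (written for this page, not podman's own code): in the broken form the error lives in a local of the caller, so only the first caller sees it and every later call gets `("", nil)`; in the fixed form the error is stored next to the value. The type and function names and the constructed error text are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// lookupFn stands in for the real home-directory lookup (constructed for
// this example; not podman's code).
type lookupFn func() (string, error)

// BrokenOnceDir reproduces the bug: err is a local of Get, so only the
// caller whose Do actually runs the closure ever sees a failure. Every
// later call finds the Once already done and returns ("", nil), which
// callers then treat as a valid (empty) path.
type BrokenOnceDir struct {
	once   sync.Once
	dir    string
	lookup lookupFn
}

func (b *BrokenOnceDir) Get() (string, error) {
	var err error
	b.once.Do(func() {
		b.dir, err = b.lookup()
	})
	return b.dir, err
}

// FixedOnceDir records the error inside the Once alongside the value, so
// every caller gets the same (dir, err) pair and a failed lookup can never
// be mistaken for a successful lookup of "".
type FixedOnceDir struct {
	once   sync.Once
	dir    string
	err    error
	lookup lookupFn
}

func (f *FixedOnceDir) Get() (string, error) {
	f.once.Do(func() {
		f.dir, f.err = f.lookup()
	})
	return f.dir, f.err
}

// failingLookup simulates a lookup that fails, e.g. an unset $HOME with no
// usable passwd entry (constructed error text, not a real podman message).
func failingLookup() (string, error) {
	return "", errors.New("cannot resolve home directory")
}

// CallTwice returns the errors from two consecutive Get calls; the second
// call is what exposes the difference between the two implementations.
func CallTwice(get func() (string, error)) (first, second error) {
	_, first = get()
	_, second = get()
	return first, second
}

func main() {
	b := &BrokenOnceDir{lookup: failingLookup}
	fmt.Println(CallTwice(b.Get)) // second call silently returns nil

	f := &FixedOnceDir{lookup: failingLookup}
	fmt.Println(CallTwice(f.Get)) // both calls return the error
}
```

The same shape applies to any cached lookup of a security-relevant path (runtime dir, config dir): cache the error with the value, or a transient failure turns into a permanent empty path.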
Continue progress on use of external containers.
This PR adds the ability to mount, umount and list the
storage containers whether they are in libpod or not.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Includes disk-space increase for all Fedora images to accommodate
the static-build job disk space requirements. This job substantially
leverages task-cache, which was previously failing to restore early on
in the Cirrus-CI task setup, due to disk-space limitations.
Also simplify .cirrus.yml slightly by removing an unnecessary setup
and run directory change step.
Signed-off-by: Chris Evich <cevich@redhat.com>
On several occasions, fatal task failures were observed
during the upload of artifacts after an otherwise successful
testing. Prior to this commit, most tasks were storing both
logs and binary artifacts. Avoid possible major inconveniences
of upload failures, by only collecting binary artifacts when
necessary.
Signed-off-by: Chris Evich <cevich@redhat.com>
As of this commit, in Fedora 33, without `CAP_NET_ADMIN` and
`CAP_NET_RAW`, setting `net.ipv4.ping_group_range` is required in order for
the `ping` command to work inside a container. However, not all images'
`ping` commands are created equal. For whatever reason, the busybox version in
the busybox container image does not function. Switch to the Alpine
image's busybox ping, which seems to work fine.
Signed-off-by: Chris Evich <cevich@redhat.com>
Add a pull-request template that points to the section in the
contributing guidelines and to remind users to use the `[CI:DOCS]`
prefix if applicable.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
As part of this, we need two new functions, for retrieving all
aliases for a network and removing all aliases for a network,
both required to test.
Also, rework handling for some things the tests discovered were
broken (notably conflicts between container name and existing
aliases).
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
When using multiple filters, return a volume that matches any one of the used filters, rather than matching both of the filters.
This is for compatibility with docker's cli, and more importantly, the apiv2 compat endpoint
Closes #6765
Signed-off-by: Ashley Cui <acui@redhat.com>
Using a function like ContainSubstring or Equal is better because if
the test fails it will log a descriptive error that includes the
actual string generated during the test. This is more helpful than a
function like BeTrue that will only indicate that an assertion failed
without giving further details of the failure.
Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
Fedora does not have the ability in rootless to set cpu limits.
This requires a simple fix for Fedora 33 to pass CI tests.
Signed-off-by: baude <bbaude@redhat.com>
When --userns=keep-id is used, Podman is supposed to set up the home
directory of the user inside the container to match that on the host
as long as the home directory or any of its parents are marked as
volumes to be bind mounted into the container.
Currently, the test only considers the case where the home directory
itself is bind mounted into the container. It doesn't cover the Podman
code that walks through all the bind mounts looking for ancestors in
case the home directory itself wasn't specified as a bind mount.
Therefore, this improves the existing test added in commit
6ca8067956 ("Setup HOME environment when using --userns=keep-id")
Note that this test can't be run as root. The home directory of the
root user is /root, and its parent is /. Bind mounting the entire /
from the host into the container prevents it from starting:
Error: openat2 ``: No such file or directory: OCI not found
Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
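The ancestor walk the commit message refers to, as an added example written for this page (not podman's own code): starting at the host home directory and climbing to `/`, find the first bind mount whose source is the directory or one of its ancestors. The `Mount` type and the `ContainerHome` function are this example's own, and deriving the container-side path from the mount destination plus the relative remainder is this example's assumption; the commit message only states that HOME should match the host when the home directory or an ancestor is bind mounted.

```go
package main

import (
	"fmt"
	"path/filepath"
)

// Mount is a bind mount requested on the command line (constructed type
// for this example, not podman's representation).
type Mount struct {
	Source      string // path on the host
	Destination string // path inside the container
}

// ContainerHome walks from hostHome up to "/" and returns the container-side
// path of the home directory if hostHome itself, or any ancestor, is the
// source of a bind mount. The innermost matching mount wins. The mapping
// through Destination is an assumption of this example. Note that a mount
// with Source "/" is resolved here like any other, even though, as the
// commit message above notes, actually bind mounting "/" prevents the
// container from starting.
func ContainerHome(hostHome string, mounts []Mount) (string, bool) {
	hostHome = filepath.Clean(hostHome)
	for dir := hostHome; ; dir = filepath.Dir(dir) {
		for _, m := range mounts {
			if filepath.Clean(m.Source) != dir {
				continue
			}
			// rel is "." when the home directory itself is mounted.
			rel, err := filepath.Rel(dir, hostHome)
			if err != nil {
				return "", false
			}
			return filepath.Join(m.Destination, rel), true
		}
		// filepath.Dir("/") == "/": no more ancestors to check.
		if dir == filepath.Dir(dir) {
			return "", false
		}
	}
}

func main() {
	// Constructed inputs for illustration.
	fmt.Println(ContainerHome("/home/rishi", []Mount{{"/home/rishi", "/home/rishi"}}))
	fmt.Println(ContainerHome("/home/rishi", []Mount{{"/home", "/mnt/home"}}))
	fmt.Println(ContainerHome("/home/rishi", []Mount{{"/tmp", "/tmp"}}))
}
```

A test that only passes the home directory itself as a volume exercises the first loop iteration only; passing a parent such as `/home` is what drives the `filepath.Dir` climb.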
* renamed old API tests to not be discovered, they do not pass
* Updated the API tests to use a pristine storage configuration
* Skipped attach test, it needs to be re-written
Signed-off-by: Jhon Honce <jhonce@redhat.com>
if --userns=keep-id is specified and --user is not specified, take the
unprivileged capabilities code path so that ambient capabilities are
honored in the container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
if the kernel supports ambient capabilities (Linux 4.3+), also set
them when running with euid != 0.
This is different from what Moby does, as ambient capabilities are
never set.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Allow users to specify unbindable on volume command line
Switch internal mounts to rprivate to help prevent leaks.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We now use the `osusergo` build tag to not use the glibc functions which
occur in the warnings but rather the ones from Go's os/user package.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Currently it double counts connections because it's incrementing the
total for both the new and active states. Based on the comments, we
should only count new connections for the total count and perform the
timer stop actions when the connection has transitioned to an active
state.
Closes #8208
Signed-off-by: Alex Schultz <aschultz@redhat.com>
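The double count described above, reproduced against the real `net/http` `ConnState` hook as an added example (written for this page; not podman's server code): the buggy handler increments the total on both `StateNew` and `StateActive`, so one connection that goes idle and active again is counted several times and the total never returns to zero after it closes; the fixed handler counts only `StateNew` and performs the timer-stop action on `StateActive`. The `ConnCounter` type, its method names, and decrementing on `StateClosed`/`StateHijacked` are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"sync"
)

// ConnCounter tracks open connections for an idle-shutdown timer.
// Constructed for this example; field and method names are not podman's.
type ConnCounter struct {
	mu         sync.Mutex
	total      int // connections counted as open
	timerStops int // how many times the idle timer was stopped
}

// BuggyConnState counts a connection both when it is new and when it
// becomes active, so the total drifts upward and never reaches zero.
func (c *ConnCounter) BuggyConnState(_ net.Conn, s http.ConnState) {
	c.mu.Lock()
	defer c.mu.Unlock()
	switch s {
	case http.StateNew, http.StateActive:
		c.total++
		if s == http.StateActive {
			c.timerStops++ // stop the idle timer
		}
	case http.StateClosed, http.StateHijacked: // assumption: closed/hijacked releases the count
		c.total--
	}
}

// ConnState is the corrected hook: only StateNew adds to the total, and
// StateActive only performs the timer-stop action.
func (c *ConnCounter) ConnState(_ net.Conn, s http.ConnState) {
	c.mu.Lock()
	defer c.mu.Unlock()
	switch s {
	case http.StateNew:
		c.total++
	case http.StateActive:
		c.timerStops++ // stop the idle timer
	case http.StateClosed, http.StateHijacked:
		c.total--
	}
}

func (c *ConnCounter) Total() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.total
}

func (c *ConnCounter) TimerStops() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.timerStops
}

// Lifecycle is a constructed transition sequence for one keep-alive
// connection that serves two requests and then closes.
var Lifecycle = []http.ConnState{
	http.StateNew, http.StateActive, http.StateIdle,
	http.StateActive, http.StateIdle, http.StateClosed,
}

// Replay feeds the sequence to a hook as net/http would; the conn is nil
// because neither hook uses it.
func Replay(hook func(net.Conn, http.ConnState), states []http.ConnState) {
	for _, s := range states {
		hook(nil, s)
	}
}

func main() {
	buggy, fixed := &ConnCounter{}, &ConnCounter{}
	Replay(buggy.BuggyConnState, Lifecycle)
	Replay(fixed.ConnState, Lifecycle)
	fmt.Println("buggy total after close:", buggy.Total()) // stays above zero
	fmt.Println("fixed total after close:", fixed.Total()) // back to zero

	// Wiring the corrected hook into a server:
	srv := &http.Server{ConnState: fixed.ConnState}
	_ = srv
}
```

An idle timer driven by the buggy total would never fire once a single keep-alive connection had served more than one request, because the count never returns to zero.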
This is a continuation of #8189 and #8085.
When doing a `docker build` command, if the `--pull` command is not specified
or set to `false` the pullOption used is `PullifMissing`. This causes the
build to pull the image only if it is not present in local storage. It also will
raise an error if the image is not found in the registry (or the registry is down),
even if the image is present in local storage.
If the `--pull` command IS specified or specified with an argument of `true`, the
build will always pull the image from the registries. This uses the pullOption
`PullAlways`. It also will raise an error if the image is not found in the registry,
even if the image is present in local storage.
These changes now bring the pull functionality for `podman build` into line
with `docker build`.
However, I consider this to be a breaking change. Previously if you did
`podman build --pull`, `podman build` or `podman build --pull = true`, then
the image would be pulled from the registry if there was not an image in
local storage or if the image in the registry was newer than the one in
local storage. An error would *NOT* be raised if there was not an image in
the registry or the registry was down as long as there was a copy in the local
storage. An error would be raised if the image could not be retrieved from
both the registry and local storage. This is the PullOption `PullIfNewer`.
I believe this also differs from what Buildah does at this time but I'm too
beat to chase that down at the moment.
Personally I'd like to use the `PullIfNewer` for at least `--pull` and
`--pull=true` so that you don't get an error if the registry has a network
hiccup and the image is already stored locally. But this differs from Docker.
I'd like to post scrum about this at our next stand up to make sure we're
all on the same page about the ramifications of this change.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>