Commit Graph

280 Commits

Author SHA1 Message Date
Paul Holzinger
cdb178e954 cli: podman push --encryption-key use StringArray()
This option accepts a file path so we should allow commas in it.
Also add tests for --decryption-key

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-12-11 15:43:20 +01:00
Paul Holzinger
c5258d4630 cli: podman --hooks-dir use StringArray()
This option accepts a file path so we should allow commas in it.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-12-08 12:17:01 +01:00
Daniel J Walsh
62060f3234 Get masked paths and readonly masked patchs from containers/common
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-11-19 10:01:20 -05:00
Ed Santiago
d2a4ec867d Test fixes for debian
Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-11-16 15:14:36 -07:00
Ed Santiago
6b5b399121 CI: e2e: fix a smattering of test bugs that slipped in
...while Ed was napping:
 - create/run based on remote image: was not actually testing anything
 - create/run --tls-verify: ditto
 - run --decryption-key: sort of testing but not really
 - Fail(), not Skip(), if we can't start registry.
 - never Skip() halfway through a test: emit a message, and return

The Skip-in-the-middle thing deserves to be shouted from the rooftops.
Let's please never do that again. Skip() says "this entire test was
skipped", which can be misleading to a spelunker trying to track
down a problem related to those tests.

Also, more minor:
 - reduce use of port 5000
 - rename a confusingly-named test

Ref: #11205, #12009

Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-11-10 13:41:34 -07:00
Brent Baude
78798cab00 Automatic code cleanups - JetBrains
A bunch of cleanups as suggested by linters/etc in JetBrains IDE.

Signed-off-by: Brent Baude <bbaude@redhat.com>
2023-11-07 14:05:15 -06:00
Matthew Heon
be7dd128ef Mask /sys/devices/virtual/powercap
I don't really like this solution because it can't be undone by
`--security-opt unmask=all` but I don't see another way to make
this retroactive. We can potentially change things up to do this
the right way with 5.0 (actually have it in the list of masked
paths, as opposed to adding at spec finalization as now).

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2023-10-26 18:24:25 -04:00
Giuseppe Scrivano
f21c1d238d podman: run --replace prints only the new container id
print only the new container ID when using --replace instead of the
terminated container ID if it was stopped.

Closes: https://github.com/containers/podman/issues/20185

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2023-09-28 23:32:27 +02:00
Ed Santiago
e4b7455b72 e2e: ExitCleanly(): manual fixes to get tests working
Commit 2 of 2: fixes to get tests passing

Mostly reverting back to Exit(0) on tests that produce stderr,
adding stderr checks when those are missing.

One pretty big exception: "run check dns" test was completely
broken in many respects. It should never have worked under CNI,
but was passing because nslookup in that alpine image was
checking /etc/hosts. This has been fixed in subsequent alpine
images, which we're now using in this test (CITEST_IMAGE).

Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-09-26 08:47:16 -06:00
Ed Santiago
dbd946a932 e2e: ExitCleanly(): a few more
Commit 1 of 2: automated string replace Exit(0) -> ExitCleanly()

Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-09-26 08:47:16 -06:00
Giuseppe Scrivano
83b6975d10 test: fix rootless propagation test
the test works only when the user owns the outer mount namespace,
which is likely not the case when running in rootless mode.

Closes: https://github.com/containers/podman/issues/20076

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2023-09-21 21:33:27 +02:00
Giuseppe Scrivano
19bd9b33dd libpod: move oom_score_adj clamp to init
commit 8b4a79a744 introduced
oom_score_adj clamping when the container oom_score_adj value is lower
than the current one in a rootless environment.  Move the check to
init() time so it is performed every time the container starts and not
only when it is created.  It is more robust if the oom_score_adj value
is changed for the current user session.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2023-09-11 17:04:37 +02:00
Matthew Heon
2de22ebf0d Ensure volumes-from mounts override image volumes
We do not allow volumes and mounts to be placed at the same
location in the container, with create-time checks to ensure this
does not happen. User-added conflicts cannot be resolved (if the
user adds two separate mounts to, say, /myapp, we can't resolve
that contradiction and error), but for many other volume sources,
we can solve the contradiction ourselves via a priority
hierarchy. Image volumes come first, and are overridden by the
`--volumes-from` flag, which are overridden by user-added mounts,
etc, etc. The problem here is that we were not properly handling
volumes-from overriding image volumes. An inherited volume from
--volumes-from would supercede an image volume, but an inherited
mount would not. Solution is fortunately simple - just clear out
the map entry for the other type when adding volumes-from
volumes.

Makes me wish for Rust sum types - conflict resolution would be a
lot simpler if we could use a sum type for volumes and bind
mounts and thus have a single map instead of two maps, one for
each type.

Fixes #19529

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2023-08-07 15:04:33 -04:00
Daniel J Walsh
f256f4f954 Use constants for mount types
Inspired by https://github.com/containers/podman/pull/19238

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-07-14 07:17:21 -04:00
Paul Holzinger
34c258b419 libpod: fix timezone handling
The current way of bind mounting the host timezone file has problems.
Because /etc/localtime in the image may exist and is a symlink under
/usr/share/zoneinfo it will overwrite the targetfile. That confuses
timezone parses especially java where this approach does not work at
all. So we end up with an link which does not reflect the actual truth.

The better way is to just change the symlink in the image like it is
done on the host. However because not all images ship tzdata we cannot
rely on that either. So now we do both, when tzdata is installed then
use the symlink and if not we keep the current way of copying the host
timezone file in the container to /etc/localtime.

Also note that we need to rebuild the systemd image to include tzdata in
order to test this as our images do not contain the tzdata by default.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2149876

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-06-01 11:04:13 +02:00
Erik Sjölund
685c736185 source code comments and docs: fix typos, language, Markdown layout
- fix a/an before noun
- fix loose -> lose
- fix "the the"
- fix lets -> let's
- fix Markdown layout
- fix a few typos
- remove unnecessary text in troubleshooting.md

Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2023-05-22 07:52:16 +02:00
Paul Holzinger
ab29ff2f66 test/e2e: dedup Before/AfterEach nodes
There is no reason to define the same code every time in each file, just
use global nodes. This diff should speak for itself.

CleanupSecrets()/Volume() no longer call Cleanup() directly, as the
global AfterEach node will always call Cleanup() this is no longer
necessary. If one AfterEach() node fails it will still run the others.

Also always unset the CONTAINERS_CONF env vars. This prevents people
from forgetting to unset it. And fix the special CONTAINERS_CONF logic
in the system connection tests, we do not want to preserve
CONTAINERS_CONF anyway so just remove this logic.

Ginkgo orders the BeforeEach and AfterEach nodes. They will be executed
from the outer-most defined to inner-most. This means our global
BeforeEach is always first. Only then the inner one (in the Describe()
function in each file). For AfterEach it is inverted, from the inner to
the outer.
Also see https://onsi.github.io/ginkgo/#organizing-specs-with-container-nodes

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-05-15 16:56:18 +02:00
Matt Heon
2c0f404826 Do not include image annotations when building spec
These annotations can have security implications - crun, for
example, allows rootless containers to preserve the user's groups
through an annotation. We absolutely should not include
annotations from an untrusted image off the internet by default.

We may consider whitelisting some annotations (e.g. the legacy
WASM annotations), but given that there is now a more explicit
way of specifying an image uses the WASM runtime in the OCI image
spec, I'm just tearing this out entirely for now.

Signed-off-by: Matt Heon <mheon@redhat.com>
2023-05-11 23:48:23 -04:00
Ed Santiago
3050a64373 e2e test cleanup
- fix a typo that was resulting in a test being a NOP, and
   add actual testing to it.

 - fix two Expects() with incorrectly-ordered actual/expects

 - remove leading whitespace from an It() test name

 - To(BeTrue()) is evil. Wherever possible, replace it with
   useful string or field checks. When not possible, use
   the annotation field to indicate what failed. I got
   carried away here, #sorrynotsorry

 - remove unused system-test code

Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-05-02 08:36:26 -06:00
Paul Holzinger
fb7a96638c test/e2e: switch to GinkgoWriter
Directly writing to stdout/err is not safe when run in parallel.
Ginkgo v2 fixed this buffering the output and syncing the output so it
is not mangled between tests.

This means we should use the GinkgoWriter everywhere to make sure the
output stays in sync.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-05-02 11:27:38 +02:00
Paul Holzinger
c564d9d7af ginkgo v2: remove CurrentGinkgoTestDescription()
This function is deprecated and replaced with CurrentSpecReport().
Also fix inconsitent callers.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-05-02 11:27:36 +02:00
Paul Holzinger
445815036f update to ginkgo v2
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-05-02 11:27:35 +02:00
Chris Evich
e8f34e4579 Add name-generation test
Podman's container-name generation depends on the global RNG state being
properly initialized (seeded).  Should this not happen for some reason
(or it's seeded with a static value), podman will generate the exact
same repeating sequence of container names (assuming no clashes with
existing containers).  Add a test to confirm this is always the case.

Signed-off-by: Chris Evich <cevich@redhat.com>
2023-04-28 16:30:01 -04:00
Ed Santiago
eeb210bc56 e2e: remove "-it" from podman run & exec
...at least as many as possible. "run/exec -it" make no sense
in a CI environment; I believe the vast majority of these are
the result of fingers typing on autopilot, then copy/pasting
cascades from those. This PR gets rid of as many -it/-ti as
possible. Some are still needed for testing purposes.

Y'all have no idea how much I hate #10927 (the "no logs from conmon"
flake). This does not fix the underlying problem, nor does it even
eliminate the flake (The "exec terminal doesn't hang" test needs
to keep the -ti flag, and that's one of the most popular flakers).
But this at least reduces the scope of the problem. It also removes
a ton of nasty orange "input device is not a TTY" warnings from logs.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-04-26 09:21:02 -06:00
Valentin Rothberg
5f86fae71f vendor containers/common@main
Also adjust the e2e tests to account for SYS_CHROOT having made it back
to the default caps.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-03-23 15:16:57 +01:00
danishprakash
0999991b20 add support for limiting tmpfs size for systemd-specific mnts
* add tests
* add documentation for --shm-size-systemd
* add support for both pod and standalone run

Signed-off-by: danishprakash <danish.prakash@suse.com>
2023-02-14 14:56:09 +05:30
Toshiki Sonoda
17b5bd758d e2e: use isRootless() instead of rootless.IsRootless()
Unify the functions used to detect rootless to "isRootless()".
This function can detect to join the user namespace by mistake.

Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
2023-01-18 10:34:51 +09:00
Matthew Heon
1ab833fb73 Set StoppedByUser earlier in the process of stopping
The StoppedByUser variable indicates that the container was
requested to stop by a user. It's used to prevent restart policy
from firing (so that a restart=always container won't restart if
the user does a `podman stop`. The problem is we were setting it
*very* late in the stop() function. Originally, this was fine,
but after the changes to add the new Stopping state, the logic
that triggered restart policy was firing before StoppedByUser was
even set - so the container would still restart.

Setting it earlier shouldn't hurt anything and guarantees that
checks will see that the container was stopped manually.

Fixes #17069

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2023-01-12 14:45:34 -05:00
Paul Holzinger
8e05caef6c ginkgo tests: apply ginkgolinter fixes
New fixes since my last commit 2ddf1c5cbd.

https://github.com/nunnatsa/ginkgolinter

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-12-20 16:47:17 +01:00
Daniel J Walsh
80de850817 Stop recording annotations set to false
False is the assumed value, and inspect and podman generate kube are
being cluttered with a ton of annotations that indicate nothing.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-12-19 16:07:33 -05:00
Daniel J Walsh
3718ac8e96 Vendor in latest containers/common with default capabilities
Also update vendor of containers/storage and image

Cleanup display of added/dropped capabilties as well

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-12-15 14:28:30 -05:00
OpenShift Merge Robot
c1db4f85ae Merge pull request #16329 from gupttaru/encryption-decryption-feature
Add encryption decryption feature
2022-11-28 06:33:59 -05:00
Paul Holzinger
2ddf1c5cbd ginkgo tests: apply ginkgolinter fixes
I found the ginkgolinter[1] by accident, this looks for not optimal
matching and suggest how to do it better.

Overall these fixes seem to be all correct and they will give much
better error messages when something fails.
Check out the repo to see what the linter reports.

[1] https://github.com/nunnatsa/ginkgolinter

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-11-25 14:41:43 +01:00
gupttaru
3bb9ed4f09 Adding encryption decryption feature
Signed-off-by: Tarun1 Gupta <gupttaru@deshaw.com>
2022-11-24 04:53:59 -05:00
Chris Evich
d968f3fe09 Replace deprecated ioutil
Package `io/ioutil` was deprecated in golang 1.16, preventing podman from
building under Fedora 37.  Fortunately, functionality identical
replacements are provided by the packages `io` and `os`.  Replace all
usage of all `io/ioutil` symbols with appropriate substitutions
according to the golang docs.

Signed-off-by: Chris Evich <cevich@redhat.com>
2022-09-20 15:34:27 -04:00
Kir Kolyshkin
75740be395 all: stop using deprecated GenerateNonCryptoID
In view of https://github.com/containers/storage/pull/1337, do this:

	for f in $(git grep -l stringid.GenerateNonCryptoID | grep -v '^vendor/'); do
		sed -i 's/stringid.GenerateNonCryptoID/stringid.GenerateRandomID/g' $f;
	done

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-09-13 16:26:26 -07:00
Matthew Heon
d82a41687e Add container GID to additional groups
Mitigates a potential permissions issue. Mirrors Buildah PR #4200
and CRI-O PR #6159.

Signed-off-by: Matthew Heon <mheon@redhat.com>
2022-09-02 15:51:36 -04:00
Giuseppe Scrivano
35b4f26c70 test: use private instead of slave for the mount
using "slave" means that every mount operation on the host that
happens between the mount creation for `/host` and running `findmnt`
will be propagated to the container mount.  To prevent new mounts on
the host to appear in the container thus invalidating the test we
have, just create the mount as private and use `/sys` as source as it
has multiple mounts on the top but less likely to get new mounts once
it is configured.

Closes: https://github.com/containers/podman/issues/15241

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-08-24 22:24:09 +02:00
Giuseppe Scrivano
ea67d84f5a test: fix comment
it is not a kernel bug.

Rootless users are not allowed to use non recursive bind mounts,
otherwise they would be able to uncover mounts that were not visible
before to them.

[CI:DOCS] it is just a comment fix.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2022-08-24 17:39:15 +02:00
Ed Santiago
94e0a364a8 Semiperiodoc cleanup of obsolete FIXMEs
Some refer to issues that are closed. Remove them.

Some are runc bugs that will never be fixed. Say so, and remove
the FIXME.

One (bps/iops) should probably be fixed. File an issue for it, and
update comment to include the issue# so my find-obsolete-skips script
can track it.

And one (rootless mount with a "kernel bug?" comment) is still
not fixed. Leave the skip, but add a comment documenting the symptom.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2022-07-25 13:08:35 -06:00
Charlie Doern
ad8940cecf fix container create/run throttle devices
pod resource limits introduced a regression where `FinishThrottleDevices` was not called for create/run

Signed-off-by: Charlie Doern <cdoern@redhat.com>
2022-07-22 11:42:51 -04:00
Ed Santiago
0a160fed77 Bump VMs, to Ubuntu 2204 with cgroups v1
...and enable the at-test-time confirmation, the one that
double-checks that if CI requests runc we actually use runc.
This exposed a nasty surprise in our setup: there are steps to
define $OCI_RUNTIME, but that's actually a total fakeout!
OCI_RUNTIME is used only in e2e tests, it has no effect
whatsoever on actual podman itself as invoked via command
line such as in system tests. Solution: use containers.conf

Given how fragile all this runtime stuff is, I've also added
new tests (e2e and system) that will check $CI_DESIRED_RUNTIME.

Image source: https://github.com/containers/automation_images/pull/146

Since we haven't actually been testing with runc, we need
to fix a few tests:

  - handle an error-message change (make it work in both crun and runc)
  - skip one system test, "survive service stop", that doesn't
    work with runc and I don't think we care.

...and skip a bunch, filing issues for each:

  - #15013 pod create --share-parent
  - #15014 timeout in dd
  - #15015 checkpoint tests time out under $CONTAINER
  - #15017 networking timeout with registry
  - #15018 restore --pod gripes about missing --pod
  - #15025 run --uidmap broken
  - #15027 pod inspect cgrouppath broken
  - ...and a bunch more ("podman pause") that probably don't
    even merit filing an issue.

Also, use /dev/urandom in one test (was: /dev/random) because
the test is timing out and /dev/urandom does not block. (But
the test is still timing out anyway, even with this change)

Also, as part of the VM switch we are now using go 1.18 (up
from 1.17) and this broke the gitlab tests. Thanks to @Luap99
for a quick fix.

Also, slight tweak to #15021: include the timeout value, and
reword message so command string is at end.

Also, fixed a misspelling in a test name.

Fixes: #14833

Signed-off-by: Ed Santiago <santiago@redhat.com>
2022-07-21 20:08:32 -06:00
Ed Santiago
4fd5fb97a0 e2e tests: cleanup: capitalize CONSTANTS
A number of standard image names were lower-case, leading to
confusion in code such as:

    registry := podman(... , "-n", "registry", registry, ...)
    ^--- variable                              ^---- constant

Fix a number of those to be capitalized and with _IMAGE suffix:

    registry := podman(...,                    REGISTRY_IMAGE

Signed-off-by: Ed Santiago <santiago@redhat.com>
2022-07-05 15:36:08 -06:00
Sascha Grunert
251d91699d libpod: switch to golang native error wrapping
We now use the golang error wrapping format specifier `%w` instead of
the deprecated github.com/pkg/errors package.

[NO NEW TESTS NEEDED]

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2022-07-05 16:06:32 +02:00
Aditya R
efe1176dd9 specgen,run: support running container from valid manifest list
Following PR adds support for running containers from a manifest list
present on localstorage. Before this PR podman only supports running
containers from valid images but not from manifest list.

So `podman run -it --platform <some> <manifest-list> command` should
become functional now and users should be able to resolve images on the
bases of provided `--platform` string.

Example
```
podman manifest create test
podman build --platform linux/amd64,linux/arm64 --manifest test .
podman run --rm --platform linux/arm64/v8 test uname -a
```

Closes: https://github.com/containers/podman/issues/14773

Signed-off-by: Aditya R <arajan@redhat.com>
2022-07-05 12:39:37 +05:30
Erik Sjölund
24fcfb5d9e Fix spelling "read only" -> "read-only"
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2022-07-02 08:37:43 +02:00
Valentin Rothberg
633d5f1f8b fix --init with /dev bind mount
The init binary until now has been bind-mounted to /dev/init which
breaks when bind-mounting to /dev.  Instead mount the init to
/run/podman-init.  The reasoning for using /run is that it is already
used for other runtime data such as secrets.

Fixes: #14251
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2022-05-23 13:59:05 +02:00
Paul Holzinger
a48c37df37 fix broken hooks-dir test
The test has been broken since it was added 4 years ago. Instead of
using hardcoded paths we should use tmp files.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-04-29 14:06:54 +02:00
Paul Holzinger
69c479b16e enable errcheck linter
The errcheck linter makes sure that errors are always check and not
ignored by accident. It spotted a lot of unchecked errors, mostly in the
tests but also some real problem in the code.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-04-29 14:06:38 +02:00
Ed Santiago
b3f38c31b2 Ginkgo: use HaveField() for better error checking
This is a very late followup to my ginkgo-improving work of 2021.
It has been stuck since December because it requires gomega 1.17,
which we've just enabled.

This commit is simply a copy-paste of a command I saved in
my TODO list many months ago:

     sed -i -e 's/Expect(\([^ ]\+\)\.\([a-zA-Z0-9]\+\))\.To(Equal(/Expect(\1).To(HaveField(\"\2\", /' test/e2e/*_test.go

Signed-off-by: Ed Santiago <santiago@redhat.com>
2022-04-28 05:41:53 -06:00