NormalizeVolumePruneFilters discarded every query filter when the "all"
pseudo-filter was set, deleting label/label!/until before they reached the
volume filter generator. As a result `podman volume prune --all --filter
label=foo` ignored the label and pruned every unused volume.
"all" only widens the prune scope from anonymous-only to all unused volumes;
it is orthogonal to the label filters, which must still select which of those
volumes are removed. Drop only the "all" key and keep the remaining filters so
they continue to apply.
NormalizeVolumePruneFilters is shared by the local (abi), remote (libpod API),
and Docker-compat prune paths, so all three were affected.
Signed-off-by: Shuai Yuan <shuaiyuanzju@gmail.com>
Checking the state outside of locks is not safe and does not guarantee
us anything as the container could be stopped afterwards anyways.
So just skip the state check and then later in the exec logic we do the
same check again and return ErrCtrStateInvalid so just handle that
afterwards.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When checkpointing a container with --leave-running, libpod dumps the
container's memory via the OCI runtime (CRIU) first and only captures
the rootfs diff and named volumes afterwards. CRIU thaws the container
as soon as the memory dump finishes, so the processes inside the
container continue to run between the memory snapshot and the
file-system capture. As a result, the checkpoint can be inconsistent:
have CRIU images and a file system that reflect different points in time.
To fix this, we freeze the container's cgroup before invoking the OCI
runtime and thaw it again only after the checkpoint image/archive has
been written. The OCI runtime calls CRIU with the freezer cgroup and
restores it to its previous state once the dump completes, so a
container that was already frozen stays frozen across the dump and
the file system is captured at the same instant as the CRIU images.
This mirrors the approach other engines (e.g. CRI-O and containerd).
The default (stopping) checkpoint functionality is not affected by this
issue because CRIU leaves the tasks dead after the dump.
This patch also adds a regression test for the consistency of live
(--leave-running) checkpoints. The container runs a workload that
keeps an in-memory counter in sync with a value written to a file
on its root file system, maintaining the invariant that the on-disk
value never gets ahead of the in-memory counter.
Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
Add `--ignore` to `podman network rm` so removing a missing
network returns success instead of exit code 1.
Keep existing error behavior for networks in use and other failures.
This commit message was translated from Korean to English using an LLM.
Fixes: #28363
Signed-off-by: KyounghoonJang <matkimchi_@naver.com>
This patch adds retry plumbing for podman manifest push.
CLI flags added: --retry and --retry-delay
Flags are read into ImagePushOptions and passed through the local ABI path
Remote clients and REST API now respect retry settings (retry / retryDelay)
retry-delay is parsed with time.ParseDuration
Defaults fall back to containers.conf when the flags are not set
Updated manpages, Swagger comments, and e2e tests to validate retry behavior
Fixes: #28590
Signed-off-by: Valen Torassa <valentintorassacolombero@gmail.com>
For most callers podman run -d already makes sure the container runs so
this does nothing and only slows the test down.
For the signal test we can instead check for container output which is
better as we know the pid1 is actually ready to get the signal.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We do not use this anywhere to run as a different uid. In fact it should
not be supported as it would run without a proper systemd session for
example.
Because we run the test suite as root and a rootless user in CI there is
no need for a specific test to run podman as a different user here.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We hard require netavark v2 to run with podman 6, as such it makes
little sense to guard just a specific set of tests.
Remove the helper to remove some code and skip the podman info call to
also speed it up a bit.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Right now the tmpdir for the test and cli are are the same and worse the
root/runroot directories are subdirectories of the tmpdir so tests can
create conflicting files.
Also for rootless remote builds this cuases problems for all tests which
uses the main tmpdir as context dir as they then try to copy the storage
files with different uids which will fail. Commit 79e7b0f6fd tried to
work around it but it is not enough as much more tests use this pattern.
So to fix this once and for all properly separate them. And then fixup a
few test cases that depended on the wrong value and make them use the
proper root value directly.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add a podman volume rename command, REST API endpoint, and bindings for renaming volumes.
The rename updates both the VolumeConfig and VolumeState tables in a single transaction and moves the volume directory on disk, rolling back if the transaction fails. Renaming an anonymous volume converts it to a named volume. Volumes that are in use, mounted, or backed by a volume plugin or the image driver cannot be renamed.
Fixes: #28189
Signed-off-by: MayorFaj <mayorfaj@gmail.com>
So when running remote and rootless tests the buildImage() thing has one
big problem because it used the main test tmpdir as context.
However that dir also holds all the image layers with files that are
owned by other uids and because podman-remote does not use the userns it
cannot read some files and then fails when trying to tar up the context
dir.
To fix this use an extra sub directory. Now because some tests where
using the parent directory to supply context files just switch the
callers so they have full control still.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
By default we run tests in parallel so when we mount test/certs with the
":Z" option it means only one container can read it, depending on the
startup times this can mean the container fails to start. I observed
this error in a CI run:
level=fatal msg="open /certs/domain.crt: permission denied"
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Because we use hard coded names anyway we might as well skip the extra
command execution here that happened for each test.
Just inline a valid htpasswd line. Also remove the extra sync call,
there is no reason whatsoever for this file to be synced.
For cp there is also no reason at all to call an external command. Worse
the command also was never checked for errors.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
log_path is currently set at the client side and is ignored by
the server in a remote session. This leads to either incorrect log_path
being considered by the server or not honored at all. Move the handling
from client to the server, in line with other flags such as log_driver.
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
Add CDI information to podman info and podman system info.
The host info now includes the configured CDI spec directories and the
currently discovered CDI devices. The devices are resolved when the info
endpoint is called and there is no need to refresh these in the background.
Also map the same data into the Docker-compatible /info response as CDISpecDirs and DiscoveredDevices.
Signed-off-by: Evan Lezar <elezar@nvidia.com>
`podman run -ti` warns when stdin is not a tty, but if the container is
run in detached state that warning does not make much sense: we just
need the environment where podman attach will be run to be a tty.
Running with `-ti` even in detached state can make sense to avoid
applications buffering their output (for realtime logs) or allowing
later interaction and should not warn users.
Also remove the comment saying that warning will become fatal, as there
seems to be agreement that such a breaking change will not be made
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
With a high parallel node run we have much more test cases run in
parallel, as such I am seeing a lot of network subnet flakes as they
were using the same one and thus failed since there can only be one
config using it at a time.
Now hard coding this here is ugly, yes. But for now I just need to get
the flakes down in the new CI. Long term we should likely have a helper
that hands out known unused subnets for the tests.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Add support for blackhole, unreachable, and prohibit route types in podman
networks. These route types allow silently discarding packets (blackhole),
rejecting with destination unreachable (unreachable), or rejecting with
administratively prohibited (prohibit).
Note: Blackhole routes require netavark >= 2.0.0. Regular unicast routes
remain backward compatible with all netavark versions.
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
<MH: Rebased atop latest main & fixed cherry-pick conflicts>
Signed-off-by: Matt Heon <matthew.heon@pm.me>
This seems to flake in the parallel CI runs as another process might
also use 8080 already.
We can use any port here so use GetPort() which should give us a
conflict free one.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This is really not nice but it is a quick fix to avoid more flakes.
The 10.11.12.0/24 was used by several tests and podman will only allow
the network to be created once with a given subnet so we need to ensure
they are conflict free, otherwise in parallel runs they will fail
randomly.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The container prints "Failed to set RLIMIT_CORE: Operation not permitted"
I do not know why this fails when run with sudo but lets just skip it it
for now.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The test assumes a local id_ed25519 ssh key exists and is setup to
connect to its own user. That is basically never the case locally so the
test is broken by design.
If the test should run in some special CI setup where that is the case
we need to enable it and guard based on that later.
For now I just like to get the lima VM tests passing.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The pasta_t SELinux domain is denied { create } for pasta.sock
on ifconfig_var_run_t directories. Disable all pasta forwarder
tests (BATS + e2e) until a new passt release ships the fix.
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
Using os.Is{Exist,NotExist,Permission} checks is not recommended in the
new code (see official documentation). While using it in the existing
code is OK, it may still result in a subtle errors later (for a specific
example of that, see [1]).
Replace those with errors.Is.
Generated by:
gofmt -r 'os.IsExist(a) -> errors.Is(a, os.ErrExist)' -w .
gofmt -r 'os.IsNotExist(a) -> errors.Is(a, os.ErrNotExist)' -w .
gofmt -r 'os.IsPermission(a) -> errors.Is(a, os.ErrPermission)' -w .
goimports -w .
git diff vendor test/tools/vendor | patch -p1 -R
[1]: https://github.com/opencontainers/runc/pull/5061
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Add rootless_port_forwarder="pasta" option that uses pesto to update
pasta's forwarding table via UNIX socket, preserving source IPs that
rootlessport's userspace proxy masks.
HostIP is stripped from port mappings in the netavark wrapper when
pasta forwarding is active because pesto handles host-side binding
while pasta's splice changes the destination IP that netavark DNAT
expects. Pesto binds both 0.0.0.0 and [::] for dual-stack support.
Fixes: https://redhat.atlassian.net/browse/RUN-2214
Fixes: https://github.com/containers/podman/issues/8193
Fixes: https://redhat.atlassian.net/browse/RUN-3587
Signed-off-by: Jan Rodák <hony.com@seznam.cz>