The main purpose of the transient services/timers is to trigger the
healthcheck execution in regular intervals; their own state should
not depend on the result of the healthchecks. This way there are no
failing systemd services unless there is actually a fatal error.
Signed-off-by: Patrick Wicki <patrick.wicki@siemens.com>
This is useful for triggering the execution of a healthcheck
without caring about its result as long as no fatal error occurred.
Signed-off-by: Patrick Wicki <patrick.wicki@siemens.com>
With the config file rewrite we now get other error messages so fix the
tests.
Also note the shell completion test is skipped for now as the logic to
get the directories is not yet exposed in container-libs. I enable that
later.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Remove test cases that only tested CNI-specific functionality:
- Remove "podman --cni-config-dir backwards compat" test
- Remove "podman CNI network create with internal should not have dnsname" test
Update CNI-specific test names to be network-backend agnostic:
- Rename "podman inspect container single CNI network" to "podman inspect container single network"
- Rename "podman inspect container two CNI networks (container not running)" to "podman inspect container two networks (container not running)"
- Rename "podman inspect container two CNI networks" to "podman inspect container two networks"
- Rename "podman run in custom CNI network with --static-ip" to "podman run in custom network with --static-ip"
- Rename "podman rootless cni adds /usr/sbin to PATH" to "podman rootless adds /usr/sbin to PATH"
Update test content to be backend-agnostic:
- Update skip reasons from "Requires root CNI networking" to "Requires root networking"
- Change --rootless-cni flag usage to --rootless-netns
- Update comments from "CNI network" to "network"
- Update comments from "iptables" to "nftables" for netavark
- Update test assertions to remove CNI-specific messaging
Remove CNI-related test documentation and comments:
- Remove commented-out CNI error messages from Python API tests
- Remove CNI network namespace error documentation from upgrade tests
- Remove CNI-related comments from BATS tests
Remove unused import of github.com/containernetworking/plugins/pkg/ns
from test/e2e/run_networking_test.go (test-only usage).
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
use name_to_handle_at and open_by_handle_at to persist rootless
namespaces without needing a pause process.
The namespace file handles are stored in a file and can be used to
rejoin the namespaces, as long as the namespaces still exist.
Fall back to the pause process approach only when the kernel doesn't
support nsfs handles (EOPNOTSUPP).
The feature is currently only enabled when the PODMAN_NO_PAUSE_PROCESS
environment variable is set.
These changes in the kernel are required (landed in Linux 6.18):
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3ab378cfa793
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The test for issue #19800 depended on finding a system user with an
octal UID. This approach was fragile because system users found on the
host may have a different UID in the testing image.
Use the rootless user ID instead which is likely to be octal anyway as
new user IDs start with 1000.
Signed-off-by: Ricardo Branco <rbranco@suse.de>
We do not use that package that we install for the test anyway and doing
this networking connection is causing heavy flakes at the moment.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It fails due to SELinux; it is unclear why, so I filed #27759 for now to
track that so we can get the image update merged.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
There are two fields I'm worried about: shared namespaces and pod
containers. Both are generated via loops over maps and are thus
non-deterministic in ordering. Throw a sort on each to fix the
order so we can actually diff `podman pod inspect` output.
Signed-off-by: Matt Heon <mheon@redhat.com>
By default, systemd sets a limit of how many times a service can start,
which means that if you have a healthcheck that runs more often than the
limits, systemd will refuse to start it with a message like "Start request
repeated too quickly." emitted to the journal.
Signed-off-by: Winter M <winter@antithesis.com>
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When trying to join the conmon pid to recreate the pause process based
on the namespace it can be that the pid is no longer valid, i.e. when
conmon crashed or was killed.
Currently we have a big issue that can be reproduced using:
$ podman run -d quay.io/libpod/testimage:20241011 sleep 100
$ killall -9 conmon
$ killall catatonit
All commands would fail as we keep trying to rejoin the namespace of the
non-existing conmon process.
So to address that, fall back to creating a new namespace if we fail to
join the conmon pids.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
- remove old CLI validation that only checked --pod flag
- add validation in namespaces.go to catch all paths (cli, quadlet, api)
- block userns mixing for all pods with infra, not just ipc/net
- update error message to be clearer
- fix test cleanup to use PodmanExitCleanly()
- use dynamic pod names in system tests to avoid conflicts
fixes #26848
Signed-off-by: 0xdvc <neilohene@gmail.com>
Remove skip_if_rootless_cgroupsv1 call from quadlet tests since
cgroupsv1 is deprecated and no longer needs special handling
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
Quadlets installed from a `.quadlet` file now belong to a single
application; any one file removed from this application removes all the
other files as well.
Assisted by: claude-4-sonnet
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
Enable installing multiple quadlets from one file using '---' delimiters.
Each section requires '# FileName=<name>' comment for custom naming.
Single quadlet files remain unchanged for backward compatibility.
Assisted by: claude-4-sonnet
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
This got broken during the remote testing rewrite to enable tls testing
in commit feb36e4fe6. The problem is the function didn't use the proper
podman command with the remote arg so it tried to connect to the default
socket with remote testing.
And in the checkpoint file we use it before the PODMAN_CMD was defined
so fix this by moving the basic_setup before and then use the variable
PODMAN_RUNTIME instead of having to do another info call.
Also fix the debug log output to correctly log the podman commands with
all arguments on a single line.
Fixes: feb36e4fe6 ("Implement TLS API Support")
Fixes: #27266
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Make sure to remove the artifact but we don't need to remove the
testfiles as they are part under PODMAN_TMPDIR which gets removed by
default so don't bother with that.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
- use nanoseconds, so we don't need to sleep a full second to put the
time forward.
- use the --format option instead of jq
- run test via remote as well
- don't use static file content
Fixes: #27265
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Somehow this only flakes on debian as it seems the /etc/hosts file on the
host system changes and thus causes a false positive with the
before/after restore comparison.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The remote client (podman --remote) was incorrectly throwing an error
when --detach-keys="" was specified for attach, run, or start commands.
According to documentation and the v1.7.0 release notes, specifying an
empty string should disable detaching, not cause an error.
Fixes: #27414
Signed-off-by: shiavm006 <shivammittal42006@gmail.com>