Bump Buildah to v1.43.2 in prepration of the next Podman v5.8 release.
Also includes the changes from 47ab0f1e94
And adjustments to test/buildah-bud/buildah-tests.diff
Signed-off-by: Tom Sweeney <tsweeney@redhat.com>
It does not seem to work in the new CI system right now.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 30aaf14abb)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Since commit def70012b9 git-validation is only used to check if the
commit subject is less than 90 characters.
Drop the vendored git-validation Go tool and the .gitvalidation make
target in favor of hack/commit-subject-check.sh.
This removes a Go build dependency and a vendored tree from
test/tools/ while keeping the same CI and local behavior.
Note the now-removed GIT_CHECK_EXCLUDE was not used by gitvalidation
since commit def70012b9 because it was not checking any specific
files, just the commit subject lengths.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f45b4c506a)
[manually fixed merge conflicts]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Using os.Is{Exist,NotExist,Permission} checks is not recommended in the
new code (see official documentation). While using it in the existing
code is OK, it may still result in a subtle errors later (for a specific
example of that, see [1]).
Replace those with errors.Is.
Generated by:
gofmt -r 'os.IsExist(a) -> errors.Is(a, os.ErrExist)' -w .
gofmt -r 'os.IsNotExist(a) -> errors.Is(a, os.ErrNotExist)' -w .
gofmt -r 'os.IsPermission(a) -> errors.Is(a, os.ErrPermission)' -w .
goimports -w .
git diff vendor test/tools/vendor | patch -p1 -R
[1]: https://github.com/opencontainers/runc/pull/5061
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 7f7b35356f)
[Added extra replacements manually that were only in the 5.8 tree]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The test flakes on the socat pid kill when the pid already exited.
Because the timeout is just 10s we can just bump it to something loinger
to ensure the process is still alive when we kill it. Also move it up a
bit so the kill happens earlier.
I observed multiple time failing with test times of 11s+. This should be
enough to make it work properly.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit c1ffafe5b7)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
In the new CI with run with many parallel jobs (8) and that is messing
up timings a fair but, any command might take unexpected long to
scheduling delays and lock holding by other tests.
Any test doing a podman ps -a while need to take all container locks
for example and that then can delay the stop command an unknown amount
of time, bump the timeout to 8 and use a higher stop timeout so we are
still testing that we exit before the wait timeout is reached.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 48594b61c8)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This started to fail on fedora rawhide with kernel 7.1. I have not
looked into why exactly why but the theory from commit 12d40777f0
is likely related. What I do not get is why this tests seem to pass
elsewhere, i.e. it passes in openQA and testing farm but not in our
custom lima based VMs.
Lets hope this works better.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit f9db3cbd2b)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It is possible that the background podman stop -t 1 completes before we
get to podman kill making the kill fail as the container is not running.
The result is this error in the test:
"Error: can only kill running containers. xxx is in state exited: container state improper"
We can just bump the stop timeout to have a larger time where we can
trigger kill on a stopping container.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit c4c2778776)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The problem is by default we create the systemd timers and run hc in the
background. This means any tests who depend on exact hc timing can get
broken by this so use the DISABLE_HC_SYSTEMD=true env which makes podman
skip creating the systemd timers but still allows you to manually run
the commands.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit ea51ae7305)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
With a high parallel node run we have much more test cases run in
parallel, as such I am seeing a lot of network subnet flakes as they
were using the same one and thus failed since there can only be one
config using it at a time.
Now hard coding this here is ugly, yes. But for now I just need to get
the flakes down in the new CI. Long term we should likely have a helper
that hands out known unused subnets for the tests.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit a2581cc82f)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
In parallel runs the timings might be a bit slower than normal. Increase
the timeout here, it should not affect the test as we use a 20s stop
timeout which is more than the ready loop which uses 5s now.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit d1d0c84a56)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
podman ps -a causes unexpected timing delays as it tries to take locks for
all containers and parallel tests may cause it to block for a while.
In CI logs I see ps -a take over 3 seconds which is enough to mess with
the expect time and make the test fail. Since testing the ps -a output
as part of the test just switch the test to not run in parallel.
This failed with "delta t between paused and restarted" where it took 10
seconds instead of the max expected 6 seconds.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit b498cefd5c)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This is a long standing flake but I see it again in the lima CI, the
problem seems to happen when we stop the container before the background
healthcheck fires.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 90ba6562d5)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
In highly parallel runs this can fail its timeout due the fact that we
run podman ps -a which takes all contianer locks, even the ones from
unrelated tests. thus this command can take a long time, from a CI log I
see:
[18:22:30.932958589] # /var/tmp/podman/bin/podman ps -a
[18:22:34.338904713] CONTAINER ID IMAGE
So like a 4s delay just on that and hence the test later failed with
"Operations took too long" as it took 7 seconds overall.
So since we know podman inspect takes the lock just keep that and not
try to get all containers for no reason.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 34137c40f6)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This seems to flake in the parallel CI runs as another process might
also use 8080 already.
We can use any port here so use GetPort() which should give us a
conflict free one.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 472c53b122)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
I saw this already in openQA and now with the new rawhide images we hit
it in upstream as well. Skip this for now to not cause so many flakes.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 0dbe00d272)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This is really not nice but it is a quick fix to avoid more flakes.
The 10.11.12.0/24 was used by several tests and podman will only allow
the network to be created once with a given subnet so we need to ensure
they are conflict free, otherwise in parallel runs they will fail
randomly.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 97d0279e94)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The container prints "Failed to set RLIMIT_CORE: Operation not permitted"
I do not know why this fails when run with sudo but lets just skip it it
for now.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 07e257e7f6)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The test assumes a local id_ed25519 ssh key exists and is setup to
connect to its own user. That is basically never the case locally so the
test is broken by design.
If the test should run in some special CI setup where that is the case
we need to enable it and guard based on that later.
For now I just like to get the lima VM tests passing.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 1de60ebf7b)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The test assumed /home/$USER == $HOME which may not be the case. In fact
it is not the case in the new lima VM runners.
Fix the test to actually use the path we want to test for, $HOME.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 39ee9baf66)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It is not working in all ipv6 setups. In the new lima testing env
default_addr is just null causing the test to fail because the container
address was "fec0::5055:55ff:fe2b:6cc9".
For now skip this until we can figure something better out.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 9aca6010ee)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
As found in fedora openQA testing on the kernel update this test fails
due a selinux denial.
The kernel now correctly checks the backing fs selinux context in all
cases. See kernel commit 82544d36b172 (selinux: fix overlayfs mmap()
and mprotect() access checks).
The test tries to access another container so the selinux level will
be different from the quadlet roofs container and therefore fail to
access the files.
To fix this we should be able to just use the regular image mount which
has a level all containers can access. The comment that this is not
parallel safe is untrue, mounts are reference counted so this should not
get unmounted all of the sudden by another test.
In fact we have another --rootfs test case where we do this and it
passed in openQA, see "podman run - check workdir".
Fixes: #28602
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
(cherry picked from commit 12d40777f0)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Verify that creating a secret with driver=shell and no --driver-opts
does not inherit the file driver's default path option. Before the fix,
this produced "invalid shell driver option"; after, it correctly fails
with "missing config value" for unconfigured shell commands.
Signed-off-by: Joe Doss <joe@solidadmin.com>
(cherry picked from commit 8b905613b5)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Setting Entrypoint= (empty value) in a quadlet .container file should
produce --entrypoint "" in the generated podman command, which clears
the image's default entrypoint. Previously this was silently ignored
because lookupAndAddString skips empty values.
Move the Entrypoint key out of the generic stringKeys map and handle
it separately so that an empty value is passed through.
Closes#28213
Signed-off-by: umut-polat <52835619+umut-polat@users.noreply.github.com>
(cherry picked from commit 926f562bd5)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If the sqlite file exists make sure we always use that db and no longer
botldb. There are known race conditions in the db migration logic that
might make it so that both database files exists at once.
In order to ensure we use the correctly migrated one we must prefer
sqlite here.
see https://github.com/containers/podman/issues/28216
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
It fails due selinux, it is unlcear why so I filled #27759 for now to
track that so we can get the image update merged.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
There are two fields I'm worried about: shared namespaces and pod
containers. Both are generated via loops over maps and are thus
non-deterministic in ordering. Throw a sort on each to fix the
order so we can actually diff `podman pod inspect` output.
Signed-off-by: Matt Heon <mheon@redhat.com>
Previously, using --secret=id=foo,env=BAR in remote mode would fail because the client sent the env var name to the server, which tried to resolve it locally. This patch modifies the client to resolve the environment variable locally, write it to a temp file, and send it as a file-based secret.
Fixes#27494
Signed-off-by: ZuhairM7 <ZuhairM7>
Signed-off-by: ZuhairM7 <zuhairmerali@gmail.com>
- Update documentation: Differentiate `unless-stopped` from `always` - containers stopped by the user before a reboot will not restart.
- Add `should-start-on-boot` filter: Identify containers that require a restart after a system reboot.
- Update command documentation: Add `restart-policy` and `label!` filters to the documentation for container commands (rm, ps, start, stop, pause, unpause, restart).
- Add `restart-policy` and `shoud-start-on-boot` to completions.
- Update service: Update `podman-restart.service` to use the `needs-restart=true` filter.
- Preserve state: Preserve the `StoppedByUser` state across reboots.
- Update API: Add a `ShouldStartOnBoot()` method to the Container API.
- Update documentation: Add descriptions for the `should-start-on-boot` filter.
Fixes: https://issues.redhat.com/browse/RHEL-129405
Fixes: https://github.com/containers/podman/issues/20418
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
<MH: Fixed cherry-pick conflicts>
Signed-off-by: Matt Heon <matthew.heon@pm.me>
- remove old CLI validation that only checked --pod flag
- add validation in namespaces.go to catch all paths (cli, quadlet, api)
- block userns mixing for all pods with infra, not just ipc/net
- update error message to be clearer
- fix test cleanup to use PodmanExitCleanly()
- use dynamic pod names in system tests to avoid conflicts
fixes#26848
Signed-off-by: 0xdvc <neilohene@gmail.com>
<MH: Fixed cherry-pick conflicts>
Signed-off-by: Matt Heon <matthew.heon@pm.me>
Fixes: #26588
For use cases like HPC, where `podman exec` is called in rapid succession, the standard exec process can become a bottleneck due to container locking and database I/O for session tracking.
This commit introduces a new `--no-session` flag to `podman exec`. When used, this flag invokes a new, lightweight backend implementation that:
- Skips container locking, reducing lock contention
- Bypasses the creation, tracking, and removal of exec sessions in the database
- Executes the command directly and retrieves the exit code without persisting session state
- Maintains consistency with regular exec for container lookup, TTY handling, and environment setup
- Shares implementation with health check execution to avoid code duplication
The implementation addresses all performance bottlenecks while preserving compatibility with existing exec functionality including --latest flag support and proper exit code handling.
Changes include:
- Add --no-session flag to cmd/podman/containers/exec.go
- Implement lightweight execution path in libpod/container_exec.go
- Ensure consistent container validation and environment setup
- Add comprehensive exit code testing including signal handling (exit 137)
- Optimize configuration to skip unnecessary exit command setup
Signed-off-by: Ryan McCann <ryan_mccann@student.uml.edu>
Signed-off-by: ryanmccann1024 <ryan_mccann@student.uml.edu>
Quadlets installed from `.quadlet` file now belongs to a single
application, anyone file removed from this application removes all the
other files as well.
Assited by: claude-4-sonnet
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
Enable installing multiple quadlets from one file using '---' delimiters.
Each section requires '# FileName=<name>' comment for custom naming.
Single quadlet files remain unchanged for backward compatibility.
Assited by: claude-4-sonnet
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
The remote client (podman --remote) was incorrectly throwing an error
when --detach-keys="" was specified for attach, run, or start commands.
According to documentation and the v1.7.0 release notes, specifying an
empty string should disable detaching, not cause an error.
Fixes: #27414
Signed-off-by: shiavm006 <shivammittal42006@gmail.com>