Some architectures (i.e., arm64) do not implement the link(2) system
call and ln(1) uses linkat(2) instead.
Use the names array to block both syscalls so the tests works on all
architectures.
Signed-off-by: Ricardo Branco <rbranco@suse.de>
This allows things like compose project names to be associated with log
messages and later used in log processing and analysis.
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
For remote operation, start the remote service with --tls-details:
using --tls-details on the client side will only affect client's
connection.
This should eventually include many more tests - track down all current
uses of libpod.Runtime.{SystemContext,imageContext,LibimageRuntime}.
That will come later
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Currently validation that log tag requires journald driver is done in several
places and emits only warning. Making it an error and moving to
`(c *Container) validate()` is a more correct approach.
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
When we have the _precise_ knowledge of where the parameter boundaries
are, and an API that allows us to express that, just _do that_ instead
of completely unnecessarily worrying about spaces in parameter values.
Also, this allows us to format the code to make the option and value
correspondence much easier to see.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Add a per-volume 'nocreate' option that prevents automatic creation of
named volumes when they don't exist. When specified, Podman will fail
if the volume is not found instead of creating it automatically.
Usage: -v myvolume:/data:nocreate
--mount type=volume,src=myvolume,dst=/data,nocreate
See: #27862
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
ConfigToSpec() serializes the container config to JSON and deserializes
it into a SpecGenerator. Both structs use the JSON tag "secret_env" but
with incompatible types: the container config uses map[string]*secrets.Secret
(complex objects) while the specgen uses map[string]string (env var name
to secret name). This causes an unmarshal error when cloning containers
that use --secret with type=env.
Fix this by saving and clearing EnvSecrets before JSON marshal (same
pattern as existing tmpSystemd/tmpMounts), then converting the secret
objects to name strings and assigning them to the specgen afterward.
Also fix FillOutSpecGen to not overwrite env secrets populated by
ConfigToSpec when no new secrets are provided on the command line.
Fixes: #28130
Signed-off-by: Ozgur As <ozgur@live.com>
This is useful for triggering the execution of a healthcheck
without caring about it's result as long as no fatal error occured.
Signed-off-by: Patrick Wicki <patrick.wicki@siemens.com>
Remove user-facing CLI options for CNI network backend:
CLI flags:
- Keep --network-backend global flag as hidden and deprecated for
backward compatibility with cleanup commands from 5.x containers
- Map flag to a throwaway variable (value is ignored)
- Remove shell completion for network backend values
Shell completions:
- Remove AutocompleteNetworkBackend() function
- Remove references to CNI and Netavark type constants
Backward compatibility:
- Remove --rootless-cni flag alias for podman unshare
- Remove SetNormalizeFunc that mapped rootless-cni to rootless-netns
- Update --rootless-netns flag description to mention only netavark
The --network-backend flag remains as a hidden deprecated flag to
prevent failures when upgrading from 5.x where containers may have
cleanup commands that include this flag. The flag is accepted but
ignored. Users can no longer specify CNI as a network backend option.
The --rootless-cni alias is removed; users must use --rootless-netns.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Remove test framework code that supported dual network backends:
Test utilities:
- Remove NetworkBackend enum type and constants (CNI, Netavark)
- Remove NetworkBackend.ToString() method
- Remove NetworkBackend field from PodmanTest struct
Test infrastructure:
- Remove SkipIfCNI() helper function
- Remove SkipIfNetavark() helper function
- Remove network backend selection logic based on NETWORK_BACKEND env var
- Remove CNI-specific network config directory setup
- Hardcode "netavark" in podman command line construction (flag will be removed in later commit)
Simplify test helpers:
- Simplify generateNetworkConfig() to only generate Netavark configs
- Remove conditional CNI vs Netavark network ID logic
- Update IP allocation comment to remove CNI-specific behavior description
Remove SkipIfCNI() calls from tests:
- Remove skip guards from Netavark-only feature tests
- These tests now run universally since Netavark is the only backend
Documentation:
- Remove NETWORK_BACKEND environment variable from test/README.md
All tests that were previously skipped with SkipIfCNI (Netavark-only
features) will now run for all users since Netavark is the only
supported network backend.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Remove test cases that only tested CNI-specific functionality:
- Remove "podman --cni-config-dir backwards compat" test
- Remove "podman CNI network create with internal should not have dnsname" test
Update CNI-specific test names to be network-backend agnostic:
- Rename "podman inspect container single CNI network" to "podman inspect container single network"
- Rename "podman inspect container two CNI networks (container not running)" to "podman inspect container two networks (container not running)"
- Rename "podman inspect container two CNI networks" to "podman inspect container two networks"
- Rename "podman run in custom CNI network with --static-ip" to "podman run in custom network with --static-ip"
- Rename "podman rootless cni adds /usr/sbin to PATH" to "podman rootless adds /usr/sbin to PATH"
Update test content to be backend-agnostic:
- Update skip reasons from "Requires root CNI networking" to "Requires root networking"
- Change --rootless-cni flag usage to --rootless-netns
- Update comments from "CNI network" to "network"
- Update comments from "iptables" to "nftables" for netavark
- Update test assertions to remove CNI-specific messaging
Remove CNI-related test documentation and comments:
- Remove commented-out CNI error messages from Python API tests
- Remove CNI network namespace error documentation from upgrade tests
- Remove CNI-related comments from BATS tests
Remove unused import of github.com/containernetworking/plugins/pkg/ns
from test/e2e/run_networking_test.go (test-only usage).
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Previously, `secret create` required stdin to be a pipe when using `-`,
blocking interactive stdin forcing users to use insecure patterns like
`echo "secret" | podman secret create <name>`.
Remove the pipe check to allow interactive stdin.
Closes#18591, #27879
Signed-off-by: Danish Prakash <contact@danishpraka.sh>
I happened to run `podman run --config=/path/to/file` and got
an error without a trailing newline, which was a bit jarring.
Fix the instances I noticed.
Assisted-by: OpenCode (Claude Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
The code checks for isPathOnVolume and isPathOnMount so we can just use
the SecureJoin here directly to check for path existance.
Then instead of walking symlinks and trying to guess if they are on a
mount just assume if it is a link (path is different from the normal
joined one) then don't error out early and let the OCI runtime deal with
it. The runtime does produce a less readable error but it still fails
and we have much less fragile code.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
MkdirAll can fail with EEXIST when the path is a symlink and the target
doesn't exist. As such we should ignore the error.
Note there is something fundemantal wrong here with the path access as
it is following the symlink to the host, however it is only for a
stat() so it is not an security issue here.
Fixes: 637c264e2e ("fix issues found by nilness")
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
