When using `docker compose run --entrypoint ''`, docker sends
`"Entrypoint": []` in the JSON. Podman currently treats that
as `nil` and fallback to default image entrypoint.
This is not what is expected by the user. Instead, it should
not use any entrypoint.
This commit fixes it by properly propagating the `[]` downstream
to libpod.
Fixes: #26078
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
Hard coding to none without checking containers.conf is not a good idea
as users who liked the previous behavior and the podman default behavior
of keeping the hosts entries can no longer do that.
With this commit they can set base_hosts_file = "/etc/hosts" to restore
the previous behavior.
Fixes: https://issues.redhat.com/browse/RHEL-92995
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Cgroup block I/O limits cannot be applied to character devices.
Ignore character devices in the inspect output.
Update the API tests to use the null block device `/dev/nullb0` (if
available) instead of `/dev/zero` for testing I/O limits.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The JSON decoder correctly cannot decode (overflow) negative values (e.g., `-1`) for fields of type `uint64`, as `-1` is used to represent `max` in `POSIXRlimit`. To handle this, we use `tmpSpecGenerator` to decode the request body. The `tmpSpecGenerator` replaces the `POSIXRlimit` type with a `tmpRlimit` type that uses the `json.Number` type for decoding values. The `tmpRlimit` is then converted into the `POSIXRlimit` type and assigned to the `SpecGenerator`.
This approach ensures compatibility with the Podman CLI and remote API, which already handle `-1` by casting it to `uint64` (`uint64(-1)` equals `MaxUint64`) to signify `max`.
Fixes: https://issues.redhat.com/browse/RUN-2859
Fixes: https://github.com/containers/podman/issues/24886
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
GoLang sets unset values to the default value of the type. This means that the destination of the log is an empty string and the count and size are set to 0. However, this means that size and count are unbounded, and this is not the default behavior.
Fixes: https://github.com/containers/podman/issues/25473
Fixes: https://issues.redhat.com/browse/RHEL-83262
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
This should be set only by podman as it is used for the podman generate
systemd --new command. For the api it was set to the system service
command which is simply pointless. It must be empty in these cases.
Fixes#25026
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
API clients expect the status code quickly otherwise they can time out.
If we do not flush we may not write the header immediately and only when
futher logs are send.
Fixes#23712
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
I'm assuming this was buildah#5595: the COMMENT field moved around.
Deal with it, and add a few more checks while we're at it.
Signed-off-by: Ed Santiago <santiago@redhat.com>
We were only splitting on tabs, not spaces, so we returned just a
single line most of the time, not an array of the fields in the
output of `ps`. Unfortunately, some of these fields are allowed
to contain spaces themselves, which makes things complicated, but
we got lucky in that Docker took the simplest possible solution
and just assumed that only one field would contain spaces and it
would always be the last one, which is easy enough to duplicate
on our end.
Fixes#23981
Signed-off-by: Matt Heon <mheon@redhat.com>
This commit gets tests working under the new local-registry system:
* amend a few image names, mostly just sticking to a consistent
list of those images in our registry cache. Mostly minor
tag updates.
* trickier: pull_test: change some error messages, and remove
a test that's now a NOP. Basically, with a local (unprotected)
registry we always get "404 manifest unknown"; with a real
registry we'll get "403 I can't tell you".
* trickiest: seccomp_test: build our own images at run time,
with our desired labels. Until now we've been pulling
prebuilt images, but those will not copy to the local
cache registry. Something about v1? Anyhow, I gave up
trying to cache them, and the workaround is straightforward.
Also took the liberty of strengthening a few error-message checks
Signed-off-by: Ed Santiago <santiago@redhat.com>
The Docker endpoint here is kind of a nightmare - accepts a full
Resources block, including a large number of scary things like
devices. But it only documents (and seems to use) a small subset
of those. This implements support for that subset. We can always
extend things to implement more later if we have a need.
Signed-off-by: Matt Heon <mheon@redhat.com>
This vendors the latest c/common version, including making Pasta
the default rootless network provider. That broke a number of
tests, which have been fixed as part of this PR.
Also includes a change to network stats logic, which simplifies
the code a bit and makes it actually work with Pasta.
Signed-off-by: Matt Heon <mheon@redhat.com>
Simply because it's been a while since the last testimage
build, and I want to confirm that our image build process
still works.
Added /home/podman/healthcheck. This saves us having to
podman-build on each healthcheck test. Removed now-
unneeded _build_health_check_image helper.
testimage: bump alpine 3.16.2 to 3.19.0
systemd-image: f38 to f39
- tzdata now requires dnf **install**, not reinstall
(this is exactly the sort of thing I was looking for)
PROBLEMS DISCOVERED:
- in e2e, fedoraMinimal is now == SYSTEMD_IMAGE. This
screws up some of the image-count tests (CACHE_IMAGES).
- "alter tarball" system test now barfs with tar < 1.35.
TODO: completely replace fedoraMinimal with SYSTEMD_IMAGE
in all tests.
Signed-off-by: Ed Santiago <santiago@redhat.com>
* rootful: NanoCpus needs to set more than 10000000 on cgroups v1.
* rootless: Resource limits that include NanoCPUs are not supported and ignored.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
The libpod containers create endpoint wasn't checking whether
the image existed before creating the container. If the image
doesn't exist, it should return a 404 status code but it was
failing and returning a 500 status code.
This fix matches the behavior of the compat endpoint.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Fixes: https://github.com/containers/podman/issues/19139
Service containers are defaulting to 0 seconds for Timeout rather then
the settings in containers.conf.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently containers created via DOCKER API without specifying
StopTimeout are defaulting to 0 seconds. This change should
default them to setting in containers.conf normally 10 seconds.
Fixes: https://github.com/containers/podman/issues/19139
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The attach API used to always return the Content-Type
`vnd.docker.raw-stream`, however docker api v1.42 added the
`vnd.docker.multiplexed-stream` type when no tty was used.
Follow suit and return the same header for docker api v1.42 and libpod
v4.7.0. This technically allows clients to make a small optimization as
they no longer need to inspect the container to see if they get a raw or
multiplexed stream.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This ended up more complicated then expected. Lets start first with the
problem to show why I am doing this:
Currently we simply execute ps(1) in the container. This has some
drawbacks. First, obviously you need to have ps(1) in the container
image. That is no always the case especially in small images. Second,
even if you do it will often be only busybox's ps which supports far
less options.
Now we also have psgo which is used by default but that only supports a
small subset of ps(1) options. Implementing all options there is way to
much work.
Docker on the other hand executes ps(1) directly on the host and tries
to filter pids with `-q` an option which is not supported by busybox's
ps and conflicts with other ps(1) arguments. That means they fall back
to full ps(1) on the host and then filter based on the pid in the
output. This is kinda ugly and fails short because users can modify the
ps output and it may not even include the pid in the output which causes
an error.
So every solution has a different drawback, but what if we can combine
them somehow?! This commit tries exactly that.
We use ps(1) from the host and execute that in the container's pid
namespace.
There are some security concerns that must be addressed:
- mount the executable paths for ps and podman itself readonly to
prevent the container from overwriting it via /proc/self/exe.
- set NO_NEW_PRIVS, SET_DUMPABLE and PDEATHSIG
- close all non std fds to prevent leaking files in that the caller had
open
- unset all environment variables to not leak any into the contianer
Technically this could be a breaking change if somebody does not
have ps on the host and only in the container but I find that very
unlikely, we still have the exec in container fallback.
Because this can be insecure when the contianer has CAP_SYS_PTRACE we
still only use the podman exec version in that case.
This updates the docs accordingly, note that podman pod top never falls
back to executing ps in the container as this makes no sense with
multiple containers so I fixed the docs there as well.
Fixes#19001
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2215572
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Wait before sending status code 200 for the first top call and if that
fails return a proper error code.
This was leading to some confusion in [1] because podman just reported
200 but did not wirte anything back.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2215572
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The platform parameter has been ignored such that images have been
looked up by name only.
Fixes: #18951
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The logic which checks for duplicated volumes here did not work
correctly because it used filepath.Clean(). However the writes to the
volDestinations map did not thus the string no longer matched when you
included a final slash for example.
So we can either call Clean() on all or no paths. I decided to call it
on no path because this is what we do right now. Just the check did it.
Fixed#18454
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Podman is attempting to split the headers returned by the ps
command into a list of headers. Problem is that some headers
are multi-word, and headers are not guaranteed to be split via
a tab. This PR splits the headers bases on white space, and for
the select group of CAPS headers which are multi-word, combines
them back together.
Fixes: https://github.com/containers/podman/issues/17524
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We use the same endpoint for libpod and docker compat API. However as
reported docker returns "id" lowercase. Because we cannot break the
libpod API right now keep the output for the libpod endpoint and only
change the docker one.
To do so simply use two types that we can cast with different JSON tags.
Fixes#17869
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When we read logs there can be full or partial lines, when it is full we
need to append a newline, thus the message length must be incremented by
one.
Fixes#16856
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Docker compatibility: cap the memory limit reported by the cgroup to
the maximum available memory.
Closes: https://github.com/containers/podman/issues/15765
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
podman update allows users to change the cgroup configuration of an existing container using the already defined resource limits flags
from podman create/run. The supported flags in crun are:
this command is also now supported in the libpod api via the /libpod/containers/<CID>/update endpoint where
the resource limits are passed inthe request body and follow the OCI resource spec format
–memory
–cpus
–cpuset-cpus
–cpuset-mems
–memory-swap
–memory-reservation
–cpu-shares
–cpu-quota
–cpu-period
–blkio-weight
–cpu-rt-period
–cpu-rt-runtime
-device-read-bps
-device-write-bps
-device-read-iops
-device-write-iops
-memory-swappiness
-blkio-weight-device
resolves#15067
Signed-off-by: Charlie Doern <cdoern@redhat.com>
Whole slew of bugs that got introduced while I wasn't paying
attention. Most of them are of the form "let's use hand-crafted
curl commands and do our own error checking and exit uncleanly
on error and leave the system in an unstable state". To be
fair, those were done because there was no existing mechanism
for uploading JSON files or somesuch. So, add one.
Signed-off-by: Ed Santiago <santiago@redhat.com>
implement a new command `podman generate spec` which can formulate a json specgen to be consumed by both the pod
and container creation API.
supported flags are
--verbose (default true) print output to the terminal
--compact print the json output in a single line format to be piped to the API
--filename put the output in a file
--clone rename the pod/ctr in the spec so it won't conflict w/ an existing entity
Signed-off-by: Charlie Doern <cdoern@redhat.com>
