240 Commits

Author SHA1 Message Date
feb36e4fe6 Implement TLS API Support
* Added flags to point to TLS PEM files to use for exposing and connecting
  to an encrypted remote API socket with server and client authentication.
* Added TLS fields for system connection ls templates.
* Added special "tls" format for system connection ls to list TLS fields
  in human-readable table format.
* Updated remote integration and system tests to allow specifying a
  "transport" to run the full suite against a unix, tcp, tls, or mtls
  system service.
* Added system tests to verify basic operation of unix, tcp, tls, and mtls
  services, clients, and connections.

Signed-off-by: Andrew Melnick <meln5674.5674@gmail.com>
2025-09-26 09:09:54 -06:00
8631032556 run modernize -fix ./...
Using golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize

+ some manual cleanup in libpod/lock/shm/shm_lock_test.go as it
  generated an unused variable
+ restored one removed comment

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-09-10 16:17:04 +02:00
a98154a978 Switch common, storage and image to monorepo.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
2025-09-01 12:33:04 +02:00
8160e02459 test/e2e: Use nullb0 for IO limit tests
The tests for device I/O limits were using `/dev/zero`,
which is not a block device suitable for these cgroup
controls.

Update the tests to use `/dev/nullb0` if it exists.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-04-30 16:21:38 +02:00
0f975f8526 ci: rm allow-unused from nolintlint settings
This was added by commit 84e42877a ("make lint: re-enable revive"),
making nolintlint become almost useless.

Remove the ungodly amount of unused nolint annotations.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-31 12:27:55 -07:00
cc4d904dd2 Fix QF1012 staticcheck warnings
> QF1012: Use fmt.Fprintf(...) instead of WriteString

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-31 12:27:55 -07:00
f4f2580b0d ci: remove stylecheck linter
It is to be merged into staticcheck linter in golangci-lint v2.0.0.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-31 12:27:55 -07:00
bcc2063e9e test/e2e: use go net.Dial() over nc
This is simpler as we don't have to rely on an external command. The
retry loop is needed as we check for a container process connection, and
while we know podman binds the port before returning there is no way to
know when the container application bound the port so we must retry a
bit.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-13 19:44:14 +01:00
f6e2d94409 test/e2e: improve createArtifactFile()
There is no need whatsoever to run container to populate a random file,
this is just much slower than just writing some random bytes directly
without having to run a container and run dd in it.

Also the function accepted the number of bytes, however because dd uses
a minimum block size of 512 bytes it was actually numBytes * 1024 which
were written. That makes no sense so fix the two tests that depended on
the wrong number.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-03-12 19:42:14 +01:00
a17175eb3a Cleanup test
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
2025-02-12 10:14:47 +01:00
3925a30fa7 add podman artifact extract
Add a new command to extract the blob content of the artifact store to a
local path.

Fixes https://issues.redhat.com/browse/RUN-2445

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-02-11 14:36:53 +01:00
27ccfef3a1 Don't use all of tempdir as podman's --tmpdir
... because (podman system reset) will delete all of it,
interfering with the test storing other data in the directory.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2025-02-05 22:52:46 +01:00
dcdf82e943 test/e2e: improve write/removeConf()
First use proper ginkgo error handling to ensure errors are actually
reported and fail the test. Mark it as helper function to have better
stack traces.

Then use an atomic write function to prevent issues with partially written
files. I think this is causing CI flakes[1].

Lastly fix the file permissions, do not make it world writable and do
not set the executable bit on the file.

[1] https://api.cirrus-ci.com/v1/artifact/task/5985244932734976/html/int-podman-fedora-41-root-host-sqlite.log.html#t--Podman-network-podman-network-ID-test--1

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-02-03 20:16:07 +01:00
4bdb947d72 Define, and use, PodmanExitCleanlyWithOptions
This is a generalization of PodmanExitCleanly, scalable
to an arbitrary number of possible options.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2025-01-23 01:10:31 +01:00
d509bb0823 Inline PodmanBase into callers
Eliminate this helper / indirection, and pass around
PodmanExecOptions explicitly.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2025-01-23 00:03:56 +01:00
f17590b2bd Pass all of PodmanExecOptions to various [mM]akeOptions functions
This will make it easier to structure the API, at the cost
of making it a bit more opaque about which parts of PodmanExecOptions
are implemented where.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2025-01-23 00:03:52 +01:00
f2d552f5db Turn PodmanAsUserBase into PodmanExecBaseWithOptions
... replacing the many parameters with a struct with named fields.

This makes the meaning of parameters more explicit, and more importantly
it makes it easier to just edit _one_ of the parameters without requiring
specialized wrappers for every single case.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2025-01-23 00:03:42 +01:00
d7553fabc7 podman artifact
the podman artifact verb is used to manage OCI artifacts.  the following
verbs were added to `podman artifact`:

* add
* inspect
* ls
* pull
* push
* rm

Notable items with this PR:

* all artifact commands and their output are subject to change. i.e.
  consider all of this tech preview
* there is no way to add a file to an artifact that already exists in
  the store.  you would need to delete and recreate the artifact.
* all references to artifacts names should be fully qualified names in
  the form of repo/name:tag (i.e. quay.io/artifact/foobar:latest)
* i understand that we will likely want to be able to attribute things
  like arch, etc to artifact files.  this function is not available yet.

Many thanks to Paul Holzinger for autocompletion PRs and review PRs that
fixed issues early on.

Also fix up some Args function to specify the correct number of args.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Brent Baude <bbaude@redhat.com>
2025-01-21 12:47:30 -06:00
0c18beaea7 Introduce PodmanTestIntegration.PodmanExitCleanly
This significantly simplifies the ceremony of running a Podman command
in integration tests, from

> session := p.Podman([]string{"stop", id})
> session.WaitWithDefaultTimeout()
> Expect(session).Should(ExitCleanly())

to
> p.PodmanExitCleanly("stop", id)

There are >4650 instances of ExitCleanly() in the tests,
and many could be migrated; this does not do that.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2025-01-09 18:47:26 +01:00
23d4908c8b test/system: CopyDirectory() do not chown files
If the source dir is owned by another user then the test the chown will
fail assuming we run the tests rootless. This function is only used by
the quadlet tests and for the purpose all we need is to read the files
so the simple fix is remove the chown as this should make the tests pass
on the special debian gating env.

Fixes #24802

Signed-off-by: Paul Holzinger <git@holzinger.dev>
2024-12-17 17:05:47 +01:00
e6d8603136 test/e2e: SkipOnOSVersion() add reason field
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-12-12 15:14:57 +01:00
4f7395f93a Add --hosts-file flag to container and pod commands
* Add --hosts-file flag to container create, container run and pod create
* Add HostsFile field to pod inspect and container inspect results
* Test BaseHostsFile config in containers.conf

Signed-off-by: Gavin Lam <gavin.oss@tutamail.com>
2024-11-24 22:00:34 -05:00
9eca92d625 update golangci-lint to v1.62.0
- fix issues found by recvcheck
- skip k8s files from recvcheck
- remove two removed linters gomnd and execinquery

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-11-11 14:21:17 +01:00
755a06aa44 test/e2e: add netns leak check
Like we do in system tests now check for netns leaks in e2e as well. Now
because things run in parallel and this dir is shared we cannot test
after each test only once per suite. This will be a PITA to debug if
leaks happen as the netns files do not contain the container ID and are
just random bytes (maybe we should change this?)

Fixes #23715

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-09-18 14:05:26 +02:00
1543c5f0ad test/e2e: fix network prune flake
Creating networks in a different dir is not parallel safe when running
containers on them as the network configs may end up using the same
bridge names which then causes conflicts on the host.

Fixes #23876

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-09-05 17:47:53 +02:00
666d839157 golangci-lint: make windows linting happy
It qemu cannot be compiled anyway so make sure we do not try to compile
parts where the typechecker complains about on windows.
Also all the e2e test files are only used on linux as well.
pkg/machine/wsl also reports some errors but too many for me to fix them
now. One minor problem was fixed in pkg/machine/machine_windows.go.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-08-19 11:41:29 +02:00
fef125c7b1 test: disable artifacts cache with composefs
layers restored from a tarball won't be converted to composefs so
disable the cache when using composefs.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2024-07-24 17:16:35 +02:00
b08b630c84 test: drop unmount for overlay
The unmount for the driver home dir is done automatically by the store
on Shutdown.  Do not do the unmount from the tests cleanup.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2024-07-15 11:41:28 +02:00
dd1bcabae9 CI: use local registry, part 2 of 3: fix tests
This commit gets tests working under the new local-registry system:

  * amend a few image names, mostly just sticking to a consistent
    list of those images in our registry cache. Mostly minor
    tag updates.

  * trickier: pull_test: change some error messages, and remove
    a test that's now a NOP. Basically, with a local (unprotected)
    registry we always get "404 manifest unknown"; with a real
    registry we'll get "403 I can't tell you".

  * trickiest: seccomp_test: build our own images at run time,
    with our desired labels. Until now we've been pulling
    prebuilt images, but those will not copy to the local
    cache registry. Something about v1? Anyhow, I gave up
    trying to cache them, and the workaround is straightforward.

Also took the liberty of strengthening a few error-message checks

Signed-off-by: Ed Santiago <santiago@redhat.com>
2024-07-11 04:39:45 -06:00
d4c0e7ecbd CI: test composefs on rawhide
Run root e2e & system tests using composefs on rawhide.

Write magic settings to storage.conf. That part is easy.

e2e tests, however, ignore storage.conf. They require everything
to be specified on the command line. And "everything", in the
case of composefs, includes a long complicated --pull-options
string which in turn requires containers-storage PR 1966
which, as of this writing, is finally vendored into podman.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2024-07-10 14:51:58 -06:00
e771618531 run e2e test on tmpfs
Follow up to commit eaf60c7fe7, with the toolbox image removal it is
possible to run all tests from tmpfs.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-05-13 17:26:16 +02:00
7a43c2ed1b test/e2e: remove toolbox image
The image is way too big (over 800MB) that slows tests down as we always
have to pull this, the tests themselves are also super slow due to the
entrypoint logic that we don't care about. We should be testing for
features needed and not specific tools.

I think the current changes should have a similar coverage in terms of
podman features, it no longer tests toolbox but IMO this never was a
task for podman CI tests.

The main driver for this is to make the tests run entirely based on
tmpfs and this image is just too much[1].

[1] https://github.com/containers/podman/pull/22533

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-05-03 16:45:51 +02:00
1bc6f16bd0 vendor ginkgo 2.17.2 into test/tools
..to match the version in root dir, to get rid of the mismatch
warning on every ginkgo run.

I still don't understand why renovatebot isn't doing this.

(Also, touch a file under e2e, to force tests to run)

Signed-off-by: Ed Santiago <santiago@redhat.com>
2024-04-30 09:26:35 -06:00
eaf60c7fe7 e2e tests: use /var/tmp, not $TMPDIR, as workdirs
TMPDIR is typically /tmp which is typically(*) a tmpfs.

This PR ignores $TMPDIR when $CI is defined, forcing all
e2e tests to set up one central working directory in /var/tmp
instead.

Also, lots of cleanup.

 (*) For many years, up to and still including the time of
     this PR, /tmp on Fedora CI VMs is actually NOT tmpfs,
     it is just / (root). This is nonstandard and undesirable.
     Efforts are underway to remove this special case.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2024-04-26 14:29:56 -06:00
9a0ed6929a test/e2e: force systemd cgroup manager
It is not clear why rootless was forced to the cgroupfs manager when
systemd is the default. In any case it causes local test failures as
described in the issue[1]. Using systemd manager makes them pass as
expected, I don't know enough about cgroups to know the difference and
why certain tests have bad assumptions but this fixes it.

[1] https://github.com/containers/podman/issues/22474

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-04-26 14:37:31 +02:00
83dbbc3a51 Replace golang.org/x/exp/slices with slices from std
Use "slices" from the standard library, this package was added in go
1.21 so we can use it now.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-04-23 11:16:40 +02:00
482ef7bfcf Add support for updating restart policy
This is something Docker does, and we did not do until now. Most
difficult/annoying part was the REST API, where I did not really
want to modify the struct being sent, so I made the new restart
policy parameters query parameters instead.

Testing was also a bit annoying, because testing restart policy
always is.

Signed-off-by: Matt Heon <mheon@redhat.com>
2024-04-17 08:23:51 -04:00
ebce0e71da test/e2e: check for stderr errors in cleanup()
There are many code paths which only do logrus but still exit 0 so this
should catch more bugs. Unfortunately runc logs way too much random stuff
so we ignore this check for runc right now.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-03-04 11:25:22 +01:00
7d5a68c9cd CI: e2e: use distinct ports, not just 5000
Too many tests use port 5000. Although there's a putative GetPortLock()
it seems to be unreliable, and we often get what appear to be collisions
between tests.

A proper solution would be to pseudorandomly allocate ports, verify
that they're not being reused, Sprintf() these everywhere that
needs them, and sprinkle some powdered cinnamon on top.

This is not that proper solution.

Fixes: #20655

Signed-off-by: Ed Santiago <santiago@redhat.com>
2024-02-27 04:30:26 -07:00
3ca2213607 Add a helper for stopping pods and containers in E2E
This removes a lot of boilerplate, but also ensures that every
stop test that is not directly testing podman stop or podman pod
stop uses `-t0` for quick, error-free stopping.

Signed-off-by: Matt Heon <mheon@redhat.com>
2024-02-15 09:35:55 -05:00
72f1617fac Bump Go module to v5
Moving from Go module v4 to v5 prepares us for public releases.

Move done using gomove [1] as with the v3 and v4 moves.

[1] https://github.com/KSubedi/gomove

Signed-off-by: Matt Heon <mheon@redhat.com>
2024-02-08 09:35:39 -05:00
35d1f12213 make podman pod inspect output a json array
Just like all the other inspect commands that accept multiple args we
should just make podman pod inspect output a json array.
This makes the code more consistent and removes the extra workaround
which was needed before to support this.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-02-05 17:26:55 +01:00
74454bf59c rework system connection and farm storage
We now no longer write containers.conf, instead system connections and
farms are written to a new file called podman-connections.conf.

This is a major rework and I had to change a lot of things to get this
to compile again with my c/common changes.

It is a breaking change for users as connections/farms added before this
commit can now no longer be removed or modified directly. However because
the logic keeps reading from containers.conf the old connections can
still be used to connect to a remote host.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-01-31 15:08:41 +01:00
522934d5cf Replace strings.SplitN with strings.Cut
Cut is a cleaner & more performant api relative to SplitN(_, _, 2) added in go 1.18

Previously applied this refactoring to buildah:
https://github.com/containers/buildah/pull/5239

Signed-off-by: Philip Dubé <philip@peerdb.io>
2024-01-11 13:50:15 +00:00
8bdf77aa20 Refactor: replace StringInSlice with slices.Contains
Signed-off-by: Oleksandr Redko <Oleksandr_Redko@epam.com>
2024-01-05 16:25:56 +02:00
ec5422af5b e2e: Skip journalctl if journald is unavailable
Test "podman start container by systemd" is failed on the system in
which rootless users don't have accessibility to journald. Therefore,
skip the part that reads journal with journalctl.

Signed-off-by: Tsubasa Watanabe <w.tsubasa@fujitsu.com>
2023-12-31 15:27:53 +09:00
1c59a9ced1 CI: safer podman-stop tests
A number of tests start a container then immediately run podman stop.
This frequently flakes with:

   StopSignal SIGTERM failed to stop [...] in 10 seconds, resorting to SIGKILL

Likely reason: container is still initializing, and its process
has not yet set up its signal handlers.

Solution: if possible (containers running "top"), wait for "Mem:"
to indicate that top is running. If not possible (pods / catatonit),
sleep half a second.

Intended to fix some of the flakes cataloged in #20196 but I'm
leaving that open in case we see more. These are hard to identify
just by looking in the code.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-12-14 04:49:46 -07:00
a10b88cb2f CI: test overlay and vfs
We're only testing vfs in CI. That's bad. #18822 tried to
remedy that but that only worked on system tests, not e2e.

Here we introduce CI_DESIRED_STORAGE, to be set in .cirrus.yml
in the same vein as all the other CI_DESIRED_X. Since it's 2023
we default to overlay, testing vfs only in priorfedora.

Fixes required:
 - e2e tests:
   - in cleanup, umount ROOT/overlay to avoid leaking mounts

 - system tests:
   - fix a few badly-written tests that assumed/hardcoded overlay
   - buildx test: add weird exception to device-number test
   - mount tests: add special case code for vfs
   - unprivileged test: disable one section that is N/A on vfs

Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-11-17 05:48:50 -07:00
2a17baa29d CI: default to sqlite
Followup to #20318: now that sqlite is the podman default,
enforce that in CI as well. Test boltdb only in Prior Fedora.

In the process, discovered & cleaned up some duplication
and unused YAML anchors.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-11-02 13:17:21 -06:00
c841fa9e9a CI: e2e: safer GetPort()
Problem: frequent CI flakes of the form:

   Error: cannot listen on the TCP port: listen tcp4 :5355: bind: address already in use

Always 5355.

Cause: systemd-resolve listens on 5355, but not on 127.0.0.1. So
when GetPort() tries its is-it-in-use check by binding localhost,
it succeeds; but then podman binds * and fails.

Solution: GetPort(): test by binding 0.0.0.0.

Also, improve the failure message.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-10-26 05:52:02 -06:00