317 Commits

Author SHA1 Message Date
070d7c3ad3 Revert "Rewrite the Quadlet documentation."
This reverts commit c12b1b32bc165766c1aa229ca05432c75cc74c3b.

The content contains incorrect information and misses a lot of details
from the previous page that must be restored.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-09-11 19:00:19 +02:00
bb422c8372 Revert "Change the syntax to not depend on jinja2."
This reverts commit 9de737bf29eba1606c1aff560e2cbba4fa1576e4.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-09-11 19:00:17 +02:00
4ae8e386ef Revert "docs: restore podman-systemd.unit.5"
This reverts commit cab3c6de6d59fc51aff26591c24ffe2d5ee2a20e.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-09-11 18:59:11 +02:00
8631032556 run modernize -fix ./...
Using golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize

+ some manual cleanup in libpod/lock/shm/shm_lock_test.go as it
  generated an unused variable
+ restored one removed comment

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-09-10 16:17:04 +02:00
b97525a78d use strings.SplitSeq where possible
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-09-10 16:17:04 +02:00
cab3c6de6d docs: restore podman-systemd.unit.5
There are endless links pointing to this document we should not get
rid of that.
Also I find having two podman-quadlet with different numbers rather
confusing, while I understand the motivation I think for most users this
is not intuitive. Most people will not type the man section numbers.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-09-05 18:59:19 +02:00
c8183c50a0 Merge pull request #26929 from jankaluza/quadlet-docs
Rewrite the Quadlet documentation.
2025-09-05 14:29:27 +00:00
9de737bf29 Change the syntax to not depend on jinja2.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
2025-09-02 16:04:34 +02:00
c12b1b32bc Rewrite the Quadlet documentation.
This commit does the following:

- Splits the podman-systemd.unit.5.md into multiple files - one for each
  quadlet file type, podman-quadlet.7.md for general quadlet information
  and podman-quadlet-basic-usage.7.md for quadlet examples.
- Removes the original podman-systemd.unit.5.md file.
- Adds support for jinja2 templating language in the markdown_preprocess.
- Uses jinja2 in options/*.md to use the single .md file for both podman
  subcommands man-pages and quadlet man-pages. This deduplicates
  the Quadlet man-pages a lot.
- Adds new `@@option quadlet:source.md` preprocess command to import
  such .md files from options directory.

Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
2025-09-02 12:49:45 +02:00
247a80db45 test/system: remove distro-integration bats tag
The distro-integration tag was added for fedora openQA to only run a
subset of tests. However since it was added only a few new tests have
been labelled like that and in general a normal contributor or even
maintainer has no idea when to add this tag.

We also have been seeing several regressions getting into fedora that
these tests would have caught. As such I worked with Adam to enable all
tests for fedora openQA so we actually have proper coverage. This has
been working for a few weeks so I think we can drop these tags so
upstream does not need to bother with them at all.

https://pagure.io/fedora-qa/os-autoinst-distri-fedora/issue/373

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-09-02 12:10:08 +02:00
b59648a2d6 hack/podman_cleanup_tracer.bt: check map before deleting keys
It seems the new bpftrace version since 0.22 logs a warning if we try to
delete a key that does not exist.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-07-09 14:02:11 +02:00
1f8bc9d736 hack/podman_cleanup_tracer.bt: clamp str size for strcontains()
On bpftrace 0.22 this fails to compile and load so the script currently
does not show us anything in CI there.

We need to clamp the string size a bit 128 chars seems more than enough
for the podman/conmon binary path length.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-07-09 14:02:10 +02:00
5e5bfadf93 hack/podman_cleanup_tracer.bt: use new max str length
The default has been set to 1024 which should be good enough and better
than having to unroll this loop like that.
This is supported since bpftrace 0.22 which is in fedora 42.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-07-09 14:02:10 +02:00
0439167943 remove hack/install_catatonit.sh
This was not updated to the latest versions and CI and basically any
user should get it from their distro repos.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-17 18:35:28 +02:00
48b19e98f9 remove hack/libdm_tag.sh
This script is no longer used as the device mapper storage driver was
removed over a year ago.

Commit 60692ca already removed the build tag reference but not this
script which set a buildtag for it.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-10 17:18:19 +02:00
c6842d3425 Makefile: use libsqlite3 build when possible
Dynamically link sqlite3 when installed, the main motivation is that we
reduce the podman binary size with that. I see about 2.5 MB savings.

But also dynamically linking it means if there are vulnerabilities only
the sqlite3 distro package needs updating and we don't have to make a
new podman release with the vendored update.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-06-10 15:52:11 +02:00
c9b1bd1cf3 Stop setting btrfs_noversion build tag
c/storage no longer uses this tag after
https://github.com/containers/storage/pull/2308.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-04-30 14:22:25 +02:00
4dd9340a56 hack/bats: Pass --tap (-t) option to bats
Signed-off-by: Ricardo Branco <rbranco@suse.de>
2025-04-24 11:38:29 +02:00
bfd5de309f hack/bats: Fix to allow multiple tests
Signed-off-by: Ricardo Branco <rbranco@suse.de>
2025-04-23 18:43:05 +02:00
c1ad54f89a hack/bats: Allow specifying PODMAN_ROOTLESS_USER
Signed-off-by: Ricardo Branco <rbranco@suse.de>
2025-04-23 13:44:06 +02:00
0fb78905c1 Revert "Instrument cleanup tracer to log weird volume removal flake"
This reverts commit d633824a9527b9ec937cdfc8aacc890ec3249127.

The issue has been fixed in commit 9a0c0b2eef and I have not seen it
since so remove this special case.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-04-11 15:12:33 +02:00
4e65ed5b72 hack/bats: remove OCI_RUNTIME reference
It is never used by system tests so do not mention or use it here.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2025-04-08 14:30:50 +02:00
76eea47fb3 Merge pull request #25743 from kolyshkin/freebsd-golangci-lint
Add freebsd golangci lint run; fix remaining freebsd warnings
2025-04-03 18:30:54 +00:00
f18c917ef8 ci: run golangci-lint on freebsd
This could have been done by simply running

	GOOS=freebsd ./bin/golangci-lint run [options] ./...

on Linux, but some freebsd code is using cgo (i.e. is linked to C
libraries), so real freebsd environment is required.

This also fixes the issue of ignoring linter errors for Windows and
Darwin (exit 0), introduced by commit c9b108d5b38.

Fixes: c9b108d5b38 ("Bump golangci-lint to v2.0.2")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-03 09:24:58 -07:00
403d126ac8 hack/install_golang.sh: revamp
1. Strip leading v from VERSION.

This will allow to simplify renovate rule at [1].

2. Fix git branch in the URL.

In golangci-lint v2 they've switched from master to main,
and it's not clear what will happen to master over time,
so let's just switch to main prophylactically.

3. Use -b option instead of undocumented hack.

Instead of relying on an undocumented feature of having BINDIR,
let's use -b option as recommended by the official docs at [2].

4. Avoid stuttering in the output.

Before:

	[kir@kir-tp1 podman]$ VERSION=2.0.2 ./hack/install_golangci.sh
	golangci-lint has version 2.0.2 built with go1.24.1 from 2b224c2c on 2025-03-25T21:36:18Z
	Using existing ./bin/golangci-lint has version 2.0.2 built with go1.24.1 from 2b224c2c on 2025-03-25T21:36:18Z

After:

	[kir@kir-tp1 podman]$ VERSION=2.0.2 ./hack/install_golangci.sh
	golangci-lint has version 2.0.2 built with go1.24.1 from 2b224c2c on 2025-03-25T21:36:18Z
	Using existing ./bin/golangci-lint

5. Fix shellcheck warnings.

6. Also retry when reinstalling.

The code logic to retry install for up to 5 times when installation
fails was introduced by commit dd8574022d ("CI: retry the golangci
install").

For some reason, the above commit only uses the logic when the binary is
not found. In a situation when the binary is found but is of the wrong
version, no retries are done.

Fix that.

7. Add -f option to curl.

As recommended by the official installation docs at [2].

[1]: 16f757f699/renovate/defaults.json5 (L106-L108)
[2]: https://golangci-lint.run/welcome/install/#binaries

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-02 19:19:05 -07:00
c9b108d5b3 Bump golangci-lint to v2.0.2
This ended up slightly more complicated than anticipated, in part
because golangci-lint v2 dropped support for --exclude-dirs, so
linter issues with GOOS=windows and GOOS=darwin which were previously
ignored had to be fixed now.

This is also the reason why the ./hack/golangci-lint was simplified.
In addition, it now runs linters on Linux without systemd tag set.

Tested locally with:

	for OS in linux windows darwin; do GOOS=$OS ./hack/golangci-lint.sh; done
	Linting for GOOS=linux
	+ ./bin/golangci-lint run --build-tags=apparmor,seccomp,selinux
	0 issues.
	+ ./bin/golangci-lint run --build-tags=apparmor,seccomp,selinux,systemd
	0 issues.
	+ ./bin/golangci-lint run --build-tags=apparmor,seccomp,selinux,remote
	0 issues.
	Linting for GOOS=windows
	+ ./bin/golangci-lint run --build-tags=remote,containers_image_openpgp
	0 issues.
	Linting for GOOS=darwin
	+ ./bin/golangci-lint run --build-tags=remote,containers_image_openpgp
	0 issues.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-03-31 12:27:55 -07:00
ba88febf33 Don't block builds on podman-testing growing in size
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2025-03-31 17:59:29 +02:00
33398ebc1e Buildah treadmill tweaks
* treadmill script: handle an obscure corner case
  wherein the script would bail because it thought
  there were no buildah-vendor changes.

* two new test skips

* update the diffs; line-number changes due to buildah
  PRs touching helpers.bash

Signed-off-by: Ed Santiago <santiago@redhat.com>
2024-11-11 07:04:39 -07:00
d633824a95 Instrument cleanup tracer to log weird volume removal flake
Debug for #23913, I thought if we have no idea which process is nuking
the volume then we need to figure this out. As there is no reproducer
we can (ab)use the cleanup tracer. Simply trace all unlink syscalls to
see which process deletes our special named volume. Given the volume
name is used as path on the fs and is deleted on volume rm we should
know exactly which process deleted it the next time hopefully.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-10-30 18:50:07 +01:00
d2ba730f33 buildah version display: use progress()
...to make it stand out just a little more.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2024-10-23 12:34:33 -06:00
825eed4bde new showrun() for displaying and running shell commands
Equivalent to print() + system(). Shows individual commands
being run, which may help a developer understand and replicate
actions if they fail.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2024-10-23 12:34:33 -06:00
9db04e87b6 Buildah treadmill: redo the .cirrus.yml tweaks
Initial purpose of treadmill PR was to run buildah-bud tests
early, and not run anything else if they fail. This was to
catch vendoring problems and not be distracted by flakes.
This was done by inspecting and massaging .cirrus.yml.

As of #21639 this code was a silent NOP because the entire
CI tree was overhauled. Here we make that work again.

Also, in #20947 I enhanced this script to run rootless
bud tests but neglected to update the comments. Do so now.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2024-10-23 12:34:33 -06:00
a925c9f831 Buildah treadmill: more allow-empty options
Handle the condition where the second commit (the one making
podman-specific changes) is empty.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2024-10-23 12:34:33 -06:00
ba8375c9e4 Buildah treadmill: improve test-failure instructions
This time, in the vendor script itself.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2024-10-23 12:34:33 -06:00
bac655a6b1 Allow removing implicit quadlet systemd dependencies
Quadlet inserts network-online.target Wants/After dependencies to ensure pulling works.
Those systemd statements cannot be subsequently reset.

In the cases where those dependencies are not wanted, we add a new
configuration item called `DefaultDependencies=` in a new section called
[Quadlet]. This section is shared between different unit types.

fixes #24193

Signed-off-by: Farya L. Maerten <me@ltow.me>
2024-10-09 14:48:05 +02:00
0b59f67c3a add ebpf program to trace podman cleanup errors
Add a new program based on bpftrace[1] to trace all podman processes
with arguments and exit code/signals. Additionally this captures stderr
from all podman container cleanup processes spawned by conmon which
otherwise go to /dev/null and are never seen in any CI logs.
Hopefully this allows us to debug strange network cleanup error seen in
CI, my plan is to add this to the cirrus setup and upload the logs so we
can check them when the flakes happen.

[1] https://github.com/bpftrace/bpftrace

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-09-24 12:47:03 +02:00
d571ca6536 system test parallelization: enable two-pass approach
For the past two months we've been splitting system tests
into two categories: those that CAN be run in parallel,
and those that CANNOT. Much work has been done to replace
hardcoded names (mycontainer, mypod) with safename().
Hundreds of test runs, in CI and on Ed's laptop, have
proven this approach viable.

make {local,remote}system now runs in two steps: first
the serial ones, then the parallel ones. hack/bats will
now recognize the 'ci:parallel' tag and add --jobs (nprocs).

This requires some tweaking of leak_check, because there
can be umpteen tests running (affecting image/container/pod/etc
state) when any given test completes.

Rules for enabling parallelization in tests:

   * use unique container/pod/volume/network names (safename)
   * do not run 'podman rm -a' or 'rmi -a'
   * never use the -l (--latest) option
   * do not run 'podman ps/images' and expect precise output

Signed-off-by: Ed Santiago <santiago@redhat.com>
2024-09-17 09:25:02 -06:00
5389eee737 Create a podman-troubleshooting man page
Generated at build time from troubleshooting.md. Purpose is
to ship an actual man page to end users.

Much more complicated than initial guess, because there was
a bug in my Makefile man page filtering, the sed expression
that cleans up markdown that does not translate to roff.
All I've done here is reorder some of the expressions,
stripping off https links *before* we process
podman man page links.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2024-08-28 05:49:45 -06:00
666d839157 golangci-lint: make windows linting happy
It qemu cannot be compiled anyway so make sure we do not try to compile
parts where the typechecker complains about on windows.
Also all the e2e test files are only used on linux as well.
pkg/machine/wsl also reports some error but too many for me to fix them
now. One minor problem was fixed in pkg/machine/machine_windows.go.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-08-19 11:41:29 +02:00
6c0d94328f golangci-lint: remove most skip dirs
Now that we have proper !remote tags set everywhere we can just rely on
that and do not need to skip any dirs.
Also on linux do not lint three times, one remote run is enough.
We still have to skip the test dir for windows/macos though or we need
to add linux build tags there everywhere as well. This seems simpler.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-08-19 11:41:28 +02:00
ec59508d4c chore(podmansnoop): explain why crun comm is 3
Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
2024-08-09 10:57:59 +02:00
5666100c2e Remove references and checks for --gpus
No way to test this unless running on a nvidia platform.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2024-07-17 12:02:51 -04:00
dd1bcabae9 CI: use local registry, part 2 of 3: fix tests
This commit gets tests working under the new local-registry system:

  * amend a few image names, mostly just sticking to a consistent
    list of those images in our registry cache. Mostly minor
    tag updates.

  * trickier: pull_test: change some error messages, and remove
    a test that's now a NOP. Basically, with a local (unprotected)
    registry we always get "404 manifest unknown"; with a real
    registry we'll get "403 I can't tell you".

  * trickiest: seccomp_test: build our own images at run time,
    with our desired labels. Until now we've been pulling
    prebuilt images, but those will not copy to the local
    cache registry. Something about v1? Anyhow, I gave up
    trying to cache them, and the workaround is straightforward.

Also took the liberty of strengthening a few error-message checks

Signed-off-by: Ed Santiago <santiago@redhat.com>
2024-07-11 04:39:45 -06:00
81c90f51c2 test/system: speed up basic_{setup,teardown}()
While these are not really slow they still take about 100-250ms if I
time this locally. Given they are run for every test this adds up
quickly. Looking at CI logs I can see the timings for skipped
tests are all in 600ms range. So I think it is safe to assume that these
functions need to get faster.

We have over 670 test cases currently so we talk about over 400s spent
in these functions in CI. This allows for big gains.

Now overall this is a tricky trade-off, while all tests should cleanup
after themselves there is no guarantee for that as such errors can be
leaked into other tests making debugging much harder. To work at least a
bit against this teardown checks if the test was successful and only
skips the podman commands based on that. Without it a single flake could
cause all following tests to fail.

As such this commit does the proper setup once one suite start then only
after a test failed.

In order for this to work at all we have to fix all leaks first, see
previous commits. And then for the future keep a very strong eye on
this during reviews.

Also add a PODMAN_BATS_LEAK_CHECK option

By default test must cleanup themselves and to speed up CI we no longer
do any cleanup in teardown by default. However there are still many cases
where we might have to debug a leak so add a new PODMAN_BATS_LEAK_CHECK
env option that can be set and should cause teardown to fail if the test
did not cleanup properly.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-06-18 11:06:50 +02:00
2e70d4201f System tests: add podman system check tests
Testing `podman system check` requires that we have a way to
intentionally introduce storage corruptions.  Add a hidden `podman
testing` command that provides the necessary internal logic in
subcommands.  Stub out the tunnel implementation for now.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2024-06-04 10:00:37 -04:00
5e9725983d install swagger from source
First of all this removes the need for a network connection, second
renovate can update the version as it is tracked in go.mod.

However the real important part is that the binary downloads are
broken[1]. For some reason the swagger created with them does not
include all the type information for the examples. However when building
from source the same thing works fine.

[1] https://github.com/go-swagger/go-swagger/issues/2842

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-04-12 15:26:34 +02:00
08a49389c8 Add os, arch, and ismanifest to libpod image list
when listing images through the restful service, consumers want to know
if the image they are listing is a manifest or not because the libpod
endpoint returns both images and manifest lists.

in addition, we now add `arch` and `os` as fields in the libpod endpoint
for image listing as well.

Fixes: #22184
Fixes: #22185

Signed-off-by: Brent Baude <bbaude@redhat.com>
2024-04-11 08:46:37 -05:00
fbd6df92d4 [CI:DOCS] golangci-lint: update deprecated flags
Per https://golangci-lint.run/product/changelog/#v1570
  - Replace run.skip-xxx options by issues.exclude-xxx options

Signed-off-by: Ed Santiago <santiago@redhat.com>
2024-04-03 05:57:41 -06:00
1141962e2a xref-helpmsgs-manpages: cross-check Commands.rst
Belated followup to #21981. (Looks like I started to add this
functionality back in 2020 but left it unfinished. Tsk tsk.)

docs/source/Commands.rst is unnecessary duplication. It _should_
be autogenerated, but I can't figure out how to cleanly add
that to our Make process. This PR is an interim cross-check
until we get that resolved:

  - everything in podman --help must have a matching entry
    in Commands.rst (top-level commands only)

  - check for dups and out-of-sequence in Commands.rst
    - also for anything in Commands.rst that is not in --help

Fix existing mismatches in Commands.rst.

Also, #21784 removed a format specifier that I was using in
regression tests. Switch to using something else, to get
test passing again. Given the fact the correct solution
is autogenerating Commands.rst, I choose not to add new
tests for the rst xref.

Also, executive decision, remove volume.rst. It is not referenced
from anywhere, it looks like a lonely orphan remnant from days
of yore.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2024-03-18 09:09:25 -06:00
02403c2e6d Makefile: podman should have correct selinux label
pasta only works when we run as container_runtime_exec_t, now that pasta
is the default this means that the current binary will not work when
doing local dev without manually fixing the label.

There are also other parts where the correct label is important. So as a
simple fix always set the proper label in the bin/podman target.
This also means we can drop this line from the hack/bats script.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2024-03-05 11:08:23 +01:00