While mounting virtual console devices in a systemd container is a
recipe for disaster (I experienced it first hand), mounting serial
console devices, modems, and others should still be done by default
for privileged systemd-based containers.
v2, addressing the review from @fho:
- use backticks in the regular expression to remove backslashes
- pre-compile the regex at the package level
- drop IsVirtualTerminalDevice (not needed for a one-liner)
v3, addressing the review from @fho and @rhatdan:
- re-introduce a private function for matching the device names
- use path.Match rather than a regex not to slow down startup time
Closes#16925.
Fixes: 5a2405ae1b3a ("Don't mount /dev/tty* inside privileged...")
Signed-off-by: Martin Roukala (né Peres) <martin.roukala@mupuf.org>
When SELinux is enabled, e2e test could be failed
due to run a ls command in a running container.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
This is to help me in my flake analysis.
Scenario: I'm looking at recent flakes, and see Flake X. I know
that Flake X was "fixed" two weeks ago. Did the fix not work?
Or is this just one of those PRs that was created three weeks
ago (or three months ago) and never rebased to pick up the fix?
This adds a one-click way for me to tell.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Much as we'd love to eat our dogfood, podman.io is not hosted
on reliable infrastructure; redhat.com is. Let's see if this
gets rid of CI flakes.
Closes: #17044
Signed-off-by: Ed Santiago <santiago@redhat.com>
If the run errors, cobra does not execute post runs. It is a somehow
known issue (https://github.com/spf13/cobra/issues/914) but problematic
for Podmand as the runtime is shutdown during post run.
Since some commands overwrite the post run and a general lack in cobra
of post runs on errors, move the shutting down the engines directly into
Execute. Fixing the issue may fix a number of flakes.
Note that the shutdowns are NOPs for the remote client.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Using "w" suffixed versions of QEMU binaries for correct background process
handling and not bind it to lifecycle of command prompt window. Stub for
arm64 version added to fix compilation issues of this target, when QEMU
machine will be finally enabled.
Signed-off-by: Arthur Sengileyev <arthur.sengileyev@gmail.com>
follow-up to 6886e80b45caae27dda81a9b44d8dd179c414580
when "podman -rm -f" is used on a container in "stopping" state, also
make sure it is terminated before removing it from the local storage.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
check that the container has a valid pid before attempting to use
kill($PID, 0) on it. If the PID==0, it means the container is already
stopped.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
if /sys is bind mounted from the host then also add an explicit mount
for /sys/fs/cgroup so that 'ro' is honored.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Do not allow for removing the service container unless all associated
pods have been removed. Previously, the service container could be
removed when all pods have exited which can lead to a number of issues.
Now, the service container is treated like an infra container and can
only be removed along with the pods.
Also make sure that a pod is unlinked from the service container once
it's being removed.
Fixes: #16964
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add a new flag --publish
Remote - Pass PublishPorts as a string array
ABI - translate the string array to Ports and merge with the ports in the spec
Add e2e tests
Add option to man doc
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
if the container has no pid namespace, they are not killed when the
container process ends. In this case, attempt to kill them in the
same way.
The problem was noticed with toolbox where the exec'ed sessions are
not terminated when the container is stopped, blocking the system
shutdown.
[NO NEW TESTS NEEDED]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
in several top-level API functions. These are the first line of
the function that contains them, which makes sense; we want to
capture any error returned by the function. However, making this
the first defer means that it is the last thing to run after the
function returns - meaning that the container's
`defer c.lock.Unlock()` has already fired, leading to a chance we
modify the container without holding its lock.
We could move the function around so it's no longer the first
defer, but then we'd have to call it twice (immediately after
`defer c.lock.Unlock()` if the container is not batched, and a
second time in a new `else` block right after the lock/sync call
to make sure we handle batched containers). Seems simpler to just
leave it like this.
[NO NEW TESTS NEEDED] Can't really test for DB corruption easily.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
add a new failblock style, with light red background all across
the entire page, and use it for bats "FAIL" blocks.
Also highlight logrus level=(debug|info|warning|error|fatal)
messages in increasingly prominent styles
Signed-off-by: Ed Santiago <santiago@redhat.com>
Red Hat registry is too unreliable. (As of this writing
in January 2023, quay.io is not much better, but this is
a new flake. Ubi has been flaking for a year or more).
Instead of UBI, use the new systemd-image added to system tests
in #16814. Since this reduces the number of cached images,
a few unrelated tests (image count) need to be tweaked.
And, sigh, Fedora systemd colorizes boot messages by default,
causing a failure where we don't see an expected Reached Target
message. I don't want to rely on ASCII formatting codes, so
I've updated the build-systemd-image script so it disables
systemd colors, and have built a new systemd-image:20230106.
Made a few small usability improvements to the script as well.
Closes: #16695
Signed-off-by: Ed Santiago <santiago@redhat.com>
When you use podman logs with --until and --follow it should exit after
the requested until time and not keep hanging forever.
This fixes the behavior for the k8s-file backend.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When you use podman logs with --until and --follow it should exit after
the requested until time and not keep hanging forever.
To make this work I reworked the code to use the better journald event
reading code for logs as well. this correctly uses the sd_journal API
without having to compare the cursors to find the EOF.
The same problems exists for the k8s-file driver, I will fix this in the
next commit.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Instead of reading the full journal which can be expensive we can seek
based on the time.
If you have a journald with many podman events just compare the time
`time podman events --since 1s --stream=false` with and without this
patch.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The `containerCouldBeLogging` bool should not be false by default, when
--since is used we seek in the journal and can miss the start event so
that bool would stay false forever. This means that a running container
is not followed even when it should.
To fix this we can just set the `containerCouldBeLogging` bool based on
the current contianer state.
Fixes#16950
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Some (?) Python versions assume that text files are encoded as 7-bit ASCII and abort when encountering other encoding. Some of podman's markdown documentation files are encoded as UTF-8, and this needs to be specified explicitly when opening files.
Closes https://github.com/containers/podman/issues/16996.
[NO NEW TESTS NEEDED]
Signed-off-by: Erik Schnetter <schnetter@gmail.com>
