selinux-policy-34.9-1.fc34 breaks a behavior we've relied on
since (at least) January 2020:
- Revert "Add permission open to files_read_inherited_tmp_files()
interface"
That's probably the correct thing to do, but it breaks our
existing tests. Solution: add ':Z' where needed.
Tested on Ed's laptop, which has the offending selinux-policy
as of 2021-05-31. Tests pass root and rootless. (I mention
this because tests will obviously pass in CI, which has a
much older selinux-policy).
Also: add a 'podman rmi' for cleanup in one test, to avoid
noise in test logs.
Fixes: #10522
Signed-off-by: Ed Santiago <santiago@redhat.com>
ErrOCIRuntimeNotFound error is misleading. Try to make it more
understandable to the user that the OCI Runtime IE crun or runc is not
missing, but the command they attempted to run within the container is
missing.
[NO TESTS NEEDED] Regular tests should handle this.
Fixes: https://github.com/containers/podman/issues/10432
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Migrate the Podman code base over to `common/libimage` which replaces
`libpod/image` and a lot of glue code entirely.
Note that I tried to leave bread crumbs for changed tests.
Miscellaneous changes:
* Some errors yield different messages which required to alter some
tests.
* I fixed some pre-existing issues in the code. Others were marked as
`//TODO`s to prevent the PR from exploding.
* The `NamesHistory` of an image is returned as is from the storage.
Previously, we did some filtering which I think is undesirable.
Instead we should return the data as stored in the storage.
* Touched handlers use the ABI interfaces where possible.
* Local image resolution: previously Podman would match "foo" on
"myfoo". This behaviour has been changed and Podman will now
only match on repository boundaries such that "foo" would match
"my/foo" but not "myfoo". I consider the old behaviour to be a
bug, at the very least an exotic corner case.
* Futhermore, "foo:none" does *not* resolve to a local image "foo"
without tag anymore. It's a hill I am (almost) willing to die on.
* `image prune` prints the IDs of pruned images. Previously, in some
cases, the names were printed instead. The API clearly states ID,
so we should stick to it.
* Compat endpoint image removal with _force_ deletes the entire not
only the specified tag.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Basically, add 'podman wait' before 'podman rm'. See if this
fixes gating tests run on ppc64le (possibly very very slow hosts)
Signed-off-by: Ed Santiago <santiago@redhat.com>
socat can create a dummy PTY that we can manipulate. This
lets us run a variety of tests that we couldn't before,
involving "run -it", and stty, and even "load" with no args.
Signed-off-by: Ed Santiago <santiago@redhat.com>
If you are attempting to run a container in interactive mode, and want
a --tty, then there must be a terminal in use.
Docker exits right away when a user specifies to use a --interactive and
--TTY but the stdin is not a tty.
Currently podman will pull the image and then fail much later.
Podman will continue to run but will print an warning message.
Discussion in : https://github.com/containers/podman/issues/8916
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
buildah now supports running under emulation[1] as well as
creating manifests. Use those features to create a multiarch
testimage that can be used to test podman on other arches.
[1] on Fedora 33, this requires the qemu-user-static package
We also build a new :00000001 image, replacing :00000000,
because (sigh) some tests try to run 'true' in the container.
Include instructions on building said image.
Signed-off-by: Ed Santiago <santiago@redhat.com>
When resolving the workdir of a container, we may need to create unless
the user set it explicitly on the command line. Otherwise, we just do a
presence check. Unfortunately, there was a missing return that lead us
to fall through into attempting to create and chown the workdir. That
caused a regression when running on a read-only root fs.
Fixes: #9230
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This actually tests conmon, not podman; but that's the whole
point of system tests in the first place: if a problem exists,
we want to fail loudly, no matter whose fault it is.
(I can't get this to fail on my f33 laptop; OP on #9096 claims
it only fails on Ubuntu. We'll see what happens in CI).
Signed-off-by: Ed Santiago <santiago@redhat.com>
A container's workdir can be specified via the CLI via `--workdir` and
via an image config with the CLI having precedence.
Since images have a tendency to specify workdirs without necessarily
shipping the paths with the root FS, make sure that Podman creates the
workdir. When specified via the CLI, do not create the path, but check
for its existence and return a human-friendly error.
NOTE: `crun` is performing a similar check that would yield exit code
127. With this change, however, Podman performs the check and yields
exit code 126. Since this is specific to `crun`, I do not consider it
to be a breaking change of Podman.
Fixes: #9040
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
- run test: minor cleanup to .containerenv test. Basically,
make it do only two podman-runs (they're expensive) and
tighten up the results checks
- ps test: add ps -a --storage. Requires small tweak to
run_podman helper, so we can have "timeout" be an expected
result
- sdnotify test: workaround for #8718 (seeing MAINPID=xxx as
last output line instead of READY=1). As found by the
newly-added debugging echos, what we are seeing is:
MAINPID=103530
READY=1
MAINPID=103530
It's not supposed to be that way; it's supposed to be just
the first two. But when faced with reality, we must bend
to accommodate it, so let's accept READY=1 anywhere in
the output stream, not just as the last line.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Followup to #8284, due to my not having noticed #8096.
RHEL gating tests are failing again due to rhbz#1895105, the
one where we can't run journalctl rootless on RHEL. #8284 fixed
this for some RHEL builds of older podman, but I missed #8096
which added yet another logs test.
This brings us to three journalctl exceptions, which means
it gets complicated because I have to refactor it all.
**THIS IS NOT SUSTAINABLE**. We need some way to have a similar
setup in CI, with a permission-less rootless login, so we don't
add yet another logs test some day and discover, months later,
that it doesn't work on RHEL and then have to go into crisis
mode.
Signed-off-by: Ed Santiago <santiago@redhat.com>
As suggested by @edsantiago, add a comment to the regression test
of #8558 to better document the context.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When creating a container, do not clear the input-image name before
looking up image names. Also add a regression test.
Fixes: #8558
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
We have been asked to leak some information into the container
to indicate:
* The name and id of the container
* The version of podman used to launch the container
* The image name and ID the container is based on.
* Whether the container engine is running in rootless mode.
Fixes: https://github.com/containers/podman/issues/6192
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
- run test : tweaks to recently-added network-conflict test:
* remove "-d" in run
* confirm exact warning text, and also that container
runs successfully
* test multiple --net options (regression #8057)
- images, run, build, exec tests: add multiple-flag
testing for various flags, confirming as appropriate
whether options are overridden or accumulated.
- ps test : add --filter and --sort tests
- pod test: run 'ping' inside container (confirms that
container gets PING capability)
Signed-off-by: Ed Santiago <santiago@redhat.com>
(actually, on any system exhibiting the symptom wherein
journalctl fails due to insufficient permissions, which
for all practical purposes means only RHEL8)
Signed-off-by: Ed Santiago <santiago@redhat.com>
Setting port mappings only works when CNI is configuring our
network (or slirp4netns, in the rootless case). This is not the
case with `--net=host`, `--net=container:`, and joining the
network namespace of the pod we are part of. Instead of allowing
users to do these things and then be confused why they do
nothing, let's match Docker and return a warning that your port
mappings will do nothing.
Signed-off-by: Matthew Heon <mheon@redhat.com>
When the OCI Runtime tries to set certain settings in cgroups
it can get the error "no such file or directory", the wrapper
ends up reporting a bogus error like:
```
Request Failed(Internal Server Error): open io.max: No such file or directory: OCI runtime command not found error
{"cause":"OCI runtime command not found error","message":"open io.max: No such file or directory: OCI runtime command not found error","response":500}
```
On first reading of this, you would think the OCI Runtime (crun or runc) were not found. But the error is actually reporting
message":"open io.max: No such file or directory
Which is what we want the user to concentrate on.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
- run test: preserve --runtime test: use a random executable
path. And, clean up better.
- run test: "look up correct image name" test: use random
strings; test both without and with a :tag
- events test: use random label strings, add more filter tests
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add a check step in podman run --log-driver test. Prefer to add
it here as it already has a loop to cover all different drivers
in this test.
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
Record the correct image name when creating a container by using the
resolved image name if present. Otherwise, default to using the first
available name or an empty string in which case the image must have been
referenced by ID.
Fixes: #8082
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The BATS 'run' directive is really quite obnoxious; for the
most part we really don't want to use it. Remove some uses
that snuck in last week, and remove one test (exists) that
can more naturally be piggybacked into an rm test.
While we're at it: in setup(), look for and delete stray
external (buildah) containers. This will be important if
any of the external-container tests fails; this way we
don't leave behind a state that causes subsequent tests
to fail.
Signed-off-by: Ed Santiago <santiago@redhat.com>
External containers are containers created outside of Podman.
For example Buildah and CRI-O Containers.
$ buildah from alpine
alpine-working-container
$ buildah run alpine-working-container touch /test
$ podman container exists --external alpine-working-container
$ podman container diff alpine-working-container
C /etc
A /test
Added --external flag to refer to external containers, rather then --storage.
Added --external for podman container exists and modified podman ps to use
--external rather then --storage. It was felt that --storage would confuse
the user into thinking about changing the storage driver or options.
--storage is still supported through the use of aliases.
Finally podman contianer diff, does not require the --external flag, since it
there is little change of users making the mistake, and would just be a pain
for the user to remember the flag.
podman container exists --external is required because it could fool scripts
that rely on the existance of a Podman container, and there is a potential
for a partial deletion of a container, which could mess up existing users.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Current these commands only check if a container exists in libpod. With
this fix, the commands will also check if they are in containers/storage.
This allows users to look at differences within a buildah or CRI-O container.
Currently buildah diff does not exists, so this helps out in that situation
as well as in CRI-O since the cri does not implement a diff command.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
- run --userns=keep-id: confirm that $HOME gets set (#8013)
- inspect: confirm that JSON output is a sane number of
lines (10 or more), not an unreadable one-liner (#8011
and #8021). Do so with image, pod, network, volume
because the code paths might be different.
- cgroups: confirm that 'run' preserves cgroup manager (#7970)
- sdnotify: reenable tests, and hope CI doesn't hang. This
test was disabled on August 18 because CI jobs were hanging
and timing out. My suspicion was that it was #7316, which
in turn seems to have hinged on conmon #182. The latter
was merged on Sep 16, so let's cross our fingers and see
what happens.
Also: remove inaccurate warning from a networking test.
And, wow, fix is_cgroupsv2(), it has never actually worked.
Signed-off-by: Ed Santiago <santiago@redhat.com>
change capabilities handling to reflect what docker does.
Bounding: set to caplist
Inheritable: set to caplist
Effective: if uid != 0 then clear; else set to caplist
Permitted: if uid != 0 then clear; else set to caplist
Ambient: clear
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
New tests for podman run --tz=EXPLICIT and =local. Requires
updating our testimage by adding a fixed reference timestamp
to a known file path.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Obscure corner case in which 'podman run --pull=never alpine'
will actually pass *with no alpine image* if there's an
image named "myalpine". (i.e. a substring match, not full
string match). Fixed in #7770 but the tests that were added
there do not actually test that.
This adds a double-duty test for that as well as making
sure that 'run --pull=never SHORTNAME' (implicit :latest)
does not match our existing :YYYYMMDD image; then one
more quick test to make sure that if we tag as :latest,
the same --pull=never succeeds.
Signed-off-by: Ed Santiago <santiago@redhat.com>
- pause test: enable when rootless + cgroups v2
(was previously disabled for all rootless)
- run --pull: now works with podman-remote
(in #7647, thank you @jwhonce)
- various other run/volumes tests: try reenabling
It looks like #7195 was fixed (by #7451? I'm not
sure if I'm reading the conversation correctly).
Anyway, remove all the skip()s on 7195. Only time
will tell if it's really fixed)
Also:
- new test for podman image tree --whatrequires
(because TIL). Doesn't work with podman-remote.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Tests all (current) values for --log-driver=X, and one test
for invalid value. For those drivers that write a local
file (json-file, k8s-file), test that the file exists and
contains results of the expected form (timestamp, stdout,
'F' for 'F'ull line, and the expected string output.
For json-file, confirm that podman issues a "Choosing k8s-file"
warning (only on local. On podman-remote, the warning goes only
to the server's stderr).
Written in response to #7754 in which driver=json-file was
falling through to 'none' instead of 'k8s-file'.
Signed-off-by: Ed Santiago <santiago@redhat.com>
- run tests: better "skip" message for docker-archive test;
remove FIXME, document that podman-remote doesn't support it
- run tests: instrument the --conmon-pidfile test in hopes
of tracking down flake #7580: cross-check pidfile against
output of 'podman inspect', and add some debug messages
that will only be seen on test failure.
- load tests: the pipe test: save and load a temporary tag,
not $IMAGE. Primary reason is because of #7371, in which
'podman load' assigns a new image ID (instead of preserving
the saved one). This messes with our image management, and
it turns out to be nonfixable.
Signed-off-by: Ed Santiago <santiago@redhat.com>
CI and system tests currently pull some images from docker.io.
Eliminate that, by:
- building a custom image containing much of what we need
for testing; and
- copying other needed images to quay.io
(Reason: effective 2020-11-01 docker.io will limit the
number of image pulls).
The principal change is to create a new quay.io/libpod/testimage,
using the new test/system/build-testimage script, instead of
relying on quay.io/libpod/alpine_labels. We also switch to
using a hardcoded :YYYYMMDD tag, instead of :latest, in an
attempt to futureproof our CI. This image includes 'httpd'
from busybox-extras, which we use in our networking test
(previously we had to pull and run busybox from docker.io).
The testimage can and should be extended as needed for future
tests, e.g. adding test file content or other useful tools.
For the '--pull' tests which require actually pulling from
the registry, I've created an image with the same name but
tagged :00000000 so it will never be pulled by default.
Since this image is only used minimally, it's just busybox.
Unfortunately there remain two cases we cannot solve in
this tiny alpine-based image:
1) docker registry
2) systemd
For those, I've (manually) run:
podman pull [ docker.io/library/registry:2.7 | registry.fedoraproject.org/fedora:31 ]
podman tag !$ quay.io/...
podman push !$
...and amended the calling tests accordingly.
I've tried to make the the smallest reasonable diff, not the
smallest possible one. I hope it's a reasonable tradeoff.
Signed-off-by: Ed Santiago <santiago@redhat.com>
