This adds basic container and volume system tests for quadlet. These
install and run actual systemd units and ensure they work.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
In the recent past, I met the frequent need to wait for a container to
exist that, at the same time, may get removed (e.g., system tests in [1]).
Add an `--ignore` option to podman-wait which will ignore errors when a
specified container is missing and mark its exit code as -1. Also
remove ID fields from the WaitReport. It is actually not used by
callers and removing it makes the code simpler and faster.
Once merged, we can go over the tests and simplify them.
[1] github.com/containers/podman/pull/16852
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Also update vendor of containers/storage and image
Cleanup display of added/dropped capabilties as well
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
whenever the podman process is launched, it runs any file found in
these directories:
- /etc/containers/auth-scripts
- /usr/libexec/podman/auth-scripts
The current podman command line is passed as arguments to the
process.
If any of the processes fail, the error is immediately reported back
from podman that exits with the same error code.
[NO NEW TESTS NEEDED] requires a system-wide configuration.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Init containers are removed once they exit, but podman
reports and error that the container does not exist, when
it was previously removed. Stop reporting missing containers
when removing.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
With the 4.0 network rewrite I introduced a regression in 094e1d70de.
It only covered the case where a checkpoint is restored via --import.
The normal restore path was not covered since the static ip/mac are now
part in an extra db bucket. This commit fixes that by changing the config
in the db.
Note that there were no test for --ignore-static-ip/mac so I added a big
system test which should cover all cases (even the ones that already
work). This is not exactly pretty but I don't have to enough time to
come up with something better at the moment.
Fixes#16666
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The remote client should be allowed to specify if the container should
be run with the proxy env vars. It will still use the proxy vars from
the server process and not the client. This makes podman-remote more
consistent with the local version and easier to use in environments
where a proxy is required.
Fixes#16520
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
As outlined in #16076, a subsequent BARRIER *may* follow the READY
message sent by a container. To correctly imitate the behavior of
systemd's NOTIFY_SOCKET, the notify proxies span up by `kube play` must
hence process messages for the entirety of the workload.
We know that the workload is done and that all containers and pods have
exited when the service container exits. Hence, all proxies are closed
at that time.
The above changes imply that Podman runs for the entirety of the
workload and will henceforth act as the MAINPID when running inside of
systemd. Prior to this change, the service container acted as the
MAINPID which is now not possible anymore; Podman would be killed
immediately on exit of the service container and could not clean up.
The kube template now correctly transitions to in-active instead of
failed in systemd.
Fixes: #16076Fixes: #16515
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The flake in #16076 is likely related to the notify message not being
delivered/read correctly. Move sending the message into an exec session
such that flakes will reveal an error message.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The containers should be able to write to tmpfs mounted directories.
Also cleanup output of podman kube generate to not show default values.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When the new `events_container_create_inspect_data` option is enabled in
containers.conf set the `ContainersInspectData` event field for each
container-create event.
The data was requested for the purpose of auditing (e.g., intrusion
detection).
Jira: https://issues.redhat.com/browse/RUN-1702
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When restarting a container, clean up the healthcheck state by removing
the old log on disk. Carrying over the old state can lead to various
issues, for instance, in a wrong failing streak and hence wrong
behaviour after the restart.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2144754
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The 900-ssh test is not an actual test, and I'm unable to
figure out how to make it one. Skip it for now, but add a
bunch of FIXMEs some someone can come in later and actually
implement it.
Also removed lots of dead code and misleading comments.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Podman --noout was not suppressing output from commands that do not
create the podman engine. Now, podman --noout properly suppresses output
from every command.
Fixes: https://github.com/containers/podman/issues/16201
Signed-off-by: Ashley Cui <acui@redhat.com>
Weird one-off flake seen:
# ... healthcheck run <containername>
Error: container SHA is not running
The only way I can see this happening is if the healthcheck
auto-timer triggered, which seems impossible because that
should be 30s and the log timestamps show this test taking
18s. But, shrug, let's see if disabling the timer works. I
don't have high hopes that this will fix anything, but it's
probably a good idea regardless.
Also, since this test loops over different policies, include
policy name in error messages as a courtesy. (It's obtainable
anyway by scrolling up)
Signed-off-by: Ed Santiago <santiago@redhat.com>
Fix a bug for special-casing "." where Podman has mistakenly been
looking for a "." suffix instead of interpreting it as a path.
Add regression tests for the host-to-container, container-to-host and
container-to-container use cases. Have separate tests for each to
verify that previous Podman versions fail each case.
Fixes: #16421
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
`podman-remote` does not support `--events-backend`, which overrides a
log driver. When `--events-backend` is necessary in a test for
`podman-remote`, the test should be skipped.
We don't need to fix the other cases with
`_additional_events_backend()` because `_log_test_follow()` already has
the same skipping logic and `_log_test_multi()` always skips a test when
testing `podman-remote`.
Signed-off-by: Hironori Shiina <shiina.hironori@fujitsu.com>
When we are using a proxy, 'podman build - basic test'
will be failed on remote.
This test needs to add the '--http-proxy' option.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
_test_skopeo_credential_sharing() used port_is_free() to check if a
port has no active listeners. With the new implementation, this is
not equivalent anymore: a port might be in TIME_WAIT, so it's not
free, but the listener might be long gone.
Add tcp_port_probe() to check if there's an active listener on a
given port, and use it in _test_skopeo_credential_sharing().
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
These tests should cover all the basic networking functionality with
pasta(1). Namely, they check:
- IPv4 and IPv6 addressing and routing settings
- TCP and UDP port forwarding over IPv4 and IPv6
- data transfers and ICMP/ICMPv6 echo requests
- the (exceedingly simple) lifecycle handling
These tests need some new helpers, to obtain IPv4 and IPv4 addresses
and routes, as well as MTU and interface names. Those use jq(1) for
parsing.
Some availability checks are implemented as well, to skip tests if
pasta(1) is not available, or if IPv4 and IPv6 are not usable.
To get consistent outcomes across distributions, and to enable
uncomplicated termination for UDP tests based on zero-sized packets,
use socat(1), which, unlike netcat, doesn't suffer from option
inconsistencies depending on flavours (traditional, BSD, NMAP) and
versions.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
The main helpers.bash file is rather bloated and it's difficult to
find stuff there. Move networking functions to their own helper
file.
While at it, apply a consistent style, and rearrange logically
related functions into sections.
Suggested-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Using bash /dev/tcp/ pseudo-device files to probe for bound ports has
indeed the advantage of simplicity, but comes with a few drawbacks:
- it will actually send data to unsuspecting services that might be
running in the same network namespace as the tests, possibly
causing unwanted interactions
- it doesn't allow for UDP probing
- it makes it impossible to clearly distinguish between different
address bindings
Replace that approach with a new helper, port_is_bound(), that uses
procfs entries at /proc/net to detect bound ports, without the need
for active probing.
We can now implement optional parameters in callers, to check if a
port if free for binding to a given address, including any IPv4
(0.0.0.0) or any IPv6 (::0) address, and for a given protocol, TCP
or UDP.
Extend random_free_port() and random_free_port_range() to support
that.
The implementation of one function in the file
test/system/helpers.bash, namely ipv6_to_procfs(), and the
implementation of the corresponding own test, delimited by the
markers "# BEGIN ipv6_to_procfs" and "# END ipv6_to_procfs" in the
file test/system/helpers.c was provided, on the public forum at:
https://github.com/containers/podman/pull/16141
by Ed Santiago <santiago@redhat.com>, who expressly invited me to
include them in this code submission.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Currently, wait_for_port() duplicates the check logic implemented by
port_is_free().
Add an optional argument to port_is_free(), representing the bound
address to check, and call it, dropping the direct check in
wait_for_port().
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
It looks like #16132 was my fault: a missing 'wait' for a container
to exit. Let's see if this fixes the flake.
And, while poking through flake logs, I found another missing wait.
And... in wait_for_output(), address a potential race.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Remove the container/pod ID file along with the container/pod. It's
primarily used in the context of systemd and are not useful nor needed
once a container/pod has ceased to exist.
Fixes: #16387
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
--insecure and --verbose flags for docker compatibility
--tls-verify for syntax compatibility and allow users to inspect
manifests at remote Container Registiries without requiring tls.
Helps fix: https://github.com/containers/podman/issues/14917
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We have CI tests running in netavark mode when CNI is desired.
Add a new .cirrus.yml envariable, CI_DESIRED_NETWORK, which
we then force-check in e2e and system tests. Simple copy/paste
of #14912 (the RUNTIME check) with manual s/RUNTIME/NETWORK/
and other minor changes.
Signed-off-by: Ed Santiago <santiago@redhat.com>
One of the system tests was creating a volume and not cleaning up
after itself. Fix that: do cleanup in the test itself. And, add
a 'volume rm -af' to global teardown() to leave things clean for
the next tests.
Also, OOPS! Correct some instances of 'podman' in two system
tests to 'run_podman'. And remove an unused (misleading) variable.
And, one more: in auto-update test, unit file, use $PODMAN,
not /usr/bin/podman
UGH! Yet one more: found/fixed a 'run<space>podman'
Signed-off-by: Ed Santiago <santiago@redhat.com>
I have no idea what this usage means, but the test fails
on a system with no /usr/bin/podman ... and that suggests
to me that the test is broken, in that it's been using
/usr/bin/podman instead of the $PODMAN we're testing.
Solution: 'podman', not '/usr/bin/podman'. Per @Luap99,
podman will replace the string 'podman' with /proc/self/exe
Signed-off-by: Ed Santiago <santiago@redhat.com>
One test was using a hardcoded fixed port, with a comment
referring to #10806. That issue seems fixed, so let's
try switching to a pseudorandom open port.
Does not actually fix#16289 but I'm going to close that
anyway, will reopen if it recurs.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Bump the timeout waiting for the container to process the signal.
The comparatively short timeout is most likely responsible for
flakes in gating tests.
Fixes: #16091
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Truncate the container and pod ID files instead of throwing an error.
The main motivation is to prevent redundant work when starting systemd
units. Throwing an error when the file already exists is not preventing
races or file corruptions, so let's leave that to the user which in
almost all cases are generated (and tested) systemd units.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
