18276 Commits

Author SHA1 Message Date
498194c51f Merge pull request #17808 from sbrivio-rh/pasta
Revert "Revert "pasta: Use two connections instead of three in TCP ra…
2023-03-16 10:27:15 -04:00
8f81e08f98 Merge pull request #17688 from mheon/add_sqlite_ci
Add SQLite job to CI
2023-03-16 04:04:48 -04:00
c2a24abc0d Revert "Revert "pasta: Use two connections instead of three in TCP range forward tests""
This reverts commit 1c08f2edac3f9ecf128cf8da91276e963e6ad14c: the
original failure reported in #17287 persists:

  [+1306s] not ok 453 podman networking with pasta(1) - TCP translated port range forwarding, IPv4, loopback

...

  [+1306s] # 2023/03/15 14:33:33 socat[119870] E connect(8, AF=2 127.0.0.1:5127, 16): Interrupted system call
  [+1306s] # xx
  [+1306s] # #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
  [+1306s] # #|     FAIL: Mismatch between data sent and received
  [+1306s] # #| expected: = xxx
  [+1306s] # #|   actual:   xx
  [+1306s] # #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

so keep two connections instead of three as long as I'm too dumb to
figure this out.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-03-16 05:11:30 +01:00
9119157920 Merge pull request #17755 from adrianreber/2023-03-13-pre-allocate
Use append() to add elements to a slice (restore)
2023-03-15 20:35:01 -04:00
345aa34381 Merge pull request #17766 from rhatdan/man
[CI:DOCS] Document --format for additional man pages
2023-03-15 17:25:35 -04:00
3a59af219a Add information for secret inspect
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-03-15 16:15:59 -04:00
87e93a7b67 Add format to podman volume ls
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-03-15 16:15:59 -04:00
b424f8fb09 Add format to podman volume inspect
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-03-15 16:15:59 -04:00
2555c80340 Add format to podman secret ls
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-03-15 16:15:59 -04:00
1c4bd4a736 Add format to podman system df
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-03-15 16:15:59 -04:00
71bcd9891d Add format to podman machine info
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-03-15 16:15:59 -04:00
581611844d Add format table to podman image inspect man page
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-03-15 16:15:59 -04:00
b3035b9d66 Update Cirrus display names, and fix get-ci-vm script
Signed-off-by: Matt Heon <mheon@redhat.com>
2023-03-15 14:45:28 -04:00
6142c16a9c Ensure SQLite places uses the runroot in transient mode
Transient mode means the DB should not persist, so instead of
using the GraphRoot we should use the RunRoot instead.

Signed-off-by: Matt Heon <mheon@redhat.com>
2023-03-15 14:45:28 -04:00
2ec11b16ab Fix various integration test issues with SQLite state
Two main changes:
- The transient state tests relied on BoltDB paths, change to
  make them agnostic
- The volume code in SQLite wasn't retrieving and setting the
  volume plugin for volumes that used one.

Signed-off-by: Matt Heon <mheon@redhat.com>
2023-03-15 14:45:18 -04:00
0f8530b1ee Remove test for pod/container name global uniqueness
We're removing this constraint from the database, so we should
not be verifying it in CI anymore.

Signed-off-by: Matt Heon <mheon@redhat.com>
2023-03-15 14:44:47 -04:00
6e0f11da5d Improve handling of existing container names in SQLite
Return more sensible errors than SQLite's embedded constraint
failure ones. Should fix a number of integration tests.

Signed-off-by: Matt Heon <mheon@redhat.com>
2023-03-15 14:44:47 -04:00
39fd9aa084 Add SQLite job to CI
Signed-off-by: Matt Heon <mheon@redhat.com>
2023-03-15 14:44:47 -04:00
990f4328b6 Merge pull request #17797 from containers/dependabot/go_modules/test/tools/github.com/vbatts/git-validation-1.2.0
build(deps): bump github.com/vbatts/git-validation from 1.1.0 to 1.2.0 in /test/tools
2023-03-15 12:13:44 -04:00
2718f54a29 Merge pull request #17729 from rhatdan/selinux
Support running nested SELinux container separation
2023-03-15 12:07:03 -04:00
41caa57df4 Merge pull request #17771 from vrothberg/fix-17665
events: no duplicates when streaming during a log rotation
2023-03-15 09:58:34 -04:00
2147e0b95d Merge pull request #17793 from m-czernek/patch-1
[CI:DOCS] fix: Document removing anonymous volumes
2023-03-15 09:08:31 -04:00
2b4a27719c build(deps): bump github.com/vbatts/git-validation in /test/tools
Bumps [github.com/vbatts/git-validation](https://github.com/vbatts/git-validation) from 1.1.0 to 1.2.0.
- [Release notes](https://github.com/vbatts/git-validation/releases)
- [Commits](https://github.com/vbatts/git-validation/compare/v1.1.0...v1.2.0)

---
updated-dependencies:
- dependency-name: github.com/vbatts/git-validation
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-15 13:00:58 +00:00
ea2a0767ac fix: Document removing anonymous volumes
Signed-off-by: Marek Czernek <mczernek@redhat.com>
2023-03-15 10:35:21 +01:00
408e764b94 events: no duplicates when streaming during a log rotation
When streaming events, prevent returning duplicates after a log rotation
by marking a beginning and an end for rotated events.  Before starting to
stream, get a timestamp while holding the event lock.  The timestamp
allows for detecting whether a rotation event happened while reading the
log file and to skip all events between the begin and end rotation
event.

In an ideal scenario, we could detect rotated events by enforcing a
chronological order when reading and skip those detected to not be more
recent than the last read event.  However, events are not always
_written_ in chronological order.  While this can be changed, existing
event files could not be read correctly anymore.

Fixes: #17665
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-03-15 10:28:16 +01:00
68bf49799d Merge pull request #17786 from Luap99/mac-helper-error
podman-mac-helper: exit 1 on error
2023-03-14 18:21:33 -04:00
f8f5f3cec6 Merge pull request #17781 from Luap99/trace-hijack
system service --log-level=trace: support hijack
2023-03-14 17:48:49 -04:00
a4537347c3 Merge pull request #17772 from vrothberg/unhide-events-stream
podman events: unhide --stream
2023-03-14 17:45:57 -04:00
bae07b6ea2 podman-mac-helper: exit 1 on error
We should return a proper exit code to signal the failure.

[NO NEW TESTS NEEDED] We do have any tests on macOS.

Fixes #17785

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-03-14 17:56:22 +01:00
998acd760f Merge pull request #17707 from Luap99/wait-for-port
test/system: fix wait_for_port() to wait for bind
2023-03-14 12:35:58 -04:00
08cd180abc Merge pull request #17736 from giuseppe/no-private-cgroupns-systemd
cgroupns: private cgroupns on cgroupv1 breaks --systemd
2023-03-14 11:33:24 -04:00
1a8a5bc04c Merge pull request #17758 from edsantiago/bud_rootless_remote
bud tests: rootless remote: use correct socket path
2023-03-14 10:26:57 -04:00
6025103196 Merge pull request #17759 from sbrivio-rh/pasta
Revert "pasta: Use two connections instead of three in TCP range forward tests"
2023-03-14 10:00:02 -04:00
c4c0793d21 Merge pull request #17770 from vrothberg/debug-17607
auto update system tests: help debug #17607
2023-03-14 09:46:51 -04:00
7d8d3e810f system service --log-level=trace: support hijack
When the service is running with trace log level it wraps the
`http.ResponseWriter` to log extra information. The problem is that the
new type does not keep all the functions from the embedded type.
Instead we have to implement them ourselves, however only Write() was
implemented. Thus `Hijack()` could not be called on the writer. To
prevent these issues we would implement all the interfaces that the
inner type supports (Header, WriteHeader, Flush, Hijack).

Fixes #17749

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-03-14 14:33:52 +01:00
eed389508e test/system: fix wait_for_port() to wait for bind
The goal of the wait_for_port() function is to return when the port is
bound. This is to make sure we wait for application startup time.
This can be seen in some comments of the callers.

Commit 7e3d04fb caused this regression while reworking the logic to read
ports from /proc. It doesn't seem to cause problems in CI, properly
because the function returns before the port is bound.
I have not seen any flakes related to this but I only see the ones on
PRs where I rerun tests so it is best to wait for Ed to take a look.

Also fixes the broken ipv4_to_procfs() which only passes one argument to
__ipv4_to_procfs(), this results in the ipv4 not being inverted.
Therefore all bind checks against a direct ipv4 did not work.
This function accepts only an ipv4 but one caller passes localhost
which is invalid.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-03-14 14:24:04 +01:00
2d1f4a8bff cgroupns: private cgroupns on cgroupv1 breaks --systemd
On cgroup v1 we need to mount only the systemd named hierarchy as
writeable, so we configure the OCI runtime to mount /sys/fs/cgroup as
read-only and on top of that bind mount /sys/fs/cgroup/systemd.

But when we use a private cgroupns, we cannot do that since we don't
know the final cgroup path.

Also, do not override the mount if there is already one for
/sys/fs/cgroup/systemd.

Closes: https://github.com/containers/podman/issues/17727

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2023-03-14 12:34:52 +01:00
01fd5bcc30 libpod: remove error stutter
the error is already clear.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2023-03-14 12:34:52 +01:00
4562e61d20 podman events: unhide --stream
The --stream flag is being used extensively in the tests and some blog
posts refer to it which has been causing some confusion on why the flag
was hidden.  I do not see a good reason to hide it anymore, so unhide it
and add some docs.

[NO NEW TESTS NEEDED] as it's already being tested.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-03-14 11:26:50 +01:00
7a7af735ad test/system/255-auto-update.bats: multiple services
Wait for all generated services to be ready to be sure we can iron out
race conditions.  Also disable rollbacks to make sure we can analyze
the error if restarting a service fails.  This information may be
crucial to understand the flakes on Debian as tracked in #17607.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-03-14 10:30:32 +01:00
40d0d233eb 255-auto-update.bats: turn off rollback where needed
To help debug #17607, turn off rollbacks for tests that do not require
rollbacks.  Errors when restarting the systemd units are then not
suppressed but returned which should give us more information about what
is going on the Debian systems.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-03-14 10:16:59 +01:00
a9d70e9fe2 Use append() to add elements to a slice
The code was not using append() to add items to a slice.

Accessing non allocated elements of the slice failed with:

$ podman container restore -l
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/containers/podman/v4/pkg/domain/infra/abi.(*ContainerEngine).ContainerRestore(0xc00051a8b8, {0x1dbced0, 0xc0000440d0}, {0x2a31b30, 0x0, 0x0}, {0x0, 0x0, 0x0, 0x0, ...})
	/share/go/src/github.com/containers/podman/pkg/domain/infra/abi/containers.go:676 +0x39c
github.com/containers/podman/v4/cmd/podman/containers.restore(0x28fb6c0?, {0xc0002c9080, 0x0, 0x1?})
	/share/go/src/github.com/containers/podman/cmd/podman/containers/restore.go:171 +0x4ef
github.com/spf13/cobra.(*Command).execute(0x28fb6c0, {0xc0000400b0, 0x1, 0x1})
	/share/go/src/github.com/containers/podman/vendor/github.com/spf13/cobra/command.go:916 +0x862
github.com/spf13/cobra.(*Command).ExecuteC(0x291ab00)
	/share/go/src/github.com/containers/podman/vendor/github.com/spf13/cobra/command.go:1044 +0x3bd
github.com/spf13/cobra.(*Command).Execute(...)
	/share/go/src/github.com/containers/podman/vendor/github.com/spf13/cobra/command.go:968
github.com/spf13/cobra.(*Command).ExecuteContext(...)
	/share/go/src/github.com/containers/podman/vendor/github.com/spf13/cobra/command.go:961
main.Execute()
	/share/go/src/github.com/containers/podman/cmd/podman/root.go:107 +0xcc
main.main()
	/share/go/src/github.com/containers/podman/cmd/podman/main.go:41 +0x7c

[NO NEW TESTS NEEDED]

Signed-off-by: Adrian Reber <areber@redhat.com>
2023-03-14 08:29:46 +00:00
1c08f2edac Revert "pasta: Use two connections instead of three in TCP range forward tests"
This reverts commit e33f4e0bc7429038ba6aa82285ae8749c9037c88, going
back to three connections (not two) for each range in TCP tests. I'm
not sure yet what caused the original issue, but it might be fixed
now. If it does, this fixes #17287.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-03-13 20:40:15 +01:00
519cfa81f6 Merge pull request #17739 from giuseppe/reenable-test
test: reenable idmap test
2023-03-13 15:22:27 -04:00
ad8a96ab95 Support running nested SELinux container separation
Currently Podman prevents SELinux container separation,
when running within a container. This PR adds a new
--security-opt label=nested

When setting this option, Podman unmasks and mounts
/sys/fs/selinux into the containers making /sys/fs/selinux
fully exposed. Secondly Podman sets the attribute
run.oci.mount_context_type=rootcontext

This attribute tells crun to mount volumes with rootcontext=MOUNTLABEL
as opposed to context=MOUNTLABEL.

With these two settings Podman inside the container is allowed to set
its own SELinux labels on tmpfs file systems mounted into its parent's
container, while still being confined by SELinux. Thus you can have
nested SELinux labeling inside of a container.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-03-13 14:21:12 -04:00
159936a114 bud tests: rootless remote: use correct socket path
Another followup to #17608. Nightly tests were hanging,
because /run/podman/podman.sock was hardcoded (bad idea
for rootless). Poor testing on my part.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-03-13 10:59:38 -06:00
3920799553 Merge pull request #17581 from vrothberg/fix-17571
compat: /auth: parse server address correctly
2023-03-13 11:13:40 -04:00
bad41f67e7 compat: /auth: parse server address correctly
Use `auth.Login` as `podman login` does which parses and normalizes the
input addresses correctly, especially for docker.io.

[NO NEW TESTS NEEDED] as we do not have means to test logging into
docker.io in CI.

Fixes: #17571
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-03-13 13:41:49 +01:00
5cb18a9f47 Merge pull request #17747 from Heniker/main
[CI:DOCS] fix cmd `set DOCKER_HOST` suggestion
2023-03-13 05:24:15 -04:00
6363fb08f2 docs: fix cmd set DOCKER_HOST suggestion
Signed-off-by: Heniker <Heniker@mail.ru>
2023-03-13 08:11:45 +03:00