Since mountStorage and createNetNS run in parallel, the directory file
descriptors used by mountStorage were (rarely) propagated to the CNI
plugins. On FreeBSD, the CNI bridge plugin needs to make changes to the
network jail. This fails if there are any descriptors to open directories
to protect against host directories being visible to the jail's chroot.
Adding O_CLOEXEC to the unix.Open call in openDirectory ensures that these
descriptors are not visible to podman's child processes.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
I found the ginkgolinter[1] by accident, this looks for not optimal
matching and suggest how to do it better.
Overall these fixes seem to be all correct and they will give much
better error messages when something fails.
Check out the repo to see what the linter reports.
[1] https://github.com/nunnatsa/ginkgolinter
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
- move the ginkgo deps into test/tools which is more consitent with the
other tools there, listing in dependencies always causes errors with
linters
- do not install it globally on the system, instead we use it in a
subdir of this project
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This change adds a validate-in-container make target that can be used to run
the make validate target in a container instead of requiring the dependencies
to be available on the system. This mirrors what is already done for the vendor
target and allows additional targets to be added.
A PODMANCMD make variable is also added to allow for the podman binary to be
overridden in cases where this is not available.
Signed-off-by: Evan Lezar <elezar@nvidia.com>
When restarting a container, clean up the healthcheck state by removing
the old log on disk. Carrying over the old state can lead to various
issues, for instance, in a wrong failing streak and hence wrong
behaviour after the restart.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2144754
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
honor eventual options set in the containers.userns setting in the
containers.conf file, e.g.:
[containers]
userns = "auto:size=8192"
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Quadlet was doing some custom handling of uid/gid remapping, originating
from pre --userns=auto support, including its own user for getting subuids
which kinda conflicts with the "container" user used for that.
This drops all the old support for id remapping in favour of a new set
of keys that more directly map to the podman run options.
We have essentially 3 modes now:
```
RemapUsers=manual
RemapUid=0:10000:10
RemapUid=10:20000:10
RemapGid=0:10000:10
RemapGid=10:20000:10
```
This maps to --uidmap and --gidmap options.
```
RemapUsers=auto
```
This maps to --userns=auto. But you can additionally specify RemapUid,
RemapGid and RemapUidSize which gets applied as options to the
--userns podman option.
```
RemapUsers=keep-id
```
This maps to --userns=keep-id and only works for user units.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
The checkout action by default, clones the current repository. However,
since this workflow is re-used by other repos, and it calls scripts in
the podman repo, those calls will all fail. Fix this by hard-coding the
podman repo.
Ref: https://github.com/actions/checkout
Signed-off-by: Chris Evich <cevich@redhat.com>
The 900-ssh test is not an actual test, and I'm unable to
figure out how to make it one. Skip it for now, but add a
bunch of FIXMEs some someone can come in later and actually
implement it.
Also removed lots of dead code and misleading comments.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Depending on the backend (CNI, netavark) we support different drivers,
the auto completion should only suggest the ones that are available.
This list is podman info so we can get the correct list for local and
remote.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Some error reporting logic got lost from (*Container).prepare during the
port. This adds the missing logic, similar to the Linux version.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
The current test uses registry.redhat.io which does not support unauthenticated access
Replace the registry with registry.access.redhat.com which does
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
