21024 Commits

Author SHA1 Message Date
5af152ec29 Merge pull request #20874 from mheon/eval_symlinks_on_db_paths
Handle symlinks when checking DB vs runtime configs
2023-12-03 11:50:03 +00:00
f384bdf66b Handle symlinks when checking DB vs runtime configs
When Podman starts, it checks a number of critical runtime paths
against stored values in the database to make sure that existing
containers are not broken by a configuration change. We recently
made some changes to this logic to make our handling of some
options more sane (StaticDir in particular was set based on other
passed options in a way that was not particularly sane) which has
made the logic more sensitive to paths with symlinks. As a simple
fix, handle symlinks properly in our DB vs runtime comparisons.

The BoltDB bits are uglier because very, very old Podman versions
sometimes did not stuff a proper value in the database and
instead used the empty string. SQLite is new enough that we don't
have to worry about such things.

Fixes #20872

Signed-off-by: Matt Heon <mheon@redhat.com>
2023-12-02 15:48:47 -05:00
bc124dd13f Merge pull request #20819 from cgiradkar/20752_farm_flag_move
Move the --farm flag to farm build command
2023-12-01 21:12:38 +00:00
c47962802a Merge pull request #20657 from nalind/commit-config
RHEL-14922: accept a config blob alongside the "changes" slice when committing
2023-12-01 21:09:23 +00:00
5364fbd7e4 Merge pull request #20869 from dfr/freebsd-hostname
libpod: Detect whether we have a private UTS namespace on FreeBSD
2023-12-01 17:21:09 +00:00
3b03e85471 Merge pull request #20789 from umohnani8/healthcheck
Don't update health check status during initialDelaySeconds
2023-12-01 13:12:50 +00:00
45e53ed7b0 libpod: Detect whether we have a private UTS namespace on FreeBSD
Right now, we always use a private UTS namespace on FreeBSD. This should
be made optional but implementing that cleanly needs a FreeBSD extension
to the OCI runtime config. The process for that is starting
(https://github.com/opencontainers/tob/pull/133) but in the meantime,
assume that the UTS namespace is private on FreeBSD.

This moves the Linux-specific namespace logic to
container_internal_linux.go and adds a FreeBSD stub.

[NO NEW TESTS NEEDED]

Signed-off-by: Doug Rabson <dfr@rabson.org>
2023-12-01 12:37:39 +00:00
d3d9293b2a Merge pull request #20831 from Luap99/remote-exec-rm
fix podman-remote exec regression with v4.8
2023-12-01 09:59:21 +00:00
500da5ecc9 Merge pull request #20848 from edsantiago/safer_defer
deferred test failures: handle a corner case
2023-12-01 09:56:52 +00:00
b05755b0a8 Merge pull request #20742 from containers/renovate/common-image-and-storage-deps
fix(deps): update common, image, and storage deps
2023-12-01 00:03:50 +00:00
9b2529e0d7 Merge pull request #20833 from sanmai-NL/patch-1
Set `BUILDAH_ISOLATION=chroot` within Podman Containerfile
2023-11-30 22:26:41 +00:00
c1eea91a01 fix(deps): update common, image, and storage deps
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-11-30 14:48:27 +00:00
31df9c237e Move the --farm flag to farm build command
The option `farm`, which is used to specify the farm to be used, is moved to the farm build command from the farm command.

closes #20752

Signed-off-by: Chetan Giradkar <cgiradka@redhat.com>
2023-11-30 14:27:06 +00:00
fa0aa91132 @@option volume.image: be specific that -v only affects RUN
Be specific that the `-v` flag only affects RUN instructions.  The
previous wording left it ambiguous, and people might have concluded that
it applied to ADD and COPY as well.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2023-11-30 09:05:33 -05:00
426db6fcc1 Accept a config blob alongside the "changes" slice when committing
When committing containers to create new images, accept a container
config blob being passed in the body of the API request by adding a
Config field to our API structures.  Populate it from the body of
requests that we receive, and use its contents as the body of requests
that we make.

Make the libpod commit endpoint split changes values at newlines, just
like the compat endpoint does.

Pass both the config blob and the "changes" slice to buildah's Commit()
API, so that it can handle cases where they overlap or conflict.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2023-11-30 09:00:52 -05:00
e197cf57da container create: use ParseUserNamespace to parse a user namespace setting
Use ParseUserNamespace instead of ParseNamespace to parse a passed-in
user namespace setting.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2023-11-30 09:00:52 -05:00
f2f7d60741 Merge pull request #20841 from ashley-cui/wsldeadlock
Fix locking error in WSL machine rm -f
2023-11-30 14:00:35 +00:00
f95dd21d5d deferred test failures: handle a corner case
Followup to #20797 (defer assertion failures). The bail-now()
helper was being defined only in setup() ... and some tests,
particularly 001-basic.bats, define their own minimalist setup().

Symptom was "bail-now: command not found", which still caused
test to fail (so no failures were hidden) but led to concern
and wasted time when analyzing failures.

Solution: add one more definition of bail-now(), in outer scope.

There is still one pathological case I'm not addressing: a
bats file that defines its own teardown() which does not invoke
basic_teardown(), then has a test that runs defer-assertion-failures
without a followup immediate-assertion-failures. This would lead
to failures that are never seen. Since teardown() without basic_teardown()
is invalid, I choose not to worry about this case.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-11-30 06:33:46 -07:00
6b9221d852 Merge pull request #20837 from dfr/freebsd-vnet
libpod: Allow using just one jail per container on FreeBSD
2023-11-30 08:38:20 +00:00
572a7692e3 Merge pull request #20828 from alexlarsson/quadlet-snippets
quadlet: Support systemd style dropin files
2023-11-29 23:24:33 +00:00
385f8526b3 Merge pull request #20834 from edsantiago/gating_fixes
Gating test fixes
2023-11-29 23:10:50 +00:00
ea549c9163 Merge pull request #20836 from ashley-cui/vendor
Vendor c/common
2023-11-29 23:02:34 +00:00
42ea211211 Fix locking error in WSL machine rm -f
Fixed a bug where `podman machine rm -f` would cause a deadlock when
running with WSL.

The deadlock is caused by the Remove() function calling the Stop()
function after Remove() locks the VM. Stop() also has a lock call, which
fails and deadlocks because Remove() already claimed the lock. Fix this by
moving the stop call before the lock.

[NO NEW TESTS NEEDED]

Signed-off-by: Ashley Cui <acui@redhat.com>
2023-11-29 16:28:59 -05:00
5da1790a28 Merge pull request #20838 from Luap99/sqlite-timeout
sqlite: set busy timeout to 100s
2023-11-29 19:21:12 +00:00
5b3d82f9bc sqlite: set busy timeout to 100s
Only one process can write to the sqlite db at the same time, if another
process tries to use it at that time it fails and a database is locked
error is returned. If this happens sqlite should keep retrying until it
can write. To do that we can just set the _busy_timeout option. A 100s
timeout should be enough even on slower systems but not too much in case
there is a deadlock so it still returns in a reasonable time.

[NO NEW TESTS NEEDED] I think we strongly need to consider some form of
parallel stress testing to catch bugs like this.

Fixes #20809

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-11-29 18:07:29 +01:00
d4ac2f3dd5 libpod: Allow using just one jail per container on FreeBSD
In FreeBSD-14.0, it is possible to configure a jail's network settings
from outside the jail using ifconfig and route's new '-j' option. This
removes the need for a separate jail to own the container's vnet.

[NO NEW TESTS NEEDED]

Signed-off-by: Doug Rabson <dfr@rabson.org>
2023-11-29 16:18:34 +00:00
55373dcce0 Vendor c/common
Vendor c/common@main

Signed-off-by: Ashley Cui <acui@redhat.com>
2023-11-29 10:17:54 -05:00
3e70415089 Gating test fixes
Two newly-added tests fail in gating:
 - system connection: difference in how sockets are set up
   between CI and gating
 - ulimit: gating seems to run with ulimit -c -H 0. Check, and
   skip if ulimit is less than what we need

Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-11-29 07:51:43 -07:00
86296ff8da pkg/bindings: add new APIVersionError error type
When a new API call is added to the bindings we should guard it based on
the version and throw a useful error. Right now an old server that does
not implement a given endpoint would throw a "NOT FOUND" error which is
not good for callers.

Instead implement a custom error type to give a useful error instead.
This allows bindings users to call errors.As() to know if they call a
too old version.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-11-29 15:31:42 +01:00
a5d11f4041 Set BUILDAH_ISOLATION=chroot within Podman containers
See: https://developers.redhat.com/blog/2019/08/14/best-practices-for-running-buildah-in-a-container

See: 06c41b614d/docs/source/markdown/options/isolation.md

Signed-off-by: Sander Maijers <3374183+sanmai-NL@users.noreply.github.com>
2023-11-29 14:45:21 +01:00
f35d1c1c25 Don't update health check status during initialDelaySeconds
When InitialDelaySeconds in the kube yaml is set for a healthcheck,
don't update the healthcheck status till those initial delay seconds are over.
We were waiting to update for a failing healthcheck, but when the healthcheck
was successful during the initial delay time, the status was being updated as healthy
immediately.
This is misleading to the users wondering why their healthcheck takes
much longer to fail for a failing case while it is quick to succeed for
a healthy case. It also doesn't match what the k8s InitialDelaySeconds
does. This change is only for kube play, podman healthcheck run is
unaffected.

Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
2023-11-29 08:37:39 -05:00
8ee2622028 quadlet: Support systemd style dropin files
For a source file like `foo.container`, look for drop-ins named
`foo.container.d/*.conf` and merge them into the main file.  The
dropins are applied in alphabetical order, and files in earlier
directories override later files with the same name.

This is similar to how systemd dropins work, see:
https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html

Also adds some tests for these.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
2023-11-29 13:46:52 +01:00
93bcd2a25d fix podman-remote exec regression with v4.8
Commit f48a706abc added a new API endpoint to remove exec session
correctly. And the bindings try to call that endpoint for exec every
time. Now since client and server must not be the same version this
causes a problem if a new 4.8 client calls an older 4.7 server as it has
no idea about such endpoint and throws an ugly error. This is a common
scenario for podman machine setups.

The client does know the server version so it should make sure to not
call such endpoint if the server is older than 4.8.

I added an exec test to the machine tests as this can be reproduced with
podman machine as at the moment at least the VM image does not contain
podman 4.8. And it should at least make sure podman exec keeps working
for podman machine without regressions.

Fixes #20821

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-11-29 13:22:46 +01:00
06c41b614d Merge pull request #20595 from containers/renovate/github.com-gorilla-schema-1.x
fix(deps): update module github.com/gorilla/schema to v1.2.1
2023-11-29 12:06:38 +00:00
e0a524f630 Merge pull request #20823 from nalind/close-that-readcloser
utils: close a couple of ReadClosers
2023-11-29 02:18:06 +00:00
d6fefe0ba7 Merge pull request #20822 from mtrmac/chown-cleanup
Fix transferring data using tar
2023-11-29 02:15:17 +00:00
6d9d8f06ce Merge pull request #20517 from rhatdan/mask
Get masked paths and readonly masked patchs from containers/common @rhatdan
2023-11-29 02:12:37 +00:00
828ef9e174 Merge pull request #20817 from eriksjolund/fix-markdown-bugs
[CI:DOCS] Fix markdown bugs
2023-11-29 02:09:43 +00:00
e14d095243 Merge pull request #20794 from eriksjolund/document-sometimes-slow-native-overlayfs
[CI:DOCS] performance: document sometimes slow native overlayfs
2023-11-29 01:22:57 +00:00
5ab4513b26 Merge pull request #20798 from n1hility/fix-user-mode-disable
Fix wsl.conf generation when user-mode-networking is disabled
2023-11-29 01:20:12 +00:00
21951e2376 Merge pull request #20799 from edsantiago/symlink-mounts
[systests] podman mount no-dereference: complete rewrite
2023-11-29 01:14:48 +00:00
cf1ad300bb utils: close a couple of ReadClosers
utils.Tar() and utils.TarWithChroot() both return ReadClosers, but when
we called them from utils.TarToFilesystem() and utils.TarChrootToFilesystem()
respectively, they were not being closed.

[NO NEW TESTS NEEDED]

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2023-11-28 15:48:00 -05:00
4314b1c344 Fix transferring data using tar
Instead of relying on the remote server to create tar files
with the right account IDs (which the remote server doesn't
even know, when the client and server run under different accounts),
have the remote client ignore the account IDs when unpacking.

Then just hard-code 0 in the remote server, so that the remote
server's account identity does not leak in the tar file contents.

Compare https://github.com/containers/image/issues/1627 .

[NO NEW TESTS NEEDED] : https://github.com/containers/podman/pull/18563
suggests that existing tests already cover these code paths / properties.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2023-11-28 20:44:17 +01:00
443e779a1f Merge pull request #20804 from BlackHole1/improve-vmtype
refactor(machine): improve machine marker value
2023-11-28 19:12:51 +00:00
7b4d6a295e [CI:DOCS] Fix markdown bugs
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2023-11-28 17:28:08 +01:00
83c08a2f5c Merge pull request #20609 from cgiradkar/19124_remove_event_fix
Set correct exitcode in remove events
2023-11-28 16:21:17 +00:00
2645f91bfe Merge pull request #20813 from Luap99/sqlite-removepodcontainers
sqlite: fix missing Commit() in RemovePodContainers()
2023-11-28 16:07:18 +00:00
9627d3043d Merge pull request #20810 from Luap99/sqlite-validate
sqlite: fix issue in ValidateDBConfig()
2023-11-28 16:04:42 +00:00
545daed1e4 Merge pull request #20762 from ygalblum/quadlet-pod
Quadlet - Add support for .pod units
2023-11-28 14:44:00 +00:00
9a120321c7 Merge pull request #20807 from giuseppe/fix-mount-tmpfs-mode
docs: drop default for tmpfs-mode
2023-11-28 14:17:25 +00:00