`--format json` should not be the same as `--format {{json .}}`, the
later should actually run through the go template and thus create one
json object per entry instead of an json array.
Includes a vendor of c/common@main since it requires a fix from there as
well.
This matches docker compat.
Fixes#16436
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
`podman-remote` does not support `--events-backend`, which overrides a
log driver. When `--events-backend` is necessary in a test for
`podman-remote`, the test should be skipped.
We don't need to fix the other cases with
`_additional_events_backend()` because `_log_test_follow()` already has
the same skipping logic and `_log_test_multi()` always skips a test when
testing `podman-remote`.
Signed-off-by: Hironori Shiina <shiina.hironori@fujitsu.com>
Up - do not fail if volume already exists, use the existing one
Down - allow the user to remove the volume by passing --force
Add tests
Update the documentation
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
When we are using a proxy, 'podman build - basic test'
will be failed on remote.
This test needs to add the '--http-proxy' option.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
_test_skopeo_credential_sharing() used port_is_free() to check if a
port has no active listeners. With the new implementation, this is
not equivalent anymore: a port might be in TIME_WAIT, so it's not
free, but the listener might be long gone.
Add tcp_port_probe() to check if there's an active listener on a
given port, and use it in _test_skopeo_credential_sharing().
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
These tests should cover all the basic networking functionality with
pasta(1). Namely, they check:
- IPv4 and IPv6 addressing and routing settings
- TCP and UDP port forwarding over IPv4 and IPv6
- data transfers and ICMP/ICMPv6 echo requests
- the (exceedingly simple) lifecycle handling
These tests need some new helpers, to obtain IPv4 and IPv4 addresses
and routes, as well as MTU and interface names. Those use jq(1) for
parsing.
Some availability checks are implemented as well, to skip tests if
pasta(1) is not available, or if IPv4 and IPv6 are not usable.
To get consistent outcomes across distributions, and to enable
uncomplicated termination for UDP tests based on zero-sized packets,
use socat(1), which, unlike netcat, doesn't suffer from option
inconsistencies depending on flavours (traditional, BSD, NMAP) and
versions.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
The main helpers.bash file is rather bloated and it's difficult to
find stuff there. Move networking functions to their own helper
file.
While at it, apply a consistent style, and rearrange logically
related functions into sections.
Suggested-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Using bash /dev/tcp/ pseudo-device files to probe for bound ports has
indeed the advantage of simplicity, but comes with a few drawbacks:
- it will actually send data to unsuspecting services that might be
running in the same network namespace as the tests, possibly
causing unwanted interactions
- it doesn't allow for UDP probing
- it makes it impossible to clearly distinguish between different
address bindings
Replace that approach with a new helper, port_is_bound(), that uses
procfs entries at /proc/net to detect bound ports, without the need
for active probing.
We can now implement optional parameters in callers, to check if a
port if free for binding to a given address, including any IPv4
(0.0.0.0) or any IPv6 (::0) address, and for a given protocol, TCP
or UDP.
Extend random_free_port() and random_free_port_range() to support
that.
The implementation of one function in the file
test/system/helpers.bash, namely ipv6_to_procfs(), and the
implementation of the corresponding own test, delimited by the
markers "# BEGIN ipv6_to_procfs" and "# END ipv6_to_procfs" in the
file test/system/helpers.c was provided, on the public forum at:
https://github.com/containers/podman/pull/16141
by Ed Santiago <santiago@redhat.com>, who expressly invited me to
include them in this code submission.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Currently, wait_for_port() duplicates the check logic implemented by
port_is_free().
Add an optional argument to port_is_free(), representing the bound
address to check, and call it, dropping the direct check in
wait_for_port().
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Conceptually equivalent to networking by means of slirp4netns(1),
with a few practical differences:
- pasta(1) forks to background once networking is configured in the
namespace and quits on its own once the namespace is deleted:
file descriptor synchronisation and PID tracking are not needed
- port forwarding is configured via command line options at start-up,
instead of an API socket: this is taken care of right away as we're
about to start pasta
- there's no need for further selection of port forwarding modes:
pasta behaves similarly to containers-rootlessport for local binds
(splice() instead of read()/write() pairs, without L2-L4
translation), and keeps the original source address for non-local
connections like slirp4netns does
- IPv6 is not an experimental feature, and enabled by default. IPv6
port forwarding is supported
- by default, addresses and routes are copied from the host, that is,
container users will see the same IP address and routes as if they
were in the init namespace context. The interface name is also
sourced from the host upstream interface with the first default
route in the routing table. This is also configurable as documented
- sandboxing and seccomp(2) policies cannot be disabled
- only rootless mode is supported.
See https://passt.top for more details about pasta.
Also add a link to the maintained build of pasta(1) manual as valid
in the man page cross-reference checks: that's where the man page
for the latest build actually is -- it's not on Github and it doesn't
match any existing pattern, so add it explicitly.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
It looks like #16132 was my fault: a missing 'wait' for a container
to exit. Let's see if this fixes the flake.
And, while poking through flake logs, I found another missing wait.
And... in wait_for_output(), address a potential race.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This one has been a thorn in my side: it's a podman-log issue,
but not remote, so I _almost_ retitled #16132 (removing "remote").
Nope, it's a bug in the tests themselves. One solution would be to
podman-wait, but I see no reason for logs to be involved, so I
went with podman start -a instead. This removes the k8s-log stuff
which is no longer necessary. Cleanup all around.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Check for the directory /run/systemd/system, this is described in
sd_booted(3). Reading /proc/1/comm will fail when /proc is mounted
with the `hidepid=2` option.
[NO NEW TESTS NEEDED]
Fixes#16022
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Lack of proper testing possibility for github actions and lack of
script-testing by me, allowed several flaws through into 'main'. Fix
the problems and manually test the scripts to make sure they're working.
Note: Also revert the stupid SHA-based action-pinning back to normal,
human-readable version numbers. The value of using SHAs in the name of
improved "security" is real, but the value of human-readability and
ease of maintenance is greater.
Signed-off-by: Chris Evich <cevich@redhat.com>
There is no equivalent equivalent on FreeBSD and this causes lint
failures when packaging.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
