When we execute ps(1) in the container and the container uses a userns
with a different id mapping the user id field will be wrong.
To fix this we must join the userns in such case.
Fixes#22293
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The docker API uses only a single arg for platform and multiple
platforms are given as comma separated list.
Fixes#22071
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This subpackage will fetch dependencies for podman machine and create a
symlink /usr/libexecdir/podman/virtiofsd -> ../virtiofsd .
Co-authored-by: Colin Walters <walters@verbum.org>
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Two tests are skipped for a long time because they flaked to much,
nobody cares about them and there are only debugging endpoints mostly so
it is not critical either.
The "of 2 seconds" tests isn't useful either. It waits up to 30s for the
exit so it doesn't actually verify a proper timeout. Additionally we
have similar checks in the system tests "podman system service -
CORS enabled in logs" so I consider this safe to remove.
Fixes#12624
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The current timeout was not long enough. Systemd default is 90s so we
should wait for at least that long. Also it really doesn't make sense to
throw an error we saying we failed waiting for stop. We should hard
terminate the VM in case a graceful shutdown did not happen.
Fixes#22515
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Two enormous misunderstandings:
1) $CIRRUS_BASE_SHA is worthless. I thought it was, you know,
the BASE SHA of the current commit, but (as best I can tell)
it seems to be the SHA of the most recent commit on the
destination branch. Cirrus docs are unhelpful. Anyhow,
it's clearly not anything useful. Stop using it.
2) $EPOCH_TEST_COMMIT is closer to what we want. It is
defined in Makefile as the git merge-base. But for unknown
reasons it was being clobbered in CI scripts, and it
doesn't seem to work in all contexts, so, eliminate it
from CI setup scripts. Leave it only in Makefile.
This leaves us with no option other than defining our own
merge-base variable, PR_BASE_SHA. Do so and pass it along
to rootless jobs.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add some test steps into quadlet - ContainerName. These steps are
used to ensure the default configuration for quadlets generated
service files is sending stdout/stderr/syslog to the journald.
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
The restore code path never called completeNetworkSetup() and this means
that hosts/resolv.conf files were not populated. This fix is simply to
call this function. There is a big catch here. Technically this is
suposed to be called after the container is created but before it is
started. There is no such thing for restore, the container runs right
away. This means that if we do the call afterwards there is a short
interval where the file is still empty. Thus I decided to call it
before which makes it not working with PostConfigureNetNS (userns) but
as this does not work anyway today so I don't see it as problem.
Fixes#22901
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The pod was set after we checked the namespace and the namespace code
only checked the --pod flag but didn't consider --pod-id-file option.
As such fix the check to first set the pod option on the spec then use
that for the namespace. Also make sure we always use an empty default
otherwise it would be impossible in the backend to know if a user
requested a specific userns or not, i.e. even in case of a set
PODMAN_USERNS env a container should still get the userns from the pod
and not use the var in this case. Therefore unset it from the default
cli value.
There are more issues here around --pod-id-file and cli validation that
does not consider the option as conflicting with --userns like --pod
does but I decided to fix the bug at hand and don't try to fix the
entire mess which most likely would take days.
Fixes#22931
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Extend Makefile and package.sh to download, sign and bundle krunkit and
its dependencies into the package.
Signed-off-by: Sergio Lopez <slp@redhat.com>
Do not return 200 status code before we know if there will be an error.
Delay writing the status code until we send the first response. That way
we can set an error code inside the loop when we get a error on the
first try, i.e. because an invalid descriptor was used.
Fixes#22986
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When we failed to do anything we should return 500, the 409 code has a
special meaing to the client as it uses a different error format. As
such the remote client was not able to unmarshal the error correctly and
just returned an empty string.
Fixes#22989
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Stop copying the pre-pulled uncompressed machine disk into the individual test dir. The machine pull code already makes a copy of the disk into the test's HOMEDIR/.local/share/containers/podman/machine, and works off that copy.
Before the change: TESTDIR/<image> is copied to TESTDIR/podman_test/<image> by the test, and then podman machine copies the image to TESTDIR/podman_test/.local/share/containers/podman/machine/provider/<image>
After the change: TESTDIR/<image> is copied to TESTDIR/podman_test/.local/share/containers/podman/machine/provider/<image> by podman machine
The image that is actually run is at TESTDIR/podman_test/.local/share/containers/podman/machine/provider/<image> in both instances.
Signed-off-by: Ashley Cui <acui@redhat.com>
if the current user is not mapped into the new user namespace, use an
intermediate mount to allow the mount point to be accessible instead
of opening up all the parent directories for the mountpoint.
Closes: https://github.com/containers/podman/issues/23028
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
with the new mount API is available, the OCI runtime doesn't require
that each parent directory for a bind mount must be accessible.
Instead it is opened in the initial user namespace and passed down to
the container init process.
This requires that the kernel supports the new mount API and that the
OCI runtime uses it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
With (esp. Debian) CI VM images built by
https://github.com/containers/automation_images/ pull/338 CI no-longer
tests with runc nor cgroups v1. Add logic to fail under these
conditions. Prune back high-level YAML/script envars and logic formerly
required to support these things.
Signed-off-by: Chris Evich <cevich@redhat.com>
When a user specifies a invalid connection in CONTAINER_CONNECTION then
podman should return a proper error saying so. Currently it ignored the
error and in rootFlags() just exited early with defining any flags. This
caused a panic then when trying to use the flags later.
In order to address this first store the connection error in the
PodmanConfig struct and not abort right away during flag setup. This is
important as the user might have specified a flag with a valid remote
connection. As such we check all flags and only when none were given we
return the connection error.
Also while at it I noticed that the default connection reported via
podman --help was wrong as it only used the old containers.conf field
for it and did not consider the podman-connections.json default.
New regression tests have been added to make sure it behaves correctly.
This fixes the problem reported in the PR #22997.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
