validate that a "podman generate" and "podman play" cycle restores the
specified user namespace.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
layers restored from a tarball won't be converted to composefs so
disable the cache when using composefs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
the condition is based on the fact that podman save|podman load
doesn't recreate the same digest, thus it would fail if the image in
the additional store was pulled with a simple "podman pull".
The same sequence of commands would fail using podman manually after a
"podman pull alpine".
Ignore the cache and use only the images that were pulled in the main
store.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The tests didn't check anything actually because default_ifname requires
an ip version argument to work. Thus pasta_iface was empty, add new
checks to prevent this kind of error again.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The test assumes that if more than 1 ip on the host we should be able to
set host.containers.internal. This however is not how the logic works in
the code. What it actually does is to check all ips in the
rootless-netns and then it knows that it cannot use any of these ips.
This includes any podman bridge ips.
You can reproduce the error when you have only one ipv4 on the host then
run a container as root in the background and run the test:
hack/bats --rootless 505:host.containers.internal
So the failure here was that there was already a podman container
running as root on the default bridge thus the test saw 2 ips but then
the rootless run also uses the same subnet for its bridge and the code
knew that ip would not work either. I could have made another special
condition in test but the better way to work around it is to create a
new network. A new network will make sure there are no conflicting
subnets assigned so the test will pass.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Continuing efforts on making system tests parallel-safe by
using unique names for containers and pods.
Signed-off-by: Ed Santiago <santiago@redhat.com>
"/my-alpine" is also being used by tests in search_test.go;
use unique names to make sure we are trying to pull the encrypted
images created in the test.
Purely to avoid doubt, this should not actually change (test) behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Two tests failing in gating but never CI; add some debug
instrumentation to make it possible to find out what
is going on
Signed-off-by: Ed Santiago <santiago@redhat.com>
These tests are flaking for unknown reasons. One problem could be ncat
did not bound the port before we connect to it. Simple fix do not use
ncat and just use the golang API to listen on the port without the
extra ncat process. This should be race free in theory.
Also do not run the nc container in the background, we want to see the
errors from the ncat process in the container.
And because both tests do the same thing deduplicate them into one that
just uses a loop to create both tests.
Fixes#23263
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Using the scanner is just unnecessary complicated an buggy as it will
not read the final line with a newline. There is also the problem that
it happens in a separate goroutine so it could loose output if we read
the array before the scanner was done.
The API accepts a Writer so we can just directly use a bytes.Buffer
which captures all output in memory without the need of another
goroutine.
This also means that now we always include the final newline in the
output. I checked with docker and they do the same so this is good.
Fixes#23332
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When the file is empty it is possible our code panics as bar.ProxyReader
returns nil when the bar is finished which is the case for 0 size as it
doesn't have to read anything from there. However as this happens on
different goroutines it is race and most of the time still works.
To fix this simply skip the progress bar setup for empty files.
While at it fix the deprecated argument in the tests.
Fixes#23281
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
nmap-ncat has been downgraded on Fedora, to 7.92.
nc -l -p PORT requires 7.95. Switch to nc -l ADDR PORT.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The end goal is making this test file parallel-safe, by:
1) Having all tests use unique names for all objects; and
2) Not doing "rm -a" or "expect ps to be empty".
This commit is not enough to make tests parallel-safe. The
rest of the changes are not relevant for now. This set of
changes is _necessary_ for parallelizing, and is _meaningful_
(good practice) for current linear-testing podman without
introducing any unnecessary cruft.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Make safename() invocations consistent within the same
test. This puts the onus on the caller to add a unique
element when calling multiple times, e.g. "ctr1-$(safename)".
This is not too much of a burden. Major benefit is making
it easy for a reader to associate containers, pods, volumes,
images within a given test.
And, use dashes, not underscores. "podman generate kube"
removes underscores, making it very difficult to do
things like "podman inspect $podname" (because we need
to generate "$podname_with_underscores_removed")
Signed-off-by: Ed Santiago <santiago@redhat.com>
Many instances. Simplify by having _write_test_yaml() define
the variable TESTYAML and make it available to callers.
Global replace, with care taken to undo any instances
where _write_test_yaml() is not invoked first.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Get rid of the last two instances of the clunky $testYaml
writing, by adding a 'volume=' arg to _write_test_yaml()
Signed-off-by: Ed Santiago <santiago@redhat.com>
Remnant from the very early days of this test file. There's
a boilerplate $testYaml string used in many tests; each
use requires three clunky lines of prep. Most of those
were not needed; we can (and now do) use _write_test_yaml()
instead.
There are still two instances that could not be fixed in
this commit. I will do those next. This commit is kept
relatively simple for ease of review.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Many system tests use hardcoded names for containers, images,
and everything. This has worked because system tests run
serially. It will not work if we ever run in parallel.
Create a new safename() helper, and use it as follows:
myctr=c_$(safename)
myvol1=v1_$(safename)
...
Find current instances of hardcoded names, and replace
with safe ones.
Whether or not we ever end up parallelizing system tests,
this is simply good practice.
There are far too many instances to fix in one (reviewable) PR.
This is commit 1 of N.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The unmount for the driver home dir is done automatically by the store
on Shutdown. Do not do the unmount from the tests cleanup.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
send a SIGTERM to the server process instead of killing it so it has
time to do a proper cleanup and don't leak the home mount.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
shutdown the containers store so that the home directory mount is not
leaked when "podman system service" exits.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Adds a `NetworkAlias=` key to both .container and .pod quadlet files,
which translates to the `--network-alias` option to `podman run` and
`podman pod create` respectively. Can be repeated multiple times.
Signed-off-by: Félix Saparelli <felix@passcod.name>
Old netavark version only supported iptables, however a new version on
th ehost might use nftables. This breaks the networking tests here as
they are not compatible and you would need to reboot to fix that.
Because this is not possible for our tests make sure we force the
iptables driver always to keep the test working.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
netavark can use iptables or nftables as firewall driver, thus if we try
to flush rules make sure we try both to keep the test working when we
switch the default to nftables.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Stop using iptables to check anything, it does not work rootless and
will no longer work with nftables which will be used in the future.
Also fix up the test that say podman run to actually use podman run and
then just check via inspect that the ports are set correctly.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit gets tests working under the new local-registry system:
* amend a few image names, mostly just sticking to a consistent
list of those images in our registry cache. Mostly minor
tag updates.
* trickier: pull_test: change some error messages, and remove
a test that's now a NOP. Basically, with a local (unprotected)
registry we always get "404 manifest unknown"; with a real
registry we'll get "403 I can't tell you".
* trickiest: seccomp_test: build our own images at run time,
with our desired labels. Until now we've been pulling
prebuilt images, but those will not copy to the local
cache registry. Something about v1? Anyhow, I gave up
trying to cache them, and the workaround is straightforward.
Also took the liberty of strengthening a few error-message checks
Signed-off-by: Ed Santiago <santiago@redhat.com>
