support using keep-id when only one mapping is available to the
rootless user.
When there is only one id available (e.g. there are no additional IDs
set in /etc/subuid and /etc/subgid for the unprivileged user), then
only add the identity mapping $ID -> $ID, leaving unmapped other IDs
in the user namespace.
[NO NEW TESTS NEEDED] it needs a configuration with only one ID
available.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The rest of the code has been using golang.org/x/* for the IsTerminal()
API for a long time, not github.com/mattn/go-isatty. It seems better to
stick to packages from the golang.org domain, whenever possible, and one
less dependency is always a good thing.
The modules were not cleaned up with 'make vendor' because 'go mod tidy'
was running into:
go: error loading go 1.16 module graph:
github.com/containers/image/v5@v5.23.1-0.20221015133641-1921a1993c67
requires
github.com/honeycombio/beeline-go@v1.9.0 requires
github.com/mattn/go-sqlite3@v2.0.3+incompatible: reading
github.com/mattn/go-sqlite3/go.mod at revision v2.0.3: unknown
revision v2.0.3
If reproducibility with go 1.16 is not needed:
go mod tidy -compat=1.17
Since go.mod already requires Go 1.17, the following commands were
manually run:
$ go mod tidy -compat=1.17
$ go mod vendor
$ go mod verify
Further modifications to go.sum were done manually based on the
complaints from postbuild.sh run by the CI.
[NO NEW TESTS NEEDED] as it's not a functional change.
Fixes: 85db895012bead6b ("logging: new mode -l passthrough")
Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
The OCI Runtime's KillContainer interface can modify container
state (if the signal fails to send, as it would if the container
failed immediately after starting, we will update state to pick
up the fact that the container exited). As such, it can edit the
DB, and needs to be run locked.
There are fortunately only a few places where this function is
used, and most of them are already safe. The only exception is
StartAndAttach(), which does a SIGWINCH in an unlocked portion of
the function. Fortunately it's a goroutine, so just add a lock
and defer unlock and it should be fixed.
[NO NEW TESTS NEEDED] I have no idea how to induce a scenario
that would cause this consistently.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
When there is a podman pause process running the local podman ginkgo
tests will join the usernamespace. This because pkg/rootless will
automatically join the ns on startup when possible. To fix this we
need to use the remote build tag which disables that behavior.
However since the remote tag is also used in the e2e test itself we
would always run remote tests which is wrong, this is fixed by using a
new `remote_testing` tag for the test.
see discussion here: https://github.com/containers/podman/pull/16309#discussion_r1006166930
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We've had some oopsies in system tests:
podman foo bar
run podman foo bar
...all of which should be run_podman with underscore. Those
have been passing because /usr/bin/podman is the fallback
from $PATH. In those (few) cases, we haven't actually been
testing the podman we should be testing.
Solution: nuke /usr/bin/podman and podman-remote before
invoking system and unit tests. As an extra level of
paranoia, check for other podmans in $PATH - if any
exist, bail out with a fatal error.
Also: in a few cases where runner.sh invokes podman for
containerized something-something, run bin/podman instead
of podman from $PATH.
Also: fix existing dependencies on /usr/bin/podman
Signed-off-by: Ed Santiago <santiago@redhat.com>
idmap is documented as supported for volumes, but it was not added to
the getNamedVolume() function.
Fixes: e83d36665 ("volumes: add new option idmap")
Signed-off-by: Kristian Klausen <kristian@klausen.dk>
Emergency import of https://github.com/containers/buildah/pull/4377
required because the ubi8 image changed behind our backs.
On podman main, this commit will be reverted by Ed's
treadmill as soon as a new buildah is vendored into podman.
On side branches, the human doing the vendoring will need to
perform manual surgery. I hope the instructions are good enough.
Signed-off-by: Ed Santiago <santiago@redhat.com>
One of the system tests was creating a volume and not cleaning up
after itself. Fix that: do cleanup in the test itself. And, add
a 'volume rm -af' to global teardown() to leave things clean for
the next tests.
Also, OOPS! Correct some instances of 'podman' in two system
tests to 'run_podman'. And remove an unused (misleading) variable.
And, one more: in auto-update test, unit file, use $PODMAN,
not /usr/bin/podman
UGH! Yet one more: found/fixed a 'run<space>podman'
Signed-off-by: Ed Santiago <santiago@redhat.com>
I have no idea what this usage means, but the test fails
on a system with no /usr/bin/podman ... and that suggests
to me that the test is broken, in that it's been using
/usr/bin/podman instead of the $PODMAN we're testing.
Solution: 'podman', not '/usr/bin/podman'. Per @Luap99,
podman will replace the string 'podman' with /proc/self/exe
Signed-off-by: Ed Santiago <santiago@redhat.com>
One test was using a hardcoded fixed port, with a comment
referring to #10806. That issue seems fixed, so let's
try switching to a pseudorandom open port.
Does not actually fix#16289 but I'm going to close that
anyway, will reopen if it recurs.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Bump the timeout waiting for the container to process the signal.
The comparatively short timeout is most likely responsible for
flakes in gating tests.
Fixes: #16091
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add a new annotation to allow the user to point to a local tar file
If the annotation is present, import the file's content into the volume
Add a flag to PlayKubeOptions to note remote requests
Fail when trying to import volume content in remote requests
Add the annotation to the documentation
Add an E2E test to the new annotation
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
It was a bit unclear what setting it to empty means.
Also, add to the tests verification that this works.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This just fixes the indentation which was previously breaking the
list such that the various network modes were just mixed into one large
paragraph instead of a list.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
The binary name is not the same as in the old quadlet, and can anyway
differ in system and user runs, so use os.Args[0] to get the right name
in the comment.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This is much better for the systemd case becase we pass the journal
socket fds directly to the container. This means less copying of the
logs, but it also means the journal will correctly get the peer
process id when it tries to extract things like the name of what
is logging something.
With this we correctly name the logging process rather than claim
everything comes from conmon.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
This makees much more sense for typical service loads, and can
easily be reverted by `ReadOnly=no`.
Also updates and adds various tests for this.
Signed-off-by: Alexander Larsson <alexl@redhat.com>
