Add support for DefaultMode for configMaps and secrets.
This allows users to set the file permissions for files
created with their volume mounts. Adheres to k8s defaults.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
The id, digest, and intermediate filters were broken
for podman images. Fix to match on substrings instead of
the whole string for id and digest. Add the intermediate value
correctly when set.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
...from f38 + f37.
Requires one minor e2e test change, to handle an error logging
change in conmon 2.1.8.
Also, this is important, requires crun-1.9.1 because of a kernel
symlink change; see https://github.com/containers/crun/pull/1309
The VM images here were carefully built to include that. By the
time the next VM images get built, it should be default.
Since we've bumped crun, remove two obsolete skips
And, skip a flaky pasta test, #20170
Signed-off-by: Ed Santiago <santiago@redhat.com>
Commit 2 of 2: individual special-case handling of tests
which did not pass under ExitCleanly(), one or more of:
- add "-q" to commit & push commands
- add ErrorToString() checks
- remove unnecessary ErrorToString() checks
Signed-off-by: Ed Santiago <santiago@redhat.com>
Final push on RUN-1907. Commit 1 of 2.
This is the final set of test/e2e/*_test.go files to be
converted from Exit(0) to ExitCleanly().
This commit is a mix of automated string-replace with
manual revert-back: tests that did not pass with ExitCleanly()
are reverted back to Exit(0), so they will not show up as
diffs in this commit. When possible, I address those in
my next commit.
My goal was to make this commit a don't-bother-reviewing one
that will also pass tests (so as not to break git-bisect).
The next commit is the important one to review.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Some keys, e.g. ro do not have values.
The current implementation crashed looking for the = sign
Externalize findMountType in a new package
Parse mount command using FindMountType
Rebuild parameter string using csv
Add test case and adjust the test framework
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
When you run e2e tests locally they use CNI unless the NETWORK_BACKEND
env was set to netavark. Because our main focus is on netavark we should
test it by default.
For local tests this should help to prevent CNI/netavark conflicts as I
assume most systems where people run tests on are on netavark by now.
For CI testing we hardcode NETWORK_BACKEND there to test both netavark
(on current fedora) and CNI (prior fedora). MAke sure to switch the
logic in the CI setup to reflect that.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Pass the _entire_ environment to conmon instead of selectively enabling
only specific variables. The main reasoning is to make sure that conmon
and the podman-cleanup callback process operate in the exact same
environment than the initial podman process. Some configuration files
may be passed via environment variables. Podman not passing those down
to conmon has led to subtle and hard to debug issues in the past, so
passing all down will avoid such kinds of issues in the future.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Commit 2 of 2: fixes to get tests passing
Mostly reverting back to Exit(0) on tests that produce stderr,
adding stderr checks when those are missing.
One pretty big exception: "run check dns" test was completely
broken in many respects. It should never have worked under CNI,
but was passing because nslookup in that alpine image was
checking /etc/hosts. This has been fixed in subsequent alpine
images, which we're now using in this test (CITEST_IMAGE).
Signed-off-by: Ed Santiago <santiago@redhat.com>
PR #20082 bumped fedora-minimal, from f34 to f39. This worked
fine for a few days, then all of a sudden CI started breaking
because the f39 minimal image got rebuilt and repushed without
adduser. #20127 was an emergency fix; this is a stabler fix.
We keep using not-under-our-control container images, and we
keep getting burned when those get updated in nasty ways. Here
we switch to using a tagged & versioned fedora-minimal image
that is under our control.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The processing and setting of the static and volume directories was
scattered across the code base (including c/common) leading to subtle
errors that surfaced in #19938.
There were multiple issues that I try to summarize below:
- c/common loaded the graphroot from c/storage to set the defaults for
static and volume dir. That ignored Podman's --root flag and
surfaced in #19938 and other bugs. c/common does not set the
defaults anymore which gives Podman the ability to detect when the
user/admin configured a custom directory (not empty value).
- When parsing the CLI, Podman (ab)uses containers.conf structures to
set the defaults but also to override them in case the user specified
a flag. The --root flag overrode the static dir which is wrong and
broke a couple of use cases. Now there is a dedicated field for in
the "PodmanConfig" which also includes a containers.conf struct.
- The defaults for static and volume dir and now being set correctly
and adhere to --root.
- The CONTAINERS_CONF_OVERRIDE env variable has not been passed to the
cleanup process. I believe that _all_ env variables should be passed
to conmon to avoid such subtle bugs.
Overall I find that the code and logic is scattered and hard to
understand and follow. I refrained from larger refactorings as I really
just want to get #19938 fixed and then go back to other priorities.
https://github.com/containers/common/pull/1659 broke three pkg/machine
tests. Those have been commented out until getting fixed.
Fixes: #19938
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The fedora minimal 39 image has been updated on the fedora registry and
removed the `useradd` binary. Since we were pulling by tag and not by
digest, updates to images outside of our control always entail a certain
risk - and now it bit us.
To fix it, try to move as many users of `useradd` to _our_ CITEST_IMAGE
and migrate the code where necessary to this Alpine-based tooling.
However, the Alpine-based `adduser` binary (not useradd!) doesn't work
well when being executed as a non-root user and will just error out.
Hence, move the fedora minimal image back to version 34 which is still
including the `useradd` binary.
Ultimately, all images on public registries should be pulled via digest
to make sure we pin them down. I refrain from doing this now to make
sure we can cherry-pick this PR to older branches and get things back
into a working state ASAP.
Fixes: #20119
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Container ports defined with containerPort were exposed by default
even though kubernetes interprets them as mostly informative.
Closes#17028
Signed-off-by: Peter Werner <wpw.peter@gmail.com>
Fix farm update to verify a connection exists before
removing or adding it.
Also verify that the farm we want to update exists.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
This is not really an error, if the anonymous volume is still used then
this likely means it was transferred to another container with
--volumes-from. This is what the user wants and it is not like the user
can act on the logged error anyway. Once the last user of the volume is
removed it will be removed correctly.
see https://github.com/containers/podman/pull/19637
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Commit 2 of 2: steps to make tests work under ExitCleanly()
Mostly adding "-q" to push/pull, but also:
- revert ExitCleanly(), and add error-message checks
if absent;
- fix a test that was completely nonfunctional from
Day One: test was getting skipped because registry
couldn't start, because of missing ":z"s in mount option.
Fixed, and removed the bypass;
- use built-in skopeo, not pulled-container skopeo. Skopeo
is already a requirement for system tests.
Signed-off-by: Ed Santiago <santiago@redhat.com>
commit cf364703fc changed the way
/sys/fs/cgroup is mounted when there is not a netns and it now honors
the ro flag. The mount was created using a bind mount that is a
problem when using a cgroup namespace, fix that by mounting a fresh
cgroup file system.
Closes: https://github.com/containers/podman/issues/20073
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
If you are running a quadlet with anonymous volumes, then the volume
will leak ever time you restart the service. This change will
cause the volume to be removed.
Fixes: https://github.com/containers/podman/issues/20070
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Commit 3 of 3: make tests pass.
This is the tricky one requiring manual effort. For the most part,
all I did was replace ALPINE/"alpine" with CITEST_IMAGE so we
don't get "Pulling..." messages. Also added warning-message checks
to two truncation tests
Signed-off-by: Ed Santiago <santiago@redhat.com>
Commit 2 of 3:
- rewrite all but one commands, from "generate kube" to "kube g".
- remove "podman generate kube" from all It()s.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Commit 3 of 3, and this one's a doozy. Sorry.
The main problem was that "kube play" re-pulled images.
To solve that, I changed PullPolicy to "missing" and,
where possible, replaced alpine/busybox with CITEST_IMAGE
because that one seems to be cached better? I couldn't
figure out why, but even without the PullPolicy change
everything worked better with CITEST_IMAGE. And it's
a better image to use anyway.
Other lesser changes (like adding "-q") as needed.
Also:
- in four tests that use "replica", we can't use ExitCleanly()
because of a run-time warning. Add a check for that warning.
- remove a workaround for a long-closed issue (c/storage 1232)
Signed-off-by: Ed Santiago <santiago@redhat.com>
Commit 2 of 3:
- rewrite all commands but one, from "play kube" to "kube play".
Considered renaming the file but no, maybe later.
- remove "podman play kube" from all It()s. "Podman kube play" is
already in the Description; unnecessary redundancy is unnecessary.
Signed-off-by: Ed Santiago <santiago@redhat.com>
