Not sure why this only triggers now but this code was broken for a
while. It is racy as reported on the issue but because it changes the
actual map part of the network backend it means it can also alter the
behavior of the network which is very bad.
Fixes#22330
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
...and an optional error-message string, to be checked
against stderr.
This is a starting point and baby-steps progress toward #18188.
There are 249 ExitWithError() checks in test/e2e. It will take
weeks to fix them all. This commit enables new functionality:
Expect(ExitWithError(125, "expected substring"))
...while also allowing the current empty-args form. Once
all 249 empty-args uses are modernized, the matcher code
will be cleaned up.
I expect it will take several months of light effort to get
all e2e tests transitioned to the new form. I am choosing to
do so in pieces, for (relative) ease of review. This PR:
1) makes the initial changes described above; and
2) updates a small subset of e2e _test.go files such that:
a) ExitWithError() is given an exit code and error string; and
b) Exit(Nonzero) is changed to ExitWithError(Nonzero, "string")
(when possible)
Signed-off-by: Ed Santiago <santiago@redhat.com>
Docker shows exposed ports as just PORT/PROTO so match that behavior. It
is not clear to me why someone needs that information in ps as "expose"
doesn't effect anything networking related.
Fixes https://issues.redhat.com/browse/RHEL-32154
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
A simple file rename quickly broke the same workflow in both the Buildah
and Skopeo repos. Add a big-fat warning comment to prevent this from
happening again.
Signed-off-by: Chris Evich <cevich@redhat.com>
Periodically, the discussion-lock workflow throws the error: `Resource
not accessible by integration`
This was identified in the
[upstream](https://github.com/dessant/lock-threads)
issue 47, as caused by a version-5 change that adds support for
management of discussions but requires additional permissions
and possibly settings. Given the low notification traffic from
discussions, old discussions may remain valid for a long while, and are
a useful community-interface: Disable management of discussions.
Signed-off-by: Chris Evich <cevich@redhat.com>
As of April 2024, it's no longer included in rawhide by default.
We could force-install it, but it's 2024 and it seems likely
that all systems on which Podman 5 will run will have kernels
that support native overlay.
I also added two debugging printfs to the 'podman info' test
that initially failed on an (unpublished) rawhide VM. Without
these printfs it was impossible to diagnose the failure.
Updating docs is left as a future exercise.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Non-Linux systems, such as BSD kernels, constrain xatter updates
according to file permissions. This is in contrast to Linux selinux
attr writes, which are governed by an selinux policy. By dafault this
policy apllows users to relabel files owned by themselves even if file
perms would otherwise disallow write.
This results in robust container relabeling results on Linux, and
fragile results everywhere else. Therefore, change the mac policy to
force the nfs_t context on all files, and ignore all relabel
events.
As a side-effect, this will disallow any ability to store custom
selinux constants on files. However, this is of limited use in
a machine context, since files in these volumes are externally
managed on systems which do not support SELinux.
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
Currently when we run make docs we will see 100+ lines of
`grep: docs/build/man/links: Is a directory` printed.
This makes no sense as we should only try to validate the man page.
The manpage target is structured in a way that it runs the generation
for each file individually. As such the current way of grep'ing the
entire directory for each page is wrong. It should only validate the on
page that was created by the command above.
To fix this first define a OUTFILE var for the target to not have to
call the substitution every time we use the path and then only grep this
one file and not everything in the dir.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This includes migrating from cdi.GetRegistry() to cdi.Configure() and
cdi.GetDefaultCache() as applicable.
Signed-off-by: Evan Lezar <elezar@nvidia.com>
Podman needs to be able to detect when a system reboot occurs to
do certain types of cleanup operation (for example, reset
container states, clean up IPAM allocations, etc). our current
method for this is a sentinel file on a tmpfs filesystem. The
problem emerges that there is no directory that is guaranteed to
be a tmpfs and is also guaranteed to be accessible to rootless
users in the FHS. If the user has a systemd user session, we can
depend on /run/user/$UID, but we can't reliably say that they do.
This code will detect the no-tmpfs-but-reboot-occurred case by
writing the current system boot ID to our tmpfs sentinel file
when it is created, and checking that file every time Podman
starts to make sure that the current boot ID matches the cached
one in the sentinel file. If they don't match, a reboot occurred
and the sentinel file was not on a tmpfs and thus survived. In
that case, throw an error telling the user to remove certain
directories (the ones that are supposed to be tmpfs), so we can
proceed as expected.
Signed-off-by: Matt Heon <mheon@redhat.com>
This was added ages ago in commit c65b3599cc, however in the meantime
both podman and conmon can support longer socket paths as they use a
workaround to open the path via /proc/self/fd, see openUnixSocket() in
libpod/oci_conmon_attach_linux.go
Thus this restriction is not needed anymore and we can drop a workaround
in the tests.
Fixes#22272
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Contains a breaking change but also besides this renovate is not able to
update the import paths so this needs to be done by hand.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
