This reverts commit d633824a9527b9ec937cdfc8aacc890ec3249127.
The issue has been fixed in commit 9a0c0b2eef and I have not seen it
since so remove this special case.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This could have been done by simply running
GOOS=freebsd ./bin/golangci-lint run [options] ./...
on Linux, but some freebsd code is using cgo (i.e. is linked to C
libraries), so real freebsd environment is required.
This also fixes the issue of ignoring linter errors for Windows and
Darwin (exit 0), introduced by commit c9b108d5b38.
Fixes: c9b108d5b38 ("Bump golangci-lint to v2.0.2")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
1. Strip leading v from VERSION.
This will allow to simplify renovate rule at [1].
2. Fix git branch in the URL.
In golangci-lint v2 they've switched from master to main,
and it's not clear what will happen to master over time,
so let's just switch to main prophylactically.
3. Use -b option instead of undocumented hack.
Instead of relying on an undocumented feature of having BINDIR,
let's use -b option as recommended by the official docs at [2].
4. Avoid stuttering in the output.
Before:
[kir@kir-tp1 podman]$ VERSION=2.0.2 ./hack/install_golangci.sh
golangci-lint has version 2.0.2 built with go1.24.1 from 2b224c2c on 2025-03-25T21:36:18Z
Using existing ./bin/golangci-lint has version 2.0.2 built with go1.24.1 from 2b224c2c on 2025-03-25T21:36:18Z
After:
[kir@kir-tp1 podman]$ VERSION=2.0.2 ./hack/install_golangci.sh
golangci-lint has version 2.0.2 built with go1.24.1 from 2b224c2c on 2025-03-25T21:36:18Z
Using existing ./bin/golangci-lint
5. Fix shellcheck warnings.
6. Also retry when reinstalling.
The code logic to retry install for up to 5 times when installation
fails was introduced by commit dd8574022d ("CI: retry the golangci
install").
For some reason, the above commit only uses the logic when the binary is
not found. In a situation when the binary is found but is of the wrong
version, no retries are done.
Fix that.
7. Add -f option to curl.
As recommended by the official installation docs at [2].
[1]: 16f757f699/renovate/defaults.json5 (L106-L108)
[2]: https://golangci-lint.run/welcome/install/#binaries
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This ended up slightly more complicated than anticipated, in part
because golangci-lint v2 dropped support for --exclude-dirs, so
linter issues with GOOS=windows and GOOS=darwin which were previously
ignored had to be fixed now.
This is also the reason why the ./hack/golangci-lint was simplified.
In addition, it now runs linters on Linux without systemd tag set.
Tested locally with:
for OS in linux windows darwin; do GOOS=$OS ./hack/golangci-lint.sh; done
Linting for GOOS=linux
+ ./bin/golangci-lint run --build-tags=apparmor,seccomp,selinux
0 issues.
+ ./bin/golangci-lint run --build-tags=apparmor,seccomp,selinux,systemd
0 issues.
+ ./bin/golangci-lint run --build-tags=apparmor,seccomp,selinux,remote
0 issues.
Linting for GOOS=windows
+ ./bin/golangci-lint run --build-tags=remote,containers_image_openpgp
0 issues.
Linting for GOOS=darwin
+ ./bin/golangci-lint run --build-tags=remote,containers_image_openpgp
0 issues.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
* treadmill script: handle an obscure corner case
wherein the script would bail because it thought
there were no buildah-vendor changes.
* two new test skips
* update the diffs; line-number changes due to buildah
PRs touching helpers.bash
Signed-off-by: Ed Santiago <santiago@redhat.com>
Debug for #23913, I thought if we have no idea which process is nuking
the volume then we need to figure this out. As there is no reproducer
we can (ab)use the cleanup tracer. Simply trace all unlink syscalls to
see which process deletes our special named volume. Given the volume
name is used as path on the fs and is deleted on volume rm we should
know exactly which process deleted it the next time hopefully.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Equivalent to print() + system(). Shows individual commands
being run, which may help a developer understand and replicate
actions if they fail.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Initial purpose of treadmill PR was to run buildah-bud tests
early, and not run anything else if they fail. This was to
catch vendoring problems and not be distracted by flakes.
This was done by inspecting and massaging .cirrus.yml.
As of #21639 this code was a silent NOP because the entire
CI tree was overhauled. Here we make that work again.
Also, in #20947 I enhanced this script to run rootless
bud tests but neglected to update the comments. Do so now.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Quadlet inserts network-online.target Wants/After dependencies to ensure pulling works.
Those systemd statements cannot be subsequently reset.
In the cases where those dependencies are not wanted, we add a new
configuration item called `DefaultDependencies=` in a new section called
[Quadlet]. This section is shared between different unit types.
fixes #24193
Signed-off-by: Farya L. Maerten <me@ltow.me>
Add a new program based on bpftrace[1] to trace all podman processes
with arguments and exit code/signals. Additionally this captures stderr
from all podman container cleanup processes spawned by conmon which
otherwise go to /dev/null and are never seen in any CI logs.
Hopefully this allows us to debug strange network cleanup error seen in
CI, my plan is to add this to the cirrus setup and upload the logs so we
can check them when the flakes happen.
[1] https://github.com/bpftrace/bpftrace
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
For the past two months we've been splitting system tests
into two categories: those that CAN be run in parallel,
and those that CANNOT. Much work has been done to replace
hardcoded names (mycontainer, mypod) with safename().
Hundreds of test runs, in CI and on Ed's laptop, have
proven this approach viable.
make {local,remote}system now runs in two steps: first
the serial ones, then the parallel ones. hack/bats will
now recognize the 'ci:parallel' tag and add --jobs (nprocs).
This requires some tweaking of leak_check, because there
can be umpteen tests running (affecting image/container/pod/etc
state) when any given test completes.
Rules for enabling parallelization in tests:
* use unique container/pod/volume/network names (safename)
* do not run 'podman rm -a' or 'rmi -a'
* never use the -l (--latest) option
* do not run 'podman ps/images' and expect precise output
Signed-off-by: Ed Santiago <santiago@redhat.com>
Generated at build time from troubleshooting.md. Purpose is
to ship an actual man page to end users.
Much more complicated than initial guess, because there was
a bug in my Makefile man page filtering, the sed expression
that cleans up markdown that does not translate to roff.
All I've done here is reorder some of the expressions,
stripping off https links *before* we process
podman man page links.
Signed-off-by: Ed Santiago <santiago@redhat.com>
It qemu cannot be compiled anyway so make sure we do not try to compile
parts where the typechecker complains about on windows.
Also all the e2e test files are only used on linux as well.
pkg/machine/wsl also reports some error but too many for me to fix them
now. One minor problem was fixed in pkg/machine/machine_windows.go.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Now that we have proper !remote tags set everywhere we can just rely on
that and do not need to skip any dirs.
Also on linux do not lint three times, one remote run is enough.
We still have to skip the test dir for windows/macos though or we need
to add linux build tags there everywhere as well. This seems simpler.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit gets tests working under the new local-registry system:
* amend a few image names, mostly just sticking to a consistent
list of those images in our registry cache. Mostly minor
tag updates.
* trickier: pull_test: change some error messages, and remove
a test that's now a NOP. Basically, with a local (unprotected)
registry we always get "404 manifest unknown"; with a real
registry we'll get "403 I can't tell you".
* trickiest: seccomp_test: build our own images at run time,
with our desired labels. Until now we've been pulling
prebuilt images, but those will not copy to the local
cache registry. Something about v1? Anyhow, I gave up
trying to cache them, and the workaround is straightforward.
Also took the liberty of strengthening a few error-message checks
Signed-off-by: Ed Santiago <santiago@redhat.com>
While these are not really slow they still take about 100-250ms if I
time this locally. Given they are run for every test this adds up
quickly. Looking at CI logs I can see the timings for skipped
tests are all in 600ms range. So I think it is safe to assume that these
functions need to get faster.
We have over 670 test cases currently so we talk about over 400s spent
in these functions in CI. This allows for big gains.
Now overall this is a tricky trade-off, while all tests should cleanup
after themselves there is no guarantee for that as such errors can be
leaked into other tests making debugging much harder. To work at least a
bit against this teardown checks if the test was successful and only
skips the podman commands based on that. Without it a single flake could
cause all following tests to fail.
As such this commit does the proper setup once one suite start then only
after a test failed.
In order for this to work at all we have to fix all leaks first, see
previous commits. And then for the future keep a very strong eye on
this during reviews.
Also add a PODMAN_BATS_LEAK_CHECK option
By default tests must cleanup themselves and to speed up CI we no longer
do any cleanup in teardown by default. However there are still many cases
where we might have to debug a leak so add a new PODMAN_BATS_LEAK_CHECK
env option that can be set and should cause teardown to fail if the test
did not cleanup properly.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Testing `podman system check` requires that we have a way to
intentionally introduce storage corruptions. Add a hidden `podman
testing` command that provides the necessary internal logic in
subcommands. Stub out the tunnel implementation for now.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
First of all this removes the need for a network connection, second
renovate can update the version as it is tracked in go.mod.
However the real important part is that the binary downloads are
broken[1]. For some reason the swagger created with them does not
include all the type information for the examples. However when building
from source the same thing works fine.
[1] https://github.com/go-swagger/go-swagger/issues/2842
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
when listing images through the restful service, consumers want to know
if the image they are listing is a manifest or not because the libpod
endpoint returns both images and manifest lists.
in addition, we now add `arch` and `os` as fields in the libpod endpoint
for image listing as well.
Fixes: #22184
Fixes: #22185
Signed-off-by: Brent Baude <bbaude@redhat.com>
Belated followup to #21981. (Looks like I started to add this
functionality back in 2020 but left it unfinished. Tsk tsk.)
docs/source/Commands.rst is unnecessary duplication. It _should_
be autogenerated, but I can't figure out how to cleanly add
that to our Make process. This PR is an interim cross-check
until we get that resolved:
- everything in podman --help must have a matching entry
in Commands.rst (top-level commands only)
- check for dups and out-of-sequence in Commands.rst
- also for anything in Commands.rst that is not in --help
Fix existing mismatches in Commands.rst.
Also, #21784 removed a format specifier that I was using in
regression tests. Switch to using something else, to get
test passing again. Given the fact the correct solution
is autogenerating Commands.rst, I choose not to add new
tests for the rst xref.
Also, executive decision, remove volume.rst. It is not referenced
from anywhere, it looks like a lonely orphan remnant from days
of yore.
Signed-off-by: Ed Santiago <santiago@redhat.com>
pasta only works when we run as container_runtime_exec_t, now that pasta
is the default this means that the current binary will not work when
doing local dev without manually fixing the label.
There are also other parts where the correct label is important. So as a
simple fix always set the proper label in the bin/podman target.
This also means we can drop this line from the hack/bats script.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Followup to:
- #21060, where I added new struct checks (but did not make them fatal)
- #21534, which added per-interface stats and a .Network field,
but its documentation was slightly off
Signed-off-by: Ed Santiago <santiago@redhat.com>
Moving from Go module v4 to v5 prepares us for public releases.
Move done using gomove [1] as with the v3 and v4 moves.
[1] https://github.com/KSubedi/gomove
Signed-off-by: Matt Heon <mheon@redhat.com>
Specifically, Darwin's bash is very old so it doesn't support newer
features like `declare -A`. Reduce the complexity of the script
so that it can be used for all platforms. Comment heavily regarding the
script's various execution contexts to prevent developers relying on
advanced features for any future modifications.
Signed-off-by: Chris Evich <cevich@redhat.com>
There are darwin-specific code paths which were not being linted prior
to this commit. Fix this with a new, darwin-specific section of the lint
runner script.
Signed-off-by: Chris Evich <cevich@redhat.com>
New CI validation check: all keys in quadlet.go must be
documented at least once in podman-systemd.unit.5.md.
Adding '// deprecated' next to an enum definition will
exclude said key from the documentation cross-checks.
And, because the md file lists keys in both table and block
form, make sure those all match.
And make sure everything is sorted in lexical order, in
both .go source and in man page.
And add a validation check to make sure it stays that way.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Initial impetus was #20958 (ps --format .Label abc). This is
a complicated solution to a simple-seeming problem.
The problem: .Label is a cobra *function*, something I did not
know about nor handle.
Solution: recognize cobra functions. Switch to __complete,
not __completeNoDesc, so we can see the number of arguments
required. Invent new man-page format for documenting functions.
And, finally, start enforcing how functions (and cobra structs)
are documented.
This discovered a never-used completion function, .Recycle(),
in podman-events. Remove it.
[NO NEW TESTS NEEDED] - the .go change is an excision of dead code.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Followup to #21055: regression tests for the code that
reads man pages. These are not xref-related at all, just
simple consistency checks on the man page content.
In the process of writing these tests, I also fixed a
longstanding bug where warning messages could be emitted
multiple times, once for each time we read a man page file
(as happens with command aliases).
Signed-off-by: Ed Santiago <santiago@redhat.com>
In the process of adding new functionality to the xref script,
I realized it is much too fragile. It's too easy to make some
minor change that could break the crossrefs, giving us the
illusion of testing.
Solution: add a test suite for the script. Still incomplete,
but an important step toward building confidence.
Requires minor surgery to the script itself
Signed-off-by: Ed Santiago <santiago@redhat.com>
There's a stanza in .cirrus.yml that only "runs" in
the treadmill cron job ... but that job is long gone.
The task actually runs in the buildah treadmill PR, #13808,
but that's not obvious to someone reading .cirrus.yml.
This is a maintenance burden. Remove it.
Because rootless bud tests are still important, and we
still want to run them in the treadmill PR, modify the
treadmill script itself so it (ugh) injects rootless jobs
into the buildah_bud test matrix. This is super fragile
but acceptable because I am the only one who ever runs
the treadmill script. I will notice if this breaks.
Signed-off-by: Ed Santiago <santiago@redhat.com>
I'm not sure about apparmor tag. At least runc isn't using it anymore.
"apparmor (since runc v1.0.0-rc93 the feature is always enabled)" from https://github.com/opencontainers/runc
containers-common still seems to check for apparmor, so not touching it for now.
Signed-off-by: Rahil Bhimjiani <rahil3108@gmail.com>
Some --filter descriptions listed the filters with asterisks,
i.e. markdown italics. There were 60+ of those, 250+ without
asterisks, so I choose to de-asterisk them all. Update the
xref script to remove the allow-asterisk exception. (Except
for the column title, which is sometimes written with two
asterisks--boldface--and sometimes plain).
Signed-off-by: Ed Santiago <santiago@redhat.com>
For all commands with a --filter option, cross-reference
against man pages, and vice-versa.
I'm sorry. I know this script has gone off the deep end.
[NO NEW TESTS NEEDED] although actually I would like to test some broken completions
Signed-off-by: Ed Santiago <santiago@redhat.com>
First do not lint pkg/domain/infra/abi with the remote tag as this is
only local code.
Then mark the cacheLibImage field as unused, this should be an unused
stub for the remote client so that we do not leak libimage.
The linter sees that with the remote tag so we need to silence that
warning.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Shortcuts like unix:path and unix:/path do not work everywhere,
so make sure to use unix://path when quoting the url (or address)
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>