Commit Graph

5163 Commits

Author SHA1 Message Date
OpenShift Merge Robot
998acd760f Merge pull request #17707 from Luap99/wait-for-port
test/system: fix wait_for_port() to wait for bind
2023-03-14 12:35:58 -04:00
OpenShift Merge Robot
08cd180abc Merge pull request #17736 from giuseppe/no-private-cgroupns-systemd
cgroupns: private cgroupns on cgroupv1 breaks --systemd
2023-03-14 11:33:24 -04:00
OpenShift Merge Robot
1a8a5bc04c Merge pull request #17758 from edsantiago/bud_rootless_remote
bud tests: rootless remote: use correct socket path
2023-03-14 10:26:57 -04:00
OpenShift Merge Robot
6025103196 Merge pull request #17759 from sbrivio-rh/pasta
Revert "pasta: Use two connections instead of three in TCP range forward tests"
2023-03-14 10:00:02 -04:00
Paul Holzinger
7d8d3e810f system service --log-level=trace: support hijack
When the service is running with trace log level it wraps the
`http.ResponseWriter` to log extra information. The problem is that the
new type does not keep all the functions from the embedded type.
Instead we have to implement them ourselves, however only Write() was
implemented. Thus `Hijack()`could not be called on the writer. To
prevent these issues we would implement all the interfaces that the
inner type supports (Header, WriteHeader, Flush, Hijack).

Fixes #17749

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-03-14 14:33:52 +01:00
Paul Holzinger
eed389508e test/system: fix wait_for_port() to wait for bind
The goal of the wait_for_port() function is to return when the port is
bound. This is to make sure we wait for application startup time.
This can be seen in some comments of the callers.

Commit 7e3d04fb caused this regression while reworking the logic to read
ports from /proc. I doesn't seem to cause problems in CI, properly
because the function returns before the port is bound.
I have not seen any flakes related to this but I only see the ones on
PRs where I rerun tests so it is best to wait for Ed to take a look.

Also fixes the broken ipv4_to_procfs() which only passes one argument to
__ipv4_to_procfs(), this results in the ipv4 not beeing inverted.
Therefore all bind checks against a direct ipv4 did not work.
This function accepts only an ipv4 but one caller passes localhost
which is invalid.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-03-14 14:24:04 +01:00
Giuseppe Scrivano
2d1f4a8bff cgroupns: private cgroupns on cgroupv1 breaks --systemd
On cgroup v1 we need to mount only the systemd named hierarchy as
writeable, so we configure the OCI runtime to mount /sys/fs/cgroup as
read-only and on top of that bind mount /sys/fs/cgroup/systemd.

But when we use a private cgroupns, we cannot do that since we don't
know the final cgroup path.

Also, do not override the mount if there is already one for
/sys/fs/cgroup/systemd.

Closes: https://github.com/containers/podman/issues/17727

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2023-03-14 12:34:52 +01:00
Valentin Rothberg
7a7af735ad test/system/255-auto-update.bats: multiple services
Wait for all generated services to be ready to be sure we can iron out
race conditions.  Also disable rollbacks to make sure we can analyze
the error if restarting a service fails.  This information may be
crucial to understand the flakes on Debian as tracked in #17607.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-03-14 10:30:32 +01:00
Valentin Rothberg
40d0d233eb 255-auto-update.bats: turn off rollback where needed
To help debug #17607, turn off rollbacks for tests that do not require
rollbacks.  Error when restarting the systemd units are then not
suppressed but returned which should give us more information about what
is going on the Debian systems.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-03-14 10:16:59 +01:00
Stefano Brivio
1c08f2edac Revert "pasta: Use two connections instead of three in TCP range forward tests"
This reverts commit e33f4e0bc7, going
back to three connections (not two) for each range in TCP tests. I'm
not sure yet what caused the original issue, but it might be fixed
now. If it does, this fixes #17287.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-03-13 20:40:15 +01:00
Daniel J Walsh
ad8a96ab95 Support running nested SELinux container separation
Currently Podman prevents SELinux container separation,
when running within a container. This PR adds a new
--security-opt label=nested

When setting this option, Podman unmasks and mountsi
/sys/fs/selinux into the containers making /sys/fs/selinux
fully exposed. Secondly Podman sets the attribute
run.oci.mount_context_type=rootcontext

This attribute tells crun to mount volumes with rootcontext=MOUNTLABEL
as opposed to context=MOUNTLABEL.

With these two settings Podman inside the container is allowed to set
its own SELinux labels on tmpfs file systems mounted into its parents
container, while still being confined by SELinux. Thus you can have
nested SELinux labeling inside of a container.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-03-13 14:21:12 -04:00
Ed Santiago
159936a114 bud tests: rootless remote: use correct socket path
Another followup to #17608. Nightly tests were hanging,
because /run/podman/podman.sock was hardcoded (bad idea
for rootless). Poor testing on my part.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-03-13 10:59:38 -06:00
Giuseppe Scrivano
fb4f6f95c5 test: reenable idmap test
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2023-03-11 12:15:38 +01:00
OpenShift Merge Robot
9a45503c80 Merge pull request #17249 from rhatdan/qm
Must use mountlabel when creating builtin volumes
2023-03-09 14:27:05 -05:00
Daniel J Walsh
b5a99e0816 Must use mountlabel when creating builtin volumes
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-03-09 12:36:52 -05:00
Daniel J Walsh
21651706e3 podman inspect list network when using --net=host or none
This will match Docker behaviour.

Fixes: https://github.com/containers/podman/issues/17385

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-03-08 17:27:08 -05:00
OpenShift Merge Robot
747369c82d Merge pull request #17713 from sbrivio-rh/pasta
pasta: Re-enable "Local forwarder, IPv4" test now that packages in CI images are fixed
2023-03-08 20:22:45 +01:00
Stefano Brivio
f928cf54aa pasta: Re-enable "Local forwarder, IPv4" test, accept NXDOMAIN as response
This case is fixed by passt commit bad252687271 ("conf, udp: Allow
any loopback address to be used as resolver") and the fix is now
available in packages included by the CI images.

Note that, depending on the resolver on the host, we might get
1.0.0.127.in-addr.arpa resolved to localhost, or simply NXDOMAIN for
it: accept a failure on the nslookup command, as long as we have a
response for 1.0.0.127.in-addr.arpa in the output. If we have any
response, that means we could talk to the resolver.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-03-08 17:09:40 +01:00
dependabot[bot]
829e910cde build(deps): bump golang.org/x/tools from 0.6.0 to 0.7.0 in /test/tools
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-08 13:02:30 +00:00
restitux
cb3cda55f2 Quadlet: add support for setting --ip and --ip6
Signed-off-by: restitux <restitux@ohea.xyz>
2023-03-06 18:36:41 -07:00
Valentin Rothberg
e77f370f86 sqlite: add a hidden --db-backend flag
Add a hidden flag to set the database backend and plumb it into
podman-info.  Further add a system test to make sure the flag and the
info output are working properly.

Note that the test may need to be changed once we settled on how
to test the sqlite backend in CI.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-03-02 13:43:11 +01:00
OpenShift Merge Robot
8457bb5542 Merge pull request #16717 from umohnani8/detach
play kube: Add --wait option
2023-03-01 16:46:54 +01:00
OpenShift Merge Robot
4f4665cbda Merge pull request #17673 from vrothberg/fix-17607
auto-update test: wait for service to be ready
2023-03-01 16:09:14 +01:00
OpenShift Merge Robot
86a0e44ccd Merge pull request #17659 from cevich/fix_bud_git_config
Cirrus: Fix git config permission denied
2023-03-01 15:15:35 +01:00
OpenShift Merge Robot
69ba3548f0 Merge pull request #17653 from Luap99/fix-17616
fix "podman logs --since --follow" flake
2023-03-01 15:12:32 +01:00
Valentin Rothberg
51cf2dd363 test/system/255-auto-update.bats: wait 10 for update to finish
10 seconds is used by most other tests as a timeout. Given the test
flakes on Debian use it.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-03-01 14:45:59 +01:00
Valentin Rothberg
b727f30ac6 auto-update test: wait for service to be ready
The symptoms in #17607 point to some race since it does not always flake
on Debian (and Debian only).  Hence, wait for the service to be ready
before building the image to make sure that the service is started with
the old image and that everything's in order.

Fixes: #17607
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-03-01 13:43:29 +01:00
OpenShift Merge Robot
3cab05aa3e Merge pull request #17656 from ygalblum/quadlet-container-mount
Quadlet: Add support for the Mount key in .container files
2023-03-01 09:21:09 +01:00
OpenShift Merge Robot
02a77d27a2 Merge pull request #17450 from danishprakash/add-group-entry
create: add entry to /etc/group via `--group-entry`
2023-02-28 21:59:59 +01:00
Urvashi Mohnani
20a42d0e4f play kube: Add --wait option
Add a way to keep play kube running in the foreground and terminating all pods
after receiving a a SIGINT or SIGTERM signal. The pods will also be
cleaned up after the containers in it have exited.
If an error occurrs during kube play, any resources created till the
error point will be cleane up also.

Add tests for the various scenarios.

Fixes #14522

Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
2023-02-28 13:45:36 -05:00
Chris Evich
6babef5983 Cirrus: Fix git config permission denied
The buildah bud tests run rootless, so attempting to bypass the
ident-check with a `git config --system` fails with a permission denied
error (as it should).  Update the command to use `--global` instead,
which writes to `~/.gitconfig` and so works for regular users.

Also setup a fake identity for the CI-user and enable shell-debugging
for the commands to inform humans of what is happening in the script.

Signed-off-by: Chris Evich <cevich@redhat.com>
2023-02-28 10:52:20 -05:00
Ygal Blum
ccc5aa59a0 Quadlet: Add support for the Mount key in .container files
Handle the Mount key
Reuse code from the handling of the Volume key
Add E2E Test
E2E Test - Add checker for KeyValue string
Update man page

Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
2023-02-28 16:14:19 +02:00
OpenShift Merge Robot
a5895e3ed7 Merge pull request #17650 from sbrivio-rh/pasta
Revert "Skip all pasta tests"
2023-02-28 13:47:27 +01:00
Paul Holzinger
77861d6af3 fix "podman logs --since --follow" flake
The test should make sure the logs --follow call will log entries that
are created in the future when --since is used and doe not include the
container start event. However it seems the timing is to tight. I think
it was possible that CI logged the line before the logs call was made,
thus it is missing because --since excluded it.

I cannot reproduce so I am not 100% on this but we can reopen the issue
if it still happens.

Fixes #17616

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2023-02-28 13:31:28 +01:00
Stefano Brivio
42540a6679 Revert "Skip all pasta tests"
This reverts commit 81f116c59c: the
passt package for Fedora 37 images is now fixed in the
c20230223t153813z-f37f36d12 image.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2023-02-28 11:37:59 +01:00
Chris Evich
0f92e19e8e Cirrus: Fix bud tests failing to apply patches
For some weeks or longer, the buildah bud tests have been failing under
cirrus-cron with the message:

```
+ git am --reject
Committer identity unknown

*** Please tell me who you are.

Run

  git config --global user.email "you@example.com"
  git config --global user.name "Your Name"

to set your account's default identity.
Omit --global to set the identity only in this repository.

fatal: empty ident name (for
<some30462dude@cirrus-task-5479994827210752.c.libpod-218412.internal>)
not allowed
```

Fix this by marking the clone directory "safe" when the script is
running under CI.

Signed-off-by: Chris Evich <cevich@redhat.com>
2023-02-27 12:08:41 -05:00
Ed Santiago
d838c08b30 buildah-bud tests: don't sudo when rootless is desired
Followup to #17608, rootless buildah-bud in cron. I forgot
one crucial step, skipping the sudo.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-02-24 05:49:45 -07:00
OpenShift Merge Robot
afa0167d47 Merge pull request #17601 from ygalblum/quadlet-do-not-set-runtime
Quadlet - use the default runtime
2023-02-23 10:54:48 +01:00
OpenShift Merge Robot
3796e22761 Merge pull request #17586 from mheon/add_sql_state
Add initial SQLite-backed state implementation
2023-02-23 09:11:05 +01:00
Ygal Blum
0d75854c52 Quadlet - use the default runtime
Do not set the runtime when processing a .container file
Let Podman choose the runtime based on its configuration

Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
2023-02-23 09:29:39 +02:00
OpenShift Merge Robot
7fba1db31a Merge pull request #17526 from danishprakash/fix-kube-secret
kube: rm secret on down, print secret on play
2023-02-22 19:34:18 +01:00
OpenShift Merge Robot
efbc35601f Merge pull request #17305 from cevich/swap_ubuntu_debian
Replace Ubuntu -> Debian SID
2023-02-22 19:31:45 +01:00
Matt Heon
89d0ccd195 Get E2E tests to pass
Signed-off-by: Matt Heon <mheon@redhat.com>
2023-02-22 11:00:50 -05:00
Chris Evich
81f116c59c Skip all pasta tests
A horrible timeout-flake exists in the version presently in CI VM images
`c20230221t162829z-f37f36d12`.  Since the PR for adding the 2023-02-21
images is more urgently needed (#17305) than a pasta fix, skip all pasta
tests while waiting for a fix.

Signed-off-by: Chris Evich <cevich@redhat.com>
2023-02-22 10:55:12 -05:00
Chris Evich
642e9ddb8d Skip buildah-bud test
Test is completely broken, see buildah issue 4396.

Thanks to @edsantiago for the patch.

Signed-off-by: Chris Evich <cevich@redhat.com>
2023-02-22 10:44:03 -05:00
Chris Evich
10382d0bca Skip buildx test with VFS podman storage driver
Ref: https://github.com/containers/podman/issues/17520

Signed-off-by: Chris Evich <cevich@redhat.com>
2023-02-22 10:44:03 -05:00
Chris Evich
dd51b62b7a Skip 'podman kube --network' test for rootless CGv1
Test emits nasty warning message:
`Resource limits are not supported and ignored on cgroups V1 rootless
systems`

Ref: issue #17582

Signed-off-by: Chris Evich <cevich@redhat.com>
2023-02-22 10:43:19 -05:00
Chris Evich
197529f084 Skip tests which fail with CGv1 & runc
* Skip play-kube test when runc is in use #17436
* Skip uid/gidmapping idmapped-volume test #17433

Signed-off-by: Chris Evich <cevich@redhat.com>
2023-02-22 10:35:03 -05:00
OpenShift Merge Robot
d71c341b94 Merge pull request #17603 from edsantiago/bats_cleanup
Logs follow-until tests: loosen checks
2023-02-22 16:32:01 +01:00
Chris Evich
5b4f248a84 Skip rootless CGv1 quadlet tests due to issue
Signed-off-by: Chris Evich <cevich@redhat.com>
2023-02-22 10:31:18 -05:00