When the service is running with trace log level it wraps the
`http.ResponseWriter` to log extra information. The problem is that the
new type does not keep all the functions from the embedded type.
Instead we have to implement them ourselves, however only Write() was
implemented. Thus `Hijack()` could not be called on the writer. To
prevent these issues we would implement all the interfaces that the
inner type supports (Header, WriteHeader, Flush, Hijack).
Fixes #17749
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
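The failure mode described in the commit message above, as an added Go illustration that is not Podman's code: a wrapper around `http.ResponseWriter` hides the inner writer's `Hijack` and `Flush` unless it forwards them. The type names (`hijackable`, `writeOnly`, `fullWriter`) and the in-memory inner writer are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// hijackable is a constructed inner writer: a recorder (has Flush) plus Hijack.
type hijackable struct{ *httptest.ResponseRecorder }

var sample = hijackable{httptest.NewRecorder()} // constructed sample writer

func (hijackable) Hijack() (net.Conn, *bufio.ReadWriter, error) {
	c, _ := net.Pipe() // in-memory stand-in for the client connection
	return c, bufio.NewReadWriter(bufio.NewReader(c), bufio.NewWriter(c)), nil
}

// writeOnly exposes only Header, Write and WriteHeader of the inner writer.
type writeOnly struct{ http.ResponseWriter }

// fullWriter forwards the optional interfaces to the inner writer.
type fullWriter struct{ http.ResponseWriter }

func (w fullWriter) Flush() {
	if f, ok := w.ResponseWriter.(http.Flusher); ok {
		f.Flush()
	}
}

func (w fullWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
	if h, ok := w.ResponseWriter.(http.Hijacker); ok {
		return h.Hijack()
	}
	return nil, nil, fmt.Errorf("inner ResponseWriter is not an http.Hijacker")
}

// supports reports which optional interfaces a handler would find on w.
func supports(w http.ResponseWriter) (hijack, flush bool) {
	_, hijack = w.(http.Hijacker)
	_, flush = w.(http.Flusher)
	return
}

func main() {
	fmt.Println(supports(writeOnly{sample}))  // false false
	fmt.Println(supports(fullWriter{sample})) // true true
}
```

Because `fullWriter` always satisfies `http.Hijacker`, callers must check the error returned by `Hijack()` rather than rely on the type assertion alone.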
The goal of the wait_for_port() function is to return when the port is
bound. This is to make sure we wait for application startup time.
This can be seen in some comments of the callers.
Commit 7e3d04fb caused this regression while reworking the logic to read
ports from /proc. It doesn't seem to cause problems in CI, probably
because the function returns before the port is bound.
I have not seen any flakes related to this but I only see the ones on
PRs where I rerun tests so it is best to wait for Ed to take a look.
Also fixes the broken ipv4_to_procfs() which only passes one argument to
__ipv4_to_procfs(), this results in the ipv4 not being inverted.
Therefore all bind checks against a direct ipv4 did not work.
This function accepts only an ipv4 but one caller passes localhost
which is invalid.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
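The bind check this commit message describes, sketched in Go as an added example rather than the bash helpers from the test suite: the address is written in the inverted byte order that /proc/net/tcp uses on little-endian hosts, and only a socket in LISTEN state counts as bound. The function names mirror the message, the sample table is constructed, and rejecting non-literal input such as `localhost` is this example's choice.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Constructed sample in /proc/net/tcp layout (trailing columns omitted):
// 127.0.0.1:8080 in LISTEN (0A), 10.0.0.5:5000 in ESTABLISHED (01).
const sampleProcNetTCP = `  sl  local_address rem_address   st
   0: 0100007F:1F90 00000000:0000 0A
   1: 0500000A:1388 0200000A:D431 01`

// ipv4ToProcfs renders addr:port as /proc/net/tcp prints it on a
// little-endian host: address bytes reversed as hex, then the port in hex.
func ipv4ToProcfs(addr string, port int) (string, error) {
	ip := net.ParseIP(addr).To4()
	if ip == nil {
		return "", fmt.Errorf("%q is not an IPv4 literal", addr)
	}
	return fmt.Sprintf("%02X%02X%02X%02X:%04X", ip[3], ip[2], ip[1], ip[0], port), nil
}

// isListening reports whether table has a LISTEN socket on addr:port.
func isListening(table, addr string, port int) (bool, error) {
	want, err := ipv4ToProcfs(addr, port)
	if err != nil {
		return false, err
	}
	sc := bufio.NewScanner(strings.NewReader(table))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 4 && f[1] == want && f[3] == "0A" {
			return true, nil
		}
	}
	return false, sc.Err()
}

func main() {
	fmt.Println(isListening(sampleProcNetTCP, "127.0.0.1", 8080)) // true <nil>
	fmt.Println(isListening(sampleProcNetTCP, "10.0.0.5", 5000))  // false <nil>
	fmt.Println(isListening(sampleProcNetTCP, "localhost", 8080)) // false plus an error
}
```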
On cgroup v1 we need to mount only the systemd named hierarchy as
writeable, so we configure the OCI runtime to mount /sys/fs/cgroup as
read-only and on top of that bind mount /sys/fs/cgroup/systemd.
But when we use a private cgroupns, we cannot do that since we don't
know the final cgroup path.
Also, do not override the mount if there is already one for
/sys/fs/cgroup/systemd.
Closes: https://github.com/containers/podman/issues/17727
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Wait for all generated services to be ready to be sure we can iron out
race conditions. Also disable rollbacks to make sure we can analyze
the error if restarting a service fails. This information may be
crucial to understand the flakes on Debian as tracked in #17607.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
To help debug #17607, turn off rollbacks for tests that do not require
rollbacks. Errors when restarting the systemd units are then not
suppressed but returned which should give us more information about what
is going on on the Debian systems.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This reverts commit e33f4e0bc7, going
back to three connections (not two) for each range in TCP tests. I'm
not sure yet what caused the original issue, but it might be fixed
now. If it does, this fixes #17287.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Currently Podman prevents SELinux container separation,
when running within a container. This PR adds a new
--security-opt label=nested
When setting this option, Podman unmasks and mounts
/sys/fs/selinux into the containers making /sys/fs/selinux
fully exposed. Secondly Podman sets the attribute
run.oci.mount_context_type=rootcontext
This attribute tells crun to mount volumes with rootcontext=MOUNTLABEL
as opposed to context=MOUNTLABEL.
With these two settings Podman inside the container is allowed to set
its own SELinux labels on tmpfs file systems mounted into its parents
container, while still being confined by SELinux. Thus you can have
nested SELinux labeling inside of a container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Another followup to #17608. Nightly tests were hanging,
because /run/podman/podman.sock was hardcoded (bad idea
for rootless). Poor testing on my part.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This case is fixed by passt commit bad252687271 ("conf, udp: Allow
any loopback address to be used as resolver") and the fix is now
available in packages included by the CI images.
Note that, depending on the resolver on the host, we might get
1.0.0.127.in-addr.arpa resolved to localhost, or simply NXDOMAIN for
it: accept a failure on the nslookup command, as long as we have a
response for 1.0.0.127.in-addr.arpa in the output. If we have any
response, that means we could talk to the resolver.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Add a hidden flag to set the database backend and plumb it into
podman-info. Further add a system test to make sure the flag and the
info output are working properly.
Note that the test may need to be changed once we settled on how
to test the sqlite backend in CI.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The symptoms in #17607 point to some race since it does not always flake
on Debian (and Debian only). Hence, wait for the service to be ready
before building the image to make sure that the service is started with
the old image and that everything's in order.
Fixes: #17607
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add a way to keep play kube running in the foreground and terminating all pods
after receiving a SIGINT or SIGTERM signal. The pods will also be
cleaned up after the containers in it have exited.
If an error occurs during kube play, any resources created till the
error point will be cleaned up also.
Add tests for the various scenarios.
Fixes #14522
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
The buildah bud tests run rootless, so attempting to bypass the
ident-check with a `git config --system` fails with a permission denied
error (as it should). Update the command to use `--global` instead,
which writes to `~/.gitconfig` and so works for regular users.
Also set up a fake identity for the CI-user and enable shell-debugging
for the commands to inform humans of what is happening in the script.
Signed-off-by: Chris Evich <cevich@redhat.com>
Handle the Mount key
Reuse code from the handling of the Volume key
Add E2E Test
E2E Test - Add checker for KeyValue string
Update man page
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
The test should make sure the logs --follow call will log entries that
are created in the future when --since is used and does not include the
container start event. However it seems the timing is too tight. I think
it was possible that CI logged the line before the logs call was made,
thus it is missing because --since excluded it.
I cannot reproduce so I am not 100% on this but we can reopen the issue
if it still happens.
Fixes #17616
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This reverts commit 81f116c59c: the
passt package for Fedora 37 images is now fixed in the
c20230223t153813z-f37f36d12 image.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
For some weeks or longer, the buildah bud tests have been failing under
cirrus-cron with the message:
```
+ git am --reject
Committer identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
fatal: empty ident name (for
<some30462dude@cirrus-task-5479994827210752.c.libpod-218412.internal>)
not allowed
```
Fix this by marking the clone directory "safe" when the script is
running under CI.
Signed-off-by: Chris Evich <cevich@redhat.com>
Do not set the runtime when processing a .container file
Let Podman choose the runtime based on its configuration
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
A horrible timeout-flake exists in the version presently in CI VM images
`c20230221t162829z-f37f36d12`. Since the PR for adding the 2023-02-21
images is more urgently needed (#17305) than a pasta fix, skip all pasta
tests while waiting for a fix.
Signed-off-by: Chris Evich <cevich@redhat.com>
Test emits nasty warning message:
`Resource limits are not supported and ignored on cgroups V1 rootless
systems`
Ref: issue #17582
Signed-off-by: Chris Evich <cevich@redhat.com>