Just like we do with RUNTIME and NETWORK. Skipped for now in
system tests because there's no way yet to actually set the
database backend.
Also, in system test oneliner (first test), include DB
Signed-off-by: Ed Santiago <santiago@redhat.com>
This reverts commit 1c08f2edac3f9ecf128cf8da91276e963e6ad14c: the
original failure reported in #17287 persists:
[+1306s] not ok 453 podman networking with pasta(1) - TCP translated port range forwarding, IPv4, loopback
...
[+1306s] # 2023/03/15 14:33:33 socat[119870] E connect(8, AF=2 127.0.0.1:5127, 16): Interrupted system call
[+1306s] # xx
[+1306s] # #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
[+1306s] # #| FAIL: Mismatch between data sent and received
[+1306s] # #| expected: = xxx
[+1306s] # #| actual: xx
[+1306s] # #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
so keep two connections instead of three as long as I'm too dumb to
figure this out.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Transient mode means the DB should not persist, so instead of
using the GraphRoot we should use the RunRoot instead.
Signed-off-by: Matt Heon <mheon@redhat.com>
Two main changes:
- The transient state tests relied on BoltDB paths, change to
make them agnostic
- The volume code in SQLite wasn't retrieving and setting the
volume plugin for volumes that used one.
Signed-off-by: Matt Heon <mheon@redhat.com>
When streaming events, prevent returning duplicates after a log rotation
by marking a beginning and an end for rotated events. Before starting to
stream, get a timestamp while holding the event lock. The timestamp
allows for detecting whether a rotation event happened while reading the
log file and to skip all events between the begin and end rotation
event.
In an ideal scenario, we could detect rotated events by enforcing a
chronological order when reading and skip those detected to not be more
recent than the last read event. However, events are not always
_written_ in chronological order. While this can be changed, existing
event files could not be read correctly anymore.
Fixes: #17665
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
When the service is running with trace log level it wraps the
`http.ResponseWriter` to log extra information. The problem is that the
new type does not keep all the functions from the embedded type.
Instead we have to implement them ourselves, however only Write() was
implemented. Thus `Hijack()`could not be called on the writer. To
prevent these issues we would implement all the interfaces that the
inner type supports (Header, WriteHeader, Flush, Hijack).
Fixes#17749
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The goal of the wait_for_port() function is to return when the port is
bound. This is to make sure we wait for application startup time.
This can be seen in some comments of the callers.
Commit 7e3d04fb caused this regression while reworking the logic to read
ports from /proc. I doesn't seem to cause problems in CI, properly
because the function returns before the port is bound.
I have not seen any flakes related to this but I only see the ones on
PRs where I rerun tests so it is best to wait for Ed to take a look.
Also fixes the broken ipv4_to_procfs() which only passes one argument to
__ipv4_to_procfs(), this results in the ipv4 not beeing inverted.
Therefore all bind checks against a direct ipv4 did not work.
This function accepts only an ipv4 but one caller passes localhost
which is invalid.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
On cgroup v1 we need to mount only the systemd named hierarchy as
writeable, so we configure the OCI runtime to mount /sys/fs/cgroup as
read-only and on top of that bind mount /sys/fs/cgroup/systemd.
But when we use a private cgroupns, we cannot do that since we don't
know the final cgroup path.
Also, do not override the mount if there is already one for
/sys/fs/cgroup/systemd.
Closes: https://github.com/containers/podman/issues/17727
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Wait for all generated services to be ready to be sure we can iron out
race conditions. Also disable rollbacks to make sure we can analyze
the error if restarting a service fails. This information may be
crucial to understand the flakes on Debian as tracked in #17607.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
To help debug #17607, turn off rollbacks for tests that do not require
rollbacks. Error when restarting the systemd units are then not
suppressed but returned which should give us more information about what
is going on the Debian systems.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This reverts commit e33f4e0bc7429038ba6aa82285ae8749c9037c88, going
back to three connections (not two) for each range in TCP tests. I'm
not sure yet what caused the original issue, but it might be fixed
now. If it does, this fixes#17287.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Currently Podman prevents SELinux container separation,
when running within a container. This PR adds a new
--security-opt label=nested
When setting this option, Podman unmasks and mountsi
/sys/fs/selinux into the containers making /sys/fs/selinux
fully exposed. Secondly Podman sets the attribute
run.oci.mount_context_type=rootcontext
This attribute tells crun to mount volumes with rootcontext=MOUNTLABEL
as opposed to context=MOUNTLABEL.
With these two settings Podman inside the container is allowed to set
its own SELinux labels on tmpfs file systems mounted into its parents
container, while still being confined by SELinux. Thus you can have
nested SELinux labeling inside of a container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Another followup to #17608. Nightly tests were hanging,
because /run/podman/podman.sock was hardcoded (bad idea
for rootless). Poor testing on my part.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This case is fixed by passt commit bad252687271 ("conf, udp: Allow
any loopback address to be used as resolver") and the fix is now
available in packages included by the CI images.
Note that, depending on the resolver on the host, we might get
1.0.0.127.in-addr.arpa resolved to localhost, or simply NXDOMAIN for
it: accept a failure on the nslookup command, as long as we have a
response for 1.0.0.127.in-addr.arpa in the output. If we have any
response, that means we could talk to the resolver.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Add a hidden flag to set the database backend and plumb it into
podman-info. Further add a system test to make sure the flag and the
info output are working properly.
Note that the test may need to be changed once we settled on how
to test the sqlite backend in CI.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The symptoms in #17607 point to some race since it does not always flake
on Debian (and Debian only). Hence, wait for the service to be ready
before building the image to make sure that the service is started with
the old image and that everything's in order.
Fixes: #17607
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add a way to keep play kube running in the foreground and terminating all pods
after receiving a a SIGINT or SIGTERM signal. The pods will also be
cleaned up after the containers in it have exited.
If an error occurrs during kube play, any resources created till the
error point will be cleane up also.
Add tests for the various scenarios.
Fixes#14522
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
The buildah bud tests run rootless, so attempting to bypass the
ident-check with a `git config --system` fails with a permission denied
error (as it should). Update the command to use `--global` instead,
which writes to `~/.gitconfig` and so works for regular users.
Also setup a fake identity for the CI-user and enable shell-debugging
for the commands to inform humans of what is happening in the script.
Signed-off-by: Chris Evich <cevich@redhat.com>
Handle the Mount key
Reuse code from the handling of the Volume key
Add E2E Test
E2E Test - Add checker for KeyValue string
Update man page
Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
The test should make sure the logs --follow call will log entries that
are created in the future when --since is used and doe not include the
container start event. However it seems the timing is to tight. I think
it was possible that CI logged the line before the logs call was made,
thus it is missing because --since excluded it.
I cannot reproduce so I am not 100% on this but we can reopen the issue
if it still happens.
Fixes#17616
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This reverts commit 81f116c59c291793742e10ea84b77511902a0338: the
passt package for Fedora 37 images is now fixed in the
c20230223t153813z-f37f36d12 image.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
For some weeks or longer, the buildah bud tests have been failing under
cirrus-cron with the message:
```
+ git am --reject
Committer identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
fatal: empty ident name (for
<some30462dude@cirrus-task-5479994827210752.c.libpod-218412.internal>)
not allowed
```
Fix this by marking the clone directory "safe" when the script is
running under CI.
Signed-off-by: Chris Evich <cevich@redhat.com>
