...from the test name. Eliminates scary duplication.
Followup to #19053: instead of cross-checking pasta test args
against test name, eliminate the args entirely. Determine
them all from the @test name itself.
Example:
"TCP translated port range forwarding, IPv4, loopback"
| | | | | | +-- iftype=loopback
| | | | | +-------- ip_ver=4
| | | | +-------------------- bytes=1
| | | +-------------------------- range=3
| | +------------------------------- (ignored)
| +------------------------------------------ delta=1
+--------------------------------------------- proto=tcp
Signed-off-by: Ed Santiago <santiago@redhat.com>
Do not use podman info/version as they are expensive and clutter the log
for no reason. Just checking if we can connect to the socket should be
good enough and much faster.
Fix the non existing error checking, so that we actually see an useful
error when this does not work.
Also change the interval, why wait 2s for a retry lets take 100ms steps
instead.
Fixes#19010
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Previous tests have worked by pure chance since the client and server
ran on the same host; the server picked up the credentials created by
the client login.
Extend the gating tests and add a new integration test which is further
capable of exercising the remote code.
Note that fixing authentication support requires adding a new
`--authfile` CLi flag to `manifest inspect`. This will at least allow
for passing an authfile to be bindings. Username and password are not
yet supported.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
This endpoint queried the same package versions twice causing it to be
slower than info. Because it already called info we can just reuse the
package versions from there.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This file has not been present in BSD systems since 2.9.1 BSD and as far
as I remember /proc/mounts has never existed on BSD systems.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
Podman is basically unusable without cgo, checking if it compiles
without adds no value and just tricks people into thinking it works when
it does not.
This means we do not need extra to NOP out a lot of cgo calls with
functions that just return an error like `XXX is not supported without
cgo`.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We never ever close the stream so we do not need the Close() function in
th ebackend, the caller should close when required which may no be the
case, i.e. when os.Stdout/err is used.
This should not be a breaking change as the io.Writer is a subset of
io.WriteCloser, therfore all code should still compile while allowing to
pass in Writers without Close().
This is useful for podman top where we exec ps in the container via
podman exec.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This ended up more complicated then expected. Lets start first with the
problem to show why I am doing this:
Currently we simply execute ps(1) in the container. This has some
drawbacks. First, obviously you need to have ps(1) in the container
image. That is no always the case especially in small images. Second,
even if you do it will often be only busybox's ps which supports far
less options.
Now we also have psgo which is used by default but that only supports a
small subset of ps(1) options. Implementing all options there is way to
much work.
Docker on the other hand executes ps(1) directly on the host and tries
to filter pids with `-q` an option which is not supported by busybox's
ps and conflicts with other ps(1) arguments. That means they fall back
to full ps(1) on the host and then filter based on the pid in the
output. This is kinda ugly and fails short because users can modify the
ps output and it may not even include the pid in the output which causes
an error.
So every solution has a different drawback, but what if we can combine
them somehow?! This commit tries exactly that.
We use ps(1) from the host and execute that in the container's pid
namespace.
There are some security concerns that must be addressed:
- mount the executable paths for ps and podman itself readonly to
prevent the container from overwriting it via /proc/self/exe.
- set NO_NEW_PRIVS, SET_DUMPABLE and PDEATHSIG
- close all non std fds to prevent leaking files in that the caller had
open
- unset all environment variables to not leak any into the contianer
Technically this could be a breaking change if somebody does not
have ps on the host and only in the container but I find that very
unlikely, we still have the exec in container fallback.
Because this can be insecure when the contianer has CAP_SYS_PTRACE we
still only use the podman exec version in that case.
This updates the docs accordingly, note that podman pod top never falls
back to executing ps in the container as this makes no sense with
multiple containers so I fixed the docs there as well.
Fixes#19001
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2215572
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Podman will always pass down --syslog to conmon since 13c2aca21.
However there systems without syslog running, likely in container
setups. As reported in this was already a problem before when debug
level is used. Then conmon will pass down --syslog back to the podman
container cleanup command causing it to fail without doing anything.
Given that I think it is better to just ignore the error and log it on
debug level, we need to make sure cleanup works consistently.
[NO NEW TESTS NEEDED]
Fixes#19075
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The libpod API does not set a default. Also PodTop is podman sepecific
so we can just rmeove this extra branch there.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Users may want to replace the secret used within containers, without
destroying the secret and recreating it.
Partial fix for https://github.com/containers/podman/issues/18667
Make sure podman --remote secret inspect and podman secret inspect
return the same error message.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The markdown-to-manpage sequence interprets
_from_uid_ and *from_uid* differently.
Use the latter syntax to get the expected result.
Fixes: https://github.com/containers/podman/issues/19171
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
Regarding "The command does not support more than one listening socket for the API service."
See this Podman source code: (a permalink into the main branch as of 2 July 2023)
539be58163/cmd/podman/system/service_abi.go (L48-L50)
Move up the paragraph "The REST API provided ...".
Move up the sentence "Note: The default systemd ...".
Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
Previously podman was using "MB" and "GB" (binary) for input but
"MB" and "GB" (decimal) for output, which was causing confusion.
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
An empty range caused a panic as parseOptionIDs tried to check further
down for an @ at index 0 without taking into account that the splitted
out string could be empty.
Signed-off-by: Simon Brakhane <simon@brakhane.net>
One of the reasons the last propose-downstream task failed for Fedora
was the `golist` tool wasn't available in the Packit environment.
This commit adds golist to the environment by downloading and extracting
the golist rpm.
This dependency could've been added in packit's upstream config but
there were a few blockers, so it's easiest to add them in our action
script.
Ref: https://github.com/containers/podman/issues/19094
[NO NEW TESTS NEEDED]
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
1. toolbox UID/GID allocation: pick numbers < 1500. Otherwise
we run the risk of colliding with the Cirrus rootless user.
2. WaitContainerReady(): check the results of the last "podman logs"
before timing out. Otherwise, the user will see "READY" followed
immediately by "Container is not ready".
(global bug, not just toolbox, but that's where I discovered it).
Signed-off-by: Ed Santiago <santiago@redhat.com>
Using GinkgoT().TempDir() will automatically result in the directy to be
cleaned up when the test is done. This should help to prevent leaking
files and we do not need to error check every time.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Like LockTmpDir use a random tmpdir for this directory. Make sure it is
set for all parallel ginkgo processes.
Also GinkgoT().TempDir() will automatcially remove the directory at the
end so we do not need to worry about cleanup.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
