Add a bunch of tests to ensure that --volumes-from
works as expected.
Also align the podman create and run man page.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
- podman network create: new test
- podman pull by-sha + podman images -a (#7651)
- podman image mount: new test
- podman pod: --infra-image and --infra-command (#7167)
For convenience and robustness, build a new testimage
containing a custom file /home/podman/testimage-id
with contents YYYYMMDD (same as image tag). The
image-mount test checks that this file exists and
has the desired content. New testimage also includes
a dummy 'pause' executable, for testing pod infra.
Updates from testimage:20200902 to :20200917
Signed-off-by: Ed Santiago <santiago@redhat.com>
Podman wants to guarantee that exec sessions retain the groups of
the container they are started in, unless explicitly overridden
by the user. This guarantee was broken for containers where the
`--user` flag was specified; this patch resolves that.
Somewhere in the Exec rewrite for APIv2, I changed the location
where the container's User is passed into the exec session
(similar to groups, we also want to preserve user unless
overridden). The lower-level Exec APIs already handled setting
user and group appropriately if not specified when the exec
session was created, but I added duplicate code to handle this
higher in the stack - and that code only handled setting user,
not supplemental groups, breaking support in that specific case.
Two things conspired to make this one hard to track down: first,
things were only broken if the container explicitly set a user;
otherwise, the container user would still appear to be unset to
the lower-level code, which would properly set supplemental
groups (this tricked our existing test into passing). Also, the
`crun` OCI runtime will add the groups without prompting, which
further masked the problem there. I debated making `runc` do the
same, but in the end it's better to fix this in Podman - it's
better to be explicit about what we want done so we will work
with all OCI runtimes.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
for podman-remote build operations, the iidfile, when used, needs to write the file to the client's local filesystem.
Signed-off-by: baude <bbaude@redhat.com>
Always return all associated names / repo tags of an image and fix a bug
with malformed repo tags.
Previously, Podman returned all names only with `--all` but this flag
only instructs to list intermediate images and should not alter
associated names. With `--all` Podman queried the repo tags of an image
which splits all *tagged* names into repository and tag which is then
reassembled to eventually be parsed again in the frontend. Lot's of
redundant CPU heat and buggy as the reassembly didn't consider digests
which ultimately broke parsing in the frontend.
Fixes: #7651
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When using `podman play kube` with a YAML file that has pod labels,
apply those labels to the pods that podman makes.
For example, this Deployment spec has labels on a pod:
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
labels:
app: myapp
spec:
selector:
matchLabels:
app: myapp
template:
metadata:
labels:
app: myapp
spec:
containers:
- name: web
image: nginx
ports:
- containerPort: 80
The pods that podman creates will have the label "app" set to "myapp" so
that these pods can be found with `podman pods ps --filter label=app`.
Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
Currently infr-command and --infra-image commands are ignored
from the user. This PR instruments them and adds tests for
each combination.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Enables podman create, pull, run, import to use --signature-policy option. Set it as hidden flag to be consistent with other commands.
Signed-off-by: Qi Wang <qiwan@redhat.com>
* API-Version header now Major.Minor to support tools parsing this
header
* Libpod Version updated to 2.0.0 to reflect changes in API field
values
* API-Version and Libpod-API-Version headers are now included in all
results
Fixes#7327
* Header support tested against goland 2020.2 and
https://www.jetbrains.com/help/idea/docker.html plugin
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Record the user-specified "raw" image name in the SpecGenerator, so we
can pass it along to the config when creating a container. We need a
separate field as the image name in the generator may be set to the
ID of the previously pulled image - ultimately the cause of #7404.
Reverting the image name from the ID to the user input would not work
since "alpine" for pulling iterates over the search registries in the
registries.conf but looking up "alpine" normalizes to
"localhost/alpine".
Recording the raw-image name directly in the generator was the best of
the options I considered as no hidden magic from search registries or
normalizations (that may or may not change in the future) can interfere.
The auto-update backend enforces that the raw-image name is a
fully-qualified reference, so we need to worry about that in the front
end.
Fixes: #7407
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add new system check confirming that "podman foo -l arg"
throws an error; and fix lots of instances where code
was not doing this check.
I'll probably need to add something similar for --all but
that can wait.
Signed-off-by: Ed Santiago <santiago@redhat.com>
* Refactor/Rename channel.WriteCloser() to encapsulate the channel
* Refactor build endpoint to "live" stream buildah output channels
over API rather then buffering output
* Refactor bindings/tunnel build because endpoint changes
* building tar file now in bindings rather then depending on
caller
* Cleanup initiating extra image engine
* Remove setting fields to zero values (less noise in code)
* Update tests to support remote builds
Fixes#7136Fixes#7137
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Problem: if either of the two "podman network create" tests
fail, all subsequent retries will also fail because the
created network has not been cleaned up (so "network create"
will fail with EEXIST).
Solution: run "podman network rm" as deferred cleanup instead
of in each test.
This is NOT a fix for #7583 - it is just a way to allow
ginkgo to retry a failing test.
Signed-off-by: Ed Santiago <santiago@redhat.com>
this is an option that allows a user to specify whether to share PID namespace in the pod
for play kube and generate kube
associated test added
Signed-off-by: Peter Hunt <pehunt@redhat.com>
- run tests: better "skip" message for docker-archive test;
remove FIXME, document that podman-remote doesn't support it
- run tests: instrument the --conmon-pidfile test in hopes
of tracking down flake #7580: cross-check pidfile against
output of 'podman inspect', and add some debug messages
that will only be seen on test failure.
- load tests: the pipe test: save and load a temporary tag,
not $IMAGE. Primary reason is because of #7371, in which
'podman load' assigns a new image ID (instead of preserving
the saved one). This messes with our image management, and
it turns out to be nonfixable.
Signed-off-by: Ed Santiago <santiago@redhat.com>
To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.
Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.
While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.
Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.
Fixes#7503Fixes#7389Fixes#7499
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Since --pull is deprecated, remove it from help and hide if from --help
Also set it to true by default.
Share image pull code betweern podman image pull and podman container runlabel.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1877181
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
After attaching to a container, we wait for the container to finish and
return its exit code. Waiting for the container may not always succeed,
for instance, when the container has been force removed by another
process. In such case, we have to look at the *last* container-exit
event.
Also refactor the `ContainerRun` method a bit to return early on errors
and de-spaghetti the code.
Enable the remote-disabled system test.
Fixes: #7117
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
