PR #20082 bumped fedora-minimal, from f34 to f39. This worked
fine for a few days, then all of a sudden CI started breaking
because the f39 minimal image got rebuilt and repushed without
adduser. #20127 was an emergency fix; this is a stabler fix.
We keep using not-under-our-control container images, and we
keep getting burned when those get updated in nasty ways. Here
we switch to using a tagged & versioned fedora-minimal image
that is under our control.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The processing and setting of the static and volume directories was
scattered across the code base (including c/common) leading to subtle
errors that surfaced in #19938.
There were multiple issues that I try to summarize below:
- c/common loaded the graphroot from c/storage to set the defaults for
static and volume dir. That ignored Podman's --root flag and
surfaced in #19938 and other bugs. c/common does not set the
defaults anymore which gives Podman the ability to detect when the
user/admin configured a custom directory (not empty value).
- When parsing the CLI, Podman (ab)uses containers.conf structures to
set the defaults but also to override them in case the user specified
a flag. The --root flag overrode the static dir which is wrong and
broke a couple of use cases. Now there is a dedicated field for in
the "PodmanConfig" which also includes a containers.conf struct.
- The defaults for static and volume dir and now being set correctly
and adhere to --root.
- The CONTAINERS_CONF_OVERRIDE env variable has not been passed to the
cleanup process. I believe that _all_ env variables should be passed
to conmon to avoid such subtle bugs.
Overall I find that the code and logic is scattered and hard to
understand and follow. I refrained from larger refactorings as I really
just want to get #19938 fixed and then go back to other priorities.
https://github.com/containers/common/pull/1659 broke three pkg/machine
tests. Those have been commented out until getting fixed.
Fixes: #19938
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The fedora minimal 39 image has been updated on the fedora registry and
removed the `useradd` binary. Since we were pulling by tag and not by
digest, updates to images outside of our control always entail a certain
risk - and now it bit us.
To fix it, try to move as many users of `useradd` to _our_ CITEST_IMAGE
and migrate the code where necessary to this Alpine-based tooling.
However, the Alpine-based `adduser` binary (not useradd!) doesn't work
well when being executed as a non-root user and will just error out.
Hence, move the fedora minimal image back to version 34 which is still
including the `useradd` binary.
Ultimately, all images on public registries should be pulled via digest
to make sure we pin them down. I refrain from doing this now to make
sure we can cherry-pick this PR to older branches and get things back
into a working state ASAP.
Fixes: #20119
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Container ports defined with containerPort were exposed by default
even though kubernetes interprets them as mostly informative.
Closes#17028
Signed-off-by: Peter Werner <wpw.peter@gmail.com>
Fix farm update to verify a connection exists before
removing or adding it.
Also verify that the farm we want to update exists.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
This is not really an error, if the anonymous volume is still used then
this likely means it was transferred to another container with
--volumes-from. This is what the user wants and it is not like the user
can act on the logged error anyway. Once the last user of the volume is
removed it will be removed correctly.
see https://github.com/containers/podman/pull/19637
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Commit 2 of 2: steps to make tests work under ExitCleanly()
Mostly adding "-q" to push/pull, but also:
- revert ExitCleanly(), and add error-message checks
if absent;
- fix a test that was completely nonfunctional from
Day One: test was getting skipped because registry
couldn't start, because of missing ":z"s in mount option.
Fixed, and removed the bypass;
- use built-in skopeo, not pulled-container skopeo. Skopeo
is already a requirement for system tests.
Signed-off-by: Ed Santiago <santiago@redhat.com>
commit cf364703fc changed the way
/sys/fs/cgroup is mounted when there is not a netns and it now honors
the ro flag. The mount was created using a bind mount that is a
problem when using a cgroup namespace, fix that by mounting a fresh
cgroup file system.
Closes: https://github.com/containers/podman/issues/20073
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
If you are running a quadlet with anonymous volumes, then the volume
will leak ever time you restart the service. This change will
cause the volume to be removed.
Fixes: https://github.com/containers/podman/issues/20070
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Commit 3 of 3: make tests pass.
This is the tricky one requiring manual effort. For the most part,
all I did was replace ALPINE/"alpine" with CITEST_IMAGE so we
don't get "Pulling..." messages. Also added warning-message checks
to two truncation tests
Signed-off-by: Ed Santiago <santiago@redhat.com>
Commit 2 of 3:
- rewrite all but one commands, from "generate kube" to "kube g".
- remove "podman generate kube" from all It()s.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Commit 3 of 3, and this one's a doozy. Sorry.
The main problem was that "kube play" re-pulled images.
To solve that, I changed PullPolicy to "missing" and,
where possible, replaced alpine/busybox with CITEST_IMAGE
because that one seems to be cached better? I couldn't
figure out why, but even without the PullPolicy change
everything worked better with CITEST_IMAGE. And it's
a better image to use anyway.
Other lesser changes (like adding "-q") as needed.
Also:
- in four tests that use "replica", we can't use ExitCleanly()
because of a run-time warning. Add a check for that warning.
- remove a workaround for a long-closed issue (c/storage 1232)
Signed-off-by: Ed Santiago <santiago@redhat.com>
Commit 2 of 3:
- rewrite all commands but one, from "play kube" to "kube play".
Considered renaming the file but no, maybe later.
- remove "podman play kube" from all It()s. "Podman kube play" is
already in the Description; unnecessary redundancy is unnecessary.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The --syslog flag has not been passed to the cleanup process (i.e.,
conmon's exit args) complicating debugging quite a bit.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
The test started to fail in gating and on workstations. It turned out
that pushing the test image to the registry recompresses it which in
turn may change the digest. The digest now started to change; computing
it depends on the toolchain so the test passed before by pure luck it
seems.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
cli flags couldn't override the active-destination when env variables were set. As a remedy, the precedence of cli flags has been changed.
Signed-off-by: Chetan Giradkar <cgiradka@redhat.com>
Commit 1 of 2.
More easy ones: test files that either work with ExitCleanly()
or require very, very simple tweaks.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Part of RUN-1906.
Followup to #19878 (check stderr in system tests): allow_warnings()
and require_warning() functions to make sure no unexpected messages
fall through the cracks.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Commit 2 of 2: manual tweaks to get tests passing. Very trivial,
the vast majority of these test files worked with no changes.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Continuing work on RUN-1907: huge set of files, but not
as intimidating as it looks.
Commit 1 of 2: mindless replace of Exit(0) with ExitCleanly()
Signed-off-by: Ed Santiago <santiago@redhat.com>
Followup to #20016:
- remove obsolete (misleading) comment
- prune dangling <none>:<none> image
Also, in kube test, rmi pause_image to avoid nasty red warnings
Also, ouch, fix a stupid that I introduced in #19878: the PODMAN
command path got dropped from log messages.
Signed-off-by: Ed Santiago <santiago@redhat.com>
