...and remove one old skip() for older debian, but leave
two others in place and mark that they're still a problem.
Signed-off-by: Ed Santiago <santiago@redhat.com>
It qemu cannot be compiled anyway so make sure we do not try to compile
parts where the typechecker complains about on windows.
Also all the e2e test files are only used on linux as well.
pkg/machine/wsl also reports some error but to many for me to fix them
now. One minor problem was fixed in pkg/machine/machine_windows.go.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Use network slirp4netns for the registry container to work around a
pasta regression (#23517). This should be revert once it is fixed in
pasta and included in our CI images.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
"/my-alpine" is also being used by tests in search_test.go;
use unique names to make sure we are trying to pull the encrypted
images created in the test.
Purely to avoid doubt, this should not actually change (test) behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
When a users asks for specific devices we should still add them and not
ignore them just because privileged adds all of them.
Most notably if you set --device /dev/null:/dev/test you expect
/dev/test in the container, however as we ignored them this was not the
case. Another side effect is that the input was not validated at at all.
This leads to confusion as descriped in the issue.
Fixes#23132
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Followup to #22270: wherever possible/practical, extend command
error checks to include explicit exit status codes and error strings.
Signed-off-by: Ed Santiago <santiago@redhat.com>
When you run locally with a higher oom_score_adj then the one used in
the test podman will print a warning and not set the oom lower then the
current value. Thus use 999 as value which should only cause problems
for users with oom_score_adj value of 1000 (max value) which seems
unlikely.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Too many tests use port 5000. Although there's a putative GetPortLock()
it seems to be unreliable, and we often get what appear to be collisions
between tests.
A proper solution would be to pseudorandomly allocate ports, verify
that they're not being reused, Sprintf() these everywhere that
needs them, and sprinkle some powdered cinnamon on top.
This is not that proper solution.
Fixes: #20655
Signed-off-by: Ed Santiago <santiago@redhat.com>
This removes a lot of boilerplate, but also ensures that every
stop test that is not directly testing podman stop or podman pod
stop uses `-t0` for quick, error-free stopping.
Signed-off-by: Matt Heon <mheon@redhat.com>
Continuing to see CI failures of the form "StopSignal SIGTERM
failed to stop container in 10 seconds". Work around those,
either by adding "-t0" to podman stop, or by using Expect(Exit(0))
instead of ExitCleanly().
Addresses, but does not close, #20196
Signed-off-by: Ed Santiago <santiago@redhat.com>
And, runc-1.12 broke our seccomp e2e tests (runc now calls getcwd(),
which is the dummy syscall blocked for testing seccomp). Switch
to blocking link() instead.
Also, disable v4.1.0 upgrade tests. They're hanging, and I have
no idea why, and have wasted most of a day debugging.
Fixes: #21546
Signed-off-by: Ed Santiago <santiago@redhat.com>
Moving from Go module v4 to v5 prepares us for public releases.
Move done using gomove [1] as with the v3 and v4 moves.
[1] https://github.com/KSubedi/gomove
Signed-off-by: Matt Heon <mheon@redhat.com>
This option accepts a file path so we should allow commas in it.
Also add tests for --decryption-key
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
...while Ed was napping:
- create/run based on remote image: was not actually testing anything
- create/run --tls-verify: ditto
- run --decryption-key: sort of testing but not really
- Fail(), not Skip(), if we can't start registry.
- never Skip() halfway through a test: emit a message, and return
The Skip-in-the-middle thing deserves to be shouted from the rooftops.
Let's please never do that again. Skip() says "this entire test was
skipped", which can be misleading to a spelunker trying to track
down a problem related to those tests.
Also, more minor:
- reduce use of port 5000
- rename a confusingly-named test
Ref: #11205, #12009
Signed-off-by: Ed Santiago <santiago@redhat.com>
I don't really like this solution because it can't be undone by
`--security-opt unmask=all` but I don't see another way to make
this retroactive. We can potentially change things up to do this
the right way with 5.0 (actually have it in the list of masked
paths, as opposed to adding at spec finalization as now).
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Commit 2 of 2: fixes to get tests passing
Mostly reverting back to Exit(0) on tests that produce stderr,
adding stderr checks when those are missing.
One pretty big exception: "run check dns" test was completely
broken in many respects. It should never have worked under CNI,
but was passing because nslookup in that alpine image was
checking /etc/hosts. This has been fixed in subsequent alpine
images, which we're now using in this test (CITEST_IMAGE).
Signed-off-by: Ed Santiago <santiago@redhat.com>
commit 8b4a79a744 introduced
oom_score_adj clamping when the container oom_score_adj value is lower
than the current one in a rootless environment. Move the check to
init() time so it is performed every time the container starts and not
only when it is created. It is more robust if the oom_score_adj value
is changed for the current user session.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
We do not allow volumes and mounts to be placed at the same
location in the container, with create-time checks to ensure this
does not happen. User-added conflicts cannot be resolved (if the
user adds two separate mounts to, say, /myapp, we can't resolve
that contradiction and error), but for many other volume sources,
we can solve the contradiction ourselves via a priority
hierarchy. Image volumes come first, and are overridden by the
`--volumes-from` flag, which are overridden by user-added mounts,
etc, etc. The problem here is that we were not properly handling
volumes-from overriding image volumes. An inherited volume from
--volumes-from would supercede an image volume, but an inherited
mount would not. Solution is fortunately simple - just clear out
the map entry for the other type when adding volumes-from
volumes.
Makes me wish for Rust sum types - conflict resolution would be a
lot simpler if we could use a sum type for volumes and bind
mounts and thus have a single map instead of two maps, one for
each type.
Fixes#19529
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
The current way of bind mounting the host timezone file has problems.
Because /etc/localtime in the image may exist and is a symlink under
/usr/share/zoneinfo it will overwrite the targetfile. That confuses
timezone parses especially java where this approach does not work at
all. So we end up with an link which does not reflect the actual truth.
The better way is to just change the symlink in the image like it is
done on the host. However because not all images ship tzdata we cannot
rely on that either. So now we do both, when tzdata is installed then
use the symlink and if not we keep the current way of copying the host
timezone file in the container to /etc/localtime.
Also note that we need to rebuild the systemd image to include tzdata in
order to test this as our images do not contain the tzdata by default.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2149876
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
There is no reason to define the same code every time in each file, just
use global nodes. This diff should speak for itself.
CleanupSecrets()/Volume() no longer call Cleanup() directly, as the
global AfterEach node will always call Cleanup() this is no longer
necessary. If one AfterEach() node fails it will still run the others.
Also always unset the CONTAINERS_CONF env vars. This prevents people
from forgetting to unset it. And fix the special CONTAINERS_CONF logic
in the system connection tests, we do not want to preserve
CONTAINERS_CONF anyway so just remove this logic.
Ginkgo orders the BeforeEach and AfterEach nodes. They will be executed
from the outer-most defined to inner-most. This means our global
BeforeEach is always first. Only then the inner one (in the Describe()
function in each file). For AfterEach it is inverted, from the inner to
the outer.
Also see https://onsi.github.io/ginkgo/#organizing-specs-with-container-nodes
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
These annotations can have security implications - crun, for
example, allows rootless containers to preserve the user's groups
through an annotation. We absolutely should not include
annotations from an untrusted image off the internet by default.
We may consider whitelisting some annotations (e.g. the legacy
WASM annotations), but given that there is now a more explicit
way of specifying an image uses the WASM runtime in the OCI image
spec, I'm just tearing this out entirely for now.
Signed-off-by: Matt Heon <mheon@redhat.com>
- fix a typo that was resulting in a test being a NOP, and
add actual testing to it.
- fix two Expects() with incorrectly-ordered actual/expects
- remove leading whitespace from an It() test name
- To(BeTrue()) is evil. Wherever possible, replace it with
useful string or field checks. When not possible, use
the annotation field to indicate what failed. I got
carried away here, #sorrynotsorry
- remove unused system-test code
Signed-off-by: Ed Santiago <santiago@redhat.com>
Directly writing to stdout/err is not safe when run in parallel.
Ginkgo v2 fixed this buffering the output and syncing the output so it
is not mangled between tests.
This means we should use the GinkgoWriter everywhere to make sure the
output stays in sync.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Podman's container-name generation depends on the global RNG state being
properly initialized (seeded). Should this not happen for some reason
(or it's seeded with a static value), podman will generate the exact
same repeating sequence of container names (assuming no clashes with
existing containers). Add a test to confirm this is always the case.
Signed-off-by: Chris Evich <cevich@redhat.com>
...at least as many as possible. "run/exec -it" make no sense
in a CI environment; I believe the vast majority of these are
the result of fingers typing on autopilot, then copy/pasting
cascades from those. This PR gets rid of as many -it/-ti as
possible. Some are still needed for testing purposes.
Y'all have no idea how much I hate #10927 (the "no logs from conmon"
flake). This does not fix the underlying problem, nor does it even
eliminate the flake (The "exec terminal doesn't hang" test needs
to keep the -ti flag, and that's one of the most popular flakers).
But this at least reduces the scope of the problem. It also removes
a ton of nasty orange "input device is not a TTY" warnings from logs.
Signed-off-by: Ed Santiago <santiago@redhat.com>
* add tests
* add documentation for --shm-size-systemd
* add support for both pod and standalone run
Signed-off-by: danishprakash <danish.prakash@suse.com>
Unify the functions used to detect rootless to "isRootless()".
This function can detect to join the user namespace by mistake.
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
The StoppedByUser variable indicates that the container was
requested to stop by a user. It's used to prevent restart policy
from firing (so that a restart=always container won't restart if
the user does a `podman stop`. The problem is we were setting it
*very* late in the stop() function. Originally, this was fine,
but after the changes to add the new Stopping state, the logic
that triggered restart policy was firing before StoppedByUser was
even set - so the container would still restart.
Setting it earlier shouldn't hurt anything and guarantees that
checks will see that the container was stopped manually.
Fixes#17069
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
False is the assumed value, and inspect and podman generate kube are
being cluttered with a ton of annotations that indicate nothing.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Also update vendor of containers/storage and image
Cleanup display of added/dropped capabilties as well
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
