We added code to create a `/etc/passwd` file that we bind-mount
into the container in some cases (most notably,
`--userns=keep-id` containers). This, unfortunately, was not
persistent, so user-added users would be dropped on container
restart. Changing where we store the file should fix this.
Further, we want to ensure that lookups of users in the container
use the right /etc/passwd if we replaced it. There was already
logic to do this, but it only worked for user-added mounts; it's
easy enough to alter it to use our mounts as well.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Podman is committed to inclusivity, a core value of open source. Historically, there have been technology terms that are problematic and divisive, and should be changed. We are currently taking time to audit our repository in order to eliminate such terminology, and replace it with more inclusive terms. We are starting where we can, with our own code, comments, and documentation. However, such terms may be used in dependencies, and must be used in our repositories at the current moment for compatibility. Podman will change these terms in our repo as soon as new and better terminology is available to us via our dependencies.
For more information: https://www.redhat.com/en/blog/making-open-source-more-inclusive-eradicating-problematic-language?sc_cid=701600000011gf0AAA
Signed-off-by: Ashley Cui <acui@redhat.com>
When creating a pod or container where a static MAC or IP address is provided, we should return a proper error and exit as 125.
Fixes: #6972
Signed-off-by: Brent Baude <bbaude@redhat.com>
A newly-added test in #6835 was flaking in CI with:
not ok 143 [20-containers] DELETE libpod/containers/SHA
500 cannot remove container <sha> as it is running - running or paused containers cannot be removed without force: container state improper
Root cause: DELETE being run immediately after container start.
Although the container is short-lived, it does take time to
run and exit.
Solution: wait for container to exit (should be quick) before
deleting. This gives us a new test for the /wait endpoint.
Also: tweaked some comments for readability, removed unnecessary
container ps, added actual container status checks, and added
actual message checks to another test that was merely checking
exit status.
Signed-off-by: Ed Santiago <santiago@redhat.com>
PR #6957 added a new path (/sys/devs) to an existing list
of masked mount points which an unprivileged container
should not be able to access. Here we add a test for
those: run 'stat' on those devices in the container,
and make sure that they are dummies.
This is kind of kludgy, and relies on heuristics that
may not be 100% accurate. It also adds duplication,
a list that must be kept in sync with the original
list in pkg/specgen/generate/config_linux.go.
I'd love to hear suggestions on how to do it better.
Signed-off-by: Ed Santiago <santiago@redhat.com>
- Issue #6735 : problem with multiple namespaces; confirms
combinations of --userns=keep-id, --privileged, --user=XX
- Issue #6829 : --userns=keep-id will add a /etc/passwd entry
- Issue #6593 : podman exec, with --userns=keep-id, errors
(test is currently skipped because issue remains live)
...and, addendum: add new helper function, remove_same_dev_warning.
Some CI systems issue a warning on podman run --privileged:
WARNING: The same type, major and minor should not be used for multiple devices.
We already had special-case code to ignore than in the SELinux
test, but now we're seeing it in the new run tests I added, so
I've refactored the "ignore this warning" code and written
tests for the removal code.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This allows us to determine if the container auto-detected that
systemd was in use, and correctly activated systemd integration.
Use this to wire up some integration tests to verify that systemd
integration is working properly.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
This change prevents this exception when loading a pod spec
using the "IfNotPresent" pull policy:
Error: invalid pull type "IfNotPresent"
Signed-off-by: Tristan Cacqueray <tdecacqu@redhat.com>
When running "podman pod create --share user" the errors appears:
Error: User sharing functionality not supported on pod level
Fix docs and remove 'user' from shareable parameters.
Signed-off-by: Sagi Shnaidman <sshnaidm@redhat.com>
We were only using the Command field in specgen when determining
whether to enable systemd if systemd=true (the default) was used.
This does not include the entrypoint, and does not include any
entrypoint/command sourced from the image - so an image could be
running systemd and we'd not correctly detect this. Using the
full, final command resolves this and matches Podman v1.9.x
behavior.
Fixes#6920
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We were hard-coding two fields to false, instead of grabbing
their value from the pod config, which means that `pod inspect`
would print the wrong value always.
Fixes#6968
Signed-off-by: Matthew Heon <mheon@redhat.com>
We had a field for this in the inspect data, but it was never
being populated. Because of this, `podman pod inspect` stopped
showing port bindings (and other infra container settings). Add
code to populate the infra container inspect data, and add a test
to ensure we don't regress again.
Signed-off-by: Matthew Heon <mheon@redhat.com>
fedora removed the systemd package from its standard container image causing our systemd pid1 test to fail. Replacing usage of fedora to ubi-init.
adding ubi images to the cache for local tests.
also, remove installation of test/policy.json to the system wide /etc/containers
Signed-off-by: Brent Baude <bbaude@redhat.com>
Some time ago, we moved the Seccomp policy (and related setup
code) to a place where all our tools could share it [1]. We did
not, however, remove the in-repo seccomp.json file. Over the last
year or so, the in-repo seccomp policy has become progressively
more and more outdated, with no effort made to maintain it
(because what sense is there in keeping a duplicate?). Today, a
friend came to me and asked if a Podman container could access
keyctl, assuming it could not because he was reading the outdated
Seccomp policy which does not allow it. Since it's becoming clear
that this file is doing no good and actively causing confusion,
let's just drop it.
[1] https://github.com/seccomp/containers-golang
Signed-off-by: Matthew Heon <mheon@redhat.com>
