Merge pull request #21563 from mheon/test_pasta_default

Vendor c/common pasta branch for testing

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/checkpoint-restore/go-criu/v7 v7.0.0
 	github.com/containernetworking/plugins v1.4.0
 	github.com/containers/buildah v1.34.1-0.20240201124221-b850c711ff5c
-	github.com/containers/common v0.57.1-0.20240229151045-1c65e0de241a
+	github.com/containers/common v0.57.1-0.20240229165734-cec09922602e
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/gvisor-tap-vsock v0.7.3
 	github.com/containers/image/v5 v5.29.3-0.20240227090231-5bef5e1e1506

go.sum

@@ -76,8 +76,8 @@ github.com/containernetworking/plugins v1.4.0 h1:+w22VPYgk7nQHw7KT92lsRmuToHvb7w
 github.com/containernetworking/plugins v1.4.0/go.mod h1:UYhcOyjefnrQvKvmmyEKsUA+M9Nfn7tqULPpH0Pkcj0=
 github.com/containers/buildah v1.34.1-0.20240201124221-b850c711ff5c h1:r+1vFyTAoXptJrsPsnOMI3G0jm4+BCfXAcIyuA33lzo=
 github.com/containers/buildah v1.34.1-0.20240201124221-b850c711ff5c/go.mod h1:Hw4qo2URFpWvZ2tjLstoQMpNC6+gR4PtxQefvV/UKaA=
-github.com/containers/common v0.57.1-0.20240229151045-1c65e0de241a h1:N/AOv7bQBTD/+inld7Qpc2WzxtpbsPgPDB/gg7JGQKA=
-github.com/containers/common v0.57.1-0.20240229151045-1c65e0de241a/go.mod h1:8irlyBcVooYx0F+YmoY7PQPAIgdJvCj17bvL7PqeaxI=
+github.com/containers/common v0.57.1-0.20240229165734-cec09922602e h1:TPgCd6bWFyliJxCXEiCI1LnbB3kBUkpx1dw51ngDjWI=
+github.com/containers/common v0.57.1-0.20240229165734-cec09922602e/go.mod h1:8irlyBcVooYx0F+YmoY7PQPAIgdJvCj17bvL7PqeaxI=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/gvisor-tap-vsock v0.7.3 h1:yORnf15sP+sLFhxLNLgmB5/lOhldn9dRMHx/tmYtSOQ=

libpod/events/config.go

@@ -41,6 +41,8 @@ type Event struct {
 	Type Type
 	// Health status of the current container
 	HealthStatus string `json:"health_status,omitempty"`
+	// Error code for certain events involving errors.
+	Error error `json:"error,omitempty"`
 
 	Details
 }
@@ -170,6 +172,8 @@ const (
 	Prune Status = "prune"
 	// Pull ...
 	Pull Status = "pull"
+	// PullError is an error pulling an image
+	PullError Status = "pull-error"
 	// Push ...
 	Push Status = "push"
 	// Refresh indicates that the system refreshed the state after a

libpod/events/events.go

@@ -194,6 +194,8 @@ func StringToStatus(name string) (Status, error) {
 		return Prune, nil
 	case Pull.String():
 		return Pull, nil
+	case PullError.String():
+		return PullError, nil
 	case Push.String():
 		return Push, nil
 	case Refresh.String():

libpod/events/journal_linux.go

@@ -43,6 +43,9 @@ func (e EventJournalD) Write(ee Event) error {
 	case Image:
 		m["PODMAN_NAME"] = ee.Name
 		m["PODMAN_ID"] = ee.ID
+		if ee.Error != nil {
+			m["ERROR"] = ee.Error.Error()
+		}
 	case Container, Pod:
 		m["PODMAN_IMAGE"] = ee.Image
 		m["PODMAN_NAME"] = ee.Name
@@ -228,6 +231,9 @@ func newEventFromJournalEntry(entry *sdjournal.JournalEntry) (*Event, error) {
 		newEvent.Network = entry.Fields["PODMAN_NETWORK_NAME"]
 	case Image:
 		newEvent.ID = entry.Fields["PODMAN_ID"]
+		if _, ok := entry.Fields["ERROR"]; ok {
+			newEvent.Error = errors.New(entry.Fields["ERROR"])
+		}
 	}
 	return &newEvent, nil
 }

libpod/networking_linux.go

@@ -191,7 +191,7 @@ func getContainerNetNS(ctr *Container) (string, *Container, error) {
 func getContainerNetIO(ctr *Container) (map[string]define.ContainerNetworkStats, error) {
 	perNetworkStats := make(map[string]define.ContainerNetworkStats)
 
-	netNSPath, otherCtr, netPathErr := getContainerNetNS(ctr)
+	netNSPath, _, netPathErr := getContainerNetNS(ctr)
 	if netPathErr != nil {
 		return nil, netPathErr
 	}
@@ -201,49 +201,39 @@ func getContainerNetIO(ctr *Container) (map[string]define.ContainerNetworkStats,
 		return nil, nil
 	}
 
-	netMode := ctr.config.NetMode
-	netStatus := ctr.getNetworkStatus()
-	if otherCtr != nil {
-		netMode = otherCtr.config.NetMode
-		netStatus = otherCtr.getNetworkStatus()
-	}
-	if netMode.IsSlirp4netns() {
-		// create a fake status with correct interface name for the logic below
-		netStatus = map[string]types.StatusBlock{
-			"slirp4netns": {
-				Interfaces: map[string]types.NetInterface{"tap0": {}},
-			},
-		}
-	}
 	err := ns.WithNetNSPath(netNSPath, func(_ ns.NetNS) error {
-		for _, status := range netStatus {
-			for dev := range status.Interfaces {
-				link, err := netlink.LinkByName(dev)
-				if err != nil {
-					return err
-				}
-				stats := link.Attrs().Statistics
-				if stats != nil {
-					newStats := define.ContainerNetworkStats{
-						RxBytes:   stats.RxBytes,
-						RxDropped: stats.RxDropped,
-						RxErrors:  stats.RxErrors,
-						RxPackets: stats.RxPackets,
-						TxBytes:   stats.TxBytes,
-						TxDropped: stats.TxDropped,
-						TxErrors:  stats.TxErrors,
-						TxPackets: stats.TxPackets,
-					}
+		links, err := netlink.LinkList()
+		if err != nil {
+			return fmt.Errorf("retrieving all network interfaces: %w", err)
+		}
+		for _, link := range links {
+			attributes := link.Attrs()
+			if attributes.Flags&net.FlagLoopback != 0 {
+				continue
+			}
 
-					perNetworkStats[dev] = newStats
-				}
+			if attributes.Statistics != nil {
+				perNetworkStats[attributes.Name] = getNetStatsFromNetlinkStats(attributes.Statistics)
 			}
 		}
 		return nil
 	})
 	return perNetworkStats, err
 }
 
+func getNetStatsFromNetlinkStats(stats *netlink.LinkStatistics) define.ContainerNetworkStats {
+	return define.ContainerNetworkStats{
+		RxBytes:   stats.RxBytes,
+		RxDropped: stats.RxDropped,
+		RxErrors:  stats.RxErrors,
+		RxPackets: stats.RxPackets,
+		TxBytes:   stats.TxBytes,
+		TxDropped: stats.TxDropped,
+		TxErrors:  stats.TxErrors,
+		TxPackets: stats.TxPackets,
+	}
+}
+
 // joinedNetworkNSPath returns netns path and bool if netns was set
 func (c *Container) joinedNetworkNSPath() (string, bool) {
 	for _, namespace := range c.config.Spec.Linux.Namespaces {

libpod/runtime.go

@@ -696,15 +696,16 @@ func (r *Runtime) GetConfig() (*config.Config, error) {
 
 // libimageEventsMap translates a libimage event type to a libpod event status.
 var libimageEventsMap = map[libimage.EventType]events.Status{
-	libimage.EventTypeImagePull:    events.Pull,
-	libimage.EventTypeImagePush:    events.Push,
-	libimage.EventTypeImageRemove:  events.Remove,
-	libimage.EventTypeImageLoad:    events.LoadFromArchive,
-	libimage.EventTypeImageSave:    events.Save,
-	libimage.EventTypeImageTag:     events.Tag,
-	libimage.EventTypeImageUntag:   events.Untag,
-	libimage.EventTypeImageMount:   events.Mount,
-	libimage.EventTypeImageUnmount: events.Unmount,
+	libimage.EventTypeImagePull:      events.Pull,
+	libimage.EventTypeImagePullError: events.PullError,
+	libimage.EventTypeImagePush:      events.Push,
+	libimage.EventTypeImageRemove:    events.Remove,
+	libimage.EventTypeImageLoad:      events.LoadFromArchive,
+	libimage.EventTypeImageSave:      events.Save,
+	libimage.EventTypeImageTag:       events.Tag,
+	libimage.EventTypeImageUntag:     events.Untag,
+	libimage.EventTypeImageMount:     events.Mount,
+	libimage.EventTypeImageUnmount:   events.Unmount,
 }
 
 // libimageEvents spawns a goroutine which will listen for events on

test/apiv2/20-containers.at

@@ -69,7 +69,7 @@ t GET libpod/containers/json?all=true 200 \
   .[0].IsInfra=false
 
 # Test compat API for Network Settings (.Network is N/A when rootless)
-network_expect="Networks.slirp4netns.NetworkID=slirp4netns"
+network_expect="Networks.pasta.NetworkID=pasta"
 if root; then
     network_expect="Networks.podman.NetworkID=podman"
 fi

test/e2e/unshare_test.go

@@ -9,14 +9,6 @@ import (
 	. "github.com/onsi/gomega/gexec"
 )
 
-// podman unshare --rootless-netns leaks the process by design.
-// Running a container will cause the cleanup to kick in when this container gets stopped.
-func cleanupRootlessSlirp4netns(p *PodmanTestIntegration) {
-	session := p.Podman([]string{"run", "--network", "bridge", ALPINE, "true"})
-	session.WaitWithDefaultTimeout()
-	Expect(session).Should(ExitCleanly())
-}
-
 var _ = Describe("Podman unshare", func() {
 	BeforeEach(func() {
 		if _, err := os.Stat("/proc/self/uid_map"); err != nil {
@@ -37,15 +29,6 @@ var _ = Describe("Podman unshare", func() {
 		Expect(session.OutputToString()).ToNot(ContainSubstring(userNS))
 	})
 
-	It("podman unshare --rootless-netns", func() {
-		SkipIfRemote("podman-remote unshare is not supported")
-		defer cleanupRootlessSlirp4netns(podmanTest)
-		session := podmanTest.Podman([]string{"unshare", "--rootless-netns", "ip", "addr"})
-		session.WaitWithDefaultTimeout()
-		Expect(session).Should(ExitCleanly())
-		Expect(session.OutputToString()).To(ContainSubstring("tap0"))
-	})
-
 	It("podman unshare exit codes", func() {
 		SkipIfRemote("podman-remote unshare is not supported")
 		session := podmanTest.Podman([]string{"unshare", "false"})

test/system/250-systemd.bats

@@ -5,6 +5,7 @@
 
 load helpers
 load helpers.systemd
+load helpers.network
 
 SERVICE_NAME="podman_test_$(random_string)"
 
@@ -294,7 +295,7 @@ LISTEN_FDNAMES=listen_fdnames" | sort)
 }
 
 # https://github.com/containers/podman/issues/13153
-@test "podman rootless-netns slirp4netns process should be in different cgroup" {
+@test "podman rootless-netns pasta processes should be in different cgroup" {
     is_rootless || skip "only meaningful for rootless"
 
     cname=$(random_string)
@@ -314,9 +315,11 @@ LISTEN_FDNAMES=listen_fdnames" | sort)
     # stop systemd container
     service_cleanup
 
+    pasta_iface=$(default_ifname)
+
     # now check that the rootless netns slirp4netns process is still alive and working
     run_podman unshare --rootless-netns ip addr
-    is "$output" ".*tap0.*" "slirp4netns interface exists in the netns"
+    is "$output" ".*$pasta_iface.*" "pasta interface exists in the netns"
     run_podman exec $cname2 nslookup google.com
 
     run_podman rm -f -t0 $cname2

test/system/252-quadlet.bats

@@ -144,13 +144,16 @@ function remove_secret() {
 }
 
 @test "quadlet - basic" {
+    # Network=none is to work around a Pasta bug, can be removed once a patched Pasta is available.
+    # Ref https://github.com/containers/podman/pull/21563#issuecomment-1965145324
     local quadlet_file=$PODMAN_TMPDIR/basic_$(random_string).container
     cat > $quadlet_file <<EOF
 [Container]
 Image=$IMAGE
 Exec=sh -c "echo STARTED CONTAINER; echo "READY=1" | socat -u STDIN unix-sendto:\$NOTIFY_SOCKET; sleep inf"
 Notify=yes
 LogDriver=passthrough
+Network=none
 EOF
 
     # FIXME: Temporary until podman fully removes cgroupsv1 support; see #21431

test/system/270-socket-activation.bats

@@ -4,8 +4,17 @@
 #
 
 load helpers
+load helpers.registry
 load helpers.systemd
 
+function setup_file() {
+    # We have to stop the background registry here. These tests kill the podman pause
+    # process which means commands after that are in a new one and when the cleanup
+    # later tries to stop the registry container it will be in the wrong ns and can fail.
+    # https://github.com/containers/podman/pull/21563#issuecomment-1960047648
+    stop_registry
+}
+
 SERVICE_NAME="podman_test_$(random_string)"
 
 SERVICE_SOCK_ADDR="/run/podman/$SERVICE_NAME.sock"

test/system/500-networking.bats

@@ -857,7 +857,7 @@ EOF
     cid=${output}
     run_podman inspect --format '{{ .NetworkSettings.Networks }}' $cid
     if is_rootless; then
-        is "$output" "map\[slirp4netns:.*" "NeworkSettings should contain one network named slirp4netns"
+        is "$output" "map\[pasta:.*" "NeworkSettings should contain one network named pasta"
     else
         is "$output" "map\[podman:.*" "NeworkSettings should contain one network named podman"
     fi

test/system/505-networking-pasta.bats

@@ -18,21 +18,6 @@ function setup() {
     XFER_FILE="${PODMAN_TMPDIR}/pasta.bin"
 }
 
-function default_ifname() {
-    local ip_ver="${1}"
-
-    local expr='[.[] | select(.dst == "default").dev] | .[0]'
-    ip -j -"${ip_ver}" route show | jq -rM "${expr}"
-}
-
-function default_addr() {
-    local ip_ver="${1}"
-    local ifname="${2:-$(default_ifname "${ip_ver}")}"
-
-    local expr='.[0] | .addr_info[0].local'
-    ip -j -"${ip_ver}" addr show "${ifname}" | jq -rM "${expr}"
-}
-
 # _set_opt() - meta-helper for pasta_test_do.
 #
 # Sets an option, but panics if option is already set (e.g. UDP+TCP, IPv4/v6)
@@ -789,3 +774,14 @@ EOF
     CONTAINERS_CONF_OVERRIDE=$containersconf run_podman run --net=pasta:--ns-mac-addr,"$mac2" $IMAGE ip link show myname
     assert "$output" =~ "$mac2" "mac address from cli is set on custom interface"
 }
+
+### Rootless unshare testins
+
+@test "Podman unshare --rootless-netns with Pasta" {
+    skip_if_remote "unshare is local-only"
+
+    pasta_iface=$(default_ifname)
+
+    run_podman unshare --rootless-netns ip addr
+    is "$output" ".*${pasta_iface}.*"
+}

test/system/550-pause-process.bats

@@ -4,8 +4,17 @@
 #
 
 load helpers
+load helpers.registry
 load helpers.sig-proxy
 
+function setup_file() {
+    # We have to stop the background registry here. These tests kill the podman pause
+    # process which means commands after that are in a new one and when the cleanup
+    # later tries to stop the registry container it will be in the wrong ns and can fail.
+    # https://github.com/containers/podman/pull/21563#issuecomment-1960047648
+    stop_registry
+}
+
 function _check_pause_process() {
     pause_pid=
     if [[ -z "$pause_pid_file" ]]; then

test/system/helpers.network.bash

@@ -369,3 +369,20 @@ function tcp_port_probe() {
 
     : | nc "${address}" "${1}"
 }
+
+### Pasta Helpers ##############################################################
+
+function default_ifname() {
+    local ip_ver="${1}"
+
+    local expr='[.[] | select(.dst == "default").dev] | .[0]'
+    ip -j -"${ip_ver}" route show | jq -rM "${expr}"
+}
+
+function default_addr() {
+    local ip_ver="${1}"
+    local ifname="${2:-$(default_ifname "${ip_ver}")}"
+
+    local expr='.[0] | .addr_info[0].local'
+    ip -j -"${ip_ver}" addr show "${ifname}" | jq -rM "${expr}"
+}