This patch set adds a crio-umount.conf file which tells the oci-umount plugin
to look for leaked mount points in /var/lib/containers/storage/* and
/var/run/containers/*
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Both the base and extras repos are required. Rather than try to fuss
around with subscription manager, require two variables be defined
pointing to the baseurls to use. Assert that these variables are set
and non-empty.
Signed-off-by: Chris Evich <cevich@redhat.com>
Depending on circumstances out of our control, the 'integration tests'
may take longer than an hour (3600 seconds). Since the maximum time
is referenced in several places, define a variable with a larger value
then reference it from the affected tasks.
Signed-off-by: Chris Evich <cevich@redhat.com>
Previously, an internal playbook installed many extra
necessary/unnecessary packages before this playbook even started. Since
this is a terrible design, move all dependencies here so that nothing is
unwritten. This includes installing some deps. for ansible itself
(which must be done as a raw command).
Signed-off-by: Chris Evich <cevich@redhat.com>
If running a playbook more than once, there's no need to re-bootstrap
the virtual environment. Assume if the verified crio directory already
exists, it should be used (after re-asserting hashes of requirements).
Signed-off-by: Chris Evich <cevich@redhat.com>
server: fix selinux labels for pod and containers
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
sandbox: set selinux labels from request, not defaults
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
container_create: use sandbox's selinux if container's nil
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
sandbox: correctly init selinux labels
First, we weren't correctly initializing selinux labels. If any of
(level, user, role, type) was missing from kube selinux options, we
were erroring out. This is wrong as kube sends just `level=s0`
sometimes and docker itself allows `--security-opt label=level:s0`.
This patch directly initializes selinux labels, correctly, and adds a
test to verify it.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
test: testdata: use container_runtime_t selinux type
RHEL SELinux policy doesn't have `container_t` type but we're using it
in our fixtures. That means Fedora integration tests pass because
`container_t` is in Fedora's container policy but RHEL is broken.
Fix it by using `container_runtime_t` which is aliased in Fedora policy
to `container_t`.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
The inspect endpoint is used mainly in the CRI-O cAdvisor handler.
Let's make sure we don't break it by adding some trivial unit tests.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
There is cleanup code that will never get run.
This code will print out all errors and then return the last error.
This should allow for proper cleanup.
Also clean up help to switch usage and description.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
If the user provides kpod pull a short name like 'debian', we
still want the pull to be successful. As such, when a short
name is provided, we get the list of searchable registries via
the systemregistries code in containers-storage. We then
append a tag of 'latest' (if not provided) and we formulate
a list of possible fully-qualified image names to try.
Vendor update for containers-storage to bring in the system_registries
code.
Also includes a patch from Nalin to fix compilation errors.
Signed-off-by: baude <bbaude@redhat.com>