269 Comments

Two regressions, neither is a blocker. LGTM.

AVC was due to a fedora 28 problem on fresh installs. After resolving, podman now passes expected set of tests.

LGTM. Passes expected subsets of docker-autotest suite as root and nonroot.

After full dnf upgrade and reboot, I now get:

# podman run alpine date
Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: Permission denied
Error relocating /bin/date: RELRO protection failed: Permission denied
# echo $?
127

...and, this time I get AVCs:

type=AVC msg=audit(1545067349.224:320): avc:  denied  { read write } for  pid=2156 comm="date" path="/dev/null" dev="tmpfs" ino=27403 scontext=system_u:system_r:container_t:s0:c804,c891 tcontext=system_u:object_r:container_file_t:s0:c804,c891 tclass=chr_file permissive=0
type=AVC msg=audit(1545067349.224:321): avc:  denied  { read } for  pid=2156 comm="date" path="/lib/ld-musl-x86_64.so.1" dev="vda1" ino=525411 scontext=system_u:system_r:container_t:s0:c804,c891 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545067349.224:322): avc:  denied  { read } for  pid=2156 comm="date" path="/bin/busybox" dev="vda1" ino=525253 scontext=system_u:system_r:container_t:s0:c804,c891 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0

(last time, no AVCs). Surprisingly, it works as nonroot:

$ podman run alpine date
Mon Dec 17 17:25:25 UTC 2018

container-selinux-2.76-1.git87fae85.fc28.noarch
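The denials quoted above separate into two different failure modes that a tester or on-call engineer wants to tell apart quickly: the /dev/null denial has matching container_t / container_file_t types and matching MCS categories on both sides, so it points at the container-selinux policy itself, while the denials on /lib/ld-musl-x86_64.so.1 and /bin/busybox show image files still carrying the host label var_lib_t instead of container_file_t, which is a storage labelling problem. The following is an added triage script, not code from the comment thread or from podman; it parses audit AVC records with a regular expression and classifies each container_t denial. The sample log is constructed from the three lines above plus a non-AVC SYSCALL record that the parser must skip; the type sets, field names and verdict strings are my own assumptions.

```python
import re

# Constructed sample audit log: the three AVC denials quoted in the comment
# above, plus a constructed non-AVC record the parser should ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1545067349.224:320): avc:  denied  { read write } for  pid=2156 comm="date" path="/dev/null" dev="tmpfs" ino=27403 scontext=system_u:system_r:container_t:s0:c804,c891 tcontext=system_u:object_r:container_file_t:s0:c804,c891 tclass=chr_file permissive=0
type=AVC msg=audit(1545067349.224:321): avc:  denied  { read } for  pid=2156 comm="date" path="/lib/ld-musl-x86_64.so.1" dev="vda1" ino=525411 scontext=system_u:system_r:container_t:s0:c804,c891 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545067349.224:322): avc:  denied  { read } for  pid=2156 comm="date" path="/bin/busybox" dev="vda1" ino=525253 scontext=system_u:system_r:container_t:s0:c804,c891 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1545067349.224:322): arch=c000003e syscall=59 success=no exit=-13
"""

# Field layout of an AVC denial record as written by the kernel/auditd.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]*)"(?:\s+path="(?P<path>[^"]*)")?.*?'
    r'\sscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumed type names: the process domain podman gives containers and the
# file type container-selinux expects on container storage and volumes.
CONTAINER_PROCESS_TYPES = {"container_t"}
CONTAINER_FILE_TYPES = {"container_file_t"}


def parse_avc(line):
    """Return a dict of the AVC fields, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    return rec


def context_type(ctx):
    """user:role:type:level -> type."""
    return ctx.split(":")[2]


def context_level(ctx):
    """user:role:type:level -> MLS/MCS level, e.g. 's0:c804,c891'."""
    return ":".join(ctx.split(":")[3:])


def triage(log_text):
    """One finding per denial whose source is a container process.

    label_mismatch: target file does not carry a container file type; the
                    storage or volume is labelled for the host, not containers.
    policy_denial:  types and MCS categories match, so the denial comes from
                    the loaded policy rules (a container-selinux policy issue).
    """
    findings = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None or context_type(avc["scontext"]) not in CONTAINER_PROCESS_TYPES:
            continue
        target_type = context_type(avc["tcontext"])
        mcs_match = context_level(avc["scontext"]) == context_level(avc["tcontext"])
        verdict = "policy_denial" if target_type in CONTAINER_FILE_TYPES else "label_mismatch"
        findings.append({
            "pid": int(avc["pid"]),
            "comm": avc["comm"],
            "path": avc["path"],
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            "target_type": target_type,
            "mcs_match": mcs_match,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f"{f['verdict']:15} {f['comm']}[{f['pid']}] {' '.join(f['perms'])} "
              f"{f['path']} ({f['tclass']}, target={f['target_type']}, mcs_match={f['mcs_match']})")
```

Run against a real system with `ausearch -m AVC --raw` piped into `triage()`; a label_mismatch finding is confirmed by looking at the file's label with `ls -Z` on the host, whereas a policy_denial with matching categories cannot be fixed by relabelling and needs the policy package looked at, which matches the container-selinux version being noted alongside these denials.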

run doesn't work at all:

# podman run alpine date
# echo $?
139

Debug log shows nothing useful.

Issues with nonroot, but otherwise LGTM

Addresses the AVC when running systemd-notify under podman, ref: libpod #746

Still some unresolved issues; one new iptables-related weirdness, will investigate further on Monday. Otherwise LGTM.

Tested root & rootless; LGTM

Issue #1640 (rm --force) unfixed, but otherwise LGTM

SELinux issues (filed #1560, investigating one more). Systemd-in-container not working ("Failed to allocate manager object"; I'm still investigating). Otherwise LGTM.

Totally broken; do not use. Fix is under discussion.

With containernetworking-plugins-0.7.3-2.fc29, passes the expected subset of docker-autotest. LGTM, but I'm not adding karma because I agree that the RPM requirements should be updated to specify the above containernetworking-plugins.

Tested install over containernetworking-cni-0.7.1-1.fc29: worked fine. (Also confirmed that containernetworking-plugins-0.7.3-1.fc29, the previous build, does not install cleanly on top of containernetworking-cni. I.e. the rpm Obsoletes is now correct).

Then tested upgrade from 0.7.3-1; that too worked fine.

Also ran docker-autotest suite, all fine.

LGTM.

Passes most of docker-autotest. New failures in build subtest; could just be harmless behavioral differences. Am investigating and will file issues if necessary, otherwise LGTM.

BZ#1622640 rpm -qi podman shows a wrong url

If I were to suggest updating the RPM, adding a dependency on container-selinux >= 2:2.71, would I need to go into hiding for my own protection?

Passes (expected subset of) docker-autotest suite.