298 Comments

Ran through docker-autotest; LGTM

Ran docker-autotest on podman-1.2.0-2.git3bd528e.fc29; no regressions or problems seen.

Two regressions: #2823 and 2824. I think the latter merits a new build.

Tested with podman; lgtm

LGTM

Minor issues (#2473 and #2530); otherwise LGTM

@dustymabe too many to list. All are fixed in master, 1.1.1 coming soon.

I'm gonna have to vote for 1.1.1.

Sorry for not catching these earlier. I have test setups optimized for testing RPMs; nothing that will (without lots of manual effort) build from sources.

Installs cleanly. Ran test suite against mildly-tweaked podman-1.0, passes expected tests. LGTM.

Two regressions, neither is a blocker. LGTM.

AVC was due to a fedora 28 problem on fresh installs. After resolving, podman now passes expected set of tests.

LGTM. Passes expected subsets of docker-autotest suite as root and nonroot.

After full dnf upgrade and reboot, I now get:

# podman run alpine date
Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: Permission denied
Error relocating /bin/date: RELRO protection failed: Permission denied
# echo $?
127

...and, this time I get AVCs:

type=AVC msg=audit(1545067349.224:320): avc:  denied  { read write } for  pid=2156 comm="date" path="/dev/null" dev="tmpfs" ino=27403 scontext=system_u:system_r:container_t:s0:c804,c891 tcontext=system_u:object_r:container_file_t:s0:c804,c891 tclass=chr_file permissive=0
type=AVC msg=audit(1545067349.224:321): avc:  denied  { read } for  pid=2156 comm="date" path="/lib/ld-musl-x86_64.so.1" dev="vda1" ino=525411 scontext=system_u:system_r:container_t:s0:c804,c891 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545067349.224:322): avc:  denied  { read } for  pid=2156 comm="date" path="/bin/busybox" dev="vda1" ino=525253 scontext=system_u:system_r:container_t:s0:c804,c891 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0

(last time, no AVCs). Surprisingly, it works as nonroot:

$ podman run alpine date
Mon Dec 17 17:25:25 UTC 2018

container-selinux-2.76-1.git87fae85.fc28.noarch
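As an added illustration (not code from the commenters, podman or container-selinux), here is a small Python parser that pulls AVC records out of audit output like the lines quoted above and sorts them by source type, target type, object class and permission set. The three sample lines are the ones from the comment, embedded as constructed input; the triage rule (a container_t process denied access to an object that is not labelled container_file_t is reported as a labelling question rather than a policy-rule question) and all function names are this example's own assumptions.

```python
"""Parse SELinux AVC records from audit output and group the denials.
Added example; the sample lines are the three AVCs quoted in the comment."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: the three AVC lines quoted in the comment above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1545067349.224:320): avc:  denied  { read write } for  pid=2156 comm="date" path="/dev/null" dev="tmpfs" ino=27403 scontext=system_u:system_r:container_t:s0:c804,c891 tcontext=system_u:object_r:container_file_t:s0:c804,c891 tclass=chr_file permissive=0
type=AVC msg=audit(1545067349.224:321): avc:  denied  { read } for  pid=2156 comm="date" path="/lib/ld-musl-x86_64.so.1" dev="vda1" ino=525411 scontext=system_u:system_r:container_t:s0:c804,c891 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545067349.224:322): avc:  denied  { read } for  pid=2156 comm="date" path="/bin/busybox" dev="vda1" ino=525253 scontext=system_u:system_r:container_t:s0:c804,c891 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

# Head of an AVC record: timestamp, serial, result and the permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcEvent:
    timestamp: float
    serial: int
    result: str
    permissions: tuple
    fields: dict = field(default_factory=dict)

    @staticmethod
    def _type_of(context):
        # A context is user:role:type:level[:categories]; the type is the third part.
        return context.split(":")[2]

    def source_type(self):
        return self._type_of(self.fields["scontext"])

    def target_type(self):
        return self._type_of(self.fields["tcontext"])

    def is_enforced(self):
        # permissive=0 means the access was actually blocked, not just logged.
        return self.result == "denied" and self.fields.get("permissive") == "0"


def parse_avc(line):
    """Return an AvcEvent for one audit line, or None for non-AVC lines."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return AvcEvent(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        permissions=tuple(m.group("perms").split()),
        fields=fields,
    )


def parse_audit_log(text):
    return [ev for ev in (parse_avc(ln) for ln in text.splitlines()) if ev]


def triage(event):
    """Rough classification of a denial involving a container process.
    Assumption of this example: a container_t process denied access to an
    object not labelled container_file_t points at labelling of the files
    the container sees, while a denial on a container_file_t object is a
    question about the policy rules themselves."""
    if event.source_type() != "container_t":
        return "not-a-container-denial"
    if event.target_type() == "container_file_t":
        return "policy-rule: container_t -> container_file_t"
    return f"labelling: target is {event.target_type()}, not container_file_t"


def summarize(events):
    """Count enforced denials per (source type, target type, class, perms)."""
    keys = (
        (ev.source_type(), ev.target_type(), ev.fields["tclass"], ev.permissions)
        for ev in events if ev.is_enforced()
    )
    return Counter(keys)


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT)
    for ev in evs:
        print(ev.serial, ev.fields.get("path"), "->", triage(ev))
    for key, n in summarize(evs).items():
        print(n, key)
```

Run against the sample, the two denials on /lib/ld-musl-x86_64.so.1 and /bin/busybox collapse into one (container_t, var_lib_t, file, read) group, which is the kind of grouping that makes a relabelling problem stand out from a one-off policy gap when many containers are producing noise at once.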

run doesn't work at all:

# podman run alpine date
# echo $?
139

Debug log shows nothing useful.

Issues with nonroot, but otherwise LGTM

Addresses the AVC when running systemd-notify under podman, ref: libpod #746

Still some unresolved issues; one new iptables-related weirdness, will investigate further on Monday. Otherwise LGTM.

Tested root & rootless; LGTM