-rw-r--r--Makefile2
-rw-r--r--RELEASE_NOTES.md69
-rw-r--r--changelog.txt385
-rw-r--r--cmd/podman/cleanup.go2
-rw-r--r--cmd/podman/logs.go2
-rw-r--r--cmd/podman/play_kube.go2
-rw-r--r--contrib/spec/podman.spec.in2
-rw-r--r--libpod/options.go16
-rw-r--r--libpod/runtime_ctr.go5
-rw-r--r--libpod/volume.go18
-rw-r--r--pkg/spec/createconfig.go2
-rw-r--r--vendor.conf2
-rw-r--r--vendor/github.com/containers/buildah/README.md29
-rw-r--r--vendor/github.com/containers/buildah/buildah.go2
-rw-r--r--vendor/github.com/containers/buildah/new.go2
-rw-r--r--vendor/github.com/containers/buildah/pkg/cli/common.go4
-rw-r--r--vendor/github.com/containers/buildah/pkg/secrets/secrets.go319
-rw-r--r--vendor/github.com/containers/buildah/pull.go4
-rw-r--r--vendor/github.com/containers/buildah/run.go10
-rw-r--r--vendor/github.com/containers/buildah/unshare/unshare_unsupported.go1
-rw-r--r--vendor/github.com/containers/buildah/vendor.conf2
-rw-r--r--version/version.go2
22 files changed, 843 insertions, 39 deletions
diff --git a/Makefile b/Makefile
index f634fcc81..7e2c98b8a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
GO ?= go
DESTDIR ?= /
-EPOCH_TEST_COMMIT ?= 4406e1cfeed18fe89c0ad4e20a3c3b2f4b9ffcae
+EPOCH_TEST_COMMIT ?= 174e8997aa0d8fc648564a9ac2a79ab786e87362
HEAD ?= HEAD
CHANGELOG_BASE ?= HEAD~
CHANGELOG_TARGET ?= HEAD
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index b8b475362..0bacad0d7 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,5 +1,74 @@
# Release Notes
+## 1.1.0
+### Features
+- Added `--latest` and `--all` flags to `podman mount` and `podman umount`
+- Rootless Podman can now forward ports into containers (using the same `-p` and `-P` flags as root Podman)
+- Rootless Podman will now pull some configuration options (for example, OCI runtime path) from the default root `libpod.conf` if they are not explicitly set in the user's own `libpod.conf` ([#2174](https://github.com/containers/libpod/issues/2174))
+- Added an alias `-f` for the `--format` flag of the `podman info` and `podman version` commands
+- Added an alias `-s` for the `--size` flag of the `podman inspect` command
+- Added the `podman system info` and `podman system prune` commands
+- Added the `podman cp` command to copy files between containers and the host ([#613](https://github.com/containers/libpod/issues/613))
+- Added the `--password-stdin` flag to `podman login`
+- Added the `--all-tags` flag to `podman pull`
+- The `--rm` and `--detach` flags can now be used together with `podman run`
+- The `podman start` and `podman run` commands for containers in pods will now start dependency containers if they are stopped
+- Added the `podman system renumber` command to handle lock changes
+- The `--net=host` and `--dns` flags for `podman run` and `podman create` no longer conflict
+- Podman now handles mounting the shared /etc/resolv.conf from network namespaces created by `ip netns add` when they are passed in via `podman run --net=ns:`
+
+### Bugfixes
+- Fixed a bug with `podman inspect` where different information would be returned when the container was running versus when it was stopped
+- Fixed a bug where errors in Go templates passed to `podman inspect` were silently ignored instead of reported to the user ([#2159](https://github.com/containers/libpod/issues/2159))
+- Fixed a bug where rootless Podman with `--pid=host` containers was incorrectly masking paths in `/proc`
+- Fixed a bug where full errors starting rootless `Podman` were not reported when a refresh was requested
+- Fixed a bug where Podman would override the config file-specified storage driver with the driver the backing database was created with without warning users
+- Fixed a bug where `podman prune` would prune all images not in use by a container, as opposed to only untagged images, by default ([#2192](https://github.com/containers/libpod/issues/2192))
+- Fixed a bug where `podman create --quiet` and `podman run --quiet` were not properly suppressing output
+- Fixed a bug where the `table` keyword in Go template output of `podman ps` was not working ([#2221](https://github.com/containers/libpod/issues/2221))
+- Fixed a bug where `podman inspect` on images pulled by digest would double-print `@sha256` in output when printing digests ([#2086](https://github.com/containers/libpod/issues/2086))
+- Fixed a bug where `podman container runlabel` will return a non-0 exit code if the label does not exist
+- Fixed a bug where container state was always reset to Created after a reboot ([#1703](https://github.com/containers/libpod/issues/1703))
+- Fixed a bug where `/dev/pts` was unconditionally overridden in rootless Podman, which was unnecessary except in very specific cases
+- Fixed a bug where Podman run as root was ignoring some options in `/etc/containers/storage.conf` ([#2217](https://github.com/containers/libpod/issues/2217))
+- Fixed a bug where Podman cleanup processes were not being given the proper OCI runtime path if a custom one was specified
+- Fixed a bug where `podman images --filter dangling=true` would crash if no dangling images were present ([#2246](https://github.com/containers/libpod/issues/2246))
+- Fixed a bug where `podman ps --format "{{.Mounts}}"` would not display a container's mounts ([#2238](https://github.com/containers/libpod/issues/2238))
+- Fixed a bug where `podman pod stats` was ignoring Go templates specified by `--format` ([#2258](https://github.com/containers/libpod/issues/2258))
+- Fixed a bug where `podman generate kube` would fail on containers with `--user` specified ([#2304](https://github.com/containers/libpod/issues/2304))
+- Fixed a bug where `podman images` displayed incorrect output for images pulled by digest ([#2175](https://github.com/containers/libpod/issues/2175))
+- Fixed a bug where `podman port` and `podman ps` did not properly display ports if the container joined a network namespace from a pod or another container ([#846](https://github.com/containers/libpod/issues/846))
+- Fixed a bug where detaching from a container using the detach keys would cause Podman to hang until the container exited
+- Fixed a bug where `podman create --rm` did not work with `podman start --attach`
+- Fixed a bug where invalid named volumes specified in `podman create` and `podman run` could cause segfaults ([#2301](https://github.com/containers/libpod/issues/2301))
+- Fixed a bug where the `runtime` field in `libpod.conf` was being ignored. `runtime` is legacy and deprecated, but will continue to be respected for the forseeable future
+- Fixed a bug where `podman login` would sometimes report it logged in successfully when it did not
+- Fixed a bug where `podman pod create` would not error on receiving unused CLI argument
+- Fixed a bug where rootless `podman run` with the `--pod` argument would fail if the pod was stopped
+- Fixed a bug where `podman images` did not print a trailing newline when not invoked on a TTY ([#2388](https://github.com/containers/libpod/issues/2388))
+- Fixed a bug where the `--runtime` option was sometimes not overriding `libpod.conf`
+- Fixed a bug where `podman pull` and `podman runlabel` would sometimes exit with 0 when they should have exited with an error ([#2405](https://github.com/containers/libpod/issues/2405))
+- Fixed a bug where rootless `podman export -o` would fail ([#2381](https://github.com/containers/libpod/issues/2381))
+- Fixed a bug where read-only volumes would fail in rootless Podman when the volume originated on a filesystem mounted `nosuid`, `nodev`, or `noexec` ([#2312](https://github.com/containers/libpod/issues/2312))
+- Fixed a bug where some files used by checkpoint and restore received improper SELinux labels ([#2334](https://github.com/containers/libpod/issues/2334))
+- Fixed a bug where Podman's volume path was not properly changed when containers/storage changed location ([#2395](https://github.com/containers/libpod/issues/2395))
+
+### Misc
+- Podman migrated to a new, shared memory locking model in this release. As part of this, if you are running Podman with pods or dependency containers (e.g. `--net=container:`), you should run the `podman system renumber` command to migrate your containers to the new model - please reference the `podman-system-renumber(1)` man page for further details
+- Podman migrated to a new command-line parsing library, and the output format of help and usage text has somewhat changed as a result
+- Updated Buildah to v1.7, picking up a number of bugfixes
+- Updated containers/image library to v1.5, picking up a number of bugfixes and performance improvements to pushing images
+- Updated containers/storage library to v1.10, picking up a number of bugfixes
+- Work on the remote Podman client for interacting with Podman remotely over Varlink is progressing steadily, and many image and pod commands are supported
+- Added path masking to mounts with the `:z` and `:Z` options, preventing users from accidentally performing an SELinux relabel of their entire home directory
+- The `podman container runlabel` command will not pull an image if it does not contain the requested label
+- Many commands' usage information now includes examples
+- `podman rm` can now delete containers in containers/storage, which can be used to resolve some situations where Podman fails to remove a container
+- The `podman search` command now searches multiple registries in parallel for improved performance
+- The `podman build` command now defaults `--pull-always` to true
+- Containers which share a network namespace (for example, when in a pod) will now share /etc/hosts and /etc/resolv.conf between all containers in the pod, causing changes in one container to propogate to all containers sharing their networks
+- The `podman rm` and `podman rmi` commands now return 1 (instead of 127) when all specified container or images are missing
+
## 1.0.0
### Features
- The `podman exec` command now includes a `--workdir` option to set working directory for the executed command
diff --git a/changelog.txt b/changelog.txt
index 8ee11cdc4..803aad796 100644
--- a/changelog.txt
+++ b/changelog.txt
@@ -1,3 +1,388 @@
+- Changelog for v1.1.0 (2019-02-26)
+ * Vendor in latest buildah 1.7.1
+ * volume: do not create a volume if there is a bind
+ * Only remove image volumes when removing containers
+ * Fix podman logs -l
+ * start pod containers recursively
+ * Update release notes for v1.1.0
+ * vendor containers/image v1.5
+ * Record when volume path is explicitly set in config
+ * Add debug information when overriding paths with the DB
+ * Add path for named volumes to `podman info`
+ * Add volume path to default libpod.conf (and manpage)
+ * Validate VolumePath against DB configuration
+ * When location of c/storage root changes, set VolumePath
+ * docs: cross-reference `podman-{generate,play}-kube`
+ * README: refine "Out of scope" section
+ * oci: improve error message when the OCI runtime is not found
+ * Label CRIU log files correctly
+ * Add num_locks to the default libpod config
+ * podman-remote pod pause|unpause|restart
+ * podman: fix ro bind mounts if no* opts are on the source
+ * Change exit code to 1 on podman rmi nosuch image
+ * README.md: rephrase Buildah description
+ * README: update "out of scope" section
+ * Change exit code to 1 on podman rm nosuch container
+ * podman-remote create|ps
+ * remove duplicate commands in main
+ * issue template: run `podman info --debug`
+ * Fix play to show up in podman help
+ * Switch defaults for podman build versus buildah
+ * In shared networkNS /etc/resolv.conf&/etc/hosts should be shared
+ * Allow dns settings with --net=host
+ * Fix up handling of user defined network namespaces
+ * Enable more podman-remote pod commands
+ * tests, rootless: use relative path for export test
+ * rootless: force same cwd when re-execing
+ * Vendor Buildah v1.7
+ * Exit with errors not just logging error
+ * cmd: support rootless mode for cp command
+ * hide --latest on the remote-client
+ * Improve command line validation
+ * make remote-client error messaging more robust
+ * podman: --runtime has higher priority on runtime_path
+ * podman-remote pod inspect|exists
+ * Cirrus: Install Go 1.11 on Ubuntu VMs
+ * Cirrus: Add 20m extra timeout for Ubuntu
+ * Introduce how to start to hack on libpod.
+ * update: remove duplicate newline
+ * Fix typo in comment
+ * podman-remote load image
+ * Do not make renumber shut down the runtime
+ * Add podman system renumber command
+ * Add ability to get a runtime that renumbers
+ * Recreate SHM locks when renumbering on count mismatch
+ * Move RenumberLocks into runtime init
+ * Remove locks from volumes
+ * Expand renumber to also renumber pod locks
+ * Add ability to rewrite pod configs in the database
+ * Add initial version of renumber backend
+ * Add a function for overwriting container config
+ * enable podman-remote pod rm
+ * vendor containers/image v1.4
+ * Adjust LISTEN_PID for reexec in varlink mode
+ * Update c/storage vendor to v1.10 release
+ * add newline to images output
+ * podman-remote save [image]
+ * hack/tree_status.sh: preserve new lines
+ * remove duplicate kill from `podman --help`
+ * iopodman.SearchImages: add ImageSearchFilter to Varlink API
+ * image.SearchImages: use SearchFilter type
+ * SearchImages: extend API with filter parameter
+ * podman-search: refactor code to libpod/image/search.go
+ * podman-search: run in parallel
+ * Ensure that userns is created for stopped rootless pods
+ * Podman pod create now errors on receiving CLI args
+ * podman-remote pull
+ * Don't start running dependencies
+ * Fifth chunk of Cobra Examples
+ * Add 4th chunk of Cobra Examples
+ * OpenTracing support added to start, stop, run, create, pull, and ps
+ * packer: Make Makefile host arch sensitive
+ * Add 3rd chunk of Cobra examples
+ * pod infra container is started before a container in a pod is run, started, or attached.
+ * Add registry name to fields returned by varlink image search
+ * Second chunk of Cobra help
+ * podman: honor --storage-opt again
+ * docs: mention the new OCI runtime configuration
+ * libpod: honor runtime_path from libpod.conf
+ * rootless: open the correct file
+ * Fix `podman login` lying problem
+ * Fix error code retrieval for podman start --attach
+ * Enable --rm with --detach
+ * Add examples for Cobra
+ * Add tlsVerify bool to SearchImage for varlink
+ * Fix volume handling in podman
+ * enable podman-remote volume prune
+ * add build to main and as subcommand to image
+ * --password-stdin flag in `podman login`
+ * 'podman cp' copy between host and container
+ * podman-remote build
+ * Vendor in latest c/storage and c/image
+ * show container ports of network namespace
+ * podman-remote volume inspect|ls
+ * build varlink without GOPATH
+ * completions: add --pod to run/create
+ * Parse fq name correctly for images
+ * Try disabling --rm on notify_socket test
+ * podman-remote push
+ * get_ci_vm : allow running without sudo
+ * Only build varlink when buildtag is available
+ * Remove a lot of '--rm' options from unit tests
+ * Address review comments on #2319
+ * Retain a copy of container exit file on cleanup
+ * Fix manual detach from containers to not wait for exit
+ * varlink: Rename `SearchImage` to `SearchImages`
+ * varlink: Rename `ContainerInList` to `Container`
+ * varlink: Rename `ImageInList` to `Image`
+ * varlink: Simplify GetVersion() call
+ * varlink: Return all times in RFC 3339 format
+ * Makefile: Don't include quotes around GIT_COMMIT
+ * varlink: Remove the Ping() method
+ * podman: Show error when creating varlink listener failed
+ * varlink: Remove `NotImplemented` type
+ * Don't show global flags except for podman command
+ * podman-remote volume rm
+ * Remove urfave/cli from libpod
+ * podman-remote volume create
+ * Separate remote and local commands
+ * lock and sync container before checking mountpoint
+ * oci: do not set XDG_RUNTIME_DIR twice
+ * pod: drop not valid check for rootless
+ * Podman pod stats -- fix GO template output
+ * Add troubleshooting information about running a rootless containers.
+ * Add --all-tags to pull command
+ * Add common_test.go to single test instructions
+ * Remove container from storage on --force
+ * do not crash when displaying dangling images
+ * Add volume mounts to PS output
+ * Update image-trust man with further comments
+ * Migrate to cobra CLI
+ * Remove some dead type declarations
+ * Fix down/missing registry.access.redhat.com
+ * cleanup: use the correct runtime
+ * make vendor: always check for latest vndr
+ * install.md: add section about vendoring
+ * Add varlink generate to the make documentation
+ * Mention OSes that pass the build
+ * Generate make helping message dynamicaly.
+ * Makefile: minor fix to reenable system tests
+ * Add StartPeriod to cmd/podman/docker.HealthConfig
+ * Unconditionally refresh storage options from config
+ * rootless: do not override /dev/pts if not needed
+ * Fix handling of memory limits via varlink
+ * Add documentation on running systemd on SELinux systems
+ * Cirrus: add vendor_check_task
+ * cleanup vendor directory
+ * Revert "Vendor containers/buildah"
+ * e2e tests: sigproxy: fix rare hang condition
+ * Preserve exited state across reboot
+ * Apply 50min timeout to integration tests
+ * Capatilize all usage and descriptions
+ * Add podman system prune and info commands
+ * podman-remote import|export
+ * tests: allow to override the OCI runtime
+ * rootless: copy some settings from the global configuration
+ * Vendor containers/buildah
+ * Increase e2e info/json test exit timeout
+ * Touch up image-trust man
+ * Rework Podman description
+ * vendor latest containers/image
+ * Reduce Dockerfile based build time for libpod.
+ * libpod/image: Use RepoDigests() in Inspect()
+ * add Pod Manager References
+ * Add support for short option -f in podman version
+ * Add support for short option -s in podman inspect
+ * Add support for short option -f
+ * Changes to container runlabel for toolbox project
+ * Fix regression in ps with custom format
+ * Set SELinux type on bin/podman after install
+ * Cirrus: Add RHEL-7 testing
+ * For consistency in usage output the verbs changed from 3rd person to 1st person.
+ * podman image prune -- implement all flag
+ * Alter varlink API for ListContainerMounts to return a map
+ * Make --quiet work in podman create/run
+ * apparmor: don't load default profile in rootless mode
+ * Cirrus: Enable AppArmor build and test
+ * Update ArchLinux installation instructions
+ * tutorials: describe how to use podman in updates-testing
+ * [skip ci] Cirrus: Container for tracking image use
+ * Cirrus: Use freshly built images
+ * remove sudo
+ * Vendor in latest containers/storage
+ * Show a better error message when podman info fails during a refresh
+ * enable podman-remote version
+ * Update transfer.md and commands.md to add missing commands.
+ * rootless: support port redirection from the host
+ * Mask unimplemeted commands for remote client
+ * Vendor in latest opencontainers/selinux
+ * podman-remote inspect
+ * Vendor in latest containers/storage
+ * rootless: fix --pid=host without --privileged
+ * Do not unmarshal into c.config.Spec
+ * podman-inspect: don't ignore errors
+ * Add openSUSE Kubic to install.md
+ * cirrus: Record start/end time of important things
+ * Cirrus: Consolidate VM image names in once place
+ * Update README for v1.0.0
+ * Installing podman
+ * Ensure that wait exits on state transition
+ * Vendor in containers/storage
+ * Add --latest and --all to podman mount/umount
+ * Cleanup coverity scan issues
+ * Embed runtime struct in super localRuntime
+ * Collaberative podman-remote container exists
+ * Fix up `image sign` in PR 2108
+ * add support for podman-remote history
+ * Rename localRuntime to runtime in cmd/podman
+ * podman remote integrations tests
+ * podman remote client -- add rmi
+ * Run integrations test with remote-client
+ * [skip ci] Hack: Fix get_ci_vm.sh w/ gcloud ssh/scp
+ * Update master branch with v1.0 changes from 1.0 branch
+ * Add local storage.conf example to troubleshoot
+ * config: store the runtime used to create each container
+ * oci: allow to define multiple OCI runtimes
+ * libpod: allow multiple oci runtimes
+ * Remove imageParts.{isTagged,registry,name,tag}
+ * Clarify comments about isRegistry a bit.
+ * Use imageParts.unnormalizedRef in GetImageBaseName
+ * FIXME? Introduce imageParts.suspiciousRefNameTagValuesForSearch
+ * Use imageParts.referenceWithRegistry in Image.getLocalImage
+ * Don't try to look up local images with an explicit :latest suffix
+ * Return a reference.Named from normalizedTag
+ * Use reference.TagNameOnly instead of manually adding imageParts.tag in normalizeTag
+ * Use imageParts.normalizedReference in normalizeTag
+ * Add imageParts.normalizedReference()
+ * Use imageparts.referenceWithRegistry in normalizeTag
+ * Remove no longer used imageParts.assemble()
+ * Use getPullRefPair / getSinglePullRefPairGoal in pullGoalFromPossiblyUnqualifiedName
+ * Use imageParts.referenceWithRegistry in pullGoalFromPossiblyUnqualifiedName
+ * Use imageParts.referenceWithRegistry in getPullRefPair
+ * Add imageParts.referenceWithRegistry
+ * Don't use imageParts.assemble when pulling from a qualified name
+ * Reorganize normalizeTag
+ * Simplify pullGoalFromPossiblyUnqualifiedName
+ * Remove imageParts.transport
+ * Simplify pullGoalFromPossiblyUnqualifiedName
+ * Inline imageParts.assembleWithTransport into callers
+ * Record the original reference.Named in imageParts
+ * Drop image.DecomposeString, make image.Parts private imageParts again
+ * Don't call image.DecomposeString in imageInListToContainerImage
+ * Add bridge support, for the varlink connection
+ * Add troubleshooting statement for homedirs mounted noexec
+ * Set default storage options from mounts.conf file.
+ * podman play kube: add containers to pod
+ * Add darwin support for remote-client
+ * vendor: update everything
+ * vendor make target
+ * rootless: create the userns immediately when creating a new pod
+ * rootless: join both userns and mount namespace with --pod
+ * spec: add nosuid,noexec,nodev to ro bind mount
+ * Use multi-arch images in test case scripts
+ * Add varlink support for prune
+ * Replace tab with spaces in MarshalIndent in libpod
+ * Remove one more usage of encoding/json in libpod
+ * Update vendor.conf for jsoniter vendor changes
+ * Move all libpod/ JSON references over to jsoniter
+ * Update json-iterator vendor to v1.1.5
+ * Remove easyjson in preparation for switch to jsoniter
+ * remote-client support for images
+ * Move python code from contrib to it's own repo python-podman
+ * Use defaults if paths are not specified in storage.conf
+ * (Minor) Cirrus: Print timestamp at start
+ * fix up sigstore path
+ * Trivial readme updates
+ * podman: bump RLIMIT_NOFILE also without CAP_SYS_RESOURCE
+ * Fix handling of nil volumes
+ * sign: make all error messages lowercase
+ * sign: use filepath.Join instead of fmt.Sprintf
+ * createconfig: always cleanup a rootless container
+ * Fix 'image trust' from PR1899
+ * libpod/image: Use ParseNormalizedNamed in RepoDigests
+ * apparmor: apply default profile at container initialization
+ * Fix up image sign and trust
+ * If you fail to open shm lock then attempt to create it
+ * List the long variant of each option before its shorter counterpart
+ * Use existing interface to request IP address during restore
+ * Added checkpoint/restore test for same IP
+ * Enable checkpoint test with established TCP connections
+ * .github/ISSUE_TEMPLATE: Suggest '/kind bug' and '/kind feature'
+ * pkg/hooks/exec: Include failed command in hook errors
+ * hooks/exec/runtimeconfigfilter: Log config changes
+ * hooks: Add pre-create hooks for runtime-config manipulation
+ * Add Validate completions
+ * Add a --workdir option to 'podman exec'
+ * Default --sig-proxy to true for 'podman start --attach'
+ * Test that 'podman start --sig-proxy' does not work without --attach
+ * [WIP]Support podman image sign
+ * vendor latest buildah
+ * Honor image environment variables with exec
+ * Minor: Remove redundant basename command in ooe.sh
+ * Rename libpod.Config back to ContainerConfig
+ * Add ability to build golang remote client
+ * vendor latest buildah
+ * Add the configuration file used to setup storage to podman info
+ * Address lingering review comments from SHM locking PR
+ * podman: set umask to 022
+ * podman-login: adhere to user input
+ * Vendor in latest containers/buildah code
+ * Rootless with shmlocks was not working.
+ * Readd Python testing
+ * Update vendor of runc
+ * [skip ci] Docs: Add Bot Interactions section
+ * container runlabel NAME implementation
+ * Bump time for build_each_commit step
+ * Move lock init after tmp dir is populated properly
+ * DO NOT MERGE temporarily remove python tests
+ * When refreshing libpod, if SHM locks exist, remove them
+ * Ensure different error messages and creating/opening locks
+ * Update unit tests to use in-memory lock manager
+ * Remove runtime lockDir and add in-memory lock manager
+ * Convert pods to SHM locks
+ * Convert containers to SHM locking
+ * Add lock manager to libpod runtime
+ * Move to POSIX mutexes for SHM locks
+ * Disable lint on SHMLock struct
+ * Refactor locks package to build on non-Linux
+ * Add an SHM-backed Lock Manager implementation
+ * Add interface for libpod multiprocess locks
+ * Improve documentation and unit tests for SHM locks
+ * Propogate error codes from SHM lock creation and open
+ * Add mutex invariant to SHM semaphores.
+ * Initial skeleton of in-memory locks
+ * add container-init support
+ * If local storage file exists, then use it rather then defaults.
+ * vendor in new containers/storage
+ * Fix completions
+ * Touch up some troubleshooting nits
+ * Warn on overriding user-specified storage driver w/ DB
+ * Log container command before starting the container
+ * Use sprintf to generate port numbers while committing
+ * Add troubleshooting for sparse files
+ * Fix handling of symbolic links
+ * podman build is not using the default oci-runtime
+ * Re-enable checkpoint/restore CI tests on Fedora
+ * Fixes to handle /dev/shm correctly.
+ * rootless tests using stop is more reliable
+ * Allow alias for list, ls, ps to work
+ * Refactor: use idtools.ParseIDMap instead of bundling own version
+ * cirrus: Use updated images including new crui
+ * Switch all referencs to image.ContainerConfig to image.Config
+ * Allow users to specify a directory for additonal devices
+ * Change all 'can not' to 'cannot' for proper usage
+ * Invalid index for array
+ * Vendor in latest psgo code to fix race conditions
+ * test: add test for rootless export
+ * export: fix usage with rootless containers
+ * rootless: add function to join user and mount namespace
+ * libpod: always store the conmon pid file
+ * Use existing CRIU packages in CI setup
+ * skip test for blkio.weight when kernel does not support it
+ * Add Play
+ * Cirrus: Skip build all commits test on master
+ * prepare for move to validate on 1.11 only
+ * [skip ci] Gate: Update docs w/ safer local command
+ * Support podman image trust command
+ * Makefile: validate that each commit can at least build
+ * perf test a stress test to profile CPU load of podman
+ * all flakes must die
+ * Add information on --restart
+ * generate service object inline
+ * Cirrus: One IRC notice only
+ * docs/tutorials: add a basic network config
+ * display proper error when rmi -fa with infra containers
+ * add --get-login command to podman-login.
+ * Show image only once with images -q
+ * Add script to create CI VMs for debugging
+ * Cirrus: Migrate PAPR testing of F28 to Cirrus
+ * Skip checkpoint tests on Fedora <30
+ * Cirrus: Add text editors to cache-images
+ * Bump gitvalidation epoch
+ * Bump to v0.12.2-dev
+ * Clean up some existing varlink endpoints
+ * mount: allow mount only when using vfs
+
- Changelog for v1.0.0 (2018-1-11)
* Update release notes for v1.0
* Remove clientintegration from Makefile
diff --git a/cmd/podman/cleanup.go b/cmd/podman/cleanup.go
index d68255aa2..33d456643 100644
--- a/cmd/podman/cleanup.go
+++ b/cmd/podman/cleanup.go
@@ -60,7 +60,7 @@ func cleanupCmd(c *cliconfig.CleanupValues) error {
for _, ctr := range cleanupContainers {
hadError := false
if c.Remove {
- if err := runtime.RemoveContainer(ctx, ctr, false, false); err != nil {
+ if err := runtime.RemoveContainer(ctx, ctr, false, true); err != nil {
if lastError != nil {
fmt.Fprintln(os.Stderr, lastError)
}
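Review bot: The `true` now passed as the fourth argument of `runtime.RemoveContainer` is a bare boolean whose meaning is invisible at the call site; judging by the removeContainer hunk in libpod/runtime_ctr.go it enables volume removal, which cleanup now triggers automatically on container exit. A one-line comment above the call would make that intent reviewable, e.g. `// also remove volumes libpod created specifically for this container`. The same applies to `ctr.Start(ctx, true)` in cmd/podman/play_kube.go, where the new second argument (presumably "start dependencies", per the release notes) is equally opaque. cleanupCmd starts before this hunk.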
diff --git a/cmd/podman/logs.go b/cmd/podman/logs.go
index 97d835d8f..40ae2c846 100644
--- a/cmd/podman/logs.go
+++ b/cmd/podman/logs.go
@@ -38,7 +38,7 @@ func init() {
flags := logsCommand.Flags()
flags.BoolVar(&logsCommand.Details, "details", false, "Show extra details provided to the logs")
flags.BoolVarP(&logsCommand.Follow, "follow", "f", false, "Follow log output. The default is false")
- flags.BoolVarP(&waitCommand.Latest, "latest", "l", false, "Act on the latest container podman is aware of")
+ flags.BoolVarP(&logsCommand.Latest, "latest", "l", false, "Act on the latest container podman is aware of")
flags.StringVar(&logsCommand.Since, "since", "", "Show logs since TIMESTAMP")
flags.Uint64Var(&logsCommand.Tail, "tail", 0, "Output the specified number of LINES at the end of the logs. Defaults to 0, which prints all lines")
flags.BoolVarP(&logsCommand.Timestamps, "timestamps", "t", false, "Output the timestamps in the log")
diff --git a/cmd/podman/play_kube.go b/cmd/podman/play_kube.go
index a59460b71..1a45cbed9 100644
--- a/cmd/podman/play_kube.go
+++ b/cmd/podman/play_kube.go
@@ -153,7 +153,7 @@ func playKubeYAMLCmd(c *cliconfig.KubePlayValues) error {
// start the containers
for _, ctr := range containers {
- if err := ctr.Start(ctx, false); err != nil {
+ if err := ctr.Start(ctx, true); err != nil {
// Making this a hard failure here to avoid a mess
// the other containers are in created status
return err
diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in
index bf75522dc..703b942b6 100644
--- a/contrib/spec/podman.spec.in
+++ b/contrib/spec/podman.spec.in
@@ -39,7 +39,7 @@
%global shortcommit_conmon %(c=%{commit_conmon}; echo ${c:0:7})
Name: podman
-Version: 1.0.1
+Version: 1.2.0
Release: #COMMITDATE#.git%{shortcommit0}%{?dist}
Summary: Manage Pods, Containers and Container Images
License: ASL 2.0
diff --git a/libpod/options.go b/libpod/options.go
index 184d5d59f..1e8592a25 100644
--- a/libpod/options.go
+++ b/libpod/options.go
@@ -1248,6 +1248,22 @@ func WithVolumeOptions(options map[string]string) VolumeCreateOption {
}
}
+// withSetCtrSpecific sets a bool notifying libpod that a volume was created
+// specifically for a container.
+// These volumes will be removed when the container is removed and volumes are
+// also specified for removal.
+func withSetCtrSpecific() VolumeCreateOption {
+ return func(volume *Volume) error {
+ if volume.valid {
+ return ErrVolumeFinalized
+ }
+
+ volume.config.IsCtrSpecific = true
+
+ return nil
+ }
+}
+
// Pod Creation Options
// WithPodName sets the name of the pod.
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index 2ec8d0795..cfa4f9654 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -180,7 +180,7 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options ..
if vol.Source[0] != '/' && isNamedVolume(vol.Source) {
volInfo, err := r.state.Volume(vol.Source)
if err != nil {
- newVol, err := r.newVolume(ctx, WithVolumeName(vol.Source))
+ newVol, err := r.newVolume(ctx, WithVolumeName(vol.Source), withSetCtrSpecific())
if err != nil {
return nil, errors.Wrapf(err, "error creating named volume %q", vol.Source)
}
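Review bot: The branch that now creates a container-owned volume is entered on any error from `r.state.Volume(vol.Source)`, not only on "no such volume", so a state lookup failure of another kind is treated as "the volume does not exist" and the container ends up claiming ownership, and later deletion rights, over a name that may already be in use. Narrowing the condition keeps the new ownership flag tied to genuinely new volumes: `if errors.Cause(err) != ErrNoSuchVolume { return nil, errors.Wrapf(err, "error looking up volume %q", vol.Source) }` before the `newVolume` call. Whether `newVolume` itself rejects a duplicate name is not visible here. newContainer starts and ends outside this hunk.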
@@ -421,6 +421,9 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool,
for _, v := range volumes {
if volume, err := runtime.state.Volume(v); err == nil {
+ if !volume.IsCtrSpecific() {
+ continue
+ }
if err := runtime.removeVolume(ctx, volume, false); err != nil && err != ErrNoSuchVolume && err != ErrVolumeBeingUsed {
logrus.Errorf("cleanup volume (%s): %v", v, err)
}
diff --git a/libpod/volume.go b/libpod/volume.go
index 74878b6a4..0c7618841 100644
--- a/libpod/volume.go
+++ b/libpod/volume.go
@@ -15,11 +15,12 @@ type VolumeConfig struct {
// Name of the volume
Name string `json:"name"`
- Labels map[string]string `json:"labels"`
- MountPoint string `json:"mountPoint"`
- Driver string `json:"driver"`
- Options map[string]string `json:"options"`
- Scope string `json:"scope"`
+ Labels map[string]string `json:"labels"`
+ MountPoint string `json:"mountPoint"`
+ Driver string `json:"driver"`
+ Options map[string]string `json:"options"`
+ Scope string `json:"scope"`
+ IsCtrSpecific bool `json:"ctrSpecific"`
}
// Name retrieves the volume's name
@@ -60,3 +61,10 @@ func (v *Volume) Options() map[string]string {
func (v *Volume) Scope() string {
return v.config.Scope
}
+
+// IsCtrSpecific returns whether this volume was created specifically for a
+// given container. Images with this set to true will be removed when the
+// container is removed with the Volumes parameter set to true.
+func (v *Volume) IsCtrSpecific() bool {
+ return v.config.IsCtrSpecific
+}
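Review bot: The doc comment on IsCtrSpecific says "Images with this set to true will be removed", but the method is on `*Volume` and the flag governs volume removal, not image removal; it should read `// given container. Volumes with this set to true will be removed when the` so a reader does not go looking for image cleanup. It would also help to say where the flag comes from, since nothing in this file sets it: `// The flag is set only by libpod when it implicitly creates a named volume for a container and is persisted in the volume config.`.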
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index 50e07ee74..31039bfdf 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -240,7 +240,7 @@ func (c *CreateConfig) GetVolumeMounts(specMounts []spec.Mount) ([]spec.Mount, e
}
for vol := range c.BuiltinImgVolumes {
- if libpod.MountExists(specMounts, vol) {
+ if libpod.MountExists(specMounts, vol) || libpod.MountExists(m, vol) {
continue
}
diff --git a/vendor.conf b/vendor.conf
index 678807d1c..f739c76f4 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -93,7 +93,7 @@ k8s.io/apimachinery kubernetes-1.10.13-beta.0 https://github.com/kubernetes/apim
k8s.io/client-go kubernetes-1.10.13-beta.0 https://github.com/kubernetes/client-go
github.com/mrunalp/fileutils 7d4729fb36185a7c1719923406c9d40e54fb93c7
github.com/varlink/go 3ac79db6fd6aec70924193b090962f92985fe199
-github.com/containers/buildah v1.7
+github.com/containers/buildah v1.7.1
# TODO: Gotty has not been updated since 2012. Can we find replacement?
github.com/Nvveen/Gotty cd527374f1e5bff4938207604a14f2e38a9cf512
# do not go beyond the below commit as the next one requires a more recent
diff --git a/vendor/github.com/containers/buildah/README.md b/vendor/github.com/containers/buildah/README.md
index 12eafdf88..913a4336f 100644
--- a/vendor/github.com/containers/buildah/README.md
+++ b/vendor/github.com/containers/buildah/README.md
@@ -35,18 +35,23 @@ For blogs, release announcements and more, please checkout the [buildah.io](http
## Buildah and Podman relationship
-Buildah and Podman are two complementary Open-source projects that are available on
-most Linux platforms and both projects reside at [GitHub.com](https://github.com)
-with Buildah [here](https://github.com/containers/buildah) and
-Podman [here](https://github.com/containers/libpod). Both Buildah and Podman are
-command line tools that work on OCI images and containers. The two projects
-differentiate in their specialization.
+Buildah and Podman are two complementary open-source projects that are
+available on most Linux platforms and both projects reside at
+[GitHub.com](https://github.com) with Buildah
+[here](https://github.com/containers/buildah) and Podman
+[here](https://github.com/containers/libpod). Both, Buildah and Podman are
+command line tools that work on Open Container Initiative (OCI) images and
+containers. The two projects differentiate in their specialization.
Buildah specializes in building OCI images. Buildah's commands replicate all
-of the commands that are found in a Dockerfile. Buildah’s goal is also to
-provide a lower level coreutils interface to build images, allowing people to build
-containers without requiring a Dockerfile. The intent with Buildah is to allow other
-scripting languages to build container images, without requiring a daemon.
+of the commands that are found in a Dockerfile. This allows building images
+with and without Dockerfiles while not requiring any root privileges.
+Buildah’s ultimate goal is to provide a lower-level coreutils interface to
+build images. The flexibility of building images without Dockerfiles allows
+for the integration of other scripting languages into the build process.
+Buildah follows a simple fork-exec model and does not run as a daemon
+but it is based on a comprehensive API in golang, which can be vendored
+into other tools.
Podman specializes in all of the commands and functions that help you to maintain and modify
OCI images, such as pulling and tagging. It also allows you to create, run, and maintain those containers
@@ -55,12 +60,12 @@ created from those images.
A major difference between Podman and Buildah is their concept of a container. Podman
allows users to create "traditional containers" where the intent of these containers is
to be long lived. While Buildah containers are really just created to allow content
-to be added back to the container image. An easy way to think of it is the
+to be added back to the container image. An easy way to think of it is the
`buildah run` command emulates the RUN command in a Dockerfile while the `podman run`
command emulates the `docker run` command in functionality. Because of this and their underlying
storage differences, you can not see Podman containers from within Buildah or vice versa.
-In short Buildah is an efficient way to create OCI images while Podman allows
+In short, Buildah is an efficient way to create OCI images while Podman allows
you to manage and maintain those images and containers in a production environment using
familiar container cli commands. For more details, see the
[Container Tools Guide](https://github.com/containers/buildah/tree/master/docs/containertools).
diff --git a/vendor/github.com/containers/buildah/buildah.go b/vendor/github.com/containers/buildah/buildah.go
index 755bc348e..cca80a308 100644
--- a/vendor/github.com/containers/buildah/buildah.go
+++ b/vendor/github.com/containers/buildah/buildah.go
@@ -26,7 +26,7 @@ const (
Package = "buildah"
// Version for the Package. Bump version in contrib/rpm/buildah.spec
// too.
- Version = "1.7"
+ Version = "1.7.1"
// The value we use to identify what type of information, currently a
// serialized Builder structure, we are using as per-container state.
// This should only be changed when we make incompatible changes to
diff --git a/vendor/github.com/containers/buildah/new.go b/vendor/github.com/containers/buildah/new.go
index 01c2e733f..768cdd0c6 100644
--- a/vendor/github.com/containers/buildah/new.go
+++ b/vendor/github.com/containers/buildah/new.go
@@ -303,7 +303,7 @@ func newBuilder(ctx context.Context, store storage.Store, options BuilderOptions
}
conflict := 100
- for true {
+ for {
coptions := storage.ContainerOptions{
LabelOpts: options.CommonBuildOpts.LabelOpts,
IDMappingOptions: newContainerIDMappingOptions(options.IDMappingOptions),
diff --git a/vendor/github.com/containers/buildah/pkg/cli/common.go b/vendor/github.com/containers/buildah/pkg/cli/common.go
index 09f951b35..f167353b8 100644
--- a/vendor/github.com/containers/buildah/pkg/cli/common.go
+++ b/vendor/github.com/containers/buildah/pkg/cli/common.go
@@ -125,7 +125,7 @@ func GetNameSpaceFlags(flags *NameSpaceResults) pflag.FlagSet {
func GetLayerFlags(flags *LayerResults) pflag.FlagSet {
fs := pflag.FlagSet{}
fs.BoolVar(&flags.ForceRm, "force-rm", false, "Always remove intermediate containers after a build, even if the build is unsuccessful.")
- fs.BoolVar(&flags.Layers, "layers", false, fmt.Sprintf("cache intermediate layers during build. Use BUILDAH_LAYERS environment variable to override. (default %t)", UseLayers()))
+ fs.BoolVar(&flags.Layers, "layers", UseLayers(), fmt.Sprintf("cache intermediate layers during build. Use BUILDAH_LAYERS environment variable to override."))
return fs
}
@@ -152,7 +152,7 @@ func GetBudFlags(flags *BudResults) pflag.FlagSet {
fs.BoolVar(&flags.Pull, "pull", true, "pull the image if not present")
fs.BoolVar(&flags.PullAlways, "pull-always", false, "pull the image, even if a version is present")
fs.BoolVarP(&flags.Quiet, "quiet", "q", false, "refrain from announcing build instructions and image read/write progress")
- fs.BoolVar(&flags.Rm, "rm", true, "Remove intermediate containers after a successful build (default true)")
+ fs.BoolVar(&flags.Rm, "rm", true, "Remove intermediate containers after a successful build")
fs.StringVar(&flags.Runtime, "runtime", util.Runtime(), "`path` to an alternate runtime. Use BUILDAH_RUNTIME environment variable to override.")
fs.StringSliceVar(&flags.RuntimeFlags, "runtime-flag", []string{}, "add global flags for the container runtime")
fs.StringVar(&flags.SignaturePolicy, "signature-policy", "", "`pathname` of signature policy file (not usually used)")
diff --git a/vendor/github.com/containers/buildah/pkg/secrets/secrets.go b/vendor/github.com/containers/buildah/pkg/secrets/secrets.go
new file mode 100644
index 000000000..242953609
--- /dev/null
+++ b/vendor/github.com/containers/buildah/pkg/secrets/secrets.go
@@ -0,0 +1,319 @@
+package secrets
+
+import (
+ "bufio"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+ "strings"
+
+ "github.com/containers/libpod/pkg/rootless"
+ rspec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
+)
+
+var (
+ // DefaultMountsFile holds the default mount paths in the form
+ // "host_path:container_path"
+ DefaultMountsFile = "/usr/share/containers/mounts.conf"
+ // OverrideMountsFile holds the default mount paths in the form
+ // "host_path:container_path" overridden by the user
+ OverrideMountsFile = "/etc/containers/mounts.conf"
+ // UserOverrideMountsFile holds the default mount paths in the form
+ // "host_path:container_path" overridden by the rootless user
+ UserOverrideMountsFile = filepath.Join(os.Getenv("HOME"), ".config/containers/mounts.conf")
+)
+
+// secretData stores the name of the file and the content read from it
+type secretData struct {
+ name string
+ data []byte
+}
+
+// saveTo saves secret data to given directory
+func (s secretData) saveTo(dir string) error {
+ path := filepath.Join(dir, s.name)
+ if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil && !os.IsExist(err) {
+ return err
+ }
+ return ioutil.WriteFile(path, s.data, 0700)
+}
+
+func readAll(root, prefix string) ([]secretData, error) {
+ path := filepath.Join(root, prefix)
+
+ data := []secretData{}
+
+ files, err := ioutil.ReadDir(path)
+ if err != nil {
+ if os.IsNotExist(err) {
+ return data, nil
+ }
+
+ return nil, err
+ }
+
+ for _, f := range files {
+ fileData, err := readFile(root, filepath.Join(prefix, f.Name()))
+ if err != nil {
+ // If the file did not exist, might be a dangling symlink
+ // Ignore the error
+ if os.IsNotExist(err) {
+ continue
+ }
+ return nil, err
+ }
+ data = append(data, fileData...)
+ }
+
+ return data, nil
+}
+
+func readFile(root, name string) ([]secretData, error) {
+ path := filepath.Join(root, name)
+
+ s, err := os.Stat(path)
+ if err != nil {
+ return nil, err
+ }
+
+ if s.IsDir() {
+ dirData, err := readAll(root, name)
+ if err != nil {
+ return nil, err
+ }
+ return dirData, nil
+ }
+ bytes, err := ioutil.ReadFile(path)
+ if err != nil {
+ return nil, err
+ }
+ return []secretData{{name: name, data: bytes}}, nil
+}
+
+func getHostSecretData(hostDir string) ([]secretData, error) {
+ var allSecrets []secretData
+ hostSecrets, err := readAll(hostDir, "")
+ if err != nil {
+ return nil, errors.Wrapf(err, "failed to read secrets from %q", hostDir)
+ }
+ return append(allSecrets, hostSecrets...), nil
+}
+
+func getMounts(filePath string) []string {
+ file, err := os.Open(filePath)
+ if err != nil {
+ // This is expected on most systems
+ logrus.Debugf("file %q not found, skipping...", filePath)
+ return nil
+ }
+ defer file.Close()
+ scanner := bufio.NewScanner(file)
+ if err = scanner.Err(); err != nil {
+ logrus.Errorf("error reading file %q, %v skipping...", filePath, err)
+ return nil
+ }
+ var mounts []string
+ for scanner.Scan() {
+ mounts = append(mounts, scanner.Text())
+ }
+ return mounts
+}
+
+// getHostAndCtrDir separates the host:container paths
+func getMountsMap(path string) (string, string, error) {
+ arr := strings.SplitN(path, ":", 2)
+ if len(arr) == 2 {
+ return arr[0], arr[1], nil
+ }
+ return "", "", errors.Errorf("unable to get host and container dir")
+}
+
+// SecretMounts copies, adds, and mounts the secrets to the container root filesystem
+func SecretMounts(mountLabel, containerWorkingDir, mountFile string) []rspec.Mount {
+ return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0)
+}
+
+// SecretMountsWithUIDGID specifies the uid/gid of the owner
+func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int) []rspec.Mount {
+ var (
+ secretMounts []rspec.Mount
+ mountFiles []string
+ )
+ // Add secrets from paths given in the mounts.conf files
+ // mountFile will have a value if the hidden --default-mounts-file flag is set
+ // Note for testing purposes only
+ if mountFile == "" {
+ mountFiles = append(mountFiles, []string{OverrideMountsFile, DefaultMountsFile}...)
+ if rootless.IsRootless() {
+ mountFiles = append([]string{UserOverrideMountsFile}, mountFiles...)
+ _, err := os.Stat(UserOverrideMountsFile)
+ if err != nil && os.IsNotExist(err) {
+ os.MkdirAll(filepath.Dir(UserOverrideMountsFile), 0755)
+ if f, err := os.Create(UserOverrideMountsFile); err != nil {
+ logrus.Warnf("could not create file %s: %v", UserOverrideMountsFile, err)
+ } else {
+ f.Close()
+ }
+ }
+ }
+ } else {
+ mountFiles = append(mountFiles, mountFile)
+ }
+ for _, file := range mountFiles {
+ if _, err := os.Stat(file); err == nil {
+ mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
+ if err != nil {
+ logrus.Warnf("error mounting secrets, skipping: %v", err)
+ }
+ secretMounts = mounts
+ break
+ }
+ }
+
+ // Add FIPS mode secret if /etc/system-fips exists on the host
+ _, err := os.Stat("/etc/system-fips")
+ if err == nil {
+ if err := addFIPSModeSecret(&secretMounts, containerWorkingDir); err != nil {
+ logrus.Errorf("error adding FIPS mode secret to container: %v", err)
+ }
+ } else if os.IsNotExist(err) {
+ logrus.Debug("/etc/system-fips does not exist on host, not mounting FIPS mode secret")
+ } else {
+ logrus.Errorf("stat /etc/system-fips failed for FIPS mode secret: %v", err)
+ }
+ return secretMounts
+}
+
+func rchown(chowndir string, uid, gid int) error {
+ return filepath.Walk(chowndir, func(filePath string, f os.FileInfo, err error) error {
+ return os.Lchown(filePath, uid, gid)
+ })
+}
+
+// addSecretsFromMountsFile copies the contents of host directory to container directory
+// and returns a list of mounts
+func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
+ var mounts []rspec.Mount
+ defaultMountsPaths := getMounts(filePath)
+ for _, path := range defaultMountsPaths {
+ hostDir, ctrDir, err := getMountsMap(path)
+ if err != nil {
+ return nil, err
+ }
+ // skip if the hostDir path doesn't exist
+ if _, err = os.Stat(hostDir); err != nil {
+ if os.IsNotExist(err) {
+ logrus.Warnf("Path %q from %q doesn't exist, skipping", hostDir, filePath)
+ continue
+ }
+ return nil, errors.Wrapf(err, "failed to stat %q", hostDir)
+ }
+
+ ctrDirOnHost := filepath.Join(containerWorkingDir, ctrDir)
+
+ // In the event of a restart, don't want to copy secrets over again as they already would exist in ctrDirOnHost
+ _, err = os.Stat(ctrDirOnHost)
+ if os.IsNotExist(err) {
+ if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
+ return nil, errors.Wrapf(err, "making container directory %q failed", ctrDirOnHost)
+ }
+ hostDir, err = resolveSymbolicLink(hostDir)
+ if err != nil {
+ return nil, err
+ }
+
+ data, err := getHostSecretData(hostDir)
+ if err != nil {
+ return nil, errors.Wrapf(err, "getting host secret data failed")
+ }
+ for _, s := range data {
+ if err := s.saveTo(ctrDirOnHost); err != nil {
+ return nil, errors.Wrapf(err, "error saving data to container filesystem on host %q", ctrDirOnHost)
+ }
+ }
+
+ err = label.Relabel(ctrDirOnHost, mountLabel, false)
+ if err != nil {
+ return nil, errors.Wrap(err, "error applying correct labels")
+ }
+ if uid != 0 || gid != 0 {
+ if err := rchown(ctrDirOnHost, uid, gid); err != nil {
+ return nil, err
+ }
+ }
+ } else if err != nil {
+ return nil, errors.Wrapf(err, "error getting status of %q", ctrDirOnHost)
+ }
+
+ m := rspec.Mount{
+ Source: filepath.Join(mountPrefix, ctrDir),
+ Destination: ctrDir,
+ Type: "bind",
+ Options: []string{"bind", "rprivate"},
+ }
+
+ mounts = append(mounts, m)
+ }
+ return mounts, nil
+}
+
+// addFIPSModeSecret creates /run/secrets/system-fips in the container
+// root filesystem if /etc/system-fips exists on hosts.
+// This enables the container to be FIPS compliant and run openssl in
+// FIPS mode as the host is also in FIPS mode.
+func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error {
+ secretsDir := "/run/secrets"
+ ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
+ if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
+ if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil {
+ return errors.Wrapf(err, "making container directory on host failed")
+ }
+ }
+ fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
+ // In the event of restart, it is possible for the FIPS mode file to already exist
+ if _, err := os.Stat(fipsFile); os.IsNotExist(err) {
+ file, err := os.Create(fipsFile)
+ if err != nil {
+ return errors.Wrapf(err, "error creating system-fips file in container for FIPS mode")
+ }
+ defer file.Close()
+ }
+
+ if !mountExists(*mounts, secretsDir) {
+ m := rspec.Mount{
+ Source: ctrDirOnHost,
+ Destination: secretsDir,
+ Type: "bind",
+ Options: []string{"bind", "rprivate"},
+ }
+ *mounts = append(*mounts, m)
+ }
+
+ return nil
+}
+
+// mountExists checks if a mount already exists in the spec
+func mountExists(mounts []rspec.Mount, dest string) bool {
+ for _, mount := range mounts {
+ if mount.Destination == dest {
+ return true
+ }
+ }
+ return false
+}
+
+// resolveSymbolicLink resolves a possbile symlink path. If the path is a symlink, returns resolved
+// path; if not, returns the original path.
+func resolveSymbolicLink(path string) (string, error) {
+ info, err := os.Lstat(path)
+ if err != nil {
+ return "", err
+ }
+ if info.Mode()&os.ModeSymlink != os.ModeSymlink {
+ return path, nil
+ }
+ return filepath.EvalSymlinks(path)
+}
diff --git a/vendor/github.com/containers/buildah/pull.go b/vendor/github.com/containers/buildah/pull.go
index d1f33fb01..363cf5ce2 100644
--- a/vendor/github.com/containers/buildah/pull.go
+++ b/vendor/github.com/containers/buildah/pull.go
@@ -194,12 +194,12 @@ func Pull(ctx context.Context, imageName string, options PullOptions) error {
errs = multierror.Append(errs, err)
continue
}
- img, err := is.Transport.GetStoreImage(options.Store, ref)
+ taggedImg, err := is.Transport.GetStoreImage(options.Store, ref)
if err != nil {
errs = multierror.Append(errs, err)
continue
}
- fmt.Printf("%s\n", img.ID)
+ fmt.Printf("%s\n", taggedImg.ID)
}
} else {
fmt.Printf("%s\n", img.ID)
diff --git a/vendor/github.com/containers/buildah/run.go b/vendor/github.com/containers/buildah/run.go
index 3a248f4f2..4d6d28380 100644
--- a/vendor/github.com/containers/buildah/run.go
+++ b/vendor/github.com/containers/buildah/run.go
@@ -21,15 +21,15 @@ import (
"github.com/containernetworking/cni/libcni"
"github.com/containers/buildah/bind"
"github.com/containers/buildah/chroot"
+ "github.com/containers/buildah/pkg/secrets"
"github.com/containers/buildah/util"
- "github.com/containers/libpod/pkg/secrets"
"github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/ioutils"
"github.com/containers/storage/pkg/reexec"
"github.com/containers/storage/pkg/stringid"
units "github.com/docker/go-units"
digest "github.com/opencontainers/go-digest"
- "github.com/opencontainers/runtime-spec/specs-go"
+ specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
@@ -840,7 +840,7 @@ func setupNamespaces(g *generate.Generator, namespaceOptions NamespaceOptions, i
// valid resolution.
func runLookupPath(g *generate.Generator, command []string) []string {
// Look for the configured $PATH.
- spec := g.Spec()
+ spec := g.Config
envPath := ""
for i := range spec.Process.Env {
if strings.HasPrefix(spec.Process.Env[i], "PATH=") {
@@ -953,7 +953,7 @@ func (b *Builder) configureNamespaces(g *generate.Generator, options RunOptions)
}
found := false
- spec := g.Spec()
+ spec := g.Config
for i := range spec.Process.Env {
if strings.HasPrefix(spec.Process.Env[i], "HOSTNAME=") {
found = true
@@ -1054,7 +1054,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
// Now grab the spec from the generator. Set the generator to nil so that future contributors
// will quickly be able to tell that they're supposed to be modifying the spec directly from here.
- spec := g.Spec()
+ spec := g.Config
g = nil
logrus.Debugf("ensuring working directory %q exists", filepath.Join(mountPoint, spec.Process.Cwd))
diff --git a/vendor/github.com/containers/buildah/unshare/unshare_unsupported.go b/vendor/github.com/containers/buildah/unshare/unshare_unsupported.go
deleted file mode 100644
index feeceae66..000000000
--- a/vendor/github.com/containers/buildah/unshare/unshare_unsupported.go
+++ /dev/null
@@ -1 +0,0 @@
-package unshare
diff --git a/vendor/github.com/containers/buildah/vendor.conf b/vendor/github.com/containers/buildah/vendor.conf
index 7438fc909..27bf45541 100644
--- a/vendor/github.com/containers/buildah/vendor.conf
+++ b/vendor/github.com/containers/buildah/vendor.conf
@@ -3,7 +3,7 @@ github.com/blang/semver v3.5.0
github.com/BurntSushi/toml v0.2.0
github.com/containerd/continuity 004b46473808b3e7a4a3049c20e4376c91eb966d
github.com/containernetworking/cni v0.7.0-alpha1
-github.com/containers/image v1.4
+github.com/containers/image v1.5
github.com/vbauerster/mpb v3.3.4
github.com/mattn/go-isatty v0.0.4
github.com/VividCortex/ewma v1.1.1
diff --git a/version/version.go b/version/version.go
index 24daf707c..89b5fbd8b 100644
--- a/version/version.go
+++ b/version/version.go
@@ -4,7 +4,7 @@ package version
// NOTE: remember to bump the version at the top
// of the top-level README.md file when this is
// bumped.
-const Version = "1.0.1-dev"
+const Version = "1.2.0-dev"
// RemoteAPIVersion is the version for the remote
// client API. It is used to determine compatibility