diff options
| -rw-r--r-- | README.md | 4 | ||||
| -rw-r--r-- | RELEASE_NOTES.md | 55 | ||||
| -rw-r--r-- | cmd/podman/common/specgen.go | 29 | ||||
| -rw-r--r-- | libpod/image/image.go | 7 | ||||
| -rw-r--r-- | libpod/lock/shm/shm_lock_test.go | 4 | ||||
| -rw-r--r-- | libpod/reset.go | 18 | ||||
| -rw-r--r-- | pkg/api/handlers/libpod/pods.go | 30 | ||||
| -rw-r--r-- | pkg/specgen/generate/container.go | 40 | ||||
| -rw-r--r-- | pkg/specgen/specgen.go | 7 |
9 files changed, 144 insertions, 50 deletions
@@ -5,7 +5,7 @@ Podman (the POD MANager) is a tool for managing containers and images, volumes mounted into those containers, and pods made from groups of containers. Podman is based on libpod, a library for container lifecycle management that is also contained in this repository. The libpod library provides APIs for managing containers, pods, container images, and volumes. -* [Latest Version: 2.0.4](https://github.com/containers/podman/releases/latest) +* [Latest Version: 2.0.5](https://github.com/containers/podman/releases/latest) * Latest Remote client for Windows * Latest Remote client for MacOs * Latest Static Remote client for Linux @@ -21,8 +21,10 @@ At a high level, the scope of Podman and libpod is the following: * Full management of those images, including pulling from various sources (including trust and verification), creating (built via Containerfile or Dockerfile or committed from a container), and pushing to registries and other storage backends. * Full management of container lifecycle, including creation (both from an image and from an exploded root filesystem), running, checkpointing and restoring (via CRIU), and removal. * Support for pods, groups of containers that share resources and are managed together. +* Support for running containers and pods without root or other elevated privileges. * Resource isolation of containers and pods. * Support for a Docker-compatible CLI interface. +* No manager daemon, for improved security and lower resource utilization at idle. * Support for a REST API providing both a Docker-compatible interface and an improved interface exposing advanced Podman functionality. * In the future, integration with [CRI-O](https://github.com/cri-o/cri-o) to share containers and backend code. diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index d6b0eb3dd..41bed3f90 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md @@ -1,5 +1,60 @@ # Release Notes +## 2.0.5 +### Features +- Rootless Podman will now add an entry to `/etc/passwd` for the user who ran Podman if run with `--userns=keep-id`. +- The `podman system connection` command has been reworked to support multiple connections, and reenabled for use! +- Podman now has a new global flag, `--connection`, to specify a connection to a remote Podman API instance. + +### Changes +- Podman's automatic systemd integration (activated by the `--systemd=true` flag, set by default) will now activate for containers using `/usr/local/sbin/init` as their command, instead of just `/usr/sbin/init` and `/sbin/init` (and any path ending in `systemd`). +- Seccomp profiles specified by the `--security-opt seccomp=...` flag to `podman create` and `podman run` will now be honored even if the container was created using `--privileged`. + +### Bugfixes +- Fixed a bug where the `podman play kube` would not honor the `hostIP` field for port forwarding ([#5964](https://github.com/containers/podman/issues/5964)). +- Fixed a bug where the `podman generate systemd` command would panic on an invalid restart policy being specified ([#7271](https://github.com/containers/podman/issues/7271)). +- Fixed a bug where the `podman images` command could take a very long time (several minutes) to complete when a large number of images were present. +- Fixed a bug where the `podman logs` command with the `--tail` flag would not work properly when a large amount of output would be printed ([#7230](https://github.com/containers/podman/issues/7230)). +- Fixed a bug where the `podman exec` command with remote Podman would not return a non-zero exit code when the exec session failed to start (e.g. invoking a non-existent command) ([#6893](https://github.com/containers/podman/issues/6893)). +- Fixed a bug where the `podman load` command with remote Podman would did not honor user-specified tags ([#7124](https://github.com/containers/podman/issues/7124)). +- Fixed a bug where the `podman system service` command, when run as a non-root user by Systemd, did not properly handle the Podman pause process and would not restart properly as a result ([#7180](https://github.com/containers/podman/issues/7180)). +- Fixed a bug where the `--publish` flag to `podman create`, `podman run`, and `podman pod create` did not properly handle a host IP of 0.0.0.0 (attempting to bind to literal 0.0.0.0, instead of all IPs on the system) ([#7104](https://github.com/containers/podman/issues/7014)). +- Fixed a bug where the `podman start --attach` command would not print the container's exit code when the command exited due to the container exiting. +- Fixed a bug where the `podman rm` command with remote Podman would not remove volumes, even if the `--volumes` flag was specified ([#7128](https://github.com/containers/podman/issues/7128)). +- Fixed a bug where the `podman run` command with remote Podman and the `--rm` flag could exit before the container was fully removed. +- Fixed a bug where the `--pod new:...` flag to `podman run` and `podman create` would create a pod that did not share any namespaces. +- Fixed a bug where the `--preserve-fds` flag to `podman run` and `podman exec` could close the wrong file descriptors while trying to close user-provided descriptors after passing them into the container. +- Fixed a bug where default environment variables (`$PATH` and `$TERM`) were not set in containers when not provided by the image. +- Fixed a bug where pod infra containers were not properly unmounted after exiting. +- Fixed a bug where networks created with `podman network create` with an IPv6 subnet did not properly set an IPv6 default route. +- Fixed a bug where the `podman save` command would not work properly when its output was piped to another command ([#7017](https://github.com/containers/podman/issues/7017)). +- Fixed a bug where containers using a systemd init on a cgroups v1 system could leak mounts under `/sys/fs/cgroup/systemd` to the host. +- Fixed a bug where `podman build` would not generate an event on completion ([#7022](https://github.com/containers/podman/issues/7022)). +- Fixed a bug where the `podman history` command with remote Podman printed incorrect creation times for layers ([#7122](https://github.com/containers/podman/issues/7122)). +- Fixed a bug where Podman would not create working directories specified by the container image if they did not exist. +- Fixed a bug where Podman did not clear `CMD` from the container image if the user overrode `ENTRYPOINT` ([#7115](https://github.com/containers/podman/issues/7115)). +- Fixed a bug where error parsing image names were not fully reported (part of the error message containing the exact issue was dropped). +- Fixed a bug where the `podman images` command with remote Podman did not support printing image tags in Go templates supplied to the `--format` flag ([#7123](https://github.com/containers/podman/issues/7123)). +- Fixed a bug where the `podman rmi --force` command would not attempt to unmount containers it was removing, which could cause a failure to remove the image. +- Fixed a bug where the `podman generate systemd --new` command could incorrectly quote arguments to Podman that contained whitespace, leading to nonfunctional unit files ([#7285](https://github.com/containers/podman/issues/7285)). +- Fixed a bug where the `podman version` command did not properly include build time and Git commit. +- Fixed a bug where running systemd in a Podman container on a system that did not use the `systemd` cgroup manager would fail ([#6734](https://github.com/containers/podman/issues/6734)). +- Fixed a bug where capabilities from `--cap-add` were not properly added when a container was started as a non-root user via `--user`. +- Fixed a bug where Pod infra containers were not properly cleaned up when they stopped, causing networking issues ([#7103](https://github.com/containers/podman/issues/7103)). + +### API +- Fixed a bug where the libpod and compat Build endpoints did not accept the `application/tar` content type (instead only accepting `application/x-tar`) ([#7185](https://github.com/containers/podman/issues/7185)). +- Fixed a bug where the libpod Exists endpoint would attempt to write a second header in some error conditions ([#7197](https://github.com/containers/podman/issues/7197)). +- Fixed a bug where compat and libpod Network Inspect and Network Remove endpoints would return a 500 instead of 404 when the requested network was not found. +- Added a versioned `_ping` endpoint (e.g. `http://localhost/v1.40/_ping`). +- Fixed a bug where containers started through a systemd-managed instance of the REST API would be shut down when `podman system service` shut down due to its idle timeout ([#7294](https://github.com/containers/podman/issues/7294)). +- Added stronger parameter verification for the libpod Network Create endpoint to ensure subnet mask is a valid value. +- The `Pod` URL parameter to the Libpod Container List endpoint has been deprecated; the information previously gated by the `Pod` boolean will now be included in the response unconditionally. + +### Misc +- Updated Buildah to v1.15.1 +- Updated containers/image library to v5.5.2 + ## 2.0.4 ### Bugfixes - Fixed a bug where the output of `podman image search` did not populate the Description field as it was mistakenly assigned to the ID field. diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go index 4de622916..e7b88eb3f 100644 --- a/cmd/podman/common/specgen.go +++ b/cmd/podman/common/specgen.go @@ -307,10 +307,11 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string // ENVIRONMENT VARIABLES // // Precedence order (higher index wins): - // 1) env-host, 2) image data, 3) env-file, 4) env - env := map[string]string{ - "container": "podman", - } + // 1) containers.conf (EnvHost, EnvHTTP, Env) 2) image data, 3 User EnvHost/EnvHTTP, 4) env-file, 5) env + // containers.conf handled and image data handled on the server side + // user specified EnvHost and EnvHTTP handled on Server Side relative to Server + // env-file and env handled on client side + var env map[string]string // First transform the os env into a map. We need it for the labels later in // any case. @@ -319,24 +320,8 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string return errors.Wrap(err, "error parsing host environment variables") } - if c.EnvHost { - env = envLib.Join(env, osEnv) - } else if c.HTTPProxy { - for _, envSpec := range []string{ - "http_proxy", - "HTTP_PROXY", - "https_proxy", - "HTTPS_PROXY", - "ftp_proxy", - "FTP_PROXY", - "no_proxy", - "NO_PROXY", - } { - if v, ok := osEnv[envSpec]; ok { - env[envSpec] = v - } - } - } + s.EnvHost = c.EnvHost + s.HTTPProxy = c.HTTPProxy // env-file overrides any previous variables for _, f := range c.EnvFile { diff --git a/libpod/image/image.go b/libpod/image/image.go index 6106084d5..dee2ce0ee 100644 --- a/libpod/image/image.go +++ b/libpod/image/image.go @@ -1246,7 +1246,12 @@ func areParentAndChild(parent, child *imgspecv1.Image) bool { // the child and candidate parent should share all of the // candidate parent's diff IDs, which together would have // controlled which layers were used - if len(parent.RootFS.DiffIDs) > len(child.RootFS.DiffIDs) { + + // issue #7444 describes a panic where the length of child.RootFS.DiffIDs + // is checked but child is nil. Adding a simple band-aid approach to prevent + // the problem until the origin of the problem can be worked out in the issue + // itself. + if child == nil || len(parent.RootFS.DiffIDs) > len(child.RootFS.DiffIDs) { return false } childUsesCandidateDiffs := true diff --git a/libpod/lock/shm/shm_lock_test.go b/libpod/lock/shm/shm_lock_test.go index 362821c62..cb83c7c2c 100644 --- a/libpod/lock/shm/shm_lock_test.go +++ b/libpod/lock/shm/shm_lock_test.go @@ -27,6 +27,8 @@ const lockPath = "/libpod_test" // We need a test main to ensure that the SHM is created before the tests run func TestMain(m *testing.M) { + // Remove prior /dev/shm/libpod_test + os.RemoveAll("/dev/shm" + lockPath) shmLock, err := CreateSHMLock(lockPath, numLocks) if err != nil { fmt.Fprintf(os.Stderr, "Error creating SHM for tests: %v\n", err) @@ -73,6 +75,8 @@ func runLockTest(t *testing.T, testFunc func(*testing.T, *SHMLocks)) { // Test that creating an SHM with a bad size rounds up to a good size func TestCreateNewSHMBadSizeRoundsUp(t *testing.T) { + // Remove prior /dev/shm/test1 + os.RemoveAll("/dev/shm/test1") // Odd number, not a power of 2, should never be a word size on a system lock, err := CreateSHMLock("/test1", 7) assert.NoError(t, err) diff --git a/libpod/reset.go b/libpod/reset.go index cae4d3a04..f8828fed4 100644 --- a/libpod/reset.go +++ b/libpod/reset.go @@ -2,12 +2,14 @@ package libpod import ( "context" + "fmt" "os" "path/filepath" "github.com/containers/podman/v2/libpod/define" "github.com/containers/podman/v2/pkg/rootless" "github.com/containers/podman/v2/pkg/util" + "github.com/containers/storage" "github.com/pkg/errors" "github.com/sirupsen/logrus" ) @@ -103,14 +105,16 @@ func (r *Runtime) Reset(ctx context.Context) error { prevError = err } - if rootless.IsRootless() { - configPath := filepath.Join(os.Getenv("HOME"), ".config/containers") - if err := os.RemoveAll(configPath); err != nil { - if prevError != nil { - logrus.Error(prevError) - } - prevError = err + if storageConfPath, err := storage.DefaultConfigFile(rootless.IsRootless()); err == nil { + if _, err = os.Stat(storageConfPath); err == nil { + fmt.Printf("A storage.conf file exists at %s\n", storageConfPath) + fmt.Println("You should remove this file if you did not modified the configuration.") } + } else { + if prevError != nil { + logrus.Error(prevError) + } + prevError = err } return prevError diff --git a/pkg/api/handlers/libpod/pods.go b/pkg/api/handlers/libpod/pods.go index 6e704fe65..8f8292567 100644 --- a/pkg/api/handlers/libpod/pods.go +++ b/pkg/api/handlers/libpod/pods.go @@ -135,8 +135,8 @@ func PodStop(w http.ResponseWriter, r *http.Request) { } } var errs []error //nolint - for _, err := range responses { - errs = append(errs, err) + for id, err := range responses { + errs = append(errs, errors.Wrapf(err, "error stopping container %s", id)) } report := entities.PodStopReport{ Errs: errs, @@ -164,12 +164,12 @@ func PodStart(w http.ResponseWriter, r *http.Request) { return } responses, err := pod.Start(r.Context()) - if err != nil { + if err != nil && errors.Cause(err) != define.ErrPodPartialFail { utils.Error(w, "Something went wrong", http.StatusInternalServerError, err) return } - for _, err := range responses { - errs = append(errs, err) + for id, err := range responses { + errs = append(errs, errors.Wrapf(err, "error starting container %s", id)) } report := entities.PodStartReport{ Errs: errs, @@ -220,12 +220,12 @@ func PodRestart(w http.ResponseWriter, r *http.Request) { return } responses, err := pod.Restart(r.Context()) - if err != nil { + if err != nil && errors.Cause(err) != define.ErrPodPartialFail { utils.Error(w, "Something went wrong", http.StatusInternalServerError, err) return } - for _, err := range responses { - errs = append(errs, err) + for id, err := range responses { + errs = append(errs, errors.Wrapf(err, "error restarting container %s", id)) } report := entities.PodRestartReport{ Errs: errs, @@ -271,12 +271,12 @@ func PodPause(w http.ResponseWriter, r *http.Request) { return } responses, err := pod.Pause() - if err != nil { + if err != nil && errors.Cause(err) != define.ErrPodPartialFail { utils.Error(w, "Something went wrong", http.StatusInternalServerError, err) return } - for _, v := range responses { - errs = append(errs, v) + for id, v := range responses { + errs = append(errs, errors.Wrapf(v, "error pausing container %s", id)) } report := entities.PodPauseReport{ Errs: errs, @@ -295,12 +295,12 @@ func PodUnpause(w http.ResponseWriter, r *http.Request) { return } responses, err := pod.Unpause() - if err != nil { + if err != nil && errors.Cause(err) != define.ErrPodPartialFail { utils.Error(w, "failed to pause pod", http.StatusInternalServerError, err) return } - for _, v := range responses { - errs = append(errs, v) + for id, v := range responses { + errs = append(errs, errors.Wrapf(v, "error unpausing container %s", id)) } report := entities.PodUnpauseReport{ Errs: errs, @@ -403,7 +403,7 @@ func PodKill(w http.ResponseWriter, r *http.Request) { } responses, err := pod.Kill(uint(sig)) - if err != nil { + if err != nil && errors.Cause(err) != define.ErrPodPartialFail { utils.Error(w, "failed to kill pod", http.StatusInternalServerError, err) return } diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go index 53d160442..147ebd61b 100644 --- a/pkg/specgen/generate/container.go +++ b/pkg/specgen/generate/container.go @@ -2,6 +2,7 @@ package generate import ( "context" + "os" "github.com/containers/image/v5/manifest" "github.com/containers/podman/v2/libpod" @@ -62,14 +63,24 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat if err != nil { return nil, err } - // Get Default Environment - defaultEnvs, err := envLib.ParseSlice(rtc.Containers.Env) + // First transform the os env into a map. We need it for the labels later in + // any case. + osEnv, err := envLib.ParseSlice(os.Environ()) if err != nil { - return nil, errors.Wrap(err, "Env fields in containers.conf failed to parse") + return nil, errors.Wrap(err, "error parsing host environment variables") } + // Get Default Environment from containers.conf + defaultEnvs, err := envLib.ParseSlice(rtc.GetDefaultEnv()) + if err != nil { + return nil, errors.Wrap(err, "error parsing fields in containers.conf") + } + if defaultEnvs["containers"] == "" { + defaultEnvs["containers"] = "podman" + } var envs map[string]string + // Image Environment defaults if newImage != nil { // Image envs from the image if they don't exist // already, overriding the default environments @@ -82,9 +93,30 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat if err != nil { return nil, errors.Wrap(err, "Env fields from image failed to parse") } + defaultEnvs = envLib.Join(defaultEnvs, envs) + } + + // Caller Specified defaults + if s.EnvHost { + defaultEnvs = envLib.Join(defaultEnvs, osEnv) + } else if s.HTTPProxy { + for _, envSpec := range []string{ + "http_proxy", + "HTTP_PROXY", + "https_proxy", + "HTTPS_PROXY", + "ftp_proxy", + "FTP_PROXY", + "no_proxy", + "NO_PROXY", + } { + if v, ok := osEnv[envSpec]; ok { + defaultEnvs[envSpec] = v + } + } } - s.Env = envLib.Join(envLib.Join(defaultEnvs, envs), s.Env) + s.Env = envLib.Join(defaultEnvs, s.Env) // Labels and Annotations annotations := make(map[string]string) diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go index a52225f87..cca05eddb 100644 --- a/pkg/specgen/specgen.go +++ b/pkg/specgen/specgen.go @@ -43,6 +43,13 @@ type ContainerBasicConfig struct { // image's configuration. // Optional. Command []string `json:"command,omitempty"` + // EnvHost indicates that the host environment should be added to container + // Optional. + EnvHost bool `json:"env_host,omitempty"` + // EnvHTTPProxy indicates that the http host proxy environment variables + // should be added to container + // Optional. + HTTPProxy bool `json:"httpproxy,omitempty"` // Env is a set of environment variables that will be set in the // container. // Optional. |