summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* spec: add nosuid,noexec,nodev to ro bind mountGiuseppe Scrivano2019-01-11
| | | | | | | runc fails to change the ro mode of a rootless bind mount if the other flags are not kept. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2131 from mheon/restore_storage_defaultsOpenShift Merge Robot2019-01-10
|\ | | | | Use defaults if paths are not specified in storage.conf
| * Use defaults if paths are not specified in storage.confMatthew Heon2019-01-10
| | | | | | | | | | | | | | | | | | | | For rootless Podman, if storage.conf exists but does not specify one or both of RunRoot and GraphRoot, set them to rootless defaults so we don't end up with an unusable configuration. Fixes #2125 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #2120 from rhatdan/volumeOpenShift Merge Robot2019-01-10
|\ \ | | | | | | Fix handling of nil volumes
| * | Fix handling of nil volumesDaniel J Walsh2019-01-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | Currently if a user passes in a -v with -v $bogus:/foobar We crash. This will throw a proper error. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #2108 from QiWang19/from1899OpenShift Merge Robot2019-01-10
|\ \ \ | | | | | | | | Fix 'image trust' from PR1899
| * | | Fix 'image trust' from PR1899Qi Wang2019-01-09
| | | | | | | | | | | | | | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | | Merge pull request #2127 from QiWang19/fixsigstoreOpenShift Merge Robot2019-01-10
|\ \ \ \ | | | | | | | | | | fix up sigstore path
| * | | | fix up sigstore pathQi Wang2019-01-10
| | | | | | | | | | | | | | | | | | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | | | Merge pull request #2126 from giuseppe/set-prlimitOpenShift Merge Robot2019-01-10
|\ \ \ \ \ | | | | | | | | | | | | podman: bump RLIMIT_NOFILE also without CAP_SYS_RESOURCE
| * | | | | podman: bump RLIMIT_NOFILE also without CAP_SYS_RESOURCEGiuseppe Scrivano2019-01-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If we are not able to make arbitrary changes to the RLIMIT_NOFILE when lacking CAP_SYS_RESOURCE, don't fail but bump the limit to the maximum allowed. In this way the same code path works with rootless mode. Closes: https://github.com/containers/libpod/issues/2123 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | | Merge pull request #2119 from jwhonce/wip/python_podmanOpenShift Merge Robot2019-01-10
|\ \ \ \ \ \ | | | | | | | | | | | | | | Move python code from contrib to it's own repo python-podman
| * | | | | | Move python code from contrib to it's own repo python-podmanJhon Honce2019-01-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | | | | | Merge pull request #2129 from cevich/timestampOpenShift Merge Robot2019-01-10
|\ \ \ \ \ \ \ | |/ / / / / / |/| | | | | | Cirrus: (Minor) Print timestamp
| * | | | | | (Minor) Cirrus: Print timestamp at startChris Evich2019-01-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Also record into a file in case a later reference is required Signed-off-by: Chris Evich <cevich@redhat.com>
* | | | | | | Merge pull request #2128 from mheon/pr_testOpenShift Merge Robot2019-01-10
|\ \ \ \ \ \ \ | |_|_|/ / / / |/| | | | | | Trivial readme updates
| * | | | | | Trivial readme updatesMatthew Heon2019-01-10
|/ / / / / / | | | | | | | | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | | | Merge pull request #2111 from rhatdan/signOpenShift Merge Robot2019-01-10
|\ \ \ \ \ \ | | | | | | | | | | | | | | Fix up image sign and trust
| * | | | | | Fix up image sign and trustDaniel J Walsh2019-01-09
| | |_|/ / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add completions Fix man pages fix code in sign to answer PR Comments. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | | Merge pull request #2121 from giuseppe/always-cleanup-rootless-containersMatthew Heon2019-01-10
|\ \ \ \ \ \ | |_|_|_|_|/ |/| | | | | createconfig: always cleanup a rootless container
| * | | | | createconfig: always cleanup a rootless containerGiuseppe Scrivano2019-01-10
| | |_|_|/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the rootless container storage is always mounted in a different mount namespace, owned by the unprivileged user. Even if it is mounted, a process running in another namespace cannot reuse the already mounted storage. Make sure the storage is always cleaned up once the container terminates. This has worked with vfs since there is no real mounted storage. Closes: https://github.com/containers/libpod/issues/2112 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | Merge pull request #2122 from giuseppe/sign-fixesOpenShift Merge Robot2019-01-10
|\ \ \ \ \ | | | | | | | | | | | | sign: some fixes
| * | | | | sign: make all error messages lowercaseGiuseppe Scrivano2019-01-10
| | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | | | sign: use filepath.Join instead of fmt.SprintfGiuseppe Scrivano2019-01-10
| |/ / / / | | | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | Merge pull request #2095 from rhatdan/completionsOpenShift Merge Robot2019-01-10
|\ \ \ \ \ | |/ / / / |/| | | | Add Validate completions
| * | | | Add Validate completionsDaniel J Walsh2019-01-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In podman 0.12.0 we have invalid completions. These should have been caught during testing. This check will throw an error if the completions do not successfully execute. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | Merge pull request #2114 from vrothberg/issue-2107OpenShift Merge Robot2019-01-10
|\ \ \ \ \ | |_|_|_|/ |/| | | | apparmor: apply default profile at container initialization
| * | | | apparmor: apply default profile at container initializationValentin Rothberg2019-01-09
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Apply the default AppArmor profile at container initialization to cover all possible code paths (i.e., podman-{start,run}) before executing the runtime. This allows moving most of the logic into pkg/apparmor. Also make the loading and application of the default AppArmor profile versio-indepenent by checking for the `libpod-default-` prefix and over-writing the profile in the run-time spec if needed. The intitial run-time spec of the container differs a bit from the applied one when having started the container, which results in displaying a potentially outdated AppArmor profile when inspecting a container. To fix that, load the container config from the file system if present and use it to display the data. Fixes: #2107 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | libpod/image: Use ParseNormalizedNamed in RepoDigestsW. Trevor King2019-01-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Avoid generating quay.io/openshift-release-dev/ocp-release@sha256@sha256:239... and similar when the image name is already digest-based [1]. It's not clear exactly how we get into this state, but as shown by the unit tests, the new code handles this case correctly (while the previous code does not). [1]: https://github.com/containers/libpod/issues/2086 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #2106 Approved by: rhatdan
* | | | Merge pull request #2115 from rhatdan/shmOpenShift Merge Robot2019-01-09
|\ \ \ \ | |/ / / |/| | | If you fail to open shm lock then attempt to create it
| * | | If you fail to open shm lock then attempt to create itDaniel J Walsh2019-01-09
|/ / / | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #2040 from QiWang19/signimgOpenShift Merge Robot2019-01-09
|\ \ \ | | | | | | | | Support podman image sign
| * | | [WIP]Support podman image signQi Wang2019-01-08
| | | | | | | | | | | | | | | | | | | | | | | | Generate a signature claim for an image using user keyring (--sign-by). The signature file will be stored in simple json format under the default or the given directory (--directory or yaml file in /etc/containers/registries.d/). Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | | Merge pull request #2061 from adrianreber/static-ipOpenShift Merge Robot2019-01-09
|\ \ \ \ | | | | | | | | | | Use existing interface to request IP address during restore
| * | | | Use existing interface to request IP address during restoreAdrian Reber2019-01-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The initial implementation to request the same IP address for a container during a restore was based on environment variables influencing CNI. With this commit the IP address selection switches to Podman's internal static IP API. This commit does a comment change in libpod/container_easyjson.go to avoid unnecessary re-generation of libpod/container_easyjson.go during build as this fails in CI. The reason for this is that make sees that libpod/container_easyjson.go needs to be re-created. The commit, however, only changes a part of libpod/container.go which is marked as 'ffjson: skip'. Signed-off-by: Adrian Reber <areber@redhat.com>
| * | | | Added checkpoint/restore test for same IPAdrian Reber2019-01-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Restoring a container from a checkpoint should give the container the same IP as before checkpointing. This adds a test to make sure the IP stays the same. Signed-off-by: Adrian Reber <areber@redhat.com>
| * | | | Enable checkpoint test with established TCP connectionsAdrian Reber2019-01-09
| | | | | | | | | | | | | | | | | | | | Signed-off-by: Adrian Reber <areber@redhat.com>
* | | | | Merge pull request #2087 from wking/kind-bugOpenShift Merge Robot2019-01-09
|\ \ \ \ \ | | | | | | | | | | | | .github/ISSUE_TEMPLATE: Suggest '/kind bug' and '/kind feature'
| * | | | | .github/ISSUE_TEMPLATE: Suggest '/kind bug' and '/kind feature'W. Trevor King2019-01-08
| |/ / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | So Prow's label plugin [1] can apply the appropriate label for us. [1] https://github.com/kubernetes/test-infra/tree/master/prow/plugins/label Signed-off-by: W. Trevor King <wking@tremily.us>
* | | | | Merge pull request #2103 from ↵OpenShift Merge Robot2019-01-09
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | debarshiray/wip/debarshiray/man-page-order-long-short-options List the long variant of each option before its shorter counterpart
| * | | | | List the long variant of each option before its shorter counterpartDebarshi Ray2019-01-09
| |/ / / / | | | | | | | | | | | | | | | | | | | | | | | | | This is the style followed in most of the other man pages. Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
* | | | | Merge pull request #1830 from wking/config-filter-hooksOpenShift Merge Robot2019-01-09
|\ \ \ \ \ | |/ / / / |/| | | | hooks: Add pre-create hooks for runtime-config manipulation
| * | | | pkg/hooks/exec: Include failed command in hook errorsW. Trevor King2019-01-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For example: $ cat /etc/containers/oci/hooks.d/test.json { "version": "1.0.0", "hook": { "path": "/bin/sh", "args": ["sh", "-c", "echo 'oh, noes!' >&2; exit 1"] }, "when": { "always": true }, "stages": ["precreate"] } $ podman run --rm docker.io/library/alpine echo 'successful container' error setting up OCI Hooks: executing [sh -c echo 'oh, noes!' >&2; exit 1]: exit status 1 The rendered command isn't in in the right syntax for copy/pasting into a shell, but it should be enough for the user to be able to locate the failing hook. They'll need to know their hook directories, but with the previous commits requiring explicit hook directories it's more likely that the caller is aware of them. And if they run at a debug level, they can see the lookups in the logs: $ podman --log-level=debug --hooks-dir=/etc/containers/oci/hooks.d run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook time="2018-12-02T22:15:16-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d" time="2018-12-02T22:15:16-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json" time="2018-12-02T22:15:16-08:00" level=debug msg="hook test.json matched; adding to stages [precreate]" time="2018-12-02T22:15:16-08:00" level=warning msg="container 3695c6ba0cc961918bd3e4a769c52bd08b82afea5cd79e9749e9c7a63b5e7100: precreate hook: executing [sh -c echo 'oh, noes!' >&2; exit 1]: exit status 1" time="2018-12-02T22:15:16-08:00" level=error msg="error setting up OCI Hooks: executing [sh -c echo 'oh, noes!' >&2; exit 1]: exit status 1" Signed-off-by: W. Trevor King <wking@tremily.us>
| * | | | hooks/exec/runtimeconfigfilter: Log config changesW. Trevor King2019-01-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To make it easier to notice and track down errors (or other surprising behavior) due to precreate hooks. With this commit, the logged messages look like: time="2018-11-19T13:35:18-08:00" level=debug msg="precreate hook 0 made configuration changes: --- Old +++ New @@ -18,3 +18,3 @@ Namespaces: ([]specs.LinuxNamespace) <nil>, - Devices: ([]specs.LinuxDevice) (len=1) { + Devices: ([]specs.LinuxDevice) (len=2) { (specs.LinuxDevice) { @@ -24,2 +24,11 @@ Minor: (int64) 229, + FileMode: (*os.FileMode)(-rw-------), + UID: (*uint32)(0), + GID: (*uint32)(0) + }, + (specs.LinuxDevice) { + Path: (string) (len=8) "/dev/sda", + Type: (string) (len=1) "b", + Major: (int64) 8, + Minor: (int64) 0, FileMode: (*os.FileMode)(-rw-------), " time="2018-11-19T13:35:18-08:00" level=debug msg="precreate hook 1 made configuration changes: --- Old +++ New @@ -29,3 +29,3 @@ (specs.LinuxDevice) { - Path: (string) (len=8) "/dev/sda", + Path: (string) (len=8) "/dev/sdb", Type: (string) (len=1) "b", " Ideally those logs would include the container ID, but we don't have access to that down at this level. I'm not sure if it's worth teaching RuntimeConfigFilter to accept a *logrus.Entry (so the caller could use WithFields [1]) or to use a generic logging interface (like go-log [2]). For now, I've left the container ID unlogged here. The spew/difflib implementation is based on stretchr/testify/assert, but I think the ~10 lines I'm borrowing are probably small enough to stay under the "all copies or substantial portions" condition in its MIT license. [1]: https://godoc.org/github.com/sirupsen/logrus#WithFields [2]: https://github.com/go-log/log Signed-off-by: W. Trevor King <wking@tremily.us>
| * | | | hooks: Add pre-create hooks for runtime-config manipulationW. Trevor King2019-01-08
|/ / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There's been a lot of discussion over in [1] about how to support the NVIDIA folks and others who want to be able to create devices (possibly after having loaded kernel modules) and bind userspace libraries into the container. Currently that's happening in the middle of runc's create-time mount handling before the container pivots to its new root directory with runc's incorrectly-timed prestart hook trigger [2]. With this commit, we extend hooks with a 'precreate' stage to allow trusted parties to manipulate the config JSON before calling the runtime's 'create'. I'm recycling the existing Hook schema from pkg/hooks for this, because we'll want Timeout for reliability and When to avoid the expense of fork/exec when a given hook does not need to make config changes [3]. [1]: https://github.com/opencontainers/runc/pull/1811 [2]: https://github.com/opencontainers/runc/issues/1710 [3]: https://github.com/containers/libpod/issues/1828#issuecomment-439888059 Signed-off-by: W. Trevor King <wking@tremily.us>
* | | | Merge pull request #2097 from debarshiray/wip/debarshiray/podman-exec-workdirOpenShift Merge Robot2019-01-08
|\ \ \ \ | |_|/ / |/| | | Add a --workdir option to 'podman exec'
| * | | Add a --workdir option to 'podman exec'Debarshi Ray2019-01-08
| | | | | | | | | | | | | | | | Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
* | | | Merge pull request #2094 from ↵OpenShift Merge Robot2019-01-08
|\ \ \ \ | |/ / / |/| | | | | | | | | | | debarshiray/wip/debarshiray/podman-start-sig-proxy-default-doc Mention the default --sig-proxy value for 'podman start'
| * | | Default --sig-proxy to true for 'podman start --attach'Debarshi Ray2019-01-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The --sig-proxy option in both 'podman attach' and 'podman run' default to true, and there's no reason for 'podman start --attach' to be any different. However, since it only makes sense to proxy signals when the container is attached, 'podman start --sig-proxy' will continue to error if --attach isn't used. Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
| * | | Test that 'podman start --sig-proxy' does not work without --attachDebarshi Ray2019-01-08
|/ / / | | | | | | | | | Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>