| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After this patch v2 hijacking endpoints, exec/start and
containers/attach follow rfc 7230 specification.
Connection will only be upgraded, if client specifies upgrade
headers:
For tcp connections:
Connection: Upgrade
Upgrade: tcp
For unix socket connections:
Connection: Upgrade
Upgrade: sock
There are currently no checks if upgrade type actually matches with
available protocols. Implementation just protocol that client
requested
Signed-off-by: Sami Korhonen <skorhone@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
StateHijacked is a terminal state. If hijacked connection
is registered as an active connection, connection will
never be unregistered. This causes two issues
First issue is that active connection counters are off.
Second issue is a resource leak caused by connection
object that is stored to a map.
After this patch hijacked connections are no longer
visible in counters. If a counter for hijacked
connections is required, podman must track
connections returned by Hijacker.Hijack()
It might make sense to develop abstraction layer for
hijacking - and move all hijacking related code to a
separate package. Hijacking code is prone to resource
leaks and it should be thoroughly tested.
Signed-off-by: Sami Korhonen <skorhone@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Allow more variants to yield json output for `podman version` and
`podman info`. Instead of comparing strings, use a regex and add
unit and e2e tests.
Fixes: #6927
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
I confused STDIN and STDOUT's file descriptors (it's 0 and 1, I
thought they were 1 and 0). As such, we were looking at whether
we wanted to print STDIN when we looked to print STDOUT. This
bool was set when `-i` was set in at the `podman exec` command
line, which masked the problem when it was set.
Fixes #6890
Fixes #6891
Fixes #6892
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In `podman inspect` output for containers and pods, we include
the command that was used to create the container. This is also
used by `podman generate systemd --new` to generate unit files.
With remote podman, the generated create commands were incorrect
since we sourced directly from os.Args on the server side, which
was guaranteed to be `podman system service` (or some variant
thereof). The solution is to pass the command along in the
Specgen or PodSpecgen, where we can source it from the client's
os.Args.
This will still be VERY iffy for mixed local/remote use (doing a
`podman --remote run ...` on a remote client then a
`podman generate systemd --new` on the server on the same
container will not work, because the `--remote` flag will slip
in) but at the very least the output of `podman inspect` will be
correct. We can look into properly handling `--remote` (parsing
it out would be a little iffy) in a future PR.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
<MH: Fixed build after cherry-pick>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
We properly determined what sig-proxy should be set to, but we
never passed that along to the backend. As such, cases where the
default swapped (mostly when `--attach` was specified but the
`--sig-proxy` flag was not) were not handled correctly
Fixes #6928
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This allows us to determine if the container auto-detected that
systemd was in use, and correctly activated systemd integration.
Use this to wire up some integration tests to verify that systemd
integration is working properly.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
<MH: Fixed Compile after cherry-pick>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We were only using the Command field in specgen when determining
whether to enable systemd if systemd=true (the default) was used.
This does not include the entrypoint, and does not include any
entrypoint/command sourced from the image - so an image could be
running systemd and we'd not correctly detect this. Using the
full, final command resolves this and matches Podman v1.9.x
behavior.
Fixes #6920
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
<MH: Fixed compile after backport>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
|
|
| |
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
We were hard-coding two fields to false, instead of grabbing
their value from the pod config, which means that `pod inspect`
would print the wrong value always.
Fixes #6968
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
We had a field for this in the inspect data, but it was never
being populated. Because of this, `podman pod inspect` stopped
showing port bindings (and other infra container settings). Add
code to populate the infra container inspect data, and add a test
to ensure we don't regress again.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |
|
|
|
|
|
|
| |
This change prevents this exception when loading a pod spec
using the "IfNotPresent" pull policy:
Error: invalid pull type "IfNotPresent"
Signed-off-by: Tristan Cacqueray <tdecacqu@redhat.com>
|
| |
|
|
|
|
|
|
| |
When running "podman pod create --share user" the errors appears:
Error: User sharing functionality not supported on pod level
Fix docs and remove 'user' from shareable parameters.
Signed-off-by: Sagi Shnaidman <sshnaidm@redhat.com>
|
| |
|
|
|
|
|
|
| |
"TCP" in upper characters was not recognized as a valid protocol name.
Fix #6948
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When creating a pod or container where a static MAC or IP address is provided, we should return a proper error and exit as 125.
Fixes: #6972
Signed-off-by: Brent Baude <bbaude@redhat.com>
<MH: Fixed build after cherry-pick>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
|
|
|
|
|
|
| |
Podman is committed to inclusivity, a core value of open source. Historically, there have been technology terms that are problematic and divisive, and should be changed. We are currently taking time to audit our repository in order to eliminate such terminology, and replace it with more inclusive terms. We are starting where we can, with our own code, comments, and documentation. However, such terms may be used in dependencies, and must be used in our repositories at the current moment for compatibility. Podman will change these terms in our repo as soon as new and better terminology is available to us via our dependencies.
For more information: https://www.redhat.com/en/blog/making-open-source-more-inclusive-eradicating-problematic-language?sc_cid=701600000011gf0AAA
Signed-off-by: Ashley Cui <acui@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
the code got lost in the migration to podman 2.0, reintroduce it.
Closes: https://github.com/containers/podman/issues/6989
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
<MH: Fixed build>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
|
|
| |
Signed-off-by: Parker Van Roy <pvanroy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When an image has no name/tag system df will
error because it tries to parse an empty name.
This commit makes sure we only parse non
empty names and set the repository and tag
to "<none>" otherwise.
Closes #7015
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| |
|
|
|
|
| |
generate kube title and descritopn was same as play kube for apiv2 docs
Signed-off-by: Ashley Cui <acui@redhat.com>
|
| |
|
|
|
|
|
|
| |
People who use docker scripts with Podman see failures
if they use disable-content-trust flag. This flag already
existed for podman build, adding it to pull/push/create/run.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
| |
Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently you can not apply an ApparmorProfile if you specify
--privileged. This patch will allow both to be specified
simultaniosly.
By default Apparmor should be disabled if the user
specifies --privileged, but if the user specifies --security apparmor:PROFILE,
with --privileged, we should do both.
Added e2e run_apparmor_test.go
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\
| |
| | |
Bump github.com/containers/common to v0.14.6
|
| |/
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\
| |
| | |
[2.0] events fixes
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The versions Docker that the compat endpoints currently support are
using another type for the `filters` parameter than later versions
of Docker, which the libpod/events endpoint is also using.
To prevent existing deplopyments from breaking while still achieving
backward compat, we now support both types for the filters parameter.
Tested manually.
Fixes: #6899
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fix a potential panic in the events endpoint when parsing the filters
parameter. Values of the filters map might be empty, so we need to
account for that instead of uncondtitionally accessing the first item.
Also apply a similar for race conditions as done in commit f4a2d25c0fca:
Fix a race that could cause read errors to be masked. Masking
such errors is likely to report red herrings since users don't
see that reading failed for some reasons but that a given event
could not be found.
Another race was the handler closing event channel, which could lead to
two kinds of panics: double close, send to close channel. The backend
takes care of that. However, make sure that the backend stops working
in case the context has been cancelled.
Fixes: #6899
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \
| |/
|/| |
[2.0] Switch references from libpod.conf to containers.conf
|
| | |
| |
| |
| | |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \
| |/
|/| |
[2.0] contrib/systemd cleanups
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Set the type of the podman.service to simple. This will correctly
report the status of the service once it has started. As a oneshot
service, it does not transition from the startup state to running.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| | |
podman-api(1) does not exist, so set the man page to
podman-system-service(1). Same for the .socket.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Do not hard-set the registries.conf to `/etc/containers/registries.conf`.
Podman (and other c/image users) already default to it. However,
ordinary non-root users should still be able to use the configs in their
home directories which is now possible.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Do not set the killmode to process as it only kills the main process and
leaves other processes untouched. Just remove the line and use the
default cgroup killmode which will kill all processes in the service's
cgroup.
Fixes: #7021
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Remove the stop timeout from the unit. As unit does not specify any
stop command, the timeout is effectively 0 and a NOOP.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |/
|
|
|
|
|
|
|
| |
Symlink the user to the system services in `contrib/systemd`.
There is no diference between the services, so we can reduce
redundancy while not breaking downstream packages which might
already be referencing `./contrib/systemd/user`.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\
| |
| | |
[2.0] vendor golang.org/x/text@v0.3.3
|
| |/
|
|
|
|
| |
Fixes: CVE-2020-14040
Fixes: bugzilla.redhat.com/show_bug.cgi?id=1854718
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\
| |
| | |
Fix a bug where --pids-limit was parsed incorrectly
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
| |
The --pids-limit flag was using strconv.ParseInt with bad
arguments, resulting in it being unable to parse standard
integers (1024, for example, would produce an 'out of range'
error).
Change the arguments to make sense (base 10, max 32-bit) and
add a test to ensure we don't regress again.
Fixes #6908
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |\
| |
| | |
[2.0] search: allow wildcards
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Allow wildcards in the search term. Note that not all registries
support wildcards and it may only work with v1 registries.
Note that searching implies figuring out if the specified search term
includes a registry. If there's not registry detected, the search term
will be used against all configured "unqualified-serach-registries" in
the registries.conf. The parsing logic considers a registry to be the
substring before the first slash `/`.
With these changes we now not only support wildcards but arbitrary
input; ultimately it's up to the registries to decide whether they
support given input or not.
Fixes: bugzilla.redhat.com/show_bug.cgi?id=1846629
Cherry-pick-of: commit b05888a97dbb
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| |
| |
| |
| |
| | |
test/policy.json should not need to be copied into the gating image
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
fedora removed the systemd package from its standard container image causing our systemd pid1 test to fail. Replacing usage of fedora to ubi-init.
adding ubi images to the cache for local tests.
also, remove installation of test/policy.json to the system wide /etc/containers
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| |/
|
|
|
|
|
|
|
|
|
| |
Encode credentials at new repository settings page
https://cirrus-ci.com/settings/repository/6707778565701632
Ref: https://cirrus-ci.org/guide/writing-tasks/#encrypted-variables
Backport-of: commit 576ce0f1b501
Signed-off-by: Chris Evich <cevich@redhat.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\
| |
| | |
[CI:DOCS] Bump to v2.0.2
|
| | |
| |
| |
| | |
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |/
|
|
| |
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
