Commit message (Author, Age)
...
| * docs: user namespace can't be shared in pods (Sagi Shnaidman, 2020-07-22)
| |   When running "podman pod create --share user" the error appears: Error: User sharing functionality not supported on pod level Fix docs and remove 'user' from shareable parameters.
| |   Signed-off-by: Sagi Shnaidman <sshnaidm@redhat.com>
| * Fix "Error: unrecognized protocol \"TCP\" in port mapping" (Akihiro Suda, 2020-07-22)
| |   "TCP" in upper characters was not recognized as a valid protocol name.
| |   Fix #6948
| |   Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
| * Error on rootless mac and ip addresses (Brent Baude, 2020-07-22)
| |   When creating a pod or container where a static MAC or IP address is provided, we should return a proper error and exit as 125.
| |   Fixes: #6972
| |   Signed-off-by: Brent Baude <bbaude@redhat.com>
| |   <MH: Fixed build after cherry-pick>
| |   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Fix & add notes regarding problematic language in codebase (Ashley Cui, 2020-07-22)
| |   Podman is committed to inclusivity, a core value of open source. Historically, there have been technology terms that are problematic and divisive, and should be changed. We are currently taking time to audit our repository in order to eliminate such terminology, and replace it with more inclusive terms. We are starting where we can, with our own code, comments, and documentation. However, such terms may be used in dependencies, and must be used in our repositories at the current moment for compatibility. Podman will change these terms in our repo as soon as new and better terminology is available to us via our dependencies.
| |   For more information: https://www.redhat.com/en/blog/making-open-source-more-inclusive-eradicating-problematic-language?sc_cid=701600000011gf0AAA
| |   Signed-off-by: Ashley Cui <acui@redhat.com>
| * abi: set default umask and rlimits (Giuseppe Scrivano, 2020-07-22)
| |   the code got lost in the migration to podman 2.0, reintroduce it.
| |   Closes: https://github.com/containers/podman/issues/6989
| |   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| |   <MH: Fixed build>
| |   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Used reference package with errors for parsing tag (Parker Van Roy, 2020-07-22)
| |   Signed-off-by: Parker Van Roy <pvanroy@redhat.com>
| * fix: system df error when an image has no name (Paul Holzinger, 2020-07-22)
| |   When an image has no name/tag system df will error because it tries to parse an empty name. This commit makes sure we only parse non empty names and set the repository and tag to "<none>" otherwise.
| |   Closes #7015
| |   Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * Fix Generate API title/description (Ashley Cui, 2020-07-22)
| |   generate kube title and description was same as play kube for apiv2 docs
| |   Signed-off-by: Ashley Cui <acui@redhat.com>
| * Add noop function disable-content-trust (Daniel J Walsh, 2020-07-22)
| |   People who use docker scripts with Podman see failures if they use disable-content-trust flag. This flag already existed for podman build, adding it to pull/push/create/run.
| |   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| * fix play kube doesn't override dockerfile ENTRYPOINT (zhangguanzhang, 2020-07-22)
| |   Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
| * Support default profile for apparmor (Daniel J Walsh, 2020-07-22)
|/   Currently you can not apply an ApparmorProfile if you specify --privileged. This patch will allow both to be specified simultaneously. By default Apparmor should be disabled if the user specifies --privileged, but if the user specifies --security apparmor:PROFILE, with --privileged, we should do both. Added e2e run_apparmor_test.go
|    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #7049 from mheon/update_c_common (OpenShift Merge Robot, 2020-07-22)
|\   Bump github.com/containers/common to v0.14.6
| * Bump github.com/containers/common to v0.14.6 (Matthew Heon, 2020-07-22)
|/   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #7038 from vrothberg/2.0-events-endpoint (OpenShift Merge Robot, 2020-07-22)
|\   [2.0] events fixes
| * events endpoint: backwards compat to old type (Valentin Rothberg, 2020-07-21)
| |   The versions of Docker that the compat endpoints currently support are using another type for the `filters` parameter than later versions of Docker, which the libpod/events endpoint is also using. To prevent existing deployments from breaking while still achieving backward compat, we now support both types for the filters parameter. Tested manually.
| |   Fixes: #6899
| |   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * events endpoint: fix panic and race condition (Valentin Rothberg, 2020-07-21)
| |   Fix a potential panic in the events endpoint when parsing the filters parameter. Values of the filters map might be empty, so we need to account for that instead of unconditionally accessing the first item.
| |   Also apply a similar fix for race conditions as done in commit f4a2d25c0fca: Fix a race that could cause read errors to be masked. Masking such errors is likely to report red herrings since users don't see that reading failed for some reasons but that a given event could not be found.
| |   Another race was the handler closing event channel, which could lead to two kinds of panics: double close, send to closed channel. The backend takes care of that. However, make sure that the backend stops working in case the context has been cancelled.
| |   Fixes: #6899
| |   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #7033 from rhatdan/v2.0 (OpenShift Merge Robot, 2020-07-21)
|\ \ | |/ |/| [2.0] Switch references from libpod.conf to containers.conf
| * Switch references from libpod.conf to containers.conf (Daniel J Walsh, 2020-07-21)
| |   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7029 from vrothberg/2.0-systemd-cleanups (OpenShift Merge Robot, 2020-07-21)
|\ \ | |/ |/| [2.0] contrib/systemd cleanups
| * podman.service: set type to simple (Valentin Rothberg, 2020-07-21)
| |   Set the type of the podman.service to simple. This will correctly report the status of the service once it has started. As a oneshot service, it does not transition from the startup state to running.
| |   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * podman.service: set doc to podman-system-service (Valentin Rothberg, 2020-07-21)
| |   podman-api(1) does not exist, so set the man page to podman-system-service(1). Same for the .socket.
| |   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * podman.service: use default registries.conf (Valentin Rothberg, 2020-07-21)
| |   Do not hard-set the registries.conf to `/etc/containers/registries.conf`. Podman (and other c/image users) already default to it. However, ordinary non-root users should still be able to use the configs in their home directories which is now possible.
| |   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * podman.service: use default killmode (Valentin Rothberg, 2020-07-21)
| |   Do not set the killmode to process as it only kills the main process and leaves other processes untouched. Just remove the line and use the default cgroup killmode which will kill all processes in the service's cgroup.
| |   Fixes: #7021
| |   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * podman.service: remove stop timeout (Valentin Rothberg, 2020-07-21)
| |   Remove the stop timeout from the unit. As the unit does not specify any stop command, the timeout is effectively 0 and a NOOP.
| |   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * systemd: symlink user->system (Valentin Rothberg, 2020-07-21)
|/   Symlink the user to the system services in `contrib/systemd`. There is no difference between the services, so we can reduce redundancy while not breaking downstream packages which might already be referencing `./contrib/systemd/user`.
|    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #6996 from vrothberg/2.0-update-x/text (OpenShift Merge Robot, 2020-07-16)
|\   [2.0] vendor golang.org/x/text@v0.3.3
| * vendor golang.org/x/text@v0.3.3 (Valentin Rothberg, 2020-07-16)
|/   Fixes: CVE-2020-14040
|    Fixes: bugzilla.redhat.com/show_bug.cgi?id=1854718
|    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #6910 from mheon/fix_out_of_range (OpenShift Merge Robot, 2020-07-15)
|\   Fix a bug where --pids-limit was parsed incorrectly
| * Fix a bug where --pids-limit was parsed incorrectly (Matthew Heon, 2020-07-15)
|/   The --pids-limit flag was using strconv.ParseInt with bad arguments, resulting in it being unable to parse standard integers (1024, for example, would produce an 'out of range' error). Change the arguments to make sense (base 10, max 32-bit) and add a test to ensure we don't regress again.
|    Fixes #6908
|    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #6921 from vrothberg/2.0-wildcard-search (OpenShift Merge Robot, 2020-07-15)
|\   [2.0] search: allow wildcards
| * search: allow wildcards (Valentin Rothberg, 2020-07-15)
| |   Allow wildcards in the search term. Note that not all registries support wildcards and it may only work with v1 registries.
| |   Note that searching implies figuring out if the specified search term includes a registry. If there's no registry detected, the search term will be used against all configured "unqualified-search-registries" in the registries.conf. The parsing logic considers a registry to be the substring before the first slash `/`.
| |   With these changes we now not only support wildcards but arbitrary input; ultimately it's up to the registries to decide whether they support given input or not.
| |   Fixes: bugzilla.redhat.com/show_bug.cgi?id=1846629
| |   Cherry-pick-of: commit b05888a97dbb
| |   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * [CI:DOCS]Do not copy policy.json into gating image (Brent Baude, 2020-07-15)
| |   test/policy.json should not need to be copied into the gating image
| |   Signed-off-by: Brent Baude <bbaude@redhat.com>
| * Fix systemd pid 1 test (Brent Baude, 2020-07-15)
| |   fedora removed the systemd package from its standard container image causing our systemd pid1 test to fail. Replacing usage of fedora to ubi-init. adding ubi images to the cache for local tests. also, remove installation of test/policy.json to the system wide /etc/containers
| |   Signed-off-by: Brent Baude <bbaude@redhat.com>
| * Cirrus: Rotate keys post repo. rename (Chris Evich, 2020-07-15)
|/   Encode credentials at new repository settings page https://cirrus-ci.com/settings/repository/6707778565701632
|    Ref: https://cirrus-ci.org/guide/writing-tasks/#encrypted-variables
|    Backport-of: commit 576ce0f1b501
|    Signed-off-by: Chris Evich <cevich@redhat.com>
|    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #6888 from mheon/bump_202 (OpenShift Merge Robot, 2020-07-07)
|\   [CI:DOCS] Bump to v2.0.2
| * Bump to v2.0.3-dev (Matthew Heon, 2020-07-07)
| |   Signed-off-by: Matthew Heon <mheon@redhat.com>
| * Bump to v2.0.2 (tag: v2.0.2) (Matthew Heon, 2020-07-07)
|/   Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #6883 from vrothberg/2.0-events-race (OpenShift Merge Robot, 2020-07-07)
|\   [2.0] fix race condition in `libpod.GetEvents(...)`
| * fix race condition in `libpod.GetEvents(...)` (Valentin Rothberg, 2020-07-07)
| |   Fix a race that could cause read errors to be masked. Masking such errors is likely to report red herrings since users don't see that reading failed for some reasons but that a given event could not be found.
| |   Backport-of: commit f4a2d25c0fca
| |   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #6886 from mheon/final_202_relnotes (OpenShift Merge Robot, 2020-07-07)
|\ \ | |/ |/| [CI:DOCS] Finalize release notes for Podman v2.0.2
| * Finalize release notes for Podman v2.0.2 (Matthew Heon, 2020-07-07)
|/   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #6873 from baude/v2.0disableconnection (OpenShift Merge Robot, 2020-07-07)
|\   remove podman system connection
| * remove podman system connection (Brent Baude, 2020-07-06)
| |   podman system connection was panic'ing and not working as expected. we are temporarily removing it so as to not confuse users until we can fix it and prevent regressions with integration tests.
| |   Signed-off-by: Brent Baude <bbaude@redhat.com>
* | Merge pull request #6874 from mheon/backport_mount_fix (OpenShift Merge Robot, 2020-07-06)
|\ \ | |/ |/| Backport 'podman mount' bugfix
| * Fix bug where `podman mount` didn't error as rootless (Matthew Heon, 2020-07-06)
|/   We require that rootless `podman mount` be run inside a shell spawned by `podman unshare` (which gives us a mount namespace which actually lets other commands use the mounted filesystem). The fix is simple - we need to mark the command as requiring the rootless user namespace not be configured, so we can test for it later as part of the mount code and error if we needed to make one. Disable rootless tests as part of this - they were never expected to work.
|    Fixes #6856
|    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #6871 from mheon/202_backports (OpenShift Merge Robot, 2020-07-06)
|\   Backports for v2.0.2
| * Fix imports to ensure v2 is used with libpod (Matthew Heon, 2020-07-06)
| |   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Update release notes for v2.0.2 (Matthew Heon, 2020-07-06)
| |   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * specgen: fix order for setting rlimits (Ralf Haferkamp, 2020-07-06)
| |   Also make sure that the limits we set for rootless are not higher than what we'd set for root containers. Rootless containers failed to start when the calling user already had ulimit (e.g. on NOFILE) set. This is basically a cherry-pick of 76f8efc0d0d into specgen
| |   Signed-off-by: Ralf Haferkamp <rhafer@suse.com>
| * Ensure umask is set appropriately for 'system service' (Matthew Heon, 2020-07-06)
| |   We need a umask of 0022 to ensure containers are created correctly, but we set a different one prior to starting the server (to ensure the unix socket has the right permissions). Thus, we need to set the umask after the socket has been bound, but before the server begins accepting requests.
| |   Fixes #6787
| |   Signed-off-by: Matthew Heon <matthew.heon@pm.me>