| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
| |
Symlink the user to the system services in `contrib/systemd`.
There is no diference between the services, so we can reduce
redundancy while not breaking downstream packages which might
already be referencing `./contrib/systemd/user`.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\
| |
| | |
[2.0] vendor golang.org/x/text@v0.3.3
|
| |/
|
|
|
|
| |
Fixes: CVE-2020-14040
Fixes: bugzilla.redhat.com/show_bug.cgi?id=1854718
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\
| |
| | |
Fix a bug where --pids-limit was parsed incorrectly
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
| |
The --pids-limit flag was using strconv.ParseInt with bad
arguments, resulting in it being unable to parse standard
integers (1024, for example, would produce an 'out of range'
error).
Change the arguments to make sense (base 10, max 32-bit) and
add a test to ensure we don't regress again.
Fixes #6908
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |\
| |
| | |
[2.0] search: allow wildcards
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Allow wildcards in the search term. Note that not all registries
support wildcards and it may only work with v1 registries.
Note that searching implies figuring out if the specified search term
includes a registry. If there's not registry detected, the search term
will be used against all configured "unqualified-serach-registries" in
the registries.conf. The parsing logic considers a registry to be the
substring before the first slash `/`.
With these changes we now not only support wildcards but arbitrary
input; ultimately it's up to the registries to decide whether they
support given input or not.
Fixes: bugzilla.redhat.com/show_bug.cgi?id=1846629
Cherry-pick-of: commit b05888a97dbb
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| |
| |
| |
| |
| | |
test/policy.json should not need to be copied into the gating image
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
fedora removed the systemd package from its standard container image causing our systemd pid1 test to fail. Replacing usage of fedora to ubi-init.
adding ubi images to the cache for local tests.
also, remove installation of test/policy.json to the system wide /etc/containers
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| |/
|
|
|
|
|
|
|
|
|
| |
Encode credentials at new repository settings page
https://cirrus-ci.com/settings/repository/6707778565701632
Ref: https://cirrus-ci.org/guide/writing-tasks/#encrypted-variables
Backport-of: commit 576ce0f1b501
Signed-off-by: Chris Evich <cevich@redhat.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\
| |
| | |
[CI:DOCS] Bump to v2.0.2
|
| | |
| |
| |
| | |
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |/
|
|
| |
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |\
| |
| | |
[2.0] fix race condition in `libpod.GetEvents(...)`
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fix a race that could cause read errors to be masked. Masking such
errors is likely to report red herrings since users don't see that
reading failed for some reasons but that a given event could not be
found.
Backport-of: commit f4a2d25c0fca
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \
| |/
|/| |
[CI:DOCS] Finalize release notes for Podman v2.0.2
|
| |/
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\
| |
| | |
remove podman system connection
|
| | |
| |
| |
| |
| |
| | |
podman system connection was panic'ing and not working as expected. we are temporarily removing to as to not confuse users until we can fix it and prevent regressions with integrations tests.
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| |\ \
| |/
|/| |
Backport 'podman mount' bugfix
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We require that rootless `podman mount` be run inside a shell
spawned by `podman unshare` (which gives us a mount namespace
which actually lets other commands use the mounted filesystem).
The fix is simple - we need to mark the command as requiring the
rootless user namespace not be configured, so we can test for it
later as part of the mount code and error if we needed to make
one.
Disable rootless tests as part of this - they were never expected
to work.
Fixes #6856
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\
| |
| | |
Backports for v2.0.2
|
| | |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| | |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Also make sure that the limits we set for rootless are not higher than
what we'd set for root containers.
Rootless containers failed to start when the calling user already
had ulimit (e.g. on NOFILE) set.
This is basically a cherry-pick of 76f8efc0d0d into specgen
Signed-off-by: Ralf Haferkamp <rhafer@suse.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We need a umask of 0022 to ensure containers are created
correctly, but we set a different one prior to starting the
server (to ensure the unix socket has the right permissions).
Thus, we need to set the umask after the socket has been bound,
but before the server begins accepting requests.
Fixes #6787
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When generating systemd unit for pods, we need to remove certain
pod-related flags from the containers' create commands. Make sure
to account for all the syntax including a single argument with key and
value being split by `=`.
Fixes: #6766
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| |
| |
| |
| |
| | |
instead of nil
Signed-off-by: Maximilian Müller <maxm123@techie.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* --remote, --url and --identity are now anchored to podman command.
Subcommands should no longer have issues
* TraverseChildren now set to V1 expectations
* Latest flag now has helper function. Now has consistent usage.
* IsRemote() uses cobra parser to determin if --remote is given
* Moved validation functions from parser pkg to validate pkg
*
Fixes #6598
Fixes #6704
Signed-off-by: Jhon Honce <jhonce@redhat.com>
<MH: Fixed import issues>
Signed-off-by: Matt Heon <matthew.heon@pm.me>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Windows terminal handling is different than darwin and linux. It needs to have the terminal mode set to enable virtual terminal processing. This allows colors and other things to work.
Signed-off-by: Brent Baude <bbaude@redhat.com>
<MH: Tweaked imports to compile>
Signed-off-by: Matt Heon <matthew.heon@pm.me>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
I didn't believe that this was actually legal, but it looks like
it is. And, unlike our previous understanding (host port being
empty means just use container port), empty host port actually
carries the same meaning as `--expose` + `--publish-all` (that
is, assign a random host port to the given container port). This
requires a significant rework of our port handling code to handle
this new case. I don't foresee this being commonly used, so I
optimized having a fixed port number as fast path, which this
random assignment code running after the main port handling code
only if necessary.
Fixes #6806
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This makes it clear that we target compatibility with a specific
Docker version (v1.40), but do not reject other versions. It also
adds a link to documentation on the Podman-specific API.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| | |
This change ensures that we only override a container's entrypoint if it
is set to something other than `nil`.
Signed-off-by: Matt Brindley <58414429+maybe-sybr@users.noreply.github.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Containers/image will use TMPDIR for the location of pulled layer blobs.
If TMPDIR is not set, it will use /tmp. Since this is known to be of
limited space on most systems, we change the default to /var/tmp
if the user has not told the tools where to store temporary files.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
move the chown for newly created volumes after the spec generation so
the correct UID/GID are known.
Closes: https://github.com/containers/libpod/issues/5698
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We weren't actually halting the goroutine that sent events, so it
would continue sending even when the channel closed (the most
notable cause being early hangup - e.g. Control-c on a curl
session). Use a context to cancel the events goroutine and stop
sending events.
Fixes #6805
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| | |
| |
| |
| |
| |
| | |
when running e2e tests, each test knows to stop its service when running remote; however, during setup and teardown remote services were not being killed when we were done with them.
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The infra/abi code for pods was written in a flawed way, assuming
that the map[string]error containing individual container errors
was only set when the global error for the pod function was nil;
that is not accurate, and we are actually *guaranteed* to set the
global error when any individual container errors. Thus, we'd
never actually include individual container errors, because the
infra code assumed that err being set meant everything failed and
no container operations were attempted.
We were originally setting the cause of the error to something
nonsensical ("container already exists"), so I made a new error
indicating that some containers in the pod failed. We can then
ignore that error when building the report on the pod operation
and actually return errors from individual containers.
Unfortunately, this exposed another weakness of the infra code,
which was discarding the container IDs. Errors from individual
containers are not guaranteed to identify which container they
came from, hence the use of map[string]error in the Pod API
functions. Rather than restructuring the structs we return from
pkg/infra, I just wrapped the returned errors with a message
including the ID of the container.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Clarify in the help message and the man page that auto updates only work
with systemd units that are similar to the ones from `generate systemd
--new`. Units that merely start/stop a container do not work as they
will use the same image.
Fixes: #6793
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
With a long create command the
output from ps is basically unreadable.
This is a regression that was introduced with Podman 2.0.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| |\ \
| |/
|/| |
Pids-limit should only be set if the user set it
|
| |/
|
|
|
|
|
|
|
|
| |
Currently we are sending over pids-limits from the user even if they
never modified the defaults. The pids limit should be set at the server
side unless modified by the user.
This issue has led to failures on systems that were running with cgroups V1.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\
| |
| | |
[2.0] move go module to v2
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With the advent of Podman 2.0.0 we crossed the magical barrier of go
modules. While we were able to continue importing all packages inside
of the project, the project could not be vendored anymore from the
outside.
Move the go module to new major version and change all imports to
github.com/containers/libpod/v2. The renaming of the imports
was done via gomove [1].
[1] https://github.com/KSubedi/gomove
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \
| |/
|/| |
Vendor containers/common v0.14.4
|
| |/
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\
| |
| | |
Bump to imagebuilder v1.1.6 on v2 branch
|
| |/
|
|
|
|
|
|
| |
As the title says.
Addresses: https://github.com/containers/buildah/issues/2424
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
|
