Commit message | Author | Age
* Don't mount /dev/* if user mounted /dev | Daniel J Walsh | 2018-09-14
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* libpod/image/pull: Return image-pulling errors from doPullImage | W. Trevor King | 2018-09-14
|   We were already writing these to our debug logs. But collecting them and including them in the error message will make it easier for callers who don't have debugging enabled to figure out what's going wrong.
|
|   Using multierror gives us both pretty formatting (when we print this for the user) and programmatic access (for any callers that need to inspect the constituent errors).
|
|   With this commit and a config like:
|
|     $ cat /etc/containers/registries.conf
|     [registries.search]
|     registries = ['registry.access.redhat.com', 'quay.io', 'docker.io']
|
|   pulling an unqualified missing image looks like:
|
|     $ podman pull does-not/exist
|     Trying to pull registry.access.redhat.com/does-not/exist:latest...Failed
|     Trying to pull quay.io/does-not/exist:latest...Failed
|     Trying to pull docker.io/does-not/exist:latest...Failed
|     error pulling image "does-not/exist": unable to pull does-not/exist: 3 errors occurred:
|
|     * Error determining manifest MIME type for docker://registry.access.redhat.com/does-not/exist:latest: Error reading manifest latest in registry.access.redhat.com/does-not/exist: unknown: Not Found
|     * Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: Error reading manifest latest in quay.io/does-not/exist: unauthorized: access to the requested resource is not authorized
|     * Error determining manifest MIME type for docker://does-not/exist:latest: Error reading manifest latest in docker.io/does-not/exist: errors: denied: requested access to the resource is denied unauthorized: authentication required
|
|   A qualified image looks like:
|
|     $ podman pull quay.io/does-not/exist
|     Trying to pull quay.io/does-not/exist...Failed
|     error pulling image "quay.io/does-not/exist": unable to pull quay.io/does-not/exist: unable to pull image: Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: Error reading manifest latest in quay.io/does-not/exist: unauthorized: access to the requested resource is not authorized
|
|   If one of the searched repositories was offline, you'd get a more useful routing error for that specific registry. For example:
|
|     $ cat /etc/hosts
|     127.0.0.1 quay.io
|     $ podman pull does-not/exist
|     Trying to pull registry.access.redhat.com/does-not/exist:latest...Failed
|     Trying to pull quay.io/does-not/exist:latest...Failed
|     Trying to pull docker.io/does-not/exist:latest...Failed
|     error pulling image "does-not/exist": unable to pull does-not/exist: 3 errors occurred:
|
|     * Error determining manifest MIME type for docker://registry.access.redhat.com/does-not/exist:latest: Error reading manifest latest in registry.access.redhat.com/does-not/exist: unknown: Not Found
|     * Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: pinging docker registry returned: Get https://quay.io/v2/: dial tcp 127.0.0.1:443: connect: connection refused
|     * Error determining manifest MIME type for docker://does-not/exist:latest: Error reading manifest latest in docker.io/does-not/exist: errors: denied: requested access to the resource is denied unauthorized: authentication required
|
|   This is our first direct dependency on multierror, but we've been vendoring it for a while now because opencontainers/runtime-tools uses it for config validation.
|
|   Signed-off-by: W. Trevor King <wking@tremily.us>
|   Closes: #1456
|   Approved by: rhatdan
* Merge pull request #1473 from mheon/update_gitvalidation_epoch | Matthew Heon | 2018-09-14
|\    Update gitvalidation epoch to avoid a bad commit
| * Update gitvalidation epoch to avoid a bad commit | Matthew Heon | 2018-09-14
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Update README to reflect current development efforts | Matthew Heon | 2018-09-14
|/    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1468 from TomSweeneyRedHat/dev/tsweeney/readmerel | Matthew Heon | 2018-09-14
|\    Add Buildah Podman relationship to README.md
| * Add Buildah Podman relationship to README.md | TomSweeneyRedHat | 2018-09-13
|/    Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* Swap default mount propagation from private to rprivate | Matthew Heon | 2018-09-13
|   This matches Docker behavior more closely and should resolve an issue we were seeing with /sys mounts
|   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|   Closes: #1465
|   Approved by: rhatdan
* Add notes to check version on problem | TomSweeneyRedHat | 2018-09-13
|   Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
|   Closes: #1462
|   Approved by: rhatdan
* Do not set rlimits if we are rootless | Matthew Heon | 2018-09-13
|   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|   Closes: #1437
|   Approved by: rhatdan
* Up default Podman rlimits to avoid max open files | Matthew Heon | 2018-09-13
|   Every port we open consumes an open FD. This can easily consume all available FDs for the podman process. Set rlimits to resolve this.
|   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|   Closes: #1437
|   Approved by: rhatdan
* Search registries with an empty query | Urvashi Mohnani | 2018-09-13
|   Adds functionality to search registries implementing the v2 endpoint with an empty query, that is the results will be all the available images on the registries. If this is tried with a v1 registry an error will occur. To search a whole registry, there needs to be a trailing slash at the end, i.e `podman search registry.fedoraproject.org/`.
|   Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
|   Closes: #1444
|   Approved by: rhatdan
* Vendor in latest containers/image | Urvashi Mohnani | 2018-09-13
|   Picks up changes made to authentication for registry search.
|   Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
|   Closes: #1444
|   Approved by: rhatdan
* Add `podman rm --volumes` flag | Daniel J Walsh | 2018-09-13
|   While this is not implemented yet, it is needed for working with existing docker scripts.
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|   Closes: #1460
|   Approved by: mheon
* Vendor in latest containers/storage to eliminate deadlock | Daniel J Walsh | 2018-09-12
|   When running lots of podman commands simultaneously we were able to get into a deadlock situation. The updated containers/storage should fix this issue.
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|   Closes: #1454
|   Approved by: mheon
* do not build with devicemapper | baude | 2018-09-12
|   as of now, we do not want to build with device mapper because it cannot handle parallel requests which would be common-place in podman.
|   Signed-off-by: baude <bbaude@redhat.com>
|   Closes: #1445
|   Approved by: mheon
* run different cgroup tests depending on conditions | baude | 2018-09-12
|   when running podman's integration tests, we need to be able to understand our environment because the podman command will differ as will the results. there is no 100% way to know if we are in a container, but using a combination of container= and checking /proc seemed reasonable for our test suite. none of this code is run in podman proper.
|   Signed-off-by: baude <bbaude@redhat.com>
|   Closes: #1441
|   Approved by: mheon
* don't make python when running make | baude | 2018-09-12
|   Signed-off-by: baude <bbaude@redhat.com>
|   Closes: #1443
|   Approved by: mheon
* Explicitly set default CNI network name in libpod.conf | Matthew Heon | 2018-09-12
|   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|   Closes: #1438
|   Approved by: TomSweeneyRedHat
* Pass on securityOpts from podInfraContainer to container added to pod. | Daniel J Walsh | 2018-09-11
|   This is an incomplete fix, as it would be best for the libpod library to be in charge of coordinating the container's dependencies on the infra container. A TODO was left as such.
|   UTS is a special case, because the docker library that namespace handling is based off of doesn't recognize a UTS based on another container as valid, despite the library being able to handle it correctly. Thus, it is left in the old way.
|   Signed-off-by: haircommander <pehunt@redhat.com>
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|   Closes: #1347
|   Approved by: mheon
* Merge pull request #1436 from mheon/bump-0.9.1.1 | Matthew Heon | 2018-09-10
|\    Bump to v0.9.1.1
| * Bump gitvalidation epoch | Matthew Heon | 2018-09-10
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Bump to v0.9.2-dev | Matthew Heon | 2018-09-10
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Bump to v0.9.1.1 (v0.9.1.1) | Matthew Heon | 2018-09-10
|/    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1435 from mheon/release_notes_0.9.1.1 | Matthew Heon | 2018-09-10
|\    Update release notes for 0.9.1.1
| * Update release notes for 0.9.1.1 | Matthew Heon | 2018-09-10
|/    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Replace existing iptables handler with firewall code | Matthew Heon | 2018-09-10
|   Use the new firewall code vendored from CNI to replace the existing iptables rule addition handler we had in place. This adds proper support for firewalld and should be much better at interacting with the firewall.
|   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|   Closes: #1431
|   Approved by: baude
* Vendor CNI plugins firewall code | Matthew Heon | 2018-09-10
|   The upstream CNI project has a PR open for adding iptables and firewalld support, but this has been stalled for the better part of a year upstream. On advice of several maintainers, we are vendoring this code into libpod, to perform the relevant firewall configuration ourselves.
|   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|   Closes: #1431
|   Approved by: baude
* Fix displaying size on size calculation error | Steve Baker | 2018-09-07
|   With this change if an error is raised when fetching the size of the image, the error string will be printed as the size (instead of panicking). In this particular case, the error string is "unable to determine size".
|   This fixes bug #1405
|   Signed-off-by: Steve Baker <sbaker@redhat.com>
|   Closes: #1423
|   Approved by: mheon
* Merge pull request #1428 from mheon/bump-0.9.1 | Matthew Heon | 2018-09-07
|\    Bump to v0.9.1
| * Bump gitvalidation epoch | Matthew Heon | 2018-09-07
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Bump to v0.9.2-dev | Matthew Heon | 2018-09-07
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Bump to v0.9.1 (v0.9.1) | Matthew Heon | 2018-09-07
|/    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1427 from mheon/release_notes_0.9.1 | Matthew Heon | 2018-09-07
|\    Update RELEASE_NOTES for 0.9.1 release
| * Update RELEASE_NOTES for 0.9.1 release | Matthew Heon | 2018-09-07
|/    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Fix pod sharing for utsmode | Daniel J Walsh | 2018-09-07
|   We should be sharing cgroups namespace by default in pods
|   uts namespace sharing was broken in pods.
|   Create a new libpod/pkg/namespaces for handling of namespace fields in containers
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|   Closes: #1418
|   Approved by: mheon
* Respect user-added mounts over default spec mounts | Matthew Heon | 2018-09-07
|   When there was a conflict between a user-added volume and a mount already in the spec, we previously respected the mount already in the spec and discarded the user-added mount. This is counter to expected behavior - if I volume-mount /dev into the container, I expect it will override the default /dev in the container, and not be ignored.
|   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|   Closes: #1419
|   Approved by: TomSweeneyRedHat
* Ensure we do not overlap mounts in the spec | Matthew Heon | 2018-09-07
|   When user-specified volume mounts overlap with mounts already in the spec, remove the mount in the spec to ensure there are no conflicts.
|   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|   Closes: #1419
|   Approved by: TomSweeneyRedHat
* Change references to cri-o to point at new repository | Daniel J Walsh | 2018-09-07
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|   Closes: #1425
|   Approved by: mheon
* fix docs for podman build | baude | 2018-09-07
|   podman build docs should now reflect that the --layers default value is true.
|   Signed-off-by: baude <bbaude@redhat.com>
|   Closes: #1424
|   Approved by: mheon
* use layer cache when building images | baude | 2018-09-07
|   to more closely mimic docker default behavior, the --layers cli option is set to true by default for podman. the buildah environment variable of BUILDAH_LAYERS is still honored and will override the command line input.
|   this should be considered in place of PR #1383.
|   Many thanks to Scott McCarty for inspiring this welcome change.
|   Signed-off-by: baude <bbaude@redhat.com>
|   Closes: #1422
|   Approved by: rhatdan
* Add first pass for baseline pod tests | baude | 2018-09-07
|   This bash script is meant to complement the podman baseline test script. It primarily focuses on exercising the common actions of pods.
|   Signed-off-by: baude <bbaude@redhat.com>
|   Closes: #1421
|   Approved by: rhatdan
* Change shm test to be less flaky. | Daniel J Walsh | 2018-09-07
|   This test fails a lot, I think because of a race condition. Changing to just make sure the inode of the /dev/shm on the host is the same as inside the container.
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|   Closes: #1420
|   Approved by: mheon
* Update WaitForTimeOut to output OutputString to help with debugging. | Daniel J Walsh | 2018-09-06
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|   Closes: #1416
|   Approved by: baude
* Fixups for baseline test script | baude | 2018-09-06
|   Small amount of clean up on the baseline script to handle failing on error. I also added an option to not use docker at all for platforms where docker cannot be installed.
|   Signed-off-by: baude <bbaude@redhat.com>
|   Closes: #1411
|   Approved by: rhatdan
* Fix naming of Namespaces to be more consistent | Daniel J Walsh | 2018-09-06
|   Figuring out the difference between a User and a USERNS as well as Cgroup and CGROUPNS
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|   Closes: #1417
|   Approved by: TomSweeneyRedHat
* Start pod infra container when pod is created | baude | 2018-09-06
|   When we create a pod that also has an infra container, we should start the infra container automatically. This allows users to add running containers to the pod immediately.
|   Signed-off-by: baude <bbaude@redhat.com>
|   Closes: #1415
|   Approved by: rhatdan
* vendor containerd/cgroups | baude | 2018-09-06
|   We need to vendor in the latest containerd/cgroups for a fix related to slice delegation and systemd <= 239. The opencontainer/runtime-spec is brought along for the ride.
|   Signed-off-by: baude <bbaude@redhat.com>
|   Closes: #1414
|   Approved by: mheon
* Fix up libpod.conf man pages and references to it. | Daniel J Walsh | 2018-09-06
|   Remove podman --config option, since it does not do anything.
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|   Closes: #1410
|   Approved by: mheon
* Print errors from individual pull attempts | Matthew Heon | 2018-09-05
|   Right now, we don't print errors from c/image while trying to pull images. This prints the errors when log-level=debug is set so we can debug errors while pulling.
|   Signed-off-by: Matthew Heon <mheon@redhat.com>
|   Closes: #1409
|   Approved by: baude