If I mount, say, /usr/bin into my container - I expect to be able
to run the executables in that mount. Unconditionally applying
noexec would be a bad idea.
Before my patches to change mount options and allow exec/dev/suid
being set explicitly, we inferred the mount options from where on
the base system the mount originated, and the options it had
there. Implement the same functionality for the new option
handling.
There's a lot of performance left on the table here, but I don't
know that this is ever going to take enough time to make it worth
optimizing.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We already process the options on all tmpfs filesystems during
final addition of mounts to the spec. We don't need to do it
before that in parseVolumes.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Previously, we explicitly set noexec/nosuid/nodev on every mount,
with no ability to disable them. The 'mount' command on Linux
will accept their inverses without complaint, though - 'noexec'
is counteracted by 'exec', 'nosuid' by 'suid', etc. Add support
for passing these options at the command line to disable our
explicit forcing of security options.
This also cleans up mount option handling significantly. We are
still parsing options in more than one place, which isn't good,
but option parsing for bind and tmpfs mounts has been unified.
Fixes: #3819
Fixes: #3803
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Vendor some changes to parsing code that we need for Podman.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Re-add volume locks
This will require a 'podman system renumber' after being applied
to get lock numbers for existing volumes.
Add the DB backend code for rewriting volume configs and use it
for updating lock numbers as part of 'system renumber'.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Add an integration test for systemd in a container
Revert this once CGroups V2 support for systemd containers is
added.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
when performing an image build over a varlink connection, we should
clean up tmp files that are a result of sending the file to the host and
untarring it for the build.
Fixes: #3869
Signed-off-by: baude <bbaude@redhat.com>
Cirrus: Enable VM image housekeeping
Also do some minor cleanup and add additional safety-checks to pruning
script (container image).
Signed-off-by: Chris Evich <cevich@redhat.com>
image: remove unused Decompose method
Decompose() returns an error defined in CNI which has been removed
upstream because it had no in-tree (eg in CNI) users.
Signed-off-by: Dan Williams <dcbw@redhat.com>
Test build snap with Cirrus CI
Signed-off-by: Anatoli Babenia <anatoli@rainforce.org>
Signed-off-by: Anatoli Babenia <anatoli@rainforce.org>
Signed-off-by: Anatoli Babenia <anatoli@rainforce.org>
Signed-off-by: Anatoli Babenia <anatoli@rainforce.org>
podman cp: big set of system tests
podman cp has had some unexpected bugs, and still has
some surprising behavior. It looks like this part of
the code is fragile. Add tests to try to prevent
future breakages.
Note that two of the new tests are disabled (skipped)
until #3829 gets fixed.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Update varlink doc and code for images
* Improved error message
* Added documentation
* Updated messages to include missing data
Signed-off-by: Jhon Honce <jhonce@redhat.com>
add iproute to podman in podman image
the network create function relies on the presence of iproute's binary
'ip'.
Signed-off-by: baude <bbaude@redhat.com>
clean up after remote build
when performing an image build over a varlink connection, we should
clean up tmp files that are a result of sending the file to the host and
untarring it for the build.
Fixes: #3869
Signed-off-by: baude <bbaude@redhat.com>
Create framework for varlink endpoint integration tests
add the ability to write integration tests similar to our e2e tests for
the varlink endpoints.
Signed-off-by: baude <bbaude@redhat.com>
Adjust name of Podman CNI network bridge
Both Podman and CRI-O set up CNI bridges with the name 'cni0'. If
both our CNI conflist and the CRI-O conflist are installed,
whoever runs first will win - that is, they will configure the
bridge, and everyone will use it. Problem: the CRI-O CNI config
conflicts with ours and results in containers with no networking.
Solution: rename our bridge so we don't conflict with CRI-O.
At the same time, hit our IPAM configuration. The current version
was an older format in danger of deprecation. The new format is
documented at [1].
Finally, fix indentation for the entire file.
[1] https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local#example-configurations
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Update cni config instructions
Update the CNI configuration instructions to line up with
the changes introduced in #3868. Also do a bit less documentation
of the configuration and point to the GitHub project so we won't
get out of sync in the future.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Fix minor typos in podman-run docs.
Signed-off-by: Chris Hunt <chrahunt@gmail.com>
Fix link format in rootless_tutorial.md.
From `[link](url)` to [`link`](url)
Signed-off-by: Chris Hunt <chrahunt@gmail.com>
generate systemd pod
Support generating systemd unit files for a pod. Podman generates one
unit file for the pod including the PID file for the infra container's
conmon process and one unit file for each container (excluding the infra
container).
Note that this change implies refactorings in the `pkg/systemdgen` API.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Drop the support for remote clients to generate systemd-service files.
The generated files are machine-dependent and hence relate only to the
local machine. Furthermore, a proper service management when using
a remote-client is not possible as systemd has no access to a process.
Dropping the support will also reduce the risk of making users believe
that the generated services are usable in a remote scenario.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Need to include command name in error message
I hit this error and it told me to `system migrate`
as opposed to `podman system migrate`
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
podman-remote: cp crashes
prune unwanted messages when running a container remotely. also, cp is
not remote-enabled yet and as such should not be available on the remote
client.
Fixes: #3861
Signed-off-by: baude <bbaude@redhat.com>
Dockerfile.fedora: install cni plugins package
the version available on Fedora is updated, so we don't need to build
from source.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Add --digestfile option to push
Add the digestfile option to the push command so the digest can
be stored away in a file when requested by the user. Also have added
a debug statement to show the completion of the push.
Emulates Buildah's https://github.com/containers/buildah/pull/1799/files
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
networking: use firewall plugin
drop the pkg/firewall module and start using the firewall CNI plugin.
It requires an updated package for CNI plugins.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>