Commit message | Author | Age
* rootless: fix --pid=host | Giuseppe Scrivano | 2018-08-27
  Unfortunately this is not enough to get it working as runc doesn't allow to bind mount /proc.
  Depends on: https://github.com/opencontainers/runc/pull/1832
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #1349
  Approved by: rhatdan
* rootless: fix --ipc=host | Giuseppe Scrivano | 2018-08-27
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #1349
  Approved by: rhatdan
* spec: bind mount /sys only when userNS are enabled | Giuseppe Scrivano | 2018-08-27
  Fix the test for checking when /sys must be bind mounted from the host. It should be done only when userNS are enabled (the !UsernsMode.IsHost() check is not enough for that).
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #1349
  Approved by: rhatdan
* rootless, tests: add test for --uts=host | Giuseppe Scrivano | 2018-08-27
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #1349
  Approved by: rhatdan
* Dockerfile.Fedora: install slirp4netns | Giuseppe Scrivano | 2018-08-27
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #1349
  Approved by: rhatdan
* rootless: don't use kill --all | Giuseppe Scrivano | 2018-08-26
  The OCI runtime might use the cgroups to see what PIDs are inside the container, but that doesn't work with rootless containers.
  Closes: https://github.com/containers/libpod/issues/1337
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #1331
  Approved by: rhatdan
* rootless: exec handle processes that create a user namespace | Giuseppe Scrivano | 2018-08-26
  Manage the case where the main process of the container creates and joins a new user namespace. In this case we want to join only the first child in the new hierarchy, which is the user namespace that was used to create the container.
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #1331
  Approved by: rhatdan
* rootless: fix exec | Giuseppe Scrivano | 2018-08-26
  We cannot re-exec into a new user namespace to gain privileges and access an existing as the new namespace is not the owner of the existing container. "unshare" is used to join the user namespace of the target container. The current implementation assumes that the main process of the container didn't create a new user namespace. Since in the setup phase we are not running with euid=0, we must skip the setup for containers/storage.
  Closes: https://github.com/containers/libpod/issues/1329
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #1331
  Approved by: rhatdan
* Move whale-says test to end of baseline | TomSweeneyRedHat | 2018-08-25
  Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
  Closes: #1346
  Approved by: rhatdan
* Merge pull request #1343 from mheon/bump-0.8.4 | Matthew Heon | 2018-08-24
|\  Bump to 0.8.4
| * Bump gitvalidation epoch | Matthew Heon | 2018-08-24
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Bump to v0.8.5-dev | Matthew Heon | 2018-08-24
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Bump to v0.8.4 v0.8.4 | Matthew Heon | 2018-08-24
|/    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1342 from mheon/add_release_notes | Matthew Heon | 2018-08-24
|\  Add release notes for 0.8.4
| * Add release notes | Matthew Heon | 2018-08-24
|/    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Regenerate easyjson after rebase | Matthew Heon | 2018-08-24
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #1322
  Approved by: mheon
* Vendor easyjson code to fix build | Matthew Heon | 2018-08-24
  To ensure we can build without easyjson installed, vendor the easyjson repository as the generated files use the easyjson library.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #1322
  Approved by: mheon
* Swap from FFJSON to easyjson | Matthew Heon | 2018-08-24
  FFJSON has serialization differences versus stock Go - namely, it does not respect the MarshalText() and UnmarshalText() methods, particularly on []byte, which causes incompatibility with pre-FFJSON containers which contained DNS servers. EasyJSON does not have these issues, and might even be slightly faster.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #1322
  Approved by: mheon
* Make 'make clean' remove FFJSON generated code | Matthew Heon | 2018-08-24
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #1322
  Approved by: mheon
* rootless: allow to override policy.json by the user | Giuseppe Scrivano | 2018-08-24
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #1336
  Approved by: mheon
* add completion for --pod in run and create | haircommander | 2018-08-24
  Signed-off-by: haircommander <pehunt@redhat.com>
  Closes: #1339
  Approved by: mheon
* Fixed formatting and lowered verbosity of pod ps | haircommander | 2018-08-24
  CtrInfo now is formatted in the way originally intended. s/Number Of Containers/# Of Containers and s/Infra Container ID/Infra ID. Make json camel case.
  Signed-off-by: haircommander <pehunt@redhat.com>
  Closes: #1338
  Approved by: mheon
* Do not try to enable AppArmor in rootless mode | Marco Vedovati | 2018-08-24
  When in rootless mode it's not possible to load profiles or check which profiles are loaded. Added a few baseline tests to check all possible cases.
  Signed-off-by: Marco Vedovati <mvedovati@suse.com>
  Closes: #1250
  Approved by: mheon
* exposes tcp port only if no proto specified. | Kunal Kushwaha | 2018-08-24
  Also it fixes the issue of exposing both tcp/udp port even if only one proto specified.
  Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
  Closes: #1325
  Approved by: mheon
* rpm-spec: use skopeo-containers instead of containers-common | Lokesh Mandvekar | 2018-08-24
  skopeo-containers is available everywhere, but not containers-common
  Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
  Closes: #1332
  Approved by: rhatdan
* Reveal information about container capabilities | Daniel J Walsh | 2018-08-24
  I am often asked about the list of capabilities available to a container. We should be listing this data in the inspect command for effective capabilities and the bounding set.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #1335
  Approved by: TomSweeneyRedHat
* Vendor in latest projectatomic/buildah | umohnani8 | 2018-08-23
  Fixes to podman build for unknown image and ADD with url when doing --layers.
  Signed-off-by: umohnani8 <umohnani@redhat.com>
  Closes: #1330
  Approved by: mheon
* Refactor error checking in With*NSFromPod options | haircommander | 2018-08-23
  Signed-off-by: haircommander <pehunt@redhat.com>
  Closes: #1187
  Approved by: mheon
* Fixing network ns segfault | haircommander | 2018-08-23
  As well as small style corrections, update pod_top_test to use CreatePod, and move handling of adding a container to the pod's namespace from container_internal_linux to libpod/option.
  Signed-off-by: haircommander <pehunt@redhat.com>
  Closes: #1187
  Approved by: mheon
* Change pause container to infra container | haircommander | 2018-08-23
  Signed-off-by: haircommander <pehunt@redhat.com>
  Closes: #1187
  Approved by: mheon
* Support pause containers in varlink | haircommander | 2018-08-23
  Signed-off-by: haircommander <pehunt@redhat.com>
  Closes: #1187
  Approved by: mheon
* Added option to share kernel namespaces in libpod and podman | haircommander | 2018-08-23
  A pause container is added to the pod if the user opts in. The default pause image and command can be overridden. Pause containers are ignored in ps unless the -a option is present. Pod inspect and pod ps show shared namespaces and pause container. A pause container can't be removed with podman rm, and a pod can be removed if it only has a pause container.
  Signed-off-by: haircommander <pehunt@redhat.com>
  Closes: #1187
  Approved by: mheon
* Changed GetContainerStats to return ErrCtrStateInvalid | haircommander | 2018-08-23
  This results in some functionality changes: If an ErrCtrStateInvalid is returned to GetPodStats, the container is omitted from the stats. As such, if an empty slice of Container stats are returned to GetPodStats in varlink, an error will occur. GetContainerStats will return the ErrCtrStateInvalid as well. Finally, if ErrCtrStateInvalid is returned to the podman stats call, the container will be omitted from the stats.
  Signed-off-by: haircommander <pehunt@redhat.com>
  Closes: #1319
  Approved by: baude
* Add GetPodStats to varlink | haircommander | 2018-08-23
  Signed-off-by: haircommander <pehunt@redhat.com>
  Closes: #1319
  Approved by: baude
* rpm-spec: update distro-specific dependencies | Lokesh Mandvekar | 2018-08-23
  remove slirp4netns as hard dep as it isn't available on rhel7.
  Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
  Closes: #1328
  Approved by: baude
* Add podman pod top | haircommander | 2018-08-23
  Using the vendored changes from psgo, incorporate JoinNamespaceAndProcessInfoByPids to get process information for each pid namespace of running containers in the pod. Also added a man page, and tests.
  Signed-off-by: haircommander <pehunt@redhat.com>
  Closes: #1298
  Approved by: mheon
* Include pod stats and top in commands/completions | haircommander | 2018-08-23
  Signed-off-by: haircommander <pehunt@redhat.com>
  Closes: #1298
  Approved by: mheon
* Vendor changes to psgo | haircommander | 2018-08-23
  Signed-off-by: haircommander <pehunt@redhat.com>
  Closes: #1298
  Approved by: mheon
* Fix syntax description of --ulimit command | Daniel J Walsh | 2018-08-23
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #1327
  Approved by: vrothberg
* Swap test image in exec test to fedora for useradd | Matthew Heon | 2018-08-23
  We need a useradd binary in the container for this test, so swap from Alpine to fedora-minimal.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #1315
  Approved by: vrothberg
* Add tests for exec --user | Matthew Heon | 2018-08-23
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #1315
  Approved by: vrothberg
* Properly translate users into runc format for exec | Matthew Heon | 2018-08-23
  Runc exec expects the --user flag to be formatted as UID:GID. Use chrootuser code to translate whatever user is passed to exec into this format.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #1315
  Approved by: vrothberg
* test: add more tests for rootless containers | Giuseppe Scrivano | 2018-08-22
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #1323
  Approved by: umohnani8
* rootless: fix --net host --privileged | Giuseppe Scrivano | 2018-08-22
  Closes: https://github.com/containers/libpod/issues/1313
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #1323
  Approved by: umohnani8
* Fix a bug with hook ALWAYS matching with a process | Matthew Heon | 2018-08-22
  When a non-nil process was used and a hook was set to match always, this would not actually match. Fix this.
  Fixes: #1308
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #1311
  Approved by: rhatdan
* Fixed segfault in stats where container had netNS none or from container | haircommander | 2018-08-21
  Signed-off-by: haircommander <pehunt@redhat.com>
  Closes: #1306
  Approved by: rhatdan
* Enable pod stats with short ID and name | haircommander | 2018-08-21
  Signed-off-by: haircommander <pehunt@redhat.com>
  Closes: #1307
  Approved by: rhatdan
* Touch up cert-dir in man pages | TomSweeneyRedHat | 2018-08-21
  Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
  Closes: #1312
  Approved by: rhatdan
* make dbuild fixed on ubuntu/debian | Kunal Kushwaha | 2018-08-21
  Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
  Closes: #1309
  Approved by: mheon
* vendor latest github.com/urfave/cli | Valentin Rothberg | 2018-08-21
  Change from an external patched branch to the upstream master. The vendored code is identical to the previous one.
  Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
  Closes: #1310
  Approved by: mheon