Commit message (Author, Age)
* Validate passed in timezone from tz option (TomSweeneyRedHat, 2021-03-29)
  Erik Sjolund reported an issue where a badly formatted file could be passed into the `--tz` option and then the date in the container would be badly messed up:
  ```
  erik@laptop:~$ echo Hello > file.txt
  erik@laptop:~$ podman run --tz=../../../home/erik/file.txt --rm -ti docker.io/library/alpine cat /etc/localtime
  Hello
  erik@laptop:~$ podman --version
  podman version 3.0.0-rc1
  erik@laptop:~$
  ```
  This fix checks to make sure the TZ passed in is a valid value and then proceeds with the rest of the processing.
  This was first reported as a potential security issue, but it was thought not to be. However, I thought closing the hole sooner rather than later would be good.
  Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* Generate Kubernetes PersistentVolumeClaims from named volumes (Jordan Williams, 2021-03-29)
  Fixes #5788
  This commit adds support for named volumes in podman-generate-kube. Named volumes are output in the YAML as PersistentVolumeClaims. To avoid naming conflicts, the volume name is suffixed with "-pvc". This commit adds a corresponding suffix for host path mounts. Host path volumes are suffixed with "-host".
  Signed-off-by: Jordan Williams <jordan@jwillikers.com>
* libpod/image: unit tests: use a `registries.conf` for aliases (Valentin Rothberg, 2021-03-29)
  Since some unit tests use "busybox", we need to point it to some alias if we want it to pass CI on F34 where we're running in enforced mode.
  Furthermore, make sure that the registries.conf can actually be overridden in the code.
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* libpod/image: unit tests: defer cleanup (Valentin Rothberg, 2021-03-29)
  Defer cleaning up the test artifacts as early as possible.
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* libpod/image: unit tests: use `require.NoError` (Valentin Rothberg, 2021-03-29)
  In contrast to `assert.NoError`, `require.NoError` treats mismatches fatally which in many cases is necessary to prevent subsequent checks from segfaulting.
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Unification of until filter across list/prune endpoints (Jakub Guzik, 2021-03-29)
  Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* Unification of label filter across list/prune endpoints (Jakub Guzik, 2021-03-29)
  Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* fixup (Matej Vasek, 2021-03-29)
  Signed-off-by: Matej Vasek <mvasek@redhat.com>
* fix: build endpoint for compat API (Matej Vasek, 2021-03-29)
  Signed-off-by: Matej Vasek <mvasek@redhat.com>
* [NO TESTS NEEDED] Remove /tmp/containers-users-* files on reboot (Daniel J Walsh, 2021-03-29)
  Helps Fix https://github.com/containers/podman/issues/9765
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Check if stdin is a term in --interactive --tty mode (Daniel J Walsh, 2021-03-29)
  If you are attempting to run a container in interactive mode, and want a --tty, then there must be a terminal in use.
  Docker exits right away when a user specifies to use a --interactive and --TTY but the stdin is not a tty.
  Currently podman will pull the image and then fail much later. Podman will continue to run but will print a warning message.
  Discussion in: https://github.com/containers/podman/issues/8916
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* [NO TESTS NEEDED] Fix rootless volume plugins (Phoenix The Fallen, 2021-03-29)
  In a case of volume plugins with custom options.
  Signed-off-by: Phoenix The Fallen <thephoenixofthevoid@gmail.com>
* Ensure manually-created volumes have correct ownership (Matthew Heon, 2021-03-29)
  As part of a fix for an earlier bug (#5698) we added the ability for Podman to chown volumes to correctly match the user running in the container, even in adverse circumstances (where we don't know the right UID/GID until very late in the process). However, we only did this for volumes created automatically by a `podman run` or `podman create`. Volumes made by `podman volume create` do not get this chown, so their permissions may not be correct. I've looked, and I don't think there's a good reason not to do this chown for all volumes the first time the container is started.
  I would prefer to do this as part of volume copy-up, but I don't think that's really possible (copy-up happens earlier in the process and we don't have a spec). There is a small chance, as things stand, that a copy-up happens for one container and then a chown for a second, unrelated container, but the odds of this are astronomically small (we'd need a very close race between two starting containers).
  Fixes #9608
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* Support multi doc yaml for generate/play kube (Eduardo Vega, 2021-03-29)
  Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
  <MH: Fixed cherry-pick conflicts>
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* Correct json field name (Jhon Honce, 2021-03-29)
  [NO TESTS NEEDED]
  * When using the Namespace type, the field Value was json encoded with the name "string" vs "value".
  Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Fix filters in image http compat/libpod api endpoints (Jakub Guzik, 2021-03-29)
  Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* podman generate systemd --new do not duplicate params (Paul Holzinger, 2021-03-29)
  podman generate systemd --new inserts extra idfile arguments. The generated unit can break when the user did provide their own idfile arguments as they overwrite the arguments added by generate systemd. This also happens when a user tries to generate the systemd unit on a container already created with a --new unit. This should now create an identical unit.
  The solution is to remove all user provided idfile arguments.
  This commit also ensures that we do not remove arguments that are part of the containers entrypoint.
  Fixes #9776
  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Fix podman build --pull-never (Daniel J Walsh, 2021-03-29)
  Currently pull policy is set incorrectly when users set --pull-never.
  Also pull-policy is not being translated correctly when using podman-remote.
  Fixes: #9573
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  <MH: Fixed cherry-pick conflict>
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* man pages: correct seccomp-policy label (Valentin Rothberg, 2021-03-29)
  The implementation uses `io.containers.seccomp.profile` while the docs mentioned `io.podman`. Correct the two references in the docs to reflect the implementation.
  Fixes: #9853
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* [NO TESTS NEEDED] Use same function podman-remote rmi as podman (Daniel J Walsh, 2021-03-29)
  Make sure fixes that go into local podman commands also work in podman-remote, by using the same function.
  Since this is just a rewrite of existing code, existing tests should handle it.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add problematic volume name to kube play error messages (Jordan Christiansen, 2021-03-29)
  When kube play fails to create a volume, it should say which volume had the problem so the user doesn't have to guess. For the following pod spec:
      apiVersion: v1
      kind: Pod
      metadata:
        name: mypod
      spec:
        containers:
          - name: myfrontend
            image: nginx
            volumeMounts:
            - mountPath: "/var/www/html"
              name: mypd
        volumes:
          - name: mypd
            hostPath:
              path: /var/blah
  podman will now report:
      Error: failed to create volume "mypd": error in parsing HostPath in YAML: error checking path "/var/blah": stat /var/blah: no such file or directory
  Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
* Fix list pods filter handling in libpod api (Jakub Guzik, 2021-03-29)
  Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* [NO TESTS NEEDED] Fix for kernel without CONFIG_USER_NS (なつき, 2021-03-29)
  Signed-off-by: Natsuki <i@ntk.me>
* Remove resize race condition (Daniel J Walsh, 2021-03-29)
  Since podman-remote resize requests can come in at random times, this generates a real potential for race conditions. We should only be attempting to resize TTY on running containers, but the containers can go from running to stopped at any time, and returning an error to the caller is just causing noise.
  This change will basically ignore requests to resize terminals if the container is not running and return the caller to success. All other callers will still return failure.
  Fixes: https://github.com/containers/podman/issues/9831
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  <MH: Fixed cherry-pick conflicts>
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* [NO TESTS NEEDED] Vendor in containers/buildah v1.20.0 (Daniel J Walsh, 2021-03-29)
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  <MH: Fixed cherry-pick conflicts. Re-ran vendor.>
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* Use TMPDIR when committing images (Daniel J Walsh, 2021-03-29)
  Fixes: https://github.com/containers/podman/issues/9825
  Currently we are using TMPDIR for storing temporary files when building images, but not when you directly commit the images.
  This change simply uses the TMPDIR environment variable if set to store temporary files.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add RequiresMountsFor= to systemd generate (Robb Manes, 2021-03-29)
  It is rare but possible that storage locations for the graphroot and the runroot are not mounted at boot time, and therefore might race when doing container operations. An example we've seen in the wild is that a slow tmpfs mount for the runroot would suddenly mount over /run, causing the container to lose all currently-running data, requiring a system refresh to get it back.
  This patch adds RequiresMountsFor= to the systemd.unit header to ensure the paths for both the graphroot and runroot are mounted prior to starting any generated unit files.
  Signed-off-by: Robb Manes <rmanes@redhat.com>
* Fix swapped dimensions from terminal.GetSize (Anders F Björklund, 2021-03-29)
  Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
  <MH: Fixed cherry-pick conflicts>
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* Revert go-systemd to v2.22.0 (Matthew Heon, 2021-03-29)
  The newer v2.23.0 broke the build on 32-bit systems. We resolved it upstream, but there's no newer release with the fix yet.
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #9793 from cevich/v3.1_branch_update (OpenShift Merge Robot, 2021-03-23)
  Cirrus: Update configuration for v3.1 branch
| * Cirrus: Update configuration for v3.1 branch (Chris Evich, 2021-03-23)
    Signed-off-by: Chris Evich <cevich@redhat.com>
* | Merge pull request #9789 from mheon/bump_310_rc2 (OpenShift Merge Robot, 2021-03-23)
  Bump to v3.1.0-RC2
| * Bump to v3.1.0-dev (Matthew Heon, 2021-03-23)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Bump to v3.1.0-rc2 [v3.1.0-rc2] (Matthew Heon, 2021-03-23)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #9784 from mheon/release_notes_310_rc2 (OpenShift Merge Robot, 2021-03-23)
  [CI:DOCS] Update release notes for v3.1.0-RC2
| * Update release notes for v3.1.0-RC2 (Matthew Heon, 2021-03-23)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #9775 from jmguzik/system-prune-msg-fix (OpenShift Merge Robot, 2021-03-22)
  Fix system prune cmd user message with options
| * Fix system prune cmd user message with options (Jakub Guzik, 2021-03-21)
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | Merge pull request #9757 from jwhonce/wip/load (OpenShift Merge Robot, 2021-03-22)
  Cleanup /libpod/images/load handler
| * | Cleanup /libpod/images/load handler (Jhon Honce, 2021-03-19)
    * Remove orphaned code
    * Add meaningful error from LoadImageFromSingleImageArchive() when heuristic fails to determine payload format
    * Correct swagger to output correct types and headers
    Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | Merge pull request #9779 from containers/dependabot/go_modules/github.com/coreos/go-systemd/v22-22.3.0 (OpenShift Merge Robot, 2021-03-22)
  Bump github.com/coreos/go-systemd/v22 from 22.1.0 to 22.3.0
| * | | Bump github.com/coreos/go-systemd/v22 from 22.1.0 to 22.3.0 (dependabot[bot], 2021-03-22)
    Bumps [github.com/coreos/go-systemd/v22](https://github.com/coreos/go-systemd) from 22.1.0 to 22.3.0.
    - [Release notes](https://github.com/coreos/go-systemd/releases)
    - [Commits](https://github.com/coreos/go-systemd/compare/v22.1.0...v22.3.0)
    Signed-off-by: dependabot[bot] <support@github.com>
* | | Merge pull request #9771 from edsantiago/bats (OpenShift Merge Robot, 2021-03-22)
  System tests: reenable a bunch of skipped tests
| * | System tests: reenable a bunch of skipped tests (Ed Santiago, 2021-03-20)
    Checking for 'skip.*[0-9]{4,5}', and checking status on said issues, finds several that have been closed. Let's see if they're really fixed.
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #9762 from giuseppe/use-bounding-caps-for---privileged (OpenShift Merge Robot, 2021-03-19)
  security: use the bounding caps with --privileged
| * vendor: drop replace for github.com/syndtr/gocapability (Giuseppe Scrivano, 2021-03-19)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * security: use the bounding caps with --privileged (Giuseppe Scrivano, 2021-03-19)
    when --privileged is used, make sure to not request more capabilities than currently available in the current context.
    [NO TESTS NEEDED] since it fixes existing tests.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * Bump github.com/containers/common from 0.35.0 to 0.35.3 (dependabot[bot], 2021-03-19)
    Bumps [github.com/containers/common](https://github.com/containers/common) from 0.35.0 to 0.35.3.
    - [Release notes](https://github.com/containers/common/releases)
    - [Commits](https://github.com/containers/common/compare/v0.35.0...v0.35.3)
    Signed-off-by: dependabot[bot] <support@github.com>
* | Merge pull request #9735 from containers/dependabot/go_modules/github.com/onsi/ginkgo-1.15.2 (OpenShift Merge Robot, 2021-03-19)
  Bump github.com/onsi/ginkgo from 1.15.1 to 1.15.2
| * Bump github.com/onsi/ginkgo from 1.15.1 to 1.15.2 (dependabot-preview[bot], 2021-03-18)
    Bumps [github.com/onsi/ginkgo](https://github.com/onsi/ginkgo) from 1.15.1 to 1.15.2.
    - [Release notes](https://github.com/onsi/ginkgo/releases)
    - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
    - [Commits](https://github.com/onsi/ginkgo/compare/v1.15.1...v1.15.2)
    Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>