Commit message (author, date)
* Add test to verify noexec works with volume mounts (Matthew Heon, 2019-09-04)
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add a test for the new suid/exec/dev options (Matthew Heon, 2019-08-28)
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Fix addition of mount options when using RO tmpfs (Matthew Heon, 2019-08-28)
  For read-only containers set to create tmpfs filesystems over /run and other common destinations, we were incorrectly setting mount options, resulting in duplicate mount options.
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Allow :z and :Z with ProcessOptions (Matthew Heon, 2019-08-28)
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Set base mount options for bind mounts from base system (Matthew Heon, 2019-08-28)
  If I mount, say, /usr/bin into my container - I expect to be able to run the executables in that mount. Unconditionally applying noexec would be a bad idea.
  Before my patches to change mount options and allow exec/dev/suid being set explicitly, we inferred the mount options from where on the base system the mount originated, and the options it had there. Implement the same functionality for the new option handling.
  There's a lot of performance left on the table here, but I don't know that this is ever going to take enough time to make it worth optimizing.
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Don't double-process tmpfs options (Matthew Heon, 2019-08-28)
  We already process the options on all tmpfs filesystems during final addition of mounts to the spec. We don't need to do it before that in parseVolumes.
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add support for 'exec', 'suid', 'dev' mount flags (Matthew Heon, 2019-08-28)
  Previously, we explicitly set noexec/nosuid/nodev on every mount, with no ability to disable them. The 'mount' command on Linux will accept their inverses without complaint, though - 'noexec' is counteracted by 'exec', 'nosuid' by 'suid', etc. Add support for passing these options at the command line to disable our explicit forcing of security options.
  This also cleans up mount option handling significantly. We are still parsing options in more than one place, which isn't good, but option parsing for bind and tmpfs mounts has been unified.
  Fixes: #3819
  Fixes: #3803
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Update buildah to current master (Matthew Heon, 2019-08-28)
  Vendor some changes to parsing code that we need for Podman.
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3893 from mheon/readd_volume_locks (OpenShift Merge Robot, 2019-08-28)
  Re-add volume locks
  * Re-add locks to volumes. (Matthew Heon, 2019-08-28)
    This will require a 'podman system renumber' after being applied to get lock numbers for existing volumes.
    Add the DB backend code for rewriting volume configs and use it for updating lock numbers as part of 'system renumber'.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3728 from mheon/systemd_container_test (OpenShift Merge Robot, 2019-08-28)
  Add an integration test for systemd in a container
  * Temporarily disable systemd test for CGroups V2 (Matthew Heon, 2019-08-28)
    Revert this once CGroups V2 support for systemd containers is added.
    Signed-off-by: Matthew Heon <mheon@redhat.com>
  * Add an integration test for systemd in a container (Matthew Heon, 2019-08-28)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
  * clean up after remote build (baude, 2019-08-28)
    when performing an image build over a varlink connection, we should clean up tmp files that are a result of sending the file to the host and untarring it for the build.
    Fixes: #3869
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3823 from cevich/prune_old_images (OpenShift Merge Robot, 2019-08-28)
  Cirrus: Enable VM image housekeeping
  * Cirrus: Enable VM image housekeeping (Chris Evich, 2019-08-26)
    Also do some minor cleanup and add additional safety-checks to pruning script (container image).
    Signed-off-by: Chris Evich <cevich@redhat.com>
* Merge pull request #3898 from dcbw/remove-decompose (OpenShift Merge Robot, 2019-08-28)
  image: remove unused Decompose method
  * image: remove unused Decompose method (Dan Williams, 2019-08-28)
    Decompose() returns an error defined in CNI which has been removed upstream because it had no in-tree (eg in CNI) users.
    Signed-off-by: Dan Williams <dcbw@redhat.com>
* Merge pull request #3889 from abitrolly/patch-1 (OpenShift Merge Robot, 2019-08-28)
  Test build snap with Cirrus CI
  * Add snap build test to success and release check (Anatoli Babenia, 2019-08-28)
    Signed-off-by: Anatoli Babenia <anatoli@rainforce.org>
  * Run `apt-get update` to avoid missing package while building (Anatoli Babenia, 2019-08-28)
    Signed-off-by: Anatoli Babenia <anatoli@rainforce.org>
  * Use snapcraft on Ubuntu 18.04 for libostree-dev (Anatoli Babenia, 2019-08-28)
    Signed-off-by: Anatoli Babenia <anatoli@rainforce.org>
  * Test build snap with Cirrus CI (Anatoli Babenia, 2019-08-28)
    Signed-off-by: Anatoli Babenia <anatoli@rainforce.org>
* Merge pull request #3887 from edsantiago/bats (OpenShift Merge Robot, 2019-08-28)
  podman cp: big set of system tests
  * podman cp: big set of system tests (Ed Santiago, 2019-08-26)
    podman cp has had some unexpected bugs, and still has some surprising behavior. It looks like this part of the code is fragile. Add tests to try to prevent future breakages.
    Note that two of the new tests are disabled (skipped) until #3829 gets fixed.
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #3888 from jwhonce/wip/api (OpenShift Merge Robot, 2019-08-27)
  Update varlink doc and code for images
  * Update varlink doc and code (Jhon Honce, 2019-08-26)
    * Improved error message
    * Added documentation
    * Updated messages to include missing data
    Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Merge pull request #3886 from baude/addiproute (OpenShift Merge Robot, 2019-08-26)
  add iproute to podman in podman image
  * add iproute to podman in podman image (baude, 2019-08-26)
    the network create function relies on the presence of iproute's binary 'ip'.
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3883 from baude/varlinkbuildcleanup (OpenShift Merge Robot, 2019-08-26)
  clean up after remote build
  * clean up after remote build (baude, 2019-08-25)
    when performing an image build over a varlink connection, we should clean up tmp files that are a result of sending the file to the host and untarring it for the build.
    Fixes: #3869
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3824 from baude/varlinkendpointtest (OpenShift Merge Robot, 2019-08-26)
  Create framework for varlink endpoint integration tests
  * Create framework for varlink endpoint integration tests (baude, 2019-08-16)
    add the ability to write integration tests similar to our e2e tests for the varlink endpoints.
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3755 from mheon/fix_cniname (OpenShift Merge Robot, 2019-08-26)
  Adjust name of Podman CNI network bridge
  * Adjust name of Podman CNI network bridge (Matthew Heon, 2019-08-23)
    Both Podman and CRI-O set up CNI bridges with the name 'cni0'. If both our CNI conflist and the CRI-O conflist are installed, whoever runs first will win - that is, they will configure the bridge, and everyone will use it.
    Problem: the CRI-O CNI config conflicts with ours and results in containers with no networking.
    Solution: rename our bridge so we don't conflict with CRI-O.
    At the same time, hit our IPAM configuration. The current version was an older format in danger of deprecation. The new format is documented at [1].
    Finally, fix indentation for the entire file.
    [1] https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local#example-configurations
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3877 from TomSweeneyRedHat/dev/tsweeney/cnifix (OpenShift Merge Robot, 2019-08-25)
  Update cni config instructions
  * Update cni config instructions (TomSweeneyRedHat, 2019-08-22)
    Update the CNI configuration instructions to line up with the changes introduced in #3868. Also do a bit less documentation of the configuration and point to the GitHub project so we won't get out of sync in the future.
    Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* Merge pull request #3845 from chrahunt/patch-2 (OpenShift Merge Robot, 2019-08-22)
  Fix minor typos in podman-run docs.
  * Fix minor typos in podman-run docs. (Christopher Hunt, 2019-08-21)
    Signed-off-by: Chris Hunt <chrahunt@gmail.com>
* Merge pull request #3844 from chrahunt/patch-1 (OpenShift Merge Robot, 2019-08-22)
  Fix link format in rootless_tutorial.md.
  * Fix link format in rootless_tutorial.md. (Christopher Hunt, 2019-08-21)
    From `[link](url)` to [`link`](url)
    Signed-off-by: Chris Hunt <chrahunt@gmail.com>
* Merge pull request #3800 from vrothberg/generate-pod (OpenShift Merge Robot, 2019-08-22)
  generate systemd pod
  * generate systemd: support pods and generating files (Valentin Rothberg, 2019-08-21)
    Support generating systemd unit files for a pod. Podman generates one unit file for the pod including the PID file for the infra container's conmon process and one unit file for each container (excluding the infra container).
    Note that this change implies refactorings in the `pkg/systemdgen` API.
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
  * generate systemd: drop support for remote clients (Valentin Rothberg, 2019-08-21)
    Drop the support for remote clients to generate systemd-service files. The generated files are machine-dependent and hence relate only to a local machine. Furthermore, a proper service management when using a remote-client is not possible as systemd has no access to a process.
    Dropping the support will also reduce the risk of making users believe that the generated services are usable in a remote scenario.
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #3873 from rhatdan/migrate (OpenShift Merge Robot, 2019-08-22)
  Need to include command name in error message
  * Need to include command name in error message (Daniel J Walsh, 2019-08-21)
    I hit this error and it told me to `system migrate` as opposed to `podman system migrate`
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #3872 from baude/3861 (OpenShift Merge Robot, 2019-08-22)
  podman-remote: cp crashes
  * podman-remote: cp crashes (baude, 2019-08-21)
    prune unwanted messages when running a container remotely. also, cp is not remote-enabled yet and as such should not be available on the remote client.
    Fixes: #3861
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3868 from giuseppe/dockerfile-cni-rpm (OpenShift Merge Robot, 2019-08-22)
  Dockerfile.fedora: install cni plugins package
  * Dockerfile.fedora: install cni plugins package (Giuseppe Scrivano, 2019-08-21)
    the version available on Fedora is updated, so we don't need to build from source.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>