summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* system tests: enable sdnotify testsEd Santiago2020-08-13
| | | | | | | | | | | | | | | | | | | | | | | | Oops. PR #6693 (sdnotify) added tests, but they were disabled due to broken crun on f31. I tried for three weeks to get a magic CI:IMG PR to update crun on the CI VMs ... but in that time I forgot to actually enable those new tests. This PR removes a 'skip', replacing it with a check that systemd is running plus one more to make sure our runtime is crun. It looks like sdnotify just doesn't work on Ubuntu (it hangs), and my guess is that it's a crun/runc issue. I also changed the test image from fedora:latest to :31, because, sigh, fedora:latest removed the systemd-notify tool. WARNING WARNING WARNING: the symptom of a missing systemd-notify is that podman will hang forever, not even stopped by the timeout command in podman_run! (Filed: #7316). This means that if the sdnotify-in-container test ever fails, the symptom will be that Cirrus itself will time out (2 hours?). This is horrible. I don't know what to do about it other than push for a fix for 7316. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #7312 from vrothberg/fix-7294OpenShift Merge Robot2020-08-13
|\ | | | | podman.service: use sdnotify
| * podman.service: use sdnotiyValentin Rothberg2020-08-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 2b6dd3fb4384 set the killmode of the podman.service to the systemd default which ultimately lead to the problem that systemd will kill *all* processes inside the unit's cgroup and hence kill all containers whenever the service is stopped. Fix it by setting the type to sdnotify and the killmode to process. `podman system service` will send the necessary notify messages when the NOTIFY_SOCKET is set and unset it right after to prevent the backend and container runtimes from jumping in between and send messages as well. Fixes: #7294 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #7227 from giuseppe/procfs-optsOpenShift Merge Robot2020-08-13
|\ \ | | | | | | run, create: add new security-opt proc-opts
| * | run, create: add new security-opt proc-optsGiuseppe Scrivano2020-08-12
| |/ | | | | | | | | | | | | it allows to customize the options passed down to the OCI runtime for setting up the /proc mount. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #7293 from spearlineltd/fixhangOpenShift Merge Robot2020-08-13
|\ \ | |/ |/| Fix hang when `path` doesn't exist
| * Fix hang when `path` doesn't existJonathan Dieter2020-08-11
| | | | | | | | | | | | | | | | | | | | I'm not sure if this is an OS-specific issue, but on CentOS 8, if `path` doesn't exist, this hangs while waiting to read from this socket, even though the socket is closed by the `reexec_in_user_namespace`. Switching to a pipe fixes the problem, and pipes shouldn't be an issue since this is Linux-specific code. Signed-off-by: Jonathan Dieter <jonathan.dieter@spearline.com>
* | Merge pull request #7073 from QiWang19/save-stdoutOpenShift Merge Robot2020-08-12
|\ \ | | | | | | podman save use named pipe
| * | podman save use named pipeQi Wang2020-08-12
| | | | | | | | | | | | | | | | | | | | | podman save uses named pipe as output path, not directly using /dev/stdout. fix #7017 Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | Merge pull request #7306 from mheon/private_mountOpenShift Merge Robot2020-08-12
|\ \ \ | | | | | | | | Change /sys/fs/cgroup/systemd mount to rprivate
| * | | Change /sys/fs/cgroup/systemd mount to rprivateMatthew Heon2020-08-12
| |/ / | | | | | | | | | | | | | | | | | | | | | I used the wrong propagation first time around because I forgot that rprivate is the default propagation. Oops. Switch to rprivate so we're using the default. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #7308 from hamzadis/slirp4netns-cidrOpenShift Merge Robot2020-08-12
|\ \ \ | | | | | | | | Add support for setting the CIDR when using slirp4netns
| * | | Add support for setting the CIDR when using slirp4netnsAdis Hamzić2020-08-12
| |/ / | | | | | | | | | | | | | | | | | | | | | This adds support for the --cidr parameter that is supported by slirp4netns since v0.3.0. This allows the user to change the ip range that is used for the network inside the container. Signed-off-by: Adis Hamzić <adis@hamzadis.com>
* | | Merge pull request #7299 from jobcespedes/patch-1OpenShift Merge Robot2020-08-12
|\ \ \ | | | | | | | | add xz as a recommended pkg
| * | | add xz as a recommended pkgJob Cespedes2020-08-11
| |/ / | | | | | | | | | | | | | | | | | | | | | xz package is required by buildah and podman when building a image and ADD a tar.xz file archive is used See https://github.com/containers/buildah/issues/2525 Signed-off-by: Job Cespedes Ortiz <jobcespedes@gmail.com>
* | | Merge pull request #7295 from baude/msiremotefixesOpenShift Merge Robot2020-08-12
|\ \ \ | | | | | | | | podman-remote fixes for msi and client
| * | | podman-remote fixes for msi and clientBrent Baude2020-08-12
| |/ / | | | | | | | | | | | | | | | | | | | | | correct small typo that sets the path on windows via the msi xml. in the remote client, prompt for SSH password when no identity or alternate means of authentication are provided. Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | Merge pull request #7296 from lsm5/make-testOpenShift Merge Robot2020-08-12
|\ \ \ | | | | | | | | Makefile: use full path for ginkgo
| * | | Makefile: use full path for ginkgoLokesh Mandvekar2020-08-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Without this change, I get: ``` ginkgo \ -r \ \ --skipPackage test/e2e,pkg/apparmor,test/endpoint,pkg/bindings,hack \ --cover \ --covermode atomic \ --coverprofile coverprofile \ --outputdir .coverage \ --tags " selinux systemd exclude_graphdriver_devicemapper seccomp" \ --succinct /bin/sh: line 1: ginkgo: command not found ``` Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
* | | | Merge pull request #7202 from baude/buildeventOpenShift Merge Robot2020-08-12
|\ \ \ \ | | | | | | | | | | add event for image build
| * | | | add event for image buildBrent Baude2020-08-12
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | upon image build completion, a new image type event is written for "build". more intricate details, like pulling an image, that might be done by build must be implemented in different vendored packages only after libpod is split from podman. Fixes: #7022 Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | | Merge pull request #7267 from zhangguanzhang/check-invalid-network-createOpenShift Merge Robot2020-08-12
|\ \ \ \ | |/ / / |/| | | Add parameter verification for api creation network
| * | | Add parameter verification for api creation networkzhangguanzhang2020-08-12
| | | | | | | | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | | Merge pull request #7247 from baude/issue7122OpenShift Merge Robot2020-08-11
|\ \ \ \ | | | | | | | | | | Replace deepcopy on history results
| * | | | Replace deepcopy on history resultsBrent Baude2020-08-11
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | the deepcopy in the remote history code path was throwing an uncaught error on a type mismatch. we now manually do the conversion and fix the type mismatch on the fly. Fixes: #7122 Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | | Merge pull request #7286 from alvistack/master-linux-amd64OpenShift Merge Robot2020-08-11
|\ \ \ \ | | | | | | | | | | Update nix pin with `make nixpkgs`
| * | | | Update nix pin with `make nixpkgs`Wong Hoi Sing Edison2020-08-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Also sync nix `packageOverrides` across skopeo/buildah/podman/cri-o for utilizing local build cache. Signed-off-by: Wong Hoi Sing Edison <hswong3i@gmail.com>
* | | | | Merge pull request #7281 from mheon/ensure_mountprop_systemdOpenShift Merge Robot2020-08-11
|\ \ \ \ \ | | | | | | | | | | | | Ensure correct propagation for cgroupsv1 systemd cgroup
| * | | | | Ensure correct propagation for cgroupsv1 systemd cgroupMatthew Heon2020-08-11
| | |/ / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On cgroups v1 systems, we need to mount /sys/fs/cgroup/systemd into the container. We were doing this with no explicit mount propagation tag, which means that, under some circumstances, the shared mount propagation could be chosen - which, combined with the fact that we need a mount to mask /sys/fs/cgroup/systemd/release_agent in the container, means we would leak a never-ending set of mounts under /sys/fs/cgroup/systemd/ on container restart. Fortunately, the fix is very simple - hardcode mount propagation to something that won't leak. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | | | Merge pull request #7291 from edsantiago/man_page_subcommand_sortOpenShift Merge Robot2020-08-11
|\ \ \ \ \ | |_|_|/ / |/| | | | [CI:DOCS] cross-reference .rst files
| * | | | Cross-reference *.rst files tooEd Santiago2020-08-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There are a bunch of *.rst files in docs/source, linking sometimes to man pages and sometimes to other .rst files. These files each have entries of the following form: :doc:`foo <link-to-foo>` Description of foo ...for all podman sub and sub-subcommands 'foo'. Read all .rst files and make sure that: - all entries in a given file are in alphabetical order - all link-to-foo targets point to existing doc files - every subcommand known by 'podman help' has a corresponding doc entry in a .rst file Signed-off-by: Ed Santiago <santiago@redhat.com>
| * | | | Man pages: assert that subcommands are in orderEd Santiago2020-08-11
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For each podman*.md file with a subcommand table (podman, podman-container, etc), assert that the subcommand list is sorted. Change is bigger than it should be, because it switches from nice clean local per-function error counting to using a nasty global. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | Merge pull request #7288 from tiran/systemd_local_initOpenShift Merge Robot2020-08-11
|\ \ \ \ | |/ / / |/| | | Enable systemd mode for /usr/local/sbin/init
| * | | Use set for systemd commandsChristian Heimes2020-08-11
| | | | | | | | | | | | | | | | Signed-off-by: Christian Heimes <cheimes@redhat.com>
| * | | Enable systemd mode for /usr/local/sbin/initChristian Heimes2020-08-11
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | Podman 1.6.2 changed systemd mode auto-detection from commands ending in ``init`` to hard-coded paths ``/sbin/init`` and ``/usr/sbin/init``. This broke FreeIPA container. ``podman run`` and ``podman create`` now activate systemd mode when the command is ``/usr/local/sbin/init``. Fixes: https://github.com/containers/podman/issues/7287 Signed-off-by: Christian Heimes <cheimes@redhat.com>
* | | Merge pull request #7269 from openSUSE/seccompOpenShift Merge Robot2020-08-11
|\ \ \ | | | | | | | | Allow specifying seccomp profiles for privileged containers
| * | | Allow specifying seccomp profiles for privileged containersSascha Grunert2020-08-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | To sync the behavior between AppArmor and seccomp it is now possible to also specify seccomp profiles for privileged containers. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* | | | Merge pull request #7239 from rhatdan/workingOpenShift Merge Robot2020-08-11
|\ \ \ \ | |_|/ / |/| | | Fix handling of working dir
| * | | Fix handling of working dirDaniel J Walsh2020-08-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Buildah and podman build can create images without a working dir. FROM fedora WORKDIR /test If you build this image with caching twice, the second time the image will not have a working dir. Similarly if you execute podman run --workdir /foobar fedora It blows up since the workingdir is not created automatically. Finally there was duplicated code for getting the workingdir out of an image, that this PR removes. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #7261 from zhangguanzhang/ps-format-add-fieldOpenShift Merge Robot2020-08-11
|\ \ \ \ | | | | | | | | | | Add the `Status` field in the ps --format=json
| * | | | Add the Status field in the ps --format=jsonzhangguanzhang2020-08-11
| | |_|/ | |/| | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | | Merge pull request #7266 from rhatdan/manOpenShift Merge Robot2020-08-11
|\ \ \ \ | | | | | | | | | | [CI:DOCS] Add missing pages for docs.podman.io
| * | | | Add missing pages for docs.podman.ioDaniel J Walsh2020-08-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Lots of references to man pages missing from docs.podman.io Also fix sort order in man pages and other documents. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | Merge pull request #7282 from ParkerVR/tags-digestOpenShift Merge Robot2020-08-11
|\ \ \ \ \ | |_|/ / / |/| | | | Img Pull - Error pass through
| * | | | Error pass through for more accurate error reportingParker Van Roy2020-08-10
| | |_|/ | |/| | | | | | | | | | | | | | | | | | Included old error + wrapped Signed-off-by: Parker Van Roy <pvanroy@redhat.com>
* | | | Merge pull request #7270 from Fodoj/masterOpenShift Merge Robot2020-08-10
|\ \ \ \ | |_|/ / |/| | | Allign container image storage configuration with Buildah
| * | | Align images with BuildahKirill Shirinkin2020-08-10
| |/ / | | | | | | | | | Signed-off-by: Kirill Shirinkin <kirill@hey.com>
* | | Merge pull request #7256 from mheon/fix_cmd_with_entrypointOpenShift Merge Robot2020-08-10
|\ \ \ | | | | | | | | Do not use image CMD if user gave ENTRYPOINT
| * | | Do not use image CMD if user gave ENTRYPOINTMatthew Heon2020-08-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This matches Docker behavior, and seems to make sense - the CMD may have been specific to the original entrypoint and probably does not make sense if it was changed. While we're in here, greatly simplify the logic for populating the SpecGen's Command. We create the full command when making the OCI spec, so the client should not be doing any more than setting it to the Command the user passed in, and completely ignoring ENTRYPOINT. Fixes #7115 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | | Merge pull request #7244 from rhatdan/testOpenShift Merge Robot2020-08-10
|\ \ \ \ | | | | | | | | | | Remove TEST_ from TEST_REMOTE_*