summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* Add more information and examples on podman and pipesDaniel J Walsh2021-01-13
| | | | | | | | | Improve the documentation to help users to know proper way to use podman within a pipe. Helps Prevent: https://github.com/containers/podman/issues/8916 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8960 from giuseppe/bridge-no-post-configOpenShift Merge Robot2021-01-13
|\ | | | | network: disallow CNI networks with user namespaces
| * test: use stringid.GenerateNonCryptoID() in more testsGiuseppe Scrivano2021-01-13
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * network: disallow CNI networks with user namespacesGiuseppe Scrivano2021-01-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | it solves a segfault when running as rootless a command like: $ podman run --uidmap 0:0:1 --net foo --rm fedora true panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x5629bccc407c] goroutine 1 [running]: panic(0x5629bd3d39e0, 0x5629be0ab8e0) /usr/lib/golang/src/runtime/panic.go:1064 +0x545 fp=0xc0004592c0 sp=0xc0004591f8 pc=0x5629bbd35d85 runtime.panicmem(...) /usr/lib/golang/src/runtime/panic.go:212 runtime.sigpanic() /usr/lib/golang/src/runtime/signal_unix.go:742 +0x413 fp=0xc0004592f0 sp=0xc0004592c0 pc=0x5629bbd4cd33 github.com/containers/podman/libpod.(*Runtime).setupRootlessNetNS(0xc0003fe9c0, 0xc0003d74a0, 0x0, 0x0) /builddir/build/BUILD/podman-2.2.1/_build/src/github.com/containers/podman/libpod/networking_linux.go:238 +0xdc fp=0xc000459338 sp=0xc0004592f0 pc=0x5629bccc407c github.com/containers/podman/libpod.(*Container).completeNetworkSetup(0xc0003d74a0, 0x0, 0x0) /builddir/build/BUILD/podman-2.2.1/_build/src/github.com/containers/podman/libpod/container_internal.go:965 +0xb72 fp=0xc0004594d8 sp=0xc000459338 pc=0x5629bcc81732 [.....] Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #8951 from edsantiago/fix_dev_diagnosticOpenShift Merge Robot2021-01-13
|\ \ | | | | | | CI: fix broken diagnostic message for -dev check
| * | CI: fix broken diagnostic message for -dev checkEd Santiago2021-01-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There's a CI check for the presence of "-dev" in podman-info output (it should not appear). This test is unlikely to fail, but if it ever does, the diagnostic output is unhelpful. This makes it helpful. Tested via: $ ln -s /bin/echo ~/bin/msg $ ln -s /bin/echo ~/bin/die $ TEST_FLAVOR=release ./contrib/cirrus/runner.sh ... Releases must never contain '-dev' in output of 'podman info' ( buildahVersion: 1.19.0-dev Version: 3.0.0-dev) Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | Merge pull request #8954 from baude/reducebindingsizeOpenShift Merge Robot2021-01-13
|\ \ \ | |/ / |/| | Reduce general binding binary size
| * | Reduce general binding binary sizebaude2021-01-13
| | | | | | | | | | | | | | | | | | | | | | | | when using the bindings to *only* make a connection, the binary was rough 28MB. This PR reduces it down to 11. There is more work to do but it will come in a secondary PR. Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #8961 from rhatdan/kubeOpenShift Merge Robot2021-01-13
|\ \ \ | |/ / |/| | play kube: set entrypoint when interpreting Command
| * | play kube: set entrypoint when interpreting CommandDaniel J Walsh2021-01-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We now set Entrypoint when interpeting the image Entrypoint (or yaml.Command) and Command when interpreting image Cmd (or yaml.Args) This change is kind of breaking because now checking Config.Cmd won't return the full command, but only the {cmd,args}. Adapt the tests to this change as well Signed-off-by: Peter Hunt <pehunt@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #8958 from zhangguanzhang/duplicated-hostsOpenShift Merge Robot2021-01-13
|\ \ \ | |_|/ |/| | Fixes /etc/hosts duplicated every time after container restarted in a pod
| * | Fxes /etc/hosts duplicated every time after container restarted in a podzhangguanzhang2021-01-13
| |/ | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | Merge pull request #8957 from srcshelton/feature/issue-8945OpenShift Merge Robot2021-01-13
|\ \ | | | | | | Add 'MemUsageBytes' format option
| * | Merge branch 'master' into feature/issue-8945Stuart Shelton2021-01-13
| |\| | | | | | | | | | Signed-off-by: Stuart Shelton <stuart@shelton.me>
| * | Add 'MemUsageBytes' format optionStuart Shelton2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Although storage is more human-readable when expressed in SI units, IEC/JEDEC (Bytes) units are more pertinent for memory-related values (and match the format of the --memory* command-line options). (To prevent possible compatibility issues, the default SI display is left unchanged) See https://github.com/containers/podman/issues/8945 Signed-off-by: Stuart Shelton <stuart@shelton.me>
* | | Merge pull request #8877 from rhatdan/loadOpenShift Merge Robot2021-01-13
|\ \ \ | |_|/ |/| | Remove the ability to use [name:tag] in podman load command
| * | Remove the ability to use [name:tag] in podman load commandDaniel J Walsh2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Docker does not support this, and it is confusing what to do if the image has more then one tag. We are dropping support for this in podman 3.0 Fixes: https://github.com/containers/podman/issues/7387 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| * | More /var/run -> /runEd Santiago2021-01-12
| |/ | | | | | | | | | | | | PR #8851 broke CI: it included "/var/run" strings that, per #8771, should have been just "/run". Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #8953 from edsantiago/var_run_againOpenShift Merge Robot2021-01-12
|\ \ | |/ |/| More /var/run -> /run
| * More /var/run -> /runEd Santiago2021-01-12
| | | | | | | | | | | | | | PR #8851 broke CI: it included "/var/run" strings that, per #8771, should have been just "/run". Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #8950 from mheon/exorcise_driverOpenShift Merge Robot2021-01-12
|\ \ | | | | | | Exorcise Driver code from libpod/define
| * | Exorcise Driver code from libpod/defineMatthew Heon2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The libpod/define code should not import any large dependencies, as it is intended to be structures and definitions only. It included the libpod/driver package for information on the storage driver, though, which brought in all of c/storage. Split the driver package so that define has the struct, and thus does not need to import Driver. And simplify the driver code while we're at it. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #8946 from JAORMX/sec-errorsOpenShift Merge Robot2021-01-12
|\ \ \ | |_|/ |/| | Expose security attribute errors with their own messages
| * | Expose security attribute errors with their own messagesJuan Antonio Osorio Robles2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This creates error objects for runtime errors that might come from the runtime. Thus, indicating to users that the place to debug should be in the security attributes of the container. When creating a container with a SELinux label that doesn't exist, we get a fairly cryptic error message: ``` $ podman run --security-opt label=type:my_container.process -it fedora bash Error: OCI runtime error: write file `/proc/thread-self/attr/exec`: Invalid argument ``` This instead handles any errors coming from LSM's `/proc` API and enhances the error message with a relevant indicator that it's related to the container's security attributes. A sample run looks as follows: ``` $ bin/podman run --security-opt label=type:my_container.process -it fedora bash Error: `/proc/thread-self/attr/exec`: OCI runtime error: unable to assign security attribute ``` With `debug` log level enabled it would be: ``` Error: write file `/proc/thread-self/attr/exec`: Invalid argument: OCI runtime error: unable to assign security attribute ``` Note that these errors wrap ErrOCIRuntime, so it's still possible to to compare these errors with `errors.Is/errors.As`. One advantage of this approach is that we could start handling these errors in a more efficient manner in the future. e.g. If a SELinux label doesn't exist (yet), we could retry until it becomes available. Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>
* | | Merge pull request #8900 from cevich/no_tag_testingOpenShift Merge Robot2021-01-12
|\ \ \ | | | | | | | | Cirrus: Skip most tests on tag-push
| * | | Cirrus: Skip most tests on tag-pushChris Evich2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Due to various reasons, CI results (esp. testing tasks) are completely ignored for builds triggered by a new tag-push. Additionally, since many of the automation scripts are in the repo., any related failures/flakes would require code changes (therefore a new tag). Resolve this by skipping every testing-type task for builds triggered by tag-push. Only retain tasks which build things intended for consumption associated with a possible official release. Signed-off-by: Chris Evich <cevich@redhat.com>
* | | | Merge pull request #8947 from Luap99/cleanup-codeOpenShift Merge Robot2021-01-12
|\ \ \ \ | | | | | | | | | | Fix problems reported by staticcheck
| * | | | Fix problems reported by staticcheckPaul Holzinger2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `staticcheck` is a golang code analysis tool. https://staticcheck.io/ This commit fixes a lot of problems found in our code. Common problems are: - unnecessary use of fmt.Sprintf - duplicated imports with different names - unnecessary check that a key exists before a delete call There are still a lot of reported problems in the test files but I have not looked at those. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | | | Merge pull request #8851 from Luap99/fix-generate-systemd-flag-parsingOpenShift Merge Robot2021-01-12
|\ \ \ \ \ | | | | | | | | | | | | Make podman generate systemd --new flag parsing more robust
| * | | | | Make podman generate systemd --new flag parsing more robustPaul Holzinger2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | First, use the pflag library to parse the flags. With this we can handle all corner cases such as -td or --detach=false. Second, preserve the root args with --new. They are used for all podman commands in the unit file. (e.g. podman --root /tmp run alpine) Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | | | | Merge pull request #8923 from Afourcat/masterOpenShift Merge Robot2021-01-12
|\ \ \ \ \ \ | |_|_|_|/ / |/| | | | | Adding json formatting to `--list-tags` option in `podman search` command.
| * | | | | Better test and idomatic code.Alexandre Fourcat2021-01-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adding another check in the `podman search --list-tags --format json` test case. Replacing an anonymous struct by \`listEntryTag\` struct. Signed-off-by: Alexandre Fourcat <afourcat@gmail.com>
| * | | | | Adding json formatting to `--list-tags` option in `podman search`Alexandre Fourcat2021-01-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | command. Data is formatted following this JSON structure: ```json { "Name": "...", "Tags": ["...", "...", "..."] } ``` Closes: #8740. Signed-off-by: Alexandre Fourcat <afourcat@gmail.com>
* | | | | | Merge pull request #8905 from rhatdan/proxyOpenShift Merge Robot2021-01-12
|\ \ \ \ \ \ | | | | | | | | | | | | | | Use HTTPProxy settings from containers.conf
| * | | | | | Use HTTPProxy settings from containers.confDaniel J Walsh2021-01-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This PR takes the settings from containers.conf and uses them. This works on the podman local but does not fix the issue for podman remote or for APIv2. We need a way to specify optionalbooleans when creating containers. Fixes: https://github.com/containers/podman/issues/8843 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | | | Merge pull request #8819 from chen-zhuohan/add-pre-checkpointOpenShift Merge Robot2021-01-12
|\ \ \ \ \ \ \ | | | | | | | | | | | | | | | | Add pre-checkpoint and restore with previous
| * | | | | | | add pre checkpointunknown2021-01-10
| | |/ / / / / | |/| | | | | | | | | | | | | | | | | | | Signed-off-by: Zhuohan Chen <chen_zhuohan@163.com>
* | | | | | | Merge pull request #8933 from giuseppe/use-O_PATH-for-unix-sockOpenShift Merge Robot2021-01-12
|\ \ \ \ \ \ \ | |_|_|_|/ / / |/| | | | | | oci: use /proc/self/fd/FD to open unix socket
| * | | | | | oci: use /proc/self/fd/FD to open unix socketGiuseppe Scrivano2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | instead of opening directly the UNIX socket path, grab a reference to it through a O_PATH file descriptor and use the fixed size string "/proc/self/fd/%d" to open the UNIX socket. In this way it won't hit the 108 chars length limit. Closes: https://github.com/containers/podman/issues/8798 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | | | Merge pull request #8939 from cevich/more_cross_buildsOpenShift Merge Robot2021-01-11
|\ \ \ \ \ \ \ | | | | | | | | | | | | | | | | Cirrus: Add cross-compile test for alternative arches
| * | | | | | | Cirrus: Add cross-compile test for alternative archesChris Evich2021-01-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Followup to https://github.com/containers/podman/pull/8907 that simply ensures cross-compiling podman completes. Signed-off-by: Chris Evich <cevich@redhat.com>
* | | | | | | | Merge pull request #8934 from vrothberg/fix-8931OpenShift Merge Robot2021-01-11
|\ \ \ \ \ \ \ \ | |_|_|_|/ / / / |/| | | | | | | image list: ignore bare manifest list
| * | | | | | | image list: ignore bare manifest listValentin Rothberg2021-01-11
| | |/ / / / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Handle empty/bare manifest lists when listing images. Fixes: #8931 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | | | Merge pull request #8917 from mheon/actually_report_play_kube_errorsOpenShift Merge Robot2021-01-11
|\ \ \ \ \ \ \ | | | | | | | | | | | | | | | | Ensure that `podman play kube` actually reports errors
| * | | | | | | Ensure that `podman play kube` actually reports errorsMatthew Heon2021-01-11
| | |_|/ / / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In 2.2.x, we moved `play kube` to use the Start() API for pods, which reported errors in a different way (all containers are started in parallel, and then results reported as a block). The migration attempted to preserve compatibility by returning only one error, but that's not really a viable option as it can obscure the real reason that a pod is failing. Further, the code was not correctly handling the API's errors - Pod Start() will, on any container error, return a map of container ID to error populated for all container errors *and* return ErrPodPartialFail for overall error - the existing code did not handle the partial failure error and thus would never return container errors. Refactor the `play kube` API to include a set of errors for containers in each pod, so we can return all errors that occurred to the frontend and print them for the user, and correct the backend code so container errors are actually forwarded. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | | | | Merge pull request #8932 from ↵OpenShift Merge Robot2021-01-11
|\ \ \ \ \ \ \ | |_|_|/ / / / |/| | | | | | | | | | | | | | | | | | | | containers/dependabot/go_modules/github.com/containers/storage-1.24.5 Bump github.com/containers/storage from 1.24.4 to 1.24.5
| * | | | | | Bump github.com/containers/storage from 1.24.4 to 1.24.5dependabot-preview[bot]2021-01-11
| | |/ / / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github.com/containers/storage](https://github.com/containers/storage) from 1.24.4 to 1.24.5. - [Release notes](https://github.com/containers/storage/releases) - [Changelog](https://github.com/containers/storage/blob/master/docs/containers-storage-changes.md) - [Commits](https://github.com/containers/storage/compare/v1.24.4...v1.24.5) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | | Merge pull request #8935 from giuseppe/conmon-keep-LC_OpenShift Merge Robot2021-01-11
|\ \ \ \ \ \ | | | | | | | | | | | | | | oci: keep LC_ env variables to conmon
| * | | | | | oci: keep LC_ env variables to conmonGiuseppe Scrivano2021-01-11
| |/ / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | it is necessary for conmon to deal with the correct locale, otherwise it uses C as a fallback. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1893567 Requires: https://github.com/containers/conmon/pull/215 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | | Merge pull request #8925 from rhatdan/buildOpenShift Merge Robot2021-01-11
|\ \ \ \ \ \ | |/ / / / / |/| | | | | podman build --force-rm defaults to true in code