summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* Merge pull request #7694 from mheon/fix_exec_supplemental_groupsOpenShift Merge Robot2020-09-19
|\ | | | | Preserve groups in exec sessions in ctrs with --user
| * Preserve groups in exec sessions in ctrs with --userMatthew Heon2020-09-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman wants to guarantee that exec sessions retain the groups of the container they are started in, unless explicitly overridden by the user. This guarantee was broken for containers where the `--user` flag was specified; this patch resolves that. Somewhere in the Exec rewrite for APIv2, I changed the location where the container's User is passed into the exec session (similar to groups, we also want to preserve user unless overridden). The lower-level Exec APIs already handled setting user and group appropriately if not specified when the exec session was created, but I added duplicate code to handle this higher in the stack - and that code only handled setting user, not supplemental groups, breaking support in that specific case. Two things conspired to make this one hard to track down: first, things were only broken if the container explicitly set a user; otherwise, the container user would still appear to be unset to the lower-level code, which would properly set supplemental groups (this tricked our existing test into passing). Also, the `crun` OCI runtime will add the groups without prompting, which further masked the problem there. I debated making `runc` do the same, but in the end it's better to fix this in Podman - it's better to be explicit about what we want done so we will work with all OCI runtimes. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #7660 from ashley-cui/logsOpenShift Merge Robot2020-09-18
|\ \ | | | | | | Fix remote logs
| * | WIP: Fix remote logsAshley Cui2020-09-16
| | | | | | | | | | | | | | | | | | Docker compatibility - logs endpoint does not write stream headers if container has a tty Signed-off-by: Ashley Cui <acui@redhat.com>
* | | Merge pull request #7594 from alvistack/master-linux-amd64OpenShift Merge Robot2020-09-18
|\ \ \ | | | | | | | | Update nix pin with `make nixpkgs`
| * | | Update nix pin with `make nixpkgs`Wong Hoi Sing Edison2020-09-18
| | | | | | | | | | | | | | | | | | | | | | | | Also backport changes from https://github.com/cri-o/cri-o/pull/4065/files#diff-1d37e48f9ceff6d8030570cd36286a61R189-R197 Signed-off-by: Wong Hoi Sing Edison <hswong3i@gmail.com>
* | | | Merge pull request #7679 from baude/remoteiidfileOpenShift Merge Robot2020-09-18
|\ \ \ \ | | | | | | | | | | enable --iidfile for podman-remote build
| * | | | enable --iidfile for podman-remote buildbaude2020-09-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | for podman-remote build operations, the iidfile, when used, needs to write the file to the client's local filesystem. Signed-off-by: baude <bbaude@redhat.com>
* | | | | Merge pull request #7676 from xordspar0/go-buildOpenShift Merge Robot2020-09-18
|\ \ \ \ \ | | | | | | | | | | | | Make Go builds more consistent
| * | | | | Make Go builds more consistentJordan Christiansen2020-09-17
| |/ / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Use the BUILDFLAGS variable for all Go builds * Use `go install` instead of manually specifying the GOBIN path Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
* | | | | Merge pull request #7671 from zhangguanzhang/play-kube-handle-restartPolicyOpenShift Merge Robot2020-09-18
|\ \ \ \ \ | | | | | | | | | | | | handle the restartPolicy for play kube and generate kube
| * | | | | handle the play kube and generate kube for with restartPolicyzhangguanzhang2020-09-18
| | |/ / / | |/| | | | | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | | | Merge pull request #7675 from ↵OpenShift Merge Robot2020-09-18
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | zhangguanzhang/set-process-path-and-arg-with-infra-command fix the .Path and .Args when use the infra-command
| * | | | | fix the .Path and .Args when use the infra-commandzhangguanzhang2020-09-18
| |/ / / / | | | | | | | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | | | Merge pull request #7681 from QiWang19/login.md-typoOpenShift Merge Robot2020-09-18
|\ \ \ \ \ | |/ / / / |/| | | | [CI:DOCS] fix a typo of login.1.md
| * | | | fix a typo of login.1.mdQi Wang2020-09-17
|/ / / / | | | | | | | | | | | | | | | | | | | | fix a typo of login.1.md and link containers-registries.conf(5). Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | | Merge pull request #7680 from mheon/bump-2.1.0-rc2OpenShift Merge Robot2020-09-17
|\ \ \ \ | | | | | | | | | | Bump to v2.1.0-RC2
| * | | | Bump to v2.1.0-devMatthew Heon2020-09-17
| | | | | | | | | | | | | | | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | | Bump to v2.1.0-rc2v2.1.0-rc2Matthew Heon2020-09-17
| | | | | | | | | | | | | | | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | | | Merge pull request #7465 from edsantiago/dependabot_danceOpenShift Merge Robot2020-09-17
|\ \ \ \ \ | | | | | | | | | | | | dependabot-dance: new tool for managing revendor PRs
| * | | | | dependabot-dance: new tool for managing revendor PRsEd Santiago2020-09-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | dependabot seems to submit PRs without running 'make vendor'. This script automates (with some safety checks) the manual process for pulling the PR, running 'make vendor-in-container', and force-pushing the PR. Usage: ./contrib/dependabot-dance It should take care of identifying your github repo, finding all active dependabot branches, running the make, git-add, and commit, then git-pushing. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | | | Merge pull request #7677 from AkihiroSuda/update-moby-20200918OpenShift Merge Robot2020-09-17
|\ \ \ \ \ \ | |_|/ / / / |/| | | | | update github.com/docker/docker and relevant deps
| * | | | | update github.com/docker/docker and relevant depsAkihiro Suda2020-09-18
| | |/ / / | |/| | | | | | | | | | | | | Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* | | | | Merge pull request #7678 from mheon/release_notes_210_rc2OpenShift Merge Robot2020-09-17
|\ \ \ \ \ | | | | | | | | | | | | [CI:DOCS] Update release notes for Podman v2.1.0-RC2
| * | | | | Update release notes for Podman v2.1.0-RC2Matthew Heon2020-09-17
| |/ / / / | | | | | | | | | | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | | | Merge pull request #7672 from xordspar0/fix-templateOpenShift Merge Robot2020-09-17
|\ \ \ \ \ | | | | | | | | | | | | Fix play_kube_test deployment template
| * | | | | Fix play_kube_test deployment templateJordan Christiansen2020-09-17
| |/ / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Annotations were at the wrong indentation, making them a part of the labels map. Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
* | | | | Merge pull request #7669 from zhangguanzhang/missing-completionOpenShift Merge Robot2020-09-17
|\ \ \ \ \ | |/ / / / |/| | | | fix missing completion in podman run
| * | | | fix missing completion in podman runzhangguanzhang2020-09-17
| | | | | | | | | | | | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | | | Merge pull request #7655 from vrothberg/fix-7628OpenShift Merge Robot2020-09-17
|\ \ \ \ \ | | | | | | | | | | | | --mount: support arbitrary mount-argument order
| * | | | | --mount: support arbitrary mount-argument orderValentin Rothberg2020-09-16
| | |_|/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Support an arbitrary order in which arguments are specified to the `--mount` flag. Previously, Podman expected `type=...` to come first which was breaking compatibility with Docker. Note that this is the ground work to default to "volume" (again Docker compat). However, this will require some further massaging as we have to assign a name. Fixes: #7628 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | Merge pull request #7647 from jwhonce/issues/7543OpenShift Merge Robot2020-09-17
|\ \ \ \ \ | | | | | | | | | | | | Refactor remote pull to provide progress
| * | | | | Refactor remote pull to provide progressJhon Honce2020-09-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman and podman-remote do not exactly match as the lower layer code checks if the output is destined for a TTY before creating the progress bars. A future PR for containers/images could change this behavior. Fixes #7543 Tested with: $ (echo '# start'; podman-remote pull nginx ) 2>&1 | ts '[%Y-%m-%d %H:%M:%.S]' $ (echo '# start'; podman pull nginx ) 2>&1 | ts '[%Y-%m-%d %H:%M:%.S]' Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | | | | Merge pull request #7646 from edsantiago/version_optionsOpenShift Merge Robot2020-09-17
|\ \ \ \ \ \ | | | | | | | | | | | | | | podman version and --version: fix format, exit
| * | | | | | podman version and --version: fix format, exitEd Santiago2020-09-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Three unrelated fixes to version output: * podman version --format json: was missing a newline * podman version --format TEMPLATE: had too many newlines * podman --version: would neither display version nor exit if followed by a subcommand ('podman --version ps') The first two were easy: I used my best tweezers to delicately pluck and transfer the misplaced \n and place it where needed. The third was a doozy of a rabbit hole. As best I can tell, a workaround was added in root.go to override cobra's built-in Version handling, apparently to avoid having cobra add "-v" as an alias for "--version". As best I can tell, cobra only does this if the "-v" shortcut is not already taken (at least as of Nov 2019: https://github.com/spf13/cobra/pull/996 ). Also as best I can tell that workaround is purely vestigial, and removing it is safe. I've manually tested "-v" in podman run, system df, and rm. I've run system tests. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | | | | Merge pull request #7654 from vrothberg/fix-7651OpenShift Merge Robot2020-09-17
|\ \ \ \ \ \ \ | | | | | | | | | | | | | | | | image list: return all associated names
| * | | | | | | image list: return all associated namesValentin Rothberg2020-09-17
| | |_|_|_|/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Always return all associated names / repo tags of an image and fix a bug with malformed repo tags. Previously, Podman returned all names only with `--all` but this flag only instructs to list intermediate images and should not alter associated names. With `--all` Podman queried the repo tags of an image which splits all *tagged* names into repository and tag which is then reassembled to eventually be parsed again in the frontend. Lot's of redundant CPU heat and buggy as the reassembly didn't consider digests which ultimately broke parsing in the frontend. Fixes: #7651 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | | | Merge pull request #7666 from ↵OpenShift Merge Robot2020-09-17
|\ \ \ \ \ \ \ | |_|_|_|_|/ / |/| | | | | | | | | | | | | | | | | | | | containers/dependabot/go_modules/k8s.io/apimachinery-0.19.2 Bump k8s.io/apimachinery from 0.19.1 to 0.19.2
| * | | | | | Bump k8s.io/apimachinery from 0.19.1 to 0.19.2dependabot-preview[bot]2020-09-17
| |/ / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.19.1 to 0.19.2. - [Release notes](https://github.com/kubernetes/apimachinery/releases) - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.19.1...v0.19.2) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | | Merge pull request #7648 from xordspar0/kube-play-labelsOpenShift Merge Robot2020-09-17
|\ \ \ \ \ \ | |/ / / / / |/| | | | | Add labels to a pod created via play kube
| * | | | | Add labels to a pod created via play kubeJordan Christiansen2020-09-16
|/ / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When using `podman play kube` with a YAML file that has pod labels, apply those labels to the pods that podman makes. For example, this Deployment spec has labels on a pod: apiVersion: apps/v1 kind: Deployment metadata: name: myapp labels: app: myapp spec: selector: matchLabels: app: myapp template: metadata: labels: app: myapp spec: containers: - name: web image: nginx ports: - containerPort: 80 The pods that podman creates will have the label "app" set to "myapp" so that these pods can be found with `podman pods ps --filter label=app`. Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
* | | | | Merge pull request #7621 from rhatdan/podsOpenShift Merge Robot2020-09-16
|\ \ \ \ \ | |_|/ / / |/| | | | Fix podman pod create --infra-command and --infra-image
| * | | | Fix podman pod create --infra-command and --infra-imageDaniel J Walsh2020-09-16
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | Currently infr-command and --infra-image commands are ignored from the user. This PR instruments them and adds tests for each combination. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #7653 from AkihiroSuda/fix-7652OpenShift Merge Robot2020-09-16
|\ \ \ \ | |/ / / |/| | | Fix "rootless-cni-infra + runc fails with ENODEV"
| * | | Fix "rootless-cni-infra + runc fails with ENODEV"Akihiro Suda2020-09-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | runc always expect "bind" to be present in opts even when the type is "bind". Fix #7652 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* | | | Merge pull request #7624 from QiWang19/policy-optionOpenShift Merge Robot2020-09-16
|\ \ \ \ | |/ / / |/| | | Supports import&run--signature-policy
| * | | Supports import&run--signature-policyQi Wang2020-09-15
| | | | | | | | | | | | | | | | | | | | | | | | Enables podman create, pull, run, import to use --signature-policy option. Set it as hidden flag to be consistent with other commands. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | | Merge pull request #7636 from vrothberg/fix-7407OpenShift Merge Robot2020-09-16
|\ \ \ \ | | | | | | | | | | run/create: record raw image
| * | | | run/create: record raw imageValentin Rothberg2020-09-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Record the user-specified "raw" image name in the SpecGenerator, so we can pass it along to the config when creating a container. We need a separate field as the image name in the generator may be set to the ID of the previously pulled image - ultimately the cause of #7404. Reverting the image name from the ID to the user input would not work since "alpine" for pulling iterates over the search registries in the registries.conf but looking up "alpine" normalizes to "localhost/alpine". Recording the raw-image name directly in the generator was the best of the options I considered as no hidden magic from search registries or normalizations (that may or may not change in the future) can interfere. The auto-update backend enforces that the raw-image name is a fully-qualified reference, so we need to worry about that in the front end. Fixes: #7407 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | Merge pull request #7642 from jwhonce/issues/7327-2OpenShift Merge Robot2020-09-16
|\ \ \ \ \ | | | | | | | | | | | | Refactor API version values