summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* hardening flags for fedora rpmbuildsLokesh Mandvekar2021-02-09
| | | | | | | | | | | This commit sets the CGO_CFLAGS variable for hardening the Fedora rpm binaries. The flags used are the same as those in the official Fedora rpms. Setting the flags in upstream spec would provide early warnings for flag adjustments or other hardening issues. Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
* Merge pull request #9288 from vrothberg/vendor-imageOpenShift Merge Robot2021-02-09
|\ | | | | vendor github.com/containers/image v5.10.2
| * vendor github.com/containers/image v5.10.2Valentin Rothberg2021-02-09
| | | | | | | | | | Fixes: #8559 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #9289 from edsantiago/apiv2_test_fixesOpenShift Merge Robot2021-02-09
|\ \ | | | | | | apiv2 test fixes
| * | APIv2 tests: lots of cleanupEd Santiago2021-02-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It's been a while since I last looked at these; some cruft has crept in, generating noise and hence unreadable test results. Clean it up: * remove pushd/popd in one subtest, replace with 'tar -C'. (Also remove confusing quotation marks). This removes spurious directory names from output. * in like(), show only first line of actual output. Some commands ('tree', 'generate kube') produce voluminous multi-line output, which is super useless and distracting when reading a test run. * Recognize that some queries will not generate output, e.g. HEAD requests and some POSTs. Deal with that. This fixes "curl.result.out: no such file" and "parse error" warnings. * In cleanup, 'podman rm -a' and 'rmi -af'; this gets rid of errors when deleting $WORKDIR. (EBUSY error when root, EPERM when rootless). And, the original reason for poking in here: refactor the wait-for-port part of start_server() into its own helper function, so we can use it when starting a local registry in 12-imagesMore. (Ref: #9270) Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | Merge pull request #9270 from matejvasek/fix_apiv2_pushOpenShift Merge Robot2021-02-09
|\| | | | | | | | Fix Docker APIv2 push endpoint
| * | Fix Docker APIv2 push endpointMatej Vasek2021-02-09
| | | | | | | | | | | | | | | | | | | | | Docker doesn't have the destination parameter as libpod does, the "image name" path parameter is supposed to be the destination. Signed-off-by: Matej Vasek <mvasek@redhat.com>
* | | Merge pull request #9283 from vrothberg/fix-8897OpenShift Merge Robot2021-02-09
|\ \ \ | |_|/ |/| | generate kube: do not set caps with --privileged
| * | generate kube: support --privilegedValentin Rothberg2021-02-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Do not play with capabilities for privileged containers where all capabilities will be set implicitly. Also, avoid the device check when running privileged since all of /dev/* will be mounted in any case. Fixes: #8897 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #9281 from ↵OpenShift Merge Robot2021-02-09
|\ \ \ | | | | | | | | | | | | | | | | containers/dependabot/go_modules/github.com/containers/ocicrypt-1.1.0 Bump github.com/containers/ocicrypt from 1.0.3 to 1.1.0
| * | | Bump github.com/containers/ocicrypt from 1.0.3 to 1.1.0dependabot-preview[bot]2021-02-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github.com/containers/ocicrypt](https://github.com/containers/ocicrypt) from 1.0.3 to 1.1.0. - [Release notes](https://github.com/containers/ocicrypt/releases) - [Commits](https://github.com/containers/ocicrypt/compare/v1.0.3...v1.1.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #9125 from ashley-cui/secretswiringOpenShift Merge Robot2021-02-09
|\ \ \ \ | |_|/ / |/| | | Implement Secrets
| * | | Implement SecretsAshley Cui2021-02-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Implement podman secret create, inspect, ls, rm Implement podman run/create --secret Secrets are blobs of data that are sensitive. Currently, the only secret driver supported is filedriver, which means creating a secret stores it in base64 unencrypted in a file. After creating a secret, a user can use the --secret flag to expose the secret inside the container at /run/secrets/[secretname] This secret will not be commited to an image on a podman commit Signed-off-by: Ashley Cui <acui@redhat.com>
* | | | Merge pull request #9269 from Luap99/rootfs-shell-completionOpenShift Merge Robot2021-02-09
|\ \ \ \ | | | | | | | | | | Allow path completion for podman create/run --rootfs
| * | | | Allow path completion for podman create/run --rootfsPaul Holzinger2021-02-08
| | |_|/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If the --rootfs flag is set podman create/run expect a host path as first argument. The shell completion should provide path completion in that case. [NO TESTS NEEDED] This can manually be verified with `podman run --rootfs [TAB]`. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | | Merge pull request #9272 from rhatdan/VENDOROpenShift Merge Robot2021-02-09
|\ \ \ \ | |_|_|/ |/| | | Bump containers/buildah to v1.19.4
| * | | Bump containers/buildah to v1.19.4Daniel J Walsh2021-02-08
|/ / / | | | | | | | | | | | | | | | Fix handling of --iidfile to happen on the client side. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #9246 from rhatdan/buildOpenShift Merge Robot2021-02-08
|\ \ \ | |/ / |/| | Implement missing arguments for podman build
| * | Implement missing arguments for podman buildDaniel J Walsh2021-02-08
| | | | | | | | | | | | | | | | | | | | | | | | Buildah bud passes a bunch more flags then podman build. We need to implement hook up all of these flags to get full functionality. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #9266 from vrothberg/fix-6510OpenShift Merge Robot2021-02-08
|\ \ \ | | | | | | | | make `podman rmi` more robust
| * | | make `podman rmi` more robustValentin Rothberg2021-02-08
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The c/storage library is subject to TOCTOUs as the central container and image storage may be shared by many instances of many tools. As shown in #6510, it's fairly easy to have multiple instances of Podman running in parallel and yield image-lookup errors when removing them. The underlying issue is the TOCTOU of removal being split into multiple stages of first reading the local images and then removing them. Some images may already have been removed in between the two stages. To make image removal more robust, handle errors at stage two when a given image is not present (anymore) in the storage. Fixes: #6510 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #9236 from baude/networkpruneOpenShift Merge Robot2021-02-08
|\ \ \ | |_|/ |/| | add network prune
| * | add network prunebaude2021-02-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | add the ability to prune unused cni networks. filters are not implemented but included both compat and podman api endpoints. Fixes :#8673 Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #9265 from vrothberg/vendor-commonOpenShift Merge Robot2021-02-08
|\ \ \ | |_|/ |/| | vendor latest containers/common
| * | vendor latest containers/commonValentin Rothberg2021-02-08
|/ / | | | | | | | | | | | | | | We had a couple of regressions in containers/common in the last release. Before cutting a new release, let's vendor it here. Since 3.0 has been branched, we can vendor a non-release commit of c/common. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #9205 from st1971/issue-8710OpenShift Merge Robot2021-02-05
|\ \ | |/ |/| play kube selinux label issue
| * play kube selinux test caseSteven Taylor2021-02-04
| | | | | | | | | | | | added skip to test case where selinux not enabled Signed-off-by: Steven Taylor <steven@taylormuff.co.uk>
| * play kube selinux test caseSteven Taylor2021-02-03
| | | | | | | | | | | | fixed typo in the label comparison Signed-off-by: Steven Taylor <steven@taylormuff.co.uk>
| * play kube selinux label test caseSteven Taylor2021-02-03
| | | | | | | | | | | | | | test case added to e2e test suite to validate process label being correctly set on play kube Signed-off-by: Steven Taylor <steven@taylormuff.co.uk>
| * play kube selinux label issueSteven Taylor2021-02-02
| | | | | | | | | | | | | | | | | | play kube function not respecting selinux options in kube yaml, all options were being mapped to role. fixes issue 8710 Signed-off-by: Steven Taylor <steven@taylormuff.co.uk>
* | Merge pull request #9231 from vrothberg/rootfs-workdirOpenShift Merge Robot2021-02-05
|\ \ | | | | | | fix logic when not creating a workdir
| * | fix logic when not creating a workdirValentin Rothberg2021-02-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When resolving the workdir of a container, we may need to create unless the user set it explicitly on the command line. Otherwise, we just do a presence check. Unfortunately, there was a missing return that lead us to fall through into attempting to create and chown the workdir. That caused a regression when running on a read-only root fs. Fixes: #9230 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #9048 from matejvasek/apiv2_waitOpenShift Merge Robot2021-02-05
|\ \ \ | | | | | | | | Fix Docker APIv2 container wait endpoint
| * | | Fix per review requestMatej Vasek2021-02-04
| | | | | | | | | | | | | | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
| * | | Increase timeouts in some testsMatej Vasek2021-02-03
| | | | | | | | | | | | | | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
| * | | Add test for Docker APIv2 waitMatej Vasek2021-02-03
| | | | | | | | | | | | | | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
| * | | Implement Docker wait conditionsMatej Vasek2021-02-03
| | | | | | | | | | | | | | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
| * | | Improve ContainerEngine.ContainerWait()Matej Vasek2021-02-03
| | | | | | | | | | | | | | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
| * | | Improve container libpod.Wait*() functionsMatej Vasek2021-02-03
| |/ / | | | | | | | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
* | | Merge pull request #9182 from mheon/bump_apiOpenShift Merge Robot2021-02-05
|\ \ \ | | | | | | | | Bump remote API version to 3.0.0
| * | | Bump remote API version to 3.0.0Matthew Heon2021-02-04
| | | | | | | | | | | | | | | | | | | | | | | | Fixes #9175 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #9235 from Luap99/fix-9234OpenShift Merge Robot2021-02-04
|\ \ \ \ | | | | | | | | | | Fix podman network disconnect wrong NetworkStatus number
| * | | | Fix podman network disconnect wrong NetworkStatus numberPaul Holzinger2021-02-04
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The allocated `tmpNetworkStatus` must be allocated with the length 0. Otherwise append would add new elements to the end of the slice and not at the beginning of the allocated memory. This caused inspect to fail since the number of networks did not matched the number of network statuses. Fixes #9234 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | | Merge pull request #9113 from cevich/ginkgo_logs_artifactOpenShift Merge Robot2021-02-04
|\ \ \ \ | | | | | | | | | | Cirrus: Collect ginkgo node logs artifacts
| * | | | Cirrus: Collect ginkgo node logs artifactsChris Evich2021-02-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In rare cases, it's possible for one of the ginkgo processes to "hang". When this occurs, the main output will contain this message: ``Ginkgo timed out waiting for all parallel nodes to report`` The only way to debug this was to look through concatenated printing of the ginkgo node logs. This is a tedious and daunting task, requiring special search knowledge, facing a "wall of text". Simplify the situation by collecting the node logs separately, as individual files in a cirrus-artifact. In this way, it's faster to figure out which test "hung" by examining each log individually. The log file which does not have a pass/fail summary at the end, indicates the last test hung (for whatever reason), and includes it's output (if any). Signed-off-by: Chris Evich <cevich@redhat.com>
* | | | | Merge pull request #9220 from vrothberg/fix-9211OpenShift Merge Robot2021-02-04
|\ \ \ \ \ | | | | | | | | | | | | generate kube: handle entrypoint
| * | | | | generate kube: handle entrypointValentin Rothberg2021-02-04
| |/ / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The spec of a Kube Container has a `Command` and `Args`. While both are slices, the `Command` is the counterpart of the entrypoint of a libpod container. Kube is also happily accepting the arguments to as following items in the slice but it's cleaner to move those to `Args`. Fixes: #9211 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | Merge pull request #9154 from alvistack/master-linux-amd64OpenShift Merge Robot2021-02-04
|\ \ \ \ \ | |_|/ / / |/| | | | Update nix pin with `make nixpkgs`
| * | | | Update nix pin with `make nixpkgs`Wong Hoi Sing Edison2021-02-03
| | | | | | | | | | | | | | | | | | | | Signed-off-by: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
* | | | | Merge pull request #9188 from jwhonce/issues/8865OpenShift Merge Robot2021-02-03
|\ \ \ \ \ | | | | | | | | | | | | Report StatusConflict on Pod opt partial failures