Commit message (author, date)
* Validate passed in timezone from tz option (TomSweeneyRedHat, 2021-03-21)
    Erik Sjolund reported an issue where a badly formatted file could be passed into the `--tz` option and then the date in the container would be badly messed up:

    ```
    erik@laptop:~$ echo Hello > file.txt
    erik@laptop:~$ podman run --tz=../../../home/erik/file.txt --rm -ti docker.io/library/alpine cat /etc/localtime
    Hello
    erik@laptop:~$ podman --version
    podman version 3.0.0-rc1
    erik@laptop:~$
    ```

    This fix checks to make sure the TZ passed in is a valid value and then proceeds with the rest of the processing.

    This was first reported as a potential security issue, but it was thought not to be. However, I thought closing the hole sooner rather than later would be good.

    Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* Merge pull request #9762 from giuseppe/use-bounding-caps-for---privileged (OpenShift Merge Robot, 2021-03-19)
    security: use the bounding caps with --privileged
| * vendor: drop replace for github.com/syndtr/gocapability (Giuseppe Scrivano, 2021-03-19)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * security: use the bounding caps with --privileged (Giuseppe Scrivano, 2021-03-19)
    when --privileged is used, make sure to not request more capabilities than currently available in the current context.
    [NO TESTS NEEDED] since it fixes existing tests.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * Bump github.com/containers/common from 0.35.0 to 0.35.3 (dependabot[bot], 2021-03-19)
    Bumps [github.com/containers/common](https://github.com/containers/common) from 0.35.0 to 0.35.3.
    - [Release notes](https://github.com/containers/common/releases)
    - [Commits](https://github.com/containers/common/compare/v0.35.0...v0.35.3)
    Signed-off-by: dependabot[bot] <support@github.com>
* | Merge pull request #9735 from containers/dependabot/go_modules/github.com/onsi/ginkgo-1.15.2 (OpenShift Merge Robot, 2021-03-19)
    Bump github.com/onsi/ginkgo from 1.15.1 to 1.15.2
| * Bump github.com/onsi/ginkgo from 1.15.1 to 1.15.2 (dependabot-preview[bot], 2021-03-18)
    Bumps [github.com/onsi/ginkgo](https://github.com/onsi/ginkgo) from 1.15.1 to 1.15.2.
    - [Release notes](https://github.com/onsi/ginkgo/releases)
    - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
    - [Commits](https://github.com/onsi/ginkgo/compare/v1.15.1...v1.15.2)
    Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #9758 from jmguzik/volumes-networks-http-fix (OpenShift Merge Robot, 2021-03-19)
    Fix volumes and networks list/prune filters in http api
| * | Fix volumes and networks list/prune filters in http api (Jakub Guzik, 2021-03-19)
    This is the continuation work started in #9711. It turns out that list/prune commands for volumes in libpod/compat api have very dangerous error handling when broken filter input is supplied. Problem also affects network list/prune in libpod. This commit unifies filter handling across libpod/compat api and adds sanity apiv2 testcases.
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | | Merge pull request #9760 from containers/dependabot/go_modules/k8s.io/apimachinery-0.20.5 (OpenShift Merge Robot, 2021-03-19)
    Bump k8s.io/apimachinery from 0.20.4 to 0.20.5
| * | | Bump k8s.io/apimachinery from 0.20.4 to 0.20.5 (dependabot[bot], 2021-03-19)
    Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.20.4 to 0.20.5.
    - [Release notes](https://github.com/kubernetes/apimachinery/releases)
    - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.20.4...v0.20.5)
    Signed-off-by: dependabot[bot] <support@github.com>
* | | Merge pull request #9734 from containers/dependabot/go_modules/github.com/containers/storage-1.28.0 (OpenShift Merge Robot, 2021-03-19)
    Bump github.com/containers/storage from 1.25.0 to 1.28.0
| * | Bump github.com/containers/storage from 1.25.0 to 1.28.0 (Giuseppe Scrivano, 2021-03-18)
    Bumps [github.com/containers/storage](https://github.com/containers/storage) from 1.25.0 to 1.28.0.
    - [Release notes](https://github.com/containers/storage/releases)
    - [Changelog](https://github.com/containers/storage/blob/master/docs/containers-storage-changes.md)
    - [Commits](https://github.com/containers/storage/compare/v1.25.0...v1.28.0)
    Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #9748 from vrothberg/lazy-vendoring (OpenShift Merge Robot, 2021-03-18)
    add a dependabot config to automate vendoring
| * | | add a dependabot config to automate vendoring (Valentin Rothberg, 2021-03-18)
    While dependabot has turned out great to automate updating dependencies, a major pain point was that we had to manually run `make vendor` for each and every commit. It was causing noise.
    Adding the config file to `.github/dependabot.yml` will take care of also updating the `./vendor` tree. `containers/common` is using this config for a while successfully.
    [NO TESTS NEEDED]
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #9710 from jmguzik/network-prune-filters-http-api (OpenShift Merge Robot, 2021-03-18)
    Network prune filters for http api (compat and libpod)
| * | network prune filters for http compat and libpod api (Jakub Guzik, 2021-03-18)
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | | Merge pull request #9739 from giuseppe/use-latest-crun-runc (OpenShift Merge Robot, 2021-03-18)
    Latest crun/runc should handle blkio-weight test
| * | | test: check for io.stat existence on cgroup v2 (Giuseppe Scrivano, 2021-03-17)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | test: fix test for last crun/runc (Giuseppe Scrivano, 2021-03-17)
    there was a documentation issue for the kernel that reported the range to be different than on cgroup v1. The issue has been fixed in crun/runc. Adapt the test.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | test: simplify cgroup path (Giuseppe Scrivano, 2021-03-17)
    with cgroup v2, the cgroupns is enabled by default.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | Latest crun/runc should handle blkio-weight test (Daniel J Walsh, 2021-03-17)
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #9736 from jmguzik/fix-image-prune-cmd-message (OpenShift Merge Robot, 2021-03-17)
    fix user message image prune --all
| * | | | fix user message image prune --all (Jakub Guzik, 2021-03-17)
    User message was the same as in the case of no flag provided. This commit aligns message with the one used in docker.
    [NO TESTS NEEDED]
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | | | Merge pull request #9717 from nalind/error-race (OpenShift Merge Robot, 2021-03-17)
    [NO TESTS NEEDED] pkg/bindings/images.Build(): fix a race condition in error reporting
| * | | Downgrade github.com/coreos/go-systemd/v22 (Nalin Dahyabhai, 2021-03-16)
    Downgrade github.com/coreos/go-systemd/v22 to a version that will build against systemd headers that we have on CentOS 8. This also pulls in github.com/varlink/go.
    Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
| * | | pkg/bindings/images.Build(): fix a race condition in error reporting (Nalin Dahyabhai, 2021-03-16)
    In nTar(), don't return the error value when the goroutine that's populating the error value can continue running long after nTar() returns. Instead, wrap the Close() method of the pipe that we're returning in a function that collects those errors, along with any error we get from closing the pipe, and returns them from Close() wrapper. In Build(), if the Close() method returns an error, at least log it.
    Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | | Merge pull request #9714 from rhatdan/build (OpenShift Merge Robot, 2021-03-17)
    Switch all builds to pull-never
| * | | Switch all builds to pull-never (Daniel J Walsh, 2021-03-16)
    Fixes: https://github.com/containers/buildah/issues/2779
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #9728 from ashley-cui/secretdocs (OpenShift Merge Robot, 2021-03-17)
    [CI:DOCS] removing secrets is safe for in-use secrets
| * | Docs: removing secrets is safe for in-use secrets (Ashley Cui, 2021-03-16)
    Add docs explaining that it is safe to remove a secret that is in use by a container: secrets are copied and mounted into the container at creation
    Signed-off-by: Ashley Cui <acui@redhat.com>
* | Merge pull request #9711 from jmguzik/volume-prune-fix-http-compat (OpenShift Merge Robot, 2021-03-16)
    Fix for volumes prune in http compat api when using filters
| * | Fix for volumes prune in http compat api (Jakub Guzik, 2021-03-15)
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | Merge pull request #9695 from jmguzik/array-inspect-network-fix (OpenShift Merge Robot, 2021-03-16)
    Fix array instead of one elem network http api
| * | Fix array instead of one elem network http api (Jakub Guzik, 2021-03-12)
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | | Merge pull request #9589 from troyready/add_compat_auth_endpoint (OpenShift Merge Robot, 2021-03-16)
    add /auth for docker compatibility
| * | | fix use with localhost (testing) (troyready, 2021-03-12)
    Signed-off-by: troyready <troy@troyready.com>
| * | | add /auth for docker compatibility (troyready, 2021-03-12)
    This endpoint just validates credentials: https://github.com/moby/moby/blob/v20.10.4/api/swagger.yaml#L7936-L7977
    Fixes: #9564
    Signed-off-by: troyready <troy@troyready.com>
* | | | Merge pull request #9719 from edsantiago/bats (OpenShift Merge Robot, 2021-03-16)
    System test cleanup
| * | | System test cleanup (Ed Santiago, 2021-03-15)
    - cp test: clean up stray image
    - build test: add workaround for #9567 (ultra-slow ubuntu). We're seeing CI flakes (timeouts) due to ubuntu 2004 being absurdly slow. Workaround: double our timeout on one specific test when ubuntu + remote.
    - build test: clean up new copy-from test (from #9275). The test was copy-pasted from buildah system tests, without really adapting for podman environment (e.g. it was using images that we don't use here, and would cause pulls, which will cause flakes). Rewrite test so it references only $IMAGE, remove some confusing/unnecessary stuff, selectively run parts of it even when rootless or remote, and add a test to confirm that copy-from succeeded.
    - load test: add error-message test to new load-invalid (#9672). Basically, make sure the command fails for the right reason.
    - play test (kube): use $IMAGE, not alpine; and add pause-image cleanup to teardown()
    - apiv2 mounts test: add a maintainability comment in a tricky section of code; and tighten up the mount point test.
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | Merge pull request #9716 from Luap99/remote-libpod (OpenShift Merge Robot, 2021-03-15)
    Do not leak libpod package into the remote client
| * | Fix remote client timezone test (Paul Holzinger, 2021-03-15)
    The New York timezone changes between summer and winter time. Make sure the test allows both timezones.
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * | Do not leak libpod package into the remote client (Paul Holzinger, 2021-03-15)
    Some packages used by the remote client imported the libpod package. This is not wanted because it adds unnecessary bloat to the client and also causes problems with platform specific code (linux only), see #9710.
    The solution is to move the used functions/variables into extra packages which do not import libpod.
    This change shrinks the remote client size more than 6MB compared to the current master.
    [NO TESTS NEEDED] I have no idea how to test this properly but with #9710 the cross compile should fail.
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * | Split libpod/network package (Paul Holzinger, 2021-03-15)
    The `libpod/network` package should only be used on the backend and not the client. The client used this package only for two functions so move them into a new `pkg/network` package.
    This is needed so we can put linux only code into `libpod/network`, see #9710.
    [NO TESTS NEEDED]
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #9684 from containers/dependabot/go_modules/github.com/sirupsen/logrus-1.8.1 (OpenShift Merge Robot, 2021-03-12)
    Bump github.com/sirupsen/logrus from 1.8.0 to 1.8.1
| * | Bump github.com/sirupsen/logrus from 1.8.0 to 1.8.1 (dependabot-preview[bot], 2021-03-12)
    Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.8.0 to 1.8.1.
    - [Release notes](https://github.com/sirupsen/logrus/releases)
    - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
    - [Commits](https://github.com/sirupsen/logrus/compare/v1.8.0...v1.8.1)
    Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #9703 from jmguzik/endpoint-networks (OpenShift Merge Robot, 2021-03-12)
    [NO TESTS NEEDED] create endpoint for querying libpod networks
| * | | create endpoint for querying libpod networks (Jakub Guzik, 2021-03-12)
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | | Merge pull request #9699 from jwhonce/wip/tests (OpenShift Merge Robot, 2021-03-12)
    Delete all containers and pods between tests
| * | | Delete all containers and pods between tests (Jhon Honce, 2021-03-11)
    New tearDown() deletes all pods and containers between tests
    Signed-off-by: Jhon Honce <jhonce@redhat.com>