Commit message    Author    Date
* rootless: use a single user namespace  (Giuseppe Scrivano, 2019-04-01)
    simplify the rootless implementation to use a single user namespace for all the running containers. This makes the rootless implementation behave more like root Podman, where each container is created in the host environment. There are multiple advantages to it:
    1) much simpler implementation as there is only one namespace to join.
    2) we can join namespaces owned by different containers.
    3) commands like ps won't be limited to what container they can access as previously we either had access to the storage from a new namespace or access to /proc when running from the host.
    4) rootless varlink works.
    5) there are only two ways to enter in a namespace, either by creating a new one if no containers are running or joining the existing one from any container.
    Containers created by older Podman versions must be restarted.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: remove SkipStorageSetup()  (Giuseppe Scrivano, 2019-04-01)
    in the few places where we care about skipping the storage initialization, we can simply use the process effective UID, instead of relying on a global boolean flag.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2812 from rpjday/topic/rpjday/missing_option_hyphen  (OpenShift Merge Robot, 2019-03-31)
    docs/podman-inspect.1.md: add missing option hyphen for "-t"
| * docs/podman-inspect.1.md: add missing option hyphen for "-t"  (Robert P. J. Day, 2019-03-30)
    Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
* | Merge pull request #2816 from rpjday/topic/rpjday/missing_hyphens  (OpenShift Merge Robot, 2019-03-31)
    docs/podman*.md: fix numerous option typos and spacing errors
| * | docs/podman*.md: fix numerous option typos and spacing errors  (Robert P. J. Day, 2019-03-31)
    Cursory examination of man pages shows a number of typos:
    - missing hyphens
    - missing blank line
    - longer option should precede shorter option
    This is not an extensive fix, there's still a lot that could be cleaned up.
    Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
* | Merge pull request #2807 from mheon/bump-1.2.0  (OpenShift Merge Robot, 2019-03-31)
    Bump to v1.2.0
| * | Bump gitvalidation epoch  (Matthew Heon, 2019-03-30)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | Bump to v1.3.0-dev  (Matthew Heon, 2019-03-30)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | Bump to v1.2.0  [tag: v1.2.0]  (Matthew Heon, 2019-03-30)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #2814 from rpjday/topic/rpjday/container_rm  (OpenShift Merge Robot, 2019-03-31)
    docs/podman-rm.1.md: delete "Not yet implemented" msg for volume removal
| * | docs/podman-rm.1.md: delete "Not yet implemented" msg for volume removal  (Robert P. J. Day, 2019-03-30)
    Since this feature appears to be implemented, remove the qualifier.
    Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
* | Merge pull request #2804 from rhatdan/help  (OpenShift Merge Robot, 2019-03-30)
    Capitalize global options help information
| * Capitalize global options help information  (Daniel J Walsh, 2019-03-30)
    --trace, --help and --version were not capitalized like the rest of the global options. This patch fixes this problem.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #2803 from mheon/release_notes_v1.2.0  (OpenShift Merge Robot, 2019-03-29)
    Update release notes for v1.2.0
| * Update release notes for v1.2.0  (Matthew Heon, 2019-03-29)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #2801 from mheon/remove_wait_event  (OpenShift Merge Robot, 2019-03-29)
    Remove wait event
| * | Remove wait event  (Matthew Heon, 2019-03-29)
    It's not necessary to log an event for a read-only operation like wait.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #2802 from TomSweeneyRedHat/dev/tsweeney/buildah1.7.2  (OpenShift Merge Robot, 2019-03-29)
    Vendor Buildah 1.7.2
| * | Vendor Buildah 1.7.2  (TomSweeneyRedHat, 2019-03-29)
    Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* | Merge pull request #2800 from mheon/lock_events_file  (OpenShift Merge Robot, 2019-03-29)
    Add locking to ensure events file is concurrency-safe
| * Add locking to ensure events file is concurrency-safe  (Matthew Heon, 2019-03-29)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #2691 from baude/psdynamic  (OpenShift Merge Robot, 2019-03-29)
    Add watch mode to podman ps
| * Add watch mode to podman ps  (baude, 2019-03-28)
    allows users to "watch" the output of podman ps on a set interval in seconds. in watch mode, the screen is cleared between intervals as well.
    podman ps -w1 watches on 1 second intervals
    Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #2635 from rhatdan/cache  (OpenShift Merge Robot, 2019-03-29)
    Set blob cache directory based on GraphDriver
| * | Cleanup image2 -> image for imports  (Daniel J Walsh, 2019-03-29)
    Remove references to image2 in source code. Makes the code slightly more readable.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| * | Set blob cache directory based on GraphDriver  (Daniel J Walsh, 2019-03-29)
    Currently in rootless containers, we end up not using the blob cache. We also don't store the blob cache based on the users specified graph storage. This change will cause the cache directory to be stored with the rest of the container images.
    While doing this patch, I found that we had duplicated GetSystemContext in two places in libpod. I cleaned this up.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #2797 from giuseppe/rootless-set-sticky  (OpenShift Merge Robot, 2019-03-29)
    rootless: set sticky bit on rundir
| * | | utils: call GetRootlessRuntimeDir once  (Giuseppe Scrivano, 2019-03-29)
    use a sync.Once to potentially avoid multiple system calls every time the function is called.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | rootless: set sticky bit on rundir  (Giuseppe Scrivano, 2019-03-29)
    it prevents the directory from being auto-pruned, according to the XDG specifications.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | oci: drop reference to runc  (Giuseppe Scrivano, 2019-03-29)
    it can be any OCI runtime.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #2730 from giuseppe/userns-take-rid-of-intermediate-mountns  (OpenShift Merge Robot, 2019-03-29)
    userns: do not use an intermediate mount namespace
| * | | | test: test that an unprivileged user cannot access the storage  (Ed Santiago, 2019-03-29)
    Signed-off-by: Ed Santiago <santiago@redhat.com>
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | | userns: do not use an intermediate mount namespace  (Giuseppe Scrivano, 2019-03-29)
    We have an issue in the current implementation where the cleanup process is not able to umount the storage as it is running in a separate namespace.
    Simplify the implementation for user namespaces by not using an intermediate mount namespace. To do it, we need to relax the permissions on the parent directories and allow browsing them. Containers that are running without a user namespace will still maintain mode 0700 on their directory.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | | volumes: push the chown logic to runtime_volume_linux.go  (Giuseppe Scrivano, 2019-03-29)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | Merge pull request #2793 from mheon/alter_name_regex  (OpenShift Merge Robot, 2019-03-29)
    Alter container/pod/volume name regexp to match Docker
| * | | | Alter container/pod/volume name regexp to match Docker  (Matthew Heon, 2019-03-29)
    Docker's upstream name validation regex has two major differences from ours that we pick up in this PR. The first requires that the first character of a name is a letter or number, not a special character. The second allows periods in names.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #2575 from haircommander/hotfix_play_kube  (OpenShift Merge Robot, 2019-03-29)
    Default to SELinux private label for play kube mounts
| * | | | Default to SELinux private label for play kube mounts  (Peter Hunt, 2019-03-28)
    Before, there were SELinux denials when a volume was bind-mounted by podman play kube. Partially fix this by setting the default private label for mounts created by play kube (with DirectoryOrCreate).
    For volumes mounted as Directory, the user will have to set their own SELinux permissions on the mount point.
    Also remove a leftover debugging print statement.
    Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | | Merge pull request #2524 from ekultails/podman-ps_man_page_status  (OpenShift Merge Robot, 2019-03-29)
    Add all possible container status states to the podman-ps manual page.
| * | | Add all container status states to the podman-ps manual page.  (Luke Short, 2019-03-28)
    Signed-off-by: Luke Short <ekultails@gmail.com>
* | | Merge pull request #2796 from mheon/fix_cni_multinetwork  (OpenShift Merge Robot, 2019-03-29)
    Ensure that we make a netns for CNI non-default nets
| * | Fix lint  (Matthew Heon, 2019-03-28)
    Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | Ensure that we make a netns for CNI non-default nets  (Matthew Heon, 2019-03-28)
    We accidentally patched this out trying to enable ns:/path/to/ns
    This should restore the ability to configure nondefault CNI networks with Podman, by ensuring that they request creation of a network namespace.
    Completely remove the WithNetNS() call when we do use an explicit namespace from a path. We use that call to indicate that a netns is going to be created - there should not be any question about whether it actually does.
    Fixes #2795
    Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #2786 from giuseppe/change-rootless-env-names  (OpenShift Merge Robot, 2019-03-28)
    rootless: change env prefix
| * | | rootless: change env prefix  (Giuseppe Scrivano, 2019-03-28)
    from _LIBPOD to _CONTAINERS. The same change was done in buildah unshare.
    This is necessary for podman to detect we are running in a rootless environment and work properly from a "buildah unshare" session.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #2784 from QiWang19/digest  (OpenShift Merge Robot, 2019-03-28)
    fix bug remote-podman images --digests
| * | fix bug remote-podman images --digests  (Qi Wang, 2019-03-27)
    Add `digest` field to Image struct and update API.md
    Show image digests when using --digests in podman-remote.
    ```
    $ PODMAN_VARLINK_ADDRESS="tcp:127.0.0.1:1234" sudo bin/podman-remote images --digests
    REPOSITORY                  TAG      DIGEST                                                                    IMAGE ID       CREATED       SIZE
    docker.io/library/alpine    latest   sha256:d05ecd4520cab5d9e5d877595fb0532aadcd6c90f4bbc837bc11679f704c4c82   5cb3aa00f899   2 weeks ago   5.79 MB
    docker.io/library/busybox   latest   sha256:4415a904b1aca178c2450fd54928ab362825e863c0ad5452fd020e92f7a6a47e   d8233ab899d4   5 weeks ago   1.42 MB
    ```
    Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | Merge pull request #2773 from QiWang19/bug  (OpenShift Merge Robot, 2019-03-28)
    fix bug `system df` add a space to the output
| * | | fix bug `system df` add blank space to the output  (Qi Wang, 2019-03-28)
    fix typo in "Containers space usage:" of podman system df -v, add a space for created time
    Change format string to const
    Signed-off-by: Qi Wang <qiwan@redhat.com>