Commit message (Author, Age)
* test: test that an unprivileged user cannot access the storage (Ed Santiago, 2019-03-29)
|     Signed-off-by: Ed Santiago <santiago@redhat.com>
|     Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* userns: do not use an intermediate mount namespace (Giuseppe Scrivano, 2019-03-29)
|     We have an issue in the current implementation where the cleanup process is not able to umount the storage as it is running in a separate namespace. Simplify the implementation for user namespaces by not using an intermediate mount namespace. For doing it, we need to relax the permissions on the parent directories and allow browsing them. Containers that are running without a user namespace, will still maintain mode 0700 on their directory.
|     Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* volumes: push the chown logic to runtime_volume_linux.go (Giuseppe Scrivano, 2019-03-29)
|     Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2575 from haircommander/hotfix_play_kube (OpenShift Merge Robot, 2019-03-29)
|\
| |     Default to SELinux private label for play kube mounts
| * Default to SELinux private label for play kube mounts (Peter Hunt, 2019-03-28)
| |     Before, there were SELinux denials when a volume was bind-mounted by podman play kube.
| |     Partially fix this by setting the default private label for mounts created by play kube (with DirectoryOrCreate)
| |     For volumes mounted as Directory, the user will have to set their own SELinux permissions on the mount point
| |     also remove left over debugging print statement
| |     Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | Merge pull request #2524 from ekultails/podman-ps_man_page_status (OpenShift Merge Robot, 2019-03-29)
|\ \
| | |     Add all possible container status states to the podman-ps manual page.
| * | Add all container status states to the podman-ps manual page. (Luke Short, 2019-03-28)
| |/
| |     Signed-off-by: Luke Short <ekultails@gmail.com>
* | Merge pull request #2796 from mheon/fix_cni_multinetwork (OpenShift Merge Robot, 2019-03-29)
|\ \
| | |     Ensure that we make a netns for CNI non-default nets
| * | Fix lint (Matthew Heon, 2019-03-28)
| | |     Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | Ensure that we make a netns for CNI non-default nets (Matthew Heon, 2019-03-28)
| | |     We accidentally patched this out trying to enable ns:/path/to/ns
| | |     This should restore the ability to configure nondefault CNI networks with Podman, by ensuring that they request creation of a network namespace. Completely remove the WithNetNS() call when we do use an explicit namespace from a path. We use that call to indicate that a netns is going to be created - there should not be any question about whether it actually does.
| | |     Fixes #2795
| | |     Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #2786 from giuseppe/change-rootless-env-names (OpenShift Merge Robot, 2019-03-28)
|\ \ \
| | | |     rootless: change env prefix
| * | | rootless: change env prefix (Giuseppe Scrivano, 2019-03-28)
| | |/
| |/|
| | |     from _LIBPOD to _CONTAINERS. The same change was done in buildah unshare. This is necessary for podman to detect we are running in a rootless environment and work properly from a "buildah unshare" session.
| | |     Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #2784 from QiWang19/digest (OpenShift Merge Robot, 2019-03-28)
|\ \ \
| |_|/
|/| |
| | |     fix bug remote-podman images --digests
| * | fix bug remote-podman images --digests (Qi Wang, 2019-03-27)
| | |     Add `digest` field to Image struct and update API.md
| | |     Show image digests when using --digests in podman-remote.
| | |     ```
| | |     $ PODMAN_VARLINK_ADDRESS="tcp:127.0.0.1:1234" sudo bin/podman-remote images --digests
| | |     REPOSITORY                  TAG      DIGEST                                                                    IMAGE ID       CREATED       SIZE
| | |     docker.io/library/alpine    latest   sha256:d05ecd4520cab5d9e5d877595fb0532aadcd6c90f4bbc837bc11679f704c4c82   5cb3aa00f899   2 weeks ago   5.79 MB
| | |     docker.io/library/busybox   latest   sha256:4415a904b1aca178c2450fd54928ab362825e863c0ad5452fd020e92f7a6a47e   d8233ab899d4   5 weeks ago   1.42 MB
| | |     ```
| | |     Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | Merge pull request #2773 from QiWang19/bug (OpenShift Merge Robot, 2019-03-28)
|\ \ \
| | | |     fix bug `system df` add a space to the output
| * | | fix bug `system df` add blank space to the output (Qi Wang, 2019-03-28)
| |/ /
| | |     fix typo in Containers space usage: of podman system df -v, add a space for created time
| | |     Change format string to const
| | |     Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | Merge pull request #2789 from vrothberg/vendor (OpenShift Merge Robot, 2019-03-28)
|\ \ \
| | | |     vendor buildah, image, storage, cni
| * | | vendor buildah, image, storage, cni (Valentin Rothberg, 2019-03-28)
|/ / /
| | |     Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #2760 from mheon/misc_small_changes (OpenShift Merge Robot, 2019-03-28)
|\ \ \
| |_|/
|/| |
| | |     Remove ulele/deepcopier in favor of JSON deep copy
| * | Use spaces instead of tab for JSON marshal indent (Matthew Heon, 2019-03-27)
| | |     The jsoniterator library believes that panic() is a reasonable response to being told to indent JSON with a tab. So use spaces instead.
| | |     Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | Fix gofmt (Matthew Heon, 2019-03-27)
| | |     Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | Remove ulele/deepcopier in favor of JSON deep copy (Matthew Heon, 2019-03-27)
| |/
| |     We have a very high performance JSON library that doesn't need to perform code generation. Let's use it instead of our questionably performant, reflection-dependent deep copy library. Most changes because some functions can now return errors. Also converts cmd/podman to use jsoniter, instead of pkg/json, for increased performance.
| |     Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #2777 from edsantiago/system_df_invalid_arg (OpenShift Merge Robot, 2019-03-27)
|\ \
| |/
|/|
| |     system df: reject invalid arguments
| * system df: reject invalid arguments (Ed Santiago, 2019-03-27)
| |     Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #2747 from mheon/dns_none (OpenShift Merge Robot, 2019-03-27)
|\ \
| | |     Add --dns=none
| * | Resolve review comments (Matthew Heon, 2019-03-27)
| | |     Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | Add a test that --add-host conflicts with --no-hosts (Matthew Heon, 2019-03-27)
| | |     Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | Add manpages and completions for dns=none and no-hosts (Matthew Heon, 2019-03-27)
| | |     Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | Add --no-hosts flag to disable management of /etc/hosts (Matthew Heon, 2019-03-27)
| | |     Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | Add for --dns=none to disable creation of resolv.conf (Matthew Heon, 2019-03-27)
| | |     Support in libpod was added in the previous commit. Wire it into the frontend here.
| | |     Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | Add support to disable creation of network config files (Matthew Heon, 2019-03-27)
| | |     Specifically, we want to be able to specify whether resolv.conf and /etc/hosts will be created and bind-mounted into the container.
| | |     Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #2779 from jcpunk/pod-static-publish (OpenShift Merge Robot, 2019-03-27)
|\ \ \
| | | |     doc: add note that pod publish ports are static once defined
| * | | doc: add note that pod publish ports are static once defined (Pat Riehecky, 2019-03-27)
| |/ /
| | |     Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
* | | Merge pull request #2781 from edsantiago/bats (OpenShift Merge Robot, 2019-03-27)
|\ \ \
| | | |     Sigh; disable pod-top test, it's unreliable (#2780)
| * | | Sigh; disable pod-top test, it's unreliable (#2780) (Ed Santiago, 2019-03-27)
| | |/
| |/|
| | |     Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | Merge pull request #2762 from giuseppe/rootless-exec-old-containers-uidmap (OpenShift Merge Robot, 2019-03-27)
|\ \ \
| |_|/
|/| |
| | |     rootless: fix regression when using exec on old containers
| * | rootless: fix regression when using exec on old containers (Giuseppe Scrivano, 2019-03-27)
| | |     fallback to the previous behavior of joining only the user namespace, when we cannot join the conmon userns+mount namespaces.
| | |     Closes: https://github.com/containers/libpod/issues/2673
| | |     Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #2433 from cevich/hack_around_home (OpenShift Merge Robot, 2019-03-27)
|\ \ \
| |_|/
|/| |
| | |     [ci skip] get_ci_vm.sh: Fix conflicting homedir files
| * | get_ci_vm.sh: Fix conflicting homedir files (Chris Evich, 2019-03-01)
| | |     Previously, the script would bind mount the user's home directory into the container in order to execute gcloud commands. This was done to preserve the `.config/gcloud` directory and new ssh keys in `.ssh`. However, it's possible the user has modified `.bash*` or `.ssh/config` files which do not play nicely with gcloud and/or the container. Fix this by mounting the existing temporary directory on the host, as the user's home directory. Then bind mount in a dedicated `gcloud/ssh` sub-directory, and the libpod repo directory on top. Pre-create the necessary mount-points as the user, so later removal does not require root on the host. The gcloud tool takes minutes to setup/manage its ssh-keys, so preserving that work between runs is a necessary optimization. Similarly, saving the `.gcloud` directory prevents repeatedly going through the lengthy client-auth process. Overall, these changes make the container environment much more selective with the host-side data it has access to use/modify. Preventing unrelated details from getting in the way, and preserving only the bare-minimum of details on the host, between runs.
| | |     Signed-off-by: Chris Evich <cevich@redhat.com>
* | | Merge pull request #2648 from cevich/check_manpages (OpenShift Merge Robot, 2019-03-27)
|\ \ \
| |_|/
|/| |
| | |     Cirrus: Verify manpages for all subcommands exist
| * | Cirrus: Verify manpages for all subcommands exist (Chris Evich, 2019-03-21)
| | |     fixes #2630
| | |     Signed-off-by: Chris Evich <cevich@redhat.com>
* | | Merge pull request #2749 from jcpunk/doc (OpenShift Merge Robot, 2019-03-27)
|\ \ \
| | | |     docs/podman-pod-create.1.md: add example with port mapping
| * | | docs/podman-pod-create.1.md: add example with port mapping (Pat Riehecky, 2019-03-25)
| | | |     Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
* | | | Merge pull request #2772 from TomSweeneyRedHat/dev/tsweeney/commandstouch (OpenShift Merge Robot, 2019-03-26)
|\ \ \ \
| | | | |     Touchup commands.md
| * | | | Touchup commands.md (TomSweeneyRedHat, 2019-03-26)
|/ / / /
| | | |     Remove the runlabel command as it's now covered by the containers-runlabel command. Add the play command and remove all of the video links that don't have a video attached to them. Plus a little bit of table definition changes.
| | | |     Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* | | | Merge pull request #2771 from baude/issue2765 (OpenShift Merge Robot, 2019-03-26)
|\ \ \ \
| | | | |     size is optional for container inspection
| * | | | size is optional for container inspection (baude, 2019-03-26)
|/ / / /
| | | |     on the remote client, if a user wants to know the rootfs size of a container, a -s should be passed. this corrects a behavior where size was shown by default.
| | | |     Fixes #2765
| | | |     Signed-off-by: baude <bbaude@redhat.com>
* | | | Merge pull request #2758 from baude/eventsDied (OpenShift Merge Robot, 2019-03-26)
|\ \ \ \
| | | | |     Add "died" event
| * | | | Add "died" event (baude, 2019-03-25)
| | | | |     We have a new event for container 'Exited' which has been renamed to 'died'. also removed the stream bool from the varlink endpoint for events because it can be determined by the varlink more value.
| | | | |     Signed-off-by: baude <bbaude@redhat.com>
* | | | | Merge pull request #2769 from ypu/attach_test (OpenShift Merge Robot, 2019-03-26)
|\ \ \ \ \
| | | | | |     Add three test cases for podman attach test