Set blob cache directory based on GraphDriver
Remove references to image2 in source code. Makes the code
slightly more readable.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently in rootless containers, we end up not using the blob cache.
We also don't store the blob cache based on the user's specified graph
storage. This change will cause the cache directory to be stored with
the rest of the container images.
While doing this patch, I found that we had duplicated GetSystemContext in
two places in libpod. I cleaned this up.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
rootless: set sticky bit on rundir
use a sync.Once to potentially avoid multiple system calls every time
the function is called.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
it prevents the directory from being auto pruned, according to the XDG
specifications.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
it can be any OCI runtime.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
userns: do not use an intermediate mount namespace
Signed-off-by: Ed Santiago <santiago@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
We have an issue in the current implementation where the cleanup
process is not able to umount the storage as it is running in a
separate namespace.
Simplify the implementation for user namespaces by not using an
intermediate mount namespace. For doing it, we need to relax the
permissions on the parent directories and allow browsing
them. Containers that are running without a user namespace, will still
maintain mode 0700 on their directory.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Alter container/pod/volume name regexp to match Docker
Docker's upstream name validation regex has two major differences
from ours that we pick up in this PR.
The first requires that the first character of a name is a letter
or number, not a special character.
The second allows periods in names.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Default to SELinux private label for play kube mounts
Before, there were SELinux denials when a volume was bind-mounted by podman play kube.
Partially fix this by setting the default private label for mounts created by play kube (with DirectoryOrCreate).
For volumes mounted as Directory, the user will have to set their own SELinux permissions on the mount point.
Also remove leftover debugging print statement.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
Add all possible container status states to the podman-ps manual page.
Signed-off-by: Luke Short <ekultails@gmail.com>
Ensure that we make a netns for CNI non-default nets
Signed-off-by: Matthew Heon <mheon@redhat.com>
We accidentally patched this out trying to enable ns:/path/to/ns
This should restore the ability to configure nondefault CNI
networks with Podman, by ensuring that they request creation of a
network namespace.
Completely remove the WithNetNS() call when we do use an explicit
namespace from a path. We use that call to indicate that a netns
is going to be created - there should not be any question about
whether it actually does.
Fixes #2795
Signed-off-by: Matthew Heon <mheon@redhat.com>
rootless: change env prefix
from _LIBPOD to _CONTAINERS. The same change was done in buildah
unshare.
This is necessary for podman to detect we are running in a rootless
environment and work properly from a "buildah unshare" session.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
fix bug remote-podman images --digests
Add `digest` field to Image struct and update API.md
Show image digests when using --digests in podman-remote.
```
$ PODMAN_VARLINK_ADDRESS="tcp:127.0.0.1:1234" sudo bin/podman-remote images --digests
REPOSITORY                  TAG      DIGEST                                                                    IMAGE ID       CREATED       SIZE
docker.io/library/alpine    latest   sha256:d05ecd4520cab5d9e5d877595fb0532aadcd6c90f4bbc837bc11679f704c4c82   5cb3aa00f899   2 weeks ago   5.79 MB
docker.io/library/busybox   latest   sha256:4415a904b1aca178c2450fd54928ab362825e863c0ad5452fd020e92f7a6a47e   d8233ab899d4   5 weeks ago   1.42 MB
```
Signed-off-by: Qi Wang <qiwan@redhat.com>
fix bug `system df` add a space to the output
fix typo in Containers space usage: of podman system df -v, add a space for created time. Change format string to const.
Signed-off-by: Qi Wang <qiwan@redhat.com>
vendor buildah, image, storage, cni
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Remove ulele/deepcopier in favor of JSON deep copy
The jsoniterator library believes that panic() is a reasonable
response to being told to indent JSON with a tab. So use spaces
instead.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We have a very high performance JSON library that doesn't need to
perform code generation. Let's use it instead of our questionably
performant, reflection-dependent deep copy library.
Most changes because some functions can now return errors.
Also converts cmd/podman to use jsoniter, instead of pkg/json,
for increased performance.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
system df: reject invalid arguments
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add --dns=none
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Support in libpod was added in the previous commit. Wire it into
the frontend here.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Specifically, we want to be able to specify whether resolv.conf
and /etc/hosts will be created and bind-mounted into the
container.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
doc: add note that pod publish ports are static once defined
Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
Sigh; disable pod-top test, it's unreliable (#2780)
Signed-off-by: Ed Santiago <santiago@redhat.com>
rootless: fix regression when using exec on old containers
fallback to the previous behavior of joining only the user namespace,
when we cannot join the conmon userns+mount namespaces.
Closes: https://github.com/containers/libpod/issues/2673
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
[ci skip] get_ci_vm.sh: Fix conflicting homedir files
Previously, the script would bind mount the user's home directory into
the container in order to execute gcloud commands. This was done
to preserve the `.config/gcloud` directory and new ssh keys in `.ssh`.
However, it's possible the user has modified `.bash*` or `.ssh/config`
files which do not play nicely with gcloud and/or the container.
Fix this by mounting the existing temporary directory on the host, as
the user's home directory. Then bind mount in a dedicated `gcloud/ssh`
sub-directory, and the libpod repo directory on top. Pre-create the
necessary mount-points as the user, so later removal does not require
root on the host.
The gcloud tool takes minutes to set up/manage its ssh-keys, so preserving
that work between runs is a necessary optimization. Similarly, saving the
`.gcloud` directory prevents repeatedly going through the lengthy
client-auth process.
Overall, these changes make the container environment much more selective
with the host-side data it has access to use/modify. Preventing unrelated
details from getting in the way, and preserving only the bare-minimum of
details on the host, between runs.
Signed-off-by: Chris Evich <cevich@redhat.com>
Cirrus: Verify manpages for all subcommands exist