Commit message (Author, Age)
* Merge pull request #1939 from mheon/no_firewall_if_rootless (OpenShift Merge Robot, 2018-12-04)
  Don't initialize CNI when running as rootless

  * Don't initialize CNI when running as rootless (Matthew Heon, 2018-12-04)
    We don't use CNI to configure networks for rootless containers, so no need to set it up. It may also cause issues with inotify, so disabling it resolves some potential problems.
    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #1920 from wking/explicit-hooks-dirs (OpenShift Merge Robot, 2018-12-04)
  libpod/container_internal: Deprecate implicit hook directories

  * libpod/container_internal: Deprecate implicit hook directories (W. Trevor King, 2018-12-03)
    Part of the motivation for 800eb863 (Hooks supports two directories, process default and override, 2018-09-17, #1487) was [1]:

    > We only use this for override. The reason this was caught is people
    > are trying to get hooks to work with CoreOS. You are not allowed to
    > write to /usr/share... on CoreOS, so they wanted podman to also look
    > at /etc, where users and third parties can write.

    But we'd also been disabling hooks completely for rootless users. And even for root users, the override logic was tricky when folks actually had content in both directories. For example, if you wanted to disable a hook from the default directory, you'd have to add a no-op hook to the override directory.

    Also, the previous implementation failed to handle the case where there were hooks defined in the override directory but the default directory did not exist:

      $ podman version
      Version: 0.11.2-dev
      Go Version: go1.10.3
      Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
      Built: Sun Dec 2 21:30:06 2018
      OS/Arch: linux/amd64
      $ ls -l /etc/containers/oci/hooks.d/test.json
      -rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
      $ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
      time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
      time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"

    With this commit:

      $ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
      time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
      time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
      time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
      time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
      time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
      time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""

    (I'd set up the hook to error out). You can see that it's silently ignoring the ENOENT for /usr/share/containers/oci/hooks.d and continuing on to load hooks from /etc/containers/oci/hooks.d. When it loads the hook, it also logs a warning-level message suggesting that callers explicitly configure their hook directories. That will help consumers migrate, so we can drop the implicit hook directories in some future release.

    When folks *do* explicitly configure hook directories (via the newly-public --hooks-dir and hooks_dir options), we error out if they're missing:

      $ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
      error setting up OCI Hooks: open /does/not/exist: no such file or directory

    I've dropped the trailing "path" from the old, hidden --hooks-dir-path and hooks_dir_path because I think "dir(ectory)" is already enough context for "we expect a path argument". I consider this name change non-breaking because the old forms were undocumented.

    Coming back to rootless users, I've enabled hooks now. I expect they were previously disabled because users had no way to avoid /usr/share/containers/oci/hooks.d which might contain hooks that required root permissions. But now rootless users will have to explicitly configure hook directories, and since their default config is from ~/.config/containers/libpod.conf, it's a misconfiguration if it contains hooks_dir entries which point at directories with hooks that require root access. We error out so they can fix their libpod.conf.

    [1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355

    Signed-off-by: W. Trevor King <wking@tremily.us>
* Merge pull request #1933 from giuseppe/update-runc-again (OpenShift Merge Robot, 2018-12-04)
  test: update runc again

  * test: update runc again (Giuseppe Scrivano, 2018-12-04)
    The regression we noticed in runc was fixed upstream: https://github.com/opencontainers/runc/pull/1943, so we can use runc from master again.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1932 from giuseppe/vendor-storage (OpenShift Merge Robot, 2018-12-04)
  vendor: update containers/storage

  * vendor: update containers/storage (Giuseppe Scrivano, 2018-12-04)
    Inherit a change for rootless containers to ignore device nodes inside of images.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1938 from baude/rmichildren (OpenShift Merge Robot, 2018-12-04)
  correct algorithm for deleting all images

  * correct algorithm for deleting all images (baude, 2018-12-04)
    When deleting all images, we need to iterate over all the images, deleting those that don't have children first, and then reiterate until they are all gone. This resolves #1926.
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1894 from jwhonce/bug/1876 (OpenShift Merge Robot, 2018-12-04)
  Only include container SizeRootFs when requested

  * Only include container SizeRootFs when requested (Jhon Honce, 2018-11-28)
    * API always returns a value, so we remove it if not asked for
    Fixes #1876
    Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Merge pull request #1907 from baude/createpodautomatically (OpenShift Merge Robot, 2018-12-04)
  create pod on the fly

  * create pod on the fly (baude, 2018-12-03)
    When a user specifies --pod to podman create|run, we should create that pod automatically. The port bindings from the container are then inherited by the infra container. This significantly improves the workflow of running containers inside pods with podman. The user is still encouraged to use podman pod create to have more granular control of the pod create options.
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1913 from baude/podexists (OpenShift Merge Robot, 2018-12-03)
  podman pod exists

  * podman pod exists (baude, 2018-12-03)
    Like containers and images, users would benefit from being able to check if a pod exists in local storage. If the pod exists, the return code is 0. If the pod does not exist, the return code is 1. Any other return code indicates a real error, such as permissions or runtime.
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1923 from giuseppe/rootless-no-newuidmap-installed (OpenShift Merge Robot, 2018-12-03)
  rootless: raise error if newuidmap/newgidmap are not installed

  * rootless: raise error if newuidmap/newgidmap are not installed (Giuseppe Scrivano, 2018-12-03)
    It was reported on IRC that Podman on Ubuntu failed as newuidmap/newgidmap were not installed by default. Raise an error if we are not allowing single mappings (used only by the test suite) and any of the binaries is not present.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1914 from baude/logslatest (OpenShift Merge Robot, 2018-12-03)
  Add short-option handling to logs

  * Add short-option handling to logs (baude, 2018-12-01)
    podman logs already supports the latest command line switch. Users should be able to use the short options combined (i.e. podman logs -lf).
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1903 from giuseppe/fix-rootless-tests (OpenShift Merge Robot, 2018-12-01)
  tests: fix rootless tests on Ubuntu

  * tests: always install runc on Ubuntu (Giuseppe Scrivano, 2018-12-01)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

  * cirrus: update ubuntu image (Giuseppe Scrivano, 2018-11-30)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

  * cirrus: make apt noninteractive (Giuseppe Scrivano, 2018-11-30)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

  * Dockerfile, .cirrus.yml: update runc commit (Giuseppe Scrivano, 2018-11-30)
    We need to inherit this change from runc.

    commit 869add33186caff4a22e3e11a7472a2d48d77889:

      rootless: fix running with /proc/self/setgroups set to deny

      This is a regression from 06f789cf26774dd64cb2a9cc0b3c6a6ff832733b when the user namespace was configured without a privileged helper.

      To allow a single mapping in a user namespace, it is necessary to set /proc/self/setgroups to "deny".

      For a simple reproducer, the user namespace can be created with "unshare -r".

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

  * rootless: propagate XDG_RUNTIME_DIR to the OCI runtime (Giuseppe Scrivano, 2018-11-30)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

  * Update ubuntu VM image w/ newer runc (Chris Evich, 2018-11-30)
    Signed-off-by: Chris Evich <cevich@redhat.com>
* Merge pull request #1896 from ypu/mount-create-test (OpenShift Merge Robot, 2018-11-30)
  Add create test with --mount flag

  * Add create test with --mount flag (Yiqiao Pu, 2018-11-29)
    Signed-off-by: Yiqiao Pu <ypu@redhat.com>
* Merge pull request #1886 from edsantiago/pypod_run_args (OpenShift Merge Robot, 2018-11-30)
  pypod run: ignore args intended for container command

  * pypod create/run: ignore args for container command (Ed Santiago, 2018-11-28)
    Don't try to argparse command-line arguments on the right-hand side of the image; those are intended for the container command:

      pypodman create fedora ls -l
      pypodman run fedora find / -name foo
      pypodman run fedora bash -c 'echo hi'

    If/when `pypodman exec` gets implemented, it should use this too.
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #1317 from rhatdan/privileged (OpenShift Merge Robot, 2018-11-30)
  Disable mount options when running --privileged

  * Disable mount options when running --privileged (Daniel J Walsh, 2018-11-28)
    We now default to setting storage options to "nodev". When running privileged containers, we need to turn this off so the processes can manipulate the image.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

  * Vendor in latest containers/storage (Daniel J Walsh, 2018-11-28)
    This allows us to modify the container's mount options on a per-container basis.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1777 from rhatdan/shm (OpenShift Merge Robot, 2018-11-30)
  /dev/shm should be mounted even in rootless mode.

  * /dev/shm should be mounted even in rootless mode. (Daniel J Walsh, 2018-11-28)
    Currently we are mounting /dev/shm from disk; it should be from a tmpfs. User Namespace supports tmpfs mounts for nonroot users, so this section of code should work fine in both root and rootless mode.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1906 from baude/addpsp (OpenShift Merge Robot, 2018-11-30)
  add pod short option to ps

  * add pod short option to ps (baude, 2018-11-30)
    podman ps has a flag --pod; simply adding a short option of -p.
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1890 from baude/disablecheckpointtests (OpenShift Merge Robot, 2018-11-28)
  disable checkpoint tests on f29

  * disable checkpoint tests on f29 (baude, 2018-11-28)
    Temporarily disabling checkpoint tests on f29 as they don't currently pass.
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1714 from giuseppe/fix-rootless-tests (OpenShift Merge Robot, 2018-11-28)
  tests: fix rootless tests with an updated runc

  * test, rootless: specify USER env variable (Giuseppe Scrivano, 2018-11-28)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

  * Revert "downgrade runc due a rootless bug" (Giuseppe Scrivano, 2018-11-28)
    This reverts commit 803efd4d380f091c85cd45e0b3c35cf6333d47b7.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1852 from rhatdan/completions (OpenShift Merge Robot, 2018-11-28)
  Cleaning up completions.

  * Fix completions to work with podman run command (Daniel J Walsh, 2018-11-28)
    Also add missing --help and -h and add some consistency to the usage of boolean_options.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1888 from baude/hidekube (OpenShift Merge Robot, 2018-11-28)
  hide kube command for now

  * hide kube command for now (baude, 2018-11-28)
    Until the kube commands are ironed out, we don't want it drawing attention in any release.
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1851 from jwhonce/wip/cmd (OpenShift Merge Robot, 2018-11-28)
  Add support for --all in pypodman ps command

  * Add support for --all in pypodman ps command (Jhon Honce, 2018-11-28)
    * Updated field widths to match changes in go code
    Fixes #1654
    Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Merge pull request #1798 from giuseppe/fix-notify-socket (OpenShift Merge Robot, 2018-11-28)
  systemd: fix NOTIFY_SOCKET with patched runc