| Commit message (Collapse) | Author | Age |
|
since we now enter the user namespace prior to reading the conmon.pid, we
can write the conmon.pid file again to the runtime dir.
This reverts commit 6c6a8654363457a9638d58265d0a7e8743575d7a.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
otherwise the processes we leave around will be killed once the
session terminates.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
move the logic for joining existing namespaces down to the rootless
package. In main_local we still retrieve the list of conmon pid files
and use it from the rootless package.
In addition, create a temporary user namespace for reading these
files, as the unprivileged user might not have enough privileges for
reading the conmon pid file, for example when running with a different
uidmap and root in the container is different than the rootless user.
Closes: https://github.com/containers/libpod/issues/3187
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
block signals for the pause process, so it can't be killed by
mistake.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
userns: add new option --userns=keep-id
|
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
it creates a namespace where the current UID:GID on the host is mapped
to the same UID:GID in the container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
Fix a potential flake in the tests for podman cp
|
Instead of using the working directory, use a subdirectory of the
temporary directory created for the individual test, to prevent a
potential EEXIST for shared working directory.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
Cirrus: Add zip package to images
|
Signed-off-by: Chris Evich <cevich@redhat.com>
|
Signed-off-by: Chris Evich <cevich@redhat.com>
|
document nullable types
|
the varlink doc generator was ignoring all nullable types when
generating its documentation
Signed-off-by: baude <bbaude@redhat.com>
|
rootless: fix top huser and hgroup
|
when running in rootless mode, be sure psgo is honoring the user
namespace settings for huser and hgroup.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
hack: Display IP address of VM from script
|
Signed-off-by: Chris Evich <cevich@redhat.com>
|
Signed-off-by: Chris Evich <cevich@redhat.com>
|
Useful for accessing it from other terminals.
Signed-off-by: Chris Evich <cevich@redhat.com>
|
Fixup Flags
|
Mark hidden all references to signature-policy
Default all uses of --authfile
Add --authfile support to podman run and podman create.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
Add test cases for login and logout
|
As logout tests request login to the registry, we plan to test them
together. There are five test cases added:
1. Podman login and logout with default value
3. Podman login and logout with --authfile
2. Podman login and logout with --tls-verify
4. Podman login and logout with --cert-dir
5. Podman login and logout with multi registry
All above test cases are using docker registry v2
Signed-off-by: Yiqiao Pu <ypu@redhat.com>
|
Fix a 'generate kube' bug on ctrs with named volumes
|
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
We need to pass the Pod ID in as part of the CreateConfig.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
make remote resize channel buffered
|
when doing any sort of attach to a container, a sigwinch is sent
followed by a resize event. this is fine for the local client but when
doing things over the varlink, the first sigwinch is wiped out by the
immediate resize event and is therefore lost. by making the channel
buffered, both events are processed after the varlink connection is
established.
Signed-off-by: baude <bbaude@redhat.com>
|
When superseding mounts, check for opposite types
|
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
When we supersede low-priority mounts and volumes (image volumes,
and volumes sourced from --volumes-from) with higher-priority
ones (the --volume and --mount flags), we always replaced
lower-priority mounts of the same type (e.g. a user mount to
/tmp/test1 would supersede a volumes-from mount to the same
destination). However, we did not supersede the opposite type - a
named volume from image volumes at /tmp/test1 would be allowed to
remain and create a conflict, preventing container creation.
Solve this by destroying opposite types before merging (we can't
do it in the same loop, as then named volumes, which go second,
might trample changes made by mounts).
Fixes #3174
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
libpod: prefer WaitForFile to polling
|
replace two usages of kwait.ExponentialBackoff in favor of WaitForFile
that uses inotify when possible.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
rootless: use a pause process to keep namespaces alive
|
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
add a shortcut for joining immediately the namespace so we don't need
to re-exec Podman.
With the pause process simplification, we can now attempt to join the
namespaces as soon as Podman starts (and before the Go runtime kicks
in), so that we don't need to re-exec and use just one process.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
use a pause process to keep the user and mount namespace alive.
The pause process is created immediately on reload, and all successive
Podman processes will refer to it for joining the user&mount
namespace.
This solves all the race conditions we had on joining the correct
namespaces using the conmon processes.
As a fallback if the join fails for any reason (e.g. the pause process
was killed), then we try to join the running containers as we were
doing before.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
this leaves the containers stopped but we won't risk using the wrong
user namespace.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
Cirrus: Support testing of VM cache-image changes
|
Signed-off-by: Chris Evich <cevich@redhat.com>
|
Occasionally, and seemingly only on F29 the root disk fails to expand
upon boot. When this happens, any number of failures could occur if
space runs out. Until there is time to investigate the actual cause,
work around this problem by detecting it and acting accordingly.
Signed-off-by: Chris Evich <cevich@redhat.com>
|
New base-image boots, a cache-image builds, but more work is needed for
it to be prime-time ready. This commit just adds some updates to the
scaffolding necessary to build the base-image. Future work will make F30
more of a reality.
Also add log-collection scripts to test image verification task
Signed-off-by: Chris Evich <cevich@redhat.com>
|
Also remove disused distros (RHEL/CentOS/FAH) and fix get_ci_vm script
Signed-off-by: Chris Evich <cevich@redhat.com>
|
Signed-off-by: Chris Evich <cevich@redhat.com>
|
Also, add jq and catatonit installs to images.
Signed-off-by: Chris Evich <cevich@redhat.com>
|