Commit message (Author, Age)
* Merge pull request #9942 from mheon/fix_9919 (OpenShift Merge Robot, 2021-04-06)
  Ensure that `--userns=keep-id` sets user in config

* Ensure that `--userns=keep-id` sets user in config (Matthew Heon, 2021-04-06)
  One of the side-effects of the `--userns=keep-id` command is switching the default user of the container to the UID of the user running Podman (though this can still be overridden by the `--user` flag). However, it did this by setting the UID and GID in the OCI spec, and not by informing Libpod of its intention to switch users via the `WithUser()` option. Because of this, a lot of the code that should have triggered when the container ran with a non-root user was not triggering. In the case of the issue that this fixed, the code to remove capabilities from non-root users was not triggering. Adjust the keep-id code to properly inform Libpod of our intention to use a non-root user to fix this.

  Also, fix an annoying race around short-running exec sessions where Podman would always print a warning that the exec session had already stopped.

  Fixes #9919

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #9944 from jwhonce/wip/operation_id (OpenShift Merge Robot, 2021-04-06)
  [CI:DOCS] Set all swagger operation IDs to be compatible

* [CI:DOCS] Set all operation IDs to be compatible (Jhon Honce, 2021-04-05)
  Libpod operation IDs changed to better match compatible IDs.

  Builds on https://github.com/containers/podman/pull/9123 and corrects a duplicated ID.

  Signed-off-by: Jhon Honce <jhonce@redhat.com>

* Move operationIds to swagger:operation line (Tom Deseyn, 2021-04-05)
  Signed-off-by: Tom Deseyn <tom.deseyn@gmail.com>

* swagger: add operationIds that match with docker (Tom Deseyn, 2021-04-05)
  Signed-off-by: Tom Deseyn <tom.deseyn@gmail.com>
* Merge pull request #9938 from jmguzik/network-bindings-initial-tests (OpenShift Merge Robot, 2021-04-05)
  Initial network bindings tests

* Initial network bindings tests (Jakub Guzik, 2021-04-05)
  Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* Merge pull request #9917 from baude/machineconventions (OpenShift Merge Robot, 2021-04-05)
  fix machine naming conventions

* fix machine naming conventions (baude, 2021-04-05)
  try to align the machine commands and their usage descriptions.

  [NO TESTS NEEDED]

  Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #9933 from jmguzik/network-prune-with-until-tests (OpenShift Merge Robot, 2021-04-05)
  Http api tests for network prune with until filter

* Http api tests for network prune with until filter (Jakub Guzik, 2021-04-04)
  Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* Merge pull request #9939 from mheon/release_notes_cve (OpenShift Merge Robot, 2021-04-05)
  [ci:docs] Update release notes to indicate CVE fix

* Update release notes to indicate CVE fix (Matthew Heon, 2021-04-05)
  We didn't release this with the original release notes as the fix was still under embargo.

  Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #9940 from rhatdan/auth (OpenShift Merge Robot, 2021-04-05)
  Verify existence of auth file if specified

* Verify existence of auth file if specified (Daniel J Walsh, 2021-04-05)
  Fixes: https://github.com/containers/podman/issues/9572

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9909 from w4tsn/docs/add-containers-storage-transport (OpenShift Merge Robot, 2021-04-05)
  [CI:DOCS] Add transport and destination info to manifest doc

* Add transport and destination info to manifest doc (Alexander Wellbrock, 2021-04-03)
  Initially I was missing transport information on podman manifest add. Especially the `containers-storage` transport which references the local image store. Had a use case where this came in quite handy and it is not stated anywhere else in the docs. Suppose it does not make sense for podman pull & push.

  I've only added containers-storage and docker transports for manifest add since I know those work. Maybe others work too.

  I then also added the destination section to manifest push as it is done in podman push & pull. I've added all transports here, but I don't know if all are supported. Please review.

  Signed-off-by: Alexander Wellbrock <a.wellbrock@mailbox.org>
* Merge pull request #9911 from rhatdan/storage (OpenShift Merge Robot, 2021-04-05)
  Allow users to override default storage opts with --storage-opt

* Allow users to override default storage opts with --storage-opt (Daniel J Walsh, 2021-04-05)
  We define in the man page that this overrides the default storage options, but the code was appending to the existing options.

  This PR also makes a change to allow users to specify --storage-opt="". This will turn off all storage options.

  https://github.com/containers/podman/issues/9852

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9907 from rhatdan/options (OpenShift Merge Robot, 2021-04-05)
  Add support for podman --context default

* Add support for podman --context default (Daniel J Walsh, 2021-04-05)
  This is a noop but helps with scripting and docker-compose.

  Fixes: https://github.com/containers/podman/issues/9806

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9895 from rhatdan/relabel (OpenShift Merge Robot, 2021-04-05)
  Don't relabel volumes if running in a privileged container

* Don't relabel volumes if running in a privileged container (Daniel J Walsh, 2021-04-05)
  Docker does not relabel this content, and OpenStack is running containers in this manner. There is a penalty for doing this on each container, that is not worth taking on a disabled-SELinux container.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9313 from jwhonce/issues/8773 (OpenShift Merge Robot, 2021-04-05)
  Add default template functions

* Add default template functions (Jhon Honce, 2021-04-02)
  For commands that use the golang template library directly add the compatible template functions.

  [NO TESTS NEEDED]

  Fixes #8773

  Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Merge pull request #9423 from Luap99/rootless-cni-no-infra (OpenShift Merge Robot, 2021-04-05)
  rootless cni without infra container

* Add rootless docker-compose test to the CI (Paul Holzinger, 2021-04-01)
  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

* Use the slirp4netns dns in the rootless cni ns (Paul Holzinger, 2021-04-01)
  If a user only has a local dns server in the resolv.conf file the dns resolution will fail. Instead we create a new resolv.conf which will use the slirp4netns dns.

  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

* Cleanup the rootless cni namespace (Paul Holzinger, 2021-04-01)
  Delete the network namespace and kill the slirp4netns process when it is no longer needed.

  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

* Add new docker-compose test for two networks (Paul Holzinger, 2021-04-01)
  Also fix the tests so we can use the podman function with the output.

  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

* Make the docker-compose test work rootless (Paul Holzinger, 2021-04-01)
  Make sure the DOCKER_SOCK location is accessible by the user when run rootless. Also set the DOCKER_HOST env var to ensure docker-compose will use the non default location.

  Cleanup steps such as `rm` or `umount` must be run inside podman unshare otherwise they can fail due to missing privileges.

  Change the curl test to use --retry-all-errors otherwise the tests will flake. The web server inside the container will return http code 500 sometimes, most likely because it is not fully ready to accept connections. With --retry-all-errors curl will retry instead of failing and thus the test will work.

  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

* Remove unused rootless-cni-infra container files (Paul Holzinger, 2021-04-01)
  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

* Only use rootless RLK when the container has ports (Paul Holzinger, 2021-04-01)
  Do not invoke the rootlesskit port forwarder when the container has no ports.

  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

* Fix dnsname test (Paul Holzinger, 2021-04-01)
  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

* Enable rootless network connect/disconnect (Paul Holzinger, 2021-04-01)
  With the new rootless cni supporting network connect/disconnect is easy. Combine common steps into extra functions to prevent code duplication.

  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

* Move slirp4netns functions into an extra file (Paul Holzinger, 2021-04-01)
  This should make maintenance easier.

  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

* Fix pod infra container cni network setup (Paul Holzinger, 2021-04-01)
  For rootless users the infra container used the slirp4netns net mode even when bridge was requested. We can support bridge networking for rootless users so we have to allow this. The default is not changed.

  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

* Add rootless support for cni and --uidmap (Paul Holzinger, 2021-04-01)
  This is supported with the new rootless cni logic.

  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

* rootless cni without infra container (Paul Holzinger, 2021-04-01)
  Instead of creating an extra container create a network and mount namespace inside the podman user namespace. This ns is used for rootless cni operations. This helps to align the rootless and rootful network code path. If we run as rootless we just have to set up an extra net ns and initialize slirp4netns in it. The ocicni lib will be called in that net ns. This design allows easier maintenance, no extra container with pause processes, support for rootless cni with --uidmap and possibly more.

  The biggest problem is backwards compatibility. I don't think live migration can be possible. If the user reboots or restarts all cni containers everything should work as expected again. The user is left with the rootless-cni-infra container and image but this can safely be removed.

  To make the existing cni configs work we need to execute the cni plugins in an extra mount namespace. This ensures that we can safely mount over /run and /var which have to be writeable for the cni plugins without removing access to these files by the main podman process. One caveat is that we need to keep the netns files at `XDG_RUNTIME_DIR/netns` accessible. `XDG_RUNTIME_DIR/rootless-cni/{run,var}` will be mounted to `/{run,var}`. To ensure that we keep the netns directory we bind mount this relative to the new root location, e.g. XDG_RUNTIME_DIR/rootless-cni/run/user/1000/netns before we mount the run directory. The run directory is mounted recursively, this makes the netns directory at the same path accessible as before. This also allows iptables-legacy to work because /run/xtables.lock is now writeable.

  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #9928 from pendulm/fix_rootless_socket_activation (OpenShift Merge Robot, 2021-04-05)
  Fix rootless socket activation

* Move socket activation check into init() and set global condition. (pendulm, 2021-04-05)
  So rootless setup could use this condition in parent and child; the child podman should adjust LISTEN_PID to its own PID.

  Add system test for systemd socket activation.

  Signed-off-by: pendulm <lonependulm@gmail.com>
* Merge pull request #9937 from containers/dependabot/go_modules/github.com/onsi/ginkgo-1.16.0 (OpenShift Merge Robot, 2021-04-05)
  Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.0

* Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.0 (dependabot[bot], 2021-04-05)
  Bumps [github.com/onsi/ginkgo](https://github.com/onsi/ginkgo) from 1.15.2 to 1.16.0.
  - [Release notes](https://github.com/onsi/ginkgo/releases)
  - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
  - [Commits](https://github.com/onsi/ginkgo/compare/v1.15.2...v1.16.0)

  Signed-off-by: dependabot[bot] <support@github.com>
* Merge pull request #9929 from eriksjolund/fix_typo_uidmapping (OpenShift Merge Robot, 2021-04-05)
  [CI:DOCS] Fix typos --uidmapping and --gidmapping and adjust Markdown layout for --userns

* podman-run.1.md, podman-create.1.md : Adjust Markdown layout for --userns (Erik Sjölund, 2021-04-03)
  * Adjust Markdown layout for --userns.
  * Make the --userns sections identical for podman-run.1.md and podman-create.1.md

  Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>

* Fix typos --uidmapping and --gidmapping (Erik Sjölund, 2021-04-03)
  * Fix typos --uidmapping and --gidmapping in podman-run.1.md
  * Add the corresponding sentence in podman-create.1.md

  Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
* Merge pull request #9900 from containers/dependabot/go_modules/github.com/rootless-containers/rootlesskit-0.14.1 (OpenShift Merge Robot, 2021-04-04)
  Bump github.com/rootless-containers/rootlesskit from 0.14.0 to 0.14.1

* Bump github.com/rootless-containers/rootlesskit from 0.14.0 to 0.14.1 (dependabot[bot], 2021-04-03)
  Bumps [github.com/rootless-containers/rootlesskit](https://github.com/rootless-containers/rootlesskit) from 0.14.0 to 0.14.1.
  - [Release notes](https://github.com/rootless-containers/rootlesskit/releases)
  - [Commits](https://github.com/rootless-containers/rootlesskit/compare/v0.14.0...v0.14.1)

  Signed-off-by: dependabot[bot] <support@github.com>
* Merge pull request #9884 from rhatdan/build (OpenShift Merge Robot, 2021-04-04)
  Fix missing podman-remote build options