Commit message (Author, Age)
* Handle podman exec capabilities correctly (Daniel J Walsh, 2021-01-07)
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Containers should not get inheritable caps by default (Daniel J Walsh, 2021-01-07)
    When I launch a container with --userns=keep-id the rootless processes should have no caps by default even if I launch the container with --privileged. It should only get the caps if I specify by hand the caps I want leaked to the process.

    Currently we turn off capeff and capamb, but not capinh. This patch treats capinh the same way as capeff and capamb.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
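The commit above is about which capability sets a rootless keep-id process ends up with. The following is an added example, not code from podman or from the commit: a small checker that parses the Cap* lines of a /proc/<pid>/status file and reports whether CapInh, CapEff or CapAmb are non-empty, decoding the masks into capability names. The capability bit table is the one from linux/capability.h; the status text embedded below is constructed to show the pre-fix shape (CapInh still populated while CapEff and CapAmb are zero). CapPrm and CapBnd are parsed but not judged, since the commit only speaks to the three sets it clears.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Capability bit numbers as defined in linux/capability.h (bit 0 = CAP_CHOWN).
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
	"CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
	"CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
	"CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
	"CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
	"CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN",
	"CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON",
	"CAP_BPF", "CAP_CHECKPOINT_RESTORE",
}

// ParseCapSets returns the Cap* masks from /proc/<pid>/status text, keyed by
// name without the trailing colon (CapInh, CapPrm, CapEff, CapBnd, CapAmb).
func ParseCapSets(status string) (map[string]uint64, error) {
	sets := map[string]uint64{}
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 || !strings.HasPrefix(f[0], "Cap") {
			continue
		}
		v, err := strconv.ParseUint(f[1], 16, 64)
		if err != nil {
			return nil, fmt.Errorf("%s %q: %w", f[0], f[1], err)
		}
		sets[strings.TrimSuffix(f[0], ":")] = v
	}
	for _, want := range []string{"CapInh", "CapEff", "CapAmb"} {
		if _, ok := sets[want]; !ok {
			return nil, fmt.Errorf("%s line missing", want)
		}
	}
	return sets, nil
}

// Names expands a mask into capability names; bits past the table show as CAP_<n>.
func Names(mask uint64) []string {
	var out []string
	for bit := 0; bit < 64; bit++ {
		if mask&(uint64(1)<<uint(bit)) == 0 {
			continue
		}
		if bit < len(capNames) {
			out = append(out, capNames[bit])
		} else {
			out = append(out, fmt.Sprintf("CAP_%d", bit))
		}
	}
	return out
}

// LeakedCaps returns whichever of the inheritable, effective and ambient sets
// are non-empty. For a rootless keep-id process started without explicit
// --cap-add the expected result is an empty map, even under --privileged.
func LeakedCaps(sets map[string]uint64) map[string][]string {
	leaked := map[string][]string{}
	for _, name := range []string{"CapInh", "CapEff", "CapAmb"} {
		if m := sets[name]; m != 0 {
			leaked[name] = Names(m)
		}
	}
	return leaked
}

// sampleLeaky is constructed: the pre-fix shape, where CapInh still carries a
// default container capability set while CapEff and CapAmb are already clear.
const sampleLeaky = `Name:   sleep
Uid:    1000    1000    1000    1000
CapInh: 00000000a80425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
`

func main() {
	src := sampleLeaky
	if len(os.Args) > 1 { // e.g. a saved copy of /proc/self/status taken inside the container
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Println(err)
			os.Exit(1)
		}
		src = string(b)
	}
	sets, err := ParseCapSets(src)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	leaked := LeakedCaps(sets)
	if len(leaked) == 0 {
		fmt.Println("ok: CapInh, CapEff and CapAmb are all empty")
		return
	}
	for set, names := range leaked {
		fmt.Printf("%s is not empty: %s\n", set, strings.Join(names, ","))
	}
}
```

To check a real container, capture `/proc/self/status` from inside it (for instance with `podman exec <ctr> cat /proc/self/status > status.txt`) and pass the file as the first argument; with no argument the constructed sample is analysed and reports CapInh as non-empty.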
* Merge pull request #8884 from containers/dependabot/go_modules/github.com/google/uuid-1.1.4 (OpenShift Merge Robot, 2021-01-07)
    Bump github.com/google/uuid from 1.1.3 to 1.1.4
  * Bump github.com/google/uuid from 1.1.3 to 1.1.4 (dependabot-preview[bot], 2021-01-05)
      Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.1.3 to 1.1.4.
      - [Release notes](https://github.com/google/uuid/releases)
      - [Commits](https://github.com/google/uuid/compare/v1.1.3...v1.1.4)

      Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
      Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8832 from hshiina/logfile (OpenShift Merge Robot, 2021-01-06)
    Fix e2e test for `podman build --logfile`
  * Fix e2e test for `podman build --logfile` (Hironori Shiina, 2020-12-24)
      Type casting is necessary to see if the logfile size is not equal to 0.

      Signed-off-by: Hironori Shiina <Hironori.Shiina@fujitsu.com>
* Merge pull request #8805 from giuseppe/single-user-mapped-root (OpenShift Merge Robot, 2021-01-06)
    libpod: handle single user mapped as root
  * libpod: handle single user mapped as root (Giuseppe Scrivano, 2020-12-24)
      If a single user is mapped in the user namespace, handle it as root. It is needed for running unprivileged containers with a single user available without being forced to run with euid and egid set to 0.

      Needs: https://github.com/containers/storage/pull/794

      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #8892 from mheon/fix_8886 (OpenShift Merge Robot, 2021-01-06)
    Ensure that user-specified HOSTNAME is honored
  * Ensure that user-specified HOSTNAME is honored (Matthew Heon, 2021-01-06)
      When adding the HOSTNAME environment variable, only do so if it is not already present in the spec. If it is already present, it was likely added by the user, and we should honor their requested value.

      Fixes #8886

      Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #8901 from mheon/reenable_cevich_tests (OpenShift Merge Robot, 2021-01-06)
    Revert e6fbc15f26b2a609936dfc11732037c70ee14cba and reenable tests
  * Revert e6fbc15f26b2a609936dfc11732037c70ee14cba (Matthew Heon, 2021-01-06)
      The issue requiring these tests be disabled should be resolved. Reenable the tests as such.

      Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #8899 from cevich/new_2021_images (OpenShift Merge Robot, 2021-01-06)
    Cirrus: Update Fedora & Ubuntu images
  * Cirrus: Update Fedora & Ubuntu images (Chris Evich, 2021-01-06)
      Signed-off-by: Chris Evich <cevich@redhat.com>
* Merge pull request #8685 from mheon/ignore_containersconf_sysctls_shared_net (OpenShift Merge Robot, 2021-01-05)
    Ignore containers.conf sysctls when sharing namespaces
  * Add default sysctls for pod infra containers (Matthew Heon, 2021-01-04)
      Ensure that infra containers for pods will grab default sysctls from containers.conf, to match how other containers are created. This mostly affects the other containers in the pod, which will inherit those sysctls when they join the pod's namespaces.

      Signed-off-by: Matthew Heon <mheon@redhat.com>
  * Ignore containers.conf sysctls when sharing namespaces (Matthew Heon, 2020-12-10)
      The existing code prevents containers.conf default sysctls from being added if the container uses a host namespace. This patch expands that to not just host namespaces, but also *shared* namespaces - so we never modify another container's (or a pod's) namespaces without being explicitly directed to do so by the user.

      Signed-off-by: Matthew Heon <mheon@redhat.com>
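The two commits above describe a rule (defaults from containers.conf must not be written into a namespace the container does not own) without showing the decision. The following is an added example, not podman's code: a merge function that keeps a default sysctl only when the namespace it modifies is private to the container, drops it when that namespace is the host's or shared with another container or pod, and always keeps what the user asked for explicitly. The prefix-to-namespace table (net.* for network, SysV IPC and mqueue keys for IPC, hostname/domainname for UTS) is the conventional Linux layout and is an assumption of this example, as are the NSMode/Namespaces types; the containers.conf value in main is the one the sample configuration file carries.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// NSMode records where a container's namespace comes from.
type NSMode int

const (
	NSPrivate NSMode = iota // a fresh namespace owned by this container
	NSHost                  // the host's namespace
	NSShared                // joined from another container or from a pod
)

// Namespaces covers the three namespace kinds that sysctls can modify.
type Namespaces struct {
	Net, IPC, UTS NSMode
}

// sysctlNamespace maps a sysctl key to the namespace it modifies. The prefix
// table is the conventional Linux layout (an assumption of this example, not
// read from podman). Keys outside the table return "" and are not tracked.
func sysctlNamespace(key string) string {
	switch {
	case strings.HasPrefix(key, "net."):
		return "net"
	case strings.HasPrefix(key, "kernel.shm"), strings.HasPrefix(key, "kernel.msg"),
		strings.HasPrefix(key, "kernel.sem"), strings.HasPrefix(key, "fs.mqueue."):
		return "ipc"
	case key == "kernel.hostname", key == "kernel.domainname":
		return "uts"
	}
	return ""
}

// ownsNamespace is true when the container has a private copy of the namespace
// the sysctl would modify. Host and shared namespaces belong to someone else.
func ownsNamespace(ns Namespaces, which string) bool {
	switch which {
	case "net":
		return ns.Net == NSPrivate
	case "ipc":
		return ns.IPC == NSPrivate
	case "uts":
		return ns.UTS == NSPrivate
	}
	return true
}

// ApplyDefaultSysctls merges containers.conf defaults with the user's explicit
// sysctls. A default is dropped when the namespace it would write to is host
// or shared, so a default never silently modifies another container's (or a
// pod's) namespace. User-specified sysctls are always kept: the user asked.
// The dropped default keys are returned sorted so a caller can log them.
func ApplyDefaultSysctls(defaults, user map[string]string, ns Namespaces) (map[string]string, []string) {
	applied := map[string]string{}
	var dropped []string
	for k, v := range defaults {
		if !ownsNamespace(ns, sysctlNamespace(k)) {
			dropped = append(dropped, k)
			continue
		}
		applied[k] = v
	}
	for k, v := range user {
		applied[k] = v
	}
	sort.Strings(dropped)
	return applied, dropped
}

func main() {
	// Default taken from the sample containers.conf. A pod member that joins
	// the pod's network namespace must not receive it, while the sysctl the
	// user passed explicitly is still applied.
	defaults := map[string]string{"net.ipv4.ping_group_range": "0 0"}
	user := map[string]string{"net.ipv4.ip_unprivileged_port_start": "80"}
	applied, dropped := ApplyDefaultSysctls(defaults, user, Namespaces{Net: NSShared})
	fmt.Println("applied:", applied)
	fmt.Println("dropped defaults:", dropped)
}
```

The zero value of Namespaces means all three namespaces are private, which is the only configuration in which every default is applied; an infra container created with the same function therefore gets the defaults, and the containers that later join its namespaces do not re-apply them.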
* Merge pull request #8889 from vrothberg/run-1138 (OpenShift Merge Robot, 2021-01-05)
    generate systemd: do not set `KillMode`
  * generate systemd: do not set `KillMode` (Valentin Rothberg, 2021-01-05)
      `KillMode=none` has been deprecated in systemd and is now throwing big warnings when being used. Users have reported the issues upstream (see #8615) and on the mailing list.

      This deprecation was mainly motivated by an abusive use of third-party vendors causing all kinds of undesired side-effects. For instance, busy mounts that delay reboot.

      After talking to the systemd team, we came up with the following plan:

      **Short term**: we can use TimeoutStopSec and remove KillMode=none which will default to cgroup.

      **Long term**: we want to change the type to sdnotify. The plumbing for Podman is done but we need it for conmon. Once sdnotify is working, we can get rid of the pidfile handling etc. and let Podman handle it.

      Michal Seklatar came up with a nice idea that Podman increase the time out on demand. That's a much cleaner way than hard-coding the time out in the unit as suggested in the short-term solution.

      This change is executing the short-term plan and sets a minimum timeout of 60 seconds. User-specified timeouts are added to that.

      Fixes: #8615

      Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
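The short-term plan in the commit above is mechanical enough to apply to units that were generated before the fix. The following is an added example, not podman's own code and not what `podman generate systemd` emits: a rewriter that removes `KillMode=none` from the `[Service]` section of a unit and ensures `TimeoutStopSec` is at least 60 seconds plus the stop timeout the user asked for, adding the directive under the section header when it is missing and raising it when it is too small. The sample unit at the bottom is constructed to resemble the pre-fix shape; its directives are illustrative, not copied from podman's template.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// minStopTimeout is the 60 second floor described in the commit above.
const minStopTimeout = 60

// StopTimeout is the short-term plan: the floor plus the user's own stop timeout.
func StopTimeout(userTimeout uint) uint { return minStopTimeout + userTimeout }

// serviceLines returns the indices of the lines inside [Service], so that
// nothing outside that section is touched.
func serviceLines(lines []string) []int {
	var idx []int
	in := false
	for i, l := range lines {
		t := strings.TrimSpace(l)
		if strings.HasPrefix(t, "[") && strings.HasSuffix(t, "]") {
			in = t == "[Service]"
			continue
		}
		if in {
			idx = append(idx, i)
		}
	}
	return idx
}

// RewriteUnit drops KillMode=none from [Service] and makes sure TimeoutStopSec
// is at least StopTimeout(userTimeout). A larger or non-numeric TimeoutStopSec
// is left alone; a missing one is added directly under the [Service] header.
// It returns the new text and whether anything changed.
func RewriteUnit(unit string, userTimeout uint) (string, bool) {
	want := StopTimeout(userTimeout)
	lines := strings.Split(unit, "\n")
	changed, haveTimeout := false, false
	drop := map[int]bool{}
	for _, i := range serviceLines(lines) {
		kv := strings.SplitN(strings.TrimSpace(lines[i]), "=", 2)
		if len(kv) != 2 {
			continue
		}
		key, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		switch key {
		case "KillMode":
			if val == "none" {
				drop[i] = true // the deprecated setting; systemd then defaults to cgroup
				changed = true
			}
		case "TimeoutStopSec":
			haveTimeout = true
			if n, err := strconv.ParseUint(val, 10, 64); err == nil && n < uint64(want) {
				lines[i] = fmt.Sprintf("TimeoutStopSec=%d", want)
				changed = true
			}
		}
	}
	var out []string
	for i, l := range lines {
		if drop[i] {
			continue
		}
		out = append(out, l)
		if !haveTimeout && strings.TrimSpace(l) == "[Service]" {
			out = append(out, fmt.Sprintf("TimeoutStopSec=%d", want))
			changed = true
		}
	}
	return strings.Join(out, "\n"), changed
}

// sampleUnit is a constructed unit in the pre-fix shape, not podman's actual output.
const sampleUnit = `[Unit]
Description=Podman container-web.service

[Service]
Restart=on-failure
ExecStart=/usr/bin/podman start web
ExecStop=/usr/bin/podman stop -t 10 web
KillMode=none
Type=forking

[Install]
WantedBy=multi-user.target
`

func main() {
	rewritten, changed := RewriteUnit(sampleUnit, 10) // the user asked for a 10 second stop timeout
	fmt.Printf("changed=%v\n%s", changed, rewritten)
}
```

Running it on the sample removes the `KillMode=none` line and inserts `TimeoutStopSec=70`; running it again on its own output changes nothing, which is the property you want before pointing it at every unit under `~/.config/systemd/user`.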
* Merge pull request #8831 from bblenard/issue-8658-system-prune-reclaimed-space (OpenShift Merge Robot, 2021-01-05)
    Rework pruning to report reclaimed space
  * Rework pruning to report reclaimed space (Baron Lenardson, 2020-12-30)
      This change adds code to report the reclaimed space after a prune. Reclaimed space from volumes, images, and containers is recorded during the prune call in a PruneReport struct. These structs are collected into a slice during a system prune and processed afterwards to calculate the total reclaimed space.

      Closes #8658

      Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
* Merge pull request #8885 from vrothberg/vendor-psgo (OpenShift Merge Robot, 2021-01-05)
    vendor containers/psgo@v1.5.2
  * vendor containers/psgo@v1.5.2 (Valentin Rothberg, 2021-01-05)
      Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #8873 from baude/issue8864 (OpenShift Merge Robot, 2021-01-05)
    close journald when reading
  * close journald when reading (baude, 2021-01-04)
      When reading from journald, we need to close the journal handler for events and logging.

      Fixes: #8864

      Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #8878 from mheon/no_edit_config (OpenShift Merge Robot, 2021-01-04)
    Ensure we do not edit container config in Exec
  * Ensure we do not edit container config in Exec (Matthew Heon, 2021-01-04)
      The existing code grabs the base container's process, and then modifies it for use with the exec session. This could cause errors in `podman inspect` or similar on the container, as the definition of its OCI spec has been changed by the exec session. The change never propagates to the DB, so it's limited to a single process, but we should still avoid it when possible - so deep-copy it before use.

      Signed-off-by: Matthew Heon <mheon@redhat.com>
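The hazard in the commit above is easy to reproduce in Go because copying a struct value copies pointer fields by reference. The following is an added example, not podman's code: trimmed stand-ins for the runtime-spec Process and LinuxCapabilities types (assumed shapes; the real ones live in opencontainers/runtime-spec), a shallow "copy" that leaks the exec session's extra capabilities into the container's own process definition, and a deep copy via a JSON round trip that keeps the two independent. The capability values are illustrative.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Stand-ins for the runtime-spec types (assumed, trimmed shapes).
type LinuxCapabilities struct {
	Bounding    []string `json:"bounding,omitempty"`
	Effective   []string `json:"effective,omitempty"`
	Inheritable []string `json:"inheritable,omitempty"`
	Permitted   []string `json:"permitted,omitempty"`
	Ambient     []string `json:"ambient,omitempty"`
}

type Process struct {
	Args         []string           `json:"args,omitempty"`
	Env          []string           `json:"env,omitempty"`
	Capabilities *LinuxCapabilities `json:"capabilities,omitempty"`
}

// DeepCopy returns a copy that shares no slices or pointers with the original,
// via a JSON round trip. The real spec types are JSON-serialisable too.
func (p *Process) DeepCopy() (*Process, error) {
	b, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	var out Process
	if err := json.Unmarshal(b, &out); err != nil {
		return nil, err
	}
	return &out, nil
}

// execProcessShallow is the pattern the commit above replaces: `*base` copies
// only the struct header, so Capabilities still points into the container's
// spec and the exec session's extra caps end up in the container's own config.
func execProcessShallow(base *Process, args, extraCaps []string) *Process {
	p := *base
	p.Args = args
	p.Capabilities.Effective = append(p.Capabilities.Effective, extraCaps...)
	return &p
}

// execProcessDeep copies first, so the exec session can be customised without
// touching what `podman inspect` would later show for the container.
func execProcessDeep(base *Process, args, extraCaps []string) (*Process, error) {
	p, err := base.DeepCopy()
	if err != nil {
		return nil, err
	}
	p.Args = args
	if p.Capabilities == nil {
		p.Capabilities = &LinuxCapabilities{}
	}
	p.Capabilities.Effective = append(p.Capabilities.Effective, extraCaps...)
	return p, nil
}

// newBase builds a constructed container process definition.
func newBase() *Process {
	return &Process{
		Args:         []string{"/bin/sh"},
		Env:          []string{"PATH=/usr/bin"},
		Capabilities: &LinuxCapabilities{Effective: []string{"CAP_CHOWN"}},
	}
}

func main() {
	base := newBase()
	execProcessShallow(base, []string{"id"}, []string{"CAP_SYS_ADMIN"})
	fmt.Println("after shallow copy, container effective caps:", base.Capabilities.Effective)

	base = newBase()
	if _, err := execProcessDeep(base, []string{"id"}, []string{"CAP_SYS_ADMIN"}); err != nil {
		panic(err)
	}
	fmt.Println("after deep copy, container effective caps:", base.Capabilities.Effective)
}
```

The first line of output shows CAP_SYS_ADMIN sitting in the container's effective set even though only the exec session asked for it; the second shows the container definition unchanged.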
* Merge pull request #8875 from rhatdan/image (OpenShift Merge Robot, 2021-01-04)
    Allow image errors to bubble up from lower level functions.
  * Allow image errors to bubble up from lower level functions. (Daniel J Walsh, 2021-01-04)
      Currently we ignore ErrMultipleImages being returned from findImageInRepoTags.

      Fixes: https://github.com/containers/podman/issues/8868

      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8876 from vrothberg/fix-8870 (OpenShift Merge Robot, 2021-01-04)
    libpod API: pull: fix channel race
  * libpod API: pull: fix channel race (Valentin Rothberg, 2021-01-04)
      Fix a race condition in the pull endpoint caused by buffered channels. Using buffered channels can lead to the context's cancel function to be executed prior to the items being read from the channel.

      Fixes: #8870

      Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
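The commit above names the race but not its shape. The following is an added example, not the pull endpoint's code: a producer that buffers its results and then cancels a context to signal completion, paired with a consumer that also watches that context and therefore sometimes returns with items still sitting in the buffer, next to a version where completion is signalled by closing an unbuffered channel and cancellation only stops the producer. The "layer N" strings are constructed stand-ins for whatever the real endpoint streams.

```go
package main

import (
	"context"
	"fmt"
)

// pullRacy mirrors the shape the commit above fixes: results are buffered, and
// the producer cancels the context as soon as it has finished sending. Because
// buffered sends never block, cancel() may run before the consumer has read a
// single item, and a consumer that also selects on ctx.Done() can return early.
func pullRacy(parent context.Context, n int) (<-chan string, context.Context) {
	ctx, cancel := context.WithCancel(parent)
	ch := make(chan string, n)
	go func() {
		defer cancel() // a "done" signal that knows nothing about unread items
		for i := 0; i < n; i++ {
			ch <- fmt.Sprintf("layer %d", i)
		}
	}()
	return ch, ctx
}

func consumeRacy(ctx context.Context, ch <-chan string) []string {
	var got []string
	for {
		select {
		case <-ctx.Done():
			return got // may fire while items are still buffered
		case s := <-ch:
			got = append(got, s)
		}
	}
}

// pullFixed uses an unbuffered channel that the producer closes when it is
// done, so completion is signalled by the close rather than by a context that
// can overtake unread items. The caller's context still stops the producer.
func pullFixed(ctx context.Context, n int) <-chan string {
	ch := make(chan string)
	go func() {
		defer close(ch)
		for i := 0; i < n; i++ {
			select {
			case ch <- fmt.Sprintf("layer %d", i):
			case <-ctx.Done():
				return
			}
		}
	}()
	return ch
}

func consumeFixed(ch <-chan string) []string {
	var got []string
	for s := range ch {
		got = append(got, s)
	}
	return got
}

// lostRuns counts how many of `trials` racy pulls delivered fewer than n items.
func lostRuns(trials, n int) int {
	lost := 0
	for i := 0; i < trials; i++ {
		ch, ctx := pullRacy(context.Background(), n)
		if len(consumeRacy(ctx, ch)) < n {
			lost++
		}
	}
	return lost
}

func main() {
	const n, trials = 8, 1000
	fmt.Printf("racy: %d of %d runs lost items\n", lostRuns(trials, n), trials)
	fmt.Printf("fixed: %d items received\n", len(consumeFixed(pullFixed(context.Background(), n))))
}
```

The racy count varies between runs because Go picks a ready select case at random; the fixed path always yields all n items, and a cancelled caller context makes the producer stop at the next send instead of silently filling a buffer nobody will drain.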
* Merge pull request #8869 from giuseppe/make-rundir-accessible (OpenShift Merge Robot, 2021-01-04)
    systemd: make rundir always accessible
  * test: fix variable name (Giuseppe Scrivano, 2021-01-04)
      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * systemd: make rundir always accessible (Giuseppe Scrivano, 2021-01-04)
      So that the PIDFile can be accessed also without being in the rootless user namespace.

      Closes: https://github.com/containers/podman/issues/8506

      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #8859 from containers/dependabot/go_modules/github.com/google/uuid-1.1.3 (OpenShift Merge Robot, 2021-01-04)
    Bump github.com/google/uuid from 1.1.2 to 1.1.3
  * Bump github.com/google/uuid from 1.1.2 to 1.1.3 (dependabot-preview[bot], 2020-12-31)
      Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.1.2 to 1.1.3.
      - [Release notes](https://github.com/google/uuid/releases)
      - [Commits](https://github.com/google/uuid/compare/v1.1.2...v1.1.3)

      Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8863 from mgoltzsche/fix_seccomp_when_privileged (OpenShift Merge Robot, 2021-01-04)
    Disable seccomp by default when creating a privileged container.
  * fix: disable seccomp by default when privileged. (Max Goltzsche, 2021-01-02)
      When running a privileged container and `SeccompProfilePath` is empty no seccomp profile should be applied. (Previously this was the case only if `SeccompProfilePath` was set to a non-empty default path.)

      Closes #8849

      Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
* Merge pull request #8823 from giuseppe/exec-honor-privileged (OpenShift Merge Robot, 2021-01-04)
    exec: honor --privileged
  * test: fix variable names (Giuseppe Scrivano, 2020-12-24)
      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * exec: honor --privileged (Giuseppe Scrivano, 2020-12-24)
      Write the capabilities to the configuration passed to the OCI runtime.

      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * libpod: change function to accept ExecOptions (Giuseppe Scrivano, 2020-12-24)
      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #8862 from Luap99/compat-list-filter (OpenShift Merge Robot, 2021-01-03)
    Compat api containers/json add support for filters
  * Compat api containers/json add support for filters (Paul Holzinger, 2021-01-01)
      Fixes #8860

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #8858 from jwhonce/issues/7102 (OpenShift Merge Robot, 2020-12-31)
    Expose Height/Width fields to decoder
  * Expose Height/Width fields to decoder (Jhon Honce, 2020-12-30)
      Fixes #7102

      Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Merge pull request #8852 from afbjorklund/slirp_sandbox-no_pivot_root (OpenShift Merge Robot, 2020-12-30)
    The slirp4netns sandbox requires pivot_root
  * The slirp4netns sandbox requires pivot_root (Anders F Björklund, 2020-12-29)
      Disable the sandbox when running on rootfs.

      Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* Merge pull request #8853 from jubalh/gentoo (OpenShift Merge Robot, 2020-12-30)
    Add support for Gentoo file to package query
  * Add support for Gentoo file to package query (Michael Vetter, 2020-12-29)
      On Gentoo systems where `app-portage/gentoolkit` is installed the binary `equery` is used to query for information on which package a file belongs to.

      Signed-off-by: Michael Vetter <jubalh@iodoru.org>