summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* libpod: create /etc/mtab safelyGiuseppe Scrivano2021-12-06
| | | | | | | | | | | make sure the /etc/mtab symlink is created inside the rootfs when /etc is a symlink. Closes: https://github.com/containers/podman/issues/12189 [NO NEW TESTS NEEDED] there is already a test case Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Always create working directory when using compat APIMichael Scherer2021-12-06
| | | | | | | | | | | | | Docker/Moby always create the working directory, and some tools rely on that behavior (example, woodpecker/drone). Fixes #11842 Signed-off-by: Michael Scherer <misc@redhat.com> <MH: Fixed cherry-pick conflicts> Signed-off-by: Matthew Heon <mheon@redhat.com>
* Fix network mode in play kubePaul Holzinger2021-12-06
| | | | | | | | | | | | | | We need to use the config network mode when no network mode was set. To do so we have to keep the nsmode empty, MakeContainer() will use the correct network mode from the config when needed. Fixes #12248 Signed-off-by: Paul Holzinger <pholzing@redhat.com> <MH: Fixed cherry-pick conflicts> Signed-off-by: Matthew Heon <mheon@redhat.com>
* Bump to containers/image v5.17.0Matthew Heon2021-12-06
| | | | | | This resolves CVE-2021-41190 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Update release notes for changes already in branchMatthew Heon2021-12-06
| | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #12517 from Luap99/machine-dnsOpenShift Merge Robot2021-12-06
|\ | | | | podman machine: use gvproxy for host.containers.internal
| * podman machine: use gvproxy for host.containers.internalPaul Holzinger2021-12-06
|/ | | | | | | | | | | | | | | | Let the gvproxy dns server handle the host.containers.internal entry. Support for this is already added to gvproxy. [1] To make sure the container uses the dns response from gvproxy we should not add host.containers.internal to /etc/hosts in this case. [NO NEW TESTS NEEDED] podman machine has no tests Fixes #11642 [1] https://github.com/containers/gvisor-tap-vsock/commit/1108ea45162281046d239047a6db9bc187e64b08 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #12497 from mheon/fix_2021_4024OpenShift Merge Robot2021-12-03
|\ | | | | Fix CVE-2021-4024 - v3.4 branch
| * Swap bind address for gvproxy to localhost-onlyMatthew Heon2021-12-03
|/ | | | | | | | | | | This resolves CVE-2021-4024, where an attacker could access the API externally and forward any port they desired to the VM from `podman machine`. [NO NEW TESTS NEEDED] gvproxy is not tested directly at this time. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #12463 from vrothberg/backport-12449OpenShift Merge Robot2021-12-01
|\ | | | | [3.4] systemd: replace multi-user with default.target
| * systemd: replace multi-user with default.targetValentin Rothberg2021-12-01
|/ | | | | | | | | | | | Replace multi-user.target with default.target across the code base. It seems like the multi-user one is not available for (rootless) users on F35 anymore is causing issues in all kinds of ways, for instance, enabling the podman.service or generated systemd units. Backport of commit 9a10e2124bb11027fc71db4c495c116277b8b7e3. Fixes: #12438 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12451 from vrothberg/backport-12064OpenShift Merge Robot2021-11-30
|\ | | | | [v3.4] container create: fix --tls-verify parsing
| * container create: fix --tls-verify parsingValentin Rothberg2021-11-30
|/ | | | | | | | | | | Make sure that the value is only set if specified on the CLI. c/image already defaults to true but if set in the system context, we'd skip settings in the registries.conf. Backport of commit ff31f2264da. Fixes: #11933 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12447 from jakub-dzon/env-config-maps-backportOpenShift Merge Robot2021-11-30
|\ | | | | Support env variables based on ConfigMaps sent in payload
| * Support env variables based on ConfigMaps sent in payloadJakub Dzon2021-11-30
|/ | | | | | Fixes #12363 Signed-off-by: Jakub Dzon <jdzon@redhat.com>
* Merge pull request #12383 from edsantiago/flake_fixesOpenShift Merge Robot2021-11-22
|\ | | | | [v3.4] backport Flake fixes
| * fix CIValentin Rothberg2021-11-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | [Backport #12343, which fixes the change in fedora-minimal image] Our fedora-minimal image on Quay bases on fedora-minimal:latest which starting with F35 removed a number of binaries that our CI depends on. Fix that by pulling `fedora-minimal:34` from the Fedora registry directly. Once the build bot on Quay has been disabled, we move the image over there to make sure that it will not change over time. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * utils: use podman-pause-$RANDOM.scope nameGiuseppe Scrivano2021-11-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [Backport of #12323 into v3.4, to fix gating-test flakes] we try hard to re-use the existing podman-pause.scope name when it already exists, causing any sort of race errors when the already existing scope is terminating. There is no such a requirement though, so just try with a random name. Closes: https://github.com/containers/podman/issues/12065 [NO NEW TESTS NEEDED] it fixes a race in the CI Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * Network test: fix podman-remote-rootless corner caseEd Santiago2021-11-22
| | | | | | | | | | | | | | | | | | | | [Backport of #12297 into v3.4, to fix gating-test failures] Followup to #12229, in which I added a podman unshare for flake debugging. Turns out that doesn't work in podman-remote. It was not caught because CI doesn't run podman-remote rootless. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #12327 from zeha/backport-11976OpenShift Merge Robot2021-11-17
|\| | | | | Backport #11976 to 3.4
| * Use CGO_ENABLED=1 when building natively on darwinJhon Honce2021-11-17
|/ | | | | | | | | | | Need to use CGO for mDNS resolution, but cross builds need CGO disabled See https://github.com/golang/go/issues/12524 for details Note: Homebrew forumla will need to be updated to pick up this change Fixes #10737 Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Merge pull request #12274 from mheon/bump_342OpenShift Merge Robot2021-11-12
|\ | | | | Bump to v3.4.2
| * Bump to v3.4.3-devMatthew Heon2021-11-12
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Bump to v3.4.2v3.4.2Matthew Heon2021-11-12
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Add release notes for v3.4.2Matthew Heon2021-11-12
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Fix partial log line handling with journald log driverMatthew Heon2021-11-12
| | | | | | | | | | | | | | | | | | | | | | Patch originally by Paul Holzinger (sourced from [1]). This is necessary to get the tests to pass in order to include a batch of other, related journald fixes in `podman logs`. [1] https://github.com/containers/podman/pull/12274#issuecomment-967168173 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Fix Zsh completion command documentationYahav Itzhak2021-11-12
| | | | | | | | Signed-off-by: yahavi <yahavi@jfrog.com>
| * Fix flake in upgrade testsPaul Holzinger2021-11-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The cni plugins need access to /run/cni and the dnsname plugin needs access to /run/containers. The race condition was basically that a `podman stop` could either do the cleanup itself or the spawned cleanup process would do the cleanup if it was fast enough. The `podman stop` is executed on the host while the podman cleanup process is executed in the "parent container". The parent container contains older plugins than on the host. The dnsname plugin before version 1.3 could error and this would prevent CNI from doing a proper cleanup. The plugin errors because it could not find its files in /run/containers. On my system the test always failed because the cleanup process was always faster than the stop process. However in the CI VMs the stop process was usually faster and so it failed only sometimes. Fixes #11558 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * VOLUME must be declared after RUN chown commandJindrich Novy2021-11-12
| | | | | | | | | | | | | | | | | | | | Podman and Docker will not commit changes via RUN command of a VOLUME directory, so we need to chown path first. Not doing do will cause: https://bugzilla.redhat.com/show_bug.cgi?id=2009266 Signed-off-by: Jindrich Novy <jnovy@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| * podman-generate-kube - remove empty structs from YAMLBoaz Shuster2021-11-12
| | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
| * Exclude already built sources for static buildSascha Grunert2021-11-12
| | | | | | | | | | | | | | | | | | We now do not copy the `bin` directory to the target nix sources to avoid skipping the build because "everything is up to date". Fixes https://github.com/containers/podman/issues/12198 Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
| * Match .c files in MakefileIan Wienand2021-11-12
| | | | | | | | | | | | | | Ensure that rebuilds happen when .c files are updated in the source tree. Signed-off-by: Ian Wienand <iwienand@redhat.com>
| * shm_lock: Handle ENOSPC better in AllocateSemaphoreIan Wienand2021-11-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When starting a container libpod/runtime_pod_linux.go:NewPod calls libpod/lock/lock.go:AllocateLock ends up in here. If you exceed num_locks, in response to a "podman run ..." you will see: Error: error allocating lock for new container: no space left on device As noted inline, this error is technically true as it is talking about the SHM area, but for anyone who has not dug into the source (i.e. me, before a few hours ago :) your initial thought is going to be that your disk is full. I spent quite a bit of time trying to diagnose what disk, partition, overlay, etc. was filling up before I realised this was actually due to leaking from failing containers. This overrides this case to give a more explicit message that hopefully puts people on the right track to fixing this faster. You will now see: $ ./bin/podman run --rm -it fedora bash Error: error allocating lock for new container: allocation failed; exceeded num_locks (20) [NO NEW TESTS NEEDED] (just changes an existing error message) Signed-off-by: Ian Wienand <iwienand@redhat.com>
| * Minor test tweaksEd Santiago2021-11-12
| | | | | | | | | | | | | | | | | | | | - remove 'NO TESTS NEEDED' as a valid bypass string. Henceforth only 'NO NEW TESTS NEEDED' will work. - add a debugging aid for #11871, in which bodhi tests time out in nslookup. Signed-off-by: Ed Santiago <santiago@redhat.com>
| * pod/container create: resolve conflicts of generated namesValentin Rothberg2021-11-12
| | | | | | | | | | | | | | | | | | | | | | Address the TOCTOU when generating random names by having at most 10 attempts to assign a random name when creating a pod or container. [NO TESTS NEEDED] since I do not know a way to force a conflict with randomly generated names in a reasonable time frame. Fixes: #11735 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * Add some information about disabling SELinux when using system volumesDaniel J Walsh2021-11-12
| | | | | | | | | | | | | | | | | | | | | | A comment was made on internal mailing list about confusion on SELinux labeling of volumes. This PR makes it a little more clear about when you should or should not relabel. We need a similar comment in podman pod create, but it does not support --security-opt processing yet. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| * Log Apache access_log-like entries at Info level [NO NEW TESTS NEEDED]Jhon Honce2021-11-12
| | | | | | | | | | | | | | | | Only log API access entries when --log-level set to Info or below. Fixes #12181 Signed-off-by: Jhon Honce <jhonce@redhat.com>
| * tweak a couple of flag descriptions in help outputNalin Dahyabhai2021-11-12
| | | | | | | | | | | | Descriptions of flags don't need to start with whitespace of their own. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
| * Fix bindings container log testPaul Holzinger2021-11-12
| | | | | | | | | | | | | | | | | | | | | | The returned error was not checked, thus the test could hang forever since it blocks on the log channel. Also handle unexpectedEOF like EOF. Fixes #12176 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * test: run --cgroups=split in new cgroupGiuseppe Scrivano2021-11-12
| | | | | | | | | | | | | | | | | | | | the --cgroups=split test changes the current cgroup as it creates a sub-cgroup. This can cause a race condition in tests that are reading the current cgroup. Closes: https://github.com/containers/podman/issues/11191 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * Fix tests of podman image trust --raw and --jsonMiloslav Trmač2021-11-12
| | | | | | | | | | | | | | | | Instead using the OS-wide system default policy, use the one in this repo, and adjust the expected results (as well as making the test stricter). Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Tighten the expected output of the "podman image trust show" testMiloslav Trmač2021-11-12
| | | | | | | | | | | | ... to include all fields. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Use INTEGRATION_ROOT instead of current directoryMiloslav Trmač2021-11-12
| | | | | | | | | | | | | | Should not change behavior, just to set a consistent precedent for code introduced in future commits. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Handle HTTP 409 error messages properly for Pod actionsOndra Machacek2021-11-12
| | | | | | | | | | | | | | This PR fixes the case when the API return HTTP 409 response. Where the API return the body format different then for other HTTP error codes. Signed-off-by: Ondra Machacek <omachace@redhat.com>
| * Fix swagger definitionsMatej Vasek2021-11-12
| | | | | | | | | | | | [NO TESTS NEEDED] Signed-off-by: Matej Vasek <mvasek@redhat.com>
| * Cirrus: Authorize rootless user self-sshChris Evich2021-11-12
| | | | | | | | | | | | | | | | | | | | | | Future testing needs dictate rootless (in addition to root) users are able to ssh to localhost. Add ssh-key generation commands for the rootless user, and authorize their public key. Minor: Also remove update of `/etc/sub{uid,gid}` files, since this is now done automatically by `{user,group}add` commands. Signed-off-by: Chris Evich <cevich@redhat.com>
| * Add information on how podman machine is updatedAshley Cui2021-11-12
| | | | | | | | | | | | | | Update documentation on how the default podman machine distribution, FCOS, is updated. Signed-off-by: Ashley Cui <acui@redhat.com>
| * Fix help message case for `podman version`Praveen Kumar2021-11-12
| | | | | | | | | | | | | | | | | | This is a cosmetic change. The help message for `podman version` is in title case whereas all other command help messages are not in title case. This stands out as inconsistent when looking at the output of `podman help`. Signed-off-by: Praveen Kumar <praveen+git@kumar.in>
| * Fix pause usage exampleGiacomo Sanchietti2021-11-12
| | | | | | | | | | | | The page contains a wrong 'stop' command example. Signed-off-by: Giacomo Sanchietti <giacomo.sanchietti@nethesis.it>
| * Set Checkpointed state to false after restoreAdrian Reber2021-11-12
| | | | | | | | | | | | | | | | | | A restored container still had the state set to 'Checkpointed: true' which seems wrong if it running again. [NO NEW TESTS NEEDED] Signed-off-by: Adrian Reber <areber@redhat.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-12-28 15:59:45 +0000