summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* Allow containerPortsToServicePorts to failMiloslav Trmač2021-12-06
| | | | | | | | Add an error return to it and affected callers. Should not affect behavior, the function can't currently fail. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Don't use the global math/rand RNG for service portsMiloslav Trmač2021-12-06
| | | | | | | | | | Use a private RNG with the desired seed, don't interfere with the other uses. Introducing the servicePortState type is rather overkill for the single member, but we'll add another one immediately. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Move a comment to the relevant placeMiloslav Trmač2021-12-06
| | | | Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* compat: images/jsonValentin Rothberg2021-12-06
| | | | | | | Do not list manifest lists. Docker doesn't either. Fixes: #12453 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Fixed the containerfile not found during remote build.Shion Tanaka2021-12-06
| | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Shion Tanaka <shtanaka@redhat.com>
* container, cgroup: detect pid terminationGiuseppe Scrivano2021-12-06
| | | | | | | | | | | | | | If the /proc/$PID/cgroup file doesn't exist, then it is likely the container was terminated in the meanwhile so report ErrCtrStopped that is already handled instead of ENOENT. commit a66f40b4df039e94572fa38c070207a435cfa466 introduced the regression. Closes: https://github.com/containers/podman/issues/12457 [NO NEW TESTS NEEDED] it solves a race in the CI that is difficult to reproduce. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* top: parse ps(1) args correctlyValentin Rothberg2021-12-06
| | | | | | | The arguments of ps(1) should be shlexed. Fixes: #12452 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Only open save output file with WRONLYDaniel J Walsh2021-12-06
| | | | | | | | | | The previous code fails on a MAC when opening /dev/stdout Fixes: https://github.com/containers/podman/issues/12402 [NO NEW TESTS NEEDED] No easy way to test this. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* List /etc/containers/certs.d as default for --cert-pathDaniel J Walsh2021-12-06
| | | | | | Helps Document https://github.com/containers/podman/issues/10116 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Move the chown to after the ADDsDaniel J Walsh2021-12-06
| | | | | | | | I have noticed that the containers.conf file in the /home/podman directory is owned by root and not Podman. This change fixes the ownership. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* compat: Add compatiblity with Docker/Moby API for scenarios where build failsAditya Rajan2021-12-06
| | | | | | | | | | | | | | In order to maintain compatiblity with `moby API` we must the field `errorDetail` which is primary error reporting field with stream. Currently podman is using `error` which is already deprecated by moby. Check: https://github.com/moby/moby/blob/master/pkg/jsonmessage/jsonmessage.go#L147 [NO NEW TESTS NEEDED] We can't test this in podman CI since we dont have a docker client. Signed-off-by: Aditya Rajan <arajan@redhat.com>
* fix: parsing of HostConfig.Mounts for container createMatej Vasek2021-12-06
| | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
* fix: error reporting for archive endpointMatej Vasek2021-12-06
| | | | | | Returning 500 when copying to read-only destination. Signed-off-by: Matej Vasek <mvasek@redhat.com>
* libpod: improve heuristic to detect cgroupGiuseppe Scrivano2021-12-06
| | | | | | | | | | | | | | | improve the heuristic to detect the scope that was created for the container. This is necessary with systemd running as PID 1, since it moves itself to a different sub-cgroup, thus stats would not account for other processes in the same container. Closes: https://github.com/containers/podman/issues/12400 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> <MH: Fixed cherry-pick conflicts> Signed-off-by: Matthew Heon <mheon@redhat.com>
* libpod, inspect: export cgroup pathGiuseppe Scrivano2021-12-06
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* stats: get the memory limit from the specGiuseppe Scrivano2021-12-06
| | | | | | | | | | OCI runtimes may set the memory limits in different ways, e.g., crun creates a sub-cgroup where the limits are applied, while runc applies them directly on the created cgroup. Since there is standardization on the cgroup path to use, just use the limit specified in the spec file. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* oci: ack crun output when container is not thereAditya Rajan2021-12-06
| | | | | | | | | `crun status ctrid` outputs `No such file or directory` when container is not there so podman much ack it. [NO NEW TESTS NEEDED] Signed-off-by: Aditya Rajan <arajan@redhat.com>
* oci: exit gracefully if container is already deadAditya Rajan2021-12-06
| | | | | | | | | | While trying to kill a container with a `signal` we cant do anything if container is already dead so `exit` gracefully instead of trying to delete container again. Get container status from runtime. [ NO NEW TESTS NEEDED ] Signed-off-by: Aditya Rajan <arajan@redhat.com>
* Add note about volume with unprivileged containerUrvashi Mohnani2021-12-06
| | | | | | | | | | | | | Add a note to the generated kube yaml if we detect a volume is being mounted. The note lets the user know what needs to be done to avoid permission denied error when trying to access the volume for an unprivileged container. Add the same note to the man pages. NO NEW TESTS NEEDED Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* swagger: add layers to build api docsAditya Rajan2021-12-06
| | | | | | Add missing `layer` entry to swagger docs for `/build`. Signed-off-by: Aditya Rajan <arajan@redhat.com>
* compat: add layer caching compatiblity for non podman clientsAditya Rajan2021-12-06
| | | | | | | | | | | | | Non-podman clients do not set `layers` while making request. This is supposed to be `true` bydefault but `non-podman-clients i.e Docker` dont know about this field as a result they end up setting this values to `false`. Causing builds to never use cache for layers. Adds compatiblity for `docker SDK`. [NO NEW TESTS NEEDED] Signed-off-by: Aditya Rajan <arajan@redhat.com>
* fix duplicated logs commandPaul Holzinger2021-12-06
| | | | | | | | | | Podman logs was defined twice, once for container logs and once for pod logs. This causes problems with the shell completion. Also podman --help showed this command twice. [NO NEW TESTS NEEDED] Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Change error message for compatibility with dockerMichael Scherer2021-12-06
| | | | | | Fix #12315 Signed-off-by: Michael Scherer <misc@redhat.com>
* podman machine start wait for sshPaul Holzinger2021-12-06
| | | | | | | | | | | | Wait for sshd to be ready before we return from start. This should make podman machine ssh immediately available without any race conditions. Fixes #11532 [NO NEW TESTS NEEDED] I could not reproduce the issue so I am not sure if this fixes it. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* fix: take absolute path for dd on apple siliconetenzy2021-12-06
| | | | | | | | Fixes #12329 [NO NEW TESTS NEEDED] podman machine Signed-off-by: Michael Rödel <hello@mroedel.de>
* rootless: drop strerror(errno) callsGiuseppe Scrivano2021-12-06
| | | | | | *printf functions already support printing the errno string with %m Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: reuse existing open_namespace functionGiuseppe Scrivano2021-12-06
| | | | | | there is already a function for opening a namespace path, reuse it. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: use auto cleanup functionsGiuseppe Scrivano2021-12-06
| | | | | | | | simplify code using auto cleanup functions [NO NEW TESTS NEEDED] it is a refactoring of existing code Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Set flags to test 'logs -f' with journald driverHironori Shiina2021-12-06
| | | | | | | | | | | | | `logs -f` with `journald` is supported only when `journald` events backend is used. To pass system tests using `logs -f` in an environment where `events_logger` is not set to `journald` in `containers.conf`, this fix sets `--events-backend` or `--log-driver` temporally. Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com> <MH: Fixed cherry-pick conflicts> Signed-off-by: Matthew Heon <mheon@redhat.com>
* secret: honor custom target for secrets with runAditya Rajan2021-12-06
| | | | | | | | | | | Honor custom `target` if specified while running or creating containers with secret `type=mount`. Example: `podman run -it --secret token,type=mount,target=TOKEN ubi8/ubi:latest bash` Signed-off-by: Aditya Rajan <arajan@redhat.com>
* journald logs: keep reading until the journal's endNalin Dahyabhai2021-12-06
| | | | | | | | | | | When reading logs from the journal, keep going after the container exits, in case it gets restarted. Events logged to the journal via the normal paths don't include CONTAINER_ID_FULL, so don't bother adding it to the "history" event we use to force at least one entry for the container to show up in the log. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Error logs --follow if events-backend != journald, event-logger=journaldDaniel J Walsh2021-12-06
| | | | | | Fixes: https://github.com/containers/podman/issues/11255 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* libpod: create /etc/mtab safelyGiuseppe Scrivano2021-12-06
| | | | | | | | | | | make sure the /etc/mtab symlink is created inside the rootfs when /etc is a symlink. Closes: https://github.com/containers/podman/issues/12189 [NO NEW TESTS NEEDED] there is already a test case Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Always create working directory when using compat APIMichael Scherer2021-12-06
| | | | | | | | | | | | | Docker/Moby always create the working directory, and some tools rely on that behavior (example, woodpecker/drone). Fixes #11842 Signed-off-by: Michael Scherer <misc@redhat.com> <MH: Fixed cherry-pick conflicts> Signed-off-by: Matthew Heon <mheon@redhat.com>
* Fix network mode in play kubePaul Holzinger2021-12-06
| | | | | | | | | | | | | | We need to use the config network mode when no network mode was set. To do so we have to keep the nsmode empty, MakeContainer() will use the correct network mode from the config when needed. Fixes #12248 Signed-off-by: Paul Holzinger <pholzing@redhat.com> <MH: Fixed cherry-pick conflicts> Signed-off-by: Matthew Heon <mheon@redhat.com>
* Bump to containers/image v5.17.0Matthew Heon2021-12-06
| | | | | | This resolves CVE-2021-41190 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Update release notes for changes already in branchMatthew Heon2021-12-06
| | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #12517 from Luap99/machine-dnsOpenShift Merge Robot2021-12-06
|\ | | | | podman machine: use gvproxy for host.containers.internal
| * podman machine: use gvproxy for host.containers.internalPaul Holzinger2021-12-06
|/ | | | | | | | | | | | | | | | Let the gvproxy dns server handle the host.containers.internal entry. Support for this is already added to gvproxy. [1] To make sure the container uses the dns response from gvproxy we should not add host.containers.internal to /etc/hosts in this case. [NO NEW TESTS NEEDED] podman machine has no tests Fixes #11642 [1] https://github.com/containers/gvisor-tap-vsock/commit/1108ea45162281046d239047a6db9bc187e64b08 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #12497 from mheon/fix_2021_4024OpenShift Merge Robot2021-12-03
|\ | | | | Fix CVE-2021-4024 - v3.4 branch
| * Swap bind address for gvproxy to localhost-onlyMatthew Heon2021-12-03
|/ | | | | | | | | | | This resolves CVE-2021-4024, where an attacker could access the API externally and forward any port they desired to the VM from `podman machine`. [NO NEW TESTS NEEDED] gvproxy is not tested directly at this time. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #12463 from vrothberg/backport-12449OpenShift Merge Robot2021-12-01
|\ | | | | [3.4] systemd: replace multi-user with default.target
| * systemd: replace multi-user with default.targetValentin Rothberg2021-12-01
|/ | | | | | | | | | | | Replace multi-user.target with default.target across the code base. It seems like the multi-user one is not available for (rootless) users on F35 anymore is causing issues in all kinds of ways, for instance, enabling the podman.service or generated systemd units. Backport of commit 9a10e2124bb11027fc71db4c495c116277b8b7e3. Fixes: #12438 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12451 from vrothberg/backport-12064OpenShift Merge Robot2021-11-30
|\ | | | | [v3.4] container create: fix --tls-verify parsing
| * container create: fix --tls-verify parsingValentin Rothberg2021-11-30
|/ | | | | | | | | | | Make sure that the value is only set if specified on the CLI. c/image already defaults to true but if set in the system context, we'd skip settings in the registries.conf. Backport of commit ff31f2264da. Fixes: #11933 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12447 from jakub-dzon/env-config-maps-backportOpenShift Merge Robot2021-11-30
|\ | | | | Support env variables based on ConfigMaps sent in payload
| * Support env variables based on ConfigMaps sent in payloadJakub Dzon2021-11-30
|/ | | | | | Fixes #12363 Signed-off-by: Jakub Dzon <jdzon@redhat.com>
* Merge pull request #12383 from edsantiago/flake_fixesOpenShift Merge Robot2021-11-22
|\ | | | | [v3.4] backport Flake fixes
| * fix CIValentin Rothberg2021-11-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | [Backport #12343, which fixes the change in fedora-minimal image] Our fedora-minimal image on Quay bases on fedora-minimal:latest which starting with F35 removed a number of binaries that our CI depends on. Fix that by pulling `fedora-minimal:34` from the Fedora registry directly. Once the build bot on Quay has been disabled, we move the image over there to make sure that it will not change over time. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * utils: use podman-pause-$RANDOM.scope nameGiuseppe Scrivano2021-11-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [Backport of #12323 into v3.4, to fix gating-test flakes] we try hard to re-use the existing podman-pause.scope name when it already exists, causing any sort of race errors when the already existing scope is terminating. There is no such a requirement though, so just try with a random name. Closes: https://github.com/containers/podman/issues/12065 [NO NEW TESTS NEEDED] it fixes a race in the CI Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>