| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a compiler warning that has been fixed in the
upstream, so I figured we should update to fix.
Also vendor in latest buildah to get better support for running builds in rootless
mode.
Vendor in latest containers/image to allow daemon support to be pluggable.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1169
Approved by: mheon
|
|
|
|
|
|
|
|
|
| |
Now, for commands that have --latest and --all, the context flags are checked, and pods are grabbed in a single function
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1161
Approved by: rhatdan
|
|
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1165
Approved by: baude
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CNI plugins upstream removed their network namespace creation
code, making it a test package only. Copy it into our repository
and slightly modify it for our use (most notably, use MNT_DETACH
when unmounting namespaces).
This new CNI code splits closing and unmounting network
namespaces, which allows us to greatly reduce the number of
occasions on which we call teardownNetwork() and make more errors
in that function fatal instead of warnings. Instead, we can call
Close() and just close the open file descriptor in cases where
the namespace has already been cleaned up.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1165
Approved by: baude
|
|
|
|
|
|
|
|
|
|
| |
We need to pick up changes to the netns packages that are not yet
in a released tag.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1165
Approved by: baude
|
|
|
|
|
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1167
Approved by: baude
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, getRuntimeSpec always fails on non-Linux because
spec.CreateConfigToOCISpec always fails, because the podman CLI
sets up a seccomp path, and processing that on non-Linux is not supported. This
breaks testing of entirely unrelated options.
We can either skip the tests on non-Linux, or explicitly disable seccomp
inside the tests. Linux testing matters much more than other platforms,
and the tests are more reliable when they don't change supposedly
unrelated options; so, skip the tests on non-Linux.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Closes: #1115
Approved by: rhatdan
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This just muves the Linux implementation, unchanged, to the
platform-agnostic file. Should not change behavior on Linux.
On non-Linux platforms, reading containers from BoltDB now works
(and rejects containers with namespace data). The checkRuntimeConfig
validation ensures that each BoltDB database is only used on one platform,
so network namespaces should never exist in non-Linux BoltDB files.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Closes: #1115
Approved by: rhatdan
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the actual platform-specific part of getContainerFromDB.
Factor it out, unchanged, on Linux. On other platforms, introduce
a stub which fails if any data exists; this stub is not yet called.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Closes: #1115
Approved by: rhatdan
|
|
|
|
|
|
|
| |
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Closes: #1115
Approved by: rhatdan
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On macOS NewImageRuntimeFromOptions fails with chown EPERM because the
"vfs" driver tries to chown its home to root:root 0700; in fact running
as root seems to be a generic requirement. So, skip the tests if not
running as root.
(This could maybe benefit from an extra state, maybe an environment
variable like RUNNING_IN_CI, to make sure the tests are actually
run often enough.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Closes: #1115
Approved by: rhatdan
|
|
|
|
|
|
|
|
|
|
|
|
| |
(make localunit) complains about the unbuildable subpackage; silence that.
Actually, I can't find any user of checkseccomp in this repo; maybe
it is entirely unused?
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Closes: #1115
Approved by: rhatdan
|
|
|
|
|
|
|
|
|
|
|
|
| |
None of the functions are used within the package, and it does not build
on non-Linux systems.
(Similar code continues to exist in pkg/chrootuser, and is unaffected.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Closes: #1115
Approved by: rhatdan
|
|
|
|
|
|
|
| |
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1163
Approved by: baude
|
|
|
|
|
|
|
| |
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1162
Approved by: rhatdan
|
|\
| |
| | |
Add a mutex to BoltDB state to prevent lock issues
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Per https://www.sqlite.org/src/artifact/c230a7a24?ln=994-1081,
POSIX file advisory locks are unsafe to use within a single
process if multiple file descriptors are open for the same file.
Unfortunately, this has a strong potential to happen for
multithreaded usage of libpod, and could result in DB corruption.
To prevent this, wrap all access to BoltDB within a single
libpod instance in a mutex to ensure concurrent access cannot
occur.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| |
| |
| |
| | |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1160
Approved by: mheon
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With tests, man page, and completions.
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1125
Approved by: rhatdan
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With tests, man page and completions.
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1152
Approved by: rhatdan
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Moved contents of RestartWithTimeout to restartWithTimeout in container_internal to be able to call restart without locking in function.
Refactored startNode to be able to either start or restart a node.
Built pod Restart() with new startNode with refresh true.
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1152
Approved by: rhatdan
|
|/
|
|
|
|
|
|
|
|
|
|
| |
If more than one volume was mounted using the --volume flag in
podman run, the second and onwards volumes were picking up options
of the previous volume mounts defined. Found out that the options were
not be cleared out after every volume was parsed.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #1142
Approved by: mheon
|
|\
| |
| | |
Add Pod and Container namespaces
|
| |
| |
| |
| |
| |
| |
| | |
Better explain the inner workings of both state types in comments
to make reviews and changes easier.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| |
| |
| | |
Also add namespace to inspect output to verify its presence
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
New containers and pods will default to the namespace of the
runtime, but this can be overridden by With... options if
desired.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| |
| |
| |
| | |
Allows joining libpod to a specific namespace when running a
Podman command.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| |
| |
| |
| | |
Include details on how namespaces interact with the
state.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
All BoltDB access and update functions now understand namespaces.
Accessing containers outside of your namespace will produce
errors, except for Lookup and All functions, which will perform
their tasks only on containers within your namespace.
The "" namespace remains a reserved, no-restrictions namespace.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| |
| |
| |
| | |
Dependency containers must be in the same namespace, to ensure
there are never problems resolving a dependency.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Add basic awareness of namespaces to the database. As part of
this, add constraints so containers can only be added to pods in
the same namespace.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| |
| |
| |
| | |
Libpod namespaces are a way to logically separate groups of pods
and containers within the state.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Some of the pedantic errors were not corrected
* Clean up prep for porting to MacOS and PyPi hosting
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Closes: #1155
Approved by: baude
|
|\ \
| | |
| | | |
Fix varlink API usage of psgo
|
| |/
| |
| |
| | |
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
| |
| |
| |
| |
| |
| |
| | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: rhatdan
|
| |
| |
| |
| |
| |
| |
| | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: rhatdan
|
| |
| |
| |
| |
| |
| |
| | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: rhatdan
|
| |
| |
| |
| |
| |
| |
| | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: rhatdan
|
| |
| |
| |
| |
| |
| |
| | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: rhatdan
|
|/
|
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: rhatdan
|
|
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1150
Approved by: rhatdan
|
|
|
|
|
|
|
|
|
| |
Make this clear in the docs and Command.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1138
Approved by: mheon
|