| Commit message (Collapse) | Author | Age |
|\
| |
| | |
Use jsoniter instead of easyjson
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The json-iterator package will panic on attempting to use
MarshalIndent with a non-space indentation. This is sort of silly
but swapping from tabs to spaces is not a big issue for us, so
let's work around the silly panic.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| | |
The vndr tool isn't updating vendor.conf so do it manually.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| | |
We already have it vendored for a Kube package we import, but we
want a more recent version with additional bugfixes over the 1.0
release we originally had.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|/
|
|
|
|
|
|
|
| |
The jsoniter library does not require code generation, which is a
massive advantage over easyjson (it's also about the same in
performance). Begin moving over to it by removing the existing
easyjson code.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\
| |
| | |
Use defaults if paths are not specified in storage.conf
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
For rootless Podman, if storage.conf exists but does not specify
one or both of RunRoot and GraphRoot, set them to rootless
defaults so we don't end up with an unusable configuration.
Fixes #2125
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \
| | |
| | | |
Fix handling of nil volumes
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Currently if a user passes in a -v with
-v $bogus:/foobar
We crash. This will throw a proper error.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \
| | | |
| | | | |
Fix 'image trust' from PR1899
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
fix up sigstore path
|
| | | | |
| | | | |
| | | | |
| | | | | |
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
|\ \ \ \ \
| | | | | |
| | | | | | |
podman: bump RLIMIT_NOFILE also without CAP_SYS_RESOURCE
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
If we are not able to make arbitrary changes to the RLIMIT_NOFILE when
lacking CAP_SYS_RESOURCE, don't fail but bump the limit to the maximum
allowed. In this way the same code path works with rootless mode.
Closes: https://github.com/containers/libpod/issues/2123
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Move python code from contrib to it's own repo python-podman
|
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
|\ \ \ \ \ \ \
| |/ / / / / /
|/| | | | | | |
Cirrus: (Minor) Print timestamp
|
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Also record into a file in case a later reference is required
Signed-off-by: Chris Evich <cevich@redhat.com>
|
|\ \ \ \ \ \ \
| |_|_|/ / / /
|/| | | | | | |
Trivial readme updates
|
|/ / / / / /
| | | | | |
| | | | | |
| | | | | | |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Fix up image sign and trust
|
| | |_|/ / /
| |/| | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Add completions
Fix man pages
fix code in sign to answer PR Comments.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \ \ \ \
| |_|_|_|_|/
|/| | | | | |
createconfig: always cleanup a rootless container
|
| | |_|_|/
| |/| | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
the rootless container storage is always mounted in a different mount
namespace, owned by the unprivileged user. Even if it is mounted, a
process running in another namespace cannot reuse the already mounted
storage.
Make sure the storage is always cleaned up once the container
terminates.
This has worked with vfs since there is no real mounted storage.
Closes: https://github.com/containers/libpod/issues/2112
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \ \ \
| | | | | |
| | | | | | |
sign: some fixes
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |/ / / /
| | | | |
| | | | |
| | | | | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \ \ \
| |/ / / /
|/| | | | |
Add Validate completions
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
In podman 0.12.0 we have invalid completions. These should have been
caught during testing. This check will throw an error if the completions
do not successfully execute.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \ \ \
| |_|_|_|/
|/| | | | |
apparmor: apply default profile at container initialization
|
| | |/ /
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Apply the default AppArmor profile at container initialization to cover
all possible code paths (i.e., podman-{start,run}) before executing the
runtime. This allows moving most of the logic into pkg/apparmor.
Also make the loading and application of the default AppArmor profile
versio-indepenent by checking for the `libpod-default-` prefix and
over-writing the profile in the run-time spec if needed.
The intitial run-time spec of the container differs a bit from the
applied one when having started the container, which results in
displaying a potentially outdated AppArmor profile when inspecting
a container. To fix that, load the container config from the file
system if present and use it to display the data.
Fixes: #2107
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Avoid generating
quay.io/openshift-release-dev/ocp-release@sha256@sha256:239... and
similar when the image name is already digest-based [1]. It's not
clear exactly how we get into this state, but as shown by the unit
tests, the new code handles this case correctly (while the previous
code does not).
[1]: https://github.com/containers/libpod/issues/2086
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #2106
Approved by: rhatdan
|
|\ \ \ \
| |/ / /
|/| | | |
If you fail to open shm lock then attempt to create it
|
|/ / /
| | |
| | |
| | | |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \
| | | |
| | | | |
Support podman image sign
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Generate a signature claim for an image using user keyring (--sign-by). The signature file will be stored in simple json format under the default or the given directory (--directory or yaml file in /etc/containers/registries.d/).
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
Use existing interface to request IP address during restore
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The initial implementation to request the same IP address for a
container during a restore was based on environment variables
influencing CNI.
With this commit the IP address selection switches to Podman's internal
static IP API.
This commit does a comment change in libpod/container_easyjson.go to
avoid unnecessary re-generation of libpod/container_easyjson.go during
build as this fails in CI. The reason for this is that make sees that
libpod/container_easyjson.go needs to be re-created. The commit,
however, only changes a part of libpod/container.go which is marked as
'ffjson: skip'.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Restoring a container from a checkpoint should give the container the
same IP as before checkpointing. This adds a test to make sure the IP
stays the same.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
| | | | |
| | | | |
| | | | |
| | | | | |
Signed-off-by: Adrian Reber <areber@redhat.com>
|
|\ \ \ \ \
| | | | | |
| | | | | | |
.github/ISSUE_TEMPLATE: Suggest '/kind bug' and '/kind feature'
|
| |/ / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
So Prow's label plugin [1] can apply the appropriate label for us.
[1] https://github.com/kubernetes/test-infra/tree/master/prow/plugins/label
Signed-off-by: W. Trevor King <wking@tremily.us>
|
|\ \ \ \ \
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
debarshiray/wip/debarshiray/man-page-order-long-short-options
List the long variant of each option before its shorter counterpart
|
| |/ / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This is the style followed in most of the other man pages.
Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
|
|\ \ \ \ \
| |/ / / /
|/| | | | |
hooks: Add pre-create hooks for runtime-config manipulation
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
For example:
$ cat /etc/containers/oci/hooks.d/test.json
{
"version": "1.0.0",
"hook": {
"path": "/bin/sh",
"args": ["sh", "-c", "echo 'oh, noes!' >&2; exit 1"]
},
"when": {
"always": true
},
"stages": ["precreate"]
}
$ podman run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: executing [sh -c echo 'oh, noes!' >&2; exit 1]: exit status 1
The rendered command isn't in in the right syntax for copy/pasting
into a shell, but it should be enough for the user to be able to
locate the failing hook. They'll need to know their hook directories,
but with the previous commits requiring explicit hook directories it's
more likely that the caller is aware of them. And if they run at a
debug level, they can see the lookups in the logs:
$ podman --log-level=debug --hooks-dir=/etc/containers/oci/hooks.d run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T22:15:16-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T22:15:16-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T22:15:16-08:00" level=debug msg="hook test.json matched; adding to stages [precreate]"
time="2018-12-02T22:15:16-08:00" level=warning msg="container 3695c6ba0cc961918bd3e4a769c52bd08b82afea5cd79e9749e9c7a63b5e7100: precreate hook: executing [sh -c echo 'oh, noes!' >&2; exit 1]: exit status 1"
time="2018-12-02T22:15:16-08:00" level=error msg="error setting up OCI Hooks: executing [sh -c echo 'oh, noes!' >&2; exit 1]: exit status 1"
Signed-off-by: W. Trevor King <wking@tremily.us>
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
To make it easier to notice and track down errors (or other surprising
behavior) due to precreate hooks. With this commit, the logged
messages look like:
time="2018-11-19T13:35:18-08:00" level=debug msg="precreate hook 0 made configuration changes:
--- Old
+++ New
@@ -18,3 +18,3 @@
Namespaces: ([]specs.LinuxNamespace) <nil>,
- Devices: ([]specs.LinuxDevice) (len=1) {
+ Devices: ([]specs.LinuxDevice) (len=2) {
(specs.LinuxDevice) {
@@ -24,2 +24,11 @@
Minor: (int64) 229,
+ FileMode: (*os.FileMode)(-rw-------),
+ UID: (*uint32)(0),
+ GID: (*uint32)(0)
+ },
+ (specs.LinuxDevice) {
+ Path: (string) (len=8) "/dev/sda",
+ Type: (string) (len=1) "b",
+ Major: (int64) 8,
+ Minor: (int64) 0,
FileMode: (*os.FileMode)(-rw-------),
"
time="2018-11-19T13:35:18-08:00" level=debug msg="precreate hook 1 made configuration changes:
--- Old
+++ New
@@ -29,3 +29,3 @@
(specs.LinuxDevice) {
- Path: (string) (len=8) "/dev/sda",
+ Path: (string) (len=8) "/dev/sdb",
Type: (string) (len=1) "b",
"
Ideally those logs would include the container ID, but we don't have
access to that down at this level. I'm not sure if it's worth
teaching RuntimeConfigFilter to accept a *logrus.Entry (so the caller
could use WithFields [1]) or to use a generic logging interface (like
go-log [2]). For now, I've left the container ID unlogged here.
The spew/difflib implementation is based on stretchr/testify/assert,
but I think the ~10 lines I'm borrowing are probably small enough to
stay under the "all copies or substantial portions" condition in its
MIT license.
[1]: https://godoc.org/github.com/sirupsen/logrus#WithFields
[2]: https://github.com/go-log/log
Signed-off-by: W. Trevor King <wking@tremily.us>
|