| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
| |
when --privileged is specified, add all the devices that are usable by
the user.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1730773
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\
| |
| | |
Move the HostConfig portion of Inspect inside libpod
|
| |
| |
| |
| |
| |
| |
| |
| | |
We can infer no-new-privileges. For now, manually populate
seccomp (can't infer what file we sourced from) and
SELinux/Apparmor (hard to tell if they're enabled or not).
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Our previous method (just read the PID that we spawned) doesn't
work - Conmon double-forks to daemonize, so we end up with a PID
pointing to the first process, which dies almost immediately.
Reading from the PID file gets us the real PID.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When we first began writing Podman, we ran into a major issue
when implementing Inspect. Libpod deliberately does not tie its
internal data structures to Docker, and stores most information
about containers encoded within the OCI spec. However, Podman
must present a CLI compatible with Docker, which means it must
expose all the information in 'docker inspect' - most of which is
not contained in the OCI spec or libpod's Config struct.
Our solution at the time was the create artifact. We JSON'd the
complete CreateConfig (a parsed form of the CLI arguments to
'podman run') and stored it with the container, restoring it when
we needed to run commands that required the extra info.
Over the past month, I've been looking more at Inspect, and
refactored large portions of it into Libpod - generating them
from what we know about the OCI config and libpod's (now much
expanded, versus previously) container configuration. This path
comes close to completing the process, moving the last part of
inspect into libpod and removing the need for the create
artifact.
This improves libpod's compatability with non-Podman containers.
We no longer require an arbitrarily-formatted JSON blob to be
present to run inspect.
Fixes: #3500
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \
| |/
|/| |
Fix play kube command
|
| |
| |
| |
| |
| |
| |
| | |
Before, play kube wasn't properly setting the command. Fix this
Also, begin a dedicated test suite for play kube to catch regressions like this in the future
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
|\ \
| |/
|/| |
spec: simplify handling of --ulimit host
|
| |
| |
| |
| |
| |
| |
| | |
it seems enough to not specify any ulimit block to maintain the host
limits.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
Cirrus: Print images that should be pruned
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Over time unless they're removed, the project could grow quite a large
collection of VM images. While generally cheap (less than a penny each,
per month), these will become a significant cost item if not kept
in-check.
Add a specialized container for handling image-pruning, but limit
it to only finding and printing (not actually deleting) images.
Also update the image-building workflow so that base-images used to
compose cache-images are also labeled with metadata.
N/B: As an additional safeguard, the service account which
executes the new container in production *DOES NOT*
have access to delete images. This can be enabled
by adding the GCE IAM role: CustomComputeImagePrune
Signed-off-by: Chris Evich <cevich@redhat.com>
|
|\ \ \
| | | |
| | | | |
Cirrus: Disable most periodic services/timers
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Chris Evich <cevich@redhat.com>
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Chris Evich <cevich@redhat.com>
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
For CI testing, it's important to remove as much variability from the
overall system as possible. This permits focusing just on problems
closely related to code-changes. To this end, and because VMs are very
short-lived (2 hours at most), disable all systemd services and timers
which perform periodic activities.
Signed-off-by: Chris Evich <cevich@redhat.com>
|
|\ \ \
| |/ /
|/| | |
Make the healthcheck flags compatible with Docker CLI
|
| | |
| | |
| | |
| | | |
Signed-off-by: Hunor Csomortáni <csomh@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Docker CLI calls the healthcheck flags "--health-*", instead of
"--healthcheck-*".
Introduce the former, in order to keep compatibility, and alias
the later, in order to avoid breaking current usage.
Change "--healthcheck-*" to "--health-*" in the docs and tests.
Signed-off-by: Hunor Csomortáni <csomh@redhat.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Hunor Csomortáni <csomh@redhat.com>
|
|\ \ \
| | | |
| | | | |
Cirrus: Abstract destination branch refs.
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Various tasks and scripts behave differently depending on whether or not
the build is running against a PR or on a branch, post-merge. However,
a great number of them are hard-coded to the string 'master' as the
destination. Since this is not always the case (there are other
relevant branches), it makes sense to abstract the references with a
single definition.
Add a top-level `$DEST_BRANCH` variable to CI, and otherwise
default to 'master' when unset. This enables running CI builds on
additional branches without the overhead of updating all the static
references to 'master'. Simply update `$DEST_BRANCH` at the top-level
and all branch-conditional logic will function as intended.
Signed-off-by: Chris Evich <cevich@redhat.com>
|
|\ \ \
| | | |
| | | | |
Fix handling of healthcheck from image
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
An image with "HEALTHCHECK CMD ['']" is valid but as there is no command
defined the healthcheck will fail. Reject such a configuration.
Fixes #3507
Signed-off-by: Stefan Becker <chemobejk@gmail.com>
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
If the image was built with "HEALTHCHECK NONE" then we should create a
container without healthcheck configuration. Otherwise executing the
healthcheck on the container will return "unhealthy" instead of the
correct error message that the container doesn't have a healthcheck.
We also ignore the healthcheck configuration if the command list is
empty or the command string is empty.
Fixes #3525
Signed-off-by: Stefan Becker <chemobejk@gmail.com>
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
If the image doesn't provide any options, e.g. interval, timeout, etc.,
then apply the Docker defaults when creating the container. Otherwise
the defaults will be left 0 and podman doesn't schedule the healtcheck
service & timer for the container or incorrectly reports unhealthy state
when the check is executed.
Fixes #3525
Signed-off-by: Stefan Becker <chemobejk@gmail.com>
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
- remove duplicate check, already called in HealthCheck()
- reject zero-length command list and empty command string as errorneous
- support all Docker command list keywords: NONE, CMD or CMD-SHELL
- use Docker default "/bin/sh -c" for CMD-SHELL
Fixes #3507
Signed-off-by: Stefan Becker <chemobejk@gmail.com>
|
|\ \ \
| |/ /
|/| | |
Binary bloat analyses
|
| | |
| | |
| | |
| | |
| | |
| | | |
Credits to bash wizard @edsantiago for the changes.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Change the script to generate two files. One including direct
dependencies, the other including direct and transitive dependencies.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Remove a blank line to make code examples more consistent and fix the
path of the 2nd example.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | | |
Add a new analysis script to print the dependency tree.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Move the analyses scripts to the dependencies directory to avoid
scattering of the dependency management.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Believe it or not:
`sort -ruh` is loosing data while `sort -u | sort -rh` does not.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The script allows for analyzing the symbols of a go binary passed as an
argument. The tabular output looks as follows:
336 unicode/utf8.DecodeLastRune
323 unicode/utf8.DecodeLastRuneInString
518 unicode/utf8.DecodeRune
518 unicode/utf8.DecodeRuneInString
337 unicode/utf8.EncodeRune
The first column indicates the size in bytes of the symbol in the second
column. Note that only text symbols are considered, other symbols from
the data or the bss segment are ignored to avoid information overload.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Analyse the size of all go-packages used during the build process via
the newly added `hack/analyses/go-archive-analysis.sh` script. The
script expects the `WORK` environment variable to be set, which points
to a temporary work directory generated by `go build`. To generate such
a work directory, set the `BUILDFLAGS="-work -a"`:
* `-work` for creating the work directory
* `-a` to force rebuilding all packages even when already cached
The workflow may look as follows:
```
$ BUILDFLAGS="-work -a" make podman
[...]
WORK=/tmp/go-build127001249
$ WORK=/tmp/go-build127001249 ./hack/analyses/go-archive-analysis.sh
```
The output of the script has the format `$SIZE $PACKAGE` where $SIZE is
the size of the compiled version of the go package (i.e., `.a` file) and
$PACKAGE for the corresponding package, for instance, `math/big` for a
stdlib package or vendor/... for vendored packages.
Credits to the authors of https://github.com/jondot/goweight, which
inspired this work.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \
| | |
| | | |
Improve parser for --healthcheck-command
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Fix Docker CLI compatibility issue: the "--healthcheck-command" option
value should not be split but instead be passed as single string to
"CMD-SHELL", i.e. "/bin/sh -c <opt>".
On the other hand implement the same extension as is already available
for "--entrypoint", i.e. allow the option value to be a JSON array of
strings. This will make life easier for tools like podman-compose.
Updated "--healthcheck-command" option values in tests accordingly.
Continuation of #3455 & #3507
Signed-off-by: Stefan Becker <chemobejk@gmail.com>
|
|\ \ \
| |_|/
|/| | |
Fix the double replySendFile()
|
| | |
| | |
| | |
| | | |
Signed-off-by: Harald Hoyer <harald@redhat.com>
|
|\ \ \
| | | |
| | | | |
Ensure we have a valid store when we refresh
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Fixes #3520
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \ \ \
| |_|_|/
|/| | | |
Improves STD output/readability in combination
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
with debug output.
Added \n char to specific standard output
Signed-off-by: dom finn <dom.finn00@gmail.com>
|
|\ \ \
| | | |
| | | | |
cgroupsv2: do not enable controllers for the last component
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
do not automatically enable the controllers for the last path
component. It is necessary as once there are enabled controllers in a
cgroup, it won't possible to add processes to it.
Fix conmon being moved to the correct cgroup path when using
--cgroup-manager cgroupfs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
spec: fix userns with less than 5 gids
|
| |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
when the container is running in a user namespace, check if gid=5 is
available, otherwise drop the option gid=5 for /dev/pts.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
fix bug convert volume host path to absolute
|