summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* Merge pull request #6958 from edsantiago/batsOpenShift Merge Robot2020-07-15
|\ | | | | system tests: new tests for run, exec
| * system tests: new tests for run, execEd Santiago2020-07-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Issue #6735 : problem with multiple namespaces; confirms combinations of --userns=keep-id, --privileged, --user=XX - Issue #6829 : --userns=keep-id will add a /etc/passwd entry - Issue #6593 : podman exec, with --userns=keep-id, errors (test is currently skipped because issue remains live) ...and, addendum: add new helper function, remove_same_dev_warning. Some CI systems issue a warning on podman run --privileged: WARNING: The same type, major and minor should not be used for multiple devices. We already had special-case code to ignore than in the SELinux test, but now we're seeing it in the new run tests I added, so I've refactored the "ignore this warning" code and written tests for the removal code. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #6949 from AkihiroSuda/fix-6948OpenShift Merge Robot2020-07-15
|\ \ | | | | | | Fix "Error: unrecognized protocol \"TCP\" in port mapping"
| * | Fix "Error: unrecognized protocol \"TCP\" in port mapping"Akihiro Suda2020-07-15
| | | | | | | | | | | | | | | | | | | | | | | | "TCP" in upper characters was not recognized as a valid protocol name. Fix #6948 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* | | Merge pull request #6974 from sshnaidm/fixdocs1OpenShift Merge Robot2020-07-15
|\ \ \ | | | | | | | | docs: user namespace can't be shared in pods
| * | | docs: user namespace can't be shared in podsSagi Shnaidman2020-07-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When running "podman pod create --share user" the errors appears: Error: User sharing functionality not supported on pod level Fix docs and remove 'user' from shareable parameters. Signed-off-by: Sagi Shnaidman <sshnaidm@redhat.com>
* | | | Merge pull request #6978 from edsantiago/apiv2_flake_fixOpenShift Merge Robot2020-07-15
|\ \ \ \ | | | | | | | | | | APIv2 tests: fix race condition causing CI flake
| * | | | APIv2 tests: fix race condition causing CI flakeEd Santiago2020-07-14
| | |_|/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A newly-added test in #6835 was flaking in CI with: not ok 143 [20-containers] DELETE libpod/containers/SHA 500 cannot remove container <sha> as it is running - running or paused containers cannot be removed without force: container state improper Root cause: DELETE being run immediately after container start. Although the container is short-lived, it does take time to run and exit. Solution: wait for container to exit (should be quick) before deleting. This gives us a new test for the /wait endpoint. Also: tweaked some comments for readability, removed unnecessary container ps, added actual container status checks, and added actual message checks to another test that was merely checking exit status. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | Merge pull request #6971 from TristanCacqueray/masterOpenShift Merge Robot2020-07-15
|\ \ \ \ | | | | | | | | | | play-kube: add suport for "IfNotPresent" pull type
| * | | | play-kube: add suport for "IfNotPresent" pull typeTristan Cacqueray2020-07-14
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | This change prevents this exception when loading a pod spec using the "IfNotPresent" pull policy: Error: invalid pull type "IfNotPresent" Signed-off-by: Tristan Cacqueray <tdecacqu@redhat.com>
* | | | Merge pull request #6956 from mheon/add_ports_to_pod_inspectOpenShift Merge Robot2020-07-15
|\ \ \ \ | |_|_|/ |/| | | Include infra container information in `pod inspect`
| * | | Fix lintMatthew Heon2020-07-14
| | | | | | | | | | | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | Populate remaining unused fields in `pod inspect`Matthew Heon2020-07-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We were hard-coding two fields to false, instead of grabbing their value from the pod config, which means that `pod inspect` would print the wrong value always. Fixes #6968 Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | Include infra container information in `pod inspect`Matthew Heon2020-07-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We had a field for this in the inspect data, but it was never being populated. Because of this, `podman pod inspect` stopped showing port bindings (and other infra container settings). Add code to populate the infra container inspect data, and add a test to ensure we don't regress again. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | | Merge pull request #6957 from rhatdan/sysdevOpenShift Merge Robot2020-07-14
|\ \ \ \ | | | | | | | | | | Mask out /sys/dev to prevent information leak from the host
| * | | | Mask out /sys/dev to prevent information leak from the hostDaniel J Walsh2020-07-14
| | |/ / | |/| | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #6964 from ↵OpenShift Merge Robot2020-07-14
|\ \ \ \ | |_|_|/ |/| | | | | | | | | | | containers/dependabot/go_modules/github.com/containers/storage-1.21.1 Bump github.com/containers/storage from 1.21.0 to 1.21.1
| * | | Bump github.com/containers/storage from 1.21.0 to 1.21.1dependabot-preview[bot]2020-07-14
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github.com/containers/storage](https://github.com/containers/storage) from 1.21.0 to 1.21.1. - [Release notes](https://github.com/containers/storage/releases) - [Changelog](https://github.com/containers/storage/blob/master/docs/containers-storage-changes.md) - [Commits](https://github.com/containers/storage/compare/v1.21.0...v1.21.1) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #6939 from rhatdan/entrypointOpenShift Merge Robot2020-07-14
|\ \ \ | | | | | | | | Fix handling of entrypoint
| * | | Fix handling of entrypointDaniel J Walsh2020-07-14
| |/ / | | | | | | | | | | | | | | | | | | If a user specifies an entrypoint of "" then we should not use the images entrypoint. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #6951 from mheon/check_full_commandOpenShift Merge Robot2020-07-14
|\ \ \ | | | | | | | | When determining systemd mode, use full command
| * | | Add SystemdMode to inspect for containersMatthew Heon2020-07-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This allows us to determine if the container auto-detected that systemd was in use, and correctly activated systemd integration. Use this to wire up some integration tests to verify that systemd integration is working properly. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | | When determining systemd mode, use full commandMatthew Heon2020-07-14
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We were only using the Command field in specgen when determining whether to enable systemd if systemd=true (the default) was used. This does not include the entrypoint, and does not include any entrypoint/command sourced from the image - so an image could be running systemd and we'd not correctly detect this. Using the full, final command resolves this and matches Podman v1.9.x behavior. Fixes #6920 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #6931 from mheon/apply_sigproxyOpenShift Merge Robot2020-07-14
|\ \ \ | |/ / |/| | Ensure sig-proxy default is propagated in start
| * | Ensure sig-proxy default is propagated in startMatthew Heon2020-07-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We properly determined what sig-proxy should be set to, but we never passed that along to the backend. As such, cases where the default swapped (mostly when `--attach` was specified but the `--sig-proxy` flag was not) were not handled correctly Fixes #6928 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #6973 from baude/policygatingOpenShift Merge Robot2020-07-14
|\ \ \ | |_|/ |/| | [CI:DOCS]Do not copy policy.json into gating image
| * | [CI:DOCS]Do not copy policy.json into gating imageBrent Baude2020-07-14
|/ / | | | | | | | | | | test/policy.json should not need to be copied into the gating image Signed-off-by: Brent Baude <bbaude@redhat.com>
* | Merge pull request #6952 from baude/systemdpid1fixOpenShift Merge Robot2020-07-14
|\ \ | | | | | | add systemd to fedora image
| * | Fix systemd pid 1 testBrent Baude2020-07-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | fedora removed the systemd package from its standard container image causing our systemd pid1 test to fail. Replacing usage of fedora to ubi-init. adding ubi images to the cache for local tests. also, remove installation of test/policy.json to the system wide /etc/containers Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | Merge pull request #6959 from mheon/remove_seccomp_policyOpenShift Merge Robot2020-07-13
|\ \ \ | | | | | | | | [CI:DOCS] Remove outdated seccomp policy
| * | | Remove outdated seccomp policyMatthew Heon2020-07-13
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some time ago, we moved the Seccomp policy (and related setup code) to a place where all our tools could share it [1]. We did not, however, remove the in-repo seccomp.json file. Over the last year or so, the in-repo seccomp policy has become progressively more and more outdated, with no effort made to maintain it (because what sense is there in keeping a duplicate?). Today, a friend came to me and asked if a Podman container could access keyctl, assuming it could not because he was reading the outdated Seccomp policy which does not allow it. Since it's becoming clear that this file is doing no good and actively causing confusion, let's just drop it. [1] https://github.com/seccomp/containers-golang Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #6842 from rhatdan/pids-limitOpenShift Merge Robot2020-07-13
|\ \ \ | |/ / |/| | Pids-limit should only be set if the user set it
| * | Pids-limit should only be set if the user set itDaniel J Walsh2020-07-10
| |/ | | | | | | | | | | | | | | | | | | Currently we are sending over pids-limits from the user even if they never modified the defaults. The pids limit should be set at the server side unless modified by the user. This issue has led to failures on systems that were running with cgroups V1. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #6896 from mheon/fix_remote_createcommandOpenShift Merge Robot2020-07-13
|\ \ | | | | | | Fix container and pod create commands for remote create
| * | Fix container and pod create commands for remote createMatthew Heon2020-07-10
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In `podman inspect` output for containers and pods, we include the command that was used to create the container. This is also used by `podman generate systemd --new` to generate unit files. With remote podman, the generated create commands were incorrect since we sourced directly from os.Args on the server side, which was guaranteed to be `podman system service` (or some variant thereof). The solution is to pass the command along in the Specgen or PodSpecgen, where we can source it from the client's os.Args. This will still be VERY iffy for mixed local/remote use (doing a `podman --remote run ...` on a remote client then a `podman generate systemd --new` on the server on the same container will not work, because the `--remote` flag will slip in) but at the very least the output of `podman inspect` will be correct. We can look into properly handling `--remote` (parsing it out would be a little iffy) in a future PR. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #6926 from ↵OpenShift Merge Robot2020-07-11
|\ \ | | | | | | | | | | | | containers/dependabot/go_modules/github.com/containers/storage-1.21.0 Bump github.com/containers/storage from 1.20.2 to 1.21.0
| * | Bump github.com/containers/storage from 1.20.2 to 1.21.0dependabot-preview[bot]2020-07-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github.com/containers/storage](https://github.com/containers/storage) from 1.20.2 to 1.21.0. - [Release notes](https://github.com/containers/storage/releases) - [Changelog](https://github.com/containers/storage/blob/master/docs/containers-storage-changes.md) - [Commits](https://github.com/containers/storage/compare/v1.20.2...v1.21.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #6932 from rhafer/aa_privOpenShift Merge Robot2020-07-11
|\ \ \ | | | | | | | | Don't setup AppArmor provile for privileged pods
| * | | Don't setup AppArmor provile for privileged podsRalf Haferkamp2020-07-10
| |/ / | | | | | | | | | | | | | | | This is essentially db218e7162c2 forward-ported to specgen Signed-off-by: Ralf Haferkamp <rhafer@suse.com>
* | | Merge pull request #6936 from mheon/matt_cant_countOpenShift Merge Robot2020-07-11
|\ \ \ | | | | | | | | Correctly print STDOUT on non-terminal remote exec
| * | | Correctly print STDOUT on non-terminal remote execMatthew Heon2020-07-10
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I confused STDIN and STDOUT's file descriptors (it's 0 and 1, I thought they were 1 and 0). As such, we were looking at whether we wanted to print STDIN when we looked to print STDOUT. This bool was set when `-i` was set in at the `podman exec` command line, which masked the problem when it was set. Fixes #6890 Fixes #6891 Fixes #6892 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #6929 from vrothberg/fix-9627OpenShift Merge Robot2020-07-11
|\ \ \ | | | | | | | | version/info: format: allow more json variants
| * | | version/info: format: allow more json variantsValentin Rothberg2020-07-10
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | Allow more variants to yield json output for `podman version` and `podman info`. Instead of comparing strings, use a regex and add unit and e2e tests. Fixes: #6927 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #6918 from skorhone/fix/hijacked_connection_handlingOpenShift Merge Robot2020-07-10
|\ \ \ | |/ / |/| | Fix: Correct connection counters for hijacked connections
| * | Fix: Correct connection counters for hijacked connectionsKorhonen Sami (Samlink)2020-07-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes connection counters for v2 endpoints Idletracker was moved to a new package to prevent package cycle. Hijacking code still remains in wrong place and should be moved later to isolated package Signed-off-by: Sami Korhonen <skorhone@gmail.com>
| * | Fix: Hijacking v2 endpoints to follow rfc 7230 semanticsKorhonen Sami (Samlink)2020-07-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After this patch v2 hijacking endpoints, exec/start and containers/attach follow rfc 7230 specification. Connection will only be upgraded, if client specifies upgrade headers: For tcp connections: Connection: Upgrade Upgrade: tcp For unix socket connections: Connection: Upgrade Upgrade: sock There are currently no checks if upgrade type actually matches with available protocols. Implementation just protocol that client requested Signed-off-by: Sami Korhonen <skorhone@gmail.com>
| * | Remove hijacked connections from active connections listKorhonen Sami (Samlink)2020-07-09
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | StateHijacked is a terminal state. If hijacked connection is registered as an active connection, connection will never be unregistered. This causes two issues First issue is that active connection counters are off. Second issue is a resource leak caused by connection object that is stored to a map. After this patch hijacked connections are no longer visible in counters. If a counter for hijacked connections is required, podman must track connections returned by Hijacker.Hijack() It might make sense to develop abstraction layer for hijacking - and move all hijacking related code to a separate package. Hijacking code is prone to resource leaks and it should be thoroughly tested. Signed-off-by: Sami Korhonen <skorhone@gmail.com>
* | Merge pull request #6917 from mheon/retErr_for_libpodOpenShift Merge Robot2020-07-10
|\ \ | |/ |/| Remove all instances of named return "err" from Libpod
| * Remove all instances of named return "err" from LibpodMatthew Heon2020-07-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This was inspired by https://github.com/cri-o/cri-o/pull/3934 and much of the logic for it is contained there. However, in brief, a named return called "err" can cause lots of code confusion and encourages using the wrong err variable in defer statements, which can make them work incorrectly. Using a separate name which is not used elsewhere makes it very clear what the defer should be doing. As part of this, remove a large number of named returns that were not used anywhere. Most of them were once needed, but are no longer necessary after previous refactors (but were accidentally retained). Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #6906 from rhatdan/VENDOROpenShift Merge Robot2020-07-09
|\ \ | |/ |/| Vendor in new version of Buildah