Commit message (Author, Age)
* Merge pull request #8226 from debarshiray/wip/rishi/toolbox_test-userns-keepid-HOME (OpenShift Merge Robot, 2020-11-03)
|\
    Test $HOME when its parent is bind mounted with --userns=keep-id
| * Test $HOME when its parent is bind mounted with --userns=keep-id (Debarshi Ray, 2020-11-03)
    When --userns=keep-id is used, Podman is supposed to set up the home directory
    of the user inside the container to match that on the host as long as the home
    directory or any of its parents are marked as volumes to be bind mounted into
    the container.

    Currently, the test only considers the case where the home directory itself is
    bind mounted into the container. It doesn't cover the Podman code that walks
    through all the bind mounts looking for ancestors in case the home directory
    itself wasn't specified as a bind mount. Therefore, this improves the existing
    test added in commit 6ca8067956128585 ("Setup HOME environment when using
    --userns=keep-id").

    Note that this test can't be run as root. The home directory of the root user
    is /root, and its parent is /. Bind mounting the entire / from the host into
    the container prevents it from starting:

        Error: openat2 ``: No such file or directory: OCI not found

    Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
* | Merge pull request #8224 from jjasghar/patch-1 (OpenShift Merge Robot, 2020-11-03)
|\ \
    Update README.md
| * | Update README.md (JJ Asghar, 2020-11-02)
    Typo

    Signed-off-by: JJ Asghar <jjasghar@gmail.com>
* | | Merge pull request #8217 from giuseppe/caps-ambient (OpenShift Merge Robot, 2020-11-03)
|\ \ \
| |/ /
|/| |
    specgen: add support for ambient capabilities
| * | specgen: keep capabilities with --userns=keep-id (Giuseppe Scrivano, 2020-11-02)
    If --userns=keep-id is specified and --user is not specified, take the
    unprivileged capabilities code path so that ambient capabilities are honored
    in the container.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | specgen: fix check for root user (Giuseppe Scrivano, 2020-11-02)
    If the username is specified in the USER:GROUP form, make sure we only check
    for USER.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | specgen: add support for ambient capabilities (Giuseppe Scrivano, 2020-11-02)
    If the kernel supports ambient capabilities (Linux 4.3+), also set them when
    running with euid != 0.

    This is different from what Moby does, as ambient capabilities are never set.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #8166 from rhatdan/unbindable (OpenShift Merge Robot, 2020-11-02)
|\ \ \
| |_|/
|/| |
    Allow users to mount with unbindable flag
| * | Add better support for unbindable volume mounts (Daniel J Walsh, 2020-11-02)
    Allow users to specify unbindable on the volume command line.

    Switch internal mounts to rprivate to help prevent leaks.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #8207 from xordspar0/common-period-quota (OpenShift Merge Robot, 2020-11-02)
|\ \ \
    Centralize cores and period/quota conversion code
| * | | Centralize cores and period/quota conversion code (Jordan Christiansen, 2020-10-31)
| |/ /
    Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
* | | Merge pull request #8210 from TomSweeneyRedHat/dev/tsweeney/fixpull2 (OpenShift Merge Robot, 2020-11-02)
|\ \ \
| |_|/
|/| |
    Match build pull functionality with Docker's
| * | Match build pull functionality with Docker's (TomSweeneyRedHat, 2020-10-31)
| |/
    This is a continuation of #8189 and #8085.

    When doing a `docker build` command, if the `--pull` command is not specified
    or set to `false` the pullOption used is `PullifMissing`. This causes the
    build to pull the image only if it is not present in local storage. It also
    will raise an error if the image is not found in the registry (or the
    registry is down), even if the image is present in local storage.

    If the `--pull` command IS specified or specified with an argument of `true`,
    the build will always pull the image from the registries. This uses the
    pullOption `PullAlways`. It also will raise an error if the image is not
    found in the registry, even if the image is present in local storage.

    These changes now bring the pull functionality for `podman build` into line
    with `docker build`. However, I consider this to be a breaking change.

    Previously if you did `podman build --pull`, `podman build` or
    `podman build --pull = true`, then the image would be pulled from the
    registry if there was not an image in local storage or if the image in the
    registry was newer than the one in local storage. An error would *NOT* be
    raised if there was not an image in the registry or the registry was down as
    long as there was a copy in the local storage. An error would be raised if
    the image could not be retrieved from both the registry and local storage.
    This is the PullOption `PullIfNewer`.

    I believe this also differs from what Buildah does at this time but I'm too
    beat to chase that down at the moment.

    Personally I'd like to use the `PullIfNewer` for at least `--pull` and
    `--pull=true` so that you don't get an error if the registry has a network
    hiccup and the image is already stored locally. But this differs from Docker.

    I'd like to post scrum about this at our next stand up to make sure we're
    all on the same page about the ramifications of this change.

    Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* | Merge pull request #8212 from containers/dependabot/go_modules/github.com/containers/storage-1.23.8 (OpenShift Merge Robot, 2020-11-02)
|\ \
| |/
|/|
    Bump github.com/containers/storage from 1.23.7 to 1.23.8
| * Bump github.com/containers/storage from 1.23.7 to 1.23.8 (dependabot-preview[bot], 2020-11-02)
|/
    Bumps [github.com/containers/storage](https://github.com/containers/storage) from 1.23.7 to 1.23.8.
    - [Release notes](https://github.com/containers/storage/releases)
    - [Changelog](https://github.com/containers/storage/blob/master/docs/containers-storage-changes.md)
    - [Commits](https://github.com/containers/storage/compare/v1.23.7...v1.23.8)

    Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8197 from giuseppe/check-cgroupv2-swap-enabled (OpenShift Merge Robot, 2020-10-31)
|\
    specgen, cgroup2: check whether memory swap is enabled
| * specgen, cgroup2: check whether memory swap is enabled (Giuseppe Scrivano, 2020-10-30)
    Add a similar check to what we do on cgroup v1.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * specgen: split cgroup v1 and cgroup v2 code (Giuseppe Scrivano, 2020-10-30)
    Refactor function into two separate ones.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #8203 from Luap99/fix-8194 (OpenShift Merge Robot, 2020-10-31)
|\ \
    Fix dnsname when joining a different network namespace in a pod
| * | Fix dnsname when joining a different network namespace in a pod (Paul Holzinger, 2020-10-30)
| |/
    When creating a container in a pod the pod name was always set as the dns
    entry. This is incorrect when the container is not part of the pod's network
    namespace. This happened both rootful and rootless.

    To fix this check if we are part of the pod's network namespace and if not
    use the container name as dns entry.

    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #8100 from QiWang19/mirror-manifest (OpenShift Merge Robot, 2020-10-31)
|\ \
    manifest list inspect single image
| * | manifest list inspect single image (Qi Wang, 2020-10-30)
| |/
    If the image name is not a manifest list type, enable manifest inspect to
    return the manifest of a single image manifest type
    vnd.docker.distribution.manifest.v2+json.

    Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Merge pull request #8201 from QiWang19/search-limit (OpenShift Merge Robot, 2020-10-30)
|\ \
    Remove search limit since pagination support
| * | Remove search limit since pagination support (Qi Wang, 2020-10-30)
| |/
    Remove the search limit check since c/image v5.6.0 supports pagination and
    can give results with over 100 entries.

    Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Merge pull request #8202 from TomSweeneyRedHat/dev/tsweeney/buildahv1.17.0 (OpenShift Merge Robot, 2020-10-30)
|\ \
    Bump Buildah to v1.17.0
| * | Bump Buildah to v1.17.0 (TomSweeneyRedHat, 2020-10-30)
    Bump Buildah to v1.17.0 on Master.

    Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* | | Merge pull request #8177 from rhatdan/wrap (OpenShift Merge Robot, 2020-10-30)
|\ \ \
    Stop excessive wrapping of errors
| * | | Stop excessive wrapping of errors (Daniel J Walsh, 2020-10-30)
| | |/
| |/|
    Most of the builtin golang functions like os.Stat and os.Open report errors
    including the file system object path. We should not wrap these errors and
    put the file path in a second time, causing stuttering of errors when they
    get presented to the user.

    This patch tries to clean up a bunch of these errors.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #8200 from haircommander/parse-segfault (OpenShift Merge Robot, 2020-10-30)
|\ \ \
| |_|/
|/| |
    spec: protect against segfault
| * | spec: protect against segfault (Peter Hunt, 2020-10-30)
| |/
    when the user passes in "/dev/null::w"

    Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | Merge pull request #8196 from giuseppe/specgen-swap-limit-err-message (OpenShift Merge Robot, 2020-10-30)
|\ \
    specgen: fix error message
| * | specgen: fix error message (Giuseppe Scrivano, 2020-10-30)
| |/
    Drop spurious comma.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #8191 from mheon/no_error_on_sigproxy_stopped (OpenShift Merge Robot, 2020-10-30)
|\ \
    When container stops, drop sig-proxy errors to infos
| * | When container stops, drop sig-proxy errors to infos (Matthew Heon, 2020-10-30)
    The sig-proxy code is set up to error on failing to forward signals to a
    container. This is reasonable in cases where the container is running, but
    something strange went wrong - but when the Kill fails because the container
    is stopped, we shouldn't bother with aggressive Error logging since this is
    an expected part of the container lifecycle - it stops, and then `podman run`
    also stops, but there is a timing window in between where signals will fail
    to be proxied, and we should not print angry errors during that.

    Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #8127 from andylibrian/grab-systemd-mount-flags-from-the-host-7661 (OpenShift Merge Robot, 2020-10-30)
|\ \ \
    Improve setupSystemd, grab mount options from the host
| * | | Improve setupSystemd, grab mount options from the host (Andy Librian, 2020-10-30)
| | |/
| |/|
    Fixes #7661

    Signed-off-by: Andy Librian <andylibrian@gmail.com>
* | | Merge pull request #8187 from jwhonce/wip/table (OpenShift Merge Robot, 2020-10-30)
|\ \ \
    Restore --format table header support
| * | | Restore --format table header support (Jhon Honce, 2020-10-29)
    Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | | Merge pull request #8192 from rhatdan/shm (OpenShift Merge Robot, 2020-10-30)
|\ \ \ \
    Pods that share the IPC Namespace need to share /dev/shm
| * | | | Pods that share the IPC Namespace need to share /dev/shm (Daniel J Walsh, 2020-10-30)
| | |/ /
| |/| |
    Containers that share IPC Namespaces share each other's /dev/shm, which
    means a private /dev/shm needs to be set up for the infra container.

    Added a system test and an e2e test to make sure the /dev/shm is shared.

    Fixes: https://github.com/containers/podman/issues/8181

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #8199 from cevich/fix_missing_links (OpenShift Merge Robot, 2020-10-30)
|\ \ \ \
    [CI:DOCS] Fix broken CI readme links
| * | | | [CI:DOCS] Fix broken CI readme links (Chris Evich, 2020-10-30)
| |/ / /
    Signed-off-by: Chris Evich <cevich@redhat.com>
* | | | Merge pull request #8188 from cevich/workaround_agent_stopped_responding (OpenShift Merge Robot, 2020-10-30)
|\ \ \ \
| |/ / /
|/| | |
    Cirrus: Workaround F32 BFQ Kernel bug
| * | | Cirrus: Workaround F32 BFQ Kernel bug (Chris Evich, 2020-10-30)
    Signed-off-by: Chris Evich <cevich@redhat.com>
* | | | Merge pull request #8174 from rhatdan/errors (OpenShift Merge Robot, 2020-10-29)
|\ \ \ \
    Podman often reports OCI Runtime does not exist, even if it does
| * | | | Podman often reports OCI Runtime does not exist, even if it does (Daniel J Walsh, 2020-10-29)
    When the OCI Runtime tries to set certain settings in cgroups it can get the
    error "no such file or directory", the wrapper ends up reporting a bogus
    error like:

    ```
    Request Failed(Internal Server Error): open io.max: No such file or directory: OCI runtime command not found error {"cause":"OCI runtime command not found error","message":"open io.max: No such file or directory: OCI runtime command not found error","response":500}
    ```

    On first reading of this, you would think the OCI Runtime (crun or runc)
    were not found. But the error is actually reporting

        message":"open io.max: No such file or directory

    Which is what we want the user to concentrate on.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | Merge pull request #8189 from mheon/further_fix_pull_flag (OpenShift Merge Robot, 2020-10-29)
|\ \ \ \ \
    Fix the `--pull` flag to `podman build` to match Docker
| * | | | | Fix the `--pull` flag to `podman build` to match Docker (Matthew Heon, 2020-10-29)
| | |/ / /
| |/| | |
    The behavior should be as follows:

    - Unset: pull if missing by default, obey the `--pull-never` and
      `--pull-always` flags.
    - Set to false: pull never.
    - Set to true: pull always.

    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | | Merge pull request #8186 from Luap99/fix-8184 (OpenShift Merge Robot, 2020-10-29)
|\ \ \ \ \
| |/ / / /
|/| | | |
    Create the default root API address path