| Commit message (Collapse) | Author | Age |
|\
| |
| |
| |
| | |
debarshiray/wip/rishi/toolbox_test-userns-keepid-HOME
Test $HOME when it's parent is bind mounted with --userns=keep-id
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When --userns=keep-id is used, Podman is supposed to set up the home
directory of the user inside the container to match that on the host
as long as the home directory or any of its parents are marked as
volumes to be bind mounted into the container.
Currently, the test only considers the case where the home directory
itself is bind mounted into the container. It doesn't cover the Podman
code that walks through all the bind mounts looking for ancestors in
case the home directory itself wasn't specified as a bind mount.
Therefore, this improves the existing test added in commit
6ca8067956128585 ("Setup HOME environment when using --userns=keep-id")
Note that this test can't be run as root. The home directory of the
root user is /root, and it's parent is /. Bind mounting the entire /
from the host into the container prevents it from starting:
Error: openat2 ``: No such file or directory: OCI not found
Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
|
|\ \
| | |
| | | |
Update README.md
|
| | |
| | |
| | |
| | |
| | |
| | | |
Typo
Signed-off-by: JJ Asghar <jjasghar@gmail.com>
|
|\ \ \
| |/ /
|/| | |
specgen: add support for ambient capabilities
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
if --userns=keep-id is specified and not --user is specified, take the
unprivileged capabilities code path so that ambient capabilities are
honored in the container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
if the username is specified in the USER:GROUP form, make sure we only
check for USER.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
if the kernel supports ambient capabilities (Linux 4.3+), also set
them when running with euid != 0.
This is different that what Moby does, as ambient capabilities are
never set.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \
| |_|/
|/| | |
Allow users to mount with unbindable flag
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Allow users to specify unbindable on volume command line
Switch internal mounts to rprivate to help prevent leaks.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \
| | | |
| | | | |
Centralize cores and period/quota conversion code
|
| |/ /
| | |
| | |
| | | |
Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
|
|\ \ \
| |_|/
|/| | |
Match build pull functionality with Docker's
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is a continuation of #8189 and #8085.
When doing a `docker build` command, if the `--pull` command is not specified
or set to `false` the pullOption used is `PullifMissing`. This causes the
build to pull the image only if it is not present in local storage. It also will
raise an error if the image is not found in the registry (or the registry is down),
even if the image is present in local storage.
If the `--pull` command IS specified or specified with an argument of `true`, the
build will always pull the image from the registries. This uses the pullOption
`PullAlways`. It also will raise an error if the image is not found in the registry,
even if the image is present in local storage.
These changes now brings the pull functionality for `podman build` into line
with `docker build`.
However, I consider this to be a breaking change. Previously if you did
`podman build --pull`, `podman build` or `podman build --pull = true`, then
the image would be pulled from the registry if there was not an image in
local storage or if the image in the registry was newer than the one in
local storage. An error would *NOT* be raised if there was not an image in
the registry or the registry was down as long as there was a copy in the local
storage. An error would be raised if the image could not be retrieved from
both the registry and local storage. This is the PullOption `PullIfNewer`.
I believe this also differs from what Buildah does at this time but I'm too
beat to chase that down at the moment.
Personally I'd like to use the `PullIfNewer` for at least `--pull` and
`--pull=true` so that you don't get an error if the registry has a network
hiccup and the image is already stored locally. But this differs from Docker.
I'd like to post scrum about this at our next stand up to make sure we're
all on the same page about the ramifications of this change.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
|
|\ \
| |/
|/|
| |
| | |
containers/dependabot/go_modules/github.com/containers/storage-1.23.8
Bump github.com/containers/storage from 1.23.7 to 1.23.8
|
|/
|
|
|
|
|
|
|
|
| |
Bumps [github.com/containers/storage](https://github.com/containers/storage) from 1.23.7 to 1.23.8.
- [Release notes](https://github.com/containers/storage/releases)
- [Changelog](https://github.com/containers/storage/blob/master/docs/containers-storage-changes.md)
- [Commits](https://github.com/containers/storage/compare/v1.23.7...v1.23.8)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\
| |
| | |
specgen, cgroup2: check whether memory swap is enabled
|
| |
| |
| |
| |
| |
| | |
add a similar check to what we do on cgroup v1.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
| |
| |
| |
| |
| | |
refactor function into two separate ones.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
Fix dnsname when joining a different network namespace in a pod
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When creating a container in a pod the podname was always set as
the dns entry. This is incorrect when the container is not part
of the pods network namespace. This happend both rootful and
rootless. To fix this check if we are part of the pods network
namespace and if not use the container name as dns entry.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
|\ \
| | |
| | | |
manifest list inspect single image
|
| |/
| |
| |
| |
| |
| | |
If the image name not a manifest list type, enable manifest inspect to return manifest of single image manifest type vnd.docker.distribution.manifest.v2+json.
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
|\ \
| | |
| | | |
Remove search limit since pagination support
|
| |/
| |
| |
| |
| |
| | |
Remove the search limit check since the c/image v5.6.0 supports pagination and can give result over 100 entries.
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
|\ \
| | |
| | | |
Bump Buildah to v1.17.0
|
| | |
| | |
| | |
| | |
| | |
| | | |
Bump Buildah to v1.17.0 on Master.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
|
|\ \ \
| | | |
| | | | |
Stop excessive wrapping of errors
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Most of the builtin golang functions like os.Stat and
os.Open report errors including the file system object
path. We should not wrap these errors and put the file path
in a second time, causing stuttering of errors when they
get presented to the user.
This patch tries to cleanup a bunch of these errors.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \
| |_|/
|/| | |
spec: protect against segfault
|
| |/
| |
| |
| |
| |
| | |
when the user passes in "/dev/null::w"
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
|\ \
| | |
| | | |
specgen: fix error message
|
| |/
| |
| |
| |
| |
| | |
drop spurious comma.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
When container stops, drop sig-proxy errors to infos
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The sig-proxy code is set up to error on failing to forward
signals to a container. This is reasonable in cases where the
container is running, but something strange went wrong - but when
the Kill fails because the container is stopped, we shouldn't
bother with aggressive Error logging since this is an expected
part of the container lifecycle - it stops, and then `podman run`
also stops, but there is a timing window in between where signals
will fail to be proxied, and we should not print angry errors
during that.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|\ \ \
| | | |
| | | |
| | | |
| | | | |
andylibrian/grab-systemd-mount-flags-from-the-host-7661
Improve setupSystemd, grab mount options from the host
|
| | |/
| |/|
| | |
| | |
| | |
| | | |
fixes #7661
Signed-off-by: Andy Librian <andylibrian@gmail.com>
|
|\ \ \
| | | |
| | | | |
Restore --format table header support
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
Pod's that share the IPC Namespace need to share /dev/shm
|
| | |/ /
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Containers that share IPC Namespaces share each others
/dev/shm, which means a private /dev/shm needs to be setup
for the infra container.
Added a system test and an e2e test to make sure the
/dev/shm is shared.
Fixes: https://github.com/containers/podman/issues/8181
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
[CI:DOCS] Fix broken CI readme links
|
| |/ / /
| | | |
| | | |
| | | | |
Signed-off-by: Chris Evich <cevich@redhat.com>
|
|\ \ \ \
| |/ / /
|/| | | |
Cirrus: Workaround F32 BFQ Kernel bug
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Chris Evich <cevich@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
Podman often reports OCI Runtime does not exist, even if it does
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
When the OCI Runtime tries to set certain settings in cgroups
it can get the error "no such file or directory", the wrapper
ends up reporting a bogus error like:
```
Request Failed(Internal Server Error): open io.max: No such file or directory: OCI runtime command not found error
{"cause":"OCI runtime command not found error","message":"open io.max: No such file or directory: OCI runtime command not found error","response":500}
```
On first reading of this, you would think the OCI Runtime (crun or runc) were not found. But the error is actually reporting
message":"open io.max: No such file or directory
Which is what we want the user to concentrate on.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \ \ \
| | | | | |
| | | | | | |
Fix the `--pull` flag to `podman build` to match Docker
|
| | |/ / /
| |/| | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The behavior should be as follows: Unset, pull if missing by
default, obey the `--pull-never` and `--pull-always` flags. Set
to false, pull never. Set to true, pull always.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \ \ \ \
| |/ / / /
|/| | | | |
Create the default root API address path
|