* Ensure that `--userns=keep-id` sets user in config (Matthew Heon, 2021-04-06)

    One of the side-effects of the `--userns=keep-id` command is switching the default user of the container to the UID of the user running Podman (though this can still be overridden by the `--user` flag). However, it did this by setting the UID and GID in the OCI spec, and not by informing Libpod of its intention to switch users via the `WithUser()` option. Because of this, a lot of the code that should have triggered when the container ran with a non-root user was not triggering. In the case of the issue that this fixed, the code to remove capabilities from non-root users was not triggering. Adjust the keep-id code to properly inform Libpod of our intention to use a non-root user to fix this.

    Also, fix an annoying race around short-running exec sessions where Podman would always print a warning that the exec session had already stopped.

    Fixes #9919

    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #9313 from jwhonce/issues/8773 (OpenShift Merge Robot, 2021-04-05)

    Add default template functions

  * Add default template functions (Jhon Honce, 2021-04-02)

      For commands that use the golang template library directly add the compatible template functions.

      [NO TESTS NEEDED]

      Fixes #8773

      Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Merge pull request #9423 from Luap99/rootless-cni-no-infra (OpenShift Merge Robot, 2021-04-05)

    rootless cni without infra container

  * Add rootless docker-compose test to the CI (Paul Holzinger, 2021-04-01)

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

  * Use the slirp4netns dns in the rootless cni ns (Paul Holzinger, 2021-04-01)

      If a user only has a local dns server in the resolv.conf file the dns resolution will fail. Instead we create a new resolv.conf which will use the slirp4netns dns.

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

  * Cleanup the rootless cni namespace (Paul Holzinger, 2021-04-01)

      Delete the network namespace and kill the slirp4netns process when it is no longer needed.

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

  * Add new docker-compose test for two networks (Paul Holzinger, 2021-04-01)

      Also fix the tests so we can use the podman function with the output.

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

  * Make the docker-compose test work rootless (Paul Holzinger, 2021-04-01)

      Make sure the DOCKER_SOCK location is accessible by the user when run rootless. Also set the DOCKER_HOST env var to ensure docker-compose will use the non default location.

      Cleanup steps such as `rm` or `umount` must be run inside podman unshare otherwise they can fail due to missing privileges.

      Change the curl test to use --retry-all-errors otherwise the tests will flake. The web server inside the container will return http code 500 sometimes, most likely because it is not fully ready to accept connections. With --retry-all-errors curl will retry instead of failing and thus the test will work.

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

  * Remove unused rootless-cni-infra container files (Paul Holzinger, 2021-04-01)

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

  * Only use rootless RLK when the container has ports (Paul Holzinger, 2021-04-01)

      Do not invoke the rootlesskit port forwarder when the container has no ports.

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

  * Fix dnsname test (Paul Holzinger, 2021-04-01)

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

  * Enable rootless network connect/disconnect (Paul Holzinger, 2021-04-01)

      With the new rootless cni supporting network connect/disconnect is easy. Combine common steps into extra functions to prevent code duplication.

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

  * Move slirp4netns functions into an extra file (Paul Holzinger, 2021-04-01)

      This should make maintenance easier.

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

  * Fix pod infra container cni network setup (Paul Holzinger, 2021-04-01)

      For rootless users the infra container used the slirp4netns net mode even when bridge was requested. We can support bridge networking for rootless users so we have to allow this. The default is not changed.

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

  * Add rootless support for cni and --uidmap (Paul Holzinger, 2021-04-01)

      This is supported with the new rootless cni logic.

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

  * rootless cni without infra container (Paul Holzinger, 2021-04-01)

      Instead of creating an extra container create a network and mount namespace inside the podman user namespace. This ns is used for rootless cni operations. This helps to align the rootless and rootful network code path. If we run as rootless we just have to set up an extra net ns and initialize slirp4netns in it. The ocicni lib will be called in that net ns. This design allows easier maintenance, no extra container with pause processes, support for rootless cni with --uidmap and possibly more.

      The biggest problem is backwards compatibility. I don't think live migration can be possible. If the user reboots or restarts all cni containers everything should work as expected again. The user is left with the rootless-cni-infra container and image but this can safely be removed.

      To make the existing cni configs work we need to execute the cni plugins in an extra mount namespace. This ensures that we can safely mount over /run and /var which have to be writeable for the cni plugins without removing access to these files by the main podman process. One caveat is that we need to keep the netns files at `XDG_RUNTIME_DIR/netns` accessible. `XDG_RUNTIME_DIR/rootless-cni/{run,var}` will be mounted to `/{run,var}`. To ensure that we keep the netns directory we bind mount this relative to the new root location, e.g. XDG_RUNTIME_DIR/rootless-cni/run/user/1000/netns before we mount the run directory. The run directory is mounted recursively, this makes the netns directory at the same path accessible as before. This also allows iptables-legacy to work because /run/xtables.lock is now writeable.

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #9928 from pendulm/fix_rootless_socket_activation (OpenShift Merge Robot, 2021-04-05)

    Fix rootless socket activation

  * Move socket activation check into init() and set global condition. (pendulm, 2021-04-05)

      So rootless setup could use this condition in parent and child; child podman should adjust LISTEN_PID to its own PID.

      Add system test for systemd socket activation.

      Signed-off-by: pendulm <lonependulm@gmail.com>
* Merge pull request #9937 from containers/dependabot/go_modules/github.com/onsi/ginkgo-1.16.0 (OpenShift Merge Robot, 2021-04-05)

    Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.0

  * Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.0 (dependabot[bot], 2021-04-05)

      Bumps [github.com/onsi/ginkgo](https://github.com/onsi/ginkgo) from 1.15.2 to 1.16.0.
      - [Release notes](https://github.com/onsi/ginkgo/releases)
      - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
      - [Commits](https://github.com/onsi/ginkgo/compare/v1.15.2...v1.16.0)

      Signed-off-by: dependabot[bot] <support@github.com>
* Merge pull request #9929 from eriksjolund/fix_typo_uidmapping (OpenShift Merge Robot, 2021-04-05)

    [CI:DOCS] Fix typos --uidmapping and --gidmapping and adjust Markdown layout for --userns

  * podman-run.1.md, podman-create.1.md: Adjust Markdown layout for --userns (Erik Sjölund, 2021-04-03)

      * Adjust Markdown layout for --userns.
      * Make the --userns sections identical for podman-run.1.md and podman-create.1.md

      Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>

  * Fix typos --uidmapping and --gidmapping (Erik Sjölund, 2021-04-03)

      * Fix typos --uidmapping and --gidmapping in podman-run.1.md
      * Add the corresponding sentence in podman-create.1.md

      Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
* Merge pull request #9900 from containers/dependabot/go_modules/github.com/rootless-containers/rootlesskit-0.14.1 (OpenShift Merge Robot, 2021-04-04)

    Bump github.com/rootless-containers/rootlesskit from 0.14.0 to 0.14.1

  * Bump github.com/rootless-containers/rootlesskit from 0.14.0 to 0.14.1 (dependabot[bot], 2021-04-03)

      Bumps [github.com/rootless-containers/rootlesskit](https://github.com/rootless-containers/rootlesskit) from 0.14.0 to 0.14.1.
      - [Release notes](https://github.com/rootless-containers/rootlesskit/releases)
      - [Commits](https://github.com/rootless-containers/rootlesskit/compare/v0.14.0...v0.14.1)

      Signed-off-by: dependabot[bot] <support@github.com>
* Merge pull request #9884 from rhatdan/build (OpenShift Merge Robot, 2021-04-04)

    Fix missing podman-remote build options

  * Fix missing podman-remote build options (Daniel J Walsh, 2021-04-02)

      Fix handling of SecurityOpts, LabelOpts, SeccompProfilePath, ApparmorProfile.

      Fix Ulimits.

      Fixes: https://github.com/containers/podman/issues/9869

      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9912 from jmguzik/recreate-prune-until-tests-for-containers (OpenShift Merge Robot, 2021-04-02)

    Recreate until container prune tests for bindings

  * Recreate until container prune tests for bindings (Jakub Guzik, 2021-04-01)

      Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* Merge pull request #9920 from ashley-cui/rooty (OpenShift Merge Robot, 2021-04-02)

    [NO TESTS NEEDED] Add ssh connection to root user

  * Add ssh connection to root user (Ashley Cui, 2021-04-01)

      When initing a VM, create two add connections - one to user, one to root. podman machine remove removes both connections as well.

      [NO TESTS NEEDED]

      Signed-off-by: Ashley Cui <acui@redhat.com>
* Merge pull request #9925 from containers/dependabot/go_modules/github.com/coreos/go-systemd/v22-22.3.1 (OpenShift Merge Robot, 2021-04-02)

    Bump github.com/coreos/go-systemd/v22 from 22.3.0 to 22.3.1

  * Bump github.com/coreos/go-systemd/v22 from 22.3.0 to 22.3.1 (dependabot[bot], 2021-04-02)

      Bumps [github.com/coreos/go-systemd/v22](https://github.com/coreos/go-systemd) from 22.3.0 to 22.3.1.
      - [Release notes](https://github.com/coreos/go-systemd/releases)
      - [Commits](https://github.com/coreos/go-systemd/compare/v22.3.0...v22.3.1)

      Signed-off-by: dependabot[bot] <support@github.com>
* Merge pull request #9899 from kellen-dunham/fix_9698 (OpenShift Merge Robot, 2021-04-01)

    Fix #9698 Updated reference to network

  * Fixed podman-remote --network flag (Kellen Dunham, 2021-03-31)

      Updated reference to network

      [NO TESTS NEEDED]

      Signed-off-by: Kellen Dunham <kellen@oneaib.com>
* Merge pull request #9894 from baude/machinesshfix (OpenShift Merge Robot, 2021-04-01)

    Remove --execute from podman machine ssh

  * Remove --execute from podman machine ssh (baude, 2021-03-31)

      The --execute flag ended up serving no purpose. It was removed and documentation was updated.

      Fixed a panic when no VM name was provided.

      [NO TESTS NEEDED]

      Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #9906 from rhatdan/runtime (OpenShift Merge Robot, 2021-04-01)

    Should send the OCI runtime path not just the name to buildah

  * Should send the OCI runtime path not just the name to buildah (Daniel J Walsh, 2021-03-31)

      [NO TESTS NEEDED] Mainly because I have no idea how we would test this.

      Fixes: https://github.com/containers/podman/issues/9459

      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9898 from Foxboron/morten/fix-makefile (OpenShift Merge Robot, 2021-03-31)

    [CI:DOCS] Makefile: Fix make install.docker regression

  * Makefile: introduce install.docker-full (Morten Linderud, 2021-03-31)

      The split of install.docker and install.docker-docs makes some sense but there should be some way to specify both for packagers. This introduces `make install.docker-full` which installs both the docker binary and the documentation.

      Signed-off-by: Morten Linderud <morten@linderud.pw>

  * Makefile: ensure install.docker creates BINDIR (Morten Linderud, 2021-03-31)

      Commit 3908c00799fe2af1a12c9c4f4be8b49dbdecd9be introduces a split for installing the docker binary and the docker documentation. The install lines creating BINDIR and MANDIR were both moved to the install.docker-docs path which makes `install.docker` fail.

      Signed-off-by: Morten Linderud <morten@linderud.pw>
* Merge pull request #9904 from Luap99/podman-machine-autocomplete (OpenShift Merge Robot, 2021-03-31)

    podman machine shell completion

  * podman machine shell completion (Paul Holzinger, 2021-03-31)

      Add shell completion for machine names.

      [NO TESTS NEEDED] I would like to add one to the shell completion test however using podman machine init is too expensive.

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #9903 from rhatdan/rusage (OpenShift Merge Robot, 2021-03-31)

    Fix handling of remote --log-rusage param

  * Fix handling of remote --log-rusage param (Daniel J Walsh, 2021-03-31)

      Fixes: https://github.com/containers/podman/issues/9889

      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9902 from jmguzik/fix-containers-flaky-bindings-prune-test (OpenShift Merge Robot, 2021-03-31)

    Fix bindings prune containers flaky test

  * Fix bindings prune containers flaky test (Jakub Guzik, 2021-03-31)

      In #9863 prune containers filter params were narrowed to support only those required by http API. The name filter in bindings was replaced by the until filter, which is not a good match, as until filters are causing tests to be flaky.

      Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* Merge pull request #9901 from w4tsn/docs/fix-podman-image-unmount-link (OpenShift Merge Robot, 2021-03-31)

    [CI:DOCS] Fix unmount doc reference in image.rst