| Commit message | Author | Age |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We can't pause them, so if that's requested, throw an error.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Rootless containers can't be paused (no CGroups, so no freezer).
We could try and emulate this with a SIGSTOP to all PIDs in the
container, but that's inherently racy, so let's avoid it for now.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Should fix CVE-2018-15664 for Podman.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Securejoin ensures that paths are resolved in the container, not
on the host.
Fixes #3211
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
add dns flags to docs
Added same dns flags from buildah documentation to podman
Signed-off-by: Ashley Cui <ashleycui16@gmail.com>
Add missing 'container cp' alias and document missing 'container update' command
'docker cp' is an alias for 'docker container cp', and podman should have the equivalent alias.
Signed-off-by: Jose Diaz-Gonzalez <email@josediazgonzalez.com>
Also reorder the missing update command to better match the container update command (it is in the same management namespace)
Signed-off-by: Jose Diaz-Gonzalez <email@josediazgonzalez.com>
Podman logs man page shouldn't include timestamps
Change man page to reflect default output. Commands
with timestamps should include `-t` option.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add libpod journald logging
Signed-off-by: Peter Hunt <pehunt@redhat.com>
Signed-off-by: Peter Hunt <pehunt@redhat.com>
Add a journald reader that translates the journald entry to a k8s-file formatted line, to be added as a log line
Note: --follow with journald hasn't been implemented. It's going to be a larger undertaking that can wait.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
Signed-off-by: Peter Hunt <pehunt@redhat.com>
Signed-off-by: Peter Hunt <pehunt@redhat.com>
Signed-off-by: Peter Hunt <pehunt@redhat.com>
hack: support setting local region/zone
Signed-off-by: Chris Evich <cevich@redhat.com>
rootless: new function to join existing conmon processes
as it is used only by the rootless package now.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
since we now enter the user namespace prior to reading the conmon.pid, we
can write the conmon.pid file again to the runtime dir.
This reverts commit 6c6a8654363457a9638d58265d0a7e8743575d7a.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
otherwise the processes we leave around will be killed once the
session terminates.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
move the logic for joining existing namespaces down to the rootless
package. In main_local we still retrieve the list of conmon pid files
and use it from the rootless package.
In addition, create a temporary user namespace for reading these
files, as the unprivileged user might not have enough privileges for
reading the conmon pid file, for example when running with a different
uidmap and root in the container is different than the rootless user.
Closes: https://github.com/containers/libpod/issues/3187
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
block signals for the pause process, so it can't be killed by
mistake.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
bump conmon to v0.2.0
Signed-off-by: Peter Hunt <pehunt@redhat.com>
runtime: unlock the alive lock only once
Unlock the alive lock only once in the deferred func call.
Fixes: #3207
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
unshare: some cleanups and define CONTAINERS_{RUNROOT,GRAPHROOT}
define two environment variables, that simplify the task of cleaning
up the storage, as we can do something like:
podman unshare sh -c 'rm -rf $CONTAINERS_GRAPHROOT $CONTAINERS_RUNROOT'
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
fix bug dest path of copying tar
when podman cp tar without --extract flag, if the destination already exists, or ends with path separator, cp the tar under the directory, otherwise copy the tar named with the destination
Signed-off-by: Qi Wang <qiwan@redhat.com>
Apparmor fixes
Log a warning when --security-opt and --privileged are used together to
indicate that it has no effect since --privileged will set everything.
To avoid regressions, only warn, do not error out and do not print on
error level.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
https://github.com/containers/libpod/issues/3112 has revealed a
regression in apparmor when running privileged containers where the
profile must not be set or loaded. Add a simple test to avoid potential
future regressions.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Commit 27f9e23a0b9e already prevents setting the profile when creating
the spec but we also need to avoid loading and setting the profile when
creating the container.
Fixes: #3112
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Update install.md ostree Debian dependencies.
Add more Debian dependencies that I needed in Debian 9.9.
Signed-off-by: Jesse Wattenbarger <jesse.j.wattenbarger@gmail.com>
userns: add new option --userns=keep-id
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
it creates a namespace where the current UID:GID on the host is mapped
to the same UID:GID in the container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>