summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* Fix podman cp testsMatthew Heon2019-05-30
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Error when trying to copy into a running rootless ctrMatthew Heon2019-05-30
| | | | | | We can't pause them, so if that's requested, throw an error. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* We can't pause rootless containers during cpMatthew Heon2019-05-29
| | | | | | | | | Rootless containers can't be paused (no CGroups, so no freezer). We could try and emulate this with a SIGSTOP to all PIDs in the container, but that's inherently racy, so let's avoid it for now. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Fix bug in e2e tests for podman cpMatthew Heon2019-05-29
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Tolerate non-running containers in paused cpMatthew Heon2019-05-29
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add test to ensure symlinks are resolved in ctr scopeMatthew Heon2019-05-29
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add --pause to podman cp manpage and bash completionsMatthew Heon2019-05-29
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Pause containers while copying into themMatthew Heon2019-05-29
| | | | | | Should fix CVE-2018-15664 for Podman. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Use securejoin to merge paths in `podman cp`Matthew Heon2019-05-29
| | | | | | | | | Securejoin ensures that paths are resolved in the container, not on the host. Fixes #3211 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3230 from ashley-cui/dnsdocOpenShift Merge Robot2019-05-29
|\ | | | | add dns flags to docs
| * add dns flags to docsAshley Cui2019-05-29
| | | | | | | | | | | | Added same dns flags from buildah documentation to podman Signed-off-by: Ashley Cui <ashleycui16@gmail.com>
* | Merge pull request #3221 from josegonzalez/masterOpenShift Merge Robot2019-05-29
|\ \ | | | | | | Add missing 'container cp' alias and document missing 'container update' command
| * | add missing container cp commandJose Diaz-Gonzalez2019-05-29
| | | | | | | | | | | | | | | | | | 'docker cp' is an alias for 'docker container cp', and podman should have the equivalent alias. Signed-off-by: Jose Diaz-Gonzalez <email@josediazgonzalez.com>
| * | document missing container update commandJose Diaz-Gonzalez2019-05-29
| | | | | | | | | | | | | | | | | | Also reorder the missing update command to better match the container update command (it is in the same management namespace) Signed-off-by: Jose Diaz-Gonzalez <email@josediazgonzalez.com>
* | | Merge pull request #3228 from rhatdan/manOpenShift Merge Robot2019-05-29
|\ \ \ | | | | | | | | Podman logs man page shouldn't include timestamps
| * | | Podman logs man page shouldn't include timestampsDaniel J Walsh2019-05-29
|/ / / | | | | | | | | | | | | | | | | | | Change man page to reflect default output. Commands with timestamps should include `-t` option. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #2709 from haircommander/journaldOpenShift Merge Robot2019-05-29
|\ \ \ | | | | | | | | Add libpod journald logging
| * | | Add --follow to journald ctr loggingPeter Hunt2019-05-28
| | | | | | | | | | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * | | Address commentsPeter Hunt2019-05-28
| | | | | | | | | | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * | | Implement podman logs with log-driver journaldPeter Hunt2019-05-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a journald reader that translates the journald entry to a k8s-file formatted line, to be added as a log line Note: --follow with journald hasn't been implemented. It's going to be a larger undertaking that can wait. Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * | | bump go-systemd versionPeter Hunt2019-05-28
| | | | | | | | | | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * | | Added --log-driver and journald loggingPeter Hunt2019-05-28
| | | | | | | | | | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * | | Update completions and docs to use k8s file as log driverPeter Hunt2019-05-28
| | | | | | | | | | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | | Merge pull request #3223 from cevich/multi-zone-hackOpenShift Merge Robot2019-05-29
|\ \ \ \ | | | | | | | | | | hack: support setting local region/zone
| * | | | hack: support setting local region/zoneChris Evich2019-05-29
| | |/ / | |/| | | | | | | | | | Signed-off-by: Chris Evich <cevich@redhat.com>
* | | | Merge pull request #3188 from giuseppe/fix-join-existing-containersOpenShift Merge Robot2019-05-29
|\ \ \ \ | |/ / / |/| | | rootless: new function to join existing conmon processes
| * | | rootless: make JoinUserAndMountNS privateGiuseppe Scrivano2019-05-25
| | | | | | | | | | | | | | | | | | | | | | | | as it is used only by the rootless package now. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | Revert "rootless: change default path for conmon.pid"Giuseppe Scrivano2019-05-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | since we now enter the user namespace prior to read the conmon.pid, we can write the conmon.pid file again to the runtime dir. This reverts commit 6c6a8654363457a9638d58265d0a7e8743575d7a. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | rootless: enable loginctl lingerGiuseppe Scrivano2019-05-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | otherwise the processes we leave around will be killed once the session terminates. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | rootless: new function to join existing conmon processesGiuseppe Scrivano2019-05-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | move the logic for joining existing namespaces down to the rootless package. In main_local we still retrieve the list of conmon pid files and use it from the rootless package. In addition, create a temporary user namespace for reading these files, as the unprivileged user might not have enough privileges for reading the conmon pid file, for example when running with a different uidmap and root in the container is different than the rootless user. Closes: https://github.com/containers/libpod/issues/3187 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | rootless: block signals for pauseGiuseppe Scrivano2019-05-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | block signals for the pause process, so it can't be killed by mistake. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #3210 from haircommander/conmon-0.2.0OpenShift Merge Robot2019-05-28
|\ \ \ \ | |_|_|/ |/| | | bump conmon to v0.2.0
| * | | bump conmon to v0.2.0Peter Hunt2019-05-28
| | | | | | | | | | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | | Merge pull request #3208 from vrothberg/fix-3207OpenShift Merge Robot2019-05-28
|\ \ \ \ | | | | | | | | | | runtime: unlock the alive lock only once
| * | | | runtime: unlock the alive lock only onceValentin Rothberg2019-05-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Unlock the alive lock only once in the deferred func call. Fixes: #3207 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | Merge pull request #3137 from giuseppe/unshare-fixesOpenShift Merge Robot2019-05-28
|\ \ \ \ \ | | | | | | | | | | | | unshare: some cleanups and define CONTAINERS_{RUNROOT,GRAPHROOT}
| * | | | | unshare: define CONTAINERS_GRAPHROOT and CONTAINERS_RUNROOTGiuseppe Scrivano2019-05-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | define two environment variables, that simplify the task of cleaning up the storage, as we can do something like: podman unshare sh -c 'rm -rf $CONTAINERS_GRAPHROOT $CONTAINERS_RUNROOT' Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | | | unshare: use rootless from libpodGiuseppe Scrivano2019-05-16
| | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | | Merge pull request #3194 from QiWang19/cptarOpenShift Merge Robot2019-05-28
|\ \ \ \ \ \ | |_|_|_|_|/ |/| | | | | fix bug dest path of copying tar
| * | | | | fix bug dest path of copying tarQi Wang2019-05-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when podman cp tar without --extract flag, if the destination already exists, or ends with path seprator, cp the tar under the directory, otherwise copy the tar named with the destination Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | | | | Merge pull request #3189 from vrothberg/apparmor-fixesOpenShift Merge Robot2019-05-28
|\ \ \ \ \ \ | |_|_|/ / / |/| | | | | Apparmor fixes
| * | | | | warn when --security-opt and --privilegedValentin Rothberg2019-05-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Log a warning when --security-opt and --privileged are used together to indicate that it has no effect since --privileged will set everything. To avoid regressions, only warn, do not error out and do not print on error level. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * | | | | baseline tests: apparmor with --privilegedValentin Rothberg2019-05-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://github.com/containers/libpod/issues/3112 has revealed a regression in apparmor when running privileged containers where the profile must not be set or loaded. Add a simple test to avoid potential future regressions. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * | | | | apparmor: don't load/set profile in privileged modeValentin Rothberg2019-05-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 27f9e23a0b9e already prevents setting the profile when creating the spec but we also need to avoid loading and setting the profile when creating the container. Fixes: #3112 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | | Merge pull request #3198 from jjwatt/patch-1OpenShift Merge Robot2019-05-26
|\ \ \ \ \ \ | |_|_|_|_|/ |/| | | | | Update install.md ostree Debian dependencies.
| * | | | | Update install.md ostree Debian dependencies.Jesse Wattenbarger2019-05-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add more Debian dependencies that I needed in Debian 9.9. Signed-off-by: Jesse Wattenbarger <jesse.j.wattenbarger@gmail.com>
* | | | | | Merge pull request #3196 from giuseppe/keep-idOpenShift Merge Robot2019-05-25
|\ \ \ \ \ \ | | | | | | | | | | | | | | userns: add new option --userns=keep-id
| * | | | | | podman: honor env variable PODMAN_USERNSGiuseppe Scrivano2019-05-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | | | | userns: add new option --userns=keep-idGiuseppe Scrivano2019-05-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | it creates a namespace where the current UID:GID on the host is mapped to the same UID:GID in the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | | | | rootless: store also the original GID in the hostGiuseppe Scrivano2019-05-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>