Commit message (Author, Age)
* rootless: detect when user namespaces are not enabled (Giuseppe Scrivano, 2018-10-11)
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: report more error messages from the startup phase (Giuseppe Scrivano, 2018-10-11)
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: fix a hang on older versions of setresuid/setresgid (Giuseppe Scrivano, 2018-10-11)
  The issue is caused by the Go runtime, which messes with the process signals, overriding SIGSETXID and SIGCANCEL, which are used internally by glibc. They are used to inform all the threads to update their stored uid/gid information. This causes a hang on the set*id glibc wrappers since the handler installed by glibc is never invoked.
  Since we are running with only one thread, we don't really need to update other threads or even the current thread, as we are not using getuid/getgid before the execvp.
  Closes: https://github.com/containers/libpod/issues/1625
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1622 from baude/paprdind (OpenShift Merge Robot, 2018-10-11)
  Paprdind
  * wip (baude, 2018-10-10)
    Signed-off-by: baude <bbaude@redhat.com>
  * remove hack/dind (Valentin Rothberg, 2018-10-10)
    The docker-in-docker script was needed to run AppArmor tests in Travis, which is not required anymore since Travis hasn't been used for a while. Removing the script will also cure some hiccups on some atomic testing nodes.
    Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
* Merge pull request #1587 from mheon/fix_pod_status (OpenShift Merge Robot, 2018-10-08)
  Fix pod status reporting for new Exited state
  * Fix pod status reporting for new Exited state (Matthew Heon, 2018-10-03)
    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #1600 from rhatdan/vendor (OpenShift Merge Robot, 2018-10-08)
  Vendor in latest github.com/containers/storage,image, buildah
  * Vendor in latest github.com/containers/storage,image, buildah (Daniel J Walsh, 2018-10-07)
    Grab latest fixes from subpackages
    Including fixes for usernamespace chowning retaining file attributes
    Better logging of error messages.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1573 from baude/readdgolang (OpenShift Merge Robot, 2018-10-07)
  re-add BR for golang compiler to contrib/spec/podman.spec.in
  * re-add BR for golang compiler to contrib/spec/podman.spec.in (baude, 2018-10-04)
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1598 from cevich/readd_verify (OpenShift Merge Robot, 2018-10-05)
  Lower Cirrus-CI CPU + Re-add verify step
  * Re-add source-verify in cirrus-ci (Chris Evich, 2018-10-05)
    Don't waste GCE VM resources for 30 min of testing, when verify would fail after 3 minutes. This is the simplest mechanism to save cloud CPU time while GCE is under trial status (cannot set quotas).
    Signed-off-by: Chris Evich <cevich@redhat.com>
  * Lower CPU/Memory usage by cirrus VMs (Chris Evich, 2018-10-05)
    These can increase again, once we have more control over setting quotas in GCE. At the moment it's limited because of trial-account status.
    Signed-off-by: Chris Evich <cevich@redhat.com>
* Merge pull request #1597 from jtligon/master (OpenShift Merge Robot, 2018-10-05)
  added links to buildah.io and podman.io to README.md
  * added links to buildah.io and podman.io to README.md (jtligon, 2018-10-05)
    Signed-off-by: jtligon <jligon@redhat.com>
* Merge pull request #1594 from vrothberg/runlabel (OpenShift Merge Robot, 2018-10-05)
  runlabel: execute /proc/self/exe and avoid recursion
  * runlabel: execute /proc/self/exe and avoid recursion (Valentin Rothberg, 2018-10-05)
    Execute /proc/self/exe instead of podman. This makes the runlabel command more portable as it works for binaries outside the path as well as for local builds.
    Also, avoid redundantly executing the runlabel command by setting the PODMAN_RUNLABEL_NESTED environment variable to "1". Podman now checks for this variable before executing the runlabel command and will throw an error in case the variable is set.
    Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
* Merge pull request #1590 from baude/skipuserns (OpenShift Merge Robot, 2018-10-05)
  skip userns tests on non-fedora distributions for now
  * skip userns tests on non-fedora distributions for now (baude, 2018-10-05)
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1595 from baude/remove_travis (OpenShift Merge Robot, 2018-10-05)
  Remove Travis
  * Remove Travis (baude, 2018-10-05)
    Now that we are testing ubuntu-bionic on a VM, we no longer need travis.
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1593 from pkubatrh/dq_docker (OpenShift Merge Robot, 2018-10-05)
  docker: Double quote array expansions to avoid re-splitting elements
  * docker: Double quote array expansions to avoid re-splitting elements (Petr Kubat, 2018-10-05)
    Signed-off-by: Petr Kubat <pkubat@redhat.com>
* Merge pull request #1537 from mheon/libnetwork_resolv (OpenShift Merge Robot, 2018-10-05)
  Switch to using libnetwork's resolvconf package
  * Ensure resolv.conf has the right label and path (Matthew Heon, 2018-10-04)
    Adds a few missing things from writeStringToRundir() to the new resolv.conf function, specifically relabelling and returning a path compatible with rootless podman.
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  * Remove no longer used libnetwork from vendor.conf (Matthew Heon, 2018-10-04)
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  * Fix lint (Matthew Heon, 2018-10-04)
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  * Drop libnetwork vendor and move the code into pkg/ (Matthew Heon, 2018-10-04)
    The vendoring issues with libnetwork were significant (it was dragging in massive amounts of code) and were just not worth spending the time to work through. Highly unlikely we'll ever end up needing to update this code, so move it directly into pkg/ so we don't need to vendor libnetwork.
    Make a few small changes to remove the need for the remainder of libnetwork.
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  * Update libnetwork vendor to current master to fix CI (Matthew Heon, 2018-10-04)
    Avoid a Sirupsen vs sirupsen clash for logrus by updating to master.
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  * Switch to using libnetwork's resolvconf package (Matthew Heon, 2018-10-04)
    Libnetwork provides a well-tested package for generating resolv.conf from the host's that has some features our current implementation does not. Swap to using their code and remove our built-in implementation.
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1518 from cevich/cirrus-ci (OpenShift Merge Robot, 2018-10-05)
  Add cirrus-ci: eventual replacement for papr and travis
  * Add configuration for Cirrus-CI (Chris Evich, 2018-10-04)
    Testing podman requires exercising on a full-blown VM. The current containerized approach is complicated, and mostly a band-aid over shortcomings in the other CI systems. Namely, we want:
      * To pre-build environments with dependencies to reduce the setup time needed for testing.
      * The ability to verify the pre-built environments are working before utilizing them for further testing.
      * A simple, single set of flexible automation instructions to reduce maintenance burden.
      * Ease of environment reproduction across clouds or locally, for debugging failures.
    This change leverages Cirrus-CI + Packer + collection of shell scripts to realize all of the above.
    Signed-off-by: Chris Evich <cevich@redhat.com>
* Merge pull request #1570 from giuseppe/fix-gvisor (OpenShift Merge Robot, 2018-10-04)
  podman: allow usage of gVisor as OCI runtime
  * oci: split the stdout and stderr pipes (Giuseppe Scrivano, 2018-10-03)
    Read the OCI status from stdout, not the combined stdout+stderr stream.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * oci: always set XDG_RUNTIME_DIR (Giuseppe Scrivano, 2018-10-03)
    Fix an issue when using gVisor that couldn't start the container since the XDG_RUNTIME_DIR env variable used for the "create" and "start" commands is different. Set the environment variable for each command so that the OCI runtime always gets the same value.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #469 from adrianreber/master (OpenShift Merge Robot, 2018-10-04)
  Add support to checkpoint/restore containers
  * completions: add checkpoint/restore completions (Adrian Reber, 2018-10-03)
    Signed-off-by: Adrian Reber <areber@redhat.com>
  * tests: add checkpoint/restore test (Adrian Reber, 2018-10-03)
    Signed-off-by: Adrian Reber <areber@redhat.com>
  * tutorial: add checkpoint/restore to tutorial (Adrian Reber, 2018-10-03)
    Signed-off-by: Adrian Reber <areber@redhat.com>
  * docs: add checkpoint and restore man pages (Adrian Reber, 2018-10-03)
    This adds the podman-container-checkpoint and podman-container-restore man pages.
    Signed-off-by: Adrian Reber <areber@redhat.com>
  * Add support to checkpoint/restore containers (Adrian Reber, 2018-10-03)
    runc uses CRIU to support checkpoint and restore of containers. This brings an initial checkpoint/restore implementation to podman. None of the additional runc flags are yet supported and container migration optimization (pre-copy/post-copy) is also left for the future.
    The current status is that it is possible to checkpoint and restore a container. I am testing on RHEL-7.x and as the combination of RHEL-7 and CRIU has seccomp troubles I have to create the container without seccomp. With the following steps I am able to checkpoint and restore a container:
      # podman run --security-opt="seccomp=unconfined" -d registry.fedoraproject.org/f27/httpd
      # curl -I 10.22.0.78:8080
      HTTP/1.1 403 Forbidden   # <-- this is actually a good answer
      # podman container checkpoint <container>
      # curl -I 10.22.0.78:8080
      curl: (7) Failed connect to 10.22.0.78:8080; No route to host
      # podman container restore <container>
      # curl -I 10.22.0.78:8080
      HTTP/1.1 403 Forbidden
    I am using CRIU, runc and conmon from git. All required changes for checkpoint/restore support in podman have been merged in the corresponding projects.
    To have the same IP address in the restored container as before checkpointing, CNI is told which IP address to use. If the saved network configuration cannot be found during restore, the container is restored with a new IP address.
    For CRIU to restore established TCP connections the IP address of the network namespace used for restore needs to be the same. For TCP connections in the listening state the IP address can change.
    During restore only one network interface with one IP address is handled correctly. Support to restore containers with more advanced network configuration will be implemented later.
    v2:
      * comment typo
      * print debug messages during cleanup of restore files
      * use createContainer() instead of createOCIContainer()
      * introduce helper CheckpointPath()
      * do not try to restore a container that is paused
      * use existing helper functions for cleanup
      * restructure code flow for better readability
      * do not try to restore if checkpoint/inventory.img is missing
      * git add checkpoint.go restore.go
    v3:
      * move checkpoint/restore under 'podman container'
    v4:
      * incorporated changes from latest reviews
    Signed-off-by: Adrian Reber <areber@redhat.com>
* Merge pull request #1557 from rhatdan/systemd (OpenShift Merge Robot, 2018-10-04)
  Don't tmpcopyup on systemd cgroup
  * Don't tmpcopyup on systemd cgroup (Daniel J Walsh, 2018-09-29)
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1591 from baude/disablecontainerbuildservice (Matthew Heon, 2018-10-04)
  disable gce building of images
  * disable gce building of images (baude, 2018-10-04)
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1578 from baude/addubuntuci (OpenShift Merge Robot, 2018-10-03)
  Add Ubuntu-18.04 to CI testing
  * Add ability for ubuntu to be tested (baude, 2018-10-03)
    Unfortunately the papr CI system cannot test ubuntu as a VM; therefore, this PR still keeps travis. But it does include fixes that will be required for running on modern versions of ubuntu.
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1584 from giuseppe/drop-superflous-relabel (OpenShift Merge Robot, 2018-10-03)
  selinux: drop superfluous relabel