Commit message (Author, Age)
* compat API: allow enforcing short-names resolution to Docker Hub (Valentin Rothberg, 2021-11-30)
| The Docker-compatible REST API has historically behaved just as the rest of Podman and Buildah (and the atomic Docker in older RHEL/Fedora) where `containers-registries.conf` is centrally controlling which registries a short name may resolve to during pull or local image lookups. Please refer to a blog for more details [1].
| Docker, however, is only resolving short names to docker.io which has been reported (see #12320) to break certain clients who rely on this behavior. In order to support this scenario, `containers.conf(5)` received a new option to control whether Podman's compat API resolves to docker.io only or behaves as before.
| Most endpoints allow for directly normalizing parameters that represent an image. If set in containers.conf, Podman will then normalize the references directly to docker.io.
| The build endpoint is an outlier since images are also referenced in Dockerfiles. The Buildah API, however, supports specifying a custom `types.SystemContext` in which we can set a field that enforces short-name resolution to docker.io in `c/image/pkg/shortnames`.
| Notice that this is a "hybrid" approach of doing the normalization directly in the compat endpoints *and* in `pkg/shortnames` by passing a system context. Doing such a hybrid approach is necessary since the compat and the libpod endpoints share the same `libimage.Runtime` which makes a global enforcement via the `libimage.Runtime.systemContext` impossible. Having two separate runtimes for the compat and the libpod endpoints seems risky and not generally applicable to all endpoints.
| [1] https://www.redhat.com/sysadmin/container-image-short-names
| Fixes: #12320
| Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12408 from rhatdan/stdout (OpenShift Merge Robot, 2021-11-30)
|\
| | Only open save output file with WRONLY
| * Only open save output file with WRONLY (Daniel J Walsh, 2021-11-29)
| | The previous code fails on a MAC when opening /dev/stdout
| | Fixes: https://github.com/containers/podman/issues/12402
| | [NO NEW TESTS NEEDED] No easy way to test this.
| | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #12412 from rhatdan/man (OpenShift Merge Robot, 2021-11-29)
|\ \
| | | [CI:DOCS] List /etc/containers/certs.d as default for --cert-path
| * | List /etc/containers/certs.d as default for --cert-path (Daniel J Walsh, 2021-11-29)
| | | Helps Document https://github.com/containers/podman/issues/10116
| | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #12407 from edsantiago/bindings_test_add_gitcommit (OpenShift Merge Robot, 2021-11-29)
|\ \ \
| | | | Bindings test: emit GIT_COMMIT, for links in logs
| * | | Bindings test: emit GIT_COMMIT, for links in logs (Ed Santiago, 2021-11-24)
| | | | Add a magic 'echo' to runner.sh, displaying $GIT_COMMIT in a special syntax. The logformatter script, seeing this, will hyperlink error messages to the failing source file.
| | | | Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | Merge pull request #12439 from rhatdan/Dockerfile (OpenShift Merge Robot, 2021-11-29)
|\ \ \ \
| | | | | [CI:DOCS] Move the chown to after the ADDs
| * | | | Move the chown to after the ADDs (Daniel J Walsh, 2021-11-29)
| | |/ /
| |/| |
| | | | I have noticed that the containers.conf file in the /home/podman directory is owned by root and not Podman. This change fixes the ownership.
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #12405 from flouthoc/compat-build-error (OpenShift Merge Robot, 2021-11-29)
|\ \ \ \
| |_|_|/
|/| | | compat: Add compatibility with `Docker/Moby` API for scenarios where build fails.
| * | | compat: Add compatibility with Docker/Moby API for scenarios where build fails (Aditya Rajan, 2021-11-24)
| | | | In order to maintain compatibility with `moby API` we must the field `errorDetail` which is primary error reporting field with stream. Currently podman is using `error` which is already deprecated by moby.
| | | | Check: https://github.com/moby/moby/blob/master/pkg/jsonmessage/jsonmessage.go#L147
| | | | [NO NEW TESTS NEEDED] We can't test this in podman CI since we don't have a docker client.
| | | | Signed-off-by: Aditya Rajan <arajan@redhat.com>
* | | | Merge pull request #12433 from matejvasek/fix-mount-parsing (OpenShift Merge Robot, 2021-11-29)
|\ \ \ \
| | | | | fix: parsing of HostConfig.Mounts for container create
| * | | | fix: parsing of HostConfig.Mounts for container create (Matej Vasek, 2021-11-29)
| | |/ /
| |/| |
| | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
* | | | Merge pull request #12401 from edsantiago/lint_tests (OpenShift Merge Robot, 2021-11-29)
|\ \ \ \
| |/ / /
|/| | | e2e tests: enable golint
| * | | e2e tests: enable golint (Ed Santiago, 2021-11-29)
|/ / /
| | | ...and fix problems found therewith.
| | | Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | Merge pull request #12431 from matejvasek/fix-ctr-archive-ep (OpenShift Merge Robot, 2021-11-29)
|\ \ \
| | | | fix: error reporting for archive endpoint
| * | | fix: error reporting for archive endpoint (Matej Vasek, 2021-11-28)
|/ / /
| | | Returning 500 when copying to read-only destination.
| | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
* | | Merge pull request #12406 from Luap99/xdg-checkpoint (OpenShift Merge Robot, 2021-11-25)
|\ \ \
| | | | checkpoint do not modify XDG_RUNTIME_DIR
| * | | checkpoint do not modify XDG_RUNTIME_DIR (Paul Holzinger, 2021-11-24)
| | |/
| |/|
| | | We should not modify the XDG_RUNTIME_DIR env value during runtime of libpod, this can cause hard to find bugs. Only set it for the OCI runtime, this matches the other commands such as start, stop, kill...
| | | [NO NEW TESTS NEEDED]
| | | Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #12403 from giuseppe/improve-cgroup-detection (OpenShift Merge Robot, 2021-11-25)
|\ \ \
| |/ /
|/| | libpod: improve heuristic to detect cgroup
| * | libpod: improve heuristic to detect cgroup (Giuseppe Scrivano, 2021-11-24)
| | | improve the heuristic to detect the scope that was created for the container. This is necessary with systemd running as PID 1, since it moves itself to a different sub-cgroup, thus stats would not account for other processes in the same container.
| | | Closes: https://github.com/containers/podman/issues/12400
| | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | libpod, inspect: export cgroup path (Giuseppe Scrivano, 2021-11-24)
| | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | stats: get the memory limit from the spec (Giuseppe Scrivano, 2021-11-24)
| |/
| | OCI runtimes may set the memory limits in different ways, e.g., crun creates a sub-cgroup where the limits are applied, while runc applies them directly on the created cgroup. Since there is standardization on the cgroup path to use, just use the limit specified in the spec file.
| | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #12404 from giuseppe/unlock-thread-only-on-success (OpenShift Merge Robot, 2021-11-24)
|\ \
| |/
|/| libpod: leave thread locked on errors
| * libpod: leave thread locked on errors (Giuseppe Scrivano, 2021-11-24)
|/
| if the SELinux label could not be restored correctly, leave the OS thread locked so that it is terminated once it returns to the threads pool.
| [NO NEW TESTS NEEDED] the failure is hard to reproduce
| Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #12398 from edsantiago/remove_betrue (OpenShift Merge Robot, 2021-11-24)
|\
| | continue e2e test cleanup
| * Find and fix empty Expect()s (Ed Santiago, 2021-11-23)
| | That previous commit made me wonder if there are any other instances of Expect() with no assertions.
| |     grep Expect test/e2e/*_test.go |egrep -v '\.(To|NotTo|Should)'
| | ...finds a couple of handfuls, most of which are OK (continued on the next line) but a few of which are bugs. Fix those.
| | Signed-off-by: Ed Santiago <santiago@redhat.com>
| * Remove StringInSlice(), part 2 (Ed Santiago, 2021-11-23)
| | These were NOPs, and were testing the wrong thing (pod ID, not container ID). Fixed manually.
| | Signed-off-by: Ed Santiago <santiago@redhat.com>
| * Remove StringInSlice(), part 1 (Ed Santiago, 2021-11-23)
| | via: sed -i -e 's/Expect(StringInSlice(\(.*\), \(.*\))).To(BeTrue())/Expect(\2)\.To(ContainElement(\1))/' test/e2e/*_test.go
| | Signed-off-by: Ed Santiago <santiago@redhat.com>
| * e2e test cleanup, continued (Ed Santiago, 2021-11-23)
| | Continue eliminating GrepString() and BeTrue(), in tiny incremental steps. Here I take the liberty of refactoring some hard-to-read code by adding a helper.
| | Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #12388 from rhatdan/test (OpenShift Merge Robot, 2021-11-24)
|\ \
| |/
|/| Unset SocketLabel after system finishes checkpointing
| * Unset SocketLabel after system finishes checkpointing (Daniel J Walsh, 2021-11-23)
|/
| This should fix the SELinux issue we are seeing with talking to /run/systemd/private.
| Fixes: https://github.com/containers/podman/issues/12362
| Also unset the XDG_RUNTIME_DIR if set, since we don't know when running as a service if this will cause issues.
| Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #12371 from jakub-dzon/env-config-maps (OpenShift Merge Robot, 2021-11-23)
|\
| | Support env variables based on ConfigMaps sent in payload
| * Support env variables based on ConfigMaps sent in payload (Jakub Dzon, 2021-11-23)
| | Fixes #12363
| | Signed-off-by: Jakub Dzon <jdzon@redhat.com>
* | Merge pull request #12397 from mheon/warn_on_failed_update (Daniel J Walsh, 2021-11-23)
|\ \
| | | Warn on failing to update container status
| * | Warn on failing to update container status (Matthew Heon, 2021-11-23)
| | | failed to send a signal to the container's PID1, but ignored the results of that update. That's generally bad practice, since even if we can't directly take action on an error, we should still make an effort to report it for debugging purposes. I used Infof instead of something more serious to avoid duplicate reporting to the user if something has gone seriously wrong.
| | | [NO NEW TESTS NEEDED] this is just adding additional error reporting.
| | | Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #12377 from markzhang1996/patch-1 (OpenShift Merge Robot, 2021-11-23)
|\ \ \
| | | | [CI:DOCS] Update basic_networking.md
| * | | Update basic_networking.md (Mark Zhang, 2021-11-23)
| | | | Correct a missing link in basic networking tutorial.
| | | | Signed-off-by: Mark Zhang <markzhang1994@gmail.com>
* | | | Merge pull request #12328 from serverwentdown/fix-compat-ipaddress (Daniel J Walsh, 2021-11-23)
|\ \ \ \
| | | | | compat: Add subnet mask behind IP address to match Docker API
| * | | | compat: Add subnet mask behind IP address to match Docker API (Ambrose Chua, 2021-11-20)
| |/ / /
| | | | Signed-off-by: Ambrose Chua <ambrose@hey.com>
* | | | Merge pull request #12361 from rhatdan/remote (Daniel J Walsh, 2021-11-23)
|\ \ \ \
| |_|/ /
|/| | | podman-remote does not support signature-policy
| * | | podman-remote does not support signature-policy (Daniel J Walsh, 2021-11-19)
| | | | Fixes: https://github.com/containers/podman/issues/12357
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #12394 from flouthoc/oci_dont_send_signal_to_dead (OpenShift Merge Robot, 2021-11-23)
|\ \ \ \
| | | | | oci: exit `gracefully` if container is already dead instead of trying to `kill` it.
| * | | | oci: ack crun output when container is not there (Aditya Rajan, 2021-11-23)
| | | | | `crun status ctrid` outputs `No such file or directory` when container is not there so podman must ack it.
| | | | | [NO NEW TESTS NEEDED]
| | | | | Signed-off-by: Aditya Rajan <arajan@redhat.com>
| * | | | oci: exit gracefully if container is already dead (Aditya Rajan, 2021-11-23)
| | |_|/
| |/| |
| | | | While trying to kill a container with a `signal` we can't do anything if container is already dead so `exit` gracefully instead of trying to delete container again. Get container status from runtime.
| | | | [ NO NEW TESTS NEEDED ]
| | | | Signed-off-by: Aditya Rajan <arajan@redhat.com>
* | | | Merge pull request #12010 from vrothberg/fix-11964 (OpenShift Merge Robot, 2021-11-23)
|\ \ \ \
| |/ / /
|/| | | image lookup: do not match *any* tags
| * | | image lookup: do not match *any* tags (Valentin Rothberg, 2021-11-23)
| | | | For reasons buried in the history of Podman, looking up an untagged image would match any tag of matching image. For instance, looking up centos would match a local image centos:foobar. Change that behavior to only match the latest tag.
| | | | Fix: #11964
| | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Merge pull request #12380 from vrothberg/fix-11618 (OpenShift Merge Robot, 2021-11-23)
|\ \ \ \
| |/ / /
|/| | | generate systemd: add --start-timeout flag
| * | | generate systemd: add --start-timeout flag (Valentin Rothberg, 2021-11-23)
| | | | Add a new flag to set the start timeout for a generated systemd unit. To make naming consistent, add a new --stop-timeout flag as well and let the previous --time map to it.
| | | | Fixes: #11618
| | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Merge pull request #12387 from edsantiago/remove_betrue (OpenShift Merge Robot, 2021-11-23)
|\ \ \ \
| |/ / /
|/| | | e2e tests: clean up antihelpful BeTrue()s