| Commit message (Collapse) | Author | Age |
|---|
| |\
| |
| | |
Fix build for mips architecture follow-up
|
| | |
| |
| |
| | |
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Follow-up to commit (1ad796677e1c). The build on mips is still
failing because SIGWINCH was not defined in the signal pkg.
Also stat_t.Rdev is unit32 on mips so we need to typecast.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| |\ \
| | |
| | | |
Switch references of /var/run -> /run
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Systemd is now complaining or mentioning /var/run as a legacy directory.
It has been many years where /var/run is a symlink to /run on all
most distributions, make the change to the default.
Partial fix for https://github.com/containers/podman/issues/8369
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \
| | | |
| | | | |
Containers should not get inheritable caps by default
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When I launch a container with --userns=keep-id the rootless processes
should have no caps by default even if I launch the container with
--privileged. It should only get the caps if I specify by hand the
caps I want leaked to the process.
Currently we turn off capeff and capamb, but not capinh. This patch
treats capinh the same way as capeff and capamb.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \
| | | |
| | | | |
rootless: automatically split userns ranges
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
writing to the id map fails when an extent overlaps multiple mappings
in the parent user namespace:
$ cat /proc/self/uid_map
0 1000 1
1 100000 65536
$ unshare -U sleep 100 &
[1] 1029703
$ printf "0 0 100\n" | tee /proc/$!/uid_map
0 0 100
tee: /proc/1029703/uid_map: Operation not permitted
This limitation is particularly annoying when working with rootless
containers as each container runs in the rootless user namespace, so a
command like:
$ podman run --uidmap 0:0:2 --rm fedora echo hi
Error: writing file `/proc/664087/gid_map`: Operation not permitted: OCI permission denied
would fail since the specified mapping overlaps the first
mapping (where the user id is mapped to root) and the second extent
with the additional IDs available.
Detect such cases and automatically split the specified mapping with
the equivalent of:
$ podman run --uidmap 0:0:1 --uidmap 1:1:1 --rm fedora echo hi
hi
A fix has already been proposed for the kernel[1], but even if it
accepted it will take time until it is available in a released kernel,
so fix it also in pkg/rootless.
[1] https://lkml.kernel.org/lkml/20201203150252.1229077-1-gscrivan@redhat.com/
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \ \ \
| |_|/ /
|/| | | |
Fix podman logs read partial log lines
|
| | | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | | |
If a partial log line has the length 1 it was ignored by podman logs.
Fixes #8879
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| |\ \ \
| |_|/
|/| |
| | |
| | | |
containers/dependabot/go_modules/github.com/google/uuid-1.1.4
Bump github.com/google/uuid from 1.1.3 to 1.1.4
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.1.3 to 1.1.4.
- [Release notes](https://github.com/google/uuid/releases)
- [Commits](https://github.com/google/uuid/compare/v1.1.3...v1.1.4)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \
| |_|/
|/| | |
Fix e2e test for `podman build --logfile`
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Type casting is necessary to see if the logfile size is not equal to 0.
Signed-off-by: Hironori Shiina <Hironori.Shiina@fujitsu.com>
|
| |\ \ \
| | | |
| | | | |
libpod: handle single user mapped as root
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
if a single user is mapped in the user namespace, handle it as root.
It is needed for running unprivileged containers with a single user
available without being forced to run with euid and egid set to 0.
Needs: https://github.com/containers/storage/pull/794
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \ \ \
| | | | |
| | | | | |
Ensure that user-specified HOSTNAME is honored
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
When adding the HOSTNAME environment variable, only do so if it
is not already present in the spec. If it is already present, it
was likely added by the user, and we should honor their requested
value.
Fixes #8886
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |\ \ \ \ \
| | | | | |
| | | | | | |
Revert e6fbc15f26b2a609936dfc11732037c70ee14cba and reenable tests
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
The issue requiring these tests be disabled should be resolved.
Reenable the tests as such.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\ \ \ \ \ \
| |/ / / / /
|/| | | | | |
Cirrus: Update Fedora & Ubuntu images
|
| |/ / / / /
| | | | |
| | | | |
| | | | | |
Signed-off-by: Chris Evich <cevich@redhat.com>
|
| |\ \ \ \ \
| | | | | |
| | | | | | |
Ignore containers.conf sysctls when sharing namespaces
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Ensure that infra containers for pods will grab default sysctls
from containers.conf, to match how other containers are created.
This mostly affects the other containers in the pod, which will
inherit those sysctls when they join the pod's namespaces.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
The existing code prevents containers.conf default sysctls from
being added if the container uses a host namespace. This patch
expands that to not just host namespaces, but also *shared*
namespaces - so we never modify another container's (or a pod's)
namespaces without being explicitly directed to do so by the
user.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
generate systemd: do not set `KillMode`
|
| | | |/ / / /
| |/| | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
`KillMode=none` has been deprecated in systemd and is now throwing big
warnings when being used. Users have reported the issues upstream
(see #8615) and on the mailing list.
This deprecation was mainly motivated by an abusive use of third-party
vendors causing all kinds of undesired side-effects. For instance, busy
mounts that delay reboot.
After talking to the systemd team, we came up with the following plan:
**Short term**: we can use TimeoutStopSec and remove KillMode=none which
will default to cgroup.
**Long term**: we want to change the type to sdnotify. The plumbing for
Podman is done but we need it for conmon. Once sdnotify is working, we
can get rid of the pidfile handling etc. and let Podman handle it.
Michal Seklatar came up with a nice idea that Podman increase the time
out on demand. That's a much cleaner way than hard-coding the time out
in the unit as suggest in the short-term solution.
This change is executing the short-term plan and sets a minimum timeout
of 60 seconds. User-specified timeouts are added to that.
Fixes: #8615
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Rework pruning to report reclaimed space
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
This change adds code to report the reclaimed space after a prune.
Reclaimed space from volumes, images, and containers is recorded
during the prune call in a PruneReport struct. These structs are
collected into a slice during a system prune and processed afterwards
to calculate the total reclaimed space.
Closes #8658
Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
|
| |\ \ \ \ \ \ \
| |_|/ / / / /
|/| | | | | | |
vendor containers/psgo@v1.5.2
|
| |/ / / / / /
| | | | | |
| | | | | |
| | | | | | |
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \ \ \ \ \
| |_|_|_|_|/
|/| | | | | |
close journald when reading
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
when reading from journald, we need to close the journal handler for
events and logging.
Fixes: #8864
Signed-off-by: baude <bbaude@redhat.com>
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Ensure we do not edit container config in Exec
|
| | |/ / / / /
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
The existing code grabs the base container's process, and then
modifies it for use with the exec session. This could cause
errors in `podman inspect` or similar on the container, as the
definition of its OCI spec has been changed by the exec session.
The change never propagates to the DB, so it's limited to a
single process, but we should still avoid it when possible - so
deep-copy it before use.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Allow image errors to bubble up from lower level functions.
|
| | |/ / / / /
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Currently we ignore ErrMultipleImages being returned from findImageInRepoTags.
Fixes: https://github.com/containers/podman/issues/8868
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
libpod API: pull: fix channel race
|
| | |/ / / / /
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Fix a race condition in the pull endpoint caused by buffered channels.
Using buffered channels can lead to the context's cancel function to be
executed prior to the items being read from the channel.
Fixes: #8870
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \ \ \ \ \
| |/ / / / /
|/| | | | | |
systemd: make rundir always accessible
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
so that the PIDFile can be accessed also without being in the rootless
user namespace.
Closes: https://github.com/containers/podman/issues/8506
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
containers/dependabot/go_modules/github.com/google/uuid-1.1.3
Bump github.com/google/uuid from 1.1.2 to 1.1.3
|
| | | |/ / / /
| |/| | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.1.2 to 1.1.3.
- [Release notes](https://github.com/google/uuid/releases)
- [Commits](https://github.com/google/uuid/compare/v1.1.2...v1.1.3)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \ \ \ \
| |_|/ / / /
|/| | | | | |
Disable seccomp by default when creating a privileged container.
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
When running a privileged container and `SeccompProfilePath` is empty no seccomp profile should be applied.
(Previously this was the case only if `SeccompProfilePath` was set to a non-empty default path.)
Closes #8849
Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
|
