summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* Merge pull request #1091 from giuseppe/rootless-unshare-mount-nsDaniel J Walsh2018-07-13
|\ | | | | rootless: unshare mount namespace
| * rootless: unshare mount namespaceGiuseppe Scrivano2018-07-13
| | | | | | | | | | | | | | | | | | | | | | unshare the mount namespace as well when creating an user namespace so that we are the owner of the mount namespace and we can mount FUSE file systems on Linux 4.18. Tested on Fedora Rawhide: podman --storage-opt overlay.fuse_program=/usr/bin/fuse-overlayfs run alpine echo hello hello Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1075 from giuseppe/rootless-no-symlinks-into-storage-pathDaniel J Walsh2018-07-13
|\ \ | | | | | | rootless: fix usage on Fedora Silverblue/CoreOS
| * | rootless: correctly propagate the exit status from the containerGiuseppe Scrivano2018-07-13
| | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | runtime: delete unused functionGiuseppe Scrivano2018-07-11
| | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | rootless: propagate errors from GetRootlessRuntimeDir()Giuseppe Scrivano2018-07-11
| | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | rootless: resolve the user home directoryGiuseppe Scrivano2018-07-11
| | | | | | | | | | | | | | | | | | Closes: https://github.com/projectatomic/libpod/issues/1073 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #1065 from haircommander/pod-start-create-rmDaniel J Walsh2018-07-13
|\ \ \ | | | | | | | | Podman pod create/rm/ps commands with man pages and tests
| * | | Added full podman pod ps, with tests and man pagehaircommander2018-07-13
| | | | | | | | | | | | | | | | Signed-off-by: haircommander <pehunt@redhat.com>
| * | | Podman pod create/rm commands with man page and tests.haircommander2018-07-13
| | | | | | | | | | | | | | | | | | | | | | | | Includes a very stripped down version of podman pod ps, just for testing Signed-off-by: haircommander <pehunt@redhat.com>
* | | | Need to wait for container to exit before completing run/start completesDaniel J Walsh2018-07-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes a race condition where conmon is still writing the exit file and the container is exiting. Also we should not be ignoring the -a stdin flag if the user specifies --interactive mode. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1086 Approved by: baude
* | | | If proxy fails then then signal should be sent to the main processDaniel J Walsh2018-07-13
| |_|/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | This way ^c will actually kill the host process if the container is not actually running. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1086 Approved by: baude
* | | fix pull image that includes a shabaude2018-07-13
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when pulling an image that includes a sha such as: centos/nginx-112-centos7@sha256:42330f7f29ba1ad67819f4ff3ae2472f62de13a827a74736a5098728462212e7 the final image name in libpod should not contain portions of the sha itself nor the sha identifier. and like docker, we provide a 'none' tag as well. this should fix #877 Signed-off-by: baude <bbaude@redhat.com> Closes: #1085 Approved by: mheon
* | Added created time to pod statehaircommander2018-07-12
| | | | | | | | | | | | | | Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1079 Approved by: rhatdan
* | Support multiple networksbaude2018-07-12
| | | | | | | | | | | | | | | | | | | | | | | | | | This is a refresh of Dan William's PR #974 with a rebase and proper vendoring of ocicni and containernetworking/cni. It adds the ability to define multiple networks as so: podman run --network=net1,net2,foobar ... Signed-off-by: baude <bbaude@redhat.com> Closes: #1082 Approved by: baude
* | Log all output of logrus to syslog as well as stdout/stderrDaniel J Walsh2018-07-12
| | | | | | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1084 Approved by: baude
* | podman rmi should only untag image if parent of anotherumohnani82018-07-12
| | | | | | | | | | | | | | | | | | | | | | | | podman rmi was deleting an image even if it was a parent of another image. This fix just untags the image instead. This also fixes podman rmi to remove intermediate images of an image when the image is removed. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #1055 Approved by: mheon
* | Changed container status of Unknown from being printed as Dead to Error in Pshaircommander2018-07-12
| | | | | | | | | | | | | | Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1083 Approved by: rhatdan
* | Fix podman build completionsDaniel J Walsh2018-07-12
| | | | | | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1077 Approved by: giuseppe
* | Refactor attach()/start() after podman changesJhon Honce2018-07-12
| | | | | | | | | | | | | | | | | | | | | | * Update examples * Update/Clean up unittests * Add Mixins for container attach()/start() Signed-off-by: Jhon Honce <jhonce@redhat.com> Closes: #1080 Approved by: baude
* | create conmon sockets when getting their pathsbaude2018-07-11
| | | | | | | | | | | | | | | | | | | | | | | | when using the getattachsockets endpoint, which returns the sockets needed to create and use a terminal, we should check if the container is just in the configured state. if so, we need to perform a container init to have conmon create the required sockets so we can attach to them prior to starting the container. Signed-off-by: baude <bbaude@redhat.com> Closes: #1067 Approved by: jwhonce
* | build: enable ostree in containers/storage when availableGiuseppe Scrivano2018-07-11
| | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1071 Approved by: rhatdan
* | podman/libpod: add default AppArmor profileValentin Rothberg2018-07-11
|/ | | | | | | | | | | | | | | | | Make users of libpod more secure by adding the libpod/apparmor package to load a pre-defined AppArmor profile. Large chunks of libpod/apparmor come from github.com/moby/moby. Also check if a specified AppArmor profile is actually loaded and throw an error if necessary. The default profile is loaded only on Linux builds with the `apparmor` buildtag enabled. Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Closes: #1063 Approved by: rhatdan
* rootless: fix when argv[0] is not an absolute pathGiuseppe Scrivano2018-07-10
| | | | | | | | | | | | use execvp instead of exec so that we keep the PATH environment variable and the lookup for the "podman" executable works. Closes: https://github.com/projectatomic/libpod/issues/1070 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1072 Approved by: mheon
* Allow Init() on stopped containersMatthew Heon2018-07-09
| | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com> Closes: #1068 Approved by: baude
* urfave/cli: fix regression in short-opts parsingValentin Rothberg2018-07-09
| | | | | | | | | | | Add the actual argument, not the one we're looking for when searching the to-be-translated short-opt string. Otherwise, we're likely to hit an infinite loop. Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Closes: #1066 Approved by: rhatdan
* Add --volumes-from flag to podman run and createumohnani82018-07-09
| | | | | | | | | | podman now supports --volumes-from flag, which allows users to add all the volumes an existing container has to a new one. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #931 Approved by: mheon
* Vendor in latest buildah to add masks for /proc/keys and /proc/acpiDaniel J Walsh2018-07-09
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1062 Approved by: baude
* Vendor in latest containers/storageDaniel J Walsh2018-07-08
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1061 Approved by: baude
* Mask /proc/keys to protect information leak about keys on hostDaniel J Walsh2018-07-08
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1060 Approved by: mheon
* ctime: Drop 32-/64-bit distinction on LinuxW. Trevor King2018-07-07
| | | | | | | | | | | We added the explicit int64 casts for 32-bit builds in 35e1ad78 (Make libpod build on 32-bit systems, 2018-02-12, #324), but the explicit casts work fine on 64-bit systems too. Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1058 Approved by: mheon
* Podman stats with no containers listed is the same as podman stats --allhaircommander2018-07-07
| | | | | | | Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1031 Approved by: rhatdan
* Refactor unittest for change in history APIJhon Honce2018-07-06
| | | | | | | | | | | * test_images.TestImages.test_history changed to allow '<missing>' as legal image ID. Previously all layers used the image ID. Now layer 0 reports '<missing>'. Signed-off-by: Jhon Honce <jhonce@redhat.com> Closes: #1056 Approved by: jwhonce
* Merge pull request #1059 from mheon/bump-0.7.1Matthew Heon2018-07-06
|\ | | | | Bump to 0.7.1
| * Bump gitvalidation epochMatthew Heon2018-07-06
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Bump to v0.7.2-devMatthew Heon2018-07-06
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Bump to v0.7.1v0.7.1Matthew Heon2018-07-06
|/ | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* pkg/ctime: Factor libpod/finished* into a separate packageW. Trevor King2018-07-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This removes some boilerplate from the libpod package, so we can focus on container stuff there. And it gives us a tidy sub-package for focusing on ctime extraction, so we can focus on unit testing and portability of the extraction utility there. For the unsupported implementation, I'm falling back to Go's ModTime [1]. That's obviously not the creation time, but it's likely to be closer than the uninitialized Time structure from cc6f0e85 (more changes to compile darwin, 2018-07-04, #1047). Especially for our use case in libpod/oci, where we're looking at write-once exit files. The test is more complicated than I initially expected, because on Linux filesystem timestamps come from a truncated clock without interpolation [2] (and network filesystems can be completely decoupled [3]). So even for local disks, creation times can be up to a jiffie earlier than 'before'. This test ensures at least monotonicity by creating two files and ensuring the reported creation time for the second is greater than or equal to the reported creation time for the first. It also checks that both creation times are within the window from one second earlier than 'before' through 'after'. That should be enough of a window for local disks, even if the kernel for those systems has an abnormally large jiffie. It might be ok on network filesystems, although it will not be very resilient to network clock lagging behind the local system clock. [1]: https://golang.org/pkg/os/#FileInfo [2]: https://groups.google.com/d/msg/linux.kernel/mdeXx2TBYZA/_4eJEuJoAQAJ Subject: Re: Apparent backward time travel in timestamps on file creation Date: Thu, 30 Mar 2017 20:20:02 +0200 Message-ID: <tqMPU-1Sb-21@gated-at.bofh.it> [3]: https://groups.google.com/d/msg/linux.kernel/mdeXx2TBYZA/cTKj4OBuAQAJ Subject: Re: Apparent backward time travel in timestamps on file creation Date: Thu, 30 Mar 2017 22:10:01 +0200 Message-ID: <tqOyl-36A-1@gated-at.bofh.it> Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1050 Approved by: mheon
* Block use of /proc/acpi from inside containersDaniel J Walsh2018-07-06
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1053 Approved by: mheon
* remove buildah requirement for the libpod image librarybaude2018-07-06
| | | | | | | | | | | if we snip the requirement to use a buildah const in the libpod image library, we can save something on the order of 85 vendored files in consumers of the the library. Signed-off-by: baude <bbaude@redhat.com> Closes: #1054 Approved by: mheon
* contrib/python/test/test_tunnel: Fix -nNT -> -nNTqW. Trevor King2018-07-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | Catching the tests up with 60427ab3 (add podman remote client, 2018-06-22, #986) to avoid non-fatal smoketest failures like [1]: ====================================================================== FAIL: test_tunnel (test.test_tunnel.TestTunnel) ---------------------------------------------------------------------- Traceback (most recent call last): File "/usr/lib64/python3.6/unittest/mock.py", line 1179, in patched return func(*args, **keywargs) File "/go/src/github.com/projectatomic/libpod/contrib/python/test/test_tunnel.py", line 79, in test_tunnel mock_Popen.assert_called_once_with(cmd, close_fds=True) File "/usr/lib64/python3.6/unittest/mock.py", line 825, in assert_called_once_with return self.assert_called_with(*args, **kwargs) File "/usr/lib64/python3.6/unittest/mock.py", line 814, in assert_called_with raise AssertionError(_error_message()) from cause AssertionError: Expected call: Popen(['ssh', '-nNT', '-L', '/tmp/user/socket:/run/podman/socket', '-i', '~/.ssh/id_rsa', 'ssh://user@hostname'], close_fds=True) Actual call: Popen(['ssh', '-nNTq', '-L', '/tmp/user/socket:/run/podman/socket', '-i', '~/.ssh/id_rsa', 'ssh://user@hostname'], close_fds=True) [1]: https://s3.amazonaws.com/aos-ci/ghprb/projectatomic/libpod/0d792d5c92900ebd07c75bc3c0cb11753319682e.1.1529764423989739036/output.log Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1035 Approved by: mheon
* Refactor podman/utils with a single container start and attach functionMarco Vedovati2018-07-06
| | | | | | | | | | | Use a single function startAttachCtr() to handle both container start with attach and attach to running containers, as the code handling the attach is common for the 2 use cases. Signed-off-by: Marco Vedovati <mvedovati@suse.com> Closes: #1025 Approved by: rhatdan
* Remove now-unneeded cleanupCgroup() for unsupported OSMatthew Heon2018-07-06
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1051 Approved by: umohnani8
* Remove per-container CGroup parentsMatthew Heon2018-07-06
| | | | | | | | | | | | | | | | | | | Originally, it seemed like a good idea to place Conmon and the container it managed under a shared CGroup, so we could manage the two together. It's become increasingly clear that this is a potential performance sore point, gains us little practical benefit in managing Conmon, and adds extra steps to container cleanup that interfere with Conmon postrun hooks. Revert back to a shared CGroup for conmon processes under the CGroup parent. This will retain per-pod conmon CGroups as well if the pod is set to create a CGroup and act as CGroup parent for its containers. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1051 Approved by: umohnani8
* Fix nits and GOPATH in tutorialTomSweeneyRedHat2018-07-06
| | | | | | | Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com> Closes: #1052 Approved by: baude
* spec: Make addPrivilegedDevices and createBlockIO per-platformW. Trevor King2018-07-06
| | | | | | | | | | | | | | | | | | | | | | | | | b96be3af (changes to allow for darwin compilation, 2018-06-20, #1015) made AddPrivilegedDevices per-platform and cc6f0e85 (more changes to compile darwin, 2018-07-04, #1047) made CreateBlockIO per-platform. But both left but left out docs for the unsupported version [1]: pkg/spec/config_unsupported.go:18:1:warning: exported method CreateConfig.AddPrivilegedDevices should have comment or be unexported (golint) pkg/spec/config_unsupported.go:22:1:warning: exported method CreateConfig.CreateBlockIO should have comment or be unexported (golint) To keep the docs DRY, I've restored the public methods and their docs, and I've added new, internal methods for the per-platform implementations. [1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L160 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1034 Approved by: baude
* libpod/runtime_pod: Make removePod per-platformW. Trevor King2018-07-06
| | | | | | | | | | | | | | | | | | | | b96be3af (changes to allow for darwin compilation, 2018-06-20, #1015) made RemovePod per-platform, but left out docs for the unsupported version [1]: libpod/runtime_pod_unsupported.go:14:1:warning: exported method Runtime.RemovePod should have comment or be unexported (golint) To keep the docs DRY, I've restored RemovePod and its docs to their previous location, and named a new, internal removePod for the per-platform implementations. [1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L159 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1034 Approved by: baude
* libpod/networking_unsupported: Remove JoinNetworkNameSpaceW. Trevor King2018-07-06
| | | | | | | | | | | | | | | | | | This function was added in cc6f0e85 (more changes to compile darwin, 2018-07-04, #1047), but it has no consumers and no Linux analog. Remove it, which also fixes the [1]: libpod/networking_unsupported.go:9:1:warning: exported function JoinNetworkNameSpace should have comment or be unexported (golint) lint issue. [1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L158 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1034 Approved by: baude
* .travis: Run gofmt and lint on OS XW. Trevor King2018-07-06
| | | | | | | | | | | | | | Just in case their output depends on the target GOOS. Lint, at least, does care, because it can pass on Linux [1] and fail on OS X [2] with the same code. [1]: https://travis-ci.org/projectatomic/libpod/jobs/400555936#L856 [2]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L153 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1034 Approved by: baude
* rootless: Merge rootless.go back into rootless_linux.goW. Trevor King2018-07-06
| | | | | | | | | | | | | | | The files were split apart by b96be3af (changes to allow for darwin compilation, 2018-06-20, #1015), but the C import and two functions left in rootless.go are all Linux-specific as well. This commit moves all of the pre-b96be3af rootless.go into rootless_linux.go, just adding the '// +build linux' header (b96be3af also scrambled the + in that header) and keeping the new GetRootlessUID from a1545fe6 (rootless: add function to retrieve the original UID, 2018-07-05, #1048). Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1034 Approved by: baude
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-11-06 18:40:57 +0000