summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* Pod Security Option supportcdoern2021-12-27
| | | | | | | | | | | | | Added support for pod security options. These are applied to infra and passed down to the containers as added (unless overridden). Modified the inheritance process from infra, creating a new function Inherit() which reads the config, and marshals the compatible options into an intermediate struct `InfraInherit` This is then unmarshaled into a container config and all of this is added to the CtrCreateOptions. Removes the need (mostly) for special additons which complicate the Container_create code and pod creation. resolves #12173 Signed-off-by: cdoern <cdoern@redhat.com>
* Merge pull request #12503 from n1hility/wsl-machineOpenShift Merge Robot2021-12-26
|\ | | | | Introduce Windows WSL implementation of podman machine
| * Introduce Windows WSL implementation of podman machineJason T. Greene2021-12-24
|/ | | | | | [NO NEW TESTS NEEDED] for now Signed-off-by: Jason Greene <jason.greene@redhat.com>
* Merge pull request #12627 from rhatdan/passwdOpenShift Merge Robot2021-12-23
|\ | | | | Allow users to add host user accounts to /etc/passwd
| * Allow users to add host user accounts to /etc/passwdDaniel J Walsh2021-12-23
| | | | | | | | | | | | | | | | | | | | | | Some containers require certain user account(s) to exist within the container when they are run. This option will allow callers to add a bunch of passwd entries from the host to the container even if the entries are not in the local /etc/passwd file on the host. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1935831 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #12679 from vrothberg/fix-12671OpenShift Merge Robot2021-12-23
|\ \ | |/ |/| clarify `io.podman.annotations.seccomp`
| * container creation: don't apply reserved annotations from imageValentin Rothberg2021-12-23
| | | | | | | | | | | | | | | | | | | | Do not apply reserved annotations from the image to the container. Reserved annotations are applied during container creation to retrieve certain information (e.g., custom seccomp profile or autoremoval) once a container has been created. Context: #12671 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * [CI:DOCS] clarify `io.podman.annotations.seccomp`Valentin Rothberg2021-12-23
| | | | | | | | | | | | | | | | | | Clarify the semantics of the `io.podman.annotations.seccomp` annotation which is set when a container has been created with a custom seccomp profile. Fixes: #12671 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #12692 from giuseppe/fix-additional-ids-docOpenShift Merge Robot2021-12-23
|\ \ | |/ |/| [CI:DOCS] docs: document rootless userns mappings
| * [CI:DOCS] docs: document rootless userns mappingsGiuseppe Scrivano2021-12-23
| | | | | | | | | | | | | | | | | | document how the host IDs are mapped inside the rootless user namespace. Closes: https://github.com/containers/podman/issues/12676 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #12672 from adrianreber/2021-12-21-check-for-memtrackOpenShift Merge Robot2021-12-23
|\ \ | | | | | | Error out early if system does not support pre-copy checkpointing
| * | Error out early if system does not support pre-copy checkpointingAdrian Reber2021-12-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CRIU's pre-copy migration support relies on the soft dirty page tracking in the Linux kernel: https://www.kernel.org/doc/Documentation/vm/soft-dirty.txt This functionality is not implemented for all architectures and it can also be turned off in the kernel. CRIU can check if the combination of architecture/kernel/CRIU supports the soft dirty page tracking and exports this feature checking functionality in go-criu. This commit adds an early check if the user selects pre-copy checkpointing to error out if the system does not support it. Signed-off-by: Adrian Reber <areber@redhat.com>
| * | Update go-criu to v5.3.0Adrian Reber2021-12-23
| | | | | | | | | | | | Signed-off-by: Adrian Reber <areber@redhat.com>
* | | Merge pull request #12599 from rhatdan/kernelmemoryOpenShift Merge Robot2021-12-23
|\ \ \ | | | | | | | | Warn on use of --kernel-memory
| * | | Warn on use of --kernel-memoryDaniel J Walsh2021-12-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It has been deprecated and is no longer supported. Fully remove it and only print a warning if a user uses it. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2011695 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #12597 from n1hility/msi-winpathOpenShift Merge Robot2021-12-23
|\ \ \ \ | |_|/ / |/| | | [Fixes #11089] Switch to a new installer approach using a path manipulation helper
| * | | Switch to a new installer approach using a path manipulation helperJason T. Greene2021-12-23
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes #11089 - cleanup PATH on MSI uninstall Additionally fixes scenarios where the path can be overwritten by setx Also removes the console flash, since the helper is built as a silent gui Helper executable can be rerun by user to repair PATHs broken by other tools Utilizes executable location instead of passed parameters to remove delicate escaping requirements [NO NEW TESTS NEEDED] Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
* | | Merge pull request #12665 from rst0git/dev-shmOpenShift Merge Robot2021-12-23
|\ \ \ | |/ / |/| | Enable checkpoint/restore of /dev/shm content
| * | e2e: Add dev/shm checkpoint/restore testRadostin Stoyanov2021-12-23
| | | | | | | | | | | | Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
| * | Enable checkpoint/restore for /dev/shmRadostin Stoyanov2021-12-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When Podman is running a container in private IPC mode (default), it creates a bind mount for /dev/shm that is then attached to a tmpfs folder on the host file system. However, checkpointing a container has the side-effect of stopping that container and unmount the tmpfs used for /dev/shm. As a result, after checkpoint all files stored in the container's /dev/shm would be lost and the container might fail to restore from checkpoint. To address this problem, this patch creates a tar file with the content of /dev/shm that is included in the container checkpoint and used to restore the container. Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
| * | Update github.com/checkpoint-restore/checkpointctlRadostin Stoyanov2021-12-23
|/ / | | | | | | | | | | | | | | | | | | | | | | DevShmCheckpointTar constant has been recently introduced in checkpointctl. This constant will be used in subsequent patch and this patch contains auto-generated changes with the following commands: go get github.com/checkpoint-restore/checkpointctl go mod tidy go mod vendor Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
* | Merge pull request #12685 from mheon/handle_nil_passwdOpenShift Merge Robot2021-12-22
|\ \ | | | | | | Always run passwd management code when DB value is nil
| * | Always run passwd management code when DB value is nilMatthew Heon2021-12-22
|/ / | | | | | | | | | | | | | | | | | | | | | | This ensures that existing containers will still manage `/etc/passwd` by default, as they have been doing until now. New containers that explicitly set `false` will still have passwd management disabled, but otherwise the code will run. [NO NEW TESTS NEEDED] This will only be caught on upgrade and I don't really know how to write update tests - and Ed is on PTO. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #12375 from rhatdan/hostsOpenShift Merge Robot2021-12-22
|\ \ | |/ |/| Use hosts public ip address in rootless containers
| * Use hosts public ip address in rootless containersDaniel J Walsh2021-12-21
| | | | | | | | | | | | | | | | | | Add first non localhost ipv4 of all host interfaces as destination for host.contaners.internal for rootless containers. Fixes: https://github.com/containers/podman/issues/12000 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #12668 from vrothberg/fix-12667OpenShift Merge Robot2021-12-22
|\ \ | | | | | | support hosts without /etc/hosts
| * | support hosts without /etc/hostsValentin Rothberg2021-12-22
| | | | | | | | | | | | | | | Fixes: #12667 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #12664 from cdoern/noManagePasswdOpenShift Merge Robot2021-12-22
|\ \ \ | |/ / |/| | Podman run --passwd
| * | Podman run --passwdcdoern2021-12-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | added support for a new flag --passwd which, when false prohibits podman from creating entries in /etc/passwd and /etc/groups allowing users to modify those files in the container entrypoint resolves #11805 Signed-off-by: cdoern <cdoern@redhat.com>
* | | Merge pull request #12670 from giuseppe/fix-crun-ciOpenShift Merge Robot2021-12-21
|\ \ \ | | | | | | | | ci: force scratch build for crun
| * | | ci: force scratch build for crunGiuseppe Scrivano2021-12-21
| | |/ | |/| | | | | | | | | | | | | force a version with this fix: https://github.com/containers/crun/pull/819 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #12663 from vrothberg/compat-normalizationOpenShift Merge Robot2021-12-21
|\ \ \ | |/ / |/| | compat: image normalization: handle sha256 prefix
| * | compat: image normalization: handle sha256 prefixValentin Rothberg2021-12-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When normalizing image names on the compat API, make sure to take the `sha256:` prefix into account when matching against the image ID. Otherwise, the name will mistakingly be subject to docker.io normalization. Signed-off-by: Valentin Rothberg <rothberg@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #12662 from ↵OpenShift Merge Robot2021-12-21
|\ \ \ | | | | | | | | | | | | | | | | adrianreber/2021-12-20-checkpoint-restore-man-pages [CI:DOCS] Small checkpoint/restore man page fixes
| * | | [CI:DOCS] Small checkpoint/restore man page fixesAdrian Reber2021-12-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | At some places the checkpoint restore man pages were using the markdown modifier `**` inside `*..*`. This does not seem to work as intended and results in markdown modifiers present in the final man page. Switching to `__` inside of `*..*` seems to fix this. Signed-off-by: Adrian Reber <areber@redhat.com>
* | | | Merge pull request #12659 from ↵OpenShift Merge Robot2021-12-21
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | adrianreber/2021-12-20-checkpoint-systemd-entrypoint [CI:DOCS] Explicitly mention that checkpointing systemd containers might fail
| * | | | [CI:DOCS] Explicitly mention that checkpointing systemd containers might failAdrian Reber2021-12-20
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Checkpoint a container using systemd as entrypoint will probably result in an error as CRIU cannot handle all the resources latest systemd uses. This updates the checkpoint man page with this information. Signed-off-by: Adrian Reber <areber@redhat.com>
* | | | Merge pull request #12621 from giuseppe/honor-userns-auto-conf-fileOpenShift Merge Robot2021-12-21
|\ \ \ \ | |_|/ / |/| | | specgen: honor userns=auto from containers.conf
| * | | specgen: honor userns=auto from containers.confGiuseppe Scrivano2021-12-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when using the default userns value, make sure its value is parsed so that userns=auto is parsed and the options for the storage are filled. Closes: https://github.com/containers/podman/issues/12615 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | test: add --rm to podman run commandsGiuseppe Scrivano2021-12-20
| | |/ | |/| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #12640 from vrothberg/fix-12631OpenShift Merge Robot2021-12-20
|\ \ \ | | | | | | | | apiv2 tests: use quay.io/libpod/testimage:20210610 for platform tests
| * | | apiv2 tests: use quay.io/libpod/testimage:20210610 for platform testsValentin Rothberg2021-12-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The quay.io/libpod/testimage:20210610 is known not to change and to remain stable over time. While the same should apply for alpine image on quay.io/libpod, we've seen it flake and return the wrong image. The reasons for that observation are unknown. Fixes: #12631 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Merge pull request #12655 from giuseppe/fix-libsubid-testOpenShift Merge Robot2021-12-20
|\ \ \ \ | |_|_|/ |/| | | build: fix test for subid 4
| * | | vendor: update containers/storageGiuseppe Scrivano2021-12-20
| | | | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | build: fix test for subid 4Giuseppe Scrivano2021-12-20
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | libsubid changes its ABI in version 4. Account for the different name in the configure script. Closes: https://github.com/containers/podman/issues/12654 [NO NEW TESTS NEEDED] it is a change in the build script Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #12648 from ttys3/fix-generate-kube-env-missingOpenShift Merge Robot2021-12-20
|\ \ \ | |/ / |/| | fix(generate): fix up podman generate kube missing env field bug
| * | fix(generate): fix up podman generate kube missing env field bug荒野無燈2021-12-18
| | | | | | | | | | | | | | | | | | | | | | | | the logic is: if the process env vars key exists in podman default or in image defined, and the value is equal, skip the env var key. the typo make it compare to itself -_- so, here comes the simple fixup. Signed-off-by: 荒野無燈 <ttys3.rust@gmail.com>
* | | Merge pull request #12626 from vrothberg/may-the-force-be-with-removalDaniel J Walsh2021-12-19
|\ \ \ | | | | | | | | image rm: allow for force-remove infra images
| * | | image rm: allow for force-remove infra imagesValentin Rothberg2021-12-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Force removal of images will also remove associated containers. Historically, infra containers have been excluded resulting in rather annoying errors, for instance, when running `rmi -af`. Since there is not reasons to exclude infra containers, allow for removing the entire pod when an infra image is force removed. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Merge pull request #12641 from giuseppe/add-more-logging-setusernsDaniel J Walsh2021-12-19
|\ \ \ \ | |_|/ / |/| | | rootless: include the args in the debug message
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-11-06 15:36:08 +0000