| Commit message (Collapse) | Author | Age |
rootless: fix stop and rm when the container is running with uid != 0
|
join the user namespace where the pod is running, so that we can both
manage the storage and correctly send the kill signal to a process
which is not running as root in the namespace.
Closes: https://github.com/containers/libpod/issues/2577
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
let the process running as euid != 0 pass down an argument to the
process running in the user namespace. This will be useful for
commands like rm -a that need to join different namespaces, so that
we can re-exec separately for each of them.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
Initialize field in InfoHost struct
|
Fixes #2016
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
libpod: allow to configure path to the slirp4netns binary
|
allow to configure the path to the network-cmd binary, either via an
option flag --network-cmd-path or through the libpod.conf
configuration file.
This is currently used to customize the path to the slirp4netns
binary.
Closes: https://github.com/containers/libpod/issues/2506
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
rootless: allow single ID mappings
|
we were playing safe and did not allow any container to have less than
65536 mappings. There are a couple of reasons to change it:
- it blocked libpod from working in an environment where
newuidmap/newgidmap are not available, or not configured.
- it did not allow using different partitions of subuids, where each user
has less than 65536 ids available.
Hopefully this change in containers/storage:
https://github.com/containers/storage/pull/303
will make errors clearer if there are not enough IDs for the image
that is being used.
Closes: https://github.com/containers/libpod/issues/1651
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
print an error if there is any failure pulling an image.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
Remove --rm and --detach don't coexist note
|
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
With later changes of Podman, you can now use both the
--rm and --detach in a single run command. This PR removes
the documentation in the man pages saying this is not
allowed.
Fixes: #2601
|
Misc pod fixes
|
When sourcing from an image, we need to grab its entrypoint first
and then add command on to mimic the behavior of Docker.
The default Kube pause image just sets ENTRYPOINT, and not CMD,
so nothing changes there, but this ought to fix other images
(for example, nginx would try to run the pause command instead of
an nginx process without this patch)
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
The logic of deleting and recreating /etc/hosts and
/etc/resolv.conf only makes sense when we're the one that creates
the files - when we don't, it just removes them, and there's
nothing left to use.
Fixes #2602
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
I was seeing some segfaults where image config was being passed
as nil, causing a nil dereference segfault. Fix the apparent
cause and add some safety fencing to try and ensure it doesn't
happen again.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
Move secrets package to buildah
|
Trying to remove circular dependencies between libpod and buildah.
First step to move pkg content from libpod to buildah.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
Add troubleshoot information about SELinux labeling of containers/storage
|
We have some bug reports about people moving containers storage to new
directories and this troubleshooter should help them fix this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
Cirrus: Add dedicated rootless mode testing
|
Certain integration tests require execution as a regular user.
This is accomplished by `PodmanTest.PodmanAsUserBase()` wrapping a
specialized execution environment, in `test/utils/utils.go`. However,
doing this requires passing through python, which vastly increases the
complexity of debugging low-level problems.
This commit introduces a new parallel task, run as a regular user on the
VM as set by three environment variables. All commands executed in the
``rootless_test.sh`` script, will occur as a real user with a name and
home directory, just as `$DIETY` intended. All env. vars established
during `environment_setup.sh` (for root) are available. The PR source
in `$GOSRC` and `$GOPATH` are owned by this user, and ready for use.
Signed-off-by: Chris Evich <cevich@redhat.com>
|
We don't use crio-umount.conf
|
It also causes conflicts with CRI-O packages.
Also, change the path on seccomp.json so it lives in /usr/share
by default, with everything else.
Fixes #2596
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
test docs fixups
|
adding some clarification on testing based on tom's input.
Signed-off-by: baude <bbaude@redhat.com>
|
Default to image entrypoint for infra container
|
If the pod infra container is overridden, we want to run the entry point of the image, instead of the default infra command. This allows users to override the infra-image with greater ease.
Also use process environment variables from image
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
ginkgo status improvements
|
a series of improvements to our ginkgo test framework so we can
get better ideas of what's going on when run in CI
Signed-off-by: baude <bbaude@redhat.com>
|
podman play kube defaults
|
if an input YAML file lacks securitycontext and working dir for
a container, we need to be able to handle that. if no default for
working dir is provided, we use a default of "/".
fixes issue #2209
Signed-off-by: baude <bbaude@redhat.com>
|
container runlabel respect $PWD
|
When doing environment variable substitution, we need to make sure
$PWD is replaced with the current working directory.
fixes issue #2171
Signed-off-by: baude <bbaude@redhat.com>
|
rootless: propagate errors from info
|
we use "podman info" to reconfigure the runtime after a reboot, but we
don't propagate the error message back if something goes wrong.
Closes: https://github.com/containers/libpod/issues/2584
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
fix bug in podman images list all images with same name
|
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
[ci skip] System-test: Begin list of needed high-level tests
|
Signed-off-by: Chris Evich <cevich@redhat.com>
|
rootless: exec join the user+mount namespace
|
when we are creating a container that depends on another one, be sure
we also join its mount namespace in addition to the user namespace.
Closes: https://github.com/containers/libpod/issues/2556
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
it is not enough to join the user namespace where the container is
running. We also need to join the mount namespace so that we can
correctly look up inside of the container rootfs. This is necessary
to look up the mounted /etc/passwd file when --user is specified.
Closes: https://github.com/containers/libpod/issues/2566
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
Remove 'podman ps' restarting filter and fix stopped
|
Podman has no concept of a "restarting" container - such a
container is just transitioning from running to stopped and
then back to running through our ordinary state machine.
As such, filtering "restarting" containers doesn't work and does
nothing.
Also, make "stopped" containers show as exited - this is a
momentary state we transition to before proper exited.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|