Commit message (Author, Age)
* Merge pull request #6167 from giuseppe/fix-setting-limits (OpenShift Merge Robot, 2020-05-11)
    spec: fix order for setting rlimits
| * spec: fix order for setting rlimits (Giuseppe Scrivano, 2020-05-11)
      also make sure that the limits we set for rootless are not higher than what we'd set for root containers.
      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #6156 from TomSweeneyRedHat/sec (OpenShift Merge Robot, 2020-05-10)
    [CI:DOCS] Add Security Policy
| * [CI:DOCS] Add Security Policy (TomSweeneyRedHat, 2020-05-09)
      As the title says
      Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* | Merge pull request #6126 from baude/v2rootless (OpenShift Merge Robot, 2020-05-10)
      enable rootless integration testing
| * | enable rootless integration testing (Brent Baude, 2020-05-10)
        Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | Merge pull request #6151 from lsm5/tests-apiv2-inspect-remove (OpenShift Merge Robot, 2020-05-10)
        bindings tests for container remove and inspect
| * | bindings tests for container remove and inspect (Lokesh Mandvekar, 2020-05-08)
        Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
* | | Merge pull request #6152 from mheon/fix_pod_join_cgroupns (OpenShift Merge Robot, 2020-05-09)
        Fix bug where pods would unintentionally share cgroupns
| * | | Ensure `podman inspect` output for NetworkMode is right (Matthew Heon, 2020-05-08)
          I realized that setting NetworkMode to private when we are making a network namespace but not configuring it with CNI or Slirp is wrong; that's considered `--net=none` not `--net=private`.
          At the same time, realized that we actually store whether Slirp is in use, so we can be more specific than just "default" and instead say slirp4netns or bridge.
          Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | Fix bug where pods would unintentionally share cgroupns (Matthew Heon, 2020-05-08)
          This one was a massive pain to track down.
          The original symptom was an error message from rootless Podman trying to make a container in a pod. I unfortunately did not look at the error message closely enough to realize that the namespace in question was the cgroup namespace (the reproducer pod was explicitly set to only share the network namespace), else this would have been quite a bit shorter.
          I spent considerable effort trying to track down differences between the inspect output of the two containers, and when that failed I was forced to resort to diffing the OCI specs. That finally proved fruitful, and I was able to determine what should have been obvious all along: the container was joining the cgroup namespace of the infra container when it really ought not to have.
          From there, I discovered a variable collision in pod config. The UsePodCgroup variable means "create a parent cgroup for the pod and join containers in the pod to it". Unfortunately, it is very similar to UsePodUTS, UsePodNet, etc, which mean "the pod shares this namespace", so an accessor was accidentally added for it that indicated the pod shared the cgroup namespace when it really did not.
          Once I realized that, it was a quick fix - add a bool to the pod's configuration to indicate whether the cgroup ns was shared (distinct from UsePodCgroup) and use that for the accessor.
          Also included are fixes for `podman inspect` and `podman pod inspect` that fix them to actually display the state of the cgroup namespace (for container inspect) and what namespaces are shared (for pod inspect). Either of those would have made tracking this down considerably quicker.
          Fixes #6149
          Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #6148 from jwhonce/wip/version (OpenShift Merge Robot, 2020-05-09)
        V2 Implement tunnelled podman version
| * | V2 Implement tunnelled podman version (Jhon Honce, 2020-05-08)
        Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | Merge pull request #6145 from baude/v2rootlesssearch (Daniel J Walsh, 2020-05-09)
        v2 podman search rootless
| * | | v2 podman search rootless (Brent Baude, 2020-05-08)
          enable the search command for rootless
          Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | | Merge pull request #6147 from mheon/fix_inspect_annotations (Daniel J Walsh, 2020-05-09)
          Add remaining annotations for `podman inspect`
| * | | Add remaining annotations for `podman inspect` (Matthew Heon, 2020-05-08)
          This should finish support for `podman inspect` in APIv2.
          Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #6146 from baude/v2unshare (Daniel J Walsh, 2020-05-08)
          v2 podman unshare command
| * | | v2 podman unshare command (Brent Baude, 2020-05-08)
          add unshare command
          add cp and init to container sub-command
          allow mount to run as rootless
          Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | | Merge pull request #6049 from containers/dependabot/go_modules/github.com/uber/jaeger-client-go-2.23.1incompatible (OpenShift Merge Robot, 2020-05-08)
          build(deps): bump github.com/uber/jaeger-client-go from 2.22.1+incompatible to 2.23.1+incompatible
| * | | build(deps): bump github.com/uber/jaeger-client-go (dependabot-preview[bot], 2020-05-04)
          Bumps [github.com/uber/jaeger-client-go](https://github.com/uber/jaeger-client-go) from 2.22.1+incompatible to 2.23.1+incompatible.
          - [Release notes](https://github.com/uber/jaeger-client-go/releases)
          - [Changelog](https://github.com/jaegertracing/jaeger-client-go/blob/master/CHANGELOG.md)
          - [Commits](https://github.com/uber/jaeger-client-go/compare/v2.22.1...v2.23.1)
          Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
          Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #6120 from mheon/update_readme_novarlink (OpenShift Merge Robot, 2020-05-08)
          [CI:DOCS] Update the Podman readme
| * | | Update the Podman readme (Matthew Heon, 2020-05-08)
          I noticed a large number of searches for Varlink on the GitHub page, and that the readme still called it out as our only supported API. This updates the readme to remove links to Varlink API documentation, and points to docs for the new HTTP API. I also updated other parts to reflect the current direction the project is taking (Podman v2 and the HTTP API).
          Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | | Merge pull request #6144 from mheon/fix_pod_create_noinfra (OpenShift Merge Robot, 2020-05-08)
          Fix `podman pod create --infra=false`
| * | | | Fix `podman pod create --infra=false` (Matthew Heon, 2020-05-08)
            We were accidentally setting incorrect defaults for the network namespace for rootless `pod create` when infra containers were not being created. This should resolve that issue.
            Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #6106 from mheon/fix_manpages (OpenShift Merge Robot, 2020-05-08)
          [CI:DOCS] Update manpages for image volumes and MAC address
| * | | | Update manpages for image volumes and MAC address (Matthew Heon, 2020-05-06)
            When reviewing the manpages for `podman run` to find options to test, I found a few mistakes. The description of how we handle image volumes is extremely outdated, and we now provide full support for the `--mac-address` option. Update the docs for these flags so they're accurate.
            Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | | Merge pull request #6135 from nbycomp/master (OpenShift Merge Robot, 2020-05-08)
            [CI:DOCS] Fix typo in path
| * | | | | Fix typo in path (Tom Fenech, 2020-05-08)
              Signed-off-by: Tom Fenech <tomjwfenech@gmail.com>
* | | | | | Merge pull request #6143 from rhatdan/remote (OpenShift Merge Robot, 2020-05-08)
              default to tunnel without ABISupport tag
| * | | | | default to tunnel without ABISupport tag (Daniel J Walsh, 2020-05-08)
              When compiling a Linux binary without ABISupport, default to use the tunnel. The behaviour is expected in `podman-remote`.
              Also set a default for the remote flag so `podman-remote` works OOB.
              Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
              Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | | Merge pull request #6118 from baude/v2bindingsenforce (OpenShift Merge Robot, 2020-05-08)
              set binding tests to required
| * | | | | | fix pod stats flake (Brent Baude, 2020-05-08)
                it appears that the pod stats flake can be attributed to the fact that the container being run is not fully running when the stats call is made. because the stats call is in format of json, it fails when nil
                Signed-off-by: Brent Baude <bbaude@redhat.com>
| * | | | | | set binding tests to required (Brent Baude, 2020-05-08)
                some small fix ups for binding tests and then make them required.
                update containers-common
                V2 bindings tests were failing because of changes introduced in commit a2ad5bb.
                Fix some typos.
                Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
                in the case where the specgen attribute for Env and Labels are nil, we should then make the map IF we have labels and envs that need to be added.
                Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | | | | | Merge pull request #6137 from rhatdan/VENDOR (OpenShift Merge Robot, 2020-05-08)
                Fix handling of overridden paths from database
| * | | | | | | Fix handling of overridden paths from database (Daniel J Walsh, 2020-05-08)
                  If the first time you run podman in a user account you do a su - USER, and the second time, you run as the logged in USER podman fails, because it is not handling the tmpdir definition in the database. This PR fixes this problem.
                  vendor containers/common v0.11.1
                  This should fix a couple of issues we have seen in podman 1.9.1 with handling of libpod.conf.
                  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | | | Merge pull request #6133 from e-minguez/only_bridge_man_podman_network_create (OpenShift Merge Robot, 2020-05-08)
                [CI:DOCS] Fixed typo on podman network create man
| * | | | | | | Fixed typo on podman network create man (Eduardo Minguez Perez, 2020-05-08)
                  Signed-off-by: Eduardo Minguez Perez <e.minguez@gmail.com>
* | | | | | | | Merge pull request #6136 from liuming50/fix-a-makefile-dependency-issue (OpenShift Merge Robot, 2020-05-08)
                  Makefile: fix a dependency issue
| * | | | | | | | Makefile: fix a dependency issue (Ming Liu, 2020-05-08)
                    Instead of being depended by docs, targets '.install.md2man' and 'docdir' should be depended by 'MANPAGES', or else the path 'docs/build/man' or 'GOMD2MAN' might not exist when it tries to generate files in it.
                    This fixes the following build error:
                    | open docs/build/man/podman-volume-ls.1: no such file or directory
                    | Makefile:377: recipe for target 'docs/source/markdown/podman-volume-ls.1' failed
                    | make: *** [docs/source/markdown/podman-volume-ls.1] Error 1
                    | make: *** Waiting for unfinished jobs....
                    | open docs/build/man/podman-init.1: no such file or directory
                    | Makefile:377: recipe for target 'docs/source/markdown/podman-init.1' failed
                    Signed-off-by: Ming Liu <ming.liu@toradex.com>
* | | | | | | | Merge pull request #6141 from giuseppe/rootless-fix (OpenShift Merge Robot, 2020-05-08)
                  abi: do not attempt to setup rootless if euid==0
| * | | | | | | abi: do not attempt to setup rootless if euid==0 (Giuseppe Scrivano, 2020-05-08)
                  if the process has already euid==0 do not attempt to setup rootless.
                  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | | | Merge pull request #6103 from rhatdan/makefile.1 (OpenShift Merge Robot, 2020-05-08)
                Add podman-remote-static target
| * | | | | | | Add podman-remote-static target (Daniel J Walsh, 2020-05-07)
                  We should not be building podman-remote with the BUILDTAGS, these only affect server side.
                  CRC Group wants to use a static version of podman-remote in order to install the same podman-remote client on any Linux box.
                  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | | | | Merge pull request #6124 from mheon/fix_rootless_podcreate (OpenShift Merge Robot, 2020-05-08)
                  Fix parsing of --network for `podman pod create`
| * | | | | | | | Fix parsing of --network for `podman pod create` (Matthew Heon, 2020-05-07)
                    Interpreting CNI networks was a bit broken, and it was causing rootless `podman pod create` to fail. Also, we were missing the `--net` alias for `--network`, so add that.
                    Fixes #6119
                    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | | | | | Merge pull request #6134 from vrothberg/systemd-unit-tests (OpenShift Merge Robot, 2020-05-08)
                  fix and enable systemd system tests
| * | | | | | | | fix and enable systemd system tests (Valentin Rothberg, 2020-05-08)
                    The systemd unit test never ran in CI and was broken for various reasons. Fix the test to execute Podman in systemd units and to also run generated units files.
                    Note: more tests will be added in the future. The simple check for now will prevent regressions.
                    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | | | | Merge pull request #6129 from containers/dependabot/go_modules/github.com/onsi/gomega-1.10.0 (OpenShift Merge Robot, 2020-05-08)
                  Bump github.com/onsi/gomega from 1.9.0 to 1.10.0
| * | | | | | | | Bump github.com/onsi/gomega from 1.9.0 to 1.10.0 (dependabot-preview[bot], 2020-05-08)
                    Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.9.0 to 1.10.0.
                    - [Release notes](https://github.com/onsi/gomega/releases)
                    - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
                    - [Commits](https://github.com/onsi/gomega/compare/v1.9.0...v1.10.0)
                    Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
                    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>