| Commit message (Collapse) | Author | Age |
|\
| |
| | |
move formats pkg to and vendor from buildah
|
| |
| |
| |
| | |
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
|\ \
| | |
| | | |
Ensure that tmpfs mounts do not have symlinks
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When mounting a tmpfs, runc attempts to make the directory it
will be mounted at. Unfortunately, Golang's os.MkdirAll deals
very poorly with symlinks being part of the path. I looked into
fixing this in runc, but it's honestly much easier to just ensure
we don't trigger the issue on our end.
Fixes BZ #1686610
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \ \
| | | |
| | | | |
Fix SELinux on host shared systems in userns
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Currently if you turn on --net=host on a rootless container
and have selinux-policy installed in the image, tools running with
SELinux will see that the system is SELinux enabled in rootless mode.
This patch mounts a tmpfs over /sys/fs/selinux blocking this behaviour.
This patch also fixes the fact that if you shared --pid=host we were not
masking over certin /proc paths.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \
| |/ /
|/| | |
preparation for remote-client create container
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
to prepare for being able to remotely run a container, we need to
perform a refactor to get code out of main because it is not
reusable. the shared location is a good starting spot though
eventually some will likely end up in pkg/spec/ at some point.
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \ \
| |_|/
|/| | |
Buffer stdin to a file when importing "-"
|
|/ /
| |
| |
| |
| |
| |
| |
| | |
When importing an image from a file somewhere, we already know how to
download data from a URL to a file, so do the same for stdin, in case
it's unexpectedly large.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
|
|\ \
| | |
| | | |
rootless: fix stop and rm when the container is running with uid != 0
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
join the user namespace where the pod is running, so that we can both
manage the storage and correctly send the kill signal to a process
which is not running as root in the namespace.
Closes: https://github.com/containers/libpod/issues/2577
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
let the process running as euid != 0 pass down an argument to the
process running in the user namespace. This will be useful for
commands like rm -a that needs to join different namespaces, so that
we can re-exec separately for each of them.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \
| | | |
| | | | |
Initialize field in InfoHost struct
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Fixes #2016
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
|\ \ \ \
| |_|_|/
|/| | | |
libpod: allow to configure path to the slirp4netns binary
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
allow to configure the path to the network-cmd binary, either via an
option flag --network-cmd-path or through the libpod.conf
configuration file.
This is currently used to customize the path to the slirp4netns
binary.
Closes: https://github.com/containers/libpod/issues/2506
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \
| |_|/
|/| | |
rootless: allow single ID mappings
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
we were playing safe and not allowed any container to have less than
65536 mappings. There are a couple of reasons to change it:
- it blocked libpod to work in an environment where
newuidmap/newgidmap are not available, or not configured.
- not allowed to use different partitions of subuids, where each user
has less than 65536 ids available.
Hopefully this change in containers/storage:
https://github.com/containers/storage/pull/303
will make error clearers if there are not enough IDs for the image
that is being used.
Closes: https://github.com/containers/libpod/issues/1651
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |/
| |
| |
| |
| |
| | |
print an error if there is any failure pulling an image.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| |/
|/| |
Remove --rm and --detach don't coexist note
|
|/
|
|
|
|
|
|
|
|
|
| |
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
With later changes of Podman, you can now use both the
--rm and --detach in a single run command. This PR removes
the documentation in the man pages saying this is not
allowed.
Fixes: #2601
|
|\
| |
| | |
Misc pod fixes
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When sourcing from an image, we need to grab its entrypoint first
and then add command on to mimic the behavior of Docker.
The default Kube pause image just sets ENTRYPOINT, and not CMD,
so nothing changes there, but this ought to fix other images
(for example, nginx would try to run the pause command instead of
an nginx process without this patch)
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The logic of deleting and recreating /etc/hosts and
/etc/resolv.conf only makes sense when we're the one that creates
the files - when we don't, it just removes them, and there's
nothing left to use.
Fixes #2602
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|/
|
|
|
|
|
|
|
| |
I was seeing some segfaults where image config was being passed
as nil, causing a nil dereference segfault. Fix the apparent
cause and add some safety fencing to try and ensure it doesn't
happen again.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\
| |
| | |
Move secrets package to buildah
|
| |
| |
| |
| |
| |
| |
| |
| | |
Trying to remove circular dependencies between libpod and buildah.
First step to move pkg content from libpod to buildah.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
Add troublshoot information about SELinux labeling of containers/storage
|
| |/
| |
| |
| |
| |
| |
| | |
We have some bug reports about people moving containers storage to new
directories and this troubleshooter should help them fix this.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
Cirrus: Add dedicated rootless mode testing
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Certain integration tests require execution as a regular user.
This is acomplished by `PodmanTest.PodmanAsUserBase()` wrapping a
specialized execution environment, in `test/utils/utils.go`. However,
doing this requires passing through python, which vastly increases the
complexity of debugging low-level problems.
This commit introduces a new parallel task, run as a regular user on the
VM as set by three environment variables. All commands executed in the
``rootless_test.sh`` script, will occur as a real user with a name and
home directory, just as `$DIETY` intended. All env. vars established
during `environment_setup.sh` (for root) are available. The PR source
in `$GOSRC` and `$GOPATH` are owned by this user, and ready for use.
Signed-off-by: Chris Evich <cevich@redhat.com>
|
|\ \ \
| | | |
| | | | |
We don't use crio-umount.conf
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
It also causes conflicts with CRI-O packages.
Also, change the path on seccomp.json so it lives in /usr/share
by default, with everything else.
Fixes #2596
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
test docs fixups
|
| | |_|/
| |/| |
| | | |
| | | |
| | | |
| | | | |
adding some clarification on testing based on tom's input.
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \ \ \
| |/ / /
|/| | | |
Default to image entrypoint for infra container
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
If the pod infra container is overriden, we want to run the entry point of the image, instead of the default infra command. This allows users to override the infra-image with greater ease.
Also use process environment variables from image
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
ginkgo status improvements
|
|/ / / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
a series of improvements to our ginkgo test framework so we can
get better ideas of whats going on when run in CI
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
podman play kube defaults
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
if an input YAML file lacks securitycontext and working dir for
a container, we need to be able to handle that. if no default for
working dir is provided, we use a default of "/".
fixes issue #2209
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \ \ \ \
| | | | | |
| | | | | | |
container runlabel respect $PWD
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
When doing environment variable substitution, we need to make sure
$PWD is replaced with the current working directory.
fixes issue #2171
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \ \ \ \ \
| |_|/ / / /
|/| | | | | |
rootless: propagate errors from info
|