summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* podman machine: make 9p security model configurable; adjust docsCorey Hickey2022-07-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This addresses: Symlinks don't work on podman machine on macOS Monterey when using volumes feature #13784 This change does NOT exactly fix the bug, but it does allow the user to work around it via 'podman init' option, e.g.: podman machine init -v "$HOME/git:$HOME/git:ro:security_model=none" If the default security model were to be changed to 'none', then that would fix the bug, at the possible cost of breaking any use cases that depend on 'mapped-xattr'. The documentation of the purpose and behavior of the different security models seems to be rather light: https://wiki.qemu.org/Documentation/9psetup#Starting_the_Guest_directly From testing, it appears that the mapped-xattr security model intends to manage symlinks such that the guest can see the symlinks but the host only sees regular files (with extended attributes). As far as I can tell, this behavior only makes sense when the guest is the only thing that ever needs to create and read symlinks. Otherwise, symlinks created on the host are unusable on the guest, and vice versa. As per the original commit: 8e7eeaa4dd14621bda15e396fcd7b9187bc500c5 [NO NEW TESTS NEEDED] Also document existing ro and rw options. Also remove misleading statement about /mnt. By my observation, this line is incorrect. If the intended meaning is different, then I don't understand. The default volume is mounted read/write and is not within /mnt. [core@localhost ~]$ mount | grep 9p vol0 on /Users/chickey type 9p (rw,relatime,sync,dirsync,access=client,trans=virtio) Signed-off-by: Corey Hickey <chickey@tagged.com>
* Merge pull request #14799 from vrothberg/fix-buildopenshift-ci[bot]2022-07-01
|\ | | | | fix build
| * fix buildValentin Rothberg2022-07-01
| | | | | | | | | | | | | | | | | | PR containers/podman/pull/14449 had an outdated base. Merging it broke builds. [NO NEW TESTS NEEDED] Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | Merge pull request #14798 from flouthoc/overlay-mount-path-absopenshift-ci[bot]2022-07-01
|\ \ | |/ |/| overlay,mount: convert source to absolute path for `overlay` mounts of paths
| * overlay,mount: convert lowerdir to absolute path for overlay mounts of pathAditya R2022-07-01
| | | | | | | | | | | | | | | | | | | | When mounting paths as overlay mounts we end up passing source as is to lowerdir options, resolve all relative paths in such cases for overlay mounts. Closes: https://github.com/containers/podman/issues/14797 Signed-off-by: Aditya R <arajan@redhat.com>
* | Merge pull request #14794 from n1hility/fix-winopenshift-ci[bot]2022-07-01
|\ \ | | | | | | Fix podman machine on Windows
| * | Fix podman machine on WindowsJason T. Greene2022-06-30
| |/ | | | | | | Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
* | Merge pull request #14795 from giuseppe/fix-wildcard-major-device-cgroupopenshift-ci[bot]2022-07-01
|\ \ | | | | | | specgen: fix parsing of cgroup devices rule
| * | specgen: fix parsing of cgroup devices ruleGiuseppe Scrivano2022-07-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | Fix the parse for the cgroup devices rule to correctly handle the wildcard syntax for the device major. Also make sure the device major and minor are not negative numbers. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #14788 from vrothberg/rename-templateopenshift-ci[bot]2022-07-01
|\ \ \ | | | | | | | | podman-play-kube template: rename to podman-kube
| * | | docs: mention the podman-kube templateValentin Rothberg2022-06-30
| | | | | | | | | | | | | | | | | | | | | | | | Mention the template in the docs for play-kube and generate-systemd. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
| * | | podman-play-kube template: rename to podman-kubeValentin Rothberg2022-06-30
| |/ / | | | | | | | | | | | | | | | | | | | | | With the upcoming plans of introducing a podman-kube command with various subcommands, rename the podman-play-kube systemd template to podman-kube before releasing it. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | | Merge pull request #14449 from cdoern/podVolumesopenshift-ci[bot]2022-07-01
|\ \ \ | |_|/ |/| | podman volume create --opt=o=timeout...
| * | podman volume create --opt=o=timeout...cdoern2022-06-09
| | | | | | | | | | | | | | | | | | | | | add an option to configure the driver timeout when creating a volume. The default is 5 seconds but this value is too small for some custom drivers. Signed-off-by: cdoern <cdoern@redhat.com>
* | | Merge pull request #14704 from baude/machinestoppedopenshift-ci[bot]2022-06-30
|\ \ \ | | | | | | | | reveal machine error, ignore false state
| * | | reveal machine error, ignore false stateBrent Baude2022-06-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This PR covers two edge cases discovered by fiddling with machine manually. It is possible (like after a manual cleanup of a machine) that a leftover qemu socket file can indicate the prescense of a machine running. Also, reveal the error of a Exec.Command by wrapping the generic error around what was in stderr. [NO NEW TESTS NEEDED] Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | | Merge pull request #14787 from giuseppe/move-systemd-service-to-subcgroupopenshift-ci[bot]2022-06-30
|\ \ \ \ | | | | | | | | | | service: do not run under the root cgroup
| * | | | service: do not run under the root cgroupGiuseppe Scrivano2022-06-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | at startup, when running on a cgroup v2 system, check if the current process is running in the root cgroup and move it to a sub-cgroup, otherwise Podman is not able to create cgroups and move processes there. Closes: https://github.com/containers/podman/issues/14573 [NO NEW TESTS NEEDED] it needs nested podman Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | | utils: move the cgroup if root on cgroupv2Giuseppe Scrivano2022-06-30
| | |_|/ | |/| | | | | | | | | | | | | | | | | | | | | | if we are running on cgroupv2, force the creation of a sub-cgroup even when we are at the root for the cgroup v2 unified mount. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #14785 from saschagrunert/cmd-podman-errorsDaniel J Walsh2022-06-30
|\ \ \ \ | | | | | | | | | | cmd/podman: switch to golang native error wrapping
| * | | | cmd/podman: switch to golang native error wrappingSascha Grunert2022-06-30
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | We now use the golang error wrapping format specifier `%w` instead of the deprecated github.com/pkg/errors package. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
* | | | Merge pull request #14783 from flouthoc/api-image-lookup-manifestopenshift-ci[bot]2022-06-30
|\ \ \ \ | |/ / / |/| | | api,images: add support for `LookupManifest` to `Image removal` REST API
| * | | api,images: add support for LookupManifest to Image remove APIAditya R2022-06-30
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ImagesBatchRemoval and ImageRemoval now honors and accepts `LookupManifest` parameter which further tells libimage to resolve to manifest list if it exists instead of actual image. Following PR also makes `podman-remote manifest rm` functional which was broken till now. Closes: https://github.com/containers/podman/issues/14763 Signed-off-by: Aditya R <arajan@redhat.com>
* | | Merge pull request #14770 from ↵openshift-ci[bot]2022-06-29
|\ \ \ | | | | | | | | | | | | | | | | containers/dependabot/go_modules/github.com/stretchr/testify-1.8.0 build(deps): bump github.com/stretchr/testify from 1.7.5 to 1.8.0
| * | | build(deps): bump github.com/stretchr/testify from 1.7.5 to 1.8.0dependabot[bot]2022-06-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.7.5 to 1.8.0. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.7.5...v1.8.0) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* | | | Merge pull request #14720 from sstosh/rm-optionopenshift-ci[bot]2022-06-29
|\ \ \ \ | | | | | | | | | | Fix: Prevent OCI runtime directory remain
| * | | | Fix: Prevent OCI runtime directory remainToshiki Sonoda2022-06-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This bug was introduced in https://github.com/containers/podman/pull/8906. When we use 'podman rm/restart/stop/kill etc...' command to the container running with --rm, the OCI runtime directory remains at /run/<runtime name> (root user) or /run/user/<user id>/<runtime name> (rootless user). This bug could cause other bugs. For example, when we checkpoint the container running with --rm (podman checkpoint --export) and restore it (podman restore --import) with crun, error message "Error: OCI runtime error: crun: container `<container id>` already exists" is outputted. This error is caused by an attempt to restore the container with the same container ID as the remaining OCI runtime's container ID. Therefore, I fix that the cleanupRuntime() function runs to remove the OCI runtime directory, even if the container has already been removed by --rm option. Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
* | | | | Merge pull request #14706 from ashley-cui/rootmachopenshift-ci[bot]2022-06-29
|\ \ \ \ \ | | | | | | | | | | | | Only allow Rootless runs of Podman Machine
| * | | | | Only allow Rootless runs of Podman MachineAshley Cui2022-06-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman Machine crashes if run as root. When creating the machine, we write the ignition so that the UID of the core user matches the UID of the user on the host. We by default, create the root user on the machine with UID 0. If the user on the host is root, the core UID and the Root UID collide, causing a the VM not to boot. [NO NEW TESTS NEEDED] Signed-off-by: Ashley Cui <acui@redhat.com>
* | | | | | Merge pull request #14775 from cevich/podman_image_commentopenshift-ci[bot]2022-06-29
|\ \ \ \ \ \ | | | | | | | | | | | | | | [CI:DOCS] Update podmanimage comment.
| * | | | | | [CI:DOCS] Update podmanimage comment.Chris Evich2022-06-29
|/ / / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Drop a reference as to why the `rpm --setcaps...` line is needed, along with a `TODO` reminder to check if it's still needed. Signed-off-by: Chris Evich <cevich@redhat.com>
* | | | | | Merge pull request #14764 from cdoern/cgroupopenshift-ci[bot]2022-06-29
|\ \ \ \ \ \ | |_|_|/ / / |/| | | | | limit cgroupfs when rootless
| * | | | | only create crgoup when not rootless if using cgroupfsCharlie Doern2022-06-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [NO NEW TESTS NEEDED] now that podman's cgroup config tries to initialize controllers, cgroupfs errors out on pod creation we need to mimic the behavior that used to exist and only create the cgroup when running as rootful Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | | | | | Merge pull request #14740 from flouthoc/bindings-remove-manifestopenshift-ci[bot]2022-06-29
|\ \ \ \ \ \ | | | | | | | | | | | | | | bindings: Add support for `Delete` for deleting manifest list from local storage.
| * | | | | | bindings: Add support for Delete in pkg/bingings/manifestAditya R2022-06-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bindings already support `Remove` which removes a manifest from the list following function adds support for removing entire manifest for local storage. Similar functionality can be also used indirectly by using `Remove` defined in image bindings Signed-off-by: Aditya R <arajan@redhat.com>
* | | | | | | Merge pull request #14666 from shanesmith/machine-pidfileopenshift-ci[bot]2022-06-29
|\ \ \ \ \ \ \ | | | | | | | | | | | | | | | | Make `podman machine stop` wait for qemu to exit
| * | | | | | | Make `podman machine stop` wait for qemu to exitShane Smith2022-06-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - New `VMPidFilePath` field in MachineVM config holds the path for the qemu PID file - qemu is now started with the `-pidfile` argument set to `VMPidFilePath` - Machines created before this won't have the VM PID file configured, stopping these VMs will revert back to waiting on the state to change away from `Running`, plus an added 2s sleep to give time for the VM to exit and to avoid potential issues - Machines created after this will have a VM PID file configured and stopping the machine will wait indefinitely for the VM to exit [NO NEW TESTS NEEDED] Signed-off-by: Shane Smith <shane.smith@shopify.com>
* | | | | | | | Merge pull request #14765 from giuseppe/unpause-before-killopenshift-ci[bot]2022-06-29
|\ \ \ \ \ \ \ \ | |_|_|/ / / / / |/| | | | | | | runtime: unpause the container before killing it
| * | | | | | | runtime: unpause the container before killing itGiuseppe Scrivano2022-06-28
|/ / / / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the new version of runc has the same check in place and it automatically resume the container if it is paused. So when Podman tries to resume it again, it fails since the container is not in the paused state. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2100740 [NO NEW TESTS NEEDED] the CI doesn't use a new runc on cgroup v1 systems. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | | | Merge pull request #14754 from vrothberg/fix-14669openshift-ci[bot]2022-06-28
|\ \ \ \ \ \ \ | | | | | | | | | | | | | | | | vendor containers/common
| * | | | | | | vendor containers/commonValentin Rothberg2022-06-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pull in fixes for platform checks to silence annoying warnings when pulling images by platforms using uname values. Fixes: #14669 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | | | | | | | Merge pull request #14755 from cdoern/systemopenshift-ci[bot]2022-06-28
|\ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | fix volume reporting in system df
| * | | | | | | | fix volume reporting in system dfCharlie Doern2022-06-28
| | |_|_|/ / / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | currently, podman system df incorrectly calculates the reclaimable storage for volumes, using a cumulative reclaimable variable that is incremented and placed into each report entry causing values to rise above 100%. Switch this variables to be in the context of the loop, so it resets per volume just like the size variable does. resolves #13516 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | | | | | | | Merge pull request #14717 from ZeyadYasser/fix-restore-runtime-checkopenshift-ci[bot]2022-06-28
|\ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | Fix runtime check during restore
| * | | | | | | | Add test for restore runtime verification using non-default runtimeZeyad Yasser2022-06-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Runtime verification test for container checkpoint with export used the default runtime for test which causes test to always pass. Problem rises when using non-default runtime, then doing a restore. This test forcse using a non-default runtime during container creation. Edge case: 1. Default runtime is crun 2. Container is created with runc 3. Checkpoint without setting --runtime into archive 4. Restore without setting --runtime from archive It should be expected that podman identifies runtime from the checkpoint archive. Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
| * | | | | | | | Fix runtime check during restoreZeyad Yasser2022-06-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | cfg.RuntimePath was set to default runtime, so the empty string check fails. Instead we could check if the flag was changed. Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
* | | | | | | | | Merge pull request #14400 from cdoern/scpopenshift-ci[bot]2022-06-28
|\ \ \ \ \ \ \ \ \ | |_|_|/ / / / / / |/| | | | | | | | podman image scp remote support & podman image scp tagging
| * | | | | | | | podman image scp remote support & podman image scp taggingcdoern2022-06-28
| |/ / / / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | add support for podman-remote image scp as well as direct access via the API. This entailed a full rework of the layering of image scp functions as well as the usual API plugging and type creation also, implemented podman image scp tagging. which makes the syntax much more readable and allows users t tag the new image they are loading to the local/remote machine: allow users to pass a "new name" for the image they are transferring `podman tag` as implemented creates a new image im `image list` when tagging, so this does the same meaning that when transferring images with tags, podman on the remote machine/user will load two images ex: `podman image scp computer1::alpine computer2::foobar` creates alpine:latest and localhost/foobar on the remote host implementing tags means removal of the flexible syntax. In the currently released podman image scp, the user can either specify `podman image scp source::img dest::` or `podman image scp dest:: source::img`. However, with tags this task becomes really hard to check which is the image (src) and which is the new tag (dst). Removal of that streamlines the arg parsing process Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | | | | | | | Merge pull request #14700 from shuttle-hq/bug/docker-compat-initializedopenshift-ci[bot]2022-06-28
|\ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | Docker compat returning unknown "initialized" for `status.status`
| * | | | | | | | Docker compat returning unknown "initialized" for `status.status`chesedo2022-06-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some background for this PR is in discussion #14641. In short, ever so often a container inspect will return a `status.status` of `initialized` from the Docker compat socket. From the discussion I found these lines which tries to fix a "configured" status to "created". https://github.com/containers/podman/blob/c936d1e61154b6826e9d8df46e9660aba6c86cfe/pkg/api/handlers/compat/containers.go#L291-L294 However, commit 141de8686289 (Revamp Libpod state strings for Docker compat) removed the "configured" return value from the `String()` method called on line 291 above. Thus, making the `if` check redundant as it will never hit. But the same commit also introduces a return for "initialized" which this `if` should probably have been adapted for. Signed-off-by: Pieter Engelbrecht <pieter@shuttle.rs>