* bump conmon to 1.0.0-rc2 (Peter Hunt, 2019-07-22)
    Signed-off-by: Peter Hunt <pehunt@redhat.com>

* Merge pull request #3605 from nc-ruth/patch-1 (OpenShift Merge Robot, 2019-07-22)
    "mkdir -p /etc/cni/net.d" requires sudo

* mkdir -p /etc/cni/net.d requires sudo (Rubatharisan Thirumathyam, 2019-07-19)
    Signed-off-by: Rubatharisan Thirumathyam <ruth@netcompany.com>

* Merge pull request #3562 from baude/golangcilint3 (OpenShift Merge Robot, 2019-07-22)
    golangci-lint round #3

* golangci-lint round #3 (baude, 2019-07-21)
    This is the third round of preparing to use the golangci-lint on our code base.

    Signed-off-by: baude <bbaude@redhat.com>

* Merge pull request #3611 from rhatdan/dan (OpenShift Merge Robot, 2019-07-21)
    Remove debug message

* Remove debug message (Daniel J Walsh, 2019-07-20)
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* Merge pull request #3610 from rhatdan/pullmsg (OpenShift Merge Robot, 2019-07-20)
    Cleanup Pull Message

* Cleanup Pull Message (Daniel J Walsh, 2019-07-20)
    Currently the pull message on failure is UGLY. This patch removes a lot of the noise when pulling an image from multiple registries to make the user experience better. Our current messages are way too verbose and need to be dampened down. Still has verbose mode if you turn on log-level=debug.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* Merge pull request #3601 from cevich/fix_post_merge_build_each_commit (OpenShift Merge Robot, 2019-07-20)
    Cirrus: Fix post-merge env. var. not set.

* Cirrus: Fix post-merge env. var. not set. (Chris Evich, 2019-07-19)
    Cirrus-CI automatically sets `$CIRRUS_BASE_BRANCH` during PR testing. This is used for the `build_each_commit` task, in order to compute the commit-chain properly. However, prior to this commit and after a PR merges, the post-merge `build_each_commit` task would fail with something similar to:

    ```
    make build-all-new-commits GIT_BASE_BRANCH=origin/$CIRRUS_BASE_BRANCH |& ${TIMESTAMP}
    [12:28:59] START - All [+xxxx] lines that follow are relative to right now.
    [+0000s] # Validate that all the commits build on top of origin/
    [+0000s] git rebase origin/ -x make
    [+0000s] fatal: invalid upstream 'origin/'
    [+0000s] make: *** [Makefile:426: build-all-new-commits] Error 128
    [12:28:59] END - [+0000s] total duration since START
    Exit status: 2
    ```

    This is because `$CIRRUS_BASE_BRANCH` is undefined when CI runs against a branch (by design). This commit fixes the problem by referring to `$DEST_BRANCH` instead. This variable must always point at the intended destination branch for testing, and so can be used in this context as well.

    Also updated a few comments to help steer understanding of the `$DEST_BRANCH` purpose.

    Signed-off-by: Chris Evich <cevich@redhat.com>

* Merge pull request #3590 from rhatdan/ro (OpenShift Merge Robot, 2019-07-19)
    Add support for listing read/only and read/write images

* Add support for listing read/only and read/write images (Daniel J Walsh, 2019-07-19)
    When removing --all images, prune images only attempts to remove read/write images and ignores read/only images.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* Merge pull request #3599 from QiWang19/ps-regexp (OpenShift Merge Robot, 2019-07-19)
    support podman ps filter regular expressions

* support podman ps filter regular expressions (Qi Wang, 2019-07-18)
    podman ps --filter uses regexp to match the container name.

    Signed-off-by: Qi Wang <qiwan@redhat.com>

* Merge pull request #3443 from adrianreber/rootfs-changes-migration (OpenShift Merge Robot, 2019-07-19)
    Include changes to the container's root file-system in the checkpoint archive

* Add tests for --ignore-rootfs checkpoint/restore option (Adrian Reber, 2019-07-11)
    This adds three tests for the --ignore-rootfs option to verify that it works in all combinations.

    1. Not used at all
    2. Only used during restore
    3. Only used during checkpoint

    Signed-off-by: Adrian Reber <areber@redhat.com>

* Add --ignore-rootfs option for checkpoint/restore (Adrian Reber, 2019-07-11)
    The newly added functionality to include the container's root file-system changes into the checkpoint archive can now be explicitly disabled, either during checkpoint or during restore.

    If a container changes a lot of files during its runtime it might be more effective to migrate the root file-system changes in some other way and not needlessly increase the size of the checkpoint archive.

    If a checkpoint archive does not contain the root file-system changes information, it will automatically be skipped. If the root file-system changes are part of the checkpoint archive it is also possible to tell Podman to ignore these changes.

    Signed-off-by: Adrian Reber <areber@redhat.com>

* Fix typo in checkpoint/restore related texts (Adrian Reber, 2019-07-11)
    Signed-off-by: Adrian Reber <areber@redhat.com>

* Include root file-system changes in container migration (Adrian Reber, 2019-07-11)
    One of the last limitations when migrating a container using Podman's 'podman container checkpoint --export=/path/to/archive.tar.gz' was that it was necessary to manually handle changes to the container's root file-system. The recommendation was to mount everything as --tmpfs where the root file-system was changed.

    This extends the checkpoint export functionality to also include all changes to the root file-system in the checkpoint archive. The checkpoint archive now includes a tarstream of the result from 'podman diff'. This tarstream will be applied to the restored container before restoring the container.

    With this any container can now be migrated, even if there are changes to the root file-system.

    There was some discussion before implementing this to base the root file-system migration on 'podman commit', but it seemed wrong to do a 'podman commit' before the migration as that would change the parent layer the restored container is referencing. Probably not really a problem, but it would have meant that a migrated container will always reference another storage top layer than it used to reference during initial creation.

    Signed-off-by: Adrian Reber <areber@redhat.com>

* Add function to get a filtered tarstream diff (Adrian Reber, 2019-07-11)
    The newly added function GetDiffTarStream() mirrors the GetDiff() function. It tries to get the correct layer ID from getLayerID() and it filters out containerMounts from the tarstream. Thus the behavior is the same as GetDiff(), but it returns a tarstream.

    This also adds the function ApplyDiffTarStream() to apply the tarstream generated by GetDiffTarStream().

    These functions are targeted to support container migration with root file-system changes.

    Signed-off-by: Adrian Reber <areber@redhat.com>

* Merge pull request #3579 from QiWang19/dns_net (OpenShift Merge Robot, 2019-07-19)
    fix --dns and --network conflict

* fix --dns* and --network not set to host conflict (Qi Wang, 2019-07-18)
    Close #3553

    This PR makes --dns, --dns-option, --dns-search, and --network not set to host flag mutually exclusive for podman build and create. Returns conflict error if both flags are set.

    Signed-off-by: Qi Wang <qiwan@redhat.com>

* Merge pull request #3597 from cevich/fix_cmd_not_found (OpenShift Merge Robot, 2019-07-19)
    Cirrus: Minor scripting typo fix

* Cirrus: Minor scripting typo fix (Chris Evich, 2019-07-18)
    Signed-off-by: Chris Evich <cevich@redhat.com>

* Merge pull request #3593 from giuseppe/rootless-privileged-devices (OpenShift Merge Robot, 2019-07-18)
    rootless: add host devices with --privileged

* rootless: add rw devices with --privileged (Giuseppe Scrivano, 2019-07-18)
    When --privileged is specified, add all the devices that are usable by the user.

    Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1730773

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Merge pull request #3584 from QiWang19/pssize (OpenShift Merge Robot, 2019-07-18)
    podman-remote make --size optional in ps

* podman-remote make --size optional in ps (Qi Wang, 2019-07-18)
    Close #3578

    Add `size` field to PsOpts in podman remote to receive size as an option.

    Signed-off-by: Qi Wang <qiwan@redhat.com>

* Merge pull request #3509 from giuseppe/cgroup-namespace (OpenShift Merge Robot, 2019-07-18)
    libpod: support for cgroup namespace

* libpod: support for cgroup namespace (Giuseppe Scrivano, 2019-07-18)
    Allow a container to run in a new cgroup namespace. When running in a new cgroup namespace, the current cgroup appears to be the root, so that there is no way for the container to access cgroups outside of its own subtree.

    By default it uses --cgroup=host to keep the previous behavior. To create a new namespace, --cgroup=private must be provided.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Merge pull request #3595 from mheon/fix_exec_leak (OpenShift Merge Robot, 2019-07-18)
    Remove exec PID files after use to prevent memory leaks

* Remove exec PID files after use to prevent memory leaks (Matthew Heon, 2019-07-18)
    We have another patch running to do the same for exit files, with a much more in-depth explanation of why it's necessary. Suffice to say that persistent files in tmpfs tied to container CGroups lead to significant memory allocations that last for the lifetime of the file.

    Based on a patch by Andrea Arcangeli (aarcange@redhat.com).

    Signed-off-by: Matthew Heon <mheon@redhat.com>

* Merge pull request #3592 from openSUSE/aa-file (OpenShift Merge Robot, 2019-07-18)
    Add DefaultContent API to retrieve apparmor profile content

* Add DefaultContent API to retrieve apparmor profile content (Sascha Grunert, 2019-07-18)
    The default apparmor profile is not stored on disk which causes confusion when debugging the content of the profile. To solve this, we now add an additional API which returns the profile as byte slice.

    Signed-off-by: Sascha Grunert <sgrunert@suse.com>

* Merge pull request #3591 from llchan/makefile-symlink-tweak (OpenShift Merge Robot, 2019-07-18)
    Tweak GOPATH-related symlinking

* Make GOPATH-related symlinking more precise (Lawrence Chan, 2019-07-17)
    This change tweaks the symlink commands that are invoked when libpod is not on GOPATH. This has the following effects:

    - If the working directory is not "libpod", it will still create the symlink at the correct github.com/containers/libpod path.
    - If the github.com/varlink directory/symlink already exists, it will still create the symlink at the intended path.

    Signed-off-by: Lawrence Chan <element103@gmail.com>

* Merge pull request #3522 from mheon/nix_the_artifact (OpenShift Merge Robot, 2019-07-18)
    Move the HostConfig portion of Inspect inside libpod

* Populate inspect with security-opt settings (Matthew Heon, 2019-07-17)
    We can infer no-new-privileges. For now, manually populate seccomp (can't infer what file we sourced from) and SELinux/Apparmor (hard to tell if they're enabled or not).

    Signed-off-by: Matthew Heon <mheon@redhat.com>

* Properly retrieve Conmon PID (Matthew Heon, 2019-07-17)
    Our previous method (just read the PID that we spawned) doesn't work - Conmon double-forks to daemonize, so we end up with a PID pointing to the first process, which dies almost immediately. Reading from the PID file gets us the real PID.

    Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Move the HostConfig portion of Inspect inside libpod (Matthew Heon, 2019-07-17)
    When we first began writing Podman, we ran into a major issue when implementing Inspect. Libpod deliberately does not tie its internal data structures to Docker, and stores most information about containers encoded within the OCI spec. However, Podman must present a CLI compatible with Docker, which means it must expose all the information in 'docker inspect' - most of which is not contained in the OCI spec or libpod's Config struct.

    Our solution at the time was the create artifact. We JSON'd the complete CreateConfig (a parsed form of the CLI arguments to 'podman run') and stored it with the container, restoring it when we needed to run commands that required the extra info.

    Over the past month, I've been looking more at Inspect, and refactored large portions of it into Libpod - generating them from what we know about the OCI config and libpod's (now much expanded, versus previously) container configuration. This path comes close to completing the process, moving the last part of inspect into libpod and removing the need for the create artifact.

    This improves libpod's compatibility with non-Podman containers. We no longer require an arbitrarily-formatted JSON blob to be present to run inspect.

    Fixes: #3500

    Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Merge pull request #3588 from haircommander/play-kube-command (OpenShift Merge Robot, 2019-07-18)
    Fix play kube command

* Fix play kube command (Peter Hunt, 2019-07-17)
    Before, play kube wasn't properly setting the command. Fix this.

    Also, begin a dedicated test suite for play kube to catch regressions like this in the future.

    Signed-off-by: Peter Hunt <pehunt@redhat.com>

* Merge pull request #3583 from giuseppe/ulimit-host-not-set (OpenShift Merge Robot, 2019-07-17)
    spec: simplify handling of --ulimit host

* spec: rework --ulimit host (Giuseppe Scrivano, 2019-07-17)
    It seems enough to not specify any ulimit block to maintain the host limits.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Merge pull request #3335 from cevich/imgprune (OpenShift Merge Robot, 2019-07-17)
    Cirrus: Print images that should be pruned

* Cirrus: Print images that should be pruned (Chris Evich, 2019-07-15)
    Over time unless they're removed, the project could grow quite a large collection of VM images. While generally cheap (less than a penny each, per month), these will become a significant cost item if not kept in-check.

    Add a specialized container for handling image-pruning, but limit it to only finding and printing (not actually deleting) images. Also update the image-building workflow so that base-images used to compose cache-images are also labeled with metadata.

    N/B: As an additional safeguard, the service account which executes the new container in production *DOES NOT* have access to delete images. This can be enabled by adding the GCE IAM role: CustomComputeImagePrune

    Signed-off-by: Chris Evich <cevich@redhat.com>

* Merge pull request #3548 from cevich/disable_periodic_activity (OpenShift Merge Robot, 2019-07-16)
    Cirrus: Disable most periodic services/timers

* Cirrus: Add image-test for locked dpkg (Chris Evich, 2019-07-16)
    Signed-off-by: Chris Evich <cevich@redhat.com>

* Cirrus: Use images w/o periodic svcs (Chris Evich, 2019-07-16)
    Signed-off-by: Chris Evich <cevich@redhat.com>