Commit message (Author, Age)
* replace local mount consts with libpod/define (Jakub Guzik, 2021-03-07)
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* separate file with mount consts in libpod/define (Jakub Guzik, 2021-03-07)
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* Merge pull request #9599 from rhatdan/selinux (OpenShift Merge Robot, 2021-03-05)
    Add tests for selinux kvm/init labels
| * Add tests for selinux kvm/init labels (Daniel J Walsh, 2021-03-04)
    spc_t tests should be able to run rootless as well.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #9635 from rhatdan/stop (OpenShift Merge Robot, 2021-03-05)
    podman-remote stop -time 0 does not work
| * | podman-remote stop -time 0 does not work (Daniel J Walsh, 2021-03-05)
    This patch will allow users to pass in the time 0. Currently the timeout will take 10 seconds if user passes in the 0 flag.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #9624 from mheon/fix_9615 (OpenShift Merge Robot, 2021-03-05)
    [NO TESTS NEEDED] Do not return from c.stop() before re-locking
| * | Do not return from c.stop() before re-locking (Matthew Heon, 2021-03-05)
    Unlocking an already unlocked lock is a panic. As such, we have to make sure that the deferred c.lock.Unlock() in c.StopWithTimeout() always runs on a locked container. There was a case in c.stop() where we could return an error after we unlock the container to stop it, but before we re-lock it - thus allowing for a double-unlock to occur. Fix the error return to not happen until after the lock has been re-acquired.
    Fixes #9615
    Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #9622 from jmguzik/network-rm-fix (OpenShift Merge Robot, 2021-03-05)
    Fix podman network rm (-f) workflow
| * | | Fix for podman network rm (-f) workflow (Jakub Guzik, 2021-03-05)
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | | | Merge pull request #9628 from containers/dependabot/go_modules/github.com/containers/buildah-1.19.7 (OpenShift Merge Robot, 2021-03-05)
    Bump github.com/containers/buildah from 1.19.6 to 1.19.7
| * | | | Bump github.com/containers/buildah from 1.19.6 to 1.19.7 (dependabot-preview[bot], 2021-03-05)
    Bumps [github.com/containers/buildah](https://github.com/containers/buildah) from 1.19.6 to 1.19.7.
    - [Release notes](https://github.com/containers/buildah/releases)
    - [Changelog](https://github.com/containers/buildah/blob/master/CHANGELOG.md)
    - [Commits](https://github.com/containers/buildah/compare/v1.19.6...v1.19.7)
    Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #9593 from vrothberg/cp-tmp (OpenShift Merge Robot, 2021-03-05)
    podman cp: support copying on tmpfs mounts
| * | | podman cp: support copying on tmpfs mounts (Valentin Rothberg, 2021-03-04)
    Traditionally, the path resolution for containers has been resolved on the *host*; relative to the container's mount point or relative to specified bind mounts or volumes. While this works nicely for non-running containers, it poses a problem for running ones. In that case, certain kinds of mounts (e.g., tmpfs) will not resolve correctly. A tmpfs is held in memory and hence cannot be resolved relative to the container's mount point. A copy operation will succeed but the data will not show up inside the container.
    To support these kinds of mounts, we need to join the *running* container's mount namespace (and PID namespace) when copying.
    Note that this change implies moving the copy and stat logic into `libpod` since we need to keep the container locked to avoid race conditions. The immediate benefit is that all logic is now inside `libpod`; the code isn't scattered anymore.
    Further note that Docker does not support copying to tmpfs mounts.
    Tests have been extended to cover *both* path resolutions for running and created containers. New tests have been added to exercise the tmpfs-mount case.
    For the record: Some tests could be improved by using `start -a` instead of a start-exec sequence. Unfortunately, `start -a` is flaky in the CI which forced me to use the more expensive start-exec option.
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Merge pull request #9607 from mheon/fix_9523 (OpenShift Merge Robot, 2021-03-04)
    Respect NanoCpus in Compat Create
| * | | | Respect NanoCpus in Compat Create (Matthew Heon, 2021-03-04)
    The NanoCpus field in HostConfig was not wired up. It conflicts with CPU period and quota (it hard-codes period to a specific value and then sets the user-specified value as Quota).
    Fixes #9523
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #9598 from rhatdan/kvm (OpenShift Merge Robot, 2021-03-04)
    Check for supportsKVM based on basename of the runtime
| * | | | Check for supportsKVM based on basename of the runtime (Daniel J Walsh, 2021-03-03)
    Fixes: https://github.com/containers/podman/issues/9582
    This PR also adds tests to make sure SELinux labels match the runtime, or if init is specified works with the correct label.
    Add tests for selinux kvm/init labels
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #9604 from mheon/fix_9510 (OpenShift Merge Robot, 2021-03-04)
    Compat API: create volume source dirs on the host
| * | | | Compat API: create volume source dirs on the host (Matthew Heon, 2021-03-03)
    It took a lot to figure out exactly how this should work, but I think I finally have it. My initial versions of this created the directory with the same owner as the user the container was run with, which was rather complicated - but after review against Docker, I have determined that is incorrect, and it's always made as root:root 0755 (Ubuntu's Docker, which I was using to try and test, is a snap - and as such it was sandboxed, and not actually placing directories it made in a place I could find?). This makes things much easier, since I just need to parse out source directories for binds and ensure they exist.
    Fixes #9510
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #9550 from baude/issue9517 (OpenShift Merge Robot, 2021-03-04)
    Support label type dict on compat build
| * | | | Support label type dict on compat build (baude, 2021-03-02)
    The compatibility endpoint for build labels should be of type dict (not list). For backwards compatibility, we support both.
    Fixes: #9517
    Signed-off-by: baude <bbaude@redhat.com>
* | | | | Merge pull request #9568 from wjt/podman-system-service-timeout-docs (OpenShift Merge Robot, 2021-03-04)
    [ci:docs] podman-system-service.1.md: fix timeout example
| * | | | | podman-system-service.1.md: fix timeout example (Will Thompson, 2021-03-02)
    The rest of this document claims that the argument is called '--time', not '--timeout', and that the value is expressed in seconds.
    As currently written, the example (which ostensibly runs the API service for 5 seconds) uses the '--timeout' spelling (which actually does work, as an undocumented alias) and passes a value of '5000', which is more than an hour.
    Fix both.
    [NO TESTS NEEDED] as this is a simple documentation change.
    Signed-off-by: Will Thompson <wjt@endlessos.org>
* | | | | | Merge pull request #9617 from vrothberg/fix-9588 (OpenShift Merge Robot, 2021-03-04)
    image removal: ignore unknown-layer errors
| * | | | | | image removal: ignore unknown-layer errors (Valentin Rothberg, 2021-03-04)
    [NO TESTS NEEDED] as I have absolutely no idea how to force a reliable reproducer.
    Fixes: #9588
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | | Merge pull request #9601 from jwhonce/issues/9207 (OpenShift Merge Robot, 2021-03-04)
    Use version package to track all versions
| * | | | | | Use version package to track all versions (Jhon Honce, 2021-03-03)
    * Server, bindings, and CLI all now pull version information from version package.
    * Current /libpod API version slaved to podman/libpod Version
    * Bindings validate against libpod API Minimal version
    * Remove pkg/bindings/bindings.go and updated tests
    Fixes: #9207
    Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | | | | Merge pull request #9614 from Luap99/fix-9602 (OpenShift Merge Robot, 2021-03-04)
    Fix cni teardown errors
| * | | | | Fix cni teardown errors (Paul Holzinger, 2021-03-04)
    Make sure to pass the cni interface descriptions to cni teardowns. Otherwise cni cannot find the correct cache files because the interface name might not match the networks. This can only happen when network disconnect was used.
    Fixes #9602
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | | | Merge pull request #9605 from lsm5/Makefile-install-docker-docs-nobuild (OpenShift Merge Robot, 2021-03-04)
    Makefile: add install.docker-docs-nobuild for packaging use
| * | | | Makefile: add install.docker-docs-nobuild for packaging use (Lokesh Mandvekar, 2021-03-03)
    This will allow installation of the manpages without the need to rebuild them in the installation stage of distro packaging.
    [NO TESTS NEEDED]
    Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
* | | | Merge pull request #9536 from jmguzik/enable-cgroupsv2-sec-opts (OpenShift Merge Robot, 2021-03-03)
    Enable cgroupsv2 rw mount via security-opt unmask
| * | | | Add /sys/fs/cgroup as readonly path in docs (Jakub Guzik, 2021-03-03)
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
| * | | | Enable cgroupsv2 rw mount via security-opt unmask (Jakub Guzik, 2021-02-28)
    Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | | | | Merge pull request #9595 from Luap99/fix-9594 (OpenShift Merge Robot, 2021-03-03)
    Fix possible panic with podman build --iidfile
| * | | | | Fix possible panic with podman build --iidfile (Paul Holzinger, 2021-03-03)
    Make sure we check for errors before trying to write the iidfile.
    [NO TESTS NEEDED]
    Ref #9594
    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | | | | Merge pull request #9581 from baude/issue9529 (OpenShift Merge Robot, 2021-03-03)
    Add network summary to compat ps
| * | | | | Add network summary to compat ps (baude, 2021-03-03)
    The compatibility endpoint for listing containers should have the summarized network configuration with it.
    Fixes: #9529
    Signed-off-by: baude <bbaude@redhat.com>
* | | | | | Merge pull request #9583 from ashley-cui/sec (OpenShift Merge Robot, 2021-03-03)
    Add version field to secret compat list/inspect api
| * | | | | | Add version field to secret compat list/inspect api (Ashley Cui, 2021-03-02)
    Docker api expects secrets endpoint to have a version field. So, the version field is added into the compat endpoint only. The version field is always 1, since Docker uses the version to keep track of updates to the secret, and currently we cannot update a secret.
    Signed-off-by: Ashley Cui <acui@redhat.com>
* | | | | | | Merge pull request #9575 from mheon/rewrite_rename (OpenShift Merge Robot, 2021-03-03)
    Rewrite Rename backend in a more atomic fashion
| * | | | | | Rewrite Rename backend in a more atomic fashion (Matthew Heon, 2021-03-02)
    Move the core of renaming logic into the DB. This guarantees a lot more atomicity than we have right now (our current solution, removing the container from the DB and re-creating it, is *VERY* not atomic and prone to leaving a corrupted state behind if things go wrong). Moving things into the DB allows us to remove most, but not all, of this - there's still a potential scenario where the c/storage rename fails but the Podman rename succeeds, and we end up with a mismatched state.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | | | Merge pull request #9580 from rhatdan/timestamp (Daniel J Walsh, 2021-03-03)
    Fix support for podman build --timestamp
| * | | | | | Fix support for podman build --timestamp (Daniel J Walsh, 2021-03-02)
    Currently podman is ignoring the build --timestamp flag. This PR fixes this for local and remote clients.
    Fixes: https://github.com/containers/podman/issues/9569
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | | Merge pull request #9521 from adrianreber/2021-02-25-checkpointctl (OpenShift Merge Robot, 2021-03-03)
    Reorder checkpoint/restore code for CRI-O
| * | | | | | Use functions and defines from checkpointctl (Adrian Reber, 2021-03-02)
    No functional changes.
    [NO TESTS NEEDED] - only moving code around
    Signed-off-by: Adrian Reber <areber@redhat.com>
| * | | | | | Move checkpoint/restore code to pkg/checkpoint/crutils (Adrian Reber, 2021-03-02)
    To be able to reuse common checkpoint/restore functions this commit moves code to pkg/checkpoint/crutils.
    This commit has no functional changes. It only moves code around.
    [NO TESTS NEEDED] - only moving code around
    Signed-off-by: Adrian Reber <areber@redhat.com>
| * | | | | | Vendor in checkpointctl (Adrian Reber, 2021-03-02)
    checkpointctl contains common code to work with checkpoint images in Podman, CRI-O and Kubernetes. Use functions and definitions from checkpointctl where possible.
    Signed-off-by: Adrian Reber <areber@redhat.com>
* | | | | | Merge pull request #9477 from ashley-cui/journald (OpenShift Merge Robot, 2021-03-02)
    Tidy duplicate log tests