summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* vendor containers/psgo@v1.7.3Valentin Rothberg2022-09-06
| | | | | | | | | | | | | | Add three new capabilities that would otherwise be reported as unknown. Also add an e2e test making sure that `podman top` knows all capabilities of the current kernel. I refrained from adding a system test since this may blow up in gating tests. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com> <MH: Fixed cherry-pick conflicts> Signed-off-by: Matthew Heon <mheon@redhat.com>
* Allow podman to run in an environment with keys containing spacesDaniel J Walsh2022-09-06
| | | | | | Fixes: https://github.com/containers/podman/issues/15251 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Document restrictions on transport in FROMTomas Volf2022-09-06
| | | | | | | | When using remote podman client, not all transports work as expected. So document this limitation. Fixes: containers/podman#15141 Signed-off-by: Tomas Volf <tomas.volf@showmax.com>
* Improved Windows compatibilityArthur Sengileyev2022-09-06
| | | | Signed-off-by: Arthur Sengileyev <arthur.sengileyev@gmail.com>
* pass environment variables to container cloneCharlie Doern2022-09-06
| | | | | | | | the env vars are held in the spec rather than the config, so they need to be mapped manually. They are also of a different format so special handling needed to be added. All env from the parent container will now be passed to the clone. resolves #15242 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* podman save: update --compress validationHoang Thanh VO2022-09-06
| | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Hoang Thanh VO <111461555+ht-vo@users.noreply.github.com>
* sort hc.Binds returned from compat apiJosh Patterson2022-09-06
| | | | Signed-off-by: Josh Patterson <josh.patterson@securityonionsolutions.com>
* Cirrus: Update podman-machine commentChris Evich2022-09-06
| | | | | | Replace TODO comment with helpful hint for future maintainers. Signed-off-by: Chris Evich <cevich@redhat.com>
* podman images and friends can take one image as argumentDaniel J Walsh2022-09-06
| | | | | | Fixes: https://github.com/containers/podman/issues/15309 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* [CI:DOCS] Add .DS_Store to gitignoreAshley Cui2022-09-06
| | | | | | Ignore .DS_Store, a MacOS metadata file created by the OS. Signed-off-by: Ashley Cui <acui@redhat.com>
* podman-kube@.service.in: Remove Restart=never option with typoAndrew Gunnerson2022-09-06
| | | | | | | | | | systemd expects the value of the option to be `no` instead, but this is already the default behavior. This fixes the following warning when running `systemctl status` on the unit: Failed to parse service restart specifier, ignoring: never Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
* Merge pull request #15554 from ↵OpenShift Merge Robot2022-08-31
|\ | | | | | | | | openshift-cherrypick-robot/cherry-pick-15516-to-v4.2 [v4.2] Handle an already connected network in libpod API
| * Fix #15499 already connected networkAlessandro Rossi2022-08-30
| | | | | | | | | | | | | | | | | | | | | | Compat: Treat already attached networks as a no-op Applies only to containers in created state. Maintain error in running state. Co-authored-by: Alessandro Rossi <al.rossi87@gmail.com> Co-authored-by: Brent Baude <bbaude@redhat.com> Co-authored-by: Jason T. Greene <jason.greene@redhat.com> Signed-off-by: Alessandro Rossi <al.rossi87@gmail.com> Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
* | Merge pull request #15539 from cevich/ec2_imgtsOpenShift Merge Robot2022-08-31
|\ \ | |/ |/| [v4.2] [CI:DOCS] Cirrus: Update meta task for EC2
| * [CI:DOCS] Cirrus: Update meta-task for EC2 imageLokesh Mandvekar2022-08-30
| | | | | | | | | | | | | | | | | | Copied from: https://github.com/containers/aardvark-dns/pull/207 Fixes: #15502 Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org> Signed-off-by: Chris Evich <cevich@redhat.com>
* | Merge pull request #15533 from mtrmac/trust-4.2OpenShift Merge Robot2022-08-30
|\ \ | | | | | | podman image trust overhaul, incl. sigstore
| * | fix CI: remove hardcodeded alpine versionValentin Rothberg2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | The apiv2 test hardcoded the tag of the alpine image. Remove it to unblock CI. Fixes: #15388 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
| * | Preserve all unknown PolicyRequirement fields on (podman image trust set)Miloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We are unmarshaling and re-marshaling JSON, which can _silently_ drop data with the Go design decision.data. Try harder, by using json.RawMessage at least for the data we care about. Alternatively, this could use json.Decoder.DisallowUnknownFields. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Reorganize the types in policy.go a bitMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | ... to go from top to bottom. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Add support for showing keyPaths in (podman image trust show)Miloslav Trmač2022-08-29
| | | | | | | | | | | | Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Support (image trust show) for sigstoreSigned entriesMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | sigstoreSigned does not have GPG IDs, so we add N/A in that column. NOTE: this does not show the use-sigstore-attachments value from registries.d. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | BREAKING CHANGE: Change how (podman image trust show) represents multiple ↵Miloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | requirements Currently - the output uses the first entry's type, even if the requirements are different (notably signedBy + sigstoreSIgned) - all public keys IDs are collected to a single line, even if some of them are interchangeable, and some are required (e.g. two signedBy requirements could require an image to be signed by (redhatProd OR redhatBeta) AND (vendor1 OR vendor2) So, stop collapsing the requirements, and return a separate entry for each one. Multiple GPG IDs on a single line used to mean AND or OR, now they always mean AND. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Reorganize descriptionsOfPolicyRequirements a bitMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | Do the registries.d lookup once, separately from building an entry, so that we can share it across entries. Also prepare a separate res to allow adding multiple entries. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Use the full descriptionsOfPolicyRequirements for the default scopeMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | ... instead of taking a shortcut, e.g. not listing any keys if they are required. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Rename haveMatchRegistry to registriesDConfigurationForScopeMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Just so that we don't have a boolean-named function returning a struct. Also reorder the parameters to have the container first, and the lookup key second. Shoud not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Rename tempTrustShowOutput to entryMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | Now that it is the primary return value of a small function, the long name only makes reading harder. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Split descriptionsOfPolicyRequirements out of getPolicyShowOutputMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | This will evetually allow us to use it for the default scope as well, which currently uses a simplified version. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Recognize the new lookaside names for simple signing sigstoreMiloslav Trmač2022-08-29
| | | | | | | | | | | | Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Add a unit test for trust.PolicyDescriptionMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add at least a basic unit test for the various entry types. So that we don't have to actually deal with GPG keys and /usr/bin/gpg*, parametrize the code with a gpgIDReader , and pass a fake one in the unit test. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Make the output of (podman image trust show) deterministicMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | Sort map keys instead of iterating in the Go-imposed random order. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Make most of pkg/trust package-privateMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | We now have only a few entrypoints that are called externally, so make the rest private. This will make it more obvious that we are not breaking any external users. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Move most of ImageEngine.ShowTrust into pkg/trust.PolicyDescriptionMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | This will allow us to write unit tests without setting up the complete Podman runtime (and without the Linux dependency). Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Add support for sigstoreSigned in (podman image trust set)Miloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | NOTE: This does not edit the use-sigstore-attachments value in registries.d, similarly to how (podman image trust set) didn't set the lookaside paths for simple signing. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Create new policy entries together with validating inputMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | That way, we don't have to switch over trustType twice. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Improve validation of data in ImageEngine.SetTrustMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | - Also reject public keys with types that don't use them - Reject unknown trust types - And add unit tests Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Move most of imageEngine.SetTrust to pkg/trust.AddPolicyEntriesMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This will allow us to write unit tests without setting up the complete Podman runtime (and without the Linux dependency). Also, actually add a basic smoke test of the core functionality. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Add a variable for scopeMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Only process the incoming args[] (which is a single-element array for some reason) once, and use a semantic variable name for the value we care about. Should not change behavior, the only caller already supposedly ensures that len(args) == 1. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Make trust.CreateTempFile privateMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | Nothing uses it outside the package. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Reorganize pkg/trustMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | Split the existing code into policy.go and registries.go, depending on which files it concerns. Only moves unchanged code, should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Remove an unused trust.ShowOutput typeMiloslav Trmač2022-08-29
| | | | | | | | | | | | | | | | | | Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * | Remove commented out codeMiloslav Trmač2022-08-29
| |/ | | | | | | | | | | | | | | | | We can always recover it from git, but it seems to serve no purpose anyway. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | Merge pull request #15521 from vrothberg/v4.2-fix-15492OpenShift Merge Robot2022-08-30
|\ \ | |/ |/| [v4.2] libpod: UpdateContainerStatus: do not wait for container
| * fix CI: remove hardcodeded alpine versionValentin Rothberg2022-08-30
| | | | | | | | | | | | | | | | The apiv2 test hardcoded the tag of the alpine image. Remove it to unblock CI. Fixes: #15388 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
| * libpod: UpdateContainerStatus: do not wait for containerValentin Rothberg2022-08-28
|/ | | | | | | | | | | | | | Commit 30e7cbccc194 accidentally added a deadlock as Podman was waiting for the exit code to show up when the container transitioned to stopped. Code paths that require the exit code to be written (by the cleanup process) should already be using `(*Container).Wait()` in a deadlock free way. [NO NEW TESTS NEEDED] as I did not manage to a reproducer that would work in CI. Ultimately, it's a race condition. Backport-for: #15492 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* Merge pull request #15326 from edsantiago/rhel8_test_skipOpenShift Merge Robot2022-08-16
|\ | | | | [v4.2] Skip / update some tests under runc
| * Skip / update some tests under runcEd Santiago2022-08-15
|/ | | | | | | | | | | | | | | | | | | Two fixes done in #14972 (the "oops test under runc again" PR which was not backported into 4.2): - "survive service stop" - skip. Test is only applicable under crun. - "volume exec/noexec" - update the expected error message One hail-mary fix for a test failure seen in RHEL87 gating: - "nonexistent labels" - slight tweak to expected error message None of these fixes will actually be tested in CI, because v4.2 does not run any runc tests. We'll have to wait and see what happens on the next RHEL build. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #15279 from mheon/bump_420_finalOpenShift Merge Robot2022-08-11
|\ | | | | Final Backports and Bump to v4.2.0
| * Bump to v4.2.1-devMatthew Heon2022-08-10
| | | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
| * Bump to v4.2.0v4.2.0Matthew Heon2022-08-10
| | | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
| * Final release notes for v4.2.0Matthew Heon2022-08-10
| | | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com>