| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
| |
Ensure that infra containers for pods will grab default sysctls
from containers.conf, to match how other containers are created.
This mostly affects the other containers in the pod, which will
inherit those sysctls when they join the pod's namespaces.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The existing code prevents containers.conf default sysctls from
being added if the container uses a host namespace. This patch
expands that to not just host namespaces, but also *shared*
namespaces - so we never modify another container's (or a pod's)
namespaces without being explicitly directed to do so by the
user.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |\
| |
| | |
security: honor systempaths=unconfined for ro paths
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
we must honor systempaths=unconfined also for read-only paths, as
Docker does:
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \
| | |
| | |
| | |
| | | |
containers/dependabot/go_modules/github.com/opencontainers/selinux-1.7.0
Bump github.com/opencontainers/selinux from 1.6.0 to 1.7.0
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.6.0 to 1.7.0.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.6.0...v1.7.0)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \
| | | |
| | | |
| | | |
| | | | |
containers/dependabot/go_modules/github.com/onsi/gomega-1.10.4
Bump github.com/onsi/gomega from 1.10.3 to 1.10.4
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.10.3 to 1.10.4.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.10.3...v1.10.4)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \ \
| | | | |
| | | | | |
Honor the --layers flag
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Currently the --layers flag set by the user is ignored, and only the BUILDAH_LAYERS
environment variable being set is observed.
Fixes: https://github.com/containers/podman/issues/8643
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \ \
| | | | |
| | | | | |
Add system test for shell completion
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
There exists a unit test to ensure that shell completion functions are
defined. However there was no check about the quality of the provided
shell completions. Lets change that.
The idea is to create a general test that makes sure we are suggesting
containers,pods,images... for the correct commands. This works by
reading the command use line and checking for each arg if we provide
the correct suggestions for this arg.
It includes the following tests:
- flag suggestions if [options] is set
- container, pod, image, network, volume, registry completion
- path completion for the appropriate arg KEYWORDS (`PATH`,`CONTEXT`,etc.)
- no completion if there are no args
- completion for more than one arg if it ends with `...]`
The test does not cover completion values for flags and not every arg KEYWORD
is supported. This is still a huge improvement and covers most use cases.
This test spotted several inconsistencies between the completion and the
command use line. All of them have been adjusted to make the test pass.
The biggest advantage is that the completions always match the latest
command changes. So if someone changes the arguments for a command this
ensures that the completions must be adjusted.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| |\ \ \ \ \
| | | | | |
| | | | | | |
archive endpoint massaging
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Introduce a `Copier` object to separate the copy-rule enforcement from
copying. That allows for a better error reporting of the REST API.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Move handling the stat header into `pkg/copy`. All copy-related should
ideally be located in this package to increase locality and reduce
scattering where possible.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | | |_|/ /
| |/| | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Add an API for parsing user input into a possibly specified container
and path. This allows for sharing the parsing code between the local
and the remote client (and bindings) in the future.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \ \ \ \
| | | | | |
| | | | | | |
enable short-name aliasing
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Short-name aliasing was introduced with Podman 2.2 as an opt-in preview
by enabling an environment variable. Now, as we're preparing for the
3.0 release, we can enable short-name aliasing by default. Opting out
can be done by configuring the `registries.conf` config file.
Please refer to the following blog post for more details:
https://www.redhat.com/sysadmin/container-image-short-names
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \ \ \ \ \
| |_|_|_|_|/
|/| | | | | |
Fix spelling mistakes
|
| | | |/ / /
| |/| | |
| | | | |
| | | | | |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \ \ \
| | | | | |
| | | | | | |
Repeat system pruning until there is nothing removed
|
| | |/ / / /
| | | | |
| | | | |
| | | | | |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \ \ \
| |_|_|_|/
|/| | | | |
make podman play use ENVs from image
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | | |
fixes #8608.
Signed-off-by: Christopher J. Ruwe <cjr@cruwe.de>
|
| |\ \ \ \
| | | | |
| | | | |
| | | | |
| | | | | |
containers/dependabot/go_modules/k8s.io/apimachinery-0.20.0
Bump k8s.io/apimachinery from 0.19.4 to 0.20.0
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.19.4 to 0.20.0.
- [Release notes](https://github.com/kubernetes/apimachinery/releases)
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.19.4...v0.20.0)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \ \
| |/ / /
|/| | | |
auto updates: document systemd unit and timer
|
| |/ / /
| | |
| | |
| | |
| | | |
Fixes: #8605
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \ \
| |_|/
|/| | |
Correct port range logic for port generation
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The existing logic (Range > 0) always triggered, because range is
guaranteed to be at least 1 (a single port has a range of 1, a
two port range (e.g. 80-81) has a range of 2, and so on). As such
this could cause ports that had a host port assigned to them by
the user to randomly assign one instead.
Fixes #8650
Fixes #8651
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |\ \
| | |
| | | |
Restore json format for fields as well as whole structs
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Add template func to inspect template processing
* Added test using repro from #8444
Fixes #8444
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
| |\ \ \
| | | |
| | | | |
Pass full NetworkMode to ParseNetworkNamespace
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This should create the correct namespace for NetworkModes like container:containerid
Signed-off-by: Kevin Wiesmueller <kwiesmul@redhat.com>
|
| |\ \ \ \
| | | | |
| | | | | |
Make `podman stats` slirp check more robust
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Just checking for `rootless.IsRootless()` does not catch all the
cases where slirp4netns is in use - we actually allow it to be
used as root as well. Fortify the conditional here so we don't
fail in the root + slirp case.
Fixes #7883
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\ \ \ \ \
| |/ / / /
|/| | | | |
Add systempaths=unconfined option
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Add the systempaths=unconfined option to --security-opt
to match the docker options for unmasking all the paths
that are masked by default.
Add the mask and unmask options to the podman create doc.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
|
| |\ \ \ \ \
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
containers/dependabot/go_modules/github.com/containers/image/v5-5.9.0
Bump github.com/containers/image/v5 from 5.8.1 to 5.9.0
|
| |/ / / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Bumps [github.com/containers/image/v5](https://github.com/containers/image) from 5.8.1 to 5.9.0.
- [Release notes](https://github.com/containers/image/releases)
- [Commits](https://github.com/containers/image/compare/v5.8.1...v5.9.0)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
| |\ \ \ \ \
| |_|_|/ /
|/| | | | |
Implement pod-network-reload
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This adds a new command, 'podman network reload', to reload the
networks of existing containers, forcing recreation of firewall
rules after e.g. `firewall-cmd --reload` wipes them out.
Under the hood, this works by calling CNI to tear down the
existing network, then recreate it using identical settings. We
request that CNI preserve the old IP and MAC address in most
cases (where the container only had 1 IP/MAC), but there will be
some downtime inherent to the teardown/bring-up approach. The
architecture of CNI doesn't really make doing this without
downtime easy (or maybe even possible...).
At present, this only works for root Podman, and only locally.
I don't think there is much of a point to adding remote support
(this is very much a local debugging command), but I think adding
rootless support (to kill/recreate slirp4netns) could be
valuable.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| |\ \ \ \ \
| | | | | |
| | | | | | |
Fix network ls --filter invalid value flake
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
The filter is only validated when at least one network exists.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| |\ \ \ \ \ \
| |/ / / / /
|/| | | | | |
generate kube on multiple containers
|
| | | |/ / /
| |/| | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
add the ability to add multiple containers into a single k8s pod
instead of just one.
also fixed some bugs in the resulting yaml where an empty service
description was being added on error causing the k8s validation to fail.
Signed-off-by: baude <bbaude@redhat.com>
|
| |\ \ \ \ \
| | | | | |
| | | | | | |
Change name of imageVolumes in container config JSON
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Podman pre-1.8 also included a field with this name, which was a
String. Podman 2.2.0 added a new field reusing the name but as a
Struct. This completely broke JSON decode for pre-1.8 containers
in Podman 2.2, resulting in completely broken behavior.
Re-name the JSON field and add a note that the old name should
not be re-used to prevent this problem from re-occurring. This
will still result in containers from 2.2.0 being broken
(specifically, containers with image volumes will have them
disappear) but this is the lesser of two evils.
Fixes #8613
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
image sign using per user registries.d
|
| | |/ / / / /
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Support per user ~/.config/containers/registries.d to allow rootless image sign configurations.
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
