Commit message (Author, Age)
* fix rootless port forwarding with network dis-/connect (Paul Holzinger, 2021-08-03)
    The rootlessport forwarder requires a child IP to be set. This must be a valid IP in the container network namespace. The problem is that after a network disconnect and connect the eth0 IP changed. Therefore the packages are dropped since the source IP no longer exists in the netns. One solution is to set the child IP to 127.0.0.1, however this is a security problem. [1]
    To fix this we have to recreate the ports after network connect and disconnect. To make this work the rootlessport process exposes a socket where podman network connect/disconnect connect to and send the new child IP to rootlessport. The rootlessport process will remove all ports and recreate them with the new correct child IP.
    Also bump rootlesskit to v0.14.3 to fix a race with RemovePort().
    Fixes #10052
    [1] https://nvd.nist.gov/vuln/detail/CVE-2021-20199
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #11099 from edsantiago/podman_registry_tweak (openshift-ci[bot], 2021-08-02)
    podman-registry: minor usability updates
| * podman-registry: minor usability updates (Ed Santiago, 2021-08-02)
    1) use cached quay.io image
    2) use 'podman unshare' when rm -rf'ing, to avoid EPERM
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #11094 from mheon/bump_400_dev (openshift-ci[bot], 2021-08-02)
    Bump to v4.0.0-dev
| * Bump to v4.0.0-dev (Matthew Heon, 2021-08-02)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #10828 from cdoern/scp (openshift-ci[bot], 2021-08-02)
    Created image scp feature
| * Created scp.go image_scp_test.go and podman-image-scp.1.md (cdoern, 2021-07-30)
    added functionality for image secure copying from local to remote. Also moved system connection add code around a bit so functions within that file can be used by scp.
    Signed-off-by: cdoern <cdoern@redhat.com>
* | Merge pull request #11092 from containers/dependabot/go_modules/github.com/containers/storage-1.33.1 (openshift-ci[bot], 2021-08-02)
    Bump github.com/containers/storage from 1.33.0 to 1.33.1
| * | Bump github.com/containers/storage from 1.33.0 to 1.33.1 (dependabot[bot], 2021-08-02)
    Bumps [github.com/containers/storage](https://github.com/containers/storage) from 1.33.0 to 1.33.1.
    - [Release notes](https://github.com/containers/storage/releases)
    - [Changelog](https://github.com/containers/storage/blob/main/docs/containers-storage-changes.md)
    - [Commits](https://github.com/containers/storage/compare/v1.33.0...v1.33.1)
    ---
    updated-dependencies:
    - dependency-name: github.com/containers/storage
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    Signed-off-by: dependabot[bot] <support@github.com>
* | | Merge pull request #11064 from cevich/daily_version_update (openshift-ci[bot], 2021-08-02)
    [CI:DOCS] Multi-arch image build: Daily version-tag push
| * | | Multi-arch image build: Daily version-tag push (Chris Evich, 2021-07-27)
    This mirrors changes from https://github.com/containers/buildah/pull/3381
    Signed-off-by: Chris Evich <cevich@redhat.com>
* | | | Merge pull request #11072 from matejvasek/header-timeout (openshift-ci[bot], 2021-08-02)
    Remove ReadHeaderTimeout
| * | | Remove ReadHeaderTimeout (Matej Vasek, 2021-07-29)
    Effectively sets timeout to infinity.
    This is needed in order to make `podman` work with `pack`. The `pack` CLI is keeping one connection for prolonged time. Closing the connection breaks `pack`'s functionality.
    [NO TESTS NEEDED]
    Signed-off-by: Matej Vasek <mvasek@redhat.com>
* | | | Merge pull request #11082 from containers/dependabot/go_modules/github.com/containers/image/v5-5.15.0 (openshift-ci[bot], 2021-08-02)
    Bump github.com/containers/image/v5 from 5.14.0 to 5.15.0
| * | | | Bump github.com/containers/image/v5 from 5.14.0 to 5.15.0 (dependabot[bot], 2021-08-01)
    Bumps [github.com/containers/image/v5](https://github.com/containers/image) from 5.14.0 to 5.15.0.
    - [Release notes](https://github.com/containers/image/releases)
    - [Commits](https://github.com/containers/image/compare/v5.14.0...v5.15.0)
    ---
    updated-dependencies:
    - dependency-name: github.com/containers/image/v5
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    Signed-off-by: dependabot[bot] <support@github.com>
* | | | Merge pull request #11054 from saschagrunert/login-logout-path-tests (openshift-ci[bot], 2021-08-01)
    Add `--accept-repositories` integration tests
| * | | | Add `--accept-repositories` integration tests (Sascha Grunert, 2021-07-30)
    This adds the integration tests for the repository or namespaced registry feature introduced in c/common.
    Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
* | | | Merge pull request #11086 from hshiina/update-test (openshift-ci[bot], 2021-07-31)
    Fix auto-update system test for older systemd
| * | | | Fix auto-update system test for older systemd (Hironori Shiina, 2021-07-30)
    If the systemd version is older than v245, systemd uses 'Started' when a oneshot service finishes.
    In systemd, the change was done at: https://github.com/systemd/systemd/pull/14851
    commit-id: eda0cbf07186d16a160bd1d810613586fdbdf587
    Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
* | | | Merge pull request #11075 from flouthoc/ps-filter-network-by-container (openshift-ci[bot], 2021-07-30)
    ps: support the `container...` notation for `ps --filter network=...`
| * | | | ps: support the container notation for ps --filter network=... (flouthoc, 2021-07-30)
    Signed-off-by: flouthoc <flouthoc.git@gmail.com>
* | | | | Merge pull request #11080 from edsantiago/bats (OpenShift Merge Robot, 2021-07-30)
    system tests: fix race in stop test
| * | | | system tests: fix race in stop test (Ed Santiago, 2021-07-29)
    In the unlock/timeout test, on slow systems, 'podman ps' could catch the container before the just-backgrounded 'podman stop' sends the signal. Wait for signal ack from container before we inspect it.
    Also: If I understand the test correctly, it wasn't actually checking that 'ps' could grab the lock while the container was exiting. Add a check.
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | Merge pull request #11077 from flouthoc/healthcheck-nit (OpenShift Merge Robot, 2021-07-29)
    `ci-fix`: healthcheck tests should use `.Should()` instead of `.To()`.
| * | | | Fix: healthcheck tests use .Should() instead of .To() (flouthoc, 2021-07-29)
    Signed-off-by: flouthoc <flouthoc.git@gmail.com>
* | | | | Merge pull request #9887 from edsantiago/test_buildah_bud_with_remote (OpenShift Merge Robot, 2021-07-29)
    buildah bud tests under podman-remote
| * | | | | buildah bud tests under podman-remote (Ed Santiago, 2021-07-28)
    New functionality -- mostly in the diffs we apply to buildah's helpers.bash -- to enable running buildah-bud tests under podman-remote. The gist of it is, we start a 'podman system service' before each test, and clean it up on test exit.
    Design decision: the diff file for helpers.bash is no longer trailing-whitespace-clean: that ended up producing diffs that git wouldn't apply, because in some cases the whitespace is actually important. In order to pass CI, we need to exclude this file from some checks.
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | | | Merge pull request #11073 from giuseppe/fix-zombie-process-first-run (OpenShift Merge Robot, 2021-07-29)
    rootless: avoid zombie process on first launch
| * | | | | | rootless: avoid zombie process on first launch (Giuseppe Scrivano, 2021-07-29)
    avoid a zombie process if on the first launch Podman creates a long living process, such as "podman system service -t 0".
    The `r` variable was overridden thus causing the waitpid to fail and not clean up the intermediate process.
    Closes: https://github.com/containers/podman/issues/10575
    [NO TESTS NEEDED]
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | | | Merge pull request #11043 from Kiritow/patch-1 (OpenShift Merge Robot, 2021-07-29)
    [CI:DOCS] Fix: broken links in transfer doc
| * | | | | | Update transfer.md (Kirito, 2021-07-29)
    Fix broken `podman healthcheck` link
    Signed-off-by: Kiritow <1362050620@qq.com>
* | | | | | | Merge pull request #11048 from cdoern/heatlhCheckCompat (OpenShift Merge Robot, 2021-07-29)
    Fixed Healthcheck formatting, string to []string
| * | | | | | Fixed Healthcheck formatting, string to []string (cdoern, 2021-07-28)
    Compat healthcheck tests are of the format []string but podman's were of the format string. Converted podman's to []string at the specgen level since it has the same effect and removed the incorrect parsing of compat healthchecks.
    fixes #10617
    Signed-off-by: cdoern <cdoern@redhat.com>
| * | | | | | Fixed Healthcheck formatting, string to []string (cdoern, 2021-07-26)
    Compat healthcheck tests are of the format []string but podman's were of the format string. Converted podman's to []string at the specgen level since it has the same effect and removed the incorrect parsing of compat healthchecks.
    fixes #10617
    Signed-off-by: cdoern <cdoern@redhat.com>
* | | | | | | Merge pull request #11067 from vrothberg/fix-10154-2 (OpenShift Merge Robot, 2021-07-28)
    remote build: fix streaming and error handling
| * | | | | | remote build: fix streaming and error handling (Valentin Rothberg, 2021-07-28)
    Address a number of issues in the streaming logic in remote build, most importantly an error in using buffered channels on the server side. The pattern below does not guarantee that the channel is entirely read before the context fires.
        for {
            select {
            case <- bufferedChannel:
            ...
            case <- ctx.Done():
            ...
            }
        }
    Fixes: #10154
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | | Merge pull request #11066 from infiniteregrets/cp-md (OpenShift Merge Robot, 2021-07-28)
    [CI:DOCS] Update podman-cp manpage
| * | | | | | [CI:DOCS] Update podman-cp manpage (Mehul Arora, 2021-07-28)
    Signed-off-by: Mehul Arora <aroram18@mcmaster.ca>
* | | | | | Merge pull request #11065 from vrothberg/cp-cleanups (OpenShift Merge Robot, 2021-07-28)
    cp: consolidate and simplify
| * | | | | | cp: consolidate and simplify (Valentin Rothberg, 2021-07-28)
    Consolidate and simplify code in `podman cp` a bit. PR #11049 introduced some code duplicates that were worth tackling.
    [NO TESTS NEEDED]
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | | Merge pull request #11056 from giuseppe/warning-root-no-shared (OpenShift Merge Robot, 2021-07-28)
    rootless: check that / is mounted as shared
| * | | | | | rootless: check that / is mounted as shared (Giuseppe Scrivano, 2021-07-28)
    if the root mount '/' is not mounted as MS_SHARED, print a warning, otherwise new mounts that are created in the host won't be propagated to the rootless mount namespace.
    Closes: https://github.com/containers/podman/issues/10946
    [NO TESTS NEEDED]
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | | | Merge pull request #10910 from adrianreber/2021-07-12-checkpoint-restore-into-pod (OpenShift Merge Robot, 2021-07-28)
    Add support for checkpoint/restore into and out of pods
| * | | | | | Added tests for out of and into pod checkpoint and restore support (Adrian Reber, 2021-07-27)
    Signed-off-by: Adrian Reber <areber@redhat.com>
| * | | | | | Support checkpoint/restore with pods (Adrian Reber, 2021-07-27)
    This adds support to checkpoint containers out of pods and restore containers into pods.
    It is only possible to restore a container into a pod if it has been checkpointed out of a pod. It is also not possible to restore a non-pod container into a pod.
    The main reason this does not work is the PID namespace. If a non-pod container is being restored in a pod with a shared PID namespace, at least one process in the restored container uses PID 1 which is already in use by the infrastructure container. If someone tries to restore a container from a pod with a shared PID namespace without a shared PID namespace it will also fail because the resulting PID namespace will not have a PID 1.
    Signed-off-by: Adrian Reber <areber@redhat.com>
| * | | | | | Vendor in go-criu v5.1.0 for Pod checkpoint/restore support (Adrian Reber, 2021-07-27)
    Signed-off-by: Adrian Reber <areber@redhat.com>
| * | | | | | Prepare CRIU version check to work with multiple versions (Adrian Reber, 2021-07-27)
    The upcoming commit to support checkpointing out of Pods requires CRIU 3.16. This changes the CRIU version check to support checking for different versions.
    Signed-off-by: Adrian Reber <areber@redhat.com>
* | | | | | Merge pull request #11049 from vrothberg/fix-7370 (OpenShift Merge Robot, 2021-07-27)
    support container to container copy
| * | | | | | cp system tests: reduce number of exec's (Valentin Rothberg, 2021-07-27)
    Reduce the amount of `podman exec`s in the cp system tests. Exec is expensive and a number of them could easily be combined into the container command. This cuts down the costs of running the tests by around 25 percent on my local machine.
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * | | | | | support container to container copy (Mehul Arora, 2021-07-27)
    Implement container to container copy. Previously data could only be copied from/to the host.
    Fixes: #7370
    Co-authored-by: Mehul Arora <aroram18@mcmaster.ca>
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>