| Commit message (Collapse) | Author | Age |
... | |
|/ / / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The CNI plugins need access to iptables in $PATH. On debian /usr/sbin
is not added to $PATH for rootless users. This will break rootless
cni completely. To prevent breaking existing users add /usr/sbin to
$PATH in podman if needed.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
|\ \ \ \
| | | | |
| | | | | |
Add --requires flag to podman run/create
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Podman has, for a long time, had an internal concept of
dependency management, used mainly to ensure that pod infra
containers are started before any other container in the pod. We
also have the ability to recursively start these dependencies,
which we use to ensure that `podman start` on a container in a
pod will not fail because the infra container is stopped. We have
not, however, exposed these via the command line until now.
Add a `--requires` flag to `podman run` and `podman create` to
allow users to manually specify dependency containers. These
containers must be running before the container will start. Also,
make recursive starting with `podman start` default so we can
start these containers and their dependencies easily.
Fixes #9250
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \ \ \ \
| | | | | |
| | | | | | |
[CI:DOCS] swagger-check: compare operations
|
|/ / / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Until now we've only compared operations when called with the
non-default --pedantic flag, because there were way too many
exceptions.
With the merge of #9944 the rules have become much cleaner.
Still not perfect, but it's now possible to have simple
general rules with a (semi-)manageable list of exceptions.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|\ \ \ \ \
| | |_|_|/
| |/| | | |
[CI:DOCS] Polish swagger OperationIDs
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Renamed 4 IDs to be consistent with other endpoints.
Fixes #9951
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
|\ \ \ \ \
| |_|_|_|/
|/| | | | |
Cirrus: Make use of shared get_ci_vm container
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Depends on:
https://github.com/containers/automation_images/pull/57
https://github.com/containers/automation/pull/64
https://github.com/containers/automation/pull/66
https://github.com/containers/automation/pull/67
https://github.com/containers/automation/pull/68
Signed-off-by: Chris Evich <cevich@redhat.com>
|
|\ \ \ \ \
| |_|_|_|/
|/| | | | |
Ensure that `--userns=keep-id` sets user in config
|
| |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
One of the side-effects of the `--userns=keep-id` command is
switching the default user of the container to the UID of the
user running Podman (though this can still be overridden by the
`--user` flag). However, it did this by setting the UID and GID
in the OCI spec, and not by informing Libpod of its intention to
switch users via the `WithUser()` option. Because of this, a lot
of the code that should have triggered when the container ran
with a non-root user was not triggering. In the case of the issue
that this fixed, the code to remove capabilities from non-root
users was not triggering. Adjust the keep-id code to properly
inform Libpod of our intention to use a non-root user to fix
this.
Also, fix an annoying race around short-running exec sessions
where Podman would always print a warning that the exec session
had already stopped.
Fixes #9919
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \ \ \
| | |/ /
| |/| | |
[CI:DOCS] Set all swagger operation id's to be compatible
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Libpod operation id's changed to better match compatibile id
Builds on https://github.com/containers/podman/pull/9123 and corrects
a duplicated ID.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Tom Deseyn <tom.deseyn@gmail.com>
|
|/ / /
| | |
| | |
| | | |
Signed-off-by: Tom Deseyn <tom.deseyn@gmail.com>
|
|\ \ \
| | | |
| | | | |
Initial network bindings tests
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
|
|\ \ \ \
| | | | |
| | | | | |
fix machine naming conventions
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
try to align the machine commands and their usage descriptions.
[NO TESTS NEEDED]
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \ \ \ \
| | | | | |
| | | | | | |
Http api tests for network prune with until filter
|
| | |/ / /
| |/| | |
| | | | |
| | | | | |
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
|
|\ \ \ \ \
| | | | | |
| | | | | | |
[ci:docs] Update release notes to indicate CVE fix
|
| | |/ / /
| |/| | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
We didn't release this with the original release notes as the fix
was still under embargo.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|\ \ \ \ \
| | | | | |
| | | | | | |
Verify existence of auth file if specified
|
| |/ / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Fixes: https://github.com/containers/podman/issues/9572
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \ \ \
| | | | | |
| | | | | | |
[CI:DOCS] Add transport and destination info to manifest doc
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Initially I was missing transport information on podman manifest add.
Especially the `containers-storage` transport which references the
local image store. Had a use case where this came in quite handy and it
is not stated anywhere else in the docs. Suppose it does not make sense
for podman pull & push.
I've only added containers-storage and docker transports for
manifest add since I know those work. Maybe others work too.
I then also added the destination section to manifest push as it is done
in podman push & pull. I've added all transports here, but I don't know
if all are supported. Please review.
Signed-off-by: Alexander Wellbrock <a.wellbrock@mailbox.org>
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Allow users to override default storage opts with --storage-opt
|
| | |_|_|/ /
| |/| | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
We define in the man page that this overrides the default storage
options, but the code was appending to the existing options.
This PR also makes a change to allow users to specify --storage-opt="".
This will turn off all storage options.
https://github.com/containers/podman/issues/9852
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Add support for podman --context default
|
| |/ / / / /
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
This is a noop but helps with scripting and docker-compose.
Fixes: https://github.com/containers/podman/issues/9806
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \ \ \ \
| |/ / / / /
|/| | | | | |
Don't relabel volumes if running in a privileged container
|
|/ / / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Docker does not relabel this content, and openstack is running
containers in this manner. There is a penalty for doing this
on each container, that is not worth taking on a disable SELinux
container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \ \ \
| | | | | |
| | | | | | |
Add default template functions
|
| | |_|/ /
| |/| | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
For commands that use the golang template library directly add the
compatible template functions
[NO TESTS NEEDED]
Fixes #8773
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
|\ \ \ \ \
| |_|_|/ /
|/| | | | |
rootless cni without infra container
|
| | | | |
| | | | |
| | | | |
| | | | | |
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
If a user only has a local dns server in the resolv.conf file the dns
resolution will fail. Instead we create a new resolv.conf which will use
the slirp4netns dns.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Delte the network namespace and kill the slirp4netns process when it is
no longer needed.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Also fix the tests so we can use the podman function with the output.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Make sure the DOCKER_SOCK location is accessible by the user when run
rootless. Alos set the DOCKER_HOST env var to ensure docker-compose will
use the non default location. Cleanup steps such as `rm` or `umount`
must be run inside podman unshare otherwise they can fail due missing
privileges.
Change the curl test to use --retry-all-errors otherwise the tests will
flake. The web server inside the container will return http code 500
sometimes, most likely because it is not fully ready to accept
connections. With --retry-all-errors curl will retry instead of failing
and thus the test will work.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| | | | |
| | | | |
| | | | |
| | | | | |
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Do not invoke the rootlesskit port forwarder when the container has no
ports.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| | | | |
| | | | |
| | | | |
| | | | | |
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
With the new rootless cni supporting network connect/disconnect is easy.
Combine common setps into extra functions to prevent code duplication.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This should make maintenance easier.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
For rootless users the infra container used the slirp4netns net mode
even when bridge was requested. We can support bridge networking for
rootless users so we have allow this. The default is not changed.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This is supported with the new rootless cni logic.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Instead of creating an extra container create a network and mount
namespace inside the podman user namespace. This ns is used to
for rootless cni operations.
This helps to align the rootless and rootful network code path.
If we run as rootless we just have to set up a extra net ns and
initialize slirp4netns in it. The ocicni lib will be called in
that net ns.
This design allows allows easier maintenance, no extra container
with pause processes, support for rootless cni with --uidmap
and possibly more.
The biggest problem is backwards compatibility. I don't think
live migration can be possible. If the user reboots or restart
all cni containers everything should work as expected again.
The user is left with the rootless-cni-infa container and image
but this can safely be removed.
To make the existing cni configs work we need execute the cni plugins
in a extra mount namespace. This ensures that we can safely mount over
/run and /var which have to be writeable for the cni plugins without
removing access to these files by the main podman process. One caveat
is that we need to keep the netns files at `XDG_RUNTIME_DIR/netns`
accessible.
`XDG_RUNTIME_DIR/rootless-cni/{run,var}` will be mounted to `/{run,var}`.
To ensure that we keep the netns directory we bind mount this relative
to the new root location, e.g. XDG_RUNTIME_DIR/rootless-cni/run/user/1000/netns
before we mount the run directory. The run directory is mounted recursive,
this makes the netns directory at the same path accessible as before.
This also allows iptables-legacy to work because /run/xtables.lock is
now writeable.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
|\ \ \ \ \
| | | | | |
| | | | | | |
Fix rootless socket activation
|