Commit message (Author, Age)
...
* podman.service: use sdnotify (Valentin Rothberg, 2020-08-20)
  Commit 2b6dd3fb4384 set the killmode of the podman.service to the systemd default, which ultimately led to the problem that systemd will kill *all* processes inside the unit's cgroup and hence kill all containers whenever the service is stopped. Fix it by setting the type to sdnotify and the killmode to process. `podman system service` will send the necessary notify messages when the NOTIFY_SOCKET is set and unset it right after to prevent the backend and container runtimes from jumping in between and sending messages as well.
  Fixes: #7294
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* podman support for IPv6 networks (Antonio Ojea, 2020-08-20)
  podman containers using IPv6 were missing the default route, breaking deployments trying to use them. The problem is that the default route was hardcoded to IPv4; this takes into consideration the podman subnet IP family to generate the corresponding default route.
  Signed-off-by: Antonio Ojea <aojea@redhat.com>
* Merge pull request #7353 from rhatdan/v2.0 (OpenShift Merge Robot, 2020-08-20)
  Cleanup handling of podman mount/unmount
* Cleanup handling of podman mount/unmount (Daniel J Walsh, 2020-08-20)
  We should default to the user name unmount rather than the internal name of umount. Also, user namespace was not being handled correctly. We want to inform the user that if they do a mount when in rootless mode that they have to be first in the podman unshare state.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #7356 from vrothberg/2.0-vendor-image (OpenShift Merge Robot, 2020-08-20)
  [2.0] vendor c/image v5.5.2
* vendor c/image v5.5.2 (Valentin Rothberg, 2020-08-20)
  Enable pagination until the search result reaches the limit, instead of returning the default 100 limit from the registry API.
  BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1866153
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #7381 from baude/v2CIFix (OpenShift Merge Robot, 2020-08-19)
  Fix v2.0.x CI
* Fix v2.0.x CI (Brent Baude, 2020-08-19)
  Fix the CI for our 2.0.x branch.
  Signed-off-by: Brent Baude <bbaude@redhat.com>
* Merge pull request #7289 from vrothberg/v2-backports (OpenShift Merge Robot, 2020-08-11)
  V2 backports
* system tests: invoke with abs path to podman (Ed Santiago, 2020-08-11)
  Reversion of one part of #6679: my handling of 'realpath' would not work when $PODMAN is 'podman-remote --url etc'. Trying to handle that case got unmaintainable; so instead let's just force 'make {local,remote}system' to invoke with a full PODMAN path. This breaks down if someone runs the tests with a manual 'bats' invocation, but I think I'm the only one who ever does that.
  Since the podman path will now be very long in the logs, add code to logformatter to abbreviate it like we do for the ginkgo logs.
  And, one thing that has bugged me for a long time: in the error logs, show a different prompt ('#' vs '$') to distinguish root vs rootless. This should make it much easier to see at-a-glance whether a log file is root or not. Add tests for it.
  Signed-off-by: Ed Santiago <santiago@redhat.com>
* Make changes to /etc/passwd on disk for non-read only (Matthew Heon, 2020-08-11)
  Bind-mounting /etc/passwd into the container is problematic because of how system utilities like `useradd` work. They want to make a copy and then rename to try to prevent breakage; this is, unfortunately, impossible when the file they want to rename is a bind mount. The current behavior is fine for read-only containers, though, because we expect useradd to fail in those cases.
  Instead of bind-mounting, we can edit /etc/passwd in the container's rootfs. This is kind of gross, because the change will show up in `podman diff` and similar tools, and will be included in images made by `podman commit`. However, it's a lot better than breaking important system tools.
  Fixes #6953
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add username to /etc/passwd inside of container if --userns keep-id (Daniel J Walsh, 2020-08-11)
  If I enter a container with --userns keep-id, my UID will be present inside of the container, but most likely my user will not be defined. This patch will take information about the user and stick it into the container.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix close fds of exec --preserve-fds (Qi Wang, 2020-08-11)
  Fix the closing of fds from --preserve-fds to avoid the operation on unrelated fds.
  Signed-off-by: Qi Wang <qiwan@redhat.com>
* fix pod creation with "new:" syntax (Paul Holzinger, 2020-08-11)
  When you execute podman create/run with the --pod new:<name> syntax the pod was created but the namespaces were not shared and therefore containers could not communicate over localhost. Add the default namespaces and pass the network options to the pod create options.
  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Fix podman service --varlink timeout (Jhon Honce, 2020-08-11)
  Documentation and unit files call for a millisecond timeout while the code was using a second resolution. Code change is smaller given varlink has been deprecated.
  Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Add versioned _ping endpoint (Jhon Honce, 2020-08-11)
  Fixes #7008
  Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Change recommended systemd unit path for root. (Paul Holzinger, 2020-08-11)
  `/usr/lib/systemd/system` should only be used by the package manager; administrators should use `/etc/systemd/system` or `/usr/local/lib/systemd/system`. See: man systemd.unit
  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* API returns 500 in case network is not found instead of 404 (zhangguanzhang, 2020-08-11)
  Backported-by: Valentin Rothberg <rothberg@redhat.com>
  Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* podman.service: drop install section (Valentin Rothberg, 2020-08-11)
  podman.service is socket activated through podman.socket. It should not have its own [Install] section; it does not make sense to systemctl enable podman.service. This leads to podman.service always running on a Debian system, as Debian's policy is to enable/start running services by default. We don't want a daemon :^)
  Fixes: #7190
  Reported-by: @martinpitt
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Handle podman-remote run --rm (Daniel J Walsh, 2020-08-11)
  We need to remove the container after it has exited for podman-remote run --rm commands. If we don't remove this container at this step, we open ourselves up to race conditions.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* correct go-binding key for volumes (Brent Baude, 2020-08-11)
  The go binding for remove container was using 'vols' for a key to remove volumes associated to the container. The correct key should be "v" and is documented as such.
  Fixes: #7128
  Signed-off-by: Brent Baude <bbaude@redhat.com>
* cherry-pick: Reenable remote system tests (Ed Santiago, 2020-08-11)
  NOTE: the remote tests are not reenabled but the changes are applied. Future commits depend on some of the changes and having the commit applied will likely facilitate future backports as well.
  podman-remote is in better shape now. Let's see what needs to be done to reenable remote system tests.
  - logs test: skip multilog, it doesn't work remote
  - diff test: use -l only when local, not with remote
  - many other tests: skip_if_remote, with 'FIXME: pending #xxxx' where xxxx is a filed issue.
  Unrelated: added new helper to skip_if_remote and _if_rootless, where we check if the source message includes "remote"/"rootless" and insert it if missing. This is a minor usability enhancement to make it easier to understand at-a-glance why a skip triggers.
  Backported-by: Valentin Rothberg <rothberg@redhat.com>
  Signed-off-by: Ed Santiago <santiago@redhat.com>
* system tests: new tests for run, exec (Ed Santiago, 2020-08-11)
  - Issue #6735 : problem with multiple namespaces; confirms combinations of --userns=keep-id, --privileged, --user=XX
  - Issue #6829 : --userns=keep-id will add a /etc/passwd entry
  - Issue #6593 : podman exec, with --userns=keep-id, errors (test is currently skipped because issue remains live)
  ...and, addendum: add new helper function, remove_same_dev_warning. Some CI systems issue a warning on podman run --privileged: WARNING: The same type, major and minor should not be used for multiple devices. We already had special-case code to ignore that in the SELinux test, but now we're seeing it in the new run tests I added, so I've refactored the "ignore this warning" code and written tests for the removal code.
  Signed-off-by: Ed Santiago <santiago@redhat.com>
* implement the exitcode when starting a container with attach (zhangguanzhang, 2020-08-11)
  Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* Do not set host IP on ports when 0.0.0.0 requested (Matthew Heon, 2020-08-11)
  Docker and CNI have very different ideas of what 0.0.0.0 means. Docker takes it to be 0.0.0.0/0 - that is, bind to every IPv4 address on the host. CNI (and, thus, root Podman) take it to mean the literal IP 0.0.0.0. Instead, CNI interprets the empty string ("") as "bind to all IPs". We could ask CNI to change, but given this is established behavior, that's unlikely. Instead, let's just catch 0.0.0.0 and turn it into "" when we parse ports.
  Fixes #7014
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* Missing return after early exit (Brent Baude, 2020-08-11)
  The exists code was plagued by a missing return statement meant to trigger an early exit.
  Fixes: #7197
  Signed-off-by: Brent Baude <bbaude@redhat.com>
* docker-compose uses application/tar (Brent Baude, 2020-08-11)
  Even though the official documentation suggests that application/x-tar should be used for tar files, it seems docker-compose uses application/tar. We now accept them and issue a warning.
  Fixes: #7185
  Signed-off-by: Brent Baude <bbaude@redhat.com>
* rootless: system service immediately joins the namespaces (Giuseppe Scrivano, 2020-08-11)
  When there is a pause process running, let the "system service" podman instance immediately join the existing namespaces.
  Closes: https://github.com/containers/podman/issues/7180
  Closes: https://github.com/containers/podman/issues/6660
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* fix bug podman sign storage path (Qi Wang, 2020-08-11)
  - fix the bug of podman not using the specified --directory as signature storage.
  - use manifest and image reference to set repo@digest.
  close #6994
  close #6993
  Backported-by: Valentin Rothberg <rothberg@redhat.com>
  Signed-off-by: Qi Wang <qiwan@redhat.com>
* podman-remote send name and tag (Brent Baude, 2020-08-11)
  When loading an image with podman-remote load, we need to send a name and a tag to the endpoint.
  Fixes: #7124
  Backported-by: Valentin Rothberg <rothberg@redhat.com>
  Signed-off-by: Brent Baude <bbaude@redhat.com>
* Ensure that exec errors write exit codes to the DB (Matthew Heon, 2020-08-11)
  In local Podman, the frontend interprets the error and exit code given by the Exec API to determine the appropriate exit code to set for Podman itself; special cases like a missing executable receive special exit codes. Exec for the remote API, however, has to do this inside Libpod itself, as Libpod will be directly queried (via the Inspect API for exec sessions) to get the exit code. This was done correctly when the exec session started properly, but we did not properly handle cases where the OCI runtime fails before the exec session can properly start. Making two error returns that would otherwise not set exit code actually do so should resolve the issue.
  Fixes #6893
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* fix podman logs --tail when log is bigger than pagesize (Paul Holzinger, 2020-08-11)
  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* image list: speed up (Valentin Rothberg, 2020-08-11)
  Listing images has shown increasing performance penalties with an increasing number of images. Unless `--all` is specified, Podman will filter intermediate images. Determining intermediate images has been done by finding (and comparing!) parent images which is expensive. We had to query the storage many times which turned it into a bottleneck.
  Instead, create a layer tree and assign one or more images to nodes that match the images' top layer. Determining the children of an image is now exponentially faster as we already know the child images from the layer graph and the images using the same top layer, which may also be considered child images based on their history.
  On my system with 510 images, a rootful image list drops from 6 secs down to 0.3 secs.
  Also use the tree to compute parent nodes, and to filter intermediate images for pruning.
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* generate systemd: fix error handling (Valentin Rothberg, 2020-08-11)
  Fix a bug in the error handling which returned nil instead of an error and ultimately led to nil dereferences in the client. To prevent future regressions, add a test and check for the error message.
  Fixes: #7271
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #7226 from ashley-cui/v2.0 (OpenShift Merge Robot, 2020-08-05)
  v2.0 Backports
* Publish IP from YAML (podman play kube) (Ashley Cui, 2020-08-04)
  podman play kube didn't set host ip correctly from YAML
  Signed-off-by: Ashley Cui <acui@redhat.com>
* Add containers.conf default file for windows and MAC Installs (Daniel J Walsh, 2020-08-04)
  We want to add this configuration file so that users can discover how to configure the permanent connection to a remote podman instance.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #7200 from TomSweeneyRedHat/dev/tsweeney/v2_buildah_1.15.1 (OpenShift Merge Robot, 2020-08-04)
  Bump Buildah to v1.15.1 on v2.0 branch
* Bump Buildah to v1.15.1 on v2.0 branch (TomSweeneyRedHat, 2020-08-03)
  As the title says
  Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* Merge pull request #7174 from mheon/bump_204 (OpenShift Merge Robot, 2020-07-31)
  [CI:DOCS] Bump to v2.0.4
* Bump to v2.0.5-dev (Matthew Heon, 2020-07-31)
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* Bump to v2.0.4 [tag: v2.0.4] (Matthew Heon, 2020-07-31)
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #7173 from mheon/204_relnotes_backports (OpenShift Merge Robot, 2020-07-31)
  [CI:DOCS] Update release notes for v2.0.4
* Update release notes for v2.0.4 (Matthew Heon, 2020-07-31)
  Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #7170 from mheon/204_backports (OpenShift Merge Robot, 2020-07-31)
  Extra backports for v2.0.4
* Disable a nonfunctional build test (Matthew Heon, 2020-07-31)
  The amount of drift in the system tests on v2.0 is starting to become difficult to deal with. 2.1.0 can't come soon enough.
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* volumes: do not recurse when chowning (Giuseppe Scrivano, 2020-07-31)
  Keep the file ownership when chowning and honor the user namespace mappings.
  Closes: https://github.com/containers/podman/issues/7130
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  <MH: Fixed conflicts from cherry pick>
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* add {{.RunningFor}} placeholder in ps --format (Ashley Cui, 2020-07-31)
  For docker compatibility
  Signed-off-by: Ashley Cui <acui@redhat.com>
* fix swapped mem_usage/percent fields (Paul Holzinger, 2020-07-31)
  Correct the wrong field assignment in `podman stats --format=json`.
  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Ensure that 'rmi --force' evicts Podman containers (Matthew Heon, 2020-07-31)
  The logic for `podman rmi --force` includes a bit of code that will remove Libpod containers using Libpod's container removal logic - this ensures that they're cleanly and completely removed. For other containers (Buildah, CRI-O, etc) we fall back to manually removing the containers using the image from c/storage.
  Unfortunately, our logic for invoking the Podman removal function had an error, and it did not properly handle cases where we were force-removing an image with >1 name. Force-removing such images by ID guarantees their removal, not just an untag of a single name; our code for identifying whether to remove containers did not properly detect this case, so we fell through and deleted the Podman containers as storage containers, leaving traces of them in the Libpod DB.
  Fixes #7153
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>