Commit message (Author, Age)
Merge pull request #3593 from giuseppe/rootless-privileged-devices (OpenShift Merge Robot, 2019-07-18)
    rootless: add host devices with --privileged

rootless: add rw devices with --privileged (Giuseppe Scrivano, 2019-07-18)
    When --privileged is specified, add all the devices that are usable by the user.

    Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1730773

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Merge pull request #3584 from QiWang19/pssize (OpenShift Merge Robot, 2019-07-18)
    podman-remote make --size optional in ps

podman-remote make --size optional in ps (Qi Wang, 2019-07-18)
    Close #3578

    Add `size` field to PsOpts in podman remote to receive size as an option.

    Signed-off-by: Qi Wang <qiwan@redhat.com>
Merge pull request #3509 from giuseppe/cgroup-namespace (OpenShift Merge Robot, 2019-07-18)
    libpod: support for cgroup namespace

libpod: support for cgroup namespace (Giuseppe Scrivano, 2019-07-18)
    Allow a container to run in a new cgroup namespace.

    When running in a new cgroup namespace, the current cgroup appears to be the root, so that there is no way for the container to access cgroups outside of its own subtree.

    By default it uses --cgroup=host to keep the previous behavior. To create a new namespace, --cgroup=private must be provided.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Merge pull request #3595 from mheon/fix_exec_leak (OpenShift Merge Robot, 2019-07-18)
    Remove exec PID files after use to prevent memory leaks

Remove exec PID files after use to prevent memory leaks (Matthew Heon, 2019-07-18)
    We have another patch running to do the same for exit files, with a much more in-depth explanation of why it's necessary. Suffice to say that persistent files in tmpfs tied to container CGroups lead to significant memory allocations that last for the lifetime of the file.

    Based on a patch by Andrea Arcangeli (aarcange@redhat.com).

    Signed-off-by: Matthew Heon <mheon@redhat.com>
Merge pull request #3592 from openSUSE/aa-file (OpenShift Merge Robot, 2019-07-18)
    Add DefaultContent API to retrieve apparmor profile content

Add DefaultContent API to retrieve apparmor profile content (Sascha Grunert, 2019-07-18)
    The default apparmor profile is not stored on disk, which causes confusion when debugging the content of the profile. To solve this, we now add an additional API which returns the profile as a byte slice.

    Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Merge pull request #3591 from llchan/makefile-symlink-tweak (OpenShift Merge Robot, 2019-07-18)
    Tweak GOPATH-related symlinking

Make GOPATH-related symlinking more precise (Lawrence Chan, 2019-07-17)
    This change tweaks the symlink commands that are invoked when libpod is not on GOPATH. This has the following effects:

    - If the working directory is not "libpod", it will still create the symlink at the correct github.com/containers/libpod path.
    - If the github.com/varlink directory/symlink already exists, it will still create the symlink at the intended path.

    Signed-off-by: Lawrence Chan <element103@gmail.com>
Merge pull request #3522 from mheon/nix_the_artifact (OpenShift Merge Robot, 2019-07-18)
    Move the HostConfig portion of Inspect inside libpod

Populate inspect with security-opt settings (Matthew Heon, 2019-07-17)
    We can infer no-new-privileges. For now, manually populate seccomp (can't infer what file we sourced from) and SELinux/Apparmor (hard to tell if they're enabled or not).

    Signed-off-by: Matthew Heon <mheon@redhat.com>

Properly retrieve Conmon PID (Matthew Heon, 2019-07-17)
    Our previous method (just read the PID that we spawned) doesn't work - Conmon double-forks to daemonize, so we end up with a PID pointing to the first process, which dies almost immediately. Reading from the PID file gets us the real PID.

    Signed-off-by: Matthew Heon <matthew.heon@pm.me>

Move the HostConfig portion of Inspect inside libpod (Matthew Heon, 2019-07-17)
    When we first began writing Podman, we ran into a major issue when implementing Inspect. Libpod deliberately does not tie its internal data structures to Docker, and stores most information about containers encoded within the OCI spec. However, Podman must present a CLI compatible with Docker, which means it must expose all the information in 'docker inspect' - most of which is not contained in the OCI spec or libpod's Config struct.

    Our solution at the time was the create artifact. We JSON'd the complete CreateConfig (a parsed form of the CLI arguments to 'podman run') and stored it with the container, restoring it when we needed to run commands that required the extra info.

    Over the past month, I've been looking more at Inspect, and refactored large portions of it into Libpod - generating them from what we know about the OCI config and libpod's (now much expanded, versus previously) container configuration. This patch comes close to completing the process, moving the last part of inspect into libpod and removing the need for the create artifact.

    This improves libpod's compatibility with non-Podman containers. We no longer require an arbitrarily-formatted JSON blob to be present to run inspect.

    Fixes: #3500

    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Merge pull request #3588 from haircommander/play-kube-command (OpenShift Merge Robot, 2019-07-18)
    Fix play kube command

Fix play kube command (Peter Hunt, 2019-07-17)
    Before, play kube wasn't properly setting the command. Fix this.

    Also, begin a dedicated test suite for play kube to catch regressions like this in the future.

    Signed-off-by: Peter Hunt <pehunt@redhat.com>
Merge pull request #3583 from giuseppe/ulimit-host-not-set (OpenShift Merge Robot, 2019-07-17)
    spec: simplify handling of --ulimit host

spec: rework --ulimit host (Giuseppe Scrivano, 2019-07-17)
    It seems enough to not specify any ulimit block to maintain the host limits.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Merge pull request #3335 from cevich/imgprune (OpenShift Merge Robot, 2019-07-17)
    Cirrus: Print images that should be pruned

Cirrus: Print images that should be pruned (Chris Evich, 2019-07-15)
    Over time, unless they're removed, the project could grow quite a large collection of VM images. While generally cheap (less than a penny each, per month), these will become a significant cost item if not kept in check.

    Add a specialized container for handling image-pruning, but limit it to only finding and printing (not actually deleting) images. Also update the image-building workflow so that base-images used to compose cache-images are also labeled with metadata.

    N/B: As an additional safeguard, the service account which executes the new container in production *DOES NOT* have access to delete images. This can be enabled by adding the GCE IAM role: CustomComputeImagePrune

    Signed-off-by: Chris Evich <cevich@redhat.com>
Merge pull request #3548 from cevich/disable_periodic_activity (OpenShift Merge Robot, 2019-07-16)
    Cirrus: Disable most periodic services/timers

Cirrus: Add image-test for locked dpkg (Chris Evich, 2019-07-16)
    Signed-off-by: Chris Evich <cevich@redhat.com>

Cirrus: Use images w/o periodic svcs (Chris Evich, 2019-07-16)
    Signed-off-by: Chris Evich <cevich@redhat.com>

Cirrus: Disable most periodic services/timers (Chris Evich, 2019-07-16)
    For CI testing, it's important to remove as much variability from the overall system as possible. This permits focusing just on problems closely related to code-changes. To this end, and because VMs are very short-lived (2 hours at most), disable all systemd services and timers which perform periodic activities.

    Signed-off-by: Chris Evich <cevich@redhat.com>
Merge pull request #3508 from csomh/healthcheck-flag-compat (OpenShift Merge Robot, 2019-07-16)
    Make the healthcheck flags compatible with Docker CLI

Completion: complete "--health-start-period" in bash (Hunor Csomortáni, 2019-07-16)
    Signed-off-by: Hunor Csomortáni <csomh@redhat.com>

Make the healthcheck flags compatible with Docker CLI (Hunor Csomortáni, 2019-07-16)
    Docker CLI calls the healthcheck flags "--health-*", instead of "--healthcheck-*". Introduce the former, in order to keep compatibility, and alias the latter, in order to avoid breaking current usage.

    Change "--healthcheck-*" to "--health-*" in the docs and tests.

    Signed-off-by: Hunor Csomortáni <csomh@redhat.com>

Completion: --no-healthcheck is not an option (Hunor Csomortáni, 2019-07-16)
    Signed-off-by: Hunor Csomortáni <csomh@redhat.com>
Merge pull request #3546 from cevich/abstract_dest_branch (OpenShift Merge Robot, 2019-07-16)
    Cirrus: Abstract destination branch refs.

Cirrus: Abstract destination branch refs. (Chris Evich, 2019-07-15)
    Various tasks and scripts behave differently depending on whether or not the build is running against a PR or on a branch, post-merge. However, a great number of them are hard-coded to the string 'master' as the destination. Since this is not always the case (there are other relevant branches), it makes sense to abstract the references with a single definition.

    Add a top-level `$DEST_BRANCH` variable to CI, and otherwise default to 'master' when unset. This enables running CI builds on additional branches without the overhead of updating all the static references to 'master'. Simply update `$DEST_BRANCH` at the top level and all branch-conditional logic will function as intended.

    Signed-off-by: Chris Evich <cevich@redhat.com>
Merge pull request #3539 from stefanb2/topic-pr-3507-3525 (OpenShift Merge Robot, 2019-07-16)
    Fix handling of healthcheck from image

healthcheck: reject empty commands (Stefan Becker, 2019-07-16)
    An image with "HEALTHCHECK CMD ['']" is valid, but as there is no command defined the healthcheck will fail. Reject such a configuration.

    Fixes #3507

    Signed-off-by: Stefan Becker <chemobejk@gmail.com>

create: ignore check if image has HEALTHCHECK NONE (Stefan Becker, 2019-07-16)
    If the image was built with "HEALTHCHECK NONE" then we should create a container without healthcheck configuration. Otherwise executing the healthcheck on the container will return "unhealthy" instead of the correct error message that the container doesn't have a healthcheck.

    We also ignore the healthcheck configuration if the command list is empty or the command string is empty.

    Fixes #3525

    Signed-off-by: Stefan Becker <chemobejk@gmail.com>

create: apply defaults on image healthcheck options (Stefan Becker, 2019-07-16)
    If the image doesn't provide any options, e.g. interval, timeout, etc., then apply the Docker defaults when creating the container. Otherwise the defaults will be left 0 and podman doesn't schedule the healthcheck service & timer for the container or incorrectly reports unhealthy state when the check is executed.

    Fixes #3525

    Signed-off-by: Stefan Becker <chemobejk@gmail.com>

healthcheck: improve command list parser (Stefan Becker, 2019-07-16)
    - remove duplicate check, already called in HealthCheck()
    - reject zero-length command list and empty command string as erroneous
    - support all Docker command list keywords: NONE, CMD or CMD-SHELL
    - use Docker default "/bin/sh -c" for CMD-SHELL

    Fixes #3507

    Signed-off-by: Stefan Becker <chemobejk@gmail.com>
Merge pull request #3513 from vrothberg/analyses (OpenShift Merge Robot, 2019-07-16)
    Binary bloat analyses

dependency/analyses: simplify scripts (Valentin Rothberg, 2019-07-16)
    Credits to bash wizard @edsantiago for the changes.

    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

dependency-tree analysis: direct and transitive (Valentin Rothberg, 2019-07-16)
    Change the script to generate two files. One including direct dependencies, the other including direct and transitive dependencies.

    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

analyses: README: consistent code examples (Valentin Rothberg, 2019-07-16)
    Remove a blank line to make code examples more consistent and fix the path of the 2nd example.

    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

analyses: README: fix typos (Valentin Rothberg, 2019-07-16)
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

analyses: add dependency-tree.sh (Valentin Rothberg, 2019-07-16)
    Add a new analysis script to print the dependency tree.

    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

analyses: add README.md (Valentin Rothberg, 2019-07-16)
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

hack/analyses -> dependencies/analyses (Valentin Rothberg, 2019-07-16)
    Move the analyses scripts to the dependencies directory to avoid scattering of the dependency management.

    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

hack/analyses/go-archive-analysis.sh: fix sorting (Valentin Rothberg, 2019-07-16)
    Believe it or not: `sort -ruh` is losing data while `sort -u | sort -rh` does not.

    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

add hack/analyses/nm-symbols-analysis.sh (Valentin Rothberg, 2019-07-16)
    The script allows for analyzing the symbols of a go binary passed as an argument. The tabular output looks as follows:

        336 unicode/utf8.DecodeLastRune
        323 unicode/utf8.DecodeLastRuneInString
        518 unicode/utf8.DecodeRune
        518 unicode/utf8.DecodeRuneInString
        337 unicode/utf8.EncodeRune

    The first column indicates the size in bytes of the symbol in the second column. Note that only text symbols are considered; other symbols from the data or the bss segment are ignored to avoid information overload.

    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

analyse package sizes (Valentin Rothberg, 2019-07-16)
    Analyse the size of all go-packages used during the build process via the newly added `hack/analyses/go-archive-analysis.sh` script.

    The script expects the `WORK` environment variable to be set, which points to a temporary work directory generated by `go build`. To generate such a work directory, set the `BUILDFLAGS="-work -a"`:

    * `-work` for creating the work directory
    * `-a` to force rebuilding all packages even when already cached

    The workflow may look as follows:

    ```
    $ BUILDFLAGS="-work -a" make podman
    [...]
    WORK=/tmp/go-build127001249
    $ WORK=/tmp/go-build127001249 ./hack/analyses/go-archive-analysis.sh
    ```

    The output of the script has the format `$SIZE $PACKAGE` where $SIZE is the size of the compiled version of the go package (i.e., `.a` file) and $PACKAGE is the corresponding package, for instance, `math/big` for a stdlib package or vendor/... for vendored packages.

    Credits to the authors of https://github.com/jondot/goweight, which inspired this work.

    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Merge pull request #3574 from stefanb2/topic-health-cmd-parsing (OpenShift Merge Robot, 2019-07-15)
    Improve parser for --healthcheck-command

create: improve parser for --healthcheck-command (Stefan Becker, 2019-07-14)
    Fix Docker CLI compatibility issue: the "--healthcheck-command" option value should not be split but instead be passed as a single string to "CMD-SHELL", i.e. "/bin/sh -c <opt>".

    On the other hand, implement the same extension as is already available for "--entrypoint", i.e. allow the option value to be a JSON array of strings. This will make life easier for tools like podman-compose.

    Updated "--healthcheck-command" option values in tests accordingly.

    Continuation of #3455 & #3507

    Signed-off-by: Stefan Becker <chemobejk@gmail.com>