aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* oci: keep LC_ env variables to conmonGiuseppe Scrivano2021-01-11
| | | | | | | | | | it is necessary for conmon to deal with the correct locale, otherwise it uses C as a fallback. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1893567 Requires: https://github.com/containers/conmon/pull/215 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #8915 from rhatdan/remoteOpenShift Merge Robot2021-01-10
|\ | | | | Improve error message when the the podman service is not enabled
| * Improve error message when the the podman service is not enabledDaniel J Walsh2021-01-09
| | | | | | | | | | | | | | | | | | | | | | Currently if server is not connected, we return an error message that is confusing users on Mac and Windows boxes. The hope here is to make it a little easier to discover that a Podman service is required. This message is similar to what Docker puts out so people might under stand it better. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #8920 from Luap99/ps-network-filterOpenShift Merge Robot2021-01-10
|\ \ | |/ |/| podman ps/pod ps add network filter and .Networks format placeholder
| * Use abi PodPs implementation for libpod/pods/json endpointPaul Holzinger2021-01-09
| | | | | | | | | | | | This removes unnecessary code duplication. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * Add Networks format placeholder to podman ps and pod psPaul Holzinger2021-01-09
| | | | | | | | | | | | | | `podman ps --format {{.Networks}}` will show all connected networks for this container. For `pod ps` it will show the infra container networks. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * Add network filter for podman ps and pod psPaul Holzinger2021-01-09
|/ | | | | | | Allow to filter on the network name or full id. For pod ps it will filter on the infra container networks. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #8781 from rst0git/cr-volumesOpenShift Merge Robot2021-01-08
|\ | | | | Add support for checkpoint/restore of containers with volumes
| * test: Add checkpoint/restore with volumesRadostin Stoyanov2021-01-07
| | | | | | | | Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
| * Include named volumes in container migrationRadostin Stoyanov2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When migrating a container with associated volumes, the content of these volumes should be made available on the destination machine. This patch enables container checkpoint/restore with named volumes by including the content of volumes in checkpoint file. On restore, volumes associated with container are created and their content is restored. The --ignore-volumes option is introduced to disable this feature. Example: # podman container checkpoint --export checkpoint.tar.gz <container> The content of all volumes associated with the container are included in `checkpoint.tar.gz` # podman container checkpoint --export checkpoint.tar.gz --ignore-volumes <container> The content of volumes is not included in `checkpoint.tar.gz`. This is useful, for example, when the checkpoint/restore is performed on the same machine. # podman container restore --import checkpoint.tar.gz The associated volumes will be created and their content will be restored. Podman will exit with an error if volumes with the same name already exist on the system or the content of volumes is not included in checkpoint.tar.gz # podman container restore --ignore-volumes --import checkpoint.tar.gz Volumes associated with container must already exist. Podman will not create them or restore their content. Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
| * Use Options as CRImportCheckpoint() argumentRadostin Stoyanov2021-01-07
| | | | | | | | | | | | | | | | | | Instead of specifying restore option arguments individually from RestoreOptions, provide the 'options' object to the CRImportCheckpoint method. This change makes the code in CRImportCheckpoint easier to extend as it doesn't require excessive number of function parameters. Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
| * Use Options as exportCheckpoint() argumentRadostin Stoyanov2021-01-07
| | | | | | | | | | | | | | | | | | | | Instead of individual values from ContainerCheckpointOptions, provide the options object. This is a preparation for the next patch where one more value of the options object is required in exportCheckpoint(). Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
* | Merge pull request #8912 from jwhonce/issues/8891OpenShift Merge Robot2021-01-08
|\ \ | | | | | | Restore compatible API for prune endpoints
| * | Restore compatible API for prune endpointsJhon Honce2021-01-07
|/ / | | | | | | | | | | | | | | | | | | | | * Restore correct API endpoint payloads including reclaimed space numbers * Include tests for API prune endpoints * Clean up function signatures with unused parameters * Update swagger for /networks/prune Fixes #8891 Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | Merge pull request #8907 from Luap99/fix-mips-buildOpenShift Merge Robot2021-01-07
|\ \ | | | | | | Fix build for mips architecture follow-up
| * | Add mips architecture to the cross build targetPaul Holzinger2021-01-07
| | | | | | | | | | | | Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * | Fix build for mips architecture follow-upPaul Holzinger2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | Follow-up to commit (1ad796677e1c). The build on mips is still failing because SIGWINCH was not defined in the signal pkg. Also stat_t.Rdev is unit32 on mips so we need to typecast. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #8771 from rhatdan/runOpenShift Merge Robot2021-01-07
|\ \ \ | | | | | | | | Switch references of /var/run -> /run
| * | | Switch references of /var/run -> /runDaniel J Walsh2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Systemd is now complaining or mentioning /var/run as a legacy directory. It has been many years where /var/run is a symlink to /run on all most distributions, make the change to the default. Partial fix for https://github.com/containers/podman/issues/8369 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #8821 from rhatdan/capsOpenShift Merge Robot2021-01-07
|\ \ \ \ | | | | | | | | | | Containers should not get inheritable caps by default
| * | | | Handle podman exec capabilities correctlyDaniel J Walsh2021-01-07
| | | | | | | | | | | | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| * | | | Containers should not get inheritable caps by defaultDaniel J Walsh2021-01-07
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When I launch a container with --userns=keep-id the rootless processes should have no caps by default even if I launch the container with --privileged. It should only get the caps if I specify by hand the caps I want leaked to the process. Currently we turn off capeff and capamb, but not capinh. This patch treats capinh the same way as capeff and capamb. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #8816 from giuseppe/automatically-split-userns-mappingsOpenShift Merge Robot2021-01-07
|\ \ \ \ | | | | | | | | | | rootless: automatically split userns ranges
| * | | | rootless: automatically split userns rangesGiuseppe Scrivano2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | writing to the id map fails when an extent overlaps multiple mappings in the parent user namespace: $ cat /proc/self/uid_map 0 1000 1 1 100000 65536 $ unshare -U sleep 100 & [1] 1029703 $ printf "0 0 100\n" | tee /proc/$!/uid_map 0 0 100 tee: /proc/1029703/uid_map: Operation not permitted This limitation is particularly annoying when working with rootless containers as each container runs in the rootless user namespace, so a command like: $ podman run --uidmap 0:0:2 --rm fedora echo hi Error: writing file `/proc/664087/gid_map`: Operation not permitted: OCI permission denied would fail since the specified mapping overlaps the first mapping (where the user id is mapped to root) and the second extent with the additional IDs available. Detect such cases and automatically split the specified mapping with the equivalent of: $ podman run --uidmap 0:0:1 --uidmap 1:1:1 --rm fedora echo hi hi A fix has already been proposed for the kernel[1], but even if it accepted it will take time until it is available in a released kernel, so fix it also in pkg/rootless. [1] https://lkml.kernel.org/lkml/20201203150252.1229077-1-gscrivan@redhat.com/ Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | | rootless: add function to retrieve uid mappingsGiuseppe Scrivano2021-01-07
| | | | | | | | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | | rootless: add function to retrieve gid mappingsGiuseppe Scrivano2021-01-07
| | |_|/ | |/| | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #8904 from Luap99/fix-podman-logsOpenShift Merge Robot2021-01-07
|\ \ \ \ | |_|/ / |/| | | Fix podman logs read partial log lines
| * | | Fix podman logs read partial log linesPaul Holzinger2021-01-07
| | |/ | |/| | | | | | | | | | | | | | | | | | | If a partial log line has the length 1 it was ignored by podman logs. Fixes #8879 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #8884 from ↵OpenShift Merge Robot2021-01-07
|\ \ \ | |_|/ |/| | | | | | | | containers/dependabot/go_modules/github.com/google/uuid-1.1.4 Bump github.com/google/uuid from 1.1.3 to 1.1.4
| * | Bump github.com/google/uuid from 1.1.3 to 1.1.4dependabot-preview[bot]2021-01-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.1.3 to 1.1.4. - [Release notes](https://github.com/google/uuid/releases) - [Commits](https://github.com/google/uuid/compare/v1.1.3...v1.1.4) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Valentin Rothberg <rothberg@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #8832 from hshiina/logfileOpenShift Merge Robot2021-01-06
|\ \ \ | |_|/ |/| | Fix e2e test for `podman build --logfile`
| * | Fix e2e test for `podman build --logfile`Hironori Shiina2020-12-24
| | | | | | | | | | | | | | | | | | Type casting is necessary to see if the logfile size is not equal to 0. Signed-off-by: Hironori Shiina <Hironori.Shiina@fujitsu.com>
* | | Merge pull request #8805 from giuseppe/single-user-mapped-rootOpenShift Merge Robot2021-01-06
|\ \ \ | | | | | | | | libpod: handle single user mapped as root
| * | | libpod: handle single user mapped as rootGiuseppe Scrivano2020-12-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | if a single user is mapped in the user namespace, handle it as root. It is needed for running unprivileged containers with a single user available without being forced to run with euid and egid set to 0. Needs: https://github.com/containers/storage/pull/794 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #8892 from mheon/fix_8886OpenShift Merge Robot2021-01-06
|\ \ \ \ | | | | | | | | | | Ensure that user-specified HOSTNAME is honored
| * | | | Ensure that user-specified HOSTNAME is honoredMatthew Heon2021-01-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When adding the HOSTNAME environment variable, only do so if it is not already present in the spec. If it is already present, it was likely added by the user, and we should honor their requested value. Fixes #8886 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | | | Merge pull request #8901 from mheon/reenable_cevich_testsOpenShift Merge Robot2021-01-06
|\ \ \ \ \ | | | | | | | | | | | | Revert e6fbc15f26b2a609936dfc11732037c70ee14cba and reenable tests
| * | | | | Revert e6fbc15f26b2a609936dfc11732037c70ee14cbaMatthew Heon2021-01-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The issue requiring these tests be disabled should be resolved. Reenable the tests as such. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | | | Merge pull request #8899 from cevich/new_2021_imagesOpenShift Merge Robot2021-01-06
|\ \ \ \ \ \ | |/ / / / / |/| | | | | Cirrus: Update Fedora & Ubuntu images
| * | | | | Cirrus: Update Fedora & Ubuntu imagesChris Evich2021-01-06
|/ / / / / | | | | | | | | | | | | | | | Signed-off-by: Chris Evich <cevich@redhat.com>
* | | | | Merge pull request #8685 from mheon/ignore_containersconf_sysctls_shared_netOpenShift Merge Robot2021-01-05
|\ \ \ \ \ | | | | | | | | | | | | Ignore containers.conf sysctls when sharing namespaces
| * | | | | Add default sysctls for pod infra containersMatthew Heon2021-01-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Ensure that infra containers for pods will grab default sysctls from containers.conf, to match how other containers are created. This mostly affects the other containers in the pod, which will inherit those sysctls when they join the pod's namespaces. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | | | Ignore containers.conf sysctls when sharing namespacesMatthew Heon2020-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The existing code prevents containers.conf default sysctls from being added if the container uses a host namespace. This patch expands that to not just host namespaces, but also *shared* namespaces - so we never modify another container's (or a pod's) namespaces without being explicitly directed to do so by the user. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | | | | Merge pull request #8889 from vrothberg/run-1138OpenShift Merge Robot2021-01-05
|\ \ \ \ \ \ | | | | | | | | | | | | | | generate systemd: do not set `KillMode`
| * | | | | | generate systemd: do not set `KillMode`Valentin Rothberg2021-01-05
| | |/ / / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `KillMode=none` has been deprecated in systemd and is now throwing big warnings when being used. Users have reported the issues upstream (see #8615) and on the mailing list. This deprecation was mainly motivated by an abusive use of third-party vendors causing all kinds of undesired side-effects. For instance, busy mounts that delay reboot. After talking to the systemd team, we came up with the following plan: **Short term**: we can use TimeoutStopSec and remove KillMode=none which will default to cgroup. **Long term**: we want to change the type to sdnotify. The plumbing for Podman is done but we need it for conmon. Once sdnotify is working, we can get rid of the pidfile handling etc. and let Podman handle it. Michal Seklatar came up with a nice idea that Podman increase the time out on demand. That's a much cleaner way than hard-coding the time out in the unit as suggest in the short-term solution. This change is executing the short-term plan and sets a minimum timeout of 60 seconds. User-specified timeouts are added to that. Fixes: #8615 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | | Merge pull request #8831 from bblenard/issue-8658-system-prune-reclaimed-spaceOpenShift Merge Robot2021-01-05
|\ \ \ \ \ \ | | | | | | | | | | | | | | Rework pruning to report reclaimed space
| * | | | | | Rework pruning to report reclaimed spaceBaron Lenardson2020-12-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change adds code to report the reclaimed space after a prune. Reclaimed space from volumes, images, and containers is recorded during the prune call in a PruneReport struct. These structs are collected into a slice during a system prune and processed afterwards to calculate the total reclaimed space. Closes #8658 Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
* | | | | | | Merge pull request #8885 from vrothberg/vendor-psgoOpenShift Merge Robot2021-01-05
|\ \ \ \ \ \ \ | |_|/ / / / / |/| | | | | | vendor containers/psgo@v1.5.2
| * | | | | | vendor containers/psgo@v1.5.2Valentin Rothberg2021-01-05
|/ / / / / / | | | | | | | | | | | | | | | | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | | Merge pull request #8873 from baude/issue8864OpenShift Merge Robot2021-01-05
|\ \ \ \ \ \ | |_|_|_|_|/ |/| | | | | close journald when reading