aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* specgen: check that networks are only set with bridgePaul Holzinger2021-12-14
| | | | | | | | | | Because we cannot reqad the networking mode in the frontent because we should always use the server default we have to parse the mac and ip address to the server via a default network. Now when the server reads the default nsmode it has to reject the provided networks when the mode is not set to bridge. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* container restore/import: store networks from dbPaul Holzinger2021-12-14
| | | | | | | | It is important that we store the current networks from the db in the config. Also make sure to properly handle aliases and ignore static ip/mac addresses. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* play kube add support for multiple networksPaul Holzinger2021-12-14
| | | | | | Allow the same --network options for play kube as for podman run/create. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* support advanced network configuration via cliPaul Holzinger2021-12-14
| | | | | | | | | | | | | | | | | | | | | | | | | | Rework the --network parse logic to support multiple networks with specific network configuration settings. --network can now be set multiple times. For bridge network mode the following options have been added: - **alias=name**: Add network-scoped alias for the container. - **ip=IPv4**: Specify a static ipv4 address for this container. - **ip=IPv6**: Specify a static ipv6 address for this container. - **mac=MAC**: Specify a static mac address address for this container. - **interface_name**: Specify a name for the created network interface inside the container. So now you can set --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99 for the default bridge network as well as for network names. This is better than using --ip because we can set the ip per network without any confusion which network the ip address should be assigned to. The --ip, --mac-address and --network-alias options are still supported but --ip or --mac-address can only be set when only one network is set. This limitation already existed previously. The ability to specify a custom network interface name is new Fixes #11534 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Add new networks format to spegecenPaul Holzinger2021-12-14
| | | | | | | | Add the new networks format to specgen. For api users cni_networks is still supported to make migration easier however the static ip and mac fields are removed. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* fix incorrect swagger doc for network dis/connectPaul Holzinger2021-12-14
| | | | | | | The swagger api docs used the extra Body struct as part of the request which is wrong. We just want the plain type. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* network connect allow ip, ipv6 and mac addressPaul Holzinger2021-12-14
| | | | | | | | | Network connect now supports setting a static ipv4, ipv6 and mac address for the container network. The options are added to the cli and api. Fixes #9883 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* network db: add new strucutre to container createPaul Holzinger2021-12-14
| | | | | | | | | | Make sure we create new containers in the db with the correct structure. Also remove some unneeded code for alias handling. We no longer need this functions. The specgen format has not been changed for now. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* remove unneeded return value from c.Networks()Paul Holzinger2021-12-14
| | | | | | We do not need to return a extra bool. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* network db rewrite: migrate existing settingsPaul Holzinger2021-12-14
| | | | | | | | | | | | | | The new network db structure stores everything in the networks bucket. Previously some network settings were not written the the network bucket and only stored in the container config. Instead of the old format which used the container ID as value in the networks buckets we now use the PerNetworkoptions struct there. To migrate existing users we use the state.GetNetworks() function. If it fails to read the new format it will automatically migrate the old config format to the new one. This is allows a flawless migration path. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #12588 from vrothberg/fix-12167OpenShift Merge Robot2021-12-14
|\ | | | | pprof flakes: bump timeout to 20 seconds
| * pprof flakes: bump timeout to 20 secondsValentin Rothberg2021-12-14
|/ | | | | | | | | | | | This is the third and hopefully the last attempt to address the flakes in the pprof tests. We first bumped the timeouts to 2 seconds, then to 5, and since I am running out of ideas let's bump it now to 20 seconds. Since the timeouts poll, the tests will terminate much earlier but 20 seconds should now really be enough even under highly loaded CI VMs. Fixes: #12167 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12571 from vrothberg/fix-12566Daniel J Walsh2021-12-13
|\ | | | | compat build: adhere to q/quiet
| * compat build: adhere to q/quietValentin Rothberg2021-12-13
| | | | | | | | | | Fixes: #12566 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #12581 from cevich/disable_gitlabOpenShift Merge Robot2021-12-13
|\ \ | |/ |/| [CI:DOCS] Cirrus: Temp. ignore gitlab task failures
| * Cirrus: Temp. ignore gitlab task failuresChris Evich2021-12-13
|/ | | | | | | | | Appears related to https://gitlab.com/gitlab-org/gitlab-runner/-/issues/28732 Log: https://cirrus-ci.com/task/5708221852680192?logs=setup#L433 Marking test to be ignored until I can figure out where/how to fix it. Signed-off-by: Chris Evich <cevich@redhat.com>
* Merge pull request #12573 from Luap99/fix-testOpenShift Merge Robot2021-12-10
|\ | | | | fix e2e test missing network cleanup
| * fix e2e test missing network cleanupPaul Holzinger2021-12-10
| | | | | | | | | | | | | | | | I noticed that this test will fail its flake rerun because the network was not removed and it tried to create a network with the same name. Also network disconnect works rootless now. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #12569 from vrothberg/fix-12167OpenShift Merge Robot2021-12-10
|\ \ | | | | | | pprof CI flakes: enforce 5 seconds grace period
| * | pprof CI flakes: enforce 5 seconds grace periodValentin Rothberg2021-12-10
| |/ | | | | | | | | | | | | | | | | This gives the service 5 seconds to digest the signal and 5 more seconds to shutdown. Create a new variable to make bumping the timeout easier in case we see re-flake in the future. Fixes: #12167 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #12564 from Darkness4/mainOpenShift Merge Robot2021-12-10
|\ \ | |/ |/| rootless: declare TEMP_FAILURE_RETRY before usage (Fixes: #12563)
| * [NO NEW TESTS NEEDED] rootless: declare TEMP_FAILURE_RETRY before usage ↵Marc Nguyen2021-12-10
|/ | | | | | (Fixes: #12563) Signed-off-by: Nguyen Marc <nguyen_marc@live.fr>
* Merge pull request #12555 from rhatdan/podDaniel J Walsh2021-12-09
|\ | | | | --hostname should be set with podman create --pod new:PODNAME
| * --hostname should be set when using --pod new:foobarDaniel J Walsh2021-12-09
| | | | | | | | | | | | | | | | | | | | | | | | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2030599 When you create pod, it shares the UTS namespace with Containers. Currently the --hostname is not passed to the pod created when you create a container and pod in the same command. Also fix error message on supported --share flags Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #12547 from cevich/cached_swaggerOpenShift Merge Robot2021-12-09
|\ \ | |/ |/| [CI:DOCS] Cirrus: Use cached swagger binary
| * Cirrus: Use cached swagger binaryChris Evich2021-12-09
| | | | | | | | | | | | | | | | | | | | | | | | An error was observed in another PR while downloading the swagger binary. The error was relating to the upstream egress quota. Obviously our downloading it every time for each CI run isn't helping. Fix this by moving the download into the image-build process, and simply re-use the already present binary here. Ref: https://github.com/containers/automation_images/pull/103 Signed-off-by: Chris Evich <cevich@redhat.com>
* | Merge pull request #12556 from edsantiago/rm_rm_podman_pause_imageOpenShift Merge Robot2021-12-09
|\ \ | | | | | | System tests: remove rm_pause_image()
| * | System tests: remove rm_pause_image()Ed Santiago2021-12-09
| | | | | | | | | | | | | | | | | | | | | | | | ...it's not needed: teardown() already does it. Or, it would, if it had been updated to deal with the new pause image naming convention, which I've just done. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | Merge pull request #12557 from vrothberg/fix-11825OpenShift Merge Robot2021-12-09
|\ \ \ | |/ / |/| | inotify: make sure to remove files
| * | inotify: make sure to remove filesValentin Rothberg2021-12-09
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Issue #11825 suggests that *rootless* Podman can run into situations where too many inotify fds are open. Indeed, rootless Podman has a slightly higher usage of inotify watchers than the root counterpart when using slirp4netns Make sure to not only close all watchers but to also remove the files from being watched. Otherwise, the fds only get closed when the files are removed. [NO NEW TESTS NEEDED] since we don't have a way to test it. Fixes: #11825 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #12545 from vrothberg/fix-12477OpenShift Merge Robot2021-12-09
|\ \ | | | | | | generate systemd: support entrypoint JSON strings
| * | generate systemd: support entrypoint JSON stringsValentin Rothberg2021-12-08
| | | | | | | | | | | | | | | | | | | | | Make sure to preserve the quoting of entrypoint JSON strings. Fixes: #12477 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #12541 from flouthoc/remote_blank_entrypointOpenShift Merge Robot2021-12-08
|\ \ \ | |_|/ |/| | specgen: honor empty args for entrypoint specified as `--entrypoint ""`
| * | specgen: honor empty args for entrypointAditya Rajan2021-12-08
| |/ | | | | | | | | | | | | | | | | | | | | Users should be able to override containers entrypoint using `--entrypoint ""` following works fine for podman but not for podman remote. Specgen ignores empty argument for entrypoint so make specgen honor empty arguments. Signed-off-by: Aditya Rajan <arajan@redhat.com>
* | Merge pull request #12529 from vrothberg/fix-12436OpenShift Merge Robot2021-12-08
|\ \ | | | | | | remove runlabel test for global opts
| * | remove runlabel test for global optsValentin Rothberg2021-12-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | GLOBAL_OPTS haven't been supported for at least two major versions of Podman. The runlabel code is extremely fragile and I think it should be rewritten before adding new features. Fixes: #12436 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #12543 from ↵OpenShift Merge Robot2021-12-08
|\ \ \ | |_|/ |/| | | | | | | | containers/dependabot/go_modules/github.com/uber/jaeger-client-go-2.30.0incompatible Bump github.com/uber/jaeger-client-go from 2.29.1+incompatible to 2.30.0+incompatible
| * | Bump github.com/uber/jaeger-client-godependabot[bot]2021-12-08
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github.com/uber/jaeger-client-go](https://github.com/uber/jaeger-client-go) from 2.29.1+incompatible to 2.30.0+incompatible. - [Release notes](https://github.com/uber/jaeger-client-go/releases) - [Changelog](https://github.com/jaegertracing/jaeger-client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/uber/jaeger-client-go/compare/v2.29.1...v2.30.0) --- updated-dependencies: - dependency-name: github.com/uber/jaeger-client-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* | Merge pull request #12538 from giuseppe/fix-12535OpenShift Merge Robot2021-12-08
|\ \ | | | | | | utils: reintroduce moveToCgroup
| * | utils: reintroduce moveToCgroupGiuseppe Scrivano2021-12-08
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit ee62711136339c5daf38e38859227d85b06fc32a introduced the regression. It was mistakenly removed as part of a cleanup, but this code is needed by another code path, where we move conmon for the exec session to the same cgroup used by conmon for the process. Closes: https://github.com/containers/podman/issues/12535 [NO NEW TESTS NEEDED] it fixes a regression in the CI Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #12531 from vrothberg/fix-11636OpenShift Merge Robot2021-12-07
|\ \ | | | | | | vendor c/image/v5@main
| * | vendor c/image/v5@mainValentin Rothberg2021-12-07
| |/ | | | | | | | | | | | | | | Mainly to pull in fixes for #11636 which handles credential helpers correctly. Fixes: #11636 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #12524 from Luap99/resolve-symlinkOpenShift Merge Robot2021-12-07
|\ \ | | | | | | rootless netns: resolve all path components for resolv.conf
| * | rootless netns: resolve all path components for resolv.confPaul Holzinger2021-12-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We need to follow all symlinks in the /etc/resolv.conf path. Currently we would only check the last file but it is possible that any directory before that is also a link. Unfortunately this code is very hard to maintain and not well tested. I will try to come up with a unit test when I have more time. I think we could utilize some for of chroot for this. For now we are stucked with the default setup in the fedora/ubunutu test VMs. [NO NEW TESTS NEEDED] Fixes #12461 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #12532 from lsm5/containers-common-rpm-version-coprOpenShift Merge Robot2021-12-07
|\ \ \ | |_|/ |/| | autocopr: distro conditionals for containers-common
| * | autocopr: distro conditionals for containers-commonLokesh Mandvekar2021-12-07
|/ / | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
* | Merge pull request #12498 from rhatdan/cgroupsOpenShift Merge Robot2021-12-07
|\ \ | | | | | | Update vendor or containers/common moving pkg/cgroups there
| * | Update vendor or containers/common moving pkg/cgroups thereDaniel J Walsh2021-12-07
| | | | | | | | | | | | | | | | | | | | | [NO NEW TESTS NEEDED] This is just moving pkg/cgroups out so existing tests should be fine. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #12528 from flouthoc/dont_modify_mount_permissionsOpenShift Merge Robot2021-12-07
|\ \ \ | |/ / |/| | volume: apply exact permission of target directory without adding extra `0111`
| * | volume: apply exact permission of target directory without adding extra 0111Aditya Rajan2021-12-07
| | | | | | | | | | | | | | | | | | | | | | | | While trying to match permissions of target directory podman adds extra `0111` which should not be needed if target path does not have execute permission. Signed-off-by: Aditya Rajan <arajan@redhat.com>