| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
| |
This is an incomplete fix, as it would be best for the libpod library to be in charge of coordinating the container's dependencies on the infra container. A TODO was left as such. UTS is a special case, because the docker library that namespace handling is based off of doesn't recognize a UTS based on another container as valid, despite the library being able to handle it correctly. Thus, it is left in the old way.
Signed-off-by: haircommander <pehunt@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1347
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We should be sharing cgroups namespace by default in pods
uts namespace sharing was broken in pods.
Create a new libpod/pkg/namespaces for handling of namespace fields
in containers
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1418
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
|
| |
change the tests to use chroot to set a numeric UID/GID.
Go syscall.Credential doesn't change the effective UID/GID of the
process.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1372
Approved by: mheon
|
| |
|
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1372
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
| |
move re-exec later on, so that we can check whether we need to join
the infra container user namespace or we need to create another one.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1372
Approved by: mheon
|
| |
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't print potentially verbose help messages in case of usage errors,
but print only the usage error followed by a pointer to the command's
help. This aligns with Docker.
```
$ podman run -h
flag needs an argument: -h
See 'podman run --help'.
```
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1379
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
| |
Move the `-h` short flag from `--help` to `--hostname` for podman-run,
podman-create and podman-pod-create to be compatible with Docker.
Fixes: #1367
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1373
Approved by: rhatdan
|
| |
|
|
|
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1352
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
| |
When in rootless mode it's not possible to load profiles or
check which profiles are loaded.
Added a few baseline tests to check all possible cases.
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Closes: #1250
Approved by: mheon
|
| |
|
|
|
|
|
|
|
| |
As well as small style corrections, update pod_top_test to use CreatePod, and move handling of adding a container to the pod's namespace from container_internal_linux to libpod/option.
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1187
Approved by: mheon
|
| |
|
|
|
|
|
|
|
| |
A pause container is added to the pod if the user opts in. The default pause image and command can be overridden. Pause containers are ignored in ps unless the -a option is present. Pod inspect and pod ps show shared namespaces and pause container. A pause container can't be removed with podman rm, and a pod can be removed if it only has a pause container.
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1187
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
| |
Need to get some small changes into libpod to pull back into buildah
to complete buildah transition.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1270
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
| |
The "unconfined" profile must be treated specially to turn off apparmor
confinement and to avoid applying any other profile.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1241
Approved by: mheon
|
| |
|
|
|
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1167
Approved by: baude
|
| |
|
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: rhatdan
|
| |
|
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: rhatdan
|
| |
|
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: rhatdan
|
| |
|
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
| |
Make this clear in the docs and Command.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1138
Approved by: mheon
|
| |
|
|
|
|
|
|
|
| |
Check at runtime if AppArmor is enabled on the host.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1128
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make users of libpod more secure by adding the libpod/apparmor package
to load a pre-defined AppArmor profile. Large chunks of libpod/apparmor
come from github.com/moby/moby.
Also check if a specified AppArmor profile is actually loaded and throw
an error if necessary.
The default profile is loaded only on Linux builds with the `apparmor`
buildtag enabled.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1063
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
| |
podman now supports --volumes-from flag, which allows users
to add all the volumes an existing container has to a new one.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #931
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When we run containers in detach mode, nothing cleans up the network stack or
the mount points. This patch will tell conmon to execute the cleanup code when
the container exits.
It can also be called to attempt to cleanup previously running containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #942
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
| |
Everytime we add a new option for create, we end up having to also
add it to run, this makes it error prone. Moving these to the same
function makes it easier to develop and prevents user mistakes.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #975
Approved by: mheon
|
| |
|
|
|
|
|
|
|
| |
so that the user has rw access to it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #871
Approved by: mheon
|
| |
|
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #871
Approved by: mheon
|
| |
|
|
|
|
|
|
|
| |
Have to specify all names.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #933
Approved by: baude
|
| |
|
|
|
|
|
|
|
|
| |
Also add annotations from the image the container was created
from.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #886
Approved by: rhatdan
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <mheon@redhat.com>
Closes: #862
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
| |
we cannot set additional ports on an existing container namespace, so we should
not allow --network=container with publish or publish-all.
Signed-off-by: baude <bbaude@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #853
Approved by: baude
|
| |
|
|
|
|
|
| |
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Closes: #831
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
| |
First pass at implement API endpoints for create and start.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #805
Approved by: baude
|
| |
|
|
|
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #690
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
| |
If the user does not provide a host port when adding -p to create/run, podman should inject an available random port.
podman run -p 80 .... podman should assign a random port to the host and expose the container port 80 to it
Signed-off-by: baude <bbaude@redhat.com>
Closes: #703
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
implement varlink image functions for working with libpod with the exception of a
couple due to incompletions on the libpod side of things (build).
also, created a first pass at a libpodpy package which will stand as a client to
working with libpod's varlink methods using python.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #669
Approved by: baude
|
| |
|
|
|
|
|
|
|
| |
Made necessary changes to functions to include contex.Context wherever needed
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #640
Approved by: baude
|
| |
|
|
|
|
|
|
|
|
|
| |
In the case where podman needs to pull an image, if that registry that the image
resides on is known to be insesure (as defined in /etc/containers/registries.conf),
tls-verify should be altered on the fly.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #626
Approved by: mheon
|
| |
|
|
|
|
|
| |
Signed-off-by: baude <bbaude@redhat.com>
Closes: #628
Approved by: baude
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the case where you have an image local, if the the user runs
podman pull, we should always attempt to pull an updated image.
Added a forceRemote bool to New (image) so we can differentiate
between "pull" or run because the actions differ. Run does not
need to pull the latest -- only run.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #618
Approved by: baude
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
--group-add
--blkio-weight-device
--device-read-bps
--device-write-bps
--device-read-iops
--device-write-iops
--group-add now supports group names as well as the gid associated with them.
All the --device flags work now with moderate changes to the code to support both
bps and iops.
Added tests for all the flags.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #590
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
| |
In our ezrly development, we always allocated a tty when not -d. Now we should only allocated when the user asks for it.
Resolves: #573
Signed-off-by: baude <bbaude@redhat.com>
Closes: #574
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
| |
Resolves: #572
Signed-off-by: baude <bbaude@redhat.com>
Closes: #585
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
| |
Adds support for mounting secrets especially on RHEL where the container
can use the host subsription to run yum
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #544
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
so that it is possible to use systemd to automatically restart the
container:
[Service]
Type=forking
PIDFile=/run/awesome-service.pid
ExecStart=/usr/bin/podman run --conmon-pidfile=/run/awesome-service.pid --name awesome -d IMAGE /usr/bin/do-something
ExecStopPost=/usr/bin/podman rm awesome
Restart=always
Closes: https://github.com/projectatomic/libpod/issues/534
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #549
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Both podman run and create have an option to write the container ID to a file. The option
is called cidfile. If the cidfile exists, we should not create or run a container but rather
output a sensical error message.
Resolves: #530
Signed-off-by: baude <bbaude@redhat.com>
Closes: #531
Approved by: rhatdan
|
| |
|
|
|
|
|
| |
Signed-off-by: baude <bbaude@redhat.com>
Closes: #525
Approved by: baude
|
| |
|
|
|
|
|
|
|
|
| |
Migrate the podman create and commit subcommandis to leverage the images library. I also had
to migrate the cmd/ portions of run and rmi.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #498
Approved by: mheon
|
| |
|
|
|
|
|
| |
Also removes sig-proxy from 'podman create', where is does not
make sense.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Having a default workdir is causing us not to use the
container images workdir.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #501
Approved by: mheon
|
