path: root/contrib
Commit message (Author, Age)
* Cirrus: Authorize rootless user self-ssh (Chris Evich, 2021-11-01)
|
|   Future testing needs dictate rootless (in addition to root) users are able to ssh to localhost. Add ssh-key generation commands for the rootless user, and authorize their public key.
|
|   Minor: Also remove update of `/etc/sub{uid,gid}` files, since this is now done automatically by `{user,group}add` commands.
|
|   Signed-off-by: Chris Evich <cevich@redhat.com>
* add kubernetes pause (Valentin Rothberg, 2021-10-26)
|
|   Add the k8s pause binary to `pause/pause.c` and do the plumbing in the Makefile to install it in $libexec/podman/pause/pause. It is intended to replace the k8s pause image and hence the need for network connectivity when creating pods.
|
|   [NO NEW TESTS NEEDED] since it will be tested in a following commit.
|
|   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* cirrus: containers: mount directory in /var/tmp to /tmp (Valentin Rothberg, 2021-10-26)
|
|   Mount a directory from /var/tmp to /tmp to make sure that /tmp is not on an overlay mount. This should make overlay mounts possible in the containerized tests which we're currently skipping.
|
|   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* systemd: compatible with rootless mode (Easton Man, 2021-10-20)
|
|     - change the type to forking to allow fork.
|     - add default.target for user systemd service
|
|   Signed-off-by: Easton Man <manyang.me@outlook.com>
* rootlessport: reduce memory usage of the process (Paul Holzinger, 2021-10-12)
|
|   Don't use reexec for the rootlessport process, instead make it a separate binary to reduce the memory usage. The problem with reexec is that it will import all packages that podman uses and therefore loads a lot of stuff into the heap. The rootlessport process however only needs the rootlesskit library.
|
|   The memory usage is a concern since the rootlessport process will spawn two processes per container which has ports forwarded. The processes stay until the container dies. On my laptop the current reexec version uses 47800 KB RSS. The new separate binary only uses 4540 KB RSS. This is more than a 90% improvement.
|
|   The Makefile has been updated to compile the new binary and install it to the libexec directory.
|
|   Fixes #10790
|
|   [NO TESTS NEEDED]
|
|   Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Unit files: Use actual installed path for podman (Ed Santiago, 2021-10-12)
|
|   Don't hardcode /usr/bin/podman in unit files: instead, use template files with a path replaced at install time.
|
|   Because 'make' can be invoked repeatedly, with different PREFIX, do not leave the generated files behind in our work directory: wipe them immediately after install.
|
|   To get this to work, fix a longstanding bug in podman.spec.in, a PREFIX that should've been DESTDIR.
|
|   Side note: #7023 made contrib/systemd/user a symlink to .../system but did not update paths in Makefile. The unrelated-looking path change you see here is a belated correction for that.
|
|   Fixes: #10787
|
|   Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #11855 from rhatdan/Dockerfile (OpenShift Merge Robot, 2021-10-06)
|\
| |   Add podman-plugins to upstream image
| * Add podman-plugins to upstream image (Matthew Mosesohn, 2021-10-04)
| |
| |   Fixes #11380
| |   Replaces https://github.com/containers/podman/pull/11385
| |
| |   Originally submitted by @mattymo
| |
| |   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | It really should be no **NEW** tests needed (Ed Santiago, 2021-10-04)
|/
|   Accept both "NO TESTS NEEDED" and "NO NEW TESTS NEEDED". That was a usability mistake I made on Day One. Fixed it in Buildah but oops never got around to fixing it here.
|
|   Also, fix the test suite script: remove a no-longer-working test case (changelog.txt, removed in #11467) and add a new test for commits that include the magic string.
|
|   Signed-off-by: Ed Santiago <santiago@redhat.com>
* Cirrus: Fix defunct package metadata breaking cache (Chris Evich, 2021-10-01)
|
|   Original workaround https://github.com/containers/podman/pull/11821
|
|   During VM image build, a number of packages are downloaded but not installed, since they may interfere with some testing. Then at runtime, where required, the packages are installed from cache and used. However, between image build and runtime it's possible the repository contents change, which will invalidate the package cache. Since the `--no-download --ignore-missing` options were used, the install will fail.
|
|   Ref: https://github.com/containers/automation_images/issues/95
|
|   Fortunately, when it comes to the docker packages, no other dependencies are required and so `apt-get` isn't required. Switch to using a simple dpkg install command on the necessary files. If this ever breaks due to new dependencies, the list of files may simply be updated.
|
|   Signed-off-by: Chris Evich <cevich@redhat.com>
* cirrus: gitlab: download packages (Valentin Rothberg, 2021-10-01)
|
|   It looks like the containerd.io package is not present anymore in the package cache which ultimately breaks CI since it's a requirement for docker. Hence, download the few packages instead of relying on the cache.
|
|   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #11759 from jedieaston/msi-fix (OpenShift Merge Robot, 2021-09-27)
|\
| |   Set MSI to be 64-bit only.
| * Set MSI to be 64-bit only. (Easton Pillay, 2021-09-27)
| |
| |   Hi there! I noticed that the MSI file built for Windows was building in 32-bit mode, even though Podman is 64-bit only. I added a flag to wixl in the Makefile to tell it to build a 64-bit MSI, and I adjusted the podman.wxs file to use the right settings for 64-bit programs.
| |
| |   Signed-off-by: GitHub <noreply@github.com>
* | Cirrus: Add gitlab podman runner test (Chris Evich, 2021-09-27)
|/
|   Add execution of the downstream gitlab-runner tests using rootless podman through the magic of socket-level docker compatibility. Include a comment suggesting how to temporarily disable the test in case it fails beyond podman code scope.
|
|   Signed-off-by: Chris Evich <cevich@redhat.com>
* [CI:DOCS] Add link to running ctrimage on enablesysadm (TomSweeneyRedHat, 2021-09-22)
|
|   Add a link to the podman images readme.md to Dan's recent post on Enable Sysadm about running containers inside of Podman
|
|   Fixes: https://github.com/containers/buildah/issues/3119
|
|   Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* Cross-build release-archives w/ arch in filename (Chris Evich, 2021-09-21)
|
|   Fixes #11417
|
|   Cross-building the podman-remote documentation requires a functional native architecture executable. However `make` only deals with files/timestamps, it doesn't understand if an existing binary will function on the system or not. This makes building cross-platform releases incredibly accident-prone and fragile.
|
|   A practical way to deal with this, is via multiple conditional (nested) `make` calls along with careful manipulation of `$GOOS` and `$GOARCH`. Also, when cross-building releases be kind to humans and cleanup any non-native binaries left behind.
|
|   Update the `Alt Arch. Cross` Cirrus-CI task to build release archives for all Linux architectures supported by golang and podman. Update the `OSX Cross` task to additionally build for the M1 (arm64) architecture.
|
|   Finally, update the release process documentation to reflect the new locations (Cirrus-CI task names) for the release archives. Include a note about additional manual work being required to produce the signed `.dmg` file for MacOS.
|
|   Signed-off-by: Chris Evich <cevich@redhat.com>
* Merge pull request #11322 from Luap99/network-libpod (OpenShift Merge Robot, 2021-09-15)
|\
| |   Wire network interface into libpod
| * CI: load ipv6 kernel modules for rootless tests (Paul Holzinger, 2021-09-15)
| |
| |   Rootless cni with ipv6 needs the `ip6_tables` module loaded, normally the cni plugins will load this module but as rootless it does not have the necessary permission to do so. Therefore we load it manually.
| |
| |   Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Set default storage from containers.conf for temporary images (Daniel J Walsh, 2021-09-15)
|/
|   Fixes: https://github.com/containers/podman/issues/11107
|
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Remove changelog.txt from the repository (jesperpedersen, 2021-09-07)
|
|   The changelog.txt file hasn't been kept in sync with release tags, especially on main, so remove it.
|
|   The release notes will be featured in RELEASE_NOTES.md.
|
|   Signed-off-by: jesperpedersen <jesper.pedersen@redhat.com>
|
|   [NO TESTS NEEDED]
* Cirrus: Confirm CGv1 / CGv2 VM expectations (Chris Evich, 2021-08-18)
|
|   Signed-off-by: Chris Evich <cevich@redhat.com>
* Fix AVC denials in tests of volume mounts (Chris Evich, 2021-08-18)
|
|   This becomes a problem on hosts with upgraded policies. Ref: https://github.com/containers/podman/issues/10522
|
|   Also, made a small change to compose-test setup to reduce runtime.
|
|   Signed-off-by: Chris Evich <cevich@redhat.com>
* Merge pull request #11169 from cevich/enable_docker_py_testing (openshift-ci[bot], 2021-08-16)
|\
| |   Enable docker-py compat. testing w/ ignored result
| * Enable docker-py compat. testing w/ ignored result (Chris Evich, 2021-08-09)
| |
| |   Significant bitrot results in almost immediate test failure. This commit adds only the very basic, bare-minimum needed to get them started.
| |
| |   ***TESTING RESULTS ARE IGNORED***
| |
| |   Signed-off-by: Chris Evich <cevich@redhat.com>
* | [CI:DOCS] Fix multi-arch image docs (Chris Evich, 2021-08-10)
|/
|   The automation workflow was altered in recent history to build images daily, even if the podman version didn't change. This is necessary so that any updates/security vulnerabilities in ancillary packages are incorporated quickly. However, documentation was never updated to reflect this change. This commit puts the two in sync.
|
|   Signed-off-by: Chris Evich <cevich@redhat.com>
* Fix handling of shadow-utils (Daniel J Walsh, 2021-07-24)
|
|   There seems to be a bug in rpm, where it fails silently if you specify
|
|   rpm --restore --quiet shadow-utils.
|
|   rpm --restore shadow-utils 2> /dev/null
|
|   Does the right thing.
|
|   [NO TESTS NEEDED] Might add tests from buildah, once we have them working correctly.
|
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Just restore protections of shadow-utils (Daniel J Walsh, 2021-07-19)
|
|   Rather than reinstalling shadow-utils to fix permissions, just restore the correct permissions.
|
|   [NO TESTS NEEDED] Since this does not affect Podman, just the prebuilt images on quay.io/podman.
|
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* systemd: require network*-online*.target (Valentin Rothberg, 2021-07-16)
|
|   Require the network to be online in all (generated) systemd units to make sure that containers and Podman run only after the network has been fully configured.
|
|   Fixes: #10655
|
|   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Randomize the auto-update of podman containers (rugk, 2021-07-15)
|
|   This makes sure, that the podman auto-update is not executed exactly at midnight for the same time always. If many things do the same and many services use this keyword and react at midnight, this can cause a lot of stress to a server. Thus, this adds a 900s/15min delay.
|
|   As [the arch wiki says](https://wiki.archlinux.org/title/Systemd/Timers#Realtime_timer):
|   > Special event expressions like daily and weekly refer to specific start times and thus any timers sharing such calendar events will start simultaneously. Timers sharing start events can cause poor system performance if the timers' services compete for system resources. The RandomizedDelaySec option in the [Timer] section avoids this problem by randomly staggering the start time of each timer. See systemd.timer(5).
|
|   Signed-off-by: rugk <rugk+git@posteo.de>
* Make rootless-cni setup more robust (Paul Holzinger, 2021-07-06)
|
|   The rootless cni namespace needs a valid /etc/resolv.conf file. On some distros it is a symlink to somewhere under /run. Because the kernel will follow the symlink before mounting, it is not possible to mount a file at exactly /etc/resolv.conf. We have to ensure that the link target will be available in the rootless cni mount ns.
|
|   Fixes #10855
|
|   Also fixed a bug in the /var/lib/cni directory lookup logic. It used `filepath.Base` instead of `filepath.Dir` and thus looping infinitely.
|
|   Fixes #10857
|
|   [NO TESTS NEEDED]
|
|   Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* update shell completion scripts (Paul Holzinger, 2021-07-02)
|
|   The new cobra v1.2.0 release brings a number of bug fixes for shell completion scripts. Regenerate the scripts with `make completions` to sync them with the upstream version, currently we have some custom ones to avoid some upstream bugs. Because the new cobra version has all fixes we should use the upstream scripts.
|
|   Add a check to CI to ensure we always use the up to date scripts.
|
|   [NO TESTS NEEDED]
|
|   Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Cirrus: Fixes due to master->main rename (Chris Evich, 2021-06-30)
|
|   Signed-off-by: Chris Evich <cevich@redhat.com>
* Makefile: remove install.cni (Lokesh Mandvekar, 2021-06-28)
|
|   We no longer need to install /etc/cni/net.d/87-podman-bridge.conflist so install.cni isn't needed either.
|
|   Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
* Add an entry for `/run/user-$UID/libpod` to tmpfiles (Matthew Heon, 2021-06-18)
|
|   The systemd-tmpfiles configuration is meant to preserve important paths in /tmp that are used by Podman against deletion by systemd. However, not all paths we previously used were included. Some older versions used the `/tmp/use-$UID/libpod` directory instead (when `/run/user/$UID` was unavailable). Add an entry for these old paths to ensure tmpfiles treats the directory correctly.
|
|   Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1960948
|
|   Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #10680 from bburky/dockerfile-volume-permissions (Daniel J Walsh, 2021-06-15)
|\
| |   Create user storage dir with correct permissions in Dockerfiles
| * Create user storage dir with correct permissions (Blake Burkhart, 2021-06-14)
| |
| |   Docker VOLUMEs will inherit permissions from an existing directory at the same path. If the path does not exist, the directory will be owned by root which makes this image unusable in rootless mode.
| |
| |   Signed-off-by: Blake Burkhart <blake.burkhart@us.af.mil>
* | Restart all containers with restart-policy=always on boot (Boaz Shuster, 2021-06-13)
|/
|     * Add podman-restart systemd unit file and add it to podman RPM package
|     * Fix podman start to filter all containers + unit test
|
|   Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
* Version bump: 3.3.0-dev (Lokesh Mandvekar, 2021-06-07)
|
|   Keep master branch version ahead of that on any other branch.
|
|   Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
* auto-update service: prune images (Valentin Rothberg, 2021-05-14)
|
|   Extend the systemd auto-update service to prune images after an update has run. As reported by a user [1], auto updates can over time cause the disk to run out of space.
|
|   With Edge being a target use case, we need to make sure that systems can run without much supervision, so let's make sure to run `podman image prune` to clean up dangling images.
|
|   [1] https://twitter.com/r_isc_y/status/1388981737011793921
|
|   Fixes: #10190
|
|   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* fix incorrect log driver in podman container image (Paul Holzinger, 2021-05-12)
|
|   Commit 7f2c27d43fc5 added an invalid value for the log_driver in the containers.conf file inside the podman image.
|
|   Fixes #10312
|
|   Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #10231 from rhatdan/cleanup (OpenShift Merge Robot, 2021-05-06)
|\
| |   codespell cleanup
| * codespell cleanup (Daniel J Walsh, 2021-05-05)
| |
| |   [NO TESTS NEEDED] This is just running codespell on podman
| |
| |   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #10227 from cevich/podman_image_docs (OpenShift Merge Robot, 2021-05-05)
|\ \
| |/
|/|
| |   [CI:DOCS] Minor podmanimage docs updates.
| * Minor podmanimage docs updates. (Chris Evich, 2021-05-05)
| |
| |   Discovered by review of https://github.com/containers/buildah/pull/3200
| |
| |   Signed-off-by: Chris Evich <cevich@redhat.com>
* | Force log_driver to k8s-file for containers in containers (Daniel J Walsh, 2021-05-04)
|/
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Don't require tests for github-actions & metadata (Chris Evich, 2021-04-30)
|
|   Signed-off-by: Chris Evich <cevich@redhat.com>
* Update container image docs + fix unstable execution (Chris Evich, 2021-04-29)
|
|   Update the order of image documentation to be from most to least stable. Similarly, avoid depending on execution of upstream podman, when building/pushing. It's easily possible for this build to function but execution to fail due to some partially implemented feature.
|
|   Also, ensure images tagged `latest` are pushed for every matrix item. For 'upstream' and 'testing', this replaces use of the 'master' tag.
|
|   Lastly, update workflow comments and split the 'podman' and 'containers' FQIN steps and outputs to improve readability.
|
|   Signed-off-by: Chris Evich <cevich@redhat.com>
* Cirrus: Update Ubuntu images to 21.04 (Chris Evich, 2021-04-27)
|
|   Also simplify `lib.sh` after supporting changes incorporated into automation library 2.x+ (present in all VM and container images).
|
|     * No need to force-load `/etc/profile` and handle its expectation to **not** being in `errexit` mode.
|     * Slightly re-arrange loading of automation library files for clarity.
|     * Update comments.
|
|   Signed-off-by: Chris Evich <cevich@redhat.com>
* Fixes from make codespell (Daniel J Walsh, 2021-04-21)
|
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix build with GO111MODULE=off (Lokesh Mandvekar, 2021-04-15)
|
|   Distro builds on Fedora and Kubic projects use GO111MODULE=off by default which are currently failing. This commit fixes it and going forward, podman CI will also indicate failures in rpm builds.
|
|   The additional LDFLAGS have been removed from the spec file which is not ideal. But, currently we only use the spec file to check if the rpm builds fine. We can fix the LDFLAGS in a later commit when we're working on packit integration.
|
|   conmon build has also been removed from podman.spec.in because the COPR for which it was provided has been discontinued.
|
|   [NO TESTS NEEDED]
|
|   Fixes: #10009
|
|   Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>