| Commit message (Collapse) | Author | Age |
|---|
| |\
| |
| | |
image prune: remove all candidates
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Make sure to remove images until there's nothing left to prune.
A single iteration may not be sufficient.
Fixes: #7872
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \
| |/
|/| |
Fix for incorrect evaluation of error condition within libpod.LabelVolumePath.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
A reading of LabelVolumePath suggests that the intended behavior
upon encountering ENOTSUP is to log the issue and continue without
error, while all other errors in the Relabeling operation should
be considered errors of LabelVolumePath and passed up accordingly.
This is not the behavior that is encountered, as this test shows:
it is instead considered an error if and only if the Relabeling
operation returns ENOTSUP, spitting out a somewhat incongruous
error message, while all other error types that may be returned
are logged without being propogated, with an even more incongruous
error message saying that the operation was not supported.
The comparison was changed to match the behavior documented by the
log messages, and a test was added that will simulate executing
this function on a path where the mounted filesystem does not
support SELinux labels, with the assertion that the function should
not return an error in order to highlight the condition these
changes seek to alleviate.
Signed-off-by: Peter <peter@psanders.me>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There is a risk here, that if the GID does not exists
within the User Namespace the container will fail to start.
This is only likely to happen in HPC Envioronments, and I think
we should add a field to disable it for this environment,
Added a FIXME for this issue.
We currently have this problem with running a rootfull container within
a user namespace, it will fail if the GID is not available.
I looked at potentially checking the usernamespace that you are assigned
to, but I believe this will be very difficult to code up and to figure out.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When looking up local images, take the unqualified-serach registries of
the registries.conf into account (on top of "localhost/").
Also extend the integration tests to prevent future regressions.
Fixes: #6381
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \
| | |
| | | |
rootless-cni-infra v3: fix cleaning up DNS entries
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
| |\ \ \
| | | |
| | | | |
Fix handling of remove of bogus volumes, networks and Pods
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
In podman containers rm and podman images rm, the commands
exit with error code 1 if the object does not exists.
This PR implements similar functionality to volumes, networks, and Pods.
Similarly if volumes or Networks are in use by other containers, and return
exit code 2.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \
| |/ /
|/| | |
healthchecks: return systemd-run error
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
In case `systemd-run` errors when creating transient unit files (and
timers), create an error based on the combined output from stdout and
stderr. Using the error from `exec.Command` contains the exit code
only which is not useful to debug (see #7484).
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \ \
| |/ /
|/| | |
Add support for slirp network for pods
|
| | | |
| | |
| | |
| | |
| | |
| | | |
flag --network=slirp4netns[options] for root and rootless pods
Signed-off-by: Ashley Cui <acui@redhat.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Currently the --pull missing|always|never is ignored
This PR implements this for local API. For remote we
need to default to pullpolicy specified in the containers.conf
file.
Also fixed an issue when images were matching other images names
based on prefix, causing images to always be pulled.
I had named an image myfedora and when ever I pulled fedora, the system
thought that it there were two images named fedora since it was checking
for the name fedora as well as the prefix fedora. I changed it to check
for fedora and the prefix /fedora, to prefent failures like I had.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
In the old code, there was a chance that we could return when
only one of STDIN or STDOUT had finished - this could lead to us
dropping either input to the container, or output from it, in the
case that one stream terminated early.
To resolve this, use separate channels to return STDOUT and STDIN
errors, and track which ones have returned cleanly to ensure that
we need bith in order to return from the HTTP attach function and
pass control back to the HTTP handler (which would assume we
exited cleanly and close the client's attach connection).
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |\ \ \
| | | |
| | | | |
Fix a bug where log-driver json-file was made no logs
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When we added the None log driver, it was accidentally added in
the middle of a set of Fallthrough stanzas which all should have
led to k8s-file, so that JSON file logging accidentally caused
no logging to be selected instead of k8s-file.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This is very useful for debugging cgroups v2, especially on
rootless - we need to ensure people are correctly using systemd
cgroups in these cases.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\ \ \
| | | |
| | | | |
rootless-cni-infra: fix flakiness during bringing up lo interface
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
| |\ \ \ \
| |/ / /
|/| | | |
Refactor version handling in cmd tree
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* Move from simple string to semver objects
* Change client API Version from '1' to 2.0.0
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
| |\ \ \ \
| |/ / /
|/| | | |
Preserve groups in exec sessions in ctrs with --user
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Podman wants to guarantee that exec sessions retain the groups of
the container they are started in, unless explicitly overridden
by the user. This guarantee was broken for containers where the
`--user` flag was specified; this patch resolves that.
Somewhere in the Exec rewrite for APIv2, I changed the location
where the container's User is passed into the exec session
(similar to groups, we also want to preserve user unless
overridden). The lower-level Exec APIs already handled setting
user and group appropriately if not specified when the exec
session was created, but I added duplicate code to handle this
higher in the stack - and that code only handled setting user,
not supplemental groups, breaking support in that specific case.
Two things conspired to make this one hard to track down: first,
things were only broken if the container explicitly set a user;
otherwise, the container user would still appear to be unset to
the lower-level code, which would properly set supplemental
groups (this tricked our existing test into passing). Also, the
`crun` OCI runtime will add the groups without prompting, which
further masked the problem there. I debated making `runc` do the
same, but in the end it's better to fix this in Podman - it's
better to be explicit about what we want done so we will work
with all OCI runtimes.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\ \ \ \
| | | | |
| | | | | |
handle the restartPolicy for play kube and generate kube
|
| | | | | |
| | | | |
| | | | |
| | | | | |
Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
|
| |/ / / /
| | | |
| | | |
| | | | |
Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
| | |/ /
|/| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Always return all associated names / repo tags of an image and fix a bug
with malformed repo tags.
Previously, Podman returned all names only with `--all` but this flag
only instructs to list intermediate images and should not alter
associated names. With `--all` Podman queried the repo tags of an image
which splits all *tagged* names into repository and tag which is then
reassembled to eventually be parsed again in the frontend. Lot's of
redundant CPU heat and buggy as the reassembly didn't consider digests
which ultimately broke parsing in the frontend.
Fixes: #7651
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \ \
| | | |
| | | | |
Fix podman pod create --infra-command and --infra-image
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Currently infr-command and --infra-image commands are ignored
from the user. This PR instruments them and adds tests for
each combination.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \ \
| |/ / /
|/| | | |
Fix "rootless-cni-infra + runc fails with ENODEV"
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
runc always expect "bind" to be present in opts even when the type is "bind".
Fix #7652
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
| |\ \ \ \
| |/ / /
|/| | | |
Supports import&run--signature-policy
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Enables podman create, pull, run, import to use --signature-policy option. Set it as hidden flag to be consistent with other commands.
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
| |/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The kernel will not allow you to modify existing mount flags on a volume
when bind mounting it to another place. Since /sys/fs/cgroup/systemd is
mounted noexec on the host, it needs to be mounted with the same flags
in the rootless container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |/ /
| |
| |
| |
| |
| |
| | |
Use the newly built image from quay.io. Also reference the image by
digest.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \
| |/
|/| |
Determine if resolv.conf points to systemd-resolved
|
| | |
| |
| |
| | |
Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
|
| |\ \
| | |
| | | |
system df: fix image-size calculations
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fix the image-size calculations of system-df, where the shared size is
the actual shared size with other images (including children) and the
(total) size is the sum of the shared and unique size [1].
To calculate parent/child relations, make use of the recently added
layer tree which allows for quick (and cached!) calculations.
Break calculating image disk usages into the image runtime to a) access
the layer tree, and b) make the code easier to maintain and extend.
[1] https://docs.docker.com/engine/reference/commandline/system_df/
Fixes: #7406
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \
| | |
| | | |
Fix up errors found by codespell
|
| | |/
| |
| |
| | |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \
| |/
|/| |
Add global options --runtime-flags
|
| | |
| |
| |
| |
| |
| | |
Add global options --runtime-flags for setting options to container runtime.
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
| |\ \
| | |
| | | |
Force Attach() to send a SIGWINCH and redraw
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Basically, we want to force the application in the container to
(iff the container was made with a terminal) redraw said terminal
immediately after an attach completes, so the fresh Attach
session will be able to see what's going on (e.g. will have a
shell prompt). Our current attach functions are unfortunately
geared more towards `podman run` than `podman attach` and will
start forwarding resize events *immediately* instead of waiting
until the attach session is alive (much safer for short-lived
`podman run` sessions, but broken for the `podman attach` case).
To avoid a major rewrite, let's just manually send a SIGWINCH
after attach succeeds to force a redraw.
Fixes #6253
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\ \ \
| | | |
| | | | |
play/generate: support shareProcessNamespace
|
