summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Merge pull request #7624 from QiWang19/policy-optionOpenShift Merge Robot2020-09-16
|\ | | | | Supports import&run--signature-policy
| * Supports import&run--signature-policyQi Wang2020-09-15
| | | | | | | | | | | | Enables podman create, pull, run, import to use --signature-policy option. Set it as hidden flag to be consistent with other commands. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Fix --systemd=always regressionDaniel J Walsh2020-09-15
|/ | | | | | | | | The kernel will not allow you to modify existing mount flags on a volume when bind mounting it to another place. Since /sys/fs/cgroup/systemd is mounted noexec on the host, it needs to be mounted with the same flags in the rootless container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless CNI: extract env and cmd from imageValentin Rothberg2020-09-15
| | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* libpod: rootless CNI image: use quayValentin Rothberg2020-09-15
| | | | | | | Use the newly built image from quay.io. Also reference the image by digest. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #7616 from EduardoVega/5845-support-for-systemd-resolvedOpenShift Merge Robot2020-09-14
|\ | | | | Determine if resolv.conf points to systemd-resolved
| * Determine if resolv.conf points to systemd-resolvedEduardo Vega2020-09-11
| | | | | | | | Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
* | Merge pull request #7604 from vrothberg/fix-7406OpenShift Merge Robot2020-09-11
|\ \ | | | | | | system df: fix image-size calculations
| * | system df: fix image-size calculationsValentin Rothberg2020-09-11
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix the image-size calculations of system-df, where the shared size is the actual shared size with other images (including children) and the (total) size is the sum of the shared and unique size [1]. To calculate parent/child relations, make use of the recently added layer tree which allows for quick (and cached!) calculations. Break calculating image disk usages into the image runtime to a) access the layer tree, and b) make the code easier to maintain and extend. [1] https://docs.docker.com/engine/reference/commandline/system_df/ Fixes: #7406 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #7600 from rhatdan/codespellOpenShift Merge Robot2020-09-11
|\ \ | | | | | | Fix up errors found by codespell
| * | Fix up errors found by codespellDaniel J Walsh2020-09-11
| |/ | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7403 from QiWang19/runtime-flagOpenShift Merge Robot2020-09-11
|\ \ | |/ |/| Add global options --runtime-flags
| * Add global options --runtime-flagsQi Wang2020-09-04
| | | | | | | | | | | | Add global options --runtime-flags for setting options to container runtime. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Merge pull request #7592 from mheon/force_attach_winchOpenShift Merge Robot2020-09-11
|\ \ | | | | | | Force Attach() to send a SIGWINCH and redraw
| * | Force Attach() to send a SIGWINCH and redrawMatthew Heon2020-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Basically, we want to force the application in the container to (iff the container was made with a terminal) redraw said terminal immediately after an attach completes, so the fresh Attach session will be able to see what's going on (e.g. will have a shell prompt). Our current attach functions are unfortunately geared more towards `podman run` than `podman attach` and will start forwarding resize events *immediately* instead of waiting until the attach session is alive (much safer for short-lived `podman run` sessions, but broken for the `podman attach` case). To avoid a major rewrite, let's just manually send a SIGWINCH after attach succeeds to force a redraw. Fixes #6253 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #7591 from haircommander/play-kube-process-namespaceOpenShift Merge Robot2020-09-11
|\ \ \ | | | | | | | | play/generate: support shareProcessNamespace
| * | | play/generate: support shareProcessNamespacePeter Hunt2020-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | this is an option that allows a user to specify whether to share PID namespace in the pod for play kube and generate kube associated test added Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | | Merge pull request #7587 from ParkerVR/kube-underscoresOpenShift Merge Robot2020-09-11
|\ \ \ \ | | | | | | | | | | Allowed underscores to remain in name for YAML (Kube generate)
| * | | | allowed underscores to remain in name for YAMLParker Van Roy2020-09-10
| | | | | | | | | | | | | | | | | | | | Signed-off-by: Parker Van Roy <pvanroy@redhat.com>
* | | | | Merge pull request #7541 from mheon/modify_groupOpenShift Merge Robot2020-09-10
|\ \ \ \ \ | |_|/ / / |/| | | | Make an entry in /etc/group when we modify /etc/passwd
| * | | | Make an entry in /etc/group when we modify /etc/passwdMatthew Heon2020-09-10
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To ensure that the user running in the container ahs a valid entry in /etc/passwd so lookup functions for the current user will not error, Podman previously began adding entries to the passwd file. We did not, however, add entries to the group file, and this created problems - our passwd entries included the group the user is in, but said group might not exist. The solution is to mirror our logic for /etc/passwd modifications to also edit /etc/group in the container. Unfortunately, this is not a catch-all solution. Our logic here is only advanced enough to *add* to the group file - so if the group already exists but we add a user not a part of it, we will not modify that existing entry, and things remain inconsistent. We can look into adding this later if we absolutely need to, but it would involve adding significant complexity to this already massively complicated function. While we're here, address an edge case where Podman could add a user or group whose UID overlapped with an existing user or group. Also, let's make users able to log into users we added. Instead of generating user entries with an 'x' in the password field, indicating they have an entry in /etc/shadow, generate a '*' indicating the user has no password but can be logged into by other means e.g. ssh key, su. Fixes #7503 Fixes #7389 Fixes #7499 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #7578 from giuseppe/join-userns-reuse-mappingsOpenShift Merge Robot2020-09-10
|\ \ \ \ | |_|/ / |/| | | libpod: read mappings when joining a container userns
| * | | libpod: read mappings when joining a container usernsGiuseppe Scrivano2020-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when joining an existing container user namespace, read the existing mappings so the storage can be created with the correct ownership. Closes: https://github.com/containers/podman/issues/7547 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* | | | Merge pull request #7460 from AkihiroSuda/allow-rootless-cniOpenShift Merge Robot2020-09-10
|\ \ \ \ | |/ / / |/| | | rootless: support `podman network create` (CNI-in-slirp4netns)
| * | | rootless: support `podman network create` (CNI-in-slirp4netns)Akihiro Suda2020-09-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Usage: ``` $ podman network create foo $ podman run -d --name web --hostname web --network foo nginx:alpine $ podman run --rm --network foo alpine wget -O - http://web.dns.podman Connecting to web.dns.podman (10.88.4.6:80) ... <h1>Welcome to nginx!</h1> ... ``` See contrib/rootless-cni-infra for the design. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* | | | Merge pull request #7290 from rhatdan/externalOpenShift Merge Robot2020-09-09
|\ \ \ \ | | | | | | | | | | Show c/storage (Buildah/CRI-O) containers in ps
| * | | | Show c/storage (Buildah/CRI-O) containers in psDaniel J Walsh2020-09-09
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The `podman ps --all` command will now show containers that are under the control of other c/storage container systems and the new `ps --storage` option will show only containers that are in c/storage but are not controlled by libpod. In the below examples, the '*working-container' entries were created by Buildah. ``` podman ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 9257ef8c786c docker.io/library/busybox:latest ls /etc 8 hours ago Exited (0) 8 hours ago gifted_jang d302c81856da docker.io/library/busybox:latest buildah 30 hours ago storage busybox-working-container 7a5a7b099d33 localhost/tom:latest ls -alF 30 hours ago Exited (0) 30 hours ago hopeful_hellman 01d601fca090 localhost/tom:latest ls -alf 30 hours ago Exited (1) 30 hours ago determined_panini ee58f429ff26 localhost/tom:latest buildah 33 hours ago storage alpine-working-container podman ps --external CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES d302c81856da docker.io/library/busybox:latest buildah 30 hours ago external busybox-working-container ee58f429ff26 localhost/tom:latest buildah 33 hours ago external alpine-working-container ``` Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / / / support multi-image (docker) archivesValentin Rothberg2020-09-08
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Support loading and saving tarballs with more than one image. Add a new `/libpod/images/export` endpoint to the rest API to allow for exporting/saving multiple images into an archive. Note that a non-release version of containers/image is vendored. A release version must be vendored before cutting a new Podman release. We force the containers/image version via a replace in the go.mod file; this way go won't try to match the versions. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | / make image parent check more robustValentin Rothberg2020-09-07
| |/ |/| | | | | | | | | | | | | Follow up on issue #7444 and make the parent checks more robust. We can end up with an incoherent storage when, for instance, a build has been killed. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | We should not be mounting /run as noexec when run with --systemdDaniel J Walsh2020-09-02
|/ | | | | | | The system defaults /run to "exec" mode, and we default --read-only mounts on /run to "exec", so --systemd should follow suit. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Ensure rootless containers without a passwd can startMatthew Heon2020-08-31
| | | | | | | | | | | | | | | | We want to modify /etc/passwd to add an entry for the user in question, but at the same time we don't want to require the container provide a /etc/passwd (a container with a single, statically linked binary and nothing else is perfectly fine and should be allowed, for example). We could create the passwd file if it does not exist, but if the container doesn't provide one, it's probably better not to make one at all. Gate changes to /etc/passwd behind a stat() of the file in the container returning cleanly. Fixes #7515 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #7469 from zhangguanzhang/generate-kube-with-ExtraHostsOpenShift Merge Robot2020-08-28
|\ | | | | fix podman generate kube with HostAliases
| * fix podman generate kube with HostAliaseszhangguanzhang2020-08-27
| | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | Merge pull request #7436 from rhatdan/variantOpenShift Merge Robot2020-08-28
|\ \ | | | | | | Add support for image pull overrides
| * | Add support for variant when pulling imagesDaniel J Walsh2020-08-28
| | | | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #7481 from Luap99/keep-confOpenShift Merge Robot2020-08-28
|\ \ \ | | | | | | | | Don't remove config files with podman system reset
| * | | Don't remove config files with podman system resetPaul Holzinger2020-08-28
| |/ / | | | | | | | | | | | | | | | | | | Check if storage.conf exists and display a message that this file should be removed if it has not been modified. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #7448 from baude/issue7444OpenShift Merge Robot2020-08-28
|\ \ \ | | | | | | | | fix panic when checking len on nil object
| * | | fix panic when checking len on nil objectBrent Baude2020-08-28
| |/ / | | | | | | | | | | | | | | | issue #7444 describes a problem where an image does not have a manifest file and cannot be processed by our library correctly. the origin of the panic is because we are checking the len of a nil object's attribute. this is a temporary fix to protect from the panic in the future. the origin of the problem is more interesting and requires more work when the code author returns from pto. Signed-off-by: Brent Baude <bbaude@redhat.com>
* / / Delete prior /dev/shm/*Lokesh Mandvekar2020-08-28
|/ / | | | | | | | | | | | | | | | | | | Currently, subsequent runs of `make localunit` fail and complain about prior existing /dev/shm/libpod_test and /dev/shm/test1. This commit deletes these files if existing already, prior to running the tests. Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
* | Fix up some error messagesMatthew Heon2020-08-27
| | | | | | | | | | | | | | | | | | We have a lot of 'cannot stat %s' errors in our codebase. These are terrible and confusing and utterly useless without context. Add some context to a few of them so we actually know what part of the code is failing. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #7451 from mheon/fix_7195Ed Santiago2020-08-27
|\ \ | |/ |/| Send HTTP Hijack headers after successful attach
| * Send HTTP Hijack headers after successful attachMatthew Heon2020-08-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Our previous flow was to perform a hijack before passing a connection into Libpod, and then Libpod would attach to the container's attach socket and begin forwarding traffic. A problem emerges: we write the attach header as soon as the attach complete. As soon as we write the header, the client assumes that all is ready, and sends a Start request. This Start may be processed *before* we successfully finish attaching, causing us to lose output. The solution is to handle hijacking inside Libpod. Unfortunately, this requires a downright extensive refactor of the Attach and HTTP Exec StartAndAttach code. I think the result is an improvement in some places (a lot more errors will be handled with a proper HTTP error code, before the hijack occurs) but other parts, like the relocation of printing container logs, are just *bad*. Still, we need this fixed now to get CI back into good shape... Fixes #7195 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #7409 from ↵OpenShift Merge Robot2020-08-26
|\ \ | | | | | | | | | | | | zhangguanzhang/apiv2-create-ctr-with-invalid-entrypoint fix apiv2 will create containers with incorrect commands
| * | fix apiv2 will create containers with incorrect commandszhangguanzhang2020-08-24
| | | | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | podman: add option --cgroup-confGiuseppe Scrivano2020-08-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | it allows to manually tweak the configuration for cgroup v2. we will expose some of the options in future as single options (e.g. the new memory knobs), but for now add the more generic --cgroup-conf mechanism for maximum control on the cgroup configuration. OCI specs change: https://github.com/opencontainers/runtime-spec/pull/1040 Requires: https://github.com/containers/crun/pull/459 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | vendor: update opencontainers/runtime-specGiuseppe Scrivano2020-08-21
|/ / | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / error when adding container to pod with network informationBrent Baude2020-08-21
|/ | | | | | | | | | | | because a pod's network information is dictated by the infra container at creation, a container cannot be created with network attributes. this has been difficult for users to understand. we now return an error when a container is being created inside a pod and passes any of the following attributes: * static IP (v4 and v6) * static mac * ports -p (i.e. -p 8080:80) * exposed ports (i.e. 222-225) * publish ports from image -P Signed-off-by: Brent Baude <bbaude@redhat.com>
* Merge pull request #7383 from mheon/unmount_storage_ctrsOpenShift Merge Robot2020-08-20
|\ | | | | Unmount c/storage containers before removing them
| * Unmount c/storage containers before removing themMatthew Heon2020-08-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When `podman rmi --force` is run, it will remove any containers that depend on the image. This includes Podman containers, but also any other c/storage users who may be using it. With Podman containers, we use the standard Podman removal function for containers, which handles all edge cases nicely, shutting down running containers, ensuring they're unmounted, etc. Unfortunately, no such convient function exists (or can exist) for all c/storage containers. Identifying the PID of a Buildah, CRI-O, or Podman container is extremely different, and those are just the implementations under the containers org. We can't reasonably be able to know if a c/storage container is *in use* and safe for removal if it's not a Podman container. At the very least, though, we can attempt to unmount a storage container before removing it. If it is in use, this will fail (probably with a not-particularly-helpful error message), but if it is not in use but not fully cleaned up, this should make our removing it much more robust than it normally is. Signed-off-by: Matthew Heon <matthew.heon@pm.me>