| Commit message (Collapse) | Author | Age |
|\
| |
| | |
Support volume bind mounts for rootless containers
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fix handling of "bind" and "tmpfs" olumes to actually work.
Allow bind, tmpfs local volumes to work in rootless mode.
Also removed the string "error" from all error messages that begine with it.
All Podman commands are printed with Error:, so this causes an ugly
stutter.
Fixes: https://github.com/containers/podman/issues/12013
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| |/
|/| |
Pod Security Option support and Infra Inheritance changes
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Added support for pod security options. These are applied to infra and passed down to the
containers as added (unless overridden).
Modified the inheritance process from infra, creating a new function Inherit() which reads the config, and marshals the compatible options into an intermediate struct `InfraInherit`
This is then unmarshaled into a container config and all of this is added to the CtrCreateOptions. Removes the need (mostly) for special additons which complicate the Container_create
code and pod creation.
resolves #12173
Signed-off-by: cdoern <cdoern@redhat.com>
|
|\ \
| | |
| | | |
.service file removal on failure
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Prodding bz #2024229 a little more, it turns out the service file is NOT
deleted when it is in a failed state (i.e the healtch check has failed
for some reason). The state must be reset before the service is stopped
on container removal and then the files will be removed properly.
BZ#:2024229
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
|/
|
|
| |
Signed-off-by: ye.sijun <junnplus@gmail.com>
|
|\
| |
| | |
Allow users to add host user accounts to /etc/passwd
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Some containers require certain user account(s) to exist within the
container when they are run. This option will allow callers to add a
bunch of passwd entries from the host to the container even if the
entries are not in the local /etc/passwd file on the host.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1935831
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/
|
|
|
|
|
|
|
|
| |
Do not apply reserved annotations from the image to the container.
Reserved annotations are applied during container creation to retrieve
certain information (e.g., custom seccomp profile or autoremoval)
once a container has been created.
Context: #12671
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\
| |
| | |
Warn on use of --kernel-memory
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It has been deprecated and is no longer supported. Fully remove it and
only print a warning if a user uses it.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2011695
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When Podman is running a container in private IPC mode (default), it
creates a bind mount for /dev/shm that is then attached to a tmpfs
folder on the host file system. However, checkpointing a container has
the side-effect of stopping that container and unmount the tmpfs used
for /dev/shm. As a result, after checkpoint all files stored in the
container's /dev/shm would be lost and the container might fail to
restore from checkpoint.
To address this problem, this patch creates a tar file with the
content of /dev/shm that is included in the container checkpoint and
used to restore the container.
Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This ensures that existing containers will still manage
`/etc/passwd` by default, as they have been doing until now. New
containers that explicitly set `false` will still have passwd
management disabled, but otherwise the code will run.
[NO NEW TESTS NEEDED] This will only be caught on upgrade and I
don't really know how to write update tests - and Ed is on PTO.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|\ \
| |/
|/| |
Use hosts public ip address in rootless containers
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add first non localhost ipv4 of all host interfaces as destination
for host.contaners.internal for rootless containers.
Fixes: https://github.com/containers/podman/issues/12000
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
support hosts without /etc/hosts
|
| |/
| |
| |
| |
| | |
Fixes: #12667
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \
| |/
|/| |
Podman run --passwd
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
added support for a new flag --passwd which, when false prohibits podman from creating entries in
/etc/passwd and /etc/groups allowing users to modify those files in the container entrypoint
resolves #11805
Signed-off-by: cdoern <cdoern@redhat.com>
|
|\ \
| |/
|/| |
fix(generate): fix up podman generate kube missing env field bug
|
| |
| |
| |
| |
| |
| |
| |
| | |
the logic is: if the process env vars key exists in podman default or in image defined, and the value is equal, skip the env var key.
the typo make it compare to itself -_-
so, here comes the simple fixup.
Signed-off-by: 荒野無燈 <ttys3.rust@gmail.com>
|
|\ \
| |/
|/| |
image rm: allow for force-remove infra images
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Force removal of images will also remove associated containers.
Historically, infra containers have been excluded resulting in
rather annoying errors, for instance, when running `rmi -af`.
Since there is not reasons to exclude infra containers, allow for
removing the entire pod when an infra image is force removed.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \
| | |
| | | |
Add more checkpoint/restore information to 'inspect'
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds the following information to the output of 'podman inspect':
* CheckpointedAt - time the container was checkpointed
Only set if the container has been checkpointed
* RestoredAt - time the container was restored
Only set if the container has been restored
* CheckpointLog - path to the checkpoint log file (CRIU's dump.log)
Only set if the log file exists (--keep)
* RestoreLog - path to the restore log file (CRIU's restore.log)
Only set if the log file exists (--keep)
* CheckpointPath - path to the actual (CRIU) checkpoint files
Only set if the checkpoint files exists (--keep)
* Restored - set to true if the container has been restored
Only set if the container has been restored
Signed-off-by: Adrian Reber <areber@redhat.com>
|
|/
|
|
|
|
|
|
|
|
| |
when a container with healthchecks exits due to stopping or failure, we
need the cleanup process to remove both the timer file and the service
file.
Bz#:2024229
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
|
|
|
|
|
|
|
| |
It is important that we store the current networks from the db in the
config. Also make sure to properly handle aliases and ignore static ip/mac
addresses.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|
|
|
|
|
|
|
| |
Add the new networks format to specgen. For api users cni_networks is
still supported to make migration easier however the static ip and mac
fields are removed.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Network connect now supports setting a static ipv4, ipv6 and mac address
for the container network. The options are added to the cli and api.
Fixes #9883
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Make sure we create new containers in the db with the correct structure.
Also remove some unneeded code for alias handling. We no longer need this
functions.
The specgen format has not been changed for now.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|
|
|
|
|
| |
We do not need to return a extra bool.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new network db structure stores everything in the networks bucket.
Previously some network settings were not written the the network bucket
and only stored in the container config.
Instead of the old format which used the container ID as value in the
networks buckets we now use the PerNetworkoptions struct there.
To migrate existing users we use the state.GetNetworks() function. If it
fails to read the new format it will automatically migrate the old
config format to the new one. This is allows a flawless migration path.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Issue #11825 suggests that *rootless* Podman can run into situations
where too many inotify fds are open. Indeed, rootless Podman has a
slightly higher usage of inotify watchers than the root counterpart
when using slirp4netns
Make sure to not only close all watchers but to also remove the files
from being watched. Otherwise, the fds only get closed
when the files are removed.
[NO NEW TESTS NEEDED] since we don't have a way to test it.
Fixes: #11825
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\
| |
| | |
rootless netns: resolve all path components for resolv.conf
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We need to follow all symlinks in the /etc/resolv.conf path. Currently
we would only check the last file but it is possible that any directory
before that is also a link.
Unfortunately this code is very hard to maintain and not well tested. I
will try to come up with a unit test when I have more time. I think we
could utilize some for of chroot for this. For now we are stucked with
the default setup in the fedora/ubunutu test VMs.
[NO NEW TESTS NEEDED]
Fixes #12461
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|\ \
| | |
| | | |
Update vendor or containers/common moving pkg/cgroups there
|
| |/
| |
| |
| |
| |
| |
| | |
[NO NEW TESTS NEEDED] This is just moving pkg/cgroups out so
existing tests should be fine.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/
|
|
|
|
|
|
| |
While trying to match permissions of target directory podman adds
extra `0111` which should not be needed if target path does not have
execute permission.
Signed-off-by: Aditya Rajan <arajan@redhat.com>
|
|\
| |
| | |
Don't use a global RNG, and avoid conflicts, when generating NodePorts
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
... at least within a single service.
[NO NEW TESTS NEEDED]
because testing RNGs is problematic. (We _could_
probably inject a mock RNG implementation that always
returns the same value, or something like that.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Add an error return to it and affected callers.
Should not affect behavior, the function can't currently fail.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Use a private RNG with the desired seed, don't interfere
with the other uses.
Introducing the servicePortState type is rather overkill
for the single member, but we'll add another one immediately.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
|\ \
| | |
| | | |
Fix possible rootless netns cleanup race
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
rootlessNetNS.Cleanup() has an issue with how it detects if cleanup
is needed, reading the container state is not good ebough because
containers are first stopped and than cleanup will be called. So at one
time two containers could wait for cleanup but the second one will fail
because the first one triggered already the cleanup thus making rootless
netns unavailable for the second container resulting in an teardown
error. Instead of checking the container state we need to check the
netns state.
Secondly, podman unshare --rootless-netns should not do the cleanup.
This causes more issues than it is worth fixing. Users also might want
to use this to setup the namespace in a special way. If unshare also
cleans this up right away we cannot do this.
[NO NEW TESTS NEEDED]
Fixes #12459
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
|\ \
| | |
| | | |
container, cgroup: detect pid termination
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If the /proc/$PID/cgroup file doesn't exist, then it is likely the
container was terminated in the meanwhile so report ErrCtrStopped that
is already handled instead of ENOENT.
commit a66f40b4df039e94572fa38c070207a435cfa466 introduced the regression.
Closes: https://github.com/containers/podman/issues/12457
[NO NEW TESTS NEEDED] it solves a race in the CI that is difficult to reproduce.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|/
|
|
|
|
|
| |
The arguments of ps(1) should be shlexed.
Fixes: #12452
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\
| |
| | |
checkpoint do not modify XDG_RUNTIME_DIR
|