summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Merge pull request #7694 from mheon/fix_exec_supplemental_groupsOpenShift Merge Robot2020-09-19
|\ | | | | Preserve groups in exec sessions in ctrs with --user
| * Preserve groups in exec sessions in ctrs with --userMatthew Heon2020-09-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman wants to guarantee that exec sessions retain the groups of the container they are started in, unless explicitly overridden by the user. This guarantee was broken for containers where the `--user` flag was specified; this patch resolves that. Somewhere in the Exec rewrite for APIv2, I changed the location where the container's User is passed into the exec session (similar to groups, we also want to preserve user unless overridden). The lower-level Exec APIs already handled setting user and group appropriately if not specified when the exec session was created, but I added duplicate code to handle this higher in the stack - and that code only handled setting user, not supplemental groups, breaking support in that specific case. Two things conspired to make this one hard to track down: first, things were only broken if the container explicitly set a user; otherwise, the container user would still appear to be unset to the lower-level code, which would properly set supplemental groups (this tricked our existing test into passing). Also, the `crun` OCI runtime will add the groups without prompting, which further masked the problem there. I debated making `runc` do the same, but in the end it's better to fix this in Podman - it's better to be explicit about what we want done so we will work with all OCI runtimes. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #7671 from zhangguanzhang/play-kube-handle-restartPolicyOpenShift Merge Robot2020-09-18
|\ \ | | | | | | handle the restartPolicy for play kube and generate kube
| * | handle the play kube and generate kube for with restartPolicyzhangguanzhang2020-09-18
| | | | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | fix the .Path and .Args when use the infra-commandzhangguanzhang2020-09-18
|/ / | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | update github.com/docker/docker and relevant depsAkihiro Suda2020-09-18
| | | | | | | | Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* | image list: return all associated namesValentin Rothberg2020-09-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Always return all associated names / repo tags of an image and fix a bug with malformed repo tags. Previously, Podman returned all names only with `--all` but this flag only instructs to list intermediate images and should not alter associated names. With `--all` Podman queried the repo tags of an image which splits all *tagged* names into repository and tag which is then reassembled to eventually be parsed again in the frontend. Lot's of redundant CPU heat and buggy as the reassembly didn't consider digests which ultimately broke parsing in the frontend. Fixes: #7651 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #7621 from rhatdan/podsOpenShift Merge Robot2020-09-16
|\ \ | | | | | | Fix podman pod create --infra-command and --infra-image
| * | Fix podman pod create --infra-command and --infra-imageDaniel J Walsh2020-09-16
| | | | | | | | | | | | | | | | | | | | | | | | Currently infr-command and --infra-image commands are ignored from the user. This PR instruments them and adds tests for each combination. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #7653 from AkihiroSuda/fix-7652OpenShift Merge Robot2020-09-16
|\ \ \ | |/ / |/| | Fix "rootless-cni-infra + runc fails with ENODEV"
| * | Fix "rootless-cni-infra + runc fails with ENODEV"Akihiro Suda2020-09-16
| | | | | | | | | | | | | | | | | | | | | | | | runc always expect "bind" to be present in opts even when the type is "bind". Fix #7652 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* | | Merge pull request #7624 from QiWang19/policy-optionOpenShift Merge Robot2020-09-16
|\ \ \ | |/ / |/| | Supports import&run--signature-policy
| * | Supports import&run--signature-policyQi Wang2020-09-15
| | | | | | | | | | | | | | | | | | Enables podman create, pull, run, import to use --signature-policy option. Set it as hidden flag to be consistent with other commands. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | Fix --systemd=always regressionDaniel J Walsh2020-09-15
|/ / | | | | | | | | | | | | | | | | The kernel will not allow you to modify existing mount flags on a volume when bind mounting it to another place. Since /sys/fs/cgroup/systemd is mounted noexec on the host, it needs to be mounted with the same flags in the rootless container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | rootless CNI: extract env and cmd from imageValentin Rothberg2020-09-15
| | | | | | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | libpod: rootless CNI image: use quayValentin Rothberg2020-09-15
|/ | | | | | | Use the newly built image from quay.io. Also reference the image by digest. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #7616 from EduardoVega/5845-support-for-systemd-resolvedOpenShift Merge Robot2020-09-14
|\ | | | | Determine if resolv.conf points to systemd-resolved
| * Determine if resolv.conf points to systemd-resolvedEduardo Vega2020-09-11
| | | | | | | | Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
* | Merge pull request #7604 from vrothberg/fix-7406OpenShift Merge Robot2020-09-11
|\ \ | | | | | | system df: fix image-size calculations
| * | system df: fix image-size calculationsValentin Rothberg2020-09-11
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix the image-size calculations of system-df, where the shared size is the actual shared size with other images (including children) and the (total) size is the sum of the shared and unique size [1]. To calculate parent/child relations, make use of the recently added layer tree which allows for quick (and cached!) calculations. Break calculating image disk usages into the image runtime to a) access the layer tree, and b) make the code easier to maintain and extend. [1] https://docs.docker.com/engine/reference/commandline/system_df/ Fixes: #7406 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #7600 from rhatdan/codespellOpenShift Merge Robot2020-09-11
|\ \ | | | | | | Fix up errors found by codespell
| * | Fix up errors found by codespellDaniel J Walsh2020-09-11
| |/ | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7403 from QiWang19/runtime-flagOpenShift Merge Robot2020-09-11
|\ \ | |/ |/| Add global options --runtime-flags
| * Add global options --runtime-flagsQi Wang2020-09-04
| | | | | | | | | | | | Add global options --runtime-flags for setting options to container runtime. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Merge pull request #7592 from mheon/force_attach_winchOpenShift Merge Robot2020-09-11
|\ \ | | | | | | Force Attach() to send a SIGWINCH and redraw
| * | Force Attach() to send a SIGWINCH and redrawMatthew Heon2020-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Basically, we want to force the application in the container to (iff the container was made with a terminal) redraw said terminal immediately after an attach completes, so the fresh Attach session will be able to see what's going on (e.g. will have a shell prompt). Our current attach functions are unfortunately geared more towards `podman run` than `podman attach` and will start forwarding resize events *immediately* instead of waiting until the attach session is alive (much safer for short-lived `podman run` sessions, but broken for the `podman attach` case). To avoid a major rewrite, let's just manually send a SIGWINCH after attach succeeds to force a redraw. Fixes #6253 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #7591 from haircommander/play-kube-process-namespaceOpenShift Merge Robot2020-09-11
|\ \ \ | | | | | | | | play/generate: support shareProcessNamespace
| * | | play/generate: support shareProcessNamespacePeter Hunt2020-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | this is an option that allows a user to specify whether to share PID namespace in the pod for play kube and generate kube associated test added Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | | Merge pull request #7587 from ParkerVR/kube-underscoresOpenShift Merge Robot2020-09-11
|\ \ \ \ | | | | | | | | | | Allowed underscores to remain in name for YAML (Kube generate)
| * | | | allowed underscores to remain in name for YAMLParker Van Roy2020-09-10
| | | | | | | | | | | | | | | | | | | | Signed-off-by: Parker Van Roy <pvanroy@redhat.com>
* | | | | Merge pull request #7541 from mheon/modify_groupOpenShift Merge Robot2020-09-10
|\ \ \ \ \ | |_|/ / / |/| | | | Make an entry in /etc/group when we modify /etc/passwd
| * | | | Make an entry in /etc/group when we modify /etc/passwdMatthew Heon2020-09-10
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To ensure that the user running in the container ahs a valid entry in /etc/passwd so lookup functions for the current user will not error, Podman previously began adding entries to the passwd file. We did not, however, add entries to the group file, and this created problems - our passwd entries included the group the user is in, but said group might not exist. The solution is to mirror our logic for /etc/passwd modifications to also edit /etc/group in the container. Unfortunately, this is not a catch-all solution. Our logic here is only advanced enough to *add* to the group file - so if the group already exists but we add a user not a part of it, we will not modify that existing entry, and things remain inconsistent. We can look into adding this later if we absolutely need to, but it would involve adding significant complexity to this already massively complicated function. While we're here, address an edge case where Podman could add a user or group whose UID overlapped with an existing user or group. Also, let's make users able to log into users we added. Instead of generating user entries with an 'x' in the password field, indicating they have an entry in /etc/shadow, generate a '*' indicating the user has no password but can be logged into by other means e.g. ssh key, su. Fixes #7503 Fixes #7389 Fixes #7499 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #7578 from giuseppe/join-userns-reuse-mappingsOpenShift Merge Robot2020-09-10
|\ \ \ \ | |_|/ / |/| | | libpod: read mappings when joining a container userns
| * | | libpod: read mappings when joining a container usernsGiuseppe Scrivano2020-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when joining an existing container user namespace, read the existing mappings so the storage can be created with the correct ownership. Closes: https://github.com/containers/podman/issues/7547 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* | | | Merge pull request #7460 from AkihiroSuda/allow-rootless-cniOpenShift Merge Robot2020-09-10
|\ \ \ \ | |/ / / |/| | | rootless: support `podman network create` (CNI-in-slirp4netns)
| * | | rootless: support `podman network create` (CNI-in-slirp4netns)Akihiro Suda2020-09-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Usage: ``` $ podman network create foo $ podman run -d --name web --hostname web --network foo nginx:alpine $ podman run --rm --network foo alpine wget -O - http://web.dns.podman Connecting to web.dns.podman (10.88.4.6:80) ... <h1>Welcome to nginx!</h1> ... ``` See contrib/rootless-cni-infra for the design. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* | | | Merge pull request #7290 from rhatdan/externalOpenShift Merge Robot2020-09-09
|\ \ \ \ | | | | | | | | | | Show c/storage (Buildah/CRI-O) containers in ps
| * | | | Show c/storage (Buildah/CRI-O) containers in psDaniel J Walsh2020-09-09
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The `podman ps --all` command will now show containers that are under the control of other c/storage container systems and the new `ps --storage` option will show only containers that are in c/storage but are not controlled by libpod. In the below examples, the '*working-container' entries were created by Buildah. ``` podman ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 9257ef8c786c docker.io/library/busybox:latest ls /etc 8 hours ago Exited (0) 8 hours ago gifted_jang d302c81856da docker.io/library/busybox:latest buildah 30 hours ago storage busybox-working-container 7a5a7b099d33 localhost/tom:latest ls -alF 30 hours ago Exited (0) 30 hours ago hopeful_hellman 01d601fca090 localhost/tom:latest ls -alf 30 hours ago Exited (1) 30 hours ago determined_panini ee58f429ff26 localhost/tom:latest buildah 33 hours ago storage alpine-working-container podman ps --external CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES d302c81856da docker.io/library/busybox:latest buildah 30 hours ago external busybox-working-container ee58f429ff26 localhost/tom:latest buildah 33 hours ago external alpine-working-container ``` Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / / / support multi-image (docker) archivesValentin Rothberg2020-09-08
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Support loading and saving tarballs with more than one image. Add a new `/libpod/images/export` endpoint to the rest API to allow for exporting/saving multiple images into an archive. Note that a non-release version of containers/image is vendored. A release version must be vendored before cutting a new Podman release. We force the containers/image version via a replace in the go.mod file; this way go won't try to match the versions. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | / make image parent check more robustValentin Rothberg2020-09-07
| |/ |/| | | | | | | | | | | | | Follow up on issue #7444 and make the parent checks more robust. We can end up with an incoherent storage when, for instance, a build has been killed. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | We should not be mounting /run as noexec when run with --systemdDaniel J Walsh2020-09-02
|/ | | | | | | The system defaults /run to "exec" mode, and we default --read-only mounts on /run to "exec", so --systemd should follow suit. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Ensure rootless containers without a passwd can startMatthew Heon2020-08-31
| | | | | | | | | | | | | | | | We want to modify /etc/passwd to add an entry for the user in question, but at the same time we don't want to require the container provide a /etc/passwd (a container with a single, statically linked binary and nothing else is perfectly fine and should be allowed, for example). We could create the passwd file if it does not exist, but if the container doesn't provide one, it's probably better not to make one at all. Gate changes to /etc/passwd behind a stat() of the file in the container returning cleanly. Fixes #7515 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #7469 from zhangguanzhang/generate-kube-with-ExtraHostsOpenShift Merge Robot2020-08-28
|\ | | | | fix podman generate kube with HostAliases
| * fix podman generate kube with HostAliaseszhangguanzhang2020-08-27
| | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | Merge pull request #7436 from rhatdan/variantOpenShift Merge Robot2020-08-28
|\ \ | | | | | | Add support for image pull overrides
| * | Add support for variant when pulling imagesDaniel J Walsh2020-08-28
| | | | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #7481 from Luap99/keep-confOpenShift Merge Robot2020-08-28
|\ \ \ | | | | | | | | Don't remove config files with podman system reset
| * | | Don't remove config files with podman system resetPaul Holzinger2020-08-28
| |/ / | | | | | | | | | | | | | | | | | | Check if storage.conf exists and display a message that this file should be removed if it has not been modified. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #7448 from baude/issue7444OpenShift Merge Robot2020-08-28
|\ \ \ | | | | | | | | fix panic when checking len on nil object
| * | | fix panic when checking len on nil objectBrent Baude2020-08-28
| |/ / | | | | | | | | | | | | | | | issue #7444 describes a problem where an image does not have a manifest file and cannot be processed by our library correctly. the origin of the panic is because we are checking the len of a nil object's attribute. this is a temporary fix to protect from the panic in the future. the origin of the problem is more interesting and requires more work when the code author returns from pto. Signed-off-by: Brent Baude <bbaude@redhat.com>