summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Merge pull request #10136 from zhangguanzhang/generate-kube-volumeOpenShift Merge Robot2021-04-27
|\ | | | | Fixes generate kube incorrect when bind-mounting "/" and "/root"
| * Fixes generate kube incorrect when bind-mounting "/" and "/root"zhangguanzhang2021-04-26
| | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | Merge pull request #9941 from Luap99/fix-9828OpenShift Merge Robot2021-04-27
|\ \ | | | | | | Fix rootlesskit port forwarder with custom slirp cidr
| * | Fix rootlesskit port forwarder with custom slirp cidrPaul Holzinger2021-04-23
| |/ | | | | | | | | | | | | | | | | | | | | | | | | The source ip for the rootlesskit port forwarder was hardcoded to the standard slirp4netns ip. This is incorrect since users can change the subnet used by slirp4netns with `--network slirp4netns:cidr=10.5.0.0/24`. The container interface ip is always the .100 in the subnet. Only when the rootlesskit port forwarder child ip matches the container interface ip the port forwarding will work. Fixes #9828 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #10144 from jmguzik/fix-prune-until-filter-imagesOpenShift Merge Robot2021-04-26
|\ \ | | | | | | Fix images prune filter until
| * | Fix images prune filter untilJakub Guzik2021-04-26
| | | | | | | | | | | | | | | | | | | | | This commits fixes until filter. It is now checking if the created timestamp is before until filter value as expected in the docs. Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | | libpod/image: unit tests: don't use system's registries.conf.dValentin Rothberg2021-04-26
|/ / | | | | | | | | | | This should make the unit tests pass on updated CI images. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #10081 from sjug/cdi_device_libOpenShift Merge Robot2021-04-26
|\ \ | | | | | | Add support for CDI device configuration
| * | Add support for CDI device configurationSebastian Jug2021-04-20
| | | | | | | | | | | | | | | | | | | | | | | | - Persist CDIDevices in container config - Add e2e test - Log HasDevice error and add additional condition for safety Signed-off-by: Sebastian Jug <seb@stianj.ug>
* | | runtime: create userns when CAP_SYS_ADMIN is not presentGiuseppe Scrivano2021-04-26
| |/ |/| | | | | | | | | | | | | | | when deciding to create a user namespace, check for CAP_SYS_ADMIN instead of looking at the euid. [NO TESTS NEEDED] Needs nested Podman Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Fixes from make codespellDaniel J Walsh2021-04-21
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #8979 from haircommander/full-attach-pathOpenShift Merge Robot2021-04-21
|\ \ | | | | | | Use full attach path, rather than a symlink
| * | runtime: bump required conmon versionPeter Hunt2021-04-16
| | | | | | | | | | | | | | | | | | 2.0.24 introduced the new behavior with --full-attach, allowing podman to no longer use the socketDir Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * | runtime: return findConmon to libpodPeter Hunt2021-04-16
| | | | | | | | | | | | | | | | | | | | | | | | I believe moving the conmon probing code to c/common wasn't the best strategy. Different container engines have different requrements of which conmon version is required (based on what flags they use). Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * | oci: drop ExecContainerCleanupPeter Hunt2021-04-16
| | | | | | | | | | | | | | | | | | without the socketsDir, we no longer need to worry about cleaning up after an exec. Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * | oci: use `--full-path` option for conmonPeter Hunt2021-04-16
| | | | | | | | | | | | | | | | | | and stop relying on socket path Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * | use AttachSocketPath when removing conmon filesPeter Hunt2021-04-16
| | | | | | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | rmi: don't break when the image is missing a manifestNalin Dahyabhai2021-04-20
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In libpod/image.Image.Remove(), if the attempt to find the image's parent fails for any reason, log a warning and proceed as though it didn't have one instead of failing, which would leave us unable to remove the image without resetting everything. In libpod/Runtime.RemoveImage(), if we can't determine if an image has children, log a warning, and assume that it doesn't have any instead of failing, which would leave us unable to remove the image without resetting everything. In pkg/domain/infra/abi.ImageEngine.Remove(), when attempting to remove all images, if we encounter an error checking if a given image has children, log a warning, and assume that it doesn't have any instead of failing, which would leave us unable to remove the image without resetting everything. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | Merge pull request #10041 from chenk008/add_pidfile_flagOpenShift Merge Robot2021-04-19
|\ \ | | | | | | Add flag "--pidfile" for podman create/run
| * | support pidfile on container restorechenkang2021-04-18
| | | | | | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
| * | fix start itchenkang2021-04-17
| | | | | | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
| * | set pidfile default value int containerconfigchenkang2021-04-17
| | | | | | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
| * | add pidfile in inspectionchenkang2021-04-17
| | | | | | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
| * | add flag "--pidfile" for podman create/runwuhua.ck2021-04-16
| | | | | | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
* | | Merge pull request #10056 from mheon/misc_cleanupOpenShift Merge Robot2021-04-19
|\ \ \ | |_|/ |/| | [NO TESTS NEEDED] Make an advanced layer diff function private
| * | Remove an advanced layer diff functionMatthew Heon2021-04-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Noticed this while I was poking around in the runtime doing DB work. The signature of this function makes me a bit uncomfortable (why should we let people apply arbitrary diffs to layers? Seems like a good way to break things...) and it's completely unused, so let's just remove it. [NO TESTS NEEDED] since this is a pure removal. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Fix possible panic in libpod/image/prune.goPaul Holzinger2021-04-16
| |/ |/| | | | | | | | | | | | | | | podman image prune paniced locally for me. The error handling was not done correctly and we could end up with a nil pointer dereference. [NO TESTS NEEDED] I have no idea how I could force an error in img.Size(). Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #9995 from rhatdan/debugOpenShift Merge Robot2021-04-14
|\ \ | | | | | | Fix message about runtime to show only the actual runtime
| * | Fix message about runtime to show only the actual runtimeDaniel J Walsh2021-04-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently the debug line shows every runtime up until it finds the correct one, confusing users on which runtime it is using. Also move missing OCI runtime from containers/conf down to Debug level and improved the debug message, to not report error. [NO TESTS NEEDED] Since this is just debug. Triggered by https://github.com/containers/podman/issues/4854 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Remove in-memory state implementationMatthew Heon2021-04-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We originally added this in the *very early* days of Podman, before a proper persistent state was written, so we had something to test with. It was retained after the original SQLite state (and current BoltDB state) were written so it could be used for testing Libpod in unit tests with no requirement for on-disk storage. Well, such unit tests never materialized, and if we were to write some now the requirement to have a temporary directory for storing data on disk is not that bad. I can basically guarantee there are no users of this in the wild because, even if you managed to figure out how to configure it when we don't document it, it's completely unusable with Podman since all your containers and pods will disappear every time Podman exits. Given all this, and since it's an ongoing maintenance burden I no longer wish to deal with, let's just remove it. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #10000 from rhatdan/cleanupOpenShift Merge Robot2021-04-13
|\ \ \ | |/ / |/| | Do not delete container twice
| * | Do not delete container twiceDaniel J Walsh2021-04-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 10 lines above we had // Set ContainerStateRemoving c.state.State = define.ContainerStateRemoving Which causes the state to not be the two checked states. Since the c.cleanup call already deleted the OCI state, this meant that we were calling cleanup, and hence the postHook hook twice. Fixes: https://github.com/containers/podman/issues/9983 [NO TESTS NEEDED] Since it would be difficult to tests this. Main tests should handle that the container is being deleted successfully. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | cgroup: do not set cgroup parent when rootless and cgroupfsGiuseppe Scrivano2021-04-12
|/ / | | | | | | | | | | | | | | | | do not set the cgroup parent when running as rootless with cgroupfs, even if cgroup v2 is used. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1947999 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #9935 from EduardoVega/5788-kube-volumeOpenShift Merge Robot2021-04-12
|\ \ | | | | | | Add support for play/generate kube PersistentVolumeClaims and Podman volumes
| * | Add support for play/generate kube volumesEduardo Vega2021-04-09
| | | | | | | | | | | | Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
* | | podman unshare: add --rootless-cni to join the nsPaul Holzinger2021-04-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a new --rootless-cni option to podman unshare to also join the rootless-cni network namespace. This is useful if you want to connect to a rootless container via IP address. This is only possible from the rootless-cni namespace and not from the host namespace. This option also helps to debug problems in the rootless-cni namespace. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | rootless cni add /usr/sbin to PATH if not presentPaul Holzinger2021-04-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | The CNI plugins need access to iptables in $PATH. On debian /usr/sbin is not added to $PATH for rootless users. This will break rootless cni completely. To prevent breaking existing users add /usr/sbin to $PATH in podman if needed. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #9754 from mheon/add_depOpenShift Merge Robot2021-04-06
|\ \ \ | |_|/ |/| | Add --requires flag to podman run/create
| * | Add --requires flag to podman run/createMatthew Heon2021-04-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman has, for a long time, had an internal concept of dependency management, used mainly to ensure that pod infra containers are started before any other container in the pod. We also have the ability to recursively start these dependencies, which we use to ensure that `podman start` on a container in a pod will not fail because the infra container is stopped. We have not, however, exposed these via the command line until now. Add a `--requires` flag to `podman run` and `podman create` to allow users to manually specify dependency containers. These containers must be running before the container will start. Also, make recursive starting with `podman start` default so we can start these containers and their dependencies easily. Fixes #9250 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #9942 from mheon/fix_9919OpenShift Merge Robot2021-04-06
|\ \ \ | |_|/ |/| | Ensure that `--userns=keep-id` sets user in config
| * | Ensure that `--userns=keep-id` sets user in configMatthew Heon2021-04-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | One of the side-effects of the `--userns=keep-id` command is switching the default user of the container to the UID of the user running Podman (though this can still be overridden by the `--user` flag). However, it did this by setting the UID and GID in the OCI spec, and not by informing Libpod of its intention to switch users via the `WithUser()` option. Because of this, a lot of the code that should have triggered when the container ran with a non-root user was not triggering. In the case of the issue that this fixed, the code to remove capabilities from non-root users was not triggering. Adjust the keep-id code to properly inform Libpod of our intention to use a non-root user to fix this. Also, fix an annoying race around short-running exec sessions where Podman would always print a warning that the exec session had already stopped. Fixes #9919 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #9911 from rhatdan/storageOpenShift Merge Robot2021-04-05
|\ \ \ | | | | | | | | Allow users to override default storage opts with --storage-opt
| * | | Allow users to override default storage opts with --storage-optDaniel J Walsh2021-04-05
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We define in the man page that this overrides the default storage options, but the code was appending to the existing options. This PR also makes a change to allow users to specify --storage-opt="". This will turn off all storage options. https://github.com/containers/podman/issues/9852 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / / Don't relabel volumes if running in a privileged containerDaniel J Walsh2021-04-05
|/ / | | | | | | | | | | | | | | | | Docker does not relabel this content, and openstack is running containers in this manner. There is a penalty for doing this on each container, that is not worth taking on a disable SELinux container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Use the slrip4netns dns in the rootless cni nsPaul Holzinger2021-04-01
| | | | | | | | | | | | | | | | If a user only has a local dns server in the resolv.conf file the dns resolution will fail. Instead we create a new resolv.conf which will use the slirp4netns dns. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Cleanup the rootless cni namespacePaul Holzinger2021-04-01
| | | | | | | | | | | | | | Delte the network namespace and kill the slirp4netns process when it is no longer needed. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Remove unused rootless-cni-infra container filesPaul Holzinger2021-04-01
| | | | | | | | Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Only use rootless RLK when the container has portsPaul Holzinger2021-04-01
| | | | | | | | | | | | | | Do not invoke the rootlesskit port forwarder when the container has no ports. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Enable rootless network connect/disconnectPaul Holzinger2021-04-01
| | | | | | | | | | | | | | With the new rootless cni supporting network connect/disconnect is easy. Combine common setps into extra functions to prevent code duplication. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Move slirp4netns functions into an extra filePaul Holzinger2021-04-01
| | | | | | | | | | | | This should make maintenance easier. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>