summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Revert Patch to relabel if selinux not enabledDaniel J Walsh2021-05-06
| | | | | | | | | | Revert : https://github.com/containers/podman/pull/9895 Turns out that if Docker is in --selinux-enabeled, it still relabels if the user tells the system to, even if running a --privileged container or if the selinux separation is disabled --security-opt label=disable. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9689 from boaz0/boaz-1OpenShift Merge Robot2021-05-06
|\ | | | | add restart-policy to container filters & --filter to podman start
| * Add restart-policy to container filters & --filter to podman startBoaz Shuster2021-05-06
| | | | | | | | Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
* | cgroup: fix rootless --cgroup-parent with podsGiuseppe Scrivano2021-05-06
|/ | | | | | | | | | extend to pods the existing check whether the cgroup is usable when running as rootless with cgroupfs. commit 17ce567c6827abdcd517699bc07e82ccf48f7619 introduced the regression. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* codespell cleanupDaniel J Walsh2021-05-05
| | | | | | [NO TESTS NEEDED] This is just running codespell on podman Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #10220 from giuseppe/rm-volatileOpenShift Merge Robot2021-05-05
|\ | | | | podman: set volatile storage flag for --rm containers
| * podman: set volatile storage flag for --rm containersGiuseppe Scrivano2021-05-05
| | | | | | | | | | | | | | | | | | | | | | | | | | volatile containers are a storage optimization that disables *sync() syscalls for the container rootfs. If a container is created with --rm, then automatically set the volatile storage flag as anyway the container won't persist after a reboot or machine crash. [NO TESTS NEEDED] Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | migrate Podman to containers/common/libimageValentin Rothberg2021-05-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Migrate the Podman code base over to `common/libimage` which replaces `libpod/image` and a lot of glue code entirely. Note that I tried to leave bread crumbs for changed tests. Miscellaneous changes: * Some errors yield different messages which required to alter some tests. * I fixed some pre-existing issues in the code. Others were marked as `//TODO`s to prevent the PR from exploding. * The `NamesHistory` of an image is returned as is from the storage. Previously, we did some filtering which I think is undesirable. Instead we should return the data as stored in the storage. * Touched handlers use the ABI interfaces where possible. * Local image resolution: previously Podman would match "foo" on "myfoo". This behaviour has been changed and Podman will now only match on repository boundaries such that "foo" would match "my/foo" but not "myfoo". I consider the old behaviour to be a bug, at the very least an exotic corner case. * Futhermore, "foo:none" does *not* resolve to a local image "foo" without tag anymore. It's a hill I am (almost) willing to die on. * `image prune` prints the IDs of pruned images. Previously, in some cases, the names were printed instead. The API clearly states ID, so we should stick to it. * Compat endpoint image removal with _force_ deletes the entire not only the specified tag. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #10177 from giuseppe/always-honor-cgroup-parentOpenShift Merge Robot2021-05-03
|\ \ | | | | | | cgroup: always honor --cgroup-parent
| * | cgroup: always honor --cgroup-parent with cgroupfsGiuseppe Scrivano2021-05-03
| |/ | | | | | | | | | | | | | | | | if --cgroup-parent is specified, always honor it without doing any detection whether cgroups are supported or not. Closes: https://github.com/containers/podman/issues/10173 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / Detect if in podman machine virtual vmBrent Baude2021-04-30
|/ | | | | | | | | | | | When in podman machine virtual machines, podman needs to be able to detect as such. One implementation for this is when creating networks, the podman-machine cni plugin needs to be added to the configuration. This PR also includes the latest containers-common. [NO TESTS NEEDED] Signed-off-by: Brent Baude <bbaude@redhat.com>
* Use seccomp_profile as default profile if defined in containers.confPablo Correa Gómez2021-04-28
| | | | | | | Edits `podman info` to provide the default seccomp profile detected in the output Signed-off-by: Pablo Correa Gómez <ablocorrea@hotmail.com>
* Merge pull request #10119 from rhatdan/timeoutOpenShift Merge Robot2021-04-27
|\ | | | | Add podman run --timeout option
| * Add podman run --timeout optionDaniel J Walsh2021-04-23
| | | | | | | | | | | | | | | | | | This option allows users to specify the maximum amount of time to run before conmon sends the kill signal to the container. Fixes: https://github.com/containers/podman/issues/6412 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #10136 from zhangguanzhang/generate-kube-volumeOpenShift Merge Robot2021-04-27
|\ \ | | | | | | Fixes generate kube incorrect when bind-mounting "/" and "/root"
| * | Fixes generate kube incorrect when bind-mounting "/" and "/root"zhangguanzhang2021-04-26
| |/ | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | Merge pull request #9941 from Luap99/fix-9828OpenShift Merge Robot2021-04-27
|\ \ | | | | | | Fix rootlesskit port forwarder with custom slirp cidr
| * | Fix rootlesskit port forwarder with custom slirp cidrPaul Holzinger2021-04-23
| |/ | | | | | | | | | | | | | | | | | | | | | | | | The source ip for the rootlesskit port forwarder was hardcoded to the standard slirp4netns ip. This is incorrect since users can change the subnet used by slirp4netns with `--network slirp4netns:cidr=10.5.0.0/24`. The container interface ip is always the .100 in the subnet. Only when the rootlesskit port forwarder child ip matches the container interface ip the port forwarding will work. Fixes #9828 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #10144 from jmguzik/fix-prune-until-filter-imagesOpenShift Merge Robot2021-04-26
|\ \ | | | | | | Fix images prune filter until
| * | Fix images prune filter untilJakub Guzik2021-04-26
| | | | | | | | | | | | | | | | | | | | | This commits fixes until filter. It is now checking if the created timestamp is before until filter value as expected in the docs. Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | | libpod/image: unit tests: don't use system's registries.conf.dValentin Rothberg2021-04-26
|/ / | | | | | | | | | | This should make the unit tests pass on updated CI images. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #10081 from sjug/cdi_device_libOpenShift Merge Robot2021-04-26
|\ \ | | | | | | Add support for CDI device configuration
| * | Add support for CDI device configurationSebastian Jug2021-04-20
| | | | | | | | | | | | | | | | | | | | | | | | - Persist CDIDevices in container config - Add e2e test - Log HasDevice error and add additional condition for safety Signed-off-by: Sebastian Jug <seb@stianj.ug>
* | | runtime: create userns when CAP_SYS_ADMIN is not presentGiuseppe Scrivano2021-04-26
| |/ |/| | | | | | | | | | | | | | | when deciding to create a user namespace, check for CAP_SYS_ADMIN instead of looking at the euid. [NO TESTS NEEDED] Needs nested Podman Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Fixes from make codespellDaniel J Walsh2021-04-21
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #8979 from haircommander/full-attach-pathOpenShift Merge Robot2021-04-21
|\ \ | | | | | | Use full attach path, rather than a symlink
| * | runtime: bump required conmon versionPeter Hunt2021-04-16
| | | | | | | | | | | | | | | | | | 2.0.24 introduced the new behavior with --full-attach, allowing podman to no longer use the socketDir Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * | runtime: return findConmon to libpodPeter Hunt2021-04-16
| | | | | | | | | | | | | | | | | | | | | | | | I believe moving the conmon probing code to c/common wasn't the best strategy. Different container engines have different requrements of which conmon version is required (based on what flags they use). Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * | oci: drop ExecContainerCleanupPeter Hunt2021-04-16
| | | | | | | | | | | | | | | | | | without the socketsDir, we no longer need to worry about cleaning up after an exec. Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * | oci: use `--full-path` option for conmonPeter Hunt2021-04-16
| | | | | | | | | | | | | | | | | | and stop relying on socket path Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * | use AttachSocketPath when removing conmon filesPeter Hunt2021-04-16
| | | | | | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | rmi: don't break when the image is missing a manifestNalin Dahyabhai2021-04-20
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In libpod/image.Image.Remove(), if the attempt to find the image's parent fails for any reason, log a warning and proceed as though it didn't have one instead of failing, which would leave us unable to remove the image without resetting everything. In libpod/Runtime.RemoveImage(), if we can't determine if an image has children, log a warning, and assume that it doesn't have any instead of failing, which would leave us unable to remove the image without resetting everything. In pkg/domain/infra/abi.ImageEngine.Remove(), when attempting to remove all images, if we encounter an error checking if a given image has children, log a warning, and assume that it doesn't have any instead of failing, which would leave us unable to remove the image without resetting everything. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | Merge pull request #10041 from chenk008/add_pidfile_flagOpenShift Merge Robot2021-04-19
|\ \ | | | | | | Add flag "--pidfile" for podman create/run
| * | support pidfile on container restorechenkang2021-04-18
| | | | | | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
| * | fix start itchenkang2021-04-17
| | | | | | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
| * | set pidfile default value int containerconfigchenkang2021-04-17
| | | | | | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
| * | add pidfile in inspectionchenkang2021-04-17
| | | | | | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
| * | add flag "--pidfile" for podman create/runwuhua.ck2021-04-16
| | | | | | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
* | | Merge pull request #10056 from mheon/misc_cleanupOpenShift Merge Robot2021-04-19
|\ \ \ | |_|/ |/| | [NO TESTS NEEDED] Make an advanced layer diff function private
| * | Remove an advanced layer diff functionMatthew Heon2021-04-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Noticed this while I was poking around in the runtime doing DB work. The signature of this function makes me a bit uncomfortable (why should we let people apply arbitrary diffs to layers? Seems like a good way to break things...) and it's completely unused, so let's just remove it. [NO TESTS NEEDED] since this is a pure removal. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Fix possible panic in libpod/image/prune.goPaul Holzinger2021-04-16
| |/ |/| | | | | | | | | | | | | | | podman image prune paniced locally for me. The error handling was not done correctly and we could end up with a nil pointer dereference. [NO TESTS NEEDED] I have no idea how I could force an error in img.Size(). Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #9995 from rhatdan/debugOpenShift Merge Robot2021-04-14
|\ \ | | | | | | Fix message about runtime to show only the actual runtime
| * | Fix message about runtime to show only the actual runtimeDaniel J Walsh2021-04-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently the debug line shows every runtime up until it finds the correct one, confusing users on which runtime it is using. Also move missing OCI runtime from containers/conf down to Debug level and improved the debug message, to not report error. [NO TESTS NEEDED] Since this is just debug. Triggered by https://github.com/containers/podman/issues/4854 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Remove in-memory state implementationMatthew Heon2021-04-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We originally added this in the *very early* days of Podman, before a proper persistent state was written, so we had something to test with. It was retained after the original SQLite state (and current BoltDB state) were written so it could be used for testing Libpod in unit tests with no requirement for on-disk storage. Well, such unit tests never materialized, and if we were to write some now the requirement to have a temporary directory for storing data on disk is not that bad. I can basically guarantee there are no users of this in the wild because, even if you managed to figure out how to configure it when we don't document it, it's completely unusable with Podman since all your containers and pods will disappear every time Podman exits. Given all this, and since it's an ongoing maintenance burden I no longer wish to deal with, let's just remove it. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #10000 from rhatdan/cleanupOpenShift Merge Robot2021-04-13
|\ \ \ | |/ / |/| | Do not delete container twice
| * | Do not delete container twiceDaniel J Walsh2021-04-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 10 lines above we had // Set ContainerStateRemoving c.state.State = define.ContainerStateRemoving Which causes the state to not be the two checked states. Since the c.cleanup call already deleted the OCI state, this meant that we were calling cleanup, and hence the postHook hook twice. Fixes: https://github.com/containers/podman/issues/9983 [NO TESTS NEEDED] Since it would be difficult to tests this. Main tests should handle that the container is being deleted successfully. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | cgroup: do not set cgroup parent when rootless and cgroupfsGiuseppe Scrivano2021-04-12
|/ / | | | | | | | | | | | | | | | | do not set the cgroup parent when running as rootless with cgroupfs, even if cgroup v2 is used. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1947999 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #9935 from EduardoVega/5788-kube-volumeOpenShift Merge Robot2021-04-12
|\ \ | | | | | | Add support for play/generate kube PersistentVolumeClaims and Podman volumes
| * | Add support for play/generate kube volumesEduardo Vega2021-04-09
| | | | | | | | | | | | Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
* | | podman unshare: add --rootless-cni to join the nsPaul Holzinger2021-04-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a new --rootless-cni option to podman unshare to also join the rootless-cni network namespace. This is useful if you want to connect to a rootless container via IP address. This is only possible from the rootless-cni namespace and not from the host namespace. This option also helps to debug problems in the rootless-cni namespace. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>