| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
| |
Revert : https://github.com/containers/podman/pull/9895
Turns out that if Docker is in --selinux-enabeled, it still relabels if
the user tells the system to, even if running a --privileged container
or if the selinux separation is disabled --security-opt label=disable.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\
| |
| | |
add restart-policy to container filters & --filter to podman start
|
| |
| |
| |
| | |
Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
|
|/
|
|
|
|
|
|
|
|
| |
extend to pods the existing check whether the cgroup is usable when
running as rootless with cgroupfs.
commit 17ce567c6827abdcd517699bc07e82ccf48f7619 introduced the
regression.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
| |
[NO TESTS NEEDED] This is just running codespell on podman
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\
| |
| | |
podman: set volatile storage flag for --rm containers
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
volatile containers are a storage optimization that disables *sync()
syscalls for the container rootfs.
If a container is created with --rm, then automatically set the
volatile storage flag as anyway the container won't persist after a
reboot or machine crash.
[NO TESTS NEEDED]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Migrate the Podman code base over to `common/libimage` which replaces
`libpod/image` and a lot of glue code entirely.
Note that I tried to leave bread crumbs for changed tests.
Miscellaneous changes:
* Some errors yield different messages which required to alter some
tests.
* I fixed some pre-existing issues in the code. Others were marked as
`//TODO`s to prevent the PR from exploding.
* The `NamesHistory` of an image is returned as is from the storage.
Previously, we did some filtering which I think is undesirable.
Instead we should return the data as stored in the storage.
* Touched handlers use the ABI interfaces where possible.
* Local image resolution: previously Podman would match "foo" on
"myfoo". This behaviour has been changed and Podman will now
only match on repository boundaries such that "foo" would match
"my/foo" but not "myfoo". I consider the old behaviour to be a
bug, at the very least an exotic corner case.
* Futhermore, "foo:none" does *not* resolve to a local image "foo"
without tag anymore. It's a hill I am (almost) willing to die on.
* `image prune` prints the IDs of pruned images. Previously, in some
cases, the names were printed instead. The API clearly states ID,
so we should stick to it.
* Compat endpoint image removal with _force_ deletes the entire not
only the specified tag.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \
| | |
| | | |
cgroup: always honor --cgroup-parent
|
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
if --cgroup-parent is specified, always honor it without doing any
detection whether cgroups are supported or not.
Closes: https://github.com/containers/podman/issues/10173
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
|
| |
When in podman machine virtual machines, podman needs to be able to
detect as such. One implementation for this is when creating networks,
the podman-machine cni plugin needs to be added to the configuration.
This PR also includes the latest containers-common.
[NO TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
|
|
|
|
|
|
| |
Edits `podman info` to provide the default seccomp profile
detected in the output
Signed-off-by: Pablo Correa Gómez <ablocorrea@hotmail.com>
|
|\
| |
| | |
Add podman run --timeout option
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This option allows users to specify the maximum amount of time to run
before conmon sends the kill signal to the container.
Fixes: https://github.com/containers/podman/issues/6412
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
Fixes generate kube incorrect when bind-mounting "/" and "/root"
|
| |/
| |
| |
| | |
Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
|
|\ \
| | |
| | | |
Fix rootlesskit port forwarder with custom slirp cidr
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The source ip for the rootlesskit port forwarder was hardcoded to the
standard slirp4netns ip. This is incorrect since users can change the
subnet used by slirp4netns with `--network slirp4netns:cidr=10.5.0.0/24`.
The container interface ip is always the .100 in the subnet. Only when
the rootlesskit port forwarder child ip matches the container interface
ip the port forwarding will work.
Fixes #9828
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
|\ \
| | |
| | | |
Fix images prune filter until
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This commits fixes until filter. It is now checking if the created
timestamp is before until filter value as expected in the docs.
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
|
|/ /
| |
| |
| |
| |
| | |
This should make the unit tests pass on updated CI images.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \
| | |
| | | |
Add support for CDI device configuration
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
- Persist CDIDevices in container config
- Add e2e test
- Log HasDevice error and add additional condition for safety
Signed-off-by: Sebastian Jug <seb@stianj.ug>
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| | |
when deciding to create a user namespace, check for CAP_SYS_ADMIN
instead of looking at the euid.
[NO TESTS NEEDED] Needs nested Podman
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
Use full attach path, rather than a symlink
|
| | |
| | |
| | |
| | |
| | |
| | | |
2.0.24 introduced the new behavior with --full-attach, allowing podman to no longer use the socketDir
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
I believe moving the conmon probing code to c/common wasn't the best strategy.
Different container engines have different requrements of which conmon version is required
(based on what flags they use).
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | | |
without the socketsDir, we no longer need to worry about cleaning up after an exec.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | | |
and stop relying on socket path
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In libpod/image.Image.Remove(), if the attempt to find the image's
parent fails for any reason, log a warning and proceed as though it
didn't have one instead of failing, which would leave us unable to
remove the image without resetting everything.
In libpod/Runtime.RemoveImage(), if we can't determine if an image has
children, log a warning, and assume that it doesn't have any instead of
failing, which would leave us unable to remove the image without
resetting everything.
In pkg/domain/infra/abi.ImageEngine.Remove(), when attempting to remove
all images, if we encounter an error checking if a given image has
children, log a warning, and assume that it doesn't have any instead of
failing, which would leave us unable to remove the image without
resetting everything.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
|
|\ \
| | |
| | | |
Add flag "--pidfile" for podman create/run
|
| | |
| | |
| | |
| | | |
Signed-off-by: chenkang <kongchen28@gmail.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: chenkang <kongchen28@gmail.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: chenkang <kongchen28@gmail.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: chenkang <kongchen28@gmail.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: chenkang <kongchen28@gmail.com>
|
|\ \ \
| |_|/
|/| | |
[NO TESTS NEEDED] Make an advanced layer diff function private
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Noticed this while I was poking around in the runtime doing DB
work. The signature of this function makes me a bit uncomfortable
(why should we let people apply arbitrary diffs to layers? Seems
like a good way to break things...) and it's completely unused,
so let's just remove it.
[NO TESTS NEEDED] since this is a pure removal.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| | |
podman image prune paniced locally for me. The error handling was not
done correctly and we could end up with a nil pointer dereference.
[NO TESTS NEEDED] I have no idea how I could force an error in img.Size().
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
|\ \
| | |
| | | |
Fix message about runtime to show only the actual runtime
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Currently the debug line shows every runtime up until it finds
the correct one, confusing users on which runtime it is using.
Also move missing OCI runtime from containers/conf down to Debug level
and improved the debug message, to not report error.
[NO TESTS NEEDED] Since this is just debug.
Triggered by https://github.com/containers/podman/issues/4854
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
We originally added this in the *very early* days of Podman,
before a proper persistent state was written, so we had something
to test with. It was retained after the original SQLite state
(and current BoltDB state) were written so it could be used for
testing Libpod in unit tests with no requirement for on-disk
storage. Well, such unit tests never materialized, and if we were
to write some now the requirement to have a temporary directory
for storing data on disk is not that bad. I can basically
guarantee there are no users of this in the wild because, even if
you managed to figure out how to configure it when we don't
document it, it's completely unusable with Podman since all your
containers and pods will disappear every time Podman exits.
Given all this, and since it's an ongoing maintenance burden I no
longer wish to deal with, let's just remove it.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \ \
| |/ /
|/| | |
Do not delete container twice
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
10 lines above we had
// Set ContainerStateRemoving
c.state.State = define.ContainerStateRemoving
Which causes the state to not be the two checked states. Since the
c.cleanup call already deleted the OCI state, this meant that we were
calling cleanup, and hence the postHook hook twice.
Fixes: https://github.com/containers/podman/issues/9983
[NO TESTS NEEDED] Since it would be difficult to tests this. Main tests
should handle that the container is being deleted successfully.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| | |
do not set the cgroup parent when running as rootless with cgroupfs,
even if cgroup v2 is used.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1947999
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
Add support for play/generate kube PersistentVolumeClaims and Podman volumes
|
| | |
| | |
| | |
| | | |
Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add a new --rootless-cni option to podman unshare to also join the
rootless-cni network namespace. This is useful if you want to connect
to a rootless container via IP address. This is only possible from the
rootless-cni namespace and not from the host namespace. This option also
helps to debug problems in the rootless-cni namespace.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|