summaryrefslogtreecommitdiff
path: root/pkg/domain/infra
Commit message (Collapse)AuthorAge
* Merge pull request #16057 from mheon/fix_16046OpenShift Merge Robot2022-10-07
|\ | | | | Clean up when stopping pods
| * Clean up when stopping podsMatthew Heon2022-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We have a test to verify that init containers in pods are deleted when the `--init-ctr=once` option is specified. The test creates two containers, one of them an init container, starts the pod, stops the pod, and restarts the pod, checking for the presence of a file created by the init container during the second start. We're seeing a race where the file still exists, which I'm fairly certain comes down to the SHM mount not being cleaned up after the pod is stopped. Fortunately, we already have code to do this - just flip the bool that controls cleanup from false to true. [NO NEW TESTS NEEDED] Fixes a difficult to reproduce race condition. Fixes #16046 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Add pods created by kube play to a default networkAndrei Natanael Cosma2022-10-04
| | | | | | | | | | | | | | | | | | | | In order to allow pods to reach other pods (as in Kubernetes) they all need to be added to the same network. A network is created (if it doesn't exist) and pods created by play-kube are added to that network. When network options are passed to kube command the pods are not attached to the default kube network. Signed-off-by: Andrei Natanael Cosma <andrei@intersect.ro>
* | Merge pull request #15846 from jakecorrenti/pod-logs-latestOpenShift Merge Robot2022-10-03
|\ \ | | | | | | `podman pod logs -l` no longer panics
| * | `podman pod logs -l` no longer panicsJake Correnti2022-09-29
| | | | | | | | | | | | | | | | | | | | | Fixed issue where executing the command `podman pod logs -l` would panic because it was indexing into an empty arguments array. Signed-off-by: Jake Correnti <jcorrenti13@gmail.com>
* | | podman kube play allow --network hostPaul Holzinger2022-09-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I see no reason to block --network host with kube play and force users to have to set it in the yaml file. This is just confusing when compared to the other podman create/run --network options, see discussion in #15945. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Revert "remote: fix manifest add --annotation"Paul Holzinger2022-09-29
| |/ |/| | | | | | | | | | | | | | | This reverts commit 32f54a81ed797597827123b671b6e73194354327. `pkg/bindings` is supported outside of podman and we have to keep it stable. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | remote: fix manifest add --annotationToshiki Sonoda2022-09-29
| | | | | | | | | | | | | | | | | | | | | | * `manifest add --annotation option` adds annotations field on remote environment. * `manifest inspect` prints annotations field on remote environment. Fixes: #15952 Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
* | podman machine ssh handlingCharlie Doern2022-09-26
| | | | | | | | | | | | | | | | | | | | add the key used in newly initialized machines to the user's known_hosts file. This ensures that golang will be able to ssh into the machine using podman-remote. Also, remove the /dev/null redirection for podman machine ssh's known_hosts file. resolves #15347 Signed-off-by: Charlie Doern <cdoern@redhat.com> Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* | Merge pull request #15933 from vrothberg/fix-15879OpenShift Merge Robot2022-09-26
|\ \ | | | | | | auto-update: validate container image
| * | auto-update: validate container imageValentin Rothberg2022-09-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Auto updates using the "registry" policy require container to be created with a fully-qualified image reference. Short names are not supported due the ambiguity of their source registry. Initially, container creation errored out for non FQN images but it seems that Podman has regressed. Fixes: #15879 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | | Merge pull request #15820 from vrothberg/fix-15800OpenShift Merge Robot2022-09-26
|\ \ \ | |/ / |/| | kube: notifyproxy: fix lost READY message
| * | kube play: sdnotify proxy: use a wait groupValentin Rothberg2022-09-16
| |/ | | | | | | | | | | | | | | | | Use a wait group to a) wait for all proxies in parallel b) avoid the potential for ABBA deadlocks [NO NEW TESTS NEEDED] as it is not changing functionality Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | Merge pull request #15131 from boaz0/closes_14707OpenShift Merge Robot2022-09-22
|\ \ | | | | | | Add support to sig-proxy for podman-remote
| * | Add support to sig-proxy for podman-remoteBoaz Shuster2022-09-20
| |/ | | | | | | Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
* | Merge pull request #15870 from idleroamer/podman-saveOpenShift Merge Robot2022-09-22
|\ \ | | | | | | podman-save: Add signature-policy flag
| * | cli: Add signature-policy flag to podman save😎Mostafa Emami2022-09-21
| |/ | | | | | | | | | | | | | | Allow overwrite of the signature-policy file by passing signature-policy flag to podman save command Closes: https://github.com/containers/podman/issues/15869 Signed-off-by: 😎Mostafa Emami <mustafaemami@gmail.com>
* | Merge pull request #15871 from cevich/replace_ioutilOpenShift Merge Robot2022-09-21
|\ \ | | | | | | Replace deprecated ioutil
| * | Replace deprecated ioutilChris Evich2022-09-20
| |/ | | | | | | | | | | | | | | | | | | Package `io/ioutil` was deprecated in golang 1.16, preventing podman from building under Fedora 37. Fortunately, functionality identical replacements are provided by the packages `io` and `os`. Replace all usage of all `io/ioutil` symbols with appropriate substitutions according to the golang docs. Signed-off-by: Chris Evich <cevich@redhat.com>
* | Merge pull request #15842 from ashley-cui/seclabelsOpenShift Merge Robot2022-09-21
|\ \ | | | | | | Add labels to secrets
| * | Add labels to secretsAshley Cui2022-09-20
| | | | | | | | | | | | | | | | | | | | | Add --label/-l label flag to secret create, and show labels when inspecting secrets. Also allow labeling secrets via libpod/compat API. Signed-off-by: Ashley Cui <acui@redhat.com>
* | | Merge pull request #15866 from boaz0/closes_15746OpenShift Merge Robot2022-09-21
|\ \ \ | |_|/ |/| | Fix podman-remote run --attach stdin to show container ID
| * | Fix podman-remote run --attach stdin to show container IDBoaz Shuster2022-09-20
| | | | | | | | | | | | Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
* | | remote: checkpoint --export prints a rawInput or an error on remoteToshiki Sonoda2022-09-16
|/ / | | | | | | | | | | | | | | | | This commit fixes `container checkpoint --export` to print a rawInput or an error. Fixes: #15743 Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
* | System tests: fix three racesEd Santiago2022-09-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Three tests were running 'container rm' on 'start'ed containers that might not yet have exited. Fix. Also, tighten up the tests themselves, to make even more sure that they test what they're supposed to test. Discovered, in CI, that 'podman-remote logs --timestamps' was unimplemented. Thanks to @Luap99 for the fix to that. Fixes: #15783 Fixes: #15795 Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #15753 from mheon/fix_15720OpenShift Merge Robot2022-09-13
|\ \ | |/ |/| Ensure that the DF endpoint updated volume refcount
| * Ensure that the DF endpoint updated volume refcountMatthew Heon2022-09-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The field was already exposed already in the `system df` output so this just required a bit of plumbing and testing. As part of this, fix `podman systemd df` volume in-use logic. Previously, volumes were only considered to be in use if the container using them was running. This does not match Docker's behavior, where a volume is considered in use as long as a container exists that uses the volume, even if said container is not running. Fixes #15720 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Use new secret store APIAshley Cui2022-09-12
| | | | | | | | | | | | | | | | | | Refactored secrets API in common for stability purposes. Move podman to said API. [NO NEW TESTS NEEDED] Signed-off-by: Ashley Cui <acui@redhat.com>
* | Merge pull request #15511 from rhatdan/codespellOpenShift Merge Robot2022-09-12
|\ \ | | | | | | Fix stutters
| * | Fix stuttersDaniel J Walsh2022-09-10
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | Podman adds an Error: to every error message. So starting an error message with "error" ends up being reported to the user as Error: error ... This patch removes the stutter. Also ioutil.ReadFile errors report the Path, so wrapping the err message with the path causes a stutter. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / refactor: use `os.ReadDir` for lightweight directory readingEng Zer Jun2022-09-11
|/ | | | | | | | `os.ReadDir` was added in Go 1.16 as part of the deprecation of `ioutil` package. It is a more efficient implementation than `ioutil.ReadDir`. Reference: https://pkg.go.dev/io/ioutil#ReadDir Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
* kube: plug HostUsers in the pod specGiuseppe Scrivano2022-09-08
| | | | | | | | | | | | map HostUsers=false to userns=auto. One difference with the current implementation in the Kubelet is that the podman default size is 1024 while the Kubelet uses 65536. This is done on purpose, because 65536 is a problem for rootless as the entire IDs space would be allocated to a single pod. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* fix podman pod inspect to support multiple podsPaul Holzinger2022-09-08
| | | | | | | | | | | | | | | | | Just like the other inspect commands `podman pod inspect p1 p2` should return the json for both. To correctly implement this we follow the container inspect logic, this allows use to reuse the global inspect command. Note: To not break the existing single pod output format for podman pod inspect I added a pod-legacy inspect type. This is only used to make sure we will print the pod as single json and not an array like for the other commands. We cannot use the pod type since podman inspect --type pod did return an array and we should not break that as well. Fixes #15674 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #15547 from vrothberg/RUN-1606OpenShift Merge Robot2022-09-06
|\ | | | | Support auto updates for Kubernetes workloads
| * kube play: support auto updates and rollbacksValentin Rothberg2022-09-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add auto-update support to `podman kube play`. Auto-update policies can be configured for: * the entire pod via the `io.containers.autoupdate` annotation * a specific container via the `io.containers.autoupdate/$name` annotation To make use of rollbacks, the `io.containers.sdnotify` policy should be set to `container` such that the workload running _inside_ the container can send the READY message via the NOTIFY_SOCKET once ready. For further details on auto updates and rollbacks, please refer to the specific article [1]. Since auto updates and rollbacks bases on Podman's systemd integration, the k8s YAML must be executed in the `podman-kube@` systemd template. For further details on how to run k8s YAML in systemd via Podman, please refer to the specific article [2]. An examplary k8s YAML may look as follows: ```YAML apiVersion: v1 kind: Pod metadata: annotations: io.containers.autoupdate: "local" io.containers.autoupdate/b: "registry" labels: app: test name: test_pod spec: containers: - command: - top image: alpine name: a - command: - top image: alpine name: b ``` [1] https://www.redhat.com/sysadmin/podman-auto-updates-rollbacks [2] https://www.redhat.com/sysadmin/kubernetes-workloads-podman-systemd Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | Add generate systemd -e/--env optionToshiki Sonoda2022-09-06
|/ | | | | | | | -e/--env option sets environment variables to the systemd unit files. Fixes: #15523 Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
* implement podman updateCharlie Doern2022-09-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman update allows users to change the cgroup configuration of an existing container using the already defined resource limits flags from podman create/run. The supported flags in crun are: this command is also now supported in the libpod api via the /libpod/containers/<CID>/update endpoint where the resource limits are passed inthe request body and follow the OCI resource spec format –memory –cpus –cpuset-cpus –cpuset-mems –memory-swap –memory-reservation –cpu-shares –cpu-quota –cpu-period –blkio-weight –cpu-rt-period –cpu-rt-runtime -device-read-bps -device-write-bps -device-read-iops -device-write-iops -memory-swappiness -blkio-weight-device resolves #15067 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* Merge pull request #15473 from umohnani8/empty-dirOpenShift Merge Robot2022-08-31
|\ | | | | Add emptyDir volume support to kube play
| * Add emptyDir volume support to kube playUrvashi Mohnani2022-08-30
| | | | | | | | | | | | | | | | | | | | | | When a kube yaml has a volume set as empty dir, podman will create an anonymous volume with the empty dir name and attach it to the containers running in the pod. When the pod is removed, the empy dir volume created is also removed. Add tests and docs for this as well. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* | infra: remove dead codeGiuseppe Scrivano2022-08-30
|/ | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* pkg/domain: Add terminal support for FreeBSDDoug Rabson2022-08-27
| | | | | | | | This just moves the code to files which can be shared with freebsd. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* Move most of ImageEngine.ShowTrust into pkg/trust.PolicyDescriptionMiloslav Trmač2022-08-25
| | | | | | | | | This will allow us to write unit tests without setting up the complete Podman runtime (and without the Linux dependency). Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Move most of imageEngine.SetTrust to pkg/trust.AddPolicyEntriesMiloslav Trmač2022-08-25
| | | | | | | | | | | This will allow us to write unit tests without setting up the complete Podman runtime (and without the Linux dependency). Also, actually add a basic smoke test of the core functionality. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Add a variable for scopeMiloslav Trmač2022-08-25
| | | | | | | | | | | Only process the incoming args[] (which is a single-element array for some reason) once, and use a semantic variable name for the value we care about. Should not change behavior, the only caller already supposedly ensures that len(args) == 1. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove commented out codeMiloslav Trmač2022-08-25
| | | | | | | | | We can always recover it from git, but it seems to serve no purpose anyway. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Merge pull request #15437 from mheon/default_volume_timeoutOpenShift Merge Robot2022-08-24
|\ | | | | Add support for containers.conf volume timeouts
| * Add support for containers.conf volume timeoutsMatthew Heon2022-08-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Also, do a general cleanup of all the timeout code. Changes include: - Convert from int to *uint where possible. Timeouts cannot be negative, hence the uint change; and a timeout of 0 is valid, so we need a new way to detect that the user set a timeout (hence, pointer). - Change name in the database to avoid conflicts between new data type and old one. This will cause timeouts set with 4.2.0 to be lost, but considering nobody is using the feature at present (and the lack of validation means we could have invalid, negative timeouts in the DB) this feels safe. - Ensure volume plugin timeouts can only be used with volumes created using a plugin. Timeouts on the local driver are nonsensical. - Remove the existing test, as it did not use a volume plugin. Write a new test that does. The actual plumbing of the containers.conf timeout in is one line in volume_api.go; the remainder are the above-described cleanups. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #15351 from marshall-lee/images-pull-simpleOpenShift Merge Robot2022-08-24
|\ \ | |/ |/| Simplify ImagesPull for when Quiet flag is on
| * Add ProgressWriter to PullOptionsVladimir Kochnev2022-08-19
| | | | | | | | Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
* | Refactor: About the RawInput processToshiki Sonoda2022-08-23
|/ | | | | | | | | | Refactor the RawInput process of the `rm` and `start` subcommands, like the other subcommands such as `restart, stop, etc`. [NO NEW TESTS NEEDED] Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>