| Commit message (Collapse) | Author | Age |
|\
| |
| | |
Allow devs to set labels in container images for default capabilities.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch allows users to specify the list of capabilities required
to run their container image.
Setting a image/container label "io.containers.capabilities=setuid,setgid"
tells podman that the contained image should work fine with just these two
capabilties, instead of running with the default capabilities, podman will
launch the container with just these capabilties.
If the user or image specified capabilities that are not in the default set,
the container will print an error message and will continue to run with the
default capabilities.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/
|
|
|
|
|
|
|
| |
Env-variable related code is scattered across several packages making it
hard to maintain and extend. Consolidate the code into a new pkg/env
package.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
|
| |
Previously --uts=container: expected the full container ID.
Closes: https://github.com/containers/libpod/issues/5289
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before Libpod supported named volumes, we approximated image
volumes by bind-mounting in per-container temporary directories.
This was handled by Libpod, and had a corresponding database
entry to enable/disable it.
However, when we enabled named volumes, we completely rewrote the
old implementation; none of the old bind mount implementation
still exists, save one flag in the database. With nothing
remaining to use it, it has no further purpose.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|\
| |
| | |
Use cleaned destination path for indexing image volumes
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We use filepath.Clean() to remove trailing slashes to ensure that
when we supercede image mounts with mounts from --volume and
--mount, paths are consistent when we compare. Unfortunately,
while we used the cleaned path for the destination in the mount,
it was accidentally not used to index the maps that we use to
identify what to supercede, so our comparisons might be thrown
off by trailing slashes and similar.
Fixes #5219
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| | |
this uses the specgen structure to create containers rather than the outdated createconfig. right now, only the apiv2 create is wired up. eventually the cli will also have to be done.
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
|/
|
|
|
|
|
|
| |
Set the (default) process labels in `pkg/spec`. This way, we can also
query libpod.conf and disable labeling if needed.
Fixes: #5087
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Add pkg/capabibilities to deal with capabilities. The code has been
copied from Docker (and attributed with the copyright) but changed
significantly to only do what we really need. The code has also been
simplified and will perform better due to removed redundancy.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\
| |
| | |
support device-cgroup-rule
|
| |
| |
| |
| |
| |
| |
| | |
fix #4876
Add `--device-cgroup-rule` to podman create and run. This enables to add device rules after the container has been created.
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
|/
|
|
|
|
|
|
| |
Add pkg/seccomp to consolidate all seccomp-policy related code which is
currently scattered across multiple packages and complicating the
creatconfig refactoring.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|
|
|
|
|
|
|
| |
it allows to disable cgroups creation only for the conmon process.
A new cgroup is created for the container payload.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\
| |
| | |
policy for seccomp-profile selection
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Implement a policy for selecting a seccomp profile. In addition to the
default behaviour (default profile unless --security-opt seccomp is set)
add a second policy doing a lookup in the image annotation.
If the image has the "io.containers.seccomp.profile" set its value will be
interpreted as a seccomp profile. The policy can be selected via the
new --seccomp-policy CLI flag.
Once the containers.conf support is merged into libpod, we can add an
option there as well.
Note that this feature is marked as experimental and may change in the
future.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |
| |
| |
| |
| |
| |
| | |
`gocritic` is a powerful linter that helps in preventing certain kinds
of errors as well as enforcing a coding style.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|/
|
|
|
|
|
|
|
|
| |
support a custom tag to add to each log for the container.
It is currently supported only by the journald backend.
Closes: https://github.com/containers/libpod/issues/3653
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
| |
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|
|
|
| |
Signed-off-by: Dmitry Smirnov <onlyjob@member.fsf.org>
|
|
|
|
|
|
|
|
| |
As it stands, createconfig is a huge struct. This works fine when the only caller is when we create a container with a fully created config. However, if we wish to share code for security and namespace configuration, a single large struct becomes unweildy, as well as difficult to configure with the single createConfigToOCISpec function.
This PR breaks up namespace and security configuration into their own structs, with the eventual goal of allowing the namespace/security fields to be configured by the pod create cli, and allow the infra container to share this with the pod's containers.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
|\
| |
| | |
mount: add new options nocopyup|copyup for tmpfs
|
| |
| |
| |
| |
| |
| | |
add a way to disable tmpcopyup for tmpfs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|/
|
|
|
|
|
|
| |
I basically copied and adapted the statements for setting IP.
Closes #1136
Signed-off-by: Jakub Filak <jakub.filak@sap.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
change the default on cgroups v2 and create a new cgroup namespace.
When a cgroup namespace is used, processes inside the namespace are
only able to see cgroup paths relative to the cgroup namespace root
and not have full visibility on all the cgroups present on the
system.
The previous behaviour is maintained on a cgroups v1 host, where a
cgroup namespace is not created by default.
Closes: https://github.com/containers/libpod/issues/4363
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Refactor the `RuntimeConfig` along with related code from libpod into
libpod/config. Note that this is a first step of consolidating code
into more coherent packages to make the code more maintainable and less
prone to regressions on the long runs.
Some libpod definitions were moved to `libpod/define` to resolve
circular dependencies.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|
|
|
|
|
|
|
| |
Use the github.com/seccomp/containers-golang library instead of the
docker package. The docker package has changed and silently broke
on F31.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Move to containers/image v5 and containers/buildah to v1.11.4.
Replace an equality check with a type assertion when checking for a
docker.ErrUnauthorizedForCredentials in `podman login`.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
|
|\
| |
| | |
rootless: detect no system session with --cgroup-manager=systemd
|
| |
| |
| |
| |
| |
| |
| | |
if the cgroup manager is set to systemd, detect if dbus is available,
otherwise fallback to --cgroup-manager=cgroupfs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This matches Docker more closely, but retains the more important
protections of nosuid/nodev.
Fixes #4318
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, when `podman run` encountered a volume mount without
separate source and destination (e.g. `-v /run`) we would assume
that both were the same - a bind mount of `/run` on the host to
`/run` in the container. However, this does not match Docker's
behavior - in Docker, this makes an anonymous named volume that
will be mounted at `/run`.
We already have (more limited) support for these anonymous
volumes in the form of image volumes. Extend this support to
allow it to be used with user-created volumes coming in from the
`-v` flag.
This change also affects how named volumes created by the
container but given names are treated by `podman run --rm` and
`podman rm -v`. Previously, they would be removed with the
container in these cases, but this did not match Docker's
behaviour. Docker only removed anonymous volumes. With this patch
we move to that model as well; `podman run -v testvol:/test` will
not have `testvol` survive the container being removed by `podman
rm -v`.
The sum total of these changes let us turn on volume removal in
`--rm` by default.
Fixes: #4276
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\
| |
| | |
Allow giving path to Podman for cleanup command
|
| |
| |
| |
| |
| |
| |
| |
| | |
For non-Podman users of Libpod, we don't want to force the exit
command to use ARGV[0], which probably does not support a cleanup
command.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \
| | |
| | | |
rootless: do not set PIDs limit if --cgroup-manager=cgroupfs
|
| |/
| |
| |
| |
| |
| |
| | |
even if the system is using cgroups v2, rootless is not able to setup
limits when the cgroup-manager is not systemd.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
|
| |
"init" is a quite common name for the command executed in a container
image and Podman ends up using the systemd mode also when not
required.
Be stricter on enabling the systemd mode and not enable it
automatically when the basename is "init" but expect the full path
"/usr/sbin/init".
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\
| |
| | |
Setup a reasonable default for pids-limit 4096
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
CRI-O defaults to 1024 for the maximum pids in a container. Podman
should have a similar limit. Once we have a containers.conf, we can
set the limit in this file, and have it easily customizable.
Currently the documentation says that -1 sets pids-limit=max, but -1 fails.
This patch allows -1, but also indicates that 0 also sets the max pids limit.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
| |
This requires updating all import paths throughout, and a matching
buildah update to interoperate.
I can't figure out the reason for go.mod tracking
github.com/containers/image v3.0.2+incompatible // indirect
((go mod graph) lists it as a direct dependency of libpod, but
(go list -json -m all) lists it as an indirect dependency),
but at least looking at the vendor subdirectory, it doesn't seem
to be actually used in the built binaries.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
|
|
|
|
|
|
| |
if there are no resources specified, make sure the OCI resources block
is empty so that the OCI runtime won't complain.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
When a named volume is mounted on any of the tmpfs filesystems
created by read-only tmpfs, it caused a conflict that was not
resolved prior to this.
Fixes BZ1755119
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
1. create a network namespace
2. pass the netns persistent mount path to the slirp4netns
to create the tap inferface
3. pass the netns path to the OCI spec, so the runtime can
enter the netns
Closes #2897
Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We identify and resolve conflicts in paths using destination path
matches. We require exact matches, largely for performance
reasons (we use maps to efficiently access, keyed by
destination). This usually works fine, until you get mounts that
are targetted at /output and /output/ - the same path, but not
the same string.
Use filepath.Clean() aggressively to try and solve this.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\
| |
| | |
Add 'relabel' to --mount options
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently if a user specifies a --mount option, their is no way to tell SELinux
to relabel the mount point.
This patch addes the relabel=shared and relabel=private options.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
|
|/
|
|
| |
Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
|
|
|
|
|
|
|
| |
This is mostly used with Systemd, which really wants to manage
CGroups itself when managing containers via unit file.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\
| |
| | |
Allow suid, exec, dev mount options to cancel nosuid/noexec/nodev
|