aboutsummaryrefslogtreecommitdiff
path: root/pkg/spec
Commit message (Collapse)AuthorAge
* Merge pull request #3563 from giuseppe/fix-single-mapping-rootlessOpenShift Merge Robot2019-07-12
|\ | | | | spec: fix userns with less than 5 gids
| * spec: fix userns with less than 5 gidsGiuseppe Scrivano2019-07-12
| | | | | | | | | | | | | | when the container is running in a user namespace, check if gid=5 is available, otherwise drop the option gid=5 for /dev/pts. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #3537 from QiWang19/volumeabsOpenShift Merge Robot2019-07-12
|\ \ | | | | | | fix bug convert volume host path to absolute
| * | fix bug convert volume host path to absoluteQi Wang2019-07-10
| | | | | | | | | | | | | | | | | | fix #3504 If --volume host:dest host is not a named volume, convert the host to a absolute directory path. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | Merge pull request #3491 from giuseppe/rlimit-hostOpenShift Merge Robot2019-07-11
|\ \ \ | |_|/ |/| | podman: add --ulimit host
| * | podman: add --ulimit hostGiuseppe Scrivano2019-07-08
| |/ | | | | | | | | | | | | | | | | add a simple way to copy ulimit values from the host. if --ulimit host is used then the current ulimits in place are copied to the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / first pass of corrections for golangci-lintbaude2019-07-10
|/ | | | Signed-off-by: baude <bbaude@redhat.com>
* spec: move cgo stuff to their own fileGiuseppe Scrivano2019-07-02
| | | | | | so it can build without cgo since seccomp requires it. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* util: drop IsCgroup2UnifiedMode and use it from cgroupsGiuseppe Scrivano2019-06-26
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* remove libpod from mainbaude2019-06-25
| | | | | | | | | | | | | the compilation demands of having libpod in main is a burden for the remote client compilations. to combat this, we should move the use of libpod structs, vars, constants, and functions into the adapter code where it will only be compiled by the local client. this should result in cleaner code organization and smaller binaries. it should also help if we ever need to compile the remote client on non-Linux operating systems natively (not cross-compiled). Signed-off-by: baude <bbaude@redhat.com>
* Add tests for cached and delegated mountsMatthew Heon2019-06-19
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Allow (but ignore) Cached and Delegated volume optionsMatthew Heon2019-06-18
| | | | | | | | | | These are only used on OS X Docker, and ignored elsewhere - but since they are ignored, they're guaranteed to be safe everywhere, and people are using them. Fixes: #3340 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3328 from mheon/storage_opts_for_cleanupOpenShift Merge Robot2019-06-15
|\ | | | | When creating exit command, pass storage options on
| * When creating exit command, pass storage options onMatthew Heon2019-06-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We made changes earlier that empty storage options when setting storage driver explicitly. Unfortunately, this breaks rootless cleanup commands, as they lose the fuse-overlayfs mount program path. Fix this by passing along the storage options to the cleanup process. Also, fix --syslog, which was broken a while ago (probably when we broke up main to add main_remote). Fixes #3326 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | storage: support --mount type=bind,bind-nonrecursiveGiuseppe Scrivano2019-06-13
| | | | | | | | | | | | | | | | add support for not recursive bind mounts. Closes: https://github.com/containers/libpod/issues/3314 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | storage: fix typoGiuseppe Scrivano2019-06-13
|/ | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* only set log driver if it isn't emptyPeter Hunt2019-06-08
| | | | | | Now, not setting a log driver in a create config correctly takes the default (k8s-logging) Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Merge pull request #3238 from mheon/no_tmpcopyup_devOpenShift Merge Robot2019-05-31
|\ | | | | Do not set tmpcopyup on /dev
| * Do not set tmpcopyup on /devMatthew Heon2019-05-30
| | | | | | | | | | | | Fixes #3229 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Added --log-driver and journald loggingPeter Hunt2019-05-28
|/ | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* When superceding mounts, check for opposite typesMatthew Heon2019-05-21
| | | | | | | | | | | | | | | | | | | When we supercede low-priority mounts and volumes (image volumes, and volumes sourced from --volumes-from) with higher-priority ones (the --volume and --mount flags), we always replaced lower-priority mounts of the same type (e.g. a user mount to /tmp/test1 would supercede a volumes-from mount to the same destination). However, we did not supercede the opposite type - a named volume from image volumes at /tmp/test1 would be allowed to remain and create a conflict, preventing container creation. Solve this by destroying opposite types before merging (we can't do it in the same loop, as then named volumes, which go second, might trample changes made by mounts). Fixes #3174 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* rootless: force resources to be nil on cgroup v1Giuseppe Scrivano2019-05-20
| | | | | | | | | force the resources block to be empty instead of having default values. Regression introduced by 8e88461511e81d2327e4c1a1315bb58fda1827ca Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Don't set apparmor if --priviligedDaniel J Walsh2019-05-20
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless, spec: allow resources with cgroup v2Giuseppe Scrivano2019-05-13
| | | | | | | We were always raising an error when the rootless user attempted to setup resources, but this is not the case anymore with cgroup v2. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add support for retry count with --restart flagMatthew Heon2019-05-03
| | | | | | | | | The on-failure restart option supports restarting only a given number of times. To do this, we need one additional field in the DB to track restart count (which conveniently fills a field in Inspect we weren't populating), plus some plumbing logic. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add container restart policy to Libpod & PodmanMatthew Heon2019-05-03
| | | | | | | This initial version does not support restart count, but it works as advertised otherwise. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #2959 from mheon/merge_volume_flagsOpenShift Merge Robot2019-05-03
|\ | | | | Merge volume flags implementation
| * Move handling of ReadOnlyTmpfs into new mounts codeMatthew Heon2019-05-01
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Ensure that named volumes have their options parsedMatthew Heon2019-05-01
| | | | | | | | | | | | | | This involves moving some code out of pkg/spec/ into util/ so it can also be used by libpod. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Add options parsing for tmpfs mountsMatthew Heon2019-05-01
| | | | | | | | | | | | | | | | | | This ensures that all tmpfs mounts added by the user, even with the --mount flag, share a few common options (nosuid, noexec, nodev), and options for tmpfs mounts are properly validated to ensure they are correct. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Use EqualValues instead of reflect equalityMatthew Heon2019-05-01
| | | | | | | | | | | | | | Same result, but notably better error messages when things go wrong. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Hit a number of to-do comments in unified volumes codeMatthew Heon2019-05-01
| | | | | | | | | | | | | | | | As part of this, move bind mount option validity parsing and modification (adding e.g. rbind on bind mounts that are missing it), which requires test changes (expected values have changed). Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Fix options for non-bind and non-tmpfs volumesMatthew Heon2019-05-01
| | | | | | | | | | | | | | | | | | We were unconditionally resetting volume mount options for all mount points (and by the looks of things, completely dropping tmpfs mounts), which was causing runc to refuse to run containers and all the tests to consequently fail. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Migrate unit tests from cmd/podman into pkg/specMatthew Heon2019-05-01
| | | | | | | | | | | | | | | | | | | | Several changes made in the interface of pkg/spec make interacting with it without a runtime difficult to impossible, so move the existing limited testing from cmd/podman (which mostly tested pkg/spec) into pkg/spec itself where we can call individual functions that don't break things. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Migrate to unified volume handling codeMatthew Heon2019-05-01
| | | | | | | | | | | | | | | | | | | | | | | | | | Unify handling for the --volume, --mount, --volumes-from, --tmpfs and --init flags into a single file and set of functions. This will greatly improve readability and maintainability. Further, properly handle superceding and conflicting mounts. Our current patchwork has serious issues when mounts conflict, or when a mount from --volumes-from or an image volume should be overwritten by a user volume or named volume. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Always pass pod into MakeContainerConfigMatthew Heon2019-05-01
| | | | | | | | | | | | | | | | Play kube was passing the pod, but CreateConfig was not. Unify it so they both do, so we can remove some unnecessary duplicate lookup code. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Remove non-config fields from CreateConfigMatthew Heon2019-05-01
| | | | | | | | | | | | | | | | | | The goal here is to keep only the configuration directly used to build the container in CreateConfig, and scrub temporary state and helpers that we need to generate. We'll keep those internally in MakeContainerConfig. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Add a new function for converting a CreateConfigMatthew Heon2019-05-01
| | | | | | | | | | | | | | | | | | | | | | Right now, there are two major API calls necessary to turn a filled-in CreateConfig into the options and OCI spec necessary to make a libpod Container. I'm intending on refactoring both of these extensively to unify a few things, so make a common frontend to both that will prevent API changes from leaking out of the package. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #3031 from baude/remotewindowsOpenShift Merge Robot2019-05-01
|\ \ | |/ |/| enable podman-remote on windows
| * enable podman-remote on windowsbaude2019-04-30
| | | | | | | | | | | | | | build a podman-remote binary for windows that allows users to use the remote client on windows and interact with podman on linux system. Signed-off-by: baude <bbaude@redhat.com>
* | auto pass http_proxy into containerJames Cassell2019-04-30
|/ | | | Signed-off-by: James Cassell <code@james.cassell.me>
* Add --read-only-tmpfs optionsDaniel J Walsh2019-04-26
| | | | | | | | | | | The --read-only-tmpfs option caused podman to mount tmpfs on /run, /tmp, /var/tmp if the container is running int read-only mode. The default is true, so you would need to execute a command like --read-only --read-only-tmpfs=false to turn off this behaviour. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* spec: mask /sys/kernel when bind mounting /sysGiuseppe Scrivano2019-04-11
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* oci: add /sys/kernel to the masked pathsGiuseppe Scrivano2019-04-11
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Drop LocalVolumes from our the databaseMatthew Heon2019-04-04
| | | | | | | | We were never using it. It's actually a potentially quite sizable field (very expensive to decode an array of structs!). Removing it should do no harm. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Major rework of --volumes-from flagMatthew Heon2019-04-04
| | | | | | | | | | The flag should be substantially more durable, and no longer relies on the create artifact. This should allow it to properly handle our new named volume implementation. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add handling for new named volumes code in pkg/specMatthew Heon2019-04-04
| | | | | | | | | Now that named volumes must be explicitly enumerated rather than passed in with all other volumes, we need to split normal and named volumes up before passing them into libpod. This PR does this. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* rootless: remove SkipStorageSetup()Giuseppe Scrivano2019-04-01
| | | | | | | | in the few places where we care about skipping the storage initialization, we can simply use the process effective UID, instead of relying on a global boolean flag. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Ensure that we make a netns for CNI non-default netsMatthew Heon2019-03-28
| | | | | | | | | | | | | | | | | We accidentally patched this out trying to enable ns:/path/to/ns This should restore the ability to configure nondefault CNI networks with Podman, by ensuring that they request creation of a network namespace. Completely remove the WithNetNS() call when we do use an explicit namespace from a path. We use that call to indicate that a netns is going to be created - there should not be any question about whether it actually does. Fixes #2795 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Remove ulele/deepcopier in favor of JSON deep copyMatthew Heon2019-03-27
| | | | | | | | | | | | | We have a very high performance JSON library that doesn't need to perform code generation. Let's use it instead of our questionably performant, reflection-dependent deep copy library. Most changes because some functions can now return errors. Also converts cmd/podman to use jsoniter, instead of pkg/json, for increased performance. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-11-15 22:21:14 +0000