summaryrefslogtreecommitdiff
path: root/pkg/specgen
Commit message (Collapse)AuthorAge
* Merge pull request #14483 from ↵OpenShift Merge Robot2022-06-07
|\ | | | | | | | | jakecorrenti/restart-privelaged-containers-after-host-device-change Privileged containers can now restart if the host devices change
| * Privileged containers can now restart if the host devices changeJake Correnti2022-06-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If a privileged container is running, stops, and the devices on the host change, such as a USB device is unplugged, then a container would no longer start. Previously, the devices from the host were only being added to the container once: when the container was created. Now, this happens every time the container starts. I did this by adding a boolean to the container config that indicates whether to mount all of the devices or not, which can be set via an option. During spec generation, if the `MountAllDevices` option is set in the container config, all host devices are added to the container. Additionally, a couple of functions from `pkg/specgen/generate/config_linux.go` were moved into `pkg/util/utils_linux.go` as they were needed in multiple packages. Closes #13899 Signed-off-by: Jake Correnti <jcorrenti13@gmail.com>
* | Infra Inheritance patchcdoern2022-06-07
| | | | | | | | | | | | | | | | | | infra was overriding options that it should be appending rather than resetting. fix this by appending the given container's spec to the compatible options before marshaling/unmarshaling resolves #14454 Signed-off-by: cdoern <cdoern@redhat.com>
* | overlay-volumes: add support for non-volatile upperdir,workdir for anonymous ↵Aditya R2022-06-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | volumes Similar feature was added for named overlay volumes here: https://github.com/containers/podman/pull/12712 Following PR just mimics similar feature for anonymous volumes. Often users want their anonymous overlayed volumes to be `non-volatile` in nature that means that same `upper` dir can be re-used by one or more containers but overall of nature of volumes still have to be overlay so work done is still on a overlay not on the actual volume. Following PR adds support for more advanced options i.e custom `workdir` and `upperdir` for overlayed volumes. So that users can re-use `workdir` and `upperdir` across new containers as well. Usage ```console podman run -it -v /some/path:/data:O,upperdir=/path/persistant/upper,workdir=/path/persistant/work alpine sh ``` Signed-off-by: Aditya R <arajan@redhat.com>
* | fix pod network handling with a host networkcdoern2022-06-02
| | | | | | | | | | | | | | | | | | | | | | | | | | the function `GetDefaultNamespaceMode` for pods checks if we are sharing each namespace and if not, returns the default which in the case of a network is slirp. add a switch case for explicitly checking if the pod's network mode is host and if so, return specgen.Host for the container resolves #13763 Signed-off-by: cdoern <cbdoer23@g.holycross.edu> Signed-off-by: cdoern <cdoern@redhat.com>
* | Merge pull request #14436 from Luap99/net-remote-defaultOpenShift Merge Robot2022-06-02
|\ \ | | | | | | pkg/specgen: parse default network mode on server
| * | pkg/specgen: parse default network mode on serverPaul Holzinger2022-06-01
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When podman-remote is used we should not resolve the default network mode on the client. Defaults should be set on the server. In this case this is important because we have different defaults for root/rootless. So when the client is rootless and the server is root we must pick the root default. Note that this already worked when --network was set since we did not parsed the flag in this case. To reproduce you need --network=default. Also removed a unused function. [NO NEW TESTS NEEDED] I tested it manually but I am not sure how I can hook a test like this up in CI. The client would need to run as rootless and the server as root or the other way around. Fixes #14368 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #14344 from cdoern/podCreateOpenShift Merge Robot2022-06-02
|\ \ | |/ |/| podman pod create --uidmap patch
| * podman pod create --uidmap patchcdoern2022-06-01
| | | | | | | | | | | | | | | | | | | | | | | | | | podmans remote API does not marshal infra's spec due to the fact that if it did, all of those options would be available to the users on the command line. This means we need to manually map "backwards" some container spec items -> pod spec items before calling PodCreate, this was one of them that was forgotten resolves #14233 Signed-off-by: cdoern <cbdoer23@g.holycross.edu> Signed-off-by: cdoern <cdoern@redhat.com>
* | Merge pull request #14308 from n1hility/root-cgroupOpenShift Merge Robot2022-05-25
|\ \ | | | | | | Support running podman under a root v2 cgroup
| * | Support running podman under a root v2 cgroupJason T. Greene2022-05-21
| | | | | | | | | | | | Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
* | | Use containers/common/pkg/util.StringToSliceDaniel J Walsh2022-05-23
| |/ |/| | | | | | | | | [NO NEW TESTS NEEDED] Just code cleanup for better reuse Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #14281 from vrothberg/fix-14251OpenShift Merge Robot2022-05-23
|\ \ | | | | | | fix --init with /dev bind mount
| * | fix --init with /dev bind mountValentin Rothberg2022-05-23
| |/ | | | | | | | | | | | | | | | | | | The init binary until now has been bind-mounted to /dev/init which breaks when bind-mounting to /dev. Instead mount the init to /run/podman-init. The reasoning for using /run is that it is already used for other runtime data such as secrets. Fixes: #14251 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | Merge pull request #14266 from tupyy/add-blockdevice-play-kubeOpenShift Merge Robot2022-05-23
|\ \ | |/ |/| Expose block and character devices with play kube
| * add tests and fix bug when char device pass the test as block deviceCosmin Tupangiu2022-05-18
| | | | | | | | | | | | | | | | | | | | | | - add test - fix bug when a character device set in a volume as a block device is seen as block device in _pkg/specgen/generate/kube/volume.go_. At this stage the type does not matter much because the devices are recreated at lower layer but the bug allowed a CharDevice volume to be passed to lower layer as a BlockDevice. Signed-off-by: Cosmin Tupangiu <cosmin@redhat.com>
| * expose block and char devices with play kubeCosmin Tupangiu2022-05-17
| | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Cosmin Tupangiu <cosmin@redhat.com>
* | linter: enable unconvert linterValentin Rothberg2022-05-19
|/ | | | | | | Detects unneccessary type conversions and helps in keeping the code base cleaner. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* [BZ #2083997] pod: build pause image in custom user NSValentin Rothberg2022-05-13
| | | | | | | | | | | Use the host UID and host GID mapping when building the local pause image for a Pod with a custom mapping. Otherwise, the mappings are off and the build fails. Propagating the mapping to the build container is not needed since the pause image ships merely a copied `catatonit` from the host. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2083997 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* play kube: service containerValentin Rothberg2022-05-12
| | | | | | | | | | | | | | | | | | | | Add the notion of a "service container" to play kube. A service container is started before the pods in play kube and is (reverse) linked to them. The service container is stopped/removed *after* all pods it is associated with are stopped/removed. In other words, a service container tracks the entire life cycle of a service started via `podman play kube`. This is required to enable `play kube` in a systemd unit file. The service container is only used when the `--service-container` flag is set on the CLI. This flag has been marked as hidden as it is not meant to be used outside the context of `play kube`. It is further not supported on the remote client. The wiring with systemd will be done in a later commit. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* kube: add support for --userns=Giuseppe Scrivano2022-05-10
| | | | | | | | add support to override the user namespace to use for the pod. Closes: https://github.com/containers/podman/issues/7504 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* kube: honor pod security context IDsGiuseppe Scrivano2022-05-10
| | | | | | | | If the RunAsUser, RunAsGroup, SupplementalGroups settings are not overriden in the container security context, then take the value from the pod security context. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* kube: refactor setupSecurityContext to accept directly the security ctxGiuseppe Scrivano2022-05-10
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #14121 from cdoern/kubeOpenShift Merge Robot2022-05-09
|\ | | | | play kube log tag handling
| * play kube log tag handlingcdoern2022-05-06
| | | | | | | | | | | | | | | | | | currently tags cause a panic due to an uninitialized map. Initialize the map and add parsing to make sure we are only tagging with journald resolves #13356 Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* | libpod: add c.ConfigWithNetworks()Paul Holzinger2022-05-06
| | | | | | | | | | | | | | | | | | | | Reading the networks requires an extra db operation. Most c.Config() callers do not need them so create a new function which returns the config with networks. [NO NEW TESTS NEEDED] Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #14129 from Juneezee/test/t.TempDirOpenShift Merge Robot2022-05-06
|\ \ | | | | | | test: use `T.TempDir` to create temporary test directory
| * | test: use `T.TempDir` to create temporary test directoryEng Zer Jun2022-05-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit replaces `ioutil.TempDir` with `t.TempDir` in tests. The directory created by `t.TempDir` is automatically removed when the test and all its subtests complete. Prior to this commit, temporary directory created using `ioutil.TempDir` needs to be removed manually by calling `os.RemoveAll`, which is omitted in some tests. The error handling boilerplate e.g. defer func() { if err := os.RemoveAll(dir); err != nil { t.Fatal(err) } } is also tedious, but `t.TempDir` handles this for us nicely. Reference: https://pkg.go.dev/testing#T.TempDir Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
* | | Merge pull request #14059 from cdoern/cloneOpenShift Merge Robot2022-05-05
|\ \ \ | |/ / |/| | pass networks to container clone
| * | pass networks to container clonecdoern2022-05-03
| |/ | | | | | | | | | | | | | | | | since the network config is a string map, json.unmarshal does not recognize the config and spec as the same entity, need to map this option manually resolves #13713 Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* / pod: add exit policiesValentin Rothberg2022-05-02
|/ | | | | | | | | | | | | | | | | | | | | | | | Add the notion of an "exit policy" to a pod. This policy controls the behaviour when the last container of pod exits. Initially, there are two policies: - "continue" : the pod continues running. This is the default policy when creating a pod. - "stop" : stop the pod when the last container exits. This is the default behaviour for `play kube`. In order to implement the deferred stop of a pod, add a worker queue to the libpod runtime. The queue will pick up work items and in this case helps resolve dead locks that would otherwise occur if we attempted to stop a pod during container cleanup. Note that the default restart policy of `play kube` is "Always". Hence, in order to really solve #13464, the YAML files must set a custom restart policy; the tests use "OnFailure". Fixes: #13464 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* enable gocritic linterPaul Holzinger2022-04-26
| | | | | | | | | | | | | | | | | | | | | | The linter ensures a common code style. - use switch/case instead of else if - use if instead of switch/case for single case statement - add space between comment and text - detect the use of defer with os.Exit() - use short form var += "..." instead of var = var + "..." - detect problems with append() ``` newSlice := append(orgSlice, val) ``` This could lead to nasty bugs because the orgSlice will be changed in place if it has enough capacity too hold the new elements. Thus we newSlice might not be a copy. Of course most of the changes are just cosmetic and do not cause any logic errors but I think it is a good idea to enforce a common style. This should help maintainability. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Implements Windows volume/mount supportJason T. Greene2022-04-25
| | | | | | | Based on WSL2 9p support: remaps windows paths to /mnt/<drive> locations for both podman and Docker API clients. Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
* Merge pull request #13978 from Luap99/unparamOpenShift Merge Robot2022-04-25
|\ | | | | enable unparam linter
| * enable unparam linterPaul Holzinger2022-04-25
| | | | | | | | | | | | | | The unparam linter is useful to detect unused function parameters and return values. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #13973 from Luap99/linter-reviveOpenShift Merge Robot2022-04-23
|\ \ | |/ |/| replace golint with revive linter
| * replace golint with revive linterPaul Holzinger2022-04-22
| | | | | | | | | | | | | | | | | | | | | | | | golint, scopelint and interfacer are deprecated. golint is replaced by revive. This linter is better because it will also check for our error style: `error strings should not be capitalized or end with punctuation or a newline` scopelint is replaced by exportloopref (already endabled) interfacer has no replacement but I do not think this linter is important. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #13918 from Luap99/hostsOpenShift Merge Robot2022-04-22
|\ \ | | | | | | use etchosts package from c/common
| * | shared netns and --add-host should conflictPaul Holzinger2022-04-22
| | | | | | | | | | | | | | | | | | | | | | | | Because /etc/hosts is shared for all containers with a shared network namespace you should not be able to add hosts from a joined container. Only the primary netns container can set the hosts. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #13881 from rhatdan/usernsOpenShift Merge Robot2022-04-22
|\ \ \ | |_|/ |/| | Add support for --userns=nomap
| * | Add support for --userns=nomapDaniel J Walsh2022-04-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | From a security point of view, it would be nice to be able to map a rootless usernamespace that does not use your own UID within the container. This would add protection against a hostile process escapping the container and reading content in your homedir. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #13972 from Luap99/staticcheckOpenShift Merge Robot2022-04-22
|\ \ \ | |_|/ |/| | enable staticcheck linter
| * | enable staticcheck linterPaul Holzinger2022-04-22
| |/ | | | | | | | | | | | | Fix many problems reported by the staticcheck linter, including many real bugs! Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* / Run codespell on codeDaniel J Walsh2022-04-22
|/ | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* healthcheck: set default healthcheck Interval if not specified in imageAditya R2022-04-20
| | | | | | | Set appropriate defaults for `--interval` when processing a Containerfile with build format as docker. Signed-off-by: Aditya R <arajan@redhat.com>
* Merge pull request #13583 from rhatdan/ipcOpenShift Merge Robot2022-04-16
|\ | | | | Add support for ipc namespace modes "none, private, sharable"
| * Add support for ipc namespace modes "none, private, sharable"Daniel J Walsh2022-04-12
| | | | | | | | | | | | Fixes: #13265 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #13868 from cdoern/cloneSwapOpenShift Merge Robot2022-04-15
|\ \ | | | | | | Fix Memory Swappiness passing in Container Clone
| * | Fix Memory Swappiness passing in Container Clonecdoern2022-04-14
| |/ | | | | | | | | | | | | | | | | `DefineCreateFlags` was excluding clone from using the memory-swappiness flag leading the value to be zero when our deafult is -1. Rearrange the if/else to give clone these memory related options resolves #13856 Signed-off-by: cdoern <cdoern@redhat.com>
* | run, create: add --passwd-entryGiuseppe Scrivano2022-04-14
| | | | | | | | | | | | | | | | | | It allows to customize the entry that is written to the `/etc/passwd` file when --passwd is used. Closes: https://github.com/containers/podman/issues/13185 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>