| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
| |
Execution domains tell Linux how to map signal numbers into signal actions.
The execution domain system allows Linux to provide limited support for binaries
compiled under other UNIX-like operating systems.
Reference: https://man7.org/linux/man-pages/man2/personality.2.html
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
this is the first pass at implementing init containers for podman pods.
init containersare made popular by k8s as a way to run setup for pods
before the pods standard containers run.
unlike k8s, we support two styles of init containers: always and
oneshot. always means the container stays in the pod and starts
whenever a pod is started. this does not apply to pods restarting.
oneshot means the container runs onetime when the pod starts and then is
removed.
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
|
|
|
|
|
| |
Fixes: https://github.com/containers/podman/issues/10302
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\
| |
| | |
Fix handling of selinux labels in podman play kube
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes: https://github.com/containers/podman/issues/10969
[NO TESTS NEEDED] We added tests for this, but they don't seem to be
running. If I run the local system tests, they fail with the current
Podman and work with this version.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| |/
|/| |
Copy the content from the underlying image into the newly created volume
|
| |
| |
| |
| |
| |
| | |
Fixes: #10262
Signed-off-by: Vikas Goel <vikas.goel@gmail.com>
|
|\ \
| |/
|/| |
Kube: Add liveness probe for containers backed by native (systemd) healthchecks instead of kubelet.
|
| |
| |
| |
| | |
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
|
|\ \
| | |
| | | |
vendor containers/common@main
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The `IgnorePlatform` options has been removed from the
`LookupImageOptions` in libimage to properly support multi-arch images.
Skip one buildah-bud test which requires updated CI images. This is
currently being done in github.com/containers/podman/pull/10829 but
we need to unblock merging common and buildah into podman.
[NO TESTS NEEDED]
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|/
|
|
|
|
|
|
|
| |
Adds the new --infra-name command line argument allowing users to define
the name of the infra container
Issue #10794
Signed-off-by: José Guilherme Vanz <jvanz@jvanz.com>
|
|
|
|
|
|
|
|
| |
added support for --pid flag. User can specify ns:file, pod, private, or host.
container returns an error since you cannot point the ns of the pods infra container
to a container outside of the pod.
Signed-off-by: cdoern <cdoern@redhat.com>
|
|
|
|
|
|
|
|
| |
Since Podman create/run can support this, so should play.
Fixes: https://github.com/containers/podman/issues/10807
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\
| |
| | |
Support log_tag defaults from containers.conf
|
| |
| |
| |
| |
| |
| | |
Fixes: https://github.com/containers/podman/issues/10204
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
Podman Pod Create --cpus and --cpuset-cpus flags
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Added logic and handling for two new Podman pod create Flags.
--cpus specifies the total number of cores on which the pod can execute, this
is a combination of the period and quota for the CPU.
--cpuset-cpus is a string value which determines of these available cores,
how many we will truly execute on.
Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Much to my regret, there is a number of images in the wild with invalid
platforms breaking the platform checks in libimage that want to make
sure that a local image is matching the expected platform.
Imagine a `podman run --arch=arm64 fedora` with a local amd64 fedora
image. We really shouldn't use the local one in this case and pull down
the arm64 one.
The strict platform checks in libimage in combination with invalid
platforms in images surfaced in Podman being able to pull an image but
failing to look it up in subsequent presence checks. A `podman run`
would hence pull such an image but fail to create the container.
Support images with invalid platforms by vendoring the latest HEAD from
containers/common. Also remove the partially implemented pull-policy
logic from Podman and let libimage handle that entirely. However,
whenever --arch, --os or --platform are specified, the pull policy will
be forced to "newer". This way, we pessimistically assume that the
local image has an invalid platform and we reach out to the registry.
If there's a newer image (i.e., one with a different digest), we'll pull
it down.
Please note that most of the logic has either already been implemented
in libimage or been moved down which allows for removing some clutter
from Podman.
[NO TESTS NEEDED] since c/common has new tests. Podman can rely on the
existing tests.
Fixes: #10648
Fixes: #10682
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Restored containers, until now, had the same port mappings as the
original started container. This commit adds the parameter '--publish'
to 'podman container restore' with the same semantic as during
create/run.
With this change it is possible to create a copy from a container with a
'--publish' rule and replace the original '--publish' setting with a new
one.
# podman run -p 2345:8080 container
# podman container checkpoint -l --export=dump.tar
# podman container restore -p 5432:8080 --import=dump.tar
The restored container will now listen on localhost:5432 instead of
localhost:2345 as the original created container.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
|\
| |
| | |
Handle image user and exposed ports in podman play kube
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently if a user runs an image with a user specified or
exposed ports with podman play kube, the fields are ignored.
Fixed: https://github.com/containers/podman/issues/9609
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the containers.conf field "NetNS" is set to "Bridge" and the
"RootlessNetworking" field is set to "cni", Podman will now
handle rootless in the same way it does root - all containers
will be joined to a default CNI network, instead of exclusively
using slirp4netns.
If no CNI default network config is present for the user, one
will be auto-generated (this also works for root, but it won't be
nearly as common there since the package should already ship a
config).
I eventually hope to remove the "NetNS=Bridge" bit from
containers.conf, but let's get something in for Brent to work
with.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|\
| |
| | |
Support automatic labeling of kube volumes
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Allow users to specify options on the volume mount path.
This will trigger relabels of user specifies :z,:Z
Also will handle User Relabels if the user specifies :U
Fixes: https://github.com/containers/podman/issues/9371
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/
|
|
|
|
|
| |
Support UID, GID, Mode options for mount type secrets. Also, change
default secret permissions to 444 so all users can read secret.
Signed-off-by: Ashley Cui <acui@redhat.com>
|
|
|
|
| |
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
|
|\
| |
| | |
Add support to preserve auto-update labels in play / generate kube
|
| |
| |
| |
| |
| |
| | |
In the case of generate kube the auto-update labels will be converted into kube annotations and for play kube they will be converted back to labels since that's what podman understands
Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
|
|\ \
| |/
|/| |
Add support for environment variable secrets
|
| |
| |
| |
| |
| |
| |
| |
| | |
Env var secrets are env vars that are set inside the container but not
commited to and image. Also support reading from env var when creating a
secret.
Signed-off-by: Ashley Cui <acui@redhat.com>
|
|\ \
| | |
| | | |
Add filepath glob support to --security-opt unmask
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Want to allow users to specify --security-opt unmask=/proc/*.
This allows us to run podman within podman more securely, then
specifing umask=all, also gives the user more flexibilty.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \
| | | |
| | | | |
podman: set volatile storage flag for --rm containers
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
volatile containers are a storage optimization that disables *sync()
syscalls for the container rootfs.
If a container is created with --rm, then automatically set the
volatile storage flag as anyway the container won't persist after a
reboot or machine crash.
[NO TESTS NEEDED]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Migrate the Podman code base over to `common/libimage` which replaces
`libpod/image` and a lot of glue code entirely.
Note that I tried to leave bread crumbs for changed tests.
Miscellaneous changes:
* Some errors yield different messages which required to alter some
tests.
* I fixed some pre-existing issues in the code. Others were marked as
`//TODO`s to prevent the PR from exploding.
* The `NamesHistory` of an image is returned as is from the storage.
Previously, we did some filtering which I think is undesirable.
Instead we should return the data as stored in the storage.
* Touched handlers use the ABI interfaces where possible.
* Local image resolution: previously Podman would match "foo" on
"myfoo". This behaviour has been changed and Podman will now
only match on repository boundaries such that "foo" would match
"my/foo" but not "myfoo". I consider the old behaviour to be a
bug, at the very least an exotic corner case.
* Futhermore, "foo:none" does *not* resolve to a local image "foo"
without tag anymore. It's a hill I am (almost) willing to die on.
* `image prune` prints the IDs of pruned images. Previously, in some
cases, the names were printed instead. The API clearly states ID,
so we should stick to it.
* Compat endpoint image removal with _force_ deletes the entire not
only the specified tag.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \
| |/
|/| |
Add podman run --timeout option
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This option allows users to specify the maximum amount of time to run
before conmon sends the kill signal to the container.
Fixes: https://github.com/containers/podman/issues/6412
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| |/
|/| |
Add support for CDI device configuration
|
| |
| |
| |
| |
| |
| |
| |
| | |
- Persist CDIDevices in container config
- Add e2e test
- Log HasDevice error and add additional condition for safety
Signed-off-by: Sebastian Jug <seb@stianj.ug>
|
|/
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\
| |
| | |
Add flag "--pidfile" for podman create/run
|
| |
| |
| |
| | |
Signed-off-by: chenkang <kongchen28@gmail.com>
|
|/
|
|
| |
Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
|
|
|
|
|
|
|
|
|
|
| |
The --log-driver flag was silently ignored by podman play kube. This
regression got introduced during the play kube rework.
Unfortunately the test for this was skipped for no good reason.
Fixes #10015
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
|\
| |
| | |
Add --requires flag to podman run/create
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Podman has, for a long time, had an internal concept of
dependency management, used mainly to ensure that pod infra
containers are started before any other container in the pod. We
also have the ability to recursively start these dependencies,
which we use to ensure that `podman start` on a container in a
pod will not fail because the infra container is stopped. We have
not, however, exposed these via the command line until now.
Add a `--requires` flag to `podman run` and `podman create` to
allow users to manually specify dependency containers. These
containers must be running before the container will start. Also,
make recursive starting with `podman start` default so we can
start these containers and their dependencies easily.
Fixes #9250
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
One of the side-effects of the `--userns=keep-id` command is
switching the default user of the container to the UID of the
user running Podman (though this can still be overridden by the
`--user` flag). However, it did this by setting the UID and GID
in the OCI spec, and not by informing Libpod of its intention to
switch users via the `WithUser()` option. Because of this, a lot
of the code that should have triggered when the container ran
with a non-root user was not triggering. In the case of the issue
that this fixed, the code to remove capabilities from non-root
users was not triggering. Adjust the keep-id code to properly
inform Libpod of our intention to use a non-root user to fix
this.
Also, fix an annoying race around short-running exec sessions
where Podman would always print a warning that the exec session
had already stopped.
Fixes #9919
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| | |
For rootless users the infra container used the slirp4netns net mode
even when bridge was requested. We can support bridge networking for
rootless users so we have allow this. The default is not changed.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
|/
|
|
|
|
| |
This is supported with the new rootless cni logic.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|