summaryrefslogtreecommitdiff
path: root/pkg/specgen
Commit message (Collapse)AuthorAge
* personality: Add support for setting execution domain.flouthoc2021-08-06
| | | | | | | | | | Execution domains tell Linux how to map signal numbers into signal actions. The execution domain system allows Linux to provide limited support for binaries compiled under other UNIX-like operating systems. Reference: https://man7.org/linux/man-pages/man2/personality.2.html Signed-off-by: flouthoc <flouthoc.git@gmail.com>
* implement init containers in podmanBrent Baude2021-08-04
| | | | | | | | | | | | | | this is the first pass at implementing init containers for podman pods. init containersare made popular by k8s as a way to run setup for pods before the pods standard containers run. unlike k8s, we support two styles of init containers: always and oneshot. always means the container stays in the pod and starts whenever a pod is started. this does not apply to pods restarting. oneshot means the container runs onetime when the pod starts and then is removed. Signed-off-by: Brent Baude <bbaude@redhat.com>
* Support DeviceCgroupRules to actually get added.Daniel J Walsh2021-07-21
| | | | | | Fixes: https://github.com/containers/podman/issues/10302 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #10992 from rhatdan/playOpenShift Merge Robot2021-07-21
|\ | | | | Fix handling of selinux labels in podman play kube
| * Fix handling of selinux labels in podman play kubeDaniel J Walsh2021-07-20
| | | | | | | | | | | | | | | | | | | | Fixes: https://github.com/containers/podman/issues/10969 [NO TESTS NEEDED] We added tests for this, but they don't seem to be running. If I run the local system tests, they fail with the current Podman and work with this version. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #10970 from vikas-goel/prepare-volumeOpenShift Merge Robot2021-07-21
|\ \ | |/ |/| Copy the content from the underlying image into the newly created volume
| * Copy the content from the underlying image into the newly created volume.Vikas Goel2021-07-20
| | | | | | | | | | | | Fixes: #10262 Signed-off-by: Vikas Goel <vikas.goel@gmail.com>
* | Merge pull request #10956 from flouthoc/kube-liveness-probe-systemdOpenShift Merge Robot2021-07-19
|\ \ | |/ |/| Kube: Add liveness probe for containers backed by native (systemd) healthchecks instead of kubelet.
| * Kube: Add liveness probe for containers.flouthoc2021-07-17
| | | | | | | | Signed-off-by: flouthoc <flouthoc.git@gmail.com>
* | Merge pull request #10848 from vrothberg/update-libimageOpenShift Merge Robot2021-07-16
|\ \ | | | | | | vendor containers/common@main
| * | vendor containers/common@mainValentin Rothberg2021-07-16
| |/ | | | | | | | | | | | | | | | | | | | | | | | | The `IgnorePlatform` options has been removed from the `LookupImageOptions` in libimage to properly support multi-arch images. Skip one buildah-bud test which requires updated CI images. This is currently being done in github.com/containers/podman/pull/10829 but we need to unblock merging common and buildah into podman. [NO TESTS NEEDED] Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* / --infra-name command line argumentJosé Guilherme Vanz2021-07-15
|/ | | | | | | | | Adds the new --infra-name command line argument allowing users to define the name of the infra container Issue #10794 Signed-off-by: José Guilherme Vanz <jvanz@jvanz.com>
* podman pod create --pid flagcdoern2021-07-15
| | | | | | | | added support for --pid flag. User can specify ns:file, pod, private, or host. container returns an error since you cannot point the ns of the pods infra container to a container outside of the pod. Signed-off-by: cdoern <cdoern@redhat.com>
* Handle advanced --network options in podman play kubeDaniel J Walsh2021-06-30
| | | | | | | | Since Podman create/run can support this, so should play. Fixes: https://github.com/containers/podman/issues/10807 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #10583 from rhatdan/logOpenShift Merge Robot2021-06-24
|\ | | | | Support log_tag defaults from containers.conf
| * Support log_tag defaults from containers.confDaniel J Walsh2021-06-23
| | | | | | | | | | | | Fixes: https://github.com/containers/podman/issues/10204 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #10716 from cdoern/podFlagsOpenShift Merge Robot2021-06-23
|\ \ | | | | | | Podman Pod Create --cpus and --cpuset-cpus flags
| * | Podman Pod Create --cpus and --cpuset-cpus flagscdoern2021-06-23
| |/ | | | | | | | | | | | | | | | | | | | | | | Added logic and handling for two new Podman pod create Flags. --cpus specifies the total number of cores on which the pod can execute, this is a combination of the period and quota for the CPU. --cpuset-cpus is a string value which determines of these available cores, how many we will truly execute on. Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* / create: support images with invalid platformValentin Rothberg2021-06-23
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Much to my regret, there is a number of images in the wild with invalid platforms breaking the platform checks in libimage that want to make sure that a local image is matching the expected platform. Imagine a `podman run --arch=arm64 fedora` with a local amd64 fedora image. We really shouldn't use the local one in this case and pull down the arm64 one. The strict platform checks in libimage in combination with invalid platforms in images surfaced in Podman being able to pull an image but failing to look it up in subsequent presence checks. A `podman run` would hence pull such an image but fail to create the container. Support images with invalid platforms by vendoring the latest HEAD from containers/common. Also remove the partially implemented pull-policy logic from Podman and let libimage handle that entirely. However, whenever --arch, --os or --platform are specified, the pull policy will be forced to "newer". This way, we pessimistically assume that the local image has an invalid platform and we reach out to the registry. If there's a newer image (i.e., one with a different digest), we'll pull it down. Please note that most of the logic has either already been implemented in libimage or been moved down which allows for removing some clutter from Podman. [NO TESTS NEEDED] since c/common has new tests. Podman can rely on the existing tests. Fixes: #10648 Fixes: #10682 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Allow changing of port forward rules on restoreAdrian Reber2021-06-04
| | | | | | | | | | | | | | | | | | | | Restored containers, until now, had the same port mappings as the original started container. This commit adds the parameter '--publish' to 'podman container restore' with the same semantic as during create/run. With this change it is possible to create a copy from a container with a '--publish' rule and replace the original '--publish' setting with a new one. # podman run -p 2345:8080 container # podman container checkpoint -l --export=dump.tar # podman container restore -p 5432:8080 --import=dump.tar The restored container will now listen on localhost:5432 instead of localhost:2345 as the original created container. Signed-off-by: Adrian Reber <areber@redhat.com>
* Merge pull request #10383 from rhatdan/kubeOpenShift Merge Robot2021-05-27
|\ | | | | Handle image user and exposed ports in podman play kube
| * Handle image user and exposed ports in podman play kubeDaniel J Walsh2021-05-26
| | | | | | | | | | | | | | | | | | Currently if a user runs an image with a user specified or exposed ports with podman play kube, the fields are ignored. Fixed: https://github.com/containers/podman/issues/9609 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Add the option of Rootless CNI networking by defaultMatthew Heon2021-05-26
|/ | | | | | | | | | | | | | | | | | | When the containers.conf field "NetNS" is set to "Bridge" and the "RootlessNetworking" field is set to "cni", Podman will now handle rootless in the same way it does root - all containers will be joined to a default CNI network, instead of exclusively using slirp4netns. If no CNI default network config is present for the user, one will be auto-generated (this also works for root, but it won't be nearly as common there since the package should already ship a config). I eventually hope to remove the "NetNS=Bridge" bit from containers.conf, but let's get something in for Brent to work with. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #10339 from rhatdan/selinuxOpenShift Merge Robot2021-05-17
|\ | | | | Support automatic labeling of kube volumes
| * Support automatic labeling of kube volumesDaniel J Walsh2021-05-16
| | | | | | | | | | | | | | | | | | | | Allow users to specify options on the volume mount path. This will trigger relabels of user specifies :z,:Z Also will handle User Relabels if the user specifies :U Fixes: https://github.com/containers/podman/issues/9371 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Support uid,gid,mode options for secretsAshley Cui2021-05-17
|/ | | | | | | Support UID, GID, Mode options for mount type secrets. Also, change default secret permissions to 444 so all users can read secret. Signed-off-by: Ashley Cui <acui@redhat.com>
* Kube like pods should share ipc,net,uts by defaultflouthoc2021-05-10
| | | | Signed-off-by: flouthoc <flouthoc.git@gmail.com>
* Merge pull request #10202 from EduardoVega/9763-kube-auto-updateOpenShift Merge Robot2021-05-07
|\ | | | | Add support to preserve auto-update labels in play / generate kube
| * Adds support to preserve auto update labels in generate and play kubeEduardo Vega2021-05-06
| | | | | | | | | | | | In the case of generate kube the auto-update labels will be converted into kube annotations and for play kube they will be converted back to labels since that's what podman understands Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
* | Merge pull request #10221 from ashley-cui/envsecOpenShift Merge Robot2021-05-07
|\ \ | |/ |/| Add support for environment variable secrets
| * Add support for environment variable secretsAshley Cui2021-05-06
| | | | | | | | | | | | | | | | Env var secrets are env vars that are set inside the container but not commited to and image. Also support reading from env var when creating a secret. Signed-off-by: Ashley Cui <acui@redhat.com>
* | Merge pull request #10185 from rhatdan/volumeOpenShift Merge Robot2021-05-05
|\ \ | | | | | | Add filepath glob support to --security-opt unmask
| * | Add filepath glob support to --security-opt unmaskDaniel J Walsh2021-05-04
| | | | | | | | | | | | | | | | | | | | | | | | Want to allow users to specify --security-opt unmask=/proc/*. This allows us to run podman within podman more securely, then specifing umask=all, also gives the user more flexibilty. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #10220 from giuseppe/rm-volatileOpenShift Merge Robot2021-05-05
|\ \ \ | | | | | | | | podman: set volatile storage flag for --rm containers
| * | | podman: set volatile storage flag for --rm containersGiuseppe Scrivano2021-05-05
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | volatile containers are a storage optimization that disables *sync() syscalls for the container rootfs. If a container is created with --rm, then automatically set the volatile storage flag as anyway the container won't persist after a reboot or machine crash. [NO TESTS NEEDED] Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / / migrate Podman to containers/common/libimageValentin Rothberg2021-05-05
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Migrate the Podman code base over to `common/libimage` which replaces `libpod/image` and a lot of glue code entirely. Note that I tried to leave bread crumbs for changed tests. Miscellaneous changes: * Some errors yield different messages which required to alter some tests. * I fixed some pre-existing issues in the code. Others were marked as `//TODO`s to prevent the PR from exploding. * The `NamesHistory` of an image is returned as is from the storage. Previously, we did some filtering which I think is undesirable. Instead we should return the data as stored in the storage. * Touched handlers use the ABI interfaces where possible. * Local image resolution: previously Podman would match "foo" on "myfoo". This behaviour has been changed and Podman will now only match on repository boundaries such that "foo" would match "my/foo" but not "myfoo". I consider the old behaviour to be a bug, at the very least an exotic corner case. * Futhermore, "foo:none" does *not* resolve to a local image "foo" without tag anymore. It's a hill I am (almost) willing to die on. * `image prune` prints the IDs of pruned images. Previously, in some cases, the names were printed instead. The API clearly states ID, so we should stick to it. * Compat endpoint image removal with _force_ deletes the entire not only the specified tag. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #10119 from rhatdan/timeoutOpenShift Merge Robot2021-04-27
|\ \ | |/ |/| Add podman run --timeout option
| * Add podman run --timeout optionDaniel J Walsh2021-04-23
| | | | | | | | | | | | | | | | | | This option allows users to specify the maximum amount of time to run before conmon sends the kill signal to the container. Fixes: https://github.com/containers/podman/issues/6412 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #10081 from sjug/cdi_device_libOpenShift Merge Robot2021-04-26
|\ \ | |/ |/| Add support for CDI device configuration
| * Add support for CDI device configurationSebastian Jug2021-04-20
| | | | | | | | | | | | | | | | - Persist CDIDevices in container config - Add e2e test - Log HasDevice error and add additional condition for safety Signed-off-by: Sebastian Jug <seb@stianj.ug>
* | Fixes from make codespellDaniel J Walsh2021-04-21
|/ | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #10041 from chenk008/add_pidfile_flagOpenShift Merge Robot2021-04-19
|\ | | | | Add flag "--pidfile" for podman create/run
| * add flag "--pidfile" for podman create/runwuhua.ck2021-04-16
| | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
* | Ensure mount destination is clean, no trailing slashEduardo Vega2021-04-18
|/ | | | Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
* podman play kube apply correct log driverPaul Holzinger2021-04-15
| | | | | | | | | | The --log-driver flag was silently ignored by podman play kube. This regression got introduced during the play kube rework. Unfortunately the test for this was skipped for no good reason. Fixes #10015 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #9754 from mheon/add_depOpenShift Merge Robot2021-04-06
|\ | | | | Add --requires flag to podman run/create
| * Add --requires flag to podman run/createMatthew Heon2021-04-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman has, for a long time, had an internal concept of dependency management, used mainly to ensure that pod infra containers are started before any other container in the pod. We also have the ability to recursively start these dependencies, which we use to ensure that `podman start` on a container in a pod will not fail because the infra container is stopped. We have not, however, exposed these via the command line until now. Add a `--requires` flag to `podman run` and `podman create` to allow users to manually specify dependency containers. These containers must be running before the container will start. Also, make recursive starting with `podman start` default so we can start these containers and their dependencies easily. Fixes #9250 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Ensure that `--userns=keep-id` sets user in configMatthew Heon2021-04-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | One of the side-effects of the `--userns=keep-id` command is switching the default user of the container to the UID of the user running Podman (though this can still be overridden by the `--user` flag). However, it did this by setting the UID and GID in the OCI spec, and not by informing Libpod of its intention to switch users via the `WithUser()` option. Because of this, a lot of the code that should have triggered when the container ran with a non-root user was not triggering. In the case of the issue that this fixed, the code to remove capabilities from non-root users was not triggering. Adjust the keep-id code to properly inform Libpod of our intention to use a non-root user to fix this. Also, fix an annoying race around short-running exec sessions where Podman would always print a warning that the exec session had already stopped. Fixes #9919 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Fix pod infra container cni network setupPaul Holzinger2021-04-01
| | | | | | | | | | | | | | | | For rootless users the infra container used the slirp4netns net mode even when bridge was requested. We can support bridge networking for rootless users so we have allow this. The default is not changed. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Add rootless support for cni and --uidmapPaul Holzinger2021-04-01
|/ | | | | | This is supported with the new rootless cni logic. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>