summaryrefslogtreecommitdiff
path: root/pkg/specgen
Commit message (Collapse)AuthorAge
* Support max_size logoptionsDaniel J Walsh2020-10-05
| | | | | | | | Docker supports log-opt max_size and so does conmon (ALthough poorly). Adding support for this allows users to at least make sure their containers logs do not become a DOS vector. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add SELinux support for podsDaniel J Walsh2020-10-02
| | | | | | | | | | All containers within a Pod need to run with the same SELinux label, unless overwritten by the user. Also added a bunch of SELinux tests to make sure selinux labels are correct on namespaces. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #7882 from giuseppe/check-for-gids-before-adding-themOpenShift Merge Robot2020-10-02
|\ | | | | libpod: check there are enough gids before adding them
| * rootless: move GetAvailableGids to the rootless pkgGiuseppe Scrivano2020-10-02
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | spec: open fuse with --device .*/fuseGiuseppe Scrivano2020-10-02
|/ | | | | | | | | If the container uses the /dev/fuse device, attempt to load the fuse kernel module first so that nested containers can use it. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1872240 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #7798 from QiWang19/run-manifestOpenShift Merge Robot2020-09-30
|\ | | | | Use local image if input image is a manifest list
| * Use local image if input image is a manifest listQi Wang2020-09-30
| | | | | | | | | | | | If run&create image returns error: image contains manifest list, not a runnable image, find the local image that has digest matching the digest from the list and use the image from local storage for the command. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Merge pull request #7820 from giuseppe/fix-capabilities-not-rootOpenShift Merge Robot2020-09-30
|\ \ | | | | | | capabilities: always set ambient and inheritable
| * | capabilities: always set ambient and inheritableGiuseppe Scrivano2020-09-30
| |/ | | | | | | | | | | | | | | | | | | | | | | change capabilities handling to reflect what docker does. Bounding: set to caplist Inheritable: set to caplist Effective: if uid != 0 then clear; else set to caplist Permitted: if uid != 0 then clear; else set to caplist Ambient: clear Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / We already set container=podman environment variableDaniel J Walsh2020-09-29
|/ | | | | | Only need to set container, no need for containers Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #7783 from ashley-cui/slirpOpenShift Merge Robot2020-09-29
|\ | | | | Add support for slirp network for pods
| * Add support for slirp network for podsAshley Cui2020-09-25
| | | | | | | | | | | | flag --network=slirp4netns[options] for root and rootless pods Signed-off-by: Ashley Cui <acui@redhat.com>
* | Ignore containers.conf sysctl when namespaces set to hostDaniel J Walsh2020-09-28
| | | | | | | | | | | | | | | | | | | | | | If user sets namespace to host, then default sysctls need to be ignored that are specific to that namespace. --net=host ignore sysctls that begin with net. --ipc=host ignore fs.mqueue --uts=host ignore kernel.domainname and kernel.hostname Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Fix incorrect parsing of create/run --volumes-fromPaul Holzinger2020-09-20
|/ | | | | | | | | Add a bunch of tests to ensure that --volumes-from works as expected. Also align the podman create and run man page. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Fix podman pod create --infra-command and --infra-imageDaniel J Walsh2020-09-16
| | | | | | | | Currently infr-command and --infra-image commands are ignored from the user. This PR instruments them and adds tests for each combination. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* run/create: record raw imageValentin Rothberg2020-09-15
| | | | | | | | | | | | | | | | | | | | | | Record the user-specified "raw" image name in the SpecGenerator, so we can pass it along to the config when creating a container. We need a separate field as the image name in the generator may be set to the ID of the previously pulled image - ultimately the cause of #7404. Reverting the image name from the ID to the user input would not work since "alpine" for pulling iterates over the search registries in the registries.conf but looking up "alpine" normalizes to "localhost/alpine". Recording the raw-image name directly in the generator was the best of the options I considered as no hidden magic from search registries or normalizations (that may or may not change in the future) can interfere. The auto-update backend enforces that the raw-image name is a fully-qualified reference, so we need to worry about that in the front end. Fixes: #7407 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Fix up errors found by codespellDaniel J Walsh2020-09-11
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Make oom-score-adj actually workDaniel J Walsh2020-09-09
| | | | | | | | | | | During the redesign of podman 2.0, we dropped the support for --oom-score-adj. Test for this flag was bogus and thus passing when it was broken. Basically just need to set the value in the spec. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1877187 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix unconfined AppArmor profile usage for unsupported systemsSascha Grunert2020-09-07
| | | | | | | | If we select "unconfined" as AppArmor profile, then we should not error even if the host does not support it at all. This behavior has been fixed and a corresponding e2e test has been added as well. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Merge pull request #7355 from rhatdan/envOpenShift Merge Robot2020-08-28
|\ | | | | Use environment from containers.conf
| * Use environment from containers.confDaniel J Walsh2020-08-28
| | | | | | | | | | | | | | | | | | | | podman needs to use the environment settings in containers.conf when setting up the containers. Also host environment variables should be relative to server side not the client. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7427 from mheon/update_error_messagesOpenShift Merge Robot2020-08-28
|\ \ | |/ |/| Fix up some error messages
| * Fix up some error messagesMatthew Heon2020-08-27
| | | | | | | | | | | | | | | | | | We have a lot of 'cannot stat %s' errors in our codebase. These are terrible and confusing and utterly useless without context. Add some context to a few of them so we actually know what part of the code is failing. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Switch to containers/common for seccompSascha Grunert2020-08-27
|/ | | | | | | The seccomp/containers-golang library is not maintained any more and we should stick to containers/common. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Merge pull request #7372 from giuseppe/add-unified-configurationOpenShift Merge Robot2020-08-24
|\ | | | | podman: add option --cgroup-conf
| * podman: add option --cgroup-confGiuseppe Scrivano2020-08-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | it allows to manually tweak the configuration for cgroup v2. we will expose some of the options in future as single options (e.g. the new memory knobs), but for now add the more generic --cgroup-conf mechanism for maximum control on the cgroup configuration. OCI specs change: https://github.com/opencontainers/runtime-spec/pull/1040 Requires: https://github.com/containers/crun/pull/459 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #7274 from rhatdan/capsOpenShift Merge Robot2020-08-23
|\ \ | |/ |/| In podman 1.* regression on --cap-add
| * In podman 1.* regression on --cap-addDaniel J Walsh2020-08-21
| | | | | | | | | | | | | | | | | | | | | | | | In podman 1.0 if you executed a command like: podman run --user dwalsh --cap-add net_bind_service alpine nc -l 80 It would work, and the user dwalsh would get the capability, in podman 2.0, only root and the binding set gets the capability. This change restores us back to the way podman 1.0 worked. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | error when adding container to pod with network informationBrent Baude2020-08-21
|/ | | | | | | | | | | | because a pod's network information is dictated by the infra container at creation, a container cannot be created with network attributes. this has been difficult for users to understand. we now return an error when a container is being created inside a pod and passes any of the following attributes: * static IP (v4 and v6) * static mac * ports -p (i.e. -p 8080:80) * exposed ports (i.e. 222-225) * publish ports from image -P Signed-off-by: Brent Baude <bbaude@redhat.com>
* fix podman create/run UTS NS docsPaul Holzinger2020-08-18
| | | | | | | | Add better error message when using `--pod` and `--hostname`. Improve the docs to better explain the uts hostname relation. Add more valid options for the `--uts` flag. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #7283 from mheon/pod_infra_has_exit_cmdOpenShift Merge Robot2020-08-17
|\ | | | | Ensure pod infra containers have an exit command
| * Ensure pod infra containers have an exit commandMatthew Heon2020-08-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Most Libpod containers are made via `pkg/specgen/generate` which includes code to generate an appropriate exit command which will handle unmounting the container's storage, cleaning up the container's network, etc. There is one notable exception: pod infra containers, which are made entirely within Libpod and do not touch pkg/specgen. As such, no cleanup process, network never cleaned up, bad things can happen. There is good news, though - it's not that difficult to add this, and it's done in this PR. Generally speaking, we don't allow passing options directly to the infra container at create time, but we do (optionally) proxy a pre-approved set of options into it when we create it. Add ExitCommand to these options, and set it at time of pod creation using the same code we use to generate exit commands for normal containers. Fixes #7103 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | run, create: add new security-opt proc-optsGiuseppe Scrivano2020-08-12
| | | | | | | | | | | | | | it allows to customize the options passed down to the OCI runtime for setting up the /proc mount. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #7288 from tiran/systemd_local_initOpenShift Merge Robot2020-08-11
|\ \ | |/ |/| Enable systemd mode for /usr/local/sbin/init
| * Use set for systemd commandsChristian Heimes2020-08-11
| | | | | | | | Signed-off-by: Christian Heimes <cheimes@redhat.com>
| * Enable systemd mode for /usr/local/sbin/initChristian Heimes2020-08-11
| | | | | | | | | | | | | | | | | | | | Podman 1.6.2 changed systemd mode auto-detection from commands ending in ``init`` to hard-coded paths ``/sbin/init`` and ``/usr/sbin/init``. This broke FreeIPA container. ``podman run`` and ``podman create`` now activate systemd mode when the command is ``/usr/local/sbin/init``. Fixes: https://github.com/containers/podman/issues/7287 Signed-off-by: Christian Heimes <cheimes@redhat.com>
* | Merge pull request #7269 from openSUSE/seccompOpenShift Merge Robot2020-08-11
|\ \ | | | | | | Allow specifying seccomp profiles for privileged containers
| * | Allow specifying seccomp profiles for privileged containersSascha Grunert2020-08-11
| | | | | | | | | | | | | | | | | | | | | To sync the behavior between AppArmor and seccomp it is now possible to also specify seccomp profiles for privileged containers. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* | | Merge pull request #7239 from rhatdan/workingOpenShift Merge Robot2020-08-11
|\ \ \ | |_|/ |/| | Fix handling of working dir
| * | Fix handling of working dirDaniel J Walsh2020-08-10
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Buildah and podman build can create images without a working dir. FROM fedora WORKDIR /test If you build this image with caching twice, the second time the image will not have a working dir. Similarly if you execute podman run --workdir /foobar fedora It blows up since the workingdir is not created automatically. Finally there was duplicated code for getting the workingdir out of an image, that this PR removes. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / Do not use image CMD if user gave ENTRYPOINTMatthew Heon2020-08-10
|/ | | | | | | | | | | | | | | | This matches Docker behavior, and seems to make sense - the CMD may have been specific to the original entrypoint and probably does not make sense if it was changed. While we're in here, greatly simplify the logic for populating the SpecGen's Command. We create the full command when making the OCI spec, so the client should not be doing any more than setting it to the Command the user passed in, and completely ignoring ENTRYPOINT. Fixes #7115 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #7176 from mheon/make_entrypointOpenShift Merge Robot2020-08-05
|\ | | | | Ensure WORKDIR from images is created
| * Ensure WORKDIR from images is createdMatthew Heon2020-08-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | A recent crun change stopped the creation of the container's working directory if it does not exist. This is arguably correct for user-specified directories, to protect against typos; it is definitely not correct for image WORKDIR, where the image author definitely intended for the directory to be used. This makes Podman create the working directory and chown it to container root, if it does not already exist, and only if it was specified by an image, not the user. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | fix pod creation with "new:" syntaxPaul Holzinger2020-07-31
|/ | | | | | | | | | | When you execute podman create/run with the --pod new:<name> syntax the pod was created but the namespaces where not shared and therefore containers could not communicate over localhost. Add the default namespaces and pass the network options to the pod create options. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Binding the same container port to >1 host port is OKMatthew Heon2020-07-29
| | | | | | | | | | | The initial version of the new port code mistakenly restricted this, so un-restrict it. We still need to maintain the map of container ports, unfortunately (need to verify if the port in question is a duplicate, for example). Fixes #7062 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Switch all references to github.com/containers/libpod -> podmanDaniel J Walsh2020-07-28
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Support default profile for apparmorDaniel J Walsh2020-07-22
| | | | | | | | | | | | | | Currently you can not apply an ApparmorProfile if you specify --privileged. This patch will allow both to be specified simultaniosly. By default Apparmor should be disabled if the user specifies --privileged, but if the user specifies --security apparmor:PROFILE, with --privileged, we should do both. Added e2e run_apparmor_test.go Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add --umask flag for create, runAshley Cui2020-07-21
| | | | | | | | --umask sets the umask inside the container Defaults to 0022 Co-authored-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Ashley Cui <acui@redhat.com>
* Add support for overlay volume mounts in podman.Qi Wang2020-07-20
| | | | | | | | Add support -v for overlay volume mounts in podman. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Qi Wang <qiwan@redhat.com>
* abi: set default umask and rlimitsGiuseppe Scrivano2020-07-17
| | | | | | | | the code got lost in the migration to podman 2.0, reintroduce it. Closes: https://github.com/containers/podman/issues/6989 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-11-01 08:22:38 +0000