summaryrefslogtreecommitdiff
path: root/pkg/specgen
Commit message (Collapse)AuthorAge
* Ensure that `--userns=keep-id` sets user in configMatthew Heon2021-04-06
| | | | | | | | | | | | | | | | | | | | | | | One of the side-effects of the `--userns=keep-id` command is switching the default user of the container to the UID of the user running Podman (though this can still be overridden by the `--user` flag). However, it did this by setting the UID and GID in the OCI spec, and not by informing Libpod of its intention to switch users via the `WithUser()` option. Because of this, a lot of the code that should have triggered when the container ran with a non-root user was not triggering. In the case of the issue that this fixed, the code to remove capabilities from non-root users was not triggering. Adjust the keep-id code to properly inform Libpod of our intention to use a non-root user to fix this. Also, fix an annoying race around short-running exec sessions where Podman would always print a warning that the exec session had already stopped. Fixes #9919 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Fix pod infra container cni network setupPaul Holzinger2021-04-01
| | | | | | | | For rootless users the infra container used the slirp4netns net mode even when bridge was requested. We can support bridge networking for rootless users so we have allow this. The default is not changed. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Add rootless support for cni and --uidmapPaul Holzinger2021-04-01
| | | | | | This is supported with the new rootless cni logic. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #9516 from rhatdan/shrinkOpenShift Merge Robot2021-03-29
|\ | | | | [NO TESTS NEEDED] Shrink the size of podman bindings
| * [NO TESTS NEEDED] Shrink the size of podman-remoteDaniel J Walsh2021-03-29
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #9842 from AlbanBedel/play-kube-env-from-secretsOpenShift Merge Robot2021-03-29
|\ \ | |/ |/| Add support for env from secrets in play kube
| * play kube: add support for env vars defined from secretsAlban Bedel2021-03-28
| | | | | | | | | | | | | | | | | | | | Add support for secretRef and secretKeyRef to allow env vars to be set from a secret. As K8S secrets are dictionaries the secret value must be a JSON dictionary compatible with the data field of a K8S secret object. The keys must consist of alphanumeric characters, '-', '_' or '.', and the values must be base64 encoded strings. Signed-off-by: Alban Bedel <albeu@free.fr>
| * play kube: support optional/mandatory env var from config mapAlban Bedel2021-03-28
| | | | | | | | | | | | | | | | | | | | | | | | | | In K8S the pod creation fails if an env var reference a non existing config map key. It can be marked as optional, but per default it is mandatory. Podman on the other hand always treat such references as optional. Rework envVarsFrom() and envVarValue() to additionaly return an error and add support for the optional attribute in configMapRef and configMapKeyRef. Signed-off-by: Alban Bedel <albeu@free.fr>
| * play kube: prepare supporting other env source than config mapsAlban Bedel2021-03-28
| | | | | | | | | | | | | | | | | | | | | | Rework envVarsFromConfigMap() and envVarValue() to simplify supporting other env sources than config maps. For this we pass the whole spec generator options struct as parameter instead of just the config maps list. Then we rename envVarsFromConfigMap() to envVarsFrom() and in envVarValue() we reposition the loop over the config maps to only run it when a configMapRef element exists. Signed-off-by: Alban Bedel <albeu@free.fr>
* | Add problematic volume name to kube play error messagesJordan Christiansen2021-03-27
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When kube play fails to create a volume, it should say which volume had the problem so the user doesn't have to guess. For the following pod spec: apiVersion: v1 kind: Pod metadata: name: mypod spec: containers: - name: myfrontend image: nginx volumeMounts: - mountPath: "/var/www/html" name: mypd volumes: - name: mypd hostPath: path: /var/blah podman will now report: Error: failed to create volume "mypd": error in parsing HostPath in YAML: error checking path "/var/blah": stat /var/blah: no such file or directory Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
* Merge pull request #9816 from jwhonce/wip/namespaceOpenShift Merge Robot2021-03-25
|\ | | | | Correct json encoding field name for Namespace type
| * Correct json field nameJhon Honce2021-03-25
| | | | | | | | | | | | | | | | | | [NO TESTS NEEDED] * When using the Namespace type, the field Value was json encoded with the name "string" vs "value". Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | Improvements for machinebaude2021-03-25
| | | | | | | | | | | | clean up ci failures and add appropriate arch,os exclusion tags Signed-off-by: baude <bbaude@redhat.com>
* | introduce podman machinebaude2021-03-25
|/ | | | | | | | | | | | | | | podman machine allows podman to create, manage, and interact with a vm running some form of linux (default is fcos). podman is then configured to be able to interact with the vm automatically. while this is usable on linux, the real push is to get this working on both current apple architectures in macos. Ashley Cui contributed to this PR and was a great help. [NO TESTS NEEDED] Signed-off-by: baude <bbaude@redhat.com>
* security: use the bounding caps with --privilegedGiuseppe Scrivano2021-03-19
| | | | | | | | | when --privileged is used, make sure to not request more capabilities than currently available in the current context. [NO TESTS NEEDED] since it fixes existing tests. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* replace local mount consts with libpod/defineJakub Guzik2021-03-07
| | | | Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* Enable cgroupsv2 rw mount via security-opt unmaskJakub Guzik2021-02-28
| | | | Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* Add U volume flag to chown source volumesEduardo Vega2021-02-22
| | | | Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
* bump go module to v3Valentin Rothberg2021-02-22
| | | | | | | | | We missed bumping the go module, so let's do it now :) * Automated go code with github.com/sirkon/go-imports-rename * Manually via `vgrep podman/v2` the rest Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Ignore entrypoint=[\"\"]Daniel J Walsh2021-02-17
| | | | | | | | | | | | | We recieved an issue with an image that was built with entrypoint=[""] This blows up on Podman, but works on Docker. When we setup the OCI Runtime, we should drop entrypoint if it is == [""] https://github.com/containers/podman/issues/9377 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Enable more golangci-lint lintersPaul Holzinger2021-02-12
| | | | | | | | | | | | | | | | | Cleanup the golangci.yml file and enable more linters. `pkg/spec` and `iopodman.io` is history. The vendor directory is excluded by default. The dependencies dir was listed twice. Fix the reported problems in `pkg/specgen` because that was also excluded by `pkg/spec`. Enable the structcheck, typecheck, varcheck, deadcode and depguard linters. [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Support annotations from containers.confDaniel J Walsh2021-02-09
| | | | | | | Currently podman does not use the annotations specified in the containers.conf. This PR fixes this. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Implement SecretsAshley Cui2021-02-09
| | | | | | | | | | | Implement podman secret create, inspect, ls, rm Implement podman run/create --secret Secrets are blobs of data that are sensitive. Currently, the only secret driver supported is filedriver, which means creating a secret stores it in base64 unencrypted in a file. After creating a secret, a user can use the --secret flag to expose the secret inside the container at /run/secrets/[secretname] This secret will not be commited to an image on a podman commit Signed-off-by: Ashley Cui <acui@redhat.com>
* Merge pull request #9205 from st1971/issue-8710OpenShift Merge Robot2021-02-05
|\ | | | | play kube selinux label issue
| * play kube selinux label issueSteven Taylor2021-02-02
| | | | | | | | | | | | | | | | | | play kube function not respecting selinux options in kube yaml, all options were being mapped to role. fixes issue 8710 Signed-off-by: Steven Taylor <steven@taylormuff.co.uk>
* | Allow pods to use --net=noneMatthew Heon2021-02-02
|/ | | | | | | | | | | We need an extra field in the pod infra container config. We may want to reevaluate that struct at some point, as storing network modes as bools will rapidly become unsustainable, but that's a discussion for another time. Otherwise, straightforward plumbing. Fixes #9165 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Honor custom DNS in play|generate kubebaude2021-01-29
| | | | | | | | | | | | | | | | | | when creating kubernetes yaml from containers and pods, we should honor any custom dns settings the user provided. in the case of generate kube, these would be provided by --dns, --dns-search, and --dns-opt. if multiple containers are involved in the generate, the options will be cumulative and unique with the exception of dns-opt. when replaying a kube file that has kubernetes dns information, we now also add that information to the pod creation. the options for dnspolicy is not enabled as there seemed to be no direct correlation between kubernetes and podman. Fixes: #9132 Signed-off-by: baude <bbaude@redhat.com>
* Allow static ip and mac with rootless cni networkPaul Holzinger2021-01-27
| | | | | | | | Make sure we pass the ip and mac address as CNI_ARGS to the cnitool which is executed in the rootless-cni-infra container. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* workdir presence checksValentin Rothberg2021-01-26
| | | | | | | | | | | | | | | | | | A container's workdir can be specified via the CLI via `--workdir` and via an image config with the CLI having precedence. Since images have a tendency to specify workdirs without necessarily shipping the paths with the root FS, make sure that Podman creates the workdir. When specified via the CLI, do not create the path, but check for its existence and return a human-friendly error. NOTE: `crun` is performing a similar check that would yield exit code 127. With this change, however, Podman performs the check and yields exit code 126. Since this is specific to `crun`, I do not consider it to be a breaking change of Podman. Fixes: #9040 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Set log driver for compatability containersbaude2021-01-20
| | | | | | | | | | | | | | | when using the compatibility api to create containers, now reflect the use of k8s-file as json-file so that clients, which are unaware of k8s-file, can work. specifically, if the container is using k8s-file as the log driver, we change the log type in container inspection to json-file. These terms are used interchangably in other locations in libpod/podman. this fixes log messages in compose as well. [NO TESTS NEEDED] Signed-off-by: baude <bbaude@redhat.com>
* specgen: improve heuristic for /sys bind mountGiuseppe Scrivano2021-01-15
| | | | | | | | | | | | | partially revert 95c45773d7dbca2880152de681c81f0a2afec99b restrict the cases where /sys is bind mounted from the host. The heuristic doesn't detect all the cases where the bind mount is not necessary, but it is an improvement on the previous version where /sys was always bind mounted for rootless containers unless --net none was specified. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #8960 from giuseppe/bridge-no-post-configOpenShift Merge Robot2021-01-13
|\ | | | | network: disallow CNI networks with user namespaces
| * network: disallow CNI networks with user namespacesGiuseppe Scrivano2021-01-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | it solves a segfault when running as rootless a command like: $ podman run --uidmap 0:0:1 --net foo --rm fedora true panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x5629bccc407c] goroutine 1 [running]: panic(0x5629bd3d39e0, 0x5629be0ab8e0) /usr/lib/golang/src/runtime/panic.go:1064 +0x545 fp=0xc0004592c0 sp=0xc0004591f8 pc=0x5629bbd35d85 runtime.panicmem(...) /usr/lib/golang/src/runtime/panic.go:212 runtime.sigpanic() /usr/lib/golang/src/runtime/signal_unix.go:742 +0x413 fp=0xc0004592f0 sp=0xc0004592c0 pc=0x5629bbd4cd33 github.com/containers/podman/libpod.(*Runtime).setupRootlessNetNS(0xc0003fe9c0, 0xc0003d74a0, 0x0, 0x0) /builddir/build/BUILD/podman-2.2.1/_build/src/github.com/containers/podman/libpod/networking_linux.go:238 +0xdc fp=0xc000459338 sp=0xc0004592f0 pc=0x5629bccc407c github.com/containers/podman/libpod.(*Container).completeNetworkSetup(0xc0003d74a0, 0x0, 0x0) /builddir/build/BUILD/podman-2.2.1/_build/src/github.com/containers/podman/libpod/container_internal.go:965 +0xb72 fp=0xc0004594d8 sp=0xc000459338 pc=0x5629bcc81732 [.....] Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #8954 from baude/reducebindingsizeOpenShift Merge Robot2021-01-13
|\ \ | | | | | | Reduce general binding binary size
| * | Reduce general binding binary sizebaude2021-01-13
| |/ | | | | | | | | | | | | | | when using the bindings to *only* make a connection, the binary was rough 28MB. This PR reduces it down to 11. There is more work to do but it will come in a secondary PR. Signed-off-by: baude <bbaude@redhat.com>
* / play kube: set entrypoint when interpreting CommandDaniel J Walsh2021-01-13
|/ | | | | | | | | | | | | We now set Entrypoint when interpeting the image Entrypoint (or yaml.Command) and Command when interpreting image Cmd (or yaml.Args) This change is kind of breaking because now checking Config.Cmd won't return the full command, but only the {cmd,args}. Adapt the tests to this change as well Signed-off-by: Peter Hunt <pehunt@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8947 from Luap99/cleanup-codeOpenShift Merge Robot2021-01-12
|\ | | | | Fix problems reported by staticcheck
| * Fix problems reported by staticcheckPaul Holzinger2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | `staticcheck` is a golang code analysis tool. https://staticcheck.io/ This commit fixes a lot of problems found in our code. Common problems are: - unnecessary use of fmt.Sprintf - duplicated imports with different names - unnecessary check that a key exists before a delete call There are still a lot of reported problems in the test files but I have not looked at those. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Use HTTPProxy settings from containers.confDaniel J Walsh2021-01-11
|/ | | | | | | | | | | This PR takes the settings from containers.conf and uses them. This works on the podman local but does not fix the issue for podman remote or for APIv2. We need a way to specify optionalbooleans when creating containers. Fixes: https://github.com/containers/podman/issues/8843 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8907 from Luap99/fix-mips-buildOpenShift Merge Robot2021-01-07
|\ | | | | Fix build for mips architecture follow-up
| * Fix build for mips architecture follow-upPaul Holzinger2021-01-07
| | | | | | | | | | | | | | | | Follow-up to commit (1ad796677e1c). The build on mips is still failing because SIGWINCH was not defined in the signal pkg. Also stat_t.Rdev is unit32 on mips so we need to typecast. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Containers should not get inheritable caps by defaultDaniel J Walsh2021-01-07
|/ | | | | | | | | | | | When I launch a container with --userns=keep-id the rootless processes should have no caps by default even if I launch the container with --privileged. It should only get the caps if I specify by hand the caps I want leaked to the process. Currently we turn off capeff and capamb, but not capinh. This patch treats capinh the same way as capeff and capamb. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8892 from mheon/fix_8886OpenShift Merge Robot2021-01-06
|\ | | | | Ensure that user-specified HOSTNAME is honored
| * Ensure that user-specified HOSTNAME is honoredMatthew Heon2021-01-06
| | | | | | | | | | | | | | | | | | | | | | When adding the HOSTNAME environment variable, only do so if it is not already present in the spec. If it is already present, it was likely added by the user, and we should honor their requested value. Fixes #8886 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #8685 from mheon/ignore_containersconf_sysctls_shared_netOpenShift Merge Robot2021-01-05
|\ \ | |/ |/| Ignore containers.conf sysctls when sharing namespaces
| * Ignore containers.conf sysctls when sharing namespacesMatthew Heon2020-12-10
| | | | | | | | | | | | | | | | | | | | | | The existing code prevents containers.conf default sysctls from being added if the container uses a host namespace. This patch expands that to not just host namespaces, but also *shared* namespaces - so we never modify another container's (or a pod's) namespaces without being explicitly directed to do so by the user. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | fix: disable seccomp by default when privileged.Max Goltzsche2021-01-02
| | | | | | | | | | | | | | | | | | When running a privileged container and `SeccompProfilePath` is empty no seccomp profile should be applied. (Previously this was the case only if `SeccompProfilePath` was set to a non-empty default path.) Closes #8849 Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
* | Refactor kube.ToSpecGen parameters to structBenedikt Ziemons2020-12-23
| | | | | | | | | | | | | | Create kube.CtrSpecGenOptions and document parameters. Follow-up on https://github.com/containers/podman/pull/8792#discussion_r546673758 Signed-off-by: Benedikt Ziemons <ben@rs485.network>
* | Set NetNS mode instead of valueBenedikt Ziemons2020-12-23
| | | | | | | | | | | | | | | | | | | | when HostNetwork is true in the pod spec. Also propagate whether host network namespace should be used for containers. Add test for HostNetwork setting in kubeYaml. The infra configuration should reflect the setting. Signed-off-by: Benedikt Ziemons <ben@rs485.network>
* | Merge pull request #8787 from jsoref/spellingOpenShift Merge Robot2020-12-23
|\ \ | | | | | | Spelling