summaryrefslogtreecommitdiff
path: root/pkg/specgen
Commit message (Collapse)AuthorAge
* patch for pod host networking & other host namespace handlingcdoern2022-06-14
| | | | | | | | | this patch included additonal host namespace checks when creating a ctr as well as fixing of the tests to check /proc/self/ns/net see #14461 Signed-off-by: cdoern <cdoern@redhat.com>
* Infra Inheritance patchcdoern2022-06-14
| | | | | | | | | infra was overriding options that it should be appending rather than resetting. fix this by appending the given container's spec to the compatible options before marshaling/unmarshaling resolves #14454 Signed-off-by: cdoern <cdoern@redhat.com>
* fix pod network handling with a host networkcdoern2022-06-14
| | | | | | | | | | | | | the function `GetDefaultNamespaceMode` for pods checks if we are sharing each namespace and if not, returns the default which in the case of a network is slirp. add a switch case for explicitly checking if the pod's network mode is host and if so, return specgen.Host for the container resolves #13763 Signed-off-by: cdoern <cbdoer23@g.holycross.edu> Signed-off-by: cdoern <cdoern@redhat.com>
* pkg/specgen: parse default network mode on serverPaul Holzinger2022-06-14
| | | | | | | | | | | | | | | | | | | | | When podman-remote is used we should not resolve the default network mode on the client. Defaults should be set on the server. In this case this is important because we have different defaults for root/rootless. So when the client is rootless and the server is root we must pick the root default. Note that this already worked when --network was set since we did not parsed the flag in this case. To reproduce you need --network=default. Also removed a unused function. [NO NEW TESTS NEEDED] I tested it manually but I am not sure how I can hook a test like this up in CI. The client would need to run as rootless and the server as root or the other way around. Fixes #14368 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* podman pod create --uidmap patchcdoern2022-06-14
| | | | | | | | | | | | | podmans remote API does not marshal infra's spec due to the fact that if it did, all of those options would be available to the users on the command line. This means we need to manually map "backwards" some container spec items -> pod spec items before calling PodCreate, this was one of them that was forgotten resolves #14233 Signed-off-by: cdoern <cbdoer23@g.holycross.edu> Signed-off-by: cdoern <cdoern@redhat.com>
* Support running podman under a root v2 cgroupJason T. Greene2022-06-14
| | | | Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
* Use containers/common/pkg/util.StringToSliceDaniel J Walsh2022-06-14
| | | | | | [NO NEW TESTS NEEDED] Just code cleanup for better reuse Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* linter: enable unconvert linterValentin Rothberg2022-06-14
| | | | | | | Detects unneccessary type conversions and helps in keeping the code base cleaner. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* play kube log tag handlingcdoern2022-06-14
| | | | | | | | | currently tags cause a panic due to an uninitialized map. Initialize the map and add parsing to make sure we are only tagging with journald resolves #13356 Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* [BZ #2083997] pod: build pause image in custom user NSValentin Rothberg2022-05-18
| | | | | | | | | | | | Use the host UID and host GID mapping when building the local pause image for a Pod with a custom mapping. Otherwise, the mappings are off and the build fails. Propagating the mapping to the build container is not needed since the pause image ships merely a copied `catatonit` from the host. Backport-of: commit c45d51899a8190bd3797cdee71b74b912a634c71 Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2083997 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* pass networks to container clonecdoern2022-05-05
| | | | | | | | | since the network config is a string map, json.unmarshal does not recognize the config and spec as the same entity, need to map this option manually resolves #13713 Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* enable gocritic linterPaul Holzinger2022-04-26
| | | | | | | | | | | | | | | | | | | | | | The linter ensures a common code style. - use switch/case instead of else if - use if instead of switch/case for single case statement - add space between comment and text - detect the use of defer with os.Exit() - use short form var += "..." instead of var = var + "..." - detect problems with append() ``` newSlice := append(orgSlice, val) ``` This could lead to nasty bugs because the orgSlice will be changed in place if it has enough capacity too hold the new elements. Thus we newSlice might not be a copy. Of course most of the changes are just cosmetic and do not cause any logic errors but I think it is a good idea to enforce a common style. This should help maintainability. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Implements Windows volume/mount supportJason T. Greene2022-04-25
| | | | | | | Based on WSL2 9p support: remaps windows paths to /mnt/<drive> locations for both podman and Docker API clients. Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
* Merge pull request #13978 from Luap99/unparamOpenShift Merge Robot2022-04-25
|\ | | | | enable unparam linter
| * enable unparam linterPaul Holzinger2022-04-25
| | | | | | | | | | | | | | The unparam linter is useful to detect unused function parameters and return values. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #13973 from Luap99/linter-reviveOpenShift Merge Robot2022-04-23
|\ \ | |/ |/| replace golint with revive linter
| * replace golint with revive linterPaul Holzinger2022-04-22
| | | | | | | | | | | | | | | | | | | | | | | | golint, scopelint and interfacer are deprecated. golint is replaced by revive. This linter is better because it will also check for our error style: `error strings should not be capitalized or end with punctuation or a newline` scopelint is replaced by exportloopref (already endabled) interfacer has no replacement but I do not think this linter is important. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #13918 from Luap99/hostsOpenShift Merge Robot2022-04-22
|\ \ | | | | | | use etchosts package from c/common
| * | shared netns and --add-host should conflictPaul Holzinger2022-04-22
| | | | | | | | | | | | | | | | | | | | | | | | Because /etc/hosts is shared for all containers with a shared network namespace you should not be able to add hosts from a joined container. Only the primary netns container can set the hosts. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #13881 from rhatdan/usernsOpenShift Merge Robot2022-04-22
|\ \ \ | |_|/ |/| | Add support for --userns=nomap
| * | Add support for --userns=nomapDaniel J Walsh2022-04-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | From a security point of view, it would be nice to be able to map a rootless usernamespace that does not use your own UID within the container. This would add protection against a hostile process escapping the container and reading content in your homedir. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #13972 from Luap99/staticcheckOpenShift Merge Robot2022-04-22
|\ \ \ | |_|/ |/| | enable staticcheck linter
| * | enable staticcheck linterPaul Holzinger2022-04-22
| |/ | | | | | | | | | | | | Fix many problems reported by the staticcheck linter, including many real bugs! Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* / Run codespell on codeDaniel J Walsh2022-04-22
|/ | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* healthcheck: set default healthcheck Interval if not specified in imageAditya R2022-04-20
| | | | | | | Set appropriate defaults for `--interval` when processing a Containerfile with build format as docker. Signed-off-by: Aditya R <arajan@redhat.com>
* Merge pull request #13583 from rhatdan/ipcOpenShift Merge Robot2022-04-16
|\ | | | | Add support for ipc namespace modes "none, private, sharable"
| * Add support for ipc namespace modes "none, private, sharable"Daniel J Walsh2022-04-12
| | | | | | | | | | | | Fixes: #13265 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #13868 from cdoern/cloneSwapOpenShift Merge Robot2022-04-15
|\ \ | | | | | | Fix Memory Swappiness passing in Container Clone
| * | Fix Memory Swappiness passing in Container Clonecdoern2022-04-14
| |/ | | | | | | | | | | | | | | | | `DefineCreateFlags` was excluding clone from using the memory-swappiness flag leading the value to be zero when our deafult is -1. Rearrange the if/else to give clone these memory related options resolves #13856 Signed-off-by: cdoern <cdoern@redhat.com>
* | run, create: add --passwd-entryGiuseppe Scrivano2022-04-14
| | | | | | | | | | | | | | | | | | It allows to customize the entry that is written to the `/etc/passwd` file when --passwd is used. Closes: https://github.com/containers/podman/issues/13185 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | API: use no_hosts from containers.confPaul Holzinger2022-04-11
|/ | | | | | | | | The API endpoints should properly honour the `no_hosts=true` setting in containers.conf. Fixes #13719 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #13594 from cdoern/podVolumesOpenShift Merge Robot2022-04-01
|\ | | | | fix pod volume passing and alter infra inheritance
| * fix pod volume passing and alter infra inheritancecdoern2022-03-29
| | | | | | | | | | | | | | | | | | | | | | | | | | the infra Inherit function was not properly passing pod volume information to new containers alter the inherit function and struct to use the new `ConfigToSpec` function used in clone pick and choose the proper entities from a temp spec and validate them on the spegen side rather than passing directly to a config resolves #13548 Signed-off-by: cdoern <cbdoer23@g.holycross.edu> Signed-off-by: cdoern <cdoern@redhat.com> Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* | specgen: permit --privileged and --cap-addGiuseppe Scrivano2022-04-01
|/ | | | | | | | | --cap-add is useful when running a privileged container with UID != 0, so that individual capabilities can be added to the container process. Closes: https://github.com/containers/podman/issues/13449 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Set systemd mode if entrypoint begins with /bin/sh -cDaniel J Walsh2022-03-28
| | | | | | Fixes: https://github.com/containers/podman/issues/13324 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #13668 from rhatdan/walkOpenShift Merge Robot2022-03-28
|\ | | | | Switch all calls to filepath.Walk to filepath.WalkDir
| * Switch all calls to filepath.Walk to filepath.WalkDirDaniel J Walsh2022-03-27
| | | | | | | | | | | | | | | | | | WalkDir should be faster the Walk, since we often do not need to stat files. [NO NEW TESTS NEEDED] Existing tests should find errors. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #13611 from rvandernoort/vendor_filtersOpenShift Merge Robot2022-03-28
|\ \ | |/ |/| Vendor c/common for filters
| * Vendor commonrvandernoort2022-03-27
| | | | | | | | | | | | | | | | Added patch provided by rhatdan to add support for shareable [NO NEW TESTS NEEDED] Signed-off-by: rvandernoort <s.r.vandernoort@student.tudelft.nl>
* | Merge pull request #13660 from rhatdan/errorOpenShift Merge Robot2022-03-27
|\ \ | | | | | | Remove error stutter
| * | Remove error stutterDaniel J Walsh2022-03-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When podman gets an error it prints out "Error: " before printing the error string. If the error message starts with error, we end up with Error: error ... This PR Removes all of these stutters. logrus.Error() also prints out that this is an error, so no need for the error stutter. [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Run codespell to cleanup typosDaniel J Walsh2022-03-25
|/ / | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #13587 from giuseppe/clone-to-podOpenShift Merge Robot2022-03-24
|\ \ | | | | | | container: allow clone to an existing pod
| * | specgen: fix typoGiuseppe Scrivano2022-03-24
| |/ | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request from GHSA-qvf8-p83w-v58jGiuseppe Scrivano2022-03-24
|\ \ | |/ |/| do not set the inheritable capabilities
| * do not set the inheritable capabilitiesGiuseppe Scrivano2022-03-23
| | | | | | | | | | | | | | | | | | The kernel never sets the inheritable capabilities for a process, they are only set by userspace. Emulate the same behavior. Closes: CVE-2022-27649 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | fix a number of errcheck issuesValentin Rothberg2022-03-22
| | | | | | | | | | | | Numerous issues remain, especially in tests/e2e. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | linter: enable wastedassignValentin Rothberg2022-03-22
| | | | | | | | Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | go fmt: use go 1.18 conditional-build syntaxValentin Rothberg2022-03-18
| | | | | | | | Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | podman create: building local pause image: do not read ignore filesValentin Rothberg2022-03-17
| | | | | | | | | | | | | | | | | | Make sure to ignore local {container,docker}ignore files when building a local pause image. Otherwise, we may mistakenly not be able to copy catatonit into the build container. Fixes: #13529 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-01-13 11:13:47 +0000