summaryrefslogtreecommitdiff
path: root/pkg/specgen
Commit message (Collapse)AuthorAge
* [BZ #2083997] pod: build pause image in custom user NSValentin Rothberg2022-05-13
| | | | | | | | | | | Use the host UID and host GID mapping when building the local pause image for a Pod with a custom mapping. Otherwise, the mappings are off and the build fails. Propagating the mapping to the build container is not needed since the pause image ships merely a copied `catatonit` from the host. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2083997 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* play kube: service containerValentin Rothberg2022-05-12
| | | | | | | | | | | | | | | | | | | | Add the notion of a "service container" to play kube. A service container is started before the pods in play kube and is (reverse) linked to them. The service container is stopped/removed *after* all pods it is associated with are stopped/removed. In other words, a service container tracks the entire life cycle of a service started via `podman play kube`. This is required to enable `play kube` in a systemd unit file. The service container is only used when the `--service-container` flag is set on the CLI. This flag has been marked as hidden as it is not meant to be used outside the context of `play kube`. It is further not supported on the remote client. The wiring with systemd will be done in a later commit. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* kube: add support for --userns=Giuseppe Scrivano2022-05-10
| | | | | | | | add support to override the user namespace to use for the pod. Closes: https://github.com/containers/podman/issues/7504 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* kube: honor pod security context IDsGiuseppe Scrivano2022-05-10
| | | | | | | | If the RunAsUser, RunAsGroup, SupplementalGroups settings are not overriden in the container security context, then take the value from the pod security context. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* kube: refactor setupSecurityContext to accept directly the security ctxGiuseppe Scrivano2022-05-10
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #14121 from cdoern/kubeOpenShift Merge Robot2022-05-09
|\ | | | | play kube log tag handling
| * play kube log tag handlingcdoern2022-05-06
| | | | | | | | | | | | | | | | | | currently tags cause a panic due to an uninitialized map. Initialize the map and add parsing to make sure we are only tagging with journald resolves #13356 Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* | libpod: add c.ConfigWithNetworks()Paul Holzinger2022-05-06
| | | | | | | | | | | | | | | | | | | | Reading the networks requires an extra db operation. Most c.Config() callers do not need them so create a new function which returns the config with networks. [NO NEW TESTS NEEDED] Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #14129 from Juneezee/test/t.TempDirOpenShift Merge Robot2022-05-06
|\ \ | | | | | | test: use `T.TempDir` to create temporary test directory
| * | test: use `T.TempDir` to create temporary test directoryEng Zer Jun2022-05-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit replaces `ioutil.TempDir` with `t.TempDir` in tests. The directory created by `t.TempDir` is automatically removed when the test and all its subtests complete. Prior to this commit, temporary directory created using `ioutil.TempDir` needs to be removed manually by calling `os.RemoveAll`, which is omitted in some tests. The error handling boilerplate e.g. defer func() { if err := os.RemoveAll(dir); err != nil { t.Fatal(err) } } is also tedious, but `t.TempDir` handles this for us nicely. Reference: https://pkg.go.dev/testing#T.TempDir Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
* | | Merge pull request #14059 from cdoern/cloneOpenShift Merge Robot2022-05-05
|\ \ \ | |/ / |/| | pass networks to container clone
| * | pass networks to container clonecdoern2022-05-03
| |/ | | | | | | | | | | | | | | | | since the network config is a string map, json.unmarshal does not recognize the config and spec as the same entity, need to map this option manually resolves #13713 Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* / pod: add exit policiesValentin Rothberg2022-05-02
|/ | | | | | | | | | | | | | | | | | | | | | | | Add the notion of an "exit policy" to a pod. This policy controls the behaviour when the last container of pod exits. Initially, there are two policies: - "continue" : the pod continues running. This is the default policy when creating a pod. - "stop" : stop the pod when the last container exits. This is the default behaviour for `play kube`. In order to implement the deferred stop of a pod, add a worker queue to the libpod runtime. The queue will pick up work items and in this case helps resolve dead locks that would otherwise occur if we attempted to stop a pod during container cleanup. Note that the default restart policy of `play kube` is "Always". Hence, in order to really solve #13464, the YAML files must set a custom restart policy; the tests use "OnFailure". Fixes: #13464 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* enable gocritic linterPaul Holzinger2022-04-26
| | | | | | | | | | | | | | | | | | | | | | The linter ensures a common code style. - use switch/case instead of else if - use if instead of switch/case for single case statement - add space between comment and text - detect the use of defer with os.Exit() - use short form var += "..." instead of var = var + "..." - detect problems with append() ``` newSlice := append(orgSlice, val) ``` This could lead to nasty bugs because the orgSlice will be changed in place if it has enough capacity too hold the new elements. Thus we newSlice might not be a copy. Of course most of the changes are just cosmetic and do not cause any logic errors but I think it is a good idea to enforce a common style. This should help maintainability. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Implements Windows volume/mount supportJason T. Greene2022-04-25
| | | | | | | Based on WSL2 9p support: remaps windows paths to /mnt/<drive> locations for both podman and Docker API clients. Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
* Merge pull request #13978 from Luap99/unparamOpenShift Merge Robot2022-04-25
|\ | | | | enable unparam linter
| * enable unparam linterPaul Holzinger2022-04-25
| | | | | | | | | | | | | | The unparam linter is useful to detect unused function parameters and return values. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #13973 from Luap99/linter-reviveOpenShift Merge Robot2022-04-23
|\ \ | |/ |/| replace golint with revive linter
| * replace golint with revive linterPaul Holzinger2022-04-22
| | | | | | | | | | | | | | | | | | | | | | | | golint, scopelint and interfacer are deprecated. golint is replaced by revive. This linter is better because it will also check for our error style: `error strings should not be capitalized or end with punctuation or a newline` scopelint is replaced by exportloopref (already endabled) interfacer has no replacement but I do not think this linter is important. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #13918 from Luap99/hostsOpenShift Merge Robot2022-04-22
|\ \ | | | | | | use etchosts package from c/common
| * | shared netns and --add-host should conflictPaul Holzinger2022-04-22
| | | | | | | | | | | | | | | | | | | | | | | | Because /etc/hosts is shared for all containers with a shared network namespace you should not be able to add hosts from a joined container. Only the primary netns container can set the hosts. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #13881 from rhatdan/usernsOpenShift Merge Robot2022-04-22
|\ \ \ | |_|/ |/| | Add support for --userns=nomap
| * | Add support for --userns=nomapDaniel J Walsh2022-04-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | From a security point of view, it would be nice to be able to map a rootless usernamespace that does not use your own UID within the container. This would add protection against a hostile process escapping the container and reading content in your homedir. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #13972 from Luap99/staticcheckOpenShift Merge Robot2022-04-22
|\ \ \ | |_|/ |/| | enable staticcheck linter
| * | enable staticcheck linterPaul Holzinger2022-04-22
| |/ | | | | | | | | | | | | Fix many problems reported by the staticcheck linter, including many real bugs! Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* / Run codespell on codeDaniel J Walsh2022-04-22
|/ | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* healthcheck: set default healthcheck Interval if not specified in imageAditya R2022-04-20
| | | | | | | Set appropriate defaults for `--interval` when processing a Containerfile with build format as docker. Signed-off-by: Aditya R <arajan@redhat.com>
* Merge pull request #13583 from rhatdan/ipcOpenShift Merge Robot2022-04-16
|\ | | | | Add support for ipc namespace modes "none, private, sharable"
| * Add support for ipc namespace modes "none, private, sharable"Daniel J Walsh2022-04-12
| | | | | | | | | | | | Fixes: #13265 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #13868 from cdoern/cloneSwapOpenShift Merge Robot2022-04-15
|\ \ | | | | | | Fix Memory Swappiness passing in Container Clone
| * | Fix Memory Swappiness passing in Container Clonecdoern2022-04-14
| |/ | | | | | | | | | | | | | | | | `DefineCreateFlags` was excluding clone from using the memory-swappiness flag leading the value to be zero when our deafult is -1. Rearrange the if/else to give clone these memory related options resolves #13856 Signed-off-by: cdoern <cdoern@redhat.com>
* | run, create: add --passwd-entryGiuseppe Scrivano2022-04-14
| | | | | | | | | | | | | | | | | | It allows to customize the entry that is written to the `/etc/passwd` file when --passwd is used. Closes: https://github.com/containers/podman/issues/13185 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | API: use no_hosts from containers.confPaul Holzinger2022-04-11
|/ | | | | | | | | The API endpoints should properly honour the `no_hosts=true` setting in containers.conf. Fixes #13719 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #13594 from cdoern/podVolumesOpenShift Merge Robot2022-04-01
|\ | | | | fix pod volume passing and alter infra inheritance
| * fix pod volume passing and alter infra inheritancecdoern2022-03-29
| | | | | | | | | | | | | | | | | | | | | | | | | | the infra Inherit function was not properly passing pod volume information to new containers alter the inherit function and struct to use the new `ConfigToSpec` function used in clone pick and choose the proper entities from a temp spec and validate them on the spegen side rather than passing directly to a config resolves #13548 Signed-off-by: cdoern <cbdoer23@g.holycross.edu> Signed-off-by: cdoern <cdoern@redhat.com> Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* | specgen: permit --privileged and --cap-addGiuseppe Scrivano2022-04-01
|/ | | | | | | | | --cap-add is useful when running a privileged container with UID != 0, so that individual capabilities can be added to the container process. Closes: https://github.com/containers/podman/issues/13449 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Set systemd mode if entrypoint begins with /bin/sh -cDaniel J Walsh2022-03-28
| | | | | | Fixes: https://github.com/containers/podman/issues/13324 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #13668 from rhatdan/walkOpenShift Merge Robot2022-03-28
|\ | | | | Switch all calls to filepath.Walk to filepath.WalkDir
| * Switch all calls to filepath.Walk to filepath.WalkDirDaniel J Walsh2022-03-27
| | | | | | | | | | | | | | | | | | WalkDir should be faster the Walk, since we often do not need to stat files. [NO NEW TESTS NEEDED] Existing tests should find errors. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #13611 from rvandernoort/vendor_filtersOpenShift Merge Robot2022-03-28
|\ \ | |/ |/| Vendor c/common for filters
| * Vendor commonrvandernoort2022-03-27
| | | | | | | | | | | | | | | | Added patch provided by rhatdan to add support for shareable [NO NEW TESTS NEEDED] Signed-off-by: rvandernoort <s.r.vandernoort@student.tudelft.nl>
* | Merge pull request #13660 from rhatdan/errorOpenShift Merge Robot2022-03-27
|\ \ | | | | | | Remove error stutter
| * | Remove error stutterDaniel J Walsh2022-03-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When podman gets an error it prints out "Error: " before printing the error string. If the error message starts with error, we end up with Error: error ... This PR Removes all of these stutters. logrus.Error() also prints out that this is an error, so no need for the error stutter. [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Run codespell to cleanup typosDaniel J Walsh2022-03-25
|/ / | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #13587 from giuseppe/clone-to-podOpenShift Merge Robot2022-03-24
|\ \ | | | | | | container: allow clone to an existing pod
| * | specgen: fix typoGiuseppe Scrivano2022-03-24
| |/ | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request from GHSA-qvf8-p83w-v58jGiuseppe Scrivano2022-03-24
|\ \ | |/ |/| do not set the inheritable capabilities
| * do not set the inheritable capabilitiesGiuseppe Scrivano2022-03-23
| | | | | | | | | | | | | | | | | | The kernel never sets the inheritable capabilities for a process, they are only set by userspace. Emulate the same behavior. Closes: CVE-2022-27649 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | fix a number of errcheck issuesValentin Rothberg2022-03-22
| | | | | | | | | | | | Numerous issues remain, especially in tests/e2e. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | linter: enable wastedassignValentin Rothberg2022-03-22
| | | | | | | | Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>