summaryrefslogtreecommitdiff
path: root/pkg/specgen
Commit message (Collapse)AuthorAge
* Merge pull request #8685 from mheon/ignore_containersconf_sysctls_shared_netOpenShift Merge Robot2021-01-05
|\ | | | | Ignore containers.conf sysctls when sharing namespaces
| * Ignore containers.conf sysctls when sharing namespacesMatthew Heon2020-12-10
| | | | | | | | | | | | | | | | | | | | | | The existing code prevents containers.conf default sysctls from being added if the container uses a host namespace. This patch expands that to not just host namespaces, but also *shared* namespaces - so we never modify another container's (or a pod's) namespaces without being explicitly directed to do so by the user. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | fix: disable seccomp by default when privileged.Max Goltzsche2021-01-02
| | | | | | | | | | | | | | | | | | When running a privileged container and `SeccompProfilePath` is empty no seccomp profile should be applied. (Previously this was the case only if `SeccompProfilePath` was set to a non-empty default path.) Closes #8849 Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
* | Refactor kube.ToSpecGen parameters to structBenedikt Ziemons2020-12-23
| | | | | | | | | | | | | | Create kube.CtrSpecGenOptions and document parameters. Follow-up on https://github.com/containers/podman/pull/8792#discussion_r546673758 Signed-off-by: Benedikt Ziemons <ben@rs485.network>
* | Set NetNS mode instead of valueBenedikt Ziemons2020-12-23
| | | | | | | | | | | | | | | | | | | | when HostNetwork is true in the pod spec. Also propagate whether host network namespace should be used for containers. Add test for HostNetwork setting in kubeYaml. The infra configuration should reflect the setting. Signed-off-by: Benedikt Ziemons <ben@rs485.network>
* | Merge pull request #8787 from jsoref/spellingOpenShift Merge Robot2020-12-23
|\ \ | | | | | | Spelling
| * | SpellingJosh Soref2020-12-22
| | | | | | | | | | | | Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* | | play kube: fix args/command handlingPeter Hunt2020-12-22
|/ / | | | | | | | | | | | | | | | | | | when neither yaml.Args nor yaml.Command are specified, we should use the entrypoint and cmd from the image. update the tests to cover this and another case (both args and command are specified). use the registry image instead of redis, as it has both an entrypoint and command specified. update the documentation around this handling to hopefully prevent regressions and confusion. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | Merge pull request #8670 from rhatdan/capsOpenShift Merge Robot2020-12-09
|\ \ | |/ |/| Properly handle --cap-add all when running with a --user flag
| * Properly handle --cap-add all when running with a --user flagDaniel J Walsh2020-12-09
| | | | | | | | | | | | | | | | | | | | Handle the ALL Flag when running with an account as a user. Currently we throw an error when the user specifies podman run --user bin --cap-add all fedora echo hello Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #8669 from giuseppe/unmask-also-cover-ro-pathsOpenShift Merge Robot2020-12-09
|\ \ | |/ |/| security: honor systempaths=unconfined for ro paths
| * security: honor systempaths=unconfined for ro pathsGiuseppe Scrivano2020-12-09
| | | | | | | | | | | | | | | | | | we must honor systempaths=unconfined also for read-only paths, as Docker does: proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #8661 from rhatdan/codespellOpenShift Merge Robot2020-12-09
|\ \ | |/ |/| Fix spelling mistakes
| * Fix spelling mistakesDaniel J Walsh2020-12-09
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | make podman play use ENVs from imageChristopher J. Ruwe2020-12-09
|/ | | | | | fixes #8608. Signed-off-by: Christopher J. Ruwe <cjr@cruwe.de>
* Correct port range logic for port generationMatthew Heon2020-12-08
| | | | | | | | | | | | | The existing logic (Range > 0) always triggered, because range is guaranteed to be at least 1 (a single port has a range of 1, a two port range (e.g. 80-81) has a range of 2, and so on). As such this could cause ports that had a host port assigned to them by the user to randomly assign one instead. Fixes #8650 Fixes #8651 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #8561 from mheon/fix_gatingOpenShift Merge Robot2020-12-07
|\ | | | | Do not mount sysfs as rootless in more cases
| * Do not mount sysfs as rootless in more casesMatthew Heon2020-12-04
| | | | | | | | | | | | | | | | | | | | | | | | We can't mount sysfs as rootless unless we manage the network namespace. Problem: slirp4netns is now creating and managing a network namespace separate from the OCI runtime, so we can't mount sysfs in many circumstances. The `crun` OCI runtime will automatically handle this by falling back to a bind mount, but `runc` will not, so we didn't notice until RHEL gating tests ran on the new branch. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | container create: do not clear image nameValentin Rothberg2020-12-07
| | | | | | | | | | | | | | | | When creating a container, do not clear the input-image name before looking up image names. Also add a regression test. Fixes: #8558 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #8551 from rhatdan/defaultOpenShift Merge Robot2020-12-03
|\ \ | | | | | | Support --network=default as if it was private
| * | Support --network=default as if it was privateDaniel J Walsh2020-12-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Docker defines an option of "default" which means to use the default network. We should support this with the same code path as --network="". This is important for compatibility with the Docker API. Fixes: https://github.com/containers/podman/issues/8544 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #8408 from umohnani8/sec-optOpenShift Merge Robot2020-12-03
|\ \ \ | |/ / |/| | Add mask and unmask option to --security-opt
| * | Add mask and unmask option to --security-optUrvashi Mohnani2020-12-02
| |/ | | | | | | | | | | | | | | | | Add the mask and unmask option to the --security-opt flag to allow users to specify paths to mask and unmask in the container. If unmask=ALL, this will unmask all the paths we mask by default. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* / Do not use "true" after "syslog" in exit commandsMatthew Heon2020-12-01
|/ | | | | | | | | | | | | | | | | | | | | Instead of being interpreted as an argument to the boolean flag, the 'true' is being intepreted as the Podman command to be run - so we're trying to run `podman true`, which does not exist. This causes the cleanup command to fail when `--log-level=debug` is set, so containers are not cleaned up or removed. This problem is easily reproduced with any command combining the `--rm`, `-d`, and `--log-level=debug` flags - the command will execute and exit, but the container will not be removed. Separate, but worth looking into later: the errors we get on trying `podman true` with any flags are terrible - if you just type `podman true` you get a quite sane "Unrecognized command" error, but if you try `podman true --rm` you get an "unknown flag --rm" error - which makes very little sense given the command itself doesn't exist. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #8514 from Luap99/revert-8410-fix-multiple-networksOpenShift Merge Robot2020-11-30
|\ | | | | Revert "Allow multiple --network flags for podman run/create"
| * Revert "Allow multiple --network flags for podman run/create"Luap992020-11-30
| | | | | | | | | | | | | | | | | | As described in issue #8507 this commit contains a breaking change which is not wanted in v2.2. We can discuss later if we want this in 3.0 or not. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #8230 from mheon/port_net_host_conflictOpenShift Merge Robot2020-11-30
|\ \ | | | | | | Ensure that --net=host/pod/container conflicts with -p
| * | Ensure that --net=host/pod/container/none warn with -pMatthew Heon2020-11-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Setting port mappings only works when CNI is configuring our network (or slirp4netns, in the rootless case). This is not the case with `--net=host`, `--net=container:`, and joining the network namespace of the pod we are part of. Instead of allowing users to do these things and then be confused why they do nothing, let's match Docker and return a warning that your port mappings will do nothing. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge branch 'master' into patch-1jortkoopmans2020-11-30
|\ \ \ | | |/ | |/|
| * | Add support for persistent volume claims in kube filesAlban Bedel2020-11-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In k8s a persistent volume claim (PVC) allow pods to define a volume by referencing the name of a PVC. The PVC basically contains criterias that k8s then use to select which storage source it will use for the volume. Podman only provide one abtracted storage, the named volumes, and create them if they don't exists yet. So this patch simply use a volume with the name of the PVC. Signed-off-by: Alban Bedel <albeu@free.fr>
| * | Prepare support in kube play for other volume types than hostPathAlban Bedel2020-11-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Replace the simple map of names to paths with a map of names to a struct to allow passing more parameters. Also move the code to parse the volumes to its own file to avoid making the playKubePod() function overly complex. Finally rework the kube volumes test to also be ready to support more volume types. Signed-off-by: Alban Bedel <albeu@free.fr>
| * | Do not validate the volume source path in specgenPaul Holzinger2020-11-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The volume src path should not be validated in specgen since the remote client also uses that part and the path must only exists on the server. This now fails later and only on the server and not the client. I don't think I can add a test for this because the CI runs server and client always on the same vm. Fixes #8473 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * | Merge pull request #8410 from Luap99/fix-multiple-networksOpenShift Merge Robot2020-11-21
| |\ \ | | | | | | | | Allow multiple --network flags for podman run/create
| | * | Allow multiple --network flags for podman run/createPaul Holzinger2020-11-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We allow a container to be connected to several cni networks but only if they are listed comma sperated. This is not intuitive for users especially since the flag parsing allows multiple string flags but only would take the last value. see: spf13/pflag#72 Also get rid of the extra parsing logic for pods. The invalid options are already handled by `pkg/specgen`. A test is added to prevent a future regression. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * | | Document containers.conf settings for remote connectionsDaniel J Walsh2020-11-19
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently we don't document which end of the podman-remote client server operations uses the containers.conf. This PR begins documenting this and then testing to make sure the defaults follow the rules. Fixes: https://github.com/containers/podman/issues/7657 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / / squashjortkoopmans2020-11-25
|/ / | | | | | | Signed-off-by: jortkoopmans <jort@jabo-solutions.eu>
* | Merge pull request #8252 from baude/playkubetospecgenOpenShift Merge Robot2020-11-10
|\ \ | | | | | | migrate play kube to spec gen
| * | migrate play kube to spec genbaude2020-11-10
| | | | | | | | | | | | | | | | | | | | | | | | we need to migrate play kube away from using the old container creation method. the new approach is specgen and this aligns play kube with container creation in the rest of podman. Signed-off-by: baude <bbaude@redhat.com>
* | | network aliases for container creationbaude2020-11-09
|/ / | | | | | | | | | | | | | | podman can now support adding network aliases when running containers (--network-alias). It requires an updated dnsname plugin as well as an updated ocicni to work properly. Signed-off-by: baude <bbaude@redhat.com>
* | rootless container creation settingsbaude2020-11-05
| | | | | | | | | | | | | | | | when running container creation as rootless on the compatibility layer, we need to make sure settings are not being done for memory and memory swappiness. Signed-off-by: baude <bbaude@redhat.com>
* | specgen: keep capabilities with --userns=keep-idGiuseppe Scrivano2020-11-02
| | | | | | | | | | | | | | | | if --userns=keep-id is specified and not --user is specified, take the unprivileged capabilities code path so that ambient capabilities are honored in the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | specgen: fix check for root userGiuseppe Scrivano2020-11-02
| | | | | | | | | | | | | | if the username is specified in the USER:GROUP form, make sure we only check for USER. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | specgen: add support for ambient capabilitiesGiuseppe Scrivano2020-11-02
| | | | | | | | | | | | | | | | | | | | if the kernel supports ambient capabilities (Linux 4.3+), also set them when running with euid != 0. This is different that what Moby does, as ambient capabilities are never set. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #8197 from giuseppe/check-cgroupv2-swap-enabledOpenShift Merge Robot2020-10-31
|\ \ | | | | | | specgen, cgroup2: check whether memory swap is enabled
| * | specgen, cgroup2: check whether memory swap is enabledGiuseppe Scrivano2020-10-30
| | | | | | | | | | | | | | | | | | add a similar check to what we do on cgroup v1. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | specgen: split cgroup v1 and cgroup v2 codeGiuseppe Scrivano2020-10-30
| | | | | | | | | | | | | | | | | | refactor function into two separate ones. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #8177 from rhatdan/wrapOpenShift Merge Robot2020-10-30
|\ \ \ | | | | | | | | Stop excessive wrapping of errors
| * | | Stop excessive wrapping of errorsDaniel J Walsh2020-10-30
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Most of the builtin golang functions like os.Stat and os.Open report errors including the file system object path. We should not wrap these errors and put the file path in a second time, causing stuttering of errors when they get presented to the user. This patch tries to cleanup a bunch of these errors. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #8196 from giuseppe/specgen-swap-limit-err-messageOpenShift Merge Robot2020-10-30
|\ \ \ | | | | | | | | specgen: fix error message
| * | | specgen: fix error messageGiuseppe Scrivano2020-10-30
| |/ / | | | | | | | | | | | | | | | drop spurious comma. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>