summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Merge pull request #15895 from dcermak/don-expose-dev-for-privilegedOpenShift Merge Robot2022-09-22
|\ | | | | Don't mount /dev/ inside privileged containers running systemd
| * Don't mount /dev/tty* inside privileged containers running systemdDan Čermák2022-09-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | According to https://systemd.io/CONTAINER_INTERFACE/, systemd will try take control over /dev/ttyN if exported, which can cause conflicts with the host's tty in privileged containers. Thus we will not expose these to privileged containers in systemd mode, as this is a bad idea according to systemd's maintainers. Additionally, this commit adds a bats regression test to check that no /dev/ttyN are present in a privileged container in systemd mode This fixes https://github.com/containers/podman/issues/15878 Signed-off-by: Dan Čermák <dcermak@suse.com>
* | Merge pull request #15131 from boaz0/closes_14707OpenShift Merge Robot2022-09-22
|\ \ | |/ |/| Add support to sig-proxy for podman-remote
| * Add support to sig-proxy for podman-remoteBoaz Shuster2022-09-20
| | | | | | | | Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
* | Merge pull request #15870 from idleroamer/podman-saveOpenShift Merge Robot2022-09-22
|\ \ | | | | | | podman-save: Add signature-policy flag
| * | cli: Add signature-policy flag to podman save😎Mostafa Emami2022-09-21
| |/ | | | | | | | | | | | | | | Allow overwrite of the signature-policy file by passing signature-policy flag to podman save command Closes: https://github.com/containers/podman/issues/15869 Signed-off-by: 😎Mostafa Emami <mustafaemami@gmail.com>
* | Fix a few missed io/ioutil -> os updatesChris Evich2022-09-21
| | | | | | | | | | | | Ref: https://github.com/containers/podman/pull/15871 Signed-off-by: Chris Evich <cevich@redhat.com>
* | Merge pull request #15871 from cevich/replace_ioutilOpenShift Merge Robot2022-09-21
|\ \ | | | | | | Replace deprecated ioutil
| * | Replace deprecated ioutilChris Evich2022-09-20
| |/ | | | | | | | | | | | | | | | | | | Package `io/ioutil` was deprecated in golang 1.16, preventing podman from building under Fedora 37. Fortunately, functionality identical replacements are provided by the packages `io` and `os`. Replace all usage of all `io/ioutil` symbols with appropriate substitutions according to the golang docs. Signed-off-by: Chris Evich <cevich@redhat.com>
* | Merge pull request #15837 from rhatdan/formatOpenShift Merge Robot2022-09-21
|\ \ | | | | | | Improve generate systemd format
| * | Improve generate systemd formatDaniel J Walsh2022-09-21
| |/ | | | | | | | | | | | | | | Fixes: https://github.com/containers/podman/issues/14897 Followup to #13814 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #15842 from ashley-cui/seclabelsOpenShift Merge Robot2022-09-21
|\ \ | | | | | | Add labels to secrets
| * | Add labels to secretsAshley Cui2022-09-20
| | | | | | | | | | | | | | | | | | | | | Add --label/-l label flag to secret create, and show labels when inspecting secrets. Also allow labeling secrets via libpod/compat API. Signed-off-by: Ashley Cui <acui@redhat.com>
* | | Merge pull request #15866 from boaz0/closes_15746OpenShift Merge Robot2022-09-21
|\ \ \ | |_|/ |/| | Fix podman-remote run --attach stdin to show container ID
| * | Fix podman-remote run --attach stdin to show container IDBoaz Shuster2022-09-20
| | | | | | | | | | | | Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
* | | Merge pull request #15072 from rhatdan/contextOpenShift Merge Robot2022-09-19
|\ \ \ | | | | | | | | Add support for podman context as alias to podman system connection
| * | | Add support for podman context as alias to podman system connectionDaniel J Walsh2022-09-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Alias podman --context -> podman --connection podman context use -> podman system connection default podman context rm -> podman system connection rm podman context create -> podman system connection add podman context ls ->podman system connection ls podman context inspect ->podman system connection ls --json (For specified connections) Podman context is a hidden command, but can be used for existing scripts that assume Docker under the covers. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | podman container clone env patchCharlie Doern2022-09-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman container clone was failing when env variables had multiple `=` in them. Switch split to splitn resolves #15836 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | | | Merge pull request #15812 from sstosh/checkpoint-export-rawinputOpenShift Merge Robot2022-09-16
|\ \ \ \ | |_|/ / |/| | | remote: checkpoint --export prints a rawInput or an error on remote
| * | | remote: checkpoint --export prints a rawInput or an error on remoteToshiki Sonoda2022-09-16
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | This commit fixes `container checkpoint --export` to print a rawInput or an error. Fixes: #15743 Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
* | | Revert "generate systemd: drop ExecStop"Valentin Rothberg2022-09-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit c20abf12c714f359c7bbb291c444530f70cb1185. In the absence of `ExecStop` step, systemd will send the stop/kill signals to the main PID while I asummed that systemd would jump directly to an ExecStopPost step instead. Hence revert the commit to let Podman take care of stopping rather than systemd. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | | generate systemd: drop ExecStopValentin Rothberg2022-09-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Drop the ExecStop step to simplify the generated units a bit. The extra ExecStopPost step was added by commit e5c343294424. If the main PID (i.e., conmon) is killed, systemd will not execute ExecStop (since the main PID is already down) but only execute the *Post steps. Credits to the late Ulrich Obergfell for tracking this issue down; he is missed. The ExecStop step can safely be dropped since the Post step will take of stopping (and removing) in any case. Context: #15686 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | | stats: cap memory limit to the available memoryGiuseppe Scrivano2022-09-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | Docker compatibility: cap the memory limit reported by the cgroup to the maximum available memory. Closes: https://github.com/containers/podman/issues/15765 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | stats: map MaxUsage to the correct valueGiuseppe Scrivano2022-09-15
|/ / | | | | | | | | | | and make sure it is not set for cgroup v2 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | System tests: fix three racesEd Santiago2022-09-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Three tests were running 'container rm' on 'start'ed containers that might not yet have exited. Fix. Also, tighten up the tests themselves, to make even more sure that they test what they're supposed to test. Discovered, in CI, that 'podman-remote logs --timestamps' was unimplemented. Thanks to @Luap99 for the fix to that. Fixes: #15783 Fixes: #15795 Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #15796 from vrothberg/fix-ciOpenShift Merge Robot2022-09-14
|\ \ | | | | | | fix ci: update systemd generate unit test
| * | fix ci: update systemd generate unit testValentin Rothberg2022-09-14
| | | | | | | | | | | | | | | | | | | | | Two PRs have been merged causing a failure in one unit test. Fix the unit test to turn CI green again. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | | Merge pull request #15769 from dfr/freebsd-statsOpenShift Merge Robot2022-09-14
|\ \ \ | |/ / |/| | Add support for 'podman stats' on FreeBSD
| * | pkg/rctl: Add a simple FreeBSD RCTL libraryDoug Rabson2022-09-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | Initially just supporting just rctl_get_racct for (*Container).GetContainerStats. [NO NEW TESTS NEEDED] we are not running any FreeBSD tests in CI Signed-off-by: Doug Rabson <dfr@rabson.org>
* | | Merge pull request #15777 from vrothberg/fix-14546OpenShift Merge Robot2022-09-14
|\ \ \ | | | | | | | | generate systemd: fix pod dependencies
| * | | generate systemd: fix pod dependenciesValentin Rothberg2022-09-13
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Change the dependencies from a pod unit to its associated container units from `Requires` to `Wants` to prevent the entire pod from transitioning to a failed state. Restart policies for individual containers can be configured separately. Also make sure that the pod's RunRoot is always set. Fixes: #14546 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | | [systemd] Ensure that podCreateArgs appear last in ExecStartPre=Dan Čermák2022-09-14
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When creating a new pod without the `--name` flag, e.g.: `podman pod create foobar` it will get the name `foobar` implicitly and this will be recorded as the in the `podCreateArgs`. Unfortunately, the implicit name only works if it appears as the **last** argument of the startup command. With 6e2e3a78ed1d05ee5f23f65b814e8135021961dd we started appending the pod security policy to the startCommand, resulting in the following `ExecStartPre=` line: ``` /usr/bin/podman pod create --infra-conmon-pidfile %t/pod-foobar.pid --pod-id-file %t/pod-foobar.pod-id foobar --exit-policy=stop ``` This fails to launch, as the `pod create` command expects only a single non-flag parameter, but it assumes that `exit-policy=stop` is a second and terminates immediately instead. This fixes https://github.com/containers/podman/issues/15592 Signed-off-by: Dan Čermák <dcermak@suse.com>
* | Merge pull request #15673 from Luap99/templateOpenShift Merge Robot2022-09-13
|\ \ | | | | | | Fix go template parsing with "\n" in it
| * | podman machine inspect: use report.Formatter over TemplatePaul Holzinger2022-09-13
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently the podman command --format output code uses a mix of report.Formatter and report.Template. I patched report.Formatter to correctly handle newlines[1]. Since we cannot fix this with report.Template we have to migrate all users to report.Formatter. This ensures consistent behavior for all commands. This change does not change the output, we can add a new test for the newline bug when the common PR is vendored in. Also fix a bug where a invlaid template would not cause a exit code > 0, see the added test case. [1] https://github.com/containers/common/pull/1146 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #15753 from mheon/fix_15720OpenShift Merge Robot2022-09-13
|\ \ | | | | | | Ensure that the DF endpoint updated volume refcount
| * | Ensure that the DF endpoint updated volume refcountMatthew Heon2022-09-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The field was already exposed already in the `system df` output so this just required a bit of plumbing and testing. As part of this, fix `podman systemd df` volume in-use logic. Previously, volumes were only considered to be in use if the container using them was running. This does not match Docker's behavior, where a volume is considered in use as long as a container exists that uses the volume, even if said container is not running. Fixes #15720 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | generate systemd: warn on --restart without --newValentin Rothberg2022-09-13
| |/ |/| | | | | | | | | | | | | | | | | | | Emit a warning to the user when generating a unit with --new on a container that was created with a custom --restart policy. As shown in #15284, a custom --restart policy in that case can lead to issues on system shutdown where systemd attempts to nuke the unit but Podman keeps on restarting the container. Fixes: #15284 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | Use new secret store APIAshley Cui2022-09-12
| | | | | | | | | | | | | | | | | | Refactored secrets API in common for stability purposes. Move podman to said API. [NO NEW TESTS NEEDED] Signed-off-by: Ashley Cui <acui@redhat.com>
* | Merge pull request #15511 from rhatdan/codespellOpenShift Merge Robot2022-09-12
|\ \ | | | | | | Fix stutters
| * | Fix stuttersDaniel J Walsh2022-09-10
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | Podman adds an Error: to every error message. So starting an error message with "error" ends up being reported to the user as Error: error ... This patch removes the stutter. Also ioutil.ReadFile errors report the Path, so wrapping the err message with the path causes a stutter. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | refactor: use `os.ReadDir` for lightweight directory readingEng Zer Jun2022-09-11
| | | | | | | | | | | | | | | | `os.ReadDir` was added in Go 1.16 as part of the deprecation of `ioutil` package. It is a more efficient implementation than `ioutil.ReadDir`. Reference: https://pkg.go.dev/io/ioutil#ReadDir Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
* | Fix CPU usage limitation in play kube for non integer valuesMikhail Khachayants2022-09-10
|/ | | | | | | | | | This logic has been broken by commit 9c6c981928c3e020ff6eef9454c7ee86aa8c83d1 (kube: fix conversion from milliCPU to period/quota). [NO NEW TESTS NEEDED] Fixes: #15726 Signed-off-by: Mikhail Khachayants <tyler92@inbox.ru>
* Merge pull request #15687 from vrothberg/RUN-1639OpenShift Merge Robot2022-09-09
|\ | | | | health check: add on-failure actions
| * health check: add on-failure actionsValentin Rothberg2022-09-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For systems that have extreme robustness requirements (edge devices, particularly those in difficult to access environments), it is important that applications continue running in all circumstances. When the application fails, Podman must restart it automatically to provide this robustness. Otherwise, these devices may require customer IT to physically gain access to restart, which can be prohibitively difficult. Add a new `--on-failure` flag that supports four actions: - **none**: Take no action. - **kill**: Kill the container. - **restart**: Restart the container. Do not combine the `restart` action with the `--restart` flag. When running inside of a systemd unit, consider using the `kill` or `stop` action instead to make use of systemd's restart policy. - **stop**: Stop the container. To remain backwards compatible, **none** is the default action. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | Merge pull request #15692 from giuseppe/pod-spec-usernsOpenShift Merge Robot2022-09-09
|\ \ | | | | | | kube: plug HostUsers in the pod spec
| * | kube: plug HostUsers in the pod specGiuseppe Scrivano2022-09-08
| |/ | | | | | | | | | | | | | | | | | | | | | | map HostUsers=false to userns=auto. One difference with the current implementation in the Kubelet is that the podman default size is 1024 while the Kubelet uses 65536. This is done on purpose, because 65536 is a problem for rootless as the entire IDs space would be allocated to a single pod. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #15712 from sstosh/fix-swaggerOpenShift Merge Robot2022-09-09
|\ \ | | | | | | Fix swagger documentation
| * | Fix swagger documentationToshiki Sonoda2022-09-09
| |/ | | | | | | | | | | | | | | | | * ContainerKillLibpod "signal" query default is SIGKILL. * ContainerStopLibpod "all" query doesn't exist. [NO NEW TESTS NEEDED] Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
* | Merge pull request #15658 from rhatdan/configOpenShift Merge Robot2022-09-09
|\ \ | | | | | | Add --config for Docker compatibility
| * | Add --config for Docker compatibilityDaniel J Walsh2022-09-08
| | | | | | | | | | | | | | | | | | Fixes: https://github.com/containers/podman/issues/14767 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>