summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* pkg/autoupdate: "image" policy: add deprecation commentValentin Rothberg2022-08-04
| | | | | | | | The "image" policy has been deprecated in favor of the more precise "registry" policy. Add a code comment to leave some breadcrumbs for future generations. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* pkg/autoupdate: decompose the update logicValentin Rothberg2022-08-04
| | | | | | | | | | | | | Decompose the update logic into smaller steps (update check, update, rollback, etc.) and move the implementation into the `task` API. This allows to transition a task from state to state, independent of its underlying auto-update policy. Supporting more than one container per unit is now really close. [NO NEW TESTS NEEDED] - should not change behavior. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* pkg/autoupdate: move status into `task`Valentin Rothberg2022-08-04
| | | | | | | | | | As state should be kept in a single `task`. This will allow for separating updates from rollbacks which will be needed to support multiple containers/tasks in a single unit. [NO NEW TESTS NEEDED] - should not change behavior. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* pkg/autoupdate: document fields of `updater`Valentin Rothberg2022-08-04
| | | | Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* pkg/autoupdate: remove image map from updaterValentin Rothberg2022-08-04
| | | | | | | It is not state needed after assembling the tasks, so remove it to keep the task struct simpler. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* pkg/autoupdate: use policy consts were possibleValentin Rothberg2022-08-04
| | | | Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* pkg/autoupdate: introduce status constantsValentin Rothberg2022-08-04
| | | | | | | | To replace redundant string scattered across the code with proper constants. The "status" will further be useful in a future change as it can be moved into a `task`. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* pkg/autoupdate: move authfile into `tasks`Valentin Rothberg2022-08-04
| | | | | | | | | Will simplify the code and speed up things as we do not consult a container's labels multiple times. [NO NEW TESTS NEEDED] - should not change behavior. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* pkg/autoupdate: move more logic under `task`Valentin Rothberg2022-08-04
| | | | | | | | | | | This will simplify the logic and pave the way for abstracting the auto-update policies to a certain degree that allows us to better control _when_ the updates and rollbacks happen and will ultimately reduce redundant code. [NO NEW TESTS NEEDED] - should not change behavior. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* pkg/autoupdate: s/updateImage/pullImage/Valentin Rothberg2022-08-04
| | | | | | "pull" is more expressive. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* pkg/autoupdate: repull image if other containers failedValentin Rothberg2022-08-04
| | | | | | | | | | | | If two containers use the same image and one rolled back (i.e., tagged the old image again), make sure to repull the image for the other container. Once an image has caused a rollback, it may be worth marking this image as broken and not update any other container using it but that is outside of the scope. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* pkg/autoupdate: update unit-by-unitValentin Rothberg2022-08-04
| | | | | | | | | | | Change the auto-update logic to update unit-by-unit rather by policy. This allows for, in theory now and in practice later, to have mutliple containers run in a single systemd unit and update them in sequence before restarting the unit. [NO NEW TESTS NEEDED] - should not change behavior. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* pkg/autoupdate: introduce the notion of a `task`Valentin Rothberg2022-08-04
| | | | | | | | | | A `task` includes data and state for updating a given container image. It will come in handy in future changes, but we are going there in baby steps to have smaller incremental changes. [NO NEW TESTS NEEDED] - should not change behaviour. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* pkg/autoupdate: remove redundant branchValentin Rothberg2022-08-04
| | | | | | [NO NEW TESTS NEEDED] - should not change behavior. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* pkg/autoupdate: move policy map into updaterValentin Rothberg2022-08-04
| | | | | | [NO NEW TESTS NEEDED] - should not change behavior. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* pkg/autoupdate: introduce `updater` for shared stateValentin Rothberg2022-08-04
| | | | | | | | | Introduce an `updater` type to allow for sharing state. This will be more useful for future changes. [NO NEW TESTS NEEDED] as it does not change behavior. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* Merge pull request #15158 from cdoern/secretsDaniel J Walsh2022-08-04
|\ | | | | add omitempty to Secret in k8s VolumeSource
| * add omitempty to Secret in k8s VolumeSourceCharlie Doern2022-08-03
| | | | | | | | | | | | | | | | | | Secret was populating a generated kube as `null`. Add omitempty so that when the volume source is not a secret, we do not print unnecessary info resolves #15156 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | Merge pull request #15068 from n1hility/wsl-as-useropenshift-ci[bot]2022-08-04
|\ \ | |/ |/| Default to rootless via Windows WSL prompt / Lock to WSL2
| * Add support, and default to rootless w/WSL promptJason T. Greene2022-08-02
| | | | | | | | | | | | Also force installation to use WSL2 to prevent accidental usage of WSL1 Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
| * Disable F36 service that is incompat with WSL kernJason T. Greene2022-08-02
| | | | | | | | | | | | (requires psi) Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
* | Merge pull request #15084 from sstosh/rm-filteropenshift-ci[bot]2022-08-03
|\ \ | | | | | | Add rm --filter option
| * | Add rm --filter optionToshiki Sonoda2022-07-30
| | | | | | | | | | | | | | | | | | --filter : remove the filtered container. Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
* | | Merge pull request #15119 from nicrowe00/15071OpenShift Merge Robot2022-08-02
|\ \ \ | | | | | | | | switch from "kube/play" endpoint to "play/kube" endpoint.
| * | | switch from "kube/play" endpoint to "play/kube" endpoint.Niall Crowe2022-08-02
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | When podman kube play was added the endpoint for the kube play/play kube commands was switched from the "play kube" endpoint to the new "kube play" endpoint. This caused issues with the remote client, requiring the need to use the "play kube" endpoint again in order to avoid these issues. Signed-off-by: Niall Crowe <nicrowe@redhat.com>
* / | podman generate systemd --new: allow -h hostnamePaul Holzinger2022-08-02
|/ / | | | | | | | | | | | | | | | | | | podman run/create can accept `-h <hostname>` as argument. When parsing flags -h throws an help requested error from pflag. To prevent this error we have to define the help flag. Fixes #15124 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #15108 from mtrmac/sigstore-signOpenShift Merge Robot2022-08-01
|\ \ | | | | | | Sigstore sign
| * | Add support for creating sigstore signatures, and providing passphrasesMiloslav Trmač2022-07-30
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Allow creating sigstore signatures via --sign-by-sigstore-private-key . Like existing --sign-by, it does not work remote (in this case because we would have to copy the private key to the server). - Allow passing a passphrase (which is mandatory for sigstore private keys) via --sign-passphrase-file; if it is not provided, prompt interactively. - Also, use that passphrase for --sign-by as well, allowing non-interactive GPG use. (But --sign-passphrase-file can only be used with _one of_ --sign-by and --sign-by-sigstore-private-key.) Note that unlike the existing code, (podman build) does not yet implement sigstore (I'm not sure why it needs to, it seems not to push images?) because Buildah does not expose the feature yet. Also, (podman image sign) was not extended to support sigstore. The test for this follows existing (podman image sign) tests and doesn't work rootless; that could be improved by exposing a registries.d override option. The test for push is getting large; I didn't want to start yet another registry container, but that would be an alternative. In the future, Ginkgo's Ordered/BeforeAll would allow starting a registry once and using it for two tests. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | Merge pull request #15056 from Luap99/generate-systemd-sdnotifyOpenShift Merge Robot2022-08-01
|\ \ | | | | | | podman generate systemd: handle --sdnotify correctly
| * | podman generate systemd: handle --sdnotify correctlyPaul Holzinger2022-07-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a container was created with `--sdnotify value` we would remove this arg instead of using it like with `--sdnotfiy=value`. Also when the arg is set to ignore we should force conmon in order to make the resulting Type=notify units work. Fixes #15052 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Add flag "--compression-format" to "podman manifest push" both in ↵Romain Geissler2022-07-30
| |/ |/| | | | | | | | | | | | | | | local/remote mode. Also Fix usage of flag "--compression-format" for remote "podman image push". Fix usage of flags "--format", "--remove-signatures" in remote "podman manifest push". Closes #15109. Signed-off-by: Romain Geissler <romain.geissler@amadeus.com>
* | Use 8k buffer to help clients w/ broken parsingJason T. Greene2022-07-29
| | | | | | | | Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
* | With --rm option remove container if podman run failsDaniel J Walsh2022-07-28
| | | | | | | | | | | | Fixes https://github.com/containers/podman/issues/15049 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #15034 from sstosh/manifest-push-rmOpenShift Merge Robot2022-07-27
|\ \ | | | | | | Fix: manifest push --rm removes a correct manifest list
| * | Fix: manifest push --rm removes a correct manifest listToshiki Sonoda2022-07-27
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This bug is reproduced when we execute the following command: 1. podman manifest add <manifest list> <images exist on local storage> 2. podman manifest push --rm <manifest list> dir:<directory> If pushing succeeds, it is expected to remove only a manifest list. However, manifest list remains on local storage and images are removed. This commit fixes `podman manifest push --rm` to remove only a manifest list. And, supports `manifest push --rm option` in remote environment, like host environment. Fixes: https://github.com/containers/podman/issues/15033 Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
* | Merge pull request #14997 from cdoern/pruneOpenShift Merge Robot2022-07-27
|\ \ | | | | | | prune filter handling
| * | prune filter handlingCharlie Doern2022-07-25
| |/ | | | | | | | | | | | | | | | | network and container prune could not handle the label!=... filter. vendor in c/common to fix this and add some podman level handling to make everything run smoothly resolves #14182 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | Merge pull request #15061 from cfergeau/always-trueOpenShift Merge Robot2022-07-26
|\ \ | | | | | | machine: Fix check which is always true
| * | machine: Fix check which is always trueChristophe Fergeau2022-07-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Before making / mutable/immutable, podman-machine checks if the mount is being done in /home or /mnt. However the current check is always going to be true: ``` !strings.HasPrefix(mount.Target, "/home") || !strings.HasPrefix(mount.Target, "/mnt") ``` is false when mount.Target starts with "/home" and mount.Target starts with "/mnt", which cannot happen at the same time. The correct check is: ``` !strings.HasPrefix(mount.Target, "/home") && !strings.HasPrefix(mount.Target, "/mnt") ``` which can also be written as: ``` !(strings.HasPrefix(mount.Target, "/home") || strings.HasPrefix(mount.Target, "/mnt")) ``` The impact is not too bad, it results in extra 'chattr -i' calls which should be unneeded. [NO NEW TESTS NEEDED] Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
* | | Merge pull request #15057 from marshall-lee/tls-verify-default-trueOpenShift Merge Robot2022-07-26
|\ \ \ | |/ / |/| | Set TLSVerify=true by default for API endpoints
| * | Set TLSVerify=true by default for API endpointsVladimir Kochnev2022-07-26
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Option defaults in API must be the same as in CLI. ``` % podman image push --help % podman image pull --help % podman manifest push --help % podman image search --help ``` All of these CLI commands them have --tls-verify=true by default: ``` --tls-verify require HTTPS and verify certificates when accessing the registry (default true) ``` As for `podman image build`, it doesn't have any means to control `tlsVerify` parameter but it must be true by default. Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
* / Semiperiodoc cleanup of obsolete FIXMEsEd Santiago2022-07-25
|/ | | | | | | | | | | | | | | | Some refer to issues that are closed. Remove them. Some are runc bugs that will never be fixed. Say so, and remove the FIXME. One (bps/iops) should probably be fixed. File an issue for it, and update comment to include the issue# so my find-obsolete-skips script can track it. And one (rootless mount with a "kernel bug?" comment) is still not fixed. Leave the skip, but add a comment documenting the symptom. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #15035 from cdoern/cgroupOpenShift Merge Robot2022-07-23
|\ | | | | fix container create/run throttle devices
| * fix container create/run throttle devicesCharlie Doern2022-07-22
| | | | | | | | | | | | pod resource limits introduced a regression where `FinishThrottleDevices` was not called for create/run Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | Merge pull request #14967 from sstosh/pause-optionOpenShift Merge Robot2022-07-22
|\ \ | | | | | | Add pause/unpause --latest, --cidfile, --filter
| * | Add pause/unpause --latest, --cidfile, --filterToshiki Sonoda2022-07-20
| | | | | | | | | | | | | | | | | | | | | | | | --latest : pause/unpause the latest container. --filter : pause/unpause the filtered container. --cidfile : Read container ID from the specified file and pause/unpause the container. Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
* | | Merge pull request #15040 from Luap99/api-umaskOpenShift Merge Robot2022-07-22
|\ \ \ | | | | | | | | API: libpod/create use correct default umask
| * | | API: libpod/create use correct default umaskPaul Holzinger2022-07-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make sure containers created via API have the correct umask from containers.conf set. Fixes #15036 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | | Merge pull request #14567 from cdoern/secretsOpenShift Merge Robot2022-07-22
|\ \ \ \ | |_|_|/ |/| | | Implement kubernetes secret handling for podman play kube
| * | | kube secret handling for podman play kubecdoern2022-07-20
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | add support for both creating a secret using yaml and mounting a secret as a volume given a yaml file. Kubernetes secrets have a different structure than podman and therefore have to be handeled differently. In this PR, I have introduced the basic usecases of kube secrets with more implementations like env secrets to come! resolves #12396 Signed-off-by: Charlie Doern <cdoern@redhat.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-10-22 22:17:13 +0000