summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* policy for seccomp-profile selectionValentin Rothberg2020-01-09
| | | | | | | | | | | | | | | | | | Implement a policy for selecting a seccomp profile. In addition to the default behaviour (default profile unless --security-opt seccomp is set) add a second policy doing a lookup in the image annotation. If the image has the "io.containers.seccomp.profile" set its value will be interpreted as a seccomp profile. The policy can be selected via the new --seccomp-policy CLI flag. Once the containers.conf support is merged into libpod, we can add an option there as well. Note that this feature is marked as experimental and may change in the future. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #4802 from rhatdan/varlinkOpenShift Merge Robot2020-01-09
|\ | | | | Fix podman-remote info to show registry data
| * Fix podman-remote info to show registry dataDaniel J Walsh2020-01-07
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #4816 from vrothberg/lintOpenShift Merge Robot2020-01-08
|\ \ | | | | | | Fix golint errors
| * | fix lint - pkg/varlinkapi/virtwriterValentin Rothberg2020-01-08
| | | | | | | | | | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * | fix lint - pkg/util: func commentValentin Rothberg2020-01-08
| | | | | | | | | | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * | fix lint - pkg/specValentin Rothberg2020-01-08
| | | | | | | | | | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * | fix lint in pkg/rootlessValentin Rothberg2020-01-08
| | | | | | | | | | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * | fix lint - pkg/network: comment exported typesValentin Rothberg2020-01-08
| | | | | | | | | | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * | fix lint - pkg/adapter: comment exported APIValentin Rothberg2020-01-08
| | | | | | | | | | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #4712 from openSUSE/untag-commandOpenShift Merge Robot2020-01-08
|\ \ \ | |/ / |/| | Add `untag` sub-command
| * | Add `untag` sub-commandSascha Grunert2020-01-08
| |/ | | | | | | | | | | | | | | Podman now supports untagging images via the `untag` sub-command for the root and `image` commands. Testing and documentation has been added as well. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* / rootless: use RootlessKit port forwarderAkihiro Suda2020-01-08
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | RootlessKit port forwarder has a lot of advantages over the slirp4netns port forwarder: * Very high throughput. Benchmark result on Travis: socat: 5.2 Gbps, slirp4netns: 8.3 Gbps, RootlessKit: 27.3 Gbps (https://travis-ci.org/rootless-containers/rootlesskit/builds/597056377) * Connections from the host are treated as 127.0.0.1 rather than 10.0.2.2 in the namespace. No UDP issue (#4586) * No tcp_rmem issue (#4537) * Probably works with IPv6. Even if not, it is trivial to support IPv6. (#4311) * Easily extensible for future support of SCTP * Easily extensible for future support of `lxc-user-nic` SUID network RootlessKit port forwarder has been already adopted as the default port forwarder by Rootless Docker/Moby, and no issue has been reported AFAIK. As the port forwarder is imported as a Go package, no `rootlesskit` binary is required for Podman. Fix #4586 May-fix #4559 Fix #4537 May-fix #4311 See https://github.com/rootless-containers/rootlesskit/blob/v0.7.0/pkg/port/builtin/builtin.go Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* play kube: make seccomp handling better conform to k8sPeter Hunt2020-01-03
| | | | | | | Add flag --seccomp-profile-root in play kube to allow users to specify where to look for seccomp profiles update tests Signed-off-by: Peter Hunt <pehunt@redhat.com>
* refactor network commandsbaude2019-12-29
| | | | | | | move core of network commands from pkg/adapter to pkg/network to assist with api development and remote podman commands. Signed-off-by: baude <bbaude@redhat.com>
* signal parsing - better input validationEd Santiago2019-12-26
| | | | | | | | | | | | | | | | | | | | | | The helper function we use for signal name mapping does not check for negative numbers nor invalid (too-high) ones. This can yield unexpected error messages: # podman kill -s -1 foo ERRO[0000] unknown signal "18446744073709551615" This PR introduces a small wrapper for it that: 1) Strips off a leading dash, allowing '-1' or '-HUP' as valid inputs; and 2) Rejects numbers <1 or >64 (SIGRTMAX) Also adds a test suite checking signal handling as well as ensuring that invalid signals are rejected by the command line. Fixes: #4746 Signed-off-by: Ed Santiago <santiago@redhat.com>
* add struct response for removal of imagesbaude2019-12-23
| | | | | | | | when removing an image from storage, we should return a struct that details what was untagged vs deleted. this replaces the simple println's used previously and assists in API development. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #4643 from adrianreber/masterOpenShift Merge Robot2019-12-17
|\ | | | | Correctly export the root file-system changes
| * Correctly export the root file-system changesAdrian Reber2019-12-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When doing a checkpoint with --export the root file-system diff was not working as expected. Instead of getting the changes from the running container to the highest storage layer it got the changes from the highest layer to that parent's layer. For a one layer container this could mean that the complete root file-system is part of the checkpoint. With this commit this changes to use the same functionality as 'podman diff'. This actually enables to correctly diff the root file-system including tracking deleted files. This also removes the non-working helper functions from libpod/diff.go. Signed-off-by: Adrian Reber <areber@redhat.com>
* | Merge pull request #4681 from jvanz/issue4553OpenShift Merge Robot2019-12-17
|\ \ | | | | | | podman: mirror information
| * | podman: mirror informationJosé Guilherme Vanz2019-12-12
| | | | | | | | | | | | | | | | | | | | | | | | Updates the podman info command to show the mirror information Issue https://github.com/containers/libpod/issues/4553 Signed-off-by: José Guilherme Vanz <jvanz@jvanz.com>
* | | Merge pull request #4677 from baude/execenvfileOpenShift Merge Robot2019-12-11
|\ \ \ | | | | | | | | allow exec to read files of environment variables
| * | | allow exec to read files of environment variablesbaude2019-12-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | we want the ability to define environment variables in files for the exec command. Fixes: #1782408 Signed-off-by: baude <bbaude@redhat.com>
* | | | move image filters under libpod/imagesbaude2019-12-10
|/ / / | | | | | | | | | | | | | | | | | | | | | to make things more effecient for the api work we are doing, we should process image filters internally (as opposed to in main). this allows for better api responses and more closely affiliated functions. Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #4517 from baude/macvlanOpenShift Merge Robot2019-12-09
|\ \ \ | |_|/ |/| | macvlan networks
| * | macvlan networksbaude2019-12-09
| | | | | | | | | | | | | | | | | | add the ability to a macvlan network with podman network create. Signed-off-by: baude <bbaude@redhat.com>
* | | Return empty runtime directory if we're not rootlessJonathan Dieter2019-12-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, we return a runtime directory of the form `/run/user/<uid>`, even when running as root. Depending on configuration, that directory may be deleted when the user logs out, which is quite awkward when the container is started as a systemd service and then someone logs in and out as root. This patch fixes the problem by returning an empty runtime directory if the container is being started by root. The runtime should automatically use the default runtime directory (`/run/crun` when crun is used), which should be accessible to root. Tested in Fedora 31 by running containers under both root and a regular user. State for root containers is stored in `/run/crun`, while state for rootless containers is in `/run/user/<uid>/crun`. Signed-off-by: Jonathan Dieter <jdieter@gmail.com>
* | | Merge pull request #4563 from mheon/fix_change_parsingOpenShift Merge Robot2019-12-06
|\ \ \ | | | | | | | | Fix parsing for arrays of values in image changes
| * | | Add ONBUILD support to --changeMatthew Heon2019-12-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Return types had to change a bit for this, but since we can wrap the old v1.ImageConfig, changes are overall not particularly bad. At present, I believe this only works with commit, not import. This matches how things were before we changed to the new parsing so I think this is fine. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | | Completely rework --change parsingMatthew Heon2019-12-04
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The way we were trying to parse was very broken. I originally attempted to use Buildah's Dockerfile parser here, but dealing with it (and convincing it to accept only a limited subset, and only one instruction at a time) was challenging, so I rewrote a subset of Dockerfile parsing. This should handle most common cases well, though there are definitely unhandled edge cases for ENV and LABEL. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* / | Use terminal detach keys sequence specified in the config fileMarco Vedovati2019-12-06
|/ / | | | | | | | | | | Fixes: #4556 Signed-off-by: Marco Vedovati <mv@sba.lat>
* | rootless: add fallback for renameat2 at runtimeGiuseppe Scrivano2019-12-04
| | | | | | | | | | | | | | | | | | | | | | | | the renameat2 syscall might be defined in the C library but lacking support in the kernel. In such case, let it fallback to open(O_CREAT)+rename as it does on systems lacking the definition for renameat2. Closes: https://github.com/containers/libpod/issues/4570 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Ignore ErrCtrRemoved when removing a containerDaniel J Walsh2019-12-03
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #4596 from kunalkushwaha/container-pruneOpenShift Merge Robot2019-12-02
|\ \ | | | | | | container prune command fixed as per docker prune command
| * | filter added to container prune commandKunal Kushwaha2019-11-29
| | | | | | | | | | | | | | | | | | | | | filter flag helps to filter the containers based on labels, until(time), name, etc for prune command. Signed-off-by: Kunal Kushwaha <kunal.kushwaha@gmail.com>
* | | Add podman system reset commandDaniel J Walsh2019-11-29
|/ / | | | | | | | | | | | | This command will destroy all data created via podman. It will remove containers, images, volumes, pods. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #4568 from openSUSE/historyOpenShift Merge Robot2019-11-27
|\ \ | | | | | | Add support for image name history
| * | Add support for image name historySascha Grunert2019-11-27
| | | | | | | | | | | | | | | | | | | | | | | | We leverage the containers/storage image history tracking feature to show the previously used image names when running: `podman images --history` Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* | | Remove containers when pruning a stopped pod.Qi Wang2019-11-26
|/ / | | | | | | | | | | | | This path allows pod prune & pod rm to remove stopped containers in the pod before deleting the pod. PrunePods and RemovePod should be able to remove containers without force removal of stopped pods. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | podman {pod,} rm/stop: add --ignore flagValentin Rothberg2019-11-25
| | | | | | | | | | | | | | | | | | | | | | | | Add an --ignore flag to podman rm and stop. When specified, Podman will ignore "no such {container,pod}" errors that occur when a specified container/pod is not present in the store (anymore). The motivation behind adding this flag is to write more robust systemd services using Podman. A user might have manually decided to remove a container/pod which would lead to a failure during the `ExecStop` directive of a systemd service referencing that container/pod. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #4512 from kunalkushwaha/prune-filterOpenShift Merge Robot2019-11-22
|\ \ | | | | | | image prune command fixed as per docker image prune.
| * | filter added to image pruge command.Kunal Kushwaha2019-11-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | filter option accepts two filters. - label - until label supports "label=value" or "label=key=value" format until supports all golang compatible time/duration formats. Signed-off-by: Kunal Kushwaha <kunal.kushwaha@gmail.com>
| * | timestamp related functions addedKunal Kushwaha2019-11-14
| | | | | | | | | | | | | | | | | | | | | | | | timetype package include functions for calculating time input in string as one of golang duration format and calculate as unix timestamp Signed-off-by: Kunal Kushwaha <kunal.kushwaha@gmail.com>
* | | Merge pull request #4528 from haircommander/kube-seccompOpenShift Merge Robot2019-11-22
|\ \ \ | | | | | | | | Handle seccomp annotations in play kube
| * | | play kube: handle seccomp labelsPeter Hunt2019-11-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Add handling of seccomp annotations to play kube at both container and pod levels. also add a test Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | | Merge pull request #4523 from vrothberg/systemd-improvementsOpenShift Merge Robot2019-11-19
|\ \ \ \ | |/ / / |/| | | podman rm/stop --cidfile
| * | | podman rm/stop --cidfileValentin Rothberg2019-11-18
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | Add a --cidfile flag to podman rm/stop to pass a container ID via a file. Podman run already provides the functionaly to store the ID in a specified file which we now complete with rm/stop. This allows for a better life-cycle management in systemd services. Note that --cdifile can be specified multiple times to rm/stop. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #4368 from haircommander/pod-annotationsOpenShift Merge Robot2019-11-15
|\ \ \ | |/ / |/| | Add pod annotations to container
| * | Add annotations in play kubePeter Hunt2019-11-08
| |/ | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* / codespell: spelling correctionsDmitry Smirnov2019-11-13
|/ | | | Signed-off-by: Dmitry Smirnov <onlyjob@member.fsf.org>