summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Merge pull request #3876 from mheon/fix_mount_flagsOpenShift Merge Robot2019-09-04
|\ | | | | Allow suid, exec, dev mount options to cancel nosuid/noexec/nodev
| * Fix addition of mount options when using RO tmpfsMatthew Heon2019-08-28
| | | | | | | | | | | | | | | | For read-only containers set to create tmpfs filesystems over /run and other common destinations, we were incorrectly setting mount options, resulting in duplicate mount options. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Allow :z and :Z with ProcessOptionsMatthew Heon2019-08-28
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Set base mount options for bind mounts from base systemMatthew Heon2019-08-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If I mount, say, /usr/bin into my container - I expect to be able to run the executables in that mount. Unconditionally applying noexec would be a bad idea. Before my patches to change mount options and allow exec/dev/suid being set explicitly, we inferred the mount options from where on the base system the mount originated, and the options it had there. Implement the same functionality for the new option handling. There's a lot of performance left on the table here, but I don't know that this is ever going to take enough time to make it worth optimizing. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Don't double-process tmpfs optionsMatthew Heon2019-08-28
| | | | | | | | | | | | | | | | We already process the options on all tmpfs filesystems during final addition of mounts to the spec. We don't need to do it before that in parseVolumes. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Add support for 'exec', 'suid', 'dev' mount flagsMatthew Heon2019-08-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, we explicitly set noexec/nosuid/nodev on every mount, with no ability to disable them. The 'mount' command on Linux will accept their inverses without complaint, though - 'noexec' is counteracted by 'exec', 'nosuid' by 'suid', etc. Add support for passing these options at the command line to disable our explicit forcing of security options. This also cleans up mount option handling significantly. We are still parsing options in more than one place, which isn't good, but option parsing for bind and tmpfs mounts has been unified. Fixes: #3819 Fixes: #3803 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | pkg/util: use rootless function to read additional usersGiuseppe Scrivano2019-09-03
| | | | | | | | | | | | | | make pkg/rootless.GetConfiguredMappings public so that it can be used from pkg/util. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | rootless: detect user namespace configuration changesGiuseppe Scrivano2019-09-03
| | | | | | | | | | | | | | | | | | | | | | detect if the current user namespace doesn't match the configuration in the /etc/subuid and /etc/subgid files. If there is a mismatch, raise a warning and suggest the user to recreate the user namespace with "system migrate", that also restarts the containers. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | spec: provide custom implementation for getDevicesGiuseppe Scrivano2019-09-02
| | | | | | | | | | | | | | | | | | | | | | | | provide an implementation for getDevices that skip unreadable directories for the current user. Based on the implementation from runc/libcontainer. Closes: https://github.com/containers/libpod/issues/3919 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | spec: do not set devices cgroup when rootlessGiuseppe Scrivano2019-09-02
| | | | | | | | | | | | eBPF requires to be root in the init namespace. Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* | rootless: bind mount devices instead of creating themGiuseppe Scrivano2019-09-02
| | | | | | | | | | | | | | | | | | | | | | when running in rootless mode, --device creates a bind mount from the host instead of specifying the device in the OCI configuration. This is required as an unprivileged user cannot use mknod, even when root in a user namespace. Closes: https://github.com/containers/libpod/issues/3905 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* | dont panic when using varlink commit and uppercase image namesbaude2019-08-29
|/ | | | | | | | | when using an upper case image name for container commit, we observed panics due to a channel closing early. Fixes: #3897 Signed-off-by: baude <bbaude@redhat.com>
* Update varlink doc and codeJhon Honce2019-08-26
| | | | | | | | * Improved error message * Added documentation * Updated messages to include missing data Signed-off-by: Jhon Honce <jhonce@redhat.com>
* clean up after remote buildbaude2019-08-25
| | | | | | | | | | when performing an image build over a varlink connection, we should clean up tmp files that are a result of sending the file to the host and untarring it for the build. Fixes: #3869 Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3800 from vrothberg/generate-podOpenShift Merge Robot2019-08-22
|\ | | | | generate systemd pod
| * generate systemd: support pods and geneartig filesValentin Rothberg2019-08-21
| | | | | | | | | | | | | | | | | | | | | | Support generating systemd unit files for a pod. Podman generates one unit file for the pod including the PID file for the infra container's conmon process and one unit file for each container (excluding the infra container). Note that this change implies refactorings in the `pkg/systemdgen` API. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * generate systemd: drop support for remote clientsValentin Rothberg2019-08-21
| | | | | | | | | | | | | | | | | | | | | | | | Drop the support for remote clients to generate systemd-service files. The generated files are machine-dependent and hence relate only to the a local machine. Furthermore, a proper service management when using a remote-client is not possible as systemd has no access to a process. Dropping the support will also reduce the risk of making users believe that the generated services are usable in a remote scenario. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #3863 from TomSweeneyRedHat/dev/tsweeney/digestfile2OpenShift Merge Robot2019-08-21
|\ \ | | | | | | Add --digestfile option to push
| * | Add --digestfile option to pushTomSweeneyRedHat2019-08-21
| |/ | | | | | | | | | | | | | | | | | | Add the digestfile option to the push command so the digest can be stored away in a file when requested by the user. Also have added a debug statement to show the completion of the push. Emulates Buildah's https://github.com/containers/buildah/pull/1799/files Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* | Merge pull request #2940 from giuseppe/drop-firewallOpenShift Merge Robot2019-08-21
|\ \ | |/ |/| networking: use firewall plugin
| * networking: use firewall pluginGiuseppe Scrivano2019-08-19
| | | | | | | | | | | | | | drop the pkg/firewall module and start using the firewall CNI plugin. It requires an updated package for CNI plugins. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #3569 from rhatdan/cgroupsv1OpenShift Merge Robot2019-08-20
|\ \ | | | | | | Fix error message on podman stats on cgroups v1 rootless environments
| * | Fix error message on podman stats on cgroups v1 rootless environmentsDaniel J Walsh2019-08-19
| | | | | | | | | | | | | | | | | | | | | podman stats does not work in rootless environments with cgroups V1. Fix error message and document this fact. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #3760 from rhatdan/authOpenShift Merge Robot2019-08-19
|\ \ \ | | | | | | | | Use GetRuntimeDir to setup auth.json for login
| * | | Use GetRuntimeDir to setup auth.json for loginDaniel J Walsh2019-08-12
| | | | | | | | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Implement healthcheck for remote clientAshley Cui2019-08-19
| | | | | | | | | | | | | | | | | | | | | | | | Previously unimplemented. Works the same way the local one does, except its remote. Signed-off-by: Ashley Cui <ashleycui16@gmail.com>
* | | | Merge pull request #3848 from giuseppe/enable-all-tests-crunOpenShift Merge Robot2019-08-19
|\ \ \ \ | |_|_|/ |/| | | tests: enable all tests for crun
| * | | libpod, pkg: lookup also for crun failuresGiuseppe Scrivano2019-08-19
| | | | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | containers, create: debug message on failed deletionGiuseppe Scrivano2019-08-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | if the container failed to be created, don't assume it is still known to the OCI runtime. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #3709 from mheon/volume_inspectOpenShift Merge Robot2019-08-19
|\ \ \ \ | |_|_|/ |/| | | Change backend code for 'volume inspect'
| * | | Swap 'volume inspect' frontend to use the new backendMatthew Heon2019-08-02
| | | | | | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | | Implement backend for 'volume inspect'Matthew Heon2019-08-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Begin to separate the internal structures and frontend for inspect on volumes. We can't rely on keeping internal data structures for external presentation - separating presentation and internal data format is good practice. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #3836 from chenzhiwei/hostnameOpenShift Merge Robot2019-08-19
|\ \ \ \ | |_|/ / |/| | | Allow customizing pod hostname
| * | | Allow customizing pod hostnameChen Zhiwei2019-08-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | * set hostname in pod yaml file * set --hostname in pod create command Signed-off-by: Chen Zhiwei <zhiweik@gmail.com>
* | | | Merge pull request #3617 from QiWang19/create_pullOpenShift Merge Robot2019-08-17
|\ \ \ \ | |/ / / |/| | | add --pull flag for podman create&run
| * | | add --pull flag for podman create&runQi Wang2019-08-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Requirement from https://github.com/containers/libpod/issues/3575#issuecomment-512238393 Added --pull for podman create and pull to match the newly added flag in docker CLI. `missing`: default value, podman will pull the image if it does not exist in the local. `always`: podman will always pull the image. `never`: podman will never pull the image. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | | Merge pull request #3719 from baude/networklistOpenShift Merge Robot2019-08-16
|\ \ \ \ | | | | | | | | | | inclusion of podman network
| * | | | inclusion of podman networkbaude2019-08-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | adding podman network and the subcommands inspect, list, and rm. the inspect subcommand displays the raw cni network configuration. the list subcommand displays a summary of the cni networks ala ps. and the rm subcommand removes a cni network. Signed-off-by: baude <bbaude@redhat.com>
* | | | | Merge pull request #3796 from giuseppe/enable-cgroupsv2-crunOpenShift Merge Robot2019-08-16
|\ \ \ \ \ | | | | | | | | | | | | cirrus: enable cgroups v2 tests with crun
| * | | | | runtime: honor --runtime flag to buildGiuseppe Scrivano2019-08-13
| | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | | Merge pull request #3805 from ashley-cui/tmpfsOpenShift Merge Robot2019-08-16
|\ \ \ \ \ \ | |_|/ / / / |/| | | | | Remove --tmpfs size default
| * | | | | Remove --tmpfs size defaultAshley Cui2019-08-14
| |/ / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Docker has unlimited tmpfs size where Podman had it set to 64mb. Should be standard between the two. Remove noexec default Signed-off-by: Ashley Cui <ashleycui16@gmail.com>
* | | | | Merge pull request #3810 from giuseppe/use-cgroupsOpenShift Merge Robot2019-08-14
|\ \ \ \ \ | | | | | | | | | | | | pkg/cgroups: use DBUS session when rootless
| * | | | | pkg/cgroups: use DBUS session when rootlessGiuseppe Scrivano2019-08-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | use the DBUS user session when running in rootless mode. Closes: https://github.com/containers/libpod/issues/3801 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | | Merge pull request #3809 from chenzhiwei/fix-play-kubeOpenShift Merge Robot2019-08-14
|\ \ \ \ \ \ | |/ / / / / |/| | | | | Fix play kube command in pod yaml
| * | | | | Fix play kube command in pod yamlChen Zhiwei2019-08-14
| |/ / / / | | | | | | | | | | | | | | | Signed-off-by: Chen Zhiwei <zhiweik@gmail.com>
* / / / / Running Podman with a nonexistent hooks dir is nonfatalMatthew Heon2019-08-13
|/ / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | Even explicitly defined hooks directories may not exist under some circumstances. It's not worth a hard-fail if we hit an ENOENT in these cases. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #3753 from baude/varlinkrequiresrootOpenShift Merge Robot2019-08-12
|\ \ \ \ | |_|_|/ |/| | | varlink endpoint for containerstats requires root
| * | | varlink endpoint for containerstats requires rootbaude2019-08-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | obtaining containerstats requires the use of cgroups. at present, rootless users do not have privileges to create cgroups. add an error message that catches this for the varlink endpoint and return a proper error. Fixes: #3749 Signed-off-by: baude <bbaude@redhat.com>
* | | | Merge pull request #3789 from giuseppe/cirrus-add-crunOpenShift Merge Robot2019-08-12
|\ \ \ \ | | | | | | | | | | cirrus: run tests with crun