| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
| |
Use a pipe instead of a temporary file to load the apparmor profile.
This change has a measurable speed improvement for apparmor users.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1262
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
| |
Move all Linux-related data under the corresponding buildtags to reduce
the memory footprint and speed up compilation for non-apparmor builds.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1262
Approved by: mheon
|
| |
|
|
|
|
|
|
|
| |
For easier maintenance and clearer structure of the code.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1262
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
when searching multiple registries for images, if we get an error on one
of the searches, we should keep going and complete the search. if there
is only one search registry however, we will return an error.
Resolves: #1255
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1257
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Lookup the current username by UID if the USER env variable is not
set.
Reported in: https://github.com/projectatomic/libpod/issues/1092
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1217
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
| |
io.projectatomic.podman -> io.podman
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1204
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Rather than making a runtime each time a client hits a varlink endpoint, we now
make a single runtime when the varlink service starts up. This fixes a problem
where we hit a max inotify limit from CNI.
Resolves: #1211
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1215
Approved by: rhatdan
|
| |
|
|
|
| |
Closes: #1206
Approved by: giuseppe
|
| |
|
|
|
|
|
|
|
| |
It is required only when directly configuring the user namespace.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1200
Approved by: rhatdan
|
| |\
| |
| | |
rootless: do not segfault if the parent already died
|
| | |
| |
| |
| |
| |
| | |
Closes: https://github.com/projectatomic/libpod/issues/1189
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The goal is to be very explicit about which functions try to heuristically
guess what is the expected format of the string. Not quite "shaming"
the users, but making sure they stand out.
RFC:
- Is this at all acceptable? Desirable?
- varlink ExportImage says "destination must have transport type";
should it be using alltransports.ParseImageReference
+ PushImageToReference, then?
(While touching the call in cmd/podman, also remove a commented-out
older version of the call.)
Should not change behavior (but does not add unit tests).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Closes: #1176
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
| |
slirp4netns is required to setup the network namespace:
https://github.com/rootless-containers/slirp4netns
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1156
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When removing an image via varlink, we should always return the
ID of the image even in the case where the image has multiple
repository names and one was only untagged.
Reported by jhonce during integration testing.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1191
Approved by: jwhonce
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1165
Approved by: baude
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CNI plugins upstream removed their network namespace creation
code, making it a test package only. Copy it into our repository
and slightly modify it for our use (most notably, use MNT_DETACH
when unmounting namespaces).
This new CNI code splits closing and unmounting network
namespaces, which allows us to greatly reduce the number of
occasions on which we call teardownNetwork() and make more errors
in that function fatal instead of warnings. Instead, we can call
Close() and just close the open file descriptor in cases where
the namespace has already been cleaned up.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1165
Approved by: baude
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If more than one volume was mounted using the --volume flag in
podman run, the second and onwards volumes were picking up options
of the previous volume mounts defined. Found out that the options were
not be cleared out after every volume was parsed.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #1142
Approved by: mheon
|
| |\
| |
| | |
Add Pod and Container namespaces
|
| | |
| |
| |
| |
| |
| | |
Also add namespace to inspect output to verify its presence
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |\ \
| | |
| | | |
Fix varlink API usage of psgo
|
| | |/
| |
| |
| | |
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: rhatdan
|
| | |
| |
| |
| |
| |
| |
| | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: rhatdan
|
| | |
| |
| |
| |
| |
| |
| | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: rhatdan
|
| | |
| |
| |
| |
| |
| |
| | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: rhatdan
|
| | |
| |
| |
| |
| |
| |
| | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: rhatdan
|
| |/
|
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1145
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
| |
Check at runtime if AppArmor is enabled on the host.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1128
Approved by: mheon
|
| |
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Most images won't work without multiple ids/gids. Error out
immediately if there are no multiple ids available.
The error code when the user is not present in /etc/sub{g,u}id looks
like:
$ bin/podman run --rm -ti alpine echo hello
ERRO[0000] No subuid ranges found for user "gscrivano"
Closes: https://github.com/projectatomic/libpod/issues/1087
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1097
Approved by: rhatdan
|
| |
|
|
|
|
|
| |
To do this, move it into a separate struct, and embed that in
the JSON we return.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |\
| |
| | |
rootless: unshare mount namespace
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
unshare the mount namespace as well when creating an user namespace so
that we are the owner of the mount namespace and we can mount FUSE
file systems on Linux 4.18. Tested on Fedora Rawhide:
podman --storage-opt overlay.fuse_program=/usr/bin/fuse-overlayfs run alpine echo hello
hello
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \
| | |
| | | |
rootless: fix usage on Fedora Silverblue/CoreOS
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: haircommander <pehunt@redhat.com>
|
| | |/
|/|
| |
| |
| |
| | |
Includes a very stripped down version of podman pod ps, just for testing
Signed-off-by: haircommander <pehunt@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is a refresh of Dan William's PR #974 with a rebase and proper
vendoring of ocicni and containernetworking/cni. It adds the ability
to define multiple networks as so:
podman run --network=net1,net2,foobar ...
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1082
Approved by: baude
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
when using the getattachsockets endpoint, which returns the sockets needed
to create and use a terminal, we should check if the container is just in the
configured state. if so, we need to perform a container init to have conmon
create the required sockets so we can attach to them prior to starting the container.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1067
Approved by: jwhonce
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make users of libpod more secure by adding the libpod/apparmor package
to load a pre-defined AppArmor profile. Large chunks of libpod/apparmor
come from github.com/moby/moby.
Also check if a specified AppArmor profile is actually loaded and throw
an error if necessary.
The default profile is loaded only on Linux builds with the `apparmor`
buildtag enabled.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1063
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
|
| |
use execvp instead of exec so that we keep the PATH environment
variable and the lookup for the "podman" executable works.
Closes: https://github.com/projectatomic/libpod/issues/1070
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1072
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
| |
podman now supports --volumes-from flag, which allows users
to add all the volumes an existing container has to a new one.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #931
Approved by: mheon
|
| |
|
|
|
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1060
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
| |
We added the explicit int64 casts for 32-bit builds in 35e1ad78 (Make
libpod build on 32-bit systems, 2018-02-12, #324), but the explicit
casts work fine on 64-bit systems too.
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1058
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This removes some boilerplate from the libpod package, so we can focus
on container stuff there. And it gives us a tidy sub-package for
focusing on ctime extraction, so we can focus on unit testing and
portability of the extraction utility there.
For the unsupported implementation, I'm falling back to Go's ModTime
[1]. That's obviously not the creation time, but it's likely to be
closer than the uninitialized Time structure from cc6f0e85 (more
changes to compile darwin, 2018-07-04, #1047). Especially for our use
case in libpod/oci, where we're looking at write-once exit files.
The test is more complicated than I initially expected, because on
Linux filesystem timestamps come from a truncated clock without
interpolation [2] (and network filesystems can be completely decoupled
[3]). So even for local disks, creation times can be up to a jiffie
earlier than 'before'. This test ensures at least monotonicity by
creating two files and ensuring the reported creation time for the
second is greater than or equal to the reported creation time for the
first. It also checks that both creation times are within the window
from one second earlier than 'before' through 'after'. That should be
enough of a window for local disks, even if the kernel for those
systems has an abnormally large jiffie. It might be ok on network
filesystems, although it will not be very resilient to network clock
lagging behind the local system clock.
[1]: https://golang.org/pkg/os/#FileInfo
[2]: https://groups.google.com/d/msg/linux.kernel/mdeXx2TBYZA/_4eJEuJoAQAJ
Subject: Re: Apparent backward time travel in timestamps on file creation
Date: Thu, 30 Mar 2017 20:20:02 +0200
Message-ID: <tqMPU-1Sb-21@gated-at.bofh.it>
[3]: https://groups.google.com/d/msg/linux.kernel/mdeXx2TBYZA/cTKj4OBuAQAJ
Subject: Re: Apparent backward time travel in timestamps on file creation
Date: Thu, 30 Mar 2017 22:10:01 +0200
Message-ID: <tqOyl-36A-1@gated-at.bofh.it>
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1050
Approved by: mheon
|
| |
|
|
|
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1053
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
b96be3af (changes to allow for darwin compilation, 2018-06-20, #1015)
made AddPrivilegedDevices per-platform and cc6f0e85 (more changes to
compile darwin, 2018-07-04, #1047) made CreateBlockIO per-platform.
But both left but left out docs for the unsupported version [1]:
pkg/spec/config_unsupported.go:18:1:warning: exported method
CreateConfig.AddPrivilegedDevices should have comment or be
unexported (golint)
pkg/spec/config_unsupported.go:22:1:warning: exported method
CreateConfig.CreateBlockIO should have comment or be unexported
(golint)
To keep the docs DRY, I've restored the public methods and their docs,
and I've added new, internal methods for the per-platform
implementations.
[1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L160
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1034
Approved by: baude
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The files were split apart by b96be3af (changes to allow for darwin
compilation, 2018-06-20, #1015), but the C import and two functions
left in rootless.go are all Linux-specific as well. This commit moves
all of the pre-b96be3af rootless.go into rootless_linux.go, just
adding the '// +build linux' header (b96be3af also scrambled the + in
that header) and keeping the new GetRootlessUID from a1545fe6
(rootless: add function to retrieve the original UID, 2018-07-05, #1048).
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1034
Approved by: baude
|
