summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Switch to containers/common for seccompSascha Grunert2020-08-27
| | | | | | | The seccomp/containers-golang library is not maintained any more and we should stick to containers/common. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Merge pull request #7451 from mheon/fix_7195Ed Santiago2020-08-27
|\ | | | | Send HTTP Hijack headers after successful attach
| * Send HTTP Hijack headers after successful attachMatthew Heon2020-08-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Our previous flow was to perform a hijack before passing a connection into Libpod, and then Libpod would attach to the container's attach socket and begin forwarding traffic. A problem emerges: we write the attach header as soon as the attach complete. As soon as we write the header, the client assumes that all is ready, and sends a Start request. This Start may be processed *before* we successfully finish attaching, causing us to lose output. The solution is to handle hijacking inside Libpod. Unfortunately, this requires a downright extensive refactor of the Attach and HTTP Exec StartAndAttach code. I think the result is an improvement in some places (a lot more errors will be handled with a proper HTTP error code, before the hijack occurs) but other parts, like the relocation of printing container logs, are just *bad*. Still, we need this fixed now to get CI back into good shape... Fixes #7195 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #7409 from ↵OpenShift Merge Robot2020-08-26
|\ \ | | | | | | | | | | | | zhangguanzhang/apiv2-create-ctr-with-invalid-entrypoint fix apiv2 will create containers with incorrect commands
| * | fix apiv2 will create containers with incorrect commandszhangguanzhang2020-08-24
| | | | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | Merge pull request #7372 from giuseppe/add-unified-configurationOpenShift Merge Robot2020-08-24
|\ \ \ | | | | | | | | podman: add option --cgroup-conf
| * | | podman: add option --cgroup-confGiuseppe Scrivano2020-08-21
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | it allows to manually tweak the configuration for cgroup v2. we will expose some of the options in future as single options (e.g. the new memory knobs), but for now add the more generic --cgroup-conf mechanism for maximum control on the cgroup configuration. OCI specs change: https://github.com/opencontainers/runtime-spec/pull/1040 Requires: https://github.com/containers/crun/pull/459 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #7274 from rhatdan/capsOpenShift Merge Robot2020-08-23
|\ \ \ | |/ / |/| | In podman 1.* regression on --cap-add
| * | In podman 1.* regression on --cap-addDaniel J Walsh2020-08-21
| |/ | | | | | | | | | | | | | | | | | | | | | | In podman 1.0 if you executed a command like: podman run --user dwalsh --cap-add net_bind_service alpine nc -l 80 It would work, and the user dwalsh would get the capability, in podman 2.0, only root and the binding set gets the capability. This change restores us back to the way podman 1.0 worked. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7390 from baude/podnetOpenShift Merge Robot2020-08-21
|\ \ | | | | | | error when adding container to pod with network information
| * | error when adding container to pod with network informationBrent Baude2020-08-21
| |/ | | | | | | | | | | | | | | | | | | | | | | because a pod's network information is dictated by the infra container at creation, a container cannot be created with network attributes. this has been difficult for users to understand. we now return an error when a container is being created inside a pod and passes any of the following attributes: * static IP (v4 and v6) * static mac * ports -p (i.e. -p 8080:80) * exposed ports (i.e. 222-225) * publish ports from image -P Signed-off-by: Brent Baude <bbaude@redhat.com>
* / fix /libpod/pods/json returns null when there are no podszhangguanzhang2020-08-21
|/ | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* Merge pull request #7350 from vrothberg/fix-7285OpenShift Merge Robot2020-08-19
|\ | | | | generate systemd: quote arguments with whitespace
| * generate systemd: quote arguments with whitespaceValentin Rothberg2020-08-19
| | | | | | | | | | | | | | | | | | | | | | Make sure that arguments with whitespace are properly quoted so they are interpreted as one (and not multiple ones) by systemd. Now `-e tz="america/new york"` will be generated as `-e "tz=america/new york"`. The quotes are moving but the argument is still correct. Fixes: #7285 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Ensure DefaultEnvVariables is used in SpecgenMatthew Heon2020-08-18
|/ | | | | | | | | | | | When we rewrote Podman's pkg/spec, one of the things that was lost was our use of a set of default environment variables, that ensure all containers have at least $PATH and $TERM set. While we're in the process of re-adding it, change it from a variable to a function, so we can ensure the Join function does not overwrite it and corrupt the defaults. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #7339 from giuseppe/change-systemd-detectionOpenShift Merge Robot2020-08-18
|\ | | | | abi: fix detection for systemd
| * abi: fix detection for systemdGiuseppe Scrivano2020-08-18
| | | | | | | | | | | | | | | | | | create a scope everytime we don't own the current cgroup and we are running on systemd. Closes: https://github.com/containers/podman/issues/6734 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | fix podman create/run UTS NS docsPaul Holzinger2020-08-18
|/ | | | | | | | Add better error message when using `--pod` and `--hostname`. Improve the docs to better explain the uts hostname relation. Add more valid options for the `--uts` flag. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #7292 from spearlineltd/cleanupzombieOpenShift Merge Robot2020-08-18
|\ | | | | Wait for reexec to finish when fileOutput is nil
| * Wait for reexec to finish when fileOutput is nilJonathan Dieter2020-08-15
| | | | | | | | | | | | | | Currently, we're not cleanup up after ourselves when fileOutput is nil. This patch fixes that. Signed-off-by: Jonathan Dieter <jonathan.dieter@spearline.com>
* | Merge pull request #7283 from mheon/pod_infra_has_exit_cmdOpenShift Merge Robot2020-08-17
|\ \ | | | | | | Ensure pod infra containers have an exit command
| * | Clean up pods before returning from Pod Stop API callMatthew Heon2020-08-17
| | | | | | | | | | | | | | | | | | | | | This should help alleviate races where the pod is not fully cleaned up before subsequent API calls happen. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | Ensure pod infra containers have an exit commandMatthew Heon2020-08-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Most Libpod containers are made via `pkg/specgen/generate` which includes code to generate an appropriate exit command which will handle unmounting the container's storage, cleaning up the container's network, etc. There is one notable exception: pod infra containers, which are made entirely within Libpod and do not touch pkg/specgen. As such, no cleanup process, network never cleaned up, bad things can happen. There is good news, though - it's not that difficult to add this, and it's done in this PR. Generally speaking, we don't allow passing options directly to the infra container at create time, but we do (optionally) proxy a pre-approved set of options into it when we create it. Add ExitCommand to these options, and set it at time of pod creation using the same code we use to generate exit commands for normal containers. Fixes #7103 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #7314 from aojea/ipv6_default_gwOpenShift Merge Robot2020-08-16
|\ \ \ | |_|/ |/| | IPv6 default route
| * | podman support for IPv6 networksAntonio Ojea2020-08-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman containers using IPv6 were missing the default route, breaking deployments trying to use them. The problem is that the default route was hardcoded to IPv4, this takes into consideration the podman subnet IP family to generate the corresponding default route. Signed-off-by: Antonio Ojea <aojea@redhat.com>
* | | Merge pull request #7312 from vrothberg/fix-7294OpenShift Merge Robot2020-08-13
|\ \ \ | | | | | | | | podman.service: use sdnotify
| * | | podman.service: use sdnotiyValentin Rothberg2020-08-13
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 2b6dd3fb4384 set the killmode of the podman.service to the systemd default which ultimately lead to the problem that systemd will kill *all* processes inside the unit's cgroup and hence kill all containers whenever the service is stopped. Fix it by setting the type to sdnotify and the killmode to process. `podman system service` will send the necessary notify messages when the NOTIFY_SOCKET is set and unset it right after to prevent the backend and container runtimes from jumping in between and send messages as well. Fixes: #7294 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #7227 from giuseppe/procfs-optsOpenShift Merge Robot2020-08-13
|\ \ \ | | | | | | | | run, create: add new security-opt proc-opts
| * | | run, create: add new security-opt proc-optsGiuseppe Scrivano2020-08-12
| |/ / | | | | | | | | | | | | | | | | | | it allows to customize the options passed down to the OCI runtime for setting up the /proc mount. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #7293 from spearlineltd/fixhangOpenShift Merge Robot2020-08-13
|\ \ \ | |/ / |/| | Fix hang when `path` doesn't exist
| * | Fix hang when `path` doesn't existJonathan Dieter2020-08-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I'm not sure if this is an OS-specific issue, but on CentOS 8, if `path` doesn't exist, this hangs while waiting to read from this socket, even though the socket is closed by the `reexec_in_user_namespace`. Switching to a pipe fixes the problem, and pipes shouldn't be an issue since this is Linux-specific code. Signed-off-by: Jonathan Dieter <jonathan.dieter@spearline.com>
* | | Merge pull request #7295 from baude/msiremotefixesOpenShift Merge Robot2020-08-12
|\ \ \ | | | | | | | | podman-remote fixes for msi and client
| * | | podman-remote fixes for msi and clientBrent Baude2020-08-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | correct small typo that sets the path on windows via the msi xml. in the remote client, prompt for SSH password when no identity or alternate means of authentication are provided. Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | | Merge pull request #7267 from zhangguanzhang/check-invalid-network-createOpenShift Merge Robot2020-08-12
|\ \ \ \ | |/ / / |/| | | Add parameter verification for api creation network
| * | | Add parameter verification for api creation networkzhangguanzhang2020-08-12
| | |/ | |/| | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | Merge pull request #7247 from baude/issue7122OpenShift Merge Robot2020-08-11
|\ \ \ | | | | | | | | Replace deepcopy on history results
| * | | Replace deepcopy on history resultsBrent Baude2020-08-11
| |/ / | | | | | | | | | | | | | | | | | | | | | the deepcopy in the remote history code path was throwing an uncaught error on a type mismatch. we now manually do the conversion and fix the type mismatch on the fly. Fixes: #7122 Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | Merge pull request #7288 from tiran/systemd_local_initOpenShift Merge Robot2020-08-11
|\ \ \ | |/ / |/| | Enable systemd mode for /usr/local/sbin/init
| * | Use set for systemd commandsChristian Heimes2020-08-11
| | | | | | | | | | | | Signed-off-by: Christian Heimes <cheimes@redhat.com>
| * | Enable systemd mode for /usr/local/sbin/initChristian Heimes2020-08-11
| |/ | | | | | | | | | | | | | | | | | | Podman 1.6.2 changed systemd mode auto-detection from commands ending in ``init`` to hard-coded paths ``/sbin/init`` and ``/usr/sbin/init``. This broke FreeIPA container. ``podman run`` and ``podman create`` now activate systemd mode when the command is ``/usr/local/sbin/init``. Fixes: https://github.com/containers/podman/issues/7287 Signed-off-by: Christian Heimes <cheimes@redhat.com>
* | Merge pull request #7269 from openSUSE/seccompOpenShift Merge Robot2020-08-11
|\ \ | | | | | | Allow specifying seccomp profiles for privileged containers
| * | Allow specifying seccomp profiles for privileged containersSascha Grunert2020-08-11
| | | | | | | | | | | | | | | | | | | | | To sync the behavior between AppArmor and seccomp it is now possible to also specify seccomp profiles for privileged containers. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* | | Merge pull request #7239 from rhatdan/workingOpenShift Merge Robot2020-08-11
|\ \ \ | |_|/ |/| | Fix handling of working dir
| * | Fix handling of working dirDaniel J Walsh2020-08-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Buildah and podman build can create images without a working dir. FROM fedora WORKDIR /test If you build this image with caching twice, the second time the image will not have a working dir. Similarly if you execute podman run --workdir /foobar fedora It blows up since the workingdir is not created automatically. Finally there was duplicated code for getting the workingdir out of an image, that this PR removes. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #7261 from zhangguanzhang/ps-format-add-fieldOpenShift Merge Robot2020-08-11
|\ \ \ | | | | | | | | Add the `Status` field in the ps --format=json
| * | | Add the Status field in the ps --format=jsonzhangguanzhang2020-08-11
| | | | | | | | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | | Merge pull request #7282 from ParkerVR/tags-digestOpenShift Merge Robot2020-08-11
|\ \ \ \ | |/ / / |/| | | Img Pull - Error pass through
| * | | Error pass through for more accurate error reportingParker Van Roy2020-08-10
| | |/ | |/| | | | | | | | | | | | | Included old error + wrapped Signed-off-by: Parker Van Roy <pvanroy@redhat.com>
* | | Merge pull request #7256 from mheon/fix_cmd_with_entrypointOpenShift Merge Robot2020-08-10
|\ \ \ | |/ / |/| | Do not use image CMD if user gave ENTRYPOINT
| * | Do not use image CMD if user gave ENTRYPOINTMatthew Heon2020-08-10
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This matches Docker behavior, and seems to make sense - the CMD may have been specific to the original entrypoint and probably does not make sense if it was changed. While we're in here, greatly simplify the logic for populating the SpecGen's Command. We create the full command when making the OCI spec, so the client should not be doing any more than setting it to the Command the user passed in, and completely ignoring ENTRYPOINT. Fixes #7115 Signed-off-by: Matthew Heon <mheon@redhat.com>