summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Merge pull request #7952 from baude/issue7934OpenShift Merge Robot2020-10-08
|\ | | | | APIv2 compatibility rootless network fix
| * APIv2 compatibility rootless network fixbaude2020-10-07
| | | | | | | | | | | | | | | | when using the compatibility mode as rootless, containers that were created were not setting their host names correctly due to the netmode not being set. Fixes: #7934 Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #7382 from mheon/pod_parallelOpenShift Merge Robot2020-10-07
|\ \ | | | | | | Move pod jobs to parallel execution
| * | Move pod jobs to parallel executionMatthew Heon2020-10-07
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make Podman pod operations that do not involve starting containers (which needs to be done in a specific order) use the same parallel operation code we use to make `podman stop` on large numbers of containers fast. We were previously stopping containers in a pod serially, which could take up to the timeout (default 15 seconds) for each container - stopping 100 containers that do not respond to SIGTERM would take 25 minutes. To do this, refactor the parallel operation code a bit to remove its dependency on libpod (damn circular import restrictions...) and use parallel functions that just re-use the standard container API operations - maximizes code reuse (previously each pod handler had a separate implementation of the container function it performed). This is a bit of a palate cleanser after fighting CI for two days - nice to be able to return to a land of sanity. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* / prevent unpredictable results with network create|removebaude2020-10-07
|/ | | | | | | | | | due to a lack of "locking" on cni operations, we could get ourselves in trouble when doing rapid creation or removal of networks. added a simple file lock to deal with the collision and because it is not considered a performent path, use of the file lock should be ok. if proven otherwise in the future, some generic shared memory lock should be implemented for libpod and also used here. moved pkog/network to libpod/network because libpod is now being pulled into the package and it has therefore lost its generic nature. this will make it easier to absorb into libpod as we try to make the network closer to core operations. Fixes: #7807 Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #7918 from zhangguanzhang/apiv2-wrong-StopSignalOpenShift Merge Robot2020-10-06
|\ | | | | [apiv2] /containers/$name/json return wrong value in `.Config.StopSignal`
| * fix apiv2 /containers/$name/json return wrong value in `.Config.StopSignal`zhangguanzhang2020-10-06
| | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | Merge pull request #7929 from kolyshkin/nits-errOpenShift Merge Robot2020-10-06
|\ \ | | | | | | Nits
| * | pkg/cgroups/createCgroupv2Path: nitsKir Kolyshkin2020-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1. Check the path validity before trying to read the cgroup.controllers. 2. Do not hardcode "/sys/fs/cgroup". 3. Simplify creating the "+this +that" string. 4. Do not wrap ioutil.WriteFile error. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
| * | Lowercase some errorsKir Kolyshkin2020-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit is courtesy of ``` for f in $(git ls-files *.go | grep -v ^vendor/); do \ sed -i 's/\(errors\..*\)"Error /\1"error /' $f; done for f in $(git ls-files *.go | grep -v ^vendor/); do \ sed -i 's/\(errors\..*\)"Failed to /\1"failed to /' $f; done ``` etc. Self-reviewed using `git diff --word-diff`, found no issues. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
| * | Remove excessive error wrappingKir Kolyshkin2020-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In case os.Open[File], os.Mkdir[All], ioutil.ReadFile and the like fails, the error message already contains the file name and the operation that fails, so there is no need to wrap the error with something like "open %s failed". While at it - replace a few places with os.Open, ioutil.ReadAll with ioutil.ReadFile. - replace errors.Wrapf with errors.Wrap for cases where there are no %-style arguments. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
* | | Merge pull request #7931 from rhatdan/sizeOpenShift Merge Robot2020-10-06
|\ \ \ | |_|/ |/| | Support max_size logoptions
| * | Support max_size logoptionsDaniel J Walsh2020-10-05
| |/ | | | | | | | | | | | | | | Docker supports log-opt max_size and so does conmon (ALthough poorly). Adding support for this allows users to at least make sure their containers logs do not become a DOS vector. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7919 from rhatdan/subuidOpenShift Merge Robot2020-10-05
|\ \ | | | | | | Fix handling of CheckRootlessUIDRange
| * | Fix handling of CheckRootlessUIDRangeDaniel J Walsh2020-10-05
| |/ | | | | | | | | | | | | If I have multiple ranges of UIDs specified in the /etc/subuid, this check blows up and incorrectly blocks the use of --user flag. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / Fixes remote attach and exec to signal IdleTrackerJhon Honce2020-10-05
|/ | | | | | | | | | - Fixes issue where remote attach and exec only signaled the IdleTracker on errors. Needs to done anytime after connection has been hijacked - Fixes trying to send multiple http status codes to client - Changes pprof and API server shutdowns to run in parallel - Changes shutdown to run in sync.Once block Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Merge pull request #7909 from zhangguanzhang/remote-ps-ns-brokenOpenShift Merge Robot2020-10-05
|\ | | | | Fix podman-remote ps --ns broken
| * Fix podman-remote ps --ns brokenzhangguanzhang2020-10-04
| | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | Merge pull request #7902 from rhatdan/selinuxOpenShift Merge Robot2020-10-05
|\ \ | |/ |/| Add SELinux support for pods
| * Add SELinux support for podsDaniel J Walsh2020-10-02
| | | | | | | | | | | | | | | | | | | | All containers within a Pod need to run with the same SELinux label, unless overwritten by the user. Also added a bunch of SELinux tests to make sure selinux labels are correct on namespaces. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7899 from zhangguanzhang/service-panic-client-killOpenShift Merge Robot2020-10-03
|\ \ | |/ |/| [podman-remote] Fix closed connection on pull causes service panic
| * fix closed the remote connection on pull causes service paniczhangguanzhang2020-10-03
| | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | Merge pull request #7901 from vrothberg/fix-compat-images-createOpenShift Merge Robot2020-10-02
|\ \ | | | | | | compat: images/create: fix tag parsing
| * | compat: images/create: fix tag parsingValentin Rothberg2020-10-02
| | | | | | | | | | | | | | | | | | | | | | | | The `tag` parameter of the compat `images/create` endpoint can be both, a tag and a digest. Fix parsing of the parameter to detect digests and use the appropriate `@` separator. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #7882 from giuseppe/check-for-gids-before-adding-themOpenShift Merge Robot2020-10-02
|\ \ \ | | | | | | | | libpod: check there are enough gids before adding them
| * | | rootless: use sync.Once for GetAvailableGids()Giuseppe Scrivano2020-10-02
| | | | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | rootless: move GetAvailableGids to the rootless pkgGiuseppe Scrivano2020-10-02
| | | | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #7887 from vrothberg/fix-7872OpenShift Merge Robot2020-10-02
|\ \ \ \ | |_|/ / |/| | | image prune: remove all candidates
| * | | image prune: remove all candidatesValentin Rothberg2020-10-02
| |/ / | | | | | | | | | | | | | | | | | | | | | Make sure to remove images until there's nothing left to prune. A single iteration may not be sufficient. Fixes: #7872 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #7456 from giuseppe/modprobe-fuseOpenShift Merge Robot2020-10-02
|\ \ \ | |_|/ |/| | spec: modprobe fuse with --device .*/fuse
| * | spec: open fuse with --device .*/fuseGiuseppe Scrivano2020-10-02
| |/ | | | | | | | | | | | | | | | | If the container uses the /dev/fuse device, attempt to load the fuse kernel module first so that nested containers can use it. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1872240 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #7867 from vrothberg/fix-7837OpenShift Merge Robot2020-10-02
|\ \ | | | | | | remote: fix name and ID collisions of containers and pods
| * | remote: fix name and ID collisions of containers and podsValentin Rothberg2020-10-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix the look up of containers and pods in the remote client. User input can refer to both, names or IDs of containers and pods, so there is a fair chance of collisions (e.g., "c1" name with a "c1...." ID). Those collisions are well handled (and battle tested) in the local client which is directly using the libpod backend. Hence, the remote client should not attempt to introduce its own logic to prevent bugs and divergence between the local and the remote clients. To prevent collisions such as in #7837, do a container/pod inspect on the user-provided input to find the corresponding ID and eventually do full ID comparisons to avoid potential collisions with names. Note that this has a cost that I am not entirely happy with. Looking at issue #7837, the collisions are happening when removing the two containers. Remote container removal is now very chatty with the server as it first queries for all containers, then iterates over the provided names or IDs and does a remote inspect to figure out the IDs and find a matching container object. However, remote removal could just pass the names and IDs directly to the batch removal endpoint. Querying for all containers could be prevented if the batch removal endpoint would remove all if the slice is empty. In other words, the bug is fixed but there's room for performance improvements. Fixes: #7837 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #7815 from jwhonce/wip/creds_remoteOpenShift Merge Robot2020-10-02
|\ \ \ | | | | | | | | Add X-Registry-Config support
| * | | Add X-Registry-Config supportJhon Honce2020-09-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Refactor auth pkg to support X-Registry-Config * Refactor build endpoint to support X-Registry-Config. Supports: * --creds * --authfile * Added X-Reference-Id Header to http.Request to support log event correlation * Log headers from http.Request Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | | fix compat api privileged and entrypoint codebaude2020-10-01
| |_|/ |/| | | | | | | | | | | | | | | | | | | | when adding /dev to a privileged container using the compatibility API, we need to make sure we dont pass on devices that are simply symlinks. this was already being done by specgen but not on the compat. side. the entrypoint code that was recently rewritten for the compatibility layer was also failing due to the odd inputs that docker is willing to accept in its json, specifically [] vs "". in the case of the latter, this was being made into a []string with a len of one but no content. this would then be used to prefix the command to run in the container and would fail. For example " ls" vs "ls". Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #7735 from QiWang19/manifest-inspectOpenShift Merge Robot2020-10-01
|\ \ \ | | | | | | | | fix allowing inspect manifest of non-local image
| * | | fix allowing inspect manifest of non-local imageQi Wang2020-09-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Add support of `podman manifest inspect` returning manifest list of non-local manifest. Close #https://github.com/containers/podman/issues/7726 Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | | Merge pull request #7864 from rhatdan/volumeOpenShift Merge Robot2020-10-01
|\ \ \ \ | | | | | | | | | | Volume prune should not pass down the force flag
| * | | | Volume prune should not pass down the force flagDaniel J Walsh2020-10-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman volume prune -f Should just tell the prune command to not prompt for confirmation. It should not be passing the prune flag into the API. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | Merge pull request #7851 from zhangguanzhang/fix-apiv2-ctr-workdir-and-envOpenShift Merge Robot2020-10-01
|\ \ \ \ \ | |/ / / / |/| | | | [apiv2] don't ignore the ENV and WorkDir from the image
| * | | | fix: The container created by APIV2 has an incorrect Env and WorkDirzhangguanzhang2020-10-01
| | |/ / | |/| | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | | Merge pull request #7858 from jwhonce/wip/http_proxyOpenShift Merge Robot2020-10-01
|\ \ \ \ | |_|_|/ |/| | | Support --http-proxy for remote builds
| * | | Support --http-proxy for remote buildsJhon Honce2020-09-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Fix misspelled parameter * add http-proxy support for builds http_proxy must be set in the podman.service unit file, for example Environment=http_proxy=<value> Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | | Merge pull request #7823 from vrothberg/fix-6381OpenShift Merge Robot2020-10-01
|\ \ \ \ | |/ / / |/| | | image look up: consult registries.conf
| * | | pkg/registries: add a retiring noteValentin Rothberg2020-09-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The registries package should be retired. It was introduced as an easier to use wrapper around c/image `sysregistries` which has been replaced by `sysregistriesv2` a long while ago. Users should either use the `sysregistriesv2` package directly or, even better, we cache the config in libpod's image runtime to prevent redundant (and ~expensive) parsing of the registries.conf files. For now, just add a note in hope we'll not forgert about it when we find time in the future. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Merge pull request #7798 from QiWang19/run-manifestOpenShift Merge Robot2020-09-30
|\ \ \ \ | |_|_|/ |/| | | Use local image if input image is a manifest list
| * | | Use local image if input image is a manifest listQi Wang2020-09-30
| | |/ | |/| | | | | | | | | | | | | If run&create image returns error: image contains manifest list, not a runnable image, find the local image that has digest matching the digest from the list and use the image from local storage for the command. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | Merge pull request #7820 from giuseppe/fix-capabilities-not-rootOpenShift Merge Robot2020-09-30
|\ \ \ | | | | | | | | capabilities: always set ambient and inheritable
| * | | capabilities: always set ambient and inheritableGiuseppe Scrivano2020-09-30
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | change capabilities handling to reflect what docker does. Bounding: set to caplist Inheritable: set to caplist Effective: if uid != 0 then clear; else set to caplist Permitted: if uid != 0 then clear; else set to caplist Ambient: clear Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>