| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
| |
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| |
|
|
|
|
|
| |
a PR slipped through without running the new linter. this cleans things
up for the master branch.
Signed-off-by: baude <bbaude@redhat.com>
|
| |\
| |
| | |
golangci-lint phase 4
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
clean up some final linter issues and add a make target for
golangci-lint. in addition, begin running the tests are part of the
gating tasks in cirrus ci.
we cannot fully shift over to the new linter until we fix the image on
the openshift side. for short term, we will use both
Signed-off-by: baude <bbaude@redhat.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This includes:
Implement exec -i and fix some typos in description of -i docs
pass failed runtime status to caller
Add resize handling for a terminal connection
Customize exec systemd-cgroup slice
fix healthcheck
fix top
add --detach-keys
Implement podman-remote exec (jhonce)
* Cleanup some orphaned code (jhonce)
adapt remote exec for conmon exec (pehunt)
Fix healthcheck and exec to match docs
Introduce two new OCIRuntime errors to more comprehensively describe situations in which the runtime can error
Use these different errors in branching for exit code in healthcheck and exec
Set conmon to use new api version
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| |\
| |
| | |
golangci-lint round #3
|
| | |
| |
| |
| |
| |
| |
| | |
this is the third round of preparing to use the golangci-lint on our
code base.
Signed-off-by: baude <bbaude@redhat.com>
|
| |/
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
| |
When removing --all images prune images only attempt to remove read/write images,
ignore read/only images
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\
| |
| | |
Include changes to the container's root file-system in the checkpoint archive
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The newly added functionality to include the container's root
file-system changes into the checkpoint archive can now be explicitly
disabled. Either during checkpoint or during restore.
If a container changes a lot of files during its runtime it might be
more effective to migrated the root file-system changes in some other
way and to not needlessly increase the size of the checkpoint archive.
If a checkpoint archive does not contain the root file-system changes
information it will automatically be skipped. If the root file-system
changes are part of the checkpoint archive it is also possible to tell
Podman to ignore these changes.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
One of the last limitations when migrating a container using Podman's
'podman container checkpoint --export=/path/to/archive.tar.gz' was
that it was necessary to manually handle changes to the container's root
file-system. The recommendation was to mount everything as --tmpfs where
the root file-system was changed.
This extends the checkpoint export functionality to also include all
changes to the root file-system in the checkpoint archive. The
checkpoint archive now includes a tarstream of the result from 'podman
diff'. This tarstream will be applied to the restored container before
restoring the container.
With this any container can now be migrated, even it there are changes
to the root file-system.
There was some discussion before implementing this to base the root
file-system migration on 'podman commit', but it seemed wrong to do
a 'podman commit' before the migration as that would change the parent
layer the restored container is referencing. Probably not really a
problem, but it would have meant that a migrated container will always
reference another storage top layer than it used to reference during
initial creation.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
| |\ \
| | |
| | | |
rootless: add host devices with --privileged
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
when --privileged is specified, add all the devices that are usable by
the user.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1730773
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \ \
| | | |
| | | | |
podman-remote make --size optional in ps
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Close #3578 Add `size` field to PsOpts in podman remote to receive size as an option.
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
| |\ \ \ \
| | | | |
| | | | | |
libpod: support for cgroup namespace
|
| | | |/ /
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
allow a container to run in a new cgroup namespace.
When running in a new cgroup namespace, the current cgroup appears to
be the root, so that there is no way for the container to access
cgroups outside of its own subtree.
By default it uses --cgroup=host to keep the previous behavior.
To create a new namespace, --cgroup=private must be provided.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The default apparmor profile is not stored on disk which causes
confusion when debugging the content of the profile. To solve this, we
now add an additional API which returns the profile as byte slice.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
|
| |\ \ \
| | | |
| | | | |
Move the HostConfig portion of Inspect inside libpod
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
We can infer no-new-privileges. For now, manually populate
seccomp (can't infer what file we sourced from) and
SELinux/Apparmor (hard to tell if they're enabled or not).
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When we first began writing Podman, we ran into a major issue
when implementing Inspect. Libpod deliberately does not tie its
internal data structures to Docker, and stores most information
about containers encoded within the OCI spec. However, Podman
must present a CLI compatible with Docker, which means it must
expose all the information in 'docker inspect' - most of which is
not contained in the OCI spec or libpod's Config struct.
Our solution at the time was the create artifact. We JSON'd the
complete CreateConfig (a parsed form of the CLI arguments to
'podman run') and stored it with the container, restoring it when
we needed to run commands that required the extra info.
Over the past month, I've been looking more at Inspect, and
refactored large portions of it into Libpod - generating them
from what we know about the OCI config and libpod's (now much
expanded, versus previously) container configuration. This path
comes close to completing the process, moving the last part of
inspect into libpod and removing the need for the create
artifact.
This improves libpod's compatability with non-Podman containers.
We no longer require an arbitrarily-formatted JSON blob to be
present to run inspect.
Fixes: #3500
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\ \ \
| |/ /
|/| | |
Fix play kube command
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Before, play kube wasn't properly setting the command. Fix this
Also, begin a dedicated test suite for play kube to catch regressions like this in the future
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| |/ /
| |
| |
| |
| |
| |
| | |
it seems enough to not specify any ulimit block to maintain the host
limits.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \
| | |
| | | |
Fix the double replySendFile()
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Harald Hoyer <harald@redhat.com>
|
| |\ \ \
| | | |
| | | | |
cgroupsv2: do not enable controllers for the last component
|
| | | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
do not automatically enable the controllers for the last path
component. It is necessary as once there are enabled controllers in a
cgroup, it won't possible to add processes to it.
Fix conmon being moved to the correct cgroup path when using
--cgroup-manager cgroupfs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \ \
| | | |
| | | | |
spec: fix userns with less than 5 gids
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | | |
when the container is running in a user namespace, check if gid=5 is
available, otherwise drop the option gid=5 for /dev/pts.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \ \
| |_|/
|/| | |
fix bug convert volume host path to absolute
|
| | | |
| | |
| | |
| | |
| | |
| | | |
fix #3504 If --volume host:dest host is not a named volume, convert the host to a absolute directory path.
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
| |\ \ \
| | | |
| | | | |
golangci-lint pass number 2
|
| | | |/
| |/|
| | |
| | |
| | |
| | | |
clean up and prepare to migrate to the golangci-linter
Signed-off-by: baude <bbaude@redhat.com>
|
| |\ \ \
| | | |
| | | | |
podman: add --ulimit host
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
add a simple way to copy ulimit values from the host.
if --ulimit host is used then the current ulimits in place are copied
to the container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
be sure to load all the existing handlers, so that they can also be
freed in addition to the handlers we treat differently.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |/ /
|/| |
| | |
| | |
| | |
| | |
| | | |
if the cgroup cannot be deleted, then attempt to delete all its
subdirectories and try again.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \ \
| | | |
| | | | |
first pass of corrections for golangci-lint
|
| | | |/
| |/|
| | |
| | | |
Signed-off-by: baude <bbaude@redhat.com>
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
the commit and pull varlink endpoints were not working correctly when
'more' was not being specified.
Fixes: #3317
Fixes: #3318
Fixes: #3526
Signed-off-by: baude <bbaude@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
if the cpuacct file doesn't exist, ignore it instead of erroring out.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1728242
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
drop the limitation of not supporting creating new cgroups v2 paths.
Every controller enabled /sys/fs/cgroup will be propagated down to the
created path. This won't work for rootless cgroupsv2, but it is not
an issue for now, as this code is used only by CRI-O.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \
| |/
|/| |
Use conmon pidfile in generated systemd unit as PIDFile.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
It is not correct to rely on specific location of the podman binary.
In most cases it is /usr/bin/podman, but sometimes is not (e.g. in
system tests). Use /proc/self/exe instead of hardcoded path.
Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
By default, podman points PIDFile in generated unit file to non-existent
location. As a result, the unit file, generated by podman, is broken:
an attempt to start this unit without prior modification results in a crash,
because systemd can not find the pidfile of service's main process.
Fix the value of "PIDFile" and add a system test for this case.
Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
|
| |/
|
|
|
|
| |
the results of a code cleanup performed by the goland IDE.
Signed-off-by: baude <bbaude@redhat.com>
|
| |\
| |
| | |
build: allow to build without cgo on RISC-V
|
| | |
| |
| |
| |
| |
| | |
so it can build without cgo since seccomp requires it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
