path: root/pkg
Commit message (Author, Age)
* rootless cni without infra container (Paul Holzinger, 2021-04-01)
|     Instead of creating an extra container create a network and mount namespace inside the podman user namespace. This ns is used for rootless cni operations. This helps to align the rootless and rootful network code path. If we run as rootless we just have to set up an extra net ns and initialize slirp4netns in it. The ocicni lib will be called in that net ns.
|
|     This design allows easier maintenance, no extra container with pause processes, support for rootless cni with --uidmap and possibly more.
|
|     The biggest problem is backwards compatibility. I don't think live migration can be possible. If the user reboots or restarts all cni containers everything should work as expected again. The user is left with the rootless-cni-infra container and image but this can safely be removed.
|
|     To make the existing cni configs work we need to execute the cni plugins in an extra mount namespace. This ensures that we can safely mount over /run and /var which have to be writeable for the cni plugins without removing access to these files by the main podman process. One caveat is that we need to keep the netns files at `XDG_RUNTIME_DIR/netns` accessible.
|
|     `XDG_RUNTIME_DIR/rootless-cni/{run,var}` will be mounted to `/{run,var}`. To ensure that we keep the netns directory we bind mount this relative to the new root location, e.g. XDG_RUNTIME_DIR/rootless-cni/run/user/1000/netns before we mount the run directory. The run directory is mounted recursively, this makes the netns directory at the same path accessible as before.
|
|     This also allows iptables-legacy to work because /run/xtables.lock is now writeable.
|
|     Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Remove --execute from podman machine ssh (baude, 2021-03-31)
|     The --execute flag ended up serving no purpose. It was removed and documentation was updated.
|
|     Fixed a panic when no VM name was provided.
|
|     [NO TESTS NEEDED]
|
|     Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #9903 from rhatdan/rusage (OpenShift Merge Robot, 2021-03-31)
|\
| |     Fix handling of remote --log-rusage param
| * Fix handling of remove --log-rusage param (Daniel J Walsh, 2021-03-31)
| |     Fixes: https://github.com/containers/podman/issues/9889
| |
| |     Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #9902 from jmguzik/fix-containers-flaky-bindings-prune-test (OpenShift Merge Robot, 2021-03-31)
|\ \
| | |     Fix bindings prune containers flaky test
| * | Fix bindings prune containers flaky test (Jakub Guzik, 2021-03-31)
| |/
| |     In #9863 prune containers filter params were narrowed to support only those required by http API. name filter in bindings was replaced by until filter, which is not a good match, as until filters are causing tests to be flaky.
| |
| |     Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | Merge pull request #9888 from baude/machineign (OpenShift Merge Robot, 2021-03-31)
|\ \
| |/
|/|
| |     podman machine init --ignition-path
| * podman machine init --ignition-path (baude, 2021-03-30)
| |     allow for the user to provide an alternate ignition-file rather than the auto-generated one. updated docs to describe ramifications of providing an alternate ignition file.
| |
| |     [NO TESTS NEEDED]
| |
| |     Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #9885 from ashley-cui/machinels (OpenShift Merge Robot, 2021-03-30)
|\ \
| | |     Add podman machine ls
| * | Add podman machine list (Ashley Cui, 2021-03-30)
| |/
| |     podman machine list lists all virtual machines & indicates the default VM connection, if it exists. it also can take a --format flag arg as a go template.
| |
| |     [NO TESTS NEEDED]
| |
| |     Signed-off-by: Ashley Cui <acui@redhat.com>
* | Merge pull request #9892 from jwhonce/wip/top (OpenShift Merge Robot, 2021-03-30)
|\ \
| | |     Trim white space from /top endpoint results
| * | Trim white space from /top endpoint results (Jhon Honce, 2021-03-30)
| | |     Versions of the ps command have additional spaces between fields, this manifests as the container asking to run "top" and API reporting "top " as a process.
| | |
| | |     Endpoint and tests updated to check that "top" is reported.
| | |
| | |     There is no libpod specialized endpoint to update.
| | |
| | |     Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | Merge pull request #9863 from jmguzik/fix-prune-filter-funcs (OpenShift Merge Robot, 2021-03-30)
|\ \ \
| | | |     Containers prune endpoint should use only prune filters
| * | | Containers prune endpoint should use only prune filters (Jakub Guzik, 2021-03-30)
| | | |     Containers endpoints for HTTP compat and libpod APIs allowed usage of list HTTP endpoint filter funcs. Documentation in case of libpod and compat API does not allow that. This commit aligns code with the documentation.
| | | |
| | | |     Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | | | Merge pull request #9878 from jwhonce/wip/version (OpenShift Merge Robot, 2021-03-30)
|\ \ \ \
| |_|/ /
|/| | |
| | | |     [NO TESTS NEEDED] Remove semantic version suffices from API calls
| * | | Remove semantic version suffices from API calls (Jhon Honce, 2021-03-30)
| | | |     When using the bindings do not include the pre-release or build metadata in the URL for the service. This breaks older services, while not providing that much additional functionality.
| | | |
| | | |     [NO TESTS NEEDED]
| | | |
| | | |     Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | | Merge pull request #9873 from baude/correctaarch64 (OpenShift Merge Robot, 2021-03-30)
|\ \ \ \
| |_|_|/
|/| | |
| | | |     resolve proper aarch64 image names
| * | | resolve proper aarch64 image names (baude, 2021-03-29)
| | | |     when automatically downloading fcos for the Apple M1, we needed to replace a statically defined URL with the dynamically determined one.
| | | |
| | | |     also, it appears boolean qemu options `server` and `onwait` are not defined as `server=on` and `wait=off`.
| | | |
| | | |     [NO TESTS NEEDED]
| | | |
| | | |     Signed-off-by: baude <bbaude@redhat.com>
* | | | Merge pull request #9872 from baude/vmaltimage (OpenShift Merge Robot, 2021-03-30)
|\ \ \ \
| |/ / /
|/| | |
| | | |     podman machine init user input
| * | | podman machine init user input (baude, 2021-03-29)
| |/ /
| | |     users may now provide a fully qualified local file path or a URL to seed the disk-image to be used in the VM.
| | |
| | |     [NO TESTS NEEDED]
| | |
| | |     Signed-off-by: baude <bbaude@redhat.com>
* / / Add machine support for qemu-system-aarch64 (Anders F Björklund, 2021-03-29)
|/ /
| |     - Build machine also for podman-linux-arm64
| |     - Add default machine type for linux arm64
| |     - Add the required qemu-uefi bios parameter
| |     - Remove hardcoded outdated path and show url
| |
| |     Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* | Merge pull request #9855 from giuseppe/fix-service-race-condition (OpenShift Merge Robot, 2021-03-29)
|\ \
| | |     service: use LISTEN_FDS
| * | rootless: use is_fd_inherited (Giuseppe Scrivano, 2021-03-29)
| | |     since we already have an exported function that does the check, refactor the code to use it instead of duplicating the logic.
| | |
| | |     Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #9516 from rhatdan/shrink (OpenShift Merge Robot, 2021-03-29)
|\ \ \
| | | |     [NO TESTS NEEDED] Shrink the size of podman bindings
| * | | [NO TESTS NEEDED] Shrink the size of podman-remote (Daniel J Walsh, 2021-03-29)
| | | |     Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #9842 from AlbanBedel/play-kube-env-from-secrets (OpenShift Merge Robot, 2021-03-29)
|\ \ \ \
| | | | |     Add support for env from secrets in play kube
| * | | | play kube: add support for env vars defined from secrets (Alban Bedel, 2021-03-28)
| | | | |     Add support for secretRef and secretKeyRef to allow env vars to be set from a secret. As K8S secrets are dictionaries the secret value must be a JSON dictionary compatible with the data field of a K8S secret object. The keys must consist of alphanumeric characters, '-', '_' or '.', and the values must be base64 encoded strings.
| | | | |
| | | | |     Signed-off-by: Alban Bedel <albeu@free.fr>
| * | | | play kube: support optional/mandatory env var from config map (Alban Bedel, 2021-03-28)
| | | | |     In K8S the pod creation fails if an env var references a non-existing config map key. It can be marked as optional, but per default it is mandatory. Podman on the other hand always treats such references as optional.
| | | | |
| | | | |     Rework envVarsFrom() and envVarValue() to additionally return an error and add support for the optional attribute in configMapRef and configMapKeyRef.
| | | | |
| | | | |     Signed-off-by: Alban Bedel <albeu@free.fr>
| * | | | play kube: prepare supporting other env source than config maps (Alban Bedel, 2021-03-28)
| | | | |     Rework envVarsFromConfigMap() and envVarValue() to simplify supporting other env sources than config maps. For this we pass the whole spec generator options struct as parameter instead of just the config maps list. Then we rename envVarsFromConfigMap() to envVarsFrom() and in envVarValue() we reposition the loop over the config maps to only run it when a configMapRef element exists.
| | | | |
| | | | |     Signed-off-by: Alban Bedel <albeu@free.fr>
* | | | | Merge pull request #9858 from rhatdan/warn (OpenShift Merge Robot, 2021-03-29)
|\ \ \ \ \
| | | | | |     [NO TESTS NEEDED] Drop Warning to Info, if cgroups not mounted
| * | | | | [NO TESTS NEEDED] Drop Warning to Info, if cgroups not mounted (Daniel J Walsh, 2021-03-29)
| | |_|/ /
| |/| | |
| | | | |     If I run podman within a container without /sys/fs/cgroups mounted, we get this warning, which the user can not do much about.
| | | | |
| | | | |     I don't see a reason for requiring this warning to show by default, so we should drop it to Info.
| | | | |
| | | | |     User can not do anything about it either, and code works well with the somewhat expected error.
| | | | |
| | | | |     Helps fix: https://github.com/containers/podman/issues/9753
| | | | |
| | | | |     Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | Merge pull request #9861 from TristanCacqueray/version-swagger (OpenShift Merge Robot, 2021-03-29)
|\ \ \ \ \
| |_|_|_|/
|/| | | |
| | | | |     [CI:DOCS] swagger: update system version response body
| * | | | swagger: update system version response body (Tristan Cacqueray, 2021-03-29)
| |/ / /
| | | |     This change updates the swagger documentation of the system version response body to match the actual response.
| | | |
| | | |     Fixes: #9522
| | | |
| | | |     Signed-off-by: Tristan Cacqueray <tdecacqu@redhat.com>
* | | | Merge pull request #9848 from Luap99/fix-9776 (OpenShift Merge Robot, 2021-03-29)
|\ \ \ \
| | | | |     podman generate systemd --new do not duplicate params
| * | | | podman generate systemd --new do not duplicate params (Paul Holzinger, 2021-03-28)
| | | | |     podman generate systemd --new inserts extra idfile arguments. The generated unit can break when the user did provide their own idfile arguments as they overwrite the arguments added by generate systemd. This also happens when a user tries to generate the systemd unit on a container already created with a --new unit. This should now create an identical unit.
| | | | |
| | | | |     The solution is to remove all user provided idfile arguments.
| | | | |
| | | | |     This commit also ensures that we do not remove arguments that are part of the container's entrypoint.
| | | | |
| | | | |     Fixes #9776
| | | | |
| | | | |     Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | | | Merge pull request #9844 from afbjorklund/qemu-kvm (OpenShift Merge Robot, 2021-03-29)
|\ \ \ \ \
| |_|_|_|/
|/| | | |
| | | | |     Add machine support for more Linux distros
| * | | | Add machine support for more Linux distros (Anders F Björklund, 2021-03-28)
| |/ / /
| | | |     There are no regression tests for machine
| | | |
| | | |     [NO TESTS NEEDED]
| | | |
| | | |     Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* | | | Merge pull request #9631 from rhatdan/pull (OpenShift Merge Robot, 2021-03-29)
|\ \ \ \
| |_|/ /
|/| | |
| | | |     Fix podman build --pull-never
| * | | Fix podman build --pull-never (Daniel J Walsh, 2021-03-27)
| | | |     Currently pull policy is set incorrectly when users set --pull-never.
| | | |
| | | |     Also pull-policy is not being translated correctly when using podman-remote.
| | | |
| | | |     Fixes: #9573
| | | |
| | | |     Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #9829 from rhatdan/rmi (OpenShift Merge Robot, 2021-03-28)
|\ \ \ \
| |_|/ /
|/| | |
| | | |     [NO TESTS NEEDED] Use same function podman-remote rmi as podman
| * | | [NO TESTS NEEDED] Use same function podman-remote rmi as podman (Daniel J Walsh, 2021-03-28)
| | | |     Make sure fixes that go into local podman commands also work in podman-remote, by using the same function.
| | | |
| | | |     Since this is just a rewrite of existing code, existing tests should handle it.
| | | |
| | | |     Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #9467 from rhatdan/buildah (OpenShift Merge Robot, 2021-03-28)
|\ \ \ \
| | | | |     [NO TESTS NEEDED] Turn on podman-remote build --isolation
| * | | | [NO TESTS NEEDED] Turn on podman-remote build --isolation (Daniel J Walsh, 2021-03-26)
| | |/ /
| |/| |
| | | |     Currently podman only works with --isolation chroot. This PR fixes this by allowing the isolation mode to default to OCI and to also allow users to pass the isolation mode into the containers.
| | | |
| | | |     The current tests for --isolation should cause this code to be tested.
| | | |
| | | |     Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #9836 from baude/vmcreateresize (OpenShift Merge Robot, 2021-03-28)
|\ \ \ \
| |_|/ /
|/| | |
| | | |     Podman machine enhancements
| * | | Podman machine enhancements (baude, 2021-03-27)
| | |/
| |/|
| | |     Podman machine remove is now called `rm`.
| | |
| | |     Podman machine create now supports resizing the image to the value of --disk-size as provided. The default is to 10G.
| | |
| | |     Added systemd unit file on guest via ignition that sends a Ready message to the host over a virtio-socket so that we know when the VM is booted and ready for use.
| | |
| | |     Podman machine commands no longer require a VM name as an argument. A default VM name is defined and if no VM name is provided as an arg, the default will be used.
| | |
| | |     [NO TESTS NEEDED]
| | |
| | |     Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #9838 from xordspar0/kubeVolumeErrors (OpenShift Merge Robot, 2021-03-28)
|\ \ \
| |/ /
|/| |
| | |     Add problematic volume name to kube play error messages
| * | Add problematic volume name to kube play error messages (Jordan Christiansen, 2021-03-27)
| |/
| |     When kube play fails to create a volume, it should say which volume had the problem so the user doesn't have to guess. For the following pod spec:
| |
| |         apiVersion: v1
| |         kind: Pod
| |         metadata:
| |           name: mypod
| |         spec:
| |           containers:
| |             - name: myfrontend
| |               image: nginx
| |               volumeMounts:
| |               - mountPath: "/var/www/html"
| |                 name: mypd
| |           volumes:
| |             - name: mypd
| |               hostPath:
| |                 path: /var/blah
| |
| |     podman will now report:
| |
| |         Error: failed to create volume "mypd": error in parsing HostPath in YAML: error checking path "/var/blah": stat /var/blah: no such file or directory
| |
| |     Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
* | Merge pull request #9822 from jmguzik/fix-pods-list-filters-http-api (OpenShift Merge Robot, 2021-03-27)
|\ \
| |/
|/|
| |     Fix list pods filter handling in libpod api
| * Fix list pods filter handling in libpod api (Jakub Guzik, 2021-03-26)
| |     Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | Remove resize race condition (Daniel J Walsh, 2021-03-26)
| |     Since podman-remote resize requests can come in at random times, this generates a real potential for race conditions. We should only be attempting to resize TTY on running containers, but the containers can go from running to stopped at any time, and returning an error to the caller is just causing noise.
| |
| |     This change will basically ignore requests to resize terminals if the container is not running and return the caller to success. All other callers will still return failure.
| |
| |     Fixes: https://github.com/containers/podman/issues/9831
| |
| |     Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>