| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
| |
The kernel never sets the inheritable capabilities for a process, they
are only set by userspace. Emulate the same behavior.
Closes: CVE-2022-27649
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
(cherry picked from commit aafa80918a245edcbdaceb1191d749570f1872d0)
|
| |
|
|
|
|
| |
Start in a reduced mode for recovery, warn, and provide instructions to recreate them
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If you want to remove a running machine, you can now pass the --force/-f
to podman machine rm and the machine will be stopped and removed without
confirmations.
Fixes: #13448
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| |
|
|
| |
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
|
| |
|
|
|
|
|
|
| |
* Enable support of virtfs in Podman and darwin. At the time of this writing, it requires a special patch not yet included in upstream qemu.
* Prefer to use a specially built qemu to support virtfs. The qemu is installed under libexec/podman.
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Backports: #13421 Set default rule at the head of device configuration
by @hshiina
The default rule should be set at the head of device configuration.
Otherwise, rules for user devices are overridden by the default rule so
that any access to the user devices are denied.
This has been requested to backport and to include in RHEL 8.6 and 9.0.
The exception process is underway.
Addresses these BZs for the backport:
https://bugzilla.redhat.com/show_bug.cgi?id=2059296
https://bugzilla.redhat.com/show_bug.cgi?id=2062835
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
|
| |
|
|
|
|
|
|
| |
This reverts commit fc5cf812c81a10f8a021aae11df5f12ab2a6f6f6.
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
To prevent duplication and potential bugs we should use the same
GetRuntimeDir function that is used in c/common.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |
|
|
|
|
|
|
| |
`podman play kube` tries to build images even if `--build` is set to
false so lets honor that and make `--build` , `true` by default so it
matches the original behviour.
Signed-off-by: Aditya R <arajan@redhat.com>
|
| |
|
|
|
|
|
| |
convert the propagation mode specified for the mount to the expected
Linux mount option.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
|
|
|
|
| |
Branch forced 4.0 only endpoints
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
| |
|
|
|
|
| |
Switch default to rootless for mac and windows
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
|
| |
|
|
|
|
| |
claim helper
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Set proxy settings (such as `HTTP_PROXY`, and others)
for the whole guest OS with setting up `DefaultEnvironment`
with a `systemd` configuration file `default-env.conf`,
a `profile.d` scenario file - `default-env.sh` and
a `environment.d` configuration file `default-env.conf`
The **actual** environment variables are read by podman
at a start, then they are encrypted with base64 into
a single string and after are provided into a VM through
QEMU Firmware Configuration (fw_cfg) Device
Inside a VM a systemd service `envset-fwcfg.service`
reads the providead encrypted string from fw_cfg, decrypts
and then adds to the files
- `/etc/systemd/system.conf.d/default-env.conf`
- `/etc/profile.d/default-env.sh`
- `/etc/environment.d/default-env.conf`
At the end this service execute `systemctl daemon-reload`
to propagate new variables for systemd manager
[NO NEW TESTS NEEDED]
Closes #13168
Signed-off-by: esendjer <esendjer@gmail.com>
|
| |
|
|
| |
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Checkpoint/restore pod tests are not running with an older runc and now
that runc 1.1.0 appears in the repositories it was detected that the
tests were failing. This was not detected in CI as CI was not using runc
1.1.0 yet.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
| |
|
|
|
|
| |
Fixes: https://github.com/containers/podman/issues/12763
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
When attempting to create a network with a name that already exists,
a 409 status code will be returned
[NO NEW TESTS NEEDED]
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Until podman4 is in the fcos trees, we need to pull the machine images
from a side repository. There is a hard coded bit that forces the
side repo download right now. Simple comment or removal of the bit will
revert to normal download behavior.
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| |
|
|
| |
Signed-off-by: Tom Deseyn <tom.deseyn@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
reponse
Lot of clients are expecting proper `Content-type: application/json`
configured in response headers of `/build` compat api. Following commit
fixes that.
Fixes issues where code is setting header field after writing header
which is wrong. We must set `content-type` before we write and flush
http header.
Signed-off-by: Aditya R <arajan@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
separated cgroupNS sharing from setting the pod as the cgroup parent,
made a new flag --share-parent which sets the pod as the cgroup parent for all
containers entering the pod
remove cgroup from the default kernel namespaces since we want the same default behavior as before which is just the cgroup parent.
resolves #12765
Signed-off-by: cdoern <cdoern@redhat.com>
Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
Signed-off-by: cdoern <cdoern@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
* Ensure meaningful behaviour when called with /v3.x.x semantics
* Change return code to 409 from 500 when client attempts to use an
existing network name
* Update API bats test runner to support /v4.0.0 endpoints by default
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
| |
|
|
|
|
|
|
| |
[NO NEW TESTS NEEDED] crun is not available everywhere to test idmap.
Kernel might not be recent enough and not all file systems support
idmap option.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This reverts commit a1bc8cb52cefd49e8cc54ae14d1864b8a1ec216e.
Please see resolv.conf(5) search domains must be on the same line. If
you use multiple seach key words only the last one is used. I tested this
with alpine and it works correctly when they are on the same line so I
am not sure what issues Dan had with it but this is not correct.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Alpine does not seem to use search correctly when there are multiple
search domains on the same line. It only uses the first with the advent.
When podman runs within a separate network we are appending on
dns.podman as a search, if you add a search domain, then this causes the
local search on network to fail.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
| |
Fixes: https://github.com/containers/podman/issues/13096
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Makes sure that ignition setups up systemd config so cgroup controllers
like `cpu, io` are also delegated to `non-root` along with `memory,
pid`.
This allows general users of `podman` on `macOS` and `podman-remote` to
do operations which are dependent on `cpu, io` cgroup controllers.
[NO TESTS NEEDED]
[NO NEW TESTS NEEDED]
We don't have a CI infra to test this, please pull the tree and run
`podman info` inside the machine to confirm.
Signed-off-by: Aditya R <arajan@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
When the Dockerfile isn't in the root directory of the build context,
the client supplies its pathname to the server, but it needs to do so
using "/" as the path separator, not the client OS's path separator.
CI can't test Windows clients, so
[NO NEW TESTS NEEDED]
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
|
| |\
| |
| | |
volume: add support for non-volatile `upperdir`,`workdir` for overlay volumes
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Often users want their overlayed volumes to be `non-volatile` in nature
that means that same `upper` dir can be re-used by one or more
containers but overall of nature of volumes still have to be `overlay`
so work done is still on a overlay not on the actual volume.
Following PR adds support for more advanced options i.e custom `workdir`
and `upperdir` for overlayed volumes. So that users can re-use `workdir`
and `upperdir` across new containers as well.
Usage
```console
$ podman run -it -v myvol:/data:O,upperdir=/path/persistant/upper,workdir=/path/persistant/work alpine sh
```
Signed-off-by: Aditya R <arajan@redhat.com>
|
| |/
|
|
|
|
|
|
|
|
|
| |
podman network create --subnet, --gateway and --ip-range can now be
specified multiple times to join the network to more than one subnet.
This is very useful if you want to use a dual stack network and assign a
fixed ipv4 and ipv6 subnet. The order of the options is important here,
the first --gateway/--ip-range will be assigned to the first subnet and
so on.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |\
| |
| | |
switch podman image scp from depending on machinectl to just os/exec
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
machinectl does not propogate error messages and adds extra lines in the output, exec.Cmd is able to clear the env besides PATH and TERM,
and use the given UID and GID to execute the command properly.
machinectl is still used to create a user session. Ubuntu support is limited by this.
Signed-off-by: cdoern <cdoern@redhat.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
| |
commit 350ede1eeb6ab33bce2918d7768b940c255e63c6 added the feature.
Do not check whether the device is usable by the rootless user before
adding to the container.
Closes: https://github.com/containers/podman/issues/12704
[NO NEW TESTS NEEDED] it requires changes on the host to test it
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Documentation for API volume list, pointed to a different struct
than the code.
[NO NEW TESTS NEEDED]
Fixes #12987
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
| |\
| |
| | |
pkg/specgen/generate/security: fix error message text
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
This should be Network Namespace, not Host Namespace.
[NO NEW TESTS NEEDED]
Fixes: 0d70df11
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
|
| |\ \
| | |
| | | |
Fix handling of duplicate matches on id expansion
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fixes: https://github.com/containers/podman/issues/12963
[NO NEW TESTS NEEDED] I don't know how to create two
containers with the same first digit of the digest,
which I could them attempt to remove.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we run rootless buildah needs to have IsolationOCIRootless set
otherwise it will run code which cannot be used as rootless user.
Podman should use the buildah default if possible and change it to
rootless mode if needed.
[NO NEW TESTS NEEDED] Should be covered by existing tests once we have
podman-remote rootless tests.
Fixes #12989
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
|
| |
|
|
|
|
|
|
| |
This commit removes error message string from utils.Error in pkg/api.
Param was not used inside a function for quite a long time
[NO NEW TESTS NEEDED]
Signed-off-by: Jakub Guzik <jguzik@redhat.com>
|
| |\
| |
| | |
Run codespell
|
| | |
| |
| |
| | |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \
| | |
| | | |
Restore machine start logic that was hanging
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
After refactoring Stop(), mounting volumes was hanging in Start().
Restore the conditional, and add error reporting from isListening.
[NO NEW TESTS NEEDED]
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
|
| |\ \ \
| | | |
| | | | |
Fix #2 for compat commit handling of --changes
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
