path: root/pkg
Commit message (Author, Age)
* Pod Security Option support (cdoern, 2021-12-27)
| Added support for pod security options. These are applied to infra and passed down to the containers as added (unless overridden). Modified the inheritance process from infra, creating a new function Inherit() which reads the config, and marshals the compatible options into an intermediate struct `InfraInherit`. This is then unmarshaled into a container config and all of this is added to the CtrCreateOptions. Removes the need (mostly) for special additions which complicate the Container_create code and pod creation. resolves #12173 Signed-off-by: cdoern <cdoern@redhat.com>
* Introduce Windows WSL implementation of podman machine (Jason T. Greene, 2021-12-24)
| [NO NEW TESTS NEEDED] for now Signed-off-by: Jason Greene <jason.greene@redhat.com>
* Merge pull request #12627 from rhatdan/passwd (OpenShift Merge Robot, 2021-12-23)
|\ Allow users to add host user accounts to /etc/passwd
| * Allow users to add host user accounts to /etc/passwd (Daniel J Walsh, 2021-12-23)
| | Some containers require certain user account(s) to exist within the container when they are run. This option will allow callers to add a bunch of passwd entries from the host to the container even if the entries are not in the local /etc/passwd file on the host. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1935831 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | container creation: don't apply reserved annotations from image (Valentin Rothberg, 2021-12-23)
|/ Do not apply reserved annotations from the image to the container. Reserved annotations are applied during container creation to retrieve certain information (e.g., custom seccomp profile or autoremoval) once a container has been created. Context: #12671 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12672 from adrianreber/2021-12-21-check-for-memtrack (OpenShift Merge Robot, 2021-12-23)
|\ Error out early if system does not support pre-copy checkpointing
| * Error out early if system does not support pre-copy checkpointing (Adrian Reber, 2021-12-23)
| | CRIU's pre-copy migration support relies on the soft dirty page tracking in the Linux kernel: https://www.kernel.org/doc/Documentation/vm/soft-dirty.txt This functionality is not implemented for all architectures and it can also be turned off in the kernel. CRIU can check if the combination of architecture/kernel/CRIU supports the soft dirty page tracking and exports this feature checking functionality in go-criu. This commit adds an early check if the user selects pre-copy checkpointing to error out if the system does not support it. Signed-off-by: Adrian Reber <areber@redhat.com>
* | Warn on use of --kernel-memory (Daniel J Walsh, 2021-12-22)
|/ It has been deprecated and is no longer supported. Fully remove it and only print a warning if a user uses it. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2011695 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #12664 from cdoern/noManagePasswd (OpenShift Merge Robot, 2021-12-22)
|\ Podman run --passwd
| * Podman run --passwd (cdoern, 2021-12-21)
| | added support for a new flag --passwd which, when false prohibits podman from creating entries in /etc/passwd and /etc/groups allowing users to modify those files in the container entrypoint resolves #11805 Signed-off-by: cdoern <cdoern@redhat.com>
* | Merge pull request #12663 from vrothberg/compat-normalization (OpenShift Merge Robot, 2021-12-21)
|\ \ compat: image normalization: handle sha256 prefix
| * | compat: image normalization: handle sha256 prefix (Valentin Rothberg, 2021-12-20)
| |/ When normalizing image names on the compat API, make sure to take the `sha256:` prefix into account when matching against the image ID. Otherwise, the name will mistakenly be subject to docker.io normalization. Signed-off-by: Valentin Rothberg <rothberg@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / specgen: honor userns=auto from containers.conf (Giuseppe Scrivano, 2021-12-20)
|/ when using the default userns value, make sure its value is parsed so that userns=auto is parsed and the options for the storage are filled. Closes: https://github.com/containers/podman/issues/12615 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #12641 from giuseppe/add-more-logging-setuserns (Daniel J Walsh, 2021-12-19)
|\ rootless: include the args in the debug message
| * rootless: include the args in the debug message (Giuseppe Scrivano, 2021-12-17)
| | include the arguments used to create the user namespace to help debugging. [NO NEW TESTS NEEDED] it changes a debug message Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Set machine timezone (Brent Baude, 2021-12-16)
| | Added an option to podman machine init to declare the timezone of the resulting machine. the default is to use the value of the host name or else a given timezone name like America/Chicago. Fixes: #11895 Signed-off-by: Brent Baude <bbaude@redhat.com> [NO NEW TESTS NEEDED] Signed-off-by: Brent Baude <bbaude@redhat.com>
* | Merge pull request #12606 from vrothberg/fix-12441 (OpenShift Merge Robot, 2021-12-16)
|\ \ bindings rmi test: clarify behavior
| * | bindings rmi test: clarify behavior (Valentin Rothberg, 2021-12-16)
| |/ The libpod/images/remove endpoint is not very REST-ish but, after some debate, was decided to be implemented as for the following reasons. First, it allows for batch removing images which improves performance significantly. Note that Docker does support `rmi -a`! Second, it allows for hiding the logic of setting the right exit code to use from the client and keep all the logic on the server. Hence, when removing an image that does not exist, the server will return a 200. The response, however, includes the error message to be used *and* the exit code that podman-remote will use. Fixes: #12441 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* / oci: configure the devices cgroup with default devices (Giuseppe Scrivano, 2021-12-16)
|/ always set the default devices to the devices cgroup when not running in a user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #12600 from rhatdan/external (OpenShift Merge Robot, 2021-12-15)
|\ Show --external containers even without --all option
| * Show --external containers even without --all option (Daniel J Walsh, 2021-12-14)
| | We currently do not show --external containers when the user specifies it, unless they also specify the --all flag. This has led to confusion. I see no reason not to list them without the --all flag if the user specifies the option. Fixes: https://github.com/containers/podman/issues/12353 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #12534 from Luap99/network-db (OpenShift Merge Robot, 2021-12-15)
|\ \
| |/
|/| network db rewrite
| * specgen: check that networks are only set with bridge (Paul Holzinger, 2021-12-14)
| | Because we cannot read the networking mode in the frontend because we should always use the server default we have to parse the mac and ip address to the server via a default network. Now when the server reads the default nsmode it has to reject the provided networks when the mode is not set to bridge. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * container restore/import: store networks from db (Paul Holzinger, 2021-12-14)
| | It is important that we store the current networks from the db in the config. Also make sure to properly handle aliases and ignore static ip/mac addresses. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * play kube add support for multiple networks (Paul Holzinger, 2021-12-14)
| | Allow the same --network options for play kube as for podman run/create. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * support advanced network configuration via cli (Paul Holzinger, 2021-12-14)
| | Rework the --network parse logic to support multiple networks with specific network configuration settings. --network can now be set multiple times. For bridge network mode the following options have been added:
| |
| | - **alias=name**: Add network-scoped alias for the container.
| | - **ip=IPv4**: Specify a static ipv4 address for this container.
| | - **ip=IPv6**: Specify a static ipv6 address for this container.
| | - **mac=MAC**: Specify a static mac address for this container.
| | - **interface_name**: Specify a name for the created network interface inside the container.
| |
| | So now you can set --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99 for the default bridge network as well as for network names. This is better than using --ip because we can set the ip per network without any confusion which network the ip address should be assigned to. The --ip, --mac-address and --network-alias options are still supported but --ip or --mac-address can only be set when only one network is set. This limitation already existed previously. The ability to specify a custom network interface name is new. Fixes #11534 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * Add new networks format to specgen (Paul Holzinger, 2021-12-14)
| | Add the new networks format to specgen. For api users cni_networks is still supported to make migration easier however the static ip and mac fields are removed. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * fix incorrect swagger doc for network dis/connect (Paul Holzinger, 2021-12-14)
| | The swagger api docs used the extra Body struct as part of the request which is wrong. We just want the plain type. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * network connect allow ip, ipv6 and mac address (Paul Holzinger, 2021-12-14)
| | Network connect now supports setting a static ipv4, ipv6 and mac address for the container network. The options are added to the cli and api. Fixes #9883 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * network db: add new structure to container create (Paul Holzinger, 2021-12-14)
| | Make sure we create new containers in the db with the correct structure. Also remove some unneeded code for alias handling. We no longer need these functions. The specgen format has not been changed for now. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * remove unneeded return value from c.Networks() (Paul Holzinger, 2021-12-14)
| | We do not need to return an extra bool. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | Merge pull request #12595 from Luap99/network-id (OpenShift Merge Robot, 2021-12-14)
|\ \ fix network id handling
| * | fix network id handling (Paul Holzinger, 2021-12-14)
| |/ We have to get the network ID from the network backend. With the netavark backend we no longer use the sha from the name as ID. [NO NEW TESTS NEEDED] Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* / Fixes #12063 Add docker compatible output after image build. (Ananth Bhaskararaman, 2021-12-14)
|/ Signed-off-by: Ananth Bhaskararaman <antsub@gmail.com>
* compat build: adhere to q/quiet (Valentin Rothberg, 2021-12-13)
| Fixes: #12566 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* [NO NEW TESTS NEEDED] rootless: declare TEMP_FAILURE_RETRY before usage (Fixes: #12563) (Marc Nguyen, 2021-12-10)
| Signed-off-by: Nguyen Marc <nguyen_marc@live.fr>
* --hostname should be set when using --pod new:foobar (Daniel J Walsh, 2021-12-09)
| Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2030599 When you create pod, it shares the UTS namespace with Containers. Currently the --hostname is not passed to the pod created when you create a container and pod in the same command. Also fix error message on supported --share flags Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #12545 from vrothberg/fix-12477 (OpenShift Merge Robot, 2021-12-09)
|\ generate systemd: support entrypoint JSON strings
| * generate systemd: support entrypoint JSON strings (Valentin Rothberg, 2021-12-08)
| | Make sure to preserve the quoting of entrypoint JSON strings. Fixes: #12477 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #12541 from flouthoc/remote_blank_entrypoint (OpenShift Merge Robot, 2021-12-08)
|\ \ specgen: honor empty args for entrypoint specified as `--entrypoint ""`
| * | specgen: honor empty args for entrypoint (Aditya Rajan, 2021-12-08)
| |/ Users should be able to override containers entrypoint using `--entrypoint ""` following works fine for podman but not for podman remote. Specgen ignores empty argument for entrypoint so make specgen honor empty arguments. Signed-off-by: Aditya Rajan <arajan@redhat.com>
* / remove runlabel test for global opts (Valentin Rothberg, 2021-12-08)
|/ GLOBAL_OPTS haven't been supported for at least two major versions of Podman. The runlabel code is extremely fragile and I think it should be rewritten before adding new features. Fixes: #12436 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Update vendor or containers/common moving pkg/cgroups there (Daniel J Walsh, 2021-12-07)
| [NO NEW TESTS NEEDED] This is just moving pkg/cgroups out so existing tests should be fine. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #12466 from dispensable/respect_pod_yaml_spec_hostname_when_play (OpenShift Merge Robot, 2021-12-03)
|\ Hostname in `spec.hostname` should be passed to infra ctr init opt
| * Hostname in `spec.hostname` should be passed to infra ctr init opt (wangqiang, 2021-12-01)
| | Fixes https://github.com/containers/podman/issues/12393 Signed-off-by: Qiang Wang <sunsetmask@gmail.com>
* | Merge pull request #12440 from umohnani8/cm (OpenShift Merge Robot, 2021-12-03)
|\ \ Add support for configmap volumes to play kube
| * | Add support for configmap volumes to play kube (Urvashi Mohnani, 2021-12-02)
| | | If the k8s yaml has volumes from a configmap, play kube will now create a volume based on the data from the configmap and volume source and set it to the right path in the container accordingly. Add tests for this and update some test for ENV from configmap. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* | | Merge pull request #12484 from machacekondra/restartSec (OpenShift Merge Robot, 2021-12-03)
|\ \ \ Add restart-sec option to systemd generate command
| * | | Add restart-sec option to systemd generate (Ondra Machacek, 2021-12-03)
| | | | Signed-off-by: Ondra Machacek <omachace@redhat.com>
* | | | Merge pull request #12486 from giuseppe/use-configured-compression-format (OpenShift Merge Robot, 2021-12-03)
|\ \ \ \
| |/ / /
|/| | | cmd, push: use the configured compression format