summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Merge pull request #8209 from mwhahaha/issue-8208OpenShift Merge Robot2020-11-03
|\ | | | | Change http ConnState actions between new and active
| * Change http ConnState actions between new and activeAlex Schultz2020-10-31
| | | | | | | | | | | | | | | | | | | | | | | | Currently it double counts connections because it's incrementing the total for both the new and active states. Based on the comments, we should only count new connections for the total count and perform the timer stop actions when the connection has transitioned to an active state. Closes #8208 Signed-off-by: Alex Schultz <aschultz@redhat.com>
* | Merge pull request #8217 from giuseppe/caps-ambientOpenShift Merge Robot2020-11-03
|\ \ | | | | | | specgen: add support for ambient capabilities
| * | specgen: keep capabilities with --userns=keep-idGiuseppe Scrivano2020-11-02
| | | | | | | | | | | | | | | | | | | | | | | | if --userns=keep-id is specified and not --user is specified, take the unprivileged capabilities code path so that ambient capabilities are honored in the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | specgen: fix check for root userGiuseppe Scrivano2020-11-02
| | | | | | | | | | | | | | | | | | | | | if the username is specified in the USER:GROUP form, make sure we only check for USER. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | specgen: add support for ambient capabilitiesGiuseppe Scrivano2020-11-02
| |/ | | | | | | | | | | | | | | | | | | if the kernel supports ambient capabilities (Linux 4.3+), also set them when running with euid != 0. This is different that what Moby does, as ambient capabilities are never set. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #8166 from rhatdan/unbindableOpenShift Merge Robot2020-11-02
|\ \ | | | | | | Allow users to mount with unbindable flag
| * | Add better support for unbindable volume mountsDaniel J Walsh2020-11-02
| |/ | | | | | | | | | | | | | | Allow users to specify unbindable on volume command line Switch internal mounts to rprivate to help prevent leaks. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / Centralize cores and period/quota conversion codeJordan Christiansen2020-10-31
|/ | | | Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
* Merge pull request #8197 from giuseppe/check-cgroupv2-swap-enabledOpenShift Merge Robot2020-10-31
|\ | | | | specgen, cgroup2: check whether memory swap is enabled
| * specgen, cgroup2: check whether memory swap is enabledGiuseppe Scrivano2020-10-30
| | | | | | | | | | | | add a similar check to what we do on cgroup v1. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * specgen: split cgroup v1 and cgroup v2 codeGiuseppe Scrivano2020-10-30
| | | | | | | | | | | | refactor function into two separate ones. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #8100 from QiWang19/mirror-manifestOpenShift Merge Robot2020-10-31
|\ \ | | | | | | manifest list inspect single image
| * | manifest list inspect single imageQi Wang2020-10-30
| |/ | | | | | | | | | | If the image name not a manifest list type, enable manifest inspect to return manifest of single image manifest type vnd.docker.distribution.manifest.v2+json. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Merge pull request #8177 from rhatdan/wrapOpenShift Merge Robot2020-10-30
|\ \ | | | | | | Stop excessive wrapping of errors
| * | Stop excessive wrapping of errorsDaniel J Walsh2020-10-30
| |/ | | | | | | | | | | | | | | | | | | | | | | Most of the builtin golang functions like os.Stat and os.Open report errors including the file system object path. We should not wrap these errors and put the file path in a second time, causing stuttering of errors when they get presented to the user. This patch tries to cleanup a bunch of these errors. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #8200 from haircommander/parse-segfaultOpenShift Merge Robot2020-10-30
|\ \ | | | | | | spec: protect against segfault
| * | spec: protect against segfaultPeter Hunt2020-10-30
| |/ | | | | | | | | | | when the user passes in "/dev/null::w" Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | Merge pull request #8196 from giuseppe/specgen-swap-limit-err-messageOpenShift Merge Robot2020-10-30
|\ \ | | | | | | specgen: fix error message
| * | specgen: fix error messageGiuseppe Scrivano2020-10-30
| |/ | | | | | | | | | | drop spurious comma. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #8191 from mheon/no_error_on_sigproxy_stoppedOpenShift Merge Robot2020-10-30
|\ \ | | | | | | When container stops, drop sig-proxy errors to infos
| * | When container stops, drop sig-proxy errors to infosMatthew Heon2020-10-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The sig-proxy code is set up to error on failing to forward signals to a container. This is reasonable in cases where the container is running, but something strange went wrong - but when the Kill fails because the container is stopped, we shouldn't bother with aggressive Error logging since this is an expected part of the container lifecycle - it stops, and then `podman run` also stops, but there is a timing window in between where signals will fail to be proxied, and we should not print angry errors during that. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Pod's that share the IPC Namespace need to share /dev/shmDaniel J Walsh2020-10-30
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | Containers that share IPC Namespaces share each others /dev/shm, which means a private /dev/shm needs to be setup for the infra container. Added a system test and an e2e test to make sure the /dev/shm is shared. Fixes: https://github.com/containers/podman/issues/8181 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #8146 from vrothberg/image-mountsOpenShift Merge Robot2020-10-29
|\ \ | | | | | | new "image" mount type
| * | new "image" mount typeValentin Rothberg2020-10-29
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | Add a new "image" mount type to `--mount`. The source of the mount is the name or ID of an image. The destination is the path inside the container. Image mounts further support an optional `rw,readwrite` parameter which if set to "true" will yield the mount writable inside the container. Note that no changes are propagated to the image mount on the host (which in any case is read only). Mounts are overlay mounts. To support read-only overlay mounts, vendor a non-release version of Buildah. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #8165 from edsantiago/move_from_dockerioOpenShift Merge Robot2020-10-29
|\ \ | | | | | | Move from docker.io
| * | move from docker.ioEd Santiago2020-10-28
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Followon to #7965 (mirror registry). mirror.gcr.io doesn't cache all the images we need, and I can't find a way to add to its cache, so let's just use quay.io for those images that it can't serve. Tools used: skopeo copy --all docker://docker.io/library/alpine:3.10.2 \ docker://quay.io/libpod/alpine:3.10.2 ...and also: docker.io/library/alpine:3.2 docker.io/library/busybox:latest docker.io/library/busybox:glibc docker.io/library/busybox:1.30.1 docker.io/library/redis:alpine docker.io/libpod/alpine-with-bogus-seccomp:label docker.io/libpod/alpine-with-seccomp:label docker.io/libpod/alpine_healthcheck:latest docker.io/libpod/badhealthcheck:latest Since most of those were new quay.io/libpod images, they required going in through the quay.io GUI, image, settings, Make Public. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #8178 from rhatdan/existsOpenShift Merge Robot2020-10-29
|\ \ | | | | | | NewFromLocal can return multiple images
| * | NewFromLocal can return multiple imagesDaniel J Walsh2020-10-28
| |/ | | | | | | | | | | | | | | | | | | If you use additional stores and pull the same image into writable stores, you can end up with the situation where you have the same image twice. This causes image exists to return the wrong error. It should return true in this situation rather then an error. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #8173 from giuseppe/improve-cannot-reexec-errorOpenShift Merge Robot2020-10-29
|\ \ | | | | | | rootless: improve error message if cannot join namespaces
| * | rootless: improve error message if cannot join namespacesGiuseppe Scrivano2020-10-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | if podman failed to join the rootless namespaces, give users a better errror message and possible solution. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1891220 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #8161 from afbjorklund/podman-remote-host-hashOpenShift Merge Robot2020-10-29
|\ \ \ | |_|/ |/| | Support hashed hostnames in the known_hosts file
| * | Support hashed hostnames in the known_hosts fileAnders F Björklund2020-10-27
| | | | | | | | | | | | | | | | | | | | | | | | Some systems have "HashKnownHosts yes" in their ssh_config This causes entries in the ssh known_hosts to be hashed (|) Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* | | Merge pull request #8102 from ashley-cui/inspectOpenShift Merge Robot2020-10-27
|\ \ \ | | | | | | | | Add pod, volume, network to inspect package
| * | | Add pod, volume, network to inspect packageAshley Cui2020-10-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman inspect only had the capabilities to inspect containers and images. if a user wanted to inspect a pod, volume, or network, they would have to use `podman network inspect`, `podman pod inspect` etc. Docker's cli allowed users to inspect both volumes and networks using regular inspect, so this commit gives the user the functionality If the inspect type is not specified using --type, the order of inspection is: containers images volumes networks pods meaning if container that has the same name as an image, podman inspect would return the container inspect. To avoid duplicate code, podman network inspect and podman volume inspect now use the inspect package as well. Podman pod inspect does not because podman pod inspect returns a single json object while podman inspect can return multiple) Signed-off-by: Ashley Cui <acui@redhat.com>
* | | | Merge pull request #8141 from afbjorklund/podman-remote-host-port-masterOpenShift Merge Robot2020-10-27
|\ \ \ \ | | | | | | | | | | Add support for host keys for non-22 ports
| * | | | Add support for host keys for non-22 portsAnders F Björklund2020-10-25
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | When not using the standard SSH port (22), the port is appended to the hostname (in brackets) like so: "host" -> "[host]:1234" Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com> (cherry picked from commit 8794e8db1ce3088d633911454d6d36c4e939e126)
* | | | Merge pull request #8151 from vrothberg/fix-8148OpenShift Merge Robot2020-10-27
|\ \ \ \ | |_|/ / |/| | | image list: check for all errors
| * | | image list: check for all errorsValentin Rothberg2020-10-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For unknown historical reasons, some errors were ignored when listing images. I assume that the basic assumption was that if we can properly list images, we can also successfully compute their sizes which turned out to be wrong. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | The cidfile should be created when the container is createdDaniel J Walsh2020-10-26
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently if you run an interactive session of podman run and specifiy the --cidfile option, the cidfile will not get created until the container finishes running. If you run a detached container, it will get created right away. This Patch creates the cidfile as soon as the container is created. This could allow other tools to use the cidefile on all running containers. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / / fix: podman-cp respects "--extract" flagMatej Vasek2020-10-25
|/ / | | | | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
* | Merge pull request #8109 from matejvasek/inspect-apiv2-rootfsOpenShift Merge Robot2020-10-23
|\ \ | | | | | | fix: /image/{name or id}/json returns RootFS layers
| * | src: nil checkMatej Vasek2020-10-22
| | | | | | | | | | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
| * | src: add nil checksMatej Vasek2020-10-22
| | | | | | | | | | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
| * | fix: /image/{name}/json returns RootFS layersMatej Vasek2020-10-22
| | | | | | | | | | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
* | | Merge pull request #8078 from baude/networkdisconnectOpenShift Merge Robot2020-10-22
|\ \ \ | |/ / |/| | APIv2 compatibility network connect|disconnect
| * | APIv2 compatibility network connect|disconnectbaude2020-10-22
| | | | | | | | | | | | | | | | | | Add endpoints for the compat layer for network connect and disconnect. As of now, these two endpoints do nothing to change the network state of a container. They do some basic data verification and return the proper 200 response. This at least allows for scripts to work on the compatibility layer instead of getting 404s. Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #8098 from vrothberg/fix-8082OpenShift Merge Robot2020-10-22
|\ \ \ | | | | | | | | container create: record correct image name
| * | | container create: record correct image nameValentin Rothberg2020-10-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Record the correct image name when creating a container by using the resolved image name if present. Otherwise, default to using the first available name or an empty string in which case the image must have been referenced by ID. Fixes: #8082 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Merge pull request #7956 from QiWang19/save-rm-sigOpenShift Merge Robot2020-10-22
|\ \ \ \ | | | | | | | | | | Allow save image remove-signatures