| Commit message (Collapse) | Author | Age |
|\
| |
| | |
Change http ConnState actions between new and active
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently it double counts connections because it's incrementing the
total for both the new and active states. Based on the comments, we
should only count new connections for the total count and perform the
timer stop actions when the connection has transitioned to an active
state.
Closes #8208
Signed-off-by: Alex Schultz <aschultz@redhat.com>
|
|\ \
| | |
| | | |
specgen: add support for ambient capabilities
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
if --userns=keep-id is specified and not --user is specified, take the
unprivileged capabilities code path so that ambient capabilities are
honored in the container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
if the username is specified in the USER:GROUP form, make sure we only
check for USER.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
if the kernel supports ambient capabilities (Linux 4.3+), also set
them when running with euid != 0.
This is different that what Moby does, as ambient capabilities are
never set.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
Allow users to mount with unbindable flag
|
| |/
| |
| |
| |
| |
| |
| |
| | |
Allow users to specify unbindable on volume command line
Switch internal mounts to rprivate to help prevent leaks.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/
|
|
| |
Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
|
|\
| |
| | |
specgen, cgroup2: check whether memory swap is enabled
|
| |
| |
| |
| |
| |
| | |
add a similar check to what we do on cgroup v1.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
| |
| |
| |
| |
| | |
refactor function into two separate ones.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
manifest list inspect single image
|
| |/
| |
| |
| |
| |
| | |
If the image name not a manifest list type, enable manifest inspect to return manifest of single image manifest type vnd.docker.distribution.manifest.v2+json.
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
|\ \
| | |
| | | |
Stop excessive wrapping of errors
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Most of the builtin golang functions like os.Stat and
os.Open report errors including the file system object
path. We should not wrap these errors and put the file path
in a second time, causing stuttering of errors when they
get presented to the user.
This patch tries to cleanup a bunch of these errors.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
spec: protect against segfault
|
| |/
| |
| |
| |
| |
| | |
when the user passes in "/dev/null::w"
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
|\ \
| | |
| | | |
specgen: fix error message
|
| |/
| |
| |
| |
| |
| | |
drop spurious comma.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
When container stops, drop sig-proxy errors to infos
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The sig-proxy code is set up to error on failing to forward
signals to a container. This is reasonable in cases where the
container is running, but something strange went wrong - but when
the Kill fails because the container is stopped, we shouldn't
bother with aggressive Error logging since this is an expected
part of the container lifecycle - it stops, and then `podman run`
also stops, but there is a timing window in between where signals
will fail to be proxied, and we should not print angry errors
during that.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Containers that share IPC Namespaces share each others
/dev/shm, which means a private /dev/shm needs to be setup
for the infra container.
Added a system test and an e2e test to make sure the
/dev/shm is shared.
Fixes: https://github.com/containers/podman/issues/8181
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
new "image" mount type
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add a new "image" mount type to `--mount`. The source of the mount is
the name or ID of an image. The destination is the path inside the
container. Image mounts further support an optional `rw,readwrite`
parameter which if set to "true" will yield the mount writable inside
the container. Note that no changes are propagated to the image mount
on the host (which in any case is read only).
Mounts are overlay mounts. To support read-only overlay mounts, vendor
a non-release version of Buildah.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \
| | |
| | | |
Move from docker.io
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Followon to #7965 (mirror registry). mirror.gcr.io doesn't
cache all the images we need, and I can't find a way to
add to its cache, so let's just use quay.io for those
images that it can't serve.
Tools used:
skopeo copy --all docker://docker.io/library/alpine:3.10.2 \
docker://quay.io/libpod/alpine:3.10.2
...and also:
docker.io/library/alpine:3.2
docker.io/library/busybox:latest
docker.io/library/busybox:glibc
docker.io/library/busybox:1.30.1
docker.io/library/redis:alpine
docker.io/libpod/alpine-with-bogus-seccomp:label
docker.io/libpod/alpine-with-seccomp:label
docker.io/libpod/alpine_healthcheck:latest
docker.io/libpod/badhealthcheck:latest
Since most of those were new quay.io/libpod images, they required
going in through the quay.io GUI, image, settings, Make Public.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|\ \
| | |
| | | |
NewFromLocal can return multiple images
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If you use additional stores and pull the same image into
writable stores, you can end up with the situation where
you have the same image twice. This causes image exists
to return the wrong error. It should return true in this
situation rather then an error.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
rootless: improve error message if cannot join namespaces
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
if podman failed to join the rootless namespaces, give users a better
errror message and possible solution.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1891220
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \
| |_|/
|/| | |
Support hashed hostnames in the known_hosts file
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Some systems have "HashKnownHosts yes" in their ssh_config
This causes entries in the ssh known_hosts to be hashed (|)
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
|
|\ \ \
| | | |
| | | | |
Add pod, volume, network to inspect package
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
podman inspect only had the capabilities to inspect containers and images. if a user wanted to inspect a pod, volume, or network, they would have to use `podman network inspect`, `podman pod inspect` etc. Docker's cli allowed users to inspect both volumes and networks using regular inspect, so this commit gives the user the functionality
If the inspect type is not specified using --type, the order of inspection is:
containers
images
volumes
networks
pods
meaning if container that has the same name as an image, podman inspect would return the container inspect.
To avoid duplicate code, podman network inspect and podman volume inspect now use the inspect package as well. Podman pod inspect does not because podman pod inspect returns a single json object while podman inspect can return multiple)
Signed-off-by: Ashley Cui <acui@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
Add support for host keys for non-22 ports
|
| | |/ /
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When not using the standard SSH port (22), the port is appended
to the hostname (in brackets) like so: "host" -> "[host]:1234"
Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
(cherry picked from commit 8794e8db1ce3088d633911454d6d36c4e939e126)
|
|\ \ \ \
| |_|/ /
|/| | | |
image list: check for all errors
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
For unknown historical reasons, some errors were ignored when listing
images. I assume that the basic assumption was that if we can properly
list images, we can also successfully compute their sizes which turned
out to be wrong.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Currently if you run an interactive session of podman run and
specifiy the --cidfile option, the cidfile will not get created
until the container finishes running. If you run a detached
container, it will get created right away. This Patch creates
the cidfile as soon as the container is created. This could allow
other tools to use the cidefile on all running containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/ /
| |
| |
| | |
Signed-off-by: Matej Vasek <mvasek@redhat.com>
|
|\ \
| | |
| | | |
fix: /image/{name or id}/json returns RootFS layers
|
| | |
| | |
| | |
| | | |
Signed-off-by: Matej Vasek <mvasek@redhat.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Matej Vasek <mvasek@redhat.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Matej Vasek <mvasek@redhat.com>
|
|\ \ \
| |/ /
|/| | |
APIv2 compatibility network connect|disconnect
|
| | |
| | |
| | |
| | |
| | |
| | | |
Add endpoints for the compat layer for network connect and disconnect. As of now, these two endpoints do nothing to change the network state of a container. They do some basic data verification and return the proper 200 response. This at least allows for scripts to work on the compatibility layer instead of getting 404s.
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \ \
| | | |
| | | | |
container create: record correct image name
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Record the correct image name when creating a container by using the
resolved image name if present. Otherwise, default to using the first
available name or an empty string in which case the image must have been
referenced by ID.
Fixes: #8082
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
Allow save image remove-signatures
|