path: root/pkg
Commit message (Author, Age)
* Merge pull request #12351 from adrianreber/2021-11-18-restore-runtime-verification (OpenShift Merge Robot, 2021-11-22)
|\
| |     Restore runtime verification
| * Use same runtime to restore a container as during checkpointing (Adrian Reber, 2021-11-19)
| |     There are at least two runtimes that support checkpoint and restore: runc and crun. Although the checkpoints created by these are almost compatible, it is not (yet) possible to restore a checkpoint created with one runtime with the other runtime.
| |     To make checkpoint/restore usage more comfortable this adds code to look into the checkpoint archive during restore and to set the runtime to the one used during checkpointing.
| |     This also adds a check, if the user explicitly sets a runtime during restore, that the runtime is also the same as used during checkpointing. If a different runtime is selected than the one used during checkpointing the restore will fail early.
| |     If runc and crun will create compatible checkpoints in the future the check can be changed to treat crun and runc as compatible checkpoint/restore runtimes.
| |     Signed-off-by: Adrian Reber <areber@redhat.com>
* | Support EXPOSE with port ranges (Colin Bendell, 2021-11-20)
| |     Fixes issue #12293. EXPOSE directive in images should mirror the --expose parameter. Specifically `EXPOSE 20000-20100/tcp` should work the same as `--expose 20000-20100/tcp`
| |     Signed-off-by: Colin Bendell <colin@bendell.ca>
* | filter: use filepath.Match to maintain consistency with other pattern (Aditya Rajan, 2021-11-19)
|/
|     matching in podman
|     Following commit ensures that we maintain consistency with how pattern matching is being carried out everywhere else in podman. Switch from `regexp` to `filepath.Match`
|     For example https://github.com/containers/common/blob/main/libimage/filters.go#L162
|     [NO NEW TESTS NEEDED]
|     Signed-off-by: Aditya Rajan <arajan@redhat.com>
* api/handlers: Add checkpoint/restore FileLocks (Radostin Stoyanov, 2021-11-19)
|     Signed-off-by: Radostin Stoyanov <radostin@redhat.com>
* Merge pull request #12318 from mscherer/2nd_try (OpenShift Merge Robot, 2021-11-19)
|\
| |     Change error message for compatibility with docker
| * Change error message for compatibility with docker (Michael Scherer, 2021-11-16)
| |     Fix #12315
| |     Signed-off-by: Michael Scherer <misc@redhat.com>
* | Merge pull request #11795 from cevich/update_to_f35 (OpenShift Merge Robot, 2021-11-18)
|\ \
| | |     Cirrus: Bump Fedora to release 35
| * | Cirrus: Fix bindings test hang b/c logging config mismatch (Chris Evich, 2021-11-18)
| | |     Massive thanks to @edsantiago for tracking this down.
| | |     Ref: https://github.com/containers/podman/issues/12175
| | |     Signed-off-by: Chris Evich <cevich@redhat.com>
* | | Merge pull request #12354 from Luap99/exit-command (OpenShift Merge Robot, 2021-11-18)
|\ \ \
| | | |     Do not store the exit command in container config
| * | | Do not store the exit command in container config (Paul Holzinger, 2021-11-18)
| |/ /
| | |     There is a problem with creating and storing the exit command when the container was created. It only contains the options the container was created with but NOT the options the container is started with. One example would be a CNI network config. If I start a container once, then change the cni config dir with `--cni-config-dir` and start it a second time it will start successfully. However the exit command still contains the wrong `--cni-config-dir` because it was not updated.
| | |     To fix this we do not want to store the exit command at all. Instead we create it every time the conmon process for the container is started. This guarantees us that the container cleanup process is started with the correct settings.
| | |     [NO NEW TESTS NEEDED]
| | |     Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #12295 from flouthoc/filter-label-pattern (OpenShift Merge Robot, 2021-11-18)
|\ \ \
| | | |     filters: add basic pattern matching for label keys i.e `--filter label=<pattern>`
| * | | filter: add basic pattern matching for label keys (Aditya Rajan, 2021-11-15)
| | | |     Following PR adds basic pattern matching to filter by labels for `keys`.
| | | |     Adds support for use-cases like `--filter label=some.prefix.com/key/*` where end-users want to match a pattern for keys as compared to exact value.
| | | |     Signed-off-by: Aditya Rajan <arajan@redhat.com>
* | | | Merge pull request #12298 from giuseppe/idmapped-bind-mounts (OpenShift Merge Robot, 2021-11-18)
|\ \ \ \
| | | | |     volumes: add new option idmap
| * | | | volumes: add new option idmap (Giuseppe Scrivano, 2021-11-18)
| | | | |     pass down the "idmap" mount option to the OCI runtime.
| | | | |     Needs: https://github.com/containers/crun/pull/780
| | | | |     Closes: https://github.com/containers/podman/issues/12154
| | | | |     [NO NEW TESTS NEEDED] there is no crun version yet that supports the new feature.
| | | | |     Test case (must run as root):
| | | | |     podman run --rm -v foo:/foo alpine touch /foo/bar
| | | | |     podman run --uidmap 0:1:1000 --rm -v foo:/foo:idmap alpine ls -l /foo
| | | | |     total 0
| | | | |     -rw-r--r-- 1 root root 0 Nov 15 14:01 bar
| | | | |     Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | Merge pull request #12314 from Luap99/machine-wait-sshd (OpenShift Merge Robot, 2021-11-18)
|\ \ \ \ \
| | | | | |     podman machine start wait for ssh
| * | | | | podman machine start wait for ssh (Paul Holzinger, 2021-11-16)
| | | | | |     Wait for sshd to be ready before we return from start. This should make podman machine ssh immediately available without any race conditions.
| | | | | |     Fixes #11532
| | | | | |     [NO NEW TESTS NEEDED] I could not reproduce the issue so I am not sure if this fixes it.
| | | | | |     Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | | | | Add --file-locks checkpoint/restore option (Radostin Stoyanov, 2021-11-18)
| |_|_|/ /
|/| | | |
| | | | |     CRIU supports checkpoint/restore of file locks. This feature is required to checkpoint/restore containers running applications such as MySQL.
| | | | |     Signed-off-by: Radostin Stoyanov <radostin@redhat.com>
* | | | | remote checkpoint/restore: more fixes (Valentin Rothberg, 2021-11-18)
| |/ / /
|/| | |
| | | |     * Support `checkpoint --pre-checkpoint`
| | | |     * Support `checkpoint --with-previous`
| | | |     * Disable `restore --import-previous` for the remote client since we had to send two files which in turn would require to tar them up and hence be a breaking change. Podman 4.0 would be the chance and I hope we'll find time before that to remote-restore prettier.
| | | |     Note that I did not run over swagger yet to check whether all parameters are actually documented due to time constraints.
| | | |     Fixes: #12334
| | | |     Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Merge pull request #12330 from etenzy/main (OpenShift Merge Robot, 2021-11-18)
|\ \ \ \
| | | | |     fix: take absolute path for dd on apple silicon
| * | | | fix: take absolute path for dd on apple silicon (etenzy, 2021-11-17)
| | | | |     Fixes #12329
| | | | |     [NO NEW TESTS NEEDED] podman machine
| | | | |     Signed-off-by: Michael Rödel <hello@mroedel.de>
* | | | | Merge pull request #12325 from giuseppe/rootless-use-auto-cleanup (OpenShift Merge Robot, 2021-11-17)
|\ \ \ \ \
| | | | | |     rootless: use auto cleanup functions
| * | | | | rootless: drop strerror(errno) calls (Giuseppe Scrivano, 2021-11-17)
| | | | | |     *printf functions already support printing the errno string with %m
| | | | | |     Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | | | rootless: reuse existing open_namespace function (Giuseppe Scrivano, 2021-11-17)
| | | | | |     there is already a function for opening a namespace path, reuse it.
| | | | | |     Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | | | rootless: use auto cleanup functions (Giuseppe Scrivano, 2021-11-17)
| | | | | |     simplify code using auto cleanup functions
| | | | | |     [NO NEW TESTS NEEDED] it is a refactoring of existing code
| | | | | |     Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | | Merge pull request #12326 from giuseppe/catatonit-rootless (OpenShift Merge Robot, 2021-11-17)
|\ \ \ \ \ \
| |_|/ / / /
|/| | | | |
| | | | | |     rootless: use catatonit to maintain user+mnt namespace
| * | | | | rootless: use catatonit to maintain user+mnt namespace (Giuseppe Scrivano, 2021-11-17)
| |/ / / /
| | | | |     if catatonit is present, use it to keep the rootless user+mnt namespace alive.
| | | | |     [NO NEW TESTS NEEDED] no new features added.
| | | | |     Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | Merge pull request #12281 from vrothberg/fix-12007 (OpenShift Merge Robot, 2021-11-17)
|\ \ \ \ \
| |/ / / /
|/| | | |
| | | | |     fix remote checkpoint/restore
| * | | | fix remote checkpoint/restore (Valentin Rothberg, 2021-11-16)
| | | | |     Nothing was working before, and it's too much to summarize. To make sure we're not regressing in the future again, enable the remote e2e tests.
| | | | |     Fixes: #12007
| | | | |     Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | Merge pull request #12218 from vrothberg/pause-catatonit (OpenShift Merge Robot, 2021-11-16)
|\ \ \ \ \
| |_|_|_|/
|/| | | |
| | | | |     infra container: replace pause with catatonit
| * | | | infra container: replace pause with catatonit (Valentin Rothberg, 2021-11-15)
| | |_|/
| |/| |
| | | |     Podman has been using catatonit for a number of years already. Thanks to @giuseppe, catatonit is now able to run as a pause process which allows us to replace the pause binary entirely.
| | | |     Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Merge pull request #12100 from rhatdan/env (OpenShift Merge Robot, 2021-11-16)
|\ \ \ \
| |_|_|/
|/| | |
| | | |     Add option --unsetenv to remove default environment variables
| * | | Add --unsetenv & --unsetenv-all to remove def environment variables (Daniel J Walsh, 2021-11-15)
| | | |     Podman adds a few environment variables by default, and currently there is no way to get rid of them from your container. This option will allow you to specify which defaults you don't want.
| | | |     --unsetenv-all will remove all default environment variables.
| | | |     Default environment variables can come from podman builtin, containers.conf or from the container image.
| | | |     Fixes: https://github.com/containers/podman/issues/11836
| | | |     Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #12283 from Luap99/machine-ports (OpenShift Merge Robot, 2021-11-16)
|\ \ \ \
| |_|_|/
|/| | |
| | | |     podman machine improve port forwarding
| * | | podman machine improve port forwarding (Paul Holzinger, 2021-11-15)
| | | |     This commit adds port forwarding logic directly into podman. The podman-machine cni plugin is no longer needed.
| | | |     The following new features are supported:
| | | |     - works with cni, netavark and slirp4netns
| | | |     - ports can use the hostIP to bind instead of hard coding 0.0.0.0
| | | |     - gvproxy no longer listens on 0.0.0.0:7777 (requires a new gvproxy version)
| | | |     - support the udp protocol
| | | |     With this we no longer need podman-machine-cni and should remove it from the packaging. There is also a change to make sure we are backwards compatible with old config which include this plugin.
| | | |     Fixes #11528
| | | |     Fixes #11728
| | | |     [NO NEW TESTS NEEDED] We have no podman machine test at the moment. Please test this manually on your system.
| | | |     Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | | Merge pull request #12294 from flouthoc/secret-mount-target (OpenShift Merge Robot, 2021-11-16)
|\ \ \ \
| |_|/ /
|/| | |
| | | |     secret: honor custom `target=` for secrets with `type=mount` for ctr.
| * | | secret: honor custom target for secrets with run (Aditya Rajan, 2021-11-15)
| | |/
| |/|
| | |     Honor custom `target` if specified while running or creating containers with secret `type=mount`.
| | |     Example: `podman run -it --secret token,type=mount,target=TOKEN ubi8/ubi:latest bash`
| | |     Signed-off-by: Aditya Rajan <arajan@redhat.com>
* | | Merge pull request #12300 from WanzenBug/fix-bindings-context (OpenShift Merge Robot, 2021-11-15)
|\ \ \
| | | |     bindings: reuse context for API requests
| * | | bindings: reuse context for API requests (Moritz "WanzenBug" Wanzenböck, 2021-11-15)
| |/ /
| | |     One of the main uses of context.Context is to provide cancellation for go-routines, including API requests. While all user-facing bindings already used a context parameter, it was only used to pass the client information around.
| | |     This commit changes the internal DoRequest wrapper to take an additional context argument, and pass that to the http request. Previously, the context was derived from context.Background(), which made it impossible to cancel once started.
| | |     All the convenience wrappers already supported the context parameter, so the only user facing change is that cancelling those contexts now works as one would expect.
| | |     Signed-off-by: Moritz "WanzenBug" Wanzenböck <moritz@wanzenbug.xyz>
* | | Merge pull request #11076 from boaz0/closes_10275 (OpenShift Merge Robot, 2021-11-15)
|\ \ \
| | | |     Support template unit files in podman generate systemd
| * | | export adding id-specifier code to setContainerNameForTemplate (Boaz Shuster, 2021-11-11)
| | | |     Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
| * | | change from run to create in 250-systemd.bats (Boaz Shuster, 2021-11-09)
| | | |     Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
| * | | add unit test to containers_test (Boaz Shuster, 2021-11-01)
| | | |     Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
| * | | Support template unit files in podman generate systemd (Boaz Shuster, 2021-10-22)
| | | |     Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
* | | | Added optional container restore statistics (Adrian Reber, 2021-11-15)
| | | |     This adds the parameter '--print-stats' to 'podman container restore'.
| | | |     With '--print-stats' Podman will measure how long Podman itself, the OCI runtime and CRIU require to restore a checkpoint and print out this information. CRIU already creates process restore statistics which are just read in addition to the added measurements. In contrast to just printing out the ID of the restored container, Podman will now print out JSON:
| | | |     # podman container restore --latest --print-stats
| | | |     {
| | | |         "podman_restore_duration": 305871,
| | | |         "container_statistics": [
| | | |             {
| | | |                 "Id": "47b02e1d474b5d5fe917825e91ac653efa757c91e5a81a368d771a78f6b5ed20",
| | | |                 "runtime_restore_duration": 140614,
| | | |                 "criu_statistics": {
| | | |                     "forking_time": 5,
| | | |                     "restore_time": 67672,
| | | |                     "pages_restored": 14
| | | |                 }
| | | |             }
| | | |         ]
| | | |     }
| | | |     The output contains 'podman_restore_duration' which contains the number of microseconds Podman required to restore the checkpoint. The output also includes 'runtime_restore_duration' which is the time the runtime needed to restore that specific container. Each container also includes 'criu_statistics' which displays the timing information collected by CRIU.
| | | |     Signed-off-by: Adrian Reber <areber@redhat.com>
* | | | Added optional container checkpointing statistics (Adrian Reber, 2021-11-15)
| |/ /
|/| |
| | |     This adds the parameter '--print-stats' to 'podman container checkpoint'.
| | |     With '--print-stats' Podman will measure how long Podman itself, the OCI runtime and CRIU require to create a checkpoint and print out this information. CRIU already creates checkpointing statistics which are just read in addition to the added measurements. In contrast to just printing out the ID of the checkpointed container, Podman will now print out JSON:
| | |     # podman container checkpoint --latest --print-stats
| | |     {
| | |         "podman_checkpoint_duration": 360749,
| | |         "container_statistics": [
| | |             {
| | |                 "Id": "25244244bf2efbef30fb6857ddea8cb2e5489f07eb6659e20dda117f0c466808",
| | |                 "runtime_checkpoint_duration": 177222,
| | |                 "criu_statistics": {
| | |                     "freezing_time": 100657,
| | |                     "frozen_time": 60700,
| | |                     "memdump_time": 8162,
| | |                     "memwrite_time": 4224,
| | |                     "pages_scanned": 20561,
| | |                     "pages_written": 2129
| | |                 }
| | |             }
| | |         ]
| | |     }
| | |     The output contains 'podman_checkpoint_duration' which contains the number of microseconds Podman required to create the checkpoint. The output also includes 'runtime_checkpoint_duration' which is the time the runtime needed to checkpoint that specific container. Each container also includes 'criu_statistics' which displays the timing information collected by CRIU.
| | |     Signed-off-by: Adrian Reber <areber@redhat.com>
* | | Merge pull request #12272 from hshiina/memory-swappiness (OpenShift Merge Robot, 2021-11-13)
|\ \ \
| | | |     Enable 'podman run --memory-swappiness=0'
| * | | Enable 'podman run --memory-swappiness=0' (Hironori Shiina, 2021-11-12)
| | | |     '--memory-swappiness=0' used to work. This patch fixes the regression issue, which was caused by the change of infra container creation process.
| | | |     Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
* | | | Merge pull request #12270 from rhatdan/auth (OpenShift Merge Robot, 2021-11-13)
|\ \ \ \
| | | | |     --authfile command line argument for image sign command.
| * | | | --authfile command line argument for image sign command. (José Guilherme Vanz, 2021-11-11)
| | |_|/
| |/| |
| | | |     Adds the --authfile command line argument to allow users to use alternative authfile paths when signing images.
| | | |     Replaces: https://github.com/containers/podman/pull/10975
| | | |     Fixes: https://github.com/containers/podman/issues/10866
| | | |     Signed-off-by: José Guilherme Vanz <jvanz@jvanz.com>
| | | |     Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>