path: root/pkg
Commit message (author, date)
* Merge pull request #8693 from giuseppe/drop-valid-id-in-userns-check (OpenShift Merge Robot, 2020-12-14)
      podman: drop checking valid rootless UID
| * podman: drop checking valid rootless UID (Giuseppe Scrivano, 2020-12-11)
      do not check whether the specified ID is valid in the user namespace.
      crun handles this case[1], so the check in Podman prevents to get to the OCI runtime at all.

      $ podman run --user 10:0 --uidmap 0:0:1 --rm -ti fedora:33 sh -c 'id; cat /proc/self/uid_map'
      uid=10(10) gid=0(root) groups=0(root),65534(nobody)
      10 0 1

      [1] https://github.com/containers/crun/pull/556

      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #8689 from bblenard/issue-8672-volume-prune (OpenShift Merge Robot, 2020-12-14)
      Add volume prune --filter support
| * | Add volume prune --filter support (Baron Lenardson, 2020-12-12)
      This change adds support for the `--filter` / `?filters` arguments on the `podman volume prune` subcommand.

      * Adds ParseFilterArgumentsIntoFilters helper for consistent Filter string slice handling
      * Adds `--filter` support to podman volume prune cli
      * Adds `?filters...` support to podman volume prune api
      * Updates apiv2 / e2e tests

      Closes #8672

      Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
* | | Merge pull request #7718 from QiWang19/sign-multi-arch (OpenShift Merge Robot, 2020-12-12)
      Sign multi-arch images
| * | | Sign multi-arch images (Qi Wang, 2020-12-11)
      podman image sign handles multi-arch images.
      --all option to create signature for each manifest from the image manifest list.

      Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | | Merge pull request #8676 from jwhonce/issues/7806 (OpenShift Merge Robot, 2020-12-11)
      Refine public key usage when remote
| * | | | Refine public key usage when remote (Jhon Honce, 2020-12-10)
      * Move all public key handling into one AuthMethod. Prioritize ssh-agent keys over identity files.
      * Cache server connection when tunneling, saves one RoundTrip on ssh handshake

      Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | | | Merge pull request #8688 from rhatdan/start (OpenShift Merge Robot, 2020-12-11)
      Handle --rm when starting a container
| * | | | Handle --rm when starting a container (Daniel J Walsh, 2020-12-11)
      podman start should follow the same behaviour as podman run when removing a container.

      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | Merge pull request #8686 from Luap99/logs-stderr (OpenShift Merge Robot, 2020-12-11)
      podman logs honor stderr correctly
| * | | | | podman logs honor stderr correctly (Paul Holzinger, 2020-12-10)
      Make the ContainerLogsOptions support two io.Writers, one for stdout and the other for stderr. The logline already includes the information to which Writer it has to be written.

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | | | | Merge pull request #8690 from zhangguanzhang/apiv2-wrong-ImgName (OpenShift Merge Robot, 2020-12-11)
      Fix Wrong img name used when creating a container from an image which had multi names
| * | | | | | Fix Wrong image tag is used when creating a container from an image with multiple tags (zhangguanzhang, 2020-12-11)
      Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | | | | | Fix some network compat api problems (Paul Holzinger, 2020-12-11)
      Network create could panic when used with a json body like this:
      `{"Name":"net","IPAM":{"Config":[]}}`

      The network scope for list and inspect should not be empty. It can be swarm, global or local. We only support local networks so hardcode this field to local.

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | | | | Merge pull request #8633 from baude/bindings3 (OpenShift Merge Robot, 2020-12-11)
      Bindings refactor
| * | | | | Bindings refactor (baude, 2020-12-10)
      this is step one of refactoring our golang binaries. we will now be using structs to pass optional options. required options will still be arguments to the binding itself. the structs then have a generator to create helper functions which should then be added to the git repo.

      Signed-off-by: baude <bbaude@redhat.com>
* | | | | Merge pull request #8664 from rhatdan/prune (OpenShift Merge Robot, 2020-12-10)
      Add --filter to podman system prune
| * | | | Add --filter to podman system prune (Daniel J Walsh, 2020-12-09)
      Also document the allowable filters in podman system prune, podman image prune and podman container prune.

      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | Fix panic in libpod images exists endpoint (Paul Holzinger, 2020-12-10)
      The libpod images exists endpoint panics when called with a non existing image and therefore returns 500 as status code instead of the expected 404.

      A test is added to ensure it is working.

      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | | Merge pull request #8641 from umohnani8/play (OpenShift Merge Robot, 2020-12-10)
      Do not pull if image domain is localhost
| * | | Do not pull if image domain is localhost (Urvashi Mohnani, 2020-12-07)
      With podman play kube, podman would always attempt to pull if the image has the :latest tag. But this would fail if the image was built locally and given latest as the tag. Images built with podman and buildah have localhost as the domain, so check if the domain is localhost. If that is the case, then don't attempt a pull.

      Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* | | | Merge pull request #8670 from rhatdan/caps (OpenShift Merge Robot, 2020-12-09)
      Properly handle --cap-add all when running with a --user flag
| * | | Properly handle --cap-add all when running with a --user flag (Daniel J Walsh, 2020-12-09)
      Handle the ALL Flag when running with an account as a user.

      Currently we throw an error when the user specifies

      podman run --user bin --cap-add all fedora echo hello

      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #8669 from giuseppe/unmask-also-cover-ro-paths (OpenShift Merge Robot, 2020-12-09)
      security: honor systempaths=unconfined for ro paths
| * | | | security: honor systempaths=unconfined for ro paths (Giuseppe Scrivano, 2020-12-09)
      we must honor systempaths=unconfined also for read-only paths, as Docker does:

      proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0

      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #8653 from rhatdan/buildah (OpenShift Merge Robot, 2020-12-09)
      Honor the --layers flag
| * | | Honor the --layers flag (Daniel J Walsh, 2020-12-09)
      Currently the --layers flag set by the user is ignored, and only the BUILDAH_LAYERS environment variable being set is observed.

      Fixes: https://github.com/containers/podman/issues/8643

      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #8663 from vrothberg/run-950 (OpenShift Merge Robot, 2020-12-09)
      archive endpoint massaging
| * | | | pkg/copy: introduce a Copier (Valentin Rothberg, 2020-12-09)
      Introduce a `Copier` object to separate the copy-rule enforcement from copying. That allows for a better error reporting of the REST API.

      Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * | | | archive: move stat-header handling into copy package (Valentin Rothberg, 2020-12-09)
      Move handling the stat header into `pkg/copy`. All copy-related should ideally be located in this package to increase locality and reduce scattering where possible.

      Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * | | | pkg/copy: add parsing API (Valentin Rothberg, 2020-12-09)
      Add an API for parsing user input into a possibly specified container and path. This allows for sharing the parsing code between the local and the remote client (and bindings) in the future.

      Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Merge pull request #8661 from rhatdan/codespell (OpenShift Merge Robot, 2020-12-09)
      Fix spelling mistakes
| * | | Fix spelling mistakes (Daniel J Walsh, 2020-12-09)
      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #8599 from rhatdan/prune (OpenShift Merge Robot, 2020-12-09)
      Repeat system pruning until there is nothing removed
| * | | Repeat system pruning until there is nothing removed (Daniel J Walsh, 2020-12-09)
      Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / / make podman play use ENVs from image (Christopher J. Ruwe, 2020-12-09)
      fixes #8608.

      Signed-off-by: Christopher J. Ruwe <cjr@cruwe.de>
* | Correct port range logic for port generation (Matthew Heon, 2020-12-08)
      The existing logic (Range > 0) always triggered, because range is guaranteed to be at least 1 (a single port has a range of 1, a two port range (e.g. 80-81) has a range of 2, and so on). As such this could cause ports that had a host port assigned to them by the user to randomly assign one instead.

      Fixes #8650
      Fixes #8651

      Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #8571 from Luap99/podman-network-reload (OpenShift Merge Robot, 2020-12-08)
      Implement pod-network-reload
| * | Implement pod-network-reload (Matthew Heon, 2020-12-07)
      This adds a new command, 'podman network reload', to reload the networks of existing containers, forcing recreation of firewall rules after e.g. `firewall-cmd --reload` wipes them out.

      Under the hood, this works by calling CNI to tear down the existing network, then recreate it using identical settings. We request that CNI preserve the old IP and MAC address in most cases (where the container only had 1 IP/MAC), but there will be some downtime inherent to the teardown/bring-up approach. The architecture of CNI doesn't really make doing this without downtime easy (or maybe even possible...).

      At present, this only works for root Podman, and only locally. I don't think there is much of a point to adding remote support (this is very much a local debugging command), but I think adding rootless support (to kill/recreate slirp4netns) could be valuable.

      Signed-off-by: Matthew Heon <matthew.heon@pm.me>
      Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #8581 from baude/kubegen (OpenShift Merge Robot, 2020-12-07)
      generate kube on multiple containers
| * | generate kube on multiple containers (baude, 2020-12-07)
      add the ability to add multiple containers into a single k8s pod instead of just one.

      also fixed some bugs in the resulting yaml where an empty service description was being added on error causing the k8s validation to fail.

      Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #7357 from QiWang19/rootless-sign (OpenShift Merge Robot, 2020-12-07)
      image sign using per user registries.d
| * | | image sign using per user registries.d (Qi Wang, 2020-12-07)
      Support per user ~/.config/containers/registries.d to allow rootless image sign configurations.

      Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | | Merge pull request #8561 from mheon/fix_gating (OpenShift Merge Robot, 2020-12-07)
      Do not mount sysfs as rootless in more cases
| * | | Do not mount sysfs as rootless in more cases (Matthew Heon, 2020-12-04)
      We can't mount sysfs as rootless unless we manage the network namespace. Problem: slirp4netns is now creating and managing a network namespace separate from the OCI runtime, so we can't mount sysfs in many circumstances. The `crun` OCI runtime will automatically handle this by falling back to a bind mount, but `runc` will not, so we didn't notice until RHEL gating tests ran on the new branch.

      Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | | Merge pull request #8624 from mlegenovic/master (OpenShift Merge Robot, 2020-12-07)
      Docker compat API - containers create ignores the name
| * | | Docker compat API - containers create ignores the name (Milivoje Legenovic, 2020-12-07)
      /containers/create compat endpoint does not set the name correctly (#7857)

      Signed-off-by: Milivoje Legenovic <m.legenovic@gmail.com>
* | | | container create: do not clear image name (Valentin Rothberg, 2020-12-07)
      When creating a container, do not clear the input-image name before looking up image names. Also add a regression test.

      Fixes: #8558

      Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Jira RUN-1106 System handlers updates (Jhon Honce, 2020-12-05)
      * Update tests to reflect system endpoints
      * First implementation of compat /system/df, only fields that are populated by libpod are set

      Signed-off-by: Jhon Honce <jhonce@redhat.com>