summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Remove 'experimental' from API docTomSweeneyRedHat2020-07-25
| | | | | | | | | The v2.0 reference [page](http://docs.podman.io/en/latest/Reference.html) lists the API as experimental. Removed that word and reworked the first paragraph a bit based on verbiage that @mheon put together for the API intro blog. Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* Merge pull request #6742 from ↵OpenShift Merge Robot2020-07-24
|\ | | | | | | | | maybe-sybr/maybe/apiv2/fix-container-create-with-volumes APIv2:fix: Get volumes from `Binds` when creating
| * APIv2:fix: Get volumes from `Binds` when creatingmaybe-sybr2020-07-09
| | | | | | | | | | | | | | | | | | | | | | This change ensures that we pull volume bind specification strings from the correct spot in the POSTed data when creating containers. We should probably canity check that the mapping keys in `Volumes` are a superset of the binds listed in `HostConfig.Binds` but this cheap change removes an annoying behaviour where named volumes or host mount would be silently replaced with newly created anonymous volumes. Signed-off-by: Matt Brindley <58414429+maybe-sybr@users.noreply.github.com>
* | Publish IP from YAML (podman play kube)Ashley Cui2020-07-22
| | | | | | | | | | | | podman play kube didn't set host ip correctly from YAML Signed-off-by: Ashley Cui <acui@redhat.com>
* | Support default profile for apparmorDaniel J Walsh2020-07-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently you can not apply an ApparmorProfile if you specify --privileged. This patch will allow both to be specified simultaniosly. By default Apparmor should be disabled if the user specifies --privileged, but if the user specifies --security apparmor:PROFILE, with --privileged, we should do both. Added e2e run_apparmor_test.go Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7006 from ashley-cui/umaskOpenShift Merge Robot2020-07-22
|\ \ | | | | | | Add --umask flag for create, run
| * | Add --umask flag for create, runAshley Cui2020-07-21
| | | | | | | | | | | | | | | | | | | | | | | | --umask sets the umask inside the container Defaults to 0022 Co-authored-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Ashley Cui <acui@redhat.com>
* | | fix play kube doesn't override dockerfile ENTRYPOINTzhangguanzhang2020-07-22
| | | | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | Merge pull request #7035 from ashley-cui/api_genOpenShift Merge Robot2020-07-21
|\ \ \ | | | | | | | | Fix Generate API swagger title/description
| * | | Fix Generate API title/descriptionAshley Cui2020-07-21
| | | | | | | | | | | | | | | | | | | | | | | | generate kube title and descritopn was same as play kube for apiv2 docs Signed-off-by: Ashley Cui <acui@redhat.com>
* | | | Merge pull request #6902 from vrothberg/events-endpointOpenShift Merge Robot2020-07-21
|\ \ \ \ | |_|/ / |/| | | events endpoint: fix panic and race condition
| * | | events endpoint: backwards compat to old typeValentin Rothberg2020-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The versions Docker that the compat endpoints currently support are using another type for the `filters` parameter than later versions of Docker, which the libpod/events endpoint is also using. To prevent existing deplopyments from breaking while still achieving backward compat, we now support both types for the filters parameter. Tested manually. Fixes: #6899 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * | | events endpoint: fix panic and race conditionValentin Rothberg2020-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix a potential panic in the events endpoint when parsing the filters parameter. Values of the filters map might be empty, so we need to account for that instead of uncondtitionally accessing the first item. Also apply a similar for race conditions as done in commit f4a2d25c0fca: Fix a race that could cause read errors to be masked. Masking such errors is likely to report red herrings since users don't see that reading failed for some reasons but that a given event could not be found. Another race was the handler closing event channel, which could lead to two kinds of panics: double close, send to close channel. The backend takes care of that. However, make sure that the backend stops working in case the context has been cancelled. Fixes: #6899 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Switch references from libpod.conf to containers.confDaniel J Walsh2020-07-20
| | | | | | | | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Add support for overlay volume mounts in podman.Qi Wang2020-07-20
| |/ / |/| | | | | | | | | | | | | | | | | | | | Add support -v for overlay volume mounts in podman. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | fix: system df error when an image has no namePaul Holzinger2020-07-19
|/ / | | | | | | | | | | | | | | | | | | | | | | | | When an image has no name/tag system df will error because it tries to parse an empty name. This commit makes sure we only parse non empty names and set the repository and tag to "<none>" otherwise. Closes #7015 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | abi: set default umask and rlimitsGiuseppe Scrivano2020-07-17
| | | | | | | | | | | | | | | | the code got lost in the migration to podman 2.0, reintroduce it. Closes: https://github.com/containers/podman/issues/6989 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #6965 from giuseppe/followup-pr6324OpenShift Merge Robot2020-07-17
|\ \ | | | | | | allow switching of port-forward approaches in rootless/using slirp4netns
| * | libpod: pass down network optionsGiuseppe Scrivano2020-07-16
| | | | | | | | | | | | | | | | | | do not pass network specific options through the network namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | allow switching of port-forward approaches in rootless/using slirp4netnsaleks-mariusz2020-07-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As of podman 1.8.0, because of commit da7595a, the default approach of providing port-forwarding in rootless mode has switched (and been hard-coded) to rootlessport, for the purpose of providing super performance. The side-effect of this switch is source within the container to the port-forwarded service always appears to originate from 127.0.0.1 (see issue #5138). This commit allows a user to specify if they want to revert to the previous approach of leveraging slirp4netns add_hostfwd() api which, although not as stellar performance, restores usefulness of seeing incoming traffic origin IP addresses. The change should be transparent; when not specified, rootlessport will continue to be used, however if specifying --net slirp4netns:slirplisten the old approach will be used. Note: the above may imply the restored port-forwarding via slirp4netns is not as performant as the new rootlessport approach, however the figures shared in the original commit that introduced rootlessport are as follows: slirp4netns: 8.3 Gbps, RootlessKit: 27.3 Gbps, which are more than sufficient for many use cases where the origin of traffic is more important than limits that cannot be reached due to bottlenecks elsewhere. Signed-off-by: Aleks Mariusz <m.k@alek.cx> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | The compat create endpoint should 404 on no such imageMatthew Heon2020-07-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This matches Docker behavior, and will make the Docker frontend work with `podman system service` (Docker tries to create, then if that fails with 404 sends a request to pull the image). Fixes #6960 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #6903 from ashley-cui/problemlangOpenShift Merge Robot2020-07-15
|\ \ \ | | | | | | | | Fix & add notes regarding problematic language in codebase
| * | | Fix & add notes regarding problematic language in codebaseAshley Cui2020-07-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman is committed to inclusivity, a core value of open source. Historically, there have been technology terms that are problematic and divisive, and should be changed. We are currently taking time to audit our repository in order to eliminate such terminology, and replace it with more inclusive terms. We are starting where we can, with our own code, comments, and documentation. However, such terms may be used in dependencies, and must be used in our repositories at the current moment for compatibility. Podman will change these terms in our repo as soon as new and better terminology is available to us via our dependencies. For more information: https://www.redhat.com/en/blog/making-open-source-more-inclusive-eradicating-problematic-language?sc_cid=701600000011gf0AAA Signed-off-by: Ashley Cui <acui@redhat.com>
* | | | Error on rootless mac and ip addressesBrent Baude2020-07-15
|/ / / | | | | | | | | | | | | | | | | | | | | | When creating a pod or container where a static MAC or IP address is provided, we should return a proper error and exit as 125. Fixes: #6972 Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | Merge pull request #6949 from AkihiroSuda/fix-6948OpenShift Merge Robot2020-07-15
|\ \ \ | | | | | | | | Fix "Error: unrecognized protocol \"TCP\" in port mapping"
| * | | Fix "Error: unrecognized protocol \"TCP\" in port mapping"Akihiro Suda2020-07-15
| |/ / | | | | | | | | | | | | | | | | | | | | | "TCP" in upper characters was not recognized as a valid protocol name. Fix #6948 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* | | Merge pull request #6971 from TristanCacqueray/masterOpenShift Merge Robot2020-07-15
|\ \ \ | |/ / |/| | play-kube: add suport for "IfNotPresent" pull type
| * | play-kube: add suport for "IfNotPresent" pull typeTristan Cacqueray2020-07-14
| | | | | | | | | | | | | | | | | | | | | | | | This change prevents this exception when loading a pod spec using the "IfNotPresent" pull policy: Error: invalid pull type "IfNotPresent" Signed-off-by: Tristan Cacqueray <tdecacqu@redhat.com>
* | | Merge pull request #6957 from rhatdan/sysdevOpenShift Merge Robot2020-07-14
|\ \ \ | | | | | | | | Mask out /sys/dev to prevent information leak from the host
| * | | Mask out /sys/dev to prevent information leak from the hostDaniel J Walsh2020-07-14
| |/ / | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #6939 from rhatdan/entrypointOpenShift Merge Robot2020-07-14
|\ \ \ | | | | | | | | Fix handling of entrypoint
| * | | Fix handling of entrypointDaniel J Walsh2020-07-14
| |/ / | | | | | | | | | | | | | | | | | | If a user specifies an entrypoint of "" then we should not use the images entrypoint. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / / When determining systemd mode, use full commandMatthew Heon2020-07-14
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | We were only using the Command field in specgen when determining whether to enable systemd if systemd=true (the default) was used. This does not include the entrypoint, and does not include any entrypoint/command sourced from the image - so an image could be running systemd and we'd not correctly detect this. Using the full, final command resolves this and matches Podman v1.9.x behavior. Fixes #6920 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #6842 from rhatdan/pids-limitOpenShift Merge Robot2020-07-13
|\ \ | | | | | | Pids-limit should only be set if the user set it
| * | Pids-limit should only be set if the user set itDaniel J Walsh2020-07-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently we are sending over pids-limits from the user even if they never modified the defaults. The pids limit should be set at the server side unless modified by the user. This issue has led to failures on systems that were running with cgroups V1. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #6896 from mheon/fix_remote_createcommandOpenShift Merge Robot2020-07-13
|\ \ \ | | | | | | | | Fix container and pod create commands for remote create
| * | | Fix container and pod create commands for remote createMatthew Heon2020-07-10
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In `podman inspect` output for containers and pods, we include the command that was used to create the container. This is also used by `podman generate systemd --new` to generate unit files. With remote podman, the generated create commands were incorrect since we sourced directly from os.Args on the server side, which was guaranteed to be `podman system service` (or some variant thereof). The solution is to pass the command along in the Specgen or PodSpecgen, where we can source it from the client's os.Args. This will still be VERY iffy for mixed local/remote use (doing a `podman --remote run ...` on a remote client then a `podman generate systemd --new` on the server on the same container will not work, because the `--remote` flag will slip in) but at the very least the output of `podman inspect` will be correct. We can look into properly handling `--remote` (parsing it out would be a little iffy) in a future PR. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #6936 from mheon/matt_cant_countOpenShift Merge Robot2020-07-11
|\ \ \ | | | | | | | | Correctly print STDOUT on non-terminal remote exec
| * | | Correctly print STDOUT on non-terminal remote execMatthew Heon2020-07-10
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I confused STDIN and STDOUT's file descriptors (it's 0 and 1, I thought they were 1 and 0). As such, we were looking at whether we wanted to print STDIN when we looked to print STDOUT. This bool was set when `-i` was set in at the `podman exec` command line, which masked the problem when it was set. Fixes #6890 Fixes #6891 Fixes #6892 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Fix: Correct connection counters for hijacked connectionsKorhonen Sami (Samlink)2020-07-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes connection counters for v2 endpoints Idletracker was moved to a new package to prevent package cycle. Hijacking code still remains in wrong place and should be moved later to isolated package Signed-off-by: Sami Korhonen <skorhone@gmail.com>
* | | Fix: Hijacking v2 endpoints to follow rfc 7230 semanticsKorhonen Sami (Samlink)2020-07-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After this patch v2 hijacking endpoints, exec/start and containers/attach follow rfc 7230 specification. Connection will only be upgraded, if client specifies upgrade headers: For tcp connections: Connection: Upgrade Upgrade: tcp For unix socket connections: Connection: Upgrade Upgrade: sock There are currently no checks if upgrade type actually matches with available protocols. Implementation just protocol that client requested Signed-off-by: Sami Korhonen <skorhone@gmail.com>
* | | Remove hijacked connections from active connections listKorhonen Sami (Samlink)2020-07-09
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | StateHijacked is a terminal state. If hijacked connection is registered as an active connection, connection will never be unregistered. This causes two issues First issue is that active connection counters are off. Second issue is a resource leak caused by connection object that is stored to a map. After this patch hijacked connections are no longer visible in counters. If a counter for hijacked connections is required, podman must track connections returned by Hijacker.Hijack() It might make sense to develop abstraction layer for hijacking - and move all hijacking related code to a separate package. Hijacking code is prone to resource leaks and it should be thoroughly tested. Signed-off-by: Sami Korhonen <skorhone@gmail.com>
* | Merge pull request #6906 from rhatdan/VENDOROpenShift Merge Robot2020-07-09
|\ \ | | | | | | Vendor in new version of Buildah
| * | Vendor in new version of BuildahDaniel J Walsh2020-07-09
| | | | | | | | | | | | | | | | | | This also pulls in latest runc and containers/common Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| * | Remove dependency on github.com/opencontainers/libpod/configsDaniel J Walsh2020-07-09
| |/ | | | | | | | | | | | | | | | | We are using these dependencies just to get the device from path. These dependencies no longer build on Windows, so simply cloning the deviceFromPath function, we can eliminate the need for this vendoring. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #6835 from zhangguanzhang/masterOpenShift Merge Robot2020-07-09
|\ \ | | | | | | fix API: Create container with an invalid configuration
| * | fix API: Create container with an invalid configurationzhangguanzhang2020-07-09
| |/ | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* / log API: add context to allow for cancellingValentin Rothberg2020-07-09
|/ | | | | | | | | Add a `context.Context` to the log APIs to allow for cancelling streaming (e.g., via `podman logs -f`). This fixes issues for the remote API where some go routines of the server will continue writing and produce nothing but heat and waste CPU cycles. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #6829 from rhatdan/keepidOpenShift Merge Robot2020-07-07
|\ | | | | Add username to /etc/passwd inside of container if --userns keep-id
| * Add username to /etc/passwd inside of container if --userns keep-idDaniel J Walsh2020-07-07
| | | | | | | | | | | | | | | | | | | | If I enter a continer with --userns keep-id, my UID will be present inside of the container, but most likely my user will not be defined. This patch will take information about the user and stick it into the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>