summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Merge pull request #4370 from rhatdan/seccompOpenShift Merge Robot2019-11-05
|\ | | | | Set SELinux labels based on the security context in the kube.yaml
| * Set SELinux labels based on the security context in the kube.yamlDaniel J Walsh2019-11-05
| | | | | | | | | | | | | | If the kube.yaml specifieds the SELinux type or Level, we need the container to be launched with the correct label. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | namespaces: by default create cgroupns on cgroups v2Giuseppe Scrivano2019-11-05
|/ | | | | | | | | | | | | | | | change the default on cgroups v2 and create a new cgroup namespace. When a cgroup namespace is used, processes inside the namespace are only able to see cgroup paths relative to the cgroup namespace root and not have full visibility on all the cgroups present on the system. The previous behaviour is maintained on a cgroups v1 host, where a cgroup namespace is not created by default. Closes: https://github.com/containers/libpod/issues/4363 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4423 from giuseppe/fix-cpu-statsOpenShift Merge Robot2019-11-04
|\ | | | | stats: report correctly CPU usage
| * cgroups: read correctly the CPU statsGiuseppe Scrivano2019-11-01
| | | | | | | | | | | | the two values were incorrectly switched. Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* | runtime: Fix typoRadostin Stoyanov2019-11-02
|/ | | | Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
* Merge pull request #4400 from haircommander/exec-hangOpenShift Merge Robot2019-11-01
|\ | | | | Switch to bufio Reader for exec streams
| * Switch to bufio Reader for exec streamsPeter Hunt2019-10-31
| | | | | | | | | | | | | | | | There were many situations that made exec act funky with input. pipes didn't work as expected, as well as sending input before the shell opened. Thinking about it, it seemed as though the issues were because of how os.Stdin buffers (it doesn't). Dropping this input had some weird consequences. Instead, read from os.Stdin as bufio.Reader, allowing the input to buffer before passing it to the container. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | logs: support --tail 0Giuseppe Scrivano2019-10-31
| | | | | | | | | | | | | | | | | | change the default to -1, so that we can change the semantic of "--tail 0" to not print any existing log line. Closes: https://github.com/containers/libpod/issues/4396 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #4352 from vrothberg/config-packageOpenShift Merge Robot2019-10-31
|\ \ | | | | | | refactor libpod config into libpod/config
| * | add libpod/configValentin Rothberg2019-10-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Refactor the `RuntimeConfig` along with related code from libpod into libpod/config. Note that this is a first step of consolidating code into more coherent packages to make the code more maintainable and less prone to regressions on the long runs. Some libpod definitions were moved to `libpod/define` to resolve circular dependencies. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | container start: fix regression when using nameValentin Rothberg2019-10-31
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | When starting a container by using its name as a reference, we should print the name instead of the ID. We regressed on this behaviour with commit b4124485ae7e which made it into Podman v1.6.2. Kudos to openSUSE testing for catching it. To prevent future regressions, extend the e2e tests to check the printed container name/ID. Reported-by: @sysrich Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #4369 from baude/golandautocodecorrectionsOpenShift Merge Robot2019-10-30
|\ \ | |/ |/| goland autocorrections
| * goland autocorrectionsbaude2019-10-29
| | | | | | | | | | | | | | just ran the autocorrect code corrections from goland and it found a few nits. Signed-off-by: baude <bbaude@redhat.com>
* | seccomp: use github.com/seccomp/containers-golangValentin Rothberg2019-10-30
| | | | | | | | | | | | | | | | Use the github.com/seccomp/containers-golang library instead of the docker package. The docker package has changed and silently broke on F31. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Set default seccomp.json file for podman play kubeDaniel J Walsh2019-10-29
| | | | | | | | | | | | | | Currently podman play kube is not using the system default seccomp.json file. This PR will use the default or override location for podman play. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | API: report multiple digests for imagesNalin Dahyabhai2019-10-29
| | | | | | | | | | | | | | | | Be prepared to report multiple image digests for images which contain multiple manifests but, because they continue to have the same set of layers and the same configuration, are considered to be the same image. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | bump containers/image to v5.0.0, buildah to v1.11.4Nalin Dahyabhai2019-10-29
|/ | | | | | | | | Move to containers/image v5 and containers/buildah to v1.11.4. Replace an equality check with a type assertion when checking for a docker.ErrUnauthorizedForCredentials in `podman login`. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Merge pull request #4360 from rhatdan/spellOpenShift Merge Robot2019-10-29
|\ | | | | Fix spelling mistakes
| * Fix spelling mistakesDaniel J Walsh2019-10-29
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #4187 from baude/dnspluginenableOpenShift Merge Robot2019-10-29
|\ \ | |/ |/| enable dnsplugin for network create
| * enable dnsplugin for network createbaude2019-10-28
| | | | | | | | | | | | | | | | | | | | | | when users create a new network and the dnsname plugin can be found by podman, we will enable container name resolution on the new network. there is an option to opt *out* as well. tests cannot be added until we solve the packaging portion of the dnsname plugin. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #4347 from tylarb/Warn_NoSuchCtrDaniel J Walsh2019-10-28
|\ \ | | | | | | Log warn instead of error for removing nonexistant container
| * | Log warn instead of error for removing nonexistant containerTyler Ramer2019-10-25
| |/ | | | | | | | | | | | | | | | | | | In event of a container removal that is no longer in database, log a warning instead of an error, as there is not any problem continuing execution. Resolves #4314 Signed-off-by: Tyler Ramer <tyaramer@gmail.com>
* | Merge pull request #4291 from baude/networkcreatecheckbridgeDaniel J Walsh2019-10-28
|\ \ | |/ |/| check existing bridge names when creating networks
| * check existing bridge names when creating networksbaude2019-10-17
| | | | | | | | | | | | | | | | when creating a new networking, we should check existing networks for their bridge names and make sure the proposed new name is not part of this. reported by QE. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #4228 from giuseppe/detect-no-systemd-sessionOpenShift Merge Robot2019-10-24
|\ \ | | | | | | rootless: detect no system session with --cgroup-manager=systemd
| * | rootless: detect no system session with --cgroup-manager=systemdGiuseppe Scrivano2019-10-23
| | | | | | | | | | | | | | | | | | | | | if the cgroup manager is set to systemd, detect if dbus is available, otherwise fallback to --cgroup-manager=cgroupfs. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #4329 from mheon/no_noexec_image_volumeOpenShift Merge Robot2019-10-24
|\ \ \ | | | | | | | | Image volumes should not be mounted noexec
| * | | Image volumes should not be mounted noexecMatthew Heon2019-10-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This matches Docker more closely, but retains the more important protections of nosuid/nodev. Fixes #4318 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Add parsing for UID, GID in volume "o" optionMatthew Heon2019-10-22
|/ / / | | | | | | | | | | | | | | | | | | Everything else is a flag to mount, but "uid" and "gid" are not. We need to parse them out of "o" and handle them separately. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #4287 from mheon/anonymous_volumesOpenShift Merge Robot2019-10-22
|\ \ \ | | | | | | | | Add support for anonymous volumes to `podman run -v`
| * | | Add support for anonymous volumes to `podman run -v`Matthew Heon2019-10-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, when `podman run` encountered a volume mount without separate source and destination (e.g. `-v /run`) we would assume that both were the same - a bind mount of `/run` on the host to `/run` in the container. However, this does not match Docker's behavior - in Docker, this makes an anonymous named volume that will be mounted at `/run`. We already have (more limited) support for these anonymous volumes in the form of image volumes. Extend this support to allow it to be used with user-created volumes coming in from the `-v` flag. This change also affects how named volumes created by the container but given names are treated by `podman run --rm` and `podman rm -v`. Previously, they would be removed with the container in these cases, but this did not match Docker's behaviour. Docker only removed anonymous volumes. With this patch we move to that model as well; `podman run -v testvol:/test` will not have `testvol` survive the container being removed by `podman rm -v`. The sum total of these changes let us turn on volume removal in `--rm` by default. Fixes: #4276 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #4284 from mheon/fix_vol_inspectOpenShift Merge Robot2019-10-21
|\ \ \ \ | | | | | | | | | | Show volume options in 'volume inspect'
| * | | | Rewrite backend for remote 'volume inspect'Matthew Heon2019-10-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We need to use the new Inspect() endpoint instead of trying to JSON the actual volume structs. Currently, the output seems completely nonsensical; it seems like we're JSONing the struct for the Varlink connection itself? This should restore sanity and match the format of remote and local inspect on volumes. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | | Merge pull request #4309 from giuseppe/write-storage-overridesOpenShift Merge Robot2019-10-21
|\ \ \ \ \ | |_|_|/ / |/| | | | rootless: write storage overrides to the conf file
| * | | | rootless: write storage overrides to the conf fileGiuseppe Scrivano2019-10-21
| | |_|/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | make sure the user overrides are stored in the configuration file when first created. Closes: https://github.com/containers/libpod/issues/2659 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #4125 from baude/remotestdinOpenShift Merge Robot2019-10-20
|\ \ \ \ | | | | | | | | | | Add ability to redirect bash for run -i
| * | | | Add ability to redirect bash for run -ibaude2019-10-15
| | | | | | | | | | | | | | | | | | | | Signed-off-by: baude <bbaude@redhat.com>
* | | | | rootless: do not enable lingering modeGiuseppe Scrivano2019-10-17
| |/ / / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | do not automatically enable lingering mode. Closes: https://github.com/containers/libpod/issues/4224 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #4271 from tylarb/stdin_attachOpenShift Merge Robot2019-10-17
|\ \ \ \ | |_|_|/ |/| | | Attach to container if it was created with --interactive
| * | | Attach stdin to container at start if it was created with --interactiveTyler Ramer2019-10-15
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | Check to see if the container's start config includes the interactive flag when determining to attach or ignore stdin stream. This is in line with behavior of Docker CLI and engine Signed-off-by: Tyler Ramer <tyaramer@gmail.com>
* | | Merge pull request #4279 from giuseppe/rootless-drop-dep-dockerOpenShift Merge Robot2019-10-17
|\ \ \ | |_|/ |/| | rootless: drop dependency on docker
| * | rootless: drop dependency on dockerGiuseppe Scrivano2019-10-16
| |/ | | | | | | | | | | use the definition from "golang.org/x/sys/unix". Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / start: print full container IDbklimenko2019-10-16
|/ | | | | | | Now the "podman start" command prints the full ID and has the same behaviour as other commands. Signed-off-by: Boris Klimenko <2@borisklimenko.ru>
* Fix sample's JSON syntax error in oci-hooks.5.mdKenta Tada2019-10-14
| | | | Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
* Merge pull request #4233 from mheon/fix_ccOpenShift Merge Robot2019-10-12
|\ | | | | Allow giving path to Podman for cleanup command
| * Allow giving path to Podman for cleanup commandMatthew Heon2019-10-11
| | | | | | | | | | | | | | | | For non-Podman users of Libpod, we don't want to force the exit command to use ARGV[0], which probably does not support a cleanup command. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #4220 from mheon/null_runtimeOpenShift Merge Robot2019-10-11
|\ \ | | | | | | Move OCI runtime implementation behind an interface
| * | Move OCI runtime implementation behind an interfaceMatthew Heon2019-10-10
| |/ | | | | | | | | | | | | | | | | | | | | | | For future work, we need multiple implementations of the OCI runtime, not just a Conmon-wrapped runtime matching the runc CLI. As part of this, do some refactoring on the interface for exec (move to a struct, not a massive list of arguments). Also, add 'all' support to Kill and Stop (supported by runc and used a bit internally for removing containers). Signed-off-by: Matthew Heon <matthew.heon@pm.me>