Commit message | Author | Age
Set SELinux labels based on the security context in the kube.yaml

If the kube.yaml specifies the SELinux type or level, we need the container
to be launched with the correct label.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

change the default on cgroups v2 and create a new cgroup namespace.
When a cgroup namespace is used, processes inside the namespace are
only able to see cgroup paths relative to the cgroup namespace root
and do not have full visibility of all the cgroups present on the
system.
The previous behaviour is maintained on a cgroups v1 host, where a
cgroup namespace is not created by default.
Closes: https://github.com/containers/libpod/issues/4363
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

stats: report CPU usage correctly

the two values were incorrectly switched.
Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
Switch to bufio Reader for exec streams

There were many situations that made exec act funky with input. Pipes didn't work as expected, as well as sending input before the shell opened.
Thinking about it, it seemed as though the issues were because of how os.Stdin buffers (it doesn't). Dropping this input had some weird consequences.
Instead, read from os.Stdin as a bufio.Reader, allowing the input to buffer before passing it to the container.
Signed-off-by: Peter Hunt <pehunt@redhat.com>

change the default to -1, so that we can change the semantic of
"--tail 0" to not print any existing log line.
Closes: https://github.com/containers/libpod/issues/4396
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
refactor libpod config into libpod/config

Refactor the `RuntimeConfig` along with related code from libpod into
libpod/config. Note that this is a first step of consolidating code
into more coherent packages to make the code more maintainable and less
prone to regressions in the long run.
Some libpod definitions were moved to `libpod/define` to resolve
circular dependencies.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

When starting a container by using its name as a reference, we should
print the name instead of the ID. We regressed on this behaviour
with commit b4124485ae7e which made it into Podman v1.6.2.
Kudos to openSUSE testing for catching it. To prevent future
regressions, extend the e2e tests to check the printed container
name/ID.
Reported-by: @sysrich
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
goland autocorrections

just ran the autocorrect code corrections from goland and it found a few
nits.
Signed-off-by: baude <bbaude@redhat.com>

Use the github.com/seccomp/containers-golang library instead of the
docker package. The docker package has changed and silently broke
on F31.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Currently podman play kube is not using the system default seccomp.json file.
This PR will use the default or override location for podman play.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Be prepared to report multiple image digests for images which contain
multiple manifests but, because they continue to have the same set of
layers and the same configuration, are considered to be the same image.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
|
|/
|
|
|
|
|
|
|
| |
Move to containers/image v5 and containers/buildah to v1.11.4.
Replace an equality check with a type assertion when checking for a
docker.ErrUnauthorizedForCredentials in `podman login`.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Fix spelling mistakes

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

enable dnsplugin for network create

when users create a new network and the dnsname plugin can be found by
podman, we will enable container name resolution on the new network.
there is an option to opt *out* as well.
tests cannot be added until we solve the packaging portion of the
dnsname plugin.
Signed-off-by: baude <bbaude@redhat.com>

Log warn instead of error for removing nonexistent container

In the event of a container removal that is no longer in the database, log a
warning instead of an error, as there is not any problem continuing
execution.
Resolves #4314
Signed-off-by: Tyler Ramer <tyaramer@gmail.com>

check existing bridge names when creating networks

when creating a new network, we should check existing networks for
their bridge names and make sure the proposed new name is not part of
this. reported by QE.
Signed-off-by: baude <bbaude@redhat.com>

rootless: detect no system session with --cgroup-manager=systemd

if the cgroup manager is set to systemd, detect if dbus is available,
otherwise fall back to --cgroup-manager=cgroupfs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Image volumes should not be mounted noexec

This matches Docker more closely, but retains the more important
protections of nosuid/nodev.
Fixes #4318
Signed-off-by: Matthew Heon <matthew.heon@pm.me>

|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | | |
Everything else is a flag to mount, but "uid" and "gid" are not.
We need to parse them out of "o" and handle them separately.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Add support for anonymous volumes to `podman run -v`

Previously, when `podman run` encountered a volume mount without
separate source and destination (e.g. `-v /run`) we would assume
that both were the same - a bind mount of `/run` on the host to
`/run` in the container. However, this does not match Docker's
behavior - in Docker, this makes an anonymous named volume that
will be mounted at `/run`.
We already have (more limited) support for these anonymous
volumes in the form of image volumes. Extend this support to
allow it to be used with user-created volumes coming in from the
`-v` flag.
This change also affects how named volumes created by the
container but given names are treated by `podman run --rm` and
`podman rm -v`. Previously, they would be removed with the
container in these cases, but this did not match Docker's
behaviour. Docker only removed anonymous volumes. With this patch
we move to that model as well; `podman run -v testvol:/test` will
not have `testvol` survive the container being removed by `podman
rm -v`.
The sum total of these changes let us turn on volume removal in
`--rm` by default.
Fixes: #4276
Signed-off-by: Matthew Heon <matthew.heon@pm.me>

Show volume options in 'volume inspect'

We need to use the new Inspect() endpoint instead of trying to
JSON the actual volume structs. Currently, the output seems
completely nonsensical; it seems like we're JSONing the struct
for the Varlink connection itself? This should restore sanity and
match the format of remote and local inspect on volumes.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>

rootless: write storage overrides to the conf file

make sure the user overrides are stored in the configuration file when
first created.
Closes: https://github.com/containers/libpod/issues/2659
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Add ability to redirect bash for run -i

Signed-off-by: baude <bbaude@redhat.com>

do not automatically enable lingering mode.
Closes: https://github.com/containers/libpod/issues/4224
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Attach to container if it was created with --interactive

Check to see if the container's start config includes the interactive
flag when determining to attach or ignore stdin stream.
This is in line with the behavior of the Docker CLI and engine.
Signed-off-by: Tyler Ramer <tyaramer@gmail.com>

rootless: drop dependency on docker

use the definition from "golang.org/x/sys/unix".
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Now the "podman start" command prints the full ID and has the same
behaviour as other commands.
Signed-off-by: Boris Klimenko <2@borisklimenko.ru>
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
Allow giving path to Podman for cleanup command

For non-Podman users of Libpod, we don't want to force the exit
command to use ARGV[0], which probably does not support a cleanup
command.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>

Move OCI runtime implementation behind an interface

For future work, we need multiple implementations of the OCI
runtime, not just a Conmon-wrapped runtime matching the runc CLI.
As part of this, do some refactoring on the interface for exec
(move to a struct, not a massive list of arguments). Also, add
'all' support to Kill and Stop (supported by runc and used a bit
internally for removing containers).
Signed-off-by: Matthew Heon <matthew.heon@pm.me>