summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Split up create config handling of namespaces and securityPeter Hunt2019-11-07
| | | | | | | | As it stands, createconfig is a huge struct. This works fine when the only caller is when we create a container with a fully created config. However, if we wish to share code for security and namespace configuration, a single large struct becomes unweildy, as well as difficult to configure with the single createConfigToOCISpec function. This PR breaks up namespace and security configuration into their own structs, with the eventual goal of allowing the namespace/security fields to be configured by the pod create cli, and allow the infra container to share this with the pod's containers. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Merge pull request #4466 from giuseppe/notmpcopyupOpenShift Merge Robot2019-11-07
|\ | | | | mount: add new options nocopyup|copyup for tmpfs
| * mount: add new options nocopyup|copyup for tmpfsGiuseppe Scrivano2019-11-07
| | | | | | | | | | | | add a way to disable tmpcopyup for tmpfs. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #4451 from giuseppe/set-macOpenShift Merge Robot2019-11-07
|\ \ | | | | | | podman: add support for specifying MAC
| * | podman: add support for specifying MACJakub Filak2019-11-06
| | | | | | | | | | | | | | | | | | | | | | | | I basically copied and adapted the statements for setting IP. Closes #1136 Signed-off-by: Jakub Filak <jakub.filak@sap.com>
* | | Merge pull request #4447 from rhatdan/runasuserOpenShift Merge Robot2019-11-07
|\ \ \ | | | | | | | | Add support for RunAsUser and RunAsGroup
| * | | Add support for RunAsUser and RunAsGroupDaniel J Walsh2019-11-06
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | Currently podman generate kube does not generate the correct RunAsUser and RunAsGroup options in the yaml file. This patch fixes this. This patch also make `podman play kube` use the RunAdUser and RunAsGroup options if they are specified in the yaml file. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #4441 from rhatdan/detachOpenShift Merge Robot2019-11-07
|\ \ \ | |/ / |/| | Allow users to disable detach keys
| * | Allow users to disable detach keysDaniel J Walsh2019-11-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If user specifies --detach-keys="", this will disable the feature. Adding define.DefaultDetachKeys to help screen to help identify detach keys. Updated man pages with additonal information. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #4459 from giuseppe/fix-renameat-definitionOpenShift Merge Robot2019-11-06
|\ \ \ | |_|/ |/| | rootless: use SYS_renameat2 instead of __NR_renameat2
| * | rootless: provide workaround for missing renameat2Giuseppe Scrivano2019-11-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | on RHEL 7.7 renameat2 is not implemented for s390x, provide a workaround. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1768519 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | rootless: use SYS_renameat2 instead of __NR_renameat2Giuseppe Scrivano2019-11-06
| | | | | | | | | | | | | | | | | | use the correct definition for the syscall number. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #4370 from rhatdan/seccompOpenShift Merge Robot2019-11-05
|\ \ \ | | | | | | | | Set SELinux labels based on the security context in the kube.yaml
| * | | Set SELinux labels based on the security context in the kube.yamlDaniel J Walsh2019-11-05
| | |/ | |/| | | | | | | | | | | | | | | | If the kube.yaml specifieds the SELinux type or Level, we need the container to be launched with the correct label. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / | namespaces: by default create cgroupns on cgroups v2Giuseppe Scrivano2019-11-05
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | change the default on cgroups v2 and create a new cgroup namespace. When a cgroup namespace is used, processes inside the namespace are only able to see cgroup paths relative to the cgroup namespace root and not have full visibility on all the cgroups present on the system. The previous behaviour is maintained on a cgroups v1 host, where a cgroup namespace is not created by default. Closes: https://github.com/containers/libpod/issues/4363 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #4423 from giuseppe/fix-cpu-statsOpenShift Merge Robot2019-11-04
|\ \ | | | | | | stats: report correctly CPU usage
| * | cgroups: read correctly the CPU statsGiuseppe Scrivano2019-11-01
| | | | | | | | | | | | | | | | | | the two values were incorrectly switched. Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* | | runtime: Fix typoRadostin Stoyanov2019-11-02
|/ / | | | | | | Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
* | Merge pull request #4400 from haircommander/exec-hangOpenShift Merge Robot2019-11-01
|\ \ | | | | | | Switch to bufio Reader for exec streams
| * | Switch to bufio Reader for exec streamsPeter Hunt2019-10-31
| |/ | | | | | | | | | | | | | | There were many situations that made exec act funky with input. pipes didn't work as expected, as well as sending input before the shell opened. Thinking about it, it seemed as though the issues were because of how os.Stdin buffers (it doesn't). Dropping this input had some weird consequences. Instead, read from os.Stdin as bufio.Reader, allowing the input to buffer before passing it to the container. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | logs: support --tail 0Giuseppe Scrivano2019-10-31
| | | | | | | | | | | | | | | | | | change the default to -1, so that we can change the semantic of "--tail 0" to not print any existing log line. Closes: https://github.com/containers/libpod/issues/4396 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #4352 from vrothberg/config-packageOpenShift Merge Robot2019-10-31
|\ \ | | | | | | refactor libpod config into libpod/config
| * | add libpod/configValentin Rothberg2019-10-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Refactor the `RuntimeConfig` along with related code from libpod into libpod/config. Note that this is a first step of consolidating code into more coherent packages to make the code more maintainable and less prone to regressions on the long runs. Some libpod definitions were moved to `libpod/define` to resolve circular dependencies. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | container start: fix regression when using nameValentin Rothberg2019-10-31
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | When starting a container by using its name as a reference, we should print the name instead of the ID. We regressed on this behaviour with commit b4124485ae7e which made it into Podman v1.6.2. Kudos to openSUSE testing for catching it. To prevent future regressions, extend the e2e tests to check the printed container name/ID. Reported-by: @sysrich Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #4369 from baude/golandautocodecorrectionsOpenShift Merge Robot2019-10-30
|\ \ | |/ |/| goland autocorrections
| * goland autocorrectionsbaude2019-10-29
| | | | | | | | | | | | | | just ran the autocorrect code corrections from goland and it found a few nits. Signed-off-by: baude <bbaude@redhat.com>
* | seccomp: use github.com/seccomp/containers-golangValentin Rothberg2019-10-30
| | | | | | | | | | | | | | | | Use the github.com/seccomp/containers-golang library instead of the docker package. The docker package has changed and silently broke on F31. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Set default seccomp.json file for podman play kubeDaniel J Walsh2019-10-29
| | | | | | | | | | | | | | Currently podman play kube is not using the system default seccomp.json file. This PR will use the default or override location for podman play. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | API: report multiple digests for imagesNalin Dahyabhai2019-10-29
| | | | | | | | | | | | | | | | Be prepared to report multiple image digests for images which contain multiple manifests but, because they continue to have the same set of layers and the same configuration, are considered to be the same image. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | bump containers/image to v5.0.0, buildah to v1.11.4Nalin Dahyabhai2019-10-29
|/ | | | | | | | | Move to containers/image v5 and containers/buildah to v1.11.4. Replace an equality check with a type assertion when checking for a docker.ErrUnauthorizedForCredentials in `podman login`. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Merge pull request #4360 from rhatdan/spellOpenShift Merge Robot2019-10-29
|\ | | | | Fix spelling mistakes
| * Fix spelling mistakesDaniel J Walsh2019-10-29
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #4187 from baude/dnspluginenableOpenShift Merge Robot2019-10-29
|\ \ | |/ |/| enable dnsplugin for network create
| * enable dnsplugin for network createbaude2019-10-28
| | | | | | | | | | | | | | | | | | | | | | when users create a new network and the dnsname plugin can be found by podman, we will enable container name resolution on the new network. there is an option to opt *out* as well. tests cannot be added until we solve the packaging portion of the dnsname plugin. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #4347 from tylarb/Warn_NoSuchCtrDaniel J Walsh2019-10-28
|\ \ | | | | | | Log warn instead of error for removing nonexistant container
| * | Log warn instead of error for removing nonexistant containerTyler Ramer2019-10-25
| |/ | | | | | | | | | | | | | | | | | | In event of a container removal that is no longer in database, log a warning instead of an error, as there is not any problem continuing execution. Resolves #4314 Signed-off-by: Tyler Ramer <tyaramer@gmail.com>
* | Merge pull request #4291 from baude/networkcreatecheckbridgeDaniel J Walsh2019-10-28
|\ \ | |/ |/| check existing bridge names when creating networks
| * check existing bridge names when creating networksbaude2019-10-17
| | | | | | | | | | | | | | | | when creating a new networking, we should check existing networks for their bridge names and make sure the proposed new name is not part of this. reported by QE. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #4228 from giuseppe/detect-no-systemd-sessionOpenShift Merge Robot2019-10-24
|\ \ | | | | | | rootless: detect no system session with --cgroup-manager=systemd
| * | rootless: detect no system session with --cgroup-manager=systemdGiuseppe Scrivano2019-10-23
| | | | | | | | | | | | | | | | | | | | | if the cgroup manager is set to systemd, detect if dbus is available, otherwise fallback to --cgroup-manager=cgroupfs. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #4329 from mheon/no_noexec_image_volumeOpenShift Merge Robot2019-10-24
|\ \ \ | | | | | | | | Image volumes should not be mounted noexec
| * | | Image volumes should not be mounted noexecMatthew Heon2019-10-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This matches Docker more closely, but retains the more important protections of nosuid/nodev. Fixes #4318 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Add parsing for UID, GID in volume "o" optionMatthew Heon2019-10-22
|/ / / | | | | | | | | | | | | | | | | | | Everything else is a flag to mount, but "uid" and "gid" are not. We need to parse them out of "o" and handle them separately. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #4287 from mheon/anonymous_volumesOpenShift Merge Robot2019-10-22
|\ \ \ | | | | | | | | Add support for anonymous volumes to `podman run -v`
| * | | Add support for anonymous volumes to `podman run -v`Matthew Heon2019-10-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, when `podman run` encountered a volume mount without separate source and destination (e.g. `-v /run`) we would assume that both were the same - a bind mount of `/run` on the host to `/run` in the container. However, this does not match Docker's behavior - in Docker, this makes an anonymous named volume that will be mounted at `/run`. We already have (more limited) support for these anonymous volumes in the form of image volumes. Extend this support to allow it to be used with user-created volumes coming in from the `-v` flag. This change also affects how named volumes created by the container but given names are treated by `podman run --rm` and `podman rm -v`. Previously, they would be removed with the container in these cases, but this did not match Docker's behaviour. Docker only removed anonymous volumes. With this patch we move to that model as well; `podman run -v testvol:/test` will not have `testvol` survive the container being removed by `podman rm -v`. The sum total of these changes let us turn on volume removal in `--rm` by default. Fixes: #4276 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #4284 from mheon/fix_vol_inspectOpenShift Merge Robot2019-10-21
|\ \ \ \ | | | | | | | | | | Show volume options in 'volume inspect'
| * | | | Rewrite backend for remote 'volume inspect'Matthew Heon2019-10-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We need to use the new Inspect() endpoint instead of trying to JSON the actual volume structs. Currently, the output seems completely nonsensical; it seems like we're JSONing the struct for the Varlink connection itself? This should restore sanity and match the format of remote and local inspect on volumes. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | | Merge pull request #4309 from giuseppe/write-storage-overridesOpenShift Merge Robot2019-10-21
|\ \ \ \ \ | |_|_|/ / |/| | | | rootless: write storage overrides to the conf file
| * | | | rootless: write storage overrides to the conf fileGiuseppe Scrivano2019-10-21
| | |_|/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | make sure the user overrides are stored in the configuration file when first created. Closes: https://github.com/containers/libpod/issues/2659 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #4125 from baude/remotestdinOpenShift Merge Robot2019-10-20
|\ \ \ \ | | | | | | | | | | Add ability to redirect bash for run -i