| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
| |
As it stands, createconfig is a huge struct. This works fine when the only caller is when we create a container with a fully created config. However, if we wish to share code for security and namespace configuration, a single large struct becomes unweildy, as well as difficult to configure with the single createConfigToOCISpec function.
This PR breaks up namespace and security configuration into their own structs, with the eventual goal of allowing the namespace/security fields to be configured by the pod create cli, and allow the infra container to share this with the pod's containers.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
|\
| |
| | |
mount: add new options nocopyup|copyup for tmpfs
|
| |
| |
| |
| |
| |
| | |
add a way to disable tmpcopyup for tmpfs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
podman: add support for specifying MAC
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
I basically copied and adapted the statements for setting IP.
Closes #1136
Signed-off-by: Jakub Filak <jakub.filak@sap.com>
|
|\ \ \
| | | |
| | | | |
Add support for RunAsUser and RunAsGroup
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Currently podman generate kube does not generate the correct RunAsUser and RunAsGroup
options in the yaml file. This patch fixes this.
This patch also make `podman play kube` use the RunAdUser and RunAsGroup options if
they are specified in the yaml file.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \
| |/ /
|/| | |
Allow users to disable detach keys
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
If user specifies --detach-keys="", this will disable the feature.
Adding define.DefaultDetachKeys to help screen to help identify detach keys.
Updated man pages with additonal information.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \
| |_|/
|/| | |
rootless: use SYS_renameat2 instead of __NR_renameat2
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
on RHEL 7.7 renameat2 is not implemented for s390x, provide a
workaround.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1768519
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | | |
use the correct definition for the syscall number.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \
| | | |
| | | | |
Set SELinux labels based on the security context in the kube.yaml
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | | |
If the kube.yaml specifieds the SELinux type or Level, we need the container
to be launched with the correct label.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
change the default on cgroups v2 and create a new cgroup namespace.
When a cgroup namespace is used, processes inside the namespace are
only able to see cgroup paths relative to the cgroup namespace root
and not have full visibility on all the cgroups present on the
system.
The previous behaviour is maintained on a cgroups v1 host, where a
cgroup namespace is not created by default.
Closes: https://github.com/containers/libpod/issues/4363
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
stats: report correctly CPU usage
|
| | |
| | |
| | |
| | |
| | |
| | | |
the two values were incorrectly switched.
Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
|
|/ /
| |
| |
| | |
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
|
|\ \
| | |
| | | |
Switch to bufio Reader for exec streams
|
| |/
| |
| |
| |
| |
| |
| |
| | |
There were many situations that made exec act funky with input. pipes didn't work as expected, as well as sending input before the shell opened.
Thinking about it, it seemed as though the issues were because of how os.Stdin buffers (it doesn't). Dropping this input had some weird consequences.
Instead, read from os.Stdin as bufio.Reader, allowing the input to buffer before passing it to the container.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
change the default to -1, so that we can change the semantic of
"--tail 0" to not print any existing log line.
Closes: https://github.com/containers/libpod/issues/4396
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
refactor libpod config into libpod/config
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Refactor the `RuntimeConfig` along with related code from libpod into
libpod/config. Note that this is a first step of consolidating code
into more coherent packages to make the code more maintainable and less
prone to regressions on the long runs.
Some libpod definitions were moved to `libpod/define` to resolve
circular dependencies.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When starting a container by using its name as a reference, we should
print the name instead of the ID. We regressed on this behaviour
with commit b4124485ae7e which made it into Podman v1.6.2.
Kudos to openSUSE testing for catching it. To prevent future
regressions, extend the e2e tests to check the printed container
name/ID.
Reported-by: @sysrich
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \
| |/
|/| |
goland autocorrections
|
| |
| |
| |
| |
| |
| |
| | |
just ran the autocorrect code corrections from goland and it found a few
nits.
Signed-off-by: baude <bbaude@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Use the github.com/seccomp/containers-golang library instead of the
docker package. The docker package has changed and silently broke
on F31.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |
| |
| |
| |
| |
| |
| | |
Currently podman play kube is not using the system default seccomp.json file.
This PR will use the default or override location for podman play.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Be prepared to report multiple image digests for images which contain
multiple manifests but, because they continue to have the same set of
layers and the same configuration, are considered to be the same image.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
|
|/
|
|
|
|
|
|
|
| |
Move to containers/image v5 and containers/buildah to v1.11.4.
Replace an equality check with a type assertion when checking for a
docker.ErrUnauthorizedForCredentials in `podman login`.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
|
|\
| |
| | |
Fix spelling mistakes
|
| |
| |
| |
| | |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| |/
|/| |
enable dnsplugin for network create
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
when users create a new network and the dnsname plugin can be found by
podman, we will enable container name resolution on the new network.
there is an option to opt *out* as well.
tests cannot be added until we solve the packaging portion of the
dnsname plugin.
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \
| | |
| | | |
Log warn instead of error for removing nonexistant container
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In event of a container removal that is no longer in database, log a
warning instead of an error, as there is not any problem continuing
execution.
Resolves #4314
Signed-off-by: Tyler Ramer <tyaramer@gmail.com>
|
|\ \
| |/
|/| |
check existing bridge names when creating networks
|
| |
| |
| |
| |
| |
| |
| |
| | |
when creating a new networking, we should check existing networks for
their bridge names and make sure the proposed new name is not part of
this. reported by QE.
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \
| | |
| | | |
rootless: detect no system session with --cgroup-manager=systemd
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
if the cgroup manager is set to systemd, detect if dbus is available,
otherwise fallback to --cgroup-manager=cgroupfs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \
| | | |
| | | | |
Image volumes should not be mounted noexec
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This matches Docker more closely, but retains the more important
protections of nosuid/nodev.
Fixes #4318
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | | |
Everything else is a flag to mount, but "uid" and "gid" are not.
We need to parse them out of "o" and handle them separately.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \ \
| | | |
| | | | |
Add support for anonymous volumes to `podman run -v`
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Previously, when `podman run` encountered a volume mount without
separate source and destination (e.g. `-v /run`) we would assume
that both were the same - a bind mount of `/run` on the host to
`/run` in the container. However, this does not match Docker's
behavior - in Docker, this makes an anonymous named volume that
will be mounted at `/run`.
We already have (more limited) support for these anonymous
volumes in the form of image volumes. Extend this support to
allow it to be used with user-created volumes coming in from the
`-v` flag.
This change also affects how named volumes created by the
container but given names are treated by `podman run --rm` and
`podman rm -v`. Previously, they would be removed with the
container in these cases, but this did not match Docker's
behaviour. Docker only removed anonymous volumes. With this patch
we move to that model as well; `podman run -v testvol:/test` will
not have `testvol` survive the container being removed by `podman
rm -v`.
The sum total of these changes let us turn on volume removal in
`--rm` by default.
Fixes: #4276
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \ \ \
| | | | |
| | | | | |
Show volume options in 'volume inspect'
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
We need to use the new Inspect() endpoint instead of trying to
JSON the actual volume structs. Currently, the output seems
completely nonsensical; it seems like we're JSONing the struct
for the Varlink connection itself? This should restore sanity and
match the format of remote and local inspect on volumes.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \ \ \ \
| |_|_|/ /
|/| | | | |
rootless: write storage overrides to the conf file
|
| | |_|/
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
make sure the user overrides are stored in the configuration file when
first created.
Closes: https://github.com/containers/libpod/issues/2659
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
Add ability to redirect bash for run -i
|