| Commit message (Collapse) | Author | Age |
|\
| |
| | |
conditionally send stdin on remote run
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
when running a container remotely, we should only be sending stdin when
running with --interactive; otherwise use nil.
Fixes: #4095
Signed-off-by: baude <bbaude@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When a named volume is mounted on any of the tmpfs filesystems
created by read-only tmpfs, it caused a conflict that was not
resolved prior to this.
Fixes BZ1755119
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \
| | |
| | | |
play kube: Only support pod kind in k8s yaml
|
| |/
| |
| |
| |
| |
| | |
Since we only really support playing pods, and no other kubernetes types
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| | |
To 'avoid unknown FS magic on "/run/user/1000/netns/...": 1021994'
make the network namespace bind-mount recursively shared, so the
mount is back-propogated to the host.
Signed-off-by: gabi beyer <gabrielle.n.beyer@intel.com>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
1. create a network namespace
2. pass the netns persistent mount path to the slirp4netns
to create the tap inferface
3. pass the netns path to the OCI spec, so the runtime can
enter the netns
Closes #2897
Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
|
|
|
|
|
|
|
|
|
| |
look if there are bind mounts that can shadow the /etc/passwd and
/etc/group files. In that case, look at the bind mount source.
Closes: https://github.com/containers/libpod/pull/4068#issuecomment-533782941
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We identify and resolve conflicts in paths using destination path
matches. We require exact matches, largely for performance
reasons (we use maps to efficiently access, keyed by
destination). This usually works fine, until you get mounts that
are targetted at /output and /output/ - the same path, but not
the same string.
Use filepath.Clean() aggressively to try and solve this.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
|
|
|
| |
when using the remote client, users may need to specify a non-standard
port for ssh connections. we can do so on the command line and within
the remote-client configuration file.
Fixes: #3987
Signed-off-by: baude <bbaude@redhat.com>
|
|\
| |
| | |
Add 'relabel' to --mount options
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently if a user specifies a --mount option, their is no way to tell SELinux
to relabel the mount point.
This patch addes the relabel=shared and relabel=private options.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
|
|/
|
|
| |
Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
|
|\
| |
| | |
Report errors when trying to pause rootless containers
|
| |
| |
| |
| |
| |
| |
| |
| | |
If you are running a rootless container on cgroupV1
you can not pause the container. We need to report the proper error
if this happens.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| |/
|/| |
Podman-remote run should wait for exit code
|
| |
| |
| |
| |
| |
| |
| |
| | |
This change matches what is happening on the podman local side
and should eliminate a race condition.
Also exit commands on the server side should start to return to client.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
| |
| |
| |
| |
| |
| | |
We have leaked the exit number codess all over the code, this patch
removes the numbers to constants.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/
|
|
|
|
|
|
|
|
| |
when removing a podman network, we need to make sure we delete the
network interface if one was ever created (by running a container).
also, when removing networks, we check if any containers are using the
network. if they are, we error out unless the user provides a 'force'
option which will remove the containers in question.
Signed-off-by: baude <bbaude@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
when running in rootless mode and using systemd as cgroup manager
create automatically a systemd scope when the user doesn't own the
current cgroup.
This solves a couple of issues:
on cgroup v2 it is necessary that a process before it can moved to a
different cgroup tree must be in a directory owned by the unprivileged
user. This is not always true, e.g. when creating a session with su
-l.
Closes: https://github.com/containers/libpod/issues/3937
Also, for running systemd in a container it was before necessary to
specify "systemd-run --scope --user podman ...", now this is done
automatically as part of this PR.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\
| |
| | |
Add `ContainerManager` annotation to created containers
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This change adds the following annotation to every container created by
podman:
```json
"Annotations": {
"io.containers.manager": "libpod"
}
```
Target of this annotaions is to indicate which project in the containers
ecosystem is the major manager of a container when applications share
the same storage paths. This way projects can decide if they want to
manipulate the container or not. For example, since CRI-O and podman are
not using the same container library (libpod), CRI-O can skip podman
containers and provide the end user more useful information.
A corresponding end-to-end test has been adapted as well.
Relates to: https://github.com/cri-o/cri-o/pull/2761
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
|
|\ \
| |/
|/| |
Support running containers without CGroups
|
| |
| |
| |
| |
| |
| |
| | |
This is mostly used with Systemd, which really wants to manage
CGroups itself when managing containers via unit file.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \
| | |
| | | |
Add ability to look up volumes by unambiguous partial name
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This isn't included in Docker, but seems handy enough.
Use the new API for 'volume rm' and 'volume inspect'.
Fixes #3891
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \
| |/
|/| |
podman network create
|
| |
| |
| |
| |
| |
| |
| | |
initial implementation of network create. we only support bridging
networks with this first pass.
Signed-off-by: baude <bbaude@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Do not require 0755 permissons for the ~/.config directory but require
at least 0700 which should be sufficient. The current implementation
internally creates this directory with 0755 if it does not exist, but if the
directory already exists with different perissions the current code returns
an empty string.
Signed-off-by: Christian Felder <c.felder@fz-juelich.de>
|
|/
|
|
|
|
|
|
| |
Pass down the cgroup manager to use to buildah.
Closes: https://github.com/containers/libpod/issues/3938
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\
| |
| | |
Return information about mount_program (fuse-overlayfs)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We want to get podman info to tell us about the version of
the mount program to help us diagnose issues users are having.
Also if in rootless mode and slirp4netns is installed reveal package
info on slirp4netns.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
play kube: fix segfault
|
| |/
| |
| |
| |
| |
| |
| | |
when securityContext wasn't specified in yaml.
add a test as well
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When we fail to remove a container's SHM, that's an error, and we
need to report it as such. This may be part of our lingering
storage woes.
Also, remove MNT_DETACH. It may be another cause of the storage
removal failures.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|/
|
|
|
|
|
|
|
|
|
|
|
| |
When volume options and the local volume driver are specified,
the volume is intended to be mounted using the 'mount' command.
Supported options will be used to volume the volume before the
first container using it starts, and unmount the volume after the
last container using it dies.
This should work for any local filesystem, though at present I've
only tested with tmpfs and btrfs.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\
| |
| | |
Allow suid, exec, dev mount options to cancel nosuid/noexec/nodev
|
| |
| |
| |
| |
| |
| |
| |
| | |
For read-only containers set to create tmpfs filesystems over
/run and other common destinations, we were incorrectly setting
mount options, resulting in duplicate mount options.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If I mount, say, /usr/bin into my container - I expect to be able
to run the executables in that mount. Unconditionally applying
noexec would be a bad idea.
Before my patches to change mount options and allow exec/dev/suid
being set explicitly, we inferred the mount options from where on
the base system the mount originated, and the options it had
there. Implement the same functionality for the new option
handling.
There's a lot of performance left on the table here, but I don't
know that this is ever going to take enough time to make it worth
optimizing.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| | |
We already process the options on all tmpfs filesystems during
final addition of mounts to the spec. We don't need to do it
before that in parseVolumes.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously, we explicitly set noexec/nosuid/nodev on every mount,
with no ability to disable them. The 'mount' command on Linux
will accept their inverses without complaint, though - 'noexec'
is counteracted by 'exec', 'nosuid' by 'suid', etc. Add support
for passing these options at the command line to disable our
explicit forcing of security options.
This also cleans up mount option handling significantly. We are
still parsing options in more than one place, which isn't good,
but option parsing for bind and tmpfs mounts has been unified.
Fixes: #3819
Fixes: #3803
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| | |
make pkg/rootless.GetConfiguredMappings public so that it can be used
from pkg/util.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
detect if the current user namespace doesn't match the configuration
in the /etc/subuid and /etc/subgid files.
If there is a mismatch, raise a warning and suggest the user to
recreate the user namespace with "system migrate", that also restarts
the containers.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
provide an implementation for getDevices that skip unreadable
directories for the current user.
Based on the implementation from runc/libcontainer.
Closes: https://github.com/containers/libpod/issues/3919
Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
| |
| |
| |
| |
| | |
eBPF requires to be root in the init namespace.
Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
when running in rootless mode, --device creates a bind mount from the
host instead of specifying the device in the OCI configuration. This
is required as an unprivileged user cannot use mknod, even when root
in a user namespace.
Closes: https://github.com/containers/libpod/issues/3905
Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
|
|/
|
|
|
|
|
|
|
| |
when using an upper case image name for container commit, we observed
panics due to a channel closing early.
Fixes: #3897
Signed-off-by: baude <bbaude@redhat.com>
|
|
|
|
|
|
|
|
| |
* Improved error message
* Added documentation
* Updated messages to include missing data
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|