summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Containers should not get inheritable caps by defaultDaniel J Walsh2021-01-07
| | | | | | | | | | | | When I launch a container with --userns=keep-id the rootless processes should have no caps by default even if I launch the container with --privileged. It should only get the caps if I specify by hand the caps I want leaked to the process. Currently we turn off capeff and capamb, but not capinh. This patch treats capinh the same way as capeff and capamb. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8892 from mheon/fix_8886OpenShift Merge Robot2021-01-06
|\ | | | | Ensure that user-specified HOSTNAME is honored
| * Ensure that user-specified HOSTNAME is honoredMatthew Heon2021-01-06
| | | | | | | | | | | | | | | | | | | | | | When adding the HOSTNAME environment variable, only do so if it is not already present in the spec. If it is already present, it was likely added by the user, and we should honor their requested value. Fixes #8886 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #8685 from mheon/ignore_containersconf_sysctls_shared_netOpenShift Merge Robot2021-01-05
|\ \ | | | | | | Ignore containers.conf sysctls when sharing namespaces
| * | Ignore containers.conf sysctls when sharing namespacesMatthew Heon2020-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The existing code prevents containers.conf default sysctls from being added if the container uses a host namespace. This patch expands that to not just host namespaces, but also *shared* namespaces - so we never modify another container's (or a pod's) namespaces without being explicitly directed to do so by the user. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #8889 from vrothberg/run-1138OpenShift Merge Robot2021-01-05
|\ \ \ | | | | | | | | generate systemd: do not set `KillMode`
| * | | generate systemd: do not set `KillMode`Valentin Rothberg2021-01-05
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `KillMode=none` has been deprecated in systemd and is now throwing big warnings when being used. Users have reported the issues upstream (see #8615) and on the mailing list. This deprecation was mainly motivated by an abusive use of third-party vendors causing all kinds of undesired side-effects. For instance, busy mounts that delay reboot. After talking to the systemd team, we came up with the following plan: **Short term**: we can use TimeoutStopSec and remove KillMode=none which will default to cgroup. **Long term**: we want to change the type to sdnotify. The plumbing for Podman is done but we need it for conmon. Once sdnotify is working, we can get rid of the pidfile handling etc. and let Podman handle it. Michal Seklatar came up with a nice idea that Podman increase the time out on demand. That's a much cleaner way than hard-coding the time out in the unit as suggest in the short-term solution. This change is executing the short-term plan and sets a minimum timeout of 60 seconds. User-specified timeouts are added to that. Fixes: #8615 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #8831 from bblenard/issue-8658-system-prune-reclaimed-spaceOpenShift Merge Robot2021-01-05
|\ \ \ | |/ / |/| | Rework pruning to report reclaimed space
| * | Rework pruning to report reclaimed spaceBaron Lenardson2020-12-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change adds code to report the reclaimed space after a prune. Reclaimed space from volumes, images, and containers is recorded during the prune call in a PruneReport struct. These structs are collected into a slice during a system prune and processed afterwards to calculate the total reclaimed space. Closes #8658 Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
* | | libpod API: pull: fix channel raceValentin Rothberg2021-01-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | Fix a race condition in the pull endpoint caused by buffered channels. Using buffered channels can lead to the context's cancel function to be executed prior to the items being read from the channel. Fixes: #8870 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #8863 from mgoltzsche/fix_seccomp_when_privilegedOpenShift Merge Robot2021-01-04
|\ \ \ | | | | | | | | Disable seccomp by default when creating a privileged container.
| * | | fix: disable seccomp by default when privileged.Max Goltzsche2021-01-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When running a privileged container and `SeccompProfilePath` is empty no seccomp profile should be applied. (Previously this was the case only if `SeccompProfilePath` was set to a non-empty default path.) Closes #8849 Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
* | | | Compat api containers/json add support for filtersPaul Holzinger2021-01-01
|/ / / | | | | | | | | | | | | | | | Fixes #8860 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* / / Expose Height/Width fields to decoderJhon Honce2020-12-30
|/ / | | | | | | | | | | Fixes #7102 Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | Consolidate filter logic to pkg subdirectoryBaron Lenardson2020-12-24
| | | | | | | | | | | | | | Per the conversation on pull/8724 I am consolidating filter logic and helper functions under the pkg/domain/filters dir. Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
* | Refactor kube.ToSpecGen parameters to structBenedikt Ziemons2020-12-23
| | | | | | | | | | | | | | Create kube.CtrSpecGenOptions and document parameters. Follow-up on https://github.com/containers/podman/pull/8792#discussion_r546673758 Signed-off-by: Benedikt Ziemons <ben@rs485.network>
* | Merge pull request #8792 from bziemons/patch-host-network-spec-8790OpenShift Merge Robot2020-12-23
|\ \ | | | | | | Set NetNS mode instead of value
| * | Set NetNS mode instead of valueBenedikt Ziemons2020-12-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when HostNetwork is true in the pod spec. Also propagate whether host network namespace should be used for containers. Add test for HostNetwork setting in kubeYaml. The infra configuration should reflect the setting. Signed-off-by: Benedikt Ziemons <ben@rs485.network>
* | | add --cidfile to container killbaude2020-12-23
|/ / | | | | | | | | | | | | | | | | Add the ability to read container ids from one or more files for the kill command. Fixes: #8443 Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #8787 from jsoref/spellingOpenShift Merge Robot2020-12-23
|\ \ | | | | | | Spelling
| * | SpellingJosh Soref2020-12-22
| | | | | | | | | | | | Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* | | Merge pull request #8793 from zhangguanzhang/vol-opOpenShift Merge Robot2020-12-23
|\ \ \ | | | | | | | | Fix missing options in volume's display while setting uid and gid
| * | | Fix missing options in volumes display while setting uid and gidzhangguanzhang2020-12-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ``` $ podman volume create testvol --opt o=uid=1001,gid=1001 $ ./bin/podman volume create testvol2 --opt o=uid=1001,gid=1001 $ podman volume inspect testvol "Options": {}, $ podman volume inspect testvol2 "Options": { "GID": "1001", "UID": "1001", "o": "uid=1001,gid=1001" }, ``` Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | | Merge pull request #8804 from baude/issue8512Daniel J Walsh2020-12-23
|\ \ \ \ | | | | | | | | | | add pod filter for ps
| * | | | add pod filter for psbaude2020-12-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | adds the ability to filter containers based on the filter "pod". the value can be a pod name or its full or partial id. Fixes: #8512 Signed-off-by: baude <bbaude@redhat.com>
* | | | | play kube: fix args/command handlingPeter Hunt2020-12-22
| |_|/ / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when neither yaml.Args nor yaml.Command are specified, we should use the entrypoint and cmd from the image. update the tests to cover this and another case (both args and command are specified). use the registry image instead of redis, as it has both an entrypoint and command specified. update the documentation around this handling to hopefully prevent regressions and confusion. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | | Merge pull request #8724 from bblenard/support-volume-filters-in-system-pruneOpenShift Merge Robot2020-12-22
|\ \ \ \ | | | | | | | | | | Add volume filters to system prune
| * | | | Add volume filters to system pruneBaron Lenardson2020-12-21
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change was missed in pull/8689. Now that volume pruneing supports filters system pruneing can pass its filters down to the volume pruneing. Additionally this change adds tests for the following components * podman system prune subcommand with `--volumes` & `--filter` options * apiv2 api tests for `/system/` and `/libpod/system` endpoints Relates to #8453, #8672 Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
* | | | Merge pull request #8797 from Luap99/fix-mips-buildOpenShift Merge Robot2020-12-22
|\ \ \ \ | |_|/ / |/| | | Fix build for mips architecture
| * | | Fix build for mips architecturePaul Holzinger2020-12-21
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | The signal SIGSTKFLT does not exists on mips architectures. Also RTMIN and RTMAX are different. This code is copied from docker. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* / / podman v3 container bindingsbaude2020-12-21
|/ / | | | | | | | | | | | | convert the golang container bindings to all use options so that changes in the future are more managable. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #8747 from vrothberg/run-950OpenShift Merge Robot2020-12-18
|\ \ | | | | | | remote copy
| * | remote copyValentin Rothberg2020-12-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Implement `podman-remote cp` and break out the logic from the previously added `pkg/copy` into it's basic building blocks and move them up into the `ContainerEngine` interface and `cmd/podman`. The `--pause` and `--extract` flags are now deprecated and turned into nops. Note that this commit is vendoring a non-release version of Buildah to pull in updates to the copier package. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | podman v3 pod bindingsbaude2020-12-17
|/ / | | | | | | | | | | add options to each pod binding for future wiggle room Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #8752 from baude/bindings3volumesOpenShift Merge Robot2020-12-17
|\ \ | | | | | | misc bindings to podman v3
| * | misc bindings to podman v3baude2020-12-17
| | | | | | | | | | | | | | | | | | | | | manifest, system, info, volumes, play, and generate bindings are updated to always have binding options. Signed-off-by: baude <bbaude@redhat.com>
* | | Docker compat API - /images/search returns wrong structure (#7857)Milivoje Legenovic2020-12-17
|/ / | | | | | | Signed-off-by: Milivoje Legenovic <m.legenovic@gmail.com>
* | Merge pull request #8715 from baude/bindings3imagesOpenShift Merge Robot2020-12-16
|\ \ | | | | | | Podman image bindings for 3.0
| * | Podman image bindings for 3.0baude2020-12-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Begin the migration of the image bindings for podman 3.0. this includes the use of options for each binding. build was intentionally not converted as I believe it needs more discussion before migration. specifically, the build options themselves. also noteworthly is that the remove image and remove images bindings were merged into one. the remove images (or batch remove) has one downside in that the errors return no longer adhere to http return codes. this should be discussed and reimplemented in subsequent code. Signed-off-by: baude <bbaude@redhat.com>
* | | Clean up temporary file.Matej Vasek2020-12-15
|/ / | | | | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
* | Merge pull request #8696 from Luap99/podman-events-untilOpenShift Merge Robot2020-12-14
|\ \ | | | | | | podman events allow future time for --until
| * | podman events allow future time for --untilPaul Holzinger2020-12-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The podman events aren't read until the given timestamp if the timestamp is in the future. It just reads all events until now and exits afterwards. This does not make sense and does not match docker. The correct behavior is to read all events until the given time is reached. This fixes a bug where the wrong event log file path was used when running first time with a new storage location. Fixes #8694 This also fixes the events api endpoint which only exited when an error occurred. Otherwise it just hung after reading all events. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #8693 from giuseppe/drop-valid-id-in-userns-checkOpenShift Merge Robot2020-12-14
|\ \ \ | | | | | | | | podman: drop checking valid rootless UID
| * | | podman: drop checking valid rootless UIDGiuseppe Scrivano2020-12-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | do not check whether the specified ID is valid in the user namespace. crun handles this case[1], so the check in Podman prevents to get to the OCI runtime at all. $ podman run --user 10:0 --uidmap 0:0:1 --rm -ti fedora:33 sh -c 'id; cat /proc/self/uid_map' uid=10(10) gid=0(root) groups=0(root),65534(nobody) 10 0 1 [1] https://github.com/containers/crun/pull/556 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #8689 from bblenard/issue-8672-volume-pruneOpenShift Merge Robot2020-12-14
|\ \ \ \ | | | | | | | | | | Add volume prune --filter support
| * | | | Add volume prune --filter supportBaron Lenardson2020-12-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change adds support for the `--filter` / `?filters` arguments on the `podman volume prune` subcommand. * Adds ParseFilterArgumentsIntoFilters helper for consistent Filter string slice handling * Adds `--filter` support to podman volume prune cli * Adds `?filters...` support to podman volume prune api * Updates apiv2 / e2e tests Closes #8672 Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
* | | | | Merge pull request #7718 from QiWang19/sign-multi-archOpenShift Merge Robot2020-12-12
|\ \ \ \ \ | | | | | | | | | | | | Sign multi-arch images
| * | | | | Sign multi-arch imagesQi Wang2020-12-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman image sign handles muti-arch images. --all option to create signature for each manifest from the image manifest list. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | | | | Merge pull request #8676 from jwhonce/issues/7806OpenShift Merge Robot2020-12-11
|\ \ \ \ \ \ | | | | | | | | | | | | | | Refine public key usage when remote
| * | | | | | Refine public key usage when remoteJhon Honce2020-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Move all public key handling into one AuthMethod. Prioritize ssh-agent keys over identity files. * Cache server connection when tunneling, saves one RoundTrip on ssh handshake Signed-off-by: Jhon Honce <jhonce@redhat.com>