summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Merge pull request #7931 from rhatdan/sizeOpenShift Merge Robot2020-10-06
|\ | | | | Support max_size logoptions
| * Support max_size logoptionsDaniel J Walsh2020-10-05
| | | | | | | | | | | | | | | | Docker supports log-opt max_size and so does conmon (ALthough poorly). Adding support for this allows users to at least make sure their containers logs do not become a DOS vector. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7919 from rhatdan/subuidOpenShift Merge Robot2020-10-05
|\ \ | | | | | | Fix handling of CheckRootlessUIDRange
| * | Fix handling of CheckRootlessUIDRangeDaniel J Walsh2020-10-05
| |/ | | | | | | | | | | | | If I have multiple ranges of UIDs specified in the /etc/subuid, this check blows up and incorrectly blocks the use of --user flag. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / Fixes remote attach and exec to signal IdleTrackerJhon Honce2020-10-05
|/ | | | | | | | | | - Fixes issue where remote attach and exec only signaled the IdleTracker on errors. Needs to done anytime after connection has been hijacked - Fixes trying to send multiple http status codes to client - Changes pprof and API server shutdowns to run in parallel - Changes shutdown to run in sync.Once block Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Merge pull request #7909 from zhangguanzhang/remote-ps-ns-brokenOpenShift Merge Robot2020-10-05
|\ | | | | Fix podman-remote ps --ns broken
| * Fix podman-remote ps --ns brokenzhangguanzhang2020-10-04
| | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | Merge pull request #7902 from rhatdan/selinuxOpenShift Merge Robot2020-10-05
|\ \ | |/ |/| Add SELinux support for pods
| * Add SELinux support for podsDaniel J Walsh2020-10-02
| | | | | | | | | | | | | | | | | | | | All containers within a Pod need to run with the same SELinux label, unless overwritten by the user. Also added a bunch of SELinux tests to make sure selinux labels are correct on namespaces. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7899 from zhangguanzhang/service-panic-client-killOpenShift Merge Robot2020-10-03
|\ \ | |/ |/| [podman-remote] Fix closed connection on pull causes service panic
| * fix closed the remote connection on pull causes service paniczhangguanzhang2020-10-03
| | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | Merge pull request #7901 from vrothberg/fix-compat-images-createOpenShift Merge Robot2020-10-02
|\ \ | | | | | | compat: images/create: fix tag parsing
| * | compat: images/create: fix tag parsingValentin Rothberg2020-10-02
| | | | | | | | | | | | | | | | | | | | | | | | The `tag` parameter of the compat `images/create` endpoint can be both, a tag and a digest. Fix parsing of the parameter to detect digests and use the appropriate `@` separator. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #7882 from giuseppe/check-for-gids-before-adding-themOpenShift Merge Robot2020-10-02
|\ \ \ | | | | | | | | libpod: check there are enough gids before adding them
| * | | rootless: use sync.Once for GetAvailableGids()Giuseppe Scrivano2020-10-02
| | | | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | rootless: move GetAvailableGids to the rootless pkgGiuseppe Scrivano2020-10-02
| | | | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #7887 from vrothberg/fix-7872OpenShift Merge Robot2020-10-02
|\ \ \ \ | |_|/ / |/| | | image prune: remove all candidates
| * | | image prune: remove all candidatesValentin Rothberg2020-10-02
| |/ / | | | | | | | | | | | | | | | | | | | | | Make sure to remove images until there's nothing left to prune. A single iteration may not be sufficient. Fixes: #7872 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #7456 from giuseppe/modprobe-fuseOpenShift Merge Robot2020-10-02
|\ \ \ | |_|/ |/| | spec: modprobe fuse with --device .*/fuse
| * | spec: open fuse with --device .*/fuseGiuseppe Scrivano2020-10-02
| |/ | | | | | | | | | | | | | | | | If the container uses the /dev/fuse device, attempt to load the fuse kernel module first so that nested containers can use it. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1872240 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #7867 from vrothberg/fix-7837OpenShift Merge Robot2020-10-02
|\ \ | | | | | | remote: fix name and ID collisions of containers and pods
| * | remote: fix name and ID collisions of containers and podsValentin Rothberg2020-10-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix the look up of containers and pods in the remote client. User input can refer to both, names or IDs of containers and pods, so there is a fair chance of collisions (e.g., "c1" name with a "c1...." ID). Those collisions are well handled (and battle tested) in the local client which is directly using the libpod backend. Hence, the remote client should not attempt to introduce its own logic to prevent bugs and divergence between the local and the remote clients. To prevent collisions such as in #7837, do a container/pod inspect on the user-provided input to find the corresponding ID and eventually do full ID comparisons to avoid potential collisions with names. Note that this has a cost that I am not entirely happy with. Looking at issue #7837, the collisions are happening when removing the two containers. Remote container removal is now very chatty with the server as it first queries for all containers, then iterates over the provided names or IDs and does a remote inspect to figure out the IDs and find a matching container object. However, remote removal could just pass the names and IDs directly to the batch removal endpoint. Querying for all containers could be prevented if the batch removal endpoint would remove all if the slice is empty. In other words, the bug is fixed but there's room for performance improvements. Fixes: #7837 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #7815 from jwhonce/wip/creds_remoteOpenShift Merge Robot2020-10-02
|\ \ \ | | | | | | | | Add X-Registry-Config support
| * | | Add X-Registry-Config supportJhon Honce2020-09-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Refactor auth pkg to support X-Registry-Config * Refactor build endpoint to support X-Registry-Config. Supports: * --creds * --authfile * Added X-Reference-Id Header to http.Request to support log event correlation * Log headers from http.Request Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | | fix compat api privileged and entrypoint codebaude2020-10-01
| |_|/ |/| | | | | | | | | | | | | | | | | | | | when adding /dev to a privileged container using the compatibility API, we need to make sure we dont pass on devices that are simply symlinks. this was already being done by specgen but not on the compat. side. the entrypoint code that was recently rewritten for the compatibility layer was also failing due to the odd inputs that docker is willing to accept in its json, specifically [] vs "". in the case of the latter, this was being made into a []string with a len of one but no content. this would then be used to prefix the command to run in the container and would fail. For example " ls" vs "ls". Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #7735 from QiWang19/manifest-inspectOpenShift Merge Robot2020-10-01
|\ \ \ | | | | | | | | fix allowing inspect manifest of non-local image
| * | | fix allowing inspect manifest of non-local imageQi Wang2020-09-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Add support of `podman manifest inspect` returning manifest list of non-local manifest. Close #https://github.com/containers/podman/issues/7726 Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | | Merge pull request #7864 from rhatdan/volumeOpenShift Merge Robot2020-10-01
|\ \ \ \ | | | | | | | | | | Volume prune should not pass down the force flag
| * | | | Volume prune should not pass down the force flagDaniel J Walsh2020-10-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman volume prune -f Should just tell the prune command to not prompt for confirmation. It should not be passing the prune flag into the API. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | Merge pull request #7851 from zhangguanzhang/fix-apiv2-ctr-workdir-and-envOpenShift Merge Robot2020-10-01
|\ \ \ \ \ | |/ / / / |/| | | | [apiv2] don't ignore the ENV and WorkDir from the image
| * | | | fix: The container created by APIV2 has an incorrect Env and WorkDirzhangguanzhang2020-10-01
| | |/ / | |/| | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | | Merge pull request #7858 from jwhonce/wip/http_proxyOpenShift Merge Robot2020-10-01
|\ \ \ \ | |_|_|/ |/| | | Support --http-proxy for remote builds
| * | | Support --http-proxy for remote buildsJhon Honce2020-09-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Fix misspelled parameter * add http-proxy support for builds http_proxy must be set in the podman.service unit file, for example Environment=http_proxy=<value> Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | | Merge pull request #7823 from vrothberg/fix-6381OpenShift Merge Robot2020-10-01
|\ \ \ \ | |/ / / |/| | | image look up: consult registries.conf
| * | | pkg/registries: add a retiring noteValentin Rothberg2020-09-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The registries package should be retired. It was introduced as an easier to use wrapper around c/image `sysregistries` which has been replaced by `sysregistriesv2` a long while ago. Users should either use the `sysregistriesv2` package directly or, even better, we cache the config in libpod's image runtime to prevent redundant (and ~expensive) parsing of the registries.conf files. For now, just add a note in hope we'll not forgert about it when we find time in the future. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Merge pull request #7798 from QiWang19/run-manifestOpenShift Merge Robot2020-09-30
|\ \ \ \ | |_|_|/ |/| | | Use local image if input image is a manifest list
| * | | Use local image if input image is a manifest listQi Wang2020-09-30
| | |/ | |/| | | | | | | | | | | | | If run&create image returns error: image contains manifest list, not a runnable image, find the local image that has digest matching the digest from the list and use the image from local storage for the command. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | Merge pull request #7820 from giuseppe/fix-capabilities-not-rootOpenShift Merge Robot2020-09-30
|\ \ \ | | | | | | | | capabilities: always set ambient and inheritable
| * | | capabilities: always set ambient and inheritableGiuseppe Scrivano2020-09-30
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | change capabilities handling to reflect what docker does. Bounding: set to caplist Inheritable: set to caplist Effective: if uid != 0 then clear; else set to caplist Permitted: if uid != 0 then clear; else set to caplist Ambient: clear Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #7833 from jwhonce/issues/7826OpenShift Merge Robot2020-09-30
|\ \ \ | |_|/ |/| | Refactor IdleTracker to handle StateIdle transitions
| * | Refactor IdleTracker to handle StateIdle transitionsJhon Honce2020-09-29
| |/ | | | | | | | | | | | | | | | | | | | | * Remove stutter naming for package and types * Stop treating StateIdle the same as StateClosed, rather transitions to StateIdle will keep API timeout window open * Remove redundate code Fixes #7826 Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | Merge pull request #7840 from vrothberg/remote-untagOpenShift Merge Robot2020-09-30
|\ \ | | | | | | fix remote untag
| * | fix remote untagValentin Rothberg2020-09-30
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | Fix the remote client to untag all tags of the specified image. Instead of querying the image on the client side, support the case where both, repo and tag, are empty and remove all tags. Reuse the ABI implementation where possible. In retrospective, the libpod untag endpoint should support a slice of strings to batch remove tags rather than reaching out for each tag individually. Enable the skipped test. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #7831 from rhatdan/envOpenShift Merge Robot2020-09-30
|\ \ | | | | | | We already set container=podman environment variable
| * | We already set container=podman environment variableDaniel J Walsh2020-09-29
| |/ | | | | | | | | | | Only need to set container, no need for containers Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / Fix handling of remove of bogus volumes, networks and PodsDaniel J Walsh2020-09-29
|/ | | | | | | | | | | | In podman containers rm and podman images rm, the commands exit with error code 1 if the object does not exists. This PR implements similar functionality to volumes, networks, and Pods. Similarly if volumes or Networks are in use by other containers, and return exit code 2. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #7783 from ashley-cui/slirpOpenShift Merge Robot2020-09-29
|\ | | | | Add support for slirp network for pods
| * Add support for slirp network for podsAshley Cui2020-09-25
| | | | | | | | | | | | flag --network=slirp4netns[options] for root and rootless pods Signed-off-by: Ashley Cui <acui@redhat.com>
* | Merge pull request #7811 from rhatdan/sysctlsOpenShift Merge Robot2020-09-29
|\ \ | | | | | | Ignore containers.conf sysctl when namespaces set to host
| * | Ignore containers.conf sysctl when namespaces set to hostDaniel J Walsh2020-09-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If user sets namespace to host, then default sysctls need to be ignored that are specific to that namespace. --net=host ignore sysctls that begin with net. --ipc=host ignore fs.mqueue --uts=host ignore kernel.domainname and kernel.hostname Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>