path: root/pkg
Commit message (Author, Age)
* Merge pull request #12414 from flouthoc/api-allow-secrets (OpenShift Merge Robot, 2021-11-30)
    tunnel: allow `remote` and `API` to accept `--secrets`
| * podman-remote: prevent leaking secret into image (Aditya Rajan, 2021-11-30)
    Prevents temp secrets leaking into image by moving it away from context directory to parent builder directory. Builder directory automatically gets cleaned up when we are done with the build.
    Signed-off-by: Aditya Rajan <arajan@redhat.com>
| * podman-remote: copy secret to contextdir is absolute path on host (Aditya Rajan, 2021-11-30)
    Podman remote must treat build secrets as part of context directory. If secret path is absolute path on host copy it to tar file and pass it to remote server.
    Signed-off-by: Aditya Rajan <arajan@redhat.com>
| * api: allow build api to accept secrets (Aditya Rajan, 2021-11-30)
    Following commit makes sure that `build` api can accept external secret and allows currently `NOOP` `podman-remote build -t tag --secret id=mysecret,src=/path/on/remote` to become functional.
    Just like `docker` following api is a hidden field and only exposed to `podman-remote` but could document it if it needs exposed on `swagger`.
    Signed-off-by: Aditya Rajan <arajan@redhat.com>
* | Merge pull request #12449 from vrothberg/fix-12438 (OpenShift Merge Robot, 2021-11-30)
    systemd: replace multi-user with default.target
| * | systemd: replace multi-user with default.target (Valentin Rothberg, 2021-11-30)
    Replace `multi-user.target` with `default.target` across the code base. It seems like the multi-user one is not available for (rootless) users on F35 anymore, which is causing issues in all kinds of ways, for instance, enabling the podman.service or generated systemd units.
    Fixes: #12438
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | compat API: allow enforcing short-names resolution to Docker Hub (Valentin Rothberg, 2021-11-30)
    The Docker-compatible REST API has historically behaved just as the rest of Podman and Buildah (and the atomic Docker in older RHEL/Fedora) where `containers-registries.conf` is centrally controlling which registries a short name may resolve to during pull or local image lookups. Please refer to a blog for more details [1].

    Docker, however, is only resolving short names to docker.io which has been reported (see #12320) to break certain clients who rely on this behavior. In order to support this scenario, `containers.conf(5)` received a new option to control whether Podman's compat API resolves to docker.io only or behaves as before.

    Most endpoints allow for directly normalizing parameters that represent an image. If set in containers.conf, Podman will then normalize the references directly to docker.io. The build endpoint is an outlier since images are also referenced in Dockerfiles. The Buildah API, however, supports specifying a custom `types.SystemContext` in which we can set a field that enforces short-name resolution to docker.io in `c/image/pkg/shortnames`.

    Notice that this is a "hybrid" approach of doing the normalization directly in the compat endpoints *and* in `pkg/shortnames` by passing a system context. Doing such a hybrid approach is necessary since the compat and the libpod endpoints share the same `libimage.Runtime` which makes a global enforcement via the `libimage.Runtime.systemContext` impossible. Having two separate runtimes for the compat and the libpod endpoints seems risky and not generally applicable to all endpoints.

    [1] https://www.redhat.com/sysadmin/container-image-short-names

    Fixes: #12320
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #12408 from rhatdan/stdout (OpenShift Merge Robot, 2021-11-30)
    Only open save output file with WRONLY
| * Only open save output file with WRONLY (Daniel J Walsh, 2021-11-29)
    The previous code fails on a MAC when opening /dev/stdout
    Fixes: https://github.com/containers/podman/issues/12402
    [NO NEW TESTS NEEDED] No easy way to test this.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #12405 from flouthoc/compat-build-error (OpenShift Merge Robot, 2021-11-29)
    compat: Add compatibility with `Docker/Moby` API for scenarios where build fails.
| * compat: Add compatibility with Docker/Moby API for scenarios where build fails (Aditya Rajan, 2021-11-24)
    In order to maintain compatibility with `moby API` we must the field `errorDetail` which is primary error reporting field with stream. Currently podman is using `error` which is already deprecated by moby.
    Check: https://github.com/moby/moby/blob/master/pkg/jsonmessage/jsonmessage.go#L147
    [NO NEW TESTS NEEDED] We can't test this in podman CI since we don't have a docker client.
    Signed-off-by: Aditya Rajan <arajan@redhat.com>
* | e2e tests: enable golint (Ed Santiago, 2021-11-29)
    ...and fix problems found therewith.
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* | fix: error reporting for archive endpoint (Matej Vasek, 2021-11-28)
    Returning 500 when copying to read-only destination.
    Signed-off-by: Matej Vasek <mvasek@redhat.com>
* Merge pull request #12371 from jakub-dzon/env-config-maps (OpenShift Merge Robot, 2021-11-23)
    Support env variables based on ConfigMaps sent in payload
| * Support env variables based on ConfigMaps sent in payload (Jakub Dzon, 2021-11-23)
    Fixes #12363
    Signed-off-by: Jakub Dzon <jdzon@redhat.com>
* | Merge pull request #12328 from serverwentdown/fix-compat-ipaddress (Daniel J Walsh, 2021-11-23)
    compat: Add subnet mask behind IP address to match Docker API
| * compat: Add subnet mask behind IP address to match Docker API (Ambrose Chua, 2021-11-20)
    Signed-off-by: Ambrose Chua <ambrose@hey.com>
* | generate systemd: add --start-timeout flag (Valentin Rothberg, 2021-11-23)
    Add a new flag to set the start timeout for a generated systemd unit. To make naming consistent, add a new --stop-timeout flag as well and let the previous --time map to it.
    Fixes: #11618
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #12352 from Luap99/netavark-err (Daniel J Walsh, 2021-11-22)
    Fix netavark error handling and teardown issue
| * | Fix netavark error handling and teardown issue (Paul Holzinger, 2021-11-22)
    The return error was not returned by podman, instead a different error was created. Also make sure to free assigned ips on an error to not leak them.
    Lastly podman container cleanup uses the default network backend instead of the provided one, we need to add `--network-backend` to the exit command.
    [NO NEW TESTS NEEDED]
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #12301 from umohnani8/table (OpenShift Merge Robot, 2021-11-22)
    Add note about volume with unprivileged container
| * | | Add note about volume with unprivileged container (Urvashi Mohnani, 2021-11-21)
    Add a note to the generated kube yaml if we detect a volume is being mounted. The note lets the user know what needs to be done to avoid permission denied error when trying to access the volume for an unprivileged container.
    Add the same note to the man pages.
    NO NEW TESTS NEEDED
    Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* | | | Merge pull request #12381 from flouthoc/build-layer-docker-compat (OpenShift Merge Robot, 2021-11-22)
    compat: add layer caching compatibility for `non-podman` clients.
| * | | swagger: add layers to build api docs (Aditya Rajan, 2021-11-22)
    Add missing `layer` entry to swagger docs for `/build`.
    Signed-off-by: Aditya Rajan <arajan@redhat.com>
| * | | compat: add layer caching compatibility for non podman clients (Aditya Rajan, 2021-11-22)
    Non-podman clients do not set `layers` while making request. This is supposed to be `true` by default but `non-podman-clients i.e Docker` don't know about this field as a result they end up setting this value to `false`. Causing builds to never use cache for layers.
    Adds compatibility for `docker SDK`.
    [NO NEW TESTS NEEDED]
    Signed-off-by: Aditya Rajan <arajan@redhat.com>
* | | Merge pull request #12372 from Luap99/syslog-netavark (OpenShift Merge Robot, 2021-11-22)
    Make sure netavark output is logged to the syslog
| * | | Make sure netavark output is logged to the syslog (Paul Holzinger, 2021-11-19)
    Create a custom writer which logs the netavark output to logrus. This will log to the syslog when it is enabled.
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | | Merge pull request #12351 from adrianreber/2021-11-18-restore-runtime-verification (OpenShift Merge Robot, 2021-11-22)
    Restore runtime verification
| * | | Use same runtime to restore a container as during checkpointing (Adrian Reber, 2021-11-19)
    There are at least two runtimes that support checkpoint and restore: runc and crun. Although the checkpoints created by these are almost compatible, it is not (yet) possible to restore a checkpoint created with one runtime with the other runtime.

    To make checkpoint/restore usage more comfortable this adds code to look into the checkpoint archive during restore and to set the runtime to the one used during checkpointing.

    This also adds a check, if the user explicitly sets a runtime during restore, that the runtime is also the same as used during checkpointing. If a different runtime is selected than the one used during checkpointing the restore will fail early.

    If runc and crun will create compatible checkpoints in the future the check can be changed to treat crun and runc as compatible checkpoint/restore runtimes.

    Signed-off-by: Adrian Reber <areber@redhat.com>
* | / Support EXPOSE with port ranges (Colin Bendell, 2021-11-20)
    Fixes issue #12293. EXPOSE directive in images should mirror the --expose parameter. Specifically `EXPOSE 20000-20100/tcp` should work the same as `--expose 20000-20100/tcp`
    Signed-off-by: Colin Bendell <colin@bendell.ca>
* | filter: use filepath.Match to maintain consistency with other pattern (Aditya Rajan, 2021-11-19)
    matching in podman

    Following commit ensures that we maintain consistency with how pattern matching is being carried out everywhere else in podman.
    Switch from `regexp` to `filepath.Match`
    For example https://github.com/containers/common/blob/main/libimage/filters.go#L162
    [NO NEW TESTS NEEDED]
    Signed-off-by: Aditya Rajan <arajan@redhat.com>
* api/handlers: Add checkpoint/restore FileLocks (Radostin Stoyanov, 2021-11-19)
    Signed-off-by: Radostin Stoyanov <radostin@redhat.com>
* Merge pull request #12318 from mscherer/2nd_try (OpenShift Merge Robot, 2021-11-19)
    Change error message for compatibility with docker
| * Change error message for compatibility with docker (Michael Scherer, 2021-11-16)
    Fix #12315
    Signed-off-by: Michael Scherer <misc@redhat.com>
* | Merge pull request #11795 from cevich/update_to_f35 (OpenShift Merge Robot, 2021-11-18)
    Cirrus: Bump Fedora to release 35
| * | Cirrus: Fix bindings test hang b/c logging config mismatch (Chris Evich, 2021-11-18)
    Massive thanks to @edsantiago for tracking this down.
    Ref: https://github.com/containers/podman/issues/12175
    Signed-off-by: Chris Evich <cevich@redhat.com>
* | | Merge pull request #12354 from Luap99/exit-command (OpenShift Merge Robot, 2021-11-18)
    Do not store the exit command in container config
| * | | Do not store the exit command in container config (Paul Holzinger, 2021-11-18)
    There is a problem with creating and storing the exit command when the container was created. It only contains the options the container was created with but NOT the options the container is started with. One example would be a CNI network config. If I start a container once, then change the cni config dir with `--cni-config-dir` and start it a second time it will start successfully. However the exit command still contains the wrong `--cni-config-dir` because it was not updated.

    To fix this we do not want to store the exit command at all. Instead we create it every time the conmon process for the container is started. This guarantees us that the container cleanup process is started with the correct settings.

    [NO NEW TESTS NEEDED]
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | Merge pull request #12295 from flouthoc/filter-label-pattern (OpenShift Merge Robot, 2021-11-18)
    filters: add basic pattern matching for label keys i.e `--filter label=<pattern>`
| * | | filter: add basic pattern matching for label keys (Aditya Rajan, 2021-11-15)
    Following PR adds basic pattern matching to filter by labels for `keys`. Adds support for use-cases like `--filter label=some.prefix.com/key/*` where end-users want to match a pattern for keys as compared to exact value.
    Signed-off-by: Aditya Rajan <arajan@redhat.com>
* | | | Merge pull request #12298 from giuseppe/idmapped-bind-mounts (OpenShift Merge Robot, 2021-11-18)
    volumes: add new option idmap
| * | | | volumes: add new option idmap (Giuseppe Scrivano, 2021-11-18)
    pass down the "idmap" mount option to the OCI runtime.

    Needs: https://github.com/containers/crun/pull/780
    Closes: https://github.com/containers/podman/issues/12154

    [NO NEW TESTS NEEDED] there is no crun version yet that supports the new feature.

    Test case (must run as root):

    podman run --rm -v foo:/foo alpine touch /foo/bar
    podman run --uidmap 0:1:1000 --rm -v foo:/foo:idmap alpine ls -l /foo
    total 0
    -rw-r--r-- 1 root root 0 Nov 15 14:01 bar

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | Merge pull request #12314 from Luap99/machine-wait-sshd (OpenShift Merge Robot, 2021-11-18)
    podman machine start wait for ssh
| * | | | | podman machine start wait for ssh (Paul Holzinger, 2021-11-16)
    Wait for sshd to be ready before we return from start. This should make podman machine ssh immediately available without any race conditions.
    Fixes #11532
    [NO NEW TESTS NEEDED] I could not reproduce the issue so I am not sure if this fixes it.
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | | | | Add --file-locks checkpoint/restore option (Radostin Stoyanov, 2021-11-18)
    CRIU supports checkpoint/restore of file locks. This feature is required to checkpoint/restore containers running applications such as MySQL.
    Signed-off-by: Radostin Stoyanov <radostin@redhat.com>
* | | | | remote checkpoint/restore: more fixes (Valentin Rothberg, 2021-11-18)
    * Support `checkpoint --pre-checkpoint`
    * Support `checkpoint --with-previous`
    * Disable `restore --import-previous` for the remote client since we had to send two files which in turn would require to tar them up and hence be a breaking change. Podman 4.0 would be the chance and I hope we'll find time before that to remote-restore prettier.

    Note that I did not run over swagger yet to check whether all parameters are actually documented due to time constraints.

    Fixes: #12334
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Merge pull request #12330 from etenzy/main (OpenShift Merge Robot, 2021-11-18)
    fix: take absolute path for dd on apple silicon
| * | | | fix: take absolute path for dd on apple silicon (etenzy, 2021-11-17)
    Fixes #12329
    [NO NEW TESTS NEEDED] podman machine
    Signed-off-by: Michael Rödel <hello@mroedel.de>
* | | | | Merge pull request #12325 from giuseppe/rootless-use-auto-cleanup (OpenShift Merge Robot, 2021-11-17)
    rootless: use auto cleanup functions
| * | | | | rootless: drop strerror(errno) calls (Giuseppe Scrivano, 2021-11-17)
    *printf functions already support printing the errno string with %m
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>