| Commit message (Collapse) | Author | Age |
|\
| |
| | |
Set default network driver for APIv2 networks
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Recent changes in networking require that the cni network driver be set.
If the user provides no driver, we set the driver to the
defaultnetworkdriver which currently is "bridge".
Fixes: #8294
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \
| |/
|/| |
migrate play kube to spec gen
|
| |
| |
| |
| |
| |
| |
| |
| | |
we need to migrate play kube away from using the old container creation
method. the new approach is specgen and this aligns play kube with
container creation in the rest of podman.
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \
| | |
| | | |
network aliases for container creation
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
podman can now support adding network aliases when running containers
(--network-alias). It requires an updated dnsname plugin as well as an
updated ocicni to work properly.
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \ \
| |_|/
|/| | |
enable ipv6 networks
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
enable the ipv6 flag in podman network to be able to create
dual-stack networks for containers.
This is required to be compatible with docker, where --ipv6
really means dual stack.
podman, unlike docker, support IPv6 only containers since
07e3f1bba9674c0cb93a0fa260930bfebbf75728.
Signed-off-by: Antonio Ojea <aojea@redhat.com>
|
|\ \ \
| |/ /
|/| | |
Add --log-driver to play kube
|
| | |
| | |
| | |
| | |
| | |
| | | |
addresses #6604
Signed-off-by: Andy Librian <andylibrian@gmail.com>
|
|\ \ \
| |_|/
|/| | |
Update CI tests to run python docker library against API
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Update reference to docker-py to docker to reflect change in library
name
* Update tests to create storage sandbox
* Enable all tests that endpoints support
* Refactor containers/{id}/rename to return 404 not 500
* Refactor tests to use quay.io vs. docker.io
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
|\ \
| | |
| | | |
Stop binding layer from changing line endings
|
| |/
| |
| |
| |
| |
| |
| | |
The binding layer attempted to help the CLI, which just made things
worse.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
|\ \
| |/
|/| |
rootless container creation settings
|
| |
| |
| |
| |
| |
| |
| |
| | |
when running container creation as rootless on the compatibility layer,
we need to make sure settings are not being done for memory and memory
swappiness.
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \
| |/
|/| |
Use /tmp/podman-run-* for backup XDG_RUNTIME_DIR
|
| |
| |
| |
| |
| |
| |
| | |
We need to block systemd from cleaning up this directory
by dropping a /usr/lib/tmpfiles.d/podman.conf file in place.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/
|
|
|
|
|
|
|
| |
Continue progress on use of external containers.
This PR adds the ability to mount, umount and list the
storage containers whether they are in libpod or not.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\
| |
| | |
Change http ConnState actions between new and active
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently it double counts connections because it's incrementing the
total for both the new and active states. Based on the comments, we
should only count new connections for the total count and perform the
timer stop actions when the connection has transitioned to an active
state.
Closes #8208
Signed-off-by: Alex Schultz <aschultz@redhat.com>
|
|\ \
| | |
| | | |
specgen: add support for ambient capabilities
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
if --userns=keep-id is specified and not --user is specified, take the
unprivileged capabilities code path so that ambient capabilities are
honored in the container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
if the username is specified in the USER:GROUP form, make sure we only
check for USER.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
if the kernel supports ambient capabilities (Linux 4.3+), also set
them when running with euid != 0.
This is different that what Moby does, as ambient capabilities are
never set.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
Allow users to mount with unbindable flag
|
| |/
| |
| |
| |
| |
| |
| |
| | |
Allow users to specify unbindable on volume command line
Switch internal mounts to rprivate to help prevent leaks.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/
|
|
| |
Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
|
|\
| |
| | |
specgen, cgroup2: check whether memory swap is enabled
|
| |
| |
| |
| |
| |
| | |
add a similar check to what we do on cgroup v1.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
| |
| |
| |
| |
| | |
refactor function into two separate ones.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
manifest list inspect single image
|
| |/
| |
| |
| |
| |
| | |
If the image name not a manifest list type, enable manifest inspect to return manifest of single image manifest type vnd.docker.distribution.manifest.v2+json.
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
|\ \
| | |
| | | |
Stop excessive wrapping of errors
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Most of the builtin golang functions like os.Stat and
os.Open report errors including the file system object
path. We should not wrap these errors and put the file path
in a second time, causing stuttering of errors when they
get presented to the user.
This patch tries to cleanup a bunch of these errors.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
spec: protect against segfault
|
| |/
| |
| |
| |
| |
| | |
when the user passes in "/dev/null::w"
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
|\ \
| | |
| | | |
specgen: fix error message
|
| |/
| |
| |
| |
| |
| | |
drop spurious comma.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
When container stops, drop sig-proxy errors to infos
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The sig-proxy code is set up to error on failing to forward
signals to a container. This is reasonable in cases where the
container is running, but something strange went wrong - but when
the Kill fails because the container is stopped, we shouldn't
bother with aggressive Error logging since this is an expected
part of the container lifecycle - it stops, and then `podman run`
also stops, but there is a timing window in between where signals
will fail to be proxied, and we should not print angry errors
during that.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Containers that share IPC Namespaces share each others
/dev/shm, which means a private /dev/shm needs to be setup
for the infra container.
Added a system test and an e2e test to make sure the
/dev/shm is shared.
Fixes: https://github.com/containers/podman/issues/8181
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
new "image" mount type
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add a new "image" mount type to `--mount`. The source of the mount is
the name or ID of an image. The destination is the path inside the
container. Image mounts further support an optional `rw,readwrite`
parameter which if set to "true" will yield the mount writable inside
the container. Note that no changes are propagated to the image mount
on the host (which in any case is read only).
Mounts are overlay mounts. To support read-only overlay mounts, vendor
a non-release version of Buildah.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \
| | |
| | | |
Move from docker.io
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Followon to #7965 (mirror registry). mirror.gcr.io doesn't
cache all the images we need, and I can't find a way to
add to its cache, so let's just use quay.io for those
images that it can't serve.
Tools used:
skopeo copy --all docker://docker.io/library/alpine:3.10.2 \
docker://quay.io/libpod/alpine:3.10.2
...and also:
docker.io/library/alpine:3.2
docker.io/library/busybox:latest
docker.io/library/busybox:glibc
docker.io/library/busybox:1.30.1
docker.io/library/redis:alpine
docker.io/libpod/alpine-with-bogus-seccomp:label
docker.io/libpod/alpine-with-seccomp:label
docker.io/libpod/alpine_healthcheck:latest
docker.io/libpod/badhealthcheck:latest
Since most of those were new quay.io/libpod images, they required
going in through the quay.io GUI, image, settings, Make Public.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|\ \
| | |
| | | |
NewFromLocal can return multiple images
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If you use additional stores and pull the same image into
writable stores, you can end up with the situation where
you have the same image twice. This causes image exists
to return the wrong error. It should return true in this
situation rather then an error.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
rootless: improve error message if cannot join namespaces
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
if podman failed to join the rootless namespaces, give users a better
errror message and possible solution.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1891220
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|