summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Return empty runtime directory if we're not rootlessJonathan Dieter2019-12-07
| | | | | | | | | | | | | | | | | | | Currently, we return a runtime directory of the form `/run/user/<uid>`, even when running as root. Depending on configuration, that directory may be deleted when the user logs out, which is quite awkward when the container is started as a systemd service and then someone logs in and out as root. This patch fixes the problem by returning an empty runtime directory if the container is being started by root. The runtime should automatically use the default runtime directory (`/run/crun` when crun is used), which should be accessible to root. Tested in Fedora 31 by running containers under both root and a regular user. State for root containers is stored in `/run/crun`, while state for rootless containers is in `/run/user/<uid>/crun`. Signed-off-by: Jonathan Dieter <jdieter@gmail.com>
* Merge pull request #4563 from mheon/fix_change_parsingOpenShift Merge Robot2019-12-06
|\ | | | | Fix parsing for arrays of values in image changes
| * Add ONBUILD support to --changeMatthew Heon2019-12-05
| | | | | | | | | | | | | | | | | | | | | | Return types had to change a bit for this, but since we can wrap the old v1.ImageConfig, changes are overall not particularly bad. At present, I believe this only works with commit, not import. This matches how things were before we changed to the new parsing so I think this is fine. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Completely rework --change parsingMatthew Heon2019-12-04
| | | | | | | | | | | | | | | | | | | | | | | | The way we were trying to parse was very broken. I originally attempted to use Buildah's Dockerfile parser here, but dealing with it (and convincing it to accept only a limited subset, and only one instruction at a time) was challenging, so I rewrote a subset of Dockerfile parsing. This should handle most common cases well, though there are definitely unhandled edge cases for ENV and LABEL. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Use terminal detach keys sequence specified in the config fileMarco Vedovati2019-12-06
|/ | | | | | Fixes: #4556 Signed-off-by: Marco Vedovati <mv@sba.lat>
* rootless: add fallback for renameat2 at runtimeGiuseppe Scrivano2019-12-04
| | | | | | | | | | | | the renameat2 syscall might be defined in the C library but lacking support in the kernel. In such case, let it fallback to open(O_CREAT)+rename as it does on systems lacking the definition for renameat2. Closes: https://github.com/containers/libpod/issues/4570 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Ignore ErrCtrRemoved when removing a containerDaniel J Walsh2019-12-03
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #4596 from kunalkushwaha/container-pruneOpenShift Merge Robot2019-12-02
|\ | | | | container prune command fixed as per docker prune command
| * filter added to container prune commandKunal Kushwaha2019-11-29
| | | | | | | | | | | | | | filter flag helps to filter the containers based on labels, until(time), name, etc for prune command. Signed-off-by: Kunal Kushwaha <kunal.kushwaha@gmail.com>
* | Add podman system reset commandDaniel J Walsh2019-11-29
|/ | | | | | | This command will destroy all data created via podman. It will remove containers, images, volumes, pods. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #4568 from openSUSE/historyOpenShift Merge Robot2019-11-27
|\ | | | | Add support for image name history
| * Add support for image name historySascha Grunert2019-11-27
| | | | | | | | | | | | | | | | We leverage the containers/storage image history tracking feature to show the previously used image names when running: `podman images --history` Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* | Remove containers when pruning a stopped pod.Qi Wang2019-11-26
|/ | | | | | | This path allows pod prune & pod rm to remove stopped containers in the pod before deleting the pod. PrunePods and RemovePod should be able to remove containers without force removal of stopped pods. Signed-off-by: Qi Wang <qiwan@redhat.com>
* podman {pod,} rm/stop: add --ignore flagValentin Rothberg2019-11-25
| | | | | | | | | | | | Add an --ignore flag to podman rm and stop. When specified, Podman will ignore "no such {container,pod}" errors that occur when a specified container/pod is not present in the store (anymore). The motivation behind adding this flag is to write more robust systemd services using Podman. A user might have manually decided to remove a container/pod which would lead to a failure during the `ExecStop` directive of a systemd service referencing that container/pod. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #4512 from kunalkushwaha/prune-filterOpenShift Merge Robot2019-11-22
|\ | | | | image prune command fixed as per docker image prune.
| * filter added to image pruge command.Kunal Kushwaha2019-11-22
| | | | | | | | | | | | | | | | | | | | filter option accepts two filters. - label - until label supports "label=value" or "label=key=value" format until supports all golang compatible time/duration formats. Signed-off-by: Kunal Kushwaha <kunal.kushwaha@gmail.com>
| * timestamp related functions addedKunal Kushwaha2019-11-14
| | | | | | | | | | | | | | | | timetype package include functions for calculating time input in string as one of golang duration format and calculate as unix timestamp Signed-off-by: Kunal Kushwaha <kunal.kushwaha@gmail.com>
* | Merge pull request #4528 from haircommander/kube-seccompOpenShift Merge Robot2019-11-22
|\ \ | | | | | | Handle seccomp annotations in play kube
| * | play kube: handle seccomp labelsPeter Hunt2019-11-18
| | | | | | | | | | | | | | | | | | | | | Add handling of seccomp annotations to play kube at both container and pod levels. also add a test Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | Merge pull request #4523 from vrothberg/systemd-improvementsOpenShift Merge Robot2019-11-19
|\ \ \ | |/ / |/| | podman rm/stop --cidfile
| * | podman rm/stop --cidfileValentin Rothberg2019-11-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a --cidfile flag to podman rm/stop to pass a container ID via a file. Podman run already provides the functionaly to store the ID in a specified file which we now complete with rm/stop. This allows for a better life-cycle management in systemd services. Note that --cdifile can be specified multiple times to rm/stop. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #4368 from haircommander/pod-annotationsOpenShift Merge Robot2019-11-15
|\ \ \ | |/ / |/| | Add pod annotations to container
| * | Add annotations in play kubePeter Hunt2019-11-08
| |/ | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* / codespell: spelling correctionsDmitry Smirnov2019-11-13
|/ | | | Signed-off-by: Dmitry Smirnov <onlyjob@member.fsf.org>
* Split up create config handling of namespaces and securityPeter Hunt2019-11-07
| | | | | | | | As it stands, createconfig is a huge struct. This works fine when the only caller is when we create a container with a fully created config. However, if we wish to share code for security and namespace configuration, a single large struct becomes unweildy, as well as difficult to configure with the single createConfigToOCISpec function. This PR breaks up namespace and security configuration into their own structs, with the eventual goal of allowing the namespace/security fields to be configured by the pod create cli, and allow the infra container to share this with the pod's containers. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Merge pull request #4466 from giuseppe/notmpcopyupOpenShift Merge Robot2019-11-07
|\ | | | | mount: add new options nocopyup|copyup for tmpfs
| * mount: add new options nocopyup|copyup for tmpfsGiuseppe Scrivano2019-11-07
| | | | | | | | | | | | add a way to disable tmpcopyup for tmpfs. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #4451 from giuseppe/set-macOpenShift Merge Robot2019-11-07
|\ \ | | | | | | podman: add support for specifying MAC
| * | podman: add support for specifying MACJakub Filak2019-11-06
| | | | | | | | | | | | | | | | | | | | | | | | I basically copied and adapted the statements for setting IP. Closes #1136 Signed-off-by: Jakub Filak <jakub.filak@sap.com>
* | | Merge pull request #4447 from rhatdan/runasuserOpenShift Merge Robot2019-11-07
|\ \ \ | | | | | | | | Add support for RunAsUser and RunAsGroup
| * | | Add support for RunAsUser and RunAsGroupDaniel J Walsh2019-11-06
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | Currently podman generate kube does not generate the correct RunAsUser and RunAsGroup options in the yaml file. This patch fixes this. This patch also make `podman play kube` use the RunAdUser and RunAsGroup options if they are specified in the yaml file. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #4441 from rhatdan/detachOpenShift Merge Robot2019-11-07
|\ \ \ | |/ / |/| | Allow users to disable detach keys
| * | Allow users to disable detach keysDaniel J Walsh2019-11-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If user specifies --detach-keys="", this will disable the feature. Adding define.DefaultDetachKeys to help screen to help identify detach keys. Updated man pages with additonal information. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #4459 from giuseppe/fix-renameat-definitionOpenShift Merge Robot2019-11-06
|\ \ \ | |_|/ |/| | rootless: use SYS_renameat2 instead of __NR_renameat2
| * | rootless: provide workaround for missing renameat2Giuseppe Scrivano2019-11-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | on RHEL 7.7 renameat2 is not implemented for s390x, provide a workaround. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1768519 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | rootless: use SYS_renameat2 instead of __NR_renameat2Giuseppe Scrivano2019-11-06
| | | | | | | | | | | | | | | | | | use the correct definition for the syscall number. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #4370 from rhatdan/seccompOpenShift Merge Robot2019-11-05
|\ \ \ | | | | | | | | Set SELinux labels based on the security context in the kube.yaml
| * | | Set SELinux labels based on the security context in the kube.yamlDaniel J Walsh2019-11-05
| | |/ | |/| | | | | | | | | | | | | | | | If the kube.yaml specifieds the SELinux type or Level, we need the container to be launched with the correct label. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / | namespaces: by default create cgroupns on cgroups v2Giuseppe Scrivano2019-11-05
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | change the default on cgroups v2 and create a new cgroup namespace. When a cgroup namespace is used, processes inside the namespace are only able to see cgroup paths relative to the cgroup namespace root and not have full visibility on all the cgroups present on the system. The previous behaviour is maintained on a cgroups v1 host, where a cgroup namespace is not created by default. Closes: https://github.com/containers/libpod/issues/4363 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #4423 from giuseppe/fix-cpu-statsOpenShift Merge Robot2019-11-04
|\ \ | | | | | | stats: report correctly CPU usage
| * | cgroups: read correctly the CPU statsGiuseppe Scrivano2019-11-01
| | | | | | | | | | | | | | | | | | the two values were incorrectly switched. Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* | | runtime: Fix typoRadostin Stoyanov2019-11-02
|/ / | | | | | | Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
* | Merge pull request #4400 from haircommander/exec-hangOpenShift Merge Robot2019-11-01
|\ \ | | | | | | Switch to bufio Reader for exec streams
| * | Switch to bufio Reader for exec streamsPeter Hunt2019-10-31
| |/ | | | | | | | | | | | | | | There were many situations that made exec act funky with input. pipes didn't work as expected, as well as sending input before the shell opened. Thinking about it, it seemed as though the issues were because of how os.Stdin buffers (it doesn't). Dropping this input had some weird consequences. Instead, read from os.Stdin as bufio.Reader, allowing the input to buffer before passing it to the container. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | logs: support --tail 0Giuseppe Scrivano2019-10-31
| | | | | | | | | | | | | | | | | | change the default to -1, so that we can change the semantic of "--tail 0" to not print any existing log line. Closes: https://github.com/containers/libpod/issues/4396 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #4352 from vrothberg/config-packageOpenShift Merge Robot2019-10-31
|\ \ | | | | | | refactor libpod config into libpod/config
| * | add libpod/configValentin Rothberg2019-10-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Refactor the `RuntimeConfig` along with related code from libpod into libpod/config. Note that this is a first step of consolidating code into more coherent packages to make the code more maintainable and less prone to regressions on the long runs. Some libpod definitions were moved to `libpod/define` to resolve circular dependencies. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | container start: fix regression when using nameValentin Rothberg2019-10-31
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | When starting a container by using its name as a reference, we should print the name instead of the ID. We regressed on this behaviour with commit b4124485ae7e which made it into Podman v1.6.2. Kudos to openSUSE testing for catching it. To prevent future regressions, extend the e2e tests to check the printed container name/ID. Reported-by: @sysrich Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #4369 from baude/golandautocodecorrectionsOpenShift Merge Robot2019-10-30
|\ \ | |/ |/| goland autocorrections
| * goland autocorrectionsbaude2019-10-29
| | | | | | | | | | | | | | just ran the autocorrect code corrections from goland and it found a few nits. Signed-off-by: baude <bbaude@redhat.com>