aboutsummaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* specgen: check that networks are only set with bridgePaul Holzinger2021-12-14
| | | | | | | | | | Because we cannot reqad the networking mode in the frontent because we should always use the server default we have to parse the mac and ip address to the server via a default network. Now when the server reads the default nsmode it has to reject the provided networks when the mode is not set to bridge. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* container restore/import: store networks from dbPaul Holzinger2021-12-14
| | | | | | | | It is important that we store the current networks from the db in the config. Also make sure to properly handle aliases and ignore static ip/mac addresses. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* play kube add support for multiple networksPaul Holzinger2021-12-14
| | | | | | Allow the same --network options for play kube as for podman run/create. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* support advanced network configuration via cliPaul Holzinger2021-12-14
| | | | | | | | | | | | | | | | | | | | | | | | | | Rework the --network parse logic to support multiple networks with specific network configuration settings. --network can now be set multiple times. For bridge network mode the following options have been added: - **alias=name**: Add network-scoped alias for the container. - **ip=IPv4**: Specify a static ipv4 address for this container. - **ip=IPv6**: Specify a static ipv6 address for this container. - **mac=MAC**: Specify a static mac address address for this container. - **interface_name**: Specify a name for the created network interface inside the container. So now you can set --network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99 for the default bridge network as well as for network names. This is better than using --ip because we can set the ip per network without any confusion which network the ip address should be assigned to. The --ip, --mac-address and --network-alias options are still supported but --ip or --mac-address can only be set when only one network is set. This limitation already existed previously. The ability to specify a custom network interface name is new Fixes #11534 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Add new networks format to spegecenPaul Holzinger2021-12-14
| | | | | | | | Add the new networks format to specgen. For api users cni_networks is still supported to make migration easier however the static ip and mac fields are removed. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* fix incorrect swagger doc for network dis/connectPaul Holzinger2021-12-14
| | | | | | | The swagger api docs used the extra Body struct as part of the request which is wrong. We just want the plain type. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* network connect allow ip, ipv6 and mac addressPaul Holzinger2021-12-14
| | | | | | | | | Network connect now supports setting a static ipv4, ipv6 and mac address for the container network. The options are added to the cli and api. Fixes #9883 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* network db: add new strucutre to container createPaul Holzinger2021-12-14
| | | | | | | | | | Make sure we create new containers in the db with the correct structure. Also remove some unneeded code for alias handling. We no longer need this functions. The specgen format has not been changed for now. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* remove unneeded return value from c.Networks()Paul Holzinger2021-12-14
| | | | | | We do not need to return a extra bool. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* compat build: adhere to q/quietValentin Rothberg2021-12-13
| | | | | Fixes: #12566 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* [NO NEW TESTS NEEDED] rootless: declare TEMP_FAILURE_RETRY before usage ↵Marc Nguyen2021-12-10
| | | | | | (Fixes: #12563) Signed-off-by: Nguyen Marc <nguyen_marc@live.fr>
* --hostname should be set when using --pod new:foobarDaniel J Walsh2021-12-09
| | | | | | | | | | | | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2030599 When you create pod, it shares the UTS namespace with Containers. Currently the --hostname is not passed to the pod created when you create a container and pod in the same command. Also fix error message on supported --share flags Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #12545 from vrothberg/fix-12477OpenShift Merge Robot2021-12-09
|\ | | | | generate systemd: support entrypoint JSON strings
| * generate systemd: support entrypoint JSON stringsValentin Rothberg2021-12-08
| | | | | | | | | | | | | | Make sure to preserve the quoting of entrypoint JSON strings. Fixes: #12477 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #12541 from flouthoc/remote_blank_entrypointOpenShift Merge Robot2021-12-08
|\ \ | | | | | | specgen: honor empty args for entrypoint specified as `--entrypoint ""`
| * | specgen: honor empty args for entrypointAditya Rajan2021-12-08
| |/ | | | | | | | | | | | | | | | | | | | | Users should be able to override containers entrypoint using `--entrypoint ""` following works fine for podman but not for podman remote. Specgen ignores empty argument for entrypoint so make specgen honor empty arguments. Signed-off-by: Aditya Rajan <arajan@redhat.com>
* / remove runlabel test for global optsValentin Rothberg2021-12-08
|/ | | | | | | | | GLOBAL_OPTS haven't been supported for at least two major versions of Podman. The runlabel code is extremely fragile and I think it should be rewritten before adding new features. Fixes: #12436 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Update vendor or containers/common moving pkg/cgroups thereDaniel J Walsh2021-12-07
| | | | | | | [NO NEW TESTS NEEDED] This is just moving pkg/cgroups out so existing tests should be fine. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #12466 from ↵OpenShift Merge Robot2021-12-03
|\ | | | | | | | | dispensable/respect_pod_yaml_spec_hostname_when_play Hostname in `spec.hostname` should be passed to infra ctr init opt
| * Hostname in `spec.hostname` should be passed to infra ctr init optwangqiang2021-12-01
| | | | | | | | | | | | Fixes https://github.com/containers/podman/issues/12393 Signed-off-by: Qiang Wang <sunsetmask@gmail.com>
* | Merge pull request #12440 from umohnani8/cmOpenShift Merge Robot2021-12-03
|\ \ | | | | | | Add support for configmap volumes to play kube
| * | Add support for configmap volumes to play kubeUrvashi Mohnani2021-12-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If the k8s yaml has volumes from a configmap, play kube will now create a volume based on the data from the configmap and volume source and set it to the right path in the container accordingly. Add tests for this and update some test for ENV from configmap. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* | | Merge pull request #12484 from machacekondra/restartSecOpenShift Merge Robot2021-12-03
|\ \ \ | | | | | | | | Add restart-sec option to systemd generate command
| * | | Add restart-sec option to systemd generateOndra Machacek2021-12-03
| | | | | | | | | | | | | | | | Signed-off-by: Ondra Machacek <omachace@redhat.com>
* | | | Merge pull request #12486 from giuseppe/use-configured-compression-formatOpenShift Merge Robot2021-12-03
|\ \ \ \ | |/ / / |/| | | cmd, push: use the configured compression format
| * | | cmd, push: use the configured compression formatGiuseppe Scrivano2021-12-02
| | | | | | | | | | | | | | | | | | | | | | | | [NO NEW TESTS NEEDED] I am just changing the default value Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #12483 from vrothberg/fix-12468OpenShift Merge Robot2021-12-02
|\ \ \ \ | | | | | | | | | | compat API: push: report size of manifest
| * | | | compat API: push: report size of manifestDaniel J Walsh2021-12-02
| | |_|/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We don't yet have a local registry running in the APIv2 tests. Tested manually. [NO NEW TESTS NEEDED] Fixes: https://github.com/containers/podman/issues/12468 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Merge pull request #12365 from mtrmac/randomOpenShift Merge Robot2021-12-02
|\ \ \ \ | | | | | | | | | | Don't use a global RNG, and avoid conflicts, when generating NodePorts
| * | | | Allow containerPortsToServicePorts to failMiloslav Trmač2021-11-30
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add an error return to it and affected callers. Should not affect behavior, the function can't currently fail. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | | Merge pull request #12480 from vrothberg/fix-12453OpenShift Merge Robot2021-12-02
|\ \ \ \ | | | | | | | | | | compat: images/json
| * | | | compat: images/jsonValentin Rothberg2021-12-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Do not list manifest lists. Docker doesn't either. Fixes: #12453 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | Merge pull request #12469 from Luap99/ns-teardown-flakeOpenShift Merge Robot2021-12-02
|\ \ \ \ \ | |/ / / / |/| | | | Fix possible rootless netns cleanup race
| * | | | Fix possible rootless netns cleanup racePaul Holzinger2021-12-01
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | rootlessNetNS.Cleanup() has an issue with how it detects if cleanup is needed, reading the container state is not good ebough because containers are first stopped and than cleanup will be called. So at one time two containers could wait for cleanup but the second one will fail because the first one triggered already the cleanup thus making rootless netns unavailable for the second container resulting in an teardown error. Instead of checking the container state we need to check the netns state. Secondly, podman unshare --rootless-netns should not do the cleanup. This causes more issues than it is worth fixing. Users also might want to use this to setup the namespace in a special way. If unshare also cleans this up right away we cannot do this. [NO NEW TESTS NEEDED] Fixes #12459 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | | Merge pull request #12425 from tnk4on/remote-build-eval-containerfileOpenShift Merge Robot2021-12-02
|\ \ \ \ | |_|/ / |/| | | Fixed the containerfile not found during remote build
| * | | Fixed the containerfile not found during remote build.Shion Tanaka2021-11-30
| | |/ | |/| | | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Shion Tanaka <shtanaka@redhat.com>
* | | Merge pull request #12307 from hshiina/device-weightOpenShift Merge Robot2021-12-01
|\ \ \ | | | | | | | | Implement 'podman run --blkio-weight-device'
| * | | Implement 'podman run --blkio-weight-device'Hironori Shiina2021-11-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `--blkio-weight-device` is not fully implemented and this causes an unexpected panic when specified because an entry is put into an uninitialized map at parsing. This fix implements the `--blkio-weight-device` and adds a system test. When creating a spec generator on a client, a major number and a minor number of a device cannot be set. So, these numbers are inspected on a server and set to a runtime spec. Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
* | | | Merge pull request #12450 from giuseppe/compression-formatOpenShift Merge Robot2021-12-01
|\ \ \ \ | |_|_|/ |/| | | podman, push: expose --compression-format
| * | | podman, push: expose --compression-formatGiuseppe Scrivano2021-12-01
| |/ / | | | | | | | | | | | | | | | support overriding the compression format at push time. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #12414 from flouthoc/api-allow-secretsOpenShift Merge Robot2021-11-30
|\ \ \ | | | | | | | | tunnel: allow `remote` and `API` to accept `--secrets`
| * | | podman-remote: prevent leaking secret into imageAditya Rajan2021-11-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Prevents temp secrets leaking into image by moving it away from context directory to parent builder directory. Builder directory automatically gets cleaned up when we are done with the build. Signed-off-by: Aditya Rajan <arajan@redhat.com>
| * | | podman-remote: copy secret to contextdir is absolute path on hostAditya Rajan2021-11-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman remote must treat build secrets as part of context directory. If secret path is absolute path on host copy it to tar file and pass it to remote server. Signed-off-by: Aditya Rajan <arajan@redhat.com>
| * | | api: allow build api to accept secretsAditya Rajan2021-11-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Following commit makes sure that `build` api can accept external secret and allows currently `NOOP` `podman-remote build -t tag --secret id=mysecret,src=/path/on/remote` to become functional. Just like `docker` following api is a hidden field and only exposed to `podman-remote` but could document it if it needs exposed on `swagger`. Signed-off-by: Aditya Rajan <arajan@redhat.com>
* | | | Merge pull request #12449 from vrothberg/fix-12438OpenShift Merge Robot2021-11-30
|\ \ \ \ | | | | | | | | | | systemd: replace multi-user with default.target
| * | | | systemd: replace multi-user with default.targetValentin Rothberg2021-11-30
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Replace `multi-user.target` with `default.target` across the code base. It seems like the multi-user one is not available for (rootless) users on F35 anymore is causing issues in all kinds of ways, for instance, enabling the podman.service or generated systemd units. Fixes: #12438 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* / | | compat API: allow enforcing short-names resolution to Docker HubValentin Rothberg2021-11-30
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The Docker-compatible REST API has historically behaved just as the rest of Podman and Buildah (and the atomic Docker in older RHEL/Fedora) where `containers-registries.conf` is centrally controlling which registries a short name may resolve to during pull or local image lookups. Please refer to a blog for more details [1]. Docker, however, is only resolving short names to docker.io which has been reported (see #12320) to break certain clients who rely on this behavior. In order to support this scenario, `containers.conf(5)` received a new option to control whether Podman's compat API resolves to docker.io only or behaves as before. Most endpoints allow for directly normalizing parameters that represent an image. If set in containers.conf, Podman will then normalize the references directly to docker.io. The build endpoint is an outlier since images are also referenced in Dockerfiles. The Buildah API, however, supports specifying a custom `types.SystemContext` in which we can set a field that enforces short-name resolution to docker.io in `c/image/pkg/shortnames`. Notice that this a "hybrid" approach of doing the normalization directly in the compat endpoints *and* in `pkg/shortnames` by passing a system context. Doing such a hybrid approach is neccessary since the compat and the libpod endpoints share the same `libimage.Runtime` which makes a global enforcement via the `libimage.Runtime.systemContext` impossible. Having two separate runtimes for the compat and the libpod endpoints seems risky and not generally applicable to all endpoints. [1] https://www.redhat.com/sysadmin/container-image-short-names Fixes: #12320 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #12408 from rhatdan/stdoutOpenShift Merge Robot2021-11-30
|\ \ \ | |/ / |/| | Only open save output file with WRONLY
| * | Only open save output file with WRONLYDaniel J Walsh2021-11-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The previous code fails on a MAC when opening /dev/stdout Fixes: https://github.com/containers/podman/issues/12402 [NO NEW TESTS NEEDED] No easy way to test this. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #12405 from flouthoc/compat-build-errorOpenShift Merge Robot2021-11-29
|\ \ \ | |/ / |/| | compat: Add compatiblity with `Docker/Moby` API for scenarios where build fails.