| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
| |
This involves a new test binary (a basic implementation of the
volume plugin protocol) and a new image on quay.io (Containerfile
to produce it and all sources located in this commit). The image
is used to run a containerized plugin we can test against.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This implements support for mounting and unmounting volumes
backed by volume plugins. Support for actually retrieving
plugins requires a pull request to land in containers.conf and
then that to be vendored, and as such is not yet ready. Given
this, this code is only compile tested. However, the code for
everything past retrieving the plugin has been written - there is
support for creating, removing, mounting, and unmounting volumes,
which should allow full functionality once the c/common PR is
merged.
A major change is the signature of the MountPoint function for
volumes, which now, by necessity, returns an error. Named volumes
managed by a plugin do not have a mountpoint we control; instead,
it is managed entirely by the plugin. As such, we need to cache
the path in the DB, and calls to retrieve it now need to access
the DB (and may fail as such).
Notably absent is support for SELinux relabelling and chowning
these volumes. Given that we don't manage the mountpoint for
these volumes, I am extremely reluctant to try and modify it - we
could easily break the plugin trying to chown or relabel it.
Also, we had no less than *5* separate implementations of
inspecting a volume floating around in pkg/infra/abi and
pkg/api/handlers/libpod. And none of them used volume.Inspect(),
the only correct way of inspecting volumes. Remove them all and
consolidate to using the correct way. Compat API is likely still
doing things the wrong way, but that is an issue for another day.
Fixes #4304
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\
| |
| | |
network: disallow CNI networks with user namespaces
|
| | |
| |
| |
| | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
it solves a segfault when running as rootless a command like:
$ podman run --uidmap 0:0:1 --net foo --rm fedora true
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x5629bccc407c]
goroutine 1 [running]:
panic(0x5629bd3d39e0, 0x5629be0ab8e0)
/usr/lib/golang/src/runtime/panic.go:1064 +0x545 fp=0xc0004592c0 sp=0xc0004591f8 pc=0x5629bbd35d85
runtime.panicmem(...)
/usr/lib/golang/src/runtime/panic.go:212
runtime.sigpanic()
/usr/lib/golang/src/runtime/signal_unix.go:742 +0x413 fp=0xc0004592f0 sp=0xc0004592c0 pc=0x5629bbd4cd33
github.com/containers/podman/libpod.(*Runtime).setupRootlessNetNS(0xc0003fe9c0, 0xc0003d74a0, 0x0, 0x0)
/builddir/build/BUILD/podman-2.2.1/_build/src/github.com/containers/podman/libpod/networking_linux.go:238 +0xdc fp=0xc000459338 sp=0xc0004592f0 pc=0x5629bccc407c
github.com/containers/podman/libpod.(*Container).completeNetworkSetup(0xc0003d74a0, 0x0, 0x0)
/builddir/build/BUILD/podman-2.2.1/_build/src/github.com/containers/podman/libpod/container_internal.go:965 +0xb72 fp=0xc0004594d8 sp=0xc000459338 pc=0x5629bcc81732
[.....]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \
| | |
| | | |
play kube: set entrypoint when interpreting Command
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We now set Entrypoint when interpeting the image Entrypoint (or yaml.Command)
and Command when interpreting image Cmd (or yaml.Args)
This change is kind of breaking because now checking Config.Cmd won't return
the full command, but only the {cmd,args}.
Adapt the tests to this change as well
Signed-off-by: Peter Hunt <pehunt@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |/
|
|
| |
Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
|
| |\
| |
| | |
Make podman generate systemd --new flag parsing more robust
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
First, use the pflag library to parse the flags. With this we can
handle all corner cases such as -td or --detach=false.
Second, preserve the root args with --new. They are used for all podman
commands in the unit file. (e.g. podman --root /tmp run alpine)
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| |\ \
| | |
| | | |
Adding json formatting to `--list-tags` option in `podman search` command.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Adding another check in the `podman search --list-tags --format json` test case.
Replacing an anonymous struct by \`listEntryTag\` struct.
Signed-off-by: Alexandre Fourcat <afourcat@gmail.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
command.
Data is formatted following this JSON structure:
```json
{
"Name": "...",
"Tags": ["...", "...", "..."]
}
```
Closes: #8740.
Signed-off-by: Alexandre Fourcat <afourcat@gmail.com>
|
| |\ \ \
| | | |
| | | | |
Add pre-checkpoint and restore with previous
|
| | |/ /
| | |
| | |
| | | |
Signed-off-by: Zhuohan Chen <chen_zhuohan@163.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
`podman ps --format {{.Networks}}` will show all connected networks for
this container. For `pod ps` it will show the infra container networks.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| |/ /
| |
| |
| |
| |
| |
| | |
Allow to filter on the network name or full id.
For pod ps it will filter on the infra container networks.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
| |\ \
| | |
| | | |
Add support for checkpoint/restore of containers with volumes
|
| | |/
| |
| |
| | |
Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
|
| | |
| |
| |
| | |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
| |
When I launch a container with --userns=keep-id the rootless processes
should have no caps by default even if I launch the container with
--privileged. It should only get the caps if I specify by hand the
caps I want leaked to the process.
Currently we turn off capeff and capamb, but not capinh. This patch
treats capinh the same way as capeff and capamb.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\
| |
| | |
Fix e2e test for `podman build --logfile`
|
| | |
| |
| |
| |
| |
| | |
Type casting is necessary to see if the logfile size is not equal to 0.
Signed-off-by: Hironori Shiina <Hironori.Shiina@fujitsu.com>
|
| |\ \
| | |
| | | |
Ensure that user-specified HOSTNAME is honored
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When adding the HOSTNAME environment variable, only do so if it
is not already present in the spec. If it is already present, it
was likely added by the user, and we should honor their requested
value.
Fixes #8886
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
The issue requiring these tests be disabled should be resolved.
Reenable the tests as such.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
`KillMode=none` has been deprecated in systemd and is now throwing big
warnings when being used. Users have reported the issues upstream
(see #8615) and on the mailing list.
This deprecation was mainly motivated by an abusive use of third-party
vendors causing all kinds of undesired side-effects. For instance, busy
mounts that delay reboot.
After talking to the systemd team, we came up with the following plan:
**Short term**: we can use TimeoutStopSec and remove KillMode=none which
will default to cgroup.
**Long term**: we want to change the type to sdnotify. The plumbing for
Podman is done but we need it for conmon. Once sdnotify is working, we
can get rid of the pidfile handling etc. and let Podman handle it.
Michal Seklatar came up with a nice idea that Podman increase the time
out on demand. That's a much cleaner way than hard-coding the time out
in the unit as suggest in the short-term solution.
This change is executing the short-term plan and sets a minimum timeout
of 60 seconds. User-specified timeouts are added to that.
Fixes: #8615
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \
| | |
| | | |
systemd: make rundir always accessible
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
so that the PIDFile can be accessed also without being in the rootless
user namespace.
Closes: https://github.com/containers/podman/issues/8506
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\ \ \
| |/ /
|/| | |
Disable seccomp by default when creating a privileged container.
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| | |
When running a privileged container and `SeccompProfilePath` is empty no seccomp profile should be applied.
(Previously this was the case only if `SeccompProfilePath` was set to a non-empty default path.)
Closes #8849
Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
|
| | |
| |
| |
| | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |/
|
|
|
|
|
| |
write the capabilities to the configuration passed to the OCI
runtime.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |\
| |
| | |
Set NetNS mode instead of value
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
when HostNetwork is true in the pod spec.
Also propagate whether host network namespace should be used for containers.
Add test for HostNetwork setting in kubeYaml.
The infra configuration should reflect the setting.
Signed-off-by: Benedikt Ziemons <ben@rs485.network>
|
| |\ \
| | |
| | | |
add --cidfile to container kill
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| | |
Add the ability to read container ids from one or more files for the
kill command.
Fixes: #8443
Signed-off-by: baude <bbaude@redhat.com>
|
| |\ \
| |/
|/| |
Prefer read/write images over read/only images
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With additional stores there is a risk that you could have
multiple images with the same name. IE An older image in a
read/only store versus a newer version in the read/write store.
This patch will ignore multiple images with the same name iff
one is read/write and all of the others are read/only.
Fixes: https://github.com/containers/podman/issues/8176
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \
| | |
| | | |
Spelling
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
|
| |\ \ \
| | | |
| | | | |
Fix missing options in volume's display while setting uid and gid
|
| | | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
```
$ podman volume create testvol --opt o=uid=1001,gid=1001
$ ./bin/podman volume create testvol2 --opt o=uid=1001,gid=1001
$ podman volume inspect testvol
"Options": {},
$ podman volume inspect testvol2
"Options": {
"GID": "1001",
"UID": "1001",
"o": "uid=1001,gid=1001"
},
```
Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
|
| |\ \ \
| | | |
| | | | |
add pod filter for ps
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
adds the ability to filter containers based on the filter "pod". the
value can be a pod name or its full or partial id.
Fixes: #8512
Signed-off-by: baude <bbaude@redhat.com>
|
| | |/
|/|
| |
| |
| |
| |
| |
| |
| |
| | |
when neither yaml.Args nor yaml.Command are specified, we should use the entrypoint and cmd from the image.
update the tests to cover this and another case (both args and command are specified).
use the registry image instead of redis, as it has both an entrypoint and command specified.
update the documentation around this handling to hopefully prevent regressions and confusion.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
| |
This change was missed in pull/8689. Now that volume pruneing supports
filters system pruneing can pass its filters down to the volume
pruneing. Additionally this change adds tests for the following components
* podman system prune subcommand with `--volumes` & `--filter` options
* apiv2 api tests for `/system/` and `/libpod/system` endpoints
Relates to #8453, #8672
Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement `podman-remote cp` and break out the logic from the previously
added `pkg/copy` into it's basic building blocks and move them up into
the `ContainerEngine` interface and `cmd/podman`.
The `--pause` and `--extract` flags are now deprecated and turned into
nops.
Note that this commit is vendoring a non-release version of Buildah to
pull in updates to the copier package.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
`podman network create` should always add a gateway to the cni config.
If no gateway is given use the first ip in the subnet. CNI does not require
the gateway field but we need it because of network inspect.
This worked with previous version but was dropped in Commit(e7a72d72fd59).
Fixes #8748
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
