| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
| |
keep the file ownership when chowning and honor the user namespace
mappings.
Closes: https://github.com/containers/podman/issues/7130
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
| |
Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- New test for #6991 - passwd file is writable even when
run with --userns=keep-id
- Enable another keep-id test, commented out due to #6593
- New test for podman system df
Also, independently, removed this line:
apt-get -y upgrade conmon
...because it's causing CI failures, probably because of the
boothole CVE, probably because the Ubuntu grub update was
rushed out. I believe it is safe to remove this, because
both Ubuntu 19 and 20 report:
conmon is already the newest version (2.0.18~1).
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|\
| |
| | |
Binding the same container port to >1 host port is OK
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The initial version of the new port code mistakenly restricted
this, so un-restrict it. We still need to maintain the map of
container ports, unfortunately (need to verify if the port in
question is a duplicate, for example).
Fixes #7062
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \
| | |
| | | |
Make changes to /etc/passwd on disk for non-read only
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Bind-mounting /etc/passwd into the container is problematic
becuase of how system utilities like `useradd` work. They want
to make a copy and then rename to try to prevent breakage; this
is, unfortunately, impossible when the file they want to rename
is a bind mount. The current behavior is fine for read-only
containers, though, because we expect useradd to fail in those
cases.
Instead of bind-mounting, we can edit /etc/passwd in the
container's rootfs. This is kind of gross, because the change
will show up in `podman diff` and similar tools, and will be
included in images made by `podman commit`. However, it's a lot
better than breaking important system tools.
Fixes #6953
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \ \
| | | |
| | | | |
Fix building from http or '-' options
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When copying from a URL, podman will download and create a context
directory in a temporary file. The problem was that this directory
was being removed as soon as the function that created it was returned.
Later the build code would look for content in the temporary directory
and fail to find it, blowing up the build.
By pulling the extraction code back into the build function, we keep the
temporary directory around until the build completes.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \
| | | |
| | | | |
Add podman image mount
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
There are many use cases where you want to just mount an image
without creating a container on it. For example you might want
to just examine the content in an image after you pull it for
security analysys. Or you might want to just use the executables
on the image without running it in a container.
The image is mounted readonly since we do not want people changing
images.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \
| | | |
| | | | |
Specifying --ipc=host --pid=host is broken
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
For some reason we were overwriting memory when handling both
--pid=host and --ipc=host. Simplified the code to handle this
correctly, and add test to make sure it does not happen again.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Tests for #7094, in which symlinks in a volume would
cause chown errors and nonrunnable containers.
Tests for environment variable precedence, now
include --env-host and proxy settings
Fix a bug caught by covscan in helpers.t ('source'
path would fail if path included spaces).
Fix podman-run man page: it was incorrect in stating
precedence between in-image environment and --env-host.
Fixes: #7099
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We should default to the user name unmount rather then the internal
name of umount.
Also User namespace was not being handled correctly. We want to inform
the user that if they do a mount when in rootless mode that they have
to be first in the podman unshare state.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |
| |
| |
| |
| |
| |
| | |
Add a simple test to exercise the events API without the "filters"
parameter. Prevents regressing on #7078.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Add support to manage multiple connections
* Add connection
* Remove connection
* Rename connection
* Set connection as default
* Add markdown/man pages
* Fix recursion in hack/xref-helpmsgs-manpages
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
|\ \
| | |
| | | |
Publish IP from YAML (podman play kube)
|
| | |
| | |
| | |
| | |
| | |
| | | |
podman play kube didn't set host ip correctly from YAML
Signed-off-by: Ashley Cui <acui@redhat.com>
|
|\ \ \
| | | |
| | | | |
Turn on a bunch more remote tests
|
| |/ /
| | |
| | |
| | |
| | |
| | | |
We need to be more specific about the remote tests we turn off.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \
| |/ /
|/| | |
CI: attempt to fix flake in login test
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Fixes: #5212
...or at least I hope it does. The symptom seems to be that
INTEGRATION_ROOT is not being defined in some code flows.
This PR blindly implements a suggestion from Miloslav,
setting INTEGRATION_ROOT in one more place.
We won't actually know for a long time if this works or
not, because the test failure is a flake.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|\ \ \
| |/ /
|/| | |
Support default profile for apparmor
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Currently you can not apply an ApparmorProfile if you specify
--privileged. This patch will allow both to be specified
simultaniosly.
By default Apparmor should be disabled if the user
specifies --privileged, but if the user specifies --security apparmor:PROFILE,
with --privileged, we should do both.
Added e2e run_apparmor_test.go
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \
| |/ /
|/| | |
Enable a bunch of remote tests
|
| | |
| | |
| | |
| | | |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \
| | | |
| | | | |
Add --umask flag for create, run
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
--umask sets the umask inside the container
Defaults to 0022
Co-authored-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Ashley Cui <acui@redhat.com>
|
| |/ /
|/| |
| | |
| | | |
Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
|
|\ \ \
| | | |
| | | | |
BATS help-message test: improve diagnostics
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The error messages from the 'podman xxx --help' cross-check
test are unhelpful, and cause much wasted time when they trigger.
Solution: instead of using the built-in exit-status check
in run_podman, do an explicit check outside of run_podman.
This lets us die() with a custom, hopefully useful, message.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|\ \ \
| |/ /
|/| | |
events endpoint: fix panic and race condition
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Fix a potential panic in the events endpoint when parsing the filters
parameter. Values of the filters map might be empty, so we need to
account for that instead of uncondtitionally accessing the first item.
Also apply a similar for race conditions as done in commit f4a2d25c0fca:
Fix a race that could cause read errors to be masked. Masking
such errors is likely to report red herrings since users don't
see that reading failed for some reasons but that a given event
could not be found.
Another race was the handler closing event channel, which could lead to
two kinds of panics: double close, send to close channel. The backend
takes care of that. However, make sure that the backend stops working
in case the context has been cancelled.
Fixes: #6899
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \ \
| | | |
| | | | |
BATS tests: more resilient remove_same_dev_warning
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Some CI tests are flaking in the SELinux test, possibly because
there's a new variation of the "multiple devices" warning I hadn't
seen before:
WARNING: Creating device "/dev/null" with same type, major and minor as existing "/dev/foodevdir/null".
Solution: in remove_same_dev_warning(), remove "multiple" from
the match string.
Also: fix a Go test that wasn't cleaning up after itself. And
add an actual test to it, not just check-exit-status.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
Add support for overlay volume mounts in podman.
|
| |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Add support -v for overlay volume mounts in podman.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The fix was a new runc version, which we may have sucked in.
Fixes #6506
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When an image has no name/tag system df will
error because it tries to parse an empty name.
This commit makes sure we only parse non
empty names and set the repository and tag
to "<none>" otherwise.
Closes #7015
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
|\ \
| | |
| | | |
allow switching of port-forward approaches in rootless/using slirp4netns
|
| | |
| | |
| | |
| | |
| | |
| | | |
Closes: https://github.com/containers/podman/issues/6912
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | | |
do not pass network specific options through the network namespace.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \
| |_|/
|/| | |
Error on rootless mac and ip addresses
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When creating a pod or container where a static MAC or IP address is provided, we should return a proper error and exit as 125.
Fixes: #6972
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
|\ \ \
| | | |
| | | | |
system tests: check for masked-device leaks
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
PR #6957 added a new path (/sys/devs) to an existing list
of masked mount points which an unprivileged container
should not be able to access. Here we add a test for
those: run 'stat' on those devices in the container,
and make sure that they are dummies.
This is kind of kludgy, and relies on heuristics that
may not be 100% accurate. It also adds duplication,
a list that must be kept in sync with the original
list in pkg/specgen/generate/config_linux.go.
I'd love to hear suggestions on how to do it better.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|\ \ \
| |_|/
|/| | |
system tests: new tests for run, exec
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- Issue #6735 : problem with multiple namespaces; confirms
combinations of --userns=keep-id, --privileged, --user=XX
- Issue #6829 : --userns=keep-id will add a /etc/passwd entry
- Issue #6593 : podman exec, with --userns=keep-id, errors
(test is currently skipped because issue remains live)
...and, addendum: add new helper function, remove_same_dev_warning.
Some CI systems issue a warning on podman run --privileged:
WARNING: The same type, major and minor should not be used for multiple devices.
We already had special-case code to ignore than in the SELinux
test, but now we're seeing it in the new run tests I added, so
I've refactored the "ignore this warning" code and written
tests for the removal code.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|