| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
| |
Currently podman generate kube does not generate the correct RunAsUser and RunAsGroup
options in the yaml file. This patch fixes this.
This patch also make `podman play kube` use the RunAdUser and RunAsGroup options if
they are specified in the yaml file.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\
| |
| | |
Set SELinux labels based on the security context in the kube.yaml
|
| |
| |
| |
| |
| |
| |
| | |
If the kube.yaml specifieds the SELinux type or Level, we need the container
to be launched with the correct label.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
change the default on cgroups v2 and create a new cgroup namespace.
When a cgroup namespace is used, processes inside the namespace are
only able to see cgroup paths relative to the cgroup namespace root
and not have full visibility on all the cgroups present on the
system.
The previous behaviour is maintained on a cgroups v1 host, where a
cgroup namespace is not created by default.
Closes: https://github.com/containers/libpod/issues/4363
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
|
|
|
| |
change the default to -1, so that we can change the semantic of
"--tail 0" to not print any existing log line.
Closes: https://github.com/containers/libpod/issues/4396
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\
| |
| | |
container start: fix regression when using name
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When starting a container by using its name as a reference, we should
print the name instead of the ID. We regressed on this behaviour
with commit b4124485ae7e which made it into Podman v1.6.2.
Kudos to openSUSE testing for catching it. To prevent future
regressions, extend the e2e tests to check the printed container
name/ID.
Reported-by: @sysrich
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|/
|
|
|
|
| |
We want to make sure that the process label of pid 1 is the same as the process label of a process execed into the container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\
| |
| | |
Wait for `mount` command to finish when mounting volume
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
command.Start() just starts the command. That catches some
errors, but the nasty ones - bad options and similar - happen
when the command runs. Use CombinedOutput() instead - it waits
for the command to exit, and thus catches non-0 exit of the
`mount` command (invalid options, for example).
STDERR from the `mount` command is directly used, which isn't
necessarily the best, but we can't really get much more info on
what went wrong.
Fixes #4303
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \
| | |
| | | |
build: drop support for ostree
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
it is going to be removed from containers/image as well, so no longer
depend on it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \
| | | |
| | | | |
Processes execed into container should match container label
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Processes execed into a container were not being run with the correct label.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \ \
| |_|/ /
|/| | | |
goland autocorrections
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | | |
just ran the autocorrect code corrections from goland and it found a few
nits.
Signed-off-by: baude <bbaude@redhat.com>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Test that when we pull using tag or digest references from locations
that are manifest lists, that we can inspect using the references that
we used for pulling, that the tags show up in the RepoTag list when we
inspect an image that was pulled using a tag, and that the list and
instance digests always both show up in the RepoDigest list.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
|
|\ \
| |/
|/| |
Fix sig-proxy=false test and use image cache
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Pulling fedora-minimal was potentially causing timeouts, which is
bad. Using the cache avoids that.
Sig-proxy=false test was entirely nonfunctional - I think we
didn't update it when we fixed sig-proxy=true to be less racy.
It was still passing, which is concerning.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|\ \
| | |
| | | |
Image volumes should not be mounted noexec
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This matches Docker more closely, but retains the more important
protections of nosuid/nodev.
Fixes #4318
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \ \
| |/ /
|/| | |
Add parsing for UID, GID in volume "o" option
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Everything else is a flag to mount, but "uid" and "gid" are not.
We need to parse them out of "o" and handle them separately.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Unless specified otherwise by --all, --latest or via arguments, list all
running containers. This matches the behaviour of Docker and is also
illustrated in the man pages where containers and options are marked to
be optional.
Fixes: #4274
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \
| | |
| | | |
Add support for anonymous volumes to `podman run -v`
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Previously, when `podman run` encountered a volume mount without
separate source and destination (e.g. `-v /run`) we would assume
that both were the same - a bind mount of `/run` on the host to
`/run` in the container. However, this does not match Docker's
behavior - in Docker, this makes an anonymous named volume that
will be mounted at `/run`.
We already have (more limited) support for these anonymous
volumes in the form of image volumes. Extend this support to
allow it to be used with user-created volumes coming in from the
`-v` flag.
This change also affects how named volumes created by the
container but given names are treated by `podman run --rm` and
`podman rm -v`. Previously, they would be removed with the
container in these cases, but this did not match Docker's
behaviour. Docker only removed anonymous volumes. With this patch
we move to that model as well; `podman run -v testvol:/test` will
not have `testvol` survive the container being removed by `podman
rm -v`.
The sum total of these changes let us turn on volume removal in
`--rm` by default.
Fixes: #4276
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \ \
| | | |
| | | | |
Show volume options in 'volume inspect'
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
We initialized the map to show them, but didn't actually copy
them in, so they weren't being displayed.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
play kube: refactor test suite
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
for berevity
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| | |_|/
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The play kube test suite has many different cases to cover, and should only grow in coverage over time
The old design was difficult to extend, and there was lots of duplicated code.
The largest pain point was the Container struct needed to be changed often, and doing so caused changes every test case
Instead, adopt the `withOption` idiom. Now, adding a new option for customizing just involves adding a new withOption function, and changing the struct definition and initialization in one place.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
| |_|/
|/| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
podman exec leaks an exec_pid_<hash> file for every exec in tmpfs,
it's known rhbz#1731117, this case makes sure leakage issue has
been fixed.
rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1731117
Signed-off-by: Alex Jia <chuanchang.jia@gmail.com>
|
| |/
|/|
| |
| |
| |
| |
| | |
Rather than checking for non-zero, we need to check for >0 to
distinguish between timeouts and error exit codes.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When a container is created with a given OCI runtime, but then it
is uninstalled or removed from the configuration file, Libpod
presently reacts very poorly. The EvictContainer code can
potentially remove these containers, but we still can't see them
in `podman ps` (aside from the massive logrus.Errorf messages
they create).
Providing a minimal OCI runtime implementation for missing
runtimes allows us to behave better. We'll be able to retrieve
containers from the database, though we still pop up an error for
each missing runtime. For containers which are stopped, we can
remove them as normal.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The json field is called `Image` while the go field is called `ImageID`,
tricking users into filtering for `Image` which ultimately results in an
error. Hence, rename the field to `Image` to align json and go.
To prevent podman users from regressing, rename `Image` to `ImageID` in
the specified filters. Add tests to prevent us from regressing. Note
that consumers of the go API that are using `ImageID` are regressing;
ultimately we consider it to be a bug fix.
Fixes: #4193
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
similar change to f7d55d64e7040cdad149684234ea150b0a90cf0e
with images --format=json, be sure the output is valid json also when
it is an empty list.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
tests: enable ps --size tests for rootless
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
rootless podman is using a single user namespace for all the containers
so it can safely access the storage for all of them.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \
| |/ /
|/| | |
container: initialize results list
|
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
it solves:
$ podman ps --format=json
null
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
systemd: expect full path /usr/sbin/init
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
"init" is a quite common name for the command executed in a container
image and Podman ends up using the systemd mode also when not
required.
Be stricter on enabling the systemd mode and not enable it
automatically when the basename is "init" but expect the full path
"/usr/sbin/init".
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| |/
|/| |
Raise start_test polling interval
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
According to the documentation
https://onsi.github.io/gomega/#eventually
> the default value for the polling interval is 10 milliseconds
That is excessively fast given the observed failures in
issue #4021 are always using podman-remote. Lower the interval to
3-seconds, which should be plenty long enough for container removal.
Signed-off-by: Chris Evich <cevich@redhat.com>
|
| |
| |
| |
| |
| |
| |
| | |
Disallow invalid/confusing names such as '../bar' or 'foo '
Closes #4184
Signed-off-by: Mrigank Krishan <mrigankkrishan@gmail.com>
|
|\ \
| | |
| | | |
System-tests: Use bash explicitly
|
| |/
| |
| |
| |
| |
| |
| | |
On Ubuntu, /bin/sh != /bin/bash. Update system-tests to only use
bash for testing consistency across platforms.
Signed-off-by: Chris Evich <cevich@redhat.com>
|
|/
|
|
|
|
|
|
| |
...e.g. cloud-user. 9822f54ac was intended to fix this,
but it doesn't. Simple and standard solution is to
move the dash to the end of the character class.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Issue #3829 (cp symlinks) has been fixed: enable tests for it
And, it looks like podman-remote is now handling exit status
of a force-rm'ed container. Enable that test too.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|\
| |
| | |
podman import syntax fix
|