Bumps
c/buildah to -> `v1.24.3-0.20220310160415-5ec70bf01ea5`
c/storage to -> `v1.38.3-0.20220308085612-93ce26691863`
c/image to -> `v5.20.1-0.20220310094651-0d8056ee346f`
Signed-off-by: Aditya R <arajan@redhat.com>
We already use v7 in c/image so podman should use the same version to
prevent duplication.
This saves 170 KB binary size.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
overlayfs -- the kernel's version, not fuse-overlayfs -- recently learned
(as of linux 5.16.0, I believe) how to support rootless users. Previously,
rootless users had to use these storage.conf(5) settings:
* storage.driver=vfs (aka STORAGE_DRIVER=vfs), or
* storage.driver=overlay (aka STORAGE_DRIVER=overlay),
storage.options.overlay.mount_program=/usr/bin/fuse-overlayfs
(aka STORAGE_OPTS=/usr/bin/fuse-overlayfs)
Now that a third backend is available, setting only:
* storage.driver=overlay (aka STORAGE_DRIVER=overlay)
https://github.com/containers/podman/issues/13123 reported EXDEV errors
during the normal operation of their container. Tracing it out, the
problem turned out to be that their container was being mounted without
'userxattr'; I don't fully understand why, but mount(8) mentions this is
needed for rootless users:
> userxattr
>
> Use the "user.overlay." xattr namespace instead of "trusted.overlay.".
> This is useful for unprivileged mounting of overlayfs.
https://github.com/containers/storage/pull/1156 found and fixed the issue
in podman, and this just pulls in that via
go get github.com/containers/storage@ebc90ab
go mod vendor
make vendor
Closes https://github.com/containers/podman/issues/13123
Signed-off-by: Nick Guenther <nick.guenther@polymtl.ca>
This updates the CDI dependency to the v0.3.0 tagged version instead of
relying on a pseudo version. This also addresses the fact that cgroups
are not set correctly for devices using the previous dependency.
Signed-off-by: Evan Lezar <elezar@nvidia.com>
Since containers-common package is tied to specific versions
of Podman, add tools to build the package into the contrib directory
This should help other distributions to figure out which commont
package to ship.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
update c/storage to commit 26c561f9a64585d9a25d340e1ae5479eca8008a1.
It contains an important fix for partial pulls.
[NO NEW TESTS NEEDED]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Until podman4 is in the fcos trees, we need to pull the machine images
from a side repository. There is a hard coded bit that forces the
side repo download right now. Simple comment or removal of the bit will
revert to normal download behavior.
[NO NEW TESTS NEEDED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
Bumps Buildah to v1.24.0 and adopts the new values for pull:
true, false, never, and always. The pull-never and pull-always options
for the build command are still usable, but they have been removed from
the man page documentation with this change.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
This commit bumps majorly c/common so netavark features could be synced
with podman.
But there are some other vendor bumps as well
[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]
Signed-off-by: Aditya R <arajan@redhat.com>
The dependabot does not update dependencies when they do not use a tag.
This patch upgrades all untagged depenencies if possible.
You can upgrade all dependencies with `go get -u ./... && make vendor`
in theory however this failed since the k8s changes do not compile on
go v1.16 so I only updated the other dependencies.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This change updates the CDI API to commit 46367ec063fda9da931d050b308ccd768e824364
which addresses some inconistencies in the previous implementation.
Signed-off-by: Evan Lezar <elezar@nvidia.com>
The libpod/network packages were moved to c/common so that buildah can
use it as well. To prevent duplication use it in podman as well and
remove it from here.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Also update the e2e pull test to account for the changes when pulling
from the dir transport. Images pulled via the dir transport are not
tagged anymore; the path is not a reliable source.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
DevShmCheckpointTar constant has been recently introduced in
checkpointctl. This constant will be used in subsequent patch and this
patch contains auto-generated changes with the following commands:
go get github.com/checkpoint-restore/checkpointctl
go mod tidy
go mod vendor
Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
Update the `--filter reference=...` tests to reflect recent changes in
c/common. The reference values now match as specified without
implicitly adding wildcards arounds.
Fixes: #11905
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
The Docker-compatible REST API has historically behaved just as the rest
of Podman and Buildah (and the atomic Docker in older RHEL/Fedora) where
`containers-registries.conf` is centrally controlling which registries
a short name may resolve to during pull or local image lookups. Please
refer to a blog for more details [1].
Docker, however, is only resolving short names to docker.io which has
been reported (see #12320) to break certain clients who rely on this
behavior. In order to support this scenario, `containers.conf(5)`
received a new option to control whether Podman's compat API resolves
to docker.io only or behaves as before.
Most endpoints allow for directly normalizing parameters that represent
an image. If set in containers.conf, Podman will then normalize the
references directly to docker.io. The build endpoint is an outlier
since images are also referenced in Dockerfiles. The Buildah API,
however, supports specifying a custom `types.SystemContext` in which
we can set a field that enforces short-name resolution to docker.io
in `c/image/pkg/shortnames`.
Notice that this a "hybrid" approach of doing the normalization directly
in the compat endpoints *and* in `pkg/shortnames` by passing a system
context. Doing such a hybrid approach is neccessary since the compat
and the libpod endpoints share the same `libimage.Runtime` which makes
a global enforcement via the `libimage.Runtime.systemContext`
impossible. Having two separate runtimes for the compat and the libpod
endpoints seems risky and not generally applicable to all endpoints.
[1] https://www.redhat.com/sysadmin/container-image-short-namesFixes: #12320
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
For reasons buried in the history of Podman, looking up an untagged
image would match any tag of matching image. For instance, looking up
centos would match a local image centos:foobar. Change that behavior
to only match the latest tag.
Fix: #11964
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Fixes: https://github.com/containers/podman/issues/12296
[NO NEW TESTS NEEDED] because there is no easy way to test this.
Tests are in containers/common.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Support downloading files, for instance via
`podman load -i server.com/image.tar`. The specified URL is downloaded
in the frontend and stored as a temp file that gets passed down to the
backend.
Also vendor in c/common@main to use the new `pkg/download`.
Fixes: #11970
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Health checks may be defined in the container config or the config of an
image. So far, Podman only looked at the container config.
The plumbing happened in libimage but add a regression test to Podman as
well to make sure the glue code will not regress.
Note that I am pinning github.com/onsi/gomega to v1.16.0 since v1.17.0
requires go 1.16 which in turn is breaking CI.
Fixes: #12226
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
There was the question about how long it takes to create a checkpoint.
CRIU already provides some statistics about how long it takes to create
a checkpoint and similar.
With this change the file 'stats-dump' is included in the checkpoint
archive and the tool checkpointctl can be used to display these
statistics:
./checkpointctl show -t /tmp/cp.tar --print-stats
Displaying container checkpoint data from /tmp/dump.tar
[...]
CRIU dump statistics
+---------------+-------------+--------------+---------------+---------------+---------------+
| FREEZING TIME | FROZEN TIME | MEMDUMP TIME | MEMWRITE TIME | PAGES SCANNED | PAGES WRITTEN |
+---------------+-------------+--------------+---------------+---------------+---------------+
| 105405 us | 1376964 us | 504399 us | 446571 us | 492153 | 88689 |
+---------------+-------------+--------------+---------------+---------------+---------------+
Signed-off-by: Adrian Reber <areber@redhat.com>
Make sure that the value is only set if specified on the CLI. c/image
already defaults to true but if set in the system context, we'd skip
settings in the registries.conf.
Fixes: #11933
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This will change mount of /dev within container to noexec, making
containers slightly more secure.
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Vendor the latest HEAD in c/common to pull in changes for a faster
inspection of images. Previously, only the size computation was
optional, now the one for the parent image is as well.
In many cases, the parent image is not needed but it takes around 10ms
on my local machine. With this change, we cut off 10ms from many code
paths, most importantly, container creation.
[NO NEW TESTS NEEDED]
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Update c/common to fix a bug where broken config files could be created
via podman machine and podman system connection add.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Fixes: https://github.com/containers/podman/issues/11745
[NO TESTS NEEDED] Since this is just a revendor and a one line
change for the revendor
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add an option to `podman save` to allow uncompressed layers when
copying OCI images. Do the neccessary plumbing for the remote client,
add tests and vendor in the latest commit from c/common to fetch
the neccessary changes in libimage.
Closes: #11613
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Update CNI so we can match wrapped errors. This should silence ENOENT
warnings when trying to read the cni conflist files.
Fixes#10926
Because CNI v1.0.0 contains breaking changes we have to change some
import paths. Also we cannot update the CNI version used for the
conflist files created by `podman network create` because this would
require at least containernetwork-plugins v1.0.1 and a updated dnsname
plugin. Because this will take a while until it lands in most distros
we should not use this version. So keep using v0.4.0 for now.
The update from checkpoint-restore/checkpointctl is also required to
make sure it no longer uses CNI to read the network status.
[NO TESTS NEEDED]
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
psgo added support for listing supplementary groups via
two new descriptors:
* `groups` for supplementary groups inside the container
* `hgroups` for the counterpart on the host
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Finalizes the linked BZ to fix passing down custom authfiles during auto
updates. Also fixes the if-newer pull policy.
[NO TESTS NEEDED] for now validated manually. There's a TODO to add a
new system test that I did not find time for before PTO.
BZ: bugzilla.redhat.com/show_bug.cgi?id=2000943
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
We do not use the ocicni code anymore so let's get rid of it. Only the
port struct is used but we can copy this into libpod network types so
we can debloat the binary.
The next step is to remove the OCICNI port mapping form the container
config and use the better PortMapping struct everywhere.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Make use of the new network interface in libpod.
This commit contains several breaking changes:
- podman network create only outputs the new network name and not file
path.
- podman network ls shows the network driver instead of the cni version
and plugins.
- podman network inspect outputs the new network struct and not the cni
conflist.
- The bindings and libpod api endpoints have been changed to use the new
network structure.
The container network status is stored in a new field in the state. The
status should be received with the new `c.getNetworkStatus`. This will
migrate the old status to the new format. Therefore old containers should
contine to work correctly in all cases even when network connect/
disconnect is used.
New features:
- podman network reload keeps the ip and mac for more than one network.
- podman container restore keeps the ip and mac for more than one
network.
- The network create compat endpoint can now use more than one ipam
config.
The man pages and the swagger doc are updated to reflect the latest
changes.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Follow https://pkg.go.dev/cmd/go#hdr-Generate_Go_files_by_processing_source
for leading comment
* Add godoc strings for all exposed methods for IDE support
* Copy field godoc strings into generated code as function godoc string
* Remove unused/unnecessary fields from generator.go structures
* Cleanup code regarding template usage
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Allows users to specify a readonly rootfs with :O, in exchange podman will create a writable overlay.
bump builah to v1.22.1-0.20210823173221-da2b428c56ce
[NO TESTS NEEDED]
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
Aditya R
OpenShift Merge Robot
dependabot[bot]
Paul Holzinger
Nick Guenther
Ashley Cui
Evan Lezar
Daniel J Walsh
Giuseppe Scrivano
Brent Baude
tomsweeneyredhat
Valentin Rothberg
Jason T. Greene
Adrian Reber
Radostin Stoyanov
Aditya Rajan
Jhon Honce