Podman wants to guarantee that exec sessions retain the groups of
the container they are started in, unless explicitly overridden
by the user. This guarantee was broken for containers where the
`--user` flag was specified; this patch resolves that.
Somewhere in the Exec rewrite for APIv2, I changed the location
where the container's User is passed into the exec session
(similar to groups, we also want to preserve user unless
overridden). The lower-level Exec APIs already handled setting
user and group appropriately if not specified when the exec
session was created, but I added duplicate code to handle this
higher in the stack - and that code only handled setting user,
not supplemental groups, breaking support in that specific case.
Two things conspired to make this one hard to track down: first,
things were only broken if the container explicitly set a user;
otherwise, the container user would still appear to be unset to
the lower-level code, which would properly set supplemental
groups (this tricked our existing test into passing). Also, the
`crun` OCI runtime will add the groups without prompting, which
further masked the problem there. I debated making `runc` do the
same, but in the end it's better to fix this in Podman - it's
better to be explicit about what we want done so we will work
with all OCI runtimes.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Installing bats to /usr/local requires root privileges. Without this,
`make install.tools` fails. However, if I do `sudo make install.tools`,
then all of the other dependencies and git clones in the current
directory end up owned by root. This limits root privileges to the part
that needs it.
Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
The configuration for this container has moved to the
`containers/automation_images` repository. Leverage the
image built from the new location to guarantee synchronization
with images used in CI.
Also, remove several other targets that haven't worked for a really
long time. Upon discussion, they seem to apply to a minority of
users. Remove them to clean up the `Makefile` and reduce
maintenance burden.
Signed-off-by: Chris Evich <cevich@redhat.com>
for podman-remote build operations, the iidfile, when used, needs to write the file to the client's local filesystem.
Signed-off-by: baude <bbaude@redhat.com>
* Use the BUILDFLAGS variable for all Go builds
* Use `go install` instead of manually specifying the GOBIN path
Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
dependabot seems to submit PRs without running 'make vendor'.
This script automates (with some safety checks) the manual
process for pulling the PR, running 'make vendor-in-container',
and force-pushing the PR.
Usage: ./contrib/dependabot-dance
It should take care of identifying your github repo, finding
all active dependabot branches, running the make, git-add,
and commit, then git-pushing.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Always return all associated names / repo tags of an image and fix a bug
with malformed repo tags.
Previously, Podman returned all names only with `--all` but this flag
only instructs to list intermediate images and should not alter
associated names. With `--all` Podman queried the repo tags of an image
which splits all *tagged* names into repository and tag which is then
reassembled to eventually be parsed again in the frontend. Lot's of
redundant CPU heat and buggy as the reassembly didn't consider digests
which ultimately broke parsing in the frontend.
Fixes: #7651
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When using `podman play kube` with a YAML file that has pod labels,
apply those labels to the pods that podman makes.
For example, this Deployment spec has labels on a pod:
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
labels:
app: myapp
spec:
selector:
matchLabels:
app: myapp
template:
metadata:
labels:
app: myapp
spec:
containers:
- name: web
image: nginx
ports:
- containerPort: 80
The pods that podman creates will have the label "app" set to "myapp" so
that these pods can be found with `podman pods ps --filter label=app`.
Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
podman and podman-remote do not exactly match as the lower layer code
checks if the output is destined for a TTY before creating the progress
bars. A future PR for containers/images could change this behavior.
Fixes#7543
Tested with:
$ (echo '# start'; podman-remote pull nginx ) 2>&1 | ts '[%Y-%m-%d %H:%M:%.S]'
$ (echo '# start'; podman pull nginx ) 2>&1 | ts '[%Y-%m-%d %H:%M:%.S]'
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Support an arbitrary order in which arguments are specified to the
`--mount` flag. Previously, Podman expected `type=...` to come
first which was breaking compatibility with Docker.
Note that this is the ground work to default to "volume" (again Docker
compat). However, this will require some further massaging as we have
to assign a name.
Fixes: #7628
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Currently infr-command and --infra-image commands are ignored
from the user. This PR instruments them and adds tests for
each combination.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Daniel J Walsh
Jhon Honce
Matthew Heon
Jordan Christiansen
Chris Evich
OpenShift Merge Robot
Valentin Rothberg
zhangguanzhang
Wong Hoi Sing Edison
Qi Wang
Matthew Heon
baude
Akihiro Suda
Ed Santiago
dependabot-preview[bot]
Ashley Cui