Commit Graph

5751 Commits

Author SHA1 Message Date
Peter Hunt dcf3c742b1
Split up create config handling of namespaces and security
As it stands, createconfig is a huge struct. This works fine when the only caller is when we create a container with a fully created config. However, if we wish to share code for security and namespace configuration, a single large struct becomes unwieldy, as well as difficult to configure with the single createConfigToOCISpec function.

This PR breaks up namespace and security configuration into their own structs, with the eventual goal of allowing the namespace/security fields to be configured by the pod create cli, and allow the infra container to share this with the pod's containers.

Signed-off-by: Peter Hunt <pehunt@redhat.com>
2019-11-07 21:23:23 -05:00
OpenShift Merge Robot 3463a7194c
Merge pull request #4444 from TomSweeneyRedHat/dev/tsweeney/readthedocs
Add links to readthedocs on docs/readme
2019-11-08 01:25:14 +01:00
OpenShift Merge Robot 3ec9ee090e
Merge pull request #4466 from giuseppe/notmpcopyup
mount: add new options nocopyup|copyup for tmpfs
2019-11-07 21:23:54 +01:00
OpenShift Merge Robot d919961f62
Merge pull request #4451 from giuseppe/set-mac
podman: add support for specifying MAC
2019-11-07 20:26:14 +01:00
OpenShift Merge Robot 347499778c
Merge pull request #4378 from containers/dependabot/go_modules/github.com/json-iterator/go-1.1.8
Bump github.com/json-iterator/go from 1.1.7 to 1.1.8
2019-11-07 18:49:19 +01:00
Giuseppe Scrivano 82e4116e57
test: add tests for --mac-address
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-11-07 18:38:02 +01:00
OpenShift Merge Robot 20c8a01af1
Merge pull request #4413 from containers/dependabot/go_modules/github.com/onsi/gomega-1.7.1
Bump github.com/onsi/gomega from 1.7.0 to 1.7.1
2019-11-07 18:34:33 +01:00
Giuseppe Scrivano 4e5e9dbec2
mount: add new options nocopyup|copyup for tmpfs
add a way to disable tmpcopyup for tmpfs.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-11-07 18:24:02 +01:00
OpenShift Merge Robot 8f3b0f0d9e
Merge pull request #4471 from containers/dependabot/go_modules/github.com/uber/jaeger-client-go-2.20.0+incompatible
Bump github.com/uber/jaeger-client-go from 2.19.0+incompatible to 2.20.0+incompatible
2019-11-07 18:16:49 +01:00
OpenShift Merge Robot 769d4218ff
Merge pull request #4468 from nalind/image-digests
podman images --digest: always list a digest
2019-11-07 18:16:41 +01:00
OpenShift Merge Robot 24efb5e4eb
Merge pull request #4470 from vrothberg/fix-4463
libpod/config: default: use `crun` on Cgroups v2
2019-11-07 16:26:22 +01:00
OpenShift Merge Robot b4a83bf9ae
Merge pull request #4447 from rhatdan/runasuser
Add support for RunAsUser and RunAsGroup
2019-11-07 16:05:03 +01:00
OpenShift Merge Robot a889fd397a
Merge pull request #4441 from rhatdan/detach
Allow users to disable detach keys
2019-11-07 15:16:36 +01:00
dependabot-preview[bot] 75d67c4920
Bump github.com/uber/jaeger-client-go
Bumps [github.com/uber/jaeger-client-go](https://github.com/uber/jaeger-client-go) from 2.19.0+incompatible to 2.20.0+incompatible.
- [Release notes](https://github.com/uber/jaeger-client-go/releases)
- [Changelog](https://github.com/jaegertracing/jaeger-client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/uber/jaeger-client-go/compare/v2.19.0...v2.20.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2019-11-07 14:05:10 +00:00
OpenShift Merge Robot aad2904553
Merge pull request #4308 from openSUSE/kata
Add Kata Containers runtimes to libpod.conf
2019-11-07 14:58:57 +01:00
Valentin Rothberg 709ad91035
libpod/config: default: use `crun` on Cgroups v2
When running on a node with Cgroups v2, default to using `crun` instead
of `runc`.  Note that this only impacts the hard-coded default config.
No user config will be over-written.

Fixes: #4463
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2019-11-07 13:55:41 +00:00
Nalin Dahyabhai 5e3e41daee
podman images --digest: always list a digest
When we're asked to display image digests, always provide them if we
have values that we can provide.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2019-11-06 17:36:04 -05:00
OpenShift Merge Robot 2e2d82ce76
Merge pull request #4461 from giuseppe/fix-hang
events: make sure the write channel is always closed
2019-11-06 22:10:11 +01:00
Giuseppe Scrivano 276d68c8f5
events: make sure the write channel is always closed
in case of errors, the channel is not closed, blocking the reader
indefinitely.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1767663

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-11-06 17:14:44 +01:00
Daniel J Walsh a6108f1c19
Add support for RunAsUser and RunAsGroup
Currently podman generate kube does not generate the correct RunAsUser and RunAsGroup
options in the yaml file.  This patch fixes this.

This patch also makes `podman play kube` use the RunAsUser and RunAsGroup options if
they are specified in the yaml file.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-11-06 10:35:37 -05:00
OpenShift Merge Robot 581a7ec298
Merge pull request #4459 from giuseppe/fix-renameat-definition
rootless: use SYS_renameat2 instead of __NR_renameat2
2019-11-06 16:28:46 +01:00
Giuseppe Scrivano e379f7eda1
cni: enable tuning plugin
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-11-06 16:22:20 +01:00
Jakub Filak 2497b6c77b
podman: add support for specifying MAC
I basically copied and adapted the statements for setting IP.

Closes #1136

Signed-off-by: Jakub Filak <jakub.filak@sap.com>
2019-11-06 16:22:19 +01:00
Jakub Filak 455f5b7616
vendor: updated ocicni for MAC address
`go get github.com/cri-o/ocicni@deac903fd99b6c52d781c9f42b8db3af7dcfd00a`

I had to fix compilation errors in libpod/networking_linux.go

---

ocicni.Networks has changed from string to the structure NetAttachment
with the member Name (the former string value) and the member Ifname
(optional).

I don't think we can make use of Ifname here, so I just map the array of
structures to array of strings - e.g. dropping Ifname.

---

The function GetPodNetworkStatus no longer returns Result but it returns
the wrapper structure NetResult which contains the former Result plus
NetAttachment (Network name and Interface name).

Again, I don't think we can make use of that information here, so I
just added `.Result` to fix the build.

---

Issue: #1136

Signed-off-by: Jakub Filak <jakub.filak@sap.com>
2019-11-06 16:22:18 +01:00
Giuseppe Scrivano 16cb2b38a8
Makefile: add vendor-in-container
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-11-06 16:22:17 +01:00
Giuseppe Scrivano 0a8dcd7112
rootless: provide workaround for missing renameat2
on RHEL 7.7 renameat2 is not implemented for s390x, provide a
workaround.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1768519

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-11-06 15:27:46 +01:00
Giuseppe Scrivano a114e9059a
rootless: use SYS_renameat2 instead of __NR_renameat2
use the correct definition for the syscall number.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-11-06 13:41:15 +01:00
OpenShift Merge Robot 6f7c290f70
Merge pull request #4439 from junaruga/feature/install-ubuntu
Update installation - Ubuntu. [skip ci]
2019-11-06 13:10:30 +01:00
OpenShift Merge Robot cee2c1b048
Merge pull request #4457 from vrothberg/fix-4456
help message: don't parse the config for cgroup-manager default
2019-11-06 12:50:47 +01:00
Sascha Grunert 9fe9c4181a
Add Kata Containers runtimes to libpod.conf
This adds the Kata Containers runtimes to the libpod.conf and adds
additional documentation to it.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2019-11-06 09:45:39 +01:00
Valentin Rothberg eb9235fc63
help message: don't parse the config for cgroup-manager default
Do not generate an entire `config.Config` for displaying the default
value for the --cgroup-manager flag and just default to systemd. Not
using the `config.Config` is okay as 1) the value may change at runtime
in any case (rootless, DBUS access, etc.), 2) it avoids redundantly
parsing the system config files and generating the hard-coded default
config, and 3) the log-level and other attributes are not yet set during
init() causing undesirable side effects.

Fixes: #4456
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2019-11-06 09:00:12 +01:00
OpenShift Merge Robot b4b727256c
Merge pull request #4370 from rhatdan/seccomp
Set SELinux labels based on the security context in the kube.yaml
2019-11-05 21:52:22 +01:00
OpenShift Merge Robot 7eda1b0840
Merge pull request #4374 from giuseppe/create-cgroupns-by-default-on-cgroupsv2
namespaces: by default create cgroupns on cgroups v2
2019-11-05 20:24:13 +01:00
Daniel J Walsh 7c623bd41f
Allow users to disable detach keys
If user specifies --detach-keys="", this will disable the feature.

Adding define.DefaultDetachKeys to help screen to help identify detach keys.

Updated man pages with additional information.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-11-05 14:10:43 -05:00
Giuseppe Scrivano b8514ca6f3
namespaces: by default create cgroupns on cgroups v2
change the default on cgroups v2 and create a new cgroup namespace.

When a cgroup namespace is used, processes inside the namespace are
only able to see cgroup paths relative to the cgroup namespace root
and not have full visibility on all the cgroups present on the
system.

The previous behaviour is maintained on a cgroups v1 host, where a
cgroup namespace is not created by default.

Closes: https://github.com/containers/libpod/issues/4363

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-11-05 17:29:01 +01:00
Jun Aruga 1f74f6cadd
Update installation - Ubuntu. [skip ci]
The current podman deb package does not install /etc/containers/registries.conf.
The added line is for compatibility of use cases with docker.

Signed-off-by: Jun Aruga <jaruga@redhat.com>
2019-11-05 16:11:55 +01:00
OpenShift Merge Robot a904e21cf0
Merge pull request #4449 from vrothberg/fix-4434
pulling unqualified reference: make sure it's a docker reference
2019-11-05 15:25:48 +01:00
OpenShift Merge Robot 08c5c546dc
Merge pull request #4448 from containers/dependabot/go_modules/gopkg.in/yaml.v2-2.2.5
Bump gopkg.in/yaml.v2 from 2.2.4 to 2.2.5
2019-11-05 15:04:57 +01:00
Valentin Rothberg 274fe57d3e
pulling unqualified reference: make sure it's a docker reference
When pulling an unqualified reference (e.g., `fedora`) make sure that
the reference is not using a non-docker transport to avoid iterating
over the search registries and trying to pull from them.

Fixes: #4434
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2019-11-05 12:16:43 +01:00
dependabot-preview[bot] 9ab16311b0
Bump gopkg.in/yaml.v2 from 2.2.4 to 2.2.5
Bumps [gopkg.in/yaml.v2](https://github.com/go-yaml/yaml) from 2.2.4 to 2.2.5.
- [Release notes](https://github.com/go-yaml/yaml/releases)
- [Commits](https://github.com/go-yaml/yaml/compare/v2.2.4...v2.2.5)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2019-11-05 11:36:42 +01:00
Daniel J Walsh 65ed819932
Set SELinux labels based on the security context in the kube.yaml
If the kube.yaml specifies the SELinux type or Level, we need the container
to be launched with the correct label.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-11-05 04:09:01 -05:00
OpenShift Merge Robot cc19b09b44
Merge pull request #4442 from mheon/release_notes_add
Add release notes for v1.6.3
2019-11-05 09:38:56 +01:00
OpenShift Merge Robot 1db4556d42
Merge pull request #4438 from giuseppe/fix-slirp4netns-timeout
slirp4netns: fix timeout
2019-11-05 08:55:01 +01:00
TomSweeneyRedHat c2a4e0105c
Add links to readthedocs on docs/readme
Add a couple of links to the new ReadTheDocs site
for the libpod man pages from the docs/readme.md.  Many users
go to github.com/{project}/docs looking for the man pages for
the project and their location is not evident on the current
readme.md.

Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2019-11-04 18:22:41 -05:00
Matthew Heon 830808cba7
Bump development version to 1.6.4-dev
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-11-04 17:50:14 -05:00
Matthew Heon 23058842f2
Bump version in README to v1.6.3
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-11-04 16:07:00 -05:00
Matthew Heon 6dedc919d4
Add release notes for v1.6.3
Signed-off-by: Matthew Heon <mheon@redhat.com>
2019-11-04 16:06:06 -05:00
OpenShift Merge Robot 17eadda68b
Merge pull request #4415 from rhatdan/rootless
Update rootless shortcomings with cgroup V2 information
2019-11-04 17:26:35 +01:00
Giuseppe Scrivano 31a5827856
slirp4netns: fix timeout
the pidWaitTimeout is already a Duration so do not multiply it again
by time.Millisecond.

Closes: https://github.com/containers/libpod/issues/4344

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-11-04 17:06:52 +01:00
OpenShift Merge Robot 700d701498
Merge pull request #4430 from rst0git/logo-light-source
logo: correct light source reflection
2019-11-04 16:49:11 +01:00