Follow up on issue #7444 and make the parent checks more robust.
We can end up with an incoherent storage when, for instance, a
build has been killed.
Backport of commit a6f8586 and commit 238abf6. Squashed for easier
tracking and referencing.
Fixes: #7444
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1876576
Signed-off-by: Brent Baude <bbaude@redhat.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This will allow the passing down of the ignore_chown_errors flag from
/etc/containers/storage.conf for rootless containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We want to modify /etc/passwd to add an entry for the user in
question, but at the same time we don't want to require the
container provide a /etc/passwd (a container with a single,
statically linked binary and nothing else is perfectly fine and
should be allowed, for example). We could create the passwd file
if it does not exist, but if the container doesn't provide one,
it's probably better not to make one at all. Gate changes to
/etc/passwd behind a stat() of the file in the container
returning cleanly.
Fixes#7515
Signed-off-by: Matthew Heon <mheon@redhat.com>
We added code to create a `/etc/passwd` file that we bind-mount
into the container in some cases (most notably,
`--userns=keep-id` containers). This, unfortunately, was not
persistent, so user-added users would be dropped on container
restart. Changing where we store the file should fix this.
Further, we want to ensure that lookups of users in the container
use the right /etc/passwd if we replaced it. There was already
logic to do this, but it only worked for user-added mounts; it's
easy enough to alter it to use our mounts as well.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
--remote pre-check was providing usage context, which was also being
provided by the root podman command.
Fixes#7273
Signed-off-by: Jhon Honce <jhonce@redhat.com>
- new sanity checks for podman-remote:
- first, confirm that when PODMAN is "-remote",
we actually talk to a server (validated by
presence of "Server:" string in "podman version").
- second, add test for #7212, in which we run
"podman --remote" (podman with --remote flag,
not podman-remote command) and make sure --remote
is allowed both as the first option and also
with other flag options preceding.
- new test for "podman image tree" (piggybacking on
top of a "podman build" test, because that gives
us lots of layers).
- skip "podman exec - basic test" when remote. It is consistently
causing CI failures, breaking all of CI, due to #7241.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Use cobra.Command.FParseErrWhitelist to no longer require --remote to be
the first argument in flags when using CLI
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Add support for multi level subcommands.
e.g. podman system connection.
Update the flags and add note for containers.conf.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
correct small typo that sets the path on windows via the msi xml.
in the remote client, prompt for SSH password when no identity or alternate means of authentication are provided.
Signed-off-by: Brent Baude <bbaude@redhat.com>
This includes an important patch to fix a CI issue where the
cleanup process's unmount of a container was not being
registered by `podman system service`.
Signed-off-by: Matthew Heon <mheon@redhat.com>
This reverts commit 44e5d0c1e8272f92d0fa6d41075a0127b241f003. We
temporarily disabled this for the last few backports for 2.0.5,
given how painful the libpod->podman move made things. We do not
want to keep this around long-term, each commit should be
required to build.
Signed-off-by: Matthew Heon <mheon@redhat.com>
This reverts commit ae2ee65eff71c5780e4484f1316dbbdd87bf1760.
This was a horrible hack that we did for time reasons, to get
2.0.5 out on schedule; now that it has been merged into c/storage
properly we no longer need or want it.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Fixes Fedora gating test failure: if the host tests are running
under UID 1000, --userns=keep-id will (of course) add current
user as 1000, and the in-container 'adduser' will assign 1001.
To prevent that, assign UID 4242 (and hope that that's not
our calling user's UID).
Signed-off-by: Ed Santiago <santiago@redhat.com>
We need this release out by end of day, so we don't have time to
do this right. Disable the vendor task and manually add c/storage
PR #698 to the vendored copy of c/storage to make the tests pass.
Once #698 merges into c/storage, we need to remove this commit
and backport it to the v1.20 stable branch, then cut a release
there.
Signed-off-by: Matthew Heon <mheon@redhat.com>
This should help alleviate races where the pod is not fully
cleaned up before subsequent API calls happen.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Most Libpod containers are made via `pkg/specgen/generate` which
includes code to generate an appropriate exit command which will
handle unmounting the container's storage, cleaning up the
container's network, etc. There is one notable exception: pod
infra containers, which are made entirely within Libpod and do
not touch pkg/specgen. As such, no cleanup process, network never
cleaned up, bad things can happen.
There is good news, though - it's not that difficult to add this,
and it's done in this PR. Generally speaking, we don't allow
passing options directly to the infra container at create time,
but we do (optionally) proxy a pre-approved set of options into
it when we create it. Add ExitCommand to these options, and set
it at time of pod creation using the same code we use to generate
exit commands for normal containers.
Fixes#7103
Signed-off-by: Matthew Heon <mheon@redhat.com>
<MH: Fixed cherry-pick conflicts>
Signed-off-by: Matthew Heon <mheon@redhat.com>
because a pod's network information is dictated by the infra container at creation, a container cannot be created with network attributes. this has been difficult for users to understand. we now return an error when a container is being created inside a pod and passes any of the following attributes:
* static IP (v4 and v6)
* static mac
* ports -p (i.e. -p 8080:80)
* exposed ports (i.e. 222-225)
* publish ports from image -P
Signed-off-by: Brent Baude <bbaude@redhat.com>
<MH: Fixed cherry pick conflicts and compile>
Signed-off-by: Matthew Heon <mheon@redhat.com>
In podman 1.0 if you executed a command like:
podman run --user dwalsh --cap-add net_bind_service alpine nc -l 80
It would work, and the user dwalsh would get the capability, in
podman 2.0, only root and the binding set gets the capability.
This change restores us back to the way podman 1.0 worked.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
