In libpod/image.Image.Remove(), if the attempt to find the image's
parent fails for any reason, log a warning and proceed as though it
didn't have one instead of failing, which would leave us unable to
remove the image without resetting everything.
In libpod/Runtime.RemoveImage(), if we can't determine if an image has
children, log a warning, and assume that it doesn't have any instead of
failing, which would leave us unable to remove the image without
resetting everything.
In pkg/domain/infra/abi.ImageEngine.Remove(), when attempting to remove
all images, if we encounter an error checking if a given image has
children, log a warning, and assume that it doesn't have any instead of
failing, which would leave us unable to remove the image without
resetting everything.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Docker does not relabel this content, and openstack is running
containers in this manner. There is a penalty for doing this
on each container, that is not worth taking on a disable SELinux
container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We define in the man page that this overrides the default storage
options, but the code was appending to the existing options.
This PR also makes a change to allow users to specify --storage-opt="".
This will turn off all storage options.
https://github.com/containers/podman/issues/9852
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
One of the side-effects of the `--userns=keep-id` command is
switching the default user of the container to the UID of the
user running Podman (though this can still be overridden by the
`--user` flag). However, it did this by setting the UID and GID
in the OCI spec, and not by informing Libpod of its intention to
switch users via the `WithUser()` option. Because of this, a lot
of the code that should have triggered when the container ran
with a non-root user was not triggering. In the case of the issue
that this fixed, the code to remove capabilities from non-root
users was not triggering. Adjust the keep-id code to properly
inform Libpod of our intention to use a non-root user to fix
this.
Also, fix an annoying race around short-running exec sessions
where Podman would always print a warning that the exec session
had already stopped.
Fixes#9919
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
do not set the cgroup parent when running as rootless with cgroupfs,
even if cgroup v2 is used.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1947999
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
10 lines above we had
// Set ContainerStateRemoving
c.state.State = define.ContainerStateRemoving
Which causes the state to not be the two checked states. Since the
c.cleanup call already deleted the OCI state, this meant that we were
calling cleanup, and hence the postHook hook twice.
Fixes: https://github.com/containers/podman/issues/9983
[NO TESTS NEEDED] Since it would be difficult to tests this. Main tests
should handle that the container is being deleted successfully.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently the debug line shows every runtime up until it finds
the correct one, confusing users on which runtime it is using.
Also move missing OCI runtime from containers/conf down to Debug level
and improved the debug message, to not report error.
[NO TESTS NEEDED] Since this is just debug.
Triggered by https://github.com/containers/podman/issues/4854
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
podman image prune paniced locally for me. The error handling was not
done correctly and we could end up with a nil pointer dereference.
[NO TESTS NEEDED] I have no idea how I could force an error in img.Size().
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Erik Sjolund reported an issue where a badly formated file
could be passed into the `--tz` option and then the date in the container
would be badly messed up:
```
erik@laptop:~$ echo Hello > file.txt
erik@laptop:~$ podman run --tz=../../../home/erik/file.txt --rm -ti
docker.io/library/alpine cat /etc/localtime
Hello
erik@laptop:~$ podman --version
podman version 3.0.0-rc1
erik@laptop:~$
```
This fix checks to make sure the TZ passed in is a valid
value and then proceeds with the rest of the processing.
This was first reported as a potential security issue, but it
was thought not to be. However, I thought closing the hole
sooner rather than later would be good.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Fixes#5788
This commit adds support for named volumes in podman-generate-kube.
Named volumes are output in the YAML as PersistentVolumeClaims.
To avoid naming conflicts, the volume name is suffixed with "-pvc".
This commit adds a corresponding suffix for host path mounts.
Host path volumes are suffixed with "-host".
Signed-off-by: Jordan Williams <jordan@jwillikers.com>
Since some unit tests use "busybox", we need to point it to some alias
if we want it to pass CI on F34 where we're running in enforced mode.
Furthermore, make sure that the registries.conf can actually be
overridden in the code.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
In contrast to `assert.NoError`, `require.NoError` treats mismatches
fatally which in many cases is necessary to prevent subsequent checks
from segfaulting.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
As part of a fix for an earlier bug (#5698) we added the ability
for Podman to chown volumes to correctly match the user running
in the container, even in adverse circumstances (where we don't
know the right UID/GID until very late in the process). However,
we only did this for volumes created automatically by a
`podman run` or `podman create`. Volumes made by
`podman volume create` do not get this chown, so their
permissions may not be correct. I've looked, and I don't think
there's a good reason not to do this chwon for all volumes the
first time the container is started.
I would prefer to do this as part of volume copy-up, but I don't
think that's really possible (copy-up happens earlier in the
process and we don't have a spec). There is a small chance, as
things stand, that a copy-up happens for one container and then
a chown for a second, unrelated container, but the odds of this
are astronomically small (we'd need a very close race between two
starting containers).
Fixes#9608
Signed-off-by: Matthew Heon <mheon@redhat.com>
Fixes: https://github.com/containers/podman/issues/9825
Currently we are using TMPDIR for storaing temporary files
when building images, but not when you directly commit the images.
This change simply uses the TMPDIR environment variable if set
to store temporary files.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Remove orphaned code
* Add meaningful error from LoadImageFromSingleImageArchive() when
heuristic fails to determine payload format
* Correct swagger to output correct types and headers
Signed-off-by: Jhon Honce <jhonce@redhat.com>
when --privileged is used, make sure to not request more capabilities
than currently available in the current context.
[NO TESTS NEEDED] since it fixes existing tests.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Some packages used by the remote client imported the libpod package.
This is not wanted because it adds unnecessary bloat to the client and
also causes problems with platform specific code(linux only), see #9710.
The solution is to move the used functions/variables into extra packages
which do not import libpod.
This change shrinks the remote client size more than 6MB compared to the
current master.
[NO TESTS NEEDED]
I have no idea how to test this properly but with #9710 the cross
compile should fail.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
The `libpod/network` package should only be used on the backend and not the
client. The client used this package only for two functions so move them
into a new `pkg/network` package.
This is needed so we can put linux only code into `libpod/network`, see #9710.
[NO TESTS NEEDED]
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Currently we were overwrapping error returned from removal
of a non existing container.
$ podman rm bogus -f
Error: failed to evict container: "": failed to find container "bogus" in state: no container with name or ID bogus found: no such container
Removal of wraps gets us to.
./bin/podman rm bogus -f
Error: no container with name or ID "bogus" found: no such container
Finally also added quotes around container name to help make it standout
when you get an error, currently it gets lost in the error.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
if --storage-opt are specified on the CLI append them after what is
specified in the configuration files instead of overriding it.
Closes: https://github.com/containers/podman/issues/9657
[NO TESTS NEEDED]
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
When copying from a container, make sure to evaluate the symlinks
correctly. Add tests copying a symlinked directory from a running and
a non-running container to execute both path-resolution paths.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Make sure the files are chowned to the host/container user, depending on
where things are being copied to.
Fixes: #9626
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Ignore permission errors when copying from a rootless container.
TTY devices inside rootless containers are owned by the host's
root user which is "nobody" inside the container's user namespace
rendering us unable to even read them.
Enable the integration test which was temporarily disabled for rootless
users.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Sometimes if the system crashes while an image is being pulled
containers/storage can get into a bad state. This PR allows the
user to call into container storage to remove the image.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently if you attempt to create a kube.yaml file off of a non running
container where the container runs as a specific User, the creation
fails because the storage container is not mounted. Podman is supposed to
read the /etc/passwd entry inside of the container but since the
container is not mounted, the c.State.Mountpoint == "". Podman
incorrectly attempts to read /etc/passwd on the host, and fails if the
specified user is not in the hosts /etc/passwd.
This PR mounts the storage container, if it was not mounted so the read
succeeds.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The --trace has helped in early stages analyze Podman code. However,
it's contributing to dependency and binary bloat. The standard go
tooling can also help in profiling, so let's turn `--trace` into a NOP.
[NO TESTS NEEDED]
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Unlocking an already unlocked lock is a panic. As such, we have
to make sure that the deferred c.lock.Unlock() in
c.StopWithTimeout() always runs on a locked container. There was
a case in c.stop() where we could return an error after we unlock
the container to stop it, but before we re-lock it - thus
allowing for a double-unlock to occur. Fix the error return to
not happen until after the lock has been re-acquired.
Fixes#9615
Signed-off-by: Matthew Heon <mheon@redhat.com>
