when pulling from a secure registry that is documented in registries.conf, we
should be able to pull without tls-verify=false
Signed-off-by: baude <bbaude@redhat.com>
Closes: #718
Approved by: rhatdan
This allows us to restart containers that have never been started
without error. This makes RestartWithTimeout work with running,
stopped, and created containers.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #719
Approved by: rhatdan
first pass at adding in the container related endpoints/methods for the libpod
backend. Couple of important notes:
* endpoints that can use a console are not going to be done until we have "remote" console
* several of the container methods should probably be able to stream as opposed to a one-off return
Signed-off-by: baude <bbaude@redhat.com>
Closes: #708
Approved by: baude
We need these for commit, and they cannot be properly deduced
from just the OCI spec, so save them in the database so we can
retrieve them for commit.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #700
Approved by: rhatdan
This allows us to accurately trigger OCI hooks that trigger on
the presence of volume mounts.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #700
Approved by: rhatdan
when performing a container commit, we should not add the default list of volumes
for a container to the resulting image. it will cause the resulting image to crash
when run subsequently.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #699
Approved by: mheon
Vendor in buildah and use as much of commit and bug as possible for podman
build and commit.
Resolves#586
Signed-off-by: baude <bbaude@redhat.com>
Closes: #681
Approved by: mheon
Made a mistake in my earlier patch. I though that if you add an empty string
to an array, the length of the array would still be 0...
Realised this when vendoring the secrets pkg into cri-o.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #685
Approved by: mheon
implement varlink image functions for working with libpod with the exception of a
couple due to incompletions on the libpod side of things (build).
also, created a first pass at a libpodpy package which will stand as a client to
working with libpod's varlink methods using python.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #669
Approved by: baude
Instead of execing out to the host's IP, use the IP address we
got back from CNI to populate Inspect's IP address information.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Closes: #680
Approved by: umohnani8
The hidden flag is used to override the path of the default mounts file
for testing purposes.
Also modified the secrets pkg to allow for this override to happen.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #678
Approved by: mheon
When a user pulls an image using a transport, like docker-daemon, we try to lookup
the new image in storage by the input name after the pull. Because the input name
has a transport (different than local storage), that lookup would fail.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #644
Approved by: rhatdan
If an integer is passed into the --user flag, i.e --user=1234
don't look up the user in /etc/passwd, just assign the integer as the uid.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #652
Approved by: mheon
If the host is in FIPS mode and /etc/system-fips exists
/run/secrets/system-fips is created in the container so that
the container can run in FIPS mode as well.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Made necessary changes to functions to include contex.Context wherever needed
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #640
Approved by: baude
In the case where podman needs to pull an image, if that registry that the image
resides on is known to be insesure (as defined in /etc/containers/registries.conf),
tls-verify should be altered on the fly.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #626
Approved by: mheon
In the case where you have an image local, if the the user runs
podman pull, we should always attempt to pull an updated image.
Added a forceRemote bool to New (image) so we can differentiate
between "pull" or run because the actions differ. Run does not
need to pull the latest -- only run.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #618
Approved by: baude
Comparing Go interfaces, like io.Reader, to nil does not work. As
such, we need to include a bool with each stream telling whether
to attach to it.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #608
Approved by: baude
This allows us to attach to attach to just stdout or stderr or
stdin, or any combination of these.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #608
Approved by: baude
Until we can handle running containers which use UID/GID mappings, make
sure that we always create containers that use the host mappings.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #609
Approved by: baude
This solves a nasty locking issue with getting the path of
namespaces for dependencies
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #600
Approved by: rhatdan
When a container is transitioning from running to stopped and stats is runnings,
we should not break stats if we are unable to get stats for that container.
Resolves: #598
Signed-off-by: baude <bbaude@redhat.com>
Closes: #599
Approved by: mheon
--group-add
--blkio-weight-device
--device-read-bps
--device-write-bps
--device-read-iops
--device-write-iops
--group-add now supports group names as well as the gid associated with them.
All the --device flags work now with moderate changes to the code to support both
bps and iops.
Added tests for all the flags.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #590
Approved by: mheon
If sending a signal fails, check if the container is alive. If it
is not, it probably stopped on its own before we could send the
signal, so don't error out.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #591
Approved by: rhatdan
In our ezrly development, we always allocated a tty when not -d. Now we should only allocated when the user asks for it.
Resolves: #573
Signed-off-by: baude <bbaude@redhat.com>
Closes: #574
Approved by: rhatdan
Instead of checking during init(), which could result in major
locking issues when used with pods, make our dependency checks in
the public API instead. This avoids doing them when we start pods
(where, because of the dependency graph, we can reasonably say
all dependencies are up before we start a container).
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #577
Approved by: rhatdan
