provide an implementation for getDevices that skip unreadable
directories for the current user.
Based on the implementation from runc/libcontainer.
Closes: https://github.com/containers/libpod/issues/3919
Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
when running in rootless mode, --device creates a bind mount from the
host instead of specifying the device in the OCI configuration. This
is required as an unprivileged user cannot use mknod, even when root
in a user namespace.
Closes: https://github.com/containers/libpod/issues/3905
Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
The files under docs/links reference another man page, e.g.
`man podman-container-list` displays `podman-ps(1)`. This adds
the alias to the in the displayed page's SYNOPSIS section.
Signed-off-by: Ryan Whalen <rj.whalen@gmail.com>
Rather than spamming the podman channel with impersonal success
messages referring to PR numbers, mention the author by nick name
and include the PR title and link.
Also avoid needless logging of all bot-script interactions with
IRC when there is no error detected.
Signed-off-by: Chris Evich <cevich@redhat.com>
Rather than hard-coding all four base-image env. var name,
load the values based on the shared variable name suffix.
Thanks to Ed Santiago <santiago@redhat.com> for the suggestion.
Signed-off-by: Chris Evich <cevich@redhat.com>
Originally when written, the image_prune_task was passing incorrect
credentials into it's container. This was traced back to mishandling of
a YAML-alias, and worked-around (including a comment). However,
as of this commit, it appear YAML-alias substitution problem has
been addressed. Restore the (correct) use of a YAML-alias so
the correct credentials are passed into the prune container.
Signed-off-by: Chris Evich <cevich@redhat.com>
Use GOPROXY=https://proxy.golang.org to speed up fetching dependencies.
Setting it makes `make vendor` three times faster in my local env.
For details please refer to https://proxy.golang.org/.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
when using an upper case image name for container commit, we observed
panics due to a channel closing early.
Fixes: #3897
Signed-off-by: baude <bbaude@redhat.com>
For read-only containers set to create tmpfs filesystems over
/run and other common destinations, we were incorrectly setting
mount options, resulting in duplicate mount options.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
If I mount, say, /usr/bin into my container - I expect to be able
to run the executables in that mount. Unconditionally applying
noexec would be a bad idea.
Before my patches to change mount options and allow exec/dev/suid
being set explicitly, we inferred the mount options from where on
the base system the mount originated, and the options it had
there. Implement the same functionality for the new option
handling.
There's a lot of performance left on the table here, but I don't
know that this is ever going to take enough time to make it worth
optimizing.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We already process the options on all tmpfs filesystems during
final addition of mounts to the spec. We don't need to do it
before that in parseVolumes.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Previously, we explicitly set noexec/nosuid/nodev on every mount,
with no ability to disable them. The 'mount' command on Linux
will accept their inverses without complaint, though - 'noexec'
is counteracted by 'exec', 'nosuid' by 'suid', etc. Add support
for passing these options at the command line to disable our
explicit forcing of security options.
This also cleans up mount option handling significantly. We are
still parsing options in more than one place, which isn't good,
but option parsing for bind and tmpfs mounts has been unified.
Fixes: #3819Fixes: #3803
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
The initial implementation was far more complicated than necessary.
Strip out the complexities in favor of a simpler and more direct
approach.
Signed-off-by: Chris Evich <cevich@redhat.com>
This will require a 'podman system renumber' after being applied
to get lock numbers for existing volumes.
Add the DB backend code for rewriting volume configs and use it
for updating lock numbers as part of 'system renumber'.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Decompose() returns an error defined in CNI which has been removed
upstream because it had no in-tree (eg in CNI) users.
Signed-off-by: Dan Williams <dcbw@redhat.com>
when performing an image build over a varlink connection, we should
clean up tmp files that are a result of sending the file to the host and
untarring it for the build.
Fixes: #3869
Signed-off-by: baude <bbaude@redhat.com>
Specifically pertaining to executing tests in google cloud, there are
default, pre-allocated class-a subnetworks for each region (data-center).
Each includes a gateway using a `.1` LSB and all are routable from other
regions in google cloud via these gateways.
Because the default CNI configuration also utilizes class-a subnetworks,
this creates the possibility for IPv4 address-space clashes. Since the
default regional cloud subnets are pre-defined/known, preventing clashes
can be accomplished by seeding these subnets in a dummy CNI configuration.
The default behavior of podman is to grab the highest priority CNI
configuration. Name the dummy config. appropriate so it always loads
last. Also name the bridge itself with an obvious name `do-not-use`,
such that any related testing errors should be easier to debug.
Also:
* Minor cleanup of `install_test_configs()`
* Move install_test_configs in `setup_environment.sh` to after possible
run of `remove_packaged_podman_files()` because that also strips out
`/etc/cni/net.d/87-podman-bridge.conflist`.
Signed-off-by: Chris Evich <cevich@redhat.com>
