Add a new --rootless-cni option to podman unshare to also join the
rootless-cni network namespace. This is useful if you want to connect
to a rootless container via IP address. This is only possible from the
rootless-cni namespace and not from the host namespace. This option also
helps to debug problems in the rootless-cni namespace.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Handle go pseudoversions, e.g. a custom non-released buildah
used during testing of a PR. This will be something like:
v1.20.1-0.20210402144408-36a37402d0c8
...and it makes it impossible (AFAIK) to do a shallow checkout;
we need to do a full clone of buildah, then git-checkout the
SHA (last element of the long string above).
FIXME: this is great for testing, but we almost certainly
want some way to block this PR from merging, don't we?
And, while testing this, found and fixed three bugs:
- quote "$failhint" when echoing it on failure; otherwise
we lose original whitespace.
- invoke git-am with --reject! This makes it SO MUCH EASIER
to identify the failing part of our patch!
- sigh: generate the make-new-buildah-diffs helper *BEFORE*
we try git-am! Otherwise, duh, if git-am fails we have no
way to help the developer create a new diff file.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The compose port test is flaking with an empty curl result. The curl retry
does not work properly. Given the the tests never expect an empty result
lets just wait one second and retry again.
Unfortunately there is no way for me to actually verify if this will fix
the flake.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
The CNI plugins need access to iptables in $PATH. On debian /usr/sbin
is not added to $PATH for rootless users. This will break rootless
cni completely. To prevent breaking existing users add /usr/sbin to
$PATH in podman if needed.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
As discussed in watercooler 2021-04-06: make sure that RHEL8
and CentOS are using runc. Using crun is probably a packaging
error that should be caught early.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Podman has, for a long time, had an internal concept of
dependency management, used mainly to ensure that pod infra
containers are started before any other container in the pod. We
also have the ability to recursively start these dependencies,
which we use to ensure that `podman start` on a container in a
pod will not fail because the infra container is stopped. We have
not, however, exposed these via the command line until now.
Add a `--requires` flag to `podman run` and `podman create` to
allow users to manually specify dependency containers. These
containers must be running before the container will start. Also,
make recursive starting with `podman start` default so we can
start these containers and their dependencies easily.
Fixes#9250
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Until now we've only compared operations when called with the
non-default --pedantic flag, because there were way too many
exceptions.
With the merge of #9944 the rules have become much cleaner.
Still not perfect, but it's now possible to have simple
general rules with a (semi-)manageable list of exceptions.
Signed-off-by: Ed Santiago <santiago@redhat.com>
- Bugfix `make nixpkgs` which pin with branch `nixos-20.09`
- Code lint with `nixpkgs-fmt`
- Code sync between x86\_64 and aarch64
Signed-off-by: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
One of the side-effects of the `--userns=keep-id` command is
switching the default user of the container to the UID of the
user running Podman (though this can still be overridden by the
`--user` flag). However, it did this by setting the UID and GID
in the OCI spec, and not by informing Libpod of its intention to
switch users via the `WithUser()` option. Because of this, a lot
of the code that should have triggered when the container ran
with a non-root user was not triggering. In the case of the issue
that this fixed, the code to remove capabilities from non-root
users was not triggering. Adjust the keep-id code to properly
inform Libpod of our intention to use a non-root user to fix
this.
Also, fix an annoying race around short-running exec sessions
where Podman would always print a warning that the exec session
had already stopped.
Fixes#9919
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Libpod operation id's changed to better match compatibile id
Builds on https://github.com/containers/podman/pull/9123 and corrects
a duplicated ID.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Docker does not relabel this content, and openstack is running
containers in this manner. There is a penalty for doing this
on each container, that is not worth taking on a disable SELinux
container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We define in the man page that this overrides the default storage
options, but the code was appending to the existing options.
This PR also makes a change to allow users to specify --storage-opt="".
This will turn off all storage options.
https://github.com/containers/podman/issues/9852
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
So rootless setup could use this condition in parent and child, child
podman should adjust LISTEN_PID to its self PID.
Add system test for systemd socket activation
Signed-off-by: pendulm <lonependulm@gmail.com>
