Add pkg/capabibilities to deal with capabilities. The code has been
copied from Docker (and attributed with the copyright) but changed
significantly to only do what we really need. The code has also been
simplified and will perform better due to removed redundancy.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
If we attempt to label a volume and the file system
does not support labeling, then just warn. SELinux
may or may not work, on the volume.
There is no way to setup a private label on a newly
created volume without using the container mountlabel.
If we don't have a mount label at the time of creation of
the volume, the only option we have is to create a shared
label.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
I saw some bad formatting when reading "man podman-run" and
proceeded to fix it. I have now opened a can of worms...
This commit tries to fix some of the formatting, wording and
other bugs I came across (unfortunately not all of them).
Can't list every fix that I made here, but in general:
- format lists as such (prepend items with "- ");
- format examples as such (enclose in ```...```);
- format literal values (option names, literal values) as **bold**;
- format man page references as **page**(1).
- format replacements (option values) and file names as _italic_;
- remove some duplicate info (such as what's the default value);
- move option value description to option syntax;
- end sentences with a period.
To test:
```console
$ make docs
$ man ./docs/build/man/podman-run.1 ### check terminal formatting
$ man -Tps ./docs/build/man/podman-run.1 > podman-run.ps
$ ps2pdf podman-run.ps ### optional
$ evince podman-run.pdf ### check printer formatting (or use ps viewr
```
NOTE
- there is much more to do here;
- I haven't checked any factual contents, this is about formatting
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
fix#5166
This patch enables `--detach-keys ""` to disable the feature. "ctrl-p, ctrl-q" will not work after this command.
Signed-off-by: Qi Wang <qiwan@redhat.com>
When I input podman start in bash , and then type tab , cannot automatically complete container name , this pr will fix the bug .
Signed-off-by: 李俊杰 <phpor@users.noreply.github.com>
The `fuse-overlayfs` package provided by Ubuntu up to 19.10, is not
recent enough and causes errors on `buildah commit`, for instance.
Adjust the rootless tutorial to point this out and to provide more
detailed instructions on how to obtain `fuse-overlayfs` and configure it
for use by `libpod`.
Signed-off-by: Leonardo Rochael Almeida <leorochael@gmail.com>
The changes in #5075 turn out to be too aggressive; we should
only be setting --all if a status= filter is given. Otherwise
only running containers are filtered.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
when filtering containers, if a status= is provided as an input filter, then we should override the all to always be true.
Signed-off-by: Brent Baude <bbaude@redhat.com>
fix#4876
Add `--device-cgroup-rule` to podman create and run. This enables to add device rules after the container has been created.
Signed-off-by: Qi Wang <qiwan@redhat.com>
there is a race condition where the child process is immediately
killed:
[pid 2576752] arch_prctl(0x3001 /* ARCH_??? */, 0x7ffdf612f170) = -1 EINVAL (Invalid argument)
[pid 2576752] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid 2576752] --- SIGTERM {si_signo=SIGTERM, si_code=SI_USER, si_pid=2576742, si_uid=0} ---
[pid 2576752] +++ killed by SIGTERM +++
this happens because the parent process here really means the "parent
thread".
Since there is no way of running it on the main thread,
let's skip this functionality altogether and use kill(2).
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
write to the error pipe only in case of an error. Otherwise we may
end up in a race condition in the select statement below as the read
from errChan happens before initComplete and the function returns
immediately nil.
Closes: https://github.com/containers/libpod/issues/5182
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Add pkg/seccomp to consolidate all seccomp-policy related code which is
currently scattered across multiple packages and complicating the
creatconfig refactoring.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When Docker performs a copy up, it first verifies that the volume
being copied into is empty; thus, for volumes that have been
modified elsewhere (e.g. manually copying into then), the copy up
will not be performed at all. Duplicate this behavior in Podman
by checking if the volume is empty before copying.
Furthermore, move setting copyup to false further up. This will
prevent a potential race where copy up could happen more than
once if Podman was killed after some files had been copied but
before the DB was updated.
This resolves CVE-2020-1726.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Refactor and simplify the code in cmd/podman/pull.go to address a couple
of issues w.r.t. how the arguments were passed. Also make sure to
always use the c/image API for parsing instead of working around it.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Even after #5169, my test logs kept showing:
ERRO[0004] unable to write json: "http: request method or response status code does not allow body"
Cause: overly-helpful code trying to treat condition as an
error and include a diagnostic message. This is forbidden
per rfc2616.
This PR fixes the faulty response, as well as three others
found via:
$ ack 'Error.*NotMod' (4 hits total)
$ ack 'Error.*NoCont' (no hits)
Signed-off-by: Ed Santiago <santiago@redhat.com>
Lots has changed since I first checked this in:
* Switch to new podman system service invocation
* /containers API has changed drastically
* /pods API has some fixes; check for them (e.g.
container-exists is now 409 Conflict, not 500)
* One test ('?invalidparam=x') still doesn't work;
comment it out so we can get everything passing.
Also, some work on the test framework itself:
* Cleaner port-open testing (the bash /dev/tcp check).
* Add a 'podman' function to invoke local podman and
log its output.
The above two allow us to:
* Get rid of stderr special-casing
Furthermore:
* t() no longer needs leading '.'; this allows jq
features such as 'length' and perhaps other filters
* special-case handling of 204 and 304: rfc2616 demands
that they return no message body; assert that it is so.
* new root & rootless helper functions (check server)
* remove the "unlikely to work" message for rootless;
it seems to be working fine
* fix pod tests for rootless
* BUT: add a bolder FIXME because the ID field seems wrong
Signed-off-by: Ed Santiago <santiago@redhat.com>
the events endpoint should be stream-based. it also needed to be registered to answer and not produce 404s.
Signed-off-by: Brent Baude <bbaude@redhat.com>
