11936 Commits

Author SHA1 Message Date
b6167cedb2 System tests: add :Z to volume mounts
selinux-policy-34.9-1.fc34 breaks a behavior we've relied on
since (at least) January 2020:

   - Revert "Add permission open to files_read_inherited_tmp_files()
     interface"

That's probably the correct thing to do, but it breaks our
existing tests. Solution: add ':Z' where needed.

Tested on Ed's laptop, which has the offending selinux-policy
as of 2021-05-31. Tests pass root and rootless. (I mention
this because tests will obviously pass in CI, which has a
much older selinux-policy).

Also: add a 'podman rmi' for cleanup in one test, to avoid
noise in test logs.

Fixes: #10522

Signed-off-by: Ed Santiago <santiago@redhat.com>
2021-06-01 15:26:18 -06:00
cbffdddce6 Merge pull request #10488 from baude/machinehostnetwork
Enable port forwarding on host
2021-06-01 19:41:46 +02:00
7a52440a6d Merge pull request #10508 from matejvasek/fix-from-img
Better error handling for images/create compat api
2021-06-01 19:10:47 +02:00
19cd46cdc2 Merge pull request #10510 from matejvasek/improve-creat-from-img
Use request context instead of background context
2021-06-01 19:08:49 +02:00
65ae1e4506 Merge pull request #10516 from vrothberg/fix-10512
[CI:DOCS] rm containers-mounts.conf.5.md
2021-06-01 19:06:47 +02:00
53642ca5e9 Merge pull request #10518 from zhangguanzhang/api-networks-list
[NO TESTS NEEDED] Fixes API list networks returns "null" instead of empty array when used with no networks
2021-06-01 17:31:47 +02:00
7ef3981abe Enable port forwarding on host
Using the gvproxy application on the host, we can now port forward from
the machine vm on the host.  It requires that 'gvproxy' be installed in
an executable location.  gvproxy can be found in the
containers/gvisor-tap-vsock github repo.

[NO TESTS NEEDED]

Signed-off-by: Brent Baude <bbaude@redhat.com>
2021-06-01 10:13:18 -05:00
1daaf34d7b [NO TESTS NEEDED] API list networks should return [] when used with no networks
Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
2021-06-01 20:58:48 +08:00
249da1b93d [CI:DOCS] rm containers-mounts.conf.5.md
The code for mounts.conf including the man page lives in
containers/common, so remove it from Podman to prevent
divergence among the two repositories.

Fixes: #10512
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-06-01 13:57:07 +02:00
ef8ba99ff6 Use request context instead of background context
This fixes a goroutine leak. Previously if request was cancelled the
image pulling goroutine kept running regardless.

[NO TESTS NEEDED]

Signed-off-by: Matej Vasek <mvasek@redhat.com>
2021-06-01 11:54:31 +02:00
7dd463bad1 Merge pull request #10504 from containers/dependabot/go_modules/github.com/onsi/ginkgo-1.16.3
Bump github.com/onsi/ginkgo from 1.16.2 to 1.16.3
2021-06-01 11:11:30 +02:00
8f5f0cf448 Merge pull request #10450 from containers/dependabot/go_modules/github.com/uber/jaeger-client-go-2.29.1incompatible
Bump github.com/uber/jaeger-client-go from 2.28.0+incompatible to 2.29.1+incompatible
2021-05-31 16:20:34 +02:00
3330f98762 Better error handling for images/create compat api
If server cannot resolve short name due to enforcing policy send
non-2xx status code.

[NO TESTS NEEDED]

Signed-off-by: Matej Vasek <mvasek@redhat.com>
2021-05-31 15:30:56 +02:00
d657a070d3 Bump github.com/uber/jaeger-client-go
Bumps [github.com/uber/jaeger-client-go](https://github.com/uber/jaeger-client-go) from 2.28.0+incompatible to 2.29.1+incompatible.
- [Release notes](https://github.com/uber/jaeger-client-go/releases)
- [Changelog](https://github.com/jaegertracing/jaeger-client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/uber/jaeger-client-go/compare/v2.28.0...v2.29.1)

Signed-off-by: dependabot[bot] <support@github.com>
2021-05-31 12:55:49 +00:00
60b372b49b Merge pull request #10506 from vrothberg/fix-10493
generate systemd: make mounts portable
2021-05-31 14:53:35 +02:00
761466dcab Bump github.com/onsi/ginkgo from 1.16.2 to 1.16.3
Bumps [github.com/onsi/ginkgo](https://github.com/onsi/ginkgo) from 1.16.2 to 1.16.3.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v1.16.2...v1.16.3)

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-05-31 14:46:09 +02:00
c1c18039dc Merge pull request #10502 from rugk/patch-1
[CI:DOCS] fix: add missing space
2021-05-31 13:52:33 +02:00
5307218419 generate systemd: make mounts portable
Commit 748826fc88fc fixed a bug where slow mounting of the runroot was
causing issues when the units are started at boot.  The fix was to add
the container's runroot to the required mounts; the graph root has been
added as well.

Hard-coding the run- and graphroot to the required mounts, however,
breaks the portability of units generated with --now.  Those units are
intended to be running on any machine as, theoretically, any user.

Make the mounts portable by using the `%t` macro for the run root.
Since the graphroot's location varies across root and ordinary users,
drop it from the list of required mounts.  The graphroot was not causing
issues.

Fixes: #10493
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-05-31 11:31:27 +02:00
699272ed29 add missing space
Fixes a small typo in the man page. 🙂

Signed-off-by: rugk <rugk+git@posteo.de>
2021-05-31 08:36:42 +02:00
59236762ec Merge pull request #10481 from flouthoc/fix-sigsegv-rootless
rootless: fix SIGSEGV, Make `LISTEN_FDNAMES` optional
2021-05-30 02:20:31 +02:00
ffca97a01e Merge pull request #10499 from edsantiago/libera
[CI:DOCS] point IRC to libera.chat
2021-05-30 00:41:32 +02:00
51a8e01f82 [CI:DOCS] point IRC to libera.chat
Project IRC comms are moving to Libera. Update docs.

Confirmation cookie: libera-ieVeeGahbiaf1einguw1xav6bahquie

Signed-off-by: Ed Santiago <santiago@redhat.com>
2021-05-29 11:39:40 -06:00
2addc0f90d rootless: fix SIGSEGV, make LISTEN_FDNAMES optional [Closes #10435].
[NO TESTS NEEDED]

Signed-off-by: flouthoc <flouthoc.git@gmail.com>
2021-05-29 15:16:26 +05:30
083746112f Merge pull request #10477 from Procyhon/manpage_syntax
[CI:DOCS] Manpage syntax proposal
2021-05-29 03:48:30 +02:00
3d6c19c8be Merge pull request #10487 from rhatdan/docs
[CI:DOCS] Update a way out of date transfer document
2021-05-28 12:18:41 +02:00
aa1e15961e Merge pull request #10385 from jwhonce/wip/engine_mode
[Technical Debt][NO TESTS NEEDED] Cleanup ABI vs. Tunnel CLI commands
2021-05-28 12:14:42 +02:00
5bd1b7dfd5 Update a way out of date transfer document
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-05-28 05:59:16 -04:00
6deb1bc2ae Manpage syntax proposal
I looked at the man pages and found that while they are consistent in their basic concept, many things concerning formatting are not.
For example, it is not consistent that options are behind an H4 header.
The biggest criticism, however, is how commands and options are handled when referencing them in a text.
There is no clear structure between the man pages regarding this. Sometimes backticks are used and sometimes they are written in italic.
Also, the formatting regarding the appearance of the commands is not consistent either.
I would like to propose a uniform formatting and, if accepted, apply it to all man pages.
Uniformity is very important to me and it should be clear to the user when reading several man pages what exactly their content and references are about.

Signed-off-by: Alexander Richter <67486332+Procyhon@users.noreply.github.com>
2021-05-27 22:42:50 +02:00
3d8f37120d Merge pull request #10383 from rhatdan/kube
Handle image user and exposed ports in podman play kube
2021-05-27 21:18:05 +02:00
3223cb56dd Merge pull request #10490 from rhatdan/VENDOR
Vendor in containers/storage v1.32.1
2021-05-27 20:43:06 +02:00
33944cefe7 [Technical Debt] Cleanup ABI vs. Tunnel CLI commands
[NO TESTS NEEDED]

This commit cleans up two issues:
* Most commands support all EngineModes so default to that. Let
  outliers declare their intent.
* Use cobra.Annotations to set supported EngineMode. This simplifies
  instantiating commands as there is now one method to communicate a
  command's requirements rather than two.
* Combined aliased commands into one file
* Fixed aliased commands where Args field did not match
* Updated examples in README.md for writing commands
* Remove redundant flag DisableFlagsInUseLine in cobra.Command
  initialization.

Signed-off-by: Jhon Honce <jhonce@redhat.com>
2021-05-27 11:40:43 -07:00
4f4a440afd Merge pull request #10489 from vrothberg/fix-data-race
create libimage-events channel in main routine
2021-05-27 19:42:04 +02:00
9cc6093602 Merge pull request #10434 from cevich/sync_multi-arch
Sync. workflow across skopeo, buildah, and podman
2021-05-27 13:00:59 -04:00
c59ae7c87c Merge pull request #10485 from baude/machinesshkeys
Add options to podman machine ssh
2021-05-27 12:57:44 -04:00
c9609d820b Vendor in containers/storage v1.32.1
Theoretically this should fix the awful flake we have
been suffering with.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-05-27 12:34:26 -04:00
9822c3309c create libimage-events channel in main routine
Move the creation of the channel outside of the sub-routine to fix a
data race between writing the channel (implicitly by calling
EventChannel()) and using that channel in libimage.

[NO TESTS NEEDED]

Fixes: #10459
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-05-27 16:52:56 +02:00
8e5388e41d Add options to podman machine ssh
Add options to the podman machine ssh command that ignore
hostkeychecking and hosts file

-o 'UserKnownHostsFile /dev/null' -o 'StrictHostKeyChecking no'

[NO TESTS NEEDED]

Signed-off-by: Brent Baude <bbaude@redhat.com>
2021-05-27 09:10:39 -05:00
cd1f99d063 Merge pull request #10483 from containers/dependabot/go_modules/github.com/onsi/gomega-1.13.0
Bump github.com/onsi/gomega from 1.12.0 to 1.13.0
2021-05-27 15:06:07 +02:00
61167834f2 Bump github.com/onsi/gomega from 1.12.0 to 1.13.0
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.12.0 to 1.13.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.12.0...v1.13.0)

Signed-off-by: dependabot[bot] <support@github.com>
2021-05-27 07:02:40 +00:00
542d730987 Merge pull request #10476 from mheon/ensure_exists_on_remove
Ensure that container still exists when removing
2021-05-27 08:55:03 +02:00
d9eb126925 Merge pull request #10447 from mheon/rootlesscni_default
Add the option of Rootless CNI networking by default
2021-05-26 23:13:40 +02:00
de293c9802 Handle image user and exposed ports in podman play kube
Currently if a user runs an image with a user specified or
exposed ports with podman play kube, the fields are ignored.

Fixed: https://github.com/containers/podman/issues/9609

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-05-26 16:39:04 -04:00
5b4ffc7ba7 Merge pull request #10431 from vrothberg/journald-logs
journald logger: fix race condition
2021-05-26 22:38:37 +02:00
fad6e1d3ef Ensure that container still exists when removing
After #8906, there is a potential race condition in container
removal of running containers with `--rm`. Running containers
must first be stopped, which was changed to unlock the container
to allow commands like `podman ps` to continue to run while
stopping; however, this also means that the cleanup process can
potentially run before we re-lock, and remove the container from
under us, resulting in error messages from `podman rm`. The end
result is unchanged, the container is still cleanly removed, but
the `podman rm` command will seem to have failed.

Work around this by pinging the database after we stop the
container to make sure it still exists. If it doesn't, our job is
done and we can exit cleanly.

Signed-off-by: Matthew Heon <mheon@redhat.com>
2021-05-26 15:33:28 -04:00
533d88b656 Add the option of Rootless CNI networking by default
When the containers.conf field "NetNS" is set to "Bridge" and the
"RootlessNetworking" field is set to "cni", Podman will now
handle rootless in the same way it does root - all containers
will be joined to a default CNI network, instead of exclusively
using slirp4netns.

If no CNI default network config is present for the user, one
will be auto-generated (this also works for root, but it won't be
nearly as common there since the package should already ship a
config).

I eventually hope to remove the "NetNS=Bridge" bit from
containers.conf, but let's get something in for Brent to work
with.

Signed-off-by: Matthew Heon <mheon@redhat.com>
2021-05-26 15:03:30 -04:00
ac94be37e9 Merge pull request #10465 from containers/dependabot/go_modules/github.com/containers/common-0.39.0
Bump github.com/containers/common from 0.38.4 to 0.39.0
2021-05-26 17:06:22 +02:00
d6b4e7a195 Merge pull request #10466 from vrothberg/fix-10459
libimage-events channel: fix data race
2021-05-26 16:32:19 +02:00
10569c988f journald logger: fix race condition
Fix a race in journald driver.  Following the logs implies streaming
until the container is dead.  Streaming happened in one goroutine,
waiting for the container to exit/die and signaling that event happened
in another goroutine.

The nature of having two goroutines running simultaneously is pretty
much the core of the race condition.  When the streaming goroutines
received the signal that the container has exited, the routine may not
have read and written all of the container's logs.

Fix this race by reading both the logs and the events of the container
and stop streaming when the died/exited event has been read.  The died
event is guaranteed to be after all logs in the journal which guarantees
not only consistency but also a deterministic behavior.

Note that the journald log driver now requires the journald event
backend to be set.

Fixes: #10323
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-05-26 14:51:58 +02:00
e81457dc8e Merge pull request #10430 from sjug/noop_gpu_flag
Add podman run --gpus flag for compatibility
2021-05-26 00:51:14 -07:00
d1c9e034ff libimage-events channel: fix data race
Fix a data race between creating and using the libimage-events channel.

[NO TESTS NEEDED] since it really depends on the scheduler and we
couldn't hit the race so far.

Fixes: #10459
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-05-26 09:28:44 +02:00