Currently the pull message on failure is UGLY. This patch removes a lot of the noise
when pulling an image from multiple registries to make the user experience better.
Our current messages are way too verbose and need to be dampened down. Still has
verbose mode if you turn on log-level=debug.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Cirrus-CI automatically sets `$CIRRUS_BASE_BRANCH` during PR testing.
This is used for the `build_each_commit` task, in order to compute the
commit-chain properly. However, prior to this commit and after a PR
merges, the post-merge `build_each_commit` task would fail with
something similar to:
```
make build-all-new-commits GIT_BASE_BRANCH=origin/$CIRRUS_BASE_BRANCH |& ${TIMESTAMP}
[12:28:59] START - All [+xxxx] lines that follow are relative to right now.
[+0000s] # Validate that all the commits build on top of origin/
[+0000s] git rebase origin/ -x make
[+0000s] fatal: invalid upstream 'origin/'
[+0000s] make: *** [Makefile:426: build-all-new-commits] Error 128
[12:28:59] END - [+0000s] total duration since START
Exit status: 2
```
This is because `$CIRRUS_BASE_BRANCH` is undefined when CI runs against
a branch (by design). This commit fixes the problem by referring to
`$DEST_BRANCH` instead. This variable must always point at the intended
destination branch for testing, and so can be used in this context as
well.
Also updated a few comments to help steer understanding of the
`$DEST_BRANCH` purpose.
Signed-off-by: Chris Evich <cevich@redhat.com>
When removing --all images, prune images only attempts to remove read/write images
and ignores read-only images.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Close #3553
This PR makes --dns, --dns-option, --dns-search, and --network not set to host flag mutually exclusive for podman build and create. Returns conflict error if both flags are set.
Signed-off-by: Qi Wang <qiwan@redhat.com>
We have another patch running to do the same for exit files, with
a much more in-depth explanation of why it's necessary. Suffice
to say that persistent files in tmpfs tied to container CGroups
lead to significant memory allocations that last for the lifetime
of the file.
Based on a patch by Andrea Arcangeli (aarcange@redhat.com).
Signed-off-by: Matthew Heon <mheon@redhat.com>
The default apparmor profile is not stored on disk which causes
confusion when debugging the content of the profile. To solve this, we
now add an additional API which returns the profile as byte slice.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Allow a container to run in a new cgroup namespace.
When running in a new cgroup namespace, the current cgroup appears to
be the root, so that there is no way for the container to access
cgroups outside of its own subtree.
By default it uses --cgroup=host to keep the previous behavior.
To create a new namespace, --cgroup=private must be provided.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This change tweaks the symlink commands that are invoked when libpod is
not on GOPATH. This has the following effects:
- If the working directory is not "libpod", it will still create the
symlink at the correct github.com/containers/libpod path.
- If the github.com/varlink directory/symlink already exists, it will
still create the symlink at the intended path.
Signed-off-by: Lawrence Chan <element103@gmail.com>
We can infer no-new-privileges. For now, manually populate
seccomp (can't infer what file we sourced from) and
SELinux/Apparmor (hard to tell if they're enabled or not).
Signed-off-by: Matthew Heon <mheon@redhat.com>
Our previous method (just read the PID that we spawned) doesn't
work - Conmon double-forks to daemonize, so we end up with a PID
pointing to the first process, which dies almost immediately.
Reading from the PID file gets us the real PID.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
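The failure mode described in the commit message above, as an added example that is not part of the commit or of libpod's code: a constructed stand-in daemon (not Conmon) double-forks, so the PID returned to the spawner is already dead while the PID file names the live process. All function names and the PID file location are assumptions made for the illustration.

```python
import os
import signal
import tempfile
import time


def spawn_double_forking_daemon(pidfile):
    """Constructed stand-in for a daemonizing helper; returns the PID we spawned."""
    first = os.fork()
    if first != 0:
        return first                      # the caller only ever sees this PID
    try:
        os.setsid()                       # detach from the caller's session
        if os.fork() == 0:                # second fork: the long-lived process
            tmp = pidfile + ".tmp"
            with open(tmp, "w") as f:
                f.write(str(os.getpid()))
            os.rename(tmp, pidfile)       # atomic: readers never see a partial file
            time.sleep(30)
    finally:
        os._exit(0)                       # never fall back into the caller's code


def pid_alive(pid):
    try:
        os.kill(pid, 0)                   # signal 0: existence check only
    except ProcessLookupError:
        return False
    return True


def demo():
    with tempfile.TemporaryDirectory() as d:
        pidfile = os.path.join(d, "daemon.pid")
        spawned = spawn_double_forking_daemon(pidfile)
        os.waitpid(spawned, 0)            # first process exits right after forking
        deadline = time.monotonic() + 5
        while not os.path.exists(pidfile):
            if time.monotonic() > deadline:
                raise TimeoutError("daemon never wrote its PID file")
            time.sleep(0.01)
        with open(pidfile) as f:
            real = int(f.read())
        result = {"spawned": spawned, "spawned_alive": pid_alive(spawned),
                  "real": real, "real_alive": pid_alive(real)}
        os.kill(real, signal.SIGTERM)     # clean up the stand-in daemon
        return result
```

Tracking the spawned PID here would mean later signals or liveness checks target a process that no longer exists, or an unrelated one once the PID is reused.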
When we first began writing Podman, we ran into a major issue
when implementing Inspect. Libpod deliberately does not tie its
internal data structures to Docker, and stores most information
about containers encoded within the OCI spec. However, Podman
must present a CLI compatible with Docker, which means it must
expose all the information in 'docker inspect' - most of which is
not contained in the OCI spec or libpod's Config struct.
Our solution at the time was the create artifact. We JSON'd the
complete CreateConfig (a parsed form of the CLI arguments to
'podman run') and stored it with the container, restoring it when
we needed to run commands that required the extra info.
Over the past month, I've been looking more at Inspect, and
refactored large portions of it into Libpod - generating them
from what we know about the OCI config and libpod's (now much
expanded, versus previously) container configuration. This path
comes close to completing the process, moving the last part of
inspect into libpod and removing the need for the create
artifact.
This improves libpod's compatibility with non-Podman containers.
We no longer require an arbitrarily-formatted JSON blob to be
present to run inspect.
Fixes: #3500
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Before, play kube wasn't properly setting the command. Fix this.
Also, begin a dedicated test suite for play kube to catch regressions like this in the future.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
For CI testing, it's important to remove as much variability from the
overall system as possible. This permits focusing just on problems
closely related to code-changes. To this end, and because VMs are very
short-lived (2 hours at most), disable all systemd services and timers
which perform periodic activities.
Signed-off-by: Chris Evich <cevich@redhat.com>
Change the script to generate two files. One including direct
dependencies, the other including direct and transitive dependencies.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Move the analyses scripts to the dependencies directory to avoid
scattering of the dependency management.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>