* If possible, update each dependency to the latest available version.
* Use releases over commit IDs and avoid vendoring branches.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Add a `make vendor` target calls `vndr` with a specified whitelist to
avoid deleting important files (currently the varlink/go project).
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When --pod is specified then join both the user and mount namespace
for the pod so we can initialize the storage.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
The json-iterator package will panic on attempting to use
MarshalIndent with a non-space indentation. This is sort of silly
but swapping from tabs to spaces is not a big issue for us, so
let's work around the silly panic.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We already have it vendored for a Kube package we import, but we
want a more recent version with additional bugfixes over the 1.0
release we originally had.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
The jsoniter library does not require code generation, which is a
massive advantage over easyjson (it's also about the same in
performance). Begin moving over to it by removing the existing
easyjson code.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
For rootless Podman, if storage.conf exists but does not specify
one or both of RunRoot and GraphRoot, set them to rootless
defaults so we don't end up with an unusable configuration.
Fixes#2125
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
If we are not able to make arbitrary changes to the RLIMIT_NOFILE when
lacking CAP_SYS_RESOURCE, don't fail but bump the limit to the maximum
allowed. In this way the same code path works with rootless mode.
Closes: https://github.com/containers/libpod/issues/2123
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
the rootless container storage is always mounted in a different mount
namespace, owned by the unprivileged user. Even if it is mounted, a
process running in another namespace cannot reuse the already mounted
storage.
Make sure the storage is always cleaned up once the container
terminates.
This has worked with vfs since there is no real mounted storage.
Closes: https://github.com/containers/libpod/issues/2112
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Avoid generating
quay.io/openshift-release-dev/ocp-release@sha256@sha256:239... and
similar when the image name is already digest-based [1]. It's not
clear exactly how we get into this state, but as shown by the unit
tests, the new code handles this case correctly (while the previous
code does not).
[1]: https://github.com/containers/libpod/issues/2086
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #2106
Approved by: rhatdan
Apply the default AppArmor profile at container initialization to cover
all possible code paths (i.e., podman-{start,run}) before executing the
runtime. This allows moving most of the logic into pkg/apparmor.
Also make the loading and application of the default AppArmor profile
versio-indepenent by checking for the `libpod-default-` prefix and
over-writing the profile in the run-time spec if needed.
The intitial run-time spec of the container differs a bit from the
applied one when having started the container, which results in
displaying a potentially outdated AppArmor profile when inspecting
a container. To fix that, load the container config from the file
system if present and use it to display the data.
Fixes: #2107
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
