When a kube yaml has a volume set as empty dir, podman
will create an anonymous volume with the empty dir name and
attach it to the containers running in the pod. When the pod
is removed, the empy dir volume created is also removed.
Add tests and docs for this as well.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
add two new options to the keep-id user namespace option:
- uid: allow to override the UID used inside the container.
- gid: allow to override the GID used inside the container.
For example, the following command will map the rootless user (that
has UID=0 inside the rootless user namespace) to the UID=11 inside the
container user namespace:
$ podman run --userns=keep-id:uid=11 --rm -ti fedora cat /proc/self/uid_map
0 1 11
11 0 1
12 12 65525
Closes: https://github.com/containers/podman/issues/15294
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Almost all of SpecGenToOCI deals with linux-specific aspects of the
runtime spec. Rather than try to factor this out piecemeal, I think it
is cleaner to move the whole function along with its implementation
helper functions. This also meams we don't need non-linux stubs for
functions called from oci_linux.go
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
Code from this dependency was replaced with a simple version. As a
result Podman's memory consumption has been reduced by ~10%.
[NO NEW TESTS NEEDED]
Signed-off-by: Mikhail Khachayants <tyler92@inbox.ru>
`podman-remote` and Libpod API does not supports build with
`--userns=auto` since `IDMappingOptions` were not implemented for API
and bindings, following PR implements passing `IDMappingOptions` via
bindings to API.
Closes: https://github.com/containers/podman/issues/15476
Signed-off-by: Aditya R <arajan@redhat.com>
I realized that `params.Del("SkipTLSVerify")` doesn't have any
effect because keys are always lowercased. So it should really
be `params.Del("skiptlsverify")`.
There's also a little bug introduced by 3bf52aa and b1d1248: if
one passes `ProgressWriter` object having `Stringer` interface
i.e. `bytes.Buffer` it ends up been serialized in query with
`util.ToParams()`.
To circumvent both problems I propose to mark non-serializable
parameters with `schema:"-"` so there's no need to delete them from
resulting `url.Values`.
Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
Change only the compat API, so we don't force a breaking change
on Libpod API users.
Partial fix for #15485
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We are unmarshaling and re-marshaling JSON, which can _silently_ drop data
with the Go design decision.data.
Try harder, by using json.RawMessage at least for the data we care about.
Alternatively, this could use json.Decoder.DisallowUnknownFields.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
sigstoreSigned does not have GPG IDs, so we add N/A in that column.
NOTE: this does not show the use-sigstore-attachments value from
registries.d.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Currently
- the output uses the first entry's type, even if the requirements are different
(notably signedBy + sigstoreSIgned)
- all public keys IDs are collected to a single line, even if some of them
are interchangeable, and some are required (e.g. two signedBy requirements
could require an image to be signed by (redhatProd OR redhatBeta) AND (vendor1 OR vendor2)
So, stop collapsing the requirements, and return a separate entry for each one. Multiple
GPG IDs on a single line used to mean AND or OR, now they always mean AND.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Do the registries.d lookup once, separately from building
an entry, so that we can share it across entries.
Also prepare a separate res to allow adding multiple entries.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Just so that we don't have a boolean-named function returning a struct.
Also reorder the parameters to have the container first, and the lookup
key second.
Shoud not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Now that it is the primary return value of a small function,
the long name only makes reading harder.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This will evetually allow us to use it for the default scope
as well, which currently uses a simplified version.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Add at least a basic unit test for the various entry types.
So that we don't have to actually deal with GPG keys and /usr/bin/gpg*,
parametrize the code with a gpgIDReader , and pass a fake one
in the unit test.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We now have only a few entrypoints that are called externally,
so make the rest private. This will make it more obvious that
we are not breaking any external users.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This will allow us to write unit tests without setting up the complete Podman runtime
(and without the Linux dependency).
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
NOTE: This does not edit the use-sigstore-attachments value
in registries.d, similarly to how (podman image trust set) didn't
set the lookaside paths for simple signing.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
- Also reject public keys with types that don't use them
- Reject unknown trust types
- And add unit tests
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This will allow us to write unit tests without setting up the complete Podman runtime
(and without the Linux dependency).
Also, actually add a basic smoke test of the core functionality.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Only process the incoming args[] (which is a single-element array
for some reason) once, and use a semantic variable name for the value
we care about.
Should not change behavior, the only caller already supposedly ensures
that len(args) == 1.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Split the existing code into policy.go and registries.go,
depending on which files it concerns.
Only moves unchanged code, should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We can always recover it from git, but it seems to serve
no purpose anyway.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
