1. Check the path validity before trying to read the cgroup.controllers.
2. Do not hardcode "/sys/fs/cgroup".
3. Simplify creating the "+this +that" string.
4. Do not wrap ioutil.WriteFile error.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This commit is courtesy of
```
for f in $(git ls-files *.go | grep -v ^vendor/); do \
sed -i 's/\(errors\..*\)"Error /\1"error /' $f;
done
for f in $(git ls-files *.go | grep -v ^vendor/); do \
sed -i 's/\(errors\..*\)"Failed to /\1"failed to /' $f;
done
```
etc.
Self-reviewed using `git diff --word-diff`, found no issues.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
In case os.Open[File], os.Mkdir[All], ioutil.ReadFile and the like
fails, the error message already contains the file name and the
operation that fails, so there is no need to wrap the error with
something like "open %s failed".
While at it
- replace a few places with os.Open, ioutil.ReadAll with
ioutil.ReadFile.
- replace errors.Wrapf with errors.Wrap for cases where there
are no %-style arguments.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Docker supports log-opt max_size and so does conmon (ALthough poorly).
Adding support for this allows users to at least make sure their containers
logs do not become a DOS vector.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
- Fixes issue where remote attach and exec only signaled the IdleTracker
on errors. Needs to done anytime after connection has been hijacked
- Fixes trying to send multiple http status codes to client
- Changes pprof and API server shutdowns to run in parallel
- Changes shutdown to run in sync.Once block
Signed-off-by: Jhon Honce <jhonce@redhat.com>
If I have multiple ranges of UIDs specified in the /etc/subuid, this check
blows up and incorrectly blocks the use of --user flag.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
All containers within a Pod need to run with the same SELinux
label, unless overwritten by the user.
Also added a bunch of SELinux tests to make sure selinux labels
are correct on namespaces.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The `tag` parameter of the compat `images/create` endpoint can be both,
a tag and a digest. Fix parsing of the parameter to detect digests and
use the appropriate `@` separator.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Make sure to remove images until there's nothing left to prune.
A single iteration may not be sufficient.
Fixes: #7872
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
when adding /dev to a privileged container using the compatibility API, we need to make sure we dont pass on devices that are simply symlinks. this was already being done by specgen but not on the compat. side.
the entrypoint code that was recently rewritten for the compatibility layer was also failing due to the odd inputs that docker is willing to accept in its json, specifically [] vs "". in the case of the latter, this was being made into a []string with a len of one but no content. this would then be used to prefix the command to run in the container and would fail. For example " ls" vs "ls".
Signed-off-by: baude <bbaude@redhat.com>
Fix the look up of containers and pods in the remote client. User input
can refer to both, names or IDs of containers and pods, so there is a
fair chance of collisions (e.g., "c1" name with a "c1...." ID).
Those collisions are well handled (and battle tested) in the local
client which is directly using the libpod backend. Hence, the remote
client should not attempt to introduce its own logic to prevent bugs and
divergence between the local and the remote clients. To prevent
collisions such as in #7837, do a container/pod inspect on the
user-provided input to find the corresponding ID and eventually do full
ID comparisons to avoid potential collisions with names.
Note that this has a cost that I am not entirely happy with. Looking at
issue #7837, the collisions are happening when removing the two
containers. Remote container removal is now very chatty with the server
as it first queries for all containers, then iterates over the provided
names or IDs and does a remote inspect to figure out the IDs and find a
matching container object. However, remote removal could just pass the
names and IDs directly to the batch removal endpoint. Querying for all
containers could be prevented if the batch removal endpoint would remove
all if the slice is empty.
In other words, the bug is fixed but there's room for performance
improvements.
Fixes: #7837
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
podman volume prune -f
Should just tell the prune command to not prompt for confirmation.
It should not be passing the prune flag into the API.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix misspelled parameter
* add http-proxy support for builds
http_proxy must be set in the podman.service unit file, for example
Environment=http_proxy=<value>
Signed-off-by: Jhon Honce <jhonce@redhat.com>
If run&create image returns error: image contains manifest list, not a runnable image, find the local image that has digest matching the digest from the list and use the image from local storage for the command.
Signed-off-by: Qi Wang <qiwan@redhat.com>
The registries package should be retired. It was introduced as an
easier to use wrapper around c/image `sysregistries` which has been
replaced by `sysregistriesv2` a long while ago.
Users should either use the `sysregistriesv2` package directly or, even
better, we cache the config in libpod's image runtime to prevent
redundant (and ~expensive) parsing of the registries.conf files.
For now, just add a note in hope we'll not forgert about it when we find
time in the future.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
change capabilities handling to reflect what docker does.
Bounding: set to caplist
Inheritable: set to caplist
Effective: if uid != 0 then clear; else set to caplist
Permitted: if uid != 0 then clear; else set to caplist
Ambient: clear
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Fix the remote client to untag all tags of the specified image.
Instead of querying the image on the client side, support the
case where both, repo and tag, are empty and remove all tags.
Reuse the ABI implementation where possible. In retrospective,
the libpod untag endpoint should support a slice of strings to
batch remove tags rather than reaching out for each tag individually.
Enable the skipped test.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
In podman containers rm and podman images rm, the commands
exit with error code 1 if the object does not exists.
This PR implements similar functionality to volumes, networks, and Pods.
Similarly if volumes or Networks are in use by other containers, and return
exit code 2.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
