[WIP] Final backports and release notes updates for v2.0.5 #7345
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mheon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Alright, it's not worth fighting CI. Renamed |
Thank you, Golint - that's such a helpful message, that. |
podman containers using IPv6 were missing the default route, breaking deployments trying to use them. The problem is that the default route was hardcoded to IPv4, this takes into consideration the podman subnet IP family to generate the corresponding default route. Signed-off-by: Antonio Ojea <[email protected]>
Commit 2b6dd3f set the killmode of the podman.service to the systemd default which ultimately led to the problem that systemd will kill *all* processes inside the unit's cgroup and hence kill all containers whenever the service is stopped. Fix it by setting the type to sdnotify and the killmode to process. `podman system service` will send the necessary notify messages when the NOTIFY_SOCKET is set and unset it right after to prevent the backend and container runtimes from jumping in between and sending messages as well. Fixes: containers#7294 Signed-off-by: Valentin Rothberg <[email protected]>
I'm not sure if this is an OS-specific issue, but on CentOS 8, if `path` doesn't exist, this hangs while waiting to read from this socket, even though the socket is closed by the `reexec_in_user_namespace`. Switching to a pipe fixes the problem, and pipes shouldn't be an issue since this is Linux-specific code. Signed-off-by: Jonathan Dieter <[email protected]>
podman save uses named pipe as output path, not directly using /dev/stdout. fix containers#7017 Signed-off-by: Qi Wang <[email protected]> <MH: Corrected imports during cherry-pick> Signed-off-by: Matt Heon <[email protected]>
I used the wrong propagation first time around because I forgot that rprivate is the default propagation. Oops. Switch to rprivate so we're using the default. Signed-off-by: Matthew Heon <[email protected]>
upon image build completion, a new image type event is written for "build". more intricate details, like pulling an image, that might be done by build must be implemented in different vendored packages only after libpod is split from podman. Fixes: containers#7022 Signed-off-by: Brent Baude <[email protected]> <MH: Fixed imports during cherry-pick> Signed-off-by: Matt Heon <[email protected]>
Signed-off-by: zhangguanzhang <[email protected]>
the deepcopy in the remote history code path was throwing an uncaught error on a type mismatch. we now manually do the conversion and fix the type mismatch on the fly. Fixes: containers#7122 Signed-off-by: Brent Baude <[email protected]>
Podman 1.6.2 changed systemd mode auto-detection from commands ending in ``init`` to hard-coded paths ``/sbin/init`` and ``/usr/sbin/init``. This broke FreeIPA container. ``podman run`` and ``podman create`` now activate systemd mode when the command is ``/usr/local/sbin/init``. Fixes: containers#7287 Signed-off-by: Christian Heimes <[email protected]>
Signed-off-by: Christian Heimes <[email protected]>
To sync the behavior between AppArmor and seccomp it is now possible to also specify seccomp profiles for privileged containers. Signed-off-by: Sascha Grunert <[email protected]>
A recent crun change stopped the creation of the container's working directory if it does not exist. This is arguably correct for user-specified directories, to protect against typos; it is definitely not correct for image WORKDIR, where the image author definitely intended for the directory to be used. This makes Podman create the working directory and chown it to container root, if it does not already exist, and only if it was specified by an image, not the user. Signed-off-by: Matthew Heon <[email protected]>
This matches Docker behavior, and seems to make sense - the CMD may have been specific to the original entrypoint and probably does not make sense if it was changed. While we're in here, greatly simplify the logic for populating the SpecGen's Command. We create the full command when making the OCI spec, so the client should not be doing any more than setting it to the Command the user passed in, and completely ignoring ENTRYPOINT. Fixes containers#7115 Signed-off-by: Matthew Heon <[email protected]>
Buildah and podman build can create images without a working dir. `FROM fedora` `WORKDIR /test` If you build this image with caching twice, the second time the image will not have a working dir. Similarly if you execute `podman run --workdir /foobar fedora` It blows up since the workingdir is not created automatically. Finally there was duplicated code for getting the workingdir out of an image, that this PR removes. Signed-off-by: Daniel J Walsh <[email protected]>
Included old error + wrapped Signed-off-by: Parker Van Roy <[email protected]>
Refactor the processing of Repository and Tag fields to default to <none> when printing via --format flag. Previously, the default format would print <none> but --format {{.Tag}} would not in some cases. Fixes containers#7123 Signed-off-by: Jhon Honce <[email protected]>
The ListContainers API previously had a Pod parameter, which determined if pod name was returned (but, notably, not Pod ID, which was returned unconditionally). This was fairly confusing, so we decided to deprecate/remove the parameter and return it unconditionally. To do this without serious performance implications, we need to avoid expensive JSON decodes of pod configuration in the DB. The way our Bolt tables are structured, retrieving name given ID is actually quite cheap, but we did not expose this via the Libpod API. Add a new GetName API to do this. Fixes containers#7214 Signed-off-by: Matthew Heon <[email protected]>
Addresses the multiple "default" userns values found in the podman-run(1) man page: http://docs.podman.io/en/latest/markdown/podman-run.1.html. This is in response to: https://bugzilla.redhat.com/show_bug.cgi?id=1860126 which this PR will fix. Signed-off-by: TomSweeneyRedHat <[email protected]>
Signed-off-by: Matthew Heon <[email protected]>
I was *really* hoping we didn't have to do this, but CI is utterly broken without it, so what the hell, let's do it. Signed-off-by: Matthew Heon <[email protected]>
Signed-off-by: Matthew Heon <[email protected]>
Signed-off-by: Matthew Heon <[email protected]>
When we rewrote Podman's pkg/spec, one of the things that was lost was our use of a set of default environment variables, that ensure all containers have at least $PATH and $TERM set. While we're in the process of re-adding it, change it from a variable to a function, so we can ensure the Join function does not overwrite it and corrupt the defaults. Signed-off-by: Matthew Heon <[email protected]>
Changes LGTM overall, but I'm leery about the libpod to podman change. I think it's OK, but IDK. @vrothberg any concerns in your mind with that? |
It looks like I'm missing something necessary to get Cirrus building with the new import paths. Will investigate further tomorrow. Also, this is still missing the |
We just published the bindings blog which is using |
I want to get containers/image#1025 in as well to close a BZ against podman-search. |
Given the difficulties CI is giving us, you should have time. Plenty of time!
On Tue, Aug 18, 2020, 04:32 Valentin Rothberg ***@***.***> wrote:
> I want to get containers/image#1025 in as well to close a BZ against podman-search.
|
Signed-off-by: Matthew Heon <[email protected]>
Build each commit is going to take prohibitively long to fix. I see two options:
|
Signed-off-by: Matthew Heon <[email protected]>
b4d29af to f58c22c
Signed-off-by: Matthew Heon <[email protected]>
Disable check just for this PR. |
Signed-off-by: Matthew Heon <[email protected]>
Any idea what's going on here? |
ewww, hmmm, that's a new one (to me)... |
...Not sure why we're just seeing this now/here (and not on master), but perhaps chown'ing |
Closing in favor of #7363 |
Latest batch of backports.
This is not going to pass CI - some `github.com/containers/podman/v2` paths leaked in. I can't figure out how to use `build-each-commit` locally to find them, so I'm going to let upstream CI do it.