-rw-r--r--cmd/podman/images.go7
-rw-r--r--cmd/podman/main.go127
-rw-r--r--cmd/podman/main_local.go155
-rw-r--r--cmd/podman/main_remote.go43
-rw-r--r--cmd/podman/pull.go10
-rw-r--r--cmd/podman/push.go12
-rw-r--r--commands.md6
-rw-r--r--libpod/container_internal.go8
-rw-r--r--libpod/oci_linux.go53
-rw-r--r--libpod/runtime.go14
-rw-r--r--libpod/runtime_ctr.go7
-rw-r--r--pkg/spec/spec.go3
-rw-r--r--test/e2e/images_test.go11
-rw-r--r--test/e2e/prune_test.go4
-rw-r--r--test/e2e/rmi_test.go2
-rw-r--r--test/system/030-run.bats8
16 files changed, 330 insertions, 140 deletions
diff --git a/cmd/podman/images.go b/cmd/podman/images.go
index 6133450be..bea27e2ff 100644
--- a/cmd/podman/images.go
+++ b/cmd/podman/images.go
@@ -318,13 +318,14 @@ func getImagesJSONOutput(ctx context.Context, images []*adapter.ContainerImage)
func generateImagesOutput(ctx context.Context, images []*adapter.ContainerImage, opts imagesOptions) error {
templateMap := GenImageOutputMap()
- if len(images) == 0 {
- return nil
- }
var out formats.Writer
switch opts.format {
case formats.JSONString:
+ // If 0 images are present, print nothing for JSON
+ if len(images) == 0 {
+ return nil
+ }
imagesOutput := getImagesJSONOutput(ctx, images)
out = formats.JSONStructArray{Output: imagesToGeneric([]imagesTemplateParams{}, imagesOutput)}
default:
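Review bot: With the JSON format and no images, the early return now placed in the `formats.JSONString` case writes nothing at all, so a caller that feeds the output to a JSON parser receives an empty document rather than `[]`. If that is the intended contract, the comment should say so explicitly, for example `// Print nothing (not "[]") for JSON when there are no images; callers must handle empty output`. generateImagesOutput continues past the end of the hunk.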
diff --git a/cmd/podman/main.go b/cmd/podman/main.go
index 35cef793d..35a94b3db 100644
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -3,26 +3,18 @@ package main
import (
"context"
"io"
- "io/ioutil"
- "log/syslog"
"os"
- "runtime/pprof"
- "strconv"
- "strings"
"syscall"
"github.com/containers/libpod/cmd/podman/cliconfig"
- "github.com/containers/libpod/cmd/podman/libpodruntime"
"github.com/containers/libpod/libpod"
_ "github.com/containers/libpod/pkg/hooks/0.1.0"
"github.com/containers/libpod/pkg/rootless"
- "github.com/containers/libpod/pkg/tracing"
"github.com/containers/libpod/version"
"github.com/containers/storage/pkg/reexec"
"github.com/opentracing/opentracing-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
- lsyslog "github.com/sirupsen/logrus/hooks/syslog"
"github.com/spf13/cobra"
)
@@ -89,40 +81,13 @@ func init() {
cobra.OnInitialize(initConfig)
rootCmd.TraverseChildren = true
rootCmd.Version = version.Version
- rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.CGroupManager, "cgroup-manager", "", "Cgroup manager to use (cgroupfs or systemd, default systemd)")
- // -c is deprecated due to conflict with -c on subcommands
- rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.CpuProfile, "cpu-profile", "", "Path for the cpu profiling results")
- rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.Config, "config", "", "Path of a libpod config file detailing container server configuration options")
- rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.ConmonPath, "conmon", "", "Path of the conmon binary")
- rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.NetworkCmdPath, "network-cmd-path", "", "Path to the command for configuring the network")
- rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.CniConfigDir, "cni-config-dir", "", "Path of the configuration directory for CNI networks")
- rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.DefaultMountsFile, "default-mounts-file", "", "Path to default mounts file")
- rootCmd.PersistentFlags().MarkHidden("defaults-mount-file")
- // Override default --help information of `--help` global flag
- var dummyHelp bool
- rootCmd.PersistentFlags().BoolVar(&dummyHelp, "help", false, "Help for podman")
- rootCmd.PersistentFlags().StringSliceVar(&MainGlobalOpts.HooksDir, "hooks-dir", []string{}, "Set the OCI hooks directory path (may be set multiple times)")
- rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.LogLevel, "log-level", "error", "Log messages above specified level: debug, info, warn, error, fatal or panic")
- rootCmd.PersistentFlags().IntVar(&MainGlobalOpts.MaxWorks, "max-workers", 0, "The maximum number of workers for parallel operations")
- rootCmd.PersistentFlags().MarkHidden("max-workers")
- rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.Namespace, "namespace", "", "Set the libpod namespace, used to create separate views of the containers and pods on the system")
- rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.Root, "root", "", "Path to the root directory in which data, including images, is stored")
- rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.Runroot, "runroot", "", "Path to the 'run directory' where all state information is stored")
- rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.Runtime, "runtime", "", "Path to the OCI-compatible binary used to run containers, default is /usr/bin/runc")
- // -s is depracated due to conflict with -s on subcommands
- rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.StorageDriver, "storage-driver", "", "Select which storage driver is used to manage storage of images and containers (default is overlay)")
- rootCmd.PersistentFlags().StringSliceVar(&MainGlobalOpts.StorageOpts, "storage-opt", []string{}, "Used to pass an option to the storage driver")
- rootCmd.PersistentFlags().BoolVar(&MainGlobalOpts.Syslog, "syslog", false, "Output logging information to syslog as well as the console")
-
- rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.TmpDir, "tmpdir", "", "Path to the tmp directory")
- rootCmd.PersistentFlags().BoolVar(&MainGlobalOpts.Trace, "trace", false, "Enable opentracing output")
// Override default --help information of `--version` global flag
var dummyVersion bool
rootCmd.PersistentFlags().BoolVar(&dummyVersion, "version", false, "Version for podman")
rootCmd.AddCommand(mainCommands...)
rootCmd.AddCommand(getMainCommands()...)
-
}
+
func initConfig() {
// we can do more stuff in here.
}
@@ -132,63 +97,16 @@ func before(cmd *cobra.Command, args []string) error {
logrus.Errorf(err.Error())
os.Exit(1)
}
- if os.Geteuid() != 0 && cmd != _searchCommand && cmd != _versionCommand && !strings.HasPrefix(cmd.Use, "help") {
- podmanCmd := cliconfig.PodmanCommand{
- cmd,
- args,
- MainGlobalOpts,
- }
- runtime, err := libpodruntime.GetRuntime(&podmanCmd)
- if err != nil {
- return errors.Wrapf(err, "could not get runtime")
- }
- defer runtime.Shutdown(false)
-
- ctrs, err := runtime.GetRunningContainers()
- if err != nil {
- logrus.Errorf(err.Error())
- os.Exit(1)
- }
- var became bool
- var ret int
- if len(ctrs) == 0 {
- became, ret, err = rootless.BecomeRootInUserNS()
- } else {
- for _, ctr := range ctrs {
- data, err := ioutil.ReadFile(ctr.Config().ConmonPidFile)
- if err != nil {
- logrus.Errorf(err.Error())
- os.Exit(1)
- }
- conmonPid, err := strconv.Atoi(string(data))
- if err != nil {
- logrus.Errorf(err.Error())
- os.Exit(1)
- }
- became, ret, err = rootless.JoinUserAndMountNS(uint(conmonPid))
- if err == nil {
- break
- }
- }
- }
- if err != nil {
- logrus.Errorf(err.Error())
- os.Exit(1)
- }
- if became {
- os.Exit(ret)
- }
+ if err := setupRootless(cmd, args); err != nil {
+ return err
}
- if MainGlobalOpts.Syslog {
- hook, err := lsyslog.NewSyslogHook("", "", syslog.LOG_INFO, "")
- if err == nil {
- logrus.AddHook(hook)
- }
+ // Set log level; if not log-level is provided, default to error
+ logLevel := MainGlobalOpts.LogLevel
+ if logLevel == "" {
+ logLevel = "error"
}
-
- // Set log level
- level, err := logrus.ParseLevel(MainGlobalOpts.LogLevel)
+ level, err := logrus.ParseLevel(logLevel)
if err != nil {
return err
}
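Review bot: The syslog hook block is removed from before() here, but neither this hunk nor the following one adds a call to the new `setSyslog()` helper, so as far as the diff shows `--syslog` is still accepted on local builds and no longer attaches the hook. For hosts that rely on syslog for an audit trail of podman invocations that is a silent loss of logging. Calling it right after the rootless setup would restore the behaviour: `if err := setSyslog(); err != nil { return err }`. Note that the helper returns the hook error where the old code ignored it, so decide whether an unavailable syslog should abort the command or only be logged. before() starts and ends outside this hunk.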
@@ -213,36 +131,11 @@ func before(cmd *cobra.Command, args []string) error {
// Be sure we can create directories with 0755 mode.
syscall.Umask(0022)
-
- if cmd.Flag("cpu-profile").Changed {
- f, err := os.Create(MainGlobalOpts.CpuProfile)
- if err != nil {
- return errors.Wrapf(err, "unable to create cpu profiling file %s",
- MainGlobalOpts.CpuProfile)
- }
- pprof.StartCPUProfile(f)
- }
- if cmd.Flag("trace").Changed {
- var tracer opentracing.Tracer
- tracer, closer = tracing.Init("podman")
- opentracing.SetGlobalTracer(tracer)
-
- span = tracer.StartSpan("before-context")
-
- Ctx = opentracing.ContextWithSpan(context.Background(), span)
- }
- return nil
+ return profileOn(cmd)
}
func after(cmd *cobra.Command, args []string) error {
- if cmd.Flag("cpu-profile").Changed {
- pprof.StopCPUProfile()
- }
- if cmd.Flag("trace").Changed {
- span.Finish()
- closer.Close()
- }
- return nil
+ return profileOff(cmd)
}
func main() {
diff --git a/cmd/podman/main_local.go b/cmd/podman/main_local.go
new file mode 100644
index 000000000..e008a4617
--- /dev/null
+++ b/cmd/podman/main_local.go
@@ -0,0 +1,155 @@
+// +build !remoteclient
+
+package main
+
+import (
+ "context"
+ "github.com/containers/libpod/cmd/podman/cliconfig"
+ "github.com/containers/libpod/cmd/podman/libpodruntime"
+ "github.com/containers/libpod/pkg/rootless"
+ "io/ioutil"
+ "log/syslog"
+ "os"
+ "runtime/pprof"
+ "strconv"
+ "strings"
+
+ "github.com/containers/libpod/pkg/tracing"
+ "github.com/opentracing/opentracing-go"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
+ lsyslog "github.com/sirupsen/logrus/hooks/syslog"
+ "github.com/spf13/cobra"
+)
+
+const remote = false
+
+func init() {
+
+ rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.CGroupManager, "cgroup-manager", "", "Cgroup manager to use (cgroupfs or systemd, default systemd)")
+ // -c is deprecated due to conflict with -c on subcommands
+ rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.CpuProfile, "cpu-profile", "", "Path for the cpu profiling results")
+ rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.Config, "config", "", "Path of a libpod config file detailing container server configuration options")
+ rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.ConmonPath, "conmon", "", "Path of the conmon binary")
+ rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.NetworkCmdPath, "network-cmd-path", "", "Path to the command for configuring the network")
+ rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.CniConfigDir, "cni-config-dir", "", "Path of the configuration directory for CNI networks")
+ rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.DefaultMountsFile, "default-mounts-file", "", "Path to default mounts file")
+ rootCmd.PersistentFlags().MarkHidden("defaults-mount-file")
+ // Override default --help information of `--help` global flag
+ var dummyHelp bool
+ rootCmd.PersistentFlags().BoolVar(&dummyHelp, "help", false, "Help for podman")
+ rootCmd.PersistentFlags().StringSliceVar(&MainGlobalOpts.HooksDir, "hooks-dir", []string{}, "Set the OCI hooks directory path (may be set multiple times)")
+ rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.LogLevel, "log-level", "error", "Log messages above specified level: debug, info, warn, error, fatal or panic")
+ rootCmd.PersistentFlags().IntVar(&MainGlobalOpts.MaxWorks, "max-workers", 0, "The maximum number of workers for parallel operations")
+ rootCmd.PersistentFlags().MarkHidden("max-workers")
+ rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.Namespace, "namespace", "", "Set the libpod namespace, used to create separate views of the containers and pods on the system")
+ rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.Root, "root", "", "Path to the root directory in which data, including images, is stored")
+ rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.Runroot, "runroot", "", "Path to the 'run directory' where all state information is stored")
+ rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.Runtime, "runtime", "", "Path to the OCI-compatible binary used to run containers, default is /usr/bin/runc")
+ // -s is depracated due to conflict with -s on subcommands
+ rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.StorageDriver, "storage-driver", "", "Select which storage driver is used to manage storage of images and containers (default is overlay)")
+ rootCmd.PersistentFlags().StringSliceVar(&MainGlobalOpts.StorageOpts, "storage-opt", []string{}, "Used to pass an option to the storage driver")
+ rootCmd.PersistentFlags().BoolVar(&MainGlobalOpts.Syslog, "syslog", false, "Output logging information to syslog as well as the console")
+
+ rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.TmpDir, "tmpdir", "", "Path to the tmp directory")
+ rootCmd.PersistentFlags().BoolVar(&MainGlobalOpts.Trace, "trace", false, "Enable opentracing output")
+}
+
+func setSyslog() error {
+ if MainGlobalOpts.Syslog {
+ hook, err := lsyslog.NewSyslogHook("", "", syslog.LOG_INFO, "")
+ if err == nil {
+ logrus.AddHook(hook)
+ return nil
+ }
+ return err
+ }
+ return nil
+}
+
+func profileOn(cmd *cobra.Command) error {
+ if cmd.Flag("cpu-profile").Changed {
+ f, err := os.Create(MainGlobalOpts.CpuProfile)
+ if err != nil {
+ return errors.Wrapf(err, "unable to create cpu profiling file %s",
+ MainGlobalOpts.CpuProfile)
+ }
+ if err := pprof.StartCPUProfile(f); err != nil {
+ return err
+ }
+ }
+
+ if cmd.Flag("trace").Changed {
+ var tracer opentracing.Tracer
+ tracer, closer = tracing.Init("podman")
+ opentracing.SetGlobalTracer(tracer)
+
+ span = tracer.StartSpan("before-context")
+
+ Ctx = opentracing.ContextWithSpan(context.Background(), span)
+ }
+ return nil
+}
+
+func profileOff(cmd *cobra.Command) error {
+ if cmd.Flag("cpu-profile").Changed {
+ pprof.StopCPUProfile()
+ }
+ if cmd.Flag("trace").Changed {
+ span.Finish()
+ closer.Close()
+ }
+ return nil
+}
+
+func setupRootless(cmd *cobra.Command, args []string) error {
+ if os.Geteuid() == 0 || cmd == _searchCommand || cmd == _versionCommand || strings.HasPrefix(cmd.Use, "help") {
+ return nil
+ }
+ podmanCmd := cliconfig.PodmanCommand{
+ cmd,
+ args,
+ MainGlobalOpts,
+ }
+ runtime, err := libpodruntime.GetRuntime(&podmanCmd)
+ if err != nil {
+ return errors.Wrapf(err, "could not get runtime")
+ }
+ defer runtime.Shutdown(false)
+
+ ctrs, err := runtime.GetRunningContainers()
+ if err != nil {
+ logrus.Errorf(err.Error())
+ os.Exit(1)
+ }
+ var became bool
+ var ret int
+ if len(ctrs) == 0 {
+ became, ret, err = rootless.BecomeRootInUserNS()
+ } else {
+ for _, ctr := range ctrs {
+ data, err := ioutil.ReadFile(ctr.Config().ConmonPidFile)
+ if err != nil {
+ logrus.Errorf(err.Error())
+ os.Exit(1)
+ }
+ conmonPid, err := strconv.Atoi(string(data))
+ if err != nil {
+ logrus.Errorf(err.Error())
+ os.Exit(1)
+ }
+ became, ret, err = rootless.JoinUserAndMountNS(uint(conmonPid))
+ if err == nil {
+ break
+ }
+ }
+ }
+ if err != nil {
+ logrus.Errorf(err.Error())
+ os.Exit(1)
+ }
+ if became {
+ os.Exit(ret)
+ }
+ return nil
+}
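Review bot: In setupRootless the loop over running containers declares a new `err` with `data, err := ioutil.ReadFile(...)`, so the later `became, ret, err = rootless.JoinUserAndMountNS(...)` assigns to that inner variable and the `if err != nil` check after the loop only ever sees the outer, already-nil `err`. If joining fails for every container the function returns nil with `became == false`, and the command carries on without having entered any user or mount namespace instead of reporting the failure. Declaring `data` and `conmonPid` up front and using plain assignment keeps a single `err`, as sketched below. Separately, `MarkHidden("defaults-mount-file")` in init() does not match the registered name `default-mounts-file`, so that flag is presumably not hidden and the returned error is dropped.

```go
		for _, ctr := range ctrs {
			var (
				data      []byte
				conmonPid int
			)
			// Plain assignment keeps the function-level err, so a failed join is still visible after the loop.
			data, err = ioutil.ReadFile(ctr.Config().ConmonPidFile)
			// … unchanged: log and exit on read error …
			conmonPid, err = strconv.Atoi(string(data))
			// … unchanged: log and exit on parse error …
			became, ret, err = rootless.JoinUserAndMountNS(uint(conmonPid))
			if err == nil {
				break
			}
		}
```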
diff --git a/cmd/podman/main_remote.go b/cmd/podman/main_remote.go
new file mode 100644
index 000000000..2a7d184cd
--- /dev/null
+++ b/cmd/podman/main_remote.go
@@ -0,0 +1,43 @@
+// +build remoteclient
+
+package main
+
+import (
+ "os"
+
+ "github.com/containers/libpod/pkg/rootless"
+ "github.com/sirupsen/logrus"
+ "github.com/spf13/cobra"
+)
+
+const remote = true
+
+func init() {
+ // remote client specific flags can go here.
+}
+
+func setSyslog() error {
+ return nil
+}
+
+func profileOn(cmd *cobra.Command) error {
+ return nil
+}
+
+func profileOff(cmd *cobra.Command) error {
+ return nil
+}
+
+func setupRootless(cmd *cobra.Command, args []string) error {
+ if rootless.IsRootless() {
+ became, ret, err := rootless.BecomeRootInUserNS()
+ if err != nil {
+ logrus.Errorf(err.Error())
+ os.Exit(1)
+ }
+ if became {
+ os.Exit(ret)
+ }
+ }
+ return nil
+}
diff --git a/cmd/podman/pull.go b/cmd/podman/pull.go
index 2aac28642..491d3a8c2 100644
--- a/cmd/podman/pull.go
+++ b/cmd/podman/pull.go
@@ -46,12 +46,16 @@ func init() {
pullCommand.SetUsageTemplate(UsageTemplate())
flags := pullCommand.Flags()
flags.BoolVar(&pullCommand.AllTags, "all-tags", false, "All tagged images inthe repository will be pulled")
- flags.StringVar(&pullCommand.Authfile, "authfile", "", "Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json. Use REGISTRY_AUTH_FILE environment variable to override")
flags.StringVar(&pullCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys")
flags.StringVar(&pullCommand.Creds, "creds", "", "`Credentials` (USERNAME:PASSWORD) to use for authenticating to a registry")
flags.BoolVarP(&pullCommand.Quiet, "quiet", "q", false, "Suppress output information when pulling images")
- flags.StringVar(&pullCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)")
- flags.BoolVar(&pullCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries")
+
+ // Disabled flags for the remote client
+ if !remote {
+ flags.StringVar(&pullCommand.Authfile, "authfile", "", "Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json. Use REGISTRY_AUTH_FILE environment variable to override")
+ flags.StringVar(&pullCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)")
+ flags.BoolVar(&pullCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries")
+ }
}
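Review bot: Moving `tls-verify` inside `if !remote` means a remote build never registers the flag, so `pullCommand.TlsVerify` keeps Go's zero value `false` instead of the flag default `true`. The code that consumes it is not visible here, but any shared path that reads the field on a remote build would see verification switched off, and a `Flag("tls-verify")` lookup would return nil. Either set the secure default explicitly in an `else` branch (`pullCommand.TlsVerify = true`) or add a comment stating that the remote client never reads these fields. The same applies to the identical block added in cmd/podman/push.go.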
diff --git a/cmd/podman/push.go b/cmd/podman/push.go
index a1dac24ae..a5638a698 100644
--- a/cmd/podman/push.go
+++ b/cmd/podman/push.go
@@ -45,16 +45,20 @@ func init() {
pushCommand.SetUsageTemplate(UsageTemplate())
flags := pushCommand.Flags()
flags.MarkHidden("signature-policy")
- flags.StringVar(&pushCommand.Authfile, "authfile", "", "Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json. Use REGISTRY_AUTH_FILE environment variable to override")
flags.StringVar(&pushCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys")
- flags.BoolVar(&pushCommand.Compress, "compress", false, "Compress tarball image layers when pushing to a directory using the 'dir' transport. (default is same compression type as source)")
flags.StringVar(&pushCommand.Creds, "creds", "", "`Credentials` (USERNAME:PASSWORD) to use for authenticating to a registry")
flags.StringVarP(&pushCommand.Format, "format", "f", "", "Manifest type (oci, v2s1, or v2s2) to use when pushing an image using the 'dir:' transport (default is manifest type of source)")
flags.BoolVarP(&pushCommand.Quiet, "quiet", "q", false, "Don't output progress information when pushing images")
flags.BoolVar(&pushCommand.RemoveSignatures, "remove-signatures", false, "Discard any pre-existing signatures in the image")
- flags.StringVar(&pushCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)")
flags.StringVar(&pushCommand.SignBy, "sign-by", "", "Add a signature at the destination using the specified key")
- flags.BoolVar(&pushCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries")
+
+ // Disabled flags for the remote client
+ if !remote {
+ flags.StringVar(&pushCommand.Authfile, "authfile", "", "Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json. Use REGISTRY_AUTH_FILE environment variable to override")
+ flags.BoolVar(&pushCommand.Compress, "compress", false, "Compress tarball image layers when pushing to a directory using the 'dir' transport. (default is same compression type as source)")
+ flags.StringVar(&pushCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)")
+ flags.BoolVar(&pushCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries")
+ }
}
func pushCmd(c *cliconfig.PushValues) error {
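Review bot: `flags.MarkHidden("signature-policy")` at the top of this init() still runs before the flag is registered, and on remote builds the flag is now never registered at all. pflag's `MarkHidden` returns an error for an unknown flag and that error is discarded, so on local builds the option is presumably still shown in help output. Moving the call into the new block, directly after the `StringVar` for `signature-policy`, and checking its result would make the intent hold: `if err := flags.MarkHidden("signature-policy"); err != nil { logrus.Error(err) }`, assuming logrus is in scope in this file.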
diff --git a/commands.md b/commands.md
index 156a1cdf6..1c05640f2 100644
--- a/commands.md
+++ b/commands.md
@@ -4,8 +4,8 @@
## Podman Commands
-Command | Description | Demo
-:----------------------------------------------------------------------- | :------------------------------------------------------------------------- | :--------------------------------------------------------------------------
+Command | Description | Demo | Script
+:----------------------------------------------------------------------- | :------------------------------------------------------------------------- | :-------------------------------------------------------------------------- | :--------------------------------------------------------------------------
[podman(1)](/docs/podman.1.md) | Simple management tool for pods and images |
[podman-attach(1)](/docs/podman-attach.1.md) | Attach to a running container |
[podman-build(1)](/docs/podman-build.1.md) | Build an image using instructions from Dockerfiles |
@@ -31,7 +31,7 @@ Command | Descr
[podman-image-prune(1)](/docs/podman-image-prune.1.md) | Remove all unused images |
[podman-image-sign(1)](/docs/podman-image-sign.1.md) | Create a signature for an image |
[podman-image-trust(1)](/docs/podman-image-trust.1.md) | Manage container registry image trust policy |
-[podman-images(1)](/docs/podman-images.1.md) | List images in local storage | [![...](/docs/play.png)](https://asciinema.org/a/133649)
+[podman-images(1)](/docs/podman-images.1.md) | List images in local storage | [![...](/docs/play.png)](https://podman.io/asciinema/podman/images/) | [Here](https://github.com/containers/Demos/blob/master/podman_cli/podman_images.sh)
[podman-import(1)](/docs/podman-import.1.md) | Import a tarball and save it as a filesystem image |
[podman-info(1)](/docs/podman-info.1.md) | Display system information |
[podman-inspect(1)](/docs/podman-inspect.1.md) | Display the configuration of a container or image | [![...](/docs/play.png)](https://asciinema.org/a/133418)
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 3c7319963..36b5e01df 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -350,7 +350,7 @@ func (c *Container) teardownStorage() error {
artifacts := filepath.Join(c.config.StaticDir, artifactsDir)
if err := os.RemoveAll(artifacts); err != nil {
- return errors.Wrapf(err, "error removing artifacts %q", artifacts)
+ return errors.Wrapf(err, "error removing container %s artifacts %q", c.ID(), artifacts)
}
if err := c.cleanupStorage(); err != nil {
@@ -1113,13 +1113,13 @@ func (c *Container) cleanup(ctx context.Context) error {
// Remove healthcheck unit/timer file if it execs
if c.config.HealthCheckConfig != nil {
if err := c.removeTimer(); err != nil {
- logrus.Error(err)
+ logrus.Errorf("Error removing timer for container %s healthcheck: %v", c.ID(), err)
}
}
// Clean up network namespace, if present
if err := c.cleanupNetwork(); err != nil {
- lastError = err
+ lastError = errors.Wrapf(err, "error removing container %s network", c.ID())
}
// Unmount storage
@@ -1127,7 +1127,7 @@ func (c *Container) cleanup(ctx context.Context) error {
if lastError != nil {
logrus.Errorf("Error unmounting container %s storage: %v", c.ID(), err)
} else {
- lastError = err
+ lastError = errors.Wrapf(err, "error unmounting container %s storage", c.ID())
}
}
diff --git a/libpod/oci_linux.go b/libpod/oci_linux.go
index 8c0abad80..01f7c3649 100644
--- a/libpod/oci_linux.go
+++ b/libpod/oci_linux.go
@@ -3,15 +3,20 @@
package libpod
import (
+ "fmt"
"os"
"os/exec"
"path/filepath"
+ "runtime"
"strings"
"syscall"
"github.com/containerd/cgroups"
+ "github.com/containers/libpod/pkg/rootless"
"github.com/containers/libpod/utils"
+ pmount "github.com/containers/storage/pkg/mount"
spec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/pkg/errors"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)
@@ -91,6 +96,54 @@ func (r *OCIRuntime) createContainer(ctr *Container, cgroupParent string, restor
return err
}
}
+
+ // if we are running a non privileged container, be sure to umount some kernel paths so they are not
+ // bind mounted inside the container at all.
+ if !ctr.config.Privileged && !rootless.IsRootless() {
+ ch := make(chan error)
+ go func() {
+ runtime.LockOSThread()
+ err := func() error {
+ fd, err := os.Open(fmt.Sprintf("/proc/%d/task/%d/ns/mnt", os.Getpid(), unix.Gettid()))
+ if err != nil {
+ return err
+ }
+ defer fd.Close()
+
+ // create a new mountns on the current thread
+ if err = unix.Unshare(unix.CLONE_NEWNS); err != nil {
+ return err
+ }
+ defer unix.Setns(int(fd.Fd()), unix.CLONE_NEWNS)
+
+ // don't spread our mounts around. We are setting only /sys to be slave
+ // so that the cleanup process is still able to umount the storage and the
+ // changes are propagated to the host.
+ err = unix.Mount("/sys", "/sys", "none", unix.MS_REC|unix.MS_SLAVE, "")
+ if err != nil {
+ return errors.Wrapf(err, "cannot make /sys slave")
+ }
+
+ mounts, err := pmount.GetMounts()
+ if err != nil {
+ return err
+ }
+ for _, m := range mounts {
+ if !strings.HasPrefix(m.Mountpoint, "/sys/kernel") {
+ continue
+ }
+ err = unix.Unmount(m.Mountpoint, 0)
+ if err != nil {
+ return errors.Wrapf(err, "cannot unmount %s", m.Mountpoint)
+ }
+ }
+ return r.createOCIContainer(ctr, cgroupParent, restoreOptions)
+ }()
+ ch <- err
+ }()
+ err := <-ch
+ return err
+ }
}
return r.createOCIContainer(ctr, cgroupParent, restoreOptions)
}
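Review bot: The deferred `unix.Setns(int(fd.Fd()), unix.CLONE_NEWNS)` discards its result, so a failure to return the thread to the original mount namespace goes unnoticed; log it at least, e.g. `defer func() { if err := unix.Setns(int(fd.Fd()), unix.CLONE_NEWNS); err != nil { logrus.Errorf("cannot restore mount namespace: %v", err) } }()`. The goroutine also never calls `runtime.UnlockOSThread()`, which looks deliberate (Go discards a thread whose goroutine exits while locked), but it needs a comment such as `// the thread stays locked on purpose: it must not be reused after unshare`. The filter `strings.HasPrefix(m.Mountpoint, "/sys/kernel")` also matches sibling names that merely start with that string, and a mount nested below another `/sys/kernel` mount would presumably make the parent's `Unmount` fail with EBUSY and abort container creation. Matching `/sys/kernel` exactly or the `/sys/kernel/` prefix, and unmounting the deepest paths first, avoids both. createContainer begins outside this hunk.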
diff --git a/libpod/runtime.go b/libpod/runtime.go
index 4dd2707e8..3b1c2be98 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -870,6 +870,20 @@ func makeRuntime(runtime *Runtime) (err error) {
_, err = os.Stat(runtimeAliveFile)
if err != nil {
+ // If we need to refresh, then it is safe to assume there are
+ // no containers running. Create immediately a namespace, as
+ // we will need to access the storage.
+ if os.Geteuid() != 0 {
+ aliveLock.Unlock()
+ became, ret, err := rootless.BecomeRootInUserNS()
+ if err != nil {
+ return err
+ }
+ if became {
+ os.Exit(ret)
+ }
+
+ }
// If the file doesn't exist, we need to refresh the state
// This will trigger on first use as well, but refreshing an
// empty state only creates a single file
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index 800b42851..85b860268 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -372,7 +372,7 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool,
// Clean up network namespace, cgroups, mounts
if err := c.cleanup(ctx); err != nil {
if cleanupErr == nil {
- cleanupErr = err
+ cleanupErr = errors.Wrapf(err, "error cleaning up container %s", c.ID())
} else {
logrus.Errorf("cleanup network, cgroups, mounts: %v", err)
}
@@ -404,12 +404,14 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool,
// Deallocate the container's lock
if err := c.lock.Free(); err != nil {
if cleanupErr == nil {
- cleanupErr = err
+ cleanupErr = errors.Wrapf(err, "error freeing lock for container %s", c.ID())
} else {
logrus.Errorf("free container lock: %v", err)
}
}
+ c.newContainerEvent(events.Remove)
+
if !removeVolume {
return cleanupErr
}
@@ -425,7 +427,6 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool,
}
}
- c.newContainerEvent(events.Remove)
return cleanupErr
}
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 9b6bd089e..0371b6d4d 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -132,6 +132,9 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
Options: []string{"rprivate", "nosuid", "noexec", "nodev", r, "rbind"},
}
g.AddMount(sysMnt)
+ if !config.Privileged && isRootless {
+ g.AddLinuxMaskedPaths("/sys/kernel")
+ }
}
if isRootless {
nGids, err := getAvailableGids()
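Review bot: The new `g.AddLinuxMaskedPaths("/sys/kernel")` call has no comment, and it sits inside a branch whose condition starts outside this hunk, so it is not obvious from here which rootless containers actually get the mask. A short comment would help, along the lines of `// rootless cannot unmount the /sys/kernel submounts carried in by the rbind of /sys, so mask the directory instead (the root case is handled in createContainer)`, to be confirmed against the oci_linux.go change in this commit. It is also worth confirming that rootless containers which do not take this branch cannot see host `/sys/kernel` mounts through another route.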
diff --git a/test/e2e/images_test.go b/test/e2e/images_test.go
index a253dff63..48a964db4 100644
--- a/test/e2e/images_test.go
+++ b/test/e2e/images_test.go
@@ -43,6 +43,17 @@ var _ = Describe("Podman images", func() {
Expect(session.LineInOuputStartsWith("docker.io/library/busybox")).To(BeTrue())
})
+ It("podman images with no images prints header", func() {
+ rmi := podmanTest.Podman([]string{"rmi", "-a"})
+ rmi.WaitWithDefaultTimeout()
+ Expect(rmi.ExitCode()).To(Equal(0))
+
+ session := podmanTest.Podman([]string{"images"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(len(session.OutputToStringArray())).To(Equal(1))
+ })
+
It("podman image List", func() {
session := podmanTest.Podman([]string{"image", "list"})
session.WaitWithDefaultTimeout()
diff --git a/test/e2e/prune_test.go b/test/e2e/prune_test.go
index 869ca3289..682f7ff2b 100644
--- a/test/e2e/prune_test.go
+++ b/test/e2e/prune_test.go
@@ -82,7 +82,7 @@ var _ = Describe("Podman rm", func() {
prune.WaitWithDefaultTimeout()
Expect(prune.ExitCode()).To(Equal(0))
- images := podmanTest.Podman([]string{"images", "-a"})
+ images := podmanTest.Podman([]string{"images", "-aq"})
images.WaitWithDefaultTimeout()
// all images are unused, so they all should be deleted!
Expect(len(images.OutputToStringArray())).To(Equal(0))
@@ -95,7 +95,7 @@ var _ = Describe("Podman rm", func() {
prune.WaitWithDefaultTimeout()
Expect(prune.ExitCode()).To(Equal(0))
- images := podmanTest.Podman([]string{"images", "-a"})
+ images := podmanTest.Podman([]string{"images", "-aq"})
images.WaitWithDefaultTimeout()
// all images are unused, so they all should be deleted!
Expect(len(images.OutputToStringArray())).To(Equal(0))
diff --git a/test/e2e/rmi_test.go b/test/e2e/rmi_test.go
index 78d175637..e034f24cf 100644
--- a/test/e2e/rmi_test.go
+++ b/test/e2e/rmi_test.go
@@ -270,7 +270,7 @@ RUN find $LOCAL
fmt.Println(session.OutputToString())
Expect(session.ExitCode()).To(Equal(0))
- images := podmanTest.Podman([]string{"images", "--all"})
+ images := podmanTest.Podman([]string{"images", "-aq"})
images.WaitWithDefaultTimeout()
Expect(images.ExitCode()).To(Equal(0))
Expect(len(images.OutputToStringArray())).To(Equal(0))
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 8ae68f33d..188070550 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -31,4 +31,12 @@ echo $rand | 0 | $rand
done < <(parse_table "$tests")
}
+@test "podman run - uidmapping has no /sys/kernel mounts" {
+ run_podman $expected_rc run --uidmapping 0:100:10000 $IMAGE mount | grep /sys/kernel
+ is "$output" "" "podman run $cmd - output"
+
+ run_podman $expected_rc run --net host --uidmapping 0:100:10000 $IMAGE mount | grep /sys/kernel
+ is "$output" "" "podman run $cmd - output"
+}
+
# vim: filetype=sh
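Review bot: The new test cannot detect a regression, because `run_podman ... | grep /sys/kernel` runs `run_podman` in a pipeline subshell, so whatever it stores in `$output` never reaches the following `is "$output" ""` check, which then compares an unset variable with the empty string. `$expected_rc` and `$cmd` are also not assigned anywhere in this test body, so they expand to nothing. Running the command first and filtering its captured output would make the assertion meaningful, assuming `run_podman` sets `$output` in the calling shell: `run_podman run --uidmapping 0:100:10000 $IMAGE mount` followed by `is "$(grep /sys/kernel <<<"$output")" "" "no /sys/kernel mounts with uidmapping"`, and the same for the `--net host` case.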