diff options
93 files changed, 989 insertions, 627 deletions
diff --git a/.cirrus.yml b/.cirrus.yml index bad16f345..dac41dc5f 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -29,9 +29,9 @@ env: #### #### Cache-image names to test with ### - FEDORA_CACHE_IMAGE_NAME: "fedora-30-libpod-5699414987898880" - PRIOR_FEDORA_CACHE_IMAGE_NAME: "fedora-29-libpod-5699414987898880" - UBUNTU_CACHE_IMAGE_NAME: "ubuntu-18-libpod-5699414987898880" + FEDORA_CACHE_IMAGE_NAME: "fedora-30-libpod-5081463649730560" + PRIOR_FEDORA_CACHE_IMAGE_NAME: "fedora-29-libpod-5081463649730560" + UBUNTU_CACHE_IMAGE_NAME: "ubuntu-18-libpod-5081463649730560" #### #### Variables for composing new cache-images (used in PR testing) from diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b86f3e345..59b0a88da 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -48,18 +48,12 @@ First you need to fork this project on GitHub. Be sure to have [defined your `$GOPATH` environment variable](https://github.com/golang/go/wiki/GOPATH). -Create a path that correspond to your clone `mkdir -p $GOPATH/github.com/<you>`. +Create a path that corresponds to the go import paths of libpod: `mkdir -p $GOPATH/src/github.com/containers`. -Clone your fork locally: +Then clone your fork locally: ```shell -$ git clone git@github.com:<you>/libpod github.com/<you> $GOPATH/github.com/<you>/libpod -$ cd $GOPATH/github.com/<you>/libpod -``` - -You can also use `go get` to clone your fork: -```shell -$ go get github.com:<you>/libpod -$ cd $GOPATH/github.com/<you>/libpod +$ git clone git@github.com:<you>/libpod $GOPATH/src/github.com/containers/libpod +$ cd $GOPATH/src/github.com/containers/libpod ``` ### Deal with make @@ -237,6 +237,8 @@ localintegration: varlink_generate test-binaries ginkgo remoteintegration: varlink_generate test-binaries ginkgo-remote localsystem: + # Wipe existing config, database, and cache: start with clean slate. + $(RM) -rf ${HOME}/.local/share/containers ${HOME}/.config/containers if timeout -v 1 true; then PODMAN=./bin/podman bats test/system/; else echo "Skipping localsystem: 'timeout -v' unavailable'"; fi remotesystem: @@ -407,7 +409,7 @@ install.libseccomp.sudo: cmd/podman/varlink/iopodman.go: cmd/podman/varlink/io.podman.varlink - $(GO) generate ./cmd/podman/varlink/... + GO111MODULE=off $(GO) generate ./cmd/podman/varlink/... API.md: cmd/podman/varlink/io.podman.varlink $(GO) generate ./docs/... diff --git a/cmd/podman/build.go b/cmd/podman/build.go index 6e70c6540..5e2b1aa82 100644 --- a/cmd/podman/build.go +++ b/cmd/podman/build.go @@ -62,7 +62,7 @@ func init() { layerFlags := buildahcli.GetLayerFlags(&layerValues) flag = layerFlags.Lookup("layers") flag.Value.Set(useLayers()) - flag.DefValue = (useLayers()) + flag.DefValue = useLayers() flag = layerFlags.Lookup("force-rm") flag.Value.Set("true") flag.DefValue = "true" diff --git a/cmd/podman/common.go b/cmd/podman/common.go index 3cc645f95..9d7c52273 100644 --- a/cmd/podman/common.go +++ b/cmd/podman/common.go @@ -4,11 +4,11 @@ import ( "context" "fmt" "os" - "path/filepath" "strings" "github.com/containers/buildah" "github.com/containers/libpod/cmd/podman/cliconfig" + "github.com/containers/libpod/cmd/podman/shared" "github.com/containers/libpod/libpod/define" "github.com/containers/libpod/pkg/rootless" "github.com/containers/storage" @@ -112,7 +112,7 @@ func getCreateFlags(c *cliconfig.PodmanCommand) { "Attach to STDIN, STDOUT or STDERR (default [])", ) createFlags.String( - "authfile", getAuthFile(""), + "authfile", shared.GetAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override", ) createFlags.String( @@ -502,24 +502,6 @@ func getFormat(c *cliconfig.PodmanCommand) (string, error) { return "", errors.Errorf("unrecognized image type %q", format) } -func getAuthFile(authfile string) string { - if authfile != "" { - return authfile - } - if remote { - return "" - } - authfile = os.Getenv("REGISTRY_AUTH_FILE") - if authfile != "" { - return authfile - } - runtimeDir := os.Getenv("XDG_RUNTIME_DIR") - if runtimeDir != "" { - return filepath.Join(runtimeDir, "containers/auth.json") - } - return "" -} - // scrubServer removes 'http://' or 'https://' from the front of the // server/registry string if either is there. This will be mostly used // for user input from 'podman login' and 'podman logout'. diff --git a/cmd/podman/cp.go b/cmd/podman/cp.go index 2d92fbb47..f6ac5f8f7 100644 --- a/cmd/podman/cp.go +++ b/cmd/podman/cp.go @@ -86,7 +86,7 @@ func copyBetweenHostAndContainer(runtime *libpod.Runtime, src string, dest strin return errors.Errorf("invalid arguments %s, %s you must specify paths", src, dest) } ctr := srcCtr - isFromHostToCtr := (ctr == nil) + isFromHostToCtr := ctr == nil if isFromHostToCtr { ctr = destCtr } @@ -307,7 +307,7 @@ func copy(src, destPath, dest string, idMappingOpts storage.IDMappingOptions, ch if err != nil && !os.IsNotExist(err) { return errors.Wrapf(err, "error checking directory %q", destdir) } - destDirIsExist := (err == nil) + destDirIsExist := err == nil if err = os.MkdirAll(destdir, 0755); err != nil { return errors.Wrapf(err, "error creating directory %q", destdir) } diff --git a/cmd/podman/history.go b/cmd/podman/history.go index cebf99a9f..0998a023c 100644 --- a/cmd/podman/history.go +++ b/cmd/podman/history.go @@ -154,7 +154,7 @@ func getHistoryTemplateOutput(history []*image.History, opts historyOptions) (hi } if opts.human { - createdTime = units.HumanDuration(time.Since((*hist.Created))) + " ago" + createdTime = units.HumanDuration(time.Since(*hist.Created)) + " ago" outputSize = units.HumanSize(float64(hist.Size)) } else { createdTime = (hist.Created).Format(time.RFC3339) diff --git a/cmd/podman/images.go b/cmd/podman/images.go index 3f755efc1..33cf11ab7 100644 --- a/cmd/podman/images.go +++ b/cmd/podman/images.go @@ -280,7 +280,7 @@ func getImagesTemplateOutput(ctx context.Context, images []*adapter.ContainerIma ID: imageID, Digest: img.Digest(), CreatedTime: createdTime, - Created: units.HumanDuration(time.Since((createdTime))) + " ago", + Created: units.HumanDuration(time.Since(createdTime)) + " ago", Size: sizeStr, } imagesOutput = append(imagesOutput, params) diff --git a/cmd/podman/login.go b/cmd/podman/login.go index 3a78adadc..36262fd4d 100644 --- a/cmd/podman/login.go +++ b/cmd/podman/login.go @@ -10,6 +10,7 @@ import ( "github.com/containers/image/pkg/docker/config" "github.com/containers/image/types" "github.com/containers/libpod/cmd/podman/cliconfig" + "github.com/containers/libpod/cmd/podman/shared" "github.com/containers/libpod/libpod/image" "github.com/docker/docker-credential-helpers/credentials" "github.com/pkg/errors" @@ -52,7 +53,7 @@ func init() { flags.BoolVar(&loginCommand.StdinPassword, "password-stdin", false, "Take the password from stdin") // Disabled flags for the remote client if !remote { - flags.StringVar(&loginCommand.Authfile, "authfile", getAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") + flags.StringVar(&loginCommand.Authfile, "authfile", shared.GetAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") flags.StringVar(&loginCommand.CertDir, "cert-dir", "", "Pathname of a directory containing TLS certificates and keys used to connect to the registry") flags.BoolVar(&loginCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") } diff --git a/cmd/podman/logout.go b/cmd/podman/logout.go index 5df838bba..66dc82363 100644 --- a/cmd/podman/logout.go +++ b/cmd/podman/logout.go @@ -6,6 +6,7 @@ import ( "github.com/containers/image/docker" "github.com/containers/image/pkg/docker/config" "github.com/containers/libpod/cmd/podman/cliconfig" + "github.com/containers/libpod/cmd/podman/shared" "github.com/containers/libpod/libpod/image" "github.com/pkg/errors" "github.com/spf13/cobra" @@ -39,7 +40,7 @@ func init() { logoutCommand.SetUsageTemplate(UsageTemplate()) flags := logoutCommand.Flags() flags.BoolVarP(&logoutCommand.All, "all", "a", false, "Remove the cached credentials for all registries in the auth file") - flags.StringVar(&logoutCommand.Authfile, "authfile", getAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") + flags.StringVar(&logoutCommand.Authfile, "authfile", shared.GetAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") markFlagHiddenForRemoteClient("authfile", flags) } diff --git a/cmd/podman/main.go b/cmd/podman/main.go index 248d63753..a8478bda6 100644 --- a/cmd/podman/main.go +++ b/cmd/podman/main.go @@ -2,11 +2,12 @@ package main import ( "context" - "github.com/containers/libpod/libpod" "io" "os" + "path" "github.com/containers/libpod/cmd/podman/cliconfig" + "github.com/containers/libpod/libpod" _ "github.com/containers/libpod/pkg/hooks/0.1.0" "github.com/containers/libpod/pkg/rootless" "github.com/containers/libpod/version" @@ -68,7 +69,7 @@ var mainCommands = []*cobra.Command{ } var rootCmd = &cobra.Command{ - Use: "podman", + Use: path.Base(os.Args[0]), Long: "manage pods and images", RunE: commandRunE(), PersistentPreRunE: func(cmd *cobra.Command, args []string) error { diff --git a/cmd/podman/play_kube.go b/cmd/podman/play_kube.go index 8a611dffa..afdb6cc9b 100644 --- a/cmd/podman/play_kube.go +++ b/cmd/podman/play_kube.go @@ -4,6 +4,7 @@ import ( "fmt" "github.com/containers/libpod/cmd/podman/cliconfig" + "github.com/containers/libpod/cmd/podman/shared" "github.com/containers/libpod/pkg/adapter" "github.com/pkg/errors" "github.com/spf13/cobra" @@ -40,7 +41,7 @@ func init() { flags.BoolVarP(&playKubeCommand.Quiet, "quiet", "q", false, "Suppress output information when pulling images") // Disabled flags for the remote client if !remote { - flags.StringVar(&playKubeCommand.Authfile, "authfile", getAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") + flags.StringVar(&playKubeCommand.Authfile, "authfile", shared.GetAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") flags.StringVar(&playKubeCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys") flags.StringVar(&playKubeCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)") flags.BoolVar(&playKubeCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") diff --git a/cmd/podman/pod_kill.go b/cmd/podman/pod_kill.go index c1ea66126..6be79363a 100644 --- a/cmd/podman/pod_kill.go +++ b/cmd/podman/pod_kill.go @@ -55,7 +55,7 @@ func podKillCmd(c *cliconfig.PodKillValues) error { } defer runtime.Shutdown(false) - var killSignal uint = uint(syscall.SIGTERM) + killSignal := uint(syscall.SIGTERM) if c.Signal != "" { // Check if the signalString provided by the user is valid diff --git a/cmd/podman/pod_stats.go b/cmd/podman/pod_stats.go index c33c97602..97aa52f5d 100644 --- a/cmd/podman/pod_stats.go +++ b/cmd/podman/pod_stats.go @@ -271,7 +271,7 @@ func printPSFormat(format string, stats []*podStatOut, headerNames map[string]st func outputToStdOut(stats []*podStatOut) { w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0) - outFormat := ("%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n") + outFormat := "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n" fmt.Fprintf(w, outFormat, "POD", "CID", "NAME", "CPU %", "MEM USAGE/ LIMIT", "MEM %", "NET IO", "BLOCK IO", "PIDS") for _, i := range stats { if len(stats) == 0 { diff --git a/cmd/podman/ps.go b/cmd/podman/ps.go index eb5181126..75e07d325 100644 --- a/cmd/podman/ps.go +++ b/cmd/podman/ps.go @@ -197,7 +197,11 @@ func init() { } func psCmd(c *cliconfig.PsValues) error { - var watch bool + var ( + watch bool + runtime *adapter.LocalRuntime + err error + ) if c.Watch > 0 { watch = true @@ -210,8 +214,11 @@ func psCmd(c *cliconfig.PsValues) error { if err := checkFlagsPassed(c); err != nil { return errors.Wrapf(err, "error with flags passed") } - - runtime, err := adapter.GetRuntime(getContext(), &c.PodmanCommand) + if !c.Size { + runtime, err = adapter.GetRuntimeNoStore(getContext(), &c.PodmanCommand) + } else { + runtime, err = adapter.GetRuntime(getContext(), &c.PodmanCommand) + } if err != nil { return errors.Wrapf(err, "error creating libpod runtime") } @@ -308,57 +315,6 @@ func sortPsOutput(sortBy string, psOutput psSorted) (psSorted, error) { return psOutput, nil } -// getLabels converts the labels to a string of the form "key=value, key2=value2" -func formatLabels(labels map[string]string) string { - var arr []string - if len(labels) > 0 { - for key, val := range labels { - temp := key + "=" + val - arr = append(arr, temp) - } - return strings.Join(arr, ",") - } - return "" -} - -// getMounts converts the volumes mounted to a string of the form "mount1, mount2" -// it truncates it if noTrunc is false -func getMounts(mounts []string, noTrunc bool) string { - return strings.Join(getMountsArray(mounts, noTrunc), ",") -} - -func getMountsArray(mounts []string, noTrunc bool) []string { - var arr []string - if len(mounts) == 0 { - return mounts - } - for _, mount := range mounts { - splitArr := strings.Split(mount, ":") - if len(splitArr[0]) > mountTruncLength && !noTrunc { - arr = append(arr, splitArr[0][:mountTruncLength]+"...") - continue - } - arr = append(arr, splitArr[0]) - } - return arr -} - -// portsToString converts the ports used to a string of the from "port1, port2" -func portsToString(ports []ocicni.PortMapping) string { - var portDisplay []string - if len(ports) == 0 { - return "" - } - for _, v := range ports { - hostIP := v.HostIP - if hostIP == "" { - hostIP = "0.0.0.0" - } - portDisplay = append(portDisplay, fmt.Sprintf("%s:%d->%d/%s", hostIP, v.HostPort, v.ContainerPort, v.Protocol)) - } - return strings.Join(portDisplay, ", ") -} - func printFormat(format string, containers []shared.PsContainerOutput) error { // return immediately if no containers are present if len(containers) == 0 { diff --git a/cmd/podman/pull.go b/cmd/podman/pull.go index 115f437d8..61cf1fd4d 100644 --- a/cmd/podman/pull.go +++ b/cmd/podman/pull.go @@ -11,10 +11,11 @@ import ( "github.com/containers/image/transports/alltransports" "github.com/containers/image/types" "github.com/containers/libpod/cmd/podman/cliconfig" + "github.com/containers/libpod/cmd/podman/shared" "github.com/containers/libpod/libpod/image" "github.com/containers/libpod/pkg/adapter" "github.com/containers/libpod/pkg/util" - opentracing "github.com/opentracing/opentracing-go" + "github.com/opentracing/opentracing-go" "github.com/pkg/errors" "github.com/sirupsen/logrus" "github.com/spf13/cobra" @@ -55,7 +56,7 @@ func init() { flags.BoolVarP(&pullCommand.Quiet, "quiet", "q", false, "Suppress output information when pulling images") // Disabled flags for the remote client if !remote { - flags.StringVar(&pullCommand.Authfile, "authfile", getAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") + flags.StringVar(&pullCommand.Authfile, "authfile", shared.GetAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") flags.StringVar(&pullCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys") flags.StringVar(&pullCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)") flags.BoolVar(&pullCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") diff --git a/cmd/podman/push.go b/cmd/podman/push.go index 497820156..a15d8e699 100644 --- a/cmd/podman/push.go +++ b/cmd/podman/push.go @@ -10,6 +10,7 @@ import ( "github.com/containers/image/manifest" "github.com/containers/image/types" "github.com/containers/libpod/cmd/podman/cliconfig" + "github.com/containers/libpod/cmd/podman/shared" "github.com/containers/libpod/libpod/image" "github.com/containers/libpod/pkg/adapter" "github.com/containers/libpod/pkg/util" @@ -57,7 +58,7 @@ func init() { // Disabled flags for the remote client if !remote { - flags.StringVar(&pushCommand.Authfile, "authfile", getAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") + flags.StringVar(&pushCommand.Authfile, "authfile", shared.GetAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") flags.StringVar(&pushCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys") flags.BoolVar(&pushCommand.Compress, "compress", false, "Compress tarball image layers when pushing to a directory using the 'dir' transport. (default is same compression type as source)") flags.StringVar(&pushCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)") diff --git a/cmd/podman/run.go b/cmd/podman/run.go index 7d84d716b..6f089e5a4 100644 --- a/cmd/podman/run.go +++ b/cmd/podman/run.go @@ -3,7 +3,7 @@ package main import ( "github.com/containers/libpod/cmd/podman/cliconfig" "github.com/containers/libpod/pkg/adapter" - opentracing "github.com/opentracing/opentracing-go" + "github.com/opentracing/opentracing-go" "github.com/pkg/errors" "github.com/spf13/cobra" ) diff --git a/cmd/podman/runlabel.go b/cmd/podman/runlabel.go index be5d29139..fdbf7fa8f 100644 --- a/cmd/podman/runlabel.go +++ b/cmd/podman/runlabel.go @@ -61,7 +61,7 @@ func init() { flags.BoolVarP(&runlabelCommand.Quiet, "quiet", "q", false, "Suppress output information when installing images") // Disabled flags for the remote client if !remote { - flags.StringVar(&runlabelCommand.Authfile, "authfile", getAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") + flags.StringVar(&runlabelCommand.Authfile, "authfile", shared.GetAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") flags.StringVar(&runlabelCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys") flags.StringVar(&runlabelCommand.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)") flags.BoolVar(&runlabelCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") diff --git a/cmd/podman/search.go b/cmd/podman/search.go index ba04002f6..f1c625ee1 100644 --- a/cmd/podman/search.go +++ b/cmd/podman/search.go @@ -7,6 +7,7 @@ import ( "github.com/containers/buildah/pkg/formats" "github.com/containers/image/types" "github.com/containers/libpod/cmd/podman/cliconfig" + "github.com/containers/libpod/cmd/podman/shared" "github.com/containers/libpod/libpod/image" "github.com/pkg/errors" "github.com/spf13/cobra" @@ -49,7 +50,7 @@ func init() { flags.BoolVar(&searchCommand.NoTrunc, "no-trunc", false, "Do not truncate the output") // Disabled flags for the remote client if !remote { - flags.StringVar(&searchCommand.Authfile, "authfile", getAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") + flags.StringVar(&searchCommand.Authfile, "authfile", shared.GetAuthFile(""), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") flags.BoolVar(&searchCommand.TlsVerify, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") } } diff --git a/cmd/podman/shared/container.go b/cmd/podman/shared/container.go index de850a7c3..df4583be6 100644 --- a/cmd/podman/shared/container.go +++ b/cmd/podman/shared/container.go @@ -279,8 +279,8 @@ func generateContainerFilterFuncs(filter, filterValue string, r *libpod.Runtime) return strings.Contains(c.ID(), filterValue) }, nil case "label": - var filterArray []string = strings.SplitN(filterValue, "=", 2) - var filterKey string = filterArray[0] + var filterArray = strings.SplitN(filterValue, "=", 2) + var filterKey = filterArray[0] if len(filterArray) > 1 { filterValue = filterArray[1] } else { diff --git a/cmd/podman/shared/container_inspect.go b/cmd/podman/shared/container_inspect.go index c89daf6bb..a8094466e 100644 --- a/cmd/podman/shared/container_inspect.go +++ b/cmd/podman/shared/container_inspect.go @@ -4,7 +4,7 @@ import ( "github.com/containers/libpod/libpod" cc "github.com/containers/libpod/pkg/spec" "github.com/docker/go-connections/nat" - specs "github.com/opencontainers/runtime-spec/specs-go" + "github.com/opencontainers/runtime-spec/specs-go" ) // InspectContainer holds all inspect data for a container. diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go index 31ac9a3a1..64cef1e89 100644 --- a/cmd/podman/shared/create.go +++ b/cmd/podman/shared/create.go @@ -77,7 +77,7 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod. writer = os.Stderr } - newImage, err := runtime.ImageRuntime().New(ctx, c.InputArgs[0], rtc.SignaturePolicyPath, "", writer, nil, image.SigningOptions{}, false, nil) + newImage, err := runtime.ImageRuntime().New(ctx, c.InputArgs[0], rtc.SignaturePolicyPath, GetAuthFile(""), writer, nil, image.SigningOptions{}, false, nil) if err != nil { return nil, nil, err } diff --git a/cmd/podman/shared/funcs.go b/cmd/podman/shared/funcs.go index c189cceeb..2ceb9cdcb 100644 --- a/cmd/podman/shared/funcs.go +++ b/cmd/podman/shared/funcs.go @@ -9,6 +9,21 @@ import ( "github.com/google/shlex" ) +func GetAuthFile(authfile string) string { + if authfile != "" { + return authfile + } + authfile = os.Getenv("REGISTRY_AUTH_FILE") + if authfile != "" { + return authfile + } + runtimeDir := os.Getenv("XDG_RUNTIME_DIR") + if runtimeDir != "" { + return filepath.Join(runtimeDir, "containers/auth.json") + } + return "" +} + func substituteCommand(cmd string) (string, error) { var ( newCommand string diff --git a/cmd/podman/tree.go b/cmd/podman/tree.go index 0f62858e8..48e192990 100644 --- a/cmd/podman/tree.go +++ b/cmd/podman/tree.go @@ -127,7 +127,7 @@ func printImageChildren(layerMap map[string]*image.LayerInfo, layerID string, pr } fmt.Printf("%sID: %s Size: %7v%s\n", intend, ll.ID[:12], units.HumanSizeWithPrecision(float64(ll.Size), 4), tags) for count, childID := range ll.ChildID { - if err := printImageChildren(layerMap, childID, prefix, (count == len(ll.ChildID)-1)); err != nil { + if err := printImageChildren(layerMap, childID, prefix, count == len(ll.ChildID)-1); err != nil { return err } } diff --git a/contrib/cirrus/build_vm_images.sh b/contrib/cirrus/build_vm_images.sh index 805aba428..f5d53a92e 100755 --- a/contrib/cirrus/build_vm_images.sh +++ b/contrib/cirrus/build_vm_images.sh @@ -3,13 +3,11 @@ set -e source $(dirname $0)/lib.sh -ENV_VARS='CNI_COMMIT CONMON_COMMIT PACKER_BUILDS BUILT_IMAGE_SUFFIX UBUNTU_BASE_IMAGE FEDORA_BASE_IMAGE PRIOR_FEDORA_BASE_IMAGE SERVICE_ACCOUNT GCE_SSH_USERNAME GCP_PROJECT_ID PACKER_VER SCRIPT_BASE PACKER_BASE' +ENV_VARS='PACKER_BUILDS BUILT_IMAGE_SUFFIX UBUNTU_BASE_IMAGE FEDORA_BASE_IMAGE PRIOR_FEDORA_BASE_IMAGE SERVICE_ACCOUNT GCE_SSH_USERNAME GCP_PROJECT_ID PACKER_VER SCRIPT_BASE PACKER_BASE' req_env_var $ENV_VARS # Must also be made available through make, into packer process export $ENV_VARS -show_env_vars - # Everything here is running on the 'image-builder-image' GCE image # Assume basic dependencies are all met, but there could be a newer version # of the packer binary @@ -27,21 +25,12 @@ fi cd "$GOSRC/$PACKER_BASE" -# Separate PR-produced images from those produced on master. -if [[ "${CIRRUS_BRANCH:-}" == "master" ]] -then - POST_MERGE_BUCKET_SUFFIX="-master" -else - POST_MERGE_BUCKET_SUFFIX="" -fi - make libpod_images \ PACKER_BUILDS=$PACKER_BUILDS \ PACKER_VER=$PACKER_VER \ GOSRC=$GOSRC \ SCRIPT_BASE=$SCRIPT_BASE \ PACKER_BASE=$PACKER_BASE \ - POST_MERGE_BUCKET_SUFFIX=$POST_MERGE_BUCKET_SUFFIX \ BUILT_IMAGE_SUFFIX=$BUILT_IMAGE_SUFFIX # When successful, upload manifest of produced images using a filename unique diff --git a/contrib/cirrus/integration_test.sh b/contrib/cirrus/integration_test.sh index 1b731cb9c..cfaf33b85 100755 --- a/contrib/cirrus/integration_test.sh +++ b/contrib/cirrus/integration_test.sh @@ -1,6 +1,7 @@ #!/bin/bash set -e + source $(dirname $0)/lib.sh req_env_var GOSRC SCRIPT_BASE OS_RELEASE_ID OS_RELEASE_VER CONTAINER_RUNTIME diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh index 67e858526..ea0f9e326 100644 --- a/contrib/cirrus/lib.sh +++ b/contrib/cirrus/lib.sh @@ -54,16 +54,24 @@ PACKER_VER="1.3.5" # CSV of cache-image names to build (see $PACKER_BASE/libpod_images.json) # Base-images rarely change, define them here so they're out of the way. -PACKER_BUILDS="${PACKER_BUILDS:-ubuntu-18,fedora-30,fedora-29}" +export PACKER_BUILDS="${PACKER_BUILDS:-ubuntu-18,fedora-30,fedora-29}" # Google-maintained base-image names -UBUNTU_BASE_IMAGE="ubuntu-1804-bionic-v20181203a" +export UBUNTU_BASE_IMAGE="ubuntu-1804-bionic-v20181203a" # Manually produced base-image names (see $SCRIPT_BASE/README.md) -FEDORA_BASE_IMAGE="fedora-cloud-base-30-1-2-1559164849" -PRIOR_FEDORA_BASE_IMAGE="fedora-cloud-base-29-1-2-1559164849" -BUILT_IMAGE_SUFFIX="${BUILT_IMAGE_SUFFIX:--$CIRRUS_REPO_NAME-${CIRRUS_BUILD_ID}}" +export FEDORA_BASE_IMAGE="fedora-cloud-base-30-1-2-1559164849" +export PRIOR_FEDORA_BASE_IMAGE="fedora-cloud-base-29-1-2-1559164849" +export BUILT_IMAGE_SUFFIX="${BUILT_IMAGE_SUFFIX:--$CIRRUS_REPO_NAME-${CIRRUS_BUILD_ID}}" # IN_PODMAN container image IN_PODMAN_IMAGE="quay.io/libpod/in_podman:latest" +# Avoid getting stuck waiting for user input +export DEBIAN_FRONTEND="noninteractive" +SUDOAPTGET="ooe.sh sudo -E apt-get -qq --yes" +SUDOAPTADD="ooe.sh sudo -E add-apt-repository --yes" +# Short-cuts for retrying/timeout calls +LILTO="timeout_attempt_delay_command 24s 5 30s" +BIGTO="timeout_attempt_delay_command 300s 5 30s" + # Safe env. vars. to transfer from root -> $ROOTLESS_USER (go env handled separetly) ROOTLESS_ENV_RE='(CIRRUS_.+)|(ROOTLESS_.+)|(.+_IMAGE.*)|(.+_BASE)|(.*DIRPATH)|(.*FILEPATH)|(SOURCE.*)|(DEPEND.*)|(.+_DEPS_.+)|(OS_REL.*)|(.+_ENV_RE)|(TRAVIS)|(CI.+)|(TEST_REMOTE.*)' # Unsafe env. vars for display @@ -147,9 +155,6 @@ show_env_vars() { # Supports older BASH versions printf " ${_env_var_name}=%q\n" "$(printenv $_env_var_name)" done - echo "" - echo "##### $(go version) #####" - echo "" } die() { @@ -173,6 +178,35 @@ stub() { echo "STUB: Pretending to do $1" } +timeout_attempt_delay_command() { + TIMEOUT=$1 + ATTEMPTS=$2 + DELAY=$3 + shift 3 + STDOUTERR=$(mktemp -p '' $(basename $0)_XXXXX) + req_env_var ATTEMPTS DELAY + echo "Retrying $ATTEMPTS times with a $DELAY delay, and $TIMEOUT timeout for command: $@" + for (( COUNT=1 ; COUNT <= $ATTEMPTS ; COUNT++ )) + do + echo "##### (attempt #$COUNT)" &>> "$STDOUTERR" + if timeout --foreground $TIMEOUT "$@" &>> "$STDOUTERR" + then + echo "##### (success after #$COUNT attempts)" &>> "$STDOUTERR" + break + else + echo "##### (failed with exit: $?)" &>> "$STDOUTERR" + sleep $DELAY + fi + done + cat "$STDOUTERR" + rm -f "$STDOUTERR" + if (( COUNT > $ATTEMPTS )) + then + echo "##### (exceeded $ATTEMPTS attempts)" + exit 125 + fi +} + ircmsg() { req_env_var CIRRUS_TASK_ID IRCID [[ -n "$*" ]] || die 9 "ircmsg() invoked without message text argument" @@ -187,7 +221,7 @@ ircmsg() { } setup_rootless() { - req_env_var ROOTLESS_USER GOSRC + req_env_var ROOTLESS_USER GOSRC SECRET_ENV_RE ROOTLESS_ENV_RE # Only do this once if passwd --status $ROOTLESS_USER @@ -261,7 +295,7 @@ setup_rootless() { install_ooe() { req_env_var SCRIPT_BASE echo "Installing script to mask stdout/stderr unless non-zero exit." - sudo install -D -m 755 "/tmp/libpod/$SCRIPT_BASE/ooe.sh" /usr/local/bin/ooe.sh + sudo install -D -m 755 "$GOSRC/$SCRIPT_BASE/ooe.sh" /usr/local/bin/ooe.sh } # Grab a newer version of git from software collections @@ -278,110 +312,34 @@ EOF sudo chmod 755 /usr/bin/git } -install_cni_plugins() { - echo "Installing CNI Plugins from commit $CNI_COMMIT" - req_env_var GOPATH CNI_COMMIT - DEST="$GOPATH/src/github.com/containernetworking/plugins" - rm -rf "$DEST" - ooe.sh git clone "https://github.com/containernetworking/plugins.git" "$DEST" - cd "$DEST" - ooe.sh git checkout -q "$CNI_COMMIT" - ooe.sh ./build.sh - sudo mkdir -p /usr/libexec/cni - sudo cp bin/* /usr/libexec/cni +install_test_configs(){ + echo "Installing cni config, policy and registry config" + req_env_var GOSRC + sudo install -D -m 755 $GOSRC/cni/87-podman-bridge.conflist \ + /etc/cni/net.d/87-podman-bridge.conflist + sudo install -D -m 755 $GOSRC/test/policy.json \ + /etc/containers/policy.json + sudo install -D -m 755 $GOSRC/test/registries.conf \ + /etc/containers/registries.conf } -install_runc_from_git(){ - req_env_var GOPATH OS_RELEASE_ID RUNC_COMMIT - wd=$(pwd) - DEST="$GOPATH/src/github.com/opencontainers/runc" - rm -rf "$DEST" - ooe.sh git clone https://github.com/opencontainers/runc.git "$DEST" - cd "$DEST" - ooe.sh git fetch origin --tags - ooe.sh git checkout -q "$RUNC_COMMIT" - if [[ "${OS_RELEASE_ID}" == "ubuntu" ]] +remove_packaged_podman_files(){ + show_and_store_warning "Removing packaged podman files to prevent conflicts with source build and testing." + req_env_var OS_RELEASE_ID + if [[ "$OS_RELEASE_ID" =~ "ubuntu" ]] then - ooe.sh make static BUILDTAGS="seccomp apparmor" + LISTING_CMD="sudo -E dpkg-query -L podman" else - ooe.sh make BUILDTAGS="seccomp selinux" + LISTING_CMD='sudo rpm -ql podman' fi - sudo install -m 755 runc /usr/bin/runc - cd $wd -} -install_runc(){ - echo "Installing RunC from commit $RUNC_COMMIT" - echo "Platform is $OS_RELEASE_ID" - req_env_var GOPATH RUNC_COMMIT OS_RELEASE_ID - if [[ "$OS_RELEASE_ID" =~ "ubuntu" ]]; then - echo "Running make install.libseccomp.sudo for ubuntu" - if ! [[ -d "/tmp/libpod" ]] - then - echo "Expecting a copy of libpod repository in /tmp/libpod" - exit 5 - fi - mkdir -p "$GOPATH/src/github.com/containers/" - # Symlinks don't work with Go - cp -a /tmp/libpod "$GOPATH/src/github.com/containers/" - cd "$GOPATH/src/github.com/containers/libpod" - ooe.sh sudo make install.libseccomp.sudo - fi - install_runc_from_git -} - -install_buildah() { - echo "Installing buildah from latest upstream master" - req_env_var GOPATH - DEST="$GOPATH/src/github.com/containers/buildah" - rm -rf "$DEST" - ooe.sh git clone https://github.com/containers/buildah "$DEST" - cd "$DEST" - ooe.sh make - ooe.sh sudo make install -} - -# Requires $GOPATH and $CONMON_COMMIT to be set -install_conmon(){ - echo "Installing conmon from commit $CONMON_COMMIT" - req_env_var GOPATH CONMON_COMMIT - DEST="$GOPATH/src/github.com/containers/conmon.git" - rm -rf "$DEST" - ooe.sh git clone https://github.com/containers/conmon.git "$DEST" - cd "$DEST" - ooe.sh git fetch origin --tags - ooe.sh git checkout -q "$CONMON_COMMIT" - ooe.sh make - sudo install -D -m 755 bin/conmon /usr/libexec/podman/conmon -} - -install_criu(){ - echo "Installing CRIU" - echo "Installing CRIU from commit $CRIU_COMMIT" - echo "Platform is $OS_RELEASE_ID" - req_env_var CRIU_COMMIT - - if [[ "$OS_RELEASE_ID" =~ "ubuntu" ]]; then - ooe.sh sudo -E add-apt-repository -y ppa:criu/ppa - ooe.sh sudo -E apt-get -qq -y update - ooe.sh sudo -E apt-get -qq -y install criu - elif [[ "$OS_RELEASE_ID" =~ "fedora" ]]; then - echo "Using CRIU from distribution" - else - DEST="/tmp/criu" - rm -rf "$DEST" - ooe.sh git clone https://github.com/checkpoint-restore/criu.git "$DEST" - cd $DEST - ooe.sh git fetch origin --tags - ooe.sh git checkout -q "$CRIU_COMMIT" - ooe.sh make - sudo install -D -m 755 criu/criu /usr/sbin/ - fi -} - -install_varlink() { - echo "Installing varlink from the cheese-factory" - ooe.sh sudo -H pip3 install varlink + # yum/dnf/dpkg may list system directories, only remove files + $LISTING_CMD | while read fullpath + do + # TODO: This can go away when conmon gets it's own package + if [[ -d "$fullpath" ]] || [[ $(basename "$fullpath") == "conmon" ]] ; then continue; fi + ooe.sh sudo rm -vf "$fullpath" + done } _finalize(){ @@ -394,7 +352,7 @@ _finalize(){ sudo rm -rf /home/* sudo rm -rf /tmp/* sudo rm -rf /tmp/.??* - sync + sudo sync sudo fstrim -av } @@ -417,6 +375,7 @@ rh_finalize(){ ubuntu_finalize(){ set +e # Don't fail at the very end echo "Resetting to fresh-state for usage as cloud-image." + $LILTO $SUDOAPTGET autoremove sudo rm -rf /var/cache/apt _finalize } diff --git a/contrib/cirrus/packer/fedora_setup.sh b/contrib/cirrus/packer/fedora_setup.sh index 4388dc992..eb95db907 100644 --- a/contrib/cirrus/packer/fedora_setup.sh +++ b/contrib/cirrus/packer/fedora_setup.sh @@ -8,7 +8,7 @@ set -e # Load in library (copied by packer, before this script was run) source /tmp/libpod/$SCRIPT_BASE/lib.sh -req_env_var SCRIPT_BASE FEDORA_CNI_COMMIT CNI_COMMIT CONMON_COMMIT CRIU_COMMIT +req_env_var SCRIPT_BASE install_ooe @@ -17,11 +17,16 @@ trap "sudo rm -rf $GOPATH" EXIT ooe.sh sudo dnf update -y +echo "Installing general build/test dependencies" ooe.sh sudo dnf install -y \ atomic-registries \ bats \ + bridge-utils \ btrfs-progs-devel \ bzip2 \ + container-selinux \ + containernetworking-plugins \ + containers-common \ criu \ device-mapper-devel \ emacs-nox \ @@ -32,22 +37,24 @@ ooe.sh sudo dnf install -y \ gnupg \ golang \ golang-github-cpuguy83-go-md2man \ - golang-github-cpuguy83-go-md2man \ gpgme-devel \ - iptables \ iproute \ + iptables \ jq \ libassuan-devel \ libcap-devel \ libnet \ libnet-devel \ libnl3-devel \ + libseccomp \ libseccomp-devel \ libselinux-devel \ lsof \ make \ nmap-ncat \ + ostree \ ostree-devel \ + podman \ procps-ng \ protobuf \ protobuf-c \ @@ -61,7 +68,7 @@ ooe.sh sudo dnf install -y \ python3-psutil \ python3-pytoml \ runc \ - skopeo-containers \ + selinux-policy-devel \ slirp4netns \ unzip \ vim \ @@ -69,15 +76,8 @@ ooe.sh sudo dnf install -y \ xz \ zip -install_varlink - -install_conmon - -CNI_COMMIT=$FEDORA_CNI_COMMIT -install_cni_plugins - sudo /tmp/libpod/hack/install_catatonit.sh -rh_finalize # N/B: Halts system! +rh_finalize echo "SUCCESS!" diff --git a/contrib/cirrus/packer/libpod_images.yml b/contrib/cirrus/packer/libpod_images.yml index c25da25ac..91ed3b474 100644 --- a/contrib/cirrus/packer/libpod_images.yml +++ b/contrib/cirrus/packer/libpod_images.yml @@ -7,13 +7,6 @@ variables: FEDORA_BASE_IMAGE: '{{env `FEDORA_BASE_IMAGE`}}' PRIOR_FEDORA_BASE_IMAGE: '{{env `PRIOR_FEDORA_BASE_IMAGE`}}' - # libpod dependencies to build and install into images - FEDORA_CNI_COMMIT: "{{env `FEDORA_CNI_COMMIT`}}" - CNI_COMMIT: "{{env `CNI_COMMIT`}}" - CONMON_COMMIT: "{{env `CONMON_COMMIT`}}" - CRIU_COMMIT: "{{env `CRIU_COMMIT`}}" - RUNC_COMMIT: "{{env `RUNC_COMMIT`}}" - BUILT_IMAGE_SUFFIX: '{{env `BUILT_IMAGE_SUFFIX`}}' GOSRC: '{{env `GOSRC`}}' PACKER_BASE: '{{env `PACKER_BASE`}}' @@ -25,10 +18,6 @@ variables: SERVICE_ACCOUNT: '{{env `SERVICE_ACCOUNT`}}' GOOGLE_APPLICATION_CREDENTIALS: '{{env `GOOGLE_APPLICATION_CREDENTIALS`}}' - # Used to separate images produced during PR testing from those - # produced from post-merge testing. Must be empty for PR testing. - POST_MERGE_BUCKET_SUFFIX: '' - # Don't leak sensitive values in error messages / output sensitive-variables: - 'GCE_SSH_USERNAME' @@ -72,12 +61,7 @@ provisioners: script: '{{user `GOSRC`}}/{{user `PACKER_BASE`}}/{{split build_name "-" 0}}_setup.sh' environment_vars: - 'GOSRC=/tmp/libpod' - - 'CNI_COMMIT={{user `CNI_COMMIT`}}' - - 'FEDORA_CNI_COMMIT={{user `FEDORA_CNI_COMMIT`}}' - - 'CONMON_COMMIT={{user `CONMON_COMMIT`}}' - - 'CRIU_COMMIT={{user `CRIU_COMMIT`}}' - - 'RUNC_COMMIT={{user `RUNC_COMMIT`}}' - 'SCRIPT_BASE={{user `SCRIPT_BASE`}}' post-processors: - - - type: 'manifest' # writes packer-manifest.json + - type: 'manifest' # writes packer-manifest.json diff --git a/contrib/cirrus/packer/ubuntu_setup.sh b/contrib/cirrus/packer/ubuntu_setup.sh index f183932c1..6209f2f89 100644 --- a/contrib/cirrus/packer/ubuntu_setup.sh +++ b/contrib/cirrus/packer/ubuntu_setup.sh @@ -6,31 +6,28 @@ set -e # Load in library (copied by packer, before this script was run) -source /tmp/libpod/$SCRIPT_BASE/lib.sh +source $GOSRC/$SCRIPT_BASE/lib.sh -req_env_var SCRIPT_BASE CNI_COMMIT CONMON_COMMIT CRIU_COMMIT +req_env_var SCRIPT_BASE install_ooe export GOPATH="$(mktemp -d)" trap "sudo rm -rf $GOPATH" EXIT -# Avoid getting stuck waiting for user input -export DEBIAN_FRONTEND=noninteractive +echo "Updating/configuring package repositories." +$LILTO $SUDOAPTGET update +$LILTO $SUDOAPTGET install software-properties-common +$LILTO $SUDOAPTADD ppa:longsleep/golang-backports +$LILTO $SUDOAPTADD ppa:projectatomic/ppa +$LILTO $SUDOAPTADD ppa:criu/ppa -# Try twice as workaround for minor networking problems -echo "Updating system and installing package dependencies" -ooe.sh sudo -E apt-get -qq update || sudo -E apt-get -qq update -ooe.sh sudo -E apt-get -qq upgrade || sudo -E apt-get -qq upgrade -ooe.sh sudo -E apt-get -qq install software-properties-common +echo "Upgrading all packages" +$LILTO $SUDOAPTGET update +$BIGTO $SUDOAPTGET upgrade -# Required to have Go 1.11 on Ubuntu 18.0.4 -ooe.sh sudo -E add-apt-repository --yes ppa:longsleep/golang-backports -ooe.sh sudo -E add-apt-repository --yes ppa:projectatomic/ppa -ooe.sh sudo -E add-apt-repository --yes ppa:criu/ppa -ooe.sh sudo -E apt-get -qq update || sudo -E apt-get -qq update - -ooe.sh sudo -E apt-get -qq install \ +echo "Installing general testing and system dependencies" +$BIGTO $SUDOAPTGET install \ apparmor \ autoconf \ automake \ @@ -38,6 +35,8 @@ ooe.sh sudo -E apt-get -qq install \ bison \ btrfs-tools \ build-essential \ + containernetworking-plugins \ + containers-common \ cri-o-runc \ criu \ curl \ @@ -73,6 +72,7 @@ ooe.sh sudo -E apt-get -qq install \ lsof \ netcat \ pkg-config \ + podman \ protobuf-c-compiler \ protobuf-compiler \ python-future \ @@ -83,29 +83,22 @@ ooe.sh sudo -E apt-get -qq install \ python3-psutil \ python3-pytoml \ python3-setuptools \ + slirp4netns \ + skopeo \ socat \ unzip \ vim \ xz-utils \ zip -echo "Fixing Ubuntu kernel not enabling swap accounting by default" +echo "Forced Ubuntu 18 kernel to enable cgroup swap accounting." SEDCMD='s/^GRUB_CMDLINE_LINUX="(.*)"/GRUB_CMDLINE_LINUX="\1 cgroup_enable=memory swapaccount=1"/g' ooe.sh sudo sed -re "$SEDCMD" -i /etc/default/grub.d/* ooe.sh sudo sed -re "$SEDCMD" -i /etc/default/grub ooe.sh sudo update-grub -install_conmon - -install_cni_plugins - sudo /tmp/libpod/hack/install_catatonit.sh - -install_varlink - -sudo mkdir -p /etc/containers -sudo curl https://raw.githubusercontent.com/projectatomic/registries/master/registries.fedora\ - -o /etc/containers/registries.conf +ooe.sh sudo make -C /tmp/libpod install.libseccomp.sudo ubuntu_finalize diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh index 7592afbc1..f312e593a 100755 --- a/contrib/cirrus/setup_environment.sh +++ b/contrib/cirrus/setup_environment.sh @@ -6,12 +6,13 @@ source $(dirname $0)/lib.sh req_env_var USER HOME GOSRC SCRIPT_BASE SETUP_MARKER_FILEPATH +show_env_vars + # Ensure this script only executes successfully once and always logs ending timestamp [[ ! -e "$SETUP_MARKER_FILEPATH" ]] || exit 0 exithandler() { RET=$? - set +e - show_env_vars + echo "." echo "$(basename $0) exit status: $RET" [[ "$RET" -eq "0" ]] && date +%s >> "$SETUP_MARKER_FILEPATH" } @@ -31,6 +32,7 @@ done # Anything externally dependent, should be made fixed-in-time by adding to # contrib/cirrus/packer/*_setup.sh to be incorporated into VM cache-images # (see docs). +cd "${GOSRC}/" case "${OS_REL_VER}" in ubuntu-18) ;; fedora-30) ;; @@ -42,20 +44,10 @@ case "${OS_REL_VER}" in *) bad_os_id_ver ;; esac -cd "${GOSRC}/" # Reload to incorporate any changes from above source "$SCRIPT_BASE/lib.sh" -echo "Installing cni config, policy and registry config" -req_env_var GOSRC -sudo install -D -m 755 $GOSRC/cni/87-podman-bridge.conflist \ - /etc/cni/net.d/87-podman-bridge.conflist -sudo install -D -m 755 $GOSRC/test/policy.json \ - /etc/containers/policy.json -sudo install -D -m 755 $GOSRC/test/registries.conf \ - /etc/containers/registries.conf -# cri-o if installed will mess with testing in non-obvious ways -rm -f /etc/cni/net.d/*cri* +install_test_configs make install.tools diff --git a/contrib/cirrus/unit_test.sh b/contrib/cirrus/unit_test.sh index 50801a8e4..004839f17 100755 --- a/contrib/cirrus/unit_test.sh +++ b/contrib/cirrus/unit_test.sh @@ -1,11 +1,11 @@ #!/bin/bash set -e + source $(dirname $0)/lib.sh req_env_var GOSRC -set -x cd "$GOSRC" make install.tools make localunit diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md index e22666402..9cf3e038d 100644 --- a/docs/podman-create.1.md +++ b/docs/podman-create.1.md @@ -268,7 +268,7 @@ The following example maps uids 0-2000 in the container to the uids 30000-31999 Add additional groups to run as -**--healthcheck**=*command* +**--healthcheck-command**=*command* Set or alter a healthcheck command for a container. The command is a command to be executed inside your container that determines your container health. The command is required for other healthcheck options diff --git a/docs/podman-generate-systemd.1.md b/docs/podman-generate-systemd.1.md index 09752480d..64e68a69a 100644 --- a/docs/podman-generate-systemd.1.md +++ b/docs/podman-generate-systemd.1.md @@ -39,7 +39,7 @@ ExecStart=/usr/bin/podman start c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f14 ExecStop=/usr/bin/podman stop -t 10 c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f145e3b05607f31cffc KillMode=none Type=forking -PIDFile=/var/lib/containers/storage/overlay-containers/c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f145e3b05607f31cffc/userdata/c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f145e3b05607f31cffc.pid +PIDFile=/var/run/containers/storage/overlay-containers/c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f145e3b05607f31cffc/userdata/conmon.pid [Install] WantedBy=multi-user.target ``` @@ -55,7 +55,7 @@ ExecStart=/usr/bin/podman start c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f14 ExecStop=/usr/bin/podman stop -t 1 c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f145e3b05607f31cffc KillMode=none Type=forking -PIDFile=/var/lib/containers/storage/overlay-containers/c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f145e3b05607f31cffc/userdata/c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f145e3b05607f31cffc.pid +PIDFile=/var/run/containers/storage/overlay-containers/c21da63c4783be2ac2cd3487ef8d2ec15ee2a28f63dd8f145e3b05607f31cffc/userdata/conmon.pid [Install] WantedBy=multi-user.target ``` diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md index 30242080b..4889e5755 100644 --- a/docs/podman-run.1.md +++ b/docs/podman-run.1.md @@ -275,7 +275,7 @@ The example maps gids 0-2000 in the container to the gids 30000-31999 on the hos Add additional groups to run as -**--healthcheck**=*command* +**--healthcheck-command**=*command* Set or alter a healthcheck command for a container. The command is a command to be executed inside your container that determines your container health. The command is required for other healthcheck options diff --git a/libpod/boltdb_state_internal.go b/libpod/boltdb_state_internal.go index 122bb5935..ee2784cdd 100644 --- a/libpod/boltdb_state_internal.go +++ b/libpod/boltdb_state_internal.go @@ -339,7 +339,6 @@ func getRuntimeConfigBucket(tx *bolt.Tx) (*bolt.Bucket, error) { } func (s *BoltState) getContainerFromDB(id []byte, ctr *Container, ctrsBkt *bolt.Bucket) error { - valid := true ctrBkt := ctrsBkt.Bucket(id) if ctrBkt == nil { return errors.Wrapf(define.ErrNoSuchCtr, "container %s not found in DB", string(id)) @@ -386,7 +385,7 @@ func (s *BoltState) getContainerFromDB(id []byte, ctr *Container, ctrsBkt *bolt. } ctr.runtime = s.runtime - ctr.valid = valid + ctr.valid = true return nil } @@ -639,7 +638,7 @@ func (s *BoltState) addContainer(ctr *Container, pod *Pod) error { } // Add ctr to pod - if pod != nil { + if pod != nil && podCtrs != nil { if err := podCtrs.Put(ctrID, ctrName); err != nil { return errors.Wrapf(err, "error adding container %s to pod %s", ctr.ID(), pod.ID()) } @@ -737,7 +736,7 @@ func (s *BoltState) removeContainer(ctr *Container, pod *Pod, tx *bolt.Tx) error } } - if podDB != nil { + if podDB != nil && pod != nil { // Check if the container is in the pod, remove it if it is podCtrs := podDB.Bucket(containersBkt) if podCtrs == nil { diff --git a/libpod/common_test.go b/libpod/common_test.go index ae3cb1c87..93ca7bc71 100644 --- a/libpod/common_test.go +++ b/libpod/common_test.go @@ -89,13 +89,13 @@ func getTestContainer(id, name string, manager lock.Manager) (*Container, error) ctr.config.Labels["test"] = "testing" - // Allocate a lock for the container - lock, err := manager.AllocateLock() + // Allocate a containerLock for the container + containerLock, err := manager.AllocateLock() if err != nil { return nil, err } - ctr.lock = lock - ctr.config.LockID = lock.ID() + ctr.lock = containerLock + ctr.config.LockID = containerLock.ID() return ctr, nil } @@ -114,13 +114,13 @@ func getTestPod(id, name string, manager lock.Manager) (*Pod, error) { valid: true, } - // Allocate a lock for the pod - lock, err := manager.AllocateLock() + // Allocate a podLock for the pod + podLock, err := manager.AllocateLock() if err != nil { return nil, err } - pod.lock = lock - pod.config.LockID = lock.ID() + pod.lock = podLock + pod.config.LockID = podLock.ID() return pod, nil } diff --git a/libpod/container.go b/libpod/container.go index bfbc47d76..a9b512de9 100644 --- a/libpod/container.go +++ b/libpod/container.go @@ -138,6 +138,9 @@ type Container struct { // being checkpointed. If requestedIP is set it will be used instead // of config.StaticIP. requestedIP net.IP + + // This is true if a container is restored from a checkpoint. + restoreFromCheckpoint bool } // ContainerState contains the current state of the container diff --git a/libpod/container_attach_linux.go b/libpod/container_attach_linux.go index fc53268c3..17b09fccc 100644 --- a/libpod/container_attach_linux.go +++ b/libpod/container_attach_linux.go @@ -145,7 +145,9 @@ func redirectResponseToOutputStreams(outputStream, errorStream io.Writer, writeO default: logrus.Infof("Received unexpected attach type %+d", buf[0]) } - + if dst == nil { + return errors.New("output destination cannot be nil") + } if doWrite { nw, ew := dst.Write(buf[1:nr]) if ew != nil { diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go index 938a5b210..2de78254c 100644 --- a/libpod/container_inspect.go +++ b/libpod/container_inspect.go @@ -206,12 +206,12 @@ func (c *Container) Inspect(size bool) (*InspectContainerData, error) { func (c *Container) getContainerInspectData(size bool, driverData *driver.Data) (*InspectContainerData, error) { config := c.config runtimeInfo := c.state - spec, err := c.specFromState() + stateSpec, err := c.specFromState() if err != nil { return nil, err } - // Process is allowed to be nil in the spec + // Process is allowed to be nil in the stateSpec args := []string{} if config.Spec.Process != nil { args = config.Spec.Process.Args @@ -244,7 +244,7 @@ func (c *Container) getContainerInspectData(size bool, driverData *driver.Data) } } - mounts, err := c.getInspectMounts(spec) + mounts, err := c.getInspectMounts(stateSpec) if err != nil { return nil, err } @@ -255,7 +255,7 @@ func (c *Container) getContainerInspectData(size bool, driverData *driver.Data) Path: path, Args: args, State: &InspectContainerState{ - OciVersion: spec.Version, + OciVersion: stateSpec.Version, Status: runtimeInfo.State.String(), Running: runtimeInfo.State == define.ContainerStateRunning, Paused: runtimeInfo.State == define.ContainerStatePaused, @@ -285,9 +285,9 @@ func (c *Container) getContainerInspectData(size bool, driverData *driver.Data) Driver: driverData.Name, MountLabel: config.MountLabel, ProcessLabel: config.ProcessLabel, - EffectiveCaps: spec.Process.Capabilities.Effective, - BoundingCaps: spec.Process.Capabilities.Bounding, - AppArmorProfile: spec.Process.ApparmorProfile, + EffectiveCaps: stateSpec.Process.Capabilities.Effective, + BoundingCaps: stateSpec.Process.Capabilities.Bounding, + AppArmorProfile: stateSpec.Process.ApparmorProfile, ExecIDs: execIDs, GraphDriver: driverData, Mounts: mounts, @@ -338,7 +338,7 @@ func (c *Container) getContainerInspectData(size bool, driverData *driver.Data) // Get information on the container's network namespace (if present) data = c.getContainerNetworkInfo(data) - inspectConfig, err := c.generateInspectContainerConfig(spec) + inspectConfig, err := c.generateInspectContainerConfig(stateSpec) if err != nil { return nil, err } @@ -370,58 +370,41 @@ func (c *Container) getInspectMounts(ctrSpec *spec.Spec) ([]InspectMount, error) return inspectMounts, nil } - // We need to parse all named volumes and mounts into maps, so we don't - // end up with repeated lookups for each user volume. - // Map destination to struct, as destination is what is stored in - // UserVolumes. - namedVolumes := make(map[string]*ContainerNamedVolume) - mounts := make(map[string]spec.Mount) - for _, namedVol := range c.config.NamedVolumes { - namedVolumes[namedVol.Dest] = namedVol - } - for _, mount := range ctrSpec.Mounts { - mounts[mount.Destination] = mount - } + namedVolumes, mounts := c.sortUserVolumes(ctrSpec) + for _, volume := range namedVolumes { + mountStruct := InspectMount{} + mountStruct.Type = "volume" + mountStruct.Destination = volume.Dest + mountStruct.Name = volume.Name + + // For src and driver, we need to look up the named + // volume. + volFromDB, err := c.runtime.state.Volume(volume.Name) + if err != nil { + return nil, errors.Wrapf(err, "error looking up volume %s in container %s config", volume.Name, c.ID()) + } + mountStruct.Driver = volFromDB.Driver() + mountStruct.Source = volFromDB.MountPoint() - for _, vol := range c.config.UserVolumes { - // We need to look up the volumes. - // First: is it a named volume? - if volume, ok := namedVolumes[vol]; ok { - mountStruct := InspectMount{} - mountStruct.Type = "volume" - mountStruct.Destination = volume.Dest - mountStruct.Name = volume.Name - - // For src and driver, we need to look up the named - // volume. - volFromDB, err := c.runtime.state.Volume(volume.Name) - if err != nil { - return nil, errors.Wrapf(err, "error looking up volume %s in container %s config", volume.Name, c.ID()) - } - mountStruct.Driver = volFromDB.Driver() - mountStruct.Source = volFromDB.MountPoint() - - parseMountOptionsForInspect(volume.Options, &mountStruct) - - inspectMounts = append(inspectMounts, mountStruct) - } else if mount, ok := mounts[vol]; ok { - // It's a mount. - // Is it a tmpfs? If so, discard. - if mount.Type == "tmpfs" { - continue - } - - mountStruct := InspectMount{} - mountStruct.Type = "bind" - mountStruct.Source = mount.Source - mountStruct.Destination = mount.Destination - - parseMountOptionsForInspect(mount.Options, &mountStruct) - - inspectMounts = append(inspectMounts, mountStruct) + parseMountOptionsForInspect(volume.Options, &mountStruct) + + inspectMounts = append(inspectMounts, mountStruct) + } + for _, mount := range mounts { + // It's a mount. + // Is it a tmpfs? If so, discard. + if mount.Type == "tmpfs" { + continue } - // We couldn't find a mount. Log a warning. - logrus.Warnf("Could not find mount at destination %q when building inspect output for container %s", vol, c.ID()) + + mountStruct := InspectMount{} + mountStruct.Type = "bind" + mountStruct.Source = mount.Source + mountStruct.Destination = mount.Destination + + parseMountOptionsForInspect(mount.Options, &mountStruct) + + inspectMounts = append(inspectMounts, mountStruct) } return inspectMounts, nil diff --git a/libpod/container_internal.go b/libpod/container_internal.go index cb6c35049..c409da96a 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -352,6 +352,16 @@ func (c *Container) setupStorage(ctx context.Context) error { }, LabelOpts: c.config.LabelOpts, } + if c.restoreFromCheckpoint { + // If restoring from a checkpoint, the root file-system + // needs to be mounted with the same SELinux labels as + // it was mounted previously. + if options.Flags == nil { + options.Flags = make(map[string]interface{}) + } + options.Flags["ProcessLabel"] = c.config.ProcessLabel + options.Flags["MountLabel"] = c.config.MountLabel + } if c.config.Privileged { privOpt := func(opt string) bool { for _, privopt := range []string{"nodev", "nosuid", "noexec"} { @@ -555,7 +565,7 @@ func (c *Container) removeConmonFiles() error { if !os.IsNotExist(err) { return errors.Wrapf(err, "error running stat on container %s exit file", c.ID()) } - } else if err == nil { + } else { // Rename should replace the old exit file (if it exists) if err := os.Rename(exitFile, oldExitFile); err != nil { return errors.Wrapf(err, "error renaming container %s exit file", c.ID()) @@ -568,11 +578,11 @@ func (c *Container) removeConmonFiles() error { func (c *Container) export(path string) error { mountPoint := c.state.Mountpoint if !c.state.Mounted { - mount, err := c.runtime.store.Mount(c.ID(), c.config.MountLabel) + containerMount, err := c.runtime.store.Mount(c.ID(), c.config.MountLabel) if err != nil { return errors.Wrapf(err, "error mounting container %q", c.ID()) } - mountPoint = mount + mountPoint = containerMount defer func() { if _, err := c.runtime.store.Unmount(c.ID(), false); err != nil { logrus.Errorf("error unmounting container %q: %v", c.ID(), err) @@ -610,7 +620,7 @@ func (c *Container) isStopped() (bool, error) { if err != nil { return true, err } - return (c.state.State != define.ContainerStateRunning && c.state.State != define.ContainerStatePaused), nil + return c.state.State != define.ContainerStateRunning && c.state.State != define.ContainerStatePaused, nil } // save container state to the database @@ -856,18 +866,18 @@ func (c *Container) init(ctx context.Context, retainRetries bool) error { span.SetTag("struct", "container") defer span.Finish() - // Generate the OCI spec - spec, err := c.generateSpec(ctx) + // Generate the OCI newSpec + newSpec, err := c.generateSpec(ctx) if err != nil { return err } - // Save the OCI spec to disk - if err := c.saveSpec(spec); err != nil { + // Save the OCI newSpec to disk + if err := c.saveSpec(newSpec); err != nil { return err } - // With the spec complete, do an OCI create + // With the newSpec complete, do an OCI create if err := c.ociRuntime.createContainer(c, c.config.CgroupParent, nil); err != nil { return err } @@ -1167,8 +1177,8 @@ func (c *Container) cleanupStorage() error { return nil } - for _, mount := range c.config.Mounts { - if err := c.unmountSHM(mount); err != nil { + for _, containerMount := range c.config.Mounts { + if err := c.unmountSHM(containerMount); err != nil { return err } } @@ -1399,14 +1409,14 @@ func (c *Container) setupOCIHooks(ctx context.Context, config *spec.Spec) (exten } return nil, err } - hooks, err := manager.Hooks(config, c.Spec().Annotations, len(c.config.UserVolumes) > 0) + ociHooks, err := manager.Hooks(config, c.Spec().Annotations, len(c.config.UserVolumes) > 0) if err != nil { return nil, err } - if len(hooks) > 0 || config.Hooks != nil { - logrus.Warnf("implicit hook directories are deprecated; set --hooks-dir=%q explicitly to continue to load hooks from this directory", hDir) + if len(ociHooks) > 0 || config.Hooks != nil { + logrus.Warnf("implicit hook directories are deprecated; set --ociHooks-dir=%q explicitly to continue to load ociHooks from this directory", hDir) } - for i, hook := range hooks { + for i, hook := range ociHooks { allHooks[i] = hook } } @@ -1537,3 +1547,34 @@ func (c *Container) prepareCheckpointExport() (err error) { return nil } + +// sortUserVolumes sorts the volumes specified for a container +// between named and normal volumes +func (c *Container) sortUserVolumes(ctrSpec *spec.Spec) ([]*ContainerNamedVolume, []spec.Mount) { + namedUserVolumes := []*ContainerNamedVolume{} + userMounts := []spec.Mount{} + + // We need to parse all named volumes and mounts into maps, so we don't + // end up with repeated lookups for each user volume. + // Map destination to struct, as destination is what is stored in + // UserVolumes. + namedVolumes := make(map[string]*ContainerNamedVolume) + mounts := make(map[string]spec.Mount) + for _, namedVol := range c.config.NamedVolumes { + namedVolumes[namedVol.Dest] = namedVol + } + for _, mount := range ctrSpec.Mounts { + mounts[mount.Destination] = mount + } + + for _, vol := range c.config.UserVolumes { + if volume, ok := namedVolumes[vol]; ok { + namedUserVolumes = append(namedUserVolumes, volume) + } else if mount, ok := mounts[vol]; ok { + userMounts = append(userMounts, mount) + } else { + logrus.Warnf("Could not find mount at destination %q when parsing user volumes for container %s", vol, c.ID()) + } + } + return namedUserVolumes, userMounts +} diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index fad45233a..686a595de 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -185,9 +185,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { // If network namespace was requested, add it now if c.config.CreateNetNS { if c.config.PostConfigureNetNS { - g.AddOrReplaceLinuxNamespace(spec.NetworkNamespace, "") + if err := g.AddOrReplaceLinuxNamespace(spec.NetworkNamespace, ""); err != nil { + return nil, err + } } else { - g.AddOrReplaceLinuxNamespace(spec.NetworkNamespace, c.state.NetNS.Path()) + if err := g.AddOrReplaceLinuxNamespace(spec.NetworkNamespace, c.state.NetNS.Path()); err != nil { + return nil, err + } } } @@ -415,7 +419,9 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { if rootPropagation != "" { logrus.Debugf("set root propagation to %q", rootPropagation) - g.SetLinuxRootPropagation(rootPropagation) + if err := g.SetLinuxRootPropagation(rootPropagation); err != nil { + return nil, err + } } // Warning: precreate hooks may alter g.Config in place. @@ -561,7 +567,9 @@ func (c *Container) checkpointRestoreLabelLog(fileName string) (err error) { if err != nil { return errors.Wrapf(err, "failed to create CRIU log file %q", dumpLog) } - logFile.Close() + if err := logFile.Close(); err != nil { + logrus.Errorf("unable to close log file: %q", err) + } if err = label.SetFileLabel(dumpLog, c.MountLabel()); err != nil { return errors.Wrapf(err, "failed to label CRIU log file %q", dumpLog) } @@ -620,9 +628,11 @@ func (c *Container) checkpoint(ctx context.Context, options ContainerCheckpointO "config.dump", "spec.dump", } - for _, delete := range cleanup { - file := filepath.Join(c.bundlePath(), delete) - os.Remove(file) + for _, del := range cleanup { + file := filepath.Join(c.bundlePath(), del) + if err := os.Remove(file); err != nil { + logrus.Debugf("unable to remove file %s", file) + } } } @@ -702,7 +712,9 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti if err != nil { return err } - json.Unmarshal(networkJSON, &networkStatus) + if err := json.Unmarshal(networkJSON, &networkStatus); err != nil { + return err + } // Take the first IP address var IP net.IP if len(networkStatus) > 0 { @@ -744,7 +756,9 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti // We want to have the same network namespace as before. if c.config.CreateNetNS { - g.AddOrReplaceLinuxNamespace(spec.NetworkNamespace, c.state.NetNS.Path()) + if err := g.AddOrReplaceLinuxNamespace(spec.NetworkNamespace, c.state.NetNS.Path()); err != nil { + return err + } } if err := c.makeBindMounts(); err != nil { @@ -769,7 +783,9 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti } // Cleanup for a working restore. - c.removeConmonFiles() + if err := c.removeConmonFiles(); err != nil { + return err + } // Save the OCI spec to disk if err := c.saveSpec(g.Spec()); err != nil { @@ -793,8 +809,8 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti logrus.Debugf("Non-fatal: removal of checkpoint directory (%s) failed: %v", c.CheckpointPath(), err) } cleanup := [...]string{"restore.log", "dump.log", "stats-dump", "stats-restore", "network.status"} - for _, delete := range cleanup { - file := filepath.Join(c.bundlePath(), delete) + for _, del := range cleanup { + file := filepath.Join(c.bundlePath(), del) err = os.Remove(file) if err != nil { logrus.Debugf("Non-fatal: removal of checkpoint file (%s) failed: %v", file, err) @@ -824,14 +840,14 @@ func (c *Container) makeBindMounts() error { // will recreate. Only do this if we aren't sharing them with // another container. if c.config.NetNsCtr == "" { - if path, ok := c.state.BindMounts["/etc/resolv.conf"]; ok { - if err := os.Remove(path); err != nil && !os.IsNotExist(err) { + if resolvePath, ok := c.state.BindMounts["/etc/resolv.conf"]; ok { + if err := os.Remove(resolvePath); err != nil && !os.IsNotExist(err) { return errors.Wrapf(err, "error removing container %s resolv.conf", c.ID()) } delete(c.state.BindMounts, "/etc/resolv.conf") } - if path, ok := c.state.BindMounts["/etc/hosts"]; ok { - if err := os.Remove(path); err != nil && !os.IsNotExist(err) { + if hostsPath, ok := c.state.BindMounts["/etc/hosts"]; ok { + if err := os.Remove(hostsPath); err != nil && !os.IsNotExist(err) { return errors.Wrapf(err, "error removing container %s hosts", c.ID()) } delete(c.state.BindMounts, "/etc/hosts") @@ -968,10 +984,10 @@ func (c *Container) makeBindMounts() error { // generateResolvConf generates a containers resolv.conf func (c *Container) generateResolvConf() (string, error) { resolvConf := "/etc/resolv.conf" - for _, ns := range c.config.Spec.Linux.Namespaces { - if ns.Type == spec.NetworkNamespace { - if ns.Path != "" && !strings.HasPrefix(ns.Path, "/proc/") { - definedPath := filepath.Join("/etc/netns", filepath.Base(ns.Path), "resolv.conf") + for _, namespace := range c.config.Spec.Linux.Namespaces { + if namespace.Type == spec.NetworkNamespace { + if namespace.Path != "" && !strings.HasPrefix(namespace.Path, "/proc/") { + definedPath := filepath.Join("/etc/netns", filepath.Base(namespace.Path), "resolv.conf") _, err := os.Stat(definedPath) if err == nil { resolvConf = definedPath @@ -1096,10 +1112,10 @@ func (c *Container) generatePasswd() (string, error) { if c.config.User == "" { return "", nil } - spec := strings.SplitN(c.config.User, ":", 2) - userspec := spec[0] - if len(spec) > 1 { - groupspec = spec[1] + splitSpec := strings.SplitN(c.config.User, ":", 2) + userspec := splitSpec[0] + if len(splitSpec) > 1 { + groupspec = splitSpec[1] } // If a non numeric User, then don't generate passwd uid, err := strconv.ParseUint(userspec, 10, 32) @@ -1137,7 +1153,7 @@ func (c *Container) generatePasswd() (string, error) { if err != nil { return "", errors.Wrapf(err, "failed to create temporary passwd file") } - if os.Chmod(passwdFile, 0644); err != nil { + if err := os.Chmod(passwdFile, 0644); err != nil { return "", err } return passwdFile, nil diff --git a/libpod/events.go b/libpod/events.go index 13bb5bdde..be21e510a 100644 --- a/libpod/events.go +++ b/libpod/events.go @@ -1,7 +1,10 @@ package libpod import ( + "fmt" + "github.com/containers/libpod/libpod/events" + "github.com/pkg/errors" "github.com/sirupsen/logrus" ) @@ -79,3 +82,55 @@ func (r *Runtime) Events(options events.ReadOptions) error { } return eventer.Read(options) } + +// GetEvents reads the event log and returns events based on input filters +func (r *Runtime) GetEvents(filters []string) ([]*events.Event, error) { + var ( + logEvents []*events.Event + readErr error + ) + eventChannel := make(chan *events.Event) + options := events.ReadOptions{ + EventChannel: eventChannel, + Filters: filters, + FromStart: true, + Stream: false, + } + eventer, err := r.newEventer() + if err != nil { + return nil, err + } + go func() { + readErr = eventer.Read(options) + }() + if readErr != nil { + return nil, readErr + } + for e := range eventChannel { + logEvents = append(logEvents, e) + } + return logEvents, nil +} + +// GetLastContainerEvent takes a container name or ID and an event status and returns +// the last occurrence of the container event +func (r *Runtime) GetLastContainerEvent(nameOrID string, containerEvent events.Status) (*events.Event, error) { + // check to make sure the event.Status is valid + if _, err := events.StringToStatus(containerEvent.String()); err != nil { + return nil, err + } + filters := []string{ + fmt.Sprintf("container=%s", nameOrID), + fmt.Sprintf("event=%s", containerEvent), + "type=container", + } + containerEvents, err := r.GetEvents(filters) + if err != nil { + return nil, err + } + if len(containerEvents) < 1 { + return nil, errors.Wrapf(events.ErrEventNotFound, "%s not found", containerEvent.String()) + } + // return the last element in the slice + return containerEvents[len(containerEvents)-1], nil +} diff --git a/libpod/events/config.go b/libpod/events/config.go index 810988205..b9f01f3a5 100644 --- a/libpod/events/config.go +++ b/libpod/events/config.go @@ -2,6 +2,8 @@ package events import ( "time" + + "github.com/pkg/errors" ) // EventerType ... @@ -158,3 +160,12 @@ const ( // EventFilter for filtering events type EventFilter func(*Event) bool + +var ( + // ErrEventTypeBlank indicates the event log found something done by podman + // but it isnt likely an event + ErrEventTypeBlank = errors.New("event type blank") + + // ErrEventNotFound indicates that the event was not found in the event log + ErrEventNotFound = errors.New("unable to find event") +) diff --git a/libpod/events/events.go b/libpod/events/events.go index 1ec79bcd7..2bebff162 100644 --- a/libpod/events/events.go +++ b/libpod/events/events.go @@ -95,6 +95,8 @@ func StringToType(name string) (Type, error) { return System, nil case Volume.String(): return Volume, nil + case "": + return "", ErrEventTypeBlank } return "", errors.Errorf("unknown event type %q", name) } diff --git a/libpod/events/journal_linux.go b/libpod/events/journal_linux.go index 78a630e9a..d5bce4334 100644 --- a/libpod/events/journal_linux.go +++ b/libpod/events/journal_linux.go @@ -101,7 +101,9 @@ func (e EventJournalD) Read(options ReadOptions) error { // We can't decode this event. // Don't fail hard - that would make events unusable. // Instead, log and continue. - logrus.Errorf("Unable to decode event: %v", err) + if errors.Cause(err) != ErrEventTypeBlank { + logrus.Errorf("Unable to decode event: %v", err) + } continue } include := true diff --git a/libpod/healthcheck_linux.go b/libpod/healthcheck_linux.go index d47a3b7cd..53fb271d1 100644 --- a/libpod/healthcheck_linux.go +++ b/libpod/healthcheck_linux.go @@ -4,13 +4,50 @@ import ( "fmt" "os" "os/exec" + "path/filepath" + "strconv" "strings" + "github.com/containers/libpod/pkg/rootless" "github.com/coreos/go-systemd/dbus" + godbus "github.com/godbus/dbus" "github.com/pkg/errors" "github.com/sirupsen/logrus" ) +func dbusAuthRootlessConnection(createBus func(opts ...godbus.ConnOption) (*godbus.Conn, error)) (*godbus.Conn, error) { + conn, err := createBus() + if err != nil { + return nil, err + } + + methods := []godbus.Auth{godbus.AuthExternal(strconv.Itoa(rootless.GetRootlessUID()))} + + err = conn.Auth(methods) + if err != nil { + conn.Close() + return nil, err + } + + return conn, nil +} + +func newRootlessConnection() (*dbus.Conn, error) { + return dbus.NewConnection(func() (*godbus.Conn, error) { + return dbusAuthRootlessConnection(func(opts ...godbus.ConnOption) (*godbus.Conn, error) { + path := filepath.Join(os.Getenv("XDG_RUNTIME_DIR"), "systemd/private") + return godbus.Dial(fmt.Sprintf("unix:path=%s", path)) + }) + }) +} + +func getConnection() (*dbus.Conn, error) { + if rootless.IsRootless() { + return newRootlessConnection() + } + return dbus.NewSystemdConnection() +} + // createTimer systemd timers for healthchecks of a container func (c *Container) createTimer() error { if c.disableHealthCheckSystemd() { @@ -21,9 +58,13 @@ func (c *Container) createTimer() error { return errors.Wrapf(err, "failed to get path for podman for a health check timer") } - var cmd = []string{"--unit", fmt.Sprintf("%s", c.ID()), fmt.Sprintf("--on-unit-inactive=%s", c.HealthCheckConfig().Interval.String()), "--timer-property=AccuracySec=1s", podman, "healthcheck", "run", c.ID()} + var cmd = []string{} + if rootless.IsRootless() { + cmd = append(cmd, "--user") + } + cmd = append(cmd, "--unit", fmt.Sprintf("%s", c.ID()), fmt.Sprintf("--on-unit-inactive=%s", c.HealthCheckConfig().Interval.String()), "--timer-property=AccuracySec=1s", podman, "healthcheck", "run", c.ID()) - conn, err := dbus.NewSystemdConnection() + conn, err := getConnection() if err != nil { return errors.Wrapf(err, "unable to get systemd connection to add healthchecks") } @@ -42,7 +83,7 @@ func (c *Container) startTimer() error { if c.disableHealthCheckSystemd() { return nil } - conn, err := dbus.NewSystemdConnection() + conn, err := getConnection() if err != nil { return errors.Wrapf(err, "unable to get systemd connection to start healthchecks") } @@ -57,7 +98,7 @@ func (c *Container) removeTimer() error { if c.disableHealthCheckSystemd() { return nil } - conn, err := dbus.NewSystemdConnection() + conn, err := getConnection() if err != nil { return errors.Wrapf(err, "unable to get systemd connection to remove healthchecks") } diff --git a/libpod/image/pull.go b/libpod/image/pull.go index 644a9ae86..e5765febc 100644 --- a/libpod/image/pull.go +++ b/libpod/image/pull.go @@ -19,8 +19,8 @@ import ( "github.com/containers/image/types" "github.com/containers/libpod/libpod/events" "github.com/containers/libpod/pkg/registries" - multierror "github.com/hashicorp/go-multierror" - opentracing "github.com/opentracing/opentracing-go" + "github.com/hashicorp/go-multierror" + "github.com/opentracing/opentracing-go" "github.com/pkg/errors" "github.com/sirupsen/logrus" ) diff --git a/libpod/kube.go b/libpod/kube.go index 1622246d5..409937010 100644 --- a/libpod/kube.go +++ b/libpod/kube.go @@ -3,6 +3,7 @@ package libpod import ( "fmt" "math/rand" + "os" "strconv" "strings" "time" @@ -16,7 +17,6 @@ import ( "github.com/pkg/errors" "github.com/sirupsen/logrus" "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/resource" v12 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -132,32 +132,43 @@ func (p *Pod) podWithContainers(containers []*Container, ports []v1.ContainerPor var ( podContainers []v1.Container ) + deDupPodVolumes := make(map[string]*v1.Volume) first := true for _, ctr := range containers { if !ctr.IsInfra() { - result, err := containerToV1Container(ctr) + ctr, volumes, err := containerToV1Container(ctr) if err != nil { return nil, err } // Since port bindings for the pod are handled by the // infra container, wipe them here. - result.Ports = nil + ctr.Ports = nil // We add the original port declarations from the libpod infra container // to the first kubernetes container description because otherwise we loose // the original container/port bindings. if first && len(ports) > 0 { - result.Ports = ports + ctr.Ports = ports first = false } - podContainers = append(podContainers, result) + podContainers = append(podContainers, ctr) + // Deduplicate volumes, so if containers in the pod share a volume, it's only + // listed in the volumes section once + for _, vol := range volumes { + deDupPodVolumes[vol.Name] = &vol + } } } - return addContainersToPodObject(podContainers, p.Name()), nil + podVolumes := make([]v1.Volume, 0, len(deDupPodVolumes)) + for _, vol := range deDupPodVolumes { + podVolumes = append(podVolumes, *vol) + } + + return addContainersAndVolumesToPodObject(podContainers, podVolumes, p.Name()), nil } -func addContainersToPodObject(containers []v1.Container, podName string) *v1.Pod { +func addContainersAndVolumesToPodObject(containers []v1.Container, volumes []v1.Volume, podName string) *v1.Pod { tm := v12.TypeMeta{ Kind: "Pod", APIVersion: "v1", @@ -177,6 +188,7 @@ func addContainersToPodObject(containers []v1.Container, podName string) *v1.Pod } ps := v1.PodSpec{ Containers: containers, + Volumes: volumes, } p := v1.Pod{ TypeMeta: tm, @@ -190,56 +202,58 @@ func addContainersToPodObject(containers []v1.Container, podName string) *v1.Pod // for a single container. we "insert" that container description in a pod. func simplePodWithV1Container(ctr *Container) (*v1.Pod, error) { var containers []v1.Container - result, err := containerToV1Container(ctr) + kubeCtr, kubeVols, err := containerToV1Container(ctr) if err != nil { return nil, err } - containers = append(containers, result) - return addContainersToPodObject(containers, ctr.Name()), nil + containers = append(containers, kubeCtr) + return addContainersAndVolumesToPodObject(containers, kubeVols, ctr.Name()), nil } // containerToV1Container converts information we know about a libpod container // to a V1.Container specification. -func containerToV1Container(c *Container) (v1.Container, error) { +func containerToV1Container(c *Container) (v1.Container, []v1.Volume, error) { kubeContainer := v1.Container{} + kubeVolumes := []v1.Volume{} kubeSec, err := generateKubeSecurityContext(c) if err != nil { - return kubeContainer, err + return kubeContainer, kubeVolumes, err } if len(c.config.Spec.Linux.Devices) > 0 { // TODO Enable when we can support devices and their names devices, err := generateKubeVolumeDeviceFromLinuxDevice(c.Spec().Linux.Devices) if err != nil { - return kubeContainer, err + return kubeContainer, kubeVolumes, err } kubeContainer.VolumeDevices = devices - return kubeContainer, errors.Wrapf(define.ErrNotImplemented, "linux devices") + return kubeContainer, kubeVolumes, errors.Wrapf(define.ErrNotImplemented, "linux devices") } if len(c.config.UserVolumes) > 0 { // TODO When we until we can resolve what the volume name should be, this is disabled // Volume names need to be coordinated "globally" in the kube files. - volumes, err := libpodMountsToKubeVolumeMounts(c) + volumeMounts, volumes, err := libpodMountsToKubeVolumeMounts(c) if err != nil { - return kubeContainer, err + return kubeContainer, kubeVolumes, err } - kubeContainer.VolumeMounts = volumes + kubeContainer.VolumeMounts = volumeMounts + kubeVolumes = append(kubeVolumes, volumes...) } envVariables, err := libpodEnvVarsToKubeEnvVars(c.config.Spec.Process.Env) if err != nil { - return kubeContainer, err + return kubeContainer, kubeVolumes, err } portmappings, err := c.PortMappings() if err != nil { - return kubeContainer, err + return kubeContainer, kubeVolumes, err } ports, err := ocicniPortMappingToContainerPort(portmappings) if err != nil { - return kubeContainer, err + return kubeContainer, kubeVolumes, err } containerCommands := c.Command() @@ -263,7 +277,7 @@ func containerToV1Container(c *Container) (v1.Container, error) { kubeContainer.StdinOnce = false kubeContainer.TTY = c.config.Spec.Process.Terminal - return kubeContainer, nil + return kubeContainer, kubeVolumes, nil } // ocicniPortMappingToContainerPort takes an ocicni portmapping and converts @@ -309,52 +323,82 @@ func libpodEnvVarsToKubeEnvVars(envs []string) ([]v1.EnvVar, error) { return envVars, nil } -// Is this worth it? -func libpodMaxAndMinToResourceList(c *Container) (v1.ResourceList, v1.ResourceList) { //nolint - // It does not appear we can properly calculate CPU resources from the information - // we know in libpod. Libpod knows CPUs by time, shares, etc. +// libpodMountsToKubeVolumeMounts converts the containers mounts to a struct kube understands +func libpodMountsToKubeVolumeMounts(c *Container) ([]v1.VolumeMount, []v1.Volume, error) { + var vms []v1.VolumeMount + var vos []v1.Volume - // We also only know about a memory limit; no memory minimum - maxResources := make(map[v1.ResourceName]resource.Quantity) - minResources := make(map[v1.ResourceName]resource.Quantity) - config := c.Config() - maxMem := config.Spec.Linux.Resources.Memory.Limit + // TjDO when named volumes are supported in play kube, also parse named volumes here + _, mounts := c.sortUserVolumes(c.config.Spec) + for _, m := range mounts { + vm, vo, err := generateKubeVolumeMount(m) + if err != nil { + return vms, vos, err + } + vms = append(vms, vm) + vos = append(vos, vo) + } + return vms, vos, nil +} - _ = maxMem +// generateKubeVolumeMount takes a user specfied mount and returns +// a kubernetes VolumeMount (to be added to the container) and a kubernetes Volume +// (to be added to the pod) +func generateKubeVolumeMount(m specs.Mount) (v1.VolumeMount, v1.Volume, error) { + vm := v1.VolumeMount{} + vo := v1.Volume{} - return maxResources, minResources + name, err := convertVolumePathToName(m.Source) + if err != nil { + return vm, vo, err + } + vm.Name = name + vm.MountPath = m.Destination + if util.StringInSlice("ro", m.Options) { + vm.ReadOnly = true + } + + vo.Name = name + vo.HostPath = &v1.HostPathVolumeSource{} + vo.HostPath.Path = m.Source + isDir, err := isHostPathDirectory(m.Source) + // neither a directory or a file lives here, default to creating a directory + // TODO should this be an error instead? + var hostPathType v1.HostPathType + if err != nil { + hostPathType = v1.HostPathDirectoryOrCreate + } else if isDir { + hostPathType = v1.HostPathDirectory + } else { + hostPathType = v1.HostPathFile + } + vo.HostPath.Type = &hostPathType + + return vm, vo, nil } -func generateKubeVolumeMount(hostSourcePath string, mounts []specs.Mount) (v1.VolumeMount, error) { - vm := v1.VolumeMount{} - for _, m := range mounts { - if m.Source == hostSourcePath { - // TODO Name is not provided and is required by Kube; therefore, this is disabled earlier - //vm.Name = - vm.MountPath = m.Source - vm.SubPath = m.Destination - if util.StringInSlice("ro", m.Options) { - vm.ReadOnly = true - } - return vm, nil - } +func isHostPathDirectory(hostPathSource string) (bool, error) { + info, err := os.Stat(hostPathSource) + if err != nil { + return false, err } - return vm, errors.New("unable to find mount source") + return info.Mode().IsDir(), nil } -// libpodMountsToKubeVolumeMounts converts the containers mounts to a struct kube understands -func libpodMountsToKubeVolumeMounts(c *Container) ([]v1.VolumeMount, error) { - // At this point, I dont think we can distinguish between the default - // volume mounts and user added ones. For now, we pass them all. - var vms []v1.VolumeMount - for _, hostSourcePath := range c.config.UserVolumes { - vm, err := generateKubeVolumeMount(hostSourcePath, c.config.Spec.Mounts) - if err != nil { - continue +func convertVolumePathToName(hostSourcePath string) (string, error) { + if len(hostSourcePath) == 0 { + return "", errors.Errorf("hostSourcePath must be specified to generate volume name") + } + if len(hostSourcePath) == 1 { + if hostSourcePath != "/" { + return "", errors.Errorf("hostSourcePath malformatted: %s", hostSourcePath) } - vms = append(vms, vm) + // add special case name + return "root", nil } - return vms, nil + // First, trim trailing slashes, then replace slashes with dashes. + // Thus, /mnt/data/ will become mnt-data + return strings.Replace(strings.Trim(hostSourcePath, "/"), "/", "-", -1), nil } func determineCapAddDropFromCapabilities(defaultCaps, containerCaps []string) *v1.Capabilities { @@ -366,16 +410,14 @@ func determineCapAddDropFromCapabilities(defaultCaps, containerCaps []string) *v // those indicate a dropped cap for _, capability := range defaultCaps { if !util.StringInSlice(capability, containerCaps) { - cap := v1.Capability(capability) - drop = append(drop, cap) + drop = append(drop, v1.Capability(capability)) } } // Find caps in the container but not in the defaults; those indicate // an added cap for _, capability := range containerCaps { if !util.StringInSlice(capability, defaultCaps) { - cap := v1.Capability(capability) - add = append(add, cap) + add = append(add, v1.Capability(capability)) } } diff --git a/libpod/lock/shm/shm_lock.go b/libpod/lock/shm/shm_lock.go index 37c8dea7d..322e92a8f 100644 --- a/libpod/lock/shm/shm_lock.go +++ b/libpod/lock/shm/shm_lock.go @@ -22,7 +22,7 @@ var ( // BitmapSize is the size of the bitmap used when managing SHM locks. // an SHM lock manager's max locks will be rounded up to a multiple of // this number. - BitmapSize uint32 = uint32(C.bitmap_size_c) + BitmapSize = uint32(C.bitmap_size_c) ) // SHMLocks is a struct enabling POSIX semaphore locking in a shared memory diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go index 27585b8d5..d978bceed 100644 --- a/libpod/networking_linux.go +++ b/libpod/networking_linux.go @@ -294,14 +294,14 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) { return errors.Wrapf(err, "cannot shutdown the socket %s", apiSocket) } buf := make([]byte, 2048) - len, err := conn.Read(buf) + readLength, err := conn.Read(buf) if err != nil { return errors.Wrapf(err, "cannot read from control socket %s", apiSocket) } // if there is no 'error' key in the received JSON data, then the operation was // successful. var y map[string]interface{} - if err := json.Unmarshal(buf[0:len], &y); err != nil { + if err := json.Unmarshal(buf[0:readLength], &y); err != nil { return errors.Wrapf(err, "error parsing error status from slirp4netns") } if e, found := y["error"]; found { @@ -332,7 +332,9 @@ func (r *Runtime) setupNetNS(ctr *Container) (err error) { if err != nil { return errors.Wrapf(err, "cannot open %s", nsPath) } - mountPointFd.Close() + if err := mountPointFd.Close(); err != nil { + return err + } if err := unix.Mount(nsProcess, nsPath, "none", unix.MS_BIND, ""); err != nil { return errors.Wrapf(err, "cannot mount %s", nsPath) @@ -352,12 +354,12 @@ func (r *Runtime) setupNetNS(ctr *Container) (err error) { // Join an existing network namespace func joinNetNS(path string) (ns.NetNS, error) { - ns, err := ns.GetNS(path) + netNS, err := ns.GetNS(path) if err != nil { return nil, errors.Wrapf(err, "error retrieving network namespace at %s", path) } - return ns, nil + return netNS, nil } // Close a network namespace. diff --git a/libpod/oci.go b/libpod/oci.go index fdd783100..6aad79cdf 100644 --- a/libpod/oci.go +++ b/libpod/oci.go @@ -263,7 +263,9 @@ func (r *OCIRuntime) updateContainerStatus(ctr *Container, useRuntime bool) erro return errors.Wrapf(err, "error getting container %s state", ctr.ID()) } if strings.Contains(string(out), "does not exist") { - ctr.removeConmonFiles() + if err := ctr.removeConmonFiles(); err != nil { + logrus.Debugf("unable to remove conmon files for container %s", ctr.ID()) + } ctr.state.ExitCode = -1 ctr.state.FinishedTime = time.Now() ctr.state.State = define.ContainerStateExited @@ -273,7 +275,9 @@ func (r *OCIRuntime) updateContainerStatus(ctr *Container, useRuntime bool) erro } defer cmd.Wait() - errPipe.Close() + if err := errPipe.Close(); err != nil { + return err + } out, err := ioutil.ReadAll(outPipe) if err != nil { return errors.Wrapf(err, "error reading stdout: %s", ctr.ID()) @@ -433,8 +437,8 @@ func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty args = append(args, "--no-new-privs") } - for _, cap := range capAdd { - args = append(args, "--cap", cap) + for _, capabilityAdd := range capAdd { + args = append(args, "--cap", capabilityAdd) } for _, envVar := range env { @@ -475,7 +479,9 @@ func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty for fd := 3; fd < 3+preserveFDs; fd++ { // These fds were passed down to the runtime. Close them // and not interfere - os.NewFile(uintptr(fd), fmt.Sprintf("fd-%d", fd)).Close() + if err := os.NewFile(uintptr(fd), fmt.Sprintf("fd-%d", fd)).Close(); err != nil { + logrus.Debugf("unable to close file fd-%d", fd) + } } } @@ -484,7 +490,9 @@ func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty // checkpointContainer checkpoints the given container func (r *OCIRuntime) checkpointContainer(ctr *Container, options ContainerCheckpointOptions) error { - label.SetSocketLabel(ctr.ProcessLabel()) + if err := label.SetSocketLabel(ctr.ProcessLabel()); err != nil { + return err + } // imagePath is used by CRIU to store the actual checkpoint files imagePath := ctr.CheckpointPath() // workPath will be used to store dump.log and stats-dump diff --git a/libpod/oci_linux.go b/libpod/oci_linux.go index 24502ef4f..802f4311b 100644 --- a/libpod/oci_linux.go +++ b/libpod/oci_linux.go @@ -342,7 +342,9 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string, res ) plabel, err = selinux.CurrentLabel() if err != nil { - childPipe.Close() + if err := childPipe.Close(); err != nil { + logrus.Errorf("failed to close child pipe: %q", err) + } return errors.Wrapf(err, "Failed to get current SELinux label") } diff --git a/libpod/options.go b/libpod/options.go index 78634e953..4f8bb42df 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -325,7 +325,7 @@ func WithMaxLogSize(limit int64) RuntimeOption { // WithNoPivotRoot sets the runtime to use MS_MOVE instead of PIVOT_ROOT when // starting containers. -func WithNoPivotRoot(noPivot bool) RuntimeOption { +func WithNoPivotRoot() RuntimeOption { return func(rt *Runtime) error { if rt.valid { return config2.ErrRuntimeFinalized diff --git a/libpod/runtime.go b/libpod/runtime.go index 6c61e15d3..53c9a1209 100644 --- a/libpod/runtime.go +++ b/libpod/runtime.go @@ -245,7 +245,7 @@ type RuntimeConfig struct { // EventsLogger determines where events should be logged EventsLogger string `toml:"events_logger"` // EventsLogFilePath is where the events log is stored. - EventsLogFilePath string `toml:-"events_logfile_path"` + EventsLogFilePath string `toml:"-events_logfile_path"` //DetachKeys is the sequence of keys used to detach a container DetachKeys string `toml:"detach_keys"` } @@ -643,7 +643,9 @@ func newRuntimeFromConfig(ctx context.Context, userConfigPath string, options .. } if configPath != "" { - os.MkdirAll(filepath.Dir(configPath), 0755) + if err := os.MkdirAll(filepath.Dir(configPath), 0755); err != nil { + return nil, err + } file, err := os.OpenFile(configPath, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666) if err != nil && !os.IsExist(err) { return nil, errors.Wrapf(err, "cannot open file %s", configPath) @@ -652,7 +654,9 @@ func newRuntimeFromConfig(ctx context.Context, userConfigPath string, options .. defer file.Close() enc := toml.NewEncoder(file) if err := enc.Encode(runtime.config); err != nil { - os.Remove(configPath) + if removeErr := os.Remove(configPath); removeErr != nil { + logrus.Debugf("unable to remove %s: %q", configPath, err) + } } } } diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go index 9daac161c..ae9b3e5bc 100644 --- a/libpod/runtime_ctr.go +++ b/libpod/runtime_ctr.go @@ -52,7 +52,7 @@ func (r *Runtime) RestoreContainer(ctx context.Context, rSpec *spec.Spec, config if err != nil { return nil, errors.Wrapf(err, "error initializing container variables") } - return r.setupContainer(ctx, ctr, true) + return r.setupContainer(ctx, ctr) } func (r *Runtime) initContainerVariables(rSpec *spec.Spec, config *ContainerConfig) (c *Container, err error) { @@ -68,6 +68,7 @@ func (r *Runtime) initContainerVariables(rSpec *spec.Spec, config *ContainerConf ctr.config.ShmSize = DefaultShmSize } else { // This is a restore from an imported checkpoint + ctr.restoreFromCheckpoint = true if err := JSONDeepCopy(config, ctr.config); err != nil { return nil, errors.Wrapf(err, "error copying container config for restore") } @@ -119,10 +120,10 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options .. return nil, errors.Wrapf(err, "error running container create option") } } - return r.setupContainer(ctx, ctr, false) + return r.setupContainer(ctx, ctr) } -func (r *Runtime) setupContainer(ctx context.Context, ctr *Container, restore bool) (c *Container, err error) { +func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (c *Container, err error) { // Allocate a lock for the container lock, err := r.lockManager.AllocateLock() if err != nil { @@ -211,7 +212,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container, restore bo return nil, errors.Wrapf(config2.ErrInvalidArg, "unsupported CGroup manager: %s - cannot validate cgroup parent", r.config.CgroupManager) } - if restore { + if ctr.restoreFromCheckpoint { // Remove information about bind mount // for new container from imported checkpoint g := generate.Generator{Config: ctr.config.Spec} @@ -236,7 +237,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container, restore bo } }() - if rootless.IsRootless() && ctr.config.ConmonPidFile == "" { + if ctr.config.ConmonPidFile == "" { ctr.config.ConmonPidFile = filepath.Join(ctr.state.RunDir, "conmon.pid") } @@ -430,22 +431,17 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool, // If we're removing the pod, the container will be evicted // from the state elsewhere if !removePod { - if err := r.state.RemoveContainerFromPod(pod, c); err != nil { - if cleanupErr == nil { - cleanupErr = err - } else { - logrus.Errorf("removing container from pod: %v", err) - } - } - } - } else { - if err := r.state.RemoveContainer(c); err != nil { if cleanupErr == nil { cleanupErr = err } else { - logrus.Errorf("removing container: %v", err) + logrus.Errorf("removing container from pod: %v", err) } } + } else { + if err := r.state.RemoveContainer(c); err != nil { + cleanupErr = err + } + logrus.Errorf("removing container: %v", err) } // Set container as invalid so it can no longer be used diff --git a/libpod/runtime_migrate.go b/libpod/runtime_migrate.go index ad45579d3..c363991e6 100644 --- a/libpod/runtime_migrate.go +++ b/libpod/runtime_migrate.go @@ -37,7 +37,9 @@ func stopPauseProcess() error { if err := os.Remove(pausePidPath); err != nil { return errors.Wrapf(err, "cannot delete pause pid file %s", pausePidPath) } - syscall.Kill(pausePid, syscall.SIGKILL) + if err := syscall.Kill(pausePid, syscall.SIGKILL); err != nil { + return err + } } return nil } diff --git a/libpod/stats.go b/libpod/stats.go index eb5ed95c4..52af824bb 100644 --- a/libpod/stats.go +++ b/libpod/stats.go @@ -46,10 +46,6 @@ func (c *Container) GetContainerStats(previousStats *ContainerStats) (*Container return stats, errors.Wrapf(err, "unable to obtain cgroup stats") } conState := c.state.State - if err != nil { - return stats, errors.Wrapf(err, "unable to determine container state") - } - netStats, err := getContainerNetIO(c) if err != nil { return nil, err diff --git a/libpod/util.go b/libpod/util.go index b0c25074b..b60575264 100644 --- a/libpod/util.go +++ b/libpod/util.go @@ -9,8 +9,6 @@ import ( "strings" "time" - "github.com/containers/image/signature" - "github.com/containers/image/types" "github.com/containers/libpod/libpod/define" "github.com/fsnotify/fsnotify" spec "github.com/opencontainers/runtime-spec/specs-go" @@ -32,24 +30,6 @@ func FuncTimer(funcName string) { fmt.Printf("%s executed in %d ms\n", funcName, elapsed) } -// CopyStringStringMap deep copies a map[string]string and returns the result -func CopyStringStringMap(m map[string]string) map[string]string { - n := map[string]string{} - for k, v := range m { - n[k] = v - } - return n -} - -// GetPolicyContext creates a signature policy context for the given signature policy path -func GetPolicyContext(path string) (*signature.PolicyContext, error) { - policy, err := signature.DefaultPolicy(&types.SystemContext{SignaturePolicyPath: path}) - if err != nil { - return nil, err - } - return signature.NewPolicyContext(policy) -} - // RemoveScientificNotationFromFloat returns a float without any // scientific notation if the number has any. // golang does not handle conversion of float64s that have scientific diff --git a/pkg/adapter/containers.go b/pkg/adapter/containers.go index 10720886b..0ea89a72c 100644 --- a/pkg/adapter/containers.go +++ b/pkg/adapter/containers.go @@ -1058,7 +1058,14 @@ func (r *LocalRuntime) GenerateSystemd(c *cliconfig.GenerateSystemdValues) (stri if c.Name { name = ctr.Name() } - return systemdgen.CreateSystemdUnitAsString(name, ctr.ID(), c.RestartPolicy, ctr.Config().StaticDir, timeout) + + config := ctr.Config() + conmonPidFile := config.ConmonPidFile + if conmonPidFile == "" { + return "", errors.Errorf("conmon PID file path is empty, try to recreate the container with --conmon-pidfile flag") + } + + return systemdgen.CreateSystemdUnitAsString(name, ctr.ID(), c.RestartPolicy, conmonPidFile, timeout) } // GetNamespaces returns namespace information about a container for PS diff --git a/pkg/cgroups/blkio.go b/pkg/cgroups/blkio.go index ca9107d97..9c2a811d9 100644 --- a/pkg/cgroups/blkio.go +++ b/pkg/cgroups/blkio.go @@ -30,7 +30,7 @@ func (c *blkioHandler) Apply(ctr *CgroupControl, res *spec.LinuxResources) error // Create the cgroup func (c *blkioHandler) Create(ctr *CgroupControl) (bool, error) { if ctr.cgroup2 { - return false, fmt.Errorf("io create not implemented for cgroup v2") + return false, nil } return ctr.createCgroupDirectory(Blkio) } diff --git a/pkg/cgroups/cgroups.go b/pkg/cgroups/cgroups.go index d6c19212b..1dad45d7f 100644 --- a/pkg/cgroups/cgroups.go +++ b/pkg/cgroups/cgroups.go @@ -149,6 +149,51 @@ func (c *CgroupControl) getCgroupv1Path(name string) string { return filepath.Join(cgroupRoot, name, c.path) } +// createCgroupv2Path creates the cgroupv2 path and enables all the available controllers +func createCgroupv2Path(path string) (Err error) { + content, err := ioutil.ReadFile("/sys/fs/cgroup/cgroup.controllers") + if err != nil { + return errors.Wrapf(err, "read /sys/fs/cgroup/cgroup.controllers") + } + if !filepath.HasPrefix(path, "/sys/fs/cgroup") { + return fmt.Errorf("invalid cgroup path %s", path) + } + + res := "" + for i, c := range strings.Split(strings.TrimSpace(string(content)), " ") { + if i == 0 { + res = fmt.Sprintf("+%s", c) + } else { + res = res + fmt.Sprintf(" +%s", c) + } + } + resByte := []byte(res) + + current := "/sys/fs" + elements := strings.Split(path, "/") + for i, e := range elements[3:] { + current = filepath.Join(current, e) + if i > 0 { + if err := os.Mkdir(current, 0755); err != nil { + if !os.IsExist(err) { + return errors.Wrapf(err, "mkdir %s", path) + } + } else { + // If the directory was created, be sure it is not left around on errors. + defer func() { + if Err != nil { + os.Remove(current) + } + }() + } + } + if err := ioutil.WriteFile(filepath.Join(current, "cgroup.subtree_control"), resByte, 0755); err != nil { + return errors.Wrapf(err, "write %s", filepath.Join(current, "cgroup.subtree_control")) + } + } + return nil +} + // initialize initializes the specified hierarchy func (c *CgroupControl) initialize() (err error) { createdSoFar := map[string]controllerHandler{} @@ -161,6 +206,11 @@ func (c *CgroupControl) initialize() (err error) { } } }() + if c.cgroup2 { + if err := createCgroupv2Path(filepath.Join(cgroupRoot, c.path)); err != nil { + return errors.Wrapf(err, "error creating cgroup path %s", c.path) + } + } for name, handler := range handlers { created, err := handler.Create(c) if err != nil { @@ -341,7 +391,7 @@ func (c *CgroupControl) AddPid(pid int) error { pidString := []byte(fmt.Sprintf("%d\n", pid)) if c.cgroup2 { - p := filepath.Join(cgroupRoot, c.path, "tasks") + p := filepath.Join(cgroupRoot, c.path, "cgroup.procs") if err := ioutil.WriteFile(p, pidString, 0644); err != nil { return errors.Wrapf(err, "write %s", p) } diff --git a/pkg/cgroups/cpu.go b/pkg/cgroups/cpu.go index 8640d490e..1c8610cc4 100644 --- a/pkg/cgroups/cpu.go +++ b/pkg/cgroups/cpu.go @@ -61,7 +61,7 @@ func (c *cpuHandler) Apply(ctr *CgroupControl, res *spec.LinuxResources) error { // Create the cgroup func (c *cpuHandler) Create(ctr *CgroupControl) (bool, error) { if ctr.cgroup2 { - return false, fmt.Errorf("cpu create not implemented for cgroup v2") + return false, nil } return ctr.createCgroupDirectory(CPU) } @@ -98,15 +98,24 @@ func (c *cpuHandler) Stat(ctr *CgroupControl, m *Metrics) error { } else { usage.Total, err = readAcct(ctr, "cpuacct.usage") if err != nil { - return err + if !os.IsNotExist(errors.Cause(err)) { + return err + } + usage.Total = 0 } usage.Kernel, err = readAcct(ctr, "cpuacct.usage_sys") if err != nil { - return err + if !os.IsNotExist(errors.Cause(err)) { + return err + } + usage.Kernel = 0 } usage.PerCPU, err = readAcctList(ctr, "cpuacct.usage_percpu") if err != nil { - return err + if !os.IsNotExist(errors.Cause(err)) { + return err + } + usage.PerCPU = nil } } m.CPU = CPUMetrics{Usage: usage} diff --git a/pkg/cgroups/cpuset.go b/pkg/cgroups/cpuset.go index 9aef493c9..25d2f7f76 100644 --- a/pkg/cgroups/cpuset.go +++ b/pkg/cgroups/cpuset.go @@ -14,19 +14,23 @@ import ( type cpusetHandler struct { } -func cpusetCopyFileFromParent(dir, file string) ([]byte, error) { +func cpusetCopyFileFromParent(dir, file string, cgroupv2 bool) ([]byte, error) { if dir == cgroupRoot { return nil, fmt.Errorf("could not find parent to initialize cpuset %s", file) } path := filepath.Join(dir, file) - data, err := ioutil.ReadFile(path) + parentPath := path + if cgroupv2 { + parentPath = fmt.Sprintf("%s.effective", parentPath) + } + data, err := ioutil.ReadFile(parentPath) if err != nil { return nil, errors.Wrapf(err, "open %s", path) } if len(strings.Trim(string(data), "\n")) != 0 { return data, nil } - data, err = cpusetCopyFileFromParent(filepath.Dir(dir), file) + data, err = cpusetCopyFileFromParent(filepath.Dir(dir), file, cgroupv2) if err != nil { return nil, err } @@ -36,9 +40,9 @@ func cpusetCopyFileFromParent(dir, file string) ([]byte, error) { return data, nil } -func cpusetCopyFromParent(path string) error { +func cpusetCopyFromParent(path string, cgroupv2 bool) error { for _, file := range []string{"cpuset.cpus", "cpuset.mems"} { - if _, err := cpusetCopyFileFromParent(path, file); err != nil { + if _, err := cpusetCopyFileFromParent(path, file, cgroupv2); err != nil { return err } } @@ -60,14 +64,15 @@ func (c *cpusetHandler) Apply(ctr *CgroupControl, res *spec.LinuxResources) erro // Create the cgroup func (c *cpusetHandler) Create(ctr *CgroupControl) (bool, error) { if ctr.cgroup2 { - return false, fmt.Errorf("cpuset create not implemented for cgroup v2") + path := filepath.Join(cgroupRoot, ctr.path) + return true, cpusetCopyFromParent(path, true) } created, err := ctr.createCgroupDirectory(CPUset) if !created || err != nil { return created, err } - return true, cpusetCopyFromParent(ctr.getCgroupv1Path(CPUset)) + return true, cpusetCopyFromParent(ctr.getCgroupv1Path(CPUset), false) } // Destroy the cgroup diff --git a/pkg/cgroups/memory.go b/pkg/cgroups/memory.go index 0505eac40..80e88d17c 100644 --- a/pkg/cgroups/memory.go +++ b/pkg/cgroups/memory.go @@ -26,7 +26,7 @@ func (c *memHandler) Apply(ctr *CgroupControl, res *spec.LinuxResources) error { // Create the cgroup func (c *memHandler) Create(ctr *CgroupControl) (bool, error) { if ctr.cgroup2 { - return false, fmt.Errorf("memory create not implemented for cgroup v2") + return false, nil } return ctr.createCgroupDirectory(Memory) } diff --git a/pkg/cgroups/pids.go b/pkg/cgroups/pids.go index c90dc1c02..ffbde100d 100644 --- a/pkg/cgroups/pids.go +++ b/pkg/cgroups/pids.go @@ -35,9 +35,6 @@ func (c *pidHandler) Apply(ctr *CgroupControl, res *spec.LinuxResources) error { // Create the cgroup func (c *pidHandler) Create(ctr *CgroupControl) (bool, error) { - if ctr.cgroup2 { - return false, fmt.Errorf("pid create not implemented for cgroup v2") - } return ctr.createCgroupDirectory(Pids) } diff --git a/pkg/hooks/0.1.0/hook.go b/pkg/hooks/0.1.0/hook.go index ba68b0f10..88a387647 100644 --- a/pkg/hooks/0.1.0/hook.go +++ b/pkg/hooks/0.1.0/hook.go @@ -6,7 +6,7 @@ import ( "errors" "strings" - hooks "github.com/containers/libpod/pkg/hooks" + "github.com/containers/libpod/pkg/hooks" current "github.com/containers/libpod/pkg/hooks/1.0.0" rspec "github.com/opencontainers/runtime-spec/specs-go" ) diff --git a/pkg/hooks/1.0.0/when_test.go b/pkg/hooks/1.0.0/when_test.go index 7187b297b..a749063ff 100644 --- a/pkg/hooks/1.0.0/when_test.go +++ b/pkg/hooks/1.0.0/when_test.go @@ -30,7 +30,7 @@ func TestAlways(t *testing.T) { for _, always := range []bool{true, false} { for _, or := range []bool{true, false} { for _, process := range []*rspec.Process{processStruct, nil} { - t.Run(fmt.Sprintf("always %t, or %t, has process %t", always, or, (process != nil)), func(t *testing.T) { + t.Run(fmt.Sprintf("always %t, or %t, has process %t", always, or, process != nil), func(t *testing.T) { config.Process = process when := When{Always: &always, Or: or} match, err := when.Match(config, map[string]string{}, false) diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 1f0ede6f0..0f684750e 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -135,7 +135,7 @@ func parseCRILog(log []byte, msg *logMessage) error { } // Keep this forward compatible. tags := bytes.Split(log[:idx], tagDelimiter) - partial := (LogTag(tags[0]) == LogTagPartial) + partial := LogTag(tags[0]) == LogTagPartial // Trim the tailing new line if this is a partial line. if partial && len(log) > 0 && log[len(log)-1] == '\n' { log = log[:len(log)-1] diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index f3b9a8fd5..8028a359c 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -215,7 +215,7 @@ func EnableLinger() (string, error) { // If we have a D-BUS connection, attempt to read the LINGER property from it. if conn != nil { - path := dbus.ObjectPath((fmt.Sprintf("/org/freedesktop/login1/user/_%s", uid))) + path := dbus.ObjectPath(fmt.Sprintf("/org/freedesktop/login1/user/_%s", uid)) ret, err := conn.Object("org.freedesktop.login1", path).GetProperty("org.freedesktop.login1.User.Linger") if err == nil && ret.Value().(bool) { lingerEnabled = true @@ -265,7 +265,7 @@ func EnableLinger() (string, error) { // If we have a D-BUS connection, attempt to read the RUNTIME PATH from it. if conn != nil { - path := dbus.ObjectPath((fmt.Sprintf("/org/freedesktop/login1/user/_%s", uid))) + path := dbus.ObjectPath(fmt.Sprintf("/org/freedesktop/login1/user/_%s", uid)) ret, err := conn.Object("org.freedesktop.login1", path).GetProperty("org.freedesktop.login1.User.RuntimePath") if err == nil { return strings.Trim(ret.String(), "\"\n"), nil diff --git a/pkg/sysinfo/sysinfo_test.go b/pkg/sysinfo/sysinfo_test.go index b61fbcf54..895828f26 100644 --- a/pkg/sysinfo/sysinfo_test.go +++ b/pkg/sysinfo/sysinfo_test.go @@ -20,7 +20,7 @@ func TestIsCpusetListAvailable(t *testing.T) { for _, c := range cases { r, err := isCpusetListAvailable(c.provided, c.available) if (c.err && err == nil) && r != c.res { - t.Fatalf("Expected pair: %v, %v for %s, %s. Got %v, %v instead", c.res, c.err, c.provided, c.available, (c.err && err == nil), r) + t.Fatalf("Expected pair: %v, %v for %s, %s. Got %v, %v instead", c.res, c.err, c.provided, c.available, c.err && err == nil, r) } } } diff --git a/pkg/systemdgen/systemdgen.go b/pkg/systemdgen/systemdgen.go index 3d1c31b5d..06c5ebde5 100644 --- a/pkg/systemdgen/systemdgen.go +++ b/pkg/systemdgen/systemdgen.go @@ -2,17 +2,18 @@ package systemdgen import ( "fmt" - "path/filepath" + "os" "github.com/pkg/errors" + "github.com/sirupsen/logrus" ) var template = `[Unit] Description=%s Podman Container [Service] Restart=%s -ExecStart=/usr/bin/podman start %s -ExecStop=/usr/bin/podman stop -t %d %s +ExecStart=%s start %s +ExecStop=%s stop -t %d %s KillMode=none Type=forking PIDFile=%s @@ -33,11 +34,26 @@ func ValidateRestartPolicy(restart string) error { // CreateSystemdUnitAsString takes variables to create a systemd unit file used to control // a libpod container -func CreateSystemdUnitAsString(name, cid, restart, pidPath string, stopTimeout int) (string, error) { +func CreateSystemdUnitAsString(name, cid, restart, pidFile string, stopTimeout int) (string, error) { + podmanExe := getPodmanExecutable() + return createSystemdUnitAsString(podmanExe, name, cid, restart, pidFile, stopTimeout) +} + +func createSystemdUnitAsString(exe, name, cid, restart, pidFile string, stopTimeout int) (string, error) { if err := ValidateRestartPolicy(restart); err != nil { return "", err } - pidFile := filepath.Join(pidPath, fmt.Sprintf("%s.pid", cid)) - unit := fmt.Sprintf(template, name, restart, name, stopTimeout, name, pidFile) + + unit := fmt.Sprintf(template, name, restart, exe, name, exe, stopTimeout, name, pidFile) return unit, nil } + +func getPodmanExecutable() string { + podmanExe, err := os.Executable() + if err != nil { + podmanExe = "/usr/bin/podman" + logrus.Warnf("Could not obtain podman executable location, using default %s", podmanExe) + } + + return podmanExe +} diff --git a/pkg/systemdgen/systemdgen_test.go b/pkg/systemdgen/systemdgen_test.go index f2f49e750..e413b24ce 100644 --- a/pkg/systemdgen/systemdgen_test.go +++ b/pkg/systemdgen/systemdgen_test.go @@ -41,7 +41,7 @@ ExecStart=/usr/bin/podman start 639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4 ExecStop=/usr/bin/podman stop -t 10 639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401 KillMode=none Type=forking -PIDFile=/var/lib/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401.pid +PIDFile=/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid [Install] WantedBy=multi-user.target` @@ -53,15 +53,16 @@ ExecStart=/usr/bin/podman start foobar ExecStop=/usr/bin/podman stop -t 10 foobar KillMode=none Type=forking -PIDFile=/var/lib/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401.pid +PIDFile=/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid [Install] WantedBy=multi-user.target` type args struct { + exe string name string cid string restart string - pidPath string + pidFile string stopTimeout int } tests := []struct { @@ -73,10 +74,11 @@ WantedBy=multi-user.target` {"good with id", args{ + "/usr/bin/podman", "639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401", "639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401", "always", - "/var/lib/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/", + "/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid", 10, }, goodID, @@ -84,10 +86,11 @@ WantedBy=multi-user.target` }, {"good with name", args{ + "/usr/bin/podman", "foobar", "639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401", "always", - "/var/lib/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/", + "/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid", 10, }, goodName, @@ -95,10 +98,11 @@ WantedBy=multi-user.target` }, {"bad restart policy", args{ + "/usr/bin/podman", "639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401", "639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401", "never", - "/var/lib/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/", + "/var/run/containers/storage/overlay-containers/639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401/userdata/conmon.pid", 10, }, "", @@ -107,7 +111,7 @@ WantedBy=multi-user.target` } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := CreateSystemdUnitAsString(tt.args.name, tt.args.cid, tt.args.restart, tt.args.pidPath, tt.args.stopTimeout) + got, err := createSystemdUnitAsString(tt.args.exe, tt.args.name, tt.args.cid, tt.args.restart, tt.args.pidFile, tt.args.stopTimeout) if (err != nil) != tt.wantErr { t.Errorf("CreateSystemdUnitAsString() error = %v, wantErr %v", err, tt.wantErr) return diff --git a/pkg/tracing/tracing.go b/pkg/tracing/tracing.go index cae76dee8..d028ddf8f 100644 --- a/pkg/tracing/tracing.go +++ b/pkg/tracing/tracing.go @@ -4,9 +4,9 @@ import ( "fmt" "io" - opentracing "github.com/opentracing/opentracing-go" - jaeger "github.com/uber/jaeger-client-go" - config "github.com/uber/jaeger-client-go/config" + "github.com/opentracing/opentracing-go" + "github.com/uber/jaeger-client-go" + "github.com/uber/jaeger-client-go/config" ) // Init returns an instance of Jaeger Tracer that samples 100% of traces and logs all spans to stdout. diff --git a/pkg/trust/trust.go b/pkg/trust/trust.go index 9a75474ae..3bfe4bda1 100644 --- a/pkg/trust/trust.go +++ b/pkg/trust/trust.go @@ -14,7 +14,7 @@ import ( "github.com/containers/image/types" "github.com/pkg/errors" "github.com/sirupsen/logrus" - yaml "gopkg.in/yaml.v2" + "gopkg.in/yaml.v2" ) // PolicyContent struct for policy.json file diff --git a/rootless.md b/rootless.md index d397ae857..bdbc1becc 100644 --- a/rootless.md +++ b/rootless.md @@ -16,9 +16,9 @@ can easily fail * Cgroups V2 development for container support is ongoing. * Can not share container images with CRI-O or other users * Difficult to use additional stores for sharing content -* Does not work on NFS homedirs - * NFS enforces file creation on different UIDs on the server side and does not understand User Namespace. - * When a container root process like YUM attempts to create a file owned by a different UID, NFS Server denies the creation. +* Does not work on NFS or parallel filesystem homedirs (e.g. [GPFS](https://www.ibm.com/support/knowledgecenter/en/SSFKCN/gpfs_welcome.html)) + * NFS and parallel filesystems enforce file creation on different UIDs on the server side and does not understand User Namespace. + * When a container root process like YUM attempts to create a file owned by a different UID, NFS Server/GPFS denies the creation. * Does not work with homedirs mounted with noexec/nodev * User can setup storage to point to other directories they can write to that are not mounted noexec/nodev * Can not use overlayfs driver, but does support fuse-overlayfs @@ -26,7 +26,7 @@ can easily fail * Only other supported driver is VFS. * No KATA Container support * No CNI Support - * CNI wants to modify IPTables, plus other network manipulation that I requires CAP_SYS_ADMIN. + * CNI wants to modify IPTables, plus other network manipulation that requires CAP_SYS_ADMIN. * There is potential we could probably do some sort of blacklisting of the relevant plugins, and add a new plugin for rootless networking - slirp4netns as one example and there may be others * Cannot use ping * [(Can be fixed by setting sysctl on host)](https://github.com/containers/libpod/blob/master/troubleshooting.md#5-rootless-containers-cannot-ping-hosts) diff --git a/test/e2e/checkpoint_test.go b/test/e2e/checkpoint_test.go index d452a062b..65daf5e94 100644 --- a/test/e2e/checkpoint_test.go +++ b/test/e2e/checkpoint_test.go @@ -3,9 +3,12 @@ package integration import ( + "math/rand" "net" "os" "os/exec" + "strconv" + "time" "github.com/containers/libpod/pkg/criu" . "github.com/containers/libpod/test/utils" @@ -13,6 +16,16 @@ import ( . "github.com/onsi/gomega" ) +func getRunString(input []string) []string { + // To avoid IP collisions of initialize random seed for random IP addresses + rand.Seed(time.Now().UnixNano()) + ip3 := strconv.Itoa(rand.Intn(230) + GinkgoParallelNode()) + ip4 := strconv.Itoa(rand.Intn(230) + GinkgoParallelNode()) + // CRIU does not work with seccomp correctly on RHEL7 : seccomp=unconfined + runString := []string{"run", "-it", "--security-opt", "seccomp=unconfined", "-d", "--ip", "10.88." + ip3 + "." + ip4} + return append(runString, input...) +} + var _ = Describe("Podman checkpoint", func() { var ( tempdir string @@ -49,7 +62,6 @@ var _ = Describe("Podman checkpoint", func() { if hostInfo.Distribution == "fedora" && hostInfo.Version < "29" { Skip("Checkpoint/Restore with SELinux only works on Fedora >= 29") } - }) AfterEach(func() { @@ -72,8 +84,8 @@ var _ = Describe("Podman checkpoint", func() { }) It("podman checkpoint a running container by id", func() { - // CRIU does not work with seccomp correctly on RHEL7 - session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", "-d", ALPINE, "top"}) + localRunString := getRunString([]string{ALPINE, "top"}) + session := podmanTest.Podman(localRunString) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) cid := session.OutputToString() @@ -94,7 +106,8 @@ var _ = Describe("Podman checkpoint", func() { }) It("podman checkpoint a running container by name", func() { - session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", "--name", "test_name", "-d", ALPINE, "top"}) + localRunString := getRunString([]string{"--name", "test_name", ALPINE, "top"}) + session := podmanTest.Podman(localRunString) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) @@ -114,7 +127,8 @@ var _ = Describe("Podman checkpoint", func() { }) It("podman pause a checkpointed container by id", func() { - session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", "-d", ALPINE, "top"}) + localRunString := getRunString([]string{ALPINE, "top"}) + session := podmanTest.Podman(localRunString) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) cid := session.OutputToString() @@ -151,11 +165,13 @@ var _ = Describe("Podman checkpoint", func() { }) It("podman checkpoint latest running container", func() { - session1 := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", "--name", "first", "-d", ALPINE, "top"}) + localRunString := getRunString([]string{"--name", "first", ALPINE, "top"}) + session1 := podmanTest.Podman(localRunString) session1.WaitWithDefaultTimeout() Expect(session1.ExitCode()).To(Equal(0)) - session2 := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", "--name", "second", "-d", ALPINE, "top"}) + localRunString = getRunString([]string{"--name", "second", ALPINE, "top"}) + session2 := podmanTest.Podman(localRunString) session2.WaitWithDefaultTimeout() Expect(session2.ExitCode()).To(Equal(0)) @@ -186,11 +202,13 @@ var _ = Describe("Podman checkpoint", func() { }) It("podman checkpoint all running container", func() { - session1 := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", "--name", "first", "-d", ALPINE, "top"}) + localRunString := getRunString([]string{"--name", "first", ALPINE, "top"}) + session1 := podmanTest.Podman(localRunString) session1.WaitWithDefaultTimeout() Expect(session1.ExitCode()).To(Equal(0)) - session2 := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", "--name", "second", "-d", ALPINE, "top"}) + localRunString = getRunString([]string{"--name", "second", ALPINE, "top"}) + session2 := podmanTest.Podman(localRunString) session2.WaitWithDefaultTimeout() Expect(session2.ExitCode()).To(Equal(0)) @@ -221,7 +239,8 @@ var _ = Describe("Podman checkpoint", func() { }) It("podman checkpoint container with established tcp connections", func() { - session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", "-d", redis}) + localRunString := getRunString([]string{redis}) + session := podmanTest.Podman(localRunString) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) @@ -275,7 +294,8 @@ var _ = Describe("Podman checkpoint", func() { }) It("podman checkpoint with --leave-running", func() { - session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", "-d", ALPINE, "top"}) + localRunString := getRunString([]string{ALPINE, "top"}) + session := podmanTest.Podman(localRunString) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) cid := session.OutputToString() @@ -312,7 +332,8 @@ var _ = Describe("Podman checkpoint", func() { }) It("podman checkpoint and restore container with same IP", func() { - session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", "--name", "test_name", "-d", ALPINE, "top"}) + localRunString := getRunString([]string{"--name", "test_name", ALPINE, "top"}) + session := podmanTest.Podman(localRunString) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) @@ -355,8 +376,10 @@ var _ = Describe("Podman checkpoint", func() { session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) Expect(podmanTest.NumberOfContainersRunning()).To(Equal(1)) + cid := session.OutputToString() + fileName := "/tmp/checkpoint-" + cid + ".tar.gz" - result := podmanTest.Podman([]string{"container", "checkpoint", "-l", "-e", "/tmp/checkpoint.tar.gz"}) + result := podmanTest.Podman([]string{"container", "checkpoint", "-l", "-e", fileName}) result.WaitWithDefaultTimeout() Expect(result.ExitCode()).To(Equal(0)) @@ -369,7 +392,7 @@ var _ = Describe("Podman checkpoint", func() { Expect(result.ExitCode()).To(Equal(0)) Expect(podmanTest.NumberOfContainersRunning()).To(Equal(0)) - result = podmanTest.Podman([]string{"container", "restore", "-i", "/tmp/checkpoint.tar.gz"}) + result = podmanTest.Podman([]string{"container", "restore", "-i", fileName}) result.WaitWithDefaultTimeout() Expect(result.ExitCode()).To(Equal(0)) @@ -377,7 +400,7 @@ var _ = Describe("Podman checkpoint", func() { Expect(podmanTest.GetContainerStatus()).To(ContainSubstring("Up")) // Restore container a second time with different name - result = podmanTest.Podman([]string{"container", "restore", "-i", "/tmp/checkpoint.tar.gz", "-n", "restore_again"}) + result = podmanTest.Podman([]string{"container", "restore", "-i", fileName, "-n", "restore_again"}) result.WaitWithDefaultTimeout() Expect(result.ExitCode()).To(Equal(0)) @@ -390,6 +413,47 @@ var _ = Describe("Podman checkpoint", func() { Expect(podmanTest.NumberOfContainersRunning()).To(Equal(0)) // Remove exported checkpoint - os.Remove("/tmp/checkpoint.tar.gz") + os.Remove(fileName) + }) + + It("podman checkpoint and run exec in restored container", func() { + // Start the container + localRunString := getRunString([]string{"--rm", ALPINE, "top"}) + session := podmanTest.Podman(localRunString) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(podmanTest.NumberOfContainersRunning()).To(Equal(1)) + cid := session.OutputToString() + fileName := "/tmp/checkpoint-" + cid + ".tar.gz" + + // Checkpoint the container + result := podmanTest.Podman([]string{"container", "checkpoint", "-l", "-e", fileName}) + result.WaitWithDefaultTimeout() + + Expect(result.ExitCode()).To(Equal(0)) + Expect(podmanTest.NumberOfContainersRunning()).To(Equal(0)) + Expect(podmanTest.NumberOfContainers()).To(Equal(0)) + + // Restore the container + result = podmanTest.Podman([]string{"container", "restore", "-i", fileName}) + result.WaitWithDefaultTimeout() + + Expect(result.ExitCode()).To(Equal(0)) + Expect(podmanTest.NumberOfContainersRunning()).To(Equal(1)) + Expect(podmanTest.NumberOfContainers()).To(Equal(1)) + Expect(podmanTest.GetContainerStatus()).To(ContainSubstring("Up")) + + // Exec in the container + result = podmanTest.Podman([]string{"exec", "-l", "/bin/sh", "-c", "echo " + cid + " > /test.output"}) + result.WaitWithDefaultTimeout() + Expect(result.ExitCode()).To(Equal(0)) + + result = podmanTest.Podman([]string{"exec", "-l", "cat", "/test.output"}) + result.WaitWithDefaultTimeout() + Expect(result.ExitCode()).To(Equal(0)) + Expect(result.OutputToString()).To(ContainSubstring(cid)) + + // Remove exported checkpoint + os.Remove(fileName) }) }) diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go index c3a37236b..21afc4b84 100644 --- a/test/e2e/common_test.go +++ b/test/e2e/common_test.go @@ -530,6 +530,19 @@ func (p *PodmanTestIntegration) RunHealthCheck(cid string) error { if hc.ExitCode() == 0 { return nil } + // Restart container if it's not running + ps := p.Podman([]string{"ps", "--no-trunc", "--q", "--filter", fmt.Sprintf("id=%s", cid)}) + ps.WaitWithDefaultTimeout() + if ps.ExitCode() == 0 { + if !strings.Contains(ps.OutputToString(), cid) { + fmt.Printf("Container %s is not running, restarting", cid) + restart := p.Podman([]string{"restart", cid}) + restart.WaitWithDefaultTimeout() + if restart.ExitCode() != 0 { + return errors.Errorf("unable to restart %s", cid) + } + } + } fmt.Printf("Waiting for %s to pass healthcheck\n", cid) time.Sleep(1 * time.Second) } diff --git a/test/e2e/generate_kube_test.go b/test/e2e/generate_kube_test.go index 1df54f753..49d2c12a8 100644 --- a/test/e2e/generate_kube_test.go +++ b/test/e2e/generate_kube_test.go @@ -207,4 +207,35 @@ var _ = Describe("Podman generate kube", func() { Expect(psOut).To(ContainSubstring("test1")) Expect(psOut).To(ContainSubstring("test2")) }) + + It("podman generate kube with volume", func() { + vol1 := filepath.Join(podmanTest.TempDir, "vol-test1") + err := os.MkdirAll(vol1, 0755) + Expect(err).To(BeNil()) + + // we need a container name because IDs don't persist after rm/play + ctrName := "test-ctr" + + session1 := podmanTest.Podman([]string{"run", "-d", "--pod", "new:test1", "--name", ctrName, "-v", vol1 + ":/volume/:z", "alpine", "top"}) + session1.WaitWithDefaultTimeout() + Expect(session1.ExitCode()).To(Equal(0)) + + outputFile := filepath.Join(podmanTest.RunRoot, "pod.yaml") + kube := podmanTest.Podman([]string{"generate", "kube", "test1", "-f", outputFile}) + kube.WaitWithDefaultTimeout() + Expect(kube.ExitCode()).To(Equal(0)) + + rm := podmanTest.Podman([]string{"pod", "rm", "-f", "test1"}) + rm.WaitWithDefaultTimeout() + Expect(rm.ExitCode()).To(Equal(0)) + + play := podmanTest.Podman([]string{"play", "kube", outputFile}) + play.WaitWithDefaultTimeout() + Expect(play.ExitCode()).To(Equal(0)) + + inspect := podmanTest.Podman([]string{"inspect", ctrName}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.ExitCode()).To(Equal(0)) + Expect(inspect.OutputToString()).To(ContainSubstring(vol1)) + }) }) diff --git a/test/e2e/push_test.go b/test/e2e/push_test.go index de2416868..cf6279f2f 100644 --- a/test/e2e/push_test.go +++ b/test/e2e/push_test.go @@ -8,6 +8,7 @@ import ( "path/filepath" "strings" + "github.com/containers/libpod/pkg/rootless" . "github.com/containers/libpod/test/utils" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" @@ -59,6 +60,9 @@ var _ = Describe("Podman push", func() { if podmanTest.Host.Arch == "ppc64le" { Skip("No registry image for ppc64le") } + if rootless.IsRootless() { + podmanTest.RestoreArtifact(registry) + } lock := GetPortLock("5000") defer lock.Unlock() session := podmanTest.PodmanNoCache([]string{"run", "-d", "--name", "registry", "-p", "5000:5000", registry, "/entrypoint.sh", "/etc/docker/registry/config.yml"}) diff --git a/test/e2e/rmi_test.go b/test/e2e/rmi_test.go index 1687bf764..1b0329a83 100644 --- a/test/e2e/rmi_test.go +++ b/test/e2e/rmi_test.go @@ -55,7 +55,7 @@ var _ = Describe("Podman rmi", func() { }) It("podman rmi all images", func() { - podmanTest.PullImages([]string{nginx}) + podmanTest.RestoreArtifact(nginx) session := podmanTest.PodmanNoCache([]string{"rmi", "-a"}) session.WaitWithDefaultTimeout() images := podmanTest.PodmanNoCache([]string{"images"}) @@ -66,7 +66,7 @@ var _ = Describe("Podman rmi", func() { }) It("podman rmi all images forcibly with short options", func() { - podmanTest.PullImages([]string{nginx}) + podmanTest.RestoreArtifact(nginx) session := podmanTest.PodmanNoCache([]string{"rmi", "-fa"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) diff --git a/test/e2e/run_cleanup_test.go b/test/e2e/run_cleanup_test.go index 73647b6bb..86790e726 100644 --- a/test/e2e/run_cleanup_test.go +++ b/test/e2e/run_cleanup_test.go @@ -4,6 +4,7 @@ package integration import ( "os" + "strings" . "github.com/containers/libpod/test/utils" . "github.com/onsi/ginkgo" @@ -35,18 +36,32 @@ var _ = Describe("Podman run exit", func() { }) It("podman run -d mount cleanup test", func() { + result := podmanTest.Podman([]string{"run", "-dt", ALPINE, "top"}) + result.WaitWithDefaultTimeout() + cid := result.OutputToString() + Expect(result.ExitCode()).To(Equal(0)) + mount := SystemExec("mount", nil) Expect(mount.ExitCode()).To(Equal(0)) + Expect(strings.Contains(mount.OutputToString(), cid)) - out1 := mount.OutputToString() - result := podmanTest.Podman([]string{"create", "-dt", ALPINE, "echo", "hello"}) - result.WaitWithDefaultTimeout() - Expect(result.ExitCode()).To(Equal(0)) + pmount := podmanTest.Podman([]string{"mount", "--notruncate"}) + pmount.WaitWithDefaultTimeout() + Expect(strings.Contains(pmount.OutputToString(), cid)) + Expect(pmount.ExitCode()).To(Equal(0)) + + stop := podmanTest.Podman([]string{"stop", cid}) + stop.WaitWithDefaultTimeout() + Expect(stop.ExitCode()).To(Equal(0)) mount = SystemExec("mount", nil) Expect(mount.ExitCode()).To(Equal(0)) + Expect(!strings.Contains(mount.OutputToString(), cid)) + + pmount = podmanTest.Podman([]string{"mount", "--notruncate"}) + pmount.WaitWithDefaultTimeout() + Expect(!strings.Contains(pmount.OutputToString(), cid)) + Expect(pmount.ExitCode()).To(Equal(0)) - out2 := mount.OutputToString() - Expect(out1).To(Equal(out2)) }) }) diff --git a/test/e2e/run_signal_test.go b/test/e2e/run_signal_test.go index 3a5ed483c..1dbac1dc9 100644 --- a/test/e2e/run_signal_test.go +++ b/test/e2e/run_signal_test.go @@ -11,6 +11,7 @@ import ( "syscall" "time" + "github.com/containers/libpod/pkg/rootless" . "github.com/containers/libpod/test/utils" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" @@ -53,7 +54,9 @@ var _ = Describe("Podman run with --sig-proxy", func() { os.Mkdir(udsDir, 0700) udsPath := filepath.Join(udsDir, "fifo") syscall.Mkfifo(udsPath, 0600) - + if rootless.IsRootless() { + podmanTest.RestoreArtifact(fedoraMinimal) + } _, pid := podmanTest.PodmanPID([]string{"run", "-it", "-v", fmt.Sprintf("%s:/h:Z", udsDir), fedoraMinimal, "bash", "-c", sigCatch}) uds, _ := os.OpenFile(udsPath, os.O_RDONLY|syscall.O_NONBLOCK, 0600) @@ -108,6 +111,9 @@ var _ = Describe("Podman run with --sig-proxy", func() { Specify("signals are not forwarded to container with sig-proxy false", func() { signal := syscall.SIGPOLL + if rootless.IsRootless() { + podmanTest.RestoreArtifact(fedoraMinimal) + } session, pid := podmanTest.PodmanPID([]string{"run", "--name", "test2", "--sig-proxy=false", fedoraMinimal, "bash", "-c", sigCatch}) ok := WaitForContainer(podmanTest) diff --git a/test/e2e/run_staticip_test.go b/test/e2e/run_staticip_test.go index 9753cfc9c..b9698cdd9 100644 --- a/test/e2e/run_staticip_test.go +++ b/test/e2e/run_staticip_test.go @@ -56,10 +56,10 @@ var _ = Describe("Podman run with --ip flag", func() { }) It("Podman run with specified static IP has correct IP", func() { - result := podmanTest.Podman([]string{"run", "-ti", "--ip", "10.88.64.128", ALPINE, "ip", "addr"}) + result := podmanTest.Podman([]string{"run", "-ti", "--ip", "10.88.63.2", ALPINE, "ip", "addr"}) result.WaitWithDefaultTimeout() Expect(result.ExitCode()).To(Equal(0)) - Expect(result.OutputToString()).To(ContainSubstring("10.88.64.128/16")) + Expect(result.OutputToString()).To(ContainSubstring("10.88.63.2/16")) }) It("Podman run two containers with the same IP", func() { diff --git a/test/e2e/tree_test.go b/test/e2e/tree_test.go index 2db7aeb5e..c445328fa 100644 --- a/test/e2e/tree_test.go +++ b/test/e2e/tree_test.go @@ -37,10 +37,6 @@ var _ = Describe("Podman image tree", func() { if podmanTest.RemoteTest { Skip("Does not work on remote client") } - session := podmanTest.PodmanNoCache([]string{"pull", "docker.io/library/busybox:latest"}) - session.WaitWithDefaultTimeout() - Expect(session.ExitCode()).To(Equal(0)) - dockerfile := `FROM docker.io/library/busybox:latest RUN mkdir hello RUN touch test.txt @@ -48,7 +44,7 @@ ENV foo=bar ` podmanTest.BuildImage(dockerfile, "test:latest", "true") - session = podmanTest.PodmanNoCache([]string{"image", "tree", "test:latest"}) + session := podmanTest.PodmanNoCache([]string{"image", "tree", "test:latest"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) session = podmanTest.PodmanNoCache([]string{"image", "tree", "--whatrequires", "docker.io/library/busybox:latest"}) diff --git a/test/system/070-build.bats b/test/system/070-build.bats index 53acf6edd..c1e7c7ec4 100644 --- a/test/system/070-build.bats +++ b/test/system/070-build.bats @@ -20,15 +20,16 @@ load helpers dockerfile=$tmpdir/Dockerfile cat >$dockerfile <<EOF FROM $IMAGE +RUN apk add nginx RUN echo $rand_content > /$rand_filename EOF run_podman build -t build_test --format=docker $tmpdir + is "$output" ".*STEP 4: COMMIT" "COMMIT seen in log" run_podman run --rm build_test cat /$rand_filename is "$output" "$rand_content" "reading generated file in image" run_podman rmi build_test } - # vim: filetype=sh diff --git a/test/system/250-generate-systemd.bats b/test/system/250-generate-systemd.bats new file mode 100644 index 000000000..80199af5f --- /dev/null +++ b/test/system/250-generate-systemd.bats @@ -0,0 +1,46 @@ +#!/usr/bin/env bats -*- bats -*- +# +# Tests generated configurations for systemd. +# + +load helpers + +# Be extra paranoid in naming to avoid collisions. +SERVICE_NAME="podman_test_$(random_string)" +UNIT_DIR="$HOME/.config/systemd/user" +UNIT_FILE="$UNIT_DIR/$SERVICE_NAME.service" + +function setup() { + skip_if_not_systemd + skip_if_remote + + basic_setup + + if [ ! -d "$UNIT_DIR" ]; then + mkdir -p "$UNIT_DIR" + systemctl --user daemon-reload + fi +} + +function teardown() { + rm -f "$UNIT_FILE" + systemctl --user stop "$SERVICE_NAME" + basic_teardown +} + +@test "podman generate - systemd - basic" { + run_podman create $IMAGE echo "I'm alive!" + cid="$output" + + run_podman generate systemd $cid > "$UNIT_FILE" + + run systemctl --user start "$SERVICE_NAME" + if [ $status -ne 0 ]; then + die "The systemd service $SERVICE_NAME did not start correctly, output: $output" + fi + + run_podman logs $cid + is "$output" "I'm alive!" "Container output" +} + +# vim: filetype=sh diff --git a/test/system/README.md b/test/system/README.md index 6ac408f4e..d98b1c0fe 100644 --- a/test/system/README.md +++ b/test/system/README.md @@ -42,6 +42,15 @@ should be reserved for a first-pass fail-fast subset of tests: without having to wait for the entire test suite. +Running tests +============= +To run the tests locally in your sandbox, you can use one of these methods: +* make;PODMAN=./bin/podman bats ./test/system/070-build.bats # runs just the specified test +* make;PODMAN=./bin/podman bats ./test/system # runs all + +To test as root: +* $ PODMAN=./bin/podman sudo --preserve-env=PODMAN bats test/system + Analyzing test failures ======================= diff --git a/test/system/helpers.bash b/test/system/helpers.bash index 29ef19ecc..1db80f111 100644 --- a/test/system/helpers.bash +++ b/test/system/helpers.bash @@ -236,6 +236,17 @@ function skip_if_remote() { skip "${1:-test does not work with podman-remote}" } +######################### +# skip_if_not_systemd # ...with an optional message +######################### +function skip_if_not_systemd() { + if systemctl --user >/dev/null 2>&1; then + return + fi + + skip "${1:-no systemd or daemon does not respond}" +} + ######### # die # Abort with helpful message ######### diff --git a/test/test_podman_baseline.sh b/test/test_podman_baseline.sh index 92bc8e20c..d205f544a 100755 --- a/test/test_podman_baseline.sh +++ b/test/test_podman_baseline.sh @@ -536,6 +536,28 @@ EOF fi ######## +# Build Dockerfile for RUN with priv'd command test +######## +FILE=./Dockerfile +/bin/cat <<EOM >$FILE +FROM alpine +RUN apk add nginx +EOM +chmod +x $FILE + +######## +# Build with the Dockerfile +######## +podman build -f Dockerfile -t build-priv + +######## +# Cleanup +######## +podman rm -a -f +podman rmi -a -f +rm ./Dockerfile + +######## # Build Dockerfile for WhaleSays test ######## FILE=./Dockerfile diff --git a/utils/utils.go b/utils/utils.go index 0ac6bc6d3..3c8c0a9b0 100644 --- a/utils/utils.go +++ b/utils/utils.go @@ -48,11 +48,6 @@ func ExecCmdWithStdStreams(stdin io.Reader, stdout, stderr io.Writer, env []stri return nil } -// StatusToExitCode converts wait status code to an exit code -func StatusToExitCode(status int) int { - return ((status) & 0xff00) >> 8 -} - // ErrDetach is an error indicating that the user manually detached from the // container. var ErrDetach = errors.New("detached from container") diff --git a/vendor/modules.txt b/vendor/modules.txt index 6a7c04267..62d2ebc9d 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -538,11 +538,11 @@ gopkg.in/yaml.v2 k8s.io/api/core/v1 # k8s.io/apimachinery v0.0.0-20190624085041-961b39a1baa0 k8s.io/apimachinery/pkg/fields -k8s.io/apimachinery/pkg/api/resource k8s.io/apimachinery/pkg/apis/meta/v1 k8s.io/apimachinery/pkg/util/wait k8s.io/apimachinery/pkg/util/runtime k8s.io/apimachinery/pkg/selection +k8s.io/apimachinery/pkg/api/resource k8s.io/apimachinery/pkg/runtime k8s.io/apimachinery/pkg/runtime/schema k8s.io/apimachinery/pkg/types |