aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rwxr-xr-xAPI.md94
-rw-r--r--README.md2
-rw-r--r--cmd/podman/cliconfig/commands.go4
-rw-r--r--cmd/podman/cliconfig/config.go13
-rw-r--r--cmd/podman/commit.go17
-rw-r--r--cmd/podman/create.go2
-rw-r--r--cmd/podman/imagefilters/filters.go7
-rw-r--r--cmd/podman/images.go17
-rw-r--r--cmd/podman/run.go2
-rw-r--r--cmd/podman/run_test.go2
-rw-r--r--cmd/podman/shared/intermediate.go8
-rw-r--r--cmd/podman/varlink/io.podman.varlink4
-rw-r--r--commands.md6
-rw-r--r--docs/podman-commit.1.md4
-rw-r--r--install.md1
-rw-r--r--libpod/container_commit.go17
-rw-r--r--libpod/container_internal.go8
-rw-r--r--libpod/oci_linux.go53
-rw-r--r--libpod/runtime_ctr.go7
-rw-r--r--pkg/adapter/containers.go4
-rw-r--r--pkg/adapter/containers_remote.go24
-rw-r--r--pkg/spec/spec.go3
-rw-r--r--pkg/varlinkapi/attach.go76
-rw-r--r--test/e2e/commit_test.go19
-rw-r--r--test/e2e/images_test.go11
-rw-r--r--test/e2e/prune_test.go4
-rw-r--r--test/e2e/rmi_test.go2
-rw-r--r--test/system/005-info.bats4
-rw-r--r--test/system/010-images.bats3
-rw-r--r--test/system/015-help.bats2
-rw-r--r--test/system/030-run.bats14
-rw-r--r--test/system/035-logs.bats2
-rw-r--r--test/system/060-mount.bats1
-rw-r--r--test/system/070-build.bats2
-rw-r--r--test/system/075-exec.bats2
-rw-r--r--test/system/110-history.bats2
-rw-r--r--test/system/400-unprivileged-access.bats1
-rw-r--r--test/system/helpers.bash10
38 files changed, 360 insertions, 94 deletions
diff --git a/API.md b/API.md
index 95507d189..738449f43 100755
--- a/API.md
+++ b/API.md
@@ -3,7 +3,7 @@ Podman Service Interface and API description. The master version of this docume
in the [API.md](https://github.com/containers/libpod/blob/master/API.md) file in the upstream libpod repository.
## Index
-[func Attach(name: string) ](#Attach)
+[func Attach(name: string, detachKeys: string, start: bool) ](#Attach)
[func AttachControl(name: string) ](#AttachControl)
@@ -119,6 +119,8 @@ in the [API.md](https://github.com/containers/libpod/blob/master/API.md) file in
[func PodStateData(name: string) string](#PodStateData)
+[func Ps(opts: PsOpts) PsContainer](#Ps)
+
[func PullImage(name: string, certDir: string, creds: string, signaturePolicy: string, tlsVerify: ) MoreResponse](#PullImage)
[func PushImage(name: string, tag: string, tlsverify: , signaturePolicy: string, creds: string, certDir: string, compress: bool, format: string, removeSignatures: bool, signBy: string) MoreResponse](#PushImage)
@@ -225,6 +227,10 @@ in the [API.md](https://github.com/containers/libpod/blob/master/API.md) file in
[type PodmanInfo](#PodmanInfo)
+[type PsContainer](#PsContainer)
+
+[type PsOpts](#PsOpts)
+
[type Runlabel](#Runlabel)
[type Sockets](#Sockets)
@@ -261,8 +267,9 @@ in the [API.md](https://github.com/containers/libpod/blob/master/API.md) file in
### <a name="Attach"></a>func Attach
<div style="background-color: #E8E8E8; padding: 15px; margin: 10px; border-radius: 10px;">
-method Attach(name: [string](https://godoc.org/builtin#string)) </div>
-
+method Attach(name: [string](https://godoc.org/builtin#string), detachKeys: [string](https://godoc.org/builtin#string), start: [bool](https://godoc.org/builtin#bool)) </div>
+Attach takes the name or ID of a container and sets up a the ability to remotely attach to its console. The start
+bool is whether you wish to start the container in question first.
### <a name="AttachControl"></a>func AttachControl
<div style="background-color: #E8E8E8; padding: 15px; margin: 10px; border-radius: 10px;">
@@ -857,6 +864,11 @@ $ varlink call -m unix:/run/podman/io.podman/io.podman.PausePod '{"name": "fooba
method PodStateData(name: [string](https://godoc.org/builtin#string)) [string](https://godoc.org/builtin#string)</div>
PodStateData returns inspectr level information of a given pod in string form. This call is for
development of Podman only and generally should not be used.
+### <a name="Ps"></a>func Ps
+<div style="background-color: #E8E8E8; padding: 15px; margin: 10px; border-radius: 10px;">
+
+method Ps(opts: [PsOpts](#PsOpts)) [PsContainer](#PsContainer)</div>
+
### <a name="PullImage"></a>func PullImage
<div style="background-color: #E8E8E8; padding: 15px; margin: 10px; border-radius: 10px;">
@@ -1749,6 +1761,82 @@ insecure_registries [[]string](#[]string)
store [InfoStore](#InfoStore)
podman [InfoPodmanBinary](#InfoPodmanBinary)
+### <a name="PsContainer"></a>type PsContainer
+
+
+
+id [string](https://godoc.org/builtin#string)
+
+image [string](https://godoc.org/builtin#string)
+
+command [string](https://godoc.org/builtin#string)
+
+created [string](https://godoc.org/builtin#string)
+
+ports [string](https://godoc.org/builtin#string)
+
+names [string](https://godoc.org/builtin#string)
+
+isInfra [bool](https://godoc.org/builtin#bool)
+
+status [string](https://godoc.org/builtin#string)
+
+state [string](https://godoc.org/builtin#string)
+
+pidNum [int](https://godoc.org/builtin#int)
+
+rootFsSize [int](https://godoc.org/builtin#int)
+
+rwSize [int](https://godoc.org/builtin#int)
+
+pod [string](https://godoc.org/builtin#string)
+
+createdAt [string](https://godoc.org/builtin#string)
+
+exitedAt [string](https://godoc.org/builtin#string)
+
+startedAt [string](https://godoc.org/builtin#string)
+
+labels [map[string]](#map[string])
+
+nsPid [string](https://godoc.org/builtin#string)
+
+cgroup [string](https://godoc.org/builtin#string)
+
+ipc [string](https://godoc.org/builtin#string)
+
+mnt [string](https://godoc.org/builtin#string)
+
+net [string](https://godoc.org/builtin#string)
+
+pidNs [string](https://godoc.org/builtin#string)
+
+user [string](https://godoc.org/builtin#string)
+
+uts [string](https://godoc.org/builtin#string)
+
+mounts [string](https://godoc.org/builtin#string)
+### <a name="PsOpts"></a>type PsOpts
+
+
+
+all [bool](https://godoc.org/builtin#bool)
+
+filters [](#)
+
+last [](#)
+
+latest [](#)
+
+noTrunc [](#)
+
+pod [](#)
+
+quiet [](#)
+
+sort [](#)
+
+sync [](#)
### <a name="Runlabel"></a>type Runlabel
Runlabel describes the required input for container runlabel
diff --git a/README.md b/README.md
index 742c6238c..73a7057ea 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@ This project tests all builds against each supported version of Fedora, the late
1. Further work on the podman pod command
1. Further improvements on rootless containers
-## [Shortcomings of Rootless Podman](https://github.com/containers/libpod/blob/master/docs/rootless.md)
+## [Shortcomings of Rootless Podman](https://github.com/containers/libpod/blob/master/rootless.md)
## Out of scope
diff --git a/cmd/podman/cliconfig/commands.go b/cmd/podman/cliconfig/commands.go
index 3361c14b8..00b66e32a 100644
--- a/cmd/podman/cliconfig/commands.go
+++ b/cmd/podman/cliconfig/commands.go
@@ -1,6 +1,8 @@
package cliconfig
-import "github.com/sirupsen/logrus"
+import (
+ "github.com/sirupsen/logrus"
+)
// GlobalIsSet is a compatibility method for urfave
func (p *PodmanCommand) GlobalIsSet(opt string) bool {
diff --git a/cmd/podman/cliconfig/config.go b/cmd/podman/cliconfig/config.go
index f7ac0de6c..2692ace36 100644
--- a/cmd/podman/cliconfig/config.go
+++ b/cmd/podman/cliconfig/config.go
@@ -88,12 +88,13 @@ type CheckpointValues struct {
type CommitValues struct {
PodmanCommand
- Change []string
- Format string
- Message string
- Author string
- Pause bool
- Quiet bool
+ Change []string
+ Format string
+ Message string
+ Author string
+ Pause bool
+ Quiet bool
+ IncludeVolumes bool
}
type ContainersPrune struct {
diff --git a/cmd/podman/commit.go b/cmd/podman/commit.go
index f7e206856..0077ff297 100644
--- a/cmd/podman/commit.go
+++ b/cmd/podman/commit.go
@@ -2,19 +2,19 @@ package main
import (
"fmt"
- "github.com/containers/libpod/cmd/podman/cliconfig"
- "github.com/spf13/cobra"
"io"
"os"
"strings"
"github.com/containers/buildah"
"github.com/containers/image/manifest"
+ "github.com/containers/libpod/cmd/podman/cliconfig"
"github.com/containers/libpod/cmd/podman/libpodruntime"
"github.com/containers/libpod/libpod"
"github.com/containers/libpod/libpod/image"
"github.com/containers/libpod/pkg/util"
"github.com/pkg/errors"
+ "github.com/spf13/cobra"
)
var (
@@ -47,7 +47,7 @@ func init() {
flags.StringVarP(&commitCommand.Author, "author", "a", "", "Set the author for the image committed")
flags.BoolVarP(&commitCommand.Pause, "pause", "p", false, "Pause container during commit")
flags.BoolVarP(&commitCommand.Quiet, "quiet", "q", false, "Suppress output")
-
+ flags.BoolVar(&commitCommand.IncludeVolumes, "include-volumes", false, "Include container volumes as image volumes")
}
func commitCmd(c *cliconfig.CommitValues) error {
@@ -109,11 +109,12 @@ func commitCmd(c *cliconfig.CommitValues) error {
PreferredManifestType: mimeType,
}
options := libpod.ContainerCommitOptions{
- CommitOptions: coptions,
- Pause: c.Pause,
- Message: c.Message,
- Changes: c.Change,
- Author: c.Author,
+ CommitOptions: coptions,
+ Pause: c.Pause,
+ IncludeVolumes: c.IncludeVolumes,
+ Message: c.Message,
+ Changes: c.Change,
+ Author: c.Author,
}
newImage, err := ctr.Commit(getContext(), reference, options)
if err != nil {
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index 1af3920dd..3267e5b7b 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -66,7 +66,7 @@ func createCmd(c *cliconfig.CreateValues) error {
}
func createInit(c *cliconfig.PodmanCommand) error {
- if c.Bool("trace") {
+ if !remote && c.Bool("trace") {
span, _ := opentracing.StartSpanFromContext(Ctx, "createInit")
defer span.Finish()
}
diff --git a/cmd/podman/imagefilters/filters.go b/cmd/podman/imagefilters/filters.go
index 2932d61c0..aa5776599 100644
--- a/cmd/podman/imagefilters/filters.go
+++ b/cmd/podman/imagefilters/filters.go
@@ -37,9 +37,12 @@ func CreatedAfterFilter(createTime time.Time) ResultFilter {
}
// DanglingFilter allows you to filter images for dangling images
-func DanglingFilter() ResultFilter {
+func DanglingFilter(danglingImages bool) ResultFilter {
return func(i *adapter.ContainerImage) bool {
- return i.Dangling()
+ if danglingImages {
+ return i.Dangling()
+ }
+ return !i.Dangling()
}
}
diff --git a/cmd/podman/images.go b/cmd/podman/images.go
index 6133450be..c38d7035d 100644
--- a/cmd/podman/images.go
+++ b/cmd/podman/images.go
@@ -5,6 +5,7 @@ import (
"fmt"
"reflect"
"sort"
+ "strconv"
"strings"
"time"
"unicode"
@@ -318,13 +319,14 @@ func getImagesJSONOutput(ctx context.Context, images []*adapter.ContainerImage)
func generateImagesOutput(ctx context.Context, images []*adapter.ContainerImage, opts imagesOptions) error {
templateMap := GenImageOutputMap()
- if len(images) == 0 {
- return nil
- }
var out formats.Writer
switch opts.format {
case formats.JSONString:
+ // If 0 images are present, print nothing for JSON
+ if len(images) == 0 {
+ return nil
+ }
imagesOutput := getImagesJSONOutput(ctx, images)
out = formats.JSONStructArray{Output: imagesToGeneric([]imagesTemplateParams{}, imagesOutput)}
default:
@@ -359,6 +361,9 @@ func CreateFilterFuncs(ctx context.Context, r *adapter.LocalRuntime, filters []s
var filterFuncs []imagefilters.ResultFilter
for _, filter := range filters {
splitFilter := strings.Split(filter, "=")
+ if len(splitFilter) != 2 {
+ return nil, errors.Errorf("invalid filter syntax %s", filter)
+ }
switch splitFilter[0] {
case "before":
before, err := r.NewImageFromLocal(splitFilter[1])
@@ -373,7 +378,11 @@ func CreateFilterFuncs(ctx context.Context, r *adapter.LocalRuntime, filters []s
}
filterFuncs = append(filterFuncs, imagefilters.CreatedAfterFilter(after.Created()))
case "dangling":
- filterFuncs = append(filterFuncs, imagefilters.DanglingFilter())
+ danglingImages, err := strconv.ParseBool(splitFilter[1])
+ if err != nil {
+ return nil, errors.Wrapf(err, "invalid filter dangling=%s", splitFilter[1])
+ }
+ filterFuncs = append(filterFuncs, imagefilters.DanglingFilter(danglingImages))
case "label":
labelFilter := strings.Join(splitFilter[1:], "=")
filterFuncs = append(filterFuncs, imagefilters.LabelFilter(ctx, labelFilter))
diff --git a/cmd/podman/run.go b/cmd/podman/run.go
index bac5c3c18..d3158de6b 100644
--- a/cmd/podman/run.go
+++ b/cmd/podman/run.go
@@ -38,7 +38,7 @@ func init() {
}
func runCmd(c *cliconfig.RunValues) error {
- if c.Bool("trace") {
+ if !remote && c.Bool("trace") {
span, _ := opentracing.StartSpanFromContext(Ctx, "runCmd")
defer span.Finish()
}
diff --git a/cmd/podman/run_test.go b/cmd/podman/run_test.go
index 27b34c323..af9e6923c 100644
--- a/cmd/podman/run_test.go
+++ b/cmd/podman/run_test.go
@@ -83,7 +83,7 @@ func getRuntimeSpec(c *cliconfig.PodmanCommand) (*spec.Spec, error) {
createConfig, err := parseCreateOpts(c, runtime, "alpine", generateAlpineImageData())
*/
ctx := getContext()
- genericResults := shared.NewIntermediateLayer(c)
+ genericResults := shared.NewIntermediateLayer(c, false)
createConfig, err := shared.ParseCreateOpts(ctx, &genericResults, nil, "alpine", generateAlpineImageData())
if err != nil {
return nil, err
diff --git a/cmd/podman/shared/intermediate.go b/cmd/podman/shared/intermediate.go
index 9afbd68c8..2e1827561 100644
--- a/cmd/podman/shared/intermediate.go
+++ b/cmd/podman/shared/intermediate.go
@@ -360,7 +360,7 @@ func newCRStringArray(c *cliconfig.PodmanCommand, flag string) CRStringArray {
}
// NewIntermediateLayer creates a GenericCLIResults from a create or run cli-command
-func NewIntermediateLayer(c *cliconfig.PodmanCommand) GenericCLIResults {
+func NewIntermediateLayer(c *cliconfig.PodmanCommand, remote bool) GenericCLIResults {
m := make(map[string]GenericCLIResult)
m["add-host"] = newCRStringSlice(c, "add-host")
@@ -458,8 +458,10 @@ func NewIntermediateLayer(c *cliconfig.PodmanCommand) GenericCLIResults {
m["volumes-from"] = newCRStringSlice(c, "volumes-from")
m["workdir"] = newCRString(c, "workdir")
// global flag
- m["trace"] = newCRBool(c, "trace")
- m["syslog"] = newCRBool(c, "syslog")
+ if !remote {
+ m["trace"] = newCRBool(c, "trace")
+ m["syslog"] = newCRBool(c, "syslog")
+ }
return GenericCLIResults{m, c.InputArgs}
}
diff --git a/cmd/podman/varlink/io.podman.varlink b/cmd/podman/varlink/io.podman.varlink
index ae830f3e6..c6997cd3f 100644
--- a/cmd/podman/varlink/io.podman.varlink
+++ b/cmd/podman/varlink/io.podman.varlink
@@ -658,7 +658,9 @@ method PauseContainer(name: string) -> (container: string)
# See also [PauseContainer](#PauseContainer).
method UnpauseContainer(name: string) -> (container: string)
-method Attach(name: string) -> ()
+# Attach takes the name or ID of a container and sets up a the ability to remotely attach to its console. The start
+# bool is whether you wish to start the container in question first.
+method Attach(name: string, detachKeys: string, start: bool) -> ()
method AttachControl(name: string) -> ()
diff --git a/commands.md b/commands.md
index 156a1cdf6..1c05640f2 100644
--- a/commands.md
+++ b/commands.md
@@ -4,8 +4,8 @@
## Podman Commands
-Command | Description | Demo
-:----------------------------------------------------------------------- | :------------------------------------------------------------------------- | :--------------------------------------------------------------------------
+Command | Description | Demo | Script
+:----------------------------------------------------------------------- | :------------------------------------------------------------------------- | :-------------------------------------------------------------------------- | :--------------------------------------------------------------------------
[podman(1)](/docs/podman.1.md) | Simple management tool for pods and images |
[podman-attach(1)](/docs/podman-attach.1.md) | Attach to a running container |
[podman-build(1)](/docs/podman-build.1.md) | Build an image using instructions from Dockerfiles |
@@ -31,7 +31,7 @@ Command | Descr
[podman-image-prune(1)](/docs/podman-image-prune.1.md) | Remove all unused images |
[podman-image-sign(1)](/docs/podman-image-sign.1.md) | Create a signature for an image |
[podman-image-trust(1)](/docs/podman-image-trust.1.md) | Manage container registry image trust policy |
-[podman-images(1)](/docs/podman-images.1.md) | List images in local storage | [![...](/docs/play.png)](https://asciinema.org/a/133649)
+[podman-images(1)](/docs/podman-images.1.md) | List images in local storage | [![...](/docs/play.png)](https://podman.io/asciinema/podman/images/) | [Here](https://github.com/containers/Demos/blob/master/podman_cli/podman_images.sh)
[podman-import(1)](/docs/podman-import.1.md) | Import a tarball and save it as a filesystem image |
[podman-info(1)](/docs/podman-info.1.md) | Display system information |
[podman-inspect(1)](/docs/podman-inspect.1.md) | Display the configuration of a container or image | [![...](/docs/play.png)](https://asciinema.org/a/133418)
diff --git a/docs/podman-commit.1.md b/docs/podman-commit.1.md
index acde51859..7c74d7a33 100644
--- a/docs/podman-commit.1.md
+++ b/docs/podman-commit.1.md
@@ -39,6 +39,10 @@ not specifically set, the default format used is _oci_.
Write the image ID to the file.
+**--include-volumes**
+
+Include in the committed image any volumes added to the container by the `--volume` or `--mount` options to the `podman create` and `podman run` commands.
+
**--message, -m**
Set commit message for committed image. The message field is not supported in _oci_ format.
diff --git a/install.md b/install.md
index 5fe150db2..80ae03208 100644
--- a/install.md
+++ b/install.md
@@ -57,6 +57,7 @@ sudo yum module install -y container-tools:1.0
sudo apt-get update -qq
sudo apt-get install -qq -y software-properties-common
sudo add-apt-repository -y ppa:projectatomic/ppa
+sudo apt-get update -qq
sudo apt-get -qq -y install podman
```
diff --git a/libpod/container_commit.go b/libpod/container_commit.go
index 0604a550b..db67f7a30 100644
--- a/libpod/container_commit.go
+++ b/libpod/container_commit.go
@@ -20,10 +20,11 @@ import (
//libpod
type ContainerCommitOptions struct {
buildah.CommitOptions
- Pause bool
- Author string
- Message string
- Changes []string
+ Pause bool
+ IncludeVolumes bool
+ Author string
+ Message string
+ Changes []string
}
// ChangeCmds is the list of valid Changes commands to passed to the Commit call
@@ -113,9 +114,11 @@ func (c *Container) Commit(ctx context.Context, destImage string, options Contai
// User
importBuilder.SetUser(c.User())
// Volumes
- for _, v := range c.config.UserVolumes {
- if v != "" {
- importBuilder.AddVolume(v)
+ if options.IncludeVolumes {
+ for _, v := range c.config.UserVolumes {
+ if v != "" {
+ importBuilder.AddVolume(v)
+ }
}
}
// Workdir
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 1d371966b..aa6448f4a 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -350,7 +350,7 @@ func (c *Container) teardownStorage() error {
artifacts := filepath.Join(c.config.StaticDir, artifactsDir)
if err := os.RemoveAll(artifacts); err != nil {
- return errors.Wrapf(err, "error removing artifacts %q", artifacts)
+ return errors.Wrapf(err, "error removing container %s artifacts %q", c.ID(), artifacts)
}
if err := c.cleanupStorage(); err != nil {
@@ -1113,13 +1113,13 @@ func (c *Container) cleanup(ctx context.Context) error {
// Remove healthcheck unit/timer file if it execs
if c.config.HealthCheckConfig != nil {
if err := c.removeTimer(); err != nil {
- logrus.Error(err)
+ logrus.Errorf("Error removing timer for container %s healthcheck: %v", c.ID(), err)
}
}
// Clean up network namespace, if present
if err := c.cleanupNetwork(); err != nil {
- lastError = err
+ lastError = errors.Wrapf(err, "error removing container %s network", c.ID())
}
// Unmount storage
@@ -1127,7 +1127,7 @@ func (c *Container) cleanup(ctx context.Context) error {
if lastError != nil {
logrus.Errorf("Error unmounting container %s storage: %v", c.ID(), err)
} else {
- lastError = err
+ lastError = errors.Wrapf(err, "error unmounting container %s storage", c.ID())
}
}
diff --git a/libpod/oci_linux.go b/libpod/oci_linux.go
index 8c0abad80..01f7c3649 100644
--- a/libpod/oci_linux.go
+++ b/libpod/oci_linux.go
@@ -3,15 +3,20 @@
package libpod
import (
+ "fmt"
"os"
"os/exec"
"path/filepath"
+ "runtime"
"strings"
"syscall"
"github.com/containerd/cgroups"
+ "github.com/containers/libpod/pkg/rootless"
"github.com/containers/libpod/utils"
+ pmount "github.com/containers/storage/pkg/mount"
spec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/pkg/errors"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)
@@ -91,6 +96,54 @@ func (r *OCIRuntime) createContainer(ctr *Container, cgroupParent string, restor
return err
}
}
+
+ // if we are running a non privileged container, be sure to umount some kernel paths so they are not
+ // bind mounted inside the container at all.
+ if !ctr.config.Privileged && !rootless.IsRootless() {
+ ch := make(chan error)
+ go func() {
+ runtime.LockOSThread()
+ err := func() error {
+ fd, err := os.Open(fmt.Sprintf("/proc/%d/task/%d/ns/mnt", os.Getpid(), unix.Gettid()))
+ if err != nil {
+ return err
+ }
+ defer fd.Close()
+
+ // create a new mountns on the current thread
+ if err = unix.Unshare(unix.CLONE_NEWNS); err != nil {
+ return err
+ }
+ defer unix.Setns(int(fd.Fd()), unix.CLONE_NEWNS)
+
+ // don't spread our mounts around. We are setting only /sys to be slave
+ // so that the cleanup process is still able to umount the storage and the
+ // changes are propagated to the host.
+ err = unix.Mount("/sys", "/sys", "none", unix.MS_REC|unix.MS_SLAVE, "")
+ if err != nil {
+ return errors.Wrapf(err, "cannot make /sys slave")
+ }
+
+ mounts, err := pmount.GetMounts()
+ if err != nil {
+ return err
+ }
+ for _, m := range mounts {
+ if !strings.HasPrefix(m.Mountpoint, "/sys/kernel") {
+ continue
+ }
+ err = unix.Unmount(m.Mountpoint, 0)
+ if err != nil {
+ return errors.Wrapf(err, "cannot unmount %s", m.Mountpoint)
+ }
+ }
+ return r.createOCIContainer(ctr, cgroupParent, restoreOptions)
+ }()
+ ch <- err
+ }()
+ err := <-ch
+ return err
+ }
}
return r.createOCIContainer(ctr, cgroupParent, restoreOptions)
}
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index 704dce492..48c254c0f 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -372,7 +372,7 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool,
// Clean up network namespace, cgroups, mounts
if err := c.cleanup(ctx); err != nil {
if cleanupErr == nil {
- cleanupErr = err
+ cleanupErr = errors.Wrapf(err, "error cleaning up container %s", c.ID())
} else {
logrus.Errorf("cleanup network, cgroups, mounts: %v", err)
}
@@ -404,12 +404,14 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool,
// Deallocate the container's lock
if err := c.lock.Free(); err != nil {
if cleanupErr == nil {
- cleanupErr = err
+ cleanupErr = errors.Wrapf(err, "error freeing lock for container %s", c.ID())
} else {
logrus.Errorf("free container lock: %v", err)
}
}
+ c.newContainerEvent(events.Remove)
+
if !removeVolume {
return cleanupErr
}
@@ -425,7 +427,6 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool,
}
}
- c.newContainerEvent(events.Remove)
return cleanupErr
}
diff --git a/pkg/adapter/containers.go b/pkg/adapter/containers.go
index a9b3232e7..d4e8e30d9 100644
--- a/pkg/adapter/containers.go
+++ b/pkg/adapter/containers.go
@@ -255,14 +255,14 @@ func (r *LocalRuntime) Log(c *cliconfig.LogsValues, options *libpod.LogOptions)
// CreateContainer creates a libpod container
func (r *LocalRuntime) CreateContainer(ctx context.Context, c *cliconfig.CreateValues) (string, error) {
- results := shared.NewIntermediateLayer(&c.PodmanCommand)
+ results := shared.NewIntermediateLayer(&c.PodmanCommand, false)
ctr, _, err := shared.CreateContainer(ctx, &results, r.Runtime)
return ctr.ID(), err
}
// Run a libpod container
func (r *LocalRuntime) Run(ctx context.Context, c *cliconfig.RunValues, exitCode int) (int, error) {
- results := shared.NewIntermediateLayer(&c.PodmanCommand)
+ results := shared.NewIntermediateLayer(&c.PodmanCommand, false)
ctr, createConfig, err := shared.CreateContainer(ctx, &results, r.Runtime)
if err != nil {
diff --git a/pkg/adapter/containers_remote.go b/pkg/adapter/containers_remote.go
index 1ae39749f..9ca823760 100644
--- a/pkg/adapter/containers_remote.go
+++ b/pkg/adapter/containers_remote.go
@@ -331,7 +331,7 @@ func (r *LocalRuntime) CreateContainer(ctx context.Context, c *cliconfig.CreateV
// TODO need to add attach when that function becomes available
return "", errors.New("the remote client only supports detached containers")
}
- results := shared.NewIntermediateLayer(&c.PodmanCommand)
+ results := shared.NewIntermediateLayer(&c.PodmanCommand, true)
return iopodman.CreateContainer().Call(r.Conn, results.MakeVarlink())
}
@@ -344,23 +344,21 @@ func (r *LocalRuntime) Run(ctx context.Context, c *cliconfig.RunValues, exitCode
// being run.
// TODO the exit codes for run need to be figured out for remote connections
- results := shared.NewIntermediateLayer(&c.PodmanCommand)
+ results := shared.NewIntermediateLayer(&c.PodmanCommand, true)
cid, err := iopodman.CreateContainer().Call(r.Conn, results.MakeVarlink())
if err != nil {
return 0, err
}
- _, err = iopodman.StartContainer().Call(r.Conn, cid)
- if err != nil {
+ if c.Bool("detach") {
+ _, err := iopodman.StartContainer().Call(r.Conn, cid)
+ fmt.Println(cid)
return 0, err
}
- errChan, err := r.attach(ctx, os.Stdin, os.Stdout, cid)
+
+ errChan, err := r.attach(ctx, os.Stdin, os.Stdout, cid, true)
if err != nil {
return 0, err
}
- if c.Bool("detach") {
- fmt.Println(cid)
- return 0, err
- }
finalError := <-errChan
return 0, finalError
}
@@ -441,7 +439,7 @@ func (r *LocalRuntime) Ps(c *cliconfig.PsValues, opts shared.PsOptions) ([]share
return psContainers, nil
}
-func (r *LocalRuntime) attach(ctx context.Context, stdin, stdout *os.File, cid string) (chan error, error) {
+func (r *LocalRuntime) attach(ctx context.Context, stdin, stdout *os.File, cid string, start bool) (chan error, error) {
var (
oldTermState *term.State
)
@@ -471,8 +469,8 @@ func (r *LocalRuntime) attach(ctx context.Context, stdin, stdout *os.File, cid s
term.SetRawTerminal(os.Stdin.Fd())
}
-
- _, err = iopodman.Attach().Send(r.Conn, varlink.Upgrade, cid)
+ // TODO add detach keys support
+ _, err = iopodman.Attach().Send(r.Conn, varlink.Upgrade, cid, "", start)
if err != nil {
restoreTerminal(oldTermState)
return nil, err
@@ -533,7 +531,7 @@ func (r *LocalRuntime) Attach(ctx context.Context, c *cliconfig.AttachValues) er
if c.NoStdin {
inputStream = nil
}
- errChan, err := r.attach(ctx, inputStream, os.Stdout, c.InputArgs[0])
+ errChan, err := r.attach(ctx, inputStream, os.Stdout, c.InputArgs[0], false)
if err != nil {
return err
}
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 9b6bd089e..0371b6d4d 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -132,6 +132,9 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
Options: []string{"rprivate", "nosuid", "noexec", "nodev", r, "rbind"},
}
g.AddMount(sysMnt)
+ if !config.Privileged && isRootless {
+ g.AddLinuxMaskedPaths("/sys/kernel")
+ }
}
if isRootless {
nGids, err := getAvailableGids()
diff --git a/pkg/varlinkapi/attach.go b/pkg/varlinkapi/attach.go
index 53c4d1ff6..9e2a265be 100644
--- a/pkg/varlinkapi/attach.go
+++ b/pkg/varlinkapi/attach.go
@@ -3,29 +3,17 @@
package varlinkapi
import (
+ "bufio"
"io"
"github.com/containers/libpod/cmd/podman/varlink"
"github.com/containers/libpod/libpod"
"github.com/containers/libpod/pkg/varlinkapi/virtwriter"
+ "github.com/sirupsen/logrus"
"k8s.io/client-go/tools/remotecommand"
)
-// Close is method to close the writer
-
-// Attach ...
-func (i *LibpodAPI) Attach(call iopodman.VarlinkCall, name string) error {
- var finalErr error
- resize := make(chan remotecommand.TerminalSize)
- errChan := make(chan error)
-
- if !call.WantsUpgrade() {
- return call.ReplyErrorOccurred("client must use upgraded connection to attach")
- }
- ctr, err := i.Runtime.LookupContainer(name)
- if err != nil {
- return call.ReplyErrorOccurred(err.Error())
- }
+func setupStreams(call iopodman.VarlinkCall) (*bufio.Reader, *bufio.Writer, *io.PipeReader, *io.PipeWriter, *libpod.AttachStreams) {
// These are the varlink sockets
reader := call.Call.Reader
@@ -49,6 +37,24 @@ func (i *LibpodAPI) Attach(call iopodman.VarlinkCall, name string) error {
// Runc eats the error stream
AttachError: true,
}
+ return reader, writer, pr, pw, &streams
+}
+
+// Attach connects to a containers console
+func (i *LibpodAPI) Attach(call iopodman.VarlinkCall, name string, detachKeys string, start bool) error {
+ var finalErr error
+ resize := make(chan remotecommand.TerminalSize)
+ errChan := make(chan error)
+
+ if !call.WantsUpgrade() {
+ return call.ReplyErrorOccurred("client must use upgraded connection to attach")
+ }
+ ctr, err := i.Runtime.LookupContainer(name)
+ if err != nil {
+ return call.ReplyErrorOccurred(err.Error())
+ }
+
+ reader, writer, _, pw, streams := setupStreams(call)
go func() {
if err := virtwriter.Reader(reader, nil, nil, pw, resize); err != nil {
@@ -56,20 +62,42 @@ func (i *LibpodAPI) Attach(call iopodman.VarlinkCall, name string) error {
}
}()
+ if start {
+ finalErr = startAndAttach(ctr, streams, detachKeys, resize, errChan)
+ } else {
+ finalErr = attach(ctr, streams, detachKeys, resize, errChan)
+ }
+
+ if finalErr != libpod.ErrDetach && finalErr != nil {
+ logrus.Error(finalErr)
+ }
+ quitWriter := virtwriter.NewVirtWriteCloser(writer, virtwriter.Quit)
+ _, err = quitWriter.Write([]byte("HANG-UP"))
+ // TODO error handling is not quite right here yet
+ return call.Writer.Flush()
+}
+
+func attach(ctr *libpod.Container, streams *libpod.AttachStreams, detachKeys string, resize chan remotecommand.TerminalSize, errChan chan error) error {
go func() {
- // TODO allow for customizable detach keys
- if err := ctr.Attach(&streams, "", resize); err != nil {
+ if err := ctr.Attach(streams, detachKeys, resize); err != nil {
errChan <- err
}
}()
+ attachError := <-errChan
+ return attachError
+}
+func startAndAttach(ctr *libpod.Container, streams *libpod.AttachStreams, detachKeys string, resize chan remotecommand.TerminalSize, errChan chan error) error {
+ var finalErr error
+ attachChan, err := ctr.StartAndAttach(getContext(), streams, detachKeys, resize, false)
+ if err != nil {
+ return err
+ }
select {
- // Blocking on an error
- case finalErr = <-errChan:
- // Need to close up shop
- _ = finalErr
+ case attachChanErr := <-attachChan:
+ finalErr = attachChanErr
+ case chanError := <-errChan:
+ finalErr = chanError
}
- quitWriter := virtwriter.NewVirtWriteCloser(writer, virtwriter.Quit)
- _, err = quitWriter.Write([]byte("HANG-UP"))
- return call.Writer.Flush()
+ return finalErr
}
diff --git a/test/e2e/commit_test.go b/test/e2e/commit_test.go
index fe4ae64cf..93e1ea7af 100644
--- a/test/e2e/commit_test.go
+++ b/test/e2e/commit_test.go
@@ -131,7 +131,7 @@ var _ = Describe("Podman commit", func() {
Expect(check.ExitCode()).To(Equal(0))
})
- It("podman commit with volume mounts", func() {
+ It("podman commit with volumes mounts and no include-volumes", func() {
s := podmanTest.Podman([]string{"run", "--name", "test1", "-v", "/tmp:/foo", "alpine", "date"})
s.WaitWithDefaultTimeout()
Expect(s.ExitCode()).To(Equal(0))
@@ -145,6 +145,23 @@ var _ = Describe("Podman commit", func() {
Expect(inspect.ExitCode()).To(Equal(0))
image := inspect.InspectImageJSON()
_, ok := image[0].Config.Volumes["/foo"]
+ Expect(ok).To(BeFalse())
+ })
+
+ It("podman commit with volume mounts and --include-volumes", func() {
+ s := podmanTest.Podman([]string{"run", "--name", "test1", "-v", "/tmp:/foo", "alpine", "date"})
+ s.WaitWithDefaultTimeout()
+ Expect(s.ExitCode()).To(Equal(0))
+
+ c := podmanTest.Podman([]string{"commit", "--include-volumes", "test1", "newimage"})
+ c.WaitWithDefaultTimeout()
+ Expect(c.ExitCode()).To(Equal(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", "newimage"})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.ExitCode()).To(Equal(0))
+ image := inspect.InspectImageJSON()
+ _, ok := image[0].Config.Volumes["/foo"]
Expect(ok).To(BeTrue())
r := podmanTest.Podman([]string{"run", "newimage"})
diff --git a/test/e2e/images_test.go b/test/e2e/images_test.go
index a253dff63..48a964db4 100644
--- a/test/e2e/images_test.go
+++ b/test/e2e/images_test.go
@@ -43,6 +43,17 @@ var _ = Describe("Podman images", func() {
Expect(session.LineInOuputStartsWith("docker.io/library/busybox")).To(BeTrue())
})
+ It("podman images with no images prints header", func() {
+ rmi := podmanTest.Podman([]string{"rmi", "-a"})
+ rmi.WaitWithDefaultTimeout()
+ Expect(rmi.ExitCode()).To(Equal(0))
+
+ session := podmanTest.Podman([]string{"images"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(len(session.OutputToStringArray())).To(Equal(1))
+ })
+
It("podman image List", func() {
session := podmanTest.Podman([]string{"image", "list"})
session.WaitWithDefaultTimeout()
diff --git a/test/e2e/prune_test.go b/test/e2e/prune_test.go
index 869ca3289..682f7ff2b 100644
--- a/test/e2e/prune_test.go
+++ b/test/e2e/prune_test.go
@@ -82,7 +82,7 @@ var _ = Describe("Podman rm", func() {
prune.WaitWithDefaultTimeout()
Expect(prune.ExitCode()).To(Equal(0))
- images := podmanTest.Podman([]string{"images", "-a"})
+ images := podmanTest.Podman([]string{"images", "-aq"})
images.WaitWithDefaultTimeout()
// all images are unused, so they all should be deleted!
Expect(len(images.OutputToStringArray())).To(Equal(0))
@@ -95,7 +95,7 @@ var _ = Describe("Podman rm", func() {
prune.WaitWithDefaultTimeout()
Expect(prune.ExitCode()).To(Equal(0))
- images := podmanTest.Podman([]string{"images", "-a"})
+ images := podmanTest.Podman([]string{"images", "-aq"})
images.WaitWithDefaultTimeout()
// all images are unused, so they all should be deleted!
Expect(len(images.OutputToStringArray())).To(Equal(0))
diff --git a/test/e2e/rmi_test.go b/test/e2e/rmi_test.go
index 78d175637..e034f24cf 100644
--- a/test/e2e/rmi_test.go
+++ b/test/e2e/rmi_test.go
@@ -270,7 +270,7 @@ RUN find $LOCAL
fmt.Println(session.OutputToString())
Expect(session.ExitCode()).To(Equal(0))
- images := podmanTest.Podman([]string{"images", "--all"})
+ images := podmanTest.Podman([]string{"images", "-aq"})
images.WaitWithDefaultTimeout()
Expect(images.ExitCode()).To(Equal(0))
Expect(len(images.OutputToStringArray())).To(Equal(0))
diff --git a/test/system/005-info.bats b/test/system/005-info.bats
index 7dcc78838..c64b011bd 100644
--- a/test/system/005-info.bats
+++ b/test/system/005-info.bats
@@ -3,6 +3,8 @@
load helpers
@test "podman info - basic test" {
+ skip_if_remote
+
run_podman info
expected_keys="
@@ -26,6 +28,8 @@ RunRoot:
}
@test "podman info - json" {
+ skip_if_remote
+
run_podman info --format=json
expr_nvr="[a-z0-9-]\\\+-[a-z0-9.]\\\+-[a-z0-9]\\\+\."
diff --git a/test/system/010-images.bats b/test/system/010-images.bats
index 1c9577e34..380623078 100644
--- a/test/system/010-images.bats
+++ b/test/system/010-images.bats
@@ -25,11 +25,12 @@ load helpers
@test "podman images - json" {
+ # 'created': podman includes fractional seconds, podman-remote does not
tests="
names[0] | $PODMAN_TEST_IMAGE_FQN
id | [0-9a-f]\\\{64\\\}
digest | sha256:[0-9a-f]\\\{64\\\}
-created | [0-9-]\\\+T[0-9:]\\\+\\\.[0-9]\\\+Z
+created | [0-9-]\\\+T[0-9:.]\\\+Z
size | [0-9]\\\+
"
diff --git a/test/system/015-help.bats b/test/system/015-help.bats
index 8e07b8822..a987f04bc 100644
--- a/test/system/015-help.bats
+++ b/test/system/015-help.bats
@@ -87,6 +87,8 @@ function check_help() {
@test "podman help - basic tests" {
+ skip_if_remote
+
# Called with no args -- start with 'podman --help'. check_help() will
# recurse for any subcommands.
check_help
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 8ae68f33d..bdbe724ef 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -3,6 +3,8 @@
load helpers
@test "podman run - basic tests" {
+ skip_if_remote
+
rand=$(random_string 30)
tests="
true | 0 |
@@ -31,4 +33,16 @@ echo $rand | 0 | $rand
done < <(parse_table "$tests")
}
+@test "podman run - uidmapping has no /sys/kernel mounts" {
+ skip_if_rootless "cannot umount as rootless"
+
+ run_podman run --rm --uidmap 0:100:10000 $IMAGE mount
+ run grep /sys/kernel <(echo "$output")
+ is "$output" "" "unwanted /sys/kernel in 'mount' output"
+
+ run_podman run --rm --net host --uidmap 0:100:10000 $IMAGE mount
+ run grep /sys/kernel <(echo "$output")
+ is "$output" "" "unwanted /sys/kernel in 'mount' output (with --net=host)"
+}
+
# vim: filetype=sh
diff --git a/test/system/035-logs.bats b/test/system/035-logs.bats
index 055865c8d..5736e0939 100644
--- a/test/system/035-logs.bats
+++ b/test/system/035-logs.bats
@@ -6,6 +6,8 @@
load helpers
@test "podman logs - basic test" {
+ skip_if_remote
+
rand_string=$(random_string 40)
run_podman create $IMAGE echo $rand_string
diff --git a/test/system/060-mount.bats b/test/system/060-mount.bats
index e249b2883..7570f3ac4 100644
--- a/test/system/060-mount.bats
+++ b/test/system/060-mount.bats
@@ -6,6 +6,7 @@ load helpers
@test "podman mount - basic test" {
# Only works with root (FIXME: does it work with rootless + vfs?)
skip_if_rootless "mount does not work rootless"
+ skip_if_remote
f_path=/tmp/tmpfile_$(random_string 8)
f_content=$(random_string 30)
diff --git a/test/system/070-build.bats b/test/system/070-build.bats
index 25eb36c58..c6a25093f 100644
--- a/test/system/070-build.bats
+++ b/test/system/070-build.bats
@@ -6,6 +6,8 @@
load helpers
@test "podman build - basic test" {
+ skip_if_remote
+
rand_filename=$(random_string 20)
rand_content=$(random_string 50)
diff --git a/test/system/075-exec.bats b/test/system/075-exec.bats
index a12d28b32..11cb98269 100644
--- a/test/system/075-exec.bats
+++ b/test/system/075-exec.bats
@@ -6,6 +6,8 @@
load helpers
@test "podman exec - basic test" {
+ skip_if_remote
+
rand_filename=$(random_string 20)
rand_content=$(random_string 50)
diff --git a/test/system/110-history.bats b/test/system/110-history.bats
index 84a1e42b4..5dc221d61 100644
--- a/test/system/110-history.bats
+++ b/test/system/110-history.bats
@@ -24,7 +24,7 @@ load helpers
@test "podman history - json" {
tests="
id | [0-9a-f]\\\{64\\\}
-created | [0-9-]\\\+T[0-9:]\\\+\\\.[0-9]\\\+Z
+created | [0-9-]\\\+T[0-9:.]\\\+Z
size | -\\\?[0-9]\\\+
"
diff --git a/test/system/400-unprivileged-access.bats b/test/system/400-unprivileged-access.bats
index c195d71eb..0358b3beb 100644
--- a/test/system/400-unprivileged-access.bats
+++ b/test/system/400-unprivileged-access.bats
@@ -7,6 +7,7 @@ load helpers
@test "podman container storage is not accessible by unprivileged users" {
skip_if_rootless "test meaningless without suid"
+ skip_if_remote
run_podman run --name c_uidmap --uidmap 0:10000:10000 $IMAGE true
run_podman run --name c_uidmap_v --uidmap 0:10000:10000 -v foo:/foo $IMAGE true
diff --git a/test/system/helpers.bash b/test/system/helpers.bash
index 431228498..29ef19ecc 100644
--- a/test/system/helpers.bash
+++ b/test/system/helpers.bash
@@ -225,6 +225,16 @@ function skip_if_rootless() {
skip "${1:-not applicable under rootless podman}"
}
+####################
+# skip_if_remote # ...with an optional message
+####################
+function skip_if_remote() {
+ if [[ ! "$PODMAN" =~ -remote ]]; then
+ return
+ fi
+
+ skip "${1:-test does not work with podman-remote}"
+}
#########
# die # Abort with helpful message