-rw-r--r--.cirrus.yml2
-rwxr-xr-xcontrib/cirrus/check_image.sh3
-rw-r--r--contrib/cirrus/container_test.sh2
-rwxr-xr-xcontrib/cirrus/integration_test.sh2
-rwxr-xr-xcontrib/cirrus/networking.sh2
-rw-r--r--contrib/cirrus/packer/README.how-to-update-cirrus-vms89
-rw-r--r--contrib/cirrus/packer/fedora_packaging.sh9
-rwxr-xr-xcontrib/cirrus/rootless_test.sh4
-rwxr-xr-xcontrib/cirrus/setup_environment.sh3
-rw-r--r--contrib/cirrus/timestamp.awk4
-rw-r--r--libpod/common_test.go62
-rw-r--r--libpod/container.go231
-rw-r--r--libpod/container_config.go256
-rw-r--r--libpod/container_internal_linux_test.go4
-rw-r--r--libpod/container_internal_test.go4
-rw-r--r--transfer.md7
16 files changed, 412 insertions, 272 deletions
diff --git a/.cirrus.yml b/.cirrus.yml
index 37c9108eb..fce9d2ac3 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -39,7 +39,7 @@ env:
UBUNTU_NAME: "ubuntu-20"
PRIOR_UBUNTU_NAME: "ubuntu-19"
- _BUILT_IMAGE_SUFFIX: "podman-5869602141896704"
+ _BUILT_IMAGE_SUFFIX: "podman-6439450735542272"
FEDORA_CACHE_IMAGE_NAME: "${FEDORA_NAME}-${_BUILT_IMAGE_SUFFIX}"
PRIOR_FEDORA_CACHE_IMAGE_NAME: "${PRIOR_FEDORA_NAME}-${_BUILT_IMAGE_SUFFIX}"
UBUNTU_CACHE_IMAGE_NAME: "${UBUNTU_NAME}-${_BUILT_IMAGE_SUFFIX}"
diff --git a/contrib/cirrus/check_image.sh b/contrib/cirrus/check_image.sh
index 0d33e55bf..39c2be3f8 100755
--- a/contrib/cirrus/check_image.sh
+++ b/contrib/cirrus/check_image.sh
@@ -25,9 +25,6 @@ item_test 'Minimum available memory' $MEM_FREE -ge $MIN_MEM_MB || let "NFAILS+=1
remove_packaged_podman_files
item_test "remove_packaged_podman_files() does it's job" -z "$(type -P podman)" || let "NFAILS+=1"
-# Integration Tests require varlink in Fedora
-item_test "The varlink executable is present" -x "$(type -P varlink)" || let "NFAILS+=1"
-
MIN_ZIP_VER='3.0'
VER_RE='.+([[:digit:]]+\.[[:digit:]]+).+'
ACTUAL_VER=$(zip --version 2>&1 | egrep -m 1 "Zip$VER_RE" | sed -r -e "s/$VER_RE/\\1/")
diff --git a/contrib/cirrus/container_test.sh b/contrib/cirrus/container_test.sh
index bf0a0d3f1..f8d14c0e4 100644
--- a/contrib/cirrus/container_test.sh
+++ b/contrib/cirrus/container_test.sh
@@ -18,6 +18,8 @@ if [ "${ID}" != "fedora" ] || [ "${CONTAINER_RUNTIME}" != "" ]; then
INTEGRATION_TEST_ENVS="SKIP_USERNS=1"
fi
+echo "$(date --rfc-3339=seconds) $(basename $0) started with '$*' and TEST_REMOTE_CLIENT='${TEST_REMOTE_CLIENT}'"
+
pwd
# -i install
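Review bot: The new log line expands `$(basename $0)` unquoted, so a script path containing whitespace or glob characters is word-split before basename ever sees it; write `$(basename "$0")`. The same unquoted pattern is added in this commit to rootless_test.sh and integration_test.sh, so the quoting fix applies there too. The `'$*'` inside the double-quoted string is fine for a log message, since it is joined into one word there.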
diff --git a/contrib/cirrus/integration_test.sh b/contrib/cirrus/integration_test.sh
index 33e9fbc6b..692d5a236 100755
--- a/contrib/cirrus/integration_test.sh
+++ b/contrib/cirrus/integration_test.sh
@@ -16,7 +16,7 @@ fi
# but pr2947 intends to add 'system'.
TESTSUITE=$(expr $(basename $0) : '\(.*\)_test')
if [[ -z $TESTSUITE ]]; then
- die 1 "Script name is not of the form xxxx_test.sh"
+ die 1 "Script name ($basename $0) is not of the form xxxx_test.sh"
fi
cd "$GOSRC"
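Review bot: The new die message contains `($basename $0)` where `$(basename $0)` was intended: `$basename` expands a shell variable (presumably unset) to nothing, so the parentheses end up holding the full `$0` rather than the script's basename. Change the line to `die 1 "Script name ($(basename "$0")) is not of the form xxxx_test.sh"`. If this script runs under `set -u`, the unset `$basename` would abort the script with an unbound-variable error before die is reached; the `set` line is outside this hunk, so that part is inferred.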
diff --git a/contrib/cirrus/networking.sh b/contrib/cirrus/networking.sh
index aeaf74035..2546fab71 100755
--- a/contrib/cirrus/networking.sh
+++ b/contrib/cirrus/networking.sh
@@ -10,7 +10,7 @@ while read host port
do
if [[ "$port" -eq "443" ]]
then
- item_test "SSL/TLS to $host:$port" "$(echo -n '' | openssl s_client -quiet -no_ign_eof -connect $host:$port &> /dev/null; echo $?)" -eq "0"
+ item_test "SSL/TLS to $host:$port" "$(echo -n '' | timeout 60 openssl s_client -quiet -no_ign_eof -connect $host:$port &> /dev/null; echo $?)" -eq "0"
else
item_test "Connect to $host:$port" "$(nc -zv -w 13 $host $port &> /dev/null; echo $?)" -eq 0
fi
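Review bot: The wrapped openssl call on the new line still passes `$host:$port` unquoted even though both values come from the `while read host port` loop above; `-connect "$host:$port"` keeps the command intact, and `</dev/null` is the portable replacement for `echo -n '' |` (echo -n is not portable). With a 60s timeout here and `-w 13` on the nc branch the two checks have very different worst-case durations; whether that asymmetry is intended is not visible from the hunk. Also note that s_client does not exit non-zero on a certificate verification failure by default, so this item_test asserts TLS reachability rather than a trusted certificate; if the latter is the intent, add `-verify_return_error` so the exit status reflects verification.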
diff --git a/contrib/cirrus/packer/README.how-to-update-cirrus-vms b/contrib/cirrus/packer/README.how-to-update-cirrus-vms
new file mode 100644
index 000000000..ac2902ffb
--- /dev/null
+++ b/contrib/cirrus/packer/README.how-to-update-cirrus-vms
@@ -0,0 +1,89 @@
+This document briefly describes how to update VMs on Cirrus.
+
+Examples of when you need to do this:
+
+ - to update crun, conmon, or some other package(s)
+ - to add and/or remove an OS (eg drop f31, add f33)
+ - to change system config (eg containers.conf or other /etc files)
+ - to change kernel command-line (boot time) options
+
+This is a TWO-STEP process: you need to submit a PR with a magic [CI:IMG]
+description string, wait for it to finish, grab a magic string from the
+results, then resubmit without [CI:IMG].
+
+Procedure, Part One of Two:
+
+ 1) Create a working branch:
+
+ $ git co -b my_branch_name
+
+ 2) Make your changes. Typically, zero or more of the following files:
+
+ .cirrus.yml
+ contrib/cirrus/packer/*_packaging.sh
+
+ I said zero because sometimes you just want to update VMs
+ with the latest in dnf or ubuntu repos. That doesn't require
+ changing anything here, simply running new dnf/apt installs.
+
+ 3) Commit your changes. Be sure to include the magic [CI:IMG] string:
+
+ $ git commit -asm'[CI:IMG] this is my commit message'
+
+ 4) Submit your PR:
+
+ $ gh pr create --fill --web
+
+
+ -------------------------- INTERMISSION --------------------------
+ ...in which we wait for CI to turn green. In particular, although
+ we only really need 'test_build_cache_images' (45 minutes or so)
+ to get the required magic number strings, please be a decent
+ human being and wait for 'verify_test_built_images' (another hour)
+ so we can all have confidence in our process. Thank you.
+ -------------------------- INTERMISSION --------------------------
+
+
+Procedure, Part Two of Two:
+
+ 1) When 'test_build_cache_images' completes, click it, then click
+ 'View more details on Cirrus CI', then expand the 'Run build_vm_image'
+ accordion. This gives you a garishly colorful display of lines.
+ Each color is a different VM.
+
+ 2) Verify that each VM has the packages you require. (The garish log
+ doesn't actually list this for all packages, so you may need to
+ look in the 'verify_test_built_images' log for each individual
+ VM. Click the 'package_versions' accordion.)
+
+ 3) At the bottom of this log you will see a block like:
+
+ Builds finished. The artifacts of successful builds are:
+ ubuntu-19: A disk image was created: ubuntu-19-podman-6439450735542272
+ fedora-31: A disk image was created: fedora-31-podman-6439450735542272
+ .....
+
+ The long numbers at the end should (MUST!) be all identical.
+
+ 4) Edit .cirrus.yml locally. Find '_BUILT_IMAGE_SUFFIX' near the
+ top. Copy that long number ("6439450735542272", above) and paste
+ it here, replacing the previous long number.
+
+ 5) Wait for CI to turn green. I know you might have skipped that,
+ because 'test_build_cache_images' finishes long before 'verify',
+ and maybe you're in a hurry, but come on. Be responsible.
+
+ 6) Edit the PR description in github: remove '[CI:IMG]' from the
+ title. Again, *in github*, in the web UI, use the 'Edit' button
+ at top right next to the PR title. Remove the '[CI:IMG]' string
+ from the PR title, press Save. If you forget to do this, the
+ VM-building steps will run again (taking a long time) but it
+ will be a waste of time.
+
+ 7) Update your PR:
+
+ $ git add .cirrus.yml (to get the new magic IMAGE_SUFFIX string)
+ $ git commit --amend (remove [CI:IMG] for consistency with 6)
+ $ git push --force
+
+You can probably take it from here.
diff --git a/contrib/cirrus/packer/fedora_packaging.sh b/contrib/cirrus/packer/fedora_packaging.sh
index b4a3a2062..f19932a9f 100644
--- a/contrib/cirrus/packer/fedora_packaging.sh
+++ b/contrib/cirrus/packer/fedora_packaging.sh
@@ -153,6 +153,15 @@ DOWNLOAD_PACKAGES=(\
echo "Installing general build/test dependencies for Fedora '$OS_RELEASE_VER'"
$BIGTO ooe.sh $SUDO dnf install -y ${INSTALL_PACKAGES[@]}
+# AD-HOC CODE FOR SPECIAL-CASE SITUATIONS!
+# On 2020-07-23 we needed this code to upgrade crun on f31, a build
+# that is not yet in stable. Since CI:IMG PRs are a two-step process,
+# the key part is that we UN-COMMENT-THIS-OUT during the first step,
+# then re-comment it on the second (once we have the built images).
+# That way this will be dead code in future CI:IMG PRs but will
+# serve as an example for anyone in a similar future situation.
+# $BIGTO ooe.sh $SUDO dnf --enablerepo=updates-testing -y upgrade crun
+
[[ ${#REMOVE_PACKAGES[@]} -eq 0 ]] || \
$LILTO ooe.sh $SUDO dnf erase -y ${REMOVE_PACKAGES[@]}
diff --git a/contrib/cirrus/rootless_test.sh b/contrib/cirrus/rootless_test.sh
index 9e1b1d911..63cbec69b 100755
--- a/contrib/cirrus/rootless_test.sh
+++ b/contrib/cirrus/rootless_test.sh
@@ -2,11 +2,13 @@
set -e
+echo "$(date --rfc-3339=seconds) $(basename $0) started with '$*'"
+
source $(dirname $0)/lib.sh
if [[ "$UID" == "0" ]]
then
- echo "Error: Expected to be running as a regular user"
+ echo "$(basename $0): Error: Expected to be running as a regular user"
exit 1
fi
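Review bot: The reworded error message on the `Error: Expected to be running as a regular user` line still goes to stdout before `exit 1`; diagnostics belong on stderr, `echo "$(basename "$0"): Error: Expected to be running as a regular user" >&2`. The enclosing if block is fully inside the hunk, so this is a one-line change.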
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
index fbdae83fa..437a83c4b 100755
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@@ -57,9 +57,6 @@ case "${OS_RELEASE_ID}" in
workaround_bfq_bug
- # HACK: Need Conmon 2.0.17, currently in updates-testing on F31.
- dnf update -y --enablerepo=updates-testing conmon
-
if [[ "$ADD_SECOND_PARTITION" == "true" ]]; then
bash "$SCRIPT_BASE/add_second_partition.sh"
fi
diff --git a/contrib/cirrus/timestamp.awk b/contrib/cirrus/timestamp.awk
index 95b312e51..b3663b303 100644
--- a/contrib/cirrus/timestamp.awk
+++ b/contrib/cirrus/timestamp.awk
@@ -7,7 +7,7 @@
BEGIN {
STARTTIME=systime()
printf "[%s] START", strftime("%T")
- printf " - All [+xxxx] lines that follow are relative to right now.\n"
+ printf " - All [+xxxx] lines that follow are relative to %s.\n", strftime("%FT%T")
}
{
@@ -16,5 +16,5 @@ BEGIN {
END {
printf "[%s] END", strftime("%T")
- printf " - [%+05ds] total duration since START\n", systime()-STARTTIME
+ printf " - [%+05ds] total duration since %s\n", systime()-STARTTIME, strftime("%FT%T")
}
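Review bot: In the END block the new `%s` is filled with `strftime("%FT%T")`, i.e. the time at END, while the text says "total duration since %s", so the value printed is the duration since START but the label shows the end timestamp. gawk's strftime accepts an optional timestamp argument, so `printf " - [%+05ds] total duration since %s\n", systime()-STARTTIME, strftime("%FT%T", STARTTIME)` prints the start time that BEGIN recorded in STARTTIME. The BEGIN hunk above is consistent as written, since there "now" is the start.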
diff --git a/libpod/common_test.go b/libpod/common_test.go
index dff04af5c..e15e3e7a7 100644
--- a/libpod/common_test.go
+++ b/libpod/common_test.go
@@ -19,33 +19,41 @@ import (
func getTestContainer(id, name string, manager lock.Manager) (*Container, error) {
ctr := &Container{
config: &ContainerConfig{
- ID: id,
- Name: name,
- RootfsImageID: id,
- RootfsImageName: "testimg",
- StaticDir: "/does/not/exist/",
- LogPath: "/does/not/exist/",
- Stdin: true,
- Labels: map[string]string{"a": "b", "c": "d"},
- StopSignal: 0,
- StopTimeout: 0,
- CreatedTime: time.Now(),
- Privileged: true,
- Mounts: []string{"/does/not/exist"},
- DNSServer: []net.IP{net.ParseIP("192.168.1.1"), net.ParseIP("192.168.2.2")},
- DNSSearch: []string{"example.com", "example.example.com"},
- PortMappings: []ocicni.PortMapping{
- {
- HostPort: 80,
- ContainerPort: 90,
- Protocol: "tcp",
- HostIP: "192.168.3.3",
- },
- {
- HostPort: 100,
- ContainerPort: 110,
- Protocol: "udp",
- HostIP: "192.168.4.4",
+ ID: id,
+ Name: name,
+ ContainerRootFSConfig: ContainerRootFSConfig{
+ RootfsImageID: id,
+ RootfsImageName: "testimg",
+ StaticDir: "/does/not/exist/",
+ Mounts: []string{"/does/not/exist"},
+ },
+ ContainerMiscConfig: ContainerMiscConfig{
+ LogPath: "/does/not/exist/",
+ Stdin: true,
+ Labels: map[string]string{"a": "b", "c": "d"},
+ StopSignal: 0,
+ StopTimeout: 0,
+ CreatedTime: time.Now(),
+ },
+ ContainerSecurityConfig: ContainerSecurityConfig{
+ Privileged: true,
+ },
+ ContainerNetworkConfig: ContainerNetworkConfig{
+ DNSServer: []net.IP{net.ParseIP("192.168.1.1"), net.ParseIP("192.168.2.2")},
+ DNSSearch: []string{"example.com", "example.example.com"},
+ PortMappings: []ocicni.PortMapping{
+ {
+ HostPort: 80,
+ ContainerPort: 90,
+ Protocol: "tcp",
+ HostIP: "192.168.3.3",
+ },
+ {
+ HostPort: 100,
+ ContainerPort: 110,
+ Protocol: "udp",
+ HostIP: "192.168.4.4",
+ },
},
},
},
diff --git a/libpod/container.go b/libpod/container.go
index 8a69df685..03358ebdc 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -15,7 +15,6 @@ import (
"github.com/containers/image/v5/manifest"
"github.com/containers/libpod/v2/libpod/define"
"github.com/containers/libpod/v2/libpod/lock"
- "github.com/containers/libpod/v2/pkg/namespaces"
"github.com/containers/libpod/v2/pkg/rootless"
"github.com/containers/libpod/v2/utils"
"github.com/containers/storage"
@@ -215,233 +214,6 @@ type ContainerState struct {
containerPlatformState
}
-// ContainerConfig contains all information that was used to create the
-// container. It may not be changed once created.
-// It is stored, read-only, on disk
-type ContainerConfig struct {
- Spec *spec.Spec `json:"spec"`
- ID string `json:"id"`
- Name string `json:"name"`
- // Full ID of the pood the container belongs to
- Pod string `json:"pod,omitempty"`
- // Namespace the container is in
- Namespace string `json:"namespace,omitempty"`
- // ID of this container's lock
- LockID uint32 `json:"lockID"`
-
- // CreateCommand is the full command plus arguments of the process the
- // container has been created with.
- CreateCommand []string `json:"CreateCommand,omitempty"`
-
- // RawImageName is the raw and unprocessed name of the image when creating
- // the container (as specified by the user). May or may not be set. One
- // use case to store this data are auto-updates where we need the _exact_
- // name and not some normalized instance of it.
- RawImageName string `json:"RawImageName,omitempty"`
-
- // TODO consider breaking these subsections up into smaller structs
-
- // UID/GID mappings used by the storage
- IDMappings storage.IDMappingOptions `json:"idMappingsOptions,omitempty"`
-
- // Information on the image used for the root filesystem
- RootfsImageID string `json:"rootfsImageID,omitempty"`
- RootfsImageName string `json:"rootfsImageName,omitempty"`
- // Rootfs to use for the container, this conflicts with RootfsImageID
- Rootfs string `json:"rootfs,omitempty"`
- // Src path to be mounted on /dev/shm in container.
- ShmDir string `json:"ShmDir,omitempty"`
- // Size of the container's SHM.
- ShmSize int64 `json:"shmSize"`
- // Static directory for container content that will persist across
- // reboot.
- StaticDir string `json:"staticDir"`
- // Mounts list contains all additional mounts into the container rootfs.
- // These include the SHM mount.
- // These must be unmounted before the container's rootfs is unmounted.
- Mounts []string `json:"mounts,omitempty"`
- // NamedVolumes lists the named volumes to mount into the container.
- NamedVolumes []*ContainerNamedVolume `json:"namedVolumes,omitempty"`
- // OverlayVolumes lists the overlay volumes to mount into the container.
- OverlayVolumes []*ContainerOverlayVolume `json:"overlayVolumes,omitempty"`
-
- // Security Config
-
- // Whether the container is privileged
- Privileged bool `json:"privileged"`
- // SELinux process label for container
- ProcessLabel string `json:"ProcessLabel,omitempty"`
- // SELinux mount label for root filesystem
- MountLabel string `json:"MountLabel,omitempty"`
- // LabelOpts are options passed in by the user to setup SELinux labels
- LabelOpts []string `json:"labelopts,omitempty"`
- // User and group to use in the container
- // Can be specified by name or UID/GID
- User string `json:"user,omitempty"`
- // Additional groups to add
- Groups []string `json:"groups,omitempty"`
- // AddCurrentUserPasswdEntry indicates that the current user passwd entry
- // should be added to the /etc/passwd within the container
- AddCurrentUserPasswdEntry bool `json:"addCurrentUserPasswdEntry,omitempty"`
-
- // Namespace Config
- // IDs of container to share namespaces with
- // NetNsCtr conflicts with the CreateNetNS bool
- // These containers are considered dependencies of the given container
- // They must be started before the given container is started
- IPCNsCtr string `json:"ipcNsCtr,omitempty"`
- MountNsCtr string `json:"mountNsCtr,omitempty"`
- NetNsCtr string `json:"netNsCtr,omitempty"`
- PIDNsCtr string `json:"pidNsCtr,omitempty"`
- UserNsCtr string `json:"userNsCtr,omitempty"`
- UTSNsCtr string `json:"utsNsCtr,omitempty"`
- CgroupNsCtr string `json:"cgroupNsCtr,omitempty"`
-
- // IDs of dependency containers.
- // These containers must be started before this container is started.
- Dependencies []string
-
- // Network Config
-
- // CreateNetNS indicates that libpod should create and configure a new
- // network namespace for the container.
- // This cannot be set if NetNsCtr is also set.
- CreateNetNS bool `json:"createNetNS"`
- // StaticIP is a static IP to request for the container.
- // This cannot be set unless CreateNetNS is set.
- // If not set, the container will be dynamically assigned an IP by CNI.
- StaticIP net.IP `json:"staticIP"`
- // StaticMAC is a static MAC to request for the container.
- // This cannot be set unless CreateNetNS is set.
- // If not set, the container will be dynamically assigned a MAC by CNI.
- StaticMAC net.HardwareAddr `json:"staticMAC"`
- // PortMappings are the ports forwarded to the container's network
- // namespace
- // These are not used unless CreateNetNS is true
- PortMappings []ocicni.PortMapping `json:"portMappings,omitempty"`
- // UseImageResolvConf indicates that resolv.conf should not be
- // bind-mounted inside the container.
- // Conflicts with DNSServer, DNSSearch, DNSOption.
- UseImageResolvConf bool
- // DNS servers to use in container resolv.conf
- // Will override servers in host resolv if set
- DNSServer []net.IP `json:"dnsServer,omitempty"`
- // DNS Search domains to use in container resolv.conf
- // Will override search domains in host resolv if set
- DNSSearch []string `json:"dnsSearch,omitempty"`
- // DNS options to be set in container resolv.conf
- // With override options in host resolv if set
- DNSOption []string `json:"dnsOption,omitempty"`
- // UseImageHosts indicates that /etc/hosts should not be
- // bind-mounted inside the container.
- // Conflicts with HostAdd.
- UseImageHosts bool
- // Hosts to add in container
- // Will be appended to host's host file
- HostAdd []string `json:"hostsAdd,omitempty"`
- // Network names (CNI) to add container to. Empty to use default network.
- Networks []string `json:"networks,omitempty"`
- // Network mode specified for the default network.
- NetMode namespaces.NetworkMode `json:"networkMode,omitempty"`
- // NetworkOptions are additional options for each network
- NetworkOptions map[string][]string `json:"network_options,omitempty"`
-
- // Image Config
-
- // UserVolumes contains user-added volume mounts in the container.
- // These will not be added to the container's spec, as it is assumed
- // they are already present in the spec given to Libpod. Instead, it is
- // used when committing containers to generate the VOLUMES field of the
- // image that is created, and for triggering some OCI hooks which do not
- // fire unless user-added volume mounts are present.
- UserVolumes []string `json:"userVolumes,omitempty"`
- // Entrypoint is the container's entrypoint.
- // It is not used in spec generation, but will be used when the
- // container is committed to populate the entrypoint of the new image.
- Entrypoint []string `json:"entrypoint,omitempty"`
- // Command is the container's command.
- // It is not used in spec generation, but will be used when the
- // container is committed to populate the command of the new image.
- Command []string `json:"command,omitempty"`
-
- // Misc Options
-
- // Whether to keep container STDIN open
- Stdin bool `json:"stdin,omitempty"`
- // Labels is a set of key-value pairs providing additional information
- // about a container
- Labels map[string]string `json:"labels,omitempty"`
- // StopSignal is the signal that will be used to stop the container
- StopSignal uint `json:"stopSignal,omitempty"`
- // StopTimeout is the signal that will be used to stop the container
- StopTimeout uint `json:"stopTimeout,omitempty"`
- // Time container was created
- CreatedTime time.Time `json:"createdTime"`
- // NoCgroups indicates that the container will not create CGroups. It is
- // incompatible with CgroupParent. Deprecated in favor of CgroupsMode.
- NoCgroups bool `json:"noCgroups,omitempty"`
- // CgroupsMode indicates how the container will create cgroups
- // (disabled, no-conmon, enabled). It supersedes NoCgroups.
- CgroupsMode string `json:"cgroupsMode,omitempty"`
- // Cgroup parent of the container
- CgroupParent string `json:"cgroupParent"`
- // LogPath log location
- LogPath string `json:"logPath"`
- // LogTag is the tag used for logging
- LogTag string `json:"logTag"`
- // LogDriver driver for logs
- LogDriver string `json:"logDriver"`
- // File containing the conmon PID
- ConmonPidFile string `json:"conmonPidFile,omitempty"`
- // RestartPolicy indicates what action the container will take upon
- // exiting naturally.
- // Allowed options are "no" (take no action), "on-failure" (restart on
- // non-zero exit code, up an a maximum of RestartRetries times),
- // and "always" (always restart the container on any exit code).
- // The empty string is treated as the default ("no")
- RestartPolicy string `json:"restart_policy,omitempty"`
- // RestartRetries indicates the number of attempts that will be made to
- // restart the container. Used only if RestartPolicy is set to
- // "on-failure".
- RestartRetries uint `json:"restart_retries,omitempty"`
- // TODO log options for log drivers
-
- // PostConfigureNetNS needed when a user namespace is created by an OCI runtime
- // if the network namespace is created before the user namespace it will be
- // owned by the wrong user namespace.
- PostConfigureNetNS bool `json:"postConfigureNetNS"`
-
- // OCIRuntime used to create the container
- OCIRuntime string `json:"runtime,omitempty"`
-
- // ExitCommand is the container's exit command.
- // This Command will be executed when the container exits
- ExitCommand []string `json:"exitCommand,omitempty"`
- // IsInfra is a bool indicating whether this container is an infra container used for
- // sharing kernel namespaces in a pod
- IsInfra bool `json:"pause"`
-
- // SdNotifyMode tells libpod what to do with a NOTIFY_SOCKET if passed
- SdNotifyMode string `json:"sdnotifyMode,omitempty"`
- // Systemd tells libpod to setup the container in systemd mode
- Systemd bool `json:"systemd"`
-
- // HealthCheckConfig has the health check command and related timings
- HealthCheckConfig *manifest.Schema2HealthConfig `json:"healthcheck"`
-
- // PreserveFDs is a number of additional file descriptors (in addition
- // to 0, 1, 2) that will be passed to the executed process. The total FDs
- // passed will be 3 + PreserveFDs.
- PreserveFDs uint `json:"preserveFds,omitempty"`
-
- // Timezone is the timezone inside the container.
- // Local means it has the same timezone as the host machine
- Timezone string `json:"timezone,omitempty"`
-
- // Umask is the umask inside the container.
- Umask string `json:"umask,omitempty"`
-}
-
// ContainerNamedVolume is a named volume that will be mounted into the
// container. Each named volume is a libpod Volume present in the state.
type ContainerNamedVolume struct {
@@ -1277,10 +1049,13 @@ func (c *Container) AutoRemove() bool {
return c.Spec().Annotations[define.InspectAnnotationAutoremove] == define.InspectResponseTrue
}
+// Timezone returns the timezone configured inside the container.
+// Local means it has the same timezone as the host machine
func (c *Container) Timezone() string {
return c.config.Timezone
}
+// Umask returns the Umask bits configured inside the container.
func (c *Container) Umask() string {
return c.config.Umask
}
diff --git a/libpod/container_config.go b/libpod/container_config.go
new file mode 100644
index 000000000..8a98d6341
--- /dev/null
+++ b/libpod/container_config.go
@@ -0,0 +1,256 @@
+package libpod
+
+import (
+ "net"
+ "time"
+
+ "github.com/containers/image/v5/manifest"
+ "github.com/containers/libpod/v2/pkg/namespaces"
+ "github.com/containers/storage"
+ "github.com/cri-o/ocicni/pkg/ocicni"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// ContainerConfig contains all information that was used to create the
+// container. It may not be changed once created.
+// It is stored, read-only, on disk
+type ContainerConfig struct {
+ Spec *spec.Spec `json:"spec"`
+
+ ID string `json:"id"`
+
+ Name string `json:"name"`
+
+ // Full ID of the pood the container belongs to
+ Pod string `json:"pod,omitempty"`
+
+ // Namespace the container is in
+ Namespace string `json:"namespace,omitempty"`
+
+ // ID of this container's lock
+ LockID uint32 `json:"lockID"`
+
+ // CreateCommand is the full command plus arguments of the process the
+ // container has been created with.
+ CreateCommand []string `json:"CreateCommand,omitempty"`
+
+ // RawImageName is the raw and unprocessed name of the image when creating
+ // the container (as specified by the user). May or may not be set. One
+ // use case to store this data are auto-updates where we need the _exact_
+ // name and not some normalized instance of it.
+ RawImageName string `json:"RawImageName,omitempty"`
+
+ // UID/GID mappings used by the storage
+ IDMappings storage.IDMappingOptions `json:"idMappingsOptions,omitempty"`
+
+ // IDs of dependency containers.
+ // These containers must be started before this container is started.
+ Dependencies []string
+
+ // embedded sub-configs
+ ContainerRootFSConfig
+ ContainerSecurityConfig
+ ContainerNameSpaceConfig
+ ContainerNetworkConfig
+ ContainerImageConfig
+ ContainerMiscConfig
+}
+
+// ContainerRootFSConfig is an embedded sub-config providing config info
+// about the container's root fs.
+type ContainerRootFSConfig struct {
+ RootfsImageID string `json:"rootfsImageID,omitempty"`
+ RootfsImageName string `json:"rootfsImageName,omitempty"`
+ // Rootfs to use for the container, this conflicts with RootfsImageID
+ Rootfs string `json:"rootfs,omitempty"`
+ // Src path to be mounted on /dev/shm in container.
+ ShmDir string `json:"ShmDir,omitempty"`
+ // Size of the container's SHM.
+ ShmSize int64 `json:"shmSize"`
+ // Static directory for container content that will persist across
+ // reboot.
+ StaticDir string `json:"staticDir"`
+ // Mounts list contains all additional mounts into the container rootfs.
+ // These include the SHM mount.
+ // These must be unmounted before the container's rootfs is unmounted.
+ Mounts []string `json:"mounts,omitempty"`
+ // NamedVolumes lists the named volumes to mount into the container.
+ NamedVolumes []*ContainerNamedVolume `json:"namedVolumes,omitempty"`
+ // OverlayVolumes lists the overlay volumes to mount into the container.
+ OverlayVolumes []*ContainerOverlayVolume `json:"overlayVolumes,omitempty"`
+}
+
+// ContainerSecurityConfig is an embedded sub-config providing security configuration
+// to the container.
+type ContainerSecurityConfig struct {
+ // Whether the container is privileged
+ Privileged bool `json:"privileged"`
+ // SELinux process label for container
+ ProcessLabel string `json:"ProcessLabel,omitempty"`
+ // SELinux mount label for root filesystem
+ MountLabel string `json:"MountLabel,omitempty"`
+ // LabelOpts are options passed in by the user to setup SELinux labels
+ LabelOpts []string `json:"labelopts,omitempty"`
+ // User and group to use in the container
+ // Can be specified by name or UID/GID
+ User string `json:"user,omitempty"`
+ // Additional groups to add
+ Groups []string `json:"groups,omitempty"`
+ // AddCurrentUserPasswdEntry indicates that the current user passwd entry
+ // should be added to the /etc/passwd within the container
+ AddCurrentUserPasswdEntry bool `json:"addCurrentUserPasswdEntry,omitempty"`
+}
+
+// ContainerNameSpaceConfig is an embedded sub-config providing
+// namespace configuration to the container.
+type ContainerNameSpaceConfig struct {
+ // IDs of container to share namespaces with
+ // NetNsCtr conflicts with the CreateNetNS bool
+ // These containers are considered dependencies of the given container
+ // They must be started before the given container is started
+ IPCNsCtr string `json:"ipcNsCtr,omitempty"`
+ MountNsCtr string `json:"mountNsCtr,omitempty"`
+ NetNsCtr string `json:"netNsCtr,omitempty"`
+ PIDNsCtr string `json:"pidNsCtr,omitempty"`
+ UserNsCtr string `json:"userNsCtr,omitempty"`
+ UTSNsCtr string `json:"utsNsCtr,omitempty"`
+ CgroupNsCtr string `json:"cgroupNsCtr,omitempty"`
+}
+
+// ContainerNetworkConfig is an embedded sub-config providing network configuration
+// to the container.
+type ContainerNetworkConfig struct {
+ // CreateNetNS indicates that libpod should create and configure a new
+ // network namespace for the container.
+ // This cannot be set if NetNsCtr is also set.
+ CreateNetNS bool `json:"createNetNS"`
+ // StaticIP is a static IP to request for the container.
+ // This cannot be set unless CreateNetNS is set.
+ // If not set, the container will be dynamically assigned an IP by CNI.
+ StaticIP net.IP `json:"staticIP"`
+ // StaticMAC is a static MAC to request for the container.
+ // This cannot be set unless CreateNetNS is set.
+ // If not set, the container will be dynamically assigned a MAC by CNI.
+ StaticMAC net.HardwareAddr `json:"staticMAC"`
+ // PortMappings are the ports forwarded to the container's network
+ // namespace
+ // These are not used unless CreateNetNS is true
+ PortMappings []ocicni.PortMapping `json:"portMappings,omitempty"`
+ // UseImageResolvConf indicates that resolv.conf should not be
+ // bind-mounted inside the container.
+ // Conflicts with DNSServer, DNSSearch, DNSOption.
+ UseImageResolvConf bool
+ // DNS servers to use in container resolv.conf
+ // Will override servers in host resolv if set
+ DNSServer []net.IP `json:"dnsServer,omitempty"`
+ // DNS Search domains to use in container resolv.conf
+ // Will override search domains in host resolv if set
+ DNSSearch []string `json:"dnsSearch,omitempty"`
+ // DNS options to be set in container resolv.conf
+ // With override options in host resolv if set
+ DNSOption []string `json:"dnsOption,omitempty"`
+ // UseImageHosts indicates that /etc/hosts should not be
+ // bind-mounted inside the container.
+ // Conflicts with HostAdd.
+ UseImageHosts bool
+ // Hosts to add in container
+ // Will be appended to host's host file
+ HostAdd []string `json:"hostsAdd,omitempty"`
+ // Network names (CNI) to add container to. Empty to use default network.
+ Networks []string `json:"networks,omitempty"`
+ // Network mode specified for the default network.
+ NetMode namespaces.NetworkMode `json:"networkMode,omitempty"`
+ // NetworkOptions are additional options for each network
+ NetworkOptions map[string][]string `json:"network_options,omitempty"`
+}
+
+// ContainerImageConfig is an embedded sub-config providing image configuration
+// to the container.
+type ContainerImageConfig struct {
+ // UserVolumes contains user-added volume mounts in the container.
+ // These will not be added to the container's spec, as it is assumed
+ // they are already present in the spec given to Libpod. Instead, it is
+ // used when committing containers to generate the VOLUMES field of the
+ // image that is created, and for triggering some OCI hooks which do not
+ // fire unless user-added volume mounts are present.
+ UserVolumes []string `json:"userVolumes,omitempty"`
+ // Entrypoint is the container's entrypoint.
+ // It is not used in spec generation, but will be used when the
+ // container is committed to populate the entrypoint of the new image.
+ Entrypoint []string `json:"entrypoint,omitempty"`
+ // Command is the container's command.
+ // It is not used in spec generation, but will be used when the
+ // container is committed to populate the command of the new image.
+ Command []string `json:"command,omitempty"`
+}
+
+// ContainerMiscConfig is an embedded sub-config providing misc configuration
+// to the container.
+type ContainerMiscConfig struct {
+ // Whether to keep container STDIN open
+ Stdin bool `json:"stdin,omitempty"`
+ // Labels is a set of key-value pairs providing additional information
+ // about a container
+ Labels map[string]string `json:"labels,omitempty"`
+ // StopSignal is the signal that will be used to stop the container
+ StopSignal uint `json:"stopSignal,omitempty"`
+ // StopTimeout is the signal that will be used to stop the container
+ StopTimeout uint `json:"stopTimeout,omitempty"`
+ // Time container was created
+ CreatedTime time.Time `json:"createdTime"`
+ // NoCgroups indicates that the container will not create CGroups. It is
+ // incompatible with CgroupParent. Deprecated in favor of CgroupsMode.
+ NoCgroups bool `json:"noCgroups,omitempty"`
+ // CgroupsMode indicates how the container will create cgroups
+ // (disabled, no-conmon, enabled). It supersedes NoCgroups.
+ CgroupsMode string `json:"cgroupsMode,omitempty"`
+ // Cgroup parent of the container
+ CgroupParent string `json:"cgroupParent"`
+ // LogPath log location
+ LogPath string `json:"logPath"`
+ // LogTag is the tag used for logging
+ LogTag string `json:"logTag"`
+ // LogDriver driver for logs
+ LogDriver string `json:"logDriver"`
+ // File containing the conmon PID
+ ConmonPidFile string `json:"conmonPidFile,omitempty"`
+ // RestartPolicy indicates what action the container will take upon
+ // exiting naturally.
+ // Allowed options are "no" (take no action), "on-failure" (restart on
+ // non-zero exit code, up an a maximum of RestartRetries times),
+ // and "always" (always restart the container on any exit code).
+ // The empty string is treated as the default ("no")
+ RestartPolicy string `json:"restart_policy,omitempty"`
+ // RestartRetries indicates the number of attempts that will be made to
+ // restart the container. Used only if RestartPolicy is set to
+ // "on-failure".
+ RestartRetries uint `json:"restart_retries,omitempty"`
+ // TODO log options for log drivers
+ // PostConfigureNetNS needed when a user namespace is created by an OCI runtime
+ // if the network namespace is created before the user namespace it will be
+ // owned by the wrong user namespace.
+ PostConfigureNetNS bool `json:"postConfigureNetNS"`
+ // OCIRuntime used to create the container
+ OCIRuntime string `json:"runtime,omitempty"`
+ // ExitCommand is the container's exit command.
+ // This Command will be executed when the container exits
+ ExitCommand []string `json:"exitCommand,omitempty"`
+ // IsInfra is a bool indicating whether this container is an infra container used for
+ // sharing kernel namespaces in a pod
+ IsInfra bool `json:"pause"`
+ // SdNotifyMode tells libpod what to do with a NOTIFY_SOCKET if passed
+ SdNotifyMode string `json:"sdnotifyMode,omitempty"`
+ // Systemd tells libpod to setup the container in systemd mode
+ Systemd bool `json:"systemd"`
+ // HealthCheckConfig has the health check command and related timings
+ HealthCheckConfig *manifest.Schema2HealthConfig `json:"healthcheck"`
+ // PreserveFDs is a number of additional file descriptors (in addition
+ // to 0, 1, 2) that will be passed to the executed process. The total FDs
+ // passed will be 3 + PreserveFDs.
+ PreserveFDs uint `json:"preserveFds,omitempty"`
+ // Timezone is the timezone inside the container.
+ // Local means it has the same timezone as the host machine
+ Timezone string `json:"timezone,omitempty"`
+ // Umask is the umask inside the container.
+ Umask string `json:"umask,omitempty"`
+}
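Review bot: Moving the security-relevant fields (Privileged, User, ProcessLabel/MountLabel, Groups, AddCurrentUserPasswdEntry) into embedded sub-structs keeps the persisted JSON flat only as long as no two embedded structs declare the same field or json tag: encoding/json resolves a collision at equal depth by ignoring the field on both encode and decode with no error, so a future addition could silently lose a stored setting. I don't see a serialization test in this commit pinning ContainerConfig's key set; a round-trip test that asserts the exact JSON keys (e.g. `privileged`, `user`, `ProcessLabel`, `staticDir`) would make this refactor and later field additions safe to verify. Two smaller points: `ContainerNameSpaceConfig` does not follow the `Namespace` spelling the same struct uses for its own field and the other sub-config names, and the StopTimeout comment is a copy of StopSignal's ("is the signal that will be used to stop the container") — it should describe the timeout, e.g. `// StopTimeout is how long to wait for the container to stop after StopSignal is sent` (confirm the exact semantics against the stop code, which is not in this diff).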
diff --git a/libpod/container_internal_linux_test.go b/libpod/container_internal_linux_test.go
index 078cc53a7..41c22fb45 100644
--- a/libpod/container_internal_linux_test.go
+++ b/libpod/container_internal_linux_test.go
@@ -20,8 +20,10 @@ func TestGenerateUserPasswdEntry(t *testing.T) {
c := Container{
config: &ContainerConfig{
- User: "123:456",
Spec: &spec.Spec{},
+ ContainerSecurityConfig: ContainerSecurityConfig{
+ User: "123:456",
+ },
},
state: &ContainerState{
Mountpoint: "/does/not/exist/tmp/",
diff --git a/libpod/container_internal_test.go b/libpod/container_internal_test.go
index fdf7c2e20..2b50093b2 100644
--- a/libpod/container_internal_test.go
+++ b/libpod/container_internal_test.go
@@ -35,7 +35,9 @@ func TestPostDeleteHooks(t *testing.T) {
"a": "b",
},
},
- StaticDir: dir, // not the bundle, but good enough for this test
+ ContainerRootFSConfig: ContainerRootFSConfig{
+ StaticDir: dir, // not the bundle, but good enough for this test
+ },
},
state: &ContainerState{
ExtensionStageHooks: map[string][]rspec.Hook{
diff --git a/transfer.md b/transfer.md
index a9cc8a756..9aa271c37 100644
--- a/transfer.md
+++ b/transfer.md
@@ -54,6 +54,10 @@ There are other equivalents for these tools
| `docker load` | [`podman load`](./docs/source/markdown/podman-load.1.md) |
| `docker login` | [`podman login`](./docs/source/markdown/podman-login.1.md) |
| `docker logout` | [`podman logout`](./docs/source/markdown/podman-logout.1.md) |
+| `docker network create` | [`podman network create`](./docs/source/markdown/podman-network-create.1.md) |
+| `docker network inspect` | [`podman network inspect`](./docs/source/markdown/podman-network-inspect.1.md) |
+| `docker network ls` | [`podman network ls`](./docs/source/markdown/podman-network-ls.1.md) |
+| `docker network rm` | [`podman network rm`](./docs.source/markdown/podman-network-rm.1.md) |
| `docker pause` | [`podman pause`](./docs/source/markdown/podman-pause.1.md) |
| `docker ps` | [`podman ps`](./docs/source/markdown/podman-ps.1.md) |
| `docker pull` | [`podman pull`](./docs/source/markdown/podman-pull.1.md) |
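Review bot: The new `docker network rm` row links to `./docs.source/markdown/podman-network-rm.1.md`, where the first `/` in the path has become a `.`, so the relative link is broken. The three `docker network` rows added just above it use `./docs/source/markdown/...`, which is the form every other row in the table uses. The path should read `./docs/source/markdown/podman-network-rm.1.md` to match.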
@@ -93,14 +97,12 @@ Those Docker commands currently do not have equivalents in `podman`:
| :--- | :--- |
| `docker container update` | podman does not support altering running containers. We recommend recreating containers with the correct arguments.|
| `docker container rename` | podman does not support `container rename` - or the `rename` shorthand. We recommend using `podman rm` and `podman create` to create a container with a specific name.|
-| `docker network` ||
| `docker node` ||
| `docker plugin` | podman does not support plugins. We recommend you use alternative OCI Runtimes or OCI Runtime Hooks to alter behavior of podman.|
| `docker secret` ||
| `docker service` ||
| `docker stack` ||
| `docker swarm` | podman does not support swarm. We support Kubernetes for orchestration using [CRI-O](https://github.com/cri-o/cri-o).|
-| `docker volume` | podman currently supports file volumes. Future enhancement planned to support Docker Volumes Plugins
## Missing commands in Docker
@@ -134,5 +136,4 @@ The following podman commands do not have a Docker equivalent:
* [`podman pod stop`](./docs/source/markdown/podman-pod-stop.1.md)
* [`podman pod top`](./docs/source/markdown/podman-pod-top.1.md)
* [`podman pod unpause`](./docs/source/markdown/podman-pod-unpause.1.md)
-* [`podman varlink`](./docs/source/markdown/podman-varlink.1.md)
* [`podman umount`](./docs/source/markdown/podman-umount.1.md)