diff options
233 files changed, 5138 insertions, 2280 deletions
diff --git a/.cirrus.yml b/.cirrus.yml index 28aa528a4..4b3b6f626 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -21,19 +21,17 @@ env: CIRRUS_SHELL: "/bin/bash" # Save a little typing (path relative to $CIRRUS_WORKING_DIR) SCRIPT_BASE: "./contrib/cirrus" - # Command to prefix every output line with a timestamp + CIRRUS_CLONE_DEPTH: 50 + # Command to prefix output lines with timing information # (can't do inline awk script, Cirrus-CI or YAML mangles quoting) TIMESTAMP: "awk --file ${CIRRUS_WORKING_DIR}/${SCRIPT_BASE}/timestamp.awk" - # Command to log critical filesystems, types, and sizes. - DFCMD: "df -lhTx tmpfs" - CIRRUS_CLONE_DEPTH: 50 #### #### Cache-image names to test with ### - FEDORA_CACHE_IMAGE_NAME: "fedora-29-libpod-5171433328607232" - PRIOR_FEDORA_CACHE_IMAGE_NAME: "fedora-28-libpod-5171433328607232" - UBUNTU_CACHE_IMAGE_NAME: "ubuntu-18-libpod-5171433328607232" + FEDORA_CACHE_IMAGE_NAME: "fedora-29-libpod-4844850202017792" + PRIOR_FEDORA_CACHE_IMAGE_NAME: "fedora-28-libpod-4844850202017792" + UBUNTU_CACHE_IMAGE_NAME: "ubuntu-18-libpod-4844850202017792" #### #### Variables for composing new cache-images (used in PR testing) from @@ -43,7 +41,7 @@ env: # Git commits to use while building dependencies into cache-images FEDORA_CNI_COMMIT: "412b6d31280682bb4fab4446f113c22ff1886554" CNI_COMMIT: "7480240de9749f9a0a5c8614b17f1f03e0c06ab9" - CONMON_COMMIT: "f02c053eb37010fc76d1e2966de7f2cb9f969ef2" + CONMON_COMMIT: "8455ce1ef385120deb827d0f0588c04357bad4c4" CRIU_COMMIT: "c74b83cd49c00589c0c0468ba5fe685b67fdbd0a" # Special image w/ nested-libvirt + tools for creating new cache and base images IMAGE_BUILDER_CACHE_IMAGE_NAME: "image-builder-image-1541772081" @@ -223,6 +221,9 @@ meta_task: depends_on: - "gating" + - "vendor" + - "varlink_api" + - "build_each_commit" container: image: "quay.io/libpod/imgts:latest" # see contrib/imgts @@ -253,8 +254,8 @@ testing_task: depends_on: - "gating" - - "varlink_api" - "vendor" + - "varlink_api" - "build_each_commit" # Only test build cache-images, if that's what's requested @@ -264,7 +265,7 @@ testing_task: matrix: # Images are generated separately, from build_images_task (below) image_name: "${FEDORA_CACHE_IMAGE_NAME}" - image_name: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" + #image_name: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" image_name: "${UBUNTU_CACHE_IMAGE_NAME}" timeout_in: 120m @@ -277,18 +278,15 @@ testing_task: setup_environment_script: '$SCRIPT_BASE/setup_environment.sh |& ${TIMESTAMP}' unit_test_script: '$SCRIPT_BASE/unit_test.sh |& ${TIMESTAMP}' integration_test_script: '$SCRIPT_BASE/integration_test.sh |& ${TIMESTAMP}' - ginkgo_node_logs_script: 'cat $CIRRUS_WORKING_DIR/test/e2e/ginkgo-node-*.log || echo "Ginkgo node logs not found"' - df_script: '${DFCMD}' - audit_log_script: 'cat /var/log/audit/audit.log || cat /var/log/kern.log' - journalctl_b_script: 'journalctl -b' on_failure: failed_master_script: '$CIRRUS_WORKING_DIR/$SCRIPT_BASE/notice_master_failure.sh' - # Job has already failed, don't fail again and miss collecting data - failed_ginkgo_node_logs_script: 'cat $CIRRUS_WORKING_DIR/test/e2e/ginkgo-node-*.log || echo "Ginkgo node logs not found"' - failed_df_script: '${DFCMD}' - failed_audit_log_script: 'cat /var/log/audit/audit.log || cat /var/log/kern.log || echo "Uh oh, cat audit.log failed"' - failed_journalctl_b_script: 'journalctl -b || echo "Uh oh, journalctl -b failed"' + + always: &standardlogs + ginkgo_node_logs_script: '$SCRIPT_BASE/logcollector.sh ginkgo' + df_script: '$SCRIPT_BASE/logcollector.sh df' + audit_log_script: '$SCRIPT_BASE/logcollector.sh audit' + journal_script: '$SCRIPT_BASE/logcollector.sh journal' # This task executes tests under unique environments/conditions @@ -313,16 +311,13 @@ special_testing_rootless_task: setup_environment_script: '$SCRIPT_BASE/setup_environment.sh |& ${TIMESTAMP}' integration_test_script: '$SCRIPT_BASE/integration_test.sh |& ${TIMESTAMP}' - df_script: '${DFCMD}' - audit_log_script: 'cat /var/log/audit/audit.log || cat /var/log/kern.log' - journalctl_b_script: 'journalctl -b' on_failure: failed_master_script: '$CIRRUS_WORKING_DIR/$SCRIPT_BASE/notice_master_failure.sh' - # Job has already failed, don't fail again and miss collecting data - failed_df_script: '${DFCMD}' - failed_audit_log_script: 'cat /var/log/audit/audit.log || cat /var/log/kern.log || echo "Uh oh, cat audit.log failed"' - failed_journalctl_b_script: 'journalctl -b || echo "Uh oh, journalctl -b failed"' + + always: + <<: *standardlogs + special_testing_in_podman_task: @@ -341,42 +336,12 @@ special_testing_in_podman_task: setup_environment_script: '$SCRIPT_BASE/setup_environment.sh |& ${TIMESTAMP}' integration_test_script: '$SCRIPT_BASE/integration_test.sh |& ${TIMESTAMP}' - df_script: '${DFCMD}' - audit_log_script: 'cat /var/log/audit/audit.log || cat /var/log/kern.log' - journalctl_b_script: 'journalctl -b' on_failure: failed_master_script: '$CIRRUS_WORKING_DIR/$SCRIPT_BASE/notice_master_failure.sh' - # Job has already failed, don't fail again and miss collecting data - failed_df_script: '${DFCMD}' - failed_audit_log_script: 'cat /var/log/audit/audit.log || cat /var/log/kern.log || echo "Uh oh, cat audit.log failed"' - failed_journalctl_b_script: 'journalctl -b || echo "Uh oh, journalctl -b failed"' -# Because system tests are stored within the repository, it is sometimes -# necessary to execute them within a PR to validate changes. -optional_testing_task: - - depends_on: - - "gating" - - # Only run system tests in PRs (not on merge) if magic string is present - # in the PR description. Post-merge system testing is assumed to happen - # later from OS distribution's build systems. - only_if: >- - $CIRRUS_BRANCH != 'master' && - $CIRRUS_CHANGE_MESSAGE !=~ '.*\*\*\*\s*CIRRUS:\s*TEST\s*IMAGES\s*\*\*\*.*' && - $CIRRUS_CHANGE_MESSAGE =~ '.*\*\*\*\s*CIRRUS:\s*SYSTEM\s*TEST\s*\*\*\*.*' - - gce_instance: - matrix: - image_name: "${FEDORA_CACHE_IMAGE_NAME}" - image_name: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" - image_name: "${UBUNTU_CACHE_IMAGE_NAME}" - - timeout_in: 60m - - setup_environment_script: '$SCRIPT_BASE/setup_environment.sh |& ${TIMESTAMP}' - system_test_script: '$SCRIPT_BASE/system_test.sh |& ${TIMESTAMP}' + always: + <<: *standardlogs # Test building of new cache-images for future PR testing, in this PR. @@ -424,7 +389,7 @@ verify_test_built_images_task: gce_instance: matrix: # Images are generated separately, from build_images_task (below) - image_name: "fedora-28${BUILT_IMAGE_SUFFIX}" + #image_name: "fedora-28${BUILT_IMAGE_SUFFIX}" image_name: "fedora-29${BUILT_IMAGE_SUFFIX}" image_name: "ubuntu-18${BUILT_IMAGE_SUFFIX}" @@ -439,16 +404,9 @@ verify_test_built_images_task: environment_script: '$SCRIPT_BASE/setup_environment.sh |& ${TIMESTAMP}' integration_test_script: '$SCRIPT_BASE/integration_test.sh |& ${TIMESTAMP}' - ginkgo_node_logs_script: 'cat $CIRRUS_WORKING_DIR/test/e2e/ginkgo-node-*.log || echo "Ginkgo node logs not found"' - df_script: '${DFCMD}' - audit_log_script: 'cat /var/log/audit/audit.log || cat /var/log/kern.log' - journalctl_b_script: 'journalctl -b' - on_failure: - # Job has already failed, don't fail again and miss collecting data - failed_ginkgo_node_logs_script: 'cat $CIRRUS_WORKING_DIR/test/e2e/ginkgo-node-*.log || echo "Ginkgo node logs not found"' - failed_df_script: '${DFCMD}' - failed_audit_log_script: 'cat /var/log/audit/audit.log || cat /var/log/kern.log || echo "Uh oh, cat audit.log failed"' - failed_journalctl_b_script: 'journalctl -b || echo "Uh oh, journalctl -b failed"' + + always: + <<: *standardlogs # Build new cache-images for future PR testing, but only after a PR merge. @@ -508,12 +466,13 @@ success_task: depends_on: # ignores any dependent task conditions - "gating" - - "build_each_commit" - "vendor" - "varlink_api" + - "build_each_commit" + - "meta" - "testing" - - "special_testing" - - "optional_testing" + - "special_testing_rootless" + - "special_testing_in_podman" - "test_build_cache_images" - "verify_test_built_images" - "build_cache_images" diff --git a/.copr/prepare.sh b/.copr/prepare.sh index 57c380b02..d7c5083ca 100644 --- a/.copr/prepare.sh +++ b/.copr/prepare.sh @@ -29,4 +29,4 @@ fi mkdir build/ git archive --prefix "libpod-${COMMIT_SHORT}/" --format "tar.gz" HEAD -o "build/libpod-${COMMIT_SHORT}.tar.gz" git clone https://github.com/containers/conmon -cd conmon && git checkout 59952292a3b07ac125575024ae21956efe0ecdfb && git archive --prefix "conmon/" --format "tar.gz" HEAD -o "../build/conmon.tar.gz" +cd conmon && git checkout 8455ce1ef385120deb827d0f0588c04357bad4c4 && git archive --prefix "conmon/" --format "tar.gz" HEAD -o "../build/conmon.tar.gz" diff --git a/.tool/lint b/.tool/lint index 01f44311d..67dfd4b28 100755 --- a/.tool/lint +++ b/.tool/lint @@ -39,7 +39,6 @@ ${LINTER} \ --exclude='.*_test\.go:.*error return value not checked.*\(errcheck\)$'\ --exclude='duplicate of.*_test.go.*\(dupl\)$'\ --exclude='cmd\/client\/.*\.go.*\(dupl\)$'\ - --exclude='libpod\/.*_easyjson.go:.*'\ --exclude='vendor\/.*'\ --exclude='podman\/.*'\ --exclude='server\/seccomp\/.*\.go.*$'\ @@ -286,7 +286,7 @@ in the [API.md](https://github.com/containers/libpod/blob/master/API.md) file in <div style="background-color: #E8E8E8; padding: 15px; margin: 10px; border-radius: 10px;"> method Attach(name: [string](https://godoc.org/builtin#string), detachKeys: [string](https://godoc.org/builtin#string), start: [bool](https://godoc.org/builtin#bool)) </div> -Attach takes the name or ID of a container and sets up a the ability to remotely attach to its console. The start +Attach takes the name or ID of a container and sets up the ability to remotely attach to its console. The start bool is whether you wish to start the container in question first. ### <a name="AttachControl"></a>func AttachControl <div style="background-color: #E8E8E8; padding: 15px; margin: 10px; border-radius: 10px;"> @@ -459,7 +459,7 @@ $ varlink call -m unix:/run/podman/io.podman/io.podman.ExportContainer '{"name": method ExportImage(name: [string](https://godoc.org/builtin#string), destination: [string](https://godoc.org/builtin#string), compress: [bool](https://godoc.org/builtin#bool), tags: [[]string](#[]string)) [string](https://godoc.org/builtin#string)</div> ExportImage takes the name or ID of an image and exports it to a destination like a tarball. There is also -a booleon option to force compression. It also takes in a string array of tags to be able to save multiple +a boolean option to force compression. It also takes in a string array of tags to be able to save multiple tags of the same image to a tarball (each tag should be of the form <image>:<tag>). Upon completion, the ID of the image is returned. If the image cannot be found in local storage, an [ImageNotFound](#ImageNotFound) error will be returned. See also [ImportImage](ImportImage). @@ -729,14 +729,14 @@ error will be returned if the container cannot be found. See also [InspectImage] <div style="background-color: #E8E8E8; padding: 15px; margin: 10px; border-radius: 10px;"> method InspectImage(name: [string](https://godoc.org/builtin#string)) [string](https://godoc.org/builtin#string)</div> -InspectImage takes the name or ID of an image and returns a string respresentation of data associated with the +InspectImage takes the name or ID of an image and returns a string representation of data associated with the mage. You must serialize the string into JSON to use it further. An [ImageNotFound](#ImageNotFound) error will be returned if the image cannot be found. ### <a name="InspectPod"></a>func InspectPod <div style="background-color: #E8E8E8; padding: 15px; margin: 10px; border-radius: 10px;"> method InspectPod(name: [string](https://godoc.org/builtin#string)) [string](https://godoc.org/builtin#string)</div> -InspectPod takes the name or ID of an image and returns a string respresentation of data associated with the +InspectPod takes the name or ID of an image and returns a string representation of data associated with the pod. You must serialize the string into JSON to use it further. A [PodNotFound](#PodNotFound) error will be returned if the pod cannot be found. ### <a name="KillContainer"></a>func KillContainer @@ -1650,7 +1650,7 @@ name [string](https://godoc.org/builtin#string) star_count [int](https://godoc.org/builtin#int) ### <a name="InfoDistribution"></a>type InfoDistribution -InfoDistribution describes the the host's distribution +InfoDistribution describes the host's distribution distribution [string](https://godoc.org/builtin#string) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 3778d6d7d..b86f3e345 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -8,6 +8,7 @@ that we follow. * [Reporting Issues](#reporting-issues) * [Contributing to libpod](#contributing-to-libpod) +* [Continuous Integration](#continuous-integration) [](https://cirrus-ci.com/github/containers/libpod/master) * [Submitting Pull Requests](#submitting-pull-requests) * [Communications](#communications) @@ -296,6 +297,48 @@ be provided with PRs. For details on how to run the tests for Podman in your test environment, see the Integration Tests [README.md](test/README.md). +## Continuous Integration + +All pull requests and branch-merges automatically run: + +* Go format/lint checking +* Unit testing +* Integration Testing +* Special testing (like running inside a container, or as a regular user) + +For a more in-depth reference of the CI system, please [refer to it's dedicated +documentation.](contrib/cirrus/README.md) + +There is always additional complexity added by automation, and so it sometimes +can fail for any number of reasons. This includes post-merge testing on all +branches, which you may occasionally see [red bars on the status graph +.](https://cirrus-ci.com/github/containers/libpod/master) + +When the graph shows mostly green bars on the right, it's a good indication +the master branch is currently stable. Alternating red/green bars is indicative +of a testing "flake", and should be examined (anybody can do this): + +* *One or a small handful of tests, on a single task, (i.e. specific distro/version) + where all others ran successfully:* Frequently the cause is networking or a brief + external service outage. The failed tasks may simply be re-run by pressing the + corresponding button on the task details page. + +* *Multiple tasks failing*: Logically this should be due to some shared/common element. + If that element is identifiable as a networking or external service (e.g. packaging + repository outage), a re-run should be attempted. + +* *All tasks are failing*: If a common element is **not** identifiable as + temporary (i.e. container registry outage), please seek assistance via + [the methods below](#communications) as this may be early indication of + a more serious problem. + +In the (hopefully) rare case there are multiple, contiguous red bars, this is +a ***very bad*** sign. It means additional merges are occurring despite an uncorrected +or persistently faulty condition. This risks additional bugs being introduced +and further complication of necessary corrective measures. Most likely people +are aware and working on this, but it doesn't hurt [to confirm and/or try and help +if possible.](#communications) + ## Communications For general questions and discussion, please use the @@ -307,6 +350,9 @@ and [PRs](https://github.com/containers/libpod/pulls) tracking system. +There is also a [mailing list](https://lists.podman.io/archives/) at `lists.podman.io`. +You can subscribe by sending a message to `podman@lists.podman.io` with the subject `subscribe`. + [owners]: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md#owners diff --git a/Dockerfile b/Dockerfile index 4fc85e959..214fbeb34 100644 --- a/Dockerfile +++ b/Dockerfile @@ -56,7 +56,7 @@ RUN set -x \ && rm -rf "$GOPATH" # Install conmon -ENV CONMON_COMMIT 59952292a3b07ac125575024ae21956efe0ecdfb +ENV CONMON_COMMIT 8455ce1ef385120deb827d0f0588c04357bad4c4 RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/containers/conmon.git "$GOPATH/src/github.com/containers/conmon.git" \ @@ -79,14 +79,6 @@ RUN set -x \ && cp bin/* /usr/libexec/cni \ && rm -rf "$GOPATH" -# Install buildah -RUN set -x \ - && export GOPATH=/go \ - && git clone https://github.com/containers/buildah "$GOPATH/src/github.com/containers/buildah" \ - && cd "$GOPATH/src/github.com/containers/buildah" \ - && make \ - && make install - # Install ginkgo RUN set -x \ && export GOPATH=/go \ @@ -98,12 +90,6 @@ RUN set -x \ && export GOPATH=/go \ && go get github.com/onsi/gomega/... -# Install easyjson -RUN set -x \ - && export GOPATH=/go \ - && go get -u github.com/mailru/easyjson/... \ - && install -D -m 755 "$GOPATH"/bin/easyjson /usr/bin/ - # Install latest stable criu version RUN set -x \ && cd /tmp \ diff --git a/Dockerfile.centos b/Dockerfile.centos index 159449c63..72b926bff 100644 --- a/Dockerfile.centos +++ b/Dockerfile.centos @@ -38,14 +38,6 @@ RUN set -x \ && cp bin/* /usr/libexec/cni \ && rm -rf "$GOPATH" -# Install buildah -RUN set -x \ - && export GOPATH=/go \ - && git clone https://github.com/containers/buildah "$GOPATH/src/github.com/containers/buildah" \ - && cd "$GOPATH/src/github.com/containers/buildah" \ - && make \ - && make install - # Install ginkgo RUN set -x \ && export GOPATH=/go \ @@ -57,14 +49,8 @@ RUN set -x \ && export GOPATH=/go \ && go get github.com/onsi/gomega/... -# Install easyjson -RUN set -x \ - && export GOPATH=/go \ - && go get -u github.com/mailru/easyjson/... \ - && install -D -m 755 "$GOPATH"/bin/easyjson /usr/bin/ - # Install conmon -ENV CONMON_COMMIT 59952292a3b07ac125575024ae21956efe0ecdfb +ENV CONMON_COMMIT 8455ce1ef385120deb827d0f0588c04357bad4c4 RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/containers/conmon.git "$GOPATH/src/github.com/containers/conmon.git" \ diff --git a/Dockerfile.fedora b/Dockerfile.fedora index 74a770a90..c34d4bb16 100644 --- a/Dockerfile.fedora +++ b/Dockerfile.fedora @@ -42,14 +42,6 @@ RUN set -x \ && cp bin/* /usr/libexec/cni \ && rm -rf "$GOPATH" -# Install buildah -RUN set -x \ - && export GOPATH=/go \ - && git clone https://github.com/containers/buildah "$GOPATH/src/github.com/containers/buildah" \ - && cd "$GOPATH/src/github.com/containers/buildah" \ - && make \ - && make install - # Install ginkgo RUN set -x \ && export GOPATH=/go \ @@ -61,14 +53,8 @@ RUN set -x \ && export GOPATH=/go \ && go get github.com/onsi/gomega/... -# Install easyjson -RUN set -x \ - && export GOPATH=/go \ - && go get -u github.com/mailru/easyjson/... \ - && install -D -m 755 "$GOPATH"/bin/easyjson /usr/bin/ - # Install conmon -ENV CONMON_COMMIT 59952292a3b07ac125575024ae21956efe0ecdfb +ENV CONMON_COMMIT 8455ce1ef385120deb827d0f0588c04357bad4c4 RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/containers/conmon.git "$GOPATH/src/github.com/containers/conmon.git" \ @@ -1,6 +1,6 @@ GO ?= go -DESTDIR ?= / -EPOCH_TEST_COMMIT ?= 8161802f7df857e0850f842261079c83290f9891 +DESTDIR ?= +EPOCH_TEST_COMMIT ?= 90e3c9002b2293569e0cec168a30ecb962b00034 HEAD ?= HEAD CHANGELOG_BASE ?= HEAD~ CHANGELOG_TARGET ?= HEAD @@ -10,12 +10,12 @@ GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null) GIT_BRANCH_CLEAN ?= $(shell echo $(GIT_BRANCH) | sed -e "s/[^[:alnum:]]/-/g") LIBPOD_IMAGE ?= libpod_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN)) LIBPOD_INSTANCE := libpod_dev -PREFIX ?= ${DESTDIR}/usr/local +PREFIX ?= /usr/local BINDIR ?= ${PREFIX}/bin LIBEXECDIR ?= ${PREFIX}/libexec MANDIR ?= ${PREFIX}/share/man SHAREDIR_CONTAINERS ?= ${PREFIX}/share/containers -ETCDIR ?= ${DESTDIR}/etc +ETCDIR ?= /etc TMPFILESDIR ?= ${PREFIX}/lib/tmpfiles.d SYSTEMDDIR ?= ${PREFIX}/lib/systemd/system BUILDTAGS ?= \ @@ -51,7 +51,11 @@ COMMIT_NO ?= $(shell git rev-parse HEAD 2> /dev/null || true) GIT_COMMIT ?= $(if $(shell git status --porcelain --untracked-files=no),${COMMIT_NO}-dirty,${COMMIT_NO}) BUILD_INFO ?= $(shell date +%s) LIBPOD := ${PROJECT}/libpod -LDFLAGS_PODMAN ?= $(LDFLAGS) -X $(LIBPOD).gitCommit=$(GIT_COMMIT) -X $(LIBPOD).buildInfo=$(BUILD_INFO) +LDFLAGS_PODMAN ?= $(LDFLAGS) \ + -X $(LIBPOD).gitCommit=$(GIT_COMMIT) \ + -X $(LIBPOD).buildInfo=$(BUILD_INFO) \ + -X $(LIBPOD).installPrefix=$(PREFIX) \ + -X $(LIBPOD).etcDir=$(ETCDIR) ISODATE ?= $(shell date --iso-8601) #Update to LIBSECCOMP_COMMIT should reflect in Dockerfile too. LIBSECCOMP_COMMIT := release-2.3 @@ -262,54 +266,54 @@ changelog: ## Generate changelog install: .gopathok install.bin install.remote install.man install.cni install.systemd ## Install binaries to system locations install.remote: - install ${SELINUXOPT} -d -m 755 $(BINDIR) - install ${SELINUXOPT} -m 755 bin/podman-remote $(BINDIR)/podman-remote - test -z "${SELINUXOPT}" || chcon --verbose --reference=$(BINDIR)/podman bin/podman-remote + install ${SELINUXOPT} -d -m 755 $(DESTDIR)$(BINDIR) + install ${SELINUXOPT} -m 755 bin/podman-remote $(DESTDIR)$(BINDIR)/podman-remote + test -z "${SELINUXOPT}" || chcon --verbose --reference=$(DESTDIR)$(BINDIR)/podman bin/podman-remote install.bin: - install ${SELINUXOPT} -d -m 755 $(BINDIR) - install ${SELINUXOPT} -m 755 bin/podman $(BINDIR)/podman - test -z "${SELINUXOPT}" || chcon --verbose --reference=$(BINDIR)/podman bin/podman + install ${SELINUXOPT} -d -m 755 $(DESTDIR)$(BINDIR) + install ${SELINUXOPT} -m 755 bin/podman $(DESTDIR)$(BINDIR)/podman + test -z "${SELINUXOPT}" || chcon --verbose --reference=$(DESTDIR)$(BINDIR)/podman bin/podman install.man: docs - install ${SELINUXOPT} -d -m 755 $(MANDIR)/man1 - install ${SELINUXOPT} -d -m 755 $(MANDIR)/man5 - install ${SELINUXOPT} -m 644 $(filter %.1,$(MANPAGES)) -t $(MANDIR)/man1 - install ${SELINUXOPT} -m 644 $(filter %.5,$(MANPAGES)) -t $(MANDIR)/man5 - install ${SELINUXOPT} -m 644 docs/links/*1 -t $(MANDIR)/man1 + install ${SELINUXOPT} -d -m 755 $(DESTDIR)$(MANDIR)/man1 + install ${SELINUXOPT} -d -m 755 $(DESTDIR)$(MANDIR)/man5 + install ${SELINUXOPT} -m 644 $(filter %.1,$(MANPAGES)) -t $(DESTDIR)$(MANDIR)/man1 + install ${SELINUXOPT} -m 644 $(filter %.5,$(MANPAGES)) -t $(DESTDIR)$(MANDIR)/man5 + install ${SELINUXOPT} -m 644 docs/links/*1 -t $(DESTDIR)$(MANDIR)/man1 install.config: - install ${SELINUXOPT} -d -m 755 $(SHAREDIR_CONTAINERS) - install ${SELINUXOPT} -m 644 libpod.conf $(SHAREDIR_CONTAINERS)/libpod.conf - install ${SELINUXOPT} -m 644 seccomp.json $(SHAREDIR_CONTAINERS)/seccomp.json + install ${SELINUXOPT} -d -m 755 $(DESTDIR)$(SHAREDIR_CONTAINERS) + install ${SELINUXOPT} -m 644 libpod.conf $(DESTDIR)$(SHAREDIR_CONTAINERS)/libpod.conf + install ${SELINUXOPT} -m 644 seccomp.json $(DESTDIR)$(SHAREDIR_CONTAINERS)/seccomp.json install.completions: - install ${SELINUXOPT} -d -m 755 ${BASHINSTALLDIR} - install ${SELINUXOPT} -m 644 completions/bash/podman ${BASHINSTALLDIR} - install ${SELINUXOPT} -d -m 755 ${ZSHINSTALLDIR} - install ${SELINUXOPT} -m 644 completions/zsh/_podman ${ZSHINSTALLDIR} + install ${SELINUXOPT} -d -m 755 ${DESTDIR}${BASHINSTALLDIR} + install ${SELINUXOPT} -m 644 completions/bash/podman ${DESTDIR}${BASHINSTALLDIR} + install ${SELINUXOPT} -d -m 755 ${DESTDIR}${ZSHINSTALLDIR} + install ${SELINUXOPT} -m 644 completions/zsh/_podman ${DESTDIR}${ZSHINSTALLDIR} install.cni: - install ${SELINUXOPT} -d -m 755 ${ETCDIR}/cni/net.d/ - install ${SELINUXOPT} -m 644 cni/87-podman-bridge.conflist ${ETCDIR}/cni/net.d/87-podman-bridge.conflist + install ${SELINUXOPT} -d -m 755 ${DESTDIR}${ETCDIR}/cni/net.d/ + install ${SELINUXOPT} -m 644 cni/87-podman-bridge.conflist ${DESTDIR}${ETCDIR}/cni/net.d/87-podman-bridge.conflist install.docker: docker-docs - install ${SELINUXOPT} -d -m 755 $(BINDIR) $(MANDIR)/man1 - install ${SELINUXOPT} -m 755 docker $(BINDIR)/docker - install ${SELINUXOPT} -m 644 docs/docker*.1 -t $(MANDIR)/man1 + install ${SELINUXOPT} -d -m 755 $(DESTDIR)$(BINDIR) $(DESTDIR)$(MANDIR)/man1 + install ${SELINUXOPT} -m 755 docker $(DESTDIR)$(BINDIR)/docker + install ${SELINUXOPT} -m 644 docs/docker*.1 -t $(DESTDIR)$(MANDIR)/man1 install.systemd: - install ${SELINUXOPT} -m 755 -d ${SYSTEMDDIR} ${TMPFILESDIR} - install ${SELINUXOPT} -m 644 contrib/varlink/io.podman.socket ${SYSTEMDDIR}/io.podman.socket - install ${SELINUXOPT} -m 644 contrib/varlink/io.podman.service ${SYSTEMDDIR}/io.podman.service - install ${SELINUXOPT} -m 644 contrib/varlink/podman.conf ${TMPFILESDIR}/podman.conf + install ${SELINUXOPT} -m 755 -d ${DESTDIR}${SYSTEMDDIR} ${DESTDIR}${TMPFILESDIR} + install ${SELINUXOPT} -m 644 contrib/varlink/io.podman.socket ${DESTDIR}${SYSTEMDDIR}/io.podman.socket + install ${SELINUXOPT} -m 644 contrib/varlink/io.podman.service ${DESTDIR}${SYSTEMDDIR}/io.podman.service + install ${SELINUXOPT} -m 644 contrib/varlink/podman.conf ${DESTDIR}${TMPFILESDIR}/podman.conf uninstall: for i in $(filter %.1,$(MANPAGES)); do \ - rm -f $(MANDIR)/man1/$$(basename $${i}); \ + rm -f $(DESTDIR)$(MANDIR)/man1/$$(basename $${i}); \ done; \ for i in $(filter %.5,$(MANPAGES)); do \ - rm -f $(MANDIR)/man5/$$(basename $${i}); \ + rm -f $(DESTDIR)$(MANDIR)/man5/$$(basename $${i}); \ done .PHONY: .gitvalidation @@ -5,7 +5,7 @@ Libpod provides a library for applications looking to use the Container Pod concept, popularized by Kubernetes. Libpod also contains the Pod Manager tool `(Podman)`. Podman manages pods, containers, container images, and container volumes. -* [Latest Version: 1.3.1](https://github.com/containers/libpod/releases/latest) +* [Latest Version: 1.4.0](https://github.com/containers/libpod/releases/latest) * [Continuous Integration:](contrib/cirrus/README.md) [](https://cirrus-ci.com/github/containers/libpod/master) ## Overview and scope diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index 5eb85d0bc..d5717f7db 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md @@ -1,5 +1,57 @@ # Release Notes +## 1.4.1 +### Features +- The `podman exec` command now sets its error code differently based on whether the container does not exist, and the command in the container does not exist +- The `podman inspect` command on containers now outputs Mounts JSON that matches that of `docker inspect`, only including user-specified volumes and differentiating bind mounts and named volumes +- The `podman inspect` command now reports the path to a container's OCI spec with the `OCIConfigPath` key (only included when the container is initialized or running) +- The `podman run --mount` command now supports the `bind-nonrecursive` option for bind mounts ([#3314](https://github.com/containers/libpod/issues/3314)) + +### Bugfixes +- Fixed a bug where `podman play kube` would fail to create containers due to an unspecified log driver +- Fixed a bug where Podman would fail to build with [musl libc](https://www.musl-libc.org/) ([#3284](https://github.com/containers/libpod/issues/3284)) +- Fixed a bug where rootless Podman using `slirp4netns` networking in an environment with no nameservers on the host other than localhost would result in nonfunctional networking ([#3277](https://github.com/containers/libpod/issues/3277)) +- Fixed a bug where `podman import` would not properly set environment variables, discarding their values and retaining only keys +- Fixed a bug where Podman would fail to run when built with Apparmor support but run on systems without the Apparmor kernel module loaded ([#3331](https://github.com/containers/libpod/issues/3331)) + +### Misc +- Remote Podman will now default the username it uses to log in to remote systems to the username of the current user +- Podman now uses JSON logging with OCI runtimes that support it, allowing for better error reporting +- Updated vendored Buildah to v1.8.4 +- Updated vendored containers/image to v2.0 + +## 1.4.0 +### Features +- The `podman checkpoint` and `podman restore` commands can now be used to migrate containers between Podman installations on different systems ([#1618](https://github.com/containers/libpod/issues/1618)) +- The `podman cp` command now supports a `pause` flag to pause containers while copying into them +- The remote client now supports a configuration file for pre-configuring connections to remote Podman installations + +### Bugfixes +- Fixed CVE-2019-10152 - The `podman cp` command improperly dereferenced symlinks in host context +- Fixed a bug where `podman commit` could improperly set environment variables that contained `=` characters ([#3132](https://github.com/containers/libpod/issues/3132)) +- Fixed a bug where rootless Podman would sometimes fail to start containers with forwarded ports ([#2942](https://github.com/containers/libpod/issues/2942)) +- Fixed a bug where `podman version` on the remote client could segfault ([#3145](https://github.com/containers/libpod/issues/3145)) +- Fixed a bug where `podman container runlabel` would use `/proc/self/exe` instead of the path of the Podman command when printing the command being executed +- Fixed a bug where filtering images by label did not work ([#3163](https://github.com/containers/libpod/issues/3163)) +- Fixed a bug where specifying a bing mount or tmpfs mount over an image volume would cause a container to be unable to start ([#3174](https://github.com/containers/libpod/issues/3174)) +- Fixed a bug where `podman generate kube` did not work with containers with named volumes +- Fixed a bug where rootless Podman would receive `permission denied` errors accessing `conmon.pid` ([#3187](https://github.com/containers/libpod/issues/3187)) +- Fixed a bug where `podman cp` with a folder specified as target would replace the folder, as opposed to copying into it ([#3184](https://github.com/containers/libpod/issues/3184)) +- Fixed a bug where rootless Podman commands could double-unlock a lock, causing a crash ([#3207](https://github.com/containers/libpod/issues/3207)) +- Fixed a bug where Podman incorrectly set `tmpcopyup` on `/dev/` mounts, causing errors when using the Kata containers runtime ([#3229](https://github.com/containers/libpod/issues/3229)) +- Fixed a bug where `podman exec` would fail on older kernels ([#2968](https://github.com/containers/libpod/issues/2968)) + +### Misc +- The `podman inspect` command on containers now uses the `Id` key (instead of `ID`) for the container's ID, for better compatability with the output of `docker inspect` +- The `podman commit` command is now usable with the Podman remote client +- The `--signature-policy` flag (used with several image-related commands) has been deprecated +- The `podman unshare` command now defines two environment variables in the spawned shell: `CONTAINERS_RUNROOT` and `CONTAINERS_GRAPHROOT`, pointing to temporary and permanent storage for rootless containers +- Updated vendored containers/storage and containers/image libraries with numerous bugfixes +- Updated vendored Buildah to v1.8.3 +- Podman now requires [Conmon v0.2.0](https://github.com/containers/conmon/releases/tag/v0.2.0) +- The `podman cp` command is now aliased as `podman container cp` +- Rootless Podman will now default `init_path` using root Podman's configuration files (`/etc/containers/libpod.conf` and `/usr/share/containers/libpod.conf`) if not overridden in the rootless configuration + ## 1.3.1 ### Features - The `podman cp` command can now read input redirected to `STDIN`, and output to `STDOUT` instead of a file, using `-` instead of an argument. diff --git a/changelog.txt b/changelog.txt index ec0a62f26..3b1260c90 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,3 +1,187 @@ +- Changelog for v1.4.1 (2019-06-14) + * Completely disable global options test + * Update release notes for 1.4.1 + * Skip runlabel global options test for podman-in-podman + * pkg/apparmor: fix when AA is disabled + * Fix ENV parsing on `podman import` + * Fix storage-opts type in Cobra + * Use the logical registry location instead of the physical one in (podman info) + * Update containers/image to v2.0.0, and buildah to v1.8.4 + * Document exit codes for podman exec + * Add --storage flag to 'podman rm' (local only) + * When creating exit command, pass storage options on + * Bump cirrus images + * Mention the new Podman mailing list in contributing.md + * Update 1.4.0 release notes with ID -> Id in inspect + * Bump conmon to 0.3.0 + * Cirrus: Guarantee ssh is running for rootless + * Purge all use of easyjson and ffjson in libpod + * Split mount options in inspect further + * storage: support --mount type=bind,bind-nonrecursive + * oci: allow to specify what runtimes support JSON + * storage: fix typo + * oci: use json formatted errors from the runtime + * Make Inspect's mounts struct accurate to Docker + * Provide OCI spec path in `podman inspect` output + * If container is not in correct state podman exec should exit with 126 + * rootless: use the slirp4netns builtin DNS first + * Add --filename option to generate kube + * Fix podman-remote to user default username + * Prohibit use of positional args with --import + * BATS tests - get working again + * Add a test for 'podman play kube' to prevent regression + * Cirrus: New images w/o buildah + * Remove source-built buildah from CI + * standardize documentation formatting + * Touchup upstream Dockerfile + * only set log driver if it isn't empty + * Fix cgo includes for musl + * When you change the storage driver we ignore the storage-options + * Update vendor on containers/storage to v1.12.10 + * Bump gitvalidation epoch + * Bump to v1.4.1-dev + * Default 'pause' to false for 'podman cp' + * Update c/storage to 9b10041d7b2ef767ce9c42b5862b6c51eeb82214 + * Fix spelling + * fix tutorial link to install.md + * Cirrus: Minor cleanup of dependencies and docs + * Begin to break up pkg/inspect + * docs: Add CI section and links + +- Changelog for v1.4.0 (2019-06-07) + * Update release notes for v1.4.0 + * Update release notes for v1.4.0 + * Disable a very badly flaking healthcheck test + * rootless: skip NS_GET_PARENT on old kernels + * Cirrus: Track VM Image calling GCE project + * remove -c for podman remote global options + * Vendor Buildah v1.8.3 + * Cirrus: Disable testing on F28 (EOL) + * migration: add possibility to restore a container with a new name + * Inherit rootless init_path from system libpod.conf + * Also download container images during restore + * Include container migration into tutorial + * Add man-pages for container migration + * Added bash completion for container migration + * Add test case for container migration + * Added support to migrate containers + * Added helper functions for container migration + * Fix restore options help text and comments + * fix timing issues with some tests + * pkg/varlinkapi/virtwriter/virtwriter.go: simplify func Reader + * rootless: block signals on re-exec + * cirrus: minor cleanup and refactoring + * manpage: podman-tool table: un-confuse version and varlink + * Create Dockerfiles for podmanimage + * rootless: use TEMP_FAILURE_RETRY macro + * rootless: fix return type + * rootless: make sure the buffer is NUL terminated + * split rootless local and remote testing + * Fix podman cp test by reordering operations + * Small fix to readme to force tests to run + * Do not set tmpcopyup on /dev + * do not run remote tests inside container + * podman remote-client commit + * Fix podman cp tests + * podman-remote.conf enablement + * Error when trying to copy into a running rootless ctr + * rootless: skip check fo /etc/containers/registries.conf + * We can't pause rootless containers during cp + * Fix bug in e2e tests for podman cp + * Tolerate non-running containers in paused cp + * Add test to ensure symlinks are resolved in ctr scope + * Add --pause to podman cp manpage and bash completions + * Pause containers while copying into them + * Use securejoin to merge paths in `podman cp` + * use imagecaches for local tests + * add dns flags to docs + * add missing container cp command + * Podman logs man page shouldn't include timestamps + * Fix the varlink upgraded calls + * hack: support setting local region/zone + * document missing container update command + * Add --follow to journald ctr logging + * Address comments + * Implement podman logs with log-driver journald + * bump go-systemd version + * Added --log-driver and journald logging + * Update completions and docs to use k8s file as log driver + * bump conmon to v0.2.0 + * runtime: unlock the alive lock only once + * rootless: make JoinUserAndMountNS private + * Revert "rootless: change default path for conmon.pid" + * rootless: enable loginctl linger + * rootless: new function to join existing conmon processes + * rootless: block signals for pause + * Update install.md ostree Debian dependencies. + * fix bug dest path of copying tar + * podman: honor env variable PODMAN_USERNS + * userns: add new option --userns=keep-id + * warn when --security-opt and --privileged + * baseline tests: apparmor with --privileged + * rootless: store also the original GID in the host + * Fix a potential flake in the tests for podman cp + * cirrus: update images w/ zip pkg + * Cirrus: Add zip package to images + * rootless: fix top huser and hgroup + * vendor: update psgo to v1.3.0 + * apparmor: don't load/set profile in privileged mode + * hack: ignore from all VCS files when tarballing + * hack: shrink xfer tarball size + * hack: Display IP address of VM from script + * document nullable types + * Add test cases for login and logout + * Remove unused return statement in kube volume code + * Fix play kube when a pod is specified + * Fix a 'generate kube' bug on ctrs with named volumes + * Add test for image volume conflict with user volume + * Cirrus: Fix missing CRIO_COMMIT -> CONMON_COMMIT + * When superceding mounts, check for opposite types + * make remote resize channel buffered + * Cirrus: workaround root expand failure + * Cirrus: Stub in F30 support + * Cirrus: fixups based on review feedback + * Cirrus: Overhaul/Simplify env. var setup + * Cirrus: Run tests on test-built cache-images + * Cirrus: Support testing of VM cache-image changes + * Cirrus: Remove "too new" runc hack + * libpod: prefer WaitForFile to polling + * Remove conmon from fedora install instructions + * rootless: force resources to be nil on cgroup v1 + * Fixup Flags + * Minor fix filtering images by label + * container: move channel close to its writer + * util: fix race condition in WaitForFile + * Update vendor of buildah and containers/images + * Add Jhon Honce (@jwhonce on github) to OWNERS + * Don't set apparmor if --priviliged + * docs/libpod.conf.5: Add "have" to "higher precedence" typo + * Output name of process on runlabel command + * Minor fix splitting env vars in podman-commit + * Fixup conmon documentation + * troubleshooting.md: add note about updating subuid/subgid + * system: migrate stops the pause process + * rootless: join namespace immediately when possible + * rootless: use a pause process + * migrate: not create a new namespace + * install.remote should be separate for install.bin + * Cirrus: Confirm networking is working + * Use containers/conmon + * Fix a typo in release notes, and bump README version + * s|kubernetes-sigs/cri-o|cri-o/cri-o|g + * Bump github.com/containers/storage to v1.12.7 + * remote: version: fix nil dereference + * Bump gitvalidation epoch + * Bump to v1.3.2-dev + * Add connection information to podman-remote info + * unshare: define CONTAINERS_GRAPHROOT and CONTAINERS_RUNROOT + * Touchup run man page + * unshare: use rootless from libpod + * Replace root-based rootless tests + * rootless: default --cgroup-manager=systemd in unified mode + * create: skip resources validation with cgroup v2 + * rootless, spec: allow resources with cgroup v2 + - Changelog for v1.3.1 (2019-05-16) * More release notes * Add unshare to podman diff --git a/cmd/podman/checkpoint.go b/cmd/podman/checkpoint.go index 234d683bb..86bc8b973 100644 --- a/cmd/podman/checkpoint.go +++ b/cmd/podman/checkpoint.go @@ -46,6 +46,7 @@ func init() { flags.BoolVar(&checkpointCommand.TcpEstablished, "tcp-established", false, "Checkpoint a container with established TCP connections") flags.BoolVarP(&checkpointCommand.All, "all", "a", false, "Checkpoint all running containers") flags.BoolVarP(&checkpointCommand.Latest, "latest", "l", false, "Act on the latest container podman is aware of") + flags.StringVarP(&checkpointCommand.Export, "export", "e", "", "Export the checkpoint image to a tar.gz") markFlagHiddenForRemoteClient("latest", flags) } @@ -64,6 +65,7 @@ func checkpointCmd(c *cliconfig.CheckpointValues) error { Keep: c.Keep, KeepRunning: c.LeaveRunning, TCPEstablished: c.TcpEstablished, + TargetFile: c.Export, } return runtime.Checkpoint(c, options) } diff --git a/cmd/podman/cliconfig/config.go b/cmd/podman/cliconfig/config.go index aaa4513d8..4a4c839cc 100644 --- a/cmd/podman/cliconfig/config.go +++ b/cmd/podman/cliconfig/config.go @@ -33,9 +33,11 @@ type MainFlags struct { LogLevel string TmpDir string - RemoteUserName string - RemoteHost string - VarlinkAddress string + RemoteUserName string + RemoteHost string + VarlinkAddress string + ConnectionName string + RemoteConfigFilePath string } type AttachValues struct { @@ -89,6 +91,7 @@ type CheckpointValues struct { TcpEstablished bool All bool Latest bool + Export string } type CommitValues struct { @@ -142,7 +145,8 @@ type ExportValues struct { } type GenerateKubeValues struct { PodmanCommand - Service bool + Service bool + Filename string } type GenerateSystemdValues struct { @@ -426,6 +430,8 @@ type RestoreValues struct { Keep bool Latest bool TcpEstablished bool + Import string + Name string } type RmValues struct { @@ -433,6 +439,7 @@ type RmValues struct { All bool Force bool Latest bool + Storage bool Volumes bool } diff --git a/cmd/podman/cp.go b/cmd/podman/cp.go index 907bde4b9..a9418e6e0 100644 --- a/cmd/podman/cp.go +++ b/cmd/podman/cp.go @@ -51,7 +51,7 @@ func init() { cpCommand.Command = _cpCommand flags := cpCommand.Flags() flags.BoolVar(&cpCommand.Extract, "extract", false, "Extract the tar file into the destination directory.") - flags.BoolVar(&cpCommand.Pause, "pause", true, "Pause the container while copying") + flags.BoolVar(&cpCommand.Pause, "pause", false, "Pause the container while copying") cpCommand.SetHelpTemplate(HelpTemplate()) cpCommand.SetUsageTemplate(UsageTemplate()) rootCmd.AddCommand(cpCommand.Command) @@ -145,7 +145,19 @@ func copyBetweenHostAndContainer(runtime *libpod.Runtime, src string, dest strin var glob []string if isFromHostToCtr { - if filepath.IsAbs(destPath) { + if isVol, volDestName, volName := isVolumeDestName(destPath, ctr); isVol { + path, err := pathWithVolumeMount(ctr, runtime, volDestName, volName, destPath) + if err != nil { + return errors.Wrapf(err, "error getting destination path from volume %s", volDestName) + } + destPath = path + } else if isBindMount, mount := isBindMountDestName(destPath, ctr); isBindMount { + path, err := pathWithBindMountSource(mount, destPath) + if err != nil { + return errors.Wrapf(err, "error getting destination path from bind mount %s", mount.Destination) + } + destPath = path + } else if filepath.IsAbs(destPath) { cleanedPath, err := securejoin.SecureJoin(mountPoint, destPath) if err != nil { return err @@ -166,7 +178,19 @@ func copyBetweenHostAndContainer(runtime *libpod.Runtime, src string, dest strin destPath = cleanedPath } } else { - if filepath.IsAbs(srcPath) { + if isVol, volDestName, volName := isVolumeDestName(srcPath, ctr); isVol { + path, err := pathWithVolumeMount(ctr, runtime, volDestName, volName, srcPath) + if err != nil { + return errors.Wrapf(err, "error getting source path from volume %s", volDestName) + } + srcPath = path + } else if isBindMount, mount := isBindMountDestName(srcPath, ctr); isBindMount { + path, err := pathWithBindMountSource(mount, srcPath) + if err != nil { + return errors.Wrapf(err, "error getting source path from bind moutn %s", mount.Destination) + } + srcPath = path + } else if filepath.IsAbs(srcPath) { cleanedPath, err := securejoin.SecureJoin(mountPoint, srcPath) if err != nil { return err @@ -211,7 +235,7 @@ func copyBetweenHostAndContainer(runtime *libpod.Runtime, src string, dest strin } func getUser(mountPoint string, userspec string) (specs.User, error) { - uid, gid, err := chrootuser.GetUser(mountPoint, userspec) + uid, gid, _, err := chrootuser.GetUser(mountPoint, userspec) u := specs.User{ UID: uid, GID: gid, @@ -407,3 +431,72 @@ func streamFileToStdout(srcPath string, srcfi os.FileInfo) error { } return nil } + +func isVolumeDestName(path string, ctr *libpod.Container) (bool, string, string) { + separator := string(os.PathSeparator) + if filepath.IsAbs(path) { + path = strings.TrimPrefix(path, separator) + } + if path == "" { + return false, "", "" + } + for _, vol := range ctr.Config().NamedVolumes { + volNamePath := strings.TrimPrefix(vol.Dest, separator) + if matchVolumePath(path, volNamePath) { + return true, vol.Dest, vol.Name + } + } + return false, "", "" +} + +// if SRCPATH or DESTPATH is from volume mount's destination -v or --mount type=volume, generates the path with volume mount point +func pathWithVolumeMount(ctr *libpod.Container, runtime *libpod.Runtime, volDestName, volName, path string) (string, error) { + destVolume, err := runtime.GetVolume(volName) + if err != nil { + return "", errors.Wrapf(err, "error getting volume destination %s", volName) + } + if !filepath.IsAbs(path) { + path = filepath.Join(string(os.PathSeparator), path) + } + path, err = securejoin.SecureJoin(destVolume.MountPoint(), strings.TrimPrefix(path, volDestName)) + return path, err +} + +func isBindMountDestName(path string, ctr *libpod.Container) (bool, specs.Mount) { + separator := string(os.PathSeparator) + if filepath.IsAbs(path) { + path = strings.TrimPrefix(path, string(os.PathSeparator)) + } + if path == "" { + return false, specs.Mount{} + } + for _, m := range ctr.Config().Spec.Mounts { + if m.Type != "bind" { + continue + } + mDest := strings.TrimPrefix(m.Destination, separator) + if matchVolumePath(path, mDest) { + return true, m + } + } + return false, specs.Mount{} +} + +func matchVolumePath(path, target string) bool { + pathStr := filepath.Clean(path) + target = filepath.Clean(target) + for len(pathStr) > len(target) && strings.Contains(pathStr, string(os.PathSeparator)) { + pathStr = pathStr[:strings.LastIndex(pathStr, string(os.PathSeparator))] + } + if pathStr == target { + return true + } + return false +} + +func pathWithBindMountSource(m specs.Mount, path string) (string, error) { + if !filepath.IsAbs(path) { + path = filepath.Join(string(os.PathSeparator), path) + } + return securejoin.SecureJoin(m.Source, strings.TrimPrefix(path, m.Destination)) +} diff --git a/cmd/podman/exec.go b/cmd/podman/exec.go index deff44a92..0684da842 100644 --- a/cmd/podman/exec.go +++ b/cmd/podman/exec.go @@ -125,5 +125,10 @@ func execCmd(c *cliconfig.ExecValues) error { streams.AttachError = true streams.AttachInput = true - return ctr.Exec(c.Tty, c.Privileged, envs, cmd, c.User, c.Workdir, streams, c.PreserveFDs) + err = ctr.Exec(c.Tty, c.Privileged, envs, cmd, c.User, c.Workdir, streams, c.PreserveFDs) + if errors.Cause(err) == libpod.ErrCtrStateInvalid { + exitCode = 126 + } + + return err } diff --git a/cmd/podman/generate_kube.go b/cmd/podman/generate_kube.go index 318dd0771..3969e3132 100644 --- a/cmd/podman/generate_kube.go +++ b/cmd/podman/generate_kube.go @@ -2,6 +2,9 @@ package main import ( "fmt" + "io/ioutil" + "os" + "github.com/containers/libpod/cmd/podman/cliconfig" "github.com/containers/libpod/pkg/adapter" podmanVersion "github.com/containers/libpod/version" @@ -37,6 +40,7 @@ func init() { containerKubeCommand.SetUsageTemplate(UsageTemplate()) flags := containerKubeCommand.Flags() flags.BoolVarP(&containerKubeCommand.Service, "service", "s", false, "Generate YAML for kubernetes service object") + flags.StringVarP(&containerKubeCommand.Filename, "filename", "f", "", "Filename to output to") } func generateKubeYAMLCmd(c *cliconfig.GenerateKubeValues) error { @@ -88,8 +92,19 @@ func generateKubeYAMLCmd(c *cliconfig.GenerateKubeValues) error { output = append(output, []byte("---\n")...) output = append(output, marshalledService...) } - // Output the v1.Pod with the v1.Container - fmt.Println(string(output)) + + if c.Filename != "" { + if _, err := os.Stat(c.Filename); err == nil { + return errors.Errorf("cannot write to %q - file exists", c.Filename) + } + + if err := ioutil.WriteFile(c.Filename, output, 0644); err != nil { + return err + } + } else { + // Output the v1.Pod with the v1.Container + fmt.Println(string(output)) + } return nil } diff --git a/cmd/podman/libpodruntime/runtime.go b/cmd/podman/libpodruntime/runtime.go index 898c81515..d83a71250 100644 --- a/cmd/podman/libpodruntime/runtime.go +++ b/cmd/podman/libpodruntime/runtime.go @@ -67,7 +67,10 @@ func getRuntime(ctx context.Context, c *cliconfig.PodmanCommand, renumber bool, if c.Flags().Changed("storage-driver") { storageSet = true storageOpts.GraphDriverName = c.GlobalFlags.StorageDriver + // Overriding the default storage driver caused GraphDriverOptions from storage.conf to be ignored + storageOpts.GraphDriverOptions = []string{} } + // This should always be checked after storage-driver is checked if len(c.GlobalFlags.StorageOpts) > 0 { storageSet = true storageOpts.GraphDriverOptions = c.GlobalFlags.StorageOpts diff --git a/cmd/podman/main.go b/cmd/podman/main.go index a149a47f9..cbca32cc8 100644 --- a/cmd/podman/main.go +++ b/cmd/podman/main.go @@ -104,6 +104,9 @@ func before(cmd *cobra.Command, args []string) error { logrus.Errorf(err.Error()) os.Exit(1) } + if err := setSyslog(); err != nil { + return err + } if err := setupRootless(cmd, args); err != nil { return err } diff --git a/cmd/podman/main_local.go b/cmd/podman/main_local.go index b4f21bd0c..132f35ab5 100644 --- a/cmd/podman/main_local.go +++ b/cmd/podman/main_local.go @@ -48,7 +48,7 @@ func init() { rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.Runtime, "runtime", "", "Path to the OCI-compatible binary used to run containers, default is /usr/bin/runc") // -s is depracated due to conflict with -s on subcommands rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.StorageDriver, "storage-driver", "", "Select which storage driver is used to manage storage of images and containers (default is overlay)") - rootCmd.PersistentFlags().StringSliceVar(&MainGlobalOpts.StorageOpts, "storage-opt", []string{}, "Used to pass an option to the storage driver") + rootCmd.PersistentFlags().StringArrayVar(&MainGlobalOpts.StorageOpts, "storage-opt", []string{}, "Used to pass an option to the storage driver") rootCmd.PersistentFlags().BoolVar(&MainGlobalOpts.Syslog, "syslog", false, "Output logging information to syslog as well as the console") rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.TmpDir, "tmpdir", "", "Path to the tmp directory") diff --git a/cmd/podman/main_remote.go b/cmd/podman/main_remote.go index c8bb3ad3e..1b9430e92 100644 --- a/cmd/podman/main_remote.go +++ b/cmd/podman/main_remote.go @@ -3,13 +3,21 @@ package main import ( + "os/user" + "github.com/spf13/cobra" ) const remote = true func init() { - rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.RemoteUserName, "username", "", "username on the remote host") + var username string + if curruser, err := user.Current(); err == nil { + username = curruser.Username + } + rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.ConnectionName, "connection", "", "remote connection name") + rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.RemoteConfigFilePath, "remote-config-path", "", "alternate path for configuration file") + rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.RemoteUserName, "username", username, "username on the remote host") rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.RemoteHost, "remote-host", "", "remote host") // TODO maybe we allow the altering of this for bridge connections? //rootCmd.PersistentFlags().StringVar(&MainGlobalOpts.VarlinkAddress, "varlink-address", adapter.DefaultAddress, "address of the varlink socket") diff --git a/cmd/podman/remoteclientconfig/config.go b/cmd/podman/remoteclientconfig/config.go new file mode 100644 index 000000000..01f293ec3 --- /dev/null +++ b/cmd/podman/remoteclientconfig/config.go @@ -0,0 +1,21 @@ +package remoteclientconfig + +const remoteConfigFileName string = "podman-remote.conf" + +// RemoteConfig describes the podman remote configuration file +type RemoteConfig struct { + Connections map[string]RemoteConnection +} + +// RemoteConnection describes the attributes of a podman-remote endpoint +type RemoteConnection struct { + Destination string `toml:"destination"` + Username string `toml:"username"` + IsDefault bool `toml:"default"` +} + +// GetConfigFilePath is a simple helper to export the configuration file's +// path based on arch, etc +func GetConfigFilePath() string { + return getConfigFilePath() +} diff --git a/cmd/podman/remoteclientconfig/config_darwin.go b/cmd/podman/remoteclientconfig/config_darwin.go new file mode 100644 index 000000000..b94941381 --- /dev/null +++ b/cmd/podman/remoteclientconfig/config_darwin.go @@ -0,0 +1,12 @@ +package remoteclientconfig + +import ( + "path/filepath" + + "github.com/docker/docker/pkg/homedir" +) + +func getConfigFilePath() string { + homeDir := homedir.Get() + return filepath.Join(homeDir, ".config", "containers", remoteConfigFileName) +} diff --git a/cmd/podman/remoteclientconfig/config_linux.go b/cmd/podman/remoteclientconfig/config_linux.go new file mode 100644 index 000000000..b94941381 --- /dev/null +++ b/cmd/podman/remoteclientconfig/config_linux.go @@ -0,0 +1,12 @@ +package remoteclientconfig + +import ( + "path/filepath" + + "github.com/docker/docker/pkg/homedir" +) + +func getConfigFilePath() string { + homeDir := homedir.Get() + return filepath.Join(homeDir, ".config", "containers", remoteConfigFileName) +} diff --git a/cmd/podman/remoteclientconfig/config_windows.go b/cmd/podman/remoteclientconfig/config_windows.go new file mode 100644 index 000000000..fa6ffca63 --- /dev/null +++ b/cmd/podman/remoteclientconfig/config_windows.go @@ -0,0 +1,12 @@ +package remoteclientconfig + +import ( + "path/filepath" + + "github.com/docker/docker/pkg/homedir" +) + +func getConfigFilePath() string { + homeDir := homedir.Get() + return filepath.Join(homeDir, "AppData", "podman", remoteConfigFileName) +} diff --git a/cmd/podman/remoteclientconfig/configfile.go b/cmd/podman/remoteclientconfig/configfile.go new file mode 100644 index 000000000..aa3e82a31 --- /dev/null +++ b/cmd/podman/remoteclientconfig/configfile.go @@ -0,0 +1,62 @@ +package remoteclientconfig + +import ( + "io" + + "github.com/BurntSushi/toml" + "github.com/pkg/errors" +) + +// ReadRemoteConfig takes an io.Reader representing the remote configuration +// file and returns a remoteconfig +func ReadRemoteConfig(reader io.Reader) (*RemoteConfig, error) { + var remoteConfig RemoteConfig + // the configuration file does not exist + if reader == nil { + return &remoteConfig, ErrNoConfigationFile + } + _, err := toml.DecodeReader(reader, &remoteConfig) + if err != nil { + return nil, err + } + // We need to validate each remote connection has fields filled out + for name, conn := range remoteConfig.Connections { + if len(conn.Destination) < 1 { + return nil, errors.Errorf("connection %s has no destination defined", name) + } + } + return &remoteConfig, err +} + +// GetDefault returns the default RemoteConnection. If there is only one +// connection, we assume it is the default as well +func (r *RemoteConfig) GetDefault() (*RemoteConnection, error) { + if len(r.Connections) == 0 { + return nil, ErrNoDefinedConnections + } + for _, v := range r.Connections { + if len(r.Connections) == 1 { + // if there is only one defined connection, we assume it is + // the default whether tagged as such or not + return &v, nil + } + if v.IsDefault { + return &v, nil + } + } + return nil, ErrNoDefaultConnection +} + +// GetRemoteConnection "looks up" a remote connection by name and returns it in the +// form of a RemoteConnection +func (r *RemoteConfig) GetRemoteConnection(name string) (*RemoteConnection, error) { + if len(r.Connections) == 0 { + return nil, ErrNoDefinedConnections + } + for k, v := range r.Connections { + if k == name { + return &v, nil + } + } + return nil, errors.Wrap(ErrConnectionNotFound, name) +} diff --git a/cmd/podman/remoteclientconfig/configfile_test.go b/cmd/podman/remoteclientconfig/configfile_test.go new file mode 100644 index 000000000..66e0a4693 --- /dev/null +++ b/cmd/podman/remoteclientconfig/configfile_test.go @@ -0,0 +1,201 @@ +package remoteclientconfig + +import ( + "io" + "reflect" + "strings" + "testing" +) + +var goodConfig = ` +[connections] + +[connections.homer] +destination = "192.168.1.1" +username = "myuser" +default = true + +[connections.bart] +destination = "foobar.com" +username = "root" +` +var noDest = ` +[connections] + +[connections.homer] +destination = "192.168.1.1" +username = "myuser" +default = true + +[connections.bart] +username = "root" +` + +var noUser = ` +[connections] + +[connections.homer] +destination = "192.168.1.1" +` + +func makeGoodResult() *RemoteConfig { + var goodConnections = make(map[string]RemoteConnection) + goodConnections["homer"] = RemoteConnection{ + Destination: "192.168.1.1", + Username: "myuser", + IsDefault: true, + } + goodConnections["bart"] = RemoteConnection{ + Destination: "foobar.com", + Username: "root", + } + var goodResult = RemoteConfig{ + Connections: goodConnections, + } + return &goodResult +} + +func makeNoUserResult() *RemoteConfig { + var goodConnections = make(map[string]RemoteConnection) + goodConnections["homer"] = RemoteConnection{ + Destination: "192.168.1.1", + } + var goodResult = RemoteConfig{ + Connections: goodConnections, + } + return &goodResult +} + +func TestReadRemoteConfig(t *testing.T) { + type args struct { + reader io.Reader + } + tests := []struct { + name string + args args + want *RemoteConfig + wantErr bool + }{ + // good test should pass + {"good", args{reader: strings.NewReader(goodConfig)}, makeGoodResult(), false}, + // a connection with no destination is an error + {"nodest", args{reader: strings.NewReader(noDest)}, nil, true}, + // a connnection with no user is OK + {"nouser", args{reader: strings.NewReader(noUser)}, makeNoUserResult(), false}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := ReadRemoteConfig(tt.args.reader) + if (err != nil) != tt.wantErr { + t.Errorf("ReadRemoteConfig() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("ReadRemoteConfig() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestRemoteConfig_GetDefault(t *testing.T) { + good := make(map[string]RemoteConnection) + good["homer"] = RemoteConnection{ + Username: "myuser", + Destination: "192.168.1.1", + IsDefault: true, + } + good["bart"] = RemoteConnection{ + Username: "root", + Destination: "foobar.com", + } + noDefault := make(map[string]RemoteConnection) + noDefault["homer"] = RemoteConnection{ + Username: "myuser", + Destination: "192.168.1.1", + } + noDefault["bart"] = RemoteConnection{ + Username: "root", + Destination: "foobar.com", + } + single := make(map[string]RemoteConnection) + single["homer"] = RemoteConnection{ + Username: "myuser", + Destination: "192.168.1.1", + } + + none := make(map[string]RemoteConnection) + + type fields struct { + Connections map[string]RemoteConnection + } + tests := []struct { + name string + fields fields + want *RemoteConnection + wantErr bool + }{ + // A good toml should return the connection that is marked isDefault + {"good", fields{Connections: makeGoodResult().Connections}, &RemoteConnection{"192.168.1.1", "myuser", true}, false}, + // If nothing is marked as isDefault and there is more than one connection, error should occur + {"nodefault", fields{Connections: noDefault}, nil, true}, + // if nothing is marked as isDefault but there is only one connection, the one connection is considered the default + {"single", fields{Connections: none}, nil, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := &RemoteConfig{ + Connections: tt.fields.Connections, + } + got, err := r.GetDefault() + if (err != nil) != tt.wantErr { + t.Errorf("RemoteConfig.GetDefault() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("RemoteConfig.GetDefault() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestRemoteConfig_GetRemoteConnection(t *testing.T) { + type fields struct { + Connections map[string]RemoteConnection + } + type args struct { + name string + } + + blank := make(map[string]RemoteConnection) + tests := []struct { + name string + fields fields + args args + want *RemoteConnection + wantErr bool + }{ + // Good connection + {"goodhomer", fields{Connections: makeGoodResult().Connections}, args{name: "homer"}, &RemoteConnection{"192.168.1.1", "myuser", true}, false}, + // Good connection + {"goodbart", fields{Connections: makeGoodResult().Connections}, args{name: "bart"}, &RemoteConnection{"foobar.com", "root", false}, false}, + // Getting an unknown connection should result in error + {"noexist", fields{Connections: makeGoodResult().Connections}, args{name: "foobar"}, nil, true}, + // Getting a connection when there are none should result in an error + {"none", fields{Connections: blank}, args{name: "foobar"}, nil, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := &RemoteConfig{ + Connections: tt.fields.Connections, + } + got, err := r.GetRemoteConnection(tt.args.name) + if (err != nil) != tt.wantErr { + t.Errorf("RemoteConfig.GetRemoteConnection() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("RemoteConfig.GetRemoteConnection() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/cmd/podman/remoteclientconfig/errors.go b/cmd/podman/remoteclientconfig/errors.go new file mode 100644 index 000000000..2689d3b49 --- /dev/null +++ b/cmd/podman/remoteclientconfig/errors.go @@ -0,0 +1,14 @@ +package remoteclientconfig + +import "errors" + +var ( + // ErrNoDefaultConnection no default connection is defined in the podman-remote.conf file + ErrNoDefaultConnection = errors.New("no default connection is defined") + // ErrNoDefinedConnections no connections are defined in the podman-remote.conf file + ErrNoDefinedConnections = errors.New("no remote connections have been defined") + // ErrConnectionNotFound unable to lookup connection by name + ErrConnectionNotFound = errors.New("remote connection not found by name") + // ErrNoConfigationFile no config file found + ErrNoConfigationFile = errors.New("no configuration file found") +) diff --git a/cmd/podman/restore.go b/cmd/podman/restore.go index 8cfd5ca0d..6e445e5df 100644 --- a/cmd/podman/restore.go +++ b/cmd/podman/restore.go @@ -24,10 +24,10 @@ var ( restoreCommand.InputArgs = args restoreCommand.GlobalFlags = MainGlobalOpts restoreCommand.Remote = remoteclient - return restoreCmd(&restoreCommand) + return restoreCmd(&restoreCommand, cmd) }, Args: func(cmd *cobra.Command, args []string) error { - return checkAllAndLatest(cmd, args, false) + return checkAllAndLatest(cmd, args, true) }, Example: `podman container restore ctrID podman container restore --latest @@ -43,13 +43,14 @@ func init() { flags.BoolVarP(&restoreCommand.All, "all", "a", false, "Restore all checkpointed containers") flags.BoolVarP(&restoreCommand.Keep, "keep", "k", false, "Keep all temporary checkpoint files") flags.BoolVarP(&restoreCommand.Latest, "latest", "l", false, "Act on the latest container podman is aware of") - // TODO: add ContainerStateCheckpointed - flags.BoolVar(&restoreCommand.TcpEstablished, "tcp-established", false, "Checkpoint a container with established TCP connections") + flags.BoolVar(&restoreCommand.TcpEstablished, "tcp-established", false, "Restore a container with established TCP connections") + flags.StringVarP(&restoreCommand.Import, "import", "i", "", "Restore from exported checkpoint archive (tar.gz)") + flags.StringVarP(&restoreCommand.Name, "name", "n", "", "Specify new name for container restored from exported checkpoint (only works with --import)") markFlagHiddenForRemoteClient("latest", flags) } -func restoreCmd(c *cliconfig.RestoreValues) error { +func restoreCmd(c *cliconfig.RestoreValues, cmd *cobra.Command) error { if rootless.IsRootless() { return errors.New("restoring a container requires root") } @@ -63,6 +64,34 @@ func restoreCmd(c *cliconfig.RestoreValues) error { options := libpod.ContainerCheckpointOptions{ Keep: c.Keep, TCPEstablished: c.TcpEstablished, + TargetFile: c.Import, + Name: c.Name, } - return runtime.Restore(c, options) + + if c.Import == "" && c.Name != "" { + return errors.Errorf("--name can only used with --import") + } + + if c.Name != "" && c.TcpEstablished { + return errors.Errorf("--tcp-established cannot be used with --name") + } + + argLen := len(c.InputArgs) + if c.Import != "" { + if c.All || c.Latest { + return errors.Errorf("Cannot use --import with --all or --latest") + } + if argLen > 0 { + return errors.Errorf("Cannot use --import with positional arguments") + } + } + + if (c.All || c.Latest) && argLen > 0 { + return errors.Errorf("no arguments are needed with --all or --latest") + } + if argLen < 1 && !c.All && !c.Latest && c.Import == "" { + return errors.Errorf("you must provide at least one name or id") + } + + return runtime.Restore(getContext(), c, options) } diff --git a/cmd/podman/rm.go b/cmd/podman/rm.go index 1bf56b782..2710a8194 100644 --- a/cmd/podman/rm.go +++ b/cmd/podman/rm.go @@ -42,7 +42,9 @@ func init() { flags.BoolVarP(&rmCommand.All, "all", "a", false, "Remove all containers") flags.BoolVarP(&rmCommand.Force, "force", "f", false, "Force removal of a running container. The default is false") flags.BoolVarP(&rmCommand.Latest, "latest", "l", false, "Act on the latest container podman is aware of") + flags.BoolVar(&rmCommand.Storage, "storage", false, "Remove container from storage library") flags.BoolVarP(&rmCommand.Volumes, "volumes", "v", false, "Remove the volumes associated with the container") + markFlagHiddenForRemoteClient("storage", flags) markFlagHiddenForRemoteClient("latest", flags) } @@ -54,6 +56,13 @@ func rmCmd(c *cliconfig.RmValues) error { } defer runtime.Shutdown(false) + // Storage conflicts with --all/--latest/--volumes + if c.Storage { + if c.All || c.Latest || c.Volumes { + return errors.Errorf("--storage conflicts with --volumes, --all, and --latest") + } + } + ok, failures, err := runtime.RemoveContainers(getContext(), c) if err != nil { if errors.Cause(err) == libpod.ErrNoSuchCtr { diff --git a/cmd/podman/shared/container.go b/cmd/podman/shared/container.go index 55cc529e0..c97eaa290 100644 --- a/cmd/podman/shared/container.go +++ b/cmd/podman/shared/container.go @@ -4,7 +4,6 @@ import ( "context" "fmt" "io" - v1 "k8s.io/api/core/v1" "os" "path/filepath" "regexp" @@ -17,15 +16,13 @@ import ( "github.com/containers/image/types" "github.com/containers/libpod/libpod" "github.com/containers/libpod/libpod/image" - "github.com/containers/libpod/pkg/inspect" - cc "github.com/containers/libpod/pkg/spec" "github.com/containers/libpod/pkg/util" "github.com/cri-o/ocicni/pkg/ocicni" "github.com/docker/go-units" "github.com/google/shlex" - "github.com/opencontainers/runtime-spec/specs-go" "github.com/pkg/errors" "github.com/sirupsen/logrus" + v1 "k8s.io/api/core/v1" ) const ( @@ -621,145 +618,6 @@ func getStrFromSquareBrackets(cmd string) string { return strings.Join(arr, ",") } -// GetCtrInspectInfo takes container inspect data and collects all its info into a ContainerData -// structure for inspection related methods -func GetCtrInspectInfo(config *libpod.ContainerConfig, ctrInspectData *inspect.ContainerInspectData, createArtifact *cc.CreateConfig) (*inspect.ContainerData, error) { - spec := config.Spec - - cpus, mems, period, quota, realtimePeriod, realtimeRuntime, shares := getCPUInfo(spec) - blkioWeight, blkioWeightDevice, blkioReadBps, blkioWriteBps, blkioReadIOPS, blkioeWriteIOPS := getBLKIOInfo(spec) - memKernel, memReservation, memSwap, memSwappiness, memDisableOOMKiller := getMemoryInfo(spec) - pidsLimit := getPidsInfo(spec) - cgroup := getCgroup(spec) - logConfig := inspect.LogConfig{ - config.LogDriver, - make(map[string]string), - } - - data := &inspect.ContainerData{ - ctrInspectData, - &inspect.HostConfig{ - ConsoleSize: spec.Process.ConsoleSize, - OomScoreAdj: spec.Process.OOMScoreAdj, - CPUShares: shares, - BlkioWeight: blkioWeight, - BlkioWeightDevice: blkioWeightDevice, - BlkioDeviceReadBps: blkioReadBps, - BlkioDeviceWriteBps: blkioWriteBps, - BlkioDeviceReadIOps: blkioReadIOPS, - BlkioDeviceWriteIOps: blkioeWriteIOPS, - CPUPeriod: period, - CPUQuota: quota, - CPURealtimePeriod: realtimePeriod, - CPURealtimeRuntime: realtimeRuntime, - CPUSetCPUs: cpus, - CPUSetMems: mems, - Devices: spec.Linux.Devices, - KernelMemory: memKernel, - MemoryReservation: memReservation, - MemorySwap: memSwap, - MemorySwappiness: memSwappiness, - OomKillDisable: memDisableOOMKiller, - PidsLimit: pidsLimit, - Privileged: config.Privileged, - ReadOnlyRootfs: spec.Root.Readonly, - ReadOnlyTmpfs: createArtifact.ReadOnlyTmpfs, - Runtime: config.OCIRuntime, - NetworkMode: string(createArtifact.NetMode), - IpcMode: string(createArtifact.IpcMode), - Cgroup: cgroup, - UTSMode: string(createArtifact.UtsMode), - UsernsMode: string(createArtifact.UsernsMode), - GroupAdd: spec.Process.User.AdditionalGids, - ContainerIDFile: createArtifact.CidFile, - AutoRemove: createArtifact.Rm, - CapAdd: createArtifact.CapAdd, - CapDrop: createArtifact.CapDrop, - DNS: createArtifact.DNSServers, - DNSOptions: createArtifact.DNSOpt, - DNSSearch: createArtifact.DNSSearch, - PidMode: string(createArtifact.PidMode), - CgroupParent: createArtifact.CgroupParent, - ShmSize: createArtifact.Resources.ShmSize, - Memory: createArtifact.Resources.Memory, - Ulimits: createArtifact.Resources.Ulimit, - SecurityOpt: createArtifact.SecurityOpts, - Tmpfs: createArtifact.Tmpfs, - LogConfig: &logConfig, - }, - &inspect.CtrConfig{ - Hostname: spec.Hostname, - User: spec.Process.User, - Env: spec.Process.Env, - Image: config.RootfsImageName, - WorkingDir: spec.Process.Cwd, - Labels: config.Labels, - Annotations: spec.Annotations, - Tty: spec.Process.Terminal, - OpenStdin: config.Stdin, - StopSignal: config.StopSignal, - Cmd: config.Spec.Process.Args, - Entrypoint: strings.Join(createArtifact.Entrypoint, " "), - Healthcheck: config.HealthCheckConfig, - }, - } - return data, nil -} - -func getCPUInfo(spec *specs.Spec) (string, string, *uint64, *int64, *uint64, *int64, *uint64) { - if spec.Linux.Resources == nil { - return "", "", nil, nil, nil, nil, nil - } - cpu := spec.Linux.Resources.CPU - if cpu == nil { - return "", "", nil, nil, nil, nil, nil - } - return cpu.Cpus, cpu.Mems, cpu.Period, cpu.Quota, cpu.RealtimePeriod, cpu.RealtimeRuntime, cpu.Shares -} - -func getBLKIOInfo(spec *specs.Spec) (*uint16, []specs.LinuxWeightDevice, []specs.LinuxThrottleDevice, []specs.LinuxThrottleDevice, []specs.LinuxThrottleDevice, []specs.LinuxThrottleDevice) { - if spec.Linux.Resources == nil { - return nil, nil, nil, nil, nil, nil - } - blkio := spec.Linux.Resources.BlockIO - if blkio == nil { - return nil, nil, nil, nil, nil, nil - } - return blkio.Weight, blkio.WeightDevice, blkio.ThrottleReadBpsDevice, blkio.ThrottleWriteBpsDevice, blkio.ThrottleReadIOPSDevice, blkio.ThrottleWriteIOPSDevice -} - -func getMemoryInfo(spec *specs.Spec) (*int64, *int64, *int64, *uint64, *bool) { - if spec.Linux.Resources == nil { - return nil, nil, nil, nil, nil - } - memory := spec.Linux.Resources.Memory - if memory == nil { - return nil, nil, nil, nil, nil - } - return memory.Kernel, memory.Reservation, memory.Swap, memory.Swappiness, memory.DisableOOMKiller -} - -func getPidsInfo(spec *specs.Spec) *int64 { - if spec.Linux.Resources == nil { - return nil - } - pids := spec.Linux.Resources.Pids - if pids == nil { - return nil - } - return &pids.Limit -} - -func getCgroup(spec *specs.Spec) string { - cgroup := "host" - for _, ns := range spec.Linux.Namespaces { - if ns.Type == specs.CgroupNamespace && ns.Path != "" { - cgroup = "container" - } - } - return cgroup -} - func comparePorts(i, j ocicni.PortMapping) bool { if i.ContainerPort != j.ContainerPort { return i.ContainerPort < j.ContainerPort diff --git a/cmd/podman/shared/container_inspect.go b/cmd/podman/shared/container_inspect.go new file mode 100644 index 000000000..97a1d0238 --- /dev/null +++ b/cmd/podman/shared/container_inspect.go @@ -0,0 +1,255 @@ +package shared + +import ( + "strings" + + "github.com/containers/image/manifest" + "github.com/containers/libpod/libpod" + cc "github.com/containers/libpod/pkg/spec" + "github.com/docker/go-connections/nat" + specs "github.com/opencontainers/runtime-spec/specs-go" +) + +// InspectContainer holds all inspect data for a container. +// The format of individual components is fixed so the overall structure, when +// JSON encoded, matches the output of `docker inspect`. +// It combines Libpod-source inspect data with Podman-specific inspect data. +type InspectContainer struct { + *libpod.InspectContainerData + HostConfig *InspectContainerHostConfig `json:"HostConfig"` + Config *InspectContainerConfig `json:"Config"` +} + +// InspectContainerHostConfig holds Container configuration that is not specific +// to Libpod. This information is (mostly) stored by Podman as an artifact. +// This struct is matched to the output of `docker inspect`. +type InspectContainerHostConfig struct { + ContainerIDFile string `json:"ContainerIDFile"` + LogConfig *InspectLogConfig `json:"LogConfig"` //TODO + NetworkMode string `json:"NetworkMode"` + PortBindings nat.PortMap `json:"PortBindings"` //TODO + AutoRemove bool `json:"AutoRemove"` + CapAdd []string `json:"CapAdd"` + CapDrop []string `json:"CapDrop"` + DNS []string `json:"DNS"` + DNSOptions []string `json:"DNSOptions"` + DNSSearch []string `json:"DNSSearch"` + ExtraHosts []string `json:"ExtraHosts"` + GroupAdd []uint32 `json:"GroupAdd"` + IpcMode string `json:"IpcMode"` + Cgroup string `json:"Cgroup"` + OomScoreAdj *int `json:"OomScoreAdj"` + PidMode string `json:"PidMode"` + Privileged bool `json:"Privileged"` + PublishAllPorts bool `json:"PublishAllPorts"` //TODO + ReadOnlyRootfs bool `json:"ReadonlyRootfs"` + ReadOnlyTmpfs bool `json:"ReadonlyTmpfs"` + SecurityOpt []string `json:"SecurityOpt"` + UTSMode string `json:"UTSMode"` + UsernsMode string `json:"UsernsMode"` + ShmSize int64 `json:"ShmSize"` + Runtime string `json:"Runtime"` + ConsoleSize *specs.Box `json:"ConsoleSize"` + CPUShares *uint64 `json:"CpuShares"` + Memory int64 `json:"Memory"` + NanoCPUs int `json:"NanoCpus"` + CgroupParent string `json:"CgroupParent"` + BlkioWeight *uint16 `json:"BlkioWeight"` + BlkioWeightDevice []specs.LinuxWeightDevice `json:"BlkioWeightDevice"` + BlkioDeviceReadBps []specs.LinuxThrottleDevice `json:"BlkioDeviceReadBps"` + BlkioDeviceWriteBps []specs.LinuxThrottleDevice `json:"BlkioDeviceWriteBps"` + BlkioDeviceReadIOps []specs.LinuxThrottleDevice `json:"BlkioDeviceReadIOps"` + BlkioDeviceWriteIOps []specs.LinuxThrottleDevice `json:"BlkioDeviceWriteIOps"` + CPUPeriod *uint64 `json:"CpuPeriod"` + CPUQuota *int64 `json:"CpuQuota"` + CPURealtimePeriod *uint64 `json:"CpuRealtimePeriod"` + CPURealtimeRuntime *int64 `json:"CpuRealtimeRuntime"` + CPUSetCPUs string `json:"CpuSetCpus"` + CPUSetMems string `json:"CpuSetMems"` + Devices []specs.LinuxDevice `json:"Devices"` + DiskQuota int `json:"DiskQuota"` //check type, TODO + KernelMemory *int64 `json:"KernelMemory"` + MemoryReservation *int64 `json:"MemoryReservation"` + MemorySwap *int64 `json:"MemorySwap"` + MemorySwappiness *uint64 `json:"MemorySwappiness"` + OomKillDisable *bool `json:"OomKillDisable"` + PidsLimit *int64 `json:"PidsLimit"` + Ulimits []string `json:"Ulimits"` + CPUCount int `json:"CpuCount"` + CPUPercent int `json:"CpuPercent"` + IOMaximumIOps int `json:"IOMaximumIOps"` //check type, TODO + IOMaximumBandwidth int `json:"IOMaximumBandwidth"` //check type, TODO + Tmpfs []string `json:"Tmpfs"` +} + +// InspectContainerConfig holds further data about a container, again mostly +// not directly stored in Libpod. This struct is matched to the output of +// `docker inspect`. +type InspectContainerConfig struct { + Hostname string `json:"Hostname"` + DomainName string `json:"Domainname"` //TODO + User specs.User `json:"User"` + AttachStdin bool `json:"AttachStdin"` //TODO + AttachStdout bool `json:"AttachStdout"` //TODO + AttachStderr bool `json:"AttachStderr"` //TODO + Tty bool `json:"Tty"` + OpenStdin bool `json:"OpenStdin"` + StdinOnce bool `json:"StdinOnce"` //TODO + Env []string `json:"Env"` + Cmd []string `json:"Cmd"` + Image string `json:"Image"` + Volumes map[string]struct{} `json:"Volumes"` + WorkingDir string `json:"WorkingDir"` + Entrypoint string `json:"Entrypoint"` + Labels map[string]string `json:"Labels"` + Annotations map[string]string `json:"Annotations"` + StopSignal uint `json:"StopSignal"` + Healthcheck *manifest.Schema2HealthConfig `json:"Healthcheck,omitempty"` +} + +// InspectLogConfig holds information about a container's configured log driver +// and is presently unused. It is retained for Docker compatability. +type InspectLogConfig struct { + Type string `json:"Type"` + Config map[string]string `json:"Config"` //idk type, TODO +} + +// GetCtrInspectInfo inspects a container, combining Libpod inspect information +// with other information not stored in Libpod and returning a struct that, when +// formatted for JSON output, is compatible with `docker inspect`. +func GetCtrInspectInfo(config *libpod.ContainerConfig, ctrInspectData *libpod.InspectContainerData, createArtifact *cc.CreateConfig) (*InspectContainer, error) { + spec := config.Spec + + cpus, mems, period, quota, realtimePeriod, realtimeRuntime, shares := getCPUInfo(spec) + blkioWeight, blkioWeightDevice, blkioReadBps, blkioWriteBps, blkioReadIOPS, blkioeWriteIOPS := getBLKIOInfo(spec) + memKernel, memReservation, memSwap, memSwappiness, memDisableOOMKiller := getMemoryInfo(spec) + pidsLimit := getPidsInfo(spec) + cgroup := getCgroup(spec) + logConfig := InspectLogConfig{ + config.LogDriver, + make(map[string]string), + } + + data := &InspectContainer{ + ctrInspectData, + &InspectContainerHostConfig{ + ConsoleSize: spec.Process.ConsoleSize, + OomScoreAdj: spec.Process.OOMScoreAdj, + CPUShares: shares, + BlkioWeight: blkioWeight, + BlkioWeightDevice: blkioWeightDevice, + BlkioDeviceReadBps: blkioReadBps, + BlkioDeviceWriteBps: blkioWriteBps, + BlkioDeviceReadIOps: blkioReadIOPS, + BlkioDeviceWriteIOps: blkioeWriteIOPS, + CPUPeriod: period, + CPUQuota: quota, + CPURealtimePeriod: realtimePeriod, + CPURealtimeRuntime: realtimeRuntime, + CPUSetCPUs: cpus, + CPUSetMems: mems, + Devices: spec.Linux.Devices, + KernelMemory: memKernel, + LogConfig: &logConfig, + MemoryReservation: memReservation, + MemorySwap: memSwap, + MemorySwappiness: memSwappiness, + OomKillDisable: memDisableOOMKiller, + PidsLimit: pidsLimit, + Privileged: config.Privileged, + ReadOnlyRootfs: spec.Root.Readonly, + ReadOnlyTmpfs: createArtifact.ReadOnlyTmpfs, + Runtime: config.OCIRuntime, + NetworkMode: string(createArtifact.NetMode), + IpcMode: string(createArtifact.IpcMode), + Cgroup: cgroup, + UTSMode: string(createArtifact.UtsMode), + UsernsMode: string(createArtifact.UsernsMode), + GroupAdd: spec.Process.User.AdditionalGids, + ContainerIDFile: createArtifact.CidFile, + AutoRemove: createArtifact.Rm, + CapAdd: createArtifact.CapAdd, + CapDrop: createArtifact.CapDrop, + DNS: createArtifact.DNSServers, + DNSOptions: createArtifact.DNSOpt, + DNSSearch: createArtifact.DNSSearch, + PidMode: string(createArtifact.PidMode), + CgroupParent: createArtifact.CgroupParent, + ShmSize: createArtifact.Resources.ShmSize, + Memory: createArtifact.Resources.Memory, + Ulimits: createArtifact.Resources.Ulimit, + SecurityOpt: createArtifact.SecurityOpts, + Tmpfs: createArtifact.Tmpfs, + }, + &InspectContainerConfig{ + Hostname: spec.Hostname, + User: spec.Process.User, + Env: spec.Process.Env, + Image: config.RootfsImageName, + WorkingDir: spec.Process.Cwd, + Labels: config.Labels, + Annotations: spec.Annotations, + Tty: spec.Process.Terminal, + OpenStdin: config.Stdin, + StopSignal: config.StopSignal, + Cmd: config.Spec.Process.Args, + Entrypoint: strings.Join(createArtifact.Entrypoint, " "), + Healthcheck: config.HealthCheckConfig, + }, + } + return data, nil +} + +func getCPUInfo(spec *specs.Spec) (string, string, *uint64, *int64, *uint64, *int64, *uint64) { + if spec.Linux.Resources == nil { + return "", "", nil, nil, nil, nil, nil + } + cpu := spec.Linux.Resources.CPU + if cpu == nil { + return "", "", nil, nil, nil, nil, nil + } + return cpu.Cpus, cpu.Mems, cpu.Period, cpu.Quota, cpu.RealtimePeriod, cpu.RealtimeRuntime, cpu.Shares +} + +func getBLKIOInfo(spec *specs.Spec) (*uint16, []specs.LinuxWeightDevice, []specs.LinuxThrottleDevice, []specs.LinuxThrottleDevice, []specs.LinuxThrottleDevice, []specs.LinuxThrottleDevice) { + if spec.Linux.Resources == nil { + return nil, nil, nil, nil, nil, nil + } + blkio := spec.Linux.Resources.BlockIO + if blkio == nil { + return nil, nil, nil, nil, nil, nil + } + return blkio.Weight, blkio.WeightDevice, blkio.ThrottleReadBpsDevice, blkio.ThrottleWriteBpsDevice, blkio.ThrottleReadIOPSDevice, blkio.ThrottleWriteIOPSDevice +} + +func getMemoryInfo(spec *specs.Spec) (*int64, *int64, *int64, *uint64, *bool) { + if spec.Linux.Resources == nil { + return nil, nil, nil, nil, nil + } + memory := spec.Linux.Resources.Memory + if memory == nil { + return nil, nil, nil, nil, nil + } + return memory.Kernel, memory.Reservation, memory.Swap, memory.Swappiness, memory.DisableOOMKiller +} + +func getPidsInfo(spec *specs.Spec) *int64 { + if spec.Linux.Resources == nil { + return nil + } + pids := spec.Linux.Resources.Pids + if pids == nil { + return nil + } + return &pids.Limit +} + +func getCgroup(spec *specs.Spec) string { + cgroup := "host" + for _, ns := range spec.Linux.Namespaces { + if ns.Type == specs.CgroupNamespace && ns.Path != "" { + cgroup = "container" + } + } + return cgroup +} diff --git a/cmd/podman/varlink/io.podman.varlink b/cmd/podman/varlink/io.podman.varlink index 5b3d5ae4c..9410b9459 100644 --- a/cmd/podman/varlink/io.podman.varlink +++ b/cmd/podman/varlink/io.podman.varlink @@ -207,7 +207,7 @@ type ContainerNameSpace ( ipc: string ) -# InfoDistribution describes the the host's distribution +# InfoDistribution describes the host's distribution type InfoDistribution ( distribution: string, version: string @@ -671,7 +671,7 @@ method PauseContainer(name: string) -> (container: string) # See also [PauseContainer](#PauseContainer). method UnpauseContainer(name: string) -> (container: string) -# Attach takes the name or ID of a container and sets up a the ability to remotely attach to its console. The start +# Attach takes the name or ID of a container and sets up the ability to remotely attach to its console. The start # bool is whether you wish to start the container in question first. method Attach(name: string, detachKeys: string, start: bool) -> () @@ -744,7 +744,7 @@ method BuildImage(build: BuildInfo) -> (image: MoreResponse) # This function is not implemented yet. # method CreateImage() -> (notimplemented: NotImplemented) -# InspectImage takes the name or ID of an image and returns a string respresentation of data associated with the +# InspectImage takes the name or ID of an image and returns a string representation of data associated with the #image. You must serialize the string into JSON to use it further. An [ImageNotFound](#ImageNotFound) error will # be returned if the image cannot be found. method InspectImage(name: string) -> (image: string) @@ -810,7 +810,7 @@ method Commit(name: string, image_name: string, changes: []string, author: strin method ImportImage(source: string, reference: string, message: string, changes: []string, delete: bool) -> (image: string) # ExportImage takes the name or ID of an image and exports it to a destination like a tarball. There is also -# a booleon option to force compression. It also takes in a string array of tags to be able to save multiple +# a boolean option to force compression. It also takes in a string array of tags to be able to save multiple # tags of the same image to a tarball (each tag should be of the form <image>:<tag>). Upon completion, the ID # of the image is returned. If the image cannot be found in local storage, an [ImageNotFound](#ImageNotFound) # error will be returned. See also [ImportImage](ImportImage). @@ -915,7 +915,7 @@ method ListPods() -> (pods: []ListPodData) # ~~~ method GetPod(name: string) -> (pod: ListPodData) -# InspectPod takes the name or ID of an image and returns a string respresentation of data associated with the +# InspectPod takes the name or ID of an image and returns a string representation of data associated with the # pod. You must serialize the string into JSON to use it further. A [PodNotFound](#PodNotFound) error will # be returned if the pod cannot be found. method InspectPod(name: string) -> (pod: string) diff --git a/completions/bash/podman b/completions/bash/podman index 49c8c0e52..65c6308cc 100644 --- a/completions/bash/podman +++ b/completions/bash/podman @@ -742,6 +742,10 @@ _podman_container_attach() { } _podman_container_checkpoint() { + local options_with_args=" + -e + --export + " local boolean_options=" -a --all @@ -755,9 +759,15 @@ _podman_container_checkpoint() { --leave-running --tcp-established " + case "$prev" in + -e|--export) + _filedir + return + ;; + esac case "$cur" in -*) - COMPREPLY=($(compgen -W "$boolean_options" -- "$cur")) + COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur")) ;; *) __podman_complete_containers_running @@ -844,6 +854,12 @@ _podman_container_restart() { } _podman_container_restore() { + local options_with_args=" + -i + --import + -n + --name + " local boolean_options=" -a --all @@ -855,9 +871,15 @@ _podman_container_restore() { --latest --tcp-established " + case "$prev" in + -i|--import) + _filedir + return + ;; + esac case "$cur" in -*) - COMPREPLY=($(compgen -W "$boolean_options" -- "$cur")) + COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur")) ;; *) __podman_complete_containers_created @@ -2019,6 +2041,7 @@ _podman_rm() { -h --latest -l + --storage --volumes -v " @@ -2445,7 +2468,9 @@ _podman_healthcheck_run() { } _podman_generate_kube() { - local options_with_args="" + local options_with_args=" + --filename -f + " local boolean_options=" -h diff --git a/contrib/cirrus/README.md b/contrib/cirrus/README.md index 69d8653fe..94494a558 100644 --- a/contrib/cirrus/README.md +++ b/contrib/cirrus/README.md @@ -63,41 +63,6 @@ task (pass or fail) is set based on the exit status of the last script to execut Total execution time is capped at 2-hours (includes all the above) but this script normally completes in less than an hour. -### ``special_testing`` Task - -This task exercises podman under specialized environments or conditions. -The specific differences from the ``testing`` task depend upon the -contents of the ``$SPECIALMODE`` environment variable. - -| Value | Meaning | -| rootless | Setup a regular user to build/run integration tests. | -| in_podman | Setup a container image, build/run integration tests inside container | - -***N/B: Steps below are performed by automation*** - -1. After `gating` passes, spin up one VM per - `matrix: image_name` item. - -2. ``setup_environment.sh``: Mostly the same as - in ``testing`` task, then specialized depending on ``$SPECIALMODE``. - -3. Which tests and how they execute depends on ``$SPECIALMODE``. - - -### ``optional_testing`` Task - -***N/B: Steps below are performed by automation*** - -1. Optionally executes in parallel with ``testing``. Requires - **prior** to job-start, the magic string ``***CIRRUS: SYSTEM TEST***`` - is found in the pull-request *description*. The *description* is the first - text-box under the main *summary* line in the github WebUI. - -2. ``setup_environment.sh``: Same as for other tasks. - -3. ``system_test.sh``: Build both dependencies and libpod, install them, - then execute `make localsystem` from the repository root. - ### ``test_build_cache_images_task`` Task diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh index 462fa332a..97901cfc7 100644 --- a/contrib/cirrus/lib.sh +++ b/contrib/cirrus/lib.sh @@ -211,6 +211,8 @@ setup_rootless() { # Works with older versions of bash printf "${_env_var_name}=%q\n" "$(printenv $_env_var_name)" >> "/home/$ROOTLESS_USER/.bashrc" done + echo "Ensure the systems ssh process is up and running" + systemctl --wait restart sshd # a regular 'start' could hang forever } # Helper/wrapper script to only show stderr/stdout on non-zero exit diff --git a/contrib/cirrus/logcollector.sh b/contrib/cirrus/logcollector.sh new file mode 100755 index 000000000..425a619b0 --- /dev/null +++ b/contrib/cirrus/logcollector.sh @@ -0,0 +1,36 @@ +#!/bin/bash + +set -e + +source $(dirname $0)/lib.sh + +req_env_var CIRRUS_WORKING_DIR OS_RELEASE_ID + +# Assume there are other log collection commands to follow - Don't +# let one break another that may be useful, but also keep any +# actual script-problems fatal so they are noticed right away. +showrun() { + echo '+ '$(printf " %q" "$@") + set +e + echo '------------------------------------------------------------' + "$@" + local status=$? + [[ $status -eq 0 ]] || \ + echo "[ rc = $status -- proceeding anyway ]" + echo '------------------------------------------------------------' + set -e +} + +case $1 in + audit) + case $OS_RELEASE_ID in + ubuntu) showrun cat /var/log/kern.log ;; + fedora) showrun cat /var/log/audit/audit.log ;; + *) bad_os_id_ver ;; + esac + ;; + df) showrun df -lhTx tmpfs ;; + ginkgo) showrun cat $CIRRUS_WORKING_DIR/test/e2e/ginkgo-node-*.log ;; + journal) showrun journalctl -b ;; + *) die 1 "Warning, $(basename $0) doesn't know how to handle the parameter '$1'" +esac diff --git a/contrib/cirrus/packer/fedora_setup.sh b/contrib/cirrus/packer/fedora_setup.sh index 33e240895..4388dc992 100644 --- a/contrib/cirrus/packer/fedora_setup.sh +++ b/contrib/cirrus/packer/fedora_setup.sh @@ -76,8 +76,6 @@ install_conmon CNI_COMMIT=$FEDORA_CNI_COMMIT install_cni_plugins -install_buildah - sudo /tmp/libpod/hack/install_catatonit.sh rh_finalize # N/B: Halts system! diff --git a/contrib/cirrus/packer/ubuntu_setup.sh b/contrib/cirrus/packer/ubuntu_setup.sh index 17e274d97..f183932c1 100644 --- a/contrib/cirrus/packer/ubuntu_setup.sh +++ b/contrib/cirrus/packer/ubuntu_setup.sh @@ -99,8 +99,6 @@ install_conmon install_cni_plugins -install_buildah - sudo /tmp/libpod/hack/install_catatonit.sh install_varlink diff --git a/contrib/gate/Dockerfile b/contrib/gate/Dockerfile index 9a6f5dc8d..630371c76 100644 --- a/contrib/gate/Dockerfile +++ b/contrib/gate/Dockerfile @@ -2,7 +2,6 @@ FROM fedora:29 RUN dnf -y install \ atomic-registries \ btrfs-progs-devel \ - buildah \ bzip2 \ conmon \ container-selinux \ diff --git a/contrib/imgts/entrypoint.sh b/contrib/imgts/entrypoint.sh index 65a76d8e4..610e1f3b6 100755 --- a/contrib/imgts/entrypoint.sh +++ b/contrib/imgts/entrypoint.sh @@ -32,6 +32,7 @@ ARGS="--update-labels=last-used=$(date +%s)" # optional [[ -z "$BUILDID" ]] || ARGS="$ARGS --update-labels=build-id=$BUILDID" [[ -z "$REPOREF" ]] || ARGS="$ARGS --update-labels=repo-ref=$REPOREF" +[[ -z "$GCPPROJECT" ]] || ARGS="$ARGS --update-labels=project=$GCPPROJECT" gcloud config set account "$GCPNAME" gcloud config set project "$GCPPROJECT" diff --git a/contrib/podmanimage/README.md b/contrib/podmanimage/README.md new file mode 100644 index 000000000..79484d4a3 --- /dev/null +++ b/contrib/podmanimage/README.md @@ -0,0 +1,44 @@ + + +# podmanimage + +## Overview + +This directory contains the Dockerfiles necessary to create the three podmanimage container +images that are housed on quay.io under the podman account. All three repositories where +the images live are public and can be pulled without credentials. These container images are secured and the +resulting containers can run safely with privileges within the container. The container images are built +using the latest Fedora and then Podman is installed into them: + + * quay.io/podman/stable - This image is built using the latest stable version of Podman in a Fedora based container. Built with podman/stable/Dockerfile. + * quay.io/podman/upstream - This image is built using the latest code found in this GitHub repository. When someone creates a commit and pushes it, the image is created. Due to that the image changes frequently and is not guaranteed to be stable. Built with podmanimage/upstream/Dockerfile. + * quay.io/podman/testing - This image is built using the latest version of Podman that is or was in updates testing for Fedora. At times this may be the same as the stable image. This container image will primarily be used by the development teams for verification testing when a new package is created. Built with podmanimage/testing/Dockerfile. + +## Sample Usage + + +``` +podman pull docker://quay.io/podman/stable:latest + +podman run --privileged stable podman version + +# Create a directory on the host to mount the container's +# /var/lib/container directory to so containers can be +# run within the container. +mkdir /var/lib/mycontainer + +# Run the image detached using the host's network in a container name +# podmanctr, turn off label and seccomp confinement in the container +# and then do a little shell hackery to keep the container up and running. +podman run --detach --name=podmanctr --net=host --security-opt label=disable --security-opt seccomp=unconfined --device /dev/fuse:rw -v /var/lib/mycontainer:/var/lib/containers:Z --privileged stable sh -c 'while true ;do wait; done' + +podman exec -it podmanctr /bin/sh + +# Now inside of the container + +podman pull alpine + +podman images + +exit +``` diff --git a/contrib/podmanimage/stable/Dockerfile b/contrib/podmanimage/stable/Dockerfile new file mode 100644 index 000000000..056f62624 --- /dev/null +++ b/contrib/podmanimage/stable/Dockerfile @@ -0,0 +1,26 @@ +# stable/Dockerfile +# +# Build a Podman container image from the latest +# stable version of Podman on the Fedoras Updates System. +# https://bodhi.fedoraproject.org/updates/?search=podman +# This image can be used to create a secured container +# that runs safely with privileges within the container. +# +FROM fedora:latest + +# Don't include container-selinux and remove +# directories used by dnf that are just taking +# up space. +RUN yum -y install podman fuse-overlayfs --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.* + +# Adjust storage.conf to enable Fuse storage. +RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf +RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock + +# Adjust libpod.conf to write logging to a file +RUN sed -i 's/events_logger = "journald"/events_logger = "file"/g' /usr/share/containers/libpod.conf + +# Set up environment variables to note that this is +# not starting with usernamespace and default to +# isolate the filesystem with chroot. +ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot diff --git a/contrib/podmanimage/testing/Dockerfile b/contrib/podmanimage/testing/Dockerfile new file mode 100644 index 000000000..50d8ed7f2 --- /dev/null +++ b/contrib/podmanimage/testing/Dockerfile @@ -0,0 +1,28 @@ +# testing/Dockerfile +# +# Build a Podman image using the latest +# version of Podman that is in updates-testing +# on the Fedoras Updates System. At times this +# may be the same the latest stable version. +# https://bodhi.fedoraproject.org/updates/?search=podman +# This image can be used to create a secured container +# that runs safely with privileges within the container. +# +FROM fedora:latest + +# Don't include container-selinux and remove +# directories used by dnf that are just taking +# up space. +RUN yum -y install podman fuse-overlayfs --exclude container-selinux --enablerepo updates-testing; rm -rf /var/cache /var/log/dnf* /var/log/yum.* + +# Adjust storage.conf to enable Fuse storage. +RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf +RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock + +# Adjust libpod.conf to write logging to a file +RUN sed -i 's/events_logger = "journald"/events_logger = "file"/g' /usr/share/containers/libpod.conf + +# Set up environment variables to note that this is +# not starting with usernamespace and default to +# isolate the filesystem with chroot. +ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot diff --git a/contrib/podmanimage/upstream/Dockerfile b/contrib/podmanimage/upstream/Dockerfile new file mode 100644 index 000000000..3583e1c54 --- /dev/null +++ b/contrib/podmanimage/upstream/Dockerfile @@ -0,0 +1,77 @@ +# git/Dockerfile +# +# Build a Podman container image from the latest +# upstream version of Podman on GitHub. +# https://github.com/containers/libpod +# This image can be used to create a secured container +# that runs safely with privileges within the container. +# The containers created by this image also come with a +# Podman development environment in /root/podman. +# +FROM fedora:latest +ENV GOPATH=/root/podman + +# Install the software required to build Podman. +# Then create a directory and clone from the Podman +# GitHub repository, make and install Podman +# to the container. +# Finally remove the podman directory and a few other packages +# that are needed for building but not running Podman +RUN dnf -y install --exclude container-selinux \ + --enablerepo=updates-testing \ + atomic-registries \ + btrfs-progs-devel \ + containernetworking-cni \ + device-mapper-devel \ + git \ + glib2-devel \ + glibc-devel \ + glibc-static \ + go \ + golang-github-cpuguy83-go-md2man \ + gpgme-devel \ + iptables \ + libassuan-devel \ + libgpg-error-devel \ + libseccomp-devel \ + libselinux-devel \ + make \ + ostree-devel \ + pkgconfig \ + runc \ + fuse-overlayfs \ + fuse3 \ + containers-common; \ + mkdir /root/podman; \ + git clone https://github.com/containers/libpod /root/podman/src/github.com/containers/libpod; \ + cd /root/podman/src/github.com/containers/libpod; \ + make BUILDTAGS="selinux seccomp"; \ + make install PREFIX=/usr; \ + cd /root/podman; \ + git clone https://github.com/containers/conmon /root/podman/conmon; \ + cd conmon; \ + make; \ + install -D -m 755 bin/conmon /usr/libexec/podman/conmon; \ + git clone https://github.com/containernetworking/plugins.git $GOPATH/src/github.com/containernetworking/plugins; \ + cd $GOPATH/src/github.com/containernetworking/plugins; \ + ./build_linux.sh; \ + mkdir -p /usr/libexec/cni; \ + \cp -fR bin/* /usr/libexec/cni; \ + mkdir -p /etc/cni/net.d; \ + curl -qsSL https://raw.githubusercontent.com/containers/libpod/master/cni/87-podman-bridge.conflist | tee /etc/cni/net.d/99-loopback.conf; \ + mkdir -p /usr/share/containers; \ + cp $GOPATH/src/github.com/containers/libpod/libpod.conf /usr/share/containers; \ + # Adjust libpod.conf to write logging to a file + sed -i 's/events_logger = "journald"/events_logger = "file"/g' /usr/share/containers/libpod.conf; \ + rm -rf /root/podman/*; \ + dnf -y remove git golang go-md2man make; \ + dnf clean all; + +# Adjust storage.conf to enable Fuse storage. +RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf +RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock + +# Set up environment variables to note that this is +# not starting with usernamespace and default to +# isolate the filesystem with chroot. +ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in index a1c11a5a6..d0ad07044 100644 --- a/contrib/spec/podman.spec.in +++ b/contrib/spec/podman.spec.in @@ -35,11 +35,11 @@ # People want conmon packaged with the copr rpm %global import_path_conmon github.com/containers/conmon %global git_conmon https://%{import_path_conmon} -%global commit_conmon 59952292a3b07ac125575024ae21956efe0ecdfb +%global commit_conmon 8455ce1ef385120deb827d0f0588c04357bad4c4 %global shortcommit_conmon %(c=%{commit_conmon}; echo ${c:0:7}) Name: podman -Version: 1.3.2 +Version: 1.4.2 Release: #COMMITDATE#.git%{shortcommit0}%{?dist} Summary: Manage Pods, Containers and Container Images License: ASL 2.0 diff --git a/docs/podman-attach.1.md b/docs/podman-attach.1.md index 11cecc16c..b8d2fa9a1 100644 --- a/docs/podman-attach.1.md +++ b/docs/podman-attach.1.md @@ -14,11 +14,11 @@ You can detach from the container (and leave it running) using a configurable ke sequence is `ctrl-p,ctrl-q`. You configure the key sequence using the --detach-keys option ## OPTIONS -**--detach-keys**="" +**--detach-keys**=*char* Override the key sequence for detaching a container. Format is a single character `[a-Z]` or `ctrl-<value>` where `<value>` is one of: `a-z`, `@`, `^`, `[`, `\\`, `]`, `^` or `_`. -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. @@ -33,7 +33,7 @@ Do not attach STDIN. The default is false. Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true*. -## EXAMPLES ## +## EXAMPLES ``` $ podman attach foobar diff --git a/docs/podman-build.1.md b/docs/podman-build.1.md index e2769c2a9..12e8c3bf0 100644 --- a/docs/podman-build.1.md +++ b/docs/podman-build.1.md @@ -21,19 +21,19 @@ When a Git repository is set as the URL, the repository is cloned locally and th ## OPTIONS -**--add-host**=[] +**--add-host**=*host* Add a custom host-to-IP mapping (host:ip) Add a line to /etc/hosts. The format is hostname:ip. The **--add-host** option can be set multiple times. -**--annotation** *annotation* +**--annotation**=*annotation* Add an image *annotation* (e.g. annotation=*value*) to the image metadata. Can be used multiple times. Note: this information is not present in Docker image formats, so it is discarded when writing images in Docker formats. -**--authfile** *path* +**--authfile**=*path* Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands) @@ -41,7 +41,7 @@ If the authorization state is not found there, $HOME/.docker/config.json is chec Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` -**--build-arg** *arg=value* +**--build-arg**=*arg=value* Specifies a build argument and its value, which will be interpolated in instructions read from the Dockerfiles in the same way that environment @@ -72,12 +72,12 @@ If a capability is specified to both the **--cap-add** and **--cap-drop** options, it will be dropped, regardless of the order in which the options were given. -**--cert-dir** *path* +**--cert-dir**=*path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands) -**--cgroup-parent**="" +**--cgroup-parent**=*path* Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist. @@ -99,13 +99,13 @@ network namespaces, and networking is not disabled. List of directories in which the CNI plugins which will be used for configuring network namespaces can be found. -**--cpu-period**=*0* +**--cpu-period**=*limit* Limit the CPU CFS (Completely Fair Scheduler) period Limit the container's CPU usage. This flag tell the kernel to restrict the container's CPU usage to the period you specify. -**--cpu-quota**=*0* +**--cpu-quota**=*limit* Limit the CPU CFS (Completely Fair Scheduler) quota @@ -113,7 +113,7 @@ Limit the container's CPU usage. By default, containers run with the full CPU resource. This flag tell the kernel to restrict the container's CPU usage to the quota you specify. -**--cpu-shares, -c**=*0* +**--cpu-shares**, **-c**=*shares* CPU shares (relative weight) @@ -150,11 +150,11 @@ division of CPU shares: 101 {C1} 1 100% of CPU1 102 {C1} 2 100% of CPU2 -**--cpuset-cpus**="" +**--cpuset-cpus**=*num* CPUs in which to allow execution (0-3, 0,1) -**--cpuset-mems**="" +**--cpuset-mems**=*nodes* Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems. @@ -162,7 +162,7 @@ If you have four memory nodes on your system (0-3), use `--cpuset-mems=0,1` then processes in your container will only use memory from the first two memory nodes. -**--creds** *creds* +**--creds**=*creds* The [username[:password]] to use to authenticate with the registry if required. If one or both values are not supplied, a command line prompt will appear and the @@ -174,19 +174,19 @@ This is a Docker specific option to disable image verification to a Docker registry and is not supported by Podman. This flag is a NOOP and provided soley for scripting compatibility. -**--dns**=[] +**--dns**=*dns* Set custom DNS servers -**--dns-option**=[] +**--dns-option**=*option* Set custom DNS options -**--dns-search**=[] +**--dns-search**=*domain* Set custom DNS search domains -**--file, -f** *Dockerfile* +**--file**, **-f**=*Dockerfile* Specifies a Dockerfile which contains instructions for building the image, either a local file or an **http** or **https** URL. If more than one @@ -199,7 +199,7 @@ context. If you specify `-f -`, the Dockerfile contents will be read from stdin. -**--force-rm** *bool-value* +**--force-rm**=*true|false* Always remove intermediate containers after a build, even if the build is unsuccessful. @@ -212,11 +212,15 @@ Recognized formats include *oci* (OCI image-spec v1.0, the default) and Note: You can also override the default format by setting the BUILDAH\_FORMAT environment variable. `export BUILDAH_FORMAT=docker` -**--iidfile** *ImageIDfile* +**-h**, **--help** + +Print usage statement + +**--iidfile**=*ImageIDfile* Write the image ID to the file. -**--ipc** *how* +**--ipc**=*how* Sets the configuration for IPC namespaces when handling `RUN` instructions. The configured value can be "" (the empty string) or "container" to indicate @@ -225,7 +229,7 @@ that the IPC namespace in which `podman` itself is being run should be reused, or it can be the path to an IPC namespace which is already in use by another process. -**--isolation** *type* +**--isolation**=*type* Controls what type of isolation is used for running processes as part of `RUN` instructions. Recognized types include *oci* (OCI-compatible runtime, the @@ -239,7 +243,7 @@ chroot(1) than container technology). Note: You can also override the default isolation type by setting the BUILDAH\_ISOLATION environment variable. `export BUILDAH_ISOLATION=oci` -**--label** *label* +**--label**=*label* Add an image *label* (e.g. label=*value*) to the image metadata. Can be used multiple times. @@ -250,12 +254,12 @@ Cache intermediate images during the build process (Default is `true`). Note: You can also override the default value of layers by setting the BUILDAH\_LAYERS environment variable. `export BUILDAH_LAYERS=true` -**--logfile** *filename* +**--logfile**=*filename* Log output which would be sent to standard output and standard error to the specified file instead of to standard output and standard error. -**--memory, -m**="" +**--memory**, **-m**=*LIMIT* Memory limit (format: <number>[<unit>], where unit = b, k, m or g) Allows you to constrain the memory available to a container. If the host @@ -264,7 +268,7 @@ RAM. If a limit of 0 is specified (not using **-m**), the container's memory is not limited. The actual limit may be rounded up to a multiple of the operating system's page size (the value would be very large, that's millions of trillions). -**--memory-swap**="LIMIT" +**--memory-swap**=*LIMIT* A limit value equal to memory plus swap. Must be used with the **-m** (**--memory**) flag. The swap `LIMIT` should always be larger than **-m** @@ -275,8 +279,7 @@ The format of `LIMIT` is `<number>[<unit>]`. Unit can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you don't specify a unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap. -**--net** *how* -**--network** *how* +**--net**, **--network**=*string* Sets the configuration for network namespaces when handling `RUN` instructions. The configured value can be "" (the empty string) or "container" to indicate @@ -289,7 +292,7 @@ another process. Do not use existing cached images for the container build. Build from the start with a new set of cached layers. -**--pid** *how* +**--pid**=*pid* Sets the configuration for PID namespaces when handling `RUN` instructions. The configured value can be "" (the empty string) or "container" to indicate @@ -316,17 +319,17 @@ Defaults to *true*. Pull the image from the first registry it is found in as listed in registries.conf. Raise an error if not found in the registries, even if the image is present locally. -**--quiet, -q** +**--quiet**, **-q** Suppress output messages which indicate which instruction is being processed, and of progress when pulling images from a registry, and when writing the output image. -**--rm** *bool-value* +**--rm**=*true|false* Remove intermediate containers after a successful build (default true). -**--runtime** *path* +**--runtime**=*path* The *path* to an alternate OCI-compatible runtime, which will be used to run commands specified by the **RUN** instruction. @@ -334,7 +337,7 @@ commands specified by the **RUN** instruction. Note: You can also override the default runtime by setting the BUILDAH\_RUNTIME environment variable. `export BUILDAH_RUNTIME=/usr/local/bin/runc` -**--runtime-flag** *flag* +**--runtime-flag**=*flag* Adds global flags for the container rutime. To list the supported flags, please consult the manpages of the selected container runtime (`runc` is the default @@ -343,7 +346,7 @@ runtime, the manpage to consult is `runc(8)`). Note: Do not pass the leading `--` to the flag. To pass the runc flag `--log-format json` to podman build, the option given would be `--runtime-flag log-format=json`. -**--security-opt**=[] +**--security-opt**=*option* Security Options @@ -360,7 +363,7 @@ Security Options "apparmor=unconfined" : Turn off apparmor confinement for the container "apparmor=your-profile" : Set the apparmor confinement profile for the container -**--shm-size**="" +**--shm-size**=*size* Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`. Unit is optional and can be `b` (bytes), `k` (kilobytes), `m`(megabytes), or `g` (gigabytes). @@ -370,19 +373,19 @@ If you omit the unit, the system uses bytes. If you omit the size entirely, the Squash all of the new image's layers (including those inherited from a base image) into a single new layer. -**--tag, -t** *imageName* +**--tag**, **-t**=*imageName* Specifies the name which will be assigned to the resulting image if the build process completes successfully. If _imageName_ does not include a registry name, the registry name *localhost* will be prepended to the image name. -**--target** *stageName* +**--target**=*stageName* Set the target build stage to build. When building a Dockerfile with multiple build stages, --target can be used to specify an intermediate build stage by name as the final stage for the resulting image. Commands after the target stage will be skipped. -**--tls-verify** *bool-value* +**--tls-verify**=*true|false* Require HTTPS and verify certificates when talking to container registries (defaults to true). (Not available for remote commands) @@ -407,7 +410,7 @@ include: "sigpending": maximum number of pending signals (ulimit -i) "stack": maximum stack size (ulimit -s) -**--userns** *how* +**--userns**=*how* Sets the configuration for user namespaces when handling `RUN` instructions. The configured value can be "" (the empty string) or "container" to indicate @@ -416,7 +419,7 @@ the user namespace in which `podman` itself is being run should be reused, or it can be the path to an user namespace which is already in use by another process. -**--userns-uid-map** *mapping* +**--userns-uid-map**=*mapping* Directly specifies a UID mapping which should be used to set ownership, at the filesytem level, on the working container's contents. @@ -437,7 +440,7 @@ If none of --userns-uid-map-user, --userns-gid-map-group, or --userns-uid-map are specified, but --userns-gid-map is specified, the UID map will be set to use the same numeric values as the GID map. -**--userns-gid-map** *mapping* +**--userns-gid-map**=*mapping* Directly specifies a GID mapping which should be used to set ownership, at the filesytem level, on the working container's contents. @@ -458,7 +461,7 @@ If none of --userns-uid-map-user, --userns-gid-map-group, or --userns-gid-map are specified, but --userns-uid-map is specified, the GID map will be set to use the same numeric values as the UID map. -**--userns-uid-map-user** *user* +**--userns-uid-map-user**=*user* Specifies that a UID mapping which should be used to set ownership, at the filesytem level, on the working container's contents, can be found in entries @@ -469,7 +472,7 @@ If --userns-gid-map-group is specified, but --userns-uid-map-user is not specified, `podman` will assume that the specified group name is also a suitable user name to use as the default setting for this option. -**--userns-gid-map-group** *group* +**--userns-gid-map-group**=*group* Specifies that a GID mapping which should be used to set ownership, at the filesytem level, on the working container's contents, can be found in entries @@ -480,7 +483,7 @@ If --userns-uid-map-user is specified, but --userns-gid-map-group is not specified, `podman` will assume that the specified user name is also a suitable group name to use as the default setting for this option. -**--uts** *how* +**--uts**=*how* Sets the configuration for UTS namespaces when the handling `RUN` instructions. The configured value can be "" (the empty string) or "container" to indicate @@ -489,7 +492,7 @@ that the UTS namespace in which `podman` itself is being run should be reused, or it can be the path to a UTS namespace which is already in use by another process. -**--volume, -v**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*] +**--volume**, **-v**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*] Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, podman bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the podman @@ -529,7 +532,7 @@ Only the current container can use a private volume. `Overlay Volume Mounts` - The `:O` flag tells Buildah to mount the directory from the host as a temporary storage using the Overlay file system. The `RUN` command containers are allowed to modify contents within the mountpoint and are stored in the container storage in a separate directory. In Ovelay FS terms the source directory will be the lower, and the container storage directory will be the upper. Modifications to the mount point are destroyed when the `RUN` command finishes executing, similar to a tmpfs mount point. + The `:O` flag tells Buildah to mount the directory from the host as a temporary storage using the Overlay file system. The `RUN` command containers are allowed to modify contents within the mountpoint and are stored in the container storage in a separate directory. In Overlay FS terms the source directory will be the lower, and the container storage directory will be the upper. Modifications to the mount point are destroyed when the `RUN` command finishes executing, similar to a tmpfs mount point. Any subsequent execution of `RUN` commands sees the original source directory content, any changes from previous RUN commands no longer exists. diff --git a/docs/podman-commit.1.md b/docs/podman-commit.1.md index 7c74d7a33..bf0df0dda 100644 --- a/docs/podman-commit.1.md +++ b/docs/podman-commit.1.md @@ -7,7 +7,7 @@ podman\-commit - Create new image based on the changed container **podman commit** [*options*] *container* *image* ## DESCRIPTION -`podman commit` creates an image based on a changed container. The author of the +**podman commit** creates an image based on a changed container. The author of the image can be set using the `--author` flag. Various image instructions can be configured with the `--change` flag and a commit message can be set using the `--message` flag. The container and its processes are paused while the image is @@ -19,23 +19,23 @@ If *image* does not begin with a registry name component, `localhost` will be ad ## OPTIONS -**--author, -a** +**--author**, **-a**=*author* Set the author for the committed image -**--change, -c** +**--change**, **-c**=*instruction* Apply the following possible instructions to the created image: **CMD** | **ENTRYPOINT** | **ENV** | **EXPOSE** | **LABEL** | **ONBUILD** | **STOPSIGNAL** | **USER** | **VOLUME** | **WORKDIR** Can be set multiple times -**--format, -f** +**--format**, **-f**=*format* Set the format of the image manifest and metadata. The currently supported formats are _oci_ and _docker_. If not specifically set, the default format used is _oci_. -**--iidfile** *ImageIDfile* +**--iidfile**=*ImageIDfile* Write the image ID to the file. @@ -43,15 +43,15 @@ Write the image ID to the file. Include in the committed image any volumes added to the container by the `--volume` or `--mount` options to the `podman create` and `podman run` commands. -**--message, -m** +**--message**, **-m**=*message* Set commit message for committed image. The message field is not supported in _oci_ format. -**--pause, -p** +**--pause**, **-p** Pause the container when creating an image -**--quiet, -q** +**--quiet**, **-q** Suppress output diff --git a/docs/podman-container-checkpoint.1.md b/docs/podman-container-checkpoint.1.md index 79dc12261..90c3919a9 100644 --- a/docs/podman-container-checkpoint.1.md +++ b/docs/podman-container-checkpoint.1.md @@ -17,17 +17,17 @@ are not deleted if checkpointing fails for further debugging. If checkpointing s files are theoretically not needed, but if these files are needed Podman can keep the files for further analysis. -**--all, -a** +**--all**, **-a** Checkpoint all running containers. -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, checkpoint the last created container. The latest option is not supported on the remote client. -**--leave-running, -R** +**--leave-running**, **-R** Leave the container running after checkpointing instead of stopping it. @@ -38,6 +38,12 @@ image contains established TCP connections, this options is required during restore. Defaults to not checkpointing containers with established TCP connections. +**--export, -e** + +Export the checkpoint to a tar.gz file. The exported checkpoint can be used +to import the container on another system and thus enabling container live +migration. + ## EXAMPLE podman container checkpoint mywebserver diff --git a/docs/podman-container-cleanup.1.md b/docs/podman-container-cleanup.1.md index 2ad39d214..f6bb84113 100644 --- a/docs/podman-container-cleanup.1.md +++ b/docs/podman-container-cleanup.1.md @@ -7,16 +7,16 @@ podman\-container\-cleanup - Cleanup Container storage and networks **podman container cleanup** [*options*] *container* ## DESCRIPTION -`podman container cleanup` cleans up exited containers by removing all mountpoints and network configuration from the host. The container name or ID can be used. The cleanup command does not remove the containers. Running containers will not be cleaned up. +**podman container cleanup** cleans up exited containers by removing all mountpoints and network configuration from the host. The container name or ID can be used. The cleanup command does not remove the containers. Running containers will not be cleaned up. Sometimes container's mount points and network stacks can remain if the podman command was killed or the container ran in daemon mode. This command is automatically executed when you run containers in daemon mode by the conmon process when the container exits. ## OPTIONS -**--all, a** +**--all**, **a** Cleanup all containers. -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. diff --git a/docs/podman-container-exists.1.md b/docs/podman-container-exists.1.md index 8feb736f8..4d988132b 100644 --- a/docs/podman-container-exists.1.md +++ b/docs/podman-container-exists.1.md @@ -1,19 +1,23 @@ -% PODMAN(1) Podman Man Pages -% Brent Baude -% November 2018 -# NAME +% podman-container-exists(1) + +## NAME podman-container-exists - Check if a container exists in local storage -# SYNOPSIS -**podman container exists** [*-h*|*--help*] *container* +## SYNOPSIS +**podman container exists** [*options*] *container* -# DESCRIPTION +## DESCRIPTION **podman container exists** checks if a container exists in local storage. The **ID** or **Name** of the container may be used as input. Podman will return an exit code of `0` when the container is found. A `1` will be returned otherwise. An exit code of `125` indicates there was an issue accessing the local storage. -## Examples ## +## OPTIONS + +**-h**, **--help** +Print usage statement + +## Examples Check if an container called `webclient` exists in local storage (the container does actually exist). ``` @@ -34,5 +38,5 @@ $ ## SEE ALSO podman(1) -# HISTORY +## HISTORY November 2018, Originally compiled by Brent Baude (bbaude at redhat dot com) diff --git a/docs/podman-container-prune.1.md b/docs/podman-container-prune.1.md index 6fd741a3d..26c6b0b49 100644 --- a/docs/podman-container-prune.1.md +++ b/docs/podman-container-prune.1.md @@ -1,16 +1,21 @@ -% podman-container-prune (1) -% Brent Baude -% December 2018 -# NAME +% podman-container-prune(1) + +## NAME podman-container-prune - Remove all stopped containers -# SYNOPSIS -**podman container prune** [*-h*|*--help*] +## SYNOPSIS +**podman container prune** [*options*] -# DESCRIPTION +## DESCRIPTION **podman container prune** removes all stopped containers from local storage. -## Examples ## +## OPTIONS + +**-h**, **--help** + +Print usage statement + +## Examples Remove all stopped containers from local storage ``` @@ -26,5 +31,5 @@ fff1c5b6c3631746055ec40598ce8ecaa4b82aef122f9e3a85b03b55c0d06c23 ## SEE ALSO podman(1), podman-ps -# HISTORY +## HISTORY December 2018, Originally compiled by Brent Baude (bbaude at redhat dot com) diff --git a/docs/podman-container-restore.1.md b/docs/podman-container-restore.1.md index e41f7c1d8..c96a37f80 100644 --- a/docs/podman-container-restore.1.md +++ b/docs/podman-container-restore.1.md @@ -24,11 +24,11 @@ processes in the checkpointed container. Without the **-k**, **--keep** option the checkpoint will be consumed and cannot be used again. -**--all, -a** +**--all**, **-a** Restore all checkpointed containers. -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, restore the last created container. @@ -42,6 +42,24 @@ If the checkpoint image does not contain established TCP connections this option is ignored. Defaults to not restoring containers with established TCP connections. +**--import, -i** + +Import a checkpoint tar.gz file, which was exported by Podman. This can be used +to import a checkpointed container from another host. Do not specify a *container* +argument when using this option. + +**--name, -n** + +This is only available in combination with **--import, -i**. If a container is restored +from a checkpoint tar.gz file it is possible to rename it with **--name, -n**. This +way it is possible to restore a container from a checkpoint multiple times with different +names. + +If the **--name, -n** option is used, Podman will not attempt to assign the same IP +address to the container it was using before checkpointing as each IP address can only +be used once and the restored container will have another IP address. This also means +that **--name, -n** cannot be used in combination with **--tcp-established**. + ## EXAMPLE podman container restore mywebserver diff --git a/docs/podman-container-runlabel.1.md b/docs/podman-container-runlabel.1.md index a54d5c68e..aabeb092d 100644 --- a/docs/podman-container-runlabel.1.md +++ b/docs/podman-container-runlabel.1.md @@ -1,21 +1,12 @@ -% PODMAN(1) Podman Man Pages -% Brent Baude -% September 2018 -# NAME +% podman-container-runlabel(1) + +## NAME podman-container-runlabel - Execute Image Label Method -# SYNOPSIS -**podman container runlabel** -[**-h**|**--help**] -[**--display**] -[**-n**][**--name**[=*NAME*]] -[**--rootfs**=*ROOTFS*] -[**--set**=*NAME*=*VALUE*] -[**--storage**] -[**--replace**] -LABEL IMAGE [ARG...] - -# DESCRIPTION +## SYNOPSIS +**podman container runlabel** [*options*] *LABEL* *IMAGE* [ARG...] + +## DESCRIPTION **podman container runlabel** reads the provided `LABEL` field in the container IMAGE and executes the provided value for the label as a command. If this field does not exist, `podman container runlabel` will just exit. @@ -51,8 +42,8 @@ is used. Any additional arguments will be appended to the command. -# OPTIONS: -**--authfile** +## OPTIONS: +**--authfile**=*path* Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands) @@ -65,25 +56,25 @@ environment variable. `export REGISTRY_AUTH_FILE=path` Display the label's value of the image having populated its environment variables. The runlabel command will not execute if --display is specified. -**--cert-dir** *path* +**--cert-dir**=*path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands) -**--creds** +**--creds**=*[username[:password]]* The [username[:password]] to use to authenticate with the registry if required. If one or both values are not supplied, a command line prompt will appear and the value can be entered. The password is entered without echo. -**--help** **-h** +**--help**, **-h** Print usage statement -**--name** **-n**="" +**--name**, **-n**=*name* Use this name for creating content for the container. NAME will default to the IMAGENAME if it is not specified. -**--quiet, -q** +**--quiet**, **-q** Suppress output information when pulling images @@ -92,13 +83,24 @@ Suppress output information when pulling images If a container exists of the default or given name, as needed it will be stopped, deleted and a new container will be created from this image. +**--rootfs**=*ROOTFS* + +Set rootfs + +**--set**=*NAME*=*VALUE* + +Set name & value + +**--storage** +Use storage + **--tls-verify** Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf (Not available for remote commands) -## Examples ## +## Examples Execute the run label of an image called foobar. ``` @@ -118,5 +120,5 @@ $ sudo podman container runlabel --display run foobar ## SEE ALSO podman(1) -# HISTORY +## HISTORY September 2018, Originally compiled by Brent Baude (bbaude at redhat dot com) diff --git a/docs/podman-cp.1.md b/docs/podman-cp.1.md index 76fe57a9e..bc9f17520 100644 --- a/docs/podman-cp.1.md +++ b/docs/podman-cp.1.md @@ -4,7 +4,7 @@ podman\-cp - Copy files/folders between a container and the local filesystem ## SYNOPSIS -**podman cp** [*container*:]*src_path* [*container*:]*dest_path* +**podman cp** [*options*] [*container*:]*src_path* [*container*:]*dest_path* ## DESCRIPTION Copies the contents of **src_path** to the **dest_path**. You can copy from the containers's filesystem to the local machine or the reverse, from the local filesystem to the container. @@ -63,7 +63,7 @@ Extract the tar file into the destination directory. If the destination director **--pause** -Pause the container while copying into it to avoid potential security issues around symlinks. Defaults to *true*. +Pause the container while copying into it to avoid potential security issues around symlinks. Defaults to *false*. ## ALTERNATIVES diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md index eafc6e27f..a4eebef4c 100644 --- a/docs/podman-create.1.md +++ b/docs/podman-create.1.md @@ -17,19 +17,19 @@ any point. The initial status of the container created with **podman create** is 'created'. ## OPTIONS -**--add-host**=[] +**--add-host**=*host* Add a custom host-to-IP mapping (host:ip) Add a line to /etc/hosts. The format is hostname:ip. The **--add-host** option can be set multiple times. -**--annotation**=[] +**--annotation**=*key=value* Add an annotation to the container. The format is key=value. The **--annotation** option can be set multiple times. -**--attach**, **-a**=[] +**--attach**, **-a**=*location* Attach to STDIN, STDOUT or STDERR. @@ -40,42 +40,42 @@ error. It can even pretend to be a TTY (this is what most commandline executables expect) and pass along signals. The **-a** option can be set for each of stdin, stdout, and stderr. -**--authfile** +**--authfile**=*path* Path of the authentication file. Default is ${XDG_\RUNTIME\_DIR}/containers/auth.json Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` (Not available for remote commands) -**--blkio-weight**=*0* +**--blkio-weight**=*weight* Block IO weight (relative weight) accepts a weight value between 10 and 1000. -**--blkio-weight-device**=[] +**--blkio-weight-device**=*weight* Block IO weight (relative device weight, format: `DEVICE_NAME:WEIGHT`). -**--cap-add**=[] +**--cap-add**=*capabilitiy* Add Linux capabilities -**--cap-drop**=[] +**--cap-drop**=*capabilitiy* Drop Linux capabilities -**--cgroup-parent**="" +**--cgroup-parent**=*path* Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist. -**--cidfile**="" +**--cidfile**=*id* Write the container ID to the file -**--conmon-pidfile**="" +**--conmon-pidfile**=*path* Write the pid of the `conmon` process to a file. `conmon` runs in a separate process than Podman, so this is necessary when using systemd to restart Podman containers. -**--cpu-count**=*0* +**--cpu-count**=*limit* Limit the number of CPUs available for execution by the container. @@ -83,13 +83,13 @@ On Windows Server containers, this is approximated as a percentage of total CPU On Windows Server containers, the processor resource controls are mutually exclusive, the order of precedence is CPUCount first, then CPUShares, and CPUPercent last. -**--cpu-period**=*0* +**--cpu-period**=*limit* Limit the CPU CFS (Completely Fair Scheduler) period Limit the container's CPU usage. This flag tell the kernel to restrict the container's CPU usage to the period you specify. -**--cpu-quota**=*0* +**--cpu-quota**=*limit* Limit the CPU CFS (Completely Fair Scheduler) quota @@ -97,13 +97,13 @@ Limit the container's CPU usage. By default, containers run with the full CPU resource. This flag tell the kernel to restrict the container's CPU usage to the quota you specify. -**--cpu-rt-period**=0 +**--cpu-rt-period**=*microseconds* Limit the CPU real-time period in microseconds Limit the container's Real Time CPU usage. This flag tell the kernel to restrict the container's Real Time CPU usage to the period you specify. -**--cpu-rt-runtime**=0 +**--cpu-rt-runtime**=*microseconds* Limit the CPU real-time runtime in microseconds @@ -112,7 +112,7 @@ Period of 1,000,000us and Runtime of 950,000us means that this container could c The sum of all runtimes across containers cannot exceed the amount allotted to the parent cgroup. -**--cpu-shares**=*0* +**--cpu-shares**=*shares* CPU shares (relative weight) @@ -149,15 +149,15 @@ PID container CPU CPU share 101 {C1} 1 100% of CPU1 102 {C1} 2 100% of CPU2 -**--cpus**=0.0 +**--cpus**=*number* Number of CPUs. The default is *0.0* which means no limit. -**--cpuset-cpus**="" +**--cpuset-cpus**=*cpus* CPUs in which to allow execution (0-3, 0,1) -**--cpuset-mems**="" +**--cpuset-mems**=*nodes* Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems. @@ -165,7 +165,7 @@ If you have four memory nodes on your system (0-3), use `--cpuset-mems=0,1` then processes in your container will only use memory from the first two memory nodes. -**--detach**, **-d**=*true*|*false* +**--detach**, **-d**=*true|false* Detached mode: run the container in the background and print the new container ID. The default is *false*. @@ -178,31 +178,31 @@ running) using a configurable key sequence. The default sequence is `ctrl-p,ctrl You configure the key sequence using the **--detach-keys** option or a configuration file. See **config-json(5)** for documentation on using a configuration file. -**--detach-keys**="" +**--detach-keys**=*char* Override the key sequence for detaching a container. Format is a single character `[a-Z]` or `ctrl-<value>` where `<value>` is one of: `a-z`, `@`, `^`, `[`, `\\`, `]`, `^` or `_`. -**--device**=[] +**--device**=*device* Add a host device to the container. The format is `<device-on-host>[:<device-on-container>][:<permissions>]` (e.g. --device=/dev/sdc:/dev/xvdc:rwm) -**--device-read-bps**=[] +**--device-read-bps**=*path* Limit read rate (bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb) -**--device-read-iops**=[] +**--device-read-iops**=*path* Limit read rate (IO per second) from a device (e.g. --device-read-iops=/dev/sda:1000) -**--device-write-bps**=[] +**--device-write-bps**=*path* Limit write rate (bytes per second) to a device (e.g. --device-write-bps=/dev/sda:1mb) -**--device-write-iops**=[] +**--device-write-iops**=*path* Limit write rate (IO per second) to a device (e.g. --device-write-iops=/dev/sda:1000) -**--dns**=[] +**--dns**=*dns* Set custom DNS servers @@ -214,15 +214,15 @@ is the case the **--dns** flags is necessary for every run. The special value **none** can be specified to disable creation of **/etc/resolv.conf** in the container by Podman. The **/etc/resolv.conf** file in the image will be used without changes. -**--dns-option**=[] +**--dns-option**=*option* Set custom DNS options -**--dns-search**=[] +**--dns-search**=*domain* Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain) -**--entrypoint** *"command"* | *'["command", "arg1", ...]'* +**--entrypoint**=*"command"* | *'["command", "arg1", ...]'* Overwrite the default ENTRYPOINT of the image @@ -239,7 +239,7 @@ ENTRYPOINT. You need to specify multi option commands in the form of a json string. -**--env**, **-e**=[] +**--env**, **-e**=*env* Set environment variables @@ -247,50 +247,50 @@ This option allows you to specify arbitrary environment variables that are available for the process that will be launched inside of the container. -**--env-file**=[] +**--env-file**=*file* Read in a line delimited file of environment variables -**--expose**=[] +**--expose**=*port* Expose a port, or a range of ports (e.g. --expose=3300-3310) to set up port redirection on the host system. -**--gidmap**=map +**--gidmap**=*container_gid:host_gid:amount* GID map for the user namespace. Using this flag will run the container with user namespace enabled. It conflicts with the `--userns` and `--subgidname` flags. -The following example maps uids 0-2000 in the container to the uids 30000-31999 on the host and gids 0-2000 in the container to the gids 30000-31999 on the host. +The following example maps uids 0-2000 in the container to the uids 30000-31999 on the host and gids 0-2000 in the container to the gids 30000-31999 on the host. `--gidmap=0:30000:2000` -**--group-add**=[] +**--group-add**=*group* Add additional groups to run as -**--healthcheck**="" +**--healthcheck**=*command* Set or alter a healthcheck command for a container. The command is a command to be executed inside your container that determines your container health. The command is required for other healthcheck options to be applied. A value of `none` disables existing healthchecks. -**--healthcheck-interval**="" +**--healthcheck-interval**=*interval* Set an interval for the healthchecks (a value of `disable` results in no automatic timer setup) (default "30s") -**--healthcheck-retries=** +**--healthcheck-retries**=*retries* The number of retries allowed before a healthcheck is considered to be unhealthy. The default value is `3`. -**--healthcheck-start-period**="" +**--healthcheck-start-period**=*period* The initialization time needed for a container to bootstrap. The value can be expressed in time format like `2m3s`. The default value is `0s` -**--healthcheck-timeout**="" +**--healthcheck-timeout**=*timeout* The maximum time allowed to complete the healthcheck before an interval is considered failed. Like start-period, the value can be expressed in a time format such as `1m22s`. The default value is `30s`. -**--hostname**="" +**--hostname**=*name* Container host name @@ -300,7 +300,7 @@ Sets the container host name that is available inside the container. Print usage statement -**--http-proxy**=*true*|*false* +**--http-proxy**=*true|false* By default proxy environment variables are passed into the container if set for the podman process. This can be disabled by setting the `--http-proxy` @@ -320,7 +320,7 @@ container: Defaults to `true` -**--image-volume**, **builtin-volume**=*bind*|*tmpfs*|*ignore* +**--image-volume**, **builtin-volume**=*bind|tmpfs|ignore* Tells podman how to handle the builtin image volumes. The options are: 'bind', 'tmpfs', or 'ignore' (default 'bind'). bind: A directory is created inside the container state directory and bind mounted into @@ -333,32 +333,32 @@ ignore: All volumes are just ignored and no action is taken. Run an init inside the container that forwards signals and reaps processes. -**--init-path**="" +**--init-path**=*path* Path to the container-init binary. -**--interactive**, **-i**=*true*|*false* +**--interactive**, **i**=*true|false* Keep STDIN open even if not attached. The default is *false*. -**--ip6**="" +**--ip6**=*ip* Not implemented -**--ip**="" +**--ip**=*ip* Specify a static IP address for the container, for example '10.88.64.128'. Can only be used if no additional CNI networks to join were specified via '--network=<network-name>', and if the container is not joining another container's network namespace via '--network=container:<name|id>'. The address must be within the default CNI network's pool (default 10.88.0.0/16). -**--ipc**="" +**--ipc**=*ipc* Default is to create a private IPC namespace (POSIX SysV IPC) for the container 'container:<name|id>': reuses another container shared memory, semaphores and message queues 'host': use the host shared memory,semaphores and message queues inside the container. Note: the host mode gives the container full access to local shared memory and is therefore considered insecure. 'ns:<path>' path to an IPC namespace to join. -**--kernel-memory**="" +**--kernel-memory**=*number[unit]* Kernel memory limit (format: `<number>[<unit>]`, where unit = b, k, m or g) @@ -368,15 +368,15 @@ is not limited. If you specify a limit, it may be rounded up to a multiple of the operating system's page size and the value can be very large, millions of trillions. -**--label**, **-l**=[] +**--label**, **-l**=*label* Add metadata to a container (e.g., --label com.example.key=value) -**--label-file**=[] +**--label-file**=*file* Read in a line delimited file of labels -**--link-local-ip**=[] +**--link-local-ip**=*ip* Not implemented @@ -384,13 +384,13 @@ Not implemented Logging driver for the container. Currently not supported. This flag is a NOOP provided soley for scripting compatibility. -**--log-opt**=[] +**--log-opt**=*path* Logging driver specific options. Used to set the path to the container log file. For example: `--log-opt path=/var/log/container/mycontainer.json` -**--mac-address**="" +**--mac-address**=*address* Container MAC address (e.g. 92:d0:c6:0a:29:33) @@ -400,7 +400,7 @@ according to RFC4862. Not currently supported -**--memory**, **-m**="" +**--memory**, **-m**=*limit* Memory limit (format: <number>[<unit>], where unit = b, k, m or g) @@ -410,7 +410,7 @@ RAM. If a limit of 0 is specified (not using **-m**), the container's memory is not limited. The actual limit may be rounded up to a multiple of the operating system's page size (the value would be very large, that's millions of trillions). -**--memory-reservation**="" +**--memory-reservation**=*limit* Memory soft limit (format: <number>[<unit>], where unit = b, k, m or g) @@ -420,7 +420,7 @@ reservation. So you should always set the value below **--memory**, otherwise th hard limit will take precedence. By default, memory reservation will be the same as memory limit. -**--memory-swap**="LIMIT" +**--memory-swap**=*limit* A limit value equal to memory plus swap. Must be used with the **-m** (**--memory**) flag. The swap `LIMIT` should always be larger than **-m** @@ -431,7 +431,7 @@ The format of `LIMIT` is `<number>[<unit>]`. Unit can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you don't specify a unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap. -**--memory-swappiness**="" +**--memory-swappiness**=*number* Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100. @@ -458,6 +458,7 @@ Current supported mount TYPES are bind, and tmpfs. Options specific to bind: · bind-propagation: shared, slave, private, rshared, rslave, or rprivate(default). See also mount(2). + . bind-nonrecursive: do not setup a recursive bind mount. By default it is recursive. Options specific to tmpfs: @@ -465,7 +466,7 @@ Current supported mount TYPES are bind, and tmpfs. · tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux. -**--name**="" +**--name**=*name* Assign a name to the container @@ -490,26 +491,26 @@ Set the Network mode for the container 'ns:<path>': path to a network namespace to join 'slirp4netns': use slirp4netns to create a user network stack. This is the default for rootless containers -**--network-alias**=[] +**--network-alias**=*alias* Not implemented -**--no-hosts**=*true*|*false* +**--no-hosts**=*true|false* Do not create /etc/hosts for the container. By default, Podman will manage /etc/hosts, adding the container's own IP address and any hosts from **--add-host**. **--no-hosts** disables this, and the image's **/etc/host** will be preserved unmodified. This option conflicts with **--add-host**. -**--oom-kill-disable**=*true*|*false* +**--oom-kill-disable**=*true|false* Whether to disable OOM Killer for the container or not. -**--oom-score-adj**="" +**--oom-score-adj**=*num* Tune the host's OOM preferences for containers (accepts -1000 to 1000) -**--pid**="" +**--pid**=*pid* Set the PID mode for the container Default is to create a private PID namespace for the container @@ -517,16 +518,16 @@ Default is to create a private PID namespace for the container 'host': use the host's PID namespace for the container. Note: the host mode gives the container full access to local PID and is therefore considered insecure. 'ns': join the specified PID namespace -**--pids-limit**="" +**--pids-limit**=*limit* Tune the container's pids limit. Set `-1` to have unlimited pids for the container. -**--pod**="" +**--pod**=*name* Run container in an existing pod. If you want podman to make the pod for you, preference the pod name with `new:`. To make a pod with more granular options, use the `podman pod create` command before creating a container. -**--privileged**=*true*|*false* +**--privileged**=*true|false* Give extended privileges to this container. The default is *false*. @@ -540,7 +541,7 @@ to all devices on the host, turns off graphdriver mount options, as well as turning off most of the security measures protecting the host from the container. -**--publish**, **-p**=[] +**--publish**, **-p**=*port* Publish a container's port, or range of ports, to the host @@ -552,7 +553,7 @@ but not `podman run -p 1230-1236:1230-1240 --name RangeContainerPortsBiggerThanR With ip: `podman run -p 127.0.0.1:$HOSTPORT:$CONTAINERPORT --name CONTAINER -t someimage` Use `podman port` to see the actual mapping: `podman port CONTAINER $CONTAINERPORT` -**--publish-all**, **-P**=*true*|*false* +**--publish-all**, **-P**=*true|false* Publish all exposed ports to random ports on the host interfaces. The default is *false*. @@ -564,11 +565,11 @@ port to a random port on the host within an *ephemeral port range* defined by `/proc/sys/net/ipv4/ip_local_port_range`. To find the mapping between the host ports and the exposed ports, use `podman port`. -**--quiet, -q** +**--quiet**, **-q** Suppress output information when pulling images -**--read-only**=*true*|*false* +**--read-only**=*true|false* Mount the container's root filesystem as read only. @@ -576,10 +577,11 @@ By default a container will have its root filesystem writable allowing processes to write files anywhere. By specifying the `--read-only` flag the container will have its root filesystem mounted as read only prohibiting any writes. -**--read-only-tmpfs**=*true*|*false* +**--read-only-tmpfs**=*true|false* + If container is running in --read-only mode, then mount a read-write tmpfs on /run, /tmp, and /var/tmp. The default is *true* -**--restart=""** +**--restart**=*policy* Restart policy to follow when containers exit. Restart policy will not take effect if a container is stopped via the `podman kill` or `podman stop` commands. @@ -593,7 +595,7 @@ Please note that restart will not restart containers after a system reboot. If this functionality is required in your environment, you can invoke Podman from a systemd unit file, or create an init script for whichever init system is in use. To generate systemd unit files, please see *podman generate systemd* -**--rm**=*true*|*false* +**--rm**=*true|false* Automatically remove the container when it exits. The default is *false*. @@ -608,7 +610,7 @@ If specified, the first argument refers to an exploded container on the file sys This is useful to run a container without requiring any image management, the rootfs of the container is assumed to be managed externally. -**--security-opt**=[] +**--security-opt**=*option* Security Options @@ -628,7 +630,7 @@ Security Options Note: Labelling can be disabled for all containers by setting label=false in the **libpod.conf** (`/etc/containers/libpod.conf`) file. -**--shm-size**="" +**--shm-size**=*size* Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`. Unit is optional and can be `b` (bytes), `k` (kilobytes), `m`(megabytes), or `g` (gigabytes). @@ -638,19 +640,19 @@ If you omit the unit, the system uses bytes. If you omit the size entirely, the Signal to stop a container. Default is SIGTERM. -**--stop-timeout**=*10* +**--stop-timeout**=*seconds* Timeout (in seconds) to stop a container. Default is 10. -**--subgidname**=name +**--subgidname**=*name* Name for GID map from the `/etc/subgid` file. Using this flag will run the container with user namespace enabled. This flag conflicts with `--userns` and `--gidmap`. -**--subuidname**=name +**--subuidname**=*name* Name for UID map from the `/etc/subuid` file. Using this flag will run the container with user namespace enabled. This flag conflicts with `--userns` and `--uidmap`. -**--sysctl**=SYSCTL +**--sysctl**=*SYSCTL* Configure namespaced kernel parameters at runtime @@ -666,7 +668,7 @@ Network Namespace - current sysctls allowed: Note: if you use the --network=host option these sysctls will not be allowed. -**--systemd**=*true*|*false* +**--systemd**=*true|false* Run container in systemd mode. The default is *true*. @@ -685,7 +687,9 @@ The `container_manage_cgroup` boolean must be enabled for this to be allowed on `setsebool -P container_manage_cgroup true` -**--tmpfs**=[] Create a tmpfs mount +**--tmpfs**=*fs* + +Create a tmpfs mount Mount a temporary filesystem (`tmpfs`) mount into a container, for example: @@ -696,7 +700,7 @@ options are the same as the Linux default `mount` flags. If you do not specify any options, the systems uses the following options: `rw,noexec,nosuid,nodev,size=65536k`. -**--tty**, **-t**=*true*|*false* +**--tty**, **-t**=*true|false* Allocate a pseudo-TTY. The default is *false*. @@ -707,17 +711,17 @@ interactive shell. The default is false. Note: The **-t** option is incompatible with a redirection of the podman client standard input. -**--uidmap**=map +**--uidmap**=*container_uid:host_uid:amount* UID map for the user namespace. Using this flag will run the container with user namespace enabled. It conflicts with the `--userns` and `--subuidname` flags. -The following example maps uids 0-2000 in the container to the uids 30000-31999 on the host and gids 0-2000 in the container to the gids 30000-31999 on the host. +The following example maps uids 0-2000 in the container to the uids 30000-31999 on the host and gids 0-2000 in the container to the gids 30000-31999 on the host. `--uidmap=0:30000:2000` -**--ulimit**=[] +**--ulimit**=*option* Ulimit options -**--user**, **-u**="" +**--user**, **-u**=*user* Sets the username or UID used and optionally the groupname or GID for the specified command. @@ -726,9 +730,9 @@ The followings examples are all valid: Without this argument the command will be run as root in the container. -**--userns**=host -**--userns**=keep-id -**--userns**=ns:my_namespace +**--userns**=*host* +**--userns**=*keep-id* +**--userns**=*ns:my_namespace* Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable. An empty value means user namespaces are disabled. @@ -844,7 +848,7 @@ If the location of the volume from the source container overlaps with data residing on a target container, then the volume hides that data on the target. -**--workdir**, **-w**="" +**--workdir**, **-w**=*dir* Working directory inside the container diff --git a/docs/podman-diff.1.md b/docs/podman-diff.1.md index 8837b744f..8d67ed82c 100644 --- a/docs/podman-diff.1.md +++ b/docs/podman-diff.1.md @@ -15,7 +15,7 @@ Displays changes on a container or image's filesystem. The container or image w Alter the output into a different format. The only valid format for diff is `json`. -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. diff --git a/docs/podman-events.1.md b/docs/podman-events.1.md index 3ccecac28..2097bb1f9 100644 --- a/docs/podman-events.1.md +++ b/docs/podman-events.1.md @@ -71,7 +71,7 @@ Print usage statement. Format the output using the given Go template. An output value of *json* is not supported. -**--filter**=[] +**--filter**=*filter* Filter events that are displayed. They must be in the format of "filter=value". The following filters are supported: @@ -84,12 +84,12 @@ filters are supported: In the case where an ID is used, the ID may be in its full or shortened form. -**--since**=[] +**--since**=*timestamp* Show all events created since the given timestamp -**--until**=[] +**--until**=*timestamp* Show all events created until the given timestamp diff --git a/docs/podman-exec.1.md b/docs/podman-exec.1.md index b74713b0b..07d24e295 100644 --- a/docs/podman-exec.1.md +++ b/docs/podman-exec.1.md @@ -10,23 +10,23 @@ podman\-exec - Execute a command in a running container **podman exec** executes a command in a running container. ## OPTIONS -**--env, -e** +**--env**, **-e** You may specify arbitrary environment variables that are available for the command to be executed. -**--interactive, -i** +**--interactive**, **-i** Not supported. All exec commands are interactive by default. -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. The latest option is not supported on the remote client. -**--preserve-fds=N** +**--preserve-fds**=*N* Pass down to the process N additional file descriptors (in addition to 0, 1, 2). The total FDs will be 3+N. @@ -34,17 +34,17 @@ Pass down to the process N additional file descriptors (in addition to 0, 1, 2). Give the process extended Linux capabilities when running the command in container. -**--tty, -t** +**--tty**, **-t** Allocate a pseudo-TTY. -**--user, -u** +**--user**, **-u** Sets the username or UID used and optionally the groupname or GID for the specified command. The following examples are all valid: --user [user | user:group | uid | uid:gid | user:gid | uid:group ] -**--workdir**, **-w**="" +**--workdir**, **-w**=*path* Working directory inside the container @@ -52,6 +52,34 @@ The default working directory for running binaries within a container is the roo The image developer can set a different default with the WORKDIR instruction, which can be overridden when creating the container. +## Exit Status + +The exit code from `podman exec` gives information about why the command within the container failed to run or why it exited. When `podman exec` exits with a +non-zero code, the exit codes follow the `chroot` standard, see below: + +**_125_** if the error is with podman **_itself_** + + $ podman exec --foo ctrID /bin/sh; echo $? + Error: unknown flag: --foo + 125 + +**_126_** if the **_contained command_** cannot be invoked + + $ podman exec ctrID /etc; echo $? + Error: container_linux.go:346: starting container process caused "exec: \"/etc\": permission denied": OCI runtime error + 126 + +**_127_** if the **_contained command_** cannot be found + + $ podman exec ctrID foo; echo $? + Error: container_linux.go:346: starting container process caused "exec: \"foo\": executable file not found in $PATH": OCI runtime error + 127 + +**_Exit code_** of **_contained command_** otherwise + + $ podman exec ctrID /bin/sh -c 'exit 3' + # 3 + ## EXAMPLES $ podman exec -it ctrID ls diff --git a/docs/podman-export.1.md b/docs/podman-export.1.md index 5928a8080..27ebc724f 100644 --- a/docs/podman-export.1.md +++ b/docs/podman-export.1.md @@ -20,7 +20,7 @@ Note: `:` is a restricted character and cannot be part of the file name. ## OPTIONS -**--output, -o** +**--output**, **-o** Write to a file, default is STDOUT diff --git a/docs/podman-generate-kube.1.md b/docs/podman-generate-kube.1.md index 99029be90..88d8e9627 100644 --- a/docs/podman-generate-kube.1.md +++ b/docs/podman-generate-kube.1.md @@ -1,30 +1,29 @@ -% podman-generate Podman Man Pages -% Brent Baude -% December 2018 -# NAME +% podman-generate-kube(1) +## NAME podman-generate-kube - Generate Kubernetes YAML -# SYNOPSIS -**podman generate kube** [*-s*|*--service*] *container* | *pod* +## SYNOPSIS +**podman generate kube** [*options*] *container* | *pod* -# DESCRIPTION +## DESCRIPTION **podman generate kube** will generate Kubernetes Pod YAML (v1 specification) from a podman container or pod. Whether the input is for a container or pod, Podman will always generate the specification as a Pod. The input may be in the form of a pod or container name or ID. -The **service** option can be used to generate a Service specification for the corresponding Pod ouput. In particular, -if the object has portmap bindings, the service specification will include a NodePort declaration to expose the service. A -random port is assigned by Podman in the specification. - Note that the generated Kubernetes YAML file can be used to re-run the deployment via podman-play-kube(1). -# OPTIONS: +## OPTIONS: + +**--filename**, **-f**=**filename** -**--service** **-s** +Output to the given file, instead of STDOUT. If the file already exists, `generate kube` will refuse to replace it and return an error. -Generate a Kubernetes service object in addition to the Pods. +**--service**, **-s** + +Generate a Kubernetes service object in addition to the Pods. Used to generate a Service specification for the corresponding Pod ouput. In particular, if the object has portmap bindings, the service specification will include a NodePort declaration to expose the service. A +random port is assigned by Podman in the specification. -## Examples ## +## Examples Create Kubernetes Pod YAML for a container called `some-mariadb` . ``` @@ -147,5 +146,5 @@ status: ## SEE ALSO podman(1), podman-container(1), podman-pod(1), podman-play-kube(1) -# HISTORY +## HISTORY Decemeber 2018, Originally compiled by Brent Baude (bbaude at redhat dot com) diff --git a/docs/podman-generate-systemd.1.md b/docs/podman-generate-systemd.1.md index cc3f098a6..09752480d 100644 --- a/docs/podman-generate-systemd.1.md +++ b/docs/podman-generate-systemd.1.md @@ -1,34 +1,32 @@ -% podman-generate Podman Man Pages -% Brent Baude -% April 2019 -# NAME +% podman-generate-systemd(1) + +## NAME podman-generate-systemd- Generate Systemd Unit file -# SYNOPSIS -**podman generate systemd** [*-n*|*--name*] [*-t*|*--timeout*] [*--restart-policy*] *container* +## SYNOPSIS +**podman generate systemd** [*options*] *container* -# DESCRIPTION +## DESCRIPTION **podman generate systemd** will create a Systemd unit file that can be used to control a container. The command will dynamically create the unit file and output it to stdout where it can be piped by the user to a file. The options can be used to influence the results of the output as well. -# OPTIONS: +## OPTIONS: -**--name** **-n** +**--name**, **-n** Use the name of the container for the start, stop, and description in the unit file -**--timeout** **-t** +**--timeout**, **-t**=*value* Override the default stop timeout for the container with the given value. -**--restart-policy** +**--restart-policy**=*policy* Set the SystemD restart policy. The restart-policy must be one of: "no", "on-success", "on-failure", "on-abnormal", "on-watchdog", "on-abort", or "always". The default policy is *on-failure*. -## Examples ## - +## Examples Create a systemd unit file for a container running nginx: ``` @@ -65,5 +63,5 @@ WantedBy=multi-user.target ## SEE ALSO podman(1), podman-container(1) -# HISTORY +## HISTORY April 2019, Originally compiled by Brent Baude (bbaude at redhat dot com) diff --git a/docs/podman-history.1.md b/docs/podman-history.1.md index b8f86026b..5ee87c185 100644 --- a/docs/podman-history.1.md +++ b/docs/podman-history.1.md @@ -27,7 +27,7 @@ Valid placeholders for the Go template are listed below: ## OPTIONS -**--human, -H** +**--human**, **-H** Display sizes and dates in human readable format @@ -35,11 +35,11 @@ Display sizes and dates in human readable format Do not truncate the output -**--quiet, -q** +**--quiet**, **-q** Print the numeric IDs only -**--format** +**--format**=*format* Alter the output for a format like 'json' or a Go template. diff --git a/docs/podman-image-exists.1.md b/docs/podman-image-exists.1.md index 1dc264a6b..f6a89e2aa 100644 --- a/docs/podman-image-exists.1.md +++ b/docs/podman-image-exists.1.md @@ -1,19 +1,24 @@ -% PODMAN(1) Podman Man Pages -% Brent Baude -% November 2018 -# NAME +% podman-image-exists(1) + +## NAME podman-image-exists - Check if an image exists in local storage -# SYNOPSIS -**podman image exists** [*-h*|*--help*] *image* +## SYNOPSIS +**podman image exists** [*options*] *image* -# DESCRIPTION +## DESCRIPTION **podman image exists** checks if an image exists in local storage. The **ID** or **Name** of the image may be used as input. Podman will return an exit code of `0` when the image is found. A `1` will be returned otherwise. An exit code of `125` indicates there was an issue accessing the local storage. -## Examples ## +## OPTIONS + +**--help**, **-h** + +Print usage statement + +## Examples Check if an image called `webclient` exists in local storage (the image does actually exist). ``` @@ -34,5 +39,5 @@ $ ## SEE ALSO podman(1) -# HISTORY +## HISTORY November 2018, Originally compiled by Brent Baude (bbaude at redhat dot com) diff --git a/docs/podman-image-prune.1.md b/docs/podman-image-prune.1.md index 7d5fd2fc8..52278746d 100644 --- a/docs/podman-image-prune.1.md +++ b/docs/podman-image-prune.1.md @@ -1,22 +1,25 @@ -% PODMAN(1) Podman Man Pages -% Brent Baude -% December 2018 -# NAME +% podman-image-prune(1) + +## NAME podman-image-prune - Remove all unused images -# SYNOPSIS -**podman image prune** [*-a*|*--all*] [*-h*|*--help*] +## SYNOPSIS +**podman image prune** [*options*] -# DESCRIPTION +## DESCRIPTION **podman image prune** removes all dangling images from local storage. With the `all` option, you can delete all unused images. Unused images are dangling images as well as any image that does not have any containers based on it. ## OPTIONS -**--all, -a** +**--all**, **-a** Remove dangling images and images that have no associated containers. +**--help**, **-h** + +Print usage statement + ## Examples ## Remove all dangling images from local storage @@ -41,5 +44,5 @@ e4e5109420323221f170627c138817770fb64832da7d8fe2babd863148287fca ## SEE ALSO podman(1), podman-images -# HISTORY +## HISTORY December 2018, Originally compiled by Brent Baude (bbaude at redhat dot com) diff --git a/docs/podman-image-sign.1.md b/docs/podman-image-sign.1.md index 804ee03db..c425fcf2e 100644 --- a/docs/podman-image-sign.1.md +++ b/docs/podman-image-sign.1.md @@ -1,36 +1,32 @@ % podman-image-sign(1) -# NAME +## NAME podman-image-sign - Create a signature for an image -# SYNOPSIS -**podman image sign** -[**--help**|**-h**] -[**--directory**|**-d**] -[**--sign-by**] -[ IMAGE... ] +## SYNOPSIS +**podman image sign** [*options*] *image* [*image* ...] -# DESCRIPTION +## DESCRIPTION **podmain image sign** will create a local signature for one or more local images that have been pulled from a registry. The signature will be written to a directory derived from the registry configuration files in /etc/containers/registries.d. By default, the signature will be written into /var/lib/containers/sigstore directory. -# OPTIONS -**--help** **-h** +## OPTIONS +**--help**, **-h** Print usage statement. -**--directory** **-d** +**--directory**, **-d**=*dir* Store the signatures in the specified directory. Default: /var/lib/containers/sigstore -**--sign-by** +**--sign-by**=*identity* Override the default identity of the signature. -# EXAMPLES +## EXAMPLES Sign the busybox image with the identify of foo@bar.com with a user's keyring and save the signature in /tmp/signatures/. sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar -# RELATED CONFIGURATION +## RELATED CONFIGURATION The write (and read) location for signatures is defined in YAML-based configuration files in /etc/containers/registries.d/. When you sign @@ -48,5 +44,5 @@ the signature will be written into subdirectories of /var/lib/containers/sigstore/privateregistry.example.com. The use of 'sigstore' also means the signature will be 'read' from that same location on a pull-related function. -# HISTORY +## HISTORY November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com) diff --git a/docs/podman-image-tree.1.md b/docs/podman-image-tree.1.md index 3920aabde..5ffd995f6 100644 --- a/docs/podman-image-tree.1.md +++ b/docs/podman-image-tree.1.md @@ -4,8 +4,8 @@ podman\-image\-tree - Prints layer hierarchy of an image in a tree format ## SYNOPSIS -**podman image tree** [*image*:*tag*]|[*image-id*] -[**--help**|**-h**] +**podman image tree** [*options*] *image:tag*|*image-id* + ## DESCRIPTION Prints layer hierarchy of an image in a tree format. diff --git a/docs/podman-image-trust.1.md b/docs/podman-image-trust.1.md index f96a7996f..7c5b70833 100644 --- a/docs/podman-image-trust.1.md +++ b/docs/podman-image-trust.1.md @@ -1,19 +1,13 @@ -% podman-image-trust "1" +% podman-image-trust(1) -# NAME +## NAME podman\-image\-trust - Manage container registry image trust policy -# SYNOPSIS -**podman image trust** set|show -[**-h**|**--help**] -[**-j**|**--json**] -[**--raw**] -[**-f**|**--pubkeysfile** KEY1 [**-f**|**--pubkeysfile** KEY2,...]] -[**-t**|**--type** signedBy|accept|reject] -REGISTRY[/REPOSITORY] +## SYNOPSIS +**podman image trust** set|show [*options*] *REGISTRY[/REPOSITORY]* -# DESCRIPTION +## DESCRIPTION Manages which registries you trust as a source of container images based on its location. The location is determined by the transport and the registry host of the image. Using this container image `docker://docker.io/library/busybox` as an example, `docker` is the transport and `docker.io` is the registry host. @@ -40,32 +34,33 @@ Require signature (“signedBy”). Trust may be updated using the command **podman image trust set** for an existing trust scope. -# OPTIONS -**-h** **--help** +## OPTIONS +**-h**, **--help** Print usage statement. -**-f** **--pubkeysfile** +**-f**, **--pubkeysfile**=*KEY1* A path to an exported public key on the local system. Key paths will be referenced in policy.json. Any path to a file may be used but locating the file in **/etc/pki/containers** is recommended. Options may be used multiple times to require an image be signed by multiple keys. The **--pubkeysfile** option is required for the **signedBy** type. -**-t** **--type** - The trust type for this policy entry. Accepted values: +**-t**, **--type**=*value* + The trust type for this policy entry. + Accepted values: **signedBy** (default): Require signatures with corresponding list of public keys **accept**: do not require any signatures for this registry scope **reject**: do not accept images for this registry scope -# show OPTIONS +## show OPTIONS **--raw** Output trust policy file as raw JSON -**-j** **--json** +**-j**, **--json** Output trust as JSON for machine parsing -# EXAMPLES +## EXAMPLES Accept all unsigned images from a registry @@ -87,10 +82,10 @@ Display trust as JSON sudo podman image trust show --json -# SEE ALSO +## SEE ALSO policy-json(5) -# HISTORY +## HISTORY January 2019, updated by Tom Sweeney (tsweeney at redhat dot com) December 2018, originally compiled by Qi Wang (qiwan at redhat dot com) diff --git a/docs/podman-images.1.md b/docs/podman-images.1.md index 832df0e23..2a732de57 100644 --- a/docs/podman-images.1.md +++ b/docs/podman-images.1.md @@ -4,14 +4,14 @@ podman\-images - List images in local storage ## SYNOPSIS -**podman** **images** [*options*] +**podman images** [*options*] ## DESCRIPTION Displays locally stored images, their names, and their IDs. ## OPTIONS -**--all, -a** +**-a**, **--all** Show all images (by default filter out the intermediate image layers). The default is false. @@ -19,28 +19,28 @@ Show all images (by default filter out the intermediate image layers). The defau Show image digests -**--filter, -f=[]** +**-f**, **--filter**=*filter* -Filter output based on conditions provided (default []) +Filter output based on conditions provided -**--format** +**--format**=*format* Change the default output format. This can be of a supported type like 'json' or a Go template. -**--noheading, -n** +**--noheading**, **-n** Omit the table headings from the listing of images. -**--no-trunc, --notruncate** +**--no-trunc**, **--notruncate** Do not truncate output. -**--quiet, -q** +**--quiet**, **-q** Lists only the image IDs. -**--sort** +**--sort**=*sort* Sort by created, id, repository, size or tag (default: created) diff --git a/docs/podman-import.1.md b/docs/podman-import.1.md index d9720f81d..6c625bc8d 100644 --- a/docs/podman-import.1.md +++ b/docs/podman-import.1.md @@ -16,17 +16,17 @@ Note: `:` is a restricted character and cannot be part of the file name. ## OPTIONS -**--change, -c** +**-c**, **--change**=*instruction* Apply the following possible instructions to the created image: **CMD** | **ENTRYPOINT** | **ENV** | **EXPOSE** | **LABEL** | **STOPSIGNAL** | **USER** | **VOLUME** | **WORKDIR** Can be set multiple times -**--message, -m** +**--message**, **-m**=*message* Set commit message for imported image -**--quiet, -q** +**--quiet**, **-q** Shows progress on the import diff --git a/docs/podman-info.1.md b/docs/podman-info.1.md index edd0252f6..a7b259c95 100644 --- a/docs/podman-info.1.md +++ b/docs/podman-info.1.md @@ -15,11 +15,11 @@ Displays information pertinent to the host, current storage stats, configured co ## OPTIONS -**--debug, -D** +**-D**, **--debug** Show additional information -**--format, -f** +**-f**, **--format**=*format* Change output format to "json" or a Go template. diff --git a/docs/podman-init.1.md b/docs/podman-init.1.md index f43757f62..a6bb391ec 100644 --- a/docs/podman-init.1.md +++ b/docs/podman-init.1.md @@ -4,7 +4,7 @@ podman\-init - Initialize one or more containers ## SYNOPSIS -**podman init** [*options*] *container* ... +**podman init** [*options*] *container* [*container*...] ## DESCRIPTION Initialize one or more containers. @@ -16,11 +16,12 @@ This can be used to inspect the container before it runs, or debug why a contain ## OPTIONS -**--all, -a** +**--all**, **-a** Initialize all containers. Containers that have already initialized (including containers that have been started and are running) are ignored. -**--latest, -l** +**--latest**, **-l** + Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. diff --git a/docs/podman-inspect.1.md b/docs/podman-inspect.1.md index 8b67c7dac..f1630c713 100644 --- a/docs/podman-inspect.1.md +++ b/docs/podman-inspect.1.md @@ -4,7 +4,7 @@ podman\-inspect - Display a container or image's configuration ## SYNOPSIS -**podman inspect** [*options*] *name* ... +**podman inspect** [*options*] *name* [...] **podman image inspect** [*options*] *image* @@ -17,24 +17,24 @@ unspecified type. If a format is specified, the given template will be executed ## OPTIONS -**--type, -t="TYPE"** +**--type**, **-t**=*type* Return JSON for the specified type. Type can be 'container', 'image' or 'all' (default: all) (Only meaningful when invoked as *podman inspect*) -**--format, -f="FORMAT"** +**--format**, **-f**=*format* Format the output using the given Go template. The keys of the returned JSON can be used as the values for the --format flag (see examples below). -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. The latest option is not supported on the remote client or when invoked as *podman image inspect*. -**--size, -s** +**--size**, **-s** Display the total file size if the type is a container diff --git a/docs/podman-kill.1.md b/docs/podman-kill.1.md index 1c14b71d5..118246fdb 100644 --- a/docs/podman-kill.1.md +++ b/docs/podman-kill.1.md @@ -10,18 +10,18 @@ podman\-kill - Kills one or more containers with a signal The main process inside each container specified will be sent SIGKILL, or any signal specified with option --signal. ## OPTIONS -**--all, -a** +**--all**, **-a** Signal all running containers. This does not include paused containers. -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. The latest option is not supported on the remote client. -**--signal, s** +**--signal**, **s** Signal to send to the container. For more information on Linux signals, refer to *man signal(7)*. diff --git a/docs/podman-load.1.md b/docs/podman-load.1.md index a3443a229..0a47c18c1 100644 --- a/docs/podman-load.1.md +++ b/docs/podman-load.1.md @@ -4,7 +4,7 @@ podman\-load - Load an image from a container image archive into container storage ## SYNOPSIS -**podman load** [*name*[:*tag*]] +**podman load** [*options*] [*name*[:*tag*]] ## DESCRIPTION **podman load** loads an image from either an **oci-archive** or **docker-archive** stored on the local machine into container storage. **podman load** reads from stdin by default or a file if the **input** option is set. @@ -22,13 +22,13 @@ Note: `:` is a restricted character and cannot be part of the file name. ## OPTIONS -**--input, -i** +**--input**, **-i**=*input* Read from archive file, default is STDIN. The remote client requires the use of this option. -**--quiet, -q** +**--quiet**, **-q** Suppress the progress output diff --git a/docs/podman-login.1.md b/docs/podman-login.1.md index f96803c58..9be67e5a4 100644 --- a/docs/podman-login.1.md +++ b/docs/podman-login.1.md @@ -21,7 +21,7 @@ flag. The default path used is **${XDG\_RUNTIME_DIR}/containers/auth.json**. ## OPTIONS -**--password, -p** +**--password**, **-p**=*password* Password for registry @@ -29,11 +29,11 @@ Password for registry Take the password from stdin -**--username, -u** +**--username**, **-u=***username* Username for registry -**--authfile** +**--authfile**=*path* Path of the authentication file. Default is ${XDG_\RUNTIME\_DIR}/containers/auth.json (Not available for remote commands) @@ -44,12 +44,12 @@ environment variable. `export REGISTRY_AUTH_FILE=path` Return the logged-in user for the registry. Return error if no login is found. -**--cert-dir** *path* +**--cert-dir**=*path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands) -**--tls-verify** +**--tls-verify**=*true|false* Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, diff --git a/docs/podman-logout.1.md b/docs/podman-logout.1.md index b30328d5b..56d661309 100644 --- a/docs/podman-logout.1.md +++ b/docs/podman-logout.1.md @@ -20,14 +20,14 @@ All the cached credentials can be removed by setting the **all** flag. ## OPTIONS -**--authfile** +**--authfile**=*path* Path of the authentication file. Default is ${XDG_\RUNTIME\_DIR}/containers/auth.json (Not available for remote commands) Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` -**--all, -a** +**--all**, **-a** Remove the cached credentials for all registries in the auth file diff --git a/docs/podman-logs.1.md b/docs/podman-logs.1.md index 7feae1b76..310eff438 100644 --- a/docs/podman-logs.1.md +++ b/docs/podman-logs.1.md @@ -1,12 +1,12 @@ -% podman-container-logs(1) +% podman-logs(1) ## NAME podman\-container\-logs (podman\-logs) - Fetch the logs of one or more containers ## SYNOPSIS -**podman** **container** **logs** [*options*] *container* [*container...*] +**podman container logs** [*options*] *container* [*container...*] -**podman** **logs** [*options*] *container* [*container...*] +**podman logs** [*options*] *container* [*container...*] ## DESCRIPTION The podman logs command batch-retrieves whatever logs are present for one or more containers at the time of execution. @@ -15,7 +15,7 @@ any logs at the time you execute podman logs ## OPTIONS -**--follow, -f** +**--follow**, **-f** Follow log output. Default is false. @@ -23,26 +23,26 @@ Note: If you are following a container which is removed `podman container rm` or removed on exit `podman run --rm ...`, then there is a chance the the log file will be removed before `podman logs` reads the final content. -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. The latest option is not supported on the remote client. -**--since=TIMESTAMP** +**--since**=*TIMESTAMP* Show logs since TIMESTAMP. The --since option can be Unix timestamps, date formatted timestamps, or Go duration strings (e.g. 10m, 1h30m) computed relative to the client machine's time. Supported formats for date formatted time stamps include RFC3339Nano, RFC3339, 2006-01-02T15:04:05, 2006-01-02T15:04:05.999999999, 2006-01-02Z07:00, and 2006-01-02. -**--tail=LINES** +**--tail**=*LINES* Output the specified number of LINES at the end of the logs. LINES must be a positive integer. Defaults to 0, which prints all lines -**--timestamps, -t** +**--timestamps**, **-t** Show timestamps in the log outputs. The default is false diff --git a/docs/podman-mount.1.md b/docs/podman-mount.1.md index e244e5daf..6b8eb77d9 100644 --- a/docs/podman-mount.1.md +++ b/docs/podman-mount.1.md @@ -4,7 +4,7 @@ podman\-mount - Mount the specifed working containers' root filesystem ## SYNOPSIS -**podman** **mount** [*container* ...] +**podman mount** [*container* ...] ## DESCRIPTION Mounts the specified containers' root file system in a location which can be @@ -19,15 +19,15 @@ returned. ## OPTIONS -**--all, a** +**--all**, **a** Mount all containers. -**--format** +**--format**=*format* Print the mounted containers in specified format (json) -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last diff --git a/docs/podman-pause.1.md b/docs/podman-pause.1.md index f19fa5d6a..18080ec04 100644 --- a/docs/podman-pause.1.md +++ b/docs/podman-pause.1.md @@ -11,7 +11,7 @@ Pauses all the processes in one or more containers. You may use container IDs o ## OPTIONS -**--all, -a** +**--all**, **-a** Pause all running containers. diff --git a/docs/podman-play-kube.1.md b/docs/podman-play-kube.1.md index a3a6abbe7..f9a867b44 100644 --- a/docs/podman-play-kube.1.md +++ b/docs/podman-play-kube.1.md @@ -1,20 +1,12 @@ -% podman-play-kube Podman Man Pages -% Brent Baude -% December 2018 -# NAME +% podman-play-kube(1) + +## NAME podman-play-kube - Create pods and containers based on Kubernetes YAML -# SYNOPSIS -**podman play kube** -[**-h**|**--help**] -[**--authfile**] -[**--cert-dir**] -[**--creds**] -[***-q** | **--quiet**] -[**--tls-verify**] -kubernetes_input.yml - -# DESCRIPTION +## SYNOPSIS +**podman play kube** [*options*] *file***.yml** + +## DESCRIPTION **podman play kube** will read in a structured file of Kubernetes YAML. It will then recreate the pod and containers described in the YAML. The containers within the pod are then started and the ID of the new Pod is output. @@ -23,9 +15,9 @@ Ideally the input file would be one created by Podman (see podman-generate-kube( Note: HostPath volume types created by play kube will be given an SELinux private label (Z) -# OPTIONS: +## OPTIONS: -**--authfile** +**--authfile**=*path* Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands) @@ -33,7 +25,7 @@ If the authorization state is not found there, $HOME/.docker/config.json is chec Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` -**--cert-dir** *path* +**--cert-dir**=*path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands) @@ -44,11 +36,11 @@ The [username[:password]] to use to authenticate with the registry if required. If one or both values are not supplied, a command line prompt will appear and the value can be entered. The password is entered without echo. -**--quiet, -q** +**--quiet**, **-q** Suppress output information when pulling images -**--tls-verify** +**--tls-verify**=*true|false* Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, @@ -58,7 +50,7 @@ TLS verification will be used unless the target registry is listed as an insecur Print usage statement -## Examples ## +## Examples Recreate the pod and containers as described in a file called `demo.yml` ``` @@ -69,5 +61,5 @@ $ podman play kube demo.yml ## SEE ALSO podman(1), podman-container(1), podman-pod(1), podman-generate-kube(1), podman-play(1) -# HISTORY +## HISTORY Decemeber 2018, Originally compiled by Brent Baude (bbaude at redhat dot com) diff --git a/docs/podman-pod-create.1.md b/docs/podman-pod-create.1.md index 02fdebfbd..009a93019 100644 --- a/docs/podman-pod-create.1.md +++ b/docs/podman-pod-create.1.md @@ -15,7 +15,7 @@ containers added to it. The pod id is printed to STDOUT. You can then use ## OPTIONS -**--cgroup-parent**="" +**--cgroup-parent**=*path* Path to cgroups under which the cgroup for the pod will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist. @@ -27,31 +27,31 @@ Print usage statement Create an infra container and associate it with the pod. An infra container is a lightweight container used to coordinate the shared kernel namespace of a pod. Default: true -**--infra-command**="" +**--infra-command**=*command* The command that will be run to start the infra container. Default: "/pause" -**--infra-image**="" +**--infra-image**=*image* The image that will be created for the infra container. Default: "k8s.gcr.io/pause:3.1" -**-l**, **--label**=[] +**-l**, **--label**=*label* Add metadata to a pod (e.g., --label com.example.key=value) -**--label-file**=[] +**--label-file**=*label* Read in a line delimited file of labels -**-n**, **--name**="" +**-n**, **--name**=*name* Assign a name to the pod -**--podidfile**="" +**--podidfile**=*podid* Write the pod ID to the file -**-p**, **--publish**=[] +**-p**, **--publish**=*port* Publish a port or range of ports from the pod to the host @@ -62,7 +62,7 @@ Use `podman port` to see the actual mapping: `podman port CONTAINER $CONTAINERPO NOTE: This cannot be modified once the pod is created. -**--share**="" +**--share**=*namespace* A comma deliminated list of kernel namespaces to share. If none or "" is specified, no namespaces will be shared. The namespaces to choose from are ipc, net, pid, user, uts. diff --git a/docs/podman-pod-exists.1.md b/docs/podman-pod-exists.1.md index da3947511..cf2852934 100644 --- a/docs/podman-pod-exists.1.md +++ b/docs/podman-pod-exists.1.md @@ -1,13 +1,12 @@ -% podman-pod-exits(1) Podman Man Pages -% Brent Baude -% December 2018 -# NAME +% podman-pod-exists(1) + +## NAME podman-pod-exists - Check if a pod exists in local storage -# SYNOPSIS -**podman pod exists** [*-h*|*--help*] *pod* +## SYNOPSIS +**podman pod exists** *pod* -# DESCRIPTION +## DESCRIPTION **podman pod exists** checks if a pod exists in local storage. The **ID** or **Name** of the pod may be used as input. Podman will return an exit code of `0` when the pod is found. A `1` will be returned otherwise. An exit code of `125` indicates there @@ -34,5 +33,5 @@ $ ## SEE ALSO podman-pod(1), podman(1) -# HISTORY +## HISTORY December 2018, Originally compiled by Brent Baude (bbaude at redhat dot com) diff --git a/docs/podman-pod-inspect.1.md b/docs/podman-pod-inspect.1.md index a4e6a5559..831d28259 100644 --- a/docs/podman-pod-inspect.1.md +++ b/docs/podman-pod-inspect.1.md @@ -11,7 +11,7 @@ Displays configuration and state information about a given pod. It also display that belong to the pod. ## OPTIONS -**--latest, -l** +**--latest**, **-l** Instead of providing the pod name or ID, use the last created pod. If you use methods other than Podman to run pods such as CRI-O, the last started pod could be from either of those methods. diff --git a/docs/podman-pod-kill.1.md b/docs/podman-pod-kill.1.md index d617acd66..069db70d2 100644 --- a/docs/podman-pod-kill.1.md +++ b/docs/podman-pod-kill.1.md @@ -10,18 +10,18 @@ podman\-pod\-kill - Kills all containers in one or more pods with a signal The main process of each container inside the pods specified will be sent SIGKILL, or any signal specified with option --signal. ## OPTIONS -**--all, -a** +**--all**, **-a** Sends signal to all containers associated with a pod. -**--latest, -l** +**--latest**, **-l** Instead of providing the pod name or ID, use the last created pod. If you use methods other than Podman to run pods such as CRI-O, the last started pod could be from either of those methods. The latest option is not supported on the remote client. -**--signal, -s** +**--signal**, **-s** Signal to send to the containers in the pod. For more information on Linux signals, refer to *man signal(7)*. diff --git a/docs/podman-pod-pause.1.md b/docs/podman-pod-pause.1.md index 0ed63a7f8..9533ed4a1 100644 --- a/docs/podman-pod-pause.1.md +++ b/docs/podman-pod-pause.1.md @@ -11,11 +11,11 @@ Pauses all the running processes in the containers of one or more pods. You may ## OPTIONS -**--all, -a** +**--all**, **-a** Pause all pods. -**--latest, -l** +**--latest**, **-l** Instead of providing the pod name or ID, pause the last created pod. diff --git a/docs/podman-pod-prune.1.md b/docs/podman-pod-prune.1.md index 121198de7..f79961b2f 100644 --- a/docs/podman-pod-prune.1.md +++ b/docs/podman-pod-prune.1.md @@ -1,17 +1,15 @@ -% % podman-pod-prune (1) -% Peter Hunt -% April 2019 -# NAME +% podman-pod-prune(1) + +## NAME podman-pod-prune - Remove all stopped pods -# SYNOPSIS -**podman pod prune** [*-h*|*--help*] +## SYNOPSIS +**podman pod prune** -# DESCRIPTION +## DESCRIPTION **podman pod prune** removes all stopped pods from local storage. -## Examples ## - +## EXAMPLES Remove all stopped pods from local storage ``` $ sudo podman pod prune @@ -25,5 +23,5 @@ $ sudo podman pod prune ## SEE ALSO podman-pod(1), podman-pod-ps(1), podman-pod-rm(1) -# HISTORY +## HISTORY April 2019, Originally compiled by Peter Hunt (pehunt at redhat dot com) diff --git a/docs/podman-pod-ps.1.md b/docs/podman-pod-ps.1.md index ee215154a..65a7072ab 100644 --- a/docs/podman-pod-ps.1.md +++ b/docs/podman-pod-ps.1.md @@ -38,7 +38,7 @@ Includes the container IDs in the container info field Includes the container statuses in the container info field -**--latest, -l** +**--latest**,**-l** Show the latest pod created (all states) @@ -48,11 +48,11 @@ The latest option is not supported on the remote client. Display the extended information -**--quiet, -q** +**--quiet**, **-q** Print the numeric IDs of the pods only -**--format** +**--format**=*format* Pretty-print containers to JSON or using a Go template @@ -75,7 +75,7 @@ Sort by created, ID, name, status, or number of containers Default: created -**--filter, -f** +**--filter**, **-f=***filter* Filter output based on conditions given diff --git a/docs/podman-pod-restart.1.md b/docs/podman-pod-restart.1.md index cd6e5c8ce..57f479102 100644 --- a/docs/podman-pod-restart.1.md +++ b/docs/podman-pod-restart.1.md @@ -14,11 +14,11 @@ When restarting multiple pods, an error from restarting one pod will not effect ## OPTIONS -**--all, -a** +**--all**, **-a** Restarts all pods -**--latest, -l** +**--latest**, **-l** Instead of providing the pod name or ID, restart the last created pod. diff --git a/docs/podman-pod-rm.1.md b/docs/podman-pod-rm.1.md index 7cd7c26bc..6659534b4 100644 --- a/docs/podman-pod-rm.1.md +++ b/docs/podman-pod-rm.1.md @@ -11,17 +11,17 @@ podman\-pod\-rm - Remove one or more pods ## OPTIONS -**--all, -a** +**--all**, **-a** Remove all pods. Can be used in conjunction with \-f as well. -**--latest, -l** +**--latest**, **-l** Instead of providing the pod name or ID, remove the last created pod. The latest option is not supported on the remote client. -**--force, -f** +**--force**, **-f** Stop running containers and delete all stopped containers before removal of pod. diff --git a/docs/podman-pod-start.1.md b/docs/podman-pod-start.1.md index 27e40740f..29960d6aa 100644 --- a/docs/podman-pod-start.1.md +++ b/docs/podman-pod-start.1.md @@ -12,11 +12,11 @@ to be started. ## OPTIONS -**--all, -a** +**--all**, **-a** Starts all pods -**--latest, -l** +**--latest**, **-l** Instead of providing the pod name or ID, start the last created pod. diff --git a/docs/podman-pod-stats.1.md b/docs/podman-pod-stats.1.md index be32f05be..d081c91cb 100644 --- a/docs/podman-pod-stats.1.md +++ b/docs/podman-pod-stats.1.md @@ -1,4 +1,4 @@ -% podman-pod-stats "1" +% podman-pod-stats(1) ## NAME podman\-pod\-stats - Display a live stream of resource usage statistics for the containers in one or more pods @@ -11,11 +11,11 @@ Display a live stream of containers in one or more pods resource usage statistic ## OPTIONS -**--all, -a** +**--all**, **-a** Show all containers. Only running containers are shown by default -**--latest, -l** +**--latest**, **-l** Instead of providing the pod name or ID, use the last created pod. @@ -29,7 +29,7 @@ Do not clear the terminal/screen in between reporting intervals Disable streaming pod stats and only pull the first result, default setting is false -**--format="TEMPLATE"** +**--format**=*template* Pretty-print container statistics to JSON or using a Go template @@ -80,7 +80,7 @@ a9f807ffaacd frosty_hodgkin -- 3.092MB / 16.7GB 0.02% -- / -- -- ``` ``` -# podman pod-stats --no-stream --format "table {{.ID}} {{.Name}} {{.MemUsage}}" 6eae +# podman pod stats --no-stream --format "table {{.ID}} {{.Name}} {{.MemUsage}}" 6eae ID NAME MEM USAGE / LIMIT 6eae9e25a564 clever_bassi 3.031MB / 16.7GB ``` diff --git a/docs/podman-pod-stop.1.md b/docs/podman-pod-stop.1.md index 787c672bd..b3ce47d72 100644 --- a/docs/podman-pod-stop.1.md +++ b/docs/podman-pod-stop.1.md @@ -11,17 +11,17 @@ Stop containers in one or more pods. You may use pod IDs or names as input. ## OPTIONS -**--all, -a** +**--all**, **-a** Stops all pods -**--latest, -l** +**--latest**, **-l** Instead of providing the pod name or ID, stop the last created pod. The latest option is not supported on the remote client. -**--timeout, --time, -t** +**--timeout**, **--time**, **-t**=*time* Timeout to wait before forcibly stopping the containers in the pod. diff --git a/docs/podman-pod-top.1.md b/docs/podman-pod-top.1.md index fbab6bc09..48f10055a 100644 --- a/docs/podman-pod-top.1.md +++ b/docs/podman-pod-top.1.md @@ -11,11 +11,11 @@ Display the running processes of containers in a pod. The *format-descriptors* a ## OPTIONS -**--help, -h** +**--help**, **-h** Print usage statement -**--latest, -l** +**--latest**, **-l** Instead of providing the pod name or ID, use the last created pod. @@ -25,7 +25,7 @@ The latest option is not supported on the remote client. The following descriptors are supported in addition to the AIX format descriptors mentioned in ps (1): -**args, capbnd, capeff, capinh, capprm, comm, etime, group, hgroup, hpid, huser, label, nice, pcpu, pgid, pid, ppid, rgroup, ruser, seccomp, state, time, tty, user, vsz** +**args**, **capbnd**, **capeff**, **capinh**, **capprm**, **comm**, **etime**, **group**, **hgroup**, **hpid**, **huser**, **label**, **nice**, **pcpu**, **pgid**, **pid**, **ppid**, **rgroup**, **ruser**, **seccomp**, **state**, **time**, **tty**, **user**, **vsz** **capbnd** diff --git a/docs/podman-pod-unpause.1.md b/docs/podman-pod-unpause.1.md index 8930fde32..e0a88c2e3 100644 --- a/docs/podman-pod-unpause.1.md +++ b/docs/podman-pod-unpause.1.md @@ -11,11 +11,11 @@ Unpauses all the paused processes in the containers of one or more pods. You ma ## OPTIONS -**--all, -a** +**--all**, **-a** Unpause all pods. -**--latest, -l** +**--latest**, **-l** Instead of providing the pod name or ID, unpause the last created pod. diff --git a/docs/podman-port.1.md b/docs/podman-port.1.md index 5adfae5f3..bee15c881 100644 --- a/docs/podman-port.1.md +++ b/docs/podman-port.1.md @@ -11,12 +11,12 @@ List port mappings for the *container* or lookup the public-facing port that is ## OPTIONS -**--all, -a** +**--all**, **-a** List all known port mappings for running containers. When using this option, you cannot pass any container names or private ports/protocols as filters. -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. diff --git a/docs/podman-ps.1.md b/docs/podman-ps.1.md index 8d35c8254..e3aaf93e2 100644 --- a/docs/podman-ps.1.md +++ b/docs/podman-ps.1.md @@ -20,11 +20,11 @@ all the containers information. By default it lists: ## OPTIONS -**--all, -a** +**--all**, **-a** Show all the containers, default is only running containers -**--pod, -p** +**--pod**, **-p** Display the pods the containers are associated with @@ -32,11 +32,11 @@ Display the pods the containers are associated with Display the extended information -**--quiet, -q** +**--quiet**, **-q** Print the numeric IDs of the containers only -**--format** +**--format**=*format* Pretty-print containers to JSON or using a Go template @@ -63,25 +63,25 @@ Sort by command, created, id, image, names, runningfor, size, or status", Note: Choosing size will sort by size of rootFs, not alphabetically like the rest of the options Default: created -**--size, -s** +**--size**, **-s** Display the total file size -**--last, -n** +**--last**, **-n** Print the n last created containers (all states) -**--latest, -l** +**--latest**, **-l** Show the latest container created (all states) The latest option is not supported on the remote client. -**--namespace, --ns** +**--namespace**, **--ns** Display namespace information -**--filter, -f** +**--filter**, **-f** Filter what containers are shown in the output. Multiple filters can be given with multiple uses of the --filter flag. @@ -113,7 +113,7 @@ In some cases, a container's state in the runtime can become out of sync with Po This will update Podman's state based on what the OCI runtime reports. Forcibly syncing is much slower, but can resolve inconsistent state issues. -**--watch, -w** +**--watch**, **-w** Refresh the output with current containers on an interval in seconds. diff --git a/docs/podman-pull.1.md b/docs/podman-pull.1.md index f5b6539e9..2d6d42959 100644 --- a/docs/podman-pull.1.md +++ b/docs/podman-pull.1.md @@ -45,13 +45,13 @@ Image stored in local container/storage ## OPTIONS -**--all-tags, a** +**--all-tags**, **a** All tagged images in the repository will be pulled. Note: When using the all-tags flag, Podman will not iterate over the search registries in the containers-registries.conf(5) but will always use docker.io for unqualified image names. -**--authfile** +**--authfile**=*path* Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands) @@ -59,22 +59,22 @@ If the authorization state is not found there, $HOME/.docker/config.json is chec Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` -**--cert-dir** *path* +**--cert-dir**=*path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands) -**--creds** +**--creds**=*[username[:password]]* The [username[:password]] to use to authenticate with the registry if required. If one or both values are not supplied, a command line prompt will appear and the value can be entered. The password is entered without echo. -**--quiet, -q** +**--quiet**, **-q** Suppress output information when pulling images -**--tls-verify** +**--tls-verify**=*true|false* Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, diff --git a/docs/podman-push.1.md b/docs/podman-push.1.md index ceb42fa28..4ac901919 100644 --- a/docs/podman-push.1.md +++ b/docs/podman-push.1.md @@ -44,7 +44,7 @@ Image stored in local container/storage ## OPTIONS -**--authfile** +**--authfile**=*path* Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. (Not available for remote commands) @@ -52,13 +52,13 @@ If the authorization state is not found there, $HOME/.docker/config.json is chec Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` -**--creds="CREDENTIALS"** +**--creds**=*[username[:password]]* The [username[:password]] to use to authenticate with the registry if required. If one or both values are not supplied, a command line prompt will appear and the value can be entered. The password is entered without echo. -**--cert-dir** *path* +**--cert-dir**=*path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands) (Not available for remote commands) @@ -68,12 +68,12 @@ Default certificates directory is _/etc/containers/certs.d_. (Not available for Compress tarball image layers when pushing to a directory using the 'dir' transport. (default is same compression type, compressed or uncompressed, as source) Note: This flag can only be set when using the **dir** transport -**--format, -f** +**--format**, **-f**=*format* Manifest Type (oci, v2s1, or v2s2) to use when pushing an image to a directory using the 'dir:' transport (default is manifest type of source) Note: This flag can only be set when using the **dir** transport -**--quiet, -q** +**--quiet**, **-q** When writing the output image, suppress progress output @@ -81,11 +81,11 @@ When writing the output image, suppress progress output Discard any pre-existing signatures in the image -**--sign-by="KEY"** +**--sign-by**=*key* Add a signature at the destination using the specified key -**--tls-verify** +**--tls-verify**=*true|false* Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified, diff --git a/docs/podman-remote.conf.5.md b/docs/podman-remote.conf.5.md new file mode 100644 index 000000000..3e1cffb02 --- /dev/null +++ b/docs/podman-remote.conf.5.md @@ -0,0 +1,47 @@ +% podman-remote.conf(5) + +## NAME +podman-remote.conf - configuration file for the podman remote client + +## DESCRIPTION +The libpod.conf file is the default configuration file for all tools using +libpod to manage containers. + +The podman-remote.conf file is the default configuration file for the podman +remote client. It is in the TOML format. It is primarily used to keep track +of the user's remote connections. + +## CONNECTION OPTIONS +**destination** = "" + The hostname or IP address of the remote system + +**username** = "" + The username to use when connecting to the remote system + +**default** = bool + Denotes whether the connection is the default connection for the user. The default connection + is used when the user does not specify a destination or connection name to `podman`. + + +## EXAMPLE + +The following example depicts a configuration file with two connections. One of the connections +is designated as the default connection. +``` +[connections] + [connections.host1] + destination = "host1" + username = "homer" + default = true + + [connections.host2] + destination = "192.168.122.133" + username = "fedora" +``` + +## FILES + `/$HOME/.config/containers/podman-remote.conf`, default location for the podman remote +configuration file + +## HISTORY +May 2019, Originally compiled by Brent Baude<bbaude@redhat.com> diff --git a/docs/podman-restart.1.md b/docs/podman-restart.1.md index a20eee243..643eb1b03 100644 --- a/docs/podman-restart.1.md +++ b/docs/podman-restart.1.md @@ -12,10 +12,10 @@ Containers will be stopped if they are running and then restarted. Stopped containers will not be stopped and will only be started. ## OPTIONS -**--all, -a** +**--all**, **-a** Restart all containers regardless of their current state. -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. @@ -24,7 +24,7 @@ The latest option is not supported on the remote client. **--running** Restart all containers that are already in the *running* state. -**--timeout** +**--timeout**=*time* Timeout to wait before forcibly stopping the container. diff --git a/docs/podman-rm.1.md b/docs/podman-rm.1.md index 16d4027c9..32a8c2943 100644 --- a/docs/podman-rm.1.md +++ b/docs/podman-rm.1.md @@ -1,4 +1,4 @@ -% podman-container-rm(1) +% podman-rm(1) ## NAME podman\-container\-rm (podman\-rm) - Remove one or more containers @@ -13,24 +13,31 @@ podman\-container\-rm (podman\-rm) - Remove one or more containers ## OPTIONS -**--all, -a** +**--all**, **-a** Remove all containers. Can be used in conjunction with -f as well. -**--force, -f** +**--force**, **-f** Force the removal of running and paused containers. Forcing a containers removal also removes containers from container storage even if the container is not known to podman. Containers could have been created by a different container engine. -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. The latest option is not supported on the remote client. -**--volumes, -v** +**--storage** + +Remove the container from the storage library only. +This is only possible with containers that are not present in libpod (cannot be seen by `podman ps`). +It is used to remove containers from `podman build` and `buildah`, and orphan containers which were only partially removed by `podman rm`. +The storage option conflicts with the **--all**, **--latest**, and **--volumes** options. + +**--volumes**, **-v** Remove the volumes associated with the container. diff --git a/docs/podman-rmi.1.md b/docs/podman-rmi.1.md index 8c22bba2c..2cba8a22d 100644 --- a/docs/podman-rmi.1.md +++ b/docs/podman-rmi.1.md @@ -1,12 +1,12 @@ -% podman-image-rm(1) +% podman-rmi(1) ## NAME podman\-image\-rm (podman\-rmi) - Removes one or more images ## SYNOPSIS -**podman image rm** *image* ... +**podman image rm** *image* [...] -**podman rmi** *image* ... +**podman rmi** *image* [...] ## DESCRIPTION Removes one or more locally stored images. diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md index a7091e89a..123f7ee5f 100644 --- a/docs/podman-run.1.md +++ b/docs/podman-run.1.md @@ -31,19 +31,19 @@ is located at `/run/.containerenv`. When running from a user defined network namespace, the /etc/netns/NSNAME/resolv.conf will be used if it exists, otherwise /etc/resolv.conf will be used. ## OPTIONS -**--add-host**=[] +**--add-host**=*host:ip* Add a custom host-to-IP mapping (host:ip) Add a line to /etc/hosts. The format is hostname:ip. The **--add-host** option can be set multiple times. -**--annotation**=[] +**--annotation**=*key=value* Add an annotation to the container. The format is key=value. The **--annotation** option can be set multiple times. -**--attach**, **-a**=[] +**--attach**, **-a**=*stdio* Attach to STDIN, STDOUT or STDERR. @@ -54,48 +54,48 @@ error. It can even pretend to be a TTY (this is what most commandline executables expect) and pass along signals. The **-a** option can be set for each of stdin, stdout, and stderr. -**--authfile** +**--authfile**[=*path*] Path of the authentication file. Default is ${XDG_\RUNTIME\_DIR}/containers/auth.json (Not available for remote commands) Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` -**--blkio-weight**=*0* +**--blkio-weight**=*weight* Block IO weight (relative weight) accepts a weight value between 10 and 1000. -**--blkio-weight-device**=[] +**--blkio-weight-device**=*DEVICE_NAME:WEIGHT* Block IO weight (relative device weight, format: `DEVICE_NAME:WEIGHT`). -**--cap-add**=[] +**--cap-add**=*capability* Add Linux capabilities -**--cap-drop**=[] +**--cap-drop**=*capability* Drop Linux capabilities -**--cgroup-parent**="" +**--cgroup-parent**=*cgroup* Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist. -**--cidfile**="" +**--cidfile**=*file* Write the container ID to the file -**--conmon-pidfile**="" +**--conmon-pidfile**=*file* Write the pid of the `conmon` process to a file. `conmon` runs in a separate process than Podman, so this is necessary when using systemd to restart Podman containers. -**--cpu-period**=*0* +**--cpu-period**=*limit* Limit the CPU CFS (Completely Fair Scheduler) period Limit the container's CPU usage. This flag tell the kernel to restrict the container's CPU usage to the period you specify. -**--cpu-quota**=*0* +**--cpu-quota**=*limit* Limit the CPU CFS (Completely Fair Scheduler) quota @@ -103,13 +103,13 @@ Limit the container's CPU usage. By default, containers run with the full CPU resource. This flag tell the kernel to restrict the container's CPU usage to the quota you specify. -**--cpu-rt-period**=0 +**--cpu-rt-period**=*microseconds* Limit the CPU real-time period in microseconds Limit the container's Real Time CPU usage. This flag tell the kernel to restrict the container's Real Time CPU usage to the period you specify. -**--cpu-rt-runtime**=0 +**--cpu-rt-runtime**=*microseconds* Limit the CPU real-time runtime in microseconds @@ -118,7 +118,7 @@ Period of 1,000,000us and Runtime of 950,000us means that this container could c The sum of all runtimes across containers cannot exceed the amount allotted to the parent cgroup. -**--cpu-shares**=*0* +**--cpu-shares**=*shares* CPU shares (relative weight) @@ -155,15 +155,15 @@ PID container CPU CPU share 101 {C1} 1 100% of CPU1 102 {C1} 2 100% of CPU2 -**--cpus**=0.0 +**--cpus**=*number* Number of CPUs. The default is *0.0* which means no limit. -**--cpuset-cpus**="" +**--cpuset-cpus**=*number* CPUs in which to allow execution (0-3, 0,1) -**--cpuset-mems**="" +**--cpuset-mems**=*nodes* Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems. @@ -171,7 +171,7 @@ If you have four memory nodes on your system (0-3), use `--cpuset-mems=0,1` then processes in your container will only use memory from the first two memory nodes. -**--detach**, **-d**=*true*|*false* +**--detach**, **-d**=*true|false* Detached mode: run the container in the background and print the new container ID. The default is *false*. @@ -184,31 +184,31 @@ running) using a configurable key sequence. The default sequence is `ctrl-p,ctrl You configure the key sequence using the **--detach-keys** option or a configuration file. See **config-json(5)** for documentation on using a configuration file. -**--detach-keys**="" +**--detach-keys**=*char* Override the key sequence for detaching a container. Format is a single character `[a-Z]` or `ctrl-<value>` where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`. -**--device**=[] +**--device**=*device* Add a host device to the container. The format is `<device-on-host>[:<device-on-container>][:<permissions>]` (e.g. --device=/dev/sdc:/dev/xvdc:rwm) -**--device-read-bps**=[] +**--device-read-bps**=*path* Limit read rate (bytes per second) from a device (e.g. --device-read-bps=/dev/sda:1mb) -**--device-read-iops**=[] +**--device-read-iops**=*path* Limit read rate (IO per second) from a device (e.g. --device-read-iops=/dev/sda:1000) -**--device-write-bps**=[] +**--device-write-bps**=*path* Limit write rate (bytes per second) to a device (e.g. --device-write-bps=/dev/sda:1mb) -**--device-write-iops**=[] +**--device-write-iops**=*path* Limit write rate (IO per second) to a device (e.g. --device-write-iops=/dev/sda:1000) -**--dns**=[] +**--dns**=*dns* Set custom DNS servers @@ -220,15 +220,15 @@ is the case the **--dns** flags is necessary for every run. The special value **none** can be specified to disable creation of **/etc/resolv.conf** in the container by Podman. The **/etc/resolv.conf** file in the image will be used without changes. -**--dns-option**=[] +**--dns-option**=*option* Set custom DNS options -**--dns-search**=[] +**--dns-search**=*domain* Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain) -**--entrypoint** *"command"* | *'["command", "arg1", ...]'* +**--entrypoint**=*"command"* | *'["command", "arg1", ...]'* Overwrite the default ENTRYPOINT of the image @@ -246,7 +246,7 @@ ENTRYPOINT. You need to specify multi option commands in the form of a json string. -**--env**, **-e**=[] +**--env**, **-e**=*env* Set environment variables @@ -254,46 +254,45 @@ This option allows you to specify arbitrary environment variables that are available for the process that will be launched inside of the container. -**--env-file**=[] +**--env-file**=*file* Read in a line delimited file of environment variables -**--expose**=[] +**--expose**=*port* Expose a port, or a range of ports (e.g. --expose=3300-3310) to set up port redirection on the host system. -**--gidmap**=container_gid:host_gid:amount -**--gidmap**=0:30000:2000 +**--gidmap**=*container_gid:host_gid:amount* Run the container in a new user namespace using the supplied mapping. This option conflicts with the --userns and --subgidname flags. This option can be passed several times to map different ranges. If calling podman run as an unprivileged user, the user needs to have the right to use the mapping. See `subuid(5)`. -The example maps gids 0-2000 in the container to the gids 30000-31999 on the host. +The example maps gids 0-2000 in the container to the gids 30000-31999 on the host. `--gidmap=0:30000:2000` -**--group-add**=[] +**--group-add**=*group* Add additional groups to run as -**--healthcheck**="" +**--healthcheck**=*command* Set or alter a healthcheck command for a container. The command is a command to be executed inside your container that determines your container health. The command is required for other healthcheck options to be applied. A value of `none` disables existing healthchecks. -**--healthcheck-interval**="" +**--healthcheck-interval**=*interval* Set an interval for the healthchecks (a value of `disable` results in no automatic timer setup) (default "30s") -**--healthcheck-retries=** +**--healthcheck-retries**=*retries* The number of retries allowed before a healthcheck is considered to be unhealthy. The default value is `3`. -**--healthcheck-start-period**="" +**--healthcheck-start-period**=*period* The initialization time needed for a container to bootstrap. The value can be expressed in time format like `2m3s`. The default value is `0s` -**--healthcheck-timeout**="" +**--healthcheck-timeout**=*timeout* The maximum time allowed to complete the healthcheck before an interval is considered failed. Like start-period, the value can be expressed in a time format such as `1m22s`. The default value is `30s`. @@ -302,13 +301,13 @@ value can be expressed in a time format such as `1m22s`. The default value is ` Print usage statement -**--hostname**="" +**--hostname**=*name* Container host name Sets the container host name that is available inside the container. -**--http-proxy**=*true*|*false* +**--http-proxy**=*true|false* By default proxy environment variables are passed into the container if set for the podman process. This can be disabled by setting the `--http-proxy` @@ -328,7 +327,7 @@ container: Defaults to `true` -**--image-volume**, **builtin-volume**=*bind*|*tmpfs*|*ignore* +**--image-volume**, **builtin-volume**=*bind|tmpfs|ignore* Tells podman how to handle the builtin image volumes. @@ -344,27 +343,27 @@ content that disappears when the container is stopped. Run an init inside the container that forwards signals and reaps processes. -**--init-path**="" +**--init-path**=*path* Path to the container-init binary. -**--interactive**, **-i**=*true*|*false* +**--interactive**, **-i**=*true|false* Keep STDIN open even if not attached. The default is *false*. When set to true, keep stdin open even if not attached. The default is false. -**--ip6**="" +**--ip6**=*ip* Not implemented -**--ip**="" +**--ip**=*ip* Specify a static IP address for the container, for example '10.88.64.128'. Can only be used if no additional CNI networks to join were specified via '--network=<network-name>', and if the container is not joining another container's network namespace via '--network=container:<name|id>'. The address must be within the default CNI network's pool (default 10.88.0.0/16). -**--ipc**="" +**--ipc**=*ipc* Default is to create a private IPC namespace (POSIX SysV IPC) for the container @@ -372,7 +371,7 @@ Default is to create a private IPC namespace (POSIX SysV IPC) for the container - `host`: use the host shared memory,semaphores and message queues inside the container. Note: the host mode gives the container full access to local shared memory and is therefore considered insecure. - `ns:<path>` path to an IPC namespace to join. -**--kernel-memory**="" +**--kernel-memory**=*number[unit]* Kernel memory limit (format: `<number>[<unit>]`, where unit = b, k, m or g) @@ -382,15 +381,15 @@ is not limited. If you specify a limit, it may be rounded up to a multiple of the operating system's page size and the value can be very large, millions of trillions. -**--label**, **-l**=[] +**--label**, **-l**=*label* Add metadata to a container (e.g., --label com.example.key=value) -**--label-file**=[] +**--label-file**=*file* Read in a line delimited file of labels -**--link-local-ip**=[] +**--link-local-ip**=*ip* Not implemented @@ -398,13 +397,13 @@ Not implemented Logging driver for the container. Currently not supported. This flag is a NOOP provided soley for scripting compatibility. -**--log-opt**=[] +**--log-opt**=*path* Logging driver specific options. Used to set the path to the container log file. For example: `--log-opt path=/var/log/container/mycontainer.json` -**--mac-address**="" +**--mac-address**=*address* Container MAC address (e.g. `92:d0:c6:0a:29:33`) @@ -414,7 +413,7 @@ according to RFC4862. Not currently supported -**--memory**, **-m**="" +**--memory**, **-m**=*limit* Memory limit (format: <number>[<unit>], where unit = b, k, m or g) @@ -424,7 +423,7 @@ RAM. If a limit of 0 is specified (not using **-m**), the container's memory is not limited. The actual limit may be rounded up to a multiple of the operating system's page size (the value would be very large, that's millions of trillions). -**--memory-reservation**="" +**--memory-reservation**=*limit* Memory soft limit (format: <number>[<unit>], where unit = b, k, m or g) @@ -434,7 +433,7 @@ reservation. So you should always set the value below **--memory**, otherwise th hard limit will take precedence. By default, memory reservation will be the same as memory limit. -**--memory-swap**="LIMIT" +**--memory-swap**=*limit* A limit value equal to memory plus swap. Must be used with the **-m** (**--memory**) flag. The swap `LIMIT` should always be larger than **-m** @@ -445,7 +444,7 @@ The format of `LIMIT` is `<number>[<unit>]`. Unit can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you don't specify a unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap. -**--memory-swappiness**="" +**--memory-swappiness**=*number* Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100. @@ -472,6 +471,7 @@ Current supported mount TYPES are bind, and tmpfs. Options specific to bind: · bind-propagation: Z, z, shared, slave, private, rshared, rslave, or rprivate(default). See also mount(2). + . bind-nonrecursive: do not setup a recursive bind mount. By default it is recursive. Options specific to tmpfs: @@ -479,7 +479,7 @@ Current supported mount TYPES are bind, and tmpfs. · tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux. -**--name**="" +**--name**=*name* Assign a name to the container @@ -493,7 +493,7 @@ to the container with **--name** then it will generate a random string name. The name is useful any place you need to identify a container. This works for both background and foreground containers. -**--network**, **--net**="*bridge*" +**--network**, **--net**=*mode* Set the Network mode for the container: - `bridge`: create a network stack on the default bridge @@ -504,26 +504,26 @@ Set the Network mode for the container: - `ns:<path>`: path to a network namespace to join - `slirp4netns`: use slirp4netns to create a user network stack. This is the default for rootless containers -**--network-alias**=[] +**--network-alias**=*alias* Not implemented -**--no-hosts**=*true*|*false* +**--no-hosts**=*true|false* Do not create /etc/hosts for the container. By default, Podman will manage /etc/hosts, adding the container's own IP address and any hosts from **--add-host**. **--no-hosts** disables this, and the image's **/etc/host** will be preserved unmodified. This option conflicts with **--add-host**. -**--oom-kill-disable**=*true*|*false* +**--oom-kill-disable**=*true|false* Whether to disable OOM Killer for the container or not. -**--oom-score-adj**="" +**--oom-score-adj**=*num* Tune the host's OOM preferences for containers (accepts -1000 to 1000) -**--pid**="" +**--pid**=*pid* Set the PID mode for the container @@ -533,17 +533,17 @@ Default is to create a private PID namespace for the container - `host`: use the host's PID namespace for the container. Note: the host mode gives the container full access to local PID and is therefore considered insecure. - `ns`: join the specified PID namespace -**--pids-limit**="" +**--pids-limit**=*limit* Tune the container's pids limit. Set `-1` to have unlimited pids for the container. -**--pod**="" +**--pod**=*name* Run container in an existing pod. If you want podman to make the pod for you, preference the pod name with `new:`. To make a pod with more granular options, use the `podman pod create` command before creating a container. If a container is run with a pod, and the pod has an infra-container, the infra-container will be started before the container is. -**--privileged**=*true*|*false* +**--privileged**=*true|false* Give extended privileges to this container. The default is *false*. @@ -557,7 +557,7 @@ to all devices on the host, turns off graphdriver mount options, as well as turning off most of the security measures protecting the host from the container. -**--publish**, **-p**=[] +**--publish**, **-p**=*port* Publish a container's port, or range of ports, to the host @@ -573,7 +573,7 @@ With ip: `podman run -p 127.0.0.1:$HOSTPORT:$CONTAINERPORT --name CONTAINER -t s Use `podman port` to see the actual mapping: `podman port CONTAINER $CONTAINERPORT` -**--publish-all**, **-P**=*true*|*false* +**--publish-all**, **-P**=*true|false* Publish all exposed ports to random ports on the host interfaces. The default is *false*. @@ -586,11 +586,11 @@ When using -P, podman will bind any exposed port to a random port on the host within an *ephemeral port range* defined by `/proc/sys/net/ipv4/ip_local_port_range`. To find the mapping between the host ports and the exposed ports, use `podman port`. -**--quiet, -q** +**--quiet**, **-q** Suppress output information when pulling images -**--read-only**=*true*|*false* +**--read-only**=*true|false* Mount the container's root filesystem as read only. @@ -598,10 +598,11 @@ By default a container will have its root filesystem writable allowing processes to write files anywhere. By specifying the `--read-only` flag the container will have its root filesystem mounted as read only prohibiting any writes. -**--read-only-tmpfs**=*true*|*false* +**--read-only-tmpfs**=*true|false* + If container is running in --read-only mode, then mount a read-write tmpfs on /run, /tmp, and /var/tmp. The default is *true* -**--restart=""** +**--restart**=*policy* Restart policy to follow when containers exit. Restart policy will not take effect if a container is stopped via the `podman kill` or `podman stop` commands. @@ -615,7 +616,7 @@ Please note that restart will not restart containers after a system reboot. If this functionality is required in your environment, you can invoke Podman from a systemd unit file, or create an init script for whichever init system is in use. To generate systemd unit files, please see *podman generate systemd* -**--rm**=*true*|*false* +**--rm**=*true|false* Automatically remove the container when it exits. The default is *false*. @@ -630,7 +631,7 @@ If specified, the first argument refers to an exploded container on the file sys This is useful to run a container without requiring any image management, the rootfs of the container is assumed to be managed externally. -**--security-opt**=[] +**--security-opt**=*option* Security Options @@ -650,13 +651,13 @@ Security Options Note: Labelling can be disabled for all containers by setting label=false in the **libpod.conf** (`/etc/containers/libpod.conf`) file. -**--shm-size**="" +**--shm-size**=*size* Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`. Unit is optional and can be `b` (bytes), `k` (kilobytes), `m`(megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`. -**--sig-proxy**=*true*|*false* +**--sig-proxy**=*true|false* Proxy signals sent to the `podman run` command to the container process. SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true*. @@ -664,16 +665,18 @@ Proxy signals sent to the `podman run` command to the container process. SIGCHLD Signal to stop a container. Default is SIGTERM. -**--stop-timeout**=*10* +**--stop-timeout**=*seconds* Timeout (in seconds) to stop a container. Default is 10. -**--subgidname**=name +**--subgidname**=*name* + Run the container in a new user namespace using the map with 'name' in the `/etc/subgid` file. If calling podman run as an unprivileged user, the user needs to have the right to use the mapping. See `subgid(5)`. This flag conflicts with `--userns` and `--gidmap`. -**--subuidname**=name +**--subuidname**=*name* + Run the container in a new user namespace using the map with 'name' in the `/etc/subuid` file. If calling podman run as an unprivileged user, the user needs to have the right to use the mapping. See `subuid(5)`. This flag conflicts with `--userns` and `--uidmap`. @@ -701,7 +704,7 @@ Network Namespace - current sysctls allowed: Note: if you use the `--network=host` option these sysctls will not be allowed. -**--systemd**=*true*|*false* +**--systemd**=*true|false* Run container in systemd mode. The default is *true*. @@ -720,7 +723,9 @@ The `container_manage_cgroup` boolean must be enabled for this to be allowed on `setsebool -P container_manage_cgroup true` -**--tmpfs**=[] Create a tmpfs mount +**--tmpfs**=*fs* + +Create a tmpfs mount Mount a temporary filesystem (`tmpfs`) mount into a container, for example: @@ -731,7 +736,7 @@ options are the same as the Linux default `mount` flags. If you do not specify any options, the systems uses the following options: `rw,noexec,nosuid,nodev,size=65536k`. -**--tty**, **-t**=*true*|*false* +**--tty**, **-t**=*true|false* Allocate a pseudo-TTY. The default is *false*. @@ -742,18 +747,17 @@ interactive shell. The default is false. **NOTE**: The **-t** option is incompatible with a redirection of the podman client standard input. -**--uidmap**=container_uid:host_uid:amount -**--uidmap**=0:30000:2000 +**--uidmap**=*container_uid:host_uid:amount* Run the container in a new user namespace using the supplied mapping. This option conflicts with the --userns and --subuidname flags. This option can be passed several times to map different ranges. If calling podman run as an unprivileged user, the user needs to have the right to use the mapping. See `subuid(5)`. -The example maps uids 0-2000 in the container to the uids 30000-31999 on the host. +The example maps uids 0-2000 in the container to the uids 30000-31999 on the host. `--uidmap=0:30000:2000` -**--ulimit**=[] +**--ulimit**=*option* Ulimit options -**--user**, **-u**="" +**--user**, **-u**=*user* Sets the username or UID used and optionally the groupname or GID for the specified command. @@ -882,7 +886,7 @@ If the location of the volume from the source container overlaps with data residing on a target container, then the volume hides that data on the target. -**--workdir**, **-w**="" +**--workdir**, **-w**=*dir* Working directory inside the container @@ -899,28 +903,25 @@ the exit codes follow the `chroot` standard, see below: **_125_** if the error is with podman **_itself_** $ podman run --foo busybox; echo $? - # flag provided but not defined: --foo - See 'podman run --help'. - 125 + Error: unknown flag: --foo + 125 **_126_** if the **_contained command_** cannot be invoked $ podman run busybox /etc; echo $? - # exec: "/etc": permission denied - podman: Error response from daemon: Contained command could not be invoked - 126 + Error: container_linux.go:346: starting container process caused "exec: \"/etc\": permission denied": OCI runtime error + 126 **_127_** if the **_contained command_** cannot be found $ podman run busybox foo; echo $? - # exec: "foo": executable file not found in $PATH - podman: Error response from daemon: Contained command not found or does not exist - 127 + Error: container_linux.go:346: starting container process caused "exec: \"foo\": executable file not found in $PATH": OCI runtime error + 127 **_Exit code_** of **_contained command_** otherwise $ podman run busybox /bin/sh -c 'exit 3' - # 3 + 3 ## EXAMPLES diff --git a/docs/podman-save.1.md b/docs/podman-save.1.md index 8e01c230d..034d2696f 100644 --- a/docs/podman-save.1.md +++ b/docs/podman-save.1.md @@ -25,20 +25,20 @@ Note: `:` is a restricted character and cannot be part of the file name. Compress tarball image layers when pushing to a directory using the 'dir' transport. (default is same compression type, compressed or uncompressed, as source) Note: This flag can only be set when using the **dir** transport i.e --format=oci-dir or --format-docker-dir -**--output, -o** +**--output**, **-o**=*file* Write to a file, default is STDOUT -**--format** +**--format**=*format* -Save image to **oci-archive**, **oci-dir** (directory with oci manifest type), or **docker-dir** (directory with v2s2 manifest type) +Save image to **oci-archive, oci-dir** (directory with oci manifest type), or **docker-dir** (directory with v2s2 manifest type) ``` --format oci-archive --format oci-dir --format docker-dir ``` -**--quiet, -q** +**--quiet**, **-q** Suppress the output diff --git a/docs/podman-search.1.md b/docs/podman-search.1.md index 8d315086e..f0a696494 100644 --- a/docs/podman-search.1.md +++ b/docs/podman-search.1.md @@ -25,14 +25,14 @@ Note, searching without a search term will only work for registries that impleme ## OPTIONS -**--authfile** +**--authfile**=*path* Path of the authentication file. Default is ${XDG_\RUNTIME\_DIR}/containers/auth.json (Not available for remote commands) Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE environment variable. `export REGISTRY_AUTH_FILE=path` -**--filter, -f** +**--filter**, **-f**=*filter* Filter output based on conditions provided (default []) @@ -42,7 +42,7 @@ Supported filters are: * is-automated (boolean - true | false) - is the image automated or not * is-official (boolean - true | false) - is the image official or not -**--format** +**--format**=*format* Change the output format to a Go template @@ -57,7 +57,7 @@ Valid placeholders for the Go template are listed below: | .Official | "[OK]" if image is official | | .Automated | "[OK]" if image is automated | -**--limit** +**--limit**=*limit* Limit the number of results Note: The results from each registry will be limited to this value. @@ -69,7 +69,7 @@ The order of the search results is the order in which the API endpoint returns t Do not truncate the output -**--tls-verify** +**--tls-verify**=*true|false* Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true, then TLS verification will be used. If set to false, then TLS verification will not be used if needed. If not specified, diff --git a/docs/podman-start.1.md b/docs/podman-start.1.md index aa5362046..af7094bca 100644 --- a/docs/podman-start.1.md +++ b/docs/podman-start.1.md @@ -14,27 +14,27 @@ attach to the container. ## OPTIONS -**--attach, -a** +**--attach**, **-a** Attach container's STDOUT and STDERR. The default is false. This option cannot be used when starting multiple containers. -**--detach-keys** +**--detach-keys**=*char* Override the key sequence for detaching a container. Format is a single character `[a-Z]` or `ctrl-<value>` where `<value>` is one of: `a-z`, `@`, `^`, `[`, `\\`, `]`, `^` or `_`. -**--interactive, -i** +**--interactive**, **-i** Attach container's STDIN. The default is false. -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. The latest option is not supported on the remote client. -**--sig-proxy**=*true*|*false* +**--sig-proxy**=*true|false* Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true* when attaching, *false* otherwise. diff --git a/docs/podman-stats.1.md b/docs/podman-stats.1.md index 97a9be961..b817662a8 100644 --- a/docs/podman-stats.1.md +++ b/docs/podman-stats.1.md @@ -1,4 +1,4 @@ -% podman-stats "1" +% podman-stats(1) ## NAME podman\-stats - Display a live stream of 1 or more containers' resource usage statistics @@ -11,11 +11,11 @@ Display a live stream of one or more containers' resource usage statistics ## OPTIONS -**--all, -a** +**--all**, **-a** Show all containers. Only running containers are shown by default -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. @@ -30,7 +30,7 @@ Do not clear the terminal/screen in between reporting intervals Disable streaming stats and only pull the first result, default setting is false -**--format="TEMPLATE"** +**--format**=*template* Pretty-print container statistics to JSON or using a Go template @@ -49,6 +49,7 @@ Valid placeholders for the Go template are listed below: | .PIDS | Number of PIDs | When using a GO template, you may preceed the format with `table` to print headers. + ## EXAMPLE ``` diff --git a/docs/podman-stop.1.md b/docs/podman-stop.1.md index 2016a7301..e2c4e8b44 100644 --- a/docs/podman-stop.1.md +++ b/docs/podman-stop.1.md @@ -1,4 +1,4 @@ -% podman-stop "1" +% podman-stop(1) ## NAME podman\-stop - Stop one or more containers @@ -15,18 +15,18 @@ container and also via command line when creating the container. ## OPTIONS -**--all, -a** +**--all**, **-a** Stop all running containers. This does not include paused containers. -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. The latest option is not supported on the remote client. -**--timeout, --time, t** +**--timeout**, **--time**, **t**=*time* Timeout to wait before forcibly stopping the container diff --git a/docs/podman-system-df.1.md b/docs/podman-system-df.1.md index b6d71c634..425796f50 100644 --- a/docs/podman-system-df.1.md +++ b/docs/podman-system-df.1.md @@ -1,4 +1,4 @@ -% podman-system-df(1) podman +% podman-system-df(1) ## NAME podman\-system\-df - Show podman disk usage @@ -10,11 +10,11 @@ podman\-system\-df - Show podman disk usage Show podman disk usage ## OPTIONS -**--format**="" +**--format=***format* Pretty-print images using a Go template -**-v, --verbose**[=false] +**-v**, **--verbose**[=*true|false*] Show detailed information on space usage ## EXAMPLE @@ -53,5 +53,5 @@ Local Volumes 1 ## SEE ALSO podman-system(1) -# HISTORY +## HISTORY March 2019, Originally compiled by Qi Wang (qiwan at redhat dot com) diff --git a/docs/podman-system-migrate.1.md b/docs/podman-system-migrate.1.md index 7c2d1823c..48f3bca8f 100644 --- a/docs/podman-system-migrate.1.md +++ b/docs/podman-system-migrate.1.md @@ -1,4 +1,4 @@ -% podman-system-migrate(1) podman +% podman-system-migrate(1) ## NAME podman\-system\-migrate - Migrate container to the latest version of podman @@ -17,5 +17,5 @@ podman\-system\-migrate - Migrate container to the latest version of podman ## SEE ALSO `podman(1)`, `libpod.conf(5)` -# HISTORY +## HISTORY April 2019, Originally compiled by Giuseppe Scrivano (gscrivan at redhat dot com) diff --git a/docs/podman-system-prune.1.md b/docs/podman-system-prune.1.md index 6a284a110..e6297dc0b 100644 --- a/docs/podman-system-prune.1.md +++ b/docs/podman-system-prune.1.md @@ -1,14 +1,10 @@ -% podman-system-prune(1) podman +% podman-system-prune(1) ## NAME podman\-system\-prune - Remove all unused container, image and volume data ## SYNOPSIS -**podman system prune** -[**-all**|**--a**] -[**-force**|**--f**] -[**-help**|**--h**] -[**-volumes**|**--v**] +**podman system prune** [*options*] ## DESCRIPTION **podman system prune** removes all unused containers (both dangling and unreferenced), pods and optionally, volumes from local storage. @@ -18,14 +14,18 @@ With the `all` option, you can delete all unused images. Unused images are dang By default, volumes are not removed to prevent important data from being deleted if there is currently no container using the volume. Use the --volumes flag when running the command to prune volumes as well. ## OPTIONS -**--all, -a** +**--all**, **-a** Remove all unused images not just dangling ones. -**--force, -f** +**--force**, **-f** Do not prompt for confirmation +**--help**, **-h** + +Print usage statement + **--volumes** Prune volumes not used by at least one container @@ -33,5 +33,5 @@ Prune volumes not used by at least one container ## SEE ALSO podman(1), podman-image-prune(1), podman-container-prune(1), podman-pod-prune(1), podman-volume-prune(1) -# HISTORY +## HISTORY February 2019, Originally compiled by Dan Walsh (dwalsh at redhat dot com) diff --git a/docs/podman-system-renumber.1.md b/docs/podman-system-renumber.1.md index a88640d63..af498f270 100644 --- a/docs/podman-system-renumber.1.md +++ b/docs/podman-system-renumber.1.md @@ -1,13 +1,13 @@ -% podman-system-renumber(1) podman +% podman-system-renumber(1) ## NAME podman\-system\-renumber - Renumber container locks ## SYNOPSIS -** podman system renumber** +**podman system renumber** ## DESCRIPTION -** podman system renumber** renumbers locks used by containers and pods. +**podman system renumber** renumbers locks used by containers and pods. Each Podman container and pod is allocated a lock at creation time, up to a maximum number controlled by the **num_locks** parameter in **libpod.conf**. @@ -19,11 +19,8 @@ When all available locks are exhausted, no further containers and pods can be cr If possible, avoid calling **podman system renumber** while there are other Podman processes running. -## SYNOPSIS -**podman system renumber** - ## SEE ALSO `podman(1)`, `libpod.conf(5)` -# HISTORY +## HISTORY February 2019, Originally compiled by Matt Heon (mheon at redhat dot com) diff --git a/docs/podman-tag.1.md b/docs/podman-tag.1.md index 05bcc5fbc..f3851d8b6 100644 --- a/docs/podman-tag.1.md +++ b/docs/podman-tag.1.md @@ -1,11 +1,11 @@ -% podman-tag "1" +% podman-tag(1) ## NAME podman\-tag - Add an additional name to a local image ## SYNOPSIS -**podman tag** *image*[:*tag*] *target-name*[:*tag*] -[**--help**|**-h**] +**podman tag** *image*[:*tag*] *target-name*[:*tag*] [*options*] + ## DESCRIPTION Assigns a new alias to an image. An alias refers to the entire image name, including the optional diff --git a/docs/podman-top.1.md b/docs/podman-top.1.md index 74175b753..564c2f067 100644 --- a/docs/podman-top.1.md +++ b/docs/podman-top.1.md @@ -1,4 +1,4 @@ -% podman-top "1" +% podman-top(1) ## NAME podman\-top - Display the running processes of a container @@ -11,11 +11,11 @@ Display the running processes of the container. The *format-descriptors* are ps ## OPTIONS -**--help, -h** +**--help**, **-h** - Print usage statement +Print usage statement -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. diff --git a/docs/podman-umount.1.md b/docs/podman-umount.1.md index 795f0402d..8ef7b20ac 100644 --- a/docs/podman-umount.1.md +++ b/docs/podman-umount.1.md @@ -1,10 +1,10 @@ -% podman-umount "1" +% podman-umount(1) ## NAME podman\-umount - Unmount the specified working containers' root file system. ## SYNOPSIS -**podman umount** *container* ... +**podman umount** *container* [...] ## DESCRIPTION Unmounts the specified containers' root file system, if no other processes @@ -17,11 +17,11 @@ counter reaches zero indicating no other processes are using the mount. An unmount can be forced with the --force flag. ## OPTIONS -**--all, -a** +**--all**, **-a** All of the currently mounted containers will be unmounted. -**--force, -f** +**--force**, **-f** Force the unmounting of specified containers' root file system, even if other processes have mounted it. @@ -29,7 +29,7 @@ processes have mounted it. Note: This could cause other processes that are using the file system to fail, as the mount point could be removed without their knowledge. -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last diff --git a/docs/podman-unpause.1.md b/docs/podman-unpause.1.md index acfab0930..ef8a4cdb6 100644 --- a/docs/podman-unpause.1.md +++ b/docs/podman-unpause.1.md @@ -1,17 +1,17 @@ -% podman-unpause "1" +% podman-unpause(1) ## NAME podman\-unpause - Unpause one or more containers ## SYNOPSIS -**podman unpause** [*options*] [*container*...] +**podman unpause** [*options*]|[*container* ...] ## DESCRIPTION Unpauses the processes in one or more containers. You may use container IDs or names as input. ## OPTIONS -**--all, -a** +**--all**, **-a** Unpause all paused containers. diff --git a/docs/podman-unshare.1.md b/docs/podman-unshare.1.md index a10fb40f9..d7fefb774 100644 --- a/docs/podman-unshare.1.md +++ b/docs/podman-unshare.1.md @@ -1,4 +1,4 @@ -% podman-unshare "1" +% podman-unshare(1) ## NAME podman\-unshare - Run a command inside of a modified user namespace. diff --git a/docs/podman-varlink.1.md b/docs/podman-varlink.1.md index 0501d853f..0d2ab1668 100644 --- a/docs/podman-varlink.1.md +++ b/docs/podman-varlink.1.md @@ -1,4 +1,4 @@ -% podman-varlink "1" +% podman-varlink(1) ## NAME podman\-varlink - Runs the varlink backend interface @@ -12,13 +12,14 @@ URI will be used depending on the user calling the varlink service. The default users will have a default *uri* of `$XDG_RUNTIME_DIR/podman/io.podman`. For example, `unix:/run/user/1000/podman/io.podman` The varlink service should generally be done with systemd. See _Configuration_ below. -## GLOBAL OPTIONS -**--help, -h** +## OPTIONS + +**--help**, **-h** + Print usage statement -## OPTIONS -**--timeout, -t** +**--timeout**, **-t** The time until the varlink session expires in _milliseconds_. The default is 1 second. A value of `0` means no timeout and the session will not expire. diff --git a/docs/podman-version.1.md b/docs/podman-version.1.md index 97977d94b..cb0a3785f 100644 --- a/docs/podman-version.1.md +++ b/docs/podman-version.1.md @@ -1,4 +1,4 @@ -% podman-version "1" +% podman-version(1) ## NAME podman\-version - Display the PODMAN Version Information @@ -16,7 +16,7 @@ OS, and Architecture. Print usage statement -**--format**, **-f** +**--format**, **-f**=*format* Change output format to "json" or a Go template. diff --git a/docs/podman-volume-create.1.md b/docs/podman-volume-create.1.md index 795d7b449..3d3eb68b8 100644 --- a/docs/podman-volume-create.1.md +++ b/docs/podman-volume-create.1.md @@ -15,7 +15,7 @@ driver options can be set using the **--opt** flag. ## OPTIONS -**--driver**="" +**--driver**=*driver* Specify the volume driver name (default local). @@ -23,11 +23,11 @@ Specify the volume driver name (default local). Print usage statement -**-l**, **--label**=[] +**-l**, **-label**=*label* Set metadata for a volume (e.g., --label mykey=value). -**-o**, **--opt**=[] +**-o**, **--opt**=*option* Set driver specific options. diff --git a/docs/podman-volume-inspect.1.md b/docs/podman-volume-inspect.1.md index 88cc3cf3e..4900e2feb 100644 --- a/docs/podman-volume-inspect.1.md +++ b/docs/podman-volume-inspect.1.md @@ -4,7 +4,7 @@ podman\-volume\-inspect - Inspect one or more volumes ## SYNOPSIS -**podman volume inspect** [*options*] *volume*... +**podman volume inspect** [*options*] *volume* [...] ## DESCRIPTION @@ -19,7 +19,7 @@ existing volumes, use the **--all** flag. Inspect all volumes. -**--format**="" +**--format**=*format* Format volume output using Go template diff --git a/docs/podman-volume-ls.1.md b/docs/podman-volume-ls.1.md index c061e27fe..ef1582153 100644 --- a/docs/podman-volume-ls.1.md +++ b/docs/podman-volume-ls.1.md @@ -14,11 +14,11 @@ flag. Use the **--quiet** flag to print only the volume names. ## OPTIONS -**--filter**="" +**--filter**=*filter* Filter volume output. -**--format**="" +**--format**=*format* Format volume output using Go template. @@ -26,7 +26,7 @@ Format volume output using Go template. Print usage statement. -**-q**, **--quiet**=[] +**-q**, **--quiet** Print volume output in quiet mode. Only print the volume names. diff --git a/docs/podman-volume-prune.1.md b/docs/podman-volume-prune.1.md index 437cad4e5..25ea701a3 100644 --- a/docs/podman-volume-prune.1.md +++ b/docs/podman-volume-prune.1.md @@ -14,7 +14,7 @@ unused volumes. To bypass the confirmation, use the **--force** flag. ## OPTIONS -**-f**, **--force**="" +**-f**, **--force** Do not prompt for confirmation. diff --git a/docs/podman-volume-rm.1.md b/docs/podman-volume-rm.1.md index 8c3765235..fe047e7da 100644 --- a/docs/podman-volume-rm.1.md +++ b/docs/podman-volume-rm.1.md @@ -15,11 +15,11 @@ flag is being used. To remove all the volumes, use the **--all** flag. ## OPTIONS -**-a**, **--all**="" +**-a**, **--all** Remove all volumes. -**-f**, **--force**="" +**-f**, **--force** Remove a volume by force. If it is being used by containers, the containers will be removed first. diff --git a/docs/podman-wait.1.md b/docs/podman-wait.1.md index 9ae4f668e..e1a810ff1 100644 --- a/docs/podman-wait.1.md +++ b/docs/podman-wait.1.md @@ -1,4 +1,4 @@ -% podman-wait "1" +% podman-wait(1) ## NAME podman\-wait - Wait on one or more containers to stop and print their exit codes @@ -13,14 +13,14 @@ After the container stops, the container's return code is printed. ## OPTIONS -**--help, -h** +**--help**, **-h** - Print usage statement + Print usage statement -**--interval, -i**" +**--interval**, **-i**=*microseconds* Microseconds to wait before polling for completion -**--latest, -l** +**--latest**, **-l** Instead of providing the container name or ID, use the last created container. If you use methods other than Podman to run containers such as CRI-O, the last started container could be from either of those methods. diff --git a/docs/podman.1.md b/docs/podman.1.md index b51cdb854..e1dc1d1f1 100644 --- a/docs/podman.1.md +++ b/docs/podman.1.md @@ -21,19 +21,19 @@ created by the other. ## GLOBAL OPTIONS -**--help, -h** +**--help**, **-h** Print usage statement -**--cgroup-manager** +**--cgroup-manager**=*manager* CGroup manager to use for container cgroups. Supported values are cgroupfs or systemd (default). Setting this flag can cause certain commands to break when called on containers created by the other CGroup manager type. -**--cpu-profile** +**--cpu-profile**=*path* Path to where the cpu performance results should be written -**--hooks-dir**=**path** +**--hooks-dir**=*path* Each `*.json` file in the path configures a hook for Podman containers. For more details on the syntax of the JSON files and the semantics of hook injection, see `oci-hooks(5)`. Podman and libpod currently support both the 1.0.0 and 0.1.0 hook schemas, although the 0.1.0 schema is deprecated. @@ -49,40 +49,40 @@ Podman and libpod currently support an additional `precreate` state which is cal **WARNING**: the `precreate` hook lets you do powerful things, such as adding additional mounts to the runtime configuration. That power also makes it easy to break things. Before reporting libpod errors, try running your container with `precreate` hooks disabled to see if the problem is due to one of your hooks. -**--log-level** +**--log-level**=*level* Log messages above specified level: debug, info, warn, error (default), fatal or panic -**--namespace** +**--namespace**=*namespace* Set libpod namespace. Namespaces are used to separate groups of containers and pods in libpod's state. When namespace is set, created containers and pods will join the given namespace, and only containers and pods in the given namespace will be visible to Podman. -**--root**=**value** +**--root=***value* Storage root dir in which data, including images, is stored (default: "/var/lib/containers/storage" for UID 0, "$HOME/.local/share/containers/storage" for other users). Default root dir is configured in /etc/containers/storage.conf. -**--runroot**=**value** +**--runroot**=*value* Storage state directory where all state information is stored (default: "/var/run/containers/storage" for UID 0, "/var/run/user/$UID/run" for other users). Default state dir is configured in /etc/containers/storage.conf. -**--runtime**=**value** +**--runtime**=*value* Name of the OCI runtime as specified in libpod.conf or absolute path to the OCI compatible binary used to run containers. -**--network-cmd-path**=**path** +**--network-cmd-path**=*path* Path to the command binary to use for setting up a network. It is currently only used for setting up a slirp4netns network. If "" is used then the binary is looked up using the $PATH environment variable. -**--storage-driver**=**value** +**--storage-driver**=*value* Storage driver. The default storage driver for UID 0 is configured in /etc/containers/storage.conf (`$HOME/.config/containers/storage.conf` in rootless mode), and is *vfs* for non-root users when *fuse-overlayfs* is not available. The `STORAGE_DRIVER` environment variable overrides the default. The --storage-driver specified driver overrides all. Overriding this option will cause the *storage-opt* settings in /etc/containers/storage.conf to be ignored. The user must specify additional options via the `--storage-opt` flag. -**--storage-opt**=**value** +**--storage-opt**=*value* Storage driver option, Default storage driver options are configured in /etc/containers/storage.conf (`$HOME/.config/containers/storage.conf` in rootless mode). The `STORAGE_OPTS` environment variable overrides the default. The --storage-opt specified options overrides all. @@ -90,7 +90,7 @@ Storage driver option, Default storage driver options are configured in /etc/con output logging information to syslog as well as the console -**--version, -v** +**--version**, **-v** Print the version @@ -103,24 +103,21 @@ the exit codes follow the `chroot` standard, see below: **_125_** if the error is with podman **_itself_** $ podman run --foo busybox; echo $? - # flag provided but not defined: --foo - See 'podman run --help'. + Error: unknown flag: --foo 125 -**_126_** if executing a **_container command_** and the the **_command_** cannot be invoked +**_126_** if executing a **_contained command_** and the **_command_** cannot be invoked $ podman run busybox /etc; echo $? - # exec: "/etc": permission denied - podman: Error response from daemon: Contained command could not be invoked + Error: container_linux.go:346: starting container process caused "exec: \"/etc\": permission denied": OCI runtime error 126 -**_127_** if executing a **_container command_** and the the **_command_** cannot be found +**_127_** if executing a **_contained command_** and the **_command_** cannot be found $ podman run busybox foo; echo $? - # exec: "foo": executable file not found in $PATH - podman: Error response from daemon: Contained command not found or does not exist + Error: container_linux.go:346: starting container process caused "exec: \"foo\": executable file not found in $PATH": OCI runtime error 127 -**_Exit code_** of **_container command_** otherwise +**_Exit code_** of **_contained command_** otherwise $ podman run busybox /bin/sh -c 'exit 3' # 3 diff --git a/docs/tutorials/podman_tutorial.md b/docs/tutorials/podman_tutorial.md index 032b7c851..d2f8e08fa 100644 --- a/docs/tutorials/podman_tutorial.md +++ b/docs/tutorials/podman_tutorial.md @@ -10,7 +10,7 @@ root escalation is required. ## Installing Podman -For installing or building Podman, please see the [installation instructions](install.md). +For installing or building Podman, please see the [installation instructions](https://github.com/containers/libpod/blob/master/install.md). ## Familiarizing yourself with Podman @@ -96,6 +96,28 @@ After being restored, the container will answer requests again as it did before curl http://<IP_address>:8080 ``` +### Migrate the container +To live migrate a container from one host to another the container is checkpointed on the source +system of the migration, transferred to the destination system and then restored on the destination +system. When transferring the checkpoint, it is possible to specify an output-file. + +On the source system: +```console +sudo podman container checkpoint <container_id> -e /tmp/checkpoint.tar.gz +scp /tmp/checkpoint.tar.gz <destination_system>:/tmp +``` + +On the destination system: +```console +sudo podman container restore -i /tmp/checkpoint.tar.gz +``` + +After being restored, the container will answer requests again as it did before checkpointing. This +time the container will continue to run on the destination system. +```console +curl http://<IP_address>:8080 +``` + ### Stopping the container To stop the httpd container: ```console diff --git a/install.md b/install.md index 94de2ea74..4b2c5a119 100644 --- a/install.md +++ b/install.md @@ -273,7 +273,7 @@ First, ensure that the go version that is found first on the $PATH (in case you git clone https://github.com/containers/libpod/ $GOPATH/src/github.com/containers/libpod cd $GOPATH/src/github.com/containers/libpod make BUILDTAGS="selinux seccomp" -sudo make install PREFIX= +sudo make install PREFIX=/usr ``` #### Build Tags diff --git a/libpod.conf b/libpod.conf index ce6b95cda..45e955c36 100644 --- a/libpod.conf +++ b/libpod.conf @@ -106,6 +106,10 @@ num_locks = 2048 # Default OCI runtime runtime = "runc" +# List of the OCI runtimes that support --format=json. When json is supported +# libpod will use it for reporting nicer errors. +runtime_supports_json = ["runc"] + # Paths to look for a valid OCI runtime (runc, runv, etc) [runtimes] runc = [ diff --git a/libpod/container.go b/libpod/container.go index c8ab42fc3..68c4cd6b0 100644 --- a/libpod/container.go +++ b/libpod/container.go @@ -135,7 +135,6 @@ const ( // assume that their callers handled this requirement. Generally speaking, if a // function takes the container lock and accesses any part of state, it should // syncContainer() immediately after locking. -// ffjson: skip type Container struct { config *ContainerConfig @@ -161,7 +160,6 @@ type Container struct { // ContainerState contains the current state of the container // It is stored on disk in a tmpfs and recreated on reboot -// easyjson:json type ContainerState struct { // The current state of the running container State ContainerStatus `json:"state"` @@ -222,7 +220,6 @@ type ContainerState struct { } // ExecSession contains information on an active exec session -// easyjson:json type ExecSession struct { ID string `json:"id"` Command []string `json:"command"` @@ -232,7 +229,6 @@ type ExecSession struct { // ContainerConfig contains all information that was used to create the // container. It may not be changed once created. // It is stored, read-only, on disk -// easyjson:json type ContainerConfig struct { Spec *spec.Spec `json:"spec"` ID string `json:"id"` diff --git a/libpod/container_api.go b/libpod/container_api.go index eff5bfe5f..0e877d04e 100644 --- a/libpod/container_api.go +++ b/libpod/container_api.go @@ -10,9 +10,7 @@ import ( "sync" "time" - "github.com/containers/libpod/libpod/driver" "github.com/containers/libpod/libpod/events" - "github.com/containers/libpod/pkg/inspect" "github.com/containers/libpod/pkg/lookup" "github.com/containers/storage/pkg/stringid" "github.com/docker/docker/oci/caps" @@ -182,7 +180,7 @@ func (c *Container) StopWithTimeout(timeout uint) error { if c.state.State == ContainerStateConfigured || c.state.State == ContainerStateUnknown || c.state.State == ContainerStatePaused { - return errors.Wrapf(ErrCtrStateInvalid, "can only stop created, running, or stopped containers. %s in state %s", c.ID(), c.state.State.String()) + return errors.Wrapf(ErrCtrStateInvalid, "can only stop created, running, or stopped containers. %s is in state %s", c.ID(), c.state.State.String()) } if c.state.State == ContainerStateStopped || @@ -205,7 +203,7 @@ func (c *Container) Kill(signal uint) error { } if c.state.State != ContainerStateRunning { - return errors.Wrapf(ErrCtrStateInvalid, "can only kill running containers") + return errors.Wrapf(ErrCtrStateInvalid, "can only kill running containers. %s is in state %s", c.ID(), c.state.State.String()) } defer c.newContainerEvent(events.Kill) @@ -243,7 +241,7 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user, workDir // TODO can probably relax this once we track exec sessions if conState != ContainerStateRunning { - return errors.Errorf("cannot exec into container that is not running") + return errors.Wrapf(ErrCtrStateInvalid, "cannot exec into container that is not running") } if privileged || c.config.Privileged { capList = caps.GetAllCapabilities() @@ -535,32 +533,6 @@ func (c *Container) RemoveArtifact(name string) error { return os.Remove(c.getArtifactPath(name)) } -// Inspect a container for low-level information -func (c *Container) Inspect(size bool) (*inspect.ContainerInspectData, error) { - if !c.batched { - c.lock.Lock() - defer c.lock.Unlock() - - if err := c.syncContainer(); err != nil { - return nil, err - } - } - - storeCtr, err := c.runtime.store.Container(c.ID()) - if err != nil { - return nil, errors.Wrapf(err, "error getting container from store %q", c.ID()) - } - layer, err := c.runtime.store.Layer(storeCtr.LayerID) - if err != nil { - return nil, errors.Wrapf(err, "error reading information about layer %q", storeCtr.LayerID) - } - driverData, err := driver.GetDriverData(c.runtime.store, layer.ID) - if err != nil { - return nil, errors.Wrapf(err, "error getting graph driver info %q", c.ID()) - } - return c.getContainerInspectData(size, driverData) -} - // Wait blocks until the container exits and returns its exit code. func (c *Container) Wait() (int32, error) { return c.WaitWithInterval(DefaultWaitInterval) @@ -815,11 +787,27 @@ type ContainerCheckpointOptions struct { // TCPEstablished tells the API to checkpoint a container // even if it contains established TCP connections TCPEstablished bool + // Export tells the API to write the checkpoint image to + // the filename set in TargetFile + // Import tells the API to read the checkpoint image from + // the filename set in TargetFile + TargetFile string + // Name tells the API that during restore from an exported + // checkpoint archive a new name should be used for the + // restored container + Name string } // Checkpoint checkpoints a container func (c *Container) Checkpoint(ctx context.Context, options ContainerCheckpointOptions) error { logrus.Debugf("Trying to checkpoint container %s", c.ID()) + + if options.TargetFile != "" { + if err := c.prepareCheckpointExport(); err != nil { + return err + } + } + if !c.batched { c.lock.Lock() defer c.lock.Unlock() diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go index a7369bfdd..0a62ceb7c 100644 --- a/libpod/container_inspect.go +++ b/libpod/container_inspect.go @@ -1,15 +1,157 @@ package libpod import ( - "strings" + "time" - "github.com/containers/libpod/pkg/inspect" + "github.com/containers/libpod/libpod/driver" "github.com/cri-o/ocicni/pkg/ocicni" - specs "github.com/opencontainers/runtime-spec/specs-go" + spec "github.com/opencontainers/runtime-spec/specs-go" + "github.com/pkg/errors" "github.com/sirupsen/logrus" ) -func (c *Container) getContainerInspectData(size bool, driverData *inspect.Data) (*inspect.ContainerInspectData, error) { +// InspectContainerData provides a detailed record of a container's configuration +// and state as viewed by Libpod. +// Large portions of this structure are defined such that the output is +// compatible with `docker inspect` JSON, but additional fields have been added +// as required to share information not in the original output. +type InspectContainerData struct { + ID string `json:"Id"` + Created time.Time `json:"Created"` + Path string `json:"Path"` + Args []string `json:"Args"` + State *InspectContainerState `json:"State"` + ImageID string `json:"Image"` + ImageName string `json:"ImageName"` + Rootfs string `json:"Rootfs"` + ResolvConfPath string `json:"ResolvConfPath"` + HostnamePath string `json:"HostnamePath"` + HostsPath string `json:"HostsPath"` + StaticDir string `json:"StaticDir"` + OCIConfigPath string `json:"OCIConfigPath,omitempty"` + LogPath string `json:"LogPath"` + ConmonPidFile string `json:"ConmonPidFile"` + Name string `json:"Name"` + RestartCount int32 `json:"RestartCount"` + Driver string `json:"Driver"` + MountLabel string `json:"MountLabel"` + ProcessLabel string `json:"ProcessLabel"` + AppArmorProfile string `json:"AppArmorProfile"` + EffectiveCaps []string `json:"EffectiveCaps"` + BoundingCaps []string `json:"BoundingCaps"` + ExecIDs []string `json:"ExecIDs"` + GraphDriver *driver.Data `json:"GraphDriver"` + SizeRw int64 `json:"SizeRw,omitempty"` + SizeRootFs int64 `json:"SizeRootFs,omitempty"` + Mounts []*InspectMount `json:"Mounts"` + Dependencies []string `json:"Dependencies"` + NetworkSettings *InspectNetworkSettings `json:"NetworkSettings"` //TODO + ExitCommand []string `json:"ExitCommand"` + Namespace string `json:"Namespace"` + IsInfra bool `json:"IsInfra"` +} + +// InspectMount provides a record of a single mount in a container. It contains +// fields for both named and normal volumes. Only user-specified volumes will be +// included, and tmpfs volumes are not included even if the user specified them. +type InspectMount struct { + // Whether the mount is a volume or bind mount. Allowed values are + // "volume" and "bind". + Type string `json:"Type"` + // The name of the volume. Empty for bind mounts. + Name string `json:"Name,omptempty"` + // The source directory for the volume. + Src string `json:"Source"` + // The destination directory for the volume. Specified as a path within + // the container, as it would be passed into the OCI runtime. + Dst string `json:"Destination"` + // The driver used for the named volume. Empty for bind mounts. + Driver string `json:"Driver"` + // Contains SELinux :z/:Z mount options. Unclear what, if anything, else + // goes in here. + Mode string `json:"Mode"` + // All remaining mount options. Additional data, not present in the + // original output. + Options []string `json:"Options"` + // Whether the volume is read-write + RW bool `json:"RW"` + // Mount propagation for the mount. Can be empty if not specified, but + // is always printed - no omitempty. + Propagation string `json:"Propagation"` +} + +// InspectContainerState provides a detailed record of a container's current +// state. It is returned as part of InspectContainerData. +// As with InspectContainerData, many portions of this struct are matched to +// Docker, but here we see more fields that are unused (nonsensical in the +// context of Libpod). +type InspectContainerState struct { + OciVersion string `json:"OciVersion"` + Status string `json:"Status"` + Running bool `json:"Running"` + Paused bool `json:"Paused"` + Restarting bool `json:"Restarting"` // TODO + OOMKilled bool `json:"OOMKilled"` + Dead bool `json:"Dead"` + Pid int `json:"Pid"` + ExitCode int32 `json:"ExitCode"` + Error string `json:"Error"` // TODO + StartedAt time.Time `json:"StartedAt"` + FinishedAt time.Time `json:"FinishedAt"` + Healthcheck HealthCheckResults `json:"Healthcheck,omitempty"` +} + +// InspectNetworkSettings holds information about the network settings of the +// container. +// Many fields are maintained only for compatibility with `docker inspect` and +// are unused within Libpod. +type InspectNetworkSettings struct { + Bridge string `json:"Bridge"` + SandboxID string `json:"SandboxID"` + HairpinMode bool `json:"HairpinMode"` + LinkLocalIPv6Address string `json:"LinkLocalIPv6Address"` + LinkLocalIPv6PrefixLen int `json:"LinkLocalIPv6PrefixLen"` + Ports []ocicni.PortMapping `json:"Ports"` + SandboxKey string `json:"SandboxKey"` + SecondaryIPAddresses []string `json:"SecondaryIPAddresses"` + SecondaryIPv6Addresses []string `json:"SecondaryIPv6Addresses"` + EndpointID string `json:"EndpointID"` + Gateway string `json:"Gateway"` + GlobalIPv6Address string `json:"GlobalIPv6Address"` + GlobalIPv6PrefixLen int `json:"GlobalIPv6PrefixLen"` + IPAddress string `json:"IPAddress"` + IPPrefixLen int `json:"IPPrefixLen"` + IPv6Gateway string `json:"IPv6Gateway"` + MacAddress string `json:"MacAddress"` +} + +// Inspect a container for low-level information +func (c *Container) Inspect(size bool) (*InspectContainerData, error) { + if !c.batched { + c.lock.Lock() + defer c.lock.Unlock() + + if err := c.syncContainer(); err != nil { + return nil, err + } + } + + storeCtr, err := c.runtime.store.Container(c.ID()) + if err != nil { + return nil, errors.Wrapf(err, "error getting container from store %q", c.ID()) + } + layer, err := c.runtime.store.Layer(storeCtr.LayerID) + if err != nil { + return nil, errors.Wrapf(err, "error reading information about layer %q", storeCtr.LayerID) + } + driverData, err := driver.GetDriverData(c.runtime.store, layer.ID) + if err != nil { + return nil, errors.Wrapf(err, "error getting graph driver info %q", c.ID()) + } + return c.getContainerInspectData(size, driverData) +} + +func (c *Container) getContainerInspectData(size bool, driverData *driver.Data) (*InspectContainerData, error) { config := c.config runtimeInfo := c.state spec, err := c.specFromState() @@ -35,42 +177,32 @@ func (c *Container) getContainerInspectData(size bool, driverData *inspect.Data) execIDs = append(execIDs, id) } - if c.state.BindMounts == nil { - c.state.BindMounts = make(map[string]string) - } - resolvPath := "" - if getPath, ok := c.state.BindMounts["/etc/resolv.conf"]; ok { - resolvPath = getPath - } - hostsPath := "" - if getPath, ok := c.state.BindMounts["/etc/hosts"]; ok { - hostsPath = getPath - } - hostnamePath := "" - if getPath, ok := c.state.BindMounts["/etc/hostname"]; ok { - hostnamePath = getPath - } - - var mounts []specs.Mount - for i, mnt := range spec.Mounts { - mounts = append(mounts, mnt) - // We only want to show the name of the named volume in the inspect - // output, so split the path and get the name out of it. - if strings.Contains(mnt.Source, c.runtime.config.VolumePath) { - split := strings.Split(mnt.Source[len(c.runtime.config.VolumePath)+1:], "/") - mounts[i].Source = split[0] + if c.state.BindMounts != nil { + if getPath, ok := c.state.BindMounts["/etc/resolv.conf"]; ok { + resolvPath = getPath + } + if getPath, ok := c.state.BindMounts["/etc/hosts"]; ok { + hostsPath = getPath + } + if getPath, ok := c.state.BindMounts["/etc/hostname"]; ok { + hostnamePath = getPath } } - data := &inspect.ContainerInspectData{ + mounts, err := c.getInspectMounts() + if err != nil { + return nil, err + } + + data := &InspectContainerData{ ID: config.ID, Created: config.CreatedTime, Path: path, Args: args, - State: &inspect.ContainerInspectState{ + State: &InspectContainerState{ OciVersion: spec.Version, Status: runtimeInfo.State.String(), Running: runtimeInfo.State == ContainerStateRunning, @@ -106,7 +238,7 @@ func (c *Container) getContainerInspectData(size bool, driverData *inspect.Data) GraphDriver: driverData, Mounts: mounts, Dependencies: c.Dependencies(), - NetworkSettings: &inspect.NetworkSettings{ + NetworkSettings: &InspectNetworkSettings{ Bridge: "", // TODO SandboxID: "", // TODO - is this even relevant? HairpinMode: false, // TODO @@ -129,8 +261,12 @@ func (c *Container) getContainerInspectData(size bool, driverData *inspect.Data) IsInfra: c.IsInfra(), } + if c.state.ConfigPath != "" { + data.OCIConfigPath = c.state.ConfigPath + } + if c.config.HealthCheckConfig != nil { - // This container has a healthcheck defined in it; we need to add it's state + // This container has a healthcheck defined in it; we need to add it's state healthCheckState, err := c.GetHealthCheckLog() if err != nil { // An error here is not considered fatal; no health state will be displayed @@ -162,3 +298,106 @@ func (c *Container) getContainerInspectData(size bool, driverData *inspect.Data) } return data, nil } + +// Get inspect-formatted mounts list. +// Only includes user-specified mounts. Only includes bind mounts and named +// volumes, not tmpfs volumes. +func (c *Container) getInspectMounts() ([]*InspectMount, error) { + inspectMounts := []*InspectMount{} + + // No mounts, return early + if len(c.config.UserVolumes) == 0 { + return inspectMounts, nil + } + + // We need to parse all named volumes and mounts into maps, so we don't + // end up with repeated lookups for each user volume. + // Map destination to struct, as destination is what is stored in + // UserVolumes. + namedVolumes := make(map[string]*ContainerNamedVolume) + mounts := make(map[string]spec.Mount) + for _, namedVol := range c.config.NamedVolumes { + namedVolumes[namedVol.Dest] = namedVol + } + for _, mount := range c.config.Spec.Mounts { + mounts[mount.Destination] = mount + } + + for _, vol := range c.config.UserVolumes { + // We need to look up the volumes. + // First: is it a named volume? + if volume, ok := namedVolumes[vol]; ok { + mountStruct := new(InspectMount) + mountStruct.Type = "volume" + mountStruct.Dst = volume.Dest + mountStruct.Name = volume.Name + + // For src and driver, we need to look up the named + // volume. + volFromDB, err := c.runtime.state.Volume(volume.Name) + if err != nil { + return nil, errors.Wrapf(err, "error looking up volume %s in container %s config", volume.Name, c.ID()) + } + mountStruct.Driver = volFromDB.Driver() + mountStruct.Src = volFromDB.MountPoint() + + parseMountOptionsForInspect(volume.Options, mountStruct) + + inspectMounts = append(inspectMounts, mountStruct) + } else if mount, ok := mounts[vol]; ok { + // It's a mount. + // Is it a tmpfs? If so, discard. + if mount.Type == "tmpfs" { + continue + } + + mountStruct := new(InspectMount) + mountStruct.Type = "bind" + mountStruct.Src = mount.Source + mountStruct.Dst = mount.Destination + + parseMountOptionsForInspect(mount.Options, mountStruct) + + inspectMounts = append(inspectMounts, mountStruct) + } + // We couldn't find a mount. Log a warning. + logrus.Warnf("Could not find mount at destination %q when building inspect output for container %s", vol, c.ID()) + } + + return inspectMounts, nil +} + +// Parse mount options so we can populate them in the mount structure. +// The mount passed in will be modified. +func parseMountOptionsForInspect(options []string, mount *InspectMount) { + isRW := true + mountProp := "" + zZ := "" + otherOpts := []string{} + + // Some of these may be overwritten if the user passes us garbage opts + // (for example, [ro,rw]) + // We catch these on the Podman side, so not a problem there, but other + // users of libpod who do not properly validate mount options may see + // this. + // Not really worth dealing with on our end - garbage in, garbage out. + for _, opt := range options { + switch opt { + case "ro": + isRW = false + case "rw": + // Do nothing, silently discard + case "shared", "slave", "private", "rshared", "rslave", "rprivate": + mountProp = opt + case "z", "Z": + zZ = opt + default: + otherOpts = append(otherOpts, opt) + } + } + + mount.RW = isRW + mount.Propagation = mountProp + mount.Mode = zZ + mount.Options = otherOpts +} diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 5f8dd1c72..9245a8840 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -21,6 +21,7 @@ import ( "github.com/containers/storage/pkg/archive" "github.com/containers/storage/pkg/mount" spec "github.com/opencontainers/runtime-spec/specs-go" + "github.com/opencontainers/runtime-tools/generate" "github.com/opencontainers/selinux/go-selinux/label" opentracing "github.com/opentracing/opentracing-go" "github.com/pkg/errors" @@ -359,7 +360,8 @@ func (c *Container) setupStorage(ctx context.Context) error { } return false } - defOptions, err := storage.GetDefaultMountOptions() + + defOptions, err := storage.GetMountOptions(c.runtime.store.GraphDriverName(), c.runtime.store.GraphOptions()) if err != nil { return errors.Wrapf(err, "error getting default mount options") } @@ -1345,7 +1347,7 @@ func (c *Container) appendStringToRundir(destFile, output string) (string, error return filepath.Join(c.state.RunDir, destFile), nil } -// Save OCI spec to disk, replacing any existing specs for the container +// saveSpec saves the OCI spec to disk, replacing any existing specs for the container func (c *Container) saveSpec(spec *spec.Spec) error { // If the OCI spec already exists, we need to replace it // Cannot guarantee some things, e.g. network namespaces, have the same @@ -1501,3 +1503,40 @@ func (c *Container) checkReadyForRemoval() error { return nil } + +// writeJSONFile marshalls and writes the given data to a JSON file +// in the bundle path +func (c *Container) writeJSONFile(v interface{}, file string) (err error) { + fileJSON, err := json.MarshalIndent(v, "", " ") + if err != nil { + return errors.Wrapf(err, "error writing JSON to %s for container %s", file, c.ID()) + } + file = filepath.Join(c.bundlePath(), file) + if err := ioutil.WriteFile(file, fileJSON, 0644); err != nil { + return err + } + + return nil +} + +// prepareCheckpointExport writes the config and spec to +// JSON files for later export +func (c *Container) prepareCheckpointExport() (err error) { + // save live config + if err := c.writeJSONFile(c.Config(), "config.dump"); err != nil { + return err + } + + // save spec + jsonPath := filepath.Join(c.bundlePath(), "config.json") + g, err := generate.NewFromFile(jsonPath) + if err != nil { + logrus.Debugf("generating spec for container %q failed with %v", c.ID(), err) + return err + } + if err := c.writeJSONFile(g.Spec(), "spec.dump"); err != nil { + return err + } + + return nil +} diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index f25f76092..55cc5089b 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -5,6 +5,7 @@ package libpod import ( "context" "fmt" + "io" "io/ioutil" "net" "os" @@ -25,6 +26,7 @@ import ( "github.com/containers/libpod/pkg/lookup" "github.com/containers/libpod/pkg/resolvconf" "github.com/containers/libpod/pkg/rootless" + "github.com/containers/storage/pkg/archive" securejoin "github.com/cyphar/filepath-securejoin" "github.com/opencontainers/runc/libcontainer/user" spec "github.com/opencontainers/runtime-spec/specs-go" @@ -422,7 +424,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { // It also expects to be able to write to /sys/fs/cgroup/systemd and /var/log/journal func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) error { options := []string{"rw", "rprivate", "noexec", "nosuid", "nodev"} - for _, dest := range []string{"/run"} { + for _, dest := range []string{"/run", "/run/lock"} { if MountExists(mounts, dest) { continue } @@ -496,6 +498,45 @@ func (c *Container) addNamespaceContainer(g *generate.Generator, ns LinuxNS, ctr return nil } +func (c *Container) exportCheckpoint(dest string) (err error) { + if (len(c.config.NamedVolumes) > 0) || (len(c.Dependencies()) > 0) { + return errors.Errorf("Cannot export checkpoints of containers with named volumes or dependencies") + } + logrus.Debugf("Exporting checkpoint image of container %q to %q", c.ID(), dest) + input, err := archive.TarWithOptions(c.bundlePath(), &archive.TarOptions{ + Compression: archive.Gzip, + IncludeSourceDir: true, + IncludeFiles: []string{ + "checkpoint", + "artifacts", + "ctr.log", + "config.dump", + "spec.dump", + "network.status"}, + }) + + if err != nil { + return errors.Wrapf(err, "error reading checkpoint directory %q", c.ID()) + } + + outFile, err := os.Create(dest) + if err != nil { + return errors.Wrapf(err, "error creating checkpoint export file %q", dest) + } + defer outFile.Close() + + if err := os.Chmod(dest, 0600); err != nil { + return errors.Wrapf(err, "cannot chmod %q", dest) + } + + _, err = io.Copy(outFile, input) + if err != nil { + return err + } + + return nil +} + func (c *Container) checkpointRestoreSupported() (err error) { if !criu.CheckForCriu() { return errors.Errorf("Checkpoint/Restore requires at least CRIU %d", criu.MinCriuVersion) @@ -549,6 +590,12 @@ func (c *Container) checkpoint(ctx context.Context, options ContainerCheckpointO return err } + if options.TargetFile != "" { + if err = c.exportCheckpoint(options.TargetFile); err != nil { + return err + } + } + logrus.Debugf("Checkpointed container %s", c.ID()) if !options.KeepRunning { @@ -561,15 +608,50 @@ func (c *Container) checkpoint(ctx context.Context, options ContainerCheckpointO } if !options.Keep { - // Remove log file - os.Remove(filepath.Join(c.bundlePath(), "dump.log")) - // Remove statistic file - os.Remove(filepath.Join(c.bundlePath(), "stats-dump")) + cleanup := []string{ + "dump.log", + "stats-dump", + "config.dump", + "spec.dump", + } + for _, delete := range cleanup { + file := filepath.Join(c.bundlePath(), delete) + os.Remove(file) + } } return c.save() } +func (c *Container) importCheckpoint(input string) (err error) { + archiveFile, err := os.Open(input) + if err != nil { + return errors.Wrapf(err, "Failed to open checkpoint archive %s for import", input) + } + + defer archiveFile.Close() + options := &archive.TarOptions{ + ExcludePatterns: []string{ + // config.dump and spec.dump are only required + // container creation + "config.dump", + "spec.dump", + }, + } + err = archive.Untar(archiveFile, c.bundlePath(), options) + if err != nil { + return errors.Wrapf(err, "Unpacking of checkpoint archive %s failed", input) + } + + // Make sure the newly created config.json exists on disk + g := generate.NewFromSpec(c.config.Spec) + if err = c.saveSpec(g.Spec()); err != nil { + return errors.Wrap(err, "Saving imported container specification for restore failed") + } + + return nil +} + func (c *Container) restore(ctx context.Context, options ContainerCheckpointOptions) (err error) { if err := c.checkpointRestoreSupported(); err != nil { @@ -580,6 +662,12 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti return errors.Wrapf(ErrCtrStateInvalid, "container %s is running or paused, cannot restore", c.ID()) } + if options.TargetFile != "" { + if err = c.importCheckpoint(options.TargetFile); err != nil { + return err + } + } + // Let's try to stat() CRIU's inventory file. If it does not exist, it makes // no sense to try a restore. This is a minimal check if a checkpoint exist. if _, err := os.Stat(filepath.Join(c.CheckpointPath(), "inventory.img")); os.IsNotExist(err) { @@ -593,7 +681,13 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti // Read network configuration from checkpoint // Currently only one interface with one IP is supported. networkStatusFile, err := os.Open(filepath.Join(c.bundlePath(), "network.status")) - if err == nil { + // If the restored container should get a new name, the IP address of + // the container will not be restored. This assumes that if a new name is + // specified, the container is restored multiple times. + // TODO: This implicit restoring with or without IP depending on an + // unrelated restore parameter (--name) does not seem like the + // best solution. + if err == nil && options.Name == "" { // The file with the network.status does exist. Let's restore the // container with the same IP address as during checkpointing. defer networkStatusFile.Close() @@ -637,23 +731,44 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti return err } + // Restoring from an import means that we are doing migration + if options.TargetFile != "" { + g.SetRootPath(c.state.Mountpoint) + } + // We want to have the same network namespace as before. if c.config.CreateNetNS { g.AddOrReplaceLinuxNamespace(spec.NetworkNamespace, c.state.NetNS.Path()) } - // Save the OCI spec to disk - if err := c.saveSpec(g.Spec()); err != nil { + if err := c.makeBindMounts(); err != nil { return err } - if err := c.makeBindMounts(); err != nil { - return err + if options.TargetFile != "" { + for dstPath, srcPath := range c.state.BindMounts { + newMount := spec.Mount{ + Type: "bind", + Source: srcPath, + Destination: dstPath, + Options: []string{"bind", "private"}, + } + if c.IsReadOnly() && dstPath != "/dev/shm" { + newMount.Options = append(newMount.Options, "ro", "nosuid", "noexec", "nodev") + } + if !MountExists(g.Mounts(), dstPath) { + g.AddMount(newMount) + } + } } // Cleanup for a working restore. c.removeConmonFiles() + // Save the OCI spec to disk + if err := c.saveSpec(g.Spec()); err != nil { + return err + } if err := c.runtime.ociRuntime.createContainer(c, c.config.CgroupParent, &options); err != nil { return err } @@ -885,7 +1000,7 @@ func (c *Container) generateResolvConf() (string, error) { nameservers := resolvconf.GetNameservers(resolv.Content) // slirp4netns has a built in DNS server. if c.config.NetMode.IsSlirp4netns() { - nameservers = append(nameservers, "10.0.2.3") + nameservers = append([]string{"10.0.2.3"}, nameservers...) } if len(c.config.DNSServer) > 0 { // We store DNS servers as net.IP, so need to convert to string diff --git a/libpod/driver/driver.go b/libpod/driver/driver.go index 717ac2a4d..f9442fa21 100644 --- a/libpod/driver/driver.go +++ b/libpod/driver/driver.go @@ -1,10 +1,15 @@ package driver import ( - "github.com/containers/libpod/pkg/inspect" cstorage "github.com/containers/storage" ) +// Data handles the data for a storage driver +type Data struct { + Name string `json:"Name"` + Data map[string]string `json:"Data"` +} + // GetDriverName returns the name of the driver for the given store func GetDriverName(store cstorage.Store) (string, error) { driver, err := store.GraphDriver() @@ -24,7 +29,7 @@ func GetDriverMetadata(store cstorage.Store, layerID string) (map[string]string, } // GetDriverData returns the Data struct with information of the driver used by the store -func GetDriverData(store cstorage.Store, layerID string) (*inspect.Data, error) { +func GetDriverData(store cstorage.Store, layerID string) (*Data, error) { name, err := GetDriverName(store) if err != nil { return nil, err @@ -33,7 +38,7 @@ func GetDriverData(store cstorage.Store, layerID string) (*inspect.Data, error) if err != nil { return nil, err } - return &inspect.Data{ + return &Data{ Name: name, Data: metaData, }, nil diff --git a/libpod/errors.go b/libpod/errors.go index dd82d0796..cca0935ec 100644 --- a/libpod/errors.go +++ b/libpod/errors.go @@ -96,4 +96,7 @@ var ( // ErrOSNotSupported indicates the function is not available on the particular // OS. ErrOSNotSupported = errors.New("No support for this OS yet") + + // ErrOCIRuntime indicates an error from the OCI runtime + ErrOCIRuntime = errors.New("OCI runtime error") ) diff --git a/libpod/healthcheck.go b/libpod/healthcheck.go index 5c48cc8ee..3e36a2c95 100644 --- a/libpod/healthcheck.go +++ b/libpod/healthcheck.go @@ -9,7 +9,6 @@ import ( "strings" "time" - "github.com/containers/libpod/pkg/inspect" "github.com/pkg/errors" "github.com/sirupsen/logrus" ) @@ -53,6 +52,28 @@ const ( HealthCheckStarting string = "starting" ) +// HealthCheckResults describes the results/logs from a healthcheck +type HealthCheckResults struct { + // Status healthy or unhealthy + Status string `json:"Status"` + // FailingStreak is the number of consecutive failed healthchecks + FailingStreak int `json:"FailingStreak"` + // Log describes healthcheck attempts and results + Log []HealthCheckLog `json:"Log"` +} + +// HealthCheckLog describes the results of a single healthcheck +type HealthCheckLog struct { + // Start time as string + Start string `json:"Start"` + // End time as a string + End string `json:"End"` + // Exitcode is 0 or 1 + ExitCode int `json:"ExitCode"` + // Output is the stdout/stderr from the healthcheck command + Output string `json:"Output"` +} + // hcWriteCloser allows us to use bufio as a WriteCloser type hcWriteCloser struct { *bufio.Writer @@ -157,8 +178,8 @@ func checkHealthCheckCanBeRun(c *Container) (HealthCheckStatus, error) { return HealthCheckDefined, nil } -func newHealthCheckLog(start, end time.Time, exitCode int, log string) inspect.HealthCheckLog { - return inspect.HealthCheckLog{ +func newHealthCheckLog(start, end time.Time, exitCode int, log string) HealthCheckLog { + return HealthCheckLog{ Start: start.Format(time.RFC3339Nano), End: end.Format(time.RFC3339Nano), ExitCode: exitCode, @@ -182,7 +203,7 @@ func (c *Container) updateHealthStatus(status string) error { } // UpdateHealthCheckLog parses the health check results and writes the log -func (c *Container) updateHealthCheckLog(hcl inspect.HealthCheckLog, inStartPeriod bool) error { +func (c *Container) updateHealthCheckLog(hcl HealthCheckLog, inStartPeriod bool) error { healthCheck, err := c.GetHealthCheckLog() if err != nil { return err @@ -223,8 +244,8 @@ func (c *Container) healthCheckLogPath() string { // GetHealthCheckLog returns HealthCheck results by reading the container's // health check log file. If the health check log file does not exist, then // an empty healthcheck struct is returned -func (c *Container) GetHealthCheckLog() (inspect.HealthCheckResults, error) { - var healthCheck inspect.HealthCheckResults +func (c *Container) GetHealthCheckLog() (HealthCheckResults, error) { + var healthCheck HealthCheckResults if _, err := os.Stat(c.healthCheckLogPath()); os.IsNotExist(err) { return healthCheck, nil } diff --git a/libpod/image/image.go b/libpod/image/image.go index b965a4640..89a68a1bd 100644 --- a/libpod/image/image.go +++ b/libpod/image/image.go @@ -659,7 +659,7 @@ func (i *Image) Size(ctx context.Context) (*uint64, error) { } // DriverData gets the driver data from the store on a layer -func (i *Image) DriverData() (*inspect.Data, error) { +func (i *Image) DriverData() (*driver.Data, error) { topLayer, err := i.Layer() if err != nil { return nil, err diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go index b8a916de3..ed9ad5f0d 100644 --- a/libpod/networking_linux.go +++ b/libpod/networking_linux.go @@ -17,7 +17,6 @@ import ( cnitypes "github.com/containernetworking/cni/pkg/types/current" "github.com/containernetworking/plugins/pkg/ns" "github.com/containers/libpod/pkg/firewall" - "github.com/containers/libpod/pkg/inspect" "github.com/containers/libpod/pkg/netns" "github.com/containers/libpod/pkg/rootless" "github.com/cri-o/ocicni/pkg/ocicni" @@ -470,7 +469,7 @@ func getContainerNetIO(ctr *Container) (*netlink.LinkStatistics, error) { return netStats, err } -func (c *Container) getContainerNetworkInfo(data *inspect.ContainerInspectData) *inspect.ContainerInspectData { +func (c *Container) getContainerNetworkInfo(data *InspectContainerData) *InspectContainerData { if c.state.NetNS != nil && len(c.state.NetworkStatus) > 0 { // Report network settings from the first pod network result := c.state.NetworkStatus[0] diff --git a/libpod/networking_unsupported.go b/libpod/networking_unsupported.go index 3a8ac4455..1e46ca40b 100644 --- a/libpod/networking_unsupported.go +++ b/libpod/networking_unsupported.go @@ -2,10 +2,6 @@ package libpod -import ( - "github.com/containers/libpod/pkg/inspect" -) - func (r *Runtime) setupRootlessNetNS(ctr *Container) (err error) { return ErrNotImplemented } @@ -22,6 +18,6 @@ func (r *Runtime) createNetNS(ctr *Container) (err error) { return ErrNotImplemented } -func (c *Container) getContainerNetworkInfo(data *inspect.ContainerInspectData) *inspect.ContainerInspectData { +func (c *Container) getContainerNetworkInfo(data *InspectContainerData) *InspectContainerData { return nil } diff --git a/libpod/oci.go b/libpod/oci.go index 7138108c5..dcb72fc1b 100644 --- a/libpod/oci.go +++ b/libpod/oci.go @@ -58,6 +58,7 @@ type OCIRuntime struct { logSizeMax int64 noPivot bool reservePorts bool + supportsJSON bool } // syncInfo is used to return data from monitor process to daemon @@ -66,8 +67,16 @@ type syncInfo struct { Message string `json:"message,omitempty"` } +// ociError is used to parse the OCI runtime JSON log. It is not part of the +// OCI runtime specifications, it follows what runc does +type ociError struct { + Level string `json:"level,omitempty"` + Time string `json:"time,omitempty"` + Msg string `json:"msg,omitempty"` +} + // Make a new OCI runtime with provided options -func newOCIRuntime(oruntime OCIRuntimePath, conmonPath string, conmonEnv []string, cgroupManager string, tmpDir string, logSizeMax int64, noPivotRoot bool, reservePorts bool) (*OCIRuntime, error) { +func newOCIRuntime(oruntime OCIRuntimePath, conmonPath string, conmonEnv []string, cgroupManager string, tmpDir string, logSizeMax int64, noPivotRoot bool, reservePorts bool, supportsJSON bool) (*OCIRuntime, error) { runtime := new(OCIRuntime) runtime.name = oruntime.Name runtime.path = oruntime.Paths[0] @@ -78,6 +87,7 @@ func newOCIRuntime(oruntime OCIRuntimePath, conmonPath string, conmonEnv []strin runtime.logSizeMax = logSizeMax runtime.noPivot = noPivotRoot runtime.reservePorts = reservePorts + runtime.supportsJSON = supportsJSON runtime.exitsDir = filepath.Join(runtime.tmpDir, "exits") runtime.socketsDir = filepath.Join(runtime.tmpDir, "socket") diff --git a/libpod/oci_linux.go b/libpod/oci_linux.go index 7c1c18052..9bbefdb06 100644 --- a/libpod/oci_linux.go +++ b/libpod/oci_linux.go @@ -6,6 +6,7 @@ import ( "bufio" "bytes" "fmt" + "io/ioutil" "os" "os/exec" "path/filepath" @@ -208,6 +209,9 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string, res defer parentPipe.Close() defer parentStartPipe.Close() + ociLog := filepath.Join(ctr.state.RunDir, "oci-log") + logLevel := logrus.GetLevel() + args := []string{} if r.cgroupManager == SystemdCgroupsManager { args = append(args, "-s") @@ -219,6 +223,9 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string, res args = append(args, "-b", ctr.bundlePath()) args = append(args, "-p", filepath.Join(ctr.state.RunDir, "pidfile")) args = append(args, "--exit-dir", r.exitsDir) + if logLevel != logrus.DebugLevel && r.supportsJSON { + args = append(args, "--runtime-arg", "--log-format=json", "--runtime-arg", "--log", fmt.Sprintf("--runtime-arg=%s", ociLog)) + } if ctr.config.ConmonPidFile != "" { args = append(args, "--conmon-pidfile", ctr.config.ConmonPidFile) } @@ -248,7 +255,6 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string, res args = append(args, "--no-pivot") } - logLevel := logrus.GetLevel() args = append(args, "--log-level", logLevel.String()) if logLevel == logrus.DebugLevel { @@ -417,8 +423,18 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string, res } logrus.Debugf("Received container pid: %d", ss.si.Pid) if ss.si.Pid == -1 { + if r.supportsJSON { + data, err := ioutil.ReadFile(ociLog) + if err == nil { + var ociErr ociError + if err := json.Unmarshal(data, &ociErr); err == nil { + return errors.Wrapf(ErrOCIRuntime, "%s", strings.Trim(ociErr.Msg, "\n")) + } + } + } + // If we failed to parse the JSON errors, then print the output as it is if ss.si.Message != "" { - return errors.Wrapf(ErrInternal, "container create failed: %s", ss.si.Message) + return errors.Wrapf(ErrOCIRuntime, "%s", ss.si.Message) } return errors.Wrapf(ErrInternal, "container create failed") } diff --git a/libpod/options.go b/libpod/options.go index 20aa51981..cdac09654 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -1127,6 +1127,8 @@ func WithGroups(groups []string) CtrCreateOption { // These are not added to the container's spec, but will instead be used during // commit to populate the volumes of the new image, and to trigger some OCI // hooks that are only added if volume mounts are present. +// Furthermore, they are used in the output of inspect, to filter volumes - +// only volumes included in this list will be included in the output. // Unless explicitly set, committed images will have no volumes. // The given volumes slice must not be nil. func WithUserVolumes(volumes []string) CtrCreateOption { diff --git a/libpod/pod.go b/libpod/pod.go index 4ce697402..c319c449f 100644 --- a/libpod/pod.go +++ b/libpod/pod.go @@ -18,7 +18,6 @@ import ( // assume their callers handled this requirement. Generally speaking, if a // function takes the pod lock and accesses any part of state, it should // updatePod() immediately after locking. -// ffjson: skip // Pod represents a group of containers that may share namespaces type Pod struct { config *PodConfig @@ -30,7 +29,6 @@ type Pod struct { } // PodConfig represents a pod's static configuration -// easyjson:json type PodConfig struct { ID string `json:"id"` Name string `json:"name"` @@ -66,7 +64,6 @@ type PodConfig struct { } // podState represents a pod's state -// easyjson:json type podState struct { // CgroupPath is the path to the pod's CGroup CgroupPath string `json:"cgroupPath"` @@ -77,7 +74,6 @@ type podState struct { // PodInspect represents the data we want to display for // podman pod inspect -// easyjson:json type PodInspect struct { Config *PodConfig State *PodInspectState @@ -85,14 +81,12 @@ type PodInspect struct { } // PodInspectState contains inspect data on the pod's state -// easyjson:json type PodInspectState struct { CgroupPath string `json:"cgroupPath"` InfraContainerID string `json:"infraContainerID"` } // PodContainerInfo keeps information on a container in a pod -// easyjson:json type PodContainerInfo struct { ID string `json:"id"` State string `json:"state"` diff --git a/libpod/runtime.go b/libpod/runtime.go index 1f8dd98b4..2c50fce85 100644 --- a/libpod/runtime.go +++ b/libpod/runtime.go @@ -42,11 +42,20 @@ const ( SQLiteStateStore RuntimeStateStore = iota // BoltDBStateStore is a state backed by a BoltDB database BoltDBStateStore RuntimeStateStore = iota +) + +var ( + // InstallPrefix is the prefix where podman will be installed. + // It can be overridden at build time. + installPrefix = "/usr/local" + // EtcDir is the sysconfdir where podman should look for system config files. + // It can be overridden at build time. + etcDir = "/etc" // SeccompDefaultPath defines the default seccomp path - SeccompDefaultPath = "/usr/share/containers/seccomp.json" + SeccompDefaultPath = installPrefix + "/share/containers/seccomp.json" // SeccompOverridePath if this exists it overrides the default seccomp path - SeccompOverridePath = "/etc/crio/seccomp.json" + SeccompOverridePath = etcDir + "/crio/seccomp.json" // ConfigPath is the path to the libpod configuration file // This file is loaded to replace the builtin default config before @@ -54,11 +63,11 @@ const ( // If it is not present, the builtin default config is used instead // This path can be overridden when the runtime is created by using // NewRuntimeFromConfig() instead of NewRuntime() - ConfigPath = "/usr/share/containers/libpod.conf" + ConfigPath = installPrefix + "/share/containers/libpod.conf" // OverrideConfigPath is the path to an override for the default libpod // configuration file. If OverrideConfigPath exists, it will be used in // place of the configuration file pointed to by ConfigPath. - OverrideConfigPath = "/etc/containers/libpod.conf" + OverrideConfigPath = etcDir + "/containers/libpod.conf" // DefaultInfraImage to use for infra container DefaultInfraImage = "k8s.gcr.io/pause:3.1" @@ -151,6 +160,8 @@ type RuntimeConfig struct { OCIRuntime string `toml:"runtime"` // OCIRuntimes are the set of configured OCI runtimes (default is runc) OCIRuntimes map[string][]string `toml:"runtimes"` + // RuntimeSupportsJSON is the list of the OCI runtimes that support --format=json + RuntimeSupportsJSON []string `toml:"runtime_supports_json"` // RuntimePath is the path to OCI runtime binary for launching // containers. // The first path pointing to a valid file will be used @@ -250,6 +261,7 @@ type runtimeConfiguredFrom struct { volPathSet bool conmonPath bool conmonEnvVars bool + initPath bool ociRuntimes bool runtimePath bool cniPluginDir bool @@ -297,7 +309,7 @@ func defaultRuntimeConfig() (RuntimeConfig, error) { TmpDir: "", MaxLogSize: -1, NoPivotRoot: false, - CNIConfigDir: "/etc/cni/net.d/", + CNIConfigDir: etcDir + "/cni/net.d/", CNIPluginDir: []string{"/usr/libexec/cni", "/usr/lib/cni", "/usr/local/lib/cni", "/opt/cni/bin"}, InfraCommand: DefaultInfraCommand, InfraImage: DefaultInfraImage, @@ -475,6 +487,9 @@ func newRuntimeFromConfig(ctx context.Context, userConfigPath string, options .. if tmpConfig.ConmonEnvVars != nil { runtime.configuredFrom.conmonEnvVars = true } + if tmpConfig.InitPath != "" { + runtime.configuredFrom.initPath = true + } if tmpConfig.OCIRuntimes != nil { runtime.configuredFrom.ociRuntimes = true } @@ -512,6 +527,9 @@ func newRuntimeFromConfig(ctx context.Context, userConfigPath string, options .. if !runtime.configuredFrom.conmonEnvVars { runtime.config.ConmonEnvVars = tmpConfig.ConmonEnvVars } + if !runtime.configuredFrom.initPath { + runtime.config.InitPath = tmpConfig.InitPath + } if !runtime.configuredFrom.ociRuntimes { runtime.config.OCIRuntimes = tmpConfig.OCIRuntimes } @@ -823,12 +841,21 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (err error) { } } + supportsJSON := false + for _, r := range runtime.config.RuntimeSupportsJSON { + if r == runtime.config.OCIRuntime { + supportsJSON = true + break + } + } + // Make an OCI runtime to perform container operations ociRuntime, err := newOCIRuntime(runtime.ociRuntimePath, runtime.conmonPath, runtime.config.ConmonEnvVars, runtime.config.CgroupManager, runtime.config.TmpDir, runtime.config.MaxLogSize, runtime.config.NoPivotRoot, - runtime.config.EnablePortReservation) + runtime.config.EnablePortReservation, + supportsJSON) if err != nil { return err } diff --git a/libpod/runtime_cstorage.go b/libpod/runtime_cstorage.go new file mode 100644 index 000000000..569f63322 --- /dev/null +++ b/libpod/runtime_cstorage.go @@ -0,0 +1,118 @@ +package libpod + +import ( + "github.com/containers/storage" + "github.com/pkg/errors" + "github.com/sirupsen/logrus" +) + +// StorageContainer represents a container present in c/storage but not in +// libpod. +type StorageContainer struct { + ID string + Names []string + PresentInLibpod bool +} + +// ListStorageContainers lists all containers visible to c/storage. +func (r *Runtime) ListStorageContainers() ([]*StorageContainer, error) { + r.lock.RLock() + defer r.lock.RUnlock() + + finalCtrs := []*StorageContainer{} + + ctrs, err := r.store.Containers() + if err != nil { + return nil, err + } + + for _, ctr := range ctrs { + storageCtr := new(StorageContainer) + storageCtr.ID = ctr.ID + storageCtr.Names = ctr.Names + + // Look up if container is in state + hasCtr, err := r.state.HasContainer(ctr.ID) + if err != nil { + return nil, errors.Wrapf(err, "error looking up container %s in state", ctr.ID) + } + + storageCtr.PresentInLibpod = hasCtr + + finalCtrs = append(finalCtrs, storageCtr) + } + + return finalCtrs, nil +} + +// RemoveStorageContainer removes a container from c/storage. +// The container WILL NOT be removed if it exists in libpod. +// Accepts ID or full name of container. +// If force is set, the container will be unmounted first to ensure removal. +func (r *Runtime) RemoveStorageContainer(idOrName string, force bool) error { + r.lock.Lock() + defer r.lock.Unlock() + + targetID, err := r.store.Lookup(idOrName) + if err != nil { + if err == storage.ErrLayerUnknown { + return errors.Wrapf(ErrNoSuchCtr, "no container with ID or name %q found", idOrName) + } + return errors.Wrapf(err, "error looking up container %q", idOrName) + } + + // Lookup returns an ID but it's not guaranteed to be a container ID. + // So we can still error here. + ctr, err := r.store.Container(targetID) + if err != nil { + if err == storage.ErrContainerUnknown { + return errors.Wrapf(ErrNoSuchCtr, "%q does not refer to a container", idOrName) + } + return errors.Wrapf(err, "error retrieving container %q", idOrName) + } + + // Error out if the container exists in libpod + exists, err := r.state.HasContainer(ctr.ID) + if err != nil { + return err + } + if exists { + return errors.Wrapf(ErrCtrExists, "refusing to remove %q as it exists in libpod as container %s", idOrName, ctr.ID) + } + + if !force { + timesMounted, err := r.store.Mounted(ctr.ID) + if err != nil { + if err == storage.ErrContainerUnknown { + // Container was removed from under us. + // It's gone, so don't bother erroring. + logrus.Warnf("Storage for container %s already removed", ctr.ID) + return nil + } + return errors.Wrapf(err, "error looking up container %q mounts", idOrName) + } + if timesMounted > 0 { + return errors.Wrapf(ErrCtrStateInvalid, "container %q is mounted and cannot be removed without using force", idOrName) + } + } else { + if _, err := r.store.Unmount(ctr.ID, true); err != nil { + if err == storage.ErrContainerUnknown { + // Container again gone, no error + logrus.Warnf("Storage for container %s already removed", ctr.ID) + return nil + } + return errors.Wrapf(err, "error unmounting container %q", idOrName) + } + } + + if err := r.store.DeleteContainer(ctr.ID); err != nil { + if err == storage.ErrContainerUnknown { + // Container again gone, no error + logrus.Warnf("Storage for container %s already removed", ctr.ID) + return nil + } + return errors.Wrapf(err, "error removing storage for container %q", idOrName) + } + + return nil +} diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go index 0c8d3edab..0871b83a7 100644 --- a/libpod/runtime_ctr.go +++ b/libpod/runtime_ctr.go @@ -9,11 +9,10 @@ import ( "time" "github.com/containers/libpod/libpod/events" - "github.com/containers/libpod/libpod/image" "github.com/containers/libpod/pkg/rootless" - "github.com/containers/storage" "github.com/containers/storage/pkg/stringid" spec "github.com/opencontainers/runtime-spec/specs-go" + "github.com/opencontainers/runtime-tools/generate" opentracing "github.com/opentracing/opentracing-go" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -34,7 +33,7 @@ type CtrCreateOption func(*Container) error // A true return will include the container, a false return will exclude it. type ContainerFilter func(*Container) bool -// NewContainer creates a new container from a given OCI config +// NewContainer creates a new container from a given OCI config. func (r *Runtime) NewContainer(ctx context.Context, rSpec *spec.Spec, options ...CtrCreateOption) (c *Container, err error) { r.lock.Lock() defer r.lock.Unlock() @@ -44,20 +43,46 @@ func (r *Runtime) NewContainer(ctx context.Context, rSpec *spec.Spec, options .. return r.newContainer(ctx, rSpec, options...) } -func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options ...CtrCreateOption) (c *Container, err error) { - span, _ := opentracing.StartSpanFromContext(ctx, "newContainer") - span.SetTag("type", "runtime") - defer span.Finish() +// RestoreContainer re-creates a container from an imported checkpoint +func (r *Runtime) RestoreContainer(ctx context.Context, rSpec *spec.Spec, config *ContainerConfig) (c *Container, err error) { + r.lock.Lock() + defer r.lock.Unlock() + if !r.valid { + return nil, ErrRuntimeStopped + } + + ctr, err := r.initContainerVariables(rSpec, config) + if err != nil { + return nil, errors.Wrapf(err, "error initializing container variables") + } + return r.setupContainer(ctx, ctr, true) +} +func (r *Runtime) initContainerVariables(rSpec *spec.Spec, config *ContainerConfig) (c *Container, err error) { if rSpec == nil { return nil, errors.Wrapf(ErrInvalidArg, "must provide a valid runtime spec to create container") } - ctr := new(Container) ctr.config = new(ContainerConfig) ctr.state = new(ContainerState) - ctr.config.ID = stringid.GenerateNonCryptoID() + if config == nil { + ctr.config.ID = stringid.GenerateNonCryptoID() + ctr.config.ShmSize = DefaultShmSize + } else { + // This is a restore from an imported checkpoint + if err := JSONDeepCopy(config, ctr.config); err != nil { + return nil, errors.Wrapf(err, "error copying container config for restore") + } + // If the ID is empty a new name for the restored container was requested + if ctr.config.ID == "" { + ctr.config.ID = stringid.GenerateNonCryptoID() + // Fixup ExitCommand with new ID + ctr.config.ExitCommand[len(ctr.config.ExitCommand)-1] = ctr.config.ID + } + // Reset the log path to point to the default + ctr.config.LogPath = "" + } ctr.config.Spec = new(spec.Spec) if err := JSONDeepCopy(rSpec, ctr.config.Spec); err != nil { @@ -65,8 +90,6 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options .. } ctr.config.CreatedTime = time.Now() - ctr.config.ShmSize = DefaultShmSize - ctr.state.BindMounts = make(map[string]string) ctr.config.StopTimeout = CtrRemoveTimeout @@ -80,12 +103,29 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options .. } ctr.runtime = r + + return ctr, nil +} + +func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options ...CtrCreateOption) (c *Container, err error) { + span, _ := opentracing.StartSpanFromContext(ctx, "newContainer") + span.SetTag("type", "runtime") + defer span.Finish() + + ctr, err := r.initContainerVariables(rSpec, nil) + if err != nil { + return nil, errors.Wrapf(err, "error initializing container variables") + } + for _, option := range options { if err := option(ctr); err != nil { return nil, errors.Wrapf(err, "error running container create option") } } + return r.setupContainer(ctx, ctr, false) +} +func (r *Runtime) setupContainer(ctx context.Context, ctr *Container, restore bool) (c *Container, err error) { // Allocate a lock for the container lock, err := r.lockManager.AllocateLock() if err != nil { @@ -154,6 +194,19 @@ func (r *Runtime) newContainer(ctx context.Context, rSpec *spec.Spec, options .. return nil, errors.Wrapf(ErrInvalidArg, "unsupported CGroup manager: %s - cannot validate cgroup parent", r.config.CgroupManager) } + if restore { + // Remove information about bind mount + // for new container from imported checkpoint + g := generate.Generator{Config: ctr.config.Spec} + g.RemoveMount("/dev/shm") + ctr.config.ShmDir = "" + g.RemoveMount("/etc/resolv.conf") + g.RemoveMount("/etc/hostname") + g.RemoveMount("/etc/hosts") + g.RemoveMount("/run/.containerenv") + g.RemoveMount("/run/secrets") + } + // Set up storage for the container if err := ctr.setupStorage(ctx); err != nil { return nil, err @@ -559,16 +612,3 @@ func (r *Runtime) GetLatestContainer() (*Container, error) { } return ctrs[lastCreatedIndex], nil } - -// RemoveContainersFromStorage attempt to remove containers from storage that do not exist in libpod database -func (r *Runtime) RemoveContainersFromStorage(ctrs []string) { - for _, i := range ctrs { - // if the container does not exist in database, attempt to remove it from storage - if _, err := r.LookupContainer(i); err != nil && errors.Cause(err) == image.ErrNoSuchCtr { - r.storageService.UnmountContainerImage(i, true) - if err := r.storageService.DeleteContainer(i); err != nil && errors.Cause(err) != storage.ErrContainerUnknown { - logrus.Errorf("Failed to remove container %q from storage: %s", i, err) - } - } - } -} diff --git a/libpod/volume.go b/libpod/volume.go index 0b37d44ef..9ed2ff087 100644 --- a/libpod/volume.go +++ b/libpod/volume.go @@ -10,7 +10,6 @@ type Volume struct { } // VolumeConfig holds the volume's config information -//easyjson:json type VolumeConfig struct { // Name of the volume Name string `json:"name"` diff --git a/pkg/adapter/checkpoint_restore.go b/pkg/adapter/checkpoint_restore.go new file mode 100644 index 000000000..97ba5ecf7 --- /dev/null +++ b/pkg/adapter/checkpoint_restore.go @@ -0,0 +1,145 @@ +// +build !remoteclient + +package adapter + +import ( + "context" + "github.com/containers/libpod/libpod" + "github.com/containers/libpod/libpod/image" + "github.com/containers/storage/pkg/archive" + jsoniter "github.com/json-iterator/go" + spec "github.com/opencontainers/runtime-spec/specs-go" + "github.com/pkg/errors" + "io" + "io/ioutil" + "os" + "path/filepath" +) + +// Prefixing the checkpoint/restore related functions with 'cr' + +// crImportFromJSON imports the JSON files stored in the exported +// checkpoint tarball +func crImportFromJSON(filePath string, v interface{}) error { + jsonFile, err := os.Open(filePath) + if err != nil { + return errors.Wrapf(err, "Failed to open container definition %s for restore", filePath) + } + defer jsonFile.Close() + + content, err := ioutil.ReadAll(jsonFile) + if err != nil { + return errors.Wrapf(err, "Failed to read container definition %s for restore", filePath) + } + json := jsoniter.ConfigCompatibleWithStandardLibrary + if err = json.Unmarshal([]byte(content), v); err != nil { + return errors.Wrapf(err, "Failed to unmarshal container definition %s for restore", filePath) + } + + return nil +} + +// crImportCheckpoint it the function which imports the information +// from checkpoint tarball and re-creates the container from that information +func crImportCheckpoint(ctx context.Context, runtime *libpod.Runtime, input string, name string) ([]*libpod.Container, error) { + // First get the container definition from the + // tarball to a temporary directory + archiveFile, err := os.Open(input) + if err != nil { + return nil, errors.Wrapf(err, "Failed to open checkpoint archive %s for import", input) + } + defer archiveFile.Close() + options := &archive.TarOptions{ + // Here we only need the files config.dump and spec.dump + ExcludePatterns: []string{ + "checkpoint", + "artifacts", + "ctr.log", + "network.status", + }, + } + dir, err := ioutil.TempDir("", "checkpoint") + if err != nil { + return nil, err + } + defer os.RemoveAll(dir) + err = archive.Untar(archiveFile, dir, options) + if err != nil { + return nil, errors.Wrapf(err, "Unpacking of checkpoint archive %s failed", input) + } + + // Load spec.dump from temporary directory + spec := new(spec.Spec) + if err := crImportFromJSON(filepath.Join(dir, "spec.dump"), spec); err != nil { + return nil, err + } + + // Load config.dump from temporary directory + config := new(libpod.ContainerConfig) + if err = crImportFromJSON(filepath.Join(dir, "config.dump"), config); err != nil { + return nil, err + } + + // This should not happen as checkpoints with these options are not exported. + if (len(config.Dependencies) > 0) || (len(config.NamedVolumes) > 0) { + return nil, errors.Errorf("Cannot import checkpoints of containers with named volumes or dependencies") + } + + ctrID := config.ID + newName := false + + // Check if the restored container gets a new name + if name != "" { + config.ID = "" + config.Name = name + newName = true + } + + ctrName := config.Name + + // The code to load the images is copied from create.go + var writer io.Writer + // In create.go this only set if '--quiet' does not exist. + writer = os.Stderr + rtc, err := runtime.GetConfig() + if err != nil { + return nil, err + } + + _, err = runtime.ImageRuntime().New(ctx, config.RootfsImageName, rtc.SignaturePolicyPath, "", writer, nil, image.SigningOptions{}, false, nil) + if err != nil { + return nil, err + } + + // Now create a new container from the just loaded information + container, err := runtime.RestoreContainer(ctx, spec, config) + if err != nil { + return nil, err + } + + var containers []*libpod.Container + if container == nil { + return nil, nil + } + + containerConfig := container.Config() + if containerConfig.Name != ctrName { + return nil, errors.Errorf("Name of restored container (%s) does not match requested name (%s)", containerConfig.Name, ctrName) + } + + if newName == false { + // Only check ID for a restore with the same name. + // Using -n to request a new name for the restored container, will also create a new ID + if containerConfig.ID != ctrID { + return nil, errors.Errorf("ID of restored container (%s) does not match requested ID (%s)", containerConfig.ID, ctrID) + } + } + + // Check if the ExitCommand points to the correct container ID + if containerConfig.ExitCommand[len(containerConfig.ExitCommand)-1] != containerConfig.ID { + return nil, errors.Errorf("'ExitCommandID' uses ID %s instead of container ID %s", containerConfig.ExitCommand[len(containerConfig.ExitCommand)-1], containerConfig.ID) + } + + containers = append(containers, container) + return containers, nil +} diff --git a/pkg/adapter/client.go b/pkg/adapter/client.go index 01914834f..69aa3220a 100644 --- a/pkg/adapter/client.go +++ b/pkg/adapter/client.go @@ -6,42 +6,52 @@ import ( "fmt" "os" + "github.com/containers/libpod/cmd/podman/remoteclientconfig" "github.com/pkg/errors" + "github.com/sirupsen/logrus" "github.com/varlink/go/varlink" ) var remoteEndpoint *Endpoint func (r RemoteRuntime) RemoteEndpoint() (remoteEndpoint *Endpoint, err error) { - if remoteEndpoint == nil { - remoteEndpoint = &Endpoint{Unknown, ""} - } else { - return remoteEndpoint, nil - } + remoteConfigConnections, _ := remoteclientconfig.ReadRemoteConfig(r.config) - // I'm leaving this here for now as a document of the birdge format. It can be removed later once the bridge - // function is more flushed out. - // bridge := `ssh -T root@192.168.122.1 "/usr/bin/varlink -A '/usr/bin/podman varlink \$VARLINK_ADDRESS' bridge"` - if len(r.cmd.RemoteHost) > 0 { - // The user has provided a remote host endpoint + // If the user defines an env variable for podman_varlink_bridge + // we use that as passed. + if bridge := os.Getenv("PODMAN_VARLINK_BRIDGE"); bridge != "" { + logrus.Debug("creating a varlink bridge based on env variable") + remoteEndpoint, err = newBridgeConnection(bridge, nil, r.cmd.LogLevel) + // if an environment variable for podman_varlink_address is defined, + // we used that as passed + } else if address := os.Getenv("PODMAN_VARLINK_ADDRESS"); address != "" { + logrus.Debug("creating a varlink address based on env variable: %s", address) + remoteEndpoint, err = newSocketConnection(address) + // if the user provides a remote host, we use it to configure a bridge connection + } else if len(r.cmd.RemoteHost) > 0 { + logrus.Debug("creating a varlink bridge based on user input") if len(r.cmd.RemoteUserName) < 1 { return nil, errors.New("you must provide a username when providing a remote host name") } - remoteEndpoint.Type = BridgeConnection - remoteEndpoint.Connection = fmt.Sprintf( - `ssh -T %s@%s /usr/bin/varlink -A \'/usr/bin/podman --log-level=%s varlink \\\$VARLINK_ADDRESS\' bridge`, - r.cmd.RemoteUserName, r.cmd.RemoteHost, r.cmd.LogLevel) - - } else if bridge := os.Getenv("PODMAN_VARLINK_BRIDGE"); bridge != "" { - remoteEndpoint.Type = BridgeConnection - remoteEndpoint.Connection = bridge - } else { - address := os.Getenv("PODMAN_VARLINK_ADDRESS") - if address == "" { - address = DefaultAddress + rc := remoteclientconfig.RemoteConnection{r.cmd.RemoteHost, r.cmd.RemoteUserName, false} + remoteEndpoint, err = newBridgeConnection("", &rc, r.cmd.LogLevel) + // if the user has a config file with connections in it + } else if len(remoteConfigConnections.Connections) > 0 { + logrus.Debug("creating a varlink bridge based configuration file") + var rc *remoteclientconfig.RemoteConnection + if len(r.cmd.ConnectionName) > 0 { + rc, err = remoteConfigConnections.GetRemoteConnection(r.cmd.ConnectionName) + } else { + rc, err = remoteConfigConnections.GetDefault() + } + if err != nil { + return nil, err } - remoteEndpoint.Type = DirectConnection - remoteEndpoint.Connection = address + remoteEndpoint, err = newBridgeConnection("", rc, r.cmd.LogLevel) + // last resort is to make a socket connection with the default varlink address for root user + } else { + logrus.Debug("creating a varlink address based default root address") + remoteEndpoint, err = newSocketConnection(DefaultAddress) } return } @@ -72,3 +82,12 @@ func (r RemoteRuntime) RefreshConnection() error { r.Conn = newConn return nil } + +// newSocketConnection returns an endpoint for a uds based connection +func newSocketConnection(address string) (*Endpoint, error) { + endpoint := Endpoint{ + Type: DirectConnection, + Connection: address, + } + return &endpoint, nil +} diff --git a/pkg/adapter/client_unix.go b/pkg/adapter/client_unix.go new file mode 100644 index 000000000..e0406567c --- /dev/null +++ b/pkg/adapter/client_unix.go @@ -0,0 +1,30 @@ +// +build linux darwin +// +build remoteclient + +package adapter + +import ( + "fmt" + + "github.com/containers/libpod/cmd/podman/remoteclientconfig" + "github.com/pkg/errors" +) + +// newBridgeConnection creates a bridge type endpoint with username, destination, and log-level +func newBridgeConnection(formattedBridge string, remoteConn *remoteclientconfig.RemoteConnection, logLevel string) (*Endpoint, error) { + endpoint := Endpoint{ + Type: BridgeConnection, + } + + if len(formattedBridge) < 1 && remoteConn == nil { + return nil, errors.New("bridge connections must either be created by string or remoteconnection") + } + if len(formattedBridge) > 0 { + endpoint.Connection = formattedBridge + return &endpoint, nil + } + endpoint.Connection = fmt.Sprintf( + `ssh -T %s@%s -- /usr/bin/varlink -A \'/usr/bin/podman --log-level=%s varlink \\\$VARLINK_ADDRESS\' bridge`, + remoteConn.Username, remoteConn.Destination, logLevel) + return &endpoint, nil +} diff --git a/pkg/adapter/client_windows.go b/pkg/adapter/client_windows.go new file mode 100644 index 000000000..088550667 --- /dev/null +++ b/pkg/adapter/client_windows.go @@ -0,0 +1,15 @@ +// +build remoteclient + +package adapter + +import ( + "github.com/containers/libpod/cmd/podman/remoteclientconfig" + "github.com/containers/libpod/libpod" +) + +func newBridgeConnection(formattedBridge string, remoteConn *remoteclientconfig.RemoteConnection, logLevel string) (*Endpoint, error) { + // TODO + // Unix and Windows appear to quote their ssh implementations differently therefore once we figure out what + // windows ssh is doing here, we can then get the format correct. + return nil, libpod.ErrNotImplemented +} diff --git a/pkg/adapter/containers.go b/pkg/adapter/containers.go index 34ee70d3d..40b1e6b43 100644 --- a/pkg/adapter/containers.go +++ b/pkg/adapter/containers.go @@ -190,12 +190,18 @@ func (r *LocalRuntime) RemoveContainers(ctx context.Context, cli *cliconfig.RmVa } logrus.Debugf("Setting maximum rm workers to %d", maxWorkers) + if cli.Storage { + for _, ctr := range cli.InputArgs { + if err := r.RemoveStorageContainer(ctr, cli.Force); err != nil { + failures[ctr] = err + } + ok = append(ok, ctr) + } + return ok, failures, nil + } + ctrs, err := shortcuts.GetContainersByContext(cli.All, cli.Latest, cli.InputArgs, r.Runtime) if err != nil { - // Force may be used to remove containers no longer found in the database - if cli.Force && len(cli.InputArgs) > 0 && errors.Cause(err) == libpod.ErrNoSuchCtr { - r.RemoveContainersFromStorage(cli.InputArgs) - } return ok, failures, err } @@ -526,7 +532,7 @@ func (r *LocalRuntime) Checkpoint(c *cliconfig.CheckpointValues, options libpod. } // Restore one or more containers -func (r *LocalRuntime) Restore(c *cliconfig.RestoreValues, options libpod.ContainerCheckpointOptions) error { +func (r *LocalRuntime) Restore(ctx context.Context, c *cliconfig.RestoreValues, options libpod.ContainerCheckpointOptions) error { var ( containers []*libpod.Container err, lastError error @@ -538,7 +544,9 @@ func (r *LocalRuntime) Restore(c *cliconfig.RestoreValues, options libpod.Contai return state == libpod.ContainerStateExited }) - if c.All { + if c.Import != "" { + containers, err = crImportCheckpoint(ctx, r.Runtime, c.Import, c.Name) + } else if c.All { containers, err = r.GetContainers(filterFuncs...) } else { containers, err = shortcuts.GetContainersByContext(false, c.Latest, c.InputArgs, r.Runtime) diff --git a/pkg/adapter/containers_remote.go b/pkg/adapter/containers_remote.go index bc6a9cfcd..cf0b90b3a 100644 --- a/pkg/adapter/containers_remote.go +++ b/pkg/adapter/containers_remote.go @@ -16,7 +16,6 @@ import ( "github.com/containers/libpod/cmd/podman/shared" iopodman "github.com/containers/libpod/cmd/podman/varlink" "github.com/containers/libpod/libpod" - "github.com/containers/libpod/pkg/inspect" "github.com/containers/libpod/pkg/varlinkapi/virtwriter" "github.com/cri-o/ocicni/pkg/ocicni" "github.com/docker/docker/pkg/term" @@ -29,12 +28,12 @@ import ( ) // Inspect returns an inspect struct from varlink -func (c *Container) Inspect(size bool) (*inspect.ContainerInspectData, error) { +func (c *Container) Inspect(size bool) (*libpod.InspectContainerData, error) { reply, err := iopodman.ContainerInspectData().Call(c.Runtime.Conn, c.ID(), size) if err != nil { return nil, err } - data := inspect.ContainerInspectData{} + data := libpod.InspectContainerData{} if err := json.Unmarshal([]byte(reply), &data); err != nil { return nil, err } @@ -664,6 +663,10 @@ func (r *LocalRuntime) Attach(ctx context.Context, c *cliconfig.AttachValues) er // Checkpoint one or more containers func (r *LocalRuntime) Checkpoint(c *cliconfig.CheckpointValues, options libpod.ContainerCheckpointOptions) error { + if c.Export != "" { + return errors.New("the remote client does not support exporting checkpoints") + } + var lastError error ids, err := iopodman.GetContainersByContext().Call(r.Conn, c.All, c.Latest, c.InputArgs) if err != nil { @@ -699,7 +702,11 @@ func (r *LocalRuntime) Checkpoint(c *cliconfig.CheckpointValues, options libpod. } // Restore one or more containers -func (r *LocalRuntime) Restore(c *cliconfig.RestoreValues, options libpod.ContainerCheckpointOptions) error { +func (r *LocalRuntime) Restore(ctx context.Context, c *cliconfig.RestoreValues, options libpod.ContainerCheckpointOptions) error { + if c.Import != "" { + return errors.New("the remote client does not support importing checkpoints") + } + var lastError error ids, err := iopodman.GetContainersByContext().Call(r.Conn, c.All, c.Latest, c.InputArgs) if err != nil { diff --git a/pkg/adapter/runtime_remote.go b/pkg/adapter/runtime_remote.go index e0c0898bd..a1d358f68 100644 --- a/pkg/adapter/runtime_remote.go +++ b/pkg/adapter/runtime_remote.go @@ -20,6 +20,7 @@ import ( "github.com/containers/image/docker/reference" "github.com/containers/image/types" "github.com/containers/libpod/cmd/podman/cliconfig" + "github.com/containers/libpod/cmd/podman/remoteclientconfig" "github.com/containers/libpod/cmd/podman/varlink" "github.com/containers/libpod/libpod" "github.com/containers/libpod/libpod/events" @@ -40,6 +41,7 @@ type RemoteRuntime struct { Conn *varlink.Connection Remote bool cmd cliconfig.MainFlags + config io.Reader } // LocalRuntime describes a typical libpod runtime @@ -49,10 +51,35 @@ type LocalRuntime struct { // GetRuntime returns a LocalRuntime struct with the actual runtime embedded in it func GetRuntime(ctx context.Context, c *cliconfig.PodmanCommand) (*LocalRuntime, error) { + var ( + customConfig bool + err error + f *os.File + ) runtime := RemoteRuntime{ Remote: true, cmd: c.GlobalFlags, } + configPath := remoteclientconfig.GetConfigFilePath() + if len(c.GlobalFlags.RemoteConfigFilePath) > 0 { + configPath = c.GlobalFlags.RemoteConfigFilePath + customConfig = true + } + + f, err = os.Open(configPath) + if err != nil { + // If user does not explicitly provide a configuration file path and we cannot + // find a default, no error should occur. + if os.IsNotExist(err) && !customConfig { + logrus.Debugf("unable to load configuration file at %s", configPath) + runtime.config = nil + } else { + return nil, errors.Wrapf(err, "unable to load configuration file at %s", configPath) + } + } else { + // create the io reader for the remote client + runtime.config = bufio.NewReader(f) + } conn, err := runtime.Connect() if err != nil { return nil, err diff --git a/pkg/apparmor/apparmor_linux.go b/pkg/apparmor/apparmor_linux.go index 2c5022c1f..0d01f41e9 100644 --- a/pkg/apparmor/apparmor_linux.go +++ b/pkg/apparmor/apparmor_linux.go @@ -225,8 +225,13 @@ func CheckProfileAndLoadDefault(name string) (string, error) { } } - if name != "" && !runcaa.IsEnabled() { - return "", fmt.Errorf("profile %q specified but AppArmor is disabled on the host", name) + // Check if AppArmor is disabled and error out if a profile is to be set. + if !runcaa.IsEnabled() { + if name == "" { + return "", nil + } else { + return "", fmt.Errorf("profile %q specified but AppArmor is disabled on the host", name) + } } // If the specified name is not empty or is not a default libpod one, diff --git a/pkg/inspect/inspect.go b/pkg/inspect/inspect.go index 2082bb3a6..ec3d98613 100644 --- a/pkg/inspect/inspect.go +++ b/pkg/inspect/inspect.go @@ -3,110 +3,11 @@ package inspect import ( "time" - "github.com/containers/image/manifest" - "github.com/cri-o/ocicni/pkg/ocicni" - "github.com/docker/go-connections/nat" + "github.com/containers/libpod/libpod/driver" "github.com/opencontainers/go-digest" "github.com/opencontainers/image-spec/specs-go/v1" - "github.com/opencontainers/runtime-spec/specs-go" ) -// ContainerData holds the podman inspect data for a container -type ContainerData struct { - *ContainerInspectData - HostConfig *HostConfig `json:"HostConfig"` - Config *CtrConfig `json:"Config"` -} - -// HostConfig represents the host configuration for the container -type HostConfig struct { - ContainerIDFile string `json:"ContainerIDFile"` - LogConfig *LogConfig `json:"LogConfig"` //TODO - NetworkMode string `json:"NetworkMode"` - PortBindings nat.PortMap `json:"PortBindings"` //TODO - AutoRemove bool `json:"AutoRemove"` - CapAdd []string `json:"CapAdd"` - CapDrop []string `json:"CapDrop"` - DNS []string `json:"DNS"` - DNSOptions []string `json:"DNSOptions"` - DNSSearch []string `json:"DNSSearch"` - ExtraHosts []string `json:"ExtraHosts"` - GroupAdd []uint32 `json:"GroupAdd"` - IpcMode string `json:"IpcMode"` - Cgroup string `json:"Cgroup"` - OomScoreAdj *int `json:"OomScoreAdj"` - PidMode string `json:"PidMode"` - Privileged bool `json:"Privileged"` - PublishAllPorts bool `json:"PublishAllPorts"` //TODO - ReadOnlyRootfs bool `json:"ReadonlyRootfs"` - ReadOnlyTmpfs bool `json:"ReadonlyTmpfs"` - SecurityOpt []string `json:"SecurityOpt"` - UTSMode string `json:"UTSMode"` - UsernsMode string `json:"UsernsMode"` - ShmSize int64 `json:"ShmSize"` - Runtime string `json:"Runtime"` - ConsoleSize *specs.Box `json:"ConsoleSize"` - CPUShares *uint64 `json:"CpuShares"` - Memory int64 `json:"Memory"` - NanoCPUs int `json:"NanoCpus"` - CgroupParent string `json:"CgroupParent"` - BlkioWeight *uint16 `json:"BlkioWeight"` - BlkioWeightDevice []specs.LinuxWeightDevice `json:"BlkioWeightDevice"` - BlkioDeviceReadBps []specs.LinuxThrottleDevice `json:"BlkioDeviceReadBps"` - BlkioDeviceWriteBps []specs.LinuxThrottleDevice `json:"BlkioDeviceWriteBps"` - BlkioDeviceReadIOps []specs.LinuxThrottleDevice `json:"BlkioDeviceReadIOps"` - BlkioDeviceWriteIOps []specs.LinuxThrottleDevice `json:"BlkioDeviceWriteIOps"` - CPUPeriod *uint64 `json:"CpuPeriod"` - CPUQuota *int64 `json:"CpuQuota"` - CPURealtimePeriod *uint64 `json:"CpuRealtimePeriod"` - CPURealtimeRuntime *int64 `json:"CpuRealtimeRuntime"` - CPUSetCPUs string `json:"CpuSetCpus"` - CPUSetMems string `json:"CpuSetMems"` - Devices []specs.LinuxDevice `json:"Devices"` - DiskQuota int `json:"DiskQuota"` //check type, TODO - KernelMemory *int64 `json:"KernelMemory"` - MemoryReservation *int64 `json:"MemoryReservation"` - MemorySwap *int64 `json:"MemorySwap"` - MemorySwappiness *uint64 `json:"MemorySwappiness"` - OomKillDisable *bool `json:"OomKillDisable"` - PidsLimit *int64 `json:"PidsLimit"` - Ulimits []string `json:"Ulimits"` - CPUCount int `json:"CpuCount"` - CPUPercent int `json:"CpuPercent"` - IOMaximumIOps int `json:"IOMaximumIOps"` //check type, TODO - IOMaximumBandwidth int `json:"IOMaximumBandwidth"` //check type, TODO - Tmpfs []string `json:"Tmpfs"` -} - -// CtrConfig holds information about the container configuration -type CtrConfig struct { - Hostname string `json:"Hostname"` - DomainName string `json:"Domainname"` //TODO - User specs.User `json:"User"` - AttachStdin bool `json:"AttachStdin"` //TODO - AttachStdout bool `json:"AttachStdout"` //TODO - AttachStderr bool `json:"AttachStderr"` //TODO - Tty bool `json:"Tty"` - OpenStdin bool `json:"OpenStdin"` - StdinOnce bool `json:"StdinOnce"` //TODO - Env []string `json:"Env"` - Cmd []string `json:"Cmd"` - Image string `json:"Image"` - Volumes map[string]struct{} `json:"Volumes"` - WorkingDir string `json:"WorkingDir"` - Entrypoint string `json:"Entrypoint"` - Labels map[string]string `json:"Labels"` - Annotations map[string]string `json:"Annotations"` - StopSignal uint `json:"StopSignal"` - Healthcheck *manifest.Schema2HealthConfig `json:"Healthcheck,omitempty"` -} - -// LogConfig holds the log information for a container -type LogConfig struct { - Type string `json:"Type"` - Config map[string]string `json:"Config"` //idk type, TODO -} - // ImageData holds the inspect information of an image type ImageData struct { ID string `json:"Id"` @@ -123,7 +24,7 @@ type ImageData struct { Os string `json:"Os"` Size int64 `json:"Size"` VirtualSize int64 `json:"VirtualSize"` - GraphDriver *Data `json:"GraphDriver"` + GraphDriver *driver.Data `json:"GraphDriver"` RootFS *RootFS `json:"RootFS"` Labels map[string]string `json:"Labels"` Annotations map[string]string `json:"Annotations"` @@ -138,86 +39,6 @@ type RootFS struct { Layers []digest.Digest `json:"Layers"` } -// Data handles the data for a storage driver -type Data struct { - Name string `json:"Name"` - Data map[string]string `json:"Data"` -} - -// ContainerInspectData handles the data used when inspecting a container -type ContainerInspectData struct { - ID string `json:"ID"` - Created time.Time `json:"Created"` - Path string `json:"Path"` - Args []string `json:"Args"` - State *ContainerInspectState `json:"State"` - ImageID string `json:"Image"` - ImageName string `json:"ImageName"` - Rootfs string `json:"Rootfs"` - ResolvConfPath string `json:"ResolvConfPath"` - HostnamePath string `json:"HostnamePath"` - HostsPath string `json:"HostsPath"` - StaticDir string `json:"StaticDir"` - LogPath string `json:"LogPath"` - ConmonPidFile string `json:"ConmonPidFile"` - Name string `json:"Name"` - RestartCount int32 `json:"RestartCount"` - Driver string `json:"Driver"` - MountLabel string `json:"MountLabel"` - ProcessLabel string `json:"ProcessLabel"` - AppArmorProfile string `json:"AppArmorProfile"` - EffectiveCaps []string `json:"EffectiveCaps"` - BoundingCaps []string `json:"BoundingCaps"` - ExecIDs []string `json:"ExecIDs"` - GraphDriver *Data `json:"GraphDriver"` - SizeRw int64 `json:"SizeRw,omitempty"` - SizeRootFs int64 `json:"SizeRootFs,omitempty"` - Mounts []specs.Mount `json:"Mounts"` - Dependencies []string `json:"Dependencies"` - NetworkSettings *NetworkSettings `json:"NetworkSettings"` //TODO - ExitCommand []string `json:"ExitCommand"` - Namespace string `json:"Namespace"` - IsInfra bool `json:"IsInfra"` -} - -// ContainerInspectState represents the state of a container. -type ContainerInspectState struct { - OciVersion string `json:"OciVersion"` - Status string `json:"Status"` - Running bool `json:"Running"` - Paused bool `json:"Paused"` - Restarting bool `json:"Restarting"` // TODO - OOMKilled bool `json:"OOMKilled"` - Dead bool `json:"Dead"` - Pid int `json:"Pid"` - ExitCode int32 `json:"ExitCode"` - Error string `json:"Error"` // TODO - StartedAt time.Time `json:"StartedAt"` - FinishedAt time.Time `json:"FinishedAt"` - Healthcheck HealthCheckResults `json:"Healthcheck,omitempty"` -} - -// NetworkSettings holds information about the newtwork settings of the container -type NetworkSettings struct { - Bridge string `json:"Bridge"` - SandboxID string `json:"SandboxID"` - HairpinMode bool `json:"HairpinMode"` - LinkLocalIPv6Address string `json:"LinkLocalIPv6Address"` - LinkLocalIPv6PrefixLen int `json:"LinkLocalIPv6PrefixLen"` - Ports []ocicni.PortMapping `json:"Ports"` - SandboxKey string `json:"SandboxKey"` - SecondaryIPAddresses []string `json:"SecondaryIPAddresses"` - SecondaryIPv6Addresses []string `json:"SecondaryIPv6Addresses"` - EndpointID string `json:"EndpointID"` - Gateway string `json:"Gateway"` - GlobalIPv6Address string `json:"GlobalIPv6Address"` - GlobalIPv6PrefixLen int `json:"GlobalIPv6PrefixLen"` - IPAddress string `json:"IPAddress"` - IPPrefixLen int `json:"IPPrefixLen"` - IPv6Gateway string `json:"IPv6Gateway"` - MacAddress string `json:"MacAddress"` -} - // ImageResult is used for podman images for collection and output type ImageResult struct { Tag string @@ -232,25 +53,3 @@ type ImageResult struct { Labels map[string]string Dangling bool } - -// HealthCheckResults describes the results/logs from a healthcheck -type HealthCheckResults struct { - // Status healthy or unhealthy - Status string `json:"Status"` - // FailingStreak is the number of consecutive failed healthchecks - FailingStreak int `json:"FailingStreak"` - // Log describes healthcheck attempts and results - Log []HealthCheckLog `json:"Log"` -} - -// HealthCheckLog describes the results of a single healthcheck -type HealthCheckLog struct { - // Start time as string - Start string `json:"Start"` - // End time as a string - End string `json:"End"` - // Exitcode is 0 or 1 - ExitCode int `json:"ExitCode"` - // Output is the stdout/stderr from the healthcheck command - Output string `json:"Output"` -} diff --git a/pkg/registries/registries.go b/pkg/registries/registries.go index 5c4ecd020..de63dcbf1 100644 --- a/pkg/registries/registries.go +++ b/pkg/registries/registries.go @@ -44,17 +44,7 @@ func getRegistries() ([]sysregistriesv2.Registry, error) { // GetRegistries obtains the list of search registries defined in the global registries file. func GetRegistries() ([]string, error) { - var searchRegistries []string - registries, err := getRegistries() - if err != nil { - return nil, err - } - for _, reg := range registries { - if reg.Search { - searchRegistries = append(searchRegistries, reg.Location) - } - } - return searchRegistries, nil + return sysregistriesv2.UnqualifiedSearchRegistries(&types.SystemContext{SystemRegistriesConfPath: SystemRegistriesConfPath()}) } // GetBlockedRegistries obtains the list of blocked registries defined in the global registries file. @@ -66,7 +56,7 @@ func GetBlockedRegistries() ([]string, error) { } for _, reg := range registries { if reg.Blocked { - blockedRegistries = append(blockedRegistries, reg.Location) + blockedRegistries = append(blockedRegistries, reg.Prefix) } } return blockedRegistries, nil @@ -81,7 +71,7 @@ func GetInsecureRegistries() ([]string, error) { } for _, reg := range registries { if reg.Insecure { - insecureRegistries = append(insecureRegistries, reg.Location) + insecureRegistries = append(insecureRegistries, reg.Prefix) } } return insecureRegistries, nil diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c index a2425c83e..eb62d55e9 100644 --- a/pkg/rootless/rootless_linux.c +++ b/pkg/rootless/rootless_linux.c @@ -489,6 +489,7 @@ reexec_userns_join (int userns, int mountns, char *pause_pid_file_path) char **argv; int pid; char *cwd = getcwd (NULL, 0); + sigset_t sigset, oldsigset; if (cwd == NULL) { @@ -522,6 +523,22 @@ reexec_userns_join (int userns, int mountns, char *pause_pid_file_path) return pid; } + if (sigfillset (&sigset) < 0) + { + fprintf (stderr, "cannot fill sigset: %s\n", strerror (errno)); + _exit (EXIT_FAILURE); + } + if (sigdelset (&sigset, SIGCHLD) < 0) + { + fprintf (stderr, "cannot sigdelset(SIGCHLD): %s\n", strerror (errno)); + _exit (EXIT_FAILURE); + } + if (sigprocmask (SIG_BLOCK, &sigset, &oldsigset) < 0) + { + fprintf (stderr, "cannot block signals: %s\n", strerror (errno)); + _exit (EXIT_FAILURE); + } + setenv ("_CONTAINERS_USERNS_CONFIGURED", "init", 1); setenv ("_CONTAINERS_ROOTLESS_UID", uid, 1); setenv ("_CONTAINERS_ROOTLESS_GID", gid, 1); @@ -570,6 +587,11 @@ reexec_userns_join (int userns, int mountns, char *pause_pid_file_path) /* We ignore errors here as we didn't create the namespace anyway. */ create_pause_process (pause_pid_file_path, argv); } + if (sigprocmask (SIG_SETMASK, &oldsigset, NULL) < 0) + { + fprintf (stderr, "cannot block signals: %s\n", strerror (errno)); + _exit (EXIT_FAILURE); + } execvp (argv[0], argv); diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index d302b1777..3f78ffc67 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -24,6 +24,7 @@ import ( /* #cgo remoteclient CFLAGS: -DDISABLE_JOIN_SHORTCUT #include <stdlib.h> +#include <sys/types.h> extern uid_t rootless_uid(); extern uid_t rootless_gid(); extern int reexec_in_user_namespace(int ready, char *pause_pid_file_path, char *file_to_read, int fd); @@ -169,6 +170,9 @@ func getUserNSFirstChild(fd uintptr) (*os.File, error) { for { nextFd, err := getParentUserNs(fd) if err != nil { + if err == syscall.ENOTTY { + return os.NewFile(fd, "userns child"), nil + } return nil, errors.Wrapf(err, "cannot get parent user namespace") } diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go index e4501aaac..a8413d6c7 100644 --- a/pkg/spec/createconfig.go +++ b/pkg/spec/createconfig.go @@ -162,6 +162,10 @@ func (c *CreateConfig) createExitCommand(runtime *libpod.Runtime) ([]string, err if config.StorageConfig.GraphDriverName != "" { command = append(command, []string{"--storage-driver", config.StorageConfig.GraphDriverName}...) } + for _, opt := range config.StorageConfig.GraphDriverOptions { + command = append(command, []string{"--storage-opt", opt}...) + } + if c.Syslog { command = append(command, "--syslog", "true") } @@ -320,7 +324,9 @@ func (c *CreateConfig) getContainerCreateOptions(runtime *libpod.Runtime, pod *l options = append(options, libpod.WithLogPath(logPath)) } - options = append(options, libpod.WithLogDriver(c.LogDriver)) + if c.LogDriver != "" { + options = append(options, libpod.WithLogDriver(c.LogDriver)) + } if c.IPAddress != "" { ip := net.ParseIP(c.IPAddress) diff --git a/pkg/spec/storage.go b/pkg/spec/storage.go index e221b5cb5..283585ef8 100644 --- a/pkg/spec/storage.go +++ b/pkg/spec/storage.go @@ -384,7 +384,7 @@ func (config *CreateConfig) getMounts() (map[string]spec.Mount, map[string]*libp } finalNamedVolumes[volume.Dest] = volume default: - return nil, nil, errors.Errorf("invalid fylesystem type %q", kv[1]) + return nil, nil, errors.Errorf("invalid filesystem type %q", kv[1]) } } @@ -403,6 +403,8 @@ func getBindMount(args []string) (spec.Mount, error) { for _, val := range args { kv := strings.Split(val, "=") switch kv[0] { + case "bind-nonrecursive": + newMount.Options = append(newMount.Options, "bind") case "ro", "nosuid", "nodev", "noexec": // TODO: detect duplication of these options. // (Is this necessary?) @@ -574,7 +576,7 @@ func ValidateVolumeCtrDir(ctrDir string) error { // ValidateVolumeOpts validates a volume's options func ValidateVolumeOpts(options []string) error { - var foundRootPropagation, foundRWRO, foundLabelChange int + var foundRootPropagation, foundRWRO, foundLabelChange, bindType int for _, opt := range options { switch opt { case "rw", "ro": @@ -592,6 +594,11 @@ func ValidateVolumeOpts(options []string) error { if foundRootPropagation > 1 { return errors.Errorf("invalid options %q, can only specify 1 '[r]shared', '[r]private' or '[r]slave' option", strings.Join(options, ", ")) } + case "bind", "rbind": + bindType++ + if bindType > 1 { + return errors.Errorf("invalid options %q, can only specify 1 '[r]bind' option", strings.Join(options, ", ")) + } default: return errors.Errorf("invalid option type %q", opt) } diff --git a/pkg/util/mountOpts.go b/pkg/util/mountOpts.go index 59459807c..489e7eeef 100644 --- a/pkg/util/mountOpts.go +++ b/pkg/util/mountOpts.go @@ -17,10 +17,19 @@ var ( // sensible and follow convention. func ProcessOptions(options []string) []string { var ( - foundrw, foundro bool - rootProp string + foundbind, foundrw, foundro bool + rootProp string ) - options = append(options, "rbind") + for _, opt := range options { + switch opt { + case "bind", "rbind": + foundbind = true + break + } + } + if !foundbind { + options = append(options, "rbind") + } for _, opt := range options { switch opt { case "rw": diff --git a/pkg/util/utils.go b/pkg/util/utils.go index a074f276c..61cdbbf38 100644 --- a/pkg/util/utils.go +++ b/pkg/util/utils.go @@ -99,7 +99,10 @@ func GetImageConfig(changes []string) (v1.ImageConfig, error) { var st struct{} exposedPorts[pair[1]] = st case "ENV": - env = append(env, pair[1]) + if len(pair) < 3 { + return v1.ImageConfig{}, errors.Errorf("no value given for environment variable %q", pair[1]) + } + env = append(env, strings.Join(pair[1:], "=")) case "ENTRYPOINT": entrypoint = append(entrypoint, pair[1]) case "CMD": diff --git a/pkg/varlinkapi/virtwriter/virtwriter.go b/pkg/varlinkapi/virtwriter/virtwriter.go index 3adaf6e17..e747984c7 100644 --- a/pkg/varlinkapi/virtwriter/virtwriter.go +++ b/pkg/varlinkapi/virtwriter/virtwriter.go @@ -91,65 +91,65 @@ func (v VirtWriteCloser) Write(input []byte) (int, error) { // Reader decodes the content that comes over the wire and directs it to the proper destination. func Reader(r *bufio.Reader, output, errput *os.File, input *io.PipeWriter, resize chan remotecommand.TerminalSize) error { - var saveb []byte - var eom int + var messageSize int64 + headerBytes := make([]byte, 8) + for { - readb := make([]byte, 32*1024) - n, err := r.Read(readb) - // TODO, later may be worth checking in len of the read is 0 + n, err := io.ReadFull(r, headerBytes) if err != nil { return err } - b := append(saveb, readb[0:n]...) - // no sense in reading less than the header len - for len(b) > 7 { - eom = int(binary.BigEndian.Uint32(b[4:8])) + 8 - // The message and header are togther - if len(b) >= eom { - out := append([]byte{}, b[8:eom]...) - - switch IntToSocketDest(int(b[0])) { - case ToStdout: - n, err := output.Write(out) - if err != nil { - return err - } - if n < len(out) { - return errors.New("short write error occurred on stdout") - } - case ToStderr: - n, err := errput.Write(out) - if err != nil { - return err - } - if n < len(out) { - return errors.New("short write error occurred on stderr") - } - case ToStdin: - n, err := input.Write(out) - if err != nil { - return err - } - if n < len(out) { - return errors.New("short write error occurred on stdin") - } - case TerminalResize: - // Resize events come over in bytes, need to be reserialized - resizeEvent := remotecommand.TerminalSize{} - if err := json.Unmarshal(out, &resizeEvent); err != nil { - return err - } - resize <- resizeEvent - case Quit: - return nil + if n < 8 { + return errors.New("short read and no full header read") + } + + messageSize = int64(binary.BigEndian.Uint32(headerBytes[4:8])) + + switch IntToSocketDest(int(headerBytes[0])) { + case ToStdout: + _, err := io.CopyN(output, r, messageSize) + if err != nil { + return err + } + case ToStderr: + _, err := io.CopyN(errput, r, messageSize) + if err != nil { + return err + } + case ToStdin: + _, err := io.CopyN(input, r, messageSize) + if err != nil { + return err + } + case TerminalResize: + out := make([]byte, messageSize) + if messageSize > 0 { + _, err = io.ReadFull(r, out) + + if err != nil { + return err } - b = b[eom:] - } else { - // We do not have the header and full message, need to slurp again - saveb = b - break } + // Resize events come over in bytes, need to be reserialized + resizeEvent := remotecommand.TerminalSize{} + if err := json.Unmarshal(out, &resizeEvent); err != nil { + return err + } + resize <- resizeEvent + case Quit: + out := make([]byte, messageSize) + if messageSize > 0 { + _, err = io.ReadFull(r, out) + + if err != nil { + return err + } + } + return nil + + default: + // Something really went wrong + return errors.New("Unknown multiplex destination") } } - return nil } diff --git a/test/e2e/checkpoint_test.go b/test/e2e/checkpoint_test.go index 95ec21433..d452a062b 100644 --- a/test/e2e/checkpoint_test.go +++ b/test/e2e/checkpoint_test.go @@ -347,4 +347,49 @@ var _ = Describe("Podman checkpoint", func() { Expect(podmanTest.NumberOfContainersRunning()).To(Equal(0)) }) + // This test does the same steps which are necessary for migrating + // a container from one host to another + It("podman checkpoint container with export (migration)", func() { + // CRIU does not work with seccomp correctly on RHEL7 + session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", "-d", ALPINE, "top"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(podmanTest.NumberOfContainersRunning()).To(Equal(1)) + + result := podmanTest.Podman([]string{"container", "checkpoint", "-l", "-e", "/tmp/checkpoint.tar.gz"}) + result.WaitWithDefaultTimeout() + + Expect(result.ExitCode()).To(Equal(0)) + Expect(podmanTest.NumberOfContainersRunning()).To(Equal(0)) + Expect(podmanTest.GetContainerStatus()).To(ContainSubstring("Exited")) + + // Remove all containers to simulate migration + result = podmanTest.Podman([]string{"rm", "-fa"}) + result.WaitWithDefaultTimeout() + Expect(result.ExitCode()).To(Equal(0)) + Expect(podmanTest.NumberOfContainersRunning()).To(Equal(0)) + + result = podmanTest.Podman([]string{"container", "restore", "-i", "/tmp/checkpoint.tar.gz"}) + result.WaitWithDefaultTimeout() + + Expect(result.ExitCode()).To(Equal(0)) + Expect(podmanTest.NumberOfContainersRunning()).To(Equal(1)) + Expect(podmanTest.GetContainerStatus()).To(ContainSubstring("Up")) + + // Restore container a second time with different name + result = podmanTest.Podman([]string{"container", "restore", "-i", "/tmp/checkpoint.tar.gz", "-n", "restore_again"}) + result.WaitWithDefaultTimeout() + + Expect(result.ExitCode()).To(Equal(0)) + Expect(podmanTest.NumberOfContainersRunning()).To(Equal(2)) + Expect(podmanTest.GetContainerStatus()).To(ContainSubstring("Up")) + + result = podmanTest.Podman([]string{"rm", "-fa"}) + result.WaitWithDefaultTimeout() + Expect(result.ExitCode()).To(Equal(0)) + Expect(podmanTest.NumberOfContainersRunning()).To(Equal(0)) + + // Remove exported checkpoint + os.Remove("/tmp/checkpoint.tar.gz") + }) }) diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go index 0a388dc42..9529346b4 100644 --- a/test/e2e/common_test.go +++ b/test/e2e/common_test.go @@ -11,6 +11,7 @@ import ( "strings" "testing" + "github.com/containers/libpod/cmd/podman/shared" "github.com/containers/libpod/libpod" "github.com/containers/libpod/pkg/inspect" "github.com/containers/libpod/pkg/rootless" @@ -319,7 +320,7 @@ func (s *PodmanSessionIntegration) InspectImageJSON() []inspect.ImageData { } // InspectContainer returns a container's inspect data in JSON format -func (p *PodmanTestIntegration) InspectContainer(name string) []inspect.ContainerData { +func (p *PodmanTestIntegration) InspectContainer(name string) []shared.InspectContainer { cmd := []string{"inspect", name} session := p.Podman(cmd) session.WaitWithDefaultTimeout() @@ -466,8 +467,8 @@ func (p *PodmanTestIntegration) PullImage(image string) error { // InspectContainerToJSON takes the session output of an inspect // container and returns json -func (s *PodmanSessionIntegration) InspectContainerToJSON() []inspect.ContainerData { - var i []inspect.ContainerData +func (s *PodmanSessionIntegration) InspectContainerToJSON() []shared.InspectContainer { + var i []shared.InspectContainer err := json.Unmarshal(s.Out.Contents(), &i) Expect(err).To(BeNil()) return i diff --git a/test/e2e/cp_test.go b/test/e2e/cp_test.go index 597d0aef7..f7596d77d 100644 --- a/test/e2e/cp_test.go +++ b/test/e2e/cp_test.go @@ -184,4 +184,25 @@ var _ = Describe("Podman cp", func() { _, err = os.Stat("/tmp/cp_test.txt") Expect(err).To(Not(BeNil())) }) + It("podman cp volume", func() { + session := podmanTest.Podman([]string{"volume", "create", "data"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"create", "-v", "data:/data", "--name", "container1", ALPINE}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + err = ioutil.WriteFile("cp_vol", []byte("copy to the volume"), 0644) + if err != nil { + os.Exit(1) + } + session = podmanTest.Podman([]string{"cp", "cp_vol", "container1" + ":/data/cp_vol1"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"cp", "container1" + ":/data/cp_vol1", "cp_vol2"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + }) }) diff --git a/test/e2e/generate_kube_test.go b/test/e2e/generate_kube_test.go index 95d46476d..40cc534c2 100644 --- a/test/e2e/generate_kube_test.go +++ b/test/e2e/generate_kube_test.go @@ -4,6 +4,7 @@ package integration import ( "os" + "path/filepath" . "github.com/containers/libpod/test/utils" "github.com/ghodss/yaml" @@ -104,4 +105,43 @@ var _ = Describe("Podman generate kube", func() { _, err := yaml.Marshal(kube.OutputToString()) Expect(err).To(BeNil()) }) + + It("podman generate and reimport kube on pod", func() { + podName := "toppod" + _, rc, _ := podmanTest.CreatePod(podName) + Expect(rc).To(Equal(0)) + + session := podmanTest.Podman([]string{"create", "--pod", podName, "--name", "test1", ALPINE, "top"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session2 := podmanTest.Podman([]string{"create", "--pod", podName, "--name", "test2", ALPINE, "top"}) + session2.WaitWithDefaultTimeout() + Expect(session2.ExitCode()).To(Equal(0)) + + outputFile := filepath.Join(podmanTest.RunRoot, "pod.yaml") + kube := podmanTest.Podman([]string{"generate", "kube", "-f", outputFile, podName}) + kube.WaitWithDefaultTimeout() + Expect(kube.ExitCode()).To(Equal(0)) + + session3 := podmanTest.Podman([]string{"pod", "rm", "-af"}) + session3.WaitWithDefaultTimeout() + Expect(session3.ExitCode()).To(Equal(0)) + + session4 := podmanTest.Podman([]string{"play", "kube", outputFile}) + session4.WaitWithDefaultTimeout() + Expect(session4.ExitCode()).To(Equal(0)) + + session5 := podmanTest.Podman([]string{"pod", "ps"}) + session5.WaitWithDefaultTimeout() + Expect(session5.ExitCode()).To(Equal(0)) + Expect(session5.OutputToString()).To(ContainSubstring(podName)) + + session6 := podmanTest.Podman([]string{"ps", "-a"}) + session6.WaitWithDefaultTimeout() + Expect(session6.ExitCode()).To(Equal(0)) + psOut := session6.OutputToString() + Expect(psOut).To(ContainSubstring("test1")) + Expect(psOut).To(ContainSubstring("test2")) + }) }) diff --git a/test/e2e/healthcheck_run_test.go b/test/e2e/healthcheck_run_test.go index be54cf1bd..125002bf9 100644 --- a/test/e2e/healthcheck_run_test.go +++ b/test/e2e/healthcheck_run_test.go @@ -5,6 +5,7 @@ package integration import ( "fmt" "os" + "time" . "github.com/containers/libpod/test/utils" . "github.com/onsi/ginkgo" @@ -43,13 +44,24 @@ var _ = Describe("Podman healthcheck run", func() { }) It("podman healthcheck on valid container", func() { + Skip("Extremely consistent flake - reenable on debugging") session := podmanTest.Podman([]string{"run", "-dt", "--name", "hc", healthcheck}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) - hc := podmanTest.Podman([]string{"healthcheck", "run", "hc"}) - hc.WaitWithDefaultTimeout() - Expect(hc.ExitCode()).To(Equal(0)) + exitCode := 999 + + // Buy a little time to get container running + for i := 0; i < 5; i++ { + hc := podmanTest.Podman([]string{"healthcheck", "run", "hc"}) + hc.WaitWithDefaultTimeout() + exitCode = hc.ExitCode() + if exitCode == 0 || i == 4 { + break + } + time.Sleep(1 * time.Second) + } + Expect(exitCode).To(Equal(0)) }) It("podman healthcheck that should fail", func() { diff --git a/test/e2e/logs_test.go b/test/e2e/logs_test.go index cc50c4d95..d17f60a5d 100644 --- a/test/e2e/logs_test.go +++ b/test/e2e/logs_test.go @@ -218,4 +218,21 @@ var _ = Describe("Podman logs", func() { Expect(results.ExitCode()).To(Equal(0)) Expect(len(results.OutputToStringArray())).To(Equal(3)) }) + + It("podman logs -f two lines", func() { + containerName := "logs-f-rm" + + logc := podmanTest.Podman([]string{"run", "--rm", "--name", containerName, "-dt", ALPINE, "sh", "-c", "echo podman; sleep 1; echo podman"}) + logc.WaitWithDefaultTimeout() + Expect(logc.ExitCode()).To(Equal(0)) + + results := podmanTest.Podman([]string{"logs", "-f", containerName}) + results.WaitWithDefaultTimeout() + Expect(results.ExitCode()).To(Equal(0)) + + // Verify that the cleanup process worked correctly and we can recreate a container with the same name + logc = podmanTest.Podman([]string{"run", "--rm", "--name", containerName, "-dt", ALPINE, "true"}) + logc.WaitWithDefaultTimeout() + Expect(logc.ExitCode()).To(Equal(0)) + }) }) diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 31720ea04..3ba3c2bb3 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -659,6 +659,14 @@ USER mail` Expect(isSharedOnly).Should(BeTrue()) }) + It("podman run --mount type=bind,bind-nonrecursive", func() { + SkipIfRootless() + session := podmanTest.Podman([]string{"run", "--mount", "type=bind,bind-nonrecursive,slave,src=/,target=/host", fedoraMinimal, "findmnt", "-nR", "/host"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + Expect(len(session.OutputToStringArray())).To(Equal(1)) + }) + It("podman run --pod automatically", func() { session := podmanTest.Podman([]string{"run", "--pod", "new:foobar", ALPINE, "ls"}) session.WaitWithDefaultTimeout() diff --git a/test/e2e/runlabel_test.go b/test/e2e/runlabel_test.go index 5ef68603e..4e2cb501e 100644 --- a/test/e2e/runlabel_test.go +++ b/test/e2e/runlabel_test.go @@ -85,6 +85,7 @@ var _ = Describe("podman container runlabel", func() { }) It("podman container runlabel global options", func() { + Skip("Test nonfunctional for podman-in-podman testing") image := "podman-global-test:ls" podmanTest.BuildImage(GlobalDockerfile, image, "false") result := podmanTest.Podman([]string{"--syslog", "--log-level", "debug", "container", "runlabel", "RUN", image}) diff --git a/test/system/005-info.bats b/test/system/005-info.bats index 47c7a52fc..0068e35a9 100644 --- a/test/system/005-info.bats +++ b/test/system/005-info.bats @@ -14,7 +14,7 @@ Distribution: OCIRuntime:\\\s\\\+package: os: rootless: -insecure registries: +registries: store: GraphDriverName: GraphRoot: @@ -37,9 +37,7 @@ RunRoot: tests=" host.BuildahVersion | [0-9.] -host.Conmon.package | $expr_nvr host.Conmon.path | $expr_path -host.OCIRuntime.package | $expr_nvr host.OCIRuntime.path | $expr_path store.ConfigFile | $expr_path store.GraphDriverName | [a-z0-9]\\\+\\\$ diff --git a/test/system/120-load.bats b/test/system/120-load.bats index dedfe6172..f2dedb73f 100644 --- a/test/system/120-load.bats +++ b/test/system/120-load.bats @@ -87,6 +87,10 @@ verify_iid_and_name() { @test "podman load - will not read from tty" { + if [ ! -t 0 ]; then + skip "STDIN is not a tty" + fi + run_podman 125 load is "$output" \ "Error: cannot read from terminal. Use command-line redirection" \ diff --git a/vendor.conf b/vendor.conf index 65bfcd77a..9b9044b66 100644 --- a/vendor.conf +++ b/vendor.conf @@ -3,7 +3,7 @@ # # TODO: no release, can we find an alternative? github.com/Azure/go-ansiterm d6e3b3328b783f23731bc4d058875b0371ff8109 -github.com/BurntSushi/toml v0.2.0 +github.com/BurntSushi/toml v0.3.1 github.com/Microsoft/go-winio v0.4.11 github.com/Microsoft/hcsshim v0.8.3 github.com/blang/semver v3.5.0 @@ -15,11 +15,11 @@ github.com/containerd/cgroups 4994991857f9b0ae8dc439551e8bebdbb4bf66c1 github.com/containerd/continuity 004b46473808b3e7a4a3049c20e4376c91eb966d github.com/containernetworking/cni v0.7.0-rc2 github.com/containernetworking/plugins v0.7.4 -github.com/containers/image 2c0349c99af7d90694b3faa0e9bde404d407b145 +github.com/containers/image v2.0.0 github.com/vbauerster/mpb v3.3.4 github.com/mattn/go-isatty v0.0.4 github.com/VividCortex/ewma v1.1.1 -github.com/containers/storage v1.12.7 +github.com/containers/storage v1.12.10 github.com/containers/psgo v1.3.0 github.com/coreos/go-systemd v17 github.com/coreos/pkg v4 @@ -93,7 +93,7 @@ k8s.io/api kubernetes-1.10.13-beta.0 https://github.com/kubernetes/api k8s.io/apimachinery kubernetes-1.10.13-beta.0 https://github.com/kubernetes/apimachinery k8s.io/client-go kubernetes-1.10.13-beta.0 https://github.com/kubernetes/client-go github.com/mrunalp/fileutils 7d4729fb36185a7c1719923406c9d40e54fb93c7 -github.com/containers/buildah bcc5e51a948c1847fab1c932f1a343696a96cafd +github.com/containers/buildah v1.8.4 github.com/varlink/go 0f1d566d194b9d6d48e0d47c5e4d822628919066 # TODO: Gotty has not been updated since 2012. Can we find replacement? github.com/Nvveen/Gotty cd527374f1e5bff4938207604a14f2e38a9cf512 diff --git a/vendor/github.com/BurntSushi/toml/COPYING b/vendor/github.com/BurntSushi/toml/COPYING index 5a8e33254..01b574320 100644 --- a/vendor/github.com/BurntSushi/toml/COPYING +++ b/vendor/github.com/BurntSushi/toml/COPYING @@ -1,14 +1,21 @@ - DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE - Version 2, December 2004 +The MIT License (MIT) - Copyright (C) 2004 Sam Hocevar <sam@hocevar.net> +Copyright (c) 2013 TOML authors - Everyone is permitted to copy and distribute verbatim or modified - copies of this license document, and changing it is allowed as long - as the name is changed. +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: - DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. You just DO WHAT THE FUCK YOU WANT TO. +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/github.com/BurntSushi/toml/README.md b/vendor/github.com/BurntSushi/toml/README.md index 5a5df6370..7c1b37ecc 100644 --- a/vendor/github.com/BurntSushi/toml/README.md +++ b/vendor/github.com/BurntSushi/toml/README.md @@ -1,17 +1,17 @@ ## TOML parser and encoder for Go with reflection TOML stands for Tom's Obvious, Minimal Language. This Go package provides a -reflection interface similar to Go's standard library `json` and `xml` +reflection interface similar to Go's standard library `json` and `xml` packages. This package also supports the `encoding.TextUnmarshaler` and -`encoding.TextMarshaler` interfaces so that you can define custom data +`encoding.TextMarshaler` interfaces so that you can define custom data representations. (There is an example of this below.) -Spec: https://github.com/mojombo/toml +Spec: https://github.com/toml-lang/toml Compatible with TOML version -[v0.2.0](https://github.com/toml-lang/toml/blob/master/versions/en/toml-v0.2.0.md) +[v0.4.0](https://github.com/toml-lang/toml/blob/master/versions/en/toml-v0.4.0.md) -Documentation: http://godoc.org/github.com/BurntSushi/toml +Documentation: https://godoc.org/github.com/BurntSushi/toml Installation: @@ -26,8 +26,7 @@ go get github.com/BurntSushi/toml/cmd/tomlv tomlv some-toml-file.toml ``` -[](https://travis-ci.org/BurntSushi/toml) - +[](https://travis-ci.org/BurntSushi/toml) [](https://godoc.org/github.com/BurntSushi/toml) ### Testing @@ -87,7 +86,7 @@ type TOML struct { ### Using the `encoding.TextUnmarshaler` interface -Here's an example that automatically parses duration strings into +Here's an example that automatically parses duration strings into `time.Duration` values: ```toml @@ -120,7 +119,7 @@ for _, s := range favorites.Song { } ``` -And you'll also need a `duration` type that satisfies the +And you'll also need a `duration` type that satisfies the `encoding.TextUnmarshaler` interface: ```go @@ -217,4 +216,3 @@ Note that a case insensitive match will be tried if an exact match can't be found. A working example of the above can be found in `_examples/example.{go,toml}`. - diff --git a/vendor/github.com/BurntSushi/toml/decode.go b/vendor/github.com/BurntSushi/toml/decode.go index c26b00c01..b0fd51d5b 100644 --- a/vendor/github.com/BurntSushi/toml/decode.go +++ b/vendor/github.com/BurntSushi/toml/decode.go @@ -10,7 +10,9 @@ import ( "time" ) -var e = fmt.Errorf +func e(format string, args ...interface{}) error { + return fmt.Errorf("toml: "+format, args...) +} // Unmarshaler is the interface implemented by objects that can unmarshal a // TOML description of themselves. @@ -103,6 +105,13 @@ func (md *MetaData) PrimitiveDecode(primValue Primitive, v interface{}) error { // This decoder will not handle cyclic types. If a cyclic type is passed, // `Decode` will not terminate. func Decode(data string, v interface{}) (MetaData, error) { + rv := reflect.ValueOf(v) + if rv.Kind() != reflect.Ptr { + return MetaData{}, e("Decode of non-pointer %s", reflect.TypeOf(v)) + } + if rv.IsNil() { + return MetaData{}, e("Decode of nil %s", reflect.TypeOf(v)) + } p, err := parse(data) if err != nil { return MetaData{}, err @@ -111,7 +120,7 @@ func Decode(data string, v interface{}) (MetaData, error) { p.mapping, p.types, p.ordered, make(map[string]bool, len(p.ordered)), nil, } - return md, md.unify(p.mapping, rvalue(v)) + return md, md.unify(p.mapping, indirect(rv)) } // DecodeFile is just like Decode, except it will automatically read the @@ -211,7 +220,7 @@ func (md *MetaData) unify(data interface{}, rv reflect.Value) error { case reflect.Interface: // we only support empty interfaces. if rv.NumMethod() > 0 { - return e("Unsupported type '%s'.", rv.Kind()) + return e("unsupported type %s", rv.Type()) } return md.unifyAnything(data, rv) case reflect.Float32: @@ -219,7 +228,7 @@ func (md *MetaData) unify(data interface{}, rv reflect.Value) error { case reflect.Float64: return md.unifyFloat64(data, rv) } - return e("Unsupported type '%s'.", rv.Kind()) + return e("unsupported type %s", rv.Kind()) } func (md *MetaData) unifyStruct(mapping interface{}, rv reflect.Value) error { @@ -228,7 +237,8 @@ func (md *MetaData) unifyStruct(mapping interface{}, rv reflect.Value) error { if mapping == nil { return nil } - return mismatch(rv, "map", mapping) + return e("type mismatch for %s: expected table but found %T", + rv.Type().String(), mapping) } for key, datum := range tmap { @@ -253,14 +263,13 @@ func (md *MetaData) unifyStruct(mapping interface{}, rv reflect.Value) error { md.decoded[md.context.add(key).String()] = true md.context = append(md.context, key) if err := md.unify(datum, subv); err != nil { - return e("Type mismatch for '%s.%s': %s", - rv.Type().String(), f.name, err) + return err } md.context = md.context[0 : len(md.context)-1] } else if f.name != "" { // Bad user! No soup for you! - return e("Field '%s.%s' is unexported, and therefore cannot "+ - "be loaded with reflection.", rv.Type().String(), f.name) + return e("cannot write unexported field %s.%s", + rv.Type().String(), f.name) } } } @@ -378,15 +387,15 @@ func (md *MetaData) unifyInt(data interface{}, rv reflect.Value) error { // No bounds checking necessary. case reflect.Int8: if num < math.MinInt8 || num > math.MaxInt8 { - return e("Value '%d' is out of range for int8.", num) + return e("value %d is out of range for int8", num) } case reflect.Int16: if num < math.MinInt16 || num > math.MaxInt16 { - return e("Value '%d' is out of range for int16.", num) + return e("value %d is out of range for int16", num) } case reflect.Int32: if num < math.MinInt32 || num > math.MaxInt32 { - return e("Value '%d' is out of range for int32.", num) + return e("value %d is out of range for int32", num) } } rv.SetInt(num) @@ -397,15 +406,15 @@ func (md *MetaData) unifyInt(data interface{}, rv reflect.Value) error { // No bounds checking necessary. case reflect.Uint8: if num < 0 || unum > math.MaxUint8 { - return e("Value '%d' is out of range for uint8.", num) + return e("value %d is out of range for uint8", num) } case reflect.Uint16: if num < 0 || unum > math.MaxUint16 { - return e("Value '%d' is out of range for uint16.", num) + return e("value %d is out of range for uint16", num) } case reflect.Uint32: if num < 0 || unum > math.MaxUint32 { - return e("Value '%d' is out of range for uint32.", num) + return e("value %d is out of range for uint32", num) } } rv.SetUint(unum) @@ -471,7 +480,7 @@ func rvalue(v interface{}) reflect.Value { // interest to us (like encoding.TextUnmarshaler). func indirect(v reflect.Value) reflect.Value { if v.Kind() != reflect.Ptr { - if v.CanAddr() { + if v.CanSet() { pv := v.Addr() if _, ok := pv.Interface().(TextUnmarshaler); ok { return pv @@ -496,10 +505,5 @@ func isUnifiable(rv reflect.Value) bool { } func badtype(expected string, data interface{}) error { - return e("Expected %s but found '%T'.", expected, data) -} - -func mismatch(user reflect.Value, expected string, data interface{}) error { - return e("Type mismatch for %s. Expected %s but found '%T'.", - user.Type().String(), expected, data) + return e("cannot load TOML value of type %T into a Go %s", data, expected) } diff --git a/vendor/github.com/BurntSushi/toml/decode_meta.go b/vendor/github.com/BurntSushi/toml/decode_meta.go index ef6f545fa..b9914a679 100644 --- a/vendor/github.com/BurntSushi/toml/decode_meta.go +++ b/vendor/github.com/BurntSushi/toml/decode_meta.go @@ -77,9 +77,8 @@ func (k Key) maybeQuoted(i int) string { } if quote { return "\"" + strings.Replace(k[i], "\"", "\\\"", -1) + "\"" - } else { - return k[i] } + return k[i] } func (k Key) add(piece string) Key { diff --git a/vendor/github.com/BurntSushi/toml/doc.go b/vendor/github.com/BurntSushi/toml/doc.go index fe2680004..b371f396e 100644 --- a/vendor/github.com/BurntSushi/toml/doc.go +++ b/vendor/github.com/BurntSushi/toml/doc.go @@ -4,7 +4,7 @@ files via reflection. There is also support for delaying decoding with the Primitive type, and querying the set of keys in a TOML document with the MetaData type. -The specification implemented: https://github.com/mojombo/toml +The specification implemented: https://github.com/toml-lang/toml The sub-command github.com/BurntSushi/toml/cmd/tomlv can be used to verify whether a file is a valid TOML document. It can also be used to print the diff --git a/vendor/github.com/BurntSushi/toml/encode.go b/vendor/github.com/BurntSushi/toml/encode.go index 4e4c97aed..d905c21a2 100644 --- a/vendor/github.com/BurntSushi/toml/encode.go +++ b/vendor/github.com/BurntSushi/toml/encode.go @@ -16,17 +16,17 @@ type tomlEncodeError struct{ error } var ( errArrayMixedElementTypes = errors.New( - "can't encode array with mixed element types") + "toml: cannot encode array with mixed element types") errArrayNilElement = errors.New( - "can't encode array with nil element") + "toml: cannot encode array with nil element") errNonString = errors.New( - "can't encode a map with non-string key type") + "toml: cannot encode a map with non-string key type") errAnonNonStruct = errors.New( - "can't encode an anonymous field that is not a struct") + "toml: cannot encode an anonymous field that is not a struct") errArrayNoTable = errors.New( - "TOML array element can't contain a table") + "toml: TOML array element cannot contain a table") errNoKey = errors.New( - "top-level values must be a Go map or struct") + "toml: top-level values must be Go maps or structs") errAnything = errors.New("") // used in testing ) @@ -148,7 +148,7 @@ func (enc *Encoder) encode(key Key, rv reflect.Value) { case reflect.Struct: enc.eTable(key, rv) default: - panic(e("Unsupported type for key '%s': %s", key, k)) + panic(e("unsupported type for key '%s': %s", key, k)) } } @@ -160,7 +160,7 @@ func (enc *Encoder) eElement(rv reflect.Value) { // Special case time.Time as a primitive. Has to come before // TextMarshaler below because time.Time implements // encoding.TextMarshaler, but we need to always use UTC. - enc.wf(v.In(time.FixedZone("UTC", 0)).Format("2006-01-02T15:04:05Z")) + enc.wf(v.UTC().Format("2006-01-02T15:04:05Z")) return case TextMarshaler: // Special case. Use text marshaler if it's available for this value. @@ -191,7 +191,7 @@ func (enc *Encoder) eElement(rv reflect.Value) { case reflect.String: enc.writeQuoted(rv.String()) default: - panic(e("Unexpected primitive type: %s", rv.Kind())) + panic(e("unexpected primitive type: %s", rv.Kind())) } } @@ -241,7 +241,7 @@ func (enc *Encoder) eArrayOfTables(key Key, rv reflect.Value) { func (enc *Encoder) eTable(key Key, rv reflect.Value) { panicIfInvalidKey(key) if len(key) == 1 { - // Output an extra new line between top-level tables. + // Output an extra newline between top-level tables. // (The newline isn't written if nothing else has been written though.) enc.newline() } @@ -315,10 +315,16 @@ func (enc *Encoder) eStruct(key Key, rv reflect.Value) { t := f.Type switch t.Kind() { case reflect.Struct: - addFields(t, frv, f.Index) - continue + // Treat anonymous struct fields with + // tag names as though they are not + // anonymous, like encoding/json does. + if getOptions(f.Tag).name == "" { + addFields(t, frv, f.Index) + continue + } case reflect.Ptr: - if t.Elem().Kind() == reflect.Struct { + if t.Elem().Kind() == reflect.Struct && + getOptions(f.Tag).name == "" { if !frv.IsNil() { addFields(t.Elem(), frv.Elem(), f.Index) } @@ -347,17 +353,18 @@ func (enc *Encoder) eStruct(key Key, rv reflect.Value) { continue } - tag := sft.Tag.Get("toml") - if tag == "-" { + opts := getOptions(sft.Tag) + if opts.skip { continue } - keyName, opts := getOptions(tag) - if keyName == "" { - keyName = sft.Name + keyName := sft.Name + if opts.name != "" { + keyName = opts.name } - if _, ok := opts["omitempty"]; ok && isEmpty(sf) { + if opts.omitempty && isEmpty(sf) { continue - } else if _, ok := opts["omitzero"]; ok && isZero(sf) { + } + if opts.omitzero && isZero(sf) { continue } @@ -392,9 +399,8 @@ func tomlTypeOfGo(rv reflect.Value) tomlType { case reflect.Array, reflect.Slice: if typeEqual(tomlHash, tomlArrayType(rv)) { return tomlArrayHash - } else { - return tomlArray } + return tomlArray case reflect.Ptr, reflect.Interface: return tomlTypeOfGo(rv.Elem()) case reflect.String: @@ -451,17 +457,30 @@ func tomlArrayType(rv reflect.Value) tomlType { return firstType } -func getOptions(keyName string) (string, map[string]struct{}) { - opts := make(map[string]struct{}) - ss := strings.Split(keyName, ",") - name := ss[0] - if len(ss) > 1 { - for _, opt := range ss { - opts[opt] = struct{}{} +type tagOptions struct { + skip bool // "-" + name string + omitempty bool + omitzero bool +} + +func getOptions(tag reflect.StructTag) tagOptions { + t := tag.Get("toml") + if t == "-" { + return tagOptions{skip: true} + } + var opts tagOptions + parts := strings.Split(t, ",") + opts.name = parts[0] + for _, s := range parts[1:] { + switch s { + case "omitempty": + opts.omitempty = true + case "omitzero": + opts.omitzero = true } } - - return name, opts + return opts } func isZero(rv reflect.Value) bool { diff --git a/vendor/github.com/BurntSushi/toml/lex.go b/vendor/github.com/BurntSushi/toml/lex.go index 9b20b3a81..e0a742a88 100644 --- a/vendor/github.com/BurntSushi/toml/lex.go +++ b/vendor/github.com/BurntSushi/toml/lex.go @@ -3,6 +3,7 @@ package toml import ( "fmt" "strings" + "unicode" "unicode/utf8" ) @@ -29,24 +30,28 @@ const ( itemArrayTableEnd itemKeyStart itemCommentStart + itemInlineTableStart + itemInlineTableEnd ) const ( - eof = 0 - tableStart = '[' - tableEnd = ']' - arrayTableStart = '[' - arrayTableEnd = ']' - tableSep = '.' - keySep = '=' - arrayStart = '[' - arrayEnd = ']' - arrayValTerm = ',' - commentStart = '#' - stringStart = '"' - stringEnd = '"' - rawStringStart = '\'' - rawStringEnd = '\'' + eof = 0 + comma = ',' + tableStart = '[' + tableEnd = ']' + arrayTableStart = '[' + arrayTableEnd = ']' + tableSep = '.' + keySep = '=' + arrayStart = '[' + arrayEnd = ']' + commentStart = '#' + stringStart = '"' + stringEnd = '"' + rawStringStart = '\'' + rawStringEnd = '\'' + inlineTableStart = '{' + inlineTableEnd = '}' ) type stateFn func(lx *lexer) stateFn @@ -55,11 +60,18 @@ type lexer struct { input string start int pos int - width int line int state stateFn items chan item + // Allow for backing up up to three runes. + // This is necessary because TOML contains 3-rune tokens (""" and '''). + prevWidths [3]int + nprev int // how many of prevWidths are in use + // If we emit an eof, we can still back up, but it is not OK to call + // next again. + atEOF bool + // A stack of state functions used to maintain context. // The idea is to reuse parts of the state machine in various places. // For example, values can appear at the top level or within arbitrarily @@ -87,7 +99,7 @@ func (lx *lexer) nextItem() item { func lex(input string) *lexer { lx := &lexer{ - input: input + "\n", + input: input, state: lexTop, line: 1, items: make(chan item, 10), @@ -102,7 +114,7 @@ func (lx *lexer) push(state stateFn) { func (lx *lexer) pop() stateFn { if len(lx.stack) == 0 { - return lx.errorf("BUG in lexer: no states to pop.") + return lx.errorf("BUG in lexer: no states to pop") } last := lx.stack[len(lx.stack)-1] lx.stack = lx.stack[0 : len(lx.stack)-1] @@ -124,16 +136,25 @@ func (lx *lexer) emitTrim(typ itemType) { } func (lx *lexer) next() (r rune) { + if lx.atEOF { + panic("next called after EOF") + } if lx.pos >= len(lx.input) { - lx.width = 0 + lx.atEOF = true return eof } if lx.input[lx.pos] == '\n' { lx.line++ } - r, lx.width = utf8.DecodeRuneInString(lx.input[lx.pos:]) - lx.pos += lx.width + lx.prevWidths[2] = lx.prevWidths[1] + lx.prevWidths[1] = lx.prevWidths[0] + if lx.nprev < 3 { + lx.nprev++ + } + r, w := utf8.DecodeRuneInString(lx.input[lx.pos:]) + lx.prevWidths[0] = w + lx.pos += w return r } @@ -142,9 +163,20 @@ func (lx *lexer) ignore() { lx.start = lx.pos } -// backup steps back one rune. Can be called only once per call of next. +// backup steps back one rune. Can be called only twice between calls to next. func (lx *lexer) backup() { - lx.pos -= lx.width + if lx.atEOF { + lx.atEOF = false + return + } + if lx.nprev < 1 { + panic("backed up too far") + } + w := lx.prevWidths[0] + lx.prevWidths[0] = lx.prevWidths[1] + lx.prevWidths[1] = lx.prevWidths[2] + lx.nprev-- + lx.pos -= w if lx.pos < len(lx.input) && lx.input[lx.pos] == '\n' { lx.line-- } @@ -166,9 +198,22 @@ func (lx *lexer) peek() rune { return r } +// skip ignores all input that matches the given predicate. +func (lx *lexer) skip(pred func(rune) bool) { + for { + r := lx.next() + if pred(r) { + continue + } + lx.backup() + lx.ignore() + return + } +} + // errorf stops all lexing by emitting an error and returning `nil`. // Note that any value that is a character is escaped if it's a special -// character (new lines, tabs, etc.). +// character (newlines, tabs, etc.). func (lx *lexer) errorf(format string, values ...interface{}) stateFn { lx.items <- item{ itemError, @@ -184,7 +229,6 @@ func lexTop(lx *lexer) stateFn { if isWhitespace(r) || isNL(r) { return lexSkip(lx, lexTop) } - switch r { case commentStart: lx.push(lexTop) @@ -193,7 +237,7 @@ func lexTop(lx *lexer) stateFn { return lexTableStart case eof: if lx.pos > lx.start { - return lx.errorf("Unexpected EOF.") + return lx.errorf("unexpected EOF") } lx.emit(itemEOF) return nil @@ -208,12 +252,12 @@ func lexTop(lx *lexer) stateFn { // lexTopEnd is entered whenever a top-level item has been consumed. (A value // or a table.) It must see only whitespace, and will turn back to lexTop -// upon a new line. If it sees EOF, it will quit the lexer successfully. +// upon a newline. If it sees EOF, it will quit the lexer successfully. func lexTopEnd(lx *lexer) stateFn { r := lx.next() switch { case r == commentStart: - // a comment will read to a new line for us. + // a comment will read to a newline for us. lx.push(lexTop) return lexCommentStart case isWhitespace(r): @@ -222,11 +266,11 @@ func lexTopEnd(lx *lexer) stateFn { lx.ignore() return lexTop case r == eof: - lx.ignore() - return lexTop + lx.emit(itemEOF) + return nil } - return lx.errorf("Expected a top-level item to end with a new line, "+ - "comment or EOF, but got %q instead.", r) + return lx.errorf("expected a top-level item to end with a newline, "+ + "comment, or EOF, but got %q instead", r) } // lexTable lexes the beginning of a table. Namely, it makes sure that @@ -253,21 +297,22 @@ func lexTableEnd(lx *lexer) stateFn { func lexArrayTableEnd(lx *lexer) stateFn { if r := lx.next(); r != arrayTableEnd { - return lx.errorf("Expected end of table array name delimiter %q, "+ - "but got %q instead.", arrayTableEnd, r) + return lx.errorf("expected end of table array name delimiter %q, "+ + "but got %q instead", arrayTableEnd, r) } lx.emit(itemArrayTableEnd) return lexTopEnd } func lexTableNameStart(lx *lexer) stateFn { + lx.skip(isWhitespace) switch r := lx.peek(); { case r == tableEnd || r == eof: - return lx.errorf("Unexpected end of table name. (Table names cannot " + - "be empty.)") + return lx.errorf("unexpected end of table name " + + "(table names cannot be empty)") case r == tableSep: - return lx.errorf("Unexpected table separator. (Table names cannot " + - "be empty.)") + return lx.errorf("unexpected table separator " + + "(table names cannot be empty)") case r == stringStart || r == rawStringStart: lx.ignore() lx.push(lexTableNameEnd) @@ -277,24 +322,22 @@ func lexTableNameStart(lx *lexer) stateFn { } } -// lexTableName lexes the name of a table. It assumes that at least one +// lexBareTableName lexes the name of a table. It assumes that at least one // valid character for the table has already been read. func lexBareTableName(lx *lexer) stateFn { - switch r := lx.next(); { - case isBareKeyChar(r): + r := lx.next() + if isBareKeyChar(r) { return lexBareTableName - case r == tableSep || r == tableEnd: - lx.backup() - lx.emitTrim(itemText) - return lexTableNameEnd - default: - return lx.errorf("Bare keys cannot contain %q.", r) } + lx.backup() + lx.emit(itemText) + return lexTableNameEnd } // lexTableNameEnd reads the end of a piece of a table name, optionally // consuming whitespace. func lexTableNameEnd(lx *lexer) stateFn { + lx.skip(isWhitespace) switch r := lx.next(); { case isWhitespace(r): return lexTableNameEnd @@ -304,8 +347,8 @@ func lexTableNameEnd(lx *lexer) stateFn { case r == tableEnd: return lx.pop() default: - return lx.errorf("Expected '.' or ']' to end table name, but got %q "+ - "instead.", r) + return lx.errorf("expected '.' or ']' to end table name, "+ + "but got %q instead", r) } } @@ -315,7 +358,7 @@ func lexKeyStart(lx *lexer) stateFn { r := lx.peek() switch { case r == keySep: - return lx.errorf("Unexpected key separator %q.", keySep) + return lx.errorf("unexpected key separator %q", keySep) case isWhitespace(r) || isNL(r): lx.next() return lexSkip(lx, lexKeyStart) @@ -338,14 +381,15 @@ func lexBareKey(lx *lexer) stateFn { case isBareKeyChar(r): return lexBareKey case isWhitespace(r): - lx.emitTrim(itemText) + lx.backup() + lx.emit(itemText) return lexKeyEnd case r == keySep: lx.backup() - lx.emitTrim(itemText) + lx.emit(itemText) return lexKeyEnd default: - return lx.errorf("Bare keys cannot contain %q.", r) + return lx.errorf("bare keys cannot contain %q", r) } } @@ -358,7 +402,7 @@ func lexKeyEnd(lx *lexer) stateFn { case isWhitespace(r): return lexSkip(lx, lexKeyEnd) default: - return lx.errorf("Expected key separator %q, but got %q instead.", + return lx.errorf("expected key separator %q, but got %q instead", keySep, r) } } @@ -367,20 +411,26 @@ func lexKeyEnd(lx *lexer) stateFn { // lexValue will ignore whitespace. // After a value is lexed, the last state on the next is popped and returned. func lexValue(lx *lexer) stateFn { - // We allow whitespace to precede a value, but NOT new lines. - // In array syntax, the array states are responsible for ignoring new - // lines. + // We allow whitespace to precede a value, but NOT newlines. + // In array syntax, the array states are responsible for ignoring newlines. r := lx.next() - if isWhitespace(r) { + switch { + case isWhitespace(r): return lexSkip(lx, lexValue) + case isDigit(r): + lx.backup() // avoid an extra state and use the same as above + return lexNumberOrDateStart } - - switch { - case r == arrayStart: + switch r { + case arrayStart: lx.ignore() lx.emit(itemArray) return lexArrayValue - case r == stringStart: + case inlineTableStart: + lx.ignore() + lx.emit(itemInlineTableStart) + return lexInlineTableValue + case stringStart: if lx.accept(stringStart) { if lx.accept(stringStart) { lx.ignore() // Ignore """ @@ -390,7 +440,7 @@ func lexValue(lx *lexer) stateFn { } lx.ignore() // ignore the '"' return lexString - case r == rawStringStart: + case rawStringStart: if lx.accept(rawStringStart) { if lx.accept(rawStringStart) { lx.ignore() // Ignore """ @@ -400,23 +450,24 @@ func lexValue(lx *lexer) stateFn { } lx.ignore() // ignore the "'" return lexRawString - case r == 't': - return lexTrue - case r == 'f': - return lexFalse - case r == '-': + case '+', '-': return lexNumberStart - case isDigit(r): - lx.backup() // avoid an extra state and use the same as above - return lexNumberOrDateStart - case r == '.': // special error case, be kind to users - return lx.errorf("Floats must start with a digit, not '.'.") + case '.': // special error case, be kind to users + return lx.errorf("floats must start with a digit, not '.'") + } + if unicode.IsLetter(r) { + // Be permissive here; lexBool will give a nice error if the + // user wrote something like + // x = foo + // (i.e. not 'true' or 'false' but is something else word-like.) + lx.backup() + return lexBool } - return lx.errorf("Expected value but found %q instead.", r) + return lx.errorf("expected value but found %q instead", r) } // lexArrayValue consumes one value in an array. It assumes that '[' or ',' -// have already been consumed. All whitespace and new lines are ignored. +// have already been consumed. All whitespace and newlines are ignored. func lexArrayValue(lx *lexer) stateFn { r := lx.next() switch { @@ -425,10 +476,11 @@ func lexArrayValue(lx *lexer) stateFn { case r == commentStart: lx.push(lexArrayValue) return lexCommentStart - case r == arrayValTerm: - return lx.errorf("Unexpected array value terminator %q.", - arrayValTerm) + case r == comma: + return lx.errorf("unexpected comma") case r == arrayEnd: + // NOTE(caleb): The spec isn't clear about whether you can have + // a trailing comma or not, so we'll allow it. return lexArrayEnd } @@ -437,8 +489,9 @@ func lexArrayValue(lx *lexer) stateFn { return lexValue } -// lexArrayValueEnd consumes the cruft between values of an array. Namely, -// it ignores whitespace and expects either a ',' or a ']'. +// lexArrayValueEnd consumes everything between the end of an array value and +// the next value (or the end of the array): it ignores whitespace and newlines +// and expects either a ',' or a ']'. func lexArrayValueEnd(lx *lexer) stateFn { r := lx.next() switch { @@ -447,31 +500,88 @@ func lexArrayValueEnd(lx *lexer) stateFn { case r == commentStart: lx.push(lexArrayValueEnd) return lexCommentStart - case r == arrayValTerm: + case r == comma: lx.ignore() return lexArrayValue // move on to the next value case r == arrayEnd: return lexArrayEnd } - return lx.errorf("Expected an array value terminator %q or an array "+ - "terminator %q, but got %q instead.", arrayValTerm, arrayEnd, r) + return lx.errorf( + "expected a comma or array terminator %q, but got %q instead", + arrayEnd, r, + ) } -// lexArrayEnd finishes the lexing of an array. It assumes that a ']' has -// just been consumed. +// lexArrayEnd finishes the lexing of an array. +// It assumes that a ']' has just been consumed. func lexArrayEnd(lx *lexer) stateFn { lx.ignore() lx.emit(itemArrayEnd) return lx.pop() } +// lexInlineTableValue consumes one key/value pair in an inline table. +// It assumes that '{' or ',' have already been consumed. Whitespace is ignored. +func lexInlineTableValue(lx *lexer) stateFn { + r := lx.next() + switch { + case isWhitespace(r): + return lexSkip(lx, lexInlineTableValue) + case isNL(r): + return lx.errorf("newlines not allowed within inline tables") + case r == commentStart: + lx.push(lexInlineTableValue) + return lexCommentStart + case r == comma: + return lx.errorf("unexpected comma") + case r == inlineTableEnd: + return lexInlineTableEnd + } + lx.backup() + lx.push(lexInlineTableValueEnd) + return lexKeyStart +} + +// lexInlineTableValueEnd consumes everything between the end of an inline table +// key/value pair and the next pair (or the end of the table): +// it ignores whitespace and expects either a ',' or a '}'. +func lexInlineTableValueEnd(lx *lexer) stateFn { + r := lx.next() + switch { + case isWhitespace(r): + return lexSkip(lx, lexInlineTableValueEnd) + case isNL(r): + return lx.errorf("newlines not allowed within inline tables") + case r == commentStart: + lx.push(lexInlineTableValueEnd) + return lexCommentStart + case r == comma: + lx.ignore() + return lexInlineTableValue + case r == inlineTableEnd: + return lexInlineTableEnd + } + return lx.errorf("expected a comma or an inline table terminator %q, "+ + "but got %q instead", inlineTableEnd, r) +} + +// lexInlineTableEnd finishes the lexing of an inline table. +// It assumes that a '}' has just been consumed. +func lexInlineTableEnd(lx *lexer) stateFn { + lx.ignore() + lx.emit(itemInlineTableEnd) + return lx.pop() +} + // lexString consumes the inner contents of a string. It assumes that the // beginning '"' has already been consumed and ignored. func lexString(lx *lexer) stateFn { r := lx.next() switch { + case r == eof: + return lx.errorf("unexpected EOF") case isNL(r): - return lx.errorf("Strings cannot contain new lines.") + return lx.errorf("strings cannot contain newlines") case r == '\\': lx.push(lexString) return lexStringEscape @@ -488,11 +598,12 @@ func lexString(lx *lexer) stateFn { // lexMultilineString consumes the inner contents of a string. It assumes that // the beginning '"""' has already been consumed and ignored. func lexMultilineString(lx *lexer) stateFn { - r := lx.next() - switch { - case r == '\\': + switch lx.next() { + case eof: + return lx.errorf("unexpected EOF") + case '\\': return lexMultilineStringEscape - case r == stringEnd: + case stringEnd: if lx.accept(stringEnd) { if lx.accept(stringEnd) { lx.backup() @@ -516,8 +627,10 @@ func lexMultilineString(lx *lexer) stateFn { func lexRawString(lx *lexer) stateFn { r := lx.next() switch { + case r == eof: + return lx.errorf("unexpected EOF") case isNL(r): - return lx.errorf("Strings cannot contain new lines.") + return lx.errorf("strings cannot contain newlines") case r == rawStringEnd: lx.backup() lx.emit(itemRawString) @@ -529,12 +642,13 @@ func lexRawString(lx *lexer) stateFn { } // lexMultilineRawString consumes a raw string. Nothing can be escaped in such -// a string. It assumes that the beginning "'" has already been consumed and +// a string. It assumes that the beginning "'''" has already been consumed and // ignored. func lexMultilineRawString(lx *lexer) stateFn { - r := lx.next() - switch { - case r == rawStringEnd: + switch lx.next() { + case eof: + return lx.errorf("unexpected EOF") + case rawStringEnd: if lx.accept(rawStringEnd) { if lx.accept(rawStringEnd) { lx.backup() @@ -559,11 +673,10 @@ func lexMultilineStringEscape(lx *lexer) stateFn { // Handle the special case first: if isNL(lx.next()) { return lexMultilineString - } else { - lx.backup() - lx.push(lexMultilineString) - return lexStringEscape(lx) } + lx.backup() + lx.push(lexMultilineString) + return lexStringEscape(lx) } func lexStringEscape(lx *lexer) stateFn { @@ -588,10 +701,9 @@ func lexStringEscape(lx *lexer) stateFn { case 'U': return lexLongUnicodeEscape } - return lx.errorf("Invalid escape character %q. Only the following "+ + return lx.errorf("invalid escape character %q; only the following "+ "escape characters are allowed: "+ - "\\b, \\t, \\n, \\f, \\r, \\\", \\/, \\\\, "+ - "\\uXXXX and \\UXXXXXXXX.", r) + `\b, \t, \n, \f, \r, \", \\, \uXXXX, and \UXXXXXXXX`, r) } func lexShortUnicodeEscape(lx *lexer) stateFn { @@ -599,8 +711,8 @@ func lexShortUnicodeEscape(lx *lexer) stateFn { for i := 0; i < 4; i++ { r = lx.next() if !isHexadecimal(r) { - return lx.errorf("Expected four hexadecimal digits after '\\u', "+ - "but got '%s' instead.", lx.current()) + return lx.errorf(`expected four hexadecimal digits after '\u', `+ + "but got %q instead", lx.current()) } } return lx.pop() @@ -611,40 +723,43 @@ func lexLongUnicodeEscape(lx *lexer) stateFn { for i := 0; i < 8; i++ { r = lx.next() if !isHexadecimal(r) { - return lx.errorf("Expected eight hexadecimal digits after '\\U', "+ - "but got '%s' instead.", lx.current()) + return lx.errorf(`expected eight hexadecimal digits after '\U', `+ + "but got %q instead", lx.current()) } } return lx.pop() } -// lexNumberOrDateStart consumes either a (positive) integer, float or -// datetime. It assumes that NO negative sign has been consumed. +// lexNumberOrDateStart consumes either an integer, a float, or datetime. func lexNumberOrDateStart(lx *lexer) stateFn { r := lx.next() - if !isDigit(r) { - if r == '.' { - return lx.errorf("Floats must start with a digit, not '.'.") - } else { - return lx.errorf("Expected a digit but got %q.", r) - } + if isDigit(r) { + return lexNumberOrDate } - return lexNumberOrDate + switch r { + case '_': + return lexNumber + case 'e', 'E': + return lexFloat + case '.': + return lx.errorf("floats must start with a digit, not '.'") + } + return lx.errorf("expected a digit but got %q", r) } -// lexNumberOrDate consumes either a (positive) integer, float or datetime. +// lexNumberOrDate consumes either an integer, float or datetime. func lexNumberOrDate(lx *lexer) stateFn { r := lx.next() - switch { - case r == '-': - if lx.pos-lx.start != 5 { - return lx.errorf("All ISO8601 dates must be in full Zulu form.") - } - return lexDateAfterYear - case isDigit(r): + if isDigit(r) { return lexNumberOrDate - case r == '.': - return lexFloatStart + } + switch r { + case '-': + return lexDatetime + case '_': + return lexNumber + case '.', 'e', 'E': + return lexFloat } lx.backup() @@ -652,46 +767,34 @@ func lexNumberOrDate(lx *lexer) stateFn { return lx.pop() } -// lexDateAfterYear consumes a full Zulu Datetime in ISO8601 format. -// It assumes that "YYYY-" has already been consumed. -func lexDateAfterYear(lx *lexer) stateFn { - formats := []rune{ - // digits are '0'. - // everything else is direct equality. - '0', '0', '-', '0', '0', - 'T', - '0', '0', ':', '0', '0', ':', '0', '0', - 'Z', +// lexDatetime consumes a Datetime, to a first approximation. +// The parser validates that it matches one of the accepted formats. +func lexDatetime(lx *lexer) stateFn { + r := lx.next() + if isDigit(r) { + return lexDatetime } - for _, f := range formats { - r := lx.next() - if f == '0' { - if !isDigit(r) { - return lx.errorf("Expected digit in ISO8601 datetime, "+ - "but found %q instead.", r) - } - } else if f != r { - return lx.errorf("Expected %q in ISO8601 datetime, "+ - "but found %q instead.", f, r) - } + switch r { + case '-', 'T', ':', '.', 'Z', '+': + return lexDatetime } + + lx.backup() lx.emit(itemDatetime) return lx.pop() } -// lexNumberStart consumes either an integer or a float. It assumes that -// a negative sign has already been read, but that *no* digits have been -// consumed. lexNumberStart will move to the appropriate integer or float -// states. +// lexNumberStart consumes either an integer or a float. It assumes that a sign +// has already been read, but that *no* digits have been consumed. +// lexNumberStart will move to the appropriate integer or float states. func lexNumberStart(lx *lexer) stateFn { - // we MUST see a digit. Even floats have to start with a digit. + // We MUST see a digit. Even floats have to start with a digit. r := lx.next() if !isDigit(r) { if r == '.' { - return lx.errorf("Floats must start with a digit, not '.'.") - } else { - return lx.errorf("Expected a digit but got %q.", r) + return lx.errorf("floats must start with a digit, not '.'") } + return lx.errorf("expected a digit but got %q", r) } return lexNumber } @@ -699,11 +802,14 @@ func lexNumberStart(lx *lexer) stateFn { // lexNumber consumes an integer or a float after seeing the first digit. func lexNumber(lx *lexer) stateFn { r := lx.next() - switch { - case isDigit(r): + if isDigit(r) { return lexNumber - case r == '.': - return lexFloatStart + } + switch r { + case '_': + return lexNumber + case '.', 'e', 'E': + return lexFloat } lx.backup() @@ -711,60 +817,42 @@ func lexNumber(lx *lexer) stateFn { return lx.pop() } -// lexFloatStart starts the consumption of digits of a float after a '.'. -// Namely, at least one digit is required. -func lexFloatStart(lx *lexer) stateFn { - r := lx.next() - if !isDigit(r) { - return lx.errorf("Floats must have a digit after the '.', but got "+ - "%q instead.", r) - } - return lexFloat -} - -// lexFloat consumes the digits of a float after a '.'. -// Assumes that one digit has been consumed after a '.' already. +// lexFloat consumes the elements of a float. It allows any sequence of +// float-like characters, so floats emitted by the lexer are only a first +// approximation and must be validated by the parser. func lexFloat(lx *lexer) stateFn { r := lx.next() if isDigit(r) { return lexFloat } + switch r { + case '_', '.', '-', '+', 'e', 'E': + return lexFloat + } lx.backup() lx.emit(itemFloat) return lx.pop() } -// lexConst consumes the s[1:] in s. It assumes that s[0] has already been -// consumed. -func lexConst(lx *lexer, s string) stateFn { - for i := range s[1:] { - if r := lx.next(); r != rune(s[i+1]) { - return lx.errorf("Expected %q, but found %q instead.", s[:i+1], - s[:i]+string(r)) +// lexBool consumes a bool string: 'true' or 'false. +func lexBool(lx *lexer) stateFn { + var rs []rune + for { + r := lx.next() + if !unicode.IsLetter(r) { + lx.backup() + break } + rs = append(rs, r) } - return nil -} - -// lexTrue consumes the "rue" in "true". It assumes that 't' has already -// been consumed. -func lexTrue(lx *lexer) stateFn { - if fn := lexConst(lx, "true"); fn != nil { - return fn - } - lx.emit(itemBool) - return lx.pop() -} - -// lexFalse consumes the "alse" in "false". It assumes that 'f' has already -// been consumed. -func lexFalse(lx *lexer) stateFn { - if fn := lexConst(lx, "false"); fn != nil { - return fn + s := string(rs) + switch s { + case "true", "false": + lx.emit(itemBool) + return lx.pop() } - lx.emit(itemBool) - return lx.pop() + return lx.errorf("expected value but found %q instead", s) } // lexCommentStart begins the lexing of a comment. It will emit @@ -776,7 +864,7 @@ func lexCommentStart(lx *lexer) stateFn { } // lexComment lexes an entire comment. It assumes that '#' has been consumed. -// It will consume *up to* the first new line character, and pass control +// It will consume *up to* the first newline character, and pass control // back to the last state on the stack. func lexComment(lx *lexer) stateFn { r := lx.peek() @@ -834,13 +922,7 @@ func (itype itemType) String() string { return "EOF" case itemText: return "Text" - case itemString: - return "String" - case itemRawString: - return "String" - case itemMultilineString: - return "String" - case itemRawMultilineString: + case itemString, itemRawString, itemMultilineString, itemRawMultilineString: return "String" case itemBool: return "Bool" diff --git a/vendor/github.com/BurntSushi/toml/parse.go b/vendor/github.com/BurntSushi/toml/parse.go index 6a82e84f6..50869ef92 100644 --- a/vendor/github.com/BurntSushi/toml/parse.go +++ b/vendor/github.com/BurntSushi/toml/parse.go @@ -2,7 +2,6 @@ package toml import ( "fmt" - "log" "strconv" "strings" "time" @@ -81,7 +80,7 @@ func (p *parser) next() item { } func (p *parser) bug(format string, v ...interface{}) { - log.Panicf("BUG: %s\n\n", fmt.Sprintf(format, v...)) + panic(fmt.Sprintf("BUG: "+format+"\n\n", v...)) } func (p *parser) expect(typ itemType) item { @@ -179,10 +178,18 @@ func (p *parser) value(it item) (interface{}, tomlType) { } p.bug("Expected boolean value, but got '%s'.", it.val) case itemInteger: - num, err := strconv.ParseInt(it.val, 10, 64) + if !numUnderscoresOK(it.val) { + p.panicf("Invalid integer %q: underscores must be surrounded by digits", + it.val) + } + val := strings.Replace(it.val, "_", "", -1) + num, err := strconv.ParseInt(val, 10, 64) if err != nil { - // See comment below for floats describing why we make a - // distinction between a bug and a user error. + // Distinguish integer values. Normally, it'd be a bug if the lexer + // provides an invalid integer, but it's possible that the number is + // out of range of valid values (which the lexer cannot determine). + // So mark the former as a bug but the latter as a legitimate user + // error. if e, ok := err.(*strconv.NumError); ok && e.Err == strconv.ErrRange { @@ -194,29 +201,57 @@ func (p *parser) value(it item) (interface{}, tomlType) { } return num, p.typeOfPrimitive(it) case itemFloat: - num, err := strconv.ParseFloat(it.val, 64) + parts := strings.FieldsFunc(it.val, func(r rune) bool { + switch r { + case '.', 'e', 'E': + return true + } + return false + }) + for _, part := range parts { + if !numUnderscoresOK(part) { + p.panicf("Invalid float %q: underscores must be "+ + "surrounded by digits", it.val) + } + } + if !numPeriodsOK(it.val) { + // As a special case, numbers like '123.' or '1.e2', + // which are valid as far as Go/strconv are concerned, + // must be rejected because TOML says that a fractional + // part consists of '.' followed by 1+ digits. + p.panicf("Invalid float %q: '.' must be followed "+ + "by one or more digits", it.val) + } + val := strings.Replace(it.val, "_", "", -1) + num, err := strconv.ParseFloat(val, 64) if err != nil { - // Distinguish float values. Normally, it'd be a bug if the lexer - // provides an invalid float, but it's possible that the float is - // out of range of valid values (which the lexer cannot determine). - // So mark the former as a bug but the latter as a legitimate user - // error. - // - // This is also true for integers. if e, ok := err.(*strconv.NumError); ok && e.Err == strconv.ErrRange { p.panicf("Float '%s' is out of the range of 64-bit "+ "IEEE-754 floating-point numbers.", it.val) } else { - p.bug("Expected float value, but got '%s'.", it.val) + p.panicf("Invalid float value: %q", it.val) } } return num, p.typeOfPrimitive(it) case itemDatetime: - t, err := time.Parse("2006-01-02T15:04:05Z", it.val) - if err != nil { - p.panicf("Invalid RFC3339 Zulu DateTime: '%s'.", it.val) + var t time.Time + var ok bool + var err error + for _, format := range []string{ + "2006-01-02T15:04:05Z07:00", + "2006-01-02T15:04:05", + "2006-01-02", + } { + t, err = time.ParseInLocation(format, it.val, time.Local) + if err == nil { + ok = true + break + } + } + if !ok { + p.panicf("Invalid TOML Datetime: %q.", it.val) } return t, p.typeOfPrimitive(it) case itemArray: @@ -234,11 +269,75 @@ func (p *parser) value(it item) (interface{}, tomlType) { types = append(types, typ) } return array, p.typeOfArray(types) + case itemInlineTableStart: + var ( + hash = make(map[string]interface{}) + outerContext = p.context + outerKey = p.currentKey + ) + + p.context = append(p.context, p.currentKey) + p.currentKey = "" + for it := p.next(); it.typ != itemInlineTableEnd; it = p.next() { + if it.typ != itemKeyStart { + p.bug("Expected key start but instead found %q, around line %d", + it.val, p.approxLine) + } + if it.typ == itemCommentStart { + p.expect(itemText) + continue + } + + // retrieve key + k := p.next() + p.approxLine = k.line + kname := p.keyString(k) + + // retrieve value + p.currentKey = kname + val, typ := p.value(p.next()) + // make sure we keep metadata up to date + p.setType(kname, typ) + p.ordered = append(p.ordered, p.context.add(p.currentKey)) + hash[kname] = val + } + p.context = outerContext + p.currentKey = outerKey + return hash, tomlHash } p.bug("Unexpected value type: %s", it.typ) panic("unreachable") } +// numUnderscoresOK checks whether each underscore in s is surrounded by +// characters that are not underscores. +func numUnderscoresOK(s string) bool { + accept := false + for _, r := range s { + if r == '_' { + if !accept { + return false + } + accept = false + continue + } + accept = true + } + return accept +} + +// numPeriodsOK checks whether every period in s is followed by a digit. +func numPeriodsOK(s string) bool { + period := false + for _, r := range s { + if period && !isDigit(r) { + return false + } + period = r == '.' + } + return !period +} + // establishContext sets the current context of the parser, // where the context is either a hash or an array of hashes. Which one is // set depends on the value of the `array` parameter. diff --git a/vendor/github.com/BurntSushi/toml/type_fields.go b/vendor/github.com/BurntSushi/toml/type_fields.go index 6da608af4..608997c22 100644 --- a/vendor/github.com/BurntSushi/toml/type_fields.go +++ b/vendor/github.com/BurntSushi/toml/type_fields.go @@ -95,8 +95,8 @@ func typeFields(t reflect.Type) []field { if sf.PkgPath != "" && !sf.Anonymous { // unexported continue } - name, _ := getOptions(sf.Tag.Get("toml")) - if name == "-" { + opts := getOptions(sf.Tag) + if opts.skip { continue } index := make([]int, len(f.index)+1) @@ -110,8 +110,9 @@ func typeFields(t reflect.Type) []field { } // Record found field and index sequence. - if name != "" || !sf.Anonymous || ft.Kind() != reflect.Struct { - tagged := name != "" + if opts.name != "" || !sf.Anonymous || ft.Kind() != reflect.Struct { + tagged := opts.name != "" + name := opts.name if name == "" { name = sf.Name } diff --git a/vendor/github.com/containers/buildah/add.go b/vendor/github.com/containers/buildah/add.go index 589e090a8..b03aa65b2 100644 --- a/vendor/github.com/containers/buildah/add.go +++ b/vendor/github.com/containers/buildah/add.go @@ -14,6 +14,7 @@ import ( "github.com/containers/buildah/pkg/chrootuser" "github.com/containers/buildah/util" "github.com/containers/storage/pkg/archive" + "github.com/containers/storage/pkg/fileutils" "github.com/containers/storage/pkg/idtools" "github.com/containers/storage/pkg/system" "github.com/opencontainers/runtime-spec/specs-go" @@ -33,10 +34,14 @@ type AddAndCopyOptions struct { // If the sources include directory trees, Hasher will be passed // tar-format archives of the directory trees. Hasher io.Writer - // Exludes contents in the .dockerignore file + // Excludes is the contents of the .dockerignore file Excludes []string - // current directory on host + // The base directory for Excludes and data to copy in ContextDir string + // ID mapping options to use when contents to be copied are part of + // another container, and need ownerships to be mapped from the host to + // that container's values before copying them into the container. + IDMappingOptions *IDMappingOptions } // addURL copies the contents of the source URL to the destination. This is @@ -89,7 +94,10 @@ func addURL(destination, srcurl string, owner idtools.IDPair, hasher io.Writer) // filesystem, optionally extracting contents of local files that look like // non-empty archives. func (b *Builder) Add(destination string, extract bool, options AddAndCopyOptions, source ...string) error { - excludes := dockerIgnoreHelper(options.Excludes, options.ContextDir) + excludes, err := dockerIgnoreMatcher(options.Excludes, options.ContextDir) + if err != nil { + return err + } mountPoint, err := b.Mount(b.MountLabel) if err != nil { return err @@ -100,7 +108,7 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption } }() // Find out which user (and group) the destination should belong to. - user, err := b.user(mountPoint, options.Chown) + user, _, err := b.user(mountPoint, options.Chown) if err != nil { return err } @@ -112,6 +120,12 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption hostOwner := idtools.IDPair{UID: int(hostUID), GID: int(hostGID)} dest := mountPoint if destination != "" && filepath.IsAbs(destination) { + dir := filepath.Dir(destination) + if dir != "." && dir != "/" { + if err = idtools.MkdirAllAndChownNew(filepath.Join(dest, dir), 0755, hostOwner); err != nil { + return errors.Wrapf(err, "error creating directory %q", filepath.Join(dest, dir)) + } + } dest = filepath.Join(dest, destination) } else { if err = idtools.MkdirAllAndChownNew(filepath.Join(dest, b.WorkDir()), 0755, hostOwner); err != nil { @@ -142,8 +156,8 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption if len(source) > 1 && (destfi == nil || !destfi.IsDir()) { return errors.Errorf("destination %q is not a directory", dest) } - copyFileWithTar := b.copyFileWithTar(&containerOwner, options.Hasher) - copyWithTar := b.copyWithTar(&containerOwner, options.Hasher) + copyFileWithTar := b.copyFileWithTar(options.IDMappingOptions, &containerOwner, options.Hasher) + copyWithTar := b.copyWithTar(options.IDMappingOptions, &containerOwner, options.Hasher) untarPath := b.untarPath(nil, options.Hasher) err = addHelper(excludes, extract, dest, destfi, hostOwner, options, copyFileWithTar, copyWithTar, untarPath, source...) if err != nil { @@ -153,12 +167,12 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption } // user returns the user (and group) information which the destination should belong to. -func (b *Builder) user(mountPoint string, userspec string) (specs.User, error) { +func (b *Builder) user(mountPoint string, userspec string) (specs.User, string, error) { if userspec == "" { userspec = b.User() } - uid, gid, err := chrootuser.GetUser(mountPoint, userspec) + uid, gid, homeDir, err := chrootuser.GetUser(mountPoint, userspec) u := specs.User{ UID: uid, GID: gid, @@ -175,45 +189,48 @@ func (b *Builder) user(mountPoint string, userspec string) (specs.User, error) { } } - return u, err + return u, homeDir, err } -// dockerIgnore struct keep info from .dockerignore -type dockerIgnore struct { - ExcludePath string - IsExcluded bool -} - -// dockerIgnoreHelper returns the lines from .dockerignore file without the comments -// and reverses the order -func dockerIgnoreHelper(lines []string, contextDir string) []dockerIgnore { - var excludes []dockerIgnore - // the last match of a file in the .dockerignmatches determines whether it is included or excluded - // reverse the order - for i := len(lines) - 1; i >= 0; i-- { - exclude := lines[i] - // ignore the comment in .dockerignore - if strings.HasPrefix(exclude, "#") || len(exclude) == 0 { +// dockerIgnoreMatcher returns a matcher based on the contents of the .dockerignore file under contextDir +func dockerIgnoreMatcher(lines []string, contextDir string) (*fileutils.PatternMatcher, error) { + // if there's no context dir, there's no .dockerignore file to consult + if contextDir == "" { + return nil, nil + } + patterns := []string{".dockerignore"} + for _, ignoreSpec := range lines { + ignoreSpec = strings.TrimSpace(ignoreSpec) + // ignore comments passed back from .dockerignore + if ignoreSpec == "" || ignoreSpec[0] == '#' { continue } - excludeFlag := true - if strings.HasPrefix(exclude, "!") { - exclude = strings.TrimPrefix(exclude, "!") - excludeFlag = false + // if the spec starts with '!' it means the pattern + // should be included. make a note so that we can move + // it to the front of the updated pattern + includeFlag := "" + if strings.HasPrefix(ignoreSpec, "!") { + includeFlag = "!" + ignoreSpec = ignoreSpec[1:] + } + if ignoreSpec == "" { + continue } - excludes = append(excludes, dockerIgnore{ExcludePath: filepath.Join(contextDir, exclude), IsExcluded: excludeFlag}) + patterns = append(patterns, includeFlag+filepath.Join(contextDir, ignoreSpec)) } - if len(excludes) != 0 { - excludes = append(excludes, dockerIgnore{ExcludePath: filepath.Join(contextDir, ".dockerignore"), IsExcluded: true}) + // if there are no patterns, save time by not constructing the object + if len(patterns) == 0 { + return nil, nil } - return excludes -} - -func addHelper(excludes []dockerIgnore, extract bool, dest string, destfi os.FileInfo, hostOwner idtools.IDPair, options AddAndCopyOptions, copyFileWithTar, copyWithTar, untarPath func(src, dest string) error, source ...string) error { - dirsInDockerignore, err := getDirsInDockerignore(options.ContextDir, excludes) + // return a matcher object + matcher, err := fileutils.NewPatternMatcher(patterns) if err != nil { - return errors.Wrapf(err, "error checking directories in .dockerignore") + return nil, errors.Wrapf(err, "error creating file matcher using patterns %v", patterns) } + return matcher, nil +} + +func addHelper(excludes *fileutils.PatternMatcher, extract bool, dest string, destfi os.FileInfo, hostOwner idtools.IDPair, options AddAndCopyOptions, copyFileWithTar, copyWithTar, untarPath func(src, dest string) error, source ...string) error { for _, src := range source { if strings.HasPrefix(src, "http://") || strings.HasPrefix(src, "https://") { // We assume that source is a file, and we're copying @@ -242,7 +259,7 @@ func addHelper(excludes []dockerIgnore, extract bool, dest string, destfi os.Fil if len(glob) == 0 { return errors.Wrapf(syscall.ENOENT, "no files found matching %q", src) } - outer: + for _, gsrc := range glob { esrc, err := filepath.EvalSymlinks(gsrc) if err != nil { @@ -261,7 +278,7 @@ func addHelper(excludes []dockerIgnore, extract bool, dest string, destfi os.Fil return errors.Wrapf(err, "error creating directory %q", dest) } logrus.Debugf("copying %q to %q", esrc+string(os.PathSeparator)+"*", dest+string(os.PathSeparator)+"*") - if len(excludes) == 0 { + if excludes == nil { if err = copyWithTar(esrc, dest); err != nil { return errors.Wrapf(err, "error copying %q to %q", esrc, dest) } @@ -271,23 +288,12 @@ func addHelper(excludes []dockerIgnore, extract bool, dest string, destfi os.Fil if err != nil { return err } - for _, exclude := range excludes { - match, err := filepath.Match(filepath.Clean(exclude.ExcludePath), filepath.Clean(path)) - if err != nil { - return err - } - prefix, exist := dirsInDockerignore[exclude.ExcludePath] - hasPrefix := false - if exist { - hasPrefix = filepath.HasPrefix(path, prefix) - } - if !(match || hasPrefix) { - continue - } - if (hasPrefix && exclude.IsExcluded) || (match && exclude.IsExcluded) { - return nil - } - break + skip, err := excludes.Matches(path) + if err != nil { + return errors.Wrapf(err, "error checking if %s is an excluded path", path) + } + if skip { + return nil } // combine the filename with the dest directory fpath, err := filepath.Rel(esrc, path) @@ -297,8 +303,8 @@ func addHelper(excludes []dockerIgnore, extract bool, dest string, destfi os.Fil mtime := info.ModTime() atime := mtime times := []syscall.Timespec{ - {Sec: atime.Unix(), Nsec: atime.UnixNano() % 1000000000}, - {Sec: mtime.Unix(), Nsec: mtime.UnixNano() % 1000000000}, + syscall.NsecToTimespec(atime.Unix()), + syscall.NsecToTimespec(mtime.Unix()), } if info.IsDir() { return addHelperDirectory(esrc, path, filepath.Join(dest, fpath), info, hostOwner, times) @@ -320,20 +326,6 @@ func addHelper(excludes []dockerIgnore, extract bool, dest string, destfi os.Fil continue } - for _, exclude := range excludes { - match, err := filepath.Match(filepath.Clean(exclude.ExcludePath), esrc) - if err != nil { - return err - } - if !match { - continue - } - if exclude.IsExcluded { - continue outer - } - break - } - if !extract || !archive.IsArchivePath(esrc) { // This source is a file, and either it's not an // archive, or we don't care whether or not it's an @@ -349,6 +341,7 @@ func addHelper(excludes []dockerIgnore, extract bool, dest string, destfi os.Fil } continue } + // We're extracting an archive into the destination directory. logrus.Debugf("extracting contents of %q into %q", esrc, dest) if err = untarPath(esrc, dest); err != nil { @@ -381,7 +374,15 @@ func addHelperSymlink(src, dest string, info os.FileInfo, hostOwner idtools.IDPa return errors.Wrapf(err, "error reading contents of symbolic link at %q", src) } if err = os.Symlink(linkContents, dest); err != nil { - return errors.Wrapf(err, "error creating symbolic link to %q at %q", linkContents, dest) + if !os.IsExist(err) { + return errors.Wrapf(err, "error creating symbolic link to %q at %q", linkContents, dest) + } + if err = os.RemoveAll(dest); err != nil { + return errors.Wrapf(err, "error clearing symbolic link target %q", dest) + } + if err = os.Symlink(linkContents, dest); err != nil { + return errors.Wrapf(err, "error creating symbolic link to %q at %q (second try)", linkContents, dest) + } } if err = idtools.SafeLchown(dest, hostOwner.UID, hostOwner.GID); err != nil { return errors.Wrapf(err, "error setting owner of symbolic link %q to %d:%d", dest, hostOwner.UID, hostOwner.GID) @@ -392,35 +393,3 @@ func addHelperSymlink(src, dest string, info os.FileInfo, hostOwner idtools.IDPa logrus.Debugf("Symlink(%s, %s)", linkContents, dest) return nil } - -func getDirsInDockerignore(srcAbsPath string, excludes []dockerIgnore) (map[string]string, error) { - visitedDir := make(map[string]string) - if len(excludes) == 0 { - return visitedDir, nil - } - err := filepath.Walk(srcAbsPath, func(path string, info os.FileInfo, err error) error { - if err != nil { - return err - } - if info.IsDir() { - for _, exclude := range excludes { - match, err := filepath.Match(filepath.Clean(exclude.ExcludePath), filepath.Clean(path)) - if err != nil { - return err - } - if !match { - continue - } - if _, exist := visitedDir[exclude.ExcludePath]; exist { - continue - } - visitedDir[exclude.ExcludePath] = path - } - } - return nil - }) - if err != nil { - return visitedDir, err - } - return visitedDir, nil -} diff --git a/vendor/github.com/containers/buildah/buildah.go b/vendor/github.com/containers/buildah/buildah.go index 33b7afccd..b97e048cc 100644 --- a/vendor/github.com/containers/buildah/buildah.go +++ b/vendor/github.com/containers/buildah/buildah.go @@ -26,7 +26,7 @@ const ( Package = "buildah" // Version for the Package. Bump version in contrib/rpm/buildah.spec // too. - Version = "1.9.0-dev" + Version = "1.8.4" // The value we use to identify what type of information, currently a // serialized Builder structure, we are using as per-container state. // This should only be changed when we make incompatible changes to diff --git a/vendor/github.com/containers/buildah/chroot/run.go b/vendor/github.com/containers/buildah/chroot/run.go index c65926c8e..ae60d9bbe 100644 --- a/vendor/github.com/containers/buildah/chroot/run.go +++ b/vendor/github.com/containers/buildah/chroot/run.go @@ -84,9 +84,18 @@ type runUsingChrootExecSubprocOptions struct { // RunUsingChroot runs a chrooted process, using some of the settings from the // passed-in spec, and using the specified bundlePath to hold temporary files, // directories, and mountpoints. -func RunUsingChroot(spec *specs.Spec, bundlePath string, stdin io.Reader, stdout, stderr io.Writer) (err error) { +func RunUsingChroot(spec *specs.Spec, bundlePath, homeDir string, stdin io.Reader, stdout, stderr io.Writer) (err error) { var confwg sync.WaitGroup - + var homeFound bool + for _, env := range spec.Process.Env { + if strings.HasPrefix(env, "HOME=") { + homeFound = true + break + } + } + if !homeFound { + spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("HOME=%s", homeDir)) + } runtime.LockOSThread() defer runtime.UnlockOSThread() @@ -211,7 +220,6 @@ func runUsingChrootMain() { var stdout io.Writer var stderr io.Writer fdDesc := make(map[int]string) - deferred := func() {} if options.Spec.Process.Terminal { // Create a pseudo-terminal -- open a copy of the master side. ptyMasterFd, err := unix.Open("/dev/ptmx", os.O_RDWR, 0600) @@ -361,12 +369,16 @@ func runUsingChrootMain() { return } } + if err := unix.SetNonblock(relays[unix.Stdin], true); err != nil { + logrus.Errorf("error setting %d to nonblocking: %v", relays[unix.Stdin], err) + } go func() { buffers := make(map[int]*bytes.Buffer) for _, writeFd := range relays { buffers[writeFd] = new(bytes.Buffer) } pollTimeout := -1 + stdinClose := false for len(relays) > 0 { fds := make([]unix.PollFd, 0, len(relays)) for fd := range relays { @@ -386,6 +398,9 @@ func runUsingChrootMain() { removeFds[int(rfd.Fd)] = struct{}{} } if rfd.Revents&unix.POLLIN == 0 { + if stdinClose && stdinCopy == nil { + continue + } continue } b := make([]byte, 8192) @@ -440,8 +455,19 @@ func runUsingChrootMain() { if buffer.Len() > 0 { pollTimeout = 100 } + if wfd == relays[unix.Stdin] && stdinClose && buffer.Len() == 0 { + stdinCopy.Close() + delete(relays, unix.Stdin) + } } for rfd := range removeFds { + if rfd == unix.Stdin { + buffer, found := buffers[relays[unix.Stdin]] + if found && buffer.Len() > 0 { + stdinClose = true + continue + } + } if !options.Spec.Process.Terminal && rfd == unix.Stdin { stdinCopy.Close() } @@ -452,7 +478,6 @@ func runUsingChrootMain() { // Set up mounts and namespaces, and run the parent subprocess. status, err := runUsingChroot(options.Spec, options.BundlePath, ctty, stdin, stdout, stderr, closeOnceRunning) - deferred() if err != nil { fmt.Fprintf(os.Stderr, "error running subprocess: %v\n", err) os.Exit(1) diff --git a/vendor/github.com/containers/buildah/config.go b/vendor/github.com/containers/buildah/config.go index 05b0abb23..234f93259 100644 --- a/vendor/github.com/containers/buildah/config.go +++ b/vendor/github.com/containers/buildah/config.go @@ -3,7 +3,6 @@ package buildah import ( "context" "encoding/json" - "os" "runtime" "strings" "time" @@ -269,21 +268,11 @@ func (b *Builder) Env() []string { // built using an image built from this container. func (b *Builder) SetEnv(k string, v string) { reset := func(s *[]string) { - getenv := func(name string) string { - for i := range *s { - val := strings.SplitN((*s)[i], "=", 2) - if len(val) == 2 && val[0] == name { - return val[1] - } - } - return name - } n := []string{} for i := range *s { if !strings.HasPrefix((*s)[i], k+"=") { n = append(n, (*s)[i]) } - v = os.Expand(v, getenv) } n = append(n, k+"="+v) *s = n diff --git a/vendor/github.com/containers/buildah/image.go b/vendor/github.com/containers/buildah/image.go index 215920cc3..dc2d323d4 100644 --- a/vendor/github.com/containers/buildah/image.go +++ b/vendor/github.com/containers/buildah/image.go @@ -707,7 +707,7 @@ func (b *Builder) makeImageRef(options CommitOptions, exporting bool) (types.Ima exporting: exporting, squash: options.Squash, emptyLayer: options.EmptyLayer, - tarPath: b.tarPath(), + tarPath: b.tarPath(&b.IDMappingOptions), parent: parent, blobDirectory: options.BlobDirectory, preEmptyLayers: b.PrependedEmptyLayers, diff --git a/vendor/github.com/containers/buildah/imagebuildah/build.go b/vendor/github.com/containers/buildah/imagebuildah/build.go index b8b9db0f3..20d6715f5 100644 --- a/vendor/github.com/containers/buildah/imagebuildah/build.go +++ b/vendor/github.com/containers/buildah/imagebuildah/build.go @@ -27,7 +27,7 @@ import ( "github.com/containers/image/types" "github.com/containers/storage" "github.com/containers/storage/pkg/archive" - "github.com/cyphar/filepath-securejoin" + securejoin "github.com/cyphar/filepath-securejoin" docker "github.com/fsouza/go-dockerclient" v1 "github.com/opencontainers/image-spec/specs-go/v1" "github.com/opencontainers/runtime-spec/specs-go" @@ -210,7 +210,6 @@ type Executor struct { annotations []string onbuild []string layers bool - topLayers []string useCache bool removeIntermediateCtrs bool forceRmIntermediateCtrs bool @@ -487,6 +486,7 @@ func (s *StageExecutor) Copy(excludes []string, copies ...imagebuilder.Copy) err // Check the file and see if part of it is a symlink. // Convert it to the target if so. To be ultrasafe // do the same for the mountpoint. + hadFinalPathSeparator := len(copy.Dest) > 0 && copy.Dest[len(copy.Dest)-1] == os.PathSeparator secureMountPoint, err := securejoin.SecureJoin("", s.mountPoint) finalPath, err := securejoin.SecureJoin(secureMountPoint, copy.Dest) if err != nil { @@ -496,6 +496,11 @@ func (s *StageExecutor) Copy(excludes []string, copies ...imagebuilder.Copy) err return errors.Wrapf(err, "error resolving copy destination %s", copy.Dest) } copy.Dest = strings.TrimPrefix(finalPath, secureMountPoint) + if len(copy.Dest) == 0 || copy.Dest[len(copy.Dest)-1] != os.PathSeparator { + if hadFinalPathSeparator { + copy.Dest += string(os.PathSeparator) + } + } if copy.Download { logrus.Debugf("ADD %#v, %#v", excludes, copy) @@ -507,29 +512,61 @@ func (s *StageExecutor) Copy(excludes []string, copies ...imagebuilder.Copy) err } sources := []string{} for _, src := range copy.Src { + contextDir := s.executor.contextDir + copyExcludes := excludes + var idMappingOptions *buildah.IDMappingOptions if strings.HasPrefix(src, "http://") || strings.HasPrefix(src, "https://") { sources = append(sources, src) } else if len(copy.From) > 0 { + var srcRoot string if other, ok := s.executor.stages[copy.From]; ok && other.index < s.index { - sources = append(sources, filepath.Join(other.mountPoint, src)) + srcRoot = other.mountPoint + contextDir = other.mountPoint + idMappingOptions = &other.builder.IDMappingOptions } else if builder, ok := s.executor.containerMap[copy.From]; ok { - sources = append(sources, filepath.Join(builder.MountPoint, src)) + srcRoot = builder.MountPoint + contextDir = builder.MountPoint + idMappingOptions = &builder.IDMappingOptions } else { return errors.Errorf("the stage %q has not been built", copy.From) } + srcSecure, err := securejoin.SecureJoin(srcRoot, src) + if err != nil { + return err + } + // If destination is a folder, we need to take extra care to + // ensure that files are copied with correct names (since + // resolving a symlink may result in a different name). + if hadFinalPathSeparator { + _, srcName := filepath.Split(src) + _, srcNameSecure := filepath.Split(srcSecure) + if srcName != srcNameSecure { + options := buildah.AddAndCopyOptions{ + Chown: copy.Chown, + ContextDir: contextDir, + Excludes: copyExcludes, + } + if err := s.builder.Add(filepath.Join(copy.Dest, srcName), copy.Download, options, srcSecure); err != nil { + return err + } + continue + } + } + sources = append(sources, srcSecure) + } else { sources = append(sources, filepath.Join(s.executor.contextDir, src)) + copyExcludes = append(s.executor.excludes, excludes...) + } + options := buildah.AddAndCopyOptions{ + Chown: copy.Chown, + ContextDir: contextDir, + Excludes: copyExcludes, + IDMappingOptions: idMappingOptions, + } + if err := s.builder.Add(copy.Dest, copy.Download, options, sources...); err != nil { + return err } - } - - options := buildah.AddAndCopyOptions{ - Chown: copy.Chown, - ContextDir: s.executor.contextDir, - Excludes: s.executor.excludes, - } - - if err := s.builder.Add(copy.Dest, copy.Download, options, sources...); err != nil { - return err } } return nil @@ -590,7 +627,11 @@ func (s *StageExecutor) Run(run imagebuilder.Run, config docker.Config) error { args := run.Args if run.Shell { - args = append([]string{"/bin/sh", "-c"}, args...) + if len(config.Shell) > 0 && s.builder.Format == buildah.Dockerv2ImageManifest { + args = append(config.Shell, args...) + } else { + args = append([]string{"/bin/sh", "-c"}, args...) + } } if err := s.volumeCacheSave(); err != nil { return err @@ -847,9 +888,6 @@ func (s *StageExecutor) prepare(ctx context.Context, stage imagebuilder.Stage, f // Make this our "current" working container. s.mountPoint = mountPoint s.builder = builder - // Add the top layer of this image to b.topLayers so we can - // keep track of them when building with cached images. - s.executor.topLayers = append(s.executor.topLayers, builder.TopLayer) } logrus.Debugln("Container ID:", builder.ContainerID) return builder, nil @@ -954,7 +992,7 @@ func (s *StageExecutor) Execute(ctx context.Context, stage imagebuilder.Stage, b } logImageID := func(imgID string) { if s.executor.iidfile == "" { - fmt.Fprintf(s.executor.out, "--> %s\n", imgID) + fmt.Fprintf(s.executor.out, "%s\n", imgID) } } @@ -972,7 +1010,7 @@ func (s *StageExecutor) Execute(ctx context.Context, stage imagebuilder.Stage, b // We don't need to squash the base image, so just // reuse the base image. logCommit(s.output, -1) - if imgID, ref, err = s.copyExistingImage(ctx, s.builder.FromImageID, s.output); err != nil { + if imgID, ref, err = s.tagExistingImage(ctx, s.builder.FromImageID, s.output); err != nil { return "", nil, err } } @@ -1097,7 +1135,7 @@ func (s *StageExecutor) Execute(ctx context.Context, stage imagebuilder.Stage, b imgID = cacheID if commitName != "" { logCommit(commitName, i) - if imgID, ref, err = s.copyExistingImage(ctx, cacheID, commitName); err != nil { + if imgID, ref, err = s.tagExistingImage(ctx, cacheID, commitName); err != nil { return "", nil, err } logImageID(imgID) @@ -1166,8 +1204,8 @@ func (s *StageExecutor) Execute(ctx context.Context, stage imagebuilder.Stage, b return imgID, ref, nil } -// copyExistingImage creates a copy of an image already in the store -func (s *StageExecutor) copyExistingImage(ctx context.Context, cacheID, output string) (string, reference.Canonical, error) { +// tagExistingImage adds names to an image already in the store +func (s *StageExecutor) tagExistingImage(ctx context.Context, cacheID, output string) (string, reference.Canonical, error) { // If we don't need to attach a name to the image, just return the cache ID. if output == "" { return cacheID, nil, nil @@ -1234,11 +1272,11 @@ func (s *StageExecutor) layerExists(ctx context.Context, currNode *parser.Node, return "", errors.Wrapf(err, "error getting top layer info") } } - // If the parent of the top layer of an image is equal to the last entry in b.topLayers + // If the parent of the top layer of an image is equal to the current build image's top layer, // it means that this image is potentially a cached intermediate image from a previous // build. Next we double check that the history of this image is equivalent to the previous // lines in the Dockerfile up till the point we are at in the build. - if imageTopLayer == nil || imageTopLayer.Parent == s.executor.topLayers[len(s.executor.topLayers)-1] || imageTopLayer.ID == s.executor.topLayers[len(s.executor.topLayers)-1] { + if imageTopLayer == nil || (s.builder.TopLayer != "" && (imageTopLayer.Parent == s.builder.TopLayer || imageTopLayer.ID == s.builder.TopLayer)) { history, err := s.executor.getImageHistory(ctx, image.ID) if err != nil { return "", errors.Wrapf(err, "error getting history of %q", image.ID) @@ -1327,26 +1365,8 @@ func (b *Executor) historyMatches(baseHistory []v1.History, child *parser.Node, return false } } - instruction := child.Original - switch strings.ToUpper(child.Value) { - case "RUN": - instruction = instruction[4:] - buildArgs := b.getBuildArgs() - // If a previous image was built with some build-args but the new build process doesn't have any build-args - // specified, the command might be expanded differently, so compare the lengths of the old instruction with - // the current one. 11 is the length of "/bin/sh -c " that is used to run the run commands. - if buildArgs == "" && len(history[len(baseHistory)].CreatedBy) > len(instruction)+11 { - return false - } - // There are build-args, so check if anything with the build-args has changed - if buildArgs != "" && !strings.Contains(history[len(baseHistory)].CreatedBy, buildArgs) { - return false - } - fallthrough - default: - if !strings.Contains(history[len(baseHistory)].CreatedBy, instruction) { - return false - } + if history[len(baseHistory)].CreatedBy != b.getCreatedBy(child) { + return false } return true } @@ -1360,6 +1380,7 @@ func (b *Executor) getBuildArgs() string { buildArgs = append(buildArgs, k+"="+v) } } + sort.Strings(buildArgs) return strings.Join(buildArgs, " ") } @@ -1532,7 +1553,6 @@ func (s *StageExecutor) commit(ctx context.Context, ib *imagebuilder.Builder, cr options := buildah.CommitOptions{ Compression: s.executor.compression, SignaturePolicyPath: s.executor.signaturePolicyPath, - AdditionalTags: s.executor.additionalTags, ReportWriter: writer, PreferredManifestType: s.executor.outputFormat, SystemContext: s.executor.systemContext, @@ -1718,6 +1738,24 @@ func (b *Executor) Build(ctx context.Context, stages imagebuilder.Stages) (image fmt.Fprintf(b.out, "[Warning] one or more build args were not consumed: %v\n", unusedList) } + if len(b.additionalTags) > 0 { + if dest, err := b.resolveNameToImageRef(b.output); err == nil { + switch dest.Transport().Name() { + case is.Transport.Name(): + img, err := is.Transport.GetStoreImage(b.store, dest) + if err != nil { + return imageID, ref, errors.Wrapf(err, "error locating just-written image %q", transports.ImageName(dest)) + } + if err = util.AddImageNames(b.store, "", b.systemContext, img, b.additionalTags); err != nil { + return imageID, ref, errors.Wrapf(err, "error setting image names to %v", append(img.Names, b.additionalTags...)) + } + logrus.Debugf("assigned names %v to image %q", img.Names, img.ID) + default: + logrus.Warnf("don't know how to add tags to images stored in %q transport", dest.Transport().Name()) + } + } + } + if err := cleanup(); err != nil { return "", nil, err } diff --git a/vendor/github.com/containers/buildah/imagebuildah/util.go b/vendor/github.com/containers/buildah/imagebuildah/util.go index f982fcebf..3962d1a9d 100644 --- a/vendor/github.com/containers/buildah/imagebuildah/util.go +++ b/vendor/github.com/containers/buildah/imagebuildah/util.go @@ -17,7 +17,7 @@ import ( ) func cloneToDirectory(url, dir string) error { - if !strings.HasPrefix(url, "git://") { + if !strings.HasPrefix(url, "git://") && !strings.HasSuffix(url, ".git") { url = "git://" + url } logrus.Debugf("cloning %q to %q", url, dir) @@ -72,7 +72,7 @@ func TempDirForURL(dir, prefix, url string) (name string, subdir string, err err if err != nil { return "", "", errors.Wrapf(err, "error creating temporary directory for %q", url) } - if strings.HasPrefix(url, "git://") { + if strings.HasPrefix(url, "git://") || strings.HasSuffix(url, ".git") { err = cloneToDirectory(url, name) if err != nil { if err2 := os.Remove(name); err2 != nil { diff --git a/vendor/github.com/containers/buildah/pkg/chrootuser/user.go b/vendor/github.com/containers/buildah/pkg/chrootuser/user.go index c83dcc230..26a67c35a 100644 --- a/vendor/github.com/containers/buildah/pkg/chrootuser/user.go +++ b/vendor/github.com/containers/buildah/pkg/chrootuser/user.go @@ -18,7 +18,7 @@ var ( // it will use the /etc/passwd and /etc/group files inside of the rootdir // to return this information. // userspec format [user | user:group | uid | uid:gid | user:gid | uid:group ] -func GetUser(rootdir, userspec string) (uint32, uint32, error) { +func GetUser(rootdir, userspec string) (uint32, uint32, string, error) { var gid64 uint64 var gerr error = user.UnknownGroupError("error looking up group") @@ -26,7 +26,7 @@ func GetUser(rootdir, userspec string) (uint32, uint32, error) { userspec = spec[0] groupspec := "" if userspec == "" { - return 0, 0, nil + return 0, 0, "/", nil } if len(spec) > 1 { groupspec = spec[1] @@ -65,15 +65,21 @@ func GetUser(rootdir, userspec string) (uint32, uint32, error) { } } + homedir, err := lookupHomedirInContainer(rootdir, uid64) + if err != nil { + homedir = "/" + } + if uerr == nil && gerr == nil { - return uint32(uid64), uint32(gid64), nil + return uint32(uid64), uint32(gid64), homedir, nil } - err := errors.Wrapf(uerr, "error determining run uid") + err = errors.Wrapf(uerr, "error determining run uid") if uerr == nil { err = errors.Wrapf(gerr, "error determining run gid") } - return 0, 0, err + + return 0, 0, homedir, err } // GetGroup returns the gid by looking it up in the /etc/group file diff --git a/vendor/github.com/containers/buildah/pkg/chrootuser/user_basic.go b/vendor/github.com/containers/buildah/pkg/chrootuser/user_basic.go index 79b0b24b5..6c997c4c9 100644 --- a/vendor/github.com/containers/buildah/pkg/chrootuser/user_basic.go +++ b/vendor/github.com/containers/buildah/pkg/chrootuser/user_basic.go @@ -25,3 +25,7 @@ func lookupAdditionalGroupsForUIDInContainer(rootdir string, userid uint64) (gid func lookupUIDInContainer(rootdir string, uid uint64) (string, uint64, error) { return "", 0, errors.New("UID lookup not supported") } + +func lookupHomedirInContainer(rootdir string, uid uint64) (string, error) { + return "", errors.New("Home directory lookup not supported") +} diff --git a/vendor/github.com/containers/buildah/pkg/chrootuser/user_linux.go b/vendor/github.com/containers/buildah/pkg/chrootuser/user_linux.go index 583eca569..ea20fca80 100644 --- a/vendor/github.com/containers/buildah/pkg/chrootuser/user_linux.go +++ b/vendor/github.com/containers/buildah/pkg/chrootuser/user_linux.go @@ -84,6 +84,7 @@ type lookupPasswdEntry struct { name string uid uint64 gid uint64 + home string } type lookupGroupEntry struct { name string @@ -135,6 +136,7 @@ func parseNextPasswd(rc *bufio.Reader) *lookupPasswdEntry { name: fields[0], uid: uid, gid: gid, + home: fields[5], } } @@ -291,3 +293,29 @@ func lookupUIDInContainer(rootdir string, uid uint64) (string, uint64, error) { return "", 0, user.UnknownUserError(fmt.Sprintf("error looking up uid %q", uid)) } + +func lookupHomedirInContainer(rootdir string, uid uint64) (string, error) { + cmd, f, err := openChrootedFile(rootdir, "/etc/passwd") + if err != nil { + return "", err + } + defer func() { + _ = cmd.Wait() + }() + rc := bufio.NewReader(f) + defer f.Close() + + lookupUser.Lock() + defer lookupUser.Unlock() + + pwd := parseNextPasswd(rc) + for pwd != nil { + if pwd.uid != uid { + pwd = parseNextPasswd(rc) + continue + } + return pwd.home, nil + } + + return "", user.UnknownUserError(fmt.Sprintf("error looking up uid %q for homedir", uid)) +} diff --git a/vendor/github.com/containers/buildah/pkg/overlay/overlay.go b/vendor/github.com/containers/buildah/pkg/overlay/overlay.go index 31f0c2cec..14d29a25b 100644 --- a/vendor/github.com/containers/buildah/pkg/overlay/overlay.go +++ b/vendor/github.com/containers/buildah/pkg/overlay/overlay.go @@ -2,6 +2,7 @@ package overlay import ( "fmt" + "io/ioutil" "os" "path/filepath" "strings" @@ -15,13 +16,27 @@ import ( // MountTemp creates a subdir of the contentDir based on the source directory // from the source system. It then mounds up the source directory on to the // generated mount point and returns the mount point to the caller. -func MountTemp(store storage.Store, containerId, source, dest string, rootUID, rootGID int) (specs.Mount, string, error) { - mount := specs.Mount{} +func MountTemp(store storage.Store, containerId, source, dest string, rootUID, rootGID int) (mount specs.Mount, contentDir string, Err error) { - contentDir, err := store.ContainerDirectory(containerId) + containerDir, err := store.ContainerDirectory(containerId) if err != nil { return mount, "", err } + contentDir = filepath.Join(containerDir, "overlay") + if err := idtools.MkdirAllAs(contentDir, 0700, rootUID, rootGID); err != nil { + return mount, "", errors.Wrapf(err, "failed to create the overlay %s directory", contentDir) + } + + contentDir, err = ioutil.TempDir(contentDir, "") + if err != nil { + return mount, "", errors.Wrapf(err, "failed to create TempDir in the overlay %s directory", contentDir) + } + defer func() { + if Err != nil { + os.RemoveAll(contentDir) + } + }() + upperDir := filepath.Join(contentDir, "upper") workDir := filepath.Join(contentDir, "work") if err := idtools.MkdirAllAs(upperDir, 0700, rootUID, rootGID); err != nil { @@ -44,3 +59,13 @@ func MountTemp(store storage.Store, containerId, source, dest string, rootUID, r func RemoveTemp(contentDir string) error { return os.RemoveAll(contentDir) } + +// CleanupContent removes all temporary mountpoint and all content from +// directory +func CleanupContent(containerDir string) (Err error) { + contentDir := filepath.Join(containerDir, "overlay") + if err := os.RemoveAll(contentDir); err != nil && !os.IsNotExist(err) { + return errors.Wrapf(err, "failed to cleanup overlay %s directory", contentDir) + } + return nil +} diff --git a/vendor/github.com/containers/buildah/pkg/parse/parse.go b/vendor/github.com/containers/buildah/pkg/parse/parse.go index 6c58f1194..61e70cdd3 100644 --- a/vendor/github.com/containers/buildah/pkg/parse/parse.go +++ b/vendor/github.com/containers/buildah/pkg/parse/parse.go @@ -37,6 +37,7 @@ func CommonBuildOptions(c *cobra.Command) (*buildah.CommonBuildOptions, error) { var ( memoryLimit int64 memorySwap int64 + noDNS bool err error ) @@ -67,9 +68,26 @@ func CommonBuildOptions(c *cobra.Command) (*buildah.CommonBuildOptions, error) { } } + noDNS = false dnsServers, _ := c.Flags().GetStringSlice("dns") + for _, server := range dnsServers { + if strings.ToLower(server) == "none" { + noDNS = true + } + } + if noDNS && len(dnsServers) > 1 { + return nil, errors.Errorf("invalid --dns, --dns=none may not be used with any other --dns options") + } + dnsSearch, _ := c.Flags().GetStringSlice("dns-search") + if noDNS && len(dnsSearch) > 0 { + return nil, errors.Errorf("invalid --dns-search, --dns-search may not be used with --dns=none") + } + dnsOptions, _ := c.Flags().GetStringSlice("dns-option") + if noDNS && len(dnsOptions) > 0 { + return nil, errors.Errorf("invalid --dns-option, --dns-option may not be used with --dns=none") + } if _, err := units.FromHumanSize(c.Flag("shm-size").Value.String()); err != nil { return nil, errors.Wrapf(err, "invalid --shm-size") @@ -80,7 +98,7 @@ func CommonBuildOptions(c *cobra.Command) (*buildah.CommonBuildOptions, error) { } cpuPeriod, _ := c.Flags().GetUint64("cpu-period") cpuQuota, _ := c.Flags().GetInt64("cpu-quota") - cpuShares, _ := c.Flags().GetUint64("cpu-shared") + cpuShares, _ := c.Flags().GetUint64("cpu-shares") httpProxy, _ := c.Flags().GetBool("http-proxy") ulimit, _ := c.Flags().GetStringSlice("ulimit") commonOpts := &buildah.CommonBuildOptions{ diff --git a/vendor/github.com/containers/buildah/pkg/secrets/secrets.go b/vendor/github.com/containers/buildah/pkg/secrets/secrets.go index 97b681125..70bd6a4b7 100644 --- a/vendor/github.com/containers/buildah/pkg/secrets/secrets.go +++ b/vendor/github.com/containers/buildah/pkg/secrets/secrets.go @@ -117,7 +117,12 @@ func getMounts(filePath string) []string { } var mounts []string for scanner.Scan() { - mounts = append(mounts, scanner.Text()) + if strings.HasPrefix(strings.TrimSpace(scanner.Text()), "/") { + mounts = append(mounts, scanner.Text()) + } else { + logrus.Debugf("skipping unrecognized mount in %v: %q", + filePath, scanner.Text()) + } } return mounts } @@ -190,58 +195,79 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr var mounts []rspec.Mount defaultMountsPaths := getMounts(filePath) for _, path := range defaultMountsPaths { - hostDir, ctrDir, err := getMountsMap(path) + hostDirOrFile, ctrDirOrFile, err := getMountsMap(path) if err != nil { return nil, err } - // skip if the hostDir path doesn't exist - if _, err = os.Stat(hostDir); err != nil { + // skip if the hostDirOrFile path doesn't exist + fileInfo, err := os.Stat(hostDirOrFile) + if err != nil { if os.IsNotExist(err) { - logrus.Warnf("Path %q from %q doesn't exist, skipping", hostDir, filePath) + logrus.Warnf("Path %q from %q doesn't exist, skipping", hostDirOrFile, filePath) continue } - return nil, errors.Wrapf(err, "failed to stat %q", hostDir) + return nil, errors.Wrapf(err, "failed to stat %q", hostDirOrFile) } - ctrDirOnHost := filepath.Join(containerWorkingDir, ctrDir) + ctrDirOrFileOnHost := filepath.Join(containerWorkingDir, ctrDirOrFile) - // In the event of a restart, don't want to copy secrets over again as they already would exist in ctrDirOnHost - _, err = os.Stat(ctrDirOnHost) + // In the event of a restart, don't want to copy secrets over again as they already would exist in ctrDirOrFileOnHost + _, err = os.Stat(ctrDirOrFileOnHost) if os.IsNotExist(err) { - if err = os.MkdirAll(ctrDirOnHost, 0755); err != nil { - return nil, errors.Wrapf(err, "making container directory %q failed", ctrDirOnHost) - } - hostDir, err = resolveSymbolicLink(hostDir) + + hostDirOrFile, err = resolveSymbolicLink(hostDirOrFile) if err != nil { return nil, err } - data, err := getHostSecretData(hostDir) - if err != nil { - return nil, errors.Wrapf(err, "getting host secret data failed") - } - for _, s := range data { - if err := s.saveTo(ctrDirOnHost); err != nil { - return nil, errors.Wrapf(err, "error saving data to container filesystem on host %q", ctrDirOnHost) + switch mode := fileInfo.Mode(); { + case mode.IsDir(): + if err = os.MkdirAll(ctrDirOrFileOnHost, 0755); err != nil { + return nil, errors.Wrapf(err, "making container directory %q failed", ctrDirOrFileOnHost) + } + data, err := getHostSecretData(hostDirOrFile) + if err != nil { + return nil, errors.Wrapf(err, "getting host secret data failed") + } + for _, s := range data { + if err := s.saveTo(ctrDirOrFileOnHost); err != nil { + return nil, errors.Wrapf(err, "error saving data to container filesystem on host %q", ctrDirOrFileOnHost) + } + } + case mode.IsRegular(): + data, err := readFile("", hostDirOrFile) + if err != nil { + return nil, errors.Wrapf(err, "error reading file %q", hostDirOrFile) + + } + for _, s := range data { + if err := os.MkdirAll(filepath.Dir(ctrDirOrFileOnHost), 0700); err != nil { + return nil, err + } + if err := ioutil.WriteFile(ctrDirOrFileOnHost, s.data, 0700); err != nil { + return nil, errors.Wrapf(err, "error saving data to container filesystem on host %q", ctrDirOrFileOnHost) + } } + default: + return nil, errors.Errorf("unsupported file type for: %q", hostDirOrFile) } - err = label.Relabel(ctrDirOnHost, mountLabel, false) + err = label.Relabel(ctrDirOrFileOnHost, mountLabel, false) if err != nil { return nil, errors.Wrap(err, "error applying correct labels") } if uid != 0 || gid != 0 { - if err := rchown(ctrDirOnHost, uid, gid); err != nil { + if err := rchown(ctrDirOrFileOnHost, uid, gid); err != nil { return nil, err } } } else if err != nil { - return nil, errors.Wrapf(err, "error getting status of %q", ctrDirOnHost) + return nil, errors.Wrapf(err, "error getting status of %q", ctrDirOrFileOnHost) } m := rspec.Mount{ - Source: filepath.Join(mountPrefix, ctrDir), - Destination: ctrDir, + Source: filepath.Join(mountPrefix, ctrDirOrFile), + Destination: ctrDirOrFile, Type: "bind", Options: []string{"bind", "rprivate"}, } diff --git a/vendor/github.com/containers/buildah/pkg/unshare/unshare.c b/vendor/github.com/containers/buildah/pkg/unshare/unshare.c index 67a3e0e4d..fd0d48d43 100644 --- a/vendor/github.com/containers/buildah/pkg/unshare/unshare.c +++ b/vendor/github.com/containers/buildah/pkg/unshare/unshare.c @@ -3,7 +3,7 @@ #include <sys/ioctl.h> #include <sys/stat.h> #include <sys/syscall.h> -#include <linux/memfd.h> +#include <sys/mman.h> #include <fcntl.h> #include <grp.h> #include <sched.h> @@ -14,6 +14,17 @@ #include <errno.h> #include <unistd.h> +/* Open Source projects like conda-forge, want to package podman and are based + off of centos:6, Conda-force has minimal libc requirements and is lacking + the memfd.h file, so we use mmam.h +*/ +#ifndef MFD_ALLOW_SEALING +#define MFD_ALLOW_SEALING 2U +#endif +#ifndef MFD_CLOEXEC +#define MFD_CLOEXEC 1U +#endif + #ifndef F_LINUX_SPECIFIC_BASE #define F_LINUX_SPECIFIC_BASE 1024 #endif diff --git a/vendor/github.com/containers/buildah/pkg/unshare/unshare.go b/vendor/github.com/containers/buildah/pkg/unshare/unshare.go index 33232740e..21b102cf5 100644 --- a/vendor/github.com/containers/buildah/pkg/unshare/unshare.go +++ b/vendor/github.com/containers/buildah/pkg/unshare/unshare.go @@ -64,6 +64,7 @@ func (c *Cmd) Start() error { if os.Geteuid() != 0 { c.Env = append(c.Env, "_CONTAINERS_USERNS_CONFIGURED=done") c.Env = append(c.Env, fmt.Sprintf("_CONTAINERS_ROOTLESS_UID=%d", os.Geteuid())) + c.Env = append(c.Env, fmt.Sprintf("_CONTAINERS_ROOTLESS_GID=%d", os.Getegid())) } // Create the pipe for reading the child's PID. @@ -183,6 +184,7 @@ func (c *Cmd) Start() error { for _, m := range c.GidMappings { fmt.Fprintf(g, "%d %d %d\n", m.ContainerID, m.HostID, m.Size) } + gidmapSet := false // Set the GID map. if c.UseNewgidmap { cmd := exec.Command("newgidmap", append([]string{pidString}, strings.Fields(strings.Replace(g.String(), "\n", " ", -1))...)...) @@ -190,11 +192,28 @@ func (c *Cmd) Start() error { cmd.Stdout = g cmd.Stderr = g err := cmd.Run() - if err != nil { - fmt.Fprintf(continueWrite, "error running newgidmap: %v: %s", err, g.String()) - return errors.Wrapf(err, "error running newgidmap: %s", g.String()) + if err == nil { + gidmapSet = true + } else { + logrus.Warnf("error running newgidmap: %v: %s", err, g.String()) + logrus.Warnf("falling back to single mapping") + g.Reset() + g.Write([]byte(fmt.Sprintf("0 %d 1\n", os.Getegid()))) + } + } + if !gidmapSet { + if c.UseNewgidmap { + setgroups, err := os.OpenFile(fmt.Sprintf("/proc/%s/setgroups", pidString), os.O_TRUNC|os.O_WRONLY, 0) + if err != nil { + fmt.Fprintf(continueWrite, "error opening /proc/%s/setgroups: %v", pidString, err) + return errors.Wrapf(err, "error opening /proc/%s/setgroups", pidString) + } + defer setgroups.Close() + if _, err := fmt.Fprintf(setgroups, "deny"); err != nil { + fmt.Fprintf(continueWrite, "error writing 'deny' to /proc/%s/setgroups: %v", pidString, err) + return errors.Wrapf(err, "error writing 'deny' to /proc/%s/setgroups", pidString) + } } - } else { gidmap, err := os.OpenFile(fmt.Sprintf("/proc/%s/gid_map", pidString), os.O_TRUNC|os.O_WRONLY, 0) if err != nil { fmt.Fprintf(continueWrite, "error opening /proc/%s/gid_map: %v", pidString, err) @@ -214,6 +233,7 @@ func (c *Cmd) Start() error { for _, m := range c.UidMappings { fmt.Fprintf(u, "%d %d %d\n", m.ContainerID, m.HostID, m.Size) } + uidmapSet := false // Set the GID map. if c.UseNewuidmap { cmd := exec.Command("newuidmap", append([]string{pidString}, strings.Fields(strings.Replace(u.String(), "\n", " ", -1))...)...) @@ -221,11 +241,16 @@ func (c *Cmd) Start() error { cmd.Stdout = u cmd.Stderr = u err := cmd.Run() - if err != nil { - fmt.Fprintf(continueWrite, "error running newuidmap: %v: %s", err, u.String()) - return errors.Wrapf(err, "error running newuidmap: %s", u.String()) + if err == nil { + uidmapSet = true + } else { + logrus.Warnf("error running newuidmap: %v: %s", err, u.String()) + logrus.Warnf("falling back to single mapping") + u.Reset() + u.Write([]byte(fmt.Sprintf("0 %d 1\n", os.Geteuid()))) } - } else { + } + if !uidmapSet { uidmap, err := os.OpenFile(fmt.Sprintf("/proc/%s/uid_map", pidString), os.O_TRUNC|os.O_WRONLY, 0) if err != nil { fmt.Fprintf(continueWrite, "error opening /proc/%s/uid_map: %v", pidString, err) @@ -354,7 +379,9 @@ func MaybeReexecUsingUserNamespace(evenForRoot bool) { // range in /etc/subuid and /etc/subgid file is a starting host // ID and a range size. uidmap, gidmap, err = GetSubIDMappings(me.Username, me.Username) - bailOnError(err, "error reading allowed ID mappings") + if err != nil { + logrus.Warnf("error reading allowed ID mappings: %v", err) + } if len(uidmap) == 0 { logrus.Warnf("Found no UID ranges set aside for user %q in /etc/subuid.", me.Username) } diff --git a/vendor/github.com/containers/buildah/run_linux.go b/vendor/github.com/containers/buildah/run_linux.go index 81ce2b944..55f9502b2 100644 --- a/vendor/github.com/containers/buildah/run_linux.go +++ b/vendor/github.com/containers/buildah/run_linux.go @@ -131,7 +131,8 @@ func (b *Builder) Run(command []string, options RunOptions) error { return err } - if err := b.configureUIDGID(g, mountPoint, options); err != nil { + homeDir, err := b.configureUIDGID(g, mountPoint, options) + if err != nil { return err } @@ -173,7 +174,7 @@ func (b *Builder) Run(command []string, options RunOptions) error { bindFiles["/etc/hosts"] = hostFile } - if !contains(volumes, "/etc/resolv.conf") { + if !(contains(volumes, "/etc/resolv.conf") || (len(b.CommonBuildOpts.DNSServers) == 1 && strings.ToLower(b.CommonBuildOpts.DNSServers[0]) == "none")) { resolvFile, err := b.addNetworkConfig(path, "/etc/resolv.conf", rootIDPair, b.CommonBuildOpts.DNSServers, b.CommonBuildOpts.DNSSearch, b.CommonBuildOpts.DNSOptions) if err != nil { return err @@ -210,7 +211,7 @@ func (b *Builder) Run(command []string, options RunOptions) error { } err = b.runUsingRuntimeSubproc(isolation, options, configureNetwork, configureNetworks, moreCreateArgs, spec, mountPoint, path, Package+"-"+filepath.Base(path)) case IsolationChroot: - err = chroot.RunUsingChroot(spec, path, options.Stdin, options.Stdout, options.Stderr) + err = chroot.RunUsingChroot(spec, path, homeDir, options.Stdin, options.Stdout, options.Stderr) case IsolationOCIRootless: moreCreateArgs := []string{"--no-new-keyring"} if options.NoPivot { @@ -433,7 +434,7 @@ func (b *Builder) setupMounts(mountPoint string, spec *specs.Spec, bundlePath st // Add temporary copies of the contents of volume locations at the // volume locations, unless we already have something there. - copyWithTar := b.copyWithTar(nil, nil) + copyWithTar := b.copyWithTar(nil, nil, nil) builtins, err := runSetupBuiltinVolumes(b.MountLabel, mountPoint, cdir, copyWithTar, builtinVolumes, int(rootUID), int(rootGID)) if err != nil { return err @@ -1048,6 +1049,18 @@ func runConfigureNetwork(isolation Isolation, options RunOptions, configureNetwo return teardown, nil } +func setNonblock(fd int, description string, nonblocking bool) error { + err := unix.SetNonblock(fd, nonblocking) + if err != nil { + if nonblocking { + logrus.Errorf("error setting %s to nonblocking: %v", description, err) + } else { + logrus.Errorf("error setting descriptor %s blocking: %v", description, err) + } + } + return err +} + func runCopyStdio(stdio *sync.WaitGroup, copyPipes bool, stdioPipe [][]int, copyConsole bool, consoleListener *net.UnixListener, finishCopy []int, finishedCopy chan struct{}, spec *specs.Spec) { defer func() { unix.Close(finishCopy[0]) @@ -1115,14 +1128,16 @@ func runCopyStdio(stdio *sync.WaitGroup, copyPipes bool, stdioPipe [][]int, copy } // Set our reading descriptors to non-blocking. for rfd, wfd := range relayMap { - if err := unix.SetNonblock(rfd, true); err != nil { - logrus.Errorf("error setting %s to nonblocking: %v", readDesc[rfd], err) + if err := setNonblock(rfd, readDesc[rfd], true); err != nil { return } - if err := unix.SetNonblock(wfd, false); err != nil { - logrus.Errorf("error setting descriptor %d (%s) blocking: %v", wfd, writeDesc[wfd], err) - } + setNonblock(wfd, writeDesc[wfd], false) } + + setNonblock(stdioPipe[unix.Stdin][1], writeDesc[stdioPipe[unix.Stdin][1]], true) + + closeStdin := false + // Pass data back and forth. pollTimeout := -1 for len(relayMap) > 0 { @@ -1154,12 +1169,6 @@ func runCopyStdio(stdio *sync.WaitGroup, copyPipes bool, stdioPipe [][]int, copy } // If the POLLIN flag isn't set, then there's no data to be read from this descriptor. if pollFd.Revents&unix.POLLIN == 0 { - // If we're using pipes and it's our stdin and it's closed, close the writing - // end of the corresponding pipe. - if copyPipes && int(pollFd.Fd) == unix.Stdin && pollFd.Revents&unix.POLLHUP != 0 { - unix.Close(stdioPipe[unix.Stdin][1]) - stdioPipe[unix.Stdin][1] = -1 - } continue } // Read whatever there is to be read. @@ -1174,10 +1183,8 @@ func runCopyStdio(stdio *sync.WaitGroup, copyPipes bool, stdioPipe [][]int, copy // using pipes, it's an EOF, so close the stdin // pipe's writing end. if n == 0 && copyPipes && int(pollFd.Fd) == unix.Stdin { - unix.Close(stdioPipe[unix.Stdin][1]) - stdioPipe[unix.Stdin][1] = -1 - } - if n > 0 { + removes[int(pollFd.Fd)] = struct{}{} + } else if n > 0 { // Buffer the data in case we get blocked on where they need to go. nwritten, err := relayBuffer[writeFD].Write(buf[:n]) if err != nil { @@ -1221,6 +1228,11 @@ func runCopyStdio(stdio *sync.WaitGroup, copyPipes bool, stdioPipe [][]int, copy if n > 0 { relayBuffer[writeFD].Next(n) } + if closeStdin && writeFD == stdioPipe[unix.Stdin][1] && stdioPipe[unix.Stdin][1] >= 0 && relayBuffer[stdioPipe[unix.Stdin][1]].Len() == 0 { + logrus.Debugf("closing stdin") + unix.Close(stdioPipe[unix.Stdin][1]) + stdioPipe[unix.Stdin][1] = -1 + } } if relayBuffer[writeFD].Len() > 0 { pollTimeout = 100 @@ -1228,6 +1240,14 @@ func runCopyStdio(stdio *sync.WaitGroup, copyPipes bool, stdioPipe [][]int, copy } // Remove any descriptors which we don't need to poll any more from the poll descriptor list. for remove := range removes { + if copyPipes && remove == unix.Stdin { + closeStdin = true + if relayBuffer[stdioPipe[unix.Stdin][1]].Len() == 0 { + logrus.Debugf("closing stdin") + unix.Close(stdioPipe[unix.Stdin][1]) + stdioPipe[unix.Stdin][1] = -1 + } + } delete(relayMap, remove) } // If the we-can-return pipe had anything for us, we're done. @@ -1452,9 +1472,20 @@ func setupNamespaces(g *generate.Generator, namespaceOptions NamespaceOptions, i } } } - if configureNetwork { + if configureNetwork && !unshare.IsRootless() { for name, val := range util.DefaultNetworkSysctl { - g.AddLinuxSysctl(name, val) + // Check that the sysctl we are adding is actually supported + // by the kernel + p := filepath.Join("/proc/sys", strings.Replace(name, ".", "/", -1)) + _, err := os.Stat(p) + if err != nil && !os.IsNotExist(err) { + return false, nil, false, errors.Wrapf(err, "cannot stat %s", p) + } + if err == nil { + g.AddLinuxSysctl(name, val) + } else { + logrus.Warnf("ignoring sysctl %s since %s doesn't exist", name, p) + } } } return configureNetwork, configureNetworks, configureUTS, nil @@ -1552,6 +1583,15 @@ func (b *Builder) cleanupTempVolumes() { func (b *Builder) runSetupVolumeMounts(mountLabel string, volumeMounts []string, optionMounts []specs.Mount, rootUID, rootGID int) (mounts []specs.Mount, Err error) { + // Make sure the overlay directory is clean before running + containerDir, err := b.store.ContainerDirectory(b.ContainerID) + if err != nil { + return nil, errors.Wrapf(err, "error looking up container directory for %s", b.ContainerID) + } + if err := overlay.CleanupContent(containerDir); err != nil { + return nil, errors.Wrapf(err, "error cleaning up overlay content for %s", b.ContainerID) + } + parseMount := func(host, container string, options []string) (specs.Mount, error) { var foundrw, foundro, foundz, foundZ, foundO bool var rootProp string @@ -1775,14 +1815,14 @@ func getDNSIP(dnsServers []string) (dns []net.IP, err error) { return dns, nil } -func (b *Builder) configureUIDGID(g *generate.Generator, mountPoint string, options RunOptions) error { +func (b *Builder) configureUIDGID(g *generate.Generator, mountPoint string, options RunOptions) (string, error) { // Set the user UID/GID/supplemental group list/capabilities lists. - user, err := b.user(mountPoint, options.User) + user, homeDir, err := b.user(mountPoint, options.User) if err != nil { - return err + return "", err } if err := setupCapabilities(g, b.AddCapabilities, b.DropCapabilities, options.AddCapabilities, options.DropCapabilities); err != nil { - return err + return "", err } g.SetProcessUID(user.UID) g.SetProcessGID(user.GID) @@ -1797,7 +1837,7 @@ func (b *Builder) configureUIDGID(g *generate.Generator, mountPoint string, opti g.Config.Process.Capabilities.Bounding = bounding } - return nil + return homeDir, nil } func (b *Builder) configureEnvironment(g *generate.Generator, options RunOptions) { diff --git a/vendor/github.com/containers/buildah/util.go b/vendor/github.com/containers/buildah/util.go index 08fb99706..ce21d2651 100644 --- a/vendor/github.com/containers/buildah/util.go +++ b/vendor/github.com/containers/buildah/util.go @@ -1,9 +1,12 @@ package buildah import ( + "archive/tar" "io" "os" + "path/filepath" + "github.com/containers/buildah/util" "github.com/containers/image/docker/reference" "github.com/containers/image/pkg/sysregistries" "github.com/containers/image/pkg/sysregistriesv2" @@ -12,7 +15,9 @@ import ( "github.com/containers/storage/pkg/archive" "github.com/containers/storage/pkg/chrootarchive" "github.com/containers/storage/pkg/idtools" + "github.com/containers/storage/pkg/pools" "github.com/containers/storage/pkg/reexec" + "github.com/containers/storage/pkg/system" "github.com/opencontainers/image-spec/specs-go/v1" rspec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux" @@ -105,19 +110,108 @@ func convertRuntimeIDMaps(UIDMap, GIDMap []rspec.LinuxIDMapping) ([]idtools.IDMa } // copyFileWithTar returns a function which copies a single file from outside -// of any container into our working container, mapping permissions using the -// container's ID maps, possibly overridden using the passed-in chownOpts -func (b *Builder) copyFileWithTar(chownOpts *idtools.IDPair, hasher io.Writer) func(src, dest string) error { - convertedUIDMap, convertedGIDMap := convertRuntimeIDMaps(b.IDMappingOptions.UIDMap, b.IDMappingOptions.GIDMap) - return chrootarchive.CopyFileWithTarAndChown(chownOpts, hasher, convertedUIDMap, convertedGIDMap) +// of any container, or another container, into our working container, mapping +// read permissions using the passed-in ID maps, writing using the container's +// ID mappings, possibly overridden using the passed-in chownOpts +func (b *Builder) copyFileWithTar(tarIDMappingOptions *IDMappingOptions, chownOpts *idtools.IDPair, hasher io.Writer) func(src, dest string) error { + if tarIDMappingOptions == nil { + tarIDMappingOptions = &IDMappingOptions{ + HostUIDMapping: true, + HostGIDMapping: true, + } + } + return func(src, dest string) error { + logrus.Debugf("copyFileWithTar(%s, %s)", src, dest) + f, err := os.Open(src) + if err != nil { + return errors.Wrapf(err, "error opening %q to copy its contents", src) + } + defer func() { + if f != nil { + f.Close() + } + }() + + sysfi, err := system.Lstat(src) + if err != nil { + return errors.Wrapf(err, "error reading attributes of %q", src) + } + + hostUID := sysfi.UID() + hostGID := sysfi.GID() + containerUID, containerGID, err := util.GetContainerIDs(tarIDMappingOptions.UIDMap, tarIDMappingOptions.GIDMap, hostUID, hostGID) + if err != nil { + return errors.Wrapf(err, "error mapping owner IDs of %q: %d/%d", src, hostUID, hostGID) + } + + fi, err := os.Lstat(src) + if err != nil { + return errors.Wrapf(err, "error reading attributes of %q", src) + } + + hdr, err := tar.FileInfoHeader(fi, filepath.Base(src)) + if err != nil { + return errors.Wrapf(err, "error generating tar header for: %q", src) + } + hdr.Name = filepath.Base(dest) + hdr.Uid = int(containerUID) + hdr.Gid = int(containerGID) + + pipeReader, pipeWriter := io.Pipe() + writer := tar.NewWriter(pipeWriter) + var copyErr error + go func(srcFile *os.File) { + err := writer.WriteHeader(hdr) + if err != nil { + logrus.Debugf("error writing header for %s: %v", srcFile.Name(), err) + copyErr = err + } + n, err := pools.Copy(writer, srcFile) + if n != hdr.Size { + logrus.Debugf("expected to write %d bytes for %s, wrote %d instead", hdr.Size, srcFile.Name(), n) + } + if err != nil { + logrus.Debugf("error reading %s: %v", srcFile.Name(), err) + copyErr = err + } + if err = writer.Close(); err != nil { + logrus.Debugf("error closing write pipe for %s: %v", srcFile.Name(), err) + } + if err = srcFile.Close(); err != nil { + logrus.Debugf("error closing %s: %v", srcFile.Name(), err) + } + pipeWriter.Close() + pipeWriter = nil + return + }(f) + + untar := b.untar(chownOpts, hasher) + err = untar(pipeReader, filepath.Dir(dest)) + if err == nil { + err = copyErr + } + f = nil + if pipeWriter != nil { + pipeWriter.Close() + } + return err + } } // copyWithTar returns a function which copies a directory tree from outside of -// any container into our working container, mapping permissions using the -// container's ID maps, possibly overridden using the passed-in chownOpts -func (b *Builder) copyWithTar(chownOpts *idtools.IDPair, hasher io.Writer) func(src, dest string) error { - convertedUIDMap, convertedGIDMap := convertRuntimeIDMaps(b.IDMappingOptions.UIDMap, b.IDMappingOptions.GIDMap) - return chrootarchive.CopyWithTarAndChown(chownOpts, hasher, convertedUIDMap, convertedGIDMap) +// our container or from another container, into our working container, mapping +// permissions at read-time using the container's ID maps, with ownership at +// write-time possibly overridden using the passed-in chownOpts +func (b *Builder) copyWithTar(tarIDMappingOptions *IDMappingOptions, chownOpts *idtools.IDPair, hasher io.Writer) func(src, dest string) error { + tar := b.tarPath(tarIDMappingOptions) + untar := b.untar(chownOpts, hasher) + return func(src, dest string) error { + rc, err := tar(src) + if err != nil { + return errors.Wrapf(err, "error archiving %q for copy", src) + } + return untar(rc, dest) + } } // untarPath returns a function which extracts an archive in a specified @@ -128,12 +222,58 @@ func (b *Builder) untarPath(chownOpts *idtools.IDPair, hasher io.Writer) func(sr return chrootarchive.UntarPathAndChown(chownOpts, hasher, convertedUIDMap, convertedGIDMap) } -// tarPath returns a function which creates an archive of a specified +// tarPath returns a function which creates an archive of a specified location, +// which is often somewhere in the container's filesystem, mapping permissions +// using the container's ID maps, or the passed-in maps if specified +func (b *Builder) tarPath(idMappingOptions *IDMappingOptions) func(path string) (io.ReadCloser, error) { + var uidmap, gidmap []idtools.IDMap + if idMappingOptions == nil { + idMappingOptions = &IDMappingOptions{ + HostUIDMapping: true, + HostGIDMapping: true, + } + } + convertedUIDMap, convertedGIDMap := convertRuntimeIDMaps(idMappingOptions.UIDMap, idMappingOptions.GIDMap) + tarMappings := idtools.NewIDMappingsFromMaps(convertedUIDMap, convertedGIDMap) + uidmap = tarMappings.UIDs() + gidmap = tarMappings.GIDs() + options := &archive.TarOptions{ + Compression: archive.Uncompressed, + UIDMaps: uidmap, + GIDMaps: gidmap, + } + return func(path string) (io.ReadCloser, error) { + return archive.TarWithOptions(path, options) + } +} + +// untar returns a function which extracts an archive stream to a specified // location in the container's filesystem, mapping permissions using the -// container's ID maps -func (b *Builder) tarPath() func(path string) (io.ReadCloser, error) { +// container's ID maps, possibly overridden using the passed-in chownOpts +func (b *Builder) untar(chownOpts *idtools.IDPair, hasher io.Writer) func(tarArchive io.ReadCloser, dest string) error { convertedUIDMap, convertedGIDMap := convertRuntimeIDMaps(b.IDMappingOptions.UIDMap, b.IDMappingOptions.GIDMap) - return archive.TarPath(convertedUIDMap, convertedGIDMap) + untarMappings := idtools.NewIDMappingsFromMaps(convertedUIDMap, convertedGIDMap) + options := &archive.TarOptions{ + UIDMaps: untarMappings.UIDs(), + GIDMaps: untarMappings.GIDs(), + ChownOpts: chownOpts, + } + untar := chrootarchive.Untar + if hasher != nil { + originalUntar := untar + untar = func(tarArchive io.Reader, dest string, options *archive.TarOptions) error { + return originalUntar(io.TeeReader(tarArchive, hasher), dest, options) + } + } + return func(tarArchive io.ReadCloser, dest string) error { + err := untar(tarArchive, dest, options) + if err2 := tarArchive.Close(); err2 != nil { + if err == nil { + err = err2 + } + } + return err + } } // isRegistryBlocked checks if the named registry is marked as blocked diff --git a/vendor/github.com/containers/buildah/util/util.go b/vendor/github.com/containers/buildah/util/util.go index 30afe8313..4736d7b77 100644 --- a/vendor/github.com/containers/buildah/util/util.go +++ b/vendor/github.com/containers/buildah/util/util.go @@ -106,13 +106,19 @@ func ResolveName(name string, firstRegistry string, sc *types.SystemContext, sto // Figure out the list of registries. var registries []string - searchRegistries, err := sysregistriesv2.FindUnqualifiedSearchRegistries(sc) + searchRegistries, err := sysregistriesv2.UnqualifiedSearchRegistries(sc) if err != nil { logrus.Debugf("unable to read configured registries to complete %q: %v", name, err) + searchRegistries = nil } for _, registry := range searchRegistries { - if !registry.Blocked { - registries = append(registries, registry.Location) + reg, err := sysregistriesv2.FindRegistry(sc, registry) + if err != nil { + logrus.Debugf("unable to read registry configuraitno for %#v: %v", registry, err) + continue + } + if reg == nil || !reg.Blocked { + registries = append(registries, registry) } } searchRegistriesAreEmpty := len(registries) == 0 @@ -257,6 +263,36 @@ func StringInSlice(s string, slice []string) bool { return false } +// GetContainerIDs uses ID mappings to compute the container-level IDs that will +// correspond to a UID/GID pair on the host. +func GetContainerIDs(uidmap, gidmap []specs.LinuxIDMapping, uid, gid uint32) (uint32, uint32, error) { + uidMapped := true + for _, m := range uidmap { + uidMapped = false + if uid >= m.HostID && uid < m.HostID+m.Size { + uid = (uid - m.HostID) + m.ContainerID + uidMapped = true + break + } + } + if !uidMapped { + return 0, 0, errors.Errorf("container uses ID mappings (%#v), but doesn't map UID %d", uidmap, uid) + } + gidMapped := true + for _, m := range gidmap { + gidMapped = false + if gid >= m.HostID && gid < m.HostID+m.Size { + gid = (gid - m.HostID) + m.ContainerID + gidMapped = true + break + } + } + if !gidMapped { + return 0, 0, errors.Errorf("container uses ID mappings (%#v), but doesn't map GID %d", gidmap, gid) + } + return uid, gid, nil +} + // GetHostIDs uses ID mappings to compute the host-level IDs that will // correspond to a UID/GID pair in the container. func GetHostIDs(uidmap, gidmap []specs.LinuxIDMapping, uid, gid uint32) (uint32, uint32, error) { @@ -270,7 +306,7 @@ func GetHostIDs(uidmap, gidmap []specs.LinuxIDMapping, uid, gid uint32) (uint32, } } if !uidMapped { - return 0, 0, errors.Errorf("container uses ID mappings, but doesn't map UID %d", uid) + return 0, 0, errors.Errorf("container uses ID mappings (%#v), but doesn't map UID %d", uidmap, uid) } gidMapped := true for _, m := range gidmap { @@ -282,7 +318,7 @@ func GetHostIDs(uidmap, gidmap []specs.LinuxIDMapping, uid, gid uint32) (uint32, } } if !gidMapped { - return 0, 0, errors.Errorf("container uses ID mappings, but doesn't map GID %d", gid) + return 0, 0, errors.Errorf("container uses ID mappings (%#v), but doesn't map GID %d", gidmap, gid) } return uid, gid, nil } diff --git a/vendor/github.com/containers/buildah/vendor.conf b/vendor/github.com/containers/buildah/vendor.conf index 0c982626a..88148947a 100644 --- a/vendor/github.com/containers/buildah/vendor.conf +++ b/vendor/github.com/containers/buildah/vendor.conf @@ -3,12 +3,12 @@ github.com/blang/semver v3.5.0 github.com/BurntSushi/toml v0.2.0 github.com/containerd/continuity 004b46473808b3e7a4a3049c20e4376c91eb966d github.com/containernetworking/cni v0.7.0-rc2 -github.com/containers/image 9467ac9cfd92c545aa389f22f27e552de053c0f2 +github.com/containers/image v2.0.0 github.com/cyphar/filepath-securejoin v0.2.1 github.com/vbauerster/mpb v3.3.4 github.com/mattn/go-isatty v0.0.4 github.com/VividCortex/ewma v1.1.1 -github.com/containers/storage v1.12.7 +github.com/containers/storage v1.12.10 github.com/docker/distribution 5f6282db7d65e6d72ad7c2cc66310724a57be716 github.com/docker/docker 54dddadc7d5d89fe0be88f76979f6f6ab0dede83 github.com/docker/docker-credential-helpers v0.6.1 diff --git a/vendor/github.com/containers/image/docker/docker_image_src.go b/vendor/github.com/containers/image/docker/docker_image_src.go index c8fdb407c..c43e6e7ca 100644 --- a/vendor/github.com/containers/image/docker/docker_image_src.go +++ b/vendor/github.com/containers/image/docker/docker_image_src.go @@ -29,44 +29,16 @@ type dockerImageSource struct { cachedManifestMIMEType string // Only valid if cachedManifest != nil } -// newImageSource creates a new `ImageSource` for the specified image reference -// `ref`. -// -// The following steps will be done during the instance creation: -// -// - Lookup the registry within the configured location in -// `sys.SystemRegistriesConfPath`. If there is no configured registry available, -// we fallback to the provided docker reference `ref`. -// -// - References which contain a configured prefix will be automatically rewritten -// to the correct target reference. For example, if the configured -// `prefix = "example.com/foo"`, `location = "example.com"` and the image will be -// pulled from the ref `example.com/foo/image`, then the resulting pull will -// effectively point to `example.com/image`. -// -// - If the rewritten reference succeeds, it will be used as the `dockerRef` -// in the client. If the rewrite fails, the function immediately returns an error. -// -// - Each mirror will be used (in the configured order) to test the -// availability of the image manifest on the remote location. For example, -// if the manifest is not reachable due to connectivity issues, then the next -// mirror will be tested instead. If no mirror is configured or contains the -// target manifest, then the initial `ref` will be tested as fallback. The -// creation of the new `dockerImageSource` only succeeds if a remote -// location with the available manifest was found. -// -// A cleanup call to `.Close()` is needed if the caller is done using the returned -// `ImageSource`. +// newImageSource creates a new ImageSource for the specified image reference. +// The caller must call .Close() on the returned ImageSource. func newImageSource(ctx context.Context, sys *types.SystemContext, ref dockerReference) (*dockerImageSource, error) { registry, err := sysregistriesv2.FindRegistry(sys, ref.ref.Name()) if err != nil { return nil, errors.Wrapf(err, "error loading registries configuration") } - if registry == nil { - // No configuration was found for the provided reference, so we create - // a fallback registry by hand to make the client creation below work - // as intended. + // No configuration was found for the provided reference, so use the + // equivalent of a default configuration. registry = &sysregistriesv2.Registry{ Endpoint: sysregistriesv2.Endpoint{ Location: ref.ref.String(), @@ -76,18 +48,19 @@ func newImageSource(ctx context.Context, sys *types.SystemContext, ref dockerRef } primaryDomain := reference.Domain(ref.ref) - // Found the registry within the sysregistriesv2 configuration. Now we test - // all endpoints for the manifest availability. If a working image source - // was found, it will be used for all future pull actions. + // Check all endpoints for the manifest availability. If we find one that does + // contain the image, it will be used for all future pull actions. Always try the + // non-mirror original location last; this both transparently handles the case + // of no mirrors configured, and ensures we return the error encountered when + // acessing the upstream location if all endpoints fail. manifestLoadErr := errors.New("Internal error: newImageSource returned without trying any endpoint") - for _, endpoint := range append(registry.Mirrors, registry.Endpoint) { - logrus.Debugf("Trying to pull %q from endpoint %q", ref.ref, endpoint.Location) - - newRef, err := endpoint.RewriteReference(ref.ref, registry.Prefix) - if err != nil { - return nil, err - } - dockerRef, err := newReference(newRef) + pullSources, err := registry.PullSourcesFromReference(ref.ref) + if err != nil { + return nil, err + } + for _, pullSource := range pullSources { + logrus.Debugf("Trying to pull %q", pullSource.Reference) + dockerRef, err := newReference(pullSource.Reference) if err != nil { return nil, err } @@ -104,7 +77,7 @@ func newImageSource(ctx context.Context, sys *types.SystemContext, ref dockerRef if err != nil { return nil, err } - client.tlsClientConfig.InsecureSkipVerify = endpoint.Insecure + client.tlsClientConfig.InsecureSkipVerify = pullSource.Endpoint.Insecure testImageSource := &dockerImageSource{ ref: dockerRef, diff --git a/vendor/github.com/containers/image/docker/reference/README.md b/vendor/github.com/containers/image/docker/reference/README.md index 53a88de82..3c4d74eb4 100644 --- a/vendor/github.com/containers/image/docker/reference/README.md +++ b/vendor/github.com/containers/image/docker/reference/README.md @@ -1,2 +1,2 @@ -This is a copy of github.com/docker/distribution/reference as of commit fb0bebc4b64e3881cc52a2478d749845ed76d2a8, +This is a copy of github.com/docker/distribution/reference as of commit 3226863cbcba6dbc2f6c83a37b28126c934af3f8, except that ParseAnyReferenceWithSet has been removed to drop the dependency on github.com/docker/distribution/digestset.
\ No newline at end of file diff --git a/vendor/github.com/containers/image/docker/reference/normalize.go b/vendor/github.com/containers/image/docker/reference/normalize.go index fcc436a39..6a86ec64f 100644 --- a/vendor/github.com/containers/image/docker/reference/normalize.go +++ b/vendor/github.com/containers/image/docker/reference/normalize.go @@ -55,6 +55,35 @@ func ParseNormalizedNamed(s string) (Named, error) { return named, nil } +// ParseDockerRef normalizes the image reference following the docker convention. This is added +// mainly for backward compatibility. +// The reference returned can only be either tagged or digested. For reference contains both tag +// and digest, the function returns digested reference, e.g. docker.io/library/busybox:latest@ +// sha256:7cc4b5aefd1d0cadf8d97d4350462ba51c694ebca145b08d7d41b41acc8db5aa will be returned as +// docker.io/library/busybox@sha256:7cc4b5aefd1d0cadf8d97d4350462ba51c694ebca145b08d7d41b41acc8db5aa. +func ParseDockerRef(ref string) (Named, error) { + named, err := ParseNormalizedNamed(ref) + if err != nil { + return nil, err + } + if _, ok := named.(NamedTagged); ok { + if canonical, ok := named.(Canonical); ok { + // The reference is both tagged and digested, only + // return digested. + newNamed, err := WithName(canonical.Name()) + if err != nil { + return nil, err + } + newCanonical, err := WithDigest(newNamed, canonical.Digest()) + if err != nil { + return nil, err + } + return newCanonical, nil + } + } + return TagNameOnly(named), nil +} + // splitDockerDomain splits a repository name to domain and remotename string. // If no valid domain is found, the default domain is used. Repository name // needs to be already validated before. diff --git a/vendor/github.com/containers/image/docker/reference/reference.go b/vendor/github.com/containers/image/docker/reference/reference.go index fd3510e9e..8c0c23b2f 100644 --- a/vendor/github.com/containers/image/docker/reference/reference.go +++ b/vendor/github.com/containers/image/docker/reference/reference.go @@ -15,7 +15,7 @@ // tag := /[\w][\w.-]{0,127}/ // // digest := digest-algorithm ":" digest-hex -// digest-algorithm := digest-algorithm-component [ digest-algorithm-separator digest-algorithm-component ] +// digest-algorithm := digest-algorithm-component [ digest-algorithm-separator digest-algorithm-component ]* // digest-algorithm-separator := /[+.-_]/ // digest-algorithm-component := /[A-Za-z][A-Za-z0-9]*/ // digest-hex := /[0-9a-fA-F]{32,}/ ; At least 128 bit digest value @@ -205,7 +205,7 @@ func Parse(s string) (Reference, error) { var repo repository nameMatch := anchoredNameRegexp.FindStringSubmatch(matches[1]) - if nameMatch != nil && len(nameMatch) == 3 { + if len(nameMatch) == 3 { repo.domain = nameMatch[1] repo.path = nameMatch[2] } else { diff --git a/vendor/github.com/containers/image/docker/reference/regexp.go b/vendor/github.com/containers/image/docker/reference/regexp.go index 405e995db..786034932 100644 --- a/vendor/github.com/containers/image/docker/reference/regexp.go +++ b/vendor/github.com/containers/image/docker/reference/regexp.go @@ -20,15 +20,15 @@ var ( optional(repeated(separatorRegexp, alphaNumericRegexp))) // domainComponentRegexp restricts the registry domain component of a - // repository name to start with a component as defined by domainRegexp + // repository name to start with a component as defined by DomainRegexp // and followed by an optional port. domainComponentRegexp = match(`(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])`) - // domainRegexp defines the structure of potential domain components + // DomainRegexp defines the structure of potential domain components // that may be part of image names. This is purposely a subset of what is // allowed by DNS to ensure backwards compatibility with Docker image // names. - domainRegexp = expression( + DomainRegexp = expression( domainComponentRegexp, optional(repeated(literal(`.`), domainComponentRegexp)), optional(literal(`:`), match(`[0-9]+`))) @@ -51,14 +51,14 @@ var ( // regexp has capturing groups for the domain and name part omitting // the separating forward slash from either. NameRegexp = expression( - optional(domainRegexp, literal(`/`)), + optional(DomainRegexp, literal(`/`)), nameComponentRegexp, optional(repeated(literal(`/`), nameComponentRegexp))) // anchoredNameRegexp is used to parse a name value, capturing the // domain and trailing components. anchoredNameRegexp = anchored( - optional(capture(domainRegexp), literal(`/`)), + optional(capture(DomainRegexp), literal(`/`)), capture(nameComponentRegexp, optional(repeated(literal(`/`), nameComponentRegexp)))) diff --git a/vendor/github.com/containers/image/pkg/sysregistriesv2/system_registries_v2.go b/vendor/github.com/containers/image/pkg/sysregistriesv2/system_registries_v2.go index 99ae65774..361e6fc60 100644 --- a/vendor/github.com/containers/image/pkg/sysregistriesv2/system_registries_v2.go +++ b/vendor/github.com/containers/image/pkg/sysregistriesv2/system_registries_v2.go @@ -5,6 +5,7 @@ import ( "io/ioutil" "os" "path/filepath" + "regexp" "strings" "sync" @@ -35,10 +36,10 @@ type Endpoint struct { Insecure bool `toml:"insecure"` } -// RewriteReference will substitute the provided reference `prefix` to the +// rewriteReference will substitute the provided reference `prefix` to the // endpoints `location` from the `ref` and creates a new named reference from it. // The function errors if the newly created reference is not parsable. -func (e *Endpoint) RewriteReference(ref reference.Named, prefix string) (reference.Named, error) { +func (e *Endpoint) rewriteReference(ref reference.Named, prefix string) (reference.Named, error) { refString := ref.String() if !refMatchesPrefix(refString, prefix) { return nil, fmt.Errorf("invalid prefix '%v' for reference '%v'", prefix, refString) @@ -61,8 +62,10 @@ type Registry struct { Mirrors []Endpoint `toml:"mirror"` // If true, pulling from the registry will be blocked. Blocked bool `toml:"blocked"` - // If true, the registry can be used when pulling an unqualified image. - Search bool `toml:"unqualified-search"` + // If true, mirrors will only be used for digest pulls. Pulling images by + // tag can potentially yield different images, depending on which endpoint + // we pull from. Forcing digest-pulls for mirrors avoids that issue. + MirrorByDigestOnly bool `toml:"mirror-by-digest-only"` // Prefix is used for matching images, and to translate one namespace to // another. If `Prefix="example.com/bar"`, `location="example.com/foo/bar"` // and we pull from "example.com/bar/myimage:latest", the image will @@ -71,6 +74,41 @@ type Registry struct { Prefix string `toml:"prefix"` } +// PullSource consists of an Endpoint and a Reference. Note that the reference is +// rewritten according to the registries prefix and the Endpoint's location. +type PullSource struct { + Endpoint Endpoint + Reference reference.Named +} + +// PullSourcesFromReference returns a slice of PullSource's based on the passed +// reference. +func (r *Registry) PullSourcesFromReference(ref reference.Named) ([]PullSource, error) { + var endpoints []Endpoint + + if r.MirrorByDigestOnly { + // Only use mirrors when the reference is a digest one. + if _, isDigested := ref.(reference.Canonical); isDigested { + endpoints = append(r.Mirrors, r.Endpoint) + } else { + endpoints = []Endpoint{r.Endpoint} + } + } else { + endpoints = append(r.Mirrors, r.Endpoint) + } + + sources := []PullSource{} + for _, ep := range endpoints { + rewritten, err := ep.rewriteReference(ref, r.Prefix) + if err != nil { + return nil, err + } + sources = append(sources, PullSource{Endpoint: ep, Reference: rewritten}) + } + + return sources, nil +} + // V1TOMLregistries is for backwards compatibility to sysregistries v1 type V1TOMLregistries struct { Registries []string `toml:"registries"` @@ -83,11 +121,35 @@ type V1TOMLConfig struct { Block V1TOMLregistries `toml:"block"` } +// V1RegistriesConf is the sysregistries v1 configuration format. +type V1RegistriesConf struct { + V1TOMLConfig `toml:"registries"` +} + +// Nonempty returns true if config contains at least one configuration entry. +func (config *V1RegistriesConf) Nonempty() bool { + return (len(config.V1TOMLConfig.Search.Registries) != 0 || + len(config.V1TOMLConfig.Insecure.Registries) != 0 || + len(config.V1TOMLConfig.Block.Registries) != 0) +} + +// V2RegistriesConf is the sysregistries v2 configuration format. +type V2RegistriesConf struct { + Registries []Registry `toml:"registry"` + // An array of host[:port] (not prefix!) entries to use for resolving unqualified image references + UnqualifiedSearchRegistries []string `toml:"unqualified-search-registries"` +} + +// Nonempty returns true if config contains at least one configuration entry. +func (config *V2RegistriesConf) Nonempty() bool { + return (len(config.Registries) != 0 || + len(config.UnqualifiedSearchRegistries) != 0) +} + // tomlConfig is the data type used to unmarshal the toml config. type tomlConfig struct { - Registries []Registry `toml:"registry"` - // backwards compatability to sysregistries v1 - V1TOMLConfig `toml:"registries"` + V2RegistriesConf + V1RegistriesConf // for backwards compatibility with sysregistries v1 } // InvalidRegistries represents an invalid registry configurations. An example @@ -120,12 +182,10 @@ func parseLocation(input string) (string, error) { return trimmed, nil } -// getV1Registries transforms v1 registries in the config into an array of v2 -// registries of type Registry. -func getV1Registries(config *tomlConfig) ([]Registry, error) { +// ConvertToV2 returns a v2 config corresponding to a v1 one. +func (config *V1RegistriesConf) ConvertToV2() (*V2RegistriesConf, error) { regMap := make(map[string]*Registry) - // We must preserve the order of config.V1Registries.Search.Registries at least. The order of the - // other registries is not really important, but make it deterministic (the same for the same config file) + // The order of the registries is not really important, but make it deterministic (the same for the same config file) // to minimize behavior inconsistency and not contribute to difficult-to-reproduce situations. registryOrder := []string{} @@ -148,15 +208,6 @@ func getV1Registries(config *tomlConfig) ([]Registry, error) { return reg, nil } - // Note: config.V1Registries.Search needs to be processed first to ensure registryOrder is populated in the right order - // if one of the search registries is also in one of the other lists. - for _, search := range config.V1TOMLConfig.Search.Registries { - reg, err := getRegistry(search) - if err != nil { - return nil, err - } - reg.Search = true - } for _, blocked := range config.V1TOMLConfig.Block.Registries { reg, err := getRegistry(blocked) if err != nil { @@ -172,28 +223,31 @@ func getV1Registries(config *tomlConfig) ([]Registry, error) { reg.Insecure = true } - registries := []Registry{} + res := &V2RegistriesConf{ + UnqualifiedSearchRegistries: config.V1TOMLConfig.Search.Registries, + } for _, location := range registryOrder { reg := regMap[location] - registries = append(registries, *reg) + res.Registries = append(res.Registries, *reg) } - return registries, nil + return res, nil } -// postProcessRegistries checks the consistency of all registries (e.g., set -// the Prefix to Location if not set) and applies conflict checks. It returns an -// array of cleaned registries and error in case of conflicts. -func postProcessRegistries(regs []Registry) ([]Registry, error) { - var registries []Registry - regMap := make(map[string][]Registry) +// anchoredDomainRegexp is an internal implementation detail of postProcess, defining the valid values of elements of UnqualifiedSearchRegistries. +var anchoredDomainRegexp = regexp.MustCompile("^" + reference.DomainRegexp.String() + "$") - for _, reg := range regs { - var err error +// postProcess checks the consistency of all the configuration, looks for conflicts, +// and normalizes the configuration (e.g., sets the Prefix to Location if not set). +func (config *V2RegistriesConf) postProcess() error { + regMap := make(map[string][]*Registry) + for i := range config.Registries { + reg := &config.Registries[i] // make sure Location and Prefix are valid + var err error reg.Location, err = parseLocation(reg.Location) if err != nil { - return nil, err + return err } if reg.Prefix == "" { @@ -201,7 +255,7 @@ func postProcessRegistries(regs []Registry) ([]Registry, error) { } else { reg.Prefix, err = parseLocation(reg.Prefix) if err != nil { - return nil, err + return err } } @@ -209,10 +263,9 @@ func postProcessRegistries(regs []Registry) ([]Registry, error) { for _, mir := range reg.Mirrors { mir.Location, err = parseLocation(mir.Location) if err != nil { - return nil, err + return err } } - registries = append(registries, reg) regMap[reg.Location] = append(regMap[reg.Location], reg) } @@ -222,22 +275,32 @@ func postProcessRegistries(regs []Registry) ([]Registry, error) { // // Note: we need to iterate over the registries array to ensure a // deterministic behavior which is not guaranteed by maps. - for _, reg := range registries { + for _, reg := range config.Registries { others, _ := regMap[reg.Location] for _, other := range others { if reg.Insecure != other.Insecure { msg := fmt.Sprintf("registry '%s' is defined multiple times with conflicting 'insecure' setting", reg.Location) - - return nil, &InvalidRegistries{s: msg} + return &InvalidRegistries{s: msg} } if reg.Blocked != other.Blocked { msg := fmt.Sprintf("registry '%s' is defined multiple times with conflicting 'blocked' setting", reg.Location) - return nil, &InvalidRegistries{s: msg} + return &InvalidRegistries{s: msg} } } } - return registries, nil + for i := range config.UnqualifiedSearchRegistries { + registry, err := parseLocation(config.UnqualifiedSearchRegistries[i]) + if err != nil { + return err + } + if !anchoredDomainRegexp.MatchString(registry) { + return &InvalidRegistries{fmt.Sprintf("Invalid unqualified-search-registries entry %#v", registry)} + } + config.UnqualifiedSearchRegistries[i] = registry + } + + return nil } // getConfigPath returns the system-registries config path if specified. @@ -260,7 +323,7 @@ var configMutex = sync.Mutex{} // configCache caches already loaded configs with config paths as keys and is // used to avoid redudantly parsing configs. Concurrent accesses to the cache // are synchronized via configMutex. -var configCache = make(map[string][]Registry) +var configCache = make(map[string]*V2RegistriesConf) // InvalidateCache invalidates the registry cache. This function is meant to be // used for long-running processes that need to reload potential changes made to @@ -268,20 +331,18 @@ var configCache = make(map[string][]Registry) func InvalidateCache() { configMutex.Lock() defer configMutex.Unlock() - configCache = make(map[string][]Registry) + configCache = make(map[string]*V2RegistriesConf) } -// GetRegistries loads and returns the registries specified in the config. -// Note the parsed content of registry config files is cached. For reloading, -// use `InvalidateCache` and re-call `GetRegistries`. -func GetRegistries(ctx *types.SystemContext) ([]Registry, error) { +// getConfig returns the config object corresponding to ctx, loading it if it is not yet cached. +func getConfig(ctx *types.SystemContext) (*V2RegistriesConf, error) { configPath := getConfigPath(ctx) configMutex.Lock() defer configMutex.Unlock() // if the config has already been loaded, return the cached registries - if registries, inCache := configCache[configPath]; inCache { - return registries, nil + if config, inCache := configCache[configPath]; inCache { + return config, nil } // load the config @@ -292,51 +353,53 @@ func GetRegistries(ctx *types.SystemContext) ([]Registry, error) { // isn't set. Note: if ctx.SystemRegistriesConfPath points to // the default config, we will still return an error. if os.IsNotExist(err) && (ctx == nil || ctx.SystemRegistriesConfPath == "") { - return []Registry{}, nil + return &V2RegistriesConf{Registries: []Registry{}}, nil } return nil, err } - registries := config.Registries + v2Config := &config.V2RegistriesConf // backwards compatibility for v1 configs - v1Registries, err := getV1Registries(config) - if err != nil { - return nil, err - } - if len(v1Registries) > 0 { - if len(registries) > 0 { + if config.V1RegistriesConf.Nonempty() { + if config.V2RegistriesConf.Nonempty() { return nil, &InvalidRegistries{s: "mixing sysregistry v1/v2 is not supported"} } - registries = v1Registries + v2, err := config.V1RegistriesConf.ConvertToV2() + if err != nil { + return nil, err + } + v2Config = v2 } - registries, err = postProcessRegistries(registries) - if err != nil { + if err := v2Config.postProcess(); err != nil { return nil, err } // populate the cache - configCache[configPath] = registries - - return registries, err + configCache[configPath] = v2Config + return v2Config, nil } -// FindUnqualifiedSearchRegistries returns all registries that are configured -// for unqualified image search (i.e., with Registry.Search == true). -func FindUnqualifiedSearchRegistries(ctx *types.SystemContext) ([]Registry, error) { - registries, err := GetRegistries(ctx) +// GetRegistries loads and returns the registries specified in the config. +// Note the parsed content of registry config files is cached. For reloading, +// use `InvalidateCache` and re-call `GetRegistries`. +func GetRegistries(ctx *types.SystemContext) ([]Registry, error) { + config, err := getConfig(ctx) if err != nil { return nil, err } + return config.Registries, nil +} - unqualified := []Registry{} - for _, reg := range registries { - if reg.Search { - unqualified = append(unqualified, reg) - } +// UnqualifiedSearchRegistries returns a list of host[:port] entries to try +// for unqualified image search, in the returned order) +func UnqualifiedSearchRegistries(ctx *types.SystemContext) ([]string, error) { + config, err := getConfig(ctx) + if err != nil { + return nil, err } - return unqualified, nil + return config.UnqualifiedSearchRegistries, nil } // refMatchesPrefix returns true iff ref, @@ -371,14 +434,14 @@ func refMatchesPrefix(ref, prefix string) bool { // — note that this requires the name to start with an explicit hostname!). // If no Registry prefixes the image, nil is returned. func FindRegistry(ctx *types.SystemContext, ref string) (*Registry, error) { - registries, err := GetRegistries(ctx) + config, err := getConfig(ctx) if err != nil { return nil, err } reg := Registry{} prefixLen := 0 - for _, r := range registries { + for _, r := range config.Registries { if refMatchesPrefix(ref, r.Prefix) { length := len(r.Prefix) if length > prefixLen { @@ -393,21 +456,12 @@ func FindRegistry(ctx *types.SystemContext, ref string) (*Registry, error) { return nil, nil } -// Reads the global registry file from the filesystem. Returns a byte array. -func readRegistryConf(configPath string) ([]byte, error) { - configBytes, err := ioutil.ReadFile(configPath) - return configBytes, err -} - -// Used in unittests to parse custom configs without a types.SystemContext. -var readConf = readRegistryConf - // Loads the registry configuration file from the filesystem and then unmarshals // it. Returns the unmarshalled object. func loadRegistryConf(configPath string) (*tomlConfig, error) { config := &tomlConfig{} - configBytes, err := readConf(configPath) + configBytes, err := ioutil.ReadFile(configPath) if err != nil { return nil, err } diff --git a/vendor/github.com/containers/image/version/version.go b/vendor/github.com/containers/image/version/version.go index 184274736..62b2c8bc5 100644 --- a/vendor/github.com/containers/image/version/version.go +++ b/vendor/github.com/containers/image/version/version.go @@ -4,14 +4,14 @@ import "fmt" const ( // VersionMajor is for an API incompatible changes - VersionMajor = 1 + VersionMajor = 2 // VersionMinor is for functionality in a backwards-compatible manner - VersionMinor = 7 + VersionMinor = 0 // VersionPatch is for backwards-compatible bug fixes VersionPatch = 0 // VersionDev indicates development branch. Releases will be empty string. - VersionDev = "-dev" + VersionDev = "" ) // Version is the specification version that the package types support. diff --git a/vendor/github.com/containers/storage/containers.go b/vendor/github.com/containers/storage/containers.go index bbac78b60..e69552361 100644 --- a/vendor/github.com/containers/storage/containers.go +++ b/vendor/github.com/containers/storage/containers.go @@ -572,6 +572,10 @@ func (r *containerStore) Lock() { r.lockfile.Lock() } +func (r *containerStore) RecursiveLock() { + r.lockfile.RecursiveLock() +} + func (r *containerStore) RLock() { r.lockfile.RLock() } diff --git a/vendor/github.com/containers/storage/drivers/aufs/aufs.go b/vendor/github.com/containers/storage/drivers/aufs/aufs.go index e821bc0c5..353d1707a 100644 --- a/vendor/github.com/containers/storage/drivers/aufs/aufs.go +++ b/vendor/github.com/containers/storage/drivers/aufs/aufs.go @@ -255,6 +255,9 @@ func (a *Driver) AdditionalImageStores() []string { // CreateFromTemplate creates a layer with the same contents and parent as another layer. func (a *Driver) CreateFromTemplate(id, template string, templateIDMappings *idtools.IDMappings, parent string, parentIDMappings *idtools.IDMappings, opts *graphdriver.CreateOpts, readWrite bool) error { + if opts == nil { + opts = &graphdriver.CreateOpts{} + } return graphdriver.NaiveCreateFromTemplate(a, id, template, templateIDMappings, parent, parentIDMappings, opts, readWrite) } diff --git a/vendor/github.com/containers/storage/drivers/chown.go b/vendor/github.com/containers/storage/drivers/chown.go index 4d4011ee0..f2f1ec386 100644 --- a/vendor/github.com/containers/storage/drivers/chown.go +++ b/vendor/github.com/containers/storage/drivers/chown.go @@ -55,6 +55,9 @@ func chownByMapsMain() { if err != nil { return fmt.Errorf("error walking to %q: %v", path, err) } + if path == "." { + return nil + } return platformLChown(path, info, toHost, toContainer) } if err := filepath.Walk(".", chown); err != nil { diff --git a/vendor/github.com/containers/storage/images.go b/vendor/github.com/containers/storage/images.go index 38b5a3ef3..6f487504a 100644 --- a/vendor/github.com/containers/storage/images.go +++ b/vendor/github.com/containers/storage/images.go @@ -82,6 +82,9 @@ type Image struct { // is set before using it. Created time.Time `json:"created,omitempty"` + // ReadOnly is true if this image resides in a read-only layer store. + ReadOnly bool `json:"-"` + Flags map[string]interface{} `json:"flags,omitempty"` } @@ -159,6 +162,7 @@ func copyImage(i *Image) *Image { BigDataSizes: copyStringInt64Map(i.BigDataSizes), BigDataDigests: copyStringDigestMap(i.BigDataDigests), Created: i.Created, + ReadOnly: i.ReadOnly, Flags: copyStringInterfaceMap(i.Flags), } } @@ -269,6 +273,7 @@ func (r *imageStore) Load() error { list := digests[digest] digests[digest] = append(list, image) } + image.ReadOnly = !r.IsReadWrite() } } if shouldSave && (!r.IsReadWrite() || !r.Locked()) { @@ -739,6 +744,10 @@ func (r *imageStore) Lock() { r.lockfile.Lock() } +func (r *imageStore) RecursiveLock() { + r.lockfile.RecursiveLock() +} + func (r *imageStore) RLock() { r.lockfile.RLock() } diff --git a/vendor/github.com/containers/storage/layers.go b/vendor/github.com/containers/storage/layers.go index a35dd476b..fb79238cd 100644 --- a/vendor/github.com/containers/storage/layers.go +++ b/vendor/github.com/containers/storage/layers.go @@ -103,6 +103,9 @@ type Layer struct { // for use inside of a user namespace where UID mapping is being used. UIDMap []idtools.IDMap `json:"uidmap,omitempty"` GIDMap []idtools.IDMap `json:"gidmap,omitempty"` + + // ReadOnly is true if this layer resides in a read-only layer store. + ReadOnly bool `json:"-"` } type layerMountPoint struct { @@ -259,6 +262,7 @@ func copyLayer(l *Layer) *Layer { UncompressedDigest: l.UncompressedDigest, UncompressedSize: l.UncompressedSize, CompressionType: l.CompressionType, + ReadOnly: l.ReadOnly, Flags: copyStringInterfaceMap(l.Flags), UIDMap: copyIDMap(l.UIDMap), GIDMap: copyIDMap(l.GIDMap), @@ -318,6 +322,7 @@ func (r *layerStore) Load() error { if layer.MountLabel != "" { label.ReserveLabel(layer.MountLabel) } + layer.ReadOnly = !r.IsReadWrite() } err = nil } @@ -1304,6 +1309,10 @@ func (r *layerStore) Lock() { r.lockfile.Lock() } +func (r *layerStore) RecursiveLock() { + r.lockfile.RecursiveLock() +} + func (r *layerStore) RLock() { r.lockfile.RLock() } diff --git a/vendor/github.com/containers/storage/layers_ffjson.go b/vendor/github.com/containers/storage/layers_ffjson.go index 09b5d0f33..125b5d8c9 100644 --- a/vendor/github.com/containers/storage/layers_ffjson.go +++ b/vendor/github.com/containers/storage/layers_ffjson.go @@ -1,5 +1,5 @@ // Code generated by ffjson <https://github.com/pquerna/ffjson>. DO NOT EDIT. -// source: ./layers.go +// source: layers.go package storage diff --git a/vendor/github.com/containers/storage/lockfile.go b/vendor/github.com/containers/storage/lockfile.go index ed8753337..c4f1b5549 100644 --- a/vendor/github.com/containers/storage/lockfile.go +++ b/vendor/github.com/containers/storage/lockfile.go @@ -15,6 +15,10 @@ type Locker interface { // Acquire a writer lock. Lock() + // Acquire a writer lock recursively, allowing for recursive acquisitions + // within the same process space. + RecursiveLock() + // Unlock the lock. Unlock() diff --git a/vendor/github.com/containers/storage/lockfile_linux.go b/vendor/github.com/containers/storage/lockfile_linux.go deleted file mode 100644 index 903387c66..000000000 --- a/vendor/github.com/containers/storage/lockfile_linux.go +++ /dev/null @@ -1,20 +0,0 @@ -// +build linux solaris - -package storage - -import ( - "time" - - "golang.org/x/sys/unix" -) - -// TouchedSince indicates if the lock file has been touched since the specified time -func (l *lockfile) TouchedSince(when time.Time) bool { - st := unix.Stat_t{} - err := unix.Fstat(int(l.fd), &st) - if err != nil { - return true - } - touched := time.Unix(st.Mtim.Unix()) - return when.Before(touched) -} diff --git a/vendor/github.com/containers/storage/lockfile_otherunix.go b/vendor/github.com/containers/storage/lockfile_otherunix.go deleted file mode 100644 index 041d54c05..000000000 --- a/vendor/github.com/containers/storage/lockfile_otherunix.go +++ /dev/null @@ -1,19 +0,0 @@ -// +build darwin freebsd - -package storage - -import ( - "time" - - "golang.org/x/sys/unix" -) - -func (l *lockfile) TouchedSince(when time.Time) bool { - st := unix.Stat_t{} - err := unix.Fstat(int(l.fd), &st) - if err != nil { - return true - } - touched := time.Unix(st.Mtimespec.Unix()) - return when.Before(touched) -} diff --git a/vendor/github.com/containers/storage/lockfile_unix.go b/vendor/github.com/containers/storage/lockfile_unix.go index 8e0f22cb5..00215e928 100644 --- a/vendor/github.com/containers/storage/lockfile_unix.go +++ b/vendor/github.com/containers/storage/lockfile_unix.go @@ -9,6 +9,7 @@ import ( "time" "github.com/containers/storage/pkg/stringid" + "github.com/containers/storage/pkg/system" "github.com/pkg/errors" "golang.org/x/sys/unix" ) @@ -25,6 +26,7 @@ type lockfile struct { locktype int16 locked bool ro bool + recursive bool } // openLock opens the file at path and returns the corresponding file @@ -75,7 +77,7 @@ func createLockerForPath(path string, ro bool) (Locker, error) { // lock locks the lockfile via FCTNL(2) based on the specified type and // command. -func (l *lockfile) lock(l_type int16) { +func (l *lockfile) lock(l_type int16, recursive bool) { lk := unix.Flock_t{ Type: l_type, Whence: int16(os.SEEK_SET), @@ -86,7 +88,13 @@ func (l *lockfile) lock(l_type int16) { case unix.F_RDLCK: l.rwMutex.RLock() case unix.F_WRLCK: - l.rwMutex.Lock() + if recursive { + // NOTE: that's okay as recursive is only set in RecursiveLock(), so + // there's no need to protect against hypothetical RDLCK cases. + l.rwMutex.RLock() + } else { + l.rwMutex.Lock() + } default: panic(fmt.Sprintf("attempted to acquire a file lock of unrecognized type %d", l_type)) } @@ -110,6 +118,7 @@ func (l *lockfile) lock(l_type int16) { } l.locktype = l_type l.locked = true + l.recursive = recursive l.counter++ } @@ -119,13 +128,24 @@ func (l *lockfile) Lock() { if l.ro { l.RLock() } else { - l.lock(unix.F_WRLCK) + l.lock(unix.F_WRLCK, false) + } +} + +// RecursiveLock locks the lockfile as a writer but allows for recursive +// acquisitions within the same process space. Note that RLock() will be called +// if it's a lockTypReader lock. +func (l *lockfile) RecursiveLock() { + if l.ro { + l.RLock() + } else { + l.lock(unix.F_WRLCK, true) } } // LockRead locks the lockfile as a reader. func (l *lockfile) RLock() { - l.lock(unix.F_RDLCK) + l.lock(unix.F_RDLCK, false) } // Unlock unlocks the lockfile. @@ -161,7 +181,7 @@ func (l *lockfile) Unlock() { // Close the file descriptor on the last unlock. unix.Close(int(l.fd)) } - if l.locktype == unix.F_RDLCK { + if l.locktype == unix.F_RDLCK || l.recursive { l.rwMutex.RUnlock() } else { l.rwMutex.Unlock() @@ -232,3 +252,14 @@ func (l *lockfile) Modified() (bool, error) { func (l *lockfile) IsReadWrite() bool { return !l.ro } + +// TouchedSince indicates if the lock file has been touched since the specified time +func (l *lockfile) TouchedSince(when time.Time) bool { + st, err := system.Fstat(int(l.fd)) + if err != nil { + return true + } + mtim := st.Mtim() + touched := time.Unix(mtim.Unix()) + return when.Before(touched) +} diff --git a/vendor/github.com/containers/storage/lockfile_windows.go b/vendor/github.com/containers/storage/lockfile_windows.go index c02069495..caf7c184a 100644 --- a/vendor/github.com/containers/storage/lockfile_windows.go +++ b/vendor/github.com/containers/storage/lockfile_windows.go @@ -36,6 +36,12 @@ func (l *lockfile) Lock() { l.locked = true } +func (l *lockfile) RecursiveLock() { + // We don't support Windows but a recursive writer-lock in one process-space + // is really a writer lock, so just panic. + panic("not supported") +} + func (l *lockfile) RLock() { l.mu.Lock() l.locked = true diff --git a/vendor/github.com/containers/storage/pkg/chrootarchive/archive.go b/vendor/github.com/containers/storage/pkg/chrootarchive/archive.go index a36ff1cb1..33ba6a128 100644 --- a/vendor/github.com/containers/storage/pkg/chrootarchive/archive.go +++ b/vendor/github.com/containers/storage/pkg/chrootarchive/archive.go @@ -1,7 +1,7 @@ package chrootarchive import ( - "archive/tar" + stdtar "archive/tar" "fmt" "io" "io/ioutil" @@ -34,18 +34,34 @@ func NewArchiverWithChown(tarIDMappings *idtools.IDMappings, chownOpts *idtools. // The archive may be compressed with one of the following algorithms: // identity (uncompressed), gzip, bzip2, xz. func Untar(tarArchive io.Reader, dest string, options *archive.TarOptions) error { - return untarHandler(tarArchive, dest, options, true) + return untarHandler(tarArchive, dest, options, true, dest) +} + +// UntarWithRoot is the same as `Untar`, but allows you to pass in a root directory +// The root directory is the directory that will be chrooted to. +// `dest` must be a path within `root`, if it is not an error will be returned. +// +// `root` should set to a directory which is not controlled by any potentially +// malicious process. +// +// This should be used to prevent a potential attacker from manipulating `dest` +// such that it would provide access to files outside of `dest` through things +// like symlinks. Normally `ResolveSymlinksInScope` would handle this, however +// sanitizing symlinks in this manner is inherrently racey: +// ref: CVE-2018-15664 +func UntarWithRoot(tarArchive io.Reader, dest string, options *archive.TarOptions, root string) error { + return untarHandler(tarArchive, dest, options, true, root) } // UntarUncompressed reads a stream of bytes from `archive`, parses it as a tar archive, // and unpacks it into the directory at `dest`. // The archive must be an uncompressed stream. func UntarUncompressed(tarArchive io.Reader, dest string, options *archive.TarOptions) error { - return untarHandler(tarArchive, dest, options, false) + return untarHandler(tarArchive, dest, options, false, dest) } // Handler for teasing out the automatic decompression -func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions, decompress bool) error { +func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions, decompress bool, root string) error { if tarArchive == nil { return fmt.Errorf("Empty archive") } @@ -77,7 +93,15 @@ func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions r = decompressedArchive } - return invokeUnpack(r, dest, options) + return invokeUnpack(r, dest, options, root) +} + +// Tar tars the requested path while chrooted to the specified root. +func Tar(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) { + if options == nil { + options = &archive.TarOptions{} + } + return invokePack(srcPath, options, root) } // CopyFileWithTarAndChown returns a function which copies a single file from outside @@ -99,7 +123,7 @@ func CopyFileWithTarAndChown(chownOpts *idtools.IDPair, hasher io.Writer, uidmap var hashWorker sync.WaitGroup hashWorker.Add(1) go func() { - t := tar.NewReader(contentReader) + t := stdtar.NewReader(contentReader) _, err := t.Next() if err != nil { hashError = err diff --git a/vendor/github.com/containers/storage/pkg/chrootarchive/archive_unix.go b/vendor/github.com/containers/storage/pkg/chrootarchive/archive_unix.go index e04ed787c..ca9fb10d7 100644 --- a/vendor/github.com/containers/storage/pkg/chrootarchive/archive_unix.go +++ b/vendor/github.com/containers/storage/pkg/chrootarchive/archive_unix.go @@ -10,10 +10,13 @@ import ( "io" "io/ioutil" "os" + "path/filepath" "runtime" + "strings" "github.com/containers/storage/pkg/archive" "github.com/containers/storage/pkg/reexec" + "github.com/pkg/errors" ) // untar is the entry-point for storage-untar on re-exec. This is not used on @@ -23,18 +26,28 @@ func untar() { runtime.LockOSThread() flag.Parse() - var options *archive.TarOptions + var options archive.TarOptions //read the options from the pipe "ExtraFiles" if err := json.NewDecoder(os.NewFile(3, "options")).Decode(&options); err != nil { fatal(err) } - if err := chroot(flag.Arg(0)); err != nil { + dst := flag.Arg(0) + var root string + if len(flag.Args()) > 1 { + root = flag.Arg(1) + } + + if root == "" { + root = dst + } + + if err := chroot(root); err != nil { fatal(err) } - if err := archive.Unpack(os.Stdin, "/", options); err != nil { + if err := archive.Unpack(os.Stdin, dst, &options); err != nil { fatal(err) } // fully consume stdin in case it is zero padded @@ -45,7 +58,10 @@ func untar() { os.Exit(0) } -func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.TarOptions) error { +func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.TarOptions, root string) error { + if root == "" { + return errors.New("must specify a root to chroot to") + } // We can't pass a potentially large exclude list directly via cmd line // because we easily overrun the kernel's max argument/environment size @@ -57,7 +73,21 @@ func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.T return fmt.Errorf("Untar pipe failure: %v", err) } - cmd := reexec.Command("storage-untar", dest) + if root != "" { + relDest, err := filepath.Rel(root, dest) + if err != nil { + return err + } + if relDest == "." { + relDest = "/" + } + if relDest[0] != '/' { + relDest = "/" + relDest + } + dest = relDest + } + + cmd := reexec.Command("storage-untar", dest, root) cmd.Stdin = decompressedArchive cmd.ExtraFiles = append(cmd.ExtraFiles, r) @@ -68,6 +98,7 @@ func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.T if err := cmd.Start(); err != nil { return fmt.Errorf("Untar error on re-exec cmd: %v", err) } + //write the options to the pipe for the untar exec to read if err := json.NewEncoder(w).Encode(options); err != nil { return fmt.Errorf("Untar json encode to pipe failed: %v", err) @@ -84,3 +115,92 @@ func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.T } return nil } + +func tar() { + runtime.LockOSThread() + flag.Parse() + + src := flag.Arg(0) + var root string + if len(flag.Args()) > 1 { + root = flag.Arg(1) + } + + if root == "" { + root = src + } + + if err := realChroot(root); err != nil { + fatal(err) + } + + var options archive.TarOptions + if err := json.NewDecoder(os.Stdin).Decode(&options); err != nil { + fatal(err) + } + + rdr, err := archive.TarWithOptions(src, &options) + if err != nil { + fatal(err) + } + defer rdr.Close() + + if _, err := io.Copy(os.Stdout, rdr); err != nil { + fatal(err) + } + + os.Exit(0) +} + +func invokePack(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) { + if root == "" { + return nil, errors.New("root path must not be empty") + } + + relSrc, err := filepath.Rel(root, srcPath) + if err != nil { + return nil, err + } + if relSrc == "." { + relSrc = "/" + } + if relSrc[0] != '/' { + relSrc = "/" + relSrc + } + + // make sure we didn't trim a trailing slash with the call to `Rel` + if strings.HasSuffix(srcPath, "/") && !strings.HasSuffix(relSrc, "/") { + relSrc += "/" + } + + cmd := reexec.Command("storage-tar", relSrc, root) + + errBuff := bytes.NewBuffer(nil) + cmd.Stderr = errBuff + + tarR, tarW := io.Pipe() + cmd.Stdout = tarW + + stdin, err := cmd.StdinPipe() + if err != nil { + return nil, errors.Wrap(err, "error getting options pipe for tar process") + } + + if err := cmd.Start(); err != nil { + return nil, errors.Wrap(err, "tar error on re-exec cmd") + } + + go func() { + err := cmd.Wait() + err = errors.Wrapf(err, "error processing tar file: %s", errBuff) + tarW.CloseWithError(err) + }() + + if err := json.NewEncoder(stdin).Encode(options); err != nil { + stdin.Close() + return nil, errors.Wrap(err, "tar json encode to pipe failed") + } + stdin.Close() + + return tarR, nil +} diff --git a/vendor/github.com/containers/storage/pkg/chrootarchive/archive_windows.go b/vendor/github.com/containers/storage/pkg/chrootarchive/archive_windows.go index 93fde4220..8a5c680b1 100644 --- a/vendor/github.com/containers/storage/pkg/chrootarchive/archive_windows.go +++ b/vendor/github.com/containers/storage/pkg/chrootarchive/archive_windows.go @@ -14,9 +14,16 @@ func chroot(path string) error { func invokeUnpack(decompressedArchive io.ReadCloser, dest string, - options *archive.TarOptions) error { + options *archive.TarOptions, root string) error { // Windows is different to Linux here because Windows does not support // chroot. Hence there is no point sandboxing a chrooted process to // do the unpack. We call inline instead within the daemon process. return archive.Unpack(decompressedArchive, longpath.AddPrefix(dest), options) } + +func invokePack(srcPath string, options *archive.TarOptions, root string) (io.ReadCloser, error) { + // Windows is different to Linux here because Windows does not support + // chroot. Hence there is no point sandboxing a chrooted process to + // do the pack. We call inline instead within the daemon process. + return archive.TarWithOptions(srcPath, options) +} diff --git a/vendor/github.com/containers/storage/pkg/chrootarchive/chroot_unix.go b/vendor/github.com/containers/storage/pkg/chrootarchive/chroot_unix.go index f9b5dece8..83278ee50 100644 --- a/vendor/github.com/containers/storage/pkg/chrootarchive/chroot_unix.go +++ b/vendor/github.com/containers/storage/pkg/chrootarchive/chroot_unix.go @@ -4,9 +4,13 @@ package chrootarchive import "golang.org/x/sys/unix" -func chroot(path string) error { +func realChroot(path string) error { if err := unix.Chroot(path); err != nil { return err } return unix.Chdir("/") } + +func chroot(path string) error { + return realChroot(path) +} diff --git a/vendor/github.com/containers/storage/pkg/chrootarchive/init_unix.go b/vendor/github.com/containers/storage/pkg/chrootarchive/init_unix.go index 21cd87992..ea08135e4 100644 --- a/vendor/github.com/containers/storage/pkg/chrootarchive/init_unix.go +++ b/vendor/github.com/containers/storage/pkg/chrootarchive/init_unix.go @@ -14,6 +14,7 @@ import ( func init() { reexec.Register("storage-applyLayer", applyLayer) reexec.Register("storage-untar", untar) + reexec.Register("storage-tar", tar) } func fatal(err error) { diff --git a/vendor/github.com/containers/storage/pkg/system/stat_unix.go b/vendor/github.com/containers/storage/pkg/system/stat_unix.go index 91c7d121c..f9a1b4877 100644 --- a/vendor/github.com/containers/storage/pkg/system/stat_unix.go +++ b/vendor/github.com/containers/storage/pkg/system/stat_unix.go @@ -58,3 +58,15 @@ func Stat(path string) (*StatT, error) { } return fromStatT(s) } + +// Fstat takes an open file descriptor and returns +// a system.StatT type pertaining to that file. +// +// Throws an error if the file descriptor is invalid +func Fstat(fd int) (*StatT, error) { + s := &syscall.Stat_t{} + if err := syscall.Fstat(fd, s); err != nil { + return nil, err + } + return fromStatT(s) +} diff --git a/vendor/github.com/containers/storage/store.go b/vendor/github.com/containers/storage/store.go index 9b967db6d..d70848dc5 100644 --- a/vendor/github.com/containers/storage/store.go +++ b/vendor/github.com/containers/storage/store.go @@ -3398,12 +3398,18 @@ func init() { ReloadConfigurationFile(defaultConfigFile, &defaultStoreOptions) } +// GetDefaultMountOptions returns the default mountoptions defined in container/storage func GetDefaultMountOptions() ([]string, error) { + return GetMountOptions(defaultStoreOptions.GraphDriverName, defaultStoreOptions.GraphDriverOptions) +} + +// GetMountOptions returns the mountoptions for the specified driver and graphDriverOptions +func GetMountOptions(driver string, graphDriverOptions []string) ([]string, error) { mountOpts := []string{ ".mountopt", - fmt.Sprintf("%s.mountopt", defaultStoreOptions.GraphDriverName), + fmt.Sprintf("%s.mountopt", driver), } - for _, option := range defaultStoreOptions.GraphDriverOptions { + for _, option := range graphDriverOptions { key, val, err := parsers.ParseKeyValueOpt(option) if err != nil { return nil, err diff --git a/vendor/github.com/containers/storage/utils.go b/vendor/github.com/containers/storage/utils.go index 6c9f163a3..fafaaab5e 100644 --- a/vendor/github.com/containers/storage/utils.go +++ b/vendor/github.com/containers/storage/utils.go @@ -71,14 +71,16 @@ func ParseIDMapping(UIDMapSlice, GIDMapSlice []string, subUIDMap, subGIDMap stri // GetRootlessRuntimeDir returns the runtime directory when running as non root func GetRootlessRuntimeDir(rootlessUid int) (string, error) { runtimeDir := os.Getenv("XDG_RUNTIME_DIR") - if runtimeDir == "" { - tmpDir := fmt.Sprintf("/run/user/%d", rootlessUid) - st, err := system.Stat(tmpDir) - if err == nil && int(st.UID()) == os.Getuid() && st.Mode()&0700 == 0700 && st.Mode()&0066 == 0000 { - return tmpDir, nil - } + + if runtimeDir != "" { + return runtimeDir, nil + } + tmpDir := fmt.Sprintf("/run/user/%d", rootlessUid) + st, err := system.Stat(tmpDir) + if err == nil && int(st.UID()) == os.Getuid() && st.Mode()&0700 == 0700 && st.Mode()&0066 == 0000 { + return tmpDir, nil } - tmpDir := fmt.Sprintf("%s/%d", os.TempDir(), rootlessUid) + tmpDir = fmt.Sprintf("%s/%d", os.TempDir(), rootlessUid) if err := os.MkdirAll(tmpDir, 0700); err != nil { logrus.Errorf("failed to create %s: %v", tmpDir, err) } else { diff --git a/version/version.go b/version/version.go index a917931b7..2ef7a9c65 100644 --- a/version/version.go +++ b/version/version.go @@ -4,7 +4,7 @@ package version // NOTE: remember to bump the version at the top // of the top-level README.md file when this is // bumped. -const Version = "1.3.2-dev" +const Version = "1.4.2-dev" // RemoteAPIVersion is the version for the remote // client API. It is used to determine compatibility |