-rw-r--r-- | Makefile | 4 | ||||
-rw-r--r-- | cmd/podman/common/create_opts.go | 1 | ||||
-rw-r--r-- | cmd/podman/common/specgen.go | 1 | ||||
-rw-r--r-- | cmd/podman/containers/create.go | 4 | ||||
-rw-r--r-- | cmd/podman/containers/run.go | 3 | ||||
-rw-r--r-- | completions/bash/podman | 1 | ||||
-rw-r--r-- | docs/source/markdown/podman-generate-systemd.1.md | 8 | ||||
-rw-r--r-- | docs/source/markdown/podman-run.1.md | 4 | ||||
-rw-r--r-- | go.mod | 2 | ||||
-rw-r--r-- | libpod/container.go | 5 | ||||
-rw-r--r-- | libpod/container_log.go | 29 | ||||
-rw-r--r-- | libpod/oci_conmon_linux.go | 24 | ||||
-rw-r--r-- | libpod/options.go | 12 | ||||
-rw-r--r-- | pkg/domain/entities/containers.go | 1 | ||||
-rw-r--r-- | pkg/rootless/rootless_linux.go | 3 | ||||
-rw-r--r-- | pkg/specgen/container_validate.go | 4 | ||||
-rw-r--r-- | pkg/specgen/generate/container_create.go | 4 | ||||
-rw-r--r-- | pkg/specgen/specgen.go | 6 | ||||
-rw-r--r-- | test/e2e/logs_test.go | 12 | ||||
-rw-r--r-- | test/e2e/run_test.go | 12 | ||||
-rw-r--r-- | test/system/030-run.bats | 12 |
21 files changed, 135 insertions, 17 deletions
@@ -38,10 +38,10 @@ PRE_COMMIT = $(shell command -v bin/venv/bin/pre-commit ~/.local/bin/pre-commit
 SOURCES = $(shell find . -path './.*' -prune -o -name "*.go")
-GO_BUILD=$(GO) build
+GO_BUILD ?= $(GO) build
 # Go module support: set `-mod=vendor` to use the vendored sources
 ifeq ($(shell go help mod >/dev/null 2>&1 && echo true), true)
- GO_BUILD=GO111MODULE=on $(GO) build -mod=vendor
+ GO_BUILD ?= GO111MODULE=on $(GO) build -mod=vendor
 endif
 BUILDTAGS_CROSS ?= containers_image_openpgp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper exclude_graphdriver_overlay
diff --git a/cmd/podman/common/create_opts.go b/cmd/podman/common/create_opts.go
index 49052704e..4f3b8b322 100644
--- a/cmd/podman/common/create_opts.go
+++ b/cmd/podman/common/create_opts.go
@@ -69,6 +69,7 @@ type ContainerCLIOpts struct {
 PIDsLimit int64
 Pod string
 PodIDFile string
+ PreserveFDs uint
 Privileged bool
 PublishAll bool
 Pull string
diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go
index e6a524358..599e003e8 100644
--- a/cmd/podman/common/specgen.go
+++ b/cmd/podman/common/specgen.go
@@ -609,6 +609,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 }
 s.LogConfiguration.Options = logOpts
 s.Name = c.Name
+ s.PreserveFDs = c.PreserveFDs
 s.OOMScoreAdj = &c.OOMScoreAdj
 if c.Restart != "" {
diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go
index 6269ec781..45ce00c86 100644
--- a/cmd/podman/containers/create.go
+++ b/cmd/podman/containers/create.go
@@ -156,10 +156,6 @@ func replaceContainer(name string) error {
 }
 func createInit(c *cobra.Command) error {
- if c.Flag("privileged").Changed && c.Flag("security-opt").Changed {
- logrus.Warn("setting security options with --privileged has no effect")
- }
-
 if c.Flag("shm-size").Changed {
 cliVals.ShmSize = c.Flag("shm-size").Value.String()
 }
diff --git a/cmd/podman/containers/run.go b/cmd/podman/containers/run.go
index b9c196b64..cb307c38f 100644
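Review bot: The second assignment inside the `ifeq`, `GO_BUILD ?= GO111MODULE=on $(GO) build -mod=vendor`, can never take effect, because `?=` only assigns an undefined variable and the preceding `GO_BUILD ?= $(GO) build` has already defined it; on every module-aware toolchain the `-mod=vendor` form is therefore silently dropped and `go build` resolves dependencies from the module cache or the network rather than the reviewed `vendor/` tree. Moving the unconditional `GO_BUILD ?= $(GO) build` to after the `endif` fixes this while keeping the override intact: a GO_BUILD exported from the environment or given on the command line is already defined, so both `?=` lines are skipped, and otherwise the vendored variant wins whenever `go help mod` succeeds. A line above the block such as `# GO_BUILD may be overridden from the environment; when the toolchain supports modules the default builds from vendor/` would make the intent visible to the next reader.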
--- a/cmd/podman/containers/run.go
+++ b/cmd/podman/containers/run.go
@@ -61,10 +61,12 @@ func runFlags(flags *pflag.FlagSet) {
 flags.SetNormalizeFunc(common.AliasFlags)
 flags.BoolVar(&runOpts.SigProxy, "sig-proxy", true, "Proxy received signals to the process")
 flags.BoolVar(&runRmi, "rmi", false, "Remove container image unless used by other containers")
+ flags.UintVar(&runOpts.PreserveFDs, "preserve-fds", 0, "Pass a number of additional file descriptors into the container")
 if registry.IsRemote() {
 _ = flags.MarkHidden("authfile")
 _ = flags.MarkHidden("env-host")
 _ = flags.MarkHidden("http-proxy")
+ _ = flags.MarkHidden("preserve-fds")
 }
 // Not sure we want these exposed yet. If we do, they need to be documented in man pages
 _ = flags.MarkHidden("override-arch")
@@ -163,6 +165,7 @@ func run(cmd *cobra.Command, args []string) error {
 }
 runOpts.Detach = cliVals.Detach
 runOpts.DetachKeys = cliVals.DetachKeys
+ cliVals.PreserveFDs = runOpts.PreserveFDs
 s := specgen.NewSpecGenerator(args[0], cliVals.RootFS)
 if err := common.FillOutSpecGen(s, &cliVals, args); err != nil {
 return err
diff --git a/completions/bash/podman b/completions/bash/podman
index 5e990ec41..595739abf 100644
--- a/completions/bash/podman
+++ b/completions/bash/podman
@@ -2103,6 +2103,7 @@ _podman_container_run() {
 --pids-limit
 --pod
 --pod-id-file
+ --preserve-fds
 --publish -p
 --pull
 --runtime
diff --git a/docs/source/markdown/podman-generate-systemd.1.md b/docs/source/markdown/podman-generate-systemd.1.md
index dc10a583d..466c7e2bf 100644
--- a/docs/source/markdown/podman-generate-systemd.1.md
+++ b/docs/source/markdown/podman-generate-systemd.1.md
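Review bot: `--preserve-fds` is accepted from the user without any check that descriptors 3 through 3+N are actually open in this process, and `cliVals.PreserveFDs = runOpts.PreserveFDs` in the second hunk forwards the raw count, so whatever podman itself happens to hold at those numbers — or nothing at all — is what later gets handed to conmon and the runtime. The natural place for the check is `run` (whose body starts before the hunk), directly after that assignment: probe each descriptor, e.g. with `unix.FcntlInt(uintptr(fd), unix.F_GETFD, 0)` from golang.org/x/sys, and return an error naming the first fd that is not open instead of creating the container. The flag is registered only in `runFlags` even though `ContainerCLIOpts` now carries the field for both commands; if `podman create` is meant to stay unsupported for this option, a one-line comment on the `flags.UintVar` line saying so would save the next reader from looking for the missing registration.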
@@ -163,10 +163,10 @@ $ podman generate systemd --files --name systemd-pod
 # Copy all the generated files.
 $ sudo cp pod-systemd-pod.service container-great_payne.service /usr/lib/systemd/system
-$ systemctl enable pod-systemd-po.service
-Created symlink /etc/systemd/system/multi-user.target.wants/pod-systemd-po.service → /usr/lib/systemd/system/pod-systemd-po.service.
-Created symlink /etc/systemd/system/default.target.wants/pod-systemd-po.service → /usr/lib/systemd/system/pod-systemd-po.service.
-$ systemctl is-enabled pod-systemd-po.service
+$ systemctl enable pod-systemd-pod.service
+Created symlink /etc/systemd/system/multi-user.target.wants/pod-systemd-pod.service → /usr/lib/systemd/system/pod-systemd-pod.service.
+Created symlink /etc/systemd/system/default.target.wants/pod-systemd-pod.service → /usr/lib/systemd/system/pod-systemd-pod.service.
+$ systemctl is-enabled pod-systemd-pod.service
 enabled
 ```
 To run the user services placed in `$HOME/.config/systemd/user/` on first login of that user, enable the service with --user flag.
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index 7e91a06a3..88666d595 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -609,6 +609,10 @@ If a container is run with a pod, and the pod has an infra-container, the infra-
 Run container in an existing pod and read the pod's ID from the specified file.
 If a container is run within a pod, and the pod has an infra-container, the infra-container will be started before the container is.
+**--preserve-fds**=*N*
+
+Pass down to the process N additional file descriptors (in addition to 0, 1, 2). The total FDs will be 3+N.
+
 **--privileged**=**true**|**false**
 Give extended privileges to this container. The default is **false**.
@@ -1,6 +1,6 @@
 module github.com/containers/libpod
-go 1.12
+go 1.13
 require (
 github.com/BurntSushi/toml v0.3.1
diff --git a/libpod/container.go b/libpod/container.go
index 20702903e..c85249676 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -418,6 +418,11 @@ type ContainerConfig struct {
 // HealthCheckConfig has the health check command and related timings
 HealthCheckConfig *manifest.Schema2HealthConfig `json:"healthcheck"`
+
+ // PreserveFDs is a number of additional file descriptors (in addition
+ // to 0, 1, 2) that will be passed to the executed process. The total FDs
+ // passed will be 3 + PreserveFDs.
+ PreserveFDs uint `json:"preserveFds,omitempty"`
 }
 // ContainerNamedVolume is a named volume that will be mounted into the
diff --git a/libpod/container_log.go b/libpod/container_log.go
index 071882bc2..67380397a 100644
--- a/libpod/container_log.go
+++ b/libpod/container_log.go
@@ -1,10 +1,13 @@
 package libpod
 import (
+ "fmt"
 "os"
+ "time"
 "github.com/containers/libpod/libpod/define"
 "github.com/containers/libpod/libpod/logs"
+ "github.com/hpcloud/tail/watch"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
 )
@@ -81,5 +84,31 @@ func (c *Container) readFromLogFile(options *logs.LogOptions, logChannel chan *l
 }
 options.WaitGroup.Done()
 }()
+ // Check if container is still running or paused
+ if options.Follow {
+ go func() {
+ for {
+ state, err := c.State()
+ time.Sleep(watch.POLL_DURATION)
+ if err != nil {
+ tailError := t.StopAtEOF()
+ if tailError != nil && fmt.Sprintf("%v", tailError) != "tail: stop at eof" {
+ logrus.Error(tailError)
+ }
+ if errors.Cause(err) != define.ErrNoSuchCtr {
+ logrus.Error(err)
+ }
+ break
+ }
+ if state != define.ContainerStateRunning && state != define.ContainerStatePaused {
+ tailError := t.StopAtEOF()
+ if tailError != nil && fmt.Sprintf("%v", tailError) != "tail: stop at eof" {
+ logrus.Error(tailError)
+ }
+ break
+ }
+ }
+ }()
+ }
 return nil
 }
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index 625a5bf70..d8a89047e 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
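Review bot: The polling goroutine added under `if options.Follow` in `readFromLogFile` recognises the expected result of `t.StopAtEOF()` by its formatted text, `fmt.Sprintf("%v", tailError) != "tail: stop at eof"`, which starts logging spurious errors the moment the library rewords that message; if `hpcloud/tail` exports a sentinel for this case, comparing with `errors.Cause(tailError) ==` that sentinel is the robust form, and if it does not, the comparison deserves a comment such as `// StopAtEOF reports its own "tail: stop at eof" as an error; that is the success case here` so the string match is not mistaken for a bug. Two smaller points in the same loop: `time.Sleep(watch.POLL_DURATION)` runs before the result of `c.State()` is examined, so an error or a stopped container is acted on one poll interval late — moving the sleep to the end of the loop body removes that delay; and the goroutine ends only when the container leaves Running/Paused, so for a long-lived container it keeps calling `c.State()` every interval even after the follower has gone away — a done channel or context from the caller would bound its lifetime. `readFromLogFile` and the declaration of `t` start before this hunk.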
@@ -904,6 +904,10 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
 }
 }
+ if ctr.config.PreserveFDs > 0 {
+ args = append(args, formatRuntimeOpts("--preserve-fds", fmt.Sprintf("%d", ctr.config.PreserveFDs))...)
+ }
+
 if restoreOptions != nil {
 args = append(args, "--restore", ctr.CheckpointPath())
 if restoreOptions.TCPEstablished {
@@ -935,8 +939,16 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
 return err
 }
+ if ctr.config.PreserveFDs > 0 {
+ for fd := 3; fd < int(3+ctr.config.PreserveFDs); fd++ {
+ cmd.ExtraFiles = append(cmd.ExtraFiles, os.NewFile(uintptr(fd), fmt.Sprintf("fd-%d", fd)))
+ }
+ }
+
 cmd.Env = r.conmonEnv
-cmd.Env = append(cmd.Env, fmt.Sprintf("_OCI_SYNCPIPE=%d", 3), fmt.Sprintf("_OCI_STARTPIPE=%d", 4))
+ // we don't want to step on users fds they asked to preserve
+ // Since 0-2 are used for stdio, start the fds we pass in at preserveFDs+3
+ cmd.Env = append(cmd.Env, fmt.Sprintf("_OCI_SYNCPIPE=%d", ctr.config.PreserveFDs+3), fmt.Sprintf("_OCI_STARTPIPE=%d", ctr.config.PreserveFDs+4))
 cmd.Env = append(cmd.Env, conmonEnv...)
 cmd.ExtraFiles = append(cmd.ExtraFiles, childSyncPipe, childStartPipe)
 cmd.ExtraFiles = append(cmd.ExtraFiles, envFiles...)
@@ -1018,6 +1030,16 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
 ctr.state.ConmonPID = conmonPID
 }
+ if ctr.config.PreserveFDs > 0 {
+ for fd := 3; fd < int(3+ctr.config.PreserveFDs); fd++ {
+ // These fds were passed down to the runtime. Close them
+ // and not interfere
+ if err := os.NewFile(uintptr(fd), fmt.Sprintf("fd-%d", fd)).Close(); err != nil {
+ logrus.Debugf("unable to close file fd-%d", fd)
+ }
+ }
+ }
+
 return nil
 }
diff --git a/libpod/options.go b/libpod/options.go
index ffc9c1018..7a60870a0 100644
--- a/libpod/options.go
+++ b/libpod/options.go
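Review bot: The third hunk closes each preserved descriptor through a second `*os.File` built over the same number, `os.NewFile(uintptr(fd), ...).Close()`, while the `*os.File` appended to `cmd.ExtraFiles` in the second hunk still owns that number; once `cmd` becomes unreachable the earlier object's finalizer closes the descriptor again, and by then the number may have been reused by a socket, the state database or another container's pipe, which is then closed underneath its owner. Keeping the `*os.File` values created for `cmd.ExtraFiles` in a local slice and calling `Close` on those same objects in the cleanup loop gives every descriptor exactly one owner; the rewritten lines are below. Separately, nothing in this function checks that fds 3..3+N are open and were meant for the container — `os.NewFile` does not validate the number — so an unrelated descriptor held by the podman process at that position is forwarded to conmon and the runtime; a per-fd check (fcntl `F_GETFD`) and an upper bound on the count belong at the CLI boundary before the container is created, since `int(3+ctr.config.PreserveFDs)` is also trusted here without a limit. `createOCIContainer` starts before the first hunk.
```go
	var preservedFiles []*os.File
	if ctr.config.PreserveFDs > 0 {
		for fd := 3; fd < int(3+ctr.config.PreserveFDs); fd++ {
			// One *os.File per descriptor; the same object is closed after
			// conmon has started, so the fd is never closed twice.
			f := os.NewFile(uintptr(fd), fmt.Sprintf("fd-%d", fd))
			preservedFiles = append(preservedFiles, f)
			cmd.ExtraFiles = append(cmd.ExtraFiles, f)
		}
	}
	// … unchanged: environment, sync/start pipes, starting conmon, PID bookkeeping …
	for _, f := range preservedFiles {
		// These fds were passed down to the runtime; release our reference.
		if err := f.Close(); err != nil {
			logrus.Debugf("unable to close file %s: %v", f.Name(), err)
		}
	}
```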
@@ -1369,6 +1369,18 @@ func WithHealthCheck(healthCheck *manifest.Schema2HealthConfig) CtrCreateOption
 }
 }
+// WithPreserveFDs forwards from the process running Libpod into the container
+// the given number of extra FDs (starting after the standard streams) to the created container
+func WithPreserveFDs(fd uint) CtrCreateOption {
+ return func(ctr *Container) error {
+ if ctr.valid {
+ return define.ErrCtrFinalized
+ }
+ ctr.config.PreserveFDs = fd
+ return nil
+ }
+}
+
 // WithCreateCommand adds the full command plus arguments of the current
 // process to the container config.
 func WithCreateCommand() CtrCreateOption {
diff --git a/pkg/domain/entities/containers.go b/pkg/domain/entities/containers.go
index b4d8e6c29..9ea572293 100644
--- a/pkg/domain/entities/containers.go
+++ b/pkg/domain/entities/containers.go
@@ -294,6 +294,7 @@ type ContainerRunOptions struct {
 ErrorStream *os.File
 InputStream *os.File
 OutputStream *os.File
+ PreserveFDs uint
 Rm bool
 SigProxy bool
 Spec *specgen.SpecGenerator
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index 3de136f12..01f5b1206 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -166,7 +166,8 @@ func GetConfiguredMappings() ([]idtools.IDMap, []idtools.IDMap, error) {
 }
 mappings, err := idtools.NewIDMappings(username, username)
 if err != nil {
- logrus.Errorf("cannot find mappings for user %s: %v", username, err)
+ logrus.Errorf(
+ "cannot find UID/GID for user %s: %v - check rootless mode in man pages.", username, err)
 } else {
 uids = mappings.UIDs()
 gids = mappings.GIDs()
diff --git a/pkg/specgen/container_validate.go b/pkg/specgen/container_validate.go
index 45179343b..33bacecaf 100644
--- a/pkg/specgen/container_validate.go
+++ b/pkg/specgen/container_validate.go
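Review bot: The doc comment on `WithPreserveFDs` is hard to read ("forwards from the process running Libpod into the container the given number of extra FDs ... to the created container") and does not say which descriptors are meant nor that this option performs no validation of its own. Suggested replacement: `// WithPreserveFDs records how many file descriptors, numbered 3 through 3+fd-1 in the process running libpod, are passed on to the container's process. The option only stores the count; callers must ensure those descriptors are open.` The parameter name `fd` also suggests a single descriptor where the value is a count, so `n` or `count` would read better.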
@@ -61,10 +61,6 @@ func (s *SpecGenerator) Validate() error {
 //
 // ContainerSecurityConfig
 //
- // groups and privileged are exclusive
- if len(s.Groups) > 0 && s.Privileged {
- return exclusiveOptions("Groups", "privileged")
- }
 // capadd and privileged are exclusive
 if len(s.CapAdd) > 0 && s.Privileged {
 return exclusiveOptions("CapAdd", "privileged")
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 2f7100e7e..ea6f938a8 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -104,6 +104,10 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener
 return nil, err
 }
+ if s.PreserveFDs > 0 {
+ options = append(options, libpod.WithPreserveFDs(s.PreserveFDs))
+ }
+
 opts, err := createContainerOptions(ctx, rt, s, pod, finalVolumes, newImage)
 if err != nil {
 return nil, err
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index bb01a5d14..46ff8c716 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -130,6 +130,11 @@ type ContainerBasicConfig struct {
 // Remove indicates if the container should be removed once it has been started
 // and exits
 Remove bool `json:"remove"`
+ // PreserveFDs is a number of additional file descriptors (in addition
+ // to 0, 1, 2) that will be passed to the executed process. The total FDs
+ // passed will be 3 + PreserveFDs.
+ // set tags as `json:"-"` for not supported remote
+ PreserveFDs uint `json:"-"`
 }
 // ContainerStorageConfig contains information on the storage configuration of a
@@ -207,6 +212,7 @@ type ContainerSecurityConfig struct {
 // - Adds all devices on the system to the container.
 // - Adds all capabilities to the container.
 // - Disables Seccomp, SELinux, and Apparmor confinement.
+ // (Though SELinux can be manually re-enabled).
 // TODO: this conflicts with things.
 // TODO: this does more.
 Privileged bool `json:"privileged,omitempty"`
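Review bot: The comment `// set tags as `json:"-"` for not supported remote` on `PreserveFDs` in `ContainerBasicConfig` is hard to parse and hides the consequence of the tag: because the field is excluded from JSON, a remote client that sets it gets neither the descriptors nor an error — the value is dropped silently on the wire, and the only guard is the hidden flag in the CLI. Suggested wording: `// Tagged json:"-" because host file descriptors cannot be passed over the remote API; a non-zero value is dropped, not rejected, when the spec is serialized.` If silent dropping is not intended, the client-side path would need to reject `PreserveFDs > 0` before serialization, since with this tag the server never sees the value.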
diff --git a/test/e2e/logs_test.go b/test/e2e/logs_test.go
index a4a59acb2..cf69cbd3e 100644
--- a/test/e2e/logs_test.go
+++ b/test/e2e/logs_test.go
@@ -311,4 +311,16 @@ var _ = Describe("Podman logs", func() {
 logs.WaitWithDefaultTimeout()
 Expect(logs).To(Not(Exit(0)))
 })
+
+ It("follow output stopped container", func() {
+ containerName := "logs-f"
+
+ logc := podmanTest.Podman([]string{"run", "--name", containerName, "-d", ALPINE, "true"})
+ logc.WaitWithDefaultTimeout()
+ Expect(logc).To(Exit(0))
+
+ results := podmanTest.Podman([]string{"logs", "-f", containerName})
+ results.WaitWithDefaultTimeout()
+ Expect(results).To(Exit(0))
+ })
 })
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 7e75e2605..90179964d 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -1027,4 +1027,16 @@ USER mail`
 Expect(session.ExitCode()).To(Equal(0))
 }
 })
+
+ It("podman run --preserve-fds", func() {
+ devNull, err := os.Open("/dev/null")
+ Expect(err).To(BeNil())
+ defer devNull.Close()
+ files := []*os.File{
+ devNull,
+ }
+ session := podmanTest.PodmanExtraFiles([]string{"run", "--preserve-fds", "1", ALPINE, "ls"}, files)
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ })
 })
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index aa9ace332..eeecea2e5 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
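Review bot: The new `podman run --preserve-fds` case in `run_test.go` only asserts that `ls` exits 0, which passes even when the descriptor never reaches the container, because nothing in the container touches fd 3; the bats variant in the next file does read from the preserved fd, but it is skipped. Opening a temp file with known content instead of `/dev/null`, running `sh -c "cat <&3"` in place of `ls`, and asserting the session output equals that content would make the e2e test actually exercise the feature end to end. The `logs -f` case is fine as an exit-code regression test for the follow-on-stopped-container path.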
@@ -61,6 +61,18 @@ echo $rand | 0 | $rand
 is "$tests_run" "$(grep . <<<$tests | wc -l)" "Ran the full set of tests"
 }
+# 'run --preserve-fds' passes a number of additional file descriptors into the container
+@test "podman run --preserve-fds" {
+ skip "enable this once #6653 is fixed"
+ skip_if_remote
+
+ content=$(random_string 20)
+ echo "$content" > $PODMAN_TMPDIR/tempfile
+
+ run_podman run --rm -i --preserve-fds=2 $IMAGE sh -c "cat <&4" 4<$PODMAN_TMPDIR/tempfile
+ is "$output" "$content" "container read input from fd 4"
+}
+
 @test "podman run - uidmapping has no /sys/kernel mounts" {
 skip_if_rootless "cannot umount as rootless"
 skip_if_remote "TODO Fix this for remote case" |
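Review bot: The test asks for `--preserve-fds=2` but only supplies fd 4 (`4<$PODMAN_TMPDIR/tempfile`), so fd 3 in the podman process is whatever the shell happened to inherit, or nothing at all; that makes the test depend on the environment and is exactly the input the feature should refuse once descriptors are validated. Either pass both descriptors, `3<$PODMAN_TMPDIR/tempfile 4<$PODMAN_TMPDIR/tempfile`, or request `--preserve-fds=1` and read with `sh -c "cat <&3" 3<$PODMAN_TMPDIR/tempfile`, adjusting the `is` label accordingly, so the test still passes when the skip on #6653 is lifted.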