-rw-r--r--.cirrus.yml2
-rw-r--r--cmd/podman/containers/mount.go17
-rw-r--r--cmd/podman/containers/unmount.go41
-rw-r--r--cmd/podman/main.go18
-rw-r--r--cmd/podman/networks/inspect.go2
-rw-r--r--cmd/podman/networks/list.go2
-rw-r--r--cmd/podman/registry/config.go3
-rw-r--r--cmd/podman/system/df.go2
-rw-r--r--cmd/podman/system/events.go2
-rw-r--r--cmd/podman/volumes/inspect.go2
-rw-r--r--cmd/podman/volumes/list.go2
-rwxr-xr-xcontrib/cirrus/check_image.sh3
-rw-r--r--contrib/cirrus/container_test.sh2
-rwxr-xr-xcontrib/cirrus/integration_test.sh2
-rwxr-xr-xcontrib/cirrus/networking.sh2
-rw-r--r--contrib/cirrus/packer/README.how-to-update-cirrus-vms89
-rw-r--r--contrib/cirrus/packer/fedora_packaging.sh9
-rwxr-xr-xcontrib/cirrus/rootless_test.sh4
-rwxr-xr-xcontrib/cirrus/setup_environment.sh3
-rw-r--r--contrib/cirrus/timestamp.awk4
-rw-r--r--docs/source/markdown/links/podman-container-umount.12
-rw-r--r--docs/source/markdown/links/podman-container-unmount.12
-rw-r--r--docs/source/markdown/links/podman-umount.11
-rw-r--r--docs/source/markdown/links/podman-unmount.11
-rw-r--r--docs/source/markdown/podman-container.1.md2
-rw-r--r--docs/source/markdown/podman-mount.1.md9
-rw-r--r--docs/source/markdown/podman-unmount.1.md (renamed from docs/source/markdown/podman-umount.1.md)20
-rw-r--r--docs/source/markdown/podman.1.md2
-rw-r--r--docs/tutorials/rootless_tutorial.md2
-rw-r--r--go.mod2
-rw-r--r--go.sum4
-rw-r--r--libpod/common_test.go62
-rw-r--r--libpod/container.go231
-rw-r--r--libpod/container_config.go256
-rw-r--r--libpod/container_internal.go2
-rw-r--r--libpod/container_internal_linux_test.go4
-rw-r--r--libpod/container_internal_test.go4
-rw-r--r--pkg/api/handlers/compat/events.go8
-rw-r--r--pkg/api/server/docs.go10
-rw-r--r--pkg/rootless/rootless_linux.c7
-rw-r--r--test/apiv2/01-basic.at4
-rw-r--r--test/e2e/mount_rootless_test.go62
-rw-r--r--test/e2e/mount_test.go5
-rw-r--r--transfer.md7
-rw-r--r--vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/child/child.go2
-rw-r--r--vendor/modules.txt2
46 files changed, 587 insertions, 337 deletions
diff --git a/.cirrus.yml b/.cirrus.yml
index 37c9108eb..fce9d2ac3 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -39,7 +39,7 @@ env:
UBUNTU_NAME: "ubuntu-20"
PRIOR_UBUNTU_NAME: "ubuntu-19"
- _BUILT_IMAGE_SUFFIX: "podman-5869602141896704"
+ _BUILT_IMAGE_SUFFIX: "podman-6439450735542272"
FEDORA_CACHE_IMAGE_NAME: "${FEDORA_NAME}-${_BUILT_IMAGE_SUFFIX}"
PRIOR_FEDORA_CACHE_IMAGE_NAME: "${PRIOR_FEDORA_NAME}-${_BUILT_IMAGE_SUFFIX}"
UBUNTU_CACHE_IMAGE_NAME: "${UBUNTU_NAME}-${_BUILT_IMAGE_SUFFIX}"
diff --git a/cmd/podman/containers/mount.go b/cmd/podman/containers/mount.go
index 186c4df16..b578daa49 100644
--- a/cmd/podman/containers/mount.go
+++ b/cmd/podman/containers/mount.go
@@ -10,6 +10,7 @@ import (
"github.com/containers/libpod/v2/cmd/podman/utils"
"github.com/containers/libpod/v2/cmd/podman/validate"
"github.com/containers/libpod/v2/pkg/domain/entities"
+ "github.com/pkg/errors"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
)
@@ -31,7 +32,8 @@ var (
return validate.CheckAllLatestAndCIDFile(cmd, args, true, false)
},
Annotations: map[string]string{
- registry.ParentNSRequired: "",
+ registry.UnshareNSRequired: "",
+ registry.ParentNSRequired: "",
},
}
@@ -51,7 +53,7 @@ var (
func mountFlags(flags *pflag.FlagSet) {
flags.BoolVarP(&mountOpts.All, "all", "a", false, "Mount all containers")
- flags.StringVar(&mountOpts.Format, "format", "", "Change the output format to Go template")
+ flags.StringVar(&mountOpts.Format, "format", "", "Print the mounted containers in specified format (json)")
flags.BoolVar(&mountOpts.NoTruncate, "notruncate", false, "Do not truncate output")
}
@@ -90,14 +92,21 @@ func mount(_ *cobra.Command, args []string) error {
}
return errs.PrintErrors()
}
- if mountOpts.Format == "json" {
+
+ switch mountOpts.Format {
+ case "json":
return printJSON(reports)
+ case "":
+ // do nothing
+ default:
+ return errors.Errorf("unknown --format argument: %s", mountOpts.Format)
}
+
mrs := make([]mountReporter, 0, len(reports))
for _, r := range reports {
mrs = append(mrs, mountReporter{r})
}
- row := "{{.ID}} {{.Path}}"
+ row := "{{.ID}} {{.Path}}\n"
format := "{{range . }}" + row + "{{end}}"
tmpl, err := template.New("mounts").Parse(format)
if err != nil {
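Review bot: The `--format` value is only rejected after the containers have already been mounted (the mount calls and `errs.PrintErrors()` sit above this switch), so a typo such as `--format jsn` leaves every requested container mounted and its mount counter incremented before the error comes back. Validate the flag before doing any work, e.g. at the top of `mount()`: `if mountOpts.Format != "" && mountOpts.Format != "json" { return errors.Errorf("unknown --format argument: %s", mountOpts.Format) }`, and keep the switch here for dispatch only. The `mount` function starts and ends outside this hunk.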
diff --git a/cmd/podman/containers/unmount.go b/cmd/podman/containers/unmount.go
index c40c2be7e..6556a6510 100644
--- a/cmd/podman/containers/unmount.go
+++ b/cmd/podman/containers/unmount.go
@@ -18,31 +18,32 @@ var (
An unmount can be forced with the --force flag.
`
- umountCommand = &cobra.Command{
- Use: "umount [flags] CONTAINER [CONTAINER...]",
- Aliases: []string{"unmount"},
+ unmountCommand = &cobra.Command{
+ Use: "unmount [flags] CONTAINER [CONTAINER...]",
+ Aliases: []string{"umount"},
Short: "Unmounts working container's root filesystem",
Long: description,
RunE: unmount,
Args: func(cmd *cobra.Command, args []string) error {
return validate.CheckAllLatestAndCIDFile(cmd, args, false, false)
},
- Example: `podman umount ctrID
- podman umount ctrID1 ctrID2 ctrID3
- podman umount --all`,
+ Example: `podman unmount ctrID
+ podman unmount ctrID1 ctrID2 ctrID3
+ podman unmount --all`,
}
containerUnmountCommand = &cobra.Command{
- Use: umountCommand.Use,
- Short: umountCommand.Short,
- Long: umountCommand.Long,
- RunE: umountCommand.RunE,
+ Use: unmountCommand.Use,
+ Short: unmountCommand.Short,
+ Aliases: unmountCommand.Aliases,
+ Long: unmountCommand.Long,
+ RunE: unmountCommand.RunE,
Args: func(cmd *cobra.Command, args []string) error {
return validate.CheckAllLatestAndCIDFile(cmd, args, false, false)
},
- Example: `podman container umount ctrID
- podman container umount ctrID1 ctrID2 ctrID3
- podman container umount --all`,
+ Example: `podman container unmount ctrID
+ podman container unmount ctrID1 ctrID2 ctrID3
+ podman container unmount --all`,
}
)
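Review bot: `containerUnmountCommand` now copies `Use`, `Short`, `Aliases`, `Long` and `RunE` from `unmountCommand` but still re-declares an identical `Args` closure; `Args: unmountCommand.Args,` would keep the two commands in lockstep the same way the other fields are. The `var (` block this sits in starts outside the hunk.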
@@ -50,25 +51,25 @@ var (
unmountOpts entities.ContainerUnmountOptions
)
-func umountFlags(flags *pflag.FlagSet) {
- flags.BoolVarP(&unmountOpts.All, "all", "a", false, "Umount all of the currently mounted containers")
- flags.BoolVarP(&unmountOpts.Force, "force", "f", false, "Force the complete umount all of the currently mounted containers")
+func unmountFlags(flags *pflag.FlagSet) {
+ flags.BoolVarP(&unmountOpts.All, "all", "a", false, "Unmount all of the currently mounted containers")
+ flags.BoolVarP(&unmountOpts.Force, "force", "f", false, "Force the complete unmount of the specified mounted containers")
}
func init() {
registry.Commands = append(registry.Commands, registry.CliCommand{
Mode: []entities.EngineMode{entities.ABIMode},
- Command: umountCommand,
+ Command: unmountCommand,
})
- umountFlags(umountCommand.Flags())
- validate.AddLatestFlag(umountCommand, &unmountOpts.Latest)
+ unmountFlags(unmountCommand.Flags())
+ validate.AddLatestFlag(unmountCommand, &unmountOpts.Latest)
registry.Commands = append(registry.Commands, registry.CliCommand{
Mode: []entities.EngineMode{entities.ABIMode},
Command: containerUnmountCommand,
Parent: containerCmd,
})
- umountFlags(containerUnmountCommand.Flags())
+ unmountFlags(containerUnmountCommand.Flags())
validate.AddLatestFlag(containerUnmountCommand, &unmountOpts.Latest)
}
diff --git a/cmd/podman/main.go b/cmd/podman/main.go
index f46f74547..d0e89c2f5 100644
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -40,13 +40,21 @@ func main() {
for _, m := range c.Mode {
if cfg.EngineMode == m {
// Command cannot be run rootless
- _, found := c.Command.Annotations[registry.ParentNSRequired]
- if rootless.IsRootless() && found {
- c.Command.RunE = func(cmd *cobra.Command, args []string) error {
- return fmt.Errorf("cannot run command %q in rootless mode", cmd.CommandPath())
+ _, found := c.Command.Annotations[registry.UnshareNSRequired]
+ if found {
+ if rootless.IsRootless() && found && os.Getuid() != 0 {
+ c.Command.RunE = func(cmd *cobra.Command, args []string) error {
+ return fmt.Errorf("cannot run command %q in rootless mode, must execute `podman unshare` first", cmd.CommandPath())
+ }
+ }
+ } else {
+ _, found = c.Command.Annotations[registry.ParentNSRequired]
+ if rootless.IsRootless() && found {
+ c.Command.RunE = func(cmd *cobra.Command, args []string) error {
+ return fmt.Errorf("cannot run command %q in rootless mode", cmd.CommandPath())
+ }
}
}
-
parent := rootCmd
if c.Parent != nil {
parent = c.Parent
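Review bot: `found` is re-tested inside the `if found` branch on the `rootless.IsRootless() && found && os.Getuid() != 0` line; it is always true there, so the condition can be `if rootless.IsRootless() && os.Getuid() != 0 {`. Because the `UnshareNSRequired` check is an `if/else` against `ParentNSRequired`, a command carrying both annotations (mount.go now sets both) is governed only by the unshare rule and the parent-namespace annotation is never consulted; either drop the redundant annotation or add a comment here stating that `UnshareNSRequired` takes precedence. Note also that this gate rejects every rootless invocation of such a command outside `podman unshare`, which appears to conflict with the podman-mount.1.md text in this same commit saying rootless VFS mounts work without unshare; confirm which behaviour is intended. The surrounding `main()` loop starts and ends outside this hunk.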
diff --git a/cmd/podman/networks/inspect.go b/cmd/podman/networks/inspect.go
index bf2c7a5e0..bfbb09cb8 100644
--- a/cmd/podman/networks/inspect.go
+++ b/cmd/podman/networks/inspect.go
@@ -3,10 +3,10 @@ package network
import (
"encoding/json"
"fmt"
- "html/template"
"io"
"os"
"strings"
+ "text/template"
"github.com/containers/libpod/v2/cmd/podman/registry"
"github.com/containers/libpod/v2/pkg/domain/entities"
diff --git a/cmd/podman/networks/list.go b/cmd/podman/networks/list.go
index ad2ee98b1..105bd25c6 100644
--- a/cmd/podman/networks/list.go
+++ b/cmd/podman/networks/list.go
@@ -3,10 +3,10 @@ package network
import (
"encoding/json"
"fmt"
- "html/template"
"os"
"strings"
"text/tabwriter"
+ "text/template"
"github.com/containers/libpod/v2/cmd/podman/registry"
"github.com/containers/libpod/v2/cmd/podman/validate"
diff --git a/cmd/podman/registry/config.go b/cmd/podman/registry/config.go
index f5a231172..a62a41c12 100644
--- a/cmd/podman/registry/config.go
+++ b/cmd/podman/registry/config.go
@@ -15,7 +15,8 @@ import (
)
const (
- ParentNSRequired = "ParentNSRequired"
+ ParentNSRequired = "ParentNSRequired"
+ UnshareNSRequired = "UnshareNSRequired"
)
var (
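Review bot: Neither annotation constant documents what it means for a command, and cmd/podman/main.go in this commit gives the two different precedence, so a doc comment on each would help: `// ParentNSRequired marks commands that cannot run in rootless mode at all.` and `// UnshareNSRequired marks commands that, when rootless, must run inside the user namespace entered via podman unshare; it takes precedence over ParentNSRequired.` The rootless semantics are inferred from the main.go change; adjust the wording if that logic changes.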
diff --git a/cmd/podman/system/df.go b/cmd/podman/system/df.go
index c2308f0cc..a242c4f66 100644
--- a/cmd/podman/system/df.go
+++ b/cmd/podman/system/df.go
@@ -2,11 +2,11 @@ package system
import (
"fmt"
- "html/template"
"io"
"os"
"strings"
"text/tabwriter"
+ "text/template"
"time"
"github.com/containers/libpod/v2/cmd/podman/registry"
diff --git a/cmd/podman/system/events.go b/cmd/podman/system/events.go
index 246611c1a..0a46a4042 100644
--- a/cmd/podman/system/events.go
+++ b/cmd/podman/system/events.go
@@ -3,9 +3,9 @@ package system
import (
"bufio"
"context"
- "html/template"
"os"
"strings"
+ "text/template"
"github.com/containers/buildah/pkg/formats"
"github.com/containers/libpod/v2/cmd/podman/registry"
diff --git a/cmd/podman/volumes/inspect.go b/cmd/podman/volumes/inspect.go
index 9a8f4049b..235137fc7 100644
--- a/cmd/podman/volumes/inspect.go
+++ b/cmd/podman/volumes/inspect.go
@@ -2,9 +2,9 @@ package volumes
import (
"fmt"
- "html/template"
"os"
"strings"
+ "text/template"
"github.com/containers/buildah/pkg/formats"
"github.com/containers/libpod/v2/cmd/podman/registry"
diff --git a/cmd/podman/volumes/list.go b/cmd/podman/volumes/list.go
index 9e3a8f77b..804b9f319 100644
--- a/cmd/podman/volumes/list.go
+++ b/cmd/podman/volumes/list.go
@@ -3,11 +3,11 @@ package volumes
import (
"context"
"fmt"
- "html/template"
"io"
"os"
"strings"
"text/tabwriter"
+ "text/template"
"github.com/containers/libpod/v2/cmd/podman/registry"
"github.com/containers/libpod/v2/cmd/podman/validate"
diff --git a/contrib/cirrus/check_image.sh b/contrib/cirrus/check_image.sh
index 0d33e55bf..39c2be3f8 100755
--- a/contrib/cirrus/check_image.sh
+++ b/contrib/cirrus/check_image.sh
@@ -25,9 +25,6 @@ item_test 'Minimum available memory' $MEM_FREE -ge $MIN_MEM_MB || let "NFAILS+=1
remove_packaged_podman_files
item_test "remove_packaged_podman_files() does it's job" -z "$(type -P podman)" || let "NFAILS+=1"
-# Integration Tests require varlink in Fedora
-item_test "The varlink executable is present" -x "$(type -P varlink)" || let "NFAILS+=1"
-
MIN_ZIP_VER='3.0'
VER_RE='.+([[:digit:]]+\.[[:digit:]]+).+'
ACTUAL_VER=$(zip --version 2>&1 | egrep -m 1 "Zip$VER_RE" | sed -r -e "s/$VER_RE/\\1/")
diff --git a/contrib/cirrus/container_test.sh b/contrib/cirrus/container_test.sh
index bf0a0d3f1..f8d14c0e4 100644
--- a/contrib/cirrus/container_test.sh
+++ b/contrib/cirrus/container_test.sh
@@ -18,6 +18,8 @@ if [ "${ID}" != "fedora" ] || [ "${CONTAINER_RUNTIME}" != "" ]; then
INTEGRATION_TEST_ENVS="SKIP_USERNS=1"
fi
+echo "$(date --rfc-3339=seconds) $(basename $0) started with '$*' and TEST_REMOTE_CLIENT='${TEST_REMOTE_CLIENT}'"
+
pwd
# -i install
diff --git a/contrib/cirrus/integration_test.sh b/contrib/cirrus/integration_test.sh
index 33e9fbc6b..692d5a236 100755
--- a/contrib/cirrus/integration_test.sh
+++ b/contrib/cirrus/integration_test.sh
@@ -16,7 +16,7 @@ fi
# but pr2947 intends to add 'system'.
TESTSUITE=$(expr $(basename $0) : '\(.*\)_test')
if [[ -z $TESTSUITE ]]; then
- die 1 "Script name is not of the form xxxx_test.sh"
+ die 1 "Script name ($basename $0) is not of the form xxxx_test.sh"
fi
cd "$GOSRC"
diff --git a/contrib/cirrus/networking.sh b/contrib/cirrus/networking.sh
index aeaf74035..2546fab71 100755
--- a/contrib/cirrus/networking.sh
+++ b/contrib/cirrus/networking.sh
@@ -10,7 +10,7 @@ while read host port
do
if [[ "$port" -eq "443" ]]
then
- item_test "SSL/TLS to $host:$port" "$(echo -n '' | openssl s_client -quiet -no_ign_eof -connect $host:$port &> /dev/null; echo $?)" -eq "0"
+ item_test "SSL/TLS to $host:$port" "$(echo -n '' | timeout 60 openssl s_client -quiet -no_ign_eof -connect $host:$port &> /dev/null; echo $?)" -eq "0"
else
item_test "Connect to $host:$port" "$(nc -zv -w 13 $host $port &> /dev/null; echo $?)" -eq 0
fi
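Review bot: With `timeout 60` the TLS probe now tolerates stalls of up to a minute while the plain-TCP probe in the other branch gives up after 13 seconds (`nc -w 13`); pick one bound for both or the two rows will behave differently under the same network fault. Separately, `openssl s_client` exits 0 once the handshake completes even when certificate verification fails, so this item test only proves reachability, not a valid chain; if validity matters, add `-verify_return_error` to the command. The `while read host port` loop starts outside this hunk.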
diff --git a/contrib/cirrus/packer/README.how-to-update-cirrus-vms b/contrib/cirrus/packer/README.how-to-update-cirrus-vms
new file mode 100644
index 000000000..ac2902ffb
--- /dev/null
+++ b/contrib/cirrus/packer/README.how-to-update-cirrus-vms
@@ -0,0 +1,89 @@
+This document briefly describes how to update VMs on Cirrus.
+
+Examples of when you need to do this:
+
+ - to update crun, conmon, or some other package(s)
+ - to add and/or remove an OS (eg drop f31, add f33)
+ - to change system config (eg containers.conf or other /etc files)
+ - to change kernel command-line (boot time) options
+
+This is a TWO-STEP process: you need to submit a PR with a magic [CI:IMG]
+description string, wait for it to finish, grab a magic string from the
+results, then resubmit without [CI:IMG].
+
+Procedure, Part One of Two:
+
+ 1) Create a working branch:
+
+ $ git co -b my_branch_name
+
+ 2) Make your changes. Typically, zero or more of the following files:
+
+ .cirrus.yml
+ contrib/cirrus/packer/*_packaging.sh
+
+ I said zero because sometimes you just want to update VMs
+ with the latest in dnf or ubuntu repos. That doesn't require
+ changing anything here, simply running new dnf/apt installs.
+
+ 3) Commit your changes. Be sure to include the magic [CI:IMG] string:
+
+ $ git commit -asm'[CI:IMG] this is my commit message'
+
+ 4) Submit your PR:
+
+ $ gh pr create --fill --web
+
+
+ -------------------------- INTERMISSION --------------------------
+ ...in which we wait for CI to turn green. In particular, although
+ we only really need 'test_build_cache_images' (45 minutes or so)
+ to get the required magic number strings, please be a decent
+ human being and wait for 'verify_test_built_images' (another hour)
+ so we can all have confidence in our process. Thank you.
+ -------------------------- INTERMISSION --------------------------
+
+
+Procedure, Part Two of Two:
+
+ 1) When 'test_build_cache_images' completes, click it, then click
+ 'View more details on Cirrus CI', then expand the 'Run build_vm_image'
+ accordion. This gives you a garishly colorful display of lines.
+ Each color is a different VM.
+
+ 2) Verify that each VM has the packages you require. (The garish log
+ doesn't actually list this for all packages, so you may need to
+ look in the 'verify_test_built_images' log for each individual
+ VM. Click the 'package_versions' accordion.)
+
+ 3) At the bottom of this log you will see a block like:
+
+ Builds finished. The artifacts of successful builds are:
+ ubuntu-19: A disk image was created: ubuntu-19-podman-6439450735542272
+ fedora-31: A disk image was created: fedora-31-podman-6439450735542272
+ .....
+
+ The long numbers at the end should (MUST!) be all identical.
+
+ 4) Edit .cirrus.yml locally. Find '_BUILT_IMAGE_SUFFIX' near the
+ top. Copy that long number ("6439450735542272", above) and paste
+ it here, replacing the previous long number.
+
+ 5) Wait for CI to turn green. I know you might have skipped that,
+ because 'test_build_cache_images' finishes long before 'verify',
+ and maybe you're in a hurry, but come on. Be responsible.
+
+ 6) Edit the PR description in github: remove '[CI:IMG]' from the
+ title. Again, *in github*, in the web UI, use the 'Edit' button
+ at top right next to the PR title. Remove the '[CI:IMG]' string
+ from the PR title, press Save. If you forget to do this, the
+ VM-building steps will run again (taking a long time) but it
+ will be a waste of time.
+
+ 7) Update your PR:
+
+ $ git add .cirrus.yml (to get the new magic IMAGE_SUFFIX string)
+ $ git commit --amend (remove [CI:IMG] for consistency with 6)
+ $ git push --force
+
+You can probably take it from here.
diff --git a/contrib/cirrus/packer/fedora_packaging.sh b/contrib/cirrus/packer/fedora_packaging.sh
index b4a3a2062..f19932a9f 100644
--- a/contrib/cirrus/packer/fedora_packaging.sh
+++ b/contrib/cirrus/packer/fedora_packaging.sh
@@ -153,6 +153,15 @@ DOWNLOAD_PACKAGES=(\
echo "Installing general build/test dependencies for Fedora '$OS_RELEASE_VER'"
$BIGTO ooe.sh $SUDO dnf install -y ${INSTALL_PACKAGES[@]}
+# AD-HOC CODE FOR SPECIAL-CASE SITUATIONS!
+# On 2020-07-23 we needed this code to upgrade crun on f31, a build
+# that is not yet in stable. Since CI:IMG PRs are a two-step process,
+# the key part is that we UN-COMMENT-THIS-OUT during the first step,
+# then re-comment it on the second (once we have the built images).
+# That way this will be dead code in future CI:IMG PRs but will
+# serve as an example for anyone in a similar future situation.
+# $BIGTO ooe.sh $SUDO dnf --enablerepo=updates-testing -y upgrade crun
+
[[ ${#REMOVE_PACKAGES[@]} -eq 0 ]] || \
$LILTO ooe.sh $SUDO dnf erase -y ${REMOVE_PACKAGES[@]}
diff --git a/contrib/cirrus/rootless_test.sh b/contrib/cirrus/rootless_test.sh
index 9e1b1d911..63cbec69b 100755
--- a/contrib/cirrus/rootless_test.sh
+++ b/contrib/cirrus/rootless_test.sh
@@ -2,11 +2,13 @@
set -e
+echo "$(date --rfc-3339=seconds) $(basename $0) started with '$*'"
+
source $(dirname $0)/lib.sh
if [[ "$UID" == "0" ]]
then
- echo "Error: Expected to be running as a regular user"
+ echo "$(basename $0): Error: Expected to be running as a regular user"
exit 1
fi
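Review bot: `$(basename $0)` is unquoted in both new lines; `"$(basename "$0")"` is the safe form, since an unquoted `$0` containing whitespace would be word-split before reaching `basename`. Minor, but the same pattern was added to container_test.sh in this commit, so it is worth fixing in one pass.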
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
index fbdae83fa..437a83c4b 100755
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@@ -57,9 +57,6 @@ case "${OS_RELEASE_ID}" in
workaround_bfq_bug
- # HACK: Need Conmon 2.0.17, currently in updates-testing on F31.
- dnf update -y --enablerepo=updates-testing conmon
-
if [[ "$ADD_SECOND_PARTITION" == "true" ]]; then
bash "$SCRIPT_BASE/add_second_partition.sh"
fi
diff --git a/contrib/cirrus/timestamp.awk b/contrib/cirrus/timestamp.awk
index 95b312e51..b3663b303 100644
--- a/contrib/cirrus/timestamp.awk
+++ b/contrib/cirrus/timestamp.awk
@@ -7,7 +7,7 @@
BEGIN {
STARTTIME=systime()
printf "[%s] START", strftime("%T")
- printf " - All [+xxxx] lines that follow are relative to right now.\n"
+ printf " - All [+xxxx] lines that follow are relative to %s.\n", strftime("%FT%T")
}
{
@@ -16,5 +16,5 @@ BEGIN {
END {
printf "[%s] END", strftime("%T")
- printf " - [%+05ds] total duration since START\n", systime()-STARTTIME
+ printf " - [%+05ds] total duration since %s\n", systime()-STARTTIME, strftime("%FT%T")
}
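Review bot: In the END block `strftime("%FT%T")` with no timestamp argument formats the current time, so the line reads "total duration since <end time>", which is the wrong instant. Pass the recorded start instead: `printf " - [%+05ds] total duration since %s\n", systime()-STARTTIME, strftime("%FT%T", STARTTIME)`. The BEGIN block's unparameterised call is fine because there "now" is the start.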
diff --git a/docs/source/markdown/links/podman-container-umount.1 b/docs/source/markdown/links/podman-container-umount.1
index 789dabbb0..aa4add453 100644
--- a/docs/source/markdown/links/podman-container-umount.1
+++ b/docs/source/markdown/links/podman-container-umount.1
@@ -1 +1 @@
-.so man1/podman-umount.1
+.so man1/podman-unmount.1
diff --git a/docs/source/markdown/links/podman-container-unmount.1 b/docs/source/markdown/links/podman-container-unmount.1
index 789dabbb0..aa4add453 100644
--- a/docs/source/markdown/links/podman-container-unmount.1
+++ b/docs/source/markdown/links/podman-container-unmount.1
@@ -1 +1 @@
-.so man1/podman-umount.1
+.so man1/podman-unmount.1
diff --git a/docs/source/markdown/links/podman-umount.1 b/docs/source/markdown/links/podman-umount.1
new file mode 100644
index 000000000..aa4add453
--- /dev/null
+++ b/docs/source/markdown/links/podman-umount.1
@@ -0,0 +1 @@
+.so man1/podman-unmount.1
diff --git a/docs/source/markdown/links/podman-unmount.1 b/docs/source/markdown/links/podman-unmount.1
deleted file mode 100644
index 789dabbb0..000000000
--- a/docs/source/markdown/links/podman-unmount.1
+++ /dev/null
@@ -1 +0,0 @@
-.so man1/podman-umount.1
diff --git a/docs/source/markdown/podman-container.1.md b/docs/source/markdown/podman-container.1.md
index 4ea7c7acc..0a6ceea33 100644
--- a/docs/source/markdown/podman-container.1.md
+++ b/docs/source/markdown/podman-container.1.md
@@ -41,7 +41,7 @@ The container command allows you to manage containers
| stats | [podman-stats(1)](podman-stats.1.md) | Display a live stream of one or more container's resource usage statistics. |
| stop | [podman-stop(1)](podman-stop.1.md) | Stop one or more running containers. |
| top | [podman-top(1)](podman-top.1.md) | Display the running processes of a container. |
-| umount | [podman-umount(1)](podman-umount.1.md) | Unmount a working container's root filesystem.(Alias unmount) |
+| unmount | [podman-unmount(1)](podman-unmount.1.md) | Unmount a working container's root filesystem.(Alias unmount) |
| unpause | [podman-unpause(1)](podman-unpause.1.md) | Unpause one or more containers. |
| wait | [podman-wait(1)](podman-wait.1.md) | Wait on one or more containers to stop and print their exit codes. |
diff --git a/docs/source/markdown/podman-mount.1.md b/docs/source/markdown/podman-mount.1.md
index eaed1051e..33c5aece8 100644
--- a/docs/source/markdown/podman-mount.1.md
+++ b/docs/source/markdown/podman-mount.1.md
@@ -12,9 +12,12 @@ podman\-mount - Mount a working container's root filesystem
Mounts the specified containers' root file system in a location which can be
accessed from the host, and returns its location.
-If you execute the command without any arguments, the tool will list all of the
+If you execute the command without any arguments, Podman will list all of the
currently mounted containers.
+Rootless mode only supports mounting VFS driver, unless you enter the user namespace
+via the `podman unshare` command. All other storage drivers will fail to mount.
+
## RETURN VALUE
The location of the mounted file system. On error an empty string and errno is
returned.
@@ -27,7 +30,7 @@ Mount all containers.
**--format**=*format*
-Print the mounted containers in specified format (json)
+Print the mounted containers in specified format (json).
**--latest**, **-l**
@@ -70,4 +73,4 @@ a7060253093b /var/lib/containers/storage/overlay/0ff7d7ca68bed1ace424f9df154d2dd
```
## SEE ALSO
-podman(1), podman-umount(1), mount(8)
+podman(1), podman-umount(1), mount(8), podman-unshare(1)
diff --git a/docs/source/markdown/podman-umount.1.md b/docs/source/markdown/podman-unmount.1.md
index 31a213f28..47c55cc0b 100644
--- a/docs/source/markdown/podman-umount.1.md
+++ b/docs/source/markdown/podman-unmount.1.md
@@ -1,23 +1,23 @@
-% podman-umount(1)
+% podman-unmount(1)
## NAME
-podman\-umount - Unmount a working container's root filesystem
+podman\-unmount - Unmount a working container's root filesystem
## SYNOPSIS
-**podman umount** [*options*] *container* [...]
+**podman unmount** [*options*] *container* [...]
-**podman container umount** [*options*] *container* [...]
+**podman umount** [*options*] *container* [...]
**podman container unmount** [*options*] *container* [...]
-**podman unmount** [*options*] *container* [...]
+**podman container umount** [*options*] *container* [...]
## DESCRIPTION
Unmounts the specified containers' root file system, if no other processes
are using it.
Container storage increments a mount counter each time a container is mounted.
-When a container is unmounted, the mount counter is decremented and the
+When a container is unmounted, the mount counter is decremented, and the
container's root filesystem is physically unmounted only when the mount
counter reaches zero indicating no other processes are using the mount.
An unmount can be forced with the --force flag.
@@ -45,11 +45,11 @@ The latest option is not supported on the remote client.
## EXAMPLE
-podman umount containerID
+podman container unmount containerID
-podman umount containerID1 containerID2 containerID3
+podman unmount containerID1 containerID2 containerID3
-podman umount --all
+podman unmount --all
## SEE ALSO
-podman(1), podman-mount(1)
+podman(1), podman-container-mount(1), podman-image-mount(1)
diff --git a/docs/source/markdown/podman.1.md b/docs/source/markdown/podman.1.md
index 74f02d147..e1f176869 100644
--- a/docs/source/markdown/podman.1.md
+++ b/docs/source/markdown/podman.1.md
@@ -207,7 +207,7 @@ the exit codes follow the `chroot` standard, see below:
| [podman-system(1)](podman-system.1.md) | Manage podman. |
| [podman-tag(1)](podman-tag.1.md) | Add an additional name to a local image. |
| [podman-top(1)](podman-top.1.md) | Display the running processes of a container. |
-| [podman-umount(1)](podman-umount.1.md) | Unmount a working container's root filesystem. |
+| [podman-unmount(1)](podman-unmount.1.md) | Unmount a working container's root filesystem. |
| [podman-unpause(1)](podman-unpause.1.md) | Unpause one or more containers. |
| [podman-unshare(1)](podman-unshare.1.md) | Run a command inside of a modified user namespace. |
| [podman-untag(1)](podman-untag.1.md) | Removes one or more names from a locally-stored image. |
diff --git a/docs/tutorials/rootless_tutorial.md b/docs/tutorials/rootless_tutorial.md
index ba28655f6..b53b67647 100644
--- a/docs/tutorials/rootless_tutorial.md
+++ b/docs/tutorials/rootless_tutorial.md
@@ -58,7 +58,7 @@ The number of user namespaces that are allowed on the system is specified in the
### /etc/subuid and /etc/subgid configuration
-Rootless Podman requires the user running it to have a range of UIDs listed in /etc/subuid and /etc/subgid files. The `shadows-utils` or `newuid` package provides these files on different distributions and they must be installed on the system. These files will need someone with root privileges on the system to add or update the entries within them. The following is a summarization from the [How does rootless Podman work?](https://opensource.com/article/19/2/how-does-rootless-podman-work) article by Dan Walsh on [opensource.com](https://opensource.com)
+Rootless Podman requires the user running it to have a range of UIDs listed in /etc/subuid and /etc/subgid files. The `shadow-utils` or `newuid` package provides these files on different distributions and they must be installed on the system. These files will need someone with root privileges on the system to add or update the entries within them. The following is a summarization from the [How does rootless Podman work?](https://opensource.com/article/19/2/how-does-rootless-podman-work) article by Dan Walsh on [opensource.com](https://opensource.com)
Update the /etc/subuid and /etc/subgid with fields for each user that will be allowed to create containers that look like the following. Note that the values for each user must be unique and without any overlap. If there is an overlap, there is a potential for a user to use another’s namespace and they could corrupt it.
diff --git a/go.mod b/go.mod
index 256884a7d..08b0b55d7 100644
--- a/go.mod
+++ b/go.mod
@@ -46,7 +46,7 @@ require (
github.com/opentracing/opentracing-go v1.2.0
github.com/pkg/errors v0.9.1
github.com/pmezard/go-difflib v1.0.0
- github.com/rootless-containers/rootlesskit v0.9.5
+ github.com/rootless-containers/rootlesskit v0.10.0
github.com/seccomp/containers-golang v0.5.0
github.com/sirupsen/logrus v1.6.0
github.com/spf13/cobra v0.0.7
diff --git a/go.sum b/go.sum
index 306f07ed3..8cf8698a2 100644
--- a/go.sum
+++ b/go.sum
@@ -391,8 +391,8 @@ github.com/prometheus/procfs v0.0.5 h1:3+auTFlqw+ZaQYJARz6ArODtkaIwtvBTx3N2NehQl
github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
-github.com/rootless-containers/rootlesskit v0.9.5 h1:ygvFn6ms/14MlRQmMK8OSLKwwtHeRLFNblm+rOIndA0=
-github.com/rootless-containers/rootlesskit v0.9.5/go.mod h1:OZQfuRPb+2MA1p+hmjHmSmDRv9SdTzlQ3taNA/0d7XM=
+github.com/rootless-containers/rootlesskit v0.10.0 h1:62HHP8s8qYYcolEtAsuo4GU6qau6pWmcQ1Te+TZTFds=
+github.com/rootless-containers/rootlesskit v0.10.0/go.mod h1:OZQfuRPb+2MA1p+hmjHmSmDRv9SdTzlQ3taNA/0d7XM=
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8 h1:2c1EFnZHIPCW8qKWgHMH/fX2PkSabFc5mrVzfUNdg5U=
github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
diff --git a/libpod/common_test.go b/libpod/common_test.go
index dff04af5c..e15e3e7a7 100644
--- a/libpod/common_test.go
+++ b/libpod/common_test.go
@@ -19,33 +19,41 @@ import (
func getTestContainer(id, name string, manager lock.Manager) (*Container, error) {
ctr := &Container{
config: &ContainerConfig{
- ID: id,
- Name: name,
- RootfsImageID: id,
- RootfsImageName: "testimg",
- StaticDir: "/does/not/exist/",
- LogPath: "/does/not/exist/",
- Stdin: true,
- Labels: map[string]string{"a": "b", "c": "d"},
- StopSignal: 0,
- StopTimeout: 0,
- CreatedTime: time.Now(),
- Privileged: true,
- Mounts: []string{"/does/not/exist"},
- DNSServer: []net.IP{net.ParseIP("192.168.1.1"), net.ParseIP("192.168.2.2")},
- DNSSearch: []string{"example.com", "example.example.com"},
- PortMappings: []ocicni.PortMapping{
- {
- HostPort: 80,
- ContainerPort: 90,
- Protocol: "tcp",
- HostIP: "192.168.3.3",
- },
- {
- HostPort: 100,
- ContainerPort: 110,
- Protocol: "udp",
- HostIP: "192.168.4.4",
+ ID: id,
+ Name: name,
+ ContainerRootFSConfig: ContainerRootFSConfig{
+ RootfsImageID: id,
+ RootfsImageName: "testimg",
+ StaticDir: "/does/not/exist/",
+ Mounts: []string{"/does/not/exist"},
+ },
+ ContainerMiscConfig: ContainerMiscConfig{
+ LogPath: "/does/not/exist/",
+ Stdin: true,
+ Labels: map[string]string{"a": "b", "c": "d"},
+ StopSignal: 0,
+ StopTimeout: 0,
+ CreatedTime: time.Now(),
+ },
+ ContainerSecurityConfig: ContainerSecurityConfig{
+ Privileged: true,
+ },
+ ContainerNetworkConfig: ContainerNetworkConfig{
+ DNSServer: []net.IP{net.ParseIP("192.168.1.1"), net.ParseIP("192.168.2.2")},
+ DNSSearch: []string{"example.com", "example.example.com"},
+ PortMappings: []ocicni.PortMapping{
+ {
+ HostPort: 80,
+ ContainerPort: 90,
+ Protocol: "tcp",
+ HostIP: "192.168.3.3",
+ },
+ {
+ HostPort: 100,
+ ContainerPort: 110,
+ Protocol: "udp",
+ HostIP: "192.168.4.4",
+ },
},
},
},
diff --git a/libpod/container.go b/libpod/container.go
index 8a69df685..03358ebdc 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -15,7 +15,6 @@ import (
"github.com/containers/image/v5/manifest"
"github.com/containers/libpod/v2/libpod/define"
"github.com/containers/libpod/v2/libpod/lock"
- "github.com/containers/libpod/v2/pkg/namespaces"
"github.com/containers/libpod/v2/pkg/rootless"
"github.com/containers/libpod/v2/utils"
"github.com/containers/storage"
@@ -215,233 +214,6 @@ type ContainerState struct {
containerPlatformState
}
-// ContainerConfig contains all information that was used to create the
-// container. It may not be changed once created.
-// It is stored, read-only, on disk
-type ContainerConfig struct {
- Spec *spec.Spec `json:"spec"`
- ID string `json:"id"`
- Name string `json:"name"`
- // Full ID of the pood the container belongs to
- Pod string `json:"pod,omitempty"`
- // Namespace the container is in
- Namespace string `json:"namespace,omitempty"`
- // ID of this container's lock
- LockID uint32 `json:"lockID"`
-
- // CreateCommand is the full command plus arguments of the process the
- // container has been created with.
- CreateCommand []string `json:"CreateCommand,omitempty"`
-
- // RawImageName is the raw and unprocessed name of the image when creating
- // the container (as specified by the user). May or may not be set. One
- // use case to store this data are auto-updates where we need the _exact_
- // name and not some normalized instance of it.
- RawImageName string `json:"RawImageName,omitempty"`
-
- // TODO consider breaking these subsections up into smaller structs
-
- // UID/GID mappings used by the storage
- IDMappings storage.IDMappingOptions `json:"idMappingsOptions,omitempty"`
-
- // Information on the image used for the root filesystem
- RootfsImageID string `json:"rootfsImageID,omitempty"`
- RootfsImageName string `json:"rootfsImageName,omitempty"`
- // Rootfs to use for the container, this conflicts with RootfsImageID
- Rootfs string `json:"rootfs,omitempty"`
- // Src path to be mounted on /dev/shm in container.
- ShmDir string `json:"ShmDir,omitempty"`
- // Size of the container's SHM.
- ShmSize int64 `json:"shmSize"`
- // Static directory for container content that will persist across
- // reboot.
- StaticDir string `json:"staticDir"`
- // Mounts list contains all additional mounts into the container rootfs.
- // These include the SHM mount.
- // These must be unmounted before the container's rootfs is unmounted.
- Mounts []string `json:"mounts,omitempty"`
- // NamedVolumes lists the named volumes to mount into the container.
- NamedVolumes []*ContainerNamedVolume `json:"namedVolumes,omitempty"`
- // OverlayVolumes lists the overlay volumes to mount into the container.
- OverlayVolumes []*ContainerOverlayVolume `json:"overlayVolumes,omitempty"`
-
- // Security Config
-
- // Whether the container is privileged
- Privileged bool `json:"privileged"`
- // SELinux process label for container
- ProcessLabel string `json:"ProcessLabel,omitempty"`
- // SELinux mount label for root filesystem
- MountLabel string `json:"MountLabel,omitempty"`
- // LabelOpts are options passed in by the user to setup SELinux labels
- LabelOpts []string `json:"labelopts,omitempty"`
- // User and group to use in the container
- // Can be specified by name or UID/GID
- User string `json:"user,omitempty"`
- // Additional groups to add
- Groups []string `json:"groups,omitempty"`
- // AddCurrentUserPasswdEntry indicates that the current user passwd entry
- // should be added to the /etc/passwd within the container
- AddCurrentUserPasswdEntry bool `json:"addCurrentUserPasswdEntry,omitempty"`
-
- // Namespace Config
- // IDs of container to share namespaces with
- // NetNsCtr conflicts with the CreateNetNS bool
- // These containers are considered dependencies of the given container
- // They must be started before the given container is started
- IPCNsCtr string `json:"ipcNsCtr,omitempty"`
- MountNsCtr string `json:"mountNsCtr,omitempty"`
- NetNsCtr string `json:"netNsCtr,omitempty"`
- PIDNsCtr string `json:"pidNsCtr,omitempty"`
- UserNsCtr string `json:"userNsCtr,omitempty"`
- UTSNsCtr string `json:"utsNsCtr,omitempty"`
- CgroupNsCtr string `json:"cgroupNsCtr,omitempty"`
-
- // IDs of dependency containers.
- // These containers must be started before this container is started.
- Dependencies []string
-
- // Network Config
-
- // CreateNetNS indicates that libpod should create and configure a new
- // network namespace for the container.
- // This cannot be set if NetNsCtr is also set.
- CreateNetNS bool `json:"createNetNS"`
- // StaticIP is a static IP to request for the container.
- // This cannot be set unless CreateNetNS is set.
- // If not set, the container will be dynamically assigned an IP by CNI.
- StaticIP net.IP `json:"staticIP"`
- // StaticMAC is a static MAC to request for the container.
- // This cannot be set unless CreateNetNS is set.
- // If not set, the container will be dynamically assigned a MAC by CNI.
- StaticMAC net.HardwareAddr `json:"staticMAC"`
- // PortMappings are the ports forwarded to the container's network
- // namespace
- // These are not used unless CreateNetNS is true
- PortMappings []ocicni.PortMapping `json:"portMappings,omitempty"`
- // UseImageResolvConf indicates that resolv.conf should not be
- // bind-mounted inside the container.
- // Conflicts with DNSServer, DNSSearch, DNSOption.
- UseImageResolvConf bool
- // DNS servers to use in container resolv.conf
- // Will override servers in host resolv if set
- DNSServer []net.IP `json:"dnsServer,omitempty"`
- // DNS Search domains to use in container resolv.conf
- // Will override search domains in host resolv if set
- DNSSearch []string `json:"dnsSearch,omitempty"`
- // DNS options to be set in container resolv.conf
- // With override options in host resolv if set
- DNSOption []string `json:"dnsOption,omitempty"`
- // UseImageHosts indicates that /etc/hosts should not be
- // bind-mounted inside the container.
- // Conflicts with HostAdd.
- UseImageHosts bool
- // Hosts to add in container
- // Will be appended to host's host file
- HostAdd []string `json:"hostsAdd,omitempty"`
- // Network names (CNI) to add container to. Empty to use default network.
- Networks []string `json:"networks,omitempty"`
- // Network mode specified for the default network.
- NetMode namespaces.NetworkMode `json:"networkMode,omitempty"`
- // NetworkOptions are additional options for each network
- NetworkOptions map[string][]string `json:"network_options,omitempty"`
-
- // Image Config
-
- // UserVolumes contains user-added volume mounts in the container.
- // These will not be added to the container's spec, as it is assumed
- // they are already present in the spec given to Libpod. Instead, it is
- // used when committing containers to generate the VOLUMES field of the
- // image that is created, and for triggering some OCI hooks which do not
- // fire unless user-added volume mounts are present.
- UserVolumes []string `json:"userVolumes,omitempty"`
- // Entrypoint is the container's entrypoint.
- // It is not used in spec generation, but will be used when the
- // container is committed to populate the entrypoint of the new image.
- Entrypoint []string `json:"entrypoint,omitempty"`
- // Command is the container's command.
- // It is not used in spec generation, but will be used when the
- // container is committed to populate the command of the new image.
- Command []string `json:"command,omitempty"`
-
- // Misc Options
-
- // Whether to keep container STDIN open
- Stdin bool `json:"stdin,omitempty"`
- // Labels is a set of key-value pairs providing additional information
- // about a container
- Labels map[string]string `json:"labels,omitempty"`
- // StopSignal is the signal that will be used to stop the container
- StopSignal uint `json:"stopSignal,omitempty"`
- // StopTimeout is the signal that will be used to stop the container
- StopTimeout uint `json:"stopTimeout,omitempty"`
- // Time container was created
- CreatedTime time.Time `json:"createdTime"`
- // NoCgroups indicates that the container will not create CGroups. It is
- // incompatible with CgroupParent. Deprecated in favor of CgroupsMode.
- NoCgroups bool `json:"noCgroups,omitempty"`
- // CgroupsMode indicates how the container will create cgroups
- // (disabled, no-conmon, enabled). It supersedes NoCgroups.
- CgroupsMode string `json:"cgroupsMode,omitempty"`
- // Cgroup parent of the container
- CgroupParent string `json:"cgroupParent"`
- // LogPath log location
- LogPath string `json:"logPath"`
- // LogTag is the tag used for logging
- LogTag string `json:"logTag"`
- // LogDriver driver for logs
- LogDriver string `json:"logDriver"`
- // File containing the conmon PID
- ConmonPidFile string `json:"conmonPidFile,omitempty"`
- // RestartPolicy indicates what action the container will take upon
- // exiting naturally.
- // Allowed options are "no" (take no action), "on-failure" (restart on
- // non-zero exit code, up an a maximum of RestartRetries times),
- // and "always" (always restart the container on any exit code).
- // The empty string is treated as the default ("no")
- RestartPolicy string `json:"restart_policy,omitempty"`
- // RestartRetries indicates the number of attempts that will be made to
- // restart the container. Used only if RestartPolicy is set to
- // "on-failure".
- RestartRetries uint `json:"restart_retries,omitempty"`
- // TODO log options for log drivers
-
- // PostConfigureNetNS needed when a user namespace is created by an OCI runtime
- // if the network namespace is created before the user namespace it will be
- // owned by the wrong user namespace.
- PostConfigureNetNS bool `json:"postConfigureNetNS"`
-
- // OCIRuntime used to create the container
- OCIRuntime string `json:"runtime,omitempty"`
-
- // ExitCommand is the container's exit command.
- // This Command will be executed when the container exits
- ExitCommand []string `json:"exitCommand,omitempty"`
- // IsInfra is a bool indicating whether this container is an infra container used for
- // sharing kernel namespaces in a pod
- IsInfra bool `json:"pause"`
-
- // SdNotifyMode tells libpod what to do with a NOTIFY_SOCKET if passed
- SdNotifyMode string `json:"sdnotifyMode,omitempty"`
- // Systemd tells libpod to setup the container in systemd mode
- Systemd bool `json:"systemd"`
-
- // HealthCheckConfig has the health check command and related timings
- HealthCheckConfig *manifest.Schema2HealthConfig `json:"healthcheck"`
-
- // PreserveFDs is a number of additional file descriptors (in addition
- // to 0, 1, 2) that will be passed to the executed process. The total FDs
- // passed will be 3 + PreserveFDs.
- PreserveFDs uint `json:"preserveFds,omitempty"`
-
- // Timezone is the timezone inside the container.
- // Local means it has the same timezone as the host machine
- Timezone string `json:"timezone,omitempty"`
-
- // Umask is the umask inside the container.
- Umask string `json:"umask,omitempty"`
-}
-
// ContainerNamedVolume is a named volume that will be mounted into the
// container. Each named volume is a libpod Volume present in the state.
type ContainerNamedVolume struct {
@@ -1277,10 +1049,13 @@ func (c *Container) AutoRemove() bool {
return c.Spec().Annotations[define.InspectAnnotationAutoremove] == define.InspectResponseTrue
}
+// Timezone returns the timezone configured inside the container.
+// Local means it has the same timezone as the host machine
func (c *Container) Timezone() string {
return c.config.Timezone
}
+// Umask returns the Umask bits configured inside the container.
func (c *Container) Umask() string {
return c.config.Umask
}
diff --git a/libpod/container_config.go b/libpod/container_config.go
new file mode 100644
index 000000000..8a98d6341
--- /dev/null
+++ b/libpod/container_config.go
@@ -0,0 +1,256 @@
+package libpod
+
+import (
+ "net"
+ "time"
+
+ "github.com/containers/image/v5/manifest"
+ "github.com/containers/libpod/v2/pkg/namespaces"
+ "github.com/containers/storage"
+ "github.com/cri-o/ocicni/pkg/ocicni"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// ContainerConfig contains all information that was used to create the
+// container. It may not be changed once created.
+// It is stored, read-only, on disk
+type ContainerConfig struct {
+ Spec *spec.Spec `json:"spec"`
+
+ ID string `json:"id"`
+
+ Name string `json:"name"`
+
+ // Full ID of the pood the container belongs to
+ Pod string `json:"pod,omitempty"`
+
+ // Namespace the container is in
+ Namespace string `json:"namespace,omitempty"`
+
+ // ID of this container's lock
+ LockID uint32 `json:"lockID"`
+
+ // CreateCommand is the full command plus arguments of the process the
+ // container has been created with.
+ CreateCommand []string `json:"CreateCommand,omitempty"`
+
+ // RawImageName is the raw and unprocessed name of the image when creating
+ // the container (as specified by the user). May or may not be set. One
+ // use case to store this data are auto-updates where we need the _exact_
+ // name and not some normalized instance of it.
+ RawImageName string `json:"RawImageName,omitempty"`
+
+ // UID/GID mappings used by the storage
+ IDMappings storage.IDMappingOptions `json:"idMappingsOptions,omitempty"`
+
+ // IDs of dependency containers.
+ // These containers must be started before this container is started.
+ Dependencies []string
+
+ // embedded sub-configs
+ ContainerRootFSConfig
+ ContainerSecurityConfig
+ ContainerNameSpaceConfig
+ ContainerNetworkConfig
+ ContainerImageConfig
+ ContainerMiscConfig
+}
+
+// ContainerRootFSConfig is an embedded sub-config providing config info
+// about the container's root fs.
+type ContainerRootFSConfig struct {
+ RootfsImageID string `json:"rootfsImageID,omitempty"`
+ RootfsImageName string `json:"rootfsImageName,omitempty"`
+ // Rootfs to use for the container, this conflicts with RootfsImageID
+ Rootfs string `json:"rootfs,omitempty"`
+ // Src path to be mounted on /dev/shm in container.
+ ShmDir string `json:"ShmDir,omitempty"`
+ // Size of the container's SHM.
+ ShmSize int64 `json:"shmSize"`
+ // Static directory for container content that will persist across
+ // reboot.
+ StaticDir string `json:"staticDir"`
+ // Mounts list contains all additional mounts into the container rootfs.
+ // These include the SHM mount.
+ // These must be unmounted before the container's rootfs is unmounted.
+ Mounts []string `json:"mounts,omitempty"`
+ // NamedVolumes lists the named volumes to mount into the container.
+ NamedVolumes []*ContainerNamedVolume `json:"namedVolumes,omitempty"`
+ // OverlayVolumes lists the overlay volumes to mount into the container.
+ OverlayVolumes []*ContainerOverlayVolume `json:"overlayVolumes,omitempty"`
+}
+
+// ContainerSecurityConfig is an embedded sub-config providing security configuration
+// to the container.
+type ContainerSecurityConfig struct {
+ // Whether the container is privileged
+ Privileged bool `json:"privileged"`
+ // SELinux process label for container
+ ProcessLabel string `json:"ProcessLabel,omitempty"`
+ // SELinux mount label for root filesystem
+ MountLabel string `json:"MountLabel,omitempty"`
+ // LabelOpts are options passed in by the user to setup SELinux labels
+ LabelOpts []string `json:"labelopts,omitempty"`
+ // User and group to use in the container
+ // Can be specified by name or UID/GID
+ User string `json:"user,omitempty"`
+ // Additional groups to add
+ Groups []string `json:"groups,omitempty"`
+ // AddCurrentUserPasswdEntry indicates that the current user passwd entry
+ // should be added to the /etc/passwd within the container
+ AddCurrentUserPasswdEntry bool `json:"addCurrentUserPasswdEntry,omitempty"`
+}
+
+// ContainerNameSpaceConfig is an embedded sub-config providing
+// namespace configuration to the container.
+type ContainerNameSpaceConfig struct {
+ // IDs of container to share namespaces with
+ // NetNsCtr conflicts with the CreateNetNS bool
+ // These containers are considered dependencies of the given container
+ // They must be started before the given container is started
+ IPCNsCtr string `json:"ipcNsCtr,omitempty"`
+ MountNsCtr string `json:"mountNsCtr,omitempty"`
+ NetNsCtr string `json:"netNsCtr,omitempty"`
+ PIDNsCtr string `json:"pidNsCtr,omitempty"`
+ UserNsCtr string `json:"userNsCtr,omitempty"`
+ UTSNsCtr string `json:"utsNsCtr,omitempty"`
+ CgroupNsCtr string `json:"cgroupNsCtr,omitempty"`
+}
+
+// ContainerNetworkConfig is an embedded sub-config providing network configuration
+// to the container.
+type ContainerNetworkConfig struct {
+ // CreateNetNS indicates that libpod should create and configure a new
+ // network namespace for the container.
+ // This cannot be set if NetNsCtr is also set.
+ CreateNetNS bool `json:"createNetNS"`
+ // StaticIP is a static IP to request for the container.
+ // This cannot be set unless CreateNetNS is set.
+ // If not set, the container will be dynamically assigned an IP by CNI.
+ StaticIP net.IP `json:"staticIP"`
+ // StaticMAC is a static MAC to request for the container.
+ // This cannot be set unless CreateNetNS is set.
+ // If not set, the container will be dynamically assigned a MAC by CNI.
+ StaticMAC net.HardwareAddr `json:"staticMAC"`
+ // PortMappings are the ports forwarded to the container's network
+ // namespace
+ // These are not used unless CreateNetNS is true
+ PortMappings []ocicni.PortMapping `json:"portMappings,omitempty"`
+ // UseImageResolvConf indicates that resolv.conf should not be
+ // bind-mounted inside the container.
+ // Conflicts with DNSServer, DNSSearch, DNSOption.
+ UseImageResolvConf bool
+ // DNS servers to use in container resolv.conf
+ // Will override servers in host resolv if set
+ DNSServer []net.IP `json:"dnsServer,omitempty"`
+ // DNS Search domains to use in container resolv.conf
+ // Will override search domains in host resolv if set
+ DNSSearch []string `json:"dnsSearch,omitempty"`
+ // DNS options to be set in container resolv.conf
+ // With override options in host resolv if set
+ DNSOption []string `json:"dnsOption,omitempty"`
+ // UseImageHosts indicates that /etc/hosts should not be
+ // bind-mounted inside the container.
+ // Conflicts with HostAdd.
+ UseImageHosts bool
+ // Hosts to add in container
+ // Will be appended to host's host file
+ HostAdd []string `json:"hostsAdd,omitempty"`
+ // Network names (CNI) to add container to. Empty to use default network.
+ Networks []string `json:"networks,omitempty"`
+ // Network mode specified for the default network.
+ NetMode namespaces.NetworkMode `json:"networkMode,omitempty"`
+ // NetworkOptions are additional options for each network
+ NetworkOptions map[string][]string `json:"network_options,omitempty"`
+}
+
+// ContainerImageConfig is an embedded sub-config providing image configuration
+// to the container.
+type ContainerImageConfig struct {
+ // UserVolumes contains user-added volume mounts in the container.
+ // These will not be added to the container's spec, as it is assumed
+ // they are already present in the spec given to Libpod. Instead, it is
+ // used when committing containers to generate the VOLUMES field of the
+ // image that is created, and for triggering some OCI hooks which do not
+ // fire unless user-added volume mounts are present.
+ UserVolumes []string `json:"userVolumes,omitempty"`
+ // Entrypoint is the container's entrypoint.
+ // It is not used in spec generation, but will be used when the
+ // container is committed to populate the entrypoint of the new image.
+ Entrypoint []string `json:"entrypoint,omitempty"`
+ // Command is the container's command.
+ // It is not used in spec generation, but will be used when the
+ // container is committed to populate the command of the new image.
+ Command []string `json:"command,omitempty"`
+}
+
+// ContainerMiscConfig is an embedded sub-config providing misc configuration
+// to the container.
+type ContainerMiscConfig struct {
+ // Whether to keep container STDIN open
+ Stdin bool `json:"stdin,omitempty"`
+ // Labels is a set of key-value pairs providing additional information
+ // about a container
+ Labels map[string]string `json:"labels,omitempty"`
+ // StopSignal is the signal that will be used to stop the container
+ StopSignal uint `json:"stopSignal,omitempty"`
+ // StopTimeout is the signal that will be used to stop the container
+ StopTimeout uint `json:"stopTimeout,omitempty"`
+ // Time container was created
+ CreatedTime time.Time `json:"createdTime"`
+ // NoCgroups indicates that the container will not create CGroups. It is
+ // incompatible with CgroupParent. Deprecated in favor of CgroupsMode.
+ NoCgroups bool `json:"noCgroups,omitempty"`
+ // CgroupsMode indicates how the container will create cgroups
+ // (disabled, no-conmon, enabled). It supersedes NoCgroups.
+ CgroupsMode string `json:"cgroupsMode,omitempty"`
+ // Cgroup parent of the container
+ CgroupParent string `json:"cgroupParent"`
+ // LogPath log location
+ LogPath string `json:"logPath"`
+ // LogTag is the tag used for logging
+ LogTag string `json:"logTag"`
+ // LogDriver driver for logs
+ LogDriver string `json:"logDriver"`
+ // File containing the conmon PID
+ ConmonPidFile string `json:"conmonPidFile,omitempty"`
+ // RestartPolicy indicates what action the container will take upon
+ // exiting naturally.
+ // Allowed options are "no" (take no action), "on-failure" (restart on
+ // non-zero exit code, up an a maximum of RestartRetries times),
+ // and "always" (always restart the container on any exit code).
+ // The empty string is treated as the default ("no")
+ RestartPolicy string `json:"restart_policy,omitempty"`
+ // RestartRetries indicates the number of attempts that will be made to
+ // restart the container. Used only if RestartPolicy is set to
+ // "on-failure".
+ RestartRetries uint `json:"restart_retries,omitempty"`
+ // TODO log options for log drivers
+ // PostConfigureNetNS needed when a user namespace is created by an OCI runtime
+ // if the network namespace is created before the user namespace it will be
+ // owned by the wrong user namespace.
+ PostConfigureNetNS bool `json:"postConfigureNetNS"`
+ // OCIRuntime used to create the container
+ OCIRuntime string `json:"runtime,omitempty"`
+ // ExitCommand is the container's exit command.
+ // This Command will be executed when the container exits
+ ExitCommand []string `json:"exitCommand,omitempty"`
+ // IsInfra is a bool indicating whether this container is an infra container used for
+ // sharing kernel namespaces in a pod
+ IsInfra bool `json:"pause"`
+ // SdNotifyMode tells libpod what to do with a NOTIFY_SOCKET if passed
+ SdNotifyMode string `json:"sdnotifyMode,omitempty"`
+ // Systemd tells libpod to setup the container in systemd mode
+ Systemd bool `json:"systemd"`
+ // HealthCheckConfig has the health check command and related timings
+ HealthCheckConfig *manifest.Schema2HealthConfig `json:"healthcheck"`
+ // PreserveFDs is a number of additional file descriptors (in addition
+ // to 0, 1, 2) that will be passed to the executed process. The total FDs
+ // passed will be 3 + PreserveFDs.
+ PreserveFDs uint `json:"preserveFds,omitempty"`
+ // Timezone is the timezone inside the container.
+ // Local means it has the same timezone as the host machine
+ Timezone string `json:"timezone,omitempty"`
+ // Umask is the umask inside the container.
+ Umask string `json:"umask,omitempty"`
+}
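Review bot: The `// TODO log options for log drivers` line now runs straight into the doc comment of PostConfigureNetNS, because the blank line that separated them in the old ContainerConfig was dropped when the fields moved into ContainerMiscConfig; godoc will present the TODO as part of that field's documentation, so reinsert the blank line after the TODO. `ContainerNameSpaceConfig` spells the word differently from every other identifier in this file (`Namespace`, `IPCNsCtr`, `NetNsCtr`); since the type is introduced in this commit, `ContainerNamespaceConfig` is a cheap rename now. The ContainerConfig doc comment would also benefit from one sentence recording that the sub-configs are embedded anonymously so encoding/json promotes their fields and the on-disk JSON layout of existing state is unchanged, e.g. `// The embedded sub-configs are anonymous so their fields are promoted by encoding/json; the serialized form is identical to the flat struct.` That is the property persisted containers depend on, and it also warns a later maintainer that a json tag duplicated across two sub-configs at the same depth is silently dropped from the output rather than reported.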
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index b2e23b3a8..80b160919 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -1557,7 +1557,7 @@ func (c *Container) chownVolume(volumeName string) error {
if err != nil {
return err
}
- if err := os.Chown(path, uid, gid); err != nil {
+ if err := os.Lchown(path, uid, gid); err != nil {
return err
}
return nil
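Review bot: The switch from os.Chown to os.Lchown at the changed line deserves a why-comment, because the two calls look interchangeable and a later cleanup could revert it: Lchown changes the ownership of a symlink itself instead of the file it points to, so a link inside the volume can no longer redirect the chown to a path outside the volume. Suggested comment above the call: `// Lchown, not Chown: do not follow symlinks, so a link inside the volume cannot redirect the ownership change to a target outside it.` chownVolume's body begins outside the hunk, so I cannot confirm from here whether other ownership changes on volume contents exist that should get the same treatment.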
diff --git a/libpod/container_internal_linux_test.go b/libpod/container_internal_linux_test.go
index 078cc53a7..41c22fb45 100644
--- a/libpod/container_internal_linux_test.go
+++ b/libpod/container_internal_linux_test.go
@@ -20,8 +20,10 @@ func TestGenerateUserPasswdEntry(t *testing.T) {
c := Container{
config: &ContainerConfig{
- User: "123:456",
Spec: &spec.Spec{},
+ ContainerSecurityConfig: ContainerSecurityConfig{
+ User: "123:456",
+ },
},
state: &ContainerState{
Mountpoint: "/does/not/exist/tmp/",
diff --git a/libpod/container_internal_test.go b/libpod/container_internal_test.go
index fdf7c2e20..2b50093b2 100644
--- a/libpod/container_internal_test.go
+++ b/libpod/container_internal_test.go
@@ -35,7 +35,9 @@ func TestPostDeleteHooks(t *testing.T) {
"a": "b",
},
},
- StaticDir: dir, // not the bundle, but good enough for this test
+ ContainerRootFSConfig: ContainerRootFSConfig{
+ StaticDir: dir, // not the bundle, but good enough for this test
+ },
},
state: &ContainerState{
ExtensionStageHooks: map[string][]rspec.Hook{
diff --git a/pkg/api/handlers/compat/events.go b/pkg/api/handlers/compat/events.go
index 9d5cb5045..8c4ad575b 100644
--- a/pkg/api/handlers/compat/events.go
+++ b/pkg/api/handlers/compat/events.go
@@ -29,8 +29,14 @@ func filtersFromRequest(r *http.Request) ([]string, error) {
compatFilters map[string]map[string]bool
filters map[string][]string
libpodFilters []string
+ raw []byte
)
- raw := []byte(r.Form.Get("filters"))
+
+ if _, found := r.URL.Query()["filters"]; found {
+ raw = []byte(r.Form.Get("filters"))
+ } else {
+ return []string{}, nil
+ }
// Backwards compat with older versions of Docker.
if err := json.Unmarshal(raw, &compatFilters); err == nil {
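Review bot: The new presence check reads `r.URL.Query()` while the value is still taken from `r.Form`, so the two halves can disagree: `r.Form` is only populated after ParseForm has run (not visible in this hunk) and for POST requests also carries body fields, so a `filters` key present in the query could still yield an empty `raw` and presumably end up in the JSON error path below. Reading both from the same source avoids that: `raw = []byte(r.URL.Query().Get("filters"))`. The `if found { ... } else { return }` shape also buries the happy path; `if _, found := r.URL.Query()["filters"]; !found { return []string{}, nil }` followed by a plain `raw := ...` keeps it left-aligned and removes the need for the new `raw []byte` entry in the var block. filtersFromRequest continues outside the hunk.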
diff --git a/pkg/api/server/docs.go b/pkg/api/server/docs.go
index 124c16092..1aaf31117 100644
--- a/pkg/api/server/docs.go
+++ b/pkg/api/server/docs.go
@@ -1,8 +1,10 @@
-// Package api Provides a container compatible interface. (Experimental)
+// Package api Provides a container compatible interface.
//
-// This documentation describes the HTTP Libpod interface. It is to be considered
-// only as experimental as this point. The endpoints, parameters, inputs, and
-// return values can all change.
+// This documentation describes the Podman v2.0 RESTful API.
+// It replaces the Podman v1.0 API and was initially delivered
+// along with Podman v2.0. It consists of a Docker-compatible
+// API and a Libpod API providing support for Podman’s unique
+// features such as pods.
//
// To start the service and keep it running for 5,000 seconds (-t 0 runs forever):
//
diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c
index 716db81dc..8e0151496 100644
--- a/pkg/rootless/rootless_linux.c
+++ b/pkg/rootless/rootless_linux.c
@@ -210,6 +210,13 @@ can_use_shortcut ()
ret = false;
break;
}
+
+ if (argv[argc+1] != NULL && strcmp (argv[argc], "container") == 0 &&
+ strcmp (argv[argc+1], "mount") == 0)
+ {
+ ret = false;
+ break;
+ }
}
free (argv[0]);
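Review bot: The new `container mount` check carries no comment saying why it disables the shortcut, presumably because, like `podman mount`, the command has to run inside the user namespace (the new rootless e2e test checks for the `podman unshare` hint); a one-liner such as `/* "podman container mount" cannot take the shortcut: it must run inside the user namespace */` would keep that intent from being lost when the loop is next touched. The match is purely positional on two adjacent argv entries, so it also fires on unrelated pairs such as a container named `container` followed by a `mount` argument; since that only falls back to the slower path it is harmless, but worth stating in the same comment. The loop and the check whose body is visible at the top of the hunk begin outside the hunk.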
diff --git a/test/apiv2/01-basic.at b/test/apiv2/01-basic.at
index 18ec9bbe8..79dac990a 100644
--- a/test/apiv2/01-basic.at
+++ b/test/apiv2/01-basic.at
@@ -68,4 +68,8 @@ else
_show_ok 0 "Time for ten /info requests" "<= 5 seconds" "$delta_t seconds"
fi
+# Simple events test (see #7078)
+t GET "events?stream=false" 200
+t GET "libpod/events?stream=false" 200
+
# vim: filetype=sh
diff --git a/test/e2e/mount_rootless_test.go b/test/e2e/mount_rootless_test.go
new file mode 100644
index 000000000..986c11c16
--- /dev/null
+++ b/test/e2e/mount_rootless_test.go
@@ -0,0 +1,62 @@
+// +build !remote
+
+package integration
+
+import (
+ "os"
+
+ . "github.com/containers/libpod/v2/test/utils"
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+var _ = Describe("Podman mount", func() {
+ var (
+ tempdir string
+ err error
+ podmanTest *PodmanTestIntegration
+ )
+
+ BeforeEach(func() {
+ if os.Geteuid() == 0 {
+ Skip("This function is not enabled for rootfull podman")
+ }
+ tempdir, err = CreateTempDirInTempDir()
+ if err != nil {
+ os.Exit(1)
+ }
+ podmanTest = PodmanTestCreate(tempdir)
+ podmanTest.Setup()
+ podmanTest.SeedImages()
+ })
+
+ AfterEach(func() {
+ podmanTest.Cleanup()
+ f := CurrentGinkgoTestDescription()
+ processTestResult(f)
+
+ })
+
+ It("podman mount", func() {
+ setup := podmanTest.Podman([]string{"create", ALPINE, "ls"})
+ setup.WaitWithDefaultTimeout()
+ Expect(setup.ExitCode()).To(Equal(0))
+ cid := setup.OutputToString()
+
+ mount := podmanTest.Podman([]string{"mount", cid})
+ mount.WaitWithDefaultTimeout()
+ Expect(mount.ExitCode()).ToNot(Equal(0))
+ Expect(mount.ErrorToString()).To(ContainSubstring("podman unshare"))
+ })
+
+ It("podman unshare podman mount", func() {
+ setup := podmanTest.Podman([]string{"create", ALPINE, "ls"})
+ setup.WaitWithDefaultTimeout()
+ Expect(setup.ExitCode()).To(Equal(0))
+ cid := setup.OutputToString()
+
+ session := podmanTest.Podman([]string{"unshare", PODMAN_BINARY, "mount", cid})
+ session.WaitWithDefaultTimeout()
+ Expect(setup.ExitCode()).To(Equal(0))
+ })
+})
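Review bot: The final assertion in "podman unshare podman mount" checks `setup.ExitCode()`, which was already asserted to be 0 a few lines earlier, instead of the `session` it just ran, so the spec passes even when `podman unshare podman mount` fails — the very case it exists to cover; change it to `Expect(session.ExitCode()).To(Equal(0))`. It may also be worth asserting on the output, e.g. that `session.OutputToString()` is non-empty, assuming a successful mount prints the mount path. The `os.Exit(1)` in BeforeEach aborts the whole ginkgo run on a temp-dir failure rather than failing the spec; `Expect(err).To(BeNil())` keeps it inside the framework, though the pattern may be copied from the sibling suites.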
diff --git a/test/e2e/mount_test.go b/test/e2e/mount_test.go
index 36d1f856d..0b1667fd3 100644
--- a/test/e2e/mount_test.go
+++ b/test/e2e/mount_test.go
@@ -80,6 +80,11 @@ var _ = Describe("Podman mount", func() {
Expect(j.ExitCode()).To(Equal(0))
Expect(j.IsJSONOutputValid()).To(BeTrue())
+ j = podmanTest.Podman([]string{"mount", "--format='{{.foobar}}'"})
+ j.WaitWithDefaultTimeout()
+ Expect(j.ExitCode()).ToNot(Equal(0))
+ Expect(j.ErrorToString()).To(ContainSubstring("unknown --format"))
+
umount := podmanTest.Podman([]string{"umount", cid})
umount.WaitWithDefaultTimeout()
Expect(umount.ExitCode()).To(Equal(0))
diff --git a/transfer.md b/transfer.md
index a9cc8a756..9aa271c37 100644
--- a/transfer.md
+++ b/transfer.md
@@ -54,6 +54,10 @@ There are other equivalents for these tools
| `docker load` | [`podman load`](./docs/source/markdown/podman-load.1.md) |
| `docker login` | [`podman login`](./docs/source/markdown/podman-login.1.md) |
| `docker logout` | [`podman logout`](./docs/source/markdown/podman-logout.1.md) |
+| `docker network create` | [`podman network create`](./docs/source/markdown/podman-network-create.1.md) |
+| `docker network inspect` | [`podman network inspect`](./docs/source/markdown/podman-network-inspect.1.md) |
+| `docker network ls` | [`podman network ls`](./docs/source/markdown/podman-network-ls.1.md) |
+| `docker network rm` | [`podman network rm`](./docs.source/markdown/podman-network-rm.1.md) |
| `docker pause` | [`podman pause`](./docs/source/markdown/podman-pause.1.md) |
| `docker ps` | [`podman ps`](./docs/source/markdown/podman-ps.1.md) |
| `docker pull` | [`podman pull`](./docs/source/markdown/podman-pull.1.md) |
@@ -93,14 +97,12 @@ Those Docker commands currently do not have equivalents in `podman`:
| :--- | :--- |
| `docker container update` | podman does not support altering running containers. We recommend recreating containers with the correct arguments.|
| `docker container rename` | podman does not support `container rename` - or the `rename` shorthand. We recommend using `podman rm` and `podman create` to create a container with a specific name.|
-| `docker network` ||
| `docker node` ||
| `docker plugin` | podman does not support plugins. We recommend you use alternative OCI Runtimes or OCI Runtime Hooks to alter behavior of podman.|
| `docker secret` ||
| `docker service` ||
| `docker stack` ||
| `docker swarm` | podman does not support swarm. We support Kubernetes for orchestration using [CRI-O](https://github.com/cri-o/cri-o).|
-| `docker volume` | podman currently supports file volumes. Future enhancement planned to support Docker Volumes Plugins
## Missing commands in Docker
@@ -134,5 +136,4 @@ The following podman commands do not have a Docker equivalent:
* [`podman pod stop`](./docs/source/markdown/podman-pod-stop.1.md)
* [`podman pod top`](./docs/source/markdown/podman-pod-top.1.md)
* [`podman pod unpause`](./docs/source/markdown/podman-pod-unpause.1.md)
-* [`podman varlink`](./docs/source/markdown/podman-varlink.1.md)
* [`podman umount`](./docs/source/markdown/podman-umount.1.md)
diff --git a/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/child/child.go b/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/child/child.go
index 7cce235a6..112a926c3 100644
--- a/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/child/child.go
+++ b/vendor/github.com/rootless-containers/rootlesskit/pkg/port/builtin/child/child.go
@@ -119,11 +119,13 @@ func (d *childDriver) handleConnectRequest(c *net.UnixConn, req *msg.Request) er
if err != nil {
return err
}
+ defer targetConnFile.Close()
oob := unix.UnixRights(int(targetConnFile.Fd()))
f, err := c.File()
if err != nil {
return err
}
+ defer f.Close()
for {
err = unix.Sendmsg(int(f.Fd()), []byte("dummy"), oob, nil, 0)
if err != unix.EINTR {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 7cd0f86df..1c1865e23 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -468,7 +468,7 @@ github.com/prometheus/common/model
github.com/prometheus/procfs
github.com/prometheus/procfs/internal/fs
github.com/prometheus/procfs/internal/util
-# github.com/rootless-containers/rootlesskit v0.9.5
+# github.com/rootless-containers/rootlesskit v0.10.0
github.com/rootless-containers/rootlesskit/pkg/msgutil
github.com/rootless-containers/rootlesskit/pkg/port
github.com/rootless-containers/rootlesskit/pkg/port/builtin