-rw-r--r--.cirrus.yml0
-rw-r--r--.travis.yml23
-rw-r--r--.ubuntu_prepare.sh71
-rwxr-xr-xAPI.md6
-rw-r--r--README.md2
-rw-r--r--cmd/podman/cleanup.go4
-rw-r--r--cmd/podman/container.go1
-rw-r--r--cmd/podman/create.go4
-rw-r--r--cmd/podman/kill.go64
-rw-r--r--cmd/podman/main.go5
-rw-r--r--cmd/podman/pod_stop.go4
-rw-r--r--cmd/podman/ps.go2
-rw-r--r--cmd/podman/run.go2
-rw-r--r--cmd/podman/runlabel.go188
-rw-r--r--cmd/podman/shared/funcs.go57
-rw-r--r--cmd/podman/shared/funcs_test.go89
-rw-r--r--cmd/podman/start.go7
-rw-r--r--cmd/podman/varlink/io.podman.varlink4
-rw-r--r--commands.md1
-rw-r--r--completions/bash/podman32
-rw-r--r--contrib/python/podman/.pylintrc564
-rw-r--r--contrib/python/podman/podman/__init__.py11
-rw-r--r--contrib/python/podman/podman/client.py6
-rw-r--r--contrib/python/podman/podman/libs/__init__.py26
-rw-r--r--contrib/python/podman/podman/libs/errors.py30
-rw-r--r--contrib/python/podman/podman/libs/images.py6
-rw-r--r--contrib/python/podman/podman/libs/pods.py164
-rw-r--r--contrib/python/podman/test/test_pods_ctnrs.py65
-rw-r--r--contrib/python/podman/test/test_pods_no_ctnrs.py94
-rwxr-xr-xcontrib/python/podman/test/test_runner.sh2
-rw-r--r--contrib/python/pypodman/pypodman/lib/podman_parser.py11
-rw-r--r--docs/podman-container-runlabel.1.md102
-rw-r--r--docs/podman-kill.1.md6
-rw-r--r--docs/podman-stop.1.md8
-rw-r--r--docs/tutorials/podman_tutorial.md2
-rw-r--r--install.md2
-rw-r--r--libpod/container.go7
-rw-r--r--libpod/container_api.go59
-rw-r--r--libpod/container_internal.go113
-rw-r--r--libpod/image/image.go14
-rw-r--r--libpod/oci.go16
-rw-r--r--libpod/pod_api.go4
-rw-r--r--libpod/runtime.go23
-rw-r--r--libpod/runtime_ctr.go14
-rw-r--r--libpod/runtime_pod_linux.go8
-rw-r--r--libpod/stats.go7
-rw-r--r--libpod/util.go25
-rw-r--r--pkg/spec/config_linux.go25
-rw-r--r--pkg/spec/spec.go176
-rw-r--r--pkg/varlinkapi/pods.go16
-rw-r--r--test/e2e/libpod_suite_test.go20
-rw-r--r--test/e2e/run_cgroup_parent_test.go4
-rw-r--r--test/e2e/run_memory_test.go3
-rw-r--r--test/e2e/run_selinux_test.go87
-rw-r--r--test/e2e/run_test.go54
-rw-r--r--test/e2e/search_test.go4
-rw-r--r--utils/utils.go5
-rw-r--r--vendor.conf6
-rw-r--r--vendor/github.com/containers/buildah/image.go10
-rw-r--r--vendor/github.com/containers/buildah/imagebuildah/build.go32
-rw-r--r--vendor/github.com/containers/buildah/unshare/unshare.c9
-rw-r--r--vendor/github.com/containers/buildah/unshare/unshare.go5
-rw-r--r--vendor/github.com/containers/buildah/vendor.conf8
-rw-r--r--vendor/github.com/containers/image/storage/storage_image.go64
-rw-r--r--vendor/github.com/containers/storage/drivers/chown_unix.go10
-rw-r--r--vendor/github.com/containers/storage/layers.go17
-rw-r--r--vendor/github.com/containers/storage/layers_ffjson.go2
-rw-r--r--vendor/github.com/containers/storage/store.go14
68 files changed, 2123 insertions, 403 deletions
diff --git a/.cirrus.yml b/.cirrus.yml
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/.cirrus.yml
diff --git a/.travis.yml b/.travis.yml
index 2ede77a93..86744f728 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -28,35 +28,12 @@ jobs:
include:
- stage: Build and Verify
script:
- - make gofmt
- - make lint
- go: 1.10.x
- - script:
- - make gofmt
- - make lint
- go: 1.10.x
- os: osx
- - script:
- - make testunit
- go: 1.9.x
- - stage: Build and Verify
- script:
- make testunit
go: 1.10.x
- - script:
- - make --keep-going local-cross
- go: 1.10.x
- - script:
- - make --keep-going local-cross
- go: 1.10.x
- os: osx
- env: ALLOWED_TO_FAIL=true
- stage: Integration Test
script:
- make integration
go: 1.9.x
- allow_failures:
- - env: ALLOWED_TO_FAIL=true
notifications:
irc: "chat.freenode.net#podman"
diff --git a/.ubuntu_prepare.sh b/.ubuntu_prepare.sh
new file mode 100644
index 000000000..7b7dd1bb1
--- /dev/null
+++ b/.ubuntu_prepare.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+set -xeuo pipefail
+
+export GOPATH=/go
+export PATH=$HOME/gopath/bin:$PATH:$GOPATH/bin
+
+runc=0
+conmon=0
+cni=0
+podman_conf=0
+
+conmon_source=/go/src/github.com/containers/conmon
+cni_source=/go/src/github.com/containernetworking/plugins
+runc_source=/go/src/github.com/opencontainers/runc
+podman_source=/var/tmp/checkout
+
+while getopts "cnrf" opt; do
+ case "$opt" in
+ c) conmon=1
+ ;;
+ f) podman_conf=1
+ ;;
+ n) cni=1
+ ;;
+ r) runc=1
+ ;;
+ *) echo "Nothing to do ... exiting."
+ exit 0
+ ;;
+ esac
+done
+
+if [ $conmon -eq 1 ]; then
+ # Build and install conmon from source
+ echo "Building conmon ..."
+ git clone http://github.com/containers/conmon $conmon_source
+ cd $conmon_source && make install PREFIX=/usr
+fi
+
+
+if [ $cni -eq 1 ]; then
+ # Build and install containernetworking plugins from source
+ echo "Building containernetworking-plugins..."
+ git clone http://github.com/containernetworking/plugins $cni_source
+ cd $cni_source
+ ./build.sh
+ mkdir -p /usr/libexec/cni
+ cp -v bin/* /usr/libexec/cni/
+fi
+
+
+if [ $runc -eq 1 ]; then
+ # Build and install runc
+ echo "Building runc..."
+ git clone http://github.com/opencontainers/runc $runc_source
+ cd $runc_source
+ make install PREFIX=/usr
+fi
+
+if [ $podman_conf -eq 1 ]; then
+ # Install various configuration files required by libpod
+
+ # Install CNI conf file for podman
+ mkdir -p /etc/cni/net.d
+ cp -v $podman_source/cni/87-podman-bridge.conflist /etc/cni/net.d/
+
+ # Install registries.conf
+ mkdir -p /etc/containers
+ cp -v $podman_source/test/registries.conf /etc/containers/
+ cp -v $podman_source/test/policy.json /etc/containers/
+fi
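Review bot: The three `git clone http://github.com/...` lines fetch conmon, the CNI plugins and runc over cleartext HTTP, and the script then builds them and installs the results under /usr and /usr/libexec/cni. Anything on the network path can tamper with that first request, so these should use TLS, e.g. `git clone https://github.com/containers/conmon "$conmon_source"`, and likewise for the other two. None of the clones is pinned to a tag or commit, so the test image tracks whatever the default branch holds that day; checking out a fixed revision after each clone would make the build reproducible and reviewable.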
diff --git a/API.md b/API.md
index 32f867605..34d401aca 100755
--- a/API.md
+++ b/API.md
@@ -179,6 +179,8 @@ in the [API.md](https://github.com/containers/libpod/blob/master/API.md) file in
[error NoContainerRunning](#NoContainerRunning)
+[error NoContainersInPod](#NoContainersInPod)
+
[error PodContainerError](#PodContainerError)
[error PodNotFound](#PodNotFound)
@@ -1332,6 +1334,10 @@ ImageNotFound means the image could not be found by the provided name or ID in l
### <a name="NoContainerRunning"></a>type NoContainerRunning
NoContainerRunning means none of the containers requested are running in a command that requires a running container.
+### <a name="NoContainersInPod"></a>type NoContainersInPod
+
+NoContainersInPod means a pod has no containers on which to perform operation. It contains
+the pod ID.
### <a name="PodContainerError"></a>type PodContainerError
PodContainerError means a container associated with a pod failed to preform an operation. It contains
diff --git a/README.md b/README.md
index 9cee5bd4d..7f534f0ca 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,8 @@ The plan is to use OCI projects and best of breed libraries for different aspect
## Podman Information for Developers
+For blogs, release announcements and more, please checkout the [podman.io](https://podman.io) website!
+
**[Installation notes](install.md)**
Information on how to install Podman in your environment.
diff --git a/cmd/podman/cleanup.go b/cmd/podman/cleanup.go
index 6ebb682ed..316704f91 100644
--- a/cmd/podman/cleanup.go
+++ b/cmd/podman/cleanup.go
@@ -46,6 +46,8 @@ func cleanupCmd(c *cli.Context) error {
args := c.Args()
+ ctx := getContext()
+
var lastError error
var cleanupContainers []*libpod.Container
if c.Bool("all") {
@@ -80,7 +82,7 @@ func cleanupCmd(c *cli.Context) error {
}
}
for _, ctr := range cleanupContainers {
- if err = ctr.Cleanup(); err != nil {
+ if err = ctr.Cleanup(ctx); err != nil {
if lastError != nil {
fmt.Fprintln(os.Stderr, lastError)
}
diff --git a/cmd/podman/container.go b/cmd/podman/container.go
index b73fb7a94..82c1c824d 100644
--- a/cmd/podman/container.go
+++ b/cmd/podman/container.go
@@ -25,6 +25,7 @@ var (
restartCommand,
rmCommand,
runCommand,
+ runlabelCommand,
startCommand,
statsCommand,
stopCommand,
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index fc0c71536..574137271 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -784,7 +784,9 @@ func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtim
VolumesFrom: c.StringSlice("volumes-from"),
}
- if !config.Privileged {
+ if config.Privileged {
+ config.LabelOpts = label.DisableSecOpt()
+ } else {
if err := parseSecurityOpt(config, c.StringSlice("security-opt")); err != nil {
return nil, err
}
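Review bot: The `config.Privileged` branch deserves a comment, because it now does two security-relevant things that are easy to miss: it sets `config.LabelOpts = label.DisableSecOpt()` and it skips `parseSecurityOpt`, so any `--security-opt` values given together with `--privileged` are dropped without a message. Something like `// --privileged disables SELinux label separation; --security-opt values are not parsed in this mode` above the assignment would record that. Whether a warning should be logged when both are supplied is worth deciding; parseCreateOpts continues outside this hunk, so that may already be handled elsewhere.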
diff --git a/cmd/podman/kill.go b/cmd/podman/kill.go
index f80d77b8f..db3300984 100644
--- a/cmd/podman/kill.go
+++ b/cmd/podman/kill.go
@@ -6,6 +6,7 @@ import (
"fmt"
"github.com/containers/libpod/cmd/podman/libpodruntime"
+ "github.com/containers/libpod/libpod"
"github.com/containers/libpod/pkg/rootless"
"github.com/docker/docker/pkg/signal"
"github.com/pkg/errors"
@@ -14,6 +15,10 @@ import (
var (
killFlags = []cli.Flag{
+ cli.BoolFlag{
+ Name: "all, a",
+ Usage: "Signal all running containers",
+ },
cli.StringFlag{
Name: "signal, s",
Usage: "Signal to send to the container",
@@ -28,7 +33,7 @@ var (
Description: killDescription,
Flags: killFlags,
Action: killCmd,
- ArgsUsage: "[CONTAINER_NAME_OR_ID]",
+ ArgsUsage: "CONTAINER-NAME [CONTAINER-NAME ...]",
UseShortOptionHandling: true,
OnUsageError: usageErrorHandler,
}
@@ -37,11 +42,17 @@ var (
// killCmd kills one or more containers with a signal
func killCmd(c *cli.Context) error {
args := c.Args()
- if len(args) == 0 && !c.Bool("latest") {
- return errors.Errorf("specify one or more containers to kill")
+ if (!c.Bool("all") && !c.Bool("latest")) && len(args) == 0 {
+ return errors.Errorf("you must specify one or more containers to kill")
+ }
+ if (c.Bool("all") || c.Bool("latest")) && len(args) > 0 {
+ return errors.Errorf("you cannot specify any containers to kill with --latest or --all")
+ }
+ if c.Bool("all") && c.Bool("latest") {
+ return errors.Errorf("--all and --latest cannot be used together")
}
- if len(args) > 0 && c.Bool("latest") {
- return errors.Errorf("you cannot specific any containers to kill with --latest")
+ if len(args) < 1 && !c.Bool("all") && !c.Bool("latest") {
+ return errors.Errorf("you must provide at least one container name or id")
}
if err := validateFlags(c, killFlags); err != nil {
return err
@@ -65,30 +76,45 @@ func killCmd(c *cli.Context) error {
killSignal = uint(sysSignal)
}
- if c.Bool("latest") {
- latestCtr, err := runtime.GetLatestContainer()
+ var filterFuncs []libpod.ContainerFilter
+ var containers []*libpod.Container
+ var lastError error
+ if c.Bool("all") {
+ // only get running containers
+ filterFuncs = append(filterFuncs, func(c *libpod.Container) bool {
+ state, _ := c.State()
+ return state == libpod.ContainerStateRunning
+ })
+ containers, err = runtime.GetContainers(filterFuncs...)
if err != nil {
- return errors.Wrapf(err, "unable to get latest container")
+ return errors.Wrapf(err, "unable to get running containers")
}
- args = append(args, latestCtr.ID())
- }
-
- var lastError error
- for _, container := range args {
- ctr, err := runtime.LookupContainer(container)
+ } else if c.Bool("latest") {
+ lastCtr, err := runtime.GetLatestContainer()
if err != nil {
- if lastError != nil {
- fmt.Fprintln(os.Stderr, lastError)
+ return errors.Wrapf(err, "unable to get last created container")
+ }
+ containers = append(containers, lastCtr)
+ } else {
+ for _, i := range args {
+ container, err := runtime.LookupContainer(i)
+ if err != nil {
+ if lastError != nil {
+ fmt.Fprintln(os.Stderr, lastError)
+ }
+ lastError = errors.Wrapf(err, "unable to find container %s", i)
+ continue
}
- lastError = errors.Wrapf(err, "unable to find container %v", container)
- continue
+ containers = append(containers, container)
}
+ }
+ for _, ctr := range containers {
if err := ctr.Kill(killSignal); err != nil {
if lastError != nil {
fmt.Fprintln(os.Stderr, lastError)
}
- lastError = errors.Wrapf(err, "unable to find container %v", container)
+ lastError = errors.Wrapf(err, "unable to find container %v", ctr.ID())
} else {
fmt.Println(ctr.ID())
}
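Review bot: In the `--all` filter, `state, _ := c.State()` discards the error, so a container whose state cannot be read is silently left out of the kill set and the user has no indication that `--all` was incomplete; the error should at least be logged inside the closure. The closure parameter `c` also shadows the `*cli.Context` named `c` in killCmd, which is legal but easy to misread; `ctr` would be clearer. Separately, a failed `ctr.Kill(killSignal)` is still wrapped as `"unable to find container %v"`; `errors.Wrapf(err, "unable to kill %v", ctr.ID())` would describe the failure correctly.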
diff --git a/cmd/podman/main.go b/cmd/podman/main.go
index 840650a3f..d4c8454a8 100644
--- a/cmd/podman/main.go
+++ b/cmd/podman/main.go
@@ -7,6 +7,7 @@ import (
"runtime/pprof"
"syscall"
+ "github.com/containers/libpod/libpod"
"github.com/containers/libpod/pkg/hooks"
_ "github.com/containers/libpod/pkg/hooks/0.1.0"
"github.com/containers/libpod/pkg/rootless"
@@ -109,6 +110,10 @@ func main() {
}
app.Before = func(c *cli.Context) error {
+ if err := libpod.SetXdgRuntimeDir(""); err != nil {
+ logrus.Errorf(err.Error())
+ os.Exit(1)
+ }
args := c.Args()
if args.Present() {
if _, notRequireRootless := cmdsNotRequiringRootless[args.First()]; !notRequireRootless {
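Review bot: `logrus.Errorf(err.Error())` passes the error text as the format string, so any `%` in it (from a path, for instance) is read as a verb and the logged message is mangled; use `logrus.Error(err)` or `logrus.Errorf("%v", err)`. Calling `os.Exit(1)` inside `app.Before` also skips any deferred cleanup; since the hook already returns an error, `return err` would likely be enough, though how main handles that return value is outside this hunk.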
diff --git a/cmd/podman/pod_stop.go b/cmd/podman/pod_stop.go
index 03d04a3ec..6dc6a2b2d 100644
--- a/cmd/podman/pod_stop.go
+++ b/cmd/podman/pod_stop.go
@@ -50,9 +50,11 @@ func podStopCmd(c *cli.Context) error {
// in which case the following loop will be skipped.
pods, lastError := getPodsFromContext(c, runtime)
+ ctx := getContext()
+
for _, pod := range pods {
// set cleanup to true to clean mounts and namespaces
- ctr_errs, err := pod.Stop(true)
+ ctr_errs, err := pod.Stop(ctx, true)
if ctr_errs != nil {
for ctr, err := range ctr_errs {
if lastError != nil {
diff --git a/cmd/podman/ps.go b/cmd/podman/ps.go
index d36c929e8..e53afe1bf 100644
--- a/cmd/podman/ps.go
+++ b/cmd/podman/ps.go
@@ -548,6 +548,8 @@ func getTemplateOutput(psParams []psJSONParams, opts shared.PsOptions) ([]psTemp
labels := formatLabels(psParam.Labels)
switch psParam.Status {
+ case libpod.ContainerStateExited.String():
+ fallthrough
case libpod.ContainerStateStopped.String():
exitedSince := units.HumanDuration(time.Since(psParam.ExitedAt))
status = fmt.Sprintf("Exited (%d) %s ago", psParam.ExitCode, exitedSince)
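Review bot: The empty `case libpod.ContainerStateExited.String():` followed by `fallthrough` can be written as a single case list, `case libpod.ContainerStateExited.String(), libpod.ContainerStateStopped.String():`, which is the usual Go form and prevents a later edit from inserting statements between the two cases by accident. The switch continues outside the hunk.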
diff --git a/cmd/podman/run.go b/cmd/podman/run.go
index f9a96e4a6..fbad4237d 100644
--- a/cmd/podman/run.go
+++ b/cmd/podman/run.go
@@ -140,7 +140,7 @@ func runCmd(c *cli.Context) error {
return runtime.RemoveContainer(ctx, ctr, true)
}
- if err := ctr.Cleanup(); err != nil {
+ if err := ctr.Cleanup(ctx); err != nil {
// If the container has been removed already, no need to error on cleanup
// Also, if it was restarted, don't error either
if errors.Cause(err) == libpod.ErrNoSuchCtr ||
diff --git a/cmd/podman/runlabel.go b/cmd/podman/runlabel.go
new file mode 100644
index 000000000..c5dd98ee6
--- /dev/null
+++ b/cmd/podman/runlabel.go
@@ -0,0 +1,188 @@
+package main
+
+import (
+ "fmt"
+ "io"
+ "os"
+ "strings"
+
+ "github.com/containers/libpod/cmd/podman/libpodruntime"
+ "github.com/containers/libpod/cmd/podman/shared"
+ "github.com/containers/libpod/libpod/image"
+ "github.com/containers/libpod/utils"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
+ "github.com/urfave/cli"
+)
+
+var (
+ runlabelFlags = []cli.Flag{
+ cli.StringFlag{
+ Name: "authfile",
+ Usage: "Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json",
+ },
+ cli.BoolFlag{
+ Name: "display",
+ Usage: "preview the command that `podman install` would execute",
+ },
+ cli.StringFlag{
+ Name: "cert-dir",
+ Usage: "`pathname` of a directory containing TLS certificates and keys",
+ },
+ cli.StringFlag{
+ Name: "creds",
+ Usage: "`credentials` (USERNAME:PASSWORD) to use for authenticating to a registry",
+ },
+ cli.StringFlag{
+ Name: "name",
+ Usage: "Assign a name to the container",
+ },
+ cli.StringFlag{
+ Name: "opt1",
+ Usage: "Optional parameter to pass for install",
+ Hidden: true,
+ },
+ cli.StringFlag{
+ Name: "opt2",
+ Usage: "Optional parameter to pass for install",
+ Hidden: true,
+ },
+ cli.StringFlag{
+ Name: "opt3",
+ Usage: "Optional parameter to pass for install",
+ Hidden: true,
+ },
+ cli.BoolFlag{
+ Name: "quiet, q",
+ Usage: "Suppress output information when installing images",
+ },
+ cli.BoolFlag{
+ Name: "pull, p",
+ Usage: "pull the image if it does not exist locally prior to executing the label contents",
+ },
+ cli.StringFlag{
+ Name: "signature-policy",
+ Usage: "`pathname` of signature policy file (not usually used)",
+ },
+ cli.BoolTFlag{
+ Name: "tls-verify",
+ Usage: "require HTTPS and verify certificates when contacting registries (default: true)",
+ },
+ }
+
+ runlabelDescription = `
+Executes a command as described by a container image label.
+`
+ runlabelCommand = cli.Command{
+ Name: "runlabel",
+ Usage: "Execute the command described by an image label",
+ Description: runlabelDescription,
+ Flags: runlabelFlags,
+ Action: runlabelCmd,
+ ArgsUsage: "",
+ OnUsageError: usageErrorHandler,
+ }
+)
+
+// installCmd gets the data from the command line and calls installImage
+// to copy an image from a registry to a local machine
+func runlabelCmd(c *cli.Context) error {
+ var (
+ imageName string
+ stdErr, stdOut io.Writer
+ stdIn io.Reader
+ newImage *image.Image
+ )
+
+ opts := make(map[string]string)
+ runtime, err := libpodruntime.GetRuntime(c)
+ if err != nil {
+ return errors.Wrapf(err, "could not get runtime")
+ }
+ defer runtime.Shutdown(false)
+
+ args := c.Args()
+ if len(args) == 0 {
+ logrus.Errorf("an image name must be specified")
+ return nil
+ }
+ if len(args) < 2 {
+ logrus.Errorf("the runlabel command requires at least 2 arguments")
+ return nil
+ }
+ if err := validateFlags(c, runlabelFlags); err != nil {
+ return err
+ }
+ if c.Bool("display") && c.Bool("quiet") {
+ return errors.Errorf("the display and quiet flags cannot be used together.")
+ }
+
+ pull := c.Bool("pull")
+ label := args[0]
+
+ runlabelImage := args[1]
+
+ if c.IsSet("opts1") {
+ opts["opts1"] = c.String("opts1")
+ }
+ if c.IsSet("opts2") {
+ opts["opts2"] = c.String("opts2")
+ }
+ if c.IsSet("opts3") {
+ opts["opts3"] = c.String("opts3")
+ }
+
+ ctx := getContext()
+ rtc := runtime.GetConfig()
+
+ stdErr = os.Stderr
+ stdOut = os.Stdout
+ stdIn = os.Stdin
+
+ if c.Bool("quiet") {
+ stdErr = nil
+ stdOut = nil
+ stdIn = nil
+ }
+
+ if pull {
+ newImage, err = runtime.ImageRuntime().New(ctx, runlabelImage, rtc.SignaturePolicyPath, "", stdOut, nil, image.SigningOptions{}, false, false)
+ } else {
+ newImage, err = runtime.ImageRuntime().NewFromLocal(runlabelImage)
+ }
+ if err != nil {
+ return errors.Wrapf(err, "unable to find image")
+ }
+
+ if len(newImage.Names()) < 1 {
+ imageName = newImage.ID()
+ } else {
+ imageName = newImage.Names()[0]
+ }
+
+ runLabel, err := newImage.GetLabel(ctx, label)
+ if err != nil {
+ return err
+ }
+
+ // If no label to execute, we return
+ if runLabel == "" {
+ return nil
+ }
+
+ // The user provided extra arguments that need to be tacked onto the label's command
+ if len(args) > 2 {
+ runLabel = fmt.Sprintf("%s %s", runLabel, strings.Join(args[2:], " "))
+ }
+
+ cmd := shared.GenerateCommand(runLabel, imageName, c.String("name"))
+ env := shared.GenerateRunEnvironment(c.String("name"), imageName, opts)
+
+ if !c.Bool("quiet") {
+ fmt.Printf("Command: %s\n", strings.Join(cmd, " "))
+ if c.Bool("display") {
+ return nil
+ }
+ }
+ return utils.ExecCmdWithStdStreams(stdIn, stdOut, stdErr, env, cmd[0], cmd[1:]...)
+}
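Review bot: None of `--authfile`, `--cert-dir`, `--creds`, `--signature-policy` or `--tls-verify` is read anywhere in runlabelCmd: the pull goes through `runtime.ImageRuntime().New(...)` with `rtc.SignaturePolicyPath`, an empty string and `nil`, so a user who passes a stricter signature policy or expects their TLS settings to apply gets the defaults without any warning. That matters more here than in a plain pull, because the label of the pulled image is then executed on the host through `utils.ExecCmdWithStdStreams`; either wire the flags into the pull or remove them until they work. The option flags are declared as `opt1`..`opt3` but looked up as `c.IsSet("opts1")` and stored under `opts["opts1"]`, while GenerateRunEnvironment reads `opts["opt1"]`, so OPT1 to OPT3 are never exported; the lookups should read `if c.IsSet("opt1") { opts["opt1"] = c.String("opt1") }`. The two argument-count checks log and `return nil`, which exits with status 0 on a usage error, and the doc comment still names `installCmd`.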
diff --git a/cmd/podman/shared/funcs.go b/cmd/podman/shared/funcs.go
new file mode 100644
index 000000000..5c401634c
--- /dev/null
+++ b/cmd/podman/shared/funcs.go
@@ -0,0 +1,57 @@
+package shared
+
+import (
+ "fmt"
+ "os"
+ "strings"
+)
+
+// GenerateCommand takes a label (string) and converts it to an executable command
+func GenerateCommand(command, imageName, name string) []string {
+ var (
+ newCommand []string
+ )
+ if name == "" {
+ name = imageName
+ }
+ cmd := strings.Split(command, " ")
+ // Replace the first position of cmd with podman whether
+ // it is docker, /usr/bin/docker, or podman
+ newCommand = append(newCommand, "podman")
+ for _, arg := range cmd[1:] {
+ var newArg string
+ switch arg {
+ case "IMAGE":
+ newArg = imageName
+ case "IMAGE=IMAGE":
+ newArg = fmt.Sprintf("IMAGE=%s", imageName)
+ case "NAME":
+ newArg = name
+ case "NAME=NAME":
+ newArg = fmt.Sprintf("NAME=%s", name)
+ default:
+ newArg = arg
+ }
+ newCommand = append(newCommand, newArg)
+ }
+ return newCommand
+}
+
+// GenerateRunEnvironment merges the current environment variables with optional
+// environment variables provided by the user
+func GenerateRunEnvironment(name, imageName string, opts map[string]string) []string {
+ newEnv := os.Environ()
+ newEnv = append(newEnv, fmt.Sprintf("NAME=%s", name))
+ newEnv = append(newEnv, fmt.Sprintf("IMAGE=%s", imageName))
+
+ if opts["opt1"] != "" {
+ newEnv = append(newEnv, fmt.Sprintf("OPT1=%s", opts["opt1"]))
+ }
+ if opts["opt2"] != "" {
+ newEnv = append(newEnv, fmt.Sprintf("OPT2=%s", opts["opt2"]))
+ }
+ if opts["opt3"] != "" {
+ newEnv = append(newEnv, fmt.Sprintf("OPT3=%s", opts["opt3"]))
+ }
+ return newEnv
+}
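Review bot: `strings.Split(command, " ")` in GenerateCommand treats the label as single-space-separated tokens, so a quoted value containing a space is split into separate podman arguments and a run of two spaces produces an empty-string argument. Because the label text comes from the image and the result is executed on the host, the tokenising rule should be stated in the doc comment, e.g. `// The label is split on single spaces; quoting is not interpreted.`, or the split replaced with `strings.Fields(command)` plus a guard for an empty result before `cmd[1:]`. The placeholder substitution also applies to any extra arguments the caller appended to the label, so a user argument that is literally `IMAGE` or `NAME` gets rewritten. GenerateRunEnvironment exports `NAME=` with the raw `name` even when it is empty, whereas GenerateCommand falls back to `imageName`; the two should agree.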
diff --git a/cmd/podman/shared/funcs_test.go b/cmd/podman/shared/funcs_test.go
new file mode 100644
index 000000000..3d0ac005f
--- /dev/null
+++ b/cmd/podman/shared/funcs_test.go
@@ -0,0 +1,89 @@
+package shared
+
+import (
+ "strings"
+ "testing"
+
+ "github.com/containers/libpod/pkg/util"
+ "github.com/stretchr/testify/assert"
+)
+
+var (
+ name = "foo"
+ imageName = "bar"
+)
+
+func TestGenerateCommand(t *testing.T) {
+ inputCommand := "docker run -it --name NAME -e NAME=NAME -e IMAGE=IMAGE IMAGE echo install"
+ correctCommand := "podman run -it --name bar -e NAME=bar -e IMAGE=foo foo echo install"
+ newCommand := GenerateCommand(inputCommand, "foo", "bar")
+ assert.Equal(t, correctCommand, strings.Join(newCommand, " "))
+}
+
+func TestGenerateCommandPath(t *testing.T) {
+ inputCommand := "/usr/bin/docker run -it --name NAME -e NAME=NAME -e IMAGE=IMAGE IMAGE echo install"
+ correctCommand := "podman run -it --name bar -e NAME=bar -e IMAGE=foo foo echo install"
+ newCommand := GenerateCommand(inputCommand, "foo", "bar")
+ assert.Equal(t, correctCommand, strings.Join(newCommand, " "))
+}
+
+func TestGenerateCommandNoSetName(t *testing.T) {
+ inputCommand := "docker run -it --name NAME -e NAME=NAME -e IMAGE=IMAGE IMAGE echo install"
+ correctCommand := "podman run -it --name foo -e NAME=foo -e IMAGE=foo foo echo install"
+ newCommand := GenerateCommand(inputCommand, "foo", "")
+ assert.Equal(t, correctCommand, strings.Join(newCommand, " "))
+}
+
+func TestGenerateCommandNoName(t *testing.T) {
+ inputCommand := "docker run -it -e IMAGE=IMAGE IMAGE echo install"
+ correctCommand := "podman run -it -e IMAGE=foo foo echo install"
+ newCommand := GenerateCommand(inputCommand, "foo", "")
+ assert.Equal(t, correctCommand, strings.Join(newCommand, " "))
+}
+
+func TestGenerateCommandAlreadyPodman(t *testing.T) {
+ inputCommand := "podman run -it --name NAME -e NAME=NAME -e IMAGE=IMAGE IMAGE echo install"
+ correctCommand := "podman run -it --name bar -e NAME=bar -e IMAGE=foo foo echo install"
+ newCommand := GenerateCommand(inputCommand, "foo", "bar")
+ assert.Equal(t, correctCommand, strings.Join(newCommand, " "))
+}
+
+func TestGenerateRunEnvironment(t *testing.T) {
+ opts := make(map[string]string)
+ opts["opt1"] = "one"
+ opts["opt2"] = "two"
+ opts["opt3"] = "three"
+ envs := GenerateRunEnvironment(name, imageName, opts)
+ assert.True(t, util.StringInSlice("OPT1=one", envs))
+ assert.True(t, util.StringInSlice("OPT2=two", envs))
+ assert.True(t, util.StringInSlice("OPT3=three", envs))
+}
+
+func TestGenerateRunEnvironmentNoOpts(t *testing.T) {
+ opts := make(map[string]string)
+ envs := GenerateRunEnvironment(name, imageName, opts)
+ assert.False(t, util.StringInSlice("OPT1=", envs))
+ assert.False(t, util.StringInSlice("OPT2=", envs))
+ assert.False(t, util.StringInSlice("OPT3=", envs))
+}
+
+func TestGenerateRunEnvironmentSingleOpt(t *testing.T) {
+ opts := make(map[string]string)
+ opts["opt1"] = "one"
+ envs := GenerateRunEnvironment(name, imageName, opts)
+ assert.True(t, util.StringInSlice("OPT1=one", envs))
+ assert.False(t, util.StringInSlice("OPT2=", envs))
+ assert.False(t, util.StringInSlice("OPT3=", envs))
+}
+
+func TestGenerateRunEnvironmentName(t *testing.T) {
+ opts := make(map[string]string)
+ envs := GenerateRunEnvironment(name, imageName, opts)
+ assert.True(t, util.StringInSlice("NAME=foo", envs))
+}
+
+func TestGenerateRunEnvironmentImage(t *testing.T) {
+ opts := make(map[string]string)
+ envs := GenerateRunEnvironment(name, imageName, opts)
+ assert.True(t, util.StringInSlice("IMAGE=bar", envs))
+}
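Review bot: The negative assertions such as `assert.False(t, util.StringInSlice("OPT1=", envs))` only prove that the exact string `OPT1=` is absent, so they still pass if an unexpected `OPT1=something` is present, and since GenerateRunEnvironment starts from `os.Environ()` the host environment can influence the result. Checking that no element of `envs` has the `OPT1=` prefix would test what the test names promise. The package-level `name = "foo"` and `imageName = "bar"` are the reverse of the literals used in the GenerateCommand tests, where `"foo"` is the image and `"bar"` the name, which makes the expected strings hard to follow. A case with an empty name would also pin down what `NAME=` is supposed to contain then.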
diff --git a/cmd/podman/start.go b/cmd/podman/start.go
index cb65ec6d4..a34f6df5d 100644
--- a/cmd/podman/start.go
+++ b/cmd/podman/start.go
@@ -81,6 +81,9 @@ func startCmd(c *cli.Context) error {
}
args = append(args, lastCtr.ID())
}
+
+ ctx := getContext()
+
var lastError error
for _, container := range args {
ctr, err := runtime.LookupContainer(container)
@@ -121,14 +124,14 @@ func startCmd(c *cli.Context) error {
exitCode = int(ecode)
}
- return ctr.Cleanup()
+ return ctr.Cleanup(ctx)
}
if ctrRunning {
fmt.Println(ctr.ID())
continue
}
// Handle non-attach start
- if err := ctr.Start(getContext()); err != nil {
+ if err := ctr.Start(ctx); err != nil {
if lastError != nil {
fmt.Fprintln(os.Stderr, lastError)
}
diff --git a/cmd/podman/varlink/io.podman.varlink b/cmd/podman/varlink/io.podman.varlink
index 810f757ca..4a4a1854c 100644
--- a/cmd/podman/varlink/io.podman.varlink
+++ b/cmd/podman/varlink/io.podman.varlink
@@ -820,6 +820,10 @@ error PodNotFound (name: string)
# a container ID of the container that failed.
error PodContainerError (podname: string, errors: []PodContainerErrorData)
+# NoContainersInPod means a pod has no containers on which to perform the operation. It contains
+# the pod ID.
+error NoContainersInPod (name: string)
+
# ErrorOccurred is a generic error for an error that occurs during the execution. The actual error message
# is includes as part of the error's text.
error ErrorOccurred (reason: string)
diff --git a/commands.md b/commands.md
index a0a97f9de..c84938e64 100644
--- a/commands.md
+++ b/commands.md
@@ -50,6 +50,7 @@
| [podman-rm(1)](/docs/podman-rm.1.md) | Removes one or more containers |[![...](/docs/play.png)](https://asciinema.org/a/7EMk22WrfGtKWmgHJX9Nze1Qp)|
| [podman-rmi(1)](/docs/podman-rmi.1.md) | Removes one or more images |[![...](/docs/play.png)](https://asciinema.org/a/133799)|
| [podman-run(1)](/docs/podman-run.1.md) | Run a command in a container ||
+| [podman-runlabel(1)](/docs/podman-container-runlabel.1.md) | Executes the command of a container image's label ||
| [podman-save(1)](/docs/podman-save.1.md) | Saves an image to an archive |[![...](/docs/play.png)](https://asciinema.org/a/kp8kOaexEhEa20P1KLZ3L5X4g)|
| [podman-search(1)](/docs/podman-search.1.md) | Search a registry for an image ||
| [podman-start(1)](/docs/podman-start.1.md) | Starts one or more containers
diff --git a/completions/bash/podman b/completions/bash/podman
index b97c4b0d5..f63bf4469 100644
--- a/completions/bash/podman
+++ b/completions/bash/podman
@@ -1282,6 +1282,8 @@ _podman_kill() {
--signal -s
"
local boolean_options="
+ --all
+ -a
--help
-h
--latest
@@ -2084,6 +2086,36 @@ _podman_logout() {
_complete_ "$options_with_args" "$boolean_options"
}
+_podman_container_runlabel() {
+ local options_with_args="
+ --authfile
+ --cert-dir
+ --creds
+ --name
+ --signature-policy
+ "
+
+ local boolean_options="
+ --display
+ --help
+ -h
+ -p
+ --pull
+ -q
+ --quiet
+ --tls-verify
+ "
+
+ case "$cur" in
+ -*)
+ COMPREPLY=($(compgen -W "$boolean_options $options_with_args" -- "$cur"))
+ ;;
+ *)
+ __podman_complete_images --id
+ ;;
+ esac
+}
+
_podman_pod_create() {
local options_with_args="
--cgroup-parent
diff --git a/contrib/python/podman/.pylintrc b/contrib/python/podman/.pylintrc
new file mode 100644
index 000000000..a5628a6cf
--- /dev/null
+++ b/contrib/python/podman/.pylintrc
@@ -0,0 +1,564 @@
+[MASTER]
+
+# A comma-separated list of package or module names from where C extensions may
+# be loaded. Extensions are loading into the active Python interpreter and may
+# run arbitrary code.
+extension-pkg-whitelist=
+
+# Add files or directories to the blacklist. They should be base names, not
+# paths.
+ignore=CVS
+
+# Add files or directories matching the regex patterns to the blacklist. The
+# regex matches against base names, not paths.
+ignore-patterns=
+
+# Python code to execute, usually for sys.path manipulation such as
+# pygtk.require().
+#init-hook=
+
+# Use multiple processes to speed up Pylint. Specifying 0 will auto-detect the
+# number of processors available to use.
+jobs=0
+
+# Control the amount of potential inferred values when inferring a single
+# object. This can help the performance when dealing with large functions or
+# complex, nested conditions.
+limit-inference-results=100
+
+# List of plugins (as comma separated values of python modules names) to load,
+# usually to register additional checkers.
+load-plugins=
+
+# Pickle collected data for later comparisons.
+persistent=yes
+
+# Specify a configuration file.
+#rcfile=
+
+# When enabled, pylint would attempt to guess common misconfiguration and emit
+# user-friendly hints instead of false-positive error messages.
+suggestion-mode=yes
+
+# Allow loading of arbitrary C extensions. Extensions are imported into the
+# active Python interpreter and may run arbitrary code.
+unsafe-load-any-extension=no
+
+
+[MESSAGES CONTROL]
+
+# Only show warnings with the listed confidence levels. Leave empty to show
+# all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED.
+confidence=
+
+# Disable the message, report, category or checker with the given id(s). You
+# can either give multiple identifiers separated by comma (,) or put this
+# option multiple times (only on the command line, not in the configuration
+# file where it should appear only once). You can also use "--disable=all" to
+# disable everything first and then reenable specific checks. For example, if
+# you want to run only the similarities checker, you can use "--disable=all
+# --enable=similarities". If you want to run only the classes checker, but have
+# no Warning level messages displayed, use "--disable=all --enable=classes
+# --disable=W".
+disable=print-statement,
+ parameter-unpacking,
+ unpacking-in-except,
+ old-raise-syntax,
+ backtick,
+ long-suffix,
+ old-ne-operator,
+ old-octal-literal,
+ import-star-module-level,
+ non-ascii-bytes-literal,
+ raw-checker-failed,
+ bad-inline-option,
+ locally-disabled,
+ locally-enabled,
+ file-ignored,
+ suppressed-message,
+ useless-suppression,
+ deprecated-pragma,
+ use-symbolic-message-instead,
+ apply-builtin,
+ basestring-builtin,
+ buffer-builtin,
+ cmp-builtin,
+ coerce-builtin,
+ execfile-builtin,
+ file-builtin,
+ long-builtin,
+ raw_input-builtin,
+ reduce-builtin,
+ standarderror-builtin,
+ unicode-builtin,
+ xrange-builtin,
+ coerce-method,
+ delslice-method,
+ getslice-method,
+ setslice-method,
+ no-absolute-import,
+ old-division,
+ dict-iter-method,
+ dict-view-method,
+ next-method-called,
+ metaclass-assignment,
+ indexing-exception,
+ raising-string,
+ reload-builtin,
+ oct-method,
+ hex-method,
+ nonzero-method,
+ cmp-method,
+ input-builtin,
+ round-builtin,
+ intern-builtin,
+ unichr-builtin,
+ map-builtin-not-iterating,
+ zip-builtin-not-iterating,
+ range-builtin-not-iterating,
+ filter-builtin-not-iterating,
+ using-cmp-argument,
+ eq-without-hash,
+ div-method,
+ idiv-method,
+ rdiv-method,
+ exception-message-attribute,
+ invalid-str-codec,
+ sys-max-int,
+ bad-python3-import,
+ deprecated-string-function,
+ deprecated-str-translate-call,
+ deprecated-itertools-function,
+ deprecated-types-field,
+ next-method-defined,
+ dict-items-not-iterating,
+ dict-keys-not-iterating,
+ dict-values-not-iterating,
+ deprecated-operator-function,
+ deprecated-urllib-function,
+ xreadlines-attribute,
+ deprecated-sys-function,
+ exception-escape,
+ comprehension-escape
+
+# Enable the message, report, category or checker with the given id(s). You can
+# either give multiple identifier separated by comma (,) or put this option
+# multiple time (only on the command line, not in the configuration file where
+# it should appear only once). See also the "--disable" option for examples.
+enable=c-extension-no-member
+
+
+[REPORTS]
+
+# Python expression which should return a note less than 10 (10 is the highest
+# note). You have access to the variables errors warning, statement which
+# respectively contain the number of errors / warnings messages and the total
+# number of statements analyzed. This is used by the global evaluation report
+# (RP0004).
+evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)
+
+# Template used to display messages. This is a python new-style format string
+# used to format the message information. See doc for all details.
+#msg-template=
+
+# Set the output format. Available formats are text, parseable, colorized, json
+# and msvs (visual studio). You can also give a reporter class, e.g.
+# mypackage.mymodule.MyReporterClass.
+output-format=text
+
+# Tells whether to display a full report or only the messages.
+reports=no
+
+# Activate the evaluation score.
+score=yes
+
+
+[REFACTORING]
+
+# Maximum number of nested blocks for function / method body
+max-nested-blocks=5
+
+# Complete name of functions that never returns. When checking for
+# inconsistent-return-statements if a never returning function is called then
+# it will be considered as an explicit return statement and no message will be
+# printed.
+never-returning-functions=sys.exit
+
+
+[TYPECHECK]
+
+# List of decorators that produce context managers, such as
+# contextlib.contextmanager. Add to this list to register other decorators that
+# produce valid context managers.
+contextmanager-decorators=contextlib.contextmanager
+
+# List of members which are set dynamically and missed by pylint inference
+# system, and so shouldn't trigger E1101 when accessed. Python regular
+# expressions are accepted.
+generated-members=
+
+# Tells whether missing members accessed in mixin class should be ignored. A
+# mixin class is detected if its name ends with "mixin" (case insensitive).
+ignore-mixin-members=yes
+
+# Tells whether to warn about missing members when the owner of the attribute
+# is inferred to be None.
+ignore-none=yes
+
+# This flag controls whether pylint should warn about no-member and similar
+# checks whenever an opaque object is returned when inferring. The inference
+# can return multiple potential results while evaluating a Python object, but
+# some branches might not be evaluated, which results in partial inference. In
+# that case, it might be useful to still emit no-member and other checks for
+# the rest of the inferred objects.
+ignore-on-opaque-inference=yes
+
+# List of class names for which member attributes should not be checked (useful
+# for classes with dynamically set attributes). This supports the use of
+# qualified names.
+ignored-classes=optparse.Values,thread._local,_thread._local
+
+# List of module names for which member attributes should not be checked
+# (useful for modules/projects where namespaces are manipulated during runtime
+# and thus existing member attributes cannot be deduced by static analysis. It
+# supports qualified module names, as well as Unix pattern matching.
+ignored-modules=
+
+# Show a hint with possible names when a member name was not found. The aspect
+# of finding the hint is based on edit distance.
+missing-member-hint=yes
+
+# The minimum edit distance a name should have in order to be considered a
+# similar match for a missing member name.
+missing-member-hint-distance=1
+
+# The total number of similar names that should be taken in consideration when
+# showing a hint for a missing member.
+missing-member-max-choices=1
+
+
+[SPELLING]
+
+# Limits count of emitted suggestions for spelling mistakes.
+max-spelling-suggestions=4
+
+# Spelling dictionary name. Available dictionaries: none. To make it working
+# install python-enchant package..
+spelling-dict=
+
+# List of comma separated words that should not be checked.
+spelling-ignore-words=
+
+# A path to a file that contains private dictionary; one word per line.
+spelling-private-dict-file=
+
+# Tells whether to store unknown words to indicated private dictionary in
+# --spelling-private-dict-file option instead of raising a message.
+spelling-store-unknown-words=no
+
+
+[MISCELLANEOUS]
+
+# List of note tags to take in consideration, separated by a comma.
+notes=FIXME,
+ XXX,
+ TODO
+
+
+[FORMAT]
+
+# Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
+expected-line-ending-format=
+
+# Regexp for a line that is allowed to be longer than the limit.
+ignore-long-lines=^\s*(# )?<?https?://\S+>?$
+
+# Number of spaces of indent required inside a hanging or continued line.
+indent-after-paren=4
+
+# String used as indentation unit. This is usually " " (4 spaces) or "\t" (1
+# tab).
+indent-string=' '
+
+# Maximum number of characters on a single line.
+max-line-length=100
+
+# Maximum number of lines in a module.
+max-module-lines=1000
+
+# List of optional constructs for which whitespace checking is disabled. `dict-
+# separator` is used to allow tabulation in dicts, etc.: {1 : 1,\n222: 2}.
+# `trailing-comma` allows a space between comma and closing bracket: (a, ).
+# `empty-line` allows space-only lines.
+no-space-check=trailing-comma,
+ dict-separator
+
+# Allow the body of a class to be on the same line as the declaration if body
+# contains single statement.
+single-line-class-stmt=no
+
+# Allow the body of an if to be on the same line as the test if there is no
+# else.
+single-line-if-stmt=no
+
+
+[BASIC]
+
+# Naming style matching correct argument names.
+#argument-naming-style=snake_case
+
+# Regular expression matching correct argument names. Overrides argument-
+# naming-style.
+argument-rgx=[a-z_][a-z0-9_]{1,30}$
+argument-name-hint=[a-z_][a-z0-9_]{1,30}$
+
+# Naming style matching correct attribute names.
+attr-naming-style=snake_case
+
+# Regular expression matching correct attribute names. Overrides attr-naming-
+# style.
+#attr-rgx=
+
+# Bad variable names which should always be refused, separated by a comma.
+bad-names=foo,
+ bar,
+ baz,
+ toto,
+ tutu,
+ tata
+
+# Naming style matching correct class attribute names.
+class-attribute-naming-style=any
+
+# Regular expression matching correct class attribute names. Overrides class-
+# attribute-naming-style.
+#class-attribute-rgx=
+
+# Naming style matching correct class names.
+class-naming-style=PascalCase
+
+# Regular expression matching correct class names. Overrides class-naming-
+# style.
+#class-rgx=
+
+# Naming style matching correct constant names.
+const-naming-style=UPPER_CASE
+
+# Regular expression matching correct constant names. Overrides const-naming-
+# style.
+#const-rgx=
+
+# Minimum line length for functions/classes that require docstrings, shorter
+# ones are exempt.
+docstring-min-length=-1
+
+# Naming style matching correct function names.
+function-naming-style=snake_case
+
+# Regular expression matching correct function names. Overrides function-
+# naming-style.
+#function-rgx=
+
+# Good variable names which should always be accepted, separated by a comma.
+good-names=c,
+ e,
+ i,
+ j,
+ k,
+ r,
+ v,
+ ex,
+ Run,
+ _
+
+# Include a hint for the correct naming format with invalid-name.
+include-naming-hint=no
+
+# Naming style matching correct inline iteration names.
+inlinevar-naming-style=any
+
+# Regular expression matching correct inline iteration names. Overrides
+# inlinevar-naming-style.
+#inlinevar-rgx=
+
+# Naming style matching correct method names.
+method-naming-style=snake_case
+
+# Regular expression matching correct method names. Overrides method-naming-
+# style.
+#method-rgx=
+
+# Naming style matching correct module names.
+module-naming-style=snake_case
+
+# Regular expression matching correct module names. Overrides module-naming-
+# style.
+#module-rgx=
+
+# Colon-delimited sets of names that determine each other's naming style when
+# the name regexes allow several styles.
+name-group=
+
+# Regular expression which should only match function or class names that do
+# not require a docstring.
+no-docstring-rgx=^_
+
+# List of decorators that produce properties, such as abc.abstractproperty. Add
+# to this list to register other decorators that produce valid properties.
+# These decorators are taken in consideration only for invalid-name.
+property-classes=abc.abstractproperty
+
+# Naming style matching correct variable names.
+#variable-naming-style=snake_case
+
+# Regular expression matching correct variable names. Overrides variable-
+# naming-style.
+variable-rgx=[a-z_][a-z0-9_]{2,30}$
+variable-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+[SIMILARITIES]
+
+# Ignore comments when computing similarities.
+ignore-comments=yes
+
+# Ignore docstrings when computing similarities.
+ignore-docstrings=yes
+
+# Ignore imports when computing similarities.
+ignore-imports=no
+
+# Minimum lines number of a similarity.
+min-similarity-lines=4
+
+
+[VARIABLES]
+
+# List of additional names supposed to be defined in builtins. Remember that
+# you should avoid to define new builtins when possible.
+additional-builtins=
+
+# Tells whether unused global variables should be treated as a violation.
+allow-global-unused-variables=yes
+
+# List of strings which can identify a callback function by name. A callback
+# name must start or end with one of those strings.
+callbacks=cb_,
+ _cb
+
+# A regular expression matching the name of dummy variables (i.e. expected to
+# not be used).
+dummy-variables-rgx=_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_
+
+# Argument names that match this expression will be ignored. Default to name
+# with leading underscore.
+ignored-argument-names=_.*|^ignored_|^unused_
+
+# Tells whether we should check for unused import in __init__ files.
+init-import=no
+
+# List of qualified module names which can have objects that can redefine
+# builtins.
+redefining-builtins-modules=six.moves,past.builtins,future.builtins,builtins,io
+
+
+[LOGGING]
+
+# Logging modules to check that the string format arguments are in logging
+# function parameter format.
+logging-modules=logging
+
+
+[IMPORTS]
+
+# Allow wildcard imports from modules that define __all__.
+allow-wildcard-with-all=no
+
+# Analyse import fallback blocks. This can be used to support both Python 2 and
+# 3 compatible code, which means that the block might have code that exists
+# only in one or another interpreter, leading to false positives when analysed.
+analyse-fallback-blocks=no
+
+# Deprecated modules which should not be used, separated by a comma.
+deprecated-modules=optparse,tkinter.tix
+
+# Create a graph of external dependencies in the given file (report RP0402 must
+# not be disabled).
+ext-import-graph=
+
+# Create a graph of every (i.e. internal and external) dependencies in the
+# given file (report RP0402 must not be disabled).
+import-graph=
+
+# Create a graph of internal dependencies in the given file (report RP0402 must
+# not be disabled).
+int-import-graph=
+
+# Force import order to recognize a module as part of the standard
+# compatibility libraries.
+known-standard-library=
+
+# Force import order to recognize a module as part of a third party library.
+known-third-party=enchant
+
+
+[DESIGN]
+
+# Support argparse.Action constructor API
+# Maximum number of arguments for function / method.
+max-args=12
+
+# Maximum number of attributes for a class (see R0902).
+max-attributes=7
+
+# Maximum number of boolean expressions in an if statement.
+max-bool-expr=5
+
+# Maximum number of branch for function / method body.
+max-branches=12
+
+# Maximum number of locals for function / method body.
+max-locals=15
+
+# Maximum number of parents for a class (see R0901).
+max-parents=10
+
+# Maximum number of public methods for a class (see R0904).
+max-public-methods=20
+
+# Maximum number of return / yield for function / method body.
+max-returns=6
+
+# Maximum number of statements in function / method body.
+max-statements=50
+
+# Minimum number of public methods for a class (see R0903).
+min-public-methods=2
+
+
+[CLASSES]
+
+# List of method names used to declare (i.e. assign) instance attributes.
+defining-attr-methods=__init__,
+ __new__,
+ setUp
+
+# List of member names, which should be excluded from the protected access
+# warning.
+exclude-protected=_asdict,
+ _fields,
+ _replace,
+ _source,
+ _make
+
+# List of valid names for the first argument in a class method.
+valid-classmethod-first-arg=cls
+
+# List of valid names for the first argument in a metaclass class method.
+valid-metaclass-classmethod-first-arg=cls
+
+
+[EXCEPTIONS]
+
+# Exceptions that will emit a warning when being caught. Defaults to
+# "Exception".
+overgeneral-exceptions=Exception
diff --git a/contrib/python/podman/podman/__init__.py b/contrib/python/podman/podman/__init__.py
index 3b083f007..1cdb72773 100644
--- a/contrib/python/podman/podman/__init__.py
+++ b/contrib/python/podman/podman/__init__.py
@@ -2,9 +2,12 @@
import pkg_resources
from .client import Client
-from .libs import datetime_format, datetime_parse
+from .libs import FoldedString, datetime_format, datetime_parse
from .libs.errors import (ContainerNotFound, ErrorOccurred, ImageNotFound,
- PodmanError)
+ NoContainerRunning, NoContainersInPod,
+ PodContainerError, PodmanError, PodNotFound)
+
+assert FoldedString
try:
__version__ = pkg_resources.get_distribution('podman').version
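Review bot: `assert FoldedString` is a lint workaround for the otherwise unused import, not an export, and it leaves `FoldedString` out of the package's declared public names. The test module added in this commit does `from podman import FoldedString`, so the name is meant to be public: drop the assert and add `'FoldedString',` to `__all__` in the second hunk of this file. That list starts outside the hunk, so its full contents are not visible here.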
@@ -18,5 +21,9 @@ __all__ = [
'datetime_parse',
'ErrorOccurred',
'ImageNotFound',
+ 'NoContainerRunning',
+ 'NoContainersInPod',
+ 'PodContainerError',
'PodmanError',
+ 'PodNotFound',
]
diff --git a/contrib/python/podman/podman/client.py b/contrib/python/podman/podman/client.py
index 24df65e23..ad603166e 100644
--- a/contrib/python/podman/podman/client.py
+++ b/contrib/python/podman/podman/client.py
@@ -13,6 +13,7 @@ from .libs.errors import error_factory
from .libs.images import Images
from .libs.system import System
from .libs.tunnel import Context, Portal, Tunnel
+from .libs.pods import Pods
class BaseClient():
@@ -204,3 +205,8 @@ class Client():
def containers(self):
"""Manage containers model for libpod."""
return Containers(self._client)
+
+ @cached_property
+ def pods(self):
+ """Manage pods model for libpod."""
+ return Pods(self._client)
diff --git a/contrib/python/podman/podman/libs/__init__.py b/contrib/python/podman/podman/libs/__init__.py
index e9859bee5..5193313ed 100644
--- a/contrib/python/podman/podman/libs/__init__.py
+++ b/contrib/python/podman/podman/libs/__init__.py
@@ -7,8 +7,9 @@ from dateutil.parser import parse as dateutil_parse
__all__ = [
'cached_property',
- 'datetime_parse',
'datetime_format',
+ 'datetime_parse',
+ 'fold_keys',
]
@@ -17,12 +18,12 @@ def cached_property(fn):
return property(functools.lru_cache(maxsize=8)(fn))
-class Config(collections.UserDict):
+class ConfigDict(collections.UserDict):
"""Silently ignore None values, only take key once."""
def __init__(self, **kwargs):
"""Construct dictionary."""
- super(Config, self).__init__(kwargs)
+ super().__init__(kwargs)
def __setitem__(self, key, value):
"""Store unique, not None values."""
@@ -35,6 +36,25 @@ class Config(collections.UserDict):
super().__setitem__(key, value)
+class FoldedString(collections.UserString):
+ """Foldcase sequences value."""
+
+ def __init__(self, seq):
+ super().__init__(seq)
+ self.data.casefold()
+
+
+def fold_keys(): # noqa: D202
+ """Fold case of dictionary keys."""
+
+ @functools.wraps(fold_keys)
+ def wrapped(mapping):
+ """Fold case of dictionary keys."""
+ return {k.casefold(): v for (k, v) in mapping.items()}
+
+ return wrapped
+
+
def datetime_parse(string):
"""Convert timestamps to datetime.
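Review bot: `FoldedString.__init__` calls `self.data.casefold()` and discards the result; `str.casefold()` returns a new string, so the stored value keeps its original case and `FoldedString('Running') != 'running'` remains true. Assign it back with `self.data = self.data.casefold()`. `Pod.kill` and the pod tests in this commit compare against lower-case literals and depend on the fold actually happening. Separately, `fold_keys` is a zero-argument factory that applies `functools.wraps(fold_keys)` to its own inner function; a plain `def fold_keys(mapping)` passed directly as `object_hook` would be simpler, with the `fold_keys()` call site in pods.py adjusted to match. `datetime_parse` at the end of the hunk continues outside it.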
diff --git a/contrib/python/podman/podman/libs/errors.py b/contrib/python/podman/podman/libs/errors.py
index 9d7559c84..2821d3597 100644
--- a/contrib/python/podman/podman/libs/errors.py
+++ b/contrib/python/podman/podman/libs/errors.py
@@ -23,15 +23,27 @@ class VarlinkErrorProxy(VarlinkError):
class ContainerNotFound(VarlinkErrorProxy):
- """Raised when Client can not find requested container."""
-
- pass
+ """Raised when Client cannot find requested container."""
class ImageNotFound(VarlinkErrorProxy):
- """Raised when Client can not find requested image."""
+ """Raised when Client cannot find requested image."""
+
+
+class PodNotFound(VarlinkErrorProxy):
+ """Raised when Client cannot find requested image."""
+
+
+class PodContainerError(VarlinkErrorProxy):
+ """Raised when a container fails requested pod operation."""
+
- pass
+class NoContainerRunning(VarlinkErrorProxy):
+ """Raised when no container is running in pod."""
+
+
+class NoContainersInPod(VarlinkErrorProxy):
+ """Raised when Client fails to connect to runtime."""
class ErrorOccurred(VarlinkErrorProxy):
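Review bot: Two of the new docstrings were copied from neighbouring classes and describe the wrong condition: `PodNotFound` says "cannot find requested image" and `NoContainersInPod` says "fails to connect to runtime". Suggested text: `"""Raised when Client cannot find requested pod."""` and, going by the class name, `"""Raised when pod contains no containers."""`. These strings are what a caller reads when triaging a failed pod operation, so they should name the actual condition. `ErrorOccurred` continues in the next hunk.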
@@ -40,19 +52,19 @@ class ErrorOccurred(VarlinkErrorProxy):
See error() to see actual error text.
"""
- pass
-
class PodmanError(VarlinkErrorProxy):
"""Raised when Client fails to connect to runtime."""
- pass
-
ERROR_MAP = {
'io.podman.ContainerNotFound': ContainerNotFound,
'io.podman.ErrorOccurred': ErrorOccurred,
'io.podman.ImageNotFound': ImageNotFound,
+ 'io.podman.NoContainerRunning': NoContainerRunning,
+ 'io.podman.NoContainersInPod': NoContainersInPod,
+ 'io.podman.PodContainerError': PodContainerError,
+ 'io.podman.PodNotFound': PodNotFound,
'io.podman.RuntimeError': PodmanError,
}
diff --git a/contrib/python/podman/podman/libs/images.py b/contrib/python/podman/podman/libs/images.py
index 547994798..325ee46f4 100644
--- a/contrib/python/podman/podman/libs/images.py
+++ b/contrib/python/podman/podman/libs/images.py
@@ -5,7 +5,7 @@ import functools
import json
import logging
-from . import Config
+from . import ConfigDict
from .containers import Container
@@ -40,7 +40,7 @@ class Image(collections.UserDict):
"""
details = self.inspect()
- config = Config(image_id=self._id, **kwargs)
+ config = ConfigDict(image_id=self._id, **kwargs)
config['command'] = details.containerconfig['cmd']
config['env'] = self._split_token(details.containerconfig['env'])
config['image'] = copy.deepcopy(details.repotags[0])
@@ -134,7 +134,7 @@ class Images():
elif not hasattr(tags, '__iter__'):
raise ValueError('"tags" is required to be an iter.')
- config = Config(dockerfile=dockerfile, tags=tags, **kwargs)
+ config = ConfigDict(dockerfile=dockerfile, tags=tags, **kwargs)
with self._client() as podman:
result = podman.BuildImage(config)
return self.get(result['image']['id']), \
diff --git a/contrib/python/podman/podman/libs/pods.py b/contrib/python/podman/podman/libs/pods.py
new file mode 100644
index 000000000..b14a13dd2
--- /dev/null
+++ b/contrib/python/podman/podman/libs/pods.py
@@ -0,0 +1,164 @@
+"""Model for accessing details of Pods from podman service."""
+import collections
+import json
+import signal
+import time
+
+from . import ConfigDict, FoldedString, fold_keys
+
+
+class Pod(collections.UserDict):
+ """Model for a Pod."""
+
+ def __init__(self, client, ident, data):
+ """Construct Pod model."""
+ super().__init__(data)
+
+ self._ident = ident
+ self._client = client
+
+ with client() as podman:
+ self._refresh(podman)
+
+ def _refresh(self, podman):
+ pod = podman.GetPod(self._ident)
+ super().update(pod['pod'])
+
+ for k, v in self.data.items():
+ setattr(self, k, v)
+ return self
+
+ def inspect(self):
+ """Retrieve details about pod."""
+ with self._client() as podman:
+ results = podman.InspectPod(self._ident)
+ obj = json.loads(results['pod'], object_hook=fold_keys())
+ obj['id'] = obj['config']['id']
+ return collections.namedtuple('PodInspect', obj.keys())(**obj)
+
+ def kill(self, signal_=signal.SIGTERM, wait=25):
+ """Send signal to all containers in pod.
+
+ default signal is signal.SIGTERM.
+ wait n of seconds, 0 waits forever.
+ """
+ running = FoldedString(self.status)
+
+ with self._client() as podman:
+ podman.KillPod(self._ident, signal_)
+ timeout = time.time() + wait
+ while True:
+ # pylint: disable=maybe-no-member
+ self._refresh(podman)
+ if running != 'running':
+ return self
+
+ if wait and timeout < time.time():
+ raise TimeoutError()
+
+ time.sleep(0.5)
+ return self
+
+ def pause(self):
+ """Pause all containers in the pod."""
+ with self._client() as podman:
+ podman.PausePod(self._ident)
+ return self._refresh(podman)
+
+ def refresh(self):
+ """Refresh status fields for this pod."""
+ with self._client() as podman:
+ return self._refresh(podman)
+
+ def remove(self, force=False):
+ """Remove pod and its containers returning pod ident.
+
+ force=True, stop any running container.
+ """
+ with self._client() as podman:
+ results = podman.RemovePod(self._ident, force)
+ return results['pod']
+
+ def restart(self):
+ """Restart all containers in the pod."""
+ with self._client() as podman:
+ podman.RestartPod(self._ident)
+ return self._refresh(podman)
+
+ def stats(self):
+ """Stats on all containers in the pod."""
+ with self._client() as podman:
+ results = podman.GetPodStats(self._ident)
+ for obj in results['containers']:
+ yield collections.namedtuple('ContainerStats', obj.keys())(**obj)
+
+ def start(self):
+ """Start all containers in the pod."""
+ with self._client() as podman:
+ podman.StartPod(self._ident)
+ return self._refresh(podman)
+
+ def stop(self):
+ """Stop all containers in the pod."""
+ with self._client() as podman:
+ podman.StopPod(self._ident)
+ return self._refresh(podman)
+
+ def top(self):
+ """Display stats for all containers."""
+ with self._client() as podman:
+ results = podman.TopPod(self._ident)
+ return results['pod']
+
+ def unpause(self):
+ """Unpause all containers in the pod."""
+ with self._client() as podman:
+ podman.UnpausePod(self._ident)
+ return self._refresh(podman)
+
+ def wait(self):
+ """Wait for all containers to exit."""
+ with self._client() as podman:
+ results = podman.WaitPod(self._ident)
+ return results['pod']
+
+
+class Pods():
+ """Model for accessing pods."""
+
+ def __init__(self, client):
+ """Construct pod model."""
+ self._client = client
+
+ def create(self,
+ ident,
+ cgroupparent=None,
+ labels=None,
+ share=None,
+ infra=False):
+ """Create a new empty pod."""
+ config = ConfigDict(
+ name=ident,
+ cgroupParent=cgroupparent,
+ labels=labels,
+ share=share,
+ infra=infra,
+ )
+
+ with self._client() as podman:
+ result = podman.CreatePod(config)
+ details = podman.GetPod(result['pod'])
+ return Pod(self._client, result['pod'], details['pod'])
+
+ def get(self, ident):
+ """Get Pod from ident."""
+ with self._client() as podman:
+ result = podman.GetPod(ident)
+ return Pod(self._client, result['pod']['id'], result['pod'])
+
+ def list(self):
+ """List all pods."""
+ with self._client() as podman:
+ results = podman.ListPods()
+ for pod in results['pods']:
+ yield Pod(self._client, pod['id'], pod)
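Review bot: In `Pod.kill`, `running = FoldedString(self.status)` is evaluated once before the loop, so the `if running != 'running'` test never sees the status that `_refresh` has just fetched: the method either returns on the first pass or polls until `TimeoutError` (indefinitely with `wait=0`). Read the status inside the loop, `if FoldedString(self.status) != 'running': return self`, and drop the unreachable `return self` after `while True`. `_refresh` also calls `setattr(self, k, v)` for every key in the service reply, so a key named `data`, `_client` or `kill` would overwrite the object's own attribute or method. Restricting the copy to an expected set of keys, or relying on `self[...]` lookups, avoids trusting the reply for attribute names.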
diff --git a/contrib/python/podman/test/test_pods_ctnrs.py b/contrib/python/podman/test/test_pods_ctnrs.py
new file mode 100644
index 000000000..14ce95c8a
--- /dev/null
+++ b/contrib/python/podman/test/test_pods_ctnrs.py
@@ -0,0 +1,65 @@
+import os
+from test.podman_testcase import PodmanTestCase
+
+import podman
+from podman import FoldedString
+
+pod = None
+
+
+class TestPodsCtnrs(PodmanTestCase):
+ @classmethod
+ def setUpClass(cls):
+ # Populate storage
+ super().setUpClass()
+
+ @classmethod
+ def tearDownClass(cls):
+ super().tearDownClass()
+
+ def setUp(self):
+ self.tmpdir = os.environ['TMPDIR']
+ self.host = os.environ['PODMAN_HOST']
+
+ self.pclient = podman.Client(self.host)
+
+ def test_010_populate(self):
+ global pod
+
+ pod = self.pclient.pods.create('pod1')
+ self.assertEqual('pod1', pod.name)
+
+ img = self.pclient.images.get('docker.io/library/alpine:latest')
+ ctnr = img.container(pod=pod.id)
+
+ pod.refresh()
+ self.assertEqual('1', pod.numberofcontainers)
+ self.assertEqual(ctnr.id, pod.containersinfo[0]['id'])
+
+ def test_015_one_shot(self):
+ global pod
+
+ details = pod.inspect()
+ state = FoldedString(details.containers[0]['state'])
+ self.assertEqual(state, 'configured')
+
+ pod = pod.start()
+ status = FoldedString(pod.containersinfo[0]['status'])
+ # Race on whether container is still running or finished
+ self.assertIn(status, ('stopped', 'exited', 'running'))
+
+ pod = pod.restart()
+ status = FoldedString(pod.containersinfo[0]['status'])
+ self.assertIn(status, ('stopped', 'exited', 'running'))
+
+ killed = pod.kill()
+ self.assertEqual(pod, killed)
+
+ def test_999_remove(self):
+ global pod
+
+ ident = pod.remove(force=True)
+ self.assertEqual(ident, pod.id)
+
+ with self.assertRaises(StopIteration):
+ next(self.pclient.pods.list())
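Review bot: The three tests pass state through the module-level `pod` global and only work when run in name order; if `test_010_populate` fails, `test_015_one_shot` and `test_999_remove` fail on `None`, and a partially created `pod1` may be left on the host. `setUpClass` and `tearDownClass` are overridden here but only call `super()`, which makes them the natural place to create the pod and to `remove(force=True)` it regardless of test outcome. The same pattern, with globals `ident` and `pod`, appears in test/test_pods_no_ctnrs.py.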
diff --git a/contrib/python/podman/test/test_pods_no_ctnrs.py b/contrib/python/podman/test/test_pods_no_ctnrs.py
new file mode 100644
index 000000000..48b4f74e4
--- /dev/null
+++ b/contrib/python/podman/test/test_pods_no_ctnrs.py
@@ -0,0 +1,94 @@
+import os
+import unittest
+
+import podman
+import varlink
+
+ident = None
+pod = None
+
+
+class TestPodsNoCtnrs(unittest.TestCase):
+ def setUp(self):
+ self.tmpdir = os.environ['TMPDIR']
+ self.host = os.environ['PODMAN_HOST']
+
+ self.pclient = podman.Client(self.host)
+
+ def test_010_create(self):
+ global ident
+
+ actual = self.pclient.pods.create('pod0')
+ self.assertIsNotNone(actual)
+ ident = actual.id
+
+ def test_015_list(self):
+ global ident, pod
+
+ actual = next(self.pclient.pods.list())
+ self.assertEqual('pod0', actual.name)
+ self.assertEqual(ident, actual.id)
+ self.assertEqual('Created', actual.status)
+ self.assertEqual('0', actual.numberofcontainers)
+ self.assertFalse(actual.containersinfo)
+ pod = actual
+
+ def test_020_get(self):
+ global ident, pod
+
+ actual = self.pclient.pods.get(pod.id)
+ self.assertEqual('pod0', actual.name)
+ self.assertEqual(ident, actual.id)
+ self.assertEqual('Created', actual.status)
+ self.assertEqual('0', actual.numberofcontainers)
+ self.assertFalse(actual.containersinfo)
+
+ def test_025_inspect(self):
+ global ident, pod
+
+ details = pod.inspect()
+ self.assertEqual(ident, details.id)
+ self.assertEqual('pod0', details.config['name'])
+ self.assertIsNone(details.containers)
+
+ def test_030_ident_no_ctnrs(self):
+ global ident, pod
+
+ actual = pod.kill()
+ self.assertEqual(pod, actual)
+
+ actual = pod.pause()
+ self.assertEqual(pod, actual)
+
+ actual = pod.unpause()
+ self.assertEqual(pod, actual)
+
+ actual = pod.stop()
+ self.assertEqual(pod, actual)
+
+ def test_045_raises_no_ctnrs(self):
+ global ident, pod
+
+ with self.assertRaises(podman.NoContainersInPod):
+ pod.start()
+
+ with self.assertRaises(podman.NoContainersInPod):
+ pod.restart()
+
+ with self.assertRaises(podman.NoContainerRunning):
+ next(pod.stats())
+
+ with self.assertRaises(varlink.error.MethodNotImplemented):
+ pod.top()
+
+ with self.assertRaises(varlink.error.MethodNotImplemented):
+ pod.wait()
+
+ def test_999_remove(self):
+ global ident, pod
+
+ actual = pod.remove()
+ self.assertEqual(ident, actual)
+
+ with self.assertRaises(StopIteration):
+ next(self.pclient.pods.list())
diff --git a/contrib/python/podman/test/test_runner.sh b/contrib/python/podman/test/test_runner.sh
index 76432cf47..ce518e7ed 100755
--- a/contrib/python/podman/test/test_runner.sh
+++ b/contrib/python/podman/test/test_runner.sh
@@ -14,7 +14,7 @@ fi
export PATH=../../../bin:$PATH
function usage {
- echo 1>&2 $0 [-v] [-h] [test.TestCase|test.TestCase.step]
+ echo 1>&2 $0 '[-v] [-h] [test.<TestCase>|test.<TestCase>.<step>]'
}
while getopts "vh" arg; do
diff --git a/contrib/python/pypodman/pypodman/lib/podman_parser.py b/contrib/python/pypodman/pypodman/lib/podman_parser.py
index 4150e5d50..a7c869a98 100644
--- a/contrib/python/pypodman/pypodman/lib/podman_parser.py
+++ b/contrib/python/pypodman/pypodman/lib/podman_parser.py
@@ -69,8 +69,8 @@ class PodmanArgumentParser(argparse.ArgumentParser):
self.add_argument(
'--username',
'-l',
- default=getpass.getuser(),
- help='Authenicating user on remote host. (default: %(default)s)')
+ help='Authenicating user on remote host. (default: {})'.format(
+ getpass.getuser()))
self.add_argument(
'--host', help='name of remote host. (default: None)')
self.add_argument(
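Review bot: The new `--username` help text prints `getpass.getuser()` as the default, but the hunk removes `default=` from the argument, so `args.username` is now `None` when the flag is omitted and the effective default is decided elsewhere. If a later fallback (not visible in this hunk) consults the environment or a config file before the login name, the help message will name the wrong user; wording such as `(default: from config, else {})` would be more accurate. The new string also keeps the `Authenicating` typo, which could be corrected to `Authenticating` while the line is being touched.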
@@ -175,6 +175,13 @@ class PodmanArgumentParser(argparse.ArgumentParser):
) # yapf:disable
reqattr(
+ 'port',
+ getattr(args, 'port')
+ or os.environ.get('PORT')
+ or config['default'].get('port', None)
+ ) # yapf:disable
+
+ reqattr(
'remote_socket_path',
getattr(args, 'remote_socket_path')
or os.environ.get('REMOTE_SOCKET_PATH')
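Review bot: The added `port` lookup takes the first truthy value from `args`, the `PORT` environment variable or the config file without checking that it is a usable port number. Values from `os.environ` are always strings and the config value's type is not visible here, so the attribute may be a `str` in one case and an `int` in another. Converting once and rejecting anything outside 1–65535 before the value is used for the remote connection would make a bad setting fail early, e.g. `port = int(value)` followed by `if not 0 < port < 65536: raise ValueError('invalid port')`. `PORT` is also a very generic variable name that unrelated tooling exports, so it can silently change which endpoint the client connects to; the enclosing method starts and ends outside the hunk.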
diff --git a/docs/podman-container-runlabel.1.md b/docs/podman-container-runlabel.1.md
new file mode 100644
index 000000000..889a5fb03
--- /dev/null
+++ b/docs/podman-container-runlabel.1.md
@@ -0,0 +1,102 @@
+% PODMAN(1) Podman Man Pages
+% Brent Baude
+% September 2018
+# NAME
+podman-container-runlabel - Execute Image Label Method
+
+# SYNOPSIS
+**podman container runlabel**
+[**-h**|**--help**]
+[**--display**]
+[**-n**][**--name**[=*NAME*]]
+[**-p**][[**--pull**]]
+[**--rootfs**=*ROOTFS*]
+[**--set**=*NAME*=*VALUE*]
+[**--storage**]
+LABEL IMAGE [ARG...]
+
+# DESCRIPTION
+**podman container runlabel** reads the provided `LABEL` field in the container
+IMAGE and executes the provided value for the label as a command. If this field does not
+exist, `podman container runlabel` will just exit.
+
+If the container image has a LABEL INSTALL instruction like the following:
+
+`LABEL INSTALL /usr/bin/podman run -t -i --rm \${OPT1} --privileged -v /:/host --net=host --ipc=host --pid=host -e HOST=/host -e NAME=\${NAME} -e IMAGE=\${IMAGE} -e CONFDIR=\/etc/${NAME} -e LOGDIR=/var/log/\${NAME} -e DATADIR=/var/lib/\${NAME} \${IMAGE} \${OPT2} /bin/install.sh \${OPT3}`
+
+`podman container runlabel` will set the following environment variables for use in the command:
+
+Note: Podman will always ensure that `podman` is the first argument of the command being executed.
+
+**NAME**
+The name specified via the command. NAME will be replaced with IMAGE if it is not specified.
+
+**IMAGE**
+Image name specified via the command.
+
+**SUDO_UID**
+The `SUDO_UID` environment variable. This is useful with the podman
+`-u` option for user space tools. If the environment variable is
+not available, the value of `/proc/self/loginuid` is used.
+
+**SUDO_GID**
+The `SUDO_GID` environment variable. This is useful with the podman
+`-u` option for user space tools. If the environment variable is
+not available, the default GID of the value for `SUDO_UID` is used.
+If this value is not available, the value of `/proc/self/loginuid`
+is used.
+
+Any additional arguments will be appended to the command.
+
+# OPTIONS:
+**--authfile**
+
+Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`.
+If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+
+**--display**
+
+Display the label's value of the image having populated its environment variables.
+The runlabel command will not execute if --display is specified.
+
+**--cert-dir** *path*
+
+Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry.
+Default certificates directory is _/etc/containers/certs.d_.
+
+**--creds**
+
+The [username[:password]] to use to authenticate with the registry if required.
+If one or both values are not supplied, a command line prompt will appear and the
+value can be entered. The password is entered without echo.
+
+**-h** **--help**
+Print usage statement
+
+**-n** **--name**=""
+ Use this name for creating content for the container. NAME will default to the IMAGENAME if it is not specified.
+
+**p** **--pull**
+ Pull the image if it cannot be found in local storage.
+
+**--quiet, -q**
+
+Suppress output information when pulling images
+
+**--signature-policy="PATHNAME"**
+
+Pathname of a signature policy file to use. It is not recommended that this
+option be used, as the default behavior of using the system-wide default policy
+(frequently */etc/containers/policy.json*) is most often preferred
+
+**--tls-verify**
+
+Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
+then tls verification will be used, If set to false then tls verification will not be used. If not specified
+tls verification will be used unless the target registry is listed as an insecure registry in registries.conf
+
+## SEE ALSO
+podman(1)
+
+# HISTORY
+September 2018, Originally compiled by Brent Baude (bbaude at redhat dot com)
diff --git a/docs/podman-kill.1.md b/docs/podman-kill.1.md
index 79449fc57..14066d151 100644
--- a/docs/podman-kill.1.md
+++ b/docs/podman-kill.1.md
@@ -10,6 +10,10 @@ podman\-kill - Kills one or more containers with a signal
The main process inside each container specified will be sent SIGKILL, or any signal specified with option --signal.
## OPTIONS
+**--all, -a**
+
+Signal all running containers. This does not include paused containers.
+
**--latest, -l**
Instead of providing the container name or ID, use the last created container. If you use methods other than Podman
@@ -30,6 +34,8 @@ podman kill --signal TERM 860a4b23
podman kill --latest
+podman kill --signal KILL -a
+
## SEE ALSO
podman(1), podman-stop(1)
diff --git a/docs/podman-stop.1.md b/docs/podman-stop.1.md
index 98f74f269..813f0ef9e 100644
--- a/docs/podman-stop.1.md
+++ b/docs/podman-stop.1.md
@@ -15,10 +15,6 @@ container and also via command line when creating the container.
## OPTIONS
-**--timeout, --time, t**
-
-Timeout to wait before forcibly stopping the container
-
**--all, -a**
Stop all running containers. This does not include paused containers.
@@ -28,6 +24,10 @@ Stop all running containers. This does not include paused containers.
Instead of providing the container name or ID, use the last created container. If you use methods other than Podman
to run containers such as CRI-O, the last started container could be from either of those methods.
+**--timeout, --time, t**
+
+Timeout to wait before forcibly stopping the container
+
## EXAMPLE
podman stop mywebserver
diff --git a/docs/tutorials/podman_tutorial.md b/docs/tutorials/podman_tutorial.md
index 9a6cf3e9d..a866b8eed 100644
--- a/docs/tutorials/podman_tutorial.md
+++ b/docs/tutorials/podman_tutorial.md
@@ -85,7 +85,7 @@ $ sudo cp bin/* /usr/libexec/cni
```console
$ git clone https://github.com/opencontainers/runc.git $GOPATH/src/github.com/opencontainers/runc
$ cd $GOPATH/src/github.com/opencontainers/runc
-$ make static BUILDTAGS="seccomp selinux"
+$ make BUILDTAGS="seccomp"
$ sudo cp runc /usr/bin/runc
```
diff --git a/install.md b/install.md
index a6b912a87..33224c810 100644
--- a/install.md
+++ b/install.md
@@ -72,7 +72,7 @@ apt-get install -y \
Debian, Ubuntu, and related distributions will also need to do the following setup:
- * A copy of the development libraries for `ostree`, either in the form of the `libostree-dev` package from the [flatpak](https://launchpad.net/~alexlarsson/+archive/ubuntu/flatpak) PPA, or built [from source](https://github.com/ostreedev/ostree) (more on that [here](https://ostree.readthedocs.io/en/latest/#building)).
+ * A copy of the development libraries for `ostree`, either in the form of the `libostree-dev` package from the [flatpak](https://launchpad.net/~alexlarsson/+archive/ubuntu/flatpak) PPA, or built [from source](https://github.com/ostreedev/ostree) (more on that [here](https://ostree.readthedocs.io/en/latest/#building)). As of Ubuntu 18.04, `libostree-dev` is available in the main repositories, and the PPA is no longer required.
* [Add required configuration files](https://github.com/containers/libpod/blob/master/docs/tutorials/podman_tutorial.md#adding-required-configuration-files)
* Install conmon, CNI plugins and runc
* [Install conmon](https://github.com/containers/libpod/blob/master/docs/tutorials/podman_tutorial.md#building-and-installing-conmon)
diff --git a/libpod/container.go b/libpod/container.go
index 0b1879208..55a0f3a2c 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -36,6 +36,9 @@ const (
ContainerStateStopped ContainerStatus = iota
// ContainerStatePaused indicates that the container has been paused
ContainerStatePaused ContainerStatus = iota
+ // ContainerStateExited indicates the the container has stopped and been
+ // cleaned up
+ ContainerStateExited ContainerStatus = iota
)
// CgroupfsDefaultCgroupParent is the cgroup parent for CGroupFS in libpod
@@ -354,9 +357,11 @@ func (t ContainerStatus) String() string {
case ContainerStateRunning:
return "running"
case ContainerStateStopped:
- return "exited"
+ return "stopped"
case ContainerStatePaused:
return "paused"
+ case ContainerStateExited:
+ return "exited"
}
return "bad state"
}
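Review bot: `ContainerStateStopped` now renders as `"stopped"` instead of `"exited"`, which changes a user-visible string that callers may match on. Any status filter, API client or test that compares against `"exited"` will no longer match containers that have stopped but not yet been cleaned up; none of those callers are visible in this hunk, so this needs checking rather than assuming. A doc comment on `String()` listing the string for each state, and noting that `"exited"` now means the container has been removed from the OCI runtime, would make the contract explicit. The comment on the new constant in the previous hunk also has a doubled word (`the the`).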
diff --git a/libpod/container_api.go b/libpod/container_api.go
index fc2058de6..192ccd347 100644
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -32,7 +32,8 @@ func (c *Container) Init(ctx context.Context) (err error) {
}
if !(c.state.State == ContainerStateConfigured ||
- c.state.State == ContainerStateStopped) {
+ c.state.State == ContainerStateStopped ||
+ c.state.State == ContainerStateExited) {
return errors.Wrapf(ErrCtrExists, "container %s has already been created in runtime", c.ID())
}
@@ -50,7 +51,7 @@ func (c *Container) Init(ctx context.Context) (err error) {
}
defer func() {
if err != nil {
- if err2 := c.cleanup(); err2 != nil {
+ if err2 := c.cleanup(ctx); err2 != nil {
logrus.Errorf("error cleaning up container %s: %v", c.ID(), err2)
}
}
@@ -84,7 +85,8 @@ func (c *Container) Start(ctx context.Context) (err error) {
// Container must be created or stopped to be started
if !(c.state.State == ContainerStateConfigured ||
c.state.State == ContainerStateCreated ||
- c.state.State == ContainerStateStopped) {
+ c.state.State == ContainerStateStopped ||
+ c.state.State == ContainerStateExited) {
return errors.Wrapf(ErrCtrStateInvalid, "container %s must be in Created or Stopped state to be started", c.ID())
}
@@ -102,7 +104,7 @@ func (c *Container) Start(ctx context.Context) (err error) {
}
defer func() {
if err != nil {
- if err2 := c.cleanup(); err2 != nil {
+ if err2 := c.cleanup(ctx); err2 != nil {
logrus.Errorf("error cleaning up container %s: %v", c.ID(), err2)
}
}
@@ -113,8 +115,9 @@ func (c *Container) Start(ctx context.Context) (err error) {
if err := c.reinit(ctx); err != nil {
return err
}
- } else if c.state.State == ContainerStateConfigured {
- // Or initialize it for the first time if necessary
+ } else if c.state.State == ContainerStateConfigured ||
+ c.state.State == ContainerStateExited {
+ // Or initialize it if necessary
if err := c.init(ctx); err != nil {
return err
}
@@ -147,7 +150,8 @@ func (c *Container) StartAndAttach(ctx context.Context, streams *AttachStreams,
// Container must be created or stopped to be started
if !(c.state.State == ContainerStateConfigured ||
c.state.State == ContainerStateCreated ||
- c.state.State == ContainerStateStopped) {
+ c.state.State == ContainerStateStopped ||
+ c.state.State == ContainerStateExited) {
return nil, errors.Wrapf(ErrCtrStateInvalid, "container %s must be in Created or Stopped state to be started", c.ID())
}
@@ -165,7 +169,7 @@ func (c *Container) StartAndAttach(ctx context.Context, streams *AttachStreams,
}
defer func() {
if err != nil {
- if err2 := c.cleanup(); err2 != nil {
+ if err2 := c.cleanup(ctx); err2 != nil {
logrus.Errorf("error cleaning up container %s: %v", c.ID(), err2)
}
}
@@ -176,8 +180,9 @@ func (c *Container) StartAndAttach(ctx context.Context, streams *AttachStreams,
if err := c.reinit(ctx); err != nil {
return nil, err
}
- } else if c.state.State == ContainerStateConfigured {
- // Or initialize it for the first time if necessary
+ } else if c.state.State == ContainerStateConfigured ||
+ c.state.State == ContainerStateExited {
+ // Or initialize it if necessary
if err := c.init(ctx); err != nil {
return nil, err
}
@@ -202,26 +207,8 @@ func (c *Container) StartAndAttach(ctx context.Context, streams *AttachStreams,
// Default stop timeout is 10 seconds, but can be overridden when the container
// is created
func (c *Container) Stop() error {
- if !c.batched {
- c.lock.Lock()
- defer c.lock.Unlock()
-
- if err := c.syncContainer(); err != nil {
- return err
- }
- }
-
- if c.state.State == ContainerStateConfigured ||
- c.state.State == ContainerStateUnknown ||
- c.state.State == ContainerStatePaused {
- return errors.Wrapf(ErrCtrStateInvalid, "can only stop created, running, or stopped containers")
- }
-
- if c.state.State == ContainerStateStopped {
- return ErrCtrStopped
- }
-
- return c.stop(c.config.StopTimeout)
+ // Stop with the container's given timeout
+ return c.StopWithTimeout(c.config.StopTimeout)
}
// StopWithTimeout is a version of Stop that allows a timeout to be specified
@@ -243,7 +230,8 @@ func (c *Container) StopWithTimeout(timeout uint) error {
return errors.Wrapf(ErrCtrStateInvalid, "can only stop created, running, or stopped containers")
}
- if c.state.State == ContainerStateStopped {
+ if c.state.State == ContainerStateStopped ||
+ c.state.State == ContainerStateExited {
return ErrCtrStopped
}
@@ -431,7 +419,8 @@ func (c *Container) Attach(streams *AttachStreams, keys string, resize <-chan re
}
if c.state.State != ContainerStateCreated &&
- c.state.State != ContainerStateRunning {
+ c.state.State != ContainerStateRunning &&
+ c.state.State != ContainerStateExited {
return errors.Wrapf(ErrCtrStateInvalid, "can only attach to created or running containers")
}
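Review bot: `Attach` now lets `ContainerStateExited` through the state check, yet `cleanupRuntime` in this same commit removes the conmon attach/ctl files and deletes the container from the runtime before setting that state. If that reading is right there is nothing left to attach to, and the caller gets a lower-level error instead of `ErrCtrStateInvalid`. Either drop the `c.state.State != ContainerStateExited` clause or add a comment explaining why attaching to an exited container is expected to work; the message `can only attach to created or running containers` should match whichever is chosen. The function body continues outside the hunk.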
@@ -626,7 +615,7 @@ func (c *Container) WaitWithInterval(waitTimeout time.Duration) (int32, error) {
// Cleanup unmounts all mount points in container and cleans up container storage
// It also cleans up the network stack
-func (c *Container) Cleanup() error {
+func (c *Container) Cleanup(ctx context.Context) error {
if !c.batched {
c.lock.Lock()
defer c.lock.Unlock()
@@ -645,7 +634,7 @@ func (c *Container) Cleanup() error {
return errors.Wrapf(ErrCtrStateInvalid, "container %s has active exec sessions, refusing to clean up", c.ID())
}
- return c.cleanup()
+ return c.cleanup(ctx)
}
// Batch starts a batch operation on the given container
@@ -800,7 +789,7 @@ func (c *Container) Refresh(ctx context.Context) error {
// Fire cleanup code one more time unconditionally to ensure we are good
// to refresh
- if err := c.cleanup(); err != nil {
+ if err := c.cleanup(ctx); err != nil {
return err
}
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index c88794212..033426817 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -150,7 +150,8 @@ func (c *Container) syncContainer() error {
// If runtime knows about the container, update its status in runtime
// And then save back to disk
if (c.state.State != ContainerStateUnknown) &&
- (c.state.State != ContainerStateConfigured) {
+ (c.state.State != ContainerStateConfigured) &&
+ (c.state.State != ContainerStateExited) {
oldState := c.state.State
// TODO: optionally replace this with a stat for the exit file
if err := c.runtime.ociRuntime.updateContainerStatus(c); err != nil {
@@ -422,7 +423,7 @@ func (c *Container) isStopped() (bool, error) {
if err != nil {
return true, err
}
- return c.state.State == ContainerStateStopped, nil
+ return (c.state.State == ContainerStateStopped || c.state.State == ContainerStateExited), nil
}
// save container state to the database
@@ -528,6 +529,8 @@ func (c *Container) init(ctx context.Context) error {
logrus.Debugf("Created container %s in OCI runtime", c.ID())
+ c.state.ExitCode = 0
+ c.state.Exited = false
c.state.State = ContainerStateCreated
if err := c.save(); err != nil {
@@ -537,11 +540,14 @@ func (c *Container) init(ctx context.Context) error {
return c.completeNetworkSetup()
}
-// Reinitialize a container
-// Deletes and recreates a container in the runtime
-// Should only be done on ContainerStateStopped containers
-func (c *Container) reinit(ctx context.Context) error {
- logrus.Debugf("Recreating container %s in OCI runtime", c.ID())
+// Clean up a container in the OCI runtime.
+// Deletes the container in the runtime, and resets its state to Exited.
+// The container can be restarted cleanly after this.
+func (c *Container) cleanupRuntime(ctx context.Context) error {
+ // If the container is not ContainerStateStopped, do nothing
+ if c.state.State != ContainerStateStopped {
+ return nil
+ }
// If necessary, delete attach and ctl files
if err := c.removeConmonFiles(); err != nil {
@@ -552,19 +558,33 @@ func (c *Container) reinit(ctx context.Context) error {
return err
}
- // Our state is now Configured, as we've removed ourself from
- // the runtime
- // Set and save now to make sure that, if the init() below fails
- // we still have a valid state
- c.state.State = ContainerStateConfigured
- c.state.ExitCode = 0
- c.state.Exited = false
- if err := c.save(); err != nil {
- return err
+ // Our state is now Exited, as we've removed ourself from
+ // the runtime.
+ c.state.State = ContainerStateExited
+
+ if c.valid {
+ if err := c.save(); err != nil {
+ return err
+ }
}
logrus.Debugf("Successfully cleaned up container %s", c.ID())
+ return nil
+}
+
+// Reinitialize a container.
+// Deletes and recreates a container in the runtime.
+// Should only be done on ContainerStateStopped containers.
+// Not necessary for ContainerStateExited - the container has already been
+// removed from the runtime, so init() can proceed freely.
+func (c *Container) reinit(ctx context.Context) error {
+ logrus.Debugf("Recreating container %s in OCI runtime", c.ID())
+
+ if err := c.cleanupRuntime(ctx); err != nil {
+ return err
+ }
+
// Initialize the container again
return c.init(ctx)
}
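Review bot: `reinit` no longer guarantees that the old runtime container was deleted before `init` runs, because `cleanupRuntime` returns `nil` without doing anything unless the state is `ContainerStateStopped`. The doc comment says it should only be used on stopped containers, but that is not enforced, so a call in any other state falls straight through to `c.init(ctx)`. A guard at the top of `reinit`, `if c.state.State != ContainerStateStopped { return errors.Wrapf(ErrCtrStateInvalid, "container %s must be stopped to be reinitialized", c.ID()) }`, would turn a confusing runtime failure into a clear one. `cleanupRuntime` begins in the preceding hunk and part of its body is not shown.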
@@ -592,7 +612,7 @@ func (c *Container) initAndStart(ctx context.Context) (err error) {
}
defer func() {
if err != nil {
- if err2 := c.cleanup(); err2 != nil {
+ if err2 := c.cleanup(ctx); err2 != nil {
logrus.Errorf("error cleaning up container %s: %v", c.ID(), err2)
}
}
@@ -603,28 +623,11 @@ func (c *Container) initAndStart(ctx context.Context) (err error) {
if c.state.State == ContainerStateStopped {
logrus.Debugf("Recreating container %s in OCI runtime", c.ID())
- // If necessary, delete attach and ctl files
- if err := c.removeConmonFiles(); err != nil {
- return err
- }
-
- // Delete the container in the runtime
- if err := c.runtime.ociRuntime.deleteContainer(c); err != nil {
- return errors.Wrapf(err, "error removing container %s from runtime", c.ID())
- }
-
- // Our state is now Configured, as we've removed ourself from
- // the runtime
- // Set and save now to make sure that, if the init() below fails
- // we still have a valid state
- c.state.State = ContainerStateConfigured
- if err := c.save(); err != nil {
+ if err := c.reinit(ctx); err != nil {
return err
}
- }
-
- // If we are ContainerStateConfigured we need to init()
- if c.state.State == ContainerStateConfigured {
+ } else if c.state.State == ContainerStateConfigured ||
+ c.state.State == ContainerStateExited {
if err := c.init(ctx); err != nil {
return err
}
@@ -705,7 +708,7 @@ func (c *Container) restartWithTimeout(ctx context.Context, timeout uint) (err e
}
defer func() {
if err != nil {
- if err2 := c.cleanup(); err2 != nil {
+ if err2 := c.cleanup(ctx); err2 != nil {
logrus.Errorf("error cleaning up container %s: %v", c.ID(), err2)
}
}
@@ -716,8 +719,9 @@ func (c *Container) restartWithTimeout(ctx context.Context, timeout uint) (err e
if err := c.reinit(ctx); err != nil {
return err
}
- } else if c.state.State == ContainerStateConfigured {
- // Initialize the container if it has never been initialized
+ } else if c.state.State == ContainerStateConfigured ||
+ c.state.State == ContainerStateExited {
+ // Initialize the container
if err := c.init(ctx); err != nil {
return err
}
@@ -826,7 +830,7 @@ func (c *Container) cleanupStorage() error {
}
// Unmount the a container and free its resources
-func (c *Container) cleanup() error {
+func (c *Container) cleanup(ctx context.Context) error {
var lastError error
logrus.Debugf("Cleaning up container %s", c.ID())
@@ -845,6 +849,15 @@ func (c *Container) cleanup() error {
}
}
+ // Remove the container from the runtime, if necessary
+ if err := c.cleanupRuntime(ctx); err != nil {
+ if lastError != nil {
+ logrus.Errorf("Error removing container %s from OCI runtime: %v", c.ID(), err)
+ } else {
+ lastError = err
+ }
+ }
+
return lastError
}
@@ -926,9 +939,6 @@ func (c *Container) makeBindMounts() error {
if err != nil {
return errors.Wrapf(err, "error creating resolv.conf for container %s", c.ID())
}
- if err = label.Relabel(newResolv, c.config.MountLabel, false); err != nil {
- return errors.Wrapf(err, "error relabeling %q for container %q", newResolv, c.ID)
- }
c.state.BindMounts["/etc/resolv.conf"] = newResolv
// Make /etc/hosts
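Review bot: This hunk and the two that follow drop the `label.Relabel(..., c.config.MountLabel, false)` calls for the generated `resolv.conf`, `hosts` and `hostname` files, and nothing visible in `makeBindMounts` replaces them. If the helpers that create these files do not apply the container's mount label themselves, an SELinux-enforcing host will deny the container access to the bind mounts; those helpers are outside the lines shown here, so this should be confirmed. A short comment at each `c.state.BindMounts[...] =` assignment saying where the relabel now happens, e.g. `// relabeled with c.config.MountLabel by the helper that writes the file`, would keep the labeling requirement from being lost in a later refactor.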
@@ -940,9 +950,6 @@ func (c *Container) makeBindMounts() error {
if err != nil {
return errors.Wrapf(err, "error creating hosts file for container %s", c.ID())
}
- if err = label.Relabel(newHosts, c.config.MountLabel, false); err != nil {
- return errors.Wrapf(err, "error relabeling %q for container %q", newHosts, c.ID)
- }
c.state.BindMounts["/etc/hosts"] = newHosts
// Make /etc/hostname
@@ -952,9 +959,6 @@ func (c *Container) makeBindMounts() error {
if err != nil {
return errors.Wrapf(err, "error creating hostname file for container %s", c.ID())
}
- if err = label.Relabel(hostnamePath, c.config.MountLabel, false); err != nil {
- return errors.Wrapf(err, "error relabeling %q for container %q", hostnamePath, c.ID)
- }
c.state.BindMounts["/etc/hostname"] = hostnamePath
}
@@ -1286,7 +1290,7 @@ func (c *Container) setupOCIHooks(ctx context.Context, config *spec.Spec) (exten
}
}
- var allHooks map[string][]spec.Hook
+ allHooks := make(map[string][]spec.Hook)
for _, hDir := range c.runtime.config.HooksDir {
manager, err := hooks.New(ctx, []string{hDir}, []string{"poststop"}, lang)
if err != nil {
@@ -1329,3 +1333,10 @@ func (c *Container) unmount(force bool) error {
return nil
}
+
+// getExcludedCGroups returns a string slice of cgroups we want to exclude
+// because runc or other components are unaware of them.
+func getExcludedCGroups() (excludes []string) {
+ excludes = []string{"rdma"}
+ return
+}
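Review bot: `getExcludedCGroups` uses a named result and a naked `return` for a body that only yields a literal; `func getExcludedCGroups() []string { return []string{"rdma"} }` reads more directly. Building a fresh slice on each call means callers cannot mutate shared state, which is worth preserving if this is ever turned into a package-level variable.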
diff --git a/libpod/image/image.go b/libpod/image/image.go
index 197a83dc1..f39b1d78d 100644
--- a/libpod/image/image.go
+++ b/libpod/image/image.go
@@ -744,6 +744,20 @@ func (i *Image) Labels(ctx context.Context) (map[string]string, error) {
return imgInspect.Labels, nil
}
+// GetLabel Returns a case-insensitive match of a given label
+func (i *Image) GetLabel(ctx context.Context, label string) (string, error) {
+ imageLabels, err := i.Labels(ctx)
+ if err != nil {
+ return "", err
+ }
+ for k, v := range imageLabels {
+ if strings.ToLower(k) == strings.ToLower(label) {
+ return v, nil
+ }
+ }
+ return "", nil
+}
+
// Annotations returns the annotations of an image
func (i *Image) Annotations(ctx context.Context) (map[string]string, error) {
manifest, manifestType, err := i.Manifest(ctx)
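Review bot: `GetLabel` returns whichever case-insensitive match the map iteration reaches first, so an image carrying both `INSTALL` and `install` labels can yield a different value from one run to the next. The man page added in this commit says `runlabel` executes the label's value as a command, and this helper looks like the lookup behind it, so which label wins should be deterministic. Checking the exact key first and then scanning sorted keys with `strings.EqualFold` fixes that and avoids lowering both strings on every comparison; it needs `sort` imported in this file. The doc comment should also say that a missing label yields `"", nil`, which callers cannot tell apart from an empty label value.
```go
func (i *Image) GetLabel(ctx context.Context, label string) (string, error) {
	// … unchanged: i.Labels(ctx) call and error return …
	// An exact-case key wins, so the result never depends on map order.
	if v, ok := imageLabels[label]; ok {
		return v, nil
	}
	keys := make([]string, 0, len(imageLabels))
	for k := range imageLabels {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		if strings.EqualFold(k, label) {
			return imageLabels[k], nil
		}
	}
	return "", nil
}
```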
diff --git a/libpod/oci.go b/libpod/oci.go
index 3838394cb..e5db06540 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -457,7 +457,7 @@ func (r *OCIRuntime) updateContainerStatus(ctr *Container) error {
if err != nil {
if strings.Contains(string(out), "does not exist") {
ctr.removeConmonFiles()
- ctr.state.State = ContainerStateConfigured
+ ctr.state.State = ContainerStateExited
return nil
}
return errors.Wrapf(err, "error getting container %s state. stderr/out: %s", ctr.ID(), out)
@@ -535,7 +535,7 @@ func (r *OCIRuntime) updateContainerStatus(ctr *Container) error {
// Sets time the container was started, but does not save it.
func (r *OCIRuntime) startContainer(ctr *Container) error {
// TODO: streams should probably *not* be our STDIN/OUT/ERR - redirect to buffers?
- if err := utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, r.path, "start", ctr.ID()); err != nil {
+ if err := utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, "start", ctr.ID()); err != nil {
return err
}
@@ -547,7 +547,7 @@ func (r *OCIRuntime) startContainer(ctr *Container) error {
// killContainer sends the given signal to the given container
func (r *OCIRuntime) killContainer(ctr *Container, signal uint) error {
logrus.Debugf("Sending signal %d to container %s", signal, ctr.ID())
- if err := utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, r.path, "kill", ctr.ID(), fmt.Sprintf("%d", signal)); err != nil {
+ if err := utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, "kill", ctr.ID(), fmt.Sprintf("%d", signal)); err != nil {
return errors.Wrapf(err, "error sending signal to container %s", ctr.ID())
}
@@ -605,7 +605,7 @@ func (r *OCIRuntime) stopContainer(ctr *Container, timeout uint) error {
args = []string{"kill", "--all", ctr.ID(), "KILL"}
}
- if err := utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, r.path, args...); err != nil {
+ if err := utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, args...); err != nil {
// Again, check if the container is gone. If it is, exit cleanly.
err := unix.Kill(ctr.state.PID, 0)
if err == unix.ESRCH {
@@ -631,12 +631,12 @@ func (r *OCIRuntime) deleteContainer(ctr *Container) error {
// pauseContainer pauses the given container
func (r *OCIRuntime) pauseContainer(ctr *Container) error {
- return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, r.path, "pause", ctr.ID())
+ return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, "pause", ctr.ID())
}
// unpauseContainer unpauses the given container
func (r *OCIRuntime) unpauseContainer(ctr *Container) error {
- return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, r.path, "resume", ctr.ID())
+ return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, "resume", ctr.ID())
}
// execContainer executes a command in a running container
@@ -740,7 +740,7 @@ func (r *OCIRuntime) execStopContainer(ctr *Container, timeout uint) error {
// Stop using SIGTERM by default
// Use SIGSTOP after a timeout
logrus.Debugf("Killing all processes in container %s with SIGTERM", ctr.ID())
- if err := utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, r.path, "kill", "--all", ctr.ID(), "TERM"); err != nil {
+ if err := utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, "kill", "--all", ctr.ID(), "TERM"); err != nil {
return errors.Wrapf(err, "error sending SIGTERM to container %s processes", ctr.ID())
}
@@ -755,7 +755,7 @@ func (r *OCIRuntime) execStopContainer(ctr *Container, timeout uint) error {
// Send SIGKILL
logrus.Debugf("Killing all processes in container %s with SIGKILL", ctr.ID())
- if err := utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, r.path, "kill", "--all", ctr.ID(), "KILL"); err != nil {
+ if err := utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, "kill", "--all", ctr.ID(), "KILL"); err != nil {
return errors.Wrapf(err, "error sending SIGKILL to container %s processes", ctr.ID())
}
diff --git a/libpod/pod_api.go b/libpod/pod_api.go
index 0c518da0d..3d5512e8c 100644
--- a/libpod/pod_api.go
+++ b/libpod/pod_api.go
@@ -77,7 +77,7 @@ func (p *Pod) Start(ctx context.Context) (map[string]error, error) {
// containers. The container ID is mapped to the error encountered. The error is
// set to ErrCtrExists
// If both error and the map are nil, all containers were stopped without error
-func (p *Pod) Stop(cleanup bool) (map[string]error, error) {
+func (p *Pod) Stop(ctx context.Context, cleanup bool) (map[string]error, error) {
p.lock.Lock()
defer p.lock.Unlock()
@@ -118,7 +118,7 @@ func (p *Pod) Stop(cleanup bool) (map[string]error, error) {
}
if cleanup {
- if err := ctr.cleanup(); err != nil {
+ if err := ctr.cleanup(ctx); err != nil {
ctrErrors[ctr.ID()] = err
}
}
diff --git a/libpod/runtime.go b/libpod/runtime.go
index fbd4c7529..985af2849 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -261,6 +261,25 @@ func getDefaultTmpDir() (string, error) {
return filepath.Join(rootlessRuntimeDir, "libpod", "tmp"), nil
}
+// SetXdgRuntimeDir ensures the XDG_RUNTIME_DIR env variable is set
+// containers/image uses XDG_RUNTIME_DIR to locate the auth file.
+func SetXdgRuntimeDir(val string) error {
+ if !rootless.IsRootless() {
+ return nil
+ }
+ if val == "" {
+ var err error
+ val, err = GetRootlessRuntimeDir()
+ if err != nil {
+ return err
+ }
+ }
+ if err := os.Setenv("XDG_RUNTIME_DIR", val); err != nil {
+ return errors.Wrapf(err, "cannot set XDG_RUNTIME_DIR")
+ }
+ return nil
+}
+
// NewRuntime creates a new container runtime
// Options can be passed to override the default configuration for the runtime
func NewRuntime(options ...RuntimeOption) (runtime *Runtime, err error) {
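Review bot: The doc comment says `SetXdgRuntimeDir` ensures `XDG_RUNTIME_DIR` is set, but the function returns `nil` without touching the environment when `rootless.IsRootless()` is false and overwrites any existing value when it is true. Since the comment itself notes that this variable locates the auth file, it should state both behaviours, e.g. `// It is a no-op for root; for rootless users it overwrites XDG_RUNTIME_DIR with val, or with GetRootlessRuntimeDir() when val is empty.` The caller in the next hunk wraps the returned error with `cannot set XDG_RUNTIME_DIR` a second time, so the message is duplicated; wrapping in one of the two places is enough. Go naming convention would also spell the initialism as `SetXDGRuntimeDir`.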
@@ -297,7 +316,7 @@ func NewRuntime(options ...RuntimeOption) (runtime *Runtime, err error) {
// containers/image uses XDG_RUNTIME_DIR to locate the auth file.
// So make sure the env variable is set.
- err = os.Setenv("XDG_RUNTIME_DIR", runtimeDir)
+ err = SetXdgRuntimeDir(runtimeDir)
if err != nil {
return nil, errors.Wrapf(err, "cannot set XDG_RUNTIME_DIR")
}
@@ -395,7 +414,7 @@ func makeRuntime(runtime *Runtime) (err error) {
}
if !foundRuntime {
return errors.Wrapf(ErrInvalidArg,
- "could not find a working runc binary (configured options: %v)",
+ "could not find a working binary (configured options: %v)",
runtime.config.RuntimePath)
}
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index 6c487e367..4256a84a0 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -262,7 +262,8 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool)
}
} else if !(c.state.State == ContainerStateConfigured ||
c.state.State == ContainerStateCreated ||
- c.state.State == ContainerStateStopped) {
+ c.state.State == ContainerStateStopped ||
+ c.state.State == ContainerStateExited) {
return errors.Wrapf(ErrCtrStateInvalid, "cannot remove container %s as it is %s - running or paused containers cannot be removed", c.ID(), c.state.State.String())
}
@@ -311,7 +312,7 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool)
c.valid = false
// Clean up network namespace, cgroups, mounts
- if err := c.cleanup(); err != nil {
+ if err := c.cleanup(ctx); err != nil {
if cleanupErr == nil {
cleanupErr = err
} else {
@@ -332,10 +333,11 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool)
label.ReleaseLabel(c.ProcessLabel())
r.reserveLabels()
}
- // Delete the container
- // Only do this if we're not ContainerStateConfigured - if we are,
- // we haven't been created in the runtime yet
- if c.state.State != ContainerStateConfigured {
+ // Delete the container.
+ // Not needed in Configured and Exited states, where the container
+ // doesn't exist in the runtime
+ if c.state.State != ContainerStateConfigured &&
+ c.state.State != ContainerStateExited {
if err := c.delete(ctx); err != nil {
if cleanupErr == nil {
cleanupErr = err
diff --git a/libpod/runtime_pod_linux.go b/libpod/runtime_pod_linux.go
index dd57007e0..eb3d471dd 100644
--- a/libpod/runtime_pod_linux.go
+++ b/libpod/runtime_pod_linux.go
@@ -222,7 +222,7 @@ func (r *Runtime) removePod(ctx context.Context, p *Pod, removeCtrs, force bool)
// As we have guaranteed their dependencies are in the pod
for _, ctr := range ctrs {
// Clean up network namespace, cgroups, mounts
- if err := ctr.cleanup(); err != nil {
+ if err := ctr.cleanup(ctx); err != nil {
return err
}
@@ -233,7 +233,8 @@ func (r *Runtime) removePod(ctx context.Context, p *Pod, removeCtrs, force bool)
// Delete the container from runtime (only if we are not
// ContainerStateConfigured)
- if ctr.state.State != ContainerStateConfigured {
+ if ctr.state.State != ContainerStateConfigured &&
+ ctr.state.State != ContainerStateExited {
if err := ctr.delete(ctx); err != nil {
return err
}
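Review bot: The comment above this condition still says the delete is skipped only for `ContainerStateConfigured`, but the new condition also skips `ContainerStateExited`. The matching change in `removeContainer` updated its comment; this one should follow, e.g. `// Delete the container from the runtime. Not needed in Configured and Exited states, where the container doesn't exist in the runtime`. The enclosing loop in `removePod` continues outside the hunk.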
@@ -264,7 +265,8 @@ func (r *Runtime) removePod(ctx context.Context, p *Pod, removeCtrs, force bool)
}
case CgroupfsCgroupsManager:
// Delete the cgroupfs cgroup
- cgroup, err := cgroups.Load(cgroups.V1, cgroups.StaticPath(p.state.CgroupPath))
+ v1CGroups := GetV1CGroups(getExcludedCGroups())
+ cgroup, err := cgroups.Load(v1CGroups, cgroups.StaticPath(p.state.CgroupPath))
if err != nil && err != cgroups.ErrCgroupDeleted {
return err
} else if err == nil {
diff --git a/libpod/stats.go b/libpod/stats.go
index 9d5efd993..c58a46135 100644
--- a/libpod/stats.go
+++ b/libpod/stats.go
@@ -33,13 +33,14 @@ func (c *Container) GetContainerStats(previousStats *ContainerStats) (*Container
if err != nil {
return nil, err
}
-
- cgroup, err := cgroups.Load(cgroups.V1, cgroups.StaticPath(cgroupPath))
+ v1CGroups := GetV1CGroups(getExcludedCGroups())
+ cgroup, err := cgroups.Load(v1CGroups, cgroups.StaticPath(cgroupPath))
if err != nil {
return stats, errors.Wrapf(err, "unable to load cgroup at %s", cgroupPath)
}
- cgroupStats, err := cgroup.Stat()
+ // Ubuntu does not have swap memory in cgroups because swap is often not enabled.
+ cgroupStats, err := cgroup.Stat(cgroups.IgnoreNotExist)
if err != nil {
return stats, errors.Wrapf(err, "unable to obtain cgroup stats")
}
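Review bot: The new comment on `cgroup.Stat(cgroups.IgnoreNotExist)` explains the change in terms of Ubuntu swap accounting, but the handler is not limited to swap: it suppresses not-exist errors from any subsystem file. A missing or unmounted controller would then presumably surface as empty stats rather than as an error. The comment should say so, e.g. `// Ignore missing cgroup files (swap accounting is often absent on Ubuntu); stats for missing files are left unset.` `GetContainerStats` continues outside the hunk.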
diff --git a/libpod/util.go b/libpod/util.go
index 17325f6e4..3b51e4fcc 100644
--- a/libpod/util.go
+++ b/libpod/util.go
@@ -9,8 +9,10 @@ import (
"strings"
"time"
+ "github.com/containerd/cgroups"
"github.com/containers/image/signature"
"github.com/containers/image/types"
+ "github.com/containers/libpod/pkg/util"
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
)
@@ -160,3 +162,26 @@ func validPodNSOption(p *Pod, ctrPod string) error {
}
return nil
}
+
+// GetV1CGroups gets the V1 cgroup subsystems and then "filters"
+// out any subsystems that are provided by the caller. Passing nil
+// for excludes will return the subsystems unfiltered.
+//func GetV1CGroups(excludes []string) ([]cgroups.Subsystem, error) {
+func GetV1CGroups(excludes []string) cgroups.Hierarchy {
+ return func() ([]cgroups.Subsystem, error) {
+ var filtered []cgroups.Subsystem
+
+ subSystem, err := cgroups.V1()
+ if err != nil {
+ return nil, err
+ }
+ for _, s := range subSystem {
+ // If the name of the subsystem is not in the list of excludes, then
+ // add it as a keeper.
+ if !util.StringInSlice(string(s.Name()), excludes) {
+ filtered = append(filtered, s)
+ }
+ }
+ return filtered, nil
+ }
+}
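Review bot: The commented-out old signature `//func GetV1CGroups(excludes []string) ([]cgroups.Subsystem, error) {` sits directly above the real declaration, so it reads as the last line of the doc comment and should be deleted. The doc comment also describes a function that returns subsystems, while the new one returns a `cgroups.Hierarchy` closure that runs the filter each time it is invoked. Suggested wording: `// GetV1CGroups returns a cgroups.Hierarchy listing the V1 subsystems minus those named in excludes; nil excludes filters nothing.`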
diff --git a/pkg/spec/config_linux.go b/pkg/spec/config_linux.go
index 6c0a99419..20cdcc458 100644
--- a/pkg/spec/config_linux.go
+++ b/pkg/spec/config_linux.go
@@ -91,18 +91,23 @@ func getSeccompConfig(config *CreateConfig, configSpec *spec.Spec) (*spec.LinuxS
}
func (c *CreateConfig) createBlockIO() (*spec.LinuxBlockIO, error) {
+ var ret *spec.LinuxBlockIO
bio := &spec.LinuxBlockIO{}
- bio.Weight = &c.Resources.BlkioWeight
+ if c.Resources.BlkioWeight > 0 {
+ ret = bio
+ bio.Weight = &c.Resources.BlkioWeight
+ }
if len(c.Resources.BlkioWeightDevice) > 0 {
var lwds []spec.LinuxWeightDevice
+ ret = bio
for _, i := range c.Resources.BlkioWeightDevice {
wd, err := validateweightDevice(i)
if err != nil {
- return bio, errors.Wrapf(err, "invalid values for blkio-weight-device")
+ return ret, errors.Wrapf(err, "invalid values for blkio-weight-device")
}
wdStat, err := getStatFromPath(wd.path)
if err != nil {
- return bio, errors.Wrapf(err, "error getting stat from path %q", wd.path)
+ return ret, errors.Wrapf(err, "error getting stat from path %q", wd.path)
}
lwd := spec.LinuxWeightDevice{
Weight: &wd.weight,
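Review bot: The error paths in this hunk and the next one now `return ret, err`, where `ret` is either nil or the half-filled `bio` depending on which options were processed before the failure. A value returned next to a non-nil error should not carry partial state; `return nil, errors.Wrapf(err, "invalid values for blkio-weight-device")` (and likewise for the other returns) is clearer and gives callers one behaviour. The function spans both hunks and its loop body is cut at the end of this one.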
@@ -114,34 +119,38 @@ func (c *CreateConfig) createBlockIO() (*spec.LinuxBlockIO, error) {
bio.WeightDevice = lwds
}
if len(c.Resources.DeviceReadBps) > 0 {
+ ret = bio
readBps, err := makeThrottleArray(c.Resources.DeviceReadBps, bps)
if err != nil {
- return bio, err
+ return ret, err
}
bio.ThrottleReadBpsDevice = readBps
}
if len(c.Resources.DeviceWriteBps) > 0 {
+ ret = bio
writeBpds, err := makeThrottleArray(c.Resources.DeviceWriteBps, bps)
if err != nil {
- return bio, err
+ return ret, err
}
bio.ThrottleWriteBpsDevice = writeBpds
}
if len(c.Resources.DeviceReadIOps) > 0 {
+ ret = bio
readIOps, err := makeThrottleArray(c.Resources.DeviceReadIOps, iops)
if err != nil {
- return bio, err
+ return ret, err
}
bio.ThrottleReadIOPSDevice = readIOps
}
if len(c.Resources.DeviceWriteIOps) > 0 {
+ ret = bio
writeIOps, err := makeThrottleArray(c.Resources.DeviceWriteIOps, iops)
if err != nil {
- return bio, err
+ return ret, err
}
bio.ThrottleWriteIOPSDevice = writeIOps
}
- return bio, nil
+ return ret, nil
}
func makeThrottleArray(throttleInput []string, rateType int) ([]spec.LinuxThrottleDevice, error) {
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index fb072dbd5..4c855d659 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -159,73 +159,86 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
}
g.AddProcessEnv("container", "podman")
- canAddResources := !rootless.IsRootless()
-
- if canAddResources {
- // RESOURCES - MEMORY
- if config.Resources.Memory != 0 {
- g.SetLinuxResourcesMemoryLimit(config.Resources.Memory)
- // If a swap limit is not explicitly set, also set a swap limit
- // Default to double the memory limit
- if config.Resources.MemorySwap == 0 {
- g.SetLinuxResourcesMemorySwap(2 * config.Resources.Memory)
- }
- }
- if config.Resources.MemoryReservation != 0 {
- g.SetLinuxResourcesMemoryReservation(config.Resources.MemoryReservation)
- }
- if config.Resources.MemorySwap != 0 {
- g.SetLinuxResourcesMemorySwap(config.Resources.MemorySwap)
- }
- if config.Resources.KernelMemory != 0 {
- g.SetLinuxResourcesMemoryKernel(config.Resources.KernelMemory)
- }
- if config.Resources.MemorySwappiness != -1 {
- g.SetLinuxResourcesMemorySwappiness(uint64(config.Resources.MemorySwappiness))
- }
- g.SetLinuxResourcesMemoryDisableOOMKiller(config.Resources.DisableOomKiller)
- g.SetProcessOOMScoreAdj(config.Resources.OomScoreAdj)
-
- // RESOURCES - CPU
- if config.Resources.CPUShares != 0 {
- g.SetLinuxResourcesCPUShares(config.Resources.CPUShares)
- }
- if config.Resources.CPUQuota != 0 {
- g.SetLinuxResourcesCPUQuota(config.Resources.CPUQuota)
- }
- if config.Resources.CPUPeriod != 0 {
- g.SetLinuxResourcesCPUPeriod(config.Resources.CPUPeriod)
- }
- if config.Resources.CPUs != 0 {
- g.SetLinuxResourcesCPUPeriod(cpuPeriod)
- g.SetLinuxResourcesCPUQuota(int64(config.Resources.CPUs * cpuPeriod))
- }
- if config.Resources.CPURtRuntime != 0 {
- g.SetLinuxResourcesCPURealtimeRuntime(config.Resources.CPURtRuntime)
- }
- if config.Resources.CPURtPeriod != 0 {
- g.SetLinuxResourcesCPURealtimePeriod(config.Resources.CPURtPeriod)
- }
- if config.Resources.CPUsetCPUs != "" {
- g.SetLinuxResourcesCPUCpus(config.Resources.CPUsetCPUs)
- }
- if config.Resources.CPUsetMems != "" {
- g.SetLinuxResourcesCPUMems(config.Resources.CPUsetMems)
- }
-
- // Devices
- if config.Privileged {
- // If privileged, we need to add all the host devices to the
- // spec. We do not add the user provided ones because we are
- // already adding them all.
+ addedResources := false
+
+ // RESOURCES - MEMORY
+ if config.Resources.Memory != 0 {
+ g.SetLinuxResourcesMemoryLimit(config.Resources.Memory)
+ // If a swap limit is not explicitly set, also set a swap limit
+ // Default to double the memory limit
+ if config.Resources.MemorySwap == 0 {
+ g.SetLinuxResourcesMemorySwap(2 * config.Resources.Memory)
+ }
+ addedResources = true
+ }
+ if config.Resources.MemoryReservation != 0 {
+ g.SetLinuxResourcesMemoryReservation(config.Resources.MemoryReservation)
+ addedResources = true
+ }
+ if config.Resources.MemorySwap != 0 {
+ g.SetLinuxResourcesMemorySwap(config.Resources.MemorySwap)
+ addedResources = true
+ }
+ if config.Resources.KernelMemory != 0 {
+ g.SetLinuxResourcesMemoryKernel(config.Resources.KernelMemory)
+ addedResources = true
+ }
+ if config.Resources.MemorySwappiness != -1 {
+ g.SetLinuxResourcesMemorySwappiness(uint64(config.Resources.MemorySwappiness))
+ addedResources = true
+ }
+ g.SetLinuxResourcesMemoryDisableOOMKiller(config.Resources.DisableOomKiller)
+ g.SetProcessOOMScoreAdj(config.Resources.OomScoreAdj)
+
+ // RESOURCES - CPU
+ if config.Resources.CPUShares != 0 {
+ g.SetLinuxResourcesCPUShares(config.Resources.CPUShares)
+ addedResources = true
+ }
+ if config.Resources.CPUQuota != 0 {
+ g.SetLinuxResourcesCPUQuota(config.Resources.CPUQuota)
+ addedResources = true
+ }
+ if config.Resources.CPUPeriod != 0 {
+ g.SetLinuxResourcesCPUPeriod(config.Resources.CPUPeriod)
+ addedResources = true
+ }
+ if config.Resources.CPUs != 0 {
+ g.SetLinuxResourcesCPUPeriod(cpuPeriod)
+ g.SetLinuxResourcesCPUQuota(int64(config.Resources.CPUs * cpuPeriod))
+ addedResources = true
+ }
+ if config.Resources.CPURtRuntime != 0 {
+ g.SetLinuxResourcesCPURealtimeRuntime(config.Resources.CPURtRuntime)
+ addedResources = true
+ }
+ if config.Resources.CPURtPeriod != 0 {
+ g.SetLinuxResourcesCPURealtimePeriod(config.Resources.CPURtPeriod)
+ addedResources = true
+ }
+ if config.Resources.CPUsetCPUs != "" {
+ g.SetLinuxResourcesCPUCpus(config.Resources.CPUsetCPUs)
+ addedResources = true
+ }
+ if config.Resources.CPUsetMems != "" {
+ g.SetLinuxResourcesCPUMems(config.Resources.CPUsetMems)
+ addedResources = true
+ }
+
+ // Devices
+ if config.Privileged {
+ // If privileged, we need to add all the host devices to the
+ // spec. We do not add the user provided ones because we are
+ // already adding them all.
+ if !rootless.IsRootless() {
if err := config.AddPrivilegedDevices(&g); err != nil {
return nil, err
}
- } else {
- for _, device := range config.Devices {
- if err := addDevice(&g, device); err != nil {
- return nil, err
- }
+ }
+ } else {
+ for _, device := range config.Devices {
+ if err := addDevice(&g, device); err != nil {
+ return nil, err
}
}
}
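Review bot: `g.SetLinuxResourcesMemoryDisableOOMKiller(config.Resources.DisableOomKiller)` is the only resource setter in this hunk that does not record `addedResources = true`. A rootless run that asks to disable the OOM killer would therefore apparently pass the new rootless check and then have the setting silently dropped when `configSpec.Linux.Resources` is reset in a later hunk of this function. Assuming the field is a bool, `if config.Resources.DisableOomKiller { addedResources = true }` after the call would make it fail like the other limits. `g.SetProcessOOMScoreAdj(...)` on the next line is also now applied to rootless containers, where it was previously skipped, and being a process setting it is not cleared by the reset; worth confirming that is intended.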
@@ -240,13 +253,12 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
g.SetProcessNoNewPrivileges(config.NoNewPrivs)
g.SetProcessApparmorProfile(config.ApparmorProfile)
- if canAddResources {
- blockAccessToKernelFilesystems(config, &g)
+ blockAccessToKernelFilesystems(config, &g)
- // RESOURCES - PIDS
- if config.Resources.PidsLimit != 0 {
- g.SetLinuxResourcesPidsLimit(config.Resources.PidsLimit)
- }
+ // RESOURCES - PIDS
+ if config.Resources.PidsLimit != 0 {
+ g.SetLinuxResourcesPidsLimit(config.Resources.PidsLimit)
+ addedResources = true
}
if config.Systemd && (strings.HasSuffix(config.Command[0], "init") ||
@@ -347,21 +359,23 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
configSpec.Mounts = supercedeUserMounts(volumeMounts, configSpec.Mounts)
//--mount
configSpec.Mounts = supercedeUserMounts(config.initFSMounts(), configSpec.Mounts)
- if canAddResources {
- // BLOCK IO
- blkio, err := config.CreateBlockIO()
- if err != nil {
- return nil, errors.Wrapf(err, "error creating block io")
- }
- if blkio != nil {
- configSpec.Linux.Resources.BlockIO = blkio
- }
+ // BLOCK IO
+ blkio, err := config.CreateBlockIO()
+ if err != nil {
+ return nil, errors.Wrapf(err, "error creating block io")
+ }
+ if blkio != nil {
+ configSpec.Linux.Resources.BlockIO = blkio
+ addedResources = true
}
- // If we cannot add resources be sure everything is cleared out
- if !canAddResources {
+ if rootless.IsRootless() {
+ if addedResources {
+ return nil, errors.New("invalid configuration, cannot set resources with rootless containers")
+ }
configSpec.Linux.Resources = &spec.LinuxResources{}
}
+
return configSpec, nil
}
diff --git a/pkg/varlinkapi/pods.go b/pkg/varlinkapi/pods.go
index d95b631f2..7930a956f 100644
--- a/pkg/varlinkapi/pods.go
+++ b/pkg/varlinkapi/pods.go
@@ -104,6 +104,13 @@ func (i *LibpodAPI) StartPod(call iopodman.VarlinkCall, name string) error {
if err != nil {
return call.ReplyPodNotFound(name)
}
+ ctnrs, err := pod.AllContainers()
+ if err != nil {
+ return call.ReplyErrorOccurred(err.Error())
+ }
+ if 0 == len(ctnrs) {
+ return call.ReplyNoContainersInPod(name)
+ }
ctrErrs, err := pod.Start(getContext())
callErr := handlePodCall(call, pod, ctrErrs, err)
if callErr != nil {
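Review bot: The empty-pod guard added here (`pod.AllContainers()` followed by `if 0 == len(ctnrs)`) is repeated verbatim in the RestartPod hunk, so a small shared helper would keep the two from drifting. The condition is conventionally written `if len(ctnrs) == 0 {` in Go. StopPod does not get the guard; if that is deliberate, a one-line comment there would save the next reader the question. `StartPod` continues outside the hunk.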
@@ -118,7 +125,7 @@ func (i *LibpodAPI) StopPod(call iopodman.VarlinkCall, name string) error {
if err != nil {
return call.ReplyPodNotFound(name)
}
- ctrErrs, err := pod.Stop(true)
+ ctrErrs, err := pod.Stop(getContext(), true)
callErr := handlePodCall(call, pod, ctrErrs, err)
if callErr != nil {
return err
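Review bot: `if callErr != nil { return err }` returns `err` rather than `callErr`. If `handlePodCall` can return a non-nil error while `pod.Stop` returned nil (its body is not in this diff), `StopPod` would report success after a failed reply. `return callErr` looks like what was meant. The StartPod and RestartPod hunks end on the same `if callErr != nil {` line and may share the pattern; `StopPod` continues outside the hunk.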
@@ -132,6 +139,13 @@ func (i *LibpodAPI) RestartPod(call iopodman.VarlinkCall, name string) error {
if err != nil {
return call.ReplyPodNotFound(name)
}
+ ctnrs, err := pod.AllContainers()
+ if err != nil {
+ return call.ReplyErrorOccurred(err.Error())
+ }
+ if 0 == len(ctnrs) {
+ return call.ReplyNoContainersInPod(name)
+ }
ctrErrs, err := pod.Restart(getContext())
callErr := handlePodCall(call, pod, ctrErrs, err)
if callErr != nil {
diff --git a/test/e2e/libpod_suite_test.go b/test/e2e/libpod_suite_test.go
index a1e9ba57a..d521632d7 100644
--- a/test/e2e/libpod_suite_test.go
+++ b/test/e2e/libpod_suite_test.go
@@ -31,7 +31,7 @@ var (
CGROUP_MANAGER = "systemd"
STORAGE_OPTIONS = "--storage-driver vfs"
ARTIFACT_DIR = "/tmp/.artifacts"
- CACHE_IMAGES = []string{ALPINE, BB, fedoraMinimal, nginx, redis, registry, infra}
+ CACHE_IMAGES = []string{ALPINE, BB, fedoraMinimal, nginx, redis, registry, infra, labels}
RESTORE_IMAGES = []string{ALPINE, BB}
ALPINE = "docker.io/library/alpine:latest"
BB = "docker.io/library/busybox:latest"
@@ -41,6 +41,7 @@ var (
redis = "docker.io/library/redis:alpine"
registry = "docker.io/library/registry:2"
infra = "k8s.gcr.io/pause:3.1"
+ labels = "quay.io/baude/alpine_labels:latest"
defaultWaitTimeout = 90
)
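Review bot: `labels = "quay.io/baude/alpine_labels:latest"` adds a cached test image from a personal namespace under the mutable `latest` tag. If this image backs the runlabel tests added in this commit, the commands stored in its labels are presumably executed on the test host, so anyone able to push to that tag decides what CI runs. Pinning by digest, `labels = "quay.io/baude/alpine_labels@sha256:<digest>"` (placeholder, the digest is not on this page), or mirroring the image into a project-owned repository would remove that dependency.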
@@ -62,6 +63,7 @@ type PodmanTest struct {
ArtifactPath string
TempDir string
CgroupManager string
+ Host HostOS
}
// HostOS is a simple struct for the test os
@@ -125,6 +127,7 @@ func CreateTempDirInTempDir() (string, error) {
// PodmanCreate creates a PodmanTest instance for the tests
func PodmanCreate(tempDir string) PodmanTest {
+ host := GetHostDistributionInfo()
cwd, _ := os.Getwd()
podmanBinary := filepath.Join(cwd, "../../bin/podman")
@@ -148,7 +151,19 @@ func PodmanCreate(tempDir string) PodmanTest {
cgroupManager = os.Getenv("CGROUP_MANAGER")
}
- runCBinary := "/usr/bin/runc"
+ // Ubuntu doesn't use systemd cgroups
+ if host.Distribution == "ubuntu" {
+ cgroupManager = "cgroupfs"
+ }
+
+ runCBinary, err := exec.LookPath("runc")
+ // If we cannot find the runc binary, setting to something static as we have no way
+ // to return an error. The tests will fail and point out that the runc binary could
+ // not be found nicely.
+ if err != nil {
+ runCBinary = "/usr/bin/runc"
+ }
+
CNIConfigDir := "/etc/cni/net.d"
p := PodmanTest{
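Review bot: The Ubuntu check runs after the `CGROUP_MANAGER` environment lookup, so on Ubuntu an explicitly set `CGROUP_MANAGER` is overwritten with `cgroupfs`. If the variable is meant to win, apply the distribution default only when it is unset, e.g. `if host.Distribution == "ubuntu" && os.Getenv("CGROUP_MANAGER") == "" {`. The fallback comment could also be tightened to `// PodmanCreate cannot return an error, so fall back to a fixed path; tests will then fail with a clear "runc not found".` The start of the environment lookup and the rest of `PodmanCreate` are outside the hunk.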
@@ -163,6 +178,7 @@ func PodmanCreate(tempDir string) PodmanTest {
ArtifactPath: ARTIFACT_DIR,
TempDir: tempDir,
CgroupManager: cgroupManager,
+ Host: host,
}
// Setup registries.conf ENV variable
diff --git a/test/e2e/run_cgroup_parent_test.go b/test/e2e/run_cgroup_parent_test.go
index 00b8d952d..f266fafa4 100644
--- a/test/e2e/run_cgroup_parent_test.go
+++ b/test/e2e/run_cgroup_parent_test.go
@@ -45,7 +45,7 @@ var _ = Describe("Podman run with --cgroup-parent", func() {
Specify("no --cgroup-parent", func() {
cgroup := "/libpod_parent"
- if !containerized() {
+ if !containerized() && podmanTest.CgroupManager != "cgroupfs" {
cgroup = "/machine.slice"
}
run := podmanTest.Podman([]string{"run", fedoraMinimal, "cat", "/proc/self/cgroup"})
@@ -56,7 +56,7 @@ var _ = Describe("Podman run with --cgroup-parent", func() {
})
Specify("valid --cgroup-parent using slice", func() {
- if containerized() {
+ if containerized() || podmanTest.CgroupManager == "cgroupfs" {
Skip("Requires Systemd cgroup manager support")
}
cgroup := "aaaa.slice"
diff --git a/test/e2e/run_memory_test.go b/test/e2e/run_memory_test.go
index cc2b969a9..d1768138b 100644
--- a/test/e2e/run_memory_test.go
+++ b/test/e2e/run_memory_test.go
@@ -39,6 +39,9 @@ var _ = Describe("Podman run memory", func() {
})
It("podman run memory-reservation test", func() {
+ if podmanTest.Host.Distribution == "ubuntu" {
+ Skip("Unable to perform test on Ubuntu distributions due to memory management")
+ }
session := podmanTest.Podman([]string{"run", "--memory-reservation=40m", ALPINE, "cat", "/sys/fs/cgroup/memory/memory.soft_limit_in_bytes"})
session.WaitWithDefaultTimeout()
Expect(session.ExitCode()).To(Equal(0))
diff --git a/test/e2e/run_selinux_test.go b/test/e2e/run_selinux_test.go
new file mode 100644
index 000000000..ebe6604cc
--- /dev/null
+++ b/test/e2e/run_selinux_test.go
@@ -0,0 +1,87 @@
+package integration
+
+import (
+ "fmt"
+ "os"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+ "github.com/opencontainers/selinux/go-selinux"
+)
+
+var _ = Describe("Podman run", func() {
+ var (
+ tempdir string
+ err error
+ podmanTest PodmanTest
+ )
+
+ BeforeEach(func() {
+ tempdir, err = CreateTempDirInTempDir()
+ if err != nil {
+ os.Exit(1)
+ }
+ podmanTest = PodmanCreate(tempdir)
+ podmanTest.RestoreAllArtifacts()
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
+ })
+
+ AfterEach(func() {
+ podmanTest.Cleanup()
+ f := CurrentGinkgoTestDescription()
+ timedResult := fmt.Sprintf("Test: %s completed in %f seconds", f.TestText, f.Duration.Seconds())
+ GinkgoWriter.Write([]byte(timedResult))
+ })
+
+ It("podman run selinux", func() {
+ session := podmanTest.Podman([]string{"run", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("container_t")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman run selinux grep test", func() {
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=level:s0:c1,c2", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("s0:c1,c2")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman run selinux disable test", func() {
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("spc_t")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman run selinux type check test", func() {
+ session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match1, _ := session.GrepString("container_t")
+ match2, _ := session.GrepString("svirt_lxc_net_t")
+ Expect(match1 || match2).Should(BeTrue())
+ })
+
+ It("podman run selinux type setup test", func() {
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("spc_t")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman privileged selinux", func() {
+ session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("spc_t")
+ Expect(match).Should(BeTrue())
+ })
+
+})
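Review bot: The new `"podman run selinux"` case asserts only `container_t`, while `"podman run selinux type check test"` runs the same command with `-it` and accepts either `container_t` or `svirt_lxc_net_t`. On a host whose policy labels containers `svirt_lxc_net_t`, the first case would fail while the second passes; it should use the same `match1 || match2` assertion or be dropped as a duplicate. In `BeforeEach`, the `selinux.GetEnabled()` check could move to the top so `PodmanCreate` and `RestoreAllArtifacts` are not run for specs that are then skipped. Separately, the `seccomp=unconfined` case deleted from run_test.go in this commit is not re-added here, so that option loses its coverage unless it moved elsewhere.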
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 777b49cd8..a443d4ca5 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -10,7 +10,6 @@ import (
"github.com/mrunalp/fileutils"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
- "github.com/opencontainers/selinux/go-selinux"
)
var _ = Describe("Podman run", func() {
@@ -85,59 +84,6 @@ var _ = Describe("Podman run", func() {
Expect(session.ExitCode()).To(Equal(0))
})
- It("podman run selinux grep test", func() {
- if !selinux.GetEnabled() {
- Skip("SELinux not enabled")
- }
- session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=level:s0:c1,c2", ALPINE, "cat", "/proc/self/attr/current"})
- session.WaitWithDefaultTimeout()
- Expect(session.ExitCode()).To(Equal(0))
- match, _ := session.GrepString("s0:c1,c2")
- Expect(match).Should(BeTrue())
- })
-
- It("podman run selinux disable test", func() {
- if !selinux.GetEnabled() {
- Skip("SELinux not enabled")
- }
- session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"})
- session.WaitWithDefaultTimeout()
- Expect(session.ExitCode()).To(Equal(0))
- match, _ := session.GrepString("spc_t")
- Expect(match).Should(BeTrue())
- })
-
- It("podman run selinux type check test", func() {
- if !selinux.GetEnabled() {
- Skip("SELinux not enabled")
- }
- session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"})
- session.WaitWithDefaultTimeout()
- Expect(session.ExitCode()).To(Equal(0))
- match1, _ := session.GrepString("container_t")
- match2, _ := session.GrepString("svirt_lxc_net_t")
- Expect(match1 || match2).Should(BeTrue())
- })
-
- It("podman run selinux type setup test", func() {
- if !selinux.GetEnabled() {
- Skip("SELinux not enabled")
- }
- session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"})
- session.WaitWithDefaultTimeout()
- Expect(session.ExitCode()).To(Equal(0))
- match, _ := session.GrepString("spc_t")
- Expect(match).Should(BeTrue())
- })
-
- It("podman run seccomp undefine test", func() {
- session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", ALPINE, "echo", "hello"})
- session.WaitWithDefaultTimeout()
- Expect(session.ExitCode()).To(Equal(0))
- match, _ := session.GrepString("hello")
- Expect(match).Should(BeTrue())
- })
-
It("podman run seccomp test", func() {
jsonFile := filepath.Join(podmanTest.TempDir, "seccomp.json")
in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
diff --git a/test/e2e/search_test.go b/test/e2e/search_test.go
index 1f06bf4a1..2848da259 100644
--- a/test/e2e/search_test.go
+++ b/test/e2e/search_test.go
@@ -60,10 +60,10 @@ var _ = Describe("Podman search", func() {
})
It("podman search single registry flag", func() {
- search := podmanTest.Podman([]string{"search", "registry.fedoraproject.org/fedora"})
+ search := podmanTest.Podman([]string{"search", "registry.access.redhat.com/rhel7"})
search.WaitWithDefaultTimeout()
Expect(search.ExitCode()).To(Equal(0))
- Expect(search.LineInOutputContains("fedoraproject.org/fedora")).To(BeTrue())
+ Expect(search.LineInOutputContains("registry.access.redhat.com/rhel7")).To(BeTrue())
})
It("podman search format flag", func() {
diff --git a/utils/utils.go b/utils/utils.go
index 9b7cebfea..c7c5ab5cf 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -29,11 +29,14 @@ func ExecCmd(name string, args ...string) (string, error) {
}
// ExecCmdWithStdStreams execute a command with the specified standard streams.
-func ExecCmdWithStdStreams(stdin io.Reader, stdout, stderr io.Writer, name string, args ...string) error {
+func ExecCmdWithStdStreams(stdin io.Reader, stdout, stderr io.Writer, env []string, name string, args ...string) error {
cmd := exec.Command(name, args...)
cmd.Stdin = stdin
cmd.Stdout = stdout
cmd.Stderr = stderr
+ if env != nil {
+ cmd.Env = env
+ }
err := cmd.Run()
if err != nil {
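Review bot: The doc comment on `ExecCmdWithStdStreams` was not updated for the new `env` parameter, whose semantics are easy to misuse. With os/exec, a nil `Env` inherits the parent's environment, while any non-nil slice, including an empty one, replaces it entirely. That makes the `if env != nil` guard redundant, since a plain `cmd.Env = env` behaves the same. Suggested addition: `// env, when non-nil, replaces the child's entire environment (PATH included); nil inherits the caller's.` The function body continues outside the hunk.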
diff --git a/vendor.conf b/vendor.conf
index 1f28159cd..ccad28c0b 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -10,8 +10,8 @@ github.com/containerd/cgroups 58556f5ad8448d99a6f7bea69ea4bdb7747cfeb0
github.com/containerd/continuity master
github.com/containernetworking/cni v0.7.0-alpha1
github.com/containernetworking/plugins 1562a1e60ed101aacc5e08ed9dbeba8e9f3d4ec1
-github.com/containers/image 85d7559d44fd71f30e46e43d809bfbf88d11d916
-github.com/containers/storage 243c4cd616afdf06b4a975f18c4db083d26b1641
+github.com/containers/image 8f11f3ad8912d8bc43a7d25992b8f313ffefd430
+github.com/containers/storage 68332c059156eae970a03245cfcd4d717fb66ecd
github.com/containers/psgo 5dde6da0bc8831b35243a847625bcf18183bd1ee
github.com/coreos/go-systemd v14
github.com/cri-o/ocicni master
@@ -90,7 +90,7 @@ k8s.io/kube-openapi 275e2ce91dec4c05a4094a7b1daee5560b555ac9 https://github.com/
k8s.io/utils 258e2a2fa64568210fbd6267cf1d8fd87c3cb86e https://github.com/kubernetes/utils
github.com/mrunalp/fileutils master
github.com/varlink/go master
-github.com/containers/buildah 53b05ae20fdd801f33cad5e01789898dba31029d
+github.com/containers/buildah cf87f0947ef719872816cc5d6a5ba4db1c261365
github.com/Nvveen/Gotty master
github.com/fsouza/go-dockerclient master
github.com/openshift/imagebuilder master
diff --git a/vendor/github.com/containers/buildah/image.go b/vendor/github.com/containers/buildah/image.go
index df50d95bd..fb2e87f93 100644
--- a/vendor/github.com/containers/buildah/image.go
+++ b/vendor/github.com/containers/buildah/image.go
@@ -329,20 +329,19 @@ func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.System
if err != nil {
return nil, err
}
- defer rc.Close()
} else {
// Extract this layer, one of possibly many.
rc, err = i.store.Diff("", layerID, diffOptions)
if err != nil {
return nil, errors.Wrapf(err, "error extracting %s", what)
}
- defer rc.Close()
}
srcHasher := digest.Canonical.Digester()
reader := io.TeeReader(rc, srcHasher.Hash())
// Set up to write the possibly-recompressed blob.
layerFile, err := os.OpenFile(filepath.Join(path, "layer"), os.O_CREATE|os.O_WRONLY, 0600)
if err != nil {
+ rc.Close()
return nil, errors.Wrapf(err, "error opening file for %s", what)
}
destHasher := digest.Canonical.Digester()
@@ -351,14 +350,17 @@ func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.System
// Compress the layer, if we're recompressing it.
writer, err := archive.CompressStream(multiWriter, i.compression)
if err != nil {
+ layerFile.Close()
+ rc.Close()
return nil, errors.Wrapf(err, "error compressing %s", what)
}
size, err := io.Copy(writer, reader)
+ writer.Close()
+ layerFile.Close()
+ rc.Close()
if err != nil {
return nil, errors.Wrapf(err, "error storing %s to file", what)
}
- writer.Close()
- layerFile.Close()
if i.compression == archive.Uncompressed {
if size != counter.Count {
return nil, errors.Errorf("error storing %s to file: inconsistent layer size (copied %d, wrote %d)", what, size, counter.Count)
diff --git a/vendor/github.com/containers/buildah/imagebuildah/build.go b/vendor/github.com/containers/buildah/imagebuildah/build.go
index 4bcd38c05..9b4c6f635 100644
--- a/vendor/github.com/containers/buildah/imagebuildah/build.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/build.go
@@ -648,20 +648,25 @@ func (b *Executor) Prepare(ctx context.Context, ib *imagebuilder.Builder, node *
for _, v := range builder.Volumes() {
volumes[v] = struct{}{}
}
+ ports := map[docker.Port]struct{}{}
+ for _, p := range builder.Ports() {
+ ports[docker.Port(p)] = struct{}{}
+ }
dConfig := docker.Config{
- Hostname: builder.Hostname(),
- Domainname: builder.Domainname(),
- User: builder.User(),
- Env: builder.Env(),
- Cmd: builder.Cmd(),
- Image: from,
- Volumes: volumes,
- WorkingDir: builder.WorkDir(),
- Entrypoint: builder.Entrypoint(),
- Labels: builder.Labels(),
- Shell: builder.Shell(),
- StopSignal: builder.StopSignal(),
- OnBuild: builder.OnBuild(),
+ Hostname: builder.Hostname(),
+ Domainname: builder.Domainname(),
+ User: builder.User(),
+ Env: builder.Env(),
+ Cmd: builder.Cmd(),
+ Image: from,
+ Volumes: volumes,
+ WorkingDir: builder.WorkDir(),
+ Entrypoint: builder.Entrypoint(),
+ Labels: builder.Labels(),
+ Shell: builder.Shell(),
+ StopSignal: builder.StopSignal(),
+ OnBuild: builder.OnBuild(),
+ ExposedPorts: ports,
}
var rootfs *docker.RootFS
if builder.Docker.RootFS != nil {
@@ -751,6 +756,7 @@ func (b *Executor) Execute(ctx context.Context, ib *imagebuilder.Builder, node *
checkForLayers := true
children := node.Children
commitName := b.output
+ b.containerIDs = nil
for i, node := range node.Children {
step := ib.Step()
if err := step.Resolve(node); err != nil {
diff --git a/vendor/github.com/containers/buildah/unshare/unshare.c b/vendor/github.com/containers/buildah/unshare/unshare.c
index 83864359b..47d775c73 100644
--- a/vendor/github.com/containers/buildah/unshare/unshare.c
+++ b/vendor/github.com/containers/buildah/unshare/unshare.c
@@ -31,7 +31,7 @@ static int _buildah_unshare_parse_envint(const char *envname) {
void _buildah_unshare(void)
{
- int flags, pidfd, continuefd, n, pgrp, sid, ctty, allow_setgroups;
+ int flags, pidfd, continuefd, n, pgrp, sid, ctty;
char buf[2048];
flags = _buildah_unshare_parse_envint("_Buildah-unshare");
@@ -83,14 +83,7 @@ void _buildah_unshare(void)
_exit(1);
}
}
- allow_setgroups = _buildah_unshare_parse_envint("_Buildah-allow-setgroups");
if ((flags & CLONE_NEWUSER) != 0) {
- if (allow_setgroups == 1) {
- if (setgroups(0, NULL) != 0) {
- fprintf(stderr, "Error during setgroups(0, NULL): %m\n");
- _exit(1);
- }
- }
if (setresgid(0, 0, 0) != 0) {
fprintf(stderr, "Error during setresgid(0): %m\n");
_exit(1);
diff --git a/vendor/github.com/containers/buildah/unshare/unshare.go b/vendor/github.com/containers/buildah/unshare/unshare.go
index d89dfc053..74b107e44 100644
--- a/vendor/github.com/containers/buildah/unshare/unshare.go
+++ b/vendor/github.com/containers/buildah/unshare/unshare.go
@@ -84,11 +84,6 @@ func (c *Cmd) Start() error {
c.Env = append(c.Env, fmt.Sprintf("_Buildah-ctty=%d", len(c.ExtraFiles)+3))
c.ExtraFiles = append(c.ExtraFiles, c.Ctty)
}
- if c.GidMappingsEnableSetgroups {
- c.Env = append(c.Env, "_Buildah-allow-setgroups=1")
- } else {
- c.Env = append(c.Env, "_Buildah-allow-setgroups=0")
- }
// Make sure we clean up our pipes.
defer func() {
diff --git a/vendor/github.com/containers/buildah/vendor.conf b/vendor/github.com/containers/buildah/vendor.conf
index e69c92496..92c3be927 100644
--- a/vendor/github.com/containers/buildah/vendor.conf
+++ b/vendor/github.com/containers/buildah/vendor.conf
@@ -3,9 +3,9 @@ github.com/blang/semver master
github.com/BurntSushi/toml master
github.com/containerd/continuity master
github.com/containernetworking/cni v0.7.0-alpha1
-github.com/seccomp/containers-golang master
-github.com/containers/image 85d7559d44fd71f30e46e43d809bfbf88d11d916
-github.com/containers/storage 243c4cd616afdf06b4a975f18c4db083d26b1641
+github.com/containers/image 8f11f3ad8912d8bc43a7d25992b8f313ffefd430
+github.com/containers/libpod 2afadeec6696fefac468a49c8ba24b0bc275aa75
+github.com/containers/storage 68332c059156eae970a03245cfcd4d717fb66ecd
github.com/docker/distribution 5f6282db7d65e6d72ad7c2cc66310724a57be716
github.com/docker/docker 86f080cff0914e9694068ed78d503701667c4c00
github.com/docker/docker-credential-helpers d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
@@ -42,7 +42,7 @@ github.com/ostreedev/ostree-go aeb02c6b6aa2889db3ef62f7855650755befd460
github.com/pborman/uuid master
github.com/pkg/errors master
github.com/pquerna/ffjson d49c2bc1aa135aad0c6f4fc2056623ec78f5d5ac
-github.com/containers/libpod 2afadeec6696fefac468a49c8ba24b0bc275aa75
+github.com/seccomp/containers-golang master
github.com/sirupsen/logrus master
github.com/syndtr/gocapability master
github.com/tchap/go-patricia master
diff --git a/vendor/github.com/containers/image/storage/storage_image.go b/vendor/github.com/containers/image/storage/storage_image.go
index 6ae525df4..d1b010a76 100644
--- a/vendor/github.com/containers/image/storage/storage_image.go
+++ b/vendor/github.com/containers/image/storage/storage_image.go
@@ -313,6 +313,10 @@ func (s storageImageDestination) DesiredLayerCompression() types.LayerCompressio
return types.PreserveOriginal
}
+func (s *storageImageDestination) computeNextBlobCacheFile() string {
+ return filepath.Join(s.directory, fmt.Sprintf("%d", atomic.AddInt32(&s.nextTempFileID, 1)))
+}
+
// PutBlob stores a layer or data blob in our temporary directory, checking that any information
// in the blobinfo matches the incoming data.
func (s *storageImageDestination) PutBlob(ctx context.Context, stream io.Reader, blobinfo types.BlobInfo, isConfig bool) (types.BlobInfo, error) {
@@ -328,7 +332,7 @@ func (s *storageImageDestination) PutBlob(ctx context.Context, stream io.Reader,
}
}
diffID := digest.Canonical.Digester()
- filename := filepath.Join(s.directory, fmt.Sprintf("%d", atomic.AddInt32(&s.nextTempFileID, 1)))
+ filename := s.computeNextBlobCacheFile()
file, err := os.OpenFile(filename, os.O_CREATE|os.O_TRUNC|os.O_WRONLY|os.O_EXCL, 0600)
if err != nil {
return errorBlobInfo, errors.Wrapf(err, "error creating temporary file %q", filename)
@@ -504,7 +508,6 @@ func (s *storageImageDestination) Commit(ctx context.Context) error {
continue
}
- var diff io.ReadCloser
// Check if there's already a layer with the ID that we'd give to the result of applying
// this layer blob to its parent, if it has one, or the blob's hex value otherwise.
diffID, haveDiffID := s.blobDiffIDs[blob.Digest]
@@ -533,19 +536,11 @@ func (s *storageImageDestination) Commit(ctx context.Context) error {
lastLayer = layer.ID
continue
}
- // Check if we cached a file with that blobsum. If we didn't already have a layer with
- // the blob's contents, we should have gotten a copy.
- if filename, ok := s.filenames[blob.Digest]; ok {
- // Use the file's contents to initialize the layer.
- file, err2 := os.Open(filename)
- if err2 != nil {
- return errors.Wrapf(err2, "error opening file %q", filename)
- }
- defer file.Close()
- diff = file
- }
- if diff == nil {
- // Try to find a layer with contents matching that blobsum.
+ // Check if we previously cached a file with that blob's contents. If we didn't,
+ // then we need to read the desired contents from a layer.
+ filename, ok := s.filenames[blob.Digest]
+ if !ok {
+ // Try to find the layer with contents matching that blobsum.
layer := ""
layers, err2 := s.imageRef.transport.store.LayersByUncompressedDigest(blob.Digest)
if err2 == nil && len(layers) > 0 {
@@ -559,25 +554,48 @@ func (s *storageImageDestination) Commit(ctx context.Context) error {
if layer == "" {
return errors.Wrapf(err2, "error locating layer for blob %q", blob.Digest)
}
- // Use the layer's contents to initialize the new layer.
+ // Read the layer's contents.
noCompression := archive.Uncompressed
diffOptions := &storage.DiffOptions{
Compression: &noCompression,
}
- diff, err2 = s.imageRef.transport.store.Diff("", layer, diffOptions)
+ diff, err2 := s.imageRef.transport.store.Diff("", layer, diffOptions)
if err2 != nil {
return errors.Wrapf(err2, "error reading layer %q for blob %q", layer, blob.Digest)
}
- defer diff.Close()
+ // Copy the layer diff to a file. Diff() takes a lock that it holds
+ // until the ReadCloser that it returns is closed, and PutLayer() wants
+ // the same lock, so the diff can't just be directly streamed from one
+ // to the other.
+ filename = s.computeNextBlobCacheFile()
+ file, err := os.OpenFile(filename, os.O_CREATE|os.O_TRUNC|os.O_WRONLY|os.O_EXCL, 0600)
+ if err != nil {
+ diff.Close()
+ return errors.Wrapf(err, "error creating temporary file %q", filename)
+ }
+ // Copy the data to the file.
+ // TODO: This can take quite some time, and should ideally be cancellable using
+ // ctx.Done().
+ _, err = io.Copy(file, diff)
+ diff.Close()
+ file.Close()
+ if err != nil {
+ return errors.Wrapf(err, "error storing blob to file %q", filename)
+ }
+ // Make sure that we can find this file later, should we need the layer's
+ // contents again.
+ s.filenames[blob.Digest] = filename
}
- if diff == nil {
- // This shouldn't have happened.
- return errors.Errorf("error applying blob %q: content not found", blob.Digest)
+ // Read the cached blob and use it as a diff.
+ file, err := os.Open(filename)
+ if err != nil {
+ return errors.Wrapf(err, "error opening file %q", filename)
}
+ defer file.Close()
// Build the new layer using the diff, regardless of where it came from.
// TODO: This can take quite some time, and should ideally be cancellable using ctx.Done().
- layer, _, err := s.imageRef.transport.store.PutLayer(id, lastLayer, nil, "", false, nil, diff)
- if err != nil {
+ layer, _, err := s.imageRef.transport.store.PutLayer(id, lastLayer, nil, "", false, nil, file)
+ if err != nil && errors.Cause(err) != storage.ErrDuplicateID {
return errors.Wrapf(err, "error adding layer with blob %q", blob.Digest)
}
lastLayer = layer.ID
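Review bot: Tolerating `storage.ErrDuplicateID` from `PutLayer` means the following `lastLayer = layer.ID` now runs on whatever `layer` the failed call returned. If that value is nil when the ID already exists (the hunk does not show `PutLayer`'s error returns), Commit panics instead of reusing the existing layer. A guard before the assignment keeps the duplicate case safe: `if layer == nil { return errors.Wrapf(err, "error adding layer with blob %q", blob.Digest) }`. Separately, `defer file.Close()` appears to sit inside the per-blob loop (the earlier hunks show `continue`), so every cached blob file stays open until Commit returns. Commit begins and ends outside this hunk.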
diff --git a/vendor/github.com/containers/storage/drivers/chown_unix.go b/vendor/github.com/containers/storage/drivers/chown_unix.go
index 5454657ec..b37a9271a 100644
--- a/vendor/github.com/containers/storage/drivers/chown_unix.go
+++ b/vendor/github.com/containers/storage/drivers/chown_unix.go
@@ -45,10 +45,20 @@ func platformLChown(path string, info os.FileInfo, toHost, toContainer *idtools.
uid, gid = mappedPair.UID, mappedPair.GID
}
if uid != int(st.Uid) || gid != int(st.Gid) {
+ stat, err := os.Lstat(path)
+ if err != nil {
+ return fmt.Errorf("%s: lstat(%q): %v", os.Args[0], path, err)
+ }
// Make the change.
if err := syscall.Lchown(path, uid, gid); err != nil {
return fmt.Errorf("%s: chown(%q): %v", os.Args[0], path, err)
}
+ // Restore the SUID and SGID bits if they were originally set.
+ if (stat.Mode()&os.ModeSymlink == 0) && stat.Mode()&(os.ModeSetuid|os.ModeSetgid) != 0 {
+ if err := os.Chmod(path, stat.Mode()); err != nil {
+ return fmt.Errorf("%s: chmod(%q): %v", os.Args[0], path, err)
+ }
+ }
}
}
return nil
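Review bot: The SUID/SGID restore decides from an `os.Lstat` taken before `syscall.Lchown` but applies the mode with `os.Chmod`, which follows symlinks. If `path` were replaced by a symlink between those calls, the set-id mode would land on the link target. Nothing in the hunk shows whether the layer tree can change during the remap, so the assumption is worth stating next to the call: `// os.Chmod follows symlinks; path must not be replaceable while the layer is being chowned.` The existing comment could also say why the restore is needed, e.g. `// chown(2) can clear the set-user-ID and set-group-ID bits, so put them back.` platformLChown starts before this hunk.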
diff --git a/vendor/github.com/containers/storage/layers.go b/vendor/github.com/containers/storage/layers.go
index 9989bd6be..fe263ba63 100644
--- a/vendor/github.com/containers/storage/layers.go
+++ b/vendor/github.com/containers/storage/layers.go
@@ -558,13 +558,22 @@ func (r *layerStore) Put(id string, parentLayer *Layer, names []string, mountLab
StorageOpt: options,
}
if writeable {
- err = r.driver.CreateReadWrite(id, parent, &opts)
+ if err = r.driver.CreateReadWrite(id, parent, &opts); err != nil {
+ if id != "" {
+ return nil, -1, errors.Wrapf(err, "error creating read-write layer with ID %q", id)
+ }
+ return nil, -1, errors.Wrapf(err, "error creating read-write layer")
+ }
} else {
- err = r.driver.Create(id, parent, &opts)
+ if err = r.driver.Create(id, parent, &opts); err != nil {
+ if id != "" {
+ return nil, -1, errors.Wrapf(err, "error creating layer with ID %q", id)
+ }
+ return nil, -1, errors.Wrapf(err, "error creating layer")
+ }
}
if !reflect.DeepEqual(parentMappings.UIDs(), idMappings.UIDs()) || !reflect.DeepEqual(parentMappings.GIDs(), idMappings.GIDs()) {
- err = r.driver.UpdateLayerIDMap(id, parentMappings, idMappings, mountLabel)
- if err != nil {
+ if err = r.driver.UpdateLayerIDMap(id, parentMappings, idMappings, mountLabel); err != nil {
// We don't have a record of this layer, but at least
// try to clean it up underneath us.
r.driver.Remove(id)
diff --git a/vendor/github.com/containers/storage/layers_ffjson.go b/vendor/github.com/containers/storage/layers_ffjson.go
index 125b5d8c9..09b5d0f33 100644
--- a/vendor/github.com/containers/storage/layers_ffjson.go
+++ b/vendor/github.com/containers/storage/layers_ffjson.go
@@ -1,5 +1,5 @@
// Code generated by ffjson <https://github.com/pquerna/ffjson>. DO NOT EDIT.
-// source: layers.go
+// source: ./layers.go
package storage
diff --git a/vendor/github.com/containers/storage/store.go b/vendor/github.com/containers/storage/store.go
index e0deb2c30..94cf1f0a7 100644
--- a/vendor/github.com/containers/storage/store.go
+++ b/vendor/github.com/containers/storage/store.go
@@ -2369,13 +2369,23 @@ func (s *store) Diff(from, to string, options *DiffOptions) (io.ReadCloser, erro
}
for _, store := range append([]ROLayerStore{lstore}, lstores...) {
store.Lock()
- defer store.Unlock()
if modified, err := store.Modified(); modified || err != nil {
store.Load()
}
if store.Exists(to) {
- return store.Diff(from, to, options)
+ rc, err := store.Diff(from, to, options)
+ if rc != nil && err == nil {
+ wrapped := ioutils.NewReadCloserWrapper(rc, func() error {
+ err := rc.Close()
+ store.Unlock()
+ return err
+ })
+ return wrapped, nil
+ }
+ store.Unlock()
+ return rc, err
}
+ store.Unlock()
}
return nil, ErrLayerUnknown
}
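Review bot: The layer store lock is now released only inside the wrapper's close callback, so a caller that drops the returned reader without closing it leaves the store locked. A second `Close` would also call `store.Unlock()` again unless `ioutils.NewReadCloserWrapper` guards against that, which is not visible here. Diff's doc comment should state the contract, for example `// The returned ReadCloser holds the layer store lock until it is closed; close it exactly once, and before calling back into the store.` Diff starts before this hunk.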