diff options
26 files changed, 223 insertions, 272 deletions
diff --git a/.cirrus.yml b/.cirrus.yml index ccc78717e..b1aa1b475 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -61,7 +61,7 @@ env: SPECIALMODE: "none" # don't do anything special TEST_REMOTE_CLIENT: 'false' # don't test remote client by default ADD_SECOND_PARTITION: 'false' # will certainly fail inside containers - MOD_LIBPOD_CONF: 'true' # Update libpod.conf runtime if required by OS environment + MOD_CONTAINERS_CONF: 'true' # Update containers.conf runtime if required by OS environment #### #### Credentials and other secret-sauces, decrypted at runtime when authorized. @@ -286,7 +286,7 @@ build_each_commit_task: memory: "8Gb" env: - MOD_LIBPOD_CONF: 'false' + MOD_CONTAINERS_CONF: 'false' timeout_in: 30m @@ -318,7 +318,7 @@ build_without_cgo_task: memory: "8Gb" env: - MOD_LIBPOD_CONF: 'false' + MOD_CONTAINERS_CONF: 'false' timeout_in: 30m @@ -512,7 +512,7 @@ special_testing_in_podman_task: env: ADD_SECOND_PARTITION: 'true' - MOD_LIBPOD_CONF: 'false' # Use existing/native setup + MOD_CONTAINERS_CONF: 'false' # Use existing/native setup SPECIALMODE: 'in_podman' # See docs timeout_in: 60m @@ -263,6 +263,7 @@ clean: ## Clean artifacts libpod/container_easyjson.go \ libpod/pod_easyjson.go \ docs/build + make -C docs clean .PHONY: libpodimage libpodimage: ## Build the libpod image @@ -306,6 +307,7 @@ testunit: libpodimage ## Run unittest on the built image .PHONY: localunit localunit: test/goecho/goecho varlink_generate + hack/check_root.sh make localunit ginkgo \ -r \ $(TESTFLAGS) \ diff --git a/cmd/podman/registry/config.go b/cmd/podman/registry/config.go index 75e67b35d..a7e368115 100644 --- a/cmd/podman/registry/config.go +++ b/cmd/podman/registry/config.go @@ -70,7 +70,7 @@ func newPodmanConfig() { // setXdgDirs ensures the XDG_RUNTIME_DIR env and XDG_CONFIG_HOME variables are set. // containers/image uses XDG_RUNTIME_DIR to locate the auth file, XDG_CONFIG_HOME is -// use for the libpod.conf configuration file. +// use for the containers.conf configuration file. func setXdgDirs() error { if !rootless.IsRootless() { return nil diff --git a/cmd/podman/system/renumber.go b/cmd/podman/system/renumber.go index 82cf65d8f..7cec5b986 100644 --- a/cmd/podman/system/renumber.go +++ b/cmd/podman/system/renumber.go @@ -18,7 +18,7 @@ var ( podman system renumber Migrate lock numbers to handle a change in maximum number of locks. - Mandatory after the number of locks in libpod.conf is changed. + Mandatory after the number of locks in containers.conf is changed. ` renumberCommand = &cobra.Command{ diff --git a/cni/README.md b/cni/README.md index 2683df714..bc37df1eb 100644 --- a/cni/README.md +++ b/cni/README.md @@ -5,7 +5,7 @@ directory just contains an example configuration that can be used as the basis for your own configuration. To use this configuration, place it in `/etc/cni/net.d` (or the directory -specified by `cni_config_dir` in your `libpod.conf`). +specified by `cni_config_dir` in your `containers.conf`). For example a basic network configuration can be achieved with: @@ -14,4 +14,4 @@ sudo mkdir -p /etc/cni/net.d curl -qsSL https://raw.githubusercontent.com/containers/libpod/master/cni/87-podman-bridge.conflist | sudo tee /etc/cni/net.d/87-podman-bridge.conf ``` -Dependent upon your CNI configuration, you will need to install as a minimum the `port` and `bridge` [CNI plugins](https://github.com/containernetworking/plugins) into `/opt/cni/bin` (or the directory specified by `cni_plugin_dir` in libpod.conf). Please refer to the [CNI](https://github.com/containernetworking) project page in GitHub for more information. +Dependent upon your CNI configuration, you will need to install as a minimum the `port` and `bridge` [CNI plugins](https://github.com/containernetworking/plugins) into `/opt/cni/bin` (or the directory specified by `cni_plugin_dir` in containers.conf). Please refer to the [CNI](https://github.com/containernetworking) project page in GitHub for more information. diff --git a/docs/source/markdown/libpod.conf.5.md b/docs/source/markdown/libpod.conf.5.md deleted file mode 100644 index ca45bccf6..000000000 --- a/docs/source/markdown/libpod.conf.5.md +++ /dev/null @@ -1,114 +0,0 @@ -% libpod.conf(5) - -## NAME -libpod.conf - libpod configuration file - -## DESCRIPTION -The libpod.conf file is the default configuration file for all tools using -libpod to manage containers. - -## OPTIONS - -**image_default_transport**="" - Default transport method for pulling and pushing images - -**runtime**="" - Default OCI runtime to use if nothing is specified in **runtimes** - -**runtimes** - For each OCI runtime, specify a list of paths to look for. The first one found is used. If the paths are empty or no valid path was found, then the `$PATH` environment variable will be used as the fallback. - -**conmon_path**="" - Paths to search for the conmon container manager binary. If the paths are empty or no valid path was found, then the `$PATH` environment variable will be used as the fallback. - -**conmon_env_vars**="" - Environment variables to pass into Conmon - -**cgroup_manager**="" - Specify the CGroup Manager to use; valid values are "systemd" and "cgroupfs" - -**lock_type**="" - Specify the locking mechanism to use; valid values are "shm" and "file". Change the default only if you are sure of what you are doing, in general "file" is useful only on platforms where cgo is not available for using the faster "shm" lock type. You may need to run "podman system renumber" after you change the lock type. - -**init_path**="" - Path to the container-init binary, which forwards signals and reaps processes within containers. Note that the container-init binary will only be used when the `--init` for podman-create and podman-run is set. - -**hooks_dir**=["*path*", ...] - - Each `*.json` file in the path configures a hook for Podman containers. For more details on the syntax of the JSON files and the semantics of hook injection, see `oci-hooks(5)`. Podman and libpod currently support both the 1.0.0 and 0.1.0 hook schemas, although the 0.1.0 schema is deprecated. - - Paths listed later in the array have higher precedence (`oci-hooks(5)` discusses directory precedence). - - For the annotation conditions, libpod uses any annotations set in the generated OCI configuration. - - For the bind-mount conditions, only mounts explicitly requested by the caller via `--volume` are considered. Bind mounts that libpod inserts by default (e.g. `/dev/shm`) are not considered. - - Podman and libpod currently support an additional `precreate` state which is called before the runtime's `create` operation. Unlike the other stages, which receive the container state on their standard input, `precreate` hooks receive the proposed runtime configuration on their standard input. They may alter that configuration as they see fit, and write the altered form to their standard output. - - **WARNING**: the `precreate` hook lets you do powerful things, such as adding additional mounts to the runtime configuration. That power also makes it easy to break things. Before reporting libpod errors, try running your container with `precreate` hooks disabled to see if the problem is due to one of your hooks. - -**static_dir**="" - Directory for persistent libpod files (database, etc) - By default this will be configured relative to where containers/storage - stores containers - -**tmp_dir**="" - Directory for temporary files - Must be a tmpfs (wiped after reboot) - -**max_log_size**="" - Maximum size of log files (in bytes) - -**no_pivot_root**="" - Whether to use chroot instead of pivot_root in the runtime - -**cni_config_dir**="" - Directory containing CNI plugin configuration files - -**cni_plugin_dir**="" - Directories where CNI plugin binaries may be located - -**infra_image** = "" - Infra (pause) container image name for pod infra containers. When running a pod, we - start a `pause` process in a container to hold open the namespaces associated with the - pod. This container and process, basically sleep/pause for the lifetime of the pod. - -**infra_command**="" - Command to run the infra container - -**namespace**="" - Default libpod namespace. If libpod is joined to a namespace, it will see only containers and pods - that were created in the same namespace, and will create new containers and pods in that namespace. - The default namespace is "", which corresponds to no namespace. When no namespace is set, all - containers and pods are visible. - -**label**="true|false" - Indicates whether the containers should use label separation by default. - Can be overridden via `--security-opt label=...` on the CLI. - -**num_locks**="" - Number of locks available for containers and pods. Each created container or pod consumes one lock. - The default number available is 2048. - If this is changed, a lock renumbering must be performed, using the `podman system renumber` command. - -**volume_path**="" - Directory where named volumes will be created in using the default volume driver. - By default this will be configured relative to where containers/storage stores containers. - -**network_cmd_path**="" - Path to the command binary to use for setting up a network. It is currently only used for setting up - a slirp4netns network. If "" is used then the binary is looked up using the $PATH environment variable. - -**events_logger**="" - Default method to use when logging events. Valid values are "file", "journald", and "none". - -**detach_keys**="" - Keys sequence used for detaching a container - -## FILES - `/usr/share/containers/libpod.conf`, default libpod configuration path - - `/etc/containers/libpod.conf`, override libpod configuration path - -## HISTORY -Apr 2018, Originally compiled by Nathan Williams <nath.e.will@gmail.com> diff --git a/docs/source/markdown/podman-attach.1.md b/docs/source/markdown/podman-attach.1.md index 1ac2e49a9..cb3ffa92e 100644 --- a/docs/source/markdown/podman-attach.1.md +++ b/docs/source/markdown/podman-attach.1.md @@ -15,7 +15,7 @@ or name, either to view its ongoing output or to control it interactively. You can detach from the container (and leave it running) using a configurable key sequence. The default sequence is `ctrl-p,ctrl-q`. Configure the keys sequence using the **--detach-keys** option, or specifying -it in the **libpod.conf** file: see **libpod.conf(5)** for more information. +it in the **containers.conf** file: see **containers.conf(5)** for more information. ## OPTIONS **--detach-keys**=*sequence* @@ -55,4 +55,4 @@ $ podman attach 1234 $ podman attach --no-stdin foobar ``` ## SEE ALSO -podman(1), podman-exec(1), podman-run(1) +podman(1), podman-exec(1), podman-run(1), containers.conf(5) diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 61bcec57a..94d2628b2 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -190,7 +190,7 @@ detached container with **podman attach**. When attached in the tty mode, you can detach from the container (and leave it running) using a configurable key sequence. The default sequence is `ctrl-p,ctrl-q`. Configure the keys sequence using the **--detach-keys** option, or specifying -it in the **libpod.conf** file: see **libpod.conf(5)** for more information. +it in the **containers.conf** file: see **containers.conf(5)** for more information. **--detach-keys**=*sequence* @@ -741,7 +741,7 @@ Security Options - `seccomp=unconfined` : Turn off seccomp confinement for the container - `seccomp=profile.json` : White listed syscalls seccomp Json file to be used as a seccomp filter -Note: Labeling can be disabled for all containers by setting label=false in the **libpod.conf** (`/etc/containers/libpod.conf`) file. +Note: Labeling can be disabled for all containers by setting label=false in the **containers.conf** (`/etc/containers/containers.conf` or `$HOME/.config/containers/containers.conf`) file. **--shm-size**=*size* @@ -989,7 +989,7 @@ where source dir is mounted on) has to have right propagation properties. For shared volumes, source mount point has to be shared. And for slave volumes, source mount has to be either shared or slave. <sup>[[1]](#Footnote1)</sup> -If you want to recursively mount a volume and all of it's submounts into a +If you want to recursively mount a volume and all of its submounts into a container, then you can use the `rbind` option. By default the bind option is used, and submounts of the source directory will not be mounted into the container. @@ -1149,7 +1149,7 @@ b NOTE: Use the environment variable `TMPDIR` to change the temporary storage location of downloaded container images. Podman defaults to use `/var/tmp`. ## SEE ALSO -**subgid**(5), **subuid**(5), **libpod.conf**(5), **systemd.unit**(5), **setsebool**(8), **slirp4netns**(1), **fuse-overlayfs**(1). +**subgid**(5), **subuid**(5), **containers.conf**(5), **systemd.unit**(5), **setsebool**(8), **slirp4netns**(1), **fuse-overlayfs**(1). ## HISTORY October 2017, converted from Docker documentation to Podman by Dan Walsh for Podman <dwalsh@redhat.com> diff --git a/docs/source/markdown/podman-events.1.md b/docs/source/markdown/podman-events.1.md index abfc6e9c1..0d91cdf17 100644 --- a/docs/source/markdown/podman-events.1.md +++ b/docs/source/markdown/podman-events.1.md @@ -10,7 +10,7 @@ podman\-events - Monitor Podman events Monitor and print events that occur in Podman. Each event will include a timestamp, a type, a status, name (if applicable), and image (if applicable). The default logging -mechanism is *journald*. This can be changed in libpod.conf by changing the `events_logger` +mechanism is *journald*. This can be changed in containers.conf by changing the `events_logger` value to `file`. Only `file` and `journald` are accepted. A `none` logger is also available but this logging mechanism completely disables events; nothing will be reported by `podman events`. @@ -150,7 +150,7 @@ $ podman events --format json ``` ## SEE ALSO -podman(1) +podman(1), containers.conf(5) ## HISTORY March 2019, Originally compiled by Brent Baude <bbaude@redhat.com> diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 5c031c204..b565cdfab 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -208,7 +208,7 @@ Specify the key sequence for detaching a container; _sequence_ is a comma-delimi in which each item can be a single character from the [a-Z] range, or **ctrl**-_value_, where _value_ is one of: **a-z** or **@^[,_**. -This option can also be set in **libpod.conf**(5) file. +This option can also be set in **containers.conf**(5) file. Specifying "" will disable this feature. The default is **ctrl-p,ctrl-q**. @@ -759,7 +759,7 @@ Security Options - **seccomp=unconfined**: Turn off seccomp confinement for the container - **seccomp**=_profile.json_: Allowed syscall list seccomp JSON file to be used as a seccomp filter -Note: Labeling can be disabled for all containers by setting **label=false** in the **libpod.conf**(5) file. +Note: Labeling can be disabled for all containers by setting **label=false** in the **containers.conf**(5) file. **--shm-size**=_number_[_unit_] @@ -1255,8 +1255,8 @@ $ podman run -p 8080:80 -d -i -t fedora/httpd To mount a host directory as a container volume, specify the absolute path to the directory and the absolute path for the container directory separated by a -colon. If the source is a named volume maintained by Podman, it's recommended to -use it's name rather than the path to the volume. Otherwise the volume will be +colon. If the source is a named volume maintained by Podman, it is recommended to +use its name rather than the path to the volume. Otherwise the volume will be considered as an orphan and wiped if you execute **podman volume prune**: ``` @@ -1427,7 +1427,7 @@ b NOTE: Use the environment variable `TMPDIR` to change the temporary storage location of downloaded container images. Podman defaults to use `/var/tmp`. ## SEE ALSO -**subgid**(5), **subuid**(5), **libpod.conf**(5), **systemd.unit**(5), **setsebool**(8), **slirp4netns**(1), **fuse-overlayfs**(1). +**subgid**(5), **subuid**(5), **containers.conf**(5), **systemd.unit**(5), **setsebool**(8), **slirp4netns**(1), **fuse-overlayfs**(1). ## HISTORY September 2018, updated by Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp> diff --git a/docs/source/markdown/podman-system-migrate.1.md b/docs/source/markdown/podman-system-migrate.1.md index baabfd14b..29c0ef94b 100644 --- a/docs/source/markdown/podman-system-migrate.1.md +++ b/docs/source/markdown/podman-system-migrate.1.md @@ -33,7 +33,7 @@ This can be used after a system upgrade which changes the default OCI runtime to There are no guarantees that the containers will continue to work under the new runtime, as some runtimes support differing options and configurations. ## SEE ALSO -`podman(1)`, `libpod.conf(5)`, `usermod(8)` +`podman(1)`, `containers.conf(5)`, `usermod(8)` ## HISTORY April 2019, Originally compiled by Giuseppe Scrivano (gscrivan at redhat dot com) diff --git a/docs/source/markdown/podman-system-renumber.1.md b/docs/source/markdown/podman-system-renumber.1.md index 071eefe29..51c085606 100644 --- a/docs/source/markdown/podman-system-renumber.1.md +++ b/docs/source/markdown/podman-system-renumber.1.md @@ -9,9 +9,9 @@ podman\-system\-renumber - Migrate lock numbers to handle a change in maximum nu ## DESCRIPTION **podman system renumber** renumbers locks used by containers and pods. -Each Podman container and pod is allocated a lock at creation time, up to a maximum number controlled by the **num_locks** parameter in **libpod.conf**. +Each Podman container and pod is allocated a lock at creation time, up to a maximum number controlled by the **num_locks** parameter in **containers.conf**. -When all available locks are exhausted, no further containers and pods can be created until some existing containers and pods are removed. This can be avoided by increasing the number of locks available via modifying **libpod.conf** and subsequently running **podman system renumber** to prepare the new locks (and reallocate lock numbers to fit the new struct). +When all available locks are exhausted, no further containers and pods can be created until some existing containers and pods are removed. This can be avoided by increasing the number of locks available via modifying **containers.conf** and subsequently running **podman system renumber** to prepare the new locks (and reallocate lock numbers to fit the new struct). **podman system renumber** must be called after any changes to **num_locks** - failure to do so will result in errors starting Podman as the number of locks available conflicts with the configured number of locks. @@ -20,7 +20,7 @@ When all available locks are exhausted, no further containers and pods can be cr If possible, avoid calling **podman system renumber** while there are other Podman processes running. ## SEE ALSO -`podman(1)`, `libpod.conf(5)` +`podman(1)`, `containers.conf(5)` ## HISTORY February 2019, Originally compiled by Matt Heon (mheon at redhat dot com) diff --git a/docs/source/markdown/podman.1.md b/docs/source/markdown/podman.1.md index c45c10243..776ee7a67 100644 --- a/docs/source/markdown/podman.1.md +++ b/docs/source/markdown/podman.1.md @@ -23,7 +23,7 @@ created by the other. **--cgroup-manager**=*manager* -CGroup manager to use for container cgroups. Supported values are cgroupfs or systemd. Default is systemd unless overridden in the libpod.conf file. +The CGroup manager to use for container cgroups. Supported values are cgroupfs or systemd. Default is systemd unless overridden in the containers.conf file. Note: Setting this flag can cause certain commands to break when called on containers previously created by the other CGroup manager type. Note: CGroup manager is not supported in rootless mode when using CGroups Version V1. @@ -32,7 +32,7 @@ Note: CGroup manager is not supported in rootless mode when using CGroups Versio Path of the configuration directory for CNI networks. (Default: `/etc/cni/net.d`) **--conmon** -Path of the conmon binary (Default path is configured in `libpod.conf`) +Path of the conmon binary (Default path is configured in `containers.conf`) **--events-backend**=*type* @@ -94,7 +94,7 @@ Default state dir configured in `/etc/containers/storage.conf`. **--runtime**=*value* -Name of the OCI runtime as specified in libpod.conf or absolute path to the OCI compatible binary used to run containers. +Name of the OCI runtime as specified in containers.conf or absolute path to the OCI compatible binary used to run containers. **--storage-driver**=*value* @@ -217,11 +217,13 @@ the exit codes follow the `chroot` standard, see below: ## FILES -**libpod.conf** (`/usr/share/containers/libpod.conf`) +**containers.conf** (`/usr/share/containers/containers.conf`) - libpod.conf is the configuration file for all tools using libpod to manage containers, when run as root. Administrators can override the defaults file by creating `/etc/containers/libpod.conf`. When Podman runs in rootless mode, the file `$HOME/.config/containers/libpod.conf` is created and replaces some fields in the system configuration file. + Podman has builtin defaults for command line options. These defaults can be overridden using the containers.conf configuration files. - Podman uses builtin defaults if no libpod.conf file is found. +Distributions ship the `/usr/share/containers/containers.conf` file with their default settings. Administrators can override fields in this file by creating the `/etc/containers/containers.conf` file. Users can further modify defaults by creating the `$HOME/.config/containers/containers.conf` file. Podman merges its builtin defaults with the specified fields from these files, if they exist. Fields specified in the users file override the administrator's file, which overrides the distribution's file, which override the built-in defaults. + +Podman uses builtin defaults if no containers.conf file is found. **mounts.conf** (`/usr/share/containers/mounts.conf`) @@ -280,7 +282,7 @@ The Network File System (NFS) and other distributed file systems (for example: L For more information, please refer to the [Podman Troubleshooting Page](https://github.com/containers/libpod/blob/master/troubleshooting.md). ## SEE ALSO -`containers-mounts.conf(5)`, `containers-registries.conf(5)`, `containers-storage.conf(5)`, `buildah(1)`, `libpod.conf(5)`, `oci-hooks(5)`, `containers-policy.json(5)`, `subuid(5)`, `subgid(5)`, `slirp4netns(1)` +`containers-mounts.conf(5)`, `containers-registries.conf(5)`, `containers-storage.conf(5)`, `buildah(1)`, `containers.conf(5)`, `oci-hooks(5)`, `containers-policy.json(5)`, `subuid(5)`, `subgid(5)`, `slirp4netns(1)` ## HISTORY Dec 2016, Originally compiled by Dan Walsh <dwalsh@redhat.com> diff --git a/docs/tutorials/rootless_tutorial.md b/docs/tutorials/rootless_tutorial.md index 440e12062..821c07647 100644 --- a/docs/tutorials/rootless_tutorial.md +++ b/docs/tutorials/rootless_tutorial.md @@ -13,7 +13,7 @@ The alternative OCI runtime support for cgroup V2 can be turned on at the comma ``` sudo podman --runtime /usr/bin/crun ``` -or by changing the value for the "Default OCI runtime" in the libpod.conf file either at the system level or at the [user level](#user-configuration-files) from `runtime = "runc"` to `runtime = "crun"`. +or by changing the value for the "Default OCI runtime" in the containers.conf file either at the system level or at the [user level](#user-configuration-files) from `runtime = "runc"` to `runtime = "crun"`. ## Administrator Actions @@ -106,7 +106,7 @@ Once the Administrator has completed the setup on the machine and then the confi ### User Configuration Files -The Podman configuration files for root reside in `/usr/share/containers` with overrides in `/etc/containers`. In the rootless environment they reside in `${XDG_CONFIG_HOME}/containers` (usually `~/.config/containers`) and are owned by each individual user. The main files are `libpod.conf` and `storage.conf` and the user can modify these files as they wish. +The Podman configuration files for root reside in `/usr/share/containers` with overrides in `/etc/containers`. In the rootless environment they reside in `${XDG_CONFIG_HOME}/containers` (usually `~/.config/containers`) and are owned by each individual user. The main files are `containers.conf` and `storage.conf` and the user can modify these files as they wish. The default authorization file used by the `podman login` and `podman logout` commands reside in `${XDG_RUNTIME_DIR}/containers/auth.json`. diff --git a/hack/check_root.sh b/hack/check_root.sh new file mode 100755 index 000000000..203eae9d3 --- /dev/null +++ b/hack/check_root.sh @@ -0,0 +1,5 @@ +#!/bin/bash +if ! [ $(id -u) = 0 ]; then + echo "Please run as root! '$@' requires root privileges." + exit 1 +fi diff --git a/libpod/events/journal_linux.go b/libpod/events/journal_linux.go index d341ca7b5..7c2a3e0f2 100644 --- a/libpod/events/journal_linux.go +++ b/libpod/events/journal_linux.go @@ -90,6 +90,13 @@ func (e EventJournalD) Read(ctx context.Context, options ReadOptions) error { return err } for { + select { + case <-ctx.Done(): + // the consumer has cancelled + return nil + default: + // fallthrough + } if _, err := j.Next(); err != nil { return err } diff --git a/libpod/events/logfile.go b/libpod/events/logfile.go index 28d0dc07e..b70102450 100644 --- a/libpod/events/logfile.go +++ b/libpod/events/logfile.go @@ -63,6 +63,14 @@ func (e EventLogFile) Read(ctx context.Context, options ReadOptions) error { } }() for line := range t.Lines { + select { + case <-ctx.Done(): + // the consumer has cancelled + return nil + default: + // fallthrough + } + event, err := newEventFromJSONString(line.Text) if err != nil { return err diff --git a/libpod/runtime.go b/libpod/runtime.go index b30933b0c..96243c808 100644 --- a/libpod/runtime.go +++ b/libpod/runtime.go @@ -84,7 +84,7 @@ type Runtime struct { // SetXdgDirs ensures the XDG_RUNTIME_DIR env and XDG_CONFIG_HOME variables are set. // containers/image uses XDG_RUNTIME_DIR to locate the auth file, XDG_CONFIG_HOME is -// use for the libpod.conf configuration file. +// use for the containers.conf configuration file. func SetXdgDirs() error { if !rootless.IsRootless() { return nil diff --git a/pkg/api/handlers/compat/events.go b/pkg/api/handlers/compat/events.go index 5acc94153..9d5cb5045 100644 --- a/pkg/api/handlers/compat/events.go +++ b/pkg/api/handlers/compat/events.go @@ -1,9 +1,10 @@ package compat import ( - "context" + "encoding/json" "fmt" "net/http" + "sync" "github.com/containers/libpod/v2/libpod" "github.com/containers/libpod/v2/libpod/events" @@ -15,77 +16,132 @@ import ( "github.com/sirupsen/logrus" ) +// filtersFromRequests extracts the "filters" parameter from the specified +// http.Request. The paramater can either be a `map[string][]string` as done +// in new versions of Docker and libpod, or a `map[string]map[string]bool` as +// done in older versions of Docker. We have to do a bit of Yoga to support +// both - just as Docker does as well. +// +// Please refer to https://github.com/containers/podman/issues/6899 for some +// background. +func filtersFromRequest(r *http.Request) ([]string, error) { + var ( + compatFilters map[string]map[string]bool + filters map[string][]string + libpodFilters []string + ) + raw := []byte(r.Form.Get("filters")) + + // Backwards compat with older versions of Docker. + if err := json.Unmarshal(raw, &compatFilters); err == nil { + for filterKey, filterMap := range compatFilters { + for filterValue, toAdd := range filterMap { + if toAdd { + libpodFilters = append(libpodFilters, fmt.Sprintf("%s=%s", filterKey, filterValue)) + } + } + } + return libpodFilters, nil + } + + if err := json.Unmarshal(raw, &filters); err != nil { + return nil, err + } + + for filterKey, filterSlice := range filters { + for _, filterValue := range filterSlice { + libpodFilters = append(libpodFilters, fmt.Sprintf("%s=%s", filterKey, filterValue)) + } + } + + return libpodFilters, nil +} + +// NOTE: this endpoint serves both the docker-compatible one and the new libpod +// one. func GetEvents(w http.ResponseWriter, r *http.Request) { var ( - fromStart bool - eventsError error - decoder = r.Context().Value("decoder").(*schema.Decoder) - runtime = r.Context().Value("runtime").(*libpod.Runtime) + fromStart bool + decoder = r.Context().Value("decoder").(*schema.Decoder) + runtime = r.Context().Value("runtime").(*libpod.Runtime) + json = jsoniter.ConfigCompatibleWithStandardLibrary // FIXME: this should happen on the package level ) + // NOTE: the "filters" parameter is extracted separately for backwards + // compat via `fitlerFromRequest()`. query := struct { - Since string `schema:"since"` - Until string `schema:"until"` - Filters map[string][]string `schema:"filters"` - Stream bool `schema:"stream"` + Since string `schema:"since"` + Until string `schema:"until"` + Stream bool `schema:"stream"` }{ Stream: true, } if err := decoder.Decode(&query, r.URL.Query()); err != nil { utils.Error(w, "Failed to parse parameters", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse parameters for %s", r.URL.String())) - } - - var libpodFilters = []string{} - if _, found := r.URL.Query()["filters"]; found { - for k, v := range query.Filters { - libpodFilters = append(libpodFilters, fmt.Sprintf("%s=%s", k, v[0])) - } + return } if len(query.Since) > 0 || len(query.Until) > 0 { fromStart = true } - eventCtx, eventCancel := context.WithCancel(r.Context()) - eventChannel := make(chan *events.Event) - go func() { - readOpts := events.ReadOptions{FromStart: fromStart, Stream: query.Stream, Filters: libpodFilters, EventChannel: eventChannel, Since: query.Since, Until: query.Until} - eventsError = runtime.Events(eventCtx, readOpts) - }() - if eventsError != nil { - utils.InternalServerError(w, eventsError) - eventCancel() - close(eventChannel) + libpodFilters, err := filtersFromRequest(r) + if err != nil { + utils.Error(w, "Failed to parse parameters", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse parameters for %s", r.URL.String())) return } - // If client disappears we need to stop listening for events - go func(done <-chan struct{}) { - <-done - eventCancel() - if _, ok := <-eventChannel; ok { - close(eventChannel) + eventChannel := make(chan *events.Event) + errorChannel := make(chan error) + + // Start reading events. + go func() { + readOpts := events.ReadOptions{ + FromStart: fromStart, + Stream: query.Stream, + Filters: libpodFilters, + EventChannel: eventChannel, + Since: query.Since, + Until: query.Until, } - }(r.Context().Done()) + errorChannel <- runtime.Events(r.Context(), readOpts) + }() - // Headers need to be written out before turning Writer() over to json encoder - w.Header().Set("Content-Type", "application/json") - w.WriteHeader(http.StatusOK) - if flusher, ok := w.(http.Flusher); ok { - flusher.Flush() - } + var coder *jsoniter.Encoder + var writeHeader sync.Once - json := jsoniter.ConfigCompatibleWithStandardLibrary - coder := json.NewEncoder(w) - coder.SetEscapeHTML(true) + for stream := true; stream; stream = query.Stream { + select { + case err := <-errorChannel: + if err != nil { + utils.InternalServerError(w, err) + return + } + case evt := <-eventChannel: + writeHeader.Do(func() { + // Use a sync.Once so that we write the header + // only once. + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + if flusher, ok := w.(http.Flusher); ok { + flusher.Flush() + } + coder = json.NewEncoder(w) + coder.SetEscapeHTML(true) + }) - for event := range eventChannel { - e := entities.ConvertToEntitiesEvent(*event) - if err := coder.Encode(e); err != nil { - logrus.Errorf("unable to write json: %q", err) - } - if flusher, ok := w.(http.Flusher); ok { - flusher.Flush() + if evt == nil { + continue + } + + e := entities.ConvertToEntitiesEvent(*evt) + if err := coder.Encode(e); err != nil { + logrus.Errorf("unable to write json: %q", err) + } + if flusher, ok := w.(http.Flusher); ok { + flusher.Flush() + } } + } } diff --git a/pkg/api/server/register_generate.go b/pkg/api/server/register_generate.go index 82f1dc680..a1ab3f727 100644 --- a/pkg/api/server/register_generate.go +++ b/pkg/api/server/register_generate.go @@ -13,8 +13,8 @@ func (s *APIServer) registerGenerateHandlers(r *mux.Router) error { // tags: // - containers // - pods - // summary: Play a Kubernetes YAML file. - // description: Create and run pods based on a Kubernetes YAML file (pod or service kind). + // summary: Generate a Kubernetes YAML file. + // description: Generate Kubernetes YAML based on a pod or container. // parameters: // - in: path // name: name:.* diff --git a/pkg/bindings/test/system_test.go b/pkg/bindings/test/system_test.go index 93141400b..430184f4a 100644 --- a/pkg/bindings/test/system_test.go +++ b/pkg/bindings/test/system_test.go @@ -1,6 +1,7 @@ package test_bindings import ( + "sync" "time" "github.com/containers/libpod/v2/pkg/bindings" @@ -38,22 +39,28 @@ var _ = Describe("Podman system", func() { }) It("podman events", func() { - eChan := make(chan entities.Event, 1) - var messages []entities.Event - cancelChan := make(chan bool, 1) + var name = "top" + _, err := bt.RunTopContainer(&name, bindings.PFalse, nil) + Expect(err).To(BeNil()) + + filters := make(map[string][]string) + filters["container"] = []string{name} + + binChan := make(chan entities.Event) + done := sync.Mutex{} + done.Lock() + eventCounter := 0 go func() { - for e := range eChan { - messages = append(messages, e) + defer done.Unlock() + for range binChan { + eventCounter++ } }() - go func() { - system.Events(bt.conn, eChan, cancelChan, nil, nil, nil, bindings.PFalse) - }() - _, err := bt.RunTopContainer(nil, nil, nil) + err = system.Events(bt.conn, binChan, nil, nil, nil, filters, bindings.PFalse) Expect(err).To(BeNil()) - cancelChan <- true - Expect(len(messages)).To(BeNumerically("==", 5)) + done.Lock() + Expect(eventCounter).To(BeNumerically(">", 0)) }) It("podman system prune - pod,container stopped", func() { diff --git a/pkg/network/config.go b/pkg/network/config.go index e5c981419..a504e0ad0 100644 --- a/pkg/network/config.go +++ b/pkg/network/config.go @@ -6,8 +6,8 @@ import ( "net" ) -// TODO once the libpod.conf file stuff is worked out, this should be modified -// to honor defines in the libpod.conf as well as overrides? +// TODO once the containers.conf file stuff is worked out, this should be modified +// to honor defines in the containers.conf as well as overrides? const ( // CNIConfigDir is the path where CNI config files exist diff --git a/test/e2e/events_test.go b/test/e2e/events_test.go index 93c51098f..9b527b88e 100644 --- a/test/e2e/events_test.go +++ b/test/e2e/events_test.go @@ -136,6 +136,7 @@ var _ = Describe("Podman events", func() { Expect(ec).To(Equal(0)) test := podmanTest.Podman([]string{"events", "--stream=false", "--format", "json"}) test.WaitWithDefaultTimeout() + Expect(test.ExitCode()).To(BeZero()) jsonArr := test.OutputToStringArray() Expect(len(jsonArr)).To(Not(BeZero())) eventsMap := make(map[string]string) @@ -143,10 +144,10 @@ var _ = Describe("Podman events", func() { Expect(err).To(BeNil()) _, exist := eventsMap["Status"] Expect(exist).To(BeTrue()) - Expect(test.ExitCode()).To(BeZero()) test = podmanTest.Podman([]string{"events", "--stream=false", "--format", "{{json.}}"}) test.WaitWithDefaultTimeout() + Expect(test.ExitCode()).To(BeZero()) jsonArr = test.OutputToStringArray() Expect(len(jsonArr)).To(Not(BeZero())) eventsMap = make(map[string]string) @@ -154,6 +155,5 @@ var _ = Describe("Podman events", func() { Expect(err).To(BeNil()) _, exist = eventsMap["Status"] Expect(exist).To(BeTrue()) - Expect(test.ExitCode()).To(BeZero()) }) }) diff --git a/test/e2e/run_device_test.go b/test/e2e/run_device_test.go index a5e1e0269..b1a4c9cb2 100644 --- a/test/e2e/run_device_test.go +++ b/test/e2e/run_device_test.go @@ -75,11 +75,17 @@ var _ = Describe("Podman run device", func() { It("podman run device host device and container device parameter are directories", func() { SkipIfRootless() - SystemExec("mkdir", []string{"/dev/foodevdir"}) - SystemExec("mknod", []string{"/dev/foodevdir/null", "c", "1", "3"}) - session := podmanTest.Podman([]string{"run", "-q", "--device", "/dev/foodevdir:/dev/bar", ALPINE, "ls", "/dev/bar/null"}) + Expect(os.MkdirAll("/dev/foodevdir", os.ModePerm)).To(BeNil()) + defer os.RemoveAll("/dev/foodevdir") + + mknod := SystemExec("mknod", []string{"/dev/foodevdir/null", "c", "1", "3"}) + mknod.WaitWithDefaultTimeout() + Expect(mknod.ExitCode()).To(Equal(0)) + + session := podmanTest.Podman([]string{"run", "-q", "--device", "/dev/foodevdir:/dev/bar", ALPINE, "stat", "-c%t:%T", "/dev/bar/null"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) + Expect(session.OutputToString()).To(Equal("1:3")) }) It("podman run device host device with --privileged", func() { diff --git a/test/system/helpers.bash b/test/system/helpers.bash index 4239ef876..abca91739 100644 --- a/test/system/helpers.bash +++ b/test/system/helpers.bash @@ -404,7 +404,13 @@ function find_exec_pid_files() { # # This obviously screws us up when we look at output results. # -# This function removes the warning from $output and $lines +# This function removes the warning from $output and $lines. We don't +# do a full string match because there's another variant of that message: +# +# WARNING: Creating device "/dev/null" with same type, major and minor as existing "/dev/foodevdir/null". +# +# (We should never again see that precise error ever again, but we could +# see variants of it). # function remove_same_dev_warning() { # No input arguments. We operate in-place on $output and $lines @@ -412,7 +418,7 @@ function remove_same_dev_warning() { local i=0 local -a new_lines=() while [[ $i -lt ${#lines[@]} ]]; do - if expr "${lines[$i]}" : 'WARNING: .* same type, major.* multiple' >/dev/null; then + if expr "${lines[$i]}" : 'WARNING: .* same type, major' >/dev/null; then : else new_lines+=("${lines[$i]}") diff --git a/troubleshooting.md b/troubleshooting.md index 8175073cd..4c452404c 100644 --- a/troubleshooting.md +++ b/troubleshooting.md @@ -102,41 +102,7 @@ communicate with a registry and not use tls verification. * I.e. `podman push --tls-verify=false alpine docker://localhost:5000/myalpine:latest` --- -### 5) Rootless: could not get runtime - database configuration mismatch - -In Podman release 0.11.1, a default path for rootless containers was changed, -potentially causing rootless Podman to be unable to function. The new default -path is not a problem for new installations, but existing installations will -need to work around it with the following fix. - -#### Symptom - -```console -$ podman info -could not get runtime: database run root /run/user/1000/run does not match our run root /run/user/1000: database configuration mismatch -``` - -#### Solution - -This problem has been fixed in Podman release 0.12.1 and it is recommended -to upgrade to that version. If that is not possible use the following procedure. - -To work around the new default path, we can manually set the path Podman is -expecting in a configuration file. - -First, we need to make a new local configuration file for rootless Podman. -* `mkdir -p ~/.config/containers` -* `cp /usr/share/containers/libpod.conf ~/.config/containers` - -Next, edit the new local configuration file -(`~/.config/containers/libpod.conf`) with your favorite editor. Comment out the -line starting with `cgroup_manager` by adding a `#` character at the beginning -of the line, and change the path in the line starting with `tmp_dir` to point to -the first path in the error message Podman gave (in this case, -`/run/user/1000/tmp`). - ---- -### 6) rootless containers cannot ping hosts +### 5) rootless containers cannot ping hosts When using the ping command from a non-root container, the command may fail because of a lack of privileges. @@ -164,7 +130,7 @@ To make the change persistent, you'll need to add a file in `/etc/sysctl.d` that contains `net.ipv4.ping_group_range=0 $MAX_UID`. --- -### 7) Build hangs when the Dockerfile contains the useradd command +### 6) Build hangs when the Dockerfile contains the useradd command When the Dockerfile contains a command like `RUN useradd -u 99999000 -g users newuser` the build can hang. @@ -176,7 +142,7 @@ If you are using a useradd command within a Dockerfile with a large UID/GID, it If the entry in the Dockerfile looked like: RUN useradd -u 99999000 -g users newuser then add the `--no-log-init` parameter to change it to: `RUN useradd --no-log-init -u 99999000 -g users newuser`. This option tells useradd to stop creating the lastlog file. -### 8) Permission denied when running Podman commands +### 7) Permission denied when running Podman commands When rootless Podman attempts to execute a container on a non exec home directory a permission error will be raised. @@ -206,7 +172,7 @@ cat ~/.config/containers/storage.conf mount_program = "/bin/fuse-overlayfs" ``` -### 9) Permission denied when running systemd within a Podman container +### 8) Permission denied when running systemd within a Podman container When running systemd as PID 1 inside of a container on an SELinux separated machine, it needs to write to the cgroup file system. @@ -231,7 +197,7 @@ Only do this on systems running older versions of Podman. `setsebool -P container_manage_cgroup true` -### 10) Newuidmap missing when running rootless Podman commands +### 9) Newuidmap missing when running rootless Podman commands Rootless Podman requires the newuidmap and newgidmap programs to be installed. @@ -249,7 +215,7 @@ cannot find newuidmap: exec: "newuidmap": executable file not found in $PATH Install a version of shadow-utils that includes these executables. Note that for RHEL and CentOS 7, at least the 7.7 release must be installed for support to be available. -### 11) rootless setup user: invalid argument +### 10) rootless setup user: invalid argument Rootless Podman requires the user running it to have a range of UIDs listed in /etc/subuid and /etc/subgid. @@ -298,7 +264,7 @@ grep johndoe /etc/subuid /etc/subgid /etc/subgid:johndoe:200000:1001 ``` -### 12) Changing the location of the Graphroot leads to permission denied +### 11) Changing the location of the Graphroot leads to permission denied When I change the graphroot storage location in storage.conf, the next time I run Podman I get an error like: @@ -337,7 +303,7 @@ tells SELinux to apply the labels to the actual content. Now all new content created in these directories will automatically be created with the correct label. -### 13) Anonymous image pull fails with 'invalid username/password' +### 12) Anonymous image pull fails with 'invalid username/password' Pulling an anonymous image that doesn't require authentication can result in an `invalid username/password` error. @@ -363,7 +329,7 @@ are established locally and then the password is updated later in the container Depending upon which container tool was used to establish the credentials, use `podman logout` or `docker logout` to remove the credentials from the authentication file. -### 14) Running Podman inside a container causes container crashes and inconsistent states +### 13) Running Podman inside a container causes container crashes and inconsistent states Running Podman in a container and forwarding some, but not all, of the required host directories can cause inconsistent container behavior. @@ -381,7 +347,7 @@ This can cause Podman to reset container states and lose track of running contai For running containers on the host from inside a container, we also recommend the [Podman remote client](remote_client.md), which only requires a single socket to be mounted into the container. -### 15) Rootless 'podman build' fails EPERM on NFS: +### 14) Rootless 'podman build' fails EPERM on NFS: NFS enforces file creation on different UIDs on the server side and does not understand user namespace, which rootless Podman requires. When a container root process like YUM attempts to create a file owned by a different UID, NFS Server denies the creation. @@ -398,10 +364,10 @@ error creating build container: Error committing the finished image: error addin Choose one of the following: * Setup containers/storage in a different directory, not on an NFS share. * Create a directory on a local file system. - * Edit `~/.config/containers/libpod.conf` and point the `volume_path` option to that local directory. + * Edit `~/.config/containers/containers.conf` and point the `volume_path` option to that local directory. (Copy /usr/share/containers/containers.conf if ~/.config/containers/containers.conf does not exist) * Otherwise just run Podman as root, via `sudo podman` -### 16) Rootless 'podman build' fails when using OverlayFS: +### 15) Rootless 'podman build' fails when using OverlayFS: The Overlay file system (OverlayFS) requires the ability to call the `mknod` command when creating whiteout files when extracting an image. However, a rootless user does not have the privileges to use `mknod` in this capacity. @@ -431,7 +397,7 @@ Choose one of the following: * Install the fuse-overlayfs package for your Linux Distribution. * Add `mount_program = "/usr/bin/fuse-overlayfs"` under `[storage.options]` in your `~/.config/containers/storage.conf` file. -### 17) RHEL 7 and CentOS 7 based `init` images don't work with cgroup v2 +### 16) RHEL 7 and CentOS 7 based `init` images don't work with cgroup v2 The systemd version shipped in RHEL 7 and CentOS 7 doesn't have support for cgroup v2. Support for cgroup V2 requires version 230 of systemd or newer, which was never shipped or supported on RHEL 7 or CentOS 7. @@ -459,7 +425,7 @@ On Fedora you can do: * update the image to use an updated version of systemd. -### 18) rootless containers exit once the user session exits +### 17) rootless containers exit once the user session exits You need to set lingering mode through loginctl to prevent user processes to be killed once the user session completed. @@ -477,7 +443,7 @@ or as root if your user has not enough privileges. * sudo loginctl enable-linger $UID -### 19) `podman run` fails with "bpf create: permission denied error" +### 18) `podman run` fails with "bpf create: permission denied error" The Kernel Lockdown patches deny eBPF programs when Secure Boot is enabled in the BIOS. [Matthew Garrett's post](https://mjg59.dreamwidth.org/50577.html) describes the relationship between Lockdown and Secure Boot and [Jan-Philip Gehrcke's](https://gehrcke.de/2019/09/running-an-ebpf-program-may-require-lifting-the-kernel-lockdown/) connects this with eBPF. [RH bug 1768125](https://bugzilla.redhat.com/show_bug.cgi?id=1768125) contains some additional details. @@ -518,7 +484,7 @@ $ podman unshare cat /proc/self/uid_map Reference [subuid](http://man7.org/linux/man-pages/man5/subuid.5.html) and [subgid](http://man7.org/linux/man-pages/man5/subgid.5.html) man pages for more detail. -### 21) Passed-in device can't be accessed in rootless container +### 20) Passed-in device can't be accessed in rootless container As a non-root user you have group access rights to a device that you want to pass into a rootless container with `--device=...`. @@ -534,7 +500,7 @@ the non-root user has. If you use the `crun` runtime, 0.10.4 or newer, then you can enable a workaround by adding `--annotation io.crun.keep_original_groups=1` to the `podman` command line. -### 22) A rootless container running in detached mode is closed at logout +### 21) A rootless container running in detached mode is closed at logout When running a container with a command like `podman run --detach httpd` as a rootless user, the container is closed upon logout and is not kept running. @@ -554,7 +520,7 @@ To later revert the linger functionality, use `loginctl disable-linger`. LOGINCTL(1), SYSTEMD(1) -### 23) Containers default detach keys conflict with shell history navigation +### 22) Containers default detach keys conflict with shell history navigation Podman defaults to `ctrl-p,ctrl-q` to detach from a running containers. The bash and zsh shells default to ctrl-p for the displaying of the previous |