diff options
56 files changed, 287 insertions, 169 deletions
diff --git a/.cirrus.yml b/.cirrus.yml index c33ed9c0c..9837c2814 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -327,6 +327,7 @@ alt_build_task: osx_alt_build_task: name: "OSX Cross" alias: osx_alt_build + only_if: $CI != $CI # Temporarily disabled while infra. non-functional depends_on: - build env: diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go index e95e447e1..3ce4e6731 100644 --- a/cmd/podman/common/create.go +++ b/cmd/podman/common/create.go @@ -97,7 +97,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions, cgroupsFlagName := "cgroups" createFlags.StringVar( - &cf.CGroupsMode, + &cf.CgroupsMode, cgroupsFlagName, cgroupConfig(), `control container cgroup configuration ("enabled"|"disabled"|"no-conmon"|"split")`, ) @@ -159,7 +159,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions, deviceCgroupRuleFlagName := "device-cgroup-rule" createFlags.StringSliceVar( - &cf.DeviceCGroupRule, + &cf.DeviceCgroupRule, deviceCgroupRuleFlagName, []string{}, "Add a rule to the cgroup allowed devices list", ) @@ -762,7 +762,7 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions, cgroupParentFlagName := "cgroup-parent" createFlags.StringVar( - &cf.CGroupParent, + &cf.CgroupParent, cgroupParentFlagName, "", "Optional parent cgroup for the container", ) diff --git a/cmd/podman/common/create_opts.go b/cmd/podman/common/create_opts.go index b4641ea96..eb0d07836 100644 --- a/cmd/podman/common/create_opts.go +++ b/cmd/podman/common/create_opts.go @@ -246,7 +246,7 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig, rtc *c Authfile: "", CapAdd: append(capAdd, cc.HostConfig.CapAdd...), CapDrop: append(cappDrop, cc.HostConfig.CapDrop...), - CGroupParent: cc.HostConfig.CgroupParent, + CgroupParent: cc.HostConfig.CgroupParent, CIDFile: cc.HostConfig.ContainerIDFile, CPUPeriod: uint64(cc.HostConfig.CPUPeriod), CPUQuota: cc.HostConfig.CPUQuota, 
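Review bot: The added `only_if: $CI != $CI` line disables the OSX cross-build job with only a free-text comment, and nothing in the hunk says who re-enables it or when; disabled CI jobs that carry no tracking reference tend to stay disabled, and as far as is visible here this task is the only darwin build exercised by the pipeline. Suggest anchoring the comment to a ticket and an owner so it can be audited later, e.g. `only_if: $CI != $CI # Temporarily disabled while Cirrus OSX infra is non-functional; tracked in <issue link>, re-enable before the next release`. The rest of `osx_alt_build_task` is outside the hunk.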
@@ -259,7 +259,7 @@ func ContainerCreateToContainerCLIOpts(cc handlers.CreateContainerConfig, rtc *c // Detach: false, // don't need // DetachKeys: "", // don't need Devices: devices, - DeviceCGroupRule: nil, + DeviceCgroupRule: nil, DeviceReadBPs: readBps, DeviceReadIOPs: readIops, DeviceWriteBPs: writeBps, diff --git a/cmd/podman/containers/create.go b/cmd/podman/containers/create.go index 694b97fe5..db78c96ee 100644 --- a/cmd/podman/containers/create.go +++ b/cmd/podman/containers/create.go @@ -257,8 +257,8 @@ func CreateInit(c *cobra.Command, vals entities.ContainerCreateOptions, isInfra } vals.Env = env } - if c.Flag("cgroups").Changed && vals.CGroupsMode == "split" && registry.IsRemote() { - return vals, errors.Errorf("the option --cgroups=%q is not supported in remote mode", vals.CGroupsMode) + if c.Flag("cgroups").Changed && vals.CgroupsMode == "split" && registry.IsRemote() { + return vals, errors.Errorf("the option --cgroups=%q is not supported in remote mode", vals.CgroupsMode) } if c.Flag("pod").Changed && !strings.HasPrefix(c.Flag("pod").Value.String(), "new:") && c.Flag("userns").Changed { diff --git a/cmd/podman/containers/prune.go b/cmd/podman/containers/prune.go index e13b9e7f6..f58e37fd1 100644 --- a/cmd/podman/containers/prune.go +++ b/cmd/podman/containers/prune.go @@ -9,11 +9,11 @@ import ( "github.com/containers/common/pkg/completion" "github.com/containers/podman/v3/cmd/podman/common" + "github.com/containers/podman/v3/cmd/podman/parse" "github.com/containers/podman/v3/cmd/podman/registry" "github.com/containers/podman/v3/cmd/podman/utils" "github.com/containers/podman/v3/cmd/podman/validate" "github.com/containers/podman/v3/pkg/domain/entities" - "github.com/containers/podman/v3/pkg/specgenutil" "github.com/spf13/cobra" ) 
@@ -64,7 +64,7 @@ func prune(cmd *cobra.Command, args []string) error { } } - pruneOptions.Filters, err = specgenutil.ParseFilters(filter) + pruneOptions.Filters, err = parse.FilterArgumentsIntoFilters(filter) if err != nil { return err } diff --git a/cmd/podman/images/prune.go b/cmd/podman/images/prune.go index fc7451c41..e4c320a55 100644 --- a/cmd/podman/images/prune.go +++ b/cmd/podman/images/prune.go @@ -8,11 +8,11 @@ import ( "github.com/containers/common/pkg/completion" "github.com/containers/podman/v3/cmd/podman/common" + "github.com/containers/podman/v3/cmd/podman/parse" "github.com/containers/podman/v3/cmd/podman/registry" "github.com/containers/podman/v3/cmd/podman/utils" "github.com/containers/podman/v3/cmd/podman/validate" "github.com/containers/podman/v3/pkg/domain/entities" - "github.com/containers/podman/v3/pkg/specgenutil" "github.com/spf13/cobra" ) @@ -66,7 +66,7 @@ func prune(cmd *cobra.Command, args []string) error { return nil } } - filterMap, err := specgenutil.ParseFilters(filter) + filterMap, err := parse.FilterArgumentsIntoFilters(filter) if err != nil { return err } diff --git a/cmd/podman/networks/list.go b/cmd/podman/networks/list.go index b84c9f5d3..be61d72d8 100644 --- a/cmd/podman/networks/list.go +++ b/cmd/podman/networks/list.go @@ -10,10 +10,10 @@ import ( "github.com/containers/common/pkg/completion" "github.com/containers/common/pkg/report" "github.com/containers/podman/v3/cmd/podman/common" + "github.com/containers/podman/v3/cmd/podman/parse" "github.com/containers/podman/v3/cmd/podman/registry" "github.com/containers/podman/v3/cmd/podman/validate" "github.com/containers/podman/v3/pkg/domain/entities" - "github.com/pkg/errors" "github.com/spf13/cobra" "github.com/spf13/pflag" ) 
@@ -61,14 +61,12 @@ func init() { } func networkList(cmd *cobra.Command, args []string) error { - networkListOptions.Filters = make(map[string][]string) - for _, f := range filters { - split := strings.SplitN(f, "=", 2) - if len(split) == 1 { - return errors.Errorf("invalid filter %q", f) - } - networkListOptions.Filters[split[0]] = append(networkListOptions.Filters[split[0]], split[1]) + var err error + networkListOptions.Filters, err = parse.FilterArgumentsIntoFilters(filters) + if err != nil { + return err } + responses, err := registry.ContainerEngine().NetworkList(registry.Context(), networkListOptions) if err != nil { return err diff --git a/cmd/podman/networks/prune.go b/cmd/podman/networks/prune.go index 311d098cd..e113cd359 100644 --- a/cmd/podman/networks/prune.go +++ b/cmd/podman/networks/prune.go @@ -7,11 +7,11 @@ import ( "strings" "github.com/containers/podman/v3/cmd/podman/common" + "github.com/containers/podman/v3/cmd/podman/parse" "github.com/containers/podman/v3/cmd/podman/registry" "github.com/containers/podman/v3/cmd/podman/utils" "github.com/containers/podman/v3/cmd/podman/validate" "github.com/containers/podman/v3/pkg/domain/entities" - "github.com/containers/podman/v3/pkg/specgenutil" "github.com/spf13/cobra" "github.com/spf13/pflag" ) @@ -68,7 +68,7 @@ func networkPrune(cmd *cobra.Command, _ []string) error { return nil } } - networkPruneOptions.Filters, err = specgenutil.ParseFilters(filter) + networkPruneOptions.Filters, err = parse.FilterArgumentsIntoFilters(filter) if err != nil { return err } @@ -12,7 +12,7 @@ require ( github.com/containernetworking/cni v1.0.1 github.com/containernetworking/plugins v1.0.1 github.com/containers/buildah v1.23.1-0.20220112160421-d744ebc4b1d5 - github.com/containers/common v0.46.1-0.20220112112017-31e8cc4aeeab + github.com/containers/common v0.46.1-0.20220117145719-da777f8b15b1 github.com/containers/conmon v2.0.20+incompatible github.com/containers/image/v5 v5.18.0 github.com/containers/ocicrypt v1.1.2 
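Review bot: The removed inline loop had a defined contract — a `--filter` argument without `=` returned `invalid filter %q` — and whether `parse.FilterArgumentsIntoFilters` keeps that error or quietly accepts or drops a bare key is not visible in this diff, since the helper's body is not part of the change. The same helper now also backs the container, image and network prune paths in this commit, so any laxness in it widens what prune filters accept across four commands rather than one. A regression test along the lines of `podman network ls --filter foo` (and the prune equivalents) asserting a non-nil error would pin the behaviour; the note `// FilterArgumentsIntoFilters rejects filters lacking a "key=value" form` next to the new call would document the expectation. `networkList` continues past the end of the hunk.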
@@ -315,8 +315,8 @@ github.com/containernetworking/plugins v1.0.1/go.mod h1:QHCfGpaTwYTbbH+nZXKVTxNB github.com/containers/buildah v1.23.1-0.20220112160421-d744ebc4b1d5 h1:J4ZMQgpzjClLNuRDCIYDY2KZE1yO9A1I3A/jEaFvtaY= github.com/containers/buildah v1.23.1-0.20220112160421-d744ebc4b1d5/go.mod h1:pA9nL58rY+rtoyZkzPmkv02Nwb9ifvYlChg95gKkNAY= github.com/containers/common v0.46.1-0.20220110165509-08c2c97e5e25/go.mod h1:hXUU9gtA8V9dSLHhizp/k/s0ZXBzrnUSScUfrsw8z2Y= -github.com/containers/common v0.46.1-0.20220112112017-31e8cc4aeeab h1:Pf1kwI8sZPiPMuen619noeltwtB2cIFC1iY42fE87AY= -github.com/containers/common v0.46.1-0.20220112112017-31e8cc4aeeab/go.mod h1:hXUU9gtA8V9dSLHhizp/k/s0ZXBzrnUSScUfrsw8z2Y= +github.com/containers/common v0.46.1-0.20220117145719-da777f8b15b1 h1:TGXTygk3STL+G4F1zGgSITdIEE5i+BgsSDLOmGuUYTY= +github.com/containers/common v0.46.1-0.20220117145719-da777f8b15b1/go.mod h1:lJkY5VdkdU2BEDdbO5vgi3G69KWEgWBWXi6tNgm2BlM= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I= github.com/containers/image/v5 v5.17.1-0.20220106205022-73f80d60f0e1/go.mod h1:daAiRXgcGIf/7eD7B2EkuHHw084/8M8Kh35rzOu56y0= diff --git a/libpod/boltdb_state.go b/libpod/boltdb_state.go index ceeb5119d..68e35f79f 100644 --- a/libpod/boltdb_state.go +++ b/libpod/boltdb_state.go @@ -215,7 +215,7 @@ func (s *BoltState) Refresh() error { return errors.Wrapf(err, "error unmarshalling state for pod %s", string(id)) } - // Clear the CGroup path + // Clear the Cgroup path state.CgroupPath = "" newStateBytes, err := json.Marshal(state) diff --git a/libpod/container.go b/libpod/container.go index 1dd2ef5f7..51a3ffd3d 100644 --- a/libpod/container.go +++ b/libpod/container.go 
@@ -23,7 +23,7 @@ import ( "github.com/sirupsen/logrus" ) -// CgroupfsDefaultCgroupParent is the cgroup parent for CGroupFS in libpod +// CgroupfsDefaultCgroupParent is the cgroup parent for CgroupFS in libpod const CgroupfsDefaultCgroupParent = "/libpod_parent" // SystemdDefaultCgroupParent is the cgroup parent for the systemd cgroup @@ -56,7 +56,7 @@ const ( UserNS LinuxNS = iota // UTSNS is the UTS namespace UTSNS LinuxNS = iota - // CgroupNS is the CGroup namespace + // CgroupNS is the Cgroup namespace CgroupNS LinuxNS = iota ) @@ -575,7 +575,7 @@ func (c *Container) CreatedTime() time.Time { return c.config.CreatedTime } -// CgroupParent gets the container's CGroup parent +// CgroupParent gets the container's Cgroup parent func (c *Container) CgroupParent() string { return c.config.CgroupParent } @@ -907,10 +907,10 @@ func (c *Container) CgroupManager() string { return cgroupManager } -// CGroupPath returns a cgroups "path" for the given container. +// CgroupPath returns a cgroups "path" for the given container. // Note that the container must be running. Otherwise, an error // is returned. -func (c *Container) CGroupPath() (string, error) { +func (c *Container) CgroupPath() (string, error) { if !c.batched { c.lock.Lock() defer c.lock.Unlock() diff --git a/libpod/container_config.go b/libpod/container_config.go index 102d74236..725e27c2a 100644 --- a/libpod/container_config.go +++ b/libpod/container_config.go @@ -334,7 +334,7 @@ type ContainerMiscConfig struct { // CgroupManager is the cgroup manager used to create this container. // If empty, the runtime default will be used. CgroupManager string `json:"cgroupManager,omitempty"` - // NoCgroups indicates that the container will not create CGroups. It is + // NoCgroups indicates that the container will not create Cgroups. It is // incompatible with CgroupParent. Deprecated in favor of CgroupsMode. NoCgroups bool `json:"noCgroups,omitempty"` // CgroupsMode indicates how the container will create cgroups 
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go index 5e63db0f2..086d51f04 100644 --- a/libpod/container_inspect.go +++ b/libpod/container_inspect.go @@ -742,7 +742,7 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named } hostConfig.CgroupMode = cgroupMode - // CGroup parent + // Cgroup parent // Need to check if it's the default, and not print if so. defaultCgroupParent := "" switch c.CgroupManager() { diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 12d6d5a18..d0c8ccc4c 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -1092,7 +1092,7 @@ func (c *Container) init(ctx context.Context, retainRetries bool) error { // upstream in any OCI runtime. // TODO: Remove once runc supports cgroupsv2 if strings.Contains(err.Error(), "this version of runc doesn't work on cgroups v2") { - logrus.Errorf("Oci runtime %q does not support CGroups V2: use system migrate to mitigate", c.ociRuntime.Name()) + logrus.Errorf("Oci runtime %q does not support Cgroups V2: use system migrate to mitigate", c.ociRuntime.Name()) } return err } @@ -1291,8 +1291,8 @@ func (c *Container) stop(timeout uint) error { // a pid namespace then the OCI Runtime needs to kill ALL processes in // the containers cgroup in order to make sure the container is stopped. all := !c.hasNamespace(spec.PIDNamespace) - // We can't use --all if CGroups aren't present. - // Rootless containers with CGroups v1 and NoCgroups are both cases + // We can't use --all if Cgroups aren't present. + // Rootless containers with Cgroups v1 and NoCgroups are both cases // where this can happen. if all { if c.config.NoCgroups { 
@@ -1400,7 +1400,7 @@ func (c *Container) stop(timeout uint) error { // Internal, non-locking function to pause a container func (c *Container) pause() error { if c.config.NoCgroups { - return errors.Wrapf(define.ErrNoCgroups, "cannot pause without using CGroups") + return errors.Wrapf(define.ErrNoCgroups, "cannot pause without using Cgroups") } if rootless.IsRootless() { @@ -1428,7 +1428,7 @@ func (c *Container) pause() error { // Internal, non-locking function to unpause a container func (c *Container) unpause() error { if c.config.NoCgroups { - return errors.Wrapf(define.ErrNoCgroups, "cannot unpause without using CGroups") + return errors.Wrapf(define.ErrNoCgroups, "cannot unpause without using Cgroups") } if err := c.ociRuntime.UnpauseContainer(c); err != nil { diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index 508a8a8cf..0f89daab0 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -2772,7 +2772,7 @@ func (c *Container) getOCICgroupPath() (string, error) { // expects cgroups to be passed as follows: // slice:prefix:name systemdCgroups := fmt.Sprintf("%s:libpod:%s", path.Base(c.config.CgroupParent), c.ID()) - logrus.Debugf("Setting CGroups for container %s to %s", c.ID(), systemdCgroups) + logrus.Debugf("Setting Cgroups for container %s to %s", c.ID(), systemdCgroups) return systemdCgroups, nil case (rootless.IsRootless() && (cgroupManager == config.CgroupfsCgroupsManager || !unified)): if c.config.CgroupParent == "" || !isRootlessCgroupSet(c.config.CgroupParent) { 
@@ -2781,7 +2781,7 @@ func (c *Container) getOCICgroupPath() (string, error) { fallthrough case cgroupManager == config.CgroupfsCgroupsManager: cgroupPath := filepath.Join(c.config.CgroupParent, fmt.Sprintf("libpod-%s", c.ID())) - logrus.Debugf("Setting CGroup path for container %s to %s", c.ID(), cgroupPath) + logrus.Debugf("Setting Cgroup path for container %s to %s", c.ID(), cgroupPath) return cgroupPath, nil default: return "", errors.Wrapf(define.ErrInvalidArg, "invalid cgroup manager %s requested", cgroupManager) diff --git a/libpod/container_validate.go b/libpod/container_validate.go index ca5ce8b2a..492225401 100644 --- a/libpod/container_validate.go +++ b/libpod/container_validate.go @@ -57,13 +57,13 @@ func (c *Container) validate() error { if ns.Type == spec.PIDNamespace { foundPid = true if ns.Path != "" { - return errors.Wrapf(define.ErrInvalidArg, "containers not creating CGroups must create a private PID namespace - cannot use another") + return errors.Wrapf(define.ErrInvalidArg, "containers not creating Cgroups must create a private PID namespace - cannot use another") } break } } if !foundPid { - return errors.Wrapf(define.ErrInvalidArg, "containers not creating CGroups must create a private PID namespace") + return errors.Wrapf(define.ErrInvalidArg, "containers not creating Cgroups must create a private PID namespace") } } diff --git a/libpod/define/container_inspect.go b/libpod/define/container_inspect.go index a61f9e615..804b2b143 100644 --- a/libpod/define/container_inspect.go +++ b/libpod/define/container_inspect.go 
@@ -350,9 +350,9 @@ type InspectContainerHostConfig struct { // populated. // TODO. Cgroup string `json:"Cgroup"` - // Cgroups contains the container's CGroup mode. - // Allowed values are "default" (container is creating CGroups) and - // "disabled" (container is not creating CGroups). + // Cgroups contains the container's Cgroup mode. + // Allowed values are "default" (container is creating Cgroups) and + // "disabled" (container is not creating Cgroups). // This is Libpod-specific and not included in `docker inspect`. Cgroups string `json:"Cgroups"` // Links is unused, and provided purely for Docker compatibility. @@ -425,7 +425,7 @@ type InspectContainerHostConfig struct { Isolation string `json:"Isolation"` // CpuShares indicates the CPU resources allocated to the container. // It is a relative weight in the scheduler for assigning CPU time - // versus other CGroups. + // versus other Cgroups. CpuShares uint64 `json:"CpuShares"` // Memory indicates the memory resources allocated to the container. // This is the limit (in bytes) of RAM the container may use. @@ -442,12 +442,12 @@ type InspectContainerHostConfig struct { // 100000, we will set both CpuQuota, CpuPeriod, and NanoCpus. If // CpuQuota is not the default, we will not set NanoCpus. NanoCpus int64 `json:"NanoCpus"` - // CgroupParent is the CGroup parent of the container. + // CgroupParent is the Cgroup parent of the container. // Only set if not default. CgroupParent string `json:"CgroupParent"` // BlkioWeight indicates the I/O resources allocated to the container. // It is a relative weight in the scheduler for assigning I/O time - // versus other CGroups. + // versus other Cgroups. BlkioWeight uint16 `json:"BlkioWeight"` // BlkioWeightDevice is an array of I/O resource priorities for // individual device nodes. diff --git a/libpod/define/errors.go b/libpod/define/errors.go index 653ef187d..f5a7c73e5 100644 --- a/libpod/define/errors.go +++ b/libpod/define/errors.go 
@@ -96,7 +96,7 @@ var ( ErrWillDeadlock = errors.New("deadlock due to lock mismatch") // ErrNoCgroups indicates that the container does not have its own - // CGroup. + // Cgroup. ErrNoCgroups = errors.New("this container does not have a cgroup") // ErrNoLogs indicates that this container is not creating a log so log // operations cannot be performed on it diff --git a/libpod/define/info.go b/libpod/define/info.go index 15400991f..48ad51c22 100644 --- a/libpod/define/info.go +++ b/libpod/define/info.go @@ -27,7 +27,7 @@ type HostInfo struct { Arch string `json:"arch"` BuildahVersion string `json:"buildahVersion"` CgroupManager string `json:"cgroupManager"` - CGroupsVersion string `json:"cgroupVersion"` + CgroupsVersion string `json:"cgroupVersion"` CgroupControllers []string `json:"cgroupControllers"` Conmon *ConmonInfo `json:"conmon"` CPUs int `json:"cpus"` diff --git a/libpod/define/pod_inspect.go b/libpod/define/pod_inspect.go index e7adc8700..e85a660a1 100644 --- a/libpod/define/pod_inspect.go +++ b/libpod/define/pod_inspect.go @@ -26,12 +26,12 @@ type InspectPodData struct { // Labels is a set of key-value labels that have been applied to the // pod. Labels map[string]string `json:"Labels,omitempty"` - // CreateCgroup is whether this pod will create its own CGroup to group + // CreateCgroup is whether this pod will create its own Cgroup to group // containers under. CreateCgroup bool - // CgroupParent is the parent of the pod's CGroup. + // CgroupParent is the parent of the pod's Cgroup. CgroupParent string `json:"CgroupParent,omitempty"` - // CgroupPath is the path to the pod's CGroup. + // CgroupPath is the path to the pod's Cgroup. CgroupPath string `json:"CgroupPath,omitempty"` // CreateInfra is whether this pod will create an infra container to // share namespaces. diff --git a/libpod/info.go b/libpod/info.go index 354364ccc..de675859e 100644 --- a/libpod/info.go +++ b/libpod/info.go 
@@ -104,7 +104,7 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) { return nil, errors.Wrapf(err, "error getting Seccomp profile path") } - // CGroups version + // Cgroups version unified, err := cgroups.IsCgroup2UnifiedMode() if err != nil { return nil, errors.Wrapf(err, "error reading cgroups mode") @@ -150,7 +150,7 @@ func (r *Runtime) hostInfo() (*define.HostInfo, error) { if unified { cgroupVersion = "v2" } - info.CGroupsVersion = cgroupVersion + info.CgroupsVersion = cgroupVersion slirp4netnsPath := r.config.Engine.NetworkCmdPath if slirp4netnsPath == "" { diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go index 3440507ed..8d6a23ecc 100644 --- a/libpod/oci_conmon_linux.go +++ b/libpod/oci_conmon_linux.go @@ -1402,7 +1402,7 @@ func (r *ConmonOCIRuntime) sharedConmonArgs(ctr *Container, cuuid, bundlePath, p args = append(args, "--log-tag", logTag) } if ctr.config.NoCgroups { - logrus.Debugf("Running with no CGroups") + logrus.Debugf("Running with no Cgroups") args = append(args, "--runtime-arg", "--cgroup-manager", "--runtime-arg", "disabled") } return args diff --git a/libpod/options.go b/libpod/options.go index 5cf7609e9..f32eb279d 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -217,7 +217,7 @@ func WithCgroupManager(manager string) RuntimeOption { } if manager != config.CgroupfsCgroupsManager && manager != config.SystemdCgroupsManager { - return errors.Wrapf(define.ErrInvalidArg, "CGroup manager must be one of %s and %s", + return errors.Wrapf(define.ErrInvalidArg, "Cgroup manager must be one of %s and %s", config.CgroupfsCgroupsManager, config.SystemdCgroupsManager) } 
@@ -945,7 +945,7 @@ func WithUTSNSFrom(nsCtr *Container) CtrCreateOption { } } -// WithCgroupNSFrom indicates the the container should join the CGroup namespace +// WithCgroupNSFrom indicates the the container should join the Cgroup namespace // of the given container. // If the container has joined a pod, it can only join the namespaces of // containers in the same pod. @@ -1080,7 +1080,7 @@ func WithLogTag(tag string) CtrCreateOption { } } -// WithCgroupsMode disables the creation of CGroups for the conmon process. +// WithCgroupsMode disables the creation of Cgroups for the conmon process. func WithCgroupsMode(mode string) CtrCreateOption { return func(ctr *Container) error { if ctr.valid { @@ -1864,7 +1864,7 @@ func WithPodCgroupParent(path string) PodCreateOption { // WithPodCgroups tells containers in this pod to use the cgroup created for // this pod. // This can still be overridden at the container level by explicitly specifying -// a CGroup parent. +// a Cgroup parent. func WithPodCgroups() PodCreateOption { return func(pod *Pod) error { if pod.valid { diff --git a/libpod/pod.go b/libpod/pod.go index 0e5ac4906..b159f6bc7 100644 --- a/libpod/pod.go +++ b/libpod/pod.go @@ -44,9 +44,9 @@ type PodConfig struct { // Labels contains labels applied to the pod Labels map[string]string `json:"labels"` - // CgroupParent contains the pod's CGroup parent + // CgroupParent contains the pod's Cgroup parent CgroupParent string `json:"cgroupParent"` - // UsePodCgroup indicates whether the pod will create its own CGroup and + // UsePodCgroup indicates whether the pod will create its own Cgroup and // join containers to it. // If true, all containers joined to the pod will use the pod cgroup as // their cgroup parent, and cannot set a different cgroup parent 
@@ -77,7 +77,7 @@ type PodConfig struct { // podState represents a pod's state type podState struct { - // CgroupPath is the path to the pod's CGroup + // CgroupPath is the path to the pod's Cgroup CgroupPath string `json:"cgroupPath"` // InfraContainerID is the container that holds pod namespace information // Most often an infra container @@ -237,7 +237,7 @@ func (p *Pod) CreateCommand() []string { return p.config.CreateCommand } -// CgroupParent returns the pod's CGroup parent +// CgroupParent returns the pod's Cgroup parent func (p *Pod) CgroupParent() string { return p.config.CgroupParent } @@ -289,7 +289,7 @@ func (p *Pod) Hostname() string { return p.config.Hostname } -// CgroupPath returns the path to the pod's CGroup +// CgroupPath returns the path to the pod's Cgroup func (p *Pod) CgroupPath() (string, error) { p.lock.Lock() defer p.lock.Unlock() @@ -315,7 +315,7 @@ func (p *Pod) CgroupPath() (string, error) { } if ctr != nil { ctr.Start(context.Background(), true) - cgroupPath, err := ctr.CGroupPath() + cgroupPath, err := ctr.CgroupPath() fmt.Println(cgroupPath) if err != nil { return "", errors.Wrapf(err, "could not get container cgroup") diff --git a/libpod/pod_internal.go b/libpod/pod_internal.go index d903b8719..eaa6eb14b 100644 --- a/libpod/pod_internal.go +++ b/libpod/pod_internal.go @@ -71,7 +71,7 @@ func (p *Pod) refresh() error { case config.SystemdCgroupsManager: cgroupPath, err := systemdSliceFromPath(p.config.CgroupParent, fmt.Sprintf("libpod_pod_%s", p.ID())) if err != nil { - logrus.Errorf("Creating CGroup for pod %s: %v", p.ID(), err) + logrus.Errorf("Creating Cgroup for pod %s: %v", p.ID(), err) } p.state.CgroupPath = cgroupPath case config.CgroupfsCgroupsManager: diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go index 252279485..15bca6133 100644 --- a/libpod/runtime_ctr.go +++ b/libpod/runtime_ctr.go 
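Review bot: `fmt.Println(cgroupPath)` on the context line immediately after the renamed `ctr.CgroupPath()` call is a stray debug print that the rename leaves in place: `Pod.CgroupPath` is a library accessor, so every caller (including JSON-emitting inspect paths, if they reach here) gets a host cgroup path written to the process's stdout. On the line before it, the result of `ctr.Start(context.Background(), true)` is discarded, so a failed start still falls through to the cgroup lookup and the error the caller then sees ("could not get container cgroup") hides the real cause; starting a container from inside a getter is itself surprising and deserves a why-comment. Suggest dropping the Println and checking the start: `if err := ctr.Start(context.Background(), true); err != nil { return "", errors.Wrapf(err, "could not start container %s", ctr.ID()) }`. `Pod.CgroupPath` begins and ends outside this hunk.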
@@ -344,8 +344,8 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai } } - // Check CGroup parent sanity, and set it if it was not set. - // Only if we're actually configuring CGroups. + // Check Cgroup parent sanity, and set it if it was not set. + // Only if we're actually configuring Cgroups. if !ctr.config.NoCgroups { ctr.config.CgroupManager = r.config.Engine.CgroupManager switch r.config.Engine.CgroupManager { @@ -391,7 +391,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai return nil, errors.Wrapf(define.ErrInvalidArg, "did not receive systemd slice as cgroup parent when using systemd to manage cgroups") } default: - return nil, errors.Wrapf(define.ErrInvalidArg, "unsupported CGroup manager: %s - cannot validate cgroup parent", r.config.Engine.CgroupManager) + return nil, errors.Wrapf(define.ErrInvalidArg, "unsupported Cgroup manager: %s - cannot validate cgroup parent", r.config.Engine.CgroupManager) } } @@ -411,7 +411,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai g.RemoveMount("/run/.containerenv") g.RemoveMount("/run/secrets") - // Regenerate CGroup paths so they don't point to the old + // Regenerate Cgroup paths so they don't point to the old // container ID. cgroupPath, err := ctr.getOCICgroupPath() if err != nil { diff --git a/libpod/runtime_pod_linux.go b/libpod/runtime_pod_linux.go index ee59cd8c3..ea3eb53c4 100644 --- a/libpod/runtime_pod_linux.go +++ b/libpod/runtime_pod_linux.go @@ -61,7 +61,7 @@ func (r *Runtime) NewPod(ctx context.Context, p specgen.PodSpecGenerator, option pod.valid = true - // Check CGroup parent sanity, and set it if it was not set + // Check Cgroup parent sanity, and set it if it was not set switch r.config.Engine.CgroupManager { case config.CgroupfsCgroupsManager: canUseCgroup := !rootless.IsRootless() || isRootlessCgroupSet(pod.config.CgroupParent) 
@@ -105,7 +105,7 @@ func (r *Runtime) NewPod(ctx context.Context, p specgen.PodSpecGenerator, option } } default: - return nil, errors.Wrapf(define.ErrInvalidArg, "unsupported CGroup manager: %s - cannot validate cgroup parent", r.config.Engine.CgroupManager) + return nil, errors.Wrapf(define.ErrInvalidArg, "unsupported Cgroup manager: %s - cannot validate cgroup parent", r.config.Engine.CgroupManager) } if pod.config.UsePodCgroup { @@ -226,12 +226,12 @@ func (r *Runtime) removePod(ctx context.Context, p *Pod, removeCtrs, force bool, } // We're going to be removing containers. - // If we are CGroupfs cgroup driver, to avoid races, we need to hit - // the pod and conmon CGroups with a PID limit to prevent them from + // If we are Cgroupfs cgroup driver, to avoid races, we need to hit + // the pod and conmon Cgroups with a PID limit to prevent them from // spawning any further processes (particularly cleanup processes) which - // would prevent removing the CGroups. + // would prevent removing the Cgroups. if p.runtime.config.Engine.CgroupManager == config.CgroupfsCgroupsManager { - // Get the conmon CGroup + // Get the conmon Cgroup conmonCgroupPath := filepath.Join(p.state.CgroupPath, "conmon") conmonCgroup, err := cgroups.Load(conmonCgroupPath) if err != nil && err != cgroups.ErrCgroupDeleted && err != cgroups.ErrCgroupV1Rootless { diff --git a/libpod/util_linux.go b/libpod/util_linux.go index ef871ef3d..9fee35823 100644 --- a/libpod/util_linux.go +++ b/libpod/util_linux.go @@ -43,7 +43,7 @@ func getDefaultSystemdCgroup() string { return SystemdDefaultCgroupParent } -// makeSystemdCgroup creates a systemd CGroup at the given location. +// makeSystemdCgroup creates a systemd Cgroup at the given location. func makeSystemdCgroup(path string) error { controller, err := cgroups.NewSystemd(getDefaultSystemdCgroup()) if err != nil { diff --git a/pkg/api/handlers/compat/containers_stats.go b/pkg/api/handlers/compat/containers_stats.go index a92fe9fe0..ad91a3a8e 100644 
--- a/pkg/api/handlers/compat/containers_stats.go +++ b/pkg/api/handlers/compat/containers_stats.go @@ -109,7 +109,7 @@ streamLabel: // A label to flatten the scope return } // Cgroup stats - cgroupPath, err := ctnr.CGroupPath() + cgroupPath, err := ctnr.CgroupPath() if err != nil { logrus.Errorf("Unable to get cgroup path of container: %v", err) return diff --git a/pkg/api/handlers/compat/info.go b/pkg/api/handlers/compat/info.go index 777009f0a..dac1eb193 100644 --- a/pkg/api/handlers/compat/info.go +++ b/pkg/api/handlers/compat/info.go @@ -124,7 +124,7 @@ func GetInfo(w http.ResponseWriter, r *http.Request) { BuildahVersion: infoData.Host.BuildahVersion, CPURealtimePeriod: sysInfo.CPURealtimePeriod, CPURealtimeRuntime: sysInfo.CPURealtimeRuntime, - CgroupVersion: strings.TrimPrefix(infoData.Host.CGroupsVersion, "v"), + CgroupVersion: strings.TrimPrefix(infoData.Host.CgroupsVersion, "v"), Rootless: rootless.IsRootless(), SwapFree: infoData.Host.SwapFree, SwapTotal: infoData.Host.SwapTotal, diff --git a/pkg/api/handlers/types.go b/pkg/api/handlers/types.go index 3b821d9e7..d3a592bdf 100644 --- a/pkg/api/handlers/types.go +++ b/pkg/api/handlers/types.go @@ -148,7 +148,7 @@ type PodTopOKBody struct { // swagger:model PodCreateConfig type PodCreateConfig struct { Name string `json:"name"` - CGroupParent string `json:"cgroup-parent"` + CgroupParent string `json:"cgroup-parent"` Hostname string `json:"hostname"` Infra bool `json:"infra"` InfraCommand string `json:"infra-command"` diff --git a/pkg/domain/entities/engine.go b/pkg/domain/entities/engine.go index 055af7ff9..32faa74af 100644 --- a/pkg/domain/entities/engine.go +++ b/pkg/domain/entities/engine.go 
@@ -33,7 +33,7 @@ type PodmanConfig struct { *config.Config *pflag.FlagSet - CGroupUsage string // rootless code determines Usage message + CgroupUsage string // rootless code determines Usage message ConmonPath string // --conmon flag will set Engine.ConmonPath CPUProfile string // Hidden: Should CPU profile be taken EngineMode EngineMode // ABI or Tunneling mode diff --git a/pkg/domain/entities/pods.go b/pkg/domain/entities/pods.go index cc9476d79..60d171f86 100644 --- a/pkg/domain/entities/pods.go +++ b/pkg/domain/entities/pods.go @@ -118,7 +118,7 @@ type PodSpec struct { // The JSON tags below are made to match the respective field in ContainerCreateOptions for the purpose of mapping. // swagger:model PodCreateOptions type PodCreateOptions struct { - CGroupParent string `json:"cgroup_parent,omitempty"` + CgroupParent string `json:"cgroup_parent,omitempty"` CreateCommand []string `json:"create_command,omitempty"` Devices []string `json:"devices,omitempty"` DeviceReadBPs []string `json:"device_read_bps,omitempty"` @@ -159,8 +159,8 @@ type ContainerCreateOptions struct { CapAdd []string CapDrop []string CgroupNS string - CGroupsMode string - CGroupParent string `json:"cgroup_parent,omitempty"` + CgroupsMode string + CgroupParent string `json:"cgroup_parent,omitempty"` CIDFile string ConmonPIDFile string `json:"container_conmon_pidfile,omitempty"` CPUPeriod uint64 @@ -172,7 +172,7 @@ type ContainerCreateOptions struct { CPUSetCPUs string `json:"cpuset_cpus,omitempty"` CPUSetMems string Devices []string `json:"devices,omitempty"` - DeviceCGroupRule []string + DeviceCgroupRule []string DeviceReadBPs []string `json:"device_read_bps,omitempty"` DeviceReadIOPs []string DeviceWriteBPs []string @@ -345,7 +345,7 @@ func ToPodSpecGen(s specgen.PodSpecGenerator, p *PodCreateOptions) (*specgen.Pod } // Cgroup - s.CgroupParent = p.CGroupParent + s.CgroupParent = p.CgroupParent // Resource config cpuDat := p.CPULimits() 
diff --git a/pkg/domain/infra/abi/containers.go b/pkg/domain/infra/abi/containers.go
index afd25d313..cab4c3c9a 100644
--- a/pkg/domain/infra/abi/containers.go
+++ b/pkg/domain/infra/abi/containers.go
@@ -989,7 +989,7 @@ func (ic *ContainerEngine) ContainerRun(ctx context.Context, opts entities.Conta
 report := entities.ContainerRunReport{Id: ctr.ID()}
 if logrus.GetLevel() == logrus.DebugLevel {
- cgroupPath, err := ctr.CGroupPath()
+ cgroupPath, err := ctr.CgroupPath()
 if err == nil {
 logrus.Debugf("container %q has CgroupParent %q", ctr.ID(), cgroupPath)
 }
diff --git a/pkg/specgen/generate/container.go b/pkg/specgen/generate/container.go
index 2c7b3c091..7b55a0cb3 100644
--- a/pkg/specgen/generate/container.go
+++ b/pkg/specgen/generate/container.go
@@ -229,6 +229,10 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
 }
 }
+ if s.CgroupsMode == "" {
+ s.CgroupsMode = rtc.Cgroups()
+ }
+
 // If caller did not specify Pids Limits load default
 if s.ResourceLimits == nil || s.ResourceLimits.Pids == nil {
 if s.CgroupsMode != "disabled" {
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index ee3a990fc..f72ffe80c 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -152,7 +152,7 @@ func canMountSys(isRootless, isNewUserns bool, s *specgen.SpecGenerator) bool {
 return true
 }
-func getCGroupPermissons(unmask []string) string {
+func getCgroupPermissons(unmask []string) string {
 ro := "ro"
 rw := "rw"
 cgroup := "/sys/fs/cgroup"
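Review bot: The fallback `s.CgroupsMode = rtc.Cgroups()` in CompleteSpec duplicates the defaulting that the FillOutSpecGen hunk in pkg/specgenutil/specgen.go performs from `config.Default()`, so two different containers.conf files can supply this value: with a remote client FillOutSpecGen runs on the client and the spec reaches the server with the mode already filled in, leaving this server-side branch to fire only for API callers that omit cgroups_mode. Because "disabled" switches off cgroup creation and, via the comparison just below, the default pids limit, it is worth stating in a comment which side is meant to be authoritative, e.g. `// Fall back to the server's containers.conf only when the caller left cgroups_mode unset; a local client has already filled it from its own config.` CompleteSpec begins and ends outside this hunk, and whether `rtc` can be nil here is not visible.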
@@ -176,7 +176,7 @@ func getCGroupPermissons(unmask []string) string { // SpecGenToOCI returns the base configuration for the container. func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *libimage.Image, mounts []spec.Mount, pod *libpod.Pod, finalCmd []string, compatibleOptions *libpod.InfraInherit) (*spec.Spec, error) { - cgroupPerm := getCGroupPermissons(s.Unmask) + cgroupPerm := getCgroupPermissons(s.Unmask) g, err := generate.New("linux") if err != nil { @@ -357,7 +357,7 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt // set the devices cgroup when not running in a user namespace if !inUserNS && !s.Privileged { g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm") - for _, dev := range s.DeviceCGroupRule { + for _, dev := range s.DeviceCgroupRule { g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access) } } diff --git a/pkg/specgen/podspecgen.go b/pkg/specgen/podspecgen.go index b6f2d6bf0..62b4725a7 100644 --- a/pkg/specgen/podspecgen.go +++ b/pkg/specgen/podspecgen.go @@ -183,7 +183,7 @@ type PodStorageConfig struct { // PodCgroupConfig contains configuration options about a pod's cgroups. // This will be expanded in future updates to pods. type PodCgroupConfig struct { - // CgroupParent is the parent for the CGroup that the pod will create. + // CgroupParent is the parent for the Cgroup that the pod will create. // This pod cgroup will, in turn, be the default cgroup parent for all // containers in the pod. // Optional. diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go index 82721ba92..750fc875d 100644 --- a/pkg/specgen/specgen.go +++ b/pkg/specgen/specgen.go 
@@ -264,9 +264,9 @@ type ContainerStorageConfig struct { // Devices are devices that will be added to the container. // Optional. Devices []spec.LinuxDevice `json:"devices,omitempty"` - // DeviceCGroupRule are device cgroup rules that allow containers + // DeviceCgroupRule are device cgroup rules that allow containers // to use additional types of devices. - DeviceCGroupRule []spec.LinuxDeviceCgroup `json:"device_cgroup_rule,omitempty"` + DeviceCgroupRule []spec.LinuxDeviceCgroup `json:"device_cgroup_rule,omitempty"` // DevicesFrom is a way to ensure your container inherits device specific information from another container DevicesFrom []string `json:"devices_from,omitempty"` // HostDeviceList is used to recreate the mounted device on inherited containers @@ -390,7 +390,7 @@ type ContainerCgroupConfig struct { // CgroupsMode sets a policy for how cgroups will be created in the // container, including the ability to disable creation entirely. CgroupsMode string `json:"cgroups_mode,omitempty"` - // CgroupParent is the container's CGroup parent. + // CgroupParent is the container's Cgroup parent. // If not set, the default for the current cgroup driver will be used. // Optional. CgroupParent string `json:"cgroup_parent,omitempty"` diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go index 70b6abff5..ee089695e 100644 --- a/pkg/specgenutil/specgen.go +++ b/pkg/specgenutil/specgen.go @@ -8,6 +8,7 @@ import ( "strings" "time" + "github.com/containers/common/pkg/config" "github.com/containers/image/v5/manifest" "github.com/containers/podman/v3/cmd/podman/parse" "github.com/containers/podman/v3/libpod/define" 
@@ -492,8 +493,17 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 if ld := c.LogDriver; len(ld) > 0 {
 s.LogConfiguration.Driver = ld
 }
- s.CgroupParent = c.CGroupParent
- s.CgroupsMode = c.CGroupsMode
+ s.CgroupParent = c.CgroupParent
+ s.CgroupsMode = c.CgroupsMode
+ if s.CgroupsMode == "" {
+ rtc, err := config.Default()
+ if err != nil {
+ return err
+ }
+
+ s.CgroupsMode = rtc.Cgroups()
+ }
+
 s.Groups = c.GroupAdd
 s.Hostname = c.Hostname
@@ -591,12 +601,12 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 s.Devices = append(s.Devices, specs.LinuxDevice{Path: dev})
 }
- for _, rule := range c.DeviceCGroupRule {
+ for _, rule := range c.DeviceCgroupRule {
 dev, err := parseLinuxResourcesDeviceAccess(rule)
 if err != nil {
 return err
 }
- s.DeviceCGroupRule = append(s.DeviceCGroupRule, dev)
+ s.DeviceCgroupRule = append(s.DeviceCgroupRule, dev)
 }
 s.Init = c.Init
diff --git a/pkg/specgenutil/util.go b/pkg/specgenutil/util.go
index 9389a98a5..0a980a576 100644
--- a/pkg/specgenutil/util.go
+++ b/pkg/specgenutil/util.go
@@ -38,21 +38,6 @@ func ReadPodIDFiles(files []string) ([]string, error) {
 return ids, nil
 }
-// ParseFilters transforms one filter format to another and validates input
-func ParseFilters(filter []string) (map[string][]string, error) {
- // TODO Remove once filter refactor is finished and url.Values done.
- filters := map[string][]string{}
- for _, f := range filter {
- t := strings.SplitN(f, "=", 2)
- filters = make(map[string][]string)
- if len(t) < 2 {
- return map[string][]string{}, errors.Errorf("filter input must be in the form of filter=value: %s is invalid", f)
- }
- filters[t[0]] = append(filters[t[0]], t[1])
- }
- return filters, nil
-}
-
 // CreateExpose parses user-provided exposed port definitions and converts them
 // into SpecGen format.
 // TODO: The SpecGen format should really handle ranges more sanely - we could
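Review bot: The error from `config.Default()` is returned bare, so a create that fails because containers.conf cannot be loaded gives the user no hint of where the failure came from; unless this file lacks the pkg/errors import that the sibling util.go uses, `return errors.Wrap(err, "loading default containers.conf")` would carry that context. The value of `rtc.Cgroups()` is copied into `s.CgroupsMode` without being checked against the set of cgroup modes the code accepts, so a misspelled value in containers.conf only surfaces later, if at all — hedged, since validation may happen downstream of this function. The same defaulting is repeated in CompleteSpec (pkg/specgen/generate/container.go), and FillOutSpecGen starts and ends outside this hunk.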
diff --git a/podman.spec.rpkg b/podman.spec.rpkg index cff5eb3d9..5c203b24a 100644 --- a/podman.spec.rpkg +++ b/podman.spec.rpkg @@ -52,9 +52,52 @@ VCS: {{{ git_dir_vcs }}} # and returns its filename. The tarball will be used to build the rpm. Source: {{{ git_dir_pack }}} +%if 0%{?fedora} && ! 0%{?rhel} +BuildRequires: btrfs-progs-devel +%endif +BuildRequires: gcc +BuildRequires: golang >= 1.16.6 +BuildRequires: glib2-devel +BuildRequires: glibc-devel +BuildRequires: glibc-static +BuildRequires: git-core +BuildRequires: go-md2man +BuildRequires: go-rpm-macros +BuildRequires: gpgme-devel +BuildRequires: libassuan-devel +BuildRequires: libgpg-error-devel +BuildRequires: libseccomp-devel +BuildRequires: libselinux-devel +%if 0%{?fedora} >= 35 +BuildRequires: shadow-utils-subid-devel +%endif +BuildRequires: pkgconfig +BuildRequires: make +BuildRequires: ostree-devel +BuildRequires: systemd +BuildRequires: systemd-devel +Requires: conmon >= 2:2.0.30-2 +Requires: containers-common >= 4:1-30 +Requires: containernetworking-plugins >= 1.0.0-15.1 +Requires: iptables +Requires: nftables +Requires: netavark +Recommends: %{name}-plugins = %{epoch}:%{version}-%{release} +Recommends: catatonit +Suggests: qemu-user-static + # More detailed description of the package %description -This is a hello world package. +%{name} (Pod Manager) is a fully featured container engine that is a simple +daemonless tool. %{name} provides a Docker-CLI comparable command line that +eases the transition from other container engines and allows the management of +pods, containers and images. Simply put: alias docker=%{name}. +Most %{name} commands can be run as a regular user, without requiring +additional privileges. + +%{name} uses Buildah(1) internally to create container images. +Both tools share image (not container) storage, hence each can use or +manipulate images (but not containers) created by the other. %package docker Summary: Emulate Docker CLI using %{name} 
diff --git a/test/e2e/containers_conf_test.go b/test/e2e/containers_conf_test.go index 838221dd5..d6bf66a50 100644 --- a/test/e2e/containers_conf_test.go +++ b/test/e2e/containers_conf_test.go @@ -83,7 +83,7 @@ var _ = Describe("Podman run", func() { }) It("podman Capabilities in containers.conf", func() { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") cap := podmanTest.Podman([]string{"run", ALPINE, "grep", "CapEff", "/proc/self/status"}) cap.WaitWithDefaultTimeout() Expect(cap).Should(Exit(0)) @@ -123,7 +123,7 @@ var _ = Describe("Podman run", func() { }) verifyNSHandling := func(nspath, option string) { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") os.Setenv("CONTAINERS_CONF", "config/containers-ns.conf") if IsRemote() { podmanTest.RestartRemoteService() 
@@ -484,4 +484,35 @@ var _ = Describe("Podman run", func() {
 Expect(result).Should(Exit(125))
 Expect(result.ErrorToString()).To(ContainSubstring(errorString))
 })
+
+ It("podman containers.conf cgroups=disabled", func() {
+ if !strings.Contains(podmanTest.OCIRuntime, "crun") {
+ Skip("FIXME: requires crun")
+ }
+ conffile := filepath.Join(podmanTest.TempDir, "container.conf")
+
+ err := ioutil.WriteFile(conffile, []byte("[containers]\ncgroups=\"disabled\"\n"), 0755)
+ Expect(err).To(BeNil())
+
+ result := podmanTest.Podman([]string{"create", ALPINE, "true"})
+ result.WaitWithDefaultTimeout()
+ Expect(result).Should(Exit(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", "--format", "{{ .HostConfig.Cgroups }}", result.OutputToString()})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.OutputToString()).To(Not(Equal("disabled")))
+
+ os.Setenv("CONTAINERS_CONF", conffile)
+ if IsRemote() {
+ podmanTest.RestartRemoteService()
+ }
+ result = podmanTest.Podman([]string{"create", ALPINE, "true"})
+ result.WaitWithDefaultTimeout()
+ Expect(result).Should(Exit(0))
+
+ inspect = podmanTest.Podman([]string{"inspect", "--format", "{{ .HostConfig.Cgroups }}", result.OutputToString()})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.OutputToString()).To(Equal("disabled"))
+ })
+
 })
diff --git a/test/e2e/cp_test.go b/test/e2e/cp_test.go
index 360b8c7fc..70b559222 100644
--- a/test/e2e/cp_test.go
+++ b/test/e2e/cp_test.go
@@ -94,7 +94,7 @@ var _ = Describe("Podman cp", func() {
 // Copy a file to the container, then back to the host in --pid=host
 It("podman cp --pid=host file", func() {
- SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1")
+ SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1")
 srcFile, err := ioutil.TempFile("", "")
 Expect(err).To(BeNil())
 defer srcFile.Close()
diff --git a/test/e2e/pod_infra_container_test.go b/test/e2e/pod_infra_container_test.go
index 4a5a8c6b0..f4b99bb6b 100644
--- a/test/e2e/pod_infra_container_test.go
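Review bot: Both `inspect` sessions in the new "cgroups=disabled" test are checked only for their output, never for their exit status, so a failed inspect with empty output makes the first `Not(Equal("disabled"))` assertion pass vacuously; add `Expect(inspect).Should(Exit(0))` after each `inspect.WaitWithDefaultTimeout()`. The config file is written with `0755`, which marks a plain TOML file executable for no reason; `0644` is sufficient for the reader. `os.Setenv("CONTAINERS_CONF", conffile)` has no paired reset inside the test, so unless the suite's AfterEach clears that variable (not visible here) the disabled-cgroups configuration leaks into the tests that run afterwards.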
+++ b/test/e2e/pod_infra_container_test.go @@ -225,7 +225,7 @@ var _ = Describe("Podman pod create", func() { }) It("podman pod container can override pod pid NS", func() { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") session := podmanTest.Podman([]string{"pod", "create", "--share", "pid"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) diff --git a/test/e2e/pod_kill_test.go b/test/e2e/pod_kill_test.go index 7ab62ec5d..0bd9aa0f1 100644 --- a/test/e2e/pod_kill_test.go +++ b/test/e2e/pod_kill_test.go @@ -128,7 +128,7 @@ var _ = Describe("Podman pod kill", func() { }) It("podman pod kill all", func() { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") _, ec, podid := podmanTest.CreatePod(nil) Expect(ec).To(Equal(0)) diff --git a/test/e2e/pod_ps_test.go b/test/e2e/pod_ps_test.go index 4b2a3b66d..281aea9a9 100644 --- a/test/e2e/pod_ps_test.go +++ b/test/e2e/pod_ps_test.go @@ -174,7 +174,7 @@ var _ = Describe("Podman ps", func() { }) It("podman pod ps --ctr-names", func() { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") _, ec, podid := podmanTest.CreatePod(nil) Expect(ec).To(Equal(0)) diff --git a/test/e2e/run_ns_test.go b/test/e2e/run_ns_test.go index db81cc1a7..7f4b58c0d 100644 --- a/test/e2e/run_ns_test.go +++ b/test/e2e/run_ns_test.go @@ -36,7 +36,7 @@ var _ = Describe("Podman run ns", func() { }) It("podman run pidns test", func() { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") session := podmanTest.Podman([]string{"run", fedoraMinimal, "bash", "-c", "echo $$"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) 
@@ -115,7 +115,7 @@ var _ = Describe("Podman run ns", func() { }) It("podman run --ipc=host --pid=host", func() { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") cmd := exec.Command("ls", "-l", "/proc/self/ns/pid") res, err := cmd.Output() Expect(err).To(BeNil()) diff --git a/test/e2e/run_selinux_test.go b/test/e2e/run_selinux_test.go index a6672d45e..5ae49a5c2 100644 --- a/test/e2e/run_selinux_test.go +++ b/test/e2e/run_selinux_test.go @@ -260,7 +260,7 @@ var _ = Describe("Podman run", func() { }) It("podman test --pid=host", func() { - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") session := podmanTest.Podman([]string{"run", "--pid=host", ALPINE, "cat", "/proc/self/attr/current"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index e98f2c999..b461594c1 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go 
@@ -386,31 +386,31 @@ var _ = Describe("Podman run", func() { SkipIfCgroupV1("podman umask on /sys/fs/cgroup will fail with cgroups V1") SkipIfRootless("/sys/fs/cgroup rw access is needed") - rwOnCGroups := "/sys/fs/cgroup cgroup2 rw" + rwOnCgroups := "/sys/fs/cgroup cgroup2 rw" session := podmanTest.Podman([]string{"run", "--security-opt", "unmask=ALL", "--security-opt", "mask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCgroups)) session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCgroups)) session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup///", ALPINE, "cat", "/proc/mounts"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCgroups)) session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=ALL", ALPINE, "cat", "/proc/mounts"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCgroups)) session = podmanTest.Podman([]string{"run", "--security-opt", "unmask=/sys/fs/cgroup", "--security-opt", "mask=/sys/fs/cgroup", ALPINE, "cat", "/proc/mounts"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) - Expect(session.OutputToString()).To(ContainSubstring(rwOnCGroups)) + Expect(session.OutputToString()).To(ContainSubstring(rwOnCgroups)) session = podmanTest.Podman([]string{"run", 
"--security-opt", "unmask=/sys/fs/cgroup", ALPINE, "ls", "/sys/fs/cgroup"}) session.WaitWithDefaultTimeout() diff --git a/test/e2e/toolbox_test.go b/test/e2e/toolbox_test.go index 40db5180a..72ada5c31 100644 --- a/test/e2e/toolbox_test.go +++ b/test/e2e/toolbox_test.go @@ -118,7 +118,7 @@ var _ = Describe("Toolbox-specific testing", func() { if podmanTest.RemoteTest { Skip("Shm size check does not work with a remote client") } - SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") + SkipIfRootlessCgroupsV1("Not supported for rootless + CgroupsV1") var session *PodmanSessionIntegration var cmd *exec.Cmd var hostShmSize, containerShmSize int diff --git a/vendor/github.com/containers/common/libnetwork/network/interface.go b/vendor/github.com/containers/common/libnetwork/network/interface.go index 190e6945b..37a910a24 100644 --- a/vendor/github.com/containers/common/libnetwork/network/interface.go +++ b/vendor/github.com/containers/common/libnetwork/network/interface.go 
@@ -14,11 +14,24 @@ import ( "github.com/containers/common/libnetwork/types" "github.com/containers/common/pkg/config" "github.com/containers/storage" + "github.com/containers/storage/pkg/homedir" "github.com/containers/storage/pkg/ioutils" + "github.com/containers/storage/pkg/unshare" "github.com/sirupsen/logrus" ) -const defaultNetworkBackendFileName = "defaultNetworkBackend" +const ( + // defaultNetworkBackendFileName is the file name for sentinel file to store the backend + defaultNetworkBackendFileName = "defaultNetworkBackend" + // cniConfigDir is the directory where cni configuration is found + cniConfigDir = "/etc/cni/net.d/" + // cniConfigDirRootless is the directory in XDG_CONFIG_HOME for cni plugins + cniConfigDirRootless = "cni/net.d/" + // netavarkConfigDir is the config directory for the rootful network files + netavarkConfigDir = "/etc/containers/networks" + // netavarkRunDir is the run directory for the rootful temporary network files such as the ipam db + netavarkRunDir = "/run/containers/networks" +) // NetworkBackend returns the network backend name and interface // It returns either the CNI or netavark backend depending on what is set in the config. 
@@ -42,9 +55,24 @@ func NetworkBackend(store storage.Store, conf *config.Config, syslog bool) (type if err != nil { return "", nil, err } + + confDir := conf.Network.NetworkConfigDir + if confDir == "" { + confDir = getDefaultNetavarkConfigDir(store) + } + + // We cannot use the runroot for rootful since the network namespace is shared for all + // libpod instances they also have to share the same ipam db. + // For rootless we have our own network namespace per libpod instances, + // so this is not a problem there. + runDir := netavarkRunDir + if unshare.IsRootless() { + runDir = filepath.Join(store.RunRoot(), "networks") + } + netInt, err := netavark.NewNetworkInterface(&netavark.InitConfig{ - NetworkConfigDir: filepath.Join(store.GraphRoot(), "networks"), - NetworkRunDir: filepath.Join(store.RunRoot(), "networks"), + NetworkConfigDir: confDir, + NetworkRunDir: runDir, NetavarkBinary: netavarkBin, DefaultNetwork: conf.Network.DefaultNetwork, DefaultSubnet: conf.Network.DefaultSubnet, 
@@ -122,11 +150,42 @@ func defaultNetworkBackend(store storage.Store, conf *config.Config) (backend ty } func getCniInterface(conf *config.Config) (types.ContainerNetwork, error) { + confDir := conf.Network.NetworkConfigDir + if confDir == "" { + var err error + confDir, err = getDefultCNIConfigDir() + if err != nil { + return nil, err + } + } return cni.NewCNINetworkInterface(&cni.InitConfig{ - CNIConfigDir: conf.Network.NetworkConfigDir, + CNIConfigDir: confDir, CNIPluginDirs: conf.Network.CNIPluginDirs, DefaultNetwork: conf.Network.DefaultNetwork, DefaultSubnet: conf.Network.DefaultSubnet, IsMachine: conf.Engine.MachineEnabled, }) } + +func getDefultCNIConfigDir() (string, error) { + if !unshare.IsRootless() { + return cniConfigDir, nil + } + + configHome, err := homedir.GetConfigHome() + if err != nil { + return "", err + } + return filepath.Join(configHome, cniConfigDirRootless), nil +} + +// getDefaultNetavarkConfigDir return the netavark config dir. For rootful it will +// use "/etc/containers/networks" and for rootless "$graphroot/networks". We cannot +// use the graphroot for rootful since the network namespace is shared for all +// libpod instances. +func getDefaultNetavarkConfigDir(store storage.Store) string { + if !unshare.IsRootless() { + return netavarkConfigDir + } + return filepath.Join(store.GraphRoot(), "networks") +} diff --git a/vendor/github.com/containers/common/pkg/config/config.go b/vendor/github.com/containers/common/pkg/config/config.go index 7f89b9252..6837a378a 100644 --- a/vendor/github.com/containers/common/pkg/config/config.go +++ b/vendor/github.com/containers/common/pkg/config/config.go 
@@ -822,21 +822,6 @@ func (c *ContainersConfig) Validate() error { // execution checks. It returns an `error` on validation failure, otherwise // `nil`. func (c *NetworkConfig) Validate() error { - expectedConfigDir := _cniConfigDir - if unshare.IsRootless() { - home, err := unshare.HomeDir() - if err != nil { - return err - } - expectedConfigDir = filepath.Join(home, _cniConfigDirRootless) - } - if c.NetworkConfigDir != expectedConfigDir { - err := isDirectory(c.NetworkConfigDir) - if err != nil && !os.IsNotExist(err) { - return errors.Wrapf(err, "invalid network_config_dir: %s", c.NetworkConfigDir) - } - } - if stringsEq(c.CNIPluginDirs, DefaultCNIPluginDirs) { return nil } diff --git a/vendor/github.com/containers/common/pkg/config/containers.conf b/vendor/github.com/containers/common/pkg/config/containers.conf index 4e8ad21f8..b1e6f5435 100644 --- a/vendor/github.com/containers/common/pkg/config/containers.conf +++ b/vendor/github.com/containers/common/pkg/config/containers.conf @@ -249,9 +249,6 @@ default_sysctls = [ # #volumes = [] -# The network table contains settings pertaining to the management of -# CNI plugins. - [secrets] #driver = "file" @@ -260,9 +257,15 @@ default_sysctls = [ [network] -# Network backend to use. Default "CNI". +# Network backend determines what network driver will be used to set up and tear down container networks. +# Valid values are "cni" and "netavark". +# The default value is empty which means that it will automatically choose CNI or netavark. If there are +# already containers/images or CNI networks preset it will choose CNI. +# +# Before changing this value all containers must be stopped otherwise it is likely that +# iptables rules and network interfaces might leak on the host. A reboot will fix this. # -#network_backend = "cni" +#network_backend = "" # Path to directory where CNI plugin binaries are located. # 
@@ -274,18 +277,22 @@ default_sysctls = [ # "/opt/cni/bin", #] -# The network name of the default CNI network to attach pods to. +# The network name of the default network to attach pods to. # #default_network = "podman" -# The default subnet for the default CNI network given in default_network. +# The default subnet for the default network given in default_network. # If a network with that name does not exist, a new network using that name and # this subnet will be created. # Must be a valid IPv4 CIDR prefix. # #default_subnet = "10.88.0.0/16" -# Path to the directory where CNI configuration files are located. +# Path to the directory where network configuration files are located. +# For the CNI backend the default is "/etc/cni/net.d" as root +# and "$HOME/.config/cni/net.d" as rootless. +# For the netavark backend "/etc/containers/networks" is used as root +# and "$graphroot/networks" as rootless. # #network_config_dir = "/etc/cni/net.d/" @@ -351,6 +358,9 @@ default_sysctls = [ # #env = [] +# Define where event logs will be stored, when events_logger is "file". +#events_logfile_path="" + # Selects which logging mechanism to use for container engine events. # Valid values are `journald`, `file` and `none`. # diff --git a/vendor/github.com/containers/common/pkg/config/default.go b/vendor/github.com/containers/common/pkg/config/default.go index 561158b12..55e4e4b67 100644 --- a/vendor/github.com/containers/common/pkg/config/default.go +++ b/vendor/github.com/containers/common/pkg/config/default.go 
@@ -94,10 +94,6 @@ const ( // InstallPrefix is the prefix where podman will be installed. // It can be overridden at build time. _installPrefix = "/usr" - // _cniConfigDir is the directory where cni configuration is found - _cniConfigDir = "/etc/cni/net.d/" - // _cniConfigDirRootless is the directory in XDG_CONFIG_HOME for cni plugins - _cniConfigDirRootless = "cni/net.d/" // CgroupfsCgroupsManager represents cgroupfs native cgroup manager CgroupfsCgroupsManager = "cgroupfs" // DefaultApparmorProfile specifies the default apparmor profile for the container. @@ -141,8 +137,6 @@ func DefaultConfig() (*Config, error) { return nil, err } - cniConfig := _cniConfigDir - defaultEngineConfig.SignaturePolicyPath = DefaultSignaturePolicyPath if unshare.IsRootless() { configHome, err := homedir.GetConfigHome() @@ -156,7 +150,6 @@ func DefaultConfig() (*Config, error) { defaultEngineConfig.SignaturePolicyPath = DefaultSignaturePolicyPath } } - cniConfig = filepath.Join(configHome, _cniConfigDirRootless) } cgroupNS := "host" @@ -203,10 +196,9 @@ func DefaultConfig() (*Config, error) { UserNSSize: DefaultUserNSSize, }, Network: NetworkConfig{ - DefaultNetwork: "podman", - DefaultSubnet: DefaultSubnet, - NetworkConfigDir: cniConfig, - CNIPluginDirs: DefaultCNIPluginDirs, + DefaultNetwork: "podman", + DefaultSubnet: DefaultSubnet, + CNIPluginDirs: DefaultCNIPluginDirs, }, Engine: *defaultEngineConfig, Secrets: defaultSecretConfig(), diff --git a/vendor/modules.txt b/vendor/modules.txt index 671f37644..abf1fbbc2 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -109,7 +109,7 @@ github.com/containers/buildah/pkg/rusage github.com/containers/buildah/pkg/sshagent github.com/containers/buildah/pkg/util github.com/containers/buildah/util -# github.com/containers/common v0.46.1-0.20220112112017-31e8cc4aeeab +# github.com/containers/common v0.46.1-0.20220117145719-da777f8b15b1 ## explicit github.com/containers/common/libimage github.com/containers/common/libimage/manifests |