diff options
Diffstat (limited to 'libpod')
| -rw-r--r-- | libpod/container.log.go | 2 | ||||
| -rw-r--r-- | libpod/container_api.go | 5 | ||||
| -rw-r--r-- | libpod/container_inspect.go | 100 | ||||
| -rw-r--r-- | libpod/container_internal.go | 3 | ||||
| -rw-r--r-- | libpod/container_internal_linux.go | 5 | ||||
| -rw-r--r-- | libpod/define/errors.go | 5 | ||||
| -rw-r--r-- | libpod/logs/log.go | 15 | ||||
| -rw-r--r-- | libpod/networking_linux.go | 118 | ||||
| -rw-r--r-- | libpod/networking_unsupported.go | 4 | ||||
| -rw-r--r-- | libpod/oci_conmon_linux.go | 25 | ||||
| -rw-r--r-- | libpod/runtime_ctr.go | 3 | ||||
| -rw-r--r-- | libpod/runtime_volume.go | 3 | ||||
| -rw-r--r-- | libpod/runtime_volume_linux.go | 3 | ||||
| -rw-r--r-- | libpod/volume.go | 7 |
14 files changed, 217 insertions, 81 deletions
diff --git a/libpod/container.log.go b/libpod/container.log.go index 7c46dde9a..514edb8c8 100644 --- a/libpod/container.log.go +++ b/libpod/container.log.go @@ -41,6 +41,7 @@ func (c *Container) readFromLogFile(options *logs.LogOptions, logChannel chan *l if len(tailLog) > 0 { for _, nll := range tailLog { nll.CID = c.ID() + nll.CName = c.Name() if nll.Since(options.Since) { logChannel <- nll } @@ -63,6 +64,7 @@ func (c *Container) readFromLogFile(options *logs.LogOptions, logChannel chan *l partial = "" } nll.CID = c.ID() + nll.CName = c.Name() if nll.Since(options.Since) { logChannel <- nll } diff --git a/libpod/container_api.go b/libpod/container_api.go index d612341bc..dabbe27dc 100644 --- a/libpod/container_api.go +++ b/libpod/container_api.go @@ -270,11 +270,6 @@ func (c *Container) Exec(tty, privileged bool, env map[string]string, cmd []stri } }() - // if the user is empty, we should inherit the user that the container is currently running with - if user == "" { - user = c.config.User - } - opts := new(ExecOptions) opts.Cmd = cmd opts.CapAdd = capList diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go index 641bc8a91..a543a19c0 100644 --- a/libpod/container_inspect.go +++ b/libpod/container_inspect.go @@ -606,11 +606,45 @@ type InspectContainerState struct { Healthcheck HealthCheckResults `json:"Healthcheck,omitempty"` } +// InspectBasicNetworkConfig holds basic configuration information (e.g. IP +// addresses, MAC address, subnet masks, etc) that are common for all networks +// (both additional and main). +type InspectBasicNetworkConfig struct { + // EndpointID is unused, maintained exclusively for compatibility. + EndpointID string `json:"EndpointID"` + // Gateway is the IP address of the gateway this network will use. + Gateway string `json:"Gateway"` + // IPAddress is the IP address for this network. + IPAddress string `json:"IPAddress"` + // IPPrefixLen is the length of the subnet mask of this network. + IPPrefixLen int `json:"IPPrefixLen"` + // SecondaryIPAddresses is a list of extra IP Addresses that the + // container has been assigned in this network. + SecondaryIPAddresses []string `json:"SecondaryIPAddresses,omitempty"` + // IPv6Gateway is the IPv6 gateway this network will use. + IPv6Gateway string `json:"IPv6Gateway"` + // GlobalIPv6Address is the global-scope IPv6 Address for this network. + GlobalIPv6Address string `json:"GlobalIPv6Address"` + // GlobalIPv6PrefixLen is the length of the subnet mask of this network. + GlobalIPv6PrefixLen int `json:"GlobalIPv6PrefixLen"` + // SecondaryIPv6Addresses is a list of extra IPv6 Addresses that the + // container has been assigned in this networ. + SecondaryIPv6Addresses []string `json:"SecondaryIPv6Addresses,omitempty"` + // MacAddress is the MAC address for the interface in this network. + MacAddress string `json:"MacAddress"` + // AdditionalMacAddresses is a set of additional MAC Addresses beyond + // the first. CNI may configure more than one interface for a single + // network, which can cause this. + AdditionalMacAddresses []string `json:"AdditionalMACAddresses,omitempty"` +} + // InspectNetworkSettings holds information about the network settings of the // container. // Many fields are maintained only for compatibility with `docker inspect` and // are unused within Libpod. type InspectNetworkSettings struct { + InspectBasicNetworkConfig + Bridge string `json:"Bridge"` SandboxID string `json:"SandboxID"` HairpinMode bool `json:"HairpinMode"` @@ -618,16 +652,30 @@ type InspectNetworkSettings struct { LinkLocalIPv6PrefixLen int `json:"LinkLocalIPv6PrefixLen"` Ports []ocicni.PortMapping `json:"Ports"` SandboxKey string `json:"SandboxKey"` - SecondaryIPAddresses []string `json:"SecondaryIPAddresses"` - SecondaryIPv6Addresses []string `json:"SecondaryIPv6Addresses"` - EndpointID string `json:"EndpointID"` - Gateway string `json:"Gateway"` - GlobalIPv6Address string `json:"GlobalIPv6Address"` - GlobalIPv6PrefixLen int `json:"GlobalIPv6PrefixLen"` - IPAddress string `json:"IPAddress"` - IPPrefixLen int `json:"IPPrefixLen"` - IPv6Gateway string `json:"IPv6Gateway"` - MacAddress string `json:"MacAddress"` + // Networks contains information on non-default CNI networks this + // container has joined. + // It is a map of network name to network information. + Networks map[string]*InspectAdditionalNetwork `json:"Networks,omitempty"` +} + +// InspectAdditionalNetwork holds information about non-default CNI networks the +// container has been connected to. +// As with InspectNetworkSettings, many fields are unused and maintained only +// for compatibility with Docker. +type InspectAdditionalNetwork struct { + InspectBasicNetworkConfig + + // Name of the network we're connecting to. + NetworkID string `json:"NetworkID,omitempty"` + // DriverOpts is presently unused and maintained exclusively for + // compatibility. + DriverOpts map[string]string `json:"DriverOpts"` + // IPAMConfig is presently unused and maintained exlusively for + // compabitility. + IPAMConfig map[string]string `json:"IPAMConfig"` + // Links is presently unused and maintained exclusively for + // compatibility. + Links []string `json:"Links"` } // inspectLocked inspects a container for low-level information. @@ -754,27 +802,7 @@ func (c *Container) getContainerInspectData(size bool, driverData *driver.Data) GraphDriver: driverData, Mounts: inspectMounts, Dependencies: c.Dependencies(), - NetworkSettings: &InspectNetworkSettings{ - Bridge: "", // TODO - SandboxID: "", // TODO - is this even relevant? - HairpinMode: false, // TODO - LinkLocalIPv6Address: "", // TODO - do we even support IPv6? - LinkLocalIPv6PrefixLen: 0, // TODO - do we even support IPv6? - - Ports: []ocicni.PortMapping{}, // TODO - maybe worth it to put this in Docker format? - SandboxKey: "", // Network namespace path - SecondaryIPAddresses: nil, // TODO - do we support this? - SecondaryIPv6Addresses: nil, // TODO - do we support this? - EndpointID: "", // TODO - is this even relevant? - Gateway: "", // TODO - GlobalIPv6Address: "", - GlobalIPv6PrefixLen: 0, - IPAddress: "", - IPPrefixLen: 0, - IPv6Gateway: "", - MacAddress: "", // TODO - }, - IsInfra: c.IsInfra(), + IsInfra: c.IsInfra(), } if c.state.ConfigPath != "" { @@ -792,13 +820,11 @@ func (c *Container) getContainerInspectData(size bool, driverData *driver.Data) } } - // Copy port mappings into network settings - if config.PortMappings != nil { - data.NetworkSettings.Ports = config.PortMappings + networkConfig, err := c.getContainerNetworkInfo() + if err != nil { + return nil, err } - - // Get information on the container's network namespace (if present) - data = c.getContainerNetworkInfo(data) + data.NetworkSettings = networkConfig inspectConfig, err := c.generateInspectContainerConfig(ctrSpec) if err != nil { diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 11f9721dc..ff43bfc8f 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -1401,6 +1401,9 @@ func (c *Container) mountNamedVolume(v *ContainerNamedVolume, mountpoint string) return nil, errors.Wrapf(err, "error retrieving named volume %s for container %s", v.Name, c.ID()) } + if vol.config.LockID == c.config.LockID { + return nil, errors.Wrapf(define.ErrWillDeadlock, "container %s and volume %s share lock ID %d", c.ID(), vol.Name(), c.config.LockID) + } vol.lock.Lock() defer vol.lock.Unlock() if vol.needsMount() { diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index 739026264..63968918c 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -330,7 +330,10 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { // Add addition groups if c.config.GroupAdd is not empty if len(c.config.Groups) > 0 { - gids, _ := lookup.GetContainerGroups(c.config.Groups, c.state.Mountpoint, nil) + gids, err := lookup.GetContainerGroups(c.config.Groups, c.state.Mountpoint, overrides) + if err != nil { + return nil, errors.Wrapf(err, "error looking up supplemental groups for container %s", c.ID()) + } for _, gid := range gids { g.AddProcessAdditionalGid(gid) } diff --git a/libpod/define/errors.go b/libpod/define/errors.go index 523062866..b79cf08dc 100644 --- a/libpod/define/errors.go +++ b/libpod/define/errors.go @@ -61,6 +61,11 @@ var ( // the user. ErrDetach = utils.ErrDetach + // ErrWillDeadlock indicates that the requested operation will cause a + // deadlock. This is usually caused by upgrade issues, and is resolved + // by renumbering the locks. + ErrWillDeadlock = errors.New("deadlock due to lock mismatch") + // ErrNoCgroups indicates that the container does not have its own // CGroup. ErrNoCgroups = errors.New("this container does not have a cgroup") diff --git a/libpod/logs/log.go b/libpod/logs/log.go index bd918abae..200ef3e99 100644 --- a/libpod/logs/log.go +++ b/libpod/logs/log.go @@ -38,6 +38,7 @@ type LogOptions struct { Timestamps bool Multi bool WaitGroup *sync.WaitGroup + UseName bool } // LogLine describes the information for each line of a log @@ -47,6 +48,7 @@ type LogLine struct { Time time.Time Msg string CID string + CName string } // GetLogFile returns an hp tail for a container given options @@ -164,11 +166,16 @@ func getTailLog(path string, tail int) ([]*LogLine, error) { func (l *LogLine) String(options *LogOptions) string { var out string if options.Multi { - cid := l.CID - if len(cid) > 12 { - cid = cid[:12] + if options.UseName { + cname := l.CName + out = fmt.Sprintf("%s ", cname) + } else { + cid := l.CID + if len(cid) > 12 { + cid = cid[:12] + } + out = fmt.Sprintf("%s ", cid) } - out = fmt.Sprintf("%s ", cid) } if options.Timestamps { out += fmt.Sprintf("%s ", l.Time.Format(LogTimeFormat)) diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go index fa8593f20..d57b1a8eb 100644 --- a/libpod/networking_linux.go +++ b/libpod/networking_linux.go @@ -12,13 +12,13 @@ import ( "os" "os/exec" "path/filepath" - "strconv" "strings" "syscall" "time" cnitypes "github.com/containernetworking/cni/pkg/types/current" "github.com/containernetworking/plugins/pkg/ns" + "github.com/containers/libpod/libpod/define" "github.com/containers/libpod/pkg/errorhandling" "github.com/containers/libpod/pkg/netns" "github.com/containers/libpod/pkg/rootless" @@ -556,37 +556,105 @@ func getContainerNetIO(ctr *Container) (*netlink.LinkStatistics, error) { return netStats, err } -func (c *Container) getContainerNetworkInfo(data *InspectContainerData) *InspectContainerData { - if c.state.NetNS != nil && len(c.state.NetworkStatus) > 0 { - // Report network settings from the first pod network - result := c.state.NetworkStatus[0] - // Go through our IP addresses - for _, ctrIP := range result.IPs { - ipWithMask := ctrIP.Address.String() - splitIP := strings.Split(ipWithMask, "/") - mask, _ := strconv.Atoi(splitIP[1]) - if ctrIP.Version == "4" { - data.NetworkSettings.IPAddress = splitIP[0] - data.NetworkSettings.IPPrefixLen = mask - data.NetworkSettings.Gateway = ctrIP.Gateway.String() - } else { - data.NetworkSettings.GlobalIPv6Address = splitIP[0] - data.NetworkSettings.GlobalIPv6PrefixLen = mask - data.NetworkSettings.IPv6Gateway = ctrIP.Gateway.String() +// Produce an InspectNetworkSettings containing information on the container +// network. +func (c *Container) getContainerNetworkInfo() (*InspectNetworkSettings, error) { + settings := new(InspectNetworkSettings) + settings.Ports = []ocicni.PortMapping{} + if c.config.PortMappings != nil { + // TODO: This may not be safe. + settings.Ports = c.config.PortMappings + } + + // We can't do more if the network is down. + if c.state.NetNS == nil { + return settings, nil + } + + // Set network namespace path + settings.SandboxKey = c.state.NetNS.Path() + + // If this is empty, we're probably slirp4netns + if len(c.state.NetworkStatus) == 0 { + return settings, nil + } + + // If we have CNI networks - handle that here + if len(c.config.Networks) > 0 { + if len(c.config.Networks) != len(c.state.NetworkStatus) { + return nil, errors.Wrapf(define.ErrInternal, "network inspection mismatch: asked to join %d CNI networks but have information on %d networks", len(c.config.Networks), len(c.state.NetworkStatus)) + } + + settings.Networks = make(map[string]*InspectAdditionalNetwork) + + // CNI results should be in the same order as the list of + // networks we pass into CNI. + for index, name := range c.config.Networks { + cniResult := c.state.NetworkStatus[index] + addedNet := new(InspectAdditionalNetwork) + addedNet.NetworkID = name + + basicConfig, err := resultToBasicNetworkConfig(cniResult) + if err != nil { + return nil, err } + addedNet.InspectBasicNetworkConfig = basicConfig + + settings.Networks[name] = addedNet } - // Set network namespace path - data.NetworkSettings.SandboxKey = c.state.NetNS.Path() + return settings, nil + } + + // If not joining networks, we should have at most 1 result + if len(c.state.NetworkStatus) > 1 { + return nil, errors.Wrapf(define.ErrInternal, "should have at most 1 CNI result if not joining networks, instead got %d", len(c.state.NetworkStatus)) + } + + if len(c.state.NetworkStatus) == 1 { + basicConfig, err := resultToBasicNetworkConfig(c.state.NetworkStatus[0]) + if err != nil { + return nil, err + } - // Set MAC address of interface linked with network namespace path - for _, i := range result.Interfaces { - if i.Sandbox == data.NetworkSettings.SandboxKey { - data.NetworkSettings.MacAddress = i.Mac + settings.InspectBasicNetworkConfig = basicConfig + } + + return settings, nil +} + +// resultToBasicNetworkConfig produces an InspectBasicNetworkConfig from a CNI +// result +func resultToBasicNetworkConfig(result *cnitypes.Result) (InspectBasicNetworkConfig, error) { + config := InspectBasicNetworkConfig{} + + for _, ctrIP := range result.IPs { + size, _ := ctrIP.Address.Mask.Size() + switch { + case ctrIP.Version == "4" && config.IPAddress == "": + config.IPAddress = ctrIP.Address.IP.String() + config.IPPrefixLen = size + config.Gateway = ctrIP.Gateway.String() + if ctrIP.Interface != nil && *ctrIP.Interface < len(result.Interfaces) && *ctrIP.Interface > 0 { + config.MacAddress = result.Interfaces[*ctrIP.Interface].Mac + } + case ctrIP.Version == "4" && config.IPAddress != "": + config.SecondaryIPAddresses = append(config.SecondaryIPAddresses, ctrIP.Address.String()) + if ctrIP.Interface != nil && *ctrIP.Interface < len(result.Interfaces) && *ctrIP.Interface > 0 { + config.AdditionalMacAddresses = append(config.AdditionalMacAddresses, result.Interfaces[*ctrIP.Interface].Mac) } + case ctrIP.Version == "6" && config.IPAddress == "": + config.GlobalIPv6Address = ctrIP.Address.IP.String() + config.GlobalIPv6PrefixLen = size + config.IPv6Gateway = ctrIP.Gateway.String() + case ctrIP.Version == "6" && config.IPAddress != "": + config.SecondaryIPv6Addresses = append(config.SecondaryIPv6Addresses, ctrIP.Address.String()) + default: + return config, errors.Wrapf(define.ErrInternal, "unrecognized IP version %q", ctrIP.Version) } } - return data + + return config, nil } type logrusDebugWriter struct { diff --git a/libpod/networking_unsupported.go b/libpod/networking_unsupported.go index d9b3730aa..7f343cf35 100644 --- a/libpod/networking_unsupported.go +++ b/libpod/networking_unsupported.go @@ -20,6 +20,6 @@ func (r *Runtime) createNetNS(ctr *Container) (err error) { return define.ErrNotImplemented } -func (c *Container) getContainerNetworkInfo(data *InspectContainerData) *InspectContainerData { - return nil +func (c *Container) getContainerNetworkInfo() (*InspectNetworkSettings, error) { + return nil, define.ErrNotImplemented } diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go index 07d38693f..800f89603 100644 --- a/libpod/oci_conmon_linux.go +++ b/libpod/oci_conmon_linux.go @@ -1252,18 +1252,35 @@ func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, se } + var addGroups []string + var sgids []uint32 + + // if the user is empty, we should inherit the user that the container is currently running with + if user == "" { + user = c.config.User + addGroups = c.config.Groups + } + overrides := c.getUserOverrides() execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, overrides) if err != nil { return nil, err } + if len(addGroups) > 0 { + sgids, err = lookup.GetContainerGroups(addGroups, c.state.Mountpoint, overrides) + if err != nil { + return nil, errors.Wrapf(err, "error looking up supplemental groups for container %s exec session %s", c.ID(), sessionID) + } + } + // If user was set, look it up in the container to get a UID to use on // the host - if user != "" { - sgids := make([]uint32, 0, len(execUser.Sgids)) - for _, sgid := range execUser.Sgids { - sgids = append(sgids, uint32(sgid)) + if user != "" || len(sgids) > 0 { + if user != "" { + for _, sgid := range execUser.Sgids { + sgids = append(sgids, uint32(sgid)) + } } processUser := spec.User{ UID: uint32(execUser.Uid), diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go index 3ad09f27c..39284026c 100644 --- a/libpod/runtime_ctr.go +++ b/libpod/runtime_ctr.go @@ -412,6 +412,9 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool, } // Lock the pod while we're removing container + if pod.config.LockID == c.config.LockID { + return errors.Wrapf(define.ErrWillDeadlock, "container %s and pod %s share lock ID %d", c.ID(), pod.ID(), c.config.LockID) + } pod.lock.Lock() defer pod.lock.Unlock() if err := pod.updatePod(); err != nil { diff --git a/libpod/runtime_volume.go b/libpod/runtime_volume.go index 835dccf9c..efc3c5bd9 100644 --- a/libpod/runtime_volume.go +++ b/libpod/runtime_volume.go @@ -36,9 +36,6 @@ func (r *Runtime) RemoveVolume(ctx context.Context, v *Volume, force bool) error } } - v.lock.Lock() - defer v.lock.Unlock() - return r.removeVolume(ctx, v, force) } diff --git a/libpod/runtime_volume_linux.go b/libpod/runtime_volume_linux.go index 037cf4cc2..e9cfda9d4 100644 --- a/libpod/runtime_volume_linux.go +++ b/libpod/runtime_volume_linux.go @@ -124,6 +124,9 @@ func (r *Runtime) removeVolume(ctx context.Context, v *Volume, force bool) error return define.ErrVolumeRemoved } + v.lock.Lock() + defer v.lock.Unlock() + // Update volume status to pick up a potential removal from state if err := v.update(); err != nil { return err diff --git a/libpod/volume.go b/libpod/volume.go index 1ffed872e..70099d6f4 100644 --- a/libpod/volume.go +++ b/libpod/volume.go @@ -126,3 +126,10 @@ func (v *Volume) GID() int { func (v *Volume) CreatedTime() time.Time { return v.config.CreatedTime } + +// Config returns the volume's configuration. +func (v *Volume) Config() (*VolumeConfig, error) { + config := VolumeConfig{} + err := JSONDeepCopy(v.config, &config) + return &config, err +} |