diff options
Diffstat (limited to 'pkg')
26 files changed, 458 insertions, 234 deletions
diff --git a/pkg/adapter/containers.go b/pkg/adapter/containers.go index 08e19edb8..a5242270e 100644 --- a/pkg/adapter/containers.go +++ b/pkg/adapter/containers.go @@ -19,13 +19,13 @@ import ( "github.com/containers/image/v5/manifest" "github.com/containers/libpod/cmd/podman/cliconfig" "github.com/containers/libpod/cmd/podman/shared" - "github.com/containers/libpod/cmd/podman/shared/parse" "github.com/containers/libpod/libpod" "github.com/containers/libpod/libpod/define" "github.com/containers/libpod/libpod/events" "github.com/containers/libpod/libpod/image" "github.com/containers/libpod/libpod/logs" "github.com/containers/libpod/pkg/adapter/shortcuts" + envLib "github.com/containers/libpod/pkg/env" "github.com/containers/libpod/pkg/systemd/generate" "github.com/containers/storage" "github.com/pkg/errors" @@ -987,9 +987,20 @@ func (r *LocalRuntime) ExecContainer(ctx context.Context, cli *cliconfig.ExecVal // Validate given environment variables env := map[string]string{} - if err := parse.ReadKVStrings(env, cli.EnvFile, cli.Env); err != nil { - return ec, errors.Wrapf(err, "unable to process environment variables") + if len(cli.EnvFile) > 0 { + for _, f := range cli.EnvFile { + fileEnv, err := envLib.ParseFile(f) + if err != nil { + return ec, err + } + env = envLib.Join(env, fileEnv) + } } + cliEnv, err := envLib.ParseSlice(cli.Env) + if err != nil { + return ec, errors.Wrap(err, "error parsing environment variables") + } + env = envLib.Join(env, cliEnv) streams := new(libpod.AttachStreams) streams.OutputStream = os.Stdout @@ -1101,6 +1112,15 @@ func (r *LocalRuntime) CleanupContainers(ctx context.Context, cli *cliconfig.Cle } else { failures[ctr.ID()] = err } + + if cli.RemoveImage { + _, imageName := ctr.Image() + if err := removeContainerImage(ctx, ctr, r); err != nil { + failures[imageName] = err + } else { + ok = append(ok, imageName) + } + } } return ok, failures, nil } @@ -1120,6 +1140,16 @@ func cleanupContainer(ctx context.Context, ctr *libpod.Container, runtime *Local return nil } +func removeContainerImage(ctx context.Context, ctr *libpod.Container, runtime *LocalRuntime) error { + _, imageName := ctr.Image() + ctrImage, err := runtime.NewImageFromLocal(imageName) + if err != nil { + return err + } + _, err = runtime.RemoveImage(ctx, ctrImage, false) + return err +} + // Port displays port information about existing containers func (r *LocalRuntime) Port(c *cliconfig.PortValues) ([]*Container, error) { var ( diff --git a/pkg/adapter/containers_remote.go b/pkg/adapter/containers_remote.go index 60ee3cb2d..32a84b60d 100644 --- a/pkg/adapter/containers_remote.go +++ b/pkg/adapter/containers_remote.go @@ -15,11 +15,11 @@ import ( "github.com/containers/libpod/cmd/podman/cliconfig" "github.com/containers/libpod/cmd/podman/shared" - "github.com/containers/libpod/cmd/podman/shared/parse" iopodman "github.com/containers/libpod/cmd/podman/varlink" "github.com/containers/libpod/libpod" "github.com/containers/libpod/libpod/define" "github.com/containers/libpod/libpod/logs" + envLib "github.com/containers/libpod/pkg/env" "github.com/containers/libpod/pkg/varlinkapi/virtwriter" "github.com/cri-o/ocicni/pkg/ocicni" "github.com/docker/docker/pkg/term" @@ -1025,16 +1025,11 @@ func (r *LocalRuntime) ExecContainer(ctx context.Context, cli *cliconfig.ExecVal ) // default invalid command exit code // Validate given environment variables - env := map[string]string{} - if err := parse.ReadKVStrings(env, []string{}, cli.Env); err != nil { - return -1, errors.Wrapf(err, "Exec unable to process environment variables") - } - - // Build env slice of key=value strings for Exec - envs := []string{} - for k, v := range env { - envs = append(envs, fmt.Sprintf("%s=%s", k, v)) + cliEnv, err := envLib.ParseSlice(cli.Env) + if err != nil { + return 0, errors.Wrap(err, "error parsing environment variables") } + envs := envLib.Slice(cliEnv) resize := make(chan remotecommand.TerminalSize, 5) haveTerminal := terminal.IsTerminal(int(os.Stdin.Fd())) diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go index 0d9fa7210..dc856cc8d 100644 --- a/pkg/adapter/pods.go +++ b/pkg/adapter/pods.go @@ -22,6 +22,7 @@ import ( "github.com/containers/libpod/libpod/image" "github.com/containers/libpod/pkg/adapter/shortcuts" ann "github.com/containers/libpod/pkg/annotations" + envLib "github.com/containers/libpod/pkg/env" ns "github.com/containers/libpod/pkg/namespaces" createconfig "github.com/containers/libpod/pkg/spec" "github.com/containers/libpod/pkg/util" @@ -916,9 +917,6 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container containerConfig.User = userConfig containerConfig.Security = securityConfig - // Set default environment variables and incorporate data from image, if necessary - envs := shared.EnvVariablesFromData(imageData) - annotations := make(map[string]string) if infraID != "" { annotations[ann.SandboxID] = infraID @@ -927,6 +925,14 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container containerConfig.Annotations = annotations // Environment Variables + envs := map[string]string{} + if imageData != nil { + imageEnv, err := envLib.ParseSlice(imageData.Config.Env) + if err != nil { + return nil, errors.Wrap(err, "error parsing image environment variables") + } + envs = imageEnv + } for _, e := range containerYAML.Env { envs[e.Name] = e.Value } diff --git a/pkg/api/handlers/containers.go b/pkg/api/handlers/containers.go index d7d040ce2..ee080e794 100644 --- a/pkg/api/handlers/containers.go +++ b/pkg/api/handlers/containers.go @@ -8,7 +8,6 @@ import ( "github.com/containers/libpod/libpod" "github.com/containers/libpod/libpod/define" "github.com/containers/libpod/pkg/api/handlers/utils" - "github.com/gorilla/mux" "github.com/gorilla/schema" "github.com/pkg/errors" ) @@ -179,7 +178,7 @@ func RestartContainer(w http.ResponseWriter, r *http.Request) { } timeout := con.StopTimeout() - if _, found := mux.Vars(r)["t"]; found { + if _, found := r.URL.Query()["t"]; found { timeout = uint(query.Timeout) } diff --git a/pkg/api/handlers/containers_attach.go b/pkg/api/handlers/containers_attach.go index facbd22a5..5a799a20c 100644 --- a/pkg/api/handlers/containers_attach.go +++ b/pkg/api/handlers/containers_attach.go @@ -6,7 +6,6 @@ import ( "github.com/containers/libpod/libpod" "github.com/containers/libpod/libpod/define" "github.com/containers/libpod/pkg/api/handlers/utils" - "github.com/gorilla/mux" "github.com/gorilla/schema" "github.com/pkg/errors" "github.com/sirupsen/logrus" @@ -30,12 +29,10 @@ func AttachContainer(w http.ResponseWriter, r *http.Request) { return } - muxVars := mux.Vars(r) - // Detach keys: explicitly set to "" is very different from unset // TODO: Our format for parsing these may be different from Docker. var detachKeys *string - if _, found := muxVars["detachKeys"]; found { + if _, found := r.URL.Query()["detachKeys"]; found { detachKeys = &query.DetachKeys } @@ -44,15 +41,15 @@ func AttachContainer(w http.ResponseWriter, r *http.Request) { streams.Stderr = true streams.Stdin = true useStreams := false - if _, found := muxVars["stdin"]; found { + if _, found := r.URL.Query()["stdin"]; found { streams.Stdin = query.Stdin useStreams = true } - if _, found := muxVars["stdout"]; found { + if _, found := r.URL.Query()["stdout"]; found { streams.Stdout = query.Stdout useStreams = true } - if _, found := muxVars["stderr"]; found { + if _, found := r.URL.Query()["stderr"]; found { streams.Stderr = query.Stderr useStreams = true } @@ -72,7 +69,7 @@ func AttachContainer(w http.ResponseWriter, r *http.Request) { return } // We only support stream=true or unset - if _, found := muxVars["stream"]; found && query.Stream { + if _, found := r.URL.Query()["stream"]; found && query.Stream { utils.Error(w, "Unsupported parameter", http.StatusBadRequest, errors.Errorf("the stream parameter to attach is not presently supported")) return } diff --git a/pkg/api/handlers/generic/containers.go b/pkg/api/handlers/generic/containers.go index b16b87e73..ab587ded4 100644 --- a/pkg/api/handlers/generic/containers.go +++ b/pkg/api/handlers/generic/containers.go @@ -14,7 +14,6 @@ import ( "github.com/containers/libpod/pkg/api/handlers" "github.com/containers/libpod/pkg/api/handlers/utils" "github.com/containers/libpod/pkg/util" - "github.com/gorilla/mux" "github.com/gorilla/schema" "github.com/pkg/errors" log "github.com/sirupsen/logrus" @@ -71,7 +70,7 @@ func ListContainers(w http.ResponseWriter, r *http.Request) { utils.InternalServerError(w, err) return } - if _, found := mux.Vars(r)["limit"]; found { + if _, found := r.URL.Query()["limit"]; found { last := query.Limit if len(containers) > last { containers = containers[len(containers)-last:] @@ -136,7 +135,7 @@ func WaitContainer(w http.ResponseWriter, r *http.Request) { // /{version}/containers/(name)/wait exitCode, err := utils.WaitContainer(w, r) if err != nil { - msg = err.Error() + return } utils.WriteResponse(w, http.StatusOK, handlers.ContainerWaitOKBody{ StatusCode: int(exitCode), @@ -191,7 +190,7 @@ func LogsFromContainer(w http.ResponseWriter, r *http.Request) { } var since time.Time - if _, found := mux.Vars(r)["since"]; found { + if _, found := r.URL.Query()["since"]; found { since, err = util.ParseInputTime(query.Since) if err != nil { utils.BadRequest(w, "since", query.Since, err) @@ -200,7 +199,7 @@ func LogsFromContainer(w http.ResponseWriter, r *http.Request) { } var until time.Time - if _, found := mux.Vars(r)["until"]; found { + if _, found := r.URL.Query()["until"]; found { since, err = util.ParseInputTime(query.Until) if err != nil { utils.BadRequest(w, "until", query.Until, err) @@ -233,7 +232,7 @@ func LogsFromContainer(w http.ResponseWriter, r *http.Request) { var builder strings.Builder for ok := true; ok; ok = query.Follow { for line := range logChannel { - if _, found := mux.Vars(r)["until"]; found { + if _, found := r.URL.Query()["until"]; found { if line.Time.After(until) { break } diff --git a/pkg/api/handlers/images.go b/pkg/api/handlers/images.go index 2086ce748..d4549e5b4 100644 --- a/pkg/api/handlers/images.go +++ b/pkg/api/handlers/images.go @@ -11,7 +11,6 @@ import ( "github.com/containers/libpod/libpod" "github.com/containers/libpod/libpod/image" "github.com/containers/libpod/pkg/api/handlers/utils" - "github.com/gorilla/mux" "github.com/gorilla/schema" "github.com/pkg/errors" ) @@ -87,8 +86,7 @@ func RemoveImage(w http.ResponseWriter, r *http.Request) { utils.Error(w, "Something went wrong.", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse parameters for %s", r.URL.String())) return } - muxVars := mux.Vars(r) - if _, found := muxVars["noprune"]; found { + if _, found := r.URL.Query()["noprune"]; found { if query.noPrune { utils.UnSupportedParameter("noprune") } diff --git a/pkg/api/handlers/images_build.go b/pkg/api/handlers/images_build.go index b29c45574..d969e3a47 100644 --- a/pkg/api/handlers/images_build.go +++ b/pkg/api/handlers/images_build.go @@ -17,7 +17,6 @@ import ( "github.com/containers/buildah/imagebuildah" "github.com/containers/libpod/pkg/api/handlers/utils" "github.com/containers/storage/pkg/archive" - "github.com/gorilla/mux" ) func BuildImage(w http.ResponseWriter, r *http.Request) { @@ -114,24 +113,24 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { tag = tokens[1] } - if t, found := mux.Vars(r)["target"]; found { - name = t + if _, found := r.URL.Query()["target"]; found { + name = query.Target } var buildArgs = map[string]string{} - if a, found := mux.Vars(r)["buildargs"]; found { - if err := json.Unmarshal([]byte(a), &buildArgs); err != nil { - utils.BadRequest(w, "buildargs", a, err) + if _, found := r.URL.Query()["buildargs"]; found { + if err := json.Unmarshal([]byte(query.BuildArgs), &buildArgs); err != nil { + utils.BadRequest(w, "buildargs", query.BuildArgs, err) return } } // convert label formats var labels = []string{} - if l, found := mux.Vars(r)["labels"]; found { + if _, found := r.URL.Query()["labels"]; found { var m = map[string]string{} - if err := json.Unmarshal([]byte(l), &m); err != nil { - utils.BadRequest(w, "labels", l, err) + if err := json.Unmarshal([]byte(query.Labels), &m); err != nil { + utils.BadRequest(w, "labels", query.Labels, err) return } @@ -141,7 +140,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) { } pullPolicy := buildah.PullIfMissing - if _, found := mux.Vars(r)["pull"]; found { + if _, found := r.URL.Query()["pull"]; found { if query.Pull { pullPolicy = buildah.PullAlways } diff --git a/pkg/api/handlers/libpod/containers.go b/pkg/api/handlers/libpod/containers.go index 752b004d8..d8dd0d69b 100644 --- a/pkg/api/handlers/libpod/containers.go +++ b/pkg/api/handlers/libpod/containers.go @@ -178,7 +178,6 @@ func KillContainer(w http.ResponseWriter, r *http.Request) { func WaitContainer(w http.ResponseWriter, r *http.Request) { exitCode, err := utils.WaitContainer(w, r) if err != nil { - utils.InternalServerError(w, err) return } utils.WriteResponse(w, http.StatusOK, strconv.Itoa(int(exitCode))) diff --git a/pkg/api/handlers/libpod/pods.go b/pkg/api/handlers/libpod/pods.go index f5700579b..e8dc5bde2 100644 --- a/pkg/api/handlers/libpod/pods.go +++ b/pkg/api/handlers/libpod/pods.go @@ -13,7 +13,6 @@ import ( "github.com/containers/libpod/pkg/api/handlers" "github.com/containers/libpod/pkg/api/handlers/utils" "github.com/containers/libpod/pkg/util" - "github.com/gorilla/mux" "github.com/gorilla/schema" "github.com/pkg/errors" ) @@ -353,7 +352,7 @@ func PodKill(w http.ResponseWriter, r *http.Request) { signal = "SIGKILL" ) query := struct { - signal string `schema:"signal"` + Signal string `schema:"signal"` }{ // override any golang type defaults } @@ -362,9 +361,8 @@ func PodKill(w http.ResponseWriter, r *http.Request) { errors.Wrapf(err, "Failed to parse parameters for %s", r.URL.String())) return } - muxVars := mux.Vars(r) - if _, found := muxVars["signal"]; found { - signal = query.signal + if _, found := r.URL.Query()["signal"]; found { + signal = query.Signal } sig, err := util.ParseSignal(signal) diff --git a/pkg/api/handlers/utils/containers.go b/pkg/api/handlers/utils/containers.go index 402005581..07efef0f5 100644 --- a/pkg/api/handlers/utils/containers.go +++ b/pkg/api/handlers/utils/containers.go @@ -78,9 +78,12 @@ func RemoveContainer(w http.ResponseWriter, r *http.Request, force, vols bool) { } func WaitContainer(w http.ResponseWriter, r *http.Request) (int32, error) { + var ( + err error + interval time.Duration + ) runtime := r.Context().Value("runtime").(*libpod.Runtime) decoder := r.Context().Value("decoder").(*schema.Decoder) - // /{version}/containers/(name)/restart query := struct { Interval string `schema:"interval"` Condition string `schema:"condition"` @@ -91,25 +94,34 @@ func WaitContainer(w http.ResponseWriter, r *http.Request) (int32, error) { Error(w, "Something went wrong.", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse parameters for %s", r.URL.String())) return 0, err } - - if len(query.Condition) > 0 { - UnSupportedParameter("condition") + if _, found := r.URL.Query()["interval"]; found { + interval, err = time.ParseDuration(query.Interval) + if err != nil { + InternalServerError(w, err) + return 0, err + } + } else { + interval, err = time.ParseDuration("250ms") + if err != nil { + InternalServerError(w, err) + return 0, err + } + } + condition := define.ContainerStateStopped + if _, found := r.URL.Query()["condition"]; found { + condition, err = define.StringToContainerStatus(query.Condition) + if err != nil { + InternalServerError(w, err) + return 0, err + } } - name := GetName(r) con, err := runtime.LookupContainer(name) if err != nil { ContainerNotFound(w, name, err) return 0, err } - if len(query.Interval) > 0 { - d, err := time.ParseDuration(query.Interval) - if err != nil { - Error(w, "Something went wrong.", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse %s for interval", query.Interval)) - } - return con.WaitWithInterval(d) - } - return con.Wait() + return con.WaitForConditionWithInterval(interval, condition) } // GenerateFilterFuncsFromMap is used to generate un-executed functions that can be used to filter diff --git a/pkg/api/handlers/utils/images.go b/pkg/api/handlers/utils/images.go index f68a71561..a97fd5c07 100644 --- a/pkg/api/handlers/utils/images.go +++ b/pkg/api/handlers/utils/images.go @@ -6,7 +6,6 @@ import ( "github.com/containers/libpod/libpod" "github.com/containers/libpod/libpod/image" - "github.com/gorilla/mux" "github.com/gorilla/schema" ) @@ -28,7 +27,7 @@ func GetImages(w http.ResponseWriter, r *http.Request) ([]*image.Image, error) { return nil, err } var filters = []string{} - if _, found := mux.Vars(r)["digests"]; found && query.Digests { + if _, found := r.URL.Query()["digests"]; found && query.Digests { UnSupportedParameter("digests") } diff --git a/pkg/api/server/register_containers.go b/pkg/api/server/register_containers.go index 6a2ba4b1e..6aad7ff88 100644 --- a/pkg/api/server/register_containers.go +++ b/pkg/api/server/register_containers.go @@ -436,8 +436,8 @@ func (s *APIServer) registerContainersHandlers(r *mux.Router) error { // --- // tags: // - containers (compat) - // summary: Wait on a container to exit - // description: Block until a container stops, then returns the exit code. + // summary: Wait on a container + // description: Block until a container stops or given condition is met. // parameters: // - in: path // name: name @@ -447,7 +447,14 @@ func (s *APIServer) registerContainersHandlers(r *mux.Router) error { // - in: query // name: condition // type: string - // description: not supported + // description: | + // wait until container is to a given condition. default is stopped. valid conditions are: + // - configured + // - created + // - exited + // - paused + // - running + // - stopped // produces: // - application/json // responses: @@ -1030,18 +1037,30 @@ func (s *APIServer) registerContainersHandlers(r *mux.Router) error { // --- // tags: // - containers - // summary: Wait on a container to exit + // summary: Wait on a container + // description: Wait on a container to met a given condition // parameters: // - in: path // name: name // type: string // required: true // description: the name or ID of the container + // - in: query + // name: condition + // type: string + // description: | + // wait until container is to a given condition. default is stopped. valid conditions are: + // - configured + // - created + // - exited + // - paused + // - running + // - stopped // produces: // - application/json // responses: - // 204: - // description: no error + // 200: + // $ref: "#/responses/ContainerWaitResponse" // 404: // $ref: "#/responses/NoSuchContainer" // 500: diff --git a/pkg/api/server/register_volumes.go b/pkg/api/server/register_volumes.go index d1317904b..2cf249cc3 100644 --- a/pkg/api/server/register_volumes.go +++ b/pkg/api/server/register_volumes.go @@ -25,7 +25,7 @@ func (s *APIServer) registerVolumeHandlers(r *mux.Router) error { // '500': // "$ref": "#/responses/InternalError" r.Handle(VersionedPath("/libpod/volumes/create"), s.APIHandler(libpod.CreateVolume)).Methods(http.MethodPost) - // swagger:operation POST /libpod/volumes/json volumes listVolumes + // swagger:operation GET /libpod/volumes/json volumes listVolumes // --- // summary: List volumes // description: Returns a list of networks diff --git a/pkg/bindings/containers/containers.go b/pkg/bindings/containers/containers.go index 2985787a6..670321f21 100644 --- a/pkg/bindings/containers/containers.go +++ b/pkg/bindings/containers/containers.go @@ -210,15 +210,20 @@ func Unpause(ctx context.Context, nameOrID string) error { return response.Process(nil) } -// Wait blocks until the given container exits and returns its exit code. The nameOrID can be a container name -// or a partial/full ID. -func Wait(ctx context.Context, nameOrID string) (int32, error) { +// Wait blocks until the given container reaches a condition. If not provided, the condition will +// default to stopped. If the condition is stopped, an exit code for the container will be provided. The +// nameOrID can be a container name or a partial/full ID. +func Wait(ctx context.Context, nameOrID string, condition *string) (int32, error) { var exitCode int32 conn, err := bindings.GetClient(ctx) if err != nil { return exitCode, err } - response, err := conn.DoRequest(nil, http.MethodPost, "containers/%s/wait", nil, nameOrID) + params := url.Values{} + if condition != nil { + params.Set("condition", *condition) + } + response, err := conn.DoRequest(nil, http.MethodPost, "/containers/%s/wait", params, nameOrID) if err != nil { return exitCode, err } @@ -233,7 +238,7 @@ func Exists(ctx context.Context, nameOrID string) (bool, error) { if err != nil { return false, err } - response, err := conn.DoRequest(nil, http.MethodGet, "containers/%s/exists", nil, nameOrID) + response, err := conn.DoRequest(nil, http.MethodGet, "/containers/%s/exists", nil, nameOrID) if err != nil { return false, err } diff --git a/pkg/bindings/test/containers_test.go b/pkg/bindings/test/containers_test.go index 5a0bdebe6..299a78ac2 100644 --- a/pkg/bindings/test/containers_test.go +++ b/pkg/bindings/test/containers_test.go @@ -250,4 +250,61 @@ var _ = Describe("Podman containers ", func() { Expect(isStopped(data.State.Status)).To(BeTrue()) }) + It("podman wait no condition", func() { + var ( + name = "top" + exitCode int32 = -1 + ) + _, err := containers.Wait(connText, "foobar", nil) + Expect(err).ToNot(BeNil()) + code, _ := bindings.CheckResponseCode(err) + Expect(code).To(BeNumerically("==", http.StatusNotFound)) + + errChan := make(chan error) + bt.RunTopContainer(&name, nil, nil) + go func() { + exitCode, err = containers.Wait(connText, name, nil) + errChan <- err + close(errChan) + }() + err = containers.Stop(connText, name, nil) + Expect(err).To(BeNil()) + wait := <-errChan + Expect(wait).To(BeNil()) + Expect(exitCode).To(BeNumerically("==", 143)) + }) + + It("podman wait to pause|unpause condition", func() { + var ( + name = "top" + exitCode int32 = -1 + pause = "paused" + unpause = "running" + ) + errChan := make(chan error) + bt.RunTopContainer(&name, nil, nil) + go func() { + exitCode, err = containers.Wait(connText, name, &pause) + errChan <- err + close(errChan) + }() + err := containers.Pause(connText, name) + Expect(err).To(BeNil()) + wait := <-errChan + Expect(wait).To(BeNil()) + Expect(exitCode).To(BeNumerically("==", -1)) + + errChan = make(chan error) + go func() { + exitCode, err = containers.Wait(connText, name, &unpause) + errChan <- err + close(errChan) + }() + err = containers.Unpause(connText, name) + Expect(err).To(BeNil()) + unPausewait := <-errChan + Expect(unPausewait).To(BeNil()) + Expect(exitCode).To(BeNumerically("==", -1)) + }) + }) diff --git a/pkg/bindings/test/pods_test.go b/pkg/bindings/test/pods_test.go index 4bea2f8d7..afffee4e6 100644 --- a/pkg/bindings/test/pods_test.go +++ b/pkg/bindings/test/pods_test.go @@ -13,7 +13,7 @@ import ( "github.com/onsi/gomega/gexec" ) -var _ = Describe("Podman images", func() { +var _ = Describe("Podman pods", func() { var ( bt *bindingTest s *gexec.Session @@ -120,6 +120,7 @@ var _ = Describe("Podman images", func() { err = pods.Pause(connText, newpod) Expect(err).To(BeNil()) response, err = pods.Inspect(connText, newpod) + Expect(response.State.Status).To(Equal(define.PodStatePaused)) for _, i := range response.Containers { Expect(define.StringToContainerStatus(i.State)). To(Equal(define.ContainerStatePaused)) @@ -129,6 +130,7 @@ var _ = Describe("Podman images", func() { err = pods.Unpause(connText, newpod) Expect(err).To(BeNil()) response, err = pods.Inspect(connText, newpod) + Expect(response.State.Status).To(Equal(define.PodStateRunning)) for _, i := range response.Containers { Expect(define.StringToContainerStatus(i.State)). To(Equal(define.ContainerStateRunning)) @@ -159,6 +161,7 @@ var _ = Describe("Podman images", func() { Expect(err).To(BeNil()) response, err := pods.Inspect(connText, newpod) + Expect(response.State.Status).To(Equal(define.PodStateRunning)) for _, i := range response.Containers { Expect(define.StringToContainerStatus(i.State)). To(Equal(define.ContainerStateRunning)) @@ -172,6 +175,7 @@ var _ = Describe("Podman images", func() { err = pods.Stop(connText, newpod, nil) Expect(err).To(BeNil()) response, _ = pods.Inspect(connText, newpod) + Expect(response.State.Status).To(Equal(define.PodStateExited)) for _, i := range response.Containers { Expect(define.StringToContainerStatus(i.State)). To(Equal(define.ContainerStateStopped)) @@ -184,13 +188,66 @@ var _ = Describe("Podman images", func() { err = pods.Restart(connText, newpod) Expect(err).To(BeNil()) response, _ = pods.Inspect(connText, newpod) + Expect(response.State.Status).To(Equal(define.PodStateRunning)) for _, i := range response.Containers { Expect(define.StringToContainerStatus(i.State)). To(Equal(define.ContainerStateRunning)) } }) - // Remove all stopped pods and their container to be implemented. + // Test to validate all the pods in the stopped/exited state are pruned sucessfully. It("prune pod", func() { + // Add a new pod + var newpod2 string = "newpod2" + bt.Podcreate(&newpod2) + // No pods pruned since no pod in exited state + err = pods.Prune(connText) + Expect(err).To(BeNil()) + podSummary, err := pods.List(connText, nil) + Expect(err).To(BeNil()) + Expect(len(podSummary)).To(Equal(2)) + + // Prune only one pod which is in exited state. + // Start then stop a pod. + // pod moves to exited state one pod should be pruned now. + err = pods.Start(connText, newpod) + Expect(err).To(BeNil()) + err = pods.Stop(connText, newpod, nil) + Expect(err).To(BeNil()) + response, err := pods.Inspect(connText, newpod) + Expect(response.State.Status).To(Equal(define.PodStateExited)) + err = pods.Prune(connText) + Expect(err).To(BeNil()) + podSummary, err = pods.List(connText, nil) + Expect(err).To(BeNil()) + Expect(len(podSummary)).To(Equal(1)) + + // Test prune all pods in exited state. + bt.Podcreate(&newpod) + err = pods.Start(connText, newpod) + Expect(err).To(BeNil()) + err = pods.Start(connText, newpod2) + Expect(err).To(BeNil()) + err = pods.Stop(connText, newpod, nil) + Expect(err).To(BeNil()) + response, err = pods.Inspect(connText, newpod) + Expect(response.State.Status).To(Equal(define.PodStateExited)) + for _, i := range response.Containers { + Expect(define.StringToContainerStatus(i.State)). + To(Equal(define.ContainerStateStopped)) + } + err = pods.Stop(connText, newpod2, nil) + Expect(err).To(BeNil()) + response, err = pods.Inspect(connText, newpod2) + Expect(response.State.Status).To(Equal(define.PodStateExited)) + for _, i := range response.Containers { + Expect(define.StringToContainerStatus(i.State)). + To(Equal(define.ContainerStateStopped)) + } + err = pods.Prune(connText) + Expect(err).To(BeNil()) + podSummary, err = pods.List(connText, nil) + Expect(err).To(BeNil()) + Expect(len(podSummary)).To(Equal(0)) }) }) diff --git a/pkg/capabilities/capabilities.go b/pkg/capabilities/capabilities.go deleted file mode 100644 index ea22498b8..000000000 --- a/pkg/capabilities/capabilities.go +++ /dev/null @@ -1,129 +0,0 @@ -package capabilities - -// Copyright 2013-2018 Docker, Inc. - -// NOTE: this package has been copied from github.com/docker/docker but been -// changed significantly to fit the needs of libpod. - -import ( - "strings" - - "github.com/containers/libpod/pkg/util" - "github.com/pkg/errors" - "github.com/syndtr/gocapability/capability" -) - -var ( - // Used internally and populated during init(). - capabilityList []string - - // ErrUnknownCapability is thrown when an unknown capability is processed. - ErrUnknownCapability = errors.New("unknown capability") -) - -// All is a special value used to add/drop all known capababilities. -// Useful on the CLI for `--cap-add=all` etc. -const All = "ALL" - -func init() { - last := capability.CAP_LAST_CAP - // hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap - if last == capability.Cap(63) { - last = capability.CAP_BLOCK_SUSPEND - } - for _, cap := range capability.List() { - if cap > last { - continue - } - capabilityList = append(capabilityList, "CAP_"+strings.ToUpper(cap.String())) - } -} - -// AllCapabilities returns all known capabilities. -func AllCapabilities() []string { - return capabilityList -} - -// normalizeCapabilities normalizes caps by adding a "CAP_" prefix (if not yet -// present). -func normalizeCapabilities(caps []string) ([]string, error) { - normalized := make([]string, len(caps)) - for i, c := range caps { - c = strings.ToUpper(c) - if c == All { - normalized = append(normalized, c) - continue - } - if !strings.HasPrefix(c, "CAP_") { - c = "CAP_" + c - } - if !util.StringInSlice(c, capabilityList) { - return nil, errors.Wrapf(ErrUnknownCapability, "%q", c) - } - normalized[i] = c - } - return normalized, nil -} - -// ValidateCapabilities validates if caps only contains valid capabilities. -func ValidateCapabilities(caps []string) error { - for _, c := range caps { - if !util.StringInSlice(c, capabilityList) { - return errors.Wrapf(ErrUnknownCapability, "%q", c) - } - } - return nil -} - -// MergeCapabilities computes a set of capabilities by adding capapbitilities -// to or dropping them from base. -// -// Note that "ALL" will cause all known capabilities to be added/dropped but -// the ones specified to be dropped/added. -func MergeCapabilities(base, adds, drops []string) ([]string, error) { - if len(adds) == 0 && len(drops) == 0 { - // Nothing to tweak; we're done - return base, nil - } - - capDrop, err := normalizeCapabilities(drops) - if err != nil { - return nil, err - } - capAdd, err := normalizeCapabilities(adds) - if err != nil { - return nil, err - } - - // Make sure that capDrop and capAdd are distinct sets. - for _, drop := range capDrop { - if util.StringInSlice(drop, capAdd) { - return nil, errors.Errorf("capability %q cannot be dropped and added", drop) - } - } - - var caps []string - - switch { - case util.StringInSlice(All, capAdd): - // Add all capabilities except ones on capDrop - for _, c := range capabilityList { - if !util.StringInSlice(c, capDrop) { - caps = append(caps, c) - } - } - case util.StringInSlice(All, capDrop): - // "Drop" all capabilities; use what's in capAdd instead - caps = capAdd - default: - // First drop some capabilities - for _, c := range base { - if !util.StringInSlice(c, capDrop) { - caps = append(caps, c) - } - } - // Then add the list of capabilities from capAdd - caps = append(caps, capAdd...) - } - return caps, nil -} diff --git a/pkg/env/env.go b/pkg/env/env.go new file mode 100644 index 000000000..c6a1a0d28 --- /dev/null +++ b/pkg/env/env.go @@ -0,0 +1,126 @@ +// Package for processing environment variables. +package env + +// TODO: we need to add tests for this package. + +import ( + "bufio" + "fmt" + "os" + "strings" + + "github.com/pkg/errors" +) + +// DefaultEnvVariables sets $PATH and $TERM. +var DefaultEnvVariables = map[string]string{ + "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "TERM": "xterm", +} + +const whiteSpaces = " \t" + +// ParseSlice parses the specified slice and transforms it into an environment +// map. +func ParseSlice(s []string) (map[string]string, error) { + env := make(map[string]string, len(s)) + for _, e := range s { + if err := parseEnv(env, e); err != nil { + return nil, err + } + } + return env, nil +} + +// Slice transforms the specified map of environment variables into a +// slice. If a value is non-empty, the key and value are joined with '='. +func Slice(m map[string]string) []string { + env := make([]string, len(m)) + for k, v := range m { + var s string + if len(v) > 0 { + s = fmt.Sprintf("%s=%s", k, v) + } else { + s = k + } + env = append(env, s) + } + return env +} + +// Join joins the two environment maps with override overriding base. +func Join(base map[string]string, override map[string]string) map[string]string { + if len(base) == 0 { + return override + } + for k, v := range override { + base[k] = v + } + return base +} + +// ParseFile parses the specified path for environment variables and returns them +// as a map. +func ParseFile(path string) (_ map[string]string, err error) { + env := make(map[string]string) + defer func() { + if err != nil { + err = errors.Wrapf(err, "error parsing env file %q", path) + } + }() + + fh, err := os.Open(path) + if err != nil { + return nil, err + } + defer fh.Close() + + scanner := bufio.NewScanner(fh) + for scanner.Scan() { + // trim the line from all leading whitespace first + line := strings.TrimLeft(scanner.Text(), whiteSpaces) + // line is not empty, and not starting with '#' + if len(line) > 0 && !strings.HasPrefix(line, "#") { + if err := parseEnv(env, line); err != nil { + return nil, err + } + } + } + return env, scanner.Err() +} + +func parseEnv(env map[string]string, line string) error { + data := strings.SplitN(line, "=", 2) + + // catch invalid variables such as "=" or "=A" + if data[0] == "" { + return errors.Errorf("invalid environment variable: %q", line) + } + + // trim the front of a variable, but nothing else + name := strings.TrimLeft(data[0], whiteSpaces) + if strings.ContainsAny(name, whiteSpaces) { + return errors.Errorf("name %q has white spaces, poorly formatted name", name) + } + + if len(data) > 1 { + env[name] = data[1] + } else { + if strings.HasSuffix(name, "*") { + name = strings.TrimSuffix(name, "*") + for _, e := range os.Environ() { + part := strings.SplitN(e, "=", 2) + if len(part) < 2 { + continue + } + if strings.HasPrefix(part[0], name) { + env[part[0]] = part[1] + } + } + } else if val, ok := os.LookupEnv(name); ok { + // if only a pass-through variable is given, clean it up. + env[name] = val + } + } + return nil +} diff --git a/pkg/inspect/inspect.go b/pkg/inspect/inspect.go index 569f208d9..b04ce71a5 100644 --- a/pkg/inspect/inspect.go +++ b/pkg/inspect/inspect.go @@ -6,7 +6,7 @@ import ( "github.com/containers/image/v5/manifest" "github.com/containers/libpod/libpod/driver" "github.com/opencontainers/go-digest" - "github.com/opencontainers/image-spec/specs-go/v1" + v1 "github.com/opencontainers/image-spec/specs-go/v1" ) // ImageData holds the inspect information of an image diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go index 02678a687..9b2255d61 100644 --- a/pkg/spec/createconfig.go +++ b/pkg/spec/createconfig.go @@ -112,6 +112,7 @@ type NetworkConfig struct { type SecurityConfig struct { CapAdd []string // cap-add CapDrop []string // cap-drop + CapRequired []string // cap-required LabelOpts []string //SecurityOpts NoNewPrivs bool //SecurityOpts ApparmorProfile string //SecurityOpts @@ -156,6 +157,7 @@ type CreateConfig struct { Resources CreateResourceConfig RestartPolicy string Rm bool //rm + Rmi bool //rmi StopSignal syscall.Signal // stop-signal StopTimeout uint // stop-timeout Systemd bool @@ -233,6 +235,10 @@ func (c *CreateConfig) createExitCommand(runtime *libpod.Runtime) ([]string, err command = append(command, "--rm") } + if c.Rmi { + command = append(command, "--rmi") + } + return command, nil } diff --git a/pkg/spec/security.go b/pkg/spec/security.go index 3bad9f97a..ca025eb3e 100644 --- a/pkg/spec/security.go +++ b/pkg/spec/security.go @@ -4,11 +4,13 @@ import ( "fmt" "strings" + "github.com/containers/common/pkg/capabilities" "github.com/containers/libpod/libpod" - "github.com/containers/libpod/pkg/capabilities" + "github.com/containers/libpod/pkg/util" "github.com/opencontainers/runtime-tools/generate" "github.com/opencontainers/selinux/go-selinux/label" "github.com/pkg/errors" + "github.com/sirupsen/logrus" ) // ToCreateOptions convert the SecurityConfig to a slice of container create @@ -113,28 +115,49 @@ func (c *SecurityConfig) ConfigureGenerator(g *generate.Generator, user *UserCon configSpec := g.Config var err error - var caplist []string + var defaultCaplist []string bounding := configSpec.Process.Capabilities.Bounding if useNotRoot(user.User) { - configSpec.Process.Capabilities.Bounding = caplist + configSpec.Process.Capabilities.Bounding = defaultCaplist } - caplist, err = capabilities.MergeCapabilities(configSpec.Process.Capabilities.Bounding, c.CapAdd, c.CapDrop) + defaultCaplist, err = capabilities.MergeCapabilities(configSpec.Process.Capabilities.Bounding, c.CapAdd, c.CapDrop) if err != nil { return err } - configSpec.Process.Capabilities.Bounding = caplist - configSpec.Process.Capabilities.Permitted = caplist - configSpec.Process.Capabilities.Inheritable = caplist - configSpec.Process.Capabilities.Effective = caplist - configSpec.Process.Capabilities.Ambient = caplist + privCapRequired := []string{} + + if !c.Privileged && len(c.CapRequired) > 0 { + // Pass CapRequired in CapAdd field to normalize capabilties names + capRequired, err := capabilities.MergeCapabilities(nil, c.CapRequired, nil) + if err != nil { + logrus.Errorf("capabilties requested by user or image are not valid: %q", strings.Join(c.CapRequired, ",")) + } else { + // Verify all capRequiered are in the defaultCapList + for _, cap := range capRequired { + if !util.StringInSlice(cap, defaultCaplist) { + privCapRequired = append(privCapRequired, cap) + } + } + } + if len(privCapRequired) == 0 { + defaultCaplist = capRequired + } else { + logrus.Errorf("capabilties requested by user or image are not allowed by default: %q", strings.Join(privCapRequired, ",")) + } + } + configSpec.Process.Capabilities.Bounding = defaultCaplist + configSpec.Process.Capabilities.Permitted = defaultCaplist + configSpec.Process.Capabilities.Inheritable = defaultCaplist + configSpec.Process.Capabilities.Effective = defaultCaplist + configSpec.Process.Capabilities.Ambient = defaultCaplist if useNotRoot(user.User) { - caplist, err = capabilities.MergeCapabilities(bounding, c.CapAdd, c.CapDrop) + defaultCaplist, err = capabilities.MergeCapabilities(bounding, c.CapAdd, c.CapDrop) if err != nil { return err } } - configSpec.Process.Capabilities.Bounding = caplist + configSpec.Process.Capabilities.Bounding = defaultCaplist // HANDLE SECCOMP if c.SeccompProfilePath != "unconfined" { diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index a4ae22efd..8f0630b85 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -3,12 +3,15 @@ package createconfig import ( "strings" + "github.com/containers/common/pkg/capabilities" "github.com/containers/libpod/libpod" libpodconfig "github.com/containers/libpod/libpod/config" "github.com/containers/libpod/libpod/define" "github.com/containers/libpod/pkg/cgroups" + "github.com/containers/libpod/pkg/env" "github.com/containers/libpod/pkg/rootless" "github.com/containers/libpod/pkg/sysinfo" + "github.com/containers/libpod/pkg/util" "github.com/docker/go-units" "github.com/opencontainers/runc/libcontainer/user" spec "github.com/opencontainers/runtime-spec/specs-go" @@ -150,7 +153,6 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM for key, val := range config.Annotations { g.AddAnnotation(key, val) } - g.AddProcessEnv("container", "podman") addedResources := false @@ -292,6 +294,9 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM } } + // Make sure to always set the default variables unless overridden in the + // config. + config.Env = env.Join(env.DefaultEnvVariables, config.Env) for name, val := range config.Env { g.AddProcessEnv(name, val) } @@ -327,6 +332,18 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM } configSpec := g.Config + // If the container image specifies an label with a + // capabilities.ContainerImageLabel then split the comma separated list + // of capabilities and record them. This list indicates the only + // capabilities, required to run the container. + var capRequired []string + for key, val := range config.Labels { + if util.StringInSlice(key, capabilities.ContainerImageLabels) { + capRequired = strings.Split(val, ",") + } + } + config.Security.CapRequired = capRequired + if err := config.Security.ConfigureGenerator(&g, &config.User); err != nil { return nil, err } diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go index 17b180cde..79a83819a 100644 --- a/pkg/specgen/namespaces.go +++ b/pkg/specgen/namespaces.go @@ -3,9 +3,9 @@ package specgen import ( "os" + "github.com/containers/common/pkg/capabilities" "github.com/containers/libpod/libpod" "github.com/containers/libpod/libpod/image" - "github.com/containers/libpod/pkg/capabilities" "github.com/cri-o/ocicni/pkg/ocicni" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" diff --git a/pkg/systemd/generate/systemdgen.go b/pkg/systemd/generate/systemdgen.go index 404347828..00ddc63f3 100644 --- a/pkg/systemd/generate/systemdgen.go +++ b/pkg/systemd/generate/systemdgen.go @@ -80,6 +80,8 @@ const containerTemplate = `# {{.ServiceName}}.service [Unit] Description=Podman {{.ServiceName}}.service Documentation=man:podman-generate-systemd(1) +Wants=network.target +After=network-online.target {{- if .BoundToServices}} RefuseManualStart=yes RefuseManualStop=yes @@ -94,11 +96,11 @@ Before={{- range $index, $value := .RequiredServices -}}{{if $index}} {{end}}{{ [Service] Restart={{.RestartPolicy}} {{- if .New}} -ExecStartPre=/usr/bin/rm -f /%t/%n-pid /%t/%n-cid +ExecStartPre=/usr/bin/rm -f %t/%n-pid %t/%n-cid ExecStart={{.RunCommand}} -ExecStop={{.Executable}} stop --ignore --cidfile /%t/%n-cid {{if (ge .StopTimeout 0)}}-t {{.StopTimeout}}{{end}} -ExecStopPost={{.Executable}} rm --ignore -f --cidfile /%t/%n-cid -PIDFile=/%t/%n-pid +ExecStop={{.Executable}} stop --ignore --cidfile %t/%n-cid {{if (ge .StopTimeout 0)}}-t {{.StopTimeout}}{{end}} +ExecStopPost={{.Executable}} rm --ignore -f --cidfile %t/%n-cid +PIDFile=%t/%n-pid {{- else}} ExecStart={{.Executable}} start {{.ContainerName}} ExecStop={{.Executable}} stop {{if (ge .StopTimeout 0)}}-t {{.StopTimeout}}{{end}} {{.ContainerName}} @@ -158,8 +160,8 @@ func CreateContainerSystemdUnit(info *ContainerInfo, opts Options) (string, erro command := []string{ info.Executable, "run", - "--conmon-pidfile", "/%t/%n-pid", - "--cidfile", "/%t/%n-cid", + "--conmon-pidfile", "%t/%n-pid", + "--cidfile", "%t/%n-cid", "--cgroups=no-conmon", } command = append(command, info.CreateCommand[index:]...) diff --git a/pkg/systemd/generate/systemdgen_test.go b/pkg/systemd/generate/systemdgen_test.go index b74b75258..145296ea9 100644 --- a/pkg/systemd/generate/systemdgen_test.go +++ b/pkg/systemd/generate/systemdgen_test.go @@ -40,6 +40,8 @@ func TestCreateContainerSystemdUnit(t *testing.T) { [Unit] Description=Podman container-639c53578af4d84b8800b4635fa4e680ee80fd67e0e6a2d4eea48d1e3230f401.service Documentation=man:podman-generate-systemd(1) +Wants=network.target +After=network-online.target [Service] Restart=always @@ -58,6 +60,8 @@ WantedBy=multi-user.target` [Unit] Description=Podman container-foobar.service Documentation=man:podman-generate-systemd(1) +Wants=network.target +After=network-online.target [Service] Restart=always @@ -76,6 +80,8 @@ WantedBy=multi-user.target` [Unit] Description=Podman container-foobar.service Documentation=man:podman-generate-systemd(1) +Wants=network.target +After=network-online.target RefuseManualStart=yes RefuseManualStop=yes BindsTo=a.service b.service c.service pod.service @@ -98,6 +104,8 @@ WantedBy=multi-user.target` [Unit] Description=Podman pod-123abc.service Documentation=man:podman-generate-systemd(1) +Wants=network.target +After=network-online.target Requires=container-1.service container-2.service Before=container-1.service container-2.service @@ -118,14 +126,16 @@ WantedBy=multi-user.target` [Unit] Description=Podman jadda-jadda.service Documentation=man:podman-generate-systemd(1) +Wants=network.target +After=network-online.target [Service] Restart=always -ExecStartPre=/usr/bin/rm -f /%t/%n-pid /%t/%n-cid -ExecStart=/usr/bin/podman run --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid --cgroups=no-conmon --name jadda-jadda --hostname hello-world awesome-image:latest command arg1 ... argN -ExecStop=/usr/bin/podman stop --ignore --cidfile /%t/%n-cid -t 42 -ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile /%t/%n-cid -PIDFile=/%t/%n-pid +ExecStartPre=/usr/bin/rm -f %t/%n-pid %t/%n-cid +ExecStart=/usr/bin/podman run --conmon-pidfile %t/%n-pid --cidfile %t/%n-cid --cgroups=no-conmon --name jadda-jadda --hostname hello-world awesome-image:latest command arg1 ... argN +ExecStop=/usr/bin/podman stop --ignore --cidfile %t/%n-cid -t 42 +ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/%n-cid +PIDFile=%t/%n-pid KillMode=none Type=forking |