summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* Cirrus: Document and codify base-image productionChris Evich2018-12-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A number of images required for future testing are not present in GCE. Importing them is a long proscribed process prone to errors and complications. Improve this situation by documenting, and encoding the majority of the steps required. Due to the required complexity, these are clearly identified as 'semi-automated'. This means a discerning eye is sometimes needed to address unforeseen problems (networking issues, format or packaging changes, etc). Nevertheless, having these steps in writing, will reduce current and future maintenance burden while supporting future testing needs of RHEL, Fedora and Fedora Atomic Host. Also: * Add necessary configuration, scripts, and Makefile updates needed to prepare RHEL, Fedora, & FAH cloud images for use in GCE. This is a complex, multi-step process where the cloud image is booted un a local user-mod qemu-kvm instance, where it can be modified. From there, it's converted into a specific format, and imported into GCE. Lastly, the imported raw disk data is made available as a GCE VM image. Note: As of this commit, the RHEL base-image builds (CentOS has native image), however neither RHEL or CentOS cache-images build correctly. * Left testing on FAH disabled, the GCE/Cirrus integration needs needs more work. Specifically, the python3-based google startup script service throws a permission-denied (as root) when trying to create a temp. directory. Did not investigate further, though manually running the startup script does allow the libpod tests to start running. * Enabled Fedora 29 image to execute tests and general use. * Utilize the standardized F28-based container image for gating of more the intensive unit and integration testing. Update documentation to reflect this as the standard platform for these checks. Rename tasks with shorter names and to better reflect their purpose. * Cirrus: Trim unnecessary env vars before testing since the vast majority are only required for orchestration purposes. Since most are defined within `.cirrus.yml`, it's a good place to store the list of undesirables. Since each of the cirrus-scripts runs in it's own shell, unsetting these near the end will have no consequence. Also trim down the number of calls to show_env_vars() Signed-off-by: Chris Evich <cevich@redhat.com>
* Cirrus: Use Makefile for image-buildingChris Evich2018-12-06
| | | | | | | | | | | | | | | | | | | | The packer tool takes JSON as input for the details of producing VM images to be used for PR CI-testing. JSON is not a very human-friendly format, without support for comments and frequently containing lots of duplicate data. Fix this by using a Makefile + simple python one-liner to convert from a human-friendly YAML format into packer-native JSON. This allows use of anchors/aliases to reduce duplication, and allows inline comments for easier maintainability. This also allows separating the 'test' action from the 'build' action, for earlier and better syntax problem detection. Lastly, there are some minor ``lib.sh`` and ``integration_test.sh`` updates to support future work, and slightly improve the build and test environments. Signed-off-by: Chris Evich <cevich@redhat.com>
* Merge pull request #1905 from umohnani8/loginOpenShift Merge Robot2018-12-06
|\ | | | | Pick registry to login from full image name as well
| * Pick registry to login from full image name as wellUrvashi Mohnani2018-12-06
| | | | | | | | | | | | | | | | | | | | podman login reg.io/username/image works as well now. It picks the registry and checks for authentication, if none exist it will prompt for username and password. If the credentials exist but are not valid, it will prompt the user for new valid credentials. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* | Merge pull request #1904 from umohnani8/volumeOpenShift Merge Robot2018-12-06
|\ \ | | | | | | Add "podman volume" command
| * | Tests for podman volume commandsUrvashi Mohnani2018-12-06
| | | | | | | | | | | | Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
| * | Add "podman volume" commandumohnani82018-12-06
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add support for podman volume and its subcommands. The commands supported are: podman volume create podman volume inspect podman volume ls podman volume rm podman volume prune This is a tool to manage volumes used by podman. For now it only handle named volumes, but eventually it will handle all volumes used by podman. Signed-off-by: umohnani8 <umohnani@redhat.com>
* | Merge pull request #1912 from baude/pruneOpenShift Merge Robot2018-12-06
|\ \ | | | | | | Add ability to prune containers and images
| * | Add ability to prune containers and imagesbaude2018-12-05
| |/ | | | | | | | | | | | | | | | | | | | | Allow user to prune unused/unnamed images, the layer images from building, via podman rmi --prune. Allow user to prune stopped/exiuted containers via podman rm --prune. This should resolve #1910 Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #1887 from mheon/rm_syncOpenShift Merge Robot2018-12-06
|\ \ | | | | | | Add --sync option to podman rm
| * | Remove --sync flag from `podman rm`Matthew Heon2018-12-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Per discussion with Dan, it would be better to automatically handle potential runtime errors by automatically syncing if they occur. Retaining the flag for `ps` makes sense, as we won't even be calling the OCI runtime and as such won't see errors if the state desyncs, but rm can be handled automatically. The automatic desync handling code will take some additional work so we'll land this as-is (sync on ps is enough to solve most desync issues). Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | Add locking to Sync() on containersMatthew Heon2018-12-06
| | | | | | | | | | | | | | | | | | | | | | | | Previously not needed as it only worked inside of Batch(), but now that it can be called anywhere we need to add mutual exclusion on its config changes. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | Add --sync flag to podman psMatthew Heon2018-12-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The previous commit added support for --sync to podman rm to ensure state inconsistencies would not prevent containers from being removed. Add the flag to podman ps as well, so that all containers can be forcibly synced and all state inconsistencies resolved. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | Add --sync option to podman rmMatthew Heon2018-12-06
| |/ | | | | | | | | | | | | | | | | | | | | With the changes made recently to ensure Podman does not hit the OCI runtime as often to sync state, we can find ourselves in a situation where the runtime's state does not match ours. Add a --sync flag to podman rm to ensure we can still remove containers when this happens. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #1944 from giuseppe/update-tutorialOpenShift Merge Robot2018-12-06
|\ \ | | | | | | tutorial: add ostree dependency
| * | tutorial: add ostree dependencyGiuseppe Scrivano2018-12-06
| |/ | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1946 from rhatdan/vendorOpenShift Merge Robot2018-12-06
|\ \ | |/ |/| Vendor in latest containers/storage
| * Merge branch 'vendor' of github.com:rhatdan/libpod into vendorDaniel J Walsh2018-12-06
| |\
| | * Vendor in latest containers/storageDaniel J Walsh2018-12-05
| | | | | | | | | | | | | | | | | | This should improve performance on vfs images on top of xfs/reflink drives. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| * | Merge branch 'master' of github.com:containers/libpod into vendorDaniel J Walsh2018-12-06
| |\ \ | |/ / |/| |
* | | Merge pull request #1945 from jwhonce/bug/1929OpenShift Merge Robot2018-12-05
|\ \ \ | | | | | | | | Invert tlsverify default in API
| * | | Invert tlsverify default in APIJhon Honce2018-12-05
| | | | | | | | | | | | | | | | | | | | | | | | Fixes #1929 Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | | Merge pull request #1924 from baude/mroevarlinkendpointsOpenShift Merge Robot2018-12-05
|\ \ \ \ | |/ / / |/| | | Adding more varlink endpoints
| * | | Adding more varlink endpointsbaude2018-12-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * runlabel * checkpoint * restore * container|image exists * mount * unmount Signed-off-by: baude <bbaude@redhat.com>
* | | | Merge pull request #1947 from baude/f28runcOpenShift Merge Robot2018-12-05
|\ \ \ \ | |_|_|/ |/| | | set .54 version for f28 due to memory error
| * | | set .54 version for f28 due to memory errorbaude2018-12-05
|/ / / | | | | | | | | | Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #1940 from wking/numeric-gidOpenShift Merge Robot2018-12-05
|\ \ \ | | | | | | | | libpod/container_internal_linux: Allow gids that aren't in the group file
| * | | pkg/lookup: Return ID-only pointers on ErrNo*EntriesW. Trevor King2018-12-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Callers that only care about the IDs should try to convert the identifier to an integer before calling the Get* functions, so they can save the cost of hitting the filesystem and maybe or maybe not finding the other fields (User.Name, etc.). But callers that *want* the other fields but only actually need the ID can, with this commit, just call the Get* function and ignore ErrNo*Entries responses: user, err := lookup.GetUser(mount, userIDorName) if err != nil && err != ErrNoPasswdEntries { return err } Previously, they'd have to perform their own integer-conversion attempt in Get* error handling, with logic like: user, err := lookup.GetUser(mount, userIDorName) if err == ErrNoPasswdEntries { uuid, err := strconv.ParseUint(userIDorName, 10, 32) if err == nil { user.Uid = int(uuid) } } else if err != nil { return err } Signed-off-by: W. Trevor King <wking@tremily.us>
| * | | libpod/container_internal_linux: Allow gids that aren't in the group fileW. Trevor King2018-12-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When an image config sets config.User [1] to a numeric group (like 1000:1000), but those values do not exist in the container's /etc/group, libpod is currently breaking: $ podman run --rm registry.svc.ci.openshift.org/ci-op-zvml7cd6/pipeline:installer --help error creating temporary passwd file for container 228f6e9943d6f18b93c19644e9b619ec4d459a3e0eb31680e064eeedf6473678: unable to get gid 1000 from group file: no matching entries in group file However, the OCI spec requires converters to copy numeric uid and gid to the runtime config verbatim [2]. With this commit, I'm frontloading the "is groupspec an integer?" check and only bothering with lookup.GetGroup when it was not. I've also removed a few .Mounted checks, which are originally from 00d38cb3 (podman create/run need to load information from the image, 2017-12-18, #110). We don't need a mounted container filesystem to translate integers. And when the lookup code needs to fall back to the mounted root to translate names, it can handle erroring out internally (and looking it over, it seems to do that already). [1]: https://github.com/opencontainers/image-spec/blame/v1.0.1/config.md#L118-L123 [2]: https://github.com/opencontainers/image-spec/blame/v1.0.1/conversion.md#L70 Signed-off-by: W. Trevor King <wking@tremily.us>
* | | | Merge pull request #1918 from mheon/use_db_pathsOpenShift Merge Robot2018-12-05
|\ \ \ \ | | | | | | | | | | Use paths written in DB instead if they differ from our defaults
| * | | | Use runtime lockDir in BoltDB stateMatthew Heon2018-12-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Instead of storing the runtime's file lock dir in the BoltDB state, refer to the runtime inside the Bolt state instead, and use the path stored in the runtime. This is necessary since we moved DB initialization very far up in runtime init, before the locks dir is properly initialized (and it must happen before the locks dir can be created, as we use the DB to retrieve the proper path for the locks dir now). Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | | Revert changes to GetDefaultStoreOptionsMatthew Heon2018-12-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We don't need this for anything more than rootless work in Libpod now, but Buildah still uses it as it was originally written, so leave it intact as part of our API. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | | Fix libpod static dir selection when graphroot changedMatthew Heon2018-12-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When graphroot is set by the user, we should set libpod's static directory to a subdirectory of that by default, to duplicate previous behavior. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | | Ensure directory where we will make database existsMatthew Heon2018-12-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Ensure that the directory where we will create the Podman db exists prior to creating the database - otherwise creating the DB will fail. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | | Fix typoMatthew Heon2018-12-03
| | | | | | | | | | | | | | | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | | Add better descriptions for validation errors in DBMatthew Heon2018-12-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When validating fields against the DB, report more verbosely the name of the field being validated if it fails. Specifically, add the name used in config files, so people will actually know what to change it errors happen. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | | Fix gofmt and lintMatthew Heon2018-12-02
| | | | | | | | | | | | | | | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | | Make locks dir in unit testsMatthew Heon2018-12-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Ensure we don't break the unit tests by creating a locks directory (which, prior to the last commit, would be created by BoltDB state init). Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | | Do not initialize locks dir in BoltDBMatthew Heon2018-12-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We already create the locks directory as part of the libpod runtime's init - no need to do it again as part of BoltDB's init. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | | Move rootless storage config into libpodMatthew Heon2018-12-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previous commits ensured that we would use database-configured paths if not explicitly overridden. However, our runtime generation did unconditionally override storage config, which made this useless. Move rootless storage configuration setup to libpod, and change storage setup so we only override if a setting is explicitly set, so we can still override what we want. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | | Set default paths from DB if not explicitly overriddenMatthew Heon2018-12-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If the DB contains default paths, and the user has not explicitly overridden them, use the paths in the DB over our own defaults. The DB validates these paths, so it would error and prevent operation if they did not match. As such, instead of erroring, we can use the DB's paths instead of our own. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | | Add a struct indicating if some Runtime fields were setMatthew Heon2018-12-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To configure runtime fields from the database, we need to know whether they were explicitly overwritten by the user (we don't want to overwrite anything that was explicitly set). Store a struct containing whether the variables we'll grab from the DB were explicitly set by the user so we know what we can and can't overwrite. This determines whether libpod runtime and static dirs were set via config file in a horribly hackish way (double TOML decode), but I can't think of a better way, and it shouldn't be that expensive as the libpod config is tiny. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | | Make DB config validation an explicit stepMatthew Heon2018-12-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, we implicitly validated runtime configuration against what was stored in the database as part of database init. Make this an explicit step, so we can call it after the database has been initialized. This will allow us to retrieve paths from the database and use them to overwrite our defaults if they differ. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | | Move DB configuration up in runtime setupMatthew Heon2018-12-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When we configure a runtime, we now will need to hit the DB early on, so we can verify the paths we're going to use for c/storage are correct. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | | Add ability to retrieve runtime configuration from DBMatthew Heon2018-12-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When we create a Libpod database, we store a number of runtime configuration fields in it. If we can retrieve those, we can use them to configure the runtime to match the DB instead of inbuilt defaults, helping to ensure that we don't error in cases where our compiled-in defaults changed. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | | | Merge pull request #1942 from baude/rmi_testOpenShift Merge Robot2018-12-04
|\ \ \ \ \ | | | | | | | | | | | | test for rmi with children
| * | | | | test for rmi with childrenbaude2018-12-04
| | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: baude <bbaude@redhat.com>
* | | | | | Merge pull request #1939 from mheon/no_firewall_if_rootlessOpenShift Merge Robot2018-12-04
|\ \ \ \ \ \ | |/ / / / / |/| | | | | Don't initialize CNI when running as rootless
| * | | | | Don't initialize CNI when running as rootlessMatthew Heon2018-12-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We don't use CNI to configure networks for rootless containers, so no need to set it up. It may also cause issues with inotify, so disabling it resolves some potential problems. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | | | | Merge pull request #1920 from wking/explicit-hooks-dirsOpenShift Merge Robot2018-12-04
|\ \ \ \ \ \ | | | | | | | | | | | | | | libpod/container_internal: Deprecate implicit hook directories