summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* specgen: improve heuristic for /sys bind mountGiuseppe Scrivano2021-01-15
| | | | | | | | | | | | | partially revert 95c45773d7dbca2880152de681c81f0a2afec99b restrict the cases where /sys is bind mounted from the host. The heuristic doesn't detect all the cases where the bind mount is not necessary, but it is an improvement on the previous version where /sys was always bind mounted for rootless containers unless --net none was specified. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #8955 from mheon/renameOpenShift Merge Robot2021-01-14
|\ | | | | Container Rename
| * Initial implementation of renaming containersMatthew Heon2021-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Basic theory: We remove the container, but *only from the DB*. We leave it in c/storage, we leave the lock allocated, we leave it running (if it is). Then we create an identical container with an altered name, and add that back to the database. Theoretically we now have a renamed container. The advantage of this approach is that it doesn't just apply to rename - we can use this to make *any* configuration change to a container that does not alter its container ID. Potential problems are numerous. This process is *THOROUGHLY* non-atomic at present - if you `kill -9` Podman mid-rename things will be in a bad place, for example. Also, we can't rename containers that can't be removed normally - IE, containers with dependencies (pod infra containers, for example). The largest potential improvement will be to move the majority of the work into the DB, with a `RecreateContainer()` method - that will add atomicity, and let us remove the container without worrying about depencies and similar issues. Potential problems: long-running processes that edit the DB and may have an older version of the configuration around. Most notable example is `podman run --rm` - the removal command needed to be manually edited to avoid this one. This begins to get at the heart of me not wanting to do this in the first place... This provides CLI and API implementations for frontend, but no tunnel implementation. It will be added in a future release (just held back for time now - we need this in 3.0 and are running low on time). This is honestly kind of horrifying, but I think it will work. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #8604 from mheon/volume_plugin_implOpenShift Merge Robot2021-01-14
|\ \ | |/ |/| Initial implementation of volume plugins
| * Add tests for volume pluginsMatthew Heon2021-01-14
| | | | | | | | | | | | | | | | | | This involves a new test binary (a basic implementation of the volume plugin protocol) and a new image on quay.io (Containerfile to produce it and all sources located in this commit). The image is used to run a containerized plugin we can test against. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * Initial implementation of volume pluginsMatthew Heon2021-01-14
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This implements support for mounting and unmounting volumes backed by volume plugins. Support for actually retrieving plugins requires a pull request to land in containers.conf and then that to be vendored, and as such is not yet ready. Given this, this code is only compile tested. However, the code for everything past retrieving the plugin has been written - there is support for creating, removing, mounting, and unmounting volumes, which should allow full functionality once the c/common PR is merged. A major change is the signature of the MountPoint function for volumes, which now, by necessity, returns an error. Named volumes managed by a plugin do not have a mountpoint we control; instead, it is managed entirely by the plugin. As such, we need to cache the path in the DB, and calls to retrieve it now need to access the DB (and may fail as such). Notably absent is support for SELinux relabelling and chowning these volumes. Given that we don't manage the mountpoint for these volumes, I am extremely reluctant to try and modify it - we could easily break the plugin trying to chown or relabel it. Also, we had no less than *5* separate implementations of inspecting a volume floating around in pkg/infra/abi and pkg/api/handlers/libpod. And none of them used volume.Inspect(), the only correct way of inspecting volumes. Remove them all and consolidate to using the correct way. Compat API is likely still doing things the wrong way, but that is an issue for another day. Fixes #4304 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #8956 from rhatdan/MakefileOpenShift Merge Robot2021-01-14
|\ | | | | Makefile: add target to generate bindings
| * Makefile: add target to generate bindingsValentin Rothberg2021-01-14
| | | | | | | | | | | | | | | | | | | | | | Add a `.generate-bindings` make target that only runs in the absence of the `.generate-bindings` file or when a `types.go` file below `pkg/bindings` has changed. This will regenerate the go bindings and make sure the code is up2date. Signed-off-by: Valentin Rothberg <rothberg@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #8906 from vrothberg/fix-8501OpenShift Merge Robot2021-01-14
|\ \ | | | | | | container stop: release lock before calling the runtime
| * | container stop: release lock before calling the runtimeValentin Rothberg2021-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman defers stopping the container to the runtime, which can take some time. Keeping the lock while waiting for the runtime to complete the stop procedure, prevents other commands from acquiring the lock as shown in #8501. To improve the user experience, release the lock before invoking the runtime, and re-acquire the lock when the runtime is finished. Also introduce an intermediate "stopping" to properly distinguish from "stopped" containers etc. Fixes: #8501 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #8974 from Luap99/vendor-ocicniOpenShift Merge Robot2021-01-14
|\ \ \ | |_|/ |/| | Bump github.com/cri-o/ocicni to latest master
| * | Bump github.com/cri-o/ocicni to latest masterPaul Holzinger2021-01-14
|/ / | | | | | | | | | | | | | | | | The changes from https://github.com/cri-o/ocicni/pull/83 are needed to improve the user experience when using the new network reload command. see: https://github.com/containers/podman/pull/8571#discussion_r535167473 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #8973 from cevich/no_check_mirrorMatthew Heon2021-01-14
|\ \ | | | | | | [CI:DOCS] Cirrus: Upd. ext. service check host list
| * | Cirrus: Upd. ext. service check host listChris Evich2021-01-14
|/ / | | | | | | | | | | | | | | Since CI doesn't depend heavily on installing packages at runtime (there is some minor use) there's no need to exhaustively check repository mirror hosts. Remove them from the list. Signed-off-by: Chris Evich <cevich@redhat.com>
* | Merge pull request #8969 from ↵OpenShift Merge Robot2021-01-14
|\ \ | | | | | | | | | | | | containers/dependabot/go_modules/github.com/stretchr/testify-1.7.0 Bump github.com/stretchr/testify from 1.6.1 to 1.7.0
| * | Bump github.com/stretchr/testify from 1.6.1 to 1.7.0dependabot-preview[bot]2021-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.6.1 to 1.7.0. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.6.1...v1.7.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #8968 from ↵OpenShift Merge Robot2021-01-14
|\ \ \ | | | | | | | | | | | | | | | | containers/dependabot/go_modules/k8s.io/apimachinery-0.20.2 Bump k8s.io/apimachinery from 0.20.1 to 0.20.2
| * | | Bump k8s.io/apimachinery from 0.20.1 to 0.20.2dependabot-preview[bot]2021-01-14
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.20.1 to 0.20.2. - [Release notes](https://github.com/kubernetes/apimachinery/releases) - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.20.1...v0.20.2) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #8967 from cevich/install_tools_for_alt_buildOpenShift Merge Robot2021-01-14
|\ \ \ | |/ / |/| | Ensure install.tools for alt build task
| * | Cirrus: Utilize $GOPATH cache for alt_build taskChris Evich2021-01-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Specifically, the result of 'make install.tools' is needed. Part of that target installs tooling into `$GOPATH/bin`. A future commit requires this tooling for the `Build Each Commit` item of the alt_build matrix. Re-use the cache of this directory for this task to ensure the necessary tooling/libraries are available. Signed-off-by: Chris Evich <cevich@redhat.com>
* | | Merge pull request #8962 from rhatdan/manOpenShift Merge Robot2021-01-13
|\ \ \ | | | | | | | | [CI:DOCS] Add more information and examples on podman and pipes
| * | | Add more information and examples on podman and pipesDaniel J Walsh2021-01-13
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | Improve the documentation to help users to know proper way to use podman within a pipe. Helps Prevent: https://github.com/containers/podman/issues/8916 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #8966 from ashley-cui/common33OpenShift Merge Robot2021-01-13
|\ \ \ | |/ / |/| | Vendor in common 0.33.1
| * | Vendor in common 0.33.1Ashley Cui2021-01-13
| | | | | | | | | | | | | | | | | | As per title Signed-off-by: Ashley Cui <acui@redhat.com>
* | | Merge pull request #8960 from giuseppe/bridge-no-post-configOpenShift Merge Robot2021-01-13
|\ \ \ | | | | | | | | network: disallow CNI networks with user namespaces
| * | | test: use stringid.GenerateNonCryptoID() in more testsGiuseppe Scrivano2021-01-13
| | | | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | network: disallow CNI networks with user namespacesGiuseppe Scrivano2021-01-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | it solves a segfault when running as rootless a command like: $ podman run --uidmap 0:0:1 --net foo --rm fedora true panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x5629bccc407c] goroutine 1 [running]: panic(0x5629bd3d39e0, 0x5629be0ab8e0) /usr/lib/golang/src/runtime/panic.go:1064 +0x545 fp=0xc0004592c0 sp=0xc0004591f8 pc=0x5629bbd35d85 runtime.panicmem(...) /usr/lib/golang/src/runtime/panic.go:212 runtime.sigpanic() /usr/lib/golang/src/runtime/signal_unix.go:742 +0x413 fp=0xc0004592f0 sp=0xc0004592c0 pc=0x5629bbd4cd33 github.com/containers/podman/libpod.(*Runtime).setupRootlessNetNS(0xc0003fe9c0, 0xc0003d74a0, 0x0, 0x0) /builddir/build/BUILD/podman-2.2.1/_build/src/github.com/containers/podman/libpod/networking_linux.go:238 +0xdc fp=0xc000459338 sp=0xc0004592f0 pc=0x5629bccc407c github.com/containers/podman/libpod.(*Container).completeNetworkSetup(0xc0003d74a0, 0x0, 0x0) /builddir/build/BUILD/podman-2.2.1/_build/src/github.com/containers/podman/libpod/container_internal.go:965 +0xb72 fp=0xc0004594d8 sp=0xc000459338 pc=0x5629bcc81732 [.....] Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #8951 from edsantiago/fix_dev_diagnosticOpenShift Merge Robot2021-01-13
|\ \ \ \ | | | | | | | | | | CI: fix broken diagnostic message for -dev check
| * | | | CI: fix broken diagnostic message for -dev checkEd Santiago2021-01-13
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There's a CI check for the presence of "-dev" in podman-info output (it should not appear). This test is unlikely to fail, but if it ever does, the diagnostic output is unhelpful. This makes it helpful. Tested via: $ ln -s /bin/echo ~/bin/msg $ ln -s /bin/echo ~/bin/die $ TEST_FLAVOR=release ./contrib/cirrus/runner.sh ... Releases must never contain '-dev' in output of 'podman info' ( buildahVersion: 1.19.0-dev Version: 3.0.0-dev) Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | | Merge pull request #8954 from baude/reducebindingsizeOpenShift Merge Robot2021-01-13
|\ \ \ \ | |/ / / |/| | | Reduce general binding binary size
| * | | Reduce general binding binary sizebaude2021-01-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when using the bindings to *only* make a connection, the binary was rough 28MB. This PR reduces it down to 11. There is more work to do but it will come in a secondary PR. Signed-off-by: baude <bbaude@redhat.com>
* | | | Merge pull request #8961 from rhatdan/kubeOpenShift Merge Robot2021-01-13
|\ \ \ \ | |/ / / |/| | | play kube: set entrypoint when interpreting Command
| * | | play kube: set entrypoint when interpreting CommandDaniel J Walsh2021-01-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We now set Entrypoint when interpeting the image Entrypoint (or yaml.Command) and Command when interpreting image Cmd (or yaml.Args) This change is kind of breaking because now checking Config.Cmd won't return the full command, but only the {cmd,args}. Adapt the tests to this change as well Signed-off-by: Peter Hunt <pehunt@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #8958 from zhangguanzhang/duplicated-hostsOpenShift Merge Robot2021-01-13
|\ \ \ \ | |_|/ / |/| | | Fixes /etc/hosts duplicated every time after container restarted in a pod
| * | | Fxes /etc/hosts duplicated every time after container restarted in a podzhangguanzhang2021-01-13
| |/ / | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | Merge pull request #8957 from srcshelton/feature/issue-8945OpenShift Merge Robot2021-01-13
|\ \ \ | | | | | | | | Add 'MemUsageBytes' format option
| * | | Merge branch 'master' into feature/issue-8945Stuart Shelton2021-01-13
| |\| | | | | | | | | | | | | | Signed-off-by: Stuart Shelton <stuart@shelton.me>
| * | | Add 'MemUsageBytes' format optionStuart Shelton2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Although storage is more human-readable when expressed in SI units, IEC/JEDEC (Bytes) units are more pertinent for memory-related values (and match the format of the --memory* command-line options). (To prevent possible compatibility issues, the default SI display is left unchanged) See https://github.com/containers/podman/issues/8945 Signed-off-by: Stuart Shelton <stuart@shelton.me>
* | | | Merge pull request #8877 from rhatdan/loadOpenShift Merge Robot2021-01-13
|\ \ \ \ | |_|/ / |/| | | Remove the ability to use [name:tag] in podman load command
| * | | Remove the ability to use [name:tag] in podman load commandDaniel J Walsh2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Docker does not support this, and it is confusing what to do if the image has more then one tag. We are dropping support for this in podman 3.0 Fixes: https://github.com/containers/podman/issues/7387 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| * | | More /var/run -> /runEd Santiago2021-01-12
| |/ / | | | | | | | | | | | | | | | | | | PR #8851 broke CI: it included "/var/run" strings that, per #8771, should have been just "/run". Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | Merge pull request #8953 from edsantiago/var_run_againOpenShift Merge Robot2021-01-12
|\ \ \ | |/ / |/| | More /var/run -> /run
| * | More /var/run -> /runEd Santiago2021-01-12
| | | | | | | | | | | | | | | | | | | | | PR #8851 broke CI: it included "/var/run" strings that, per #8771, should have been just "/run". Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | Merge pull request #8950 from mheon/exorcise_driverOpenShift Merge Robot2021-01-12
|\ \ \ | | | | | | | | Exorcise Driver code from libpod/define
| * | | Exorcise Driver code from libpod/defineMatthew Heon2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The libpod/define code should not import any large dependencies, as it is intended to be structures and definitions only. It included the libpod/driver package for information on the storage driver, though, which brought in all of c/storage. Split the driver package so that define has the struct, and thus does not need to import Driver. And simplify the driver code while we're at it. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | | Merge pull request #8946 from JAORMX/sec-errorsOpenShift Merge Robot2021-01-12
|\ \ \ \ | |_|/ / |/| | | Expose security attribute errors with their own messages
| * | | Expose security attribute errors with their own messagesJuan Antonio Osorio Robles2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This creates error objects for runtime errors that might come from the runtime. Thus, indicating to users that the place to debug should be in the security attributes of the container. When creating a container with a SELinux label that doesn't exist, we get a fairly cryptic error message: ``` $ podman run --security-opt label=type:my_container.process -it fedora bash Error: OCI runtime error: write file `/proc/thread-self/attr/exec`: Invalid argument ``` This instead handles any errors coming from LSM's `/proc` API and enhances the error message with a relevant indicator that it's related to the container's security attributes. A sample run looks as follows: ``` $ bin/podman run --security-opt label=type:my_container.process -it fedora bash Error: `/proc/thread-self/attr/exec`: OCI runtime error: unable to assign security attribute ``` With `debug` log level enabled it would be: ``` Error: write file `/proc/thread-self/attr/exec`: Invalid argument: OCI runtime error: unable to assign security attribute ``` Note that these errors wrap ErrOCIRuntime, so it's still possible to to compare these errors with `errors.Is/errors.As`. One advantage of this approach is that we could start handling these errors in a more efficient manner in the future. e.g. If a SELinux label doesn't exist (yet), we could retry until it becomes available. Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>
* | | | Merge pull request #8900 from cevich/no_tag_testingOpenShift Merge Robot2021-01-12
|\ \ \ \ | | | | | | | | | | Cirrus: Skip most tests on tag-push
| * | | | Cirrus: Skip most tests on tag-pushChris Evich2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Due to various reasons, CI results (esp. testing tasks) are completely ignored for builds triggered by a new tag-push. Additionally, since many of the automation scripts are in the repo., any related failures/flakes would require code changes (therefore a new tag). Resolve this by skipping every testing-type task for builds triggered by tag-push. Only retain tasks which build things intended for consumption associated with a possible official release. Signed-off-by: Chris Evich <cevich@redhat.com>
* | | | | Merge pull request #8947 from Luap99/cleanup-codeOpenShift Merge Robot2021-01-12
|\ \ \ \ \ | | | | | | | | | | | | Fix problems reported by staticcheck