Commit message  (Author, Age)
* pkg/hooks/exec: Add a new package for local hook execution  (W. Trevor King, 2018-05-31)
    This wraps os/exec to:

    * Clear the environment when the hook doesn't set 'env'.  The runtime
      spec has [1]:

      > * env (array of strings, OPTIONAL) with the same semantics as IEEE
      >   Std 1003.1-2008's environ.

      And running execle or similar with NULL env results in an empty
      environment:

        $ cat test.c
        #include <unistd.h>

        int main() {
          return execle("/usr/bin/env", "env", NULL, NULL);
        }
        $ cc -o test test.c
        $ ./test
        ...no output...

      Go's Cmd.Env, on the other hand, has [2]:

      > If Env is nil, the new process uses the current process's environment.

      This commit works around that by setting []string{} in those cases to
      avoid leaking the runtime environment into the hooks.

    * Roll the 'timeout' value (if set) into the passed context.  There's no
      need for two separate ways to cancel hook execution.

    * Add a configurable timeout on abandoning a post-kill wait.  The waiting
      goroutine will continue and eventually reap the process, but this avoids
      blocking the Run() call when that takes inordinately long (for example,
      if a GPU cleanup hook is stuck in I/O sleep [3]).

    The 'env' output format is specified in POSIX [4].

    [1]: https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks
    [2]: https://golang.org/pkg/os/exec/#Cmd
    [3]: https://github.com/projectatomic/libpod/pull/857#discussion_r192191002
    [4]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/env.html

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #857
    Approved by: mheon
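The three behaviours the commit message above describes (empty rather than inherited environment, timeout folded into the context, bounded post-kill wait), as an added Go example that is not libpod's pkg/hooks/exec code; the names buildHookCmd and runHook, the flat parameter list and the empty-args error are assumptions of this example:

```go
package main

import (
	"context"
	"fmt"
	"os/exec"
	"time"
)

// buildHookCmd builds the exec.Cmd for an OCI hook (path, argv, env, optional
// timeout in seconds). A nil env becomes an empty non-nil slice, since nil
// Cmd.Env would inherit the runtime's environment; the timeout is folded into
// ctx; empty args is an error rather than a panic. Added example, not libpod code.
func buildHookCmd(ctx context.Context, path string, args, env []string, timeout *int) (*exec.Cmd, context.CancelFunc, error) {
	if len(args) == 0 {
		return nil, nil, fmt.Errorf("hook %s: process.args needs at least one entry", path)
	}
	cancel := context.CancelFunc(func() {})
	if timeout != nil {
		ctx, cancel = context.WithTimeout(ctx, time.Duration(*timeout)*time.Second)
	}
	cmd := exec.CommandContext(ctx, path, args[1:]...)
	cmd.Args = append([]string(nil), args...) // keep the hook's own argv[0]
	if cmd.Env = env; cmd.Env == nil {
		cmd.Env = []string{} // empty environment, like execle with a NULL envp
	}
	return cmd, cancel, nil
}

// runHook starts cmd and waits. Once ctx expires CommandContext has already
// killed the child; Wait then gets at most postKillTimeout before the call is
// abandoned (the goroutine keeps waiting and still reaps the process).
func runHook(ctx context.Context, cmd *exec.Cmd, postKillTimeout time.Duration) error {
	if err := cmd.Start(); err != nil {
		return err
	}
	done := make(chan error, 1)
	go func() { done <- cmd.Wait() }()
	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		select {
		case err := <-done:
			return err
		case <-time.After(postKillTimeout):
			return fmt.Errorf("hook %s: killed (%v) but not reaped in %v", cmd.Path, ctx.Err(), postKillTimeout)
		}
	}
}
```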
* Remove --net flag and make it an alias for --network  (Matthew Heon, 2018-05-31)
    Signed-off-by: Matthew Heon <mheon@redhat.com>
    Closes: #862
    Approved by: rhatdan
* Catch "does not exist" error  (Daniel J Walsh, 2018-05-31)
    There was a newline at the end of "does not exist" which was causing this
    to fail.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    Closes: #863
    Approved by: baude
* hooks: Rename Hooks() output to extensionStageHooks  (W. Trevor King, 2018-05-31)
    To more clearly distinguish between the extensionStages input to New()
    (a slice of strings) and the map output from Hooks().

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #855
    Approved by: rhatdan
* hooks: Allow local control of OCI stages via extensionStages  (W. Trevor King, 2018-05-31)
    This allows callers to avoid delegating to OCI runtimes for cases where
    they feel that the runtime hook handling is unreliable [1].

    [1]: https://github.com/projectatomic/libpod/issues/730#issuecomment-392959938

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #855
    Approved by: rhatdan
* We need to change the SELinux label of the conmon process to s0  (Daniel J Walsh, 2018-05-31)
    If SELinux is enabled, we are leaking pipes owned by conmon into the
    container.  The container processes are not allowed to use these pipes
    if the calling process is fully ranged.  By changing the level of the
    conmon process to s0, this allows container processes to use the pipes.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    Closes: #854
    Approved by: mheon
* Clear all caps, except the bounding set, when --user is specified.  (Daniel J Walsh, 2018-05-31)
    Currently we are giving all caps to users when running with podman run
    --user.  They should get none by default.  If the command line includes
    --cap-add, then we need to run with those capabilities.  Similarly we
    need to drop caps from the bounding set if the user specifies --cap-drop.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    Closes: #851
    Approved by: mheon
* Makefile: Add stderr redirect to HAS_PYTHON3 definition  (W. Trevor King, 2018-05-31)
    For two reasons:

    * When a system is missing python3, we don't need to spam them with
      "Command not found" in their stderr.

    * Without the redirect, GNU Make (at least version 4.2.1) is overly
      clever and tries to invoke the command itself, not realizing that
      it's a shell builtin [1].

        $ make --version
        GNU Make 4.2.1
        Built for aarch64-unknown-linux-gnu
        Copyright (C) 1988-2016 Free Software Foundation, Inc.
        License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
        This is free software: you are free to change and redistribute it.
        There is NO WARRANTY, to the extent permitted by law.
        $ cat Makefile
        PYTHON3_A := $(shell command -v python3)
        PYTHON3_B := $(shell command -v python3 2>/dev/null)

        test:
        	@echo "SHELL: '$(SHELL)'"
        	@echo "PYTHON3_A: '$(PYTHON3_A)'"
        	@echo "PYTHON3_B: '$(PYTHON3_B)'"
        $ make
        make: command: Command not found
        SHELL: '/bin/sh'
        PYTHON3_A: ''
        PYTHON3_B: '/usr/bin/python3'

      By adding the redirect we actually hit the shell and can successfully
      invoke command.

    [1]: https://stackoverflow.com/a/17550243

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #856
    Approved by: rhatdan
* Force update of API.md  (Matthew Heon, 2018-05-30)
    Signed-off-by: Matthew Heon <mheon@redhat.com>
    Closes: #849
    Approved by: rhatdan
* do not allow port related args to be used with --network=container:  (Daniel J Walsh, 2018-05-30)
    We cannot set additional ports on an existing container namespace, so we
    should not allow --network=container with publish or publish-all.

    Signed-off-by: baude <bbaude@redhat.com>
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    Closes: #853
    Approved by: baude
* Update .gitignore for Varlink code and gopathok  (Matthew Heon, 2018-05-30)
    Signed-off-by: Matthew Heon <mheon@redhat.com>
    Closes: #847
    Approved by: rhatdan
* sort containers and images by create time  (baude, 2018-05-30)
    When running podman ps or podman images, the containers and images
    should be sorted by newest to oldest.

    Resolves: #830

    Signed-off-by: baude <bbaude@redhat.com>
    Closes: #848
    Approved by: mheon
* Cleanup man pages  (Daniel J Walsh, 2018-05-30)
    Format md files to work properly when converted to man pages.
    Add sed command to cleanup table in podman man page.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    Closes: #842
    Approved by: mheon
* add go generate varlink to copr spec  (baude, 2018-05-29)
    Now that we make the varlink .go file on the fly, we need to have the
    spec call go generate on it to build properly.

    Signed-off-by: baude <bbaude@redhat.com>
    Closes: #843
    Approved by: baude
* Remove varlink's generated Go file  (baude, 2018-05-29)
    Signed-off-by: baude <bbaude@redhat.com>
    Closes: #840
    Approved by: baude
* Merge pull request #834 from mheon/bump_0_5_4  (Matthew Heon, 2018-05-25)
    Bump 0 5 4
  * Bump gitvalidation epoch  (Matthew Heon, 2018-05-25)
      Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  * Bump to v0.6.1-dev  (Matthew Heon, 2018-05-25)
      Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  * Bump to v0.5.4  [tag: v0.5.4]  (Matthew Heon, 2018-05-25)
      Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Vendor in latest projectatomic/buildah  (umohnani8, 2018-05-25)
    buildah fixed its problem where it was not pulling in the ENV of the
    base image.  This pulls that change into libpod as well.

    Signed-off-by: umohnani8 <umohnani@redhat.com>
    Closes: #832
    Approved by: mheon
* Rename addFIPSsModeSecret to addFIPSModeSecret  (Jhon Honce, 2018-05-25)
    Signed-off-by: Jhon Honce <jhonce@redhat.com>
    Closes: #833
    Approved by: mheon
* Make references to the Process part of Spec conditional  (Matthew Heon, 2018-05-25)
    The OCI runtime spec does not require Process to be passed (i.e., it can
    be nil).  Make most of our references to it conditional on it existing.

    Signed-off-by: Matthew Heon <mheon@redhat.com>
    Closes: #828
    Approved by: mheon
* save and load should support multi-tag for docker-archive  (umohnani8, 2018-05-25)
    The docker-archive tar files can have multiple tags for the same image
    stored in it.  Load pulls all the tags found in the archive when loading
    a tar file.  Save can push multiple tags of the same image to a tar
    archive.

    Signed-off-by: umohnani8 <umohnani@redhat.com>
    Closes: #819
    Approved by: rhatdan
* Implement python podman create and start  (Jhon Honce, 2018-05-25)
    - Added alias 'container()' to image model for CreateContainer()
    - Fixed return in containers_create.go to wrap error in varlink exception
    - Added a wait time to container.kill(), number of seconds to wait for
      the container to change state
    - Refactored cached_property() to use system libraries
    - Refactored tests to speed up performance

    Signed-off-by: Jhon Honce <jhonce@redhat.com>
    Closes: #821
    Approved by: rhatdan
* Spell check strings and comments  (Jhon Honce, 2018-05-25)
    Signed-off-by: Jhon Honce <jhonce@redhat.com>
    Closes: #831
    Approved by: rhatdan
* hooks/1.0.0: Error on empty process.args instead of panicking  (W. Trevor King, 2018-05-24)
    The process property is optional [1], which this package already handled
    appropriately, although I've added a new test here to guard against
    regressions.

    The process.args entry is required when process is set [2], and it's
    also required to contain at least one entry [3].  The previous
    implementation here assumed that would always be satisfied, and panicked
    on empty process.args.  With this commit, we avoid the panic and instead
    return an error message explaining why the input was invalid.

    [1]: https://github.com/opencontainers/runtime-spec/blame/v1.0.1/config.md#L145
    [2]: https://github.com/opencontainers/runtime-spec/blame/v1.0.1/config.md#L157
    [3]: https://github.com/opencontainers/runtime-spec/blame/v1.0.1/config.md#L158

    Reported-by: Brent Baude <bbaude@redhat.com>
    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #829
    Approved by: mheon
* Set Entrypoint from image only if not already set  (Matthew Heon, 2018-05-24)
    Signed-off-by: Matthew Heon <mheon@redhat.com>
    Closes: #827
    Approved by: rhatdan
* Update podman build to match buildah bud functionality  (Daniel J Walsh, 2018-05-23)
    Add --label, --annotations, --idfile, --squash

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    Closes: #824
    Approved by: TomSweeneyRedHat
* Fix test_runner call of podman varlink  (Jhon Honce, 2018-05-23)
    - Updated some tests due to slippage between tests and code
    - Skipped tests will be reinstated in a separate PR

    Signed-off-by: Jhon Honce <jhonce@redhat.com>
    Closes: #825
    Approved by: rhatdan
* Fix handling of command in images  (Daniel J Walsh, 2018-05-23)
    Currently we are dropping the command entry from the create line and
    using the image Cmd.  This change will only use the image Cmd if the
    user did not specify a Cmd.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    Closes: #823
    Approved by: umohnani8
* Add support for Zulu timestamp parsing  (Jhon Honce, 2018-05-23)
    - Improve error message when podman varlink service is not running

    Signed-off-by: Jhon Honce <jhonce@redhat.com>
    Closes: #800
    Approved by: rhatdan
* Clarify using podman build with a URL, Git repo, or archive.  (Joe Doss, 2018-05-23)
    Signed-off-by: Joe Doss <joe@solidadmin.com>
    Closes: #822
    Approved by: rhatdan
* Vendor in latest container/storage for devicemapper support  (Daniel J Walsh, 2018-05-22)
    container/storage now supports devicemapper options that allow you to
    configure it.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    Closes: #808
    Approved by: mheon
* set varlink timeout to 1 second  (baude, 2018-05-22)
    Add option to varlink for --timeout.  Input for this option is in
    milliseconds.

    Signed-off-by: baude <bbaude@redhat.com>
    Closes: #814
    Approved by: baude
* podman create, start, getattachsocket  (baude, 2018-05-21)
    First pass at implementing API endpoints for create and start.

    Signed-off-by: baude <bbaude@redhat.com>
    Closes: #805
    Approved by: baude
* use $GO env-var instead of hard-coded go binary  (Lokesh Mandvekar, 2018-05-21)
    Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
    Closes: #817
    Approved by: TomSweeneyRedHat
* tidy up the copr spec  (baude, 2018-05-21)
    On OSes (like CentOS) where python3 might not be installed, do not
    attempt to build the python3 varlink client.  varlink python is only
    supported on python3.

    Also, change the conditions for f28 to match the Fedora official specs.

    Signed-off-by: baude <bbaude@redhat.com>
    Closes: #813
    Approved by: baude
* honor multiple change values  (baude, 2018-05-21)
    In the case where changes are made to Env, Expose, Volumes, or labels,
    we should honor that multiple values are valid.

    Resolves: #795

    Signed-off-by: baude <bbaude@redhat.com>
    Closes: #815
    Approved by: mheon
* hooks/README: Fix some Markdown typos (e.g. missing runc target)  (W. Trevor King, 2018-05-21)
    I'd accidentally introduced these typos in ea415610 (hooks/docs: Add
    oci-hooks.5 and per-package man page building, 2018-05-15, #772).

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #810
    Approved by: mheon
* oci-hooks.5: Discuss directory precedence and monitoring  (W. Trevor King, 2018-05-21)
    We've had this functionality since 68eb128f (pkg/hooks: Version the hook
    structure and add 1.0.0 hooks, 2018-04-27, #686), but didn't have any
    user-facing docs for it.

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #811
    Approved by: mheon
* Merge pull request #809 from baude/changevarlinkpath  (Brent Baude, 2018-05-19)
    finish changing the path for varlink
  * finish changing the path for varlink  (baude, 2018-05-19)
      cleanup the last references to /run/io.projectatomic... and make sure
      /run/podman/projectatomic... is used.

      Signed-off-by: baude <bbaude@redhat.com>
* Tighten the security on the podman varlink socket  (Daniel J Walsh, 2018-05-19)
    We only want root to be allowed to access this socket.

    Also move socket to /run/podman directory.

    This requires us to drop a podman.conf tmpfiles.d file.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    Closes: #806
    Approved by: mheon
* Implement podman.containers.commit()  (Jhon Honce, 2018-05-18)
    - Add API support
    - Update tests
    - Make changes from reviews

    Signed-off-by: Jhon Honce <jhonce@redhat.com>
    Closes: #798
    Approved by: mheon
* Merge pull request #803 from mheon/bump_0_5_3  (Matthew Heon, 2018-05-18)
    Bump to v0.5.3
  * Update gitvalidation epoch  (Matthew Heon, 2018-05-18)
      Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  * Bump to v0.5.4-dev  (Matthew Heon, 2018-05-18)
      Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  * Bump to v0.5.3  [tag: v0.5.3]  (Matthew Heon, 2018-05-18)
      Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* remove hooks files reference and no varlink-python on f27 or epel  (baude, 2018-05-18)
    Signed-off-by: baude <bbaude@redhat.com>
    Closes: #802
    Approved by: baude
* contrib/spec/podman.spec.in: Drop README-hooks  (W. Trevor King, 2018-05-18)
    I'd tried to drop it here with ea415610 (hooks/docs: Add oci-hooks.5 and
    per-package man page building, 2018-05-15, #772), but had missed the
    reference added in 796d6c89 (Add python3 package to podman, 2018-05-17,
    #791) when rebasing around that package.  With this commit, I'm killing
    it again ;).

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #801
    Approved by: rhatdan