summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* apparmor: apply default profile at container initializationValentin Rothberg2019-01-09
| | | | | | | | | | | | | | | | | | | Apply the default AppArmor profile at container initialization to cover all possible code paths (i.e., podman-{start,run}) before executing the runtime. This allows moving most of the logic into pkg/apparmor. Also make the loading and application of the default AppArmor profile versio-indepenent by checking for the `libpod-default-` prefix and over-writing the profile in the run-time spec if needed. The intitial run-time spec of the container differs a bit from the applied one when having started the container, which results in displaying a potentially outdated AppArmor profile when inspecting a container. To fix that, load the container config from the file system if present and use it to display the data. Fixes: #2107 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #2040 from QiWang19/signimgOpenShift Merge Robot2019-01-09
|\ | | | | Support podman image sign
| * [WIP]Support podman image signQi Wang2019-01-08
| | | | | | | | | | | | Generate a signature claim for an image using user keyring (--sign-by). The signature file will be stored in simple json format under the default or the given directory (--directory or yaml file in /etc/containers/registries.d/). Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Merge pull request #2061 from adrianreber/static-ipOpenShift Merge Robot2019-01-09
|\ \ | | | | | | Use existing interface to request IP address during restore
| * | Use existing interface to request IP address during restoreAdrian Reber2019-01-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The initial implementation to request the same IP address for a container during a restore was based on environment variables influencing CNI. With this commit the IP address selection switches to Podman's internal static IP API. This commit does a comment change in libpod/container_easyjson.go to avoid unnecessary re-generation of libpod/container_easyjson.go during build as this fails in CI. The reason for this is that make sees that libpod/container_easyjson.go needs to be re-created. The commit, however, only changes a part of libpod/container.go which is marked as 'ffjson: skip'. Signed-off-by: Adrian Reber <areber@redhat.com>
| * | Added checkpoint/restore test for same IPAdrian Reber2019-01-09
| | | | | | | | | | | | | | | | | | | | | | | | Restoring a container from a checkpoint should give the container the same IP as before checkpointing. This adds a test to make sure the IP stays the same. Signed-off-by: Adrian Reber <areber@redhat.com>
| * | Enable checkpoint test with established TCP connectionsAdrian Reber2019-01-09
| | | | | | | | | | | | Signed-off-by: Adrian Reber <areber@redhat.com>
* | | Merge pull request #2087 from wking/kind-bugOpenShift Merge Robot2019-01-09
|\ \ \ | | | | | | | | .github/ISSUE_TEMPLATE: Suggest '/kind bug' and '/kind feature'
| * | | .github/ISSUE_TEMPLATE: Suggest '/kind bug' and '/kind feature'W. Trevor King2019-01-08
| |/ / | | | | | | | | | | | | | | | | | | | | | So Prow's label plugin [1] can apply the appropriate label for us. [1] https://github.com/kubernetes/test-infra/tree/master/prow/plugins/label Signed-off-by: W. Trevor King <wking@tremily.us>
* | | Merge pull request #2103 from ↵OpenShift Merge Robot2019-01-09
|\ \ \ | | | | | | | | | | | | | | | | debarshiray/wip/debarshiray/man-page-order-long-short-options List the long variant of each option before its shorter counterpart
| * | | List the long variant of each option before its shorter counterpartDebarshi Ray2019-01-09
| |/ / | | | | | | | | | | | | | | | This is the style followed in most of the other man pages. Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
* | | Merge pull request #1830 from wking/config-filter-hooksOpenShift Merge Robot2019-01-09
|\ \ \ | |/ / |/| | hooks: Add pre-create hooks for runtime-config manipulation
| * | pkg/hooks/exec: Include failed command in hook errorsW. Trevor King2019-01-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For example: $ cat /etc/containers/oci/hooks.d/test.json { "version": "1.0.0", "hook": { "path": "/bin/sh", "args": ["sh", "-c", "echo 'oh, noes!' >&2; exit 1"] }, "when": { "always": true }, "stages": ["precreate"] } $ podman run --rm docker.io/library/alpine echo 'successful container' error setting up OCI Hooks: executing [sh -c echo 'oh, noes!' >&2; exit 1]: exit status 1 The rendered command isn't in in the right syntax for copy/pasting into a shell, but it should be enough for the user to be able to locate the failing hook. They'll need to know their hook directories, but with the previous commits requiring explicit hook directories it's more likely that the caller is aware of them. And if they run at a debug level, they can see the lookups in the logs: $ podman --log-level=debug --hooks-dir=/etc/containers/oci/hooks.d run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook time="2018-12-02T22:15:16-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d" time="2018-12-02T22:15:16-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json" time="2018-12-02T22:15:16-08:00" level=debug msg="hook test.json matched; adding to stages [precreate]" time="2018-12-02T22:15:16-08:00" level=warning msg="container 3695c6ba0cc961918bd3e4a769c52bd08b82afea5cd79e9749e9c7a63b5e7100: precreate hook: executing [sh -c echo 'oh, noes!' >&2; exit 1]: exit status 1" time="2018-12-02T22:15:16-08:00" level=error msg="error setting up OCI Hooks: executing [sh -c echo 'oh, noes!' >&2; exit 1]: exit status 1" Signed-off-by: W. Trevor King <wking@tremily.us>
| * | hooks/exec/runtimeconfigfilter: Log config changesW. Trevor King2019-01-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To make it easier to notice and track down errors (or other surprising behavior) due to precreate hooks. With this commit, the logged messages look like: time="2018-11-19T13:35:18-08:00" level=debug msg="precreate hook 0 made configuration changes: --- Old +++ New @@ -18,3 +18,3 @@ Namespaces: ([]specs.LinuxNamespace) <nil>, - Devices: ([]specs.LinuxDevice) (len=1) { + Devices: ([]specs.LinuxDevice) (len=2) { (specs.LinuxDevice) { @@ -24,2 +24,11 @@ Minor: (int64) 229, + FileMode: (*os.FileMode)(-rw-------), + UID: (*uint32)(0), + GID: (*uint32)(0) + }, + (specs.LinuxDevice) { + Path: (string) (len=8) "/dev/sda", + Type: (string) (len=1) "b", + Major: (int64) 8, + Minor: (int64) 0, FileMode: (*os.FileMode)(-rw-------), " time="2018-11-19T13:35:18-08:00" level=debug msg="precreate hook 1 made configuration changes: --- Old +++ New @@ -29,3 +29,3 @@ (specs.LinuxDevice) { - Path: (string) (len=8) "/dev/sda", + Path: (string) (len=8) "/dev/sdb", Type: (string) (len=1) "b", " Ideally those logs would include the container ID, but we don't have access to that down at this level. I'm not sure if it's worth teaching RuntimeConfigFilter to accept a *logrus.Entry (so the caller could use WithFields [1]) or to use a generic logging interface (like go-log [2]). For now, I've left the container ID unlogged here. The spew/difflib implementation is based on stretchr/testify/assert, but I think the ~10 lines I'm borrowing are probably small enough to stay under the "all copies or substantial portions" condition in its MIT license. [1]: https://godoc.org/github.com/sirupsen/logrus#WithFields [2]: https://github.com/go-log/log Signed-off-by: W. Trevor King <wking@tremily.us>
| * | hooks: Add pre-create hooks for runtime-config manipulationW. Trevor King2019-01-08
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There's been a lot of discussion over in [1] about how to support the NVIDIA folks and others who want to be able to create devices (possibly after having loaded kernel modules) and bind userspace libraries into the container. Currently that's happening in the middle of runc's create-time mount handling before the container pivots to its new root directory with runc's incorrectly-timed prestart hook trigger [2]. With this commit, we extend hooks with a 'precreate' stage to allow trusted parties to manipulate the config JSON before calling the runtime's 'create'. I'm recycling the existing Hook schema from pkg/hooks for this, because we'll want Timeout for reliability and When to avoid the expense of fork/exec when a given hook does not need to make config changes [3]. [1]: https://github.com/opencontainers/runc/pull/1811 [2]: https://github.com/opencontainers/runc/issues/1710 [3]: https://github.com/containers/libpod/issues/1828#issuecomment-439888059 Signed-off-by: W. Trevor King <wking@tremily.us>
* | Merge pull request #2097 from debarshiray/wip/debarshiray/podman-exec-workdirOpenShift Merge Robot2019-01-08
|\ \ | | | | | | Add a --workdir option to 'podman exec'
| * | Add a --workdir option to 'podman exec'Debarshi Ray2019-01-08
| | | | | | | | | | | | Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
* | | Merge pull request #2094 from ↵OpenShift Merge Robot2019-01-08
|\ \ \ | |/ / |/| | | | | | | | debarshiray/wip/debarshiray/podman-start-sig-proxy-default-doc Mention the default --sig-proxy value for 'podman start'
| * | Default --sig-proxy to true for 'podman start --attach'Debarshi Ray2019-01-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The --sig-proxy option in both 'podman attach' and 'podman run' default to true, and there's no reason for 'podman start --attach' to be any different. However, since it only makes sense to proxy signals when the container is attached, 'podman start --sig-proxy' will continue to error if --attach isn't used. Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
| * | Test that 'podman start --sig-proxy' does not work without --attachDebarshi Ray2019-01-08
|/ / | | | | | | Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
* | Merge pull request #2099 from mheon/config_to_containerconfigOpenShift Merge Robot2019-01-08
|\ \ | | | | | | Rename libpod.Config back to ContainerConfig
| * | Rename libpod.Config back to ContainerConfigMatthew Heon2019-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | During an earlier bugfix, we swapped all instances of ContainerConfig to Config, which was meant to fix some data we were returning from Inspect. This unfortunately also renamed a libpod internal struct for container configs. Undo the rename here. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #2076 from rhatdan/storage.confOpenShift Merge Robot2019-01-08
|\ \ \ | | | | | | | | If local storage file exists, then use it rather then defau…
| * | | If local storage file exists, then use it rather then defaults.Daniel J Walsh2019-01-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently we always force overlay if it exists even though a user might want vfs. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #2101 from vrothberg/vendor-buildahOpenShift Merge Robot2019-01-08
|\ \ \ \ | |_|_|/ |/| | | vendor latest buildah
| * | | vendor latest buildahValentin Rothberg2019-01-08
|/ / / | | | | | | | | | | | | | | | Allow parallel copying from the blobcache. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #2078 from rhatdan/config.fileOpenShift Merge Robot2019-01-07
|\ \ \ | | | | | | | | Add the configuration file used to setup storage to podman info
| * | | Add the configuration file used to setup storage to podman infoDaniel J Walsh2019-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Users have no idea what storage configuration file is used to setup storage, so adding this to podman info, should make it easier to discover. This requires a revendor of containers/storage Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #2064 from afbjorklund/exec-envOpenShift Merge Robot2019-01-07
|\ \ \ \ | | | | | | | | | | Honor image environment variables with exec
| * | | | Honor image environment variables with execAnders F Björklund2019-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Was reading the "env" argument twice instead of image. Closes #2063 Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* | | | | Merge pull request #2100 from cevich/very_small_simplificationOpenShift Merge Robot2019-01-07
|\ \ \ \ \ | |/ / / / |/| | | | Minor: Remove redundant basename command in ooe.sh
| * | | | Minor: Remove redundant basename command in ooe.shChris Evich2019-01-07
| | |_|/ | |/| | | | | | | | | | Signed-off-by: Chris Evich <cevich@redhat.com>
* | | | Merge pull request #2098 from baude/remoteOpenShift Merge Robot2019-01-07
|\ \ \ \ | | | | | | | | | | Add ability to build golang remote client
| * | | | Add ability to build golang remote clientbaude2019-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add the ability to build a remote client in golang that uses all the same front-end cli code and output code. The initial limitations here are that it can only be a local client while the bridge and resolver code is being written for the golang varlink client. Tests and docs will be added in subsequent PRs. Signed-off-by: baude <bbaude@redhat.com>
* | | | | Merge pull request #2096 from vrothberg/vendor-buildahOpenShift Merge Robot2019-01-07
|\ \ \ \ \ | |_|/ / / |/| | | | vendor latest buildah
| * | | | vendor latest buildahValentin Rothberg2019-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pulls in fixes for determining insecure registries by removing redundant wrapper code and instead using the API of sysregistriesv2 directly. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | Merge pull request #2075 from baude/runlabelnameOpenShift Merge Robot2019-01-07
|\ \ \ \ \ | | | | | | | | | | | | container runlabel NAME implementation
| * | | | | container runlabel NAME implementationbaude2019-01-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when using container runlabel, if a --name is not provided, we must deduce the container name from the base name of the image to maintain parity with the atomic cli. fixed small bug where we split the cmd on " " rather than using fields could lead to extra spaces in command output. Signed-off-by: baude <bbaude@redhat.com>
* | | | | | Merge pull request #2083 from mheon/shm_locking_fixesOpenShift Merge Robot2019-01-07
|\ \ \ \ \ \ | |_|_|_|/ / |/| | | | | Address lingering review comments from SHM locking PR
| * | | | | Address lingering review comments from SHM locking PRMatthew Heon2019-01-07
|/ / / / / | | | | | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | | Merge pull request #2093 from vrothberg/issue-2092OpenShift Merge Robot2019-01-07
|\ \ \ \ \ | | | | | | | | | | | | podman-login: adhere to user input
| * | | | | podman-login: adhere to user inputValentin Rothberg2019-01-07
| | |/ / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Do not try to login with existing credentials when the user specifies a username or password on the CLI. * Improve error messages. * Use specified tls-verify switch and cert-dir for all requests. Fixes: #2092 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | Merge pull request #2088 from giuseppe/umask-to-0OpenShift Merge Robot2019-01-07
|\ \ \ \ \ | |/ / / / |/| | | | podman: set umask to 022
| * | | | podman: set umask to 022Giuseppe Scrivano2019-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | be sure there are no bits in the umask that prevent us for creating directories with mode 0755. Set the umask very early in the program startup. Closes: https://github.com/containers/libpod/issues/2074 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | | Merge pull request #2089 from rhatdan/locksOpenShift Merge Robot2019-01-06
|\ \ \ \ \ | | | | | | | | | | | | Rootless with shmlocks was not working.
| * | | | | Rootless with shmlocks was not working.Daniel J Walsh2019-01-05
| |/ / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch makes the path unigue to each UID. Also cleans up some return code to return the path it is trying to lock. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | Merge pull request #2082 from rhatdan/runcOpenShift Merge Robot2019-01-06
|\ \ \ \ \ | | | | | | | | | | | | Update vendor of runc
| * | | | | Update vendor of runcDaniel J Walsh2019-01-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Updating the vendor or runc to pull in some fixes that we need. In order to get this vendor to work, we needed to update the vendor of docker/docker, which causes all sorts of issues, just to fix the docker/pkg/sysinfo. Rather then doing this, I pulled in pkg/sysinfo into libpod and fixed the code locally. I then switched the use of docker/pkg/sysinfo to libpod/pkg/sysinfo. I also switched out the docker/pkg/mount to containers/storage/pkg/mount Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | | Merge pull request #2090 from rhatdan/buildahOpenShift Merge Robot2019-01-06
|\ \ \ \ \ \ | |_|/ / / / |/| | | | | Vendor in latest containers/buildah code
| * | | | | Vendor in latest containers/buildah codeDaniel J Walsh2019-01-05
|/ / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This should improve the speed of podman build. Has fixes from containres/image for parallell pull. Also vendor containers/storage and containers/image Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>