summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* libpod: Add HooksDirNotExistFatalW. Trevor King2018-05-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | And add an argument to WithHooksDir to set it. If the hook dir doesn't exist, the new hooks package considers that a fatal error. When a podman caller sets --hooks-dir-path=/some/typoed/directory, a fatal error is more helpful than silently not loading any hooks. However, callers who call podman without setting --hooks-dir-path may not need hooks at all. We don't want to pester those callers with not-exist errors. With this commit, we: * Assume the caller knows what they're doing if they set --hooks-dir-path and set HooksDirNotExistFatal. * If the caller does not explicitly set --hooks-dir-path, assume they won't mind if the hook directory is missing and set HooksDirNotExistFatal false. We also considered checking for the directory's existence in the code calling WithHooksDir or from within WithHooksDir, but checks there would race with the underlying ioutil.ReadDir in the hooks package. By pushing the warn/error decision down into libpod's implementation, we avoid a racy "do we expect this to work once libpod gets to it?" pre-check. I've also added a check to error if WithHooksDir is called with an empty-string argument, because we haven't defined the semantics of that (is it clearing a previous value? Is it effectively the same as the current directory?). I agree with Matthew that a separate WithNoHooks, or a *string argument to WithHooks, or some such would be a better API for clearing previous values [1]. But for now, I'm just erroring out to fail early for callers who might otherwise be surprised that libpod ignores empty-string HooksDir. [1]: https://github.com/projectatomic/libpod/pull/686#issuecomment-385119370 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #686 Approved by: mheon
* hooks/read: Ignore IsNotExist for JSON files in ReadDirW. Trevor King2018-05-11
| | | | | | | | | | | | | | | If a .json file existed when we called ioutil.ReadDir but that file has been removed by the time we get around to calling Read on it, silently ignore the file. Iterating through all the files in the directory shouldn't take particularly long, so this is an unlikely corner case. And when it happens, silently ignoring the file gives the same outcome as you'd have gotten if the parallel remove had happened slightly earlier before the ioutil.ReadDir call. Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #686 Approved by: mheon
* pkg/hooks: Version the hook structure and add 1.0.0 hooksW. Trevor King2018-05-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This shifts the matching logic out of libpod/container_internal and into the hook package, where we can reuse it after vendoring into CRI-O. It also adds unit tests with almost-complete coverage. Now libpod is even more isolated from the hook internals, which makes it fairly straightforward to bump the hook config file to 1.0.0. I've dubbed the old format 0.1.0, although it doesn't specify an explicit version. Motivation for some of my changes with 1.0.0: * Add an explicit version field. This will make any future JSON structure migrations more straightforward by avoiding the need for version-guessing heuristics. * Collect the matching properties in a new When sub-structure. This makes the root Hook structure easier to understand, because you don't have to read over all the matching properties when wrapping your head around Hook. * Replace the old 'hook' and 'arguments' with a direct embedding of the runtime-spec's hook structure. This provides access to additional upstream properties (args[0], env, and timeout) and avoids the complication of a CRI-O-specific analog structure. * Add a 'when.always' property. You can usually accomplish this effect in another way (e.g. when.commands = [".*"]), but having a boolean explicitly for this use-case makes for easier reading and writing. * Replace the previous annotations array with an annotations map. The 0.1.0 approach matched only the values regardless of key, and that seems unreliable. * Replace 'cmds' with 'when.commands', because while there are a few ways to abbreviate "commands", there's only one way to write it out in full ;). This gives folks one less thing to remember when writing hook JSON. * Replace the old "inject if any specified condition matches" with "inject if all specified conditions match". This allows for more precise targeting. Users that need more generous targeting can recover the previous behavior by creating a separate 1.0.0 hook file for each specified 0.1.0 condition. I've added doc-compat support for the various pluralizations of the 0.1.0 properties. Previously, the docs and code were not in agreement. More on this particular facet in [1]. I've updated the docs to point out that the annotations being matched are the OCI config annotations. This differs from CRI-O, where the annotations used are the Kubernetes-supplied annotations [2,3]. For example, io.kubernetes.cri-o.Volumes [4] is part of CRI-O's runtime config annotations [5], but not part of the Kubernetes-supplied annotations CRI-O uses for matching hooks. The Monitor method supports the CRI-O use-case [6]. podman doesn't need it directly, but CRI-O will need it when we vendor this package there. I've used nvidia-container-runtime-hook for the annotation examples because Dan mentioned the Nvidia folks as the motivation behind annotation matching. The environment variables are documented in [7]. The 0.1.0 hook config, which does not allow for environment variables, only works because runc currently leaks the host environment into the hooks [8]. I haven't been able to find documentation for their usual annotation trigger or hook-install path, so I'm just guessing there. [1]: https://github.com/kubernetes-incubator/cri-o/pull/1235 [2]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L760 [3]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L772 [4]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/pkg/annotations/annotations.go#L97-L98 [5]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L830-L834 [6]: https://github.com/kubernetes-incubator/cri-o/pull/1345/ [7]: https://github.com/NVIDIA/nvidia-container-runtime/tree/v1.3.0-1#environment-variables-oci-spec [8]: https://github.com/opencontainers/runc/pull/1738 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #686 Approved by: mheon
* Fix varlink remove image forcebaude2018-05-11
| | | | | | | | | | | | | Fixes a bug where the force bool was being ignored when deleting images via the varlink interface. Also, minor fix to the docs to add a line break between methods and types in the doc index. Signed-off-by: baude <bbaude@redhat.com> Closes: #753 Approved by: rhatdan
* Update Podman-specific readmeMatthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #754 Approved by: baude
* Update main READMEMatthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #754 Approved by: baude
* vendor.conf: Pin containernetworking/plugins to 1fb94a42W. Trevor King2018-05-11
| | | | | | | | | | | | | | | | | | | | | | containernetworking/plugins@a0eac8d7 (pkg/ns: remove namespace creation, 2018-03-16) removed NewNS, which we use in libpod/networking.go. Pinning to the previous commit, containernetworking/plugins@1fb94a42 (Merge pull request #96 from DennisDenuto/denuto/master, 2018-03-14), allows us to run vndr without breaking our build. This is a short term fix; moving forward we'll want to either drop this dependency or catch up with the new upstream API. The upstream package seems to have been fairly stable in the meantime, because even with the new pinned version, a vndr re-vendor generates no changes: $ vndr github.com/containernetworking/plugins Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #751 Approved by: mheon
* Do not error trying to remove cgroups that don't existMatthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* Remove parent cgroup we create with cgroupfsMatthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* Place Conmon and Container in separate CGroupsMatthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* Add --cgroup-manager flag to Podman binaryMatthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* Major fixes to systemd cgroup handlingMatthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* Skip systemd-style CGroups testMatthew Heon2018-05-11
| | | | | | | | | | Until we get Systemd cgroup manager working, this will cause a validation error. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* Alter CGroup path handling for 'podman top'Matthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* Add validation for CGroup parents. Pass CGroups path into runcMatthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* vendor/github.com/docker/docker/hack: Remove unused directoryW. Trevor King2018-05-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This directory just had Markdown and vendor.conf. I'm not sure why we have it in our version control, maybe old versions of vndr kept it? Or maybe folk dropped it into vendor/ by hand without using vndr? The history of that vendored directory is: * 619637a9 (Handle Linux Capabilities from command line, 2017-11-03, #17) added the three files to our version control. * c344fe61 (Update vendoring, 2017-11-22, #60) bumped hack/README.md. * af64e104 (Vendor in lots of kubernetes stuff to shrink image size, 2018-03-26, #554) bumped hack/README.md. * 27107fda (Vendor in latest containers/image and contaners/storage, 2018-04-18, #509) removed the files. * a824186a (Use buildah commit and bud in podman, 2018-04-25, #681) added the files back. * I'm removing them again in this commit. With this commit, $ vndr github.com/docker/docker becomes a no-op. Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #752 Approved by: baude
* varlink infobaude2018-05-11
| | | | | | | | | | The varlinfo info returns the same information as podman info but always includes the so-called debug information. Signed-off-by: baude <bbaude@redhat.com> Closes: #745 Approved by: baude
* vendor.conf: Bump containerd/cgroups to 77e62851W. Trevor King2018-05-11
| | | | | | | | | | | | | | | | | | | | vendor.conf has been pinned at containerd/cgroups@7a5fdd83 (Merge pull request #26 from onorua/error-ignore-example, 2017-08-24) since libpod forked from CRI-O with a031b83a (Initial checkin from CRI-O repo, 2017-11-01). The content in vendor/github.com/containerd/cgroups was bumped to containerd/cgroups@77e62851 (Use /proc/diskstats to get device names, 2018-01-31) in ae89dc28 (Update containerd/cgroups repo fix perf issue, 2018-02-01, #284), but ae89dc28 forgot to update vendor.conf. With this commit: $ vndr github.com/containerd/cgroups no longer changes anything under vendor/github.com/containerd/cgroups. Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #749 Approved by: mheon
* vendor.conf: Bump CNI to v0.6.0W. Trevor King2018-05-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Neither the nominal version nor vendored content had changed since a031b83a (Initial checkin from CRI-O repo, 2017-11-01): $ git ls-tree origin/master -- vendor/github.com/containernetworking/cni 040000 tree 744c091cc1dbb869b2cf714cf6b5e8d33fe17d9c vendor/github.com/containernetworking/cni $ git ls-tree a031b83a -- vendor/github.com/containernetworking/cni 040000 tree 744c091cc1dbb869b2cf714cf6b5e8d33fe17d9c vendor/github.com/containernetworking/cni $ git grep /cni a031b83a -- vendor.conf a031b83a:vendor.conf:github.com/containernetworking/cni v0.4.0 I'm not quite sure which upstream version the old vendored content came from, but it certainly wasn't v0.4.0. I've bumped our nominal version to v0.6.0 and re-vendored with: $ vndr github.com/containernetworking/cni $ git add -A vendor/github.com/containernetworking/cni to generate this commit. The only change to the vendored content is text in the README (unlikely to break anything ;), and sitting on an upstream tag is nice, so I think this is good enough. Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #750 Approved by: mheon
* Dont eat the pull error message for varlinkbaude2018-05-10
| | | | | | | | | When using varlink to pull an image, we should expose the actual error to the caller. Signed-off-by: baude <bbaude@redhat.com> Closes: #744 Approved by: rhatdan
* podman push should honor registries.confbaude2018-05-10
| | | | | | | | | | | Like podman pull, when you push an image, podman should check if the registry is listed as insecure and if so, it should --tls-verify=false unless the user overrides this. Signed-off-by: baude <bbaude@redhat.com> Closes: #738 Approved by: mheon
* alphabetize the varlink methods, types, and errors in the docsbaude2018-05-10
| | | | | | | | | | | | We have decided to alphabetize things in the API documentation to help users find things easier. It also solves an issue where when being made, the API.md doc would remake itself in a different order resulting in massive diffs in the pull requests but no new content. Signed-off-by: baude <bbaude@redhat.com> Closes: #739 Approved by: baude
* Add missing newline to podman portMatthew Heon2018-05-10
| | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com> Closes: #741 Approved by: giuseppe
* Generate varlink API documentation automaticallybaude2018-05-08
| | | | | | | | | | Using varlink's idl parser, we generate API documentation for the podman API relying on the .varlink file as the source. Signed-off-by: baude <bbaude@redhat.com> Closes: #734 Approved by: baude
* Allow streaming on some varlink container methodsbaude2018-05-08
| | | | | | | | | | | | | | | The following methods should support streaming requests from the client: * GetContainerLogs A reference for a python stream implementation can be found here: https://github.com/varlink/python/blob/master/varlink/tests/test_orgexamplemore.py#L29-L42 Signed-off-by: baude <bbaude@redhat.com> Closes: #724 Approved by: mheon
* Remove extra close from attach resize channelMatthew Heon2018-05-08
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #733 Approved by: umohnani8
* Vendor in latest containers/storage fix for UserNSDaniel J Walsh2018-05-07
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #732 Approved by: mheon
* container.go: fix lint errorGiuseppe Scrivano2018-05-05
| | | | | | | | | | | the error was: libpod/container.go:219::error: struct field tag `json:"groups, omitempty"` not compatible with reflect.StructTag.Get: suspicious space in struct tag value (vet) Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #729 Approved by: baude
* Dockerfile.Fedora: use fedora:28 instead of fedora:27Giuseppe Scrivano2018-05-05
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #729 Approved by: baude
* Fix calculation of RunningFor in ps json outputMatthew Heon2018-05-05
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #727 Approved by: rhatdan
* Should not error out if container no longer exists in ociDaniel J Walsh2018-05-04
| | | | | | | | | | This prevents you from cleaning up the container database, if some how runc and friends db gets screwed up. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #725 Approved by: mheon
* Make invalid state nonfatal when cleaning up in runMatthew Heon2018-05-04
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #726 Approved by: baude
* test/e2e/run_userns_test.go: new fileGiuseppe Scrivano2018-05-04
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #690 Approved by: mheon
* podman, userNS: configure an intermediate mount namespaceGiuseppe Scrivano2018-05-04
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #690 Approved by: mheon
* networking, userNS: configure the network namespace after createGiuseppe Scrivano2018-05-04
| | | | | | | | | | | so that the OCI runtime creates the network namespace from the correct userNS. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #690 Approved by: mheon
* Begin wiring in USERNS Support into podmanDaniel J Walsh2018-05-04
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #690 Approved by: mheon
* Merge pull request #722 from mheon/bump_0_5_1Matthew Heon2018-05-04
|\ | | | | Bump to v0.5.1
| * Bump gitvalidation epochMatthew Heon2018-05-04
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Bump to v0.5.2-devMatthew Heon2018-05-04
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Bump to v0.5.1v0.5.1Matthew Heon2018-05-04
|/ | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Fix pulling from secure registrybaude2018-05-04
| | | | | | | | | | when pulling from a secure registry that is documented in registries.conf, we should be able to pull without tls-verify=false Signed-off-by: baude <bbaude@redhat.com> Closes: #718 Approved by: rhatdan
* Optionally init() during container restartMatthew Heon2018-05-04
| | | | | | | | | | | This allows us to restart containers that have never been started without error. This makes RestartWithTimeout work with running, stopped, and created containers. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #719 Approved by: rhatdan
* bashcompletion enhancementsbaude2018-05-03
| | | | | | | | | | | * now all podman subcommands can be completed * images can be completed when run as root (not sudo) * bug corrected that made podman_top and podman_tag Signed-off-by: baude <bbaude@redhat.com> Closes: #716 Approved by: mheon
* Add directory for systemd socket and service if not presentTomSweeneyRedHat2018-05-03
| | | | | | | Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com> Closes: #717 Approved by: baude
* varlink containersbaude2018-05-03
| | | | | | | | | | | | | first pass at adding in the container related endpoints/methods for the libpod backend. Couple of important notes: * endpoints that can use a console are not going to be done until we have "remote" console * several of the container methods should probably be able to stream as opposed to a one-off return Signed-off-by: baude <bbaude@redhat.com> Closes: #708 Approved by: baude
* Make podman commit to localhost rather then docker.ioDaniel J Walsh2018-05-03
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #715 Approved by: mheon
* Trivial refactor on volume additionMatthew Heon2018-05-03
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #700 Approved by: rhatdan
* When adding volumes to DB, handle nontrivial casesMatthew Heon2018-05-03
| | | | | | | | | | We want to make sure we don't add anything but the host volume, and the volumes can include options and container locations. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #700 Approved by: rhatdan
* Add accessors for new image fields in container configMatthew Heon2018-05-03
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #700 Approved by: rhatdan
* Store user Volumes, Entrypoint, Command in databaseMatthew Heon2018-05-03
| | | | | | | | | | | We need these for commit, and they cannot be properly deduced from just the OCI spec, so save them in the database so we can retrieve them for commit. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #700 Approved by: rhatdan