Commit message (Author, Age)
* Update vendored version of runc,buildah,containers/image (Daniel J Walsh, 2018-07-27)
|   There is a compiler warning that has been fixed in the upstream, so I figured we should update to fix. Also vendor in latest buildah to get better support for running builds in rootless mode. Vendor in latest containers/image to allow daemon support to be pluggable.
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|   Closes: #1169
|   Approved by: mheon
* Refactored method of getting pods (haircommander, 2018-07-27)
|   Now, for commands that have --latest and --all, the context flags are checked, and pods are grabbed in a single function
|   Signed-off-by: haircommander <pehunt@redhat.com>
|   Closes: #1161
|   Approved by: rhatdan
* Fix godoc comment in pkg/netns (Matthew Heon, 2018-07-27)
|   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|   Closes: #1165
|   Approved by: baude
* Fix handling of Linux network namespaces (Matthew Heon, 2018-07-27)
|   The CNI plugins upstream removed their network namespace creation code, making it a test package only. Copy it into our repository and slightly modify it for our use (most notably, use MNT_DETACH when unmounting namespaces). This new CNI code splits closing and unmounting network namespaces, which allows us to greatly reduce the number of occasions on which we call teardownNetwork() and make more errors in that function fatal instead of warnings. Instead, we can call Close() and just close the open file descriptor in cases where the namespace has already been cleaned up.
|   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|   Closes: #1165
|   Approved by: baude
* Update containernetworking/plugins to current master (Matthew Heon, 2018-07-27)
|   We need to pick up changes to the netns packages that are not yet in a released tag.
|   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|   Closes: #1165
|   Approved by: baude
* Cleanup descriptions and help information (Daniel J Walsh, 2018-07-27)
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|   Closes: #1167
|   Approved by: baude
* Skip seccomp-dependent tests on non-Linux (Miloslav Trmač, 2018-07-26)
|   Currently, getRuntimeSpec always fails on non-Linux because spec.CreateConfigToOCISpec always fails, because the podman CLI sets up a seccomp path, and processing that on non-Linux is not supported. This breaks testing of entirely unrelated options. We can either skip the tests on non-Linux, or explicitly disable seccomp inside the tests. Linux testing matters much more than other platforms, and the tests are more reliable when they don't change supposedly unrelated options; so, skip the tests on non-Linux.
|   Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|   Closes: #1115
|   Approved by: rhatdan
* Use the Linux version BoltState.getContainerFromDB on all platforms. (Miloslav Trmač, 2018-07-26)
|   This just moves the Linux implementation, unchanged, to the platform-agnostic file. Should not change behavior on Linux. On non-Linux platforms, reading containers from BoltDB now works (and rejects containers with namespace data). The checkRuntimeConfig validation ensures that each BoltDB database is only used on one platform, so network namespaces should never exist in non-Linux BoltDB files.
|   Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|   Closes: #1115
|   Approved by: rhatdan
* Split parseNetNSBoltData from BoltState.getContainerFromDB (Miloslav Trmač, 2018-07-26)
|   This is the actual platform-specific part of getContainerFromDB. Factor it out, unchanged, on Linux. On other platforms, introduce a stub which fails if any data exists; this stub is not yet called. Should not change behavior.
|   Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|   Closes: #1115
|   Approved by: rhatdan
* Use testify/require in a few places to avoid panics in tests (Miloslav Trmač, 2018-07-26)
|   Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|   Closes: #1115
|   Approved by: rhatdan
* Skip unit tests which require storage when not running as root (Miloslav Trmač, 2018-07-26)
|   On macOS NewImageRuntimeFromOptions fails with chown EPERM because the "vfs" driver tries to chown its home to root:root 0700; in fact running as root seems to be a generic requirement. So, skip the tests if not running as root. (This could maybe benefit from an extra state, maybe an environment variable like RUNNING_IN_CI, to make sure the tests are actually run often enough.)
|   Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|   Closes: #1115
|   Approved by: rhatdan
* Don't pollute the build output with failures to build checkseccomp (Miloslav Trmač, 2018-07-26)
|   (make localunit) complains about the unbuildable subpackage; silence that. Actually, I can't find any user of checkseccomp in this repo; maybe it is entirely unused?
|   Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|   Closes: #1115
|   Approved by: rhatdan
* Remove cmd/podman/user.go (Miloslav Trmač, 2018-07-26)
|   None of the functions are used within the package, and it does not build on non-Linux systems. (Similar code continues to exist in pkg/chrootuser, and is unaffected.)
|   Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|   Closes: #1115
|   Approved by: rhatdan
* double papr timeout for all ci tests (baude, 2018-07-26)
|   Signed-off-by: baude <bbaude@redhat.com>
|   Closes: #1163
|   Approved by: baude
* vendor latest containers/psgo (Valentin Rothberg, 2018-07-26)
|   Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
|   Closes: #1162
|   Approved by: rhatdan
* Merge pull request #1158 from mheon/prevent_multiple_boltdb_conns (Matthew Heon, 2018-07-26)
|\
| |   Add a mutex to BoltDB state to prevent lock issues
| * Add a mutex to BoltDB state to prevent lock issues (Matthew Heon, 2018-07-25)
| |   Per https://www.sqlite.org/src/artifact/c230a7a24?ln=994-1081, POSIX file advisory locks are unsafe to use within a single process if multiple file descriptors are open for the same file. Unfortunately, this has a strong potential to happen for multithreaded usage of libpod, and could result in DB corruption. To prevent this, wrap all access to BoltDB within a single libpod instance in a mutex to ensure concurrent access cannot occur.
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Vendor latest container/storage to fix overlay mountopt (Daniel J Walsh, 2018-07-25)
| |   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| |   Closes: #1160
| |   Approved by: mheon
* | Add pod kill (haircommander, 2018-07-25)
| |   With tests, man page, and completions.
| |   Signed-off-by: haircommander <pehunt@redhat.com>
| |   Closes: #1125
| |   Approved by: rhatdan
* | Added pod restart (haircommander, 2018-07-25)
| |   With tests, man page and completions.
| |   Signed-off-by: haircommander <pehunt@redhat.com>
| |   Closes: #1152
| |   Approved by: rhatdan
* | Added pod.Restart() functionality to libpod. (haircommander, 2018-07-25)
| |   Moved contents of RestartWithTimeout to restartWithTimeout in container_internal to be able to call restart without locking in function. Refactored startNode to be able to either start or restart a node. Built pod Restart() with new startNode with refresh true.
| |   Signed-off-by: haircommander <pehunt@redhat.com>
| |   Closes: #1152
| |   Approved by: rhatdan
* | Clear variables used to store options after parsing for every volume (umohnani8, 2018-07-25)
|/
|   If more than one volume was mounted using the --volume flag in podman run, the second and onwards volumes were picking up options of the previous volume mounts defined. Found out that the options were not being cleared out after every volume was parsed.
|   Signed-off-by: umohnani8 <umohnani@redhat.com>
|   Closes: #1142
|   Approved by: mheon
* Merge pull request #1116 from mheon/namespaces (Daniel J Walsh, 2018-07-25)
|\
| |   Add Pod and Container namespaces
| * Update comments in BoltDB and In-Memory states (Matthew Heon, 2018-07-24)
| |   Better explain the inner workings of both state types in comments to make reviews and changes easier.
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Add an E2E test to verify basic namespace functionality (Matthew Heon, 2018-07-24)
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Add libpod namespace to config (Matthew Heon, 2018-07-24)
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Add missing runtime.go lines to set namespace (Matthew Heon, 2018-07-24)
| |   Also add namespace to inspect output to verify its presence
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Address first round of review comments (Matthew Heon, 2018-07-24)
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Set namespace for new pods/containers based on runtime (Matthew Heon, 2018-07-24)
| |   New containers and pods will default to the namespace of the runtime, but this can be overridden by With... options if desired.
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Add --namespace flag to Podman (Matthew Heon, 2018-07-24)
| |   Allows joining libpod to a specific namespace when running a Podman command.
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Update documentation for the State interface (Matthew Heon, 2018-07-24)
| |   Include details on how namespaces interact with the state.
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Ensure pods are part of the set namespace when added (Matthew Heon, 2018-07-24)
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Enforce namespace checks on container add (Matthew Heon, 2018-07-24)
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Add tests for state namespacing (Matthew Heon, 2018-07-24)
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Add namespaces to in memory state (Matthew Heon, 2018-07-24)
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Untested implementation of namespaced BoltDB access (Matthew Heon, 2018-07-24)
| |   All BoltDB access and update functions now understand namespaces. Accessing containers outside of your namespace will produce errors, except for Lookup and All functions, which will perform their tasks only on containers within your namespace. The "" namespace remains a reserved, no-restrictions namespace.
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Add constraint that dependencies must be in the same ns (Matthew Heon, 2018-07-24)
| |   Dependency containers must be in the same namespace, to ensure there are never problems resolving a dependency.
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Add namespaces and initial constraints to database (Matthew Heon, 2018-07-24)
| |   Add basic awareness of namespaces to the database. As part of this, add constraints so containers can only be added to pods in the same namespace.
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Add container and pod namespaces to configs (Matthew Heon, 2018-07-24)
| |   Libpod namespaces are a way to logically separate groups of pods and containers within the state.
| |   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Clean up pylint warnings and errors (Jhon Honce, 2018-07-25)
| |   * Some of the pedantic errors were not corrected
| |   * Clean up prep for porting to MacOS and PyPi hosting
| |   Signed-off-by: Jhon Honce <jhonce@redhat.com>
| |   Closes: #1155
| |   Approved by: baude
* | Merge pull request #1153 from jwhonce/bug/psgo (Matthew Heon, 2018-07-24)
|\ \
| | |   Fix varlink API usage of psgo
| * | Fix varlink API usage of psgo (Jhon Honce, 2018-07-24)
| |/
| |   Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | podman: allow to specify the IPC namespace to join (Giuseppe Scrivano, 2018-07-24)
| |   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| |   Closes: #1145
| |   Approved by: rhatdan
* | podman: allow to specify the UTS namespace to join (Giuseppe Scrivano, 2018-07-24)
| |   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| |   Closes: #1145
| |   Approved by: rhatdan
* | podman: allow to specify the PID namespace to join (Giuseppe Scrivano, 2018-07-24)
| |   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| |   Closes: #1145
| |   Approved by: rhatdan
* | podman: allow to specify the userns to join (Giuseppe Scrivano, 2018-07-24)
| |   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| |   Closes: #1145
| |   Approved by: rhatdan
* | network: support ns: prefix to join existing namespace (Giuseppe Scrivano, 2018-07-24)
| |   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| |   Closes: #1145
| |   Approved by: rhatdan
* | spec: allow container:NAME network mode (Giuseppe Scrivano, 2018-07-24)
|/
|   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|   Closes: #1145
|   Approved by: rhatdan
* Update issue template to point build bugs at buildah (Matthew Heon, 2018-07-24)
|   Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|   Closes: #1150
|   Approved by: rhatdan
* We don't currently support --mac-address (Daniel J Walsh, 2018-07-24)
|   Make this clear in the docs and Command.
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|   Closes: #1138
|   Approved by: mheon