Commit log (commit message, author, age)
* Merge pull request #1940 from wking/numeric-gid (OpenShift Merge Robot, 2018-12-05)

    libpod/container_internal_linux: Allow gids that aren't in the group file

  * pkg/lookup: Return ID-only pointers on ErrNo*Entries (W. Trevor King, 2018-12-04)

    Callers that only care about the IDs should try to convert the identifier to an integer before calling the Get* functions, so they can save the cost of hitting the filesystem and maybe or maybe not finding the other fields (User.Name, etc.). But callers that *want* the other fields but only actually need the ID can, with this commit, just call the Get* function and ignore ErrNo*Entries responses:

        user, err := lookup.GetUser(mount, userIDorName)
        if err != nil && err != ErrNoPasswdEntries {
            return err
        }

    Previously, they'd have to perform their own integer-conversion attempt in Get* error handling, with logic like:

        user, err := lookup.GetUser(mount, userIDorName)
        if err == ErrNoPasswdEntries {
            uuid, err := strconv.ParseUint(userIDorName, 10, 32)
            if err == nil {
                user.Uid = int(uuid)
            }
        } else if err != nil {
            return err
        }

    Signed-off-by: W. Trevor King <wking@tremily.us>

  * libpod/container_internal_linux: Allow gids that aren't in the group file (W. Trevor King, 2018-12-04)

    When an image config sets config.User [1] to a numeric group (like 1000:1000), but those values do not exist in the container's /etc/group, libpod is currently breaking:

        $ podman run --rm registry.svc.ci.openshift.org/ci-op-zvml7cd6/pipeline:installer --help
        error creating temporary passwd file for container 228f6e9943d6f18b93c19644e9b619ec4d459a3e0eb31680e064eeedf6473678: unable to get gid 1000 from group file: no matching entries in group file

    However, the OCI spec requires converters to copy numeric uid and gid to the runtime config verbatim [2]. With this commit, I'm frontloading the "is groupspec an integer?" check and only bothering with lookup.GetGroup when it was not.

    I've also removed a few .Mounted checks, which are originally from 00d38cb3 (podman create/run need to load information from the image, 2017-12-18, #110). We don't need a mounted container filesystem to translate integers. And when the lookup code needs to fall back to the mounted root to translate names, it can handle erroring out internally (and looking it over, it seems to do that already).

    [1]: https://github.com/opencontainers/image-spec/blame/v1.0.1/config.md#L118-L123
    [2]: https://github.com/opencontainers/image-spec/blame/v1.0.1/conversion.md#L70

    Signed-off-by: W. Trevor King <wking@tremily.us>
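As an added example (not code from libpod or from the commit above), the following Go program shows the front-loaded integer check applied to an image config.User value of the form "user[:group]", resolved against constructed /etc/passwd and /etc/group contents: a numeric uid or gid is used verbatim even when no file entry exists for it, while a name that cannot be found still fails with an error. The names samplePasswd, sampleGroup, ErrNoEntries, findEntry, resolveID and ResolveUser are invented for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed stand-ins for a container's /etc/passwd and /etc/group. gid 1000
// (app's primary group) has no group-file line: the case the commit above fixes.
const samplePasswd = "root:x:0:0:root:/root:/bin/sh\napp:x:1000:1000::/home/app:/bin/sh\n"
const sampleGroup = "root:x:0:\nwheel:x:10:root\n"
var ErrNoEntries = errors.New("no matching entries")

// findEntry returns the colon-separated fields of the line whose first field is name.
func findEntry(file, name string) ([]string, bool) {
	for _, line := range strings.Split(file, "\n") {
		if f := strings.Split(line, ":"); len(f) >= 4 && f[0] == name {
			return f, true
		}
	}
	return nil, false
}

// resolveID front-loads the integer check: a numeric spec is used verbatim without
// consulting the file, and only a name triggers a lookup that can fail.
func resolveID(file, spec string) (uint32, error) {
	if id, err := strconv.ParseUint(spec, 10, 32); err == nil {
		return uint32(id), nil
	}
	f, ok := findEntry(file, spec)
	if !ok {
		return 0, fmt.Errorf("%q: %w", spec, ErrNoEntries)
	}
	id, err := strconv.ParseUint(f[2], 10, 32)
	return uint32(id), err
}

// ResolveUser resolves an image config.User value "user[:group]". With no group part,
// a named user gets its primary gid (passwd field 3); a bare numeric uid keeps gid 0.
func ResolveUser(passwd, group, spec string) (uid, gid uint32, err error) {
	parts := strings.SplitN(spec, ":", 2)
	if uid, err = resolveID(passwd, parts[0]); err != nil {
		return 0, 0, err
	}
	if len(parts) == 2 {
		gid, err = resolveID(group, parts[1])
		return uid, gid, err
	}
	if f, ok := findEntry(passwd, parts[0]); ok {
		gid, err = resolveID(group, f[3]) // passwd's gid field is numeric, so it is used verbatim
	}
	return uid, gid, err
}

func main() {
	for _, spec := range []string{"1000:1000", "app", "app:wheel", "app:nogroup"} {
		uid, gid, err := ResolveUser(samplePasswd, sampleGroup, spec)
		fmt.Printf("%-12s -> uid=%d gid=%d err=%v\n", spec, uid, gid, err)
	}
}
```

The "1000:1000" case resolves without touching the group file at all, which is exactly what made the original podman run fail before the fix.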
* Merge pull request #1918 from mheon/use_db_paths (OpenShift Merge Robot, 2018-12-05)

    Use paths written in DB instead if they differ from our defaults

  * Use runtime lockDir in BoltDB state (Matthew Heon, 2018-12-04)

    Instead of storing the runtime's file lock dir in the BoltDB state, refer to the runtime inside the Bolt state instead, and use the path stored in the runtime. This is necessary since we moved DB initialization very far up in runtime init, before the locks dir is properly initialized (and it must happen before the locks dir can be created, as we use the DB to retrieve the proper path for the locks dir now).

    Signed-off-by: Matthew Heon <mheon@redhat.com>

  * Revert changes to GetDefaultStoreOptions (Matthew Heon, 2018-12-03)

    We don't need this for anything more than rootless work in Libpod now, but Buildah still uses it as it was originally written, so leave it intact as part of our API.

    Signed-off-by: Matthew Heon <mheon@redhat.com>

  * Fix libpod static dir selection when graphroot changed (Matthew Heon, 2018-12-03)

    When graphroot is set by the user, we should set libpod's static directory to a subdirectory of that by default, to duplicate previous behavior.

    Signed-off-by: Matthew Heon <mheon@redhat.com>

  * Ensure directory where we will make database exists (Matthew Heon, 2018-12-03)

    Ensure that the directory where we will create the Podman db exists prior to creating the database - otherwise creating the DB will fail.

    Signed-off-by: Matthew Heon <mheon@redhat.com>

  * Fix typo (Matthew Heon, 2018-12-03)

    Signed-off-by: Matthew Heon <mheon@redhat.com>

  * Add better descriptions for validation errors in DB (Matthew Heon, 2018-12-03)

    When validating fields against the DB, report more verbosely the name of the field being validated if it fails. Specifically, add the name used in config files, so people will actually know what to change if errors happen.

    Signed-off-by: Matthew Heon <mheon@redhat.com>

  * Fix gofmt and lint (Matthew Heon, 2018-12-02)

    Signed-off-by: Matthew Heon <mheon@redhat.com>

  * Make locks dir in unit tests (Matthew Heon, 2018-12-02)

    Ensure we don't break the unit tests by creating a locks directory (which, prior to the last commit, would be created by BoltDB state init).

    Signed-off-by: Matthew Heon <mheon@redhat.com>

  * Do not initialize locks dir in BoltDB (Matthew Heon, 2018-12-02)

    We already create the locks directory as part of the libpod runtime's init - no need to do it again as part of BoltDB's init.

    Signed-off-by: Matthew Heon <mheon@redhat.com>

  * Move rootless storage config into libpod (Matthew Heon, 2018-12-02)

    Previous commits ensured that we would use database-configured paths if not explicitly overridden. However, our runtime generation did unconditionally override storage config, which made this useless. Move rootless storage configuration setup to libpod, and change storage setup so we only override if a setting is explicitly set, so we can still override what we want.

    Signed-off-by: Matthew Heon <mheon@redhat.com>

  * Set default paths from DB if not explicitly overridden (Matthew Heon, 2018-12-02)

    If the DB contains default paths, and the user has not explicitly overridden them, use the paths in the DB over our own defaults. The DB validates these paths, so it would error and prevent operation if they did not match. As such, instead of erroring, we can use the DB's paths instead of our own.

    Signed-off-by: Matthew Heon <mheon@redhat.com>

  * Add a struct indicating if some Runtime fields were set (Matthew Heon, 2018-12-02)

    To configure runtime fields from the database, we need to know whether they were explicitly overwritten by the user (we don't want to overwrite anything that was explicitly set). Store a struct containing whether the variables we'll grab from the DB were explicitly set by the user so we know what we can and can't overwrite.

    This determines whether libpod runtime and static dirs were set via config file in a horribly hackish way (double TOML decode), but I can't think of a better way, and it shouldn't be that expensive as the libpod config is tiny.

    Signed-off-by: Matthew Heon <mheon@redhat.com>

  * Make DB config validation an explicit step (Matthew Heon, 2018-12-02)

    Previously, we implicitly validated runtime configuration against what was stored in the database as part of database init. Make this an explicit step, so we can call it after the database has been initialized. This will allow us to retrieve paths from the database and use them to overwrite our defaults if they differ.

    Signed-off-by: Matthew Heon <mheon@redhat.com>

  * Move DB configuration up in runtime setup (Matthew Heon, 2018-12-02)

    When we configure a runtime, we now will need to hit the DB early on, so we can verify the paths we're going to use for c/storage are correct.

    Signed-off-by: Matthew Heon <mheon@redhat.com>

  * Add ability to retrieve runtime configuration from DB (Matthew Heon, 2018-12-02)

    When we create a Libpod database, we store a number of runtime configuration fields in it. If we can retrieve those, we can use them to configure the runtime to match the DB instead of inbuilt defaults, helping to ensure that we don't error in cases where our compiled-in defaults changed.

    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #1942 from baude/rmi_test (OpenShift Merge Robot, 2018-12-04)

    test for rmi with children

  * test for rmi with children (baude, 2018-12-04)

    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1939 from mheon/no_firewall_if_rootless (OpenShift Merge Robot, 2018-12-04)

    Don't initialize CNI when running as rootless

  * Don't initialize CNI when running as rootless (Matthew Heon, 2018-12-04)

    We don't use CNI to configure networks for rootless containers, so no need to set it up. It may also cause issues with inotify, so disabling it resolves some potential problems.

    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #1920 from wking/explicit-hooks-dirs (OpenShift Merge Robot, 2018-12-04)

    libpod/container_internal: Deprecate implicit hook directories

  * libpod/container_internal: Deprecate implicit hook directories (W. Trevor King, 2018-12-03)

    Part of the motivation for 800eb863 (Hooks supports two directories, process default and override, 2018-09-17, #1487) was [1]:

    > We only use this for override. The reason this was caught is people
    > are trying to get hooks to work with CoreOS. You are not allowed to
    > write to /usr/share... on CoreOS, so they wanted podman to also look
    > at /etc, where users and third parties can write.

    But we'd also been disabling hooks completely for rootless users. And even for root users, the override logic was tricky when folks actually had content in both directories. For example, if you wanted to disable a hook from the default directory, you'd have to add a no-op hook to the override directory.

    Also, the previous implementation failed to handle the case where there were hooks defined in the override directory but the default directory did not exist:

        $ podman version
        Version: 0.11.2-dev
        Go Version: go1.10.3
        Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
        Built: Sun Dec 2 21:30:06 2018
        OS/Arch: linux/amd64
        $ ls -l /etc/containers/oci/hooks.d/test.json
        -rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
        $ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
        time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
        time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"

    With this commit:

        $ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
        time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
        time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
        time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
        time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
        time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
        time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""

    (I'd set up the hook to error out). You can see that it's silently ignoring the ENOENT for /usr/share/containers/oci/hooks.d and continuing on to load hooks from /etc/containers/oci/hooks.d. When it loads the hook, it also logs a warning-level message suggesting that callers explicitly configure their hook directories. That will help consumers migrate, so we can drop the implicit hook directories in some future release.

    When folks *do* explicitly configure hook directories (via the newly-public --hooks-dir and hooks_dir options), we error out if they're missing:

        $ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
        error setting up OCI Hooks: open /does/not/exist: no such file or directory

    I've dropped the trailing "path" from the old, hidden --hooks-dir-path and hooks_dir_path because I think "dir(ectory)" is already enough context for "we expect a path argument". I consider this name change non-breaking because the old forms were undocumented.

    Coming back to rootless users, I've enabled hooks now. I expect they were previously disabled because users had no way to avoid /usr/share/containers/oci/hooks.d which might contain hooks that required root permissions. But now rootless users will have to explicitly configure hook directories, and since their default config is from ~/.config/containers/libpod.conf, it's a misconfiguration if it contains hooks_dir entries which point at directories with hooks that require root access. We error out so they can fix their libpod.conf.

    [1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355

    Signed-off-by: W. Trevor King <wking@tremily.us>
* Merge pull request #1933 from giuseppe/update-runc-again (OpenShift Merge Robot, 2018-12-04)

    test: update runc again

  * test: update runc again (Giuseppe Scrivano, 2018-12-04)

    the regression we noticed in runc was fixed upstream: https://github.com/opencontainers/runc/pull/1943 so we can use runc from master again.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1932 from giuseppe/vendor-storage (OpenShift Merge Robot, 2018-12-04)

    vendor: update containers/storage

  * vendor: update containers/storage (Giuseppe Scrivano, 2018-12-04)

    inherit a change for rootless containers to ignore device nodes inside of images.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1938 from baude/rmichildren (OpenShift Merge Robot, 2018-12-04)

    correct algorithm for deleting all images

  * correct algorithm for deleting all images (baude, 2018-12-04)

    when deleting all images, we need to iterate all the images, deleting those that don't have children first. And then reiterate until they are all gone.

    This resolves #1926

    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1894 from jwhonce/bug/1876 (OpenShift Merge Robot, 2018-12-04)

    Only include container SizeRootFs when requested

  * Only include container SizeRootFs when requested (Jhon Honce, 2018-11-28)

    * API always returns value, so we remove it if not asked for

    Fixes #1876

    Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Merge pull request #1907 from baude/createpodautomatically (OpenShift Merge Robot, 2018-12-04)

    create pod on the fly

  * create pod on the fly (baude, 2018-12-03)

    when a user specifies --pod to podman create|run, we should create that pod automatically. the port bindings from the container are then inherited by the infra container. this significantly improves the workflow of running containers inside pods with podman. the user is still encouraged to use podman pod create to have more granular control of the pod create options.

    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1913 from baude/podexists (OpenShift Merge Robot, 2018-12-03)

    podman pod exists

  * podman pod exists (baude, 2018-12-03)

    like containers and images, users would benefit from being able to check if a pod exists in local storage. if the pod exists, the return code is 0. if the pod does not exist, the return code is 1. Any other return code indicates a real error, such as permissions or runtime.

    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1923 from giuseppe/rootless-no-newuidmap-installed (OpenShift Merge Robot, 2018-12-03)

    rootless: raise error if newuidmap/newgidmap are not installed

  * rootless: raise error if newuidmap/newgidmap are not installed (Giuseppe Scrivano, 2018-12-03)

    it was reported on IRC that Podman on Ubuntu failed as newuidmap/newgidmap were not installed by default.

    Raise an error if we are not allowing single mappings (used only by the test suite) and any of the binaries is not present.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1914 from baude/logslatest (OpenShift Merge Robot, 2018-12-03)

    Add short-option handling to logs

  * Add short-option handling to logs (baude, 2018-12-01)

    podman logs already supports the latest command line switch. users should be able to use the short-options combined (i.e. podman logs -lf).

    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1903 from giuseppe/fix-rootless-tests (OpenShift Merge Robot, 2018-12-01)

    tests: fix rootless tests on Ubuntu

  * tests: always install runc on Ubuntu (Giuseppe Scrivano, 2018-12-01)

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

  * cirrus: update ubuntu image (Giuseppe Scrivano, 2018-11-30)

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

  * cirrus: make apt noninteractive (Giuseppe Scrivano, 2018-11-30)

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

  * Dockerfile, .cirrus.yml: update runc commit (Giuseppe Scrivano, 2018-11-30)

    we need to inherit this change from runc.

    commit 869add33186caff4a22e3e11a7472a2d48d77889:

        rootless: fix running with /proc/self/setgroups set to deny

        This is a regression from 06f789cf26774dd64cb2a9cc0b3c6a6ff832733b when the user namespace was configured without a privileged helper.

        To allow a single mapping in a user namespace, it is necessary to set /proc/self/setgroups to "deny".

        For a simple reproducer, the user namespace can be created with "unshare -r".

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

  * rootless: propagate XDG_RUNTIME_DIR to the OCI runtime (Giuseppe Scrivano, 2018-11-30)

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

  * Update ubuntu VM image w/ newer runc (Chris Evich, 2018-11-30)

    Signed-off-by: Chris Evich <cevich@redhat.com>
* Merge pull request #1896 from ypu/mount-create-test (OpenShift Merge Robot, 2018-11-30)

    Add create test with --mount flag

  * Add create test with --mount flag (Yiqiao Pu, 2018-11-29)

    Signed-off-by: Yiqiao Pu <ypu@redhat.com>