| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make users of libpod more secure by adding the libpod/apparmor package
to load a pre-defined AppArmor profile. Large chunks of libpod/apparmor
come from github.com/moby/moby.
Also check if a specified AppArmor profile is actually loaded and throw
an error if necessary.
The default profile is loaded only on Linux builds with the `apparmor`
buildtag enabled.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1063
Approved by: rhatdan
|
|
|
|
|
|
|
|
|
|
|
|
| |
use execvp instead of exec so that we keep the PATH environment
variable and the lookup for the "podman" executable works.
Closes: https://github.com/projectatomic/libpod/issues/1070
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1072
Approved by: mheon
|
|
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <mheon@redhat.com>
Closes: #1068
Approved by: baude
|
|
|
|
|
|
|
|
|
|
|
| |
Add the actual argument, not the one we're looking for when searching
the to-be-translated short-opt string. Otherwise, we're likely to hit
an infinite loop.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1066
Approved by: rhatdan
|
|
|
|
|
|
|
|
|
|
| |
podman now supports --volumes-from flag, which allows users
to add all the volumes an existing container has to a new one.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #931
Approved by: mheon
|
|
|
|
|
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1062
Approved by: baude
|
|
|
|
|
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1061
Approved by: baude
|
|
|
|
|
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1060
Approved by: mheon
|
|
|
|
|
|
|
|
|
|
|
| |
We added the explicit int64 casts for 32-bit builds in 35e1ad78 (Make
libpod build on 32-bit systems, 2018-02-12, #324), but the explicit
casts work fine on 64-bit systems too.
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1058
Approved by: mheon
|
|
|
|
|
|
|
| |
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1031
Approved by: rhatdan
|
|
|
|
|
|
|
|
|
|
|
| |
* test_images.TestImages.test_history changed to allow
'<missing>' as legal image ID. Previously all layers
used the image ID. Now layer 0 reports '<missing>'.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Closes: #1056
Approved by: jwhonce
|
|\
| |
| | |
Bump to 0.7.1
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
|/
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This removes some boilerplate from the libpod package, so we can focus
on container stuff there. And it gives us a tidy sub-package for
focusing on ctime extraction, so we can focus on unit testing and
portability of the extraction utility there.
For the unsupported implementation, I'm falling back to Go's ModTime
[1]. That's obviously not the creation time, but it's likely to be
closer than the uninitialized Time structure from cc6f0e85 (more
changes to compile darwin, 2018-07-04, #1047). Especially for our use
case in libpod/oci, where we're looking at write-once exit files.
The test is more complicated than I initially expected, because on
Linux filesystem timestamps come from a truncated clock without
interpolation [2] (and network filesystems can be completely decoupled
[3]). So even for local disks, creation times can be up to a jiffie
earlier than 'before'. This test ensures at least monotonicity by
creating two files and ensuring the reported creation time for the
second is greater than or equal to the reported creation time for the
first. It also checks that both creation times are within the window
from one second earlier than 'before' through 'after'. That should be
enough of a window for local disks, even if the kernel for those
systems has an abnormally large jiffie. It might be ok on network
filesystems, although it will not be very resilient to network clock
lagging behind the local system clock.
[1]: https://golang.org/pkg/os/#FileInfo
[2]: https://groups.google.com/d/msg/linux.kernel/mdeXx2TBYZA/_4eJEuJoAQAJ
Subject: Re: Apparent backward time travel in timestamps on file creation
Date: Thu, 30 Mar 2017 20:20:02 +0200
Message-ID: <tqMPU-1Sb-21@gated-at.bofh.it>
[3]: https://groups.google.com/d/msg/linux.kernel/mdeXx2TBYZA/cTKj4OBuAQAJ
Subject: Re: Apparent backward time travel in timestamps on file creation
Date: Thu, 30 Mar 2017 22:10:01 +0200
Message-ID: <tqOyl-36A-1@gated-at.bofh.it>
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1050
Approved by: mheon
|
|
|
|
|
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1053
Approved by: mheon
|
|
|
|
|
|
|
|
|
|
|
| |
if we snip the requirement to use a buildah const in the libpod image library,
we can save something on the order of 85 vendored files in consumers of the
the library.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1054
Approved by: mheon
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Catching the tests up with 60427ab3 (add podman remote client,
2018-06-22, #986) to avoid non-fatal smoketest failures like [1]:
======================================================================
FAIL: test_tunnel (test.test_tunnel.TestTunnel)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/usr/lib64/python3.6/unittest/mock.py", line 1179, in patched
return func(*args, **keywargs)
File "/go/src/github.com/projectatomic/libpod/contrib/python/test/test_tunnel.py", line 79, in test_tunnel
mock_Popen.assert_called_once_with(cmd, close_fds=True)
File "/usr/lib64/python3.6/unittest/mock.py", line 825, in assert_called_once_with
return self.assert_called_with(*args, **kwargs)
File "/usr/lib64/python3.6/unittest/mock.py", line 814, in assert_called_with
raise AssertionError(_error_message()) from cause
AssertionError: Expected call: Popen(['ssh', '-nNT', '-L', '/tmp/user/socket:/run/podman/socket', '-i', '~/.ssh/id_rsa', 'ssh://user@hostname'], close_fds=True)
Actual call: Popen(['ssh', '-nNTq', '-L', '/tmp/user/socket:/run/podman/socket', '-i', '~/.ssh/id_rsa', 'ssh://user@hostname'], close_fds=True)
[1]: https://s3.amazonaws.com/aos-ci/ghprb/projectatomic/libpod/0d792d5c92900ebd07c75bc3c0cb11753319682e.1.1529764423989739036/output.log
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1035
Approved by: mheon
|
|
|
|
|
|
|
|
|
|
|
| |
Use a single function startAttachCtr() to handle both container start
with attach and attach to running containers, as the code handling the
attach is common for the 2 use cases.
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Closes: #1025
Approved by: rhatdan
|
|
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1051
Approved by: umohnani8
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Originally, it seemed like a good idea to place Conmon and the
container it managed under a shared CGroup, so we could manage
the two together. It's become increasingly clear that this is a
potential performance sore point, gains us little practical
benefit in managing Conmon, and adds extra steps to container
cleanup that interfere with Conmon postrun hooks.
Revert back to a shared CGroup for conmon processes under the
CGroup parent. This will retain per-pod conmon CGroups as well if
the pod is set to create a CGroup and act as CGroup parent for
its containers.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1051
Approved by: umohnani8
|
|
|
|
|
|
|
| |
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #1052
Approved by: baude
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
b96be3af (changes to allow for darwin compilation, 2018-06-20, #1015)
made AddPrivilegedDevices per-platform and cc6f0e85 (more changes to
compile darwin, 2018-07-04, #1047) made CreateBlockIO per-platform.
But both left but left out docs for the unsupported version [1]:
pkg/spec/config_unsupported.go:18:1:warning: exported method
CreateConfig.AddPrivilegedDevices should have comment or be
unexported (golint)
pkg/spec/config_unsupported.go:22:1:warning: exported method
CreateConfig.CreateBlockIO should have comment or be unexported
(golint)
To keep the docs DRY, I've restored the public methods and their docs,
and I've added new, internal methods for the per-platform
implementations.
[1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L160
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1034
Approved by: baude
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
b96be3af (changes to allow for darwin compilation, 2018-06-20, #1015)
made RemovePod per-platform, but left out docs for the unsupported
version [1]:
libpod/runtime_pod_unsupported.go:14:1:warning: exported method
Runtime.RemovePod should have comment or be unexported (golint)
To keep the docs DRY, I've restored RemovePod and its docs to their
previous location, and named a new, internal removePod for the
per-platform implementations.
[1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L159
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1034
Approved by: baude
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This function was added in cc6f0e85 (more changes to compile darwin,
2018-07-04, #1047), but it has no consumers and no Linux analog.
Remove it, which also fixes the [1]:
libpod/networking_unsupported.go:9:1:warning: exported function
JoinNetworkNameSpace should have comment or be unexported (golint)
lint issue.
[1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L158
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1034
Approved by: baude
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Just in case their output depends on the target GOOS. Lint, at least,
does care, because it can pass on Linux [1] and fail on OS X [2] with
the same code.
[1]: https://travis-ci.org/projectatomic/libpod/jobs/400555936#L856
[2]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L153
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1034
Approved by: baude
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The files were split apart by b96be3af (changes to allow for darwin
compilation, 2018-06-20, #1015), but the C import and two functions
left in rootless.go are all Linux-specific as well. This commit moves
all of the pre-b96be3af rootless.go into rootless_linux.go, just
adding the '// +build linux' header (b96be3af also scrambled the + in
that header) and keeping the new GetRootlessUID from a1545fe6
(rootless: add function to retrieve the original UID, 2018-07-05, #1048).
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1034
Approved by: baude
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pattern-rule documentation is in [1]. This commit follows the basic
approach from [2], with the portable build tags from [3].
Using --keep-going allows folks to see errors for multiple target
platforms. For example, if the Darwin target dies, we'll still
attempt to build the Linux target before erroring out.
I've added an ALLOWED_TO_FAIL environment variable to mark script
blocks for the the allow_failures block. Currently we're requiring
builds from Linux for Linux and OS X to succeed, but allowing builds
from OS X to both targets to fail.
[1]: https://www.gnu.org/software/make/manual/html_node/Pattern-Intro.html#Pattern-Intro
[2]: https://github.com/kubernetes-incubator/cri-o/commit/e5031fcf9af7d6c78d21e38ab9f82d2392ba05e8
[3]: https://github.com/kubernetes-incubator/cri-o/pull/1653
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1034
Approved by: baude
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
this should represent the last major changes to get darwin to **compile**. again,
the purpose here is to get darwin to compile so that we can eventually implement a
ci task that would protect against regressions for darwin compilation.
i have left the manual darwin compilation largely static still and in fact now only
interject (manually) two build tags to assist with the build. trevor king has great
ideas on how to make this better and i will defer final implementation of those
to him.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1047
Approved by: rhatdan
|
|
|
|
|
|
|
|
|
|
|
| |
Building our own image to test built-in volume and user
instead of using the mariadb one.
Solves timeout issue in travis tests.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #1044
Approved by: mheon
|
|
|
|
|
|
|
|
|
|
| |
when XDG_RUNTIME_DIR is not set, still attempt to use /run/user/$UID
before looking up other directories.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1048
Approved by: mheon
|
|
|
|
|
|
|
|
|
|
| |
After we re-exec in the userNS os.Getuid() returns the new UID (= 0)
which is not what we want to use.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1048
Approved by: mheon
|
|
|
|
|
|
|
|
|
| |
containers/image uses XDG_RUNTIME_DIR to locate the auth file.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1048
Approved by: mheon
|
|
|
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1048
Approved by: mheon
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This way we don't need to stub in structures for other OSes (e.g. the
Darwin stub in a Linux-only file). Matthew was concerned about errors
unmarshalling, say, a Linux state object on a Windows box [1], but we
can address that in checks when loading the database [2].
[1]: https://github.com/projectatomic/libpod/pull/1015#discussion_r198649043
[2]: https://github.com/projectatomic/libpod/pull/1015#discussion_r198802956
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1033
Approved by: mheon
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Vendor an updated version of urfave/cli to fix the parsing of short
options. Until the fix is merged upstream, vendor the code from
github.com/vrothberg/cli containing both, the latest urfave/cli and
the bug fix.
Fixes: #714
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1046
Approved by: rhatdan
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
man-pages(7) has [1]:
> For commands, this shows the syntax of the command and its arguments
> (including options); boldface is used for as-is text and italics are
> used to indicate replaceable arguments. Brackets ([]) surround
> optional arguments, vertical bars (|) separate choices, and ellipses
> (...) can be repeated.
I've adjusted our SYNOPSIS entries to match that formatting, and
generally tried to make them more consistent with the precedent set by
the man-pages project. Outside of the SYNOPSIS entry, I prefer using
backticks for literals, although in some places I've left the **
bolding to keep things visually similar to a nearby SYNOPSIS entry.
[1]: http://man7.org/linux/man-pages/man7/man-pages.7.html
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1027
Approved by: rhatdan
|
|
|
|
|
|
|
| |
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #1030
Approved by: rhatdan
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This makes fixing errors easier. Before this commit, errors looked
like [1]:
$ make gofmt
libpod/container_linux.go:1::warning: file is not gofmted with -s (gofmt)
make: *** [gofmt] Error 1
But that's not very helpful when your local gofmt thinks the file is
fine. With this commit, errors will look like:
$ make gofmt
find . -name '*.go' ! -path './vendor/*' -exec gofmt -s -w {} \+
git diff --exit-code
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index df4de3fe..22b39870 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -1,7 +1,7 @@
package libpod
import (
-"bytes"
+ "bytes"
"context"
"encoding/json"
"fmt"
make: *** [Makefile:87: gofmt] Error 1
(or whatever, I just stuffed in a formatting error for demonstration
purposes).
Also remove the helper script in favor of direct Makefile calls,
because with Git handling difference reporting and exit status, this
becomes a simpler check. find's -exec, !, and -path arguments are
specified in POSIX [2].
[1]: https://travis-ci.org/kubernetes-incubator/cri-o/jobs/331949394#L1075
[2]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/find.html
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1038
Approved by: rhatdan
|
|
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1041
Approved by: rhatdan
|
|
|
|
|
|
|
| |
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1037
Approved by: baude
|
|
|
|
|
|
|
| |
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1036
Approved by: rhatdan
|
|
|
|
|
|
|
| |
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1015
Approved by: baude
|
|\
| |
| | |
Bump to v0.6.5
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
|/
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The destination path of the built-in volume was not being created
but a relabel was being attempted on it, this was causing issues
with all images that have built-in volumes.
This patch fixes that and ensures the destination volume path
is created.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #1026
Approved by: mheon
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we run containers in detach mode, nothing cleans up the network stack or
the mount points. This patch will tell conmon to execute the cleanup code when
the container exits.
It can also be called to attempt to cleanup previously running containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #942
Approved by: mheon
|