summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* podman/libpod: add default AppArmor profileValentin Rothberg2018-07-11
| | | | | | | | | | | | | | | | | Make users of libpod more secure by adding the libpod/apparmor package to load a pre-defined AppArmor profile. Large chunks of libpod/apparmor come from github.com/moby/moby. Also check if a specified AppArmor profile is actually loaded and throw an error if necessary. The default profile is loaded only on Linux builds with the `apparmor` buildtag enabled. Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Closes: #1063 Approved by: rhatdan
* rootless: fix when argv[0] is not an absolute pathGiuseppe Scrivano2018-07-10
| | | | | | | | | | | | use execvp instead of exec so that we keep the PATH environment variable and the lookup for the "podman" executable works. Closes: https://github.com/projectatomic/libpod/issues/1070 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1072 Approved by: mheon
* Allow Init() on stopped containersMatthew Heon2018-07-09
| | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com> Closes: #1068 Approved by: baude
* urfave/cli: fix regression in short-opts parsingValentin Rothberg2018-07-09
| | | | | | | | | | | Add the actual argument, not the one we're looking for when searching the to-be-translated short-opt string. Otherwise, we're likely to hit an infinite loop. Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Closes: #1066 Approved by: rhatdan
* Add --volumes-from flag to podman run and createumohnani82018-07-09
| | | | | | | | | | podman now supports --volumes-from flag, which allows users to add all the volumes an existing container has to a new one. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #931 Approved by: mheon
* Vendor in latest buildah to add masks for /proc/keys and /proc/acpiDaniel J Walsh2018-07-09
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1062 Approved by: baude
* Vendor in latest containers/storageDaniel J Walsh2018-07-08
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1061 Approved by: baude
* Mask /proc/keys to protect information leak about keys on hostDaniel J Walsh2018-07-08
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1060 Approved by: mheon
* ctime: Drop 32-/64-bit distinction on LinuxW. Trevor King2018-07-07
| | | | | | | | | | | We added the explicit int64 casts for 32-bit builds in 35e1ad78 (Make libpod build on 32-bit systems, 2018-02-12, #324), but the explicit casts work fine on 64-bit systems too. Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1058 Approved by: mheon
* Podman stats with no containers listed is the same as podman stats --allhaircommander2018-07-07
| | | | | | | Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1031 Approved by: rhatdan
* Refactor unittest for change in history APIJhon Honce2018-07-06
| | | | | | | | | | | * test_images.TestImages.test_history changed to allow '<missing>' as legal image ID. Previously all layers used the image ID. Now layer 0 reports '<missing>'. Signed-off-by: Jhon Honce <jhonce@redhat.com> Closes: #1056 Approved by: jwhonce
* Merge pull request #1059 from mheon/bump-0.7.1Matthew Heon2018-07-06
|\ | | | | Bump to 0.7.1
| * Bump gitvalidation epochMatthew Heon2018-07-06
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Bump to v0.7.2-devMatthew Heon2018-07-06
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Bump to v0.7.1v0.7.1Matthew Heon2018-07-06
|/ | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* pkg/ctime: Factor libpod/finished* into a separate packageW. Trevor King2018-07-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This removes some boilerplate from the libpod package, so we can focus on container stuff there. And it gives us a tidy sub-package for focusing on ctime extraction, so we can focus on unit testing and portability of the extraction utility there. For the unsupported implementation, I'm falling back to Go's ModTime [1]. That's obviously not the creation time, but it's likely to be closer than the uninitialized Time structure from cc6f0e85 (more changes to compile darwin, 2018-07-04, #1047). Especially for our use case in libpod/oci, where we're looking at write-once exit files. The test is more complicated than I initially expected, because on Linux filesystem timestamps come from a truncated clock without interpolation [2] (and network filesystems can be completely decoupled [3]). So even for local disks, creation times can be up to a jiffie earlier than 'before'. This test ensures at least monotonicity by creating two files and ensuring the reported creation time for the second is greater than or equal to the reported creation time for the first. It also checks that both creation times are within the window from one second earlier than 'before' through 'after'. That should be enough of a window for local disks, even if the kernel for those systems has an abnormally large jiffie. It might be ok on network filesystems, although it will not be very resilient to network clock lagging behind the local system clock. [1]: https://golang.org/pkg/os/#FileInfo [2]: https://groups.google.com/d/msg/linux.kernel/mdeXx2TBYZA/_4eJEuJoAQAJ Subject: Re: Apparent backward time travel in timestamps on file creation Date: Thu, 30 Mar 2017 20:20:02 +0200 Message-ID: <tqMPU-1Sb-21@gated-at.bofh.it> [3]: https://groups.google.com/d/msg/linux.kernel/mdeXx2TBYZA/cTKj4OBuAQAJ Subject: Re: Apparent backward time travel in timestamps on file creation Date: Thu, 30 Mar 2017 22:10:01 +0200 Message-ID: <tqOyl-36A-1@gated-at.bofh.it> Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1050 Approved by: mheon
* Block use of /proc/acpi from inside containersDaniel J Walsh2018-07-06
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1053 Approved by: mheon
* remove buildah requirement for the libpod image librarybaude2018-07-06
| | | | | | | | | | | if we snip the requirement to use a buildah const in the libpod image library, we can save something on the order of 85 vendored files in consumers of the the library. Signed-off-by: baude <bbaude@redhat.com> Closes: #1054 Approved by: mheon
* contrib/python/test/test_tunnel: Fix -nNT -> -nNTqW. Trevor King2018-07-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | Catching the tests up with 60427ab3 (add podman remote client, 2018-06-22, #986) to avoid non-fatal smoketest failures like [1]: ====================================================================== FAIL: test_tunnel (test.test_tunnel.TestTunnel) ---------------------------------------------------------------------- Traceback (most recent call last): File "/usr/lib64/python3.6/unittest/mock.py", line 1179, in patched return func(*args, **keywargs) File "/go/src/github.com/projectatomic/libpod/contrib/python/test/test_tunnel.py", line 79, in test_tunnel mock_Popen.assert_called_once_with(cmd, close_fds=True) File "/usr/lib64/python3.6/unittest/mock.py", line 825, in assert_called_once_with return self.assert_called_with(*args, **kwargs) File "/usr/lib64/python3.6/unittest/mock.py", line 814, in assert_called_with raise AssertionError(_error_message()) from cause AssertionError: Expected call: Popen(['ssh', '-nNT', '-L', '/tmp/user/socket:/run/podman/socket', '-i', '~/.ssh/id_rsa', 'ssh://user@hostname'], close_fds=True) Actual call: Popen(['ssh', '-nNTq', '-L', '/tmp/user/socket:/run/podman/socket', '-i', '~/.ssh/id_rsa', 'ssh://user@hostname'], close_fds=True) [1]: https://s3.amazonaws.com/aos-ci/ghprb/projectatomic/libpod/0d792d5c92900ebd07c75bc3c0cb11753319682e.1.1529764423989739036/output.log Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1035 Approved by: mheon
* Refactor podman/utils with a single container start and attach functionMarco Vedovati2018-07-06
| | | | | | | | | | | Use a single function startAttachCtr() to handle both container start with attach and attach to running containers, as the code handling the attach is common for the 2 use cases. Signed-off-by: Marco Vedovati <mvedovati@suse.com> Closes: #1025 Approved by: rhatdan
* Remove now-unneeded cleanupCgroup() for unsupported OSMatthew Heon2018-07-06
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1051 Approved by: umohnani8
* Remove per-container CGroup parentsMatthew Heon2018-07-06
| | | | | | | | | | | | | | | | | | | Originally, it seemed like a good idea to place Conmon and the container it managed under a shared CGroup, so we could manage the two together. It's become increasingly clear that this is a potential performance sore point, gains us little practical benefit in managing Conmon, and adds extra steps to container cleanup that interfere with Conmon postrun hooks. Revert back to a shared CGroup for conmon processes under the CGroup parent. This will retain per-pod conmon CGroups as well if the pod is set to create a CGroup and act as CGroup parent for its containers. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1051 Approved by: umohnani8
* Fix nits and GOPATH in tutorialTomSweeneyRedHat2018-07-06
| | | | | | | Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com> Closes: #1052 Approved by: baude
* spec: Make addPrivilegedDevices and createBlockIO per-platformW. Trevor King2018-07-06
| | | | | | | | | | | | | | | | | | | | | | | | | b96be3af (changes to allow for darwin compilation, 2018-06-20, #1015) made AddPrivilegedDevices per-platform and cc6f0e85 (more changes to compile darwin, 2018-07-04, #1047) made CreateBlockIO per-platform. But both left but left out docs for the unsupported version [1]: pkg/spec/config_unsupported.go:18:1:warning: exported method CreateConfig.AddPrivilegedDevices should have comment or be unexported (golint) pkg/spec/config_unsupported.go:22:1:warning: exported method CreateConfig.CreateBlockIO should have comment or be unexported (golint) To keep the docs DRY, I've restored the public methods and their docs, and I've added new, internal methods for the per-platform implementations. [1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L160 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1034 Approved by: baude
* libpod/runtime_pod: Make removePod per-platformW. Trevor King2018-07-06
| | | | | | | | | | | | | | | | | | | | b96be3af (changes to allow for darwin compilation, 2018-06-20, #1015) made RemovePod per-platform, but left out docs for the unsupported version [1]: libpod/runtime_pod_unsupported.go:14:1:warning: exported method Runtime.RemovePod should have comment or be unexported (golint) To keep the docs DRY, I've restored RemovePod and its docs to their previous location, and named a new, internal removePod for the per-platform implementations. [1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L159 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1034 Approved by: baude
* libpod/networking_unsupported: Remove JoinNetworkNameSpaceW. Trevor King2018-07-06
| | | | | | | | | | | | | | | | | | This function was added in cc6f0e85 (more changes to compile darwin, 2018-07-04, #1047), but it has no consumers and no Linux analog. Remove it, which also fixes the [1]: libpod/networking_unsupported.go:9:1:warning: exported function JoinNetworkNameSpace should have comment or be unexported (golint) lint issue. [1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L158 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1034 Approved by: baude
* .travis: Run gofmt and lint on OS XW. Trevor King2018-07-06
| | | | | | | | | | | | | | Just in case their output depends on the target GOOS. Lint, at least, does care, because it can pass on Linux [1] and fail on OS X [2] with the same code. [1]: https://travis-ci.org/projectatomic/libpod/jobs/400555936#L856 [2]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L153 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1034 Approved by: baude
* rootless: Merge rootless.go back into rootless_linux.goW. Trevor King2018-07-06
| | | | | | | | | | | | | | | The files were split apart by b96be3af (changes to allow for darwin compilation, 2018-06-20, #1015), but the C import and two functions left in rootless.go are all Linux-specific as well. This commit moves all of the pre-b96be3af rootless.go into rootless_linux.go, just adding the '// +build linux' header (b96be3af also scrambled the + in that header) and keeping the new GetRootlessUID from a1545fe6 (rootless: add function to retrieve the original UID, 2018-07-05, #1048). Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1034 Approved by: baude
* Makefile: Use a pattern rule for cross-compilationW. Trevor King2018-07-06
| | | | | | | | | | | | | | | | | | | | | | | Pattern-rule documentation is in [1]. This commit follows the basic approach from [2], with the portable build tags from [3]. Using --keep-going allows folks to see errors for multiple target platforms. For example, if the Darwin target dies, we'll still attempt to build the Linux target before erroring out. I've added an ALLOWED_TO_FAIL environment variable to mark script blocks for the the allow_failures block. Currently we're requiring builds from Linux for Linux and OS X to succeed, but allowing builds from OS X to both targets to fail. [1]: https://www.gnu.org/software/make/manual/html_node/Pattern-Intro.html#Pattern-Intro [2]: https://github.com/kubernetes-incubator/cri-o/commit/e5031fcf9af7d6c78d21e38ab9f82d2392ba05e8 [3]: https://github.com/kubernetes-incubator/cri-o/pull/1653 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1034 Approved by: baude
* more changes to compile darwinbaude2018-07-05
| | | | | | | | | | | | | | | | this should represent the last major changes to get darwin to **compile**. again, the purpose here is to get darwin to compile so that we can eventually implement a ci task that would protect against regressions for darwin compilation. i have left the manual darwin compilation largely static still and in fact now only interject (manually) two build tags to assist with the build. trevor king has great ideas on how to make this better and i will defer final implementation of those to him. Signed-off-by: baude <bbaude@redhat.com> Closes: #1047 Approved by: rhatdan
* Fix timeout issue with built-in volume testumohnani82018-07-05
| | | | | | | | | | | Building our own image to test built-in volume and user instead of using the mariadb one. Solves timeout issue in travis tests. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #1044 Approved by: mheon
* rootless: add /run/user/$UID to the lookup pathsGiuseppe Scrivano2018-07-05
| | | | | | | | | | when XDG_RUNTIME_DIR is not set, still attempt to use /run/user/$UID before looking up other directories. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1048 Approved by: mheon
* rootless: add function to retrieve the original UIDGiuseppe Scrivano2018-07-05
| | | | | | | | | | After we re-exec in the userNS os.Getuid() returns the new UID (= 0) which is not what we want to use. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1048 Approved by: mheon
* rootless: always set XDG_RUNTIME_DIRGiuseppe Scrivano2018-07-05
| | | | | | | | | containers/image uses XDG_RUNTIME_DIR to locate the auth file. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1048 Approved by: mheon
* rootless: set XDG_RUNTIME_DIR also for state and execGiuseppe Scrivano2018-07-05
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1048 Approved by: mheon
* libpod/container: Replace containerState* with containerPlatformStateW. Trevor King2018-07-05
| | | | | | | | | | | | | | | This way we don't need to stub in structures for other OSes (e.g. the Darwin stub in a Linux-only file). Matthew was concerned about errors unmarshalling, say, a Linux state object on a Windows box [1], but we can address that in checks when loading the database [2]. [1]: https://github.com/projectatomic/libpod/pull/1015#discussion_r198649043 [2]: https://github.com/projectatomic/libpod/pull/1015#discussion_r198802956 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1033 Approved by: mheon
* urfave/cli: fix parsing of short optsValentin Rothberg2018-07-05
| | | | | | | | | | | | | Vendor an updated version of urfave/cli to fix the parsing of short options. Until the fix is merged upstream, vendor the code from github.com/vrothberg/cli containing both, the latest urfave/cli and the bug fix. Fixes: #714 Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Closes: #1046 Approved by: rhatdan
* docs: Follow man-pages(7) suggestions for SYNOPSISW. Trevor King2018-07-04
| | | | | | | | | | | | | | | | | | | | | | | man-pages(7) has [1]: > For commands, this shows the syntax of the command and its arguments > (including options); boldface is used for as-is text and italics are > used to indicate replaceable arguments. Brackets ([]) surround > optional arguments, vertical bars (|) separate choices, and ellipses > (...) can be repeated. I've adjusted our SYNOPSIS entries to match that formatting, and generally tried to make them more consistent with the precedent set by the man-pages project. Outside of the SYNOPSIS entry, I prefer using backticks for literals, although in some places I've left the ** bolding to keep things visually similar to a nearby SYNOPSIS entry. [1]: http://man7.org/linux/man-pages/man7/man-pages.7.html Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1027 Approved by: rhatdan
* Allow multiple mountsTomSweeneyRedHat2018-07-03
| | | | | | | Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com> Closes: #1030 Approved by: rhatdan
* Makefile: Use 'git diff' to show gofmt changesW. Trevor King2018-07-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This makes fixing errors easier. Before this commit, errors looked like [1]: $ make gofmt libpod/container_linux.go:1::warning: file is not gofmted with -s (gofmt) make: *** [gofmt] Error 1 But that's not very helpful when your local gofmt thinks the file is fine. With this commit, errors will look like: $ make gofmt find . -name '*.go' ! -path './vendor/*' -exec gofmt -s -w {} \+ git diff --exit-code diff --git a/libpod/container_internal.go b/libpod/container_internal.go index df4de3fe..22b39870 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -1,7 +1,7 @@ package libpod import ( -"bytes" + "bytes" "context" "encoding/json" "fmt" make: *** [Makefile:87: gofmt] Error 1 (or whatever, I just stuffed in a formatting error for demonstration purposes). Also remove the helper script in favor of direct Makefile calls, because with Git handling difference reporting and exit status, this becomes a simpler check. find's -exec, !, and -path arguments are specified in POSIX [2]. [1]: https://travis-ci.org/kubernetes-incubator/cri-o/jobs/331949394#L1075 [2]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/find.html Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1038 Approved by: rhatdan
* Skip a test in Travis that has timeout issuesMatthew Heon2018-07-03
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1041 Approved by: rhatdan
* vendor in selinux and buildah for darwin compilationbaude2018-07-02
| | | | | | | Signed-off-by: baude <bbaude@redhat.com> Closes: #1037 Approved by: baude
* add image user to inspect databaude2018-07-02
| | | | | | | Signed-off-by: baude <bbaude@redhat.com> Closes: #1036 Approved by: rhatdan
* changes to allow for darwin compilationbaude2018-06-29
| | | | | | | Signed-off-by: baude <bbaude@redhat.com> Closes: #1015 Approved by: baude
* Merge pull request #1029 from mheon/bump-0.6.5Matthew Heon2018-06-29
|\ | | | | Bump to v0.6.5
| * Bump gitvalidation epochMatthew Heon2018-06-29
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Bump to v0.7.1-devMatthew Heon2018-06-29
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Bump to v0.6.5v0.6.5Matthew Heon2018-06-29
|/ | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Fix built-in volume issue with podman run/createumohnani82018-06-29
| | | | | | | | | | | | | The destination path of the built-in volume was not being created but a relabel was being attempted on it, this was causing issues with all images that have built-in volumes. This patch fixes that and ensures the destination volume path is created. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #1026 Approved by: mheon
* Add `podman container cleanup` to CLIDaniel J Walsh2018-06-29
| | | | | | | | | | | | | When we run containers in detach mode, nothing cleans up the network stack or the mount points. This patch will tell conmon to execute the cleanup code when the container exits. It can also be called to attempt to cleanup previously running containers. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #942 Approved by: mheon