| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This shifts the matching logic out of libpod/container_internal and
into the hook package, where we can reuse it after vendoring into
CRI-O. It also adds unit tests with almost-complete coverage. Now
libpod is even more isolated from the hook internals, which makes it
fairly straightforward to bump the hook config file to 1.0.0. I've
dubbed the old format 0.1.0, although it doesn't specify an explicit
version. Motivation for some of my changes with 1.0.0:
* Add an explicit version field. This will make any future JSON
structure migrations more straightforward by avoiding the need for
version-guessing heuristics.
* Collect the matching properties in a new When sub-structure. This
makes the root Hook structure easier to understand, because you
don't have to read over all the matching properties when wrapping
your head around Hook.
* Replace the old 'hook' and 'arguments' with a direct embedding of
the runtime-spec's hook structure. This provides access to
additional upstream properties (args[0], env, and timeout) and
avoids the complication of a CRI-O-specific analog structure.
* Add a 'when.always' property. You can usually accomplish this
effect in another way (e.g. when.commands = [".*"]), but having a
boolean explicitly for this use-case makes for easier reading and
writing.
* Replace the previous annotations array with an annotations map. The
0.1.0 approach matched only the values regardless of key, and that
seems unreliable.
* Replace 'cmds' with 'when.commands', because while there are a few
ways to abbreviate "commands", there's only one way to write it out
in full ;). This gives folks one less thing to remember when
writing hook JSON.
* Replace the old "inject if any specified condition matches" with
"inject if all specified conditions match". This allows for more
precise targeting. Users that need more generous targeting can
recover the previous behavior by creating a separate 1.0.0 hook file
for each specified 0.1.0 condition.
I've added doc-compat support for the various pluralizations of the
0.1.0 properties. Previously, the docs and code were not in
agreement. More on this particular facet in [1].
I've updated the docs to point out that the annotations being matched
are the OCI config annotations. This differs from CRI-O, where the
annotations used are the Kubernetes-supplied annotations [2,3]. For
example, io.kubernetes.cri-o.Volumes [4] is part of CRI-O's runtime
config annotations [5], but not part of the Kubernetes-supplied
annotations CRI-O uses for matching hooks.
The Monitor method supports the CRI-O use-case [6]. podman doesn't
need it directly, but CRI-O will need it when we vendor this package
there.
I've used nvidia-container-runtime-hook for the annotation examples
because Dan mentioned the Nvidia folks as the motivation behind
annotation matching. The environment variables are documented in [7].
The 0.1.0 hook config, which does not allow for environment variables,
only works because runc currently leaks the host environment into the
hooks [8]. I haven't been able to find documentation for their usual
annotation trigger or hook-install path, so I'm just guessing there.
[1]: https://github.com/kubernetes-incubator/cri-o/pull/1235
[2]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L760
[3]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L772
[4]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/pkg/annotations/annotations.go#L97-L98
[5]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L830-L834
[6]: https://github.com/kubernetes-incubator/cri-o/pull/1345/
[7]: https://github.com/NVIDIA/nvidia-container-runtime/tree/v1.3.0-1#environment-variables-oci-spec
[8]: https://github.com/opencontainers/runc/pull/1738
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #686
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes a bug where the force bool was being ignored when deleting images
via the varlink interface.
Also, minor fix to the docs to add a line break between methods and types in
the doc index.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #753
Approved by: rhatdan
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #754
Approved by: baude
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #754
Approved by: baude
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
containernetworking/plugins@a0eac8d7 (pkg/ns: remove namespace
creation, 2018-03-16) removed NewNS, which we use in
libpod/networking.go. Pinning to the previous commit,
containernetworking/plugins@1fb94a42 (Merge pull request #96 from
DennisDenuto/denuto/master, 2018-03-14), allows us to run vndr without
breaking our build. This is a short term fix; moving forward we'll
want to either drop this dependency or catch up with the new upstream
API.
The upstream package seems to have been fairly stable in the meantime,
because even with the new pinned version, a vndr re-vendor generates
no changes:
$ vndr github.com/containernetworking/plugins
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #751
Approved by: mheon
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #507
Approved by: baude
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #507
Approved by: baude
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #507
Approved by: baude
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #507
Approved by: baude
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #507
Approved by: baude
|
| |
|
|
|
|
|
|
|
|
| |
Until we get Systemd cgroup manager working, this will
cause a validation error.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #507
Approved by: baude
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #507
Approved by: baude
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #507
Approved by: baude
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This directory just had Markdown and vendor.conf. I'm not sure why we
have it in our version control, maybe old versions of vndr kept it?
Or maybe folk dropped it into vendor/ by hand without using vndr? The
history of that vendored directory is:
* 619637a9 (Handle Linux Capabilities from command line, 2017-11-03,
#17) added the three files to our version control.
* c344fe61 (Update vendoring, 2017-11-22, #60) bumped hack/README.md.
* af64e104 (Vendor in lots of kubernetes stuff to shrink image size,
2018-03-26, #554) bumped hack/README.md.
* 27107fda (Vendor in latest containers/image and contaners/storage,
2018-04-18, #509) removed the files.
* a824186a (Use buildah commit and bud in podman, 2018-04-25, #681)
added the files back.
* I'm removing them again in this commit.
With this commit,
$ vndr github.com/docker/docker
becomes a no-op.
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #752
Approved by: baude
|
| |
|
|
|
|
|
|
|
|
| |
The varlinfo info returns the same information as podman info but always includes
the so-called debug information.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #745
Approved by: baude
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
vendor.conf has been pinned at containerd/cgroups@7a5fdd83 (Merge pull
request #26 from onorua/error-ignore-example, 2017-08-24) since libpod
forked from CRI-O with a031b83a (Initial checkin from CRI-O repo,
2017-11-01). The content in vendor/github.com/containerd/cgroups was
bumped to containerd/cgroups@77e62851 (Use /proc/diskstats to get
device names, 2018-01-31) in ae89dc28 (Update containerd/cgroups repo
fix perf issue, 2018-02-01, #284), but ae89dc28 forgot to update
vendor.conf. With this commit:
$ vndr github.com/containerd/cgroups
no longer changes anything under vendor/github.com/containerd/cgroups.
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #749
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Neither the nominal version nor vendored content had changed since
a031b83a (Initial checkin from CRI-O repo, 2017-11-01):
$ git ls-tree origin/master -- vendor/github.com/containernetworking/cni
040000 tree 744c091cc1dbb869b2cf714cf6b5e8d33fe17d9c vendor/github.com/containernetworking/cni
$ git ls-tree a031b83a -- vendor/github.com/containernetworking/cni
040000 tree 744c091cc1dbb869b2cf714cf6b5e8d33fe17d9c vendor/github.com/containernetworking/cni
$ git grep /cni a031b83a -- vendor.conf
a031b83a:vendor.conf:github.com/containernetworking/cni v0.4.0
I'm not quite sure which upstream version the old vendored content
came from, but it certainly wasn't v0.4.0. I've bumped our nominal
version to v0.6.0 and re-vendored with:
$ vndr github.com/containernetworking/cni
$ git add -A vendor/github.com/containernetworking/cni
to generate this commit. The only change to the vendored content is
text in the README (unlikely to break anything ;), and sitting on an
upstream tag is nice, so I think this is good enough.
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #750
Approved by: mheon
|
| |
|
|
|
|
|
|
|
| |
When using varlink to pull an image, we should expose the actual error to the caller.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #744
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
| |
Like podman pull, when you push an image, podman should check
if the registry is listed as insecure and if so, it should
--tls-verify=false unless the user overrides this.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #738
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We have decided to alphabetize things in the API documentation to help users
find things easier. It also solves an issue where when being made, the API.md doc
would remake itself in a different order resulting in massive diffs in the pull
requests but no new content.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #739
Approved by: baude
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <mheon@redhat.com>
Closes: #741
Approved by: giuseppe
|
| |
|
|
|
|
|
|
|
|
| |
Using varlink's idl parser, we generate API documentation for the podman
API relying on the .varlink file as the source.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #734
Approved by: baude
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following methods should support streaming requests from the client:
* GetContainerLogs
A reference for a python stream implementation can be found here:
https://github.com/varlink/python/blob/master/varlink/tests/test_orgexamplemore.py#L29-L42
Signed-off-by: baude <bbaude@redhat.com>
Closes: #724
Approved by: mheon
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #733
Approved by: umohnani8
|
| |
|
|
|
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #732
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
| |
the error was:
libpod/container.go:219::error: struct field tag `json:"groups, omitempty"` not compatible with reflect.StructTag.Get: suspicious space in struct tag value (vet)
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #729
Approved by: baude
|
| |
|
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #729
Approved by: baude
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #727
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
| |
This prevents you from cleaning up the container database, if
some how runc and friends db gets screwed up.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #725
Approved by: mheon
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #726
Approved by: baude
|
| |
|
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #690
Approved by: mheon
|
| |
|
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #690
Approved by: mheon
|
| |
|
|
|
|
|
|
|
|
|
| |
so that the OCI runtime creates the network namespace from the correct
userNS.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #690
Approved by: mheon
|
| |
|
|
|
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #690
Approved by: mheon
|
| |\
| |
| | |
Bump to v0.5.1
|
| | |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| | |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |/
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
when pulling from a secure registry that is documented in registries.conf, we
should be able to pull without tls-verify=false
Signed-off-by: baude <bbaude@redhat.com>
Closes: #718
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
| |
This allows us to restart containers that have never been started
without error. This makes RestartWithTimeout work with running,
stopped, and created containers.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #719
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
| |
* now all podman subcommands can be completed
* images can be completed when run as root (not sudo)
* bug corrected that made podman_top and podman_tag
Signed-off-by: baude <bbaude@redhat.com>
Closes: #716
Approved by: mheon
|
| |
|
|
|
|
|
| |
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Closes: #717
Approved by: baude
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
first pass at adding in the container related endpoints/methods for the libpod
backend. Couple of important notes:
* endpoints that can use a console are not going to be done until we have "remote" console
* several of the container methods should probably be able to stream as opposed to a one-off return
Signed-off-by: baude <bbaude@redhat.com>
Closes: #708
Approved by: baude
|
| |
|
|
|
|
|
| |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #715
Approved by: mheon
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #700
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
| |
We want to make sure we don't add anything but the host volume,
and the volumes can include options and container locations.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #700
Approved by: rhatdan
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #700
Approved by: rhatdan
|
| |
|
|
|
|
|
|
|
|
|
| |
We need these for commit, and they cannot be properly deduced
from just the OCI spec, so save them in the database so we can
retrieve them for commit.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #700
Approved by: rhatdan
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #700
Approved by: rhatdan
|
| |
|
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #700
Approved by: rhatdan
|
