summaryrefslogtreecommitdiff
path: root/cmd/podman/common
Commit message (Collapse)AuthorAge
* podman: add option --cgroup-confGiuseppe Scrivano2020-08-21
| | | | | | | | | | | | | | | it allows to manually tweak the configuration for cgroup v2. we will expose some of the options in future as single options (e.g. the new memory knobs), but for now add the more generic --cgroup-conf mechanism for maximum control on the cgroup configuration. OCI specs change: https://github.com/opencontainers/runtime-spec/pull/1040 Requires: https://github.com/containers/crun/pull/459 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Don't limit the size on /run for systemd based containersDaniel J Walsh2020-08-18
| | | | | | | | | | | | | | We had a customer incident where they ran out of space on /run. If you don't specify size, it will be still limited to 50% or memory available in the cgroup the container is running in. If the cgroup is unlimited then the /run will be limited to 50% of the total memory on the system. Also /run is mounted on the host as exec, so no reason for us to mount it noexec. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* run, create: add new security-opt proc-optsGiuseppe Scrivano2020-08-12
| | | | | | | it allows to customize the options passed down to the OCI runtime for setting up the /proc mount. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Do not use image CMD if user gave ENTRYPOINTMatthew Heon2020-08-10
| | | | | | | | | | | | | | | | This matches Docker behavior, and seems to make sense - the CMD may have been specific to the original entrypoint and probably does not make sense if it was changed. While we're in here, greatly simplify the logic for populating the SpecGen's Command. We create the full command when making the OCI spec, so the client should not be doing any more than setting it to the Command the user passed in, and completely ignoring ENTRYPOINT. Fixes #7115 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Remove duplicated codeDaniel J Walsh2020-08-04
| | | | | | We have duplicated alias handling, removing. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #7209 from giuseppe/support-mount-devptsOpenShift Merge Robot2020-08-04
|\ | | | | podman: support --mount type=devpts
| * podman: support --mount type=devptsGiuseppe Scrivano2020-08-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow to create a devpts mount. This is useful for containers that bind mount /dev/ from the host but at the same time want to create a terminal. It can be used as: podman run -v /dev:/dev --mount type=devpts,target=/dev/pts ... Closes: https://github.com/containers/podman/issues/6804 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Do not set host IP on ports when 0.0.0.0 requestedMatthew Heon2020-08-03
|/ | | | | | | | | | | | | | | | Docker and CNI have very different ideas of what 0.0.0.0 means. Docker takes it to be 0.0.0.0/0 - that is, bind to every IPv4 address on the host. CNI (and, thus, root Podman) take it to mean the literal IP 0.0.0.0. Instead, CNI interprets the empty string ("") as "bind to all IPs". We could ask CNI to change, but given this is established behavior, that's unlikely. Instead, let's just catch 0.0.0.0 and turn it into "" when we parse ports. Fixes #7014 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Specifying --ipc=host --pid=host is brokenDaniel J Walsh2020-07-28
| | | | | | | | For some reason we were overwriting memory when handling both --pid=host and --ipc=host. Simplified the code to handle this correctly, and add test to make sure it does not happen again. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Switch all references to github.com/containers/libpod -> podmanDaniel J Walsh2020-07-28
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Support default profile for apparmorDaniel J Walsh2020-07-22
| | | | | | | | | | | | | | Currently you can not apply an ApparmorProfile if you specify --privileged. This patch will allow both to be specified simultaniosly. By default Apparmor should be disabled if the user specifies --privileged, but if the user specifies --security apparmor:PROFILE, with --privileged, we should do both. Added e2e run_apparmor_test.go Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #7006 from ashley-cui/umaskOpenShift Merge Robot2020-07-22
|\ | | | | Add --umask flag for create, run
| * Add --umask flag for create, runAshley Cui2020-07-21
| | | | | | | | | | | | | | | | --umask sets the umask inside the container Defaults to 0022 Co-authored-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Ashley Cui <acui@redhat.com>
* | Add noop function disable-content-trustDaniel J Walsh2020-07-21
|/ | | | | | | | People who use docker scripts with Podman see failures if they use disable-content-trust flag. This flag already existed for podman build, adding it to pull/push/create/run. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add support for overlay volume mounts in podman.Qi Wang2020-07-20
| | | | | | | | Add support -v for overlay volume mounts in podman. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Qi Wang <qiwan@redhat.com>
* libpod: pass down network optionsGiuseppe Scrivano2020-07-16
| | | | | | do not pass network specific options through the network namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Fix handling of entrypointDaniel J Walsh2020-07-14
| | | | | | | If a user specifies an entrypoint of "" then we should not use the images entrypoint. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #6842 from rhatdan/pids-limitOpenShift Merge Robot2020-07-13
|\ | | | | Pids-limit should only be set if the user set it
| * Pids-limit should only be set if the user set itDaniel J Walsh2020-07-10
| | | | | | | | | | | | | | | | | | | | Currently we are sending over pids-limits from the user even if they never modified the defaults. The pids limit should be set at the server side unless modified by the user. This issue has led to failures on systems that were running with cgroups V1. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #6896 from mheon/fix_remote_createcommandOpenShift Merge Robot2020-07-13
|\ \ | | | | | | Fix container and pod create commands for remote create
| * | Fix container and pod create commands for remote createMatthew Heon2020-07-10
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In `podman inspect` output for containers and pods, we include the command that was used to create the container. This is also used by `podman generate systemd --new` to generate unit files. With remote podman, the generated create commands were incorrect since we sourced directly from os.Args on the server side, which was guaranteed to be `podman system service` (or some variant thereof). The solution is to pass the command along in the Specgen or PodSpecgen, where we can source it from the client's os.Args. This will still be VERY iffy for mixed local/remote use (doing a `podman --remote run ...` on a remote client then a `podman generate systemd --new` on the server on the same container will not work, because the `--remote` flag will slip in) but at the very least the output of `podman inspect` will be correct. We can look into properly handling `--remote` (parsing it out would be a little iffy) in a future PR. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* / Don't setup AppArmor provile for privileged podsRalf Haferkamp2020-07-10
|/ | | | | | This is essentially db218e7162c2 forward-ported to specgen Signed-off-by: Ralf Haferkamp <rhafer@suse.com>
* Add username to /etc/passwd inside of container if --userns keep-idDaniel J Walsh2020-07-07
| | | | | | | | | | If I enter a continer with --userns keep-id, my UID will be present inside of the container, but most likely my user will not be defined. This patch will take information about the user and stick it into the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Implement --sdnotify cmdline option to control sd-notify behaviorJoseph Gooch2020-07-06
| | | | | | | | | | | | | | | | | | | --sdnotify container|conmon|ignore With "conmon", we send the MAINPID, and clear the NOTIFY_SOCKET so the OCI runtime doesn't pass it into the container. We also advertise "ready" when the OCI runtime finishes to advertise the service as ready. With "container", we send the MAINPID, and leave the NOTIFY_SOCKET so the OCI runtime passes it into the container for initialization, and let the container advertise further metadata. This is the default, which is closest to the behavior podman has done in the past. The "ignore" option removes NOTIFY_SOCKET from the environment, so neither podman nor any child processes will talk to systemd. This removes the need for hardcoded CID and PID files in the command line, and the PIDFile directive, as the pid is advertised directly through sd-notify. Signed-off-by: Joseph Gooch <mrwizard@dok.org>
* Merge pull request #6836 from ashley-cui/tzlibpodOpenShift Merge Robot2020-07-06
|\ | | | | Add --tz flag to create, run
| * Add --tz flag to create, runAshley Cui2020-07-02
| | | | | | | | | | | | | | --tz flag sets timezone inside container Can be set to IANA timezone as well as `local` to match host machine Signed-off-by: Ashley Cui <acui@redhat.com>
* | move go module to v2Valentin Rothberg2020-07-06
|/ | | | | | | | | | | | | | | With the advent of Podman 2.0.0 we crossed the magical barrier of go modules. While we were able to continue importing all packages inside of the project, the project could not be vendored anymore from the outside. Move the go module to new major version and change all imports to `github.com/containers/libpod/v2`. The renaming of the imports was done via `gomove` [1]. [1] https://github.com/KSubedi/gomove Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #6808 from mheon/allow_empty_hostportOpenShift Merge Robot2020-06-29
|\ | | | | Allow empty host port in --publish flag
| * Allow empty host port in --publish flagMatthew Heon2020-06-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I didn't believe that this was actually legal, but it looks like it is. And, unlike our previous understanding (host port being empty means just use container port), empty host port actually carries the same meaning as `--expose` + `--publish-all` (that is, assign a random host port to the given container port). This requires a significant rework of our port handling code to handle this new case. I don't foresee this being commonly used, so I optimized having a fixed port number as fast path, which this random assignment code running after the main port handling code only if necessary. Fixes #6806 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | podman: add new cgroup mode splitGiuseppe Scrivano2020-06-25
|/ | | | | | | | | | | | | | | | | | | When running under systemd there is no need to create yet another cgroup for the container. With conmon-delegated the current cgroup will be split in two sub cgroups: - supervisor - container The supervisor cgroup will hold conmon and the podman process, while the container cgroup is used by the OCI runtime (using the cgroupfs backend). Closes: https://github.com/containers/libpod/issues/6400 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #6752 from rhatdan/inspectOpenShift Merge Robot2020-06-24
|\ | | | | Fix inspect to display multiple label: changes
| * Fix inspect to display multiple label: changesDaniel J Walsh2020-06-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If the user runs a container like podman run --security-opt seccomp=unconfined --security-opt label=type:spc_t --security-opt label=level:s0 ... Podman inspect was only showing the second option This change will show "SecurityOpt": [ "label=type:spc_t,label=level:s0:c60", "seccomp=unconfined" ], Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Set stop signal to 15 when not explicitly setMatthew Heon2020-06-24
|/ | | | | | | | | | | | | | | | When going through the output of `podman inspect` to try and identify another issue, I noticed that Podman 2.0 was setting StopSignal to 0 on containers by default. After chasing it through the command line and SpecGen, I determined that we were actually not setting a default in Libpod, which is strange because I swear we used to do that. I re-added the disappeared default and now all is well again. Also, while I was looking for the bug in SpecGen, I found a bunch of TODOs that have already been done. Eliminate the comments for these. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #6712 from mheon/readd_userns_envvarOpenShift Merge Robot2020-06-23
|\ | | | | Re-add PODMAN_USERNS environment variable
| * Re-add PODMAN_USERNS environment variableMatthew Heon2020-06-22
| | | | | | | | | | | | | | | | | | | | This was lost during the Podman 2.0 migration. Turns out to be a very easy fix, fortunately - we want to use the environment var if not explicitly overridden. Fixes #6705 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Add --preservefds to podman runQi Wang2020-06-19
|/ | | | | | Add --preservefds to podman run. close https://github.com/containers/libpod/issues/6458 Signed-off-by: Qi Wang <qiwan@redhat.com>
* Merge pull request #6636 from mheon/add_warningsOpenShift Merge Robot2020-06-17
|\ | | | | Re-add resource limit warnings to Specgen
| * Re-add resource limit warnings to SpecgenMatthew Heon2020-06-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These were part of Podman v1.9, but were lost in the transition to using Specgen to create containers. Most resource limits are checked via the sysinfo package to ensure they are safe to use (the cgroup is mounted, kernel support is present, etc) and removed if not safe. Further, bounds checks are performed to ensure that values are valid. Ensure these warnings are printed client-side when they occur. This part is a little bit gross, as it happens in pkg/infra and not cmd/podman, which is largely down to how we implemented `podman run` - all the work is done in pkg/infra and it returns only once the container has exited, and we need warnings to print *before* the container runs. The solution here, while inelegant, avoid the need to extensively refactor our handling of run. Should fix blkio-limit warnings that were identified by the FCOS test suite. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #6583 from mheon/inspect_ctr_before_imgOpenShift Merge Robot2020-06-17
|\ \ | | | | | | Fix podman inspect on overlapping/missing objects
| * | Fix podman inspect on overlapping/missing objectsMatthew Heon2020-06-16
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This started as a small fix to `podman inspect` where a container and image, with the same name/tag, were present, and `podman inspect` was run on that name. `podman inspect` in 1.9 (and `docker inspect`) will give you the container; in v2.0, we gave the image. This was an easy fix (just reorder how we check for image/container). Unfortunately, in the process of testing this fix, I determined that we regressed in a different area. When you run inspect on a number of containers, some of which do not exist, `podman inspect` should return an array of inspect results for the objects that exist, then print a number of errors, one for each object that could not be found. We were bailing after the first error, and not printing output for the containers that succeeded. (For reference, this applied to images as well). This required a much more substantial set of changes to properly handle - signatures for the inspect functions in ContainerEngine and ImageEngine, plus the implementations of these interfaces, plus the actual inspect frontend code needed to be adjusted to use this. Fixes #6556 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* / Fix --init and --init-pathJoseph Gooch2020-06-16
|/ | | | | | | Init properly passed into specgen Allow --init with --systemd=true but not --systemd=always. Signed-off-by: Joseph Gooch <mrwizard@dok.org>
* {create,run} --replaceValentin Rothberg2020-06-15
| | | | | | | | | | | | | Add a `--replace` flag to the `container {create,run}` commands. If another container with the same name already exists, it will be replaced and removed. Adding this flag is motivated by #5485 to make running Podman in systemd units (or any other scripts/automation) more robust. In case of a crash, a container may not be removed by a sytemd unit anymore. The `--replace` flag allows for supporting crashes. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Turn on More lintersDaniel J Walsh2020-06-15
| | | | | | | | | - misspell - prealloc - unparam - nakedret Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Do not default WorkingDir to / on client sideDaniel J Walsh2020-06-12
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #6415 from vrothberg/systemd-new-podOpenShift Merge Robot2020-06-11
|\ | | | | podman-generate-systemd --new for pods
| * container-{create,run}: add `--pod-id-file`Valentin Rothberg2020-06-11
| | | | | | | | | | | | | | | | Allow containers to join an existing pod via the `--pod-id-file` which is already supported by a number of `podman-pod` subcommands. Also add tests to make sure it's working and to prevent future regressions. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Enable IPv6 port bindingMatthew Heon2020-06-10
|/ | | | | | | | | | | | | | | | | | | | | | | | Two areas needed tweaking to accomplish this: port parsing and binding ports on the host. Parsing is an obvious problem - we have to accomodate an IPv6 address enclosed by [] as well as a normal IPv4 address. It was slightly complicated by the fact that we previously just counted the number of colons in the whole port definition (a thousand curses on whoever in the IPv6 standard body decided to reuse colons for address separators), but did not end up being that bad. Libpod also (optionally) binds ports on the host to prevent their reuse by host processes. This code was IPv4 only for TCP, and bound to both for UDP (which I'm fairly certain is not correct, and has been adjusted). This just needed protocols adjusted to read "tcp4"/"tcp6" and "udp4"/"udp6" based on what we wanted to bind to. Fixes #5715 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Fixup issues found by golintDaniel J Walsh2020-06-10
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix handling of systemd.Daniel J Walsh2020-06-05
| | | | | | | | | | Systemd enablement has to happen on the server side, since we need check if the image is running systemd. Also need to make sure user setting the StopSignal is not overriden on the server side. But if not set and using systemd, we set it correctly. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Strip defaults from namespace flagsMatthew Heon2020-06-04
| | | | | | | | | | | | | | | | | We were picking up defaults from the client's containers.conf, which broke pod namespaces. The server-side code already checks containers.conf when not explicitly overridden by the user, or by the container being part of a pod (the last bit being our bug). This only manifested on systems with a containers.conf installed, so RHEL 8 and Fedora 32 (which means our F32 CI VMs likely should have caught it, but didn't, which is concerning). This prevents defaults for these flags being shown, but they were incorrect anyways for `podman-remote`, so I'm not terribly concerned. Signed-off-by: Matthew Heon <matthew.heon@pm.me>