aboutsummaryrefslogtreecommitdiff
path: root/cmd/podman/shared/create.go
Commit message (Collapse)AuthorAge
* set process labels in pkg/specValentin Rothberg2020-02-19
| | | | | | | | Set the (default) process labels in `pkg/spec`. This way, we can also query libpod.conf and disable labeling if needed. Fixes: #5087 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Rework label parsingMatthew Heon2020-02-14
| | | | | | | | | | | | | | | We attempted to share all logic for parsing labels and environment variables, which on the surface makes lots of sense (both are formatted key=value so parsing logic should be identical) but has begun to fall apart now that we have added additional logic to environment variable handling. Environment variables that are unset, for example, are looked up against environment variables set for the process. We don't want this for labels, so we have to split parsing logic. Fixes #3854 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #5152 from QiWang19/device-cgroup-ruleOpenShift Merge Robot2020-02-13
|\ | | | | support device-cgroup-rule
| * support device-cgroup-ruleQi Wang2020-02-12
| | | | | | | | | | | | | | fix #4876 Add `--device-cgroup-rule` to podman create and run. This enables to add device rules after the container has been created. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | add pkg/seccompValentin Rothberg2020-02-12
|/ | | | | | | | Add pkg/seccomp to consolidate all seccomp-policy related code which is currently scattered across multiple packages and complicating the creatconfig refactoring. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* container create: relax os/arch checksValentin Rothberg2020-02-11
| | | | | | | | | | Relax the os/arch checks when creating a container and only info-log mismatches instead of erroring out. There are too many images used in the wild which do not set their arch correctly correctly. Erroring out has hit users sufficiently enough to justify relaxing the errors and only log to at least inform the users and image vendors. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Special case memory-swap=-1Daniel J Walsh2020-02-05
| | | | | | | We document that memory-swap==-1 means unlimited, but currently we won't allow the user to specify the -1 value. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* seccomp policy: expect profile in config labelValentin Rothberg2020-01-23
| | | | | | | | Move the seccomp profile from a manifest annotation to a config label. This way, we can support it for Docker images as well and provide an easy way to add that data via Dockerfiles. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Remove c.String(net)Daniel J Walsh2020-01-16
| | | | | | | We have a lot of cludgy code trying to make --net and --network equivalent. This will allow --net to still exists but will eliminate the help and confusion. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #4806 from vrothberg/seccompOpenShift Merge Robot2020-01-15
|\ | | | | policy for seccomp-profile selection
| * policy for seccomp-profile selectionValentin Rothberg2020-01-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Implement a policy for selecting a seccomp profile. In addition to the default behaviour (default profile unless --security-opt seccomp is set) add a second policy doing a lookup in the image annotation. If the image has the "io.containers.seccomp.profile" set its value will be interpreted as a seccomp profile. The policy can be selected via the new --seccomp-policy CLI flag. Once the containers.conf support is merged into libpod, we can add an option there as well. Note that this feature is marked as experimental and may change in the future. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * shared/create.go: s/data/imageData/Valentin Rothberg2020-01-09
| | | | | | | | | | | | | | Rename `data` to `imageData` to make it more obvious which kind of data the variable refers to. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | make lint: enable gocriticValentin Rothberg2020-01-13
|/ | | | | | | `gocritic` is a powerful linter that helps in preventing certain kinds of errors as well as enforcing a coding style. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* signal parsing - better input validationEd Santiago2019-12-26
| | | | | | | | | | | | | | | | | | | | | | The helper function we use for signal name mapping does not check for negative numbers nor invalid (too-high) ones. This can yield unexpected error messages: # podman kill -s -1 foo ERRO[0000] unknown signal "18446744073709551615" This PR introduces a small wrapper for it that: 1) Strips off a leading dash, allowing '-1' or '-HUP' as valid inputs; and 2) Rejects numbers <1 or >64 (SIGRTMAX) Also adds a test suite checking signal handling as well as ensuring that invalid signals are rejected by the command line. Fixes: #4746 Signed-off-by: Ed Santiago <santiago@redhat.com>
* container config: add CreateCommandValentin Rothberg2019-12-13
| | | | | | | | | | | | | | | | | | Store the full command plus arguments of the process the container has been created with. Expose this data as a `Config.CreateCommand` field in the container-inspect data as well. This information can be useful for debugging, as we can find out which command has created the container, and, if being created via the Podman CLI, we know exactly with which flags the container has been created with. The immediate motivation for this change is to use this information for `podman-generate-systemd` to generate systemd-service files that allow for creating new containers (in contrast to only starting existing ones). Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #4505 from vrothberg/archOpenShift Merge Robot2019-11-16
|\ | | | | container create: os/arch check
| * container create: os/arch checkValentin Rothberg2019-11-12
| | | | | | | | | | | | | | Unless explicitely overridden, check if the image's OS and architecture and throw an errors in case of a mismatch. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #4368 from haircommander/pod-annotationsOpenShift Merge Robot2019-11-15
|\ \ | | | | | | Add pod annotations to container
| * | Add pod annotations to containerPeter Hunt2019-11-08
| | | | | | | | | | | | | | | | | | We have the annotations SandboxID, let's use them. This also allows kata containers to be created in pods and share a VM with the infra container. Note: as of now, this sharing only works if the pod has an infra container Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | codespell: spelling correctionsDmitry Smirnov2019-11-13
| |/ |/| | | | | Signed-off-by: Dmitry Smirnov <onlyjob@member.fsf.org>
* | Merge pull request #4337 from QiWang19/check_auth_pathOpenShift Merge Robot2019-11-08
|\ \ | |/ |/| fix bug check nonexist authfile
| * fix bug check nonexist authfileQi Wang2019-11-05
| | | | | | | | | | | | | | | | | | Use GetDefaultAuthFile() from buildah. For podman command(except login), if authfile does not exist returns error. close #4328 Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Split up create config handling of namespaces and securityPeter Hunt2019-11-07
| | | | | | | | | | | | | | | | As it stands, createconfig is a huge struct. This works fine when the only caller is when we create a container with a fully created config. However, if we wish to share code for security and namespace configuration, a single large struct becomes unweildy, as well as difficult to configure with the single createConfigToOCISpec function. This PR breaks up namespace and security configuration into their own structs, with the eventual goal of allowing the namespace/security fields to be configured by the pod create cli, and allow the infra container to share this with the pod's containers. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | podman: add support for specifying MACJakub Filak2019-11-06
|/ | | | | | | | I basically copied and adapted the statements for setting IP. Closes #1136 Signed-off-by: Jakub Filak <jakub.filak@sap.com>
* Set default seccomp.json file for podman play kubeDaniel J Walsh2019-10-29
| | | | | | | Currently podman play kube is not using the system default seccomp.json file. This PR will use the default or override location for podman play. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* pull/create: add --override-arch/--override-os flagsNalin Dahyabhai2019-10-29
| | | | | | | | Add --override-arch and --override-os as hidden flags, in line with the global flag names that skopeo uses, so that we can test behavior around manifest lists without having to conditionalize more of it by arch. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* bump containers/image to v5.0.0, buildah to v1.11.4Nalin Dahyabhai2019-10-29
| | | | | | | | | Move to containers/image v5 and containers/buildah to v1.11.4. Replace an equality check with a type assertion when checking for a docker.ErrUnauthorizedForCredentials in `podman login`. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* systemd: accept also /sbin/initGiuseppe Scrivano2019-10-15
| | | | | | | | | it is a regression caused by 3ba3e1c7510d1780b6527a4aa52e40ac2c5b576a. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1761514 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* cli: support --systemd=alwaysGiuseppe Scrivano2019-10-09
| | | | | | | it enforces the systemd mode also when the command name doesn't match /usr/sbin/init or systemd. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* systemd: expect full path /usr/sbin/initGiuseppe Scrivano2019-10-09
| | | | | | | | | | | | "init" is a quite common name for the command executed in a container image and Podman ends up using the systemd mode also when not required. Be stricter on enabling the systemd mode and not enable it automatically when the basename is "init" but expect the full path "/usr/sbin/init". Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4032 from rhatdan/pids-limitOpenShift Merge Robot2019-10-07
|\ | | | | Setup a reasonable default for pids-limit 4096
| * Setup a reasonable default for pids-limit 4096Daniel J Walsh2019-10-04
| | | | | | | | | | | | | | | | | | | | | | CRI-O defaults to 1024 for the maximum pids in a container. Podman should have a similar limit. Once we have a containers.conf, we can set the limit in this file, and have it easily customizable. Currently the documentation says that -1 sets pids-limit=max, but -1 fails. This patch allows -1, but also indicates that 0 also sets the max pids limit. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Update c/image to v4.0.1 and buildah to 1.11.3Miloslav Trmač2019-10-04
|/ | | | | | | | | | | | | | This requires updating all import paths throughout, and a matching buildah update to interoperate. I can't figure out the reason for go.mod tracking github.com/containers/image v3.0.2+incompatible // indirect ((go mod graph) lists it as a direct dependency of libpod, but (go list -json -m all) lists it as an indirect dependency), but at least looking at the vendor subdirectory, it doesn't seem to be actually used in the built binaries. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Add support for launching containers without CGroupsMatthew Heon2019-09-10
| | | | | | | This is mostly used with Systemd, which really wants to manage CGroups itself when managing containers via unit file. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Update varlink doc and codeJhon Honce2019-08-26
| | | | | | | | * Improved error message * Added documentation * Updated messages to include missing data Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Merge pull request #3617 from QiWang19/create_pullOpenShift Merge Robot2019-08-17
|\ | | | | add --pull flag for podman create&run
| * add --pull flag for podman create&runQi Wang2019-08-09
| | | | | | | | | | | | | | | | | | | | | | Requirement from https://github.com/containers/libpod/issues/3575#issuecomment-512238393 Added --pull for podman create and pull to match the newly added flag in docker CLI. `missing`: default value, podman will pull the image if it does not exist in the local. `always`: podman will always pull the image. `never`: podman will never pull the image. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | cmd: drop check for euid==0Giuseppe Scrivano2019-08-12
|/ | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3737 from QiWang19/create_authOpenShift Merge Robot2019-08-09
|\ | | | | fix create&run getting --authfile from cli
| * fix create&run getting --authfile from cliQi Wang2019-08-09
| | | | | | | | | | | | Add flag `--authfile` to create and run so Podman can read authfile path from not only environemnt variable REGISTRY_AUTH_FILE but also CLI Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Improve dns-search validation, empty domains now return an errorJhon Honce2019-08-09
|/ | | | | | Fixes #3426 Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Allow the passing of '.' to --dns-searchDaniel J Walsh2019-08-08
| | | | | | --dns-search is defined to remove all search domains from a container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* When populating CMD, do not include EntrypointMatthew Heon2019-08-06
| | | | | | | | | | | | | | | Previously, we use CreateConfig's Command to populate container Command (which is used as CMD for Inspect and Commit). Unfortunately, CreateConfig's Command is the container's full command, including a prepend of Entrypoint - so we duplicate Entrypoint for images that include it. Maintain a separate UserCommand in CreateConfig that does not include the entrypoint, and use that instead. Fixes #3708 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Touch up input argument error on createTomSweeneyRedHat2019-07-30
| | | | | | | Add an error when there are not enough input arguments for remote create. Addresses comments in #3656 Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* Fix commit --changes env=X=YJhon Honce2019-07-26
| | | | Signed-off-by: Jhon Honce <jhonce@redhat.com>
* pods: do not to join a userns if there is not anyGiuseppe Scrivano2019-07-25
| | | | | | | do not attempt to join the user namespace if the pod is running in the host user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* golangci-lint round #3baude2019-07-21
| | | | | | | this is the third round of preparing to use the golangci-lint on our code base. Signed-off-by: baude <bbaude@redhat.com>
* libpod: support for cgroup namespaceGiuseppe Scrivano2019-07-18
| | | | | | | | | | | | | | allow a container to run in a new cgroup namespace. When running in a new cgroup namespace, the current cgroup appears to be the root, so that there is no way for the container to access cgroups outside of its own subtree. By default it uses --cgroup=host to keep the previous behavior. To create a new namespace, --cgroup=private must be provided. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Move the HostConfig portion of Inspect inside libpodMatthew Heon2019-07-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When we first began writing Podman, we ran into a major issue when implementing Inspect. Libpod deliberately does not tie its internal data structures to Docker, and stores most information about containers encoded within the OCI spec. However, Podman must present a CLI compatible with Docker, which means it must expose all the information in 'docker inspect' - most of which is not contained in the OCI spec or libpod's Config struct. Our solution at the time was the create artifact. We JSON'd the complete CreateConfig (a parsed form of the CLI arguments to 'podman run') and stored it with the container, restoring it when we needed to run commands that required the extra info. Over the past month, I've been looking more at Inspect, and refactored large portions of it into Libpod - generating them from what we know about the OCI config and libpod's (now much expanded, versus previously) container configuration. This path comes close to completing the process, moving the last part of inspect into libpod and removing the need for the create artifact. This improves libpod's compatability with non-Podman containers. We no longer require an arbitrarily-formatted JSON blob to be present to run inspect. Fixes: #3500 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* create: ignore check if image has HEALTHCHECK NONEStefan Becker2019-07-16
| | | | | | | | | | | | | | If the image was built with "HEALTHCHECK NONE" then we should create a container without healthcheck configuration. Otherwise executing the healthcheck on the container will return "unhealthy" instead of the correct error message that the container doesn't have a healthcheck. We also ignore the healthcheck configuration if the command list is empty or the command string is empty. Fixes #3525 Signed-off-by: Stefan Becker <chemobejk@gmail.com>