summaryrefslogtreecommitdiff
path: root/cmd/podman/shared
Commit message (Collapse)AuthorAge
* Add support for containers.confDaniel J Walsh2020-03-27
| | | | | | | vendor in c/common config pkg for containers.conf Signed-off-by: Qi Wang qiwan@redhat.com Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Support label filters for podman pod ps.Stefano Pogliani2020-03-26
| | | | | | | | Update the podman pod ps command to support filtering by labels. This brings the command in line with the documentation as well as the functionality by the containers equivalent podman ps. Signed-off-by: Stefano Pogliani <stefano@spogliani.net>
* Make cmd/podman/shared.GenerateCommand tests Linux-onlyMiloslav Trmač2020-03-21
| | | | | | They rely on existence of /proc/self/exe . Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Merge pull request #5445 from sujil02/podFilter-newOpenShift Merge Robot2020-03-19
|\ | | | | Filter pods through pod list api
| * Filter pods through pod list apiSujil022020-03-17
| | | | | | | | | | | | | | Refactored current filter pods flow through the shared pod functions so filter pod functionalities can be shared between api and cmd. Signed-off-by: Sujil02 <sushah@redhat.com>
* | auto updatesValentin Rothberg2020-03-17
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add support to auto-update containers running in systemd units as generated with `podman generate systemd --new`. `podman auto-update` looks up containers with a specified "io.containers.autoupdate" label (i.e., the auto-update policy). If the label is present and set to "image", Podman reaches out to the corresponding registry to check if the image has been updated. We consider an image to be updated if the digest in the local storage is different than the one of the remote image. If an image must be updated, Podman pulls it down and restarts the container. Note that the restarting sequence relies on systemd. At container-creation time, Podman looks up the "PODMAN_SYSTEMD_UNIT" environment variables and stores it verbatim in the container's label. This variable is now set by all systemd units generated by `podman-generate-systemd` and is set to `%n` (i.e., the name of systemd unit starting the container). This data is then being used in the auto-update sequence to instruct systemd (via DBUS) to restart the unit and hence to restart the container. Note that this implementation of auto-updates relies on systemd and requires a fully-qualified image reference to be used to create the container. This enforcement is necessary to know which image to actually check and pull. If we used an image ID, we would not know which image to check/pull anymore. Fixes: #3575 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #5469 from giuseppe/no-size-create-containerOpenShift Merge Robot2020-03-12
|\ | | | | create: do not calculate image size
| * create: do not calculate image sizeGiuseppe Scrivano2020-03-12
| | | | | | | | | | | | | | calculating the image size can be an expensive operation. Avoid doing it when creating a new container since the size is not needed. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Fix spelling mistakes in code found by codespellDaniel J Walsh2020-03-07
|/ | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* env: don't set "container" envValentin Rothberg2020-03-04
| | | | | | | | Leave setting the "container" variable to consumers of pkg/env. Podman is now hard-setting it to "podman" while "libpod" will set it internally to "libpod" if it's unset. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* consolidate env handling into pkg/envValentin Rothberg2020-03-03
| | | | | | | | | Env-variable related code is scattered across several packages making it hard to maintain and extend. Consolidate the code into a new pkg/env package. Signed-off-by: Valentin Rothberg <rothberg@redhat.com> Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add --no-healthcheck command to create/runBrent Baude2020-02-22
| | | | | | | | Now support --no-healthcheck option to disable defined healthchecks in a container image. --health-cmd=none remains supported as well. Fixes: #5299 Signed-off-by: Brent Baude <bbaude@redhat.com>
* set process labels in pkg/specValentin Rothberg2020-02-19
| | | | | | | | Set the (default) process labels in `pkg/spec`. This way, we can also query libpod.conf and disable labeling if needed. Fixes: #5087 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* podman-ps: support image IDsValentin Rothberg2020-02-17
| | | | | | | Support printing image IDs via `--format "{{.ImageID}}"`. Fixes: #5160 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Rework label parsingMatthew Heon2020-02-14
| | | | | | | | | | | | | | | We attempted to share all logic for parsing labels and environment variables, which on the surface makes lots of sense (both are formatted key=value so parsing logic should be identical) but has begun to fall apart now that we have added additional logic to environment variable handling. Environment variables that are unset, for example, are looked up against environment variables set for the process. We don't want this for labels, so we have to split parsing logic. Fixes #3854 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #5152 from QiWang19/device-cgroup-ruleOpenShift Merge Robot2020-02-13
|\ | | | | support device-cgroup-rule
| * support device-cgroup-ruleQi Wang2020-02-12
| | | | | | | | | | | | | | fix #4876 Add `--device-cgroup-rule` to podman create and run. This enables to add device rules after the container has been created. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | add pkg/seccompValentin Rothberg2020-02-12
|/ | | | | | | | Add pkg/seccomp to consolidate all seccomp-policy related code which is currently scattered across multiple packages and complicating the creatconfig refactoring. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #5159 from baude/apiv2cockpit1OpenShift Merge Robot2020-02-11
|\ | | | | Rewire ListContainers for APIv2 libpod
| * Rewire ListContainers for APIv2 libpodBrent Baude2020-02-11
| | | | | | | | | | | | | | | | | | | | consumers of the api remarked how they would prefer a more strongly typed data structure from list containers oon the libpod side of things. for example, events should be consumable and consistent timestamps. also, for the sake of compatibility, it is helpful to have the json named atttributes for Id to not be ID. listcontainers on the libpod side no longer strongly uses the the ps cli to obtain information but we do benefit from turning on the ability to list the last X containers, something CLI does not have yet. we also flipped the bit on defaulting to truncated output in the return. thanks to the efforts of the cockpit team to help us here. Signed-off-by: Brent Baude <bbaude@redhat.com>
* | container create: relax os/arch checksValentin Rothberg2020-02-11
|/ | | | | | | | | | Relax the os/arch checks when creating a container and only info-log mismatches instead of erroring out. There are too many images used in the wild which do not set their arch correctly correctly. Erroring out has hit users sufficiently enough to justify relaxing the errors and only log to at least inform the users and image vendors. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Special case memory-swap=-1Daniel J Walsh2020-02-05
| | | | | | | We document that memory-swap==-1 means unlimited, but currently we won't allow the user to specify the -1 value. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* APIv2 review corrections #3Brent Baude2020-01-25
| | | | | | The third pass of corrections for the APIv2. Signed-off-by: Brent Baude <bbaude@redhat.com>
* seccomp policy: expect profile in config labelValentin Rothberg2020-01-23
| | | | | | | | Move the seccomp profile from a manifest annotation to a config label. This way, we can support it for Docker images as well and provide an easy way to add that data via Dockerfiles. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Remove c.String(net)Daniel J Walsh2020-01-16
| | | | | | | We have a lot of cludgy code trying to make --net and --network equivalent. This will allow --net to still exists but will eliminate the help and confusion. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #4806 from vrothberg/seccompOpenShift Merge Robot2020-01-15
|\ | | | | policy for seccomp-profile selection
| * policy for seccomp-profile selectionValentin Rothberg2020-01-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Implement a policy for selecting a seccomp profile. In addition to the default behaviour (default profile unless --security-opt seccomp is set) add a second policy doing a lookup in the image annotation. If the image has the "io.containers.seccomp.profile" set its value will be interpreted as a seccomp profile. The policy can be selected via the new --seccomp-policy CLI flag. Once the containers.conf support is merged into libpod, we can add an option there as well. Note that this feature is marked as experimental and may change in the future. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * shared/create.go: s/data/imageData/Valentin Rothberg2020-01-09
| | | | | | | | | | | | | | Rename `data` to `imageData` to make it more obvious which kind of data the variable refers to. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #4850 from vrothberg/fix-lintingOpenShift Merge Robot2020-01-13
|\ \ | | | | | | Fix linting
| * | make lint: enable gocriticValentin Rothberg2020-01-13
| |/ | | | | | | | | | | | | `gocritic` is a powerful linter that helps in preventing certain kinds of errors as well as enforcing a coding style. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* / Add codespell to validate spelling mistakes in code.Daniel J Walsh2020-01-11
|/ | | | | | Fix all errors found by codespell Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #4748 from NevilleC/nc-podnameOpenShift Merge Robot2019-12-29
|\ | | | | [Issue #4703] Add the pod name when we use `podman ps -p`
| * Add the pod name when we use `podman ps -p`Neville Cain2019-12-28
| | | | | | | | | | | | | | | | | | | | | | | | The pod name does not appear when doing `podman ps -p`. It is missing as the documentation says: -p, --pod Print the ID and name of the pod the containers are associated with The pod name is added in the ps output and checked in unit tests. Closes #4703 Signed-off-by: NevilleC <neville.cain@qonto.eu>
* | signal parsing - better input validationEd Santiago2019-12-26
|/ | | | | | | | | | | | | | | | | | | | | | The helper function we use for signal name mapping does not check for negative numbers nor invalid (too-high) ones. This can yield unexpected error messages: # podman kill -s -1 foo ERRO[0000] unknown signal "18446744073709551615" This PR introduces a small wrapper for it that: 1) Strips off a leading dash, allowing '-1' or '-HUP' as valid inputs; and 2) Rejects numbers <1 or >64 (SIGRTMAX) Also adds a test suite checking signal handling as well as ensuring that invalid signals are rejected by the command line. Fixes: #4746 Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #4722 from giuseppe/drop-arbitrary-limitOpenShift Merge Robot2019-12-19
|\ | | | | libpod: drop arbitrary memory limit of 4M
| * libpod: drop arbitrary memory limit of 4MGiuseppe Scrivano2019-12-17
| | | | | | | | | | | | drop the arbitrary limit of 4M for creating a container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | container config: add CreateCommandValentin Rothberg2019-12-13
|/ | | | | | | | | | | | | | | | | | Store the full command plus arguments of the process the container has been created with. Expose this data as a `Config.CreateCommand` field in the container-inspect data as well. This information can be useful for debugging, as we can find out which command has created the container, and, if being created via the Podman CLI, we know exactly with which flags the container has been created with. The immediate motivation for this change is to use this information for `podman-generate-systemd` to generate systemd-service files that allow for creating new containers (in contrast to only starting existing ones). Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #4596 from kunalkushwaha/container-pruneOpenShift Merge Robot2019-12-02
|\ | | | | container prune command fixed as per docker prune command
| * filter added to container prune commandKunal Kushwaha2019-11-29
| | | | | | | | | | | | | | filter flag helps to filter the containers based on labels, until(time), name, etc for prune command. Signed-off-by: Kunal Kushwaha <kunal.kushwaha@gmail.com>
* | Add ContainerStateRemovingMatthew Heon2019-11-19
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When Libpod removes a container, there is the possibility that removal will not fully succeed. The most notable problems are storage issues, where the container cannot be removed from c/storage. When this occurs, we were faced with a choice. We can keep the container in the state, appearing in `podman ps` and available for other API operations, but likely unable to do any of them as it's been partially removed. Or we can remove it very early and clean up after it's already gone. We have, until now, used the second approach. The problem that arises is intermittent problems removing storage. We end up removing a container, failing to remove its storage, and ending up with a container permanently stuck in c/storage that we can't remove with the normal Podman CLI, can't use the name of, and generally can't interact with. A notable cause is when Podman is hit by a SIGKILL midway through removal, which can consistently cause `podman rm` to fail to remove storage. We now add a new state for containers that are in the process of being removed, ContainerStateRemoving. We set this at the beginning of the removal process. It notifies Podman that the container cannot be used anymore, but preserves it in the DB until it is fully removed. This will allow Remove to be run on these containers again, which should successfully remove storage if it fails. Fixes #3906 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #4505 from vrothberg/archOpenShift Merge Robot2019-11-16
|\ | | | | container create: os/arch check
| * container create: os/arch checkValentin Rothberg2019-11-12
| | | | | | | | | | | | | | Unless explicitely overridden, check if the image's OS and architecture and throw an errors in case of a mismatch. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #4368 from haircommander/pod-annotationsOpenShift Merge Robot2019-11-15
|\ \ | | | | | | Add pod annotations to container
| * | Add pod annotations to containerPeter Hunt2019-11-08
| | | | | | | | | | | | | | | | | | We have the annotations SandboxID, let's use them. This also allows kata containers to be created in pods and share a VM with the infra container. Note: as of now, this sharing only works if the pod has an infra container Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | codespell: spelling correctionsDmitry Smirnov2019-11-13
| |/ |/| | | | | Signed-off-by: Dmitry Smirnov <onlyjob@member.fsf.org>
* | Merge pull request #4337 from QiWang19/check_auth_pathOpenShift Merge Robot2019-11-08
|\ \ | |/ |/| fix bug check nonexist authfile
| * fix bug check nonexist authfileQi Wang2019-11-05
| | | | | | | | | | | | | | | | | | Use GetDefaultAuthFile() from buildah. For podman command(except login), if authfile does not exist returns error. close #4328 Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Split up create config handling of namespaces and securityPeter Hunt2019-11-07
| | | | | | | | | | | | | | | | As it stands, createconfig is a huge struct. This works fine when the only caller is when we create a container with a fully created config. However, if we wish to share code for security and namespace configuration, a single large struct becomes unweildy, as well as difficult to configure with the single createConfigToOCISpec function. This PR breaks up namespace and security configuration into their own structs, with the eventual goal of allowing the namespace/security fields to be configured by the pod create cli, and allow the infra container to share this with the pod's containers. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | podman: add support for specifying MACJakub Filak2019-11-06
|/ | | | | | | | I basically copied and adapted the statements for setting IP. Closes #1136 Signed-off-by: Jakub Filak <jakub.filak@sap.com>
* Set default seccomp.json file for podman play kubeDaniel J Walsh2019-10-29
| | | | | | | Currently podman play kube is not using the system default seccomp.json file. This PR will use the default or override location for podman play. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>