summaryrefslogtreecommitdiff
path: root/cmd/podman/shared
Commit message (Collapse)AuthorAge
* Merge pull request #5152 from QiWang19/device-cgroup-ruleOpenShift Merge Robot2020-02-13
|\ | | | | support device-cgroup-rule
| * support device-cgroup-ruleQi Wang2020-02-12
| | | | | | | | | | | | | | fix #4876 Add `--device-cgroup-rule` to podman create and run. This enables to add device rules after the container has been created. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | add pkg/seccompValentin Rothberg2020-02-12
|/ | | | | | | | Add pkg/seccomp to consolidate all seccomp-policy related code which is currently scattered across multiple packages and complicating the creatconfig refactoring. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #5159 from baude/apiv2cockpit1OpenShift Merge Robot2020-02-11
|\ | | | | Rewire ListContainers for APIv2 libpod
| * Rewire ListContainers for APIv2 libpodBrent Baude2020-02-11
| | | | | | | | | | | | | | | | | | | | consumers of the api remarked how they would prefer a more strongly typed data structure from list containers oon the libpod side of things. for example, events should be consumable and consistent timestamps. also, for the sake of compatibility, it is helpful to have the json named atttributes for Id to not be ID. listcontainers on the libpod side no longer strongly uses the the ps cli to obtain information but we do benefit from turning on the ability to list the last X containers, something CLI does not have yet. we also flipped the bit on defaulting to truncated output in the return. thanks to the efforts of the cockpit team to help us here. Signed-off-by: Brent Baude <bbaude@redhat.com>
* | container create: relax os/arch checksValentin Rothberg2020-02-11
|/ | | | | | | | | | Relax the os/arch checks when creating a container and only info-log mismatches instead of erroring out. There are too many images used in the wild which do not set their arch correctly correctly. Erroring out has hit users sufficiently enough to justify relaxing the errors and only log to at least inform the users and image vendors. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Special case memory-swap=-1Daniel J Walsh2020-02-05
| | | | | | | We document that memory-swap==-1 means unlimited, but currently we won't allow the user to specify the -1 value. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* APIv2 review corrections #3Brent Baude2020-01-25
| | | | | | The third pass of corrections for the APIv2. Signed-off-by: Brent Baude <bbaude@redhat.com>
* seccomp policy: expect profile in config labelValentin Rothberg2020-01-23
| | | | | | | | Move the seccomp profile from a manifest annotation to a config label. This way, we can support it for Docker images as well and provide an easy way to add that data via Dockerfiles. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Remove c.String(net)Daniel J Walsh2020-01-16
| | | | | | | We have a lot of cludgy code trying to make --net and --network equivalent. This will allow --net to still exists but will eliminate the help and confusion. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #4806 from vrothberg/seccompOpenShift Merge Robot2020-01-15
|\ | | | | policy for seccomp-profile selection
| * policy for seccomp-profile selectionValentin Rothberg2020-01-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Implement a policy for selecting a seccomp profile. In addition to the default behaviour (default profile unless --security-opt seccomp is set) add a second policy doing a lookup in the image annotation. If the image has the "io.containers.seccomp.profile" set its value will be interpreted as a seccomp profile. The policy can be selected via the new --seccomp-policy CLI flag. Once the containers.conf support is merged into libpod, we can add an option there as well. Note that this feature is marked as experimental and may change in the future. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * shared/create.go: s/data/imageData/Valentin Rothberg2020-01-09
| | | | | | | | | | | | | | Rename `data` to `imageData` to make it more obvious which kind of data the variable refers to. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #4850 from vrothberg/fix-lintingOpenShift Merge Robot2020-01-13
|\ \ | | | | | | Fix linting
| * | make lint: enable gocriticValentin Rothberg2020-01-13
| |/ | | | | | | | | | | | | `gocritic` is a powerful linter that helps in preventing certain kinds of errors as well as enforcing a coding style. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* / Add codespell to validate spelling mistakes in code.Daniel J Walsh2020-01-11
|/ | | | | | Fix all errors found by codespell Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #4748 from NevilleC/nc-podnameOpenShift Merge Robot2019-12-29
|\ | | | | [Issue #4703] Add the pod name when we use `podman ps -p`
| * Add the pod name when we use `podman ps -p`Neville Cain2019-12-28
| | | | | | | | | | | | | | | | | | | | | | | | The pod name does not appear when doing `podman ps -p`. It is missing as the documentation says: -p, --pod Print the ID and name of the pod the containers are associated with The pod name is added in the ps output and checked in unit tests. Closes #4703 Signed-off-by: NevilleC <neville.cain@qonto.eu>
* | signal parsing - better input validationEd Santiago2019-12-26
|/ | | | | | | | | | | | | | | | | | | | | | The helper function we use for signal name mapping does not check for negative numbers nor invalid (too-high) ones. This can yield unexpected error messages: # podman kill -s -1 foo ERRO[0000] unknown signal "18446744073709551615" This PR introduces a small wrapper for it that: 1) Strips off a leading dash, allowing '-1' or '-HUP' as valid inputs; and 2) Rejects numbers <1 or >64 (SIGRTMAX) Also adds a test suite checking signal handling as well as ensuring that invalid signals are rejected by the command line. Fixes: #4746 Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #4722 from giuseppe/drop-arbitrary-limitOpenShift Merge Robot2019-12-19
|\ | | | | libpod: drop arbitrary memory limit of 4M
| * libpod: drop arbitrary memory limit of 4MGiuseppe Scrivano2019-12-17
| | | | | | | | | | | | drop the arbitrary limit of 4M for creating a container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | container config: add CreateCommandValentin Rothberg2019-12-13
|/ | | | | | | | | | | | | | | | | | Store the full command plus arguments of the process the container has been created with. Expose this data as a `Config.CreateCommand` field in the container-inspect data as well. This information can be useful for debugging, as we can find out which command has created the container, and, if being created via the Podman CLI, we know exactly with which flags the container has been created with. The immediate motivation for this change is to use this information for `podman-generate-systemd` to generate systemd-service files that allow for creating new containers (in contrast to only starting existing ones). Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #4596 from kunalkushwaha/container-pruneOpenShift Merge Robot2019-12-02
|\ | | | | container prune command fixed as per docker prune command
| * filter added to container prune commandKunal Kushwaha2019-11-29
| | | | | | | | | | | | | | filter flag helps to filter the containers based on labels, until(time), name, etc for prune command. Signed-off-by: Kunal Kushwaha <kunal.kushwaha@gmail.com>
* | Add ContainerStateRemovingMatthew Heon2019-11-19
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When Libpod removes a container, there is the possibility that removal will not fully succeed. The most notable problems are storage issues, where the container cannot be removed from c/storage. When this occurs, we were faced with a choice. We can keep the container in the state, appearing in `podman ps` and available for other API operations, but likely unable to do any of them as it's been partially removed. Or we can remove it very early and clean up after it's already gone. We have, until now, used the second approach. The problem that arises is intermittent problems removing storage. We end up removing a container, failing to remove its storage, and ending up with a container permanently stuck in c/storage that we can't remove with the normal Podman CLI, can't use the name of, and generally can't interact with. A notable cause is when Podman is hit by a SIGKILL midway through removal, which can consistently cause `podman rm` to fail to remove storage. We now add a new state for containers that are in the process of being removed, ContainerStateRemoving. We set this at the beginning of the removal process. It notifies Podman that the container cannot be used anymore, but preserves it in the DB until it is fully removed. This will allow Remove to be run on these containers again, which should successfully remove storage if it fails. Fixes #3906 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #4505 from vrothberg/archOpenShift Merge Robot2019-11-16
|\ | | | | container create: os/arch check
| * container create: os/arch checkValentin Rothberg2019-11-12
| | | | | | | | | | | | | | Unless explicitely overridden, check if the image's OS and architecture and throw an errors in case of a mismatch. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #4368 from haircommander/pod-annotationsOpenShift Merge Robot2019-11-15
|\ \ | | | | | | Add pod annotations to container
| * | Add pod annotations to containerPeter Hunt2019-11-08
| | | | | | | | | | | | | | | | | | We have the annotations SandboxID, let's use them. This also allows kata containers to be created in pods and share a VM with the infra container. Note: as of now, this sharing only works if the pod has an infra container Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | codespell: spelling correctionsDmitry Smirnov2019-11-13
| |/ |/| | | | | Signed-off-by: Dmitry Smirnov <onlyjob@member.fsf.org>
* | Merge pull request #4337 from QiWang19/check_auth_pathOpenShift Merge Robot2019-11-08
|\ \ | |/ |/| fix bug check nonexist authfile
| * fix bug check nonexist authfileQi Wang2019-11-05
| | | | | | | | | | | | | | | | | | Use GetDefaultAuthFile() from buildah. For podman command(except login), if authfile does not exist returns error. close #4328 Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Split up create config handling of namespaces and securityPeter Hunt2019-11-07
| | | | | | | | | | | | | | | | As it stands, createconfig is a huge struct. This works fine when the only caller is when we create a container with a fully created config. However, if we wish to share code for security and namespace configuration, a single large struct becomes unweildy, as well as difficult to configure with the single createConfigToOCISpec function. This PR breaks up namespace and security configuration into their own structs, with the eventual goal of allowing the namespace/security fields to be configured by the pod create cli, and allow the infra container to share this with the pod's containers. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | podman: add support for specifying MACJakub Filak2019-11-06
|/ | | | | | | | I basically copied and adapted the statements for setting IP. Closes #1136 Signed-off-by: Jakub Filak <jakub.filak@sap.com>
* Set default seccomp.json file for podman play kubeDaniel J Walsh2019-10-29
| | | | | | | Currently podman play kube is not using the system default seccomp.json file. This PR will use the default or override location for podman play. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* pull/create: add --override-arch/--override-os flagsNalin Dahyabhai2019-10-29
| | | | | | | | Add --override-arch and --override-os as hidden flags, in line with the global flag names that skopeo uses, so that we can test behavior around manifest lists without having to conditionalize more of it by arch. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* bump containers/image to v5.0.0, buildah to v1.11.4Nalin Dahyabhai2019-10-29
| | | | | | | | | Move to containers/image v5 and containers/buildah to v1.11.4. Replace an equality check with a type assertion when checking for a docker.ErrUnauthorizedForCredentials in `podman login`. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Add parsing for UID, GID in volume "o" optionMatthew Heon2019-10-22
| | | | | | | Everything else is a flag to mount, but "uid" and "gid" are not. We need to parse them out of "o" and handle them separately. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* systemd: accept also /sbin/initGiuseppe Scrivano2019-10-15
| | | | | | | | | it is a regression caused by 3ba3e1c7510d1780b6527a4aa52e40ac2c5b576a. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1761514 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4237 from giuseppe/ps-not-nullOpenShift Merge Robot2019-10-11
|\ | | | | container: initialize results list
| * container: initialize results listGiuseppe Scrivano2019-10-11
| | | | | | | | | | | | | | | | | | it solves: $ podman ps --format=json null Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #4232 from csomh/auth-file-pathOpenShift Merge Robot2019-10-11
|\ \ | | | | | | Fix default path for auth.json
| * | Fix default path for auth.jsonHunor Csomortáni2019-10-10
| |/ | | | | | | | | | | | | | | | | | | | | Default path should be ${XDG_RUNTIME_DIR}/containers/auth.json according to the docs. This regressed to ${XDG_RUNTIME_DIR}/auth.json in #3760. Fixes: #4227 Signed-off-by: Hunor Csomortáni <csomh@redhat.com>
* | cli: support --systemd=alwaysGiuseppe Scrivano2019-10-09
| | | | | | | | | | | | | | it enforces the systemd mode also when the command name doesn't match /usr/sbin/init or systemd. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | systemd: expect full path /usr/sbin/initGiuseppe Scrivano2019-10-09
|/ | | | | | | | | | | | "init" is a quite common name for the command executed in a container image and Podman ends up using the systemd mode also when not required. Be stricter on enabling the systemd mode and not enable it automatically when the basename is "init" but expect the full path "/usr/sbin/init". Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4032 from rhatdan/pids-limitOpenShift Merge Robot2019-10-07
|\ | | | | Setup a reasonable default for pids-limit 4096
| * Setup a reasonable default for pids-limit 4096Daniel J Walsh2019-10-04
| | | | | | | | | | | | | | | | | | | | | | CRI-O defaults to 1024 for the maximum pids in a container. Podman should have a similar limit. Once we have a containers.conf, we can set the limit in this file, and have it easily customizable. Currently the documentation says that -1 sets pids-limit=max, but -1 fails. This patch allows -1, but also indicates that 0 also sets the max pids limit. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Update c/image to v4.0.1 and buildah to 1.11.3Miloslav Trmač2019-10-04
|/ | | | | | | | | | | | | | This requires updating all import paths throughout, and a matching buildah update to interoperate. I can't figure out the reason for go.mod tracking github.com/containers/image v3.0.2+incompatible // indirect ((go mod graph) lists it as a direct dependency of libpod, but (go list -json -m all) lists it as an indirect dependency), but at least looking at the vendor subdirectory, it doesn't seem to be actually used in the built binaries. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Merge pull request #3581 from mheon/no_cgroupsOpenShift Merge Robot2019-09-11
|\ | | | | Support running containers without CGroups
| * Add support for launching containers without CGroupsMatthew Heon2019-09-10
| | | | | | | | | | | | | | This is mostly used with Systemd, which really wants to manage CGroups itself when managing containers via unit file. Signed-off-by: Matthew Heon <matthew.heon@pm.me>