summaryrefslogtreecommitdiff
path: root/cmd
Commit message (Collapse)AuthorAge
* Swap from map to channels for podman stop workersMatthew Heon2018-10-11
| | | | | | | We were encountering sync issues with the map, so swap to a thread-safe channel and convert into a map when we output Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1605 from mheon/syslog_cleanupOpenShift Merge Robot2018-10-11
|\ | | | | Pass along syslog variable to podman cleanup processes
| * Pass along syslog variable to podman cleanup processesMatthew Heon2018-10-11
| | | | | | | | | | | | | | | | | | As of now, there is no way to debug podman clean up processes. They are started by conmon with no stdout/stderr and log nowhere. This allows us to actually figure out what is going on when a cleanup process runs. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Merge pull request #1619 from QiWang19/issus1610OpenShift Merge Robot2018-10-11
|\ \ | | | | | | Sort all CLI flags in podman commands
| * | Sort all command flagsQi Wang2018-10-11
| |/ | | | | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Merge pull request #1614 from baude/parastopOpenShift Merge Robot2018-10-11
|\ \ | | | | | | Stop containers in parallel fashion
| * | Stop containers in parallel fashionbaude2018-10-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | Prior, we were stopping containers serially. So if a container had a default timeout of 10 seconds and there were five containers being stopped, the operation would take roughly 50 seconds. If we stop these containers in parallel, the operation should be roughly 10 seconds and change which is a significant speed up at scale. Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #1623 from mheon/static_ipOpenShift Merge Robot2018-10-11
|\ \ \ | |_|/ |/| | Add ability to specify static IPs with --ip flag
| * | Add --ip flag and plumbing into libpodMatthew Heon2018-10-11
| |/ | | | | | | | | | | | | | | | | | | | | Add the --ip flag back with bash completions. Manpages still missing. Add plumbing to pass appropriate the appropriate option down to libpod to connect the flag to backend logic added in the previous commits. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* / fix runlabel functions based on QA feedbackbaude2018-10-11
|/ | | | Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1587 from mheon/fix_pod_statusOpenShift Merge Robot2018-10-08
|\ | | | | Fix pod status reporting for new Exited state
| * Fix pod status reporting for new Exited stateMatthew Heon2018-10-03
| | | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
* | runlabel: execute /proc/self/exe and avoid recursionValentin Rothberg2018-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | Execute /proc/self/exe instead of podman. This makes the runlabel command more portable as it works for binaries outside the path as well as for local builds. Also, avoid redundantly executing the runlabel command by setting the PODMAN_RUNLABEL_NESTED environment variable to "1". Podman now checks for this variable before executing the runlabel command and will throw an error in case the variable is set. Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
* | Add support to checkpoint/restore containersAdrian Reber2018-10-03
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | runc uses CRIU to support checkpoint and restore of containers. This brings an initial checkpoint/restore implementation to podman. None of the additional runc flags are yet supported and container migration optimization (pre-copy/post-copy) is also left for the future. The current status is that it is possible to checkpoint and restore a container. I am testing on RHEL-7.x and as the combination of RHEL-7 and CRIU has seccomp troubles I have to create the container without seccomp. With the following steps I am able to checkpoint and restore a container: # podman run --security-opt="seccomp=unconfined" -d registry.fedoraproject.org/f27/httpd # curl -I 10.22.0.78:8080 HTTP/1.1 403 Forbidden # <-- this is actually a good answer # podman container checkpoint <container> # curl -I 10.22.0.78:8080 curl: (7) Failed connect to 10.22.0.78:8080; No route to host # podman container restore <container> # curl -I 10.22.0.78:8080 HTTP/1.1 403 Forbidden I am using CRIU, runc and conmon from git. All required changes for checkpoint/restore support in podman have been merged in the corresponding projects. To have the same IP address in the restored container as before checkpointing, CNI is told which IP address to use. If the saved network configuration cannot be found during restore, the container is restored with a new IP address. For CRIU to restore established TCP connections the IP address of the network namespace used for restore needs to be the same. For TCP connections in the listening state the IP address can change. During restore only one network interface with one IP address is handled correctly. Support to restore containers with more advanced network configuration will be implemented later. v2: * comment typo * print debug messages during cleanup of restore files * use createContainer() instead of createOCIContainer() * introduce helper CheckpointPath() * do not try to restore a container that is paused * use existing helper functions for cleanup * restructure code flow for better readability * do not try to restore if checkpoint/inventory.img is missing * git add checkpoint.go restore.go v3: * move checkpoint/restore under 'podman container' v4: * incorporated changes from latest reviews Signed-off-by: Adrian Reber <areber@redhat.com>
* Merge pull request #1580 from giuseppe/rootless-always-set-XDG_RUNTIME_DIROpenShift Merge Robot2018-10-03
|\ | | | | rootless: always set XDG_RUNTIME_DIR
| * rootless: always set XDG_RUNTIME_DIRGiuseppe Scrivano2018-10-03
| | | | | | | | | | | | | | | | it is used internally by containers/image to locate the auth file. Closes: https://github.com/containers/libpod/issues/1457 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1531 from mheon/add_exited_stateOpenShift Merge Robot2018-10-03
|\ \ | |/ |/| Add ContainerStateExited and OCI delete() in cleanup()
| * Address review comments and fix ps outputMatthew Heon2018-10-02
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Add ContainerStateExited and OCI delete() in cleanup()Matthew Heon2018-10-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To work better with Kata containers, we need to delete() from the OCI runtime as a part of cleanup, to ensure resources aren't retained longer than they need to be. To enable this, we need to add a new state to containers, ContainerStateExited. Containers transition from ContainerStateStopped to ContainerStateExited via cleanupRuntime which is invoked as part of cleanup(). A container in the Exited state is identical to Stopped, except it has been removed from the OCI runtime and thus will be handled differently when initializing the container. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Merge pull request #1528 from baude/runlabelOpenShift Merge Robot2018-10-02
|\ \ | | | | | | Add container runlabel command
| * | Add container runlabel commandbaude2018-09-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Execute the command as described by a container image. The value of the label is processed into a command by: 1. Ensuring the first argument of the command is podman. 2. Substituting any variables with those defined by the environment or otherwise. If no label exists in the container image, nothing is done. podman container runlabel LABEL IMAGE extra_args Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #1576 from rhatdan/labelOpenShift Merge Robot2018-10-02
|\ \ \ | |_|/ |/| | Disable SELinux labeling if --privileged
| * | Disable SELinux labeling if --privilegedDaniel J Walsh2018-10-02
| | | | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #1563 from jwhonce/wip/podsOpenShift Merge Robot2018-10-02
|\ \ \ | |/ / |/| | Implement pod varlink bindings
| * | * Update documenationJhon Honce2018-10-01
| | | | | | | | | | | | Signed-off-by: Jhon Honce <jhonce@redhat.com>
| * | Implement pod varlink bindingsJhon Honce2018-10-01
| |/ | | | | | | | | | | | | | | | | | | | | | | * Update varlink document * Add NoContainersInPod error in go and python * Add support for varlink pod interface * New code passes pylint * Fix bug in test_runner.sh * Update integration tests for race condition on status check * Add missing port config file support Signed-off-by: Jhon Honce <jhonce@redhat.com>
* / Add --all flag to podman killDaniel J Walsh2018-09-30
|/ | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add buildah version and distribution to infobaude2018-09-28
| | | | | | | | For the sake of debug and problem reporting, we would benefit from knowing what buildah version was vendored into podman. Also, knowing the distribution and distribution version would also be handy. Signed-off-by: baude <bbaude@redhat.com>
* Add --mount option for `create` & `run` commandDaniel J Walsh2018-09-21
| | | | | | | | Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1524 Approved by: mheon
* Refactor Wait() to not require a timeoutMatthew Heon2018-09-21
| | | | | | | | | | | We added a timeout for convenience, but most invocations don't care about it. Refactor it into WaitWithTimeout() and add a Wait() that doesn't require a timeout and uses the default. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1527 Approved by: mheon
* Don't mount /dev/shm if the user told you --ipc=noneDaniel J Walsh2018-09-21
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1466 Approved by: mheon
* rootless: fix create with images not in the storageGiuseppe Scrivano2018-09-21
| | | | | | | | | | | | This chunk was mistakenly removed with ecec1a5430885baf96d2e3d6153c7454c41a4617 Introduce it back as it solves the pull of an image that is not yet in the storage when using create/run. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1521 Approved by: baude
* create, rootless: join the userns of ns:PATHGiuseppe Scrivano2018-09-21
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1507 Approved by: rhatdan
* create, rootless: join the userns of container:CONTAINERGiuseppe Scrivano2018-09-21
| | | | | | | | | | | so that we can also join the requested namespace. Closes: https://github.com/containers/libpod/issues/1453 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1507 Approved by: rhatdan
* Add new field to libpod to indicate whether or not to use labellingDaniel J Walsh2018-09-20
| | | | | | | | | | | | | | | Also update some missing fields libpod.conf obtions in man pages. Fix sort order of security options and add a note about disabling labeling. When a process requests a new label. libpod needs to reserve all labels to make sure that their are no conflicts. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1406 Approved by: mheon
* report when rootlessbaude2018-09-20
| | | | | | | | | | when running as rootless, report as such. resolves: #1509 Signed-off-by: baude <bbaude@redhat.com> Closes: #1514 Approved by: rhatdan
* Vendor in latest containers/buildahDaniel J Walsh2018-09-18
| | | | | | Switch from projectatomic/buildah to containers/buildah Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Don't crash if an image has no namesDaniel J Walsh2018-09-18
| | | | | | | | | | When image is not tagged, we should just set the imageName to the image.ID. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1501 Approved by: mheon
* Hooks supports two directories, process default and overrideDaniel J Walsh2018-09-17
| | | | | | | | | | | | | ALso cleanup files section or podman man page Add description of policy.json Sort alphabetically. Add more info on oci hooks Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1487 Approved by: umohnani8
* Merge pull request #1472 from giuseppe/rootless-fix-entrypointMatthew Heon2018-09-14
|\ | | | | rootless: do not raise an error if the entrypoint is specified
| * rootless: do not raise an error if the entrypoint is specifiedGiuseppe Scrivano2018-09-14
| | | | | | | | | | | | | | | | | | | | do not error out when the storage is not initialized and the entrypoint command is not available for the specified image. Check it when we re-exec in an user namespace and can access the storage. Closes: https://github.com/containers/libpod/issues/1452 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1461 from rhatdan/runMatthew Heon2018-09-14
|\ \ | | | | | | Remove duplicate code between create.go and run.go
| * | Remove duplicate code between create.go and run.goDaniel J Walsh2018-09-13
| |/ | | | | | | | | | | | | | | | | | | | | Create two new createInit for checking if the cotnainer is initialized correctly. createContainer which creates the actual container and containerConfig Also added libpodruntime.GetContainerRuntime to put common runtime code into separate function. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #1434 from rhatdan/waitMatthew Heon2018-09-14
|\ \ | | | | | | Add --interval flag to podman wait
| * | Add --interval flag to podman waitDaniel J Walsh2018-09-13
| |/ | | | | | | | | | | | | Waiting uses a lot of CPU, so drop back to checking once/second and allow user to pass in the interval. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Do not set rlimits if we are rootlessMatthew Heon2018-09-13
| | | | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1437 Approved by: rhatdan
* | Up default Podman rlimits to avoid max open filesMatthew Heon2018-09-13
| | | | | | | | | | | | | | | | | | | | | | Every port we open consumes an open FD. This can easily consume all available FDs for the podman process. Set rlimits to resolve this. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1437 Approved by: rhatdan
* | Search registries with an empty queryUrvashi Mohnani2018-09-13
|/ | | | | | | | | | | | | | Adds functionality to search registries implementing the v2 endpoint with an empty query, that is the results will be all the available images on the registries. If this is tried with a v1 registry an error will occur. To search a whole registry, there needs to be a trailing slash at the end, i.e `podman search registry.fedoraproject.org/`. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com> Closes: #1444 Approved by: rhatdan
* Add `podman rm --volumes` flagDaniel J Walsh2018-09-13
| | | | | | | | | | While this is not implemented yet, it is needed for working with existing docker scripts. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1460 Approved by: mheon
* Pass on securityOpts from podInfraContainer to container added to pod.Daniel J Walsh2018-09-11
| | | | | | | | | | This is an incomplete fix, as it would be best for the libpod library to be in charge of coordinating the container's dependencies on the infra container. A TODO was left as such. UTS is a special case, because the docker library that namespace handling is based off of doesn't recognize a UTS based on another container as valid, despite the library being able to handle it correctly. Thus, it is left in the old way. Signed-off-by: haircommander <pehunt@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1347 Approved by: mheon