aboutsummaryrefslogtreecommitdiff
path: root/cmd
Commit message (Collapse)AuthorAge
* Re-add resource limit warnings to SpecgenMatthew Heon2020-06-16
| | | | | | | | | | | | | | | | | | | | | | These were part of Podman v1.9, but were lost in the transition to using Specgen to create containers. Most resource limits are checked via the sysinfo package to ensure they are safe to use (the cgroup is mounted, kernel support is present, etc) and removed if not safe. Further, bounds checks are performed to ensure that values are valid. Ensure these warnings are printed client-side when they occur. This part is a little bit gross, as it happens in pkg/infra and not cmd/podman, which is largely down to how we implemented `podman run` - all the work is done in pkg/infra and it returns only once the container has exited, and we need warnings to print *before* the container runs. The solution here, while inelegant, avoid the need to extensively refactor our handling of run. Should fix blkio-limit warnings that were identified by the FCOS test suite. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add deprecated message to varlink commandJhon Honce2020-06-15
| | | | | | | * Remove varlink references from the man pages * Fix signature for extractTarFile() Signed-off-by: Jhon Honce <jhonce@redhat.com>
* pod create --replaceValentin Rothberg2020-06-15
| | | | | | | | | | | | | | | Add a `--replace` flag to the `pod create` command. If another pod with the same name already exists, it will be replaced and removed. Adding this flag is motivated by #5485 to make running Podman in systemd units (or any other scripts/automation) more robust. In case of a crash, a pod may not be removed by a sytemd unit anymore. The `--replace` flag allows for supporting crashes. Note that the `--replace` flag does not require the `--name` flag to be set, so it can be set unconditionally in `podman generate systemd`. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* {create,run} --replaceValentin Rothberg2020-06-15
| | | | | | | | | | | | | Add a `--replace` flag to the `container {create,run}` commands. If another container with the same name already exists, it will be replaced and removed. Adding this flag is motivated by #5485 to make running Podman in systemd units (or any other scripts/automation) more robust. In case of a crash, a container may not be removed by a sytemd unit anymore. The `--replace` flag allows for supporting crashes. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Turn on More lintersDaniel J Walsh2020-06-15
| | | | | | | | | - misspell - prealloc - unparam - nakedret Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Do not default WorkingDir to / on client sideDaniel J Walsh2020-06-12
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #6415 from vrothberg/systemd-new-podOpenShift Merge Robot2020-06-11
|\ | | | | podman-generate-systemd --new for pods
| * pod create: add `--infra-conmon-pidfile`Valentin Rothberg2020-06-11
| | | | | | | | | | | | | | | | | | | | | | Add an `--infra-conmon-pidfile` flag to `podman-pod-create` to write the infra container's conmon process ID to a specified path. Several container sub-commands already support `--conmon-pidfile` which is especially helpful to allow for systemd to access and track the conmon processes. This allows for easily tracking the conmon process of a pod's infra container. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * container-{create,run}: add `--pod-id-file`Valentin Rothberg2020-06-11
| | | | | | | | | | | | | | | | Allow containers to join an existing pod via the `--pod-id-file` which is already supported by a number of `podman-pod` subcommands. Also add tests to make sure it's working and to prevent future regressions. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * podman-pod{rm,start,stop}: support --pod-id-fileValentin Rothberg2020-06-11
| | | | | | | | | | | | | | | | | | | | Support the `--pod-id-file` flag in the rm, start and stop pod commands. This completes the already support flag in pod-create and is another prerequisite for generating generic systemd unit files for pods. Also add completions, docs and tests. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #6256 from theunrealgeek/play_kube_deploymentOpenShift Merge Robot2020-06-11
|\ \ | | | | | | Support k8s Deployment in play kube
| * | Fix play kube report printing when no containers are createdtheunrealgeek2020-06-05
| | | | | | | | | | | | Signed-off-by: Aditya Kamath <theunrealgeek@gmail.com>
| * | Add tests for Deployment Kind and minor fix for play kube outputtheunrealgeek2020-06-02
| | | | | | | | | | | | Signed-off-by: Aditya Kamath <theunrealgeek@gmail.com>
| * | Modify PlayKubeReport to preserve pod->container mappingtheunrealgeek2020-06-02
| | | | | | | | | | | | Signed-off-by: Aditya Kamath <theunrealgeek@gmail.com>
| * | supporting k8s Deployment objectstheunrealgeek2020-06-02
| | | | | | | | | | | | Signed-off-by: Aditya Kamath <theunrealgeek@gmail.com>
* | | Enable IPv6 port bindingMatthew Heon2020-06-10
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Two areas needed tweaking to accomplish this: port parsing and binding ports on the host. Parsing is an obvious problem - we have to accomodate an IPv6 address enclosed by [] as well as a normal IPv4 address. It was slightly complicated by the fact that we previously just counted the number of colons in the whole port definition (a thousand curses on whoever in the IPv6 standard body decided to reuse colons for address separators), but did not end up being that bad. Libpod also (optionally) binds ports on the host to prevent their reuse by host processes. This code was IPv4 only for TCP, and bound to both for UDP (which I'm fairly certain is not correct, and has been adjusted). This just needed protocols adjusted to read "tcp4"/"tcp6" and "udp4"/"udp6" based on what we wanted to bind to. Fixes #5715 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #6537 from vrothberg/events-docsOpenShift Merge Robot2020-06-10
|\ \ | | | | | | podman-events: clarify streaming behaviour
| * | podman-events: clarify streaming behaviourValentin Rothberg2020-06-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | Unless `--since` or `--until` is specified, `podman events` will stream new events. Clarify this behavior in the `--help` message and man page to avoid confusion. Fixes: #6536 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Fix Id->ID where possible for lintDaniel J Walsh2020-06-10
| | | | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Fixup issues found by golintDaniel J Walsh2020-06-10
|/ / | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Add parallel operation to `podman stop`Matthew Heon2020-06-05
| | | | | | | | | | | | | | | | | | | | | | | | This is the other command that benefits greatly from being run in parallel, due to the potential 15-second timeout for containers that ignore SIGTERM. While we're at it, also clean up how stop timeout is set. This needs to be an optional parameter, so that the value set when the container is created with `--stop-timeout` will be respected. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Fix handling of systemd.Daniel J Walsh2020-06-05
| | | | | | | | | | | | | | | | | | | | Systemd enablement has to happen on the server side, since we need check if the image is running systemd. Also need to make sure user setting the StopSignal is not overriden on the server side. But if not set and using systemd, we set it correctly. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #6495 from mheon/parallel_executionOpenShift Merge Robot2020-06-05
|\ \ | | | | | | Add parallel execution code for container operations
| * | Add parallel execution code for container operationsMatthew Heon2020-06-05
| | | | | | | | | | | | | | | | | | | | | | | | This code will run container operations in parallel, up to a given maximum number of threads. Currently, it has only been enabled for local `podman rm` as a proof of concept. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Strip defaults from namespace flagsMatthew Heon2020-06-04
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We were picking up defaults from the client's containers.conf, which broke pod namespaces. The server-side code already checks containers.conf when not explicitly overridden by the user, or by the container being part of a pod (the last bit being our bug). This only manifested on systems with a containers.conf installed, so RHEL 8 and Fedora 32 (which means our F32 CI VMs likely should have caught it, but didn't, which is concerning). This prevents defaults for these flags being shown, but they were incorrect anyways for `podman-remote`, so I'm not terribly concerned. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #6484 from rhatdan/namespaceOpenShift Merge Robot2020-06-04
|\ \ | | | | | | Namespace fields were set with bogus values
| * | Namespace fields were set with bogus valuesDaniel J Walsh2020-06-03
| | | | | | | | | | | | | | | | | | | | | | | | Namespace fields were being set with their option names unless overriden by the user. This was causing issues with podman-remote on userns. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #6482 from mheon/split_inspectOpenShift Merge Robot2020-06-04
|\ \ \ | | | | | | | | Ensure that image/container inspect are specialized
| * | | Ensure that image/container inspect are specializedMatthew Heon2020-06-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We are currently able to inspect images with `podman container inspect` and containers with `podman image inspect` and neither of those seem correct. This ensures that the appropriate flags, and only the appropriate flags, are available for each specialized exec, and they can only inspect the specific type they were intended to. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #6478 from rhatdan/abisupportOpenShift Merge Robot2020-06-03
|\ \ \ \ | |_|/ / |/| | | Remove use of ABISupport buildtag
| * | | Remove use of ABISupport buildtagDaniel J Walsh2020-06-03
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | We need to default to building podman. If you specify no build tags you will not build podman, not podman-remote. Just using remote flag to indicate podman-remote and !remote for podman. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #6465 from rhatdan/remoteOpenShift Merge Robot2020-06-03
|\ \ \ | |_|/ |/| | Add more Remote tests
| * | Add more Remote testsDaniel J Walsh2020-06-03
| |/ | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / V2 Add support for ssh authentication methodsJhon Honce2020-06-03
|/ | | | | | | | | | | | | | | | | * podman --remote ssh://<user>:<password>@<host>:<port><path> * podman --remote ssh://<user>:<password>@<host>:<port><path> \ --identity <path> --passphrase <phrase> * ssh-add <key> podman --remote ssh://<user>@<host><path> * Fix `podman help` to run even if podman missing components * Prompt for passphrase on stdin IFF key is protected and passphrase not given via any other configuration * cobra flags do not support optional value flags therefore refactored --remote to be a boolean and --url will now contain the URI to Podman service Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Merge pull request #6435 from QiWang19/uidOpenShift Merge Robot2020-06-02
|\ | | | | check --user range for rootless containers
| * check --user range for rootless containersQi Wang2020-06-02
| | | | | | | | | | | | Check --user range if it's a uid for rootless containers. Returns error if it is out of the range. From https://github.com/containers/libpod/issues/6431#issuecomment-636124686 Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Merge pull request #6460 from vrothberg/no-truncOpenShift Merge Robot2020-06-02
|\ \ | | | | | | images --no-trunc: fix ID formatting
| * | images --no-trunc: fix ID formattingValentin Rothberg2020-06-02
| | | | | | | | | | | | | | | | | | | | | Remove the redundant `sha256:` prefix from the image IDs. Fixes: #6459 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #6411 from mheon/exec_bindingsOpenShift Merge Robot2020-06-02
|\ \ \ | | | | | | | | Add bindings for exec and enable attached remote exec
| * | | Add bindings for exec and enable attached remoteMatthew Heon2020-06-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds bindings for starting exec sessions, and then uses them to wire up detached exec. Code is heavily based on Attach code for containers, slightly modified to handle exec sessions. Bindings are presently attached-only, detached is pending on a Conmon update landing in CI. I'll probably get to that next. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Combine the code of dealing with 'readonly' and 'ro'.Charles Shih2020-06-02
| |/ / |/| | | | | | | | | | | | | | https://github.com/containers/libpod/pull/6380#discussion_r432391376 Signed-off-by: Charles Shih <schrht@gmail.com>
* | | Merge pull request #6350 from rhatdan/buildOpenShift Merge Robot2020-06-01
|\ \ \ | |/ / |/| | Don't build code on remoteclient
| * | Don't build code on remoteclientDaniel J Walsh2020-05-29
| | | | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Add support for format {{.Label}}Brent Baude2020-06-01
| |/ |/| | | | | | | | | | | | | the pod ps man page says .Label is valid go template format. i dont think the function was actually ever implemented. Fixes #6448 Signed-off-by: Brent Baude <bbaude@redhat.com>
* | compat handlers: add X-Registry-Auth header supportValentin Rothberg2020-05-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Support the `X-Registry-Auth` http-request header. * The content of the header is a base64 encoded JSON payload which can either be a single auth config or a map of auth configs (user+pw or token) with the corresponding registries being the keys. Vanilla Docker, projectatomic Docker and the bindings are transparantly supported. * Add a hidden `--registries-conf` flag. Buildah exposes the same flag, mostly for testing purposes. * Do all credential parsing in the client (i.e., `cmd/podman`) pass the username and password in the backend instead of unparsed credentials. * Add a `pkg/auth` which handles most of the heavy lifting. * Go through the authentication-handling code of most commands, bindings and endpoints. Migrate them to the new code and fix issues as seen. A final evaluation and more tests is still required *after* this change. * The manifest-push endpoint is missing certain parameters and should use the ABI function instead. Adding auth-support isn't really possible without these parts working. * The container commands and endpoints (i.e., create and run) have not been changed yet. The APIs don't yet account for the authfile. * Add authentication tests to `pkg/bindings`. Fixes: #6384 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #6380 from mheon/fix_mount_readonlyOpenShift Merge Robot2020-05-29
|\ \ | |/ |/| Add support for `readonly` option to --mount
| * Add support for `readonly` option to --mountMatthew Heon2020-05-26
| | | | | | | | | | | | | | | | | | This is just an alias to the `ro` option, but it's already in the manpages (and Docker) so we might as well add support for it. Fixes #6379 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #6372 from boaz0/gh_6283OpenShift Merge Robot2020-05-27
|\ \ | | | | | | Add --format to pod inspect
| * | Add --format to pod inspectBoaz Shuster2020-05-27
| |/ | | | | | | Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
* / container stats: fix --no-stream raceValentin Rothberg2020-05-27
|/ | | | | | | | | Fix a race in `podman container stats` by waiting for the client to consume the data in the channel. This requires a `sync.WaitGroup` (or semaphore) in the client and to also close the channel the backend. Fixes: #6405 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>