summaryrefslogtreecommitdiff
path: root/libpod/container.go
Commit message (Collapse)AuthorAge
* rootless: use RootlessKit port forwarderAkihiro Suda2020-01-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | RootlessKit port forwarder has a lot of advantages over the slirp4netns port forwarder: * Very high throughput. Benchmark result on Travis: socat: 5.2 Gbps, slirp4netns: 8.3 Gbps, RootlessKit: 27.3 Gbps (https://travis-ci.org/rootless-containers/rootlesskit/builds/597056377) * Connections from the host are treated as 127.0.0.1 rather than 10.0.2.2 in the namespace. No UDP issue (#4586) * No tcp_rmem issue (#4537) * Probably works with IPv6. Even if not, it is trivial to support IPv6. (#4311) * Easily extensible for future support of SCTP * Easily extensible for future support of `lxc-user-nic` SUID network RootlessKit port forwarder has been already adopted as the default port forwarder by Rootless Docker/Moby, and no issue has been reported AFAIK. As the port forwarder is imported as a Go package, no `rootlesskit` binary is required for Podman. Fix #4586 May-fix #4559 Fix #4537 May-fix #4311 See https://github.com/rootless-containers/rootlesskit/blob/v0.7.0/pkg/port/builtin/builtin.go Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* container config: add CreateCommandValentin Rothberg2019-12-13
| | | | | | | | | | | | | | | | | | Store the full command plus arguments of the process the container has been created with. Expose this data as a `Config.CreateCommand` field in the container-inspect data as well. This information can be useful for debugging, as we can find out which command has created the container, and, if being created via the Podman CLI, we know exactly with which flags the container has been created with. The immediate motivation for this change is to use this information for `podman-generate-systemd` to generate systemd-service files that allow for creating new containers (in contrast to only starting existing ones). Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* libpod: fix stats for rootless podsGiuseppe Scrivano2019-12-04
| | | | | | | | honor the systemd parent directory when specified. Closes: https://github.com/containers/libpod/issues/4634 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Allow chained network namespace containersMatthew Heon2019-12-03
| | | | | | | | | | | | | The code currently assumes that the container we delegate network namespace to will never further delegate to another container, so when looking up things like /etc/hosts and /etc/resolv.conf we won't pull the correct files from the chained dependency. The changes to resolve this are relatively simple - just need to keep looking until we find a container without NetNsCtr set. Fixes #4626 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* podman: add support for specifying MACJakub Filak2019-11-06
| | | | | | | | I basically copied and adapted the statements for setting IP. Closes #1136 Signed-off-by: Jakub Filak <jakub.filak@sap.com>
* add libpod/configValentin Rothberg2019-10-31
| | | | | | | | | | | | Refactor the `RuntimeConfig` along with related code from libpod into libpod/config. Note that this is a first step of consolidating code into more coherent packages to make the code more maintainable and less prone to regressions on the long runs. Some libpod definitions were moved to `libpod/define` to resolve circular dependencies. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* bump containers/image to v5.0.0, buildah to v1.11.4Nalin Dahyabhai2019-10-29
| | | | | | | | | Move to containers/image v5 and containers/buildah to v1.11.4. Replace an equality check with a type assertion when checking for a docker.ErrUnauthorizedForCredentials in `podman login`. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Add ensureState helper for checking container stateMatthew Heon2019-10-28
| | | | | | | | | | | | | | | | We have a lot of checks for container state scattered throughout libpod. Many of these need to ensure the container is in one of a given set of states so an operation may safely proceed. Previously there was no set way of doing this, so we'd use unique boolean logic for each one. Introduce a helper to standardize state checks. Note that this is only intended to replace checks for multiple states. A simple check for one state (ContainerStateRunning, for example) should remain a straight equality, and not use this new helper. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Move OCI runtime implementation behind an interfaceMatthew Heon2019-10-10
| | | | | | | | | | | | For future work, we need multiple implementations of the OCI runtime, not just a Conmon-wrapped runtime matching the runc CLI. As part of this, do some refactoring on the interface for exec (move to a struct, not a massive list of arguments). Also, add 'all' support to Kill and Stop (supported by runc and used a bit internally for removing containers). Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Update c/image to v4.0.1 and buildah to 1.11.3Miloslav Trmač2019-10-04
| | | | | | | | | | | | | | This requires updating all import paths throughout, and a matching buildah update to interoperate. I can't figure out the reason for go.mod tracking github.com/containers/image v3.0.2+incompatible // indirect ((go mod graph) lists it as a direct dependency of libpod, but (go list -json -m all) lists it as an indirect dependency), but at least looking at the vendor subdirectory, it doesn't seem to be actually used in the built binaries. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Add support for launching containers without CGroupsMatthew Heon2019-09-10
| | | | | | | This is mostly used with Systemd, which really wants to manage CGroups itself when managing containers via unit file. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add comment to describe postConfigureNetNSGabi Beyer2019-07-30
| | | | | | | Provide information stating what the postConfigureNetNS option is used for. Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
* golangci-lint round #3baude2019-07-21
| | | | | | | this is the third round of preparing to use the golangci-lint on our code base. Signed-off-by: baude <bbaude@redhat.com>
* golangci-lint pass number 2baude2019-07-11
| | | | | | clean up and prepare to migrate to the golangci-linter Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3425 from adrianreber/restore-mount-labelOpenShift Merge Robot2019-07-08
|\ | | | | Set correct SELinux label on restored containers
| * Track if a container is restored from an exported checkpointAdrian Reber2019-06-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Instead of only tracking that a container is restored from a checkpoint locally in runtime_ctr.go this adds a flag to the Container structure. Upcoming patches to correctly label the root file-system mount-point need also to know if a container is restored from a checkpoint. Instead of passing a parameter around a lot of functions, this adds that information to the Container structure. Signed-off-by: Adrian Reber <areber@redhat.com>
* | Store Conmon's PID in our state and display in inspectMatthew Heon2019-07-02
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | libpod removal from main (phase 2)baude2019-06-27
| | | | | | | | | | | | this is phase 2 for the removal of libpod from main. Signed-off-by: baude <bbaude@redhat.com>
* | stats: fix cgroup path for rootless containersGiuseppe Scrivano2019-06-26
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | remove libpod from mainbaude2019-06-25
|/ | | | | | | | | | | | | the compilation demands of having libpod in main is a burden for the remote client compilations. to combat this, we should move the use of libpod structs, vars, constants, and functions into the adapter code where it will only be compiled by the local client. this should result in cleaner code organization and smaller binaries. it should also help if we ever need to compile the remote client on non-Linux operating systems natively (not cross-compiled). Signed-off-by: baude <bbaude@redhat.com>
* Begin adding support for multiple OCI runtimesMatthew Heon2019-06-19
| | | | | | | | | | | | | Allow Podman containers to request to use a specific OCI runtime if multiple runtimes are configured. This is the first step to properly supporting containers in a multi-runtime environment. The biggest changes are that all OCI runtimes are now initialized when Podman creates its runtime, and containers now use the runtime requested in their configuration (instead of always the default runtime). Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Purge all use of easyjson and ffjson in libpodMatthew Heon2019-06-13
| | | | | | | | | We're no longer using either of these JSON libraries, dropped them in favor of jsoniter. We can't completely remove ffjson as c/storage uses it and can't easily migrate, but we can make sure that libpod itself isn't doing anything with them anymore. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Address commentsPeter Hunt2019-05-28
| | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Added --log-driver and journald loggingPeter Hunt2019-05-28
| | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Move to using constants for valid restart policy typesMatthew Heon2019-05-03
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add support for retry count with --restart flagMatthew Heon2019-05-03
| | | | | | | | | The on-failure restart option supports restarting only a given number of times. To do this, we need one additional field in the DB to track restart count (which conveniently fills a field in Inspect we weren't populating), plus some plumbing logic. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add container restart policy to Libpod & PodmanMatthew Heon2019-05-03
| | | | | | | This initial version does not support restart count, but it works as advertised otherwise. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add a StoppedByUser field to the DBMatthew Heon2019-05-03
| | | | | | | | This field indicates that a container was explciitly stopped by an API call, and did not exit naturally. It's used when implementing restart policy for containers. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Use GetContainer instead of LookupContainer for full IDMatthew Heon2019-04-12
| | | | | | | | | | All IDs in libpod are stored as a full container ID. We can get a container by full ID faster with GetContainer (which directly retrieves) than LookupContainer (which finds a match, then retrieves). No reason to use Lookup when we have full IDs present and available. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* (minor): fix misspelled 'Healthcheck'Ed Santiago2019-04-10
| | | | Signed-off-by: Ed Santiago <santiago@redhat.com>
* podman-remote psbaude2019-04-09
| | | | | | add the ability to run ps on containers using the remote client. Signed-off-by: baude <bbaude@redhat.com>
* Drop LocalVolumes from our the databaseMatthew Heon2019-04-04
| | | | | | | | We were never using it. It's actually a potentially quite sizable field (very expensive to decode an array of structs!). Removing it should do no harm. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Switch Libpod over to new explicit named volumesMatthew Heon2019-04-04
| | | | | | | | | | | | | This swaps the previous handling (parse all volume mounts on the container and look for ones that might refer to named volumes) for the new, explicit named volume lists stored per-container. It also deprecates force-removing volumes that are in use. I don't know how we want to handle this yet, but leaving containers that depend on a volume that no longer exists is definitely not correct. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add named volumes for each container to databaseMatthew Heon2019-04-04
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* userns: do not use an intermediate mount namespaceGiuseppe Scrivano2019-03-29
| | | | | | | | | | | | | | We have an issue in the current implementation where the cleanup process is not able to umount the storage as it is running in a separate namespace. Simplify the implementation for user namespaces by not using an intermediate mount namespace. For doing it, we need to relax the permissions on the parent directories and allow browsing them. Containers that are running without a user namespace, will still maintain mode 0700 on their directory. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Remove ulele/deepcopier in favor of JSON deep copyMatthew Heon2019-03-27
| | | | | | | | | | | | | We have a very high performance JSON library that doesn't need to perform code generation. Let's use it instead of our questionably performant, reflection-dependent deep copy library. Most changes because some functions can now return errors. Also converts cmd/podman to use jsoniter, instead of pkg/json, for increased performance. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Resolve review commentsMatthew Heon2019-03-27
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add support to disable creation of network config filesMatthew Heon2019-03-27
| | | | | | | | Specifically, we want to be able to specify whether resolv.conf and /etc/hosts will be create and bind-mounted into the container. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* healtcheck phase 2baude2019-03-12
| | | | | | | | | | | | | | | | | | | | | | | | | | integration of healthcheck into create and run as well as inspect. healthcheck enhancements are as follows: * add the following options to create|run so that non-docker images can define healthchecks at the container level. * --healthcheck-command * --healthcheck-retries * --healthcheck-interval * --healthcheck-start-period * podman create|run --healthcheck-command=none disables healthcheck as described by an image. * the healthcheck itself and the healthcheck "history" can now be observed in podman inspect * added the wiring for healthcheck history which logs the health history of the container, the current failed streak attempts, and log entries for the last five attempts which themselves have start and stop times, result, and a 500 character truncated (if needed) log of stderr/stdout. The timings themselves are not implemented in this PR but will be in future enablement (i.e. next). Signed-off-by: baude <bbaude@redhat.com>
* podman healthcheck run (phase 1)baude2019-03-05
| | | | | | | | | Add the ability to manually run a container's healthcheck command. This is only the first phase of implementing the healthcheck. Subsequent pull requests will deal with the exposing the results and history of healthchecks as well as the scheduling. Signed-off-by: baude <bbaude@redhat.com>
* Fix volume handling in podmanDaniel J Walsh2019-02-14
| | | | | | | | | | | | | | | | | | iFix builtin volumes to work with podman volume Currently builtin volumes are not recored in podman volumes when they are created automatically. This patch fixes this. Remove container volumes when requested Currently the --volume option on podman remove does nothing. This will implement the changes needed to remove the volumes if the user requests it. When removing a volume make sure that no container uses the volume. Signed-off-by: Daniel J Walsh dwalsh@redhat.com Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* show container ports of network namespacebaude2019-02-13
| | | | | | | | | | in cases where a container is part of a network namespace, we should show the network namespace's ports when dealing with ports. this impacts ps, kube, and port. fixes: #846 Signed-off-by: baude <bbaude@redhat.com>
* podman-remote inspectbaude2019-01-18
| | | | | | base enablement of the inspect command. Signed-off-by: baude <bbaude@redhat.com>
* Do not unmarshal into c.config.SpecMatthew Heon2019-01-18
| | | | | | | | | | | | | We try to keep c.config immutable, but Go doesn't really agree with me that things other than strings and ints can be immutable, so occasionally things like this slip through. When unmarshalling the OCI spec from disk, do it into a separate struct, to ensure we don't make lasting modifications to the spec in the Container struct (which could affect container restart). Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* config: store the runtime used to create each containerGiuseppe Scrivano2019-01-14
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Move all libpod/ JSON references over to jsoniterMatthew Heon2019-01-10
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* apparmor: apply default profile at container initializationValentin Rothberg2019-01-09
| | | | | | | | | | | | | | | | | | | Apply the default AppArmor profile at container initialization to cover all possible code paths (i.e., podman-{start,run}) before executing the runtime. This allows moving most of the logic into pkg/apparmor. Also make the loading and application of the default AppArmor profile versio-indepenent by checking for the `libpod-default-` prefix and over-writing the profile in the run-time spec if needed. The intitial run-time spec of the container differs a bit from the applied one when having started the container, which results in displaying a potentially outdated AppArmor profile when inspecting a container. To fix that, load the container config from the file system if present and use it to display the data. Fixes: #2107 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Use existing interface to request IP address during restoreAdrian Reber2019-01-09
| | | | | | | | | | | | | | | | | | The initial implementation to request the same IP address for a container during a restore was based on environment variables influencing CNI. With this commit the IP address selection switches to Podman's internal static IP API. This commit does a comment change in libpod/container_easyjson.go to avoid unnecessary re-generation of libpod/container_easyjson.go during build as this fails in CI. The reason for this is that make sees that libpod/container_easyjson.go needs to be re-created. The commit, however, only changes a part of libpod/container.go which is marked as 'ffjson: skip'. Signed-off-by: Adrian Reber <areber@redhat.com>
* Rename libpod.Config back to ContainerConfigMatthew Heon2019-01-07
| | | | | | | | | | During an earlier bugfix, we swapped all instances of ContainerConfig to Config, which was meant to fix some data we were returning from Inspect. This unfortunately also renamed a libpod internal struct for container configs. Undo the rename here. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Convert containers to SHM lockingMatthew Heon2019-01-04
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>