path: root/libpod/container_inspect.go
Commit message (Author, Age)
* Ensure `podman inspect` output for NetworkMode is right (Matthew Heon, 2020-05-08)
| I realized that setting NetworkMode to private when we are making a network namespace but not configuring it with CNI or Slirp is wrong; that's considered `--net=none` not `--net=private`. At the same time, realized that we actually store whether Slirp is in use, so we can be more specific than just "default" and instead say slirp4netns or bridge.
| Signed-off-by: Matthew Heon <mheon@redhat.com>
* Fix bug where pods would unintentionally share cgroupns (Matthew Heon, 2020-05-08)
| This one was a massive pain to track down. The original symptom was an error message from rootless Podman trying to make a container in a pod. I unfortunately did not look at the error message closely enough to realize that the namespace in question was the cgroup namespace (the reproducer pod was explicitly set to only share the network namespace), else this would have been quite a bit shorter.
| I spent considerable effort trying to track down differences between the inspect output of the two containers, and when that failed I was forced to resort to diffing the OCI specs. That finally proved fruitful, and I was able to determine what should have been obvious all along: the container was joining the cgroup namespace of the infra container when it really ought not to have.
| From there, I discovered a variable collision in pod config. The UsePodCgroup variable means "create a parent cgroup for the pod and join containers in the pod to it". Unfortunately, it is very similar to UsePodUTS, UsePodNet, etc, which mean "the pod shares this namespace", so an accessor was accidentally added for it that indicated the pod shared the cgroup namespace when it really did not.
| Once I realized that, it was a quick fix - add a bool to the pod's configuration to indicate whether the cgroup ns was shared (distinct from UsePodCgroup) and use that for the accessor.
| Also included are fixes for `podman inspect` and `podman pod inspect` that fix them to actually display the state of the cgroup namespace (for container inspect) and what namespaces are shared (for pod inspect). Either of those would have made tracking this down considerably quicker.
| Fixes #6149
| Signed-off-by: Matthew Heon <mheon@redhat.com>
* add {generate,play} kube (Valentin Rothberg, 2020-05-06)
| Add the `podman generate kube` and `podman play kube` command. The code has largely been copied from Podman v1 but restructured to not leak the K8s core API into the (remote) client. Both commands are added in the same commit to allow for enabling the tests at the same time. Move some exports from `cmd/podman/common` to the appropriate places in the backend to avoid circular dependencies. Move definitions of label annotations to `libpod/define` and set the security-opt labels in the frontend to make kube tests pass. Implement rest endpoints, bindings and the tunnel interface.
| Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Fix errors found in coverity scan (Daniel J Walsh, 2020-05-01)
| Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Revert "Default CPUShares in Inspect are 1024" (Sagi Shnaidman, 2020-03-30)
| cpu-share is 0 in docker inspect, see https://github.com/moby/moby/issues/35452
| This reverts commit eb229d526c04f17ca8b7e65abba745fd5b465a6c.
| Signed-off-by: Sagi Shnaidman <sshnaidm@redhat.com>
* Add support for containers.conf (Daniel J Walsh, 2020-03-27)
| vendor in c/common config pkg for containers.conf
| Signed-off-by: Qi Wang qiwan@redhat.com
| Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* podmanv2 container inspect (Brent Baude, 2020-03-26)
| add ability to inspect a container
| Signed-off-by: Brent Baude <bbaude@redhat.com>
* Fix spelling mistakes in code found by codespell (Daniel J Walsh, 2020-03-07)
| Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add support for multiple CNI networks in podman inspect (Matthew Heon, 2020-02-25)
| When inspecting containers, info on CNI networks added to the container by name (e.g. --net=name1) should be displayed separately from the configuration of the default network, in a separate map called Networks. This patch adds this separation, improving our Docker compatibility and also adding the ability to see if a container has more than one IPv4 and IPv6 address and more than one MAC address.
| Fixes #4907
| Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Default CPUShares in Inspect are 1024 (Matthew Heon, 2020-01-23)
| This is purely a display change - we weren't initializing the default value to display for the CPUShares field, which defaults to 1024.
| Fixes #4822
| Signed-off-by: Matthew Heon <mheon@redhat.com>
* make lint: enable gocritic (Valentin Rothberg, 2020-01-13)
| `gocritic` is a powerful linter that helps in preventing certain kinds of errors as well as enforcing a coding style.
| Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* log: support --log-opt tag= (Giuseppe Scrivano, 2020-01-10)
| support a custom tag to add to each log for the container. It is currently supported only by the journald backend.
| Closes: https://github.com/containers/libpod/issues/3653
| Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Ensure SizeRw is shown when a user does 'inspect --size -t container'. (Neville Cain, 2019-12-27)
| Currently, if a user requests the size on a container (inspect --size -t container), the SizeRw does not show up if the value is 0. It's because InspectContainerData is defined as int64 and there is an omit when empty. We do want to display it even if the value is empty. I have changed the type of SizeRw to be a pointer to an int64 instead of an int64. It will allow us to distinguish the empty value from the missing value. I updated the test "podman inspect container with size" to ensure we check that SizeRw is displayed correctly.
| Closes #4744
| Signed-off-by: NevilleC <neville.cain@qonto.eu>
* container config: add CreateCommand (Valentin Rothberg, 2019-12-13)
| Store the full command plus arguments of the process the container has been created with. Expose this data as a `Config.CreateCommand` field in the container-inspect data as well. This information can be useful for debugging, as we can find out which command has created the container, and, if being created via the Podman CLI, we know exactly with which flags the container has been created with. The immediate motivation for this change is to use this information for `podman-generate-systemd` to generate systemd-service files that allow for creating new containers (in contrast to only starting existing ones).
| Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* add libpod/config (Valentin Rothberg, 2019-10-31)
| Refactor the `RuntimeConfig` along with related code from libpod into libpod/config. Note that this is a first step of consolidating code into more coherent packages to make the code more maintainable and less prone to regressions on the long runs. Some libpod definitions were moved to `libpod/define` to resolve circular dependencies.
| Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* bump containers/image to v5.0.0, buildah to v1.11.4 (Nalin Dahyabhai, 2019-10-29)
| Move to containers/image v5 and containers/buildah to v1.11.4. Replace an equality check with a type assertion when checking for a docker.ErrUnauthorizedForCredentials in `podman login`.
| Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* inspect: rename ImageID go field to Image (Valentin Rothberg, 2019-10-15)
| The json field is called `Image` while the go field is called `ImageID`, tricking users into filtering for `Image` which ultimately results in an error. Hence, rename the field to `Image` to align json and go. To prevent podman users from regressing, rename `Image` to `ImageID` in the specified filters. Add tests to prevent us from regressing. Note that consumers of the go API that are using `ImageID` are regressing; ultimately we consider it to be a bug fix.
| Fixes: #4193
| Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Update c/image to v4.0.1 and buildah to 1.11.3 (Miloslav Trmač, 2019-10-04)
| This requires updating all import paths throughout, and a matching buildah update to interoperate. I can't figure out the reason for go.mod tracking github.com/containers/image v3.0.2+incompatible // indirect ((go mod graph) lists it as a direct dependency of libpod, but (go list -json -m all) lists it as an indirect dependency), but at least looking at the vendor subdirectory, it doesn't seem to be actually used in the built binaries.
| Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Add support for launching containers without CGroups (Matthew Heon, 2019-09-10)
| This is mostly used with Systemd, which really wants to manage CGroups itself when managing containers via unit file.
| Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Print Pod ID in `podman inspect` output (Matthew Heon, 2019-08-01)
| Somehow this managed to slip through the cracks, but this is definitely something inspect should print.
| Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* golangci-lint phase 4 (baude, 2019-07-22)
| clean up some final linter issues and add a make target for golangci-lint. in addition, begin running the tests as part of the gating tasks in cirrus ci. we cannot fully shift over to the new linter until we fix the image on the openshift side. for short term, we will use both
| Signed-off-by: baude <bbaude@redhat.com>
* Populate inspect with security-opt settings (Matthew Heon, 2019-07-17)
| We can infer no-new-privileges. For now, manually populate seccomp (can't infer what file we sourced from) and SELinux/Apparmor (hard to tell if they're enabled or not).
| Signed-off-by: Matthew Heon <mheon@redhat.com>
* Move the HostConfig portion of Inspect inside libpod (Matthew Heon, 2019-07-17)
| When we first began writing Podman, we ran into a major issue when implementing Inspect. Libpod deliberately does not tie its internal data structures to Docker, and stores most information about containers encoded within the OCI spec. However, Podman must present a CLI compatible with Docker, which means it must expose all the information in 'docker inspect' - most of which is not contained in the OCI spec or libpod's Config struct.
| Our solution at the time was the create artifact. We JSON'd the complete CreateConfig (a parsed form of the CLI arguments to 'podman run') and stored it with the container, restoring it when we needed to run commands that required the extra info.
| Over the past month, I've been looking more at Inspect, and refactored large portions of it into Libpod - generating them from what we know about the OCI config and libpod's (now much expanded, versus previously) container configuration. This path comes close to completing the process, moving the last part of inspect into libpod and removing the need for the create artifact.
| This improves libpod's compatibility with non-Podman containers. We no longer require an arbitrarily-formatted JSON blob to be present to run inspect.
| Fixes: #3500
| Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* golangci-lint pass number 2 (baude, 2019-07-11)
| clean up and prepare to migrate to the golangci-linter
| Signed-off-by: baude <bbaude@redhat.com>
* code cleanup (baude, 2019-07-08)
| clean up code identified as problematic by golands inspection
| Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3472 from haircommander/generate-volumes (OpenShift Merge Robot, 2019-07-04)
|\
| | generate kube with volumes
| * Improve parsing of mounts (Peter Hunt, 2019-07-02)
| | Specifically, we were needlessly doing a double lookup to find which config mounts were user volumes. Improve this by refactoring a bit of code from inspect
| | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | Store Conmon's PID in our state and display in inspect (Matthew Heon, 2019-07-02)
|/
| Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* libpod removal from main (phase 2) (baude, 2019-06-27)
| this is phase 2 for the removal of libpod from main.
| Signed-off-by: baude <bbaude@redhat.com>
* Fix gofmt (Matthew Heon, 2019-06-21)
| Signed-off-by: Matthew Heon <mheon@redhat.com>
* Adjust names to match struct tags in Inspect (Matthew Heon, 2019-06-21)
| In Go templating, we use the names of fields, not the JSON struct tags. To ensure templating works as expected, we need the two to match.
| Signed-off-by: Matthew Heon <mheon@redhat.com>
* Fix inspect --format '{{.Mounts}}. (Matthew Heon, 2019-06-21)
| Go templating is incapable of dealing with pointers, so when we moved to Docker compatible mounts JSON, we broke it. The solution is to not use pointers in this part of inspect.
| Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #3378 from mheon/multiple_runtimes (OpenShift Merge Robot, 2019-06-21)
|\
| | Begin adding support for multiple OCI runtimes
| * Print container's OCI runtime in `inspect` (Matthew Heon, 2019-06-19)
| | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #3358 from mheon/use_disk_spec (OpenShift Merge Robot, 2019-06-18)
|\ \
| |/
|/| Swap to using the on-disk spec for inspect mounts
| * Swap to using the on-disk spec for inspect mounts (Matthew Heon, 2019-06-18)
| | When available, using the on-disk spec will show full mount options in use when the container is running, which can differ from mount options provided in the original spec - on generating the final spec, for example, we ensure that some form of root propagation is set.
| | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Move the Config portion of Inspect into libpod (Matthew Heon, 2019-06-17)
|/
| While we're at it, rewrite how we populate it. There were several potential segfaults in the optional spec.Process block, and a few fields not being populated correctly versus 'docker inspect'.
| Signed-off-by: Matthew Heon <mheon@redhat.com>
* Split mount options in inspect further (Matthew Heon, 2019-06-13)
| Docker only uses Mode for :z/:Z, so move other options out into a new field.
| Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Make Inspect's mounts struct accurate to Docker (Matthew Heon, 2019-06-12)
| We were formerly dumping spec.Mount structs, with no care as to whether it was user-generated or not - a relic of the very early days when we didn't know whether a user made a mount or not. Now that we do, match our output to Docker's dedicated mount struct.
| Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Provide OCI spec path in `podman inspect` output (Matthew Heon, 2019-06-12)
| Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Begin to break up pkg/inspect (Matthew Heon, 2019-06-03)
| Let's put inspect structs where they're actually being used. We originally made pkg/inspect to solve circular import issues. There are no more circular import issues. Image structs remain for now, I'm focusing on container inspect.
| Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add support for retry count with --restart flag (Matthew Heon, 2019-05-03)
| The on-failure restart option supports restarting only a given number of times. To do this, we need one additional field in the DB to track restart count (which conveniently fills a field in Inspect we weren't populating), plus some plumbing logic.
| Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Export ConmonPidFile in 'podman inspect' for containers (Debarshi Ray, 2019-03-18)
| This can help scripts provide a more meaningful message when coming across issues [1] which require the container to be re-created.
| [1] eg., https://github.com/containers/libpod/issues/2673
| Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
* healthcheck phase 2 (baude, 2019-03-12)
| integration of healthcheck into create and run as well as inspect.
| healthcheck enhancements are as follows:
| * add the following options to create|run so that non-docker images can define healthchecks at the container level.
|   * --healthcheck-command
|   * --healthcheck-retries
|   * --healthcheck-interval
|   * --healthcheck-start-period
| * podman create|run --healthcheck-command=none disables healthcheck as described by an image.
| * the healthcheck itself and the healthcheck "history" can now be observed in podman inspect
| * added the wiring for healthcheck history which logs the health history of the container, the current failed streak attempts, and log entries for the last five attempts which themselves have start and stop times, result, and a 500 character truncated (if needed) log of stderr/stdout. The timings themselves are not implemented in this PR but will be in future enablement (i.e. next).
| Signed-off-by: baude <bbaude@redhat.com>
* apparmor: apply default profile at container initialization (Valentin Rothberg, 2019-01-09)
| Apply the default AppArmor profile at container initialization to cover all possible code paths (i.e., podman-{start,run}) before executing the runtime. This allows moving most of the logic into pkg/apparmor. Also make the loading and application of the default AppArmor profile version-independent by checking for the `libpod-default-` prefix and over-writing the profile in the run-time spec if needed. The initial run-time spec of the container differs a bit from the applied one when having started the container, which results in displaying a potentially outdated AppArmor profile when inspecting a container. To fix that, load the container config from the file system if present and use it to display the data.
| Fixes: #2107
| Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Add "podman volume" command (umohnani8, 2018-12-06)
| Add support for podman volume and its subcommands. The commands supported are:
|   podman volume create
|   podman volume inspect
|   podman volume ls
|   podman volume rm
|   podman volume prune
| This is a tool to manage volumes used by podman. For now it only handle named volumes, but eventually it will handle all volumes used by podman.
| Signed-off-by: umohnani8 <umohnani@redhat.com>
* Allow containers/storage to handle on SELinux labeling (Daniel J Walsh, 2018-10-23)
| Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Reveal information about container capabilities (Daniel J Walsh, 2018-08-24)
| I am often asked about the list of capabilities available to a container. We should be listing this data in the inspect command for effective capabilities and the bounding set.
| Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| Closes: #1335
| Approved by: TomSweeneyRedHat
* Change pause container to infra container (haircommander, 2018-08-23)
| Signed-off-by: haircommander <pehunt@redhat.com>
| Closes: #1187
| Approved by: mheon
* Added option to share kernel namespaces in libpod and podman (haircommander, 2018-08-23)
| A pause container is added to the pod if the user opts in. The default pause image and command can be overridden. Pause containers are ignored in ps unless the -a option is present. Pod inspect and pod ps show shared namespaces and pause container. A pause container can't be removed with podman rm, and a pod can be removed if it only has a pause container.
| Signed-off-by: haircommander <pehunt@redhat.com>
| Closes: #1187
| Approved by: mheon