aboutsummaryrefslogtreecommitdiff
path: root/libpod/container_inspect.go
Commit message (Collapse)AuthorAge
* health check: add on-failure actionsValentin Rothberg2022-09-09
| | | | | | | | | | | | | | | | | | | | | | | | | | For systems that have extreme robustness requirements (edge devices, particularly those in difficult to access environments), it is important that applications continue running in all circumstances. When the application fails, Podman must restart it automatically to provide this robustness. Otherwise, these devices may require customer IT to physically gain access to restart, which can be prohibitively difficult. Add a new `--on-failure` flag that supports four actions: - **none**: Take no action. - **kill**: Kill the container. - **restart**: Restart the container. Do not combine the `restart` action with the `--restart` flag. When running inside of a systemd unit, consider using the `kill` or `stop` action instead to make use of systemd's restart policy. - **stop**: Stop the container. To remain backwards compatible, **none** is the default action. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* libpod: allow the notify socket to be passed programaticallyValentin Rothberg2022-08-10
| | | | | | | | | The notify socket can now either be specified via an environment variable or programatically (where the env is ignored). The notify mode and the socket are now also displayed in `container inspect` which comes in handy for debugging and allows for propper testing. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* Merge pull request #14501 from cdoern/podUTSopenshift-ci[bot]2022-07-06
|\ | | | | podman pod create --uts support
| * podman pod create --uts supportcdoern2022-07-05
| | | | | | | | | | | | | | | | | | | | | | | | add support for the --uts flag in pod create, allowing users to avoid issues with default values in containers.conf. uts follows the same format as other namespace flags: --uts=private (default), --uts=host, --uts=ns:PATH resolves #13714 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | libpod: switch to golang native error wrappingSascha Grunert2022-07-05
|/ | | | | | | | | We now use the golang error wrapping format specifier `%w` instead of the deprecated github.com/pkg/errors package. [NO NEW TESTS NEEDED] Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
* k8systemd: run k8s workloads in systemdValentin Rothberg2022-05-17
| | | | | | | | | | | | | | | | | | | | Support running `podman play kube` in systemd by exploiting the previously added "service containers". During `play kube`, a service container is started before all the pods and containers, and is stopped last. The service container communicates its conmon PID via sdnotify. Add a new systemd template to dispatch such k8s workloads. The argument of the template is the path to the k8s file. Note that the path must be escaped for systemd not to bark: Let's assume we have a `top.yaml` file in the home directory: ``` $ escaped=$(systemd-escape ~/top.yaml) $ systemctl --user start podman-play-kube@$escaped.service ``` Closes: https://issues.redhat.com/browse/RUN-1287 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* play kube: service containerValentin Rothberg2022-05-12
| | | | | | | | | | | | | | | | | | | | Add the notion of a "service container" to play kube. A service container is started before the pods in play kube and is (reverse) linked to them. The service container is stopped/removed *after* all pods it is associated with are stopped/removed. In other words, a service container tracks the entire life cycle of a service started via `podman play kube`. This is required to enable `play kube` in a systemd unit file. The service container is only used when the `--service-container` flag is set on the CLI. This flag has been marked as hidden as it is not meant to be used outside the context of `play kube`. It is further not supported on the remote client. The wiring with systemd will be done in a later commit. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* enable staticcheck linterPaul Holzinger2022-04-22
| | | | | | | Fix many problems reported by the staticcheck linter, including many real bugs! Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Revert "container,inspect: convert Entrypoint to array instead of a string"Aditya R2022-04-22
| | | | | | | | | | | | | | It seems this breaks older version of `podman-remote` users hence it looks like this patch would be a better candidate for podman `5.0` Problem * Client with `4.0` cannot interact with a server of `4.1` Plan this patch for podman `5.0` This reverts commit 0cebd158b6d8da1828b1255982e27fe9224310d0. Signed-off-by: Aditya R <arajan@redhat.com>
* Add support for ipc namespace modes "none, private, sharable"Daniel J Walsh2022-04-12
| | | | | | Fixes: #13265 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* container,inspect: convert Entrypoint to array instead of a stringAditya R2022-04-08
| | | | | | | Convert container entrypoint from string to an array inorder to make sure there is parity between `podman inspect` and `docker inspect` Signed-off-by: Aditya R <arajan@redhat.com>
* fix pod volume passing and alter infra inheritancecdoern2022-03-29
| | | | | | | | | | | | | the infra Inherit function was not properly passing pod volume information to new containers alter the inherit function and struct to use the new `ConfigToSpec` function used in clone pick and choose the proper entities from a temp spec and validate them on the spegen side rather than passing directly to a config resolves #13548 Signed-off-by: cdoern <cbdoer23@g.holycross.edu> Signed-off-by: cdoern <cdoern@redhat.com> Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* Add support for --chrootdirsLStandman2022-03-14
| | | | Signed-off-by: LStandman <65296484+LStandman@users.noreply.github.com>
* Merge pull request #13232 from rhatdan/volumesOpenShift Merge Robot2022-02-23
|\ | | | | Don't log errors on removing volumes inuse, if container --volumes-from
| * Don't log errors on removing volumes inuse, if container --volumes-fromDaniel J Walsh2022-02-21
| | | | | | | | | | | | | | | | | | | | | | When removing a container created with a --volumes-from a container created with a built in volume, we complain if the original container still exists. Since this is an expected state, we should not complain about it. Fixes: https://github.com/containers/podman/issues/12808 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Implement Podman Container Clonecdoern2022-02-20
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman container clone takes the id of an existing continer and creates a specgen from the given container's config recreating all proper namespaces and overriding spec options like resource limits and the container name if given in the cli options this command utilizes the common function DefineCreateFlags meaning that we can funnel as many create options as we want into clone over time allowing the user to clone with as much or as little of the original config as they want. container clone takes a second argument which is a new name and a third argument which is an image name to use instead of the original container's the current supported flags are: --destroy (remove the original container) --name (new ctr name) --cpus (sets cpu period and quota) --cpuset-cpus --cpu-period --cpu-rt-period --cpu-rt-runtime --cpu-shares --cpuset-mems --memory --run resolves #10875 Signed-off-by: cdoern <cdoern@redhat.com> Signed-off-by: cdoern <cbdoer23@g.holycross.edu> Signed-off-by: cdoern <cdoern@redhat.com>
* Run codespell on codeDaniel J Walsh2022-01-21
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* bump go module to version 4Valentin Rothberg2022-01-18
| | | | | | | | | | | | | Automated for .go files via gomove [1]: `gomove github.com/containers/podman/v3 github.com/containers/podman/v4` Remaining files via vgrep [2]: `vgrep github.com/containers/podman/v3` [1] https://github.com/KSubedi/gomove [2] https://github.com/vrothberg/vgrep Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #12870 from rhatdan/userns1OpenShift Merge Robot2022-01-18
|\ | | | | Use PODMAN_USERNS environment variable when running as a service
| * Use PODMAN_USERNS environment variable when running as a serviceDaniel J Walsh2022-01-17
| | | | | | | | | | | | | | | | Fixes: https://github.com/containers/podman/issues/11350#issuecomment-1011562526 Also add inspect information about the idmappings if they exists. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Standardize on capatalized CgroupsDaniel J Walsh2022-01-14
|/ | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Pod Security Option supportcdoern2021-12-27
| | | | | | | | | | | | | Added support for pod security options. These are applied to infra and passed down to the containers as added (unless overridden). Modified the inheritance process from infra, creating a new function Inherit() which reads the config, and marshals the compatible options into an intermediate struct `InfraInherit` This is then unmarshaled into a container config and all of this is added to the CtrCreateOptions. Removes the need (mostly) for special additons which complicate the Container_create code and pod creation. resolves #12173 Signed-off-by: cdoern <cdoern@redhat.com>
* Warn on use of --kernel-memoryDaniel J Walsh2021-12-22
| | | | | | | | | It has been deprecated and is no longer supported. Fully remove it and only print a warning if a user uses it. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2011695 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Podman run --passwdcdoern2021-12-21
| | | | | | | | | added support for a new flag --passwd which, when false prohibits podman from creating entries in /etc/passwd and /etc/groups allowing users to modify those files in the container entrypoint resolves #11805 Signed-off-by: cdoern <cdoern@redhat.com>
* Add more checkpoint/restore information to 'inspect'Adrian Reber2021-12-17
| | | | | | | | | | | | | | | | | | | | | | | | This adds the following information to the output of 'podman inspect': * CheckpointedAt - time the container was checkpointed Only set if the container has been checkpointed * RestoredAt - time the container was restored Only set if the container has been restored * CheckpointLog - path to the checkpoint log file (CRIU's dump.log) Only set if the log file exists (--keep) * RestoreLog - path to the restore log file (CRIU's restore.log) Only set if the log file exists (--keep) * CheckpointPath - path to the actual (CRIU) checkpoint files Only set if the checkpoint files exists (--keep) * Restored - set to true if the container has been restored Only set if the container has been restored Signed-off-by: Adrian Reber <areber@redhat.com>
* libpod, inspect: export cgroup pathGiuseppe Scrivano2021-11-24
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Do not store the exit command in container configPaul Holzinger2021-11-18
| | | | | | | | | | | | | | | | | | | There is a problem with creating and storing the exit command when the container was created. It only contains the options the container was created with but NOT the options the container is started with. One example would be a CNI network config. If I start a container once, then change the cni config dir with `--cni-config-dir` ans start it a second time it will start successfully. However the exit command still contains the wrong `--cni-config-dir` because it was not updated. To fix this we do not want to store the exit command at all. Instead we create it every time the conmon process for the container is startet. This guarantees us that the container cleanup process is startet with the correct settings. [NO NEW TESTS NEEDED] Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Add --unsetenv & --unsetenv-all to remove def environment variablesDaniel J Walsh2021-11-15
| | | | | | | | | | | | | | | | Podman adds a few environment variables by default, and currently there is no way to get rid of them from your container. This option will allow you to specify which defaults you don't want. --unsetenv-all will remove all default environment variables. Default environment variables can come from podman builtin, containers.conf or from the container image. Fixes: https://github.com/containers/podman/issues/11836 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #11686 from cdoern/podDeviceOptionsOpenShift Merge Robot2021-10-01
|\ | | | | Pod Device-Read-BPS support
| * Pod Device-Read-BPS supportcdoern2021-09-28
| | | | | | | | | | | | | | | | | | added the option for the user to specify a rate, in bytes, at which they would like to be able to read from the device being added to the pod. This is the first in a line of pod device options. WARNING: changed pod name json tag to pod_name to avoid confusion when marshaling with the containerspec's name Signed-off-by: cdoern <cdoern@redhat.com>
* | Merge pull request #11654 from Luap99/health-dockerOpenShift Merge Robot2021-09-23
|\ \ | | | | | | podman inspect add State.Health field for docker compat
| * | podman inspect add State.Health field for docker compatPaul Holzinger2021-09-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman inspect shows the healthcheck status in `.State.Healthcheck`, docker uses `.State.Health`. To make sure docker scripts work we should add the `Health` key. Because we do not want to display both keys by default we only use the new `Health` key. This is a breaking change for podman users but matches what docker does. To provide some form of compatibility users can still use `--format {{.State.Healthcheck}}`. IT is just not shown by default. Fixes #11645 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | | standardize logrus messages to upper caseDaniel J Walsh2021-09-22
|/ / | | | | | | | | | | | | | | Remove ERROR: Error stutter from logrus messages also. [ NO TESTS NEEDED] This is just code cleanup. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / sync container state before reading the healthcheckPaul Holzinger2021-09-22
|/ | | | | | | | | | The health check result is stored in the container state. Since the state can change or might not even be set we have to retrive the current state before we try to read the health check result. Fixes #11687 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Pod Device Supportcdoern2021-09-20
| | | | | | | | | | added support for pod devices. The device gets added to the infra container and recreated in all containers that join the pod. This required a new container config item to keep track of the original device passed in by the user before the path was parsed into the container device. Signed-off-by: cdoern <cdoern@redhat.com>
* Pod Volumes Supportcdoern2021-09-14
| | | | | | | | | added support for the --volume flag in pods using the new infra container design. users can specify all volume options they can with regular containers resolves #10379 Signed-off-by: cdoern <cdoern@redhat.com>
* Add Checkpointed bool to InspectMatthew Heon2021-09-07
| | | | | | | | When inspecting a container, we now report whether the container was stopped by a `podman checkpoint` operation via a new bool in the State portion of inspected, `Checkpointed`. Signed-off-by: Matthew Heon <mheon@redhat.com>
* podman inspect show exposed portsPaul Holzinger2021-08-24
| | | | | | | | | | | | | | Podman inspect has to show exposed ports to match docker. This requires storing the exposed ports in the container config. A exposed port is shown as `"80/tcp": null` while a forwarded port is shown as `"80/tcp": [{"HostIp": "", "HostPort": "8080" }]`. Also make sure to add the exposed ports to the new image when the container is commited. Fixes #10777 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* ps: support the container notation for ps --filter network=...flouthoc2021-07-30
| | | | Signed-off-by: flouthoc <flouthoc.git@gmail.com>
* Fix problem copying files when container is in host pid namespaceDaniel J Walsh2021-05-19
| | | | | | | | | | | | | | When attempting to copy files into and out of running containers within the host pidnamespace, the code was attempting to join the host pidns again, and getting an error. This was causing the podman cp command to fail. Since we are already in the host pid namespace, we should not be attempting to join. This PR adds a check to see if the container is in NOT host pid namespace, and only then attempts to join. Fixes: https://github.com/containers/podman/issues/9985 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Support uid,gid,mode options for secretsAshley Cui2021-05-17
| | | | | | | Support UID, GID, Mode options for mount type secrets. Also, change default secret permissions to 444 so all users can read secret. Signed-off-by: Ashley Cui <acui@redhat.com>
* Add podman run --timeout optionDaniel J Walsh2021-04-23
| | | | | | | | | This option allows users to specify the maximum amount of time to run before conmon sends the kill signal to the container. Fixes: https://github.com/containers/podman/issues/6412 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* fix start itchenkang2021-04-17
| | | | Signed-off-by: chenkang <kongchen28@gmail.com>
* add pidfile in inspectionchenkang2021-04-17
| | | | Signed-off-by: chenkang <kongchen28@gmail.com>
* Sort CapDrop in inspect to guarantee orderMatthew Heon2021-02-23
| | | | | | | | | | The order of CapAdd when inspecting containers is deterministic. However, the order of CapDrop is not (for unclear reasons). Add a quick sort on the final array to guarantee a consistent order. Fixes #9490 Signed-off-by: Matthew Heon <mheon@redhat.com>
* bump go module to v3Valentin Rothberg2021-02-22
| | | | | | | | | We missed bumping the go module, so let's do it now :) * Automated go code with github.com/sirkon/go-imports-rename * Manually via `vgrep podman/v2` the rest Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Enable whitespace linterPaul Holzinger2021-02-11
| | | | | | | | Use the whitespace linter and fix the reported problems. [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Display correct value for unlimited ulimitbaude2021-02-10
| | | | | | | | | | | When doing a container inspect on a container with unlimited ulimits, the value should be -1. But because the OCI spec requires the ulimit value to be uint64, we were displaying the inspect values as a uint64 as well. Simple change to display as an int64. Fixes: #9303 Signed-off-by: baude <bbaude@redhat.com>
* Implement SecretsAshley Cui2021-02-09
| | | | | | | | | | | Implement podman secret create, inspect, ls, rm Implement podman run/create --secret Secrets are blobs of data that are sensitive. Currently, the only secret driver supported is filedriver, which means creating a secret stores it in base64 unencrypted in a file. After creating a secret, a user can use the --secret flag to expose the secret inside the container at /run/secrets/[secretname] This secret will not be commited to an image on a podman commit Signed-off-by: Ashley Cui <acui@redhat.com>
* Initial implementation of volume pluginsMatthew Heon2021-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This implements support for mounting and unmounting volumes backed by volume plugins. Support for actually retrieving plugins requires a pull request to land in containers.conf and then that to be vendored, and as such is not yet ready. Given this, this code is only compile tested. However, the code for everything past retrieving the plugin has been written - there is support for creating, removing, mounting, and unmounting volumes, which should allow full functionality once the c/common PR is merged. A major change is the signature of the MountPoint function for volumes, which now, by necessity, returns an error. Named volumes managed by a plugin do not have a mountpoint we control; instead, it is managed entirely by the plugin. As such, we need to cache the path in the DB, and calls to retrieve it now need to access the DB (and may fail as such). Notably absent is support for SELinux relabelling and chowning these volumes. Given that we don't manage the mountpoint for these volumes, I am extremely reluctant to try and modify it - we could easily break the plugin trying to chown or relabel it. Also, we had no less than *5* separate implementations of inspecting a volume floating around in pkg/infra/abi and pkg/api/handlers/libpod. And none of them used volume.Inspect(), the only correct way of inspecting volumes. Remove them all and consolidate to using the correct way. Compat API is likely still doing things the wrong way, but that is an issue for another day. Fixes #4304 Signed-off-by: Matthew Heon <matthew.heon@pm.me>