summaryrefslogtreecommitdiff
path: root/libpod/container_internal.go
Commit message (Collapse)AuthorAge
* Fix permissions on initially created named volumesDaniel J Walsh2021-06-14
| | | | | | | | Permission of volume should match the directory it is being mounted on. Fixes: https://github.com/containers/podman/issues/10188 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #10635 from adrianreber/2021-06-04-privilegedOpenShift Merge Robot2021-06-12
|\ | | | | Fix restoring of privileged containers
| * Fix restoring of privileged containersAdrian Reber2021-06-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Checkpointed containers started with --privileged fail during restore with: Error: error creating container storage: ProcessLabel and Mountlabel must either not be specified or both specified This commit fixes it by not setting the labels when restoring a privileged container. [NO TESTS NEEDED] Signed-off-by: Adrian Reber <areber@redhat.com>
* | Fix pre-checkpointingAdrian Reber2021-06-10
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Unfortunately --pre-checkpointing never worked as intended and recent changes to runc have shown that it is broken. To create a pre-checkpoint CRIU expects the paths between the pre-checkpoints to be a relative path. If having a previous checkpoint it needs the be referenced like this: --prev-images-dir ../parent Unfortunately Podman was giving runc (and CRIU) an absolute path. Unfortunately, again, until March 2021 CRIU silently ignored if the path was not relative and switch back to normal checkpointing. This has been now fixed in CRIU and runc and running pre-checkpoint with the latest runc fails, because runc already sees that the path is absolute and returns an error. This commit fixes this by giving runc a relative path. This commit also fixes a second pre-checkpointing error which was just recently introduced. So summarizing: pre-checkpointing never worked correctly because CRIU ignored wrong parameters and recent changes broke it even more. Now both errors should be fixed. [NO TESTS NEEDED] Signed-off-by: Adrian Reber <areber@redhat.com> Signed-off-by: Adrian Reber <adrian@lisas.de>
* Merge pull request #10366 from ashley-cui/secretoptionsOpenShift Merge Robot2021-05-17
|\ | | | | Support uid,gid,mode options for secrets
| * Support uid,gid,mode options for secretsAshley Cui2021-05-17
| | | | | | | | | | | | | | Support UID, GID, Mode options for mount type secrets. Also, change default secret permissions to 444 so all users can read secret. Signed-off-by: Ashley Cui <acui@redhat.com>
* | Create the /etc/mtab file if does not existsDaniel J Walsh2021-05-15
|/ | | | | | | | | | | We should create the /etc/mtab->/proc/mountinfo link so that mount command will work within the container. Docker does this by default. Fixes: https://github.com/containers/podman/issues/10263 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* fix restart always with slirp4netnsPaul Holzinger2021-05-11
| | | | | | | | | | | | When a container is automatically restarted due its restart policy and the container used the slirp4netns netmode, the slirp4netns process died. This caused the container to lose network connectivity. To fix this we have to start a new slirp4netns process. Fixes #8047 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #10220 from giuseppe/rm-volatileOpenShift Merge Robot2021-05-05
|\ | | | | podman: set volatile storage flag for --rm containers
| * podman: set volatile storage flag for --rm containersGiuseppe Scrivano2021-05-05
| | | | | | | | | | | | | | | | | | | | | | | | | | volatile containers are a storage optimization that disables *sync() syscalls for the container rootfs. If a container is created with --rm, then automatically set the volatile storage flag as anyway the container won't persist after a reboot or machine crash. [NO TESTS NEEDED] Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | migrate Podman to containers/common/libimageValentin Rothberg2021-05-05
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Migrate the Podman code base over to `common/libimage` which replaces `libpod/image` and a lot of glue code entirely. Note that I tried to leave bread crumbs for changed tests. Miscellaneous changes: * Some errors yield different messages which required to alter some tests. * I fixed some pre-existing issues in the code. Others were marked as `//TODO`s to prevent the PR from exploding. * The `NamesHistory` of an image is returned as is from the storage. Previously, we did some filtering which I think is undesirable. Instead we should return the data as stored in the storage. * Touched handlers use the ABI interfaces where possible. * Local image resolution: previously Podman would match "foo" on "myfoo". This behaviour has been changed and Podman will now only match on repository boundaries such that "foo" would match "my/foo" but not "myfoo". I consider the old behaviour to be a bug, at the very least an exotic corner case. * Futhermore, "foo:none" does *not* resolve to a local image "foo" without tag anymore. It's a hill I am (almost) willing to die on. * `image prune` prints the IDs of pruned images. Previously, in some cases, the names were printed instead. The API clearly states ID, so we should stick to it. * Compat endpoint image removal with _force_ deletes the entire not only the specified tag. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Fixes from make codespellDaniel J Walsh2021-04-21
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* use AttachSocketPath when removing conmon filesPeter Hunt2021-04-16
| | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Add rootless support for cni and --uidmapPaul Holzinger2021-04-01
| | | | | | This is supported with the new rootless cni logic. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Do not leak libpod package into the remote clientPaul Holzinger2021-03-15
| | | | | | | | | | | | | | | | | | Some packages used by the remote client imported the libpod package. This is not wanted because it adds unnecessary bloat to the client and also causes problems with platform specific code(linux only), see #9710. The solution is to move the used functions/variables into extra packages which do not import libpod. This change shrinks the remote client size more than 6MB compared to the current master. [NO TESTS NEEDED] I have no idea how to test this properly but with #9710 the cross compile should fail. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* turn hidden --trace into a NOPValentin Rothberg2021-03-08
| | | | | | | | | | The --trace has helped in early stages analyze Podman code. However, it's contributing to dependency and binary bloat. The standard go tooling can also help in profiling, so let's turn `--trace` into a NOP. [NO TESTS NEEDED] Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #9624 from mheon/fix_9615OpenShift Merge Robot2021-03-05
|\ | | | | [NO TESTS NEEDED] Do not return from c.stop() before re-locking
| * Do not return from c.stop() before re-lockingMatthew Heon2021-03-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Unlocking an already unlocked lock is a panic. As such, we have to make sure that the deferred c.lock.Unlock() in c.StopWithTimeout() always runs on a locked container. There was a case in c.stop() where we could return an error after we unlock the container to stop it, but before we re-lock it - thus allowing for a double-unlock to occur. Fix the error return to not happen until after the lock has been re-acquired. Fixes #9615 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | podman cp: support copying on tmpfs mountsValentin Rothberg2021-03-04
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Traditionally, the path resolution for containers has been resolved on the *host*; relative to the container's mount point or relative to specified bind mounts or volumes. While this works nicely for non-running containers, it poses a problem for running ones. In that case, certain kinds of mounts (e.g., tmpfs) will not resolve correctly. A tmpfs is held in memory and hence cannot be resolved relatively to the container's mount point. A copy operation will succeed but the data will not show up inside the container. To support these kinds of mounts, we need to join the *running* container's mount namespace (and PID namespace) when copying. Note that this change implies moving the copy and stat logic into `libpod` since we need to keep the container locked to avoid race conditions. The immediate benefit is that all logic is now inside `libpod`; the code isn't scattered anymore. Further note that Docker does not support copying to tmpfs mounts. Tests have been extended to cover *both* path resolutions for running and created containers. New tests have been added to exercise the tmpfs-mount case. For the record: Some tests could be improved by using `start -a` instead of a start-exec sequence. Unfortunately, `start -a` is flaky in the CI which forced me to use the more expensive start-exec option. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Use functions and defines from checkpointctlAdrian Reber2021-03-02
| | | | | | | | No functional changes. [NO TESTS NEEDED] - only moving code around Signed-off-by: Adrian Reber <areber@redhat.com>
* bump go module to v3Valentin Rothberg2021-02-22
| | | | | | | | | We missed bumping the go module, so let's do it now :) * Automated go code with github.com/sirkon/go-imports-rename * Manually via `vgrep podman/v2` the rest Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Change source path resolution for volume copy-upMatthew Heon2021-02-17
| | | | | | | | | | | | | | | Instead of using the container's mountpoint as the base of the chroot and indexing from there by the volume directory, instead use the full path of what we want to copy as the base of the chroot and copy everything in it. This resolves the bug, ends up being a bit simpler code-wise (no string concatenation, as we already have the full path calculated for other checks), and seems more understandable than trying to resolve things on the destination side of the copy-up. Fixes #9354 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Fix an issue where copyup could fail with ENOENTMatthew Heon2021-02-16
| | | | | | | | | | | | | | | | | | This one is rather bizarre because it triggers only on some systems. I've included a CI test, for example, but I'm 99% sure we use images in CI that have volumes over empty directories, and the earlier patch to change copy-up implementation passed CI without complaint. I can reproduce this on a stock F33 VM, but that's the only place I have been able to see it. Regardless, the issue: under certain as-yet-unidentified environmental conditions, the copier.Get method will return an ENOENT attempting to stream a directory that is empty. Work around this by avoiding the copy altogether in this case. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Enable golint linterPaul Holzinger2021-02-11
| | | | | | | | Use the golint linter and fix the reported problems. [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Rewrite copy-up to use buildah CopierMatthew Heon2021-02-10
| | | | | | | | | | | | | | | | The old copy-up implementation was very unhappy with symlinks, which could cause containers to fail to start for unclear reasons when a directory we wanted to copy-up contained one. Rewrite to use the Buildah Copier, which is more recent and should be both safer and less likely to blow up over links. At the same time, fix a deadlock in copy-up for volumes requiring mounting - the Mountpoint() function tried to take the already-acquired volume lock. Fixes #6003 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Implement SecretsAshley Cui2021-02-09
| | | | | | | | | | | Implement podman secret create, inspect, ls, rm Implement podman run/create --secret Secrets are blobs of data that are sensitive. Currently, the only secret driver supported is filedriver, which means creating a secret stores it in base64 unencrypted in a file. After creating a secret, a user can use the --secret flag to expose the secret inside the container at /run/secrets/[secretname] This secret will not be commited to an image on a podman commit Signed-off-by: Ashley Cui <acui@redhat.com>
* Improve container libpod.Wait*() functionsMatej Vasek2021-02-03
| | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
* Initial implementation of volume pluginsMatthew Heon2021-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This implements support for mounting and unmounting volumes backed by volume plugins. Support for actually retrieving plugins requires a pull request to land in containers.conf and then that to be vendored, and as such is not yet ready. Given this, this code is only compile tested. However, the code for everything past retrieving the plugin has been written - there is support for creating, removing, mounting, and unmounting volumes, which should allow full functionality once the c/common PR is merged. A major change is the signature of the MountPoint function for volumes, which now, by necessity, returns an error. Named volumes managed by a plugin do not have a mountpoint we control; instead, it is managed entirely by the plugin. As such, we need to cache the path in the DB, and calls to retrieve it now need to access the DB (and may fail as such). Notably absent is support for SELinux relabelling and chowning these volumes. Given that we don't manage the mountpoint for these volumes, I am extremely reluctant to try and modify it - we could easily break the plugin trying to chown or relabel it. Also, we had no less than *5* separate implementations of inspecting a volume floating around in pkg/infra/abi and pkg/api/handlers/libpod. And none of them used volume.Inspect(), the only correct way of inspecting volumes. Remove them all and consolidate to using the correct way. Compat API is likely still doing things the wrong way, but that is an issue for another day. Fixes #4304 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #8906 from vrothberg/fix-8501OpenShift Merge Robot2021-01-14
|\ | | | | container stop: release lock before calling the runtime
| * container stop: release lock before calling the runtimeValentin Rothberg2021-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman defers stopping the container to the runtime, which can take some time. Keeping the lock while waiting for the runtime to complete the stop procedure, prevents other commands from acquiring the lock as shown in #8501. To improve the user experience, release the lock before invoking the runtime, and re-acquire the lock when the runtime is finished. Also introduce an intermediate "stopping" to properly distinguish from "stopped" containers etc. Fixes: #8501 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Fxes /etc/hosts duplicated every time after container restarted in a podzhangguanzhang2021-01-13
| | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | add pre checkpointunknown2021-01-10
|/ | | | Signed-off-by: Zhuohan Chen <chen_zhuohan@163.com>
* SpellingJosh Soref2020-12-22
| | | | Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* Drop default log-level from error to warnDaniel J Walsh2020-12-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Our users are missing certain warning messages that would make debugging issues with Podman easier. For example if you do a podman build with a Containerfile that contains the SHELL directive, the Derective is silently ignored. If you run with the log-level warn you get a warning message explainging what happened. $ podman build --no-cache -f /tmp/Containerfile1 /tmp/ STEP 1: FROM ubi8 STEP 2: SHELL ["/bin/bash", "-c"] STEP 3: COMMIT --> 7a207be102a 7a207be102aa8993eceb32802e6ceb9d2603ceed9dee0fee341df63e6300882e $ podman --log-level=warn build --no-cache -f /tmp/Containerfile1 /tmp/ STEP 1: FROM ubi8 STEP 2: SHELL ["/bin/bash", "-c"] STEP 3: COMMIT WARN[0000] SHELL is not supported for OCI image format, [/bin/bash -c] will be ignored. Must use `docker` format --> 7bd96fd25b9 7bd96fd25b9f755d8a045e31187e406cf889dcf3799357ec906e90767613e95f These messages will no longer be lost, when we default to WARNing level. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8263 from rhatdan/restartOpenShift Merge Robot2020-11-23
|\ | | | | Allow containers to --restart on-failure with --rm
| * Allow containers to --restart on-failure with --rmDaniel J Walsh2020-11-20
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Make c.networks() list include the default networkMatthew Heon2020-11-20
|/ | | | | | | | | | | | | | This makes things a lot more clear - if we are actually joining a CNI network, we are guaranteed to get a non-zero length list of networks. We do, however, need to know if the network we are joining is the default network for inspecting containers as it determines how we populate the response struct. To handle this, add a bool to indicate that the network listed was the default network, and only the default network. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #8298 from mheon/db_network_connectOpenShift Merge Robot2020-11-12
|\ | | | | Add support for network connect / disconnect to DB
| * Add support for network connect / disconnect to DBMatthew Heon2020-11-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Convert the existing network aliases set/remove code to network connect and disconnect. We can no longer modify aliases for an existing network, but we can add and remove entire networks. As part of this, we need to add a new function to retrieve current aliases the container is connected to (we had a table for this as of the first aliases PR, but it was not externally exposed). At the same time, remove all deconflicting logic for aliases. Docker does absolutely no checks of this nature, and allows two containers to have the same aliases, aliases that conflict with container names, etc - it's just left to DNS to return all the IP addresses, and presumably we round-robin from there? Most tests for the existing code had to be removed because of this. Convert all uses of the old container config.Networks field, which previously included all networks in the container, to use the new DB table. This ensures we actually get an up-to-date list of in-use networks. Also, add network aliases to the output of `podman inspect`. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Ensure we do not double-lock the same volume in createMatthew Heon2020-11-11
|/ | | | | | | | | | | | | When making containers, we want to lock all named volumes we are adding the container to, to ensure they aren't removed from under us while we are working. Unfortunately, this code did not account for a container having the same volume mounted in multiple places so it could deadlock. Add a map to ensure that we don't lock the same name more than once to resolve this. Fixes #8221 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Stop excessive wrapping of errorsDaniel J Walsh2020-10-30
| | | | | | | | | | | | Most of the builtin golang functions like os.Stat and os.Open report errors including the file system object path. We should not wrap these errors and put the file path in a second time, causing stuttering of errors when they get presented to the user. This patch tries to cleanup a bunch of these errors. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* new "image" mount typeValentin Rothberg2020-10-29
| | | | | | | | | | | | | | Add a new "image" mount type to `--mount`. The source of the mount is the name or ID of an image. The destination is the path inside the container. Image mounts further support an optional `rw,readwrite` parameter which if set to "true" will yield the mount writable inside the container. Note that no changes are propagated to the image mount on the host (which in any case is read only). Mounts are overlay mounts. To support read-only overlay mounts, vendor a non-release version of Buildah. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Populate /etc/hosts file when run in a user namespaceDaniel J Walsh2020-10-07
| | | | | | | | | We do not populate the hostname field with the IP Address when running within a user namespace. Fixes https://github.com/containers/podman/issues/7490 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Remove excessive error wrappingKir Kolyshkin2020-10-05
| | | | | | | | | | | | | | | | | In case os.Open[File], os.Mkdir[All], ioutil.ReadFile and the like fails, the error message already contains the file name and the operation that fails, so there is no need to wrap the error with something like "open %s failed". While at it - replace a few places with os.Open, ioutil.ReadAll with ioutil.ReadFile. - replace errors.Wrapf with errors.Wrap for cases where there are no %-style arguments. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
* Fix up errors found by codespellDaniel J Walsh2020-09-11
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #7578 from giuseppe/join-userns-reuse-mappingsOpenShift Merge Robot2020-09-10
|\ | | | | libpod: read mappings when joining a container userns
| * libpod: read mappings when joining a container usernsGiuseppe Scrivano2020-09-10
| | | | | | | | | | | | | | | | | | when joining an existing container user namespace, read the existing mappings so the storage can be created with the correct ownership. Closes: https://github.com/containers/podman/issues/7547 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* | rootless: support `podman network create` (CNI-in-slirp4netns)Akihiro Suda2020-09-09
|/ | | | | | | | | | | | | | | | | Usage: ``` $ podman network create foo $ podman run -d --name web --hostname web --network foo nginx:alpine $ podman run --rm --network foo alpine wget -O - http://web.dns.podman Connecting to web.dns.podman (10.88.4.6:80) ... <h1>Welcome to nginx!</h1> ... ``` See contrib/rootless-cni-infra for the design. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* fix apiv2 will create containers with incorrect commandszhangguanzhang2020-08-24
| | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* volumes: do not recurse when chowningGiuseppe Scrivano2020-07-31
| | | | | | | | | keep the file ownership when chowning and honor the user namespace mappings. Closes: https://github.com/containers/podman/issues/7130 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>