summaryrefslogtreecommitdiff
path: root/libpod/oci.go
Commit message (Collapse)AuthorAge
* Handle podman exec capabilities correctlyDaniel J Walsh2021-01-07
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* SpellingJosh Soref2020-12-22
| | | | Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* Send HTTP Hijack headers after successful attachMatthew Heon2020-08-27
| | | | | | | | | | | | | | | | | | | | | | | | | Our previous flow was to perform a hijack before passing a connection into Libpod, and then Libpod would attach to the container's attach socket and begin forwarding traffic. A problem emerges: we write the attach header as soon as the attach complete. As soon as we write the header, the client assumes that all is ready, and sends a Start request. This Start may be processed *before* we successfully finish attaching, causing us to lose output. The solution is to handle hijacking inside Libpod. Unfortunately, this requires a downright extensive refactor of the Attach and HTTP Exec StartAndAttach code. I think the result is an improvement in some places (a lot more errors will be handled with a proper HTTP error code, before the hijack occurs) but other parts, like the relocation of printing container logs, are just *bad*. Still, we need this fixed now to get CI back into good shape... Fixes #7195 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Switch all references to github.com/containers/libpod -> podmanDaniel J Walsh2020-07-28
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* move go module to v2Valentin Rothberg2020-07-06
| | | | | | | | | | | | | | | With the advent of Podman 2.0.0 we crossed the magical barrier of go modules. While we were able to continue importing all packages inside of the project, the project could not be vendored anymore from the outside. Move the go module to new major version and change all imports to `github.com/containers/libpod/v2`. The renaming of the imports was done via `gomove` [1]. [1] https://github.com/KSubedi/gomove Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Ensure Conmon is alive before waiting for exit fileMatthew Heon2020-06-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This came out of a conversation with Valentin about systemd-managed Podman. He discovered that unit files did not properly handle cases where Conmon was dead - the ExecStopPost `podman rm --force` line was not actually removing the container, but interestingly, adding a `podman cleanup --rm` line would remove it. Both of these commands do the same thing (minus the `podman cleanup --rm` command not force-removing running containers). Without a running Conmon instance, the container process is still running (assuming you killed Conmon with SIGKILL and it had no chance to kill the container it managed), but you can still kill the container itself with `podman stop` - Conmon is not involved, only the OCI Runtime. (`podman rm --force` and `podman stop` use the same code to kill the container). The problem comes when we want to get the container's exit code - we expect Conmon to make us an exit file, which it's obviously not going to do, being dead. The first `podman rm` would fail because of this, but importantly, it would (after failing to retrieve the exit code correctly) set container status to Exited, so that the second `podman cleanup` process would succeed. To make sure the first `podman rm --force` succeeds, we need to catch the case where Conmon is already dead, and instead of waiting for an exit file that will never come, immediately set the Stopped state and remove an error that can be caught and handled. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Enable detached exec for remoteMatthew Heon2020-06-02
| | | | | | | | | | | | | | | | | | | | | | | The biggest obstacle here was cleanup - we needed a way to remove detached exec sessions after they exited, but there's no way to tell if an exec session will be attached or detached when it's created, and that's when we must add the exit command that would do the removal. The solution was adding a delay to the exit command (5 minutes), which gives sufficient time for attached exec sessions to retrieve the exit code of the session after it exits, but still guarantees that they will be removed, even for detached sessions. This requires Conmon 2.0.17, which has the new `--exit-delay` flag. As part of the exit command rework, we can drop the hack we were using to clean up exec sessions (remove them as part of inspect). This is a lot cleaner, and I'm a lot happier about it. Otherwise, this is just plumbing - we need a bindings call for detached exec, and that needed to be added to the tunnel mode backend for entities. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add backend code for detached execMatthew Heon2020-05-20
| | | | | | | | | | | | As part of the massive exec rework, I stubbed out a function for non-detached exec, which is implemented here. It's largely similar to the existing exec functions, but missing a few pieces. This also involves implemented a new OCI runtime call for detached exec. Again, very similar to the other functions, but with a few missing pieces. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add exit commands to exec sessionsMatthew Heon2020-05-20
| | | | | | | | | | | These are required for detached exec, where they will be used to clean up and remove exec sessions when they exit. As part of this, move all Exec related functionality for the Conmon OCI runtime into a separate file; the existing one was around 2000 lines. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add an initial implementation of HTTP-forwarded execMatthew Heon2020-05-14
| | | | | | | | | | | | | | | This is heavily based off the existing exec implementation, but does not presently share code with it, to try and ensure we don't break anything. Still to do: - Add code sharing with existing exec implementation - Wire in the frontend (exec HTTP endpoint) - Move all exec-related code in oci_conmon_linux.go into a new file - Investigate code sharing between HTTP attach and HTTP exec. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Add support for selecting kvm and systemd labelsDaniel J Walsh2020-04-15
| | | | | | | | | | | | In order to better support kata containers and systemd containers container-selinux has added new types. Podman should execute the container with an SELinux process label to match the container type. Traditional Container process : container_t KVM Container Process: containre_kvm_t PID 1 Init process: container_init_t Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* refactor infoBrent Baude2020-04-06
| | | | | | the current implementation of info, while typed, is very loosely done so. we need stronger types for our apiv2 implmentation and bindings. Signed-off-by: Brent Baude <bbaude@redhat.com>
* v2podman attach and execBrent Baude2020-04-05
| | | | | | | | add the ability to attach to a running container. the tunnel side of this is not enabled yet as we have work on the endpoints and plumbing to do yet. add the ability to exec a command in a running container. the tunnel side is also being deferred for same reason. Signed-off-by: Brent Baude <bbaude@redhat.com>
* Add structure for new exec session tracking to DBMatthew Heon2020-03-18
| | | | | | | | | | | | | | | | | | | | | | | As part of the rework of exec sessions, we need to address them independently of containers. In the new API, we need to be able to fetch them by their ID, regardless of what container they are associated with. Unfortunately, our existing exec sessions are tied to individual containers; there's no way to tell what container a session belongs to and retrieve it without getting every exec session for every container. This adds a pointer to the container an exec session is associated with to the database. The sessions themselves are still stored in the container. Exec-related APIs have been restructured to work with the new database representation. The originally monolithic API has been split into a number of smaller calls to allow more fine-grained control of lifecycle. Support for legacy exec sessions has been retained, but in a deprecated fashion; we should remove this in a few releases. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Revert "exec: get the exit code from sync pipe instead of file"Matthew Heon2020-03-09
| | | | | | | | | This reverts commit 4b72f9e4013411208751df2a92ab9f322d4da5b2. Continues what began with revert of d3d97a25e8c87cf741b2e24ac01ef84962137106 in previous commit. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Fix spelling mistakes in code found by codespellDaniel J Walsh2020-03-07
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* exec: get the exit code from sync pipe instead of filePeter Hunt2020-03-03
| | | | | | | | Before, we were getting the exit code from the file, in which we waited an arbitrary amount of time (5 seconds) for the file, and segfaulted if we didn't find it. instead, we should be a bit more certain conmon has sent the exit code. Luckily, it sends the exit code along the sync pipe fd, so we can read it from there Adapt the ExecContainer interface to pass along a channel to get the pid and exit code from conmon, to be able to read both from the pipe Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Add an API for Attach over HTTP APIMatthew Heon2020-01-16
| | | | | | | | | | | | | | | | | | | | | | | | | | The new APIv2 branch provides an HTTP-based remote API to Podman. The requirements of this are, unfortunately, incompatible with the existing Attach API. For non-terminal attach, we need append a header to what was copied from the container, to multiplex STDOUT and STDERR; to do this with the old API, we'd need to copy into an intermediate buffer first, to handle the headers. To avoid this, provide a new API to handle all aspects of terminal and non-terminal attach, including closing the hijacked HTTP connection. This might be a bit too specific, but for now, it seems to be the simplest approach. At the same time, add a Resize endpoint. This needs to be a separate endpoint, so our existing channel approach does not work here. I wanted to rework the rest of attach at the same time (some parts of it, particularly how we start the Attach session and how we do resizing, are (in my opinion) handled much better here. That may still be on the table, but I wanted to avoid breaking existing APIs in this already massive change. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Reap exec sessions on cleanup and removalMatthew Heon2019-12-12
| | | | | | | | | | | | | | | | | | | | | | We currently rely on exec sessions being removed from the state by the Exec() API itself, on detecting the session stopping. This is not a reliable method, though. The Podman frontend for exec could be killed before the session ended, or another Podman process could be holding the lock and prevent update (most notable in `run --rm`, when a container with an active exec session is stopped). To resolve this, add a function to reap active exec sessions from the state, and use it on cleanup (to clear sessions after the container stops) and remove (to do the same when --rm is passed). This is a bit more complicated than it ought to be because Kata and company exist, and we can't guarantee the exec session has a PID on the host, so we have to plumb this through to the OCI runtime. Fixes #4666 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add a MissingRuntime implementationMatthew Heon2019-10-15
| | | | | | | | | | | | | | | | | When a container is created with a given OCI runtime, but then it is uninstalled or removed from the configuration file, Libpod presently reacts very poorly. The EvictContainer code can potentially remove these containers, but we still can't see them in `podman ps` (aside from the massive logrus.Errorf messages they create). Providing a minimal OCI runtime implementation for missing runtimes allows us to behave better. We'll be able to retrieve containers from the database, though we still pop up an error for each missing runtime. For containers which are stopped, we can remove them as normal. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Move OCI runtime implementation behind an interfaceMatthew Heon2019-10-10
| | | | | | | | | | | | For future work, we need multiple implementations of the OCI runtime, not just a Conmon-wrapped runtime matching the runc CLI. As part of this, do some refactoring on the interface for exec (move to a struct, not a massive list of arguments). Also, add 'all' support to Kill and Stop (supported by runc and used a bit internally for removing containers). Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add support for launching containers without CGroupsMatthew Heon2019-09-10
| | | | | | | This is mostly used with Systemd, which really wants to manage CGroups itself when managing containers via unit file. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3760 from rhatdan/authOpenShift Merge Robot2019-08-19
|\ | | | | Use GetRuntimeDir to setup auth.json for login
| * Use GetRuntimeDir to setup auth.json for loginDaniel J Walsh2019-08-12
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | do not activate sd_notify support when varlinkbaude2019-08-15
|/ | | | | | | | | add ability to not activate sd_notify when running under varlink as it causes deadlocks and hangs. Fixes: #3572 Signed-off-by: baude <bbaude@redhat.com>
* Add runtime and conmon path discoverySascha Grunert2019-08-01
| | | | | | | | The `$PATH` environment variable will now used as fallback if no valid runtime or conmon path matches. The debug logs has been updated to state the used executable. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Implement conmon execPeter Hunt2019-07-22
| | | | | | | | | | | | | | | | | | | | | | This includes: Implement exec -i and fix some typos in description of -i docs pass failed runtime status to caller Add resize handling for a terminal connection Customize exec systemd-cgroup slice fix healthcheck fix top add --detach-keys Implement podman-remote exec (jhonce) * Cleanup some orphaned code (jhonce) adapt remote exec for conmon exec (pehunt) Fix healthcheck and exec to match docs Introduce two new OCIRuntime errors to more comprehensively describe situations in which the runtime can error Use these different errors in branching for exit code in healthcheck and exec Set conmon to use new api version Signed-off-by: Jhon Honce <jhonce@redhat.com> Signed-off-by: Peter Hunt <pehunt@redhat.com>
* golangci-lint round #3baude2019-07-21
| | | | | | | this is the third round of preparing to use the golangci-lint on our code base. Signed-off-by: baude <bbaude@redhat.com>
* golangci-lint pass number 2baude2019-07-11
| | | | | | clean up and prepare to migrate to the golangci-linter Signed-off-by: baude <bbaude@redhat.com>
* code cleanupbaude2019-07-08
| | | | | | clean up code identified as problematic by golands inspection Signed-off-by: baude <bbaude@redhat.com>
* Wipe PID and ConmonPID in state after container stopsMatthew Heon2019-07-02
| | | | | | Matches the behavior of Docker. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* libpod removal from main (phase 2)baude2019-06-27
| | | | | | this is phase 2 for the removal of libpod from main. Signed-off-by: baude <bbaude@redhat.com>
* remove libpod from mainbaude2019-06-25
| | | | | | | | | | | | | the compilation demands of having libpod in main is a burden for the remote client compilations. to combat this, we should move the use of libpod structs, vars, constants, and functions into the adapter code where it will only be compiled by the local client. this should result in cleaner code organization and smaller binaries. it should also help if we ever need to compile the remote client on non-Linux operating systems natively (not cross-compiled). Signed-off-by: baude <bbaude@redhat.com>
* Begin adding support for multiple OCI runtimesMatthew Heon2019-06-19
| | | | | | | | | | | | | Allow Podman containers to request to use a specific OCI runtime if multiple runtimes are configured. This is the first step to properly supporting containers in a multi-runtime environment. The biggest changes are that all OCI runtimes are now initialized when Podman creates its runtime, and containers now use the runtime requested in their configuration (instead of always the default runtime). Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* oci: allow to specify what runtimes support JSONGiuseppe Scrivano2019-06-13
| | | | | | | | | add a new configuration `runtime_supports_json` to list what OCI runtimes support the --log-format=json option. If the runtime is not listed here, libpod will redirect stdout/stderr from the runtime process. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* oci: use json formatted errors from the runtimeGiuseppe Scrivano2019-06-13
| | | | | | | request json formatted error messages from the OCI runtime so that we can nicely print them. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Address commentsPeter Hunt2019-05-28
| | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Implement podman logs with log-driver journaldPeter Hunt2019-05-28
| | | | | | | | Add a journald reader that translates the journald entry to a k8s-file formatted line, to be added as a log line Note: --follow with journald hasn't been implemented. It's going to be a larger undertaking that can wait. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Added --log-driver and journald loggingPeter Hunt2019-05-28
| | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* libpod: prefer WaitForFile to pollingGiuseppe Scrivano2019-05-21
| | | | | | | replace two usage of kwait.ExponentialBackoff in favor of WaitForFile that uses inotify when possible. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* enable podman-remote on windowsbaude2019-04-30
| | | | | | | build a podman-remote binary for windows that allows users to use the remote client on windows and interact with podman on linux system. Signed-off-by: baude <bbaude@redhat.com>
* Implement podman-remote rmJhon Honce2019-04-09
| | | | | | | | | * refactor command output to use one function * Add new worker pool parallel operations * Implement podman-remote umount * Refactored podman wait to use printCmdOutput() Signed-off-by: Jhon Honce <jhonce@redhat.com>
* oci: drop reference to runcGiuseppe Scrivano2019-03-29
| | | | | | it can be any OCI runtime. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: change env prefixGiuseppe Scrivano2019-03-28
| | | | | | | | | | from _LIBPOD to _CONTAINERS. The same change was done in buildah unshare. This is necessary for podman to detect we are running in a rootless environment and work properly from a "buildah unshare" session. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add support for SCTP port forwardingMatthew Heon2019-03-15
| | | | | | | | | | | | | | | SCTP is already present and enabled in the CNI plugins, so all we need to do to add support is not error on attempting to bind ports to reserve them. I investigated adding this binding for SCTP, but support for SCTP in Go is honestly a mess - there's no widely-supported library for doing it that will do what we need. For now, warn that port reservation for SCTP is not supported and forward the ports. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Add event on container deathMatthew Heon2019-03-13
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* oci: make explicit the extra files to the execGiuseppe Scrivano2019-03-07
| | | | | | | | | In the previous version I forgot to add the fds to preserve into AdditionalFiles. It doesn't make a difference as the files were still preserved, but this seems to be the correct way of making it explicit. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* exec: support --preserve-fdsGiuseppe Scrivano2019-03-02
| | | | | | | | Allow to pass additional FDs to the process being executed. Closes: https://github.com/containers/libpod/issues/2372 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2485 from adrianreber/oci-checkOpenShift Merge Robot2019-03-01
|\ | | | | Verify that used OCI runtime supports checkpoint
| * Verify that used OCI runtime supports checkpointAdrian Reber2019-03-01
| | | | | | | | | | | | | | | | | | | | To be able to use OCI runtimes which do not implement checkpoint/restore this adds a check to the checkpoint code path and the checkpoint/restore tests to see if it knows about the checkpoint subcommand. If the used OCI runtime does not implement checkpoint/restore the tests are skipped and the actual 'podman container checkpoint' returns an error. Signed-off-by: Adrian Reber <areber@redhat.com>