path: root/libpod/oci.go
Commit message (Author, Age)
* Add an API for Attach over HTTP API (Matthew Heon, 2020-01-16)

  The new APIv2 branch provides an HTTP-based remote API to Podman. The requirements of this are, unfortunately, incompatible with the existing Attach API. For non-terminal attach, we need to append a header to what was copied from the container, to multiplex STDOUT and STDERR; to do this with the old API, we'd need to copy into an intermediate buffer first, to handle the headers. To avoid this, provide a new API to handle all aspects of terminal and non-terminal attach, including closing the hijacked HTTP connection. This might be a bit too specific, but for now, it seems to be the simplest approach.

  At the same time, add a Resize endpoint. This needs to be a separate endpoint, so our existing channel approach does not work here.

  I wanted to rework the rest of attach at the same time (some parts of it, particularly how we start the Attach session and how we do resizing, are (in my opinion) handled much better here). That may still be on the table, but I wanted to avoid breaking existing APIs in this already massive change.

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Reap exec sessions on cleanup and removal (Matthew Heon, 2019-12-12)

  We currently rely on exec sessions being removed from the state by the Exec() API itself, on detecting the session stopping. This is not a reliable method, though. The Podman frontend for exec could be killed before the session ended, or another Podman process could be holding the lock and prevent update (most notably in `run --rm`, when a container with an active exec session is stopped).

  To resolve this, add a function to reap active exec sessions from the state, and use it on cleanup (to clear sessions after the container stops) and remove (to do the same when --rm is passed).

  This is a bit more complicated than it ought to be because Kata and company exist, and we can't guarantee the exec session has a PID on the host, so we have to plumb this through to the OCI runtime.

  Fixes #4666

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add a MissingRuntime implementation (Matthew Heon, 2019-10-15)

  When a container is created with a given OCI runtime, but then it is uninstalled or removed from the configuration file, Libpod presently reacts very poorly. The EvictContainer code can potentially remove these containers, but we still can't see them in `podman ps` (aside from the massive logrus.Errorf messages they create).

  Providing a minimal OCI runtime implementation for missing runtimes allows us to behave better. We'll be able to retrieve containers from the database, though we still pop up an error for each missing runtime. For containers which are stopped, we can remove them as normal.

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Move OCI runtime implementation behind an interface (Matthew Heon, 2019-10-10)

  For future work, we need multiple implementations of the OCI runtime, not just a Conmon-wrapped runtime matching the runc CLI.

  As part of this, do some refactoring on the interface for exec (move to a struct, not a massive list of arguments). Also, add 'all' support to Kill and Stop (supported by runc and used a bit internally for removing containers).

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Add support for launching containers without CGroups (Matthew Heon, 2019-09-10)

  This is mostly used with Systemd, which really wants to manage CGroups itself when managing containers via unit file.

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Merge pull request #3760 from rhatdan/auth (OpenShift Merge Robot, 2019-08-19)

  Use GetRuntimeDir to setup auth.json for login

  * Use GetRuntimeDir to setup auth.json for login (Daniel J Walsh, 2019-08-12)

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* do not activate sd_notify support when varlink (baude, 2019-08-15)

  add ability to not activate sd_notify when running under varlink as it causes deadlocks and hangs.

  Fixes: #3572

  Signed-off-by: baude <bbaude@redhat.com>
* Add runtime and conmon path discovery (Sascha Grunert, 2019-08-01)

  The `$PATH` environment variable will now be used as a fallback if no valid runtime or conmon path matches. The debug logs have been updated to state the used executable.

  Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Implement conmon exec (Peter Hunt, 2019-07-22)

  This includes:

  - Implement exec -i and fix some typos in description of -i docs
  - pass failed runtime status to caller
  - Add resize handling for a terminal connection
  - Customize exec systemd-cgroup slice
  - fix healthcheck
  - fix top
  - add --detach-keys
  - Implement podman-remote exec (jhonce)
  - Cleanup some orphaned code (jhonce)
  - adapt remote exec for conmon exec (pehunt)
  - Fix healthcheck and exec to match docs
  - Introduce two new OCIRuntime errors to more comprehensively describe situations in which the runtime can error
  - Use these different errors in branching for exit code in healthcheck and exec
  - Set conmon to use new api version

  Signed-off-by: Jhon Honce <jhonce@redhat.com>
  Signed-off-by: Peter Hunt <pehunt@redhat.com>

* golangci-lint round #3 (baude, 2019-07-21)

  this is the third round of preparing to use the golangci-lint on our code base.

  Signed-off-by: baude <bbaude@redhat.com>

* golangci-lint pass number 2 (baude, 2019-07-11)

  clean up and prepare to migrate to the golangci-linter

  Signed-off-by: baude <bbaude@redhat.com>
* code cleanup (baude, 2019-07-08)

  clean up code identified as problematic by GoLand's inspection

  Signed-off-by: baude <bbaude@redhat.com>
* Wipe PID and ConmonPID in state after container stops (Matthew Heon, 2019-07-02)

  Matches the behavior of Docker.

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* libpod removal from main (phase 2) (baude, 2019-06-27)

  this is phase 2 for the removal of libpod from main.

  Signed-off-by: baude <bbaude@redhat.com>

* remove libpod from main (baude, 2019-06-25)

  the compilation demands of having libpod in main is a burden for the remote client compilations. to combat this, we should move the use of libpod structs, vars, constants, and functions into the adapter code where it will only be compiled by the local client. this should result in cleaner code organization and smaller binaries. it should also help if we ever need to compile the remote client on non-Linux operating systems natively (not cross-compiled).

  Signed-off-by: baude <bbaude@redhat.com>

* Begin adding support for multiple OCI runtimes (Matthew Heon, 2019-06-19)

  Allow Podman containers to request to use a specific OCI runtime if multiple runtimes are configured. This is the first step to properly supporting containers in a multi-runtime environment.

  The biggest changes are that all OCI runtimes are now initialized when Podman creates its runtime, and containers now use the runtime requested in their configuration (instead of always the default runtime).

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* oci: allow to specify what runtimes support JSON (Giuseppe Scrivano, 2019-06-13)

  add a new configuration `runtime_supports_json` to list what OCI runtimes support the --log-format=json option.

  If the runtime is not listed here, libpod will redirect stdout/stderr from the runtime process.

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* oci: use json formatted errors from the runtime (Giuseppe Scrivano, 2019-06-13)

  request json formatted error messages from the OCI runtime so that we can nicely print them.

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Address comments (Peter Hunt, 2019-05-28)

  Signed-off-by: Peter Hunt <pehunt@redhat.com>

* Implement podman logs with log-driver journald (Peter Hunt, 2019-05-28)

  Add a journald reader that translates the journald entry to a k8s-file formatted line, to be added as a log line

  Note: --follow with journald hasn't been implemented. It's going to be a larger undertaking that can wait.

  Signed-off-by: Peter Hunt <pehunt@redhat.com>

* Added --log-driver and journald logging (Peter Hunt, 2019-05-28)

  Signed-off-by: Peter Hunt <pehunt@redhat.com>
* libpod: prefer WaitForFile to polling (Giuseppe Scrivano, 2019-05-21)

  replace two usages of kwait.ExponentialBackoff in favor of WaitForFile that uses inotify when possible.

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* enable podman-remote on windows (baude, 2019-04-30)

  build a podman-remote binary for windows that allows users to use the remote client on windows and interact with podman on a linux system.

  Signed-off-by: baude <bbaude@redhat.com>
* Implement podman-remote rm (Jhon Honce, 2019-04-09)

  * refactor command output to use one function
  * Add new worker pool parallel operations
  * Implement podman-remote umount
  * Refactored podman wait to use printCmdOutput()

  Signed-off-by: Jhon Honce <jhonce@redhat.com>

* oci: drop reference to runc (Giuseppe Scrivano, 2019-03-29)

  it can be any OCI runtime.

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* rootless: change env prefix (Giuseppe Scrivano, 2019-03-28)

  from _LIBPOD to _CONTAINERS. The same change was done in buildah unshare.

  This is necessary for podman to detect we are running in a rootless environment and work properly from a "buildah unshare" session.

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Add support for SCTP port forwarding (Matthew Heon, 2019-03-15)

  SCTP is already present and enabled in the CNI plugins, so all we need to do to add support is not error on attempting to bind ports to reserve them.

  I investigated adding this binding for SCTP, but support for SCTP in Go is honestly a mess - there's no widely-supported library for doing it that will do what we need. For now, warn that port reservation for SCTP is not supported and forward the ports.

  Signed-off-by: Matthew Heon <mheon@redhat.com>

* Add event on container death (Matthew Heon, 2019-03-13)

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* oci: make explicit the extra files to the exec (Giuseppe Scrivano, 2019-03-07)

  In the previous version I forgot to add the fds to preserve into AdditionalFiles. It doesn't make a difference as the files were still preserved, but this seems to be the correct way of making it explicit.

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* exec: support --preserve-fds (Giuseppe Scrivano, 2019-03-02)

  Allow to pass additional FDs to the process being executed.

  Closes: https://github.com/containers/libpod/issues/2372

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Merge pull request #2485 from adrianreber/oci-check (OpenShift Merge Robot, 2019-03-01)

  Verify that used OCI runtime supports checkpoint

  * Verify that used OCI runtime supports checkpoint (Adrian Reber, 2019-03-01)

    To be able to use OCI runtimes which do not implement checkpoint/restore this adds a check to the checkpoint code path and the checkpoint/restore tests to see if it knows about the checkpoint subcommand. If the used OCI runtime does not implement checkpoint/restore the tests are skipped and the actual 'podman container checkpoint' returns an error.

    Signed-off-by: Adrian Reber <areber@redhat.com>

* Allow Exec API user to override streams (Peter Hunt, 2019-02-28)

  Allow passing in of AttachStreams to libpod.Exec() for usage in podman healthcheck. An API caller can now specify different streams for stdout, stderr and stdin, or no streams at all.

  Signed-off-by: Peter Hunt <pehunt@redhat.com>
* oci: do not set XDG_RUNTIME_DIR twice (Giuseppe Scrivano, 2019-02-11)

  we are doing it a few lines above.

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2187 from rhatdan/selinux (OpenShift Merge Robot, 2019-01-21)

  Vendor in latest opencontainers/selinux

  * Vendor in latest opencontainers/selinux (Daniel J Walsh, 2019-01-18)

    This will now verify labels passed in by the user. Will also prevent users from accidentally relabeling their homedir.

    podman run -ti -v ~/home/user:Z fedora sh

    Is not a good idea.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #2142 from giuseppe/expose-ports (OpenShift Merge Robot, 2019-01-20)

  rootless: support port redirection from the host

  * rootless: support port redirection from the host (Giuseppe Scrivano, 2019-01-19)

    add support for ports redirection from the host. It needs slirp4netns v0.3.0-alpha.1.

    Closes: https://github.com/containers/libpod/issues/2081

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* libpod: allow multiple oci runtimes (Vincent Batts, 2019-01-14)

  This deprecates the libpod.conf variable of `runtime_path=`, and now has `runtimes=`, like a map for naming the runtime, preparing for a `--runtime` flag to `podman run` (i.e. runc, kata, etc.)

  Reference: https://github.com/containers/libpod/issues/1750

  Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>

* Move all libpod/ JSON references over to jsoniter (Matthew Heon, 2019-01-10)

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Add a --workdir option to 'podman exec' (Debarshi Ray, 2019-01-08)

  Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
* Set Socket label for container (Daniel J Walsh, 2018-12-12)

  This will allow container processes to write to the CRIU socket that gets injected into the container.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless: propagate XDG_RUNTIME_DIR to the OCI runtime (Giuseppe Scrivano, 2018-11-30)

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* oci: propagate NOTIFY_SOCKET on runtime start (Giuseppe Scrivano, 2018-11-28)

  with https://github.com/opencontainers/runc/pull/1807 we moved the systemd notify initialization from "create" to "start", so that the OCI runtime doesn't hang while waiting on reading from the notify socket. This means we also need to set the correct NOTIFY_SOCKET when start'ing the container.

  Closes: https://github.com/containers/libpod/issues/746

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Merge pull request #1848 from adrianreber/master (OpenShift Merge Robot, 2018-11-28)

  Add tcp-established to checkpoint/restore

  * Added tcp-established to checkpoint/restore (Adrian Reber, 2018-11-28)

    CRIU can checkpoint and restore processes/containers with established TCP connections if the correct option is specified. To implement checkpoint and restore with support for established TCP connections with Podman this commit adds the necessary options to runc during checkpoint and also tells conmon during restore to use 'runc restore' with '--tcp-established'.

    For this Podman feature to work a corresponding conmon change is required.

    Example:

    $ podman run --tmpfs /tmp --name podman-criu-test -d docker://docker.io/yovfiatbeb/podman-criu-test
    $ nc `podman inspect -l | jq -r '.[0].NetworkSettings.IPAddress'` 8080
    GET /examples/servlets/servlet/HelloWorldExample
    Connection: keep-alive

    1
    GET /examples/servlets/servlet/HelloWorldExample
    Connection: keep-alive

    2
    $ # Using HTTP keep-alive multiple requests are send to the server in the container
    $ # Different terminal:
    $ podman container checkpoint -l
    criu failed: type NOTIFY errno 0
    $ # Looking at the log file would show errors because of established TCP connections
    $ podman container checkpoint -l --tcp-established
    $ # This works now and after the restore the same connection as above can be used for requests
    $ podman container restore -l --tcp-established

    The restore would fail without '--tcp-established' as the checkpoint image contains established TCP connections.

    Signed-off-by: Adrian Reber <areber@redhat.com>

  * Use also a struct to pass options to Restore() (Adrian Reber, 2018-11-28)

    This is basically the same change as ff47a4c2d5485fc49f937f3ce0c4e2fd6bdb1956 (Use a struct to pass options to Checkpoint()) just for the Restore() function. It is used to pass multiple restore options to the API and down to conmon which is used to restore containers.

    This is for the upcoming changes to support checkpointing and restoring containers with '--tcp-established'.

    Signed-off-by: Adrian Reber <areber@redhat.com>

* Merge pull request #1849 from giuseppe/report-rootless-netmode (OpenShift Merge Robot, 2018-11-28)

  rootless: add new netmode "slirp4netns"

  * network: allow slirp4netns mode also for root containers (Giuseppe Scrivano, 2018-11-28)

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>