summaryrefslogtreecommitdiff
path: root/libpod/oci_linux.go
Commit message (Collapse)AuthorAge
* oci: fix umount of /sys/kernelGiuseppe Scrivano2019-04-14
| | | | | | | if the mount was already umounted as part of the cleanup (i.e. being a submount), the umount would fail. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* userns: prevent /sys/kernel/* paths in the containerGiuseppe Scrivano2019-04-11
| | | | | | | | | | | | | | | | | when we run in a user namespace, there are cases where we have not enough privileges to mount a fresh sysfs on /sys. To circumvent this limitation, we rbind /sys from the host. This carries inside of the container also some mounts we probably don't want to. We are also limited by the kernel to use rbind instead of bind, as allowing a bind would uncover paths that were not previously visible. This is a slimmed down version of the intermediate mount namespace logic we had before, where we only set /sys to slave, so the umounts done to the storage by the cleanup process are propagated back to the host. We also don't setup any new directory, so there is no additional cleanup to do. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* userns: do not use an intermediate mount namespaceGiuseppe Scrivano2019-03-29
| | | | | | | | | | | | | | We have an issue in the current implementation where the cleanup process is not able to umount the storage as it is running in a separate namespace. Simplify the implementation for user namespaces by not using an intermediate mount namespace. For doing it, we need to relax the permissions on the parent directories and allow browsing them. Containers that are running without a user namespace, will still maintain mode 0700 on their directory. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* userns: use the intermediate mountns for volumesGiuseppe Scrivano2019-03-21
| | | | | | | | | | | when --uidmap is used, the user won't be able to access /var/lib/containers/storage/volumes. Use the intermediate mount namespace, that is accessible to root in the container, for mounting the volumes inside the container. Closes: https://github.com/containers/libpod/issues/2713 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Use also a struct to pass options to Restore()Adrian Reber2018-11-28
| | | | | | | | | | | | | This is basically the same change as ff47a4c2d5485fc49f937f3ce0c4e2fd6bdb1956 (Use a struct to pass options to Checkpoint()) just for the Restore() function. It is used to pass multiple restore options to the API and down to conmon which is used to restore containers. This is for the upcoming changes to support checkpointing and restoring containers with '--tcp-established'. Signed-off-by: Adrian Reber <areber@redhat.com>
* Lint: Extract constant unknownPackageŠimon Lukašík2018-11-10
| | | | | | Addressing goconst warning: 3 other occurrence(s) of "Unknown" found Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
* Do not hide errors when creating container with UserNSRootŠimon Lukašík2018-11-08
| | | | | | | | | This one is tricky. By using `:=` operator we have made err variable to be local in the gorutine and different from `err` variable in the surrounding function. And thus `createContainer` function returned always nil, even in cases when some error occurred in the gorutine. Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
* Add support to checkpoint/restore containersAdrian Reber2018-10-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | runc uses CRIU to support checkpoint and restore of containers. This brings an initial checkpoint/restore implementation to podman. None of the additional runc flags are yet supported and container migration optimization (pre-copy/post-copy) is also left for the future. The current status is that it is possible to checkpoint and restore a container. I am testing on RHEL-7.x and as the combination of RHEL-7 and CRIU has seccomp troubles I have to create the container without seccomp. With the following steps I am able to checkpoint and restore a container: # podman run --security-opt="seccomp=unconfined" -d registry.fedoraproject.org/f27/httpd # curl -I 10.22.0.78:8080 HTTP/1.1 403 Forbidden # <-- this is actually a good answer # podman container checkpoint <container> # curl -I 10.22.0.78:8080 curl: (7) Failed connect to 10.22.0.78:8080; No route to host # podman container restore <container> # curl -I 10.22.0.78:8080 HTTP/1.1 403 Forbidden I am using CRIU, runc and conmon from git. All required changes for checkpoint/restore support in podman have been merged in the corresponding projects. To have the same IP address in the restored container as before checkpointing, CNI is told which IP address to use. If the saved network configuration cannot be found during restore, the container is restored with a new IP address. For CRIU to restore established TCP connections the IP address of the network namespace used for restore needs to be the same. For TCP connections in the listening state the IP address can change. During restore only one network interface with one IP address is handled correctly. Support to restore containers with more advanced network configuration will be implemented later. v2: * comment typo * print debug messages during cleanup of restore files * use createContainer() instead of createOCIContainer() * introduce helper CheckpointPath() * do not try to restore a container that is paused * use existing helper functions for cleanup * restructure code flow for better readability * do not try to restore if checkpoint/inventory.img is missing * git add checkpoint.go restore.go v3: * move checkpoint/restore under 'podman container' v4: * incorporated changes from latest reviews Signed-off-by: Adrian Reber <areber@redhat.com>
* rootless: check uid with Geteuid() instead of Getuid()Giuseppe Scrivano2018-09-04
| | | | | | | | | | | | change the tests to use chroot to set a numeric UID/GID. Go syscall.Credential doesn't change the effective UID/GID of the process. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1372 Approved by: mheon
* switch projectatomic to containersDaniel J Walsh2018-08-16
| | | | | | | | | | Need to get some small changes into libpod to pull back into buildah to complete buildah transition. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1270 Approved by: mheon
* Create pod CGroups when using the systemd cgroup driverMatthew Heon2018-08-15
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1266 Approved by: baude
* Add dpkg support for returning oci/conmon versionsDaniel J Walsh2018-08-07
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1224 Approved by: baude
* Have info print conmon/oci runtime informationDaniel J Walsh2018-08-07
| | | | | | | | | We need into to identify the OCI runtime and conmon used by podman. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1224 Approved by: baude
* Remove per-container CGroup parentsMatthew Heon2018-07-06
| | | | | | | | | | | | | | | | | | | Originally, it seemed like a good idea to place Conmon and the container it managed under a shared CGroup, so we could manage the two together. It's become increasingly clear that this is a potential performance sore point, gains us little practical benefit in managing Conmon, and adds extra steps to container cleanup that interfere with Conmon postrun hooks. Revert back to a shared CGroup for conmon processes under the CGroup parent. This will retain per-pod conmon CGroups as well if the pod is set to create a CGroup and act as CGroup parent for its containers. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1051 Approved by: umohnani8
* more changes to compile darwinbaude2018-07-05
| | | | | | | | | | | | | | | | this should represent the last major changes to get darwin to **compile**. again, the purpose here is to get darwin to compile so that we can eventually implement a ci task that would protect against regressions for darwin compilation. i have left the manual darwin compilation largely static still and in fact now only interject (manually) two build tags to assist with the build. trevor king has great ideas on how to make this better and i will defer final implementation of those to him. Signed-off-by: baude <bbaude@redhat.com> Closes: #1047 Approved by: rhatdan
* changes to allow for darwin compilationbaude2018-06-29
Signed-off-by: baude <bbaude@redhat.com> Closes: #1015 Approved by: baude