path: root/libpod/runtime.go
Commit message | Author | Age
* podman: use a different store for the rootless case | Giuseppe Scrivano | 2018-06-15
  so that the user has rw access to it.
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #871
  Approved by: mheon
* oci: do not set the cgroup path in Rootless mode | Giuseppe Scrivano | 2018-06-15
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #871
  Approved by: mheon
* runtime: add /usr/libexec/podman/conmon to the conmon paths | Giuseppe Scrivano | 2018-06-01
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Spell check strings and comments | Jhon Honce | 2018-05-25
  Signed-off-by: Jhon Honce <jhonce@redhat.com>
  Closes: #831
  Approved by: rhatdan
* Refresh pods when refreshing podman state | Matthew Heon | 2018-05-17
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #784
  Approved by: rhatdan
* libpod: Add HooksDirNotExistFatal | W. Trevor King | 2018-05-11
  And add an argument to WithHooksDir to set it. If the hook dir doesn't exist, the new hooks package considers that a fatal error. When a podman caller sets --hooks-dir-path=/some/typoed/directory, a fatal error is more helpful than silently not loading any hooks. However, callers who call podman without setting --hooks-dir-path may not need hooks at all. We don't want to pester those callers with not-exist errors. With this commit, we:

  * Assume the caller knows what they're doing if they set --hooks-dir-path and set HooksDirNotExistFatal.
  * If the caller does not explicitly set --hooks-dir-path, assume they won't mind if the hook directory is missing and set HooksDirNotExistFatal false.

  We also considered checking for the directory's existence in the code calling WithHooksDir or from within WithHooksDir, but checks there would race with the underlying ioutil.ReadDir in the hooks package. By pushing the warn/error decision down into libpod's implementation, we avoid a racy "do we expect this to work once libpod gets to it?" pre-check.

  I've also added a check to error if WithHooksDir is called with an empty-string argument, because we haven't defined the semantics of that (is it clearing a previous value? Is it effectively the same as the current directory?). I agree with Matthew that a separate WithNoHooks, or a *string argument to WithHooks, or some such would be a better API for clearing previous values [1]. But for now, I'm just erroring out to fail early for callers who might otherwise be surprised that libpod ignores empty-string HooksDir.

  [1]: https://github.com/projectatomic/libpod/pull/686#issuecomment-385119370

  Signed-off-by: W. Trevor King <wking@tremily.us>
  Closes: #686
  Approved by: mheon
* pkg/hooks: Version the hook structure and add 1.0.0 hooks | W. Trevor King | 2018-05-11
  This shifts the matching logic out of libpod/container_internal and into the hook package, where we can reuse it after vendoring into CRI-O. It also adds unit tests with almost-complete coverage. Now libpod is even more isolated from the hook internals, which makes it fairly straightforward to bump the hook config file to 1.0.0. I've dubbed the old format 0.1.0, although it doesn't specify an explicit version. Motivation for some of my changes with 1.0.0:

  * Add an explicit version field. This will make any future JSON structure migrations more straightforward by avoiding the need for version-guessing heuristics.
  * Collect the matching properties in a new When sub-structure. This makes the root Hook structure easier to understand, because you don't have to read over all the matching properties when wrapping your head around Hook.
  * Replace the old 'hook' and 'arguments' with a direct embedding of the runtime-spec's hook structure. This provides access to additional upstream properties (args[0], env, and timeout) and avoids the complication of a CRI-O-specific analog structure.
  * Add a 'when.always' property. You can usually accomplish this effect in another way (e.g. when.commands = [".*"]), but having a boolean explicitly for this use-case makes for easier reading and writing.
  * Replace the previous annotations array with an annotations map. The 0.1.0 approach matched only the values regardless of key, and that seems unreliable.
  * Replace 'cmds' with 'when.commands', because while there are a few ways to abbreviate "commands", there's only one way to write it out in full ;). This gives folks one less thing to remember when writing hook JSON.
  * Replace the old "inject if any specified condition matches" with "inject if all specified conditions match". This allows for more precise targeting. Users that need more generous targeting can recover the previous behavior by creating a separate 1.0.0 hook file for each specified 0.1.0 condition.

  I've added doc-compat support for the various pluralizations of the 0.1.0 properties. Previously, the docs and code were not in agreement. More on this particular facet in [1].

  I've updated the docs to point out that the annotations being matched are the OCI config annotations. This differs from CRI-O, where the annotations used are the Kubernetes-supplied annotations [2,3]. For example, io.kubernetes.cri-o.Volumes [4] is part of CRI-O's runtime config annotations [5], but not part of the Kubernetes-supplied annotations CRI-O uses for matching hooks.

  The Monitor method supports the CRI-O use-case [6]. podman doesn't need it directly, but CRI-O will need it when we vendor this package there.

  I've used nvidia-container-runtime-hook for the annotation examples because Dan mentioned the Nvidia folks as the motivation behind annotation matching. The environment variables are documented in [7]. The 0.1.0 hook config, which does not allow for environment variables, only works because runc currently leaks the host environment into the hooks [8]. I haven't been able to find documentation for their usual annotation trigger or hook-install path, so I'm just guessing there.

  [1]: https://github.com/kubernetes-incubator/cri-o/pull/1235
  [2]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L760
  [3]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L772
  [4]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/pkg/annotations/annotations.go#L97-L98
  [5]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L830-L834
  [6]: https://github.com/kubernetes-incubator/cri-o/pull/1345/
  [7]: https://github.com/NVIDIA/nvidia-container-runtime/tree/v1.3.0-1#environment-variables-oci-spec
  [8]: https://github.com/opencontainers/runc/pull/1738

  Signed-off-by: W. Trevor King <wking@tremily.us>
  Closes: #686
  Approved by: mheon
* Add --cgroup-manager flag to Podman binary | Matthew Heon | 2018-05-11
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #507
  Approved by: baude
* podman, userNS: configure an intermediate mount namespace | Giuseppe Scrivano | 2018-05-04
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Closes: #690
  Approved by: mheon
* Modify secrets pkg | umohnani8 | 2018-04-27
  Made a mistake in my earlier patch. I thought that if you add an empty string to an array, the length of the array would still be 0... Realised this when vendoring the secrets pkg into cri-o.
  Signed-off-by: umohnani8 <umohnani@redhat.com>
  Closes: #685
  Approved by: mheon
* Add --default-mounts-file hidden flag | umohnani8 | 2018-04-26
  The hidden flag is used to override the path of the default mounts file for testing purposes. Also modified the secrets pkg to allow for this override to happen.
  Signed-off-by: umohnani8 <umohnani@redhat.com>
  Closes: #678
  Approved by: mheon
* regression: tls verify should be set on registries.conf if insecure | baude | 2018-04-18
  In the case where podman needs to pull an image, if the registry that the image resides on is known to be insecure (as defined in /etc/containers/registries.conf), tls-verify should be altered on the fly.
  Signed-off-by: baude <bbaude@redhat.com>
  Closes: #626
  Approved by: mheon
* Add hooks support to podman | Daniel J Walsh | 2018-04-05
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #155
  Approved by: mheon
* Check for duplicate names when generating new container and pod names. | Daniel J Walsh | 2018-03-29
  This fixes the situation where we fail to create a container when a name already exists.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #517
  Approved by: baude
* Remove current SQLite DB driver | Matthew Heon | 2018-03-26
  The SQLite DB backend has become an unmanageable nightmare. I like having the option for DB work, but it's become an active hindrance to further development, and it's definitely not in any shape to be actively used.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #548
  Approved by: baude
* Image library stage 4 - create and commit | baude | 2018-03-20
  Migrate the podman create and commit subcommands to leverage the images library. I also had to migrate the cmd/ portions of run and rmi.
  Signed-off-by: baude <bbaude@redhat.com>
  Closes: #498
  Approved by: mheon
* Fix review comments | Matthew Heon | 2018-03-06
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #430
  Approved by: rhatdan
* Change standard config path and add override config | Matthew Heon | 2018-03-06
  The standard config has moved to /usr/share/containers/ per discussion. An override configuration file is allowed at the previous /etc/containers/ location. This override will be used in place of the normal config if both are present, and exists to override distro packaged configs without modifying the standard config.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #430
  Approved by: rhatdan
* Fix Conmon error to display Conmon paths | Matthew Heon | 2018-03-06
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #430
  Approved by: rhatdan
* Add support to load runtime configuration from config file | Matthew Heon | 2018-03-06
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #430
  Approved by: rhatdan
* Add ability to dump config to file as TOML | Matthew Heon | 2018-03-06
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #430
  Approved by: rhatdan
* Change conmon and runtime paths to arrays | Matthew Heon | 2018-03-06
  This allows more graceful handling of multiple paths in a config file.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #430
  Approved by: rhatdan
* podman info add registries | baude | 2018-02-28
  Add registries and insecure registries to the podman info output. This gives us some compatibility with other container runtimes.
  Resolves issue #420
  Signed-off-by: baude <bbaude@redhat.com>
  Closes: #422
  Approved by: mheon
* CNIPluginDir: check "/usr/lib/cni" | Valentin Rothberg | 2018-02-28
  Also consider "/usr/lib/cni" as a potential directory for CNI plugins. On some distributions, e.g., on openSUSE, %{_libexecdir} evaluates to "/usr/lib".
  Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
  Closes: #416
  Approved by: mheon
* Add ubuntu paths | baude | 2018-02-26
  The packages in Lokesh's ppa, which is currently used for podman, put the conmon and runc binaries in /usr/lib/crio/bin/conmon and /usr/lib/cri-o-runc/sbin/runc respectively.
  Signed-off-by: baude <bbaude@redhat.com>
  Closes: #406
  Approved by: baude
* Remove unused registry related options from libpod | Matthew Heon | 2018-02-19
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #349
  Approved by: rhatdan
* Add implementation for BoltDB-backed state | Matthew Heon | 2018-02-12
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #184
  Approved by: baude
* libpod/runtime.go: Stick paths in arrays | baude | 2018-01-31
  To account for more path possibilities, we now iterate a string array of possible paths to try and find paths to runc and conmon.
  Signed-off-by: baude <bbaude@redhat.com>
  Closes: #278
  Approved by: baude
* libpod/runtime.go: runtime path | baude | 2018-01-31
  Ubuntu installs runc to /usr/sbin/runc, so we now account for that. Also, added a small check when creating a new runtime that if we cannot find the runc binary, we bail out.
  Signed-off-by: baude <bbaude@redhat.com>
  Closes: #276
  Approved by: baude
* Add StopWithTimeout API function for containers | Matthew Heon | 2018-01-30
  Normal Stop should not need a timeout, and should use the default. Add a function that does accept a timeout alongside it.
  Signed-off-by: Matthew Heon <mheon@redhat.com>
  Closes: #272
  Approved by: rhatdan
* Fix seccomp support | Daniel J Walsh | 2018-01-18
  If the user does not specify a seccomp file, or the seccomp file does not exist, then use the default seccomp settings. Still need to not hard code /etc/crio/seccomp.json; should move this to /usr/share/seccomp/seccomp.json.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #233
  Approved by: baude
* Address review comments | Matthew Heon | 2018-01-17
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #229
  Approved by: rhatdan
* Wire in logic for selecting backing state impl | Matthew Heon | 2018-01-17
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #229
  Approved by: rhatdan
* Remove unused fields from runtime config | Matthew Heon | 2018-01-12
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #212
  Approved by: rhatdan
* Update CNI plugin directories to search default location as well | Matthew Heon | 2018-01-11
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Remove vendored files unnecessary after Kube hostport removal | Matthew Heon | 2018-01-08
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #189
  Approved by: mheon
* Remove Kubernetes hostport support | Matthew Heon | 2018-01-08
  This can now be handled by CNI plugins, so let them manage ports instead.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #189
  Approved by: mheon
* Extend search path for conmon | baude | 2018-01-02
  Adding /usr/libexec/crio/conmon to the list of places to look for conmon.
  Signed-off-by: baude <bbaude@redhat.com>
  Closes: #172
  Approved by: rhatdan
* Plumb through the --stop-timeout signal handling | Daniel J Walsh | 2017-12-20
  podman run/create have the ability to set the stop timeout flag. We need to store it in the database. Also, allowing negative time for stop timeout makes no sense, so switching to a timeout of uint allows users to specify huge timeout values.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
  Closes: #158
  Approved by: TomSweeneyRedHat
* Change default directory for CNI plugins | Matthew Heon | 2017-12-14
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #109
  Approved by: mheon
* Add iptables integration to network code | Matthew Heon | 2017-12-14
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #109
  Approved by: mheon
* Wire in net plugin into libpod | Matthew Heon | 2017-12-14
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #109
  Approved by: mheon
* Remove lock existence checks when creating pods/containers | Matthew Heon | 2017-12-14
  Given that we don't have a good way of cleaning up locks, these could potentially cause issues if we ever reuse a container or pod ID. Also changes locks dir to use tmpfs, as we can't directly clean up locks.
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
  Closes: #138
  Approved by: rhatdan
* Update kpod info to use new libpod api | umohnani8 | 2017-12-14
  Signed-off-by: umohnani8 <umohnani@redhat.com>
  Closes: #124
  Approved by: mheon
* Merge pull request #72 from mheon/file_locking | Daniel J Walsh | 2017-12-11
  Move containers to file locks from c/storage
| * Remove SQL state locking and rely on sqlite locking | Matthew Heon | 2017-12-04
    Also renames some parameters from locksDir -> lockDir for consistency.
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Move containers to file locks from c/storage | Matthew Heon | 2017-12-04
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Add ability to refresh state in DB | Matthew Heon | 2017-12-07
    Also, ensure we always recreate runtime spec so our net namespace paths will be correct.
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Fix potential race condition in initializing libpod | Matthew Heon | 2017-12-04
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Add handling for system restart in libpod | Matthew Heon | 2017-12-04
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>