aboutsummaryrefslogtreecommitdiff
path: root/libpod/runtime_ctr.go
Commit message (Collapse)AuthorAge
...
* rootless: use a single user namespaceGiuseppe Scrivano2019-04-01
| | | | | | | | | | | | | | | | | | | | | simplify the rootless implementation to use a single user namespace for all the running containers. This makes the rootless implementation behave more like root Podman, where each container is created in the host environment. There are multiple advantages to it: 1) much simpler implementation as there is only one namespace to join. 2) we can join namespaces owned by different containers. 3) commands like ps won't be limited to what container they can access as previously we either had access to the storage from a new namespace or access to /proc when running from the host. 4) rootless varlink works. 5) there are only two ways to enter in a namespace, either by creating a new one if no containers are running or joining the existing one from any container. Containers created by older Podman versions must be restarted. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* userns: do not use an intermediate mount namespaceGiuseppe Scrivano2019-03-29
| | | | | | | | | | | | | | We have an issue in the current implementation where the cleanup process is not able to umount the storage as it is running in a separate namespace. Simplify the implementation for user namespaces by not using an intermediate mount namespace. For doing it, we need to relax the permissions on the parent directories and allow browsing them. Containers that are running without a user namespace, will still maintain mode 0700 on their directory. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* volumes: push the chown logic to runtime_volume_linux.goGiuseppe Scrivano2019-03-29
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Remove ulele/deepcopier in favor of JSON deep copyMatthew Heon2019-03-27
| | | | | | | | | | | | | We have a very high performance JSON library that doesn't need to perform code generation. Let's use it instead of our questionably performant, reflection-dependent deep copy library. Most changes because some functions can now return errors. Also converts cmd/podman to use jsoniter, instead of pkg/json, for increased performance. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* volume: create new volumes with right ownershipGiuseppe Scrivano2019-03-21
| | | | | | | when we create a new volume we must be sure it is owned by root in the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: change default path for conmon.pidGiuseppe Scrivano2019-03-15
| | | | | | | | | | | | We cannot use the RunDir for writing the conmon.pid file as we might not be able to read it before we join a namespace, since it is owned by the root in the container which can be a different uid when using uidmap. To avoid completely the issue, we will just write it to the static dir which is always readable by the unprivileged user. Closes: https://github.com/containers/libpod/issues/2673 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add event logging to libpod, even display to podmanbaude2019-03-11
| | | | | | | | | | | | | | | | | In lipod, we now log major events that occurr. These events can be displayed using the `podman events` command. Each event contains: * Type (container, image, volume, pod...) * Status (create, rm, stop, kill, ....) * Timestamp in RFC3339Nano format * Name (if applicable) * Image (if applicable) The format of the event and the varlink endpoint are to not be considered stable until cockpit has done its enablement. Signed-off-by: baude <bbaude@redhat.com>
* Only remove image volumes when removing containersMatthew Heon2019-02-26
| | | | | | | | | | | | When removing volumes with rm --volumes we want to only remove volumes that were created with the container. Volumes created separately via 'podman volume create' should not be removed. Also ensure that --rm implies volumes will be removed. Fixes #2441 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Remove locks from volumesMatthew Heon2019-02-21
| | | | | | | | | | | | | | | | | | | I was looking into why we have locks in volumes, and I'm fairly convinced they're unnecessary. We don't have a state whose accesses we need to guard with locks and syncs. The only real purpose for the lock was to prevent concurrent removal of the same volume. Looking at the code, concurrent removal ought to be fine with a bit of reordering - one or the other might fail, but we will successfully evict the volume from the state. Also, remove the 'prune' bool from RemoveVolume. None of our other API functions accept it, and it only served to toggle off more verbose error messages. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* OpenTracing support added to start, stop, run, create, pull, and psSebastian Jug2019-02-18
| | | | | | Drop context.Context field from cli.Context Signed-off-by: Sebastian Jug <sejug@redhat.com>
* Fix volume handling in podmanDaniel J Walsh2019-02-14
| | | | | | | | | | | | | | | | | | iFix builtin volumes to work with podman volume Currently builtin volumes are not recored in podman volumes when they are created automatically. This patch fixes this. Remove container volumes when requested Currently the --volume option on podman remove does nothing. This will implement the changes needed to remove the volumes if the user requests it. When removing a volume make sure that no container uses the volume. Signed-off-by: Daniel J Walsh dwalsh@redhat.com Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Remove container from storage on --forceDaniel J Walsh2019-02-09
| | | | | | | | | Currently we can get into a state where a container exists in storage but does not exist in libpod. If the user forces a removal of this container, then we should remove it from storage even if the container is owned by another tool. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* podman-remote import|exportbaude2019-02-05
| | | | | | | | addition of import and export for the podman-remote client. This includes the ability to send and receive files between the remote-client and the "podman" host using an upgraded varlink connection. Signed-off-by: baude <bbaude@redhat.com>
* podman-remote inspectbaude2019-01-18
| | | | | | base enablement of the inspect command. Signed-off-by: baude <bbaude@redhat.com>
* config: store the runtime used to create each containerGiuseppe Scrivano2019-01-14
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Rename libpod.Config back to ContainerConfigMatthew Heon2019-01-07
| | | | | | | | | | During an earlier bugfix, we swapped all instances of ContainerConfig to Config, which was meant to fix some data we were returning from Inspect. This unfortunately also renamed a libpod internal struct for container configs. Undo the rename here. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Move lock init after tmp dir is populated properlyMatthew Heon2019-01-04
| | | | | | | | | Don't initialize the lock manager until almost the end of libpod init, so we can guarantee our tmp dir is properly set up and exists. This wasn't an issue on systems that had previously run Podman, but CI caught it. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Convert pods to SHM locksMatthew Heon2019-01-04
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Convert containers to SHM lockingMatthew Heon2019-01-04
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Fixes to handle /dev/shm correctly.Daniel J Walsh2018-12-24
| | | | | | | | | | | | | | | | | | We had two problems with /dev/shm, first, you mount the container read/only then /dev/shm was mounted read/only. This is a bug a tmpfs directory should be read/write within a read-only container. The second problem is we were ignoring users mounted /dev/shm from the host. If user specified podman run -d -v /dev/shm:/dev/shm ... We were dropping this mount and still using the internal mount. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Switch all referencs to image.ContainerConfig to image.ConfigDaniel J Walsh2018-12-21
| | | | | | This will more closely match what Docker is doing. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* libpod: always store the conmon pid fileGiuseppe Scrivano2018-12-21
| | | | | | | we need this information to later be able to join the conmon process. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add "podman volume" commandumohnani82018-12-06
| | | | | | | | | | | | | | | Add support for podman volume and its subcommands. The commands supported are: podman volume create podman volume inspect podman volume ls podman volume rm podman volume prune This is a tool to manage volumes used by podman. For now it only handle named volumes, but eventually it will handle all volumes used by podman. Signed-off-by: umohnani8 <umohnani@redhat.com>
* rm -f now removes a paused containerbaude2018-11-08
| | | | | | | | | | | | We now can remove a paused container by sending it a kill signal while it is paused. We then unpause the container and it is immediately killed. Also, reworked how the parallelWorker results are handled to provide a more consistent approach to how each subcommand implements it. It also fixes a bug where if one container errors, the error message is duplicated when printed out. Signed-off-by: baude <bbaude@redhat.com>
* EXPERIMENTAL: Do not call out to runc for syncMatthew Heon2018-11-07
| | | | | | | | | | | | | | | When syncing container state, we normally call out to runc to see the container's status. This does have significant performance implications, though, and we've seen issues with large amounts of runc processes being spawned. This patch attempts to use stat calls on the container exit file created by Conmon instead to sync state. This massively decreases the cost of calling updateContainer (it has gone from an almost-unconditional fork/exec of runc to a single stat call that can be avoided in most states). Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Allow containers/storage to handle on SELinux labelingDaniel J Walsh2018-10-23
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix bug with exited state and container removeMatthew Heon2018-10-02
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Address review comments and fix ps outputMatthew Heon2018-10-02
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Add ContainerStateExited and OCI delete() in cleanup()Matthew Heon2018-10-02
| | | | | | | | | | | | | | | | To work better with Kata containers, we need to delete() from the OCI runtime as a part of cleanup, to ensure resources aren't retained longer than they need to be. To enable this, we need to add a new state to containers, ContainerStateExited. Containers transition from ContainerStateStopped to ContainerStateExited via cleanupRuntime which is invoked as part of cleanup(). A container in the Exited state is identical to Stopped, except it has been removed from the OCI runtime and thus will be handled differently when initializing the container. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Add new field to libpod to indicate whether or not to use labellingDaniel J Walsh2018-09-20
| | | | | | | | | | | | | | | Also update some missing fields libpod.conf obtions in man pages. Fix sort order of security options and add a note about disabling labeling. When a process requests a new label. libpod needs to reserve all labels to make sure that their are no conflicts. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1406 Approved by: mheon
* Fixing network ns segfaulthaircommander2018-08-23
| | | | | | | | | As well as small style corrections, update pod_top_test to use CreatePod, and move handling of adding a container to the pod's namespace from container_internal_linux to libpod/option. Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1187 Approved by: mheon
* Change pause container to infra containerhaircommander2018-08-23
| | | | | | | Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1187 Approved by: mheon
* Added option to share kernel namespaces in libpod and podmanhaircommander2018-08-23
| | | | | | | | | A pause container is added to the pod if the user opts in. The default pause image and command can be overridden. Pause containers are ignored in ps unless the -a option is present. Pod inspect and pod ps show shared namespaces and pause container. A pause container can't be removed with podman rm, and a pod can be removed if it only has a pause container. Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1187 Approved by: mheon
* removeContainer: fix deadlockValentin Rothberg2018-08-10
| | | | | | | | | | | | When checking if the container has already been removed, use c.state.HasContainer() instead of the runtime's API to avoid trying to take the already acquired lock. Fixes: #1245 Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Closes: #1251 Approved by: baude
* Fix CGroupFS cgroup manager cgroup creation for podsMatthew Heon2018-08-08
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1237 Approved by: rhatdan
* Set namespace for new pods/containers based on runtimeMatthew Heon2018-07-24
| | | | | | | | New containers and pods will default to the namespace of the runtime, but this can be overridden by With... options if desired. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Returning joining namespace error should not be fatalDaniel J Walsh2018-06-29
| | | | | | | | | | | | | | | | | | | | | | I got my database state in a bad way by killing a hanging container. It did not setup the network namespace correctly listing/remove bad containers becomes impossible. podman run alpine/nginx ^c got me in this state. I got into a state in the database where podman ps -a was returning errors and I could not get out of it, Makeing joining the network namespace a non fatal error fixes the issue. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #918 Approved by: mheon
* Mark containers invalid earlier during removalMatthew Heon2018-06-27
| | | | | | | | | | | Fixes a bug where we might try saving back to the database during cleanup, which would fail as the container was already removed from the database. Signed-off-by: Matthew Heon <mheon@redhat.com> Closes: #1001 Approved by: rhatdan
* Remove container from state before cleaning up.Daniel J Walsh2018-06-10
| | | | | | | | | | Attempt to cleanup as much of the container as possible, even if one of the cleanup stages fails. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #895 Approved by: mheon
* libpod: Execute poststop hooks locallyW. Trevor King2018-06-04
| | | | | | | | | | | | Instead of delegating to the runtime, since some runtimes do not seem to handle these reliably [1]. [1]: https://github.com/projectatomic/libpod/issues/730#issuecomment-392959938 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #864 Approved by: rhatdan
* Add per-pod CGroupsMatthew Heon2018-05-17
| | | | | | | | | | | | | Pods can now create their own (cgroupfs) cgroups which containers in them can (optionally) use. This presently only works with CGroupFS, systemd cgroups are still WIP Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #784 Approved by: rhatdan
* Use container cleanup() functions when removingMatthew Heon2018-05-17
| | | | | | | | | | | | Instead of manually calling the individual functions that cleanup uses to tear down a container's resources, just call the cleanup function to make sure that cleanup only needs to happen in one place. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #790 Approved by: rhatdan
* Remove parent cgroup we create with cgroupfsMatthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* Add validation for CGroup parents. Pass CGroups path into runcMatthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* podman, userNS: configure an intermediate mount namespaceGiuseppe Scrivano2018-05-04
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #690 Approved by: mheon
* Vendor in latest containers/image and contaners/storageumohnani82018-04-19
| | | | | | | | | Made necessary changes to functions to include contex.Context wherever needed Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #640 Approved by: baude
* Error is already wrapped properly.Daniel J Walsh2018-03-29
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #517 Approved by: baude
* Check for duplicate names when generating new container and pod names.Daniel J Walsh2018-03-29
| | | | | | | | | This fixes the situation where we fail to create a container when a name already exists. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #517 Approved by: baude
* Handle removing containers with active exec sessionsMatthew Heon2018-03-01
| | | | | | | | | | | | | For containers without --force set, an error will be returned For containers with --force, all pids in the container will be stopped, first with SIGTERM and then with SIGKILL after a timeout (this mimics the behavior of stopping a container). Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #412 Approved by: baude
* Add implementation for BoltDB-backed stateMatthew Heon2018-02-12
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #184 Approved by: baude