summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* cleanup: always delete netns mountPaul Holzinger2022-09-30
| | | | | | | | | | | | | | We should not keep the netns if there was a cleanup problem. Deleting the netns will also delete the virtual links inside and thus make the IPs available again for the next use. context: https://github.com/containers/netavark/issues/302 [NO NEW TESTS NEEDED] This is very hard to trigger reliable and it would need to work with cni and netavark. This mostly happens because of specic bugs but those will be fixed and then this test would fail. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* container inspect: include image digestValentin Rothberg2022-09-30
| | | | | | | | | Include the digest of the image in `podman container inspect`. The image digest is a key information for auditing as it defines the identify of an image. This way, it can be determined whether a container used an image with a given CVE etc. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* libpod: Add volume support for FreeBSDDoug Rabson2022-09-27
| | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* libpod: Factor out usage of unix.MNT_DETACH from (*Volume).unmountDoug Rabson2022-09-27
| | | | | | | | | | | There is an existing wrapper for unix.Unmount(..., MNT_DETACH) in util_linux.go but that filters all errors and for volumes, we only want to filter EINVAL. The existing libpod.Unmount seems to only have one call site so perhaps these can be merged. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* libpod: Move volume_internal_linux.go to volume_internal_common.goDoug Rabson2022-09-27
| | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* libpod: Move runtime_volume_linux.go to runtime_volume_common.goDoug Rabson2022-09-27
| | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* auto-update: validate container imageValentin Rothberg2022-09-26
| | | | | | | | | | | Auto updates using the "registry" policy require container to be created with a fully-qualified image reference. Short names are not supported due the ambiguity of their source registry. Initially, container creation errored out for non FQN images but it seems that Podman has regressed. Fixes: #15879 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* Merge pull request #15463 from mheon/fix_15408OpenShift Merge Robot2022-09-23
|\ | | | | Events for containers in pods now include the pod's ID
| * Events for containers in pods now include the pod's IDMatthew Heon2022-09-22
| | | | | | | | | | | | | | | | | | | | This allows tools like Cockpit to know that the pod in question has also been updated, so they can refresh the list of containers in the pod. Fixes #15408 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Add support for 'image' volume driverMatthew Heon2022-09-22
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | We added the concept of image volumes in 2.2.0, to support inspecting an image from within a container. However, this is a strictly read-only mount, with no modification allowed. By contrast, the new `image` volume driver creates a c/storage container as its underlying storage, so we have a read/write layer. This, in and of itself, is not especially interesting, but what it will enable in the future is. If we add a new command to allow these image volumes to be committed, we can now distribute volumes - and changes to them - via a standard OCI image registry (which is rather new and quite exciting). Future work in this area: - Add support for `podman volume push` (commit volume changes and push resulting image to OCI registry). - Add support for `podman volume pull` (currently, we require that the image a volume is created from be already pulled; it would be simpler if we had a dedicated command that did the pull and made a volume from it) - Add support for scratch images (make an empty image on demand to use as the base of the volume) - Add UOR support to `podman volume push` and `podman volume pull` to enable both with non-image volume drivers Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Don't mount /dev/tty* inside privileged containers running systemdDan Čermák2022-09-22
| | | | | | | | | | | | | | According to https://systemd.io/CONTAINER_INTERFACE/, systemd will try take control over /dev/ttyN if exported, which can cause conflicts with the host's tty in privileged containers. Thus we will not expose these to privileged containers in systemd mode, as this is a bad idea according to systemd's maintainers. Additionally, this commit adds a bats regression test to check that no /dev/ttyN are present in a privileged container in systemd mode This fixes https://github.com/containers/podman/issues/15878 Signed-off-by: Dan Čermák <dcermak@suse.com>
* Merge pull request #15871 from cevich/replace_ioutilOpenShift Merge Robot2022-09-21
|\ | | | | Replace deprecated ioutil
| * Replace deprecated ioutilChris Evich2022-09-20
| | | | | | | | | | | | | | | | | | | | Package `io/ioutil` was deprecated in golang 1.16, preventing podman from building under Fedora 37. Fortunately, functionality identical replacements are provided by the packages `io` and `os`. Replace all usage of all `io/ioutil` symbols with appropriate substitutions according to the golang docs. Signed-off-by: Chris Evich <cevich@redhat.com>
* | libpod: Implement 'podman cp' for FreeBSDDoug Rabson2022-09-20
| | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* | libpod: Move jointMountAndExec to container_copy_linux.goDoug Rabson2022-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | This also moves the logic for resolving paths in running and stopped containers tp container_copy_linux.go. On FreeBSD, we can execute the function argument to joinMountAndExec directly using host-relative paths since the host mount namespace includes all the container mounts. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* | libpod: Move part of (*Container).stat to container_stat_linux.goDoug Rabson2022-09-20
| | | | | | | | | | | | | | | | | | | | The logic that treats running containers differently from stopped containers is not needed on FreeBSD where the container mounts live in a global mount namespace. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* | libpod: Move container_copy_linux.go to container_copy_common.goDoug Rabson2022-09-20
| | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* | libpod: Move container_stat_linux.go to container_stat_common.goDoug Rabson2022-09-20
|/ | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* label.Relabel third option is shared not recurseDaniel J Walsh2022-09-17
| | | | | | | | | | | There is no option in Selinux labeling to only relabel the top level of a directory. The option is to either label the path shared or not shared. Changing to make sure future engineers do not assume that recurse can work. [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #15757 from mheon/fix_15526OpenShift Merge Robot2022-09-15
|\ | | | | Introduce graph-based pod container removal
| * Introduce graph-based pod container removalMatthew Heon2022-09-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Originally, during pod removal, we locked every container in the pod at once, did a number of validity checks to ensure everything was safe, and then removed all the containers in the pod. A deadlock was recently discovered with this approach. In brief, we cannot lock the entire pod (or much more than a single container at a time) without causing a deadlock. As such, we converted to an approach where we just looped over each container in the pod, removing them individually. Unfortunately, this removed a lot of the validity checking of the earlier approach, allowing for a lot of unintended bad things. Infra containers could be removed while containers in the pod still depended on them, for example. There's no easy way to do validity checks while in a simple loop, so I implemented a version of our graph-traversal logic that currently handles pod start. This version acts in the reverse order of startup: startup starts from containers which depend on nothing and moves outwards, while removal acts on containers which have nothing depend on them and moves inwards. By doing graph traversal, we can guarantee that nothing is removed while something that depends on it still exists - so the infra container should be the last thing in a pod that is removed, for example. In the (unlikely) case that a graph of the pod's containers cannot be built (most likely impossible without database editing) the old method of pod removal has been retained to ensure that even misbehaving pods can be forcibly evicted from the state. I'm fairly confident that this resolves the problem, but there are a lot of assumptions around dependency structure built into the original pod removal code and I am not 100% sure I have captured all of them. Fixes #15526 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | libpod: Make getContainerInspectData work on FreeBSDDoug Rabson2022-09-15
| | | | | | | | | | | | | | | | | | | | This makes setting EffectiveCaps and BoundingCaps conditional on whether the capabilites field in the spec is non-nil. This allows 'podman inspect' to work on FreeBSD. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* | libpod: Factor out platform-specfic code from generateInspectContainerHostConfigDoug Rabson2022-09-15
| | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* | Merge pull request #15799 from mheon/fix_2126697OpenShift Merge Robot2022-09-14
|\ \ | | | | | | Ensure that a broken OCI spec does not break inspect
| * | Ensure that a broken OCI spec does not break inspectMatthew Heon2022-09-14
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The process of saving the OCI spec is not particularly reboot-safe. Normally, this doesn't matter, because we recreate the spec every time a container starts, but if one was to reboot (or SIGKILL, or otherwise fatally interrupt) Podman in the middle of writing the spec to disk, we can end up with a malformed spec that sticks around until the container is next started. Some Podman commands want to read the latest version of the spec off disk (to get information only populated after a container is started), and will break in the case that a partially populated spec is present. Swap to just ignoring these errors (with a logged warning, to let folks know something went wrong) so we don't break important commands like `podman inspect` in these cases. [NO NEW TESTS NEEDED] Provided reproducer involves repeatedly rebooting the system Signed-off-by: Matthew Heon <mheon@redhat.com>
* | libpod: fix lookup for subpath in volumesGiuseppe Scrivano2022-09-14
| | | | | | | | | | | | | | | | | | a subdirectory that is below a mount destination is detected as a subpath. Closes: https://github.com/containers/podman/issues/15789 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | libpod: rename functionGiuseppe Scrivano2022-09-14
|/ | | | | | | the function checks if a path is under any mount, not just bind mounts. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #15788 from kolyshkin/non-crypto-idOpenShift Merge Robot2022-09-14
|\ | | | | all: stop using deprecated GenerateNonCryptoID
| * all: stop using deprecated GenerateNonCryptoIDKir Kolyshkin2022-09-13
| | | | | | | | | | | | | | | | | | | | In view of https://github.com/containers/storage/pull/1337, do this: for f in $(git grep -l stringid.GenerateNonCryptoID | grep -v '^vendor/'); do sed -i 's/stringid.GenerateNonCryptoID/stringid.GenerateRandomID/g' $f; done Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
* | libpod: Add support for 'podman stats' on FreeBSDDoug Rabson2022-09-14
| | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* | libpod: Split out the common code from GetContainerStatsDoug Rabson2022-09-14
| | | | | | | | | | | | | | | | This moves the cgroups code to a new method getPlatformContainerStats. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* | libpod: Move stats.go to stats_linux.go for consistencyDoug Rabson2022-09-14
|/ | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* Merge pull request #15752 from vrothberg/fix-15691OpenShift Merge Robot2022-09-13
|\ | | | | health checks: restart timers
| * health checks: restart timersValentin Rothberg2022-09-13
| | | | | | | | | | | | | | | | | | | | | | | | Restart the health-check timers instead of starting them. This will surpress annoying errors stating that an already running timer cannot be started anymore. Also make sure that the transient units/timers are stopped and removed when stopping a container. Fixes: #15691 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* | events: Fix spelling of newNullEventerDoug Rabson2022-09-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This function changed from public to private which broke the FreeBSD build. Sadly, adding FreeBSD to the cross build isn't currently possible since github.com/godbus/dbus relies on cgo on FreeBSD. I've tried to fix this upstream but my PR is going nowhere - I think this dependency is only needed for systemd which isn't a thing on FreeBSD so it might be possible to work around the problem in libpod by making the systemd code conditional on linux. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* | Merge pull request #15749 from dfr/freebsd-networkingOpenShift Merge Robot2022-09-12
|\ \ | | | | | | Add support for networking on FreeBSD
| * | libpod: Move ocicniPortsToNetTypesPorts and compareOCICNIPorts to ↵Doug Rabson2022-09-12
| | | | | | | | | | | | | | | | | | | | | | | | networking_common.go [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * | libpod: Move NetworkDisconnect and NetworkConnect to networking_common.goDoug Rabson2022-09-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This also moves Runtime methods ConnectContainerToNetwork and DisconnectContainerFromNetwork as well as support functions getFreeInterfaceName and normalizeNetworkName. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org> libpod: Move (Connect|Disconnect)Container(To|From)Network and normalizeNetworkName to networking_common.go [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * | libpod: Move resultToBasicNetworkConfig to networking_common.goDoug Rabson2022-09-12
| | | | | | | | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * | libpod: Add support for getContainerNetworkInfo on FreeBSDDoug Rabson2022-09-12
| | | | | | | | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * | libpod: Move getContainerNetworkInfo to networking_common.goDoug Rabson2022-09-12
| | | | | | | | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * | libpod: Move isBridgeNetMode and reloadContainerNetwork to networking_common.goDoug Rabson2022-09-12
| | | | | | | | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * | libpod: Move teardownNetwork and teardownCNI to networking_common.goDoug Rabson2022-09-12
| | | | | | | | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * | libpod: Move setUpNetwork and getCNIPodName to networking_common.goDoug Rabson2022-09-12
| | | | | | | | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * | libpod: Move convertPortMappings and getNetworkOptions to networking_common.goDoug Rabson2022-09-12
| | | | | | | | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * | libpod: Add FreeBSD implementation of container networkingDoug Rabson2022-09-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This uses a jail to manage the container's network. Container jails for all containers in a pod are nested within this and share the network resources. There is some code in networking_freebsd.go which is common with networking_linux.go. Subsequent commits will move the shared code to networking_common.go to reduce this duplication. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * | libpod: Re-work the container's network state to help code sharingDoug Rabson2022-09-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This replaces the NetworkJail string field with a struct pointer named NetNS. This does not try to emulate the complete NetNS interface but does help to re-use code that just refers to c.state.NetNS. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * | libpod: Move platform-specific bind mounts to a per-platform methodDoug Rabson2022-09-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | This adds a new per-platform method makePlatformBindMounts and moves the /etc/hostname mount. This file is only needed on Linux. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * | libpod: Avoid a nil dereference when generating resolv.conf on FreeBSDDoug Rabson2022-09-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | The code which generates resolv.conf dereferenced c.config.Spec.Linux and this field is not set for FreeBSD containers. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* | | set default EventsLogFilePath on first runPaul Holzinger2022-09-12
| | | | | | | | | | | | | | | | | | | | | | | | The current code only sets EventsLogFilePath when the tmp is overwritten from the db. We should always set the default when no path was set in containers.conf. Signed-off-by: Paul Holzinger <pholzing@redhat.com>