summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Ensure resolv.conf has the right label and pathMatthew Heon2018-10-04
| | | | | | | | Adds a few missing things from writeStringToRundir() to the new resolv.conf function, specifically relabelling and returning a path compatible with rootless podman Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Drop libnetwork vendor and move the code into pkg/Matthew Heon2018-10-04
| | | | | | | | | | | The vendoring issues with libnetwork were significant (it was dragging in massive amounts of code) and were just not worth spending the time to work through. Highly unlikely we'll ever end up needing to update this code, so move it directly into pkg/ so we don't need to vendor libnetwork. Make a few small changes to remove the need for the remainder of libnetwork. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Switch to using libnetwork's resolvconf packageMatthew Heon2018-10-04
| | | | | | | | | Libnetwork provides a well-tested package for generating resolv.conf from the host's that has some features our current implementation does not. Swap to using their code and remove our built-in implementation. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1570 from giuseppe/fix-gvisorOpenShift Merge Robot2018-10-04
|\ | | | | podman: allow usage of gVisor as OCI runtime
| * oci: split the stdout and stderr pipesGiuseppe Scrivano2018-10-03
| | | | | | | | | | | | | | read the OCI status from stdout, not the combined stdout+stderr stream. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * oci: always set XDG_RUNTIME_DIRGiuseppe Scrivano2018-10-03
| | | | | | | | | | | | | | | | | | Fix an issue when using gVisor that couldn't start the container since the XDG_RUNTIME_DIR env variable used for the "create" and "start" commands is different. Set the environment variable for each command so that the OCI runtime gets always the same value. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Add support to checkpoint/restore containersAdrian Reber2018-10-03
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | runc uses CRIU to support checkpoint and restore of containers. This brings an initial checkpoint/restore implementation to podman. None of the additional runc flags are yet supported and container migration optimization (pre-copy/post-copy) is also left for the future. The current status is that it is possible to checkpoint and restore a container. I am testing on RHEL-7.x and as the combination of RHEL-7 and CRIU has seccomp troubles I have to create the container without seccomp. With the following steps I am able to checkpoint and restore a container: # podman run --security-opt="seccomp=unconfined" -d registry.fedoraproject.org/f27/httpd # curl -I 10.22.0.78:8080 HTTP/1.1 403 Forbidden # <-- this is actually a good answer # podman container checkpoint <container> # curl -I 10.22.0.78:8080 curl: (7) Failed connect to 10.22.0.78:8080; No route to host # podman container restore <container> # curl -I 10.22.0.78:8080 HTTP/1.1 403 Forbidden I am using CRIU, runc and conmon from git. All required changes for checkpoint/restore support in podman have been merged in the corresponding projects. To have the same IP address in the restored container as before checkpointing, CNI is told which IP address to use. If the saved network configuration cannot be found during restore, the container is restored with a new IP address. For CRIU to restore established TCP connections the IP address of the network namespace used for restore needs to be the same. For TCP connections in the listening state the IP address can change. During restore only one network interface with one IP address is handled correctly. Support to restore containers with more advanced network configuration will be implemented later. v2: * comment typo * print debug messages during cleanup of restore files * use createContainer() instead of createOCIContainer() * introduce helper CheckpointPath() * do not try to restore a container that is paused * use existing helper functions for cleanup * restructure code flow for better readability * do not try to restore if checkpoint/inventory.img is missing * git add checkpoint.go restore.go v3: * move checkpoint/restore under 'podman container' v4: * incorporated changes from latest reviews Signed-off-by: Adrian Reber <areber@redhat.com>
* Merge pull request #1578 from baude/addubuntuciOpenShift Merge Robot2018-10-03
|\ | | | | Add Ubuntu-18.04 to CI testing
| * Add ability for ubuntu to be testedbaude2018-10-03
| | | | | | | | | | | | | | | | unfortunately the papr CI system cannot test ubuntu as a VM; therefore, this PR still keeps travis. but it does include fixes that will be required for running on modern versions of ubuntu. Signed-off-by: baude <bbaude@redhat.com>
* | selinux: drop superflous relabelGiuseppe Scrivano2018-10-03
|/ | | | | | | | | | The same relabel is already done in writeStringToRundir so we don't need to do it twice. The version in writeStringToRundir takes into account the correct file path when using user namespaces. Closes: https://github.com/containers/libpod/pull/1584 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1580 from giuseppe/rootless-always-set-XDG_RUNTIME_DIROpenShift Merge Robot2018-10-03
|\ | | | | rootless: always set XDG_RUNTIME_DIR
| * rootless: always set XDG_RUNTIME_DIRGiuseppe Scrivano2018-10-03
| | | | | | | | | | | | | | | | it is used internally by containers/image to locate the auth file. Closes: https://github.com/containers/libpod/issues/1457 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1531 from mheon/add_exited_stateOpenShift Merge Robot2018-10-03
|\ \ | |/ |/| Add ContainerStateExited and OCI delete() in cleanup()
| * Fix Wait() to allow Exited state as well as StoppedMatthew Heon2018-10-02
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Fix cleanupRuntime to only save if container is validMatthew Heon2018-10-02
| | | | | | | | | | | | | | | | | | | | | | We call cleanup() (which calls cleanupRuntime()) as part of removing containers, after the container has already been removed from the database. cleanupRuntime() tries to update and save the state, which obviously fails if the container no longer exists. Make the save() conditional on the container not being in the process of being removed. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Fix bug with exited state and container removeMatthew Heon2018-10-02
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Address review comments and fix ps outputMatthew Heon2018-10-02
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
| * Add ContainerStateExited and OCI delete() in cleanup()Matthew Heon2018-10-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To work better with Kata containers, we need to delete() from the OCI runtime as a part of cleanup, to ensure resources aren't retained longer than they need to be. To enable this, we need to add a new state to containers, ContainerStateExited. Containers transition from ContainerStateStopped to ContainerStateExited via cleanupRuntime which is invoked as part of cleanup(). A container in the Exited state is identical to Stopped, except it has been removed from the OCI runtime and thus will be handled differently when initializing the container. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Merge pull request #1528 from baude/runlabelOpenShift Merge Robot2018-10-02
|\ \ | | | | | | Add container runlabel command
| * | Add container runlabel commandbaude2018-09-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Execute the command as described by a container image. The value of the label is processed into a command by: 1. Ensuring the first argument of the command is podman. 2. Substituting any variables with those defined by the environment or otherwise. If no label exists in the container image, nothing is done. podman container runlabel LABEL IMAGE extra_args Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #1562 from mheon/update_install_instructionsOpenShift Merge Robot2018-10-02
|\ \ \ | |_|/ |/| | Update docs to build a runc that works with systemd
| * | Update docs to build a runc that works with systemdMatthew Heon2018-10-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Runc disables systemd cgroup support when build statically, so don't tell people to do that now that we're defaulting to systemd for cgroup management. Also, fix some error messages to use the proper ID() call for containers. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | | Need to allocate memory for hook structDaniel J Walsh2018-10-02
|/ / | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / runtime: fix message which assumes the runtime is runcGiuseppe Scrivano2018-10-01
|/ | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1551 from baude/complexnamesOpenShift Merge Robot2018-09-28
|\ | | | | run complex image names with short names
| * run complex image names with short namesbaude2018-09-28
| | | | | | | | | | | | | | | | | | | | | | | | | | In cases where the image name is more complex like: quay/baude/alpine_nginx:latest and is not from the docker registry, we need to be able to run the image by its shortname such as baude/alpine_nginx. The same goes when the image is not from a registry but instead has the localhost repository. This resolves buildah issue #1034 Signed-off-by: baude <bbaude@redhat.com>
* | Add buildah version and distribution to infobaude2018-09-28
|/ | | | | | | | For the sake of debug and problem reporting, we would benefit from knowing what buildah version was vendored into podman. Also, knowing the distribution and distribution version would also be handy. Signed-off-by: baude <bbaude@redhat.com>
* Disable problematic SELinux code causing runc issuesMatthew Heon2018-09-25
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1541 Approved by: baude
* Add --mount option for `create` & `run` commandDaniel J Walsh2018-09-21
| | | | | | | | Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1524 Approved by: mheon
* Refactor Wait() to not require a timeoutMatthew Heon2018-09-21
| | | | | | | | | | | We added a timeout for convenience, but most invocations don't care about it. Refactor it into WaitWithTimeout() and add a Wait() that doesn't require a timeout and uses the default. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1527 Approved by: mheon
* Don't output inodes created to run a containerDaniel J Walsh2018-09-21
| | | | | | | | | | | | | | | | | | | | | | | | | | There is a group of inodes that get created when running a container if they do not exist. containerMounts = map[string]bool{ "/dev": true, "/etc/hostname": true, "/etc/hosts": true, "/etc/resolv.conf": true, "/proc": true, "/run": true, "/run/.containerenv": true, "/run/secrets": true, "/sys": true, } If the destination inode does not exist, libpod/runc will create the inode. This can cause programs like podman diff to see the image as having changed, when actually it has not. This patch ignores changes in these inodes. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1508 Approved by: giuseppe
* Add new field to libpod to indicate whether or not to use labellingDaniel J Walsh2018-09-20
| | | | | | | | | | | | | | | Also update some missing fields libpod.conf obtions in man pages. Fix sort order of security options and add a note about disabling labeling. When a process requests a new label. libpod needs to reserve all labels to make sure that their are no conflicts. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1406 Approved by: mheon
* Bind Mounts should be mounted read-only when in read-only modeDaniel J Walsh2018-09-20
| | | | | | | | | | We don't want to allow users to write to /etc/resolv.conf or /etc/hosts if in read only mode. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1510 Approved by: TomSweeneyRedHat
* Vendor in latest containers/buildahDaniel J Walsh2018-09-18
| | | | | | Switch from projectatomic/buildah to containers/buildah Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Increase pidWaitTimeout to 1000msEmilien Macchi2018-09-18
| | | | | | | | | | | | | | | | | When managing the containers with systemd, it takes a bit more than 250ms to have podman creating the pidfile. Increasing the value to 1 second will avoid timeout issues when running a lot of containers managed by systemd. This patch was tested in a VM with 56 services (OpenStack) deployed by TripleO and managed by systemd. Fixes #1495 Signed-off-by: Emilien Macchi <emilien@redhat.com> Closes: #1497 Approved by: rhatdan
* Hooks supports two directories, process default and overrideDaniel J Walsh2018-09-17
| | | | | | | | | | | | | ALso cleanup files section or podman man page Add description of policy.json Sort alphabetically. Add more info on oci hooks Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1487 Approved by: umohnani8
* Merge pull request #1464 from mheon/optionally_disable_port_reservationMatthew Heon2018-09-14
|\ | | | | Add a way to disable port reservation
| * Add a way to disable port reservationMatthew Heon2018-09-13
| | | | | | | | | | | | | | | | | | | | | | We've increased the default rlimits to allow Podman to hold many ports open without hitting limits and crashing, but this doesn't solve the amount of memory that holding open potentially thousands of ports will use. Offer a switch to optionally disable port reservation for performance- and memory-constrained use cases. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Merge pull request #1434 from rhatdan/waitMatthew Heon2018-09-14
|\ \ | | | | | | Add --interval flag to podman wait
| * | Add --interval flag to podman waitDaniel J Walsh2018-09-13
| |/ | | | | | | | | | | | | Waiting uses a lot of CPU, so drop back to checking once/second and allow user to pass in the interval. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / libpod/image/pull: Return image-pulling errors from doPullImageW. Trevor King2018-09-14
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We were already writing these to our debug logs. But collecting them and including them in the error message will make it easier for callers who don't have debugging enabled to figure out what's going wrong. Using multierror gives us both pretty formatting (when we print this for the user) and programmatic access (for any callers that need to inspect the constituent errors). With this commit and a config like: $ cat /etc/containers/registries.conf [registries.search] registries = ['registry.access.redhat.com', 'quay.io', 'docker.io'] pulling an unqualified missing image looks like: $ podman pull does-not/exist Trying to pull registry.access.redhat.com/does-not/exist:latest...Failed Trying to pull quay.io/does-not/exist:latest...Failed Trying to pull docker.io/does-not/exist:latest...Failed error pulling image "does-not/exist": unable to pull does-not/exist: 3 errors occurred: * Error determining manifest MIME type for docker://registry.access.redhat.com/does-not/exist:latest: Error reading manifest latest in registry.access.redhat.com/does-not/exist: unknown: Not Found * Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: Error reading manifest latest in quay.io/does-not/exist: unauthorized: access to the requested resource is not authorized * Error determining manifest MIME type for docker://does-not/exist:latest: Error reading manifest latest in docker.io/does-not/exist: errors: denied: requested access to the resource is denied unauthorized: authentication required A qualified image looks like: $ podman pull quay.io/does-not/exist Trying to pull quay.io/does-not/exist...Failed error pulling image "quay.io/does-not/exist": unable to pull quay.io/does-not/exist: unable to pull image: Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: Error reading manifest latest in quay.io/does-not/exist: unauthorized: access to the requested resource is not authorized If one of the searched repositories was offline, you'd get a more useful routing error for that specific registry. For example: $ cat /etc/hosts 127.0.0.1 quay.io $ podman pull does-not/exist Trying to pull registry.access.redhat.com/does-not/exist:latest...Failed Trying to pull quay.io/does-not/exist:latest...Failed Trying to pull docker.io/does-not/exist:latest...Failed error pulling image "does-not/exist": unable to pull does-not/exist: 3 errors occurred: * Error determining manifest MIME type for docker://registry.access.redhat.com/does-not/exist:latest: Error reading manifest latest in registry.access.redhat.com/does-not/exist: unknown: Not Found * Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: pinging docker registry returned: Get https://quay.io/v2/: dial tcp 127.0.0.1:443: connect: connection refused * Error determining manifest MIME type for docker://does-not/exist:latest: Error reading manifest latest in docker.io/does-not/exist: errors: denied: requested access to the resource is denied unauthorized: authentication required This is our first direct dependency on multierror, but we've been vendoring it for a while now because opencontainers/runtime-tools uses it for config validation. Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1456 Approved by: rhatdan
* Explicitly set default CNI network name in libpod.confMatthew Heon2018-09-12
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1438 Approved by: TomSweeneyRedHat
* Pass on securityOpts from podInfraContainer to container added to pod.Daniel J Walsh2018-09-11
| | | | | | | | | | This is an incomplete fix, as it would be best for the libpod library to be in charge of coordinating the container's dependencies on the infra container. A TODO was left as such. UTS is a special case, because the docker library that namespace handling is based off of doesn't recognize a UTS based on another container as valid, despite the library being able to handle it correctly. Thus, it is left in the old way. Signed-off-by: haircommander <pehunt@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1347 Approved by: mheon
* Replace existing iptables handler with firewall codeMatthew Heon2018-09-10
| | | | | | | | | | | | Use the new firewall code vendored from CNI to replace the existing iptables rule addition handler we had in place. This adds proper support for firewalld and should be much better at interacting with the firewall. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1431 Approved by: baude
* Vendor CNI plugins firewall codeMatthew Heon2018-09-10
| | | | | | | | | | | | | | The upstream CNI project has a PR open for adding iptables and firewalld support, but this has been stalled for the better part of a year upstream. On advice of several maintainers, we are vendoring this code into libpod, to perform the relevant firewall configuration ourselves. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1431 Approved by: baude
* Start pod infra container when pod is createdbaude2018-09-06
| | | | | | | | | | | When we create a pod that also has an infra container, we should start the infra container automatically. This allows users to add running containers to the pod immediately. Signed-off-by: baude <bbaude@redhat.com> Closes: #1415 Approved by: rhatdan
* vendor containerd/cgroupsbaude2018-09-06
| | | | | | | | | | | We need to vendor in the latest containerd/cgroups for a fix related to slice delegation and systemd <= 239. The opencontainer/runtime-spec is brought along for the ride. Signed-off-by: baude <bbaude@redhat.com> Closes: #1414 Approved by: mheon
* Print errors from individual pull attemptsMatthew Heon2018-09-05
| | | | | | | | | | | Right now, we don't print errors from c/image while trying to pull images. This prints the errors when log-level=debug is set so we can debug errors while pulling. Signed-off-by: Matthew Heon <mheon@redhat.com> Closes: #1409 Approved by: baude
* rootless: check uid with Geteuid() instead of Getuid()Giuseppe Scrivano2018-09-04
| | | | | | | | | | | | change the tests to use chroot to set a numeric UID/GID. Go syscall.Credential doesn't change the effective UID/GID of the process. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1372 Approved by: mheon
* rootless: create compatible pod infra containerGiuseppe Scrivano2018-09-04
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1372 Approved by: mheon