summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* podman network create: validate user inputMrigank Krishan2019-10-04
| | | | | | | Disallow invalid/confusing names such as '../bar' or 'foo ' Closes #4184 Signed-off-by: Mrigank Krishan <mrigankkrishan@gmail.com>
* rootless: set DBUS_SESSION_BUS_ADDRESS if it is not setGiuseppe Scrivano2019-10-02
| | | | | | | | | | if the variable is not set, make sure it has a sane value so that go-dbus won't try to connect to the wrong user session. Closes: https://github.com/containers/libpod/issues/4162 Closes: https://github.com/containers/libpod/issues/4164 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4139 from giuseppe/fix-segfault-missing-slirp4netnsOpenShift Merge Robot2019-10-01
|\ | | | | networking: fix segfault when slirp4netns is missing
| * rootless: do not attempt a CNI refreshGiuseppe Scrivano2019-10-01
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * networking: fix segfault when slirp4netns is missingGiuseppe Scrivano2019-10-01
| | | | | | | | | | | | | | | | | | fixes a segfault when slirp4netns is not installed and the slirp sync pipe is not created. Closes: https://github.com/containers/libpod/issues/4113 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | network: add workaround for slirp4netns --enable-sandbox issueGiuseppe Scrivano2019-10-01
|/ | | | | | add a workaround for https://github.com/rootless-containers/slirp4netns/pull/153 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* info: add cgroups2Giuseppe Scrivano2019-09-30
| | | | | | Closes: https://github.com/containers/libpod/issues/4080 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4065 from mheon/unconditional_conmon_rmOpenShift Merge Robot2019-09-27
|\ | | | | Unconditionally remove conmon files before starting
| * Unconditionally remove conmon files before startingMatthew Heon2019-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We've been seeing a lot of issues (ref: #4061, but there are others) where Podman hiccups on trying to start a container, because some temporary files have been retained and Conmon will not overwrite them. If we're calling start() we can safely assume that we really want those files gone so the container starts without error, so invoke the cleanup routine. It's relatively cheap (four file removes) so it shouldn't hurt us that much. Also contains a small simplification to the removeConmonFiles logic - we don't need to stat-then-remove when ignoring ENOENT is fine. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Correct use of reexec.Init()Nalin Dahyabhai2019-09-26
| | | | | | | | | | | | | | A true result from reexec.Init() isn't an error, but it indicates that main() should exit with a success exit status. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | Merge pull request #4086 from mheon/cni_del_on_refreshOpenShift Merge Robot2019-09-25
|\ \ | | | | | | Force a CNI Delete on refreshing containers
| * | Force a CNI Delete on refreshing containersMatthew Heon2019-09-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CNI expects that a DELETE be run before re-creating container networks. If a reboot occurs quickly enough that containers can't stop and clean up, that DELETE never happens, and Podman currently wipes the old network info and thinks the state has been entirely cleared. Unfortunately, that may not be the case on the CNI side. Some things - like IP address reservations - may not have been cleared. To solve this, manually re-run CNI Delete on refresh. If the container has already been deleted this seems harmless. If not, it should clear lingering state. Fixes: #3759 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | rootless: Rearrange setup of rootless containersGabi Beyer2019-09-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In order to run Podman with VM-based runtimes unprivileged, the network must be set up prior to the container creation. Therefore this commit modifies Podman to run rootless containers by: 1. create a network namespace 2. pass the netns persistent mount path to the slirp4netns to create the tap inferface 3. pass the netns path to the OCI spec, so the runtime can enter the netns Closes #2897 Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
* | | exec: set HOME also with exec sessionsGiuseppe Scrivano2019-09-21
| | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | execuser: look at the source for /etc/{passwd,group} overridesGiuseppe Scrivano2019-09-21
|/ / | | | | | | | | | | | | | | | | look if there are bind mounts that can shadow the /etc/passwd and /etc/group files. In that case, look at the bind mount source. Closes: https://github.com/containers/libpod/pull/4068#issuecomment-533782941 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | We need to convert libpod.conf files in user homedir for cgroupv2Daniel J Walsh2019-09-21
| | | | | | | | | | | | | | | | | | | | | | If a user upgrades to a machine that defaults to a cgroups V2 machine and has a libpod.conf file in their homedir that defaults to OCI Runtime runc, then we want to change it one time to crun. runc as of this point does not work on cgroupV2 systems. This patch will eventually be removed but is needed until runc has support. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | container: make sure $HOME is always setGiuseppe Scrivano2019-09-20
|/ | | | | | | | | | | | | If the HOME environment variable is not set, make sure it is set to the configuration found in the container /etc/passwd file. It was previously depending on a runc behavior that always set HOME when it is not set. The OCI runtime specifications do not require HOME to be set so move the logic to libpod. Closes: https://github.com/debarshiray/toolbox/issues/266 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* fix trivial type for event loggerbaude2019-09-19
| | | | | | Fixes: #4062 Signed-off-by: baude <bbaude@redhat.com>
* Fix exit code failureDaniel J Walsh2019-09-17
| | | | | | Be less precise on the exit code and lot the exit code to the journal when it fails. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #4035 from mheon/unmount_unmounted_is_safeOpenShift Merge Robot2019-09-16
|\ | | | | Unmounting a container that is already unmounted is OK
| * Unmounting a container that is already unmounted is OKMatthew Heon2019-09-16
| | | | | | | | | | | | | | | | | | | | | | | | We should not be throwing errors because the operation we wanted to perform is already done. Now, it is definitely strange that a container is actually unmounted, but shows as mounted in the DB - if this reoccurs in a way where we can investigate, it's worth tearing into. Fixes #4033 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #4043 from haircommander/preserve-fd-fixOpenShift Merge Robot2019-09-16
|\ \ | | | | | | exec: fix --preserve-fds
| * | exec: fix --preserve-fdsPeter Hunt2019-09-16
| |/ | | | | | | | | | | | | | | | | | | | | | | There were two problems with preserve fds. libpod didn't open the fds before passing _OCI*PIPE to conmon. This caused libpod to talk on the preserved fds, rather than the pipes, with conmon talking on the pipes. This caused a hang. Libpod also didn't convert an int to string correctly, so it would further fail. Fix these and add a unit test to make sure we don't regress in the future Note: this test will not pass on crun until crun supports --preserve-fds Signed-off-by: Peter Hunt <pehunt@redhat.com>
* / networking: use --enable-sandbox if availableGiuseppe Scrivano2019-09-16
|/ | | | | | | | | | | if slirp4netns supports sandboxing, enable it. It automatically creates a new mount namespace where slirp4netns will run and have limited access to the host resources. It needs slirp4netns 0.4.1. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4006 from rhatdan/rootlessOpenShift Merge Robot2019-09-13
|\ | | | | Report errors when trying to pause rootless containers
| * Report errors when trying to pause rootless containersDaniel J Walsh2019-09-13
| | | | | | | | | | | | | | | | If you are running a rootless container on cgroupV1 you can not pause the container. We need to report the proper error if this happens. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #3934 from rhatdan/waitOpenShift Merge Robot2019-09-13
|\ \ | |/ |/| Podman-remote run should wait for exit code
| * Podman-remote run should wait for exit codeDaniel J Walsh2019-09-12
| | | | | | | | | | | | | | | | This change matches what is happening on the podman local side and should eliminate a race condition. Also exit commands on the server side should start to return to client. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| * Use exit code constantsDaniel J Walsh2019-09-12
| | | | | | | | | | | | | | We have leaked the exit number codess all over the code, this patch removes the numbers to constants. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #4010 from haircommander/regsiter-laterOpenShift Merge Robot2019-09-13
|\ \ | | | | | | exec: Register resize func a bit later
| * | exec: Register resize func a bit laterPeter Hunt2019-09-12
| |/ | | | | | | | | | | | | | | if we register the resize func too early, it attempts to read from the 'ctl' file before it exists. this causes the func to error, and the resize to not go through. Fix this by registering resize func later for conmon. This, along with a conmon fix, will allow exec to know the terminal size at startup Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | Merge pull request #4009 from baude/execrmsocketOpenShift Merge Robot2019-09-12
|\ \ | | | | | | clean up after healthcheck execs
| * | clean up after healthcheck execsbaude2019-09-12
| |/ | | | | | | | | | | | | | | | | | | when executing a healthcheck, we were not cleaning up after exec's use of a socket. we now remove the socket file and ignore if for reason it does not exist. Fixes: #3962 Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #3989 from mheon/storage_containers_add_infoOpenShift Merge Robot2019-09-12
|\ \ | |/ |/| Add further fields to StorageContainer
| * Add further fields to StorageContainerMatthew Heon2019-09-11
| | | | | | | | | | | | | | This will be used when we allow 'podman ps' to display info on storage containers instead of Libpod containers. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #3959 from giuseppe/rootless-use-systemd-scopeOpenShift Merge Robot2019-09-12
|\ \ | | | | | | rootless: automatically create a systemd scope
| * | rootless: automatically create a systemd scopeGiuseppe Scrivano2019-09-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when running in rootless mode and using systemd as cgroup manager create automatically a systemd scope when the user doesn't own the current cgroup. This solves a couple of issues: on cgroup v2 it is necessary that a process before it can moved to a different cgroup tree must be in a directory owned by the unprivileged user. This is not always true, e.g. when creating a session with su -l. Closes: https://github.com/containers/libpod/issues/3937 Also, for running systemd in a container it was before necessary to specify "systemd-run --scope --user podman ...", now this is done automatically as part of this PR. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | linux: fix systemd with --cgroupns=privateGiuseppe Scrivano2019-09-12
|/ / | | | | | | | | | | | | | | | | When --cgroupns=private is used we need to mount a new cgroup file system so that it points to the correct namespace. Needs: https://github.com/containers/crun/pull/88 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Volume lookup needs to include state to unmarshal intoMatthew Heon2019-09-11
| | | | | | | | | | | | | | | | | | Lookup was written before volume states merged, but merged after, and CI didn't catch the obvious failure here. Without a valid state, we try to unmarshall into a null pointer, and 'volume rm' is completely broken because of it. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #3984 from mheon/prune_no_in_use_errorOpenShift Merge Robot2019-09-11
|\ \ | | | | | | Do not prune images being used by a container
| * | Do not prune images being used by a containerMatthew Heon2019-09-10
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman is not the only user of containers/storage, and as such we cannot rely on our database as the sole source of truth when pruning images. If images do not show as in use from Podman's perspective, but subsequently fail to remove because they are being used by a container, they're probably being used by Buildah or another c/storage client. Since the images in question are in use, we shouldn't error on failure to prune them - we weren't supposed to prune them in the first place. Fixes: #3983 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #3927 from openSUSE/manager-annotationsOpenShift Merge Robot2019-09-11
|\ \ | | | | | | Add `ContainerManager` annotation to created containers
| * | Add `ContainerManager` annotation to created containersSascha Grunert2019-09-10
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change adds the following annotation to every container created by podman: ```json "Annotations": { "io.containers.manager": "libpod" } ``` Target of this annotaions is to indicate which project in the containers ecosystem is the major manager of a container when applications share the same storage paths. This way projects can decide if they want to manipulate the container or not. For example, since CRI-O and podman are not using the same container library (libpod), CRI-O can skip podman containers and provide the end user more useful information. A corresponding end-to-end test has been adapted as well. Relates to: https://github.com/cri-o/cri-o/pull/2761 Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* | Merge pull request #3581 from mheon/no_cgroupsOpenShift Merge Robot2019-09-11
|\ \ | | | | | | Support running containers without CGroups
| * | Add support for launching containers without CGroupsMatthew Heon2019-09-10
| | | | | | | | | | | | | | | | | | | | | This is mostly used with Systemd, which really wants to manage CGroups itself when managing containers via unit file. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #3961 from mheon/copy_volume_contentsOpenShift Merge Robot2019-09-10
|\ \ \ | |_|/ |/| | When first mounting any named volume, copy up
| * | When first mounting any named volume, copy upMatthew Heon2019-09-09
| |/ | | | | | | | | | | | | | | | | | | | | Previously, we only did this for volumes created at the same time as the container. However, this is not correct behavior - Docker does so for all named volumes, even those made with 'podman volume create' and mounted into a container later. Fixes #3945 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* / Add function for looking up volumes by partial nameMatthew Heon2019-09-09
|/ | | | | | | | | | This isn't included in Docker, but seems handy enough. Use the new API for 'volume rm' and 'volume inspect'. Fixes #3891 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3960 from mheon/ignore_umount_enoentOpenShift Merge Robot2019-09-06
|\ | | | | Ignore ENOENT on umount of SHM
| * Ignore ENOENT on umount of SHMMatthew Heon2019-09-06
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>