path: root/libpod
Commit log (message, author, date):
* Ensure that tmpfs mounts do not have symlinks (Matthew Heon, 2019-03-11)
  When mounting a tmpfs, runc attempts to make the directory it will be mounted at. Unfortunately, Golang's os.MkdirAll deals very poorly with symlinks being part of the path. I looked into fixing this in runc, but it's honestly much easier to just ensure we don't trigger the issue on our end.
  Fixes BZ #1686610
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Buffer stdin to a file when importing "-" (Nalin Dahyabhai, 2019-03-11)
  When importing an image from a file somewhere, we already know how to download data from a URL to a file, so do the same for stdin, in case it's unexpectedly large.
  Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Merge pull request #2583 from giuseppe/rootless-fix-pod-rm (OpenShift Merge Robot, 2019-03-11)
  rootless: fix stop and rm when the container is running with uid != 0
  * errors: fix error cause comparison (Giuseppe Scrivano, 2019-03-11)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2538 from giuseppe/slirp4netns-path (OpenShift Merge Robot, 2019-03-11)
  libpod: allow to configure path to the slirp4netns binary
  * libpod: allow to configure path to the network-cmd binary (Giuseppe Scrivano, 2019-03-11)
    Allow configuring the path to the network-cmd binary, either via an option flag --network-cmd-path or through the libpod.conf configuration file. This is currently used to customize the path to the slirp4netns binary.
    Closes: https://github.com/containers/libpod/issues/2506
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* pull: promote debug statement to error (Giuseppe Scrivano, 2019-03-11)
  Print an error if there is any failure pulling an image.
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Fix generation of infra container command (Matthew Heon, 2019-03-10)
  When sourcing from an image, we need to grab its entrypoint first and then add command on to mimic the behavior of Docker. The default Kube pause image just sets ENTRYPOINT, and not CMD, so nothing changes there, but this ought to fix other images (for example, nginx would try to run the pause command instead of an nginx process without this patch).
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Remove an unused if statement I added (Matthew Heon, 2019-03-10)
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Don't delete another container's resolv and hosts files (Matthew Heon, 2019-03-10)
  The logic of deleting and recreating /etc/hosts and /etc/resolv.conf only makes sense when we're the one that creates the files - when we don't, it just removes them, and there's nothing left to use.
  Fixes #2602
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Fix a potential segfault during infra container create (Matthew Heon, 2019-03-10)
  I was seeing some segfaults where image config was being passed as nil, causing a nil dereference segfault. Fix the apparent cause and add some safety fencing to try and ensure it doesn't happen again.
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #2516 from rhatdan/secrets (OpenShift Merge Robot, 2019-03-09)
  Move secrets package to buildah
  * Move secrets package to buildah (Daniel J Walsh, 2019-03-08)
    Trying to remove circular dependencies between libpod and buildah. First step to move pkg content from libpod to buildah.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #2590 from haircommander/pause_entry_cmd (OpenShift Merge Robot, 2019-03-08)
  Default to image entrypoint for infra container
  * Default to image entrypoint for infra container (Peter Hunt, 2019-03-08)
    If the pod infra container is overridden, we want to run the entry point of the image, instead of the default infra command. This allows users to override the infra-image with greater ease. Also use process environment variables from image.
    Signed-off-by: Peter Hunt <pehunt@redhat.com>
* rootless: propagate errors from info (Giuseppe Scrivano, 2019-03-08)
  We use "podman info" to reconfigure the runtime after a reboot, but we don't propagate the error message back if something goes wrong.
  Closes: https://github.com/containers/libpod/issues/2584
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2573 from giuseppe/exec-extra-files (OpenShift Merge Robot, 2019-03-07)
  oci: make explicit the extra files to the exec
  * oci: make explicit the extra files to the exec (Giuseppe Scrivano, 2019-03-07)
    In the previous version I forgot to add the fds to preserve into AdditionalFiles. It doesn't make a difference as the files were still preserved, but this seems to be the correct way of making it explicit.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2550 from wking/language-dot-split (OpenShift Merge Robot, 2019-03-07)
  libpod/container_internal: Split locale at the first dot, etc.
  * libpod/container_internal: Split locale at the first dot, etc. (W. Trevor King, 2019-03-05)
    We're going to feed this into Go's BCP 47 language parser. Language tags have the form [1]:

        language ["-" script] ["-" region] *("-" variant) *("-" extension) ["-" privateuse]

    and locales have the form [2]:

        [language[_territory][.codeset][@modifier]]

    The modifier is useful for collation, but Go's language-based API [3] does not provide a way for us to supply it. This code converts our locale to a BCP 47 language by stripping the dot and later and replacing the first underscore, if any, with a hyphen. This will avoid errors like [4]:

        WARN[0000] failed to parse language "en_US.UTF-8": language: tag is not well-formed

    when feeding language.Parse(...).

    [1]: https://tools.ietf.org/html/bcp47#section-2.1
    [2]: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
    [3]: https://github.com/golang/go/issues/25340
    [4]: https://github.com/containers/libpod/issues/2494
    Signed-off-by: W. Trevor King <wking@tremily.us>
* Merge pull request #2563 from mheon/lookup_double_match_always_returns_name (OpenShift Merge Robot, 2019-03-07)
  Change LookupContainer logic to match Docker
  * Change LookupContainer logic to match Docker (Matthew Heon, 2019-03-06)
    When looking up a container or pod from user input, we handle collisions between names and IDs differently than Docker at present. In Docker, when there is a container with an ID starting with "c1" and a container named "c1", commands on "c1" will always act on the container named "c1". For the same scenario in podman, we throw an error about name collision. Change Podman to follow Docker, by returning the named container or pod instead of erroring. This should also have a positive effect on performance in the lookup-by-full-name case, which no longer needs to fully traverse the list of all pods or containers.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #2545 from haircommander/weird_pod_bug (OpenShift Merge Robot, 2019-03-06)
  Fix pod create failure
  * Fix incorrect pod create failure (Peter Hunt, 2019-03-06)
    Before, a pod create would fail if it was set to share no namespaces, but had an infra container. While inefficient (you add a container for no reason), it shouldn't be a fatal failure. Fix this by only failing if the pod was set to share namespaces, but had no infra container, and writing a warning if vice versa.
    Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Merge pull request #2491 from baude/healtcheckphase1 (OpenShift Merge Robot, 2019-03-06)
  podman healthcheck run (phase 1)
  * podman healthcheck run (phase 1) (baude, 2019-03-05)
    Add the ability to manually run a container's healthcheck command. This is only the first phase of implementing the healthcheck. Subsequent pull requests will deal with exposing the results and history of healthchecks as well as the scheduling.
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #2518 from haircommander/pod_host (OpenShift Merge Robot, 2019-03-05)
  Append hosts to dependency container's /etc/hosts file
  * Append hosts to dependency container's /etc/hosts file (Peter Hunt, 2019-03-05)
    Before, any container with a netNS dependency simply used its dependency container's hosts file, and didn't abide by its configuration (mainly --add-host). Fix this by always appending to the dependency container's hosts file, creating one if necessary.
    Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Merge pull request #2537 from giuseppe/rootless-storage-config (OpenShift Merge Robot, 2019-03-05)
  rootless: fill in correct storage conf default
  * rootless: fill in correct storage conf default (Giuseppe Scrivano, 2019-03-05)
    When the configuration file is specified, be sure to fill rootless compatible values in the default configuration.
    Closes: https://github.com/containers/libpod/issues/2510
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2426 from giuseppe/exec-preserve-fds (OpenShift Merge Robot, 2019-03-05)
  exec: support --preserve-fds
  * exec: support --preserve-fds (Giuseppe Scrivano, 2019-03-02)
    Allow passing additional FDs to the process being executed.
    Closes: https://github.com/containers/libpod/issues/2372
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* runtime: fill a proper default tmpdir when --config is used (Giuseppe Scrivano, 2019-03-04)
  Closes: https://github.com/containers/libpod/issues/2408
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2485 from adrianreber/oci-check (OpenShift Merge Robot, 2019-03-01)
  Verify that used OCI runtime supports checkpoint
  * Verify that used OCI runtime supports checkpoint (Adrian Reber, 2019-03-01)
    To be able to use OCI runtimes which do not implement checkpoint/restore, this adds a check to the checkpoint code path and the checkpoint/restore tests to see if it knows about the checkpoint subcommand. If the used OCI runtime does not implement checkpoint/restore, the tests are skipped and the actual 'podman container checkpoint' returns an error.
    Signed-off-by: Adrian Reber <areber@redhat.com>
* Allow Exec API user to override streams (Peter Hunt, 2019-02-28)
  Allow passing in of AttachStreams to libpod.Exec() for usage in podman healthcheck. An API caller can now specify different streams for stdout, stderr and stdin, or no streams at all.
  Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Centralize setting default volume path (Matthew Heon, 2019-02-26)
  No reason to do it in util/ anymore. It's always going to be a subdirectory of c/storage graph root by default, so we can just set it after the return.
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Move all storage configuration defaults into libpod (Matthew Heon, 2019-02-26)
  Instead of passing in defaults via WithStorageConfig after computing them in cmd/podman/libpodruntime, do all defaults in libpod itself. This can alleviate ordering issues which caused settings in the libpod config (most notably, volume path) to be ignored.
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Only remove image volumes when removing containers (Matthew Heon, 2019-02-26)
  When removing volumes with rm --volumes we want to only remove volumes that were created with the container. Volumes created separately via 'podman volume create' should not be removed. Also ensure that --rm implies volumes will be removed.
  Fixes #2441
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Record when volume path is explicitly set in config (Matthew Heon, 2019-02-26)
  This ensures we won't overwrite it when it's set in the config we load from disk.
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add debug information when overriding paths with the DB (Matthew Heon, 2019-02-26)
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add path for named volumes to `podman info` (Matthew Heon, 2019-02-26)
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Validate VolumePath against DB configuration (Matthew Heon, 2019-02-26)
  If this doesn't match, we end up not being able to access named volumes mounted into containers, which is bad. Use the same validation that we use for other critical paths to ensure this one also matches.
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* When location of c/storage root changes, set VolumePath (Matthew Heon, 2019-02-26)
  We want named volumes to be created in a subdirectory of the c/storage graph root, the same as the libpod root directory is now. As such, we need to adjust its location when the graph root changes location. Also, make a change to how we set the default. There's no need to explicitly set it every time we initialize via an option - that might conflict with WithStorageConfig setting it based on graph root changes. Instead, just initialize it in the default config like our other settings.
  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #2382 from adrianreber/selinux (OpenShift Merge Robot, 2019-02-26)
  Fix one (of two) SELinux denials during checkpointing
  * Label CRIU log files correctly (Adrian Reber, 2019-02-26)
    CRIU creates a log file during checkpointing in .../userdata/dump.log. The problem with this file is that CRIU injects a parasite code into the container processes and this parasite code also writes to the same log file. At this point a process from the inside of the container is trying to access the log file on the outside of the container and SELinux prohibits this. To enable writing to the log file from the injected parasite code, this commit creates an empty log file and labels the log file with c.MountLabel(). CRIU uses existing files when writing its logs so the log file label persists and now, with the correct label, SELinux no longer blocks access to the log file.
    Signed-off-by: Adrian Reber <areber@redhat.com>
* oci: improve error message when the OCI runtime is not found (Giuseppe Scrivano, 2019-02-26)
  We were previously returning the not so nice error directly from conmon.
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2358 from rhatdan/namespace (OpenShift Merge Robot, 2019-02-25)
  Fix up handling of user defined network namespaces
  * Fix up handling of user defined network namespaces (Daniel J Walsh, 2019-02-23)
    If user specifies network namespace and the /etc/netns/XXX/resolv.conf exists, we should use this rather than /etc/resolv.conf. Also fail cleaner if the user specifies an invalid Network Namespace.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #2417 from rhatdan/resolv.conf (OpenShift Merge Robot, 2019-02-25)
  In shared networkNS /etc/resolv.conf&/etc/hosts should be shared