summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Set SELinux labels based on the security context in the kube.yamlDaniel J Walsh2019-11-05
| | | | | | | If the kube.yaml specifieds the SELinux type or Level, we need the container to be launched with the correct label. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #4438 from giuseppe/fix-slirp4netns-timeoutOpenShift Merge Robot2019-11-05
|\ | | | | slirp4netns: fix timeout
| * slirp4netns: fix timeoutGiuseppe Scrivano2019-11-04
| | | | | | | | | | | | | | | | | | the pidWaitTimeout is already a Duration so do not multiply it again by time.Millisecond. Closes: https://github.com/containers/libpod/issues/4344 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | stats: fix calculation for the CPU timeGiuseppe Scrivano2019-11-02
| | | | | | | | | | | | Closes: https://github.com/containers/libpod/issues/4409 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* | Vendor in latest containers/buildahUrvashi Mohnani2019-11-01
| | | | | | | | | | | | | | | | Pull in changes to pkg/secrets/secrets.go that adds the logic to disable fips mode if a pod/container has a label set. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* | Merge pull request #4400 from haircommander/exec-hangOpenShift Merge Robot2019-11-01
|\ \ | | | | | | Switch to bufio Reader for exec streams
| * | Switch to bufio Reader for exec streamsPeter Hunt2019-10-31
| | | | | | | | | | | | | | | | | | | | | | | | There were many situations that made exec act funky with input. pipes didn't work as expected, as well as sending input before the shell opened. Thinking about it, it seemed as though the issues were because of how os.Stdin buffers (it doesn't). Dropping this input had some weird consequences. Instead, read from os.Stdin as bufio.Reader, allowing the input to buffer before passing it to the container. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | logs: support --tail 0Giuseppe Scrivano2019-10-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | change the default to -1, so that we can change the semantic of "--tail 0" to not print any existing log line. Closes: https://github.com/containers/libpod/issues/4396 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #4352 from vrothberg/config-packageOpenShift Merge Robot2019-10-31
|\ \ \ | |_|/ |/| | refactor libpod config into libpod/config
| * | add libpod/configValentin Rothberg2019-10-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Refactor the `RuntimeConfig` along with related code from libpod into libpod/config. Note that this is a first step of consolidating code into more coherent packages to make the code more maintainable and less prone to regressions on the long runs. Some libpod definitions were moved to `libpod/define` to resolve circular dependencies. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #4380 from giuseppe/rootless-create-cgroup-for-conmonOpenShift Merge Robot2019-10-30
|\ \ \ | | | | | | | | libpod, rootless: create cgroup for conmon
| * | | libpod, rootless: create cgroup for conmonGiuseppe Scrivano2019-10-30
| |/ / | | | | | | | | | | | | | | | | | | | | | always create a new cgroup for conmon also when running as rootless. We were previously creating one only when necessary, but that behaves differently than root containers. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #4305 from mheon/fix_volume_mountOpenShift Merge Robot2019-10-30
|\ \ \ | |_|/ |/| | Wait for `mount` command to finish when mounting volume
| * | Wait for `mount` command to finish when mounting volumeMatthew Heon2019-10-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | command.Start() just starts the command. That catches some errors, but the nasty ones - bad options and similar - happen when the command runs. Use CombinedOutput() instead - it waits for the command to exit, and thus catches non-0 exit of the `mount` command (invalid options, for example). STDERR from the `mount` command is directly used, which isn't necessarily the best, but we can't really get much more info on what went wrong. Fixes #4303 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #4372 from rhatdan/execOpenShift Merge Robot2019-10-30
|\ \ \ | |_|/ |/| | Processes execed into container should match container label
| * | Processes execed into container should match container labelDaniel J Walsh2019-10-29
| | | | | | | | | | | | | | | | | | Processes execed into a container were not being run with the correct label. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Set default seccomp.json file for podman play kubeDaniel J Walsh2019-10-29
| | | | | | | | | | | | | | | | | | | | | Currently podman play kube is not using the system default seccomp.json file. This PR will use the default or override location for podman play. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | images: distinguish between tags and digestsNalin Dahyabhai2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | Generate an image's RepoDigests list using all applicable digests, and refrain from outputting a digest in the tag column of the "images" output. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | | API: report multiple digests for imagesNalin Dahyabhai2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | Be prepared to report multiple image digests for images which contain multiple manifests but, because they continue to have the same set of layers and the same configuration, are considered to be the same image. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | | pull/create: add --override-arch/--override-os flagsNalin Dahyabhai2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | Add --override-arch and --override-os as hidden flags, in line with the global flag names that skopeo uses, so that we can test behavior around manifest lists without having to conditionalize more of it by arch. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | | image: don't get confused by listsNalin Dahyabhai2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | When an image can be opened as an ImageSource but not an Image, handle the case where it's an image list all by itself, the case where it's an image for a different architecture/OS combination, or the case where it's both. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | | bump containers/image to v5.0.0, buildah to v1.11.4Nalin Dahyabhai2019-10-29
|/ / | | | | | | | | | | | | | | | | Move to containers/image v5 and containers/buildah to v1.11.4. Replace an equality check with a type assertion when checking for a docker.ErrUnauthorizedForCredentials in `podman login`. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | Merge pull request #3792 from haircommander/minimum-conmonOpenShift Merge Robot2019-10-29
|\ \ | | | | | | require conmon v2.0.1
| * | require conmon v2.0.1Peter Hunt2019-10-28
| | | | | | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * | require conmon v2.0.0Peter Hunt2019-10-28
| | | | | | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | Merge pull request #4350 from giuseppe/slirp4netnslogOpenShift Merge Robot2019-10-29
|\ \ \ | | | | | | | | libpod: if slirp4netns fails, return its stderr
| * | | libpod: if slirp4netns fails, return its outputGiuseppe Scrivano2019-10-29
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | read the slirp4netns stderr and propagate it in the error when the process fails. Replace: https://github.com/containers/libpod/pull/4338 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #4355 from mheon/ensure_stateOpenShift Merge Robot2019-10-28
|\ \ \ | | | | | | | | Add ensureState helper for checking container state
| * | | Add ensureState helper for checking container stateMatthew Heon2019-10-28
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We have a lot of checks for container state scattered throughout libpod. Many of these need to ensure the container is in one of a given set of states so an operation may safely proceed. Previously there was no set way of doing this, so we'd use unique boolean logic for each one. Introduce a helper to standardize state checks. Note that this is only intended to replace checks for multiple states. A simple check for one state (ContainerStateRunning, for example) should remain a straight equality, and not use this new helper. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #4331 from mheon/sane_rename_errorOpenShift Merge Robot2019-10-28
|\ \ \ | |/ / |/| | Return a better error for volume name conflicts
| * | Return a better error for volume name conflictsMatthew Heon2019-10-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When you try and create a new volume with the name of a volume that already exists, you presently get a thoroughly unhelpful error from `mkdir` as the volume attempts to create the directory it will be mounted at. An EEXIST out of mkdir is not particularly helpful to Podman users - it doesn't explain that the name is already taken by another volume. The solution here is potentially racy as the runtime is not locked, so someone else could take the name while we're still getting things set up, but that's a narrow timing window, and we will still return an error - just an error that's not as good as this one. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | systemd: mask /sys/fs/cgroup/systemd/release_agentGiuseppe Scrivano2019-10-25
| | | | | | | | | | | | | | | | | | | | | | | | when running in systemd mode on cgroups v1, make sure the /sys/fs/cgroup/systemd/release_agent is masked otherwise the container is able to modify it and execute scripts on the host. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #4333 from giuseppe/error-rootless-cniOpenShift Merge Robot2019-10-24
|\ \ \ | | | | | | | | rootless: raise an error with --network=
| * | | rootless: raise an error with --network=Giuseppe Scrivano2019-10-24
| |/ / | | | | | | | | | | | | | | | Closes: https://github.com/containers/libpod/issues/4332 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #4228 from giuseppe/detect-no-systemd-sessionOpenShift Merge Robot2019-10-24
|\ \ \ | | | | | | | | rootless: detect no system session with --cgroup-manager=systemd
| * | | rootless: detect no system session with --cgroup-manager=systemdGiuseppe Scrivano2019-10-23
| | |/ | |/| | | | | | | | | | | | | | | | if the cgroup manager is set to systemd, detect if dbus is available, otherwise fallback to --cgroup-manager=cgroupfs. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Add parsing for UID, GID in volume "o" optionMatthew Heon2019-10-22
| |/ |/| | | | | | | | | | | Everything else is a flag to mount, but "uid" and "gid" are not. We need to parse them out of "o" and handle them separately. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #4287 from mheon/anonymous_volumesOpenShift Merge Robot2019-10-22
|\ \ | | | | | | Add support for anonymous volumes to `podman run -v`
| * | Add support for anonymous volumes to `podman run -v`Matthew Heon2019-10-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, when `podman run` encountered a volume mount without separate source and destination (e.g. `-v /run`) we would assume that both were the same - a bind mount of `/run` on the host to `/run` in the container. However, this does not match Docker's behavior - in Docker, this makes an anonymous named volume that will be mounted at `/run`. We already have (more limited) support for these anonymous volumes in the form of image volumes. Extend this support to allow it to be used with user-created volumes coming in from the `-v` flag. This change also affects how named volumes created by the container but given names are treated by `podman run --rm` and `podman rm -v`. Previously, they would be removed with the container in these cases, but this did not match Docker's behaviour. Docker only removed anonymous volumes. With this patch we move to that model as well; `podman run -v testvol:/test` will not have `testvol` survive the container being removed by `podman rm -v`. The sum total of these changes let us turn on volume removal in `--rm` by default. Fixes: #4276 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #4313 from haircommander/unused-varOpenShift Merge Robot2019-10-22
|\ \ \ | | | | | | | | exec: remove unused var
| * | | exec: remove unused varPeter Hunt2019-10-21
| | |/ | |/| | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | Merge pull request #4284 from mheon/fix_vol_inspectOpenShift Merge Robot2019-10-21
|\ \ \ | | | | | | | | Show volume options in 'volume inspect'
| * | | Show volume options in 'volume inspect'Matthew Heon2019-10-18
| | |/ | |/| | | | | | | | | | | | | | | | We initialized the map to show them, but didn't actually copy them in, so they weren't being displayed. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #4309 from giuseppe/write-storage-overridesOpenShift Merge Robot2019-10-21
|\ \ \ | |_|/ |/| | rootless: write storage overrides to the conf file
| * | rootless: write storage overrides to the conf fileGiuseppe Scrivano2019-10-21
| |/ | | | | | | | | | | | | | | | | make sure the user overrides are stored in the configuration file when first created. Closes: https://github.com/containers/libpod/issues/2659 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / rootless: do not enable lingering modeGiuseppe Scrivano2019-10-17
|/ | | | | | | | do not automatically enable lingering mode. Closes: https://github.com/containers/libpod/issues/4224 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4273 from mheon/no_runtimeOpenShift Merge Robot2019-10-16
|\ | | | | Add a MissingRuntime implementation
| * Add a MissingRuntime implementationMatthew Heon2019-10-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a container is created with a given OCI runtime, but then it is uninstalled or removed from the configuration file, Libpod presently reacts very poorly. The EvictContainer code can potentially remove these containers, but we still can't see them in `podman ps` (aside from the massive logrus.Errorf messages they create). Providing a minimal OCI runtime implementation for missing runtimes allows us to behave better. We'll be able to retrieve containers from the database, though we still pop up an error for each missing runtime. For containers which are stopped, we can remove them as normal. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #4272 from baude/rootlesstatsnetOpenShift Merge Robot2019-10-16
|\ \ | | | | | | rootless v2 cannot collect network stats
| * | rootless v2 cannot collect network statsbaude2019-10-15
| |/ | | | | | | | | | | | | | | | | | | network statistics cannot be collected for rootless network devices with the current implementation. for now, we return nil so that stats will at least for users. Fixes:#4268 Signed-off-by: baude <bbaude@redhat.com>