path: root/libpod
Commit message (author, date)
* rootless: detect no system session with --cgroup-manager=systemd  (Giuseppe Scrivano, 2019-10-23)
    if the cgroup manager is set to systemd, detect if dbus is available, otherwise fall back to --cgroup-manager=cgroupfs.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* rootless: do not enable lingering mode  (Giuseppe Scrivano, 2019-10-17)
    do not automatically enable lingering mode.
    Closes: https://github.com/containers/libpod/issues/4224
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Merge pull request #4273 from mheon/no_runtime  (OpenShift Merge Robot, 2019-10-16)
    Add a MissingRuntime implementation

  * Add a MissingRuntime implementation  (Matthew Heon, 2019-10-15)
      When a container is created with a given OCI runtime, but then it is uninstalled or removed from the configuration file, Libpod presently reacts very poorly. The EvictContainer code can potentially remove these containers, but we still can't see them in `podman ps` (aside from the massive logrus.Errorf messages they create).
      Providing a minimal OCI runtime implementation for missing runtimes allows us to behave better. We'll be able to retrieve containers from the database, though we still pop up an error for each missing runtime. For containers which are stopped, we can remove them as normal.
      Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Merge pull request #4272 from baude/rootlesstatsnet  (OpenShift Merge Robot, 2019-10-16)
    rootless v2 cannot collect network stats

  * rootless v2 cannot collect network stats  (baude, 2019-10-15)
      network statistics cannot be collected for rootless network devices with the current implementation. For now, we return nil so that stats will at least for users.
      Fixes: #4268
      Signed-off-by: baude <bbaude@redhat.com>

* Merge pull request #4256 from mheon/fix_volumes  (OpenShift Merge Robot, 2019-10-16)
    Ensure volumes can be removed when they fail to unmount

  * Ensure volumes can be removed when they fail to unmount  (Matthew Heon, 2019-10-14)
      Also, ensure that we don't try to mount them without root - it appears that it can somehow not error and report that mount was successful when it clearly did not succeed, which can induce this case.
      We reuse the `--force` flag to indicate that a volume should be removed even after unmount errors. It seems fairly natural to expect that --force will remove a volume that is otherwise presenting problems.
      Finally, ignore EINVAL on unmount - if the mount point no longer exists our job is done.
      Fixes: #4247
      Fixes: #4248
      Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* inspect: rename ImageID go field to Image  (Valentin Rothberg, 2019-10-15)
    The json field is called `Image` while the go field is called `ImageID`, tricking users into filtering for `Image` which ultimately results in an error. Hence, rename the field to `Image` to align json and go.
    To prevent podman users from regressing, rename `Image` to `ImageID` in the specified filters. Add tests to prevent us from regressing.
    Note that consumers of the go API that are using `ImageID` are regressing; ultimately we consider it to be a bug fix.
    Fixes: #4193
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

* Merge pull request #4262 from nalind/error-cause  (Daniel J Walsh, 2019-10-15)
    Unwrap errors before comparing them

  * Unwrap errors before comparing them  (Nalin Dahyabhai, 2019-10-14)
      Unwrap errors before directly comparing them with errors defined by the storage and image libraries.
      Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
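The comparison pitfall the commit above fixes, as an added Go example that is not libpod's own code. The sentinel `ErrLayerUnknown` and the helpers `lookupLayer` / `removeContainerLayer` are hypothetical stand-ins for the errors and calls the storage and image libraries provide. It uses the standard library's `errors.Is` and `errors.Unwrap`; libpod at the time used github.com/pkg/errors, whose `errors.Cause` plays the role of `rootCause` here.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical sentinel standing in for one exported by c/storage or c/image.
var ErrLayerUnknown = errors.New("layer not known")

// lookupLayer mimics a library call that annotates its sentinel with context.
// The wrapping is exactly what defeats a direct == comparison at the call site.
func lookupLayer(id string) error {
	if id == "" {
		return fmt.Errorf("looking up layer %q: %w", id, ErrLayerUnknown)
	}
	return nil
}

// removeContainerLayer adds a second level of wrapping, as a caller of the
// library would, so the sentinel is now two Unwrap steps deep.
func removeContainerLayer(ctrID, layerID string) error {
	if err := lookupLayer(layerID); err != nil {
		return fmt.Errorf("removing container %s: %w", ctrID, err)
	}
	return nil
}

// isLayerUnknownNaive is the broken pattern: it only matches when nothing in
// the chain wrapped the sentinel, so the "already gone" case is mishandled.
func isLayerUnknownNaive(err error) bool {
	return err == ErrLayerUnknown
}

// isLayerUnknown unwraps the chain before comparing, so any depth of wrapping
// still matches the sentinel.
func isLayerUnknown(err error) bool {
	return errors.Is(err, ErrLayerUnknown)
}

// rootCause walks Unwrap to the innermost error, the stdlib equivalent of
// pkg/errors' errors.Cause; useful when a caller must switch on the cause.
func rootCause(err error) error {
	for {
		next := errors.Unwrap(err)
		if next == nil {
			return err
		}
		err = next
	}
}

func main() {
	err := removeContainerLayer("abc123", "")
	fmt.Printf("naive match: %v\n", isLayerUnknownNaive(err)) // false: the error is wrapped
	fmt.Printf("errors.Is:   %v\n", isLayerUnknown(err))      // true
	fmt.Printf("root cause:  %v\n", rootCause(err))           // layer not known
}
```

The naive check silently turns "layer already gone, carry on" into a hard failure, which is the class of removal bug the unwrap fix addresses.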
* change error wording when conmon fails without logs  (Valentin Rothberg, 2019-10-14)
    In some cases, conmon can fail without writing logs. Change the wording of the error message from "error reading container (probably exited) json message" to "container create failed (no logs from conmon)" to have a more helpful error message that is more consistent with other errors at that stage of execution.
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

* Merge pull request #4220 from mheon/null_runtime  (OpenShift Merge Robot, 2019-10-11)
    Move OCI runtime implementation behind an interface

  * When restoring containers, reset cgroup path  (Matthew Heon, 2019-10-10)
      Previously, `podman checkpoint restore` with exported containers, when told to create a new container based on the exported checkpoint, would create a new container, with a new container ID, but not reset CGroup path - which contained the ID of the original container. If this was done multiple times, the result was two containers with the same cgroup paths. Operations on these containers would thus have a chance of crossing over to affect the other one; the most notable was `podman rm` once it was changed to use the --all flag when stopping the container; all processes in the cgroup, including the ones in the other container, would be stopped.
      Reset cgroups on restore to ensure that the path matches the ID of the container actually being run.
      Signed-off-by: Matthew Heon <matthew.heon@pm.me>

  * Move OCI runtime implementation behind an interface  (Matthew Heon, 2019-10-10)
      For future work, we need multiple implementations of the OCI runtime, not just a Conmon-wrapped runtime matching the runc CLI.
      As part of this, do some refactoring on the interface for exec (move to a struct, not a massive list of arguments). Also, add 'all' support to Kill and Stop (supported by runc and used a bit internally for removing containers).
      Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Merge pull request #4221 from mheon/reset_runtime  (OpenShift Merge Robot, 2019-10-11)
    Migrate can move containers to a user-defined runtime

  * Migrate can move containers to a new runtime  (Matthew Heon, 2019-10-10)
      This is a horrible hack to work around issues with Fedora 31, but other distros might need it too, so we'll move it upstream.
      I do not recommend this functionality for general use, and the manpages and other documentation will reflect this. But for some upgrade cases, it will be the only thing that allows for a working system.
      Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Merge pull request #4223 from QiWang19/uidmap  (OpenShift Merge Robot, 2019-10-10)
    show uid_map in podman info

  * show uid_map in podman info  (Qi Wang, 2019-10-09)
      show uid_map and gid_map in podman info
      Signed-off-by: Qi Wang <qiwan@redhat.com>

* Merge pull request #4216 from baude/catchv2runc  (OpenShift Merge Robot, 2019-10-10)
    catch runc v2 error

  * catch runc v2 error  (baude, 2019-10-09)
      when runc returns an error about not being v2 compliant, catch the error and logrus an actionable message for users.
      Signed-off-by: baude <bbaude@redhat.com>

* refresh: do not access network ns if not in the namespace  (Giuseppe Scrivano, 2019-10-09)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Merge pull request #4196 from mheon/normal_remove_on_evict  (OpenShift Merge Robot, 2019-10-07)
    When evicting containers, perform a normal remove first

  * When evicting containers, perform a normal remove first  (Matthew Heon, 2019-10-04)
      This ensures that containers that didn't require an evict will be dealt with normally, and we only break out evict for containers that refuse to be removed by normal means.
      Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Update c/image to v4.0.1 and buildah to 1.11.3  (Miloslav Trmač, 2019-10-04)
    This requires updating all import paths throughout, and a matching buildah update to interoperate.
    I can't figure out the reason for go.mod tracking github.com/containers/image v3.0.2+incompatible // indirect ((go mod graph) lists it as a direct dependency of libpod, but (go list -json -m all) lists it as an indirect dependency), but at least looking at the vendor subdirectory, it doesn't seem to be actually used in the built binaries.
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>

* Merge pull request #3549 from marcov/evict-container  (OpenShift Merge Robot, 2019-10-04)
    Add ability to evict a container

  * rm: add containers eviction with `rm --force`  (Marco Vedovati, 2019-09-25)
      Add ability to evict a container when it becomes unusable. This may happen when the host setup changes after a container creation, making it impossible for that container to be used or removed.
      Evicting a container is done using the `rm --force` command.
      Signed-off-by: Marco Vedovati <mvedovati@suse.com>

* podman network create: validate user input  (Mrigank Krishan, 2019-10-04)
    Disallow invalid/confusing names such as '../bar' or 'foo '
    Closes #4184
    Signed-off-by: Mrigank Krishan <mrigankkrishan@gmail.com>
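Why '../bar' is more than a cosmetic problem, as an added Go example that is not the project's own validation code: a network name ends up in a file name under the CNI configuration directory, so an unvalidated name can climb out of that directory. The regular expression, the 64-character cap and the "<name>.conflist" layout are assumptions of this example, not rules taken from libpod.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrInvalidNetworkName is the single error callers can match with errors.Is.
var ErrInvalidNetworkName = errors.New("invalid network name")

// networkNameRE is an assumed policy, not the project's own rule: an
// alphanumeric first character, then alphanumerics, '_', '.' and '-'. Path
// separators, whitespace and a leading '.' (so "..", "../bar") cannot match.
var networkNameRE = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_.-]*$`)

// maxNetworkNameLen is a hypothetical cap; the name also becomes part of a
// config file name, so unbounded input is undesirable either way.
const maxNetworkNameLen = 64

// validateNetworkName rejects empty, oversized, whitespace-padded and
// path-like names before the name is ever turned into a path.
func validateNetworkName(name string) error {
	switch {
	case name == "":
		return fmt.Errorf("%w: name is empty", ErrInvalidNetworkName)
	case len(name) > maxNetworkNameLen:
		return fmt.Errorf("%w: %q is longer than %d characters", ErrInvalidNetworkName, name, maxNetworkNameLen)
	case strings.TrimSpace(name) != name:
		return fmt.Errorf("%w: %q has leading or trailing whitespace", ErrInvalidNetworkName, name)
	case !networkNameRE.MatchString(name):
		return fmt.Errorf("%w: %q must match %s", ErrInvalidNetworkName, name, networkNameRE)
	}
	return nil
}

// unsafeConfigPath shows the problem: joining an unvalidated name into the
// CNI config directory lets "../bar" climb out of it, and filepath.Join
// cleans the ".." away so the result looks perfectly ordinary.
func unsafeConfigPath(confDir, name string) string {
	return filepath.Join(confDir, name+".conflist")
}

// cniConfigPath validates first and then, as defence in depth, checks that the
// cleaned path is still inside confDir.
func cniConfigPath(confDir, name string) (string, error) {
	if err := validateNetworkName(name); err != nil {
		return "", err
	}
	p := filepath.Join(confDir, name+".conflist")
	rel, err := filepath.Rel(confDir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %s", ErrInvalidNetworkName, name, confDir)
	}
	return p, nil
}

func main() {
	const confDir = "/etc/cni/net.d"
	for _, name := range []string{"foo", "foo ", "../bar", "a/b", "podman-net.1"} {
		p, err := cniConfigPath(confDir, name)
		fmt.Printf("%-14q unsafe=%-32s validated=%q err=%v\n",
			name, unsafeConfigPath(confDir, name), p, err)
	}
}
```

The second check in `cniConfigPath` is redundant while the regular expression holds, but it keeps the path construction safe if someone later relaxes the name policy.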
* rootless: set DBUS_SESSION_BUS_ADDRESS if it is not set  (Giuseppe Scrivano, 2019-10-02)
    if the variable is not set, make sure it has a sane value so that go-dbus won't try to connect to the wrong user session.
    Closes: https://github.com/containers/libpod/issues/4162
    Closes: https://github.com/containers/libpod/issues/4164
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4139 from giuseppe/fix-segfault-missing-slirp4netns  (OpenShift Merge Robot, 2019-10-01)
    networking: fix segfault when slirp4netns is missing

  * rootless: do not attempt a CNI refresh  (Giuseppe Scrivano, 2019-10-01)
      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

  * networking: fix segfault when slirp4netns is missing  (Giuseppe Scrivano, 2019-10-01)
      fixes a segfault when slirp4netns is not installed and the slirp sync pipe is not created.
      Closes: https://github.com/containers/libpod/issues/4113
      Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* network: add workaround for slirp4netns --enable-sandbox issue  (Giuseppe Scrivano, 2019-10-01)
    add a workaround for https://github.com/rootless-containers/slirp4netns/pull/153
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* info: add cgroups2  (Giuseppe Scrivano, 2019-09-30)
    Closes: https://github.com/containers/libpod/issues/4080
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Merge pull request #4065 from mheon/unconditional_conmon_rm  (OpenShift Merge Robot, 2019-09-27)
    Unconditionally remove conmon files before starting

  * Unconditionally remove conmon files before starting  (Matthew Heon, 2019-09-20)
      We've been seeing a lot of issues (ref: #4061, but there are others) where Podman hiccups on trying to start a container, because some temporary files have been retained and Conmon will not overwrite them.
      If we're calling start() we can safely assume that we really want those files gone so the container starts without error, so invoke the cleanup routine. It's relatively cheap (four file removes) so it shouldn't hurt us that much.
      Also contains a small simplification to the removeConmonFiles logic - we don't need to stat-then-remove when ignoring ENOENT is fine.
      Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Correct use of reexec.Init()  (Nalin Dahyabhai, 2019-09-26)
    A true result from reexec.Init() isn't an error, but it indicates that main() should exit with a success exit status.
    Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

* Merge pull request #4086 from mheon/cni_del_on_refresh  (OpenShift Merge Robot, 2019-09-25)
    Force a CNI Delete on refreshing containers

  * Force a CNI Delete on refreshing containers  (Matthew Heon, 2019-09-24)
      CNI expects that a DELETE be run before re-creating container networks. If a reboot occurs quickly enough that containers can't stop and clean up, that DELETE never happens, and Podman currently wipes the old network info and thinks the state has been entirely cleared. Unfortunately, that may not be the case on the CNI side. Some things - like IP address reservations - may not have been cleared.
      To solve this, manually re-run CNI Delete on refresh. If the container has already been deleted this seems harmless. If not, it should clear lingering state.
      Fixes: #3759
      Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* rootless: Rearrange setup of rootless containers  (Gabi Beyer, 2019-09-24)
    In order to run Podman with VM-based runtimes unprivileged, the network must be set up prior to the container creation. Therefore this commit modifies Podman to run rootless containers by:
    1. create a network namespace
    2. pass the netns persistent mount path to the slirp4netns to create the tap interface
    3. pass the netns path to the OCI spec, so the runtime can enter the netns
    Closes #2897
    Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>

* exec: set HOME also with exec sessions  (Giuseppe Scrivano, 2019-09-21)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* execuser: look at the source for /etc/{passwd,group} overrides  (Giuseppe Scrivano, 2019-09-21)
    look if there are bind mounts that can shadow the /etc/passwd and /etc/group files. In that case, look at the bind mount source.
    Closes: https://github.com/containers/libpod/pull/4068#issuecomment-533782941
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* We need to convert libpod.conf files in user homedir for cgroupv2  (Daniel J Walsh, 2019-09-21)
    If a user upgrades to a machine that defaults to a cgroups V2 machine and has a libpod.conf file in their homedir that defaults to OCI Runtime runc, then we want to change it one time to crun. runc as of this point does not work on cgroupV2 systems.
    This patch will eventually be removed but is needed until runc has support.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* container: make sure $HOME is always set  (Giuseppe Scrivano, 2019-09-20)
    If the HOME environment variable is not set, make sure it is set to the configuration found in the container /etc/passwd file.
    It was previously depending on a runc behavior that always set HOME when it is not set. The OCI runtime specifications do not require HOME to be set so move the logic to libpod.
    Closes: https://github.com/debarshiray/toolbox/issues/266
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
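The HOME logic this commit moves into libpod, together with the bind-mount lookup from "execuser: look at the source for /etc/{passwd,group} overrides" a few entries up, as one added Go example that is not libpod's own code. The `Mount` struct is a minimal stand-in for an OCI spec mount entry, the passwd content is constructed, and the "/" fallback when the user has no passwd entry mirrors runc's behaviour and is an assumption of this example. It goes slightly beyond the commit text by also honouring a bind mount of a parent directory (/etc or /) that shadows /etc/passwd, not only a mount of the file itself.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"path/filepath"
	"strconv"
	"strings"
)

// Mount is a minimal stand-in for an OCI spec mount entry (assumed shape).
type Mount struct {
	Destination string
	Type        string
	Source      string
	Options     []string
}

func isBind(m Mount) bool {
	if m.Type == "bind" {
		return true
	}
	for _, o := range m.Options {
		if o == "bind" || o == "rbind" {
			return true
		}
	}
	return false
}

// passwdSource picks the host-side file to read for the container's
// /etc/passwd: the deepest bind mount covering /etc/passwd (the file itself,
// /etc, or even /) wins and its Source is used; otherwise the rootfs copy.
func passwdSource(rootfs string, mounts []Mount) string {
	const target = "/etc/passwd"
	bestDest, bestSrc := "", ""
	for _, m := range mounts {
		if !isBind(m) {
			continue
		}
		dest := filepath.Clean(m.Destination)
		covers := dest == target || strings.HasPrefix(target, strings.TrimSuffix(dest, "/")+"/")
		if covers && len(dest) > len(bestDest) {
			bestDest, bestSrc = dest, m.Source
		}
	}
	if bestDest == "" {
		return filepath.Join(rootfs, target)
	}
	rel, _ := filepath.Rel(bestDest, target) // "." when the file itself is mounted
	return filepath.Join(bestSrc, rel)
}

// homeFromPasswd scans passwd(5)-format content for uid and returns its home
// directory field; comments and malformed (short) lines are skipped.
func homeFromPasswd(r io.Reader, uid int) (string, bool) {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) < 7 {
			continue
		}
		if id, err := strconv.Atoi(f[2]); err == nil && id == uid {
			return f[5], true
		}
	}
	return "", false
}

// ensureHome returns env with HOME set when it is absent: the passwd entry's
// home if found, else "/" (assumed default, following runc). An existing HOME
// is left untouched.
func ensureHome(env []string, passwd io.Reader, uid int) []string {
	for _, kv := range env {
		if strings.HasPrefix(kv, "HOME=") {
			return env
		}
	}
	home := "/"
	if h, ok := homeFromPasswd(passwd, uid); ok && h != "" {
		home = h
	}
	return append(env, "HOME="+home)
}

// samplePasswd is constructed input; the "bin" line is deliberately short.
const samplePasswd = "root:x:0:0:root:/root:/bin/bash\n" +
	"# comment\n" +
	"bin:x:1:1::/bin\n" +
	"user:x:1000:1000:Test User:/home/user:/bin/sh\n"

func main() {
	mounts := []Mount{{Destination: "/etc", Type: "bind", Source: "/host/etc"}}
	fmt.Println("passwd read from:", passwdSource("/var/lib/containers/rootfs", mounts))
	fmt.Println(ensureHome([]string{"PATH=/usr/bin"}, strings.NewReader(samplePasswd), 1000))
}
```

Reading the rootfs copy when a bind mount shadows it would set HOME from a file the process never sees; choosing the mount source keeps libpod's view consistent with what getpwuid() inside the container returns.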
* fix trivial type for event logger  (baude, 2019-09-19)
    Fixes: #4062
    Signed-off-by: baude <bbaude@redhat.com>

* Fix exit code failure  (Daniel J Walsh, 2019-09-17)
    Be less precise on the exit code and log the exit code to the journal when it fails.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* Merge pull request #4035 from mheon/unmount_unmounted_is_safe  (OpenShift Merge Robot, 2019-09-16)
    Unmounting a container that is already unmounted is OK

  * Unmounting a container that is already unmounted is OK  (Matthew Heon, 2019-09-16)
      We should not be throwing errors because the operation we wanted to perform is already done.
      Now, it is definitely strange that a container is actually unmounted, but shows as mounted in the DB - if this reoccurs in a way where we can investigate, it's worth tearing into.
      Fixes #4033
      Signed-off-by: Matthew Heon <mheon@redhat.com>

* Merge pull request #4043 from haircommander/preserve-fd-fix  (OpenShift Merge Robot, 2019-09-16)
    exec: fix --preserve-fds

  * exec: fix --preserve-fds  (Peter Hunt, 2019-09-16)
      There were two problems with preserve fds. libpod didn't open the fds before passing _OCI*PIPE to conmon. This caused libpod to talk on the preserved fds, rather than the pipes, with conmon talking on the pipes. This caused a hang.
      Libpod also didn't convert an int to string correctly, so it would further fail.
      Fix these and add a unit test to make sure we don't regress in the future
      Note: this test will not pass on crun until crun supports --preserve-fds
      Signed-off-by: Peter Hunt <pehunt@redhat.com>