summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Merge pull request #6560 from mheon/fix_exec_logdriverOpenShift Merge Robot2020-06-17
|\ | | | | Do not share container log driver for exec
| * Do not share container log driver for execMatthew Heon2020-06-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the container uses journald logging, we don't want to automatically use the same driver for its exec sessions. If we do we will pollute the journal (particularly in the case of healthchecks) with large amounts of undesired logs. Instead, force exec sessions logs to file for now; we can add a log-driver flag later (we'll probably want to add a `podman logs` command that reads exec session logs at the same time). As part of this, add support for the new 'none' logs driver in Conmon. It will be the default log driver for exec sessions, and can be optionally selected for containers. Great thanks to Joe Gooch (mrwizard@dok.org) for adding support to Conmon for a null log driver, and wiring it in here. Fixes #6555 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #6522 from mheon/unless-stoppedOpenShift Merge Robot2020-06-17
|\ \ | | | | | | Add support for the unless-stopped restart policy
| * | Add support for the unless-stopped restart policyMatthew Heon2020-06-17
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We initially believed that implementing this required support for restarting containers after reboot, but this is not the case. The unless-stopped restart policy acts identically to the always restart policy except in cases related to reboot (which we do not support yet), but it does not require that support for us to implement it. Changes themselves are quite simple, we need a new restart policy constant, we need to remove existing checks that block creation of containers when unless-stopped was used, and we need to update the manpages. Fixes #6508 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* / Revert #6591 to fix issue with failed testsjgallucci322020-06-17
|/ | | | Signed-off-by: jgallucci32 <john.gallucci.iv@gmail.com>
* Fix podman-remote imagesDaniel J Walsh2020-06-16
| | | | | | Looks like we went too far with the linters. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #6591 from jgallucci32/patch-1OpenShift Merge Robot2020-06-15
|\ | | | | Merged request to fix -f to stop following logs
| * Remove redundant break in for loop.jgallucci322020-06-15
| | | | | | | | | | | | | | Remove redundant `break` call in for loop. Co-authored-by: Qi Wang <qiwan@redhat.com> Signed-off-by: jgallucci32 <john.gallucci.iv@gmail.com>
| * Do not print error message when container does not existjgallucci322020-06-12
| | | | | | | | | | | | | | | | This fixes a condition when a container is removed while following the logs and prints an error when the container is removed forcefully. Signed-off-by: jgallucci32 <john.gallucci.iv@gmail.com>
| * Changed from t.StopAtEOF() to t.Stop() and added error checkjgallucci322020-06-12
| | | | | | | | Signed-off-by: jgallucci32 <john.gallucci.iv@gmail.com>
| * Fix -f logs to stop when a container exitsjgallucci322020-06-12
| | | | | | | | | | | | | | | | | | | | | | Fixes an issue with the previous PR where a container would exit while following logs and the log tail continued to follow. This creates a subroutine which checks the state of the container and instructs the tailLog to stop when it reaches EOF. Tested the following conditions: * Tail and follow logs of running container * Tail and follow logs of stopped container * Tail and follow logs of running container which exits after some time Signed-off-by: jgallucci32 <john.gallucci.iv@gmail.com>
| * Fix -f logs follow with stopped containerQi Wang2020-06-11
| | | | | | | | | | | | Fix -f logs follow with stopped container. Close #6531 Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Turn on More lintersDaniel J Walsh2020-06-15
|/ | | | | | | | | - misspell - prealloc - unparam - nakedret Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #6415 from vrothberg/systemd-new-podOpenShift Merge Robot2020-06-11
|\ | | | | podman-generate-systemd --new for pods
| * generate systemd: create pod templateValentin Rothberg2020-06-11
| | | | | | | | | | | | | | | | | | | | Create a new template for generating a pod unit file. Eventually, this allows for treating and extending pod and container generation seprately. The `--new` flag now also works on pods. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * generate systemd: refactorValentin Rothberg2020-06-11
| | | | | | | | | | | | | | | | | | | | | | | | Refactor the systemd-unit generation code and move all the logic into `pkg/systemd/generate`. The code was already hard to maintain but I found it impossible to wire the `--new` logic for pods in all the chaos. The code refactoring in this commit will make maintaining the code easier and should make it easier to extend as well. Further changes and refactorings may still be needed but they will easier. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * add (*Pod).CreateCommand()Valentin Rothberg2020-06-11
| | | | | | | | | | | | Add a method to Pod to easily access its .config.CreateCommand. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * pod create: add `--infra-conmon-pidfile`Valentin Rothberg2020-06-11
| | | | | | | | | | | | | | | | | | | | | | Add an `--infra-conmon-pidfile` flag to `podman-pod-create` to write the infra container's conmon process ID to a specified path. Several container sub-commands already support `--conmon-pidfile` which is especially helpful to allow for systemd to access and track the conmon processes. This allows for easily tracking the conmon process of a pod's infra container. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * pod config: add a `CreateCommand` fieldValentin Rothberg2020-06-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a `CreateCommand` field to the pod config which includes the entire `os.Args` at pod-creation. Similar to the already existing field in a container config, we need this information to properly generate generic systemd unit files for pods. It's a prerequisite to support the `--new` flag for pods. Also add the `CreateCommand` to the pod-inspect data, which can come in handy for debugging, general inspection and certainly for the tests that are added along with the other changes. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #6568 from giuseppe/fix-check-for-rootless-netOpenShift Merge Robot2020-06-11
|\ \ | | | | | | libpod: fix check for slirp4netns netns
| * | libpod: fix check for slirp4netns netnsGiuseppe Scrivano2020-06-11
| |/ | | | | | | | | | | | | | | | | | | fix the check for c.state.NetNS == nil. Its value is changed in the first code block, so the condition is always true in the second one and we end up running slirp4netns twice. Closes: https://github.com/containers/libpod/issues/6538 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #6529 from mheon/v6_portsOpenShift Merge Robot2020-06-11
|\ \ | |/ |/| Enable IPv6 port binding
| * Enable IPv6 port bindingMatthew Heon2020-06-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Two areas needed tweaking to accomplish this: port parsing and binding ports on the host. Parsing is an obvious problem - we have to accomodate an IPv6 address enclosed by [] as well as a normal IPv4 address. It was slightly complicated by the fact that we previously just counted the number of colons in the whole port definition (a thousand curses on whoever in the IPv6 standard body decided to reuse colons for address separators), but did not end up being that bad. Libpod also (optionally) binds ports on the host to prevent their reuse by host processes. This code was IPv4 only for TCP, and bound to both for UDP (which I'm fairly certain is not correct, and has been adjusted). This just needed protocols adjusted to read "tcp4"/"tcp6" and "udp4"/"udp6" based on what we wanted to bind to. Fixes #5715 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Fixed bug where 'podman log <container>' would truncate some lines.Will Haines2020-06-10
| | | | | | | | Signed-off-by: Will Haines <william.haines@colorado.edu>
* | container: do not set hostname when joining utsGiuseppe Scrivano2020-06-10
| | | | | | | | | | | | | | do not set the hostname when joining an UTS namespace, as it could be owned by a different userns. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | container: make resolv.conf and hosts accessible in usernsGiuseppe Scrivano2020-06-10
|/ | | | | | | | when running in a new userns, make sure the resolv.conf and hosts files bind mounted from another container are accessible to root in the userns. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Fixup issues found by golintDaniel J Walsh2020-06-10
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Ensure Conmon is alive before waiting for exit fileMatthew Heon2020-06-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This came out of a conversation with Valentin about systemd-managed Podman. He discovered that unit files did not properly handle cases where Conmon was dead - the ExecStopPost `podman rm --force` line was not actually removing the container, but interestingly, adding a `podman cleanup --rm` line would remove it. Both of these commands do the same thing (minus the `podman cleanup --rm` command not force-removing running containers). Without a running Conmon instance, the container process is still running (assuming you killed Conmon with SIGKILL and it had no chance to kill the container it managed), but you can still kill the container itself with `podman stop` - Conmon is not involved, only the OCI Runtime. (`podman rm --force` and `podman stop` use the same code to kill the container). The problem comes when we want to get the container's exit code - we expect Conmon to make us an exit file, which it's obviously not going to do, being dead. The first `podman rm` would fail because of this, but importantly, it would (after failing to retrieve the exit code correctly) set container status to Exited, so that the second `podman cleanup` process would succeed. To make sure the first `podman rm --force` succeeds, we need to catch the case where Conmon is already dead, and instead of waiting for an exit file that will never come, immediately set the Stopped state and remove an error that can be caught and handled. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Ensure that containers in pods properly set hostnameMatthew Heon2020-06-04
| | | | | | | | | | | | | | | | | | When we moved to the new Namespace types in Specgen, we made a distinction between taking a namespace from a pod, and taking it from another container. Due to this new distinction, some code that previously worked for both `--pod=$ID` and `--uts=container:$ID` has accidentally become conditional on only the latter case. This happened for Hostname - we weren't properly setting it in cases where the container joined a pod. Fortunately, this is an easy fix once we know to check the condition. Also, ensure that `podman pod inspect` actually prints hostname. Fixes #6494 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #6470 from mheon/fix_stats_nonetOpenShift Merge Robot2020-06-04
|\ | | | | Properly follow linked namespace container for stats
| * Properly follow linked namespace container for statsMatthew Heon2020-06-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman containers can specify that they get their network namespace from another container. This is automatic in pods, but any container can do it. The problem is that these containers are not guaranteed to have a network namespace of their own; it is perfectly valid to join the network namespace of a --net=host container, and both containers will end up in the host namespace. The code for obtaining network stats did not account for this, and could cause segfaults as a result. Fortunately, the fix is simple - the function we use to get said stats already performs appropriate checks, so we just need to recursively call it. Fixes #5652 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | add socket information to podman infoBrent Baude2020-06-03
| | | | | | | | | | | | | | this is step 1 to self-discovery of remote ssh connections. we add a remotesocket struct to info to detect what the socket path might be. Co-authored-by: Jhon Honce <jhonce@redhat.com> Signed-off-by: Brent Baude <bbaude@redhat.com>
* | Merge pull request #6468 from mheon/remote_detached_execOpenShift Merge Robot2020-06-03
|\ \ | |/ |/| Enable detached exec for remote
| * Enable detached exec for remoteMatthew Heon2020-06-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The biggest obstacle here was cleanup - we needed a way to remove detached exec sessions after they exited, but there's no way to tell if an exec session will be attached or detached when it's created, and that's when we must add the exit command that would do the removal. The solution was adding a delay to the exit command (5 minutes), which gives sufficient time for attached exec sessions to retrieve the exit code of the session after it exits, but still guarantees that they will be removed, even for detached sessions. This requires Conmon 2.0.17, which has the new `--exit-delay` flag. As part of the exit command rework, we can drop the hack we were using to clean up exec sessions (remove them as part of inspect). This is a lot cleaner, and I'm a lot happier about it. Otherwise, this is just plumbing - we need a bindings call for detached exec, and that needed to be added to the tunnel mode backend for entities. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | check --user range for rootless containersQi Wang2020-06-02
|/ | | | | | Check --user range if it's a uid for rootless containers. Returns error if it is out of the range. From https://github.com/containers/libpod/issues/6431#issuecomment-636124686 Signed-off-by: Qi Wang <qiwan@redhat.com>
* compat handlers: add X-Registry-Auth header supportValentin Rothberg2020-05-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Support the `X-Registry-Auth` http-request header. * The content of the header is a base64 encoded JSON payload which can either be a single auth config or a map of auth configs (user+pw or token) with the corresponding registries being the keys. Vanilla Docker, projectatomic Docker and the bindings are transparantly supported. * Add a hidden `--registries-conf` flag. Buildah exposes the same flag, mostly for testing purposes. * Do all credential parsing in the client (i.e., `cmd/podman`) pass the username and password in the backend instead of unparsed credentials. * Add a `pkg/auth` which handles most of the heavy lifting. * Go through the authentication-handling code of most commands, bindings and endpoints. Migrate them to the new code and fix issues as seen. A final evaluation and more tests is still required *after* this change. * The manifest-push endpoint is missing certain parameters and should use the ABI function instead. Adding auth-support isn't really possible without these parts working. * The container commands and endpoints (i.e., create and run) have not been changed yet. The APIs don't yet account for the authfile. * Add authentication tests to `pkg/bindings`. Fixes: #6384 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* podman version --format ... was not workingDaniel J Walsh2020-05-21
| | | | | | This patch fixes the podman --version --format command. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Display human build date in podman infoDaniel J Walsh2020-05-21
| | | | | | | Currently we are displaying the Seconds since EPOCH this will change to displaying date, similar to `podman version` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #6323 from rhatdan/shrinkOpenShift Merge Robot2020-05-21
|\ | | | | Remove github.com/libpod/libpod from cmd/pkg/podman
| * Remove github.com/libpod/libpod from cmd/pkg/podmanDaniel J Walsh2020-05-21
| | | | | | | | | | | | | | By moving a couple of variables from libpod/libpod to libpod/libpod/define I am able shrink the podman-remote-* executables by another megabyte. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #6312 from rhatdan/imageOpenShift Merge Robot2020-05-21
|\ \ | | | | | | Fix remote handling of podman images calls
| * | Fix remote handling of podman images callsDaniel J Walsh2020-05-21
| | | | | | | | | | | | | | | | | | | | | Enable three more tests Fix handling of image filters Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #6281 from rhatdan/fipsOpenShift Merge Robot2020-05-21
|\ \ \ | | | | | | | | Fix mountpont in SecretMountsWithUIDGID
| * | | Fix mountpont in SecretMountsWithUIDGIDDaniel J Walsh2020-05-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | In FIPS Mode we expect to work off of the Mountpath not the Rundir path. This is causing FIPS Mode checks to fail. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | vendor: update seccomp/containers-golang to v0.4.1Giuseppe Scrivano2020-05-21
| | | | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #6304 from baude/v2remotehctestsOpenShift Merge Robot2020-05-21
|\ \ \ \ | |_|_|/ |/| | | Fix remote integration for healthchecks
| * | | Fix remote integration for healthchecksBrent Baude2020-05-20
| |/ / | | | | | | | | | | | | | | | the one remaining test that is still skipped do to missing exec function Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | Enable cleanup processes for detached execMatthew Heon2020-05-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The cleanup command creation logic is made public as part of this and wired such that we can call it both within SpecGen (to make container exit commands) and from the ABI detached exec handler. Exit commands are presently only used for detached exec, but theoretically could be turned on for all exec sessions if we wanted (I'm declining to do this because of potential overhead). I also forgot to copy the exit command from the exec config into the ExecOptions struct used by the OCI runtime, so it was not being added. There are also two significant bugfixes for exec in here. One is for updating the status of running exec sessions - this was always failing as I had coded it to remove the exit file *before* reading it, instead of after (oops). The second was that removing a running exec session would always fail because I inverted the check to see if it was running. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Add ability to clean up exec sessions with cleanupMatthew Heon2020-05-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We need to be able to use cleanup processes to remove exec sessions as part of detached exec. This PR adds that ability. A new flag is added to `podman container cleanup`, `--exec`, to specify an exec session to be cleaned up. As part of this, ensure that `ExecCleanup` can clean up exec sessions that were running, but have since exited. This ensures that we can come back to an exec session that was running but has since stopped, and clean it up. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Add backend code for detached execMatthew Heon2020-05-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As part of the massive exec rework, I stubbed out a function for non-detached exec, which is implemented here. It's largely similar to the existing exec functions, but missing a few pieces. This also involves implemented a new OCI runtime call for detached exec. Again, very similar to the other functions, but with a few missing pieces. Signed-off-by: Matthew Heon <matthew.heon@pm.me>