path: root/libpod
Commit message (Author, Age)
* Merge pull request #2899 from giuseppe/prevent-sys-fs-kernel-paths-in-userns  (OpenShift Merge Robot, 2019-04-11)
    userns: prevent /sys/kernel/* paths in the container
  * userns: prevent /sys/kernel/* paths in the container  (Giuseppe Scrivano, 2019-04-11)
    when we run in a user namespace, there are cases where we do not have enough privileges to mount a fresh sysfs on /sys. To circumvent this limitation, we rbind /sys from the host. This carries inside of the container also some mounts we probably don't want to. We are also limited by the kernel to use rbind instead of bind, as allowing a bind would uncover paths that were not previously visible.
    This is a slimmed down version of the intermediate mount namespace logic we had before, where we only set /sys to slave, so the umounts done to the storage by the cleanup process are propagated back to the host. We also don't set up any new directory, so there is no additional cleanup to do.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: fix segfault on refresh if there are containers  (Giuseppe Scrivano, 2019-04-10)
    immediately create a namespace if we need a refresh. This is necessary to access the rootless storage.
    Closes: https://github.com/containers/libpod/issues/2894
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2892 from edsantiago/healthcheck_typo_fix  (OpenShift Merge Robot, 2019-04-10)
    (minor): fix misspelled 'Healthcheck'
  * (minor): fix misspelled 'Healthcheck'  (Ed Santiago, 2019-04-10)
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #2880 from mheon/update_allowed_regex_error  (OpenShift Merge Robot, 2019-04-10)
    Update invalid name errors to report the correct regex
  * Update invalid name errors to report the correct regex  (Matthew Heon, 2019-04-09)
    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #2882 from baude/remoteps  (OpenShift Merge Robot, 2019-04-10)
    podman-remote ps
  * podman-remote ps  (baude, 2019-04-09)
    add the ability to run ps on containers using the remote client.
    Signed-off-by: baude <bbaude@redhat.com>
* Implement podman-remote rm  (Jhon Honce, 2019-04-09)
    * refactor command output to use one function
    * Add new worker pool parallel operations
    * Implement podman-remote umount
    * Refactored podman wait to use printCmdOutput()
    Signed-off-by: Jhon Honce <jhonce@redhat.com>
* add image rmi event  (baude, 2019-04-08)
    when deleting a committed image, the path for deletion has an early exit and the image remove event was not being triggered.
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #2831 from baude/remotetree  (OpenShift Merge Robot, 2019-04-04)
    podman-remote image tree
  * podman-remote image tree  (baude, 2019-04-04)
    add the ability for the podman-remote client to be able to print an image tree.
    Signed-off-by: baude <bbaude@redhat.com>
* Fix E2E tests  (Matthew Heon, 2019-04-04)
    The Commit test is blatantly wrong and testing buggy behavior. We should be committing the destination, if anything - and more likely nothing at all.
    When force-removing volumes, don't remove the volumes of containers we need to remove. This can lead to a chicken and the egg problem where the container removes the volume before we can. When we re-add volume locks this could lead to deadlocks. I don't really want to deal with this, and this doesn't seem a particularly harmful quirk, so we'll let this slide until we get a bug report.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Drop LocalVolumes from our database  (Matthew Heon, 2019-04-04)
    We were never using it. It's actually a potentially quite sizable field (very expensive to decode an array of structs!). Removing it should do no harm.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Major rework of --volumes-from flag  (Matthew Heon, 2019-04-04)
    The flag should be substantially more durable, and no longer relies on the create artifact. This should allow it to properly handle our new named volume implementation.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Volume force-remove now removed dependent containers  (Matthew Heon, 2019-04-04)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add handling for new named volumes code in pkg/spec  (Matthew Heon, 2019-04-04)
    Now that named volumes must be explicitly enumerated rather than passed in with all other volumes, we need to split normal and named volumes up before passing them into libpod. This PR does this.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Create non-existing named volumes at container create  (Matthew Heon, 2019-04-04)
    Replaces old functionality we used for handling image volumes.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Switch Libpod over to new explicit named volumes  (Matthew Heon, 2019-04-04)
    This swaps the previous handling (parse all volume mounts on the container and look for ones that might refer to named volumes) for the new, explicit named volume lists stored per-container.
    It also deprecates force-removing volumes that are in use. I don't know how we want to handle this yet, but leaving containers that depend on a volume that no longer exists is definitely not correct.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add named volumes for each container to database  (Matthew Heon, 2019-04-04)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #2706 from giuseppe/rootless-single-usernamespace  (OpenShift Merge Robot, 2019-04-04)
    rootless: single user namespace
  * rootless: use a single user namespace  (Giuseppe Scrivano, 2019-04-01)
    simplify the rootless implementation to use a single user namespace for all the running containers. This makes the rootless implementation behave more like root Podman, where each container is created in the host environment.
    There are multiple advantages to it:
    1) much simpler implementation as there is only one namespace to join.
    2) we can join namespaces owned by different containers.
    3) commands like ps won't be limited to what container they can access as previously we either had access to the storage from a new namespace or access to /proc when running from the host.
    4) rootless varlink works.
    5) there are only two ways to enter in a namespace, either by creating a new one if no containers are running or joining the existing one from any container.
    Containers created by older Podman versions must be restarted.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * rootless: remove SkipStorageSetup()  (Giuseppe Scrivano, 2019-04-01)
    in the few places where we care about skipping the storage initialization, we can simply use the process effective UID, instead of relying on a global boolean flag.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Fix a potential segfault in podman search  (Matthew Heon, 2019-04-03)
    When generating headers for search, we unconditionally access element 0 of an array, and I saw this segfault in our CI. There's no reason we have to do this, we're just going through it to get field names with reflect, so just make a new copy of the struct in question.
    Also, move this code, which is only for CLI display, into cmd/podman from libpod/image.
    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #2801 from mheon/remove_wait_event  (OpenShift Merge Robot, 2019-03-29)
    Remove wait event
  * Remove wait event  (Matthew Heon, 2019-03-29)
    It's not necessary to log an event for a read-only operation like wait.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add locking to ensure events file is concurrency-safe  (Matthew Heon, 2019-03-29)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #2635 from rhatdan/cache  (OpenShift Merge Robot, 2019-03-29)
    Set blob cache directory based on GraphDriver
  * Set blob cache directory based on GraphDriver  (Daniel J Walsh, 2019-03-29)
    Currently in rootless containers, we end up not using the blob cache. We also don't store the blob cache based on the user's specified graph storage. This change will cause the cache directory to be stored with the rest of the container images.
    While doing this patch, I found that we had duplicated GetSystemContext in two places in libpod. I cleaned this up.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #2797 from giuseppe/rootless-set-sticky  (OpenShift Merge Robot, 2019-03-29)
    rootless: set sticky bit on rundir
  * rootless: set sticky bit on rundir  (Giuseppe Scrivano, 2019-03-29)
    it prevents the directory from being auto-pruned, according to the XDG specifications.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * oci: drop reference to runc  (Giuseppe Scrivano, 2019-03-29)
    it can be any OCI runtime.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2730 from giuseppe/userns-take-rid-of-intermediate-mountns  (OpenShift Merge Robot, 2019-03-29)
    userns: do not use an intermediate mount namespace
  * userns: do not use an intermediate mount namespace  (Giuseppe Scrivano, 2019-03-29)
    We have an issue in the current implementation where the cleanup process is not able to umount the storage as it is running in a separate namespace.
    Simplify the implementation for user namespaces by not using an intermediate mount namespace. For doing it, we need to relax the permissions on the parent directories and allow browsing them. Containers that are running without a user namespace will still maintain mode 0700 on their directory.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * volumes: push the chown logic to runtime_volume_linux.go  (Giuseppe Scrivano, 2019-03-29)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2793 from mheon/alter_name_regex  (OpenShift Merge Robot, 2019-03-29)
    Alter container/pod/volume name regexp to match Docker
  * Alter container/pod/volume name regexp to match Docker  (Matthew Heon, 2019-03-29)
    Docker's upstream name validation regex has two major differences from ours that we pick up in this PR. The first requires that the first character of a name is a letter or number, not a special character. The second allows periods in names.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #2575 from haircommander/hotfix_play_kube  (OpenShift Merge Robot, 2019-03-29)
    Default to SELinux private label for play kube mounts
  * Default to SELinux private label for play kube mounts  (Peter Hunt, 2019-03-28)
    Before, there were SELinux denials when a volume was bind-mounted by podman play kube. Partially fix this by setting the default private label for mounts created by play kube (with DirectoryOrCreate). For volumes mounted as Directory, the user will have to set their own SELinux permissions on the mount point.
    also remove left over debugging print statement
    Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Merge pull request #2796 from mheon/fix_cni_multinetwork  (OpenShift Merge Robot, 2019-03-29)
    Ensure that we make a netns for CNI non-default nets
  * Ensure that we make a netns for CNI non-default nets  (Matthew Heon, 2019-03-28)
    We accidentally patched this out trying to enable ns:/path/to/ns
    This should restore the ability to configure nondefault CNI networks with Podman, by ensuring that they request creation of a network namespace.
    Completely remove the WithNetNS() call when we do use an explicit namespace from a path. We use that call to indicate that a netns is going to be created - there should not be any question about whether it actually does.
    Fixes #2795
    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #2786 from giuseppe/change-rootless-env-names  (OpenShift Merge Robot, 2019-03-28)
    rootless: change env prefix
  * rootless: change env prefix  (Giuseppe Scrivano, 2019-03-28)
    from _LIBPOD to _CONTAINERS. The same change was done in buildah unshare.
    This is necessary for podman to detect we are running in a rootless environment and work properly from a "buildah unshare" session.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* vendor buildah, image, storage, cni  (Valentin Rothberg, 2019-03-28)
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Remove ulele/deepcopier in favor of JSON deep copy  (Matthew Heon, 2019-03-27)
    We have a very high performance JSON library that doesn't need to perform code generation. Let's use it instead of our questionably performant, reflection-dependent deep copy library.
    Most changes because some functions can now return errors.
    Also converts cmd/podman to use jsoniter, instead of pkg/json, for increased performance.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Resolve review comments  (Matthew Heon, 2019-03-27)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add support to disable creation of network config files  (Matthew Heon, 2019-03-27)
    Specifically, we want to be able to specify whether resolv.conf and /etc/hosts will be created and bind-mounted into the container.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add "died" event  (baude, 2019-03-25)
    We have a new event for container 'Exited' which has been renamed to 'died'. Also removed the stream bool from the varlink endpoint for events because it can be determined by the varlink more value.
    Signed-off-by: baude <bbaude@redhat.com>
* podman health check phase3  (baude, 2019-03-22)
    podman will not start a transient service and timer for healthchecks. this handles the tracking of the timing for health checks.
    added the 'started' status which represents the time that a container is in its start-period.
    the systemd timing can be disabled with an env variable of DISABLE_HC_SYSTEMD="true".
    added filter for ps where --filter health=[starting, healthy, unhealthy] can now be used.
    Signed-off-by: baude <bbaude@redhat.com>