path: root/libpod
Commit message | Author | Age
* apparmor: apply default profile at container initialization | Valentin Rothberg | 2019-01-09
    Apply the default AppArmor profile at container initialization to cover all possible code paths (i.e., podman-{start,run}) before executing the runtime. This allows moving most of the logic into pkg/apparmor.
    Also make the loading and application of the default AppArmor profile version-independent by checking for the `libpod-default-` prefix and over-writing the profile in the run-time spec if needed.
    The initial run-time spec of the container differs a bit from the applied one when having started the container, which results in displaying a potentially outdated AppArmor profile when inspecting a container. To fix that, load the container config from the file system if present and use it to display the data.
    Fixes: #2107
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #2061 from adrianreber/static-ip | OpenShift Merge Robot | 2019-01-09
    Use existing interface to request IP address during restore
* Use existing interface to request IP address during restore | Adrian Reber | 2019-01-09
    The initial implementation to request the same IP address for a container during a restore was based on environment variables influencing CNI. With this commit the IP address selection switches to Podman's internal static IP API.
    This commit does a comment change in libpod/container_easyjson.go to avoid unnecessary re-generation of libpod/container_easyjson.go during build as this fails in CI. The reason for this is that make sees that libpod/container_easyjson.go needs to be re-created. The commit, however, only changes a part of libpod/container.go which is marked as 'ffjson: skip'.
    Signed-off-by: Adrian Reber <areber@redhat.com>
* hooks: Add pre-create hooks for runtime-config manipulation | W. Trevor King | 2019-01-08
    There's been a lot of discussion over in [1] about how to support the NVIDIA folks and others who want to be able to create devices (possibly after having loaded kernel modules) and bind userspace libraries into the container. Currently that's happening in the middle of runc's create-time mount handling before the container pivots to its new root directory with runc's incorrectly-timed prestart hook trigger [2].
    With this commit, we extend hooks with a 'precreate' stage to allow trusted parties to manipulate the config JSON before calling the runtime's 'create'. I'm recycling the existing Hook schema from pkg/hooks for this, because we'll want Timeout for reliability and When to avoid the expense of fork/exec when a given hook does not need to make config changes [3].
    [1]: https://github.com/opencontainers/runc/pull/1811
    [2]: https://github.com/opencontainers/runc/issues/1710
    [3]: https://github.com/containers/libpod/issues/1828#issuecomment-439888059
    Signed-off-by: W. Trevor King <wking@tremily.us>
* Add a --workdir option to 'podman exec' | Debarshi Ray | 2019-01-08
    Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
* Merge pull request #2099 from mheon/config_to_containerconfig | OpenShift Merge Robot | 2019-01-08
    Rename libpod.Config back to ContainerConfig
* Rename libpod.Config back to ContainerConfig | Matthew Heon | 2019-01-07
    During an earlier bugfix, we swapped all instances of ContainerConfig to Config, which was meant to fix some data we were returning from Inspect. This unfortunately also renamed a libpod internal struct for container configs. Undo the rename here.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #2078 from rhatdan/config.file | OpenShift Merge Robot | 2019-01-07
    Add the configuration file used to setup storage to podman info
* Add the configuration file used to setup storage to podman info | Daniel J Walsh | 2019-01-07
    Users have no idea what storage configuration file is used to setup storage, so adding this to podman info should make it easier to discover.
    This requires a revendor of containers/storage.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #2098 from baude/remote | OpenShift Merge Robot | 2019-01-07
    Add ability to build golang remote client
* Add ability to build golang remote client | baude | 2019-01-07
    Add the ability to build a remote client in golang that uses all the same front-end cli code and output code. The initial limitations here are that it can only be a local client while the bridge and resolver code is being written for the golang varlink client.
    Tests and docs will be added in subsequent PRs.
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #2075 from baude/runlabelname | OpenShift Merge Robot | 2019-01-07
    container runlabel NAME implementation
* container runlabel NAME implementation | baude | 2019-01-04
    When using container runlabel, if a --name is not provided, we must deduce the container name from the base name of the image to maintain parity with the atomic cli.
    Fixed a small bug where we split the cmd on " " rather than using fields, which could lead to extra spaces in command output.
    Signed-off-by: baude <bbaude@redhat.com>
* Address lingering review comments from SHM locking PR | Matthew Heon | 2019-01-07
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Rootless with shmlocks was not working. | Daniel J Walsh | 2019-01-05
    This patch makes the path unique to each UID. Also cleans up some return code to return the path it is trying to lock.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Move lock init after tmp dir is populated properly | Matthew Heon | 2019-01-04
    Don't initialize the lock manager until almost the end of libpod init, so we can guarantee our tmp dir is properly set up and exists. This wasn't an issue on systems that had previously run Podman, but CI caught it.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* When refreshing libpod, if SHM locks exist, remove them | Matthew Heon | 2019-01-04
    This will hopefully help cases where libpod is initialized multiple times on the same system (as on our CI tests). We still run into potential issues where multiple Podmans with multiple tmp paths try to run on the same system - we could end up thrashing the locks. I think we need a file locks driver for situations like that. We can also see about storing paths in the SHM segment, to make sure multiple libpod instances aren't using the same one.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Ensure different error messages and creating/opening locks | Matthew Heon | 2019-01-04
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Update unit tests to use in-memory lock manager | Matthew Heon | 2019-01-04
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Remove runtime lockDir and add in-memory lock manager | Matthew Heon | 2019-01-04
    Remove runtime's lockDir as it is no longer needed after the lock rework.
    Add a trivial in-memory lock manager for unit testing.
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Convert pods to SHM locks | Matthew Heon | 2019-01-04
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Convert containers to SHM locking | Matthew Heon | 2019-01-04
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Add lock manager to libpod runtime | Matthew Heon | 2019-01-04
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Move to POSIX mutexes for SHM locks | Matthew Heon | 2019-01-04
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Disable lint on SHMLock struct | Matthew Heon | 2019-01-04
    Golint wants to rename the struct. I think the name is fine. I can disable golint. Golint will no longer complain about the name.
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Refactor locks package to build on non-Linux | Matthew Heon | 2019-01-04
    Move SHM specific code into a subpackage. Within the main locks package, move the manager to be linux-only and add a non-Linux unsupported build file.
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Add an SHM-backed Lock Manager implementation | Matthew Heon | 2019-01-04
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Add interface for libpod multiprocess locks | Matthew Heon | 2019-01-04
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Improve documentation and unit tests for SHM locks | Matthew Heon | 2019-01-04
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Propagate error codes from SHM lock creation and open | Matthew Heon | 2019-01-04
    Also add a few more unit tests.
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Add mutex invariant to SHM semaphores. | Matthew Heon | 2019-01-04
    Check value of semaphores when incrementing to ensure we never go beyond 1, preserving mutex invariants.
    Also, add cleanup code to the lock tests, ensuring that we never leave the locks in a bad state after a test. We aren't destroying and recreating the SHM every time, so we have to be careful not to leak state between test runs.
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Initial skeleton of in-memory locks | Matthew Heon | 2019-01-04
    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* add container-init support | Valentin Rothberg | 2019-01-04
    Add support for executing an init binary as PID 1 in a container to forward signals and reap processes. When the `--init` flag is set for podman-create or podman-run, the init binary is bind-mounted to `/dev/init` in the container and "/dev/init --" is prepended to the container's command.
    The default base path of the container-init binary is `/usr/libexec/podman` while the default binary is catatonit [1]. This default can be changed permanently via the `init_path` field in the `libpod.conf` configuration file (which is recommended for packaging) or temporarily via the `--init-path` flag of podman-create and podman-run.
    [1] https://github.com/openSUSE/catatonit
    Fixes: #1670
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #2068 from mheon/log_container_command | OpenShift Merge Robot | 2019-01-02
    Log container command before starting the container
* Log container command before starting the container | Matthew Heon | 2019-01-02
    Runc does not produce helpful error messages when the container's command is not found, so print the command ourselves.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Use sprintf to generate port numbers while committing | Matthew Heon | 2019-01-02
    Casting integers to strings is definitely not correct, so let the standard library handle matters.
    Fixes #2066
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* podman build is not using the default oci-runtime | Daniel J Walsh | 2018-12-28
    Currently, if the user installs runc in an alternative path, podman run uses it but podman build does not. This patch will pass the default oci runtime to be used by podman down to the image builder.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fixes to handle /dev/shm correctly. | Daniel J Walsh | 2018-12-24
    We had two problems with /dev/shm. First, if you mounted the container read/only then /dev/shm was mounted read/only. This is a bug; a tmpfs directory should be read/write within a read-only container.
    The second problem is we were ignoring users' mounted /dev/shm from the host. If a user specified podman run -d -v /dev/shm:/dev/shm ... we were dropping this mount and still using the internal mount.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Switch all references to image.ContainerConfig to image.Config | Daniel J Walsh | 2018-12-21
    This will more closely match what Docker is doing.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* libpod: always store the conmon pid file | Giuseppe Scrivano | 2018-12-21
    We need this information to later be able to join the conmon process.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1967 from baude/kubereplay | OpenShift Merge Robot | 2018-12-20
    Add Play
* Add Play | baude | 2018-12-19
    podman play kube adds the ability for the user to recreate pods and containers from a Kubernetes YAML file in libpod.
    Signed-off-by: baude <bbaude@redhat.com>
* Support podman image trust command | Qi Wang | 2018-12-19
    Display the trust policy of the host system. The trust policy is stored in the /etc/containers/policy.json file and defines a scope of registries or repositories.
    Signed-off-by: Qi Wang <qiwan@redhat.com>
* Merge pull request #1988 from mheon/use_dependency_resolv | OpenShift Merge Robot | 2018-12-13
    Containers sharing a netns should share resolv/hosts
* Containers sharing a netns should share resolv/hosts | Matthew Heon | 2018-12-11
    When sharing a network namespace, containers should also share resolv.conf and /etc/hosts in case a container process made changes to either (for example, if I set up a VPN client in container A and join container B to its network namespace, I expect container B to use the DNS servers from A to ensure it can see everything on the VPN).
    Resolves: #1546
    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #1990 from kunalkushwaha/bugfix-NamedVolumeCheck | OpenShift Merge Robot | 2018-12-13
    condition fixed for adding volume to boltdb.
* condition fixed for adding volume to boltdb. | Kunal Kushwaha | 2018-12-13
    Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
* Merge pull request #1962 from rhatdan/criu | OpenShift Merge Robot | 2018-12-12
    Set Socket label for container
* Set Socket label for container | Daniel J Walsh | 2018-12-12
    This will allow container processes to write to the CRIU socket that gets injected into the container.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1978 from mheon/only_one_execuser | OpenShift Merge Robot | 2018-12-11
    Prevent a second lookup of user for image volumes