summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* add macvlan as a supported network driverbaude2021-02-02
| | | | | | | | | | | | instead of using the --macvlan to indicate that you want to make a macvlan network, podman network create now honors the driver name of *macvlan*. Any options to macvlan, like the parent device, should be specified as a -o option. For example, -o parent=eth0. the --macvlan option was marked as deprecated in the man page but is still supported for the duration of 3.0. Signed-off-by: baude <bbaude@redhat.com>
* Ensure shutdown handler access is syncronizedMatthew Heon2021-01-29
| | | | | | | | | | | | | | There was a potential race where two handlers could be added at the same time. Go Maps are not thread-safe, so that could do unpleasant things. Add a mutex to keep things safe. Also, swap the order or Register and Start for the handlers in Libpod runtime created. As written, there was a small gap between Start and Register where SIGTERM/SIGINT would be completely ignored, instead of stopping Podman. Swapping the two closes this gap. Signed-off-by: Matthew Heon <mheon@redhat.com>
* workdir presence checksValentin Rothberg2021-01-29
| | | | | | | | | | | | | | | | | | A container's workdir can be specified via the CLI via `--workdir` and via an image config with the CLI having precedence. Since images have a tendency to specify workdirs without necessarily shipping the paths with the root FS, make sure that Podman creates the workdir. When specified via the CLI, do not create the path, but check for its existence and return a human-friendly error. NOTE: `crun` is performing a similar check that would yield exit code 127. With this change, however, Podman performs the check and yields exit code 126. Since this is specific to `crun`, I do not consider it to be a breaking change of Podman. Fixes: #9040 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* libpod: add (*Container).ResolvePath()Valentin Rothberg2021-01-29
| | | | | | | | | Add an API to libpod to resolve a path on the container. We can refactor the code that was originally written for copy. Other functions are requiring a proper path resolution, so libpod seems like a reasonable home for sharing that code. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Add default net info in container inspectbaude2021-01-29
| | | | | | | | | | | | | | when inspecting a container that is only connected to the default network, we should populate the default network in the container inspect information. Fixes: #6618 Signed-off-by: baude <bbaude@redhat.com> MH: Small fixes, added another test Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* remote exec: write conmon error on hijacked connectionValentin Rothberg2021-01-29
| | | | | | | | | | | | | | Make sure to write error from conmon on the hijacked http connection. This fixes issues where errors were not reported on the client side, for instance, when specified command was not found on the container. To future generations: I am sorry. The code is complex, and there are many interdependencies among the concurrent goroutines. I added more complexity on top but I don't have a good idea of how to reduce complexity in the available time. Fixes: #8281 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Add support for rootless network-aliasesPaul Holzinger2021-01-28
| | | | | | | | | | Make sure we pass the network aliases as capability args to the cnitool in the rootless-cni-infra container. Also update the dnsname plugin in the cni-infra container. Fixes #8567 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Allow static ip and mac with rootless cni networkPaul Holzinger2021-01-28
| | | | | | | | Make sure we pass the ip and mac address as CNI_ARGS to the cnitool which is executed in the rootless-cni-infra container. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* disable dnsname when --internalbaude2021-01-26
| | | | | | | | when doing a network creation, the dnsname plugin should be disabled when the --internal bool is set. a warning is displayed if this happens and docs are updated. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #8955 from mheon/renameOpenShift Merge Robot2021-01-14
|\ | | | | Container Rename
| * Initial implementation of renaming containersMatthew Heon2021-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Basic theory: We remove the container, but *only from the DB*. We leave it in c/storage, we leave the lock allocated, we leave it running (if it is). Then we create an identical container with an altered name, and add that back to the database. Theoretically we now have a renamed container. The advantage of this approach is that it doesn't just apply to rename - we can use this to make *any* configuration change to a container that does not alter its container ID. Potential problems are numerous. This process is *THOROUGHLY* non-atomic at present - if you `kill -9` Podman mid-rename things will be in a bad place, for example. Also, we can't rename containers that can't be removed normally - IE, containers with dependencies (pod infra containers, for example). The largest potential improvement will be to move the majority of the work into the DB, with a `RecreateContainer()` method - that will add atomicity, and let us remove the container without worrying about depencies and similar issues. Potential problems: long-running processes that edit the DB and may have an older version of the configuration around. Most notable example is `podman run --rm` - the removal command needed to be manually edited to avoid this one. This begins to get at the heart of me not wanting to do this in the first place... This provides CLI and API implementations for frontend, but no tunnel implementation. It will be added in a future release (just held back for time now - we need this in 3.0 and are running low on time). This is honestly kind of horrifying, but I think it will work. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Initial implementation of volume pluginsMatthew Heon2021-01-14
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This implements support for mounting and unmounting volumes backed by volume plugins. Support for actually retrieving plugins requires a pull request to land in containers.conf and then that to be vendored, and as such is not yet ready. Given this, this code is only compile tested. However, the code for everything past retrieving the plugin has been written - there is support for creating, removing, mounting, and unmounting volumes, which should allow full functionality once the c/common PR is merged. A major change is the signature of the MountPoint function for volumes, which now, by necessity, returns an error. Named volumes managed by a plugin do not have a mountpoint we control; instead, it is managed entirely by the plugin. As such, we need to cache the path in the DB, and calls to retrieve it now need to access the DB (and may fail as such). Notably absent is support for SELinux relabelling and chowning these volumes. Given that we don't manage the mountpoint for these volumes, I am extremely reluctant to try and modify it - we could easily break the plugin trying to chown or relabel it. Also, we had no less than *5* separate implementations of inspecting a volume floating around in pkg/infra/abi and pkg/api/handlers/libpod. And none of them used volume.Inspect(), the only correct way of inspecting volumes. Remove them all and consolidate to using the correct way. Compat API is likely still doing things the wrong way, but that is an issue for another day. Fixes #4304 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #8906 from vrothberg/fix-8501OpenShift Merge Robot2021-01-14
|\ | | | | container stop: release lock before calling the runtime
| * container stop: release lock before calling the runtimeValentin Rothberg2021-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman defers stopping the container to the runtime, which can take some time. Keeping the lock while waiting for the runtime to complete the stop procedure, prevents other commands from acquiring the lock as shown in #8501. To improve the user experience, release the lock before invoking the runtime, and re-acquire the lock when the runtime is finished. Also introduce an intermediate "stopping" to properly distinguish from "stopped" containers etc. Fixes: #8501 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #8958 from zhangguanzhang/duplicated-hostsOpenShift Merge Robot2021-01-13
|\ \ | | | | | | Fixes /etc/hosts duplicated every time after container restarted in a pod
| * | Fxes /etc/hosts duplicated every time after container restarted in a podzhangguanzhang2021-01-13
| | | | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | Remove the ability to use [name:tag] in podman load commandDaniel J Walsh2021-01-12
|/ / | | | | | | | | | | | | | | | | | | Docker does not support this, and it is confusing what to do if the image has more then one tag. We are dropping support for this in podman 3.0 Fixes: https://github.com/containers/podman/issues/7387 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #8950 from mheon/exorcise_driverOpenShift Merge Robot2021-01-12
|\ \ | | | | | | Exorcise Driver code from libpod/define
| * | Exorcise Driver code from libpod/defineMatthew Heon2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The libpod/define code should not import any large dependencies, as it is intended to be structures and definitions only. It included the libpod/driver package for information on the storage driver, though, which brought in all of c/storage. Split the driver package so that define has the struct, and thus does not need to import Driver. And simplify the driver code while we're at it. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #8946 from JAORMX/sec-errorsOpenShift Merge Robot2021-01-12
|\ \ \ | | | | | | | | Expose security attribute errors with their own messages
| * | | Expose security attribute errors with their own messagesJuan Antonio Osorio Robles2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This creates error objects for runtime errors that might come from the runtime. Thus, indicating to users that the place to debug should be in the security attributes of the container. When creating a container with a SELinux label that doesn't exist, we get a fairly cryptic error message: ``` $ podman run --security-opt label=type:my_container.process -it fedora bash Error: OCI runtime error: write file `/proc/thread-self/attr/exec`: Invalid argument ``` This instead handles any errors coming from LSM's `/proc` API and enhances the error message with a relevant indicator that it's related to the container's security attributes. A sample run looks as follows: ``` $ bin/podman run --security-opt label=type:my_container.process -it fedora bash Error: `/proc/thread-self/attr/exec`: OCI runtime error: unable to assign security attribute ``` With `debug` log level enabled it would be: ``` Error: write file `/proc/thread-self/attr/exec`: Invalid argument: OCI runtime error: unable to assign security attribute ``` Note that these errors wrap ErrOCIRuntime, so it's still possible to to compare these errors with `errors.Is/errors.As`. One advantage of this approach is that we could start handling these errors in a more efficient manner in the future. e.g. If a SELinux label doesn't exist (yet), we could retry until it becomes available. Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>
* | | | Merge pull request #8947 from Luap99/cleanup-codeOpenShift Merge Robot2021-01-12
|\ \ \ \ | |/ / / |/| | | Fix problems reported by staticcheck
| * | | Fix problems reported by staticcheckPaul Holzinger2021-01-12
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `staticcheck` is a golang code analysis tool. https://staticcheck.io/ This commit fixes a lot of problems found in our code. Common problems are: - unnecessary use of fmt.Sprintf - duplicated imports with different names - unnecessary check that a key exists before a delete call There are still a lot of reported problems in the test files but I have not looked at those. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #8819 from chen-zhuohan/add-pre-checkpointOpenShift Merge Robot2021-01-12
|\ \ \ | | | | | | | | Add pre-checkpoint and restore with previous
| * | | add pre checkpointunknown2021-01-10
| | | | | | | | | | | | | | | | Signed-off-by: Zhuohan Chen <chen_zhuohan@163.com>
* | | | Merge pull request #8933 from giuseppe/use-O_PATH-for-unix-sockOpenShift Merge Robot2021-01-12
|\ \ \ \ | |_|/ / |/| | | oci: use /proc/self/fd/FD to open unix socket
| * | | oci: use /proc/self/fd/FD to open unix socketGiuseppe Scrivano2021-01-12
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | instead of opening directly the UNIX socket path, grab a reference to it through a O_PATH file descriptor and use the fixed size string "/proc/self/fd/%d" to open the UNIX socket. In this way it won't hit the 108 chars length limit. Closes: https://github.com/containers/podman/issues/8798 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / / oci: keep LC_ env variables to conmonGiuseppe Scrivano2021-01-11
|/ / | | | | | | | | | | | | | | | | | | it is necessary for conmon to deal with the correct locale, otherwise it uses C as a fallback. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1893567 Requires: https://github.com/containers/conmon/pull/215 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #8781 from rst0git/cr-volumesOpenShift Merge Robot2021-01-08
|\ \ | | | | | | Add support for checkpoint/restore of containers with volumes
| * | Include named volumes in container migrationRadostin Stoyanov2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When migrating a container with associated volumes, the content of these volumes should be made available on the destination machine. This patch enables container checkpoint/restore with named volumes by including the content of volumes in checkpoint file. On restore, volumes associated with container are created and their content is restored. The --ignore-volumes option is introduced to disable this feature. Example: # podman container checkpoint --export checkpoint.tar.gz <container> The content of all volumes associated with the container are included in `checkpoint.tar.gz` # podman container checkpoint --export checkpoint.tar.gz --ignore-volumes <container> The content of volumes is not included in `checkpoint.tar.gz`. This is useful, for example, when the checkpoint/restore is performed on the same machine. # podman container restore --import checkpoint.tar.gz The associated volumes will be created and their content will be restored. Podman will exit with an error if volumes with the same name already exist on the system or the content of volumes is not included in checkpoint.tar.gz # podman container restore --ignore-volumes --import checkpoint.tar.gz Volumes associated with container must already exist. Podman will not create them or restore their content. Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
| * | Use Options as exportCheckpoint() argumentRadostin Stoyanov2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Instead of individual values from ContainerCheckpointOptions, provide the options object. This is a preparation for the next patch where one more value of the options object is required in exportCheckpoint(). Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
* | | Merge pull request #8771 from rhatdan/runOpenShift Merge Robot2021-01-07
|\ \ \ | | | | | | | | Switch references of /var/run -> /run
| * | | Switch references of /var/run -> /runDaniel J Walsh2021-01-07
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | Systemd is now complaining or mentioning /var/run as a legacy directory. It has been many years where /var/run is a symlink to /run on all most distributions, make the change to the default. Partial fix for https://github.com/containers/podman/issues/8369 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #8821 from rhatdan/capsOpenShift Merge Robot2021-01-07
|\ \ \ | | | | | | | | Containers should not get inheritable caps by default
| * | | Handle podman exec capabilities correctlyDaniel J Walsh2021-01-07
| |/ / | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #8816 from giuseppe/automatically-split-userns-mappingsOpenShift Merge Robot2021-01-07
|\ \ \ | | | | | | | | rootless: automatically split userns ranges
| * | | rootless: automatically split userns rangesGiuseppe Scrivano2021-01-07
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | writing to the id map fails when an extent overlaps multiple mappings in the parent user namespace: $ cat /proc/self/uid_map 0 1000 1 1 100000 65536 $ unshare -U sleep 100 & [1] 1029703 $ printf "0 0 100\n" | tee /proc/$!/uid_map 0 0 100 tee: /proc/1029703/uid_map: Operation not permitted This limitation is particularly annoying when working with rootless containers as each container runs in the rootless user namespace, so a command like: $ podman run --uidmap 0:0:2 --rm fedora echo hi Error: writing file `/proc/664087/gid_map`: Operation not permitted: OCI permission denied would fail since the specified mapping overlaps the first mapping (where the user id is mapped to root) and the second extent with the additional IDs available. Detect such cases and automatically split the specified mapping with the equivalent of: $ podman run --uidmap 0:0:1 --uidmap 1:1:1 --rm fedora echo hi hi A fix has already been proposed for the kernel[1], but even if it accepted it will take time until it is available in a released kernel, so fix it also in pkg/rootless. [1] https://lkml.kernel.org/lkml/20201203150252.1229077-1-gscrivan@redhat.com/ Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / / Fix podman logs read partial log linesPaul Holzinger2021-01-07
|/ / | | | | | | | | | | | | | | If a partial log line has the length 1 it was ignored by podman logs. Fixes #8879 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #8805 from giuseppe/single-user-mapped-rootOpenShift Merge Robot2021-01-06
|\ \ | | | | | | libpod: handle single user mapped as root
| * | libpod: handle single user mapped as rootGiuseppe Scrivano2020-12-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | if a single user is mapped in the user namespace, handle it as root. It is needed for running unprivileged containers with a single user available without being forced to run with euid and egid set to 0. Needs: https://github.com/containers/storage/pull/794 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #8892 from mheon/fix_8886OpenShift Merge Robot2021-01-06
|\ \ \ | | | | | | | | Ensure that user-specified HOSTNAME is honored
| * | | Ensure that user-specified HOSTNAME is honoredMatthew Heon2021-01-06
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | When adding the HOSTNAME environment variable, only do so if it is not already present in the spec. If it is already present, it was likely added by the user, and we should honor their requested value. Fixes #8886 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #8685 from mheon/ignore_containersconf_sysctls_shared_netOpenShift Merge Robot2021-01-05
|\ \ \ | | | | | | | | Ignore containers.conf sysctls when sharing namespaces
| * | | Add default sysctls for pod infra containersMatthew Heon2021-01-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Ensure that infra containers for pods will grab default sysctls from containers.conf, to match how other containers are created. This mostly affects the other containers in the pod, which will inherit those sysctls when they join the pod's namespaces. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | | Merge pull request #8831 from bblenard/issue-8658-system-prune-reclaimed-spaceOpenShift Merge Robot2021-01-05
|\ \ \ \ | |_|/ / |/| | | Rework pruning to report reclaimed space
| * | | Rework pruning to report reclaimed spaceBaron Lenardson2020-12-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change adds code to report the reclaimed space after a prune. Reclaimed space from volumes, images, and containers is recorded during the prune call in a PruneReport struct. These structs are collected into a slice during a system prune and processed afterwards to calculate the total reclaimed space. Closes #8658 Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
* | | | Merge pull request #8873 from baude/issue8864OpenShift Merge Robot2021-01-05
|\ \ \ \ | | | | | | | | | | close journald when reading
| * | | | close journald when readingbaude2021-01-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when reading from journald, we need to close the journal handler for events and logging. Fixes: #8864 Signed-off-by: baude <bbaude@redhat.com>
* | | | | Merge pull request #8878 from mheon/no_edit_configOpenShift Merge Robot2021-01-04
|\ \ \ \ \ | | | | | | | | | | | | Ensure we do not edit container config in Exec
| * | | | | Ensure we do not edit container config in ExecMatthew Heon2021-01-04
| |/ / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The existing code grabs the base container's process, and then modifies it for use with the exec session. This could cause errors in `podman inspect` or similar on the container, as the definition of its OCI spec has been changed by the exec session. The change never propagates to the DB, so it's limited to a single process, but we should still avoid it when possible - so deep-copy it before use. Signed-off-by: Matthew Heon <mheon@redhat.com>