summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Ensure that exec sessions inherit supplemental groupsMatthew Heon2020-02-28
| | | | | | | | This corrects a regression from Podman 1.4.x where container exec sessions inherited supplemental groups from the container, iff the exec session did not specify a user. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add support for multiple CNI networks in podman inspectMatthew Heon2020-02-25
| | | | | | | | | | | | | | | | When inspecting containers, info on CNI networks added to the container by name (e.g. --net=name1) should be displayed separately from the configuration of the default network, in a separate map called Networks. This patch adds this separation, improving our Docker compatibility and also adding the ability to see if a container has more than one IPv4 and IPv6 address and more than one MAC address. Fixes #4907 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add basic deadlock detection for container start/removeMatthew Heon2020-02-24
| | | | | | | | | | | | | | | We can easily tell if we're going to deadlock by comparing lock IDs before actually taking the lock. Add a few checks for this in common places where deadlocks might occur. This does not yet cover pod operations, where detection is more difficult (and costly) due to the number of locks being involved being higher than 2. Also, add some error wrapping on the Podman side, so we can tell people to use `system renumber` when it occurs. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #5213 from mheon/remove_db_imagevolOpenShift Merge Robot2020-02-21
|\ | | | | Remove ImageVolumes from database
| * Remove ImageVolumes from databaseMatthew Heon2020-02-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Before Libpod supported named volumes, we approximated image volumes by bind-mounting in per-container temporary directories. This was handled by Libpod, and had a corresponding database entry to enable/disable it. However, when we enabled named volumes, we completely rewrote the old implementation; none of the old bind mount implementation still exists, save one flag in the database. With nothing remaining to use it, it has no further purpose. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #5263 from baude/logsizeOpenShift Merge Robot2020-02-21
|\ \ | | | | | | implement reverse reader for log reads
| * | implement reverse reader for log readsBrent Baude2020-02-20
| | | | | | | | | | | | | | | | | | | | | | | | in cases where the log file exceeds the available memory of a system, we had a bug that triggered an oom because the entire logfile was being read when the tail parameter was given. this reads in chunks and is more or less memory safe. fixes: #5131 Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | Merge pull request #5236 from marusak/filter_by_idOpenShift Merge Robot2020-02-21
|\ \ \ | |_|/ |/| | apiv2: Image filtering and fixup docs
| * | apiv2: Enable filtering images by IDMatej Marusak2020-02-17
| | | | | | | | | | | | | | | | | | | | | It is more practical for API usage and also it is more in sync how filtering of containers works. Signed-off-by: Matej Marusak <mmarusak@redhat.com>
* | | Merge pull request #5271 from baude/dnsnameusernsOpenShift Merge Robot2020-02-21
|\ \ \ | | | | | | | | populate resolv.conf with dnsname responses when in usernamespace
| * | | populate resolv.conf with dnsname responses when in usernamespaceBrent Baude2020-02-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when using usernamespace, dnsname respondes from cni were not making it into the containers /etc/resolv.conf because of a timing issue. this corrects that behavior. Fixes: #5256 Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | | podman images: add --filter=since=XXEd Santiago2020-02-20
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Looks like a bit of a misunderstanding from early on. Docker implements --filter=since=IMAGE. Podman implements 'after' instead of 'since'. Add an equivalent case statement to handle both, keeping 'after' because we have no way of knowing if it is used in the field. Update documentation ... and fix what looks like a complete misinterpretation of what the code actually does: the man page claimed that these were time fields, but I don't see any possible incantation in which a time value works or could work. Updated docs to reflect IMAGE usage. Also changed nonworking '==' to single '='. Added tests. [UPDATE: skip with broken podman-remote] Fixes: #5040 Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | Merge pull request #5241 from mheon/pod_network_opts_addOpenShift Merge Robot2020-02-20
|\ \ \ | | | | | | | | Add network opts to pods
| * | | Add network options to podman pod createMatthew Heon2020-02-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Enables most of the network-related functionality from `podman run` in `podman pod create`. Custom CNI networks can be specified, host networking is supported, DNS options can be configured. Also enables host networking in `podman play kube`. Fixes #2808 Fixes #3837 Fixes #4432 Fixes #4718 Fixes #4770 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | | Add ability for pods to use the host networkMatthew Heon2020-02-17
| | | | | | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | libpod/config: use built-in TOML instead of manually mergingValentin Rothberg2020-02-19
| |_|/ |/| | | | | | | | | | | | | | | | | | | | | | | Instead of manually merging the configs, use the built-in features of TOMP to merge/extend the fields of a data type when encoding a file. This erases the need for the merge code in libpod/config and also addresses issues when merging booleans. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #5243 from Akasurde/misc_typoOpenShift Merge Robot2020-02-18
|\ \ \ | | | | | | | | Misc typo fixes
| * | | Misc typo fixesAbhijeet Kasurde2020-02-18
| |/ / | | | | | | | | | Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* / / rootless: fix a regression when using -dGiuseppe Scrivano2020-02-18
|/ / | | | | | | | | | | | | | | | | | | | | | | when using -d and port mapping, make sure the correct fd is injected into conmon. Move the pipe creation earlier as the fd must be known at the time we create the container through conmon. Closes: https://github.com/containers/libpod/issues/5167 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / Refactor image tree for API usageSascha Grunert2020-02-17
|/ | | | Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Merge pull request #5207 from rhatdan/selinuxOpenShift Merge Robot2020-02-14
|\ | | | | Fix SELinux labels of volumes
| * Fix SELinux labels of volumesDaniel J Walsh2020-02-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If we attempt to label a volume and the file system does not support labeling, then just warn. SELinux may or may not work, on the volume. There is no way to setup a private label on a newly created volume without using the container mountlabel. If we don't have a mount label at the time of creation of the volume, the only option we have is to create a shared label. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | add pkg/capabilitiesValentin Rothberg2020-02-14
|/ | | | | | | | | Add pkg/capabibilities to deal with capabilities. The code has been copied from Docker (and attributed with the copyright) but changed significantly to only do what we really need. The code has also been simplified and will perform better due to removed redundancy. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #5172 from giuseppe/api-fix-cpu-statsOpenShift Merge Robot2020-02-13
|\ | | | | api: fix the CPU stats reported
| * api: fix the CPU stats reportedGiuseppe Scrivano2020-02-11
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | use quay.io/libpod/fedora-minimal for reliabilityBrent Baude2020-02-12
| | | | | | | | Signed-off-by: Brent Baude <bbaude@redhat.com>
* | Do not copy up when volume is not emptyMatthew Heon2020-02-12
|/ | | | | | | | | | | | | | | | | When Docker performs a copy up, it first verifies that the volume being copied into is empty; thus, for volumes that have been modified elsewhere (e.g. manually copying into then), the copy up will not be performed at all. Duplicate this behavior in Podman by checking if the volume is empty before copying. Furthermore, move setting copyup to false further up. This will prevent a potential race where copy up could happen more than once if Podman was killed after some files had been copied but before the DB was updated. This resolves CVE-2020-1726. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #5122 from mtrmac/image-object-creationOpenShift Merge Robot2020-02-10
|\ | | | | Simplify image object creation
| * Modify Runtime.getImage to return a storage.ImageMiloslav Trmač2020-02-07
| | | | | | | | | | | | | | ... because both callers only care about that aspect of the return value. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Document an aspect of newFromStorage behaviorMiloslav Trmač2020-02-07
| | | | | | | | | | | | Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Introduce a Runtime.newImage constructorMiloslav Trmač2020-02-07
| | | | | | | | | | | | | | | | | | ... so that _all_ Image objects are created in a single place that is easy to update. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Move Image.getLocalImage to Runtime.getLocalImageMiloslav Trmač2020-02-07
| | | | | | | | | | | | | | | | | | | | | | Instead of the function updating image.InputName (the only reason for it to need an image), have it return the updated value separately. This will allow simplifying the constructors of Image further. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Remove the getLocalImage() call from Image.SizeMiloslav Trmač2020-02-07
| | | | | | | | | | | | | | | | | | All ways to create an Image{} have a non-nil .image field, and it is never set to nil, so this is dead code. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Use Runtime.NewFromLocal instead of open-coded copiesMiloslav Trmač2020-02-07
| | | | | | | | | | | | | | | | | | All code creating an Image by looking up a name now uses Runtime.NewFromLocal. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Trivial simplificationMiloslav Trmač2020-02-07
| | | | | | | | | | | | Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Create two separate newImage instances in Runtime.NewMiloslav Trmač2020-02-07
| | | | | | | | | | | | | | | | | | | | This is not _trivially_ safe because newImage.getLocalImage() modifies newImage.ImageName, but we overwrite that value anyway. So, this should not change behavior, and it will make future refactoring easier to verify. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
| * Call NewImageRuntimeFromStore from NewImageRuntimeFromOptionsMiloslav Trmač2020-02-07
| | | | | | | | | | | | | | | | ... so that there ultimately is only one constructor. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | Merge pull request #5064 from mheon/pod_network_optsOpenShift Merge Robot2020-02-10
|\ \ | |/ |/| Add backend code for pod network options
| * Add backend code for pod network optionsMatthew Heon2020-02-04
| | | | | | | | | | | | | | | | | | | | This adds network-related options to the pod in the database. We are going to add the CLI frontend in further patches. In short, this should greatly improve the ability of pods to configure networking, once the CLI parsing is added. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Only modify conmon cgroup if we have running containersMatthew Heon2020-02-06
| | | | | | | | | | | | | | | | | | | | | | | | | | If there are no running containers - for example, if the pod was just created - the cgroup in question may not exist (under certain circumstances that we're not 100% sure about). However, regardless, we don't need to set a PID limit, as nothing will be making cleanup processes (no running conmon processes), so not changing the cgroup is safe regardless. Fixes #5072 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #5052 from mheon/cleanup_net_on_restartOpenShift Merge Robot2020-02-05
|\ \ | | | | | | Tear down network when restarting containers
| * | Tear down network when restarting containersMatthew Heon2020-02-02
| |/ | | | | | | | | | | | | | | | | | | | | This makes restart a bit slower for root containers, but it does make it more consistent with `podman stop` and `podman start` on a container. Importantly, `podman restart` will now recreate firewall rules if they were somehow purged. Fixes #5051 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #5085 from rhatdan/closeOpenShift Merge Robot2020-02-04
|\ \ | | | | | | Close tarSource when finished using it
| * | Close tarSource when finished using itDaniel J Walsh2020-02-04
| | | | | | | | | | | | | | | | | | Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1797599 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #5082 from baude/specOpenShift Merge Robot2020-02-04
|\ \ \ | |/ / |/| | [CI:DOCS] Spec proposal
| * | Initial implementation of a spec generator packageMatthew Heon2020-02-04
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The current Libpod pkg/spec has become a victim of the better part of three years of development that tied it extremely closely to the current Podman CLI. Defaults are spread across multiple places, there is no easy way to produce a CreateConfig that will actually produce a valid container, and the logic for generating configs has sprawled across at least three packages. This is an initial pass at a package that generates OCI specs that will supersede large parts of the current pkg/spec. The CreateConfig will still exist, but will effectively turn into a parsed CLI. This will be compiled down into the new SpecGenerator struct, which will generate the OCI spec and Libpod create options. The preferred integration point for plugging into Podman's Go API to create containers will be the new CreateConfig, as it's less tied to Podman's command line. CRI-O, for example, will likely tie in here. Signed-off-by: Matthew Heon <mheon@redhat.com>
* / Wrap error for failing ImageSize callsSascha Grunert2020-02-04
|/ | | | Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Deprecate & remove IsCtrSpecific in favor of IsAnonMatthew Heon2020-01-29
| | | | | | | | | | | | | | | | | | | In Podman 1.6.3, we added support for anonymous volumes - fixing our old, broken support for named volumes that were created with containers. Unfortunately, this reused the database field we used for the old implementation, and toggled volume removal on for `podman run --rm` - so now, we were removing *named* volumes created with older versions of Podman. We can't modify these old volumes in the DB, so the next-safest thing to do is swap to a new field to indicate volumes should be removed. Problem: Volumes created with 1.6.3 and up until this lands, even anonymous volumes, will not be removed. However, this is safer than removing too many volumes, as we were doing before. Fixes #5009 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* history: fix size computingValentin Rothberg2020-01-29
| | | | | | | | | Get the layer's size whether it relates to the first history entry or not. This fixes issues where the first entry would always be shown to be of size 0. Fixes: #4916 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* honor pull policy in play kubeBrent Baude2020-01-28
| | | | | | | | When a container specification has a pull policy, we should honor it when recreating the pods/containers from yaml. furthermore, ini kube, if a tag is :latest, then the always pull policy is automatically instituted. Fixes: #4880 Signed-off-by: Brent Baude <bbaude@redhat.com>