summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Don't output inodes created to run a containerDaniel J Walsh2018-09-21
| | | | | | | | | | | | | | | | | | | | | | | | | | There is a group of inodes that get created when running a container if they do not exist. containerMounts = map[string]bool{ "/dev": true, "/etc/hostname": true, "/etc/hosts": true, "/etc/resolv.conf": true, "/proc": true, "/run": true, "/run/.containerenv": true, "/run/secrets": true, "/sys": true, } If the destination inode does not exist, libpod/runc will create the inode. This can cause programs like podman diff to see the image as having changed, when actually it has not. This patch ignores changes in these inodes. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1508 Approved by: giuseppe
* Add new field to libpod to indicate whether or not to use labellingDaniel J Walsh2018-09-20
| | | | | | | | | | | | | | | Also update some missing fields libpod.conf obtions in man pages. Fix sort order of security options and add a note about disabling labeling. When a process requests a new label. libpod needs to reserve all labels to make sure that their are no conflicts. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1406 Approved by: mheon
* Bind Mounts should be mounted read-only when in read-only modeDaniel J Walsh2018-09-20
| | | | | | | | | | We don't want to allow users to write to /etc/resolv.conf or /etc/hosts if in read only mode. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1510 Approved by: TomSweeneyRedHat
* Vendor in latest containers/buildahDaniel J Walsh2018-09-18
| | | | | | Switch from projectatomic/buildah to containers/buildah Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Increase pidWaitTimeout to 1000msEmilien Macchi2018-09-18
| | | | | | | | | | | | | | | | | When managing the containers with systemd, it takes a bit more than 250ms to have podman creating the pidfile. Increasing the value to 1 second will avoid timeout issues when running a lot of containers managed by systemd. This patch was tested in a VM with 56 services (OpenStack) deployed by TripleO and managed by systemd. Fixes #1495 Signed-off-by: Emilien Macchi <emilien@redhat.com> Closes: #1497 Approved by: rhatdan
* Hooks supports two directories, process default and overrideDaniel J Walsh2018-09-17
| | | | | | | | | | | | | ALso cleanup files section or podman man page Add description of policy.json Sort alphabetically. Add more info on oci hooks Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1487 Approved by: umohnani8
* Merge pull request #1464 from mheon/optionally_disable_port_reservationMatthew Heon2018-09-14
|\ | | | | Add a way to disable port reservation
| * Add a way to disable port reservationMatthew Heon2018-09-13
| | | | | | | | | | | | | | | | | | | | | | We've increased the default rlimits to allow Podman to hold many ports open without hitting limits and crashing, but this doesn't solve the amount of memory that holding open potentially thousands of ports will use. Offer a switch to optionally disable port reservation for performance- and memory-constrained use cases. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Merge pull request #1434 from rhatdan/waitMatthew Heon2018-09-14
|\ \ | | | | | | Add --interval flag to podman wait
| * | Add --interval flag to podman waitDaniel J Walsh2018-09-13
| |/ | | | | | | | | | | | | Waiting uses a lot of CPU, so drop back to checking once/second and allow user to pass in the interval. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / libpod/image/pull: Return image-pulling errors from doPullImageW. Trevor King2018-09-14
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We were already writing these to our debug logs. But collecting them and including them in the error message will make it easier for callers who don't have debugging enabled to figure out what's going wrong. Using multierror gives us both pretty formatting (when we print this for the user) and programmatic access (for any callers that need to inspect the constituent errors). With this commit and a config like: $ cat /etc/containers/registries.conf [registries.search] registries = ['registry.access.redhat.com', 'quay.io', 'docker.io'] pulling an unqualified missing image looks like: $ podman pull does-not/exist Trying to pull registry.access.redhat.com/does-not/exist:latest...Failed Trying to pull quay.io/does-not/exist:latest...Failed Trying to pull docker.io/does-not/exist:latest...Failed error pulling image "does-not/exist": unable to pull does-not/exist: 3 errors occurred: * Error determining manifest MIME type for docker://registry.access.redhat.com/does-not/exist:latest: Error reading manifest latest in registry.access.redhat.com/does-not/exist: unknown: Not Found * Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: Error reading manifest latest in quay.io/does-not/exist: unauthorized: access to the requested resource is not authorized * Error determining manifest MIME type for docker://does-not/exist:latest: Error reading manifest latest in docker.io/does-not/exist: errors: denied: requested access to the resource is denied unauthorized: authentication required A qualified image looks like: $ podman pull quay.io/does-not/exist Trying to pull quay.io/does-not/exist...Failed error pulling image "quay.io/does-not/exist": unable to pull quay.io/does-not/exist: unable to pull image: Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: Error reading manifest latest in quay.io/does-not/exist: unauthorized: access to the requested resource is not authorized If one of the searched repositories was offline, you'd get a more useful routing error for that specific registry. For example: $ cat /etc/hosts 127.0.0.1 quay.io $ podman pull does-not/exist Trying to pull registry.access.redhat.com/does-not/exist:latest...Failed Trying to pull quay.io/does-not/exist:latest...Failed Trying to pull docker.io/does-not/exist:latest...Failed error pulling image "does-not/exist": unable to pull does-not/exist: 3 errors occurred: * Error determining manifest MIME type for docker://registry.access.redhat.com/does-not/exist:latest: Error reading manifest latest in registry.access.redhat.com/does-not/exist: unknown: Not Found * Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: pinging docker registry returned: Get https://quay.io/v2/: dial tcp 127.0.0.1:443: connect: connection refused * Error determining manifest MIME type for docker://does-not/exist:latest: Error reading manifest latest in docker.io/does-not/exist: errors: denied: requested access to the resource is denied unauthorized: authentication required This is our first direct dependency on multierror, but we've been vendoring it for a while now because opencontainers/runtime-tools uses it for config validation. Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1456 Approved by: rhatdan
* Explicitly set default CNI network name in libpod.confMatthew Heon2018-09-12
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1438 Approved by: TomSweeneyRedHat
* Pass on securityOpts from podInfraContainer to container added to pod.Daniel J Walsh2018-09-11
| | | | | | | | | | This is an incomplete fix, as it would be best for the libpod library to be in charge of coordinating the container's dependencies on the infra container. A TODO was left as such. UTS is a special case, because the docker library that namespace handling is based off of doesn't recognize a UTS based on another container as valid, despite the library being able to handle it correctly. Thus, it is left in the old way. Signed-off-by: haircommander <pehunt@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1347 Approved by: mheon
* Replace existing iptables handler with firewall codeMatthew Heon2018-09-10
| | | | | | | | | | | | Use the new firewall code vendored from CNI to replace the existing iptables rule addition handler we had in place. This adds proper support for firewalld and should be much better at interacting with the firewall. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1431 Approved by: baude
* Vendor CNI plugins firewall codeMatthew Heon2018-09-10
| | | | | | | | | | | | | | The upstream CNI project has a PR open for adding iptables and firewalld support, but this has been stalled for the better part of a year upstream. On advice of several maintainers, we are vendoring this code into libpod, to perform the relevant firewall configuration ourselves. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1431 Approved by: baude
* Start pod infra container when pod is createdbaude2018-09-06
| | | | | | | | | | | When we create a pod that also has an infra container, we should start the infra container automatically. This allows users to add running containers to the pod immediately. Signed-off-by: baude <bbaude@redhat.com> Closes: #1415 Approved by: rhatdan
* vendor containerd/cgroupsbaude2018-09-06
| | | | | | | | | | | We need to vendor in the latest containerd/cgroups for a fix related to slice delegation and systemd <= 239. The opencontainer/runtime-spec is brought along for the ride. Signed-off-by: baude <bbaude@redhat.com> Closes: #1414 Approved by: mheon
* Print errors from individual pull attemptsMatthew Heon2018-09-05
| | | | | | | | | | | Right now, we don't print errors from c/image while trying to pull images. This prints the errors when log-level=debug is set so we can debug errors while pulling. Signed-off-by: Matthew Heon <mheon@redhat.com> Closes: #1409 Approved by: baude
* rootless: check uid with Geteuid() instead of Getuid()Giuseppe Scrivano2018-09-04
| | | | | | | | | | | | change the tests to use chroot to set a numeric UID/GID. Go syscall.Credential doesn't change the effective UID/GID of the process. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1372 Approved by: mheon
* rootless: create compatible pod infra containerGiuseppe Scrivano2018-09-04
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1372 Approved by: mheon
* rootless: be in an userns to initialize the runtimeGiuseppe Scrivano2018-09-04
| | | | | | | | | | | be sure to be in an userns for a rootless process before initializing the runtime. In case we are not running as uid==0, take advantage of "podman info" that creates the runtime. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1372 Approved by: mheon
* Merge pull request #1392 from mheon/up_wait_durationMatthew Heon2018-08-31
|\ | | | | Up time between checks for podman wait
| * Up time between checks for podman waitMatthew Heon2018-08-31
| | | | | | | | | | | | | | | | | | Prior to this patch, we were polling continuously to check if a container had died. This patch changes this to poll 10 times a second, which should be more than sufficient and drastically reduce CPU utilization. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | We are mistakenly seeing repos as registries.Daniel J Walsh2018-08-31
| | | | | | | | | | | | | | | | | | | | | | | | Currently `podman pull rhel7/rhel-tools` is failing because it sees rhel7 as a registry. This change will verify that the returned registry from the parser is actually a registry and not a repo, if a repo it will return the correct content, and we will pull the image. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1387 Approved by: mtrmac
* | container: resolve rootfs symlinksGiuseppe Scrivano2018-08-31
|/ | | | | | | | | | | | Prevent a runc error that doesn't like symlinks as part of the rootfs. Closes: https://github.com/containers/libpod/issues/1389 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1390 Approved by: rhatdan
* rootless, exec: use the new function to join the usernsGiuseppe Scrivano2018-08-29
| | | | | | | | | | since we have a way for joining an existing userns use it instead of nsenter. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1371 Approved by: rhatdan
* Resolve /etc/resolv.conf before readingbaude2018-08-28
| | | | | | | | | | | | | | | | | In some cases, /etc/resolv.conf can be a symlink to something like /run/systemd/resolve/resolv.conf. We currently check for that file and if it exists, use it instead of /etc/resolv.conf. However, we are no seeing cases where the systemd resolv.conf exists but /etc/resolv.conf is NOT a symlink. Therefore, we now obtain the endpoint for /etc/resolv.conf whether it is a symlink or not. That endpoint is now what is read to generate a container's resolv.conf. Signed-off-by: baude <bbaude@redhat.com> Closes: #1368 Approved by: rhatdan
* Fix Mount PropagationGiuseppe Scrivano2018-08-27
| | | | | | | | | Default mount propagation inside of containes should be private Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1305 Approved by: mheon
* rootless: don't use kill --allGiuseppe Scrivano2018-08-26
| | | | | | | | | | | | | The OCI runtime might use the cgroups to see what PIDs are inside the container, but that doesn't work with rootless containers. Closes: https://github.com/containers/libpod/issues/1337 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1331 Approved by: rhatdan
* rootless: exec handle processes that create an user namespaceGiuseppe Scrivano2018-08-26
| | | | | | | | | | | | | | Manage the case where the main process of the container creates and joins a new user namespace. In this case we want to join only the first child in the new hierarchy, which is the user namespace that was used to create the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1331 Approved by: rhatdan
* rootless: fix execGiuseppe Scrivano2018-08-26
| | | | | | | | | | | | | | | | | | | | | We cannot re-exec into a new user namespace to gain privileges and access an existing as the new namespace is not the owner of the existing container. "unshare" is used to join the user namespace of the target container. The current implementation assumes that the main process of the container didn't create a new user namespace. Since in the setup phase we are not running with euid=0, we must skip the setup for containers/storage. Closes: https://github.com/containers/libpod/issues/1329 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1331 Approved by: rhatdan
* Regenerate easyjson after rebaseMatthew Heon2018-08-24
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1322 Approved by: mheon
* Swap from FFJSON to easyjsonMatthew Heon2018-08-24
| | | | | | | | | | | | | | | FFJSON has serialization differences versus stock Go - namely, it does not respect the MarshalText() and UnmarshalText() methods, particularly on []byte, which causes incompatability with pre-FFJSON containers which contained DNS servers. EasyJSON does not have these issues, and might even be slightly faster. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1322 Approved by: mheon
* rootless: allow to override policy.json by the userGiuseppe Scrivano2018-08-24
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1336 Approved by: mheon
* Reveal information about container capabilitiesDaniel J Walsh2018-08-24
| | | | | | | | | | | I am often asked about the list of capabilities availabel to a container. We should be listing this data in the inspect command for effective capabilities and the bounding set. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1335 Approved by: TomSweeneyRedHat
* Vendor in latest projectatomic/buildahumohnani82018-08-23
| | | | | | | | | | Fixes to podman build for unknown image and ADD with url when doing --layers. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #1330 Approved by: mheon
* Refactor error checking in With*NSFromPod optionshaircommander2018-08-23
| | | | | | | Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1187 Approved by: mheon
* Fixing network ns segfaulthaircommander2018-08-23
| | | | | | | | | As well as small style corrections, update pod_top_test to use CreatePod, and move handling of adding a container to the pod's namespace from container_internal_linux to libpod/option. Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1187 Approved by: mheon
* Change pause container to infra containerhaircommander2018-08-23
| | | | | | | Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1187 Approved by: mheon
* Support pause containers in varlinkhaircommander2018-08-23
| | | | | | | Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1187 Approved by: mheon
* Added option to share kernel namespaces in libpod and podmanhaircommander2018-08-23
| | | | | | | | | A pause container is added to the pod if the user opts in. The default pause image and command can be overridden. Pause containers are ignored in ps unless the -a option is present. Pod inspect and pod ps show shared namespaces and pause container. A pause container can't be removed with podman rm, and a pod can be removed if it only has a pause container. Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1187 Approved by: mheon
* Changed GetContainerStats to return ErrCtrStateInvalidhaircommander2018-08-23
| | | | | | | | | | | | | | This results in some functionality changes: If a ErrCtrStateInvalid is returned to GetPodStats, the container is ommitted from the stats. As such, if an empty slice of Container stats are returned to GetPodStats in varlink, an error will occur. GetContainerStats will return the ErrCtrStateInvalid as well. Finally, if ErrCtrStateInvalid is returned to the podman stats call, the container will be ommitted from the stats. Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1319 Approved by: baude
* Add podman pod tophaircommander2018-08-23
| | | | | | | | | Using the vendored changes from psgo, incorporate JoinNamespaceAndProcessInfoByPids to get process information for each pid namespace of running containers in the pod. Also added a man page, and tests. Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1298 Approved by: mheon
* Properly translate users into runc format for execMatthew Heon2018-08-23
| | | | | | | | | | | Runc exec expects the --user flag to be formatted as UID:GID. Use chrootuser code to translate whatever user is passed to exec into this format. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1315 Approved by: vrothberg
* Fixed segfault in stats where container had netNS none or from containerhaircommander2018-08-21
| | | | | | | Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1306 Approved by: rhatdan
* Make failure to retrieve individual ctrs/pods nonfatalMatthew Heon2018-08-17
| | | | | | | | | | | | This ensures that we can still use Podman even if a container or pod with bad config JSON makes it into the state. We still can't remove these containers, but at least we can do our best to make things usable. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1294 Approved by: rhatdan
* podman: fix --uts=hostGiuseppe Scrivano2018-08-17
| | | | | | | | | | | | | | | Do not set any hostname value in the OCI configuration when --uts=host is used and the user didn't specify any value. This prevents an error from the OCI runtime as it cannot set the hostname without a new UTS namespace. Differently, the HOSTNAME environment variable is always set. When --uts=host is used, HOSTNAME gets the value from the host. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1280 Approved by: baude
* podman pod statsbaude2018-08-17
| | | | | | | | | add the ability to monitor container statistics in a pod. Signed-off-by: baude <bbaude@redhat.com> Closes: #1265 Approved by: rhatdan
* Change batchcontainer to sharedhaircommander2018-08-16
| | | | | | | | | To better reflect it's usage: to share functions between podman and varlink. Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1275 Approved by: mheon
* Moved getPodStatus to pod API to be used in varlinkhaircommander2018-08-16
| | | | | | | Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1275 Approved by: mheon