path: root/libpod
Commit message (Author, Age)
* Merge pull request #7999 from mheon/signal_handler (OpenShift Merge Robot, 2020-10-20)
|\
| |   Add a shutdown signal handler
| * Enforce LIFO ordering for shutdown handlers (Matthew Heon, 2020-10-13)
| |   This allows us to run both the Libpod and Server handlers at the same time without unregistering one. Also, pass the signal that killed us into the handlers, in case they want to use it to determine what to do (e.g. what exit code to set).
| |   Signed-off-by: Matthew Heon <mheon@redhat.com>
| * Enable masking stop signals within container creation (Matthew Heon, 2020-10-12)
| |   Expand the use of the Shutdown package such that we now use it to handle signals any time we run Libpod. From there, add code to container creation to use the Inhibit function to prevent a shutdown from occurring during the critical parts of container creation. We also need to turn off signal handling when --sig-proxy is invoked - we don't want to catch the signals ourselves then, but instead to forward them into the container via the existing sig-proxy handler.
| |   Fixes #7941
| |   Signed-off-by: Matthew Heon <mheon@redhat.com>
| * Add a shutdown handler package (Matthew Heon, 2020-10-12)
| |   We need a unified package for handling signals that shut down Libpod and Podman. We need to be able to do different things on receiving such a signal (`system service` wants to shut down the service gracefully, while most other commands just want to exit) and we need to be able to inhibit this shutdown signal while we are waiting for some critical operations (e.g. creating a container) to finish. This takes the first step by defining the package that will handle this.
| |   Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #7908 from rhatdan/diff (OpenShift Merge Robot, 2020-10-19)
|\ \
| | |   fix podman container exists and diff for storage containers
| * | fix podman container exists and diff for storage containers (Daniel J Walsh, 2020-10-15)
| | |   Currently these commands only check if a container exists in libpod. With this fix, the commands will also check if they are in containers/storage. This allows users to look at differences within a buildah or CRI-O container. Currently buildah diff does not exist, so this helps out in that situation as well as in CRI-O since the cri does not implement a diff command.
| | |   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Always add the dnsname plugin to the config for rootless (Paul Holzinger, 2020-10-17)
| | |   The rootless-cni-infra container always has the dnsname plugin installed. It makes no sense to check if it is present on the host.
| | |   Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Fix possible panic in libpod container restore (Paul Holzinger, 2020-10-15)
|/ /
| |   We need to do a length check before we can access the networkStatus slice by index to prevent a runtime panic.
| |   Fixes #8026
| |   Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* / Setup HOME environment when using --userns=keep-id (Daniel J Walsh, 2020-10-14)
|/
|   Currently the HOME environment is set to /root if the user does not override it. Also walk the parent directories of user's homedir to see if it is volume mounted into the container, if yes, then set it correctly.
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #7983 from mheon/inspect_network_not_running (OpenShift Merge Robot, 2020-10-12)
|\
| |   Include CNI networks in inspect output when not running
| * Include CNI networks in inspect output when not running (Matthew Heon, 2020-10-09)
| |   We were only including the CNI Network fields in the output of `podman inspect` when the container was not running. It's simple enough to fix (populate with empty structs, since we can't fill anything without a CNI response to get IP address assigned, etc). This is necessary for Docker compatibility.
| |   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Search repository tags using --list-tags (Qi Wang, 2020-10-09)
|/
|   For fix of BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1684263
|   Add --list-tags to podman search to return a table of the repository tags.
|   Signed-off-by: Qi Wang <qiwan@redhat.com>
* Merge pull request #7974 from andylibrian/kube-generate-support-resource-limits-7855 (OpenShift Merge Robot, 2020-10-09)
|\
| |   Add support for resource cpu limit to generate kube
| * Add support for resource cpu limit to generate kube (Andy Librian, 2020-10-09)
| |   fixes #7855
| |   Signed-off-by: Andy Librian <andylibrian@gmail.com>
* | Merge pull request #7971 from rhatdan/blob (OpenShift Merge Robot, 2020-10-09)
|\ \
| |/
|/|   BlobInfoCacheDir is set incorrectly when copying images
| * BlobInfoCacheDir is set incorrectly when copying images (Daniel J Walsh, 2020-10-08)
| |   It is not set based on the root image directory, and always points at the defaults. This change will get it to follow filepath.Join(ir.store.GraphRoot(), "cache") set from libpod.
| |   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Store cgroup manager on a per-container basis (Matthew Heon, 2020-10-08)
|/
|   When we create a container, we assign a cgroup parent based on the current cgroup manager in use. This parent is only usable with the cgroup manager the container is created with, so if the default cgroup manager is later changed or overridden, the container will not be able to start. To solve this, store the cgroup manager that created the container in container configuration, so we can guarantee a container with a systemd cgroup parent will always be started with systemd cgroups. Unfortunately, this is very difficult to test in CI, due to the fact that we hard-code cgroup manager on all invocations of Podman in CI.
|   Fixes #7830
|   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #7382 from mheon/pod_parallel (OpenShift Merge Robot, 2020-10-07)
|\
| |   Move pod jobs to parallel execution
| * Move pod jobs to parallel execution (Matthew Heon, 2020-10-07)
| |   Make Podman pod operations that do not involve starting containers (which needs to be done in a specific order) use the same parallel operation code we use to make `podman stop` on large numbers of containers fast. We were previously stopping containers in a pod serially, which could take up to the timeout (default 15 seconds) for each container - stopping 100 containers that do not respond to SIGTERM would take 25 minutes. To do this, refactor the parallel operation code a bit to remove its dependency on libpod (damn circular import restrictions...) and use parallel functions that just re-use the standard container API operations - maximizes code reuse (previously each pod handler had a separate implementation of the container function it performed). This is a bit of a palate cleanser after fighting CI for two days - nice to be able to return to a land of sanity.
| |   Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #7943 from baude/issue7807 (OpenShift Merge Robot, 2020-10-07)
|\ \
| | |   prevent unpredictable results with network create|remove
| * | prevent unpredictable results with network create|remove (baude, 2020-10-07)
| |/
| |   due to a lack of "locking" on cni operations, we could get ourselves in trouble when doing rapid creation or removal of networks. added a simple file lock to deal with the collision and because it is not considered a performant path, use of the file lock should be ok. if proven otherwise in the future, some generic shared memory lock should be implemented for libpod and also used here. moved pkog/network to libpod/network because libpod is now being pulled into the package and it has therefore lost its generic nature. this will make it easier to absorb into libpod as we try to make the network closer to core operations.
| |   Fixes: #7807
| |   Signed-off-by: baude <bbaude@redhat.com>
* / Populate /etc/hosts file when run in a user namespace (Daniel J Walsh, 2020-10-07)
|/
|   We do not populate the hostname field with the IP Address when running within a user namespace.
|   Fixes https://github.com/containers/podman/issues/7490
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #7929 from kolyshkin/nits-err (OpenShift Merge Robot, 2020-10-06)
|\
| |   Nits
| * Lowercase some errors (Kir Kolyshkin, 2020-10-05)
| |   This commit is courtesy of
| |
| |   ```
| |   for f in $(git ls-files *.go | grep -v ^vendor/); do \
| |   	sed -i 's/\(errors\..*\)"Error /\1"error /' $f; done
| |
| |   for f in $(git ls-files *.go | grep -v ^vendor/); do \
| |   	sed -i 's/\(errors\..*\)"Failed to /\1"failed to /' $f; done
| |   ```
| |
| |   etc.
| |
| |   Self-reviewed using `git diff --word-diff`, found no issues.
| |   Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
| * Remove excessive error wrapping (Kir Kolyshkin, 2020-10-05)
| |   In case os.Open[File], os.Mkdir[All], ioutil.ReadFile and the like fail, the error message already contains the file name and the operation that fails, so there is no need to wrap the error with something like "open %s failed".
| |
| |   While at it
| |   - replace a few places with os.Open, ioutil.ReadAll with ioutil.ReadFile.
| |   - replace errors.Wrapf with errors.Wrap for cases where there are no %-style arguments.
| |
| |   Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
* | Support max_size logoptions (Daniel J Walsh, 2020-10-05)
|/
|   Docker supports log-opt max_size and so does conmon (Although poorly). Adding support for this allows users to at least make sure their containers' logs do not become a DOS vector.
|   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #7913 from andylibrian/kube-generate-support-resource-limits-7855 (OpenShift Merge Robot, 2020-10-05)
|\
| |   Add support for resource memory limit to generate kube
| * Add TODO for adding CPU limit support (Andy Librian, 2020-10-05)
| |   Signed-off-by: Andy Librian <andylibrian@gmail.com>
| * Add support for resource memory limit to generate kube (Andy Librian, 2020-10-04)
| |   addresses #7855
| |   Signed-off-by: Andy Librian <andylibrian@gmail.com>
* | Add SELinux support for pods (Daniel J Walsh, 2020-10-02)
| |   All containers within a Pod need to run with the same SELinux label, unless overwritten by the user. Also added a bunch of SELinux tests to make sure selinux labels are correct on namespaces.
| |   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7882 from giuseppe/check-for-gids-before-adding-them (OpenShift Merge Robot, 2020-10-02)
|\ \
| | |   libpod: check there are enough gids before adding them
| * | libpod: check the gid is present before adding it (Giuseppe Scrivano, 2020-10-02)
| | |   check there are enough gids in the user namespace before adding supplementary gids from /etc/group.
| | |   Follow-up for baede7cd2776b1f722dcbb65cff6228eeab5db44
| | |   Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #7893 from ashley-cui/journald (OpenShift Merge Robot, 2020-10-02)
|\ \ \
| | | |   Fix Podman logs reading journald
| * | | Fix Podman logs reading journald (Ashley Cui, 2020-10-02)
| | | |   A podman could not read logs written to journald properly, due to a tail config bug. Added a system test to check this - since e2e tests don't like journald
| | | |   Signed-off-by: Ashley Cui <acui@redhat.com>
* | | | Merge pull request #7887 from vrothberg/fix-7872 (OpenShift Merge Robot, 2020-10-02)
|\ \ \ \
| | | | |   image prune: remove all candidates
| * | | | image prune: remove all candidates (Valentin Rothberg, 2020-10-02)
| | |/ /
| |/| |
| | | |   Make sure to remove images until there's nothing left to prune. A single iteration may not be sufficient.
| | | |   Fixes: #7872
| | | |   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Merge pull request #7622 from hxtk/master (OpenShift Merge Robot, 2020-10-02)
|\ \ \ \
| |/ / /
|/| | |   Fix for incorrect evaluation of error condition within libpod.LabelVolumePath.
| * | | Fix mismatch between log messages and behavior of libpod.LabelVolumePath. (Peter, 2020-09-13)
| | | |   A reading of LabelVolumePath suggests that the intended behavior upon encountering ENOTSUP is to log the issue and continue without error, while all other errors in the Relabeling operation should be considered errors of LabelVolumePath and passed up accordingly.
| | | |   This is not the behavior that is encountered, as this test shows: it is instead considered an error if and only if the Relabeling operation returns ENOTSUP, spitting out a somewhat incongruous error message, while all other error types that may be returned are logged without being propagated, with an even more incongruous error message saying that the operation was not supported.
| | | |   The comparison was changed to match the behavior documented by the log messages, and a test was added that will simulate executing this function on a path where the mounted filesystem does not support SELinux labels, with the assertion that the function should not return an error in order to highlight the condition these changes seek to alleviate.
| | | |   Signed-off-by: Peter <peter@psanders.me>
* | | | Add additionalGIDs from users in rootless mode (Daniel J Walsh, 2020-10-01)
| | | |   There is a risk here, that if the GID does not exist within the User Namespace the container will fail to start. This is only likely to happen in HPC Environments, and I think we should add a field to disable it for this environment, Added a FIXME for this issue. We currently have this problem with running a rootfull container within a user namespace, it will fail if the GID is not available. I looked at potentially checking the usernamespace that you are assigned to, but I believe this will be very difficult to code up and to figure out.
| | | |   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | image look up: consult registries.conf (Valentin Rothberg, 2020-09-30)
| |_|/
|/| |
| | |   When looking up local images, take the unqualified-search registries of the registries.conf into account (on top of "localhost/"). Also extend the integration tests to prevent future regressions.
| | |   Fixes: #6381
| | |   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #7841 from AkihiroSuda/fix-7789 (OpenShift Merge Robot, 2020-09-30)
|\ \ \
| | | |   rootless-cni-infra v3: fix cleaning up DNS entries
| * | | libpod: bump up rootless-cni-infra to v3 (Akihiro Suda, 2020-09-30)
| | | |   Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* | | | Merge pull request #7825 from rhatdan/exitcode (OpenShift Merge Robot, 2020-09-30)
|\ \ \ \
| | | | |   Fix handling of remove of bogus volumes, networks and Pods
| * | | | Fix handling of remove of bogus volumes, networks and Pods (Daniel J Walsh, 2020-09-29)
| |/ / /
| | | |   In podman containers rm and podman images rm, the commands exit with error code 1 if the object does not exist. This PR implements similar functionality to volumes, networks, and Pods. Similarly if volumes or Networks are in use by other containers, and return exit code 2.
| | | |   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #7827 from vrothberg/systemd-run-error (OpenShift Merge Robot, 2020-09-30)
|\ \ \ \
| |/ / /
|/| | |   healthchecks: return systemd-run error
| * | | healthchecks: return systemd-run error (Valentin Rothberg, 2020-09-29)
| | |/
| |/|
| | |   In case `systemd-run` errors when creating transient unit files (and timers), create an error based on the combined output from stdout and stderr. Using the error from `exec.Command` contains the exit code only which is not useful to debug (see #7484).
| | |   Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #7783 from ashley-cui/slirp (OpenShift Merge Robot, 2020-09-29)
|\ \ \
| |/ /
|/| |   Add support for slirp network for pods
| * | Add support for slirp network for pods (Ashley Cui, 2020-09-25)
| | |   flag --network=slirp4netns[options] for root and rootless pods
| | |   Signed-off-by: Ashley Cui <acui@redhat.com>
* | | Properly handle podman run --pull command (Daniel J Walsh, 2020-09-27)
| | |   Currently the --pull missing|always|never is ignored. This PR implements this for local API. For remote we need to default to pullpolicy specified in the containers.conf file.
| | |   Also fixed an issue when images were matching other image names based on prefix, causing images to always be pulled. I had named an image myfedora and whenever I pulled fedora, the system thought that there were two images named fedora since it was checking for the name fedora as well as the prefix fedora. I changed it to check for fedora and the prefix /fedora, to prevent failures like I had.
| | |   Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | HTTP Attach: Wait until both STDIN and STDOUT finish (Matthew Heon, 2020-09-24)
| | |   In the old code, there was a chance that we could return when only one of STDIN or STDOUT had finished - this could lead to us dropping either input to the container, or output from it, in the case that one stream terminated early. To resolve this, use separate channels to return STDOUT and STDIN errors, and track which ones have returned cleanly to ensure that we need both in order to return from the HTTP attach function and pass control back to the HTTP handler (which would assume we exited cleanly and close the client's attach connection).
| | |   Signed-off-by: Matthew Heon <mheon@redhat.com>