path: root/libpod
Commit message (Author, Date)
* exec: fix error code when conmon fails (Peter Hunt, 2020-03-04)
    This is a cosmetic change that makes sure podman returns a sane error code when conmon dies underneath it.
    Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Exec: use ErrorConmonRead (Peter Hunt, 2020-03-03)
    Before, we were using -1 as a bogus value in podman to signify something went wrong when reading from a conmon pipe. However, conmon uses negative values to indicate the runtime failed, and returns the runtime's exit code. Instead, we should use a bogus value that is actually bogus. Define that value in the define package as MinInt32 (-1 << 31 - 1), which is outside of the range of possible pids (-1 << 31).
    Signed-off-by: Peter Hunt <pehunt@redhat.com>
* exec: get the exit code from sync pipe instead of file (Peter Hunt, 2020-03-03)
    Before, we were getting the exit code from the file, in which we waited an arbitrary amount of time (5 seconds) for the file, and segfaulted if we didn't find it. Instead, we should be a bit more certain conmon has sent the exit code. Luckily, it sends the exit code along the sync pipe fd, so we can read it from there. Adapt the ExecContainer interface to pass along a channel to get the pid and exit code from conmon, to be able to read both from the pipe.
    Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Merge pull request #5206 from rhatdan/capabilities (OpenShift Merge Robot, 2020-03-03)
    Allow devs to set labels in container images for default capabilities.
  * Allow devs to set labels in container images for default capabilities. (Daniel J Walsh, 2020-03-02)
    This patch allows users to specify the list of capabilities required to run their container image. Setting an image/container label "io.containers.capabilities=setuid,setgid" tells podman that the contained image should work fine with just these two capabilities; instead of running with the default capabilities, podman will launch the container with just these capabilities. If the user or image specified capabilities that are not in the default set, the container will print an error message and will continue to run with the default capabilities.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #5363 from mheon/add_ctr_validate (OpenShift Merge Robot, 2020-03-02)
    Add validate() for containers
  * Add validate() for containers (Matthew Heon, 2020-03-02)
    Until now, we've been validating every part of container configuration through the With... functions that set the options. This is fine when we are just validating the options to an individual function, but things get complicated once we need to validate conflicts between different options. We don't know the order in which things were passed, so we need the validation on both of the potential options that can conflict, resulting in significant code duplication. To solve this, add a validate() function for containers, and use this to check whether everything is in a good state. We can probably move more into this function (there are other parts of container creation that also do validation of a sort) but this is a good start to simplifying our options.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #5347 from baude/apiv2wait (OpenShift Merge Robot, 2020-03-02)
    rework apiv2 wait endpoint|binding
  * rework apiv2 wait endpoint|binding (Brent Baude, 2020-02-28)
    Added the ability to wait on a condition (stopped, running, paused...) for a container. If a condition is not provided, wait will default to the stopped condition which uses the original wait code paths. If the condition is stopped, the container exit code will be returned. Also, correct a mux issue we discovered.
    Signed-off-by: Brent Baude <bbaude@redhat.com>
* Merge pull request #5320 from sujil02/podtest (OpenShift Merge Robot, 2020-03-02)
    Add test to validate prune pod apiv2 binding.
  * Update pod bindings and Add test to validate prune pod apiv2 binding. (Sujil02, 2020-02-28)
    Modify the pod inspect bindings to hold current pod status. Includes test to validate on pod status and added test to check no or few pods are pruned, if the pods are in exited state.
    Signed-off-by: Sujil02 <sushah@redhat.com>
* Merge pull request #5349 from mheon/ensure_exec_suppgroups (OpenShift Merge Robot, 2020-02-28)
    Ensure that exec sessions inherit supplemental groups
  * Ensure that exec sessions inherit supplemental groups (Matthew Heon, 2020-02-28)
    This corrects a regression from Podman 1.4.x where container exec sessions inherited supplemental groups from the container, iff the exec session did not specify a user.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #5244 from Akasurde/i4962 (OpenShift Merge Robot, 2020-02-28)
    Add cmd flag to show container name in log
  * Review comments (Abhijeet Kasurde, 2020-02-19)
    Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
  * [WIP] Add cmd flag to show container name in log (Abhijeet Kasurde, 2020-02-19)
    This flag allows user to show container name in podman log command.
    Fixes: #4962
    Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* binding tests for volumes (Brent Baude, 2020-02-27)
    Add binding tests for volumes: inspect(get), create, remove, prune, and list. Implement filters ability for volumes.
    Signed-off-by: Brent Baude <bbaude@redhat.com>
* Add support for multiple CNI networks in podman inspect (Matthew Heon, 2020-02-25)
    When inspecting containers, info on CNI networks added to the container by name (e.g. --net=name1) should be displayed separately from the configuration of the default network, in a separate map called Networks. This patch adds this separation, improving our Docker compatibility and also adding the ability to see if a container has more than one IPv4 and IPv6 address and more than one MAC address.
    Fixes #4907
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add basic deadlock detection for container start/remove (Matthew Heon, 2020-02-24)
    We can easily tell if we're going to deadlock by comparing lock IDs before actually taking the lock. Add a few checks for this in common places where deadlocks might occur. This does not yet cover pod operations, where detection is more difficult (and costly) due to the number of locks being involved being higher than 2. Also, add some error wrapping on the Podman side, so we can tell people to use `system renumber` when it occurs.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #5213 from mheon/remove_db_imagevol (OpenShift Merge Robot, 2020-02-21)
    Remove ImageVolumes from database
  * Remove ImageVolumes from database (Matthew Heon, 2020-02-21)
    Before Libpod supported named volumes, we approximated image volumes by bind-mounting in per-container temporary directories. This was handled by Libpod, and had a corresponding database entry to enable/disable it. However, when we enabled named volumes, we completely rewrote the old implementation; none of the old bind mount implementation still exists, save one flag in the database. With nothing remaining to use it, it has no further purpose.
    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #5263 from baude/logsize (OpenShift Merge Robot, 2020-02-21)
    implement reverse reader for log reads
  * implement reverse reader for log reads (Brent Baude, 2020-02-20)
    In cases where the log file exceeds the available memory of a system, we had a bug that triggered an OOM because the entire logfile was being read when the tail parameter was given. This reads in chunks and is more or less memory safe.
    Fixes: #5131
    Signed-off-by: Brent Baude <bbaude@redhat.com>
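The reverse-reader commit above fixes an OOM caused by loading an entire log file to serve `--tail`. The Go program below is an added example written for this page, not the libpod implementation: it shows the bounded-memory technique, seeking backwards from the end in fixed-size chunks and stopping as soon as enough line breaks have been seen. `TailLines`, `completeLines` and the small chunk size in `main` are choices made here; a real log reader would also have to cope with the per-line timestamp and stream prefix that container log formats carry.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"strings"
)

// TailLines returns the last n lines of r without reading the whole stream
// into memory: it walks backwards from the end in chunkSize steps and stops
// as soon as enough line breaks have been seen. A final trailing newline does
// not count as an extra empty line. Memory use is bounded by the size of the
// last n lines plus one chunk, independent of the file size.
func TailLines(r io.ReadSeeker, n int, chunkSize int) ([]string, error) {
	if n <= 0 {
		return nil, nil
	}
	if chunkSize <= 0 {
		chunkSize = 64 * 1024
	}
	size, err := r.Seek(0, io.SeekEnd)
	if err != nil {
		return nil, err
	}
	var tail []byte // the part of the stream read so far, always its suffix
	buf := make([]byte, chunkSize)
	pos := size
	for pos > 0 && completeLines(tail) < n {
		readSize := int64(chunkSize)
		if pos < readSize {
			readSize = pos
		}
		pos -= readSize
		if _, err := r.Seek(pos, io.SeekStart); err != nil {
			return nil, err
		}
		chunk := buf[:readSize]
		if _, err := io.ReadFull(r, chunk); err != nil {
			return nil, err
		}
		// Prepend a copy: buf is reused on the next iteration.
		tail = append(append([]byte(nil), chunk...), tail...)
	}
	if len(tail) == 0 {
		return []string{}, nil
	}
	parts := bytes.Split(bytes.TrimSuffix(tail, []byte{'\n'}), []byte{'\n'})
	if len(parts) > n {
		parts = parts[len(parts)-n:]
	}
	lines := make([]string, len(parts))
	for i, p := range parts {
		lines[i] = string(p)
	}
	return lines, nil
}

// completeLines counts the newlines that terminate lines strictly inside the
// suffix read so far (a trailing newline ends the last line, it does not
// start a new one). With k such newlines the last k segments are complete
// lines, so once k reaches n the walk can stop.
func completeLines(tail []byte) int {
	c := bytes.Count(tail, []byte{'\n'})
	if bytes.HasSuffix(tail, []byte{'\n'}) {
		c--
	}
	return c
}

func main() {
	// Constructed log: 1000 lines, read back 3 with a deliberately small chunk so several seeks happen.
	var sb strings.Builder
	for i := 1; i <= 1000; i++ {
		fmt.Fprintf(&sb, "2020-02-20T10:00:%02dZ stdout line %d\n", i%60, i)
	}
	lines, err := TailLines(strings.NewReader(sb.String()), 3, 64)
	if err != nil {
		panic(err)
	}
	for _, l := range lines {
		fmt.Println(l)
	}
}
```

`strings.Reader` and `os.File` both satisfy `io.ReadSeeker`, so the same function works on an in-memory sample and on a multi-gigabyte log file; only the last few lines and one chunk are ever resident.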
* Merge pull request #5236 from marusak/filter_by_id (OpenShift Merge Robot, 2020-02-21)
    apiv2: Image filtering and fixup docs
  * apiv2: Enable filtering images by ID (Matej Marusak, 2020-02-17)
    It is more practical for API usage and also it is more in sync with how filtering of containers works.
    Signed-off-by: Matej Marusak <mmarusak@redhat.com>
* Merge pull request #5271 from baude/dnsnameuserns (OpenShift Merge Robot, 2020-02-21)
    populate resolv.conf with dnsname responses when in usernamespace
  * populate resolv.conf with dnsname responses when in usernamespace (Brent Baude, 2020-02-20)
    When using usernamespace, dnsname responses from CNI were not making it into the container's /etc/resolv.conf because of a timing issue. This corrects that behavior.
    Fixes: #5256
    Signed-off-by: Brent Baude <bbaude@redhat.com>
* podman images: add --filter=since=XX (Ed Santiago, 2020-02-20)
    Looks like a bit of a misunderstanding from early on. Docker implements --filter=since=IMAGE. Podman implements 'after' instead of 'since'. Add an equivalent case statement to handle both, keeping 'after' because we have no way of knowing if it is used in the field. Update documentation ... and fix what looks like a complete misinterpretation of what the code actually does: the man page claimed that these were time fields, but I don't see any possible incantation in which a time value works or could work. Updated docs to reflect IMAGE usage. Also changed nonworking '==' to single '='. Added tests. [UPDATE: skip with broken podman-remote]
    Fixes: #5040
    Signed-off-by: Ed Santiago <santiago@redhat.com>
* Merge pull request #5241 from mheon/pod_network_opts_add (OpenShift Merge Robot, 2020-02-20)
    Add network opts to pods
  * Add network options to podman pod create (Matthew Heon, 2020-02-19)
    Enables most of the network-related functionality from `podman run` in `podman pod create`. Custom CNI networks can be specified, host networking is supported, DNS options can be configured. Also enables host networking in `podman play kube`.
    Fixes #2808
    Fixes #3837
    Fixes #4432
    Fixes #4718
    Fixes #4770
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
  * Add ability for pods to use the host network (Matthew Heon, 2020-02-17)
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* libpod/config: use built-in TOML instead of manually merging (Valentin Rothberg, 2020-02-19)
    Instead of manually merging the configs, use the built-in features of TOML to merge/extend the fields of a data type when encoding a file. This erases the need for the merge code in libpod/config and also addresses issues when merging booleans.
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #5243 from Akasurde/misc_typo (OpenShift Merge Robot, 2020-02-18)
    Misc typo fixes
  * Misc typo fixes (Abhijeet Kasurde, 2020-02-18)
    Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* rootless: fix a regression when using -d (Giuseppe Scrivano, 2020-02-18)
    When using -d and port mapping, make sure the correct fd is injected into conmon. Move the pipe creation earlier as the fd must be known at the time we create the container through conmon.
    Closes: https://github.com/containers/libpod/issues/5167
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Refactor image tree for API usage (Sascha Grunert, 2020-02-17)
    Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Merge pull request #5207 from rhatdan/selinux (OpenShift Merge Robot, 2020-02-14)
    Fix SELinux labels of volumes
  * Fix SELinux labels of volumes (Daniel J Walsh, 2020-02-13)
    If we attempt to label a volume and the file system does not support labeling, then just warn. SELinux may or may not work on the volume. There is no way to set up a private label on a newly created volume without using the container mountlabel. If we don't have a mount label at the time of creation of the volume, the only option we have is to create a shared label.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* add pkg/capabilities (Valentin Rothberg, 2020-02-14)
    Add pkg/capabilities to deal with capabilities. The code has been copied from Docker (and attributed with the copyright) but changed significantly to only do what we really need. The code has also been simplified and will perform better due to removed redundancy.
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #5172 from giuseppe/api-fix-cpu-stats (OpenShift Merge Robot, 2020-02-13)
    api: fix the CPU stats reported
  * api: fix the CPU stats reported (Giuseppe Scrivano, 2020-02-11)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* use quay.io/libpod/fedora-minimal for reliability (Brent Baude, 2020-02-12)
    Signed-off-by: Brent Baude <bbaude@redhat.com>
* Do not copy up when volume is not empty (Matthew Heon, 2020-02-12)
    When Docker performs a copy up, it first verifies that the volume being copied into is empty; thus, for volumes that have been modified elsewhere (e.g. manually copying into them), the copy up will not be performed at all. Duplicate this behavior in Podman by checking if the volume is empty before copying. Furthermore, move setting copyup to false further up. This will prevent a potential race where copy up could happen more than once if Podman was killed after some files had been copied but before the DB was updated.
    This resolves CVE-2020-1726.
    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
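The copy-up commit above carries two distinct fixes: image content must only be copied into a volume that is still empty, so data an administrator placed there is never clobbered, and the "copy-up done" state must be recorded before any file is written, so a crash part way through cannot trigger a second copy-up on the next start. The Go program below is an added example for this page, not libpod's volume code; `CopyUp`, `VolumeIsEmpty` and `copyTree` are names chosen here, the `markDone` callback stands in for the database update, and the temporary directories in `main` are constructed input.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// VolumeIsEmpty reports whether dir has no entries at all, which is the
// condition the commit above checks before a copy-up.
func VolumeIsEmpty(dir string) (bool, error) {
	f, err := os.Open(dir)
	if err != nil {
		return false, err
	}
	defer f.Close()
	_, err = f.Readdirnames(1)
	if err == io.EOF {
		return true, nil
	}
	return false, err
}

// copyTree copies directories and regular files from src into dst. Symlinks
// and special files are skipped in this illustration; a real copy-up also has
// to preserve ownership and xattrs (including the SELinux label).
func copyTree(src, dst string) error {
	return filepath.Walk(src, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(src, path)
		if err != nil {
			return err
		}
		target := filepath.Join(dst, rel)
		switch {
		case info.IsDir():
			return os.MkdirAll(target, info.Mode().Perm())
		case info.Mode().IsRegular():
			in, err := os.Open(path)
			if err != nil {
				return err
			}
			defer in.Close()
			// O_EXCL: the volume was verified empty, so an existing file means something raced us.
			out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, info.Mode().Perm())
			if err != nil {
				return err
			}
			defer out.Close()
			_, err = io.Copy(out, in)
			return err
		default:
			return nil
		}
	})
}

// CopyUp applies the two rules from the commit: markDone (standing in for the
// database update that clears the copy-up flag) runs before any file is
// written, and image content is copied only into an empty volume. It reports
// whether a copy took place.
func CopyUp(volumeDir, imageDir string, markDone func() error) (bool, error) {
	if err := markDone(); err != nil {
		return false, err
	}
	empty, err := VolumeIsEmpty(volumeDir)
	if err != nil {
		return false, err
	}
	if !empty {
		return false, nil
	}
	if err := copyTree(imageDir, volumeDir); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	// Constructed layout under a temporary directory: an image path with one file and two volumes,
	// one fresh and one the administrator already populated.
	root, err := os.MkdirTemp("", "copyup-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	image := filepath.Join(root, "image", "data")
	fresh := filepath.Join(root, "vol-fresh")
	used := filepath.Join(root, "vol-used")
	for _, d := range []string{image, fresh, used} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			panic(err)
		}
	}
	os.WriteFile(filepath.Join(image, "config.ini"), []byte("from=image\n"), 0o644)
	os.WriteFile(filepath.Join(used, "config.ini"), []byte("from=admin\n"), 0o644)
	markDone := func() error { return nil }
	for _, vol := range []string{fresh, used} {
		copied, err := CopyUp(vol, image, markDone)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: copied=%v\n", filepath.Base(vol), copied)
	}
}
```

The ordering matters more than it looks: if the state update came after the copy, a kill between the two would leave the flag set, and the next start would run copy-up again into a volume that is no longer empty, which is exactly the overwrite the emptiness check is meant to prevent.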
* Merge pull request #5122 from mtrmac/image-object-creation (OpenShift Merge Robot, 2020-02-10)
    Simplify image object creation
  * Modify Runtime.getImage to return a storage.Image (Miloslav Trmač, 2020-02-07)
    ... because both callers only care about that aspect of the return value.
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Document an aspect of newFromStorage behavior (Miloslav Trmač, 2020-02-07)
    Should not change behavior.
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Introduce a Runtime.newImage constructor (Miloslav Trmač, 2020-02-07)
    ... so that _all_ Image objects are created in a single place that is easy to update. Should not change behavior.
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Move Image.getLocalImage to Runtime.getLocalImage (Miloslav Trmač, 2020-02-07)
    Instead of the function updating image.InputName (the only reason for it to need an image), have it return the updated value separately. This will allow simplifying the constructors of Image further. Should not change behavior.
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Remove the getLocalImage() call from Image.Size (Miloslav Trmač, 2020-02-07)
    All ways to create an Image{} have a non-nil .image field, and it is never set to nil, so this is dead code. Should not change behavior.
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  * Use Runtime.NewFromLocal instead of open-coded copies (Miloslav Trmač, 2020-02-07)
    All code creating an Image by looking up a name now uses Runtime.NewFromLocal. Should not change behavior.
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>