path: root/libpod
Commit message (author, age)
* Merge pull request #11091 from Luap99/connect-disconnect (openshift-ci[bot], 2021-08-03)
    fix rootless port forwarding with network dis-/connect
  * fix rootless port forwarding with network dis-/connect (Paul Holzinger, 2021-08-03)
    The rootlessport forwarder requires a child IP to be set. This must be a valid IP in the container network namespace. The problem is that after a network disconnect and connect the eth0 IP changed. Therefore the packets are dropped since the source IP no longer exists in the netns. One solution is to set the child IP to 127.0.0.1, however this is a security problem. [1]
    To fix this we have to recreate the ports after network connect and disconnect. To make this work the rootlessport process exposes a socket where podman network connect/disconnect connect to and send the new child IP to rootlessport. The rootlessport process will remove all ports and recreate them with the new correct child IP.
    Also bump rootlesskit to v0.14.3 to fix a race with RemovePort().
    Fixes #10052
    [1] https://nvd.nist.gov/vuln/detail/CVE-2021-20199
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Fix handling of user specified container labels (Daniel J Walsh, 2021-08-02)
    Currently we override the SELinux labels specified by the user if the container is running a kata container or systemd container. This PR fixes this to use the label specified by the user.
    Fixes: https://github.com/containers/podman/issues/11100
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* ps: support the container notation for ps --filter network=... (flouthoc, 2021-07-30)
    Signed-off-by: flouthoc <flouthoc.git@gmail.com>
* Merge pull request #10910 from adrianreber/2021-07-12-checkpoint-restore-into-pod (OpenShift Merge Robot, 2021-07-28)
    Add support for checkpoint/restore into and out of pods
  * Support checkpoint/restore with pods (Adrian Reber, 2021-07-27)
    This adds support to checkpoint containers out of pods and restore containers into pods. It is only possible to restore a container into a pod if it has been checkpointed out of a pod. It is also not possible to restore a non pod container into a pod.
    The main reason this does not work is the PID namespace. If a non pod container is being restored in a pod with a shared PID namespace, at least one process in the restored container uses PID 1 which is already in use by the infrastructure container. If someone tries to restore a container from a pod with a shared PID namespace without a shared PID namespace it will also fail because the resulting PID namespace will not have a PID 1.
    Signed-off-by: Adrian Reber <areber@redhat.com>
  * Prepare CRIU version check to work with multiple versions (Adrian Reber, 2021-07-27)
    The upcoming commit to support checkpointing out of Pods requires CRIU 3.16. This changes the CRIU version check to support checking for different versions.
    Signed-off-by: Adrian Reber <areber@redhat.com>
* support container to container copy (Mehul Arora, 2021-07-27)
    Implement container to container copy. Previously data could only be copied from/to the host.
    Fixes: #7370
    Co-authored-by: Mehul Arora <aroram18@mcmaster.ca>
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* dual-stack network: fix duplicated subnet assignment (Paul Holzinger, 2021-07-26)
    Make sure podman network create reads all subnets from existing cni configs and not only the first one.
    Fixes #11032
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #10996 from cdoern/untilLog (OpenShift Merge Robot, 2021-07-24)
    Implemented --until flag for Libpod's Container Logs
  * Implemented --until flag for libpod's container logs (cdoern, 2021-07-22)
    compat containers/logs was missing actual usage of until query param. This led me to implement the until param for libpod's container logs as well. Added e2e tests.
    Signed-off-by: cdoern <cdoern@redhat.com>
* Merge pull request #10999 from rhatdan/quota1 (OpenShift Merge Robot, 2021-07-21)
    Drop support for the --storage-opt container flag
  * Drop podman create --storage-opt container flag (Daniel J Walsh, 2021-07-20)
    The global flag will work in either location, and this flag just breaks users' expectations, and is basically a noop.
    Also fix global storage-opt so that podman-remote can use it.
    [NO TESTS NEEDED] Since it would be difficult to test in ci/cd.
    Fixes: https://github.com/containers/podman/issues/10264
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Copy the content from the underlying image into the newly created volume. (Vikas Goel, 2021-07-20)
    Fixes: #10262
    Signed-off-by: Vikas Goel <vikas.goel@gmail.com>
* Merge pull request #10848 from vrothberg/update-libimage (OpenShift Merge Robot, 2021-07-16)
    vendor containers/common@main
  * vendor containers/common@main (Valentin Rothberg, 2021-07-16)
    The `IgnorePlatform` option has been removed from the `LookupImageOptions` in libimage to properly support multi-arch images.
    Skip one buildah-bud test which requires updated CI images. This is currently being done in github.com/containers/podman/pull/10829 but we need to unblock merging common and buildah into podman.
    [NO TESTS NEEDED]
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* --infra-name command line argument (José Guilherme Vanz, 2021-07-15)
    Adds the new --infra-name command line argument allowing users to define the name of the infra container
    Issue #10794
    Signed-off-by: José Guilherme Vanz <jvanz@jvanz.com>
* Merge pull request #10894 from cdoern/pidPod (OpenShift Merge Robot, 2021-07-15)
    podman pod create --pid flag
  * podman pod create --pid flag (cdoern, 2021-07-15)
    added support for --pid flag. User can specify ns:file, pod, private, or host. container returns an error since you cannot point the ns of the pod's infra container to a container outside of the pod.
    Signed-off-by: cdoern <cdoern@redhat.com>
* Merge pull request #10939 from Luap99/rootless-cni (OpenShift Merge Robot, 2021-07-15)
    Fix race conditions in rootless cni setup
  * Fix race conditions in rootless cni setup (Paul Holzinger, 2021-07-15)
    There was a race condition when calling `GetRootlessCNINetNs()`. It created the rootless cni directory before it got locked. Therefore another process could have called cleanup and removed this directory before it was used resulting in errors. The lockfile got moved into the XDG_RUNTIME_DIR directory to prevent a panic when the parent dir was removed by cleanup.
    Fixes #10930
    Fixes #10922
    To make this even more robust `GetRootlessCNINetNs()` will now return locked. This guarantees that we can run `Do()` after `GetRootlessCNINetNs()` before another process could have called `Cleanup()` in between.
    [NO TESTS NEEDED] CI is flaking, hopefully this will fix it.
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #10936 from AkihiroSuda/issue10929 (OpenShift Merge Robot, 2021-07-15)
    CNI-in-slirp4netns: fix bind-mount for /run/systemd/resolve/stub-resolv.conf
  * CNI-in-slirp4netns: fix bind-mount for /run/systemd/resolve/stub-resolv.conf (Akihiro Suda, 2021-07-15)
    Fix issue 10929 : `[Regression in 3.2.0] CNI-in-slirp4netns DNS gets broken when running a rootful container after running a rootless container`
    When /etc/resolv.conf on the host is a symlink to /run/systemd/resolve/stub-resolv.conf, we have to mount an empty filesystem on /run/systemd/resolve in the child namespace, so as to isolate the directory from the host mount namespace. Otherwise our bind-mount for /run/systemd/resolve/stub-resolv.conf is unmounted when systemd-resolved unlinks and recreates /run/systemd/resolve/stub-resolv.conf on the host.
    [NO TESTS NEEDED]
    Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* Merge pull request #10916 from mheon/fix_7360 (OpenShift Merge Robot, 2021-07-14)
    Perform a one-sided close of HTTP attach conn on EOF
  * Perform a one-sided close of HTTP attach conn on EOF (Matthew Heon, 2021-07-13)
    On EOF of STDIN, we need to perform a one-sided close of the attach connection on the client side, to ensure that STDIN finishing will also cause the exec session to terminate, instead of hang.
    Fixes #7360
    Signed-off-by: Matthew Heon <mheon@redhat.com>
* fix: uid/gid for volume mounted to existing dir (Matej Vasek, 2021-07-12)
    If mounting to existing directory the uid/gid should be preserved. Primary uid/gid of container shouldn't be used.
    Signed-off-by: Matej Vasek <mvasek@redhat.com>
* Merge pull request #10868 from cdoern/untilLog (OpenShift Merge Robot, 2021-07-10)
    Implemented Until Query Parameter for Containers/logs
  * Implemented Until Query Parameter for Containers/logs (cdoern, 2021-07-09)
    compat containers/logs was missing actual usage of until query param.
    fixes #10859
    Signed-off-by: cdoern <cdoern@redhat.com>
* Remove GetStore function from Libpod (Matthew Heon, 2021-07-08)
    We should not be exposing the store outside of Libpod. We want to encapsulate it as an internal implementation detail - there's no reason functions outside of Libpod should directly be manipulating container storage. Convert the last use to invoke a method on Libpod instead, and remove the function.
    [NO TESTS NEEDED] as this is just a refactor.
    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Make rootless-cni setup more robust (Paul Holzinger, 2021-07-06)
    The rootless cni namespace needs a valid /etc/resolv.conf file. On some distros it is a symlink to somewhere under /run. Because the kernel will follow the symlink before mounting, it is not possible to mount a file at exactly /etc/resolv.conf. We have to ensure that the link target will be available in the rootless cni mount ns.
    Fixes #10855
    Also fixed a bug in the /var/lib/cni directory lookup logic. It used `filepath.Base` instead of `filepath.Dir` and thus looped infinitely.
    Fixes #10857
    [NO TESTS NEEDED]
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #10836 from Luap99/diff (OpenShift Merge Robot, 2021-07-03)
    podman diff accept two images or containers
  * podman diff accept two images or containers (Paul Holzinger, 2021-07-02)
    First, make podman diff accept optionally a second argument. This allows the user to specify a second image/container to compare the first with. If it is not set the parent layer will be used as before.
    Second, podman container diff should only use containers and podman image diff should only use images. Previously, podman container diff would use the image when both an image and container with this name exists.
    To make this work two new parameters have been added to the api. If they are not used the previous behaviour is used. The same applies to the bindings.
    Fixes #10649
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* podman service reaper (Paul Holzinger, 2021-07-02)
    Add a new service reaper package. Podman currently does not reap all child processes. The slirp4netns and rootlesskit processes are not reaped. This is not a problem for local podman since the podman process dies before the other processes and then init will reap them for us. However with podman system service it is possible that the podman process is still alive after slirp died. In this case podman has to reap it or the slirp process will be a zombie until the service is stopped.
    The service reaper will listen in an extra goroutine on SIGCHLD. Once it receives this signal it will try to reap all pids that were added with `AddPID()`. While I would like to just reap all children this is not possible because many parts of the code use `os/exec` with `cmd.Wait()`. If we reap before `cmd.Wait()` things can break, so reaping everything is not an option.
    [NO TESTS NEEDED]
    Fixes #9777
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Implement --archive flag for podman cp (Matej Vasek, 2021-07-01)
    Signed-off-by: Matej Vasek <mvasek@redhat.com>
* remove `pkg/registries` (Valentin Rothberg, 2021-06-25)
    Pull the trigger on the `pkg/registries` package which acted as a proxy for `c/image/pkg/sysregistriesv2`. Callers should be using the packages from c/image directly, if needed at all.
    Also make use of libimage's SystemContext() method which returns a copy of a system context, further reducing the risk of unintentionally altering global data.
    [NO TESTS NEEDED]
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #10765 from umohnani8/mtab (OpenShift Merge Robot, 2021-06-23)
    Create /etc/mtab with the correct ownership
  * [NO TESTS NEEDED] Create /etc/mtab with the correct ownership (Urvashi Mohnani, 2021-06-23)
    Create the /etc and /etc/mtab directories with the correct ownership based on what the UID and GID is for the container. This was causing issues when starting the infra container with userns as the /etc directory wasn't being created with the correct ownership.
    Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* Merge pull request #10716 from cdoern/podFlags (OpenShift Merge Robot, 2021-06-23)
    Podman Pod Create --cpus and --cpuset-cpus flags
  * Podman Pod Create --cpus and --cpuset-cpus flags (cdoern, 2021-06-23)
    Added logic and handling for two new Podman pod create Flags. --cpus specifies the total number of cores on which the pod can execute, this is a combination of the period and quota for the CPU. --cpuset-cpus is a string value which determines of these available cores, how many we will truly execute on.
    Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* Merge pull request #10696 from cdoern/libpodStats (OpenShift Merge Robot, 2021-06-23)
    Podman Stats additional features
  * Podman Stats additional features (cdoern, 2021-06-23)
    added Avg Cpu calculation and CPU up time to podman stats. Adding different feature sets in different PRs, CPU first.
    resolves #9258
    Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
* Merge pull request #10754 from Luap99/sync-lock (OpenShift Merge Robot, 2021-06-23)
    getContainerNetworkInfo: lock netNsCtr before sync
  * getContainerNetworkInfo: lock netNsCtr before sync (Paul Holzinger, 2021-06-22)
    `syncContainer()` requires the container to be locked, otherwise we can end up with undefined behavior.
    [NO TESTS NEEDED]
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Do not use inotify for OCICNI (Paul Holzinger, 2021-06-22)
    Podman does not need to watch the cni config directory. If a network is not found in the cache, OCICNI will reload the networks anyway and thus even podman system service should work as expected.
    Also include a change to not mount a "new" /var by default in the rootless cni ns, instead try to use /var/lib/cni first and then the parent dir. This allows users to store cni configs under /var/... which is the case for the CI compose test.
    [NO TESTS NEEDED]
    Fixes #10686
    Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #10742 from vrothberg/fix-10675 (OpenShift Merge Robot, 2021-06-21)
    logs: k8s-file: restore poll sleep
  * logs: k8s-file: restore poll sleep (Valentin Rothberg, 2021-06-21)
    Commit 84b55eec2796 attempted to fix a race waiting for the container died event. Previously, Podman slept for the duration of the polling frequency which I considered to be a mistake. As it turns out, I was mistaken since the file logger will, in fact, NOT read until EOF and then stop logging but stop logging immediately _after_ it woke up.
    [NO TESTS NEEDED] as the race condition cannot be hit reliably.
    Fixes: #10675
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
  * logs: k8s-file: fix spurious error logs (Valentin Rothberg, 2021-06-21)
    Fix the spurious "Error: nil" messages. Also add some more context to logged error messages which makes error sources more obvious.
    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #10734 from mgoltzsche/fix-dns-detection (OpenShift Merge Robot, 2021-06-21)
    Fix systemd-resolved detection.
  * Fix systemd-resolved detection. (Max Goltzsche, 2021-06-20)
    Previously podman failed when run in an environment where 127.0.0.53 is the only nameserver but systemd-resolved is not used directly. In practice this happened when podman was run within an alpine container that used the host's network and the host was running systemd-resolved.
    This fix makes podman ignore a file not found error when reading /run/systemd/resolve/resolv.conf.
    Closes #10733
    [NO TESTS NEEDED]
    Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
* fix systemcontext to use correct TMPDIR (Daniel J Walsh, 2021-06-18)
    Users are complaining about read/only /var/tmp failing even if TMPDIR=/tmp is set.
    This PR Fixes: https://github.com/containers/podman/issues/10698
    [NO TESTS NEEDED] No way to test this.
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>