summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* systemd: mask /sys/fs/cgroup/systemd/release_agentGiuseppe Scrivano2019-10-25
| | | | | | | | when running in systemd mode on cgroups v1, make sure the /sys/fs/cgroup/systemd/release_agent is masked otherwise the container is able to modify it and execute scripts on the host. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4333 from giuseppe/error-rootless-cniOpenShift Merge Robot2019-10-24
|\ | | | | rootless: raise an error with --network=
| * rootless: raise an error with --network=Giuseppe Scrivano2019-10-24
| | | | | | | | | | | | Closes: https://github.com/containers/libpod/issues/4332 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #4228 from giuseppe/detect-no-systemd-sessionOpenShift Merge Robot2019-10-24
|\ \ | | | | | | rootless: detect no system session with --cgroup-manager=systemd
| * | rootless: detect no system session with --cgroup-manager=systemdGiuseppe Scrivano2019-10-23
| | | | | | | | | | | | | | | | | | | | | if the cgroup manager is set to systemd, detect if dbus is available, otherwise fallback to --cgroup-manager=cgroupfs. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Add parsing for UID, GID in volume "o" optionMatthew Heon2019-10-22
| |/ |/| | | | | | | | | | | Everything else is a flag to mount, but "uid" and "gid" are not. We need to parse them out of "o" and handle them separately. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #4287 from mheon/anonymous_volumesOpenShift Merge Robot2019-10-22
|\ \ | | | | | | Add support for anonymous volumes to `podman run -v`
| * | Add support for anonymous volumes to `podman run -v`Matthew Heon2019-10-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, when `podman run` encountered a volume mount without separate source and destination (e.g. `-v /run`) we would assume that both were the same - a bind mount of `/run` on the host to `/run` in the container. However, this does not match Docker's behavior - in Docker, this makes an anonymous named volume that will be mounted at `/run`. We already have (more limited) support for these anonymous volumes in the form of image volumes. Extend this support to allow it to be used with user-created volumes coming in from the `-v` flag. This change also affects how named volumes created by the container but given names are treated by `podman run --rm` and `podman rm -v`. Previously, they would be removed with the container in these cases, but this did not match Docker's behaviour. Docker only removed anonymous volumes. With this patch we move to that model as well; `podman run -v testvol:/test` will not have `testvol` survive the container being removed by `podman rm -v`. The sum total of these changes let us turn on volume removal in `--rm` by default. Fixes: #4276 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #4313 from haircommander/unused-varOpenShift Merge Robot2019-10-22
|\ \ \ | | | | | | | | exec: remove unused var
| * | | exec: remove unused varPeter Hunt2019-10-21
| | |/ | |/| | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | Merge pull request #4284 from mheon/fix_vol_inspectOpenShift Merge Robot2019-10-21
|\ \ \ | | | | | | | | Show volume options in 'volume inspect'
| * | | Show volume options in 'volume inspect'Matthew Heon2019-10-18
| | |/ | |/| | | | | | | | | | | | | | | | We initialized the map to show them, but didn't actually copy them in, so they weren't being displayed. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #4309 from giuseppe/write-storage-overridesOpenShift Merge Robot2019-10-21
|\ \ \ | |_|/ |/| | rootless: write storage overrides to the conf file
| * | rootless: write storage overrides to the conf fileGiuseppe Scrivano2019-10-21
| |/ | | | | | | | | | | | | | | | | make sure the user overrides are stored in the configuration file when first created. Closes: https://github.com/containers/libpod/issues/2659 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / rootless: do not enable lingering modeGiuseppe Scrivano2019-10-17
|/ | | | | | | | do not automatically enable lingering mode. Closes: https://github.com/containers/libpod/issues/4224 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4273 from mheon/no_runtimeOpenShift Merge Robot2019-10-16
|\ | | | | Add a MissingRuntime implementation
| * Add a MissingRuntime implementationMatthew Heon2019-10-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a container is created with a given OCI runtime, but then it is uninstalled or removed from the configuration file, Libpod presently reacts very poorly. The EvictContainer code can potentially remove these containers, but we still can't see them in `podman ps` (aside from the massive logrus.Errorf messages they create). Providing a minimal OCI runtime implementation for missing runtimes allows us to behave better. We'll be able to retrieve containers from the database, though we still pop up an error for each missing runtime. For containers which are stopped, we can remove them as normal. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #4272 from baude/rootlesstatsnetOpenShift Merge Robot2019-10-16
|\ \ | | | | | | rootless v2 cannot collect network stats
| * | rootless v2 cannot collect network statsbaude2019-10-15
| |/ | | | | | | | | | | | | | | | | | | network statistics cannot be collected for rootless network devices with the current implementation. for now, we return nil so that stats will at least for users. Fixes:#4268 Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #4256 from mheon/fix_volumesOpenShift Merge Robot2019-10-16
|\ \ | |/ |/| Ensure volumes can be removed when they fail to unmount
| * Ensure volumes can be removed when they fail to unmountMatthew Heon2019-10-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Also, ensure that we don't try to mount them without root - it appears that it can somehow not error and report that mount was successful when it clearly did not succeed, which can induce this case. We reuse the `--force` flag to indicate that a volume should be removed even after unmount errors. It seems fairly natural to expect that --force will remove a volume that is otherwise presenting problems. Finally, ignore EINVAL on unmount - if the mount point no longer exists our job is done. Fixes: #4247 Fixes: #4248 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | inspect: rename ImageID go field to ImageValentin Rothberg2019-10-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The json field is called `Image` while the go field is called `ImageID`, tricking users into filtering for `Image` which ultimately results in an error. Hence, rename the field to `Image` to align json and go. To prevent podman users from regressing, rename `Image` to `ImageID` in the specified filters. Add tests to prevent us from regressing. Note that consumers of the go API that are using `ImageID` are regressing; ultimately we consider it to be a bug fix. Fixes: #4193 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #4262 from nalind/error-causeDaniel J Walsh2019-10-15
|\ \ | | | | | | Unwrap errors before comparing them
| * | Unwrap errors before comparing themNalin Dahyabhai2019-10-14
| |/ | | | | | | | | | | | | Unwrap errors before directly comparing them with errors defined by the storage and image libraries. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* / change error wording when conmon fails without logsValentin Rothberg2019-10-14
|/ | | | | | | | | | | | | | In some cases, conmon can fail without writing logs. Change the wording of the error message from "error reading container (probably exited) json message" to "container create failed (no logs from conmon)" to have a more helpful error message that is more consistent with other errors at that stage of execution. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #4220 from mheon/null_runtimeOpenShift Merge Robot2019-10-11
|\ | | | | Move OCI runtime implementation behind an interface
| * When restoring containers, reset cgroup pathMatthew Heon2019-10-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, `podman checkport restore` with exported containers, when told to create a new container based on the exported checkpoint, would create a new container, with a new container ID, but not reset CGroup path - which contained the ID of the original container. If this was done multiple times, the result was two containers with the same cgroup paths. Operations on these containers would this have a chance of crossing over to affect the other one; the most notable was `podman rm` once it was changed to use the --all flag when stopping the container; all processes in the cgroup, including the ones in the other container, would be stopped. Reset cgroups on restore to ensure that the path matches the ID of the container actually being run. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Move OCI runtime implementation behind an interfaceMatthew Heon2019-10-10
| | | | | | | | | | | | | | | | | | | | | | | | For future work, we need multiple implementations of the OCI runtime, not just a Conmon-wrapped runtime matching the runc CLI. As part of this, do some refactoring on the interface for exec (move to a struct, not a massive list of arguments). Also, add 'all' support to Kill and Stop (supported by runc and used a bit internally for removing containers). Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #4221 from mheon/reset_runtimeOpenShift Merge Robot2019-10-11
|\ \ | | | | | | Migrate can move containers to a user-defined runtime
| * | Migrate can move containers to a new runtimeMatthew Heon2019-10-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is a horrible hack to work around issues with Fedora 31, but other distros might need it to, so we'll move it upstream. I do not recommend this functionality for general use, and the manpages and other documentation will reflect this. But for some upgrade cases, it will be the only thing that allows for a working system. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #4223 from QiWang19/uidmapOpenShift Merge Robot2019-10-10
|\ \ \ | |_|/ |/| | show uid_map in podman info
| * | show uid_map in podman infoQi Wang2019-10-09
| | | | | | | | | | | | | | | | | | show uid_map gid_map in podman info Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | Merge pull request #4216 from baude/catchv2runcOpenShift Merge Robot2019-10-10
|\ \ \ | |/ / |/| | catch runc v2 error
| * | catch runc v2 errorbaude2019-10-09
| |/ | | | | | | | | | | | | when runc returns an error about not being v2 complient, catch the error and logrus an actionable message for users. Signed-off-by: baude <bbaude@redhat.com>
* / refresh: do not access network ns if not in the namespaceGiuseppe Scrivano2019-10-09
|/ | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4196 from mheon/normal_remove_on_evictOpenShift Merge Robot2019-10-07
|\ | | | | When evicting containers, perform a normal remove first
| * When evicting containers, perform a normal remove firstMatthew Heon2019-10-04
| | | | | | | | | | | | | | | | This ensures that containers that didn't require an evict will be dealt with normally, and we only break out evict for containers that refuse to be removed by normal means. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Update c/image to v4.0.1 and buildah to 1.11.3Miloslav Trmač2019-10-04
|/ | | | | | | | | | | | | | This requires updating all import paths throughout, and a matching buildah update to interoperate. I can't figure out the reason for go.mod tracking github.com/containers/image v3.0.2+incompatible // indirect ((go mod graph) lists it as a direct dependency of libpod, but (go list -json -m all) lists it as an indirect dependency), but at least looking at the vendor subdirectory, it doesn't seem to be actually used in the built binaries. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Merge pull request #3549 from marcov/evict-containerOpenShift Merge Robot2019-10-04
|\ | | | | Add ability to evict a container
| * rm: add containers eviction with `rm --force`Marco Vedovati2019-09-25
| | | | | | | | | | | | | | | | | | Add ability to evict a container when it becomes unusable. This may happen when the host setup changes after a container creation, making it impossible for that container to be used or removed. Evicting a container is done using the `rm --force` command. Signed-off-by: Marco Vedovati <mvedovati@suse.com>
* | podman network create: validate user inputMrigank Krishan2019-10-04
| | | | | | | | | | | | | | Disallow invalid/confusing names such as '../bar' or 'foo ' Closes #4184 Signed-off-by: Mrigank Krishan <mrigankkrishan@gmail.com>
* | rootless: set DBUS_SESSION_BUS_ADDRESS if it is not setGiuseppe Scrivano2019-10-02
| | | | | | | | | | | | | | | | | | | | if the variable is not set, make sure it has a sane value so that go-dbus won't try to connect to the wrong user session. Closes: https://github.com/containers/libpod/issues/4162 Closes: https://github.com/containers/libpod/issues/4164 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #4139 from giuseppe/fix-segfault-missing-slirp4netnsOpenShift Merge Robot2019-10-01
|\ \ | | | | | | networking: fix segfault when slirp4netns is missing
| * | rootless: do not attempt a CNI refreshGiuseppe Scrivano2019-10-01
| | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | networking: fix segfault when slirp4netns is missingGiuseppe Scrivano2019-10-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | fixes a segfault when slirp4netns is not installed and the slirp sync pipe is not created. Closes: https://github.com/containers/libpod/issues/4113 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | network: add workaround for slirp4netns --enable-sandbox issueGiuseppe Scrivano2019-10-01
|/ / | | | | | | | | | | add a workaround for https://github.com/rootless-containers/slirp4netns/pull/153 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | info: add cgroups2Giuseppe Scrivano2019-09-30
| | | | | | | | | | | | Closes: https://github.com/containers/libpod/issues/4080 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #4065 from mheon/unconditional_conmon_rmOpenShift Merge Robot2019-09-27
|\ \ | | | | | | Unconditionally remove conmon files before starting
| * | Unconditionally remove conmon files before startingMatthew Heon2019-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We've been seeing a lot of issues (ref: #4061, but there are others) where Podman hiccups on trying to start a container, because some temporary files have been retained and Conmon will not overwrite them. If we're calling start() we can safely assume that we really want those files gone so the container starts without error, so invoke the cleanup routine. It's relatively cheap (four file removes) so it shouldn't hurt us that much. Also contains a small simplification to the removeConmonFiles logic - we don't need to stat-then-remove when ignoring ENOENT is fine. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Correct use of reexec.Init()Nalin Dahyabhai2019-09-26
| | | | | | | | | | | | | | | | | | | | | A true result from reexec.Init() isn't an error, but it indicates that main() should exit with a success exit status. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>