summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Fix image volumes access and mount problems on restartMarco Vedovati2018-06-22
| | | | | | | | | | | | | | | | | | | Signed-off-by: Marco Vedovati <mvedovati@suse.com> - Set srcPath permissions so that the container user can R/W it. - Fix uninitialized spec.Mount when restarting a container. - Check for srcPath instead of volumePath existence when setting up a volume mount point for a container. - Set the overlay volumePath with the same owner and permissions as srcPath to allow proper access by the container user. Closes #844 Closes: #951 Approved by: rhatdan
* We are using err in defer function, needs to be defined nameDaniel J Walsh2018-06-22
| | | | | | | | | | Since we are checking if err is non nil in defer function we need to define it, so that the check will work correctly. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #985 Approved by: mheon
* libpod: fix race with attach/startGiuseppe Scrivano2018-06-20
| | | | | | | | | | | Move the StartContainer call after the attach to the UNIX socket. It solves a race where the StartContainer could be done earlier and a short-lived container could already exit by the time we tried to attach to the socket. Closes: https://github.com/projectatomic/libpod/issues/835 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Errors from closing a netns on removal from DB are nonfatalMatthew Heon2018-06-19
| | | | | | | | | | | | | | | | Upon updating a container, if its network namespace has been removed, we attempt to clean up the network namespace locally, to ensure we don't leave hanging file descriptors. This triggers cleanup code which assumes the network namespace still exists, but it almost certainly was removed by whoever removed it from the database. As such, we end up with unavoidable errors if we don't want to leak FDs. Make these errors nonfatal and log them because of this. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #962 Approved by: rhatdan
* Add extra debug so we can tell apart postdelete hooksMatthew Heon2018-06-19
| | | | | | | | | | Ensure we can identify what hook is running so we can tell which are erroring. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #960 Approved by: rhatdan
* Add --all,-a flag to podman imagesumohnani82018-06-18
| | | | | | | | | | | podman images will not show intermediate images by default. To view all images, including intermediate images created during a build, use the --all flag. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #947 Approved by: rhatdan
* Add MacAddress to inspectWim2018-06-18
| | | | | | | Signed-off-by: Wim <wim@42.be> Closes: #955 Approved by: rhatdan
* top: make output tabularValentin Rothberg2018-06-18
| | | | | | | | | | | | | | Make the output of top tabular to be compatible with Docker. Please note, that any user-input for `GetContainerPidInformation(...)` will be ignored until we have found a way to generically and reliably parse ps-1 output or until there is a go-lib to extract all the data from /proc in a ps-1 compatible fashion. Fixes: #458 Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Closes: #939 Approved by: rhatdan
* Add more network info ipv4/ipv6 and be more compatible with dockerWim2018-06-17
| | | | | | | Signed-off-by: Wim <wim@42.be> Closes: #953 Approved by: mheon
* Do not run iptablesDNS workaround on IPv6 addressesWim2018-06-17
| | | | | Closes: #954 Approved by: mheon
* container: specify path to error messageGiuseppe Scrivano2018-06-15
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #871 Approved by: mheon
* podman: use a different store for the rootless caseGiuseppe Scrivano2018-06-15
| | | | | | | | | so that the user has rw access to it. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #871 Approved by: mheon
* container: do not set any mapping when using a rootfsGiuseppe Scrivano2018-06-15
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #871 Approved by: mheon
* podman: do not use Chown in rootless modeGiuseppe Scrivano2018-06-15
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #871 Approved by: mheon
* network: do not attempt to create a network in rootless modeGiuseppe Scrivano2018-06-15
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #871 Approved by: mheon
* oci: do not use hooks in rootless modeGiuseppe Scrivano2018-06-15
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #871 Approved by: mheon
* oci: do not set the cgroup path in Rootless modeGiuseppe Scrivano2018-06-15
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #871 Approved by: mheon
* container: do not add shm in rootless modeGiuseppe Scrivano2018-06-15
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #871 Approved by: mheon
* oci: pass XDG_RUNTIME_DIR down to the OCI runtimeGiuseppe Scrivano2018-06-15
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #871 Approved by: mheon
* podman: accept option --rootfs to use exploded imagesGiuseppe Scrivano2018-06-15
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #871 Approved by: mheon
* Fix cleaning up network namespaces on detached ctrsMatthew Heon2018-06-15
| | | | | | | | | | | | | The containernetworking/plugins ns package does not support unmounting and removing namespaces that were opened by another process. Work around this by doing it ourself. Closes: #858 Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #949 Approved by: rhatdan
* Correctly report errors retrieving containers in psMatthew Heon2018-06-14
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #944 Approved by: rhatdan
* Remove container from state before cleaning up.Daniel J Walsh2018-06-10
| | | | | | | | | | Attempt to cleanup as much of the container as possible, even if one of the cleanup stages fails. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #895 Approved by: mheon
* Remove SELinux transition rule after conmon is started.Daniel J Walsh2018-06-06
| | | | | | | | | | | | We have an issue where iptables command is being executed by podman and attempted to run with a different label. This fix changes podman to only change the label on the conmon command and then set the SELinux interface back to the default. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #906 Approved by: giuseppe
* Added a defer to an Unlock that immediately followed a Lockhaircommander2018-06-05
| | | | Signed-off-by: haircommander <pehunt@redhat.com>
* libpod: Execute poststop hooks locallyW. Trevor King2018-06-04
| | | | | | | | | | | | Instead of delegating to the runtime, since some runtimes do not seem to handle these reliably [1]. [1]: https://github.com/projectatomic/libpod/issues/730#issuecomment-392959938 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #864 Approved by: rhatdan
* Merge pull request #859 from rhatdan/onbuildDaniel J Walsh2018-06-01
|\ | | | | Add OnBuild support for podman build
| * Add OnBuild support for podman buildDaniel J Walsh2018-06-01
| | | | | | | | | | | | Only supported for docker formated images. OCI Does not support this flag. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | runtime: add /usr/libexec/podman/conmon to the conmon pathsGiuseppe Scrivano2018-06-01
|/ | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* fix panic with podman pullbaude2018-05-31
| | | | | | | | | | when there are no registries configured for the system and the user provided a short image name, we panic'd due a logic bug in recent image pull changes. Signed-off-by: baude <bbaude@redhat.com> Closes: #841 Approved by: rhatdan
* Catch does not exist errorDaniel J Walsh2018-05-31
| | | | | | | | | | There was a new line at the end of does not exist which was causing this to fail. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #863 Approved by: baude
* We need to change the SELinux label of the conmon process to s0Daniel J Walsh2018-05-31
| | | | | | | | | | | | | If SELinux is enabled, we are leaking in pipes into the container owned by conmon. The container processes are not allowed to use these pipes, if the calling process is fully ranged. By changing the level of the conmon process to s0, this allows container processes to use the pipes. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #854 Approved by: mheon
* Make references to the Process part of Spec conditionalMatthew Heon2018-05-25
| | | | | | | | | | | The OCI runtime spec does not require Process to be passed (IE, it can be nil). Make most of our references to it conditional on it existing. Signed-off-by: Matthew Heon <mheon@redhat.com> Closes: #828 Approved by: mheon
* save and load should support multi-tag for docker-archiveumohnani82018-05-25
| | | | | | | | | | | | The docker-archive tar files can have multiple tags for the same image stored in it. Load pulls all the tags found in the archive when loading a tar file. Save can oush multiple tags of the same image to a tar archive. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #819 Approved by: rhatdan
* Spell check strings and commentsJhon Honce2018-05-25
| | | | | | | Signed-off-by: Jhon Honce <jhonce@redhat.com> Closes: #831 Approved by: rhatdan
* Set Entrypoint from image only if not already setMatthew Heon2018-05-24
| | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com> Closes: #827 Approved by: rhatdan
* Fix handling of command in imagesDaniel J Walsh2018-05-23
| | | | | | | | | | | Currently we are dropping the command entry from the create line and using the image Cmd. This change will only use the image Cmd if the user did not specify a Cmd. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #823 Approved by: umohnani8
* podman create, start, getattachsocketbaude2018-05-21
| | | | | | | | | First pass at implement API endpoints for create and start. Signed-off-by: baude <bbaude@redhat.com> Closes: #805 Approved by: baude
* honor multiple change valuesbaude2018-05-21
| | | | | | | | | | | | In the case where changes are made to Env, Expose, Volumes, or labels, we should honor that multiple values are valid. Resolves: #795 Signed-off-by: baude <bbaude@redhat.com> Closes: #815 Approved by: mheon
* Refresh pods when refreshing podman stateMatthew Heon2018-05-17
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #784 Approved by: rhatdan
* Add per-pod CGroupsMatthew Heon2018-05-17
| | | | | | | | | | | | | Pods can now create their own (cgroupfs) cgroups which containers in them can (optionally) use. This presently only works with CGroupFS, systemd cgroups are still WIP Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #784 Approved by: rhatdan
* Add pod stateMatthew Heon2018-05-17
| | | | | | | | | | Add a mutable state to pods, and database backend sutable for modifying and updating said state. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #784 Approved by: rhatdan
* Use container cleanup() functions when removingMatthew Heon2018-05-17
| | | | | | | | | | | | Instead of manually calling the individual functions that cleanup uses to tear down a container's resources, just call the cleanup function to make sure that cleanup only needs to happen in one place. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #790 Approved by: rhatdan
* chrootuser: default to GID 0 when given a numeric --userNalin Dahyabhai2018-05-17
| | | | | | | | | | | | | | | When we're given a numeric --user value, default to GID 0 if the numeric ID doesn't correspond to a user entry in /etc/passwd that can provide us with the user's primary group ID. Make sure that GetAdditionalGroupsForUser() returns wrapped errors. Also test various user:group forms. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #728 Approved by: mheon
* Allow push/save without image referenceumohnani82018-05-16
| | | | | | | | | | | | If the user uses the image ID when saving to either docker-archive or oci-archive, then do not save a reference in the manifest/index.json. If the user chooses to push without an image reference, i.e <transport>:<path> it should be valid and succeed. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #782 Approved by: rhatdan
* implement varlink commitbaude2018-05-15
| | | | | | | Signed-off-by: baude <bbaude@redhat.com> Closes: #762 Approved by: baude
* hooks: Add package support for extension stagesW. Trevor King2018-05-14
| | | | | | | | | | | | | We aren't consuming this yet, but these pkg/hooks changes lay the groundwork for future libpod changes to support post-exit hooks [1,2]. [1]: https://github.com/projectatomic/libpod/issues/730 [2]: https://github.com/opencontainers/runc/issues/1797 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #758 Approved by: rhatdan
* Gracefully handle containers removed from c/storageMatthew Heon2018-05-14
| | | | | | | | | | Allow containers that no longer exist in storage to be evicted from the state instead of erroring. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #764 Approved by: rhatdan
* hooks: Order injection by collated JSON filenameW. Trevor King2018-05-11
| | | | | | | | | | | | | | | | | | | | | | | We also considered ordering with sort.Strings, but Matthew rejected that because it uses a byte-by-byte UTF-8 comparison [1] which would fail many language-specific conventions [2]. There's some more discussion of the localeToLanguage mapping in [3]. Currently language.Parse does not handle either 'C' or 'POSIX', returning: und, language: tag is not well-formed for both. [1]: https://github.com/projectatomic/libpod/pull/686#issuecomment-387914358 [2]: https://en.wikipedia.org/wiki/Alphabetical_order#Language-specific_conventions [3]: https://github.com/golang/go/issues/25340 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #686 Approved by: mheon
* libpod: Add HooksDirNotExistFatalW. Trevor King2018-05-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | And add an argument to WithHooksDir to set it. If the hook dir doesn't exist, the new hooks package considers that a fatal error. When a podman caller sets --hooks-dir-path=/some/typoed/directory, a fatal error is more helpful than silently not loading any hooks. However, callers who call podman without setting --hooks-dir-path may not need hooks at all. We don't want to pester those callers with not-exist errors. With this commit, we: * Assume the caller knows what they're doing if they set --hooks-dir-path and set HooksDirNotExistFatal. * If the caller does not explicitly set --hooks-dir-path, assume they won't mind if the hook directory is missing and set HooksDirNotExistFatal false. We also considered checking for the directory's existence in the code calling WithHooksDir or from within WithHooksDir, but checks there would race with the underlying ioutil.ReadDir in the hooks package. By pushing the warn/error decision down into libpod's implementation, we avoid a racy "do we expect this to work once libpod gets to it?" pre-check. I've also added a check to error if WithHooksDir is called with an empty-string argument, because we haven't defined the semantics of that (is it clearing a previous value? Is it effectively the same as the current directory?). I agree with Matthew that a separate WithNoHooks, or a *string argument to WithHooks, or some such would be a better API for clearing previous values [1]. But for now, I'm just erroring out to fail early for callers who might otherwise be surprised that libpod ignores empty-string HooksDir. [1]: https://github.com/projectatomic/libpod/pull/686#issuecomment-385119370 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #686 Approved by: mheon
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-11-05 06:47:23 +0000