path: root/libpod
Commit message (Author, Age)
* Reap exec sessions on cleanup and removal (Matthew Heon, 2019-12-12)
  We currently rely on exec sessions being removed from the state by the Exec() API itself, on detecting the session stopping. This is not a reliable method, though. The Podman frontend for exec could be killed before the session ended, or another Podman process could be holding the lock and prevent update (most notable in `run --rm`, when a container with an active exec session is stopped).

  To resolve this, add a function to reap active exec sessions from the state, and use it on cleanup (to clear sessions after the container stops) and remove (to do the same when --rm is passed).

  This is a bit more complicated than it ought to be because Kata and company exist, and we can't guarantee the exec session has a PID on the host, so we have to plumb this through to the OCI runtime.

  Fixes #4666

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #4563 from mheon/fix_change_parsing (OpenShift Merge Robot, 2019-12-06)
  Fix parsing for arrays of values in image changes
  * Add ONBUILD support to --change (Matthew Heon, 2019-12-05)
    Return types had to change a bit for this, but since we can wrap the old v1.ImageConfig, changes are overall not particularly bad.

    At present, I believe this only works with commit, not import. This matches how things were before we changed to the new parsing so I think this is fine.

    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
  * Move Commit() to new parsing for --change (Matthew Heon, 2019-12-05)
    It turns out we had two independent parsing implementations for Dockerfile instructions out of --change. My previous commit fixed the one used in --change, but as I discovered to my dismay, commit used a different implementation. Remove that and use the new parsing implementation instead.

    While we're at it, fix some bugs in the current commit code. The addition of anonymous named volumes to Libpod recently means we can now include those in the image config when committing. Some changes (VOLUME, ENV, EXPOSE, LABEL) previously cleared the config of the former image when used; Docker does not do this, so I removed that behavior.

    Still needs fixing: the new implementation does not support ONBUILD, while the old one did.

    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* libpod: fix stats for rootless pods (Giuseppe Scrivano, 2019-12-04)
  honor the systemd parent directory when specified.

  Closes: https://github.com/containers/libpod/issues/4634

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4629 from mheon/fix_indirect_netnsctr_lookup (OpenShift Merge Robot, 2019-12-03)
  Allow chained network namespace containers
  * Allow chained network namespace containers (Matthew Heon, 2019-12-03)
    The code currently assumes that the container we delegate network namespace to will never further delegate to another container, so when looking up things like /etc/hosts and /etc/resolv.conf we won't pull the correct files from the chained dependency.

    The changes to resolve this are relatively simple - just need to keep looking until we find a container without NetNsCtr set.

    Fixes #4626

    Signed-off-by: Matthew Heon <matthew.heon@pm.me>
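One way to implement the "keep looking until we find a container without NetNsCtr set" lookup from the commit above, as an added example rather than libpod's own code. The Container type, the NetNsOwner function and the three-container state are constructed for the example; the one thing added beyond the commit's description is a seen-set, so that a corrupted state where the chain loops back on itself returns an error instead of spinning forever.

```go
package main

import (
	"errors"
	"fmt"
)

// Container is the minimal shape needed here (constructed for this
// example, not libpod's own type). NetNsCtr holds the ID of the container
// whose network namespace this one joins; it is empty when the container
// owns its namespace and therefore its own /etc/hosts and /etc/resolv.conf.
type Container struct {
	ID         string
	NetNsCtr   string
	ResolvConf string
}

// ErrNetNsCycle is returned when the NetNsCtr chain loops back on itself.
var ErrNetNsCycle = errors.New("network namespace dependency cycle")

// NetNsOwner follows the NetNsCtr chain from start until it reaches a
// container with no NetNsCtr set, which is the one whose files should be
// used. A seen-set bounds the walk so a corrupted state (A -> B -> A)
// returns an error instead of looping forever.
func NetNsOwner(start string, ctrs map[string]*Container) (*Container, error) {
	seen := make(map[string]bool)
	id := start
	for {
		if seen[id] {
			return nil, fmt.Errorf("%w at container %s", ErrNetNsCycle, id)
		}
		seen[id] = true
		c, ok := ctrs[id]
		if !ok {
			return nil, fmt.Errorf("container %s not found in state", id)
		}
		if c.NetNsCtr == "" {
			return c, nil
		}
		id = c.NetNsCtr
	}
}

func main() {
	// Constructed state: c joins b's netns, b joins a's; a owns its own.
	ctrs := map[string]*Container{
		"a": {ID: "a", ResolvConf: "/run/containers/a/resolv.conf"},
		"b": {ID: "b", NetNsCtr: "a"},
		"c": {ID: "c", NetNsCtr: "b"},
	}
	owner, err := NetNsOwner("c", ctrs)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("container c uses %s from %s\n", owner.ResolvConf, owner.ID)
}
```

Resolving to the owner once and then reading every file from that container keeps hosts and resolv.conf consistent; resolving each file separately, or stopping after one hop, is how the pre-fix code picked up the wrong files.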
* Ensure volumes reacquire locks on state refresh (Matthew Heon, 2019-12-02)
  After a restart, pods and containers both run a refresh() function to prepare to run after a reboot. Until now, volumes have not had a similar function, because they had no per-boot setup to perform.

  Unfortunately, this was not noticed when in-memory locking was introduced to volumes. The refresh() routine is, among other things, responsible for ensuring that locks are reserved after a reboot, ensuring they cannot be taken by a freshly-created container, pod, or volume. If this reservation is not done, we can end up with two objects using the same lock, potentially needing to lock each other for some operations - classic recipe for deadlocks.

  Add a refresh() function to volumes to perform lock reservation and ensure it is called as part of overall refresh().

  Fixes #4605
  Fixes #4621

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
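The lock-sharing failure the commit describes, reproduced in an added example that is not libpod's code. Libpod's real lock manager is a shared-memory bitmap; the LockPool here is an in-memory stand-in, and the Volume type, RebootAndCreate and the slot numbers are constructed for the example. It shows what happens when a freshly created object is allocated a slot before the persisted object has re-reserved it, and how a per-boot refresh prevents that.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNoFreeLocks is returned when every slot in the pool is taken.
var ErrNoFreeLocks = errors.New("no free locks")

// LockPool is an in-memory stand-in for a lock manager with a fixed
// number of slots (constructed for this example, not libpod's SHM-backed
// implementation). Slot numbers are what gets persisted in the database.
type LockPool struct {
	inUse []bool
}

func NewLockPool(n int) *LockPool {
	return &LockPool{inUse: make([]bool, n)}
}

// Allocate hands out the lowest free slot to a newly created object.
func (p *LockPool) Allocate() (uint32, error) {
	for i, used := range p.inUse {
		if !used {
			p.inUse[i] = true
			return uint32(i), nil
		}
	}
	return 0, ErrNoFreeLocks
}

// Reserve marks a slot that an existing object already owns. A slot that
// is already held means two objects share a lock, which is exactly the
// deadlock setup the commit describes, so it is reported as an error.
func (p *LockPool) Reserve(id uint32) error {
	if int(id) >= len(p.inUse) {
		return fmt.Errorf("lock %d out of range", id)
	}
	if p.inUse[id] {
		return fmt.Errorf("lock %d already in use", id)
	}
	p.inUse[id] = true
	return nil
}

// Volume carries the lock slot it was given when it was created; this
// survives a reboot in the database while the pool itself starts empty.
type Volume struct {
	Name   string
	LockID uint32
}

// refresh is the per-boot step the commit adds for volumes: re-reserve
// the persisted slot before anything new is allocated.
func (v *Volume) refresh(p *LockPool) error {
	return p.Reserve(v.LockID)
}

// RebootAndCreate rebuilds an empty pool (as after a reboot), optionally
// runs refresh for the persisted volume, then allocates a slot for a new
// volume. It returns both slot numbers so a collision can be detected.
func RebootAndCreate(persisted *Volume, withRefresh bool) (uint32, uint32, error) {
	pool := NewLockPool(8)
	if withRefresh {
		if err := persisted.refresh(pool); err != nil {
			return 0, 0, err
		}
	}
	fresh, err := pool.Allocate()
	if err != nil {
		return 0, 0, err
	}
	return persisted.LockID, fresh, nil
}

func main() {
	vol := &Volume{Name: "data", LockID: 0}
	old, fresh, _ := RebootAndCreate(vol, false)
	fmt.Printf("without refresh: persisted=%d new=%d (shared lock)\n", old, fresh)
	old, fresh, _ = RebootAndCreate(vol, true)
	fmt.Printf("with refresh:    persisted=%d new=%d\n", old, fresh)
}
```

The check that matters operationally is the Reserve failure on an already-held slot: if refresh ever reports it, the database already contains two objects with the same lock ID, and the right response is to refuse to start rather than to continue with shared locks.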
* libpod: fix case for executable file not found errors (Giuseppe Scrivano, 2019-12-02)
  do not change the runtime error to be lowercase, but use a case insensitive regex matching. In this way the original error from the OCI runtime is reported back.

  regression introduced by bc485bce47f55135d6ead80537bc145edb779ae9

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4493 from mheon/add_removing_state (OpenShift Merge Robot, 2019-12-02)
  Add ContainerStateRemoving
  * Error on netns not exist only when ctr is running (Matthew Heon, 2019-11-19)
    If the container is running and we need to get its netns and can't, that is a serious bug deserving of errors. If it's not running, that's not really a big deal. Log an error and continue.

    Signed-off-by: Matthew Heon <mheon@redhat.com>
  * Add ContainerStateRemoving (Matthew Heon, 2019-11-19)
    When Libpod removes a container, there is the possibility that removal will not fully succeed. The most notable problems are storage issues, where the container cannot be removed from c/storage.

    When this occurs, we were faced with a choice. We can keep the container in the state, appearing in `podman ps` and available for other API operations, but likely unable to do any of them as it's been partially removed. Or we can remove it very early and clean up after it's already gone. We have, until now, used the second approach.

    The problem that arises is intermittent problems removing storage. We end up removing a container, failing to remove its storage, and ending up with a container permanently stuck in c/storage that we can't remove with the normal Podman CLI, can't use the name of, and generally can't interact with. A notable cause is when Podman is hit by a SIGKILL midway through removal, which can consistently cause `podman rm` to fail to remove storage.

    We now add a new state for containers that are in the process of being removed, ContainerStateRemoving. We set this at the beginning of the removal process. It notifies Podman that the container cannot be used anymore, but preserves it in the DB until it is fully removed. This will allow Remove to be run on these containers again, which should successfully remove storage if it fails.

    Fixes #3906

    Signed-off-by: Matthew Heon <mheon@redhat.com>
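The ordering the commit describes, set the Removing state first, delete storage, drop the database record last, in an added example that is not libpod's code. The Runtime, Storage interface, FlakyStorage and the container IDs are constructed for the example; FlakyStorage fails its first delete to stand in for the intermittent c/storage error or SIGKILL the commit mentions. The example shows that the record survives the failed attempt, that other operations are refused while it is in that state, and that a second Remove completes the job.

```go
package main

import (
	"errors"
	"fmt"
)

// ContainerState is a reduced version of libpod's state enum with the
// new Removing state (constructed for this example).
type ContainerState int

const (
	ContainerStateStopped ContainerState = iota
	ContainerStateRemoving
)

func (s ContainerState) String() string {
	if s == ContainerStateRemoving {
		return "removing"
	}
	return "stopped"
}

// ErrCtrRemoving is returned for any operation on a half-removed container.
var ErrCtrRemoving = errors.New("container is being removed")

// Storage is the step that can fail partway through removal.
type Storage interface {
	Delete(id string) error
}

// FlakyStorage fails the first Failures calls, standing in for an
// intermittent c/storage error or a SIGKILL mid-removal (constructed).
type FlakyStorage struct {
	Failures int
	Deleted  map[string]bool
}

func (f *FlakyStorage) Delete(id string) error {
	if f.Failures > 0 {
		f.Failures--
		return errors.New("storage layer busy")
	}
	if f.Deleted == nil {
		f.Deleted = make(map[string]bool)
	}
	f.Deleted[id] = true
	return nil
}

type Container struct {
	ID    string
	State ContainerState
}

// Runtime is the in-memory "database" of containers plus the storage backend.
type Runtime struct {
	DB      map[string]*Container
	Storage Storage
}

// Start stands in for any operation that must be refused once removal has begun.
func (r *Runtime) Start(id string) error {
	c, ok := r.DB[id]
	if !ok {
		return fmt.Errorf("no container %q", id)
	}
	if c.State == ContainerStateRemoving {
		return ErrCtrRemoving
	}
	return nil
}

// Remove sets ContainerStateRemoving first, then deletes storage, and
// only drops the database record once storage is gone. If storage
// deletion fails the record stays, so a second Remove can finish the
// job instead of leaving an orphaned storage container.
func (r *Runtime) Remove(id string) error {
	c, ok := r.DB[id]
	if !ok {
		return fmt.Errorf("no container %q", id)
	}
	c.State = ContainerStateRemoving
	if err := r.Storage.Delete(id); err != nil {
		return fmt.Errorf("removing storage for %s: %w", id, err)
	}
	delete(r.DB, id)
	return nil
}

// Exists reports whether the container is still in the database.
func (r *Runtime) Exists(id string) bool {
	_, ok := r.DB[id]
	return ok
}

func main() {
	st := &FlakyStorage{Failures: 1}
	rt := &Runtime{DB: map[string]*Container{"c1": {ID: "c1"}}, Storage: st}
	fmt.Println("first remove:", rt.Remove("c1"))
	fmt.Println("start while removing:", rt.Start("c1"))
	fmt.Println("second remove:", rt.Remove("c1"), "exists:", rt.Exists("c1"))
}
```

In a real runtime the state write has to hit the database before storage is touched, otherwise a SIGKILL between the two leaves exactly the orphan the commit is trying to avoid.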
* Merge pull request #4558 from rhatdan/reset (OpenShift Merge Robot, 2019-11-29)
  Add podman system reset command
  * Add podman system reset command (Daniel J Walsh, 2019-11-29)
    This command will destroy all data created via podman. It will remove containers, images, volumes, pods.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #4576 from giuseppe/oci-errors-only-match (OpenShift Merge Robot, 2019-11-29)
  oci: print only matching part for the errors
  * oci: print only matching part for the errors (Giuseppe Scrivano, 2019-11-28)
    when parsing the OCI error, be sure to discard any other output that is not matched. The full output is still printed with --log-level=debug.

    Closes: https://github.com/containers/libpod/issues/4574

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
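Both OCI error-parsing commits in this log ("fix case for executable file not found errors" and "print only matching part for the errors") describe the same routine from two sides: match the runtime's output case-insensitively without lowercasing it, and surface only the matched fragment unless debug logging is on. An added example that is not libpod's code, putting both together. The pattern list, the FormatOCIError signature and the sample runtime output (with deliberately odd casing) are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ociErrorPatterns are the runtime messages worth surfacing. Each uses
// the (?i) flag so matching is case-insensitive on the runtime's original
// output; nothing is lowercased, so whatever matched is returned with its
// original casing. The list is an assumption for this example.
var ociErrorPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?i)executable file not found in \$PATH`),
	regexp.MustCompile(`(?i)no such file or directory`),
	regexp.MustCompile(`(?i)permission denied`),
}

// MatchOCIError returns only the matched fragment of the runtime output
// and true, or "" and false when no pattern matched.
func MatchOCIError(output string) (string, bool) {
	for _, re := range ociErrorPatterns {
		if loc := re.FindStringIndex(output); loc != nil {
			return output[loc[0]:loc[1]], true
		}
	}
	return "", false
}

// FormatOCIError builds the message shown to the user: the matched
// fragment alone at normal log levels, with the full trimmed output
// appended only when debug is set. Unmatched output is passed through
// trimmed so nothing is silently lost.
func FormatOCIError(runtime, output string, debug bool) string {
	full := strings.TrimSpace(output)
	match, ok := MatchOCIError(full)
	if !ok {
		return fmt.Sprintf("%s: %s", runtime, full)
	}
	if debug {
		return fmt.Sprintf("%s: %s\nfull runtime output: %s", runtime, match, full)
	}
	return fmt.Sprintf("%s: %s", runtime, match)
}

func main() {
	// Constructed runtime stderr with unusual casing, to show the match
	// is case-insensitive but the returned text keeps the original case.
	out := "level=error msg=\"starting container process caused: exec: nosuch: Executable File Not Found In $PATH\"\n"
	fmt.Println(FormatOCIError("runc", out, false))
	fmt.Println(FormatOCIError("runc", out, true))
}
```

Discarding the unmatched part only at the default log level is the point of the second commit: the full text stays reachable with --log-level=debug, so nothing the runtime said is lost when it is needed.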
* Disable checkpointing of containers started with --rm (Adrian Reber, 2019-11-28)
  Trying to checkpoint a container started with --rm works, but it makes no sense as the container, including the checkpoint, will be deleted after writing the checkpoint.

  This commit inhibits checkpointing containers started with '--rm' unless '--export' is used. If the checkpoint is exported it can easily be restored from the exported checkpoint, even if '--rm' is used.

  To restore a container from a checkpoint it is even necessary to manually run 'podman rm' if the container is not started with '--rm'.

  Signed-off-by: Adrian Reber <areber@redhat.com>
* Merge pull request #4568 from openSUSE/history (OpenShift Merge Robot, 2019-11-27)
  Add support for image name history
  * Add support for image name history (Sascha Grunert, 2019-11-27)
    We leverage the containers/storage image history tracking feature to show the previously used image names when running:

        podman images --history

    Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Allow --ip and --mac to be set when joining a CNI net (Matthew Heon, 2019-11-26)
  These only conflict when joining more than one network. We can still set a single CNI network and set a static IP and/or static MAC.

  Fixes #4500

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #4512 from kunalkushwaha/prune-filter (OpenShift Merge Robot, 2019-11-22)
  image prune command fixed as per docker image prune.
  * filter added to image prune command. (Kunal Kushwaha, 2019-11-22)
    filter option accepts two filters.
    - label
    - until

    label supports "label=value" or "label=key=value" format
    until supports all golang compatible time/duration formats.

    Signed-off-by: Kunal Kushwaha <kunal.kushwaha@gmail.com>
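A worked parser for the two filters the commit lists, as an added example rather than the project's own implementation. The Image type, the filter functions and the image set are constructed; the commit says "until" accepts Go time/duration formats, and this example takes a Go duration or an RFC3339 timestamp, the timestamp layout being an assumption. Two behaviours a practitioner would want are made explicit: all filters are ANDed, and an unknown filter name is an error rather than being ignored, so a typo cannot turn a narrow prune into a wide one.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Image is the minimal shape the filters need (constructed for this example).
type Image struct {
	ID      string
	Labels  map[string]string
	Created time.Time
}

// ImageFilter reports whether an image is a prune candidate.
type ImageFilter func(Image) bool

// labelFilter accepts "key" or "key=value": a bare key matches any image
// carrying that label, key=value requires the value to match exactly.
func labelFilter(arg string) ImageFilter {
	parts := strings.SplitN(arg, "=", 2)
	key := parts[0]
	return func(img Image) bool {
		v, ok := img.Labels[key]
		if !ok {
			return false
		}
		return len(parts) == 1 || v == parts[1]
	}
}

// untilFilter accepts a Go duration ("24h", "90m") measured back from
// now, or an RFC3339 timestamp (the timestamp layout is an assumption
// here), and matches images created before that point.
func untilFilter(arg string, now time.Time) (ImageFilter, error) {
	var cutoff time.Time
	if d, err := time.ParseDuration(arg); err == nil {
		cutoff = now.Add(-d)
	} else if ts, err := time.Parse(time.RFC3339, arg); err == nil {
		cutoff = ts
	} else {
		return nil, fmt.Errorf("until: %q is neither a duration nor an RFC3339 time", arg)
	}
	return func(img Image) bool { return img.Created.Before(cutoff) }, nil
}

// ParsePruneFilters turns the values given to --filter into a single
// predicate. All filters must match (logical AND), and an unknown filter
// name is rejected rather than ignored, so a typo cannot widen a prune.
func ParsePruneFilters(args []string, now time.Time) (ImageFilter, error) {
	var filters []ImageFilter
	for _, a := range args {
		parts := strings.SplitN(a, "=", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("invalid filter %q, expected name=value", a)
		}
		switch parts[0] {
		case "label":
			filters = append(filters, labelFilter(parts[1]))
		case "until":
			f, err := untilFilter(parts[1], now)
			if err != nil {
				return nil, err
			}
			filters = append(filters, f)
		default:
			return nil, fmt.Errorf("unsupported filter %q", parts[0])
		}
	}
	return func(img Image) bool {
		for _, f := range filters {
			if !f(img) {
				return false
			}
		}
		return true
	}, nil
}

// PruneCandidates returns the IDs of images the filter selects, in input order.
func PruneCandidates(images []Image, f ImageFilter) []string {
	var ids []string
	for _, img := range images {
		if f(img) {
			ids = append(ids, img.ID)
		}
	}
	return ids
}

func main() {
	now := time.Date(2019, 11, 22, 0, 0, 0, 0, time.UTC)
	images := []Image{ // constructed sample set
		{ID: "aaa", Labels: map[string]string{"stage": "build"}, Created: now.Add(-48 * time.Hour)},
		{ID: "bbb", Labels: map[string]string{"stage": "build"}, Created: now.Add(-1 * time.Hour)},
		{ID: "ccc", Created: now.Add(-72 * time.Hour)},
	}
	f, err := ParsePruneFilters([]string{"label=stage=build", "until=24h"}, now)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("would prune:", PruneCandidates(images, f))
}
```

Passing the clock in as a parameter rather than calling time.Now inside the filter is what makes the "until" cutoff testable and keeps a dry run and the real prune from disagreeing about which images fall on the boundary.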
* Merge pull request #4525 from rst0git/uns-restore-fix (OpenShift Merge Robot, 2019-11-22)
  container-restore: Fix restore with user namespace
  * container-restore: Fix restore with user namespace (Radostin Stoyanov, 2019-11-17)
    When restoring a container with user namespace, the user namespace is created by the OCI runtime, and the network namespace is created after the user namespace to ensure correct ownership. In this case PostConfigureNetNS will be set and the value of c.state.NetNS would be nil. Hence, the following error occurs:

        $ sudo podman run --name cr \
            --uidmap 0:1000:500 \
            -d docker.io/library/alpine \
            /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
        $ sudo podman container checkpoint cr
        $ sudo podman container restore cr
        ...
        panic: runtime error: invalid memory address or nil pointer dereference
        [signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x13a5e3c]

    Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
* config: use EventsLogger=file without systemd (Giuseppe Scrivano, 2019-11-21)
  if systemd is not available, use the file events logger backend.

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4502 from vrothberg/fix-3359 (OpenShift Merge Robot, 2019-11-18)
  history: rewrite mappings
  * history: rewrite mappings (Valentin Rothberg, 2019-11-12)
    Rewrite the backend for displaying the history of an image to simplify the code and be closer to docker's behaviour. Instead of driving index-based heuristics, create a reverse mapping from top-layers to the corresponding image IDs and lookup the layers on-demand. Also use the uncompressed layer size to be closer to Docker's behaviour.

    Note that intermediate images from local builds are not considered for the ID lookups anymore.

    Fixes: #3359

    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
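The reverse mapping and on-demand layer walk the commit describes, in an added example that is not libpod's code. The Layer and Image types, the HistoryEntry row and the three-layer chain are constructed for the example; containers/storage is where the real layer and image records come from. Beyond the commit text, the walk checks for a missing parent and for a cycle in the parent links, so corrupted layer metadata fails cleanly instead of hanging the command.

```go
package main

import (
	"fmt"
)

// Layer and Image are the minimal shapes needed here (constructed for
// this example; Podman reads the real ones from containers/storage).
type Layer struct {
	ID               string
	Parent           string // empty for a base layer
	UncompressedSize int64
}

type Image struct {
	ID       string
	TopLayer string
}

// HistoryEntry is one row of `podman history`, top layer first.
type HistoryEntry struct {
	LayerID string
	ImageID string // empty when no local image has this layer as top layer
	Size    int64
}

// TopLayerIndex is the reverse mapping the commit describes: from a
// top-layer ID to the IDs of local images that use it, so each layer in
// the chain can be looked up on demand instead of scanning all images.
func TopLayerIndex(images []Image) map[string][]string {
	idx := make(map[string][]string, len(images))
	for _, img := range images {
		idx[img.TopLayer] = append(idx[img.TopLayer], img.ID)
	}
	return idx
}

// History walks from the image's top layer down the parent chain. It
// reports the uncompressed size, attaches an image ID where the index
// has one, fails on a missing layer, and guards against a cycle in the
// parent links so corrupted storage metadata cannot hang the command.
func History(img Image, layers map[string]Layer, idx map[string][]string) ([]HistoryEntry, error) {
	var out []HistoryEntry
	seen := make(map[string]bool)
	for id := img.TopLayer; id != ""; {
		if seen[id] {
			return nil, fmt.Errorf("layer %s appears twice in parent chain", id)
		}
		seen[id] = true
		l, ok := layers[id]
		if !ok {
			return nil, fmt.Errorf("layer %s not found", id)
		}
		e := HistoryEntry{LayerID: id, Size: l.UncompressedSize}
		if ids := idx[id]; len(ids) > 0 {
			e.ImageID = ids[0] // first image listed wins when several share a top layer
		}
		out = append(out, e)
		id = l.Parent
	}
	return out, nil
}

func main() {
	layers := map[string]Layer{ // constructed three-layer chain
		"base": {ID: "base", UncompressedSize: 5 << 20},
		"mid":  {ID: "mid", Parent: "base", UncompressedSize: 10 << 20},
		"top":  {ID: "top", Parent: "mid", UncompressedSize: 3 << 20},
	}
	images := []Image{{ID: "img1", TopLayer: "top"}, {ID: "img2", TopLayer: "base"}}
	idx := TopLayerIndex(images)
	entries, err := History(images[0], layers, idx)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, e := range entries {
		fmt.Printf("%-5s image=%-6q size=%d\n", e.LayerID, e.ImageID, e.Size)
	}
}
```

When several local images share a top layer the index holds all of them; which one is shown is a display choice (here the first one encountered), and keeping the full list in the index is what lets a caller make that choice deterministic.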
* Also delete winsz fifo (Peter Hunt, 2019-11-15)
  In conmon 2.0.3, we add another fifo to handle window resizing. This needs to be cleaned up for commands like restore, where the same path is used.

  Signed-off-by: Peter Hunt <pehunt@redhat.com>
* codespell: spelling corrections (Dmitry Smirnov, 2019-11-13)
  Signed-off-by: Dmitry Smirnov <onlyjob@member.fsf.org>
* Merge pull request #4451 from giuseppe/set-mac (OpenShift Merge Robot, 2019-11-07)
  podman: add support for specifying MAC
  * podman: add support for specifying MAC (Jakub Filak, 2019-11-06)
    I basically copied and adapted the statements for setting IP.

    Closes #1136

    Signed-off-by: Jakub Filak <jakub.filak@sap.com>
  * vendor: updated ocicni for MAC address (Jakub Filak, 2019-11-06)
    `go get github.com/cri-o/ocicni@deac903fd99b6c52d781c9f42b8db3af7dcfd00a`

    I had to fix compilation errors in libpod/networking_linux.go

    ---

    ocicni.Networks has changed from string to the structure NetAttachment with the member Name (the former string value) and the member Ifname (optional). I don't think we can make use of Ifname here, so I just map the array of structures to array of strings - e.g. dropping Ifname.

    ---

    The function GetPodNetworkStatus no longer returns Result but it returns the wrapper structure NetResult which contains the former Result plus NetAttachment (Network name and Interface name). Again, I don't think we can make use of that information here, so I just added `.Result` to fix the build.

    ---

    Issue: #1136

    Signed-off-by: Jakub Filak <jakub.filak@sap.com>
* Merge pull request #4470 from vrothberg/fix-4463 (OpenShift Merge Robot, 2019-11-07)
  libpod/config: default: use `crun` on Cgroups v2
  * libpod/config: default: use `crun` on Cgroups v2 (Valentin Rothberg, 2019-11-07)
    When running on a node with Cgroups v2, default to using `crun` instead of `runc`. Note that this only impacts the hard-coded default config. No user config will be over-written.

    Fixes: #4463

    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #4447 from rhatdan/runasuser (OpenShift Merge Robot, 2019-11-07)
  Add support for RunAsUser and RunAsGroup
  * Add support for RunAsUser and RunAsGroup (Daniel J Walsh, 2019-11-06)
    Currently podman generate kube does not generate the correct RunAsUser and RunAsGroup options in the yaml file. This patch fixes this.

    This patch also makes `podman play kube` use the RunAsUser and RunAsGroup options if they are specified in the yaml file.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #4441 from rhatdan/detach (OpenShift Merge Robot, 2019-11-07)
  Allow users to disable detach keys
  * Allow users to disable detach keys (Daniel J Walsh, 2019-11-05)
    If user specifies --detach-keys="", this will disable the feature.

    Adding define.DefaultDetachKeys to help screen to help identify detach keys.

    Updated man pages with additional information.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #4461 from giuseppe/fix-hang (OpenShift Merge Robot, 2019-11-06)
  events: make sure the write channel is always closed
  * events: make sure the write channel is always closed (Giuseppe Scrivano, 2019-11-06)
    in case of errors, the channel is not closed, blocking the reader indefinitely.

    Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1767663

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4370 from rhatdan/seccomp (OpenShift Merge Robot, 2019-11-05)
  Set SELinux labels based on the security context in the kube.yaml
  * Set SELinux labels based on the security context in the kube.yaml (Daniel J Walsh, 2019-11-05)
    If the kube.yaml specifies the SELinux type or Level, we need the container to be launched with the correct label.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* pulling unqualified reference: make sure it's a docker reference (Valentin Rothberg, 2019-11-05)
  When pulling an unqualified reference (e.g., `fedora`) make sure that the reference is not using a non-docker transport to avoid iterating over the search registries and trying to pull from them.

  Fixes: #4434

  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #4438 from giuseppe/fix-slirp4netns-timeout (OpenShift Merge Robot, 2019-11-05)
  slirp4netns: fix timeout
  * slirp4netns: fix timeout (Giuseppe Scrivano, 2019-11-04)
    the pidWaitTimeout is already a Duration so do not multiply it again by time.Millisecond.

    Closes: https://github.com/containers/libpod/issues/4344

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* stats: fix calculation for the CPU time (Giuseppe Scrivano, 2019-11-02)
  Closes: https://github.com/containers/libpod/issues/4409

  Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* Vendor in latest containers/buildah (Urvashi Mohnani, 2019-11-01)
  Pull in changes to pkg/secrets/secrets.go that adds the logic to disable fips mode if a pod/container has a label set.

  Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* Merge pull request #4400 from haircommander/exec-hang (OpenShift Merge Robot, 2019-11-01)
  Switch to bufio Reader for exec streams
  * Switch to bufio Reader for exec streams (Peter Hunt, 2019-10-31)
    There were many situations that made exec act funky with input. pipes didn't work as expected, as well as sending input before the shell opened. Thinking about it, it seemed as though the issues were because of how os.Stdin buffers (it doesn't). Dropping this input had some weird consequences.

    Instead, read from os.Stdin as bufio.Reader, allowing the input to buffer before passing it to the container.

    Signed-off-by: Peter Hunt <pehunt@redhat.com>
* logs: support --tail 0 (Giuseppe Scrivano, 2019-10-31)
  change the default to -1, so that we can change the semantic of "--tail 0" to not print any existing log line.

  Closes: https://github.com/containers/libpod/issues/4396

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>