| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
| |
Add pkg/capabibilities to deal with capabilities. The code has been
copied from Docker (and attributed with the copyright) but changed
significantly to only do what we really need. The code has also been
simplified and will perform better due to removed redundancy.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\
| |
| | |
api: fix the CPU stats reported
|
| | |
| |
| |
| | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| |
| |
| | |
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When Docker performs a copy up, it first verifies that the volume
being copied into is empty; thus, for volumes that have been
modified elsewhere (e.g. manually copying into then), the copy up
will not be performed at all. Duplicate this behavior in Podman
by checking if the volume is empty before copying.
Furthermore, move setting copyup to false further up. This will
prevent a potential race where copy up could happen more than
once if Podman was killed after some files had been copied but
before the DB was updated.
This resolves CVE-2020-1726.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\
| |
| | |
Simplify image object creation
|
| | |
| |
| |
| |
| |
| |
| | |
... because both callers only care about that aspect of the
return value.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
| | |
| |
| |
| |
| |
| | |
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
... so that _all_ Image objects are created in a single place
that is easy to update.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Instead of the function updating image.InputName (the only reason for it
to need an image), have it return the updated value separately.
This will allow simplifying the constructors of Image further.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
All ways to create an Image{} have a non-nil .image field, and it
is never set to nil, so this is dead code.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
All code creating an Image by looking up a name now uses
Runtime.NewFromLocal.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
| | |
| |
| |
| |
| |
| | |
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is not _trivially_ safe because newImage.getLocalImage()
modifies newImage.ImageName, but we overwrite that value anyway.
So, this should not change behavior, and it will make future refactoring
easier to verify.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
... so that there ultimately is only one constructor.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
| |\ \
| |/
|/| |
Add backend code for pod network options
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds network-related options to the pod in the database. We
are going to add the CLI frontend in further patches.
In short, this should greatly improve the ability of pods to
configure networking, once the CLI parsing is added.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If there are no running containers - for example, if the pod was
just created - the cgroup in question may not exist (under
certain circumstances that we're not 100% sure about). However,
regardless, we don't need to set a PID limit, as nothing will be
making cleanup processes (no running conmon processes), so not
changing the cgroup is safe regardless.
Fixes #5072
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\ \
| | |
| | | |
Tear down network when restarting containers
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This makes restart a bit slower for root containers, but it does
make it more consistent with `podman stop` and `podman start` on
a container. Importantly, `podman restart` will now recreate
firewall rules if they were somehow purged.
Fixes #5051
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |\ \
| | |
| | | |
Close tarSource when finished using it
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1797599
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \ \
| |/ /
|/| | |
[CI:DOCS] Spec proposal
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The current Libpod pkg/spec has become a victim of the better
part of three years of development that tied it extremely closely
to the current Podman CLI. Defaults are spread across multiple
places, there is no easy way to produce a CreateConfig that will
actually produce a valid container, and the logic for generating
configs has sprawled across at least three packages.
This is an initial pass at a package that generates OCI specs
that will supersede large parts of the current pkg/spec. The
CreateConfig will still exist, but will effectively turn into a
parsed CLI. This will be compiled down into the new SpecGenerator
struct, which will generate the OCI spec and Libpod create
options.
The preferred integration point for plugging into Podman's Go API
to create containers will be the new CreateConfig, as it's less
tied to Podman's command line. CRI-O, for example, will likely
tie in here.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |/
|
|
| |
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In Podman 1.6.3, we added support for anonymous volumes - fixing
our old, broken support for named volumes that were created with
containers. Unfortunately, this reused the database field we used
for the old implementation, and toggled volume removal on for
`podman run --rm` - so now, we were removing *named* volumes
created with older versions of Podman.
We can't modify these old volumes in the DB, so the next-safest
thing to do is swap to a new field to indicate volumes should be
removed. Problem: Volumes created with 1.6.3 and up until this
lands, even anonymous volumes, will not be removed. However, this
is safer than removing too many volumes, as we were doing before.
Fixes #5009
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
|
|
|
|
|
|
|
| |
Get the layer's size whether it relates to the first history entry or
not. This fixes issues where the first entry would always be shown
to be of size 0.
Fixes: #4916
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |
|
|
|
|
|
|
| |
When a container specification has a pull policy, we should honor it when recreating the pods/containers from yaml. furthermore, ini kube, if a tag is :latest, then the always pull policy is automatically instituted.
Fixes: #4880
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| |
|
|
|
|
|
| |
when a docker image has a defined healthcheck, it should be displayed with inspect. this is only valid for docker images as oci images are not aware of healthchecks.
Fixes: #4799
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| |\
| |
| | |
APIv2 review corrections #3
|
| | |
| |
| |
| |
| |
| | |
The third pass of corrections for the APIv2.
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| |\ \
| |/
|/| |
Default CPUShares in Inspect are 1024
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is purely a display change - we weren't initializing the
default value to display for the CPUShares field, which defaults
to 1024.
Fixes #4822
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |/
|
|
|
|
| |
Add API review comments to correct documentation and endpoints. Also, add a libpode prune method to reduce code duplication. Only used right now for the API but when the remote client is wired, we will switch over there too.
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| |\
| |
| | |
oci_conmon: do not create a cgroup under systemd
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Detect whether we are running under systemd (if the INVOCATION_ID is
set). If Podman is running under a systemd service, we do not need to
create a cgroup for conmon.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
it allows to disable cgroups creation only for the conmon process.
A new cgroup is created for the container payload.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new APIv2 branch provides an HTTP-based remote API to Podman.
The requirements of this are, unfortunately, incompatible with
the existing Attach API. For non-terminal attach, we need append
a header to what was copied from the container, to multiplex
STDOUT and STDERR; to do this with the old API, we'd need to copy
into an intermediate buffer first, to handle the headers.
To avoid this, provide a new API to handle all aspects of
terminal and non-terminal attach, including closing the hijacked
HTTP connection. This might be a bit too specific, but for now,
it seems to be the simplest approach.
At the same time, add a Resize endpoint. This needs to be a
separate endpoint, so our existing channel approach does not work
here.
I wanted to rework the rest of attach at the same time (some
parts of it, particularly how we start the Attach session and how
we do resizing, are (in my opinion) handled much better here.
That may still be on the table, but I wanted to avoid breaking
existing APIs in this already massive change.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
|
|
|
|
|
|
| |
Move the top logic from pkg/adapter into the (*libpod.Container).Top().
This way, we drop the dependency from pkg/api on pkg/adapters and have
a clearer separation of concerns.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\
| |
| | |
oci_conmon: not make accessible dirs if not needed
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
do not change the permissions mask for the rundir and the tmpdir when
running a container with a user namespace and the current user is
mapped inside the user namespace.
The change was introduced with
849548ffb8e958e901317eceffdcc2d918cafd8d, that dropped the
intermediate mount namespace in favor of allowing root into the user
namespace to access these directories.
Closes: https://github.com/containers/libpod/issues/4846
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |/
|
|
|
|
|
| |
Include the unit tests (i.e., _test.go files) for linting to make the
tests more robust and enforce the linters' coding styles etc.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\
| |
| | |
Fix linting
|
| | |
| |
| |
| |
| |
| |
| | |
`gocritic` is a powerful linter that helps in preventing certain kinds
of errors as well as enforcing a coding style.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |\ \
| | |
| | | |
Do not configure CNI when slirp4netns is requested
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Our networking code bakes in a lot of assumptions about how
networking should work - that CNI is *always* used with root, and
that slirp4netns is *always* used only with rootless. These are
not safe assumptions. This fixes one particular issue, which
would cause CNI to also be run when slirp4netns was requested as
root.
Fixes: #4687
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
| |\ \
| |/
|/| |
Add codespell to validate spelling mistakes in code.
|
| | |
| |
| |
| |
| |
| | |
Fix all errors found by codespell
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
| |\ \
| |/
|/| |
Add history names to image inspect data
|
| | |
| |
| |
| |
| |
| |
| | |
During writing the tests I found it would be probably useful to have the
tag history part of the inspect data.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
|
