summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* rootless: automatically create a systemd scopeGiuseppe Scrivano2019-09-12
| | | | | | | | | | | | | | | | | | | | | when running in rootless mode and using systemd as cgroup manager create automatically a systemd scope when the user doesn't own the current cgroup. This solves a couple of issues: on cgroup v2 it is necessary that a process before it can moved to a different cgroup tree must be in a directory owned by the unprivileged user. This is not always true, e.g. when creating a session with su -l. Closes: https://github.com/containers/libpod/issues/3937 Also, for running systemd in a container it was before necessary to specify "systemd-run --scope --user podman ...", now this is done automatically as part of this PR. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Volume lookup needs to include state to unmarshal intoMatthew Heon2019-09-11
| | | | | | | | | Lookup was written before volume states merged, but merged after, and CI didn't catch the obvious failure here. Without a valid state, we try to unmarshall into a null pointer, and 'volume rm' is completely broken because of it. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3984 from mheon/prune_no_in_use_errorOpenShift Merge Robot2019-09-11
|\ | | | | Do not prune images being used by a container
| * Do not prune images being used by a containerMatthew Heon2019-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman is not the only user of containers/storage, and as such we cannot rely on our database as the sole source of truth when pruning images. If images do not show as in use from Podman's perspective, but subsequently fail to remove because they are being used by a container, they're probably being used by Buildah or another c/storage client. Since the images in question are in use, we shouldn't error on failure to prune them - we weren't supposed to prune them in the first place. Fixes: #3983 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #3927 from openSUSE/manager-annotationsOpenShift Merge Robot2019-09-11
|\ \ | | | | | | Add `ContainerManager` annotation to created containers
| * | Add `ContainerManager` annotation to created containersSascha Grunert2019-09-10
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change adds the following annotation to every container created by podman: ```json "Annotations": { "io.containers.manager": "libpod" } ``` Target of this annotaions is to indicate which project in the containers ecosystem is the major manager of a container when applications share the same storage paths. This way projects can decide if they want to manipulate the container or not. For example, since CRI-O and podman are not using the same container library (libpod), CRI-O can skip podman containers and provide the end user more useful information. A corresponding end-to-end test has been adapted as well. Relates to: https://github.com/cri-o/cri-o/pull/2761 Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* | Merge pull request #3581 from mheon/no_cgroupsOpenShift Merge Robot2019-09-11
|\ \ | | | | | | Support running containers without CGroups
| * | Add support for launching containers without CGroupsMatthew Heon2019-09-10
| | | | | | | | | | | | | | | | | | | | | This is mostly used with Systemd, which really wants to manage CGroups itself when managing containers via unit file. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #3961 from mheon/copy_volume_contentsOpenShift Merge Robot2019-09-10
|\ \ \ | |_|/ |/| | When first mounting any named volume, copy up
| * | When first mounting any named volume, copy upMatthew Heon2019-09-09
| |/ | | | | | | | | | | | | | | | | | | | | Previously, we only did this for volumes created at the same time as the container. However, this is not correct behavior - Docker does so for all named volumes, even those made with 'podman volume create' and mounted into a container later. Fixes #3945 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* / Add function for looking up volumes by partial nameMatthew Heon2019-09-09
|/ | | | | | | | | | This isn't included in Docker, but seems handy enough. Use the new API for 'volume rm' and 'volume inspect'. Fixes #3891 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3960 from mheon/ignore_umount_enoentOpenShift Merge Robot2019-09-06
|\ | | | | Ignore ENOENT on umount of SHM
| * Ignore ENOENT on umount of SHMMatthew Heon2019-09-06
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #3918 from rhatdan/infoOpenShift Merge Robot2019-09-06
|\ \ | |/ |/| Return information about mount_program (fuse-overlayfs)
| * Return information about mount_program (fuse-overlayfs)Daniel J Walsh2019-09-06
| | | | | | | | | | | | | | | | | | | | We want to get podman info to tell us about the version of the mount program to help us diagnose issues users are having. Also if in rootless mode and slirp4netns is installed reveal package info on slirp4netns. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #3954 from mheon/hardcode_default_storepathsOpenShift Merge Robot2019-09-06
|\ \ | | | | | | Ensure good defaults on blank c/storage configuration
| * | Ensure good defaults on blank c/storage configurationMatthew Heon2019-09-05
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If c/storage paths are explicitly set to "" (the empty string) it will use compiled-in defaults. However, it won't tell us this via `storage.GetDefaultStoreOptions()` - we just get the empty string (which can put our defaults, some of which are relative to c/storage, in a bad spot). Hardcode a sane default for cases like this. Furthermore, add some sanity checks to paths, to ensure we don't use relative paths for core parts of libpod. Fixes #3952 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Correctly report errors on unmounting SHMMatthew Heon2019-09-05
| | | | | | | | | | | | | | | | | | | | | | When we fail to remove a container's SHM, that's an error, and we need to report it as such. This may be part of our lingering storage woes. Also, remove MNT_DETACH. It may be another cause of the storage removal failures. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Add ability for volumes with options to mount/umountMatthew Heon2019-09-05
| | | | | | | | | | | | | | | | | | | | | | | | | | When volume options and the local volume driver are specified, the volume is intended to be mounted using the 'mount' command. Supported options will be used to volume the volume before the first container using it starts, and unmount the volume after the last container using it dies. This should work for any local filesystem, though at present I've only tested with tmpfs and btrfs. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Add volume stateMatthew Heon2019-09-05
| | | | | | | | | | | | | | | | | | | | | | | | We need to be able to track the number of times a volume has been mounted for tmpfs/nfs/etc volumes. As such, we need a mutable state for volumes. Add one, with the expected update/save methods in both states. There is backwards compat here, in that older volumes without a state will still be accepted. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Change volume driver and options JSON tagsMatthew Heon2019-09-05
|/ | | | | | | | | | | | | | | | In upcoming commits, we're going to turn on the backends for these fields. Volumes with these set will act fundamentally differently from other volumes. There will probably be validation required for each field. Until now, though, we've freely allowed creation of volumes with these set - they just did nothing. So we have no idea what could be in the DB with old volumes. Change the struct tags so we don't have to worry about old, unvalidated data. We'll start fresh with new volumes. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3876 from mheon/fix_mount_flagsOpenShift Merge Robot2019-09-04
|\ | | | | Allow suid, exec, dev mount options to cancel nosuid/noexec/nodev
| * Set base mount options for bind mounts from base systemMatthew Heon2019-08-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If I mount, say, /usr/bin into my container - I expect to be able to run the executables in that mount. Unconditionally applying noexec would be a bad idea. Before my patches to change mount options and allow exec/dev/suid being set explicitly, we inferred the mount options from where on the base system the mount originated, and the options it had there. Implement the same functionality for the new option handling. There's a lot of performance left on the table here, but I don't know that this is ever going to take enough time to make it worth optimizing. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Add support for 'exec', 'suid', 'dev' mount flagsMatthew Heon2019-08-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, we explicitly set noexec/nosuid/nodev on every mount, with no ability to disable them. The 'mount' command on Linux will accept their inverses without complaint, though - 'noexec' is counteracted by 'exec', 'nosuid' by 'suid', etc. Add support for passing these options at the command line to disable our explicit forcing of security options. This also cleans up mount option handling significantly. We are still parsing options in more than one place, which isn't good, but option parsing for bind and tmpfs mounts has been unified. Fixes: #3819 Fixes: #3803 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #3933 from giuseppe/skip-polling-on-runOpenShift Merge Robot2019-09-04
|\ \ | | | | | | libpod: avoid polling container status
| * | libpod: avoid polling container statusGiuseppe Scrivano2019-09-04
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | use the inotify backend to be notified on the container exit instead of polling continuosly the runtime. Polling the runtime slowns significantly down the podman execution time for short lived processes: $ time bin/podman run --rm -ti fedora true real 0m0.324s user 0m0.088s sys 0m0.064s from: $ time podman run --rm -ti fedora true real 0m4.199s user 0m5.339s sys 0m0.344s Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / handle dns response from cnibaude2019-09-03
|/ | | | | | | | | | | | | when cni returns a list of dns servers, we should add them under the right conditions. the defined conditions are as follows: - if the user provides dns, it and only it are added. - if not above and you get a cni name server, it is added and a forwarding dns instance is created for what was in resolv.conf. - if not either above, the entries from the host's resolv.conf are used. Signed-off-by: baude <bbaude@redhat.com> Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3893 from mheon/readd_volume_locksOpenShift Merge Robot2019-08-28
|\ | | | | Re-add volume locks
| * Re-add locks to volumes.Matthew Heon2019-08-28
| | | | | | | | | | | | | | | | | | | | This will require a 'podman system renumber' after being applied to get lock numbers for existing volumes. Add the DB backend code for rewriting volume configs and use it for updating lock numbers as part of 'system renumber'. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #3728 from mheon/systemd_container_testOpenShift Merge Robot2019-08-28
|\ \ | | | | | | Add an integration test for systemd in a container
| * | Add an integration test for systemd in a containerMatthew Heon2019-08-28
| |/ | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* / image: remove unused Decompose methodDan Williams2019-08-28
|/ | | | | | | Decompose() returns an error defined in CNI which has been removed upstream because it had no in-tree (eg in CNI) users. Signed-off-by: Dan Williams <dcbw@redhat.com>
* Merge pull request #3800 from vrothberg/generate-podOpenShift Merge Robot2019-08-22
|\ | | | | generate systemd pod
| * generate systemd: support pods and geneartig filesValentin Rothberg2019-08-21
| | | | | | | | | | | | | | | | | | | | | | Support generating systemd unit files for a pod. Podman generates one unit file for the pod including the PID file for the infra container's conmon process and one unit file for each container (excluding the infra container). Note that this change implies refactorings in the `pkg/systemdgen` API. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #3863 from TomSweeneyRedHat/dev/tsweeney/digestfile2OpenShift Merge Robot2019-08-21
|\ \ | | | | | | Add --digestfile option to push
| * | Add --digestfile option to pushTomSweeneyRedHat2019-08-21
| |/ | | | | | | | | | | | | | | | | | | Add the digestfile option to the push command so the digest can be stored away in a file when requested by the user. Also have added a debug statement to show the completion of the push. Emulates Buildah's https://github.com/containers/buildah/pull/1799/files Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* | Merge pull request #2940 from giuseppe/drop-firewallOpenShift Merge Robot2019-08-21
|\ \ | |/ |/| networking: use firewall plugin
| * networking: use firewall pluginGiuseppe Scrivano2019-08-19
| | | | | | | | | | | | | | drop the pkg/firewall module and start using the firewall CNI plugin. It requires an updated package for CNI plugins. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #3858 from haircommander/exec-userOpenShift Merge Robot2019-08-20
|\ \ | | | | | | exec: run with user specified on container start
| * | exec: run with user specified on container startPeter Hunt2019-08-20
| | | | | | | | | | | | | | | | | | | | | Before, if the container was run with a specified user that wasn't root, exec would fail because it always set to root unless respecified by user. instead, inherit the user from the container start. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | Merge pull request #3569 from rhatdan/cgroupsv1OpenShift Merge Robot2019-08-20
|\ \ \ | |/ / |/| | Fix error message on podman stats on cgroups v1 rootless environments
| * | Fix error message on podman stats on cgroups v1 rootless environmentsDaniel J Walsh2019-08-19
| | | | | | | | | | | | | | | | | | | | | podman stats does not work in rootless environments with cgroups V1. Fix error message and document this fact. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #3760 from rhatdan/authOpenShift Merge Robot2019-08-19
|\ \ \ | | | | | | | | Use GetRuntimeDir to setup auth.json for login
| * | | Use GetRuntimeDir to setup auth.json for loginDaniel J Walsh2019-08-12
| | | | | | | | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #3849 from openSUSE/directory-pullOpenShift Merge Robot2019-08-19
|\ \ \ \ | | | | | | | | | | Fix directory pull image name for OCI images
| * | | | Fix directory pull image name for OCI imagesSascha Grunert2019-08-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is a breaking change and modifies the resulting image name when pulling from an directory via `oci:...`. Without this patch, the image names pulled via a local directory got processed incorrectly, like this: ``` > podman pull oci:alpine > podman images REPOSITORY TAG IMAGE ID CREATED SIZE localhost/oci alpine 4fa153a82426 5 weeks ago 5.85 MB ``` We now use the same approach as in the corresponding [buildah fix][1] to adapt the behavior for correct `localhost/` prefixing. [1]: https://github.com/containers/buildah/pull/1800 After applying the patch the same OCI image pull looks like this: ``` > ./bin/podman pull oci:alpine > podman images REPOSITORY TAG IMAGE ID CREATED SIZE localhost/alpine latest 4fa153a82426 5 weeks ago 5.85 MB ``` End-to-end tests have been adapted as well to cover the added scenario. Relates to: https://github.com/containers/buildah/issues/1797 Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* | | | | Merge pull request #3848 from giuseppe/enable-all-tests-crunOpenShift Merge Robot2019-08-19
|\ \ \ \ \ | |_|_|_|/ |/| | | | tests: enable all tests for crun
| * | | | libpod, pkg: lookup also for crun failuresGiuseppe Scrivano2019-08-19
| | | | | | | | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | | | libpod: still attempt to read the oci log file if not outputGiuseppe Scrivano2019-08-19
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | if we didn't receive any data on the pipe, still attempt to read the specified log file. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | | Merge pull request #3709 from mheon/volume_inspectOpenShift Merge Robot2019-08-19
|\ \ \ \ | |_|_|/ |/| | | Change backend code for 'volume inspect'