summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Merge pull request #1939 from mheon/no_firewall_if_rootlessOpenShift Merge Robot2018-12-04
|\ | | | | Don't initialize CNI when running as rootless
| * Don't initialize CNI when running as rootlessMatthew Heon2018-12-04
| | | | | | | | | | | | | | | | We don't use CNI to configure networks for rootless containers, so no need to set it up. It may also cause issues with inotify, so disabling it resolves some potential problems. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | libpod/container_internal: Deprecate implicit hook directoriesW. Trevor King2018-12-03
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Part of the motivation for 800eb863 (Hooks supports two directories, process default and override, 2018-09-17, #1487) was [1]: > We only use this for override. The reason this was caught is people > are trying to get hooks to work with CoreOS. You are not allowed to > write to /usr/share... on CoreOS, so they wanted podman to also look > at /etc, where users and third parties can write. But we'd also been disabling hooks completely for rootless users. And even for root users, the override logic was tricky when folks actually had content in both directories. For example, if you wanted to disable a hook from the default directory, you'd have to add a no-op hook to the override directory. Also, the previous implementation failed to handle the case where there hooks defined in the override directory but the default directory did not exist: $ podman version Version: 0.11.2-dev Go Version: go1.10.3 Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214" Built: Sun Dec 2 21:30:06 2018 OS/Arch: linux/amd64 $ ls -l /etc/containers/oci/hooks.d/test.json -rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json $ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d" time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)" With this commit: $ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d" time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d" time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json" time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]" time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory" time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\"" (I'd setup the hook to error out). You can see that it's silenly ignoring the ENOENT for /usr/share/containers/oci/hooks.d and continuing on to load hooks from /etc/containers/oci/hooks.d. When it loads the hook, it also logs a warning-level message suggesting that callers explicitly configure their hook directories. That will help consumers migrate, so we can drop the implicit hook directories in some future release. When folks *do* explicitly configure hook directories (via the newly-public --hooks-dir and hooks_dir options), we error out if they're missing: $ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container' error setting up OCI Hooks: open /does/not/exist: no such file or directory I've dropped the trailing "path" from the old, hidden --hooks-dir-path and hooks_dir_path because I think "dir(ectory)" is already enough context for "we expect a path argument". I consider this name change non-breaking because the old forms were undocumented. Coming back to rootless users, I've enabled hooks now. I expect they were previously disabled because users had no way to avoid /usr/share/containers/oci/hooks.d which might contain hooks that required root permissions. But now rootless users will have to explicitly configure hook directories, and since their default config is from ~/.config/containers/libpod.conf, it's a misconfiguration if it contains hooks_dir entries which point at directories with hooks that require root access. We error out so they can fix their libpod.conf. [1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355 Signed-off-by: W. Trevor King <wking@tremily.us>
* rootless: propagate XDG_RUNTIME_DIR to the OCI runtimeGiuseppe Scrivano2018-11-30
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1317 from rhatdan/privilegedOpenShift Merge Robot2018-11-30
|\ | | | | Disable mount options when running --privileged
| * Disable mount options when running --privilegedDaniel J Walsh2018-11-28
| | | | | | | | | | | | | | | | We now default to setting storage options to "nodev", when running privileged containers, we need to turn this off so the processes can manipulate the image. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | /dev/shm should be mounted even in rootless mode.Daniel J Walsh2018-11-28
| | | | | | | | | | | | | | | | Currently we are mounting /dev/shm from disk, it should be from a tmpfs. User Namespace supports tmpfs mounts for nonroot users, so this section of code should work fine in bother root and rootless mode. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #1798 from giuseppe/fix-notify-socketOpenShift Merge Robot2018-11-28
|\ \ | | | | | | systemd: fix NOTIFY_SOCKET with patched runc
| * | oci: propagate NOTIFY_SOCKET on runtime startGiuseppe Scrivano2018-11-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | with https://github.com/opencontainers/runc/pull/1807 we moved the systemd notify initialization from "create" to "start", so that the OCI runtime doesn't hang while waiting on reading from the notify socket. This means we also need to set the correct NOTIFY_SOCKET when start'ing the container. Closes: https://github.com/containers/libpod/issues/746 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #1880 from baude/f29fixesOpenShift Merge Robot2018-11-28
|\ \ \ | | | | | | | | Fix golang formatting issues
| * | | Fix golang formatting issuesbaude2018-11-28
| |/ / | | | | | | | | | | | | | | | | | | Whe running unittests on newer golang versions, we observe failures with some formatting types when no declared correctly. Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #1846 from cgwalters/netns-dns-localhostOpenShift Merge Robot2018-11-28
|\ \ \ | |/ / |/| | Use host's resolv.conf if no network namespace enabled
| * | Use host's resolv.conf if no network namespace enabledColin Walters2018-11-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | My host system runs Fedora Silverblue 29 and I have NetworkManager's `dns=dnsmasq` setting enabled, so my `/etc/resolv.conf` only has `127.0.0.1`. I also run my development podman containers with `--net=host` for various reasons. If we have a host network namespace, there's no reason not to just use the host's nameserver configuration either. This fixes e.g. accessing content on a VPN, and is also faster since the container is using cached DNS. I know this doesn't solve the bigger picture issue of localhost-DNS conflicting with bridged networking, but that's far more involved, probably requiring a DNS proxy in the container. This patch makes my workflow a lot nicer and was easy to write. Signed-off-by: Colin Walters <walters@verbum.org>
* | | Merge pull request #1848 from adrianreber/masterOpenShift Merge Robot2018-11-28
|\ \ \ | | | | | | | | Add tcp-established to checkpoint/restore
| * | | Added tcp-established to checkpoint/restoreAdrian Reber2018-11-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CRIU can checkpoint and restore processes/containers with established TCP connections if the correct option is specified. To implement checkpoint and restore with support for established TCP connections with Podman this commit adds the necessary options to runc during checkpoint and also tells conmon during restore to use 'runc restore' with '--tcp-established'. For this Podman feature to work a corresponding conmon change is required. Example: $ podman run --tmpfs /tmp --name podman-criu-test -d docker://docker.io/yovfiatbeb/podman-criu-test $ nc `podman inspect -l | jq -r '.[0].NetworkSettings.IPAddress'` 8080 GET /examples/servlets/servlet/HelloWorldExample Connection: keep-alive 1 GET /examples/servlets/servlet/HelloWorldExample Connection: keep-alive 2 $ # Using HTTP keep-alive multiple requests are send to the server in the container $ # Different terminal: $ podman container checkpoint -l criu failed: type NOTIFY errno 0 $ # Looking at the log file would show errors because of established TCP connections $ podman container checkpoint -l --tcp-established $ # This works now and after the restore the same connection as above can be used for requests $ podman container restore -l --tcp-established The restore would fail without '--tcp-established' as the checkpoint image contains established TCP connections. Signed-off-by: Adrian Reber <areber@redhat.com>
| * | | Use also a struct to pass options to Restore()Adrian Reber2018-11-28
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is basically the same change as ff47a4c2d5485fc49f937f3ce0c4e2fd6bdb1956 (Use a struct to pass options to Checkpoint()) just for the Restore() function. It is used to pass multiple restore options to the API and down to conmon which is used to restore containers. This is for the upcoming changes to support checkpointing and restoring containers with '--tcp-established'. Signed-off-by: Adrian Reber <areber@redhat.com>
* | | Merge pull request #1849 from giuseppe/report-rootless-netmodeOpenShift Merge Robot2018-11-28
|\ \ \ | | | | | | | | rootless: add new netmode "slirp4netns"
| * | | network: allow slirp4netns mode also for root containersGiuseppe Scrivano2018-11-28
| |/ / | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #1833 from giuseppe/remove-exec-pollingOpenShift Merge Robot2018-11-28
|\ \ \ | |_|/ |/| | exec: remove polling for PID file
| * | util: use fsnotify to wait for fileGiuseppe Scrivano2018-11-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | prefer a fsnotify watcher to polling the file, we take advantage of inotify on Linux and react more promptly to the PID file being created. If the watcher cannot be created, then fallback to the old polling mechanism. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | exec: don't wait for pidfile when the runtime exitedGiuseppe Scrivano2018-11-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | don't wait for the timeout to expire if the runtime process exited. I've noticed podman to hang on exit and keeping the container lock taken when the OCI runtime already exited. Additionally, it reduces the waiting time as we won't hit the 25 milliseconds waiting time in the worst case. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | rootless: fix cleanupGiuseppe Scrivano2018-11-28
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | The conmon exit command is running inside of a namespace where the process is running with uid=0. When it launches again podman for the cleanup, podman is not running in rootless mode as the uid=0. Export some more env variables to tell podman we are in rootless mode. Closes: https://github.com/containers/libpod/issues/1859 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1832 from giuseppe/always-make-explicit-tty-to-execOpenShift Merge Robot2018-11-27
|\ \ | |/ |/| exec: always make explicit the tty value
| * exec: always make explicit the tty valueGiuseppe Scrivano2018-11-20
| | | | | | | | | | | | | | | | | | | | otherwise runc will take by default the value used for creating the container. Setting it explicit overrides its default value and we won't end up trying to use a terminal when not available. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1625876 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1850 from vrothberg/mount-propagationOpenShift Merge Robot2018-11-27
|\ \ | | | | | | set root propagation based on volume properties
| * | set root propagation based on volume propertiesValentin Rothberg2018-11-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Set the root propagation based on the properties of volumes and default mounts. To remain compatibility, follow the semantics of Docker. If a volume is shared, keep the root propagation shared which works for slave and private volumes too. For slave volumes, it can either be shared or rshared. Do not change the root propagation for private volumes and stick with the default. Fixes: #1834 Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
* | | Merge pull request #1734 from rhatdan/networkOpenShift Merge Robot2018-11-27
|\ \ \ | | | | | | | | libpod should know if the network is disabled
| * | | libpod should know if the network is disabledDaniel J Walsh2018-11-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | /etc/resolv.conf and /etc/hosts should not be created and mounted when the network is disabled. We should not be calling the network setup and cleanup functions when it is disabled either. In doing this patch, I found that all of the bind mounts were particular to Linux along with the generate functions, so I moved them to container_internal_linux.go Since we are checking if we are using a network namespace, we need to check after the network namespaces has been created in the spec. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #1868 from QiWang19/issue860OpenShift Merge Robot2018-11-26
|\ \ \ \ | | | | | | | | | | Add history field to image inspect
| * | | | Add history and namespaceoptions to image inspectQi Wang2018-11-26
| | |/ / | |/| | | | | | | | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* / | | add podman container|image existsbaude2018-11-26
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | Add an exists subcommand to podman container and podman image that allows users to verify the existence of a container or image by ID or name. The return code can be 0 (success), 1 (failed to find), or 125 (failed to work with runtime). Issue #1845 Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #1835 from adrianreber/masterOpenShift Merge Robot2018-11-21
|\ \ \ | | | | | | | | Added option to keep container running after checkpointing
| * | | Added option to keep containers running after checkpointingAdrian Reber2018-11-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CRIU supports to leave processes running after checkpointing: -R|--leave-running leave tasks in running state after checkpoint runc also support to leave containers running after checkpointing: --leave-running leave the process running after checkpointing With this commit the support to leave a container running after checkpointing is brought to Podman: --leave-running, -R leave the container running after writing checkpoint to disk Now it is possible to checkpoint a container at some point in time without stopping the container. This can be used to rollback the container to an early state: $ podman run --tmpfs /tmp --name podman-criu-test -d docker://docker.io/yovfiatbeb/podman-criu-test $ curl 10.88.64.253:8080/examples/servlets/servlet/HelloWorldExample 3 $ podman container checkpoint -R -l $ curl 10.88.64.253:8080/examples/servlets/servlet/HelloWorldExample 4 $ curl 10.88.64.253:8080/examples/servlets/servlet/HelloWorldExample 5 $ podman stop -l $ podman container restore -l $ curl 10.88.64.253:8080/examples/servlets/servlet/HelloWorldExample 4 So after checkpointing the container kept running and was stopped after some time. Restoring this container will restore the state right at the checkpoint. Signed-off-by: Adrian Reber <areber@redhat.com>
| * | | Use a struct to pass options to Checkpoint()Adrian Reber2018-11-20
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | For upcoming changes to the Checkpoint() functions this commit switches checkpoint options from a boolean to a struct, so that additional options can be passed easily to Checkpoint() without changing the function parameters all the time. Signed-off-by: Adrian Reber <areber@redhat.com>
* | | Merge pull request #1810 from baude/inspectToKubeOpenShift Merge Robot2018-11-20
|\ \ \ | | | | | | | | generate kubernetes YAML from a libpod container
| * | | output libpod container to kubernetes yamlbaude2018-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | scope out new kube subcommand where we can add generate. you can now generate kubernetes YAML that will allow you to run the container in a kubernetes environment. When The YAML description will always "wrap" a container in a simple v1.Pod description. Tests and further documentation will be added in additional PRs. This function should be considered very much "under heavy development" at this point. Signed-off-by: baude <bbaude@redhat.com>
* | | | Merge pull request #1829 from baude/enableportbindinginpodsOpenShift Merge Robot2018-11-20
|\ \ \ \ | |_|/ / |/| | | Allow users to expose ports from the pod to the host
| * | | Allow users to expose ports from the pod to the hostbaude2018-11-20
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | we need to allow users to expose ports to the host for the purposes of networking, like a webserver. the port exposure must be done at the time the pod is created. strictly speaking, the port exposure occurs on the infra container. Signed-off-by: baude <bbaude@redhat.com>
* / / rootless: create libpod.conf when it doesn't existGiuseppe Scrivano2018-11-19
|/ / | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1756 from isimluk/update-dependent-metalinterOpenShift Merge Robot2018-11-16
|\ \ | | | | | | Update metalinter dependency
| * | Lint: Extract constant unknownPackageŠimon Lukašík2018-11-10
| | | | | | | | | | | | | | | | | | Addressing goconst warning: 3 other occurrence(s) of "Unknown" found Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
| * | Lint: Tests: add missing assertionsŠimon Lukašík2018-11-10
| | | | | | | | | | | | | | | | | | | | | Addressing: ineffectual assignment to err (ineffassign) Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
| * | Lint: Do not ignore errors from docker run command when selinux enabledŠimon Lukašík2018-11-10
| |/ | | | | | | | | | | | | | | | | Redefining err by := operator within block makes this err variable block local. Addressing lint: libpod/oci.go:368:3:warning: ineffectual assignment to err (ineffassign) Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
* / Increase pidWaitTimeout to 60sEmilien Macchi2018-11-15
|/ | | | | | | | | | | At scale, it appears that we sometimes hit the 1000ms timeout to create the PID file when a container is created or executed. Increasing the value to 60s should help when running a lot of containers in heavy-loaded environment. Related #1495 Fixes #1816 Signed-off-by: Emilien Macchi <emilien@redhat.com>
* Merge pull request #1772 from baude/rmdelpausedOpenShift Merge Robot2018-11-09
|\ | | | | rm -f now removes a paused container
| * rm -f now removes a paused containerbaude2018-11-08
| | | | | | | | | | | | | | | | | | | | | | | | We now can remove a paused container by sending it a kill signal while it is paused. We then unpause the container and it is immediately killed. Also, reworked how the parallelWorker results are handled to provide a more consistent approach to how each subcommand implements it. It also fixes a bug where if one container errors, the error message is duplicated when printed out. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #1789 from mheon/fix_add_hosts_testOpenShift Merge Robot2018-11-09
|\ \ | | | | | | Accurately update state if prepare() partially fails
| * | Accurately update state if prepare() partially failsMatthew Heon2018-11-08
| |/ | | | | | | | | | | | | | | | | We are seeing some issues where, when part of prepare() fails (originally noticed due to a bad static IP), the other half does not successfully clean up, and the state can be left in a bad place (not knowing about an active SHM mount for example). Signed-off-by: Matthew Heon <mheon@redhat.com>
* | info: add rootless fieldValentin Rothberg2018-11-09
| | | | | | | | | | | | | | | | | | Add a rootless field to the info data (e.g., `podman info`) to indicate if the executing user is root or not. In most cases, this can be guessed but now it is clear and may aid in debugging, reporting and understanding certain issues. Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
* | Merge pull request #1787 from baude/netstatusreworkOpenShift Merge Robot2018-11-08
|\ \ | | | | | | correct assignment of networkStatus