summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Error on netns not exist only when ctr is runningMatthew Heon2019-11-19
| | | | | | | | | | If the container is running and we need to get its netns and can't, that is a serious bug deserving of errors. If it's not running, that's not really a big deal. Log an error and continue. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Add ContainerStateRemovingMatthew Heon2019-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When Libpod removes a container, there is the possibility that removal will not fully succeed. The most notable problems are storage issues, where the container cannot be removed from c/storage. When this occurs, we were faced with a choice. We can keep the container in the state, appearing in `podman ps` and available for other API operations, but likely unable to do any of them as it's been partially removed. Or we can remove it very early and clean up after it's already gone. We have, until now, used the second approach. The problem that arises is intermittent problems removing storage. We end up removing a container, failing to remove its storage, and ending up with a container permanently stuck in c/storage that we can't remove with the normal Podman CLI, can't use the name of, and generally can't interact with. A notable cause is when Podman is hit by a SIGKILL midway through removal, which can consistently cause `podman rm` to fail to remove storage. We now add a new state for containers that are in the process of being removed, ContainerStateRemoving. We set this at the beginning of the removal process. It notifies Podman that the container cannot be used anymore, but preserves it in the DB until it is fully removed. This will allow Remove to be run on these containers again, which should successfully remove storage if it fails. Fixes #3906 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #4502 from vrothberg/fix-3359OpenShift Merge Robot2019-11-18
|\ | | | | history: rewrite mappings
| * history: rewrite mappingsValentin Rothberg2019-11-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Rewrite the backend for displaying the history of an image to simplify the code and be closer to docker's behaviour. Instead of driving index-based heuristics, create a reverse mapping from top-layers to the corresponding image IDs and lookup the layers on-demand. Also use the uncompressed layer size to be closer to Docker's behaviour. Note that intermediate images from local builds are not considered for the ID lookups anymore. Fixes: #3359 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Also delete winsz fifoPeter Hunt2019-11-15
| | | | | | | | | | | | In conmon 2.0.3, we add another fifo to handle window resizing. This needs to be cleaned up for commands like restore, where the same path is used. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | codespell: spelling correctionsDmitry Smirnov2019-11-13
|/ | | | Signed-off-by: Dmitry Smirnov <onlyjob@member.fsf.org>
* Merge pull request #4451 from giuseppe/set-macOpenShift Merge Robot2019-11-07
|\ | | | | podman: add support for specifying MAC
| * podman: add support for specifying MACJakub Filak2019-11-06
| | | | | | | | | | | | | | | | I basically copied and adapted the statements for setting IP. Closes #1136 Signed-off-by: Jakub Filak <jakub.filak@sap.com>
| * vendor: updated ocicni for MAC addressJakub Filak2019-11-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `go get github.com/cri-o/ocicni@deac903fd99b6c52d781c9f42b8db3af7dcfd00a` I had to fix compilation errors in libpod/networking_linux.go --- ocicni.Networks has changed from string to the structure NetAttachment with the member Name (the former string value) and the member Ifname (optional). I don't think we can make use of Ifname here, so I just map the array of structures to array of strings - e.g. dropping Ifname. --- The function GetPodNetworkStatus no longer returns Result but it returns the wrapper structure NetResult which contains the former Result plus NetAttachment (Network name and Interface name). Again, I don't think we can make use of that information here, so I just added `.Result` to fix the build. --- Issue: #1136 Signed-off-by: Jakub Filak <jakub.filak@sap.com>
* | Merge pull request #4470 from vrothberg/fix-4463OpenShift Merge Robot2019-11-07
|\ \ | | | | | | libpod/config: default: use `crun` on Cgroups v2
| * | libpod/config: default: use `crun` on Cgroups v2Valentin Rothberg2019-11-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | When running on a node with Cgroups v2, default to using `crun` instead of `runc`. Note that this only impacts the hard-coded default config. No user config will be over-written. Fixes: #4463 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #4447 from rhatdan/runasuserOpenShift Merge Robot2019-11-07
|\ \ \ | | | | | | | | Add support for RunAsUser and RunAsGroup
| * | | Add support for RunAsUser and RunAsGroupDaniel J Walsh2019-11-06
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | Currently podman generate kube does not generate the correct RunAsUser and RunAsGroup options in the yaml file. This patch fixes this. This patch also make `podman play kube` use the RunAdUser and RunAsGroup options if they are specified in the yaml file. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #4441 from rhatdan/detachOpenShift Merge Robot2019-11-07
|\ \ \ | |_|/ |/| | Allow users to disable detach keys
| * | Allow users to disable detach keysDaniel J Walsh2019-11-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If user specifies --detach-keys="", this will disable the feature. Adding define.DefaultDetachKeys to help screen to help identify detach keys. Updated man pages with additonal information. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #4461 from giuseppe/fix-hangOpenShift Merge Robot2019-11-06
|\ \ \ | |_|/ |/| | events: make sure the write channel is always closed
| * | events: make sure the write channel is always closedGiuseppe Scrivano2019-11-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | in case of errors, the channel is not closed, blocking the reader indefinitely. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1767663 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #4370 from rhatdan/seccompOpenShift Merge Robot2019-11-05
|\ \ \ | |_|/ |/| | Set SELinux labels based on the security context in the kube.yaml
| * | Set SELinux labels based on the security context in the kube.yamlDaniel J Walsh2019-11-05
| | | | | | | | | | | | | | | | | | | | | If the kube.yaml specifieds the SELinux type or Level, we need the container to be launched with the correct label. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | pulling unqualified reference: make sure it's a docker referenceValentin Rothberg2019-11-05
|/ / | | | | | | | | | | | | | | | | When pulling an unqualified reference (e.g., `fedora`) make sure that the reference is not using a non-docker transport to avoid iterating over the search registries and trying to pull from them. Fixes: #4434 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #4438 from giuseppe/fix-slirp4netns-timeoutOpenShift Merge Robot2019-11-05
|\ \ | | | | | | slirp4netns: fix timeout
| * | slirp4netns: fix timeoutGiuseppe Scrivano2019-11-04
| |/ | | | | | | | | | | | | | | | | the pidWaitTimeout is already a Duration so do not multiply it again by time.Millisecond. Closes: https://github.com/containers/libpod/issues/4344 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | stats: fix calculation for the CPU timeGiuseppe Scrivano2019-11-02
| | | | | | | | | | | | Closes: https://github.com/containers/libpod/issues/4409 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* | Vendor in latest containers/buildahUrvashi Mohnani2019-11-01
| | | | | | | | | | | | | | | | Pull in changes to pkg/secrets/secrets.go that adds the logic to disable fips mode if a pod/container has a label set. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* | Merge pull request #4400 from haircommander/exec-hangOpenShift Merge Robot2019-11-01
|\ \ | | | | | | Switch to bufio Reader for exec streams
| * | Switch to bufio Reader for exec streamsPeter Hunt2019-10-31
| | | | | | | | | | | | | | | | | | | | | | | | There were many situations that made exec act funky with input. pipes didn't work as expected, as well as sending input before the shell opened. Thinking about it, it seemed as though the issues were because of how os.Stdin buffers (it doesn't). Dropping this input had some weird consequences. Instead, read from os.Stdin as bufio.Reader, allowing the input to buffer before passing it to the container. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | logs: support --tail 0Giuseppe Scrivano2019-10-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | change the default to -1, so that we can change the semantic of "--tail 0" to not print any existing log line. Closes: https://github.com/containers/libpod/issues/4396 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #4352 from vrothberg/config-packageOpenShift Merge Robot2019-10-31
|\ \ \ | |_|/ |/| | refactor libpod config into libpod/config
| * | add libpod/configValentin Rothberg2019-10-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Refactor the `RuntimeConfig` along with related code from libpod into libpod/config. Note that this is a first step of consolidating code into more coherent packages to make the code more maintainable and less prone to regressions on the long runs. Some libpod definitions were moved to `libpod/define` to resolve circular dependencies. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #4380 from giuseppe/rootless-create-cgroup-for-conmonOpenShift Merge Robot2019-10-30
|\ \ \ | | | | | | | | libpod, rootless: create cgroup for conmon
| * | | libpod, rootless: create cgroup for conmonGiuseppe Scrivano2019-10-30
| |/ / | | | | | | | | | | | | | | | | | | | | | always create a new cgroup for conmon also when running as rootless. We were previously creating one only when necessary, but that behaves differently than root containers. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #4305 from mheon/fix_volume_mountOpenShift Merge Robot2019-10-30
|\ \ \ | |_|/ |/| | Wait for `mount` command to finish when mounting volume
| * | Wait for `mount` command to finish when mounting volumeMatthew Heon2019-10-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | command.Start() just starts the command. That catches some errors, but the nasty ones - bad options and similar - happen when the command runs. Use CombinedOutput() instead - it waits for the command to exit, and thus catches non-0 exit of the `mount` command (invalid options, for example). STDERR from the `mount` command is directly used, which isn't necessarily the best, but we can't really get much more info on what went wrong. Fixes #4303 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #4372 from rhatdan/execOpenShift Merge Robot2019-10-30
|\ \ \ | |_|/ |/| | Processes execed into container should match container label
| * | Processes execed into container should match container labelDaniel J Walsh2019-10-29
| | | | | | | | | | | | | | | | | | Processes execed into a container were not being run with the correct label. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Set default seccomp.json file for podman play kubeDaniel J Walsh2019-10-29
| | | | | | | | | | | | | | | | | | | | | Currently podman play kube is not using the system default seccomp.json file. This PR will use the default or override location for podman play. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | images: distinguish between tags and digestsNalin Dahyabhai2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | Generate an image's RepoDigests list using all applicable digests, and refrain from outputting a digest in the tag column of the "images" output. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | | API: report multiple digests for imagesNalin Dahyabhai2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | Be prepared to report multiple image digests for images which contain multiple manifests but, because they continue to have the same set of layers and the same configuration, are considered to be the same image. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | | pull/create: add --override-arch/--override-os flagsNalin Dahyabhai2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | Add --override-arch and --override-os as hidden flags, in line with the global flag names that skopeo uses, so that we can test behavior around manifest lists without having to conditionalize more of it by arch. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | | image: don't get confused by listsNalin Dahyabhai2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | When an image can be opened as an ImageSource but not an Image, handle the case where it's an image list all by itself, the case where it's an image for a different architecture/OS combination, or the case where it's both. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | | bump containers/image to v5.0.0, buildah to v1.11.4Nalin Dahyabhai2019-10-29
|/ / | | | | | | | | | | | | | | | | Move to containers/image v5 and containers/buildah to v1.11.4. Replace an equality check with a type assertion when checking for a docker.ErrUnauthorizedForCredentials in `podman login`. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | Merge pull request #3792 from haircommander/minimum-conmonOpenShift Merge Robot2019-10-29
|\ \ | | | | | | require conmon v2.0.1
| * | require conmon v2.0.1Peter Hunt2019-10-28
| | | | | | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * | require conmon v2.0.0Peter Hunt2019-10-28
| | | | | | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | Merge pull request #4350 from giuseppe/slirp4netnslogOpenShift Merge Robot2019-10-29
|\ \ \ | | | | | | | | libpod: if slirp4netns fails, return its stderr
| * | | libpod: if slirp4netns fails, return its outputGiuseppe Scrivano2019-10-29
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | read the slirp4netns stderr and propagate it in the error when the process fails. Replace: https://github.com/containers/libpod/pull/4338 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #4355 from mheon/ensure_stateOpenShift Merge Robot2019-10-28
|\ \ \ | | | | | | | | Add ensureState helper for checking container state
| * | | Add ensureState helper for checking container stateMatthew Heon2019-10-28
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We have a lot of checks for container state scattered throughout libpod. Many of these need to ensure the container is in one of a given set of states so an operation may safely proceed. Previously there was no set way of doing this, so we'd use unique boolean logic for each one. Introduce a helper to standardize state checks. Note that this is only intended to replace checks for multiple states. A simple check for one state (ContainerStateRunning, for example) should remain a straight equality, and not use this new helper. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #4331 from mheon/sane_rename_errorOpenShift Merge Robot2019-10-28
|\ \ \ | |/ / |/| | Return a better error for volume name conflicts
| * | Return a better error for volume name conflictsMatthew Heon2019-10-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When you try and create a new volume with the name of a volume that already exists, you presently get a thoroughly unhelpful error from `mkdir` as the volume attempts to create the directory it will be mounted at. An EEXIST out of mkdir is not particularly helpful to Podman users - it doesn't explain that the name is already taken by another volume. The solution here is potentially racy as the runtime is not locked, so someone else could take the name while we're still getting things set up, but that's a narrow timing window, and we will still return an error - just an error that's not as good as this one. Signed-off-by: Matthew Heon <matthew.heon@pm.me>