summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Add mutex invariant to SHM semaphores.Matthew Heon2019-01-04
| | | | | | | | | | | | Check value of semaphores when incrementing to ensure we never go beyond 1, preserving mutex invariants. Also, add cleanup code to the lock tests, ensuring that we never leave the locks in a bad state after a test. We aren't destroying and recreating the SHM every time, so we have to be careful not to leak state between test runs. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Initial skeleton of in-memory locksMatthew Heon2019-01-04
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* add container-init supportValentin Rothberg2019-01-04
| | | | | | | | | | | | | | | | | | | Add support for executing an init binary as PID 1 in a container to forward signals and reap processes. When the `--init` flag is set for podman-create or podman-run, the init binary is bind-mounted to `/dev/init` in the container and "/dev/init --" is prepended to the container's command. The default base path of the container-init binary is `/usr/libexec/podman` while the default binary is catatonit [1]. This default can be changed permanently via the `init_path` field in the `libpod.conf` configuration file (which is recommended for packaging) or temporarily via the `--init-path` flag of podman-create and podman-run. [1] https://github.com/openSUSE/catatonit Fixes: #1670 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #2068 from mheon/log_container_commandOpenShift Merge Robot2019-01-02
|\ | | | | Log container command before starting the container
| * Log container command before starting the containerMatthew Heon2019-01-02
| | | | | | | | | | | | | | Runc does not produce helpful error messages when the container's command is not found, so print the command ourselves. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Use sprintf to generate port numbers while committingMatthew Heon2019-01-02
|/ | | | | | | | | Casting integers to strings is definitely not correct, so let the standard library handle matters. Fixes #2066 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* podman build is not using the default oci-runtimeDaniel J Walsh2018-12-28
| | | | | | | | | | Currently if the user installs runc in an alternative path podman run uses it but podman build does not. This patch will pass the default oci runtime to be used by podman down to the image builder. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fixes to handle /dev/shm correctly.Daniel J Walsh2018-12-24
| | | | | | | | | | | | | | | | | | We had two problems with /dev/shm, first, you mount the container read/only then /dev/shm was mounted read/only. This is a bug a tmpfs directory should be read/write within a read-only container. The second problem is we were ignoring users mounted /dev/shm from the host. If user specified podman run -d -v /dev/shm:/dev/shm ... We were dropping this mount and still using the internal mount. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Switch all referencs to image.ContainerConfig to image.ConfigDaniel J Walsh2018-12-21
| | | | | | This will more closely match what Docker is doing. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* libpod: always store the conmon pid fileGiuseppe Scrivano2018-12-21
| | | | | | | we need this information to later be able to join the conmon process. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1967 from baude/kubereplayOpenShift Merge Robot2018-12-20
|\ | | | | Add Play
| * Add Playbaude2018-12-19
| | | | | | | | | | | | | | podman play kube adds the ability for the user to recreate pods and containers from a Kubernetes YAML file in libpod. Signed-off-by: baude <bbaude@redhat.com>
* | Support podman image trust commandQi Wang2018-12-19
|/ | | | | | Display the trust policy of the host system. The trust policy is stored in the /etc/containers/policy.json file and defines a scope of registries or repositories. Signed-off-by: Qi Wang <qiwan@redhat.com>
* Merge pull request #1988 from mheon/use_dependency_resolvOpenShift Merge Robot2018-12-13
|\ | | | | Containers sharing a netns should share resolv/hosts
| * Containers sharing a netns should share resolv/hostsMatthew Heon2018-12-11
| | | | | | | | | | | | | | | | | | | | | | | | | | When sharing a network namespace, containers should also share resolv.conf and /etc/hosts in case a container process made changes to either (for example, if I set up a VPN client in container A and join container B to its network namespace, I expect container B to use the DNS servers from A to ensure it can see everything on the VPN). Resolves: #1546 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #1990 from kunalkushwaha/bugfix-NamedVolumeCheckOpenShift Merge Robot2018-12-13
|\ \ | | | | | | condition fixed for adding volume to boltdb.
| * | condition fixed for adding volume to boltdb.Kunal Kushwaha2018-12-13
| |/ | | | | | | Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
* | Merge pull request #1962 from rhatdan/criuOpenShift Merge Robot2018-12-12
|\ \ | |/ |/| Set Socket label for contianer
| * Set Socket label for contianerDaniel J Walsh2018-12-12
| | | | | | | | | | | | | | This will allow container processes to write to the CRIU socket that gets injected into the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #1978 from mheon/only_one_execuserOpenShift Merge Robot2018-12-11
|\ \ | | | | | | Prevent a second lookup of user for image volumes
| * | Prevent a second lookup of user for image volumesMatthew Heon2018-12-11
| |/ | | | | | | | | | | | | | | | | | | Instead of forcing another user lookup when mounting image volumes, just use the information we looked up when we started generating the spec. This may resolve #1817 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #1966 from mheon/ensure_storage_opts_initOpenShift Merge Robot2018-12-11
|\ \ | | | | | | Ensure storage options are properly initialized
| * | Ensure storage options are properly initializedMatthew Heon2018-12-10
| |/ | | | | | | | | | | | | | | | | If one of storage GraphRoot or RunRoot are specified, but the other is not, c/storage will not use the default, and will throw an error instead. Ensure that in cases where this would happen, we populate the fields with the c/storage defaults ourselves. Signed-off-by: Matthew Heon <mheon@redhat.com>
* / Add capabilities to generate kubebaude2018-12-10
|/ | | | | | | Using the default capabilities, we can determine which caps were added and dropped. Now added them to the security context structure. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1955 from mheon/fix_hooks_not_existOpenShift Merge Robot2018-12-07
|\ | | | | Fix errors where OCI hooks directory does not exist
| * Fix errors where OCI hooks directory does not existMatthew Heon2018-12-07
| | | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #1953 from baude/podstoptimeoutOpenShift Merge Robot2018-12-07
|\ \ | | | | | | add timeout to pod stop
| * | add timeout to pod stopbaude2018-12-07
| | | | | | | | | | | | | | | | | | | | | | | | like podman stop of containers, we should allow the user to specify a timeout override when stopping pods; otherwise they have to wait the full timeout time specified during the pod/container creation. Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #1928 from baude/podtokubeOpenShift Merge Robot2018-12-07
|\ \ \ | |/ / |/| | generate kube
| * | generate kubebaude2018-12-04
| | | | | | | | | | | | | | | | | | | | | add the ability to generate kubernetes pod and service yaml representations of libpod containers and pods. Signed-off-by: baude <bbaude@redhat.com>
* | | Fix reporting the registries.conf path on errorMiloslav Trmač2018-12-06
| | | | | | | | | | | | | | | | | | | | | i.e. actually reflect the environment variable and/or rootless mode instead of always using the default path. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | Remove manual handling of insecure registries in doPullImageMiloslav Trmač2018-12-06
| | | | | | | | | | | | | | | | | | Instead, just set SystemRegistriesConfPath and let the transport do it. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | Remove the forceSecure parameter on the pull call stackMiloslav Trmač2018-12-06
| | | | | | | | | | | | | | | | | | | | | DockerRegistryOptions.DockerInsecureSkipTLSVerify as an types.OptionalBool can now represent that value, so forceSecure is redundant. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | Remove manual handling of insecure registries in PushImageToReferenceMiloslav Trmač2018-12-06
| | | | | | | | | | | | | | | | | | Instead, just set SystemRegistriesConfPath and let the transport do it. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | Remove the forceSecure parameter of Image.PushImageTo*Miloslav Trmač2018-12-06
| | | | | | | | | | | | | | | | | | | | | DockerRegistryOptions.DockerInsecureSkipTLSVerify as an types.OptionalBool can now represent that value, so forceSecure is redundant. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | Minimally update for the DockerInsecureSkipTLSVerify type changeMiloslav Trmač2018-12-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Following SystemContext.DockerInsecureSkipTLSVerify, make the DockerRegistryOne also an OptionalBool, and update callers. Explicitly document that --tls-verify=true and --tls-verify unset have different behavior in those commands where the behavior changed (or where it hasn't changed but the documentation needed updating). Also make the --tls-verify man page sections a tiny bit more consistent throughout. This is a minimal fix, without changing the existing "--tls-verify=true" paths nor existing manual insecure registry lookups. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | Fix build on non-LinuxMiloslav Trmač2018-12-06
| | | | | | | | | | | | | | | | | | Unrelated to the rest of the PR. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | Remove some unused data structures and codeMiloslav Trmač2018-12-06
| |/ |/| | | | | | | | | ... instead of unnecessarily adapting it for the DockerInsecureSkipTLSVerify type change. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | bind mount /etc/resolv.conf|hosts in podsbaude2018-12-06
| | | | | | | | | | | | | | containers inside pods need to make sure they get /etc/resolv.conf and /etc/hosts bind mounted when network is expected Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #1904 from umohnani8/volumeOpenShift Merge Robot2018-12-06
|\ \ | | | | | | Add "podman volume" command
| * | Tests for podman volume commandsUrvashi Mohnani2018-12-06
| | | | | | | | | | | | Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
| * | Add "podman volume" commandumohnani82018-12-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add support for podman volume and its subcommands. The commands supported are: podman volume create podman volume inspect podman volume ls podman volume rm podman volume prune This is a tool to manage volumes used by podman. For now it only handle named volumes, but eventually it will handle all volumes used by podman. Signed-off-by: umohnani8 <umohnani@redhat.com>
* | | Merge pull request #1912 from baude/pruneOpenShift Merge Robot2018-12-06
|\ \ \ | | | | | | | | Add ability to prune containers and images
| * | | Add ability to prune containers and imagesbaude2018-12-05
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow user to prune unused/unnamed images, the layer images from building, via podman rmi --prune. Allow user to prune stopped/exiuted containers via podman rm --prune. This should resolve #1910 Signed-off-by: baude <bbaude@redhat.com>
* | | Add locking to Sync() on containersMatthew Heon2018-12-06
| | | | | | | | | | | | | | | | | | | | | | | | Previously not needed as it only worked inside of Batch(), but now that it can be called anywhere we need to add mutual exclusion on its config changes. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Add --sync option to podman rmMatthew Heon2018-12-06
|/ / | | | | | | | | | | | | | | | | | | | | With the changes made recently to ensure Podman does not hit the OCI runtime as often to sync state, we can find ourselves in a situation where the runtime's state does not match ours. Add a --sync flag to podman rm to ensure we can still remove containers when this happens. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #1940 from wking/numeric-gidOpenShift Merge Robot2018-12-05
|\ \ | | | | | | libpod/container_internal_linux: Allow gids that aren't in the group file
| * | libpod/container_internal_linux: Allow gids that aren't in the group fileW. Trevor King2018-12-04
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When an image config sets config.User [1] to a numeric group (like 1000:1000), but those values do not exist in the container's /etc/group, libpod is currently breaking: $ podman run --rm registry.svc.ci.openshift.org/ci-op-zvml7cd6/pipeline:installer --help error creating temporary passwd file for container 228f6e9943d6f18b93c19644e9b619ec4d459a3e0eb31680e064eeedf6473678: unable to get gid 1000 from group file: no matching entries in group file However, the OCI spec requires converters to copy numeric uid and gid to the runtime config verbatim [2]. With this commit, I'm frontloading the "is groupspec an integer?" check and only bothering with lookup.GetGroup when it was not. I've also removed a few .Mounted checks, which are originally from 00d38cb3 (podman create/run need to load information from the image, 2017-12-18, #110). We don't need a mounted container filesystem to translate integers. And when the lookup code needs to fall back to the mounted root to translate names, it can handle erroring out internally (and looking it over, it seems to do that already). [1]: https://github.com/opencontainers/image-spec/blame/v1.0.1/config.md#L118-L123 [2]: https://github.com/opencontainers/image-spec/blame/v1.0.1/conversion.md#L70 Signed-off-by: W. Trevor King <wking@tremily.us>
* | Merge pull request #1918 from mheon/use_db_pathsOpenShift Merge Robot2018-12-05
|\ \ | | | | | | Use paths written in DB instead if they differ from our defaults
| * | Use runtime lockDir in BoltDB stateMatthew Heon2018-12-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Instead of storing the runtime's file lock dir in the BoltDB state, refer to the runtime inside the Bolt state instead, and use the path stored in the runtime. This is necessary since we moved DB initialization very far up in runtime init, before the locks dir is properly initialized (and it must happen before the locks dir can be created, as we use the DB to retrieve the proper path for the locks dir now). Signed-off-by: Matthew Heon <mheon@redhat.com>