summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* do not set empty $HOMEValentin Rothberg2021-02-16
| | | | | | | | | | | Make sure to not set an empty $HOME for containers and let it default to "/". https://github.com/containers/crun/pull/599 is required to fully address #9378. Partially-Fixes: #9378 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #9341 from vrothberg/layer-tree-errorsOpenShift Merge Robot2021-02-12
|\ | | | | make layer-tree lookup errors non-fatal
| * make layer-tree lookup errors non-fatalValentin Rothberg2021-02-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Internally, Podman constructs a tree of layers in containers/storage to quickly compute relations among layers and hence images. To compute the tree, we intersect all local layers with all local images. So far, lookup errors have been fatal which has turned out to be a mistake since it seems fairly easy to cause storage corruptions, for instance, when killing builds. In that case, a (partial) image may list a layer which does not exist (anymore). Since the errors were fatal, there was no easy way to clean up and many commands were erroring out. To improve usability, turn the fatal errors into warnings that guide the user into resolving the issue. In this case, a `podman system reset` may be the approriate way for now. [NO TESTS NEEDED] because I have no reliable way to force it. [1] https://github.com/containers/podman/issues/8148#issuecomment-778253474 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Enable whitespace linterPaul Holzinger2021-02-11
| | | | | | | | | | | | | | | | Use the whitespace linter and fix the reported problems. [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Enable golint linterPaul Holzinger2021-02-11
| | | | | | | | | | | | | | | | Use the golint linter and fix the reported problems. [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Enable stylecheck linterPaul Holzinger2021-02-11
|/ | | | | | | | Use the stylecheck linter and fix the reported problems. [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #9308 from mheon/fix_6003OpenShift Merge Robot2021-02-11
|\ | | | | Rewrite copy-up to use buildah Copier
| * Rewrite copy-up to use buildah CopierMatthew Heon2021-02-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The old copy-up implementation was very unhappy with symlinks, which could cause containers to fail to start for unclear reasons when a directory we wanted to copy-up contained one. Rewrite to use the Buildah Copier, which is more recent and should be both safer and less likely to blow up over links. At the same time, fix a deadlock in copy-up for volumes requiring mounting - the Mountpoint() function tried to take the already-acquired volume lock. Fixes #6003 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Display correct value for unlimited ulimitbaude2021-02-10
| | | | | | | | | | | | | | | | | | | | | | When doing a container inspect on a container with unlimited ulimits, the value should be -1. But because the OCI spec requires the ulimit value to be uint64, we were displaying the inspect values as a uint64 as well. Simple change to display as an int64. Fixes: #9303 Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #9283 from vrothberg/fix-8897OpenShift Merge Robot2021-02-09
|\ \ | |/ |/| generate kube: do not set caps with --privileged
| * generate kube: support --privilegedValentin Rothberg2021-02-09
| | | | | | | | | | | | | | | | | | | | | | Do not play with capabilities for privileged containers where all capabilities will be set implicitly. Also, avoid the device check when running privileged since all of /dev/* will be mounted in any case. Fixes: #8897 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #9125 from ashley-cui/secretswiringOpenShift Merge Robot2021-02-09
|\ \ | |/ |/| Implement Secrets
| * Implement SecretsAshley Cui2021-02-09
| | | | | | | | | | | | | | | | | | | | | | Implement podman secret create, inspect, ls, rm Implement podman run/create --secret Secrets are blobs of data that are sensitive. Currently, the only secret driver supported is filedriver, which means creating a secret stores it in base64 unencrypted in a file. After creating a secret, a user can use the --secret flag to expose the secret inside the container at /run/secrets/[secretname] This secret will not be commited to an image on a podman commit Signed-off-by: Ashley Cui <acui@redhat.com>
* | add network prunebaude2021-02-06
|/ | | | | | | | | add the ability to prune unused cni networks. filters are not implemented but included both compat and podman api endpoints. Fixes :#8673 Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #9231 from vrothberg/rootfs-workdirOpenShift Merge Robot2021-02-05
|\ | | | | fix logic when not creating a workdir
| * fix logic when not creating a workdirValentin Rothberg2021-02-05
| | | | | | | | | | | | | | | | | | | | | | When resolving the workdir of a container, we may need to create unless the user set it explicitly on the command line. Otherwise, we just do a presence check. Unfortunately, there was a missing return that lead us to fall through into attempting to create and chown the workdir. That caused a regression when running on a read-only root fs. Fixes: #9230 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #9048 from matejvasek/apiv2_waitOpenShift Merge Robot2021-02-05
|\ \ | | | | | | Fix Docker APIv2 container wait endpoint
| * | Fix per review requestMatej Vasek2021-02-04
| | | | | | | | | | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
| * | Improve container libpod.Wait*() functionsMatej Vasek2021-02-03
| |/ | | | | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
* | Merge pull request #9235 from Luap99/fix-9234OpenShift Merge Robot2021-02-04
|\ \ | | | | | | Fix podman network disconnect wrong NetworkStatus number
| * | Fix podman network disconnect wrong NetworkStatus numberPaul Holzinger2021-02-04
| |/ | | | | | | | | | | | | | | | | | | | | | | | | The allocated `tmpNetworkStatus` must be allocated with the length 0. Otherwise append would add new elements to the end of the slice and not at the beginning of the allocated memory. This caused inspect to fail since the number of networks did not matched the number of network statuses. Fixes #9234 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* / generate kube: handle entrypointValentin Rothberg2021-02-04
|/ | | | | | | | | | The spec of a Kube Container has a `Command` and `Args`. While both are slices, the `Command` is the counterpart of the entrypoint of a libpod container. Kube is also happily accepting the arguments to as following items in the slice but it's cleaner to move those to `Args`. Fixes: #9211 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #9174 from bitstrings/masterOpenShift Merge Robot2021-02-03
|\ | | | | Make slirp MTU configurable (network_cmd_options)
| * Make slirp MTU configurable (network_cmd_options)bitstrings2021-02-02
| | | | | | | | | | | | | | | | The mtu default value is currently forced to 65520. This let the user control it using the config key network_cmd_options, i.e.: network_cmd_options=["mtu=9000"] Signed-off-by: bitstrings <pino.silvaggio@gmail.com>
* | Merge pull request #9204 from baude/macvlanextraOpenShift Merge Robot2021-02-03
|\ \ | | | | | | Honor network options for macvlan networks
| * | Honor network options for macvlan networksbaude2021-02-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | when creating a macvlan network, we should honor gateway, subnet, and mtu as provided by the user. Fixes: #9167 Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #9185 from mheon/pod_no_networkOpenShift Merge Robot2021-02-02
|\ \ \ | |/ / |/| | Allow pods to use --net=none
| * | Allow pods to use --net=noneMatthew Heon2021-02-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We need an extra field in the pod infra container config. We may want to reevaluate that struct at some point, as storing network modes as bools will rapidly become unsustainable, but that's a discussion for another time. Otherwise, straightforward plumbing. Fixes #9165 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | add macvlan as a supported network driverbaude2021-02-01
|/ / | | | | | | | | | | | | | | | | | | | | | | instead of using the --macvlan to indicate that you want to make a macvlan network, podman network create now honors the driver name of *macvlan*. Any options to macvlan, like the parent device, should be specified as a -o option. For example, -o parent=eth0. the --macvlan option was marked as deprecated in the man page but is still supported for the duration of 3.0. Signed-off-by: baude <bbaude@redhat.com>
* / podman generate kube ignores --network=hostMilivoje Legenovic2021-01-30
|/ | | | Signed-off-by: Milivoje Legenovic <m.legenovic@gmail.com>
* Honor custom DNS in play|generate kubebaude2021-01-29
| | | | | | | | | | | | | | | | | | when creating kubernetes yaml from containers and pods, we should honor any custom dns settings the user provided. in the case of generate kube, these would be provided by --dns, --dns-search, and --dns-opt. if multiple containers are involved in the generate, the options will be cumulative and unique with the exception of dns-opt. when replaying a kube file that has kubernetes dns information, we now also add that information to the pod creation. the options for dnspolicy is not enabled as there seemed to be no direct correlation between kubernetes and podman. Fixes: #9132 Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #8585 from Luap99/rootless-net-aliasOpenShift Merge Robot2021-01-28
|\ | | | | Add support for rootless network-aliases and static ip/mac
| * Add support for rootless network-aliasesPaul Holzinger2021-01-27
| | | | | | | | | | | | | | | | | | | | Make sure we pass the network aliases as capability args to the cnitool in the rootless-cni-infra container. Also update the dnsname plugin in the cni-infra container. Fixes #8567 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
| * Allow static ip and mac with rootless cni networkPaul Holzinger2021-01-27
| | | | | | | | | | | | | | | | Make sure we pass the ip and mac address as CNI_ARGS to the cnitool which is executed in the rootless-cni-infra container. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #9105 from vrothberg/fix-8281OpenShift Merge Robot2021-01-27
|\ \ | |/ |/| remote exec: write conmon error on hijacked connection
| * remote exec: write conmon error on hijacked connectionValentin Rothberg2021-01-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Make sure to write error from conmon on the hijacked http connection. This fixes issues where errors were not reported on the client side, for instance, when specified command was not found on the container. To future generations: I am sorry. The code is complex, and there are many interdependencies among the concurrent goroutines. I added more complexity on top but I don't have a good idea of how to reduce complexity in the available time. Fixes: #8281 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Add default net info in container inspectbaude2021-01-26
|/ | | | | | | | | | | | | | when inspecting a container that is only connected to the default network, we should populate the default network in the container inspect information. Fixes: #6618 Signed-off-by: baude <bbaude@redhat.com> MH: Small fixes, added another test Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #9054 from vrothberg/fix-9040OpenShift Merge Robot2021-01-26
|\ | | | | make sure the workdir exists on container mount
| * workdir presence checksValentin Rothberg2021-01-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A container's workdir can be specified via the CLI via `--workdir` and via an image config with the CLI having precedence. Since images have a tendency to specify workdirs without necessarily shipping the paths with the root FS, make sure that Podman creates the workdir. When specified via the CLI, do not create the path, but check for its existence and return a human-friendly error. NOTE: `crun` is performing a similar check that would yield exit code 127. With this change, however, Podman performs the check and yields exit code 126. Since this is specific to `crun`, I do not consider it to be a breaking change of Podman. Fixes: #9040 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * libpod: add (*Container).ResolvePath()Valentin Rothberg2021-01-26
| | | | | | | | | | | | | | | | | | Add an API to libpod to resolve a path on the container. We can refactor the code that was originally written for copy. Other functions are requiring a proper path resolution, so libpod seems like a reasonable home for sharing that code. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #9070 from rhatdan/searchOpenShift Merge Robot2021-01-26
|\ \ | |/ |/| Fixup search
| * Fixup searchDaniel J Walsh2021-01-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman-remote search had some FIXMEs in tests that were failing. So I reworked the search handler to use the local abi. This means the podman search and podman-remote search will use the same functions. While doing this, I noticed we were just outputing errors via logrus.Error rather then returning them, which works ok for podman but the messages get lost on podman-remote. Changed the code to actually return the error messages to the caller. This allows us to turn on the remaining podman-remote FIXME tests. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Ensure shutdown handler access is syncronizedMatthew Heon2021-01-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | There was a potential race where two handlers could be added at the same time. Go Maps are not thread-safe, so that could do unpleasant things. Add a mutex to keep things safe. Also, swap the order or Register and Start for the handlers in Libpod runtime created. As written, there was a small gap between Start and Register where SIGTERM/SIGINT would be completely ignored, instead of stopping Podman. Swapping the two closes this gap. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #9057 from baude/dnsnameinternalOpenShift Merge Robot2021-01-25
|\ \ | | | | | | disable dnsname when --internal
| * | disable dnsname when --internalbaude2021-01-25
| |/ | | | | | | | | | | | | | | when doing a network creation, the dnsname plugin should be disabled when the --internal bool is set. a warning is displayed if this happens and docs are updated. Signed-off-by: baude <bbaude@redhat.com>
* / networking: lookup child IP in networksGiuseppe Scrivano2021-01-23
|/ | | | | | | | | | | | if a CNI network is added to the container, use the IP address in that network instead of hard-coding the slirp4netns default. commit 5e65f0ba30f3fca73f8c207825632afef08378c1 introduced this regression. Closes: https://github.com/containers/podman/issues/9065 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* podman manifest existsPaul Holzinger2021-01-22
| | | | | | Add podman manifest exists command with remote support. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* libpod: move slirp magic IPs to constsGiuseppe Scrivano2021-01-22
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootlessport: set source IP to slirp4netns deviceGiuseppe Scrivano2021-01-22
| | | | | | | | | set the source IP to the slirp4netns address instead of 127.0.0.1 when using rootlesskit. Closes: https://github.com/containers/podman/issues/5138 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Move the cni lock file into the cni config dirPaul Holzinger2021-01-21
| | | | | | | | | | | | | | Commit(fe3faa517e1b) introduced a lock file for network create/rm calls. There is a problem with the location of the lock file. The lock file was stored in the tmpdir. Running multiple podman network create/remove commands in parallel with different tmpdirs made the lockfile inaccessible to the other process, and so parallel read/write operations to the cni config directory continued to occur. This scenario happened frequently during the e2e tests and caused some flakes. Fixes #9041 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>