path: root/libpod
Commit message (Author, Age)
* Move lock init after tmp dir is populated properly (Matthew Heon, 2019-01-04)
| | | | | | | | | Don't initialize the lock manager until almost the end of libpod init, so we can guarantee our tmp dir is properly set up and exists. This wasn't an issue on systems that had previously run Podman, but CI caught it. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* When refreshing libpod, if SHM locks exist, remove them (Matthew Heon, 2019-01-04)
| | | | | | | | | | | | | | | This will hopefully help cases where libpod is initialized multiple times on the same system (as on our CI tests). We still run into potential issues where multiple Podmans with multiple tmp paths try to run on the same system - we could end up thrashing the locks. I think we need a file locks driver for situations like that. We can also see about storing paths in the SHM segment, to make sure multiple libpod instances aren't using the same one. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Ensure different error messages and creating/opening locks (Matthew Heon, 2019-01-04)
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Update unit tests to use in-memory lock manager (Matthew Heon, 2019-01-04)
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Remove runtime lockDir and add in-memory lock manager (Matthew Heon, 2019-01-04)
| | | | | | | | | Remove runtime's lockDir as it is no longer needed after the lock rework. Add a trivial in-memory lock manager for unit testing Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Convert pods to SHM locks (Matthew Heon, 2019-01-04)
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Convert containers to SHM locking (Matthew Heon, 2019-01-04)
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Add lock manager to libpod runtime (Matthew Heon, 2019-01-04)
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Move to POSIX mutexes for SHM locks (Matthew Heon, 2019-01-04)
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Disable lint on SHMLock struct (Matthew Heon, 2019-01-04)
| | | | | | | | Golint wants to rename the struct. I think the name is fine. I can disable golint. Golint will no longer complain about the name. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Refactor locks package to build on non-Linux (Matthew Heon, 2019-01-04)
| | | | | | | | Move SHM specific code into a subpackage. Within the main locks package, move the manager to be linux-only and add a non-Linux unsupported build file. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Add an SHM-backed Lock Manager implementation (Matthew Heon, 2019-01-04)
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Add interface for libpod multiprocess locks (Matthew Heon, 2019-01-04)
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Improve documentation and unit tests for SHM locks (Matthew Heon, 2019-01-04)
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Propagate error codes from SHM lock creation and open (Matthew Heon, 2019-01-04)
| | | | | | Also add a few more unit tests Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Add mutex invariant to SHM semaphores. (Matthew Heon, 2019-01-04)
| | | | | | | | | | | | Check value of semaphores when incrementing to ensure we never go beyond 1, preserving mutex invariants. Also, add cleanup code to the lock tests, ensuring that we never leave the locks in a bad state after a test. We aren't destroying and recreating the SHM every time, so we have to be careful not to leak state between test runs. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Initial skeleton of in-memory locks (Matthew Heon, 2019-01-04)
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* add container-init support (Valentin Rothberg, 2019-01-04)
| | | | | | | | | | | | | | | | | | | Add support for executing an init binary as PID 1 in a container to forward signals and reap processes. When the `--init` flag is set for podman-create or podman-run, the init binary is bind-mounted to `/dev/init` in the container and "/dev/init --" is prepended to the container's command. The default base path of the container-init binary is `/usr/libexec/podman` while the default binary is catatonit [1]. This default can be changed permanently via the `init_path` field in the `libpod.conf` configuration file (which is recommended for packaging) or temporarily via the `--init-path` flag of podman-create and podman-run. [1] https://github.com/openSUSE/catatonit Fixes: #1670 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #2068 from mheon/log_container_command (OpenShift Merge Robot, 2019-01-02)
|\ | | | | Log container command before starting the container
| * Log container command before starting the container (Matthew Heon, 2019-01-02)
| | | | | | | | | | | | | | Runc does not produce helpful error messages when the container's command is not found, so print the command ourselves. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Use sprintf to generate port numbers while committing (Matthew Heon, 2019-01-02)
|/ | | | | | | | | Casting integers to strings is definitely not correct, so let the standard library handle matters. Fixes #2066 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* podman build is not using the default oci-runtime (Daniel J Walsh, 2018-12-28)
| | | | | | | | | | Currently if the user installs runc in an alternative path podman run uses it but podman build does not. This patch will pass the default oci runtime to be used by podman down to the image builder. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fixes to handle /dev/shm correctly. (Daniel J Walsh, 2018-12-24)
| | | | | | | | | | | | | | | | | | We had two problems with /dev/shm. First, if you mount the container read/only then /dev/shm was mounted read/only. This is a bug; a tmpfs directory should be read/write within a read-only container. The second problem is we were ignoring user-mounted /dev/shm from the host. If the user specified podman run -d -v /dev/shm:/dev/shm ... we were dropping this mount and still using the internal mount. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Switch all references to image.ContainerConfig to image.Config (Daniel J Walsh, 2018-12-21)
| | | | | | This will more closely match what Docker is doing. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* libpod: always store the conmon pid file (Giuseppe Scrivano, 2018-12-21)
| | | | | | | we need this information to later be able to join the conmon process. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1967 from baude/kubereplay (OpenShift Merge Robot, 2018-12-20)
|\ | | | | Add Play
| * Add Play (baude, 2018-12-19)
| | | | | | | | | | | | | | podman play kube adds the ability for the user to recreate pods and containers from a Kubernetes YAML file in libpod. Signed-off-by: baude <bbaude@redhat.com>
* | Support podman image trust command (Qi Wang, 2018-12-19)
|/ | | | | | Display the trust policy of the host system. The trust policy is stored in the /etc/containers/policy.json file and defines a scope of registries or repositories. Signed-off-by: Qi Wang <qiwan@redhat.com>
* Merge pull request #1988 from mheon/use_dependency_resolv (OpenShift Merge Robot, 2018-12-13)
|\ | | | | Containers sharing a netns should share resolv/hosts
| * Containers sharing a netns should share resolv/hosts (Matthew Heon, 2018-12-11)
| | | | | | | | | | | | | | | | | | | | | | | | | | When sharing a network namespace, containers should also share resolv.conf and /etc/hosts in case a container process made changes to either (for example, if I set up a VPN client in container A and join container B to its network namespace, I expect container B to use the DNS servers from A to ensure it can see everything on the VPN). Resolves: #1546 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #1990 from kunalkushwaha/bugfix-NamedVolumeCheck (OpenShift Merge Robot, 2018-12-13)
|\ \ | | | | | | condition fixed for adding volume to boltdb.
| * | condition fixed for adding volume to boltdb. (Kunal Kushwaha, 2018-12-13)
| |/ | | | | | | Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
* | Merge pull request #1962 from rhatdan/criu (OpenShift Merge Robot, 2018-12-12)
|\ \ | |/ |/| Set Socket label for container
| * Set Socket label for container (Daniel J Walsh, 2018-12-12)
| | | | | | | | | | | | | | This will allow container processes to write to the CRIU socket that gets injected into the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #1978 from mheon/only_one_execuser (OpenShift Merge Robot, 2018-12-11)
|\ \ | | | | | | Prevent a second lookup of user for image volumes
| * | Prevent a second lookup of user for image volumes (Matthew Heon, 2018-12-11)
| |/ | | | | | | | | | | | | | | | | | | Instead of forcing another user lookup when mounting image volumes, just use the information we looked up when we started generating the spec. This may resolve #1817 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #1966 from mheon/ensure_storage_opts_init (OpenShift Merge Robot, 2018-12-11)
|\ \ | | | | | | Ensure storage options are properly initialized
| * | Ensure storage options are properly initialized (Matthew Heon, 2018-12-10)
| |/ | | | | | | | | | | | | | | | | If one of storage GraphRoot or RunRoot are specified, but the other is not, c/storage will not use the default, and will throw an error instead. Ensure that in cases where this would happen, we populate the fields with the c/storage defaults ourselves. Signed-off-by: Matthew Heon <mheon@redhat.com>
* / Add capabilities to generate kube (baude, 2018-12-10)
|/ | | | | | | Using the default capabilities, we can determine which caps were added and dropped. Now added them to the security context structure. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #1955 from mheon/fix_hooks_not_exist (OpenShift Merge Robot, 2018-12-07)
|\ | | | | Fix errors where OCI hooks directory does not exist
| * Fix errors where OCI hooks directory does not exist (Matthew Heon, 2018-12-07)
| | | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #1953 from baude/podstoptimeout (OpenShift Merge Robot, 2018-12-07)
|\ \ | | | | | | add timeout to pod stop
| * | add timeout to pod stop (baude, 2018-12-07)
| | | | | | | | | | | | | | | | | | | | | | | | like podman stop of containers, we should allow the user to specify a timeout override when stopping pods; otherwise they have to wait the full timeout time specified during the pod/container creation. Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #1928 from baude/podtokube (OpenShift Merge Robot, 2018-12-07)
|\ \ \ | |/ / |/| | generate kube
| * | generate kube (baude, 2018-12-04)
| | | | | | | | | | | | | | | | | | | | | add the ability to generate kubernetes pod and service yaml representations of libpod containers and pods. Signed-off-by: baude <bbaude@redhat.com>
* | | Fix reporting the registries.conf path on error (Miloslav Trmač, 2018-12-06)
| | | | | | | | | | | | | | | | | | | | | i.e. actually reflect the environment variable and/or rootless mode instead of always using the default path. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | Remove manual handling of insecure registries in doPullImage (Miloslav Trmač, 2018-12-06)
| | | | | | | | | | | | | | | | | | Instead, just set SystemRegistriesConfPath and let the transport do it. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | Remove the forceSecure parameter on the pull call stack (Miloslav Trmač, 2018-12-06)
| | | | | | | | | | | | | | | | | | | | | DockerRegistryOptions.DockerInsecureSkipTLSVerify as a types.OptionalBool can now represent that value, so forceSecure is redundant. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | Remove manual handling of insecure registries in PushImageToReference (Miloslav Trmač, 2018-12-06)
| | | | | | | | | | | | | | | | | | Instead, just set SystemRegistriesConfPath and let the transport do it. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | Remove the forceSecure parameter of Image.PushImageTo* (Miloslav Trmač, 2018-12-06)
| | | | | | | | | | | | | | | | | | | | | DockerRegistryOptions.DockerInsecureSkipTLSVerify as a types.OptionalBool can now represent that value, so forceSecure is redundant. Signed-off-by: Miloslav Trmač <mitr@redhat.com>