path: root/libpod
Commit message [Author, Age]
* container stop: release lock before calling the runtime [Valentin Rothberg, 2021-01-14]
  Podman defers stopping the container to the runtime, which can take some time. Keeping the lock while waiting for the runtime to complete the stop procedure prevents other commands from acquiring the lock as shown in #8501. To improve the user experience, release the lock before invoking the runtime, and re-acquire the lock when the runtime is finished. Also introduce an intermediate "stopping" to properly distinguish from "stopped" containers etc.
  Fixes: #8501
  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* oci: keep LC_ env variables to conmon [Giuseppe Scrivano, 2021-01-11]
  It is necessary for conmon to deal with the correct locale, otherwise it uses C as a fallback.
  Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1893567
  Requires: https://github.com/containers/conmon/pull/215
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #8781 from rst0git/cr-volumes [OpenShift Merge Robot, 2021-01-08]
  Add support for checkpoint/restore of containers with volumes
  * Include named volumes in container migration [Radostin Stoyanov, 2021-01-07]
    When migrating a container with associated volumes, the content of these volumes should be made available on the destination machine. This patch enables container checkpoint/restore with named volumes by including the content of volumes in the checkpoint file. On restore, volumes associated with the container are created and their content is restored. The --ignore-volumes option is introduced to disable this feature.
    Example:
      # podman container checkpoint --export checkpoint.tar.gz <container>
    The content of all volumes associated with the container is included in `checkpoint.tar.gz`.
      # podman container checkpoint --export checkpoint.tar.gz --ignore-volumes <container>
    The content of volumes is not included in `checkpoint.tar.gz`. This is useful, for example, when the checkpoint/restore is performed on the same machine.
      # podman container restore --import checkpoint.tar.gz
    The associated volumes will be created and their content will be restored. Podman will exit with an error if volumes with the same name already exist on the system or the content of volumes is not included in checkpoint.tar.gz.
      # podman container restore --ignore-volumes --import checkpoint.tar.gz
    Volumes associated with the container must already exist. Podman will not create them or restore their content.
    Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
  * Use Options as exportCheckpoint() argument [Radostin Stoyanov, 2021-01-07]
    Instead of individual values from ContainerCheckpointOptions, provide the options object. This is a preparation for the next patch where one more value of the options object is required in exportCheckpoint().
    Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
* Merge pull request #8771 from rhatdan/run [OpenShift Merge Robot, 2021-01-07]
  Switch references of /var/run -> /run
  * Switch references of /var/run -> /run [Daniel J Walsh, 2021-01-07]
    Systemd is now complaining or mentioning /var/run as a legacy directory. It has been many years where /var/run is a symlink to /run on almost all distributions; make the change to the default.
    Partial fix for https://github.com/containers/podman/issues/8369
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8821 from rhatdan/caps [OpenShift Merge Robot, 2021-01-07]
  Containers should not get inheritable caps by default
  * Handle podman exec capabilities correctly [Daniel J Walsh, 2021-01-07]
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8816 from giuseppe/automatically-split-userns-mappings [OpenShift Merge Robot, 2021-01-07]
  rootless: automatically split userns ranges
  * rootless: automatically split userns ranges [Giuseppe Scrivano, 2021-01-07]
    Writing to the id map fails when an extent overlaps multiple mappings in the parent user namespace:
      $ cat /proc/self/uid_map
      0 1000 1
      1 100000 65536
      $ unshare -U sleep 100 &
      [1] 1029703
      $ printf "0 0 100\n" | tee /proc/$!/uid_map
      0 0 100
      tee: /proc/1029703/uid_map: Operation not permitted
    This limitation is particularly annoying when working with rootless containers as each container runs in the rootless user namespace, so a command like:
      $ podman run --uidmap 0:0:2 --rm fedora echo hi
      Error: writing file `/proc/664087/gid_map`: Operation not permitted: OCI permission denied
    would fail since the specified mapping overlaps the first mapping (where the user id is mapped to root) and the second extent with the additional IDs available.
    Detect such cases and automatically split the specified mapping with the equivalent of:
      $ podman run --uidmap 0:0:1 --uidmap 1:1:1 --rm fedora echo hi
      hi
    A fix has already been proposed for the kernel[1], but even if it is accepted it will take time until it is available in a released kernel, so fix it also in pkg/rootless.
    [1] https://lkml.kernel.org/lkml/20201203150252.1229077-1-gscrivan@redhat.com/
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Fix podman logs read partial log lines [Paul Holzinger, 2021-01-07]
  If a partial log line has the length 1 it was ignored by podman logs.
  Fixes #8879
  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #8805 from giuseppe/single-user-mapped-root [OpenShift Merge Robot, 2021-01-06]
  libpod: handle single user mapped as root
  * libpod: handle single user mapped as root [Giuseppe Scrivano, 2020-12-24]
    If a single user is mapped in the user namespace, handle it as root. It is needed for running unprivileged containers with a single user available without being forced to run with euid and egid set to 0.
    Needs: https://github.com/containers/storage/pull/794
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #8892 from mheon/fix_8886 [OpenShift Merge Robot, 2021-01-06]
  Ensure that user-specified HOSTNAME is honored
  * Ensure that user-specified HOSTNAME is honored [Matthew Heon, 2021-01-06]
    When adding the HOSTNAME environment variable, only do so if it is not already present in the spec. If it is already present, it was likely added by the user, and we should honor their requested value.
    Fixes #8886
    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #8685 from mheon/ignore_containersconf_sysctls_shared_net [OpenShift Merge Robot, 2021-01-05]
  Ignore containers.conf sysctls when sharing namespaces
  * Add default sysctls for pod infra containers [Matthew Heon, 2021-01-04]
    Ensure that infra containers for pods will grab default sysctls from containers.conf, to match how other containers are created. This mostly affects the other containers in the pod, which will inherit those sysctls when they join the pod's namespaces.
    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #8831 from bblenard/issue-8658-system-prune-reclaimed-space [OpenShift Merge Robot, 2021-01-05]
  Rework pruning to report reclaimed space
  * Rework pruning to report reclaimed space [Baron Lenardson, 2020-12-30]
    This change adds code to report the reclaimed space after a prune. Reclaimed space from volumes, images, and containers is recorded during the prune call in a PruneReport struct. These structs are collected into a slice during a system prune and processed afterwards to calculate the total reclaimed space.
    Closes #8658
    Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
* Merge pull request #8873 from baude/issue8864 [OpenShift Merge Robot, 2021-01-05]
  close journald when reading
  * close journald when reading [baude, 2021-01-04]
    When reading from journald, we need to close the journal handler for events and logging.
    Fixes: #8864
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #8878 from mheon/no_edit_config [OpenShift Merge Robot, 2021-01-04]
  Ensure we do not edit container config in Exec
  * Ensure we do not edit container config in Exec [Matthew Heon, 2021-01-04]
    The existing code grabs the base container's process, and then modifies it for use with the exec session. This could cause errors in `podman inspect` or similar on the container, as the definition of its OCI spec has been changed by the exec session. The change never propagates to the DB, so it's limited to a single process, but we should still avoid it when possible, so deep-copy it before use.
    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #8875 from rhatdan/image [OpenShift Merge Robot, 2021-01-04]
  Allow image errors to bubble up from lower level functions.
  * Allow image errors to bubble up from lower level functions. [Daniel J Walsh, 2021-01-04]
    Currently we ignore ErrMultipleImages being returned from findImageInRepoTags.
    Fixes: https://github.com/containers/podman/issues/8868
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* systemd: make rundir always accessible [Giuseppe Scrivano, 2021-01-04]
  So that the PIDFile can be accessed also without being in the rootless user namespace.
  Closes: https://github.com/containers/podman/issues/8506
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #8823 from giuseppe/exec-honor-privileged [OpenShift Merge Robot, 2021-01-04]
  exec: honor --privileged
  * exec: honor --privileged [Giuseppe Scrivano, 2020-12-24]
    Write the capabilities to the configuration passed to the OCI runtime.
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * libpod: change function to accept ExecOptions [Giuseppe Scrivano, 2020-12-24]
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #8852 from afbjorklund/slirp_sandbox-no_pivot_root [OpenShift Merge Robot, 2020-12-30]
  The slirp4netns sandbox requires pivot_root
  * The slirp4netns sandbox requires pivot_root [Anders F Björklund, 2020-12-29]
    Disable the sandbox, when running on rootfs
    Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* Merge pull request #8853 from jubalh/gentoo [OpenShift Merge Robot, 2020-12-30]
  Add support for Gentoo file to package query
  * Add support for Gentoo file to package query [Michael Vetter, 2020-12-29]
    On Gentoo systems where `app-portage/gentoolkit` is installed the binary `equery` is used to query for information on which package a file belongs to.
    Signed-off-by: Michael Vetter <jubalh@iodoru.org>
* Consolidate filter logic to pkg subdirectory [Baron Lenardson, 2020-12-24]
  Per the conversation on pull/8724 I am consolidating filter logic and helper functions under the pkg/domain/filters dir.
  Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
* Merge pull request #8822 from baude/issue8733 [OpenShift Merge Robot, 2020-12-24]
  re-open container log files
  * re-open container log files [baude, 2020-12-23]
    When following container log files, if the file gets rotated due to something like size limit, re-open it and keep following.
    Fixes: #8733
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #8806 from rhatdan/keyring [OpenShift Merge Robot, 2020-12-23]
  Pass down EnableKeyring from containers.conf to conmon
  * Pass down EnableKeyring from containers.conf to conmon [Daniel J Walsh, 2020-12-22]
    We have a new field in containers.conf that tells whether or not we want to generate a new keyring in a container. This field was being ignored. It now will be followed and passed down to conmon.
    Fixes: https://github.com/containers/podman/issues/8384
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8609 from rhatdan/image [OpenShift Merge Robot, 2020-12-23]
  Prefer read/write images over read/only images
  * Prefer read/write images over read/only images [Daniel J Walsh, 2020-12-22]
    With additional stores there is a risk that you could have multiple images with the same name, i.e. an older image in a read/only store versus a newer version in the read/write store. This patch will ignore multiple images with the same name iff one is read/write and all of the others are read/only.
    Fixes: https://github.com/containers/podman/issues/8176
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8787 from jsoref/spelling [OpenShift Merge Robot, 2020-12-23]
  Spelling
  * Spelling [Josh Soref, 2020-12-22]
    Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* Merge pull request #8793 from zhangguanzhang/vol-op [OpenShift Merge Robot, 2020-12-23]
  Fix missing options in volume's display while setting uid and gid
  * Fix missing options in volumes display while setting uid and gid [zhangguanzhang, 2020-12-23]
    ```
    $ podman volume create testvol --opt o=uid=1001,gid=1001
    $ ./bin/podman volume create testvol2 --opt o=uid=1001,gid=1001
    $ podman volume inspect testvol
         "Options": {},
    $ podman volume inspect testvol2
         "Options": {
             "GID": "1001",
             "UID": "1001",
             "o": "uid=1001,gid=1001"
         },
    ```
    Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* Merge pull request #8804 from baude/issue8512 [Daniel J Walsh, 2020-12-23]
  add pod filter for ps
  * add pod filter for ps [baude, 2020-12-22]
    Adds the ability to filter containers based on the filter "pod". The value can be a pod name or its full or partial id.
    Fixes: #8512
    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #8724 from bblenard/support-volume-filters-in-system-prune [OpenShift Merge Robot, 2020-12-22]
  Add volume filters to system prune
  * Add volume filters to system prune [Baron Lenardson, 2020-12-21]
    This change was missed in pull/8689. Now that volume pruning supports filters, system pruning can pass its filters down to the volume pruning.
    Additionally this change adds tests for the following components
      * podman system prune subcommand with `--volumes` & `--filter` options
      * apiv2 api tests for `/system/` and `/libpod/system` endpoints
    Relates to #8453, #8672
    Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
* Add Security information to podman info [Daniel J Walsh, 2020-12-22]
  When debugging issues, it would be helpful to know the security settings of the system running into the problem. Adding security info to `podman info` is also useful to users.
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>