summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* security: use the bounding caps with --privilegedGiuseppe Scrivano2021-03-19
| | | | | | | | | when --privileged is used, make sure to not request more capabilities than currently available in the current context. [NO TESTS NEEDED] since it fixes existing tests. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* network prune filters for http compat and libpod apiJakub Guzik2021-03-18
| | | | Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* Do not leak libpod package into the remote clientPaul Holzinger2021-03-15
| | | | | | | | | | | | | | | | | | Some packages used by the remote client imported the libpod package. This is not wanted because it adds unnecessary bloat to the client and also causes problems with platform specific code(linux only), see #9710. The solution is to move the used functions/variables into extra packages which do not import libpod. This change shrinks the remote client size more than 6MB compared to the current master. [NO TESTS NEEDED] I have no idea how to test this properly but with #9710 the cross compile should fail. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Split libpod/network packagePaul Holzinger2021-03-15
| | | | | | | | | | | | The `libpod/network` package should only be used on the backend and not the client. The client used this package only for two functions so move them into a new `pkg/network` package. This is needed so we can put linux only code into `libpod/network`, see #9710. [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #9668 from rhatdan/manOpenShift Merge Robot2021-03-10
|\ | | | | Document CONTAINERS_CONF/CONTAINERS_STORAGE_CONF Env variables
| * Document CONTAINERS_CONF/CONTAINERS_STORAGE_CONF Env variablesDaniel J Walsh2021-03-10
| | | | | | | | | | | | | | Also Switch to using CONTAINERS_REGISTRIES_CONF for registries.conf overrides. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #9681 from rhatdan/rmOpenShift Merge Robot2021-03-10
|\ \ | |/ |/| Removing a non existing container API should return 404
| * Removing a non existing container API should return 404Daniel J Walsh2021-03-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently we were overwrapping error returned from removal of a non existing container. $ podman rm bogus -f Error: failed to evict container: "": failed to find container "bogus" in state: no container with name or ID bogus found: no such container Removal of wraps gets us to. ./bin/podman rm bogus -f Error: no container with name or ID "bogus" found: no such container Finally also added quotes around container name to help make it standout when you get an error, currently it gets lost in the error. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #9676 from giuseppe/cli-overrides-confOpenShift Merge Robot2021-03-10
|\ \ | |/ |/| options: append CLI graph driver options
| * options: append CLI graph driver optionsGiuseppe Scrivano2021-03-09
| | | | | | | | | | | | | | | | | | | | | | if --storage-opt are specified on the CLI append them after what is specified in the configuration files instead of overriding it. Closes: https://github.com/containers/podman/issues/9657 [NO TESTS NEEDED] Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #9677 from vrothberg/fix-9672OpenShift Merge Robot2021-03-09
|\ \ | | | | | | podman load: fix error handling
| * | podman load: fix error handlingValentin Rothberg2021-03-09
| |/ | | | | | | | | | | | | | | Make sure to properly return loading errors and to set the exit code accordingly. Fixes: #9672 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | podman cp: evaluate symlink correctly when copying from containerValentin Rothberg2021-03-09
| | | | | | | | | | | | | | | | When copying from a container, make sure to evaluate the symlinks correctly. Add tests copying a symlinked directory from a running and a non-running container to execute both path-resolution paths. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | podman cp: fix ownershipValentin Rothberg2021-03-09
| | | | | | | | | | | | | | | | Make sure the files are chowned to the host/container user, depending on where things are being copied to. Fixes: #9626 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | podman cp: ignore EPERMs in rootless modeValentin Rothberg2021-03-09
|/ | | | | | | | | | | | Ignore permission errors when copying from a rootless container. TTY devices inside rootless containers are owned by the host's root user which is "nobody" inside the container's user namespace rendering us unable to even read them. Enable the integration test which was temporarily disabled for rootless users. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* allow the removal of storage imagesDaniel J Walsh2021-03-08
| | | | | | | | Sometimes if the system crashes while an image is being pulled containers/storage can get into a bad state. This PR allows the user to call into container storage to remove the image. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9649 from rhatdan/kubeOpenShift Merge Robot2021-03-08
|\ | | | | Allow users to generate a kubernetes yaml off non running containers
| * Allow users to generate a kubernetes yaml off non running containersDaniel J Walsh2021-03-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently if you attempt to create a kube.yaml file off of a non running container where the container runs as a specific User, the creation fails because the storage container is not mounted. Podman is supposed to read the /etc/passwd entry inside of the container but since the container is not mounted, the c.State.Mountpoint == "". Podman incorrectly attempts to read /etc/passwd on the host, and fails if the specified user is not in the hosts /etc/passwd. This PR mounts the storage container, if it was not mounted so the read succeeds. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | turn hidden --trace into a NOPValentin Rothberg2021-03-08
|/ | | | | | | | | | The --trace has helped in early stages analyze Podman code. However, it's contributing to dependency and binary bloat. The standard go tooling can also help in profiling, so let's turn `--trace` into a NOP. [NO TESTS NEEDED] Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #9647 from mlegenovic/masterOpenShift Merge Robot2021-03-07
|\ | | | | Compat API: Fix the response of 'push image' endpoint
| * Correct compat images/{name}/push responseMilivoje Legenovic2021-03-07
| | | | | | | | Signed-off-by: Milivoje Legenovic <m.legenovic@gmail.com>
* | separate file with mount consts in libpod/defineJakub Guzik2021-03-07
| | | | | | | | Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
* | Merge pull request #9624 from mheon/fix_9615OpenShift Merge Robot2021-03-05
|\ \ | | | | | | [NO TESTS NEEDED] Do not return from c.stop() before re-locking
| * | Do not return from c.stop() before re-lockingMatthew Heon2021-03-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Unlocking an already unlocked lock is a panic. As such, we have to make sure that the deferred c.lock.Unlock() in c.StopWithTimeout() always runs on a locked container. There was a case in c.stop() where we could return an error after we unlock the container to stop it, but before we re-lock it - thus allowing for a double-unlock to occur. Fix the error return to not happen until after the lock has been re-acquired. Fixes #9615 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #9593 from vrothberg/cp-tmpOpenShift Merge Robot2021-03-05
|\ \ \ | |_|/ |/| | podman cp: support copying on tmpfs mounts
| * | podman cp: support copying on tmpfs mountsValentin Rothberg2021-03-04
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Traditionally, the path resolution for containers has been resolved on the *host*; relative to the container's mount point or relative to specified bind mounts or volumes. While this works nicely for non-running containers, it poses a problem for running ones. In that case, certain kinds of mounts (e.g., tmpfs) will not resolve correctly. A tmpfs is held in memory and hence cannot be resolved relatively to the container's mount point. A copy operation will succeed but the data will not show up inside the container. To support these kinds of mounts, we need to join the *running* container's mount namespace (and PID namespace) when copying. Note that this change implies moving the copy and stat logic into `libpod` since we need to keep the container locked to avoid race conditions. The immediate benefit is that all logic is now inside `libpod`; the code isn't scattered anymore. Further note that Docker does not support copying to tmpfs mounts. Tests have been extended to cover *both* path resolutions for running and created containers. New tests have been added to exercise the tmpfs-mount case. For the record: Some tests could be improved by using `start -a` instead of a start-exec sequence. Unfortunately, `start -a` is flaky in the CI which forced me to use the more expensive start-exec option. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #9598 from rhatdan/kvmOpenShift Merge Robot2021-03-04
|\ \ | | | | | | Check for supportsKVM based on basename of the runtime
| * | Check for supportsKVM based on basename of the runtimeDaniel J Walsh2021-03-03
| |/ | | | | | | | | | | | | | | | | | | | | Fixes: https://github.com/containers/podman/issues/9582 This PR also adds tests to make sure SELinux labels match the runtime, or if init is specified works with the correct label. Add tests for selinux kvm/init labels Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #9601 from jwhonce/issues/9207OpenShift Merge Robot2021-03-04
|\ \ | | | | | | Use version package to track all versions
| * | Use version package to track all versionsJhon Honce2021-03-03
| |/ | | | | | | | | | | | | | | | | | | | | | | * Server, bindings, and CLI all now pull version information from version package. * Current /libpod API version slaved to podman/libpod Version * Bindings validate against libpod API Minimal version * Remove pkg/bindings/bindings.go and updated tests Fixes: #9207 Signed-off-by: Jhon Honce <jhonce@redhat.com>
* / Fix cni teardown errorsPaul Holzinger2021-03-04
|/ | | | | | | | | | | Make sure to pass the cni interface descriptions to cni teardowns. Otherwise cni cannot find the correct cache files because the interface name might not match the networks. This can only happen when network disconnect was used. Fixes #9602 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #9575 from mheon/rewrite_renameOpenShift Merge Robot2021-03-03
|\ | | | | Rewrite Rename backend in a more atomic fashion
| * Rewrite Rename backend in a more atomic fashionMatthew Heon2021-03-02
| | | | | | | | | | | | | | | | | | | | | | | | | | Move the core of renaming logic into the DB. This guarantees a lot more atomicity than we have right now (our current solution, removing the container from the DB and re-creating it, is *VERY* not atomic and prone to leaving a corrupted state behind if things go wrong. Moving things into the DB allows us to remove most, but not all, of this - there's still a potential scenario where the c/storage rename fails but the Podman rename succeeds, and we end up with a mismatched state. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #9521 from adrianreber/2021-02-25-checkpointctlOpenShift Merge Robot2021-03-03
|\ \ | | | | | | Reorder checkpoint/restore code for CRI-O
| * | Use functions and defines from checkpointctlAdrian Reber2021-03-02
| | | | | | | | | | | | | | | | | | | | | | | | No functional changes. [NO TESTS NEEDED] - only moving code around Signed-off-by: Adrian Reber <areber@redhat.com>
| * | Move checkpoint/restore code to pkg/checkpoint/crutilsAdrian Reber2021-03-02
| |/ | | | | | | | | | | | | | | | | | | | | To be able to reuse common checkpoint/restore functions this commit moves code to pkg/checkpoint/crutils. This commit has not functional changes. It only moves code around. [NO TESTS NEEDED] - only moving code around Signed-off-by: Adrian Reber <areber@redhat.com>
* / Tidy duplicate log testsAshley Cui2021-03-02
|/ | | | | | | Some log tests were duplicated, and some didn't need to be repeated for every driver. Also, added some comments Signed-off-by: Ashley Cui <acui@redhat.com>
* podman rmi: handle corrupted storage betterValentin Rothberg2021-03-01
| | | | | | | | | | | | | | | The storage can easily be corrupted when a build or pull process (or any process *writing* to the storage) has been killed. The corruption surfaces in Podman reporting that a given layer could not be found in the layer tree. Those errors must not be fatal but only logged, such that the image removal may continue. Otherwise, a user may be unable to remove an image. [NO TESTS NEEDED] as I do not yet have a reliable way to cause such a storage corruption. Reported-in: https://github.com/containers/podman/issues/8148#issuecomment-787598940 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #9509 from mlegenovic/masterOpenShift Merge Robot2021-03-01
|\ | | | | Correct compat images/create?fromImage response
| * Correct compat images/create?fromImage responseMilivoje Legenovic2021-02-26
| | | | | | | | Signed-off-by: Milivoje Legenovic <m.legenovic@gmail.com>
* | prune remotecommand dependencybaude2021-02-25
|/ | | | | | | | | | | prune a dependency that was only being used for a simple struct. Should correct checksum issue on tarballs [NO TESTS NEEDED] Fixes: #9355 Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #9494 from mheon/sort_capsOpenShift Merge Robot2021-02-24
|\ | | | | Sort CapDrop in inspect to guarantee order
| * Sort CapDrop in inspect to guarantee orderMatthew Heon2021-02-23
| | | | | | | | | | | | | | | | | | | | The order of CapAdd when inspecting containers is deterministic. However, the order of CapDrop is not (for unclear reasons). Add a quick sort on the final array to guarantee a consistent order. Fixes #9490 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Add dns search domains from cni response to resolv.confPaul Holzinger2021-02-24
| | | | | | | | | | | | | | This fixes slow local host name lookups. see containers/dnsname#57 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Network connect error if net mode is not bridgePaul Holzinger2021-02-23
| | | | | | | | | | | | | | | | | | | | Only the the network mode bridge supports cni networks. Other network modes cannot use network connect/disconnect so we should throw a error. Fixes #9496 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #9485 from vrothberg/fix-9479OpenShift Merge Robot2021-02-23
|\ \ | |/ |/| container removal: handle already removed containers
| * container removal: handle already removed containersValentin Rothberg2021-02-23
| | | | | | | | | | | | | | | | | | | | | | | | Since commit d54478d8eaec, a container's lock is released before attempting to stop it via the OCI runtime. This opened the window for various kinds of race conditions. One of them led to #9479 where the removal+cleanup sequences of a `run --rm` session overlapped with `rm -af`. Make both execution paths more robust by handling the case of an already removed container. Fixes: #9479 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Add U volume flag to chown source volumesEduardo Vega2021-02-22
|/ | | | Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
* Fix podman network IDs handlingPaul Holzinger2021-02-22
| | | | | | | | | | | | | The libpod network logic knows about networks IDs but OCICNI does not. We cannot pass the network ID to OCICNI. Instead we need to make sure we only use network names internally. This is also important for libpod since we also only store the network names in the state. If we would add a ID there the same networks could accidentally be added twice. Fixes #9451 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* bump go module to v3Valentin Rothberg2021-02-22
| | | | | | | | | We missed bumping the go module, so let's do it now :) * Automated go code with github.com/sirkon/go-imports-rename * Manually via `vgrep podman/v2` the rest Signed-off-by: Valentin Rothberg <rothberg@redhat.com>