summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Network interfacePaul Holzinger2021-08-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Implement a new network interface to abstract CNI from libpod. The interface is implemented for the CNI backend but in the future we can add more backends. The code is structured in three new packages: - `libpod/network/types`: contains the interface definition and the necessary types for it. - `libpod/network/cni` contains the interface implementation for the CNI backend. - `libpod/network/util` a set of utility functions related to networking. The CNI package uses ginkgo style unit tests. To test Setup/Teardown the test must be run as root. Each test will run in their own namespace to make the test independent from the host environment. New features with the CNI backend: - The default network will be created in memory if it does not exists on disk. - It can set more than one static IP per container network. - Networks are loaded once from disk and only if this interface is used, e.g. for commands such as `podman info` networks are not loaded. This reduces unnecessary disk IO. This commit only adds the interface it is not wired into libpod. This requires a lot of breaking changes which will be done in a followup commit. Once this is integrated into libpod the current network code under `libpod/network` should be removed. Also the dependency on OCICNI should be dropped. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #11290 from flouthoc/volume-exportOpenShift Merge Robot2021-08-23
|\ | | | | volumes: Add support for `volume export` which allows exporting content to external path.
| * volumes: Add support for exporting volumes to external tarflouthoc2021-08-23
| | | | | | | | | | | | | | Adds support for transferring data between systems and backing up systems. Use cases: recover from disasters or move data between machines. Signed-off-by: flouthoc <flouthoc.git@gmail.com>
* | Merge pull request #11286 from jwhonce/issues/11227OpenShift Merge Robot2021-08-20
|\ \ | | | | | | Update /version endpoint to add components
| * | Update /version endpoint to add componentsJhon Honce2021-08-19
| | | | | | | | | | | | | | | | | | | | | | | | * Include OCI and conmon information as components Fixes #11227 Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | Merge pull request #11289 from Luap99/net-alias-idOpenShift Merge Robot2021-08-20
|\ \ \ | | | | | | | | Fix network aliases with network id
| * | | Fix network aliases with network idPaul Holzinger2021-08-20
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a network id is used to create a container we translate it to use the name internally for the db. The network aliases are also stored with the network name as key so we have to also translate them for the db. Also removed some outdated skips from the e2e tests. Fixes #11285 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* / | Implement SD-NOTIFY proxy in conmonDaniel J Walsh2021-08-20
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This leverages conmon's ability to proxy the SD-NOTIFY socket. This prevents locking caused by OCI runtime blocking, waiting for SD-NOTIFY messages, and instead passes the messages directly up to the host. NOTE: Also re-enable the auto-update tests which has been disabled due to flakiness. With this change, Podman properly integrates into systemd. Fixes: #7316 Signed-off-by: Joseph Gooch <mrwizard@dok.org> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* / Podman info output plugin informationPaul Holzinger2021-08-19
|/ | | | | | | | | For docker compat include information about available volume, log and network drivers which should be listed under the plugins key. Fixes #11265 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Volumes: Only remove from DB if plugin removal succeedsMatthew Heon2021-08-18
| | | | | | | | | | | | | | | | | | Originally, Podman would unconditionally remove volumes from the DB, even if they failed to be removed from the volume plugin; this was a safety measure to ensure that `volume rm` can always remove a volume from the database, even if the plugin is misbehaving. However, this is a significant deivation from Docker, which refuses to remove if the plugin errors. These errors can be legitimate configuration issues which the user should address before the volume is removed, so Podman should also use this behaviour. Fixes #11214 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #11212 from flouthoc/check-valid-systemd-sessionopenshift-ci[bot]2021-08-17
|\ | | | | cgroup-manager-systemd: Warn early if user is rootless and no relevent user session is present.
| * cgroup-manager-systemd:Fail early if user:rootless and relevent session is ↵flouthoc2021-08-17
| | | | | | | | | | | | | | | | not present. [NO TESTS NEEDED] Signed-off-by: flouthoc <flouthoc.git@gmail.com>
* | Merge pull request #11231 from flouthoc/move-volume-dest-to-serveropenshift-ci[bot]2021-08-17
|\ \ | | | | | | volume: move validating volume dest from client to server.
| * | libpod/option.go remove error stutter from wrap/wrafflouthoc2021-08-17
| | | | | | | | | | | | | | | [NO TESTS NEEDED] Signed-off-by: flouthoc <flouthoc.git@gmail.com>
| * | volume: move validating volume dest from client to server.flouthoc2021-08-16
| | | | | | | | | | | | | | | | | | [NO TESTS NEEDED] Signed-off-by: flouthoc <flouthoc.git@gmail.com>
* | | make sure that signal buffers are sufficiently bigValentin Rothberg2021-08-17
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | Dealing with os.Signal channels seems more like an art than science since signals may get lost. os.Notify doesn't block on an unbuffered channel, so users are expected to know what they're doing or hope for the best. In the recent past, I've seen a number of flakes and BZs on non-amd64 architectures where I was under the impression that signals may got lost, for instance, during stop and exec. [NO TESTS NEEDED] since this is art. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Fix rootless cni dns without systemd stub resolverPaul Holzinger2021-08-16
|/ | | | | | | | | | | | | | | | | When a host uses systemd-resolved but not the resolved stub resolver the following symlinks are created: `/etc/resolv.conf` -> `/run/systemd/resolve/stub-resolv.conf` -> `/run/systemd/resolve/resolv.conf`. Because the code uses filepath.EvalSymlinks we put the new resolv.conf to `/run/systemd/resolve/resolv.conf` but the `/run/systemd/resolve/stub-resolv.conf` link does not exists in the mount ns. To fix this we will walk the symlinks manually until we reach the first one under `/run` and use this for the resolv.conf file destination. This fixes a regression which was introduced in e73d4829900c. Fixes #11222 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* rename oneshot initcontainers to onceBrent Baude2021-08-12
| | | | | | | | | | after the init containers pr merged, it was suggested to use `once` instead of `oneshot` containers as it is more aligned with other terminiology used similarily. [NO TESTS NEEDED] Signed-off-by: Brent Baude <bbaude@redhat.com>
* Run codespell to fix spellingDaniel J Walsh2021-08-11
| | | | | | [NO TESTS NEEDED] Just fixing spelling. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add support for pod inside of user namespace.Daniel J Walsh2021-08-09
| | | | | | | | | | | | | Add the --userns flag to podman pod create and keep track of the userns setting that pod was created with so that all containers created within the pod will inherit that userns setting. Specifically we need to be able to launch a pod with --userns=keep-id Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* podman info show correct slirp4netns pathPaul Holzinger2021-08-09
| | | | | | | | | The slirp4netns path can be set in the config file or with --network-cmd-path. Podman info should read the version information correctly and not use PATH in this case. Also show the slirp4netns version information to root users. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #11011 from baude/initcontainersopenshift-ci[bot]2021-08-05
|\ | | | | implement init containers in podman
| * implement init containers in podmanBrent Baude2021-08-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | this is the first pass at implementing init containers for podman pods. init containersare made popular by k8s as a way to run setup for pods before the pods standard containers run. unlike k8s, we support two styles of init containers: always and oneshot. always means the container stays in the pod and starts whenever a pod is started. this does not apply to pods restarting. oneshot means the container runs onetime when the pod starts and then is removed. Signed-off-by: Brent Baude <bbaude@redhat.com>
* | Merge pull request #11128 from rhatdan/timezoneopenshift-ci[bot]2021-08-04
|\ \ | | | | | | Handle timezone on server containers.conf
| * | Handle timezone on server containers.confDaniel J Walsh2021-08-04
| | | | | | | | | | | | | | | | | | | | | | | | Fixes: https://github.com/containers/podman/issues/11124 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@localhost.localdomain> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #11118 from mheon/use_host_resolveconfopenshift-ci[bot]2021-08-04
|\ \ \ | | | | | | | | Do not add an entry to /etc/hosts with `--net=host`
| * | | Do not add an entry to /etc/hosts with `--net=host`Matthew Heon2021-08-04
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To match Docker's behavior, in the `--net=host` case, we need to use the host's `/etc/hosts` file, unmodified (without adding an entry for the container). We will still respect hosts from `--add-host` but will not make any automatic changes. Fortuntely, this is strictly a matter of removal and refactoring as we already base our `/etc/hosts` on the host's version - just need to remove the code that added entries when net=host was set. Fixes #10319 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #10973 from rhatdan/quotaopenshift-ci[bot]2021-08-04
|\ \ \ | |_|/ |/| | Support size options on builtin volumes
| * | Support size and inode options on builtin volumesDaniel J Walsh2021-08-02
| | | | | | | | | | | | | | | | | | | | | | | | [NO TESTS NEEDED] Since it is difficult to setup xfs quota Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1982164 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | podman info: try qfile before equeryEd Santiago2021-08-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman info takes >20s on Gentoo, because equery is s..l..o..w. qfile is much faster and, I suspect, present in most Gentoo installations, so let's try it first. And, because packageVersion() was scarily unmaintainable, refactor it. Define a simple (string) list of packaging tools to query (rpm, dpkg, ...) and iterate until we find one that works. IMPORTANT NOTE: the Debian (and, presumably, Ubuntu) query does not include version number! There is no standard way on Debian to get a package version from a file path, you can only do it via pipes of chained commands, and I have no desire to implement that. Signed-off-by: Ed Santiago <santiago@redhat.com>
* | | Merge pull request #11091 from Luap99/connect-disconnectopenshift-ci[bot]2021-08-03
|\ \ \ | |_|/ |/| | fix rootless port forwarding with network dis-/connect
| * | fix rootless port forwarding with network dis-/connectPaul Holzinger2021-08-03
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The rootlessport forwarder requires a child IP to be set. This must be a valid ip in the container network namespace. The problem is that after a network disconnect and connect the eth0 ip changed. Therefore the packages are dropped since the source ip does no longer exists in the netns. One solution is to set the child IP to 127.0.0.1, however this is a security problem. [1] To fix this we have to recreate the ports after network connect and disconnect. To make this work the rootlessport process exposes a socket where podman network connect/disconnect connect to and send to new child IP to rootlessport. The rootlessport process will remove all ports and recreate them with the new correct child IP. Also bump rootlesskit to v0.14.3 to fix a race with RemovePort(). Fixes #10052 [1] https://nvd.nist.gov/vuln/detail/CVE-2021-20199 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* / Fix handling of user specified container labelsDaniel J Walsh2021-08-02
|/ | | | | | | | | | | Currently we override the SELinux labels specified by the user if the container is runing a kata container or systemd container. This PR fixes to use the label specified by the user. Fixes: https://github.com/containers/podman/issues/11100 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* ps: support the container notation for ps --filter network=...flouthoc2021-07-30
| | | | Signed-off-by: flouthoc <flouthoc.git@gmail.com>
* Merge pull request #10910 from ↵OpenShift Merge Robot2021-07-28
|\ | | | | | | | | adrianreber/2021-07-12-checkpoint-restore-into-pod Add support for checkpoint/restore into and out of pods
| * Support checkpoint/restore with podsAdrian Reber2021-07-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds support to checkpoint containers out of pods and restore container into pods. It is only possible to restore a container into a pod if it has been checkpointed out of pod. It is also not possible to restore a non pod container into a pod. The main reason this does not work is the PID namespace. If a non pod container is being restored in a pod with a shared PID namespace, at least one process in the restored container uses PID 1 which is already in use by the infrastructure container. If someone tries to restore container from a pod with a shared PID namespace without a shared PID namespace it will also fail because the resulting PID namespace will not have a PID 1. Signed-off-by: Adrian Reber <areber@redhat.com>
| * Prepare CRIU version check to work with multiple versionsAdrian Reber2021-07-27
| | | | | | | | | | | | | | | | The upcoming commit to support checkpointing out of Pods requires CRIU 3.16. This changes the CRIU version check to support checking for different versions. Signed-off-by: Adrian Reber <areber@redhat.com>
* | support container to container copyMehul Arora2021-07-27
|/ | | | | | | | | Implement container to container copy. Previously data could only be copied from/to the host. Fixes: #7370 Co-authored-by: Mehul Arora <aroram18@mcmaster.ca> Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* dual-stack network: fix duplicated subnet assignmentPaul Holzinger2021-07-26
| | | | | | | | | Make sure podman network create reads all subnets from existing cni configs and not only the first one. Fixes #11032 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #10996 from cdoern/untilLogOpenShift Merge Robot2021-07-24
|\ | | | | Implemented --until flag for Libpod's Container Logs
| * Implemented --until flag for libpod's container logscdoern2021-07-22
| | | | | | | | | | | | | | compat containers/logs was missing actual usage of until query param. This led me to implement the until param for libpod's container logs as well. Added e2e tests. Signed-off-by: cdoern <cdoern@redhat.com>
* | Merge pull request #10999 from rhatdan/quota1OpenShift Merge Robot2021-07-21
|\ \ | | | | | | Drop support for the --storage-opt container flag
| * | Drop podman create --storage-opt container flagDaniel J Walsh2021-07-20
| |/ | | | | | | | | | | | | | | | | | | | | | | | | The global flag will work in either location, and this flag just breaks users expectations, and is basically a noop. Also fix global storage-opt so that podman-remote can use it. [NO TESTS NEEDED] Since it would be difficult to test in ci/cd. Fixes: https://github.com/containers/podman/issues/10264 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / Copy the content from the underlying image into the newly created volume.Vikas Goel2021-07-20
|/ | | | | | Fixes: #10262 Signed-off-by: Vikas Goel <vikas.goel@gmail.com>
* Merge pull request #10848 from vrothberg/update-libimageOpenShift Merge Robot2021-07-16
|\ | | | | vendor containers/common@main
| * vendor containers/common@mainValentin Rothberg2021-07-16
| | | | | | | | | | | | | | | | | | | | | | | | | | The `IgnorePlatform` options has been removed from the `LookupImageOptions` in libimage to properly support multi-arch images. Skip one buildah-bud test which requires updated CI images. This is currently being done in github.com/containers/podman/pull/10829 but we need to unblock merging common and buildah into podman. [NO TESTS NEEDED] Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | --infra-name command line argumentJosé Guilherme Vanz2021-07-15
|/ | | | | | | | | Adds the new --infra-name command line argument allowing users to define the name of the infra container Issue #10794 Signed-off-by: José Guilherme Vanz <jvanz@jvanz.com>
* Merge pull request #10894 from cdoern/pidPodOpenShift Merge Robot2021-07-15
|\ | | | | podman pod create --pid flag
| * podman pod create --pid flagcdoern2021-07-15
| | | | | | | | | | | | | | | | added support for --pid flag. User can specify ns:file, pod, private, or host. container returns an error since you cannot point the ns of the pods infra container to a container outside of the pod. Signed-off-by: cdoern <cdoern@redhat.com>
* | Merge pull request #10939 from Luap99/rootless-cniOpenShift Merge Robot2021-07-15
|\ \ | | | | | | Fix race conditions in rootless cni setup