summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Merge pull request #7592 from mheon/force_attach_winchOpenShift Merge Robot2020-09-11
|\ | | | | Force Attach() to send a SIGWINCH and redraw
| * Force Attach() to send a SIGWINCH and redrawMatthew Heon2020-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Basically, we want to force the application in the container to (iff the container was made with a terminal) redraw said terminal immediately after an attach completes, so the fresh Attach session will be able to see what's going on (e.g. will have a shell prompt). Our current attach functions are unfortunately geared more towards `podman run` than `podman attach` and will start forwarding resize events *immediately* instead of waiting until the attach session is alive (much safer for short-lived `podman run` sessions, but broken for the `podman attach` case). To avoid a major rewrite, let's just manually send a SIGWINCH after attach succeeds to force a redraw. Fixes #6253 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #7591 from haircommander/play-kube-process-namespaceOpenShift Merge Robot2020-09-11
|\ \ | | | | | | play/generate: support shareProcessNamespace
| * | play/generate: support shareProcessNamespacePeter Hunt2020-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | this is an option that allows a user to specify whether to share PID namespace in the pod for play kube and generate kube associated test added Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | Merge pull request #7587 from ParkerVR/kube-underscoresOpenShift Merge Robot2020-09-11
|\ \ \ | | | | | | | | Allowed underscores to remain in name for YAML (Kube generate)
| * | | allowed underscores to remain in name for YAMLParker Van Roy2020-09-10
| | | | | | | | | | | | | | | | Signed-off-by: Parker Van Roy <pvanroy@redhat.com>
* | | | Merge pull request #7541 from mheon/modify_groupOpenShift Merge Robot2020-09-10
|\ \ \ \ | |_|/ / |/| | | Make an entry in /etc/group when we modify /etc/passwd
| * | | Make an entry in /etc/group when we modify /etc/passwdMatthew Heon2020-09-10
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To ensure that the user running in the container ahs a valid entry in /etc/passwd so lookup functions for the current user will not error, Podman previously began adding entries to the passwd file. We did not, however, add entries to the group file, and this created problems - our passwd entries included the group the user is in, but said group might not exist. The solution is to mirror our logic for /etc/passwd modifications to also edit /etc/group in the container. Unfortunately, this is not a catch-all solution. Our logic here is only advanced enough to *add* to the group file - so if the group already exists but we add a user not a part of it, we will not modify that existing entry, and things remain inconsistent. We can look into adding this later if we absolutely need to, but it would involve adding significant complexity to this already massively complicated function. While we're here, address an edge case where Podman could add a user or group whose UID overlapped with an existing user or group. Also, let's make users able to log into users we added. Instead of generating user entries with an 'x' in the password field, indicating they have an entry in /etc/shadow, generate a '*' indicating the user has no password but can be logged into by other means e.g. ssh key, su. Fixes #7503 Fixes #7389 Fixes #7499 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #7578 from giuseppe/join-userns-reuse-mappingsOpenShift Merge Robot2020-09-10
|\ \ \ | |_|/ |/| | libpod: read mappings when joining a container userns
| * | libpod: read mappings when joining a container usernsGiuseppe Scrivano2020-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | when joining an existing container user namespace, read the existing mappings so the storage can be created with the correct ownership. Closes: https://github.com/containers/podman/issues/7547 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* | | Merge pull request #7460 from AkihiroSuda/allow-rootless-cniOpenShift Merge Robot2020-09-10
|\ \ \ | |/ / |/| | rootless: support `podman network create` (CNI-in-slirp4netns)
| * | rootless: support `podman network create` (CNI-in-slirp4netns)Akihiro Suda2020-09-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Usage: ``` $ podman network create foo $ podman run -d --name web --hostname web --network foo nginx:alpine $ podman run --rm --network foo alpine wget -O - http://web.dns.podman Connecting to web.dns.podman (10.88.4.6:80) ... <h1>Welcome to nginx!</h1> ... ``` See contrib/rootless-cni-infra for the design. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* | | Merge pull request #7290 from rhatdan/externalOpenShift Merge Robot2020-09-09
|\ \ \ | | | | | | | | Show c/storage (Buildah/CRI-O) containers in ps
| * | | Show c/storage (Buildah/CRI-O) containers in psDaniel J Walsh2020-09-09
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The `podman ps --all` command will now show containers that are under the control of other c/storage container systems and the new `ps --storage` option will show only containers that are in c/storage but are not controlled by libpod. In the below examples, the '*working-container' entries were created by Buildah. ``` podman ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 9257ef8c786c docker.io/library/busybox:latest ls /etc 8 hours ago Exited (0) 8 hours ago gifted_jang d302c81856da docker.io/library/busybox:latest buildah 30 hours ago storage busybox-working-container 7a5a7b099d33 localhost/tom:latest ls -alF 30 hours ago Exited (0) 30 hours ago hopeful_hellman 01d601fca090 localhost/tom:latest ls -alf 30 hours ago Exited (1) 30 hours ago determined_panini ee58f429ff26 localhost/tom:latest buildah 33 hours ago storage alpine-working-container podman ps --external CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES d302c81856da docker.io/library/busybox:latest buildah 30 hours ago external busybox-working-container ee58f429ff26 localhost/tom:latest buildah 33 hours ago external alpine-working-container ``` Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / / support multi-image (docker) archivesValentin Rothberg2020-09-08
|/ / | | | | | | | | | | | | | | | | | | | | | | | | Support loading and saving tarballs with more than one image. Add a new `/libpod/images/export` endpoint to the rest API to allow for exporting/saving multiple images into an archive. Note that a non-release version of containers/image is vendored. A release version must be vendored before cutting a new Podman release. We force the containers/image version via a replace in the go.mod file; this way go won't try to match the versions. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | make image parent check more robustValentin Rothberg2020-09-07
| | | | | | | | | | | | | | | | Follow up on issue #7444 and make the parent checks more robust. We can end up with an incoherent storage when, for instance, a build has been killed. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | We should not be mounting /run as noexec when run with --systemdDaniel J Walsh2020-09-02
|/ | | | | | | The system defaults /run to "exec" mode, and we default --read-only mounts on /run to "exec", so --systemd should follow suit. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Ensure rootless containers without a passwd can startMatthew Heon2020-08-31
| | | | | | | | | | | | | | | | We want to modify /etc/passwd to add an entry for the user in question, but at the same time we don't want to require the container provide a /etc/passwd (a container with a single, statically linked binary and nothing else is perfectly fine and should be allowed, for example). We could create the passwd file if it does not exist, but if the container doesn't provide one, it's probably better not to make one at all. Gate changes to /etc/passwd behind a stat() of the file in the container returning cleanly. Fixes #7515 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #7469 from zhangguanzhang/generate-kube-with-ExtraHostsOpenShift Merge Robot2020-08-28
|\ | | | | fix podman generate kube with HostAliases
| * fix podman generate kube with HostAliaseszhangguanzhang2020-08-27
| | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | Merge pull request #7436 from rhatdan/variantOpenShift Merge Robot2020-08-28
|\ \ | | | | | | Add support for image pull overrides
| * | Add support for variant when pulling imagesDaniel J Walsh2020-08-28
| | | | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #7481 from Luap99/keep-confOpenShift Merge Robot2020-08-28
|\ \ \ | | | | | | | | Don't remove config files with podman system reset
| * | | Don't remove config files with podman system resetPaul Holzinger2020-08-28
| |/ / | | | | | | | | | | | | | | | | | | Check if storage.conf exists and display a message that this file should be removed if it has not been modified. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #7448 from baude/issue7444OpenShift Merge Robot2020-08-28
|\ \ \ | | | | | | | | fix panic when checking len on nil object
| * | | fix panic when checking len on nil objectBrent Baude2020-08-28
| |/ / | | | | | | | | | | | | | | | issue #7444 describes a problem where an image does not have a manifest file and cannot be processed by our library correctly. the origin of the panic is because we are checking the len of a nil object's attribute. this is a temporary fix to protect from the panic in the future. the origin of the problem is more interesting and requires more work when the code author returns from pto. Signed-off-by: Brent Baude <bbaude@redhat.com>
* / / Delete prior /dev/shm/*Lokesh Mandvekar2020-08-28
|/ / | | | | | | | | | | | | | | | | | | Currently, subsequent runs of `make localunit` fail and complain about prior existing /dev/shm/libpod_test and /dev/shm/test1. This commit deletes these files if existing already, prior to running the tests. Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
* | Fix up some error messagesMatthew Heon2020-08-27
| | | | | | | | | | | | | | | | | | We have a lot of 'cannot stat %s' errors in our codebase. These are terrible and confusing and utterly useless without context. Add some context to a few of them so we actually know what part of the code is failing. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #7451 from mheon/fix_7195Ed Santiago2020-08-27
|\ \ | |/ |/| Send HTTP Hijack headers after successful attach
| * Send HTTP Hijack headers after successful attachMatthew Heon2020-08-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Our previous flow was to perform a hijack before passing a connection into Libpod, and then Libpod would attach to the container's attach socket and begin forwarding traffic. A problem emerges: we write the attach header as soon as the attach complete. As soon as we write the header, the client assumes that all is ready, and sends a Start request. This Start may be processed *before* we successfully finish attaching, causing us to lose output. The solution is to handle hijacking inside Libpod. Unfortunately, this requires a downright extensive refactor of the Attach and HTTP Exec StartAndAttach code. I think the result is an improvement in some places (a lot more errors will be handled with a proper HTTP error code, before the hijack occurs) but other parts, like the relocation of printing container logs, are just *bad*. Still, we need this fixed now to get CI back into good shape... Fixes #7195 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #7409 from ↵OpenShift Merge Robot2020-08-26
|\ \ | | | | | | | | | | | | zhangguanzhang/apiv2-create-ctr-with-invalid-entrypoint fix apiv2 will create containers with incorrect commands
| * | fix apiv2 will create containers with incorrect commandszhangguanzhang2020-08-24
| | | | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | podman: add option --cgroup-confGiuseppe Scrivano2020-08-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | it allows to manually tweak the configuration for cgroup v2. we will expose some of the options in future as single options (e.g. the new memory knobs), but for now add the more generic --cgroup-conf mechanism for maximum control on the cgroup configuration. OCI specs change: https://github.com/opencontainers/runtime-spec/pull/1040 Requires: https://github.com/containers/crun/pull/459 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | vendor: update opencontainers/runtime-specGiuseppe Scrivano2020-08-21
|/ / | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / error when adding container to pod with network informationBrent Baude2020-08-21
|/ | | | | | | | | | | | because a pod's network information is dictated by the infra container at creation, a container cannot be created with network attributes. this has been difficult for users to understand. we now return an error when a container is being created inside a pod and passes any of the following attributes: * static IP (v4 and v6) * static mac * ports -p (i.e. -p 8080:80) * exposed ports (i.e. 222-225) * publish ports from image -P Signed-off-by: Brent Baude <bbaude@redhat.com>
* Merge pull request #7383 from mheon/unmount_storage_ctrsOpenShift Merge Robot2020-08-20
|\ | | | | Unmount c/storage containers before removing them
| * Unmount c/storage containers before removing themMatthew Heon2020-08-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When `podman rmi --force` is run, it will remove any containers that depend on the image. This includes Podman containers, but also any other c/storage users who may be using it. With Podman containers, we use the standard Podman removal function for containers, which handles all edge cases nicely, shutting down running containers, ensuring they're unmounted, etc. Unfortunately, no such convient function exists (or can exist) for all c/storage containers. Identifying the PID of a Buildah, CRI-O, or Podman container is extremely different, and those are just the implementations under the containers org. We can't reasonably be able to know if a c/storage container is *in use* and safe for removal if it's not a Podman container. At the very least, though, we can attempt to unmount a storage container before removing it. If it is in use, this will fail (probably with a not-particularly-helpful error message), but if it is not in use but not fully cleaned up, this should make our removing it much more robust than it normally is. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #7346 from rhatdan/systemdOpenShift Merge Robot2020-08-19
|\ \ | |/ |/| Don't limit the size on /run for systemd based containers
| * Don't limit the size on /run for systemd based containersDaniel J Walsh2020-08-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | We had a customer incident where they ran out of space on /run. If you don't specify size, it will be still limited to 50% or memory available in the cgroup the container is running in. If the cgroup is unlimited then the /run will be limited to 50% of the total memory on the system. Also /run is mounted on the host as exec, so no reason for us to mount it noexec. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Support sighup reload configuration filesQi Wang2020-08-18
|/ | | | | | Support podman service sighup reload configuration files(containers.conf, registries.conf, storage.conf). Signed-off-by: Qi Wang <qiwan@redhat.com>
* Merge pull request #7283 from mheon/pod_infra_has_exit_cmdOpenShift Merge Robot2020-08-17
|\ | | | | Ensure pod infra containers have an exit command
| * Clean up pods before returning from Pod Stop API callMatthew Heon2020-08-17
| | | | | | | | | | | | | | This should help alleviate races where the pod is not fully cleaned up before subsequent API calls happen. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * Ensure pod infra containers have an exit commandMatthew Heon2020-08-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Most Libpod containers are made via `pkg/specgen/generate` which includes code to generate an appropriate exit command which will handle unmounting the container's storage, cleaning up the container's network, etc. There is one notable exception: pod infra containers, which are made entirely within Libpod and do not touch pkg/specgen. As such, no cleanup process, network never cleaned up, bad things can happen. There is good news, though - it's not that difficult to add this, and it's done in this PR. Generally speaking, we don't allow passing options directly to the infra container at create time, but we do (optionally) proxy a pre-approved set of options into it when we create it. Add ExitCommand to these options, and set it at time of pod creation using the same code we use to generate exit commands for normal containers. Fixes #7103 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #7306 from mheon/private_mountOpenShift Merge Robot2020-08-12
|\ \ | | | | | | Change /sys/fs/cgroup/systemd mount to rprivate
| * | Change /sys/fs/cgroup/systemd mount to rprivateMatthew Heon2020-08-12
| | | | | | | | | | | | | | | | | | | | | | | | I used the wrong propagation first time around because I forgot that rprivate is the default propagation. Oops. Switch to rprivate so we're using the default. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #7308 from hamzadis/slirp4netns-cidrOpenShift Merge Robot2020-08-12
|\ \ \ | | | | | | | | Add support for setting the CIDR when using slirp4netns
| * | | Add support for setting the CIDR when using slirp4netnsAdis Hamzić2020-08-12
| |/ / | | | | | | | | | | | | | | | | | | | | | This adds support for the --cidr parameter that is supported by slirp4netns since v0.3.0. This allows the user to change the ip range that is used for the network inside the container. Signed-off-by: Adis Hamzić <adis@hamzadis.com>
* / / add event for image buildBrent Baude2020-08-12
|/ / | | | | | | | | | | | | | | upon image build completion, a new image type event is written for "build". more intricate details, like pulling an image, that might be done by build must be implemented in different vendored packages only after libpod is split from podman. Fixes: #7022 Signed-off-by: Brent Baude <bbaude@redhat.com>
* / Ensure correct propagation for cgroupsv1 systemd cgroupMatthew Heon2020-08-11
|/ | | | | | | | | | | | | | | | On cgroups v1 systems, we need to mount /sys/fs/cgroup/systemd into the container. We were doing this with no explicit mount propagation tag, which means that, under some circumstances, the shared mount propagation could be chosen - which, combined with the fact that we need a mount to mask /sys/fs/cgroup/systemd/release_agent in the container, means we would leak a never-ending set of mounts under /sys/fs/cgroup/systemd/ on container restart. Fortunately, the fix is very simple - hardcode mount propagation to something that won't leak. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Unconditionally retrieve pod names via APIMatthew Heon2020-08-10
| | | | | | | | | | | | | | | | | | The ListContainers API previously had a Pod parameter, which determined if pod name was returned (but, notably, not Pod ID, which was returned unconditionally). This was fairly confusing, so we decided to deprecate/remove the parameter and return it unconditionally. To do this without serious performance implications, we need to avoid expensive JSON decodes of pod configuration in the DB. The way our Bolt tables are structured, retrieving name given ID is actually quite cheap, but we did not expose this via the Libpod API. Add a new GetName API to do this. Fixes #7214 Signed-off-by: Matthew Heon <matthew.heon@pm.me>