summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Fix rootlesskit port forwarder with custom slirp cidrPaul Holzinger2021-04-23
| | | | | | | | | | | | | The source ip for the rootlesskit port forwarder was hardcoded to the standard slirp4netns ip. This is incorrect since users can change the subnet used by slirp4netns with `--network slirp4netns:cidr=10.5.0.0/24`. The container interface ip is always the .100 in the subnet. Only when the rootlesskit port forwarder child ip matches the container interface ip the port forwarding will work. Fixes #9828 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Fixes from make codespellDaniel J Walsh2021-04-21
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8979 from haircommander/full-attach-pathOpenShift Merge Robot2021-04-21
|\ | | | | Use full attach path, rather than a symlink
| * runtime: bump required conmon versionPeter Hunt2021-04-16
| | | | | | | | | | | | 2.0.24 introduced the new behavior with --full-attach, allowing podman to no longer use the socketDir Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * runtime: return findConmon to libpodPeter Hunt2021-04-16
| | | | | | | | | | | | | | | | I believe moving the conmon probing code to c/common wasn't the best strategy. Different container engines have different requrements of which conmon version is required (based on what flags they use). Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * oci: drop ExecContainerCleanupPeter Hunt2021-04-16
| | | | | | | | | | | | without the socketsDir, we no longer need to worry about cleaning up after an exec. Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * oci: use `--full-path` option for conmonPeter Hunt2021-04-16
| | | | | | | | | | | | and stop relying on socket path Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * use AttachSocketPath when removing conmon filesPeter Hunt2021-04-16
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | rmi: don't break when the image is missing a manifestNalin Dahyabhai2021-04-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In libpod/image.Image.Remove(), if the attempt to find the image's parent fails for any reason, log a warning and proceed as though it didn't have one instead of failing, which would leave us unable to remove the image without resetting everything. In libpod/Runtime.RemoveImage(), if we can't determine if an image has children, log a warning, and assume that it doesn't have any instead of failing, which would leave us unable to remove the image without resetting everything. In pkg/domain/infra/abi.ImageEngine.Remove(), when attempting to remove all images, if we encounter an error checking if a given image has children, log a warning, and assume that it doesn't have any instead of failing, which would leave us unable to remove the image without resetting everything. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | Merge pull request #10041 from chenk008/add_pidfile_flagOpenShift Merge Robot2021-04-19
|\ \ | | | | | | Add flag "--pidfile" for podman create/run
| * | support pidfile on container restorechenkang2021-04-18
| | | | | | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
| * | fix start itchenkang2021-04-17
| | | | | | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
| * | set pidfile default value int containerconfigchenkang2021-04-17
| | | | | | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
| * | add pidfile in inspectionchenkang2021-04-17
| | | | | | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
| * | add flag "--pidfile" for podman create/runwuhua.ck2021-04-16
| | | | | | | | | | | | Signed-off-by: chenkang <kongchen28@gmail.com>
* | | Merge pull request #10056 from mheon/misc_cleanupOpenShift Merge Robot2021-04-19
|\ \ \ | |_|/ |/| | [NO TESTS NEEDED] Make an advanced layer diff function private
| * | Remove an advanced layer diff functionMatthew Heon2021-04-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Noticed this while I was poking around in the runtime doing DB work. The signature of this function makes me a bit uncomfortable (why should we let people apply arbitrary diffs to layers? Seems like a good way to break things...) and it's completely unused, so let's just remove it. [NO TESTS NEEDED] since this is a pure removal. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Fix possible panic in libpod/image/prune.goPaul Holzinger2021-04-16
| |/ |/| | | | | | | | | | | | | | | podman image prune paniced locally for me. The error handling was not done correctly and we could end up with a nil pointer dereference. [NO TESTS NEEDED] I have no idea how I could force an error in img.Size(). Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #9995 from rhatdan/debugOpenShift Merge Robot2021-04-14
|\ \ | | | | | | Fix message about runtime to show only the actual runtime
| * | Fix message about runtime to show only the actual runtimeDaniel J Walsh2021-04-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently the debug line shows every runtime up until it finds the correct one, confusing users on which runtime it is using. Also move missing OCI runtime from containers/conf down to Debug level and improved the debug message, to not report error. [NO TESTS NEEDED] Since this is just debug. Triggered by https://github.com/containers/podman/issues/4854 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Remove in-memory state implementationMatthew Heon2021-04-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We originally added this in the *very early* days of Podman, before a proper persistent state was written, so we had something to test with. It was retained after the original SQLite state (and current BoltDB state) were written so it could be used for testing Libpod in unit tests with no requirement for on-disk storage. Well, such unit tests never materialized, and if we were to write some now the requirement to have a temporary directory for storing data on disk is not that bad. I can basically guarantee there are no users of this in the wild because, even if you managed to figure out how to configure it when we don't document it, it's completely unusable with Podman since all your containers and pods will disappear every time Podman exits. Given all this, and since it's an ongoing maintenance burden I no longer wish to deal with, let's just remove it. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #10000 from rhatdan/cleanupOpenShift Merge Robot2021-04-13
|\ \ \ | |/ / |/| | Do not delete container twice
| * | Do not delete container twiceDaniel J Walsh2021-04-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 10 lines above we had // Set ContainerStateRemoving c.state.State = define.ContainerStateRemoving Which causes the state to not be the two checked states. Since the c.cleanup call already deleted the OCI state, this meant that we were calling cleanup, and hence the postHook hook twice. Fixes: https://github.com/containers/podman/issues/9983 [NO TESTS NEEDED] Since it would be difficult to tests this. Main tests should handle that the container is being deleted successfully. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | cgroup: do not set cgroup parent when rootless and cgroupfsGiuseppe Scrivano2021-04-12
|/ / | | | | | | | | | | | | | | | | do not set the cgroup parent when running as rootless with cgroupfs, even if cgroup v2 is used. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1947999 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #9935 from EduardoVega/5788-kube-volumeOpenShift Merge Robot2021-04-12
|\ \ | | | | | | Add support for play/generate kube PersistentVolumeClaims and Podman volumes
| * | Add support for play/generate kube volumesEduardo Vega2021-04-09
| | | | | | | | | | | | Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
* | | podman unshare: add --rootless-cni to join the nsPaul Holzinger2021-04-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a new --rootless-cni option to podman unshare to also join the rootless-cni network namespace. This is useful if you want to connect to a rootless container via IP address. This is only possible from the rootless-cni namespace and not from the host namespace. This option also helps to debug problems in the rootless-cni namespace. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | rootless cni add /usr/sbin to PATH if not presentPaul Holzinger2021-04-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | The CNI plugins need access to iptables in $PATH. On debian /usr/sbin is not added to $PATH for rootless users. This will break rootless cni completely. To prevent breaking existing users add /usr/sbin to $PATH in podman if needed. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #9754 from mheon/add_depOpenShift Merge Robot2021-04-06
|\ \ \ | |_|/ |/| | Add --requires flag to podman run/create
| * | Add --requires flag to podman run/createMatthew Heon2021-04-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman has, for a long time, had an internal concept of dependency management, used mainly to ensure that pod infra containers are started before any other container in the pod. We also have the ability to recursively start these dependencies, which we use to ensure that `podman start` on a container in a pod will not fail because the infra container is stopped. We have not, however, exposed these via the command line until now. Add a `--requires` flag to `podman run` and `podman create` to allow users to manually specify dependency containers. These containers must be running before the container will start. Also, make recursive starting with `podman start` default so we can start these containers and their dependencies easily. Fixes #9250 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #9942 from mheon/fix_9919OpenShift Merge Robot2021-04-06
|\ \ \ | |_|/ |/| | Ensure that `--userns=keep-id` sets user in config
| * | Ensure that `--userns=keep-id` sets user in configMatthew Heon2021-04-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | One of the side-effects of the `--userns=keep-id` command is switching the default user of the container to the UID of the user running Podman (though this can still be overridden by the `--user` flag). However, it did this by setting the UID and GID in the OCI spec, and not by informing Libpod of its intention to switch users via the `WithUser()` option. Because of this, a lot of the code that should have triggered when the container ran with a non-root user was not triggering. In the case of the issue that this fixed, the code to remove capabilities from non-root users was not triggering. Adjust the keep-id code to properly inform Libpod of our intention to use a non-root user to fix this. Also, fix an annoying race around short-running exec sessions where Podman would always print a warning that the exec session had already stopped. Fixes #9919 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #9911 from rhatdan/storageOpenShift Merge Robot2021-04-05
|\ \ \ | | | | | | | | Allow users to override default storage opts with --storage-opt
| * | | Allow users to override default storage opts with --storage-optDaniel J Walsh2021-04-05
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We define in the man page that this overrides the default storage options, but the code was appending to the existing options. This PR also makes a change to allow users to specify --storage-opt="". This will turn off all storage options. https://github.com/containers/podman/issues/9852 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / / Don't relabel volumes if running in a privileged containerDaniel J Walsh2021-04-05
|/ / | | | | | | | | | | | | | | | | Docker does not relabel this content, and openstack is running containers in this manner. There is a penalty for doing this on each container, that is not worth taking on a disable SELinux container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Use the slrip4netns dns in the rootless cni nsPaul Holzinger2021-04-01
| | | | | | | | | | | | | | | | If a user only has a local dns server in the resolv.conf file the dns resolution will fail. Instead we create a new resolv.conf which will use the slirp4netns dns. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Cleanup the rootless cni namespacePaul Holzinger2021-04-01
| | | | | | | | | | | | | | Delte the network namespace and kill the slirp4netns process when it is no longer needed. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Remove unused rootless-cni-infra container filesPaul Holzinger2021-04-01
| | | | | | | | Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Only use rootless RLK when the container has portsPaul Holzinger2021-04-01
| | | | | | | | | | | | | | Do not invoke the rootlesskit port forwarder when the container has no ports. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Enable rootless network connect/disconnectPaul Holzinger2021-04-01
| | | | | | | | | | | | | | With the new rootless cni supporting network connect/disconnect is easy. Combine common setps into extra functions to prevent code duplication. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Move slirp4netns functions into an extra filePaul Holzinger2021-04-01
| | | | | | | | | | | | This should make maintenance easier. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Fix pod infra container cni network setupPaul Holzinger2021-04-01
| | | | | | | | | | | | | | | | For rootless users the infra container used the slirp4netns net mode even when bridge was requested. We can support bridge networking for rootless users so we have allow this. The default is not changed. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Add rootless support for cni and --uidmapPaul Holzinger2021-04-01
| | | | | | | | | | | | This is supported with the new rootless cni logic. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | rootless cni without infra containerPaul Holzinger2021-04-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Instead of creating an extra container create a network and mount namespace inside the podman user namespace. This ns is used to for rootless cni operations. This helps to align the rootless and rootful network code path. If we run as rootless we just have to set up a extra net ns and initialize slirp4netns in it. The ocicni lib will be called in that net ns. This design allows allows easier maintenance, no extra container with pause processes, support for rootless cni with --uidmap and possibly more. The biggest problem is backwards compatibility. I don't think live migration can be possible. If the user reboots or restart all cni containers everything should work as expected again. The user is left with the rootless-cni-infa container and image but this can safely be removed. To make the existing cni configs work we need execute the cni plugins in a extra mount namespace. This ensures that we can safely mount over /run and /var which have to be writeable for the cni plugins without removing access to these files by the main podman process. One caveat is that we need to keep the netns files at `XDG_RUNTIME_DIR/netns` accessible. `XDG_RUNTIME_DIR/rootless-cni/{run,var}` will be mounted to `/{run,var}`. To ensure that we keep the netns directory we bind mount this relative to the new root location, e.g. XDG_RUNTIME_DIR/rootless-cni/run/user/1000/netns before we mount the run directory. The run directory is mounted recursive, this makes the netns directory at the same path accessible as before. This also allows iptables-legacy to work because /run/xtables.lock is now writeable. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Should send the OCI runtime path not just the name to buildahDaniel J Walsh2021-03-31
|/ | | | | | | | | [NO TESTS NEEDED] Mainly because I have no idea how we would test this. Fixes: https://github.com/containers/podman/issues/9459 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9881 from Luap99/net-reload-silence-errorsOpenShift Merge Robot2021-03-30
|\ | | | | Silence podman network reload errors with iptables-nft
| * Silence podman network reload errors with iptables-nftPaul Holzinger2021-03-30
| | | | | | | | | | | | | | | | | | | | | | | | Make sure we do not display the expected error when using podman network reload. This is already done for iptables-legacy however iptables-nft creates a slightly different error message so check for this as well. The error is logged at info level. [NO TESTS NEEDED] The test VMs do not use iptables-nft so there is no way to test this. It is already tested for iptables-legacy. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | [NO TESTS NEEDED] Shrink the size of podman-remoteDaniel J Walsh2021-03-29
|/ | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* [NO TESTS NEEDED] Fix for kernel without CONFIG_USER_NSなつき2021-03-26
| | | Signed-off-by: Natsuki <i@ntk.me>
* Use TMPDIR when commiting imagesDaniel J Walsh2021-03-26
| | | | | | | | | | | | Fixes: https://github.com/containers/podman/issues/9825 Currently we are using TMPDIR for storaing temporary files when building images, but not when you directly commit the images. This change simply uses the TMPDIR environment variable if set to store temporary files. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>