summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* create libimage-events channel in main routineValentin Rothberg2021-05-27
| | | | | | | | | | | Move the creation of the channel outside of the sub-routine to fix a data race between writing the channel (implicitly by calling EventChannel()) and using that channel in libimage. [NO TESTS NEEDED] Fixes: #10459 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #10476 from mheon/ensure_exists_on_removeOpenShift Merge Robot2021-05-27
|\ | | | | Ensure that container still exists when removing
| * Ensure that container still exists when removingMatthew Heon2021-05-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After #8906, there is a potential race condition in container removal of running containers with `--rm`. Running containers must first be stopped, which was changed to unlock the container to allow commands like `podman ps` to continue to run while stopping; however, this also means that the cleanup process can potentially run before we re-lock, and remove the container from under us, resulting in error messages from `podman rm`. The end result is unchanged, the container is still cleanly removed, but the `podman rm` command will seem to have failed. Work around this by pinging the database after we stop the container to make sure it still exists. If it doesn't, our job is done and we can exit cleanly. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #10447 from mheon/rootlesscni_defaultOpenShift Merge Robot2021-05-26
|\ \ | | | | | | Add the option of Rootless CNI networking by default
| * | Add the option of Rootless CNI networking by defaultMatthew Heon2021-05-26
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the containers.conf field "NetNS" is set to "Bridge" and the "RootlessNetworking" field is set to "cni", Podman will now handle rootless in the same way it does root - all containers will be joined to a default CNI network, instead of exclusively using slirp4netns. If no CNI default network config is present for the user, one will be auto-generated (this also works for root, but it won't be nearly as common there since the package should already ship a config). I eventually hope to remove the "NetNS=Bridge" bit from containers.conf, but let's get something in for Brent to work with. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #10431 from vrothberg/journald-logsOpenShift Merge Robot2021-05-26
|\ \ | |/ |/| journald logger: fix race condition
| * journald logger: fix race conditionValentin Rothberg2021-05-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix a race in journald driver. Following the logs implies streaming until the container is dead. Streaming happened in one goroutine, waiting for the container to exit/die and signaling that event happened in another goroutine. The nature of having two goroutines running simultaneously is pretty much the core of the race condition. When the streaming goroutines received the signal that the container has exitted, the routine may not have read and written all of the container's logs. Fix this race by reading both, the logs and the events, of the container and stop streaming when the died/exited event has been read. The died event is guaranteed to be after all logs in the journal which guarantees not only consistencty but also a deterministic behavior. Note that the journald log driver now requires the journald event backend to be set. Fixes: #10323 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #10466 from vrothberg/fix-10459OpenShift Merge Robot2021-05-26
|\ \ | |/ |/| libimage-events channel: fix data race
| * libimage-events channel: fix data raceValentin Rothberg2021-05-26
| | | | | | | | | | | | | | | | | | | | Fix a data race between creating and using the libimage-events channel. [NO TESTS NEEDED] since it really depends on the scheduler and we couldn't hit the race so far. Fixes: #10459 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #10408 from Luap99/fix-10283OpenShift Merge Robot2021-05-25
|\ \ | |/ |/| Fix network create macvlan with subnet option
| * Fix network create macvlan with subnet optionPaul Holzinger2021-05-20
| | | | | | | | | | | | | | | | | | | | Creating a macvlan network with the subnet or ipRange option should set the ipam plugin type to `host-local`. We also have to insert the default route. Fixes #10283 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #10436 from rhatdan/errorsOpenShift Merge Robot2021-05-24
|\ \ | | | | | | Improve OCI Runtime error
| * | Improve OCI Runtime errorDaniel J Walsh2021-05-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ErrOCIRuntimeNotFound error is misleading. Try to make it more understandable to the user that the OCI Runtime IE crun or runc is not missing, but the command they attempted to run within the container is missing. [NO TESTS NEEDED] Regular tests should handle this. Fixes: https://github.com/containers/podman/issues/10432 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Podman info add support for status of cgroup controllersflouthoc2021-05-24
|/ / | | | | | | Signed-off-by: flouthoc <flouthoc.git@gmail.com>
* | add libimage eventsValentin Rothberg2021-05-20
| | | | | | | | | | | | | | libimage now supports events which `libpod.Runtime` now uses for image events. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Fix problem copying files when container is in host pid namespaceDaniel J Walsh2021-05-19
|/ | | | | | | | | | | | | | When attempting to copy files into and out of running containers within the host pidnamespace, the code was attempting to join the host pidns again, and getting an error. This was causing the podman cp command to fail. Since we are already in the host pid namespace, we should not be attempting to join. This PR adds a check to see if the container is in NOT host pid namespace, and only then attempts to join. Fixes: https://github.com/containers/podman/issues/9985 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #10334 from mheon/add_relabel_vol_pluginOpenShift Merge Robot2021-05-17
|\ | | | | Ensure that :Z/:z/:U can be used with named volumes
| * Ensure that :Z/:z/:U can be used with named volumesMatthew Heon2021-05-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Docker allows relabeling of any volume passed in via -v, even including named volumes. This normally isn't an issue at all, given named volumes get the right label for container access automatically, but this becomes an issue when volume plugins are involved - these aren't managed by Podman, and may well be unaware of SELinux labelling. We could automatically relabel these volumes on creation, but I'm still reluctant to do that (feels like it could break things). Instead, let's allow :z and :Z to be used with named volumes, so users can explicitly request relabel of a volume plugin-backed volume. We also get :U at the same time. I don't see any real need for it but it also doesn't seem to hurt, so I didn't bother disabling it. Fixes #10273 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #10366 from ashley-cui/secretoptionsOpenShift Merge Robot2021-05-17
|\ \ | | | | | | Support uid,gid,mode options for secrets
| * | Support uid,gid,mode options for secretsAshley Cui2021-05-17
| |/ | | | | | | | | | | | | Support UID, GID, Mode options for mount type secrets. Also, change default secret permissions to 444 so all users can read secret. Signed-off-by: Ashley Cui <acui@redhat.com>
* | Merge pull request #10270 from rhatdan/mtabOpenShift Merge Robot2021-05-17
|\ \ | | | | | | Create the /etc/mtab file if does not exists
| * | Create the /etc/mtab file if does not existsDaniel J Walsh2021-05-15
| |/ | | | | | | | | | | | | | | | | | | | | We should create the /etc/mtab->/proc/mountinfo link so that mount command will work within the container. Docker does this by default. Fixes: https://github.com/containers/podman/issues/10263 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #9972 from bblenard/issue-5651-hostname-for-container-gatewayOpenShift Merge Robot2021-05-17
|\ \ | | | | | | Add host.containers.internal entry into container's etc/hosts
| * | Add host.containers.internal entry into container's etc/hostsBaron Lenardson2021-05-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change adds the entry `host.containers.internal` to the `/etc/hosts` file within a new containers filesystem. The ip address is determined by the containers networking configuration and points to the gateway address for the containers networking namespace. Closes #5651 Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
* | | podman network reload add rootless supportPaul Holzinger2021-05-17
| |/ |/| | | | | | | | | | | | | | | | | Allow podman network reload to be run as rootless user. While it is unlikely that the iptable rules are flushed inside the rootless cni namespace, it could still happen. Also fix podman network reload --all to ignore errors when a container does not have the bridge network mode, e.g. slirp4netns. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #10300 from jwhonce/issues/10289OpenShift Merge Robot2021-05-12
|\ \ | | | | | | Add host.serviceIsRemote to podman info results
| * | Add host.serviceIsRemote to podman info resultsJhon Honce2021-05-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Developers asked for a deterministic field to verify if podman is running via API or linked directly to libpod library. $ podman info --format '{{.Host.ServiceIsRemote}}' false $ podman-remote info --format '{{.Host.ServiceIsRemote}}' true $ podman --remote info --format '{{.Host.ServiceIsRemote}}' true * docs/conf.py formatted via black Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | podman image tree: restore previous behaviorValentin Rothberg2021-05-12
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The initial version of libimage changed the order of layers which has now been restored to remain backwards compatible. Further changes: * Fix a bug in the journald logging which requires to strip trailing new lines from the message. The system tests did not pass due to empty new lines. Triggered by changing the default logger to journald in containers/common. * Fix another bug in the journald logging which embedded the container ID inside the message rather than the specifid field. That surfaced in a preceeding whitespace of each log line which broke the system tests. * Alter the system tests to make sure that the k8s-file and the journald logging drivers are executed. * A number of e2e tests have been changed to force the k8s-file driver to make them pass when running inside a root container. * Increase the timeout in a kill test which seems to take longer now. Reasons are unknown. Tests passed earlier and no signal-related changes happend. It may be CI VM flake since some system tests but other flaked. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | fix restart always with slirp4netnsPaul Holzinger2021-05-11
|/ | | | | | | | | | | | When a container is automatically restarted due its restart policy and the container used the slirp4netns netmode, the slirp4netns process died. This caused the container to lose network connectivity. To fix this we have to start a new slirp4netns process. Fixes #8047 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* fix container startup for empty pidfilePaul Holzinger2021-05-10
| | | | | | | | | | | | | | Commit 728b73d7c418 introduced a regression. Containers created with a previous version do no longer start successfully. The problem is that the PidFile in the container config is empty for those containers. If the PidFile is empty we have to set it to the previous default. [NO TESTS NEEDED] We should investigate why the system upgrade test did not caught this. Fixes #10274 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #10202 from EduardoVega/9763-kube-auto-updateOpenShift Merge Robot2021-05-07
|\ | | | | Add support to preserve auto-update labels in play / generate kube
| * Adds support to preserve auto update labels in generate and play kubeEduardo Vega2021-05-06
| | | | | | | | | | | | In the case of generate kube the auto-update labels will be converted into kube annotations and for play kube they will be converted back to labels since that's what podman understands Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
* | Merge pull request #10221 from ashley-cui/envsecOpenShift Merge Robot2021-05-07
|\ \ | | | | | | Add support for environment variable secrets
| * | Add support for environment variable secretsAshley Cui2021-05-06
| | | | | | | | | | | | | | | | | | | | | | | | Env var secrets are env vars that are set inside the container but not commited to and image. Also support reading from env var when creating a secret. Signed-off-by: Ashley Cui <acui@redhat.com>
* | | Merge pull request #10238 from bacher09/fix-inf-loopOpenShift Merge Robot2021-05-07
|\ \ \ | | | | | | | | Fix infinite loop in isPathOnVolume
| * | | Fix infinite loop in isPathOnVolumeSlava Bacherikov2021-05-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | filepath.Dir in some cases returns `.` symbol and calling this function again returns same result. In such cases this function never returns and causes some operations to stuck forever. Closes #10216 Signed-off-by: Slava Bacherikov <slava@bacher09.org>
* | | | Revert Patch to relabel if selinux not enabledDaniel J Walsh2021-05-06
| |_|/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | Revert : https://github.com/containers/podman/pull/9895 Turns out that if Docker is in --selinux-enabeled, it still relabels if the user tells the system to, even if running a --privileged container or if the selinux separation is disabled --security-opt label=disable. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #9689 from boaz0/boaz-1OpenShift Merge Robot2021-05-06
|\ \ \ | | | | | | | | add restart-policy to container filters & --filter to podman start
| * | | Add restart-policy to container filters & --filter to podman startBoaz Shuster2021-05-06
| | | | | | | | | | | | | | | | Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
* | | | cgroup: fix rootless --cgroup-parent with podsGiuseppe Scrivano2021-05-06
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | extend to pods the existing check whether the cgroup is usable when running as rootless with cgroupfs. commit 17ce567c6827abdcd517699bc07e82ccf48f7619 introduced the regression. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / / codespell cleanupDaniel J Walsh2021-05-05
|/ / | | | | | | | | | | [NO TESTS NEEDED] This is just running codespell on podman Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #10220 from giuseppe/rm-volatileOpenShift Merge Robot2021-05-05
|\ \ | | | | | | podman: set volatile storage flag for --rm containers
| * | podman: set volatile storage flag for --rm containersGiuseppe Scrivano2021-05-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | volatile containers are a storage optimization that disables *sync() syscalls for the container rootfs. If a container is created with --rm, then automatically set the volatile storage flag as anyway the container won't persist after a reboot or machine crash. [NO TESTS NEEDED] Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | migrate Podman to containers/common/libimageValentin Rothberg2021-05-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Migrate the Podman code base over to `common/libimage` which replaces `libpod/image` and a lot of glue code entirely. Note that I tried to leave bread crumbs for changed tests. Miscellaneous changes: * Some errors yield different messages which required to alter some tests. * I fixed some pre-existing issues in the code. Others were marked as `//TODO`s to prevent the PR from exploding. * The `NamesHistory` of an image is returned as is from the storage. Previously, we did some filtering which I think is undesirable. Instead we should return the data as stored in the storage. * Touched handlers use the ABI interfaces where possible. * Local image resolution: previously Podman would match "foo" on "myfoo". This behaviour has been changed and Podman will now only match on repository boundaries such that "foo" would match "my/foo" but not "myfoo". I consider the old behaviour to be a bug, at the very least an exotic corner case. * Futhermore, "foo:none" does *not* resolve to a local image "foo" without tag anymore. It's a hill I am (almost) willing to die on. * `image prune` prints the IDs of pruned images. Previously, in some cases, the names were printed instead. The API clearly states ID, so we should stick to it. * Compat endpoint image removal with _force_ deletes the entire not only the specified tag. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #10177 from giuseppe/always-honor-cgroup-parentOpenShift Merge Robot2021-05-03
|\ \ \ | | | | | | | | cgroup: always honor --cgroup-parent
| * | | cgroup: always honor --cgroup-parent with cgroupfsGiuseppe Scrivano2021-05-03
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | if --cgroup-parent is specified, always honor it without doing any detection whether cgroups are supported or not. Closes: https://github.com/containers/podman/issues/10173 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / / Detect if in podman machine virtual vmBrent Baude2021-04-30
|/ / | | | | | | | | | | | | | | | | | | | | | | When in podman machine virtual machines, podman needs to be able to detect as such. One implementation for this is when creating networks, the podman-machine cni plugin needs to be added to the configuration. This PR also includes the latest containers-common. [NO TESTS NEEDED] Signed-off-by: Brent Baude <bbaude@redhat.com>
* | Use seccomp_profile as default profile if defined in containers.confPablo Correa Gómez2021-04-28
| | | | | | | | | | | | | | Edits `podman info` to provide the default seccomp profile detected in the output Signed-off-by: Pablo Correa Gómez <ablocorrea@hotmail.com>
* | Merge pull request #10119 from rhatdan/timeoutOpenShift Merge Robot2021-04-27
|\ \ | | | | | | Add podman run --timeout option
| * | Add podman run --timeout optionDaniel J Walsh2021-04-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | This option allows users to specify the maximum amount of time to run before conmon sends the kill signal to the container. Fixes: https://github.com/containers/podman/issues/6412 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>