summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Merge pull request #8156 from mheon/add_net_aliases_dbOpenShift Merge Robot2020-11-04
|\ | | | | Add network aliases for containers to DB
| * Add tests for network aliasesMatthew Heon2020-11-03
| | | | | | | | | | | | | | | | | | | | | | | | As part of this, we need two new functions, for retrieving all aliases for a network and removing all aliases for a network, both required to test. Also, rework handling for some things the tests discovered were broken (notably conflicts between container name and existing aliases). Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Add a way to retrieve all network aliases for a ctrMatthew Heon2020-10-27
| | | | | | | | | | | | | | | | | | The original interface only allowed retrieving aliases for a specific network, not for all networks. This will allow aliases to be retrieved for every network the container is present in, in a single DB operation. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Add network aliases for containers to DBMatthew Heon2020-10-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds the database backend for network aliases. Aliases are additional names for a container that are used with the CNI dnsname plugin - the container will be accessible by these names in addition to its name. Aliases are allowed to change over time as the container connects to and disconnects from networks. Aliases are implemented as another bucket in the database to register all aliases, plus two buckets for each container (one to hold connected CNI networks, a second to hold its aliases). The aliases are only unique per-network, to the global and per-container aliases buckets have a sub-bucket for each CNI network that has aliases, and the aliases are stored within that sub-bucket. Aliases are formatted as alias (key) to container ID (value) in both cases. Three DB functions are defined for aliases: retrieving current aliases for a given network, setting aliases for a given network, and removing all aliases for a given network. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Make volume filters inclusiveAshley Cui2020-11-03
| | | | | | | | | | | | | | | | When using multiple filters, return a volume that matches any one of the used filters, rather than matching both of the filters. This is for compatibility with docker's cli, and more importantly, the apiv2 compat endpoint Closes #6765 Signed-off-by: Ashley Cui <acui@redhat.com>
* | Merge pull request #8166 from rhatdan/unbindableOpenShift Merge Robot2020-11-02
|\ \ | | | | | | Allow users to mount with unbindable flag
| * | Add better support for unbindable volume mountsDaniel J Walsh2020-11-02
| | | | | | | | | | | | | | | | | | | | | | | | Allow users to specify unbindable on volume command line Switch internal mounts to rprivate to help prevent leaks. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Centralize cores and period/quota conversion codeJordan Christiansen2020-10-31
|/ / | | | | | | Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
* | Merge pull request #8203 from Luap99/fix-8194OpenShift Merge Robot2020-10-31
|\ \ | | | | | | Fix dnsname when joining a different network namespace in a pod
| * | Fix dnsname when joining a different network namespace in a podPaul Holzinger2020-10-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When creating a container in a pod the podname was always set as the dns entry. This is incorrect when the container is not part of the pods network namespace. This happend both rootful and rootless. To fix this check if we are part of the pods network namespace and if not use the container name as dns entry. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #8177 from rhatdan/wrapOpenShift Merge Robot2020-10-30
|\ \ \ | | | | | | | | Stop excessive wrapping of errors
| * | | Stop excessive wrapping of errorsDaniel J Walsh2020-10-30
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Most of the builtin golang functions like os.Stat and os.Open report errors including the file system object path. We should not wrap these errors and put the file path in a second time, causing stuttering of errors when they get presented to the user. This patch tries to cleanup a bunch of these errors. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #8127 from ↵OpenShift Merge Robot2020-10-30
|\ \ \ | | | | | | | | | | | | | | | | andylibrian/grab-systemd-mount-flags-from-the-host-7661 Improve setupSystemd, grab mount options from the host
| * | | Improve setupSystemd, grab mount options from the hostAndy Librian2020-10-30
| |/ / | | | | | | | | | | | | | | | fixes #7661 Signed-off-by: Andy Librian <andylibrian@gmail.com>
* / / Pod's that share the IPC Namespace need to share /dev/shmDaniel J Walsh2020-10-30
|/ / | | | | | | | | | | | | | | | | | | | | | | | | Containers that share IPC Namespaces share each others /dev/shm, which means a private /dev/shm needs to be setup for the infra container. Added a system test and an e2e test to make sure the /dev/shm is shared. Fixes: https://github.com/containers/podman/issues/8181 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #8174 from rhatdan/errorsOpenShift Merge Robot2020-10-29
|\ \ | | | | | | Podman often reports OCI Runtime does not exist, even if it does
| * | Podman often reports OCI Runtime does not exist, even if it doesDaniel J Walsh2020-10-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the OCI Runtime tries to set certain settings in cgroups it can get the error "no such file or directory", the wrapper ends up reporting a bogus error like: ``` Request Failed(Internal Server Error): open io.max: No such file or directory: OCI runtime command not found error {"cause":"OCI runtime command not found error","message":"open io.max: No such file or directory: OCI runtime command not found error","response":500} ``` On first reading of this, you would think the OCI Runtime (crun or runc) were not found. But the error is actually reporting message":"open io.max: No such file or directory Which is what we want the user to concentrate on. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #8146 from vrothberg/image-mountsOpenShift Merge Robot2020-10-29
|\ \ \ | | | | | | | | new "image" mount type
| * | | new "image" mount typeValentin Rothberg2020-10-29
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a new "image" mount type to `--mount`. The source of the mount is the name or ID of an image. The destination is the path inside the container. Image mounts further support an optional `rw,readwrite` parameter which if set to "true" will yield the mount writable inside the container. Note that no changes are propagated to the image mount on the host (which in any case is read only). Mounts are overlay mounts. To support read-only overlay mounts, vendor a non-release version of Buildah. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #8178 from rhatdan/existsOpenShift Merge Robot2020-10-29
|\ \ \ | |/ / |/| | NewFromLocal can return multiple images
| * | NewFromLocal can return multiple imagesDaniel J Walsh2020-10-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If you use additional stores and pull the same image into writable stores, you can end up with the situation where you have the same image twice. This causes image exists to return the wrong error. It should return true in this situation rather then an error. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #8163 from giuseppe/clean-pathOpenShift Merge Robot2020-10-29
|\ \ \ | | | | | | | | libpod: clean paths before check
| * | | libpod: clean paths before checkGiuseppe Scrivano2020-10-28
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | clean the paths before checking whether its value is different than what is stored in the db. Closes: https://github.com/containers/podman/issues/8160 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #8081 from mheon/pod_degradedOpenShift Merge Robot2020-10-28
|\ \ \ | |/ / |/| | Add a Degraded state to pods
| * | Add a Degraded state to podsMatthew Heon2020-10-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make a distinction between pods that are completely running (all containers running) and those that have some containers going, but not all, by introducing an intermediate state between Stopped and Running called Degraded. A Degraded pod has at least one, but not all, containers running; a Running pod has all containers running. First step to a solution for #7213. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Ensure that attach ready channel does not blockMatthew Heon2020-10-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We only use this channel in terminal attach, and it was not a buffered channel originally, so it would block on trying to send unless a receiver was ready. In the non-terminal case, there was no receiver, so attach blocked forever. Buffer the channel for a single bool so that it will never block, even if unused. Fixes #8154 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Improve the journal event readingPaul Holzinger2020-10-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix the AddMatch/SeekTail conflict. This prevents reading unnecessary journal entries which could cause errors. Also wrap the sdjournal errors to provide better error messages. Fixes #8125 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | filter events by labelsbaude2020-10-23
| |/ |/| | | | | | | | | adding the ability to filter evens by the container labels. this requires that container labels be added to the events data being recorded and subsequently read. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #8111 from Luap99/fix-missing-resolv.confOpenShift Merge Robot2020-10-22
|\ \ | | | | | | Don't error if resolv.conf does not exists
| * | Don't error if resolv.conf does not existsPaul Holzinger2020-10-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If the resolv.conf file is empty we provide default dns servers. If the file does not exists we error and don't create the container. We should also provide the default entries in this case. This is also what docker does. Fixes #8089 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #8078 from baude/networkdisconnectOpenShift Merge Robot2020-10-22
|\ \ \ | |/ / |/| | APIv2 compatibility network connect|disconnect
| * | APIv2 compatibility network connect|disconnectbaude2020-10-22
| | | | | | | | | | | | | | | | | | Add endpoints for the compat layer for network connect and disconnect. As of now, these two endpoints do nothing to change the network state of a container. They do some basic data verification and return the proper 200 response. This at least allows for scripts to work on the compatibility layer instead of getting 404s. Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #8101 from mheon/net_none_hostnameOpenShift Merge Robot2020-10-22
|\ \ \ | | | | | | | | Add hostname to /etc/hosts for --net=none
| * | | Add hostname to /etc/hosts for --net=noneMatthew Heon2020-10-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This does not match Docker, which does not add hostname in this case, but it seems harmless enough. Fixes #8095 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #8098 from vrothberg/fix-8082OpenShift Merge Robot2020-10-22
|\ \ \ \ | | | | | | | | | | container create: record correct image name
| * | | | container create: record correct image nameValentin Rothberg2020-10-21
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Record the correct image name when creating a container by using the resolved image name if present. Otherwise, default to using the first available name or an empty string in which case the image must have been referenced by ID. Fixes: #8082 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | Merge pull request #7956 from QiWang19/save-rm-sigOpenShift Merge Robot2020-10-22
|\ \ \ \ | |_|/ / |/| | | Allow save image remove-signatures
| * | | save image remove signaturesQi Wang2020-10-21
| |/ / | | | | | | | | | | | | | | | | | | remove signatures to podman save since the image formats do not support signatures Close: #7659 Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | Merge pull request #7772 from TomSweeneyRedHat/dev/tsweeney/splitnOpenShift Merge Robot2020-10-21
|\ \ \ | |/ / |/| | Convert Split() calls with an equal sign to SplitN()
| * | Convert Split() calls with an equal sign to SplitN()TomSweeneyRedHat2020-10-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After seeing #7759, I decided to look at the calls in Podman and Buildah to see if we had issues with strings.Split() calls where an "=" (equals) sign was in play and we expected to split on only the first one. There were only one or two that I found in here that I think might have been troubling, the remainder are just adding some extra safety. I also had another half dozen or so that were checking length expectations appropriately, those I left alone. Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* | | Merge pull request #8075 from mheon/fix_8073OpenShift Merge Robot2020-10-20
|\ \ \ | | | | | | | | Retrieve network inspect info from dependency container
| * | | Retrieve network inspect info from dependency containerMatthew Heon2020-10-20
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a container either joins a pod that shares the network namespace or uses `--net=container:` to share the network namespace of another container, it does not have its own copy of the CNI results used to generate `podman inspect` output. As such, to inspect these containers, we should be going to the container we share the namespace with for network info. Fixes #8073 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #8067 from mheon/net_host_hostsOpenShift Merge Robot2020-10-20
|\ \ \ | |/ / |/| | Ensure that hostname is added to hosts with net=host
| * | Ensure that hostname is added to hosts with net=hostMatthew Heon2020-10-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a container uses --net=host the default hostname is set to the host's hostname. However, we were not creating any entries in `/etc/hosts` despite having a hostname, which is incorrect. This hostname, for Docker compat, will always be the hostname of the host system, not the container, and will be assigned to IP 127.0.1.1 (not the standard localhost address). Also, when `--hostname` and `--net=host` are both passed, still use the hostname from `--hostname`, not the host's hostname (we still use the host's hostname by default in this case if the `--hostname` flag is not passed). Fixes #8054 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #7126 from mheon/fix_missing_ociruntimeOpenShift Merge Robot2020-10-20
|\ \ \ | | | | | | | | Fix missing OCI Runtime
| * | | Re-create OCI runtimes by path when it is missingMatthew Heon2020-10-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When an OCI runtime is given by full path, we need to ensure we use the same runtime on subsequent use. Unfortunately, users are often not considerate enough to use the same `--runtime` flag every time they invoke runtime - and if the runtime was not in containers.conf, that means we don't have it stored inn the libpod Runtime. Fortunately, since we have the full path, we can initialize the OCI runtime for use at the point where we pull the container from the database. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | | When given OCI runtime by path, use path as nameMatthew Heon2020-10-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Say I start a container with the flag `--runtime /usr/local/sbin/crun`. I then stop the container, and restart it without the flag. We previously stored the runtime in use by a container only by basename when given a path, so the container only knows that it's using the `crun` OCI runtime - and on being restarted without the flag, it will use the system crun, not my special crun build. Using the full path as the name in these cases ensures we will still use the correct runtime, even on subsequent runs of Podman. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #7999 from mheon/signal_handlerOpenShift Merge Robot2020-10-20
|\ \ \ \ | |/ / / |/| | | Add a shutdown signal handler
| * | | Enforce LIFO ordering for shutdown handlersMatthew Heon2020-10-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This allows us to run both the Libpod and Server handlers at the same time without unregistering one. Also, pass the signal that killed us into the handlers, in case they want to use it to determine what to do (e.g. what exit code to set). Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | | Enable masking stop signals within container creationMatthew Heon2020-10-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Expand the use of the Shutdown package such that we now use it to handle signals any time we run Libpod. From there, add code to container creation to use the Inhibit function to prevent a shutdown from occuring during the critical parts of container creation. We also need to turn off signal handling when --sig-proxy is invoked - we don't want to catch the signals ourselves then, but instead to forward them into the container via the existing sig-proxy handler. Fixes #7941 Signed-off-by: Matthew Heon <mheon@redhat.com>