summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Merge pull request #4380 from giuseppe/rootless-create-cgroup-for-conmonOpenShift Merge Robot2019-10-30
|\ | | | | libpod, rootless: create cgroup for conmon
| * libpod, rootless: create cgroup for conmonGiuseppe Scrivano2019-10-30
| | | | | | | | | | | | | | | | always create a new cgroup for conmon also when running as rootless. We were previously creating one only when necessary, but that behaves differently than root containers. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #4305 from mheon/fix_volume_mountOpenShift Merge Robot2019-10-30
|\ \ | | | | | | Wait for `mount` command to finish when mounting volume
| * | Wait for `mount` command to finish when mounting volumeMatthew Heon2019-10-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | command.Start() just starts the command. That catches some errors, but the nasty ones - bad options and similar - happen when the command runs. Use CombinedOutput() instead - it waits for the command to exit, and thus catches non-0 exit of the `mount` command (invalid options, for example). STDERR from the `mount` command is directly used, which isn't necessarily the best, but we can't really get much more info on what went wrong. Fixes #4303 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #4372 from rhatdan/execOpenShift Merge Robot2019-10-30
|\ \ \ | |_|/ |/| | Processes execed into container should match container label
| * | Processes execed into container should match container labelDaniel J Walsh2019-10-29
| | | | | | | | | | | | | | | | | | Processes execed into a container were not being run with the correct label. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Set default seccomp.json file for podman play kubeDaniel J Walsh2019-10-29
| | | | | | | | | | | | | | | | | | | | | Currently podman play kube is not using the system default seccomp.json file. This PR will use the default or override location for podman play. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | images: distinguish between tags and digestsNalin Dahyabhai2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | Generate an image's RepoDigests list using all applicable digests, and refrain from outputting a digest in the tag column of the "images" output. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | | API: report multiple digests for imagesNalin Dahyabhai2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | Be prepared to report multiple image digests for images which contain multiple manifests but, because they continue to have the same set of layers and the same configuration, are considered to be the same image. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | | pull/create: add --override-arch/--override-os flagsNalin Dahyabhai2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | Add --override-arch and --override-os as hidden flags, in line with the global flag names that skopeo uses, so that we can test behavior around manifest lists without having to conditionalize more of it by arch. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | | image: don't get confused by listsNalin Dahyabhai2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | When an image can be opened as an ImageSource but not an Image, handle the case where it's an image list all by itself, the case where it's an image for a different architecture/OS combination, or the case where it's both. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | | bump containers/image to v5.0.0, buildah to v1.11.4Nalin Dahyabhai2019-10-29
|/ / | | | | | | | | | | | | | | | | Move to containers/image v5 and containers/buildah to v1.11.4. Replace an equality check with a type assertion when checking for a docker.ErrUnauthorizedForCredentials in `podman login`. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* | Merge pull request #3792 from haircommander/minimum-conmonOpenShift Merge Robot2019-10-29
|\ \ | | | | | | require conmon v2.0.1
| * | require conmon v2.0.1Peter Hunt2019-10-28
| | | | | | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * | require conmon v2.0.0Peter Hunt2019-10-28
| | | | | | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | Merge pull request #4350 from giuseppe/slirp4netnslogOpenShift Merge Robot2019-10-29
|\ \ \ | | | | | | | | libpod: if slirp4netns fails, return its stderr
| * | | libpod: if slirp4netns fails, return its outputGiuseppe Scrivano2019-10-29
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | read the slirp4netns stderr and propagate it in the error when the process fails. Replace: https://github.com/containers/libpod/pull/4338 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #4355 from mheon/ensure_stateOpenShift Merge Robot2019-10-28
|\ \ \ | | | | | | | | Add ensureState helper for checking container state
| * | | Add ensureState helper for checking container stateMatthew Heon2019-10-28
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We have a lot of checks for container state scattered throughout libpod. Many of these need to ensure the container is in one of a given set of states so an operation may safely proceed. Previously there was no set way of doing this, so we'd use unique boolean logic for each one. Introduce a helper to standardize state checks. Note that this is only intended to replace checks for multiple states. A simple check for one state (ContainerStateRunning, for example) should remain a straight equality, and not use this new helper. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #4331 from mheon/sane_rename_errorOpenShift Merge Robot2019-10-28
|\ \ \ | |/ / |/| | Return a better error for volume name conflicts
| * | Return a better error for volume name conflictsMatthew Heon2019-10-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When you try and create a new volume with the name of a volume that already exists, you presently get a thoroughly unhelpful error from `mkdir` as the volume attempts to create the directory it will be mounted at. An EEXIST out of mkdir is not particularly helpful to Podman users - it doesn't explain that the name is already taken by another volume. The solution here is potentially racy as the runtime is not locked, so someone else could take the name while we're still getting things set up, but that's a narrow timing window, and we will still return an error - just an error that's not as good as this one. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | systemd: mask /sys/fs/cgroup/systemd/release_agentGiuseppe Scrivano2019-10-25
| | | | | | | | | | | | | | | | | | | | | | | | when running in systemd mode on cgroups v1, make sure the /sys/fs/cgroup/systemd/release_agent is masked otherwise the container is able to modify it and execute scripts on the host. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #4333 from giuseppe/error-rootless-cniOpenShift Merge Robot2019-10-24
|\ \ \ | | | | | | | | rootless: raise an error with --network=
| * | | rootless: raise an error with --network=Giuseppe Scrivano2019-10-24
| |/ / | | | | | | | | | | | | | | | Closes: https://github.com/containers/libpod/issues/4332 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #4228 from giuseppe/detect-no-systemd-sessionOpenShift Merge Robot2019-10-24
|\ \ \ | | | | | | | | rootless: detect no system session with --cgroup-manager=systemd
| * | | rootless: detect no system session with --cgroup-manager=systemdGiuseppe Scrivano2019-10-23
| | |/ | |/| | | | | | | | | | | | | | | | if the cgroup manager is set to systemd, detect if dbus is available, otherwise fallback to --cgroup-manager=cgroupfs. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Add parsing for UID, GID in volume "o" optionMatthew Heon2019-10-22
| |/ |/| | | | | | | | | | | Everything else is a flag to mount, but "uid" and "gid" are not. We need to parse them out of "o" and handle them separately. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #4287 from mheon/anonymous_volumesOpenShift Merge Robot2019-10-22
|\ \ | | | | | | Add support for anonymous volumes to `podman run -v`
| * | Add support for anonymous volumes to `podman run -v`Matthew Heon2019-10-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, when `podman run` encountered a volume mount without separate source and destination (e.g. `-v /run`) we would assume that both were the same - a bind mount of `/run` on the host to `/run` in the container. However, this does not match Docker's behavior - in Docker, this makes an anonymous named volume that will be mounted at `/run`. We already have (more limited) support for these anonymous volumes in the form of image volumes. Extend this support to allow it to be used with user-created volumes coming in from the `-v` flag. This change also affects how named volumes created by the container but given names are treated by `podman run --rm` and `podman rm -v`. Previously, they would be removed with the container in these cases, but this did not match Docker's behaviour. Docker only removed anonymous volumes. With this patch we move to that model as well; `podman run -v testvol:/test` will not have `testvol` survive the container being removed by `podman rm -v`. The sum total of these changes let us turn on volume removal in `--rm` by default. Fixes: #4276 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #4313 from haircommander/unused-varOpenShift Merge Robot2019-10-22
|\ \ \ | | | | | | | | exec: remove unused var
| * | | exec: remove unused varPeter Hunt2019-10-21
| | |/ | |/| | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | Merge pull request #4284 from mheon/fix_vol_inspectOpenShift Merge Robot2019-10-21
|\ \ \ | | | | | | | | Show volume options in 'volume inspect'
| * | | Show volume options in 'volume inspect'Matthew Heon2019-10-18
| | |/ | |/| | | | | | | | | | | | | | | | We initialized the map to show them, but didn't actually copy them in, so they weren't being displayed. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #4309 from giuseppe/write-storage-overridesOpenShift Merge Robot2019-10-21
|\ \ \ | |_|/ |/| | rootless: write storage overrides to the conf file
| * | rootless: write storage overrides to the conf fileGiuseppe Scrivano2019-10-21
| |/ | | | | | | | | | | | | | | | | make sure the user overrides are stored in the configuration file when first created. Closes: https://github.com/containers/libpod/issues/2659 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / rootless: do not enable lingering modeGiuseppe Scrivano2019-10-17
|/ | | | | | | | do not automatically enable lingering mode. Closes: https://github.com/containers/libpod/issues/4224 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4273 from mheon/no_runtimeOpenShift Merge Robot2019-10-16
|\ | | | | Add a MissingRuntime implementation
| * Add a MissingRuntime implementationMatthew Heon2019-10-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a container is created with a given OCI runtime, but then it is uninstalled or removed from the configuration file, Libpod presently reacts very poorly. The EvictContainer code can potentially remove these containers, but we still can't see them in `podman ps` (aside from the massive logrus.Errorf messages they create). Providing a minimal OCI runtime implementation for missing runtimes allows us to behave better. We'll be able to retrieve containers from the database, though we still pop up an error for each missing runtime. For containers which are stopped, we can remove them as normal. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #4272 from baude/rootlesstatsnetOpenShift Merge Robot2019-10-16
|\ \ | | | | | | rootless v2 cannot collect network stats
| * | rootless v2 cannot collect network statsbaude2019-10-15
| |/ | | | | | | | | | | | | | | | | | | network statistics cannot be collected for rootless network devices with the current implementation. for now, we return nil so that stats will at least for users. Fixes:#4268 Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #4256 from mheon/fix_volumesOpenShift Merge Robot2019-10-16
|\ \ | |/ |/| Ensure volumes can be removed when they fail to unmount
| * Ensure volumes can be removed when they fail to unmountMatthew Heon2019-10-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Also, ensure that we don't try to mount them without root - it appears that it can somehow not error and report that mount was successful when it clearly did not succeed, which can induce this case. We reuse the `--force` flag to indicate that a volume should be removed even after unmount errors. It seems fairly natural to expect that --force will remove a volume that is otherwise presenting problems. Finally, ignore EINVAL on unmount - if the mount point no longer exists our job is done. Fixes: #4247 Fixes: #4248 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | inspect: rename ImageID go field to ImageValentin Rothberg2019-10-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The json field is called `Image` while the go field is called `ImageID`, tricking users into filtering for `Image` which ultimately results in an error. Hence, rename the field to `Image` to align json and go. To prevent podman users from regressing, rename `Image` to `ImageID` in the specified filters. Add tests to prevent us from regressing. Note that consumers of the go API that are using `ImageID` are regressing; ultimately we consider it to be a bug fix. Fixes: #4193 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #4262 from nalind/error-causeDaniel J Walsh2019-10-15
|\ \ | | | | | | Unwrap errors before comparing them
| * | Unwrap errors before comparing themNalin Dahyabhai2019-10-14
| |/ | | | | | | | | | | | | Unwrap errors before directly comparing them with errors defined by the storage and image libraries. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* / change error wording when conmon fails without logsValentin Rothberg2019-10-14
|/ | | | | | | | | | | | | | In some cases, conmon can fail without writing logs. Change the wording of the error message from "error reading container (probably exited) json message" to "container create failed (no logs from conmon)" to have a more helpful error message that is more consistent with other errors at that stage of execution. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #4220 from mheon/null_runtimeOpenShift Merge Robot2019-10-11
|\ | | | | Move OCI runtime implementation behind an interface
| * When restoring containers, reset cgroup pathMatthew Heon2019-10-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, `podman checkport restore` with exported containers, when told to create a new container based on the exported checkpoint, would create a new container, with a new container ID, but not reset CGroup path - which contained the ID of the original container. If this was done multiple times, the result was two containers with the same cgroup paths. Operations on these containers would this have a chance of crossing over to affect the other one; the most notable was `podman rm` once it was changed to use the --all flag when stopping the container; all processes in the cgroup, including the ones in the other container, would be stopped. Reset cgroups on restore to ensure that the path matches the ID of the container actually being run. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Move OCI runtime implementation behind an interfaceMatthew Heon2019-10-10
| | | | | | | | | | | | | | | | | | | | | | | | For future work, we need multiple implementations of the OCI runtime, not just a Conmon-wrapped runtime matching the runc CLI. As part of this, do some refactoring on the interface for exec (move to a struct, not a massive list of arguments). Also, add 'all' support to Kill and Stop (supported by runc and used a bit internally for removing containers). Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #4221 from mheon/reset_runtimeOpenShift Merge Robot2019-10-11
|\ \ | | | | | | Migrate can move containers to a user-defined runtime