summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* userns: do not use an intermediate mount namespaceGiuseppe Scrivano2019-03-29
| | | | | | | | | | | | | | We have an issue in the current implementation where the cleanup process is not able to umount the storage as it is running in a separate namespace. Simplify the implementation for user namespaces by not using an intermediate mount namespace. For doing it, we need to relax the permissions on the parent directories and allow browsing them. Containers that are running without a user namespace, will still maintain mode 0700 on their directory. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* volumes: push the chown logic to runtime_volume_linux.goGiuseppe Scrivano2019-03-29
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2575 from haircommander/hotfix_play_kubeOpenShift Merge Robot2019-03-29
|\ | | | | Default to SELinux private label for play kube mounts
| * Default to SELinux private label for play kube mountsPeter Hunt2019-03-28
| | | | | | | | | | | | | | | | | | | | Before, there were SELinux denials when a volume was bind-mounted by podman play kube. Partially fix this by setting the default private label for mounts created by play kube (with DirectoryOrCreate) For volumes mounted as Directory, the user will have to set their own SELinux permissions on the mount point also remove left over debugging print statement Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | Merge pull request #2796 from mheon/fix_cni_multinetworkOpenShift Merge Robot2019-03-29
|\ \ | | | | | | Ensure that we make a netns for CNI non-default nets
| * | Ensure that we make a netns for CNI non-default netsMatthew Heon2019-03-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We accidentally patched this out trying to enable ns:/path/to/ns This should restore the ability to configure nondefault CNI networks with Podman, by ensuring that they request creation of a network namespace. Completely remove the WithNetNS() call when we do use an explicit namespace from a path. We use that call to indicate that a netns is going to be created - there should not be any question about whether it actually does. Fixes #2795 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #2786 from giuseppe/change-rootless-env-namesOpenShift Merge Robot2019-03-28
|\ \ \ | |/ / |/| | rootless: change env prefix
| * | rootless: change env prefixGiuseppe Scrivano2019-03-28
| |/ | | | | | | | | | | | | | | | | | | from _LIBPOD to _CONTAINERS. The same change was done in buildah unshare. This is necessary for podman to detect we are running in a rootless environment and work properly from a "buildah unshare" session. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | vendor buildah, image, storage, cniValentin Rothberg2019-03-28
| | | | | | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Remove ulele/deepcopier in favor of JSON deep copyMatthew Heon2019-03-27
|/ | | | | | | | | | | | | We have a very high performance JSON library that doesn't need to perform code generation. Let's use it instead of our questionably performant, reflection-dependent deep copy library. Most changes because some functions can now return errors. Also converts cmd/podman to use jsoniter, instead of pkg/json, for increased performance. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Resolve review commentsMatthew Heon2019-03-27
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add support to disable creation of network config filesMatthew Heon2019-03-27
| | | | | | | | Specifically, we want to be able to specify whether resolv.conf and /etc/hosts will be create and bind-mounted into the container. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add "died" eventbaude2019-03-25
| | | | | | | | | | We have a new event for container 'Exited' which has been renamed to 'died'. also removed the stream bool from the varlink endpoint for events because it can be determined by the varlink more value. Signed-off-by: baude <bbaude@redhat.com>
* podman health check phase3baude2019-03-22
| | | | | | | | | | | | | | | | podman will not start a transient service and timer for healthchecks. this handles the tracking of the timing for health checks. added the 'started' status which represents the time that a container is in its start-period. the systemd timing can be disabled with an env variable of DISABLE_HC_SYSTEMD="true". added filter for ps where --filter health=[starting, healthy, unhealthy] can now be used. Signed-off-by: baude <bbaude@redhat.com>
* userns: use the intermediate mountns for volumesGiuseppe Scrivano2019-03-21
| | | | | | | | | | | when --uidmap is used, the user won't be able to access /var/lib/containers/storage/volumes. Use the intermediate mount namespace, that is accessible to root in the container, for mounting the volumes inside the container. Closes: https://github.com/containers/libpod/issues/2713 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* volume: create new volumes with right ownershipGiuseppe Scrivano2019-03-21
| | | | | | | when we create a new volume we must be sure it is owned by root in the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* fix Bug 1688041-podman image save removes existing imageQi Wang2019-03-20
| | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* ps: fix segfault if the store is not initializedGiuseppe Scrivano2019-03-19
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Export ConmonPidFile in 'podman inspect' for containersDebarshi Ray2019-03-18
| | | | | | | | | This can help scripts provide a more meaningful message when coming across issues [1] which require the container to be re-created. [1] eg., https://github.com/containers/libpod/issues/2673 Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
* podman logs on created container should exitbaude2019-03-18
| | | | | | | | | | | when running podman logs on a created container (which has no logs), podman should return gracefully (like docker) with a 0 return code. if multiple containers are provided and one is only in the created state (and no follow is used), we still display the logs for the other ids. fixes issue #2677 Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #2670 from giuseppe/runtime-write-rootless-conf-before-reloadOpenShift Merge Robot2019-03-18
|\ | | | | rootless: write the custom config file before reload
| * utils: split generation and writing of storage.confGiuseppe Scrivano2019-03-17
| | | | | | | | | | | | | | | | | | | | | | | | | | split the generation for the default storage.conf and when we write it if not existing for a rootless user. This is necessary because during the startup we might be overriding the default configuration through --storage-driver and --storage-opt, that would not be written down to the storage.conf file we generated. Closes: https://github.com/containers/libpod/issues/2659 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * rootless: write the custom config file before reloadGiuseppe Scrivano2019-03-15
| | | | | | | | | | | | | | so that when we do a rootlessReload we inherit the correct settings from the command line. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #2620 from baude/multilogsOpenShift Merge Robot2019-03-16
|\ \ | | | | | | display logs for multiple containers at the same time
| * | Integration test tweaksbaude2019-03-15
| | | | | | | | | | | | | | | | | | | | | Wait for more than 1 second on podman info to complete. Also, add clarification to why slirp fails. Signed-off-by: baude <bbaude@redhat.com>
| * | display logs for multiple containers at the same timebaude2019-03-15
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | add the ability for users to specify more than one container at a time while using podman logs. If more than one container is being displayed, podman will also prepend a shortened container id of the container on the log line. also, enabled the podman-remote logs command during the refactoring of the above ability. fixes issue #2219 Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #2658 from mheon/sctpOpenShift Merge Robot2019-03-16
|\ \ | | | | | | Add support for SCTP port forwarding
| * | Add support for SCTP port forwardingMatthew Heon2019-03-15
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | SCTP is already present and enabled in the CNI plugins, so all we need to do to add support is not error on attempting to bind ports to reserve them. I investigated adding this binding for SCTP, but support for SCTP in Go is honestly a mess - there's no widely-supported library for doing it that will do what we need. For now, warn that port reservation for SCTP is not supported and forward the ports. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #2675 from giuseppe/rootless-use-readable-path-for-conmonOpenShift Merge Robot2019-03-16
|\ \ | | | | | | rootless: change default path for conmon.pid
| * | rootless: change default path for conmon.pidGiuseppe Scrivano2019-03-15
| |/ | | | | | | | | | | | | | | | | | | | | | | We cannot use the RunDir for writing the conmon.pid file as we might not be able to read it before we join a namespace, since it is owned by the root in the container which can be a different uid when using uidmap. To avoid completely the issue, we will just write it to the static dir which is always readable by the unprivileged user. Closes: https://github.com/containers/libpod/issues/2673 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / Make sure buildin volumes have the same ownership and permissions as imageDaniel J Walsh2019-03-15
|/ | | | | | | | | | | | When creating a new image volume to be mounted into a container, we need to make sure the new volume matches the Ownership and permissions of the path that it will be mounted on. For example if a volume inside of a containre image is owned by the database UID, we want the volume to be mounted onto the image to be owned by the database UID. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #2617 from giuseppe/fix-with-configOpenShift Merge Robot2019-03-15
|\ | | | | runtime: fill the runtime config with sane defaults
| * rootless: do not override user settingsGiuseppe Scrivano2019-03-15
| | | | | | | | | | | | | | | | | | if the settings are available in the user config file, do not override them with the global configuration. Closes: https://github.com/containers/libpod/issues/2614 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * runtime: refactor NewRuntime and NewRuntimeFromConfigGiuseppe Scrivano2019-03-15
| | | | | | | | | | | | | | | | | | | | we had two functions NewRuntimeFromConfig and NewRuntime that differed only for the config file they use. Move comon logic to newRuntimeFromConfig and let it lookup the configuration file to use when one is not specified. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * events: use os.SEEK_END instead of its valueGiuseppe Scrivano2019-03-15
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | container: check containerInfo.Config before accessing itGiuseppe Scrivano2019-03-15
|/ | | | | | | | | check that containerInfo.Config is not nil before trying to access it. Closes: https://github.com/containers/libpod/issues/2654 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: fix CI regression when using slirp4netnsGiuseppe Scrivano2019-03-14
| | | | | | | | | | Older versions of slirp4netns do not have the --disable-host-loopback flag. Remove the check once we are sure the updated version is available everywhere. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1642 from kunalkushwaha/image-treeOpenShift Merge Robot2019-03-14
|\ | | | | Tree implementation for podman images
| * Tree implementation for podman imagesKunal Kushwaha2019-03-14
| | | | | | | | Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
* | slirp4netns: use --disable-host-loopbackGiuseppe Scrivano2019-03-14
| | | | | | | | | | | | Closes: https://github.com/containers/libpod/issues/2642 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | slirp4netns: set mtu to 65520Giuseppe Scrivano2019-03-14
| | | | | | | | | | | | | | | | | | | | it improves significantly the performance of the slirp4netns network: https://github.com/rootless-containers/slirp4netns/tree/777bdccceffa5bee38dbfd9eefc06628cc160ff6#iperf3-netns---host Closes: https://github.com/containers/libpod/issues/1732 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #2621 from mheon/event_on_deathOpenShift Merge Robot2019-03-13
|\ \ | | | | | | Add event on container death
| * | Add event on container deathMatthew Heon2019-03-13
| |/ | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #2622 from baude/protectdarwinOpenShift Merge Robot2019-03-13
|\ \ | | | | | | Add gating tasks
| * | Add gating tasksbaude2019-03-13
| |/ | | | | | | | | | | | | | | | | | | | | to protect against regressions, we need to add a few gating tasks: * build with varlink * build podman-remote * build podman-remote-darwin we already have a gating task for building without varlink Signed-off-by: baude <bbaude@redhat.com>
* / Vendor docker/docker, fsouza and more #2TomSweeneyRedHat2019-03-13
|/ | | | | | | | | | | | Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com> Vendors in fsouza/docker-client, docker/docker and a few more related. Of particular note, changes to the TweakCapabilities() function from docker/docker along with the parse.IDMappingOptions() function from Buildah. Please pay particular attention to the related changes in the call from libpod to those functions during the review. Passes baseline tests.
* Merge pull request #2562 from baude/healtcheckphase2OpenShift Merge Robot2019-03-12
|\ | | | | healthcheck phase 2
| * healtcheck phase 2baude2019-03-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | integration of healthcheck into create and run as well as inspect. healthcheck enhancements are as follows: * add the following options to create|run so that non-docker images can define healthchecks at the container level. * --healthcheck-command * --healthcheck-retries * --healthcheck-interval * --healthcheck-start-period * podman create|run --healthcheck-command=none disables healthcheck as described by an image. * the healthcheck itself and the healthcheck "history" can now be observed in podman inspect * added the wiring for healthcheck history which logs the health history of the container, the current failed streak attempts, and log entries for the last five attempts which themselves have start and stop times, result, and a 500 character truncated (if needed) log of stderr/stdout. The timings themselves are not implemented in this PR but will be in future enablement (i.e. next). Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #2585 from giuseppe/build-honor-netOpenShift Merge Robot2019-03-12
|\ \ | | | | | | build: honor --net
| * | slirp4netns: add builtin DNS server to resolv.confGiuseppe Scrivano2019-03-11
| | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>