summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Make DB config validation an explicit stepMatthew Heon2018-12-02
| | | | | | | | | | Previously, we implicitly validated runtime configuration against what was stored in the database as part of database init. Make this an explicit step, so we can call it after the database has been initialized. This will allow us to retrieve paths from the database and use them to overwrite our defaults if they differ. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Move DB configuration up in runtime setupMatthew Heon2018-12-02
| | | | | | | When we configure a runtime, we now will need to hit the DB early on, so we can verify the paths we're going to use for c/storage are correct. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Add ability to retrieve runtime configuration from DBMatthew Heon2018-12-02
| | | | | | | | | | When we create a Libpod database, we store a number of runtime configuration fields in it. If we can retrieve those, we can use them to configure the runtime to match the DB instead of inbuilt defaults, helping to ensure that we don't error in cases where our compiled-in defaults changed. Signed-off-by: Matthew Heon <mheon@redhat.com>
* rootless: propagate XDG_RUNTIME_DIR to the OCI runtimeGiuseppe Scrivano2018-11-30
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1317 from rhatdan/privilegedOpenShift Merge Robot2018-11-30
|\ | | | | Disable mount options when running --privileged
| * Disable mount options when running --privilegedDaniel J Walsh2018-11-28
| | | | | | | | | | | | | | | | We now default to setting storage options to "nodev", when running privileged containers, we need to turn this off so the processes can manipulate the image. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | /dev/shm should be mounted even in rootless mode.Daniel J Walsh2018-11-28
| | | | | | | | | | | | | | | | Currently we are mounting /dev/shm from disk, it should be from a tmpfs. User Namespace supports tmpfs mounts for nonroot users, so this section of code should work fine in bother root and rootless mode. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #1798 from giuseppe/fix-notify-socketOpenShift Merge Robot2018-11-28
|\ \ | | | | | | systemd: fix NOTIFY_SOCKET with patched runc
| * | oci: propagate NOTIFY_SOCKET on runtime startGiuseppe Scrivano2018-11-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | with https://github.com/opencontainers/runc/pull/1807 we moved the systemd notify initialization from "create" to "start", so that the OCI runtime doesn't hang while waiting on reading from the notify socket. This means we also need to set the correct NOTIFY_SOCKET when start'ing the container. Closes: https://github.com/containers/libpod/issues/746 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #1880 from baude/f29fixesOpenShift Merge Robot2018-11-28
|\ \ \ | | | | | | | | Fix golang formatting issues
| * | | Fix golang formatting issuesbaude2018-11-28
| |/ / | | | | | | | | | | | | | | | | | | Whe running unittests on newer golang versions, we observe failures with some formatting types when no declared correctly. Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #1846 from cgwalters/netns-dns-localhostOpenShift Merge Robot2018-11-28
|\ \ \ | |/ / |/| | Use host's resolv.conf if no network namespace enabled
| * | Use host's resolv.conf if no network namespace enabledColin Walters2018-11-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | My host system runs Fedora Silverblue 29 and I have NetworkManager's `dns=dnsmasq` setting enabled, so my `/etc/resolv.conf` only has `127.0.0.1`. I also run my development podman containers with `--net=host` for various reasons. If we have a host network namespace, there's no reason not to just use the host's nameserver configuration either. This fixes e.g. accessing content on a VPN, and is also faster since the container is using cached DNS. I know this doesn't solve the bigger picture issue of localhost-DNS conflicting with bridged networking, but that's far more involved, probably requiring a DNS proxy in the container. This patch makes my workflow a lot nicer and was easy to write. Signed-off-by: Colin Walters <walters@verbum.org>
* | | Merge pull request #1848 from adrianreber/masterOpenShift Merge Robot2018-11-28
|\ \ \ | | | | | | | | Add tcp-established to checkpoint/restore
| * | | Added tcp-established to checkpoint/restoreAdrian Reber2018-11-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CRIU can checkpoint and restore processes/containers with established TCP connections if the correct option is specified. To implement checkpoint and restore with support for established TCP connections with Podman this commit adds the necessary options to runc during checkpoint and also tells conmon during restore to use 'runc restore' with '--tcp-established'. For this Podman feature to work a corresponding conmon change is required. Example: $ podman run --tmpfs /tmp --name podman-criu-test -d docker://docker.io/yovfiatbeb/podman-criu-test $ nc `podman inspect -l | jq -r '.[0].NetworkSettings.IPAddress'` 8080 GET /examples/servlets/servlet/HelloWorldExample Connection: keep-alive 1 GET /examples/servlets/servlet/HelloWorldExample Connection: keep-alive 2 $ # Using HTTP keep-alive multiple requests are send to the server in the container $ # Different terminal: $ podman container checkpoint -l criu failed: type NOTIFY errno 0 $ # Looking at the log file would show errors because of established TCP connections $ podman container checkpoint -l --tcp-established $ # This works now and after the restore the same connection as above can be used for requests $ podman container restore -l --tcp-established The restore would fail without '--tcp-established' as the checkpoint image contains established TCP connections. Signed-off-by: Adrian Reber <areber@redhat.com>
| * | | Use also a struct to pass options to Restore()Adrian Reber2018-11-28
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is basically the same change as ff47a4c2d5485fc49f937f3ce0c4e2fd6bdb1956 (Use a struct to pass options to Checkpoint()) just for the Restore() function. It is used to pass multiple restore options to the API and down to conmon which is used to restore containers. This is for the upcoming changes to support checkpointing and restoring containers with '--tcp-established'. Signed-off-by: Adrian Reber <areber@redhat.com>
* | | Merge pull request #1849 from giuseppe/report-rootless-netmodeOpenShift Merge Robot2018-11-28
|\ \ \ | | | | | | | | rootless: add new netmode "slirp4netns"
| * | | network: allow slirp4netns mode also for root containersGiuseppe Scrivano2018-11-28
| |/ / | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #1833 from giuseppe/remove-exec-pollingOpenShift Merge Robot2018-11-28
|\ \ \ | |_|/ |/| | exec: remove polling for PID file
| * | util: use fsnotify to wait for fileGiuseppe Scrivano2018-11-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | prefer a fsnotify watcher to polling the file, we take advantage of inotify on Linux and react more promptly to the PID file being created. If the watcher cannot be created, then fallback to the old polling mechanism. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | exec: don't wait for pidfile when the runtime exitedGiuseppe Scrivano2018-11-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | don't wait for the timeout to expire if the runtime process exited. I've noticed podman to hang on exit and keeping the container lock taken when the OCI runtime already exited. Additionally, it reduces the waiting time as we won't hit the 25 milliseconds waiting time in the worst case. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | rootless: fix cleanupGiuseppe Scrivano2018-11-28
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | The conmon exit command is running inside of a namespace where the process is running with uid=0. When it launches again podman for the cleanup, podman is not running in rootless mode as the uid=0. Export some more env variables to tell podman we are in rootless mode. Closes: https://github.com/containers/libpod/issues/1859 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1832 from giuseppe/always-make-explicit-tty-to-execOpenShift Merge Robot2018-11-27
|\ \ | |/ |/| exec: always make explicit the tty value
| * exec: always make explicit the tty valueGiuseppe Scrivano2018-11-20
| | | | | | | | | | | | | | | | | | | | otherwise runc will take by default the value used for creating the container. Setting it explicit overrides its default value and we won't end up trying to use a terminal when not available. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1625876 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1850 from vrothberg/mount-propagationOpenShift Merge Robot2018-11-27
|\ \ | | | | | | set root propagation based on volume properties
| * | set root propagation based on volume propertiesValentin Rothberg2018-11-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Set the root propagation based on the properties of volumes and default mounts. To remain compatibility, follow the semantics of Docker. If a volume is shared, keep the root propagation shared which works for slave and private volumes too. For slave volumes, it can either be shared or rshared. Do not change the root propagation for private volumes and stick with the default. Fixes: #1834 Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
* | | Merge pull request #1734 from rhatdan/networkOpenShift Merge Robot2018-11-27
|\ \ \ | | | | | | | | libpod should know if the network is disabled
| * | | libpod should know if the network is disabledDaniel J Walsh2018-11-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | /etc/resolv.conf and /etc/hosts should not be created and mounted when the network is disabled. We should not be calling the network setup and cleanup functions when it is disabled either. In doing this patch, I found that all of the bind mounts were particular to Linux along with the generate functions, so I moved them to container_internal_linux.go Since we are checking if we are using a network namespace, we need to check after the network namespaces has been created in the spec. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #1868 from QiWang19/issue860OpenShift Merge Robot2018-11-26
|\ \ \ \ | | | | | | | | | | Add history field to image inspect
| * | | | Add history and namespaceoptions to image inspectQi Wang2018-11-26
| | |/ / | |/| | | | | | | | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* / | | add podman container|image existsbaude2018-11-26
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | Add an exists subcommand to podman container and podman image that allows users to verify the existence of a container or image by ID or name. The return code can be 0 (success), 1 (failed to find), or 125 (failed to work with runtime). Issue #1845 Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #1835 from adrianreber/masterOpenShift Merge Robot2018-11-21
|\ \ \ | | | | | | | | Added option to keep container running after checkpointing
| * | | Added option to keep containers running after checkpointingAdrian Reber2018-11-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CRIU supports to leave processes running after checkpointing: -R|--leave-running leave tasks in running state after checkpoint runc also support to leave containers running after checkpointing: --leave-running leave the process running after checkpointing With this commit the support to leave a container running after checkpointing is brought to Podman: --leave-running, -R leave the container running after writing checkpoint to disk Now it is possible to checkpoint a container at some point in time without stopping the container. This can be used to rollback the container to an early state: $ podman run --tmpfs /tmp --name podman-criu-test -d docker://docker.io/yovfiatbeb/podman-criu-test $ curl 10.88.64.253:8080/examples/servlets/servlet/HelloWorldExample 3 $ podman container checkpoint -R -l $ curl 10.88.64.253:8080/examples/servlets/servlet/HelloWorldExample 4 $ curl 10.88.64.253:8080/examples/servlets/servlet/HelloWorldExample 5 $ podman stop -l $ podman container restore -l $ curl 10.88.64.253:8080/examples/servlets/servlet/HelloWorldExample 4 So after checkpointing the container kept running and was stopped after some time. Restoring this container will restore the state right at the checkpoint. Signed-off-by: Adrian Reber <areber@redhat.com>
| * | | Use a struct to pass options to Checkpoint()Adrian Reber2018-11-20
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | For upcoming changes to the Checkpoint() functions this commit switches checkpoint options from a boolean to a struct, so that additional options can be passed easily to Checkpoint() without changing the function parameters all the time. Signed-off-by: Adrian Reber <areber@redhat.com>
* | | Merge pull request #1810 from baude/inspectToKubeOpenShift Merge Robot2018-11-20
|\ \ \ | | | | | | | | generate kubernetes YAML from a libpod container
| * | | output libpod container to kubernetes yamlbaude2018-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | scope out new kube subcommand where we can add generate. you can now generate kubernetes YAML that will allow you to run the container in a kubernetes environment. When The YAML description will always "wrap" a container in a simple v1.Pod description. Tests and further documentation will be added in additional PRs. This function should be considered very much "under heavy development" at this point. Signed-off-by: baude <bbaude@redhat.com>
* | | | Merge pull request #1829 from baude/enableportbindinginpodsOpenShift Merge Robot2018-11-20
|\ \ \ \ | |_|/ / |/| | | Allow users to expose ports from the pod to the host
| * | | Allow users to expose ports from the pod to the hostbaude2018-11-20
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | we need to allow users to expose ports to the host for the purposes of networking, like a webserver. the port exposure must be done at the time the pod is created. strictly speaking, the port exposure occurs on the infra container. Signed-off-by: baude <bbaude@redhat.com>
* / / rootless: create libpod.conf when it doesn't existGiuseppe Scrivano2018-11-19
|/ / | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1756 from isimluk/update-dependent-metalinterOpenShift Merge Robot2018-11-16
|\ \ | | | | | | Update metalinter dependency
| * | Lint: Extract constant unknownPackageŠimon Lukašík2018-11-10
| | | | | | | | | | | | | | | | | | Addressing goconst warning: 3 other occurrence(s) of "Unknown" found Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
| * | Lint: Tests: add missing assertionsŠimon Lukašík2018-11-10
| | | | | | | | | | | | | | | | | | | | | Addressing: ineffectual assignment to err (ineffassign) Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
| * | Lint: Do not ignore errors from docker run command when selinux enabledŠimon Lukašík2018-11-10
| |/ | | | | | | | | | | | | | | | | Redefining err by := operator within block makes this err variable block local. Addressing lint: libpod/oci.go:368:3:warning: ineffectual assignment to err (ineffassign) Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
* / Increase pidWaitTimeout to 60sEmilien Macchi2018-11-15
|/ | | | | | | | | | | At scale, it appears that we sometimes hit the 1000ms timeout to create the PID file when a container is created or executed. Increasing the value to 60s should help when running a lot of containers in heavy-loaded environment. Related #1495 Fixes #1816 Signed-off-by: Emilien Macchi <emilien@redhat.com>
* Merge pull request #1772 from baude/rmdelpausedOpenShift Merge Robot2018-11-09
|\ | | | | rm -f now removes a paused container
| * rm -f now removes a paused containerbaude2018-11-08
| | | | | | | | | | | | | | | | | | | | | | | | We now can remove a paused container by sending it a kill signal while it is paused. We then unpause the container and it is immediately killed. Also, reworked how the parallelWorker results are handled to provide a more consistent approach to how each subcommand implements it. It also fixes a bug where if one container errors, the error message is duplicated when printed out. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #1789 from mheon/fix_add_hosts_testOpenShift Merge Robot2018-11-09
|\ \ | | | | | | Accurately update state if prepare() partially fails
| * | Accurately update state if prepare() partially failsMatthew Heon2018-11-08
| |/ | | | | | | | | | | | | | | | | We are seeing some issues where, when part of prepare() fails (originally noticed due to a bad static IP), the other half does not successfully clean up, and the state can be left in a bad place (not knowing about an active SHM mount for example). Signed-off-by: Matthew Heon <mheon@redhat.com>
* | info: add rootless fieldValentin Rothberg2018-11-09
| | | | | | | | | | | | | | | | | | Add a rootless field to the info data (e.g., `podman info`) to indicate if the executing user is root or not. In most cases, this can be guessed but now it is clear and may aid in debugging, reporting and understanding certain issues. Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
* | Merge pull request #1787 from baude/netstatusreworkOpenShift Merge Robot2018-11-08
|\ \ | | | | | | correct assignment of networkStatus