path: root/libpod
Commits (commit message, author, age):
* rootlessport: set source IP to slirp4netns device (Giuseppe Scrivano, 2021-01-22)

  set the source IP to the slirp4netns address instead of 127.0.0.1 when
  using rootlesskit.

  Closes: https://github.com/containers/podman/issues/5138

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Move the cni lock file into the cni config dir (Paul Holzinger, 2021-01-21)

  Commit(fe3faa517e1b) introduced a lock file for network create/rm calls.
  There is a problem with the location of the lock file. The lock file was
  stored in the tmpdir. Running multiple podman network create/remove
  commands in parallel with different tmpdirs made the lockfile inaccessible
  to the other process, and so parallel read/write operations to the cni
  config directory continued to occur. This scenario happened frequently
  during the e2e tests and caused some flakes.

  Fixes #9041

  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #8955 from mheon/rename (OpenShift Merge Robot, 2021-01-14)

  Container Rename

  * Initial implementation of renaming containers (Matthew Heon, 2021-01-14)

    Basic theory: We remove the container, but *only from the DB*. We leave
    it in c/storage, we leave the lock allocated, we leave it running (if it
    is). Then we create an identical container with an altered name, and add
    that back to the database. Theoretically we now have a renamed container.

    The advantage of this approach is that it doesn't just apply to rename -
    we can use this to make *any* configuration change to a container that
    does not alter its container ID.

    Potential problems are numerous. This process is *THOROUGHLY* non-atomic
    at present - if you `kill -9` Podman mid-rename things will be in a bad
    place, for example. Also, we can't rename containers that can't be
    removed normally - IE, containers with dependencies (pod infra
    containers, for example).

    The largest potential improvement will be to move the majority of the
    work into the DB, with a `RecreateContainer()` method - that will add
    atomicity, and let us remove the container without worrying about
    dependencies and similar issues.

    Potential problems: long-running processes that edit the DB and may have
    an older version of the configuration around. Most notable example is
    `podman run --rm` - the removal command needed to be manually edited to
    avoid this one. This begins to get at the heart of me not wanting to do
    this in the first place...

    This provides CLI and API implementations for frontend, but no tunnel
    implementation. It will be added in a future release (just held back for
    time now - we need this in 3.0 and are running low on time).

    This is honestly kind of horrifying, but I think it will work.

    Signed-off-by: Matthew Heon <mheon@redhat.com>

* Initial implementation of volume plugins (Matthew Heon, 2021-01-14)

  This implements support for mounting and unmounting volumes backed by
  volume plugins. Support for actually retrieving plugins requires a pull
  request to land in containers.conf and then that to be vendored, and as
  such is not yet ready. Given this, this code is only compile tested.
  However, the code for everything past retrieving the plugin has been
  written - there is support for creating, removing, mounting, and
  unmounting volumes, which should allow full functionality once the
  c/common PR is merged.

  A major change is the signature of the MountPoint function for volumes,
  which now, by necessity, returns an error. Named volumes managed by a
  plugin do not have a mountpoint we control; instead, it is managed
  entirely by the plugin. As such, we need to cache the path in the DB, and
  calls to retrieve it now need to access the DB (and may fail as such).

  Notably absent is support for SELinux relabelling and chowning these
  volumes. Given that we don't manage the mountpoint for these volumes, I am
  extremely reluctant to try and modify it - we could easily break the
  plugin trying to chown or relabel it.

  Also, we had no less than *5* separate implementations of inspecting a
  volume floating around in pkg/infra/abi and pkg/api/handlers/libpod. And
  none of them used volume.Inspect(), the only correct way of inspecting
  volumes. Remove them all and consolidate to using the correct way. Compat
  API is likely still doing things the wrong way, but that is an issue for
  another day.

  Fixes #4304

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #8906 from vrothberg/fix-8501 (OpenShift Merge Robot, 2021-01-14)

  container stop: release lock before calling the runtime

  * container stop: release lock before calling the runtime (Valentin Rothberg, 2021-01-14)

    Podman defers stopping the container to the runtime, which can take some
    time. Keeping the lock while waiting for the runtime to complete the stop
    procedure, prevents other commands from acquiring the lock as shown in
    #8501.

    To improve the user experience, release the lock before invoking the
    runtime, and re-acquire the lock when the runtime is finished. Also
    introduce an intermediate "stopping" to properly distinguish from
    "stopped" containers etc.

    Fixes: #8501

    Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

* Merge pull request #8958 from zhangguanzhang/duplicated-hosts (OpenShift Merge Robot, 2021-01-13)

  Fixes /etc/hosts duplicated every time after container restarted in a pod

  * Fixes /etc/hosts duplicated every time after container restarted in a pod (zhangguanzhang, 2021-01-13)

    Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>

* Remove the ability to use [name:tag] in podman load command (Daniel J Walsh, 2021-01-12)

  Docker does not support this, and it is confusing what to do if the image
  has more than one tag. We are dropping support for this in podman 3.0

  Fixes: https://github.com/containers/podman/issues/7387

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8950 from mheon/exorcise_driver (OpenShift Merge Robot, 2021-01-12)

  Exorcise Driver code from libpod/define

  * Exorcise Driver code from libpod/define (Matthew Heon, 2021-01-12)

    The libpod/define code should not import any large dependencies, as it
    is intended to be structures and definitions only. It included the
    libpod/driver package for information on the storage driver, though,
    which brought in all of c/storage. Split the driver package so that
    define has the struct, and thus does not need to import Driver. And
    simplify the driver code while we're at it.

    Signed-off-by: Matthew Heon <mheon@redhat.com>

* Merge pull request #8946 from JAORMX/sec-errors (OpenShift Merge Robot, 2021-01-12)

  Expose security attribute errors with their own messages

  * Expose security attribute errors with their own messages (Juan Antonio Osorio Robles, 2021-01-12)

    This creates error objects for runtime errors that might come from the
    runtime. Thus, indicating to users that the place to debug should be in
    the security attributes of the container.

    When creating a container with a SELinux label that doesn't exist, we
    get a fairly cryptic error message:

    ```
    $ podman run --security-opt label=type:my_container.process -it fedora bash
    Error: OCI runtime error: write file `/proc/thread-self/attr/exec`: Invalid argument
    ```

    This instead handles any errors coming from LSM's `/proc` API and
    enhances the error message with a relevant indicator that it's related
    to the container's security attributes.

    A sample run looks as follows:

    ```
    $ bin/podman run --security-opt label=type:my_container.process -it fedora bash
    Error: `/proc/thread-self/attr/exec`: OCI runtime error: unable to assign security attribute
    ```

    With `debug` log level enabled it would be:

    ```
    Error: write file `/proc/thread-self/attr/exec`: Invalid argument: OCI runtime error: unable to assign security attribute
    ```

    Note that these errors wrap ErrOCIRuntime, so it's still possible to
    compare these errors with `errors.Is/errors.As`.

    One advantage of this approach is that we could start handling these
    errors in a more efficient manner in the future. e.g. If a SELinux label
    doesn't exist (yet), we could retry until it becomes available.

    Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>
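The wrapping behaviour the commit above describes, shown as an added example rather than podman's own code: a hypothetical classifyRuntimeError inspects the raw runtime message, and when it is a failed write to an LSM attribute file under /proc it returns an error that wraps a security-attribute sentinel, which itself wraps ErrOCIRuntime, so errors.Is succeeds for both. ErrSecurityAttribute, classifyRuntimeError and the regular expression are assumptions of this example; the sample messages are the ones quoted in the commit message, and the non-verbose and verbose forms reproduce its two outputs.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Sentinel errors. ErrOCIRuntime plays the role of libpod's define.ErrOCIRuntime;
// ErrSecurityAttribute is a hypothetical wrapper introduced for this example.
// Because it is built with %w, anything wrapping it also wraps ErrOCIRuntime.
var (
	ErrOCIRuntime        = errors.New("OCI runtime error")
	ErrSecurityAttribute = fmt.Errorf("%w: unable to assign security attribute", ErrOCIRuntime)
)

// lsmAttrWrite matches the runtime's complaint about writing an LSM attribute
// file under /proc (the SELinux/AppArmor label interface). Group 1 is the
// path, group 2 the kernel's reason (e.g. "Invalid argument").
var lsmAttrWrite = regexp.MustCompile("write file `(/proc/[^`]*/attr/[^`]*)`: (.*)$")

// classifyRuntimeError turns raw runtime output into a typed error. verbose
// keeps the original runtime text in front of the classification, as the
// commit shows for the debug log level.
func classifyRuntimeError(output string, verbose bool) error {
	if m := lsmAttrWrite.FindStringSubmatch(output); m != nil {
		if verbose {
			return fmt.Errorf("%s: %w", m[0], ErrSecurityAttribute)
		}
		return fmt.Errorf("`%s`: %w", m[1], ErrSecurityAttribute)
	}
	// Anything else is still reported as a generic OCI runtime error.
	return fmt.Errorf("%w: %s", ErrOCIRuntime, output)
}

func main() {
	// Constructed sample: the raw message quoted in the commit.
	raw := "write file `/proc/thread-self/attr/exec`: Invalid argument"
	for _, verbose := range []bool{false, true} {
		err := classifyRuntimeError(raw, verbose)
		fmt.Printf("Error: %v\n", err)
		fmt.Println("  is security attribute error:", errors.Is(err, ErrSecurityAttribute))
		fmt.Println("  is OCI runtime error:       ", errors.Is(err, ErrOCIRuntime))
	}
}
```

Callers that only care whether the runtime failed keep checking `errors.Is(err, ErrOCIRuntime)`; callers that want to treat label problems specially (for instance, to tell the user to check `--security-opt`) check the more specific sentinel first.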
* Merge pull request #8947 from Luap99/cleanup-code (OpenShift Merge Robot, 2021-01-12)

  Fix problems reported by staticcheck

  * Fix problems reported by staticcheck (Paul Holzinger, 2021-01-12)

    `staticcheck` is a golang code analysis tool. https://staticcheck.io/

    This commit fixes a lot of problems found in our code. Common problems are:
    - unnecessary use of fmt.Sprintf
    - duplicated imports with different names
    - unnecessary check that a key exists before a delete call

    There are still a lot of reported problems in the test files but I have
    not looked at those.

    Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

* Merge pull request #8819 from chen-zhuohan/add-pre-checkpoint (OpenShift Merge Robot, 2021-01-12)

  Add pre-checkpoint and restore with previous

  * add pre checkpoint (unknown, 2021-01-10)

    Signed-off-by: Zhuohan Chen <chen_zhuohan@163.com>

* Merge pull request #8933 from giuseppe/use-O_PATH-for-unix-sock (OpenShift Merge Robot, 2021-01-12)

  oci: use /proc/self/fd/FD to open unix socket

  * oci: use /proc/self/fd/FD to open unix socket (Giuseppe Scrivano, 2021-01-12)

    instead of opening directly the UNIX socket path, grab a reference to it
    through a O_PATH file descriptor and use the fixed size string
    "/proc/self/fd/%d" to open the UNIX socket. In this way it won't hit the
    108 chars length limit.

    Closes: https://github.com/containers/podman/issues/8798

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* oci: keep LC_ env variables to conmon (Giuseppe Scrivano, 2021-01-11)

  it is necessary for conmon to deal with the correct locale, otherwise it
  uses C as a fallback.

  Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1893567

  Requires: https://github.com/containers/conmon/pull/215

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Merge pull request #8781 from rst0git/cr-volumes (OpenShift Merge Robot, 2021-01-08)

  Add support for checkpoint/restore of containers with volumes

  * Include named volumes in container migration (Radostin Stoyanov, 2021-01-07)

    When migrating a container with associated volumes, the content of these
    volumes should be made available on the destination machine.

    This patch enables container checkpoint/restore with named volumes by
    including the content of volumes in checkpoint file. On restore, volumes
    associated with container are created and their content is restored.
    The --ignore-volumes option is introduced to disable this feature.

    Example:

    ```
    # podman container checkpoint --export checkpoint.tar.gz <container>
    ```

    The content of all volumes associated with the container are included
    in `checkpoint.tar.gz`

    ```
    # podman container checkpoint --export checkpoint.tar.gz --ignore-volumes <container>
    ```

    The content of volumes is not included in `checkpoint.tar.gz`. This is
    useful, for example, when the checkpoint/restore is performed on the
    same machine.

    ```
    # podman container restore --import checkpoint.tar.gz
    ```

    The associated volumes will be created and their content will be
    restored. Podman will exit with an error if volumes with the same name
    already exist on the system or the content of volumes is not included
    in checkpoint.tar.gz

    ```
    # podman container restore --ignore-volumes --import checkpoint.tar.gz
    ```

    Volumes associated with container must already exist. Podman will not
    create them or restore their content.

    Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>

  * Use Options as exportCheckpoint() argument (Radostin Stoyanov, 2021-01-07)

    Instead of individual values from ContainerCheckpointOptions, provide
    the options object. This is a preparation for the next patch where one
    more value of the options object is required in exportCheckpoint().

    Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
* Merge pull request #8771 from rhatdan/run (OpenShift Merge Robot, 2021-01-07)

  Switch references of /var/run -> /run

  * Switch references of /var/run -> /run (Daniel J Walsh, 2021-01-07)

    Systemd is now complaining or mentioning /var/run as a legacy directory.
    It has been many years where /var/run is a symlink to /run on almost all
    distributions, make the change to the default.

    Partial fix for https://github.com/containers/podman/issues/8369

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* Merge pull request #8821 from rhatdan/caps (OpenShift Merge Robot, 2021-01-07)

  Containers should not get inheritable caps by default

  * Handle podman exec capabilities correctly (Daniel J Walsh, 2021-01-07)

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* Merge pull request #8816 from giuseppe/automatically-split-userns-mappings (OpenShift Merge Robot, 2021-01-07)

  rootless: automatically split userns ranges

  * rootless: automatically split userns ranges (Giuseppe Scrivano, 2021-01-07)

    writing to the id map fails when an extent overlaps multiple mappings in
    the parent user namespace:

    ```
    $ cat /proc/self/uid_map
    0 1000 1
    1 100000 65536
    $ unshare -U sleep 100 &
    [1] 1029703
    $ printf "0 0 100\n" | tee /proc/$!/uid_map
    0 0 100
    tee: /proc/1029703/uid_map: Operation not permitted
    ```

    This limitation is particularly annoying when working with rootless
    containers as each container runs in the rootless user namespace, so a
    command like:

    ```
    $ podman run --uidmap 0:0:2 --rm fedora echo hi
    Error: writing file `/proc/664087/gid_map`: Operation not permitted: OCI permission denied
    ```

    would fail since the specified mapping overlaps the first mapping (where
    the user id is mapped to root) and the second extent with the additional
    IDs available.

    Detect such cases and automatically split the specified mapping with the
    equivalent of:

    ```
    $ podman run --uidmap 0:0:1 --uidmap 1:1:1 --rm fedora echo hi
    hi
    ```

    A fix has already been proposed for the kernel[1], but even if it is
    accepted it will take time until it is available in a released kernel,
    so fix it also in pkg/rootless.

    [1] https://lkml.kernel.org/lkml/20201203150252.1229077-1-gscrivan@redhat.com/

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
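The automatic split the commit above describes, as an added example that is not podman's pkg/rootless code: given the parent user namespace's own uid_map (in /proc format) and the extents requested with --uidmap, splitMappings cuts every extent at the boundaries of the parent's extents, so that each piece the kernel is asked to accept lies inside exactly one parent extent, and it rejects ids the parent does not map at all rather than letting the kernel fail with EPERM. The type and function names (IDMap, parseIDMap, parentExtentFor, splitMappings, formatIDMap) are assumptions of this example; the sample parent map and the 0:0:2 request are the ones from the commit's session, and the same routine applies unchanged to gid_map.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// IDMap is one extent in /proc/<pid>/uid_map order: id inside the namespace,
// id outside it (in the parent namespace), and extent length. For a
// `--uidmap a:b:n` request, Inside=a (container id), Outside=b (id in the
// rootless user namespace that creates the container) and Size=n.
type IDMap struct {
	Inside  int
	Outside int
	Size    int
}

// parseIDMap parses text in /proc/<pid>/uid_map (or gid_map) format.
func parseIDMap(text string) ([]IDMap, error) {
	var out []IDMap
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		if len(fields) != 3 {
			return nil, fmt.Errorf("malformed id map line %q", sc.Text())
		}
		var v [3]int
		for i, f := range fields {
			n, err := strconv.Atoi(f)
			if err != nil || n < 0 {
				return nil, fmt.Errorf("bad id map value %q", f)
			}
			v[i] = n
		}
		out = append(out, IDMap{Inside: v[0], Outside: v[1], Size: v[2]})
	}
	return out, nil
}

// parentExtentFor returns the parent extent whose *inside* range covers id:
// the Outside column of the child's map is expressed in the parent's inside
// ids. It returns nil when the parent does not map id at all.
func parentExtentFor(parent []IDMap, id int) *IDMap {
	for i := range parent {
		p := &parent[i]
		if id >= p.Inside && id < p.Inside+p.Size {
			return p
		}
	}
	return nil
}

// splitMappings rewrites the requested extents so that each one lies within
// a single extent of the parent map; the kernel refuses an extent that
// straddles two parent extents ("Operation not permitted").
func splitMappings(parent, requested []IDMap) ([]IDMap, error) {
	var out []IDMap
	for _, req := range requested {
		rem := req
		for rem.Size > 0 {
			p := parentExtentFor(parent, rem.Outside)
			if p == nil {
				return nil, fmt.Errorf("id %d is not mapped in the parent user namespace", rem.Outside)
			}
			// ids of this request that fit before the parent extent ends
			n := p.Inside + p.Size - rem.Outside
			if n > rem.Size {
				n = rem.Size
			}
			out = append(out, IDMap{Inside: rem.Inside, Outside: rem.Outside, Size: n})
			rem.Inside += n
			rem.Outside += n
			rem.Size -= n
		}
	}
	return out, nil
}

// formatIDMap renders extents as the payload written to uid_map/gid_map.
func formatIDMap(m []IDMap) string {
	var b strings.Builder
	for _, e := range m {
		fmt.Fprintf(&b, "%d %d %d\n", e.Inside, e.Outside, e.Size)
	}
	return b.String()
}

// sampleParentMap is a constructed copy of the rootless namespace's own
// uid_map from the commit message: uid 1000 -> 0, then 65536 subuids -> 1...
const sampleParentMap = "0 1000 1\n1 100000 65536\n"

func main() {
	parent, err := parseIDMap(sampleParentMap)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// `--uidmap 0:0:2` straddles both parent extents and must be split.
	split, err := splitMappings(parent, []IDMap{{Inside: 0, Outside: 0, Size: 2}})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(formatIDMap(split)) // equivalent of --uidmap 0:0:1 --uidmap 1:1:1
}
```

Splitting preserves the container-side ids exactly, so the user's view of the mapping does not change; only the number of lines written to the map file grows. The kernel caps the number of extents per map, so a request that spans very many parent extents can still fail, which is why the error path is kept rather than silently truncating.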
* Fix podman logs read partial log lines (Paul Holzinger, 2021-01-07)

  If a partial log line has the length 1 it was ignored by podman logs.

  Fixes #8879

  Signed-off-by: Paul Holzinger <paul.holzinger@web.de>

* Merge pull request #8805 from giuseppe/single-user-mapped-root (OpenShift Merge Robot, 2021-01-06)

  libpod: handle single user mapped as root

  * libpod: handle single user mapped as root (Giuseppe Scrivano, 2020-12-24)

    if a single user is mapped in the user namespace, handle it as root.

    It is needed for running unprivileged containers with a single user
    available without being forced to run with euid and egid set to 0.

    Needs: https://github.com/containers/storage/pull/794

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Merge pull request #8892 from mheon/fix_8886 (OpenShift Merge Robot, 2021-01-06)

  Ensure that user-specified HOSTNAME is honored

  * Ensure that user-specified HOSTNAME is honored (Matthew Heon, 2021-01-06)

    When adding the HOSTNAME environment variable, only do so if it is not
    already present in the spec. If it is already present, it was likely
    added by the user, and we should honor their requested value.

    Fixes #8886

    Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #8685 from mheon/ignore_containersconf_sysctls_shared_net (OpenShift Merge Robot, 2021-01-05)

  Ignore containers.conf sysctls when sharing namespaces

  * Add default sysctls for pod infra containers (Matthew Heon, 2021-01-04)

    Ensure that infra containers for pods will grab default sysctls from
    containers.conf, to match how other containers are created. This mostly
    affects the other containers in the pod, which will inherit those
    sysctls when they join the pod's namespaces.

    Signed-off-by: Matthew Heon <mheon@redhat.com>

* Merge pull request #8831 from bblenard/issue-8658-system-prune-reclaimed-space (OpenShift Merge Robot, 2021-01-05)

  Rework pruning to report reclaimed space

  * Rework pruning to report reclaimed space (Baron Lenardson, 2020-12-30)

    This change adds code to report the reclaimed space after a prune.
    Reclaimed space from volumes, images, and containers is recorded during
    the prune call in a PruneReport struct. These structs are collected into
    a slice during a system prune and processed afterwards to calculate the
    total reclaimed space.

    Closes #8658

    Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>

* Merge pull request #8873 from baude/issue8864 (OpenShift Merge Robot, 2021-01-05)

  close journald when reading

  * close journald when reading (baude, 2021-01-04)

    when reading from journald, we need to close the journal handler for
    events and logging.

    Fixes: #8864

    Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #8878 from mheon/no_edit_config (OpenShift Merge Robot, 2021-01-04)

  Ensure we do not edit container config in Exec

  * Ensure we do not edit container config in Exec (Matthew Heon, 2021-01-04)

    The existing code grabs the base container's process, and then modifies
    it for use with the exec session. This could cause errors in `podman
    inspect` or similar on the container, as the definition of its OCI spec
    has been changed by the exec session. The change never propagates to the
    DB, so it's limited to a single process, but we should still avoid it
    when possible - so deep-copy it before use.

    Signed-off-by: Matthew Heon <mheon@redhat.com>

* Merge pull request #8875 from rhatdan/image (OpenShift Merge Robot, 2021-01-04)

  Allow image errors to bubble up from lower level functions.

  * Allow image errors to bubble up from lower level functions. (Daniel J Walsh, 2021-01-04)

    Currently we ignore ErrMultipleImages being returned from
    findImageInRepoTags.

    Fixes: https://github.com/containers/podman/issues/8868

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* systemd: make rundir always accessible (Giuseppe Scrivano, 2021-01-04)

  so that the PIDFile can be accessed also without being in the rootless
  user namespace.

  Closes: https://github.com/containers/podman/issues/8506

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Merge pull request #8823 from giuseppe/exec-honor-privileged (OpenShift Merge Robot, 2021-01-04)

  exec: honor --privileged

  * exec: honor --privileged (Giuseppe Scrivano, 2020-12-24)

    write the capabilities to the configuration passed to the OCI runtime.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

  * libpod: change function to accept ExecOptions (Giuseppe Scrivano, 2020-12-24)

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Merge pull request #8852 from afbjorklund/slirp_sandbox-no_pivot_root (OpenShift Merge Robot, 2020-12-30)

  The slirp4netns sandbox requires pivot_root