summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Merge pull request #2573 from giuseppe/exec-extra-filesOpenShift Merge Robot2019-03-07
|\ | | | | oci: make explicit the extra files to the exec
| * oci: make explicit the extra files to the execGiuseppe Scrivano2019-03-07
| | | | | | | | | | | | | | | | | | In the previous version I forgot to add the fds to preserve into AdditionalFiles. It doesn't make a difference as the files were still preserved, but this seems to be the correct way of making it explicit. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #2550 from wking/language-dot-splitOpenShift Merge Robot2019-03-07
|\ \ | |/ |/| libpod/container_internal: Split locale at the first dot, etc.
| * libpod/container_internal: Split locale at the first dot, etc.W. Trevor King2019-03-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We're going to feed this into Go's BCP 47 language parser. Language tags have the form [1]: language ["-" script] ["-" region] *("-" variant) *("-" extension) ["-" privateuse] and locales have the form [2]: [language[_territory][.codeset][@modifier]] The modifier is useful for collation, but Go's language-based API [3] does not provide a way for us to supply it. This code converts our locale to a BCP 47 language by stripping the dot and later and replacing the first underscore, if any, with a hyphen. This will avoid errors like [4]: WARN[0000] failed to parse language "en_US.UTF-8": language: tag is not well-formed when feeding language.Parse(...). [1]: https://tools.ietf.org/html/bcp47#section-2.1 [2]: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 [3]: https://github.com/golang/go/issues/25340 [4]: https://github.com/containers/libpod/issues/2494 Signed-off-by: W. Trevor King <wking@tremily.us>
* | Merge pull request #2563 from mheon/lookup_double_match_always_returns_nameOpenShift Merge Robot2019-03-07
|\ \ | | | | | | Change LookupContainer logic to match Docker
| * | Change LookupContainer logic to match DockerMatthew Heon2019-03-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When looking up a container or pod by from user input, we handle collisions between names and IDs differently than Docker at present. In Docker, when there is a container with an ID starting with "c1" and a container named "c1", commands on "c1" will always act on the container named "c1". For the same scenario in podman, we throw an error about name collision. Change Podman to follow Docker, by returning the named container or pod instead of erroring. This should also have a positive effect on performance in the lookup-by-full-name case, which no longer needs to fully traverse the list of all pods or containers. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #2545 from haircommander/weird_pod_bugOpenShift Merge Robot2019-03-06
|\ \ \ | | | | | | | | Fix pod create failure
| * | | Fix incorrect pod create failurePeter Hunt2019-03-06
| | |/ | |/| | | | | | | | | | | | | Before, a pod create would fail if it was set to share no namespaces, but had an infra container. While inefficient (you add a container for no reason), it shouldn't be a fatal failure. Fix this by only failing if the pod was set to share namespaces, but had no infra container, and writing a warning if vice versa. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | Merge pull request #2491 from baude/healtcheckphase1OpenShift Merge Robot2019-03-06
|\ \ \ | |/ / |/| | podman healthcheck run (phase 1)
| * | podman healthcheck run (phase 1)baude2019-03-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | Add the ability to manually run a container's healthcheck command. This is only the first phase of implementing the healthcheck. Subsequent pull requests will deal with the exposing the results and history of healthchecks as well as the scheduling. Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #2518 from haircommander/pod_hostOpenShift Merge Robot2019-03-05
|\ \ \ | |_|/ |/| | Append hosts to dependency container's /etc/hosts file
| * | Append hosts to dependency container's /etc/hosts filePeter Hunt2019-03-05
| |/ | | | | | | | | | | Before, any container with a netNS dependency simply used its dependency container's hosts file, and didn't abide its configuration (mainly --add-host). Fix this by always appending to the dependency container's hosts file, creating one if necessary. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | Merge pull request #2537 from giuseppe/rootless-storage-configOpenShift Merge Robot2019-03-05
|\ \ | |/ |/| rootless: fill in correct storage conf default
| * rootless: fill in correct storage conf defaultGiuseppe Scrivano2019-03-05
| | | | | | | | | | | | | | | | | | When the configuration file is specified, be sure to fill rootless compatible values in the default configuration. Closes: https://github.com/containers/libpod/issues/2510 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #2426 from giuseppe/exec-preserve-fdsOpenShift Merge Robot2019-03-05
|\ \ | |/ |/| exec: support --preserve-fds
| * exec: support --preserve-fdsGiuseppe Scrivano2019-03-02
| | | | | | | | | | | | | | | | Allow to pass additional FDs to the process being executed. Closes: https://github.com/containers/libpod/issues/2372 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | runtime: fill a proper default tmpdir when --config is usedGiuseppe Scrivano2019-03-04
|/ | | | | | Closes: https://github.com/containers/libpod/issues/2408 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2485 from adrianreber/oci-checkOpenShift Merge Robot2019-03-01
|\ | | | | Verify that used OCI runtime supports checkpoint
| * Verify that used OCI runtime supports checkpointAdrian Reber2019-03-01
| | | | | | | | | | | | | | | | | | | | To be able to use OCI runtimes which do not implement checkpoint/restore this adds a check to the checkpoint code path and the checkpoint/restore tests to see if it knows about the checkpoint subcommand. If the used OCI runtime does not implement checkpoint/restore the tests are skipped and the actual 'podman container checkpoint' returns an error. Signed-off-by: Adrian Reber <areber@redhat.com>
* | Allow Exec API user to override streamsPeter Hunt2019-02-28
|/ | | | | | Allow passing in of AttachStreams to libpod.Exec() for usage in podman healthcheck. An API caller can now specify different streams for stdout, stderr and stdin, or no streams at all. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Centralize setting default volume pathMatthew Heon2019-02-26
| | | | | | | | No reason to do it in util/ anymore. It's always going to be a subdirectory of c/storage graph root by default, so we can just set it after the return. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Move all storage configuration defaults into libpodMatthew Heon2019-02-26
| | | | | | | | | | | Instead of passing in defaults via WithStorageConfig after computing them in cmd/podman/libpodruntime, do all defaults in libpod itself. This can alleviate ordering issues which caused settings in the libpod config (most notably, volume path) to be ignored. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Only remove image volumes when removing containersMatthew Heon2019-02-26
| | | | | | | | | | | | When removing volumes with rm --volumes we want to only remove volumes that were created with the container. Volumes created separately via 'podman volume create' should not be removed. Also ensure that --rm implies volumes will be removed. Fixes #2441 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Record when volume path is explicitly set in configMatthew Heon2019-02-26
| | | | | | | This ensures we won't overwrite it when it's set in the config we load from disk. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add debug information when overriding paths with the DBMatthew Heon2019-02-26
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add path for named volumes to `podman info`Matthew Heon2019-02-26
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Validate VolumePath against DB configurationMatthew Heon2019-02-26
| | | | | | | | | If this doesn't match, we end up not being able to access named volumes mounted into containers, which is bad. Use the same validation that we use for other critical paths to ensure this one also matches. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* When location of c/storage root changes, set VolumePathMatthew Heon2019-02-26
| | | | | | | | | | | | | | | We want named volumes to be created in a subdirectory of the c/storage graph root, the same as the libpod root directory is now. As such, we need to adjust its location when the graph root changes location. Also, make a change to how we set the default. There's no need to explicitly set it every time we initialize via an option - that might conflict with WithStorageConfig setting it based on graph root changes. Instead, just initialize it in the default config like our other settings. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #2382 from adrianreber/selinuxOpenShift Merge Robot2019-02-26
|\ | | | | Fix one (of two) SELinux denials during checkpointing
| * Label CRIU log files correctlyAdrian Reber2019-02-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CRIU creates a log file during checkpointing in .../userdata/dump.log. The problem with this file is, is that CRIU injects a parasite code into the container processes and this parasite code also writes to the same log file. At this point a process from the inside of the container is trying to access the log file on the outside of the container and SELinux prohibits this. To enable writing to the log file from the injected parasite code, this commit creates an empty log file and labels the log file with c.MountLabel(). CRIU uses existing files when writing it logs so the log file label persists and now, with the correct label, SELinux no longer blocks access to the log file. Signed-off-by: Adrian Reber <areber@redhat.com>
* | oci: improve error message when the OCI runtime is not foundGiuseppe Scrivano2019-02-26
|/ | | | | | | We were previously returning the not so nice error directly from conmon. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2358 from rhatdan/namespaceOpenShift Merge Robot2019-02-25
|\ | | | | Fix up handling of user defined network namespaces
| * Fix up handling of user defined network namespacesDaniel J Walsh2019-02-23
| | | | | | | | | | | | | | | | | | If user specifies network namespace and the /etc/netns/XXX/resolv.conf exists, we should use this rather then /etc/resolv.conf Also fail cleaner if the user specifies an invalid Network Namespace. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #2417 from rhatdan/resolv.confOpenShift Merge Robot2019-02-25
|\ \ | | | | | | In shared networkNS /etc/resolv.conf&/etc/hosts should be shared
| * | In shared networkNS /etc/resolv.conf&/etc/hosts should be sharedDaniel J Walsh2019-02-23
| |/ | | | | | | | | | | | | | | | | | | | | We should just bind mount the original containers /etc/resolv.conf and /etchosts into the new container. Changes in the resolv.conf and hosts should be seen by all containers, This matches Docker behaviour. In order to make this work the labels on these files need to have a shared SELinux label. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #2413 from baude/remotepodstopOpenShift Merge Robot2019-02-24
|\ \ | |/ |/| Enable more podman-remote pod commands
| * Enable more podman-remote pod commandsbaude2019-02-22
| | | | | | | | | | | | enable pod start, stop, and kill subcommands for the remote-client. Signed-off-by: baude <bbaude@redhat.com>
* | Vendor Buildah v1.7TomSweeneyRedHat2019-02-22
|/ | | | | | | | | | Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com> Vendors in Buildah 1.7 into Podman. Also the latest imagebuilder and changes for `build --target` Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* Merge pull request #2403 from giuseppe/fix-runtimeOpenShift Merge Robot2019-02-22
|\ | | | | podman: --runtime has higher priority on runtime_path
| * podman: --runtime has higher priority on runtime_pathGiuseppe Scrivano2019-02-22
| | | | | | | | | | | | | | if --runtime is specified, then it has higher priority on the runtime_path option, which was added for backward compatibility. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #2402 from baude/remotepodinspectOpenShift Merge Robot2019-02-22
|\ \ | |/ |/| podman-remote pod inspect|exists
| * podman-remote pod inspect|existsbaude2019-02-22
| | | | | | | | | | | | | | | | enable the remote client to be able to inspect a pod. also, bonus of enabling the podman pod exists command which returns a 0 or 1 depending on whether the given pod exists. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #2350 from mheon/lock_renumberOpenShift Merge Robot2019-02-21
|\ \ | |/ |/| Add lock renumbering
| * Do not make renumber shut down the runtimeMatthew Heon2019-02-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The original intent behind the requirement was to ensure that, if two SHM lock structs were open at the same time, we should not make such a runtime available to the user, and should clean it up instead. It turns out that we don't even need to open a second SHM lock struct - if we get an error mapping the first one due to a lock count mismatch, we can just delete it, and it cleans itself up when it errors. So there's no reason not to return a valid runtime. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Recreate SHM locks when renumbering on count mismatchMatthew Heon2019-02-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | When we're renumbering locks, we're destroying all existing allocations anyways, so destroying the old lock struct is not a particularly big deal. Existing long-lived libpod instances will continue to use the old locks, but that will be solved in a followon. Also, solve an issue with returning error values in the C code. There were a few places where we return ERRNO where it was not set, so make them return actual error codes). Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Move RenumberLocks into runtime initMatthew Heon2019-02-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We can't do renumbering after init - we need to open a potentially invalid locks file (too many/too few locks), and then potentially delete the old locks and make new ones. We need to be in init to bypass the checks that would otherwise make this impossible. This leaves us with two choices: make RenumberLocks a separate entrypoint from NewRuntime, duplicating a lot of configuration load code (we need to know where the locks live, how many there are, etc) - or modify NewRuntime to allow renumbering during it. Previous experience says the first is not really a viable option and produces massive code bloat, so the second it is. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Remove locks from volumesMatthew Heon2019-02-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I was looking into why we have locks in volumes, and I'm fairly convinced they're unnecessary. We don't have a state whose accesses we need to guard with locks and syncs. The only real purpose for the lock was to prevent concurrent removal of the same volume. Looking at the code, concurrent removal ought to be fine with a bit of reordering - one or the other might fail, but we will successfully evict the volume from the state. Also, remove the 'prune' bool from RemoveVolume. None of our other API functions accept it, and it only served to toggle off more verbose error messages. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Expand renumber to also renumber pod locksMatthew Heon2019-02-21
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Add ability to rewrite pod configs in the databaseMatthew Heon2019-02-21
| | | | | | | | | | | | Necessary for rewriting lock IDs as part of renumber. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Add initial version of renumber backendMatthew Heon2019-02-21
| | | | | | | | | | | | | | | | | | Renumber is a way of renumbering container locks after the number of locks available has changed. For now, renumber only works with containers. Signed-off-by: Matthew Heon <matthew.heon@pm.me>