| Commit message (Collapse) | Author | Age |
|\
| |
| | |
oci: make explicit the extra files to the exec
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In the previous version I forgot to add the fds to preserve into
AdditionalFiles. It doesn't make a difference as the files were still
preserved, but this seems to be the correct way of making it
explicit.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| |/
|/| |
libpod/container_internal: Split locale at the first dot, etc.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We're going to feed this into Go's BCP 47 language parser. Language
tags have the form [1]:
language
["-" script]
["-" region]
*("-" variant)
*("-" extension)
["-" privateuse]
and locales have the form [2]:
[language[_territory][.codeset][@modifier]]
The modifier is useful for collation, but Go's language-based API
[3] does not provide a way for us to supply it. This code converts
our locale to a BCP 47 language by stripping the dot and later and
replacing the first underscore, if any, with a hyphen. This will
avoid errors like [4]:
WARN[0000] failed to parse language "en_US.UTF-8": language: tag is not well-formed
when feeding language.Parse(...).
[1]: https://tools.ietf.org/html/bcp47#section-2.1
[2]: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
[3]: https://github.com/golang/go/issues/25340
[4]: https://github.com/containers/libpod/issues/2494
Signed-off-by: W. Trevor King <wking@tremily.us>
|
|\ \
| | |
| | | |
Change LookupContainer logic to match Docker
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When looking up a container or pod by from user input, we handle
collisions between names and IDs differently than Docker at
present.
In Docker, when there is a container with an ID starting with
"c1" and a container named "c1", commands on "c1" will always act
on the container named "c1". For the same scenario in podman, we
throw an error about name collision.
Change Podman to follow Docker, by returning the named container
or pod instead of erroring.
This should also have a positive effect on performance in the
lookup-by-full-name case, which no longer needs to fully traverse
the list of all pods or containers.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \ \
| | | |
| | | | |
Fix pod create failure
|
| | |/
| |/|
| | |
| | |
| | |
| | | |
Before, a pod create would fail if it was set to share no namespaces, but had an infra container. While inefficient (you add a container for no reason), it shouldn't be a fatal failure. Fix this by only failing if the pod was set to share namespaces, but had no infra container, and writing a warning if vice versa.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
|\ \ \
| |/ /
|/| | |
podman healthcheck run (phase 1)
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add the ability to manually run a container's healthcheck command.
This is only the first phase of implementing the healthcheck.
Subsequent pull requests will deal with the exposing the results and
history of healthchecks as well as the scheduling.
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \ \
| |_|/
|/| | |
Append hosts to dependency container's /etc/hosts file
|
| |/
| |
| |
| |
| |
| | |
Before, any container with a netNS dependency simply used its dependency container's hosts file, and didn't abide its configuration (mainly --add-host). Fix this by always appending to the dependency container's hosts file, creating one if necessary.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
|\ \
| |/
|/| |
rootless: fill in correct storage conf default
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When the configuration file is specified, be sure to fill rootless
compatible values in the default configuration.
Closes: https://github.com/containers/libpod/issues/2510
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| |/
|/| |
exec: support --preserve-fds
|
| |
| |
| |
| |
| |
| |
| |
| | |
Allow to pass additional FDs to the process being executed.
Closes: https://github.com/containers/libpod/issues/2372
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|/
|
|
|
|
| |
Closes: https://github.com/containers/libpod/issues/2408
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\
| |
| | |
Verify that used OCI runtime supports checkpoint
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
To be able to use OCI runtimes which do not implement checkpoint/restore
this adds a check to the checkpoint code path and the checkpoint/restore
tests to see if it knows about the checkpoint subcommand. If the used
OCI runtime does not implement checkpoint/restore the tests are skipped
and the actual 'podman container checkpoint' returns an error.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
|/
|
|
|
|
| |
Allow passing in of AttachStreams to libpod.Exec() for usage in podman healthcheck. An API caller can now specify different streams for stdout, stderr and stdin, or no streams at all.
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
|
|
|
|
|
|
|
| |
No reason to do it in util/ anymore. It's always going to be a
subdirectory of c/storage graph root by default, so we can just
set it after the return.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of passing in defaults via WithStorageConfig after
computing them in cmd/podman/libpodruntime, do all defaults in
libpod itself.
This can alleviate ordering issues which caused settings in the
libpod config (most notably, volume path) to be ignored.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
|
|
|
|
|
| |
When removing volumes with rm --volumes we want to only remove
volumes that were created with the container. Volumes created
separately via 'podman volume create' should not be removed.
Also ensure that --rm implies volumes will be removed.
Fixes #2441
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
| |
This ensures we won't overwrite it when it's set in the config we
load from disk.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
|
|
| |
If this doesn't match, we end up not being able to access named
volumes mounted into containers, which is bad. Use the same
validation that we use for other critical paths to ensure this
one also matches.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We want named volumes to be created in a subdirectory of the
c/storage graph root, the same as the libpod root directory is
now. As such, we need to adjust its location when the graph root
changes location.
Also, make a change to how we set the default. There's no need to
explicitly set it every time we initialize via an option - that
might conflict with WithStorageConfig setting it based on graph
root changes. Instead, just initialize it in the default config
like our other settings.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\
| |
| | |
Fix one (of two) SELinux denials during checkpointing
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
CRIU creates a log file during checkpointing in .../userdata/dump.log.
The problem with this file is, is that CRIU injects a parasite code into
the container processes and this parasite code also writes to the same
log file. At this point a process from the inside of the container is
trying to access the log file on the outside of the container and
SELinux prohibits this. To enable writing to the log file from the
injected parasite code, this commit creates an empty log file and labels
the log file with c.MountLabel(). CRIU uses existing files when writing
it logs so the log file label persists and now, with the correct label,
SELinux no longer blocks access to the log file.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
|/
|
|
|
|
|
| |
We were previously returning the not so nice error directly from
conmon.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\
| |
| | |
Fix up handling of user defined network namespaces
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If user specifies network namespace and the /etc/netns/XXX/resolv.conf
exists, we should use this rather then /etc/resolv.conf
Also fail cleaner if the user specifies an invalid Network Namespace.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| | |
| | | |
In shared networkNS /etc/resolv.conf&/etc/hosts should be shared
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We should just bind mount the original containers /etc/resolv.conf and /etchosts
into the new container. Changes in the resolv.conf and hosts should be seen
by all containers, This matches Docker behaviour.
In order to make this work the labels on these files need to have a shared
SELinux label.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \
| |/
|/| |
Enable more podman-remote pod commands
|
| |
| |
| |
| |
| |
| | |
enable pod start, stop, and kill subcommands for the remote-client.
Signed-off-by: baude <bbaude@redhat.com>
|
|/
|
|
|
|
|
|
|
|
| |
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
Vendors in Buildah 1.7 into Podman.
Also the latest imagebuilder and changes for
`build --target`
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
|
|\
| |
| | |
podman: --runtime has higher priority on runtime_path
|
| |
| |
| |
| |
| |
| |
| | |
if --runtime is specified, then it has higher priority on the
runtime_path option, which was added for backward compatibility.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| |/
|/| |
podman-remote pod inspect|exists
|
| |
| |
| |
| |
| |
| |
| |
| | |
enable the remote client to be able to inspect a pod. also, bonus of
enabling the podman pod exists command which returns a 0 or 1 depending
on whether the given pod exists.
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \
| |/
|/| |
Add lock renumbering
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The original intent behind the requirement was to ensure that, if
two SHM lock structs were open at the same time, we should not
make such a runtime available to the user, and should clean it up
instead.
It turns out that we don't even need to open a second SHM lock
struct - if we get an error mapping the first one due to a lock
count mismatch, we can just delete it, and it cleans itself up
when it errors. So there's no reason not to return a valid
runtime.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When we're renumbering locks, we're destroying all existing
allocations anyways, so destroying the old lock struct is not a
particularly big deal. Existing long-lived libpod instances will
continue to use the old locks, but that will be solved in a
followon.
Also, solve an issue with returning error values in the C code.
There were a few places where we return ERRNO where it was not
set, so make them return actual error codes).
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We can't do renumbering after init - we need to open a
potentially invalid locks file (too many/too few locks), and then
potentially delete the old locks and make new ones.
We need to be in init to bypass the checks that would otherwise
make this impossible.
This leaves us with two choices: make RenumberLocks a separate
entrypoint from NewRuntime, duplicating a lot of configuration
load code (we need to know where the locks live, how many there
are, etc) - or modify NewRuntime to allow renumbering during it.
Previous experience says the first is not really a viable option
and produces massive code bloat, so the second it is.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
I was looking into why we have locks in volumes, and I'm fairly
convinced they're unnecessary.
We don't have a state whose accesses we need to guard with locks
and syncs. The only real purpose for the lock was to prevent
concurrent removal of the same volume.
Looking at the code, concurrent removal ought to be fine with a
bit of reordering - one or the other might fail, but we will
successfully evict the volume from the state.
Also, remove the 'prune' bool from RemoveVolume. None of our
other API functions accept it, and it only served to toggle off
more verbose error messages.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| | |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| | |
Necessary for rewriting lock IDs as part of renumber.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Renumber is a way of renumbering container locks after the number
of locks available has changed.
For now, renumber only works with containers.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|