summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Add support for selecting kvm and systemd labelsDaniel J Walsh2020-04-15
| | | | | | | | | | | | In order to better support kata containers and systemd containers container-selinux has added new types. Podman should execute the container with an SELinux process label to match the container type. Traditional Container process : container_t KVM Container Process: containre_kvm_t PID 1 Init process: container_init_t Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Improve APIv2 support for AttachMatthew Heon2020-04-13
| | | | | | | | | | | | | | A few major fixes here: - Support for attaching to Configured containers, to match Docker behavior. - Support for stream parameter has been improved (we now properly handle cases where it is not set). - Initial support for logs parameter has been added. - Setting attach streams when the container has a terminal is now supported. - Errors are properly reported once the hijack has begun. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #5478 from giuseppe/auto-usernsOpenShift Merge Robot2020-04-06
|\ | | | | userns: support --userns=auto
| * userns: support --userns=autoGiuseppe Scrivano2020-04-06
| | | | | | | | | | | | | | automatically pick an empty range and create an user namespace for the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #5716 from baude/v2psOpenShift Merge Robot2020-04-06
|\ \ | | | | | | podmanv2 ps
| * | podmanv2 psBrent Baude2020-04-06
| |/ | | | | | | | | | | add the ability to list containers Signed-off-by: Brent Baude <bbaude@redhat.com>
* / refactor infoBrent Baude2020-04-06
|/ | | | | | the current implementation of info, while typed, is very loosely done so. we need stronger types for our apiv2 implmentation and bindings. Signed-off-by: Brent Baude <bbaude@redhat.com>
* v2podman attach and execBrent Baude2020-04-05
| | | | | | | | add the ability to attach to a running container. the tunnel side of this is not enabled yet as we have work on the endpoints and plumbing to do yet. add the ability to exec a command in a running container. the tunnel side is also being deferred for same reason. Signed-off-by: Brent Baude <bbaude@redhat.com>
* Merge pull request #5672 from baude/v2saveOpenShift Merge Robot2020-04-03
|\ | | | | podmanv2 save image
| * podmanv2 save imageBrent Baude2020-04-03
| | | | | | | | | | | | add ability to save an image for podman v2 Signed-off-by: Brent Baude <bbaude@redhat.com>
* | Merge pull request #5707 from adrianreber/crun-checkpoint-1OpenShift Merge Robot2020-04-03
|\ \ | | | | | | Prepare for crun checkpoint support
| * | checkpoint: handle XDG_RUNTIME_DIRAdrian Reber2020-04-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For (almost) all commands which podman passes on to a OCI runtime XDG_RUNTIME_DIR is set to the same value. This does not happen for the checkpoint command. Using crun to checkpoint a container without this change will lead to crun using XDG_RUNTIME_DIR of the currently logged in user and so it will not find the container Podman wants to checkpoint. This bascially just copies a few lines from on of the other commands to handle 'checkpoint' as all the other commands. Thanks to Giuseppe for helping me with this. For 'restore' it is not needed as restore goes through conmon and for calling conmon Podman already configures XDG_RUNTIME_DIR correctly. Signed-off-by: Adrian Reber <areber@redhat.com>
| * | checkpoint: change runtime checkpoint support testAdrian Reber2020-04-03
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Podman was checking if the runtime support checkpointing by running 'runtime checkpoint -h'. That works for runc. crun, however, does not use '-h, --help' for help output but, '-?, --help'. This commit switches both checkpoint support detection from 'runtime checkpoint -h' to 'runtime checkpoint --help'. Podman can now correctly detect if 'crun' also support checkpointing. Signed-off-by: Adrian Reber <areber@redhat.com>
* | Merge pull request #5712 from rhatdan/pathOpenShift Merge Robot2020-04-03
|\ \ | | | | | | Pass path environment down to the OCI runtime
| * | Pass path environment down to the OCI runtimeDaniel J Walsh2020-04-03
| |/ | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #5676 from kolyshkin/volume-flags-altOpenShift Merge Robot2020-04-03
|\ \ | |/ |/| Fix/improve pkg/storage.InitFSMounts
| * pkg/spec.InitFSMounts: optimizeKir Kolyshkin2020-04-02
| | | | | | | | | | | | | | | | | | | | Instead of getting mount options from /proc/self/mountinfo, which is very costly to read/parse (and can even be unreliable), let's use statfs(2) to figure out the flags we need. [v2: move getting default options to pkg/util, make it linux-specific] Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
* | attach: skip shutdown on errorsGiuseppe Scrivano2020-04-02
| | | | | | | | | | | | | | skip doing a socket shutdown on an error, since we are not sure the socket was already closed and we end up using the wrong fd. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | attach: fix hang if control path is deletedGiuseppe Scrivano2020-04-02
| | | | | | | | | | | | | | | | if the control path file is deleted, libpod hangs waiting for a reader to open it. Attempt to open it as non blocking until it returns an error different than EINTR or EAGAIN. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | podmanv2 loadBrent Baude2020-04-01
| | | | | | | | | | | | | | | | | | | | enable podman load for v2 add reexec into main add systemd build flag to v2 makefile Signed-off-by: Brent Baude <bbaude@redhat.com>
* | podmanv2 pod psBrent Baude2020-03-31
|/ | | | | | add the ability to list pods in podmanv2 Signed-off-by: Brent Baude <bbaude@redhat.com>
* Revert "Default CPUShares in Inspect are 1024"Sagi Shnaidman2020-03-30
| | | | | | | | | cpu-share is 0 in docker inspect, see https://github.com/moby/moby/issues/35452 This reverts commit eb229d526c04f17ca8b7e65abba745fd5b465a6c. Signed-off-by: Sagi Shnaidman <sshnaidm@redhat.com>
* Merge pull request #5602 from rhatdan/vendorOpenShift Merge Robot2020-03-30
|\ | | | | Update vendor of boltdb and containers/image
| * Update vendor of boltdb and containers/imageDaniel J Walsh2020-03-29
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | podmanv2: implement pod topValentin Rothberg2020-03-28
|/ | | | | | Implement `podman pod top` for podmanV2. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Add support for containers.confDaniel J Walsh2020-03-27
| | | | | | | vendor in c/common config pkg for containers.conf Signed-off-by: Qi Wang qiwan@redhat.com Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* podmanv2 pod create using podspecgenBrent Baude2020-03-27
| | | | | | | | using the factory approach similar to container, we now create pods based on a pod spec generator. wired up the podmanv2 pod create command, podcreatewithspec binding, simple binding test, and apiv2 endpoint. also included some code refactoring as it introduced as easy circular import. Signed-off-by: Brent Baude <bbaude@redhat.com>
* use `pause:3.2` image for infra containersValentin Rothberg2020-03-27
| | | | | | | | | | The `pause:3.1` has wrong configs for non-amd64 images as they all claim to be for amd64. The issue has now been fixed in the latest `pause:3.2`. [1] https://github.com/kubernetes/kubernetes/issues/87325 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* podmanv2 container inspectBrent Baude2020-03-26
| | | | | | add ability to inspect a container Signed-off-by: Brent Baude <bbaude@redhat.com>
* Merge pull request #5573 from mheon/add_basic_exec_endpointsOpenShift Merge Robot2020-03-26
|\ | | | | Implement APIv2 Exec Create and Inspect Endpoints
| * Add bindings for Container Exec Create + InspectMatthew Heon2020-03-26
| | | | | | | | | | | | | | Also adds some basic tests for these two. More tests are needed but will have to wait for state to be finished. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Implement APIv2 Exec Create and Inspect EndpointsMatthew Heon2020-03-23
| | | | | | | | | | | | Start and Resize require further implementation work. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | slirp: enable seccomp filterGiuseppe Scrivano2020-03-26
| | | | | | | | | | | | | | add a check for --enable-seccomp support in slirp4netns. If it is supported, always enable it. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Ensure that exec sends resize eventsMatthew Heon2020-03-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We previously tried to send resize events only after the exec session successfully started, which makes sense (we might drop an event or two that came in before the exec session started otherwise). However, the start function blocks, so waiting actually means we send no resize events at all, which is obviously worse than losing a few.. Sending resizes before attach starts seems to work fine in my testing, so let's do that until we get bug reports that it doesn't work. Fixes #5584 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | podmanv2 volumesBrent Baude2020-03-24
|/ | | | | | add volume commands: create, inspect, ls, prune, and rm Signed-off-by: Brent Baude <bbaude@redhat.com>
* Merge pull request #5434 from mheon/force_delete_cni_netregOpenShift Merge Robot2020-03-23
|\ | | | | Attempt manual removal of CNI IP allocations on refresh
| * Attempt manual removal of CNI IP allocations on refreshMatthew Heon2020-03-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | We previously attempted to work within CNI to do this, without success. So let's do it manually, instead. We know where the files should live, so we can remove them ourselves instead. This solves issues around sudden reboots where containers do not have time to fully tear themselves down, and leave IP address allocations which, for various reasons, are not stored in tmpfs and persist through reboot. Fixes #5433 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Make libpod/lock/shm completely Linux-onlyMiloslav Trmač2020-03-21
| | | | | | | | | | | | | | If the tests are not Linux-only, (go test ./...) still tries to build and test the package. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | Add a stub for libpod.Container.TopMiloslav Trmač2020-03-21
| | | | | | | | Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | Fix the libpod.LabelVolumePath stubMiloslav Trmač2020-03-21
|/ | | | Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Merge pull request #5088 from mheon/begin_exec_reworkOpenShift Merge Robot2020-03-19
|\ | | | | Begin exec rework
| * Add inspect for exec sessionsMatthew Heon2020-03-18
| | | | | | | | | | | | | | This produces detailed information about the configuration of an exec session in a format suitable for the new HTTP API. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Add structure for new exec session tracking to DBMatthew Heon2020-03-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As part of the rework of exec sessions, we need to address them independently of containers. In the new API, we need to be able to fetch them by their ID, regardless of what container they are associated with. Unfortunately, our existing exec sessions are tied to individual containers; there's no way to tell what container a session belongs to and retrieve it without getting every exec session for every container. This adds a pointer to the container an exec session is associated with to the database. The sessions themselves are still stored in the container. Exec-related APIs have been restructured to work with the new database representation. The originally monolithic API has been split into a number of smaller calls to allow more fine-grained control of lifecycle. Support for legacy exec sessions has been retained, but in a deprecated fashion; we should remove this in a few releases. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Populate ExecSession with all required fieldsMatthew Heon2020-03-18
| | | | | | | | | | | | | | | | | | As part of the rework of exec sessions, we want to split Create and Start - and, as a result, we need to keep everything needed to start exec sessions in the struct, not just the bare minimum for tracking running ones. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #5445 from sujil02/podFilter-newOpenShift Merge Robot2020-03-19
|\ \ | | | | | | Filter pods through pod list api
| * | Filter pods through pod list apiSujil022020-03-17
| | | | | | | | | | | | | | | | | | | | | Refactored current filter pods flow through the shared pod functions so filter pod functionalities can be shared between api and cmd. Signed-off-by: Sujil02 <sushah@redhat.com>
* | | Merge pull request #5480 from vrothberg/auto-updatesOpenShift Merge Robot2020-03-18
|\ \ \ | |_|/ |/| | auto update containers in systemd units
| * | auto updatesValentin Rothberg2020-03-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add support to auto-update containers running in systemd units as generated with `podman generate systemd --new`. `podman auto-update` looks up containers with a specified "io.containers.autoupdate" label (i.e., the auto-update policy). If the label is present and set to "image", Podman reaches out to the corresponding registry to check if the image has been updated. We consider an image to be updated if the digest in the local storage is different than the one of the remote image. If an image must be updated, Podman pulls it down and restarts the container. Note that the restarting sequence relies on systemd. At container-creation time, Podman looks up the "PODMAN_SYSTEMD_UNIT" environment variables and stores it verbatim in the container's label. This variable is now set by all systemd units generated by `podman-generate-systemd` and is set to `%n` (i.e., the name of systemd unit starting the container). This data is then being used in the auto-update sequence to instruct systemd (via DBUS) to restart the unit and hence to restart the container. Note that this implementation of auto-updates relies on systemd and requires a fully-qualified image reference to be used to create the container. This enforcement is necessary to know which image to actually check and pull. If we used an image ID, we would not know which image to check/pull anymore. Fixes: #3575 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * | pkg/systemd: add dbus supportValentin Rothberg2020-03-17
| | | | | | | | | | | | | | | | | | | | | Move the dbus-connection code from libpod's healthcheck to pkg/systemd to allow for sharing the logic. Needed for the auto-updates work. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #5536 from giuseppe/avoid-conmon-zombieOpenShift Merge Robot2020-03-18
|\ \ \ | |_|/ |/| | podman: avoid conmon zombie on exec