summaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* Merge pull request #7306 from mheon/private_mountOpenShift Merge Robot2020-08-12
|\ | | | | Change /sys/fs/cgroup/systemd mount to rprivate
| * Change /sys/fs/cgroup/systemd mount to rprivateMatthew Heon2020-08-12
| | | | | | | | | | | | | | | | I used the wrong propagation first time around because I forgot that rprivate is the default propagation. Oops. Switch to rprivate so we're using the default. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #7308 from hamzadis/slirp4netns-cidrOpenShift Merge Robot2020-08-12
|\ \ | | | | | | Add support for setting the CIDR when using slirp4netns
| * | Add support for setting the CIDR when using slirp4netnsAdis Hamzić2020-08-12
| |/ | | | | | | | | | | | | | | This adds support for the --cidr parameter that is supported by slirp4netns since v0.3.0. This allows the user to change the ip range that is used for the network inside the container. Signed-off-by: Adis Hamzić <adis@hamzadis.com>
* / add event for image buildBrent Baude2020-08-12
|/ | | | | | | | upon image build completion, a new image type event is written for "build". more intricate details, like pulling an image, that might be done by build must be implemented in different vendored packages only after libpod is split from podman. Fixes: #7022 Signed-off-by: Brent Baude <bbaude@redhat.com>
* Ensure correct propagation for cgroupsv1 systemd cgroupMatthew Heon2020-08-11
| | | | | | | | | | | | | | | | On cgroups v1 systems, we need to mount /sys/fs/cgroup/systemd into the container. We were doing this with no explicit mount propagation tag, which means that, under some circumstances, the shared mount propagation could be chosen - which, combined with the fact that we need a mount to mask /sys/fs/cgroup/systemd/release_agent in the container, means we would leak a never-ending set of mounts under /sys/fs/cgroup/systemd/ on container restart. Fortunately, the fix is very simple - hardcode mount propagation to something that won't leak. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Unconditionally retrieve pod names via APIMatthew Heon2020-08-10
| | | | | | | | | | | | | | | | | | The ListContainers API previously had a Pod parameter, which determined if pod name was returned (but, notably, not Pod ID, which was returned unconditionally). This was fairly confusing, so we decided to deprecate/remove the parameter and return it unconditionally. To do this without serious performance implications, we need to avoid expensive JSON decodes of pod configuration in the DB. The way our Bolt tables are structured, retrieving name given ID is actually quite cheap, but we did not expose this via the Libpod API. Add a new GetName API to do this. Fixes #7214 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #7216 from 5eraph/masterOpenShift Merge Robot2020-08-09
|\ | | | | support outbound-addr
| * changes to support outbound-addr5eraph2020-08-07
| | | | | | | | | | | | Fixes #6064 Signed-off-by: Bohumil Cervenka <5eraph@protonmail.com>
* | Merge pull request #7215 from vrothberg/flatten-the-curveOpenShift Merge Robot2020-08-08
|\ \ | | | | | | images: speed up lists
| * | image list: speed upValentin Rothberg2020-08-07
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Listing images has shown increasing performance penalties with an increasing number of images. Unless `--all` is specified, Podman will filter intermediate images. Determining intermediate images has been done by finding (and comparing!) parent images which is expensive. We had to query the storage many times which turned it into a bottleneck. Instead, create a layer tree and assign one or more images to nodes that match the images' top layer. Determining the children of an image is now exponentially faster as we already know the child images from the layer graph and the images using the same top layer, which may also be considered child images based on their history. On my system with 510 images, a rootful image list drops from 6 secs down to 0.3 secs. Also use the tree to compute parent nodes, and to filter intermediate images for pruning. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #7232 from Luap99/podman-logs-tailOpenShift Merge Robot2020-08-07
|\ \ | | | | | | fix podman logs --tail when log is bigger than pagesize
| * | fix podman logs --tail when log is bigger than pagesizePaul Holzinger2020-08-06
| | | | | | | | | | | | Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #7236 from mheon/write_error_to_inspectOpenShift Merge Robot2020-08-05
|\ \ \ | | | | | | | | Ensure that exec errors write exit codes to the DB
| * | | Ensure that exec errors write exit codes to the DBMatthew Heon2020-08-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In local Podman, the frontend interprets the error and exit code given by the Exec API to determine the appropriate exit code to set for Podman itself; special cases like a missing executable receive special exit codes. Exec for the remote API, however, has to do this inside Libpod itself, as Libpod will be directly queried (via the Inspect API for exec sessions) to get the exit code. This was done correctly when the exec session started properly, but we did not properly handle cases where the OCI runtime fails before the exec session can properly start. Making two error returns that would otherwise not set exit code actually do so should resolve the issue. Fixes #6893 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Merge pull request #7176 from mheon/make_entrypointOpenShift Merge Robot2020-08-05
|\ \ \ \ | | | | | | | | | | Ensure WORKDIR from images is created
| * | | | Ensure WORKDIR from images is createdMatthew Heon2020-08-03
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A recent crun change stopped the creation of the container's working directory if it does not exist. This is arguably correct for user-specified directories, to protect against typos; it is definitely not correct for image WORKDIR, where the image author definitely intended for the directory to be used. This makes Podman create the working directory and chown it to container root, if it does not already exist, and only if it was specified by an image, not the user. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | / / Retry pulling imageQi Wang2020-08-04
| |/ / |/| | | | | | | | | | | | | | Wrap the inner helper in the retry function. Functions pullimage failed with retriable error will default maxretry 3 times using exponential backoff. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | Improve error message when creating a pod/ctr with the same namePaul Holzinger2020-08-04
| |/ |/| | | | | | | | | | | | | | | Check if there is an pod or container an return the appropriate error message instead of blindly return 'container exists' with `podman create` and 'pod exists' with `podman pod create`. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #7188 from zhangguanzhang/network-404OpenShift Merge Robot2020-08-03
|\ \ | | | | | | API returns 500 in case network is not found instead of 404
| * | API returns 500 in case network is not found instead of 404zhangguanzhang2020-08-02
| | | | | | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | Remove some unnecessary []byte to string conversionsSascha Grunert2020-08-03
|/ / | | | | | | | | | | | | Some calls to `Sprintf("%s")` can be avoided by using direct string type assertions. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* / Ensure libpod/define does not include libpod/imageMatthew Heon2020-07-31
|/ | | | | | | | | | | | | The define package under Libpod is intended to be an extremely minimal package, including constants and very little else. However, as a result of some legacy code, it was dragging in all of libpod/image (and, less significantly, the util package). Fortunately, this was just to ensure that error constants were not duplicating, and there's nothing preventing us from importing in the other direction and keeping libpod/define free of dependencies. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #7168 from QiWang19/exec-fdsOpenShift Merge Robot2020-07-31
|\ | | | | Fix close fds of exec --preserve-fds
| * Fix close fds of exec --preserve-fdsQi Wang2020-07-31
| | | | | | | | | | | | Fix the closing of fds from --preserve-fds to avoid the operation on unrelated fds. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Merge pull request #7120 from QiWang19/preserve-fdOpenShift Merge Robot2020-07-31
|\ \ | |/ |/| Fix close fds of run --preserve-fds
| * fix close fds of run --preserve-fdsQi Wang2020-07-30
| | | | | | | | | | | | | | Test flakes mentioned in #6987 might be caused by uncorrect closing of file descriptor. Fix the code to close file descriptors for podman run since it may close those used by other processes. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | volumes: do not recurse when chowningGiuseppe Scrivano2020-07-31
|/ | | | | | | | | keep the file ownership when chowning and honor the user namespace mappings. Closes: https://github.com/containers/podman/issues/7130 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Ensure that 'rmi --force' evicts Podman containersMatthew Heon2020-07-30
| | | | | | | | | | | | | | | | | | | | | The logic for `podman rmi --force` includes a bit of code that will remove Libpod containers using Libpod's container removal logic - this ensures that they're cleanly and completely removed. For other containers (Buildah, CRI-O, etc) we fall back to manually removing the containers using the image from c/storage. Unfortunately, our logic for invoking the Podman removal function had an error, and it did not properly handle cases where we were force-removing an image with >1 name. Force-removing such images by ID guarantees their removal, not just an untag of a single name; our code for identifying whether to remove containers did not proper detect this case, so we fell through and deleted the Podman containers as storage containers, leaving traces of them in the Libpod DB. Fixes #7153 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #6991 from mheon/change_passwd_ondiskOpenShift Merge Robot2020-07-29
|\ | | | | Make changes to /etc/passwd on disk for non-read only
| * Make changes to /etc/passwd on disk for non-read onlyMatthew Heon2020-07-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bind-mounting /etc/passwd into the container is problematic becuase of how system utilities like `useradd` work. They want to make a copy and then rename to try to prevent breakage; this is, unfortunately, impossible when the file they want to rename is a bind mount. The current behavior is fine for read-only containers, though, because we expect useradd to fail in those cases. Instead of bind-mounting, we can edit /etc/passwd in the container's rootfs. This is kind of gross, because the change will show up in `podman diff` and similar tools, and will be included in images made by `podman commit`. However, it's a lot better than breaking important system tools. Fixes #6953 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Add podman image mountDaniel J Walsh2020-07-28
| | | | | | | | | | | | | | | | | | | | | | | | | | There are many use cases where you want to just mount an image without creating a container on it. For example you might want to just examine the content in an image after you pull it for security analysys. Or you might want to just use the executables on the image without running it in a container. The image is mounted readonly since we do not want people changing images. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Switch all references to github.com/containers/libpod -> podmanDaniel J Walsh2020-07-28
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7094 from rhatdan/volumeOpenShift Merge Robot2020-07-27
|\ \ | | | | | | When chowning we should not follow symbolic link
| * | When chowning we should not follow symbolic linkDaniel J Walsh2020-07-27
| | | | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Refactor container configlouis2020-07-23
|/ / | | | | | | | | | | | | This commit handle the TODO task of breaking the Container config into smaller sub-configs Signed-off-by: ldelossa <ldelossa@redhat.com>
* | Support default profile for apparmorDaniel J Walsh2020-07-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently you can not apply an ApparmorProfile if you specify --privileged. This patch will allow both to be specified simultaniosly. By default Apparmor should be disabled if the user specifies --privileged, but if the user specifies --security apparmor:PROFILE, with --privileged, we should do both. Added e2e run_apparmor_test.go Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7006 from ashley-cui/umaskOpenShift Merge Robot2020-07-22
|\ \ | | | | | | Add --umask flag for create, run
| * | Add --umask flag for create, runAshley Cui2020-07-21
| | | | | | | | | | | | | | | | | | | | | | | | --umask sets the umask inside the container Defaults to 0022 Co-authored-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Ashley Cui <acui@redhat.com>
* | | Do not print an error message on non-0 exec exit codeMatthew Heon2020-07-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This was added with an earlier exec rework, and honestly is very confusing. Podman is printing an error message, but the error had nothing to do with Podman; it was the executable we ran inside the container that errored, and per `podman run` convention we should set the Podman exit code to the process's exit code and print no error. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #6902 from vrothberg/events-endpointOpenShift Merge Robot2020-07-21
|\ \ \ | |/ / |/| | events endpoint: fix panic and race condition
| * | events endpoint: fix panic and race conditionValentin Rothberg2020-07-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix a potential panic in the events endpoint when parsing the filters parameter. Values of the filters map might be empty, so we need to account for that instead of uncondtitionally accessing the first item. Also apply a similar for race conditions as done in commit f4a2d25c0fca: Fix a race that could cause read errors to be masked. Masking such errors is likely to report red herrings since users don't see that reading failed for some reasons but that a given event could not be found. Another race was the handler closing event channel, which could lead to two kinds of panics: double close, send to close channel. The backend takes care of that. However, make sure that the backend stops working in case the context has been cancelled. Fixes: #6899 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Switch references from libpod.conf to containers.confDaniel J Walsh2020-07-20
| | | | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Add support for overlay volume mounts in podman.Qi Wang2020-07-20
|/ / | | | | | | | | | | | | | | Add support -v for overlay volume mounts in podman. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Qi Wang <qiwan@redhat.com>
* | abi: set default umask and rlimitsGiuseppe Scrivano2020-07-17
| | | | | | | | | | | | | | | | the code got lost in the migration to podman 2.0, reintroduce it. Closes: https://github.com/containers/podman/issues/6989 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #6965 from giuseppe/followup-pr6324OpenShift Merge Robot2020-07-17
|\ \ | |/ |/| allow switching of port-forward approaches in rootless/using slirp4netns
| * network, slirp4netns: add option to allow host loopbackGiuseppe Scrivano2020-07-16
| | | | | | | | | | | | Closes: https://github.com/containers/podman/issues/6912 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * libpod: pass down network optionsGiuseppe Scrivano2020-07-16
| | | | | | | | | | | | do not pass network specific options through the network namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * allow switching of port-forward approaches in rootless/using slirp4netnsaleks-mariusz2020-07-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As of podman 1.8.0, because of commit da7595a, the default approach of providing port-forwarding in rootless mode has switched (and been hard-coded) to rootlessport, for the purpose of providing super performance. The side-effect of this switch is source within the container to the port-forwarded service always appears to originate from 127.0.0.1 (see issue #5138). This commit allows a user to specify if they want to revert to the previous approach of leveraging slirp4netns add_hostfwd() api which, although not as stellar performance, restores usefulness of seeing incoming traffic origin IP addresses. The change should be transparent; when not specified, rootlessport will continue to be used, however if specifying --net slirp4netns:slirplisten the old approach will be used. Note: the above may imply the restored port-forwarding via slirp4netns is not as performant as the new rootlessport approach, however the figures shared in the original commit that introduced rootlessport are as follows: slirp4netns: 8.3 Gbps, RootlessKit: 27.3 Gbps, which are more than sufficient for many use cases where the origin of traffic is more important than limits that cannot be reached due to bottlenecks elsewhere. Signed-off-by: Aleks Mariusz <m.k@alek.cx> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Preserve passwd on container restartMatthew Heon2020-07-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We added code to create a `/etc/passwd` file that we bind-mount into the container in some cases (most notably, `--userns=keep-id` containers). This, unfortunately, was not persistent, so user-added users would be dropped on container restart. Changing where we store the file should fix this. Further, we want to ensure that lookups of users in the container use the right /etc/passwd if we replaced it. There was already logic to do this, but it only worked for user-added mounts; it's easy enough to alter it to use our mounts as well. Signed-off-by: Matthew Heon <matthew.heon@pm.me>