aboutsummaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
...
* | | | Use imageParts.referenceWithRegistry in pullGoalFromPossiblyUnqualifiedNameMiloslav Trmač2019-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CHANGES BEHAVIOR. This bypasses .assemble, and preserves the original lack of tag / original digest instead of adding :latest/:none (still subject to ParseStoreReference normalization). Using the original digest seems clearly correct; dropping the :latest suffix from .image strings, and adding /library to docker.io/shortname, only affects user-visible input; later uses of the return value of pullImageFrom... use ParseStoreReference, which calls reference.ParseNormalizedNamed and reference.TagNameOnly, so the image name should be processed the same way whether it contains a tag, or libray/, or not. This also allows us to drop the problematic hasShaInInputName heuristic/condition/helper. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | | Use imageParts.referenceWithRegistry in getPullRefPairMiloslav Trmač2019-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CHANGES BEHAVIOR. This bypasses .assemble, and preserves the original lack of tag / original digest instead of adding :latest/:none (still subject to ParseStoreReference normalization). Using the original digest seems clearly correct; dropping the :latest suffix from .image strings only affects user-visible input; later uses of the return value of pullImageFrom... use ParseStoreReference, which calls reference.TagNameOnly, so the image name should be processed the same way whether it contains a tag or not. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | | Add imageParts.referenceWithRegistryMiloslav Trmač2019-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is the primary goal of decompose()+assemble(), to support qualifying an image name. Does not have any users yet, so does not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | | Don't use imageParts.assemble when pulling from a qualified nameMiloslav Trmač2019-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CHANGES BEHAVIOR. If the name is qualified, instead of decomposing it into components and re-assembling, just use the input name unmodified: - For name:tag values, .assemble() just recreates the input. - For untagged values, .assemble() adds ":latest"; we keep the input as is, but both docker.ParseReference and storage.Transport.ParseStoreReference use reference.TagNameOnly() already. - For digested references, .assemble() adds ":none", but the code was already bypassing .assemble() on that path already - for the source reference. For the destination, this replaces a :none destination with a the @digest reference, as expected. Note that while decompose() has already parsed the input, it (intentionally) bypassed the docker.io/library normalization; therefore we parse the input again (via docker.ParseReference) to ensure that the reference is normalized. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | | Reorganize normalizeTagMiloslav Trmač2019-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Move the registry defaulting before tag defaulting. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | | Simplify pullGoalFromPossiblyUnqualifiedNameMiloslav Trmač2019-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Both imageParts and this function implicitly assume docker.Transport troughout, so instead of pretending to be flexible about DefaultTransport, just hard-code docker.ParseReference directly. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | | Remove imageParts.transportMiloslav Trmač2019-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It is only ever set to DefaulTransport, and all of the code is docker/reference-specific anyway, so there's no point in making this a variable. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | | Simplify pullGoalFromPossiblyUnqualifiedNameMiloslav Trmač2019-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After inlining assembleWithTransport, we have two branches with the same prepending of decomposedImage.transport; move that out of the branches. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | | Inline imageParts.assembleWithTransport into callersMiloslav Trmač2019-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | imageParts.transport is a constant, and the design of imageParts is not transport-independent in any sense; we will want to eliminate the transport member entirely. As a first step, drop assembleWithTransport and inline an exact equivalent into all callers. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | | Record the original reference.Named in imagePartsMiloslav Trmač2019-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We will eventually want to eliminate most members of imageParts in favor of using the c/image/docker/reference API directly. For now, just record the reference.Named value, and we will replace uses of the other members before removing them. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | | Drop image.DecomposeString, make image.Parts private imageParts againMiloslav Trmač2019-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Now that DecomposeString has no users, make the type private again. Any new users of it should come with a rationale - and new users of the "none"/"latest" handling of untagged/digested names that is currently implemented should have an exceptionaly unusual rationale. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | | Don't call image.DecomposeString in imageInListToContainerImageMiloslav Trmač2019-01-14
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - It is used to fill Repository(misnamed)/Tag members which have no users; so it's completely unclear why this is useful. - Given the mishandling of tags by imageParts.tag, at the very least all new code should primarily use reference.Named (even if after a decompose() to internally deal with unqualified names first), introducing new uses of original decompose() just reintroduces known trouble - so without any provided rationale, reverting seems a reasonable default action. - This drags in all of libpod/image into the "remote client" build, which seems undesirable. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* | | Merge pull request #2141 from baude/remotetagOpenShift Merge Robot2019-01-13
|\ \ \ | |/ / |/| | Add darwin support for remote-client
| * | Add darwin support for remote-clientbaude2019-01-11
| | | | | | | | | | | | | | | | | | | | | | | | Add the ability to cross-compile podman remote for OSX. Also, add image exists and tag to remote-client. Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #2138 from giuseppe/rootless-pod-fixOpenShift Merge Robot2019-01-11
|\ \ \ | |/ / |/| | rootless: fix usage of create --pod=new:FOO
| * | spec: add nosuid,noexec,nodev to ro bind mountGiuseppe Scrivano2019-01-11
| | | | | | | | | | | | | | | | | | | | | runc fails to change the ro mode of a rootless bind mount if the other flags are not kept. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #2113 from baude/remoteimagesOpenShift Merge Robot2019-01-11
|\ \ \ | | | | | | | | remote-client support for images
| * | | remote-client support for imagesbaude2019-01-10
| | | | | | | | | | | | | | | | Signed-off-by: baude <bbaude@redhat.com>
* | | | Replace tab with spaces in MarshalIndent in libpodMatthew Heon2019-01-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The json-iterator package will panic on attempting to use MarshalIndent with a non-space indentation. This is sort of silly but swapping from tabs to spaces is not a big issue for us, so let's work around the silly panic. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Remove one more usage of encoding/json in libpodMatthew Heon2019-01-10
| | | | | | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Move all libpod/ JSON references over to jsoniterMatthew Heon2019-01-10
| | | | | | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Remove easyjson in preparation for switch to jsoniterMatthew Heon2019-01-10
| |/ / |/| | | | | | | | | | | | | | | | | | | | | | | The jsoniter library does not require code generation, which is a massive advantage over easyjson (it's also about the same in performance). Begin moving over to it by removing the existing easyjson code. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #2126 from giuseppe/set-prlimitOpenShift Merge Robot2019-01-10
|\ \ \ | |/ / |/| | podman: bump RLIMIT_NOFILE also without CAP_SYS_RESOURCE
| * | podman: bump RLIMIT_NOFILE also without CAP_SYS_RESOURCEGiuseppe Scrivano2019-01-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If we are not able to make arbitrary changes to the RLIMIT_NOFILE when lacking CAP_SYS_RESOURCE, don't fail but bump the limit to the maximum allowed. In this way the same code path works with rootless mode. Closes: https://github.com/containers/libpod/issues/2123 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #2114 from vrothberg/issue-2107OpenShift Merge Robot2019-01-10
|\ \ \ | |/ / |/| | apparmor: apply default profile at container initialization
| * | apparmor: apply default profile at container initializationValentin Rothberg2019-01-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Apply the default AppArmor profile at container initialization to cover all possible code paths (i.e., podman-{start,run}) before executing the runtime. This allows moving most of the logic into pkg/apparmor. Also make the loading and application of the default AppArmor profile versio-indepenent by checking for the `libpod-default-` prefix and over-writing the profile in the run-time spec if needed. The intitial run-time spec of the container differs a bit from the applied one when having started the container, which results in displaying a potentially outdated AppArmor profile when inspecting a container. To fix that, load the container config from the file system if present and use it to display the data. Fixes: #2107 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | libpod/image: Use ParseNormalizedNamed in RepoDigestsW. Trevor King2019-01-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Avoid generating quay.io/openshift-release-dev/ocp-release@sha256@sha256:239... and similar when the image name is already digest-based [1]. It's not clear exactly how we get into this state, but as shown by the unit tests, the new code handles this case correctly (while the previous code does not). [1]: https://github.com/containers/libpod/issues/2086 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #2106 Approved by: rhatdan
* | | If you fail to open shm lock then attempt to create itDaniel J Walsh2019-01-09
|/ / | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #2061 from adrianreber/static-ipOpenShift Merge Robot2019-01-09
|\ \ | | | | | | Use existing interface to request IP address during restore
| * | Use existing interface to request IP address during restoreAdrian Reber2019-01-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The initial implementation to request the same IP address for a container during a restore was based on environment variables influencing CNI. With this commit the IP address selection switches to Podman's internal static IP API. This commit does a comment change in libpod/container_easyjson.go to avoid unnecessary re-generation of libpod/container_easyjson.go during build as this fails in CI. The reason for this is that make sees that libpod/container_easyjson.go needs to be re-created. The commit, however, only changes a part of libpod/container.go which is marked as 'ffjson: skip'. Signed-off-by: Adrian Reber <areber@redhat.com>
* | | hooks: Add pre-create hooks for runtime-config manipulationW. Trevor King2019-01-08
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There's been a lot of discussion over in [1] about how to support the NVIDIA folks and others who want to be able to create devices (possibly after having loaded kernel modules) and bind userspace libraries into the container. Currently that's happening in the middle of runc's create-time mount handling before the container pivots to its new root directory with runc's incorrectly-timed prestart hook trigger [2]. With this commit, we extend hooks with a 'precreate' stage to allow trusted parties to manipulate the config JSON before calling the runtime's 'create'. I'm recycling the existing Hook schema from pkg/hooks for this, because we'll want Timeout for reliability and When to avoid the expense of fork/exec when a given hook does not need to make config changes [3]. [1]: https://github.com/opencontainers/runc/pull/1811 [2]: https://github.com/opencontainers/runc/issues/1710 [3]: https://github.com/containers/libpod/issues/1828#issuecomment-439888059 Signed-off-by: W. Trevor King <wking@tremily.us>
* | Add a --workdir option to 'podman exec'Debarshi Ray2019-01-08
| | | | | | | | Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
* | Merge pull request #2099 from mheon/config_to_containerconfigOpenShift Merge Robot2019-01-08
|\ \ | | | | | | Rename libpod.Config back to ContainerConfig
| * | Rename libpod.Config back to ContainerConfigMatthew Heon2019-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | During an earlier bugfix, we swapped all instances of ContainerConfig to Config, which was meant to fix some data we were returning from Inspect. This unfortunately also renamed a libpod internal struct for container configs. Undo the rename here. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #2078 from rhatdan/config.fileOpenShift Merge Robot2019-01-07
|\ \ \ | | | | | | | | Add the configuration file used to setup storage to podman info
| * | | Add the configuration file used to setup storage to podman infoDaniel J Walsh2019-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Users have no idea what storage configuration file is used to setup storage, so adding this to podman info, should make it easier to discover. This requires a revendor of containers/storage Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Merge pull request #2098 from baude/remoteOpenShift Merge Robot2019-01-07
|\ \ \ \ | |_|/ / |/| | | Add ability to build golang remote client
| * | | Add ability to build golang remote clientbaude2019-01-07
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | Add the ability to build a remote client in golang that uses all the same front-end cli code and output code. The initial limitations here are that it can only be a local client while the bridge and resolver code is being written for the golang varlink client. Tests and docs will be added in subsequent PRs. Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #2075 from baude/runlabelnameOpenShift Merge Robot2019-01-07
|\ \ \ | | | | | | | | container runlabel NAME implementation
| * | | container runlabel NAME implementationbaude2019-01-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when using container runlabel, if a --name is not provided, we must deduce the container name from the base name of the image to maintain parity with the atomic cli. fixed small bug where we split the cmd on " " rather than using fields could lead to extra spaces in command output. Signed-off-by: baude <bbaude@redhat.com>
* | | | Address lingering review comments from SHM locking PRMatthew Heon2019-01-07
| |_|/ |/| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Rootless with shmlocks was not working.Daniel J Walsh2019-01-05
| | | | | | | | | | | | | | | | | | | | | | | | This patch makes the path unigue to each UID. Also cleans up some return code to return the path it is trying to lock. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Move lock init after tmp dir is populated properlyMatthew Heon2019-01-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | Don't initialize the lock manager until almost the end of libpod init, so we can guarantee our tmp dir is properly set up and exists. This wasn't an issue on systems that had previously run Podman, but CI caught it. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | When refreshing libpod, if SHM locks exist, remove themMatthew Heon2019-01-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This will hopefully help cases where libpod is initialized multiple times on the same system (as on our CI tests). We still run into potential issues where multiple Podmans with multiple tmp paths try to run on the same system - we could end up thrashing the locks. I think we need a file locks driver for situations like that. We can also see about storing paths in the SHM segment, to make sure multiple libpod instances aren't using the same one. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Ensure different error messages and creating/opening locksMatthew Heon2019-01-04
| | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | | Update unit tests to use in-memory lock managerMatthew Heon2019-01-04
| | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | | Remove runtime lockDir and add in-memory lock managerMatthew Heon2019-01-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | Remove runtime's lockDir as it is no longer needed after the lock rework. Add a trivial in-memory lock manager for unit testing Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | | Convert pods to SHM locksMatthew Heon2019-01-04
| | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | | Convert containers to SHM lockingMatthew Heon2019-01-04
| | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | | Add lock manager to libpod runtimeMatthew Heon2019-01-04
| | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>