aboutsummaryrefslogtreecommitdiff
path: root/libpod
Commit message (Collapse)AuthorAge
* pkg/hooks: Version the hook structure and add 1.0.0 hooksW. Trevor King2018-05-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This shifts the matching logic out of libpod/container_internal and into the hook package, where we can reuse it after vendoring into CRI-O. It also adds unit tests with almost-complete coverage. Now libpod is even more isolated from the hook internals, which makes it fairly straightforward to bump the hook config file to 1.0.0. I've dubbed the old format 0.1.0, although it doesn't specify an explicit version. Motivation for some of my changes with 1.0.0: * Add an explicit version field. This will make any future JSON structure migrations more straightforward by avoiding the need for version-guessing heuristics. * Collect the matching properties in a new When sub-structure. This makes the root Hook structure easier to understand, because you don't have to read over all the matching properties when wrapping your head around Hook. * Replace the old 'hook' and 'arguments' with a direct embedding of the runtime-spec's hook structure. This provides access to additional upstream properties (args[0], env, and timeout) and avoids the complication of a CRI-O-specific analog structure. * Add a 'when.always' property. You can usually accomplish this effect in another way (e.g. when.commands = [".*"]), but having a boolean explicitly for this use-case makes for easier reading and writing. * Replace the previous annotations array with an annotations map. The 0.1.0 approach matched only the values regardless of key, and that seems unreliable. * Replace 'cmds' with 'when.commands', because while there are a few ways to abbreviate "commands", there's only one way to write it out in full ;). This gives folks one less thing to remember when writing hook JSON. * Replace the old "inject if any specified condition matches" with "inject if all specified conditions match". This allows for more precise targeting. Users that need more generous targeting can recover the previous behavior by creating a separate 1.0.0 hook file for each specified 0.1.0 condition. I've added doc-compat support for the various pluralizations of the 0.1.0 properties. Previously, the docs and code were not in agreement. More on this particular facet in [1]. I've updated the docs to point out that the annotations being matched are the OCI config annotations. This differs from CRI-O, where the annotations used are the Kubernetes-supplied annotations [2,3]. For example, io.kubernetes.cri-o.Volumes [4] is part of CRI-O's runtime config annotations [5], but not part of the Kubernetes-supplied annotations CRI-O uses for matching hooks. The Monitor method supports the CRI-O use-case [6]. podman doesn't need it directly, but CRI-O will need it when we vendor this package there. I've used nvidia-container-runtime-hook for the annotation examples because Dan mentioned the Nvidia folks as the motivation behind annotation matching. The environment variables are documented in [7]. The 0.1.0 hook config, which does not allow for environment variables, only works because runc currently leaks the host environment into the hooks [8]. I haven't been able to find documentation for their usual annotation trigger or hook-install path, so I'm just guessing there. [1]: https://github.com/kubernetes-incubator/cri-o/pull/1235 [2]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L760 [3]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L772 [4]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/pkg/annotations/annotations.go#L97-L98 [5]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L830-L834 [6]: https://github.com/kubernetes-incubator/cri-o/pull/1345/ [7]: https://github.com/NVIDIA/nvidia-container-runtime/tree/v1.3.0-1#environment-variables-oci-spec [8]: https://github.com/opencontainers/runc/pull/1738 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #686 Approved by: mheon
* Do not error trying to remove cgroups that don't existMatthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* Remove parent cgroup we create with cgroupfsMatthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* Place Conmon and Container in separate CGroupsMatthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* Add --cgroup-manager flag to Podman binaryMatthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* Major fixes to systemd cgroup handlingMatthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* Alter CGroup path handling for 'podman top'Matthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* Add validation for CGroup parents. Pass CGroups path into runcMatthew Heon2018-05-11
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #507 Approved by: baude
* podman push should honor registries.confbaude2018-05-10
| | | | | | | | | | | Like podman pull, when you push an image, podman should check if the registry is listed as insecure and if so, it should --tls-verify=false unless the user overrides this. Signed-off-by: baude <bbaude@redhat.com> Closes: #738 Approved by: mheon
* container.go: fix lint errorGiuseppe Scrivano2018-05-05
| | | | | | | | | | | the error was: libpod/container.go:219::error: struct field tag `json:"groups, omitempty"` not compatible with reflect.StructTag.Get: suspicious space in struct tag value (vet) Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #729 Approved by: baude
* Should not error out if container no longer exists in ociDaniel J Walsh2018-05-04
| | | | | | | | | | This prevents you from cleaning up the container database, if some how runc and friends db gets screwed up. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #725 Approved by: mheon
* podman, userNS: configure an intermediate mount namespaceGiuseppe Scrivano2018-05-04
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #690 Approved by: mheon
* networking, userNS: configure the network namespace after createGiuseppe Scrivano2018-05-04
| | | | | | | | | | | so that the OCI runtime creates the network namespace from the correct userNS. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #690 Approved by: mheon
* Begin wiring in USERNS Support into podmanDaniel J Walsh2018-05-04
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #690 Approved by: mheon
* Fix pulling from secure registrybaude2018-05-04
| | | | | | | | | | when pulling from a secure registry that is documented in registries.conf, we should be able to pull without tls-verify=false Signed-off-by: baude <bbaude@redhat.com> Closes: #718 Approved by: rhatdan
* Optionally init() during container restartMatthew Heon2018-05-04
| | | | | | | | | | | This allows us to restart containers that have never been started without error. This makes RestartWithTimeout work with running, stopped, and created containers. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #719 Approved by: rhatdan
* varlink containersbaude2018-05-03
| | | | | | | | | | | | | first pass at adding in the container related endpoints/methods for the libpod backend. Couple of important notes: * endpoints that can use a console are not going to be done until we have "remote" console * several of the container methods should probably be able to stream as opposed to a one-off return Signed-off-by: baude <bbaude@redhat.com> Closes: #708 Approved by: baude
* Make podman commit to localhost rather then docker.ioDaniel J Walsh2018-05-03
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #715 Approved by: mheon
* Add accessors for new image fields in container configMatthew Heon2018-05-03
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #700 Approved by: rhatdan
* Store user Volumes, Entrypoint, Command in databaseMatthew Heon2018-05-03
| | | | | | | | | | | We need these for commit, and they cannot be properly deduced from just the OCI spec, so save them in the database so we can retrieve them for commit. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #700 Approved by: rhatdan
* Further fix Godoc comments in options.goMatthew Heon2018-05-03
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #700 Approved by: rhatdan
* Update hooks to use config bool to detect volume mountsMatthew Heon2018-05-03
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #700 Approved by: rhatdan
* Fix Godoc comments in options.goMatthew Heon2018-05-03
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #700 Approved by: rhatdan
* Add config bool to indicate there are user volumesMatthew Heon2018-05-03
| | | | | | | | | | This allows us to accurately trigger OCI hooks that trigger on the presence of volume mounts. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #700 Approved by: rhatdan
* Print the Buildah comment from commit to given writerMatthew Heon2018-05-03
| | | | | | | | | Much better than unconditionally dumping to stdout Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #706 Approved by: rhatdan
* Do not print unnecessary Buildah details during commitMatthew Heon2018-05-03
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #706 Approved by: rhatdan
* do not commit default volumes from containerbaude2018-04-30
| | | | | | | | | | | when performing a container commit, we should not add the default list of volumes for a container to the resulting image. it will cause the resulting image to crash when run subsequently. Signed-off-by: baude <bbaude@redhat.com> Closes: #699 Approved by: mheon
* Use buildah commit and bud in podmanbaude2018-04-27
| | | | | | | | | | | Vendor in buildah and use as much of commit and bug as possible for podman build and commit. Resolves #586 Signed-off-by: baude <bbaude@redhat.com> Closes: #681 Approved by: mheon
* Modify secrets pkgumohnani82018-04-27
| | | | | | | | | | | Made a mistake in my earlier patch. I though that if you add an empty string to an array, the length of the array would still be 0... Realised this when vendoring the secrets pkg into cri-o. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #685 Approved by: mheon
* varlink imagesbaude2018-04-26
| | | | | | | | | | | | | implement varlink image functions for working with libpod with the exception of a couple due to incompletions on the libpod side of things (build). also, created a first pass at a libpodpy package which will stand as a client to working with libpod's varlink methods using python. Signed-off-by: baude <bbaude@redhat.com> Closes: #669 Approved by: baude
* Retrieve IP addresses for container from DBMatthew Heon2018-04-26
| | | | | | | | | | Instead of execing out to the host's IP, use the IP address we got back from CNI to populate Inspect's IP address information. Signed-off-by: Matthew Heon <mheon@redhat.com> Closes: #680 Approved by: umohnani8
* Add --default-mounts-file hidden flagumohnani82018-04-26
| | | | | | | | | | | The hidden flag is used to override the path of the default mounts file for testing purposes. Also modified the secrets pkg to allow for this override to happen. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #678 Approved by: mheon
* Strip transport from image name when looking for local imagebaude2018-04-26
| | | | | | | | | | | When a user pulls an image using a transport, like docker-daemon, we try to lookup the new image in storage by the input name after the pull. Because the input name has a transport (different than local storage), that lookup would fail. Signed-off-by: baude <bbaude@redhat.com> Closes: #644 Approved by: rhatdan
* Remove more Errorf in favor of WrapfMatthew Heon2018-04-25
| | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com> Closes: #668 Approved by: rhatdan
* Do not eat error messages from pullImageMatthew Heon2018-04-25
| | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com> Closes: #668 Approved by: rhatdan
* Modify --user flag for podman create and runumohnani82018-04-24
| | | | | | | | | | If an integer is passed into the --user flag, i.e --user=1234 don't look up the user in /etc/passwd, just assign the integer as the uid. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #652 Approved by: mheon
* Add FIPS mode secretumohnani82018-04-23
| | | | | | | | If the host is in FIPS mode and /etc/system-fips exists /run/secrets/system-fips is created in the container so that the container can run in FIPS mode as well. Signed-off-by: umohnani8 <umohnani@redhat.com>
* Initial varlink implementationbaude2018-04-23
| | | | | | | Signed-off-by: baude <bbaude@redhat.com> Closes: #627 Approved by: mheon
* Vendor in latest containers/image and contaners/storageumohnani82018-04-19
| | | | | | | | | Made necessary changes to functions to include contex.Context wherever needed Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #640 Approved by: baude
* regression: tls verify should be set on registries.conf if insecurebaude2018-04-18
| | | | | | | | | | | In the case where podman needs to pull an image, if that registry that the image resides on is known to be insesure (as defined in /etc/containers/registries.conf), tls-verify should be altered on the fly. Signed-off-by: baude <bbaude@redhat.com> Closes: #626 Approved by: mheon
* - reverse host field order (ip goes first)Nathan Williams2018-04-18
| | | | | | | | | - fix host string split to permit IPv6 Signed-off-by: Nathan Williams <nath.e.will@gmail.com> Closes: #635 Approved by: rhatdan
* Change container.locked to batchedTomSweeneyRedHat2018-04-16
| | | | | | | Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com> Closes: #619 Approved by: mheon
* podman pull should always try to pullbaude2018-04-14
| | | | | | | | | | | | | | In the case where you have an image local, if the the user runs podman pull, we should always attempt to pull an updated image. Added a forceRemote bool to New (image) so we can differentiate between "pull" or run because the actions differ. Run does not need to pull the latest -- only run. Signed-off-by: baude <bbaude@redhat.com> Closes: #618 Approved by: baude
* Fix another comparison of a Go interface against nilMatthew Heon2018-04-13
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #608 Approved by: baude
* Allowing attaching stdin to non-interactive containersMatthew Heon2018-04-13
| | | | | | | | | Mimics docker's behavior Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #608 Approved by: baude
* Change attach to accept a struct containing streamsMatthew Heon2018-04-13
| | | | | | | | | | | Comparing Go interfaces, like io.Reader, to nil does not work. As such, we need to include a bool with each stream telling whether to attach to it. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #608 Approved by: baude
* Changes to attach to enable per-stream attachingMatthew Heon2018-04-13
| | | | | | | | | | This allows us to attach to attach to just stdout or stderr or stdin, or any combination of these. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #608 Approved by: baude
* Fix locking interaction in batched Exec() on containerMatthew Heon2018-04-13
| | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com> Closes: #610 Approved by: giuseppe
* Force host UID/GID mapping when creating containersNalin Dahyabhai2018-04-12
| | | | | | | | | | Until we can handle running containers which use UID/GID mappings, make sure that we always create containers that use the host mappings. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #609 Approved by: baude
* Do not lock all containers during pod killMatthew Heon2018-04-12
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #600 Approved by: rhatdan