summaryrefslogtreecommitdiff
path: root/pkg/domain/infra/tunnel
Commit message (Collapse)AuthorAge
* remote: fix name and ID collisions of containers and podsValentin Rothberg2020-10-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix the look up of containers and pods in the remote client. User input can refer to both, names or IDs of containers and pods, so there is a fair chance of collisions (e.g., "c1" name with a "c1...." ID). Those collisions are well handled (and battle tested) in the local client which is directly using the libpod backend. Hence, the remote client should not attempt to introduce its own logic to prevent bugs and divergence between the local and the remote clients. To prevent collisions such as in #7837, do a container/pod inspect on the user-provided input to find the corresponding ID and eventually do full ID comparisons to avoid potential collisions with names. Note that this has a cost that I am not entirely happy with. Looking at issue #7837, the collisions are happening when removing the two containers. Remote container removal is now very chatty with the server as it first queries for all containers, then iterates over the provided names or IDs and does a remote inspect to figure out the IDs and find a matching container object. However, remote removal could just pass the names and IDs directly to the batch removal endpoint. Querying for all containers could be prevented if the batch removal endpoint would remove all if the slice is empty. In other words, the bug is fixed but there's room for performance improvements. Fixes: #7837 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* fix remote untagValentin Rothberg2020-09-30
| | | | | | | | | | | | | | Fix the remote client to untag all tags of the specified image. Instead of querying the image on the client side, support the case where both, repo and tag, are empty and remove all tags. Reuse the ABI implementation where possible. In retrospective, the libpod untag endpoint should support a slice of strings to batch remove tags rather than reaching out for each tag individually. Enable the skipped test. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Fix network remove for the podman remote clientPaul Holzinger2020-09-28
| | | | | | | | The podman remote client ignored the force option due a typo. If an error occured the remote client would panic with an index out of range error. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #7741 from vrothberg/remote-load-dir-checkOpenShift Merge Robot2020-09-24
|\ | | | | remote load: check if input is directory
| * remote load: check if input is directoryValentin Rothberg2020-09-24
| | | | | | | | | | | | | | | | The remote client does not support loading directories yet. To prevent confusing error messages and to make the behaviour more explicit, check if the input points to a directory and throw an error if needed. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #7753 from vrothberg/fix-7689OpenShift Merge Robot2020-09-24
|\ \ | |/ |/| remote stats
| * stats: break out CLI optionsValentin Rothberg2020-09-24
| | | | | | | | | | | | | | | | Have a clear separation of concerns for the CLI-only options (and their logic) from the backend. The backend logic is now easier to understand (e.g., `stream` instead of `noStream`). Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * new endpoint: /libpod/containers/statsValentin Rothberg2020-09-24
| | | | | | | | | | | | | | | | | | Add a new endpoint for container stats allowing for batch operations on more than one container. The new endpoint deprecates the single-container endpoint which will eventually be removed with the next major release. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * stats refactorValentin Rothberg2020-09-23
| | | | | | | | | | | | | | | | | | | | | | | | Refactor the entities' stats API to simplify using it and reduce the risk of running into concurrency issues at the call sites. Further simplify the stats code by de-spaghetti-ing the logic and reducing duplicate code. `ContainerStats` now returns a data channel and an error. If the error is nil, callers can read from the channel. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Remove final v2remotefail failuresDaniel J Walsh2020-09-23
|/ | | | | | | | | Most have been fixed, others I replaced with SkipIfRemote Fix ContainerStart on tunnel, it needs to wait for the exit status before returning. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix up attach tests for podman remoteDaniel J Walsh2020-09-22
| | | | | | | | | | | When we execute podman-remote attach, we were not checking if the container was in the correct state, this is leading to timeouts and we had turned off remote testing. Also added an IfRemote() function so we can turn on more tests when using the "-l" flag for local, but use container name for remote. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix handling of podman-remote stop --ignoreDaniel J Walsh2020-09-19
| | | | | | This patch simplifies the hanlding of rhe --ignore flag, for podman stop, rm Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* enable --iidfile for podman-remote buildbaude2020-09-17
| | | | | | for podman-remote build operations, the iidfile, when used, needs to write the file to the client's local filesystem. Signed-off-by: baude <bbaude@redhat.com>
* Refactor API build endpoint to be more compliantJhon Honce2020-09-14
| | | | | | | | | | | | | | | | | * Refactor/Rename channel.WriteCloser() to encapsulate the channel * Refactor build endpoint to "live" stream buildah output channels over API rather then buffering output * Refactor bindings/tunnel build because endpoint changes * building tar file now in bindings rather then depending on caller * Cleanup initiating extra image engine * Remove setting fields to zero values (less noise in code) * Update tests to support remote builds Fixes #7136 Fixes #7137 Signed-off-by: Jhon Honce <jhonce@redhat.com>
* remote run: fix error checksValentin Rothberg2020-09-11
| | | | | | | | | | | | As error types are not preserved on the client side (due to marshaling), we cannot use `errors.Cause(...)` and friends but, unfortunately, have to fall back to looking for substring the error messages. Change the error checks in remote run to do substring matches and fix issue #7340. Fixes: #7340 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #7574 from vrothberg/fix-7117OpenShift Merge Robot2020-09-10
|\ | | | | remote run: consult events for exit code
| * remote run: consult events for exit codeValentin Rothberg2020-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After attaching to a container, we wait for the container to finish and return its exit code. Waiting for the container may not always succeed, for instance, when the container has been force removed by another process. In such case, we have to look at the *last* container-exit event. Also refactor the `ContainerRun` method a bit to return early on errors and de-spaghetti the code. Enable the remote-disabled system test. Fixes: #7117 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #7536 from Luap99/api-network-filterOpenShift Merge Robot2020-09-10
|\ \ | |/ |/| APIv2 Add network list filtering
| * APIv2 Add network list filteringPaul Holzinger2020-09-07
| | | | | | | | | | | | | | | | | | | | Add the filter option to the libpod endpoint. Add support for the name filter on the docker endpoint. Add apiv2 tests for the network list endpoints. Enable podman network integration tests for remote. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | support multi-image (docker) archivesValentin Rothberg2020-09-08
| | | | | | | | | | | | | | | | | | | | | | | | | | Support loading and saving tarballs with more than one image. Add a new `/libpod/images/export` endpoint to the rest API to allow for exporting/saving multiple images into an archive. Note that a non-release version of containers/image is vendored. A release version must be vendored before cutting a new Podman release. We force the containers/image version via a replace in the go.mod file; this way go won't try to match the versions. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | APIv2 add generate systemd endpointPaul Holzinger2020-09-02
|/ | | | | | | | | | | | | Add support for generating systemd units via the api and podman-remote. Change the GenerateSystemdReport type to return the units as map[string]string with the unit name as key. Add `--format` flag to `podman generate systemd` to allow the output to be formatted as json. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Replace deepcopy on history resultsBrent Baude2020-08-11
| | | | | | | | the deepcopy in the remote history code path was throwing an uncaught error on a type mismatch. we now manually do the conversion and fix the type mismatch on the fly. Fixes: #7122 Signed-off-by: Brent Baude <bbaude@redhat.com>
* Unconditionally retrieve pod names via APIMatthew Heon2020-08-10
| | | | | | | | | | | | | | | | | | The ListContainers API previously had a Pod parameter, which determined if pod name was returned (but, notably, not Pod ID, which was returned unconditionally). This was fairly confusing, so we decided to deprecate/remove the parameter and return it unconditionally. To do this without serious performance implications, we need to avoid expensive JSON decodes of pod configuration in the DB. The way our Bolt tables are structured, retrieving name given ID is actually quite cheap, but we did not expose this via the Libpod API. Add a new GetName API to do this. Fixes #7214 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #7220 from baude/issue7124OpenShift Merge Robot2020-08-05
|\ | | | | podman-remote send name and tag
| * podman-remote send name and tagBrent Baude2020-08-05
| | | | | | | | | | | | | | | | when loading an image with podman-remote load, we need to send a name and a tag to the endpoint Fixes: #7124 Signed-off-by: Brent Baude <bbaude@redhat.com>
* | Handle podman-remote run --rmDaniel J Walsh2020-08-04
|/ | | | | | | | We need to remove the container after it has exited for podman-remote run --rm commands. If we don't remove this container at this step, we open ourselves up to race conditions. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add podman image mountDaniel J Walsh2020-07-28
| | | | | | | | | | | | | There are many use cases where you want to just mount an image without creating a container on it. For example you might want to just examine the content in an image after you pull it for security analysys. Or you might want to just use the executables on the image without running it in a container. The image is mounted readonly since we do not want people changing images. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Switch all references to github.com/containers/libpod -> podmanDaniel J Walsh2020-07-28
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* move go module to v2Valentin Rothberg2020-07-06
| | | | | | | | | | | | | | | With the advent of Podman 2.0.0 we crossed the magical barrier of go modules. While we were able to continue importing all packages inside of the project, the project could not be vendored anymore from the outside. Move the go module to new major version and change all imports to `github.com/containers/libpod/v2`. The renaming of the imports was done via `gomove` [1]. [1] https://github.com/KSubedi/gomove Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #6634 from baude/v2buildfixesOpenShift Merge Robot2020-06-17
|\ | | | | fix misc remote build issues
| * fix misc remote build issuesBrent Baude2020-06-17
| | | | | | | | | | | | | | | | | | address problem when multiple -t were sent. and rework remote build's tarball if a context dir is given other than ".". Fixes: #6578 Fixes: #6577 Signed-off-by: Brent Baude <bbaude@redhat.com>
* | Merge pull request #6636 from mheon/add_warningsOpenShift Merge Robot2020-06-17
|\ \ | | | | | | Re-add resource limit warnings to Specgen
| * | Re-add resource limit warnings to SpecgenMatthew Heon2020-06-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These were part of Podman v1.9, but were lost in the transition to using Specgen to create containers. Most resource limits are checked via the sysinfo package to ensure they are safe to use (the cgroup is mounted, kernel support is present, etc) and removed if not safe. Further, bounds checks are performed to ensure that values are valid. Ensure these warnings are printed client-side when they occur. This part is a little bit gross, as it happens in pkg/infra and not cmd/podman, which is largely down to how we implemented `podman run` - all the work is done in pkg/infra and it returns only once the container has exited, and we need warnings to print *before* the container runs. The solution here, while inelegant, avoid the need to extensively refactor our handling of run. Should fix blkio-limit warnings that were identified by the FCOS test suite. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #6583 from mheon/inspect_ctr_before_imgOpenShift Merge Robot2020-06-17
|\ \ \ | |_|/ |/| | Fix podman inspect on overlapping/missing objects
| * | Fix podman inspect on overlapping/missing objectsMatthew Heon2020-06-16
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This started as a small fix to `podman inspect` where a container and image, with the same name/tag, were present, and `podman inspect` was run on that name. `podman inspect` in 1.9 (and `docker inspect`) will give you the container; in v2.0, we gave the image. This was an easy fix (just reorder how we check for image/container). Unfortunately, in the process of testing this fix, I determined that we regressed in a different area. When you run inspect on a number of containers, some of which do not exist, `podman inspect` should return an array of inspect results for the objects that exist, then print a number of errors, one for each object that could not be found. We were bailing after the first error, and not printing output for the containers that succeeded. (For reference, this applied to images as well). This required a much more substantial set of changes to properly handle - signatures for the inspect functions in ContainerEngine and ImageEngine, plus the implementations of these interfaces, plus the actual inspect frontend code needed to be adjusted to use this. Fixes #6556 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Add <return> to lines returen in podman-remote logsDaniel J Walsh2020-06-16
| | | | | | | | | | | | | | Every line is sent back individually over the APIv2 as logs, but we are not adding the '\n' to give us line breaks. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Fix podman-remote imagesDaniel J Walsh2020-06-16
|/ | | | | | Looks like we went too far with the linters. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Handle errors on attach properlyDaniel J Walsh2020-06-15
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Turn on More lintersDaniel J Walsh2020-06-15
| | | | | | | | | - misspell - prealloc - unparam - nakedret Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #6546 from rhatdan/lintOpenShift Merge Robot2020-06-10
|\ | | | | Turn on golint
| * Fix Id->ID where possible for lintDaniel J Walsh2020-06-10
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| * Fixup issues found by golintDaniel J Walsh2020-06-10
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Ensure signal validation happens first in pod killMatthew Heon2020-06-09
|/ | | | | | | | | | | | | This fixes an error in the system tests, which expect that when you try and kill a nonexistent pod with an incorrect signal, you receive an error about the signal, not the pod. At the same time, fix a missing return statement in the bindings, which could also have caused us grief. Fixes #6540 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add parallel operation to `podman stop`Matthew Heon2020-06-05
| | | | | | | | | | | | This is the other command that benefits greatly from being run in parallel, due to the potential 15-second timeout for containers that ignore SIGTERM. While we're at it, also clean up how stop timeout is set. This needs to be an optional parameter, so that the value set when the container is created with `--stop-timeout` will be respected. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #6485 from QiWang19/remote-ignoreOpenShift Merge Robot2020-06-04
|\ | | | | fix remote test --ignore & turn on more tests
| * fix remote test --ignore & turn on more testsQi Wang2020-06-03
| | | | | | | | | | | | fix remote test --ignore & turn on more tests Signed-off-by: Qi Wang <qiwan@redhat.com>
* | turn on remote stop_testQi Wang2020-06-03
|/ | | | | | turn on stop_test --cidfile Signed-off-by: Qi Wang <qiwan@redhat.com>
* Turn on remote rm_test --cidfileQi Wang2020-06-02
| | | | | | Turn on remote rm_test --cidfile Signed-off-by: Qi Wang <qiwan@redhat.com>
* Enable detached exec for remoteMatthew Heon2020-06-02
| | | | | | | | | | | | | | | | | | | | | | | The biggest obstacle here was cleanup - we needed a way to remove detached exec sessions after they exited, but there's no way to tell if an exec session will be attached or detached when it's created, and that's when we must add the exit command that would do the removal. The solution was adding a delay to the exit command (5 minutes), which gives sufficient time for attached exec sessions to retrieve the exit code of the session after it exits, but still guarantees that they will be removed, even for detached sessions. This requires Conmon 2.0.17, which has the new `--exit-delay` flag. As part of the exit command rework, we can drop the hack we were using to clean up exec sessions (remove them as part of inspect). This is a lot cleaner, and I'm a lot happier about it. Otherwise, this is just plumbing - we need a bindings call for detached exec, and that needed to be added to the tunnel mode backend for entities. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add bindings for exec and enable attached remoteMatthew Heon2020-06-01
| | | | | | | | | | | This adds bindings for starting exec sessions, and then uses them to wire up detached exec. Code is heavily based on Attach code for containers, slightly modified to handle exec sessions. Bindings are presently attached-only, detached is pending on a Conmon update landing in CI. I'll probably get to that next. Signed-off-by: Matthew Heon <matthew.heon@pm.me>