summaryrefslogtreecommitdiff
path: root/pkg/domain/infra
Commit message (Collapse)AuthorAge
* Allow recursive dependency start with Init()Matthew Heon2020-06-18
| | | | | | | | | | | | | | | | | | | | As part of APIv2 Attach, we need to be able to attach to freshly created containers (in ContainerStateConfigured). This isn't something Libpod is interested in supporting, so we use Init() to get the container into ContainerStateCreated, in which attach is possible. Problem: Init() will fail if dependencies are not started, so a fresh container in a fresh pod will fail. The simplest solution is to extend the existing recursive start code from Start() to Init(), allowing dependency containers to be started when we initialize the container (optionally, controlled via bool). Also, update some comments in container_api.go to make it more clear how some of our major API calls work. Fixes #6646 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #6634 from baude/v2buildfixesOpenShift Merge Robot2020-06-17
|\ | | | | fix misc remote build issues
| * fix misc remote build issuesBrent Baude2020-06-17
| | | | | | | | | | | | | | | | | | address problem when multiple -t were sent. and rework remote build's tarball if a context dir is given other than ".". Fixes: #6578 Fixes: #6577 Signed-off-by: Brent Baude <bbaude@redhat.com>
* | Merge pull request #6636 from mheon/add_warningsOpenShift Merge Robot2020-06-17
|\ \ | | | | | | Re-add resource limit warnings to Specgen
| * | Re-add resource limit warnings to SpecgenMatthew Heon2020-06-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These were part of Podman v1.9, but were lost in the transition to using Specgen to create containers. Most resource limits are checked via the sysinfo package to ensure they are safe to use (the cgroup is mounted, kernel support is present, etc) and removed if not safe. Further, bounds checks are performed to ensure that values are valid. Ensure these warnings are printed client-side when they occur. This part is a little bit gross, as it happens in pkg/infra and not cmd/podman, which is largely down to how we implemented `podman run` - all the work is done in pkg/infra and it returns only once the container has exited, and we need warnings to print *before* the container runs. The solution here, while inelegant, avoid the need to extensively refactor our handling of run. Should fix blkio-limit warnings that were identified by the FCOS test suite. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #6583 from mheon/inspect_ctr_before_imgOpenShift Merge Robot2020-06-17
|\ \ \ | |_|/ |/| | Fix podman inspect on overlapping/missing objects
| * | Fix podman inspect on overlapping/missing objectsMatthew Heon2020-06-16
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This started as a small fix to `podman inspect` where a container and image, with the same name/tag, were present, and `podman inspect` was run on that name. `podman inspect` in 1.9 (and `docker inspect`) will give you the container; in v2.0, we gave the image. This was an easy fix (just reorder how we check for image/container). Unfortunately, in the process of testing this fix, I determined that we regressed in a different area. When you run inspect on a number of containers, some of which do not exist, `podman inspect` should return an array of inspect results for the objects that exist, then print a number of errors, one for each object that could not be found. We were bailing after the first error, and not printing output for the containers that succeeded. (For reference, this applied to images as well). This required a much more substantial set of changes to properly handle - signatures for the inspect functions in ContainerEngine and ImageEngine, plus the implementations of these interfaces, plus the actual inspect frontend code needed to be adjusted to use this. Fixes #6556 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Add <return> to lines returen in podman-remote logsDaniel J Walsh2020-06-16
| | | | | | | | | | | | | | Every line is sent back individually over the APIv2 as logs, but we are not adding the '\n' to give us line breaks. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Fix podman-remote imagesDaniel J Walsh2020-06-16
|/ | | | | | Looks like we went too far with the linters. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #6589 from rhatdan/attachOpenShift Merge Robot2020-06-15
|\ | | | | Handle errors on attach properly
| * Handle errors on attach properlyDaniel J Walsh2020-06-15
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #6601 from zhangguanzhang/podman-cp-dirOpenShift Merge Robot2020-06-15
|\ \ | |/ |/| fix podman cp can create an extra directory when the source is the container's root directory
| * fix podman cp can create an extra directory levelzhangguanzhang2020-06-15
| | | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | Turn on More lintersDaniel J Walsh2020-06-15
| | | | | | | | | | | | | | | | | | - misspell - prealloc - unparam - nakedret Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #6415 from vrothberg/systemd-new-podOpenShift Merge Robot2020-06-11
|\ \ | | | | | | podman-generate-systemd --new for pods
| * | generate systemd: wrap pod/ctr lookup errorsValentin Rothberg2020-06-11
| | | | | | | | | | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * | generate systemd: refactorValentin Rothberg2020-06-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Refactor the systemd-unit generation code and move all the logic into `pkg/systemd/generate`. The code was already hard to maintain but I found it impossible to wire the `--new` logic for pods in all the chaos. The code refactoring in this commit will make maintaining the code easier and should make it easier to extend as well. Further changes and refactorings may still be needed but they will easier. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * | generate systemd: rephrase lookup errorValentin Rothberg2020-06-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | Rephrase the lookup error when the specified name or ID does not refer to a container or pod. Until, only the pod-lookup error has been returned which can be confusing when actually looking for a container; a user might have just mistyped the ID or name. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
| * | podman-pod{rm,start,stop}: support --pod-id-fileValentin Rothberg2020-06-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Support the `--pod-id-file` flag in the rm, start and stop pod commands. This completes the already support flag in pod-create and is another prerequisite for generating generic systemd unit files for pods. Also add completions, docs and tests. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #6569 from giuseppe/create-slice-only-systemdOpenShift Merge Robot2020-06-11
|\ \ \ | | | | | | | | podman: create scope only if --cgroup-manager=systemd
| * | | podman: create scope only if --cgroup-manager=systemdGiuseppe Scrivano2020-06-11
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | drop check for current cgroup ownership if the cgroup manager is not set to systemd. Closes: https://github.com/containers/libpod/issues/4483 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #6256 from theunrealgeek/play_kube_deploymentOpenShift Merge Robot2020-06-11
|\ \ \ | |/ / |/| | Support k8s Deployment in play kube
| * | Update comment related to seccomp profiles in play kubetheunrealgeek2020-06-03
| | | | | | | | | | | | Signed-off-by: Aditya Kamath <theunrealgeek@gmail.com>
| * | Fix existing teststheunrealgeek2020-06-02
| | | | | | | | | | | | Signed-off-by: Aditya Kamath <theunrealgeek@gmail.com>
| * | Modify PlayKubeReport to preserve pod->container mappingtheunrealgeek2020-06-02
| | | | | | | | | | | | Signed-off-by: Aditya Kamath <theunrealgeek@gmail.com>
| * | supporting k8s Deployment objectstheunrealgeek2020-06-02
| | | | | | | | | | | | Signed-off-by: Aditya Kamath <theunrealgeek@gmail.com>
* | | Merge pull request #6546 from rhatdan/lintOpenShift Merge Robot2020-06-10
|\ \ \ | | | | | | | | Turn on golint
| * | | Fix Id->ID where possible for lintDaniel J Walsh2020-06-10
| | | | | | | | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| * | | Fixup issues found by golintDaniel J Walsh2020-06-10
| | | | | | | | | | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | Ensure signal validation happens first in pod killMatthew Heon2020-06-09
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes an error in the system tests, which expect that when you try and kill a nonexistent pod with an incorrect signal, you receive an error about the signal, not the pod. At the same time, fix a missing return statement in the bindings, which could also have caused us grief. Fixes #6540 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | / Add parallel operation to `podman stop`Matthew Heon2020-06-05
| |/ |/| | | | | | | | | | | | | | | | | | | | | This is the other command that benefits greatly from being run in parallel, due to the potential 15-second timeout for containers that ignore SIGTERM. While we're at it, also clean up how stop timeout is set. This needs to be an optional parameter, so that the value set when the container is created with `--stop-timeout` will be respected. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Add parallel execution code for container operationsMatthew Heon2020-06-05
| | | | | | | | | | | | | | | | This code will run container operations in parallel, up to a given maximum number of threads. Currently, it has only been enabled for local `podman rm` as a proof of concept. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #6485 from QiWang19/remote-ignoreOpenShift Merge Robot2020-06-04
|\ \ | | | | | | fix remote test --ignore & turn on more tests
| * | fix remote test --ignore & turn on more testsQi Wang2020-06-03
| | | | | | | | | | | | | | | | | | fix remote test --ignore & turn on more tests Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | Merge pull request #6481 from QiWang19/rm-test-stopOpenShift Merge Robot2020-06-04
|\ \ \ | | | | | | | | turn on remote stop_test
| * | | turn on remote stop_testQi Wang2020-06-03
| | | | | | | | | | | | | | | | | | | | | | | | turn on stop_test --cidfile Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | | Merge pull request #6486 from baude/v2infoaddsocketOpenShift Merge Robot2020-06-04
|\ \ \ \ | | | | | | | | | | add socket information to podman info
| * | | | add socket information to podman infoBrent Baude2020-06-03
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | this is step 1 to self-discovery of remote ssh connections. we add a remotesocket struct to info to detect what the socket path might be. Co-authored-by: Jhon Honce <jhonce@redhat.com> Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | | Merge pull request #6478 from rhatdan/abisupportOpenShift Merge Robot2020-06-03
|\ \ \ \ | | | | | | | | | | Remove use of ABISupport buildtag
| * | | | Remove use of ABISupport buildtagDaniel J Walsh2020-06-03
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We need to default to building podman. If you specify no build tags you will not build podman, not podman-remote. Just using remote flag to indicate podman-remote and !remote for podman. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | When stopping containers locally, ensure cleanup runsMatthew Heon2020-06-03
| |/ / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The cleanup process was already running and ensuring that mounts and networking configuration was cleaned up on container stop, but this was async from the actual `podman stop` command which breaks some expectations - the container is still mounted at the end of `podman stop` and will be cleaned up soon, but not immediately. Fortunately, it's a trivial change to resolve this. Fixes #5747 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #6469 from jwhonce/wip/authOpenShift Merge Robot2020-06-03
|\ \ \ | | | | | | | | V2 Add support for ssh authentication methods
| * | | V2 Add support for ssh authentication methodsJhon Honce2020-06-03
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * podman --remote ssh://<user>:<password>@<host>:<port><path> * podman --remote ssh://<user>:<password>@<host>:<port><path> \ --identity <path> --passphrase <phrase> * ssh-add <key> podman --remote ssh://<user>@<host><path> * Fix `podman help` to run even if podman missing components * Prompt for passphrase on stdin IFF key is protected and passphrase not given via any other configuration * cobra flags do not support optional value flags therefore refactored --remote to be a boolean and --url will now contain the URI to Podman service Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | Merge pull request #6473 from mheon/fix_inspect_segfaultOpenShift Merge Robot2020-06-03
|\ \ \ | |/ / |/| | Fix a segfault in `podman inspect -l` w/ no containers
| * | Fix a segfault in `podman inspect -l` w/ no containersMatthew Heon2020-06-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | We also need to rework container/image inspect to be separate, but that can happen in another PR. Fixes #6472 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Turn on remote rm_test --cidfileQi Wang2020-06-02
| |/ |/| | | | | | | | | Turn on remote rm_test --cidfile Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Enable detached exec for remoteMatthew Heon2020-06-02
|/ | | | | | | | | | | | | | | | | | | | | | | The biggest obstacle here was cleanup - we needed a way to remove detached exec sessions after they exited, but there's no way to tell if an exec session will be attached or detached when it's created, and that's when we must add the exit command that would do the removal. The solution was adding a delay to the exit command (5 minutes), which gives sufficient time for attached exec sessions to retrieve the exit code of the session after it exits, but still guarantees that they will be removed, even for detached sessions. This requires Conmon 2.0.17, which has the new `--exit-delay` flag. As part of the exit command rework, we can drop the hack we were using to clean up exec sessions (remove them as part of inspect). This is a lot cleaner, and I'm a lot happier about it. Otherwise, this is just plumbing - we need a bindings call for detached exec, and that needed to be added to the tunnel mode backend for entities. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add bindings for exec and enable attached remoteMatthew Heon2020-06-01
| | | | | | | | | | | This adds bindings for starting exec sessions, and then uses them to wire up detached exec. Code is heavily based on Attach code for containers, slightly modified to handle exec sessions. Bindings are presently attached-only, detached is pending on a Conmon update landing in CI. I'll probably get to that next. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add support for format {{.Label}}Brent Baude2020-06-01
| | | | | | | | the pod ps man page says .Label is valid go template format. i dont think the function was actually ever implemented. Fixes #6448 Signed-off-by: Brent Baude <bbaude@redhat.com>
* compat handlers: add X-Registry-Auth header supportValentin Rothberg2020-05-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Support the `X-Registry-Auth` http-request header. * The content of the header is a base64 encoded JSON payload which can either be a single auth config or a map of auth configs (user+pw or token) with the corresponding registries being the keys. Vanilla Docker, projectatomic Docker and the bindings are transparantly supported. * Add a hidden `--registries-conf` flag. Buildah exposes the same flag, mostly for testing purposes. * Do all credential parsing in the client (i.e., `cmd/podman`) pass the username and password in the backend instead of unparsed credentials. * Add a `pkg/auth` which handles most of the heavy lifting. * Go through the authentication-handling code of most commands, bindings and endpoints. Migrate them to the new code and fix issues as seen. A final evaluation and more tests is still required *after* this change. * The manifest-push endpoint is missing certain parameters and should use the ABI function instead. Adding auth-support isn't really possible without these parts working. * The container commands and endpoints (i.e., create and run) have not been changed yet. The APIs don't yet account for the authfile. * Add authentication tests to `pkg/bindings`. Fixes: #6384 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>