summaryrefslogtreecommitdiff
path: root/pkg/domain
Commit message (Collapse)AuthorAge
* Merge pull request #9125 from ashley-cui/secretswiringOpenShift Merge Robot2021-02-09
|\ | | | | Implement Secrets
| * Implement SecretsAshley Cui2021-02-09
| | | | | | | | | | | | | | | | | | | | | | Implement podman secret create, inspect, ls, rm Implement podman run/create --secret Secrets are blobs of data that are sensitive. Currently, the only secret driver supported is filedriver, which means creating a secret stores it in base64 unencrypted in a file. After creating a secret, a user can use the --secret flag to expose the secret inside the container at /run/secrets/[secretname] This secret will not be commited to an image on a podman commit Signed-off-by: Ashley Cui <acui@redhat.com>
* | Bump containers/buildah to v1.19.4Daniel J Walsh2021-02-08
| | | | | | | | | | | | Fix handling of --iidfile to happen on the client side. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #9266 from vrothberg/fix-6510OpenShift Merge Robot2021-02-08
|\ \ | | | | | | make `podman rmi` more robust
| * | make `podman rmi` more robustValentin Rothberg2021-02-08
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The c/storage library is subject to TOCTOUs as the central container and image storage may be shared by many instances of many tools. As shown in #6510, it's fairly easy to have multiple instances of Podman running in parallel and yield image-lookup errors when removing them. The underlying issue is the TOCTOU of removal being split into multiple stages of first reading the local images and then removing them. Some images may already have been removed in between the two stages. To make image removal more robust, handle errors at stage two when a given image is not present (anymore) in the storage. Fixes: #6510 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* / add network prunebaude2021-02-06
|/ | | | | | | | | add the ability to prune unused cni networks. filters are not implemented but included both compat and podman api endpoints. Fixes :#8673 Signed-off-by: baude <bbaude@redhat.com>
* Improve ContainerEngine.ContainerWait()Matej Vasek2021-02-03
| | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
* Improve container libpod.Wait*() functionsMatej Vasek2021-02-03
| | | | Signed-off-by: Matej Vasek <mvasek@redhat.com>
* Switch podman stop/kill/wait handlers to use abiDaniel J Walsh2021-01-29
| | | | | | | | | | | | Change API Handlers to use the same functions that the local podman uses. At the same time: implement remote API for --all and --ignore flags for podman stop implement remote API for --all flags for podman stop Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9149 from rhatdan/docsOpenShift Merge Robot2021-01-29
|\ | | | | Podman-remote push can support --format
| * Podman-remote push can support --formatDaniel J Walsh2021-01-29
| | | | | | | | | | | | | | | | Fix man page to document podman push --format fully. Also found that push was not handling the tlsverify so fixed this. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #9133 from rhatdan/pull1OpenShift Merge Robot2021-01-29
|\ \ | |/ |/| Cleanup bindings for image pull
| * Cleanup bindings for image pullDaniel J Walsh2021-01-27
| | | | | | | | | | | | | | | | | | | | Remove bindings that are not handled over the API. Leaving this one to not use image pull, since this would break progress handling. We should revisit this in the future. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #9115 from rhatdan/pullOpenShift Merge Robot2021-01-28
|\ \ | |/ |/| Switch podman image push handlers to use abi
| * Switch podman image push handlers to use abiDaniel J Walsh2021-01-27
| | | | | | | | | | | | | | | | | | | | | | | | Change API Handlers to use the same functions that the local podman uses. At the same time: Cleanup and pass proper bindings. Remove cli options from podman-remote push. Cleanup manifest push. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | podman-remote ps --external --pod --sort do not work.Daniel J Walsh2021-01-27
|/ | | | | | | | | | Fixup the bindings and the handling of the --external --por and --sort flags. The --storage option was renamed --external, make sure we use external up and down the stack. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9054 from vrothberg/fix-9040OpenShift Merge Robot2021-01-26
|\ | | | | make sure the workdir exists on container mount
| * libpod: add (*Container).ResolvePath()Valentin Rothberg2021-01-26
| | | | | | | | | | | | | | | | | | Add an API to libpod to resolve a path on the container. We can refactor the code that was originally written for copy. Other functions are requiring a proper path resolution, so libpod seems like a reasonable home for sharing that code. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Fix --arch and --os flags to work correctlyDaniel J Walsh2021-01-25
|/ | | | | | | | | | | | | | | Currently podman implements --override-arch and --overide-os But Podman has made these aliases for --arch and --os. No reason to have to specify --override, since it is clear what the user intends. Currently if the user specifies an --override-arch field but the image was previously pulled for a different Arch, podman run uses the different arch. This PR also fixes this issue. Fixes: https://github.com/containers/podman/issues/8001 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* podman manifest existsPaul Holzinger2021-01-22
| | | | | | Add podman manifest exists command with remote support. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #9027 from Luap99/podman-volume-existsOpenShift Merge Robot2021-01-21
|\ | | | | Podman volume exists
| * podman volume existsPaul Holzinger2021-01-21
| | | | | | | | | | | | Add podman volume exists command with remote support. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Fix handling of container removeDaniel J Walsh2021-01-20
|/ | | | | | | | | | | | | | | | | | | | I found several problems with container remove podman-remote rm --all Was not handled podman-remote rm --ignore Was not handled Return better errors when attempting to remove an --external container. Currently we return the container does not exists, as opposed to container is an external container that is being used. This patch also consolidates the tunnel code to use the same code for removing the container, as the local API, removing duplication of code and potential problems. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #9021 from Luap99/podman-network-existsOpenShift Merge Robot2021-01-19
|\ | | | | podman network exists
| * podman network existsPaul Holzinger2021-01-19
| | | | | | | | | | | | Add podman network exists command with remote support. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Add binding options for container|pod existsbaude2021-01-18
|/ | | | | | | | It turns out an options was added to container exists so it makes sense to have pods and container exists calls have an optional structure for options. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #8942 from rhatdan/pushOpenShift Merge Robot2021-01-17
|\ | | | | Allow podman push to push manifest lists
| * Allow podman push to push manifest listsDaniel J Walsh2021-01-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When doing a podman images, manifests lists look just like images, so it is logical that users would assume that they can just podman push them to a registry. The problem is we throw out weird errors when this happens and users need to somehow figure out this is a manifest list rather then an image, and frankly the user will not understand the difference. This PR will make podman push just do the right thing, by failing over and attempting to push the manifest if it fails to push the image. Fix up handling of manifest push Protocol should bring back a digest string, which can either be printed or stored in a file. We should not reimplement the manifest push setup code in the tunnel code but take advantage of the api path, to make sure remote and local work the same way. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Container rename bindingsPaul Holzinger2021-01-15
|/ | | | | | Add bindings and podman-remote support for container rename. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #8955 from mheon/renameOpenShift Merge Robot2021-01-14
|\ | | | | Container Rename
| * Initial implementation of renaming containersMatthew Heon2021-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Basic theory: We remove the container, but *only from the DB*. We leave it in c/storage, we leave the lock allocated, we leave it running (if it is). Then we create an identical container with an altered name, and add that back to the database. Theoretically we now have a renamed container. The advantage of this approach is that it doesn't just apply to rename - we can use this to make *any* configuration change to a container that does not alter its container ID. Potential problems are numerous. This process is *THOROUGHLY* non-atomic at present - if you `kill -9` Podman mid-rename things will be in a bad place, for example. Also, we can't rename containers that can't be removed normally - IE, containers with dependencies (pod infra containers, for example). The largest potential improvement will be to move the majority of the work into the DB, with a `RecreateContainer()` method - that will add atomicity, and let us remove the container without worrying about depencies and similar issues. Potential problems: long-running processes that edit the DB and may have an older version of the configuration around. Most notable example is `podman run --rm` - the removal command needed to be manually edited to avoid this one. This begins to get at the heart of me not wanting to do this in the first place... This provides CLI and API implementations for frontend, but no tunnel implementation. It will be added in a future release (just held back for time now - we need this in 3.0 and are running low on time). This is honestly kind of horrifying, but I think it will work. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Initial implementation of volume pluginsMatthew Heon2021-01-14
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This implements support for mounting and unmounting volumes backed by volume plugins. Support for actually retrieving plugins requires a pull request to land in containers.conf and then that to be vendored, and as such is not yet ready. Given this, this code is only compile tested. However, the code for everything past retrieving the plugin has been written - there is support for creating, removing, mounting, and unmounting volumes, which should allow full functionality once the c/common PR is merged. A major change is the signature of the MountPoint function for volumes, which now, by necessity, returns an error. Named volumes managed by a plugin do not have a mountpoint we control; instead, it is managed entirely by the plugin. As such, we need to cache the path in the DB, and calls to retrieve it now need to access the DB (and may fail as such). Notably absent is support for SELinux relabelling and chowning these volumes. Given that we don't manage the mountpoint for these volumes, I am extremely reluctant to try and modify it - we could easily break the plugin trying to chown or relabel it. Also, we had no less than *5* separate implementations of inspecting a volume floating around in pkg/infra/abi and pkg/api/handlers/libpod. And none of them used volume.Inspect(), the only correct way of inspecting volumes. Remove them all and consolidate to using the correct way. Compat API is likely still doing things the wrong way, but that is an issue for another day. Fixes #4304 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Reduce general binding binary sizebaude2021-01-13
| | | | | | | | when using the bindings to *only* make a connection, the binary was rough 28MB. This PR reduces it down to 11. There is more work to do but it will come in a secondary PR. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #8957 from srcshelton/feature/issue-8945OpenShift Merge Robot2021-01-13
|\ | | | | Add 'MemUsageBytes' format option
| * Add 'MemUsageBytes' format optionStuart Shelton2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | Although storage is more human-readable when expressed in SI units, IEC/JEDEC (Bytes) units are more pertinent for memory-related values (and match the format of the --memory* command-line options). (To prevent possible compatibility issues, the default SI display is left unchanged) See https://github.com/containers/podman/issues/8945 Signed-off-by: Stuart Shelton <stuart@shelton.me>
* | Remove the ability to use [name:tag] in podman load commandDaniel J Walsh2021-01-12
|/ | | | | | | | | | Docker does not support this, and it is confusing what to do if the image has more then one tag. We are dropping support for this in podman 3.0 Fixes: https://github.com/containers/podman/issues/7387 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8947 from Luap99/cleanup-codeOpenShift Merge Robot2021-01-12
|\ | | | | Fix problems reported by staticcheck
| * Fix problems reported by staticcheckPaul Holzinger2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | `staticcheck` is a golang code analysis tool. https://staticcheck.io/ This commit fixes a lot of problems found in our code. Common problems are: - unnecessary use of fmt.Sprintf - duplicated imports with different names - unnecessary check that a key exists before a delete call There are still a lot of reported problems in the test files but I have not looked at those. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #8819 from chen-zhuohan/add-pre-checkpointOpenShift Merge Robot2021-01-12
|\ \ | |/ |/| Add pre-checkpoint and restore with previous
| * add pre checkpointunknown2021-01-10
| | | | | | | | Signed-off-by: Zhuohan Chen <chen_zhuohan@163.com>
* | Merge pull request #8934 from vrothberg/fix-8931OpenShift Merge Robot2021-01-11
|\ \ | | | | | | image list: ignore bare manifest list
| * | image list: ignore bare manifest listValentin Rothberg2021-01-11
| | | | | | | | | | | | | | | | | | | | | Handle empty/bare manifest lists when listing images. Fixes: #8931 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #8917 from mheon/actually_report_play_kube_errorsOpenShift Merge Robot2021-01-11
|\ \ \ | |/ / |/| | Ensure that `podman play kube` actually reports errors
| * | Ensure that `podman play kube` actually reports errorsMatthew Heon2021-01-11
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In 2.2.x, we moved `play kube` to use the Start() API for pods, which reported errors in a different way (all containers are started in parallel, and then results reported as a block). The migration attempted to preserve compatibility by returning only one error, but that's not really a viable option as it can obscure the real reason that a pod is failing. Further, the code was not correctly handling the API's errors - Pod Start() will, on any container error, return a map of container ID to error populated for all container errors *and* return ErrPodPartialFail for overall error - the existing code did not handle the partial failure error and thus would never return container errors. Refactor the `play kube` API to include a set of errors for containers in each pod, so we can return all errors that occurred to the frontend and print them for the user, and correct the backend code so container errors are actually forwarded. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Add Networks format placeholder to podman ps and pod psPaul Holzinger2021-01-09
| | | | | | | | | | | | | | `podman ps --format {{.Networks}}` will show all connected networks for this container. For `pod ps` it will show the infra container networks. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Add network filter for podman ps and pod psPaul Holzinger2021-01-09
|/ | | | | | | Allow to filter on the network name or full id. For pod ps it will filter on the infra container networks. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Include named volumes in container migrationRadostin Stoyanov2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When migrating a container with associated volumes, the content of these volumes should be made available on the destination machine. This patch enables container checkpoint/restore with named volumes by including the content of volumes in checkpoint file. On restore, volumes associated with container are created and their content is restored. The --ignore-volumes option is introduced to disable this feature. Example: # podman container checkpoint --export checkpoint.tar.gz <container> The content of all volumes associated with the container are included in `checkpoint.tar.gz` # podman container checkpoint --export checkpoint.tar.gz --ignore-volumes <container> The content of volumes is not included in `checkpoint.tar.gz`. This is useful, for example, when the checkpoint/restore is performed on the same machine. # podman container restore --import checkpoint.tar.gz The associated volumes will be created and their content will be restored. Podman will exit with an error if volumes with the same name already exist on the system or the content of volumes is not included in checkpoint.tar.gz # podman container restore --ignore-volumes --import checkpoint.tar.gz Volumes associated with container must already exist. Podman will not create them or restore their content. Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
* Use Options as CRImportCheckpoint() argumentRadostin Stoyanov2021-01-07
| | | | | | | | | Instead of specifying restore option arguments individually from RestoreOptions, provide the 'options' object to the CRImportCheckpoint method. This change makes the code in CRImportCheckpoint easier to extend as it doesn't require excessive number of function parameters. Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
* Rework pruning to report reclaimed spaceBaron Lenardson2020-12-30
| | | | | | | | | | | | This change adds code to report the reclaimed space after a prune. Reclaimed space from volumes, images, and containers is recorded during the prune call in a PruneReport struct. These structs are collected into a slice during a system prune and processed afterwards to calculate the total reclaimed space. Closes #8658 Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
* Consolidate filter logic to pkg subdirectoryBaron Lenardson2020-12-24
| | | | | | | Per the conversation on pull/8724 I am consolidating filter logic and helper functions under the pkg/domain/filters dir. Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>