| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
1. create a network namespace
2. pass the netns persistent mount path to the slirp4netns
to create the tap inferface
3. pass the netns path to the OCI spec, so the runtime can
enter the netns
Closes #2897
Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
|
|
|
|
|
|
|
| |
This is mostly used with Systemd, which really wants to manage
CGroups itself when managing containers via unit file.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, we use CreateConfig's Command to populate container
Command (which is used as CMD for Inspect and Commit).
Unfortunately, CreateConfig's Command is the container's full
command, including a prepend of Entrypoint - so we duplicate
Entrypoint for images that include it.
Maintain a separate UserCommand in CreateConfig that does not
include the entrypoint, and use that instead.
Fixes #3708
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
| |
This reverts commit 80dcd4bebcdc8e280f6b43228561d09c194c328b.
Signed-off-by: baude <bbaude@redhat.com>
|
|\
| |
| | |
rootless: Rearrange setup of rootless containers ***CIRRUS: TEST IMAGES***
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
1. create a network namespace
2. pass the netns persistent mount path to the slirp4netns
to create the tap inferface
3. pass the netns path to the OCI spec, so the runtime can
enter the netns
Closes #2897
Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
|
|/
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
|
| |
allow to join the user namespace of another container.
Closes: https://github.com/containers/libpod/issues/3629
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
allow a container to run in a new cgroup namespace.
When running in a new cgroup namespace, the current cgroup appears to
be the root, so that there is no way for the container to access
cgroups outside of its own subtree.
By default it uses --cgroup=host to keep the previous behavior.
To create a new namespace, --cgroup=private must be provided.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the compilation demands of having libpod in main is a burden for the
remote client compilations. to combat this, we should move the use of
libpod structs, vars, constants, and functions into the adapter code
where it will only be compiled by the local client.
this should result in cleaner code organization and smaller binaries. it
should also help if we ever need to compile the remote client on
non-Linux operating systems natively (not cross-compiled).
Signed-off-by: baude <bbaude@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We made changes earlier that empty storage options when setting
storage driver explicitly. Unfortunately, this breaks rootless
cleanup commands, as they lose the fuse-overlayfs mount program
path.
Fix this by passing along the storage options to the cleanup
process.
Also, fix --syslog, which was broken a while ago (probably when
we broke up main to add main_remote).
Fixes #3326
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|
|
|
|
|
| |
Now, not setting a log driver in a create config correctly takes the default (k8s-logging)
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
|
|
|
| |
Signed-off-by: Peter Hunt <pehunt@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The on-failure restart option supports restarting only a given
number of times. To do this, we need one additional field in the
DB to track restart count (which conveniently fills a field in
Inspect we weren't populating), plus some plumbing logic.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
| |
This initial version does not support restart count, but it works
as advertised otherwise.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\
| |
| | |
Merge volume flags implementation
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Unify handling for the --volume, --mount, --volumes-from, --tmpfs
and --init flags into a single file and set of functions. This
will greatly improve readability and maintainability.
Further, properly handle superceding and conflicting mounts. Our
current patchwork has serious issues when mounts conflict, or
when a mount from --volumes-from or an image volume should be
overwritten by a user volume or named volume.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Play kube was passing the pod, but CreateConfig was not. Unify it
so they both do, so we can remove some unnecessary duplicate
lookup code.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The goal here is to keep only the configuration directly used to
build the container in CreateConfig, and scrub temporary state
and helpers that we need to generate. We'll keep those internally
in MakeContainerConfig.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Right now, there are two major API calls necessary to turn a
filled-in CreateConfig into the options and OCI spec necessary to
make a libpod Container. I'm intending on refactoring both of
these extensively to unify a few things, so make a common
frontend to both that will prevent API changes from leaking out
of the package.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|\ \
| |/
|/| |
enable podman-remote on windows
|
| |
| |
| |
| |
| |
| |
| | |
build a podman-remote binary for windows that allows users to use the
remote client on windows and interact with podman on linux system.
Signed-off-by: baude <bbaude@redhat.com>
|
|/
|
|
| |
Signed-off-by: James Cassell <code@james.cassell.me>
|
|
|
|
|
|
|
|
|
|
|
| |
The --read-only-tmpfs option caused podman to mount tmpfs on /run, /tmp, /var/tmp
if the container is running int read-only mode.
The default is true, so you would need to execute a command like
--read-only --read-only-tmpfs=false to turn off this behaviour.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
|
| |
We were never using it. It's actually a potentially quite sizable
field (very expensive to decode an array of structs!). Removing
it should do no harm.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
|
|
|
| |
The flag should be substantially more durable, and no longer
relies on the create artifact.
This should allow it to properly handle our new named volume
implementation.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
|
|
| |
Now that named volumes must be explicitly enumerated rather than
passed in with all other volumes, we need to split normal and
named volumes up before passing them into libpod. This PR does
this.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
|
| |
in the few places where we care about skipping the storage
initialization, we can simply use the process effective UID, instead
of relying on a global boolean flag.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We accidentally patched this out trying to enable ns:/path/to/ns
This should restore the ability to configure nondefault CNI
networks with Podman, by ensuring that they request creation of a
network namespace.
Completely remove the WithNetNS() call when we do use an explicit
namespace from a path. We use that call to indicate that a netns
is going to be created - there should not be any question about
whether it actually does.
Fixes #2795
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have a very high performance JSON library that doesn't need to
perform code generation. Let's use it instead of our questionably
performant, reflection-dependent deep copy library.
Most changes because some functions can now return errors.
Also converts cmd/podman to use jsoniter, instead of pkg/json,
for increased performance.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
| |
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
| |
Support in libpod was added in the previous commit. Wire it into
the frontend here.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
|
|
|
|
|
|
|
|
| |
Currently cobra can not handle a boolean option without a vailue.
This change fixes an issue if you want syslog information to show up
based on the cleanup call.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
integration of healthcheck into create and run as well as inspect.
healthcheck enhancements are as follows:
* add the following options to create|run so that non-docker images can
define healthchecks at the container level.
* --healthcheck-command
* --healthcheck-retries
* --healthcheck-interval
* --healthcheck-start-period
* podman create|run --healthcheck-command=none disables healthcheck as
described by an image.
* the healthcheck itself and the healthcheck "history" can now be
observed in podman inspect
* added the wiring for healthcheck history which logs the health history
of the container, the current failed streak attempts, and log entries
for the last five attempts which themselves have start and stop times,
result, and a 500 character truncated (if needed) log of stderr/stdout.
The timings themselves are not implemented in this PR but will be in
future enablement (i.e. next).
Signed-off-by: baude <bbaude@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Add the ability to manually run a container's healthcheck command.
This is only the first phase of implementing the healthcheck.
Subsequent pull requests will deal with the exposing the results and
history of healthchecks as well as the scheduling.
Signed-off-by: baude <bbaude@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
if there is already a bind mount specified for the target, do not
create a new volume.
Regression introduced by 52df1fa7e054d577e8416d1d46db1741ad324d4a
Closes: https://github.com/containers/libpod/issues/2441
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
|
|
|
| |
If user specifies network namespace and the /etc/netns/XXX/resolv.conf
exists, we should use this rather then /etc/resolv.conf
Also fail cleaner if the user specifies an invalid Network Namespace.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
iFix builtin volumes to work with podman volume
Currently builtin volumes are not recored in podman volumes when
they are created automatically. This patch fixes this.
Remove container volumes when requested
Currently the --volume option on podman remove does nothing.
This will implement the changes needed to remove the volumes
if the user requests it.
When removing a volume make sure that no container uses the volume.
Signed-off-by: Daniel J Walsh dwalsh@redhat.com
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At present, when manually detaching from an attached container
(using the detach hotkeys, default C-p C-q), Podman will still
wait for the container to exit to obtain its exit code (so we can
set Podman's exit code to match). This is correct in the case
where attach finished because the container exited, but very
wrong for the manual detach case.
As a result of this, we can no longer guarantee that the cleanup
and --rm functions will fire at the end of 'podman run' - we may
be exiting before we get that far. Cleanup is easy enough - we
swap to unconditionally using the cleanup processes we've used
for detached and rootless containers all along. To duplicate --rm
we need to also teach 'podman cleanup' to optionally remove
containers instead of cleaning them up.
(There is an argument for just using 'podman rm' instead of
'podman cleanup --rm', but cleanup does have different semantics
given that we only ever expect it to run when the container has
just exited. I think it might be useful to keep the two separate
for things like 'podman events'...)
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|
|
|
|
|
|
| |
make sure "containers cleanup" uses the correct runtime if it was
overriden.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
add support for ports redirection from the host.
It needs slirp4netns v0.3.0-alpha.1.
Closes: https://github.com/containers/libpod/issues/2081
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
|
|
|
| |
when defining containers, we missed the conditional logic to allow
the container to be defined with "WithPod" and so forth. I had to
slightly modify the createcontainer process to pass a libpod.Pod
that could override things; use nil as no pod.
Signed-off-by: baude <bbaude@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the rootless container storage is always mounted in a different mount
namespace, owned by the unprivileged user. Even if it is mounted, a
process running in another namespace cannot reuse the already mounted
storage.
Make sure the storage is always cleaned up once the container
terminates.
This has worked with vfs since there is no real mounted storage.
Closes: https://github.com/containers/libpod/issues/2112
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for executing an init binary as PID 1 in a container to
forward signals and reap processes. When the `--init` flag is set for
podman-create or podman-run, the init binary is bind-mounted to
`/dev/init` in the container and "/dev/init --" is prepended to the
container's command.
The default base path of the container-init binary is `/usr/libexec/podman`
while the default binary is catatonit [1]. This default can be changed
permanently via the `init_path` field in the `libpod.conf` configuration
file (which is recommended for packaging) or temporarily via the
`--init-path` flag of podman-create and podman-run.
[1] https://github.com/openSUSE/catatonit
Fixes: #1670
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
when a user specifies --pod to podman create|run, we should create that pod
automatically. the port bindings from the container are then inherited by
the infra container. this signicantly improves the workflow of running
containers inside pods with podman. the user is still encouraged to use
podman pod create to have more granular control of the pod create options.
Signed-off-by: baude <bbaude@redhat.com>
|
|
|
|
| |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
we need to allow users to expose ports to the host for the purposes
of networking, like a webserver. the port exposure must be done at
the time the pod is created.
strictly speaking, the port exposure occurs on the infra container.
Signed-off-by: baude <bbaude@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
We are still requiring oci-systemd-hook to be installed in order to run
systemd within a container. This patch properly mounts
/sys/fs/cgroup/systemd/libpod_parent/libpod-UUID on /sys/fs/cgroup/systemd inside of container.
Since we need the UUID of the container, we needed to move Systemd to be a config option of the
container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\
| |
| | |
Pass along syslog variable to podman cleanup processes
|