summaryrefslogtreecommitdiff
path: root/pkg/spec/spec.go
Commit message (Collapse)AuthorAge
* rootless: fix --pid=host without --privilegedGiuseppe Scrivano2019-01-18
| | | | | | | When using --pid=host don't try to cover /proc paths, as they are coming from the /proc bind mounted from the host. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* apparmor: apply default profile at container initializationValentin Rothberg2019-01-09
| | | | | | | | | | | | | | | | | | | Apply the default AppArmor profile at container initialization to cover all possible code paths (i.e., podman-{start,run}) before executing the runtime. This allows moving most of the logic into pkg/apparmor. Also make the loading and application of the default AppArmor profile versio-indepenent by checking for the `libpod-default-` prefix and over-writing the profile in the run-time spec if needed. The intitial run-time spec of the container differs a bit from the applied one when having started the container, which results in displaying a potentially outdated AppArmor profile when inspecting a container. To fix that, load the container config from the file system if present and use it to display the data. Fixes: #2107 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Update vendor of runcDaniel J Walsh2019-01-04
| | | | | | | | | | | | | | Updating the vendor or runc to pull in some fixes that we need. In order to get this vendor to work, we needed to update the vendor of docker/docker, which causes all sorts of issues, just to fix the docker/pkg/sysinfo. Rather then doing this, I pulled in pkg/sysinfo into libpod and fixed the code locally. I then switched the use of docker/pkg/sysinfo to libpod/pkg/sysinfo. I also switched out the docker/pkg/mount to containers/storage/pkg/mount Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fixes to handle /dev/shm correctly.Daniel J Walsh2018-12-24
| | | | | | | | | | | | | | | | | | We had two problems with /dev/shm, first, you mount the container read/only then /dev/shm was mounted read/only. This is a bug a tmpfs directory should be read/write within a read-only container. The second problem is we were ignoring users mounted /dev/shm from the host. If user specified podman run -d -v /dev/shm:/dev/shm ... We were dropping this mount and still using the internal mount. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Allow users to specify a directory for additonal devicesDaniel J Walsh2018-12-21
| | | | | | | Podman will search through the directory and will add any device nodes that it finds. If no devices are found we return an error. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless: add new netmode "slirp4netns"Giuseppe Scrivano2018-11-27
| | | | | | | | so that inspect reports the correct network configuration. Closes: https://github.com/containers/libpod/issues/1453 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Mount proper cgroup for systemd to manage inside of the container.Daniel J Walsh2018-10-15
| | | | | | | | | | | | We are still requiring oci-systemd-hook to be installed in order to run systemd within a container. This patch properly mounts /sys/fs/cgroup/systemd/libpod_parent/libpod-UUID on /sys/fs/cgroup/systemd inside of container. Since we need the UUID of the container, we needed to move Systemd to be a config option of the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1557 from rhatdan/systemdOpenShift Merge Robot2018-10-04
|\ | | | | Don't tmpcopyup on systemd cgroup
| * Don't tmpcopyup on systemd cgroupDaniel J Walsh2018-09-29
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | rootless: raise an error when trying to use cgroupsGiuseppe Scrivano2018-10-01
|/ | | | | | https://github.com/containers/libpod/issues/1429#issuecomment-424040416 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add --mount option for `create` & `run` commandDaniel J Walsh2018-09-21
| | | | | | | | Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1524 Approved by: mheon
* Add new field to libpod to indicate whether or not to use labellingDaniel J Walsh2018-09-20
| | | | | | | | | | | | | | | Also update some missing fields libpod.conf obtions in man pages. Fix sort order of security options and add a note about disabling labeling. When a process requests a new label. libpod needs to reserve all labels to make sure that their are no conflicts. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1406 Approved by: mheon
* Small updates to OCI spec generationMatthew Heon2018-09-17
| | | | | | | | | | | | | Firstly, when adding the privileged catch-all resource device, first remove the spec's default catch-all resource device. Second, remove our default rootfs propogation config - Docker does not set this by default, so I don't think we should either. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1491 Approved by: TomSweeneyRedHat
* Don't mount /dev/* if user mounted /devDaniel J Walsh2018-09-14
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Swap default mount propagation from private to rprivateMatthew Heon2018-09-13
| | | | | | | | | | This matches Docker behavior more closely and should resolve an issue we were seeing with /sys mounts Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1465 Approved by: rhatdan
* Respect user-added mounts over default spec mountsMatthew Heon2018-09-07
| | | | | | | | | | | | | | When there was a conflict between a user-added volume and a mount already in the spec, we previously respected the mount already in the spec and discarded the user-added mount. This is counter to expected behavior - if I volume-mount /dev into the container, I epxect it will override the default /dev in the container, and not be ignored. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1419 Approved by: TomSweeneyRedHat
* Ensure we do not overlap mounts in the specMatthew Heon2018-09-07
| | | | | | | | | | | When user-specified volume mounts overlap with mounts already in the spec, remove the mount in the spec to ensure there are no conflicts. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1419 Approved by: TomSweeneyRedHat
* Add proper support for systemd inside of podmanDaniel J Walsh2018-08-31
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Set nproc in containers unless explicitly overriddenMatthew Heon2018-08-28
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1355 Approved by: rhatdan
* Do not set max open files by default if we are rootlessMatthew Heon2018-08-28
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1355 Approved by: rhatdan
* Set default max open files in specMatthew Heon2018-08-28
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1355 Approved by: rhatdan
* Fix Mount PropagationGiuseppe Scrivano2018-08-27
| | | | | | | | | Default mount propagation inside of containes should be private Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1305 Approved by: mheon
* rootless: fix --pid=hostGiuseppe Scrivano2018-08-27
| | | | | | | | | | | | Unfortunately this is not enough to get it working as runc doesn't allow to bind mount /proc. Depends on: https://github.com/opencontainers/runc/pull/1832 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1349 Approved by: rhatdan
* rootless: fix --ipc=hostGiuseppe Scrivano2018-08-27
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1349 Approved by: rhatdan
* spec: bind mount /sys only when userNS are enabledGiuseppe Scrivano2018-08-27
| | | | | | | | | | | Fix the test for checking when /sys must be bind mounted from the host. It should be done only when userNS are enabled (the !UsernsMode.IsHost() check is not enough for that). Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1349 Approved by: rhatdan
* Added option to share kernel namespaces in libpod and podmanhaircommander2018-08-23
| | | | | | | | | A pause container is added to the pod if the user opts in. The default pause image and command can be overridden. Pause containers are ignored in ps unless the -a option is present. Pod inspect and pod ps show shared namespaces and pause container. A pause container can't be removed with podman rm, and a pod can be removed if it only has a pause container. Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1187 Approved by: mheon
* rootless: fix --net host --privilegedGiuseppe Scrivano2018-08-22
| | | | | | | | | Closes: https://github.com/containers/libpod/issues/1313 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1323 Approved by: umohnani8
* podman: fix --uts=hostGiuseppe Scrivano2018-08-17
| | | | | | | | | | | | | | | Do not set any hostname value in the OCI configuration when --uts=host is used and the user didn't specify any value. This prevents an error from the OCI runtime as it cannot set the hostname without a new UTS namespace. Differently, the HOSTNAME environment variable is always set. When --uts=host is used, HOSTNAME gets the value from the host. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1280 Approved by: baude
* switch projectatomic to containersDaniel J Walsh2018-08-16
| | | | | | | | | | Need to get some small changes into libpod to pull back into buildah to complete buildah transition. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1270 Approved by: mheon
* Revert "spec: bind mount /sys only for rootless containers"Giuseppe Scrivano2018-08-16
| | | | | | | | | It breaks "podman run --net=host --uidmap=0:1:70000 --gidmap=0:20000:70000 busybox echo hi" Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1285 Approved by: rhatdan
* spec: bind mount /sys only for rootless containersGiuseppe Scrivano2018-08-15
| | | | | | | | | root can always mount a new instance. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1279 Approved by: rhatdan
* Fix handling of hostname in --net=hostDaniel J Walsh2018-08-15
| | | | | | | | | Hostname should be set to the hosts hostname when network is none. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1274 Approved by: giuseppe
* podman: allow to specify the IPC namespace to joinGiuseppe Scrivano2018-07-24
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1145 Approved by: rhatdan
* podman: allow to specify the UTS namespace to joinGiuseppe Scrivano2018-07-24
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1145 Approved by: rhatdan
* podman: allow to specify the PID namespace to joinGiuseppe Scrivano2018-07-24
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1145 Approved by: rhatdan
* podman: allow to specify the userns to joinGiuseppe Scrivano2018-07-24
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1145 Approved by: rhatdan
* network: support ns: prefix to join existing namespaceGiuseppe Scrivano2018-07-24
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1145 Approved by: rhatdan
* spec: allow container:NAME network modeGiuseppe Scrivano2018-07-24
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1145 Approved by: rhatdan
* Support multiple networksbaude2018-07-12
| | | | | | | | | | | | | This is a refresh of Dan William's PR #974 with a rebase and proper vendoring of ocicni and containernetworking/cni. It adds the ability to define multiple networks as so: podman run --network=net1,net2,foobar ... Signed-off-by: baude <bbaude@redhat.com> Closes: #1082 Approved by: baude
* Add --volumes-from flag to podman run and createumohnani82018-07-09
| | | | | | | | | | podman now supports --volumes-from flag, which allows users to add all the volumes an existing container has to a new one. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #931 Approved by: mheon
* Mask /proc/keys to protect information leak about keys on hostDaniel J Walsh2018-07-08
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1060 Approved by: mheon
* Block use of /proc/acpi from inside containersDaniel J Walsh2018-07-06
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1053 Approved by: mheon
* changes to allow for darwin compilationbaude2018-06-29
| | | | | | | Signed-off-by: baude <bbaude@redhat.com> Closes: #1015 Approved by: baude
* Start using github.com/seccomp/containers-golangDaniel J Walsh2018-06-29
| | | | | | | | | User newer seccomp bindings from the seccomp upstream Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1021 Approved by: giuseppe
* *: Replace Generator.Spec() with Generator.ConfigW. Trevor King2018-06-27
| | | | | | | | | | | | Catching up with opencontainers/runtime-tools@84a62c6a (generate: Move Generator.spec to Generator.Config, 2016-11-06, #266, v0.6.0), now that we've bumped runtime-tools in f6c0fc1a (Vendor in latest runtime-tools, 2018-06-26, #1007). Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #1008 Approved by: mheon
* generator.New() requires an OS string input variablebaude2018-06-27
| | | | | | | Signed-off-by: baude <bbaude@redhat.com> Closes: #1007 Approved by: baude
* rootless: add management for the userNSGiuseppe Scrivano2018-06-27
| | | | | | | | | | When running podman as non root user always create an userNS and let the OCI runtime use it. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #936 Approved by: rhatdan
* spec: remove dead codeGiuseppe Scrivano2018-06-15
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #871 Approved by: mheon
* oci: do not set resources in rootless modeGiuseppe Scrivano2018-06-15
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #871 Approved by: mheon
* spec: change mount options for /dev/pts in rootless modeGiuseppe Scrivano2018-06-15
| | | | | | | | | | The default /dev/pts has the option gid=5 that might not be mapped in the rootless case. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #871 Approved by: mheon