summaryrefslogtreecommitdiff
path: root/pkg/spec
Commit message (Collapse)AuthorAge
* add pkg/capabilitiesValentin Rothberg2020-02-14
| | | | | | | | | Add pkg/capabibilities to deal with capabilities. The code has been copied from Docker (and attributed with the copyright) but changed significantly to only do what we really need. The code has also been simplified and will perform better due to removed redundancy. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #5152 from QiWang19/device-cgroup-ruleOpenShift Merge Robot2020-02-13
|\ | | | | support device-cgroup-rule
| * support device-cgroup-ruleQi Wang2020-02-12
| | | | | | | | | | | | | | fix #4876 Add `--device-cgroup-rule` to podman create and run. This enables to add device rules after the container has been created. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | add pkg/seccompValentin Rothberg2020-02-12
|/ | | | | | | | Add pkg/seccomp to consolidate all seccomp-policy related code which is currently scattered across multiple packages and complicating the creatconfig refactoring. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* podman: add new option --cgroups=no-conmonGiuseppe Scrivano2020-01-16
| | | | | | | | it allows to disable cgroups creation only for the conmon process. A new cgroup is created for the container payload. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4806 from vrothberg/seccompOpenShift Merge Robot2020-01-15
|\ | | | | policy for seccomp-profile selection
| * policy for seccomp-profile selectionValentin Rothberg2020-01-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Implement a policy for selecting a seccomp profile. In addition to the default behaviour (default profile unless --security-opt seccomp is set) add a second policy doing a lookup in the image annotation. If the image has the "io.containers.seccomp.profile" set its value will be interpreted as a seccomp profile. The policy can be selected via the new --seccomp-policy CLI flag. Once the containers.conf support is merged into libpod, we can add an option there as well. Note that this feature is marked as experimental and may change in the future. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | make lint: enable gocriticValentin Rothberg2020-01-13
| | | | | | | | | | | | | | `gocritic` is a powerful linter that helps in preventing certain kinds of errors as well as enforcing a coding style. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | log: support --log-opt tag=Giuseppe Scrivano2020-01-10
|/ | | | | | | | | | support a custom tag to add to each log for the container. It is currently supported only by the journald backend. Closes: https://github.com/containers/libpod/issues/3653 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* fix lint - pkg/specValentin Rothberg2020-01-08
| | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* codespell: spelling correctionsDmitry Smirnov2019-11-13
| | | | Signed-off-by: Dmitry Smirnov <onlyjob@member.fsf.org>
* Split up create config handling of namespaces and securityPeter Hunt2019-11-07
| | | | | | | | As it stands, createconfig is a huge struct. This works fine when the only caller is when we create a container with a fully created config. However, if we wish to share code for security and namespace configuration, a single large struct becomes unweildy, as well as difficult to configure with the single createConfigToOCISpec function. This PR breaks up namespace and security configuration into their own structs, with the eventual goal of allowing the namespace/security fields to be configured by the pod create cli, and allow the infra container to share this with the pod's containers. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Merge pull request #4466 from giuseppe/notmpcopyupOpenShift Merge Robot2019-11-07
|\ | | | | mount: add new options nocopyup|copyup for tmpfs
| * mount: add new options nocopyup|copyup for tmpfsGiuseppe Scrivano2019-11-07
| | | | | | | | | | | | add a way to disable tmpcopyup for tmpfs. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | podman: add support for specifying MACJakub Filak2019-11-06
|/ | | | | | | | I basically copied and adapted the statements for setting IP. Closes #1136 Signed-off-by: Jakub Filak <jakub.filak@sap.com>
* namespaces: by default create cgroupns on cgroups v2Giuseppe Scrivano2019-11-05
| | | | | | | | | | | | | | | | change the default on cgroups v2 and create a new cgroup namespace. When a cgroup namespace is used, processes inside the namespace are only able to see cgroup paths relative to the cgroup namespace root and not have full visibility on all the cgroups present on the system. The previous behaviour is maintained on a cgroups v1 host, where a cgroup namespace is not created by default. Closes: https://github.com/containers/libpod/issues/4363 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* add libpod/configValentin Rothberg2019-10-31
| | | | | | | | | | | | Refactor the `RuntimeConfig` along with related code from libpod into libpod/config. Note that this is a first step of consolidating code into more coherent packages to make the code more maintainable and less prone to regressions on the long runs. Some libpod definitions were moved to `libpod/define` to resolve circular dependencies. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* seccomp: use github.com/seccomp/containers-golangValentin Rothberg2019-10-30
| | | | | | | | Use the github.com/seccomp/containers-golang library instead of the docker package. The docker package has changed and silently broke on F31. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* bump containers/image to v5.0.0, buildah to v1.11.4Nalin Dahyabhai2019-10-29
| | | | | | | | | Move to containers/image v5 and containers/buildah to v1.11.4. Replace an equality check with a type assertion when checking for a docker.ErrUnauthorizedForCredentials in `podman login`. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Merge pull request #4228 from giuseppe/detect-no-systemd-sessionOpenShift Merge Robot2019-10-24
|\ | | | | rootless: detect no system session with --cgroup-manager=systemd
| * rootless: detect no system session with --cgroup-manager=systemdGiuseppe Scrivano2019-10-23
| | | | | | | | | | | | | | if the cgroup manager is set to systemd, detect if dbus is available, otherwise fallback to --cgroup-manager=cgroupfs. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Image volumes should not be mounted noexecMatthew Heon2019-10-23
| | | | | | | | | | | | | | | | | | This matches Docker more closely, but retains the more important protections of nosuid/nodev. Fixes #4318 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Add support for anonymous volumes to `podman run -v`Matthew Heon2019-10-17
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, when `podman run` encountered a volume mount without separate source and destination (e.g. `-v /run`) we would assume that both were the same - a bind mount of `/run` on the host to `/run` in the container. However, this does not match Docker's behavior - in Docker, this makes an anonymous named volume that will be mounted at `/run`. We already have (more limited) support for these anonymous volumes in the form of image volumes. Extend this support to allow it to be used with user-created volumes coming in from the `-v` flag. This change also affects how named volumes created by the container but given names are treated by `podman run --rm` and `podman rm -v`. Previously, they would be removed with the container in these cases, but this did not match Docker's behaviour. Docker only removed anonymous volumes. With this patch we move to that model as well; `podman run -v testvol:/test` will not have `testvol` survive the container being removed by `podman rm -v`. The sum total of these changes let us turn on volume removal in `--rm` by default. Fixes: #4276 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #4233 from mheon/fix_ccOpenShift Merge Robot2019-10-12
|\ | | | | Allow giving path to Podman for cleanup command
| * Allow giving path to Podman for cleanup commandMatthew Heon2019-10-11
| | | | | | | | | | | | | | | | For non-Podman users of Libpod, we don't want to force the exit command to use ARGV[0], which probably does not support a cleanup command. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #4235 from giuseppe/no-pids-cgroupfsOpenShift Merge Robot2019-10-11
|\ \ | | | | | | rootless: do not set PIDs limit if --cgroup-manager=cgroupfs
| * | rootless: do not set PIDs limit if --cgroup-manager=cgroupfsGiuseppe Scrivano2019-10-11
| |/ | | | | | | | | | | | | even if the system is using cgroups v2, rootless is not able to setup limits when the cgroup-manager is not systemd. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / systemd: expect full path /usr/sbin/initGiuseppe Scrivano2019-10-09
|/ | | | | | | | | | | | "init" is a quite common name for the command executed in a container image and Podman ends up using the systemd mode also when not required. Be stricter on enabling the systemd mode and not enable it automatically when the basename is "init" but expect the full path "/usr/sbin/init". Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4032 from rhatdan/pids-limitOpenShift Merge Robot2019-10-07
|\ | | | | Setup a reasonable default for pids-limit 4096
| * Setup a reasonable default for pids-limit 4096Daniel J Walsh2019-10-04
| | | | | | | | | | | | | | | | | | | | | | CRI-O defaults to 1024 for the maximum pids in a container. Podman should have a similar limit. Once we have a containers.conf, we can set the limit in this file, and have it easily customizable. Currently the documentation says that -1 sets pids-limit=max, but -1 fails. This patch allows -1, but also indicates that 0 also sets the max pids limit. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Update c/image to v4.0.1 and buildah to 1.11.3Miloslav Trmač2019-10-04
|/ | | | | | | | | | | | | | This requires updating all import paths throughout, and a matching buildah update to interoperate. I can't figure out the reason for go.mod tracking github.com/containers/image v3.0.2+incompatible // indirect ((go mod graph) lists it as a direct dependency of libpod, but (go list -json -m all) lists it as an indirect dependency), but at least looking at the vendor subdirectory, it doesn't seem to be actually used in the built binaries. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* rootless: allow cgroupfs manager on cgroups v2Giuseppe Scrivano2019-10-02
| | | | | | | if there are no resources specified, make sure the OCI resources block is empty so that the OCI runtime won't complain. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Handle conflict between volumes and --read-only-tmpfsMatthew Heon2019-09-24
| | | | | | | | | | When a named volume is mounted on any of the tmpfs filesystems created by read-only tmpfs, it caused a conflict that was not resolved prior to this. Fixes BZ1755119 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* rootless: Rearrange setup of rootless containersGabi Beyer2019-09-24
| | | | | | | | | | | | | | | In order to run Podman with VM-based runtimes unprivileged, the network must be set up prior to the container creation. Therefore this commit modifies Podman to run rootless containers by: 1. create a network namespace 2. pass the netns persistent mount path to the slirp4netns to create the tap inferface 3. pass the netns path to the OCI spec, so the runtime can enter the netns Closes #2897 Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
* Clean destination paths during mount generationMatthew Heon2019-09-19
| | | | | | | | | | | | | We identify and resolve conflicts in paths using destination path matches. We require exact matches, largely for performance reasons (we use maps to efficiently access, keyed by destination). This usually works fine, until you get mounts that are targetted at /output and /output/ - the same path, but not the same string. Use filepath.Clean() aggressively to try and solve this. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #4034 from rhatdan/relabelOpenShift Merge Robot2019-09-17
|\ | | | | Add 'relabel' to --mount options
| * Add 'relabel' to --mount optionsDaniel J Walsh2019-09-16
| | | | | | | | | | | | | | | | | | Currently if a user specifies a --mount option, their is no way to tell SELinux to relabel the mount point. This patch addes the relabel=shared and relabel=private options. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Check for rootless before checking cgroups version in spec_test.Danila Kiver2019-09-15
| | | | | | | | Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
* | Skip spec_test for rootless envs without cgroup v2.Danila Kiver2019-09-14
|/ | | | Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
* Add support for launching containers without CGroupsMatthew Heon2019-09-10
| | | | | | | This is mostly used with Systemd, which really wants to manage CGroups itself when managing containers via unit file. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3876 from mheon/fix_mount_flagsOpenShift Merge Robot2019-09-04
|\ | | | | Allow suid, exec, dev mount options to cancel nosuid/noexec/nodev
| * Fix addition of mount options when using RO tmpfsMatthew Heon2019-08-28
| | | | | | | | | | | | | | | | For read-only containers set to create tmpfs filesystems over /run and other common destinations, we were incorrectly setting mount options, resulting in duplicate mount options. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Set base mount options for bind mounts from base systemMatthew Heon2019-08-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If I mount, say, /usr/bin into my container - I expect to be able to run the executables in that mount. Unconditionally applying noexec would be a bad idea. Before my patches to change mount options and allow exec/dev/suid being set explicitly, we inferred the mount options from where on the base system the mount originated, and the options it had there. Implement the same functionality for the new option handling. There's a lot of performance left on the table here, but I don't know that this is ever going to take enough time to make it worth optimizing. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Don't double-process tmpfs optionsMatthew Heon2019-08-28
| | | | | | | | | | | | | | | | We already process the options on all tmpfs filesystems during final addition of mounts to the spec. We don't need to do it before that in parseVolumes. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Add support for 'exec', 'suid', 'dev' mount flagsMatthew Heon2019-08-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, we explicitly set noexec/nosuid/nodev on every mount, with no ability to disable them. The 'mount' command on Linux will accept their inverses without complaint, though - 'noexec' is counteracted by 'exec', 'nosuid' by 'suid', etc. Add support for passing these options at the command line to disable our explicit forcing of security options. This also cleans up mount option handling significantly. We are still parsing options in more than one place, which isn't good, but option parsing for bind and tmpfs mounts has been unified. Fixes: #3819 Fixes: #3803 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | spec: provide custom implementation for getDevicesGiuseppe Scrivano2019-09-02
| | | | | | | | | | | | | | | | | | | | | | | | provide an implementation for getDevices that skip unreadable directories for the current user. Based on the implementation from runc/libcontainer. Closes: https://github.com/containers/libpod/issues/3919 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | spec: do not set devices cgroup when rootlessGiuseppe Scrivano2019-09-02
| | | | | | | | | | | | eBPF requires to be root in the init namespace. Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* | rootless: bind mount devices instead of creating themGiuseppe Scrivano2019-09-02
|/ | | | | | | | | | | when running in rootless mode, --device creates a bind mount from the host instead of specifying the device in the OCI configuration. This is required as an unprivileged user cannot use mknod, even when root in a user namespace. Closes: https://github.com/containers/libpod/issues/3905 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* Remove --tmpfs size defaultAshley Cui2019-08-14
| | | | | | | Docker has unlimited tmpfs size where Podman had it set to 64mb. Should be standard between the two. Remove noexec default Signed-off-by: Ashley Cui <ashleycui16@gmail.com>
* storage: drop unused geteuid checkGiuseppe Scrivano2019-08-12
| | | | | | it is always running with euid==0 at this point. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>