summaryrefslogtreecommitdiff
path: root/pkg/spec
Commit message (Collapse)AuthorAge
* Revert "rootless: Rearrange setup of rootless containers"baude2019-08-06
| | | | | | This reverts commit 80dcd4bebcdc8e280f6b43228561d09c194c328b. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3310 from gabibeyer/rootlessKataOpenShift Merge Robot2019-08-05
|\ | | | | rootless: Rearrange setup of rootless containers ***CIRRUS: TEST IMAGES***
| * rootless: Rearrange setup of rootless containersGabi Beyer2019-07-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In order to run Podman with VM-based runtimes unprivileged, the network must be set up prior to the container creation. Therefore this commit modifies Podman to run rootless containers by: 1. create a network namespace 2. pass the netns persistent mount path to the slirp4netns to create the tap inferface 3. pass the netns path to the OCI spec, so the runtime can enter the netns Closes #2897 Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
* | Merge pull request #3551 from mheon/fix_memory_leakOpenShift Merge Robot2019-08-02
|\ \ | | | | | | Fix memory leak with exit files
| * | Pass on events-backend config to cleanup processesMatthew Heon2019-08-01
| |/ | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Use buildah/pkg/parse volume parsing rather then internal versionDaniel J Walsh2019-08-01
| | | | | | | | | | | | | | We share this code with buildah, so we should eliminate the podman version. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Vendor in buildah 1.9.2Daniel J Walsh2019-07-30
|/ | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* podman: support --userns=ns|containerGiuseppe Scrivano2019-07-25
| | | | | | | | allow to join the user namespace of another container. Closes: https://github.com/containers/libpod/issues/3629 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* golangci-lint round #3baude2019-07-21
| | | | | | | this is the third round of preparing to use the golangci-lint on our code base. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3593 from giuseppe/rootless-privileged-devicesOpenShift Merge Robot2019-07-18
|\ | | | | rootless: add host devices with --privileged
| * rootless: add rw devices with --privilegedGiuseppe Scrivano2019-07-18
| | | | | | | | | | | | | | | | | | when --privileged is specified, add all the devices that are usable by the user. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1730773 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | libpod: support for cgroup namespaceGiuseppe Scrivano2019-07-18
|/ | | | | | | | | | | | | | allow a container to run in a new cgroup namespace. When running in a new cgroup namespace, the current cgroup appears to be the root, so that there is no way for the container to access cgroups outside of its own subtree. By default it uses --cgroup=host to keep the previous behavior. To create a new namespace, --cgroup=private must be provided. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Populate inspect with security-opt settingsMatthew Heon2019-07-17
| | | | | | | | We can infer no-new-privileges. For now, manually populate seccomp (can't infer what file we sourced from) and SELinux/Apparmor (hard to tell if they're enabled or not). Signed-off-by: Matthew Heon <mheon@redhat.com>
* Move the HostConfig portion of Inspect inside libpodMatthew Heon2019-07-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When we first began writing Podman, we ran into a major issue when implementing Inspect. Libpod deliberately does not tie its internal data structures to Docker, and stores most information about containers encoded within the OCI spec. However, Podman must present a CLI compatible with Docker, which means it must expose all the information in 'docker inspect' - most of which is not contained in the OCI spec or libpod's Config struct. Our solution at the time was the create artifact. We JSON'd the complete CreateConfig (a parsed form of the CLI arguments to 'podman run') and stored it with the container, restoring it when we needed to run commands that required the extra info. Over the past month, I've been looking more at Inspect, and refactored large portions of it into Libpod - generating them from what we know about the OCI config and libpod's (now much expanded, versus previously) container configuration. This path comes close to completing the process, moving the last part of inspect into libpod and removing the need for the create artifact. This improves libpod's compatability with non-Podman containers. We no longer require an arbitrarily-formatted JSON blob to be present to run inspect. Fixes: #3500 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* spec: rework --ulimit hostGiuseppe Scrivano2019-07-17
| | | | | | | it seems enough to not specify any ulimit block to maintain the host limits. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3563 from giuseppe/fix-single-mapping-rootlessOpenShift Merge Robot2019-07-12
|\ | | | | spec: fix userns with less than 5 gids
| * spec: fix userns with less than 5 gidsGiuseppe Scrivano2019-07-12
| | | | | | | | | | | | | | when the container is running in a user namespace, check if gid=5 is available, otherwise drop the option gid=5 for /dev/pts. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #3537 from QiWang19/volumeabsOpenShift Merge Robot2019-07-12
|\ \ | | | | | | fix bug convert volume host path to absolute
| * | fix bug convert volume host path to absoluteQi Wang2019-07-10
| | | | | | | | | | | | | | | | | | fix #3504 If --volume host:dest host is not a named volume, convert the host to a absolute directory path. Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | Merge pull request #3491 from giuseppe/rlimit-hostOpenShift Merge Robot2019-07-11
|\ \ \ | |_|/ |/| | podman: add --ulimit host
| * | podman: add --ulimit hostGiuseppe Scrivano2019-07-08
| |/ | | | | | | | | | | | | | | | | add a simple way to copy ulimit values from the host. if --ulimit host is used then the current ulimits in place are copied to the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / first pass of corrections for golangci-lintbaude2019-07-10
|/ | | | Signed-off-by: baude <bbaude@redhat.com>
* spec: move cgo stuff to their own fileGiuseppe Scrivano2019-07-02
| | | | | | so it can build without cgo since seccomp requires it. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* util: drop IsCgroup2UnifiedMode and use it from cgroupsGiuseppe Scrivano2019-06-26
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* remove libpod from mainbaude2019-06-25
| | | | | | | | | | | | | the compilation demands of having libpod in main is a burden for the remote client compilations. to combat this, we should move the use of libpod structs, vars, constants, and functions into the adapter code where it will only be compiled by the local client. this should result in cleaner code organization and smaller binaries. it should also help if we ever need to compile the remote client on non-Linux operating systems natively (not cross-compiled). Signed-off-by: baude <bbaude@redhat.com>
* Add tests for cached and delegated mountsMatthew Heon2019-06-19
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Allow (but ignore) Cached and Delegated volume optionsMatthew Heon2019-06-18
| | | | | | | | | | These are only used on OS X Docker, and ignored elsewhere - but since they are ignored, they're guaranteed to be safe everywhere, and people are using them. Fixes: #3340 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3328 from mheon/storage_opts_for_cleanupOpenShift Merge Robot2019-06-15
|\ | | | | When creating exit command, pass storage options on
| * When creating exit command, pass storage options onMatthew Heon2019-06-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We made changes earlier that empty storage options when setting storage driver explicitly. Unfortunately, this breaks rootless cleanup commands, as they lose the fuse-overlayfs mount program path. Fix this by passing along the storage options to the cleanup process. Also, fix --syslog, which was broken a while ago (probably when we broke up main to add main_remote). Fixes #3326 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | storage: support --mount type=bind,bind-nonrecursiveGiuseppe Scrivano2019-06-13
| | | | | | | | | | | | | | | | add support for not recursive bind mounts. Closes: https://github.com/containers/libpod/issues/3314 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | storage: fix typoGiuseppe Scrivano2019-06-13
|/ | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* only set log driver if it isn't emptyPeter Hunt2019-06-08
| | | | | | Now, not setting a log driver in a create config correctly takes the default (k8s-logging) Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Merge pull request #3238 from mheon/no_tmpcopyup_devOpenShift Merge Robot2019-05-31
|\ | | | | Do not set tmpcopyup on /dev
| * Do not set tmpcopyup on /devMatthew Heon2019-05-30
| | | | | | | | | | | | Fixes #3229 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Added --log-driver and journald loggingPeter Hunt2019-05-28
|/ | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* When superceding mounts, check for opposite typesMatthew Heon2019-05-21
| | | | | | | | | | | | | | | | | | | When we supercede low-priority mounts and volumes (image volumes, and volumes sourced from --volumes-from) with higher-priority ones (the --volume and --mount flags), we always replaced lower-priority mounts of the same type (e.g. a user mount to /tmp/test1 would supercede a volumes-from mount to the same destination). However, we did not supercede the opposite type - a named volume from image volumes at /tmp/test1 would be allowed to remain and create a conflict, preventing container creation. Solve this by destroying opposite types before merging (we can't do it in the same loop, as then named volumes, which go second, might trample changes made by mounts). Fixes #3174 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* rootless: force resources to be nil on cgroup v1Giuseppe Scrivano2019-05-20
| | | | | | | | | force the resources block to be empty instead of having default values. Regression introduced by 8e88461511e81d2327e4c1a1315bb58fda1827ca Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Don't set apparmor if --priviligedDaniel J Walsh2019-05-20
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless, spec: allow resources with cgroup v2Giuseppe Scrivano2019-05-13
| | | | | | | We were always raising an error when the rootless user attempted to setup resources, but this is not the case anymore with cgroup v2. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add support for retry count with --restart flagMatthew Heon2019-05-03
| | | | | | | | | The on-failure restart option supports restarting only a given number of times. To do this, we need one additional field in the DB to track restart count (which conveniently fills a field in Inspect we weren't populating), plus some plumbing logic. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add container restart policy to Libpod & PodmanMatthew Heon2019-05-03
| | | | | | | This initial version does not support restart count, but it works as advertised otherwise. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #2959 from mheon/merge_volume_flagsOpenShift Merge Robot2019-05-03
|\ | | | | Merge volume flags implementation
| * Move handling of ReadOnlyTmpfs into new mounts codeMatthew Heon2019-05-01
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Ensure that named volumes have their options parsedMatthew Heon2019-05-01
| | | | | | | | | | | | | | This involves moving some code out of pkg/spec/ into util/ so it can also be used by libpod. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Add options parsing for tmpfs mountsMatthew Heon2019-05-01
| | | | | | | | | | | | | | | | | | This ensures that all tmpfs mounts added by the user, even with the --mount flag, share a few common options (nosuid, noexec, nodev), and options for tmpfs mounts are properly validated to ensure they are correct. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Use EqualValues instead of reflect equalityMatthew Heon2019-05-01
| | | | | | | | | | | | | | Same result, but notably better error messages when things go wrong. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Hit a number of to-do comments in unified volumes codeMatthew Heon2019-05-01
| | | | | | | | | | | | | | | | As part of this, move bind mount option validity parsing and modification (adding e.g. rbind on bind mounts that are missing it), which requires test changes (expected values have changed). Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Fix options for non-bind and non-tmpfs volumesMatthew Heon2019-05-01
| | | | | | | | | | | | | | | | | | We were unconditionally resetting volume mount options for all mount points (and by the looks of things, completely dropping tmpfs mounts), which was causing runc to refuse to run containers and all the tests to consequently fail. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Migrate unit tests from cmd/podman into pkg/specMatthew Heon2019-05-01
| | | | | | | | | | | | | | | | | | | | Several changes made in the interface of pkg/spec make interacting with it without a runtime difficult to impossible, so move the existing limited testing from cmd/podman (which mostly tested pkg/spec) into pkg/spec itself where we can call individual functions that don't break things. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Migrate to unified volume handling codeMatthew Heon2019-05-01
| | | | | | | | | | | | | | | | | | | | | | | | | | Unify handling for the --volume, --mount, --volumes-from, --tmpfs and --init flags into a single file and set of functions. This will greatly improve readability and maintainability. Further, properly handle superceding and conflicting mounts. Our current patchwork has serious issues when mounts conflict, or when a mount from --volumes-from or an image volume should be overwritten by a user volume or named volume. Signed-off-by: Matthew Heon <matthew.heon@pm.me>