aboutsummaryrefslogtreecommitdiff
path: root/pkg/spec
Commit message (Collapse)AuthorAge
* spec: mask /sys/kernel when bind mounting /sysGiuseppe Scrivano2019-04-11
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* oci: add /sys/kernel to the masked pathsGiuseppe Scrivano2019-04-11
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Drop LocalVolumes from our the databaseMatthew Heon2019-04-04
| | | | | | | | We were never using it. It's actually a potentially quite sizable field (very expensive to decode an array of structs!). Removing it should do no harm. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Major rework of --volumes-from flagMatthew Heon2019-04-04
| | | | | | | | | | The flag should be substantially more durable, and no longer relies on the create artifact. This should allow it to properly handle our new named volume implementation. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add handling for new named volumes code in pkg/specMatthew Heon2019-04-04
| | | | | | | | | Now that named volumes must be explicitly enumerated rather than passed in with all other volumes, we need to split normal and named volumes up before passing them into libpod. This PR does this. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* rootless: remove SkipStorageSetup()Giuseppe Scrivano2019-04-01
| | | | | | | | in the few places where we care about skipping the storage initialization, we can simply use the process effective UID, instead of relying on a global boolean flag. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Ensure that we make a netns for CNI non-default netsMatthew Heon2019-03-28
| | | | | | | | | | | | | | | | | We accidentally patched this out trying to enable ns:/path/to/ns This should restore the ability to configure nondefault CNI networks with Podman, by ensuring that they request creation of a network namespace. Completely remove the WithNetNS() call when we do use an explicit namespace from a path. We use that call to indicate that a netns is going to be created - there should not be any question about whether it actually does. Fixes #2795 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Remove ulele/deepcopier in favor of JSON deep copyMatthew Heon2019-03-27
| | | | | | | | | | | | | We have a very high performance JSON library that doesn't need to perform code generation. Let's use it instead of our questionably performant, reflection-dependent deep copy library. Most changes because some functions can now return errors. Also converts cmd/podman to use jsoniter, instead of pkg/json, for increased performance. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Resolve review commentsMatthew Heon2019-03-27
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add --no-hosts flag to disable management of /etc/hostsMatthew Heon2019-03-27
| | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Add for --dns=none to disable creation of resolv.confMatthew Heon2019-03-27
| | | | | | | Support in libpod was added in the previous commit. Wire it into the frontend here. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Need to pass the true paramater with --syslog in cobraDaniel J Walsh2019-03-20
| | | | | | | | | Currently cobra can not handle a boolean option without a vailue. This change fixes an issue if you want syslog information to show up based on the cleanup call. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Vendor docker/docker, fsouza and more #2TomSweeneyRedHat2019-03-13
| | | | | | | | | | | | Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com> Vendors in fsouza/docker-client, docker/docker and a few more related. Of particular note, changes to the TweakCapabilities() function from docker/docker along with the parse.IDMappingOptions() function from Buildah. Please pay particular attention to the related changes in the call from libpod to those functions during the review. Passes baseline tests.
* Merge pull request #2562 from baude/healtcheckphase2OpenShift Merge Robot2019-03-12
|\ | | | | healthcheck phase 2
| * healtcheck phase 2baude2019-03-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | integration of healthcheck into create and run as well as inspect. healthcheck enhancements are as follows: * add the following options to create|run so that non-docker images can define healthchecks at the container level. * --healthcheck-command * --healthcheck-retries * --healthcheck-interval * --healthcheck-start-period * podman create|run --healthcheck-command=none disables healthcheck as described by an image. * the healthcheck itself and the healthcheck "history" can now be observed in podman inspect * added the wiring for healthcheck history which logs the health history of the container, the current failed streak attempts, and log entries for the last five attempts which themselves have start and stop times, result, and a 500 character truncated (if needed) log of stderr/stdout. The timings themselves are not implemented in this PR but will be in future enablement (i.e. next). Signed-off-by: baude <bbaude@redhat.com>
* | Fix SELinux on host shared systems in usernsDaniel J Walsh2019-03-11
|/ | | | | | | | | | | | | Currently if you turn on --net=host on a rootless container and have selinux-policy installed in the image, tools running with SELinux will see that the system is SELinux enabled in rootless mode. This patch mounts a tmpfs over /sys/fs/selinux blocking this behaviour. This patch also fixes the fact that if you shared --pid=host we were not masking over certin /proc paths. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #2412 from QiWang19/iss2380OpenShift Merge Robot2019-03-06
|\ | | | | Enable specifying directory as device on container with --device
| * fix bug --device enable specifying directory as deviceQi Wang2019-03-06
| | | | | | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* | podman healthcheck run (phase 1)baude2019-03-05
|/ | | | | | | | | Add the ability to manually run a container's healthcheck command. This is only the first phase of implementing the healthcheck. Subsequent pull requests will deal with the exposing the results and history of healthchecks as well as the scheduling. Signed-off-by: baude <bbaude@redhat.com>
* volume: do not create a volume if there is a bindGiuseppe Scrivano2019-02-26
| | | | | | | | | | | if there is already a bind mount specified for the target, do not create a new volume. Regression introduced by 52df1fa7e054d577e8416d1d46db1741ad324d4a Closes: https://github.com/containers/libpod/issues/2441 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2358 from rhatdan/namespaceOpenShift Merge Robot2019-02-25
|\ | | | | Fix up handling of user defined network namespaces
| * Fix up handling of user defined network namespacesDaniel J Walsh2019-02-23
| | | | | | | | | | | | | | | | | | If user specifies network namespace and the /etc/netns/XXX/resolv.conf exists, we should use this rather then /etc/resolv.conf Also fail cleaner if the user specifies an invalid Network Namespace. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | podman: fix ro bind mounts if no* opts are on the sourceGiuseppe Scrivano2019-02-25
|/ | | | | | | | | | | | | | This is a workaround for the runc issue: https://github.com/opencontainers/runc/issues/1247 If the source of a bind mount has any of nosuid, noexec or nodev, be sure to propagate them to the bind mount so that when runc tries to remount using MS_RDONLY, these options are also used. Closes: https://github.com/containers/libpod/issues/2312 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Fix volume handling in podmanDaniel J Walsh2019-02-14
| | | | | | | | | | | | | | | | | | iFix builtin volumes to work with podman volume Currently builtin volumes are not recored in podman volumes when they are created automatically. This patch fixes this. Remove container volumes when requested Currently the --volume option on podman remove does nothing. This will implement the changes needed to remove the volumes if the user requests it. When removing a volume make sure that no container uses the volume. Signed-off-by: Daniel J Walsh dwalsh@redhat.com Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix manual detach from containers to not wait for exitMatthew Heon2019-02-12
| | | | | | | | | | | | | | | | | | | | | | | | | At present, when manually detaching from an attached container (using the detach hotkeys, default C-p C-q), Podman will still wait for the container to exit to obtain its exit code (so we can set Podman's exit code to match). This is correct in the case where attach finished because the container exited, but very wrong for the manual detach case. As a result of this, we can no longer guarantee that the cleanup and --rm functions will fire at the end of 'podman run' - we may be exiting before we get that far. Cleanup is easy enough - we swap to unconditionally using the cleanup processes we've used for detached and rootless containers all along. To duplicate --rm we need to also teach 'podman cleanup' to optionally remove containers instead of cleaning them up. (There is an argument for just using 'podman rm' instead of 'podman cleanup --rm', but cleanup does have different semantics given that we only ever expect it to run when the container has just exited. I think it might be useful to keep the two separate for things like 'podman events'...) Signed-off-by: Matthew Heon <mheon@redhat.com>
* cleanup: use the correct runtimeGiuseppe Scrivano2019-02-07
| | | | | | | make sure "containers cleanup" uses the correct runtime if it was overriden. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: do not override /dev/pts if not neededGiuseppe Scrivano2019-02-06
| | | | | | | | | | when running in rootless mode we were unconditionally overriding /dev/pts to take ride of gid=5. This is not needed when multiple gids are present in the namespace, which is always the case except when running the tests suite with only one mapping. So change it to check how many gids are present before overriding the default mount. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2142 from giuseppe/expose-portsOpenShift Merge Robot2019-01-20
|\ | | | | rootless: support port redirection from the host
| * rootless: support port redirection from the hostGiuseppe Scrivano2019-01-19
| | | | | | | | | | | | | | | | | | | | add support for ports redirection from the host. It needs slirp4netns v0.3.0-alpha.1. Closes: https://github.com/containers/libpod/issues/2081 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | rootless: fix --pid=host without --privilegedGiuseppe Scrivano2019-01-18
|/ | | | | | | When using --pid=host don't try to cover /proc paths, as they are coming from the /proc bind mounted from the host. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2141 from baude/remotetagOpenShift Merge Robot2019-01-13
|\ | | | | Add darwin support for remote-client
| * Add darwin support for remote-clientbaude2019-01-11
| | | | | | | | | | | | | | | | Add the ability to cross-compile podman remote for OSX. Also, add image exists and tag to remote-client. Signed-off-by: baude <bbaude@redhat.com>
* | podman play kube: add containers to podbaude2019-01-11
|/ | | | | | | | | when defining containers, we missed the conditional logic to allow the container to be defined with "WithPod" and so forth. I had to slightly modify the createcontainer process to pass a libpod.Pod that could override things; use nil as no pod. Signed-off-by: baude <bbaude@redhat.com>
* createconfig: always cleanup a rootless containerGiuseppe Scrivano2019-01-10
| | | | | | | | | | | | | | | | the rootless container storage is always mounted in a different mount namespace, owned by the unprivileged user. Even if it is mounted, a process running in another namespace cannot reuse the already mounted storage. Make sure the storage is always cleaned up once the container terminates. This has worked with vfs since there is no real mounted storage. Closes: https://github.com/containers/libpod/issues/2112 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* apparmor: apply default profile at container initializationValentin Rothberg2019-01-09
| | | | | | | | | | | | | | | | | | | Apply the default AppArmor profile at container initialization to cover all possible code paths (i.e., podman-{start,run}) before executing the runtime. This allows moving most of the logic into pkg/apparmor. Also make the loading and application of the default AppArmor profile versio-indepenent by checking for the `libpod-default-` prefix and over-writing the profile in the run-time spec if needed. The intitial run-time spec of the container differs a bit from the applied one when having started the container, which results in displaying a potentially outdated AppArmor profile when inspecting a container. To fix that, load the container config from the file system if present and use it to display the data. Fixes: #2107 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #2082 from rhatdan/runcOpenShift Merge Robot2019-01-06
|\ | | | | Update vendor of runc
| * Update vendor of runcDaniel J Walsh2019-01-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Updating the vendor or runc to pull in some fixes that we need. In order to get this vendor to work, we needed to update the vendor of docker/docker, which causes all sorts of issues, just to fix the docker/pkg/sysinfo. Rather then doing this, I pulled in pkg/sysinfo into libpod and fixed the code locally. I then switched the use of docker/pkg/sysinfo to libpod/pkg/sysinfo. I also switched out the docker/pkg/mount to containers/storage/pkg/mount Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | add container-init supportValentin Rothberg2019-01-04
|/ | | | | | | | | | | | | | | | | | | Add support for executing an init binary as PID 1 in a container to forward signals and reap processes. When the `--init` flag is set for podman-create or podman-run, the init binary is bind-mounted to `/dev/init` in the container and "/dev/init --" is prepended to the container's command. The default base path of the container-init binary is `/usr/libexec/podman` while the default binary is catatonit [1]. This default can be changed permanently via the `init_path` field in the `libpod.conf` configuration file (which is recommended for packaging) or temporarily via the `--init-path` flag of podman-create and podman-run. [1] https://github.com/openSUSE/catatonit Fixes: #1670 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Fix handling of symbolic linksDaniel J Walsh2018-12-28
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fixes to handle /dev/shm correctly.Daniel J Walsh2018-12-24
| | | | | | | | | | | | | | | | | | We had two problems with /dev/shm, first, you mount the container read/only then /dev/shm was mounted read/only. This is a bug a tmpfs directory should be read/write within a read-only container. The second problem is we were ignoring users mounted /dev/shm from the host. If user specified podman run -d -v /dev/shm:/dev/shm ... We were dropping this mount and still using the internal mount. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Allow users to specify a directory for additonal devicesDaniel J Walsh2018-12-21
| | | | | | | Podman will search through the directory and will add any device nodes that it finds. If no devices are found we return an error. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Invalid index for arrayDaniel J Walsh2018-12-21
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* create pod on the flybaude2018-12-03
| | | | | | | | | | when a user specifies --pod to podman create|run, we should create that pod automatically. the port bindings from the container are then inherited by the infra container. this signicantly improves the workflow of running containers inside pods with podman. the user is still encouraged to use podman pod create to have more granular control of the pod create options. Signed-off-by: baude <bbaude@redhat.com>
* network: allow slirp4netns mode also for root containersGiuseppe Scrivano2018-11-28
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: add new netmode "slirp4netns"Giuseppe Scrivano2018-11-27
| | | | | | | | so that inspect reports the correct network configuration. Closes: https://github.com/containers/libpod/issues/1453 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Allow users to expose ports from the pod to the hostbaude2018-11-20
| | | | | | | | | | we need to allow users to expose ports to the host for the purposes of networking, like a webserver. the port exposure must be done at the time the pod is created. strictly speaking, the port exposure occurs on the infra container. Signed-off-by: baude <bbaude@redhat.com>
* Change to exported name in ParseDeviceQi Wang2018-10-29
| | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* Mount proper cgroup for systemd to manage inside of the container.Daniel J Walsh2018-10-15
| | | | | | | | | | | | We are still requiring oci-systemd-hook to be installed in order to run systemd within a container. This patch properly mounts /sys/fs/cgroup/systemd/libpod_parent/libpod-UUID on /sys/fs/cgroup/systemd inside of container. Since we need the UUID of the container, we needed to move Systemd to be a config option of the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1605 from mheon/syslog_cleanupOpenShift Merge Robot2018-10-11
|\ | | | | Pass along syslog variable to podman cleanup processes
| * Pass along syslog variable to podman cleanup processesMatthew Heon2018-10-11
| | | | | | | | | | | | | | | | | | As of now, there is no way to debug podman clean up processes. They are started by conmon with no stdout/stderr and log nowhere. This allows us to actually figure out what is going on when a cleanup process runs. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>