path: root/pkg/specgen/generate
* Enable detached exec for remote (Matthew Heon, 2020-06-02)

  The biggest obstacle here was cleanup - we needed a way to remove detached exec sessions after they exited, but there's no way to tell if an exec session will be attached or detached when it's created, and that's when we must add the exit command that would do the removal. The solution was adding a delay to the exit command (5 minutes), which gives sufficient time for attached exec sessions to retrieve the exit code of the session after it exits, but still guarantees that they will be removed, even for detached sessions. This requires Conmon 2.0.17, which has the new `--exit-delay` flag.

  As part of the exit command rework, we can drop the hack we were using to clean up exec sessions (remove them as part of inspect). This is a lot cleaner, and I'm a lot happier about it.

  Otherwise, this is just plumbing - we need a bindings call for detached exec, and that needed to be added to the tunnel mode backend for entities.

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* specgen: fix segfault (Peter Hunt, 2020-05-27)

  We should not access the devices without checking if the resources are there.

  Signed-off-by: Peter Hunt <pehunt@redhat.com>

* Attempt to turn on build_without_cgo tests (Daniel J Walsh, 2020-05-22)

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* Enable cleanup processes for detached exec (Matthew Heon, 2020-05-20)

  The cleanup command creation logic is made public as part of this and wired such that we can call it both within SpecGen (to make container exit commands) and from the ABI detached exec handler. Exit commands are presently only used for detached exec, but theoretically could be turned on for all exec sessions if we wanted (I'm declining to do this because of potential overhead).

  I also forgot to copy the exit command from the exec config into the ExecOptions struct used by the OCI runtime, so it was not being added.

  There are also two significant bugfixes for exec in here. One is for updating the status of running exec sessions - this was always failing as I had coded it to remove the exit file *before* reading it, instead of after (oops). The second was that removing a running exec session would always fail because I inverted the check to see if it was running.

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Add remaining annotations for `podman inspect` (Matthew Heon, 2020-05-08)

  This should finish support for `podman inspect` in APIv2.

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Fix `podman pod create --infra=false` (Matthew Heon, 2020-05-08)

  We were accidentally setting incorrect defaults for the network namespace for rootless `pod create` when infra containers were not being created. This should resolve that issue.

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* set binding tests to required (Brent Baude, 2020-05-08)

  Some small fix-ups for binding tests and then make them required.

  Update containers-common. V2 bindings tests were failing because of changes introduced in commit a2ad5bb.

  Fix some typos.

  Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>

  In the case where the specgen attributes for Env and Labels are nil, we should then make the map IF we have labels and envs that need to be added.

  Signed-off-by: Brent Baude <bbaude@redhat.com>

* podman: split env variables in env and overrides (Giuseppe Scrivano, 2020-05-07)

  There are three different priorities for applying env variables:

  1) environment/config file environment variables
  2) image's config
  3) user overrides (--env)

  The third kind are known to the client, while the default config and image's config are handled by the backend.

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* add {generate,play} kube (Valentin Rothberg, 2020-05-06)

  Add the `podman generate kube` and `podman play kube` command. The code has largely been copied from Podman v1 but restructured to not leak the K8s core API into the (remote) client.

  Both commands are added in the same commit to allow for enabling the tests at the same time.

  Move some exports from `cmd/podman/common` to the appropriate places in the backend to avoid circular dependencies. Move definitions of label annotations to `libpod/define` and set the security-opt labels in the frontend to make kube tests pass.

  Implement rest endpoints, bindings and the tunnel interface.

  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

* Add small fixes for 'podman run' from diffing inspect (Matthew Heon, 2020-05-05)

  To try and identify differences between Podman v1.9 and master, I ran a series of `podman run` commands with various flags through each, then inspected the resulting containers and diffed the inspect JSON between each. This identified a number of issues which are fixed in this PR. In order of discovery:

  - Podman v2 gave short names for images, where Podman v1 gave the fully-qualified name. Simple enough fix (get image tags and use the first one if they're available)
  - The --restart flag was not being parsed correctly when a number of retries was specified. Parsing has been corrected.
  - The -m flag was not setting the swap limit (simple fix to set swap in that case if it's not explicitly set by the user)
  - The --cpus flag was completely nonfunctional (wired in its logic)

  Tests have been added for all of these to catch future regressions.

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Rework port parsing to support --expose and -P (Matthew Heon, 2020-05-04)

  As part of this, make a major change to the type we use to represent port mappings in SpecGen (from using existing OCICNI structs to using our own custom one). This struct has the advantage of supporting ranges, massively reducing traffic over the wire for Podman commands using them (for example, the `podman run -p 5000-6000` command will now send only one struct instead of 1000). This struct also allows us to easily validate which ports are in use, and which are not, which is necessary for --expose.

  Once we have parsed the ports from the new struct, we can produce an accurate map including all currently requested ports, and use that to determine what ports need to be exposed (some requested exposed ports may already be included in a mapping from --publish and will be ignored) and what open ports on the host we can map them to.

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* cgroupsns was not following containers.conf (Daniel J Walsh, 2020-05-01)

  Implement ParseCgroupsNamespace to handle defaults.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* Properly handle default capabilities listed in containers.conf (Daniel J Walsh, 2020-05-01)

  If user/admin specifies a different list of default capabilities we need to honor these.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* Properly handle containers.conf devices (Daniel J Walsh, 2020-05-01)

  We need to add the default devices listed in containers.conf.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #6004 from rhatdan/ulimits (OpenShift Merge Robot, 2020-05-01)

  Set up ulimits for rootless containers.

  * Set up ulimits for rootless containers. (Daniel J Walsh, 2020-04-28)

    Currently we are setting the maximum limits for rootful podman containers; no reason not to set them by default for rootless users as well.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* cmd, podman: do not override entrypoint if unset (Giuseppe Scrivano, 2020-04-30)

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* cmd, podman: handle --pod new:POD (Giuseppe Scrivano, 2020-04-30)

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* generate systemd (Valentin Rothberg, 2020-04-29)

  Implement `podman generate systemd` for Podman v2 and enable associated tests.

  Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

* Merge pull request #6024 from baude/v2checkmediatypew (OpenShift Merge Robot, 2020-04-28)

  check image media/manifest type for healthchecks

  * check image media/manifest type for healthchecks (Brent Baude, 2020-04-28)

    Before looking up a healthcheck in an image, check to make sure it is a dockerv2schema image.

    Signed-off-by: Brent Baude <bbaude@redhat.com>

* pkg, specgen: do not hardcode user=0 in the config if not specified (Giuseppe Scrivano, 2020-04-28)

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Improve Entrypoint and Command support (Matthew Heon, 2020-04-27)

  We should not be overwriting the Specgen's Command and Entrypoint when building the final command to pass in the OCI spec. Both of these will be provided to Libpod for use in `podman inspect` and committing containers, and both must be set to the user's input, not overwritten by the image if unset.

  Fix this by moving command generation into OCI spec generation and not modifying the SpecGenerator when we do so.

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Add support for volumes-from, image volumes, init (Matthew Heon, 2020-04-27)

  This should complete Podmanv2's support for volume-related flags. Most code was sourced from the old pkg/spec implementation with modifications to account for the split between frontend flags (volume, mount, tmpfs) and the backend flags implemented here.

  Also enables tests for podman run with volumes.

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Merge pull request #5994 from giuseppe/fix-healthchecks (OpenShift Merge Robot, 2020-04-27)

  v2, podman: fix healthchecks

  * specgen: read healthchecks from the image (Giuseppe Scrivano, 2020-04-27)

    If there is no healthcheck configuration specified, read it from the image.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* spec, pod: honor --dns (Giuseppe Scrivano, 2020-04-27)

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Merge pull request #5971 from giuseppe/fix-userns-tests (OpenShift Merge Robot, 2020-04-24)

  v2, podman: fix and enable all run_userns_test.go tests

  * podman: implement userns=keep-id (Giuseppe Scrivano, 2020-04-24)

    Add missing implementation for userns=keep-id and enable the user namespaces tests.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Merge pull request #5967 from giuseppe/run-test-fixes (OpenShift Merge Robot, 2020-04-24)

  v2, tests: fix various run_test.go failures

  * podman: add support for --rootfs (Giuseppe Scrivano, 2020-04-24)

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

  * create: move validate after setting default ns (Giuseppe Scrivano, 2020-04-24)

    Validate the configuration only after we set the default namespaces.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Do not join pod namespaces without an infra ctr (Matthew Heon, 2020-04-24)

  We do not want to join pod namespaces if no infra container is present. A pod may claim it shares namespaces without an infra container (I'll take an action item to fix that - it really should not be allowed), which was tripping up our default namespace code and forcing us to try and join the namespaces of the nonexistent infra container.

  Signed-off-by: Matthew Heon <mheon@redhat.com>
* podman: handle namespaces specified on the CLI (Giuseppe Scrivano, 2020-04-23)

  and handle the user namespace differently, as it supports additional options.

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Enable basic volumes support in Podmanv2 (Matthew Heon, 2020-04-22)

  This enables the --volume, --mount, and --tmpfs flags in Podmanv2. It does not enable init-related flags, image volumes, and --volumes-from.

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Modify namespace generation code for specgen (Matthew Heon, 2020-04-21)

  Namespaces have now been changed to properly handle all cases. Spec handling code for namespaces was consolidated in a single function.

  Still missing:

  - Image ports
  - Pod namespaces likely still broken in Podmanv2

  Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Merge pull request #5921 from baude/v2imageep (OpenShift Merge Robot, 2020-04-21)

  add entrypoint from image where needed

  * add entrypoint from image where needed (Brent Baude, 2020-04-21)

    If the image specifies both the image and entrypoint, we need to account for that and prepend the entrypoint to the command. This only happens if no user command and entrypoint were supplied.

    Signed-off-by: Brent Baude <bbaude@redhat.com>

* Merge pull request #5912 from giuseppe/v2-rlimits (OpenShift Merge Robot, 2020-04-21)

  v2, pkg: implement rlimits

  * pkg: implement rlimits (Giuseppe Scrivano, 2020-04-21)

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Handle annotations passed in via the client (Daniel J Walsh, 2020-04-21)

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* Merge pull request #5875 from rhatdan/network (OpenShift Merge Robot, 2020-04-21)

  Cleanup network option parsing

  * Cleanup network option parsing (Daniel J Walsh, 2020-04-19)

    We were not handling the parsing of --ip. This PR adds validation checks and now will support the flag.

    Move validation to the actual parsing of the network flags.

    We should only parse the dns flags if the user changed them. We don't want to pass default options if set in containers.conf to the server. Potential for duplicating defaults.

    Add support for --dns-opt flag passing.

    Begin handling of --network flag, although we don't have a way right now to translate a string into a specgen.Namespace.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* Handle Linux Capabilities correctly (Daniel J Walsh, 2020-04-20)

  If user sets capabilities list we need to handle minimal capabilities.

  Also handle seccomp-policy being passed in.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* Add functions to return image information (Daniel J Walsh, 2020-04-20)

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* podman v2 remove bloat v2 (Brent Baude, 2020-04-16)

  Rid ourselves of libpod references in v2 client.

  Signed-off-by: Brent Baude <bbaude@redhat.com>

* Fix up SELinux labeling (Daniel J Walsh, 2020-04-15)

  SELinux label options processing fixes, should allow system tests to pass.

  Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* v2specgen prune libpod (Brent Baude, 2020-04-14)

  Use libpod only in the specgen/generate package so that the remote clients do not inherit libpod bloat.

  Signed-off-by: Brent Baude <bbaude@redhat.com>

* v2podman container create (Brent Baude, 2020-04-03)

  Create a container in podmanv2 using the specgen approach. This is the core implementation and still has quite a bit of code commented out, specifically around volumes, devices, and namespaces. Need contributions from SMEs on these parts.

  Signed-off-by: Brent Baude <bbaude@redhat.com>