summaryrefslogtreecommitdiff
path: root/pkg/specgen/generate
Commit message (Collapse)AuthorAge
* Merge pull request #15599 from umohnani8/gen-kubeOpenShift Merge Robot2022-09-02
|\ | | | | Fix bind-mount-option annotation in gen/play kube
| * Fix bind-mount-option annotation in gen/play kubeUrvashi Mohnani2022-09-01
| | | | | | | | | | | | | | | | | | The format used for setting the bind-mount-options annotations in the kube yaml was incorrect and caused k8s to throw an error when trying to play the generated kube yaml. Fix the annotation format to match the rules of k8s. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* | implement podman updateCharlie Doern2022-09-01
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | podman update allows users to change the cgroup configuration of an existing container using the already defined resource limits flags from podman create/run. The supported flags in crun are: this command is also now supported in the libpod api via the /libpod/containers/<CID>/update endpoint where the resource limits are passed inthe request body and follow the OCI resource spec format –memory –cpus –cpuset-cpus –cpuset-mems –memory-swap –memory-reservation –cpu-shares –cpu-quota –cpu-period –blkio-weight –cpu-rt-period –cpu-rt-runtime -device-read-bps -device-write-bps -device-read-iops -device-write-iops -memory-swappiness -blkio-weight-device resolves #15067 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* Merge pull request #15560 from dfr/freebsd-specgenOpenShift Merge Robot2022-09-01
|\ | | | | Add FreeBSD support for pkg/specgen/generate
| * specgen/generate: Add support for FreeBSDDoug Rabson2022-08-30
| | | | | | | | | | | | [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * specgen/generate: Move specConfigNamespaces to namespace_linux.go and add stubsDoug Rabson2022-08-30
| | | | | | | | | | | | | | | | Everthing except for hostname management is linux-specific. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * specgen/generate: Move SpecGenToOCI, WeightDevices to oci_linux.go and add ↵Doug Rabson2022-08-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | stubs. Almost all of SpecGenToOCI deals with linux-specific aspects of the runtime spec. Rather than try to factor this out piecemeal, I think it is cleaner to move the whole function along with its implementation helper functions. This also meams we don't need non-linux stubs for functions called from oci_linux.go [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
| * specgen/generate: Move security.go to security_linux.go and add stubsDoug Rabson2022-08-29
| | | | | | | | | | | | | | | | | | The security features (selinux, apparmor, capabilities) are linux specific. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* | Merge pull request #15473 from umohnani8/empty-dirOpenShift Merge Robot2022-08-31
|\ \ | | | | | | Add emptyDir volume support to kube play
| * | Add emptyDir volume support to kube playUrvashi Mohnani2022-08-30
| |/ | | | | | | | | | | | | | | | | | | | | When a kube yaml has a volume set as empty dir, podman will create an anonymous volume with the empty dir name and attach it to the containers running in the pod. When the pod is removed, the empy dir volume created is also removed. Add tests and docs for this as well. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
* / podman: add uid and gid options to keep-idGiuseppe Scrivano2022-08-30
|/ | | | | | | | | | | | | | | | | | | | add two new options to the keep-id user namespace option: - uid: allow to override the UID used inside the container. - gid: allow to override the GID used inside the container. For example, the following command will map the rootless user (that has UID=0 inside the rootless user namespace) to the UID=11 inside the container user namespace: $ podman run --userns=keep-id:uid=11 --rm -ti fedora cat /proc/self/uid_map 0 1 11 11 0 1 12 12 65525 Closes: https://github.com/containers/podman/issues/15294 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #15434 from rhatdan/manifest1OpenShift Merge Robot2022-08-24
|\ | | | | Allow podman to run in an environment with keys containing spaces
| * Allow podman to run in an environment with keys containing spacesDaniel J Walsh2022-08-23
| | | | | | | | | | | | Fixes: https://github.com/containers/podman/issues/15251 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | run,create: add support for --env-merge for preprocessing varsAditya R2022-08-24
|/ | | | | | | | | | | | | | | Allow end users to preprocess default environment variables before injecting them into container using `--env-merge` Usage ``` podman run -it --rm --env-merge some=${some}-edit --env-merge some2=${some2}-edit2 myimage sh ``` Closes: https://github.com/containers/podman/issues/15288 Signed-off-by: Aditya R <arajan@redhat.com>
* Merge pull request #15415 from cdoern/cloneOpenShift Merge Robot2022-08-23
|\ | | | | pass environment variables to container clone
| * pass environment variables to container cloneCharlie Doern2022-08-22
| | | | | | | | | | | | | | | | the env vars are held in the spec rather than the config, so they need to be mapped manually. They are also of a different format so special handling needed to be added. All env from the parent container will now be passed to the clone. resolves #15242 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | Warning messages are printed and ignored if we use an unsupported optionToshiki Sonoda2022-08-23
|/ | | | | | | | | | | | | | | | | | | When an unsupported limit on cgroups V1 rootless systems is requested, podman prints an warning message and ignores the option/flag. ``` Target options/flags: --cpu-period, --cpu-quota, --cpu-rt-period, --cpu-rt-runtime, --cpus, --cpu-shares, --cpuset-cpus, --cpuset-mems, --memory, --memory-reservation, --memory-swap, --memory-swappiness, --blkio-weight, --device-read-bps, --device-write-bps, --device-read-iops, --device-write-iops, --blkio-weight-device ``` Related to https://github.com/containers/podman/discussions/10152 Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
* pkg/specgen: Add stubs for non-linux buildsDoug Rabson2022-08-15
| | | | | | | | | | This introduces a local type rlimT which is used to convert runtime-spec POSIXRlimit to platform-specific Rlimit structures - on FreeBSD rlimit members are signed integers. [NO NEW TESTS NEEDED] Signed-off-by: Doug Rabson <dfr@rabson.org>
* kube play: sd-notify integrationValentin Rothberg2022-08-10
| | | | | | | | | | | | | | | | | Integrate sd-notify policies into `kube play`. The policies can be configured for all contianers via the `io.containers.sdnotify` annotation or for indidivual containers via the `io.containers.sdnotify/$name` annotation. The `kube play` process will wait for all containers to be ready by waiting for the individual `READY=1` messages which are received via the `pkg/systemd/notifyproxy` proxy mechanism. Also update the simple "container" sd-notify test as it did not fully test the expected behavior which became obvious when adding the new tests. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* libpod: allow the notify socket to be passed programaticallyValentin Rothberg2022-08-10
| | | | | | | | | The notify socket can now either be specified via an environment variable or programatically (where the env is ignored). The notify mode and the socket are now also displayed in `container inspect` which comes in handy for debugging and allows for propper testing. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* Merge pull request #14926 from cdoern/generateSpecOpenShift Merge Robot2022-08-10
|\ | | | | podman generate spec
| * podman generate specCharlie Doern2022-08-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | implement a new command `podman generate spec` which can formulate a json specgen to be consumed by both the pod and container creation API. supported flags are --verbose (default true) print output to the terminal --compact print the json output in a single line format to be piped to the API --filename put the output in a file --clone rename the pod/ctr in the spec so it won't conflict w/ an existing entity Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | specgen: use sandbox id instead of name for annotationGiuseppe Scrivano2022-08-08
|/ | | | | | | | | | | use the sandbox id instead of the name for the io.kubernetes.cri-o.SandboxID annotation used by gVisor. Closes: https://github.com/containers/podman/issues/15223 [NO NEW TESTS NEEDED] it is specific to gVisor Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #15035 from cdoern/cgroupOpenShift Merge Robot2022-07-23
|\ | | | | fix container create/run throttle devices
| * fix container create/run throttle devicesCharlie Doern2022-07-22
| | | | | | | | | | | | pod resource limits introduced a regression where `FinishThrottleDevices` was not called for create/run Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | Merge pull request #14567 from cdoern/secretsOpenShift Merge Robot2022-07-22
|\ \ | |/ |/| Implement kubernetes secret handling for podman play kube
| * kube secret handling for podman play kubecdoern2022-07-20
| | | | | | | | | | | | | | | | | | | | | | add support for both creating a secret using yaml and mounting a secret as a volume given a yaml file. Kubernetes secrets have a different structure than podman and therefore have to be handeled differently. In this PR, I have introduced the basic usecases of kube secrets with more implementations like env secrets to come! resolves #12396 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | resource limits for podsCharlie Doern2022-07-21
|/ | | | | | | | | | | | | | | | | | added the following flags and handling for podman pod create --memory-swap --cpuset-mems --device-read-bps --device-write-bps --blkio-weight --blkio-weight-device --cpu-shares given the new backend for systemd in c/common, all of these can now be exposed to pod create. most of the heavy lifting (nearly all) is done within c/common. However, some rewiring needed to be done here as well! Signed-off-by: Charlie Doern <cdoern@redhat.com>
* pkg: switch to golang native error wrappingSascha Grunert2022-07-08
| | | | | | | | | We now use the golang error wrapping format specifier `%w` instead of the deprecated github.com/pkg/errors package. [NO NEW TESTS NEEDED] Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
* Merge pull request #14501 from cdoern/podUTSopenshift-ci[bot]2022-07-06
|\ | | | | podman pod create --uts support
| * podman pod create --uts supportcdoern2022-07-05
| | | | | | | | | | | | | | | | | | | | | | | | add support for the --uts flag in pod create, allowing users to avoid issues with default values in containers.conf. uts follows the same format as other namespace flags: --uts=private (default), --uts=host, --uts=ns:PATH resolves #13714 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* | Merge pull request #14626 from jakecorrenti/disable-docker-compose-health-checkopenshift-ci[bot]2022-07-05
|\ \ | |/ |/| Docker-compose disable healthcheck properly handled
| * Docker-compose disable healthcheck properly handledJake Correnti2022-07-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, if a container had healthchecks disabled in the docker-compose.yml file and the user did a `podman inspect <container>`, they would have an incorrect output: ``` "Healthcheck":{ "Test":[ "CMD-SHELL", "NONE" ], "Interval":30000000000, "Timeout":30000000000, "Retries":3 } ``` After a quick change, the correct output is now the result: ``` "Healthcheck":{ "Test":[ "NONE" ] } ``` Additionally, I extracted the hard-coded strings that were used for comparisons into constants in `libpod/define` to prevent a similar issue from recurring. Closes: #14493 Signed-off-by: Jake Correnti <jcorrenti13@gmail.com>
* | Merge pull request #14823 from Luap99/debian-unit-testsopenshift-ci[bot]2022-07-05
|\ \ | |/ |/| envVarValueResourceFieldRef: use int64 for value
| * TestEnvVarValue: fix assertionPaul Holzinger2022-07-04
| | | | | | | | | | | | | | | | | | assert.Equal() already follows to pointer and compares by value so we can just directly pass the values. This will make errors much more obvious. Also remove the fmt.Println() since the error now contains the values. Signed-off-by: Paul Holzinger <pholzing@redhat.com>
| * envVarValueResourceFieldRef: use int64 for valuePaul Holzinger2022-07-04
| | | | | | | | | | | | | | | | | | | | int can be 32 or 64 bit depending on the architecture. The total memory is int64 so we have to use int64 for the value as well otherwise we get an overflow on 32 bit systems. Fixes #14819 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* | specgen,run: support running container from valid manifest listAditya R2022-07-05
|/ | | | | | | | | | | | | | | | | | | | | Following PR adds support for running containers from a manifest list present on localstorage. Before this PR podman only supports running containers from valid images but not from manifest list. So `podman run -it --platform <some> <manifest-list> command` should become functional now and users should be able to resolve images on the bases of provided `--platform` string. Example ``` podman manifest create test podman build --platform linux/amd64,linux/arm64 --manifest test . podman run --rm --platform linux/arm64/v8 test uname -a ``` Closes: https://github.com/containers/podman/issues/14773 Signed-off-by: Aditya R <arajan@redhat.com>
* podman cgroup enhancementcdoern2022-06-24
| | | | | | | | | | | currently, setting any sort of resource limit in a pod does nothing. With the newly refactored creation process in c/common, podman ca now set resources at a pod level meaning that resource related flags can now be exposed to podman pod create. cgroupfs and systemd are both supported with varying completion. cgroupfs is a much simpler process and one that is virtually complete for all resource types, the flags now just need to be added. systemd on the other hand has to be handeled via the dbus api meaning that the limits need to be passed as recognized properties to systemd. The properties added so far are the ones that podman pod create supports as well as `cpuset-mems` as this will be the next flag I work on. Signed-off-by: Charlie Doern <cdoern@redhat.com>
* podman pod create --shm-sizecdoern2022-06-20
| | | | | | | | | expose the --shm-size flag to podman pod create and add proper handling and inheritance for the option. resolves #14609 Signed-off-by: Charlie Doern <cdoern@redhat.com>
* Merge pull request #14299 from cdoern/podCloneopenshift-ci[bot]2022-06-16
|\ | | | | implement podman pod clone
| * podman pod clonecdoern2022-06-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | implement podman pod clone, a command to create an exact copy of a pod while changing certain config elements current supported flags are: --name change the pod name --destroy remove the original pod --start run the new pod on creation and all infra-container related flags from podman pod create (namespaces etc) resolves #12843 Signed-off-by: cdoern <cdoern@redhat.com>
* | golangci-lint: enable nolintlintPaul Holzinger2022-06-14
|/ | | | | | | | | | The nolintlint linter does not deny the use of `//nolint` Instead it allows us to enforce a common nolint style: - force that a linter name must be specified - do not add a space between `//` and `nolint` - make sure nolint is only used when there is actually a problem Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #14480 from cdoern/infraOpenShift Merge Robot2022-06-09
|\ | | | | patch for pod host networking & other host namespace handling
| * patch for pod host networking & other host namespace handlingcdoern2022-06-09
| | | | | | | | | | | | | | | | | | this patch included additonal host namespace checks when creating a ctr as well as fixing of the tests to check /proc/self/ns/net see #14461 Signed-off-by: cdoern <cdoern@redhat.com>
* | Merge pull request #14483 from ↵OpenShift Merge Robot2022-06-07
|\ \ | | | | | | | | | | | | jakecorrenti/restart-privelaged-containers-after-host-device-change Privileged containers can now restart if the host devices change
| * | Privileged containers can now restart if the host devices changeJake Correnti2022-06-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If a privileged container is running, stops, and the devices on the host change, such as a USB device is unplugged, then a container would no longer start. Previously, the devices from the host were only being added to the container once: when the container was created. Now, this happens every time the container starts. I did this by adding a boolean to the container config that indicates whether to mount all of the devices or not, which can be set via an option. During spec generation, if the `MountAllDevices` option is set in the container config, all host devices are added to the container. Additionally, a couple of functions from `pkg/specgen/generate/config_linux.go` were moved into `pkg/util/utils_linux.go` as they were needed in multiple packages. Closes #13899 Signed-off-by: Jake Correnti <jcorrenti13@gmail.com>
* | | Infra Inheritance patchcdoern2022-06-07
| |/ |/| | | | | | | | | | | | | | | infra was overriding options that it should be appending rather than resetting. fix this by appending the given container's spec to the compatible options before marshaling/unmarshaling resolves #14454 Signed-off-by: cdoern <cdoern@redhat.com>
* | fix pod network handling with a host networkcdoern2022-06-02
| | | | | | | | | | | | | | | | | | | | | | | | | | the function `GetDefaultNamespaceMode` for pods checks if we are sharing each namespace and if not, returns the default which in the case of a network is slirp. add a switch case for explicitly checking if the pod's network mode is host and if so, return specgen.Host for the container resolves #13763 Signed-off-by: cdoern <cbdoer23@g.holycross.edu> Signed-off-by: cdoern <cdoern@redhat.com>
* | pkg/specgen: parse default network mode on serverPaul Holzinger2022-06-01
|/ | | | | | | | | | | | | | | | | | | | | When podman-remote is used we should not resolve the default network mode on the client. Defaults should be set on the server. In this case this is important because we have different defaults for root/rootless. So when the client is rootless and the server is root we must pick the root default. Note that this already worked when --network was set since we did not parsed the flag in this case. To reproduce you need --network=default. Also removed a unused function. [NO NEW TESTS NEEDED] I tested it manually but I am not sure how I can hook a test like this up in CI. The client would need to run as rootless and the server as root or the other way around. Fixes #14368 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Merge pull request #14308 from n1hility/root-cgroupOpenShift Merge Robot2022-05-25
|\ | | | | Support running podman under a root v2 cgroup