summaryrefslogtreecommitdiff
path: root/pkg/specgen
Commit message (Collapse)AuthorAge
* run/create: record raw imageValentin Rothberg2020-09-15
| | | | | | | | | | | | | | | | | | | | | | Record the user-specified "raw" image name in the SpecGenerator, so we can pass it along to the config when creating a container. We need a separate field as the image name in the generator may be set to the ID of the previously pulled image - ultimately the cause of #7404. Reverting the image name from the ID to the user input would not work since "alpine" for pulling iterates over the search registries in the registries.conf but looking up "alpine" normalizes to "localhost/alpine". Recording the raw-image name directly in the generator was the best of the options I considered as no hidden magic from search registries or normalizations (that may or may not change in the future) can interfere. The auto-update backend enforces that the raw-image name is a fully-qualified reference, so we need to worry about that in the front end. Fixes: #7407 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Fix up errors found by codespellDaniel J Walsh2020-09-11
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Make oom-score-adj actually workDaniel J Walsh2020-09-09
| | | | | | | | | | | During the redesign of podman 2.0, we dropped the support for --oom-score-adj. Test for this flag was bogus and thus passing when it was broken. Basically just need to set the value in the spec. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1877187 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix unconfined AppArmor profile usage for unsupported systemsSascha Grunert2020-09-07
| | | | | | | | If we select "unconfined" as AppArmor profile, then we should not error even if the host does not support it at all. This behavior has been fixed and a corresponding e2e test has been added as well. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Merge pull request #7355 from rhatdan/envOpenShift Merge Robot2020-08-28
|\ | | | | Use environment from containers.conf
| * Use environment from containers.confDaniel J Walsh2020-08-28
| | | | | | | | | | | | | | | | | | | | podman needs to use the environment settings in containers.conf when setting up the containers. Also host environment variables should be relative to server side not the client. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #7427 from mheon/update_error_messagesOpenShift Merge Robot2020-08-28
|\ \ | |/ |/| Fix up some error messages
| * Fix up some error messagesMatthew Heon2020-08-27
| | | | | | | | | | | | | | | | | | We have a lot of 'cannot stat %s' errors in our codebase. These are terrible and confusing and utterly useless without context. Add some context to a few of them so we actually know what part of the code is failing. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Switch to containers/common for seccompSascha Grunert2020-08-27
|/ | | | | | | The seccomp/containers-golang library is not maintained any more and we should stick to containers/common. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Merge pull request #7372 from giuseppe/add-unified-configurationOpenShift Merge Robot2020-08-24
|\ | | | | podman: add option --cgroup-conf
| * podman: add option --cgroup-confGiuseppe Scrivano2020-08-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | it allows to manually tweak the configuration for cgroup v2. we will expose some of the options in future as single options (e.g. the new memory knobs), but for now add the more generic --cgroup-conf mechanism for maximum control on the cgroup configuration. OCI specs change: https://github.com/opencontainers/runtime-spec/pull/1040 Requires: https://github.com/containers/crun/pull/459 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #7274 from rhatdan/capsOpenShift Merge Robot2020-08-23
|\ \ | |/ |/| In podman 1.* regression on --cap-add
| * In podman 1.* regression on --cap-addDaniel J Walsh2020-08-21
| | | | | | | | | | | | | | | | | | | | | | | | In podman 1.0 if you executed a command like: podman run --user dwalsh --cap-add net_bind_service alpine nc -l 80 It would work, and the user dwalsh would get the capability, in podman 2.0, only root and the binding set gets the capability. This change restores us back to the way podman 1.0 worked. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | error when adding container to pod with network informationBrent Baude2020-08-21
|/ | | | | | | | | | | | because a pod's network information is dictated by the infra container at creation, a container cannot be created with network attributes. this has been difficult for users to understand. we now return an error when a container is being created inside a pod and passes any of the following attributes: * static IP (v4 and v6) * static mac * ports -p (i.e. -p 8080:80) * exposed ports (i.e. 222-225) * publish ports from image -P Signed-off-by: Brent Baude <bbaude@redhat.com>
* fix podman create/run UTS NS docsPaul Holzinger2020-08-18
| | | | | | | | Add better error message when using `--pod` and `--hostname`. Improve the docs to better explain the uts hostname relation. Add more valid options for the `--uts` flag. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Merge pull request #7283 from mheon/pod_infra_has_exit_cmdOpenShift Merge Robot2020-08-17
|\ | | | | Ensure pod infra containers have an exit command
| * Ensure pod infra containers have an exit commandMatthew Heon2020-08-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Most Libpod containers are made via `pkg/specgen/generate` which includes code to generate an appropriate exit command which will handle unmounting the container's storage, cleaning up the container's network, etc. There is one notable exception: pod infra containers, which are made entirely within Libpod and do not touch pkg/specgen. As such, no cleanup process, network never cleaned up, bad things can happen. There is good news, though - it's not that difficult to add this, and it's done in this PR. Generally speaking, we don't allow passing options directly to the infra container at create time, but we do (optionally) proxy a pre-approved set of options into it when we create it. Add ExitCommand to these options, and set it at time of pod creation using the same code we use to generate exit commands for normal containers. Fixes #7103 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | run, create: add new security-opt proc-optsGiuseppe Scrivano2020-08-12
| | | | | | | | | | | | | | it allows to customize the options passed down to the OCI runtime for setting up the /proc mount. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #7288 from tiran/systemd_local_initOpenShift Merge Robot2020-08-11
|\ \ | |/ |/| Enable systemd mode for /usr/local/sbin/init
| * Use set for systemd commandsChristian Heimes2020-08-11
| | | | | | | | Signed-off-by: Christian Heimes <cheimes@redhat.com>
| * Enable systemd mode for /usr/local/sbin/initChristian Heimes2020-08-11
| | | | | | | | | | | | | | | | | | | | Podman 1.6.2 changed systemd mode auto-detection from commands ending in ``init`` to hard-coded paths ``/sbin/init`` and ``/usr/sbin/init``. This broke FreeIPA container. ``podman run`` and ``podman create`` now activate systemd mode when the command is ``/usr/local/sbin/init``. Fixes: https://github.com/containers/podman/issues/7287 Signed-off-by: Christian Heimes <cheimes@redhat.com>
* | Merge pull request #7269 from openSUSE/seccompOpenShift Merge Robot2020-08-11
|\ \ | | | | | | Allow specifying seccomp profiles for privileged containers
| * | Allow specifying seccomp profiles for privileged containersSascha Grunert2020-08-11
| | | | | | | | | | | | | | | | | | | | | To sync the behavior between AppArmor and seccomp it is now possible to also specify seccomp profiles for privileged containers. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* | | Merge pull request #7239 from rhatdan/workingOpenShift Merge Robot2020-08-11
|\ \ \ | |_|/ |/| | Fix handling of working dir
| * | Fix handling of working dirDaniel J Walsh2020-08-10
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Buildah and podman build can create images without a working dir. FROM fedora WORKDIR /test If you build this image with caching twice, the second time the image will not have a working dir. Similarly if you execute podman run --workdir /foobar fedora It blows up since the workingdir is not created automatically. Finally there was duplicated code for getting the workingdir out of an image, that this PR removes. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / Do not use image CMD if user gave ENTRYPOINTMatthew Heon2020-08-10
|/ | | | | | | | | | | | | | | | This matches Docker behavior, and seems to make sense - the CMD may have been specific to the original entrypoint and probably does not make sense if it was changed. While we're in here, greatly simplify the logic for populating the SpecGen's Command. We create the full command when making the OCI spec, so the client should not be doing any more than setting it to the Command the user passed in, and completely ignoring ENTRYPOINT. Fixes #7115 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Merge pull request #7176 from mheon/make_entrypointOpenShift Merge Robot2020-08-05
|\ | | | | Ensure WORKDIR from images is created
| * Ensure WORKDIR from images is createdMatthew Heon2020-08-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | A recent crun change stopped the creation of the container's working directory if it does not exist. This is arguably correct for user-specified directories, to protect against typos; it is definitely not correct for image WORKDIR, where the image author definitely intended for the directory to be used. This makes Podman create the working directory and chown it to container root, if it does not already exist, and only if it was specified by an image, not the user. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | fix pod creation with "new:" syntaxPaul Holzinger2020-07-31
|/ | | | | | | | | | | When you execute podman create/run with the --pod new:<name> syntax the pod was created but the namespaces where not shared and therefore containers could not communicate over localhost. Add the default namespaces and pass the network options to the pod create options. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Binding the same container port to >1 host port is OKMatthew Heon2020-07-29
| | | | | | | | | | | The initial version of the new port code mistakenly restricted this, so un-restrict it. We still need to maintain the map of container ports, unfortunately (need to verify if the port in question is a duplicate, for example). Fixes #7062 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Switch all references to github.com/containers/libpod -> podmanDaniel J Walsh2020-07-28
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Support default profile for apparmorDaniel J Walsh2020-07-22
| | | | | | | | | | | | | | Currently you can not apply an ApparmorProfile if you specify --privileged. This patch will allow both to be specified simultaniosly. By default Apparmor should be disabled if the user specifies --privileged, but if the user specifies --security apparmor:PROFILE, with --privileged, we should do both. Added e2e run_apparmor_test.go Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add --umask flag for create, runAshley Cui2020-07-21
| | | | | | | | --umask sets the umask inside the container Defaults to 0022 Co-authored-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Ashley Cui <acui@redhat.com>
* Add support for overlay volume mounts in podman.Qi Wang2020-07-20
| | | | | | | | Add support -v for overlay volume mounts in podman. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Qi Wang <qiwan@redhat.com>
* abi: set default umask and rlimitsGiuseppe Scrivano2020-07-17
| | | | | | | | the code got lost in the migration to podman 2.0, reintroduce it. Closes: https://github.com/containers/podman/issues/6989 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #6965 from giuseppe/followup-pr6324OpenShift Merge Robot2020-07-17
|\ | | | | allow switching of port-forward approaches in rootless/using slirp4netns
| * libpod: pass down network optionsGiuseppe Scrivano2020-07-16
| | | | | | | | | | | | do not pass network specific options through the network namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * allow switching of port-forward approaches in rootless/using slirp4netnsaleks-mariusz2020-07-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As of podman 1.8.0, because of commit da7595a, the default approach of providing port-forwarding in rootless mode has switched (and been hard-coded) to rootlessport, for the purpose of providing super performance. The side-effect of this switch is source within the container to the port-forwarded service always appears to originate from 127.0.0.1 (see issue #5138). This commit allows a user to specify if they want to revert to the previous approach of leveraging slirp4netns add_hostfwd() api which, although not as stellar performance, restores usefulness of seeing incoming traffic origin IP addresses. The change should be transparent; when not specified, rootlessport will continue to be used, however if specifying --net slirp4netns:slirplisten the old approach will be used. Note: the above may imply the restored port-forwarding via slirp4netns is not as performant as the new rootlessport approach, however the figures shared in the original commit that introduced rootlessport are as follows: slirp4netns: 8.3 Gbps, RootlessKit: 27.3 Gbps, which are more than sufficient for many use cases where the origin of traffic is more important than limits that cannot be reached due to bottlenecks elsewhere. Signed-off-by: Aleks Mariusz <m.k@alek.cx> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Error on rootless mac and ip addressesBrent Baude2020-07-15
| | | | | | | | | | | | | | | | When creating a pod or container where a static MAC or IP address is provided, we should return a proper error and exit as 125. Fixes: #6972 Signed-off-by: Brent Baude <bbaude@redhat.com>
* | Fix "Error: unrecognized protocol \"TCP\" in port mapping"Akihiro Suda2020-07-15
|/ | | | | | | | "TCP" in upper characters was not recognized as a valid protocol name. Fix #6948 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* Merge pull request #6957 from rhatdan/sysdevOpenShift Merge Robot2020-07-14
|\ | | | | Mask out /sys/dev to prevent information leak from the host
| * Mask out /sys/dev to prevent information leak from the hostDaniel J Walsh2020-07-14
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #6939 from rhatdan/entrypointOpenShift Merge Robot2020-07-14
|\ \ | | | | | | Fix handling of entrypoint
| * | Fix handling of entrypointDaniel J Walsh2020-07-14
| |/ | | | | | | | | | | | | If a user specifies an entrypoint of "" then we should not use the images entrypoint. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / When determining systemd mode, use full commandMatthew Heon2020-07-14
|/ | | | | | | | | | | | | | We were only using the Command field in specgen when determining whether to enable systemd if systemd=true (the default) was used. This does not include the entrypoint, and does not include any entrypoint/command sourced from the image - so an image could be running systemd and we'd not correctly detect this. Using the full, final command resolves this and matches Podman v1.9.x behavior. Fixes #6920 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #6842 from rhatdan/pids-limitOpenShift Merge Robot2020-07-13
|\ | | | | Pids-limit should only be set if the user set it
| * Pids-limit should only be set if the user set itDaniel J Walsh2020-07-10
| | | | | | | | | | | | | | | | | | | | Currently we are sending over pids-limits from the user even if they never modified the defaults. The pids limit should be set at the server side unless modified by the user. This issue has led to failures on systems that were running with cgroups V1. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Fix container and pod create commands for remote createMatthew Heon2020-07-10
|/ | | | | | | | | | | | | | | | | | | | | | | In `podman inspect` output for containers and pods, we include the command that was used to create the container. This is also used by `podman generate systemd --new` to generate unit files. With remote podman, the generated create commands were incorrect since we sourced directly from os.Args on the server side, which was guaranteed to be `podman system service` (or some variant thereof). The solution is to pass the command along in the Specgen or PodSpecgen, where we can source it from the client's os.Args. This will still be VERY iffy for mixed local/remote use (doing a `podman --remote run ...` on a remote client then a `podman generate systemd --new` on the server on the same container will not work, because the `--remote` flag will slip in) but at the very least the output of `podman inspect` will be correct. We can look into properly handling `--remote` (parsing it out would be a little iffy) in a future PR. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Remove dependency on github.com/opencontainers/libpod/configsDaniel J Walsh2020-07-09
| | | | | | | | | We are using these dependencies just to get the device from path. These dependencies no longer build on Windows, so simply cloning the deviceFromPath function, we can eliminate the need for this vendoring. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add username to /etc/passwd inside of container if --userns keep-idDaniel J Walsh2020-07-07
| | | | | | | | | | If I enter a continer with --userns keep-id, my UID will be present inside of the container, but most likely my user will not be defined. This patch will take information about the user and stick it into the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>