aboutsummaryrefslogtreecommitdiff
path: root/pkg/util
Commit message (Collapse)AuthorAge
* podman: drop checking valid rootless UIDGiuseppe Scrivano2020-12-11
| | | | | | | | | | | | | | | do not check whether the specified ID is valid in the user namespace. crun handles this case[1], so the check in Podman prevents to get to the OCI runtime at all. $ podman run --user 10:0 --uidmap 0:0:1 --rm -ti fedora:33 sh -c 'id; cat /proc/self/uid_map' uid=10(10) gid=0(root) groups=0(root),65534(nobody) 10 0 1 [1] https://github.com/containers/crun/pull/556 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Support Unix timestamps for `podman logs --since`Chih-Hsuan Yen2020-12-04
| | | | | | To match what podman-logs(1) describes --since Signed-off-by: Chih-Hsuan Yen <yan12125@gmail.com>
* Use Libpod tmpdir for pause pathMatthew Heon2020-12-02
| | | | | | | | | | | | | | | | | | | | | Previously, we always computed pause path from the Rootless runtime directory. Problem: this does not match the behavior of Libpod when the directory changes. Libpod will continue to use the previous directory, cached in the database; Pause pidfiles will swap to the new path. This is problematic when the directory needs to exist to write the pidfile, and Libpod is what creates the directory. There are two potential solutions - allow the pause pidfile to move and just make the directory when we want to write it, or use the cached Libpod paths for a guaranteed location. This patch does the second, because it seems safer - we will never miss a previously-existing pidfile because the location is now consistent. Fixes #8539 Signed-off-by: Matthew Heon <mheon@redhat.com>
* Align the podman ps --filter behavior with dockerPaul Holzinger2020-11-18
| | | | | | | | | | All of our filters worked exclusive resulting in `--filter status=created --filter status=exited` to return nothing. In docker filters with the same key work inclusive with the only exception being `label` which is exclusive. Filters with different keys always work exclusive. This PR aims to match the docker behavior with podman. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Use /tmp/podman-run-* for backup XDG_RUNTIME_DIRDaniel J Walsh2020-11-04
| | | | | | | We need to block systemd from cleaning up this directory by dropping a /usr/lib/tmpfiles.d/podman.conf file in place. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8166 from rhatdan/unbindableOpenShift Merge Robot2020-11-02
|\ | | | | Allow users to mount with unbindable flag
| * Add better support for unbindable volume mountsDaniel J Walsh2020-11-02
| | | | | | | | | | | | | | | | Allow users to specify unbindable on volume command line Switch internal mounts to rprivate to help prevent leaks. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Centralize cores and period/quota conversion codeJordan Christiansen2020-10-31
|/ | | | Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
* The cidfile should be created when the container is createdDaniel J Walsh2020-10-26
| | | | | | | | | | | Currently if you run an interactive session of podman run and specifiy the --cidfile option, the cidfile will not get created until the container finishes running. If you run a detached container, it will get created right away. This Patch creates the cidfile as soon as the container is created. This could allow other tools to use the cidefile on all running containers. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Convert Split() calls with an equal sign to SplitN()TomSweeneyRedHat2020-10-13
| | | | | | | | | | | | | | | | After seeing #7759, I decided to look at the calls in Podman and Buildah to see if we had issues with strings.Split() calls where an "=" (equals) sign was in play and we expected to split on only the first one. There were only one or two that I found in here that I think might have been troubling, the remainder are just adding some extra safety. I also had another half dozen or so that were checking length expectations appropriately, those I left alone. Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* Merge pull request #7929 from kolyshkin/nits-errOpenShift Merge Robot2020-10-06
|\ | | | | Nits
| * Remove excessive error wrappingKir Kolyshkin2020-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In case os.Open[File], os.Mkdir[All], ioutil.ReadFile and the like fails, the error message already contains the file name and the operation that fails, so there is no need to wrap the error with something like "open %s failed". While at it - replace a few places with os.Open, ioutil.ReadAll with ioutil.ReadFile. - replace errors.Wrapf with errors.Wrap for cases where there are no %-style arguments. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
* | Fix handling of CheckRootlessUIDRangeDaniel J Walsh2020-10-05
|/ | | | | | | If I have multiple ranges of UIDs specified in the /etc/subuid, this check blows up and incorrectly blocks the use of --user flag. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* pull types allow initial capsDaniel J Walsh2020-09-12
| | | | | | | | | | validate pulltype will allow initial caps form cli or yaml file passed to i play kube. Use code related with pullpolicy from containers/common. Signed-off-by: Qi Wang <qiwan@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fix up errors found by codespellDaniel J Walsh2020-09-11
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Don't create ~/.config after removing storage.confjjzmajic2020-09-02
| | | | | | | | Fixes #7509. There is no need to create a ~/.config directory now that ~/.config/containers/storage.conf is not created automatically. Podman has no use for it if it does not exist already. Signed-off-by: jjzmajic <uros.m.perisic@gmail.com>
* Switch all references to github.com/containers/libpod -> podmanDaniel J Walsh2020-07-28
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add support for overlay volume mounts in podman.Qi Wang2020-07-20
| | | | | | | | Add support -v for overlay volume mounts in podman. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Signed-off-by: Qi Wang <qiwan@redhat.com>
* Fix & add notes regarding problematic language in codebaseAshley Cui2020-07-15
| | | | | | | | Podman is committed to inclusivity, a core value of open source. Historically, there have been technology terms that are problematic and divisive, and should be changed. We are currently taking time to audit our repository in order to eliminate such terminology, and replace it with more inclusive terms. We are starting where we can, with our own code, comments, and documentation. However, such terms may be used in dependencies, and must be used in our repositories at the current moment for compatibility. Podman will change these terms in our repo as soon as new and better terminology is available to us via our dependencies. For more information: https://www.redhat.com/en/blog/making-open-source-more-inclusive-eradicating-problematic-language?sc_cid=701600000011gf0AAA Signed-off-by: Ashley Cui <acui@redhat.com>
* play-kube: add suport for "IfNotPresent" pull typeTristan Cacqueray2020-07-14
| | | | | | | | This change prevents this exception when loading a pod spec using the "IfNotPresent" pull policy: Error: invalid pull type "IfNotPresent" Signed-off-by: Tristan Cacqueray <tdecacqu@redhat.com>
* move go module to v2Valentin Rothberg2020-07-06
| | | | | | | | | | | | | | | With the advent of Podman 2.0.0 we crossed the magical barrier of go modules. While we were able to continue importing all packages inside of the project, the project could not be vendored anymore from the outside. Move the go module to new major version and change all imports to `github.com/containers/libpod/v2`. The renaming of the imports was done via `gomove` [1]. [1] https://github.com/KSubedi/gomove Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* utils: drop default mapping when running uid!=0Giuseppe Scrivano2020-06-24
| | | | | | | | | | this is a leftover from the first implementation of rootless. This code is never hit by podman rootless anymore as podman automatically creates a user namespace now. Fixes an issue with podman remote when used with uid != 0. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Turn on More lintersDaniel J Walsh2020-06-15
| | | | | | | | | - misspell - prealloc - unparam - nakedret Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* check --user range for rootless containersQi Wang2020-06-02
| | | | | | Check --user range if it's a uid for rootless containers. Returns error if it is out of the range. From https://github.com/containers/libpod/issues/6431#issuecomment-636124686 Signed-off-by: Qi Wang <qiwan@redhat.com>
* Turn off 'noexec' option by default for named volumesMatthew Heon2020-05-20
| | | | | | | | | We previously enforced this for security reasons, but as Dan has explained on several occasions, it's not very valuable there (it's trivially easy to bypass) and it does seriously annoy folks trying to use named volumes. Flip the default from 'on' to 'off'. Signed-off-by: Matthew Heon <mheon@redhat.com>
* Fix errors found in coverity scanDaniel J Walsh2020-05-01
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* podman: implement userns=keep-idGiuseppe Scrivano2020-04-24
| | | | | | | add missing implementation for userns=keep-id and enable the user namespaces tests. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Move selinux labeling support from pkg/util to pkg/selinuxDaniel J Walsh2020-04-22
| | | | | | | The goal here is to make the package less heavy and not overload the pkg/util. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Update podman to use containers.confDaniel J Walsh2020-04-20
| | | | | | | | Add more default options parsing Switch to using --time as opposed to --timeout to better match Docker. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #5690 from rhatdan/selinuxOpenShift Merge Robot2020-04-16
|\ | | | | Add support for selecting kvm and systemd labels
| * Add support for selecting kvm and systemd labelsDaniel J Walsh2020-04-15
| | | | | | | | | | | | | | | | | | | | | | | | In order to better support kata containers and systemd containers container-selinux has added new types. Podman should execute the container with an SELinux process label to match the container type. Traditional Container process : container_t KVM Container Process: containre_kvm_t PID 1 Init process: container_init_t Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | v2 bloat pruning phase 2Brent Baude2020-04-15
|/ | | | | | this is second phase of removing unneeded bloat in the remote client. this is important to be able to reduce the client size as well as possible native compilation for windows/mac. Signed-off-by: Brent Baude <bbaude@redhat.com>
* Add support for the global flags and config filesJhon Honce2020-04-14
| | | | | | | Note: This PR doesn't provide full rootless support that will be addressed in a future PR Signed-off-by: Jhon Honce <jhonce@redhat.com>
* userns: support --userns=autoGiuseppe Scrivano2020-04-06
| | | | | | | automatically pick an empty range and create an user namespace for the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* pkg/spec.InitFSMounts: optimizeKir Kolyshkin2020-04-02
| | | | | | | | | | Instead of getting mount options from /proc/self/mountinfo, which is very costly to read/parse (and can even be unreliable), let's use statfs(2) to figure out the flags we need. [v2: move getting default options to pkg/util, make it linux-specific] Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
* Add support for containers.confDaniel J Walsh2020-03-27
| | | | | | | vendor in c/common config pkg for containers.conf Signed-off-by: Qi Wang qiwan@redhat.com Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* podmanv2 add core container commandsBrent Baude2020-03-22
| | | | | | add core container commands for podmanv2: kill, pause, restart, rm, stop, unpause Signed-off-by: Brent Baude <bbaude@redhat.com>
* Only run TestGetImageConfigStopSignal on LinuxMiloslav Trmač2020-03-21
| | | | | | ... because the implementation requires Linux-only pkg/signal Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Allow users to set TMPDIR environmentDaniel J Walsh2020-03-06
| | | | | | | Some users have small /var/tmp directories and need to be able to specify a different location for temporary files, which includes more space. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* utils: relax check for directory to useGiuseppe Scrivano2020-02-24
| | | | | | | | | | when we use namespaces, we set the run directory to 0711 to allow other users to access it. without this relaxation, the /run/user/$UID directory would be skipped. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* add pkg/signalValentin Rothberg2020-02-14
| | | | | | | | | Add pkg/signal to deal with parts of signal processing and translating signals from string to numeric representations. The code has been copied from docker/docker (and attributed with the copyright) but been reduced to only what libpod needs (on Linux). Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* camelcase: fix lint reportsValentin Rothberg2020-01-25
| | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* fork fatih/camelcaseValentin Rothberg2020-01-25
| | | | | | | | | faith/camelcase has been archived and is no longer maintained. The package is sufficiently small and self-contained enough to maintain it in libpod. Fixes: #4783 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* make lint: enable gocriticValentin Rothberg2020-01-13
| | | | | | | `gocritic` is a powerful linter that helps in preventing certain kinds of errors as well as enforcing a coding style. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* libpod: fix --userns=keep-id with big UIDsGiuseppe Scrivano2020-01-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | when creating a keep-id namespace, we split the original user namespace in: inner ns | outer ns | size: 0 | 1 | ID ID | 0 | 1 ID+1 | ID+1 | availableIds - ID When the user ID is bigger than the number of available subuids/subgids we fail to create the user namespace because the first slice is bigger than the available number of IDs and the third one has a negative size. Fix it by not using more than the available number of IDs in the first slice and creating the third one only if there are other IDs left. When the user ID is bigger than the number of additional IDs, there will be a gap between the two mappings so the IDs between the maximum additional ID and the user ID won't be present inside of the namespace. Closes: https://github.com/containers/libpod/issues/4838 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* fix lint - pkg/util: func commentValentin Rothberg2020-01-08
| | | | Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* signal parsing - better input validationEd Santiago2019-12-26
| | | | | | | | | | | | | | | | | | | | | | The helper function we use for signal name mapping does not check for negative numbers nor invalid (too-high) ones. This can yield unexpected error messages: # podman kill -s -1 foo ERRO[0000] unknown signal "18446744073709551615" This PR introduces a small wrapper for it that: 1) Strips off a leading dash, allowing '-1' or '-HUP' as valid inputs; and 2) Rejects numbers <1 or >64 (SIGRTMAX) Also adds a test suite checking signal handling as well as ensuring that invalid signals are rejected by the command line. Fixes: #4746 Signed-off-by: Ed Santiago <santiago@redhat.com>
* Return empty runtime directory if we're not rootlessJonathan Dieter2019-12-07
| | | | | | | | | | | | | | | | | | | Currently, we return a runtime directory of the form `/run/user/<uid>`, even when running as root. Depending on configuration, that directory may be deleted when the user logs out, which is quite awkward when the container is started as a systemd service and then someone logs in and out as root. This patch fixes the problem by returning an empty runtime directory if the container is being started by root. The runtime should automatically use the default runtime directory (`/run/crun` when crun is used), which should be accessible to root. Tested in Fedora 31 by running containers under both root and a regular user. State for root containers is stored in `/run/crun`, while state for rootless containers is in `/run/user/<uid>/crun`. Signed-off-by: Jonathan Dieter <jdieter@gmail.com>
* Add ONBUILD support to --changeMatthew Heon2019-12-05
| | | | | | | | | | | Return types had to change a bit for this, but since we can wrap the old v1.ImageConfig, changes are overall not particularly bad. At present, I believe this only works with commit, not import. This matches how things were before we changed to the new parsing so I think this is fine. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Completely rework --change parsingMatthew Heon2019-12-04
| | | | | | | | | | | | The way we were trying to parse was very broken. I originally attempted to use Buildah's Dockerfile parser here, but dealing with it (and convincing it to accept only a limited subset, and only one instruction at a time) was challenging, so I rewrote a subset of Dockerfile parsing. This should handle most common cases well, though there are definitely unhandled edge cases for ENV and LABEL. Signed-off-by: Matthew Heon <matthew.heon@pm.me>