summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* utils: avoid too long tmp directoryGiuseppe Scrivano2019-03-16
| | | | | | or we will easily pass the 108 chars limits for unix paths. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: use Geteuid instead of GetuidGiuseppe Scrivano2019-03-15
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: use /tmp/libpod-rundir-$EUID for fallbackGiuseppe Scrivano2019-03-15
| | | | | | | | | | | | when the fallback is in place, the first user creating /tmp/user/$EUID prevents other users for creating other directories since /tmp/user is created with mode 0700. Since there is no way for an unprivileged user to initialize the /tmp/user directory correctly (we would need it to be owned by root with the sticky bit set), let's just use /tmp/libpod-rundir-$EUID. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2622 from baude/protectdarwinOpenShift Merge Robot2019-03-13
|\ | | | | Add gating tasks
| * Add gating tasksbaude2019-03-13
| | | | | | | | | | | | | | | | | | | | | | to protect against regressions, we need to add a few gating tasks: * build with varlink * build podman-remote * build podman-remote-darwin we already have a gating task for building without varlink Signed-off-by: baude <bbaude@redhat.com>
* | Vendor docker/docker, fsouza and more #2TomSweeneyRedHat2019-03-13
|/ | | | | | | | | | | | Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com> Vendors in fsouza/docker-client, docker/docker and a few more related. Of particular note, changes to the TweakCapabilities() function from docker/docker along with the parse.IDMappingOptions() function from Buildah. Please pay particular attention to the related changes in the call from libpod to those functions during the review. Passes baseline tests.
* Update vendor of Buildah and imagebuilderDaniel J Walsh2019-03-13
| | | | | | Fixes the testing issues we are hitting. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #2562 from baude/healtcheckphase2OpenShift Merge Robot2019-03-12
|\ | | | | healthcheck phase 2
| * healtcheck phase 2baude2019-03-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | integration of healthcheck into create and run as well as inspect. healthcheck enhancements are as follows: * add the following options to create|run so that non-docker images can define healthchecks at the container level. * --healthcheck-command * --healthcheck-retries * --healthcheck-interval * --healthcheck-start-period * podman create|run --healthcheck-command=none disables healthcheck as described by an image. * the healthcheck itself and the healthcheck "history" can now be observed in podman inspect * added the wiring for healthcheck history which logs the health history of the container, the current failed streak attempts, and log entries for the last five attempts which themselves have start and stop times, result, and a 500 character truncated (if needed) log of stderr/stdout. The timings themselves are not implemented in this PR but will be in future enablement (i.e. next). Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #2527 from baude/eventsOpenShift Merge Robot2019-03-11
|\ \ | | | | | | Add event logging to libpod, even display to podman
| * | Add event logging to libpod, even display to podmanbaude2019-03-11
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In lipod, we now log major events that occurr. These events can be displayed using the `podman events` command. Each event contains: * Type (container, image, volume, pod...) * Status (create, rm, stop, kill, ....) * Timestamp in RFC3339Nano format * Name (if applicable) * Image (if applicable) The format of the event and the varlink endpoint are to not be considered stable until cockpit has done its enablement. Signed-off-by: baude <bbaude@redhat.com>
* / Fix SELinux on host shared systems in usernsDaniel J Walsh2019-03-11
|/ | | | | | | | | | | | | Currently if you turn on --net=host on a rootless container and have selinux-policy installed in the image, tools running with SELinux will see that the system is SELinux enabled in rootless mode. This patch mounts a tmpfs over /sys/fs/selinux blocking this behaviour. This patch also fixes the fact that if you shared --pid=host we were not masking over certin /proc paths. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #2583 from giuseppe/rootless-fix-pod-rmOpenShift Merge Robot2019-03-11
|\ | | | | rootless: fix stop and rm when the container is running with uid != 0
| * rootless: fix pod stop|rm if uid in the container != 0Giuseppe Scrivano2019-03-11
| | | | | | | | | | | | | | | | | | | | join the user namespace where the pod is running, so that we can both manage the storage and correctly send the kill signal to a process which is not running as root in the namespace. Closes: https://github.com/containers/libpod/issues/2577 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * rootless: support a custom arg to the new processGiuseppe Scrivano2019-03-11
| | | | | | | | | | | | | | | | | | let the process running as euid != 0 pass down an argument to the process running in the user namespace. This will be useful for commands like rm -a that needs to join different namespaces, so that we can re-exec separately for each of them. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #2597 from jwhonce/issue/2016OpenShift Merge Robot2019-03-11
|\ \ | | | | | | Initialize field in InfoHost struct
| * | Initialize field in InfoHost structJhon Honce2019-03-11
| |/ | | | | | | | | | | Fixes #2016 Signed-off-by: Jhon Honce <jhonce@redhat.com>
* / rootless: allow single mappingsGiuseppe Scrivano2019-03-11
|/ | | | | | | | | | | | | | | | | | | | | | we were playing safe and not allowed any container to have less than 65536 mappings. There are a couple of reasons to change it: - it blocked libpod to work in an environment where newuidmap/newgidmap are not available, or not configured. - not allowed to use different partitions of subuids, where each user has less than 65536 ids available. Hopefully this change in containers/storage: https://github.com/containers/storage/pull/303 will make error clearers if there are not enough IDs for the image that is being used. Closes: https://github.com/containers/libpod/issues/1651 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Move secrets package to buildahDaniel J Walsh2019-03-08
| | | | | | | | Trying to remove circular dependencies between libpod and buildah. First step to move pkg content from libpod to buildah. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless: propagate errors from infoGiuseppe Scrivano2019-03-08
| | | | | | | | | we use "podman info" to reconfigure the runtime after a reboot, but we don't propagate the error message back if something goes wrong. Closes: https://github.com/containers/libpod/issues/2584 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #2534 from jwhonce/wip/remote_waitOpenShift Merge Robot2019-03-06
|\ | | | | Implement podman-remote wait command and container subcommand
| * Implement podman-remote wait command and container subcommandJhon Honce2019-03-06
| | | | | | | | Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | Merge pull request #2442 from baude/remotepodtopOpenShift Merge Robot2019-03-06
|\ \ | | | | | | podman-remote pod top|stats
| * | podman-remote pod top|statsbaude2019-03-06
| | | | | | | | | | | | | | | | | | | | | this is the final enablement for the pod subcommand. it includes the ability to run podman-remote pod top and stats. Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #2412 from QiWang19/iss2380OpenShift Merge Robot2019-03-06
|\ \ \ | |_|/ |/| | Enable specifying directory as device on container with --device
| * | fix bug --device enable specifying directory as deviceQi Wang2019-03-06
| |/ | | | | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* | Merge pull request #2491 from baude/healtcheckphase1OpenShift Merge Robot2019-03-06
|\ \ | |/ |/| podman healthcheck run (phase 1)
| * podman healthcheck run (phase 1)baude2019-03-05
| | | | | | | | | | | | | | | | | | Add the ability to manually run a container's healthcheck command. This is only the first phase of implementing the healthcheck. Subsequent pull requests will deal with the exposing the results and history of healthchecks as well as the scheduling. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #2543 from giuseppe/fix-rootless-s390x-crisOpenShift Merge Robot2019-03-06
|\ \ | | | | | | rootless: fix clone syscall on s390 and cris archs
| * | rootless: fix clone syscall on s390 and cris archsGiuseppe Scrivano2019-03-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | from the clone man page: On the cris and s390 architectures, the order of the first two arguments is reversed: long clone(void *child_stack, unsigned long flags, int *ptid, int *ctid, unsigned long newtls); Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1672714 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #2519 from jwhonce/wip/remote_killOpenShift Merge Robot2019-03-05
|\ \ \ | |_|/ |/| | Support podman-remote kill container(s)
| * | Support podman-remote kill container(s)Jhon Honce2019-03-04
| | | | | | | | | | | | Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | Merge pull request #2426 from giuseppe/exec-preserve-fdsOpenShift Merge Robot2019-03-05
|\ \ \ | |_|/ |/| | exec: support --preserve-fds
| * | exec: support --preserve-fdsGiuseppe Scrivano2019-03-02
| | | | | | | | | | | | | | | | | | | | | | | | Allow to pass additional FDs to the process being executed. Closes: https://github.com/containers/libpod/issues/2372 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #2522 from mheon/fix_timestamp_format_logsOpenShift Merge Robot2019-03-04
|\ \ \ | | | | | | | | Change timestamp format for podman logs
| * | | Change timestamp format for podman logsMatthew Heon2019-03-04
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The Golang standard library implementation of RFC3339Nano will trim trailing 0s from the nanoseconds portion of timestamps. This is undesirable for lining everything up nicely during terminal output. As the Golang developers have not seen fit to give us a better way, use the one that was proposed on the issue tracker but rejected. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #2523 from jwhonce/bug/2521OpenShift Merge Robot2019-03-04
|\ \ \ | | | | | | | | Fix #2521
| * | | Fix #2521Jhon Honce2019-03-04
| | |/ | |/| | | | | | | | | | | | | * Bad merge against podman stop, restored overwritten code Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | Merge pull request #2513 from mheon/log_timestamps_newlineOpenShift Merge Robot2019-03-04
|\ \ \ | |/ / |/| | Ensure that each log line is newline-terminated
| * | Add additional defense against 0-length log segfaultsMatthew Heon2019-03-03
| | | | | | | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | When logging with timestamps, append only until newlineMatthew Heon2019-03-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When we log time timestamps, don't print a new timestamp for each input - instead, print one at the start of every line, and then wait until we hit a newline to print a new timestamp. This still doesn't exactly mirror the Docker behavior (they don't print until they receive an entire line, while we print any time the logs file is appended to - so you can see partial lines being typed in our system). Also, timestamps are recorded as the start of a line being typed, as opposed to when the enter key is pressed (on Docker). (Worth noting that, while characters are printed as they are typed, logs does respect the backspace key - so you'll also see them disappear as the person typing realizes they've made a mistake and retypes their command). This is the closest we can get to Docker without major surgery on the Kubernetes log-printing library, so I'm content to call this an adequate solution. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | Ensure that each log line is newline-terminatedMatthew Heon2019-03-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | When writing logs with timestamps to the terminal, ensure that each line is newline-terminated, so we don't end up with an unreadable mess with timestamps interspersed with the actual content being displayed. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Support podman-remote stop container(s)Jhon Honce2019-03-02
| |/ |/| | | | | | | | | | | | | | | | | * Clean up adapter code * Add GetContainersByContext to Varlink API * Add missing comments * Restore save command * Restore error type mapping when using varlink Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | rootless, new[ug]idmap: on failure add outputGiuseppe Scrivano2019-02-28
|/ | | | | | | if any of the mapping tools for setting up the user namespace fail, then include their output in the error message. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* secrets: fix fips-mode with user namespacesGiuseppe Scrivano2019-02-27
| | | | | | | | | | When using a user namespace, we create the mount point under `mountPrefix` so that the uid != 0 can access that directory. Change the addFIPSModeSecret code to honor that, and also ensure we are creating the directories with the right ownership. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Fix build for non-Varlink-tagged PodmanMatthew Heon2019-02-27
| | | | | | Fixes #2459 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Centralize setting default volume pathMatthew Heon2019-02-26
| | | | | | | | No reason to do it in util/ anymore. It's always going to be a subdirectory of c/storage graph root by default, so we can just set it after the return. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Ensure volume path is set appropriately by defaultMatthew Heon2019-02-26
| | | | | | | | There are some cases where we might not be properly adjusting the volume path after setting the storage graph root. Ensure that we always set volume path to be a child of graph root. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* volume: do not create a volume if there is a bindGiuseppe Scrivano2019-02-26
| | | | | | | | | | | if there is already a bind mount specified for the target, do not create a new volume. Regression introduced by 52df1fa7e054d577e8416d1d46db1741ad324d4a Closes: https://github.com/containers/libpod/issues/2441 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* podman-remote pod pause|unpause|restartbaude2019-02-25
| | | | | | | enable the ability for the remote client to pause, unpause, and restart pods. Signed-off-by: baude <bbaude@redhat.com>