aboutsummaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Initial implementation of volume pluginsMatthew Heon2021-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This implements support for mounting and unmounting volumes backed by volume plugins. Support for actually retrieving plugins requires a pull request to land in containers.conf and then that to be vendored, and as such is not yet ready. Given this, this code is only compile tested. However, the code for everything past retrieving the plugin has been written - there is support for creating, removing, mounting, and unmounting volumes, which should allow full functionality once the c/common PR is merged. A major change is the signature of the MountPoint function for volumes, which now, by necessity, returns an error. Named volumes managed by a plugin do not have a mountpoint we control; instead, it is managed entirely by the plugin. As such, we need to cache the path in the DB, and calls to retrieve it now need to access the DB (and may fail as such). Notably absent is support for SELinux relabelling and chowning these volumes. Given that we don't manage the mountpoint for these volumes, I am extremely reluctant to try and modify it - we could easily break the plugin trying to chown or relabel it. Also, we had no less than *5* separate implementations of inspecting a volume floating around in pkg/infra/abi and pkg/api/handlers/libpod. And none of them used volume.Inspect(), the only correct way of inspecting volumes. Remove them all and consolidate to using the correct way. Compat API is likely still doing things the wrong way, but that is an issue for another day. Fixes #4304 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Makefile: add target to generate bindingsValentin Rothberg2021-01-14
| | | | | | | | | | | Add a `.generate-bindings` make target that only runs in the absence of the `.generate-bindings` file or when a `types.go` file below `pkg/bindings` has changed. This will regenerate the go bindings and make sure the code is up2date. Signed-off-by: Valentin Rothberg <rothberg@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #8960 from giuseppe/bridge-no-post-configOpenShift Merge Robot2021-01-13
|\ | | | | network: disallow CNI networks with user namespaces
| * network: disallow CNI networks with user namespacesGiuseppe Scrivano2021-01-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | it solves a segfault when running as rootless a command like: $ podman run --uidmap 0:0:1 --net foo --rm fedora true panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x5629bccc407c] goroutine 1 [running]: panic(0x5629bd3d39e0, 0x5629be0ab8e0) /usr/lib/golang/src/runtime/panic.go:1064 +0x545 fp=0xc0004592c0 sp=0xc0004591f8 pc=0x5629bbd35d85 runtime.panicmem(...) /usr/lib/golang/src/runtime/panic.go:212 runtime.sigpanic() /usr/lib/golang/src/runtime/signal_unix.go:742 +0x413 fp=0xc0004592f0 sp=0xc0004592c0 pc=0x5629bbd4cd33 github.com/containers/podman/libpod.(*Runtime).setupRootlessNetNS(0xc0003fe9c0, 0xc0003d74a0, 0x0, 0x0) /builddir/build/BUILD/podman-2.2.1/_build/src/github.com/containers/podman/libpod/networking_linux.go:238 +0xdc fp=0xc000459338 sp=0xc0004592f0 pc=0x5629bccc407c github.com/containers/podman/libpod.(*Container).completeNetworkSetup(0xc0003d74a0, 0x0, 0x0) /builddir/build/BUILD/podman-2.2.1/_build/src/github.com/containers/podman/libpod/container_internal.go:965 +0xb72 fp=0xc0004594d8 sp=0xc000459338 pc=0x5629bcc81732 [.....] Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #8954 from baude/reducebindingsizeOpenShift Merge Robot2021-01-13
|\ \ | | | | | | Reduce general binding binary size
| * | Reduce general binding binary sizebaude2021-01-13
| |/ | | | | | | | | | | | | | | when using the bindings to *only* make a connection, the binary was rough 28MB. This PR reduces it down to 11. There is more work to do but it will come in a secondary PR. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #8961 from rhatdan/kubeOpenShift Merge Robot2021-01-13
|\ \ | |/ |/| play kube: set entrypoint when interpreting Command
| * play kube: set entrypoint when interpreting CommandDaniel J Walsh2021-01-13
| | | | | | | | | | | | | | | | | | | | | | | | | | We now set Entrypoint when interpeting the image Entrypoint (or yaml.Command) and Command when interpreting image Cmd (or yaml.Args) This change is kind of breaking because now checking Config.Cmd won't return the full command, but only the {cmd,args}. Adapt the tests to this change as well Signed-off-by: Peter Hunt <pehunt@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #8957 from srcshelton/feature/issue-8945OpenShift Merge Robot2021-01-13
|\ \ | | | | | | Add 'MemUsageBytes' format option
| * | Merge branch 'master' into feature/issue-8945Stuart Shelton2021-01-13
| |\| | | | | | | | | | Signed-off-by: Stuart Shelton <stuart@shelton.me>
| | * Merge pull request #8953 from edsantiago/var_run_againOpenShift Merge Robot2021-01-12
| | |\ | | | | | | | | More /var/run -> /run
| | | * More /var/run -> /runEd Santiago2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | PR #8851 broke CI: it included "/var/run" strings that, per #8771, should have been just "/run". Signed-off-by: Ed Santiago <santiago@redhat.com>
| * | | Add 'MemUsageBytes' format optionStuart Shelton2021-01-12
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Although storage is more human-readable when expressed in SI units, IEC/JEDEC (Bytes) units are more pertinent for memory-related values (and match the format of the --memory* command-line options). (To prevent possible compatibility issues, the default SI display is left unchanged) See https://github.com/containers/podman/issues/8945 Signed-off-by: Stuart Shelton <stuart@shelton.me>
* | | Remove the ability to use [name:tag] in podman load commandDaniel J Walsh2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Docker does not support this, and it is confusing what to do if the image has more then one tag. We are dropping support for this in podman 3.0 Fixes: https://github.com/containers/podman/issues/7387 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | More /var/run -> /runEd Santiago2021-01-12
|/ / | | | | | | | | | | | | PR #8851 broke CI: it included "/var/run" strings that, per #8771, should have been just "/run". Signed-off-by: Ed Santiago <santiago@redhat.com>
* | Merge pull request #8950 from mheon/exorcise_driverOpenShift Merge Robot2021-01-12
|\ \ | |/ |/| Exorcise Driver code from libpod/define
| * Exorcise Driver code from libpod/defineMatthew Heon2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | The libpod/define code should not import any large dependencies, as it is intended to be structures and definitions only. It included the libpod/driver package for information on the storage driver, though, which brought in all of c/storage. Split the driver package so that define has the struct, and thus does not need to import Driver. And simplify the driver code while we're at it. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #8947 from Luap99/cleanup-codeOpenShift Merge Robot2021-01-12
|\ \ | | | | | | Fix problems reported by staticcheck
| * | Fix problems reported by staticcheckPaul Holzinger2021-01-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `staticcheck` is a golang code analysis tool. https://staticcheck.io/ This commit fixes a lot of problems found in our code. Common problems are: - unnecessary use of fmt.Sprintf - duplicated imports with different names - unnecessary check that a key exists before a delete call There are still a lot of reported problems in the test files but I have not looked at those. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #8851 from Luap99/fix-generate-systemd-flag-parsingOpenShift Merge Robot2021-01-12
|\ \ \ | | | | | | | | Make podman generate systemd --new flag parsing more robust
| * | | Make podman generate systemd --new flag parsing more robustPaul Holzinger2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | First, use the pflag library to parse the flags. With this we can handle all corner cases such as -td or --detach=false. Second, preserve the root args with --new. They are used for all podman commands in the unit file. (e.g. podman --root /tmp run alpine) Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | | Merge pull request #8905 from rhatdan/proxyOpenShift Merge Robot2021-01-12
|\ \ \ \ | | | | | | | | | | Use HTTPProxy settings from containers.conf
| * | | | Use HTTPProxy settings from containers.confDaniel J Walsh2021-01-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This PR takes the settings from containers.conf and uses them. This works on the podman local but does not fix the issue for podman remote or for APIv2. We need a way to specify optionalbooleans when creating containers. Fixes: https://github.com/containers/podman/issues/8843 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | | | Merge pull request #8819 from chen-zhuohan/add-pre-checkpointOpenShift Merge Robot2021-01-12
|\ \ \ \ \ | |_|_|/ / |/| | | | Add pre-checkpoint and restore with previous
| * | | | add pre checkpointunknown2021-01-10
| | | | | | | | | | | | | | | | | | | | Signed-off-by: Zhuohan Chen <chen_zhuohan@163.com>
* | | | | Merge pull request #8934 from vrothberg/fix-8931OpenShift Merge Robot2021-01-11
|\ \ \ \ \ | |_|/ / / |/| | | | image list: ignore bare manifest list
| * | | | image list: ignore bare manifest listValentin Rothberg2021-01-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Handle empty/bare manifest lists when listing images. Fixes: #8931 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | | | Merge pull request #8917 from mheon/actually_report_play_kube_errorsOpenShift Merge Robot2021-01-11
|\ \ \ \ \ | |/ / / / |/| | | | Ensure that `podman play kube` actually reports errors
| * | | | Ensure that `podman play kube` actually reports errorsMatthew Heon2021-01-11
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In 2.2.x, we moved `play kube` to use the Start() API for pods, which reported errors in a different way (all containers are started in parallel, and then results reported as a block). The migration attempted to preserve compatibility by returning only one error, but that's not really a viable option as it can obscure the real reason that a pod is failing. Further, the code was not correctly handling the API's errors - Pod Start() will, on any container error, return a map of container ID to error populated for all container errors *and* return ErrPodPartialFail for overall error - the existing code did not handle the partial failure error and thus would never return container errors. Refactor the `play kube` API to include a set of errors for containers in each pod, so we can return all errors that occurred to the frontend and print them for the user, and correct the backend code so container errors are actually forwarded. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | | Use abi PodPs implementation for libpod/pods/json endpointPaul Holzinger2021-01-09
| | | | | | | | | | | | | | | | | | | | | | | | This removes unnecessary code duplication. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | | Add Networks format placeholder to podman ps and pod psPaul Holzinger2021-01-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | `podman ps --format {{.Networks}}` will show all connected networks for this container. For `pod ps` it will show the infra container networks. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | | Add network filter for podman ps and pod psPaul Holzinger2021-01-09
|/ / / | | | | | | | | | | | | | | | | | | Allow to filter on the network name or full id. For pod ps it will filter on the infra container networks. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #8781 from rst0git/cr-volumesOpenShift Merge Robot2021-01-08
|\ \ \ | | | | | | | | Add support for checkpoint/restore of containers with volumes
| * | | Include named volumes in container migrationRadostin Stoyanov2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When migrating a container with associated volumes, the content of these volumes should be made available on the destination machine. This patch enables container checkpoint/restore with named volumes by including the content of volumes in checkpoint file. On restore, volumes associated with container are created and their content is restored. The --ignore-volumes option is introduced to disable this feature. Example: # podman container checkpoint --export checkpoint.tar.gz <container> The content of all volumes associated with the container are included in `checkpoint.tar.gz` # podman container checkpoint --export checkpoint.tar.gz --ignore-volumes <container> The content of volumes is not included in `checkpoint.tar.gz`. This is useful, for example, when the checkpoint/restore is performed on the same machine. # podman container restore --import checkpoint.tar.gz The associated volumes will be created and their content will be restored. Podman will exit with an error if volumes with the same name already exist on the system or the content of volumes is not included in checkpoint.tar.gz # podman container restore --ignore-volumes --import checkpoint.tar.gz Volumes associated with container must already exist. Podman will not create them or restore their content. Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
| * | | Use Options as CRImportCheckpoint() argumentRadostin Stoyanov2021-01-07
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | Instead of specifying restore option arguments individually from RestoreOptions, provide the 'options' object to the CRImportCheckpoint method. This change makes the code in CRImportCheckpoint easier to extend as it doesn't require excessive number of function parameters. Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
* | | Restore compatible API for prune endpointsJhon Honce2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Restore correct API endpoint payloads including reclaimed space numbers * Include tests for API prune endpoints * Clean up function signatures with unused parameters * Update swagger for /networks/prune Fixes #8891 Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | | Merge pull request #8907 from Luap99/fix-mips-buildOpenShift Merge Robot2021-01-07
|\ \ \ | | | | | | | | Fix build for mips architecture follow-up
| * | | Fix build for mips architecture follow-upPaul Holzinger2021-01-07
| |/ / | | | | | | | | | | | | | | | | | | | | | Follow-up to commit (1ad796677e1c). The build on mips is still failing because SIGWINCH was not defined in the signal pkg. Also stat_t.Rdev is unit32 on mips so we need to typecast. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | | Merge pull request #8771 from rhatdan/runOpenShift Merge Robot2021-01-07
|\ \ \ | | | | | | | | Switch references of /var/run -> /run
| * | | Switch references of /var/run -> /runDaniel J Walsh2021-01-07
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | Systemd is now complaining or mentioning /var/run as a legacy directory. It has been many years where /var/run is a symlink to /run on all most distributions, make the change to the default. Partial fix for https://github.com/containers/podman/issues/8369 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #8821 from rhatdan/capsOpenShift Merge Robot2021-01-07
|\ \ \ | | | | | | | | Containers should not get inheritable caps by default
| * | | Containers should not get inheritable caps by defaultDaniel J Walsh2021-01-07
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When I launch a container with --userns=keep-id the rootless processes should have no caps by default even if I launch the container with --privileged. It should only get the caps if I specify by hand the caps I want leaked to the process. Currently we turn off capeff and capamb, but not capinh. This patch treats capinh the same way as capeff and capamb. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | rootless: automatically split userns rangesGiuseppe Scrivano2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | writing to the id map fails when an extent overlaps multiple mappings in the parent user namespace: $ cat /proc/self/uid_map 0 1000 1 1 100000 65536 $ unshare -U sleep 100 & [1] 1029703 $ printf "0 0 100\n" | tee /proc/$!/uid_map 0 0 100 tee: /proc/1029703/uid_map: Operation not permitted This limitation is particularly annoying when working with rootless containers as each container runs in the rootless user namespace, so a command like: $ podman run --uidmap 0:0:2 --rm fedora echo hi Error: writing file `/proc/664087/gid_map`: Operation not permitted: OCI permission denied would fail since the specified mapping overlaps the first mapping (where the user id is mapped to root) and the second extent with the additional IDs available. Detect such cases and automatically split the specified mapping with the equivalent of: $ podman run --uidmap 0:0:1 --uidmap 1:1:1 --rm fedora echo hi hi A fix has already been proposed for the kernel[1], but even if it accepted it will take time until it is available in a released kernel, so fix it also in pkg/rootless. [1] https://lkml.kernel.org/lkml/20201203150252.1229077-1-gscrivan@redhat.com/ Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | rootless: add function to retrieve uid mappingsGiuseppe Scrivano2021-01-07
| | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | rootless: add function to retrieve gid mappingsGiuseppe Scrivano2021-01-07
|/ / | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #8892 from mheon/fix_8886OpenShift Merge Robot2021-01-06
|\ \ | | | | | | Ensure that user-specified HOSTNAME is honored
| * | Ensure that user-specified HOSTNAME is honoredMatthew Heon2021-01-06
| |/ | | | | | | | | | | | | | | | | | | | | When adding the HOSTNAME environment variable, only do so if it is not already present in the spec. If it is already present, it was likely added by the user, and we should honor their requested value. Fixes #8886 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #8685 from mheon/ignore_containersconf_sysctls_shared_netOpenShift Merge Robot2021-01-05
|\ \ | | | | | | Ignore containers.conf sysctls when sharing namespaces
| * | Ignore containers.conf sysctls when sharing namespacesMatthew Heon2020-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The existing code prevents containers.conf default sysctls from being added if the container uses a host namespace. This patch expands that to not just host namespaces, but also *shared* namespaces - so we never modify another container's (or a pod's) namespaces without being explicitly directed to do so by the user. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #8889 from vrothberg/run-1138OpenShift Merge Robot2021-01-05
|\ \ \ | | | | | | | | generate systemd: do not set `KillMode`