summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* rootless: report more error messages from the startup phaseGiuseppe Scrivano2018-10-11
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: fix an hang on older versions of setresuid/setresgidGiuseppe Scrivano2018-10-11
| | | | | | | | | | | | | | | | the issue is caused by the Go Runtime that messes up with the process signals, overriding SIGSETXID and SIGCANCEL which are used internally by glibc. They are used to inform all the threads to update their stored uid/gid information. This causes a hang on the set*id glibc wrappers since the handler installed by glibc is never invoked. Since we are running with only one thread, we don't really need to update other threads or even the current thread as we are not using getuid/getgid before the execvp. Closes: https://github.com/containers/libpod/issues/1625 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Fix lintMatthew Heon2018-10-04
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Drop libnetwork vendor and move the code into pkg/Matthew Heon2018-10-04
| | | | | | | | | | | The vendoring issues with libnetwork were significant (it was dragging in massive amounts of code) and were just not worth spending the time to work through. Highly unlikely we'll ever end up needing to update this code, so move it directly into pkg/ so we don't need to vendor libnetwork. Make a few small changes to remove the need for the remainder of libnetwork. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1557 from rhatdan/systemdOpenShift Merge Robot2018-10-04
|\ | | | | Don't tmpcopyup on systemd cgroup
| * Don't tmpcopyup on systemd cgroupDaniel J Walsh2018-09-29
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Add ContainerStateExited and OCI delete() in cleanup()Matthew Heon2018-10-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To work better with Kata containers, we need to delete() from the OCI runtime as a part of cleanup, to ensure resources aren't retained longer than they need to be. To enable this, we need to add a new state to containers, ContainerStateExited. Containers transition from ContainerStateStopped to ContainerStateExited via cleanupRuntime which is invoked as part of cleanup(). A container in the Exited state is identical to Stopped, except it has been removed from the OCI runtime and thus will be handled differently when initializing the container. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Merge pull request #1563 from jwhonce/wip/podsOpenShift Merge Robot2018-10-02
|\ \ | | | | | | Implement pod varlink bindings
| * | Implement pod varlink bindingsJhon Honce2018-10-01
| |/ | | | | | | | | | | | | | | | | | | | | | | * Update varlink document * Add NoContainersInPod error in go and python * Add support for varlink pod interface * New code passes pylint * Fix bug in test_runner.sh * Update integration tests for race condition on status check * Add missing port config file support Signed-off-by: Jhon Honce <jhonce@redhat.com>
* / rootless: raise an error when trying to use cgroupsGiuseppe Scrivano2018-10-01
|/ | | | | | https://github.com/containers/libpod/issues/1429#issuecomment-424040416 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add buildah version and distribution to infobaude2018-09-28
| | | | | | | | For the sake of debug and problem reporting, we would benefit from knowing what buildah version was vendored into podman. Also, knowing the distribution and distribution version would also be handy. Signed-off-by: baude <bbaude@redhat.com>
* Add --mount option for `create` & `run` commandDaniel J Walsh2018-09-21
| | | | | | | | Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1524 Approved by: mheon
* Refactor Wait() to not require a timeoutMatthew Heon2018-09-21
| | | | | | | | | | | We added a timeout for convenience, but most invocations don't care about it. Refactor it into WaitWithTimeout() and add a Wait() that doesn't require a timeout and uses the default. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1527 Approved by: mheon
* Don't mount /dev/shm if the user told you --ipc=noneDaniel J Walsh2018-09-21
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1466 Approved by: mheon
* rootless: error out if there are not enough UIDs/GIDs availableGiuseppe Scrivano2018-09-21
| | | | | | | | | | | Most container images assume there are at least 65536 UIDs/GIDs available. Raise an error if there are not enough IDs allocated to the current user. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1520 Approved by: rhatdan
* rootless: skip usage of filepath.JoinGiuseppe Scrivano2018-09-21
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1507 Approved by: rhatdan
* create, rootless: join the userns of ns:PATHGiuseppe Scrivano2018-09-21
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1507 Approved by: rhatdan
* spec: refactor ns modes to a common interfaceGiuseppe Scrivano2018-09-21
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1507 Approved by: rhatdan
* Add new field to libpod to indicate whether or not to use labellingDaniel J Walsh2018-09-20
| | | | | | | | | | | | | | | Also update some missing fields libpod.conf obtions in man pages. Fix sort order of security options and add a note about disabling labeling. When a process requests a new label. libpod needs to reserve all labels to make sure that their are no conflicts. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1406 Approved by: mheon
* Vendor in latest containers/buildahDaniel J Walsh2018-09-18
| | | | | | Switch from projectatomic/buildah to containers/buildah Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Small updates to OCI spec generationMatthew Heon2018-09-17
| | | | | | | | | | | | | Firstly, when adding the privileged catch-all resource device, first remove the spec's default catch-all resource device. Second, remove our default rootfs propogation config - Docker does not set this by default, so I don't think we should either. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1491 Approved by: TomSweeneyRedHat
* Merge pull request #1467 from rhatdan/devMatthew Heon2018-09-14
|\ | | | | Don't mount /dev/* if user mounted /dev
| * Don't mount /dev/* if user mounted /devDaniel J Walsh2018-09-14
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #1474 from baude/varlinkinforegistriesMatthew Heon2018-09-14
|\ \ | | | | | | add registry information to varlink info
| * | add registry information to varlink infobaude2018-09-14
| |/ | | | | | | | | | | | | when using the varlink api, we should pass on the registries information as is present in the cli info command. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #1434 from rhatdan/waitMatthew Heon2018-09-14
|\ \ | |/ |/| Add --interval flag to podman wait
| * Add --interval flag to podman waitDaniel J Walsh2018-09-13
| | | | | | | | | | | | | | Waiting uses a lot of CPU, so drop back to checking once/second and allow user to pass in the interval. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Swap default mount propagation from private to rprivateMatthew Heon2018-09-13
|/ | | | | | | | | | This matches Docker behavior more closely and should resolve an issue we were seeing with /sys mounts Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1465 Approved by: rhatdan
* Pass on securityOpts from podInfraContainer to container added to pod.Daniel J Walsh2018-09-11
| | | | | | | | | | This is an incomplete fix, as it would be best for the libpod library to be in charge of coordinating the container's dependencies on the infra container. A TODO was left as such. UTS is a special case, because the docker library that namespace handling is based off of doesn't recognize a UTS based on another container as valid, despite the library being able to handle it correctly. Thus, it is left in the old way. Signed-off-by: haircommander <pehunt@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1347 Approved by: mheon
* Replace existing iptables handler with firewall codeMatthew Heon2018-09-10
| | | | | | | | | | | | Use the new firewall code vendored from CNI to replace the existing iptables rule addition handler we had in place. This adds proper support for firewalld and should be much better at interacting with the firewall. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1431 Approved by: baude
* Vendor CNI plugins firewall codeMatthew Heon2018-09-10
| | | | | | | | | | | | | | The upstream CNI project has a PR open for adding iptables and firewalld support, but this has been stalled for the better part of a year upstream. On advice of several maintainers, we are vendoring this code into libpod, to perform the relevant firewall configuration ourselves. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1431 Approved by: baude
* Fix pod sharing for utsmodeDaniel J Walsh2018-09-07
| | | | | | | | | | | | | We should be sharing cgroups namespace by default in pods uts namespace sharing was broken in pods. Create a new libpod/pkg/namespaces for handling of namespace fields in containers Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1418 Approved by: mheon
* Respect user-added mounts over default spec mountsMatthew Heon2018-09-07
| | | | | | | | | | | | | | When there was a conflict between a user-added volume and a mount already in the spec, we previously respected the mount already in the spec and discarded the user-added mount. This is counter to expected behavior - if I volume-mount /dev into the container, I epxect it will override the default /dev in the container, and not be ignored. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1419 Approved by: TomSweeneyRedHat
* Ensure we do not overlap mounts in the specMatthew Heon2018-09-07
| | | | | | | | | | | When user-specified volume mounts overlap with mounts already in the spec, remove the mount in the spec to ensure there are no conflicts. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1419 Approved by: TomSweeneyRedHat
* Change references to cri-o to point at new repositoryDaniel J Walsh2018-09-07
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1425 Approved by: mheon
* Add CRI logs parsing to podman logsumohnani82018-09-05
| | | | | | | | | | | Podman logs was not parsing CRI logs well, especially the F and P logs. Now using the same parsing code as in kube here. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #1403 Approved by: rhatdan
* rootless: check uid with Geteuid() instead of Getuid()Giuseppe Scrivano2018-09-04
| | | | | | | | | | | | change the tests to use chroot to set a numeric UID/GID. Go syscall.Credential doesn't change the effective UID/GID of the process. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1372 Approved by: mheon
* Add proper support for systemd inside of podmanDaniel J Walsh2018-08-31
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless: unexport GetUserNSForPidGiuseppe Scrivano2018-08-29
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1371 Approved by: rhatdan
* rootless: add new function to join existing namespaceGiuseppe Scrivano2018-08-29
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1371 Approved by: rhatdan
* Vendor in latest projectatomic/buildahDaniel J Walsh2018-08-29
| | | | | | | | | | | | This will help document the defaults in podman build. podman build --help will now show the defaults and mention the environment variables that can be set to change them. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1364 Approved by: mheon
* Set nproc in containers unless explicitly overriddenMatthew Heon2018-08-28
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1355 Approved by: rhatdan
* Do not set max open files by default if we are rootlessMatthew Heon2018-08-28
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1355 Approved by: rhatdan
* Set default max open files in specMatthew Heon2018-08-28
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1355 Approved by: rhatdan
* Ensure return errors match API docsbaude2018-08-28
| | | | | | | | | | | In the API docs, we generally state the type of error that should be returned if a container or image cannot be found. In several cases, the code did not match the API doc, when the API doc was correct. Signed-off-by: baude <bbaude@redhat.com> Closes: #1353 Approved by: rhatdan
* Fix Mount PropagationGiuseppe Scrivano2018-08-27
| | | | | | | | | Default mount propagation inside of containes should be private Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1305 Approved by: mheon
* rootless: fix --pid=hostGiuseppe Scrivano2018-08-27
| | | | | | | | | | | | Unfortunately this is not enough to get it working as runc doesn't allow to bind mount /proc. Depends on: https://github.com/opencontainers/runc/pull/1832 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1349 Approved by: rhatdan
* rootless: fix --ipc=hostGiuseppe Scrivano2018-08-27
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1349 Approved by: rhatdan
* spec: bind mount /sys only when userNS are enabledGiuseppe Scrivano2018-08-27
| | | | | | | | | | | Fix the test for checking when /sys must be bind mounted from the host. It should be done only when userNS are enabled (the !UsernsMode.IsHost() check is not enough for that). Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1349 Approved by: rhatdan
* rootless: exec handle processes that create an user namespaceGiuseppe Scrivano2018-08-26
| | | | | | | | | | | | | | Manage the case where the main process of the container creates and joins a new user namespace. In this case we want to join only the first child in the new hierarchy, which is the user namespace that was used to create the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1331 Approved by: rhatdan