path: root/pkg
Commit message  (Author, Age)
* rootless: Merge rootless.go back into rootless_linux.go  (W. Trevor King, 2018-07-06)

    The files were split apart by b96be3af (changes to allow for darwin compilation, 2018-06-20, #1015), but the C import and two functions left in rootless.go are all Linux-specific as well. This commit moves all of the pre-b96be3af rootless.go into rootless_linux.go, just adding the '// +build linux' header (b96be3af also scrambled the + in that header) and keeping the new GetRootlessUID from a1545fe6 (rootless: add function to retrieve the original UID, 2018-07-05, #1048).

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #1034
    Approved by: baude
* more changes to compile darwin  (baude, 2018-07-05)

    This should represent the last major changes to get darwin to **compile**. Again, the purpose here is to get darwin to compile so that we can eventually implement a CI task that would protect against regressions for darwin compilation. I have left the manual darwin compilation largely static still and in fact now only interject (manually) two build tags to assist with the build. Trevor King has great ideas on how to make this better and I will defer final implementation of those to him.

    Signed-off-by: baude <bbaude@redhat.com>
    Closes: #1047
    Approved by: rhatdan
* rootless: add function to retrieve the original UID  (Giuseppe Scrivano, 2018-07-05)

    After we re-exec in the userNS os.Getuid() returns the new UID (= 0) which is not what we want to use.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
    Closes: #1048
    Approved by: mheon
* add image user to inspect data  (baude, 2018-07-02)

    Signed-off-by: baude <bbaude@redhat.com>
    Closes: #1036
    Approved by: rhatdan
* changes to allow for darwin compilation  (baude, 2018-06-29)

    Signed-off-by: baude <bbaude@redhat.com>
    Closes: #1015
    Approved by: baude
* Add `podman container cleanup` to CLI  (Daniel J Walsh, 2018-06-29)

    When we run containers in detach mode, nothing cleans up the network stack or the mount points. This patch will tell conmon to execute the cleanup code when the container exits. It can also be called to attempt to cleanup previously running containers.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    Closes: #942
    Approved by: mheon
* Start using github.com/seccomp/containers-golang  (Daniel J Walsh, 2018-06-29)

    Use newer seccomp bindings from the seccomp upstream.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    Closes: #1021
    Approved by: giuseppe
* conmon no longer writes to syslog  (Daniel J Walsh, 2018-06-29)

    If the caller sets up the app to be in logrus.DebugLevel, then we will add the --syslog flag to conmon to get all of the messages.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    Closes: #1014
    Approved by: TomSweeneyRedHat
* *: Replace Generator.Spec() with Generator.Config  (W. Trevor King, 2018-06-27)

    Catching up with opencontainers/runtime-tools@84a62c6a (generate: Move Generator.spec to Generator.Config, 2016-11-06, #266, v0.6.0), now that we've bumped runtime-tools in f6c0fc1a (Vendor in latest runtime-tools, 2018-06-26, #1007).

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #1008
    Approved by: mheon
* generator.New() requires an OS string input variable  (baude, 2018-06-27)

    Signed-off-by: baude <bbaude@redhat.com>
    Closes: #1007
    Approved by: baude
* rootless: do not configure additional groups  (Giuseppe Scrivano, 2018-06-27)

    Additional groups are not allowed in a userNS.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
    Closes: #936
    Approved by: rhatdan
* rootless: add management for the userNS  (Giuseppe Scrivano, 2018-06-27)

    When running podman as a non-root user, always create a userNS and let the OCI runtime use it.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
    Closes: #936
    Approved by: rhatdan
* Podman history now prints out intermediate image IDs  (umohnani8, 2018-06-22)

    If the intermediate image exists in the store, podman history will show the IDs of the intermediate image of each layer.

    Signed-off-by: umohnani8 <umohnani@redhat.com>
    Closes: #982
    Approved by: mheon
* Option handling has become large and should be a shared function  (Daniel J Walsh, 2018-06-22)

    Every time we add a new option for create, we end up having to also add it to run; this makes it error prone. Moving these to the same function makes it easier to develop and prevents user mistakes.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    Closes: #975
    Approved by: mheon
* Add more network info ipv4/ipv6 and be more compatible with docker  (Wim, 2018-06-17)

    Signed-off-by: Wim <wim@42.be>
    Closes: #953
    Approved by: mheon
* spec: remove dead code  (Giuseppe Scrivano, 2018-06-15)

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
    Closes: #871
    Approved by: mheon
* network: do not attempt to create a network in rootless mode  (Giuseppe Scrivano, 2018-06-15)

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
    Closes: #871
    Approved by: mheon
* oci: do not set resources in rootless mode  (Giuseppe Scrivano, 2018-06-15)

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
    Closes: #871
    Approved by: mheon
* spec: change mount options for /dev/pts in rootless mode  (Giuseppe Scrivano, 2018-06-15)

    The default /dev/pts has the option gid=5 that might not be mapped in the rootless case.

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
    Closes: #871
    Approved by: mheon
* podman: provide a default UID mapping when non root  (Giuseppe Scrivano, 2018-06-15)

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
    Closes: #871
    Approved by: mheon
* podman: accept option --rootfs to use exploded images  (Giuseppe Scrivano, 2018-06-15)

    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
    Closes: #871
    Approved by: mheon
* When setting a memory limit, also set a swap limit  (Matthew Heon, 2018-06-15)

    Closes #940

    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
    Closes: #946
    Approved by: rhatdan
* varlink build fixes  (baude, 2018-06-05)

    The varlink build was not working as designed and required some touch-ups:

    * return a struct that includes logs and the new image ID
    * pass namespaceoption so that networking in buildah works

    Signed-off-by: baude <bbaude@redhat.com>
    Closes: #903
    Approved by: rhatdan
* libpod: Execute poststop hooks locally  (W. Trevor King, 2018-06-04)

    Instead of delegating to the runtime, since some runtimes do not seem to handle these reliably [1].

    [1]: https://github.com/projectatomic/libpod/issues/730#issuecomment-392959938

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #864
    Approved by: rhatdan
* Add flag to add annotations to a container  (Matthew Heon, 2018-06-04)

    Also add annotations from the image the container was created from.

    Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
    Closes: #886
    Approved by: rhatdan
* Want to change the log level on buildah by default to warnf  (Daniel J Walsh, 2018-06-04)

    Change the level of missing /etc/containers/mount.conf to a debug, since this is expected on most machines.

    Also raised the level of some warnings to errors, so they will be better seen, even if we are skipping.

    Fixed the wording of one error, since stating is not the correct word.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    Closes: #882
    Approved by: mheon
* hooks: Add debug logging for initial hook loading  (W. Trevor King, 2018-06-04)

    We've had logrus logging in the monitor code since it landed in 68eb128f (pkg/hooks: Version the hook structure and add 1.0.0 hooks, 2018-04-27, #686). This commit adds similar logging to the initial hook.New() and Manager.Hooks() calls to make it easier to see if those are working as expected.

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #887
    Approved by: rhatdan
* hooks/docs: Fix 1.0.0 Nvidia example (adding version, etc.)  (W. Trevor King, 2018-06-04)

    Reported by Gary Edwards [1]. Both typos are originally from 68eb128f (pkg/hooks: Version the hook structure and add 1.0.0 hooks, 2018-04-27, #686).

    [1]: https://github.com/projectatomic/libpod/issues/884#issuecomment-394174571

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #887
    Approved by: rhatdan
* hooks/1.0.0/when_test: Fix "both, and" -> "both, or" name typo  (W. Trevor King, 2018-06-04)

    The typo is a copy/paste error from 68eb128f (pkg/hooks: Version the hook structure and add 1.0.0 hooks, 2018-04-27, #686).

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #887
    Approved by: rhatdan
* hooks/1.0.0: Fix 'annotation' -> 'annotations' in JSON  (W. Trevor King, 2018-06-04)

    This typo from 68eb128f (pkg/hooks: Version the hook structure and add 1.0.0 hooks, 2018-04-27, #686) was causing any 'annotations' entries in hook JSON to be silently ignored.

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #887
    Approved by: rhatdan
* hooks: Fail ReadDir if a configured hook executable is missing  (W. Trevor King, 2018-06-04)

    The continue here is from 5676597f (hooks/read: Ignore IsNotExist for JSON files in ReadDir, 2018-04-27, #686), where it was intended to silently ignore missing JSON files. However, the old logic was also silently ignoring not-exist errors from the os.Stat(hook.Hook.Path) from 68eb128f (pkg/hooks: Version the hook structure and add 1.0.0 hooks, 2018-04-27, #686). This commit adjusts the check so JSON not-exist errors continue to be silently ignored while hook executable not-exist errors become fatal.

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #887
    Approved by: rhatdan
* varlink build  (baude, 2018-06-01)

    Add the endpoint and methods for build so users can build an image with varlink. build can also use the more method for streaming output back more regularly; however, it looks like a bug in buildah does not output all build output to the writer provided.

    Tidy up some create fixes and add endpoint for GetImage requested by jhonce.

    Signed-off-by: baude <bbaude@redhat.com>
* return all inspect info for varlink containerinspect  (baude, 2018-06-01)

    When obtaining the inspect information for a container through varlink, we need to extract more container related information by parsing the data through the method 'GetCtrInspectInfo' which was previously only in podman's main.

    Signed-off-by: baude <bbaude@redhat.com>
    Closes: #866
    Approved by: rhatdan
* hooks/exec: Allow successful reaps for 0s post-kill timeouts  (W. Trevor King, 2018-06-01)

    I'd been getting the failed-to-reap errors locally, but on an unrelated pull-request the FAH27 suite successfully reaped that hook [1]:

      --- FAIL: TestRunKillTimeout (0.50s)
          assertions.go:226: Error Trace:  exec_test.go:210
                             Error:        Expect "signal: killed" to match "^failed to reap process within 0s of the kill signal$"
      FAIL

    The successful-reap cases limit our coverage, but I don't think that's a big enough problem to be worth repeated polling or similar until we do get the failed-to-reap error.

    [1]: https://s3.amazonaws.com/aos-ci/ghprb/projectatomic/libpod/96c1535fdc11b2de24421863d7ad5d3b94338b37.0.1527811547665239762/output.log

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #868
    Approved by: rhatdan
* If user specifies UIDMapSlice without GIDMapSlice, set them equal  (Daniel J Walsh, 2018-05-31)

    We need to map slices set for both UID and GID maps to be equivalent if not specified by user. Currently if you do not specify both the containers are not running.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    Closes: #865
    Approved by: baude
* pkg/hooks/exec: Add a new package for local hook execution  (W. Trevor King, 2018-05-31)

    This wraps os/exec to:

    * Clear the environment when the hook doesn't set 'env'. The runtime spec has [1]:

      > * env (array of strings, OPTIONAL) with the same semantics as IEEE
      >   Std 1003.1-2008's environ.

      And running execle or similar with NULL env results in an empty environment:

        $ cat test.c
        #include <unistd.h>

        int main()
        {
          return execle("/usr/bin/env", "env", NULL, NULL);
        }
        $ cc -o test test.c
        $ ./test
        ...no output...

      Go's Cmd.Env, on the other hand, has [2]:

      > If Env is nil, the new process uses the current process's environment.

      This commit works around that by setting []string{} in those cases to avoid leaking the runtime environment into the hooks.

    * Roll the 'timeout' value (if set) into the passed context. There's no need for two separate ways to cancel hook execution.

    * Add a configurable timeout on abandoning a post-kill wait. The waiting goroutine will continue and eventually reap the process, but this avoids blocking the Run() call when that takes inordinately long (for example, if a GPU cleanup hook is stuck in I/O sleep [3]).

    The 'env' output format is specified in POSIX [4].

    [1]: https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks
    [2]: https://golang.org/pkg/os/exec/#Cmd
    [3]: https://github.com/projectatomic/libpod/pull/857#discussion_r192191002
    [4]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/env.html

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #857
    Approved by: mheon
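The three behaviours that commit message lists (an empty environment when the hook JSON sets no 'env', the hook's own timeout folded into the caller's context, and a bounded wait after the kill signal) can be shown in a small Go program. This is an added example, not the pkg/hooks/exec code; HookSpec, RunHook, ErrReap and the postKillTimeout parameter are names and a signature assumed for the illustration, and the demo input (running env with no environment set) is constructed.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"time"
)

// HookSpec holds the fields the commit message discusses. The type and the
// RunHook signature are assumptions for this example, not pkg/hooks/exec's API.
type HookSpec struct {
	Path    string
	Args    []string      // argv; Args[0] is the program name
	Env     []string      // nil means the hook JSON did not set 'env'
	Timeout time.Duration // zero means no per-hook timeout
}

// ErrReap is returned when a killed hook is not reaped within postKillTimeout.
var ErrReap = errors.New("failed to reap process after the kill signal")

// RunHook executes one hook with the three behaviours from the commit:
//  1. an unset env yields an empty environment (a nil Cmd.Env would inherit ours),
//  2. the hook's own timeout is folded into the caller's context,
//  3. after a kill, RunHook stops waiting once postKillTimeout elapses.
func RunHook(ctx context.Context, hook HookSpec, stdin []byte, postKillTimeout time.Duration) ([]byte, []byte, error) {
	if len(hook.Args) == 0 {
		return nil, nil, errors.New("hook args must contain at least one entry")
	}
	if hook.Timeout > 0 {
		var cancel context.CancelFunc
		ctx, cancel = context.WithTimeout(ctx, hook.Timeout)
		defer cancel()
	}

	cmd := exec.Command(hook.Path)
	cmd.Args = hook.Args
	if hook.Env == nil {
		cmd.Env = []string{} // empty, not nil: do not leak our environment
	} else {
		cmd.Env = hook.Env
	}
	var outBuf, errBuf bytes.Buffer
	cmd.Stdin = bytes.NewReader(stdin)
	cmd.Stdout = &outBuf
	cmd.Stderr = &errBuf

	if err := cmd.Start(); err != nil {
		return nil, nil, err
	}
	done := make(chan error, 1)
	go func() { done <- cmd.Wait() }() // reaps the child whenever it exits

	select {
	case err := <-done:
		return outBuf.Bytes(), errBuf.Bytes(), err
	case <-ctx.Done():
	}

	// Timeout or cancellation: kill, then wait a bounded time for the reap.
	if err := cmd.Process.Kill(); err != nil && !errors.Is(err, os.ErrProcessDone) {
		return nil, nil, fmt.Errorf("kill %s: %w", hook.Path, err)
	}
	select {
	case <-done:
		return outBuf.Bytes(), errBuf.Bytes(), fmt.Errorf("hook %s: %w", hook.Path, ctx.Err())
	case <-time.After(postKillTimeout):
		// The goroutine keeps waiting and will reap eventually; we return now
		// and do not touch the buffers it may still be writing to.
		return nil, nil, fmt.Errorf("hook %s: %w", hook.Path, ErrReap)
	}
}

func main() {
	// Constructed demo: env run with no environment set prints nothing.
	out, _, err := RunHook(context.Background(), HookSpec{Path: "/usr/bin/env", Args: []string{"env"}}, nil, time.Second)
	fmt.Printf("env output: %q, err: %v\n", out, err)
}
```

Setting Env to a non-nil empty slice is the whole trick: the hook sees nothing from the caller's environment, which is what the C execle experiment in the commit message shows. The second select is what keeps the call from hanging on a process stuck in uninterruptible sleep; the Wait goroutine still reaps it later.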
* hooks: Rename Hooks() output to extensionStageHooks  (W. Trevor King, 2018-05-31)

    To more clearly distinguish between the extensionStages input to New() (a slice of strings) and the map output from Hooks().

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #855
    Approved by: rhatdan
* hooks: Allow local control of OCI stages via extensionStages  (W. Trevor King, 2018-05-31)

    This allows callers to avoid delegating to OCI runtimes for cases where they feel that the runtime hook handling is unreliable [1].

    [1]: https://github.com/projectatomic/libpod/issues/730#issuecomment-392959938

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #855
    Approved by: rhatdan
* Clear all caps, except the bounding set, when --user is specified.  (Daniel J Walsh, 2018-05-31)

    Currently we are giving all caps to users when running with podman run --user. They should get none by default. If the command line includes --cap-add, then we need to run with those capabilities. Similarly we need to drop caps from the bounding set if the user specifies --cap-drop.

    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
    Closes: #851
    Approved by: mheon
* Rename addFIPSsModeSecret to addFIPSModeSecret  (Jhon Honce, 2018-05-25)

    Signed-off-by: Jhon Honce <jhonce@redhat.com>
    Closes: #833
    Approved by: mheon
* save and load should support multi-tag for docker-archive  (umohnani8, 2018-05-25)

    The docker-archive tar files can have multiple tags for the same image stored in it. Load pulls all the tags found in the archive when loading a tar file. Save can push multiple tags of the same image to a tar archive.

    Signed-off-by: umohnani8 <umohnani@redhat.com>
    Closes: #819
    Approved by: rhatdan
* Implement python podman create and start  (Jhon Honce, 2018-05-25)

    - Added alias 'container()' to image model for CreateContainer()
    - Fixed return in containers_create.go to wrap error in varlink exception
    - Added a wait time to container.kill(), number of seconds to wait for the container to change state
    - Refactored cached_property() to use system libraries
    - Refactored tests to speed up performance

    Signed-off-by: Jhon Honce <jhonce@redhat.com>
    Closes: #821
    Approved by: rhatdan
* Spell check strings and comments  (Jhon Honce, 2018-05-25)

    Signed-off-by: Jhon Honce <jhonce@redhat.com>
    Closes: #831
    Approved by: rhatdan
* hooks/1.0.0: Error on empty process.args instead of panicking  (W. Trevor King, 2018-05-24)

    The process property is optional [1], which this package already handled appropriately, although I've added a new test here to guard against regressions.

    The process.args entry is required when process is set [2], and it's also required to contain at least one entry [3]. The previous implementation here assumed that would always be satisfied, and panicked on empty process.args. With this commit, we avoid the panic and instead return an error message explaining why the input was invalid.

    [1]: https://github.com/opencontainers/runtime-spec/blame/v1.0.1/config.md#L145
    [2]: https://github.com/opencontainers/runtime-spec/blame/v1.0.1/config.md#L157
    [3]: https://github.com/opencontainers/runtime-spec/blame/v1.0.1/config.md#L158

    Reported-by: Brent Baude <bbaude@redhat.com>
    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #829
    Approved by: mheon
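Three of the hooks commits above describe input-handling failure modes in the same small loader: a misspelled 'annotation' key that made conditions silently vanish, a ReadDir that must skip a JSON file which disappeared but fail on a missing hook executable, and an empty process.args that used to panic. The following Go program, an added example and not libpod's pkg/hooks code, shows one way to handle all three. HookConfig is a reduced 1.0.0-style layout with only the fields those commits mention, the matching semantics are simplified to "any configured condition matches", and the nil-versus-empty convention for processArgs stands in for the runtime spec's optional process object; all of that is an assumption made for the illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// HookConfig is a reduced 1.0.0-style hook definition written for this example
// (not libpod's type); only the fields the commits above mention are modelled.
type HookConfig struct {
	Version string `json:"version"`
	Hook    struct {
		Path string `json:"path"`
	} `json:"hook"`
	When struct {
		Annotations map[string]string `json:"annotations,omitempty"` // key regexp -> value regexp
		Commands    []string          `json:"commands,omitempty"`    // regexps against process.args[0]
	} `json:"when"`
	Stages []string `json:"stages"`
}

// ParseHook decodes one hook strictly: with DisallowUnknownFields a misspelled
// key such as "annotation" is an error, not a silently ignored condition.
func ParseHook(data []byte) (*HookConfig, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	var h HookConfig
	if err := dec.Decode(&h); err != nil {
		return nil, err
	}
	if h.Version != "1.0.0" || h.Hook.Path == "" {
		return nil, fmt.Errorf("need version 1.0.0 and hook.path, got %q and %q", h.Version, h.Hook.Path)
	}
	return &h, nil
}

// ReadDir loads every *.json file in dir. A JSON file that vanishes between
// listing and reading is skipped; a configured hook executable that does not
// exist is fatal, because that hook could never run.
func ReadDir(dir string) (map[string]*HookConfig, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	hooks := map[string]*HookConfig{}
	for _, e := range entries {
		if e.IsDir() || !strings.HasSuffix(e.Name(), ".json") {
			continue
		}
		path := filepath.Join(dir, e.Name())
		data, err := os.ReadFile(path)
		if errors.Is(err, os.ErrNotExist) {
			continue // only the JSON file itself may go missing silently
		} else if err != nil {
			return nil, err
		}
		h, err := ParseHook(data)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", path, err)
		}
		if _, err := os.Stat(h.Hook.Path); err != nil {
			return nil, fmt.Errorf("%s: hook executable: %w", path, err)
		}
		hooks[e.Name()] = h
	}
	return hooks, nil
}

// Match reports whether a hook applies. processArgs is nil when the config has
// no process object at all; a present but empty args list is an error, not a
// panic on args[0].
func Match(h *HookConfig, processArgs []string, annotations map[string]string) (bool, error) {
	for keyRe, valRe := range h.When.Annotations {
		for k, v := range annotations {
			kOK, kErr := regexp.MatchString(keyRe, k)
			vOK, vErr := regexp.MatchString(valRe, v)
			if kErr != nil || vErr != nil {
				return false, fmt.Errorf("bad annotation regexp: %v %v", kErr, vErr)
			}
			if kOK && vOK {
				return true, nil
			}
		}
	}
	if len(h.When.Commands) > 0 && processArgs != nil {
		if len(processArgs) == 0 {
			return false, errors.New("process.args must contain at least one entry")
		}
		for _, re := range h.When.Commands {
			if ok, err := regexp.MatchString(re, processArgs[0]); err != nil || ok {
				return ok, err
			}
		}
	}
	return false, nil
}
```

The strict decoder is the cheap fix for the whole class of typo-in-a-condition bugs: a key the struct does not know is rejected at load time instead of being dropped. ReadDir treats the two not-exist cases differently on purpose, since a vanished JSON file is normal under directory monitoring while a missing executable is a misconfiguration that would otherwise surface only when the hook fails to run.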
* podman create, start, getattachsocket  (baude, 2018-05-21)

    First pass at implementing API endpoints for create and start.

    Signed-off-by: baude <bbaude@redhat.com>
    Closes: #805
    Approved by: baude
* hooks/README: Fix some Markdown typos (e.g. missing runc target)  (W. Trevor King, 2018-05-21)

    I'd accidentally introduced these typos in ea415610 (hooks/docs: Add oci-hooks.5 and per-package man page building, 2018-05-15, #772).

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #810
    Approved by: mheon
* oci-hooks.5: Discuss directory precedence and monitoring  (W. Trevor King, 2018-05-21)

    We've had this functionality since 68eb128f (pkg/hooks: Version the hook structure and add 1.0.0 hooks, 2018-04-27, #686), but didn't have any user-facing docs for it.

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #811
    Approved by: mheon
* hooks: Fix monitoring of multiple directories  (W. Trevor King, 2018-05-17)

    This isn't an issue with podman, which will only ever use one directory. But CRI-O generally uses two directories, and we want to make sure that changes to the fallback directory are not clobbering hooks configured in the override directory. More background in [1].

    I've split the handling into a single-directory block and a multiple-directory block so we don't waste time polling the filesystem for single-directory removals. I'm using the single-directory block for the zero-directory case as well. Managers with zero directories should not be receiving fsnotify events, so I don't think it really matters which block handles them. If we want to handle this case robustly (because we're concerned about something in the hook package adjusting the private .directories property on the fly?), then we'll probably want to add an explicit zero-directory block in future work.

    [1]: https://github.com/kubernetes-incubator/cri-o/pull/1470

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #757
    Approved by: rhatdan
* hooks/docs: Add oci-hooks.5 and per-package man page building  (W. Trevor King, 2018-05-17)

    This allows us to reference the hooks docs from podman(1) in a way that will survive system installation. The downside is that the GitHub rendered pages become less usable, now that we can no longer embed links as freely as we could before.

    I've followed the "Sections within a manual page" suggestions from [1]. locale(7) is [2], which is Linux-specific. Even section numbering is platform-dependent [3], so it's unlikely that these external man references are particularly portable. Platform packagers can adjust our local references to match their target system, but that leaves the GitHub rendering in an awkward place. For now, I think a Linux-centric GitHub rendering without clickable links may be the best we can do without moving away from go-md2man. As far as I can tell, there's not a nice way to get go-md2man to wrap the links in SEE ALSO without sometimes hyphenating a URL (which makes it harder for man-page readers to copy/paste those links into their browser).

    I've also fixed some "extention" -> "extension" typos.

    [1]: http://man7.org/linux/man-pages/man7/man-pages.7.html
    [2]: http://man7.org/linux/man-pages/man7/locale.7.html
    [3]: https://en.wikipedia.org/wiki/Man_page#Manual_sections

    Signed-off-by: W. Trevor King <wking@tremily.us>
    Closes: #772
    Approved by: mheon
* chrootuser: default to GID 0 when given a numeric --user  (Nalin Dahyabhai, 2018-05-17)

    When we're given a numeric --user value, default to GID 0 if the numeric ID doesn't correspond to a user entry in /etc/passwd that can provide us with the user's primary group ID.

    Make sure that GetAdditionalGroupsForUser() returns wrapped errors.

    Also test various user:group forms.

    Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
    Closes: #728
    Approved by: mheon
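The user[:group] resolution that commit describes, with the numeric-user-without-passwd-entry case landing on GID 0, can be exercised against in-memory passwd and group data. This is an added example and not buildah's chrootuser code: ResolveUser, findEntry and parseID are names assumed for the illustration, and the two database strings are constructed samples standing in for /etc/passwd and /etc/group inside the container root.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed /etc/passwd and /etc/group contents for this example; they are
// sample data, not taken from any real system.
const samplePasswd = `root:x:0:0:root:/root:/bin/bash
app:x:1000:1000:App:/home/app:/bin/sh
`

const sampleGroup = `root:x:0:
wheel:x:10:root,app
app:x:1000:
`

// parseID parses a decimal uid or gid; ok is false for non-numeric input.
func parseID(s string) (uint32, bool) {
	n, err := strconv.ParseUint(s, 10, 32)
	return uint32(n), err == nil
}

// findEntry returns the colon-separated fields of the first line in db whose
// name (field 0) equals key, or whose id (field 2) equals key when key is
// numeric. Both passwd and group keep the numeric id in field 2.
func findEntry(db, key string) []string {
	_, numeric := parseID(key)
	sc := bufio.NewScanner(strings.NewReader(db))
	for sc.Scan() {
		f := strings.Split(sc.Text(), ":")
		if len(f) < 3 || f[0] == "" {
			continue
		}
		if (numeric && f[2] == key) || (!numeric && f[0] == key) {
			return f
		}
	}
	return nil
}

// ResolveUser turns a user[:group] spec into a uid/gid pair with the policy
// the commit describes: names must exist; a numeric user with no passwd entry
// keeps its uid and gets GID 0, because nothing can supply its primary group;
// a numeric group with no entry is used as-is.
func ResolveUser(passwd, group, spec string) (uid, gid uint32, err error) {
	parts := strings.SplitN(spec, ":", 2)
	userPart := parts[0]
	if f := findEntry(passwd, userPart); f != nil {
		if len(f) < 4 {
			return 0, 0, fmt.Errorf("malformed passwd entry for %q", userPart)
		}
		u, okU := parseID(f[2])
		g, okG := parseID(f[3])
		if !okU || !okG {
			return 0, 0, fmt.Errorf("malformed passwd entry for %q", userPart)
		}
		uid, gid = u, g
	} else if n, numeric := parseID(userPart); numeric {
		uid, gid = n, 0 // the case the commit fixes
	} else {
		return 0, 0, fmt.Errorf("unknown user %q", userPart)
	}
	if len(parts) == 2 {
		if f := findEntry(group, parts[1]); f != nil {
			g, ok := parseID(f[2])
			if !ok {
				return 0, 0, fmt.Errorf("malformed group entry for %q", parts[1])
			}
			gid = g
		} else if n, numeric := parseID(parts[1]); numeric {
			gid = n
		} else {
			return 0, 0, fmt.Errorf("unknown group %q", parts[1])
		}
	}
	return uid, gid, nil
}

func main() {
	for _, spec := range []string{"app", "1000", "4242", "4242:wheel", "app:7", "nobody"} {
		uid, gid, err := ResolveUser(samplePasswd, sampleGroup, spec)
		fmt.Printf("%-12s -> uid=%d gid=%d err=%v\n", spec, uid, gid, err)
	}
}
```

The security-relevant branch is the numeric user with no passwd entry: the process still runs unprivileged as that uid, but its primary group becomes 0, so anything in the image that is group-root-writable is reachable. An explicit user:group spec overrides that default, which is why the commit also tests the combined forms.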