summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Merge pull request #1715 from baude/getusergroupOpenShift Merge Robot2018-10-30
|\ | | | | get user and group information using securejoin and runc's user library
| * get user and group information using securejoin and runc's user librarybaude2018-10-29
| | | | | | | | | | | | | | | | | | | | | | for the purposes of performance and security, we use securejoin to contstruct the root fs's path so that symlinks are what they appear to be and no pointing to something naughty. then instead of chrooting to parse /etc/passwd|/etc/group, we now use the runc user/group methods which saves us quite a bit of performance. Signed-off-by: baude <bbaude@redhat.com>
* | Change to exported name in ParseDeviceQi Wang2018-10-29
|/ | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* Add helper function to read out CRIU versionAdrian Reber2018-10-23
| | | | | | | This adds a simple CRIU version check using the vendored-in CRIU go bindings. Signed-off-by: Adrian Reber <areber@redhat.com>
* Fix man page to show info on storageDaniel J Walsh2018-10-22
| | | | | | Also fix lint errors. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Move rootless directory handling to the libpod/pkg/util directoryDaniel J Walsh2018-10-22
| | | | | | This should allow us to share this code with buildah. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Mount proper cgroup for systemd to manage inside of the container.Daniel J Walsh2018-10-15
| | | | | | | | | | | | We are still requiring oci-systemd-hook to be installed in order to run systemd within a container. This patch properly mounts /sys/fs/cgroup/systemd/libpod_parent/libpod-UUID on /sys/fs/cgroup/systemd inside of container. Since we need the UUID of the container, we needed to move Systemd to be a config option of the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Generate a passwd file for users not in containerDaniel J Walsh2018-10-12
| | | | | | | If someone runs podman as a user (uid) that is not defined in the container we want generate a passwd file so that getpwuid() will work inside of container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1605 from mheon/syslog_cleanupOpenShift Merge Robot2018-10-11
|\ | | | | Pass along syslog variable to podman cleanup processes
| * Pass along syslog variable to podman cleanup processesMatthew Heon2018-10-11
| | | | | | | | | | | | | | | | | | As of now, there is no way to debug podman clean up processes. They are started by conmon with no stdout/stderr and log nowhere. This allows us to actually figure out what is going on when a cleanup process runs. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Merge pull request #1628 from giuseppe/rootless-fix-hang-on-setresuidOpenShift Merge Robot2018-10-11
|\ \ | | | | | | rootless: fix hang on startup with older glibc versions
| * | rootless: detect when user namespaces are not enabledGiuseppe Scrivano2018-10-11
| | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | rootless: report more error messages from the startup phaseGiuseppe Scrivano2018-10-11
| | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | rootless: fix an hang on older versions of setresuid/setresgidGiuseppe Scrivano2018-10-11
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the issue is caused by the Go Runtime that messes up with the process signals, overriding SIGSETXID and SIGCANCEL which are used internally by glibc. They are used to inform all the threads to update their stored uid/gid information. This causes a hang on the set*id glibc wrappers since the handler installed by glibc is never invoked. Since we are running with only one thread, we don't really need to update other threads or even the current thread as we are not using getuid/getgid before the execvp. Closes: https://github.com/containers/libpod/issues/1625 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / Add --ip flag and plumbing into libpodMatthew Heon2018-10-11
|/ | | | | | | | | | | Add the --ip flag back with bash completions. Manpages still missing. Add plumbing to pass appropriate the appropriate option down to libpod to connect the flag to backend logic added in the previous commits. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Fix lintMatthew Heon2018-10-04
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Drop libnetwork vendor and move the code into pkg/Matthew Heon2018-10-04
| | | | | | | | | | | The vendoring issues with libnetwork were significant (it was dragging in massive amounts of code) and were just not worth spending the time to work through. Highly unlikely we'll ever end up needing to update this code, so move it directly into pkg/ so we don't need to vendor libnetwork. Make a few small changes to remove the need for the remainder of libnetwork. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1557 from rhatdan/systemdOpenShift Merge Robot2018-10-04
|\ | | | | Don't tmpcopyup on systemd cgroup
| * Don't tmpcopyup on systemd cgroupDaniel J Walsh2018-09-29
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Add ContainerStateExited and OCI delete() in cleanup()Matthew Heon2018-10-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To work better with Kata containers, we need to delete() from the OCI runtime as a part of cleanup, to ensure resources aren't retained longer than they need to be. To enable this, we need to add a new state to containers, ContainerStateExited. Containers transition from ContainerStateStopped to ContainerStateExited via cleanupRuntime which is invoked as part of cleanup(). A container in the Exited state is identical to Stopped, except it has been removed from the OCI runtime and thus will be handled differently when initializing the container. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Merge pull request #1563 from jwhonce/wip/podsOpenShift Merge Robot2018-10-02
|\ \ | | | | | | Implement pod varlink bindings
| * | Implement pod varlink bindingsJhon Honce2018-10-01
| |/ | | | | | | | | | | | | | | | | | | | | | | * Update varlink document * Add NoContainersInPod error in go and python * Add support for varlink pod interface * New code passes pylint * Fix bug in test_runner.sh * Update integration tests for race condition on status check * Add missing port config file support Signed-off-by: Jhon Honce <jhonce@redhat.com>
* / rootless: raise an error when trying to use cgroupsGiuseppe Scrivano2018-10-01
|/ | | | | | https://github.com/containers/libpod/issues/1429#issuecomment-424040416 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add buildah version and distribution to infobaude2018-09-28
| | | | | | | | For the sake of debug and problem reporting, we would benefit from knowing what buildah version was vendored into podman. Also, knowing the distribution and distribution version would also be handy. Signed-off-by: baude <bbaude@redhat.com>
* Add --mount option for `create` & `run` commandDaniel J Walsh2018-09-21
| | | | | | | | Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1524 Approved by: mheon
* Refactor Wait() to not require a timeoutMatthew Heon2018-09-21
| | | | | | | | | | | We added a timeout for convenience, but most invocations don't care about it. Refactor it into WaitWithTimeout() and add a Wait() that doesn't require a timeout and uses the default. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1527 Approved by: mheon
* Don't mount /dev/shm if the user told you --ipc=noneDaniel J Walsh2018-09-21
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1466 Approved by: mheon
* rootless: error out if there are not enough UIDs/GIDs availableGiuseppe Scrivano2018-09-21
| | | | | | | | | | | Most container images assume there are at least 65536 UIDs/GIDs available. Raise an error if there are not enough IDs allocated to the current user. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1520 Approved by: rhatdan
* rootless: skip usage of filepath.JoinGiuseppe Scrivano2018-09-21
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1507 Approved by: rhatdan
* create, rootless: join the userns of ns:PATHGiuseppe Scrivano2018-09-21
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1507 Approved by: rhatdan
* spec: refactor ns modes to a common interfaceGiuseppe Scrivano2018-09-21
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1507 Approved by: rhatdan
* Add new field to libpod to indicate whether or not to use labellingDaniel J Walsh2018-09-20
| | | | | | | | | | | | | | | Also update some missing fields libpod.conf obtions in man pages. Fix sort order of security options and add a note about disabling labeling. When a process requests a new label. libpod needs to reserve all labels to make sure that their are no conflicts. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1406 Approved by: mheon
* Vendor in latest containers/buildahDaniel J Walsh2018-09-18
| | | | | | Switch from projectatomic/buildah to containers/buildah Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Small updates to OCI spec generationMatthew Heon2018-09-17
| | | | | | | | | | | | | Firstly, when adding the privileged catch-all resource device, first remove the spec's default catch-all resource device. Second, remove our default rootfs propogation config - Docker does not set this by default, so I don't think we should either. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1491 Approved by: TomSweeneyRedHat
* Merge pull request #1467 from rhatdan/devMatthew Heon2018-09-14
|\ | | | | Don't mount /dev/* if user mounted /dev
| * Don't mount /dev/* if user mounted /devDaniel J Walsh2018-09-14
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #1474 from baude/varlinkinforegistriesMatthew Heon2018-09-14
|\ \ | | | | | | add registry information to varlink info
| * | add registry information to varlink infobaude2018-09-14
| |/ | | | | | | | | | | | | when using the varlink api, we should pass on the registries information as is present in the cli info command. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #1434 from rhatdan/waitMatthew Heon2018-09-14
|\ \ | |/ |/| Add --interval flag to podman wait
| * Add --interval flag to podman waitDaniel J Walsh2018-09-13
| | | | | | | | | | | | | | Waiting uses a lot of CPU, so drop back to checking once/second and allow user to pass in the interval. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Swap default mount propagation from private to rprivateMatthew Heon2018-09-13
|/ | | | | | | | | | This matches Docker behavior more closely and should resolve an issue we were seeing with /sys mounts Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1465 Approved by: rhatdan
* Pass on securityOpts from podInfraContainer to container added to pod.Daniel J Walsh2018-09-11
| | | | | | | | | | This is an incomplete fix, as it would be best for the libpod library to be in charge of coordinating the container's dependencies on the infra container. A TODO was left as such. UTS is a special case, because the docker library that namespace handling is based off of doesn't recognize a UTS based on another container as valid, despite the library being able to handle it correctly. Thus, it is left in the old way. Signed-off-by: haircommander <pehunt@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1347 Approved by: mheon
* Replace existing iptables handler with firewall codeMatthew Heon2018-09-10
| | | | | | | | | | | | Use the new firewall code vendored from CNI to replace the existing iptables rule addition handler we had in place. This adds proper support for firewalld and should be much better at interacting with the firewall. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1431 Approved by: baude
* Vendor CNI plugins firewall codeMatthew Heon2018-09-10
| | | | | | | | | | | | | | The upstream CNI project has a PR open for adding iptables and firewalld support, but this has been stalled for the better part of a year upstream. On advice of several maintainers, we are vendoring this code into libpod, to perform the relevant firewall configuration ourselves. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1431 Approved by: baude
* Fix pod sharing for utsmodeDaniel J Walsh2018-09-07
| | | | | | | | | | | | | We should be sharing cgroups namespace by default in pods uts namespace sharing was broken in pods. Create a new libpod/pkg/namespaces for handling of namespace fields in containers Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1418 Approved by: mheon
* Respect user-added mounts over default spec mountsMatthew Heon2018-09-07
| | | | | | | | | | | | | | When there was a conflict between a user-added volume and a mount already in the spec, we previously respected the mount already in the spec and discarded the user-added mount. This is counter to expected behavior - if I volume-mount /dev into the container, I epxect it will override the default /dev in the container, and not be ignored. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1419 Approved by: TomSweeneyRedHat
* Ensure we do not overlap mounts in the specMatthew Heon2018-09-07
| | | | | | | | | | | When user-specified volume mounts overlap with mounts already in the spec, remove the mount in the spec to ensure there are no conflicts. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1419 Approved by: TomSweeneyRedHat
* Change references to cri-o to point at new repositoryDaniel J Walsh2018-09-07
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1425 Approved by: mheon
* Add CRI logs parsing to podman logsumohnani82018-09-05
| | | | | | | | | | | Podman logs was not parsing CRI logs well, especially the F and P logs. Now using the same parsing code as in kube here. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #1403 Approved by: rhatdan
* rootless: check uid with Geteuid() instead of Getuid()Giuseppe Scrivano2018-09-04
| | | | | | | | | | | | change the tests to use chroot to set a numeric UID/GID. Go syscall.Credential doesn't change the effective UID/GID of the process. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1372 Approved by: mheon