summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* add container-init supportValentin Rothberg2019-01-04
| | | | | | | | | | | | | | | | | | | Add support for executing an init binary as PID 1 in a container to forward signals and reap processes. When the `--init` flag is set for podman-create or podman-run, the init binary is bind-mounted to `/dev/init` in the container and "/dev/init --" is prepended to the container's command. The default base path of the container-init binary is `/usr/libexec/podman` while the default binary is catatonit [1]. This default can be changed permanently via the `init_path` field in the `libpod.conf` configuration file (which is recommended for packaging) or temporarily via the `--init-path` flag of podman-create and podman-run. [1] https://github.com/openSUSE/catatonit Fixes: #1670 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Fix handling of symbolic linksDaniel J Walsh2018-12-28
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fixes to handle /dev/shm correctly.Daniel J Walsh2018-12-24
| | | | | | | | | | | | | | | | | | We had two problems with /dev/shm, first, you mount the container read/only then /dev/shm was mounted read/only. This is a bug a tmpfs directory should be read/write within a read-only container. The second problem is we were ignoring users mounted /dev/shm from the host. If user specified podman run -d -v /dev/shm:/dev/shm ... We were dropping this mount and still using the internal mount. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Refactor: use idtools.ParseIDMap instead of bundling own versionŠimon Lukašík2018-12-23
| | | | | | | | | | | ParseIDMap function was extracted to idtools in https://github.com/containers/storage/pull/236 it is already used in containers/storage and buildah, it should be used in libpod as well. Signed-off-by: Šimon Lukašík <isimluk@fedoraproject.org>
* Switch all referencs to image.ContainerConfig to image.ConfigDaniel J Walsh2018-12-21
| | | | | | This will more closely match what Docker is doing. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Allow users to specify a directory for additonal devicesDaniel J Walsh2018-12-21
| | | | | | | Podman will search through the directory and will add any device nodes that it finds. If no devices are found we return an error. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Change all 'can not' to 'cannot' for proper usageDaniel J Walsh2018-12-21
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Invalid index for arrayDaniel J Walsh2018-12-21
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless: add function to join user and mount namespaceGiuseppe Scrivano2018-12-21
| | | | | | | | | | Add the possibility to join directly the user and mount namespace without looking up the parent of the user namespace. We need this in order to be able the conmon process, as the mount namespace is kept alive only there. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Support podman image trust commandQi Wang2018-12-19
| | | | | | Display the trust policy of the host system. The trust policy is stored in the /etc/containers/policy.json file and defines a scope of registries or repositories. Signed-off-by: Qi Wang <qiwan@redhat.com>
* Clean up some existing varlink endpointsbaude2018-12-12
| | | | | | | | Going through and adding options (like tls-verify, signature option, etc) to some varlink endpoints (like push/pull) many of which had not been updated since their original authoring. Signed-off-by: baude <bbaude@redhat.com>
* add more example usage to varlink endpointsbaude2018-12-09
| | | | Signed-off-by: baude <bbaude@redhat.com>
* add timeout to pod stopbaude2018-12-07
| | | | | | | | like podman stop of containers, we should allow the user to specify a timeout override when stopping pods; otherwise they have to wait the full timeout time specified during the pod/container creation. Signed-off-by: baude <bbaude@redhat.com>
* Remove the forceSecure parameter on the pull call stackMiloslav Trmač2018-12-06
| | | | | | | DockerRegistryOptions.DockerInsecureSkipTLSVerify as an types.OptionalBool can now represent that value, so forceSecure is redundant. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Factor out the registries.conf location code in pkg/registriesMiloslav Trmač2018-12-06
| | | | | | | | | The newly introduced SystemRegistriesConfPath somewhat decreases duplication, but more importantly will allow future callers to set just a types.SystemContext.SystemRegistriesConfPath and not call GetRegistries / GetInsecureRegistries at all. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove the forceSecure parameter of Image.PushImageTo*Miloslav Trmač2018-12-06
| | | | | | | DockerRegistryOptions.DockerInsecureSkipTLSVerify as an types.OptionalBool can now represent that value, so forceSecure is redundant. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Minimally update for the DockerInsecureSkipTLSVerify type changeMiloslav Trmač2018-12-06
| | | | | | | | | | | | | | | | | Following SystemContext.DockerInsecureSkipTLSVerify, make the DockerRegistryOne also an OptionalBool, and update callers. Explicitly document that --tls-verify=true and --tls-verify unset have different behavior in those commands where the behavior changed (or where it hasn't changed but the documentation needed updating). Also make the --tls-verify man page sections a tiny bit more consistent throughout. This is a minimal fix, without changing the existing "--tls-verify=true" paths nor existing manual insecure registry lookups. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Add "podman volume" commandumohnani82018-12-06
| | | | | | | | | | | | | | | Add support for podman volume and its subcommands. The commands supported are: podman volume create podman volume inspect podman volume ls podman volume rm podman volume prune This is a tool to manage volumes used by podman. For now it only handle named volumes, but eventually it will handle all volumes used by podman. Signed-off-by: umohnani8 <umohnani@redhat.com>
* Merge pull request #1924 from baude/mroevarlinkendpointsOpenShift Merge Robot2018-12-05
|\ | | | | Adding more varlink endpoints
| * Adding more varlink endpointsbaude2018-12-03
| | | | | | | | | | | | | | | | | | | | | | * runlabel * checkpoint * restore * container|image exists * mount * unmount Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #1940 from wking/numeric-gidOpenShift Merge Robot2018-12-05
|\ \ | | | | | | libpod/container_internal_linux: Allow gids that aren't in the group file
| * | pkg/lookup: Return ID-only pointers on ErrNo*EntriesW. Trevor King2018-12-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Callers that only care about the IDs should try to convert the identifier to an integer before calling the Get* functions, so they can save the cost of hitting the filesystem and maybe or maybe not finding the other fields (User.Name, etc.). But callers that *want* the other fields but only actually need the ID can, with this commit, just call the Get* function and ignore ErrNo*Entries responses: user, err := lookup.GetUser(mount, userIDorName) if err != nil && err != ErrNoPasswdEntries { return err } Previously, they'd have to perform their own integer-conversion attempt in Get* error handling, with logic like: user, err := lookup.GetUser(mount, userIDorName) if err == ErrNoPasswdEntries { uuid, err := strconv.ParseUint(userIDorName, 10, 32) if err == nil { user.Uid = int(uuid) } } else if err != nil { return err } Signed-off-by: W. Trevor King <wking@tremily.us>
* | | Merge pull request #1918 from mheon/use_db_pathsOpenShift Merge Robot2018-12-05
|\ \ \ | |/ / |/| | Use paths written in DB instead if they differ from our defaults
| * | Revert changes to GetDefaultStoreOptionsMatthew Heon2018-12-03
| | | | | | | | | | | | | | | | | | | | | | | | We don't need this for anything more than rootless work in Libpod now, but Buildah still uses it as it was originally written, so leave it intact as part of our API. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | Fix gofmt and lintMatthew Heon2018-12-02
| | | | | | | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | Move rootless storage config into libpodMatthew Heon2018-12-02
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | Previous commits ensured that we would use database-configured paths if not explicitly overridden. However, our runtime generation did unconditionally override storage config, which made this useless. Move rootless storage configuration setup to libpod, and change storage setup so we only override if a setting is explicitly set, so we can still override what we want. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | create pod on the flybaude2018-12-03
| | | | | | | | | | | | | | | | | | | | when a user specifies --pod to podman create|run, we should create that pod automatically. the port bindings from the container are then inherited by the infra container. this signicantly improves the workflow of running containers inside pods with podman. the user is still encouraged to use podman pod create to have more granular control of the pod create options. Signed-off-by: baude <bbaude@redhat.com>
* | rootless: raise error if newuidmap/newgidmap are not installedGiuseppe Scrivano2018-12-03
|/ | | | | | | | | | it was reported on IRC that Podman on Ubuntu failed as newuidmap/newgidmap were not installed by default. Raise an error if we are not allowing single mappings (used only by the tests suite) and any of the binaries is not present. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1846 from cgwalters/netns-dns-localhostOpenShift Merge Robot2018-11-28
|\ | | | | Use host's resolv.conf if no network namespace enabled
| * Use host's resolv.conf if no network namespace enabledColin Walters2018-11-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | My host system runs Fedora Silverblue 29 and I have NetworkManager's `dns=dnsmasq` setting enabled, so my `/etc/resolv.conf` only has `127.0.0.1`. I also run my development podman containers with `--net=host` for various reasons. If we have a host network namespace, there's no reason not to just use the host's nameserver configuration either. This fixes e.g. accessing content on a VPN, and is also faster since the container is using cached DNS. I know this doesn't solve the bigger picture issue of localhost-DNS conflicting with bridged networking, but that's far more involved, probably requiring a DNS proxy in the container. This patch makes my workflow a lot nicer and was easy to write. Signed-off-by: Colin Walters <walters@verbum.org>
* | Merge pull request #1849 from giuseppe/report-rootless-netmodeOpenShift Merge Robot2018-11-28
|\ \ | | | | | | rootless: add new netmode "slirp4netns"
| * | network: allow slirp4netns mode also for root containersGiuseppe Scrivano2018-11-28
| | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | rootless: add new netmode "slirp4netns"Giuseppe Scrivano2018-11-27
| |/ | | | | | | | | | | | | | | so that inspect reports the correct network configuration. Closes: https://github.com/containers/libpod/issues/1453 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / rootless: store only subset of storage.confGiuseppe Scrivano2018-11-28
|/ | | | | | | | | do not store the entire file but only the subset of what we have modified. Also, we were not writing the correct data. Since it is not trivial to serialize storage.conf correctly and all the various supported options, serialize only what we care about. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add history and namespaceoptions to image inspectQi Wang2018-11-26
| | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* Merge pull request #1829 from baude/enableportbindinginpodsOpenShift Merge Robot2018-11-20
|\ | | | | Allow users to expose ports from the pod to the host
| * Allow users to expose ports from the pod to the hostbaude2018-11-20
| | | | | | | | | | | | | | | | | | | | we need to allow users to expose ports to the host for the purposes of networking, like a webserver. the port exposure must be done at the time the pod is created. strictly speaking, the port exposure occurs on the infra container. Signed-off-by: baude <bbaude@redhat.com>
* | rootless: create empty mounts.conf if it doesn't existGiuseppe Scrivano2018-11-19
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | registries: check user registries file only in rootless modeGiuseppe Scrivano2018-11-19
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | rootless: create storage.conf when it doesn't existGiuseppe Scrivano2018-11-19
|/ | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1756 from isimluk/update-dependent-metalinterOpenShift Merge Robot2018-11-16
|\ | | | | Update metalinter dependency
| * Lint: InspectImage varlink api should return errors that occurredŠimon Lukašík2018-11-10
| | | | | | | | | | | | | | | | | | Not just nil. Addressing: pkg/varlinkapi/images.go:273:15:warning: ineffectual assignment to err (ineffassign) Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
* | rootless: call IsRootless just onceGiuseppe Scrivano2018-11-14
| | | | | | | | | | | | | | we are calling this function several times, it is worth to store its result and re-use it. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Better document rootless containersDaniel J Walsh2018-11-10
|/ | | | | | | | | Need to return an error pointing user in right direction if rootless podman fails, because of no /etc/subuid or /etc/subgid files. Also fix up man pages to better describe rootless podman. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless: default to fuse-overlayfs when availableGiuseppe Scrivano2018-11-08
| | | | | | | | | If fuse-overlayfs is present, rootless containers default to use it. This can still be overriden either via the command line with --storage-driver or in the ~/.config/containers/storage.conf configuration file. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Don't fail if /etc/passwd or /etc/group does not existsDaniel J Walsh2018-11-07
| | | | | | | | | | | Container images can be created without passwd or group file, currently if one of these containers gets run with a --user flag the container blows up complaining about t a missing /etc/passwd file. We just need to check if the error on read is ENOEXIST then allow the read to return, not fail. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1736 from giuseppe/rootless-drop-run-postfixOpenShift Merge Robot2018-10-31
|\ | | | | rootless: do not add an additional /run to runroot
| * rootless: do not add an additional /run to runrootGiuseppe Scrivano2018-10-31
| | | | | | | | | | | | | | | | | | we are currently using something like /run/user/UID/run as runroot, as it is already done by Buildah. This ends up with /run/user/UID/run/runc for the runc directory. Change to drop the additional /run so that runc will use /run/user/UID/runc. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1731 from afbjorklund/versionOpenShift Merge Robot2018-10-31
|\ \ | |/ |/| Fix setting of version information
| * Fix setting of version informationAnders F Björklund2018-10-31
| | | | | | | | | | | | | | It was setting the wrong variable (CamelCase) in the wrong module ("main", not "libpod")... Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>