summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Fix: Hijacking v2 endpoints to follow rfc 7230 semanticsKorhonen Sami (Samlink)2020-07-09
| | | | | | | | | | | | | | | | | | | | | | | | After this patch v2 hijacking endpoints, exec/start and containers/attach follow rfc 7230 specification. Connection will only be upgraded, if client specifies upgrade headers: For tcp connections: Connection: Upgrade Upgrade: tcp For unix socket connections: Connection: Upgrade Upgrade: sock There are currently no checks if upgrade type actually matches with available protocols. Implementation just protocol that client requested Signed-off-by: Sami Korhonen <skorhone@gmail.com>
* Remove hijacked connections from active connections listKorhonen Sami (Samlink)2020-07-09
| | | | | | | | | | | | | | | | | | | | | | | StateHijacked is a terminal state. If hijacked connection is registered as an active connection, connection will never be unregistered. This causes two issues First issue is that active connection counters are off. Second issue is a resource leak caused by connection object that is stored to a map. After this patch hijacked connections are no longer visible in counters. If a counter for hijacked connections is required, podman must track connections returned by Hijacker.Hijack() It might make sense to develop abstraction layer for hijacking - and move all hijacking related code to a separate package. Hijacking code is prone to resource leaks and it should be thoroughly tested. Signed-off-by: Sami Korhonen <skorhone@gmail.com>
* Merge pull request #6906 from rhatdan/VENDOROpenShift Merge Robot2020-07-09
|\ | | | | Vendor in new version of Buildah
| * Vendor in new version of BuildahDaniel J Walsh2020-07-09
| | | | | | | | | | | | This also pulls in latest runc and containers/common Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| * Remove dependency on github.com/opencontainers/libpod/configsDaniel J Walsh2020-07-09
| | | | | | | | | | | | | | | | | | We are using these dependencies just to get the device from path. These dependencies no longer build on Windows, so simply cloning the deviceFromPath function, we can eliminate the need for this vendoring. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #6835 from zhangguanzhang/masterOpenShift Merge Robot2020-07-09
|\ \ | | | | | | fix API: Create container with an invalid configuration
| * | fix API: Create container with an invalid configurationzhangguanzhang2020-07-09
| |/ | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* / log API: add context to allow for cancellingValentin Rothberg2020-07-09
|/ | | | | | | | | Add a `context.Context` to the log APIs to allow for cancelling streaming (e.g., via `podman logs -f`). This fixes issues for the remote API where some go routines of the server will continue writing and produce nothing but heat and waste CPU cycles. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #6829 from rhatdan/keepidOpenShift Merge Robot2020-07-07
|\ | | | | Add username to /etc/passwd inside of container if --userns keep-id
| * Add username to /etc/passwd inside of container if --userns keep-idDaniel J Walsh2020-07-07
| | | | | | | | | | | | | | | | | | | | If I enter a continer with --userns keep-id, my UID will be present inside of the container, but most likely my user will not be defined. This patch will take information about the user and stick it into the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Add support for Filter query parameter to list images apiKorhonen Sami (Samlink)2020-07-07
|/ | | | | | | | | | | | Docker api version 1.24 uses a query parameter named Filter for filtering images by names. In more recent versions of api name filter is in filters query parameter with other filters This patch adds a mapping that translates Filter query parameter to Filters={"reference": [""]} Signed-off-by: Sami Korhonen <skorhone@gmail.com>
* Implement --sdnotify cmdline option to control sd-notify behaviorJoseph Gooch2020-07-06
| | | | | | | | | | | | | | | | | | | --sdnotify container|conmon|ignore With "conmon", we send the MAINPID, and clear the NOTIFY_SOCKET so the OCI runtime doesn't pass it into the container. We also advertise "ready" when the OCI runtime finishes to advertise the service as ready. With "container", we send the MAINPID, and leave the NOTIFY_SOCKET so the OCI runtime passes it into the container for initialization, and let the container advertise further metadata. This is the default, which is closest to the behavior podman has done in the past. The "ignore" option removes NOTIFY_SOCKET from the environment, so neither podman nor any child processes will talk to systemd. This removes the need for hardcoded CID and PID files in the command line, and the PIDFile directive, as the pid is advertised directly through sd-notify. Signed-off-by: Joseph Gooch <mrwizard@dok.org>
* Merge pull request #6836 from ashley-cui/tzlibpodOpenShift Merge Robot2020-07-06
|\ | | | | Add --tz flag to create, run
| * Add --tz flag to create, runAshley Cui2020-07-02
| | | | | | | | | | | | | | --tz flag sets timezone inside container Can be set to IANA timezone as well as `local` to match host machine Signed-off-by: Ashley Cui <acui@redhat.com>
* | move go module to v2Valentin Rothberg2020-07-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With the advent of Podman 2.0.0 we crossed the magical barrier of go modules. While we were able to continue importing all packages inside of the project, the project could not be vendored anymore from the outside. Move the go module to new major version and change all imports to `github.com/containers/libpod/v2`. The renaming of the imports was done via `gomove` [1]. [1] https://github.com/KSubedi/gomove Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #6846 from mheon/fix_pod_errorsOpenShift Merge Robot2020-07-06
|\ \ | | | | | | Print errors from individual containers in pods
| * | Print errors from individual containers in podsMatthew Heon2020-07-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The infra/abi code for pods was written in a flawed way, assuming that the map[string]error containing individual container errors was only set when the global error for the pod function was nil; that is not accurate, and we are actually *guaranteed* to set the global error when any individual container errors. Thus, we'd never actually include individual container errors, because the infra code assumed that err being set meant everything failed and no container operations were attempted. We were originally setting the cause of the error to something nonsensical ("container already exists"), so I made a new error indicating that some containers in the pod failed. We can then ignore that error when building the report on the pod operation and actually return errors from individual containers. Unfortunately, this exposed another weakness of the infra code, which was discarding the container IDs. Errors from individual containers are not guaranteed to identify which container they came from, hence the use of map[string]error in the Pod API functions. Rather than restructuring the structs we return from pkg/infra, I just wrapped the returned errors with a message including the ID of the container. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #6852 from skorhone/fix/6803_null_portsOpenShift Merge Robot2020-07-05
|\ \ \ | | | | | | | | Fix container inspect endpoint returning null for network settings / ports
| * | | Fix issue #6803 Container inspect endpoint returns null for ↵Korhonen Sami (Samlink)2020-07-03
| |/ / | | | | | | | | | | | | | | | | | | | | | NetworkSettings/Ports Implement mapping for NetworkSettings/Ports for Container inspect endpoint Signed-off-by: Sami Korhonen <skorhone@gmail.com>
* | | Merge pull request #6838 from mheon/fix_panic_eventsOpenShift Merge Robot2020-07-02
|\ \ \ | |/ / |/| | Fix `system service` panic from early hangup in events
| * | Fix `system service` panic from early hangup in eventsMatthew Heon2020-07-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We weren't actually halting the goroutine that sent events, so it would continue sending even when the channel closed (the most notable cause being early hangup - e.g. Control-c on a curl session). Use a context to cancel the events goroutine and stop sending events. Fixes #6805 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | APIv2:fix: Handle docker volume force as expectedmaybe-sybr2020-07-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | In response to input regarding the semantic difference for the `force` parameter for volume removal between Docker and us, this change ensures that we emulate the Dockr behaviour correctly when this parameter is specified. Signed-off-by: Matt Brindley <58414429+maybe-sybr@users.noreply.github.com>
* | | APIv2: Add docker compatible volume endpointsmaybe-sybr2020-07-02
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change implements docker compatibile endpoint for interacting with volumes. The code is mostly lifted from the `libpod` API handlers but decodes and constructs data using types defined in the docker API package. Some notable support caveats with the current implementation: * we don't return the nullable `Status` or `UsageData` keys when returning volume information for inspect and create endpoints * we don't support filters when pruning * we return a fixed `0` for the `SpaceReclaimed` key when pruning since we have no insight into how much space was freed from runtime Signed-off-by: Matt Brindley <58414429+maybe-sybr@users.noreply.github.com>
* | Created timestamp returned by imagelist should be in unix formatDaniel J Walsh2020-06-30
|/ | | | | | | | In the API, we are currently returning the image time of creation as a string, in time.Time format. The API is for a 64 bit integer representing Unix time. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #6747 from giuseppe/fix-user-volumesOpenShift Merge Robot2020-06-30
|\ | | | | container: move volume chown after spec generation
| * container: move volume chown after spec generationGiuseppe Scrivano2020-06-29
| | | | | | | | | | | | | | | | | | move the chown for newly created volumes after the spec generation so the correct UID/GID are known. Closes: https://github.com/containers/libpod/issues/5698 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | fix: Don't override entrypoint if it's `nil`maybe-sybr2020-06-30
| | | | | | | | | | | | | | This change ensures that we only override a container's entrypoint if it is set to something other than `nil`. Signed-off-by: Matt Brindley <58414429+maybe-sybr@users.noreply.github.com>
* | Merge pull request #6808 from mheon/allow_empty_hostportOpenShift Merge Robot2020-06-29
|\ \ | | | | | | Allow empty host port in --publish flag
| * | Allow empty host port in --publish flagMatthew Heon2020-06-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I didn't believe that this was actually legal, but it looks like it is. And, unlike our previous understanding (host port being empty means just use container port), empty host port actually carries the same meaning as `--expose` + `--publish-all` (that is, assign a random host port to the given container port). This requires a significant rework of our port handling code to handle this new case. I don't foresee this being commonly used, so I optimized having a fixed port number as fast path, which this random assignment code running after the main port handling code only if necessary. Fixes #6806 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Set console mode for windowsBrent Baude2020-06-29
| | | | | | | | | | | | | | | | | | Windows terminal handling is different than darwin and linux. It needs to have the terminal mode set to enable virtual terminal processing. This allows colors and other things to work. Signed-off-by: Brent Baude <bbaude@redhat.com>
* | | Merge pull request #6763 from maxm123/masterOpenShift Merge Robot2020-06-29
|\ \ \ | | | | | | | | Fix error handling problem in APIv2 network remove
| * | | Fix a bug with APIv2 compat network remove to log an ErrNetworkNotFound ↵Maximilian Müller2020-06-27
| |/ / | | | | | | | | | | | | | | | instead of nil Signed-off-by: Maximilian Müller <maxm123@techie.com>
* | | Merge pull request #6768 from vrothberg/fix-6766OpenShift Merge Robot2020-06-29
|\ \ \ | | | | | | | | generate systemd: improve pod-flags filter
| * | | generate systemd: improve pod-flags filterValentin Rothberg2020-06-25
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | When generating systemd unit for pods, we need to remove certain pod-related flags from the containers' create commands. Make sure to account for all the syntax including a single argument with key and value being split by `=`. Fixes: #6766 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Ensure umask is set appropriately for 'system service'Matthew Heon2020-06-26
| |/ |/| | | | | | | | | | | | | | | | | | | | | We need a umask of 0022 to ensure containers are created correctly, but we set a different one prior to starting the server (to ensure the unix socket has the right permissions). Thus, we need to set the umask after the socket has been bound, but before the server begins accepting requests. Fixes #6787 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | specgen: fix order for setting rlimitsRalf Haferkamp2020-06-26
| | | | | | | | | | | | | | | | | | | | | | | | Also make sure that the limits we set for rootless are not higher than what we'd set for root containers. Rootless containers failed to start when the calling user already had ulimit (e.g. on NOFILE) set. This is basically a cherry-pick of 76f8efc0d0d into specgen Signed-off-by: Ralf Haferkamp <rhafer@suse.com>
* | Merge pull request #6756 from mheon/add_dangling_filterOpenShift Merge Robot2020-06-26
|\ \ | | | | | | Add support for dangling filter to volumes
| * | Add support for dangling filter to volumesMatthew Heon2020-06-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | The dangling filter determine whether a volume is dangling - IE, it has no containers attached using it. Unlike our other filters, this one is a boolean - must be true or false, not arbitrary values. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #6761 from mheon/fix_ps_portmappingsOpenShift Merge Robot2020-06-25
|\ \ \ | | | | | | | | Print port mappings in `ps` for ctrs sharing network
| * | | Print port mappings in `ps` for ctrs sharing networkMatthew Heon2020-06-24
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | In Podman v1.9, we printed port mappings for the container, even if it shared its network namespace (and thus ports) with another container. We regressed on this in Podman v2.0, which is fixed here. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | / systemd generate: allow manual restart of container units in podsValentin Rothberg2020-06-25
| |/ |/| | | | | | | | | | | | | Allow manual restarts of container units that are part of a pod. This allows for configuring these containers for auto updates. Fixes: #6770 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #6713 from mheon/debug_levelOpenShift Merge Robot2020-06-25
|\ \ | |/ |/| Set syslog for exit commands on log-level=debug
| * Set syslog for exit commands on log-level=debugMatthew Heon2020-06-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We have a flag, --syslog, for telling logrus to log to syslog as well as to the terminal. Previously, this flag also set the exit command for containers to use `--syslog` (otherwise all output from exit commands is lost). I attempted to replicate this with Podman v2.0, but quickly ran into circular import hell (the flag is defined in cmd/podman, I needed it in cmd/podman/containers, cmd/podman imports cmd/podman/containers already, etc). Instead, let's just set the syslog flag automatically on `--log-level=debug` so we log exit commands automatically when debug-level logs are requested. This is consistent with Conmon and seems to make sense. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | utils: drop default mapping when running uid!=0Giuseppe Scrivano2020-06-24
|/ | | | | | | | | | this is a leftover from the first implementation of rootless. This code is never hit by podman rootless anymore as podman automatically creates a user namespace now. Fixes an issue with podman remote when used with uid != 0. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #6741 from maybe-sybr/maybe/apiv2/fix-volume-create-codeOpenShift Merge Robot2020-06-24
|\ | | | | APIv2: Return `StatusCreated` from volume creation
| * APIv2: Return `StatusCreated` from volume creationmaybe-sybr2020-06-24
| | | | | | | | | | | | | | | | The swagdoc in `register_volumes.go` already correctly notes that a 201 should be returned upon success, so we only need to change the handler to match the spec. Signed-off-by: Matt Brindley <58414429+maybe-sybr@users.noreply.github.com>
* | Merge pull request #6738 from maybe-sybr/maybe/apiv2/fix-network-compat-urlsOpenShift Merge Robot2020-06-24
|\ \ | | | | | | APIv2:fix: Remove `/json` from compat network EPs
| * | APIv2:fix: Remove `/json` from compat network EPsmaybe-sybr2020-06-24
| |/ | | | | | | Signed-off-by: Matt Brindley <58414429+maybe-sybr@users.noreply.github.com>
* | Merge pull request #6739 from jwhonce/wip/connectionOpenShift Merge Robot2020-06-24
|\ \ | | | | | | Fix ssh-agent support
| * | Fix ssh-agent supportJhon Honce2020-06-23
| |/ | | | | | | | | | | | | * An identity of "" implies ssh-agent and user/password to be used * Fixed example Signed-off-by: Jhon Honce <jhonce@redhat.com>