summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* varlink buildbaude2018-06-01
| | | | | | | | | | | | Add the endpoint and methods for build so users can build an image with varlink. build can also use the more method for streaming output back more regularily; however, it looks like a bug in buildah does not output all build output to the writer provided. Tidy up some create fixes and add endpoint for GetImage requested by jhonce. Signed-off-by: baude <bbaude@redhat.com>
* return all inspect info for varlink containerinspectbaude2018-06-01
| | | | | | | | | | | when obtaining the inspect information for a container through varlink, we need to extract more container related information by parsing the data through the method 'GetCtrInspectInfo' which was previously only in podman's main. Signed-off-by: baude <bbaude@redhat.com> Closes: #866 Approved by: rhatdan
* hooks/exec: Allow successful reaps for 0s post-kill timeoutsW. Trevor King2018-06-01
| | | | | | | | | | | | | | | | | | | | | | | | | I'd been getting the failed-to-reap errors locally, but on an unrelated pull-request the FAH27 suite successfully reaped that hook [1]: --- FAIL: TestRunKillTimeout (0.50s) assertions.go:226: Error Trace: exec_test.go:210 Error: Expect "signal: killed" to match "^failed to reap process within 0s of the kill signal$" FAIL The successful-reap cases limit our coverage, but I don't think that's a big enough problem to be worth repeated polling or similar until we do get the failed-to-reap error. [1]: https://s3.amazonaws.com/aos-ci/ghprb/projectatomic/libpod/96c1535fdc11b2de24421863d7ad5d3b94338b37.0.1527811547665239762/output.log Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #868 Approved by: rhatdan
* If user specifies UIDMapSlice without GIDMapSlice, set them equalDaniel J Walsh2018-05-31
| | | | | | | | | | | We need to map slices set for both UID and GID maps to be equivalent if not specified by user. Currently if you do not specify both the containers are not running. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #865 Approved by: baude
* pkg/hooks/exec: Add a new package for local hook executionW. Trevor King2018-05-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This wraps os/exec to: * Clear the environment when the hook doesn't set 'env'. The runtime spec has [1]: > * env (array of strings, OPTIONAL) with the same semantics as IEEE > Std 1003.1-2008's environ. And running execle or similar with NULL env results in an empty environment: $ cat test.c #include <unistd.h> int main() { return execle("/usr/bin/env", "env", NULL, NULL); } $ cc -o test test.c $ ./test ...no output... Go's Cmd.Env, on the other hand, has [2]: > If Env is nil, the new process uses the current process's environment. This commit works around that by setting []string{} in those cases to avoid leaking the runtime environment into the hooks. * Roll the 'timeout' value (if set) into the passed context. There's no need for two separate ways to cancel hook execution. * Add a configurable timeout on abandoning a post-kill wait. The waiting goroutine will continue and eventually reap the process, but this avoids blocking the Run() call when that takes inordinately long (for example, if a GPU cleanup hook is stuck in I/O sleep [3]). The 'env' output format is specified in POSIX [4]. [1]: https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks [2]: https://golang.org/pkg/os/exec/#Cmd [3]: https://github.com/projectatomic/libpod/pull/857#discussion_r192191002 [4]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/env.html Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #857 Approved by: mheon
* hooks: Rename Hooks() output to extensionStageHooksW. Trevor King2018-05-31
| | | | | | | | | | To more clearly distinguish between the extensionStages input to New() (a slice of strings) and the map output from Hooks(). Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #855 Approved by: rhatdan
* hooks: Allow local control of OCI stages via extensionStagesW. Trevor King2018-05-31
| | | | | | | | | | | | This allows callers to avoid delegating to OCI runtimes for cases where they feel that the runtime hook handling is unreliable [1]. [1]: https://github.com/projectatomic/libpod/issues/730#issuecomment-392959938 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #855 Approved by: rhatdan
* Clear all caps, except the bounding set, when --user is specified.Daniel J Walsh2018-05-31
| | | | | | | | | | | | Currently we are giving all caps to users when running with podman run --user, They should get none by default. If the command line includes --cap-add, then we need to run with those capabilties. Similarly we need to drop caps from bounding set, if user specifies --cap-drop Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #851 Approved by: mheon
* Rename addFIPSsModeSecret to addFIPSModeSecretJhon Honce2018-05-25
| | | | | | | Signed-off-by: Jhon Honce <jhonce@redhat.com> Closes: #833 Approved by: mheon
* save and load should support multi-tag for docker-archiveumohnani82018-05-25
| | | | | | | | | | | | The docker-archive tar files can have multiple tags for the same image stored in it. Load pulls all the tags found in the archive when loading a tar file. Save can oush multiple tags of the same image to a tar archive. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #819 Approved by: rhatdan
* Implement python podman create and startJhon Honce2018-05-25
| | | | | | | | | | | | | | | - Added alias 'container()' to image model for CreateContainer() - Fixed return in containers_create.go to wrap error in varlink exception - Added a wait time to container.kill(), number of seconds to wait for the container to change state - Refactored cached_property() to use system libraries - Refactored tests to speed up performance Signed-off-by: Jhon Honce <jhonce@redhat.com> Closes: #821 Approved by: rhatdan
* Spell check strings and commentsJhon Honce2018-05-25
| | | | | | | Signed-off-by: Jhon Honce <jhonce@redhat.com> Closes: #831 Approved by: rhatdan
* hooks/1.0.0: Error on empty process.args instead of panickingW. Trevor King2018-05-24
| | | | | | | | | | | | | | | | | | | | | | | The process property is optional [1], which this package already handled appropriately, although I've added a new test here to guard against regressions. The process.args entry is required when process is set [2], and it's also required to contain at least one entry [3]. The previous implementation here assumed that would always be satisfied, and panicked on empty process.args. With this commit, we avoid the panic and instead return an error message explaining why the input was invalid. [1]: https://github.com/opencontainers/runtime-spec/blame/v1.0.1/config.md#L145 [2]: https://github.com/opencontainers/runtime-spec/blame/v1.0.1/config.md#L157 [3]: https://github.com/opencontainers/runtime-spec/blame/v1.0.1/config.md#L158 Reported-by: Brent Baude <bbaude@redhat.com> Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #829 Approved by: mheon
* podman create, start, getattachsocketbaude2018-05-21
| | | | | | | | | First pass at implement API endpoints for create and start. Signed-off-by: baude <bbaude@redhat.com> Closes: #805 Approved by: baude
* hooks/README: Fix some Markdown typos (e.g. missing runc target)W. Trevor King2018-05-21
| | | | | | | | | | I'd accidentally introduced these typos in ea415610 (hooks/docs: Add oci-hooks.5 and per-package man page building, 2018-05-15, #772). Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #810 Approved by: mheon
* oci-hooks.5: Discuss directory precedence and monitoringW. Trevor King2018-05-21
| | | | | | | | | | | We've had this functionality since 68eb128f (pkg/hooks: Version the hook structure and add 1.0.0 hooks, 2018-04-27, #686), but didn't have any user-facing docs for it. Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #811 Approved by: mheon
* hooks: Fix monitoring of multiple directoriesW. Trevor King2018-05-17
| | | | | | | | | | | | | | | | | | | | | | | | | | This isn't an issue with podman, which will only ever use one directory. But CRI-O generally uses two directories, and we want to make sure that changes to the fallback directory are not clobbering hooks configured in the override directory. More background in [1]. I've split the handling into a single-directory block and a multiple-directory block so we don't waste time polling the filesystem for single-directory removals. I'm using the single-directory block for the the zero-directory case as well. Managers with zero directories should not be receiving fsnotify events, so I don't think it really matters which block handles them. If we want to handle this case robustly (because we're concerned about something in the hook package adjusted the private .directories property on the fly?), then we'll probably want to add an explicit zero-directory block in future work. [1]: https://github.com/kubernetes-incubator/cri-o/pull/1470 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #757 Approved by: rhatdan
* hooks/docs: Add oci-hooks.5 and per-package man page buildingW. Trevor King2018-05-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This allows us to reference the hooks docs from podman(1) in a way that will survive system installation. The downside is that the GitHub rendered pages become less usable, now that we can no longer embed links as freely as we could before. I've followed the "Sections within a manual page" suggestions from [1]. locale(7) is [2], which is Linux-specific. Even section numbering is platform-dependent [3], so it's unlikely that these external man references are particularly portable. Platform packagers can adjust our local references to match their target system, but that leaves the GitHub rendering in an awkward place. For now, I think a Linux-centric GitHub rendering without clickable links may be the best we can do without moving away from go-md2man. As far as I can tell, there's not a nice way to get go-md2man to wrap the links in SEE ALSO without sometimes hyphenating a URL (which makes it harder for man-page readers to copy/paste those links into their browser). I've also fixed some "extention" -> "extension" typos. [1]: http://man7.org/linux/man-pages/man7/man-pages.7.html [2]: http://man7.org/linux/man-pages/man7/locale.7.html [3]: https://en.wikipedia.org/wiki/Man_page#Manual_sections Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #772 Approved by: mheon
* chrootuser: default to GID 0 when given a numeric --userNalin Dahyabhai2018-05-17
| | | | | | | | | | | | | | | When we're given a numeric --user value, default to GID 0 if the numeric ID doesn't correspond to a user entry in /etc/passwd that can provide us with the user's primary group ID. Make sure that GetAdditionalGroupsForUser() returns wrapped errors. Also test various user:group forms. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #728 Approved by: mheon
* implement varlink commitbaude2018-05-15
| | | | | | | Signed-off-by: baude <bbaude@redhat.com> Closes: #762 Approved by: baude
* hooks: Add package support for extension stagesW. Trevor King2018-05-14
| | | | | | | | | | | | | We aren't consuming this yet, but these pkg/hooks changes lay the groundwork for future libpod changes to support post-exit hooks [1,2]. [1]: https://github.com/projectatomic/libpod/issues/730 [2]: https://github.com/opencontainers/runc/issues/1797 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #758 Approved by: rhatdan
* hooks: Order injection by collated JSON filenameW. Trevor King2018-05-11
| | | | | | | | | | | | | | | | | | | | | | | We also considered ordering with sort.Strings, but Matthew rejected that because it uses a byte-by-byte UTF-8 comparison [1] which would fail many language-specific conventions [2]. There's some more discussion of the localeToLanguage mapping in [3]. Currently language.Parse does not handle either 'C' or 'POSIX', returning: und, language: tag is not well-formed for both. [1]: https://github.com/projectatomic/libpod/pull/686#issuecomment-387914358 [2]: https://en.wikipedia.org/wiki/Alphabetical_order#Language-specific_conventions [3]: https://github.com/golang/go/issues/25340 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #686 Approved by: mheon
* hooks/read: Ignore IsNotExist for JSON files in ReadDirW. Trevor King2018-05-11
| | | | | | | | | | | | | | | If a .json file existed when we called ioutil.ReadDir but that file has been removed by the time we get around to calling Read on it, silently ignore the file. Iterating through all the files in the directory shouldn't take particularly long, so this is an unlikely corner case. And when it happens, silently ignoring the file gives the same outcome as you'd have gotten if the parallel remove had happened slightly earlier before the ioutil.ReadDir call. Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #686 Approved by: mheon
* pkg/hooks: Version the hook structure and add 1.0.0 hooksW. Trevor King2018-05-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This shifts the matching logic out of libpod/container_internal and into the hook package, where we can reuse it after vendoring into CRI-O. It also adds unit tests with almost-complete coverage. Now libpod is even more isolated from the hook internals, which makes it fairly straightforward to bump the hook config file to 1.0.0. I've dubbed the old format 0.1.0, although it doesn't specify an explicit version. Motivation for some of my changes with 1.0.0: * Add an explicit version field. This will make any future JSON structure migrations more straightforward by avoiding the need for version-guessing heuristics. * Collect the matching properties in a new When sub-structure. This makes the root Hook structure easier to understand, because you don't have to read over all the matching properties when wrapping your head around Hook. * Replace the old 'hook' and 'arguments' with a direct embedding of the runtime-spec's hook structure. This provides access to additional upstream properties (args[0], env, and timeout) and avoids the complication of a CRI-O-specific analog structure. * Add a 'when.always' property. You can usually accomplish this effect in another way (e.g. when.commands = [".*"]), but having a boolean explicitly for this use-case makes for easier reading and writing. * Replace the previous annotations array with an annotations map. The 0.1.0 approach matched only the values regardless of key, and that seems unreliable. * Replace 'cmds' with 'when.commands', because while there are a few ways to abbreviate "commands", there's only one way to write it out in full ;). This gives folks one less thing to remember when writing hook JSON. * Replace the old "inject if any specified condition matches" with "inject if all specified conditions match". This allows for more precise targeting. Users that need more generous targeting can recover the previous behavior by creating a separate 1.0.0 hook file for each specified 0.1.0 condition. I've added doc-compat support for the various pluralizations of the 0.1.0 properties. Previously, the docs and code were not in agreement. More on this particular facet in [1]. I've updated the docs to point out that the annotations being matched are the OCI config annotations. This differs from CRI-O, where the annotations used are the Kubernetes-supplied annotations [2,3]. For example, io.kubernetes.cri-o.Volumes [4] is part of CRI-O's runtime config annotations [5], but not part of the Kubernetes-supplied annotations CRI-O uses for matching hooks. The Monitor method supports the CRI-O use-case [6]. podman doesn't need it directly, but CRI-O will need it when we vendor this package there. I've used nvidia-container-runtime-hook for the annotation examples because Dan mentioned the Nvidia folks as the motivation behind annotation matching. The environment variables are documented in [7]. The 0.1.0 hook config, which does not allow for environment variables, only works because runc currently leaks the host environment into the hooks [8]. I haven't been able to find documentation for their usual annotation trigger or hook-install path, so I'm just guessing there. [1]: https://github.com/kubernetes-incubator/cri-o/pull/1235 [2]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L760 [3]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L772 [4]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/pkg/annotations/annotations.go#L97-L98 [5]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L830-L834 [6]: https://github.com/kubernetes-incubator/cri-o/pull/1345/ [7]: https://github.com/NVIDIA/nvidia-container-runtime/tree/v1.3.0-1#environment-variables-oci-spec [8]: https://github.com/opencontainers/runc/pull/1738 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #686 Approved by: mheon
* Fix varlink remove image forcebaude2018-05-11
| | | | | | | | | | | | | Fixes a bug where the force bool was being ignored when deleting images via the varlink interface. Also, minor fix to the docs to add a line break between methods and types in the doc index. Signed-off-by: baude <bbaude@redhat.com> Closes: #753 Approved by: rhatdan
* varlink infobaude2018-05-11
| | | | | | | | | | The varlinfo info returns the same information as podman info but always includes the so-called debug information. Signed-off-by: baude <bbaude@redhat.com> Closes: #745 Approved by: baude
* Dont eat the pull error message for varlinkbaude2018-05-10
| | | | | | | | | When using varlink to pull an image, we should expose the actual error to the caller. Signed-off-by: baude <bbaude@redhat.com> Closes: #744 Approved by: rhatdan
* podman push should honor registries.confbaude2018-05-10
| | | | | | | | | | | Like podman pull, when you push an image, podman should check if the registry is listed as insecure and if so, it should --tls-verify=false unless the user overrides this. Signed-off-by: baude <bbaude@redhat.com> Closes: #738 Approved by: mheon
* Generate varlink API documentation automaticallybaude2018-05-08
| | | | | | | | | | Using varlink's idl parser, we generate API documentation for the podman API relying on the .varlink file as the source. Signed-off-by: baude <bbaude@redhat.com> Closes: #734 Approved by: baude
* Allow streaming on some varlink container methodsbaude2018-05-08
| | | | | | | | | | | | | | | The following methods should support streaming requests from the client: * GetContainerLogs A reference for a python stream implementation can be found here: https://github.com/varlink/python/blob/master/varlink/tests/test_orgexamplemore.py#L29-L42 Signed-off-by: baude <bbaude@redhat.com> Closes: #724 Approved by: mheon
* podman, userNS: configure an intermediate mount namespaceGiuseppe Scrivano2018-05-04
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #690 Approved by: mheon
* Begin wiring in USERNS Support into podmanDaniel J Walsh2018-05-04
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #690 Approved by: mheon
* varlink containersbaude2018-05-03
| | | | | | | | | | | | | first pass at adding in the container related endpoints/methods for the libpod backend. Couple of important notes: * endpoints that can use a console are not going to be done until we have "remote" console * several of the container methods should probably be able to stream as opposed to a one-off return Signed-off-by: baude <bbaude@redhat.com> Closes: #708 Approved by: baude
* fix typos in the inspect json structsbaude2018-05-02
| | | | | | | | | Resolves: #633 Signed-off-by: baude <bbaude@redhat.com> Closes: #710 Approved by: rhatdan
* Fix misc stuff found by jhoncebaude2018-04-30
| | | | | | | | | | | During the python client implementation, jhonce found some return types that needed correction as well as a panic related to history which is now corrected. Signed-off-by: baude <bbaude@redhat.com> Closes: #704 Approved by: rhatdan
* Use buildah commit and bud in podmanbaude2018-04-27
| | | | | | | | | | | Vendor in buildah and use as much of commit and bug as possible for podman build and commit. Resolves #586 Signed-off-by: baude <bbaude@redhat.com> Closes: #681 Approved by: mheon
* Modify secrets pkgumohnani82018-04-27
| | | | | | | | | | | Made a mistake in my earlier patch. I though that if you add an empty string to an array, the length of the array would still be 0... Realised this when vendoring the secrets pkg into cri-o. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #685 Approved by: mheon
* varlink imagesbaude2018-04-26
| | | | | | | | | | | | | implement varlink image functions for working with libpod with the exception of a couple due to incompletions on the libpod side of things (build). also, created a first pass at a libpodpy package which will stand as a client to working with libpod's varlink methods using python. Signed-off-by: baude <bbaude@redhat.com> Closes: #669 Approved by: baude
* Retrieve IP addresses for container from DBMatthew Heon2018-04-26
| | | | | | | | | | Instead of execing out to the host's IP, use the IP address we got back from CNI to populate Inspect's IP address information. Signed-off-by: Matthew Heon <mheon@redhat.com> Closes: #680 Approved by: umohnani8
* Add --default-mounts-file hidden flagumohnani82018-04-26
| | | | | | | | | | | The hidden flag is used to override the path of the default mounts file for testing purposes. Also modified the secrets pkg to allow for this override to happen. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #678 Approved by: mheon
* Modify --user flag for podman create and runumohnani82018-04-24
| | | | | | | | | | If an integer is passed into the --user flag, i.e --user=1234 don't look up the user in /etc/passwd, just assign the integer as the uid. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #652 Approved by: mheon
* Add FIPS mode secretumohnani82018-04-23
| | | | | | | | If the host is in FIPS mode and /etc/system-fips exists /run/secrets/system-fips is created in the container so that the container can run in FIPS mode as well. Signed-off-by: umohnani8 <umohnani@redhat.com>
* Initial varlink implementationbaude2018-04-23
| | | | | | | Signed-off-by: baude <bbaude@redhat.com> Closes: #627 Approved by: mheon
* regression: tls verify should be set on registries.conf if insecurebaude2018-04-18
| | | | | | | | | | | In the case where podman needs to pull an image, if that registry that the image resides on is known to be insesure (as defined in /etc/containers/registries.conf), tls-verify should be altered on the fly. Signed-off-by: baude <bbaude@redhat.com> Closes: #626 Approved by: mheon
* Fix secrets patchumohnani82018-04-13
| | | | | | | | | | | The secrets code was just tarring and copying the contents of the secrets directory on host as is. This meant it was not accounting for any symlinks inside the directory, leading up to the contents not being copied over. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #611 Approved by: mheon
* Functionality changes to the following flagsumohnani82018-04-06
| | | | | | | | | | | | | | | | | | | --group-add --blkio-weight-device --device-read-bps --device-write-bps --device-read-iops --device-write-iops --group-add now supports group names as well as the gid associated with them. All the --device flags work now with moderate changes to the code to support both bps and iops. Added tests for all the flags. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #590 Approved by: mheon
* Add hooks support to podmanDaniel J Walsh2018-04-05
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #155 Approved by: mheon
* Add container dependencies to Inspect outputMatthew Heon2018-04-03
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #577 Approved by: rhatdan
* Correct a godoc commentNalin Dahyabhai2018-04-02
| | | | | | | | | | Correct the names of the files in the godoc for pkg/chrootuser/GetUser(). Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #579 Approved by: rhatdan
* Add secrets patch to podmanumohnani82018-03-29
| | | | | | | | | | Adds support for mounting secrets especially on RHEL where the container can use the host subsription to run yum Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #544 Approved by: rhatdan