summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Merge pull request #2225 from cevich/enable_apparmorOpenShift Merge Robot2019-01-30
|\ | | | | Cirrus: Enable AppArmor build and test
| * apparmor: don't load default profile in rootless modeValentin Rothberg2019-01-29
| | | | | | | | | | | | | | | | | | AppArmor requires root privileges, so skip loading the default profile in rootless mode. Also add a log to ease debugging. Fixes: #2223 Reported-by: @dmacvicar Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | podman image prune -- implement all flagbaude2019-01-29
|/ | | | | | | | | | | we now, by default, only prune dangling images. if --all is passed, we prune dangling images AND images that do not have an associated containers. also went ahead and enabled the podman-remote image prune side of things. Fixes: #2192 Signed-off-by: baude <bbaude@redhat.com>
* enable podman-remote versionbaude2019-01-21
| | | | | | | | | | initial enablement of podman-remote version. includes add a APIVersion const that will allow us to check compatibility between host/client when connections are made. also added client related information to podman info. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #2142 from giuseppe/expose-portsOpenShift Merge Robot2019-01-20
|\ | | | | rootless: support port redirection from the host
| * rootless: support port redirection from the hostGiuseppe Scrivano2019-01-19
| | | | | | | | | | | | | | | | | | | | add support for ports redirection from the host. It needs slirp4netns v0.3.0-alpha.1. Closes: https://github.com/containers/libpod/issues/2081 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | podman-remote inspectbaude2019-01-18
| | | | | | | | | | | | base enablement of the inspect command. Signed-off-by: baude <bbaude@redhat.com>
* | rootless: fix --pid=host without --privilegedGiuseppe Scrivano2019-01-18
| | | | | | | | | | | | | | When using --pid=host don't try to cover /proc paths, as they are coming from the /proc bind mounted from the host. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Cleanup coverity scan issuesDaniel J Walsh2019-01-15
|/ | | | | | If realloc fails, then buffer will be leaked, this change frees up the buffer. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #2141 from baude/remotetagOpenShift Merge Robot2019-01-13
|\ | | | | Add darwin support for remote-client
| * Add darwin support for remote-clientbaude2019-01-11
| | | | | | | | | | | | | | | | Add the ability to cross-compile podman remote for OSX. Also, add image exists and tag to remote-client. Signed-off-by: baude <bbaude@redhat.com>
* | podman play kube: add containers to podbaude2019-01-11
|/ | | | | | | | | when defining containers, we missed the conditional logic to allow the container to be defined with "WithPod" and so forth. I had to slightly modify the createcontainer process to pass a libpod.Pod that could override things; use nil as no pod. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #2135 from baude/varlinkpruneOpenShift Merge Robot2019-01-11
|\ | | | | Add varlink support for prune
| * Add varlink support for prunebaude2019-01-10
| | | | | | | | | | | | | | Add the ability to prune unused images using the varlink API. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #2113 from baude/remoteimagesOpenShift Merge Robot2019-01-11
|\ \ | |/ |/| remote-client support for images
| * remote-client support for imagesbaude2019-01-10
| | | | | | | | Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #2131 from mheon/restore_storage_defaultsOpenShift Merge Robot2019-01-10
|\ \ | | | | | | Use defaults if paths are not specified in storage.conf
| * | Use defaults if paths are not specified in storage.confMatthew Heon2019-01-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For rootless Podman, if storage.conf exists but does not specify one or both of RunRoot and GraphRoot, set them to rootless defaults so we don't end up with an unusable configuration. Fixes #2125 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #2108 from QiWang19/from1899OpenShift Merge Robot2019-01-10
|\ \ \ | |_|/ |/| | Fix 'image trust' from PR1899
| * | Fix 'image trust' from PR1899Qi Wang2019-01-09
| | | | | | | | | | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | createconfig: always cleanup a rootless containerGiuseppe Scrivano2019-01-10
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | the rootless container storage is always mounted in a different mount namespace, owned by the unprivileged user. Even if it is mounted, a process running in another namespace cannot reuse the already mounted storage. Make sure the storage is always cleaned up once the container terminates. This has worked with vfs since there is no real mounted storage. Closes: https://github.com/containers/libpod/issues/2112 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #2114 from vrothberg/issue-2107OpenShift Merge Robot2019-01-10
|\ \ | | | | | | apparmor: apply default profile at container initialization
| * | apparmor: apply default profile at container initializationValentin Rothberg2019-01-09
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Apply the default AppArmor profile at container initialization to cover all possible code paths (i.e., podman-{start,run}) before executing the runtime. This allows moving most of the logic into pkg/apparmor. Also make the loading and application of the default AppArmor profile versio-indepenent by checking for the `libpod-default-` prefix and over-writing the profile in the run-time spec if needed. The intitial run-time spec of the container differs a bit from the applied one when having started the container, which results in displaying a potentially outdated AppArmor profile when inspecting a container. To fix that, load the container config from the file system if present and use it to display the data. Fixes: #2107 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* / libpod/image: Use ParseNormalizedNamed in RepoDigestsW. Trevor King2019-01-09
|/ | | | | | | | | | | | | | | | Avoid generating quay.io/openshift-release-dev/ocp-release@sha256@sha256:239... and similar when the image name is already digest-based [1]. It's not clear exactly how we get into this state, but as shown by the unit tests, the new code handles this case correctly (while the previous code does not). [1]: https://github.com/containers/libpod/issues/2086 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #2106 Approved by: rhatdan
* pkg/hooks/exec: Include failed command in hook errorsW. Trevor King2019-01-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For example: $ cat /etc/containers/oci/hooks.d/test.json { "version": "1.0.0", "hook": { "path": "/bin/sh", "args": ["sh", "-c", "echo 'oh, noes!' >&2; exit 1"] }, "when": { "always": true }, "stages": ["precreate"] } $ podman run --rm docker.io/library/alpine echo 'successful container' error setting up OCI Hooks: executing [sh -c echo 'oh, noes!' >&2; exit 1]: exit status 1 The rendered command isn't in in the right syntax for copy/pasting into a shell, but it should be enough for the user to be able to locate the failing hook. They'll need to know their hook directories, but with the previous commits requiring explicit hook directories it's more likely that the caller is aware of them. And if they run at a debug level, they can see the lookups in the logs: $ podman --log-level=debug --hooks-dir=/etc/containers/oci/hooks.d run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook time="2018-12-02T22:15:16-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d" time="2018-12-02T22:15:16-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json" time="2018-12-02T22:15:16-08:00" level=debug msg="hook test.json matched; adding to stages [precreate]" time="2018-12-02T22:15:16-08:00" level=warning msg="container 3695c6ba0cc961918bd3e4a769c52bd08b82afea5cd79e9749e9c7a63b5e7100: precreate hook: executing [sh -c echo 'oh, noes!' >&2; exit 1]: exit status 1" time="2018-12-02T22:15:16-08:00" level=error msg="error setting up OCI Hooks: executing [sh -c echo 'oh, noes!' >&2; exit 1]: exit status 1" Signed-off-by: W. Trevor King <wking@tremily.us>
* hooks/exec/runtimeconfigfilter: Log config changesW. Trevor King2019-01-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To make it easier to notice and track down errors (or other surprising behavior) due to precreate hooks. With this commit, the logged messages look like: time="2018-11-19T13:35:18-08:00" level=debug msg="precreate hook 0 made configuration changes: --- Old +++ New @@ -18,3 +18,3 @@ Namespaces: ([]specs.LinuxNamespace) <nil>, - Devices: ([]specs.LinuxDevice) (len=1) { + Devices: ([]specs.LinuxDevice) (len=2) { (specs.LinuxDevice) { @@ -24,2 +24,11 @@ Minor: (int64) 229, + FileMode: (*os.FileMode)(-rw-------), + UID: (*uint32)(0), + GID: (*uint32)(0) + }, + (specs.LinuxDevice) { + Path: (string) (len=8) "/dev/sda", + Type: (string) (len=1) "b", + Major: (int64) 8, + Minor: (int64) 0, FileMode: (*os.FileMode)(-rw-------), " time="2018-11-19T13:35:18-08:00" level=debug msg="precreate hook 1 made configuration changes: --- Old +++ New @@ -29,3 +29,3 @@ (specs.LinuxDevice) { - Path: (string) (len=8) "/dev/sda", + Path: (string) (len=8) "/dev/sdb", Type: (string) (len=1) "b", " Ideally those logs would include the container ID, but we don't have access to that down at this level. I'm not sure if it's worth teaching RuntimeConfigFilter to accept a *logrus.Entry (so the caller could use WithFields [1]) or to use a generic logging interface (like go-log [2]). For now, I've left the container ID unlogged here. The spew/difflib implementation is based on stretchr/testify/assert, but I think the ~10 lines I'm borrowing are probably small enough to stay under the "all copies or substantial portions" condition in its MIT license. [1]: https://godoc.org/github.com/sirupsen/logrus#WithFields [2]: https://github.com/go-log/log Signed-off-by: W. Trevor King <wking@tremily.us>
* hooks: Add pre-create hooks for runtime-config manipulationW. Trevor King2019-01-08
| | | | | | | | | | | | | | | | | | | | | | | There's been a lot of discussion over in [1] about how to support the NVIDIA folks and others who want to be able to create devices (possibly after having loaded kernel modules) and bind userspace libraries into the container. Currently that's happening in the middle of runc's create-time mount handling before the container pivots to its new root directory with runc's incorrectly-timed prestart hook trigger [2]. With this commit, we extend hooks with a 'precreate' stage to allow trusted parties to manipulate the config JSON before calling the runtime's 'create'. I'm recycling the existing Hook schema from pkg/hooks for this, because we'll want Timeout for reliability and When to avoid the expense of fork/exec when a given hook does not need to make config changes [3]. [1]: https://github.com/opencontainers/runc/pull/1811 [2]: https://github.com/opencontainers/runc/issues/1710 [3]: https://github.com/containers/libpod/issues/1828#issuecomment-439888059 Signed-off-by: W. Trevor King <wking@tremily.us>
* Merge pull request #2076 from rhatdan/storage.confOpenShift Merge Robot2019-01-08
|\ | | | | If local storage file exists, then use it rather then defau…
| * If local storage file exists, then use it rather then defaults.Daniel J Walsh2019-01-03
| | | | | | | | | | | | | | Currently we always force overlay if it exists even though a user might want vfs. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #2078 from rhatdan/config.fileOpenShift Merge Robot2019-01-07
|\ \ | | | | | | Add the configuration file used to setup storage to podman info
| * | Add the configuration file used to setup storage to podman infoDaniel J Walsh2019-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Users have no idea what storage configuration file is used to setup storage, so adding this to podman info, should make it easier to discover. This requires a revendor of containers/storage Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #2098 from baude/remoteOpenShift Merge Robot2019-01-07
|\ \ \ | |/ / |/| | Add ability to build golang remote client
| * | Add ability to build golang remote clientbaude2019-01-07
| |/ | | | | | | | | | | | | | | | | | | | | Add the ability to build a remote client in golang that uses all the same front-end cli code and output code. The initial limitations here are that it can only be a local client while the bridge and resolver code is being written for the golang varlink client. Tests and docs will be added in subsequent PRs. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #2082 from rhatdan/runcOpenShift Merge Robot2019-01-06
|\ \ | | | | | | Update vendor of runc
| * | Update vendor of runcDaniel J Walsh2019-01-04
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | Updating the vendor or runc to pull in some fixes that we need. In order to get this vendor to work, we needed to update the vendor of docker/docker, which causes all sorts of issues, just to fix the docker/pkg/sysinfo. Rather then doing this, I pulled in pkg/sysinfo into libpod and fixed the code locally. I then switched the use of docker/pkg/sysinfo to libpod/pkg/sysinfo. I also switched out the docker/pkg/mount to containers/storage/pkg/mount Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / add container-init supportValentin Rothberg2019-01-04
|/ | | | | | | | | | | | | | | | | | | Add support for executing an init binary as PID 1 in a container to forward signals and reap processes. When the `--init` flag is set for podman-create or podman-run, the init binary is bind-mounted to `/dev/init` in the container and "/dev/init --" is prepended to the container's command. The default base path of the container-init binary is `/usr/libexec/podman` while the default binary is catatonit [1]. This default can be changed permanently via the `init_path` field in the `libpod.conf` configuration file (which is recommended for packaging) or temporarily via the `--init-path` flag of podman-create and podman-run. [1] https://github.com/openSUSE/catatonit Fixes: #1670 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Fix handling of symbolic linksDaniel J Walsh2018-12-28
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fixes to handle /dev/shm correctly.Daniel J Walsh2018-12-24
| | | | | | | | | | | | | | | | | | We had two problems with /dev/shm, first, you mount the container read/only then /dev/shm was mounted read/only. This is a bug a tmpfs directory should be read/write within a read-only container. The second problem is we were ignoring users mounted /dev/shm from the host. If user specified podman run -d -v /dev/shm:/dev/shm ... We were dropping this mount and still using the internal mount. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Refactor: use idtools.ParseIDMap instead of bundling own versionŠimon Lukašík2018-12-23
| | | | | | | | | | | ParseIDMap function was extracted to idtools in https://github.com/containers/storage/pull/236 it is already used in containers/storage and buildah, it should be used in libpod as well. Signed-off-by: Šimon Lukašík <isimluk@fedoraproject.org>
* Switch all referencs to image.ContainerConfig to image.ConfigDaniel J Walsh2018-12-21
| | | | | | This will more closely match what Docker is doing. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Allow users to specify a directory for additonal devicesDaniel J Walsh2018-12-21
| | | | | | | Podman will search through the directory and will add any device nodes that it finds. If no devices are found we return an error. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Change all 'can not' to 'cannot' for proper usageDaniel J Walsh2018-12-21
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Invalid index for arrayDaniel J Walsh2018-12-21
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless: add function to join user and mount namespaceGiuseppe Scrivano2018-12-21
| | | | | | | | | | Add the possibility to join directly the user and mount namespace without looking up the parent of the user namespace. We need this in order to be able the conmon process, as the mount namespace is kept alive only there. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Support podman image trust commandQi Wang2018-12-19
| | | | | | Display the trust policy of the host system. The trust policy is stored in the /etc/containers/policy.json file and defines a scope of registries or repositories. Signed-off-by: Qi Wang <qiwan@redhat.com>
* Clean up some existing varlink endpointsbaude2018-12-12
| | | | | | | | Going through and adding options (like tls-verify, signature option, etc) to some varlink endpoints (like push/pull) many of which had not been updated since their original authoring. Signed-off-by: baude <bbaude@redhat.com>
* add more example usage to varlink endpointsbaude2018-12-09
| | | | Signed-off-by: baude <bbaude@redhat.com>
* add timeout to pod stopbaude2018-12-07
| | | | | | | | like podman stop of containers, we should allow the user to specify a timeout override when stopping pods; otherwise they have to wait the full timeout time specified during the pod/container creation. Signed-off-by: baude <bbaude@redhat.com>
* Remove the forceSecure parameter on the pull call stackMiloslav Trmač2018-12-06
| | | | | | | DockerRegistryOptions.DockerInsecureSkipTLSVerify as an types.OptionalBool can now represent that value, so forceSecure is redundant. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Factor out the registries.conf location code in pkg/registriesMiloslav Trmač2018-12-06
| | | | | | | | | The newly introduced SystemRegistriesConfPath somewhat decreases duplication, but more importantly will allow future callers to set just a types.SystemContext.SystemRegistriesConfPath and not call GetRegistries / GetInsecureRegistries at all. Signed-off-by: Miloslav Trmač <mitr@redhat.com>