summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* abi: set default umask and rlimitsGiuseppe Scrivano2020-07-17
| | | | | | | | the code got lost in the migration to podman 2.0, reintroduce it. Closes: https://github.com/containers/podman/issues/6989 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #6965 from giuseppe/followup-pr6324OpenShift Merge Robot2020-07-17
|\ | | | | allow switching of port-forward approaches in rootless/using slirp4netns
| * libpod: pass down network optionsGiuseppe Scrivano2020-07-16
| | | | | | | | | | | | do not pass network specific options through the network namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * allow switching of port-forward approaches in rootless/using slirp4netnsaleks-mariusz2020-07-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As of podman 1.8.0, because of commit da7595a, the default approach of providing port-forwarding in rootless mode has switched (and been hard-coded) to rootlessport, for the purpose of providing super performance. The side-effect of this switch is source within the container to the port-forwarded service always appears to originate from 127.0.0.1 (see issue #5138). This commit allows a user to specify if they want to revert to the previous approach of leveraging slirp4netns add_hostfwd() api which, although not as stellar performance, restores usefulness of seeing incoming traffic origin IP addresses. The change should be transparent; when not specified, rootlessport will continue to be used, however if specifying --net slirp4netns:slirplisten the old approach will be used. Note: the above may imply the restored port-forwarding via slirp4netns is not as performant as the new rootlessport approach, however the figures shared in the original commit that introduced rootlessport are as follows: slirp4netns: 8.3 Gbps, RootlessKit: 27.3 Gbps, which are more than sufficient for many use cases where the origin of traffic is more important than limits that cannot be reached due to bottlenecks elsewhere. Signed-off-by: Aleks Mariusz <m.k@alek.cx> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | The compat create endpoint should 404 on no such imageMatthew Heon2020-07-16
| | | | | | | | | | | | | | | | | | | | This matches Docker behavior, and will make the Docker frontend work with `podman system service` (Docker tries to create, then if that fails with 404 sends a request to pull the image). Fixes #6960 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #6903 from ashley-cui/problemlangOpenShift Merge Robot2020-07-15
|\ \ | | | | | | Fix & add notes regarding problematic language in codebase
| * | Fix & add notes regarding problematic language in codebaseAshley Cui2020-07-15
| | | | | | | | | | | | | | | | | | | | | | | | Podman is committed to inclusivity, a core value of open source. Historically, there have been technology terms that are problematic and divisive, and should be changed. We are currently taking time to audit our repository in order to eliminate such terminology, and replace it with more inclusive terms. We are starting where we can, with our own code, comments, and documentation. However, such terms may be used in dependencies, and must be used in our repositories at the current moment for compatibility. Podman will change these terms in our repo as soon as new and better terminology is available to us via our dependencies. For more information: https://www.redhat.com/en/blog/making-open-source-more-inclusive-eradicating-problematic-language?sc_cid=701600000011gf0AAA Signed-off-by: Ashley Cui <acui@redhat.com>
* | | Error on rootless mac and ip addressesBrent Baude2020-07-15
|/ / | | | | | | | | | | | | | | When creating a pod or container where a static MAC or IP address is provided, we should return a proper error and exit as 125. Fixes: #6972 Signed-off-by: Brent Baude <bbaude@redhat.com>
* | Merge pull request #6949 from AkihiroSuda/fix-6948OpenShift Merge Robot2020-07-15
|\ \ | | | | | | Fix "Error: unrecognized protocol \"TCP\" in port mapping"
| * | Fix "Error: unrecognized protocol \"TCP\" in port mapping"Akihiro Suda2020-07-15
| |/ | | | | | | | | | | | | | | "TCP" in upper characters was not recognized as a valid protocol name. Fix #6948 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* | Merge pull request #6971 from TristanCacqueray/masterOpenShift Merge Robot2020-07-15
|\ \ | |/ |/| play-kube: add suport for "IfNotPresent" pull type
| * play-kube: add suport for "IfNotPresent" pull typeTristan Cacqueray2020-07-14
| | | | | | | | | | | | | | | | This change prevents this exception when loading a pod spec using the "IfNotPresent" pull policy: Error: invalid pull type "IfNotPresent" Signed-off-by: Tristan Cacqueray <tdecacqu@redhat.com>
* | Merge pull request #6957 from rhatdan/sysdevOpenShift Merge Robot2020-07-14
|\ \ | | | | | | Mask out /sys/dev to prevent information leak from the host
| * | Mask out /sys/dev to prevent information leak from the hostDaniel J Walsh2020-07-14
| |/ | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #6939 from rhatdan/entrypointOpenShift Merge Robot2020-07-14
|\ \ | | | | | | Fix handling of entrypoint
| * | Fix handling of entrypointDaniel J Walsh2020-07-14
| |/ | | | | | | | | | | | | If a user specifies an entrypoint of "" then we should not use the images entrypoint. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / When determining systemd mode, use full commandMatthew Heon2020-07-14
|/ | | | | | | | | | | | | | We were only using the Command field in specgen when determining whether to enable systemd if systemd=true (the default) was used. This does not include the entrypoint, and does not include any entrypoint/command sourced from the image - so an image could be running systemd and we'd not correctly detect this. Using the full, final command resolves this and matches Podman v1.9.x behavior. Fixes #6920 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #6842 from rhatdan/pids-limitOpenShift Merge Robot2020-07-13
|\ | | | | Pids-limit should only be set if the user set it
| * Pids-limit should only be set if the user set itDaniel J Walsh2020-07-10
| | | | | | | | | | | | | | | | | | | | Currently we are sending over pids-limits from the user even if they never modified the defaults. The pids limit should be set at the server side unless modified by the user. This issue has led to failures on systems that were running with cgroups V1. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #6896 from mheon/fix_remote_createcommandOpenShift Merge Robot2020-07-13
|\ \ | | | | | | Fix container and pod create commands for remote create
| * | Fix container and pod create commands for remote createMatthew Heon2020-07-10
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In `podman inspect` output for containers and pods, we include the command that was used to create the container. This is also used by `podman generate systemd --new` to generate unit files. With remote podman, the generated create commands were incorrect since we sourced directly from os.Args on the server side, which was guaranteed to be `podman system service` (or some variant thereof). The solution is to pass the command along in the Specgen or PodSpecgen, where we can source it from the client's os.Args. This will still be VERY iffy for mixed local/remote use (doing a `podman --remote run ...` on a remote client then a `podman generate systemd --new` on the server on the same container will not work, because the `--remote` flag will slip in) but at the very least the output of `podman inspect` will be correct. We can look into properly handling `--remote` (parsing it out would be a little iffy) in a future PR. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #6936 from mheon/matt_cant_countOpenShift Merge Robot2020-07-11
|\ \ | | | | | | Correctly print STDOUT on non-terminal remote exec
| * | Correctly print STDOUT on non-terminal remote execMatthew Heon2020-07-10
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | I confused STDIN and STDOUT's file descriptors (it's 0 and 1, I thought they were 1 and 0). As such, we were looking at whether we wanted to print STDIN when we looked to print STDOUT. This bool was set when `-i` was set in at the `podman exec` command line, which masked the problem when it was set. Fixes #6890 Fixes #6891 Fixes #6892 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Fix: Correct connection counters for hijacked connectionsKorhonen Sami (Samlink)2020-07-09
| | | | | | | | | | | | | | | | | | | | This patch fixes connection counters for v2 endpoints Idletracker was moved to a new package to prevent package cycle. Hijacking code still remains in wrong place and should be moved later to isolated package Signed-off-by: Sami Korhonen <skorhone@gmail.com>
* | Fix: Hijacking v2 endpoints to follow rfc 7230 semanticsKorhonen Sami (Samlink)2020-07-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After this patch v2 hijacking endpoints, exec/start and containers/attach follow rfc 7230 specification. Connection will only be upgraded, if client specifies upgrade headers: For tcp connections: Connection: Upgrade Upgrade: tcp For unix socket connections: Connection: Upgrade Upgrade: sock There are currently no checks if upgrade type actually matches with available protocols. Implementation just protocol that client requested Signed-off-by: Sami Korhonen <skorhone@gmail.com>
* | Remove hijacked connections from active connections listKorhonen Sami (Samlink)2020-07-09
|/ | | | | | | | | | | | | | | | | | | | | | | StateHijacked is a terminal state. If hijacked connection is registered as an active connection, connection will never be unregistered. This causes two issues First issue is that active connection counters are off. Second issue is a resource leak caused by connection object that is stored to a map. After this patch hijacked connections are no longer visible in counters. If a counter for hijacked connections is required, podman must track connections returned by Hijacker.Hijack() It might make sense to develop abstraction layer for hijacking - and move all hijacking related code to a separate package. Hijacking code is prone to resource leaks and it should be thoroughly tested. Signed-off-by: Sami Korhonen <skorhone@gmail.com>
* Merge pull request #6906 from rhatdan/VENDOROpenShift Merge Robot2020-07-09
|\ | | | | Vendor in new version of Buildah
| * Vendor in new version of BuildahDaniel J Walsh2020-07-09
| | | | | | | | | | | | This also pulls in latest runc and containers/common Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| * Remove dependency on github.com/opencontainers/libpod/configsDaniel J Walsh2020-07-09
| | | | | | | | | | | | | | | | | | We are using these dependencies just to get the device from path. These dependencies no longer build on Windows, so simply cloning the deviceFromPath function, we can eliminate the need for this vendoring. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #6835 from zhangguanzhang/masterOpenShift Merge Robot2020-07-09
|\ \ | | | | | | fix API: Create container with an invalid configuration
| * | fix API: Create container with an invalid configurationzhangguanzhang2020-07-09
| |/ | | | | | | Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* / log API: add context to allow for cancellingValentin Rothberg2020-07-09
|/ | | | | | | | | Add a `context.Context` to the log APIs to allow for cancelling streaming (e.g., via `podman logs -f`). This fixes issues for the remote API where some go routines of the server will continue writing and produce nothing but heat and waste CPU cycles. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Merge pull request #6829 from rhatdan/keepidOpenShift Merge Robot2020-07-07
|\ | | | | Add username to /etc/passwd inside of container if --userns keep-id
| * Add username to /etc/passwd inside of container if --userns keep-idDaniel J Walsh2020-07-07
| | | | | | | | | | | | | | | | | | | | If I enter a continer with --userns keep-id, my UID will be present inside of the container, but most likely my user will not be defined. This patch will take information about the user and stick it into the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Add support for Filter query parameter to list images apiKorhonen Sami (Samlink)2020-07-07
|/ | | | | | | | | | | | Docker api version 1.24 uses a query parameter named Filter for filtering images by names. In more recent versions of api name filter is in filters query parameter with other filters This patch adds a mapping that translates Filter query parameter to Filters={"reference": [""]} Signed-off-by: Sami Korhonen <skorhone@gmail.com>
* Implement --sdnotify cmdline option to control sd-notify behaviorJoseph Gooch2020-07-06
| | | | | | | | | | | | | | | | | | | --sdnotify container|conmon|ignore With "conmon", we send the MAINPID, and clear the NOTIFY_SOCKET so the OCI runtime doesn't pass it into the container. We also advertise "ready" when the OCI runtime finishes to advertise the service as ready. With "container", we send the MAINPID, and leave the NOTIFY_SOCKET so the OCI runtime passes it into the container for initialization, and let the container advertise further metadata. This is the default, which is closest to the behavior podman has done in the past. The "ignore" option removes NOTIFY_SOCKET from the environment, so neither podman nor any child processes will talk to systemd. This removes the need for hardcoded CID and PID files in the command line, and the PIDFile directive, as the pid is advertised directly through sd-notify. Signed-off-by: Joseph Gooch <mrwizard@dok.org>
* Merge pull request #6836 from ashley-cui/tzlibpodOpenShift Merge Robot2020-07-06
|\ | | | | Add --tz flag to create, run
| * Add --tz flag to create, runAshley Cui2020-07-02
| | | | | | | | | | | | | | --tz flag sets timezone inside container Can be set to IANA timezone as well as `local` to match host machine Signed-off-by: Ashley Cui <acui@redhat.com>
* | move go module to v2Valentin Rothberg2020-07-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With the advent of Podman 2.0.0 we crossed the magical barrier of go modules. While we were able to continue importing all packages inside of the project, the project could not be vendored anymore from the outside. Move the go module to new major version and change all imports to `github.com/containers/libpod/v2`. The renaming of the imports was done via `gomove` [1]. [1] https://github.com/KSubedi/gomove Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | Merge pull request #6846 from mheon/fix_pod_errorsOpenShift Merge Robot2020-07-06
|\ \ | | | | | | Print errors from individual containers in pods
| * | Print errors from individual containers in podsMatthew Heon2020-07-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The infra/abi code for pods was written in a flawed way, assuming that the map[string]error containing individual container errors was only set when the global error for the pod function was nil; that is not accurate, and we are actually *guaranteed* to set the global error when any individual container errors. Thus, we'd never actually include individual container errors, because the infra code assumed that err being set meant everything failed and no container operations were attempted. We were originally setting the cause of the error to something nonsensical ("container already exists"), so I made a new error indicating that some containers in the pod failed. We can then ignore that error when building the report on the pod operation and actually return errors from individual containers. Unfortunately, this exposed another weakness of the infra code, which was discarding the container IDs. Errors from individual containers are not guaranteed to identify which container they came from, hence the use of map[string]error in the Pod API functions. Rather than restructuring the structs we return from pkg/infra, I just wrapped the returned errors with a message including the ID of the container. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #6852 from skorhone/fix/6803_null_portsOpenShift Merge Robot2020-07-05
|\ \ \ | | | | | | | | Fix container inspect endpoint returning null for network settings / ports
| * | | Fix issue #6803 Container inspect endpoint returns null for ↵Korhonen Sami (Samlink)2020-07-03
| |/ / | | | | | | | | | | | | | | | | | | | | | NetworkSettings/Ports Implement mapping for NetworkSettings/Ports for Container inspect endpoint Signed-off-by: Sami Korhonen <skorhone@gmail.com>
* | | Merge pull request #6838 from mheon/fix_panic_eventsOpenShift Merge Robot2020-07-02
|\ \ \ | |/ / |/| | Fix `system service` panic from early hangup in events
| * | Fix `system service` panic from early hangup in eventsMatthew Heon2020-07-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We weren't actually halting the goroutine that sent events, so it would continue sending even when the channel closed (the most notable cause being early hangup - e.g. Control-c on a curl session). Use a context to cancel the events goroutine and stop sending events. Fixes #6805 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | APIv2:fix: Handle docker volume force as expectedmaybe-sybr2020-07-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | In response to input regarding the semantic difference for the `force` parameter for volume removal between Docker and us, this change ensures that we emulate the Dockr behaviour correctly when this parameter is specified. Signed-off-by: Matt Brindley <58414429+maybe-sybr@users.noreply.github.com>
* | | APIv2: Add docker compatible volume endpointsmaybe-sybr2020-07-02
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change implements docker compatibile endpoint for interacting with volumes. The code is mostly lifted from the `libpod` API handlers but decodes and constructs data using types defined in the docker API package. Some notable support caveats with the current implementation: * we don't return the nullable `Status` or `UsageData` keys when returning volume information for inspect and create endpoints * we don't support filters when pruning * we return a fixed `0` for the `SpaceReclaimed` key when pruning since we have no insight into how much space was freed from runtime Signed-off-by: Matt Brindley <58414429+maybe-sybr@users.noreply.github.com>
* | Created timestamp returned by imagelist should be in unix formatDaniel J Walsh2020-06-30
|/ | | | | | | | In the API, we are currently returning the image time of creation as a string, in time.Time format. The API is for a 64 bit integer representing Unix time. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #6747 from giuseppe/fix-user-volumesOpenShift Merge Robot2020-06-30
|\ | | | | container: move volume chown after spec generation
| * container: move volume chown after spec generationGiuseppe Scrivano2020-06-29
| | | | | | | | | | | | | | | | | | move the chown for newly created volumes after the spec generation so the correct UID/GID are known. Closes: https://github.com/containers/libpod/issues/5698 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>