path: root/pkg
Commit log (commit message, author, age):
* create pod on the fly (baude, 2018-12-03)
  when a user specifies --pod to podman create|run, we should create that pod automatically. the port bindings from the container are then inherited by the infra container. this significantly improves the workflow of running containers inside pods with podman. the user is still encouraged to use podman pod create to have more granular control of the pod create options. Signed-off-by: baude <bbaude@redhat.com>
* rootless: raise error if newuidmap/newgidmap are not installed (Giuseppe Scrivano, 2018-12-03)
  it was reported on IRC that Podman on Ubuntu failed as newuidmap/newgidmap were not installed by default. Raise an error if we are not allowing single mappings (used only by the test suite) and any of the binaries is not present. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1846 from cgwalters/netns-dns-localhost (OpenShift Merge Robot, 2018-11-28)
  Use host's resolv.conf if no network namespace enabled
  * Use host's resolv.conf if no network namespace enabled (Colin Walters, 2018-11-27)
    My host system runs Fedora Silverblue 29 and I have NetworkManager's `dns=dnsmasq` setting enabled, so my `/etc/resolv.conf` only has `127.0.0.1`. I also run my development podman containers with `--net=host` for various reasons. If we have a host network namespace, there's no reason not to just use the host's nameserver configuration either. This fixes e.g. accessing content on a VPN, and is also faster since the container is using cached DNS. I know this doesn't solve the bigger picture issue of localhost-DNS conflicting with bridged networking, but that's far more involved, probably requiring a DNS proxy in the container. This patch makes my workflow a lot nicer and was easy to write. Signed-off-by: Colin Walters <walters@verbum.org>
* Merge pull request #1849 from giuseppe/report-rootless-netmode (OpenShift Merge Robot, 2018-11-28)
  rootless: add new netmode "slirp4netns"
  * network: allow slirp4netns mode also for root containers (Giuseppe Scrivano, 2018-11-28)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * rootless: add new netmode "slirp4netns" (Giuseppe Scrivano, 2018-11-27)
    so that inspect reports the correct network configuration. Closes: https://github.com/containers/libpod/issues/1453 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: store only subset of storage.conf (Giuseppe Scrivano, 2018-11-28)
  do not store the entire file but only the subset of what we have modified. Also, we were not writing the correct data. Since it is not trivial to serialize storage.conf correctly and all the various supported options, serialize only what we care about. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add history and namespaceoptions to image inspect (Qi Wang, 2018-11-26)
  Signed-off-by: Qi Wang <qiwan@redhat.com>
* Merge pull request #1829 from baude/enableportbindinginpods (OpenShift Merge Robot, 2018-11-20)
  Allow users to expose ports from the pod to the host
  * Allow users to expose ports from the pod to the host (baude, 2018-11-20)
    we need to allow users to expose ports to the host for the purposes of networking, like a webserver. the port exposure must be done at the time the pod is created. strictly speaking, the port exposure occurs on the infra container. Signed-off-by: baude <bbaude@redhat.com>
* rootless: create empty mounts.conf if it doesn't exist (Giuseppe Scrivano, 2018-11-19)
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* registries: check user registries file only in rootless mode (Giuseppe Scrivano, 2018-11-19)
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* rootless: create storage.conf when it doesn't exist (Giuseppe Scrivano, 2018-11-19)
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1756 from isimluk/update-dependent-metalinter (OpenShift Merge Robot, 2018-11-16)
  Update metalinter dependency
  * Lint: InspectImage varlink api should return errors that occurred (Šimon Lukašík, 2018-11-10)
    Not just nil. Addressing: pkg/varlinkapi/images.go:273:15:warning: ineffectual assignment to err (ineffassign) Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
* rootless: call IsRootless just once (Giuseppe Scrivano, 2018-11-14)
  we are calling this function several times, it is worth storing its result and re-using it. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Better document rootless containers (Daniel J Walsh, 2018-11-10)
  Need to return an error pointing the user in the right direction if rootless podman fails, because of no /etc/subuid or /etc/subgid files. Also fix up man pages to better describe rootless podman. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless: default to fuse-overlayfs when available (Giuseppe Scrivano, 2018-11-08)
  If fuse-overlayfs is present, rootless containers default to use it. This can still be overridden either via the command line with --storage-driver or in the ~/.config/containers/storage.conf configuration file. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Don't fail if /etc/passwd or /etc/group does not exist (Daniel J Walsh, 2018-11-07)
  Container images can be created without passwd or group file, currently if one of these containers gets run with a --user flag the container blows up complaining about a missing /etc/passwd file. We just need to check if the error on read is ENOEXIST then allow the read to return, not fail. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1736 from giuseppe/rootless-drop-run-postfix (OpenShift Merge Robot, 2018-10-31)
  rootless: do not add an additional /run to runroot
  * rootless: do not add an additional /run to runroot (Giuseppe Scrivano, 2018-10-31)
    we are currently using something like /run/user/UID/run as runroot, as it is already done by Buildah. This ends up with /run/user/UID/run/runc for the runc directory. Change to drop the additional /run so that runc will use /run/user/UID/runc. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1731 from afbjorklund/version (OpenShift Merge Robot, 2018-10-31)
  Fix setting of version information
  * Fix setting of version information (Anders F Björklund, 2018-10-31)
    It was setting the wrong variable (CamelCase) in the wrong module ("main", not "libpod")... Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* Merge pull request #1715 from baude/getusergroup (OpenShift Merge Robot, 2018-10-30)
  get user and group information using securejoin and runc's user library
  * get user and group information using securejoin and runc's user library (baude, 2018-10-29)
    for the purposes of performance and security, we use securejoin to construct the root fs's path so that symlinks are what they appear to be and not pointing to something naughty. then instead of chrooting to parse /etc/passwd|/etc/group, we now use the runc user/group methods which saves us quite a bit of performance. Signed-off-by: baude <bbaude@redhat.com>
* Change to exported name in ParseDevice (Qi Wang, 2018-10-29)
  Signed-off-by: Qi Wang <qiwan@redhat.com>
* Add helper function to read out CRIU version (Adrian Reber, 2018-10-23)
  This adds a simple CRIU version check using the vendored-in CRIU go bindings. Signed-off-by: Adrian Reber <areber@redhat.com>
* Fix man page to show info on storage (Daniel J Walsh, 2018-10-22)
  Also fix lint errors. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Move rootless directory handling to the libpod/pkg/util directory (Daniel J Walsh, 2018-10-22)
  This should allow us to share this code with buildah. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Mount proper cgroup for systemd to manage inside of the container. (Daniel J Walsh, 2018-10-15)
  We are still requiring oci-systemd-hook to be installed in order to run systemd within a container. This patch properly mounts /sys/fs/cgroup/systemd/libpod_parent/libpod-UUID on /sys/fs/cgroup/systemd inside of container. Since we need the UUID of the container, we needed to move Systemd to be a config option of the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Generate a passwd file for users not in container (Daniel J Walsh, 2018-10-12)
  If someone runs podman as a user (uid) that is not defined in the container we want to generate a passwd file so that getpwuid() will work inside of container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1605 from mheon/syslog_cleanup (OpenShift Merge Robot, 2018-10-11)
  Pass along syslog variable to podman cleanup processes
  * Pass along syslog variable to podman cleanup processes (Matthew Heon, 2018-10-11)
    As of now, there is no way to debug podman clean up processes. They are started by conmon with no stdout/stderr and log nowhere. This allows us to actually figure out what is going on when a cleanup process runs. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1628 from giuseppe/rootless-fix-hang-on-setresuid (OpenShift Merge Robot, 2018-10-11)
  rootless: fix hang on startup with older glibc versions
  * rootless: detect when user namespaces are not enabled (Giuseppe Scrivano, 2018-10-11)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * rootless: report more error messages from the startup phase (Giuseppe Scrivano, 2018-10-11)
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  * rootless: fix a hang on older versions of setresuid/setresgid (Giuseppe Scrivano, 2018-10-11)
    the issue is caused by the Go Runtime that messes with the process signals, overriding SIGSETXID and SIGCANCEL which are used internally by glibc. They are used to inform all the threads to update their stored uid/gid information. This causes a hang on the set*id glibc wrappers since the handler installed by glibc is never invoked. Since we are running with only one thread, we don't really need to update other threads or even the current thread as we are not using getuid/getgid before the execvp. Closes: https://github.com/containers/libpod/issues/1625 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add --ip flag and plumbing into libpod (Matthew Heon, 2018-10-11)
  Add the --ip flag back with bash completions. Manpages still missing. Add plumbing to pass the appropriate option down to libpod to connect the flag to backend logic added in the previous commits. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Fix lint (Matthew Heon, 2018-10-04)
  Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Drop libnetwork vendor and move the code into pkg/ (Matthew Heon, 2018-10-04)
  The vendoring issues with libnetwork were significant (it was dragging in massive amounts of code) and were just not worth spending the time to work through. Highly unlikely we'll ever end up needing to update this code, so move it directly into pkg/ so we don't need to vendor libnetwork. Make a few small changes to remove the need for the remainder of libnetwork. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1557 from rhatdan/systemd (OpenShift Merge Robot, 2018-10-04)
  Don't tmpcopyup on systemd cgroup
  * Don't tmpcopyup on systemd cgroup (Daniel J Walsh, 2018-09-29)
    Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Add ContainerStateExited and OCI delete() in cleanup() (Matthew Heon, 2018-10-02)
  To work better with Kata containers, we need to delete() from the OCI runtime as a part of cleanup, to ensure resources aren't retained longer than they need to be. To enable this, we need to add a new state to containers, ContainerStateExited. Containers transition from ContainerStateStopped to ContainerStateExited via cleanupRuntime which is invoked as part of cleanup(). A container in the Exited state is identical to Stopped, except it has been removed from the OCI runtime and thus will be handled differently when initializing the container. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1563 from jwhonce/wip/pods (OpenShift Merge Robot, 2018-10-02)
  Implement pod varlink bindings
  * Implement pod varlink bindings (Jhon Honce, 2018-10-01)
    * Update varlink document
    * Add NoContainersInPod error in go and python
    * Add support for varlink pod interface
    * New code passes pylint
    * Fix bug in test_runner.sh
    * Update integration tests for race condition on status check
    * Add missing port config file support
    Signed-off-by: Jhon Honce <jhonce@redhat.com>
* rootless: raise an error when trying to use cgroups (Giuseppe Scrivano, 2018-10-01)
  https://github.com/containers/libpod/issues/1429#issuecomment-424040416 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add buildah version and distribution to info (baude, 2018-09-28)
  For the sake of debug and problem reporting, we would benefit from knowing what buildah version was vendored into podman. Knowing the distribution and distribution version would also be handy. Signed-off-by: baude <bbaude@redhat.com>
* Add --mount option for `create` & `run` command (Daniel J Walsh, 2018-09-21)
  Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1524 Approved by: mheon
* Refactor Wait() to not require a timeout (Matthew Heon, 2018-09-21)
  We added a timeout for convenience, but most invocations don't care about it. Refactor it into WaitWithTimeout() and add a Wait() that doesn't require a timeout and uses the default. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1527 Approved by: mheon