summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Merge pull request #2141 from baude/remotetagOpenShift Merge Robot2019-01-13
|\ | | | | Add darwin support for remote-client
| * Add darwin support for remote-clientbaude2019-01-11
| | | | | | | | | | | | | | | | Add the ability to cross-compile podman remote for OSX. Also, add image exists and tag to remote-client. Signed-off-by: baude <bbaude@redhat.com>
* | podman play kube: add containers to podbaude2019-01-11
|/ | | | | | | | | when defining containers, we missed the conditional logic to allow the container to be defined with "WithPod" and so forth. I had to slightly modify the createcontainer process to pass a libpod.Pod that could override things; use nil as no pod. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #2135 from baude/varlinkpruneOpenShift Merge Robot2019-01-11
|\ | | | | Add varlink support for prune
| * Add varlink support for prunebaude2019-01-10
| | | | | | | | | | | | | | Add the ability to prune unused images using the varlink API. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #2113 from baude/remoteimagesOpenShift Merge Robot2019-01-11
|\ \ | |/ |/| remote-client support for images
| * remote-client support for imagesbaude2019-01-10
| | | | | | | | Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #2131 from mheon/restore_storage_defaultsOpenShift Merge Robot2019-01-10
|\ \ | | | | | | Use defaults if paths are not specified in storage.conf
| * | Use defaults if paths are not specified in storage.confMatthew Heon2019-01-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For rootless Podman, if storage.conf exists but does not specify one or both of RunRoot and GraphRoot, set them to rootless defaults so we don't end up with an unusable configuration. Fixes #2125 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #2108 from QiWang19/from1899OpenShift Merge Robot2019-01-10
|\ \ \ | |_|/ |/| | Fix 'image trust' from PR1899
| * | Fix 'image trust' from PR1899Qi Wang2019-01-09
| | | | | | | | | | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | createconfig: always cleanup a rootless containerGiuseppe Scrivano2019-01-10
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | the rootless container storage is always mounted in a different mount namespace, owned by the unprivileged user. Even if it is mounted, a process running in another namespace cannot reuse the already mounted storage. Make sure the storage is always cleaned up once the container terminates. This has worked with vfs since there is no real mounted storage. Closes: https://github.com/containers/libpod/issues/2112 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #2114 from vrothberg/issue-2107OpenShift Merge Robot2019-01-10
|\ \ | | | | | | apparmor: apply default profile at container initialization
| * | apparmor: apply default profile at container initializationValentin Rothberg2019-01-09
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Apply the default AppArmor profile at container initialization to cover all possible code paths (i.e., podman-{start,run}) before executing the runtime. This allows moving most of the logic into pkg/apparmor. Also make the loading and application of the default AppArmor profile versio-indepenent by checking for the `libpod-default-` prefix and over-writing the profile in the run-time spec if needed. The intitial run-time spec of the container differs a bit from the applied one when having started the container, which results in displaying a potentially outdated AppArmor profile when inspecting a container. To fix that, load the container config from the file system if present and use it to display the data. Fixes: #2107 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* / libpod/image: Use ParseNormalizedNamed in RepoDigestsW. Trevor King2019-01-09
|/ | | | | | | | | | | | | | | | Avoid generating quay.io/openshift-release-dev/ocp-release@sha256@sha256:239... and similar when the image name is already digest-based [1]. It's not clear exactly how we get into this state, but as shown by the unit tests, the new code handles this case correctly (while the previous code does not). [1]: https://github.com/containers/libpod/issues/2086 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #2106 Approved by: rhatdan
* pkg/hooks/exec: Include failed command in hook errorsW. Trevor King2019-01-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For example: $ cat /etc/containers/oci/hooks.d/test.json { "version": "1.0.0", "hook": { "path": "/bin/sh", "args": ["sh", "-c", "echo 'oh, noes!' >&2; exit 1"] }, "when": { "always": true }, "stages": ["precreate"] } $ podman run --rm docker.io/library/alpine echo 'successful container' error setting up OCI Hooks: executing [sh -c echo 'oh, noes!' >&2; exit 1]: exit status 1 The rendered command isn't in in the right syntax for copy/pasting into a shell, but it should be enough for the user to be able to locate the failing hook. They'll need to know their hook directories, but with the previous commits requiring explicit hook directories it's more likely that the caller is aware of them. And if they run at a debug level, they can see the lookups in the logs: $ podman --log-level=debug --hooks-dir=/etc/containers/oci/hooks.d run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook time="2018-12-02T22:15:16-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d" time="2018-12-02T22:15:16-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json" time="2018-12-02T22:15:16-08:00" level=debug msg="hook test.json matched; adding to stages [precreate]" time="2018-12-02T22:15:16-08:00" level=warning msg="container 3695c6ba0cc961918bd3e4a769c52bd08b82afea5cd79e9749e9c7a63b5e7100: precreate hook: executing [sh -c echo 'oh, noes!' >&2; exit 1]: exit status 1" time="2018-12-02T22:15:16-08:00" level=error msg="error setting up OCI Hooks: executing [sh -c echo 'oh, noes!' >&2; exit 1]: exit status 1" Signed-off-by: W. Trevor King <wking@tremily.us>
* hooks/exec/runtimeconfigfilter: Log config changesW. Trevor King2019-01-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To make it easier to notice and track down errors (or other surprising behavior) due to precreate hooks. With this commit, the logged messages look like: time="2018-11-19T13:35:18-08:00" level=debug msg="precreate hook 0 made configuration changes: --- Old +++ New @@ -18,3 +18,3 @@ Namespaces: ([]specs.LinuxNamespace) <nil>, - Devices: ([]specs.LinuxDevice) (len=1) { + Devices: ([]specs.LinuxDevice) (len=2) { (specs.LinuxDevice) { @@ -24,2 +24,11 @@ Minor: (int64) 229, + FileMode: (*os.FileMode)(-rw-------), + UID: (*uint32)(0), + GID: (*uint32)(0) + }, + (specs.LinuxDevice) { + Path: (string) (len=8) "/dev/sda", + Type: (string) (len=1) "b", + Major: (int64) 8, + Minor: (int64) 0, FileMode: (*os.FileMode)(-rw-------), " time="2018-11-19T13:35:18-08:00" level=debug msg="precreate hook 1 made configuration changes: --- Old +++ New @@ -29,3 +29,3 @@ (specs.LinuxDevice) { - Path: (string) (len=8) "/dev/sda", + Path: (string) (len=8) "/dev/sdb", Type: (string) (len=1) "b", " Ideally those logs would include the container ID, but we don't have access to that down at this level. I'm not sure if it's worth teaching RuntimeConfigFilter to accept a *logrus.Entry (so the caller could use WithFields [1]) or to use a generic logging interface (like go-log [2]). For now, I've left the container ID unlogged here. The spew/difflib implementation is based on stretchr/testify/assert, but I think the ~10 lines I'm borrowing are probably small enough to stay under the "all copies or substantial portions" condition in its MIT license. [1]: https://godoc.org/github.com/sirupsen/logrus#WithFields [2]: https://github.com/go-log/log Signed-off-by: W. Trevor King <wking@tremily.us>
* hooks: Add pre-create hooks for runtime-config manipulationW. Trevor King2019-01-08
| | | | | | | | | | | | | | | | | | | | | | | There's been a lot of discussion over in [1] about how to support the NVIDIA folks and others who want to be able to create devices (possibly after having loaded kernel modules) and bind userspace libraries into the container. Currently that's happening in the middle of runc's create-time mount handling before the container pivots to its new root directory with runc's incorrectly-timed prestart hook trigger [2]. With this commit, we extend hooks with a 'precreate' stage to allow trusted parties to manipulate the config JSON before calling the runtime's 'create'. I'm recycling the existing Hook schema from pkg/hooks for this, because we'll want Timeout for reliability and When to avoid the expense of fork/exec when a given hook does not need to make config changes [3]. [1]: https://github.com/opencontainers/runc/pull/1811 [2]: https://github.com/opencontainers/runc/issues/1710 [3]: https://github.com/containers/libpod/issues/1828#issuecomment-439888059 Signed-off-by: W. Trevor King <wking@tremily.us>
* Merge pull request #2076 from rhatdan/storage.confOpenShift Merge Robot2019-01-08
|\ | | | | If local storage file exists, then use it rather then defau…
| * If local storage file exists, then use it rather then defaults.Daniel J Walsh2019-01-03
| | | | | | | | | | | | | | Currently we always force overlay if it exists even though a user might want vfs. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #2078 from rhatdan/config.fileOpenShift Merge Robot2019-01-07
|\ \ | | | | | | Add the configuration file used to setup storage to podman info
| * | Add the configuration file used to setup storage to podman infoDaniel J Walsh2019-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Users have no idea what storage configuration file is used to setup storage, so adding this to podman info, should make it easier to discover. This requires a revendor of containers/storage Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #2098 from baude/remoteOpenShift Merge Robot2019-01-07
|\ \ \ | |/ / |/| | Add ability to build golang remote client
| * | Add ability to build golang remote clientbaude2019-01-07
| |/ | | | | | | | | | | | | | | | | | | | | Add the ability to build a remote client in golang that uses all the same front-end cli code and output code. The initial limitations here are that it can only be a local client while the bridge and resolver code is being written for the golang varlink client. Tests and docs will be added in subsequent PRs. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #2082 from rhatdan/runcOpenShift Merge Robot2019-01-06
|\ \ | | | | | | Update vendor of runc
| * | Update vendor of runcDaniel J Walsh2019-01-04
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | Updating the vendor or runc to pull in some fixes that we need. In order to get this vendor to work, we needed to update the vendor of docker/docker, which causes all sorts of issues, just to fix the docker/pkg/sysinfo. Rather then doing this, I pulled in pkg/sysinfo into libpod and fixed the code locally. I then switched the use of docker/pkg/sysinfo to libpod/pkg/sysinfo. I also switched out the docker/pkg/mount to containers/storage/pkg/mount Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / add container-init supportValentin Rothberg2019-01-04
|/ | | | | | | | | | | | | | | | | | | Add support for executing an init binary as PID 1 in a container to forward signals and reap processes. When the `--init` flag is set for podman-create or podman-run, the init binary is bind-mounted to `/dev/init` in the container and "/dev/init --" is prepended to the container's command. The default base path of the container-init binary is `/usr/libexec/podman` while the default binary is catatonit [1]. This default can be changed permanently via the `init_path` field in the `libpod.conf` configuration file (which is recommended for packaging) or temporarily via the `--init-path` flag of podman-create and podman-run. [1] https://github.com/openSUSE/catatonit Fixes: #1670 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* Fix handling of symbolic linksDaniel J Walsh2018-12-28
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Fixes to handle /dev/shm correctly.Daniel J Walsh2018-12-24
| | | | | | | | | | | | | | | | | | We had two problems with /dev/shm, first, you mount the container read/only then /dev/shm was mounted read/only. This is a bug a tmpfs directory should be read/write within a read-only container. The second problem is we were ignoring users mounted /dev/shm from the host. If user specified podman run -d -v /dev/shm:/dev/shm ... We were dropping this mount and still using the internal mount. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Refactor: use idtools.ParseIDMap instead of bundling own versionŠimon Lukašík2018-12-23
| | | | | | | | | | | ParseIDMap function was extracted to idtools in https://github.com/containers/storage/pull/236 it is already used in containers/storage and buildah, it should be used in libpod as well. Signed-off-by: Šimon Lukašík <isimluk@fedoraproject.org>
* Switch all referencs to image.ContainerConfig to image.ConfigDaniel J Walsh2018-12-21
| | | | | | This will more closely match what Docker is doing. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Allow users to specify a directory for additonal devicesDaniel J Walsh2018-12-21
| | | | | | | Podman will search through the directory and will add any device nodes that it finds. If no devices are found we return an error. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Change all 'can not' to 'cannot' for proper usageDaniel J Walsh2018-12-21
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Invalid index for arrayDaniel J Walsh2018-12-21
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless: add function to join user and mount namespaceGiuseppe Scrivano2018-12-21
| | | | | | | | | | Add the possibility to join directly the user and mount namespace without looking up the parent of the user namespace. We need this in order to be able the conmon process, as the mount namespace is kept alive only there. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Support podman image trust commandQi Wang2018-12-19
| | | | | | Display the trust policy of the host system. The trust policy is stored in the /etc/containers/policy.json file and defines a scope of registries or repositories. Signed-off-by: Qi Wang <qiwan@redhat.com>
* Clean up some existing varlink endpointsbaude2018-12-12
| | | | | | | | Going through and adding options (like tls-verify, signature option, etc) to some varlink endpoints (like push/pull) many of which had not been updated since their original authoring. Signed-off-by: baude <bbaude@redhat.com>
* add more example usage to varlink endpointsbaude2018-12-09
| | | | Signed-off-by: baude <bbaude@redhat.com>
* add timeout to pod stopbaude2018-12-07
| | | | | | | | like podman stop of containers, we should allow the user to specify a timeout override when stopping pods; otherwise they have to wait the full timeout time specified during the pod/container creation. Signed-off-by: baude <bbaude@redhat.com>
* Remove the forceSecure parameter on the pull call stackMiloslav Trmač2018-12-06
| | | | | | | DockerRegistryOptions.DockerInsecureSkipTLSVerify as an types.OptionalBool can now represent that value, so forceSecure is redundant. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Factor out the registries.conf location code in pkg/registriesMiloslav Trmač2018-12-06
| | | | | | | | | The newly introduced SystemRegistriesConfPath somewhat decreases duplication, but more importantly will allow future callers to set just a types.SystemContext.SystemRegistriesConfPath and not call GetRegistries / GetInsecureRegistries at all. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove the forceSecure parameter of Image.PushImageTo*Miloslav Trmač2018-12-06
| | | | | | | DockerRegistryOptions.DockerInsecureSkipTLSVerify as an types.OptionalBool can now represent that value, so forceSecure is redundant. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Minimally update for the DockerInsecureSkipTLSVerify type changeMiloslav Trmač2018-12-06
| | | | | | | | | | | | | | | | | Following SystemContext.DockerInsecureSkipTLSVerify, make the DockerRegistryOne also an OptionalBool, and update callers. Explicitly document that --tls-verify=true and --tls-verify unset have different behavior in those commands where the behavior changed (or where it hasn't changed but the documentation needed updating). Also make the --tls-verify man page sections a tiny bit more consistent throughout. This is a minimal fix, without changing the existing "--tls-verify=true" paths nor existing manual insecure registry lookups. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Add "podman volume" commandumohnani82018-12-06
| | | | | | | | | | | | | | | Add support for podman volume and its subcommands. The commands supported are: podman volume create podman volume inspect podman volume ls podman volume rm podman volume prune This is a tool to manage volumes used by podman. For now it only handle named volumes, but eventually it will handle all volumes used by podman. Signed-off-by: umohnani8 <umohnani@redhat.com>
* Merge pull request #1924 from baude/mroevarlinkendpointsOpenShift Merge Robot2018-12-05
|\ | | | | Adding more varlink endpoints
| * Adding more varlink endpointsbaude2018-12-03
| | | | | | | | | | | | | | | | | | | | | | * runlabel * checkpoint * restore * container|image exists * mount * unmount Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #1940 from wking/numeric-gidOpenShift Merge Robot2018-12-05
|\ \ | | | | | | libpod/container_internal_linux: Allow gids that aren't in the group file
| * | pkg/lookup: Return ID-only pointers on ErrNo*EntriesW. Trevor King2018-12-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Callers that only care about the IDs should try to convert the identifier to an integer before calling the Get* functions, so they can save the cost of hitting the filesystem and maybe or maybe not finding the other fields (User.Name, etc.). But callers that *want* the other fields but only actually need the ID can, with this commit, just call the Get* function and ignore ErrNo*Entries responses: user, err := lookup.GetUser(mount, userIDorName) if err != nil && err != ErrNoPasswdEntries { return err } Previously, they'd have to perform their own integer-conversion attempt in Get* error handling, with logic like: user, err := lookup.GetUser(mount, userIDorName) if err == ErrNoPasswdEntries { uuid, err := strconv.ParseUint(userIDorName, 10, 32) if err == nil { user.Uid = int(uuid) } } else if err != nil { return err } Signed-off-by: W. Trevor King <wking@tremily.us>
* | | Merge pull request #1918 from mheon/use_db_pathsOpenShift Merge Robot2018-12-05
|\ \ \ | |/ / |/| | Use paths written in DB instead if they differ from our defaults
| * | Revert changes to GetDefaultStoreOptionsMatthew Heon2018-12-03
| | | | | | | | | | | | | | | | | | | | | | | | We don't need this for anything more than rootless work in Libpod now, but Buildah still uses it as it was originally written, so leave it intact as part of our API. Signed-off-by: Matthew Heon <mheon@redhat.com>