summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* rootless: exec handle processes that create an user namespaceGiuseppe Scrivano2018-08-26
| | | | | | | | | | | | | | Manage the case where the main process of the container creates and joins a new user namespace. In this case we want to join only the first child in the new hierarchy, which is the user namespace that was used to create the container. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1331 Approved by: rhatdan
* rootless: fix execGiuseppe Scrivano2018-08-26
| | | | | | | | | | | | | | | | | | | | | We cannot re-exec into a new user namespace to gain privileges and access an existing as the new namespace is not the owner of the existing container. "unshare" is used to join the user namespace of the target container. The current implementation assumes that the main process of the container didn't create a new user namespace. Since in the setup phase we are not running with euid=0, we must skip the setup for containers/storage. Closes: https://github.com/containers/libpod/issues/1329 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1331 Approved by: rhatdan
* exposes tcp port only if no proto specified.Kunal Kushwaha2018-08-24
| | | | | | | | | | Also it fix the issue of exposing both tc/udp port even if only one proto specified. Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp> Closes: #1325 Approved by: mheon
* Reveal information about container capabilitiesDaniel J Walsh2018-08-24
| | | | | | | | | | | I am often asked about the list of capabilities availabel to a container. We should be listing this data in the inspect command for effective capabilities and the bounding set. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1335 Approved by: TomSweeneyRedHat
* Fixing network ns segfaulthaircommander2018-08-23
| | | | | | | | | As well as small style corrections, update pod_top_test to use CreatePod, and move handling of adding a container to the pod's namespace from container_internal_linux to libpod/option. Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1187 Approved by: mheon
* Change pause container to infra containerhaircommander2018-08-23
| | | | | | | Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1187 Approved by: mheon
* Support pause containers in varlinkhaircommander2018-08-23
| | | | | | | Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1187 Approved by: mheon
* Added option to share kernel namespaces in libpod and podmanhaircommander2018-08-23
| | | | | | | | | A pause container is added to the pod if the user opts in. The default pause image and command can be overridden. Pause containers are ignored in ps unless the -a option is present. Pod inspect and pod ps show shared namespaces and pause container. A pause container can't be removed with podman rm, and a pod can be removed if it only has a pause container. Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1187 Approved by: mheon
* Changed GetContainerStats to return ErrCtrStateInvalidhaircommander2018-08-23
| | | | | | | | | | | | | | This results in some functionality changes: If a ErrCtrStateInvalid is returned to GetPodStats, the container is ommitted from the stats. As such, if an empty slice of Container stats are returned to GetPodStats in varlink, an error will occur. GetContainerStats will return the ErrCtrStateInvalid as well. Finally, if ErrCtrStateInvalid is returned to the podman stats call, the container will be ommitted from the stats. Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1319 Approved by: baude
* Add GetPodStats to varlinkhaircommander2018-08-23
| | | | | | | Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1319 Approved by: baude
* rootless: fix --net host --privilegedGiuseppe Scrivano2018-08-22
| | | | | | | | | Closes: https://github.com/containers/libpod/issues/1313 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1323 Approved by: umohnani8
* Fix a bug with hook ALWAYS matching with a processMatthew Heon2018-08-22
| | | | | | | | | | | | When a non-nil process was used and a hook was set to match always, this would not actually match. Fix this. Fixes: #1308 Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1311 Approved by: rhatdan
* Fix handling of devicesDaniel J Walsh2018-08-20
| | | | | | | | | | | | | | Devices are supposed to be able to be passed in via the form of --device /dev/foo --device /dev/foo:/dev/bar --device /dev/foo:rwm --device /dev/foo:/dev/bar:rwm Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1299 Approved by: umohnani8
* podman: fix --uts=hostGiuseppe Scrivano2018-08-17
| | | | | | | | | | | | | | | Do not set any hostname value in the OCI configuration when --uts=host is used and the user didn't specify any value. This prevents an error from the OCI runtime as it cannot set the hostname without a new UTS namespace. Differently, the HOSTNAME environment variable is always set. When --uts=host is used, HOSTNAME gets the value from the host. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1280 Approved by: baude
* Added helper function for libpod pod api callshaircommander2018-08-16
| | | | | | | Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1275 Approved by: mheon
* CreatePod args now PodCreate structurehaircommander2018-08-16
| | | | | | | Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1275 Approved by: mheon
* Added reason to PodContainerErrorhaircommander2018-08-16
| | | | | | | Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1275 Approved by: mheon
* Change batchcontainer to sharedhaircommander2018-08-16
| | | | | | | | | To better reflect it's usage: to share functions between podman and varlink. Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1275 Approved by: mheon
* Add Pod API to varlink.haircommander2018-08-16
| | | | | | | | | Including: GetPod, StartPod, StopPod, RestartPod, KillPod, PausePod, UnpausePod, CreatePod, RemovePod, and InspectPod Signed-off-by: haircommander <pehunt@redhat.com> Closes: #1275 Approved by: mheon
* switch projectatomic to containersDaniel J Walsh2018-08-16
| | | | | | | | | | Need to get some small changes into libpod to pull back into buildah to complete buildah transition. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1270 Approved by: mheon
* Revert "spec: bind mount /sys only for rootless containers"Giuseppe Scrivano2018-08-16
| | | | | | | | | It breaks "podman run --net=host --uidmap=0:1:70000 --gidmap=0:20000:70000 busybox echo hi" Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1285 Approved by: rhatdan
* Suport format param for varlink CommitQi Wang2018-08-16
| | | | | | | | | We need to pass the image format OCI or docker in the varlink commit command. Signed-off-by: Qi Wang <qiwan@redhat.com> Closes: #1281 Approved by: mheon
* spec: bind mount /sys only for rootless containersGiuseppe Scrivano2018-08-15
| | | | | | | | | root can always mount a new instance. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1279 Approved by: rhatdan
* Fix handling of hostname in --net=hostDaniel J Walsh2018-08-15
| | | | | | | | | Hostname should be set to the hosts hostname when network is none. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1274 Approved by: giuseppe
* pkg/apparmor: use a pipe instead of a tmp fileValentin Rothberg2018-08-14
| | | | | | | | | | Use a pipe instead of a temporary file to load the apparmor profile. This change has a measurable speed improvement for apparmor users. Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Closes: #1262 Approved by: mheon
* pkg/apparmor: move data under Linux/apparmor buildtagsValentin Rothberg2018-08-14
| | | | | | | | | | Move all Linux-related data under the corresponding buildtags to reduce the memory footprint and speed up compilation for non-apparmor builds. Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Closes: #1262 Approved by: mheon
* pkg/apparmor: move all linux-code into apparmor_linux*Valentin Rothberg2018-08-14
| | | | | | | | | For easier maintenance and clearer structure of the code. Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Closes: #1262 Approved by: mheon
* when searching, survive errors for multiple registriesbaude2018-08-14
| | | | | | | | | | | | | when searching multiple registries for images, if we get an error on one of the searches, we should keep going and complete the search. if there is only one search registry however, we will return an error. Resolves: #1255 Signed-off-by: baude <bbaude@redhat.com> Closes: #1257 Approved by: mheon
* rootless: fix user lookup if USER= is not setGiuseppe Scrivano2018-08-08
| | | | | | | | | | | | Lookup the current username by UID if the USER env variable is not set. Reported in: https://github.com/projectatomic/libpod/issues/1092 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1217 Approved by: rhatdan
* Rename varlink socket and interfacebaude2018-08-06
| | | | | | | | | io.projectatomic.podman -> io.podman Signed-off-by: baude <bbaude@redhat.com> Closes: #1204 Approved by: mheon
* Make one runtime for the varlink servicebaude2018-08-05
| | | | | | | | | | | | | Rather than making a runtime each time a client hits a varlink endpoint, we now make a single runtime when the varlink service starts up. This fixes a problem where we hit a max inotify limit from CNI. Resolves: #1211 Signed-off-by: baude <bbaude@redhat.com> Closes: #1215 Approved by: rhatdan
* Check for missing arguments in /proc/self/cmdlineAnders F Björklund2018-08-03
| | | | | Closes: #1206 Approved by: giuseppe
* rootless: do not set setgroups to deny when using newuidmapGiuseppe Scrivano2018-08-02
| | | | | | | | | It is required only when directly configuring the user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1200 Approved by: rhatdan
* Merge pull request #1201 from giuseppe/fix-segfault-rootlessDaniel J Walsh2018-08-02
|\ | | | | rootless: do not segfault if the parent already died
| * rootless: do not segfault if the parent already diedGiuseppe Scrivano2018-08-02
| | | | | | | | | | | | Closes: https://github.com/projectatomic/libpod/issues/1189 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | RFC: Rename Image.PushImage to Image.PushImageToHeuristicDestinationMiloslav Trmač2018-08-01
|/ | | | | | | | | | | | | | | | | | | | | | The goal is to be very explicit about which functions try to heuristically guess what is the expected format of the string. Not quite "shaming" the users, but making sure they stand out. RFC: - Is this at all acceptable? Desirable? - varlink ExportImage says "destination must have transport type"; should it be using alltransports.ParseImageReference + PushImageToReference, then? (While touching the call in cmd/podman, also remove a commented-out older version of the call.) Should not change behavior (but does not add unit tests). Signed-off-by: Miloslav Trmač <mitr@redhat.com> Closes: #1176 Approved by: rhatdan
* network: add support for rootless network with slirp4netnsGiuseppe Scrivano2018-07-31
| | | | | | | | | | | slirp4netns is required to setup the network namespace: https://github.com/rootless-containers/slirp4netns Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1156 Approved by: rhatdan
* varlink ImageRemove should always return image IDbaude2018-07-31
| | | | | | | | | | | | | When removing an image via varlink, we should always return the ID of the image even in the case where the image has multiple repository names and one was only untagged. Reported by jhonce during integration testing. Signed-off-by: baude <bbaude@redhat.com> Closes: #1191 Approved by: jwhonce
* Fix godoc comment in pkg/netnsMatthew Heon2018-07-27
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1165 Approved by: baude
* Fix handling of Linux network namespacesMatthew Heon2018-07-27
| | | | | | | | | | | | | | | | | | | The CNI plugins upstream removed their network namespace creation code, making it a test package only. Copy it into our repository and slightly modify it for our use (most notably, use MNT_DETACH when unmounting namespaces). This new CNI code splits closing and unmounting network namespaces, which allows us to greatly reduce the number of occasions on which we call teardownNetwork() and make more errors in that function fatal instead of warnings. Instead, we can call Close() and just close the open file descriptor in cases where the namespace has already been cleaned up. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1165 Approved by: baude
* Clear variables used to store options after parsing for every volumeumohnani82018-07-25
| | | | | | | | | | | | If more than one volume was mounted using the --volume flag in podman run, the second and onwards volumes were picking up options of the previous volume mounts defined. Found out that the options were not be cleared out after every volume was parsed. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #1142 Approved by: mheon
* Merge pull request #1116 from mheon/namespacesDaniel J Walsh2018-07-25
|\ | | | | Add Pod and Container namespaces
| * Add missing runtime.go lines to set namespaceMatthew Heon2018-07-24
| | | | | | | | | | | | Also add namespace to inspect output to verify its presence Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Merge pull request #1153 from jwhonce/bug/psgoMatthew Heon2018-07-24
|\ \ | | | | | | Fix varlink API usage of psgo
| * | Fix varlink API usage of psgoJhon Honce2018-07-24
| |/ | | | | | | Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | podman: allow to specify the IPC namespace to joinGiuseppe Scrivano2018-07-24
| | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1145 Approved by: rhatdan
* | podman: allow to specify the UTS namespace to joinGiuseppe Scrivano2018-07-24
| | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1145 Approved by: rhatdan
* | podman: allow to specify the PID namespace to joinGiuseppe Scrivano2018-07-24
| | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1145 Approved by: rhatdan
* | podman: allow to specify the userns to joinGiuseppe Scrivano2018-07-24
| | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1145 Approved by: rhatdan
* | network: support ns: prefix to join existing namespaceGiuseppe Scrivano2018-07-24
| | | | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1145 Approved by: rhatdan