summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Handle conflict between volumes and --read-only-tmpfsMatthew Heon2019-09-24
| | | | | | | | | | When a named volume is mounted on any of the tmpfs filesystems created by read-only tmpfs, it caused a conflict that was not resolved prior to this. Fixes BZ1755119 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #4094 from haircommander/play-only-podOpenShift Merge Robot2019-09-24
|\ | | | | play kube: Only support pod kind in k8s yaml
| * play kube: Only support pod kind in k8s yamlPeter Hunt2019-09-24
| | | | | | | | | | | | Since we only really support playing pods, and no other kubernetes types Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | Make netns bind mount sharedgabi beyer2019-09-24
| | | | | | | | | | | | | | | | To 'avoid unknown FS magic on "/run/user/1000/netns/...": 1021994' make the network namespace bind-mount recursively shared, so the mount is back-propogated to the host. Signed-off-by: gabi beyer <gabrielle.n.beyer@intel.com>
* | rootless: Rearrange setup of rootless containersGabi Beyer2019-09-24
|/ | | | | | | | | | | | | | | In order to run Podman with VM-based runtimes unprivileged, the network must be set up prior to the container creation. Therefore this commit modifies Podman to run rootless containers by: 1. create a network namespace 2. pass the netns persistent mount path to the slirp4netns to create the tap inferface 3. pass the netns path to the OCI spec, so the runtime can enter the netns Closes #2897 Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
* execuser: look at the source for /etc/{passwd,group} overridesGiuseppe Scrivano2019-09-21
| | | | | | | | | look if there are bind mounts that can shadow the /etc/passwd and /etc/group files. In that case, look at the bind mount source. Closes: https://github.com/containers/libpod/pull/4068#issuecomment-533782941 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Clean destination paths during mount generationMatthew Heon2019-09-19
| | | | | | | | | | | | | We identify and resolve conflicts in paths using destination path matches. We require exact matches, largely for performance reasons (we use maps to efficiently access, keyed by destination). This usually works fine, until you get mounts that are targetted at /output and /output/ - the same path, but not the same string. Use filepath.Clean() aggressively to try and solve this. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* support non-standard ssh port for remote-clientbaude2019-09-17
| | | | | | | | | | when using the remote client, users may need to specify a non-standard port for ssh connections. we can do so on the command line and within the remote-client configuration file. Fixes: #3987 Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #4034 from rhatdan/relabelOpenShift Merge Robot2019-09-17
|\ | | | | Add 'relabel' to --mount options
| * Add 'relabel' to --mount optionsDaniel J Walsh2019-09-16
| | | | | | | | | | | | | | | | | | Currently if a user specifies a --mount option, their is no way to tell SELinux to relabel the mount point. This patch addes the relabel=shared and relabel=private options. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Check for rootless before checking cgroups version in spec_test.Danila Kiver2019-09-15
| | | | | | | | Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
* | Skip spec_test for rootless envs without cgroup v2.Danila Kiver2019-09-14
|/ | | | Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
* Merge pull request #4006 from rhatdan/rootlessOpenShift Merge Robot2019-09-13
|\ | | | | Report errors when trying to pause rootless containers
| * Report errors when trying to pause rootless containersDaniel J Walsh2019-09-13
| | | | | | | | | | | | | | | | If you are running a rootless container on cgroupV1 you can not pause the container. We need to report the proper error if this happens. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #3934 from rhatdan/waitOpenShift Merge Robot2019-09-13
|\ \ | |/ |/| Podman-remote run should wait for exit code
| * Podman-remote run should wait for exit codeDaniel J Walsh2019-09-12
| | | | | | | | | | | | | | | | This change matches what is happening on the podman local side and should eliminate a race condition. Also exit commands on the server side should start to return to client. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
| * Use exit code constantsDaniel J Walsh2019-09-12
| | | | | | | | | | | | | | We have leaked the exit number codess all over the code, this patch removes the numbers to constants. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | enhance podman network rmbaude2019-09-12
|/ | | | | | | | | | when removing a podman network, we need to make sure we delete the network interface if one was ever created (by running a container). also, when removing networks, we check if any containers are using the network. if they are, we error out unless the user provides a 'force' option which will remove the containers in question. Signed-off-by: baude <bbaude@redhat.com>
* rootless: automatically create a systemd scopeGiuseppe Scrivano2019-09-12
| | | | | | | | | | | | | | | | | | | | | when running in rootless mode and using systemd as cgroup manager create automatically a systemd scope when the user doesn't own the current cgroup. This solves a couple of issues: on cgroup v2 it is necessary that a process before it can moved to a different cgroup tree must be in a directory owned by the unprivileged user. This is not always true, e.g. when creating a session with su -l. Closes: https://github.com/containers/libpod/issues/3937 Also, for running systemd in a container it was before necessary to specify "systemd-run --scope --user podman ...", now this is done automatically as part of this PR. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3927 from openSUSE/manager-annotationsOpenShift Merge Robot2019-09-11
|\ | | | | Add `ContainerManager` annotation to created containers
| * Add `ContainerManager` annotation to created containersSascha Grunert2019-09-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change adds the following annotation to every container created by podman: ```json "Annotations": { "io.containers.manager": "libpod" } ``` Target of this annotaions is to indicate which project in the containers ecosystem is the major manager of a container when applications share the same storage paths. This way projects can decide if they want to manipulate the container or not. For example, since CRI-O and podman are not using the same container library (libpod), CRI-O can skip podman containers and provide the end user more useful information. A corresponding end-to-end test has been adapted as well. Relates to: https://github.com/cri-o/cri-o/pull/2761 Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* | Merge pull request #3581 from mheon/no_cgroupsOpenShift Merge Robot2019-09-11
|\ \ | |/ |/| Support running containers without CGroups
| * Add support for launching containers without CGroupsMatthew Heon2019-09-10
| | | | | | | | | | | | | | This is mostly used with Systemd, which really wants to manage CGroups itself when managing containers via unit file. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #3896 from mheon/volume_lookupOpenShift Merge Robot2019-09-09
|\ \ | | | | | | Add ability to look up volumes by unambiguous partial name
| * | Add function for looking up volumes by partial nameMatthew Heon2019-09-09
| |/ | | | | | | | | | | | | | | | | | | This isn't included in Docker, but seems handy enough. Use the new API for 'volume rm' and 'volume inspect'. Fixes #3891 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #3862 from baude/networkcreateOpenShift Merge Robot2019-09-09
|\ \ | |/ |/| podman network create
| * podman network createbaude2019-09-09
| | | | | | | | | | | | | | initial implementation of network create. we only support bridging networks with this first pass. Signed-off-by: baude <bbaude@redhat.com>
* | Fixup `util.GetRootlessConfigHomeDir` permission requirementsChristian Felder2019-09-09
| | | | | | | | | | | | | | | | | | | | Do not require 0755 permissons for the ~/.config directory but require at least 0700 which should be sufficient. The current implementation internally creates this directory with 0755 if it does not exist, but if the directory already exists with different perissions the current code returns an empty string. Signed-off-by: Christian Felder <c.felder@fz-juelich.de>
* | build: pass down the cgroup manager to buildahGiuseppe Scrivano2019-09-06
|/ | | | | | | | Pass down the cgroup manager to use to buildah. Closes: https://github.com/containers/libpod/issues/3938 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3918 from rhatdan/infoOpenShift Merge Robot2019-09-06
|\ | | | | Return information about mount_program (fuse-overlayfs)
| * Return information about mount_program (fuse-overlayfs)Daniel J Walsh2019-09-06
| | | | | | | | | | | | | | | | | | | | We want to get podman info to tell us about the version of the mount program to help us diagnose issues users are having. Also if in rootless mode and slirp4netns is installed reveal package info on slirp4netns. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #3958 from haircommander/play-kube-secOpenShift Merge Robot2019-09-06
|\ \ | | | | | | play kube: fix segfault
| * | play kube: fix segfaultPeter Hunt2019-09-06
| |/ | | | | | | | | | | | | when securityContext wasn't specified in yaml. add a test as well Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | Correctly report errors on unmounting SHMMatthew Heon2019-09-05
| | | | | | | | | | | | | | | | | | | | | | When we fail to remove a container's SHM, that's an error, and we need to report it as such. This may be part of our lingering storage woes. Also, remove MNT_DETACH. It may be another cause of the storage removal failures. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Add ability for volumes with options to mount/umountMatthew Heon2019-09-05
|/ | | | | | | | | | | | | When volume options and the local volume driver are specified, the volume is intended to be mounted using the 'mount' command. Supported options will be used to volume the volume before the first container using it starts, and unmount the volume after the last container using it dies. This should work for any local filesystem, though at present I've only tested with tmpfs and btrfs. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #3876 from mheon/fix_mount_flagsOpenShift Merge Robot2019-09-04
|\ | | | | Allow suid, exec, dev mount options to cancel nosuid/noexec/nodev
| * Fix addition of mount options when using RO tmpfsMatthew Heon2019-08-28
| | | | | | | | | | | | | | | | For read-only containers set to create tmpfs filesystems over /run and other common destinations, we were incorrectly setting mount options, resulting in duplicate mount options. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Allow :z and :Z with ProcessOptionsMatthew Heon2019-08-28
| | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Set base mount options for bind mounts from base systemMatthew Heon2019-08-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If I mount, say, /usr/bin into my container - I expect to be able to run the executables in that mount. Unconditionally applying noexec would be a bad idea. Before my patches to change mount options and allow exec/dev/suid being set explicitly, we inferred the mount options from where on the base system the mount originated, and the options it had there. Implement the same functionality for the new option handling. There's a lot of performance left on the table here, but I don't know that this is ever going to take enough time to make it worth optimizing. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Don't double-process tmpfs optionsMatthew Heon2019-08-28
| | | | | | | | | | | | | | | | We already process the options on all tmpfs filesystems during final addition of mounts to the spec. We don't need to do it before that in parseVolumes. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * Add support for 'exec', 'suid', 'dev' mount flagsMatthew Heon2019-08-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, we explicitly set noexec/nosuid/nodev on every mount, with no ability to disable them. The 'mount' command on Linux will accept their inverses without complaint, though - 'noexec' is counteracted by 'exec', 'nosuid' by 'suid', etc. Add support for passing these options at the command line to disable our explicit forcing of security options. This also cleans up mount option handling significantly. We are still parsing options in more than one place, which isn't good, but option parsing for bind and tmpfs mounts has been unified. Fixes: #3819 Fixes: #3803 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | pkg/util: use rootless function to read additional usersGiuseppe Scrivano2019-09-03
| | | | | | | | | | | | | | make pkg/rootless.GetConfiguredMappings public so that it can be used from pkg/util. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | rootless: detect user namespace configuration changesGiuseppe Scrivano2019-09-03
| | | | | | | | | | | | | | | | | | | | | | detect if the current user namespace doesn't match the configuration in the /etc/subuid and /etc/subgid files. If there is a mismatch, raise a warning and suggest the user to recreate the user namespace with "system migrate", that also restarts the containers. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | spec: provide custom implementation for getDevicesGiuseppe Scrivano2019-09-02
| | | | | | | | | | | | | | | | | | | | | | | | provide an implementation for getDevices that skip unreadable directories for the current user. Based on the implementation from runc/libcontainer. Closes: https://github.com/containers/libpod/issues/3919 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | spec: do not set devices cgroup when rootlessGiuseppe Scrivano2019-09-02
| | | | | | | | | | | | eBPF requires to be root in the init namespace. Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* | rootless: bind mount devices instead of creating themGiuseppe Scrivano2019-09-02
| | | | | | | | | | | | | | | | | | | | | | when running in rootless mode, --device creates a bind mount from the host instead of specifying the device in the OCI configuration. This is required as an unprivileged user cannot use mknod, even when root in a user namespace. Closes: https://github.com/containers/libpod/issues/3905 Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
* | dont panic when using varlink commit and uppercase image namesbaude2019-08-29
|/ | | | | | | | | when using an upper case image name for container commit, we observed panics due to a channel closing early. Fixes: #3897 Signed-off-by: baude <bbaude@redhat.com>
* Update varlink doc and codeJhon Honce2019-08-26
| | | | | | | | * Improved error message * Added documentation * Updated messages to include missing data Signed-off-by: Jhon Honce <jhonce@redhat.com>
* clean up after remote buildbaude2019-08-25
| | | | | | | | | | when performing an image build over a varlink connection, we should clean up tmp files that are a result of sending the file to the host and untarring it for the build. Fixes: #3869 Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3800 from vrothberg/generate-podOpenShift Merge Robot2019-08-22
|\ | | | | generate systemd pod