path: root/pkg
Commit message (Author, Age)
* Move OCI runtime implementation behind an interface (Matthew Heon, 2019-10-10)

For future work, we need multiple implementations of the OCI runtime, not just a Conmon-wrapped runtime matching the runc CLI. As part of this, do some refactoring on the interface for exec (move to a struct, not a massive list of arguments). Also, add 'all' support to Kill and Stop (supported by runc and used a bit internally for removing containers).

Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* rootless: automatically recreate the pause.pid file (Giuseppe Scrivano, 2019-10-09)

If the pause process cannot be joined, remove the pause.pid while keeping a lock on it, and try to recreate it.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* rootless: do not close files twice (Giuseppe Scrivano, 2019-10-09)

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4032 from rhatdan/pids-limit (OpenShift Merge Robot, 2019-10-07)

Setup a reasonable default for pids-limit 4096

* Setup a reasonable default for pids-limit 4096 (Daniel J Walsh, 2019-10-04)

CRI-O defaults to 1024 for the maximum pids in a container. Podman should have a similar limit. Once we have a containers.conf, we can set the limit in this file, and have it easily customizable.

Currently the documentation says that -1 sets pids-limit=max, but -1 fails. This patch allows -1, but also indicates that 0 also sets the max pids limit.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* Update c/image to v4.0.1 and buildah to 1.11.3 (Miloslav Trmač, 2019-10-04)

This requires updating all import paths throughout, and a matching buildah update to interoperate.

I can't figure out the reason for go.mod tracking github.com/containers/image v3.0.2+incompatible // indirect ((go mod graph) lists it as a direct dependency of libpod, but (go list -json -m all) lists it as an indirect dependency), but at least looking at the vendor subdirectory, it doesn't seem to be actually used in the built binaries.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Merge pull request #3549 from marcov/evict-container (OpenShift Merge Robot, 2019-10-04)

Add ability to evict a container

* rm: add containers eviction with `rm --force` (Marco Vedovati, 2019-09-25)

Add ability to evict a container when it becomes unusable. This may happen when the host setup changes after a container creation, making it impossible for that container to be used or removed. Evicting a container is done using the `rm --force` command.

Signed-off-by: Marco Vedovati <mvedovati@suse.com>
* Merge pull request #4161 from afbjorklund/machine-env (OpenShift Merge Robot, 2019-10-03)

Handle environment variables from podman-machine

* Apply changes also to the windows implementation (Anders F Björklund, 2019-10-02)

Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>

* Avoid hard-coding path to varlink and podman (Anders F Björklund, 2019-10-01)

Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>

* Allow changing IdentityFile and to IgnoreHosts (Anders F Björklund, 2019-10-01)

Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* rootless: allow cgroupfs manager on cgroups v2 (Giuseppe Scrivano, 2019-10-02)

If there are no resources specified, make sure the OCI resources block is empty so that the OCI runtime won't complain.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* network: hide EPERM warning when rootless (Giuseppe Scrivano, 2019-10-01)

If running rootless, do not print a warning message when podman cannot rejoin the initial network namespace. The first network namespace is owned by root on the host; a rootless user cannot re-join it once it moves to a new network namespace.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #4001 from kunalkushwaha/podman-import-fix (OpenShift Merge Robot, 2019-09-30)

podman import syntax fix

* syntax updated for podman import --change (Kunal Kushwaha, 2019-09-27)

Currently, podman import change does not support syntax like
- KEY val
- KEY ["val"]

This adds support for both of these syntaxes along with KEY=val

Signed-off-by: Kunal Kushwaha <kunal.kushwaha@gmail.com>
* Merge pull request #4124 from mheon/set_log_level_early (OpenShift Merge Robot, 2019-09-27)

Set log-level immediately, before rootless setup

* Set log-level immediately, before rootless setup (Matthew Heon, 2019-09-26)

If we don't do this, we print WARN level messages that we should not be printing by default. Up one WARN message to ERROR so it still shows up by default.

Fixes: #4115
Fixes: #4012

Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Merge pull request #4117 from mheon/pod_no_name (OpenShift Merge Robot, 2019-09-26)

Add an error for pods without a name

* Add an error for pods without a name (Matthew Heon, 2019-09-26)

Signed-off-by: Matthew Heon <mheon@redhat.com>

* Merge pull request #4102 from baude/remotestdin (OpenShift Merge Robot, 2019-09-25)

conditionally send stdin on remote run

* conditionally send stdin on remote run (baude, 2019-09-24)

When running a container remotely, we should only be sending stdin when running with --interactive; otherwise use nil.

Fixes: #4095

Signed-off-by: baude <bbaude@redhat.com>
* Handle conflict between volumes and --read-only-tmpfs (Matthew Heon, 2019-09-24)

When a named volume is mounted on any of the tmpfs filesystems created by read-only tmpfs, it caused a conflict that was not resolved prior to this.

Fixes BZ1755119

Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Merge pull request #4094 from haircommander/play-only-pod (OpenShift Merge Robot, 2019-09-24)

play kube: Only support pod kind in k8s yaml

* play kube: Only support pod kind in k8s yaml (Peter Hunt, 2019-09-24)

Since we only really support playing pods, and no other kubernetes types

Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Make netns bind mount shared (gabi beyer, 2019-09-24)

To 'avoid unknown FS magic on "/run/user/1000/netns/...": 1021994' make the network namespace bind-mount recursively shared, so the mount is back-propagated to the host.

Signed-off-by: gabi beyer <gabrielle.n.beyer@intel.com>

* rootless: Rearrange setup of rootless containers (Gabi Beyer, 2019-09-24)

In order to run Podman with VM-based runtimes unprivileged, the network must be set up prior to the container creation. Therefore this commit modifies Podman to run rootless containers by:
1. create a network namespace
2. pass the netns persistent mount path to the slirp4netns to create the tap interface
3. pass the netns path to the OCI spec, so the runtime can enter the netns

Closes #2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
* execuser: look at the source for /etc/{passwd,group} overrides (Giuseppe Scrivano, 2019-09-21)

Look if there are bind mounts that can shadow the /etc/passwd and /etc/group files. In that case, look at the bind mount source.

Closes: https://github.com/containers/libpod/pull/4068#issuecomment-533782941

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

* Clean destination paths during mount generation (Matthew Heon, 2019-09-19)

We identify and resolve conflicts in paths using destination path matches. We require exact matches, largely for performance reasons (we use maps to efficiently access, keyed by destination). This usually works fine, until you get mounts that are targeted at /output and /output/ - the same path, but not the same string. Use filepath.Clean() aggressively to try and solve this.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* support non-standard ssh port for remote-client (baude, 2019-09-17)

When using the remote client, users may need to specify a non-standard port for ssh connections. We can do so on the command line and within the remote-client configuration file.

Fixes: #3987

Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #4034 from rhatdan/relabel (OpenShift Merge Robot, 2019-09-17)

Add 'relabel' to --mount options

* Add 'relabel' to --mount options (Daniel J Walsh, 2019-09-16)

Currently if a user specifies a --mount option, there is no way to tell SELinux to relabel the mount point. This patch adds the relabel=shared and relabel=private options.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* Check for rootless before checking cgroups version in spec_test. (Danila Kiver, 2019-09-15)

Signed-off-by: Danila Kiver <danila.kiver@mail.ru>

* Skip spec_test for rootless envs without cgroup v2. (Danila Kiver, 2019-09-14)

Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
* Merge pull request #4006 from rhatdan/rootless (OpenShift Merge Robot, 2019-09-13)

Report errors when trying to pause rootless containers

* Report errors when trying to pause rootless containers (Daniel J Walsh, 2019-09-13)

If you are running a rootless container on cgroupV1 you can not pause the container. We need to report the proper error if this happens.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* Merge pull request #3934 from rhatdan/wait (OpenShift Merge Robot, 2019-09-13)

Podman-remote run should wait for exit code

* Podman-remote run should wait for exit code (Daniel J Walsh, 2019-09-12)

This change matches what is happening on the podman local side and should eliminate a race condition. Also exit commands on the server side should start to return to client.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Use exit code constants (Daniel J Walsh, 2019-09-12)

We have leaked the exit number codes all over the code; this patch removes the numbers to constants.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

* enhance podman network rm (baude, 2019-09-12)

When removing a podman network, we need to make sure we delete the network interface if one was ever created (by running a container). Also, when removing networks, we check if any containers are using the network. If they are, we error out unless the user provides a 'force' option which will remove the containers in question.

Signed-off-by: baude <bbaude@redhat.com>

* rootless: automatically create a systemd scope (Giuseppe Scrivano, 2019-09-12)

When running in rootless mode and using systemd as cgroup manager, create automatically a systemd scope when the user doesn't own the current cgroup.

This solves a couple of issues: on cgroup v2 it is necessary that a process, before it can be moved to a different cgroup tree, must be in a directory owned by the unprivileged user. This is not always true, e.g. when creating a session with su -l.

Closes: https://github.com/containers/libpod/issues/3937

Also, for running systemd in a container it was before necessary to specify "systemd-run --scope --user podman ...", now this is done automatically as part of this PR.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3927 from openSUSE/manager-annotations (OpenShift Merge Robot, 2019-09-11)

Add `ContainerManager` annotation to created containers

* Add `ContainerManager` annotation to created containers (Sascha Grunert, 2019-09-10)

This change adds the following annotation to every container created by podman:

```json
"Annotations": {
    "io.containers.manager": "libpod"
}
```

Target of this annotation is to indicate which project in the containers ecosystem is the major manager of a container when applications share the same storage paths. This way projects can decide if they want to manipulate the container or not.

For example, since CRI-O and podman are not using the same container library (libpod), CRI-O can skip podman containers and provide the end user more useful information.

A corresponding end-to-end test has been adapted as well.

Relates to: https://github.com/cri-o/cri-o/pull/2761

Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* Merge pull request #3581 from mheon/no_cgroups (OpenShift Merge Robot, 2019-09-11)

Support running containers without CGroups

* Add support for launching containers without CGroups (Matthew Heon, 2019-09-10)

This is mostly used with Systemd, which really wants to manage CGroups itself when managing containers via unit file.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Merge pull request #3896 from mheon/volume_lookup (OpenShift Merge Robot, 2019-09-09)

Add ability to look up volumes by unambiguous partial name

* Add function for looking up volumes by partial name (Matthew Heon, 2019-09-09)

This isn't included in Docker, but seems handy enough. Use the new API for 'volume rm' and 'volume inspect'.

Fixes #3891

Signed-off-by: Matthew Heon <matthew.heon@pm.me>

* Merge pull request #3862 from baude/networkcreate (OpenShift Merge Robot, 2019-09-09)

podman network create

* podman network create (baude, 2019-09-09)

Initial implementation of network create. We only support bridging networks with this first pass.

Signed-off-by: baude <bbaude@redhat.com>
* Fixup `util.GetRootlessConfigHomeDir` permission requirements (Christian Felder, 2019-09-09)

Do not require 0755 permissions for the ~/.config directory but require at least 0700 which should be sufficient.

The current implementation internally creates this directory with 0755 if it does not exist, but if the directory already exists with different permissions the current code returns an empty string.

Signed-off-by: Christian Felder <c.felder@fz-juelich.de>