summaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Ensure that `podman play kube` actually reports errorsMatthew Heon2021-01-11
| | | | | | | | | | | | | | | | | | | | | In 2.2.x, we moved `play kube` to use the Start() API for pods, which reported errors in a different way (all containers are started in parallel, and then results reported as a block). The migration attempted to preserve compatibility by returning only one error, but that's not really a viable option as it can obscure the real reason that a pod is failing. Further, the code was not correctly handling the API's errors - Pod Start() will, on any container error, return a map of container ID to error populated for all container errors *and* return ErrPodPartialFail for overall error - the existing code did not handle the partial failure error and thus would never return container errors. Refactor the `play kube` API to include a set of errors for containers in each pod, so we can return all errors that occurred to the frontend and print them for the user, and correct the backend code so container errors are actually forwarded. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* Merge pull request #8781 from rst0git/cr-volumesOpenShift Merge Robot2021-01-08
|\ | | | | Add support for checkpoint/restore of containers with volumes
| * Include named volumes in container migrationRadostin Stoyanov2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When migrating a container with associated volumes, the content of these volumes should be made available on the destination machine. This patch enables container checkpoint/restore with named volumes by including the content of volumes in checkpoint file. On restore, volumes associated with container are created and their content is restored. The --ignore-volumes option is introduced to disable this feature. Example: # podman container checkpoint --export checkpoint.tar.gz <container> The content of all volumes associated with the container are included in `checkpoint.tar.gz` # podman container checkpoint --export checkpoint.tar.gz --ignore-volumes <container> The content of volumes is not included in `checkpoint.tar.gz`. This is useful, for example, when the checkpoint/restore is performed on the same machine. # podman container restore --import checkpoint.tar.gz The associated volumes will be created and their content will be restored. Podman will exit with an error if volumes with the same name already exist on the system or the content of volumes is not included in checkpoint.tar.gz # podman container restore --ignore-volumes --import checkpoint.tar.gz Volumes associated with container must already exist. Podman will not create them or restore their content. Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
| * Use Options as CRImportCheckpoint() argumentRadostin Stoyanov2021-01-07
| | | | | | | | | | | | | | | | | | Instead of specifying restore option arguments individually from RestoreOptions, provide the 'options' object to the CRImportCheckpoint method. This change makes the code in CRImportCheckpoint easier to extend as it doesn't require excessive number of function parameters. Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
* | Restore compatible API for prune endpointsJhon Honce2021-01-07
| | | | | | | | | | | | | | | | | | | | | | * Restore correct API endpoint payloads including reclaimed space numbers * Include tests for API prune endpoints * Clean up function signatures with unused parameters * Update swagger for /networks/prune Fixes #8891 Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | Merge pull request #8907 from Luap99/fix-mips-buildOpenShift Merge Robot2021-01-07
|\ \ | | | | | | Fix build for mips architecture follow-up
| * | Fix build for mips architecture follow-upPaul Holzinger2021-01-07
| |/ | | | | | | | | | | | | | | Follow-up to commit (1ad796677e1c). The build on mips is still failing because SIGWINCH was not defined in the signal pkg. Also stat_t.Rdev is unit32 on mips so we need to typecast. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* | Merge pull request #8771 from rhatdan/runOpenShift Merge Robot2021-01-07
|\ \ | | | | | | Switch references of /var/run -> /run
| * | Switch references of /var/run -> /runDaniel J Walsh2021-01-07
| |/ | | | | | | | | | | | | | | | | | | Systemd is now complaining or mentioning /var/run as a legacy directory. It has been many years where /var/run is a symlink to /run on all most distributions, make the change to the default. Partial fix for https://github.com/containers/podman/issues/8369 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Merge pull request #8821 from rhatdan/capsOpenShift Merge Robot2021-01-07
|\ \ | | | | | | Containers should not get inheritable caps by default
| * | Containers should not get inheritable caps by defaultDaniel J Walsh2021-01-07
| |/ | | | | | | | | | | | | | | | | | | | | | | When I launch a container with --userns=keep-id the rootless processes should have no caps by default even if I launch the container with --privileged. It should only get the caps if I specify by hand the caps I want leaked to the process. Currently we turn off capeff and capamb, but not capinh. This patch treats capinh the same way as capeff and capamb. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | rootless: automatically split userns rangesGiuseppe Scrivano2021-01-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | writing to the id map fails when an extent overlaps multiple mappings in the parent user namespace: $ cat /proc/self/uid_map 0 1000 1 1 100000 65536 $ unshare -U sleep 100 & [1] 1029703 $ printf "0 0 100\n" | tee /proc/$!/uid_map 0 0 100 tee: /proc/1029703/uid_map: Operation not permitted This limitation is particularly annoying when working with rootless containers as each container runs in the rootless user namespace, so a command like: $ podman run --uidmap 0:0:2 --rm fedora echo hi Error: writing file `/proc/664087/gid_map`: Operation not permitted: OCI permission denied would fail since the specified mapping overlaps the first mapping (where the user id is mapped to root) and the second extent with the additional IDs available. Detect such cases and automatically split the specified mapping with the equivalent of: $ podman run --uidmap 0:0:1 --uidmap 1:1:1 --rm fedora echo hi hi A fix has already been proposed for the kernel[1], but even if it accepted it will take time until it is available in a released kernel, so fix it also in pkg/rootless. [1] https://lkml.kernel.org/lkml/20201203150252.1229077-1-gscrivan@redhat.com/ Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | rootless: add function to retrieve uid mappingsGiuseppe Scrivano2021-01-07
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | rootless: add function to retrieve gid mappingsGiuseppe Scrivano2021-01-07
|/ | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #8892 from mheon/fix_8886OpenShift Merge Robot2021-01-06
|\ | | | | Ensure that user-specified HOSTNAME is honored
| * Ensure that user-specified HOSTNAME is honoredMatthew Heon2021-01-06
| | | | | | | | | | | | | | | | | | | | | | When adding the HOSTNAME environment variable, only do so if it is not already present in the spec. If it is already present, it was likely added by the user, and we should honor their requested value. Fixes #8886 Signed-off-by: Matthew Heon <mheon@redhat.com>
* | Merge pull request #8685 from mheon/ignore_containersconf_sysctls_shared_netOpenShift Merge Robot2021-01-05
|\ \ | | | | | | Ignore containers.conf sysctls when sharing namespaces
| * | Ignore containers.conf sysctls when sharing namespacesMatthew Heon2020-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The existing code prevents containers.conf default sysctls from being added if the container uses a host namespace. This patch expands that to not just host namespaces, but also *shared* namespaces - so we never modify another container's (or a pod's) namespaces without being explicitly directed to do so by the user. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | | Merge pull request #8889 from vrothberg/run-1138OpenShift Merge Robot2021-01-05
|\ \ \ | | | | | | | | generate systemd: do not set `KillMode`
| * | | generate systemd: do not set `KillMode`Valentin Rothberg2021-01-05
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `KillMode=none` has been deprecated in systemd and is now throwing big warnings when being used. Users have reported the issues upstream (see #8615) and on the mailing list. This deprecation was mainly motivated by an abusive use of third-party vendors causing all kinds of undesired side-effects. For instance, busy mounts that delay reboot. After talking to the systemd team, we came up with the following plan: **Short term**: we can use TimeoutStopSec and remove KillMode=none which will default to cgroup. **Long term**: we want to change the type to sdnotify. The plumbing for Podman is done but we need it for conmon. Once sdnotify is working, we can get rid of the pidfile handling etc. and let Podman handle it. Michal Seklatar came up with a nice idea that Podman increase the time out on demand. That's a much cleaner way than hard-coding the time out in the unit as suggest in the short-term solution. This change is executing the short-term plan and sets a minimum timeout of 60 seconds. User-specified timeouts are added to that. Fixes: #8615 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #8831 from bblenard/issue-8658-system-prune-reclaimed-spaceOpenShift Merge Robot2021-01-05
|\ \ \ | |/ / |/| | Rework pruning to report reclaimed space
| * | Rework pruning to report reclaimed spaceBaron Lenardson2020-12-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change adds code to report the reclaimed space after a prune. Reclaimed space from volumes, images, and containers is recorded during the prune call in a PruneReport struct. These structs are collected into a slice during a system prune and processed afterwards to calculate the total reclaimed space. Closes #8658 Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
* | | libpod API: pull: fix channel raceValentin Rothberg2021-01-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | Fix a race condition in the pull endpoint caused by buffered channels. Using buffered channels can lead to the context's cancel function to be executed prior to the items being read from the channel. Fixes: #8870 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | Merge pull request #8863 from mgoltzsche/fix_seccomp_when_privilegedOpenShift Merge Robot2021-01-04
|\ \ \ | | | | | | | | Disable seccomp by default when creating a privileged container.
| * | | fix: disable seccomp by default when privileged.Max Goltzsche2021-01-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When running a privileged container and `SeccompProfilePath` is empty no seccomp profile should be applied. (Previously this was the case only if `SeccompProfilePath` was set to a non-empty default path.) Closes #8849 Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
* | | | Compat api containers/json add support for filtersPaul Holzinger2021-01-01
|/ / / | | | | | | | | | | | | | | | Fixes #8860 Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* / / Expose Height/Width fields to decoderJhon Honce2020-12-30
|/ / | | | | | | | | | | Fixes #7102 Signed-off-by: Jhon Honce <jhonce@redhat.com>
* | Consolidate filter logic to pkg subdirectoryBaron Lenardson2020-12-24
| | | | | | | | | | | | | | Per the conversation on pull/8724 I am consolidating filter logic and helper functions under the pkg/domain/filters dir. Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
* | Refactor kube.ToSpecGen parameters to structBenedikt Ziemons2020-12-23
| | | | | | | | | | | | | | Create kube.CtrSpecGenOptions and document parameters. Follow-up on https://github.com/containers/podman/pull/8792#discussion_r546673758 Signed-off-by: Benedikt Ziemons <ben@rs485.network>
* | Merge pull request #8792 from bziemons/patch-host-network-spec-8790OpenShift Merge Robot2020-12-23
|\ \ | | | | | | Set NetNS mode instead of value
| * | Set NetNS mode instead of valueBenedikt Ziemons2020-12-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when HostNetwork is true in the pod spec. Also propagate whether host network namespace should be used for containers. Add test for HostNetwork setting in kubeYaml. The infra configuration should reflect the setting. Signed-off-by: Benedikt Ziemons <ben@rs485.network>
* | | add --cidfile to container killbaude2020-12-23
|/ / | | | | | | | | | | | | | | | | Add the ability to read container ids from one or more files for the kill command. Fixes: #8443 Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #8787 from jsoref/spellingOpenShift Merge Robot2020-12-23
|\ \ | | | | | | Spelling
| * | SpellingJosh Soref2020-12-22
| | | | | | | | | | | | Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* | | Merge pull request #8793 from zhangguanzhang/vol-opOpenShift Merge Robot2020-12-23
|\ \ \ | | | | | | | | Fix missing options in volume's display while setting uid and gid
| * | | Fix missing options in volumes display while setting uid and gidzhangguanzhang2020-12-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ``` $ podman volume create testvol --opt o=uid=1001,gid=1001 $ ./bin/podman volume create testvol2 --opt o=uid=1001,gid=1001 $ podman volume inspect testvol "Options": {}, $ podman volume inspect testvol2 "Options": { "GID": "1001", "UID": "1001", "o": "uid=1001,gid=1001" }, ``` Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
* | | | Merge pull request #8804 from baude/issue8512Daniel J Walsh2020-12-23
|\ \ \ \ | | | | | | | | | | add pod filter for ps
| * | | | add pod filter for psbaude2020-12-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | adds the ability to filter containers based on the filter "pod". the value can be a pod name or its full or partial id. Fixes: #8512 Signed-off-by: baude <bbaude@redhat.com>
* | | | | play kube: fix args/command handlingPeter Hunt2020-12-22
| |_|/ / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when neither yaml.Args nor yaml.Command are specified, we should use the entrypoint and cmd from the image. update the tests to cover this and another case (both args and command are specified). use the registry image instead of redis, as it has both an entrypoint and command specified. update the documentation around this handling to hopefully prevent regressions and confusion. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | | Merge pull request #8724 from bblenard/support-volume-filters-in-system-pruneOpenShift Merge Robot2020-12-22
|\ \ \ \ | | | | | | | | | | Add volume filters to system prune
| * | | | Add volume filters to system pruneBaron Lenardson2020-12-21
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change was missed in pull/8689. Now that volume pruneing supports filters system pruneing can pass its filters down to the volume pruneing. Additionally this change adds tests for the following components * podman system prune subcommand with `--volumes` & `--filter` options * apiv2 api tests for `/system/` and `/libpod/system` endpoints Relates to #8453, #8672 Signed-off-by: Baron Lenardson <lenardson.baron@gmail.com>
* | | | Merge pull request #8797 from Luap99/fix-mips-buildOpenShift Merge Robot2020-12-22
|\ \ \ \ | |_|/ / |/| | | Fix build for mips architecture
| * | | Fix build for mips architecturePaul Holzinger2020-12-21
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | The signal SIGSTKFLT does not exists on mips architectures. Also RTMIN and RTMAX are different. This code is copied from docker. Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* / / podman v3 container bindingsbaude2020-12-21
|/ / | | | | | | | | | | | | convert the golang container bindings to all use options so that changes in the future are more managable. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #8747 from vrothberg/run-950OpenShift Merge Robot2020-12-18
|\ \ | | | | | | remote copy
| * | remote copyValentin Rothberg2020-12-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Implement `podman-remote cp` and break out the logic from the previously added `pkg/copy` into it's basic building blocks and move them up into the `ContainerEngine` interface and `cmd/podman`. The `--pause` and `--extract` flags are now deprecated and turned into nops. Note that this commit is vendoring a non-release version of Buildah to pull in updates to the copier package. Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
* | | podman v3 pod bindingsbaude2020-12-17
|/ / | | | | | | | | | | add options to each pod binding for future wiggle room Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #8752 from baude/bindings3volumesOpenShift Merge Robot2020-12-17
|\ \ | | | | | | misc bindings to podman v3
| * | misc bindings to podman v3baude2020-12-17
| | | | | | | | | | | | | | | | | | | | | manifest, system, info, volumes, play, and generate bindings are updated to always have binding options. Signed-off-by: baude <bbaude@redhat.com>
* | | Docker compat API - /images/search returns wrong structure (#7857)Milivoje Legenovic2020-12-17
|/ / | | | | | | Signed-off-by: Milivoje Legenovic <m.legenovic@gmail.com>