aboutsummaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
...
* | Merge pull request #1940 from wking/numeric-gidOpenShift Merge Robot2018-12-05
|\ \ | | | | | | libpod/container_internal_linux: Allow gids that aren't in the group file
| * | pkg/lookup: Return ID-only pointers on ErrNo*EntriesW. Trevor King2018-12-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Callers that only care about the IDs should try to convert the identifier to an integer before calling the Get* functions, so they can save the cost of hitting the filesystem and maybe or maybe not finding the other fields (User.Name, etc.). But callers that *want* the other fields but only actually need the ID can, with this commit, just call the Get* function and ignore ErrNo*Entries responses: user, err := lookup.GetUser(mount, userIDorName) if err != nil && err != ErrNoPasswdEntries { return err } Previously, they'd have to perform their own integer-conversion attempt in Get* error handling, with logic like: user, err := lookup.GetUser(mount, userIDorName) if err == ErrNoPasswdEntries { uuid, err := strconv.ParseUint(userIDorName, 10, 32) if err == nil { user.Uid = int(uuid) } } else if err != nil { return err } Signed-off-by: W. Trevor King <wking@tremily.us>
* | | Merge pull request #1918 from mheon/use_db_pathsOpenShift Merge Robot2018-12-05
|\ \ \ | |/ / |/| | Use paths written in DB instead if they differ from our defaults
| * | Revert changes to GetDefaultStoreOptionsMatthew Heon2018-12-03
| | | | | | | | | | | | | | | | | | | | | | | | We don't need this for anything more than rootless work in Libpod now, but Buildah still uses it as it was originally written, so leave it intact as part of our API. Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | Fix gofmt and lintMatthew Heon2018-12-02
| | | | | | | | | | | | Signed-off-by: Matthew Heon <mheon@redhat.com>
| * | Move rootless storage config into libpodMatthew Heon2018-12-02
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | Previous commits ensured that we would use database-configured paths if not explicitly overridden. However, our runtime generation did unconditionally override storage config, which made this useless. Move rootless storage configuration setup to libpod, and change storage setup so we only override if a setting is explicitly set, so we can still override what we want. Signed-off-by: Matthew Heon <mheon@redhat.com>
* | create pod on the flybaude2018-12-03
| | | | | | | | | | | | | | | | | | | | when a user specifies --pod to podman create|run, we should create that pod automatically. the port bindings from the container are then inherited by the infra container. this signicantly improves the workflow of running containers inside pods with podman. the user is still encouraged to use podman pod create to have more granular control of the pod create options. Signed-off-by: baude <bbaude@redhat.com>
* | rootless: raise error if newuidmap/newgidmap are not installedGiuseppe Scrivano2018-12-03
|/ | | | | | | | | | it was reported on IRC that Podman on Ubuntu failed as newuidmap/newgidmap were not installed by default. Raise an error if we are not allowing single mappings (used only by the tests suite) and any of the binaries is not present. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1846 from cgwalters/netns-dns-localhostOpenShift Merge Robot2018-11-28
|\ | | | | Use host's resolv.conf if no network namespace enabled
| * Use host's resolv.conf if no network namespace enabledColin Walters2018-11-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | My host system runs Fedora Silverblue 29 and I have NetworkManager's `dns=dnsmasq` setting enabled, so my `/etc/resolv.conf` only has `127.0.0.1`. I also run my development podman containers with `--net=host` for various reasons. If we have a host network namespace, there's no reason not to just use the host's nameserver configuration either. This fixes e.g. accessing content on a VPN, and is also faster since the container is using cached DNS. I know this doesn't solve the bigger picture issue of localhost-DNS conflicting with bridged networking, but that's far more involved, probably requiring a DNS proxy in the container. This patch makes my workflow a lot nicer and was easy to write. Signed-off-by: Colin Walters <walters@verbum.org>
* | Merge pull request #1849 from giuseppe/report-rootless-netmodeOpenShift Merge Robot2018-11-28
|\ \ | | | | | | rootless: add new netmode "slirp4netns"
| * | network: allow slirp4netns mode also for root containersGiuseppe Scrivano2018-11-28
| | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | rootless: add new netmode "slirp4netns"Giuseppe Scrivano2018-11-27
| |/ | | | | | | | | | | | | | | so that inspect reports the correct network configuration. Closes: https://github.com/containers/libpod/issues/1453 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / rootless: store only subset of storage.confGiuseppe Scrivano2018-11-28
|/ | | | | | | | | do not store the entire file but only the subset of what we have modified. Also, we were not writing the correct data. Since it is not trivial to serialize storage.conf correctly and all the various supported options, serialize only what we care about. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Add history and namespaceoptions to image inspectQi Wang2018-11-26
| | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* Merge pull request #1829 from baude/enableportbindinginpodsOpenShift Merge Robot2018-11-20
|\ | | | | Allow users to expose ports from the pod to the host
| * Allow users to expose ports from the pod to the hostbaude2018-11-20
| | | | | | | | | | | | | | | | | | | | we need to allow users to expose ports to the host for the purposes of networking, like a webserver. the port exposure must be done at the time the pod is created. strictly speaking, the port exposure occurs on the infra container. Signed-off-by: baude <bbaude@redhat.com>
* | rootless: create empty mounts.conf if it doesn't existGiuseppe Scrivano2018-11-19
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | registries: check user registries file only in rootless modeGiuseppe Scrivano2018-11-19
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | rootless: create storage.conf when it doesn't existGiuseppe Scrivano2018-11-19
|/ | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #1756 from isimluk/update-dependent-metalinterOpenShift Merge Robot2018-11-16
|\ | | | | Update metalinter dependency
| * Lint: InspectImage varlink api should return errors that occurredŠimon Lukašík2018-11-10
| | | | | | | | | | | | | | | | | | Not just nil. Addressing: pkg/varlinkapi/images.go:273:15:warning: ineffectual assignment to err (ineffassign) Signed-off-by: Šimon Lukašík <slukasik@redhat.com>
* | rootless: call IsRootless just onceGiuseppe Scrivano2018-11-14
| | | | | | | | | | | | | | we are calling this function several times, it is worth to store its result and re-use it. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Better document rootless containersDaniel J Walsh2018-11-10
|/ | | | | | | | | Need to return an error pointing user in right direction if rootless podman fails, because of no /etc/subuid or /etc/subgid files. Also fix up man pages to better describe rootless podman. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* rootless: default to fuse-overlayfs when availableGiuseppe Scrivano2018-11-08
| | | | | | | | | If fuse-overlayfs is present, rootless containers default to use it. This can still be overriden either via the command line with --storage-driver or in the ~/.config/containers/storage.conf configuration file. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Don't fail if /etc/passwd or /etc/group does not existsDaniel J Walsh2018-11-07
| | | | | | | | | | | Container images can be created without passwd or group file, currently if one of these containers gets run with a --user flag the container blows up complaining about t a missing /etc/passwd file. We just need to check if the error on read is ENOEXIST then allow the read to return, not fail. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1736 from giuseppe/rootless-drop-run-postfixOpenShift Merge Robot2018-10-31
|\ | | | | rootless: do not add an additional /run to runroot
| * rootless: do not add an additional /run to runrootGiuseppe Scrivano2018-10-31
| | | | | | | | | | | | | | | | | | we are currently using something like /run/user/UID/run as runroot, as it is already done by Buildah. This ends up with /run/user/UID/run/runc for the runc directory. Change to drop the additional /run so that runc will use /run/user/UID/runc. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #1731 from afbjorklund/versionOpenShift Merge Robot2018-10-31
|\ \ | |/ |/| Fix setting of version information
| * Fix setting of version informationAnders F Björklund2018-10-31
| | | | | | | | | | | | | | It was setting the wrong variable (CamelCase) in the wrong module ("main", not "libpod")... Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>
* | Merge pull request #1715 from baude/getusergroupOpenShift Merge Robot2018-10-30
|\ \ | |/ |/| get user and group information using securejoin and runc's user library
| * get user and group information using securejoin and runc's user librarybaude2018-10-29
| | | | | | | | | | | | | | | | | | | | | | for the purposes of performance and security, we use securejoin to contstruct the root fs's path so that symlinks are what they appear to be and no pointing to something naughty. then instead of chrooting to parse /etc/passwd|/etc/group, we now use the runc user/group methods which saves us quite a bit of performance. Signed-off-by: baude <bbaude@redhat.com>
* | Change to exported name in ParseDeviceQi Wang2018-10-29
|/ | | | Signed-off-by: Qi Wang <qiwan@redhat.com>
* Add helper function to read out CRIU versionAdrian Reber2018-10-23
| | | | | | | This adds a simple CRIU version check using the vendored-in CRIU go bindings. Signed-off-by: Adrian Reber <areber@redhat.com>
* Fix man page to show info on storageDaniel J Walsh2018-10-22
| | | | | | Also fix lint errors. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Move rootless directory handling to the libpod/pkg/util directoryDaniel J Walsh2018-10-22
| | | | | | This should allow us to share this code with buildah. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Mount proper cgroup for systemd to manage inside of the container.Daniel J Walsh2018-10-15
| | | | | | | | | | | | We are still requiring oci-systemd-hook to be installed in order to run systemd within a container. This patch properly mounts /sys/fs/cgroup/systemd/libpod_parent/libpod-UUID on /sys/fs/cgroup/systemd inside of container. Since we need the UUID of the container, we needed to move Systemd to be a config option of the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Generate a passwd file for users not in containerDaniel J Walsh2018-10-12
| | | | | | | If someone runs podman as a user (uid) that is not defined in the container we want generate a passwd file so that getpwuid() will work inside of container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #1605 from mheon/syslog_cleanupOpenShift Merge Robot2018-10-11
|\ | | | | Pass along syslog variable to podman cleanup processes
| * Pass along syslog variable to podman cleanup processesMatthew Heon2018-10-11
| | | | | | | | | | | | | | | | | | As of now, there is no way to debug podman clean up processes. They are started by conmon with no stdout/stderr and log nowhere. This allows us to actually figure out what is going on when a cleanup process runs. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* | Merge pull request #1628 from giuseppe/rootless-fix-hang-on-setresuidOpenShift Merge Robot2018-10-11
|\ \ | | | | | | rootless: fix hang on startup with older glibc versions
| * | rootless: detect when user namespaces are not enabledGiuseppe Scrivano2018-10-11
| | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | rootless: report more error messages from the startup phaseGiuseppe Scrivano2018-10-11
| | | | | | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | rootless: fix an hang on older versions of setresuid/setresgidGiuseppe Scrivano2018-10-11
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the issue is caused by the Go Runtime that messes up with the process signals, overriding SIGSETXID and SIGCANCEL which are used internally by glibc. They are used to inform all the threads to update their stored uid/gid information. This causes a hang on the set*id glibc wrappers since the handler installed by glibc is never invoked. Since we are running with only one thread, we don't really need to update other threads or even the current thread as we are not using getuid/getgid before the execvp. Closes: https://github.com/containers/libpod/issues/1625 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* / Add --ip flag and plumbing into libpodMatthew Heon2018-10-11
|/ | | | | | | | | | | Add the --ip flag back with bash completions. Manpages still missing. Add plumbing to pass appropriate the appropriate option down to libpod to connect the flag to backend logic added in the previous commits. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Fix lintMatthew Heon2018-10-04
| | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Drop libnetwork vendor and move the code into pkg/Matthew Heon2018-10-04
| | | | | | | | | | | The vendoring issues with libnetwork were significant (it was dragging in massive amounts of code) and were just not worth spending the time to work through. Highly unlikely we'll ever end up needing to update this code, so move it directly into pkg/ so we don't need to vendor libnetwork. Make a few small changes to remove the need for the remainder of libnetwork. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* Merge pull request #1557 from rhatdan/systemdOpenShift Merge Robot2018-10-04
|\ | | | | Don't tmpcopyup on systemd cgroup
| * Don't tmpcopyup on systemd cgroupDaniel J Walsh2018-09-29
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | Add ContainerStateExited and OCI delete() in cleanup()Matthew Heon2018-10-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To work better with Kata containers, we need to delete() from the OCI runtime as a part of cleanup, to ensure resources aren't retained longer than they need to be. To enable this, we need to add a new state to containers, ContainerStateExited. Containers transition from ContainerStateStopped to ContainerStateExited via cleanupRuntime which is invoked as part of cleanup(). A container in the Exited state is identical to Stopped, except it has been removed from the OCI runtime and thus will be handled differently when initializing the container. Signed-off-by: Matthew Heon <matthew.heon@gmail.com>