| Commit message (Collapse) | Author | Age |
|\
| |
| | |
rootlessport: fix potential hang
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
there is a race condition where the child process is immediately
killed:
[pid 2576752] arch_prctl(0x3001 /* ARCH_??? */, 0x7ffdf612f170) = -1 EINVAL (Invalid argument)
[pid 2576752] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid 2576752] --- SIGTERM {si_signo=SIGTERM, si_code=SI_USER, si_pid=2576742, si_uid=0} ---
[pid 2576752] +++ killed by SIGTERM +++
this happens because the parent process here really means the "parent
thread".
Since there is no way of running it on the main thread,
let's skip this functionality altogether and use kill(2).
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
write to the error pipe only in case of an error. Otherwise we may
end up in a race condition in the select statement below as the read
from errChan happens before initComplete and the function returns
immediately nil.
Closes: https://github.com/containers/libpod/issues/5182
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
support device-cgroup-rule
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
fix #4876
Add `--device-cgroup-rule` to podman create and run. This enables to add device rules after the container has been created.
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
|\ \ \
| | | |
| | | | |
Fix container filters
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
container filters were being double encoded (maybe triple) which resulted in the wrong encoding representation of filters being sent by the go-bindings. Also, on the server side, Filter needed to be changed to Filter to decode properly. Finally, due to the changed return type of List Containers, the go bindings return values needed to be changed.
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
|\ \ \ \
| | | | |
| | | | | |
add pkg/seccomp
|
| | |_|/
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Add pkg/seccomp to consolidate all seccomp-policy related code which is
currently scattered across multiple packages and complicating the
creatconfig refactoring.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|/ / /
| | |
| | |
| | | |
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \ \
| | | |
| | | | |
apiv2 stream events
|
| |/ /
| | |
| | |
| | |
| | |
| | | |
the events endpoint should be stream-based. it also needed to be registered to answer and not produce 404s.
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Even after #5169, my test logs kept showing:
ERRO[0004] unable to write json: "http: request method or response status code does not allow body"
Cause: overly-helpful code trying to treat condition as an
error and include a diagnostic message. This is forbidden
per rfc2616.
This PR fixes the faulty response, as well as three others
found via:
$ ack 'Error.*NotMod' (4 hits total)
$ ack 'Error.*NoCont' (no hits)
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|\ \
| | |
| | | |
API v2: pods: fix two incorrect return codes
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
1) /pods/<X>/exists - is documented to return 204, and that's
the correct value, but until now it has been returning 200.
2) /pods/create - return 409 (conflict), not 500, when pod
already exists
Also: in WriteResponse(), if code is 204 (No Content) or 304
(Not Modified), emit the status code only but no content-type
headers nor content.
Signed-off-by: Ed Santiago <santiago@redhat.com>
|
|\ \
| | |
| | | |
v2 api: /libpod/images/{import,load,pull}
|
| | |
| | |
| | |
| | | |
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Implement the /libpod/images/import endpoint
Tested manually with curl:
curl -X POST --data-binary "@image.tar" --header "Content-Type: application/x-tar"
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Implement the /libpod/images/load endpoint.
Tested manually with curl:
curl -X POST --data-binary "@image.tar" --header "Content-Type: application/x-tar"
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Implement the /libpod/images/pull endpoint and correct the swagger docs.
The reference parameter is mandatory and must either be a
c/image/docker/reference or a reference to the "docker://" transport as
the pull endpoint is meant to only support pulling images from a
registry.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \ \
| |_|/
|/| | |
Add test cases to validate remove and list images api.
|
| |/
| |
| |
| |
| |
| |
| | |
Includes testcase to validate list image api count as we create and delete images
Include testcase to validate remove image api responses with container instance, etc.
Signed-off-by: Sujil02 <sushah@redhat.com>
|
|/
|
|
|
|
|
|
|
|
| |
consumers of the api remarked how they would prefer a more strongly typed data structure from list containers oon the libpod side of things. for example, events should be consumable and consistent timestamps. also, for the sake of compatibility, it is helpful to have the json named atttributes for Id to not be ID.
listcontainers on the libpod side no longer strongly uses the the ps cli to obtain information but we do benefit from turning on the ability to list the last X containers, something CLI does not have yet. we also flipped the bit on defaulting to truncated output in the return.
thanks to the efforts of the cockpit team to help us here.
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
When we finish building an image, we try to look up its ID by looking up
the image using the name that we were asked to assign to the image. If
we weren't asked to assign a name to the image, that would produce an
error. The BuildImage() API we're using returns the image's ID anyway,
so we can skip the lookup and just return the ID directly.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
|
|
|
|
| |
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
|\
| |
| | |
[CI:DOCS] Spec proposal
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
warning: the naming of this might change as well as the location.
this is a build on a PR from mheon from last year that proposes a shift from our current approach of creating containers based on the arbitrarily made createconfig. the new approach would be to have a specification that is detached from the podman cli. the spec could then be generated and used to make a container. this theoretically is the beginning of a long-needed refactor involving how we get from the cli -> libpod | apiv2 -> libpod with code re-use and less duplication.
the intent is to build the apiv2 container creation based on this approach only. wiring to the podman cli will happen after the fact.
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The current Libpod pkg/spec has become a victim of the better
part of three years of development that tied it extremely closely
to the current Podman CLI. Defaults are spread across multiple
places, there is no easy way to produce a CreateConfig that will
actually produce a valid container, and the logic for generating
configs has sprawled across at least three packages.
This is an initial pass at a package that generates OCI specs
that will supersede large parts of the current pkg/spec. The
CreateConfig will still exist, but will effectively turn into a
parsed CLI. This will be compiled down into the new SpecGenerator
struct, which will generate the OCI spec and Libpod create
options.
The preferred integration point for plugging into Podman's Go API
to create containers will be the new CreateConfig, as it's less
tied to Podman's command line. CRI-O, for example, will likely
tie in here.
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|\ \
| | |
| | | |
Adding test to check Tag and list images endpoints in apis.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Include testcase to validate tag api responses and check if
all the image instaces are shown list command.
Also, Update the binding process and the response
Signed-off-by: Sujil02 <sushah@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Note: this commit is merely adding swagger documentation and the golang
stubs and types for the proposed endpoints. The implementation will
follow in separate individual changes in the future.
The ultimate goal is to prevent the libpod API from exposing the rather
complex /images/create endpoint from Docker and split it into easier to
implement, use and comprehend endpoints with a more narrow focus.
# Import
Add the v2 swagger documentation for the libpod/images/import endpoint.
Note that we have intend to have separate backend and not mix it up with
load since import allows for specifying a URL instead of a local
tarball.
# Load
Complete the v2 swagger documentation for the libpod/images/load
endpoint. Note that we are accounting for future plans to be able to
load multiple images from one oci/docker archive by returning an array
of image-load responses.
Also move the (incomplete) implementation of the generic endpoint to the
corresponding package and create a stub for the libpod handler, which
will be implemented once there's an agreement on the proposed API.
# Pull
Add the v2 swagger documentation for the libpod/images/pull endpoint.
Similar to the load endpoint, we return an array since more than one
image can be pulled when the `all-tags` parameter is set.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \ \
| |_|/
|/| | |
[CI:DOCS]add apiv2 endpoints for exec
|
| |/
| |
| |
| |
| |
| |
| |
| | |
add the openapi/swagger documentation for exec. The subcommands added are create, inspect, resize, and start.
at the time of this writing, no structure is declared for the inspect response. once the libpod work for this is complete, we can inherit and swaggerize it.
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add swagger support and documentation
* Promote handler as there can only ever be one
* Update swagger tags
Between verbs and paths there are four endpoints for /_ping. I've
attempted to document them well without four copies of the details.
Time will tell.
Clients will use the headers `Libpod-API-Version` and
`Libpod-Buildha-Version` to determine if they are connecting to a Podman
service or some other compatible engine.
Client calls GET(/_ping):
* VARLINK engines will fail with error message
* Compatible engines will return 200 without Libpod headers
* Podman engines will return 200 and Libpod headers
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
|\
| |
| | |
sigproxy: return after closing the channel
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When stopping signal handling (e.g., to properly handle ^C) we are also
closing the signal channel. We should really return from the go-routine
instead of continuing and risking double-closing the channel which leads
to a panic.
Fixes: #5034
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|/
|
|
|
|
| |
the api needs to account for image input where the image is encoded as a fqd image name.
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
|\
| |
| | |
Bindingtestrootless
|
| |
| |
| |
| |
| |
| |
| | |
disable joining automatically the user namespace if the process is not
podman.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
| |
| |
| |
| | |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
Assure validate includes lint
|
| |/
| |
| |
| |
| |
| | |
Fixed issue where lint was not run on CI, so we missed to prevent regressions.
Signed-off-by: Sorin Sbarnea <ssbarnea@redhat.com>
|
|/
|
|
|
|
| |
when using the apiv2, containers names are preceeded with a /. fixing this for inspect and listcontainers.
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
|\
| |
| | |
apiv2 binding test fixes
|
| |
| |
| |
| |
| |
| | |
a recent refactor in the bindings broke the tests. quick fixes to get them working again.
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
|/
|
|
|
|
|
| |
if one of the cni conf files is badly formatted or cannot be loaded, we now display the error as well as the filename.
Fixes: #2909
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
|\
| |
| | |
honor pull policy in play kube
|
| |
| |
| |
| |
| |
| |
| |
| | |
When a container specification has a pull policy, we should honor it when recreating the pods/containers from yaml. furthermore, ini kube, if a tag is :latest, then the always pull policy is automatically instituted.
Fixes: #4880
Signed-off-by: Brent Baude <bbaude@redhat.com>
|
|\ \
| | |
| | | |
apparmor: allow receiving of signals from 'podman kill'
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
In newer kernels, AppArmor will reject attempts to send signals to a
container because the signal originated from outside of that AppArmor
profile. Correct this by allowing all unconfined signals to be received.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
|