aboutsummaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* Merge pull request #3786 from giuseppe/fix-rootless-checksOpenShift Merge Robot2019-08-12
|\ | | | | rootless: drop some superflous checks
| * storage: drop unused geteuid checkGiuseppe Scrivano2019-08-12
| | | | | | | | | | | | it is always running with euid==0 at this point. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | build: use the configured runtimeGiuseppe Scrivano2019-08-11
|/ | | | | | | | Now buildah honors the runtime configured with podman. Closes: https://github.com/giuseppe/crun/issues/69 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #3782 from eriksjolund/fix_realloc_in_rootless_linux.cOpenShift Merge Robot2019-08-11
|\ | | | | Fix incorrect use of realloc()
| * Fix incorrect use of realloc()Erik Sjölund2019-08-11
| | | | | | | | Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
* | Adjust read count so that a newline can be added afterwardsErik Sjölund2019-08-11
|/ | | | Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
* Merge pull request #3748 from rhatdan/covscanOpenShift Merge Robot2019-08-10
|\ | | | | Fix a couple of errors descovered by coverity
| * Fix a couple of errors descovered by coverityDaniel J Walsh2019-08-09
| | | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | enable windows remote clientbaude2019-08-08
|/ | | | | | | | | rework an error path so that users can run the windows remote client. also, create the basedir path for the podman-remote.conf file if it does not exist already. Signed-off-by: baude <bbaude@redhat.com>
* Merge pull request #3744 from mheon/fix_commandOpenShift Merge Robot2019-08-08
|\ | | | | When populating CMD, do not include Entrypoint
| * When populating CMD, do not include EntrypointMatthew Heon2019-08-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, we use CreateConfig's Command to populate container Command (which is used as CMD for Inspect and Commit). Unfortunately, CreateConfig's Command is the container's full command, including a prepend of Entrypoint - so we duplicate Entrypoint for images that include it. Maintain a separate UserCommand in CreateConfig that does not include the entrypoint, and use that instead. Fixes #3708 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | Merge pull request #3738 from mheon/mount_opts_boolsOpenShift Merge Robot2019-08-08
|\ \ | | | | | | Allow --ro=[true|false] with mount flag
| * | Allow --ro=[true|false] with mount flagMatthew Heon2019-08-07
| |/ | | | | | | | | | | | | | | | | | | | | The 'podman run --mount' flag previously allowed the 'ro' option to be specified, but was missing the ability to set it to a bool (as is allowed by docker). Add that. While we're at it, allow setting 'rw' explicitly as well. Fixes #2980 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | namespaces: fix Container() callPeter Hunt2019-08-07
| | | | | | | | | | | | | | If we call Container(), we expect the namespace to be prefixed with "container:". Add this check, and refactor to use named const strings instead of string literals Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | refer to container whose namespace we sharePeter Hunt2019-08-07
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | Properly share UTS namespaces in a podPeter Hunt2019-08-07
|/ | | | | | Sharing a UTS namespace means sharing the hostname. Fix situations where a container in a pod didn't properly share the hostname of the pod. Signed-off-by: Peter Hunt <pehunt@redhat.com>
* Merge pull request #3736 from baude/revertOpenShift Merge Robot2019-08-06
|\ | | | | Revert "rootless: Rearrange setup of rootless containers"
| * Revert "rootless: Rearrange setup of rootless containers"baude2019-08-06
| | | | | | | | | | | | This reverts commit 80dcd4bebcdc8e280f6b43228561d09c194c328b. Signed-off-by: baude <bbaude@redhat.com>
* | Merge pull request #3466 from TomSweeneyRedHat/dev/tsweeney/myhomeOpenShift Merge Robot2019-08-06
|\ \ | |/ |/| Touch up XDG, add rootless links
| * Touch up XDG, add rootless linksTomSweeneyRedHat2019-07-29
| | | | | | | | | | | | | | | | | | | | | | Touch up a number of formating issues for XDG_RUNTIME_DIRS in a number of man pages. Make use of the XDG_CONFIG_HOME environment variable in a rootless environment if available, or set it if not. Also added a number of links to the Rootless Podman config page and added the location of the auth.json files to that doc. Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* | Merge pull request #3716 from baude/varlinkfixes2OpenShift Merge Robot2019-08-05
|\ \ | | | | | | various fixes for varlink endpoints
| * | various fixes for varlink endpointsbaude2019-08-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | when using build, require a "more" connection to get logs. when pulling a non-existent image, do not crash varlink connection. Fixes: #3714 Fixes: #3715 Signed-off-by: baude <bbaude@redhat.com>
* | | Merge pull request #3690 from adrianreber/ignore-static-ipOpenShift Merge Robot2019-08-05
|\ \ \ | | | | | | | | restore: added --ignore-static-ip option
| * | | restore: added --ignore-static-ip optionAdrian Reber2019-08-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If a container is restored multiple times from an exported checkpoint with the help of '--import --name', the restore will fail if during 'podman run' a static container IP was set with '--ip'. The user can tell the restore process to ignore the static IP with '--ignore-static-ip'. Signed-off-by: Adrian Reber <areber@redhat.com>
* | | | Merge pull request #3171 from QiWang19/events_jsonOpenShift Merge Robot2019-08-05
|\ \ \ \ | | | | | | | | | | podman events format json
| * | | | podman events format jsonQi Wang2019-08-02
| | |/ / | |/| | | | | | | | | | | | | | | | | | Enable podman events to format the output as jsonline Signed-off-by: Qi Wang <qiwan@redhat.com>
* | | | Merge pull request #3691 from baude/infoeventloggerOpenShift Merge Robot2019-08-05
|\ \ \ \ | | | | | | | | | | add eventlogger to info
| * | | | add eventlogger to infobaude2019-08-02
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | to help with future debugging, we now display the type of event logger being used inside podman info -> host. Signed-off-by: baude <bbaude@redhat.com>
* | | | Merge pull request #3310 from gabibeyer/rootlessKataOpenShift Merge Robot2019-08-05
|\ \ \ \ | | | | | | | | | | rootless: Rearrange setup of rootless containers ***CIRRUS: TEST IMAGES***
| * | | | rootless: Rearrange setup of rootless containersGabi Beyer2019-07-30
| | |_|/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In order to run Podman with VM-based runtimes unprivileged, the network must be set up prior to the container creation. Therefore this commit modifies Podman to run rootless containers by: 1. create a network namespace 2. pass the netns persistent mount path to the slirp4netns to create the tap inferface 3. pass the netns path to the OCI spec, so the runtime can enter the netns Closes #2897 Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
* | | | Don't log errors to the screen when XDG_RUNTIME_DIR is not setDaniel J Walsh2019-08-04
| |/ / |/| | | | | | | | | | | | | | | | | | | | Drop errors to debug when trying to setup the runtimetmpdir. If the tool can not setup a runtime dir, it will error out with a correct message no need to put errors on the screen, when the tool actually succeeds. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #3692 from haircommander/play-capsOpenShift Merge Robot2019-08-02
|\ \ \ | | | | | | | | Add Capability support to play kube
| * | | Add capability functionality to play kubePeter Hunt2019-08-01
| | |/ | |/| | | | | | | | | | | | | | | | Take capabilities written in a kube and add to a container adapt test suite and write cap-add/drop tests Signed-off-by: Peter Hunt <pehunt@redhat.com>
* | | Merge pull request #3551 from mheon/fix_memory_leakOpenShift Merge Robot2019-08-02
|\ \ \ | | | | | | | | Fix memory leak with exit files
| * | | Pass on events-backend config to cleanup processesMatthew Heon2019-08-01
| | | | | | | | | | | | | | | | Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | | Retrieve exit codes for containers via eventsMatthew Heon2019-07-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As we previously removed our exit code retrieval code to stop a memory leak, we need a new way of doing this. Fortunately, events is able to do the job for us. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
| * | | podman: fix memleak caused by renaming and not deletingMatthew Heon2019-07-31
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the exit file If the container exit code needs to be retained, it cannot be retained in tmpfs, because libpod runs in a memcg itself so it can't leave traces with a daemon-less design. This wasn't a memleak detectable by kmemleak for example. The kernel never lost track of the memory and there was no erroneous refcounting either. The reference count dependencies however are not easy to track because when a refcount is increased, there's no way to tell who's still holding the reference. In this case it was a single page of tmpfs pagecache holding a refcount that kept pinned a whole hierarchy of dying memcg, slab kmem, cgropups, unrechable kernfs nodes and the respective dentries and inodes. Such a problem wouldn't happen if the exit file was stored in a regular filesystem because the pagecache could be reclaimed in such case under memory pressure. The tmpfs page can be swapped out, but that's not enough to release the memcg with CONFIG_MEMCG_SWAP_ENABLED=y. No amount of more aggressive kernel slab shrinking could have solved this. Not even assigning slab kmem of dying cgroups to alive cgroup would fully solve this. The only way to free the memory of a dying cgroup when a struct page still references it, would be to loop over all "struct page" in the kernel to find which one is associated with the dying cgroup which is a O(N) operation (where N is the number of pages and can reach billions). Linking all the tmpfs pages to the memcg would cost less during memcg offlining, but it would waste lots of memory and CPU globally. So this can't be optimized in the kernel. A cronjob running this command can act as workaround and will allow all slab cache to be released, not just the single tmpfs pages. rm -f /run/libpod/exits/* This patch solved the memleak with a reproducer, booting with cgroup.memory=nokmem and with selinux disabled. The reason memcg kmem and selinux were disabled for testing of this fix, is because kmem greatly decreases the kernel effectiveness in reusing partial slab objects. cgroup.memory=nokmem is strongly recommended at least for workstation usage. selinux needs to be further analyzed because it causes further slab allocations. The upstream podman commit used for testing is 1fe2965e4f672674f7b66648e9973a0ed5434bb4 (v1.4.4). The upstream kernel commit used for testing is f16fea666898dbdd7812ce94068c76da3e3fcf1e (v5.2-rc6). Reported-by: Michele Baldessari <michele@redhat.com> Signed-off-by: Andrea Arcangeli <aarcange@redhat.com> <Applied with small tweaks to comments> Signed-off-by: Matthew Heon <matthew.heon@pm.me>
* | | Merge pull request #3458 from rhatdan/volumeOpenShift Merge Robot2019-08-01
|\ \ \ | |_|/ |/| | Use buildah/pkg/parse volume parsing rather then internal version
| * | Use buildah/pkg/parse volume parsing rather then internal versionDaniel J Walsh2019-08-01
| | | | | | | | | | | | | | | | | | | | | We share this code with buildah, so we should eliminate the podman version. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* | | Merge pull request #3341 from rhatdan/exitOpenShift Merge Robot2019-08-01
|\ \ \ | |/ / |/| | Add new exit codes to rm & rmi for running containers & dependencies
| * | Add new exit codes to rm & rmi for running containers & dependenciesDaniel J Walsh2019-08-01
| |/ | | | | | | | | | | | | | | | | | | | | | | This enables programs and scripts wrapping the podman command to handle 'podman rm' and 'podman rmi' failures caused by paused or running containers or due to images having other child images or dependent containers. These errors are common enough that it makes sense to have a more machine readable way of detecting them than parsing the standard error output. Signed-off-by: Ondrej Zoder <ozoder@redhat.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* / Vendor in buildah 1.9.2Daniel J Walsh2019-07-30
|/ | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Merge pull request #3639 from giuseppe/user-ns-containerOpenShift Merge Robot2019-07-26
|\ | | | | podman: support --userns=ns|container
| * podman: support --userns=ns|containerGiuseppe Scrivano2019-07-25
| | | | | | | | | | | | | | | | allow to join the user namespace of another container. Closes: https://github.com/containers/libpod/issues/3629 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * pods: do not to join a userns if there is not anyGiuseppe Scrivano2019-07-25
| | | | | | | | | | | | | | do not attempt to join the user namespace if the pod is running in the host user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Improved hooks monitoringsamc242019-07-25
|/ | | | | | | | | | | | | ...to work for specific edge cases with a simpler solution. Re-reads hooks directories after any changes are detected by the watchers. Added monitoring test for adding a different invalid hook to primary directory. Some issues with prior code: - ReadDir would stop when it encounters an invalid hook, rather than registering an error but continuing to read the valid hook. - Wouldn’t account for Rename and Chmod events. - After doing a mv of the hooks file instead of rm, it would still think the hooks file is in the directory, but it has been moved to another location. - If a hook file was renamed, it would register the renamed file as a separate hook and not delete the original, so it would then execute the hook twice - once for the renamed file, and once for the original name which it did not delete. Signed-off-by: samc24 <sam.chaturvedi24@gmail.com>
* Merge pull request #3624 from haircommander/conmon-exec-with-remote-execOpenShift Merge Robot2019-07-24
|\ | | | | Add remote exec
| * refactor to reduce duplicated error parsingPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * remove debug printsPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>
| * always send generic error in case io failsPeter Hunt2019-07-23
| | | | | | | | Signed-off-by: Peter Hunt <pehunt@redhat.com>