aboutsummaryrefslogtreecommitdiff
path: root/pkg
Commit message (Collapse)AuthorAge
* chrootuser: default to GID 0 when given a numeric --userNalin Dahyabhai2018-05-17
| | | | | | | | | | | | | | | When we're given a numeric --user value, default to GID 0 if the numeric ID doesn't correspond to a user entry in /etc/passwd that can provide us with the user's primary group ID. Make sure that GetAdditionalGroupsForUser() returns wrapped errors. Also test various user:group forms. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #728 Approved by: mheon
* implement varlink commitbaude2018-05-15
| | | | | | | Signed-off-by: baude <bbaude@redhat.com> Closes: #762 Approved by: baude
* hooks: Add package support for extension stagesW. Trevor King2018-05-14
| | | | | | | | | | | | | We aren't consuming this yet, but these pkg/hooks changes lay the groundwork for future libpod changes to support post-exit hooks [1,2]. [1]: https://github.com/projectatomic/libpod/issues/730 [2]: https://github.com/opencontainers/runc/issues/1797 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #758 Approved by: rhatdan
* hooks: Order injection by collated JSON filenameW. Trevor King2018-05-11
| | | | | | | | | | | | | | | | | | | | | | | We also considered ordering with sort.Strings, but Matthew rejected that because it uses a byte-by-byte UTF-8 comparison [1] which would fail many language-specific conventions [2]. There's some more discussion of the localeToLanguage mapping in [3]. Currently language.Parse does not handle either 'C' or 'POSIX', returning: und, language: tag is not well-formed for both. [1]: https://github.com/projectatomic/libpod/pull/686#issuecomment-387914358 [2]: https://en.wikipedia.org/wiki/Alphabetical_order#Language-specific_conventions [3]: https://github.com/golang/go/issues/25340 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #686 Approved by: mheon
* hooks/read: Ignore IsNotExist for JSON files in ReadDirW. Trevor King2018-05-11
| | | | | | | | | | | | | | | If a .json file existed when we called ioutil.ReadDir but that file has been removed by the time we get around to calling Read on it, silently ignore the file. Iterating through all the files in the directory shouldn't take particularly long, so this is an unlikely corner case. And when it happens, silently ignoring the file gives the same outcome as you'd have gotten if the parallel remove had happened slightly earlier before the ioutil.ReadDir call. Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #686 Approved by: mheon
* pkg/hooks: Version the hook structure and add 1.0.0 hooksW. Trevor King2018-05-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This shifts the matching logic out of libpod/container_internal and into the hook package, where we can reuse it after vendoring into CRI-O. It also adds unit tests with almost-complete coverage. Now libpod is even more isolated from the hook internals, which makes it fairly straightforward to bump the hook config file to 1.0.0. I've dubbed the old format 0.1.0, although it doesn't specify an explicit version. Motivation for some of my changes with 1.0.0: * Add an explicit version field. This will make any future JSON structure migrations more straightforward by avoiding the need for version-guessing heuristics. * Collect the matching properties in a new When sub-structure. This makes the root Hook structure easier to understand, because you don't have to read over all the matching properties when wrapping your head around Hook. * Replace the old 'hook' and 'arguments' with a direct embedding of the runtime-spec's hook structure. This provides access to additional upstream properties (args[0], env, and timeout) and avoids the complication of a CRI-O-specific analog structure. * Add a 'when.always' property. You can usually accomplish this effect in another way (e.g. when.commands = [".*"]), but having a boolean explicitly for this use-case makes for easier reading and writing. * Replace the previous annotations array with an annotations map. The 0.1.0 approach matched only the values regardless of key, and that seems unreliable. * Replace 'cmds' with 'when.commands', because while there are a few ways to abbreviate "commands", there's only one way to write it out in full ;). This gives folks one less thing to remember when writing hook JSON. * Replace the old "inject if any specified condition matches" with "inject if all specified conditions match". This allows for more precise targeting. Users that need more generous targeting can recover the previous behavior by creating a separate 1.0.0 hook file for each specified 0.1.0 condition. I've added doc-compat support for the various pluralizations of the 0.1.0 properties. Previously, the docs and code were not in agreement. More on this particular facet in [1]. I've updated the docs to point out that the annotations being matched are the OCI config annotations. This differs from CRI-O, where the annotations used are the Kubernetes-supplied annotations [2,3]. For example, io.kubernetes.cri-o.Volumes [4] is part of CRI-O's runtime config annotations [5], but not part of the Kubernetes-supplied annotations CRI-O uses for matching hooks. The Monitor method supports the CRI-O use-case [6]. podman doesn't need it directly, but CRI-O will need it when we vendor this package there. I've used nvidia-container-runtime-hook for the annotation examples because Dan mentioned the Nvidia folks as the motivation behind annotation matching. The environment variables are documented in [7]. The 0.1.0 hook config, which does not allow for environment variables, only works because runc currently leaks the host environment into the hooks [8]. I haven't been able to find documentation for their usual annotation trigger or hook-install path, so I'm just guessing there. [1]: https://github.com/kubernetes-incubator/cri-o/pull/1235 [2]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L760 [3]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L772 [4]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/pkg/annotations/annotations.go#L97-L98 [5]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L830-L834 [6]: https://github.com/kubernetes-incubator/cri-o/pull/1345/ [7]: https://github.com/NVIDIA/nvidia-container-runtime/tree/v1.3.0-1#environment-variables-oci-spec [8]: https://github.com/opencontainers/runc/pull/1738 Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #686 Approved by: mheon
* Fix varlink remove image forcebaude2018-05-11
| | | | | | | | | | | | | Fixes a bug where the force bool was being ignored when deleting images via the varlink interface. Also, minor fix to the docs to add a line break between methods and types in the doc index. Signed-off-by: baude <bbaude@redhat.com> Closes: #753 Approved by: rhatdan
* varlink infobaude2018-05-11
| | | | | | | | | | The varlinfo info returns the same information as podman info but always includes the so-called debug information. Signed-off-by: baude <bbaude@redhat.com> Closes: #745 Approved by: baude
* Dont eat the pull error message for varlinkbaude2018-05-10
| | | | | | | | | When using varlink to pull an image, we should expose the actual error to the caller. Signed-off-by: baude <bbaude@redhat.com> Closes: #744 Approved by: rhatdan
* podman push should honor registries.confbaude2018-05-10
| | | | | | | | | | | Like podman pull, when you push an image, podman should check if the registry is listed as insecure and if so, it should --tls-verify=false unless the user overrides this. Signed-off-by: baude <bbaude@redhat.com> Closes: #738 Approved by: mheon
* Generate varlink API documentation automaticallybaude2018-05-08
| | | | | | | | | | Using varlink's idl parser, we generate API documentation for the podman API relying on the .varlink file as the source. Signed-off-by: baude <bbaude@redhat.com> Closes: #734 Approved by: baude
* Allow streaming on some varlink container methodsbaude2018-05-08
| | | | | | | | | | | | | | | The following methods should support streaming requests from the client: * GetContainerLogs A reference for a python stream implementation can be found here: https://github.com/varlink/python/blob/master/varlink/tests/test_orgexamplemore.py#L29-L42 Signed-off-by: baude <bbaude@redhat.com> Closes: #724 Approved by: mheon
* podman, userNS: configure an intermediate mount namespaceGiuseppe Scrivano2018-05-04
| | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #690 Approved by: mheon
* Begin wiring in USERNS Support into podmanDaniel J Walsh2018-05-04
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #690 Approved by: mheon
* varlink containersbaude2018-05-03
| | | | | | | | | | | | | first pass at adding in the container related endpoints/methods for the libpod backend. Couple of important notes: * endpoints that can use a console are not going to be done until we have "remote" console * several of the container methods should probably be able to stream as opposed to a one-off return Signed-off-by: baude <bbaude@redhat.com> Closes: #708 Approved by: baude
* fix typos in the inspect json structsbaude2018-05-02
| | | | | | | | | Resolves: #633 Signed-off-by: baude <bbaude@redhat.com> Closes: #710 Approved by: rhatdan
* Fix misc stuff found by jhoncebaude2018-04-30
| | | | | | | | | | | During the python client implementation, jhonce found some return types that needed correction as well as a panic related to history which is now corrected. Signed-off-by: baude <bbaude@redhat.com> Closes: #704 Approved by: rhatdan
* Use buildah commit and bud in podmanbaude2018-04-27
| | | | | | | | | | | Vendor in buildah and use as much of commit and bug as possible for podman build and commit. Resolves #586 Signed-off-by: baude <bbaude@redhat.com> Closes: #681 Approved by: mheon
* Modify secrets pkgumohnani82018-04-27
| | | | | | | | | | | Made a mistake in my earlier patch. I though that if you add an empty string to an array, the length of the array would still be 0... Realised this when vendoring the secrets pkg into cri-o. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #685 Approved by: mheon
* varlink imagesbaude2018-04-26
| | | | | | | | | | | | | implement varlink image functions for working with libpod with the exception of a couple due to incompletions on the libpod side of things (build). also, created a first pass at a libpodpy package which will stand as a client to working with libpod's varlink methods using python. Signed-off-by: baude <bbaude@redhat.com> Closes: #669 Approved by: baude
* Retrieve IP addresses for container from DBMatthew Heon2018-04-26
| | | | | | | | | | Instead of execing out to the host's IP, use the IP address we got back from CNI to populate Inspect's IP address information. Signed-off-by: Matthew Heon <mheon@redhat.com> Closes: #680 Approved by: umohnani8
* Add --default-mounts-file hidden flagumohnani82018-04-26
| | | | | | | | | | | The hidden flag is used to override the path of the default mounts file for testing purposes. Also modified the secrets pkg to allow for this override to happen. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #678 Approved by: mheon
* Modify --user flag for podman create and runumohnani82018-04-24
| | | | | | | | | | If an integer is passed into the --user flag, i.e --user=1234 don't look up the user in /etc/passwd, just assign the integer as the uid. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #652 Approved by: mheon
* Add FIPS mode secretumohnani82018-04-23
| | | | | | | | If the host is in FIPS mode and /etc/system-fips exists /run/secrets/system-fips is created in the container so that the container can run in FIPS mode as well. Signed-off-by: umohnani8 <umohnani@redhat.com>
* Initial varlink implementationbaude2018-04-23
| | | | | | | Signed-off-by: baude <bbaude@redhat.com> Closes: #627 Approved by: mheon
* regression: tls verify should be set on registries.conf if insecurebaude2018-04-18
| | | | | | | | | | | In the case where podman needs to pull an image, if that registry that the image resides on is known to be insesure (as defined in /etc/containers/registries.conf), tls-verify should be altered on the fly. Signed-off-by: baude <bbaude@redhat.com> Closes: #626 Approved by: mheon
* Fix secrets patchumohnani82018-04-13
| | | | | | | | | | | The secrets code was just tarring and copying the contents of the secrets directory on host as is. This meant it was not accounting for any symlinks inside the directory, leading up to the contents not being copied over. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #611 Approved by: mheon
* Functionality changes to the following flagsumohnani82018-04-06
| | | | | | | | | | | | | | | | | | | --group-add --blkio-weight-device --device-read-bps --device-write-bps --device-read-iops --device-write-iops --group-add now supports group names as well as the gid associated with them. All the --device flags work now with moderate changes to the code to support both bps and iops. Added tests for all the flags. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #590 Approved by: mheon
* Add hooks support to podmanDaniel J Walsh2018-04-05
| | | | | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #155 Approved by: mheon
* Add container dependencies to Inspect outputMatthew Heon2018-04-03
| | | | | | | Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #577 Approved by: rhatdan
* Correct a godoc commentNalin Dahyabhai2018-04-02
| | | | | | | | | | Correct the names of the files in the godoc for pkg/chrootuser/GetUser(). Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #579 Approved by: rhatdan
* Add secrets patch to podmanumohnani82018-03-29
| | | | | | | | | | Adds support for mounting secrets especially on RHEL where the container can use the host subsription to run yum Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #544 Approved by: rhatdan
* Remove dependency on kubernetesbaude2018-03-27
| | | | | | | | | | podman parse and attach were using a very small portion of the kubernetes code but using it caused a signficant increase in binary size. Signed-off-by: baude <bbaude@redhat.com> Closes: #559 Approved by: rhatdan
* Stage3 Image Librarybaude2018-03-14
| | | | | | | | | | | | | This represents the stage3 implementation for the image library. At this point, we are moving the image-centric functions to pkg/image including migration of args and object-oriented references. This is a not a one-for-one migration of funcs and some funcs will need to continue to reside in runtime_img as they are overly specific to libpod and probably not useful to others. Signed-off-by: baude <bbaude@redhat.com> Closes: #484 Approved by: baude
* Include tmpfs in inspectbaude2018-03-14
| | | | | | | | | | | | Other container runtimes include the tmpfs mount points in their inspect output. Podman should as well. It is under hostconfig. Resolves: #483 Signed-off-by: baude <bbaude@redhat.com> Closes: #488 Approved by: rhatdan
* Performance enhancement for podman imagesbaude2018-02-20
| | | | | | | | | | | | | Previous code was using slow routines to collect some of the information needed to output images. Specifically size was being calculated instead of using the cached, already known size already available. Also, straight- lined several of the code paths. Overall assessment is that these improvements cut the time for images in half. Signed-off-by: baude <bbaude@redhat.com> Closes: #365 Approved by: mheon
* Change json to match docker inspectDaniel J Walsh2018-02-11
| | | | | | | | | | Changing these fields caused the output of podman inspect to more closely match docker inspect. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #306 Approved by: mheon
* Merge pull request #289 from TomSweeneyRedHat/dev/tsweeney/usernameDaniel J Walsh2018-02-07
|\ | | | | Change un/pwd handling to match Buildah's
| * Change un/pwd handling to match Buildah'sTomSweeneyRedHat2018-02-06
| | | | | | | | Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
* | Match podman inspect output to docker inspectumohnani82018-02-06
|/ | | | | | | | | | | | Made a change to make sure that the output paths of podman inspect matches that of docker inspect. For example to get the stop signal you should be able to do podman inspect ctr --format {{.Config.StopSignal}} and the same thing in docker will give the same results. Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #292 Approved by: rhatdan
* Migrate Create|Commit to ginkgobaude2018-02-02
| | | | | | | | | | | | Migrate create and commit bats tests to the ginkgo test suite. In doing so, some structures had to be moved to pkg/podmanstructs/podmanstructs.go so we could do better verification of test results. Signed-off-by: baude <bbaude@redhat.com> Closes: #286 Approved by: rhatdan
* Remove unused pkg/storage codeMatthew Heon2018-01-11
| | | | | | | This code was refactored into libpod, so no need to keep the old version around Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
* podman create/run need to load information from the imageDaniel J Walsh2018-01-03
| | | | | | | | | | We should be pulling information out of the image to set the defaults to use when setting up the container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #110 Approved by: mheon
* Vendor in latest upstream containers/imageumohnani82017-12-11
| | | | Signed-off-by: umohnani8 <umohnani@redhat.com>
* Enhancements to papr testsbaude2017-11-17
| | | | | | | | | | | | | | | The PR contains several enhancements to our CI testing. - enable lint testing on Fedora - add Centos Atomic as test platform - integration tests on run on the OS natively (uncontainerized) - builds are done in containers - inclusion of Vagrant file for local testing Signed-off-by: baude <bbaude@redhat.com> Closes: #18 Approved by: mheon
* Initial checkin from CRI-O repoMatthew Heon2017-11-01
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>