Commit Graph

2770 Commits

Author SHA1 Message Date
Daniel J Walsh
e7fbf329c2 Reveal information about container capabilities
I am often asked about the list of capabilities available to a container.
We should be listing this data in the inspect command for effective
capabilities and the bounding set.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1335
Approved by: TomSweeneyRedHat
2018-08-24 12:16:19 +00:00
umohnani8
16465007d0 Vendor in latest projectatomic/buildah
Fixes to podman build for unknown image and ADD with url
when doing --layers.

Signed-off-by: umohnani8 <umohnani@redhat.com>

Closes: #1330
Approved by: mheon
2018-08-23 19:11:09 +00:00
haircommander
4c00dc66df Refactor error checking in With*NSFromPod options
Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1187
Approved by: mheon
2018-08-23 18:16:28 +00:00
haircommander
0e6266858a Fixing network ns segfault
As well as small style corrections, update pod_top_test to use CreatePod, and move handling of adding a container to the pod's namespace from container_internal_linux to libpod/option.

Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1187
Approved by: mheon
2018-08-23 18:16:28 +00:00
haircommander
2a7449362f Change pause container to infra container
Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1187
Approved by: mheon
2018-08-23 18:16:28 +00:00
haircommander
697b46430a Support pause containers in varlink
Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1187
Approved by: mheon
2018-08-23 18:16:28 +00:00
haircommander
d5e690914d Added option to share kernel namespaces in libpod and podman
A pause container is added to the pod if the user opts in. The default pause image and command can be overridden. Pause containers are ignored in ps unless the -a option is present. Pod inspect and pod ps show shared namespaces and pause container. A pause container can't be removed with podman rm, and a pod can be removed if it only has a pause container.

Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1187
Approved by: mheon
2018-08-23 18:16:28 +00:00
haircommander
63dd200e7e Changed GetContainerStats to return ErrCtrStateInvalid
This results in some functionality changes:

If an ErrCtrStateInvalid is returned to GetPodStats, the container is omitted from the stats.
As such, if an empty slice of Container stats is returned to GetPodStats in varlink, an error will occur.
GetContainerStats will return the ErrCtrStateInvalid as well.
Finally, if ErrCtrStateInvalid is returned to the podman stats call, the container will be omitted from the stats.

Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1319
Approved by: baude
2018-08-23 15:58:08 +00:00
haircommander
88df4ea0f9 Add podman pod top
Using the vendored changes from psgo, incorporate JoinNamespaceAndProcessInfoByPids to get process information for each pid namespace of running containers in the pod. Also added a man page, and tests.

Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1298
Approved by: mheon
2018-08-23 15:01:17 +00:00
Matthew Heon
c276a13880 Properly translate users into runc format for exec
Runc exec expects the --user flag to be formatted as UID:GID.
Use chrootuser code to translate whatever user is passed to exec
into this format.

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1315
Approved by: vrothberg
2018-08-23 12:07:59 +00:00
haircommander
149481a571 Fixed segfault in stats where container had netNS none or from container
Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1306
Approved by: rhatdan
2018-08-21 15:37:39 +00:00
Matthew Heon
33f95b9ef8 Make failure to retrieve individual ctrs/pods nonfatal
This ensures that we can still use Podman even if a container or
pod with bad config JSON makes it into the state. We still can't
remove these containers, but at least we can do our best to make
things usable.

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1294
Approved by: rhatdan
2018-08-17 19:10:21 +00:00
Giuseppe Scrivano
50afe5b031 podman: fix --uts=host
Do not set any hostname value in the OCI configuration when --uts=host
is used and the user didn't specify any value.  This prevents an error
from the OCI runtime as it cannot set the hostname without a new UTS
namespace.

Differently, the HOSTNAME environment variable is always set.  When
--uts=host is used, HOSTNAME gets the value from the host.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1280
Approved by: baude
2018-08-17 08:17:43 +00:00
baude
bf741b3ea3 podman pod stats
add the ability to monitor container statistics in a pod.

Signed-off-by: baude <bbaude@redhat.com>

Closes: #1265
Approved by: rhatdan
2018-08-17 07:55:36 +00:00
haircommander
8d5e0108d7 Change batchcontainer to shared
To better reflect its usage: to share functions between podman and varlink.

Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1275
Approved by: mheon
2018-08-16 20:31:50 +00:00
haircommander
67f79eaf73 Moved getPodStatus to pod API to be used in varlink
Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1275
Approved by: mheon
2018-08-16 20:31:50 +00:00
Daniel J Walsh
d20f3a5146 switch projectatomic to containers
Need to get some small changes into libpod to pull back into buildah
to complete buildah transition.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1270
Approved by: mheon
2018-08-16 17:12:36 +00:00
Matthew Heon
74cf870792 Fix build on non-Linux OSes
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1266
Approved by: baude
2018-08-15 18:07:04 +00:00
Matthew Heon
0998808a75 Create pod CGroups when using the systemd cgroup driver
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1266
Approved by: baude
2018-08-15 18:07:04 +00:00
Matthew Heon
ad7d469571 Switch systemd default CGroup parent to machine.slice
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1266
Approved by: baude
2018-08-15 18:07:04 +00:00
haircommander
77baae25ce Updated pod_api to reflect function spec
Specifically, pod.Start() always returned CtrErrors, even if none failed. This caused podman start to not return the successfully started pod id.
Also, pod.Kill() didn't return an error along with ctrErrors.

Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1272
Approved by: rhatdan
2018-08-14 21:49:33 +00:00
Matthew Heon
8dd755fbf5 Remove unused function in runtime.go
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1264
Approved by: mheon
2018-08-14 01:37:36 +00:00
Matthew Heon
7d116f5f73 Merge pull request #1254 from mheon/systemd_cgroups_default
Switch default CGroup manager to systemd
2018-08-11 15:07:29 -04:00
Matthew Heon
3ef9279cec Ensure pod inspect is locked and validity-checked
Also, don't return the internal podState struct - instead return
a public inspect struct.

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1258
Approved by: rhatdan
2018-08-11 18:13:06 +00:00
Daniel J Walsh
92e9d7891e We need to sort mounts so that one mount does not over mount another.
Currently we add mounts from images, volumes and internal.
We can accidentally over mount an existing mount.  This patch sorts the mounts
to make sure a parent directory is always mounted before its content.

Had to change the default propagation on image volume mounts from shared
to private to stop mount points from leaking out of the container.

Also switched from using some docker/docker/pkg to container/storage/pkg
to remove some dependencies on Docker.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1243
Approved by: mheon
2018-08-10 21:18:19 +00:00
Matthew Heon
ccbaa15de1 Split pod.go into 3 files
This removes anything but structs and simple accessors from
pod.go itself, which is a target file for FFJSON generation. This
should reduce the amount of times FFJSON needs to run.

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1247
Approved by: rhatdan
2018-08-10 18:14:31 +00:00
Matthew Heon
3d7e401d4e Swap default CGroup manager to systemd
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
2018-08-10 14:09:46 -04:00
Matthew Heon
7366697175 Make errors during refresh nonfatal
During refresh, we cannot hard-fail, as that would mean leaving a
partially-configured state behind, leaving libpod unable to start
without manual intervention.

Instead, log errors refreshing individual containers and pods and
continue. Individual containers and pods may be unusable and need
to be removed manually, but libpod itself will continue to
function.

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1252
Approved by: rhatdan
2018-08-10 17:49:09 +00:00
Matthew Heon
71c28c7cda Add batch check to container stats lock
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1249
Approved by: rhatdan
2018-08-10 15:00:33 +00:00
Valentin Rothberg
c27b7cdc93 removeContainer: fix deadlock
When checking if the container has already been removed, use
c.state.HasContainer() instead of the runtime's API to avoid
trying to take the already acquired lock.

Fixes: #1245
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>

Closes: #1251
Approved by: baude
2018-08-10 13:26:58 +00:00
Matthew Heon
7df49bc677 Add FFJSON generation to makefile
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1240
Approved by: rhatdan
2018-08-09 15:54:34 +00:00
Matthew Heon
3a6bd89f64 Re-add FFJSON for container and pod structs
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1240
Approved by: rhatdan
2018-08-09 15:54:34 +00:00
haircommander
bf468571dd Fixed a bug setting dependencies on the wrong container
Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1244
Approved by: mheon
2018-08-09 15:16:22 +00:00
Daniel J Walsh
a44641d46b Always connect to the stdout and stderr of stream
If the stdout and stderr are not attached, podman will at least get
a message that the container has completed and finish.

This fixes the
`podman run -a stdin fedora true`

Hang issue.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1239
Approved by: mheon
2018-08-09 14:14:40 +00:00
Valentin Rothberg
e9b23f7cca oci.go: syslog: fix debug formatting
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>

Closes: #1242
Approved by: rhatdan
2018-08-09 12:24:24 +00:00
baude
06fafe4cd0 add podman pod inspect
first pass of podman pod inspect

Signed-off-by: baude <bbaude@redhat.com>

Closes: #1236
Approved by: rhatdan
2018-08-09 11:06:32 +00:00
haircommander
879453eaf1 Fix ambiguity in adding localhost to podman save
...and some naming decisions.

This change ensures podman save doesn't incorrectly prepend localhost when saving an image.

Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1140
Approved by: rhatdan
2018-08-08 21:04:11 +00:00
Matthew Heon
9bd991f477 Fix CGroupFS cgroup manager cgroup creation for pods
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1237
Approved by: rhatdan
2018-08-08 21:03:20 +00:00
Matthew Heon
b01ddc7b09 Pass newly-added --log-level flag to Conmon
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1232
Approved by: rhatdan
2018-08-08 19:23:41 +00:00
Daniel J Walsh
0f1086cf7c Add dpkg support for returning oci/conmon versions
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1224
Approved by: baude
2018-08-07 14:16:26 +00:00
Daniel J Walsh
33d6221ae3 Have info print conmon/oci runtime information
We need info to identify the OCI runtime and conmon used by podman.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1224
Approved by: baude
2018-08-07 14:16:26 +00:00
baude
b1de943eea Better pull error for fully-qualified images
When pulling a fully-qualified image that fails, we should not be talking about
registries/search registries in the error message as it is not applicable.  If
an image that is fq'd and fails to pull, the error should be simplified.

```
$ sudo podman pull this-does-not-exist.example.com/foo
Trying to pull this-does-not-exist.example.com/foo...Failed
error pulling image "this-does-not-exist.example.com/foo": unable to pull this-does-not-exist.example.com/foo: unable to pull image, or you do not have pull access
$
```

Resolves: #1212
Signed-off-by: baude <bbaude@redhat.com>

Closes: #1216
Approved by: mheon
2018-08-06 20:34:29 +00:00
baude
99a37afc3a Add Runc and Conmon versions to Podman Version
It will be handy to know the runc and conmon versions as our
code gets into the wild.

Signed-off-by: baude <bbaude@redhat.com>

Closes: #1207
Approved by: rhatdan
2018-08-05 23:19:47 +00:00
baude
20155657ec clarify pull error message
when pulling, we can fail to find an image (i.e. it doesn't exist) or we
can not have authority/access to pull it.  the registries don't tell us
one way or another so the error message needs to cover both.

Resolves #1194

Signed-off-by: baude <bbaude@redhat.com>

Closes: #1195
Approved by: rhatdan
2018-08-02 19:53:50 +00:00
Miloslav Trmač
126a97af82 Inline pullGoalNamesFromPossiblyUnqualifiedName into Runtime.pullGoalFromPossibly...
Again, we only needed them split for tests; so, integrate them back.
Then drop all remaining references to pullRefName and pullGoalNames,
which are not used for anything.

Should not change behavior

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1198
Approved by: mheon
2018-08-02 13:17:17 +00:00
Miloslav Trmač
5334d9ab5e Replace getPullRefName by Runtime.getPullRefPair
This more or less reverts 9c9401a96c
"Replace getPullRefPair with getPullRefName"; now that tests don't require
us to use pullRefName, move creation of storage references deeper into the
call stack to reduce string use.

ir.getSinglePullRefNameGoal is accordingly updated to ir.getSinglePullRefPairGoal,
and we need to add a ~duplicate singlePullRefPairGoal; that duplication
of singlePullRefNameGoal will soon be resolved by dropping singlePullRefNameGoal.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1198
Approved by: mheon
2018-08-02 13:17:17 +00:00
Miloslav Trmač
682076e58f Inline pullGoalNamesFromImageReference back into Runtime.pullGoalFromImageReference
Now that we don't need a separate pullGoalNamesFromImageReference for
running tests, inline it back.

This forces us to add some glue code to getSinglePullRefNameGoal
and to convert between pullGoal and *pullGoal; that is temporary
and will be cleaned up soon.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1198
Approved by: mheon
2018-08-02 13:17:17 +00:00
Miloslav Trmač
4cf9308bf2 Introduce getSinglePullRefNameGoal
This merely wraps the
> return singlePullRefNameGoal(getPullRefName(... reference)), nil
pattern which is used for almost all getPullRefName uses.  For now
it seems not really worth it, but it will result in shorter code
(and smaller migration) after we replace getPullRefName with
getPullRefPair, which can fail, again - the pullGoalNamesFromImageReference
will not have to add any error handling.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1198
Approved by: mheon
2018-08-02 13:17:17 +00:00
Miloslav Trmač
48763b14ae Test Runtime.pullGoalFromPossiblyUnqualifiedName instead of pullGoalNameFrom...
Similarly to pullGoalNamesFromImageReference, use a storage.Store and
test the actually created references; that is more representative,
and clearly shows the impact of further normalization in
storageReference (like defaulting to :latest on NameOnly references).

Only modifies tests, so does not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1198
Approved by: mheon
2018-08-02 13:17:17 +00:00
Miloslav Trmač
be101dee8a Test Runtime.pullGoalFromImageReference instead of pullGoalNamesFromImageReference
pullGoalNamesFromImageReference has been added only to allow testing without
a storage.Store, because I thought that a storage.Store can only be created
by root.

It turns out that non-root stores, at least good enough for reference
parsing and formatting, are possible (and have existed in c/image/storage
tests), so this creates such a store, and modifies the existing
test to test the created c/image/storage.storageReference values
instead of strings; that is more representative, and clearly shows
the impact of further normalization in storageReference (like
defaulting to :latest on NameOnly references).

Eventually we will want to get rid of pullGoalNames / pullRefName.

Only modifies tests, so does not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Closes: #1198
Approved by: mheon
2018-08-02 13:17:17 +00:00