265 Commits

Author SHA1 Message Date
8fe22d48fb Inherit rootless init_path from system libpod.conf
Signed-off-by: Lawrence Chan <element103@gmail.com>
2019-06-03 18:44:36 -05:00
6ddf47ca38 runtime: unlock the alive lock only once
Unlock the alive lock only once in the deferred func call.

Fixes: #3207
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2019-05-28 15:54:26 +02:00
791d53a214 rootless: use a pause process
use a pause process to keep the user and mount namespace alive.

The pause process is created immediately on reload, and all successive
Podman processes will refer to it for joining the user&mount
namespace.

This solves all the race conditions we had on joining the correct
namespaces using the conmon processes.

As a fallback if the join fails for any reason (e.g. the pause process
was killed), then we try to join the running containers as we were
doing before.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-05-17 20:48:24 +02:00
2e0fef51b3 migrate: not create a new namespace
this leaves the containers stopped but we won't risk to use the wrong
user namespace.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-05-17 20:47:55 +02:00
7a58c6601b set default event logger based on build tags
once the default event logger was removed from libpod.conf, we need to
set the default based on whether the systemd build tag is used or not.

Signed-off-by: baude <bbaude@redhat.com>
2019-05-14 16:17:11 -05:00
bc7b1ca03d enable integration tests for remote-client
first pass at enabling a swath of integration tests for the
remote-client.

Signed-off-by: baude <bbaude@redhat.com>
2019-05-07 14:06:02 -05:00
d1a7378aa0 change from sysregistries to sysregistriesv2
We want to start supporting the registries.conf format.
Also start showing blocked registries in podman info
Fix sorting so all registries are listed together in podman info.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-05-03 10:38:51 -04:00
416cc20c68 Small fixes for #2950
We merged #2950 with some nits still remaining, as Giuseppe was
going on PTO. This addresses those small requested changes.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-05-01 15:07:30 -04:00
f49e0c19ed runtime: pass down the context
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-04-26 22:23:49 +02:00
525f0b30ac system: add new subcommand "migrate"
it is useful to migrate existing containers to a new version of
podman.  Currently, it is needed to migrate rootless containers that
were created with podman <= 1.2 to a newer version which requires all
containers to be running in the same user namespace.

Closes: https://github.com/containers/libpod/issues/2935

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-04-26 22:23:45 +02:00
04d6ff0582 Add System event type and renumber, refresh events
Also, re-add locking to file eventer Write() to protect against
concurrent events.

Signed-off-by: Matthew Heon <mheon@redhat.com>
2019-04-25 16:23:09 -04:00
a01c62fcbd Merge pull request #3013 from mheon/logging_for_refresh
Logging for refresh
2019-04-25 12:43:43 -07:00
0df9f6f9fe Add a debug message indicating that a refresh occurred
Signed-off-by: Matthew Heon <mheon@redhat.com>
2019-04-25 11:29:16 -04:00
7bf7c177ab journald event logging
add the ability for podman to read and write events to journald instead
of just a logfile.  This can be controlled in libpod.conf with the
`events_logger` attribute of `journald` or `file`.  The default will be
set to `journald`.

Signed-off-by: baude <bbaude@redhat.com>
2019-04-24 16:00:04 -05:00
09532c8cc0 rootless: fix segfault on refresh if there are containers
create immediately a namespace if we need a refresh.  This is
necessary to access the rootless storage.

Closes: https://github.com/containers/libpod/issues/2894

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-04-10 23:12:37 +02:00
72382a12a7 rootless: use a single user namespace
simplify the rootless implementation to use a single user namespace
for all the running containers.

This makes the rootless implementation behave more like root Podman,
where each container is created in the host environment.

There are multiple advantages to it: 1) much simpler implementation as
there is only one namespace to join.  2) we can join namespaces owned
by different containers.  3) commands like ps won't be limited to what
container they can access as previously we either had access to the
storage from a new namespace or access to /proc when running from the
host.  4) rootless varlink works.  5) there are only two ways to enter
in a namespace, either by creating a new one if no containers are
running or joining the existing one from any container.

Containers created by older Podman versions must be restarted.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-04-01 15:32:58 +02:00
ed326206f2 rootless: remove SkipStorageSetup()
in the few places where we care about skipping the storage
initialization, we can simply use the process effective UID, instead
of relying on a global boolean flag.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-04-01 13:24:04 +02:00
2fa9861d78 rootless: set sticky bit on rundir
it prevents the directory to be auto pruned, according to the XDG
specifications.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-03-29 12:01:12 +01:00
a5443a532b vendor buildah, image, storage, cni
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2019-03-28 15:12:26 +01:00
5ed62991dc Remove ulele/deepcopier in favor of JSON deep copy
We have a very high performance JSON library that doesn't need to
perform code generation. Let's use it instead of our questionably
performant, reflection-dependent deep copy library.

Most changes because some functions can now return errors.

Also converts cmd/podman to use jsoniter, instead of pkg/json,
for increased performance.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-03-27 20:00:31 -04:00
232b46a374 utils: split generation and writing of storage.conf
split the generation for the default storage.conf and when we write it
if not existing for a rootless user.

This is necessary because during the startup we might be overriding
the default configuration through --storage-driver and --storage-opt,
that would not be written down to the storage.conf file we generated.

Closes: https://github.com/containers/libpod/issues/2659

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-03-17 10:45:51 +01:00
7efefde3bc rootless: write the custom config file before reload
so that when we do a rootlessReload we inherit the correct settings
from the command line.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-03-15 17:05:06 +01:00
dd8edd639f rootless: do not override user settings
if the settings are available in the user config file, do not override
them with the global configuration.

Closes: https://github.com/containers/libpod/issues/2614

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-03-15 10:39:40 +01:00
14cfc63631 runtime: refactor NewRuntime and NewRuntimeFromConfig
we had two functions NewRuntimeFromConfig and NewRuntime that differed
only for the config file they use.

Move comon logic to newRuntimeFromConfig and let it lookup the
configuration file to use when one is not specified.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-03-15 10:39:39 +01:00
ca1e76ff63 Add event logging to libpod, even display to podman
In lipod, we now log major events that occurr.  These events
can be displayed using the `podman events` command. Each
event contains:

* Type (container, image, volume, pod...)
* Status (create, rm, stop, kill, ....)
* Timestamp in RFC3339Nano format
* Name (if applicable)
* Image (if applicable)

The format of the event and the varlink endpoint are to not
be considered stable until cockpit has done its enablement.

Signed-off-by: baude <bbaude@redhat.com>
2019-03-11 15:08:59 -05:00
e02393ba70 libpod: allow to configure path to the network-cmd binary
allow to configure the path to the network-cmd binary, either via an
option flag --network-cmd-path or through the libpod.conf
configuration file.

This is currently used to customize the path to the slirp4netns
binary.

Closes: https://github.com/containers/libpod/issues/2506

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-03-11 09:29:04 +01:00
cc411dd98f rootless: propagate errors from info
we use "podman info" to reconfigure the runtime after a reboot, but we
don't propagate the error message back if something goes wrong.

Closes: https://github.com/containers/libpod/issues/2584

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-03-08 19:42:20 +01:00
2ac7991d1b rootless: fill in correct storage conf default
When the configuration file is specified, be sure to fill rootless
compatible values in the default configuration.

Closes: https://github.com/containers/libpod/issues/2510

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-03-05 16:09:41 +01:00
9bf8bd7bcb runtime: fill a proper default tmpdir when --config is used
Closes: https://github.com/containers/libpod/issues/2408

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-03-04 10:35:04 +01:00
f68a243f8e Centralize setting default volume path
No reason to do it in util/ anymore. It's always going to be a
subdirectory of c/storage graph root by default, so we can just
set it after the return.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-02-26 15:44:46 -05:00
b8e6ef618b Move all storage configuration defaults into libpod
Instead of passing in defaults via WithStorageConfig after
computing them in cmd/podman/libpodruntime, do all defaults in
libpod itself.

This can alleviate ordering issues which caused settings in the
libpod config (most notably, volume path) to be ignored.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-02-26 15:32:53 -05:00
ba6f1acf07 Record when volume path is explicitly set in config
This ensures we won't overwrite it when it's set in the config we
load from disk.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-02-26 09:38:02 -05:00
5a0a9dfa23 Add debug information when overriding paths with the DB
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-02-26 09:38:02 -05:00
d41d8d090e Validate VolumePath against DB configuration
If this doesn't match, we end up not being able to access named
volumes mounted into containers, which is bad. Use the same
validation that we use for other critical paths to ensure this
one also matches.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-02-26 09:37:00 -05:00
da70c9db6f When location of c/storage root changes, set VolumePath
We want named volumes to be created in a subdirectory of the
c/storage graph root, the same as the libpod root directory is
now. As such, we need to adjust its location when the graph root
changes location.

Also, make a change to how we set the default. There's no need to
explicitly set it every time we initialize via an option - that
might conflict with WithStorageConfig setting it based on graph
root changes. Instead, just initialize it in the default config
like our other settings.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-02-26 09:37:00 -05:00
446d333783 oci: improve error message when the OCI runtime is not found
We were previously returning the not so nice error directly from
conmon.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-02-26 11:40:34 +01:00
d2b77f8b33 Do not make renumber shut down the runtime
The original intent behind the requirement was to ensure that, if
two SHM lock structs were open at the same time, we should not
make such a runtime available to the user, and should clean it up
instead.

It turns out that we don't even need to open a second SHM lock
struct - if we get an error mapping the first one due to a lock
count mismatch, we can just delete it, and it cleans itself up
when it errors. So there's no reason not to return a valid
runtime.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-02-21 10:51:42 -05:00
f9c548219b Recreate SHM locks when renumbering on count mismatch
When we're renumbering locks, we're destroying all existing
allocations anyways, so destroying the old lock struct is not a
particularly big deal. Existing long-lived libpod instances will
continue to use the old locks, but that will be solved in a
followon.

Also, solve an issue with returning error values in the C code.
There were a few places where we return ERRNO where it was not
set, so make them return actual error codes).

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-02-21 10:51:42 -05:00
a72025d6fd Move RenumberLocks into runtime init
We can't do renumbering after init - we need to open a
potentially invalid locks file (too many/too few locks), and then
potentially delete the old locks and make new ones.

We need to be in init to bypass the checks that would otherwise
make this impossible.

This leaves us with two choices: make RenumberLocks a separate
entrypoint from NewRuntime, duplicating a lot of configuration
load code (we need to know where the locks live, how many there
are, etc) - or modify NewRuntime to allow renumbering during it.
Previous experience says the first is not really a viable option
and produces massive code bloat, so the second it is.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-02-21 10:51:42 -05:00
8aa9b85fa7 libpod: honor runtime_path from libpod.conf
Add backward compatibility for `runtime_path` that was used by older
versions of Podman.

The issue was introduced with: 650cf122e1b33f4d8f4426ee1cc1a4bf00c14798

If `runtime_path` is specified, it overrides any other configuration
and a warning is printed.

It should be considered deprecated and will be removed in future.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-02-15 11:41:17 +01:00
71782812fe rootless: open the correct file
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-02-15 10:53:50 +01:00
61979d8ac2 rootless: copy some settings from the global configuration
if some paths are overriden in the global configuration file, be sure
that rootless podman honors them.

Closes: https://github.com/containers/libpod/issues/2174

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-02-05 11:37:33 +01:00
c9e1f365e2 Merge pull request #2069 from mheon/warn_on_overriding_driver
Warn on overriding user-specified storage driver w/ DB
2019-01-23 22:15:16 +01:00
61216937e7 Show a better error message when podman info fails during a refresh
Signed-off-by: Ryan Gonzalez <rymg19@gmail.com>
2019-01-21 15:24:10 -06:00
50c86ae389 oci: allow to define multiple OCI runtimes
we can define multiple OCI runtimes that can be chosen with
--runtime.

in libpod.conf is possible to specify them with:

[runtimes]
foo = [
             "/usr/bin/foo",
	     "/usr/sbin/foo",
]
bar = [
             "/usr/bin/foo",
	     "/usr/sbin/foo",
]

If the argument to --runtime is an absolute path then it is used
directly without any lookup in the configuration.

Closes: https://github.com/containers/libpod/issues/1750

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-01-14 10:22:18 +01:00
650cf122e1 libpod: allow multiple oci runtimes
This deprecates the libpod.conf variable of `runtime_path=`, and now has
`runtimes=`, like a map for naming the runtime, preparing for a
`--runtime` flag to `podman run` (i.e. runc, kata, etc.)

Reference: https://github.com/containers/libpod/issues/1750

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2019-01-14 10:03:40 +01:00
8c25a645ac If you fail to open shm lock then attempt to create it
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-01-09 14:57:24 -05:00
a76256834a Rootless with shmlocks was not working.
This patch makes the path unigue to each UID.

Also cleans up some return code to return the path it is trying to lock.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-01-05 07:37:21 -05:00
97681a5f2b Move lock init after tmp dir is populated properly
Don't initialize the lock manager until almost the end of libpod
init, so we can guarantee our tmp dir is properly set up and
exists. This wasn't an issue on systems that had previously run
Podman, but CI caught it.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-01-04 09:51:09 -05:00
16a5cbfac5 When refreshing libpod, if SHM locks exist, remove them
This will hopefully help cases where libpod is initialized
multiple times on the same system (as on our CI tests).

We still run into potential issues where multiple Podmans with
multiple tmp paths try to run on the same system - we could end
up thrashing the locks.

I think we need a file locks driver for situations like that. We
can also see about storing paths in the SHM segment, to make sure
multiple libpod instances aren't using the same one.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-01-04 09:51:09 -05:00