331 Commits

Author SHA1 Message Date
7676cd4b12 Add extra debug so we can tell apart postdelete hooks
Ensure we can identify what hook is running so we can tell which
are erroring.

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #960
Approved by: rhatdan
2018-06-19 11:40:33 +00:00
Wim
4d3db1b4a9 Add MacAddress to inspect
Signed-off-by: Wim <wim@42.be>

Closes: #955
Approved by: rhatdan
2018-06-18 14:20:30 +00:00
4086a0f737 podman: use a different store for the rootless case
so that the user has rw access to it.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #871
Approved by: mheon
2018-06-15 14:53:18 +00:00
a1ec6747f1 container: do not set any mapping when using a rootfs
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #871
Approved by: mheon
2018-06-15 14:53:18 +00:00
5e699e28a7 podman: do not use Chown in rootless mode
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #871
Approved by: mheon
2018-06-15 14:53:18 +00:00
c976d49805 network: do not attempt to create a network in rootless mode
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #871
Approved by: mheon
2018-06-15 14:53:18 +00:00
de71441700 oci: do not use hooks in rootless mode
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #871
Approved by: mheon
2018-06-15 14:53:18 +00:00
1e8ef3c897 container: do not add shm in rootless mode
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #871
Approved by: mheon
2018-06-15 14:53:18 +00:00
7bdfb4f9b3 podman: accept option --rootfs to use exploded images
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #871
Approved by: mheon
2018-06-15 14:53:18 +00:00
8f1b7be275 Fix cleaning up network namespaces on detached ctrs
The containernetworking/plugins ns package does not support
unmounting and removing namespaces that were opened by another
process. Work around this by doing it ourself.

Closes: #858

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #949
Approved by: rhatdan
2018-06-15 09:15:58 +00:00
1e9e530714 Remove container from state before cleaning up.
Attempt to cleanup as much of the container as possible, even if one
of the cleanup stages fails.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #895
Approved by: mheon
2018-06-10 11:10:11 +00:00
c9f763456c libpod: Execute poststop hooks locally
Instead of delegating to the runtime, since some runtimes do not seem
to handle these reliably [1].

[1]: https://github.com/projectatomic/libpod/issues/730#issuecomment-392959938

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #864
Approved by: rhatdan
2018-06-04 18:36:40 +00:00
684b544e9c Spell check strings and comments
Signed-off-by: Jhon Honce <jhonce@redhat.com>

Closes: #831
Approved by: rhatdan
2018-05-25 08:45:15 +00:00
b09fca74af Set Entrypoint from image only if not already set
Signed-off-by: Matthew Heon <mheon@redhat.com>

Closes: #827
Approved by: rhatdan
2018-05-24 17:36:37 +00:00
05bc77f0cb Fix handling of command in images
Currently we are dropping the command entry from the create
line and using the image Cmd.  This change will only use the
image Cmd if the user did not specify a Cmd.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #823
Approved by: umohnani8
2018-05-23 18:39:06 +00:00
82feafecdd podman create, start, getattachsocket
First pass at implement API endpoints for create and start.

Signed-off-by: baude <bbaude@redhat.com>

Closes: #805
Approved by: baude
2018-05-21 19:26:56 +00:00
20bceb787d Use container cleanup() functions when removing
Instead of manually calling the individual functions that cleanup
uses to tear down a container's resources, just call the cleanup
function to make sure that cleanup only needs to happen in one
place.

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #790
Approved by: rhatdan
2018-05-17 18:55:59 +00:00
e686269da3 chrootuser: default to GID 0 when given a numeric --user
When we're given a numeric --user value, default to GID 0 if the numeric
ID doesn't correspond to a user entry in /etc/passwd that can provide us
with the user's primary group ID.

Make sure that GetAdditionalGroupsForUser() returns wrapped errors.

Also test various user:group forms.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Closes: #728
Approved by: mheon
2018-05-17 17:05:44 +00:00
45838b9561 hooks: Add package support for extension stages
We aren't consuming this yet, but these pkg/hooks changes lay the
groundwork for future libpod changes to support post-exit hooks [1,2].

[1]: https://github.com/projectatomic/libpod/issues/730
[2]: https://github.com/opencontainers/runc/issues/1797

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #758
Approved by: rhatdan
2018-05-14 21:36:48 +00:00
69a6cb255c Gracefully handle containers removed from c/storage
Allow containers that no longer exist in storage to be evicted
from the state instead of erroring.

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #764
Approved by: rhatdan
2018-05-14 19:44:33 +00:00
89430ffe65 hooks: Order injection by collated JSON filename
We also considered ordering with sort.Strings, but Matthew rejected
that because it uses a byte-by-byte UTF-8 comparison [1] which would
fail many language-specific conventions [2].

There's some more discussion of the localeToLanguage mapping in [3].
Currently language.Parse does not handle either 'C' or 'POSIX',
returning:

  und, language: tag is not well-formed

for both.

[1]: https://github.com/projectatomic/libpod/pull/686#issuecomment-387914358
[2]: https://en.wikipedia.org/wiki/Alphabetical_order#Language-specific_conventions
[3]: https://github.com/golang/go/issues/25340

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #686
Approved by: mheon
2018-05-11 16:26:35 +00:00
4b22913e11 libpod: Add HooksDirNotExistFatal
And add an argument to WithHooksDir to set it.

If the hook dir doesn't exist, the new hooks package considers that a
fatal error.  When a podman caller sets
--hooks-dir-path=/some/typoed/directory, a fatal error is more helpful
than silently not loading any hooks.  However, callers who call podman
without setting --hooks-dir-path may not need hooks at all.  We don't
want to pester those callers with not-exist errors.  With this commit,
we:

* Assume the caller knows what they're doing if they set
  --hooks-dir-path and set HooksDirNotExistFatal.

* If the caller does not explicitly set --hooks-dir-path, assume they
  won't mind if the hook directory is missing and set
  HooksDirNotExistFatal false.

We also considered checking for the directory's existence in the code
calling WithHooksDir or from within WithHooksDir, but checks there
would race with the underlying ioutil.ReadDir in the hooks package.
By pushing the warn/error decision down into libpod's implementation,
we avoid a racy "do we expect this to work once libpod gets to it?"
pre-check.

I've also added a check to error if WithHooksDir is called with an
empty-string argument, because we haven't defined the semantics of
that (is it clearing a previous value?  Is it effectively the same as
the current directory?).  I agree with Matthew that a separate
WithNoHooks, or a *string argument to WithHooks, or some such would be
a better API for clearing previous values [1].  But for now, I'm just
erroring out to fail early for callers who might otherwise be
surprised that libpod ignores empty-string HooksDir.

[1]: https://github.com/projectatomic/libpod/pull/686#issuecomment-385119370

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #686
Approved by: mheon
2018-05-11 16:26:35 +00:00
68eb128fb0 pkg/hooks: Version the hook structure and add 1.0.0 hooks
This shifts the matching logic out of libpod/container_internal and
into the hook package, where we can reuse it after vendoring into
CRI-O.  It also adds unit tests with almost-complete coverage.  Now
libpod is even more isolated from the hook internals, which makes it
fairly straightforward to bump the hook config file to 1.0.0.  I've
dubbed the old format 0.1.0, although it doesn't specify an explicit
version.  Motivation for some of my changes with 1.0.0:

* Add an explicit version field.  This will make any future JSON
  structure migrations more straightforward by avoiding the need for
  version-guessing heuristics.

* Collect the matching properties in a new When sub-structure.  This
  makes the root Hook structure easier to understand, because you
  don't have to read over all the matching properties when wrapping
  your head around Hook.

* Replace the old 'hook' and 'arguments' with a direct embedding of
  the runtime-spec's hook structure.  This provides access to
  additional upstream properties (args[0], env, and timeout) and
  avoids the complication of a CRI-O-specific analog structure.

* Add a 'when.always' property.  You can usually accomplish this
  effect in another way (e.g. when.commands = [".*"]), but having a
  boolean explicitly for this use-case makes for easier reading and
  writing.

* Replace the previous annotations array with an annotations map.  The
  0.1.0 approach matched only the values regardless of key, and that
  seems unreliable.

* Replace 'cmds' with 'when.commands', because while there are a few
  ways to abbreviate "commands", there's only one way to write it out
  in full ;).  This gives folks one less thing to remember when
  writing hook JSON.

* Replace the old "inject if any specified condition matches" with
  "inject if all specified conditions match".  This allows for more
  precise targeting.  Users that need more generous targeting can
  recover the previous behavior by creating a separate 1.0.0 hook file
  for each specified 0.1.0 condition.

I've added doc-compat support for the various pluralizations of the
0.1.0 properties.  Previously, the docs and code were not in
agreement.  More on this particular facet in [1].

I've updated the docs to point out that the annotations being matched
are the OCI config annotations.  This differs from CRI-O, where the
annotations used are the Kubernetes-supplied annotations [2,3].  For
example, io.kubernetes.cri-o.Volumes [4] is part of CRI-O's runtime
config annotations [5], but not part of the Kubernetes-supplied
annotations CRI-O uses for matching hooks.

The Monitor method supports the CRI-O use-case [6].  podman doesn't
need it directly, but CRI-O will need it when we vendor this package
there.

I've used nvidia-container-runtime-hook for the annotation examples
because Dan mentioned the Nvidia folks as the motivation behind
annotation matching.  The environment variables are documented in [7].
The 0.1.0 hook config, which does not allow for environment variables,
only works because runc currently leaks the host environment into the
hooks [8].  I haven't been able to find documentation for their usual
annotation trigger or hook-install path, so I'm just guessing there.

[1]: https://github.com/kubernetes-incubator/cri-o/pull/1235
[2]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L760
[3]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L772
[4]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/pkg/annotations/annotations.go#L97-L98
[5]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L830-L834
[6]: https://github.com/kubernetes-incubator/cri-o/pull/1345/
[7]: https://github.com/NVIDIA/nvidia-container-runtime/tree/v1.3.0-1#environment-variables-oci-spec
[8]: https://github.com/opencontainers/runc/pull/1738

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #686
Approved by: mheon
2018-05-11 16:26:35 +00:00
177c27e75d Do not error trying to remove cgroups that don't exist
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #507
Approved by: baude
2018-05-11 14:43:57 +00:00
c4c5c1a3e1 Remove parent cgroup we create with cgroupfs
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #507
Approved by: baude
2018-05-11 14:43:57 +00:00
853c5c41f1 Add --cgroup-manager flag to Podman binary
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #507
Approved by: baude
2018-05-11 14:43:57 +00:00
df83d361e4 Major fixes to systemd cgroup handling
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #507
Approved by: baude
2018-05-11 14:43:57 +00:00
15ca5f2687 Add validation for CGroup parents. Pass CGroups path into runc
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #507
Approved by: baude
2018-05-11 14:43:57 +00:00
522a7197a8 podman, userNS: configure an intermediate mount namespace
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #690
Approved by: mheon
2018-05-04 17:15:55 +00:00
73078fabcf networking, userNS: configure the network namespace after create
so that the OCI runtime creates the network namespace from the correct
userNS.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #690
Approved by: mheon
2018-05-04 17:15:55 +00:00
b51d737998 Begin wiring in USERNS Support into podman
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #690
Approved by: mheon
2018-05-04 17:15:55 +00:00
8dfebd4607 varlink containers
first pass at adding in the container related endpoints/methods for the libpod
backend. Couple of important notes:

* endpoints that can use a console are not going to be done until we have "remote" console
* several of the container methods should probably be able to stream as opposed to a one-off return

Signed-off-by: baude <bbaude@redhat.com>

Closes: #708
Approved by: baude
2018-05-03 17:31:33 +00:00
ab7e2a6956 Store user Volumes, Entrypoint, Command in database
We need these for commit, and they cannot be properly deduced
from just the OCI spec, so save them in the database so we can
retrieve them for commit.

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #700
Approved by: rhatdan
2018-05-03 12:23:12 +00:00
1ece5d3db7 Update hooks to use config bool to detect volume mounts
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #700
Approved by: rhatdan
2018-05-03 12:23:12 +00:00
6ac8a24db4 Add --default-mounts-file hidden flag
The hidden flag is used to override the path of the default mounts file
for testing purposes.
Also modified the secrets pkg to allow for this override to happen.

Signed-off-by: umohnani8 <umohnani@redhat.com>

Closes: #678
Approved by: mheon
2018-04-26 16:33:25 +00:00
cf41dc70b3 Modify --user flag for podman create and run
If an integer is passed into the --user flag, i.e --user=1234
don't look up the user in /etc/passwd, just assign the integer as the uid.

Signed-off-by: umohnani8 <umohnani@redhat.com>

Closes: #652
Approved by: mheon
2018-04-24 14:28:33 +00:00
57afb7514d Add FIPS mode secret
If the host is in FIPS mode and /etc/system-fips exists
/run/secrets/system-fips is created in the container so that
the container can run in FIPS mode as well.

Signed-off-by: umohnani8 <umohnani@redhat.com>
2018-04-23 13:17:12 -04:00
27107fdac1 Vendor in latest containers/image and contaners/storage
Made necessary changes to functions to include contex.Context wherever needed

Signed-off-by: umohnani8 <umohnani@redhat.com>

Closes: #640
Approved by: baude
2018-04-19 14:08:47 +00:00
94f20cdd00 - reverse host field order (ip goes first)
- fix host string split to permit IPv6

Signed-off-by: Nathan Williams <nath.e.will@gmail.com>

Closes: #635
Approved by: rhatdan
2018-04-18 10:58:24 +00:00
6c5ebb0315 Change container.locked to batched
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>

Closes: #619
Approved by: mheon
2018-04-16 15:18:38 +00:00
998fd2ece0 Functionality changes to the following flags
--group-add
	--blkio-weight-device
	--device-read-bps
	--device-write-bps
	--device-read-iops
	--device-write-iops

--group-add now supports group names as well as the gid associated with them.
All the --device flags work now with moderate changes to the code to support both
bps and iops.
Added tests for all the flags.

Signed-off-by: umohnani8 <umohnani@redhat.com>

Closes: #590
Approved by: mheon
2018-04-06 00:09:46 +00:00
fdcf633a33 Add hooks support to podman
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #155
Approved by: mheon
2018-04-05 14:13:49 +00:00
98b19aeb0c Refactor dependency checks from init() into public API
Instead of checking during init(), which could result in major
locking issues when used with pods, make our dependency checks in
the public API instead. This avoids doing them when we start pods
(where, because of the dependency graph, we can reasonably say
all dependencies are up before we start a container).

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #577
Approved by: rhatdan
2018-04-03 14:57:16 +00:00
489d977b22 Ensure dependencies are running before initializing containers
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #577
Approved by: rhatdan
2018-04-03 14:57:16 +00:00
0edfce5269 Change errorf to warnf in warning removing ctr storage
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #571
Approved by: rhatdan
2018-04-02 14:22:57 +00:00
4553f2914c More gracefully handle unexpected storage deletion
We have other tools using containers/storage. They can delete our
containers in c/storage without us knowing. Try and handle this
better by warning instead of erroring when delete our storage and
it is already gone.

This does not handle cases where libpod thinks the container is
mounted, but it is not. This is harder to check for, because
c/storage Mount() and Unmount() take a layer, image, or container
and that complicates our "container no longer exists" question.
Further work is needed here.

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #571
Approved by: rhatdan
2018-04-02 14:22:57 +00:00
8a96b4acbc Add secrets patch to podman
Adds support for mounting secrets especially on RHEL where the container
can use the host subsription to run yum

Signed-off-by: umohnani8 <umohnani@redhat.com>

Closes: #544
Approved by: rhatdan
2018-03-29 14:15:27 +00:00
c54816dfc3 Check for duplicate names when generating new container and pod names.
This fixes the situation where we fail to create a container when a name already exists.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #517
Approved by: baude
2018-03-29 01:55:20 +00:00
3f5da4d0dd Make container env variable conditional
Add only when it's not already present.

Add a more specific version in podman spec generation
so we get 'container=podman' not 'container=libpod'

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #540
Approved by: baude
2018-03-23 17:28:09 +00:00
8ca3bcc85d Add CONTAINER environment variable
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #533
Approved by: baude
2018-03-23 15:22:01 +00:00