127 Commits

Author SHA1 Message Date
8f6a0243f4 podman diff accept two images or containers
First, make podman diff accept optionally a second argument. This allows
the user to specify a second image/container to compare the first with.
If it is not set the parent layer will be used as before.

Second, podman container diff should only use containers and podman
image diff should only use images. Previously, podman container diff
would use the image when both an image and container with this name
exists.

To make this work two new parameters have been added to the api. If they
are not used the previous behaviour is used. The same applies to the
bindings.

Fixes #10649

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2021-07-02 17:11:56 +02:00
3f3feaa015 Merge pull request #10716 from cdoern/podFlags
Podman Pod Create --cpus and --cpuset-cpus flags
2021-06-23 15:51:29 -04:00
bbd085ad1e Podman Pod Create --cpus and --cpuset-cpus flags
Added logic and handling for two new Podman pod create Flags.

--cpus specifies the total number of cores on which the pod can execute, this
is a combination of the period and quota for the CPU.

 --cpuset-cpus is a string value which determines of these available cores,
how many we will truly execute on.

Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
2021-06-23 13:47:57 -04:00
f26fa53921 Podman Stats additional features
added Avg Cpu calculation and CPU up time to podman stats. Adding different feature sets in different PRs, CPU first.

resolves #9258

Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
2021-06-23 09:23:40 -04:00
a6f0ac229f Merge pull request #10436 from rhatdan/errors
Improve OCI Runtime error
2021-05-24 19:17:29 +02:00
2f5552c32d Podman info add support for status of cgroup controllers
Signed-off-by: flouthoc <flouthoc.git@gmail.com>
2021-05-24 16:55:23 +05:30
4c095aa7e2 Improve OCI Runtime error
ErrOCIRuntimeNotFound error is misleading. Try to make it more
understandable to the user that the OCI Runtime IE crun or runc is not
missing, but the command they attempted to run within the container is
missing.

[NO TESTS NEEDED] Regular tests should handle this.

Fixes: https://github.com/containers/podman/issues/10432

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-05-22 04:58:48 -04:00
9a9118b831 Merge pull request #10366 from ashley-cui/secretoptions
Support uid,gid,mode options for secrets
2021-05-17 16:24:20 -04:00
cf30f160ad Support uid,gid,mode options for secrets
Support UID, GID, Mode options for mount type secrets. Also, change
default secret permissions to 444 so all users can read secret.

Signed-off-by: Ashley Cui <acui@redhat.com>
2021-05-17 14:35:55 -04:00
4462113c5e podman network reload add rootless support
Allow podman network reload to be run as rootless user. While it is
unlikely that the iptable rules are flushed inside the rootless cni
namespace, it could still happen. Also fix podman network reload --all
to ignore errors when a container does not have the bridge network mode,
e.g. slirp4netns.

Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
2021-05-17 10:55:02 +02:00
8ad40a85d5 Add host.serviceIsRemote to podman info results
Developers asked for a deterministic field to verify if podman is
running via API or linked directly to libpod library.

$ podman info --format '{{.Host.ServiceIsRemote}}'
false
$ podman-remote info --format '{{.Host.ServiceIsRemote}}'
true
$ podman --remote info --format '{{.Host.ServiceIsRemote}}'
true

* docs/conf.py formatted via black

Signed-off-by: Jhon Honce <jhonce@redhat.com>
2021-05-10 14:13:15 -07:00
efdc7d8465 Add restart-policy to container filters & --filter to podman start
Signed-off-by: Boaz Shuster <boaz.shuster.github@gmail.com>
2021-05-06 14:35:15 +03:00
0d1ebc180e codespell cleanup
[NO TESTS NEEDED] This is just running codespell on podman

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-05-05 15:50:59 -04:00
0f7d54b026 migrate Podman to containers/common/libimage
Migrate the Podman code base over to `common/libimage` which replaces
`libpod/image` and a lot of glue code entirely.

Note that I tried to leave bread crumbs for changed tests.

Miscellaneous changes:

 * Some errors yield different messages which required to alter some
   tests.

 * I fixed some pre-existing issues in the code.  Others were marked as
   `//TODO`s to prevent the PR from exploding.

 * The `NamesHistory` of an image is returned as is from the storage.
   Previously, we did some filtering which I think is undesirable.
   Instead we should return the data as stored in the storage.

 * Touched handlers use the ABI interfaces where possible.

 * Local image resolution: previously Podman would match "foo" on
   "myfoo".  This behaviour has been changed and Podman will now
   only match on repository boundaries such that "foo" would match
   "my/foo" but not "myfoo".  I consider the old behaviour to be a
   bug, at the very least an exotic corner case.

 * Futhermore, "foo:none" does *not* resolve to a local image "foo"
   without tag anymore.  It's a hill I am (almost) willing to die on.

 * `image prune` prints the IDs of pruned images.  Previously, in some
   cases, the names were printed instead.  The API clearly states ID,
   so we should stick to it.

 * Compat endpoint image removal with _force_ deletes the entire not
   only the specified tag.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-05-05 11:30:12 +02:00
18cb17ffeb Use seccomp_profile as default profile if defined in containers.conf
Edits `podman info` to provide the default seccomp profile
detected in the output

Signed-off-by: Pablo Correa Gómez <ablocorrea@hotmail.com>
2021-04-28 15:19:48 +02:00
3538815c5b Add podman run --timeout option
This option allows users to specify the maximum amount of time to run
before conmon sends the kill signal to the container.

Fixes: https://github.com/containers/podman/issues/6412

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-04-23 11:18:05 -04:00
9c8277247d Fixes from make codespell
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-04-21 13:16:33 -04:00
41677b192a Merge pull request #8979 from haircommander/full-attach-path
Use full attach path, rather than a symlink
2021-04-21 05:25:19 -04:00
a1002beb78 fix start it
Signed-off-by: chenkang <kongchen28@gmail.com>
2021-04-17 23:35:27 +08:00
b963a5eb4a add pidfile in inspection
Signed-off-by: chenkang <kongchen28@gmail.com>
2021-04-17 20:56:08 +08:00
b2c6663a9f runtime: return findConmon to libpod
I believe moving the conmon probing code to c/common wasn't the best strategy.
Different container engines have different requrements of which conmon version is required
(based on what flags they use).

Signed-off-by: Peter Hunt <pehunt@redhat.com>
2021-04-16 17:45:52 -04:00
6acd265306 Add --requires flag to podman run/create
Podman has, for a long time, had an internal concept of
dependency management, used mainly to ensure that pod infra
containers are started before any other container in the pod. We
also have the ability to recursively start these dependencies,
which we use to ensure that `podman start` on a container in a
pod will not fail because the infra container is stopped. We have
not, however, exposed these via the command line until now.

Add a `--requires` flag to `podman run` and `podman create` to
allow users to manually specify dependency containers. These
containers must be running before the container will start. Also,
make recursive starting with `podman start` default so we can
start these containers and their dependencies easily.

Fixes #9250

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2021-04-06 14:01:31 -04:00
57e8c66322 Do not leak libpod package into the remote client
Some packages used by the remote client imported the libpod package.
This is not wanted because it adds unnecessary bloat to the client and
also causes problems with platform specific code(linux only), see #9710.

The solution is to move the used functions/variables into extra packages
which do not import libpod.

This change shrinks the remote client size more than 6MB compared to the
current master.

[NO TESTS NEEDED]
I have no idea how to test this properly but with #9710 the cross
compile should fail.

Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
2021-03-15 14:02:04 +01:00
e4da5096ba separate file with mount consts in libpod/define
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
2021-03-07 12:01:04 +01:00
05080a12a9 Merge pull request #9593 from vrothberg/cp-tmp
podman cp: support copying on tmpfs mounts
2021-03-05 03:57:17 -05:00
a090301bbb podman cp: support copying on tmpfs mounts
Traditionally, the path resolution for containers has been resolved on
the *host*; relative to the container's mount point or relative to
specified bind mounts or volumes.

While this works nicely for non-running containers, it poses a problem
for running ones.  In that case, certain kinds of mounts (e.g., tmpfs)
will not resolve correctly.  A tmpfs is held in memory and hence cannot
be resolved relatively to the container's mount point.  A copy operation
will succeed but the data will not show up inside the container.

To support these kinds of mounts, we need to join the *running*
container's mount namespace (and PID namespace) when copying.

Note that this change implies moving the copy and stat logic into
`libpod` since we need to keep the container locked to avoid race
conditions.  The immediate benefit is that all logic is now inside
`libpod`; the code isn't scattered anymore.

Further note that Docker does not support copying to tmpfs mounts.

Tests have been extended to cover *both* path resolutions for running
and created containers.  New tests have been added to exercise the
tmpfs-mount case.

For the record: Some tests could be improved by using `start -a` instead
of a start-exec sequence.  Unfortunately, `start -a` is flaky in the CI
which forced me to use the more expensive start-exec option.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-03-04 15:43:12 +01:00
f86d641308 Use version package to track all versions
* Server, bindings, and CLI all now pull version information from version
package.
* Current /libpod API version slaved to podman/libpod Version
* Bindings validate against libpod API Minimal version
* Remove pkg/bindings/bindings.go and updated tests

Fixes: #9207

Signed-off-by: Jhon Honce <jhonce@redhat.com>
2021-03-03 17:03:19 -07:00
24d9bda7ff prune remotecommand dependency
prune a dependency that was only being used for a simple struct.  Should
correct checksum issue on tarballs

[NO TESTS NEEDED]

Fixes: #9355

Signed-off-by: baude <bbaude@redhat.com>
2021-02-25 10:02:41 -06:00
5dded6fae7 bump go module to v3
We missed bumping the go module, so let's do it now :)

* Automated go code with github.com/sirkon/go-imports-rename
* Manually via `vgrep podman/v2` the rest

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-02-22 09:03:51 +01:00
5ccb1596b4 Display correct value for unlimited ulimit
When doing a container inspect on a container with unlimited ulimits,
the value should be -1.  But because the OCI spec requires the ulimit
value to be uint64, we were displaying the inspect values as a uint64 as
well.  Simple change to display as an int64.

Fixes: #9303

Signed-off-by: baude <bbaude@redhat.com>
2021-02-10 14:17:58 -06:00
832a69b0be Implement Secrets
Implement podman secret create, inspect, ls, rm
Implement podman run/create --secret
Secrets are blobs of data that are sensitive.
Currently, the only secret driver supported is filedriver, which means creating a secret stores it in base64 unencrypted in a file.
After creating a secret, a user can use the --secret flag to expose the secret inside the container at /run/secrets/[secretname]
This secret will not be commited to an image on a podman commit

Signed-off-by: Ashley Cui <acui@redhat.com>
2021-02-09 09:13:21 -05:00
05444cb2cc Fix per review request
Signed-off-by: Matej Vasek <mvasek@redhat.com>
2021-02-04 18:30:07 +01:00
b53cb57680 Initial implementation of volume plugins
This implements support for mounting and unmounting volumes
backed by volume plugins. Support for actually retrieving
plugins requires a pull request to land in containers.conf and
then that to be vendored, and as such is not yet ready. Given
this, this code is only compile tested. However, the code for
everything past retrieving the plugin has been written - there is
support for creating, removing, mounting, and unmounting volumes,
which should allow full functionality once the c/common PR is
merged.

A major change is the signature of the MountPoint function for
volumes, which now, by necessity, returns an error. Named volumes
managed by a plugin do not have a mountpoint we control; instead,
it is managed entirely by the plugin. As such, we need to cache
the path in the DB, and calls to retrieve it now need to access
the DB (and may fail as such).

Notably absent is support for SELinux relabelling and chowning
these volumes. Given that we don't manage the mountpoint for
these volumes, I am extremely reluctant to try and modify it - we
could easily break the plugin trying to chown or relabel it.

Also, we had no less than *5* separate implementations of
inspecting a volume floating around in pkg/infra/abi and
pkg/api/handlers/libpod. And none of them used volume.Inspect(),
the only correct way of inspecting volumes. Remove them all and
consolidate to using the correct way. Compat API is likely still
doing things the wrong way, but that is an issue for another day.

Fixes #4304

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2021-01-14 15:35:33 -05:00
a1b49749af Merge pull request #8906 from vrothberg/fix-8501
container stop: release lock before calling the runtime
2021-01-14 13:37:16 -05:00
d54478d8ea container stop: release lock before calling the runtime
Podman defers stopping the container to the runtime, which can take some
time.  Keeping the lock while waiting for the runtime to complete the
stop procedure, prevents other commands from acquiring the lock as shown
in #8501.

To improve the user experience, release the lock before invoking the
runtime, and re-acquire the lock when the runtime is finished.  Also
introduce an intermediate "stopping" to properly distinguish from
"stopped" containers etc.

Fixes: #8501
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-01-14 17:45:30 +01:00
265ec914d3 Merge pull request #8950 from mheon/exorcise_driver
Exorcise Driver code from libpod/define
2021-01-12 14:02:32 -05:00
befd40b57d Exorcise Driver code from libpod/define
The libpod/define code should not import any large dependencies,
as it is intended to be structures and definitions only. It
included the libpod/driver package for information on the storage
driver, though, which brought in all of c/storage. Split the
driver package so that define has the struct, and thus does not
need to import Driver. And simplify the driver code while we're
at it.

Signed-off-by: Matthew Heon <mheon@redhat.com>
2021-01-12 11:48:53 -05:00
020abbfeab Expose security attribute errors with their own messages
This creates error objects for runtime errors that might come from the
runtime. Thus, indicating to users that the place to debug should be in
the security attributes of the container.

When creating a container with a SELinux label that doesn't exist, we
get a fairly cryptic error message:

```
$ podman run --security-opt label=type:my_container.process -it fedora bash
Error: OCI runtime error: write file `/proc/thread-self/attr/exec`: Invalid argument
```

This instead handles any errors coming from LSM's `/proc` API and
enhances the error message with a relevant indicator that it's related
to the container's security attributes.

A sample run looks as follows:

```
$ bin/podman run --security-opt label=type:my_container.process -it fedora bash
Error: `/proc/thread-self/attr/exec`: OCI runtime error: unable to assign security attribute
```

With `debug` log level enabled it would be:

```
Error: write file `/proc/thread-self/attr/exec`: Invalid argument: OCI runtime error: unable to assign security attribute
```

Note that these errors wrap ErrOCIRuntime, so it's still possible to to
compare these errors with `errors.Is/errors.As`.

One advantage of this approach is that we could start handling these
errors in a more efficient manner in the future.

e.g. If a SELinux label doesn't exist (yet), we could retry until it
becomes available.

Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>
2021-01-12 16:10:17 +02:00
4fa1fce930 Spelling
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
2020-12-22 13:34:31 -05:00
04b43ccf64 Add Security information to podman info
When debugging issues, it would be helpful to know the
security settings of the system running into the problem.
Adding security info to `podman info` is also useful to users.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-12-22 08:13:14 -05:00
e42d920ebf Add LogSize to container inspect
Other log options are available so we need to add ability to look
up LogSize.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-12-15 17:22:06 -05:00
a3e0b7d117 add network connect|disconnect compat endpoints
this enables the ability to connect and disconnect a container from a
given network. it is only for the compatibility layer. some code had to
be refactored to avoid circular imports.

additionally, tests are being deferred temporarily due to some
incompatibility/bug in either docker-py or our stack.

Signed-off-by: baude <bbaude@redhat.com>
2020-11-19 08:16:19 -06:00
76a38fc3f2 Fix podman pod inspect show wrong MAC string
Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
2020-11-18 18:06:06 +08:00
8d56eb5342 Add support for network connect / disconnect to DB
Convert the existing network aliases set/remove code to network
connect and disconnect. We can no longer modify aliases for an
existing network, but we can add and remove entire networks. As
part of this, we need to add a new function to retrieve current
aliases the container is connected to (we had a table for this
as of the first aliases PR, but it was not externally exposed).

At the same time, remove all deconflicting logic for aliases.
Docker does absolutely no checks of this nature, and allows two
containers to have the same aliases, aliases that conflict with
container names, etc - it's just left to DNS to return all the
IP addresses, and presumably we round-robin from there? Most
tests for the existing code had to be removed because of this.

Convert all uses of the old container config.Networks field,
which previously included all networks in the container, to use
the new DB table. This ensures we actually get an up-to-date list
of in-use networks. Also, add network aliases to the output of
`podman inspect`.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-11-11 16:37:54 -05:00
4fb7378ee4 Merge pull request #8156 from mheon/add_net_aliases_db
Add network aliases for containers to DB
2020-11-04 16:53:49 +01:00
228396a99d Merge pull request #8174 from rhatdan/errors
Podman often reports OCI Runtime does not exist, even if it does
2020-10-29 22:21:17 +01:00
7485005206 Merge pull request #8178 from rhatdan/exists
NewFromLocal can return multiple images
2020-10-29 17:04:05 +01:00
0f191ad72c Podman often reports OCI Runtime does not exist, even if it does
When the OCI Runtime tries to set certain settings in cgroups
it can get the error "no such file or directory",  the wrapper
ends up reporting a bogus error like:

```
 Request Failed(Internal Server Error): open io.max: No such file or directory: OCI runtime command not found error
{"cause":"OCI runtime command not found error","message":"open io.max: No such file or directory: OCI runtime command not found error","response":500}
```

On first reading of this, you would think the OCI Runtime (crun or runc) were not found.  But the error is actually reporting

message":"open io.max: No such file or directory

Which is what we want the user to concentrate on.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-10-29 06:19:21 -04:00
99d3e2e9d7 NewFromLocal can return multiple images
If you use additional stores and pull the same image into
writable stores, you can end up with the situation where
you have the same image twice. This causes image exists
to return the wrong error.  It should return true in this
situation rather then an error.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-10-28 16:02:53 -04:00
6af7e54463 Add network aliases for containers to DB
This adds the database backend for network aliases. Aliases are
additional names for a container that are used with the CNI
dnsname plugin - the container will be accessible by these names
in addition to its name. Aliases are allowed to change over time
as the container connects to and disconnects from networks.

Aliases are implemented as another bucket in the database to
register all aliases, plus two buckets for each container (one to
hold connected CNI networks, a second to hold its aliases). The
aliases are only unique per-network, to the global and
per-container aliases buckets have a sub-bucket for each CNI
network that has aliases, and the aliases are stored within that
sub-bucket. Aliases are formatted as alias (key) to container ID
(value) in both cases.

Three DB functions are defined for aliases: retrieving current
aliases for a given network, setting aliases for a given network,
and removing all aliases for a given network.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-10-27 14:17:41 -04:00