unshare the mount namespace as well when creating an user namespace so
that we are the owner of the mount namespace and we can mount FUSE
file systems on Linux 4.18. Tested on Fedora Rawhide:
podman --storage-opt overlay.fuse_program=/usr/bin/fuse-overlayfs run alpine echo hello
hello
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This fixes a race condition where conmon is still writing the exit
file and the container is exiting.
Also we should not be ignoring the -a stdin flag if the user specifies
--interactive mode.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1086
Approved by: baude
This way ^c will actually kill the host process if the container is not
actually running.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1086
Approved by: baude
when pulling an image that includes a sha such as:
centos/nginx-112-centos7@sha256:42330f7f29ba1ad67819f4ff3ae2472f62de13a827a74736a5098728462212e7
the final image name in libpod should not contain portions of the sha itself nor the sha
identifier. and like docker, we provide a 'none' tag as well.
this should fix#877
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1085
Approved by: mheon
This is a refresh of Dan William's PR #974 with a rebase and proper
vendoring of ocicni and containernetworking/cni. It adds the ability
to define multiple networks as so:
podman run --network=net1,net2,foobar ...
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1082
Approved by: baude
podman rmi was deleting an image even if it was a parent of
another image. This fix just untags the image instead.
This also fixes podman rmi to remove intermediate images of
an image when the image is removed.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #1055
Approved by: mheon
when using the getattachsockets endpoint, which returns the sockets needed
to create and use a terminal, we should check if the container is just in the
configured state. if so, we need to perform a container init to have conmon
create the required sockets so we can attach to them prior to starting the container.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1067
Approved by: jwhonce
Make users of libpod more secure by adding the libpod/apparmor package
to load a pre-defined AppArmor profile. Large chunks of libpod/apparmor
come from github.com/moby/moby.
Also check if a specified AppArmor profile is actually loaded and throw
an error if necessary.
The default profile is loaded only on Linux builds with the `apparmor`
buildtag enabled.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1063
Approved by: rhatdan
use execvp instead of exec so that we keep the PATH environment
variable and the lookup for the "podman" executable works.
Closes: https://github.com/projectatomic/libpod/issues/1070
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1072
Approved by: mheon
Add the actual argument, not the one we're looking for when searching
the to-be-translated short-opt string. Otherwise, we're likely to hit
an infinite loop.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1066
Approved by: rhatdan
podman now supports --volumes-from flag, which allows users
to add all the volumes an existing container has to a new one.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #931
Approved by: mheon
We added the explicit int64 casts for 32-bit builds in 35e1ad78 (Make
libpod build on 32-bit systems, 2018-02-12, #324), but the explicit
casts work fine on 64-bit systems too.
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1058
Approved by: mheon
This removes some boilerplate from the libpod package, so we can focus
on container stuff there. And it gives us a tidy sub-package for
focusing on ctime extraction, so we can focus on unit testing and
portability of the extraction utility there.
For the unsupported implementation, I'm falling back to Go's ModTime
[1]. That's obviously not the creation time, but it's likely to be
closer than the uninitialized Time structure from cc6f0e85 (more
changes to compile darwin, 2018-07-04, #1047). Especially for our use
case in libpod/oci, where we're looking at write-once exit files.
The test is more complicated than I initially expected, because on
Linux filesystem timestamps come from a truncated clock without
interpolation [2] (and network filesystems can be completely decoupled
[3]). So even for local disks, creation times can be up to a jiffie
earlier than 'before'. This test ensures at least monotonicity by
creating two files and ensuring the reported creation time for the
second is greater than or equal to the reported creation time for the
first. It also checks that both creation times are within the window
from one second earlier than 'before' through 'after'. That should be
enough of a window for local disks, even if the kernel for those
systems has an abnormally large jiffie. It might be ok on network
filesystems, although it will not be very resilient to network clock
lagging behind the local system clock.
[1]: https://golang.org/pkg/os/#FileInfo
[2]: https://groups.google.com/d/msg/linux.kernel/mdeXx2TBYZA/_4eJEuJoAQAJ
Subject: Re: Apparent backward time travel in timestamps on file creation
Date: Thu, 30 Mar 2017 20:20:02 +0200
Message-ID: <tqMPU-1Sb-21@gated-at.bofh.it>
[3]: https://groups.google.com/d/msg/linux.kernel/mdeXx2TBYZA/cTKj4OBuAQAJ
Subject: Re: Apparent backward time travel in timestamps on file creation
Date: Thu, 30 Mar 2017 22:10:01 +0200
Message-ID: <tqOyl-36A-1@gated-at.bofh.it>
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1050
Approved by: mheon
if we snip the requirement to use a buildah const in the libpod image library,
we can save something on the order of 85 vendored files in consumers of the
the library.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1054
Approved by: mheon
Use a single function startAttachCtr() to handle both container start
with attach and attach to running containers, as the code handling the
attach is common for the 2 use cases.
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Closes: #1025
Approved by: rhatdan
Originally, it seemed like a good idea to place Conmon and the
container it managed under a shared CGroup, so we could manage
the two together. It's become increasingly clear that this is a
potential performance sore point, gains us little practical
benefit in managing Conmon, and adds extra steps to container
cleanup that interfere with Conmon postrun hooks.
Revert back to a shared CGroup for conmon processes under the
CGroup parent. This will retain per-pod conmon CGroups as well if
the pod is set to create a CGroup and act as CGroup parent for
its containers.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1051
Approved by: umohnani8
b96be3af (changes to allow for darwin compilation, 2018-06-20, #1015)
made AddPrivilegedDevices per-platform and cc6f0e85 (more changes to
compile darwin, 2018-07-04, #1047) made CreateBlockIO per-platform.
But both left but left out docs for the unsupported version [1]:
pkg/spec/config_unsupported.go:18:1⚠️ exported method
CreateConfig.AddPrivilegedDevices should have comment or be
unexported (golint)
pkg/spec/config_unsupported.go:22:1⚠️ exported method
CreateConfig.CreateBlockIO should have comment or be unexported
(golint)
To keep the docs DRY, I've restored the public methods and their docs,
and I've added new, internal methods for the per-platform
implementations.
[1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L160
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1034
Approved by: baude
b96be3af (changes to allow for darwin compilation, 2018-06-20, #1015)
made RemovePod per-platform, but left out docs for the unsupported
version [1]:
libpod/runtime_pod_unsupported.go:14:1⚠️ exported method
Runtime.RemovePod should have comment or be unexported (golint)
To keep the docs DRY, I've restored RemovePod and its docs to their
previous location, and named a new, internal removePod for the
per-platform implementations.
[1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L159
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1034
Approved by: baude
