Need to get some small changes into libpod to pull back into buildah
to complete buildah transition.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1270
Approved by: mheon
Currently we add mounts from images, volumes and internal.
We can accidently over mount an existing mount. This patch sorts the mounts
to make sure a parent directory is always mounted before its content.
Had to change the default propagation on image volume mounts from shared
to private to stop mount points from leaking out of the container.
Also switched from using some docker/docker/pkg to container/storage/pkg
to remove some dependencies on Docker.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1243
Approved by: mheon
podman umount will currently only unmount file system if not other
process is using it, otherwise the umount decrements the container
storage to indicate that the caller is no longer using the mount
point, once the count gets to 0, the file system is actually unmounted.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1184
Approved by: TomSweeneyRedHat
refresh() is the only major command we had that did not perform a
sync before running, and thus was not guaranteed to pick up a
good copy of the state. Fix this by updating the state before a
refresh().
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1186
Approved by: rhatdan
Moved contents of RestartWithTimeout to restartWithTimeout in container_internal to be able to call restart without locking in function.
Refactored startNode to be able to either start or restart a node.
Built pod Restart() with new startNode with refresh true.
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1152
Approved by: rhatdan
Currently we unmount storage that is still in use.
We should not be unmounting storeage that we mounted
via a different command or by podman mount. This
change relies on containers/storage to umount keep track of
how many times the storage was mounted before really unmounting
it from the system.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
vendor in containers/storage
vendor in containers/image
vendor in projectatomic/buildah
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1114
Approved by: mheon
Use this to supplement exit codes returned from containers, to
make sure we know when exit codes are invalid (as the container
has not yet exited)
Signed-off-by: Matthew Heon <mheon@redhat.com>
This is a refresh of Dan William's PR #974 with a rebase and proper
vendoring of ocicni and containernetworking/cni. It adds the ability
to define multiple networks as so:
podman run --network=net1,net2,foobar ...
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1082
Approved by: baude
podman now supports --volumes-from flag, which allows users
to add all the volumes an existing container has to a new one.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #931
Approved by: mheon
Originally, it seemed like a good idea to place Conmon and the
container it managed under a shared CGroup, so we could manage
the two together. It's become increasingly clear that this is a
potential performance sore point, gains us little practical
benefit in managing Conmon, and adds extra steps to container
cleanup that interfere with Conmon postrun hooks.
Revert back to a shared CGroup for conmon processes under the
CGroup parent. This will retain per-pod conmon CGroups as well if
the pod is set to create a CGroup and act as CGroup parent for
its containers.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1051
Approved by: umohnani8
this should represent the last major changes to get darwin to **compile**. again,
the purpose here is to get darwin to compile so that we can eventually implement a
ci task that would protect against regressions for darwin compilation.
i have left the manual darwin compilation largely static still and in fact now only
interject (manually) two build tags to assist with the build. trevor king has great
ideas on how to make this better and i will defer final implementation of those
to him.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1047
Approved by: rhatdan
The destination path of the built-in volume was not being created
but a relabel was being attempted on it, this was causing issues
with all images that have built-in volumes.
This patch fixes that and ensures the destination volume path
is created.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #1026
Approved by: mheon
When we run containers in detach mode, nothing cleans up the network stack or
the mount points. This patch will tell conmon to execute the cleanup code when
the container exits.
It can also be called to attempt to cleanup previously running containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #942
Approved by: mheon
Catching up with opencontainers/runtime-tools@84a62c6a (generate: Move
Generator.spec to Generator.Config, 2016-11-06, #266, v0.6.0), now
that we've bumped runtime-tools in f6c0fc1a (Vendor in latest
runtime-tools, 2018-06-26, #1007).
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1008
Approved by: mheon
When running podman as non root user always create an userNS and let
the OCI runtime use it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #936
Approved by: rhatdan
The Refresh() function is used to reset a container's state after
a database format change to state is made that requires migration
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #981
Approved by: baude
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
- Set srcPath permissions so that the container user can R/W it.
- Fix uninitialized spec.Mount when restarting a container.
- Check for srcPath instead of volumePath existence when setting up a
volume mount point for a container.
- Set the overlay volumePath with the same owner and permissions as
srcPath to allow proper access by the container user.
Closes#844Closes: #951
Approved by: rhatdan
Ensure we can identify what hook is running so we can tell which
are erroring.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #960
Approved by: rhatdan
The containernetworking/plugins ns package does not support
unmounting and removing namespaces that were opened by another
process. Work around this by doing it ourself.
Closes: #858
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #949
Approved by: rhatdan
Attempt to cleanup as much of the container as possible, even if one
of the cleanup stages fails.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #895
Approved by: mheon
Currently we are dropping the command entry from the create
line and using the image Cmd. This change will only use the
image Cmd if the user did not specify a Cmd.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #823
Approved by: umohnani8
Instead of manually calling the individual functions that cleanup
uses to tear down a container's resources, just call the cleanup
function to make sure that cleanup only needs to happen in one
place.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #790
Approved by: rhatdan
When we're given a numeric --user value, default to GID 0 if the numeric
ID doesn't correspond to a user entry in /etc/passwd that can provide us
with the user's primary group ID.
Make sure that GetAdditionalGroupsForUser() returns wrapped errors.
Also test various user:group forms.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #728
Approved by: mheon
Allow containers that no longer exist in storage to be evicted
from the state instead of erroring.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #764
Approved by: rhatdan
And add an argument to WithHooksDir to set it.
If the hook dir doesn't exist, the new hooks package considers that a
fatal error. When a podman caller sets
--hooks-dir-path=/some/typoed/directory, a fatal error is more helpful
than silently not loading any hooks. However, callers who call podman
without setting --hooks-dir-path may not need hooks at all. We don't
want to pester those callers with not-exist errors. With this commit,
we:
* Assume the caller knows what they're doing if they set
--hooks-dir-path and set HooksDirNotExistFatal.
* If the caller does not explicitly set --hooks-dir-path, assume they
won't mind if the hook directory is missing and set
HooksDirNotExistFatal false.
We also considered checking for the directory's existence in the code
calling WithHooksDir or from within WithHooksDir, but checks there
would race with the underlying ioutil.ReadDir in the hooks package.
By pushing the warn/error decision down into libpod's implementation,
we avoid a racy "do we expect this to work once libpod gets to it?"
pre-check.
I've also added a check to error if WithHooksDir is called with an
empty-string argument, because we haven't defined the semantics of
that (is it clearing a previous value? Is it effectively the same as
the current directory?). I agree with Matthew that a separate
WithNoHooks, or a *string argument to WithHooks, or some such would be
a better API for clearing previous values [1]. But for now, I'm just
erroring out to fail early for callers who might otherwise be
surprised that libpod ignores empty-string HooksDir.
[1]: https://github.com/projectatomic/libpod/pull/686#issuecomment-385119370
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #686
Approved by: mheon
This shifts the matching logic out of libpod/container_internal and
into the hook package, where we can reuse it after vendoring into
CRI-O. It also adds unit tests with almost-complete coverage. Now
libpod is even more isolated from the hook internals, which makes it
fairly straightforward to bump the hook config file to 1.0.0. I've
dubbed the old format 0.1.0, although it doesn't specify an explicit
version. Motivation for some of my changes with 1.0.0:
* Add an explicit version field. This will make any future JSON
structure migrations more straightforward by avoiding the need for
version-guessing heuristics.
* Collect the matching properties in a new When sub-structure. This
makes the root Hook structure easier to understand, because you
don't have to read over all the matching properties when wrapping
your head around Hook.
* Replace the old 'hook' and 'arguments' with a direct embedding of
the runtime-spec's hook structure. This provides access to
additional upstream properties (args[0], env, and timeout) and
avoids the complication of a CRI-O-specific analog structure.
* Add a 'when.always' property. You can usually accomplish this
effect in another way (e.g. when.commands = [".*"]), but having a
boolean explicitly for this use-case makes for easier reading and
writing.
* Replace the previous annotations array with an annotations map. The
0.1.0 approach matched only the values regardless of key, and that
seems unreliable.
* Replace 'cmds' with 'when.commands', because while there are a few
ways to abbreviate "commands", there's only one way to write it out
in full ;). This gives folks one less thing to remember when
writing hook JSON.
* Replace the old "inject if any specified condition matches" with
"inject if all specified conditions match". This allows for more
precise targeting. Users that need more generous targeting can
recover the previous behavior by creating a separate 1.0.0 hook file
for each specified 0.1.0 condition.
I've added doc-compat support for the various pluralizations of the
0.1.0 properties. Previously, the docs and code were not in
agreement. More on this particular facet in [1].
I've updated the docs to point out that the annotations being matched
are the OCI config annotations. This differs from CRI-O, where the
annotations used are the Kubernetes-supplied annotations [2,3]. For
example, io.kubernetes.cri-o.Volumes [4] is part of CRI-O's runtime
config annotations [5], but not part of the Kubernetes-supplied
annotations CRI-O uses for matching hooks.
The Monitor method supports the CRI-O use-case [6]. podman doesn't
need it directly, but CRI-O will need it when we vendor this package
there.
I've used nvidia-container-runtime-hook for the annotation examples
because Dan mentioned the Nvidia folks as the motivation behind
annotation matching. The environment variables are documented in [7].
The 0.1.0 hook config, which does not allow for environment variables,
only works because runc currently leaks the host environment into the
hooks [8]. I haven't been able to find documentation for their usual
annotation trigger or hook-install path, so I'm just guessing there.
[1]: https://github.com/kubernetes-incubator/cri-o/pull/1235
[2]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L760
[3]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L772
[4]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/pkg/annotations/annotations.go#L97-L98
[5]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L830-L834
[6]: https://github.com/kubernetes-incubator/cri-o/pull/1345/
[7]: https://github.com/NVIDIA/nvidia-container-runtime/tree/v1.3.0-1#environment-variables-oci-spec
[8]: https://github.com/opencontainers/runc/pull/1738
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #686
Approved by: mheon