Before, we were using -1 as a bogus value in podman to signify something went wrong when reading from a conmon pipe. However, conmon uses negative values to indicate the runtime failed, and return the runtime's exit code.
instead, we should use a bogus value that is actually bogus. Define that value in the define package as MinInt32 (-1<< 31 - 1), which is outside of the range of possible pids (-1 << 31)
Signed-off-by: Peter Hunt <pehunt@redhat.com>
Before, we were getting the exit code from the file, in which we waited an arbitrary amount of time (5 seconds) for the file, and segfaulted if we didn't find it. instead, we should be a bit more certain conmon has sent the exit code. Luckily, it sends the exit code along the sync pipe fd, so we can read it from there
Adapt the ExecContainer interface to pass along a channel to get the pid and exit code from conmon, to be able to read both from the pipe
Signed-off-by: Peter Hunt <pehunt@redhat.com>
This patch allows users to specify the list of capabilities required
to run their container image.
Setting a image/container label "io.containers.capabilities=setuid,setgid"
tells podman that the contained image should work fine with just these two
capabilties, instead of running with the default capabilities, podman will
launch the container with just these capabilties.
If the user or image specified capabilities that are not in the default set,
the container will print an error message and will continue to run with the
default capabilities.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Until now, we've been validating every part of container
configuration through the With... functions that set the options.
This if fine when we are just validating the options to an
individual function, but things get complicated once we need to
validate conflicts between different options. We don't know the
order in which things were passed, so we need the validation on
both of the potential options that can conflict, resulting in
significant code duplication. To solve this, add a validate()
function for containers, and use this to check whether everything
is in a good state.
We can probably move more into this function (there are other
parts of container creation that also do validation of a sort)
but this is a good start to simplifying our options.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Modify the pod inspect bindings to hold current pod status.
Includes test to validate on pod status and added test to check
no or few pods are pruned,if the pods are in exited state.
Signed-off-by: Sujil02 <sushah@redhat.com>
This corrects a regression from Podman 1.4.x where container exec
sessions inherited supplemental groups from the container, iff
the exec session did not specify a user.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
added the ability to wait on a condition (stopped, running, paused...) for a container. if a condition is not provided, wait will default to the stopped condition which uses the original wait code paths. if the condition is stopped, the container exit code will be returned.
also, correct a mux issue we discovered.
Signed-off-by: Brent Baude <bbaude@redhat.com>
add binding tests for volumes: inspect(get), create, remove, prune, and list
implement filters ability for volumes
Signed-off-by: Brent Baude <bbaude@redhat.com>
When inspecting containers, info on CNI networks added to the
container by name (e.g. --net=name1) should be displayed
separately from the configuration of the default network, in a
separate map called Networks.
This patch adds this separation, improving our Docker
compatibility and also adding the ability to see if a container
has more than one IPv4 and IPv6 address and more than one MAC
address.
Fixes#4907
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
We can easily tell if we're going to deadlock by comparing lock
IDs before actually taking the lock. Add a few checks for this in
common places where deadlocks might occur.
This does not yet cover pod operations, where detection is more
difficult (and costly) due to the number of locks being involved
being higher than 2.
Also, add some error wrapping on the Podman side, so we can tell
people to use `system renumber` when it occurs.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Before Libpod supported named volumes, we approximated image
volumes by bind-mounting in per-container temporary directories.
This was handled by Libpod, and had a corresponding database
entry to enable/disable it.
However, when we enabled named volumes, we completely rewrote the
old implementation; none of the old bind mount implementation
still exists, save one flag in the database. With nothing
remaining to use it, it has no further purpose.
Signed-off-by: Matthew Heon <mheon@redhat.com>
in cases where the log file exceeds the available memory of a system, we had a bug that triggered an oom because the entire logfile was being read when the tail parameter was given. this reads in chunks and is more or less memory safe.
fixes: #5131
Signed-off-by: Brent Baude <bbaude@redhat.com>
Looks like a bit of a misunderstanding from early on.
Docker implements --filter=since=IMAGE. Podman implements 'after'
instead of 'since'. Add an equivalent case statement to handle
both, keeping 'after' because we have no way of knowing if it
is used in the field.
Update documentation ... and fix what looks like a complete
misinterpretation of what the code actually does: the man page
claimed that these were time fields, but I don't see any
possible incantation in which a time value works or could
work. Updated docs to reflect IMAGE usage. Also changed
nonworking '==' to single '='.
Added tests. [UPDATE: skip with broken podman-remote]
Fixes: #5040
Signed-off-by: Ed Santiago <santiago@redhat.com>
when using usernamespace, dnsname respondes from cni were not making it into the containers /etc/resolv.conf because of a timing issue. this corrects that behavior.
Fixes: #5256
Signed-off-by: Brent Baude <bbaude@redhat.com>
Enables most of the network-related functionality from
`podman run` in `podman pod create`. Custom CNI networks can be
specified, host networking is supported, DNS options can be
configured.
Also enables host networking in `podman play kube`.
Fixes#2808Fixes#3837Fixes#4432Fixes#4718Fixes#4770
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Instead of manually merging the configs, use the built-in features of
TOMP to merge/extend the fields of a data type when encoding a file.
This erases the need for the merge code in libpod/config and also
addresses issues when merging booleans.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
when using -d and port mapping, make sure the correct fd is injected
into conmon.
Move the pipe creation earlier as the fd must be known at the time we
create the container through conmon.
Closes: https://github.com/containers/libpod/issues/5167
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Add pkg/capabibilities to deal with capabilities. The code has been
copied from Docker (and attributed with the copyright) but changed
significantly to only do what we really need. The code has also been
simplified and will perform better due to removed redundancy.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
If we attempt to label a volume and the file system
does not support labeling, then just warn. SELinux
may or may not work, on the volume.
There is no way to setup a private label on a newly
created volume without using the container mountlabel.
If we don't have a mount label at the time of creation of
the volume, the only option we have is to create a shared
label.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When Docker performs a copy up, it first verifies that the volume
being copied into is empty; thus, for volumes that have been
modified elsewhere (e.g. manually copying into then), the copy up
will not be performed at all. Duplicate this behavior in Podman
by checking if the volume is empty before copying.
Furthermore, move setting copyup to false further up. This will
prevent a potential race where copy up could happen more than
once if Podman was killed after some files had been copied but
before the DB was updated.
This resolves CVE-2020-1726.
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
... so that _all_ Image objects are created in a single place
that is easy to update.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Instead of the function updating image.InputName (the only reason for it
to need an image), have it return the updated value separately.
This will allow simplifying the constructors of Image further.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
All ways to create an Image{} have a non-nil .image field, and it
is never set to nil, so this is dead code.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
All code creating an Image by looking up a name now uses
Runtime.NewFromLocal.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
