54 Commits

Author SHA1 Message Date
6da97c8631 Pod Volumes From Support
added support for a volumes from container. this flag just required movement of the volumes-from flag declaration
out of the !IsInfra block, and minor modificaions to container_create.go

Signed-off-by: cdoern <cdoern@redhat.com>
2021-10-01 14:09:11 -04:00
81aabc8054 Merge pull request #11686 from cdoern/podDeviceOptions
Pod Device-Read-BPS support
2021-10-01 10:53:14 -04:00
2d86051893 Pod Device-Read-BPS support
added the option for the user to specify a rate, in bytes, at which they would like to be able
to read from the device being added to the pod. This is the first in a line of pod device options.

WARNING: changed pod name json tag to pod_name to avoid confusion when marshaling with the containerspec's name

Signed-off-by: cdoern <cdoern@redhat.com>
2021-09-28 21:20:01 -04:00
5d6ea90e75 libpod: do not call (*container).Config()
Access the container's config field directly inside of libpod instead of
calling `Config()` which in turn creates expensive JSON deep copies.

Accessing the field directly drops memory consumption of a simple
`podman run --rm busybox true` from 1245kB to 410kB.

[NO TESTS NEEDED]

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-09-28 17:18:02 +02:00
1c4e6d8624 standardize logrus messages to upper case
Remove ERROR: Error stutter from logrus messages also.

[ NO TESTS NEEDED] This is just code cleanup.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-09-22 15:29:34 -04:00
8fac34b8ff Pod Device Support
added support for pod devices. The device gets added to the infra container and
recreated in all containers that join the pod.

This required a new container config item to keep track of the original device passed in by the user before
the path was parsed into the container device.

Signed-off-by: cdoern <cdoern@redhat.com>
2021-09-20 23:22:43 -04:00
84005330aa Pod Volumes Support
added support for the --volume flag in pods using the new infra container design.
users can specify all volume options they can with regular containers

resolves #10379

Signed-off-by: cdoern <cdoern@redhat.com>
2021-09-14 08:32:07 -04:00
d28e85741f InfraContainer Rework
InfraContainer should go through the same creation process as regular containers. This change was from the cmd level
down, involving new container CLI opts and specgen creating functions. What now happens is that both container and pod
cli options are populated in cmd and used to create a podSpecgen and a containerSpecgen. The process then goes as follows

FillOutSpecGen (infra) -> MapSpec (podOpts -> infraOpts) -> PodCreate -> MakePod -> createPodOptions -> NewPod -> CompleteSpec (infra) -> MakeContainer -> NewContainer -> newContainer -> AddInfra (to pod state)

Signed-off-by: cdoern <cdoern@redhat.com>
2021-08-26 16:05:16 -04:00
4b2dc48d0b podman inspect show exposed ports
Podman inspect has to show exposed ports to match docker. This requires
storing the exposed ports in the container config.
A exposed port is shown as `"80/tcp": null` while a forwarded port is
shown as `"80/tcp": [{"HostIp": "", "HostPort": "8080" }]`.

Also make sure to add the exposed ports to the new image when the
container is commited.

Fixes #10777

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2021-08-24 15:44:26 +02:00
bef26f2582 rename oneshot initcontainers to once
after the init containers pr merged, it was suggested to use `once`
instead of `oneshot` containers as it is more aligned with other
terminiology used similarily.

[NO TESTS NEEDED]

Signed-off-by: Brent Baude <bbaude@redhat.com>
2021-08-12 12:57:15 -05:00
221b1add74 Add support for pod inside of user namespace.
Add the --userns flag to podman pod create and keep
track of the userns setting that pod was created with
so that all containers created within the pod will inherit
that userns setting.

Specifically we need to be able to launch a pod with
--userns=keep-id

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
2021-08-09 15:17:22 -04:00
3c3fa6fac4 implement init containers in podman
this is the first pass at implementing init containers for podman pods.
init containersare made popular by k8s as a way to run setup for pods
before the pods standard containers run.

unlike k8s, we support two styles of init containers: always and
oneshot.  always means the container stays in the pod and starts
whenever a pod is started.  this does not apply to pods restarting.
oneshot means the container runs onetime when the pod starts and then is
removed.

Signed-off-by: Brent Baude <bbaude@redhat.com>
2021-08-04 14:14:36 -05:00
f7321681d0 podman pod create --pid flag
added support for --pid flag. User can specify ns:file, pod, private, or host.
container returns an error since you cannot point the ns of the pods infra container
to a container outside of the pod.

Signed-off-by: cdoern <cdoern@redhat.com>
2021-07-15 10:34:09 -04:00
bbd085ad1e Podman Pod Create --cpus and --cpuset-cpus flags
Added logic and handling for two new Podman pod create Flags.

--cpus specifies the total number of cores on which the pod can execute, this
is a combination of the period and quota for the CPU.

 --cpuset-cpus is a string value which determines of these available cores,
how many we will truly execute on.

Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
2021-06-23 13:47:57 -04:00
5dded6fae7 bump go module to v3
We missed bumping the go module, so let's do it now :)

* Automated go code with github.com/sirkon/go-imports-rename
* Manually via `vgrep podman/v2` the rest

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-02-22 09:03:51 +01:00
76a38fc3f2 Fix podman pod inspect show wrong MAC string
Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
2020-11-18 18:06:06 +08:00
cddfe3983b Add a Degraded state to pods
Make a distinction between pods that are completely running (all
containers running) and those that have some containers going,
but not all, by introducing an intermediate state between Stopped
and Running called Degraded. A Degraded pod has at least one, but
not all, containers running; a Running pod has all containers
running.

First step to a solution for #7213.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-10-21 13:31:40 -04:00
2bb2425704 Move pod jobs to parallel execution
Make Podman pod operations that do not involve starting
containers (which needs to be done in a specific order) use the
same parallel operation code we use to make `podman stop` on
large numbers of containers fast. We were previously stopping
containers in a pod serially, which could take up to the timeout
(default 15 seconds) for each container - stopping 100 containers
that do not respond to SIGTERM would take 25 minutes.

To do this, refactor the parallel operation code a bit to remove
its dependency on libpod (damn circular import restrictions...)
and use parallel functions that just re-use the standard
container API operations - maximizes code reuse (previously each
pod handler had a separate implementation of the container
function it performed).

This is a bit of a palate cleanser after fighting CI for two
days - nice to be able to return to a land of sanity.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-10-07 10:00:11 -04:00
b6176d8987 Add support for slirp network for pods
flag --network=slirp4netns[options] for root and rootless pods

Signed-off-by: Ashley Cui <acui@redhat.com>
2020-09-25 21:34:23 -04:00
c4b2078508 Clean up pods before returning from Pod Stop API call
This should help alleviate races where the pod is not fully
cleaned up before subsequent API calls happen.

Signed-off-by: Matthew Heon <mheon@redhat.com>
2020-08-17 11:04:26 -04:00
a5e37ad280 Switch all references to github.com/containers/libpod -> podman
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-07-28 08:23:45 -04:00
fbc1167c4d Fix lint
Signed-off-by: Matthew Heon <mheon@redhat.com>
2020-07-14 13:24:12 -04:00
1fdfd52eeb Populate remaining unused fields in pod inspect
We were hard-coding two fields to false, instead of grabbing
their value from the pod config, which means that `pod inspect`
would print the wrong value always.

Fixes #6968

Signed-off-by: Matthew Heon <mheon@redhat.com>
2020-07-14 12:03:11 -04:00
41457b5a28 Include infra container information in pod inspect
We had a field for this in the inspect data, but it was never
being populated. Because of this, `podman pod inspect` stopped
showing port bindings (and other infra container settings). Add
code to populate the infra container inspect data, and add a test
to ensure we don't regress again.

Signed-off-by: Matthew Heon <mheon@redhat.com>
2020-07-14 12:03:11 -04:00
8489dc4345 move go module to v2
With the advent of Podman 2.0.0 we crossed the magical barrier of go
modules.  While we were able to continue importing all packages inside
of the project, the project could not be vendored anymore from the
outside.

Move the go module to new major version and change all imports to
`github.com/containers/libpod/v2`.  The renaming of the imports
was done via `gomove` [1].

[1] https://github.com/KSubedi/gomove

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-07-06 15:50:12 +02:00
e996bb583d Print errors from individual containers in pods
The infra/abi code for pods was written in a flawed way, assuming
that the map[string]error containing individual container errors
was only set when the global error for the pod function was nil;
that is not accurate, and we are actually *guaranteed* to set the
global error when any individual container errors. Thus, we'd
never actually include individual container errors, because the
infra code assumed that err being set meant everything failed and
no container operations were attempted.

We were originally setting the cause of the error to something
nonsensical ("container already exists"), so I made a new error
indicating that some containers in the pod failed. We can then
ignore that error when building the report on the pod operation
and actually return errors from individual containers.

Unfortunately, this exposed another weakness of the infra code,
which was discarding the container IDs. Errors from individual
containers are not guaranteed to identify which container they
came from, hence the use of map[string]error in the Pod API
functions. Rather than restructuring the structs we return from
pkg/infra, I just wrapped the returned errors with a message
including the ID of the container.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-07-02 12:59:10 -04:00
200cfa41a4 Turn on More linters
- misspell
    - prealloc
    - unparam
    - nakedret

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-06-15 07:05:56 -04:00
636881ece5 pod config: add a CreateCommand field
Add a `CreateCommand` field to the pod config which includes the entire
`os.Args` at pod-creation.  Similar to the already existing field in a
container config, we need this information to properly generate generic
systemd unit files for pods.  It's a prerequisite to support the `--new`
flag for pods.

Also add the `CreateCommand` to the pod-inspect data, which can come in
handy for debugging, general inspection and certainly for the tests that
are added along with the other changes.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-06-11 11:01:13 +02:00
644a7b78ff Ensure that containers in pods properly set hostname
When we moved to the new Namespace types in Specgen, we made a
distinction between taking a namespace from a pod, and taking it
from another container. Due to this new distinction, some code
that previously worked for both `--pod=$ID` and
`--uts=container:$ID` has accidentally become conditional on only
the latter case. This happened for Hostname - we weren't properly
setting it in cases where the container joined a pod.
Fortunately, this is an easy fix once we know to check the
condition.

Also, ensure that `podman pod inspect` actually prints hostname.

Fixes #6494

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-06-04 16:32:10 -04:00
c57c560d90 Fix bug where pods would unintentionally share cgroupns
This one was a massive pain to track down.

The original symptom was an error message from rootless Podman
trying to make a container in a pod. I unfortunately did not look
at the error message closely enough to realize that the namespace
in question was the cgroup namespace (the reproducer pod was
explicitly set to only share the network namespace), else this
would have been quite a bit shorter.

I spent considerable effort trying to track down differences
between the inspect output of the two containers, and when that
failed I was forced to resort to diffing the OCI specs. That
finally proved fruitful, and I was able to determine what should
have been obvious all along: the container was joining the cgroup
namespace of the infra container when it really ought not to
have.

From there, I discovered a variable collision in pod config. The
UsePodCgroup variable means "create a parent cgroup for the pod
and join containers in the pod to it". Unfortunately, it is very
similar to UsePodUTS, UsePodNet, etc, which mean "the pod shares
this namespace", so an accessor was accidentally added for it
that indicated the pod shared the cgroup namespace when it really
did not. Once I realized that, it was a quick fix - add a bool to
the pod's configuration to indicate whether the cgroup ns was
shared (distinct from UsePodCgroup) and use that for the
accessor.

Also included are fixes for `podman inspect` and
`podman pod inspect` that fix them to actually display the state
of the cgroup namespace (for container inspect) and what
namespaces are shared (for pod inspect). Either of those would
have made tracking this down considerably quicker.

Fixes #6149

Signed-off-by: Matthew Heon <mheon@redhat.com>
2020-05-08 18:00:42 -04:00
838df56bcf Update pod inspect report to hold current pod status.
Added status field in pod inspect report.
Fixed pod tests to use it.

Signed-off-by: Sujil02 <sushah@redhat.com>
2020-04-20 07:05:25 -04:00
ba430bfe5e podman v2 remove bloat v2
rid ourseleves of libpod references in v2 client

Signed-off-by: Brent Baude <bbaude@redhat.com>
2020-04-16 12:04:46 -05:00
bbda410526 Update pod bindings and Add test to validate prune pod apiv2 binding.
Modify the pod inspect bindings to hold current pod status.
Includes test to validate on pod status and added test to check
no or few pods are pruned,if the pods are in exited state.

Signed-off-by: Sujil02 <sushah@redhat.com>
2020-02-28 11:51:02 -05:00
123b8c627d if container is not in a pid namespace, stop all processes
When a container is in a PID namespace, it is enought to send
the stop signal to the PID 1 of the namespace, only send signals
to all processes in the container when the container is not in
a pid namespace.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-12-19 13:33:17 -05:00
8d928d525f codespell: spelling corrections
Signed-off-by: Dmitry Smirnov <onlyjob@member.fsf.org>
2019-11-13 08:15:00 +11:00
6f630bc09b Move OCI runtime implementation behind an interface
For future work, we need multiple implementations of the OCI
runtime, not just a Conmon-wrapped runtime matching the runc CLI.

As part of this, do some refactoring on the interface for exec
(move to a struct, not a massive list of arguments). Also, add
'all' support to Kill and Stop (supported by runc and used a bit
internally for removing containers).

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-10-10 10:19:32 -04:00
88ebc33840 Report errors when trying to pause rootless containers
If you are running a rootless container on cgroupV1
you can not pause the container.  We need to report the proper error
if this happens.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-09-13 08:29:46 -04:00
56a65cffac generate systemd: support pods and geneartig files
Support generating systemd unit files for a pod.  Podman generates one
unit file for the pod including the PID file for the infra container's
conmon process and one unit file for each container (excluding the infra
container).

Note that this change implies refactorings in the `pkg/systemdgen` API.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2019-08-21 17:28:30 +02:00
8561b99644 libpod removal from main (phase 2)
this is phase 2 for the removal of libpod from main.

Signed-off-by: baude <bbaude@redhat.com>
2019-06-27 07:56:24 -05:00
dd81a44ccf remove libpod from main
the compilation demands of having libpod in main is a burden for the
remote client compilations.  to combat this, we should move the use of
libpod structs, vars, constants, and functions into the adapter code
where it will only be compiled by the local client.

this should result in cleaner code organization and smaller binaries. it
should also help if we ever need to compile the remote client on
non-Linux operating systems natively (not cross-compiled).

Signed-off-by: baude <bbaude@redhat.com>
2019-06-25 13:51:24 -05:00
92bae8d308 Begin adding support for multiple OCI runtimes
Allow Podman containers to request to use a specific OCI runtime
if multiple runtimes are configured. This is the first step to
properly supporting containers in a multi-runtime environment.

The biggest changes are that all OCI runtimes are now initialized
when Podman creates its runtime, and containers now use the
runtime requested in their configuration (instead of always the
default runtime).

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-06-19 17:08:43 -04:00
dc42304f38 Sending signals to containers prevents restart policy
Noticed this when testing some behavior with Docker.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-05-03 10:36:16 -04:00
5ed62991dc Remove ulele/deepcopier in favor of JSON deep copy
We have a very high performance JSON library that doesn't need to
perform code generation. Let's use it instead of our questionably
performant, reflection-dependent deep copy library.

Most changes because some functions can now return errors.

Also converts cmd/podman to use jsoniter, instead of pkg/json,
for increased performance.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-03-27 20:00:31 -04:00
ca1e76ff63 Add event logging to libpod, even display to podman
In lipod, we now log major events that occurr.  These events
can be displayed using the `podman events` command. Each
event contains:

* Type (container, image, volume, pod...)
* Status (create, rm, stop, kill, ....)
* Timestamp in RFC3339Nano format
* Name (if applicable)
* Image (if applicable)

The format of the event and the varlink endpoint are to not
be considered stable until cockpit has done its enablement.

Signed-off-by: baude <bbaude@redhat.com>
2019-03-11 15:08:59 -05:00
5209894100 add timeout to pod stop
like podman stop of containers, we should allow the user to specify
a timeout override when stopping pods; otherwise they have to wait
the full timeout time specified during the pod/container creation.

Signed-off-by: baude <bbaude@redhat.com>
2018-12-07 10:27:41 -06:00
2c7f97d5a7 Add ContainerStateExited and OCI delete() in cleanup()
To work better with Kata containers, we need to delete() from the
OCI runtime as a part of cleanup, to ensure resources aren't
retained longer than they need to be.

To enable this, we need to add a new state to containers,
ContainerStateExited. Containers transition from
ContainerStateStopped to ContainerStateExited via cleanupRuntime
which is invoked as part of cleanup(). A container in the Exited
state is identical to Stopped, except it has been removed from
the OCI runtime and thus will be handled differently when
initializing the container.

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
2018-10-02 12:05:22 -04:00
0e6266858a Fixing network ns segfault
As well as small style corrections, update pod_top_test to use CreatePod, and move handling of adding a container to the pod's namespace from container_internal_linux to libpod/option.

Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1187
Approved by: mheon
2018-08-23 18:16:28 +00:00
2a7449362f Change pause container to infra container
Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1187
Approved by: mheon
2018-08-23 18:16:28 +00:00
d5e690914d Added option to share kernel namespaces in libpod and podman
A pause container is added to the pod if the user opts in. The default pause image and command can be overridden. Pause containers are ignored in ps unless the -a option is present. Pod inspect and pod ps show shared namespaces and pause container. A pause container can't be removed with podman rm, and a pod can be removed if it only has a pause container.

Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1187
Approved by: mheon
2018-08-23 18:16:28 +00:00
8d5e0108d7 Change batchcontainer to shared
To better reflect it's usage: to share functions between podman and varlink.

Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1275
Approved by: mheon
2018-08-16 20:31:50 +00:00