As of now, there is no way to debug podman clean up processes.
They are started by conmon with no stdout/stderr and log nowhere.
This allows us to actually figure out what is going on when a
cleanup process runs.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
This chunk was mistakenly removed with ecec1a5430
Introduce it back as it solves the pull of an image that is not yet in
the storage when using create/run.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1521
Approved by: baude
Also update some missing fields libpod.conf obtions in man pages.
Fix sort order of security options and add a note about disabling
labeling.
When a process requests a new label. libpod needs to reserve all
labels to make sure that their are no conflicts.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1406
Approved by: mheon
When image is not tagged, we should just set the imageName to the
image.ID.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1501
Approved by: mheon
do not error out when the storage is not initialized and the
entrypoint command is not available for the specified image. Check it
when we re-exec in an user namespace and can access the storage.
Closes: https://github.com/containers/libpod/issues/1452
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Create two new createInit for checking if the cotnainer is initialized
correctly.
createContainer which creates the actual container and containerConfig
Also added libpodruntime.GetContainerRuntime to put common runtime code
into separate function.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This is an incomplete fix, as it would be best for the libpod library to be in charge of coordinating the container's dependencies on the infra container. A TODO was left as such. UTS is a special case, because the docker library that namespace handling is based off of doesn't recognize a UTS based on another container as valid, despite the library being able to handle it correctly. Thus, it is left in the old way.
Signed-off-by: haircommander <pehunt@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1347
Approved by: mheon
We should be sharing cgroups namespace by default in pods
uts namespace sharing was broken in pods.
Create a new libpod/pkg/namespaces for handling of namespace fields
in containers
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1418
Approved by: mheon
change the tests to use chroot to set a numeric UID/GID.
Go syscall.Credential doesn't change the effective UID/GID of the
process.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1372
Approved by: mheon
move re-exec later on, so that we can check whether we need to join
the infra container user namespace or we need to create another one.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1372
Approved by: mheon
Don't print potentially verbose help messages in case of usage errors,
but print only the usage error followed by a pointer to the command's
help. This aligns with Docker.
```
$ podman run -h
flag needs an argument: -h
See 'podman run --help'.
```
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1379
Approved by: rhatdan
Move the `-h` short flag from `--help` to `--hostname` for podman-run,
podman-create and podman-pod-create to be compatible with Docker.
Fixes: #1367
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1373
Approved by: rhatdan
When in rootless mode it's not possible to load profiles or
check which profiles are loaded.
Added a few baseline tests to check all possible cases.
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Closes: #1250
Approved by: mheon
As well as small style corrections, update pod_top_test to use CreatePod, and move handling of adding a container to the pod's namespace from container_internal_linux to libpod/option.
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1187
Approved by: mheon
A pause container is added to the pod if the user opts in. The default pause image and command can be overridden. Pause containers are ignored in ps unless the -a option is present. Pod inspect and pod ps show shared namespaces and pause container. A pause container can't be removed with podman rm, and a pod can be removed if it only has a pause container.
Signed-off-by: haircommander <pehunt@redhat.com>
Closes: #1187
Approved by: mheon
Need to get some small changes into libpod to pull back into buildah
to complete buildah transition.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1270
Approved by: mheon
The "unconfined" profile must be treated specially to turn off apparmor
confinement and to avoid applying any other profile.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1241
Approved by: mheon
Make users of libpod more secure by adding the libpod/apparmor package
to load a pre-defined AppArmor profile. Large chunks of libpod/apparmor
come from github.com/moby/moby.
Also check if a specified AppArmor profile is actually loaded and throw
an error if necessary.
The default profile is loaded only on Linux builds with the `apparmor`
buildtag enabled.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1063
Approved by: rhatdan
podman now supports --volumes-from flag, which allows users
to add all the volumes an existing container has to a new one.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #931
Approved by: mheon
When we run containers in detach mode, nothing cleans up the network stack or
the mount points. This patch will tell conmon to execute the cleanup code when
the container exits.
It can also be called to attempt to cleanup previously running containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #942
Approved by: mheon
Everytime we add a new option for create, we end up having to also
add it to run, this makes it error prone. Moving these to the same
function makes it easier to develop and prevents user mistakes.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #975
Approved by: mheon
Also add annotations from the image the container was created
from.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #886
Approved by: rhatdan
we cannot set additional ports on an existing container namespace, so we should
not allow --network=container with publish or publish-all.
Signed-off-by: baude <bbaude@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #853
Approved by: baude
If the user does not provide a host port when adding -p to create/run, podman should inject an available random port.
podman run -p 80 .... podman should assign a random port to the host and expose the container port 80 to it
Signed-off-by: baude <bbaude@redhat.com>
Closes: #703
Approved by: rhatdan
implement varlink image functions for working with libpod with the exception of a
couple due to incompletions on the libpod side of things (build).
also, created a first pass at a libpodpy package which will stand as a client to
working with libpod's varlink methods using python.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #669
Approved by: baude
Made necessary changes to functions to include contex.Context wherever needed
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #640
Approved by: baude
In the case where podman needs to pull an image, if that registry that the image
resides on is known to be insesure (as defined in /etc/containers/registries.conf),
tls-verify should be altered on the fly.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #626
Approved by: mheon
In the case where you have an image local, if the the user runs
podman pull, we should always attempt to pull an updated image.
Added a forceRemote bool to New (image) so we can differentiate
between "pull" or run because the actions differ. Run does not
need to pull the latest -- only run.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #618
Approved by: baude
--group-add
--blkio-weight-device
--device-read-bps
--device-write-bps
--device-read-iops
--device-write-iops
--group-add now supports group names as well as the gid associated with them.
All the --device flags work now with moderate changes to the code to support both
bps and iops.
Added tests for all the flags.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #590
Approved by: mheon
In our ezrly development, we always allocated a tty when not -d. Now we should only allocated when the user asks for it.
Resolves: #573
Signed-off-by: baude <bbaude@redhat.com>
Closes: #574
Approved by: rhatdan
Adds support for mounting secrets especially on RHEL where the container
can use the host subsription to run yum
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #544
Approved by: rhatdan
so that it is possible to use systemd to automatically restart the
container:
[Service]
Type=forking
PIDFile=/run/awesome-service.pid
ExecStart=/usr/bin/podman run --conmon-pidfile=/run/awesome-service.pid --name awesome -d IMAGE /usr/bin/do-something
ExecStopPost=/usr/bin/podman rm awesome
Restart=always
Closes: https://github.com/projectatomic/libpod/issues/534
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #549
Approved by: rhatdan
Both podman run and create have an option to write the container ID to a file. The option
is called cidfile. If the cidfile exists, we should not create or run a container but rather
output a sensical error message.
Resolves: #530
Signed-off-by: baude <bbaude@redhat.com>
Closes: #531
Approved by: rhatdan
Migrate the podman create and commit subcommandis to leverage the images library. I also had
to migrate the cmd/ portions of run and rmi.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #498
Approved by: mheon
Having a default workdir is causing us not to use the
container images workdir.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #501
Approved by: mheon
This represents the stage3 implementation for the image library. At this point, we
are moving the image-centric functions to pkg/image including migration of args and
object-oriented references. This is a not a one-for-one migration of funcs and some
funcs will need to continue to reside in runtime_img as they are overly specific to
libpod and probably not useful to others.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #484
Approved by: baude
--image-volumes tells podman what to do with the image volumes in the image config
There are 3 options: bind, tmpfs, and ignore
bind puts the volume contents in /var/lib/containers/storage/container-id/volumes/vol-dir
and bind mounts it into the container at /vol-dir
tmpfs mounts /vol-dir as a tmps into the container
ignore doesn't mount the image volumes onto the container
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #377
Approved by: rhatdan
podman save would write the progress bar to the image tar file
when the output was redirected with >.
Fixed the writer to write to stderr for all commands using writer
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #362
Approved by: mheon
When an image does not have an ENTRYPOINT nor a CMD and the
user does not provide a command in the CLI, we should fail
gracefully.
This resolves issue #328
Signed-off-by: baude <bbaude@redhat.com>
Closes: #333
Approved by: mheon
Changing these fields caused the output of podman inspect to more
closely match docker inspect.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #306
Approved by: mheon
When an image has an ENTRYPOINT defined, we should be honoring it. The
problem is described in issue #321.
Also, added buildah binary to test runtimes for testing entrypoint and
will also allow us to test podman build as well.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #322
Approved by: rhatdan
Rework port code for generalized clean up and to address
issue #269 where additional portbindings between host
and containers we being introduced by error.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #308
Approved by: mheon
Migrate create and commit bats tests to the ginkgo
test suite. In doing so, some structures had to be
moved to pkg/podmanstructs/podmanstructs.go so we
could do better verification of test results.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #286
Approved by: rhatdan
Migrate ps, pull, push, and rm from bats to ginkgo.
Also, fixed a conditional issue with adding ports
when an image defines the port and the user wants
to override it.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #277
Approved by: baude
When trying to determine if a user-provided string that describes
an image (ID, fq name, shortname, tagged), there were some
inefficiencies where we looked up images multiple times to derive
information about local images.
Signed-off-by: baude <bbaude@redhat.com>
When an image has a port to expose, we need to expose it. User's input overrides the
image's port information.
Also, enable port information in ps so we can see which random port is assigned.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #249
Approved by: rhatdan
Set up nbetworking ports for the following use cases:
* bind the same port between host and container
* bind a specific host port to a different container port
* bind a random host port to a specific container port
Signed-off-by: baude <bbaude@redhat.com>
Closes: #214
Approved by: baude
Each of these options are destructive in nature, meaning if the user
adds one of them, all current ones are removed from the produced
resolv.conf.
* dns-server allows the user to specify dns servers.
* dns-opt allows the user to specify special resolv.conf options
* dns-search allows the user to specify search domains
The add-host option is not destructive and truly just adds the host
to /etc/hosts.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #231
Approved by: mheon
If user does not specify seccomp file or seccomp file does not exist,
then use the default seccomp settings.
Still need to not hard code /etc/crio/seccomp.json, should move this to
/usr/share/seccomp/seccomp.json
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #233
Approved by: baude
podman command has storage options as a global option,
these should be set there, rather then in the create and
run commands.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #234
Approved by: baude
A compatibility option of --net should alias the --network
option. The --net option will only override --network if
--network is not explicitly set and --net is. Both default
to 'bridge'.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #228
Approved by: mheon
Create a mocked CLI instance so we can test that user-input
functions to run (create) end up in the spec correctly. It will
also help protect against regression include type changes.
We can decide if we want to test items one at a time or several
at a time.
Signed-off-by: baude <bbaude@redhat.com>
While pulling by shortname (fedora-minimal) worked, running a container
by the short name did not due to a logic error.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #182
Approved by: rhatdan
We should be pulling information out of the image to set the
defaults to use when setting up the container.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #110
Approved by: mheon
podman run/create have the ability to set the stop timeout flag.
We need to stop it in the database.
Also Allowing negative time for stop timeout makes no sense, so switching
to timeout of uint, allows user to specify huge timeout values.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #158
Approved by: TomSweeneyRedHat
Stop Signal from kpod create/run was not fully plumbed in,
This will pass the stopsignal into the container database on
create and run of containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #156
Approved by: mheon
Also add --quiet option to kpod create/run since
this will help with writing tests.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #140
Approved by: TomSweeneyRedHat
OpenShift Merge Robot
Matthew Heon
Qi Wang
Daniel J Walsh
Giuseppe Scrivano
Valentin Rothberg
Marco Vedovati
haircommander
umohnani8
Matthew Heon
Jhon Honce
baude