Commit Graph

98 Commits

Author SHA1 Message Date
Daniel J Walsh 4352d58549
Add support for containers.conf
vendor in c/common config pkg for containers.conf

Signed-off-by: Qi Wang qiwan@redhat.com
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-03-27 14:36:03 -04:00
Valentin Rothberg f4e873c4e1 auto updates
Add support to auto-update containers running in systemd units as
generated with `podman generate systemd --new`.

`podman auto-update` looks up containers with a specified
"io.containers.autoupdate" label (i.e., the auto-update policy).

If the label is present and set to "image", Podman reaches out to the
corresponding registry to check if the image has been updated.  We
consider an image to be updated if the digest in the local storage is
different than the one of the remote image.  If an image must be
updated, Podman pulls it down and restarts the container.  Note that the
restarting sequence relies on systemd.

At container-creation time, Podman looks up the "PODMAN_SYSTEMD_UNIT"
environment variables and stores it verbatim in the container's label.
This variable is now set by all systemd units generated by
`podman-generate-systemd` and is set to `%n` (i.e., the name of systemd
unit starting the container).  This data is then being used in the
auto-update sequence to instruct systemd (via DBUS) to restart the unit
and hence to restart the container.

Note that this implementation of auto-updates relies on systemd and
requires a fully-qualified image reference to be used to create the
container.  This enforcement is necessary to know which image to
actually check and pull.  If we used an image ID, we would not know
which image to check/pull anymore.

Fixes: #3575
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-03-17 17:18:56 +01:00
OpenShift Merge Robot 235f367861
Merge pull request #5469 from giuseppe/no-size-create-container
create: do not calculate image size
2020-03-12 10:20:02 -04:00
Giuseppe Scrivano 8741eb8a92
create: do not calculate image size
calculating the image size can be an expensive operation.  Avoid doing
it when creating a new container since the size is not needed.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-03-12 09:51:17 +01:00
Daniel J Walsh ac354ac94a
Fix spelling mistakes in code found by codespell
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-03-07 10:30:44 -05:00
Valentin Rothberg 6d2d6898f8 env: don't set "container" env
Leave setting the "container" variable to consumers of pkg/env.
Podman is now hard-setting it to "podman" while "libpod" will
set it internally to "libpod" if it's unset.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-03-04 17:07:47 +01:00
Valentin Rothberg ad8e0e5e49 consolidate env handling into pkg/env
Env-variable related code is scattered across several packages making it
hard to maintain and extend.  Consolidate the code into a new pkg/env
package.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-03-03 11:47:24 +01:00
Brent Baude 0184714a82 Add --no-healthcheck command to create/run
Now support --no-healthcheck option to disable defined healthchecks in a container image.  --health-cmd=none remains supported as well.

Fixes: #5299

Signed-off-by: Brent Baude <bbaude@redhat.com>
2020-02-22 12:45:15 -06:00
Valentin Rothberg 58cbbbc56e set process labels in pkg/spec
Set the (default) process labels in `pkg/spec`. This way, we can also
query libpod.conf and disable labeling if needed.

Fixes: #5087
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-02-19 11:04:02 +01:00
Matthew Heon 36a0ed9702 Rework label parsing
We attempted to share all logic for parsing labels and
environment variables, which on the surface makes lots of sense
(both are formatted key=value so parsing logic should be
identical) but has begun to fall apart now that we have added
additional logic to environment variable handling. Environment
variables that are unset, for example, are looked up against
environment variables set for the process. We don't want this for
labels, so we have to split parsing logic.

Fixes #3854

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-02-14 16:06:20 -05:00
OpenShift Merge Robot a65f6b888a
Merge pull request #5152 from QiWang19/device-cgroup-rule
support device-cgroup-rule
2020-02-13 02:34:42 +01:00
Qi Wang d3260738d3 support device-cgroup-rule
fix #4876
Add `--device-cgroup-rule` to podman create and run. This enables to add device rules after the container has been created.

Signed-off-by: Qi Wang <qiwan@redhat.com>
2020-02-12 14:30:23 -05:00
Valentin Rothberg 65d10ffab3 add pkg/seccomp
Add pkg/seccomp to consolidate all seccomp-policy related code which is
currently scattered across multiple packages and complicating the
creatconfig refactoring.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-02-12 17:10:18 +01:00
Valentin Rothberg b0abd1c36e container create: relax os/arch checks
Relax the os/arch checks when creating a container and only info-log
mismatches instead of erroring out.  There are too many images used
in the wild which do not set their arch correctly correctly.  Erroring
out has hit users sufficiently enough to justify relaxing the errors
and only log to at least inform the users and image vendors.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-02-11 09:48:26 +01:00
Daniel J Walsh 100d2fdcfd
Special case memory-swap=-1
We document that memory-swap==-1 means unlimited, but currently we
won't allow the user to specify the -1 value.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-02-05 10:37:51 -05:00
Valentin Rothberg 1531509542 seccomp policy: expect profile in config label
Move the seccomp profile from a manifest annotation to a config label.
This way, we can support it for Docker images as well and provide an
easy way to add that data via Dockerfiles.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-01-23 10:06:43 +01:00
Daniel J Walsh 45e9a6b12e
Remove c.String(net)
We have a lot of cludgy code trying to make --net and --network equivalent.
This will allow --net to still exists but will eliminate the help and confusion.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-01-16 09:23:32 -05:00
OpenShift Merge Robot 0aa9dba3e1
Merge pull request #4806 from vrothberg/seccomp
policy for seccomp-profile selection
2020-01-15 01:16:07 +01:00
Valentin Rothberg 67165b7675 make lint: enable gocritic
`gocritic` is a powerful linter that helps in preventing certain kinds
of errors as well as enforcing a coding style.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-01-13 14:27:02 +01:00
Valentin Rothberg f3f4c54f2a policy for seccomp-profile selection
Implement a policy for selecting a seccomp profile.  In addition to the
default behaviour (default profile unless --security-opt seccomp is set)
add a second policy doing a lookup in the image annotation.

If the image has the "io.containers.seccomp.profile" set its value will be
interpreted as a seccomp profile.  The policy can be selected via the
new --seccomp-policy CLI flag.

Once the containers.conf support is merged into libpod, we can add an
option there as well.

Note that this feature is marked as experimental and may change in the
future.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-01-09 17:57:58 +01:00
Valentin Rothberg 7ccf412f70 shared/create.go: s/data/imageData/
Rename `data` to `imageData` to make it more obvious which kind of data
the variable refers to.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-01-09 11:09:23 +01:00
Ed Santiago 40f55ca3fe signal parsing - better input validation
The helper function we use for signal name mapping does not
check for negative numbers nor invalid (too-high) ones. This
can yield unexpected error messages:

   # podman kill -s -1 foo
   ERRO[0000] unknown signal "18446744073709551615"

This PR introduces a small wrapper for it that:

  1) Strips off a leading dash, allowing '-1' or '-HUP'
     as valid inputs; and
  2) Rejects numbers <1 or >64 (SIGRTMAX)

Also adds a test suite checking signal handling as well as
ensuring that invalid signals are rejected by the command line.

Fixes: #4746

Signed-off-by: Ed Santiago <santiago@redhat.com>
2019-12-26 16:50:21 -07:00
Valentin Rothberg 437bc61f4e container config: add CreateCommand
Store the full command plus arguments of the process the container has
been created with.  Expose this data as a `Config.CreateCommand` field
in the container-inspect data as well.

This information can be useful for debugging, as we can find out which
command has created the container, and, if being created via the Podman
CLI, we know exactly with which flags the container has been created
with.

The immediate motivation for this change is to use this information for
`podman-generate-systemd` to generate systemd-service files that allow
for creating new containers (in contrast to only starting existing
ones).

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2019-12-13 14:39:45 +01:00
OpenShift Merge Robot c6f2383213
Merge pull request #4505 from vrothberg/arch
container create: os/arch check
2019-11-16 17:36:12 +01:00
OpenShift Merge Robot 51c08f3be6
Merge pull request #4368 from haircommander/pod-annotations
Add pod annotations to container
2019-11-15 19:41:39 +01:00
Valentin Rothberg 96ab0c64b4 container create: os/arch check
Unless explicitely overridden, check if the image's OS and architecture
and throw an errors in case of a mismatch.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2019-11-12 17:57:31 -05:00
Dmitry Smirnov 8d928d525f codespell: spelling corrections
Signed-off-by: Dmitry Smirnov <onlyjob@member.fsf.org>
2019-11-13 08:15:00 +11:00
OpenShift Merge Robot f456ce90f9
Merge pull request #4337 from QiWang19/check_auth_path
fix bug check nonexist authfile
2019-11-08 22:06:34 +01:00
Peter Hunt 900a04fcfd Add pod annotations to container
We have the annotations SandboxID, let's use them. This also allows kata containers to be created in pods and share a VM with the infra container. Note: as of now, this sharing only works if the pod has an infra container

Signed-off-by: Peter Hunt <pehunt@redhat.com>
2019-11-08 13:53:38 -05:00
Peter Hunt dcf3c742b1 Split up create config handling of namespaces and security
As it stands, createconfig is a huge struct. This works fine when the only caller is when we create a container with a fully created config. However, if we wish to share code for security and namespace configuration, a single large struct becomes unweildy, as well as difficult to configure with the single createConfigToOCISpec function.

This PR breaks up namespace and security configuration into their own structs, with the eventual goal of allowing the namespace/security fields to be configured by the pod create cli, and allow the infra container to share this with the pod's containers.

Signed-off-by: Peter Hunt <pehunt@redhat.com>
2019-11-07 21:23:23 -05:00
Jakub Filak 2497b6c77b
podman: add support for specifying MAC
I basically copied and adapted the statements for setting IP.

Closes #1136

Signed-off-by: Jakub Filak <jakub.filak@sap.com>
2019-11-06 16:22:19 +01:00
Qi Wang d7c0f968ca fix bug check nonexist authfile
Use GetDefaultAuthFile() from buildah.
For podman command(except login), if authfile does not exist returns error.

close #4328

Signed-off-by: Qi Wang <qiwan@redhat.com>
2019-11-05 21:32:18 -05:00
Daniel J Walsh 66c126d6de Set default seccomp.json file for podman play kube
Currently podman play kube is not using the system default seccomp.json file.
This PR will use the default or override location for podman play.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-10-29 13:43:45 -04:00
Nalin Dahyabhai b9313d355e pull/create: add --override-arch/--override-os flags
Add --override-arch and --override-os as hidden flags, in line with the
global flag names that skopeo uses, so that we can test behavior around
manifest lists without having to conditionalize more of it by arch.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2019-10-29 13:35:19 -04:00
Nalin Dahyabhai a4a70b4506 bump containers/image to v5.0.0, buildah to v1.11.4
Move to containers/image v5 and containers/buildah to v1.11.4.

Replace an equality check with a type assertion when checking for a
docker.ErrUnauthorizedForCredentials in `podman login`.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2019-10-29 13:35:18 -04:00
Giuseppe Scrivano 38a6a2000a
systemd: accept also /sbin/init
it is a regression caused by
3ba3e1c751.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1761514

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-10-15 11:14:21 +02:00
Giuseppe Scrivano 5963077e93
cli: support --systemd=always
it enforces the systemd mode also when the command name doesn't match
/usr/sbin/init or systemd.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-10-09 23:39:18 +02:00
Giuseppe Scrivano 3ba3e1c751
systemd: expect full path /usr/sbin/init
"init" is a quite common name for the command executed in a container
image and Podman ends up using the systemd mode also when not
required.

Be stricter on enabling the systemd mode and not enable it
automatically when the basename is "init" but expect the full path
"/usr/sbin/init".

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-10-09 23:38:45 +02:00
OpenShift Merge Robot c817ea1b33
Merge pull request #4032 from rhatdan/pids-limit
Setup a reasonable default for pids-limit 4096
2019-10-07 15:01:27 -07:00
Daniel J Walsh 118cf1fc63
Setup a reasonable default for pids-limit 4096
CRI-O defaults to 1024 for the maximum pids in a container.  Podman
should have a similar limit. Once we have a containers.conf, we can
set the limit in this file, and have it easily customizable.

Currently the documentation says that -1 sets pids-limit=max, but -1 fails.
This patch allows -1, but also indicates that 0 also sets the max pids limit.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-10-04 16:09:13 -04:00
Miloslav Trmač d3f59bedb3 Update c/image to v4.0.1 and buildah to 1.11.3
This requires updating all import paths throughout, and a matching
buildah update to interoperate.

I can't figure out the reason for go.mod tracking
	github.com/containers/image v3.0.2+incompatible // indirect
((go mod graph) lists it as a direct dependency of libpod, but
(go list -json -m all) lists it as an indirect dependency),
but at least looking at the vendor subdirectory, it doesn't seem
to be actually used in the built binaries.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2019-10-04 20:18:23 +02:00
Matthew Heon c2284962c7 Add support for launching containers without CGroups
This is mostly used with Systemd, which really wants to manage
CGroups itself when managing containers via unit file.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2019-09-10 10:52:37 -04:00
Jhon Honce 02cda4066d Update varlink doc and code
* Improved error message
* Added documentation
* Updated messages to include missing data

Signed-off-by: Jhon Honce <jhonce@redhat.com>
2019-08-26 16:45:49 -07:00
OpenShift Merge Robot 76f327f73f
Merge pull request #3617 from QiWang19/create_pull
add --pull flag for podman create&run
2019-08-17 14:55:14 +02:00
Giuseppe Scrivano 9e2f9c8b78
cmd: drop check for euid==0
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-08-12 12:33:28 +02:00
Qi Wang decfea65be add --pull flag for podman create&run
Requirement from https://github.com/containers/libpod/issues/3575#issuecomment-512238393

Added --pull for podman create and pull to match the newly added flag in docker CLI.
`missing`: default value, podman will pull the image if it does not exist in the local.
`always`: podman will always pull the image.
`never`: podman will never pull the image.

Signed-off-by: Qi Wang <qiwan@redhat.com>
2019-08-09 15:21:34 -04:00
OpenShift Merge Robot 492b4f65f6
Merge pull request #3737 from QiWang19/create_auth
fix create&run getting --authfile from cli
2019-08-09 21:09:50 +02:00
Jhon Honce f070913c6a Improve dns-search validation, empty domains now return an error
Fixes #3426

Signed-off-by: Jhon Honce <jhonce@redhat.com>
2019-08-09 09:58:39 -07:00
Qi Wang cfdf891552 fix create&run getting --authfile from cli
Add flag `--authfile` to create and run so Podman can read authfile path from not only environemnt variable REGISTRY_AUTH_FILE but also CLI

Signed-off-by: Qi Wang <qiwan@redhat.com>
2019-08-09 12:27:32 -04:00
Daniel J Walsh 5270cd89d3
Allow the passing of '.' to --dns-search
--dns-search is defined to remove all search domains from a container.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2019-08-08 15:25:50 -04:00