Use github.com/containers/psgo instead of execing `ps (1)`. The psgo
library enables a much more flexible interface with respect to which
data to be printed (e.g., capabilities, seccomp mode, PID, PCPU, etc.)
while the output can be parsed reliably. The library does not use
ps (1) but parses /proc and /dev instead. To list the processes of a
given container, psgo will join the mount namespace of the given
container and extract all data from there.
Notice that this commit breaks compatibility with docker-top.
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1113
Approved by: rhatdan
vendor in containers/storage
vendor in containers/image
vendor in projectatomic/buildah
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1114
Approved by: mheon
Bind all the specified TCP and UDP ports so that another process
cannot reuse them. The fd of the listener is then leaked into conmon
so that the socket is kept busy until the container exits.
Closes: https://github.com/projectatomic/libpod/issues/210
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1100
Approved by: mheon
Use this to supplement exit codes returned from containers, to
make sure we know when exit codes are invalid (as the container
has not yet exited)
Signed-off-by: Matthew Heon <mheon@redhat.com>
when pulling an image that includes a sha such as:
centos/nginx-112-centos7@sha256:42330f7f29ba1ad67819f4ff3ae2472f62de13a827a74736a5098728462212e7
the final image name in libpod should not contain portions of the sha itself nor the sha
identifier. and like docker, we provide a 'none' tag as well.
this should fix#877
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1085
Approved by: mheon
This is a refresh of Dan William's PR #974 with a rebase and proper
vendoring of ocicni and containernetworking/cni. It adds the ability
to define multiple networks as so:
podman run --network=net1,net2,foobar ...
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1082
Approved by: baude
podman rmi was deleting an image even if it was a parent of
another image. This fix just untags the image instead.
This also fixes podman rmi to remove intermediate images of
an image when the image is removed.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #1055
Approved by: mheon
podman now supports --volumes-from flag, which allows users
to add all the volumes an existing container has to a new one.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #931
Approved by: mheon
This removes some boilerplate from the libpod package, so we can focus
on container stuff there. And it gives us a tidy sub-package for
focusing on ctime extraction, so we can focus on unit testing and
portability of the extraction utility there.
For the unsupported implementation, I'm falling back to Go's ModTime
[1]. That's obviously not the creation time, but it's likely to be
closer than the uninitialized Time structure from cc6f0e85 (more
changes to compile darwin, 2018-07-04, #1047). Especially for our use
case in libpod/oci, where we're looking at write-once exit files.
The test is more complicated than I initially expected, because on
Linux filesystem timestamps come from a truncated clock without
interpolation [2] (and network filesystems can be completely decoupled
[3]). So even for local disks, creation times can be up to a jiffie
earlier than 'before'. This test ensures at least monotonicity by
creating two files and ensuring the reported creation time for the
second is greater than or equal to the reported creation time for the
first. It also checks that both creation times are within the window
from one second earlier than 'before' through 'after'. That should be
enough of a window for local disks, even if the kernel for those
systems has an abnormally large jiffie. It might be ok on network
filesystems, although it will not be very resilient to network clock
lagging behind the local system clock.
[1]: https://golang.org/pkg/os/#FileInfo
[2]: https://groups.google.com/d/msg/linux.kernel/mdeXx2TBYZA/_4eJEuJoAQAJ
Subject: Re: Apparent backward time travel in timestamps on file creation
Date: Thu, 30 Mar 2017 20:20:02 +0200
Message-ID: <tqMPU-1Sb-21@gated-at.bofh.it>
[3]: https://groups.google.com/d/msg/linux.kernel/mdeXx2TBYZA/cTKj4OBuAQAJ
Subject: Re: Apparent backward time travel in timestamps on file creation
Date: Thu, 30 Mar 2017 22:10:01 +0200
Message-ID: <tqOyl-36A-1@gated-at.bofh.it>
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1050
Approved by: mheon
if we snip the requirement to use a buildah const in the libpod image library,
we can save something on the order of 85 vendored files in consumers of the
the library.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1054
Approved by: mheon
Originally, it seemed like a good idea to place Conmon and the
container it managed under a shared CGroup, so we could manage
the two together. It's become increasingly clear that this is a
potential performance sore point, gains us little practical
benefit in managing Conmon, and adds extra steps to container
cleanup that interfere with Conmon postrun hooks.
Revert back to a shared CGroup for conmon processes under the
CGroup parent. This will retain per-pod conmon CGroups as well if
the pod is set to create a CGroup and act as CGroup parent for
its containers.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1051
Approved by: umohnani8
b96be3af (changes to allow for darwin compilation, 2018-06-20, #1015)
made RemovePod per-platform, but left out docs for the unsupported
version [1]:
libpod/runtime_pod_unsupported.go:14:1⚠️ exported method
Runtime.RemovePod should have comment or be unexported (golint)
To keep the docs DRY, I've restored RemovePod and its docs to their
previous location, and named a new, internal removePod for the
per-platform implementations.
[1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L159
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1034
Approved by: baude
This function was added in cc6f0e85 (more changes to compile darwin,
2018-07-04, #1047), but it has no consumers and no Linux analog.
Remove it, which also fixes the [1]:
libpod/networking_unsupported.go:9:1⚠️ exported function
JoinNetworkNameSpace should have comment or be unexported (golint)
lint issue.
[1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L158
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1034
Approved by: baude
this should represent the last major changes to get darwin to **compile**. again,
the purpose here is to get darwin to compile so that we can eventually implement a
ci task that would protect against regressions for darwin compilation.
i have left the manual darwin compilation largely static still and in fact now only
interject (manually) two build tags to assist with the build. trevor king has great
ideas on how to make this better and i will defer final implementation of those
to him.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1047
Approved by: rhatdan
when XDG_RUNTIME_DIR is not set, still attempt to use /run/user/$UID
before looking up other directories.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1048
Approved by: mheon
The destination path of the built-in volume was not being created
but a relabel was being attempted on it, this was causing issues
with all images that have built-in volumes.
This patch fixes that and ensures the destination volume path
is created.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #1026
Approved by: mheon
When we run containers in detach mode, nothing cleans up the network stack or
the mount points. This patch will tell conmon to execute the cleanup code when
the container exits.
It can also be called to attempt to cleanup previously running containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #942
Approved by: mheon
I got my database state in a bad way by killing a hanging container.
It did not setup the network namespace correctly
listing/remove bad containers becomes impossible.
podman run alpine/nginx
^c
got me in this state.
I got into a state in the database where
podman ps -a
was returning errors and I could not get out of it, Makeing joining the network
namespace a non fatal error fixes the issue.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #918
Approved by: mheon
If the caller sets up the app to be in logrus.DebugLevel,
then we will add the --syslog flag to conmon to get all of the
messages.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1014
Approved by: TomSweeneyRedHat
Catching up with opencontainers/runtime-tools@84a62c6a (generate: Move
Generator.spec to Generator.Config, 2016-11-06, #266, v0.6.0), now
that we've bumped runtime-tools in f6c0fc1a (Vendor in latest
runtime-tools, 2018-06-26, #1007).
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1008
Approved by: mheon
When running podman as non root user always create an userNS and let
the OCI runtime use it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #936
Approved by: rhatdan
Fixes a bug where we might try saving back to the database during
cleanup, which would fail as the container was already removed
from the database.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Closes: #1001
Approved by: rhatdan
The Refresh() function is used to reset a container's state after
a database format change to state is made that requires migration
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #981
Approved by: baude
If the intermediate image exists in the store, podman history
will show the IDs of the intermediate image of each layer.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #982
Approved by: mheon
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
- Set srcPath permissions so that the container user can R/W it.
- Fix uninitialized spec.Mount when restarting a container.
- Check for srcPath instead of volumePath existence when setting up a
volume mount point for a container.
- Set the overlay volumePath with the same owner and permissions as
srcPath to allow proper access by the container user.
Closes#844Closes: #951
Approved by: rhatdan
Since we are checking if err is non nil in defer function we need
to define it, so that the check will work correctly.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #985
Approved by: mheon
Move the StartContainer call after the attach to the UNIX socket. It
solves a race where the StartContainer could be done earlier and a
short-lived container could already exit by the time we tried to
attach to the socket.
Closes: https://github.com/projectatomic/libpod/issues/835
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Upon updating a container, if its network namespace has been
removed, we attempt to clean up the network namespace locally,
to ensure we don't leave hanging file descriptors. This triggers
cleanup code which assumes the network namespace still exists,
but it almost certainly was removed by whoever removed it from
the database. As such, we end up with unavoidable errors if we
don't want to leak FDs. Make these errors nonfatal and log them
because of this.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #962
Approved by: rhatdan
Ensure we can identify what hook is running so we can tell which
are erroring.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #960
Approved by: rhatdan
podman images will not show intermediate images by default.
To view all images, including intermediate images created during
a build, use the --all flag.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #947
Approved by: rhatdan
Make the output of top tabular to be compatible with Docker. Please
note, that any user-input for `GetContainerPidInformation(...)` will be
ignored until we have found a way to generically and reliably parse ps-1
output or until there is a go-lib to extract all the data from /proc in
a ps-1 compatible fashion.
Fixes: #458
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #939
Approved by: rhatdan
The containernetworking/plugins ns package does not support
unmounting and removing namespaces that were opened by another
process. Work around this by doing it ourself.
Closes: #858
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #949
Approved by: rhatdan
Attempt to cleanup as much of the container as possible, even if one
of the cleanup stages fails.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #895
Approved by: mheon
We have an issue where iptables command is being executed by podman
and attempted to run with a different label. This fix changes podman
to only change the label on the conmon command and then set the
SELinux interface back to the default.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #906
Approved by: giuseppe
when there are no registries configured for the system and the user provided
a short image name, we panic'd due a logic bug in recent image pull changes.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #841
Approved by: rhatdan
There was a new line at the end of does not exist
which was causing this to fail.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #863
Approved by: baude
If SELinux is enabled, we are leaking in pipes into the container
owned by conmon. The container processes are not allowed to use
these pipes, if the calling process is fully ranged. By changing
the level of the conmon process to s0, this allows container processes
to use the pipes.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #854
Approved by: mheon
The OCI runtime spec does not require Process to be passed (IE,
it can be nil). Make most of our references to it conditional on
it existing.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Closes: #828
Approved by: mheon
The docker-archive tar files can have multiple tags for the same
image stored in it. Load pulls all the tags found in the archive
when loading a tar file. Save can oush multiple tags of the same
image to a tar archive.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #819
Approved by: rhatdan
Currently we are dropping the command entry from the create
line and using the image Cmd. This change will only use the
image Cmd if the user did not specify a Cmd.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #823
Approved by: umohnani8
In the case where changes are made to Env, Expose, Volumes, or labels, we should
honor that multiple values are valid.
Resolves: #795
Signed-off-by: baude <bbaude@redhat.com>
Closes: #815
Approved by: mheon
Pods can now create their own (cgroupfs) cgroups which containers
in them can (optionally) use.
This presently only works with CGroupFS, systemd cgroups are
still WIP
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #784
Approved by: rhatdan
Add a mutable state to pods, and database backend sutable for
modifying and updating said state.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #784
Approved by: rhatdan
Instead of manually calling the individual functions that cleanup
uses to tear down a container's resources, just call the cleanup
function to make sure that cleanup only needs to happen in one
place.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #790
Approved by: rhatdan
When we're given a numeric --user value, default to GID 0 if the numeric
ID doesn't correspond to a user entry in /etc/passwd that can provide us
with the user's primary group ID.
Make sure that GetAdditionalGroupsForUser() returns wrapped errors.
Also test various user:group forms.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #728
Approved by: mheon
If the user uses the image ID when saving to either docker-archive
or oci-archive, then do not save a reference in the manifest/index.json.
If the user chooses to push without an image reference, i.e <transport>:<path>
it should be valid and succeed.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #782
Approved by: rhatdan
Allow containers that no longer exist in storage to be evicted
from the state instead of erroring.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #764
Approved by: rhatdan
And add an argument to WithHooksDir to set it.
If the hook dir doesn't exist, the new hooks package considers that a
fatal error. When a podman caller sets
--hooks-dir-path=/some/typoed/directory, a fatal error is more helpful
than silently not loading any hooks. However, callers who call podman
without setting --hooks-dir-path may not need hooks at all. We don't
want to pester those callers with not-exist errors. With this commit,
we:
* Assume the caller knows what they're doing if they set
--hooks-dir-path and set HooksDirNotExistFatal.
* If the caller does not explicitly set --hooks-dir-path, assume they
won't mind if the hook directory is missing and set
HooksDirNotExistFatal false.
We also considered checking for the directory's existence in the code
calling WithHooksDir or from within WithHooksDir, but checks there
would race with the underlying ioutil.ReadDir in the hooks package.
By pushing the warn/error decision down into libpod's implementation,
we avoid a racy "do we expect this to work once libpod gets to it?"
pre-check.
I've also added a check to error if WithHooksDir is called with an
empty-string argument, because we haven't defined the semantics of
that (is it clearing a previous value? Is it effectively the same as
the current directory?). I agree with Matthew that a separate
WithNoHooks, or a *string argument to WithHooks, or some such would be
a better API for clearing previous values [1]. But for now, I'm just
erroring out to fail early for callers who might otherwise be
surprised that libpod ignores empty-string HooksDir.
[1]: https://github.com/projectatomic/libpod/pull/686#issuecomment-385119370
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #686
Approved by: mheon
This shifts the matching logic out of libpod/container_internal and
into the hook package, where we can reuse it after vendoring into
CRI-O. It also adds unit tests with almost-complete coverage. Now
libpod is even more isolated from the hook internals, which makes it
fairly straightforward to bump the hook config file to 1.0.0. I've
dubbed the old format 0.1.0, although it doesn't specify an explicit
version. Motivation for some of my changes with 1.0.0:
* Add an explicit version field. This will make any future JSON
structure migrations more straightforward by avoiding the need for
version-guessing heuristics.
* Collect the matching properties in a new When sub-structure. This
makes the root Hook structure easier to understand, because you
don't have to read over all the matching properties when wrapping
your head around Hook.
* Replace the old 'hook' and 'arguments' with a direct embedding of
the runtime-spec's hook structure. This provides access to
additional upstream properties (args[0], env, and timeout) and
avoids the complication of a CRI-O-specific analog structure.
* Add a 'when.always' property. You can usually accomplish this
effect in another way (e.g. when.commands = [".*"]), but having a
boolean explicitly for this use-case makes for easier reading and
writing.
* Replace the previous annotations array with an annotations map. The
0.1.0 approach matched only the values regardless of key, and that
seems unreliable.
* Replace 'cmds' with 'when.commands', because while there are a few
ways to abbreviate "commands", there's only one way to write it out
in full ;). This gives folks one less thing to remember when
writing hook JSON.
* Replace the old "inject if any specified condition matches" with
"inject if all specified conditions match". This allows for more
precise targeting. Users that need more generous targeting can
recover the previous behavior by creating a separate 1.0.0 hook file
for each specified 0.1.0 condition.
I've added doc-compat support for the various pluralizations of the
0.1.0 properties. Previously, the docs and code were not in
agreement. More on this particular facet in [1].
I've updated the docs to point out that the annotations being matched
are the OCI config annotations. This differs from CRI-O, where the
annotations used are the Kubernetes-supplied annotations [2,3]. For
example, io.kubernetes.cri-o.Volumes [4] is part of CRI-O's runtime
config annotations [5], but not part of the Kubernetes-supplied
annotations CRI-O uses for matching hooks.
The Monitor method supports the CRI-O use-case [6]. podman doesn't
need it directly, but CRI-O will need it when we vendor this package
there.
I've used nvidia-container-runtime-hook for the annotation examples
because Dan mentioned the Nvidia folks as the motivation behind
annotation matching. The environment variables are documented in [7].
The 0.1.0 hook config, which does not allow for environment variables,
only works because runc currently leaks the host environment into the
hooks [8]. I haven't been able to find documentation for their usual
annotation trigger or hook-install path, so I'm just guessing there.
[1]: https://github.com/kubernetes-incubator/cri-o/pull/1235
[2]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L760
[3]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L772
[4]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/pkg/annotations/annotations.go#L97-L98
[5]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L830-L834
[6]: https://github.com/kubernetes-incubator/cri-o/pull/1345/
[7]: https://github.com/NVIDIA/nvidia-container-runtime/tree/v1.3.0-1#environment-variables-oci-spec
[8]: https://github.com/opencontainers/runc/pull/1738
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #686
Approved by: mheon
Like podman pull, when you push an image, podman should check
if the registry is listed as insecure and if so, it should
--tls-verify=false unless the user overrides this.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #738
Approved by: mheon
the error was:
libpod/container.go:219::error: struct field tag `json:"groups, omitempty"` not compatible with reflect.StructTag.Get: suspicious space in struct tag value (vet)
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #729
Approved by: baude
This prevents you from cleaning up the container database, if
some how runc and friends db gets screwed up.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #725
Approved by: mheon
so that the OCI runtime creates the network namespace from the correct
userNS.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #690
Approved by: mheon
when pulling from a secure registry that is documented in registries.conf, we
should be able to pull without tls-verify=false
Signed-off-by: baude <bbaude@redhat.com>
Closes: #718
Approved by: rhatdan
This allows us to restart containers that have never been started
without error. This makes RestartWithTimeout work with running,
stopped, and created containers.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #719
Approved by: rhatdan
first pass at adding in the container related endpoints/methods for the libpod
backend. Couple of important notes:
* endpoints that can use a console are not going to be done until we have "remote" console
* several of the container methods should probably be able to stream as opposed to a one-off return
Signed-off-by: baude <bbaude@redhat.com>
Closes: #708
Approved by: baude
We need these for commit, and they cannot be properly deduced
from just the OCI spec, so save them in the database so we can
retrieve them for commit.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #700
Approved by: rhatdan
This allows us to accurately trigger OCI hooks that trigger on
the presence of volume mounts.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #700
Approved by: rhatdan
when performing a container commit, we should not add the default list of volumes
for a container to the resulting image. it will cause the resulting image to crash
when run subsequently.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #699
Approved by: mheon
Vendor in buildah and use as much of commit and bug as possible for podman
build and commit.
Resolves#586
Signed-off-by: baude <bbaude@redhat.com>
Closes: #681
Approved by: mheon
Made a mistake in my earlier patch. I though that if you add an empty string
to an array, the length of the array would still be 0...
Realised this when vendoring the secrets pkg into cri-o.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #685
Approved by: mheon
implement varlink image functions for working with libpod with the exception of a
couple due to incompletions on the libpod side of things (build).
also, created a first pass at a libpodpy package which will stand as a client to
working with libpod's varlink methods using python.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #669
Approved by: baude
Instead of execing out to the host's IP, use the IP address we
got back from CNI to populate Inspect's IP address information.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Closes: #680
Approved by: umohnani8
The hidden flag is used to override the path of the default mounts file
for testing purposes.
Also modified the secrets pkg to allow for this override to happen.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #678
Approved by: mheon
When a user pulls an image using a transport, like docker-daemon, we try to lookup
the new image in storage by the input name after the pull. Because the input name
has a transport (different than local storage), that lookup would fail.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #644
Approved by: rhatdan
If an integer is passed into the --user flag, i.e --user=1234
don't look up the user in /etc/passwd, just assign the integer as the uid.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #652
Approved by: mheon
If the host is in FIPS mode and /etc/system-fips exists
/run/secrets/system-fips is created in the container so that
the container can run in FIPS mode as well.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Made necessary changes to functions to include contex.Context wherever needed
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #640
Approved by: baude
In the case where podman needs to pull an image, if that registry that the image
resides on is known to be insesure (as defined in /etc/containers/registries.conf),
tls-verify should be altered on the fly.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #626
Approved by: mheon
In the case where you have an image local, if the the user runs
podman pull, we should always attempt to pull an updated image.
Added a forceRemote bool to New (image) so we can differentiate
between "pull" or run because the actions differ. Run does not
need to pull the latest -- only run.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #618
Approved by: baude
Comparing Go interfaces, like io.Reader, to nil does not work. As
such, we need to include a bool with each stream telling whether
to attach to it.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #608
Approved by: baude
This allows us to attach to attach to just stdout or stderr or
stdin, or any combination of these.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #608
Approved by: baude
Until we can handle running containers which use UID/GID mappings, make
sure that we always create containers that use the host mappings.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #609
Approved by: baude
This solves a nasty locking issue with getting the path of
namespaces for dependencies
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #600
Approved by: rhatdan
When a container is transitioning from running to stopped and stats is runnings,
we should not break stats if we are unable to get stats for that container.
Resolves: #598
Signed-off-by: baude <bbaude@redhat.com>
Closes: #599
Approved by: mheon
Valentin Rothberg