Commit Graph

1256 Commits

Author SHA1 Message Date
Daniel J Walsh 5a8e5a2b17 Mask /proc/keys to protect information leak about keys on host
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1060
Approved by: mheon
2018-07-08 13:38:20 +00:00
W. Trevor King 0660108e3e ctime: Drop 32-/64-bit distinction on Linux
We added the explicit int64 casts for 32-bit builds in 35e1ad78 (Make
libpod build on 32-bit systems, 2018-02-12, #324), but the explicit
casts work fine on 64-bit systems too.

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #1058
Approved by: mheon
2018-07-07 20:35:00 +00:00
haircommander 32dd520606 Podman stats with no containers listed is the same as podman stats --all
Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1031
Approved by: rhatdan
2018-07-07 19:52:51 +00:00
Jhon Honce ca6ffbccc2 Refactor unittest for change in history API
* test_images.TestImages.test_history changed to allow
  '<missing>' as legal image ID.  Previously all layers
  used the image ID.  Now layer 0 reports '<missing>'.

Signed-off-by: Jhon Honce <jhonce@redhat.com>

Closes: #1056
Approved by: jwhonce
2018-07-06 21:59:36 +00:00
Matthew Heon d61437f689
Merge pull request #1059 from mheon/bump-0.7.1
Bump to 0.7.1
2018-07-06 14:34:46 -04:00
Matthew Heon 0b4c3da479 Bump gitvalidation epoch
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
2018-07-06 14:32:51 -04:00
Matthew Heon 6fb7a68848 Bump to v0.7.2-dev
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
2018-07-06 14:32:50 -04:00
Matthew Heon 802d4f2ba4 Bump to v0.7.1
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
2018-07-06 14:32:46 -04:00
W. Trevor King b2344b83ed pkg/ctime: Factor libpod/finished* into a separate package
This removes some boilerplate from the libpod package, so we can focus
on container stuff there.  And it gives us a tidy sub-package for
focusing on ctime extraction, so we can focus on unit testing and
portability of the extraction utility there.

For the unsupported implementation, I'm falling back to Go's ModTime
[1].  That's obviously not the creation time, but it's likely to be
closer than the uninitialized Time structure from cc6f0e85 (more
changes to compile darwin, 2018-07-04, #1047).  Especially for our use
case in libpod/oci, where we're looking at write-once exit files.

The test is more complicated than I initially expected, because on
Linux filesystem timestamps come from a truncated clock without
interpolation [2] (and network filesystems can be completely decoupled
[3]).  So even for local disks, creation times can be up to a jiffie
earlier than 'before'.  This test ensures at least monotonicity by
creating two files and ensuring the reported creation time for the
second is greater than or equal to the reported creation time for the
first.  It also checks that both creation times are within the window
from one second earlier than 'before' through 'after'.  That should be
enough of a window for local disks, even if the kernel for those
systems has an abnormally large jiffie.  It might be ok on network
filesystems, although it will not be very resilient to network clock
lagging behind the local system clock.

[1]: https://golang.org/pkg/os/#FileInfo
[2]: https://groups.google.com/d/msg/linux.kernel/mdeXx2TBYZA/_4eJEuJoAQAJ
     Subject: Re: Apparent backward time travel in timestamps on file creation
     Date: Thu, 30 Mar 2017 20:20:02 +0200
     Message-ID: <tqMPU-1Sb-21@gated-at.bofh.it>
[3]: https://groups.google.com/d/msg/linux.kernel/mdeXx2TBYZA/cTKj4OBuAQAJ
     Subject: Re: Apparent backward time travel in timestamps on file creation
     Date: Thu, 30 Mar 2017 22:10:01 +0200
     Message-ID: <tqOyl-36A-1@gated-at.bofh.it>

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #1050
Approved by: mheon
2018-07-06 17:54:32 +00:00
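The monotonicity-plus-window test described in the commit above, written out as an added example (not libpod's own test code). It uses the same fallback the commit chooses for unsupported platforms, os.Stat ModTime, and a one-second slack below 'before'; treating that slack as sufficient for the machines you run it on is an assumption of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// Slack covers the kernel's truncated timestamp clock lagging behind
// time.Now(): a file's recorded time can land up to a jiffy before 'before'.
// One second is the window the commit message settles on; treating it as
// enough for the machines you test on is an assumption of this example.
const Slack = time.Second

// CheckCreationTimes enforces the two properties the test relies on:
// monotonicity (second >= first) and both values inside [before-Slack, after].
func CheckCreationTimes(before, after, first, second time.Time) error {
	if second.Before(first) {
		return fmt.Errorf("not monotonic: second %v precedes first %v", second, first)
	}
	lower := before.Add(-Slack)
	for _, c := range []struct {
		name string
		ts   time.Time
	}{{"first", first}, {"second", second}} {
		if c.ts.Before(lower) {
			return fmt.Errorf("%s file time %v is earlier than %v", c.name, c.ts, lower)
		}
		if c.ts.After(after) {
			return fmt.Errorf("%s file time %v is later than 'after' %v", c.name, c.ts, after)
		}
	}
	return nil
}

// CreationTime is the portable fallback the commit describes for platforms
// without a real ctime: os.Stat's ModTime. For write-once exit files the two
// coincide closely enough.
func CreationTime(path string) (time.Time, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return time.Time{}, err
	}
	return fi.ModTime(), nil
}

// ProbeDir writes two files into dir in order and returns the wall-clock
// bracket around the writes plus the two extracted times.
func ProbeDir(dir string) (before, after, first, second time.Time, err error) {
	before = time.Now()
	names := []string{"first", "second"}
	var times [2]time.Time
	for i, n := range names {
		p := filepath.Join(dir, n)
		if err = os.WriteFile(p, []byte("0\n"), 0o600); err != nil {
			return
		}
		if times[i], err = CreationTime(p); err != nil {
			return
		}
	}
	after = time.Now()
	return before, after, times[0], times[1], nil
}

func main() {
	dir, err := os.MkdirTemp("", "ctime-probe-")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer os.RemoveAll(dir)
	before, after, first, second, err := ProbeDir(dir)
	if err == nil {
		err = CheckCreationTimes(before, after, first, second)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "FAIL:", err)
		os.Exit(1)
	}
	fmt.Printf("ok: first=%v second=%v\n", first, second)
}
```

Run it against a local disk and it should pass; on a network filesystem whose server clock lags the client, the lower bound is the check most likely to fire, which is the limitation the commit message calls out.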
Daniel J Walsh aaab26fd0c Block use of /proc/acpi from inside containers
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1053
Approved by: mheon
2018-07-06 17:29:35 +00:00
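A check a practitioner would want after the two masking commits above (/proc/keys at 5a8e5a2b17 and /proc/acpi here): read a generated OCI config.json and report which sensitive paths are neither masked themselves nor covered by a masked ancestor. This is an added example, not libpod's code. The `linux.maskedPaths` field name is the OCI runtime-spec's own; the RequiredMasked baseline and the sample config are constructed for the example and are not libpod's actual list.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"sort"
)

// ociSpec is the slice of an OCI runtime-spec config.json this check reads;
// the field names are the runtime-spec's own, everything else is ignored.
type ociSpec struct {
	Linux struct {
		MaskedPaths []string `json:"maskedPaths"`
	} `json:"linux"`
}

// RequiredMasked is the baseline this example enforces. It is an assumption
// built around the two paths the commits above mask, not libpod's real list.
var RequiredMasked = []string{
	"/proc/acpi",
	"/proc/kcore",
	"/proc/keys",
	"/proc/timer_list",
	"/sys/firmware",
}

// covered reports whether p, or any directory above it, is in masked.
func covered(masked map[string]bool, p string) bool {
	for q := path.Clean(p); ; q = path.Dir(q) {
		if masked[q] {
			return true
		}
		if q == "/" || q == "." {
			return false
		}
	}
}

// MissingMaskedPaths parses a config.json and returns, sorted, each
// RequiredMasked entry that neither it nor an ancestor masks.
func MissingMaskedPaths(configJSON []byte) ([]string, error) {
	var spec ociSpec
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return nil, fmt.Errorf("parse config.json: %w", err)
	}
	masked := make(map[string]bool, len(spec.Linux.MaskedPaths))
	for _, p := range spec.Linux.MaskedPaths {
		masked[path.Clean(p)] = true
	}
	var missing []string
	for _, p := range RequiredMasked {
		if !covered(masked, p) {
			missing = append(missing, p)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// SampleConfig is a constructed config.json resembling a pre-commit spec:
// it masks several /proc entries but not /proc/keys or /proc/acpi.
const SampleConfig = `{
  "ociVersion": "1.0.0",
  "process": {"args": ["sh"]},
  "linux": {
    "maskedPaths": ["/proc/kcore", "/proc/timer_list", "/sys/firmware"],
    "readonlyPaths": ["/proc/sys"]
  }
}`

func main() {
	missing, err := MissingMaskedPaths([]byte(SampleConfig))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(missing) == 0 {
		fmt.Println("all required paths are masked")
		return
	}
	for _, p := range missing {
		fmt.Println("not masked:", p)
	}
}
```

Point it at the config.json in a container's bundle directory to confirm a given podman build applies the masks; the ancestor walk matters because masking /proc wholesale, while unusual, legitimately covers every entry under it.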
baude 6092955783 remove buildah requirement for the libpod image library
if we snip the requirement to use a buildah const in the libpod image library,
we can save something on the order of 85 vendored files in consumers of the
library.

Signed-off-by: baude <bbaude@redhat.com>

Closes: #1054
Approved by: mheon
2018-07-06 17:03:19 +00:00
W. Trevor King 8aed3857d3 contrib/python/test/test_tunnel: Fix -nNT -> -nNTq
Catching the tests up with 60427ab3 (add podman remote client,
2018-06-22, #986) to avoid non-fatal smoketest failures like [1]:

  ======================================================================
  FAIL: test_tunnel (test.test_tunnel.TestTunnel)
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "/usr/lib64/python3.6/unittest/mock.py", line 1179, in patched
      return func(*args, **keywargs)
    File "/go/src/github.com/projectatomic/libpod/contrib/python/test/test_tunnel.py", line 79, in test_tunnel
      mock_Popen.assert_called_once_with(cmd, close_fds=True)
    File "/usr/lib64/python3.6/unittest/mock.py", line 825, in assert_called_once_with
      return self.assert_called_with(*args, **kwargs)
    File "/usr/lib64/python3.6/unittest/mock.py", line 814, in assert_called_with
      raise AssertionError(_error_message()) from cause
  AssertionError: Expected call: Popen(['ssh', '-nNT', '-L', '/tmp/user/socket:/run/podman/socket', '-i', '~/.ssh/id_rsa', 'ssh://user@hostname'], close_fds=True)
  Actual call: Popen(['ssh', '-nNTq', '-L', '/tmp/user/socket:/run/podman/socket', '-i', '~/.ssh/id_rsa', 'ssh://user@hostname'], close_fds=True)

[1]: 0d792d5c92.1.1529764423989739036/output.log

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #1035
Approved by: mheon
2018-07-06 16:38:42 +00:00
Marco Vedovati 9eef9eb212 Refactor podman/utils with a single container start and attach function
Use a single function startAttachCtr() to handle both container start
with attach and attach to running containers, as the code handling the
attach is common for the 2 use cases.

Signed-off-by: Marco Vedovati <mvedovati@suse.com>

Closes: #1025
Approved by: rhatdan
2018-07-06 16:02:46 +00:00
Matthew Heon cf2be66f52 Remove now-unneeded cleanupCgroup() for unsupported OS
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1051
Approved by: umohnani8
2018-07-06 15:29:38 +00:00
Matthew Heon eae8007896 Remove per-container CGroup parents
Originally, it seemed like a good idea to place Conmon and the
container it managed under a shared CGroup, so we could manage
the two together. It's become increasingly clear that this is a
potential performance sore point, gains us little practical
benefit in managing Conmon, and adds extra steps to container
cleanup that interfere with Conmon postrun hooks.

Revert back to a shared CGroup for conmon processes under the
CGroup parent. This will retain per-pod conmon CGroups as well if
the pod is set to create a CGroup and act as CGroup parent for
its containers.

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1051
Approved by: umohnani8
2018-07-06 15:29:38 +00:00
TomSweeneyRedHat 99959e55fa Fix nits and GOPATH in tutorial
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>

Closes: #1052
Approved by: baude
2018-07-06 00:49:56 +00:00
W. Trevor King 4f0c0597a1 spec: Make addPrivilegedDevices and createBlockIO per-platform
b96be3af (changes to allow for darwin compilation, 2018-06-20, #1015)
made AddPrivilegedDevices per-platform and cc6f0e85 (more changes to
compile darwin, 2018-07-04, #1047) made CreateBlockIO per-platform.
But both left out docs for the unsupported version [1]:

  pkg/spec/config_unsupported.go:18:1⚠️ exported method
    CreateConfig.AddPrivilegedDevices should have comment or be
    unexported (golint)
  pkg/spec/config_unsupported.go:22:1⚠️ exported method
    CreateConfig.CreateBlockIO should have comment or be unexported
    (golint)

To keep the docs DRY, I've restored the public methods and their docs,
and I've added new, internal methods for the per-platform
implementations.

[1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L160

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #1034
Approved by: baude
2018-07-06 00:48:40 +00:00
W. Trevor King 537f021733 libpod/runtime_pod: Make removePod per-platform
b96be3af (changes to allow for darwin compilation, 2018-06-20, #1015)
made RemovePod per-platform, but left out docs for the unsupported
version [1]:

  libpod/runtime_pod_unsupported.go:14:1⚠️ exported method
  Runtime.RemovePod should have comment or be unexported (golint)

To keep the docs DRY, I've restored RemovePod and its docs to their
previous location, and named a new, internal removePod for the
per-platform implementations.

[1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L159

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #1034
Approved by: baude
2018-07-06 00:48:39 +00:00
W. Trevor King cad28cc2d3 libpod/networking_unsupported: Remove JoinNetworkNameSpace
This function was added in cc6f0e85 (more changes to compile darwin,
2018-07-04, #1047), but it has no consumers and no Linux analog.
Remove it, which also fixes the [1]:

  libpod/networking_unsupported.go:9:1⚠️ exported function
  JoinNetworkNameSpace should have comment or be unexported (golint)

lint issue.

[1]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L158

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #1034
Approved by: baude
2018-07-06 00:48:39 +00:00
W. Trevor King b1f63aa0cd .travis: Run gofmt and lint on OS X
Just in case their output depends on the target GOOS.  Lint, at least,
does care, because it can pass on Linux [1] and fail on OS X [2] with
the same code.

[1]: https://travis-ci.org/projectatomic/libpod/jobs/400555936#L856
[2]: https://travis-ci.org/projectatomic/libpod/jobs/400555937#L153

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #1034
Approved by: baude
2018-07-06 00:48:39 +00:00
W. Trevor King 83968de28c rootless: Merge rootless.go back into rootless_linux.go
The files were split apart by b96be3af (changes to allow for darwin
compilation, 2018-06-20, #1015), but the C import and two functions
left in rootless.go are all Linux-specific as well.  This commit moves
all of the pre-b96be3af rootless.go into rootless_linux.go, just
adding the '// +build linux' header (b96be3af also scrambled the + in
that header) and keeping the new GetRootlessUID from a1545fe6
(rootless: add function to retrieve the original UID, 2018-07-05, #1048).

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #1034
Approved by: baude
2018-07-06 00:48:39 +00:00
W. Trevor King 4b54a471a4 Makefile: Use a pattern rule for cross-compilation
Pattern-rule documentation is in [1].  This commit follows the basic
approach from [2], with the portable build tags from [3].

Using --keep-going allows folks to see errors for multiple target
platforms.  For example, if the Darwin target dies, we'll still
attempt to build the Linux target before erroring out.

I've added an ALLOWED_TO_FAIL environment variable to mark script
blocks for the allow_failures block.  Currently we're requiring
builds from Linux for Linux and OS X to succeed, but allowing builds
from OS X to both targets to fail.

[1]: https://www.gnu.org/software/make/manual/html_node/Pattern-Intro.html#Pattern-Intro
[2]: e5031fcf9a
[3]: https://github.com/kubernetes-incubator/cri-o/pull/1653

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #1034
Approved by: baude
2018-07-06 00:48:39 +00:00
baude cc6f0e85f9 more changes to compile darwin
this should represent the last major changes to get darwin to **compile**.  again,
the purpose here is to get darwin to compile so that we can eventually implement a
ci task that would protect against regressions for darwin compilation.

i have left the manual darwin compilation largely static still and in fact now only
interject (manually) two build tags to assist with the build.  trevor king has great
ideas on how to make this better and i will defer final implementation of those
to him.

Signed-off-by: baude <bbaude@redhat.com>

Closes: #1047
Approved by: rhatdan
2018-07-05 16:05:12 +00:00
umohnani8 33870ea2c3 Fix timeout issue with built-in volume test
Building our own image to test built-in volume and user
instead of using the mariadb one.
Solves timeout issue in travis tests.

Signed-off-by: umohnani8 <umohnani@redhat.com>

Closes: #1044
Approved by: mheon
2018-07-05 14:20:12 +00:00
Giuseppe Scrivano 4cc4c7137d rootless: add /run/user/$UID to the lookup paths
when XDG_RUNTIME_DIR is not set, still attempt to use /run/user/$UID
before looking up other directories.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1048
Approved by: mheon
2018-07-05 13:30:15 +00:00
Giuseppe Scrivano a1545fe6e4 rootless: add function to retrieve the original UID
After we re-exec in the userNS os.Getuid() returns the new UID (= 0)
which is not what we want to use.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1048
Approved by: mheon
2018-07-05 13:30:15 +00:00
Giuseppe Scrivano e38272047f rootless: always set XDG_RUNTIME_DIR
containers/image uses XDG_RUNTIME_DIR to locate the auth file.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1048
Approved by: mheon
2018-07-05 13:30:15 +00:00
Giuseppe Scrivano 77758a6c9f rootless: set XDG_RUNTIME_DIR also for state and exec
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Closes: #1048
Approved by: mheon
2018-07-05 13:30:15 +00:00
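The lookup order from the four rootless commits above (a1545fe6e4, 4cc4c7137d, e38272047f, 77758a6c9f), as an added example rather than libpod's code: recover the UID from before the user-namespace re-exec, resolve the runtime directory as $XDG_RUNTIME_DIR, then /run/user/$UID, then a fallback, export it, and refuse a directory other local users could write to. The `_EXAMPLE_ORIG_UID` variable name, the injected getenv/getuid/isDir hooks and the temp-dir fallback are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
)

// OrigUIDEnv is a hypothetical variable name. The example assumes the process
// stores its real UID here before re-exec'ing into the user namespace, since
// os.Getuid() reports 0 once inside it.
const OrigUIDEnv = "_EXAMPLE_ORIG_UID"

// OriginalUID returns the UID recorded before re-exec when present,
// otherwise the current one. getenv and getuid are injected for testing.
func OriginalUID(getenv func(string) string, getuid func() int) (int, error) {
	v := getenv(OrigUIDEnv)
	if v == "" {
		return getuid(), nil
	}
	uid, err := strconv.Atoi(v)
	if err != nil || uid < 0 {
		return 0, fmt.Errorf("%s=%q is not a valid uid", OrigUIDEnv, v)
	}
	return uid, nil
}

// RuntimeDir resolves the per-user runtime directory in the order the rootless
// commits describe: $XDG_RUNTIME_DIR, then /run/user/$UID when it exists. The
// final fallback under the temp dir is an assumption of this example.
func RuntimeDir(getenv func(string) string, uid int, isDir func(string) bool) string {
	if d := getenv("XDG_RUNTIME_DIR"); d != "" {
		return d
	}
	if d := filepath.Join("/run", "user", strconv.Itoa(uid)); isDir(d) {
		return d
	}
	return filepath.Join(os.TempDir(), "run-"+strconv.Itoa(uid))
}

// CheckRuntimeDir is the guard to apply before trusting the directory for
// sockets, auth files and state: it must be a directory with mode 0700, so
// other local users cannot plant or read files in it.
func CheckRuntimeDir(dir string) error {
	fi, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if !fi.IsDir() {
		return fmt.Errorf("%s is not a directory", dir)
	}
	if perm := fi.Mode().Perm(); perm != 0o700 {
		return fmt.Errorf("%s has mode %04o, want 0700", dir, perm)
	}
	return nil
}

func dirExists(p string) bool {
	fi, err := os.Stat(p)
	return err == nil && fi.IsDir()
}

func main() {
	uid, err := OriginalUID(os.Getenv, os.Getuid)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	dir := RuntimeDir(os.Getenv, uid, dirExists)
	// Export the result so libraries that read XDG_RUNTIME_DIR (containers/image
	// for its auth file, per commit e38272047f) see the same directory.
	os.Setenv("XDG_RUNTIME_DIR", dir)
	if err := CheckRuntimeDir(dir); err != nil {
		fmt.Fprintln(os.Stderr, "refusing runtime dir:", err)
		os.Exit(1)
	}
	fmt.Println(dir)
}
```

The mode check is deliberately strict: a runtime directory that is group- or world-accessible lets another local account reach the API socket and the registry auth file that land there.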
W. Trevor King baa42fd4bd libpod/container: Replace containerState* with containerPlatformState
This way we don't need to stub in structures for other OSes (e.g. the
Darwin stub in a Linux-only file).  Matthew was concerned about errors
unmarshalling, say, a Linux state object on a Windows box [1], but we
can address that in checks when loading the database [2].

[1]: https://github.com/projectatomic/libpod/pull/1015#discussion_r198649043
[2]: https://github.com/projectatomic/libpod/pull/1015#discussion_r198802956

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #1033
Approved by: mheon
2018-07-05 12:47:10 +00:00
Valentin Rothberg 49fe03c626 urfave/cli: fix parsing of short opts
Vendor an updated version of urfave/cli to fix the parsing of short
options.  Until the fix is merged upstream, vendor the code from
github.com/vrothberg/cli containing both, the latest urfave/cli and
the bug fix.

Fixes: #714
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>

Closes: #1046
Approved by: rhatdan
2018-07-05 10:43:17 +00:00
W. Trevor King f2462ca59e docs: Follow man-pages(7) suggestions for SYNOPSIS
man-pages(7) has [1]:

> For commands, this shows the syntax of the command and its arguments
> (including options); boldface is used for as-is text and italics are
> used to indicate replaceable arguments. Brackets ([]) surround
> optional arguments, vertical bars (|) separate choices, and ellipses
> (...) can be repeated.

I've adjusted our SYNOPSIS entries to match that formatting, and
generally tried to make them more consistent with the precedent set by
the man-pages project.  Outside of the SYNOPSIS entry, I prefer using
backticks for literals, although in some places I've left the **
bolding to keep things visually similar to a nearby SYNOPSIS entry.

[1]: http://man7.org/linux/man-pages/man7/man-pages.7.html

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #1027
Approved by: rhatdan
2018-07-04 09:40:37 +00:00
TomSweeneyRedHat 6d8fac87ed Allow multiple mounts
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>

Closes: #1030
Approved by: rhatdan
2018-07-03 18:02:45 +00:00
W. Trevor King 7a5c376e63 Makefile: Use 'git diff' to show gofmt changes
This makes fixing errors easier.  Before this commit, errors looked
like [1]:

  $ make gofmt
  libpod/container_linux.go:1:⚠️ file is not gofmted with -s (gofmt)
  make: *** [gofmt] Error 1

But that's not very helpful when your local gofmt thinks the file is
fine.  With this commit, errors will look like:

  $ make gofmt
  find . -name '*.go' ! -path './vendor/*' -exec gofmt -s -w {} \+
  git diff --exit-code
  diff --git a/libpod/container_internal.go b/libpod/container_internal.go
  index df4de3fe..22b39870 100644
  --- a/libpod/container_internal.go
  +++ b/libpod/container_internal.go
  @@ -1,7 +1,7 @@
   package libpod

   import (
  -"bytes"
  +       "bytes"
          "context"
          "encoding/json"
          "fmt"
  make: *** [Makefile:87: gofmt] Error 1

(or whatever, I just stuffed in a formatting error for demonstration
purposes).

Also remove the helper script in favor of direct Makefile calls,
because with Git handling difference reporting and exit status, this
becomes a simpler check.  find's -exec, !, and -path arguments are
specified in POSIX [2].

[1]: https://travis-ci.org/kubernetes-incubator/cri-o/jobs/331949394#L1075
[2]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/find.html

Signed-off-by: W. Trevor King <wking@tremily.us>

Closes: #1038
Approved by: rhatdan
2018-07-03 10:39:54 +00:00
Matthew Heon 40e4481bd8 Skip a test in Travis that has timeout issues
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #1041
Approved by: rhatdan
2018-07-03 10:09:12 +00:00
baude 767b3ddc43 vendor in selinux and buildah for darwin compilation
Signed-off-by: baude <bbaude@redhat.com>

Closes: #1037
Approved by: baude
2018-07-02 20:39:16 +00:00
baude d357703e06 add image user to inspect data
Signed-off-by: baude <bbaude@redhat.com>

Closes: #1036
Approved by: rhatdan
2018-07-02 15:10:46 +00:00
baude b96be3af1b changes to allow for darwin compilation
Signed-off-by: baude <bbaude@redhat.com>

Closes: #1015
Approved by: baude
2018-06-29 20:44:09 +00:00
Matthew Heon 8d114ea4d8
Merge pull request #1029 from mheon/bump-0.6.5
Bump to v0.6.5
2018-06-29 16:00:47 -04:00
Matthew Heon 7a2298db6b Bump gitvalidation epoch
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
2018-06-29 15:59:22 -04:00
Matthew Heon c71845fa70 Bump to v0.7.1-dev
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
2018-06-29 15:59:22 -04:00
Matthew Heon 9d97bd67ed Bump to v0.6.5
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
2018-06-29 15:59:12 -04:00
umohnani8 4c8c000f3a Fix built-in volume issue with podman run/create
The destination path of the built-in volume was not being created
but a relabel was being attempted on it, this was causing issues
with all images that have built-in volumes.
This patch fixes that and ensures the destination volume path
is created.

Signed-off-by: umohnani8 <umohnani@redhat.com>

Closes: #1026
Approved by: mheon
2018-06-29 19:56:12 +00:00
Daniel J Walsh 7fc1a329bd Add `podman container cleanup` to CLI
When we run containers in detach mode, nothing cleans up the network stack or
the mount points.  This patch will tell conmon to execute the cleanup code when
the container exits.

It can also be called to attempt to cleanup previously running containers.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #942
Approved by: mheon
2018-06-29 15:25:21 +00:00
TomSweeneyRedHat 41bd607c12 Allow multiple containers and all for umount
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>

Closes: #1012
Approved by: rhatdan
2018-06-29 15:01:21 +00:00
Daniel J Walsh 3a90b5224d Returning joining namespace error should not be fatal
I got my database state in a bad way by killing a hanging container.

It did not setup the network namespace correctly

listing/remove bad containers becomes impossible.

podman run alpine/nginx
^c
got me in this state.

I got into a state in the database where
podman ps -a
was returning errors and I could not get out of it.  Making joining the network
namespace a non-fatal error fixes the issue.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #918
Approved by: mheon
2018-06-29 14:32:57 +00:00
Daniel J Walsh 810f2b6061 Start using github.com/seccomp/containers-golang
Use newer seccomp bindings from the seccomp upstream

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1021
Approved by: giuseppe
2018-06-29 13:18:41 +00:00
haircommander c09bbe8e06 Test to verify overlay quotas work, show container overhead on quota
Signed-off-by: haircommander <pehunt@redhat.com>

Closes: #1013
Approved by: rhatdan
2018-06-29 09:21:33 +00:00
Daniel J Walsh c9eddd22eb conmon no longer writes to syslog
If the caller sets up the app to be in logrus.DebugLevel,
then we will add the --syslog flag to conmon to get all of the
messages.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1014
Approved by: TomSweeneyRedHat
2018-06-29 08:22:27 +00:00
Daniel J Walsh d61d8a35e0 Fix broken f28/cloud instance
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #1024
Approved by: nalind
2018-06-29 00:28:27 +00:00
umohnani8 10dfd8d92a Vendor latest projectatomic/buildah
Fixes issue with build for last step of docker file when
building with --layers.

Signed-off-by: umohnani8 <umohnani@redhat.com>

Closes: #1023
Approved by: mheon
2018-06-28 23:26:42 +00:00