build a podman-remote binary for windows that allows users to use the
remote client on windows and interact with podman on linux system.
Signed-off-by: baude <bbaude@redhat.com>
enable the ability to start containers from the remote-client. also,
enable start integration tests for remote testing.
Signed-off-by: baude <bbaude@redhat.com>
The remote client should not honor most of the local podman "global"
options. Many of them are only applicable to where the podman backend
is actually running.
Also, removing some options for push and pull that also are not
applicable to the remote client environment.
Additionally, take some of the code from main and pop it into functions
that can be called whether local or not. This helps the remote client
and darwin builds.
Signed-off-by: baude <bbaude@redhat.com>
Also, you can now podman-remote run -it. There are some bugs that need
to be ironed out but I would prefer to merge this so we can make both
progress on start and exec as well as the bugs.
* when doing podman-remote run -it foo /bin/bash, you have to press
enter to get the prompt to display. with the localized podman, we had to
teach it connect to the console first and then start the container so we
did not miss anything.
* when executing "exit" in the console, we get a hard lockup likely
because nobody knows what to do.
* custom detach keys are not supported
* podman-remote run -it alpine ls does not currently work. only
dropping to a shell works.
Signed-off-by: baude <bbaude@redhat.com>
* refactor command output to use one function
* Add new worker pool parallel operations
* Implement podman-remote umount
* Refactored podman wait to use printCmdOutput()
Signed-off-by: Jhon Honce <jhonce@redhat.com>
add the ability to create and run containers via the podman-remote
client.
we now create an intermediate layer from the the create/run cli flags.
the intermediate layer can be converted into a createconfig or into a
varlink struct. Once transported, the varlink struct can be converted
back to an intermediate layer and then to a createconfig.
remote terminals are not supported yet.
Signed-off-by: baude <bbaude@redhat.com>
the remote client now can run the diff command to report changes,
modifications, and deletions in an image or container.
Signed-off-by: baude <bbaude@redhat.com>
simplify the rootless implementation to use a single user namespace
for all the running containers.
This makes the rootless implementation behave more like root Podman,
where each container is created in the host environment.
There are multiple advantages to it: 1) much simpler implementation as
there is only one namespace to join. 2) we can join namespaces owned
by different containers. 3) commands like ps won't be limited to what
container they can access as previously we either had access to the
storage from a new namespace or access to /proc when running from the
host. 4) rootless varlink works. 5) there are only two ways to enter
in a namespace, either by creating a new one if no containers are
running or joining the existing one from any container.
Containers created by older Podman versions must be restarted.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
--trace, --help and --version were not capatilized like the rest of the
global options. This patch fixes this problem.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
add the ability for users to specify more than one container at a time
while using podman logs. If more than one container is being displayed,
podman will also prepend a shortened container id of the container on
the log line.
also, enabled the podman-remote logs command during the refactoring of
the above ability.
fixes issue #2219
Signed-off-by: baude <bbaude@redhat.com>
Remove hardcoded '(default: true)' strings from bool flags,
and '(default this-or-that)' from string flags.
First because it's unmaintainable duplication that would cause
confusion should someone ever change the default and not notice
the message.
Second, because cobra[1] already prints '(default XXXX)' for
all options with non-false non-nil default. So in each of
these cases, current podman help behavior is:
$ podman login --help
...
--tls-verify Require HTTPS ... (default: true) (default true)
This PR eliminates that duplication.
[1] actually spf13/pflag/flag.go
The only nontrivial one of these is start.go, where the default
for sigProxy depends on the --attach flag. Solution: change
the command-line default to false, and implement the new
conditional default in logic. Bonus: removed unnecessary
check, because now if sigProxy is set without --attach,
we can guarantee that it was done by the user. But please
pay close scrutiny to this particular section in case
there's something I missed.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Make the usage messages (and options) different between
podman inspect, podman image inspect, and podman container inspect.
Disable inapplicable options (-l, -s) for podman image inspect
Disable -t (type) when the type is implicit through the subcommand.
Update man page to reflect differences in usage.
Fix broken test.
Uglier than desirable due to Go and Cobra limitations
Signed-off-by: Ed Santiago <santiago@redhat.com>
In lipod, we now log major events that occurr. These events
can be displayed using the `podman events` command. Each
event contains:
* Type (container, image, volume, pod...)
* Status (create, rm, stop, kill, ....)
* Timestamp in RFC3339Nano format
* Name (if applicable)
* Image (if applicable)
The format of the event and the varlink endpoint are to not
be considered stable until cockpit has done its enablement.
Signed-off-by: baude <bbaude@redhat.com>
join the user namespace where the pod is running, so that we can both
manage the storage and correctly send the kill signal to a process
which is not running as root in the namespace.
Closes: https://github.com/containers/libpod/issues/2577
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
allow to configure the path to the network-cmd binary, either via an
option flag --network-cmd-path or through the libpod.conf
configuration file.
This is currently used to customize the path to the slirp4netns
binary.
Closes: https://github.com/containers/libpod/issues/2506
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Currently in podman if a user specifies a command that does not exist
the tool shows the help information. This patch changes it to show
information like:
$ ./bin/podman foobar
Error: unrecognized command 'podman foobar'
Try 'podman --help' for more information.
$ ./bin/podman volume foobar
Error: unrecognized command `podman volume foobar`
Try 'podman volume --help' for more information.
$ ./bin/podman container foobar
Error: unrecognized command `podman container foobar`
Try 'podman container --help' for more information.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Clean up adapter code
* Add GetContainersByContext to Varlink API
* Add missing comments
* Restore save command
* Restore error type mapping when using varlink
Signed-off-by: Jhon Honce <jhonce@redhat.com>
* ps now on main command
* sign is no longer on main commmand
* ls, list no longer are valid main aliases for images
* ls, list does work for podman image
Signed-off-by: baude <bbaude@redhat.com>
* ps now on main command
* sign is no longer on main commmand
* ls, list no longer are valid main aliases for images
* ls, list does work for podman image
Signed-off-by: baude <bbaude@redhat.com>
the remote-client is currently weak for carrying error messages
over the varlink interface and displaying something useful to users
and developers for the purposes of debug. this is a starting point
to improve that user experience.
Signed-off-by: baude <bbaude@redhat.com>
add build as a local and remote-client command in the main
podman menu. also ensure it is added to the image subcommands
as well.
Signed-off-by: baude <bbaude@redhat.com>
enable podman-remote push so that users can push images from a
remote client.
change in push API to deal with the need to see output over the
varlink connection.
Signed-off-by: baude <bbaude@redhat.com>
Subcommands should not be showing the global flags. This causes the important
information to scroll off the screen.
Also fixed a typo on runCommmand (Too many 'm's)
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
In the previous CLI, we had an accurate depiction of commands
available for the remote client and those available for the
local client.
Signed-off-by: baude <bbaude@redhat.com>
We intend to migrate to the cobra cli from urfave/cli because the
project is more well maintained. There are also some technical reasons
as well which extend into our remote client work.
Signed-off-by: baude <bbaude@redhat.com>
We have no consistancy in out option usages and descritions
on whether or not the first letter should be capatalized.
This patch forces them all to be capatilized.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We are missing the equivalence of the docker system commands
This patch set adds `podman system prune`
and `podman system info`
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
addition of import and export for the podman-remote client. This includes
the ability to send and receive files between the remote-client and the
"podman" host using an upgraded varlink connection.
Signed-off-by: baude <bbaude@redhat.com>
initial enablement of podman-remote version. includes add a APIVersion const
that will allow us to check compatibility between host/client when connections
are made.
also added client related information to podman info.
Signed-off-by: baude <bbaude@redhat.com>
Masking main level, image, and container commands that are not yet
implemented for the remote client. As each command is completed, be
sure to unmask it.
Also, masking podman command line switches that are not applicable
to the remote client.
Signed-off-by: baude <bbaude@redhat.com>
If we are not able to make arbitrary changes to the RLIMIT_NOFILE when
lacking CAP_SYS_RESOURCE, don't fail but bump the limit to the maximum
allowed. In this way the same code path works with rootless mode.
Closes: https://github.com/containers/libpod/issues/2123
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
be sure there are no bits in the umask that prevent us for creating
directories with mode 0755. Set the umask very early in the program
startup.
Closes: https://github.com/containers/libpod/issues/2074
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Fix usage of export when rootless containers are used without vfs. We
join the conmon process namespaces as the container is running in a
different one.
There can be a problem if the user specify a different path for the
conmon process, and then the file is deleted. In this case podman
won't be able to find the conmon process to join.
Closes: https://github.com/containers/libpod/issues/2027
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
podman play kube adds the ability for the user to recreate pods and containers
from a Kubernetes YAML file in libpod.
Signed-off-by: baude <bbaude@redhat.com>
when using a driver different than vfs, the mount is probably in a
different mount namespace thus not accessible from the host. Avoid
the confusion by not allowing mount when a different driver is used.
Closes: https://github.com/containers/libpod/issues/1964
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
With rootless containers we cannot really restart an existing container
as we would need to join the mount namespace as well to be able to reuse
the storage, so ensure the container is stopped first.
Closes: https://github.com/containers/libpod/issues/1965
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Add support for podman volume and its subcommands.
The commands supported are:
podman volume create
podman volume inspect
podman volume ls
podman volume rm
podman volume prune
This is a tool to manage volumes used by podman. For now it only handle
named volumes, but eventually it will handle all volumes used by podman.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Part of the motivation for 800eb863 (Hooks supports two directories,
process default and override, 2018-09-17, #1487) was [1]:
> We only use this for override. The reason this was caught is people
> are trying to get hooks to work with CoreOS. You are not allowed to
> write to /usr/share... on CoreOS, so they wanted podman to also look
> at /etc, where users and third parties can write.
But we'd also been disabling hooks completely for rootless users. And
even for root users, the override logic was tricky when folks actually
had content in both directories. For example, if you wanted to
disable a hook from the default directory, you'd have to add a no-op
hook to the override directory.
Also, the previous implementation failed to handle the case where
there hooks defined in the override directory but the default
directory did not exist:
$ podman version
Version: 0.11.2-dev
Go Version: go1.10.3
Git Commit: "6df7409cb5a41c710164c42ed35e33b28f3f7214"
Built: Sun Dec 2 21:30:06 2018
OS/Arch: linux/amd64
$ ls -l /etc/containers/oci/hooks.d/test.json
-rw-r--r--. 1 root root 184 Dec 2 16:27 /etc/containers/oci/hooks.d/test.json
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:31:19-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:31:19-08:00" level=warning msg="failed to load hooks: {}%!(EXTRA *os.PathError=open /usr/share/containers/oci/hooks.d: no such file or directory)"
With this commit:
$ podman --log-level=debug run --rm docker.io/library/alpine echo 'successful container' 2>&1 | grep -i hook
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /usr/share/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="reading hooks from /etc/containers/oci/hooks.d"
time="2018-12-02T21:33:07-08:00" level=debug msg="added hook /etc/containers/oci/hooks.d/test.json"
time="2018-12-02T21:33:07-08:00" level=debug msg="hook test.json matched; adding to stages [prestart]"
time="2018-12-02T21:33:07-08:00" level=warning msg="implicit hook directories are deprecated; set --hooks-dir="/etc/containers/oci/hooks.d" explicitly to continue to load hooks from this directory"
time="2018-12-02T21:33:07-08:00" level=error msg="container create failed: container_linux.go:336: starting container process caused "process_linux.go:399: container init caused \"process_linux.go:382: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: oh, noes!\\\\n\\\"\""
(I'd setup the hook to error out). You can see that it's silenly
ignoring the ENOENT for /usr/share/containers/oci/hooks.d and
continuing on to load hooks from /etc/containers/oci/hooks.d.
When it loads the hook, it also logs a warning-level message
suggesting that callers explicitly configure their hook directories.
That will help consumers migrate, so we can drop the implicit hook
directories in some future release. When folks *do* explicitly
configure hook directories (via the newly-public --hooks-dir and
hooks_dir options), we error out if they're missing:
$ podman --hooks-dir /does/not/exist run --rm docker.io/library/alpine echo 'successful container'
error setting up OCI Hooks: open /does/not/exist: no such file or directory
I've dropped the trailing "path" from the old, hidden --hooks-dir-path
and hooks_dir_path because I think "dir(ectory)" is already enough
context for "we expect a path argument". I consider this name change
non-breaking because the old forms were undocumented.
Coming back to rootless users, I've enabled hooks now. I expect they
were previously disabled because users had no way to avoid
/usr/share/containers/oci/hooks.d which might contain hooks that
required root permissions. But now rootless users will have to
explicitly configure hook directories, and since their default config
is from ~/.config/containers/libpod.conf, it's a misconfiguration if
it contains hooks_dir entries which point at directories with hooks
that require root access. We error out so they can fix their
libpod.conf.
[1]: https://github.com/containers/libpod/pull/1487#discussion_r218149355
Signed-off-by: W. Trevor King <wking@tremily.us>
scope out new kube subcommand where we can add generate. you can now generate kubernetes
YAML that will allow you to run the container in a kubernetes environment. When
The YAML description will always "wrap" a container in a simple v1.Pod description.
Tests and further documentation will be added in additional PRs.
This function should be considered very much "under heavy development" at
this point.
Signed-off-by: baude <bbaude@redhat.com>
add a global flag for --max-workers so users can limit the number
of parallel operations for a given function. also, when not limited
by max-workers, we implement a heuristic function that returns the
number of preferred parallel workers based on the number of CPUs and
the given operation.
Signed-off-by: baude <bbaude@redhat.com>
Every port we open consumes an open FD. This can easily consume
all available FDs for the podman process. Set rlimits to resolve
this.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1437
Approved by: rhatdan
move re-exec later on, so that we can check whether we need to join
the infra container user namespace or we need to create another one.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1372
Approved by: mheon
be sure to be in an userns for a rootless process before initializing
the runtime. In case we are not running as uid==0, take advantage of
"podman info" that creates the runtime.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1372
Approved by: mheon
Add a special handler to catch errors caused by specifying unknown
commands to Podman. This allows printing a more helpful error message.
```
$ podman
Command "123123" not found.
See `podman --help`.
$ podman pod 123123
Command "123123" not found.
See `podman pod --help`.
```
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1379
Approved by: rhatdan
Don't print potentially verbose help messages in case of usage errors,
but print only the usage error followed by a pointer to the command's
help. This aligns with Docker.
```
$ podman run -h
flag needs an argument: -h
See 'podman run --help'.
```
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>
Closes: #1379
Approved by: rhatdan
join the user namespace used to create the container so that psgo can
work in the same way as with root containers.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1371
Approved by: rhatdan
We cannot re-exec into a new user namespace to gain privileges and
access an existing as the new namespace is not the owner of the
existing container.
"unshare" is used to join the user namespace of the target container.
The current implementation assumes that the main process of the
container didn't create a new user namespace.
Since in the setup phase we are not running with euid=0, we must skip
the setup for containers/storage.
Closes: https://github.com/containers/libpod/issues/1329
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1331
Approved by: rhatdan
Need to get some small changes into libpod to pull back into buildah
to complete buildah transition.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1270
Approved by: mheon
When running podman as non root user always create an userNS and let
the OCI runtime use it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #936
Approved by: rhatdan
some platforms and operating systems do not have varlink. in those cases,
we need to be able to turn off enablement of varlink in podman. this can now
be done with BUILDTAGS passed to the build though perhaps in the future
will be better.
the default is to build with varlink
Signed-off-by: baude <bbaude@redhat.com>
squash! make varlink optional for podman
The API.md and cmd/podman/varlink/ioprojectatomicpodman.go targets
will continue to work regardless of the presence (or not) of 'varlink'
is in BUILDTAGS. However, cmd/podman/varlink/ioprojectatomicpodman.go
is now only required by the podman target when BUILDTAGS contains
'varlink'.
API.md had also been an podman dependency since 5b2627dd (Makefile:
Drop find-godeps.sh for podman target, 2018-05-15, #776) when I
expanded varlink_api_generate. It had been an indirect podman
dependency (via varlink_api_generate) since 25263558 (Generate varlink
API documentation automatically, 2018-05-07, #734). But the podman
executable obviously doesn't depend on the Markdown file, so I'm
removing that dependency here.
Signed-off-by: baude <bbaude@redhat.com>
squash! make varlink optional for podman
The command-pointer approach will scale well if/when we add additional
optional commands behind their own build tags, because those tags
won't all be competing for the same getOptionalCommands namespace.
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #987
Approved by: rhatdan
This shifts the matching logic out of libpod/container_internal and
into the hook package, where we can reuse it after vendoring into
CRI-O. It also adds unit tests with almost-complete coverage. Now
libpod is even more isolated from the hook internals, which makes it
fairly straightforward to bump the hook config file to 1.0.0. I've
dubbed the old format 0.1.0, although it doesn't specify an explicit
version. Motivation for some of my changes with 1.0.0:
* Add an explicit version field. This will make any future JSON
structure migrations more straightforward by avoiding the need for
version-guessing heuristics.
* Collect the matching properties in a new When sub-structure. This
makes the root Hook structure easier to understand, because you
don't have to read over all the matching properties when wrapping
your head around Hook.
* Replace the old 'hook' and 'arguments' with a direct embedding of
the runtime-spec's hook structure. This provides access to
additional upstream properties (args[0], env, and timeout) and
avoids the complication of a CRI-O-specific analog structure.
* Add a 'when.always' property. You can usually accomplish this
effect in another way (e.g. when.commands = [".*"]), but having a
boolean explicitly for this use-case makes for easier reading and
writing.
* Replace the previous annotations array with an annotations map. The
0.1.0 approach matched only the values regardless of key, and that
seems unreliable.
* Replace 'cmds' with 'when.commands', because while there are a few
ways to abbreviate "commands", there's only one way to write it out
in full ;). This gives folks one less thing to remember when
writing hook JSON.
* Replace the old "inject if any specified condition matches" with
"inject if all specified conditions match". This allows for more
precise targeting. Users that need more generous targeting can
recover the previous behavior by creating a separate 1.0.0 hook file
for each specified 0.1.0 condition.
I've added doc-compat support for the various pluralizations of the
0.1.0 properties. Previously, the docs and code were not in
agreement. More on this particular facet in [1].
I've updated the docs to point out that the annotations being matched
are the OCI config annotations. This differs from CRI-O, where the
annotations used are the Kubernetes-supplied annotations [2,3]. For
example, io.kubernetes.cri-o.Volumes [4] is part of CRI-O's runtime
config annotations [5], but not part of the Kubernetes-supplied
annotations CRI-O uses for matching hooks.
The Monitor method supports the CRI-O use-case [6]. podman doesn't
need it directly, but CRI-O will need it when we vendor this package
there.
I've used nvidia-container-runtime-hook for the annotation examples
because Dan mentioned the Nvidia folks as the motivation behind
annotation matching. The environment variables are documented in [7].
The 0.1.0 hook config, which does not allow for environment variables,
only works because runc currently leaks the host environment into the
hooks [8]. I haven't been able to find documentation for their usual
annotation trigger or hook-install path, so I'm just guessing there.
[1]: https://github.com/kubernetes-incubator/cri-o/pull/1235
[2]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L760
[3]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L772
[4]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/pkg/annotations/annotations.go#L97-L98
[5]: https://github.com/kubernetes-incubator/cri-o/blob/v1.10.0/server/container_create.go#L830-L834
[6]: https://github.com/kubernetes-incubator/cri-o/pull/1345/
[7]: https://github.com/NVIDIA/nvidia-container-runtime/tree/v1.3.0-1#environment-variables-oci-spec
[8]: https://github.com/opencontainers/runc/pull/1738
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #686
Approved by: mheon
baude
OpenShift Merge Robot
Jhon Honce
Giuseppe Scrivano
Daniel J Walsh
Ed Santiago
Sebastian Jug
umohnani8
W. Trevor King
Matthew Heon
Valentin Rothberg
haircommander