Commit Graph

74 Commits

Author SHA1 Message Date
Matthew Heon 39c493b3fc Do not use image CMD if user gave ENTRYPOINT
This matches Docker behavior, and seems to make sense - the CMD
may have been specific to the original entrypoint and probably
does not make sense if it was changed.

While we're in here, greatly simplify the logic for populating
the SpecGen's Command. We create the full command when making the
OCI spec, so the client should not be doing any more than setting
it to the Command the user passed in, and completely ignoring
ENTRYPOINT.

Fixes #7115

Signed-off-by: Matthew Heon <mheon@redhat.com>
2020-08-10 10:18:43 -04:00
Daniel J Walsh a5e37ad280
Switch all references to github.com/containers/libpod -> podman
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-07-28 08:23:45 -04:00
Daniel J Walsh 4c4a00f63e
Support default profile for apparmor
Currently you can not apply an ApparmorProfile if you specify
--privileged.  This patch will allow both to be specified
simultaniosly.

By default Apparmor should be disabled if the user
specifies --privileged, but if the user specifies --security apparmor:PROFILE,
with --privileged, we should do both.

Added e2e run_apparmor_test.go

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-07-22 06:27:20 -04:00
Giuseppe Scrivano 65d382dc68
abi: set default umask and rlimits
the code got lost in the migration to podman 2.0, reintroduce it.

Closes: https://github.com/containers/podman/issues/6989

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-07-17 20:53:38 +02:00
OpenShift Merge Robot 50cd21e181
Merge pull request #6939 from rhatdan/entrypoint
Fix handling of entrypoint
2020-07-14 21:53:47 +02:00
Daniel J Walsh 6535c8b9e8
Fix handling of entrypoint
If a user specifies an entrypoint of "" then we should not use the images
entrypoint.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-07-14 13:10:03 -04:00
Matthew Heon dc2ca45d75 When determining systemd mode, use full command
We were only using the Command field in specgen when determining
whether to enable systemd if systemd=true (the default) was used.
This does not include the entrypoint, and does not include any
entrypoint/command sourced from the image - so an image could be
running systemd and we'd not correctly detect this. Using the
full, final command resolves this and matches Podman v1.9.x
behavior.

Fixes #6920

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-07-14 12:55:37 -04:00
Valentin Rothberg 8489dc4345 move go module to v2
With the advent of Podman 2.0.0 we crossed the magical barrier of go
modules.  While we were able to continue importing all packages inside
of the project, the project could not be vendored anymore from the
outside.

Move the go module to new major version and change all imports to
`github.com/containers/libpod/v2`.  The renaming of the imports
was done via `gomove` [1].

[1] https://github.com/KSubedi/gomove

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-07-06 15:50:12 +02:00
Ralf Haferkamp 43c19966f6 specgen: fix order for setting rlimits
Also make sure that the limits we set for rootless are not higher than
what we'd set for root containers.

Rootless containers failed to start when the calling user already
had ulimit (e.g. on NOFILE) set.

This is basically a cherry-pick of 76f8efc0d0 into specgen

Signed-off-by: Ralf Haferkamp <rhafer@suse.com>
2020-06-26 11:17:32 +02:00
Joseph Gooch eb8bfdad3e Fix --init and --init-path
Init properly passed into specgen
Allow --init with --systemd=true but not --systemd=always.

Signed-off-by: Joseph Gooch <mrwizard@dok.org>
2020-06-16 17:37:39 +00:00
Matthew Heon 644a7b78ff Ensure that containers in pods properly set hostname
When we moved to the new Namespace types in Specgen, we made a
distinction between taking a namespace from a pod, and taking it
from another container. Due to this new distinction, some code
that previously worked for both `--pod=$ID` and
`--uts=container:$ID` has accidentally become conditional on only
the latter case. This happened for Hostname - we weren't properly
setting it in cases where the container joined a pod.
Fortunately, this is an easy fix once we know to check the
condition.

Also, ensure that `podman pod inspect` actually prints hostname.

Fixes #6494

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-06-04 16:32:10 -04:00
Matthew Heon 26f48139ce Add remaining annotations for `podman inspect`
This should finish support for `podman inspect` in APIv2.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-05-08 14:45:32 -04:00
Valentin Rothberg f269be3a31 add {generate,play} kube
Add the `podman generate kube` and `podman play kube` command.  The code
has largely been copied from Podman v1 but restructured to not leak the
K8s core API into the (remote) client.

Both commands are added in the same commit to allow for enabling the
tests at the same time.

Move some exports from `cmd/podman/common` to the appropriate places in
the backend to avoid circular dependencies.

Move definitions of label annotations to `libpod/define` and set the
security-opt labels in the frontend to make kube tests pass.

Implement rest endpoints, bindings and the tunnel interface.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-05-06 17:08:22 +02:00
Daniel J Walsh 4a2765c498
Properly handle default capabilities listed in containers.conf
If user/admin specifies a different list of default capabilties
we need to honor these.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-05-01 15:00:26 -04:00
Daniel J Walsh 730fbc7628
Properly handle containers.conf devices
We need to add the default devices listed in containers.conf

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-05-01 15:00:26 -04:00
OpenShift Merge Robot 49107a5a2e
Merge pull request #6004 from rhatdan/ulimits
Set up ulimits for rootless containers.
2020-05-01 15:58:24 +02:00
Giuseppe Scrivano c11cff4542
cmd, podman: do not override entrypoint if unset
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-04-30 11:33:34 +02:00
Daniel J Walsh 51585fffdd
Set up ulimits for rootless containers.
Currently we are setting the maximum limits for rootful podman containers,
no reason not to set them by default for rootless users as well

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-04-28 08:09:39 -04:00
Matthew Heon 67ec4e1d27 Improve Entrypoint and Command support
We should not be overwriting the Specgen's Command and Entrypoint
when building the final command to pass in the OCI spec. Both of
these will be provided to Libpod for use in `podman inspect` and
committing containers, and both must be set to the user's input,
not overwritten by the image if unset.

Fix this by moving command generation into OCI spec generation
and not modifying the SpecGenerator when we do so.

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-04-27 13:13:21 -04:00
Matthew Heon 02671a103f Add support for volumes-from, image volumes, init
This should complete Podmanv2's support for volume-related flags.
Most code was sourced from the old pkg/spec implementation with
modifications to account for the split between frontend flags
(volume, mount, tmpfs) and the backend flags implemented here.

Also enables tests for podman run with volumes

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-04-27 13:13:21 -04:00
Matthew Heon 1cd2b746d0 Modify namespace generation code for specgen
Namespaces have now been changed to properly handle all cases.
Spec handling code for namespaces was consolidated in a single
function.

Still missing:
- Image ports
- Pod namespaces likely still broken in Podmanv2

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2020-04-21 14:38:52 -04:00
Giuseppe Scrivano 0108161a4e
pkg: implement rlimits
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-04-21 10:36:48 +02:00
Brent Baude ba430bfe5e podman v2 remove bloat v2
rid ourseleves of libpod references in v2 client

Signed-off-by: Brent Baude <bbaude@redhat.com>
2020-04-16 12:04:46 -05:00
Brent Baude 7147187942 v2specgen prune libpod
use libpod only in the specgen/generate package so that the remote clients do not inherit libpod bloat.

Signed-off-by: Brent Baude <bbaude@redhat.com>
2020-04-14 20:02:20 -05:00