After we re-exec in the userNS os.Getuid() returns the new UID (= 0)
which is not what we want to use.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1048
Approved by: mheon
When we run containers in detach mode, nothing cleans up the network stack or
the mount points. This patch will tell conmon to execute the cleanup code when
the container exits.
It can also be called to attempt to cleanup previously running containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #942
Approved by: mheon
If the caller sets up the app to be in logrus.DebugLevel,
then we will add the --syslog flag to conmon to get all of the
messages.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1014
Approved by: TomSweeneyRedHat
Catching up with opencontainers/runtime-tools@84a62c6a (generate: Move
Generator.spec to Generator.Config, 2016-11-06, #266, v0.6.0), now
that we've bumped runtime-tools in f6c0fc1a (Vendor in latest
runtime-tools, 2018-06-26, #1007).
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #1008
Approved by: mheon
When running podman as non root user always create an userNS and let
the OCI runtime use it.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #936
Approved by: rhatdan
If the intermediate image exists in the store, podman history
will show the IDs of the intermediate image of each layer.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #982
Approved by: mheon
Everytime we add a new option for create, we end up having to also
add it to run, this makes it error prone. Moving these to the same
function makes it easier to develop and prevents user mistakes.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #975
Approved by: mheon
The default /dev/pts has the option gid=5 that might not be mapped in
the rootless case.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #871
Approved by: mheon
the varlink build was not working as designed and required some touch-ups:
* return a struct that includes logs and the new image ID
* pass namespaceoption so that networking in buildah works
Signed-off-by: baude <bbaude@redhat.com>
Closes: #903
Approved by: rhatdan
Also add annotations from the image the container was created
from.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #886
Approved by: rhatdan
Change the level of missing /etc/containers/mount.conf to a debug, since
this is expected on most machines.
Also raised the level of some warnings to errors, so they will be better seen,
even if we are skipping.
Fixed the wording of one error, since stating is not the correct word.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #882
Approved by: mheon
We've had logrus logging in the monitor code since it landed in
68eb128f (pkg/hooks: Version the hook structure and add 1.0.0 hooks,
2018-04-27, #686). This commit adds similar logging to the initial
hook.New() and Manager.Hooks() calls to make it easier to see if those
are working as expected.
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #887
Approved by: rhatdan
The typo is a copy/paste error from 68eb128f (pkg/hooks: Version the
hook structure and add 1.0.0 hooks, 2018-04-27, #686).
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #887
Approved by: rhatdan
This typo from 68eb128f (pkg/hooks: Version the hook structure and add
1.0.0 hooks, 2018-04-27, #686) was causing any 'annotations' entries
in hook JSON to be silently ignored.
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #887
Approved by: rhatdan
The continue here is from 5676597f (hooks/read: Ignore IsNotExist for
JSON files in ReadDir, 2018-04-27, #686), where it was intended to
silently ignore missing JSON files. However, the old logic was also
silently ignoring not-exist errors from the os.Stat(hook.Hook.Path)
from 68eb128f (pkg/hooks: Version the hook structure and add 1.0.0
hooks, 2018-04-27, #686). This commit adjusts the check so JSON
not-exist errors continue to be silently ignored while hook executable
not-exist errors become fatal.
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #887
Approved by: rhatdan
Add the endpoint and methods for build so users can build an image
with varlink. build can also use the more method for streaming
output back more regularily; however, it looks like a bug in buildah
does not output all build output to the writer provided.
Tidy up some create fixes and add endpoint for GetImage requested by
jhonce.
Signed-off-by: baude <bbaude@redhat.com>
when obtaining the inspect information for a container through varlink, we need
to extract more container related information by parsing the data through the
method 'GetCtrInspectInfo' which was previously only in podman's main.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #866
Approved by: rhatdan
I'd been getting the failed-to-reap errors locally, but on an
unrelated pull-request the FAH27 suite successfully reaped that hook
[1]:
--- FAIL: TestRunKillTimeout (0.50s)
assertions.go:226:
Error Trace: exec_test.go:210
Error: Expect "signal: killed" to match "^failed to reap process within 0s of the kill signal$"
FAIL
The successful-reap cases limit our coverage, but I don't think that's
a big enough problem to be worth repeated polling or similar until we
do get the failed-to-reap error.
[1]: 96c1535fdc.0.1527811547665239762/output.log
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #868
Approved by: rhatdan
We need to map slices set for both UID and GID maps to be equivalent if
not specified by user. Currently if you do not specify both the containers
are not running.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #865
Approved by: baude
This wraps os/exec to:
* Clear the environment when the hook doesn't set 'env'. The runtime
spec has [1]:
> * env (array of strings, OPTIONAL) with the same semantics as IEEE
> Std 1003.1-2008's environ.
And running execle or similar with NULL env results in an empty
environment:
$ cat test.c
#include <unistd.h>
int main()
{
return execle("/usr/bin/env", "env", NULL, NULL);
}
$ cc -o test test.c
$ ./test
...no output...
Go's Cmd.Env, on the other hand, has [2]:
> If Env is nil, the new process uses the current process's environment.
This commit works around that by setting []string{} in those cases
to avoid leaking the runtime environment into the hooks.
* Roll the 'timeout' value (if set) into the passed context. There's
no need for two separate ways to cancel hook execution.
* Add a configurable timeout on abandoning a post-kill wait. The
waiting goroutine will continue and eventually reap the process, but
this avoids blocking the Run() call when that takes inordinately
long (for example, if a GPU cleanup hook is stuck in I/O sleep [3]).
The 'env' output format is specified in POSIX [4].
[1]: https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks
[2]: https://golang.org/pkg/os/exec/#Cmd
[3]: https://github.com/projectatomic/libpod/pull/857#discussion_r192191002
[4]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/env.html
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #857
Approved by: mheon
To more clearly distinguish between the extensionStages input to New()
(a slice of strings) and the map output from Hooks().
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #855
Approved by: rhatdan
Currently we are giving all caps to users when running with podman run --user,
They should get none by default. If the command line includes --cap-add, then
we need to run with those capabilties. Similarly we need to drop caps from
bounding set, if user specifies --cap-drop
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #851
Approved by: mheon
The docker-archive tar files can have multiple tags for the same
image stored in it. Load pulls all the tags found in the archive
when loading a tar file. Save can oush multiple tags of the same
image to a tar archive.
Signed-off-by: umohnani8 <umohnani@redhat.com>
Closes: #819
Approved by: rhatdan
- Added alias 'container()' to image model for CreateContainer()
- Fixed return in containers_create.go to wrap error in varlink
exception
- Added a wait time to container.kill(), number of seconds to wait
for the container to change state
- Refactored cached_property() to use system libraries
- Refactored tests to speed up performance
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Closes: #821
Approved by: rhatdan
I'd accidentally introduced these typos in ea415610 (hooks/docs: Add
oci-hooks.5 and per-package man page building, 2018-05-15, #772).
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #810
Approved by: mheon
We've had this functionality since 68eb128f (pkg/hooks: Version the
hook structure and add 1.0.0 hooks, 2018-04-27, #686), but didn't have
any user-facing docs for it.
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #811
Approved by: mheon
This isn't an issue with podman, which will only ever use one
directory. But CRI-O generally uses two directories, and we want to
make sure that changes to the fallback directory are not clobbering
hooks configured in the override directory. More background in [1].
I've split the handling into a single-directory block and a
multiple-directory block so we don't waste time polling the filesystem
for single-directory removals.
I'm using the single-directory block for the the zero-directory case
as well. Managers with zero directories should not be receiving
fsnotify events, so I don't think it really matters which block
handles them. If we want to handle this case robustly (because we're
concerned about something in the hook package adjusted the private
.directories property on the fly?), then we'll probably want to add an
explicit zero-directory block in future work.
[1]: https://github.com/kubernetes-incubator/cri-o/pull/1470
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #757
Approved by: rhatdan
This allows us to reference the hooks docs from podman(1) in a way
that will survive system installation. The downside is that the
GitHub rendered pages become less usable, now that we can no longer
embed links as freely as we could before.
I've followed the "Sections within a manual page" suggestions from
[1].
locale(7) is [2], which is Linux-specific. Even section numbering is
platform-dependent [3], so it's unlikely that these external man
references are particularly portable. Platform packagers can adjust
our local references to match their target system, but that leaves the
GitHub rendering in an awkward place. For now, I think a
Linux-centric GitHub rendering without clickable links may be the best
we can do without moving away from go-md2man.
As far as I can tell, there's not a nice way to get go-md2man to wrap
the links in SEE ALSO without sometimes hyphenating a URL (which makes
it harder for man-page readers to copy/paste those links into their
browser).
I've also fixed some "extention" -> "extension" typos.
[1]: http://man7.org/linux/man-pages/man7/man-pages.7.html
[2]: http://man7.org/linux/man-pages/man7/locale.7.html
[3]: https://en.wikipedia.org/wiki/Man_page#Manual_sections
Signed-off-by: W. Trevor King <wking@tremily.us>
Closes: #772
Approved by: mheon
When we're given a numeric --user value, default to GID 0 if the numeric
ID doesn't correspond to a user entry in /etc/passwd that can provide us
with the user's primary group ID.
Make sure that GetAdditionalGroupsForUser() returns wrapped errors.
Also test various user:group forms.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #728
Approved by: mheon
